search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
TODO drsuapi compressed
[wireshark-sm.git] / epan / dissectors / packet-tls-utils.c
blobf82dc30286eec635d1f40770c7690889bea3e3ef
1 /* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <paolo.abeni@email.com>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <hauke@hauke-m.de>
6 * Copyright (c) 2014, Peter Wu <peter@lekensteyn.nl>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15 #include "config.h"
16
17 #if defined(HAVE_ZLIB) && !defined(HAVE_ZLIBNG)
18 #define ZLIB_CONST
19 #define ZLIB_PREFIX(x) x
20 #include <zlib.h>
21 typedef z_stream zlib_stream;
22 #endif /* HAVE_ZLIB */
23
24 #ifdef HAVE_ZLIBNG
25 #define ZLIB_PREFIX(x) zng_ ## x
26 #include <zlib-ng.h>
27 typedef zng_stream zlib_stream;
28 #endif /* HAVE_ZLIBNG */
29
30 #include <stdlib.h>
31 #include <errno.h>
32
33 #include <epan/packet.h>
34 #include <epan/strutil.h>
35 #include <epan/addr_resolv.h>
36 #include <epan/expert.h>
37 #include <epan/asn1.h>
38 #include <epan/proto_data.h>
39 #include <epan/oids.h>
40 #include <epan/secrets.h>
41
42 #include <wsutil/inet_cidr.h>
43 #include <wsutil/filesystem.h>
44 #include <wsutil/file_util.h>
45 #include <wsutil/str_util.h>
46 #include <wsutil/report_message.h>
47 #include <wsutil/pint.h>
48 #include <wsutil/strtoi.h>
49 #include <wsutil/wsgcrypt.h>
50 #include <wsutil/rsa.h>
51 #include <wsutil/ws_assert.h>
52 #include "packet-ber.h"
53 #include "packet-x509af.h"
54 #include "packet-x509if.h"
55 #include "packet-tls-utils.h"
56 #include "packet-ocsp.h"
57 #include "packet-tls.h"
58 #include "packet-dtls.h"
59 #include "packet-quic.h"
60 #if defined(HAVE_LIBGNUTLS)
61 #include <gnutls/abstract.h>
62 #endif
63
64 /* JA3/JA3S calculations must ignore GREASE values
65 * as described in RFC 8701.
66 */
67 #define IS_GREASE_TLS(x) ((((x) & 0x0f0f) == 0x0a0a) && \
68 (((x) & 0xff) == (((x)>>8) & 0xff)))
69
70 /* Section 22.3 of RFC 9000 (QUIC) reserves values of this
71 * form for a similar purpose as GREASE.
72 */
73 #define IS_GREASE_QUIC(x) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)
74
75 #define DTLS13_MAX_EPOCH 10
76
77 /* Lookup tables {{{ */
78 const value_string ssl_version_short_names[] = {
79 { SSLV2_VERSION, "SSLv2" },
80 { SSLV3_VERSION, "SSLv3" },
81 { TLSV1_VERSION, "TLSv1" },
82 { TLCPV1_VERSION, "TLCP" },
83 { TLSV1DOT1_VERSION, "TLSv1.1" },
84 { TLSV1DOT2_VERSION, "TLSv1.2" },
85 { TLSV1DOT3_VERSION, "TLSv1.3" },
86 { DTLSV1DOT0_VERSION, "DTLSv1.0" },
87 { DTLSV1DOT2_VERSION, "DTLSv1.2" },
88 { DTLSV1DOT3_VERSION, "DTLSv1.3" },
89 { DTLSV1DOT0_OPENSSL_VERSION, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
90 { 0x00, NULL }
91 };
92
93 const value_string ssl_versions[] = {
94 { SSLV2_VERSION, "SSL 2.0" },
95 { SSLV3_VERSION, "SSL 3.0" },
96 { TLSV1_VERSION, "TLS 1.0" },
97 { TLCPV1_VERSION, "TLCP" },
98 { TLSV1DOT1_VERSION, "TLS 1.1" },
99 { TLSV1DOT2_VERSION, "TLS 1.2" },
100 { TLSV1DOT3_VERSION, "TLS 1.3" },
101 { 0x7F0E, "TLS 1.3 (draft 14)" },
102 { 0x7F0F, "TLS 1.3 (draft 15)" },
103 { 0x7F10, "TLS 1.3 (draft 16)" },
104 { 0x7F11, "TLS 1.3 (draft 17)" },
105 { 0x7F12, "TLS 1.3 (draft 18)" },
106 { 0x7F13, "TLS 1.3 (draft 19)" },
107 { 0x7F14, "TLS 1.3 (draft 20)" },
108 { 0x7F15, "TLS 1.3 (draft 21)" },
109 { 0x7F16, "TLS 1.3 (draft 22)" },
110 { 0x7F17, "TLS 1.3 (draft 23)" },
111 { 0x7F18, "TLS 1.3 (draft 24)" },
112 { 0x7F19, "TLS 1.3 (draft 25)" },
113 { 0x7F1A, "TLS 1.3 (draft 26)" },
114 { 0x7F1B, "TLS 1.3 (draft 27)" },
115 { 0x7F1C, "TLS 1.3 (draft 28)" },
116 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },
117 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },
118 { DTLSV1DOT0_OPENSSL_VERSION, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
119 { DTLSV1DOT0_VERSION, "DTLS 1.0" },
120 { DTLSV1DOT2_VERSION, "DTLS 1.2" },
121 { DTLSV1DOT3_VERSION, "DTLS 1.3" },
122 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
123 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
124 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
125 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
126 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
127 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
128 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
129 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
130 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
131 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
132 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */
133 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */
134 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */
135 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */
136 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */
137 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */
138 { 0x00, NULL }
139 };
140
141 static const value_string ssl_version_ja4_names[] = {
142 { 0x0100, "s1" },
143 { SSLV2_VERSION, "s2" },
144 { SSLV3_VERSION, "s3" },
145 { TLSV1_VERSION, "10" },
146 { TLSV1DOT1_VERSION, "11" },
147 { TLSV1DOT2_VERSION, "12" },
148 { TLSV1DOT3_VERSION, "13" },
149 { DTLSV1DOT0_VERSION, "d1" },
150 { DTLSV1DOT2_VERSION, "d2" },
151 { DTLSV1DOT3_VERSION, "d3" },
152 { 0x00, NULL }
153 };
154
155 const value_string ssl_20_msg_types[] = {
156 { SSL2_HND_ERROR, "Error" },
157 { SSL2_HND_CLIENT_HELLO, "Client Hello" },
158 { SSL2_HND_CLIENT_MASTER_KEY, "Client Master Key" },
159 { SSL2_HND_CLIENT_FINISHED, "Client Finished" },
160 { SSL2_HND_SERVER_HELLO, "Server Hello" },
161 { SSL2_HND_SERVER_VERIFY, "Server Verify" },
162 { SSL2_HND_SERVER_FINISHED, "Server Finished" },
163 { SSL2_HND_REQUEST_CERTIFICATE, "Request Certificate" },
164 { SSL2_HND_CLIENT_CERTIFICATE, "Client Certificate" },
165 { 0x00, NULL }
166 };
167 /* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
168 /* Note: sorted by ascending value so value_string-ext can do a binary search */
169 static const value_string ssl_20_cipher_suites[] = {
170 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
171 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
172 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
173 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
174 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
175 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
176 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
177 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
178 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
179 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
180 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
181 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
182 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
183 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
184 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
185 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
186 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
187 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
188 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
189 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
190 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
191 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
192 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
193 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
194 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
195 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
196 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
197 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
198 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
199 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
200 #if 0
201 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
202 #endif
203 /* RFC 2712 */
204 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
205 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
206 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
207 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
208 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
209 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
210 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
211 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
212 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
213 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
214 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
215 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
216 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
217 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
218 /* RFC 4785 */
219 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
220 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
221 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
222 /* RFC 5246 */
223 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
224 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
225 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
226 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
227 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
228 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
229 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
230 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
231 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
232 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
233 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
234 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
235 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
236 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
237 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
238 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
239 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
240 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
241 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
242 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
243 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
244 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
245 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
246 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
247 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
248 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
249 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
250 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
251 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
252 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
253 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
254 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
255 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
256 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
257 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
258 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
259 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
260 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
261 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
262 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
263 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
264 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
265 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
266 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
267 /* 0x00,0x6E-83 Unassigned */
268 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
269 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
270 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
271 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
272 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
273 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
274 /* RFC 4279 */
275 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
276 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
277 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
278 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
279 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
280 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
281 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
282 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
283 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
284 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
285 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
286 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
287 /* RFC 4162 */
288 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
289 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
290 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
291 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
292 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
293 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
294 /* RFC 5288 */
295 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
296 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
297 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
298 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
299 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
300 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
301 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
302 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
303 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
304 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
305 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
306 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
307 /* RFC 5487 */
308 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
309 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
310 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
311 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
312 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
313 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
314 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
315 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
316 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
317 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
318 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
319 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
320 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
321 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
322 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
323 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
324 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
325 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
326 /* From RFC 5932 */
327 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
328 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
329 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
330 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
331 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
332 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
333 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
334 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
335 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
336 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
337 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
338 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
339 /* 0x00,0xC6-FE Unassigned */
340 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
341 /* 0x01-BF,* Unassigned */
342 /* From RFC 4492 */
343 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
344 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
345 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
346 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
347 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
348 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
349 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
350 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
351 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
352 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
353 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
354 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
355 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
356 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
357 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
358 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
359 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
360 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
361 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
362 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
363 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
364 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
365 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
366 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
367 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
368 /* RFC 5054 */
369 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
370 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
371 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
372 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
373 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
374 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
375 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
376 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
377 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
378 /* RFC 5589 */
379 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
380 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
381 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
382 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
383 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
384 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
385 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
386 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
387 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
388 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
389 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
390 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
391 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
392 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
393 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
394 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
395 /* RFC 5489 */
396 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
397 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
398 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
399 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
400 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
401 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
402 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
403 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
404 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
405 /* 0xC0,0x3C-FF Unassigned
406 0xC1-FD,* Unassigned
407 0xFE,0x00-FD Unassigned
408 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
409 0xFF,0x00-FF Reserved for Private Use [RFC5246]
410 */
411
412 /* old numbers used in the beginning
413 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
414 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
415 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
416 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
417
418 /* https://tools.ietf.org/html/rfc7905 */
419 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
420 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
421 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
422 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
423 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
424 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
425 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
426
427 /* GM/T 0024-2014 */
428 { 0x00e001, "ECDHE_SM1_SM3"},
429 { 0x00e003, "ECC_SM1_SM3"},
430 { 0x00e005, "IBSDH_SM1_SM3"},
431 { 0x00e007, "IBC_SM1_SM3"},
432 { 0x00e009, "RSA_SM1_SM3"},
433 { 0x00e00a, "RSA_SM1_SHA1"},
434 { 0x00e011, "ECDHE_SM4_CBC_SM3"},
435 { 0x00e013, "ECC_SM4_CBC_SM3"},
436 { 0x00e015, "IBSDH_SM4_CBC_SM3"},
437 { 0x00e017, "IBC_SM4_CBC_SM3"},
438 { 0x00e019, "RSA_SM4_CBC_SM3"},
439 { 0x00e01a, "RSA_SM4_CBC_SHA1"},
440 { 0x00e01c, "RSA_SM4_CBC_SHA256"},
441 { 0x00e051, "ECDHE_SM4_GCM_SM3"},
442 { 0x00e053, "ECC_SM4_GCM_SM3"},
443 { 0x00e055, "IBSDH_SM4_GCM_SM3"},
444 { 0x00e057, "IBC_SM4_GCM_SM3"},
445 { 0x00e059, "RSA_SM4_GCM_SM3"},
446 { 0x00e05a, "RSA_SM4_GCM_SHA256"},
447
448 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
449 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
450 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
451 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
452 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
453 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
454 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
455 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
456 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
457 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
458 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
459 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
460 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
461 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
462 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
463 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
464 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
465
466 /* these from http://www.mozilla.org/projects/
467 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
468 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
469 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
470 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
471 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
472 /* note that ciphersuites of {0x00????} are TLS cipher suites in
473 * a sslv2 client hello message; the ???? above is the two-byte
474 * tls cipher suite id
475 */
476
477 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
478 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
479 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
480 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
481 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
482 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
483 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
484 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
485
486 { 0x00, NULL }
487 };
488
489 value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites);
490
491
492 /*
493 * Supported Groups (formerly named "EC Named Curve").
494 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
495 */
496 const value_string ssl_extension_curves[] = {
497 { 1, "sect163k1" },
498 { 2, "sect163r1" },
499 { 3, "sect163r2" },
500 { 4, "sect193r1" },
501 { 5, "sect193r2" },
502 { 6, "sect233k1" },
503 { 7, "sect233r1" },
504 { 8, "sect239k1" },
505 { 9, "sect283k1" },
506 { 10, "sect283r1" },
507 { 11, "sect409k1" },
508 { 12, "sect409r1" },
509 { 13, "sect571k1" },
510 { 14, "sect571r1" },
511 { 15, "secp160k1" },
512 { 16, "secp160r1" },
513 { 17, "secp160r2" },
514 { 18, "secp192k1" },
515 { 19, "secp192r1" },
516 { 20, "secp224k1" },
517 { 21, "secp224r1" },
518 { 22, "secp256k1" },
519 { 23, "secp256r1" },
520 { 24, "secp384r1" },
521 { 25, "secp521r1" },
522 { 26, "brainpoolP256r1" }, /* RFC 7027 */
523 { 27, "brainpoolP384r1" }, /* RFC 7027 */
524 { 28, "brainpoolP512r1" }, /* RFC 7027 */
525 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
526 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
527 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
528 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
529 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
530 { 34, "GC256A" }, /* RFC9189 */
531 { 35, "GC256B" }, /* RFC9189 */
532 { 36, "GC256C" }, /* RFC9189 */
533 { 37, "GC256D" }, /* RFC9189 */
534 { 38, "GC512A" }, /* RFC9189 */
535 { 39, "GC512B" }, /* RFC9189 */
536 { 40, "GC512C" }, /* RFC9189 */
537 { 41, "curveSM2" }, /* RFC 8998 */
538 { 256, "ffdhe2048" }, /* RFC 7919 */
539 { 257, "ffdhe3072" }, /* RFC 7919 */
540 { 258, "ffdhe4096" }, /* RFC 7919 */
541 { 259, "ffdhe6144" }, /* RFC 7919 */
542 { 260, "ffdhe8192" }, /* RFC 7919 */
543 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
544 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
545 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
546 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
547 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
548 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
549 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
550 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
552 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
553 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
556 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
557 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
558 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
559 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
560 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
561 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
562 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
563 { 0xFF01, "arbitrary_explicit_prime_curves" },
564 { 0xFF02, "arbitrary_explicit_char2_curves" },
565 /* Below are various unofficial values that have been used for testing. */
566 /* PQC key exchange algorithms from OQS-OpenSSL,
567 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
568 These use IANA unassigned values and this list may be incomplete.
569 */
570 { 0x0200, "frodo640aes" },
571 { 0x2F00, "p256_frodo640aes" },
572 { 0x0201, "frodo640shake" },
573 { 0x2F01, "p256_frodo640shake" },
574 { 0x0202, "frodo976aes" },
575 { 0x2F02, "p384_frodo976aes" },
576 { 0x0203, "frodo976shake" },
577 { 0x2F03, "p384_frodo976shake" },
578 { 0x0204, "frodo1344aes" },
579 { 0x2F04, "p521_frodo1344aes" },
580 { 0x0205, "frodo1344shake" },
581 { 0x2F05, "p521_frodo1344shake" },
582 { 0x023A, "kyber512" },
583 { 0x2F3A, "p256_kyber512" },
584 { 0x023C, "kyber768" },
585 { 0x2F3C, "p384_kyber768" },
586 { 0x023D, "kyber1024" },
587 { 0x2F3D, "p521_kyber1024" },
588 { 0x0214, "ntru_hps2048509" },
589 { 0x2F14, "p256_ntru_hps2048509" },
590 { 0x0215, "ntru_hps2048677" },
591 { 0x2F15, "p384_ntru_hps2048677" },
592 { 0x0216, "ntru_hps4096821" },
593 { 0x2F16, "p521_ntru_hps4096821" },
594 { 0x0245, "ntru_hps40961229" },
595 { 0x2F45, "p521_ntru_hps40961229" },
596 { 0x0217, "ntru_hrss701" },
597 { 0x2F17, "p384_ntru_hrss701" },
598 { 0x0246, "ntru_hrss1373" },
599 { 0x2F46, "p521_ntru_hrss1373" },
600 { 0x0218, "lightsaber" },
601 { 0x2F18, "p256_lightsaber" },
602 { 0x0219, "saber" },
603 { 0x2F19, "p384_saber" },
604 { 0x021A, "firesaber" },
605 { 0x2F1A, "p521_firesaber" },
606 { 0x021B, "sidhp434" },
607 { 0x2F1B, "p256_sidhp434" },
608 { 0x021C, "sidhp503" },
609 { 0x2F1C, "p256_sidhp503" },
610 { 0x021D, "sidhp610" },
611 { 0x2F1D, "p384_sidhp610" },
612 { 0x021E, "sidhp751" },
613 { 0x2F1E, "p521_sidhp751" },
614 { 0x021F, "sikep434" },
615 { 0x2F1F, "p256_sikep434" },
616 { 0x0220, "sikep503" },
617 { 0x2F20, "p256_sikep503" },
618 { 0x0221, "sikep610" },
619 { 0x2F21, "p384_sikep610" },
620 { 0x0222, "sikep751" },
621 { 0x2F22, "p521_sikep751" },
622 { 0x0238, "bikel1" },
623 { 0x2F38, "p256_bikel1" },
624 { 0x023B, "bikel3" },
625 { 0x2F3B, "p384_bikel3" },
626 { 0x023E, "kyber90s512" },
627 { 0x2F3E, "p256_kyber90s512" },
628 { 0x023F, "kyber90s768" },
629 { 0x2F3F, "p384_kyber90s768" },
630 { 0x0240, "kyber90s1024" },
631 { 0x2F40, "p521_kyber90s1024" },
632 { 0x022C, "hqc128" },
633 { 0x2F2C, "p256_hqc128" },
634 { 0x022D, "hqc192" },
635 { 0x2F2D, "p384_hqc192" },
636 { 0x022E, "hqc256" },
637 { 0x2F2E, "p521_hqc256" },
638 { 0x022F, "ntrulpr653" },
639 { 0x2F2F, "p256_ntrulpr653" },
640 { 0x0230, "ntrulpr761" },
641 { 0x2F43, "p256_ntrulpr761" },
642 { 0x0231, "ntrulpr857" },
643 { 0x2F31, "p384_ntrulpr857" },
644 { 0x0241, "ntrulpr1277" },
645 { 0x2F41, "p521_ntrulpr1277" },
646 { 0x0232, "sntrup653" },
647 { 0x2F32, "p256_sntrup653" },
648 { 0x0233, "sntrup761" },
649 { 0x2F44, "p256_sntrup761" },
650 { 0x0234, "sntrup857" },
651 { 0x2F34, "p384_sntrup857" },
652 { 0x0242, "sntrup1277" },
653 { 0x2F42, "p521_sntrup1277" },
654 /* Other PQ key exchange algorithms, using Reserved for Private Use values
655 https://blog.cloudflare.com/post-quantum-for-all
656 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
657 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
658 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
659 { 0x00, NULL }
660 };
661
662 const value_string ssl_curve_types[] = {
663 { 1, "explicit_prime" },
664 { 2, "explicit_char2" },
665 { 3, "named_curve" },
666 { 0x00, NULL }
667 };
668
669 const value_string ssl_extension_ec_point_formats[] = {
670 { 0, "uncompressed" },
671 { 1, "ansiX962_compressed_prime" },
672 { 2, "ansiX962_compressed_char2" },
673 { 0x00, NULL }
674 };
675
676 const value_string ssl_20_certificate_type[] = {
677 { 0x00, "N/A" },
678 { 0x01, "X.509 Certificate" },
679 { 0x00, NULL }
680 };
681
682 const value_string ssl_31_content_type[] = {
683 { 20, "Change Cipher Spec" },
684 { 21, "Alert" },
685 { 22, "Handshake" },
686 { 23, "Application Data" },
687 { 24, "Heartbeat" },
688 { 25, "Connection ID" },
689 { 0x00, NULL }
690 };
691
692 #if 0
693 /* XXX - would be used if we dissected the body of a Change Cipher Spec
694 message. */
695 const value_string ssl_31_change_cipher_spec[] = {
696 { 1, "Change Cipher Spec" },
697 { 0x00, NULL }
698 };
699 #endif
700
701 const value_string ssl_31_alert_level[] = {
702 { 1, "Warning" },
703 { 2, "Fatal" },
704 { 0x00, NULL }
705 };
706
707 const value_string ssl_31_alert_description[] = {
708 { 0, "Close Notify" },
709 { 1, "End of Early Data" },
710 { 10, "Unexpected Message" },
711 { 20, "Bad Record MAC" },
712 { 21, "Decryption Failed" },
713 { 22, "Record Overflow" },
714 { 30, "Decompression Failure" },
715 { 40, "Handshake Failure" },
716 { 41, "No Certificate" },
717 { 42, "Bad Certificate" },
718 { 43, "Unsupported Certificate" },
719 { 44, "Certificate Revoked" },
720 { 45, "Certificate Expired" },
721 { 46, "Certificate Unknown" },
722 { 47, "Illegal Parameter" },
723 { 48, "Unknown CA" },
724 { 49, "Access Denied" },
725 { 50, "Decode Error" },
726 { 51, "Decrypt Error" },
727 { 60, "Export Restriction" },
728 { 70, "Protocol Version" },
729 { 71, "Insufficient Security" },
730 { 80, "Internal Error" },
731 { 86, "Inappropriate Fallback" },
732 { 90, "User Canceled" },
733 { 100, "No Renegotiation" },
734 { 109, "Missing Extension" },
735 { 110, "Unsupported Extension" },
736 { 111, "Certificate Unobtainable" },
737 { 112, "Unrecognized Name" },
738 { 113, "Bad Certificate Status Response" },
739 { 114, "Bad Certificate Hash Value" },
740 { 115, "Unknown PSK Identity" },
741 { 116, "Certificate Required" },
742 { 120, "No application Protocol" },
743 { 121, "ECH Required" },
744 { 0x00, NULL }
745 };
746
747 const value_string ssl_31_handshake_type[] = {
748 { SSL_HND_HELLO_REQUEST, "Hello Request" },
749 { SSL_HND_CLIENT_HELLO, "Client Hello" },
750 { SSL_HND_SERVER_HELLO, "Server Hello" },
751 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
752 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
753 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
754 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
755 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
756 { SSL_HND_CERTIFICATE, "Certificate" },
757 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
758 { SSL_HND_CERT_REQUEST, "Certificate Request" },
759 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
760 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
761 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
762 { SSL_HND_FINISHED, "Finished" },
763 { SSL_HND_CERT_URL, "Client Certificate URL" },
764 { SSL_HND_CERT_STATUS, "Certificate Status" },
765 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
766 { SSL_HND_KEY_UPDATE, "Key Update" },
767 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
768 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
769 { 0x00, NULL }
770 };
771
772 const value_string tls_heartbeat_type[] = {
773 { 1, "Request" },
774 { 2, "Response" },
775 { 0x00, NULL }
776 };
777
778 const value_string tls_heartbeat_mode[] = {
779 { 1, "Peer allowed to send requests" },
780 { 2, "Peer not allowed to send requests" },
781 { 0x00, NULL }
782 };
783
784 const value_string ssl_31_compression_method[] = {
785 { 0, "null" },
786 { 1, "DEFLATE" },
787 { 64, "LZS" },
788 { 0x00, NULL }
789 };
790
791 #if 0
792 /* XXX - would be used if we dissected a Signature, as would be
793 seen in a server key exchange or certificate verify message. */
794 const value_string ssl_31_key_exchange_algorithm[] = {
795 { 0, "RSA" },
796 { 1, "Diffie Hellman" },
797 { 0x00, NULL }
798 };
799
800 const value_string ssl_31_signature_algorithm[] = {
801 { 0, "Anonymous" },
802 { 1, "RSA" },
803 { 2, "DSA" },
804 { 0x00, NULL }
805 };
806 #endif
807
808 const value_string ssl_31_client_certificate_type[] = {
809 { 1, "RSA Sign" },
810 { 2, "DSS Sign" },
811 { 3, "RSA Fixed DH" },
812 { 4, "DSS Fixed DH" },
813 /* GOST certificate types */
814 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
815 { 21, "GOST R 34.10-94" },
816 { 22, "GOST R 34.10-2001" },
817 /* END GOST certificate types */
818 { 64, "ECDSA Sign" },
819 { 65, "RSA Fixed ECDH" },
820 { 66, "ECDSA Fixed ECDH" },
821 { 80, "IBC Params" },
822 { 0x00, NULL }
823 };
824
825 #if 0
826 /* XXX - would be used if we dissected exchange keys, as would be
827 seen in a client key exchange message. */
828 const value_string ssl_31_public_value_encoding[] = {
829 { 0, "Implicit" },
830 { 1, "Explicit" },
831 { 0x00, NULL }
832 };
833 #endif
834
835 /* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
836 /* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
837 static const value_string ssl_31_ciphersuite[] = {
838 /* RFC 2246, RFC 4346, RFC 5246 */
839 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
840 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
841 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
842 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
843 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
844 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
845 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
846 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
847 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
848 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
849 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
850 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
851 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
852 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
853 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
854 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
855 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
856 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
857 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
858 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
859 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
860 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
861 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
862 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
863 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
864 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
865 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
866 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
867
868 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
869 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
870 #if 0 /* Because it clashes with KRB5, is never used any more, and is safe
871 to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
872 of the ietf-tls list */
873 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
874 #endif
875 /* RFC 2712 */
876 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
877 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
878 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
879 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
880 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
881 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
882 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
883 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
884 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
885 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
886 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
887 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
888 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
889 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
890 /* RFC 4785 */
891 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
892 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
893 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
894 /* RFC 5246 */
895 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
896 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
897 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
898 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
899 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
900 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
901 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
902 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
903 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
904 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
905 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
906 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
907 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
908 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
909 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
910 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
911 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
912 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
913 /* RFC 4132 */
914 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
915 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
916 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
917 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
918 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
919 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
920 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
921 /* --- ??? --- */
922 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
923 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
924 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
925 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
926 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
927 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
928 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
929 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
930 /* --- ??? ---*/
931 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
932 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
933 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
934 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
935 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
936 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
937 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
938 /* draft-chudov-cryptopro-cptls-04.txt */
939 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
940 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
941 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
942 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
943 /* RFC 4132 */
944 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
945 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
946 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
947 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
948 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
949 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
950 /* RFC 4279 */
951 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
952 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
953 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
954 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
955 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
956 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
957 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
958 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
959 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
960 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
961 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
962 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
963 /* RFC 4162 */
964 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
965 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
966 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
967 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
968 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
969 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
970 /* RFC 5288 */
971 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
972 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
973 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
974 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
975 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
976 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
977 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
978 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
979 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
980 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
981 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
982 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
983 /* RFC 5487 */
984 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
985 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
986 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
987 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
988 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
989 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
990 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
991 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
992 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
993 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
994 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
995 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
996 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
997 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
998 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
999 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
1000 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
1001 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
1002 /* From RFC 5932 */
1003 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1004 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
1005 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1006 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
1007 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1008 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
1009 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1010 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1011 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1012 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1013 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1014 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1015 /* RFC 8998 */
1016 { 0x00C6, "TLS_SM4_GCM_SM3" },
1017 { 0x00C7, "TLS_SM4_CCM_SM3" },
1018 /* 0x00,0xC8-FE Unassigned */
1019 /* From RFC 5746 */
1020 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1021 /* RFC 8701 */
1022 { 0x0A0A, "Reserved (GREASE)" },
1023 /* RFC 8446 */
1024 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1025 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1026 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1027 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1028 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1029 /* RFC 8701 */
1030 { 0x1A1A, "Reserved (GREASE)" },
1031 { 0x2A2A, "Reserved (GREASE)" },
1032 { 0x3A3A, "Reserved (GREASE)" },
1033 { 0x4A4A, "Reserved (GREASE)" },
1034 /* From RFC 7507 */
1035 { 0x5600, "TLS_FALLBACK_SCSV" },
1036 /* RFC 8701 */
1037 { 0x5A5A, "Reserved (GREASE)" },
1038 { 0x6A6A, "Reserved (GREASE)" },
1039 { 0x7A7A, "Reserved (GREASE)" },
1040 { 0x8A8A, "Reserved (GREASE)" },
1041 { 0x9A9A, "Reserved (GREASE)" },
1042 { 0xAAAA, "Reserved (GREASE)" },
1043 { 0xBABA, "Reserved (GREASE)" },
1044 /* From RFC 4492 */
1045 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1046 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1047 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1048 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1049 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1050 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1051 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1052 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1053 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1054 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1055 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1056 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1057 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1058 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1059 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1060 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1061 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1062 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1063 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1064 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1065 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1066 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1067 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1068 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1069 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1070 /* RFC 5054 */
1071 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1072 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1073 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1074 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1075 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1076 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1077 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1078 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1079 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1080 /* RFC 5589 */
1081 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1082 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1083 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1084 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1085 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1086 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1087 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1088 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1089 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1090 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1091 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1092 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1093 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1094 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1095 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1096 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1097 /* RFC 5489 */
1098 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1099 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1100 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1101 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1102 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1103 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1104 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1105 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1106 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1107 /* RFC 6209 */
1108 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1109 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1110 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1111 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1112 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1113 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1114 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1115 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1116 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1117 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1118 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1119 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1120 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1121 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1122 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1123 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1124 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1125 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1126 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1127 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1128 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1129 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1130 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1131 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1132 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1133 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1134 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1135 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1136 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1137 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1138 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1139 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1140 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1141 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1142 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1143 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1144 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1145 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1146 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1147 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1148 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1149 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1150 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1151 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1152 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1153 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1154 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1155 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1156 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1157 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1158 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1159 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1160 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1161 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1162 /* RFC 6367 */
1163 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1164 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1165 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1166 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1167 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1168 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1169 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1170 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1171 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1172 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1173 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1174 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1175 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1176 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1177 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1178 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1179 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1180 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1181 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1182 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1183 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1184 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1185 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1186 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1187 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1188 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1189 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1190 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1191 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1192 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1193 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1194 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1195 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1196 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1197 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1198 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1199 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1200 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1201 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1202 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1203 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1204 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1205 /* RFC 6655 */
1206 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1207 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1208 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1209 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1210 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1211 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1212 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1213 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1214 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1215 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1216 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1217 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1218 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1219 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1220 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1221 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1222 /* RFC 7251 */
1223 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1224 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1225 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1226 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1227 /* RFC 8492 */
1228 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1229 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1230 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1231 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1232 /* draft-camwinget-tls-ts13-macciphersuites */
1233 { 0xC0B4, "TLS_SHA256_SHA256" },
1234 { 0xC0B5, "TLS_SHA384_SHA384" },
1235 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1236 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1237 /* draft-smyshlyaev-tls12-gost-suites */
1238 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1239 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1240 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1241 /* draft-smyshlyaev-tls13-gost-suites */
1242 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1243 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1244 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1245 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1246 /* RFC 8701 */
1247 { 0xCACA, "Reserved (GREASE)" },
1248 /*
1249 0xC0,0xAB-FF Unassigned
1250 0xC1,0x03-FD,* Unassigned
1251 0xFE,0x00-FD Unassigned
1252 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
1253 0xFF,0x00-FF Reserved for Private Use [RFC5246]
1254 */
1255 /* old numbers used in the beginning
1256 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
1257 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1258 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1259 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1260 /* RFC 7905 */
1261 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1262 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1263 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1264 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1265 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1266 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1267 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1268 /* RFC 8442 */
1269 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1270 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1271 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1272 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1273 /* RFC 8701 */
1274 { 0xDADA, "Reserved (GREASE)" },
1275 /* GM/T 0024-2014 */
1276 { 0xe001, "ECDHE_SM1_SM3"},
1277 { 0xe003, "ECC_SM1_SM3"},
1278 { 0xe005, "IBSDH_SM1_SM3"},
1279 { 0xe007, "IBC_SM1_SM3"},
1280 { 0xe009, "RSA_SM1_SM3"},
1281 { 0xe00a, "RSA_SM1_SHA1"},
1282 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1283 { 0xe013, "ECC_SM4_CBC_SM3"},
1284 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1285 { 0xe017, "IBC_SM4_CBC_SM3"},
1286 { 0xe019, "RSA_SM4_CBC_SM3"},
1287 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1288 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1289 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1290 { 0xe053, "ECC_SM4_GCM_SM3"},
1291 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1292 { 0xe057, "IBC_SM4_GCM_SM3"},
1293 { 0xe059, "RSA_SM4_GCM_SM3"},
1294 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1295 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1296 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1297 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1298 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1299 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1300 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1301 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1302 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1303 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1304 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1305 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1306 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1307 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1308 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1309 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1310 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1311 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1312 /* RFC 8701 */
1313 { 0xEAEA, "Reserved (GREASE)" },
1314 { 0xFAFA, "Reserved (GREASE)" },
1315 /* these from http://www.mozilla.org/projects/
1316 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
1317 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1318 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1319 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1320 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1321 /* note that ciphersuites 0xff00 - 0xffff are private */
1322 { 0x00, NULL }
1323 };
1324
1325 value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite);
1326
1327 /* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1328 const value_string tls_hello_extension_types[] = {
1329 { SSL_HND_HELLO_EXT_SERVER_NAME, "server_name" }, /* RFC 6066 */
1330 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH, "max_fragment_length" },/* RFC 6066 */
1331 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL, "client_certificate_url" }, /* RFC 6066 */
1332 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS, "trusted_ca_keys" }, /* RFC 6066 */
1333 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC, "truncated_hmac" }, /* RFC 6066 */
1334 { SSL_HND_HELLO_EXT_STATUS_REQUEST, "status_request" }, /* RFC 6066 */
1335 { SSL_HND_HELLO_EXT_USER_MAPPING, "user_mapping" }, /* RFC 4681 */
1336 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ, "client_authz" }, /* RFC 5878 */
1337 { SSL_HND_HELLO_EXT_SERVER_AUTHZ, "server_authz" }, /* RFC 5878 */
1338 { SSL_HND_HELLO_EXT_CERT_TYPE, "cert_type" }, /* RFC 6091 */
1339 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS, "supported_groups" }, /* RFC 4492, RFC 7919 */
1340 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS, "ec_point_formats" }, /* RFC 4492 */
1341 { SSL_HND_HELLO_EXT_SRP, "srp" }, /* RFC 5054 */
1342 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS, "signature_algorithms" }, /* RFC 5246 */
1343 { SSL_HND_HELLO_EXT_USE_SRTP, "use_srtp" }, /* RFC 5764 */
1344 { SSL_HND_HELLO_EXT_HEARTBEAT, "heartbeat" }, /* RFC 6520 */
1345 { SSL_HND_HELLO_EXT_ALPN, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1346 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V2, "status_request_v2" }, /* RFC 6961 */
1347 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP, "signed_certificate_timestamp" }, /* RFC 6962 */
1348 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE, "client_certificate_type" }, /* RFC 7250 */
1349 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE, "server_certificate_type" }, /* RFC 7250 */
1350 { SSL_HND_HELLO_EXT_PADDING, "padding" }, /* RFC 7685 */
1351 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC, "encrypt_then_mac" }, /* RFC 7366 */
1352 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET, "extended_master_secret" }, /* RFC 7627 */
1353 { SSL_HND_HELLO_EXT_TOKEN_BINDING, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1354 { SSL_HND_HELLO_EXT_CACHED_INFO, "cached_info" }, /* RFC 7924 */
1355 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1356 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT, "record_size_limit" }, /* RFC 8449 */
1357 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1358 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1359 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1360 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY, "pre_shared_key" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_EARLY_DATA, "early_data" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS, "supported_versions" }, /* RFC 8446 */
1363 { SSL_HND_HELLO_EXT_COOKIE, "cookie" }, /* RFC 8446 */
1364 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES, "psk_key_exchange_modes" }, /* RFC 8446 */
1365 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1366 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES, "certificate_authorities" }, /* RFC 8446 */
1367 { SSL_HND_HELLO_EXT_OID_FILTERS, "oid_filters" }, /* RFC 8446 */
1368 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH, "post_handshake_auth" }, /* RFC 8446 */
1369 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT, "signature_algorithms_cert" }, /* RFC 8446 */
1370 { SSL_HND_HELLO_EXT_KEY_SHARE, "key_share" }, /* RFC 8446 */
1371 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1372 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1373 { SSL_HND_HELLO_EXT_CONNECTION_ID, "connection_id" }, /* RFC 9146 */
1374 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH, "external_id_hash" }, /* RFC 8844 */
1375 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID, "external_session_id" }, /* RFC 8844 */
1376 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V1, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1377 { SSL_HND_HELLO_EXT_TICKET_REQUEST, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1378 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN, "dnssec_chain" }, /* RFC 9102 */
1379 { SSL_HND_HELLO_EXT_GREASE_0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_GREASE_1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
1381 { SSL_HND_HELLO_EXT_GREASE_2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
1382 { SSL_HND_HELLO_EXT_NPN, "next_protocol_negotiation"}, /* https://tools.ietf.org/id/draft-agl-tls-nextprotoneg-03.html */
1383 { SSL_HND_HELLO_EXT_GREASE_3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
1384 { SSL_HND_HELLO_EXT_ALPS, "application_settings" }, /* draft-vvv-tls-alps-01 */
1385 { SSL_HND_HELLO_EXT_GREASE_4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
1386 { SSL_HND_HELLO_EXT_GREASE_5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
1387 { SSL_HND_HELLO_EXT_GREASE_6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1389 https://twitter.com/ericlaw/status/274237352531083264 */
1390 { SSL_HND_HELLO_EXT_CHANNEL_ID, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1391 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1392 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO, "renegotiation_info" }, /* RFC 5746 */
1393 { SSL_HND_HELLO_EXT_GREASE_7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_GREASE_8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
1395 { SSL_HND_HELLO_EXT_GREASE_9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
1396 { SSL_HND_HELLO_EXT_GREASE_AAAA, "Reserved (GREASE)" }, /* RFC 8701 */
1397 { SSL_HND_HELLO_EXT_GREASE_BABA, "Reserved (GREASE)" }, /* RFC 8701 */
1398 { SSL_HND_HELLO_EXT_GREASE_CACA, "Reserved (GREASE)" }, /* RFC 8701 */
1399 { SSL_HND_HELLO_EXT_GREASE_DADA, "Reserved (GREASE)" }, /* RFC 8701 */
1400 { SSL_HND_HELLO_EXT_GREASE_EAEA, "Reserved (GREASE)" }, /* RFC 8701 */
1401 { SSL_HND_HELLO_EXT_GREASE_FAFA, "Reserved (GREASE)" }, /* RFC 8701 */
1402 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1403 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1404 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1405 { 0, NULL }
1406 };
1407
1408 const value_string tls_hello_ext_server_name_type_vs[] = {
1409 { 0, "host_name" },
1410 { 0, NULL }
1411 };
1412
1413 /* RFC 6066 Section 4 */
1414 const value_string tls_hello_ext_max_fragment_length[] = {
1415 { 1, "512" }, // 2^9
1416 { 2, "1024" }, // 2^10
1417 { 3, "2048" }, // 2^11
1418 { 4, "4096" }, // 2^12
1419 { 0, NULL }
1420 };
1421
1422 /* RFC 8446 Section 4.2.9 */
1423 const value_string tls_hello_ext_psk_ke_mode[] = {
1424 { 0, "PSK-only key establishment (psk_ke)" },
1425 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
1426 { 0, NULL }
1427 };
1428
1429 /* RFC 6066 Section 6 */
1430 const value_string tls_hello_ext_trusted_ca_key_type[] = {
1431 {0, "pre_agreed"},
1432 {1, "key_sha1_hash"},
1433 {2, "x509_name"},
1434 {3, "cert_sha1_hash"},
1435 {0, NULL}
1436 };
1437
1438 const value_string tls13_key_update_request[] = {
1439 { 0, "update_not_requested" },
1440 { 1, "update_requested" },
1441 { 0, NULL }
1442 };
1443
1444 /* RFC 5246 7.4.1.4.1 */
1445 /* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1446 /* Note that the TLS 1.3 SignatureScheme registry reserves all values
1447 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1448 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1449 *
1450 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1451 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1452 * and TLS HashAlgorithm registries, but the new values are not compatible
1453 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1454 * cause confusion if used to interpret one of those schemes in a
1455 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1456 */
1457 const value_string tls_hash_algorithm[] = {
1458 { 0, "None" },
1459 { 1, "MD5" },
1460 { 2, "SHA1" },
1461 { 3, "SHA224" },
1462 { 4, "SHA256" },
1463 { 5, "SHA384" },
1464 { 6, "SHA512" },
1465 #if 0
1466 /* RFC 8422 adds this to the HashAlgorithm registry, but it really
1467 * only applies to 0x0807 and 0x0808, not for other TLS 1.3
1468 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
1469 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
1470 */
1471 { 8, "Intrinsic" },
1472 #endif
1473 { 0, NULL }
1474 };
1475
1476 const value_string tls_signature_algorithm[] = {
1477 { 0, "Anonymous" },
1478 { 1, "RSA" },
1479 { 2, "DSA" },
1480 { 3, "ECDSA" },
1481 #if 0
1482 /* As above. */
1483 { 7, "ED25519" },
1484 { 8, "ED448" },
1485 { 64, "GOSTR34102012_256" },
1486 { 65, "GOSTR34102012_512" },
1487 #endif
1488 { 0, NULL }
1489 };
1490
1491 /* RFC 8446 Section 4.2.3 */
1492 const value_string tls13_signature_algorithm[] = {
1493 { 0x0201, "rsa_pkcs1_sha1" },
1494 { 0x0203, "ecdsa_sha1" },
1495 { 0x0401, "rsa_pkcs1_sha256" },
1496 { 0x0403, "ecdsa_secp256r1_sha256" },
1497 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1498 { 0x0501, "rsa_pkcs1_sha384" },
1499 { 0x0503, "ecdsa_secp384r1_sha384" },
1500 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1501 { 0x0601, "rsa_pkcs1_sha512" },
1502 { 0x0603, "ecdsa_secp521r1_sha512" },
1503 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1504 { 0x0708, "sm2sig_sm3" },
1505 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
1506 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
1507 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
1508 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
1509 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
1510 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
1511 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
1512 { 0x0804, "rsa_pss_rsae_sha256" },
1513 { 0x0805, "rsa_pss_rsae_sha384" },
1514 { 0x0806, "rsa_pss_rsae_sha512" },
1515 { 0x0807, "ed25519" },
1516 { 0x0808, "ed448" },
1517 { 0x0809, "rsa_pss_pss_sha256" },
1518 { 0x080a, "rsa_pss_pss_sha384" },
1519 { 0x080b, "rsa_pss_pss_sha512" },
1520 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
1521 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
1522 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
1523 /* PQC digital signature algorithms from OQS-OpenSSL,
1524 see https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-sig-info.md */
1525 { 0xfea0, "dilithium2" },
1526 { 0xfea1, "p256_dilithium2" },
1527 { 0xfea2, "rsa3072_dilithium2" },
1528 { 0xfea3, "dilithium3" },
1529 { 0xfea4, "p384_dilithium3" },
1530 { 0xfea5, "dilithium5" },
1531 { 0xfea6, "p521_dilithium5" },
1532 { 0xfea7, "dilithium2_aes" },
1533 { 0xfea8, "p256_dilithium2_aes" },
1534 { 0xfea9, "rsa3072_dilithium2_aes" },
1535 { 0xfeaa, "dilithium3_aes" },
1536 { 0xfeab, "p384_dilithium3_aes" },
1537 { 0xfeac, "dilithium5_aes" },
1538 { 0xfead, "p521_dilithium5_aes" },
1539 { 0xfe0b, "falcon512" },
1540 { 0xfe0c, "p256_falcon512" },
1541 { 0xfe0d, "rsa3072_falcon512" },
1542 { 0xfe0e, "falcon1024" },
1543 { 0xfe0f, "p521_falcon1024" },
1544 { 0xfe96, "picnicl1full" },
1545 { 0xfe97, "p256_picnicl1full" },
1546 { 0xfe98, "rsa3072_picnicl1full" },
1547 { 0xfe1b, "picnic3l1" },
1548 { 0xfe1c, "p256_picnic3l1" },
1549 { 0xfe1d, "rsa3072_picnic3l1" },
1550 { 0xfe27, "rainbowIclassic" },
1551 { 0xfe28, "p256_rainbowIclassic" },
1552 { 0xfe29, "rsa3072_rainbowIclassic" },
1553 { 0xfe3c, "rainbowVclassic" },
1554 { 0xfe3d, "p521_rainbowVclassic" },
1555 { 0xfe42, "sphincsharaka128frobust" },
1556 { 0xfe43, "p256_sphincsharaka128frobust" },
1557 { 0xfe44, "rsa3072_sphincsharaka128frobust" },
1558 { 0xfe5e, "sphincssha256128frobust" },
1559 { 0xfe5f, "p256_sphincssha256128frobust" },
1560 { 0xfe60, "rsa3072_sphincssha256128frobust" },
1561 { 0xfe7a, "sphincsshake256128frobust" },
1562 { 0xfe7b, "p256_sphincsshake256128frobust" },
1563 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
1564 { 0, NULL }
1565 };
1566
1567 /* RFC 6091 3.1 */
1568 const value_string tls_certificate_type[] = {
1569 { 0, "X.509" },
1570 { 1, "OpenPGP" },
1571 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY, "Raw Public Key" }, /* RFC 7250 */
1572 { 0, NULL }
1573 };
1574
1575 const value_string tls_cert_chain_type[] = {
1576 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT, "Individual Certificates" },
1577 { SSL_HND_CERT_URL_TYPE_PKIPATH, "PKI Path" },
1578 { 0, NULL }
1579 };
1580
1581 const value_string tls_cert_status_type[] = {
1582 { SSL_HND_CERT_STATUS_TYPE_OCSP, "OCSP" },
1583 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI, "OCSP Multi" },
1584 { 0, NULL }
1585 };
1586
1587 /* Generated by tools/make-tls-ct-logids.py
1588 * Last-Modified Sat, 05 Oct 2024 13:48:00 GMT, 165 entries. */
1589 static const bytes_string ct_logids[] = {
1590 { (const uint8_t[]){
1591 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1592 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1593 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1594 },
1595 32, "Google 'Argon2020' log" },
1596 { (const uint8_t[]){
1597 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1598 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1599 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1600 },
1601 32, "Google 'Argon2021' log" },
1602 { (const uint8_t[]){
1603 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1604 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1605 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1606 },
1607 32, "Google 'Argon2022' log" },
1608 { (const uint8_t[]){
1609 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1610 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1611 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1612 },
1613 32, "Google 'Argon2023' log" },
1614 { (const uint8_t[]){
1615 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1616 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1617 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1618 },
1619 32, "Google 'Argon2024' log" },
1620 { (const uint8_t[]){
1621 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1622 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1623 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1624 },
1625 32, "Google 'Argon2025h1' log" },
1626 { (const uint8_t[]){
1627 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1628 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1629 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1630 },
1631 32, "Google 'Argon2025h2' log" },
1632 { (const uint8_t[]){
1633 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1634 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1635 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1636 },
1637 32, "Google 'Argon2026h1' log" },
1638 { (const uint8_t[]){
1639 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1640 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1641 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1642 },
1643 32, "Google 'Argon2026h2' log" },
1644 { (const uint8_t[]){
1645 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1646 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1647 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1648 },
1649 32, "Google 'Xenon2020' log" },
1650 { (const uint8_t[]){
1651 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1652 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1653 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1654 },
1655 32, "Google 'Xenon2021' log" },
1656 { (const uint8_t[]){
1657 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1658 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1659 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1660 },
1661 32, "Google 'Xenon2022' log" },
1662 { (const uint8_t[]){
1663 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1664 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1665 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1666 },
1667 32, "Google 'Xenon2023' log" },
1668 { (const uint8_t[]){
1669 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1670 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1671 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1672 },
1673 32, "Google 'Xenon2024' log" },
1674 { (const uint8_t[]){
1675 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1676 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1677 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1678 },
1679 32, "Google 'Xenon2025h1' log" },
1680 { (const uint8_t[]){
1681 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1682 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1683 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1684 },
1685 32, "Google 'Xenon2025h2' log" },
1686 { (const uint8_t[]){
1687 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1688 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1689 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1690 },
1691 32, "Google 'Xenon2026h1' log" },
1692 { (const uint8_t[]){
1693 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1694 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1695 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1696 },
1697 32, "Google 'Xenon2026h2' log" },
1698 { (const uint8_t[]){
1699 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1700 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1701 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1702 },
1703 32, "Google 'Aviator' log" },
1704 { (const uint8_t[]){
1705 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1706 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1707 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1708 },
1709 32, "Google 'Icarus' log" },
1710 { (const uint8_t[]){
1711 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1712 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1713 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1714 },
1715 32, "Google 'Pilot' log" },
1716 { (const uint8_t[]){
1717 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1718 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1719 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1720 },
1721 32, "Google 'Rocketeer' log" },
1722 { (const uint8_t[]){
1723 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1724 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1725 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1726 },
1727 32, "Google 'Skydiver' log" },
1728 { (const uint8_t[]){
1729 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1730 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1731 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1732 },
1733 32, "Google 'Argon2017' log" },
1734 { (const uint8_t[]){
1735 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1736 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1737 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1738 },
1739 32, "Google 'Argon2018' log" },
1740 { (const uint8_t[]){
1741 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1742 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1743 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1744 },
1745 32, "Google 'Argon2019' log" },
1746 { (const uint8_t[]){
1747 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1748 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1749 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1750 },
1751 32, "Google 'Xenon2018' log" },
1752 { (const uint8_t[]){
1753 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1754 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1755 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1756 },
1757 32, "Google 'Xenon2019' log" },
1758 { (const uint8_t[]){
1759 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1760 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1761 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1762 },
1763 32, "Google 'Submariner' log" },
1764 { (const uint8_t[]){
1765 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1766 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1767 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1768 },
1769 32, "Google 'Daedalus' log" },
1770 { (const uint8_t[]){
1771 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1772 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1773 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1774 },
1775 32, "Google 'Testtube' log" },
1776 { (const uint8_t[]){
1777 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1778 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1779 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1780 },
1781 32, "Google 'Crucible' log" },
1782 { (const uint8_t[]){
1783 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1784 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1785 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1786 },
1787 32, "Google 'Solera2018' log" },
1788 { (const uint8_t[]){
1789 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1790 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1791 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1792 },
1793 32, "Google 'Solera2019' log" },
1794 { (const uint8_t[]){
1795 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1796 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1797 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1798 },
1799 32, "Google 'Solera2020' log" },
1800 { (const uint8_t[]){
1801 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1802 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1803 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1804 },
1805 32, "Google 'Solera2021' log" },
1806 { (const uint8_t[]){
1807 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1808 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1809 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1810 },
1811 32, "Google 'Solera2022' log" },
1812 { (const uint8_t[]){
1813 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1814 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1815 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1816 },
1817 32, "Google 'Solera2023' log" },
1818 { (const uint8_t[]){
1819 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1820 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1821 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1822 },
1823 32, "Google 'Solera2024' log" },
1824 { (const uint8_t[]){
1825 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1826 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1827 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1828 },
1829 32, "Google 'Solera2025h1' log" },
1830 { (const uint8_t[]){
1831 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1832 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1833 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1834 },
1835 32, "Google 'Solera2025h2' log" },
1836 { (const uint8_t[]){
1837 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1838 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1839 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1840 },
1841 32, "Google 'Solera2026h1' log" },
1842 { (const uint8_t[]){
1843 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1844 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1845 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1846 },
1847 32, "Google 'Solera2026h2' log" },
1848 { (const uint8_t[]){
1849 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1850 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1851 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1852 },
1853 32, "Cloudflare 'Nimbus2020' Log" },
1854 { (const uint8_t[]){
1855 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1856 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1857 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1858 },
1859 32, "Cloudflare 'Nimbus2021' Log" },
1860 { (const uint8_t[]){
1861 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1862 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1863 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1864 },
1865 32, "Cloudflare 'Nimbus2022' Log" },
1866 { (const uint8_t[]){
1867 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1868 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1869 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1870 },
1871 32, "Cloudflare 'Nimbus2023' Log" },
1872 { (const uint8_t[]){
1873 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1874 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1875 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1876 },
1877 32, "Cloudflare 'Nimbus2024' Log" },
1878 { (const uint8_t[]){
1879 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1880 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1881 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1882 },
1883 32, "Cloudflare 'Nimbus2025'" },
1884 { (const uint8_t[]){
1885 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1886 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1887 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1888 },
1889 32, "Cloudflare 'Nimbus2026'" },
1890 { (const uint8_t[]){
1891 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1892 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1893 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1894 },
1895 32, "Cloudflare 'Nimbus2017' Log" },
1896 { (const uint8_t[]){
1897 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1898 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1899 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1900 },
1901 32, "Cloudflare 'Nimbus2018' Log" },
1902 { (const uint8_t[]){
1903 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1904 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1905 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1906 },
1907 32, "Cloudflare 'Nimbus2019' Log" },
1908 { (const uint8_t[]){
1909 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1910 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1911 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1912 },
1913 32, "DigiCert Log Server" },
1914 { (const uint8_t[]){
1915 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1916 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1917 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1918 },
1919 32, "DigiCert Log Server 2" },
1920 { (const uint8_t[]){
1921 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1922 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1923 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1924 },
1925 32, "DigiCert Yeti2020 Log" },
1926 { (const uint8_t[]){
1927 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1928 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1929 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1930 },
1931 32, "DigiCert Yeti2021 Log" },
1932 { (const uint8_t[]){
1933 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1934 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1935 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1936 },
1937 32, "DigiCert Yeti2022 Log" },
1938 { (const uint8_t[]){
1939 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1940 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1941 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1942 },
1943 32, "DigiCert Yeti2023 Log" },
1944 { (const uint8_t[]){
1945 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1946 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1947 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1948 },
1949 32, "DigiCert Yeti2024 Log" },
1950 { (const uint8_t[]){
1951 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1952 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1953 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1954 },
1955 32, "DigiCert Yeti2025 Log" },
1956 { (const uint8_t[]){
1957 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1958 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1959 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1960 },
1961 32, "DigiCert Nessie2020 Log" },
1962 { (const uint8_t[]){
1963 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
1964 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
1965 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
1966 },
1967 32, "DigiCert Nessie2021 Log" },
1968 { (const uint8_t[]){
1969 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
1970 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
1971 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
1972 },
1973 32, "DigiCert Nessie2022 Log" },
1974 { (const uint8_t[]){
1975 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
1976 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
1977 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
1978 },
1979 32, "DigiCert Nessie2023 Log" },
1980 { (const uint8_t[]){
1981 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
1982 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
1983 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
1984 },
1985 32, "DigiCert Nessie2024 Log" },
1986 { (const uint8_t[]){
1987 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
1988 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
1989 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
1990 },
1991 32, "DigiCert Nessie2025 Log" },
1992 { (const uint8_t[]){
1993 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
1994 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
1995 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
1996 },
1997 32, "DigiCert 'Wyvern2024h1' Log" },
1998 { (const uint8_t[]){
1999 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2000 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2001 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2002 },
2003 32, "DigiCert 'Wyvern2024h2' Log" },
2004 { (const uint8_t[]){
2005 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2006 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2007 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2008 },
2009 32, "DigiCert 'Wyvern2025h1' Log" },
2010 { (const uint8_t[]){
2011 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2012 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2013 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2014 },
2015 32, "DigiCert 'Wyvern2025h2' Log" },
2016 { (const uint8_t[]){
2017 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2018 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2019 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2020 },
2021 32, "DigiCert 'Wyvern2026h1'" },
2022 { (const uint8_t[]){
2023 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2024 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2025 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2026 },
2027 32, "DigiCert 'Wyvern2026h2'" },
2028 { (const uint8_t[]){
2029 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2030 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2031 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2032 },
2033 32, "DigiCert 'Sphinx2024h1' Log" },
2034 { (const uint8_t[]){
2035 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2036 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2037 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2038 },
2039 32, "DigiCert 'Sphinx2024h2' Log" },
2040 { (const uint8_t[]){
2041 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2042 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2043 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2044 },
2045 32, "DigiCert 'Sphinx2025h1' Log" },
2046 { (const uint8_t[]){
2047 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2048 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2049 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2050 },
2051 32, "DigiCert 'Sphinx2025h2' Log" },
2052 { (const uint8_t[]){
2053 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2054 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2055 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2056 },
2057 32, "DigiCert 'Sphinx2026h1'" },
2058 { (const uint8_t[]){
2059 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2060 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2061 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2062 },
2063 32, "DigiCert 'Sphinx2026h2'" },
2064 { (const uint8_t[]){
2065 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2066 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2067 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2068 },
2069 32, "Symantec log" },
2070 { (const uint8_t[]){
2071 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2072 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2073 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2074 },
2075 32, "Symantec 'Vega' log" },
2076 { (const uint8_t[]){
2077 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2078 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2079 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2080 },
2081 32, "Symantec 'Sirius' log" },
2082 { (const uint8_t[]){
2083 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2084 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2085 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2086 },
2087 32, "DigiCert Yeti2022-2 Log" },
2088 { (const uint8_t[]){
2089 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2090 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2091 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2092 },
2093 32, "DigiCert Yeti2018 Log" },
2094 { (const uint8_t[]){
2095 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2096 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2097 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2098 },
2099 32, "DigiCert Yeti2019 Log" },
2100 { (const uint8_t[]){
2101 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2102 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2103 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2104 },
2105 32, "DigiCert Nessie2018 Log" },
2106 { (const uint8_t[]){
2107 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2108 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2109 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2110 },
2111 32, "DigiCert Nessie2019 Log" },
2112 { (const uint8_t[]){
2113 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2114 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2115 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2116 },
2117 32, "Symantec Deneb" },
2118 { (const uint8_t[]){
2119 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2120 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2121 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2122 },
2123 32, "Certly.IO log" },
2124 { (const uint8_t[]){
2125 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2126 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2127 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2128 },
2129 32, "Izenpe log" },
2130 { (const uint8_t[]){
2131 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2132 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2133 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2134 },
2135 32, "Izenpe 'Argi' log" },
2136 { (const uint8_t[]){
2137 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2138 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2139 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2140 },
2141 32, "WoSign log" },
2142 { (const uint8_t[]){
2143 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2144 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2145 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2146 },
2147 32, "WoSign CT log #1" },
2148 { (const uint8_t[]){
2149 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2150 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2151 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2152 },
2153 32, "WoSign log 2" },
2154 { (const uint8_t[]){
2155 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2156 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2157 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2158 },
2159 32, "Venafi log" },
2160 { (const uint8_t[]){
2161 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2162 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2163 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2164 },
2165 32, "Venafi Gen2 CT log" },
2166 { (const uint8_t[]){
2167 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2168 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2169 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2170 },
2171 32, "CNNIC CT log" },
2172 { (const uint8_t[]){
2173 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2174 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2175 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2176 },
2177 32, "StartCom log" },
2178 { (const uint8_t[]){
2179 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2180 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2181 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2182 },
2183 32, "Sectigo 'Sabre' CT log" },
2184 { (const uint8_t[]){
2185 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2186 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2187 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2188 },
2189 32, "Sectigo 'Sabre2024h1'" },
2190 { (const uint8_t[]){
2191 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2192 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2193 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2194 },
2195 32, "Sectigo 'Sabre2024h2'" },
2196 { (const uint8_t[]){
2197 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2198 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2199 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2200 },
2201 32, "Sectigo 'Sabre2025h1'" },
2202 { (const uint8_t[]){
2203 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2204 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2205 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2206 },
2207 32, "Sectigo 'Sabre2025h2'" },
2208 { (const uint8_t[]){
2209 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2210 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2211 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2212 },
2213 32, "Sectigo 'Mammoth' CT log" },
2214 { (const uint8_t[]){
2215 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2216 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2217 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2218 },
2219 32, "Sectigo 'Mammoth2024h1'" },
2220 { (const uint8_t[]){
2221 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2222 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2223 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2224 },
2225 32, "Sectigo 'Mammoth2024h1b'" },
2226 { (const uint8_t[]){
2227 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2228 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2229 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2230 },
2231 32, "Sectigo 'Mammoth2024h2'" },
2232 { (const uint8_t[]){
2233 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2234 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2235 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2236 },
2237 32, "Sectigo 'Mammoth2025h1'" },
2238 { (const uint8_t[]){
2239 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2240 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2241 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2242 },
2243 32, "Sectigo 'Mammoth2025h2'" },
2244 { (const uint8_t[]){
2245 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2246 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2247 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2248 },
2249 32, "Sectigo 'Mammoth2026h1'" },
2250 { (const uint8_t[]){
2251 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2252 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2253 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2254 },
2255 32, "Sectigo 'Mammoth2026h2'" },
2256 { (const uint8_t[]){
2257 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2258 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2259 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2260 },
2261 32, "Sectigo 'Sabre2026h1'" },
2262 { (const uint8_t[]){
2263 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2264 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2265 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2266 },
2267 32, "Sectigo 'Sabre2026h2'" },
2268 { (const uint8_t[]){
2269 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2270 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2271 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2272 },
2273 32, "Sectigo 'Dodo' CT log" },
2274 { (const uint8_t[]){
2275 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2276 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2277 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2278 },
2279 32, "Let's Encrypt 'Oak2020' log" },
2280 { (const uint8_t[]){
2281 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2282 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2283 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2284 },
2285 32, "Let's Encrypt 'Oak2021' log" },
2286 { (const uint8_t[]){
2287 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2288 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2289 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2290 },
2291 32, "Let's Encrypt 'Oak2022' log" },
2292 { (const uint8_t[]){
2293 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2294 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2295 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2296 },
2297 32, "Let's Encrypt 'Oak2023' log" },
2298 { (const uint8_t[]){
2299 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2300 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2301 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2302 },
2303 32, "Let's Encrypt 'Oak2024H1' log" },
2304 { (const uint8_t[]){
2305 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2306 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2307 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2308 },
2309 32, "Let's Encrypt 'Oak2024H2' log" },
2310 { (const uint8_t[]){
2311 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2312 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2313 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2314 },
2315 32, "Let's Encrypt 'Oak2025h1'" },
2316 { (const uint8_t[]){
2317 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2318 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2319 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2320 },
2321 32, "Let's Encrypt 'Oak2025h2'" },
2322 { (const uint8_t[]){
2323 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2324 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2325 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2326 },
2327 32, "Let's Encrypt 'Oak2026h1'" },
2328 { (const uint8_t[]){
2329 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2330 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2331 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2332 },
2333 32, "Let's Encrypt 'Oak2026h2'" },
2334 { (const uint8_t[]){
2335 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2336 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2337 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2338 },
2339 32, "Let's Encrypt 'Oak2019' log" },
2340 { (const uint8_t[]){
2341 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2342 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2343 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2344 },
2345 32, "Let's Encrypt 'Testflume2019' log" },
2346 { (const uint8_t[]){
2347 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2348 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2349 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2350 },
2351 32, "Let's Encrypt 'Sapling 2022h2' log" },
2352 { (const uint8_t[]){
2353 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2354 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2355 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2356 },
2357 32, "Let's Encrypt 'Sapling 2023h1' log" },
2358 { (const uint8_t[]){
2359 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2360 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2361 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2362 },
2363 32, "Let's Encrypt 'Testflume2020' log" },
2364 { (const uint8_t[]){
2365 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2366 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2367 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2368 },
2369 32, "Let's Encrypt 'Testflume2021' log" },
2370 { (const uint8_t[]){
2371 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2372 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2373 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2374 },
2375 32, "Let's Encrypt 'Testflume2022' log" },
2376 { (const uint8_t[]){
2377 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2378 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2379 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2380 },
2381 32, "Let's Encrypt 'Testflume2023' log" },
2382 { (const uint8_t[]){
2383 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2384 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2385 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2386 },
2387 32, "Let's Encrypt 'Clicky' log" },
2388 { (const uint8_t[]){
2389 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2390 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2391 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2392 },
2393 32, "Trust Asia Log2020" },
2394 { (const uint8_t[]){
2395 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2396 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2397 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2398 },
2399 32, "Trust Asia CT2021" },
2400 { (const uint8_t[]){
2401 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2402 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2403 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2404 },
2405 32, "Trust Asia Log2021" },
2406 { (const uint8_t[]){
2407 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2408 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2409 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2410 },
2411 32, "Trust Asia Log2022" },
2412 { (const uint8_t[]){
2413 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2414 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2415 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2416 },
2417 32, "Trust Asia Log2023" },
2418 { (const uint8_t[]){
2419 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2420 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2421 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2422 },
2423 32, "Trust Asia Log2024" },
2424 { (const uint8_t[]){
2425 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2426 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2427 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2428 },
2429 32, "Trust Asia Log2024-2" },
2430 { (const uint8_t[]){
2431 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2432 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2433 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2434 },
2435 32, "TrustAsia Log2025a" },
2436 { (const uint8_t[]){
2437 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2438 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2439 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2440 },
2441 32, "TrustAsia Log2025b" },
2442 { (const uint8_t[]){
2443 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2444 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2445 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2446 },
2447 32, "TrustAsia 'log2026a'" },
2448 { (const uint8_t[]){
2449 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2450 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2451 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2452 },
2453 32, "TrustAsia 'log2026b'" },
2454 { (const uint8_t[]){
2455 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2456 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2457 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2458 },
2459 32, "Trust Asia Log1" },
2460 { (const uint8_t[]){
2461 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2462 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2463 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2464 },
2465 32, "GDCA CT log #1" },
2466 { (const uint8_t[]){
2467 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2468 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2469 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2470 },
2471 32, "GDCA CT log #2" },
2472 { (const uint8_t[]){
2473 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2474 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2475 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2476 },
2477 32, "GDCA Log 1" },
2478 { (const uint8_t[]){
2479 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2480 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2481 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2482 },
2483 32, "GDCA Log 2" },
2484 { (const uint8_t[]){
2485 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2486 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2487 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2488 },
2489 32, "PuChuangSiDa CT log" },
2490 { (const uint8_t[]){
2491 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2492 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2493 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2494 },
2495 32, "Nordu 'flimsy' log" },
2496 { (const uint8_t[]){
2497 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2498 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2499 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2500 },
2501 32, "Nordu 'plausible' log" },
2502 { (const uint8_t[]){
2503 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2504 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2505 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2506 },
2507 32, "SHECA CT log 1" },
2508 { (const uint8_t[]){
2509 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2510 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2511 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2512 },
2513 32, "SHECA CT log 2" },
2514 { (const uint8_t[]){
2515 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2516 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2517 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2518 },
2519 32, "Akamai CT Log" },
2520 { (const uint8_t[]){
2521 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2522 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2523 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2524 },
2525 32, "Alpha CT Log" },
2526 { (const uint8_t[]){
2527 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2528 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2529 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2530 },
2531 32, "Up In The Air 'Behind the Sofa' log" },
2532 { (const uint8_t[]){
2533 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2534 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2535 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2536 },
2537 32, "Qihoo 360 2020" },
2538 { (const uint8_t[]){
2539 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2540 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2541 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2542 },
2543 32, "Qihoo 360 2021" },
2544 { (const uint8_t[]){
2545 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2546 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2547 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2548 },
2549 32, "Qihoo 360 2022" },
2550 { (const uint8_t[]){
2551 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2552 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2553 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2554 },
2555 32, "Qihoo 360 2023" },
2556 { (const uint8_t[]){
2557 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2558 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2559 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2560 },
2561 32, "Qihoo 360 v1 2020" },
2562 { (const uint8_t[]){
2563 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2564 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2565 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2566 },
2567 32, "Qihoo 360 v1 2021" },
2568 { (const uint8_t[]){
2569 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2570 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2571 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2572 },
2573 32, "Qihoo 360 v1 2022" },
2574 { (const uint8_t[]){
2575 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2576 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2577 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2578 },
2579 32, "Qihoo 360 v1 2023" },
2580 { NULL, 0, NULL }
2581 };
2582
2583 /*
2584 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2585 */
2586 static dissector_table_t ssl_alpn_dissector_table;
2587 static dissector_table_t dtls_alpn_dissector_table;
2588
2589 /*
2590 * Special cases for prefix matching of the ALPN, if the ALPN includes
2591 * a version number for a draft or protocol revision.
2592 */
2593 typedef struct ssl_alpn_prefix_match_protocol {
2594 const char *proto_prefix;
2595 const char *dissector_name;
2596 } ssl_alpn_prefix_match_protocol_t;
2597
2598 static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
2599 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
2600 * already exists 3.1 as of this writing... match the prefix. */
2601 { "spdy/", "spdy" },
2602 /* draft-ietf-httpbis-http2-16 */
2603 { "h2-", "http2" }, /* draft versions */
2604 };
2605
2606 const value_string compress_certificate_algorithm_vals[] = {
2607 { 1, "zlib" },
2608 { 2, "brotli" },
2609 { 3, "zstd" },
2610 { 0, NULL }
2611 };
2612
2613
2614 const val64_string quic_transport_parameter_id[] = {
2615 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID, "original_destination_connection_id" },
2616 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT, "max_idle_timeout" },
2617 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN, "stateless_reset_token" },
2618 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE, "max_udp_payload_size" },
2619 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA, "initial_max_data" },
2620 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL, "initial_max_stream_data_bidi_local" },
2621 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE, "initial_max_stream_data_bidi_remote" },
2622 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI, "initial_max_stream_data_uni" },
2623 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI, "initial_max_streams_uni" },
2624 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI, "initial_max_streams_bidi" },
2625 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT, "ack_delay_exponent" },
2626 { SSL_HND_QUIC_TP_MAX_ACK_DELAY, "max_ack_delay" },
2627 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION, "disable_active_migration" },
2628 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS, "preferred_address" },
2629 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT, "active_connection_id_limit" },
2630 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID, "initial_source_connection_id" },
2631 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID, "retry_source_connection_id" },
2632 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE, "max_datagram_frame_size" },
2633 { SSL_HND_QUIC_TP_CIBIR_ENCODING, "cibir_encoding" },
2634 { SSL_HND_QUIC_TP_LOSS_BITS, "loss_bits" },
2635 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT, "grease_quic_bit" },
2636 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP, "enable_time_stamp" },
2637 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V2, "enable_time_stamp_v2" },
2638 { SSL_HND_QUIC_TP_VERSION_INFORMATION, "version_information" },
2639 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD, "min_ack_delay" },
2640 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT, "google_user_agent" },
2641 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED, "google_key_update_not_yet_supported" },
2642 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION, "google_quic_version" },
2643 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT, "google_initial_rtt" },
2644 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE, "google_support_handshake_done" },
2645 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS, "google_quic_params" },
2646 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS, "google_connection_options" },
2647 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY, "facebook_partial_reliability" },
2648 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V1, "min_ack_delay (draft-01)" },
2649 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT05, "min_ack_delay (draft-05)" },
2650 { SSL_HND_QUIC_TP_MIN_ACK_DELAY, "min_ack_delay" },
2651 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT04, "enable_multipath (draft-04)" },
2652 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT05, "enable_multipath (draft-05)" },
2653 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH, "enable_multipath (draft-06)" },
2654 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS, "initial_max_paths (draft-07/08)" },
2655 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID, "initial_max_path_id" },
2656 { 0, NULL }
2657 };
2658
2659 /* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
2660 const val64_string quic_enable_time_stamp_v2_vals[] = {
2661 { 1, "I would like to receive TIME_STAMP frames" },
2662 { 2, "I am able to generate TIME_STAMP frames" },
2663 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
2664 { 0, NULL }
2665 };
2666
2667 /* https://tools.ietf.org/html/draft-multipath-04 */
2668 const val64_string quic_enable_multipath_vals[] = {
2669 { 0, "don't support multipath" },
2670 { 1, "support multipath as defined in this document" },
2671 { 0, NULL }
2672 };
2673
2674 /* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
2675 const value_string tls_hello_ext_ech_clienthello_types[] = {
2676 { 0, "Outer Client Hello" },
2677 { 1, "Inner Client Hello" },
2678 { 0, NULL }
2679 };
2680
2681 /* RFC 9180 */
2682 const value_string kem_id_type_vals[] = {
2683 { 0x0000, "Reserved" },
2684 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
2685 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
2686 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
2687 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
2688 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
2689 { 0, NULL }
2690 };
2691 const value_string kdf_id_type_vals[] = {
2692 { 0x0000, "Reserved" },
2693 { 0x0001, "HKDF-SHA256" },
2694 { 0x0002, "HKDF-SHA384" },
2695 { 0x0003, "HKDF-SHA512" },
2696 { 0, NULL }
2697 };
2698 const value_string aead_id_type_vals[] = {
2699 { 0x0000, "Reserved" },
2700 { 0x0001, "AES-128-GCM" },
2701 { 0x0002, "AES-256-GCM" },
2702 { 0x0003, "ChaCha20Poly1305" },
2703 { 0xFFFF, "Export-only" },
2704 { 0, NULL }
2705 };
2706
2707 const value_string token_binding_key_parameter_vals[] = {
2708 { 0, "rsa2048_pkcs1.5" },
2709 { 1, "rsa2048_pss" },
2710 { 2, "ecdsap256" },
2711 { 0, NULL }
2712 };
2713
2714 /* Lookup tables }}} */
2715
2716 void
2717 quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
2718 {
2719 const char *label;
2720 if (IS_GREASE_QUIC(parameter_id)) {
2721 label = "GREASE";
2722 } else {
2723 label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");
2724 }
2725 snprintf(result, ITEM_LABEL_LENGTH, "%s (0x%02" PRIx64 ")", label, parameter_id);
2726 }
2727
2728 /* we keep this internal to packet-tls-utils, as there should be
2729 no need to access it any other way.
2730
2731 This also allows us to hide the dependency on zlib.
2732 */
2733 struct _SslDecompress {
2734 int compression;
2735 #if defined (HAVE_ZLIB) || defined (HAVE_ZLIBNG)
2736 zlib_stream istream;
2737 #endif
2738 };
2739
2740 /* To assist in parsing client/server key exchange messages
2741 0 indicates unknown */
2742 int ssl_get_keyex_alg(int cipher)
2743 {
2744 /* Map Cipher suite number to Key Exchange algorithm {{{ */
2745 switch(cipher) {
2746 case 0x0017:
2747 case 0x0018:
2748 case 0x0019:
2749 case 0x001a:
2750 case 0x001b:
2751 case 0x0034:
2752 case 0x003a:
2753 case 0x0046:
2754 case 0x006c:
2755 case 0x006d:
2756 case 0x0089:
2757 case 0x009b:
2758 case 0x00a6:
2759 case 0x00a7:
2760 case 0x00bf:
2761 case 0x00c5:
2762 case 0xc084:
2763 case 0xc085:
2764 return KEX_DH_ANON;
2765 case 0x000b:
2766 case 0x000c:
2767 case 0x000d:
2768 case 0x0030:
2769 case 0x0036:
2770 case 0x003e:
2771 case 0x0042:
2772 case 0x0068:
2773 case 0x0085:
2774 case 0x0097:
2775 case 0x00a4:
2776 case 0x00a5:
2777 case 0x00bb:
2778 case 0x00c1:
2779 case 0xc082:
2780 case 0xc083:
2781 return KEX_DH_DSS;
2782 case 0x000e:
2783 case 0x000f:
2784 case 0x0010:
2785 case 0x0031:
2786 case 0x0037:
2787 case 0x003f:
2788 case 0x0043:
2789 case 0x0069:
2790 case 0x0086:
2791 case 0x0098:
2792 case 0x00a0:
2793 case 0x00a1:
2794 case 0x00bc:
2795 case 0x00c2:
2796 case 0xc07e:
2797 case 0xc07f:
2798 return KEX_DH_RSA;
2799 case 0x0011:
2800 case 0x0012:
2801 case 0x0013:
2802 case 0x0032:
2803 case 0x0038:
2804 case 0x0040:
2805 case 0x0044:
2806 case 0x0063:
2807 case 0x0065:
2808 case 0x0066:
2809 case 0x006a:
2810 case 0x0087:
2811 case 0x0099:
2812 case 0x00a2:
2813 case 0x00a3:
2814 case 0x00bd:
2815 case 0x00c3:
2816 case 0xc080:
2817 case 0xc081:
2818 return KEX_DHE_DSS;
2819 case 0x002d:
2820 case 0x008e:
2821 case 0x008f:
2822 case 0x0090:
2823 case 0x0091:
2824 case 0x00aa:
2825 case 0x00ab:
2826 case 0x00b2:
2827 case 0x00b3:
2828 case 0x00b4:
2829 case 0x00b5:
2830 case 0xc090:
2831 case 0xc091:
2832 case 0xc096:
2833 case 0xc097:
2834 case 0xc0a6:
2835 case 0xc0a7:
2836 case 0xc0aa:
2837 case 0xc0ab:
2838 case 0xccad:
2839 case 0xe41c:
2840 case 0xe41d:
2841 return KEX_DHE_PSK;
2842 case 0x0014:
2843 case 0x0015:
2844 case 0x0016:
2845 case 0x0033:
2846 case 0x0039:
2847 case 0x0045:
2848 case 0x0067:
2849 case 0x006b:
2850 case 0x0088:
2851 case 0x009a:
2852 case 0x009e:
2853 case 0x009f:
2854 case 0x00be:
2855 case 0x00c4:
2856 case 0xc07c:
2857 case 0xc07d:
2858 case 0xc09e:
2859 case 0xc09f:
2860 case 0xc0a2:
2861 case 0xc0a3:
2862 case 0xccaa:
2863 case 0xe41e:
2864 case 0xe41f:
2865 return KEX_DHE_RSA;
2866 case 0xc015:
2867 case 0xc016:
2868 case 0xc017:
2869 case 0xc018:
2870 case 0xc019:
2871 return KEX_ECDH_ANON;
2872 case 0xc001:
2873 case 0xc002:
2874 case 0xc003:
2875 case 0xc004:
2876 case 0xc005:
2877 case 0xc025:
2878 case 0xc026:
2879 case 0xc02d:
2880 case 0xc02e:
2881 case 0xc074:
2882 case 0xc075:
2883 case 0xc088:
2884 case 0xc089:
2885 return KEX_ECDH_ECDSA;
2886 case 0xc00b:
2887 case 0xc00c:
2888 case 0xc00d:
2889 case 0xc00e:
2890 case 0xc00f:
2891 case 0xc029:
2892 case 0xc02a:
2893 case 0xc031:
2894 case 0xc032:
2895 case 0xc078:
2896 case 0xc079:
2897 case 0xc08c:
2898 case 0xc08d:
2899 return KEX_ECDH_RSA;
2900 case 0xc006:
2901 case 0xc007:
2902 case 0xc008:
2903 case 0xc009:
2904 case 0xc00a:
2905 case 0xc023:
2906 case 0xc024:
2907 case 0xc02b:
2908 case 0xc02c:
2909 case 0xc072:
2910 case 0xc073:
2911 case 0xc086:
2912 case 0xc087:
2913 case 0xc0ac:
2914 case 0xc0ad:
2915 case 0xc0ae:
2916 case 0xc0af:
2917 case 0xcca9:
2918 case 0xe414:
2919 case 0xe415:
2920 return KEX_ECDHE_ECDSA;
2921 case 0xc033:
2922 case 0xc034:
2923 case 0xc035:
2924 case 0xc036:
2925 case 0xc037:
2926 case 0xc038:
2927 case 0xc039:
2928 case 0xc03a:
2929 case 0xc03b:
2930 case 0xc09a:
2931 case 0xc09b:
2932 case 0xccac:
2933 case 0xe418:
2934 case 0xe419:
2935 case 0xd001:
2936 case 0xd002:
2937 case 0xd003:
2938 case 0xd005:
2939 return KEX_ECDHE_PSK;
2940 case 0xc010:
2941 case 0xc011:
2942 case 0xc012:
2943 case 0xc013:
2944 case 0xc014:
2945 case 0xc027:
2946 case 0xc028:
2947 case 0xc02f:
2948 case 0xc030:
2949 case 0xc076:
2950 case 0xc077:
2951 case 0xc08a:
2952 case 0xc08b:
2953 case 0xcca8:
2954 case 0xe412:
2955 case 0xe413:
2956 return KEX_ECDHE_RSA;
2957 case 0x001e:
2958 case 0x001f:
2959 case 0x0020:
2960 case 0x0021:
2961 case 0x0022:
2962 case 0x0023:
2963 case 0x0024:
2964 case 0x0025:
2965 case 0x0026:
2966 case 0x0027:
2967 case 0x0028:
2968 case 0x0029:
2969 case 0x002a:
2970 case 0x002b:
2971 return KEX_KRB5;
2972 case 0x002c:
2973 case 0x008a:
2974 case 0x008b:
2975 case 0x008c:
2976 case 0x008d:
2977 case 0x00a8:
2978 case 0x00a9:
2979 case 0x00ae:
2980 case 0x00af:
2981 case 0x00b0:
2982 case 0x00b1:
2983 case 0xc064:
2984 case 0xc065:
2985 case 0xc08e:
2986 case 0xc08f:
2987 case 0xc094:
2988 case 0xc095:
2989 case 0xc0a4:
2990 case 0xc0a5:
2991 case 0xc0a8:
2992 case 0xc0a9:
2993 case 0xccab:
2994 case 0xe416:
2995 case 0xe417:
2996 return KEX_PSK;
2997 case 0x0001:
2998 case 0x0002:
2999 case 0x0003:
3000 case 0x0004:
3001 case 0x0005:
3002 case 0x0006:
3003 case 0x0007:
3004 case 0x0008:
3005 case 0x0009:
3006 case 0x000a:
3007 case 0x002f:
3008 case 0x0035:
3009 case 0x003b:
3010 case 0x003c:
3011 case 0x003d:
3012 case 0x0041:
3013 case 0x0060:
3014 case 0x0061:
3015 case 0x0062:
3016 case 0x0064:
3017 case 0x0084:
3018 case 0x0096:
3019 case 0x009c:
3020 case 0x009d:
3021 case 0x00ba:
3022 case 0x00c0:
3023 case 0xc07a:
3024 case 0xc07b:
3025 case 0xc09c:
3026 case 0xc09d:
3027 case 0xc0a0:
3028 case 0xc0a1:
3029 case 0xe410:
3030 case 0xe411:
3031 case 0xfefe:
3032 case 0xfeff:
3033 case 0xffe0:
3034 case 0xffe1:
3035 return KEX_RSA;
3036 case 0x002e:
3037 case 0x0092:
3038 case 0x0093:
3039 case 0x0094:
3040 case 0x0095:
3041 case 0x00ac:
3042 case 0x00ad:
3043 case 0x00b6:
3044 case 0x00b7:
3045 case 0x00b8:
3046 case 0x00b9:
3047 case 0xc092:
3048 case 0xc093:
3049 case 0xc098:
3050 case 0xc099:
3051 case 0xccae:
3052 case 0xe41a:
3053 case 0xe41b:
3054 return KEX_RSA_PSK;
3055 case 0xc01a:
3056 case 0xc01d:
3057 case 0xc020:
3058 return KEX_SRP_SHA;
3059 case 0xc01c:
3060 case 0xc01f:
3061 case 0xc022:
3062 return KEX_SRP_SHA_DSS;
3063 case 0xc01b:
3064 case 0xc01e:
3065 case 0xc021:
3066 return KEX_SRP_SHA_RSA;
3067 case 0xc0ff:
3068 return KEX_ECJPAKE;
3069 case 0xe003:
3070 case 0xe013:
3071 case 0xe053:
3072 return KEX_ECC_SM2;
3073 default:
3074 break;
3075 }
3076
3077 return 0;
3078 /* }}} */
3079 }
3080
3081 static wmem_list_t *connection_id_session_list;
3082
3083 void
3084 ssl_init_cid_list(void) {
3085 connection_id_session_list = wmem_list_new(wmem_file_scope());
3086 }
3087
3088 void
3089 ssl_cleanup_cid_list(void) {
3090 wmem_destroy_list(connection_id_session_list);
3091 }
3092
3093 void
3094 ssl_add_session_by_cid(SslDecryptSession *session)
3095 {
3096 wmem_list_append(connection_id_session_list, session);
3097 }
3098
3099 SslDecryptSession *
3100 ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
3101 {
3102 SslDecryptSession * ssl_cid = NULL;
3103 wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);
3104
3105 while (it != NULL && ssl_cid == NULL) {
3106 SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);
3107 DISSECTOR_ASSERT(ssl != NULL);
3108 SslSession *session = &ssl->session;
3109
3110 if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {
3111 if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
3112 ssl_cid = ssl;
3113 }
3114 }
3115
3116 if (session->server_cid_len > 0) {
3117 if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
3118 ssl_cid = ssl;
3119 }
3120 }
3121
3122 it = wmem_list_frame_next(it);
3123 }
3124
3125 return ssl_cid;
3126 }
3127
3128 /* StringInfo structure (len + data) functions {{{ */
3129
3130 int
3131 ssl_data_alloc(StringInfo* str, size_t len)
3132 {
3133 str->data = (unsigned char *)g_malloc(len);
3134 /* the allocator can return a null pointer for a size equal to 0,
3135 * and that must be allowed */
3136 if (len > 0 && !str->data)
3137 return -1;
3138 str->data_len = (unsigned) len;
3139 return 0;
3140 }
3141
3142 void
3143 ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
3144 {
3145 DISSECTOR_ASSERT(data);
3146 memcpy(str->data, data, len);
3147 str->data_len = len;
3148 }
3149
3150 static int
3151 ssl_data_realloc(StringInfo* str, unsigned len)
3152 {
3153 str->data = (unsigned char *)g_realloc(str->data, len);
3154 if (!str->data)
3155 return -1;
3156 str->data_len = len;
3157 return 0;
3158 }
3159
3160 static StringInfo *
3161 ssl_data_clone(StringInfo *str)
3162 {
3163 StringInfo *cloned_str;
3164 cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
3165 sizeof(StringInfo) + str->data_len);
3166 cloned_str->data = (unsigned char *) (cloned_str + 1);
3167 ssl_data_set(cloned_str, str->data, str->data_len);
3168 return cloned_str;
3169 }
3170
3171 static int
3172 ssl_data_copy(StringInfo* dst, StringInfo* src)
3173 {
3174 if (dst->data_len < src->data_len) {
3175 if (ssl_data_realloc(dst, src->data_len))
3176 return -1;
3177 }
3178 memcpy(dst->data, src->data, src->data_len);
3179 dst->data_len = src->data_len;
3180 return 0;
3181 }
3182
3183 /* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
3184 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
3185 * success. */
3186 static bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
3187 size_t i;
3188
3189 if (hex_len & 1)
3190 return false;
3191
3192 out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);
3193 for (i = 0; i < hex_len / 2; i++) {
3194 int a = ws_xton(in[i*2]);
3195 int b = ws_xton(in[i*2 + 1]);
3196 if (a == -1 || b == -1)
3197 return false;
3198 out->data[i] = a << 4 | b;
3199 }
3200 out->data_len = (unsigned)hex_len / 2;
3201 return true;
3202 }
3203 /* StringInfo structure (len + data) functions }}} */
3204
3205
3206 /* libgcrypt wrappers for HMAC/message digest operations {{{ */
3207 /* hmac abstraction layer */
3208 #define SSL_HMAC gcry_md_hd_t
3209
3210 static inline int
3211 ssl_hmac_init(SSL_HMAC* md, int algo)
3212 {
3213 gcry_error_t err;
3214 const char *err_str, *err_src;
3215
3216 err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);
3217 if (err != 0) {
3218 err_str = gcry_strerror(err);
3219 err_src = gcry_strsource(err);
3220 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);
3221 return -1;
3222 }
3223 return 0;
3224 }
3225
3226 static inline int
3227 ssl_hmac_setkey(SSL_HMAC* md, const void * key, int len)
3228 {
3229 gcry_error_t err;
3230 const char *err_str, *err_src;
3231
3232 err = gcry_md_setkey (*(md), key, len);
3233 if (err != 0) {
3234 err_str = gcry_strerror(err);
3235 err_src = gcry_strsource(err);
3236 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);
3237 return -1;
3238 }
3239 return 0;
3240 }
3241
3242 static inline int
3243 ssl_hmac_reset(SSL_HMAC* md)
3244 {
3245 gcry_md_reset(*md);
3246 return 0;
3247 }
3248
3249 static inline void
3250 ssl_hmac_update(SSL_HMAC* md, const void* data, int len)
3251 {
3252 gcry_md_write(*(md), data, len);
3253 }
3254 static inline void
3255 ssl_hmac_final(SSL_HMAC* md, unsigned char* data, unsigned* datalen)
3256 {
3257 int algo;
3258 unsigned len;
3259
3260 algo = gcry_md_get_algo (*(md));
3261 len = gcry_md_get_algo_dlen(algo);
3262 DISSECTOR_ASSERT(len <= *datalen);
3263 memcpy(data, gcry_md_read(*(md), algo), len);
3264 *datalen = len;
3265 }
3266 static inline void
3267 ssl_hmac_cleanup(SSL_HMAC* md)
3268 {
3269 gcry_md_close(*(md));
3270 }
3271
3272 /* message digest abstraction layer*/
3273 #define SSL_MD gcry_md_hd_t
3274
3275 static inline int
3276 ssl_md_init(SSL_MD* md, int algo)
3277 {
3278 gcry_error_t err;
3279 const char *err_str, *err_src;
3280 err = gcry_md_open(md,algo, 0);
3281 if (err != 0) {
3282 err_str = gcry_strerror(err);
3283 err_src = gcry_strsource(err);
3284 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);
3285 return -1;
3286 }
3287 return 0;
3288 }
3289 static inline void
3290 ssl_md_update(SSL_MD* md, unsigned char* data, int len)
3291 {
3292 gcry_md_write(*(md), data, len);
3293 }
3294 static inline void
3295 ssl_md_final(SSL_MD* md, unsigned char* data, unsigned* datalen)
3296 {
3297 int algo;
3298 int len;
3299 algo = gcry_md_get_algo (*(md));
3300 len = gcry_md_get_algo_dlen (algo);
3301 memcpy(data, gcry_md_read(*(md), algo), len);
3302 *datalen = len;
3303 }
3304 static inline void
3305 ssl_md_cleanup(SSL_MD* md)
3306 {
3307 gcry_md_close(*(md));
3308 }
3309
3310 static inline void
3311 ssl_md_reset(SSL_MD* md)
3312 {
3313 gcry_md_reset(*md);
3314 }
3315
3316 /* md5 /sha abstraction layer */
3317 #define SSL_SHA_CTX gcry_md_hd_t
3318 #define SSL_MD5_CTX gcry_md_hd_t
3319
3320 static inline int
3321 ssl_sha_init(SSL_SHA_CTX* md)
3322 {
3323 gcry_error_t err;
3324 const char *err_str, *err_src;
3325 err = gcry_md_open(md, GCRY_MD_SHA1, 0);
3326 if (err != 0) {
3327 err_str = gcry_strerror(err);
3328 err_src = gcry_strsource(err);
3329 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);
3330 return -1;
3331 }
3332 return 0;
3333 }
3334 static inline void
3335 ssl_sha_update(SSL_SHA_CTX* md, unsigned char* data, int len)
3336 {
3337 gcry_md_write(*(md), data, len);
3338 }
3339 static inline void
3340 ssl_sha_final(unsigned char* buf, SSL_SHA_CTX* md)
3341 {
3342 memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),
3343 gcry_md_get_algo_dlen(GCRY_MD_SHA1));
3344 }
3345
3346 static inline void
3347 ssl_sha_reset(SSL_SHA_CTX* md)
3348 {
3349 gcry_md_reset(*md);
3350 }
3351
3352 static inline void
3353 ssl_sha_cleanup(SSL_SHA_CTX* md)
3354 {
3355 gcry_md_close(*(md));
3356 }
3357
3358 static inline int
3359 ssl_md5_init(SSL_MD5_CTX* md)
3360 {
3361 gcry_error_t err;
3362 const char *err_str, *err_src;
3363 err = gcry_md_open(md,GCRY_MD_MD5, 0);
3364 if (err != 0) {
3365 err_str = gcry_strerror(err);
3366 err_src = gcry_strsource(err);
3367 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);
3368 return -1;
3369 }
3370 return 0;
3371 }
3372 static inline void
3373 ssl_md5_update(SSL_MD5_CTX* md, unsigned char* data, int len)
3374 {
3375 gcry_md_write(*(md), data, len);
3376 }
3377 static inline void
3378 ssl_md5_final(unsigned char* buf, SSL_MD5_CTX* md)
3379 {
3380 memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),
3381 gcry_md_get_algo_dlen(GCRY_MD_MD5));
3382 }
3383
3384 static inline void
3385 ssl_md5_reset(SSL_MD5_CTX* md)
3386 {
3387 gcry_md_reset(*md);
3388 }
3389
3390 static inline void
3391 ssl_md5_cleanup(SSL_MD5_CTX* md)
3392 {
3393 gcry_md_close(*(md));
3394 }
3395 /* libgcrypt wrappers for HMAC/message digest operations }}} */
3396
3397 /* libgcrypt wrappers for Cipher state manipulation {{{ */
3398 int
3399 ssl_cipher_setiv(SSL_CIPHER_CTX *cipher, unsigned char* iv, int iv_len)
3400 {
3401 int ret;
3402 #if 0
3403 unsigned char *ivp;
3404 int i;
3405 gcry_cipher_hd_t c;
3406 c=(gcry_cipher_hd_t)*cipher;
3407 #endif
3408 ssl_debug_printf("--------------------------------------------------------------------");
3409 #if 0
3410 for(ivp=c->iv,i=0; i < iv_len; i++ )
3411 {
3412 ssl_debug_printf("%d ",ivp[i]);
3413 i++;
3414 }
3415 #endif
3416 ssl_debug_printf("--------------------------------------------------------------------");
3417 ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
3418 #if 0
3419 for(ivp=c->iv,i=0; i < iv_len; i++ )
3420 {
3421 ssl_debug_printf("%d ",ivp[i]);
3422 i++;
3423 }
3424 #endif
3425 ssl_debug_printf("--------------------------------------------------------------------");
3426 return ret;
3427 }
3428 /* stream cipher abstraction layer*/
3429 static int
3430 ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
3431 unsigned char* iv, int mode)
3432 {
3433 int gcry_modes[] = {
3434 GCRY_CIPHER_MODE_STREAM,
3435 GCRY_CIPHER_MODE_CBC,
3436 GCRY_CIPHER_MODE_GCM,
3437 GCRY_CIPHER_MODE_CCM,
3438 GCRY_CIPHER_MODE_CCM,
3439 GCRY_CIPHER_MODE_POLY1305,
3440 GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
3441 };
3442 int err;
3443 if (algo == -1) {
3444 /* NULL mode */
3445 *(cipher) = (gcry_cipher_hd_t)-1;
3446 return 0;
3447 }
3448 err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
3449 if (err !=0)
3450 return -1;
3451 err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
3452 if (err != 0)
3453 return -1;
3454 /* AEAD cipher suites will set the nonce later. */
3455 if (mode == MODE_CBC) {
3456 err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
3457 if (err != 0)
3458 return -1;
3459 }
3460 return 0;
3461 }
3462 static inline int
3463 ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
3464 const unsigned char * in, int inl)
3465 {
3466 if ((*cipher) == (gcry_cipher_hd_t)-1)
3467 {
3468 if (in && inl)
3469 memcpy(out, in, outl < inl ? outl : inl);
3470 return 0;
3471 }
3472 return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
3473 }
3474 static inline int
3475 ssl_get_digest_by_name(const char*name)
3476 {
3477 return gcry_md_map_name(name);
3478 }
3479 static inline int
3480 ssl_get_cipher_by_name(const char* name)
3481 {
3482 return gcry_cipher_map_name(name);
3483 }
3484
3485 static inline void
3486 ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
3487 {
3488 if ((*cipher) != (gcry_cipher_hd_t)-1)
3489 gcry_cipher_close(*cipher);
3490 *cipher = NULL;
3491 }
3492 /* }}} */
3493
3494 /* Digests, Ciphers and Cipher Suites registry {{{ */
3495 static const SslDigestAlgo digests[]={
3496 {"MD5", 16},
3497 {"SHA1", 20},
3498 {"SHA256", 32},
3499 {"SHA384", 48},
3500 {"SM3", 32},
3501 {"Not Applicable", 0},
3502 };
3503
3504 #define DIGEST_MAX_SIZE 48
3505
3506 /* get index digest index */
3507 static const SslDigestAlgo *
3508 ssl_cipher_suite_dig(const SslCipherSuite *cs) {
3509 return &digests[cs->dig - DIG_MD5];
3510 }
3511
3512 static const char *ciphers[]={
3513 "DES",
3514 "3DES",
3515 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
3516 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
3517 "IDEA",
3518 "AES",
3519 "AES256",
3520 "CAMELLIA128",
3521 "CAMELLIA256",
3522 "SEED",
3523 "CHACHA20", /* since Libgcrypt 1.7.0 */
3524 "SM1",
3525 "SM4",
3526 "*UNKNOWN*"
3527 };
3528
3529 static const SslCipherSuite cipher_suites[]={
3530 {0x0001,KEX_RSA, ENC_NULL, DIG_MD5, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3531 {0x0002,KEX_RSA, ENC_NULL, DIG_SHA, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3532 {0x0003,KEX_RSA, ENC_RC4, DIG_MD5, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3533 {0x0004,KEX_RSA, ENC_RC4, DIG_MD5, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3534 {0x0005,KEX_RSA, ENC_RC4, DIG_SHA, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3535 {0x0006,KEX_RSA, ENC_RC2, DIG_MD5, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3536 {0x0007,KEX_RSA, ENC_IDEA, DIG_SHA, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3537 {0x0008,KEX_RSA, ENC_DES, DIG_SHA, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3538 {0x0009,KEX_RSA, ENC_DES, DIG_SHA, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3539 {0x000A,KEX_RSA, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3540 {0x000B,KEX_DH_DSS, ENC_DES, DIG_SHA, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3541 {0x000C,KEX_DH_DSS, ENC_DES, DIG_SHA, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3542 {0x000D,KEX_DH_DSS, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3543 {0x000E,KEX_DH_RSA, ENC_DES, DIG_SHA, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3544 {0x000F,KEX_DH_RSA, ENC_DES, DIG_SHA, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3545 {0x0010,KEX_DH_RSA, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3546 {0x0011,KEX_DHE_DSS, ENC_DES, DIG_SHA, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3547 {0x0012,KEX_DHE_DSS, ENC_DES, DIG_SHA, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3548 {0x0013,KEX_DHE_DSS, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3549 {0x0014,KEX_DHE_RSA, ENC_DES, DIG_SHA, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3550 {0x0015,KEX_DHE_RSA, ENC_DES, DIG_SHA, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3551 {0x0016,KEX_DHE_RSA, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3552 {0x0017,KEX_DH_ANON, ENC_RC4, DIG_MD5, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3553 {0x0018,KEX_DH_ANON, ENC_RC4, DIG_MD5, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3554 {0x0019,KEX_DH_ANON, ENC_DES, DIG_SHA, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3555 {0x001A,KEX_DH_ANON, ENC_DES, DIG_SHA, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3556 {0x001B,KEX_DH_ANON, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3557 {0x002C,KEX_PSK, ENC_NULL, DIG_SHA, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3558 {0x002D,KEX_DHE_PSK, ENC_NULL, DIG_SHA, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3559 {0x002E,KEX_RSA_PSK, ENC_NULL, DIG_SHA, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3560 {0x002F,KEX_RSA, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3561 {0x0030,KEX_DH_DSS, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3562 {0x0031,KEX_DH_RSA, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3563 {0x0032,KEX_DHE_DSS, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3564 {0x0033,KEX_DHE_RSA, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3565 {0x0034,KEX_DH_ANON, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3566 {0x0035,KEX_RSA, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3567 {0x0036,KEX_DH_DSS, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3568 {0x0037,KEX_DH_RSA, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3569 {0x0038,KEX_DHE_DSS, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3570 {0x0039,KEX_DHE_RSA, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3571 {0x003A,KEX_DH_ANON, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3572 {0x003B,KEX_RSA, ENC_NULL, DIG_SHA256, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3573 {0x003C,KEX_RSA, ENC_AES, DIG_SHA256, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3574 {0x003D,KEX_RSA, ENC_AES256, DIG_SHA256, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3575 {0x003E,KEX_DH_DSS, ENC_AES, DIG_SHA256, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3576 {0x003F,KEX_DH_RSA, ENC_AES, DIG_SHA256, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3577 {0x0040,KEX_DHE_DSS, ENC_AES, DIG_SHA256, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3578 {0x0041,KEX_RSA, ENC_CAMELLIA128,DIG_SHA, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3579 {0x0042,KEX_DH_DSS, ENC_CAMELLIA128,DIG_SHA, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3580 {0x0043,KEX_DH_RSA, ENC_CAMELLIA128,DIG_SHA, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3581 {0x0044,KEX_DHE_DSS, ENC_CAMELLIA128,DIG_SHA, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3582 {0x0045,KEX_DHE_RSA, ENC_CAMELLIA128,DIG_SHA, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3583 {0x0046,KEX_DH_ANON, ENC_CAMELLIA128,DIG_SHA, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3584 {0x0060,KEX_RSA, ENC_RC4, DIG_MD5, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3585 {0x0061,KEX_RSA, ENC_RC2, DIG_MD5, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3586 {0x0062,KEX_RSA, ENC_DES, DIG_SHA, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3587 {0x0063,KEX_DHE_DSS, ENC_DES, DIG_SHA, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3588 {0x0064,KEX_RSA, ENC_RC4, DIG_SHA, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3589 {0x0065,KEX_DHE_DSS, ENC_RC4, DIG_SHA, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3590 {0x0066,KEX_DHE_DSS, ENC_RC4, DIG_SHA, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3591 {0x0067,KEX_DHE_RSA, ENC_AES, DIG_SHA256, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3592 {0x0068,KEX_DH_DSS, ENC_AES256, DIG_SHA256, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3593 {0x0069,KEX_DH_RSA, ENC_AES256, DIG_SHA256, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3594 {0x006A,KEX_DHE_DSS, ENC_AES256, DIG_SHA256, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3595 {0x006B,KEX_DHE_RSA, ENC_AES256, DIG_SHA256, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3596 {0x006C,KEX_DH_ANON, ENC_AES, DIG_SHA256, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3597 {0x006D,KEX_DH_ANON, ENC_AES256, DIG_SHA256, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3598 {0x0084,KEX_RSA, ENC_CAMELLIA256,DIG_SHA, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3599 {0x0085,KEX_DH_DSS, ENC_CAMELLIA256,DIG_SHA, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3600 {0x0086,KEX_DH_RSA, ENC_CAMELLIA256,DIG_SHA, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3601 {0x0087,KEX_DHE_DSS, ENC_CAMELLIA256,DIG_SHA, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3602 {0x0088,KEX_DHE_RSA, ENC_CAMELLIA256,DIG_SHA, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3603 {0x0089,KEX_DH_ANON, ENC_CAMELLIA256,DIG_SHA, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3604 {0x008A,KEX_PSK, ENC_RC4, DIG_SHA, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3605 {0x008B,KEX_PSK, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3606 {0x008C,KEX_PSK, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3607 {0x008D,KEX_PSK, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3608 {0x008E,KEX_DHE_PSK, ENC_RC4, DIG_SHA, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3609 {0x008F,KEX_DHE_PSK, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3610 {0x0090,KEX_DHE_PSK, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3611 {0x0091,KEX_DHE_PSK, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3612 {0x0092,KEX_RSA_PSK, ENC_RC4, DIG_SHA, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3613 {0x0093,KEX_RSA_PSK, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3614 {0x0094,KEX_RSA_PSK, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3615 {0x0095,KEX_RSA_PSK, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3616 {0x0096,KEX_RSA, ENC_SEED, DIG_SHA, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3617 {0x0097,KEX_DH_DSS, ENC_SEED, DIG_SHA, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3618 {0x0098,KEX_DH_RSA, ENC_SEED, DIG_SHA, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3619 {0x0099,KEX_DHE_DSS, ENC_SEED, DIG_SHA, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3620 {0x009A,KEX_DHE_RSA, ENC_SEED, DIG_SHA, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3621 {0x009B,KEX_DH_ANON, ENC_SEED, DIG_SHA, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3622 {0x009C,KEX_RSA, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3623 {0x009D,KEX_RSA, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3624 {0x009E,KEX_DHE_RSA, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3625 {0x009F,KEX_DHE_RSA, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3626 {0x00A0,KEX_DH_RSA, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3627 {0x00A1,KEX_DH_RSA, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3628 {0x00A2,KEX_DHE_DSS, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3629 {0x00A3,KEX_DHE_DSS, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3630 {0x00A4,KEX_DH_DSS, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3631 {0x00A5,KEX_DH_DSS, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3632 {0x00A6,KEX_DH_ANON, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3633 {0x00A7,KEX_DH_ANON, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3634 {0x00A8,KEX_PSK, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3635 {0x00A9,KEX_PSK, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3636 {0x00AA,KEX_DHE_PSK, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3637 {0x00AB,KEX_DHE_PSK, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3638 {0x00AC,KEX_RSA_PSK, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3639 {0x00AD,KEX_RSA_PSK, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3640 {0x00AE,KEX_PSK, ENC_AES, DIG_SHA256, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3641 {0x00AF,KEX_PSK, ENC_AES256, DIG_SHA384, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3642 {0x00B0,KEX_PSK, ENC_NULL, DIG_SHA256, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3643 {0x00B1,KEX_PSK, ENC_NULL, DIG_SHA384, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3644 {0x00B2,KEX_DHE_PSK, ENC_AES, DIG_SHA256, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3645 {0x00B3,KEX_DHE_PSK, ENC_AES256, DIG_SHA384, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3646 {0x00B4,KEX_DHE_PSK, ENC_NULL, DIG_SHA256, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3647 {0x00B5,KEX_DHE_PSK, ENC_NULL, DIG_SHA384, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3648 {0x00B6,KEX_RSA_PSK, ENC_AES, DIG_SHA256, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3649 {0x00B7,KEX_RSA_PSK, ENC_AES256, DIG_SHA384, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3650 {0x00B8,KEX_RSA_PSK, ENC_NULL, DIG_SHA256, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3651 {0x00B9,KEX_RSA_PSK, ENC_NULL, DIG_SHA384, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3652 {0x00BA,KEX_RSA, ENC_CAMELLIA128,DIG_SHA256, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3653 {0x00BB,KEX_DH_DSS, ENC_CAMELLIA128,DIG_SHA256, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3654 {0x00BC,KEX_DH_RSA, ENC_CAMELLIA128,DIG_SHA256, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3655 {0x00BD,KEX_DHE_DSS, ENC_CAMELLIA128,DIG_SHA256, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3656 {0x00BE,KEX_DHE_RSA, ENC_CAMELLIA128,DIG_SHA256, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3657 {0x00BF,KEX_DH_ANON, ENC_CAMELLIA128,DIG_SHA256, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3658 {0x00C0,KEX_RSA, ENC_CAMELLIA256,DIG_SHA256, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3659 {0x00C1,KEX_DH_DSS, ENC_CAMELLIA256,DIG_SHA256, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3660 {0x00C2,KEX_DH_RSA, ENC_CAMELLIA256,DIG_SHA256, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3661 {0x00C3,KEX_DHE_DSS, ENC_CAMELLIA256,DIG_SHA256, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3662 {0x00C4,KEX_DHE_RSA, ENC_CAMELLIA256,DIG_SHA256, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3663 {0x00C5,KEX_DH_ANON, ENC_CAMELLIA256,DIG_SHA256, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3664
3665 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3666 {0x1301,KEX_TLS13, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3667 {0x1302,KEX_TLS13, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3668 {0x1303,KEX_TLS13, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3669 {0x1304,KEX_TLS13, ENC_AES, DIG_SHA256, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3670 {0x1305,KEX_TLS13, ENC_AES, DIG_SHA256, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3671 {0x00C6,KEX_TLS13, ENC_SM4, DIG_SM3, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3672
3673 {0xC001,KEX_ECDH_ECDSA, ENC_NULL, DIG_SHA, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3674 {0xC002,KEX_ECDH_ECDSA, ENC_RC4, DIG_SHA, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3675 {0xC003,KEX_ECDH_ECDSA, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3676 {0xC004,KEX_ECDH_ECDSA, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3677 {0xC005,KEX_ECDH_ECDSA, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3678 {0xC006,KEX_ECDHE_ECDSA, ENC_NULL, DIG_SHA, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3679 {0xC007,KEX_ECDHE_ECDSA, ENC_RC4, DIG_SHA, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3680 {0xC008,KEX_ECDHE_ECDSA, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3681 {0xC009,KEX_ECDHE_ECDSA, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3682 {0xC00A,KEX_ECDHE_ECDSA, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3683 {0xC00B,KEX_ECDH_RSA, ENC_NULL, DIG_SHA, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3684 {0xC00C,KEX_ECDH_RSA, ENC_RC4, DIG_SHA, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3685 {0xC00D,KEX_ECDH_RSA, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3686 {0xC00E,KEX_ECDH_RSA, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3687 {0xC00F,KEX_ECDH_RSA, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3688 {0xC0FF,KEX_ECJPAKE, ENC_AES, DIG_NA, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3689 {0xC010,KEX_ECDHE_RSA, ENC_NULL, DIG_SHA, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3690 {0xC011,KEX_ECDHE_RSA, ENC_RC4, DIG_SHA, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3691 {0xC012,KEX_ECDHE_RSA, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3692 {0xC013,KEX_ECDHE_RSA, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3693 {0xC014,KEX_ECDHE_RSA, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3694 {0xC015,KEX_ECDH_ANON, ENC_NULL, DIG_SHA, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3695 {0xC016,KEX_ECDH_ANON, ENC_RC4, DIG_SHA, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3696 {0xC017,KEX_ECDH_ANON, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3697 {0xC018,KEX_ECDH_ANON, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3698 {0xC019,KEX_ECDH_ANON, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3699 {0xC01A,KEX_SRP_SHA, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3700 {0xC01B,KEX_SRP_SHA_RSA, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3701 {0xC01C,KEX_SRP_SHA_DSS, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3702 {0xC01D,KEX_SRP_SHA, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3703 {0xC01E,KEX_SRP_SHA_RSA, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3704 {0xC01F,KEX_SRP_SHA_DSS, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3705 {0xC020,KEX_SRP_SHA, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3706 {0xC021,KEX_SRP_SHA_RSA, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3707 {0xC022,KEX_SRP_SHA_DSS, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3708 {0xC023,KEX_ECDHE_ECDSA, ENC_AES, DIG_SHA256, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3709 {0xC024,KEX_ECDHE_ECDSA, ENC_AES256, DIG_SHA384, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3710 {0xC025,KEX_ECDH_ECDSA, ENC_AES, DIG_SHA256, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3711 {0xC026,KEX_ECDH_ECDSA, ENC_AES256, DIG_SHA384, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3712 {0xC027,KEX_ECDHE_RSA, ENC_AES, DIG_SHA256, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3713 {0xC028,KEX_ECDHE_RSA, ENC_AES256, DIG_SHA384, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3714 {0xC029,KEX_ECDH_RSA, ENC_AES, DIG_SHA256, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3715 {0xC02A,KEX_ECDH_RSA, ENC_AES256, DIG_SHA384, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3716 {0xC02B,KEX_ECDHE_ECDSA, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3717 {0xC02C,KEX_ECDHE_ECDSA, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3718 {0xC02D,KEX_ECDH_ECDSA, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3719 {0xC02E,KEX_ECDH_ECDSA, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3720 {0xC02F,KEX_ECDHE_RSA, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3721 {0xC030,KEX_ECDHE_RSA, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3722 {0xC031,KEX_ECDH_RSA, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3723 {0xC032,KEX_ECDH_RSA, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3724 {0xC033,KEX_ECDHE_PSK, ENC_RC4, DIG_SHA, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3725 {0xC034,KEX_ECDHE_PSK, ENC_3DES, DIG_SHA, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3726 {0xC035,KEX_ECDHE_PSK, ENC_AES, DIG_SHA, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3727 {0xC036,KEX_ECDHE_PSK, ENC_AES256, DIG_SHA, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3728 {0xC037,KEX_ECDHE_PSK, ENC_AES, DIG_SHA256, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3729 {0xC038,KEX_ECDHE_PSK, ENC_AES256, DIG_SHA384, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3730 {0xC039,KEX_ECDHE_PSK, ENC_NULL, DIG_SHA, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3731 {0xC03A,KEX_ECDHE_PSK, ENC_NULL, DIG_SHA256, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3732 {0xC03B,KEX_ECDHE_PSK, ENC_NULL, DIG_SHA384, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3733 {0xC072,KEX_ECDHE_ECDSA, ENC_CAMELLIA128,DIG_SHA256, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3734 {0xC073,KEX_ECDHE_ECDSA, ENC_CAMELLIA256,DIG_SHA384, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3735 {0xC074,KEX_ECDH_ECDSA, ENC_CAMELLIA128,DIG_SHA256, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3736 {0xC075,KEX_ECDH_ECDSA, ENC_CAMELLIA256,DIG_SHA384, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3737 {0xC076,KEX_ECDHE_RSA, ENC_CAMELLIA128,DIG_SHA256, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3738 {0xC077,KEX_ECDHE_RSA, ENC_CAMELLIA256,DIG_SHA384, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3739 {0xC078,KEX_ECDH_RSA, ENC_CAMELLIA128,DIG_SHA256, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3740 {0xC079,KEX_ECDH_RSA, ENC_CAMELLIA256,DIG_SHA384, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3741 {0xC07A,KEX_RSA, ENC_CAMELLIA128,DIG_SHA256, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3742 {0xC07B,KEX_RSA, ENC_CAMELLIA256,DIG_SHA384, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3743 {0xC07C,KEX_DHE_RSA, ENC_CAMELLIA128,DIG_SHA256, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3744 {0xC07D,KEX_DHE_RSA, ENC_CAMELLIA256,DIG_SHA384, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3745 {0xC07E,KEX_DH_RSA, ENC_CAMELLIA128,DIG_SHA256, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3746 {0xC07F,KEX_DH_RSA, ENC_CAMELLIA256,DIG_SHA384, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3747 {0xC080,KEX_DHE_DSS, ENC_CAMELLIA128,DIG_SHA256, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3748 {0xC081,KEX_DHE_DSS, ENC_CAMELLIA256,DIG_SHA384, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3749 {0xC082,KEX_DH_DSS, ENC_CAMELLIA128,DIG_SHA256, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3750 {0xC083,KEX_DH_DSS, ENC_CAMELLIA256,DIG_SHA384, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3751 {0xC084,KEX_DH_ANON, ENC_CAMELLIA128,DIG_SHA256, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3752 {0xC085,KEX_DH_ANON, ENC_CAMELLIA256,DIG_SHA384, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3753 {0xC086,KEX_ECDHE_ECDSA, ENC_CAMELLIA128,DIG_SHA256, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3754 {0xC087,KEX_ECDHE_ECDSA, ENC_CAMELLIA256,DIG_SHA384, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3755 {0xC088,KEX_ECDH_ECDSA, ENC_CAMELLIA128,DIG_SHA256, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3756 {0xC089,KEX_ECDH_ECDSA, ENC_CAMELLIA256,DIG_SHA384, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3757 {0xC08A,KEX_ECDHE_RSA, ENC_CAMELLIA128,DIG_SHA256, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3758 {0xC08B,KEX_ECDHE_RSA, ENC_CAMELLIA256,DIG_SHA384, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3759 {0xC08C,KEX_ECDH_RSA, ENC_CAMELLIA128,DIG_SHA256, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3760 {0xC08D,KEX_ECDH_RSA, ENC_CAMELLIA256,DIG_SHA384, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3761 {0xC08E,KEX_PSK, ENC_CAMELLIA128,DIG_SHA256, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3762 {0xC08F,KEX_PSK, ENC_CAMELLIA256,DIG_SHA384, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3763 {0xC090,KEX_DHE_PSK, ENC_CAMELLIA128,DIG_SHA256, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3764 {0xC091,KEX_DHE_PSK, ENC_CAMELLIA256,DIG_SHA384, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3765 {0xC092,KEX_RSA_PSK, ENC_CAMELLIA128,DIG_SHA256, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3766 {0xC093,KEX_RSA_PSK, ENC_CAMELLIA256,DIG_SHA384, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3767 {0xC094,KEX_PSK, ENC_CAMELLIA128,DIG_SHA256, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3768 {0xC095,KEX_PSK, ENC_CAMELLIA256,DIG_SHA384, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3769 {0xC096,KEX_DHE_PSK, ENC_CAMELLIA128,DIG_SHA256, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3770 {0xC097,KEX_DHE_PSK, ENC_CAMELLIA256,DIG_SHA384, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3771 {0xC098,KEX_RSA_PSK, ENC_CAMELLIA128,DIG_SHA256, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3772 {0xC099,KEX_RSA_PSK, ENC_CAMELLIA256,DIG_SHA384, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3773 {0xC09A,KEX_ECDHE_PSK, ENC_CAMELLIA128,DIG_SHA256, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3774 {0xC09B,KEX_ECDHE_PSK, ENC_CAMELLIA256,DIG_SHA384, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3775 {0xC09C,KEX_RSA, ENC_AES, DIG_NA, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3776 {0xC09D,KEX_RSA, ENC_AES256, DIG_NA, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3777 {0xC09E,KEX_DHE_RSA, ENC_AES, DIG_NA, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3778 {0xC09F,KEX_DHE_RSA, ENC_AES256, DIG_NA, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3779 {0xC0A0,KEX_RSA, ENC_AES, DIG_NA, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3780 {0xC0A1,KEX_RSA, ENC_AES256, DIG_NA, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3781 {0xC0A2,KEX_DHE_RSA, ENC_AES, DIG_NA, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3782 {0xC0A3,KEX_DHE_RSA, ENC_AES256, DIG_NA, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3783 {0xC0A4,KEX_PSK, ENC_AES, DIG_NA, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3784 {0xC0A5,KEX_PSK, ENC_AES256, DIG_NA, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3785 {0xC0A6,KEX_DHE_PSK, ENC_AES, DIG_NA, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3786 {0xC0A7,KEX_DHE_PSK, ENC_AES256, DIG_NA, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3787 {0xC0A8,KEX_PSK, ENC_AES, DIG_NA, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3788 {0xC0A9,KEX_PSK, ENC_AES256, DIG_NA, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3789 {0xC0AA,KEX_DHE_PSK, ENC_AES, DIG_NA, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3790 {0xC0AB,KEX_DHE_PSK, ENC_AES256, DIG_NA, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3791 {0xC0AC,KEX_ECDHE_ECDSA, ENC_AES, DIG_NA, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3792 {0xC0AD,KEX_ECDHE_ECDSA, ENC_AES256, DIG_NA, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3793 {0xC0AE,KEX_ECDHE_ECDSA, ENC_AES, DIG_NA, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3794 {0xC0AF,KEX_ECDHE_ECDSA, ENC_AES256, DIG_NA, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3795 {0xCCA8,KEX_ECDHE_RSA, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3796 {0xCCA9,KEX_ECDHE_ECDSA, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3797 {0xCCAA,KEX_DHE_RSA, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3798 {0xCCAB,KEX_PSK, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3799 {0xCCAC,KEX_ECDHE_PSK, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3800 {0xCCAD,KEX_DHE_PSK, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3801 {0xCCAE,KEX_RSA_PSK, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3802 {0xD001,KEX_ECDHE_PSK, ENC_AES, DIG_SHA256, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3803 {0xD002,KEX_ECDHE_PSK, ENC_AES256, DIG_SHA384, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3804 {0xD003,KEX_ECDHE_PSK, ENC_AES, DIG_SHA256, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3805 {0xD005,KEX_ECDHE_PSK, ENC_AES, DIG_SHA256, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3806 /* GM */
3807 {0xe001,KEX_ECDHE_SM2, ENC_SM1, DIG_SM3, MODE_CBC}, /* ECDHE_SM1_SM3 */
3808 {0xe003,KEX_ECC_SM2, ENC_SM1, DIG_SM3, MODE_CBC}, /* ECC_SM1_SM3 */
3809 {0xe005,KEX_IBSDH_SM9, ENC_SM1, DIG_SM3, MODE_CBC}, /* IBSDH_SM1_SM3 */
3810 {0xe007,KEX_IBC_SM9, ENC_SM1, DIG_SM3, MODE_CBC}, /* IBC_SM1_SM3 */
3811 {0xe009,KEX_RSA, ENC_SM1, DIG_SM3, MODE_CBC}, /* RSA_SM1_SM3 */
3812 {0xe00a,KEX_RSA, ENC_SM1, DIG_SHA, MODE_CBC}, /* RSA_SM1_SHA1 */
3813 {0xe011,KEX_ECDHE_SM2, ENC_SM4, DIG_SM3, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3814 {0xe013,KEX_ECC_SM2, ENC_SM4, DIG_SM3, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3815 {0xe015,KEX_IBSDH_SM9, ENC_SM4, DIG_SM3, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3816 {0xe017,KEX_IBC_SM9, ENC_SM4, DIG_SM3, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3817 {0xe019,KEX_RSA, ENC_SM4, DIG_SM3, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3818 {0xe01a,KEX_RSA, ENC_SM4, DIG_SHA, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3819 {0xe01c,KEX_RSA, ENC_SM4, DIG_SHA256, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3820 {0xe051,KEX_ECDHE_SM2, ENC_SM4, DIG_SM3, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3821 {0xe053,KEX_ECC_SM2, ENC_SM4, DIG_SM3, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3822 {0xe055,KEX_IBSDH_SM9, ENC_SM4, DIG_SM3, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3823 {0xe057,KEX_IBC_SM9, ENC_SM4, DIG_SM3, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3824 {0xe059,KEX_RSA, ENC_SM4, DIG_SM3, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3825 {0xe05a,KEX_RSA, ENC_SM4, DIG_SHA256, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3826 {-1, 0, 0, 0, MODE_STREAM}
3827 };
3828
3829 #define MAX_BLOCK_SIZE 16
3830 #define MAX_KEY_SIZE 32
3831
3832 const SslCipherSuite *
3833 ssl_find_cipher(int num)
3834 {
3835 const SslCipherSuite *c;
3836 for(c=cipher_suites;c->number!=-1;c++){
3837 if(c->number==num){
3838 return c;
3839 }
3840 }
3841
3842 return NULL;
3843 }
3844
3845 int
3846 ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
3847 {
3848 return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START]);
3849 }
3850
3851 unsigned
3852 ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
3853 {
3854 int cipher_algo;
3855 if (cipher_suite->mode != MODE_CBC) return 0;
3856 cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START]);
3857 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
3858 }
3859
3860 static unsigned
3861 ssl_get_cipher_export_keymat_size(int cipher_suite_num)
3862 {
3863 switch (cipher_suite_num) {
3864 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
3865 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3866 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3867 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3868 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3869 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3870 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3871 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3872 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3873 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3874 return 5;
3875
3876 /* not defined in below draft, but "implemented by several vendors",
3877 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
3878 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3879 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3880 return 7;
3881
3882 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
3883 * used 7. Until a pcap proves 8, let's use the old value. Link:
3884 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
3885 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3886 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3887 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3888 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3889 return 7;
3890
3891 default:
3892 return 0;
3893 }
3894 }
3895
3896 /* Digests, Ciphers and Cipher Suites registry }}} */
3897
3898
3899 /* HMAC and the Pseudorandom function {{{ */
3900 static int
3901 tls_hash(StringInfo *secret, StringInfo *seed, int md,
3902 StringInfo *out, unsigned out_len)
3903 {
3904 /* RFC 2246 5. HMAC and the pseudorandom function
3905 * '+' denotes concatenation.
3906 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
3907 * HMAC_hash(secret, A(2) + seed) + ...
3908 * A(0) = seed
3909 * A(i) = HMAC_hash(secret, A(i - 1))
3910 */
3911 uint8_t *ptr;
3912 unsigned left, tocpy;
3913 uint8_t *A;
3914 uint8_t _A[DIGEST_MAX_SIZE], tmp[DIGEST_MAX_SIZE];
3915 unsigned A_l, tmp_l;
3916 SSL_HMAC hm;
3917
3918 ptr = out->data;
3919 left = out_len;
3920
3921 ssl_print_string("tls_hash: hash secret", secret);
3922 ssl_print_string("tls_hash: hash seed", seed);
3923 /* A(0) = seed */
3924 A = seed->data;
3925 A_l = seed->data_len;
3926
3927 if (ssl_hmac_init(&hm, md) != 0) {
3928 return -1;
3929 }
3930 while (left) {
3931 /* A(i) = HMAC_hash(secret, A(i-1)) */
3932 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
3933 ssl_hmac_update(&hm, A, A_l);
3934 A_l = sizeof(_A); /* upper bound len for hash output */
3935 ssl_hmac_final(&hm, _A, &A_l);
3936 A = _A;
3937
3938 /* HMAC_hash(secret, A(i) + seed) */
3939 ssl_hmac_reset(&hm);
3940 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
3941 ssl_hmac_update(&hm, A, A_l);
3942 ssl_hmac_update(&hm, seed->data, seed->data_len);
3943 tmp_l = sizeof(tmp); /* upper bound len for hash output */
3944 ssl_hmac_final(&hm, tmp, &tmp_l);
3945 ssl_hmac_reset(&hm);
3946
3947 /* ssl_hmac_final puts the actual digest output size in tmp_l */
3948 tocpy = MIN(left, tmp_l);
3949 memcpy(ptr, tmp, tocpy);
3950 ptr += tocpy;
3951 left -= tocpy;
3952 }
3953 ssl_hmac_cleanup(&hm);
3954 out->data_len = out_len;
3955
3956 ssl_print_string("hash out", out);
3957 return 0;
3958 }
3959
3960 static bool
3961 tls_prf(StringInfo* secret, const char *usage,
3962 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
3963 {
3964 StringInfo seed, sha_out, md5_out;
3965 uint8_t *ptr;
3966 StringInfo s1, s2;
3967 unsigned i,s_l;
3968 size_t usage_len, rnd2_len;
3969 bool success = false;
3970 usage_len = strlen(usage);
3971 rnd2_len = rnd2 ? rnd2->data_len : 0;
3972
3973 /* initialize buffer for sha, md5 random seed*/
3974 if (ssl_data_alloc(&sha_out, MAX(out_len, 20)) < 0) {
3975 ssl_debug_printf("tls_prf: can't allocate sha out\n");
3976 return false;
3977 }
3978 if (ssl_data_alloc(&md5_out, MAX(out_len, 16)) < 0) {
3979 ssl_debug_printf("tls_prf: can't allocate md5 out\n");
3980 goto free_sha;
3981 }
3982 if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
3983 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
3984 (int) (usage_len+rnd1->data_len+rnd2_len));
3985 goto free_md5;
3986 }
3987
3988 ptr=seed.data;
3989 memcpy(ptr,usage,usage_len);
3990 ptr+=usage_len;
3991 memcpy(ptr,rnd1->data,rnd1->data_len);
3992 if (rnd2_len > 0) {
3993 ptr+=rnd1->data_len;
3994 memcpy(ptr,rnd2->data,rnd2->data_len);
3995 /*ptr+=rnd2->data_len;*/
3996 }
3997
3998 /* initialize buffer for client/server seeds*/
3999 s_l=secret->data_len/2 + secret->data_len%2;
4000 if (ssl_data_alloc(&s1, s_l) < 0) {
4001 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);
4002 goto free_seed;
4003 }
4004 if (ssl_data_alloc(&s2, s_l) < 0) {
4005 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);
4006 goto free_s1;
4007 }
4008
4009 memcpy(s1.data,secret->data,s_l);
4010 memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);
4011
4012 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
4013 if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
4014 goto free_s2;
4015 ssl_debug_printf("tls_prf: tls_hash(sha)\n");
4016 if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
4017 goto free_s2;
4018
4019 for (i = 0; i < out_len; i++)
4020 out->data[i] = md5_out.data[i] ^ sha_out.data[i];
4021 /* success, now store the new meaningful data length */
4022 out->data_len = out_len;
4023 success = true;
4024
4025 ssl_print_string("PRF out",out);
4026 free_s2:
4027 g_free(s2.data);
4028 free_s1:
4029 g_free(s1.data);
4030 free_seed:
4031 g_free(seed.data);
4032 free_md5:
4033 g_free(md5_out.data);
4034 free_sha:
4035 g_free(sha_out.data);
4036 return success;
4037 }
4038
4039 static bool
4040 tls12_prf(int md, StringInfo* secret, const char* usage,
4041 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4042 {
4043 StringInfo label_seed;
4044 int success;
4045 size_t usage_len, rnd2_len;
4046 rnd2_len = rnd2 ? rnd2->data_len : 0;
4047
4048 usage_len = strlen(usage);
4049 if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4050 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
4051 return false;
4052 }
4053 memcpy(label_seed.data, usage, usage_len);
4054 memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);
4055 if (rnd2_len > 0)
4056 memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);
4057
4058 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
4059 success = tls_hash(secret, &label_seed, md, out, out_len);
4060 g_free(label_seed.data);
4061 if(success != -1){
4062 ssl_print_string("PRF out", out);
4063 return true;
4064 }
4065 return false;
4066 }
4067
4068 static bool
4069 ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
4070 StringInfo *out, unsigned out_len)
4071 {
4072 SSL_MD5_CTX md5;
4073 uint8_t tmp[16];
4074
4075 if (ssl_md5_init(&md5) != 0) {
4076 return false;
4077 }
4078 ssl_md5_update(&md5,r1->data,r1->data_len);
4079 ssl_md5_update(&md5,r2->data,r2->data_len);
4080 ssl_md5_final(tmp,&md5);
4081 ssl_md5_cleanup(&md5);
4082
4083 DISSECTOR_ASSERT(out_len <= sizeof(tmp));
4084 ssl_data_set(out, tmp, out_len);
4085 ssl_print_string("export iv", out);
4086 return true;
4087 }
4088
4089 static bool
4090 ssl3_prf(StringInfo* secret, const char* usage,
4091 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4092 {
4093 SSL_MD5_CTX md5;
4094 SSL_SHA_CTX sha;
4095 unsigned off;
4096 int i = 0,j;
4097 uint8_t buf[20];
4098
4099 if (ssl_sha_init(&sha) != 0) {
4100 return false;
4101 }
4102 if (ssl_md5_init(&md5) != 0) {
4103 ssl_sha_cleanup(&sha);
4104 return false;
4105 }
4106 for (off = 0; off < out_len; off += 16) {
4107 unsigned char outbuf[16];
4108 i++;
4109
4110 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);
4111 /* A, BB, CCC, ... */
4112 for(j=0;j<i;j++){
4113 buf[j]=64+i;
4114 }
4115
4116 ssl_sha_update(&sha,buf,i);
4117 ssl_sha_update(&sha,secret->data,secret->data_len);
4118
4119 if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){
4120 if (rnd2)
4121 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4122 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4123 }
4124 else{
4125 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4126 if (rnd2)
4127 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4128 }
4129
4130 ssl_sha_final(buf,&sha);
4131 ssl_sha_reset(&sha);
4132
4133 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,
4134 secret->data_len);
4135 ssl_md5_update(&md5,secret->data,secret->data_len);
4136 ssl_md5_update(&md5,buf,20);
4137 ssl_md5_final(outbuf,&md5);
4138 ssl_md5_reset(&md5);
4139
4140 memcpy(out->data + off, outbuf, MIN(out_len - off, 16));
4141 }
4142 ssl_sha_cleanup(&sha);
4143 ssl_md5_cleanup(&md5);
4144 out->data_len = out_len;
4145
4146 return true;
4147 }
4148
4149 /* out_len is the wanted output length for the pseudorandom function.
4150 * Ensure that ssl->cipher_suite is set. */
4151 static bool
4152 prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
4153 StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
4154 {
4155 switch (ssl->session.version) {
4156 case SSLV3_VERSION:
4157 return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);
4158
4159 case TLSV1_VERSION:
4160 case TLSV1DOT1_VERSION:
4161 case DTLSV1DOT0_VERSION:
4162 case DTLSV1DOT0_OPENSSL_VERSION:
4163 return tls_prf(secret, usage, rnd1, rnd2, out, out_len);
4164
4165 default: /* TLSv1.2 */
4166 switch (ssl->cipher_suite->dig) {
4167 case DIG_SM3:
4168 #if GCRYPT_VERSION_NUMBER >= 0x010900
4169 return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,
4170 out, out_len);
4171 #else
4172 return false;
4173 #endif
4174 case DIG_SHA384:
4175 return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,
4176 out, out_len);
4177 default:
4178 return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,
4179 out, out_len);
4180 }
4181 }
4182 }
4183
4184 static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
4185 {
4186 SSL_MD5_CTX md5;
4187 SSL_SHA_CTX sha;
4188
4189 if (ssl_data_alloc(out, 36) < 0)
4190 return -1;
4191
4192 if (ssl_md5_init(&md5) != 0)
4193 return -1;
4194 ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);
4195 ssl_md5_final(out->data,&md5);
4196 ssl_md5_cleanup(&md5);
4197
4198 if (ssl_sha_init(&sha) != 0)
4199 return -1;
4200 ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);
4201 ssl_sha_final(out->data+16,&sha);
4202 ssl_sha_cleanup(&sha);
4203 return 0;
4204 }
4205
4206 static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
4207 {
4208 SSL_MD mc;
4209 uint8_t tmp[48];
4210 unsigned len;
4211
4212 if (ssl_md_init(&mc, md) != 0)
4213 return -1;
4214 ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);
4215 ssl_md_final(&mc, tmp, &len);
4216 ssl_md_cleanup(&mc);
4217
4218 if (ssl_data_alloc(out, len) < 0)
4219 return -1;
4220 memcpy(out->data, tmp, len);
4221 return 0;
4222 }
4223
4224 /**
4225 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
4226 * inlined and removed once support for draft 19 and before is dropped.
4227 */
4228 static inline const char *
4229 tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
4230 {
4231 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
4232 return "TLS 1.3, ";
4233 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION) {
4234 return "dtls13";
4235 } else {
4236 return "tls13 ";
4237 }
4238 }
4239
4240 /*
4241 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
4242 * custom label prefix. If "context_hash" is NULL, then an empty context is
4243 * used. Otherwise it must have the same length as the hash algorithm output.
4244 */
4245 bool
4246 tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
4247 const char *label_prefix, const char *label,
4248 const uint8_t *context_hash, uint8_t context_length,
4249 uint16_t out_len, unsigned char **out)
4250 {
4251 /* RFC 8446 Section 7.1:
4252 * HKDF-Expand-Label(Secret, Label, Context, Length) =
4253 * HKDF-Expand(Secret, HkdfLabel, Length)
4254 * struct {
4255 * uint16 length = Length;
4256 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
4257 * opaque context<0..255> = Context;
4258 * } HkdfLabel;
4259 *
4260 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
4261 * HKDF-Expand(PRK, info, L) -> OKM
4262 */
4263 gcry_error_t err;
4264 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
4265 const unsigned label_length = (unsigned) strlen(label);
4266
4267 /* Some sanity checks */
4268 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255);
4269
4270 /* info = HkdfLabel { length, label, context } */
4271 GByteArray *info = g_byte_array_new();
4272 const uint16_t length = g_htons(out_len);
4273 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));
4274
4275 const uint8_t label_vector_length = label_prefix_length + label_length;
4276 g_byte_array_append(info, &label_vector_length, 1);
4277 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
4278 g_byte_array_append(info, (const uint8_t*)label, label_length);
4279
4280 g_byte_array_append(info, &context_length, 1);
4281 if (context_length) {
4282 g_byte_array_append(info, context_hash, context_length);
4283 }
4284
4285 *out = (unsigned char *)wmem_alloc(NULL, out_len);
4286 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
4287 g_byte_array_free(info, true);
4288
4289 if (err) {
4290 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC, md, gcry_strerror(err));
4291 wmem_free(NULL, *out);
4292 *out = NULL;
4293 return false;
4294 }
4295
4296 return true;
4297 }
4298
4299 bool
4300 tls13_hkdf_expand_label(int md, const StringInfo *secret,
4301 const char *label_prefix, const char *label,
4302 uint16_t out_len, unsigned char **out)
4303 {
4304 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL, 0, out_len, out);
4305 }
4306 /* HMAC and the Pseudorandom function }}} */
4307
4308 /* Record Decompression (after decryption) {{{ */
4309 #if defined (HAVE_ZLIB) || defined (HAVE_ZLIBNG)
4310 /* memory allocation functions for zlib initialization */
4311 static void* ssl_zalloc(void* opaque _U_, unsigned int no, unsigned int size)
4312 {
4313 return g_malloc0(no*size);
4314 }
4315 static void ssl_zfree(void* opaque _U_, void* addr)
4316 {
4317 g_free(addr);
4318 }
4319 #endif
4320
4321 static SslDecompress*
4322 ssl_create_decompressor(int compression)
4323 {
4324 SslDecompress *decomp;
4325 #if defined (HAVE_ZLIB) || defined (HAVE_ZLIBNG)
4326 int err;
4327 #endif
4328
4329 if (compression == 0) return NULL;
4330 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
4331 decomp = wmem_new(wmem_file_scope(), SslDecompress);
4332 decomp->compression = compression;
4333 switch (decomp->compression) {
4334 #if defined (HAVE_ZLIB) || defined (HAVE_ZLIBNG)
4335 case 1: /* DEFLATE */
4336 decomp->istream.zalloc = ssl_zalloc;
4337 decomp->istream.zfree = ssl_zfree;
4338 decomp->istream.opaque = Z_NULL;
4339 decomp->istream.next_in = Z_NULL;
4340 decomp->istream.next_out = Z_NULL;
4341 decomp->istream.avail_in = 0;
4342 decomp->istream.avail_out = 0;
4343 err = ZLIB_PREFIX(inflateInit)(&decomp->istream);
4344 if (err != Z_OK) {
4345 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
4346 return NULL;
4347 }
4348 break;
4349 #endif
4350 default:
4351 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
4352 return NULL;
4353 }
4354 return decomp;
4355 }
4356
4357 #if defined (HAVE_ZLIB) || defined (HAVE_ZLIBNG)
4358 static int
4359 ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
4360 {
4361 int err;
4362
4363 switch (decomp->compression) {
4364 case 1: /* DEFLATE */
4365 err = Z_OK;
4366 if (out_str->data_len < 16384) { /* maximal plain length */
4367 ssl_data_realloc(out_str, 16384);
4368 }
4369 #ifdef z_const
4370 decomp->istream.next_in = in;
4371 #else
4372 DIAG_OFF(cast-qual)
4373 decomp->istream.next_in = (Bytef *)in;
4374 DIAG_ON(cast-qual)
4375 #endif
4376 decomp->istream.avail_in = inl;
4377 decomp->istream.next_out = out_str->data;
4378 decomp->istream.avail_out = out_str->data_len;
4379 if (inl > 0)
4380 err = ZLIB_PREFIX(inflate)(&decomp->istream, Z_SYNC_FLUSH);
4381 if (err != Z_OK) {
4382 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
4383 return -1;
4384 }
4385 *outl = out_str->data_len - decomp->istream.avail_out;
4386 break;
4387 default:
4388 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4389 return -1;
4390 }
4391 return 0;
4392 }
4393 #else
4394 int
4395 ssl_decompress_record(SslDecompress* decomp _U_, const unsigned char* in _U_, unsigned inl _U_, StringInfo* out_str _U_, unsigned* outl _U_)
4396 {
4397 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4398 return -1;
4399 }
4400 #endif
4401 /* Record Decompression (after decryption) }}} */
4402
4403 /* Create a new structure to store decrypted chunks. {{{ */
4404 static SslFlow*
4405 ssl_create_flow(void)
4406 {
4407 SslFlow *flow;
4408
4409 flow = wmem_new(wmem_file_scope(), SslFlow);
4410 flow->byte_seq = 0;
4411 flow->flags = 0;
4412 flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
4413 return flow;
4414 }
4415 /* }}} */
4416
4417 /* Use the negotiated security parameters for decryption. {{{ */
4418 void
4419 ssl_change_cipher(SslDecryptSession *ssl_session, bool server)
4420 {
4421 SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;
4422 SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;
4423 ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
4424 *new_decoder ? "" : " (No decoder found - retransmission?)");
4425 if (*new_decoder) {
4426 *dest = *new_decoder;
4427 *new_decoder = NULL;
4428 }
4429 }
4430 /* }}} */
4431
4432 /* Init cipher state given some security parameters. {{{ */
4433 static bool
4434 ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
4435
4436 static SslDecoder*
4437 ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
4438 int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
4439 {
4440 SslDecoder *dec;
4441 ssl_cipher_mode_t mode = cipher_suite->mode;
4442
4443 dec = wmem_new0(wmem_file_scope(), SslDecoder);
4444 /* init mac buffer: mac storage is embedded into decoder struct to save a
4445 memory allocation and waste samo more memory*/
4446 dec->cipher_suite=cipher_suite;
4447 dec->compression = compression;
4448 if ((mode == MODE_STREAM && mk != NULL) || mode == MODE_CBC) {
4449 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
4450 // the special case for NULL ciphers, even if there is insufficiency
4451 // keying material (including MAC key), we will can still create
4452 // decoders since "decryption" is easy for such ciphers.
4453 dec->mac_key.data = dec->_mac_key_or_write_iv;
4454 ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
4455 } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
4456 // Input for the nonce, to be used with AEAD ciphers.
4457 DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv));
4458 dec->write_iv.data = dec->_mac_key_or_write_iv;
4459 ssl_data_set(&dec->write_iv, iv, iv_length);
4460 }
4461 dec->seq = 0;
4462 dec->decomp = ssl_create_decompressor(compression);
4463 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);
4464
4465 if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {
4466 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC,
4467 cipher_algo, cipher_suite->mode);
4468 return NULL;
4469 }
4470
4471 if (cipher_suite->enc != ENC_NULL && sn_key != NULL) {
4472 if (cipher_suite->enc == ENC_AES || cipher_suite->enc == ENC_AES256) {
4473 mode = MODE_ECB;
4474 } else if (cipher_suite->enc == ENC_CHACHA20) {
4475 mode = MODE_STREAM;
4476 } else {
4477 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
4478 return NULL;
4479 }
4480
4481 if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL, mode) < 0) {
4482 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC,
4483 cipher_algo, MODE_ECB);
4484 ssl_cipher_cleanup(&dec->evp);
4485 dec->evp = NULL;
4486 return NULL;
4487 }
4488 } else {
4489 dec->sn_evp = NULL;
4490 }
4491
4492 dec->dtls13_aad.data = NULL;
4493 dec->dtls13_aad.data_len = 0;
4494 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
4495 return dec;
4496 }
4497
4498 static bool
4499 ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U_, wmem_cb_event_t event _U_, void *user_data)
4500 {
4501 SslDecoder *dec = (SslDecoder *) user_data;
4502
4503 if (dec->evp)
4504 ssl_cipher_cleanup(&dec->evp);
4505 if (dec->sn_evp)
4506 ssl_cipher_cleanup(&dec->sn_evp);
4507
4508 #if defined (HAVE_ZLIB) || defined (HAVE_ZLIBNG)
4509 if (dec->decomp != NULL && dec->decomp->compression == 1 /* DEFLATE */)
4510 ZLIB_PREFIX(inflateEnd)(&dec->decomp->istream);
4511 #endif
4512
4513 return false;
4514 }
4515 /* }}} */
4516
4517 /* (Pre-)master secrets calculations {{{ */
4518 #ifdef HAVE_LIBGNUTLS
4519 static bool
4520 ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4521 StringInfo *encrypted_pre_master,
4522 GHashTable *key_hash);
4523 #endif /* HAVE_LIBGNUTLS */
4524
4525 static bool
4526 ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
4527 bool is_pre_master, GHashTable *ht, StringInfo *key);
4528
4529 bool
4530 ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
4531 uint32_t length, tvbuff_t *tvb, uint32_t offset,
4532 const char *ssl_psk, packet_info *pinfo,
4533 #ifdef HAVE_LIBGNUTLS
4534 GHashTable *key_hash,
4535 #endif
4536 const ssl_master_key_map_t *mk_map)
4537 {
4538 /* check for required session data */
4539 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
4540 G_STRFUNC, ssl_session->state);
4541 if ((ssl_session->state & (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION)) !=
4542 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION)) {
4543 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC,
4544 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION));
4545 return false;
4546 }
4547
4548 if (ssl_session->session.version == TLSV1DOT3_VERSION) {
4549 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC);
4550 return false;
4551 }
4552
4553 /* check to see if the PMS was provided to us*/
4554 if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true,
4555 mk_map->pms, &ssl_session->client_random)) {
4556 return true;
4557 }
4558
4559 if (ssl_session->cipher_suite->kex == KEX_PSK)
4560 {
4561 /* calculate pre master secret*/
4562 StringInfo pre_master_secret;
4563 unsigned psk_len, pre_master_len;
4564
4565 if (!ssl_psk || (ssl_psk[0] == 0)) {
4566 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC);
4567 return false;
4568 }
4569
4570 /* convert hex string into char*/
4571 if (!from_hex(&ssl_session->psk, ssl_psk, strlen(ssl_psk))) {
4572 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
4573 G_STRFUNC);
4574 return false;
4575 }
4576
4577 psk_len = ssl_session->psk.data_len;
4578 if (psk_len >= (2 << 15)) {
4579 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
4580 G_STRFUNC);
4581 return false;
4582 }
4583
4584
4585 pre_master_len = psk_len * 2 + 4;
4586
4587 pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
4588 pre_master_secret.data_len = pre_master_len;
4589 /* 2 bytes psk_len*/
4590 pre_master_secret.data[0] = psk_len >> 8;
4591 pre_master_secret.data[1] = psk_len & 0xFF;
4592 /* psk_len bytes times 0*/
4593 memset(&pre_master_secret.data[2], 0, psk_len);
4594 /* 2 bytes psk_len*/
4595 pre_master_secret.data[psk_len + 2] = psk_len >> 8;
4596 pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
4597 /* psk*/
4598 memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);
4599
4600 ssl_session->pre_master_secret.data = pre_master_secret.data;
4601 ssl_session->pre_master_secret.data_len = pre_master_len;
4602 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/
4603
4604 /* Remove the master secret if it was there.
4605 This forces keying material regeneration in
4606 case we're renegotiating */
4607 ssl_session->state &= ~(SSL_MASTER_SECRET|SSL_HAVE_SESSION_KEY);
4608 ssl_session->state |= SSL_PRE_MASTER_SECRET;
4609 return true;
4610 }
4611 else
4612 {
4613 unsigned encrlen, skip;
4614 encrlen = length;
4615 skip = 0;
4616
4617 /* get encrypted data, on tls1 we have to skip two bytes
4618 * (it's the encrypted len and should be equal to record len - 2)
4619 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
4620 */
4621 if (ssl_session->cipher_suite->kex == KEX_RSA &&
4622 (ssl_session->session.version == TLSV1_VERSION ||
4623 ssl_session->session.version == TLSV1DOT1_VERSION ||
4624 ssl_session->session.version == TLSV1DOT2_VERSION ||
4625 ssl_session->session.version == DTLSV1DOT0_VERSION ||
4626 ssl_session->session.version == DTLSV1DOT2_VERSION ||
4627 ssl_session->session.version == TLCPV1_VERSION ))
4628 {
4629 encrlen = tvb_get_ntohs(tvb, offset);
4630 skip = 2;
4631 if (encrlen > length - 2)
4632 {
4633 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
4634 G_STRFUNC, encrlen, length);
4635 return false;
4636 }
4637 }
4638 /* the valid lower bound is higher than 8, but it is sufficient for the
4639 * ssl keylog file below */
4640 if (encrlen < 8) {
4641 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
4642 G_STRFUNC, encrlen);
4643 return false;
4644 }
4645
4646 StringInfo encrypted_pre_master = {
4647 .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
4648 .data_len = encrlen,
4649 };
4650
4651 #ifdef HAVE_LIBGNUTLS
4652 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
4653 if (ssl_session->cert_key_id) {
4654 if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
4655 return true;
4656
4657 ssl_debug_printf("%s: can't decrypt pre-master secret\n",
4658 G_STRFUNC);
4659 }
4660 #endif /* HAVE_LIBGNUTLS */
4661
4662 /* try to find the pre-master secret from the encrypted one. The
4663 * ssl key logfile stores only the first 8 bytes, so truncate it */
4664 encrypted_pre_master.data_len = 8;
4665 if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
4666 true, mk_map->pre_master, &encrypted_pre_master))
4667 return true;
4668 }
4669 return false;
4670 }
4671
4672 /* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
4673 int
4674 ssl_generate_keyring_material(SslDecryptSession*ssl_session)
4675 {
4676 StringInfo key_block = { NULL, 0 };
4677 uint8_t _iv_c[MAX_BLOCK_SIZE],_iv_s[MAX_BLOCK_SIZE];
4678 uint8_t _key_c[MAX_KEY_SIZE],_key_s[MAX_KEY_SIZE];
4679 int needed;
4680 int cipher_algo = -1; /* special value (-1) for NULL encryption */
4681 unsigned encr_key_len, write_iv_len = 0;
4682 bool is_export_cipher;
4683 uint8_t *ptr, *c_iv = NULL, *s_iv = NULL;
4684 uint8_t *c_wk = NULL, *s_wk = NULL, *c_mk = NULL, *s_mk = NULL;
4685 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
4686
4687 /* (D)TLS 1.3 is handled directly in tls13_change_key. */
4688 if (ssl_session->session.version == TLSV1DOT3_VERSION || ssl_session->session.version == DTLSV1DOT3_VERSION) {
4689 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC);
4690 return -1;
4691 }
4692
4693 /* check for enough info to proceed */
4694 unsigned need_all = SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION;
4695 unsigned need_any = SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET;
4696 if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
4697 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
4698 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
4699 need_all|SSL_MASTER_SECRET, need_all|SSL_PRE_MASTER_SECRET);
4700 /* Special case: for NULL encryption, allow dissection of data even if
4701 * the Client Hello is missing (MAC keys are now skipped though). */
4702 need_all = SSL_CIPHER|SSL_VERSION;
4703 if ((ssl_session->state & need_all) == need_all &&
4704 cipher_suite->enc == ENC_NULL) {
4705 ssl_debug_printf("%s NULL cipher found, will create a decoder but "
4706 "skip MAC validation as keys are missing.\n", G_STRFUNC);
4707 goto create_decoders;
4708 }
4709
4710 return -1;
4711 }
4712
4713 /* if master key is not available, generate is from the pre-master secret */
4714 if (!(ssl_session->state & SSL_MASTER_SECRET)) {
4715 if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK) == SSL_EXTENDED_MASTER_SECRET_MASK) {
4716 StringInfo handshake_hashed_data;
4717 int ret;
4718
4719 handshake_hashed_data.data = NULL;
4720 handshake_hashed_data.data_len = 0;
4721
4722 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC);
4723 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4724 DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0);
4725
4726 switch(ssl_session->session.version) {
4727 case TLSV1_VERSION:
4728 case TLSV1DOT1_VERSION:
4729 case DTLSV1DOT0_VERSION:
4730 case DTLSV1DOT0_OPENSSL_VERSION:
4731 case TLCPV1_VERSION:
4732 ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
4733 break;
4734 default:
4735 switch (cipher_suite->dig) {
4736 case DIG_SHA384:
4737 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
4738 break;
4739 default:
4740 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
4741 break;
4742 }
4743 break;
4744 }
4745 if (ret) {
4746 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC);
4747 return -1;
4748 }
4749
4750 wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
4751 ssl_session->handshake_data.data = NULL;
4752 ssl_session->handshake_data.data_len = 0;
4753
4754 if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
4755 &handshake_hashed_data,
4756 NULL, &ssl_session->master_secret,
4757 SSL_MASTER_SECRET_LENGTH)) {
4758 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC);
4759 g_free(handshake_hashed_data.data);
4760 return -1;
4761 }
4762 g_free(handshake_hashed_data.data);
4763 } else {
4764 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC);
4765 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4766 ssl_print_string("client random",&ssl_session->client_random);
4767 ssl_print_string("server random",&ssl_session->server_random);
4768 if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
4769 &ssl_session->client_random,
4770 &ssl_session->server_random, &ssl_session->master_secret,
4771 SSL_MASTER_SECRET_LENGTH)) {
4772 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC);
4773 return -1;
4774 }
4775 }
4776 ssl_print_string("master secret",&ssl_session->master_secret);
4777
4778 /* the pre-master secret has been 'consumed' so we must clear it now */
4779 ssl_session->state &= ~SSL_PRE_MASTER_SECRET;
4780 ssl_session->state |= SSL_MASTER_SECRET;
4781 }
4782
4783 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4784 if (cipher_suite->enc != ENC_NULL) {
4785 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START];
4786 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC, cipher_name);
4787 cipher_algo = ssl_get_cipher_by_name(cipher_name);
4788 if (cipher_algo == 0) {
4789 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC, cipher_name);
4790 return -1;
4791 }
4792 }
4793
4794 /* Export ciphers consume less material from the key block. */
4795 encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
4796 is_export_cipher = encr_key_len > 0;
4797 if (!is_export_cipher && cipher_suite->enc != ENC_NULL) {
4798 encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
4799 }
4800
4801 if (cipher_suite->mode == MODE_CBC) {
4802 write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4803 } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
4804 /* account for a four-byte salt for client and server side (from
4805 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
4806 write_iv_len = 4;
4807 } else if (cipher_suite->mode == MODE_POLY1305) {
4808 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
4809 write_iv_len = 12;
4810 }
4811
4812 /* Compute the key block. First figure out how much data we need */
4813 needed = ssl_cipher_suite_dig(cipher_suite)->len*2; /* MAC key */
4814 needed += 2 * encr_key_len; /* encryption key */
4815 needed += 2 * write_iv_len; /* write IV */
4816
4817 key_block.data = (unsigned char *)g_malloc(needed);
4818 ssl_debug_printf("%s sess key generation\n", G_STRFUNC);
4819 if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
4820 &ssl_session->server_random,&ssl_session->client_random,
4821 &key_block, needed)) {
4822 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC);
4823 goto fail;
4824 }
4825 ssl_print_string("key expansion", &key_block);
4826
4827 ptr=key_block.data;
4828 /* client/server write MAC key (for non-AEAD ciphers) */
4829 if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
4830 c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4831 s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4832 }
4833 /* client/server write encryption key */
4834 c_wk=ptr; ptr += encr_key_len;
4835 s_wk=ptr; ptr += encr_key_len;
4836 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
4837 if (write_iv_len > 0) {
4838 c_iv=ptr; ptr += write_iv_len;
4839 s_iv=ptr; /* ptr += write_iv_len; */
4840 }
4841
4842 /* export ciphers work with a smaller key length */
4843 if (is_export_cipher) {
4844 if (cipher_suite->mode == MODE_CBC) {
4845
4846 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
4847 all we should need. This is a sanity check */
4848 if (write_iv_len > MAX_BLOCK_SIZE) {
4849 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
4850 G_STRFUNC, MAX_BLOCK_SIZE, write_iv_len);
4851 goto fail;
4852 }
4853
4854 if(ssl_session->session.version==SSLV3_VERSION){
4855 /* The length of these fields are ignored by this caller */
4856 StringInfo iv_c, iv_s;
4857 iv_c.data = _iv_c;
4858 iv_s.data = _iv_s;
4859
4860 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC);
4861 if (!ssl3_generate_export_iv(&ssl_session->client_random,
4862 &ssl_session->server_random, &iv_c, write_iv_len)) {
4863 goto fail;
4864 }
4865 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC);
4866 if (!ssl3_generate_export_iv(&ssl_session->server_random,
4867 &ssl_session->client_random, &iv_s, write_iv_len)) {
4868 goto fail;
4869 }
4870 }
4871 else{
4872 uint8_t _iv_block[MAX_BLOCK_SIZE * 2];
4873 StringInfo iv_block;
4874 StringInfo key_null;
4875 uint8_t _key_null;
4876
4877 key_null.data = &_key_null;
4878 key_null.data_len = 0;
4879
4880 iv_block.data = _iv_block;
4881
4882 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC);
4883 if (!prf(ssl_session, &key_null, "IV block",
4884 &ssl_session->client_random,
4885 &ssl_session->server_random, &iv_block,
4886 write_iv_len * 2)) {
4887 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC);
4888 goto fail;
4889 }
4890
4891 memcpy(_iv_c, iv_block.data, write_iv_len);
4892 memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
4893 }
4894
4895 c_iv=_iv_c;
4896 s_iv=_iv_s;
4897 }
4898
4899 if (ssl_session->session.version==SSLV3_VERSION){
4900
4901 SSL_MD5_CTX md5;
4902 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC);
4903
4904 if (ssl_md5_init(&md5) != 0)
4905 goto fail;
4906 ssl_md5_update(&md5,c_wk,encr_key_len);
4907 ssl_md5_update(&md5,ssl_session->client_random.data,
4908 ssl_session->client_random.data_len);
4909 ssl_md5_update(&md5,ssl_session->server_random.data,
4910 ssl_session->server_random.data_len);
4911 ssl_md5_final(_key_c,&md5);
4912 ssl_md5_cleanup(&md5);
4913 c_wk=_key_c;
4914
4915 if (ssl_md5_init(&md5) != 0)
4916 goto fail;
4917 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC);
4918 ssl_md5_update(&md5,s_wk,encr_key_len);
4919 ssl_md5_update(&md5,ssl_session->server_random.data,
4920 ssl_session->server_random.data_len);
4921 ssl_md5_update(&md5,ssl_session->client_random.data,
4922 ssl_session->client_random.data_len);
4923 ssl_md5_final(_key_s,&md5);
4924 ssl_md5_cleanup(&md5);
4925 s_wk=_key_s;
4926 }
4927 else{
4928 StringInfo key_c, key_s, k;
4929 key_c.data = _key_c;
4930 key_s.data = _key_s;
4931
4932 k.data = c_wk;
4933 k.data_len = encr_key_len;
4934 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC);
4935 if (!prf(ssl_session, &k, "client write key",
4936 &ssl_session->client_random,
4937 &ssl_session->server_random, &key_c, sizeof(_key_c))) {
4938 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC);
4939 goto fail;
4940 }
4941 c_wk=_key_c;
4942
4943 k.data = s_wk;
4944 k.data_len = encr_key_len;
4945 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC);
4946 if (!prf(ssl_session, &k, "server write key",
4947 &ssl_session->client_random,
4948 &ssl_session->server_random, &key_s, sizeof(_key_s))) {
4949 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC);
4950 goto fail;
4951 }
4952 s_wk=_key_s;
4953 }
4954 }
4955
4956 /* show key material info */
4957 if (c_mk != NULL) {
4958 ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
4959 ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
4960 }
4961 ssl_print_data("Client Write key", c_wk, encr_key_len);
4962 ssl_print_data("Server Write key", s_wk, encr_key_len);
4963 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
4964 if (write_iv_len > 0) {
4965 ssl_print_data("Client Write IV", c_iv, write_iv_len);
4966 ssl_print_data("Server Write IV", s_iv, write_iv_len);
4967 }
4968
4969 create_decoders:
4970 /* create both client and server ciphers*/
4971 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC);
4972 ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL, c_iv, write_iv_len);
4973 if (!ssl_session->client_new) {
4974 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC);
4975 goto fail;
4976 }
4977 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC);
4978 ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL, s_iv, write_iv_len);
4979 if (!ssl_session->server_new) {
4980 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC);
4981 goto fail;
4982 }
4983
4984 /* Continue the SSL stream after renegotiation with new keys. */
4985 ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
4986 ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
4987
4988 ssl_debug_printf("%s: client seq %" PRIu64 ", server seq %" PRIu64 "\n",
4989 G_STRFUNC, ssl_session->client_new->seq, ssl_session->server_new->seq);
4990 g_free(key_block.data);
4991 ssl_session->state |= SSL_HAVE_SESSION_KEY;
4992 return 0;
4993
4994 fail:
4995 g_free(key_block.data);
4996 return -1;
4997 }
4998
4999 /* Generated the key material based on the given secret. */
5000 bool
5001 tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool is_from_server)
5002 {
5003 bool success = false;
5004 unsigned char *write_key = NULL, *write_iv = NULL;
5005 unsigned char *sn_key = NULL;
5006 SslDecoder *decoder;
5007 unsigned key_length, iv_length;
5008 int hash_algo;
5009 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
5010 int cipher_algo;
5011
5012 if ((ssl_session->session.version != TLSV1DOT3_VERSION) && (ssl_session->session.version != DTLSV1DOT3_VERSION)) {
5013 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC,
5014 ssl_session->session.version);
5015 return false;
5016 }
5017
5018 if (cipher_suite == NULL) {
5019 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC);
5020 return false;
5021 }
5022
5023 if (cipher_suite->kex != KEX_TLS13) {
5024 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC, cipher_suite->number);
5025 return false;
5026 }
5027
5028 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
5029 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START];
5030 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC, cipher_name);
5031 cipher_algo = ssl_get_cipher_by_name(cipher_name);
5032 if (cipher_algo == 0) {
5033 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC, cipher_name);
5034 return false;
5035 }
5036
5037 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
5038 hash_algo = ssl_get_digest_by_name(hash_name);
5039 if (!hash_algo) {
5040 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC, hash_name);
5041 return false;
5042 }
5043
5044 key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
5045 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
5046 iv_length = 12;
5047 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC, key_length, iv_length);
5048
5049 const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
5050 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
5051 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC);
5052 return false;
5053 }
5054 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
5055 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC);
5056 goto end;
5057 }
5058
5059 if (ssl_session->session.version == DTLSV1DOT3_VERSION) {
5060 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
5061 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC);
5062 goto end;
5063 }
5064 }
5065
5066 ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
5067 ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
5068 if (ssl_session->session.version == DTLSV1DOT3_VERSION) {
5069 ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
5070 }
5071
5072 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC, is_from_server ? "server" : "client");
5073 decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL, write_key, sn_key, write_iv, iv_length);
5074 if (!decoder) {
5075 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC, is_from_server ? "server" : "client");
5076 goto end;
5077 }
5078
5079 /* Continue the TLS session with new keys, but reuse old flow to keep things
5080 * like "Follow TLS" working (by linking application data records). */
5081 if (is_from_server) {
5082 decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5083 ssl_session->server = decoder;
5084 } else {
5085 decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5086 ssl_session->client = decoder;
5087 }
5088 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC,
5089 is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
5090 success = true;
5091
5092 end:
5093 wmem_free(NULL, write_key);
5094 wmem_free(NULL, write_iv);
5095 if (sn_key)
5096 wmem_free(NULL, sn_key);
5097 return success;
5098 }
5099 /* (Pre-)master secrets calculations }}} */
5100
5101 #ifdef HAVE_LIBGNUTLS
5102 /* Decrypt RSA pre-master secret using RSA private key. {{{ */
5103 static bool
5104 ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
5105 StringInfo *encrypted_pre_master, GHashTable *key_hash)
5106 {
5107 int ret;
5108
5109 if (!encrypted_pre_master)
5110 return false;
5111
5112 if (KEX_IS_DH(ssl_session->cipher_suite->kex)) {
5113 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
5114 "(cipher suite 0x%04X %s) and cannot be decrypted "
5115 "using a RSA private key file.\n",
5116 G_STRFUNC, ssl_session->session.cipher,
5117 val_to_str_ext_const(ssl_session->session.cipher,
5118 &ssl_31_ciphersuite_ext, "unknown"));
5119 return false;
5120 } else if (ssl_session->cipher_suite->kex != KEX_RSA) {
5121 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
5122 G_STRFUNC, ssl_session->cipher_suite->kex, KEX_RSA);
5123 return false;
5124 }
5125
5126 gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);
5127
5128 ssl_print_string("pre master encrypted", encrypted_pre_master);
5129 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC);
5130 const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
5131 gnutls_datum_t pms = { 0 };
5132 if (pk) {
5133 // Try to decrypt using the RSA keys table from (D)TLS preferences.
5134 ret = gnutls_privkey_decrypt_data(pk, 0, &epms, &pms);
5135 } else {
5136 // Try to decrypt using a hardware token.
5137 ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
5138 }
5139 if (ret < 0) {
5140 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC, ret, gnutls_strerror(ret));
5141 return false;
5142 }
5143
5144 if (pms.size != 48) {
5145 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
5146 G_STRFUNC, pms.size, 48);
5147 if (pk) {
5148 gnutls_free(pms.data);
5149 } else {
5150 g_free(pms.data);
5151 }
5152 return false;
5153 }
5154
5155 ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
5156 ssl_session->pre_master_secret.data_len = 48;
5157 if (pk) {
5158 gnutls_free(pms.data);
5159 } else {
5160 g_free(pms.data);
5161 }
5162 ssl_print_string("pre master secret", &ssl_session->pre_master_secret);
5163
5164 /* Remove the master secret if it was there.
5165 This forces keying material regeneration in
5166 case we're renegotiating */
5167 ssl_session->state &= ~(SSL_MASTER_SECRET|SSL_HAVE_SESSION_KEY);
5168 ssl_session->state |= SSL_PRE_MASTER_SECRET;
5169 return true;
5170 } /* }}} */
5171 #endif /* HAVE_LIBGNUTLS */
5172
5173 /* Decryption integrity check {{{ */
5174
5175 static int
5176 tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
5177 uint32_t datalen, uint8_t* mac)
5178 {
5179 SSL_HMAC hm;
5180 int md;
5181 uint32_t len;
5182 uint8_t buf[DIGEST_MAX_SIZE];
5183 int16_t temp;
5184
5185 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5186 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
5187 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5188
5189 if (ssl_hmac_init(&hm,md) != 0)
5190 return -1;
5191 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5192 return -1;
5193
5194 /* hash sequence number */
5195 phton64(buf, decoder->seq);
5196
5197 decoder->seq++;
5198
5199 ssl_hmac_update(&hm,buf,8);
5200
5201 /* hash content type */
5202 buf[0]=ct;
5203 ssl_hmac_update(&hm,buf,1);
5204
5205 /* hash version,data length and data*/
5206 /* *((int16_t*)buf) = g_htons(ver); */
5207 temp = g_htons(ver);
5208 memcpy(buf, &temp, 2);
5209 ssl_hmac_update(&hm,buf,2);
5210
5211 /* *((int16_t*)buf) = g_htons(datalen); */
5212 temp = g_htons(datalen);
5213 memcpy(buf, &temp, 2);
5214 ssl_hmac_update(&hm,buf,2);
5215 ssl_hmac_update(&hm,data,datalen);
5216
5217 /* get digest and digest len*/
5218 len = sizeof(buf);
5219 ssl_hmac_final(&hm,buf,&len);
5220 ssl_hmac_cleanup(&hm);
5221 ssl_print_data("Mac", buf, len);
5222 if(memcmp(mac,buf,len))
5223 return -1;
5224
5225 return 0;
5226 }
5227
5228 static int
5229 ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
5230 uint32_t datalen, uint8_t* mac)
5231 {
5232 SSL_MD mc;
5233 int md;
5234 uint32_t len;
5235 uint8_t buf[64],dgst[20];
5236 int pad_ct;
5237 int16_t temp;
5238
5239 pad_ct=(decoder->cipher_suite->dig==DIG_SHA)?40:48;
5240
5241 /* get cipher used for digest computation */
5242 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5243 if (ssl_md_init(&mc,md) !=0)
5244 return -1;
5245
5246 /* do hash computation on data && padding */
5247 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5248
5249 /* hash padding*/
5250 memset(buf,0x36,pad_ct);
5251 ssl_md_update(&mc,buf,pad_ct);
5252
5253 /* hash sequence number */
5254 phton64(buf, decoder->seq);
5255 decoder->seq++;
5256 ssl_md_update(&mc,buf,8);
5257
5258 /* hash content type */
5259 buf[0]=ct;
5260 ssl_md_update(&mc,buf,1);
5261
5262 /* hash data length in network byte order and data*/
5263 /* *((int16_t* )buf) = g_htons(datalen); */
5264 temp = g_htons(datalen);
5265 memcpy(buf, &temp, 2);
5266 ssl_md_update(&mc,buf,2);
5267 ssl_md_update(&mc,data,datalen);
5268
5269 /* get partial digest */
5270 ssl_md_final(&mc,dgst,&len);
5271 ssl_md_reset(&mc);
5272
5273 /* hash mac key */
5274 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5275
5276 /* hash padding and partial digest*/
5277 memset(buf,0x5c,pad_ct);
5278 ssl_md_update(&mc,buf,pad_ct);
5279 ssl_md_update(&mc,dgst,len);
5280
5281 ssl_md_final(&mc,dgst,&len);
5282 ssl_md_cleanup(&mc);
5283
5284 if(memcmp(mac,dgst,len))
5285 return -1;
5286
5287 return 0;
5288 }
5289
5290 static int
5291 dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
5292 uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
5293 {
5294 SSL_HMAC hm;
5295 int md;
5296 uint32_t len;
5297 uint8_t buf[DIGEST_MAX_SIZE];
5298 int16_t temp;
5299
5300 int ver = ssl->session.version;
5301 bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION));
5302
5303 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5304 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
5305 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5306
5307 if (ssl_hmac_init(&hm,md) != 0)
5308 return -1;
5309 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5310 return -1;
5311
5312 ssl_debug_printf("dtls_check_mac seq: %" PRIu64 " epoch: %d\n",decoder->seq,decoder->epoch);
5313
5314 if (is_cid && !ssl->session.deprecated_cid) {
5315 /* hash seq num placeholder */
5316 memset(buf,0xFF,8);
5317 ssl_hmac_update(&hm,buf,8);
5318
5319 /* hash content type + cid length + content type */
5320 buf[0]=ct;
5321 buf[1]=cidl;
5322 buf[2]=ct;
5323 ssl_hmac_update(&hm,buf,3);
5324
5325 /* hash version */
5326 temp = g_htons(ver);
5327 memcpy(buf, &temp, 2);
5328 ssl_hmac_update(&hm,buf,2);
5329
5330 /* hash sequence number */
5331 phton64(buf, decoder->seq);
5332 buf[0]=decoder->epoch>>8;
5333 buf[1]=(uint8_t)decoder->epoch;
5334 ssl_hmac_update(&hm,buf,8);
5335
5336 /* hash cid */
5337 ssl_hmac_update(&hm,cid,cidl);
5338 } else {
5339 /* hash sequence number */
5340 phton64(buf, decoder->seq);
5341 buf[0]=decoder->epoch>>8;
5342 buf[1]=(uint8_t)decoder->epoch;
5343 ssl_hmac_update(&hm,buf,8);
5344
5345 /* hash content type */
5346 buf[0]=ct;
5347 ssl_hmac_update(&hm,buf,1);
5348
5349 /* hash version */
5350 temp = g_htons(ver);
5351 memcpy(buf, &temp, 2);
5352 ssl_hmac_update(&hm,buf,2);
5353
5354 if (is_cid && ssl->session.deprecated_cid) {
5355 /* hash cid */
5356 ssl_hmac_update(&hm,cid,cidl);
5357
5358 /* hash cid length */
5359 buf[0] = cidl;
5360 ssl_hmac_update(&hm,buf,1);
5361 }
5362 }
5363
5364 /* data length and data */
5365 temp = g_htons(datalen);
5366 memcpy(buf, &temp, 2);
5367 ssl_hmac_update(&hm,buf,2);
5368 ssl_hmac_update(&hm,data,datalen);
5369
5370 /* get digest and digest len */
5371 len = sizeof(buf);
5372 ssl_hmac_final(&hm,buf,&len);
5373 ssl_hmac_cleanup(&hm);
5374 ssl_print_data("Mac", buf, len);
5375 if(memcmp(mac,buf,len))
5376 return -1;
5377
5378 return 0;
5379 }
5380 /* Decryption integrity check }}} */
5381
5382
5383 static bool
5384 tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
5385 uint8_t ct, uint16_t record_version,
5386 bool ignore_mac_failed,
5387 const unsigned char *in, uint16_t inl,
5388 const unsigned char *cid, uint8_t cidl,
5389 StringInfo *out_str, unsigned *outl)
5390 {
5391 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5392 * GenericAEADCipher: { nonce_explicit, [content] }
5393 * In TLS 1.3 this explicit nonce is gone.
5394 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5395 * ciphertext and authentication tag.
5396 */
5397 const uint16_t version = ssl->session.version;
5398 const bool is_v12 = version == TLSV1DOT2_VERSION || version == DTLSV1DOT2_VERSION || version == TLCPV1_VERSION;
5399 gcry_error_t err;
5400 const unsigned char *explicit_nonce = NULL, *ciphertext;
5401 unsigned ciphertext_len, auth_tag_len;
5402 unsigned char nonce[12];
5403 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5404 const bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION;
5405 const uint8_t draft_version = ssl->session.tls13_draft_version;
5406 const unsigned char *auth_tag_wire;
5407 unsigned char auth_tag_calc[16];
5408 unsigned char *aad = NULL;
5409 unsigned aad_len = 0;
5410
5411 switch (cipher_mode) {
5412 case MODE_GCM:
5413 case MODE_CCM:
5414 case MODE_POLY1305:
5415 auth_tag_len = 16;
5416 break;
5417 case MODE_CCM_8:
5418 auth_tag_len = 8;
5419 break;
5420 default:
5421 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC);
5422 return false;
5423 }
5424
5425 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5426 if (is_v12 && cipher_mode != MODE_POLY1305) {
5427 if (inl < EXPLICIT_NONCE_LEN + auth_tag_len) {
5428 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5429 G_STRFUNC, inl, EXPLICIT_NONCE_LEN, auth_tag_len);
5430 return false;
5431 }
5432 explicit_nonce = in;
5433 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN;
5434 ciphertext_len = inl - EXPLICIT_NONCE_LEN - auth_tag_len;
5435 } else if (version == TLSV1DOT3_VERSION || version == DTLSV1DOT3_VERSION || cipher_mode == MODE_POLY1305) {
5436 if (inl < auth_tag_len) {
5437 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC, inl, auth_tag_len);
5438 return false;
5439 }
5440 ciphertext = in;
5441 ciphertext_len = inl - auth_tag_len;
5442 } else {
5443 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC, version);
5444 return false;
5445 }
5446 auth_tag_wire = ciphertext + ciphertext_len;
5447
5448 /*
5449 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5450 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5451 */
5452 if (is_v12 && cipher_mode != MODE_POLY1305) {
5453 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN);
5454 /* Implicit (4) and explicit (8) part of nonce. */
5455 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN);
5456 memcpy(nonce + IMPLICIT_NONCE_LEN, explicit_nonce, EXPLICIT_NONCE_LEN);
5457
5458 } else if (version == TLSV1DOT3_VERSION || version == DTLSV1DOT3_VERSION || cipher_mode == MODE_POLY1305) {
5459 /*
5460 * Technically the nonce length must be at least 8 bytes, but for
5461 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5462 */
5463 const unsigned nonce_len = 12;
5464 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len);
5465 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5466 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5467 phton64(nonce + nonce_len - 8, pntoh64(nonce + nonce_len - 8) ^ decoder->seq);
5468 ssl_debug_printf("%s seq %" PRIu64 "\n", G_STRFUNC, decoder->seq);
5469 }
5470
5471 /* Set nonce and additional authentication data */
5472 gcry_cipher_reset(decoder->evp);
5473 ssl_print_data("nonce", nonce, 12);
5474 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5475 if (err) {
5476 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC, gcry_strerror(err));
5477 return false;
5478 }
5479
5480 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5481 if (is_cid) { /* if connection ID */
5482 if (ssl->session.deprecated_cid) {
5483 aad_len = 14 + cidl;
5484 aad = wmem_alloc(wmem_packet_scope(), aad_len);
5485 phton64(aad, decoder->seq); /* record sequence number */
5486 phton16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5487 aad[8] = ct; /* TLSCompressed.type */
5488 phton16(aad + 9, record_version); /* TLSCompressed.version */
5489 memcpy(aad + 11, cid, cidl); /* cid */
5490 aad[11 + cidl] = cidl; /* cid_length */
5491 phton16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5492 } else {
5493 aad_len = 23 + cidl;
5494 aad = wmem_alloc(wmem_packet_scope(), aad_len);
5495 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5496 aad[8] = ct; /* TLSCompressed.type */
5497 aad[9] = cidl; /* cid_length */
5498 aad[10] = ct; /* TLSCompressed.type */
5499 phton16(aad + 11, record_version); /* TLSCompressed.version */
5500 phton64(aad + 13, decoder->seq); /* record sequence number */
5501 phton16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5502 memcpy(aad + 21, cid, cidl); /* cid */
5503 phton16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5504 }
5505 } else if (is_v12) {
5506 aad_len = 13;
5507 aad = wmem_alloc(wmem_packet_scope(), aad_len);
5508 phton64(aad, decoder->seq); /* record sequence number */
5509 if (version == DTLSV1DOT2_VERSION) {
5510 phton16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5511 }
5512 aad[8] = ct; /* TLSCompressed.type */
5513 phton16(aad + 9, record_version); /* TLSCompressed.version */
5514 phton16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5515 } else if (version == DTLSV1DOT3_VERSION) {
5516 aad_len = decoder->dtls13_aad.data_len;
5517 aad = decoder->dtls13_aad.data;
5518 } else if (draft_version >= 25 || draft_version == 0) {
5519 aad_len = 5;
5520 aad = wmem_alloc(wmem_packet_scope(), aad_len);
5521 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5522 phton16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5523 phton16(aad + 3, inl); /* TLSCiphertext.length */
5524 }
5525
5526 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5527 /* size of plaintext, additional authenticated data and auth tag. */
5528 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5529
5530 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5531 }
5532
5533 if (aad && aad_len > 0) {
5534 ssl_print_data("AAD", aad, aad_len);
5535 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5536 if (err) {
5537 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC, gcry_strerror(err));
5538 return false;
5539 }
5540 }
5541
5542 /* Decrypt now that nonce and AAD are set. */
5543 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5544 if (err) {
5545 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC, gcry_strerror(err));
5546 return false;
5547 }
5548
5549 /* Check authentication tag for authenticity (replaces MAC) */
5550 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5551 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5552 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5553 } else {
5554 if (err) {
5555 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC, gcry_strerror(err));
5556 } else {
5557 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC);
5558 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5559 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5560 }
5561 if (ignore_mac_failed) {
5562 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC);
5563 } else {
5564 return false;
5565 }
5566 }
5567
5568 /*
5569 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5570 * after successful authentication to ensure that early data is skipped when
5571 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5572 */
5573 if (version == TLSV1DOT2_VERSION || version == TLSV1DOT3_VERSION || version == TLCPV1_VERSION) {
5574 decoder->seq++;
5575 }
5576
5577 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5578 *outl = ciphertext_len;
5579 return true;
5580 }
5581
5582 /* Record decryption glue based on security parameters {{{ */
5583 /* Assume that we are called only for a non-NULL decoder which also means that
5584 * we have a non-NULL decoder->cipher_suite. */
5585 int
5586 ssl_decrypt_record(SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
5587 bool ignore_mac_failed,
5588 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
5589 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
5590 {
5591 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
5592 uint8_t *mac = NULL, *mac_frag = NULL;
5593
5594 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
5595 ssl_print_data("Ciphertext",in, inl);
5596
5597 if (((ssl->session.version == TLSV1DOT3_VERSION || ssl->session.version == DTLSV1DOT3_VERSION))
5598 != (decoder->cipher_suite->kex == KEX_TLS13)) {
5599 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC);
5600 return -1;
5601 }
5602
5603 /* ensure we have enough storage space for decrypted data */
5604 if (inl > out_str->data_len)
5605 {
5606 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
5607 inl + 32, out_str->data_len);
5608 ssl_data_realloc(out_str, inl + 32);
5609 }
5610
5611 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
5612 * a separate MAC, so use a different routine for simplicity. */
5613 if (decoder->cipher_suite->mode == MODE_GCM ||
5614 decoder->cipher_suite->mode == MODE_CCM ||
5615 decoder->cipher_suite->mode == MODE_CCM_8 ||
5616 decoder->cipher_suite->mode == MODE_POLY1305 ||
5617 ssl->session.version == TLSV1DOT3_VERSION ||
5618 ssl->session.version == DTLSV1DOT3_VERSION) {
5619
5620 if (!tls_decrypt_aead_record(ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
5621 /* decryption failed */
5622 return -1;
5623 }
5624
5625 goto skip_mac;
5626 }
5627
5628 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
5629 * (notation: { unencrypted, [ encrypted ] })
5630 * GenericStreamCipher: { [content, mac] }
5631 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
5632 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
5633 * GenericAEADCipher: { nonce_explicit, [content] }
5634 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
5635 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
5636 */
5637
5638 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;
5639
5640 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
5641 if (decoder->cipher_suite->mode == MODE_CBC) {
5642 unsigned blocksize = 0;
5643
5644 switch (ssl->session.version) {
5645 case TLSV1DOT1_VERSION:
5646 case TLSV1DOT2_VERSION:
5647 case DTLSV1DOT0_VERSION:
5648 case DTLSV1DOT2_VERSION:
5649 case DTLSV1DOT3_VERSION:
5650 case DTLSV1DOT0_OPENSSL_VERSION:
5651 case TLCPV1_VERSION:
5652 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
5653 if (inl < blocksize) {
5654 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
5655 inl, blocksize);
5656 return -1;
5657 }
5658 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
5659 if (pad != 0) {
5660 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
5661 gcry_strsource (pad), gcry_strerror (pad));
5662 }
5663
5664 inl -= blocksize;
5665 in += blocksize;
5666 break;
5667 }
5668
5669 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5670 if (ssl->state & SSL_ENCRYPT_THEN_MAC) {
5671 /*
5672 * MAC is calculated over (IV + ) ENCRYPTED contents:
5673 *
5674 * MAC(MAC_write_key, ... +
5675 * IV + // for TLS 1.1 or greater
5676 * TLSCiphertext.enc_content);
5677 */
5678 if (inl < maclen) {
5679 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5680 G_STRFUNC, inl, maclen);
5681 return -1;
5682 }
5683 inl -= maclen;
5684 mac = (uint8_t *)in + inl;
5685 mac_frag = (uint8_t *)in - blocksize;
5686 mac_fraglen = blocksize + inl;
5687 }
5688 }
5689
5690 /* First decrypt*/
5691 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
5692 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
5693 gcry_strerror (pad));
5694 return -1;
5695 }
5696
5697 ssl_print_data("Plaintext", out_str->data, inl);
5698 worklen=inl;
5699
5700
5701 /* strip padding for GenericBlockCipher */
5702 if (decoder->cipher_suite->mode == MODE_CBC) {
5703 if (inl < 1) { /* Should this check happen earlier? */
5704 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
5705 return -1;
5706 }
5707 pad=out_str->data[inl-1];
5708 if (worklen <= pad) {
5709 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5710 pad, worklen);
5711 return -1;
5712 }
5713 worklen-=(pad+1);
5714 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5715 pad, worklen);
5716 }
5717
5718 /* MAC for GenericStreamCipher and GenericBlockCipher.
5719 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5720 if (!mac) {
5721 /*
5722 * MAC is calculated over the DECRYPTED contents:
5723 *
5724 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5725 */
5726 if (worklen < maclen) {
5727 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC, *outl, worklen);
5728 return -1;
5729 }
5730 worklen -= maclen;
5731 mac = out_str->data + worklen;
5732 mac_frag = out_str->data;
5733 mac_fraglen = worklen;
5734 }
5735
5736 /* If NULL encryption active and no keys are available, do not bother
5737 * checking the MAC. We do not have keys for that. */
5738 if (decoder->cipher_suite->mode == MODE_STREAM &&
5739 decoder->cipher_suite->enc == ENC_NULL &&
5740 !(ssl->state & SSL_MASTER_SECRET)) {
5741 ssl_debug_printf("MAC check skipped due to missing keys\n");
5742 goto skip_mac;
5743 }
5744
5745 /* Now check the MAC */
5746 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64 ")\n",
5747 worklen, ssl->session.version, ct, decoder->seq);
5748 if(ssl->session.version==SSLV3_VERSION){
5749 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
5750 if(ignore_mac_failed) {
5751 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5752 }
5753 else{
5754 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5755 return -1;
5756 }
5757 }
5758 else{
5759 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5760 }
5761 }
5762 else if(ssl->session.version==TLSV1_VERSION || ssl->session.version==TLSV1DOT1_VERSION || ssl->session.version==TLSV1DOT2_VERSION || ssl->session.version==TLCPV1_VERSION){
5763 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
5764 if(ignore_mac_failed) {
5765 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5766 }
5767 else{
5768 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5769 return -1;
5770 }
5771 }
5772 else{
5773 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5774 }
5775 }
5776 else if(ssl->session.version==DTLSV1DOT0_VERSION ||
5777 ssl->session.version==DTLSV1DOT2_VERSION ||
5778 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION){
5779 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5780 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
5781 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5782 }
5783 else if(tls_check_mac(decoder,ct,TLSV1_VERSION,mac_frag,mac_fraglen,mac)>= 0) {
5784 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5785 }
5786 else if(ignore_mac_failed) {
5787 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5788 }
5789 else{
5790 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5791 return -1;
5792 }
5793 }
5794 skip_mac:
5795
5796 *outl = worklen;
5797
5798 if (decoder->compression > 0) {
5799 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
5800 ssl_data_copy(comp_str, out_str);
5801 ssl_print_data("Plaintext compressed", comp_str->data, worklen);
5802 if (!decoder->decomp) {
5803 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
5804 return -1;
5805 }
5806 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
5807 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
5808 *outl = uncomplen;
5809 }
5810
5811 return 0;
5812 }
5813 /* Record decryption glue based on security parameters }}} */
5814
5815
5816
5817 #ifdef HAVE_LIBGNUTLS
5818
5819 /* RSA private key file processing {{{ */
5820 static void
5821 ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
5822 gnutls_datum_t *subjectPublicKeyInfo)
5823 {
5824 gnutls_pubkey_t pubkey = NULL;
5825 cert_key_id_t key_id;
5826 size_t key_id_len = sizeof(key_id);
5827 int r;
5828
5829 if (!subjectPublicKeyInfo->size) {
5830 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC);
5831 return;
5832 }
5833
5834 r = gnutls_pubkey_init(&pubkey);
5835 if (r < 0) {
5836 ssl_debug_printf("%s: failed to init pubkey: %s\n",
5837 G_STRFUNC, gnutls_strerror(r));
5838 return;
5839 }
5840
5841 r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
5842 if (r < 0) {
5843 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
5844 G_STRFUNC, gnutls_strerror(r));
5845 goto end;
5846 }
5847
5848 if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) != GNUTLS_PK_RSA) {
5849 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC);
5850 goto end;
5851 }
5852
5853 /* Generate a 20-byte SHA-1 hash. */
5854 r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
5855 if (r < 0) {
5856 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
5857 G_STRFUNC, gnutls_strerror(r));
5858 goto end;
5859 }
5860
5861 if (key_id_len != sizeof(key_id)) {
5862 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
5863 G_STRFUNC, sizeof(key_id), key_id_len);
5864 goto end;
5865 }
5866
5867 ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
5868 ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t);
5869 *ssl->cert_key_id = key_id;
5870
5871 end:
5872 gnutls_pubkey_deinit(pubkey);
5873 }
5874
5875 /* RSA private key file processing }}} */
5876 #endif /* HAVE_LIBGNUTLS */
5877
5878 /*--- Start of dissector-related code below ---*/
5879
5880 /* get ssl data for this session. if no ssl data is found allocate a new one*/
5881 SslDecryptSession *
5882 ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle)
5883 {
5884 void *conv_data;
5885 SslDecryptSession *ssl_session;
5886 int proto_ssl;
5887
5888 proto_ssl = dissector_handle_get_protocol_index(tls_handle);
5889 conv_data = conversation_get_proto_data(conversation, proto_ssl);
5890 if (conv_data != NULL)
5891 return (SslDecryptSession *)conv_data;
5892
5893 /* no previous SSL conversation info, initialize it. */
5894 ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession);
5895
5896 /* data_len is the part that is meaningful, not the allocated length */
5897 ssl_session->master_secret.data_len = 0;
5898 ssl_session->master_secret.data = ssl_session->_master_secret;
5899 ssl_session->session_id.data_len = 0;
5900 ssl_session->session_id.data = ssl_session->_session_id;
5901 ssl_session->client_random.data_len = 0;
5902 ssl_session->client_random.data = ssl_session->_client_random;
5903 ssl_session->server_random.data_len = 0;
5904 ssl_session->server_random.data = ssl_session->_server_random;
5905 ssl_session->session_ticket.data_len = 0;
5906 ssl_session->session_ticket.data = NULL; /* will be re-alloced as needed */
5907 ssl_session->server_data_for_iv.data_len = 0;
5908 ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
5909 ssl_session->client_data_for_iv.data_len = 0;
5910 ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
5911 ssl_session->app_data_segment.data = NULL;
5912 ssl_session->app_data_segment.data_len = 0;
5913 ssl_session->handshake_data.data=NULL;
5914 ssl_session->handshake_data.data_len=0;
5915
5916 /* Initialize parameters which are not necessary specific to decryption. */
5917 ssl_session->session.version = SSL_VER_UNKNOWN;
5918 clear_address(&ssl_session->session.srv_addr);
5919 ssl_session->session.srv_ptype = PT_NONE;
5920 ssl_session->session.srv_port = 0;
5921 ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
5922 ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
5923
5924 conversation_add_proto_data(conversation, proto_ssl, ssl_session);
5925 return ssl_session;
5926 }
5927
5928 void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool is_client)
5929 {
5930 if (ssl) {
5931 /* Ensure that secrets are not restored using stale identifiers. Split
5932 * between client and server in case the packets somehow got out of order. */
5933 int clear_flags = SSL_HAVE_SESSION_KEY | SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET;
5934
5935 if (is_client) {
5936 clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET;
5937 ssl->session_id.data_len = 0;
5938 ssl->session_ticket.data_len = 0;
5939 ssl->master_secret.data_len = 0;
5940 ssl->client_random.data_len = 0;
5941 ssl->has_early_data = false;
5942 if (ssl->handshake_data.data_len > 0) {
5943 // The EMS handshake hash starts with at the Client Hello,
5944 // ensure that any messages before it are forgotten.
5945 wmem_free(wmem_file_scope(), ssl->handshake_data.data);
5946 ssl->handshake_data.data = NULL;
5947 ssl->handshake_data.data_len = 0;
5948 }
5949 } else {
5950 clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET | SSL_NEW_SESSION_TICKET;
5951 ssl->server_random.data_len = 0;
5952 ssl->pre_master_secret.data_len = 0;
5953 #ifdef HAVE_LIBGNUTLS
5954 ssl->cert_key_id = NULL;
5955 #endif
5956 ssl->psk.data_len = 0;
5957 }
5958
5959 if (ssl->state & clear_flags) {
5960 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
5961 G_STRFUNC, ssl->state & clear_flags, is_client ? "client" : "server");
5962 ssl->state &= ~clear_flags;
5963 }
5964 }
5965
5966 /* These flags might be used for non-decryption purposes and may affect the
5967 * dissection, so reset them as well. */
5968 if (is_client) {
5969 session->client_cert_type = 0;
5970 } else {
5971 session->compression = 0;
5972 session->server_cert_type = 0;
5973 /* session->is_session_resumed is already handled in the ServerHello dissection. */
5974 }
5975 session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
5976 session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
5977 }
5978
5979 void
5980 tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
5981 dissector_handle_t app_handle)
5982 {
5983 conversation_t *conversation;
5984 SslSession *session;
5985
5986 /* Ignore if the TLS or other dissector is disabled. */
5987 if (!tls_handle || !app_handle)
5988 return;
5989
5990 conversation = find_or_create_conversation(pinfo);
5991 session = &ssl_get_session(conversation, tls_handle)->session;
5992 session->app_handle = app_handle;
5993 }
5994
5995 static uint32_t
5996 ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
5997 dissector_handle_t app_handle, uint32_t last_nontls_frame)
5998 {
5999 conversation_t *conversation;
6000 SslSession *session;
6001
6002 /* Ignore if the TLS dissector is disabled. */
6003 if (!tls_handle)
6004 return 0;
6005 /* The caller should always pass a valid handle to its own dissector. */
6006 DISSECTOR_ASSERT(app_handle);
6007
6008 conversation = find_or_create_conversation(pinfo);
6009 session = &ssl_get_session(conversation, tls_handle)->session;
6010
6011 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC,
6012 session->last_nontls_frame,
6013 (void *)session->app_handle,
6014 dissector_handle_get_dissector_name(session->app_handle));
6015 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC,
6016 pinfo->num, (void *)app_handle,
6017 dissector_handle_get_dissector_name(app_handle));
6018
6019 /* Do not switch again if a dissector did it before. */
6020 if (session->last_nontls_frame) {
6021 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC);
6022 return session->last_nontls_frame;
6023 }
6024
6025 session->app_handle = app_handle;
6026 /* The TLS dissector should be called first for this conversation. */
6027 conversation_set_dissector(conversation, tls_handle);
6028 /* TLS starts after this frame. */
6029 session->last_nontls_frame = last_nontls_frame;
6030 return 0;
6031 }
6032
6033 /* ssl_starttls_ack: mark future frames as encrypted. */
6034 uint32_t
6035 ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6036 dissector_handle_t app_handle)
6037 {
6038 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);
6039 }
6040
6041 uint32_t
6042 ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6043 dissector_handle_t app_handle)
6044 {
6045 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);
6046 }
6047
6048 dissector_handle_t
6049 ssl_find_appdata_dissector(const char *name)
6050 {
6051 /* Accept 'http' for backwards compatibility and sanity. */
6052 if (!strcmp(name, "http"))
6053 name = "http-over-tls";
6054 /* XXX - Should this check to see if the dissector is actually added for
6055 * Decode As in the appropriate table?
6056 */
6057 return find_dissector(name);
6058 }
6059
6060 /* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
6061 static int
6062 ssl_equal (const void *v, const void *v2)
6063 {
6064 const StringInfo *val1;
6065 const StringInfo *val2;
6066 val1 = (const StringInfo *)v;
6067 val2 = (const StringInfo *)v2;
6068
6069 if (val1->data_len == val2->data_len &&
6070 !memcmp(val1->data, val2->data, val2->data_len)) {
6071 return 1;
6072 }
6073 return 0;
6074 }
6075
6076 static unsigned
6077 ssl_hash (const void *v)
6078 {
6079 unsigned l,hash;
6080 const StringInfo* id;
6081 const unsigned* cur;
6082 hash = 0;
6083 id = (const StringInfo*) v;
6084
6085 /* id and id->data are mallocated in ssl_save_master_key(). As such 'data'
6086 * should be aligned for any kind of access (for example as a unsigned as
6087 * is done below). The intermediate void* cast is to prevent "cast
6088 * increases required alignment of target type" warnings on CPUs (such
6089 * as SPARCs) that do not allow misaligned memory accesses.
6090 */
6091 cur = (const unsigned*)(void*) id->data;
6092
6093 for (l=4; (l < id->data_len); l+=4, cur++)
6094 hash = hash ^ (*cur);
6095
6096 return hash;
6097 }
6098 /* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6099
6100 /* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6101 void
6102 ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool tcp)
6103 {
6104 DISSECTOR_ASSERT(main_handle);
6105 DISSECTOR_ASSERT(subdissector_handle);
6106 /* Registration is required for Export PDU feature to work properly. */
6107 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),
6108 "SSL appdata dissectors must register with register_dissector()!");
6109 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);
6110
6111 if (port) {
6112 dissector_add_uint(dissector_table_name, port, subdissector_handle);
6113 if (tcp)
6114 dissector_add_uint("tcp.port", port, main_handle);
6115 else
6116 dissector_add_uint("udp.port", port, main_handle);
6117 dissector_add_uint("sctp.port", port, main_handle);
6118 } else {
6119 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
6120 }
6121 }
6122
6123 void
6124 ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool tcp)
6125 {
6126 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
6127 tcp?"TCP":"UDP", port, (void *)subdissector_handle);
6128 if (main_handle) {
6129 dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);
6130 dissector_delete_uint("sctp.port", port, main_handle);
6131 }
6132
6133 if (port) {
6134 dissector_delete_uint(dissector_table_name, port, subdissector_handle);
6135 }
6136 }
6137
6138 void
6139 ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
6140 {
6141 copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
6142 session->srv_ptype = ptype;
6143 session->srv_port = port;
6144 }
6145
6146 int
6147 ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
6148 {
6149 int ret;
6150 if (session && session->srv_addr.type != AT_NONE) {
6151 ret = (session->srv_ptype == pinfo->ptype) &&
6152 (session->srv_port == pinfo->srcport) &&
6153 addresses_equal(&session->srv_addr, &pinfo->src);
6154 } else {
6155 ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);
6156 }
6157
6158 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");
6159 return ret;
6160 }
6161 /* Handling of association between tls/dtls ports and clear text protocol. }}} */
6162
6163
6164 /* Links SSL records with the real packet data. {{{ */
6165 SslPacketInfo *
6166 tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
6167 {
6168 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6169 if (!pi) {
6170 pi = wmem_new0(wmem_file_scope(), SslPacketInfo);
6171 pi->srcport = pinfo->srcport;
6172 pi->destport = pinfo->destport;
6173 p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
6174 }
6175
6176 return pi;
6177 }
6178
6179 /**
6180 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
6181 * avoid the need for a decoder in the second pass. Additionally, it remembers
6182 * sequence numbers (for reassembly and Follow TLS Stream).
6183 *
6184 * @param proto The protocol identifier (proto_ssl or proto_dtls).
6185 * @param pinfo The packet where the record originates from.
6186 * @param data Decrypted data to store in the record.
6187 * @param data_len Length of decrypted record data.
6188 * @param record_id The identifier for this record within the current packet.
6189 * @param flow Information about sequence numbers, etc.
6190 * @param type TLS Content Type (such as handshake or application_data).
6191 * @param curr_layer_num_ssl The layer identifier for this TLS session.
6192 */
6193 void
6194 ssl_add_record_info(int proto, packet_info *pinfo, const unsigned char *data, int data_len, int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl)
6195 {
6196 SslRecordInfo* rec, **prec;
6197 SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);
6198
6199 rec = wmem_new(wmem_file_scope(), SslRecordInfo);
6200 rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), data, data_len);
6201 rec->data_len = data_len;
6202 rec->id = record_id;
6203 rec->type = type;
6204 rec->next = NULL;
6205
6206 if (flow && type == SSL_ID_APP_DATA) {
6207 rec->seq = flow->byte_seq;
6208 rec->flow = flow;
6209 flow->byte_seq += data_len;
6210 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
6211 G_STRFUNC, rec->seq, rec->seq + data_len, (void*)flow);
6212 }
6213
6214 /* Remember decrypted records. */
6215 prec = &pi->records;
6216 while (*prec) prec = &(*prec)->next;
6217 *prec = rec;
6218 }
6219
6220 /* search in packet data for the specified id; return a newly created tvb for the associated data */
6221 tvbuff_t*
6222 ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
6223 {
6224 SslRecordInfo* rec;
6225 SslPacketInfo* pi;
6226 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6227
6228 if (!pi)
6229 return NULL;
6230
6231 for (rec = pi->records; rec; rec = rec->next)
6232 if (rec->id == record_id) {
6233 *matched_record = rec;
6234 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
6235 return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->data_len, rec->data_len);
6236 }
6237
6238 return NULL;
6239 }
6240 /* Links SSL records with the real packet data. }}} */
6241
6242 /* initialize/reset per capture state data (ssl sessions cache). {{{ */
6243 void
6244 ssl_common_init(ssl_master_key_map_t *mk_map,
6245 StringInfo *decrypted_data, StringInfo *compressed_data)
6246 {
6247 mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);
6248 mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);
6249 mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);
6250 mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);
6251 mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);
6252 mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);
6253 mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6254 mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6255 mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6256 mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6257 mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6258 mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6259
6260 mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);
6261
6262 ssl_data_alloc(decrypted_data, 32);
6263 ssl_data_alloc(compressed_data, 32);
6264 }
6265
6266 void
6267 ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
6268 StringInfo *decrypted_data, StringInfo *compressed_data)
6269 {
6270 g_hash_table_destroy(mk_map->session);
6271 g_hash_table_destroy(mk_map->tickets);
6272 g_hash_table_destroy(mk_map->crandom);
6273 g_hash_table_destroy(mk_map->pre_master);
6274 g_hash_table_destroy(mk_map->pms);
6275 g_hash_table_destroy(mk_map->tls13_client_early);
6276 g_hash_table_destroy(mk_map->tls13_client_handshake);
6277 g_hash_table_destroy(mk_map->tls13_server_handshake);
6278 g_hash_table_destroy(mk_map->tls13_client_appdata);
6279 g_hash_table_destroy(mk_map->tls13_server_appdata);
6280 g_hash_table_destroy(mk_map->tls13_early_exporter);
6281 g_hash_table_destroy(mk_map->tls13_exporter);
6282
6283 g_hash_table_destroy(mk_map->used_crandom);
6284
6285 g_free(decrypted_data->data);
6286 g_free(compressed_data->data);
6287
6288 /* close the previous keylog file now that the cache are cleared, this
6289 * allows the cache to be filled with the full keylog file contents. */
6290 if (*ssl_keylog_file) {
6291 fclose(*ssl_keylog_file);
6292 *ssl_keylog_file = NULL;
6293 }
6294 }
6295 /* }}} */
6296
6297 /* parse ssl related preferences (private keys and ports association strings) */
6298 #if defined(HAVE_LIBGNUTLS)
6299 /* Load a single RSA key file item from preferences. {{{ */
6300 void
6301 ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool tcp)
6302 {
6303 gnutls_x509_privkey_t x509_priv_key;
6304 gnutls_privkey_t priv_key = NULL;
6305 FILE* fp = NULL;
6306 int ret;
6307 size_t key_id_len = 20;
6308 unsigned char *key_id = NULL;
6309 char *err = NULL;
6310 dissector_handle_t handle;
6311 /* try to load keys file first */
6312 fp = ws_fopen(uats->keyfile, "rb");
6313 if (!fp) {
6314 report_open_failure(uats->keyfile, errno, false);
6315 return;
6316 }
6317
6318 if ((int)strlen(uats->password) == 0) {
6319 x509_priv_key = rsa_load_pem_key(fp, &err);
6320 } else {
6321 x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
6322 }
6323 fclose(fp);
6324
6325 if (!x509_priv_key) {
6326 if (err) {
6327 report_failure("Can't load private key from %s: %s",
6328 uats->keyfile, err);
6329 g_free(err);
6330 } else
6331 report_failure("Can't load private key from %s: unknown error",
6332 uats->keyfile);
6333 return;
6334 }
6335 if (err) {
6336 report_failure("Load of private key from %s \"succeeded\" with error %s",
6337 uats->keyfile, err);
6338 g_free(err);
6339 }
6340
6341 gnutls_privkey_init(&priv_key);
6342 ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
6343 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
6344 if (ret < 0) {
6345 report_failure("Can't convert private key %s: %s",
6346 uats->keyfile, gnutls_strerror(ret));
6347 goto end;
6348 }
6349
6350 key_id = (unsigned char *) g_malloc0(key_id_len);
6351 ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
6352 if (ret < 0) {
6353 report_failure("Can't calculate public key ID for %s: %s",
6354 uats->keyfile, gnutls_strerror(ret));
6355 goto end;
6356 }
6357 ssl_print_data("KeyID", key_id, key_id_len);
6358 if (key_id_len != 20) {
6359 report_failure("Expected Key ID size %u for %s, got %zu", 20,
6360 uats->keyfile, key_id_len);
6361 goto end;
6362 }
6363
6364 g_hash_table_replace(key_hash, key_id, priv_key);
6365 key_id = NULL; /* used in key_hash, do not free. */
6366 priv_key = NULL;
6367 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);
6368
6369 handle = ssl_find_appdata_dissector(uats->protocol);
6370 if (handle) {
6371 /* Port to subprotocol mapping */
6372 uint16_t port = 0;
6373 if (ws_strtou16(uats->port, NULL, &port)) {
6374 if (port > 0) {
6375 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
6376 port, uats->keyfile, uats->password);
6377
6378 ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
6379 }
6380 } else {
6381 if (strcmp(uats->port, "start_tls"))
6382 ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
6383 }
6384 }
6385
6386 end:
6387 gnutls_x509_privkey_deinit(x509_priv_key);
6388 gnutls_privkey_deinit(priv_key);
6389 g_free(key_id);
6390 }
6391 /* }}} */
6392 #endif
6393
6394
6395 /* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6396 /** store a known (pre-)master secret into cache */
6397 static void
6398 ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
6399 StringInfo *mk)
6400 {
6401 StringInfo *ht_key, *master_secret;
6402
6403 if (key->data_len == 0) {
6404 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC, label);
6405 return;
6406 }
6407
6408 if (mk->data_len == 0) {
6409 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
6410 G_STRFUNC, label);
6411 return;
6412 }
6413
6414 /* ssl_hash() depends on session_ticket->data being aligned for unsigned access
6415 * so be careful in changing how it is allocated. */
6416 ht_key = ssl_data_clone(key);
6417 master_secret = ssl_data_clone(mk);
6418 g_hash_table_insert(ht, ht_key, master_secret);
6419
6420 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC, label);
6421 ssl_print_string("stored key", ht_key);
6422 ssl_print_string("stored (pre-)master secret", master_secret);
6423 }
6424
6425 /** restore a (pre-)master secret given some key in the cache */
6426 static bool
6427 ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
6428 bool is_pre_master, GHashTable *ht, StringInfo *key)
6429 {
6430 StringInfo *ms;
6431
6432 if (key->data_len == 0) {
6433 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
6434 G_STRFUNC, is_pre_master ? "pre-" : "", label);
6435 return false;
6436 }
6437
6438 ms = (StringInfo *)g_hash_table_lookup(ht, key);
6439 if (!ms) {
6440 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC,
6441 is_pre_master ? "pre-" : "", label);
6442 return false;
6443 }
6444
6445 /* (pre)master secret found, clear knowledge of other keys and set it in the
6446 * current conversation */
6447 ssl->state &= ~(SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET |
6448 SSL_HAVE_SESSION_KEY);
6449 if (is_pre_master) {
6450 /* unlike master secret, pre-master secret has a variable size (48 for
6451 * RSA, varying for PSK) and is therefore not statically allocated */
6452 ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
6453 ms->data_len);
6454 ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
6455 ssl->state |= SSL_PRE_MASTER_SECRET;
6456 } else {
6457 ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
6458 ssl->state |= SSL_MASTER_SECRET;
6459 }
6460 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC,
6461 is_pre_master ? "pre-" : "", label);
6462 ssl_print_string(label, key);
6463 ssl_print_string("(pre-)master secret", ms);
6464 return true;
6465 }
6466 /* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6467
6468 /* Should be called when all parameters are ready (after ChangeCipherSpec), and
6469 * the decoder should be attempted to be initialized. {{{*/
6470 void
6471 ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6472 {
6473 if (ssl->session.version == TLSV1DOT3_VERSION) {
6474 /* TLS 1.3 implementations only provide secrets derived from the master
6475 * secret which are loaded in tls13_change_key. No master secrets can be
6476 * loaded here, so just return. */
6477 return;
6478 }
6479 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC, ssl->state);
6480 if (ssl->state & SSL_HAVE_SESSION_KEY) {
6481 ssl_debug_printf(" session key already available, nothing to do.\n");
6482 return;
6483 }
6484 if (!(ssl->state & SSL_CIPHER)) {
6485 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
6486 return;
6487 }
6488
6489 /* for decryption, there needs to be a master secret (which can be derived
6490 * from pre-master secret). If missing, try to pick a master key from cache
6491 * (an earlier packet in the capture or key logfile). */
6492 if (!(ssl->state & (SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET)) &&
6493 !ssl_restore_master_key(ssl, "Session ID", false,
6494 mk_map->session, &ssl->session_id) &&
6495 (!ssl->session.is_session_resumed ||
6496 !ssl_restore_master_key(ssl, "Session Ticket", false,
6497 mk_map->tickets, &ssl->session_ticket)) &&
6498 !ssl_restore_master_key(ssl, "Client Random", false,
6499 mk_map->crandom, &ssl->client_random)) {
6500 if (ssl->cipher_suite->enc != ENC_NULL) {
6501 /* how unfortunate, the master secret could not be found */
6502 ssl_debug_printf(" Cannot find master secret\n");
6503 return;
6504 } else {
6505 ssl_debug_printf(" Cannot find master secret, continuing anyway "
6506 "because of a NULL cipher\n");
6507 }
6508 }
6509
6510 if (ssl_generate_keyring_material(ssl) < 0) {
6511 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC);
6512 return;
6513 }
6514 /* Save Client Random/ Session ID for "SSL Export Session keys" */
6515 ssl_save_master_key("Client Random", mk_map->crandom,
6516 &ssl->client_random, &ssl->master_secret);
6517 ssl_save_master_key("Session ID", mk_map->session,
6518 &ssl->session_id, &ssl->master_secret);
6519 /* Only save the new secrets if the server sent the ticket. The client
6520 * ticket might have become stale. */
6521 if (ssl->state & SSL_NEW_SESSION_TICKET) {
6522 ssl_save_master_key("Session Ticket", mk_map->tickets,
6523 &ssl->session_ticket, &ssl->master_secret);
6524 }
6525 } /* }}} */
6526
6527 /* Load the traffic key secret from the keylog file. */
6528 StringInfo *
6529 tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6530 bool is_from_server, TLSRecordType type)
6531 {
6532 GHashTable *key_map;
6533 const char *label;
6534
6535 if (ssl->session.version != TLSV1DOT3_VERSION && ssl->session.version != DTLSV1DOT3_VERSION) {
6536 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC, ssl->session.version);
6537 return NULL;
6538 }
6539
6540 if (ssl->client_random.data_len == 0) {
6541 /* May happen if Hello message is missing and Finished is found. */
6542 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC);
6543 return NULL;
6544 }
6545
6546 switch (type) {
6547 case TLS_SECRET_0RTT_APP:
6548 DISSECTOR_ASSERT(!is_from_server);
6549 label = "CLIENT_EARLY_TRAFFIC_SECRET";
6550 key_map = mk_map->tls13_client_early;
6551 break;
6552 case TLS_SECRET_HANDSHAKE:
6553 if (is_from_server) {
6554 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
6555 key_map = mk_map->tls13_server_handshake;
6556 } else {
6557 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
6558 key_map = mk_map->tls13_client_handshake;
6559 }
6560 break;
6561 case TLS_SECRET_APP:
6562 if (is_from_server) {
6563 label = "SERVER_TRAFFIC_SECRET_0";
6564 key_map = mk_map->tls13_server_appdata;
6565 } else {
6566 label = "CLIENT_TRAFFIC_SECRET_0";
6567 key_map = mk_map->tls13_client_appdata;
6568 }
6569 break;
6570 default:
6571 ws_assert_not_reached();
6572 }
6573
6574 /* Transitioning to new keys, mark old ones as unusable. */
6575 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC, ssl->state);
6576 ssl->state &= ~(SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET | SSL_HAVE_SESSION_KEY);
6577
6578 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
6579 if (!secret) {
6580 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC, label);
6581 /* Disable decryption, the keys are invalid. */
6582 if (is_from_server) {
6583 ssl->server = NULL;
6584 } else {
6585 ssl->client = NULL;
6586 }
6587 return NULL;
6588 }
6589
6590 /* TLS 1.3 secret found, set new keys. */
6591 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC);
6592 ssl_print_string("Client Random", &ssl->client_random);
6593 ssl_print_string(label, secret);
6594 return secret;
6595 }
6596
6597 /* Load the new key. */
6598 void
6599 tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6600 bool is_from_server, TLSRecordType type)
6601 {
6602 if (ssl->state & SSL_QUIC_RECORD_LAYER) {
6603 /*
6604 * QUIC does not use the TLS record layer for message protection.
6605 * The required keys will be extracted later by QUIC.
6606 */
6607 return;
6608 }
6609
6610 StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6611 if (!secret) {
6612 return;
6613 }
6614
6615 if (tls13_generate_keys(ssl, secret, is_from_server)) {
6616 /*
6617 * Remember the application traffic secret to support Key Update. The
6618 * other secrets cannot be used for this purpose, so free them.
6619 */
6620 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6621 StringInfo *app_secret = &decoder->app_traffic_secret;
6622 if (type == TLS_SECRET_APP) {
6623 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6624 app_secret->data,
6625 secret->data_len);
6626 ssl_data_set(app_secret, secret->data, secret->data_len);
6627 } else {
6628 wmem_free(wmem_file_scope(), app_secret->data);
6629 app_secret->data = NULL;
6630 app_secret->data_len = 0;
6631 }
6632 }
6633 }
6634
6635 /**
6636 * Update to next application data traffic secret for TLS 1.3. The previous
6637 * secret should have been set by tls13_change_key.
6638 */
6639 void
6640 tls13_key_update(SslDecryptSession *ssl, bool is_from_server)
6641 {
6642 /* RFC 8446 Section 7.2:
6643 * application_traffic_secret_N+1 =
6644 * HKDF-Expand-Label(application_traffic_secret_N,
6645 * "traffic upd", "", Hash.length)
6646 *
6647 * Both application_traffic_secret_N are of the same length (Hash.length).
6648 */
6649 const SslCipherSuite *cipher_suite = ssl->cipher_suite;
6650 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6651 StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL;
6652 uint8_t tls13_draft_version = ssl->session.tls13_draft_version;
6653
6654 if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
6655 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC);
6656 return;
6657 }
6658
6659 /*
6660 * Previous traffic secret is available, so find the hash function,
6661 * expand the new traffic secret and generate new keys.
6662 */
6663 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
6664 int hash_algo = ssl_get_digest_by_name(hash_name);
6665 const unsigned hash_len = app_secret->data_len;
6666 unsigned char *new_secret;
6667 const char *label = "traffic upd";
6668 if (tls13_draft_version && tls13_draft_version < 20) {
6669 label = "application traffic secret";
6670 }
6671 if (!tls13_hkdf_expand_label(hash_algo, app_secret,
6672 tls13_hkdf_label_prefix(ssl),
6673 label, hash_len, &new_secret)) {
6674 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC);
6675 return;
6676 }
6677 ssl_data_set(app_secret, new_secret, hash_len);
6678 if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
6679 /*
6680 * Remember the application traffic secret on the new decoder to
6681 * support another Key Update.
6682 */
6683 decoder = is_from_server ? ssl->server : ssl->client;
6684 app_secret = &decoder->app_traffic_secret;
6685 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6686 app_secret->data,
6687 hash_len);
6688 ssl_data_set(app_secret, new_secret, hash_len);
6689 }
6690 wmem_free(NULL, new_secret);
6691 }
6692
6693 void
6694 tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6695 {
6696 if (ssl && (ssl->state & SSL_CLIENT_RANDOM)) {
6697 g_hash_table_add(mk_map->used_crandom, &ssl->client_random);
6698 }
6699 }
6700
6701 /** SSL keylog file handling. {{{ */
6702
6703 static GRegex *
6704 ssl_compile_keyfile_regex(void)
6705 {
6706 #define OCTET "(?:[[:xdigit:]]{2})"
6707 const char *pattern =
6708 "(?:"
6709 /* Matches Client Hellos having this Client Random */
6710 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
6711 /* Matches first part of encrypted RSA pre-master secret */
6712 "|RSA (?<encrypted_pmk>" OCTET "{8}) "
6713 /* Pre-Master-Secret is given, it is 48 bytes for RSA,
6714 but it can be of any length for DHE */
6715 ")(?<pms>" OCTET "+)"
6716 "|(?:"
6717 /* Matches Server Hellos having a Session ID */
6718 "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
6719 /* Matches Client Hellos having this Client Random */
6720 "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
6721 /* Master-Secret is given, its length is fixed */
6722 ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH) "})"
6723 "|(?"
6724 /* TLS 1.3 Client Random to Derived Secrets mapping. */
6725 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
6726 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
6727 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
6728 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
6729 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
6730 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
6731 "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
6732 ") (?<derived_secret>" OCTET "+)";
6733 #undef OCTET
6734 static GRegex *regex = NULL;
6735 GError *gerr = NULL;
6736
6737 if (!regex) {
6738 regex = g_regex_new(pattern,
6739 (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
6740 G_REGEX_MATCH_ANCHORED, &gerr);
6741 if (gerr) {
6742 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC,
6743 gerr->message);
6744 g_error_free(gerr);
6745 regex = NULL;
6746 }
6747 }
6748
6749 return regex;
6750 }
6751
6752 typedef struct ssl_master_key_match_group {
6753 const char *re_group_name;
6754 GHashTable *master_key_ht;
6755 } ssl_master_key_match_group_t;
6756
6757 void
6758 tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
6759 {
6760 ssl_master_key_match_group_t mk_groups[] = {
6761 { "encrypted_pmk", mk_map->pre_master },
6762 { "session_id", mk_map->session },
6763 { "client_random", mk_map->crandom },
6764 { "client_random_pms", mk_map->pms },
6765 /* TLS 1.3 map from Client Random to derived secret. */
6766 { "client_early", mk_map->tls13_client_early },
6767 { "client_handshake", mk_map->tls13_client_handshake },
6768 { "server_handshake", mk_map->tls13_server_handshake },
6769 { "client_appdata", mk_map->tls13_client_appdata },
6770 { "server_appdata", mk_map->tls13_server_appdata },
6771 { "early_exporter", mk_map->tls13_early_exporter },
6772 { "exporter", mk_map->tls13_exporter },
6773 };
6774
6775 /* The format of the file is a series of records with one of the following formats:
6776 * - "RSA xxxx yyyy"
6777 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
6778 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6779 * (this is the original format introduced with bug 4349)
6780 *
6781 * - "RSA Session-ID:xxxx Master-Key:yyyy"
6782 * Where xxxx is the SSL session ID (hex-encoded)
6783 * Where yyyy is the cleartext master secret (hex-encoded)
6784 * (added to support openssl s_client Master-Key output)
6785 * This is somewhat is a misnomer because there's nothing RSA specific
6786 * about this.
6787 *
6788 * - "PMS_CLIENT_RANDOM xxxx yyyy"
6789 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6790 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6791 * (This format allows SSL connections to be decrypted, if a user can
6792 * capture the PMS but could not recover the MS for a specific session
6793 * with a SSL Server.)
6794 *
6795 * - "CLIENT_RANDOM xxxx yyyy"
6796 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6797 * Where yyyy is the cleartext master secret (hex-encoded)
6798 * (This format allows non-RSA SSL connections to be decrypted, i.e.
6799 * ECDHE-RSA.)
6800 *
6801 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
6802 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
6803 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
6804 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
6805 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
6806 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
6807 * - "EXPORTER_SECRET xxxx yyyy"
6808 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6809 * Where yyyy is the secret (hex-encoded) derived from the early,
6810 * handshake or master secrets. (This format is introduced with TLS 1.3
6811 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
6812 */
6813 GRegex *regex = ssl_compile_keyfile_regex();
6814 if (!regex)
6815 return;
6816
6817 const char *next_line = (const char *)data;
6818 const char *line_end = next_line + datalen;
6819 while (next_line && next_line < line_end) {
6820 const char *line = next_line;
6821 next_line = (const char *)memchr(line, '\n', line_end - line);
6822 ssize_t linelen;
6823
6824 if (next_line) {
6825 linelen = next_line - line;
6826 next_line++; /* drop LF */
6827 } else {
6828 linelen = (ssize_t)(line_end - line);
6829 }
6830 if (linelen > 0 && line[linelen - 1] == '\r') {
6831 linelen--; /* drop CR */
6832 }
6833
6834 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
6835 GMatchInfo *mi;
6836 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL)) {
6837 char *hex_key, *hex_pre_ms_or_ms;
6838 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo);
6839 StringInfo *pre_ms_or_ms = NULL;
6840 GHashTable *ht = NULL;
6841
6842 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
6843 * otherwise we will use the Master Secret
6844 */
6845 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
6846 if (hex_pre_ms_or_ms == NULL || !*hex_pre_ms_or_ms) {
6847 g_free(hex_pre_ms_or_ms);
6848 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
6849 }
6850 if (hex_pre_ms_or_ms == NULL || !*hex_pre_ms_or_ms) {
6851 g_free(hex_pre_ms_or_ms);
6852 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
6853 }
6854 /* There is always a match, otherwise the regex is wrong. */
6855 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms));
6856
6857 /* convert from hex to bytes and save to hashtable */
6858 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo);
6859 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
6860 g_free(hex_pre_ms_or_ms);
6861
6862 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
6863 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups); i++) {
6864 ssl_master_key_match_group_t *g = &mk_groups[i];
6865 hex_key = g_match_info_fetch_named(mi, g->re_group_name);
6866 if (hex_key && *hex_key) {
6867 ssl_debug_printf(" matched %s\n", g->re_group_name);
6868 ht = g->master_key_ht;
6869 from_hex(key, hex_key, strlen(hex_key));
6870 g_free(hex_key);
6871 break;
6872 }
6873 g_free(hex_key);
6874 }
6875 DISSECTOR_ASSERT(ht); /* Cannot be reached, or regex is wrong. */
6876
6877 g_hash_table_insert(ht, key, pre_ms_or_ms);
6878
6879 } else if (linelen > 0 && line[0] != '#') {
6880 ssl_debug_printf(" unrecognized line\n");
6881 }
6882 /* always free match info even if there is no match. */
6883 g_match_info_free(mi);
6884 }
6885 }
6886
6887 void
6888 ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
6889 const ssl_master_key_map_t *mk_map)
6890 {
6891 /* no need to try if no key log file is configured. */
6892 if (!tls_keylog_filename || !*tls_keylog_filename) {
6893 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
6894 G_STRFUNC);
6895 return;
6896 }
6897
6898 /* Validate regexes before even trying to use it. */
6899 if (!ssl_compile_keyfile_regex()) {
6900 return;
6901 }
6902
6903 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);
6904
6905 /* if the keylog file was deleted/overwritten, re-open it */
6906 if (*keylog_file && file_needs_reopen(ws_fileno(*keylog_file), tls_keylog_filename)) {
6907 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC);
6908 fclose(*keylog_file);
6909 *keylog_file = NULL;
6910 }
6911
6912 if (*keylog_file == NULL) {
6913 *keylog_file = ws_fopen(tls_keylog_filename, "r");
6914 if (!*keylog_file) {
6915 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC);
6916 return;
6917 }
6918 }
6919
6920 for (;;) {
6921 char buf[1110], *line;
6922 line = fgets(buf, sizeof(buf), *keylog_file);
6923 if (!line) {
6924 if (feof(*keylog_file)) {
6925 /* Ensure that newly appended keys can be read in the future. */
6926 clearerr(*keylog_file);
6927 } else if (ferror(*keylog_file)) {
6928 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC);
6929 fclose(*keylog_file);
6930 *keylog_file = NULL;
6931 }
6932 break;
6933 }
6934 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
6935 }
6936 }
6937 /** SSL keylog file handling. }}} */
6938
6939 #ifdef SSL_DECRYPT_DEBUG /* {{{ */
6940
6941 static FILE* ssl_debug_file;
6942
6943 void
6944 ssl_set_debug(const char* name)
6945 {
6946 static int debug_file_must_be_closed;
6947 int use_stderr;
6948
6949 use_stderr = name?(strcmp(name, SSL_DEBUG_USE_STDERR) == 0):0;
6950
6951 if (debug_file_must_be_closed)
6952 fclose(ssl_debug_file);
6953
6954 if (use_stderr)
6955 ssl_debug_file = stderr;
6956 else if (!name || (strcmp(name, "") ==0))
6957 ssl_debug_file = NULL;
6958 else
6959 ssl_debug_file = ws_fopen(name, "w");
6960
6961 if (!use_stderr && ssl_debug_file)
6962 debug_file_must_be_closed = 1;
6963 else
6964 debug_file_must_be_closed = 0;
6965
6966 ssl_debug_printf("Wireshark SSL debug log \n\n");
6967 #ifdef HAVE_LIBGNUTLS
6968 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL));
6969 #endif
6970 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL));
6971 ssl_debug_printf("\n");
6972 }
6973
6974 void
6975 ssl_debug_flush(void)
6976 {
6977 if (ssl_debug_file)
6978 fflush(ssl_debug_file);
6979 }
6980
6981 void
6982 ssl_debug_printf(const char* fmt, ...)
6983 {
6984 va_list ap;
6985
6986 if (!ssl_debug_file)
6987 return;
6988
6989 va_start(ap, fmt);
6990 vfprintf(ssl_debug_file, fmt, ap);
6991 va_end(ap);
6992 }
6993
6994 void
6995 ssl_print_data(const char* name, const unsigned char* data, size_t len)
6996 {
6997 size_t i, j, k;
6998 if (!ssl_debug_file)
6999 return;
7000 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
7001 for (i=0; i<len; i+=16) {
7002 fprintf(ssl_debug_file,"| ");
7003 for (j=i, k=0; k<16 && j<len; ++j, ++k)
7004 fprintf(ssl_debug_file,"%.2x ",data[j]);
7005 for (; k<16; ++k)
7006 fprintf(ssl_debug_file," ");
7007 fputc('|', ssl_debug_file);
7008 for (j=i, k=0; k<16 && j<len; ++j, ++k) {
7009 unsigned char c = data[j];
7010 if (!g_ascii_isprint(c) || (c=='\t')) c = '.';
7011 fputc(c, ssl_debug_file);
7012 }
7013 for (; k<16; ++k)
7014 fputc(' ', ssl_debug_file);
7015 fprintf(ssl_debug_file,"|\n");
7016 }
7017 }
7018
7019 void
7020 ssl_print_string(const char* name, const StringInfo* data)
7021 {
7022 ssl_print_data(name, data->data, data->data_len);
7023 }
7024 #endif /* SSL_DECRYPT_DEBUG }}} */
7025
7026 /* UAT preferences callbacks. {{{ */
7027 /* checks for SSL and DTLS UAT key list fields */
7028
7029 bool
7030 ssldecrypt_uat_fld_ip_chk_cb(void* r _U_, const char* p _U_, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, char** err)
7031 {
7032 // This should be removed in favor of Decode As. Make it optional.
7033 *err = NULL;
7034 return true;
7035 }
7036
7037 bool
7038 ssldecrypt_uat_fld_port_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, char** err)
7039 {
7040 if (!p || strlen(p) == 0u) {
7041 // This should be removed in favor of Decode As. Make it optional.
7042 *err = NULL;
7043 return true;
7044 }
7045
7046 if (strcmp(p, "start_tls") != 0){
7047 uint16_t port;
7048 if (!ws_strtou16(p, NULL, &port)) {
7049 *err = g_strdup("Invalid port given.");
7050 return false;
7051 }
7052 }
7053
7054 *err = NULL;
7055 return true;
7056 }
7057
7058 bool
7059 ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, char** err)
7060 {
7061 ws_statb64 st;
7062
7063 if (!p || strlen(p) == 0u) {
7064 *err = g_strdup("No filename given.");
7065 return false;
7066 } else {
7067 if (ws_stat64(p, &st) != 0) {
7068 *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p);
7069 return false;
7070 }
7071 }
7072
7073 *err = NULL;
7074 return true;
7075 }
7076
7077 bool
7078 ssldecrypt_uat_fld_password_chk_cb(void *r _U_, const char *p _U_, unsigned len _U_, const void *u1 _U_, const void *u2 _U_, char **err)
7079 {
7080 #if defined(HAVE_LIBGNUTLS)
7081 ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;
7082 FILE *fp = NULL;
7083
7084 if (p && (strlen(p) > 0u)) {
7085 fp = ws_fopen(f->keyfile, "rb");
7086 if (fp) {
7087 char *msg = NULL;
7088 gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
7089 if (!priv_key) {
7090 fclose(fp);
7091 *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg);
7092 g_free(msg);
7093 return false;
7094 }
7095 g_free(msg);
7096 gnutls_x509_privkey_deinit(priv_key);
7097 fclose(fp);
7098 } else {
7099 *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.");
7100 return false;
7101 }
7102 }
7103
7104 *err = NULL;
7105 return true;
7106 #else
7107 *err = g_strdup("Cannot load key files, support is not compiled in.");
7108 return false;
7109 #endif
7110 }
7111 /* UAT preferences callbacks. }}} */
7112
7113 /** maximum size of ssl_association_info() string */
7114 #define SSL_ASSOC_MAX_LEN 8192
7115
7116 typedef struct ssl_association_info_callback_data
7117 {
7118 char *str;
7119 const char *table_protocol;
7120 } ssl_association_info_callback_data_t;
7121
7122 /**
7123 * callback function used by ssl_association_info() to traverse the SSL associations.
7124 */
7125 static void
7126 ssl_association_info_(const char *table _U_, void *handle, void *user_data)
7127 {
7128 ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;
7129 const int l = (const int)strlen(data->str);
7130 snprintf(data->str+l, SSL_ASSOC_MAX_LEN-l, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t)handle), dissector_handle_get_description((dissector_handle_t)handle));
7131 }
7132
7133 /**
7134 * @return an information string on the SSL protocol associations. The string must be freed.
7135 */
7136 char*
7137 ssl_association_info(const char* dissector_table_name, const char* table_protocol)
7138 {
7139 ssl_association_info_callback_data_t data;
7140
7141 data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN);
7142 data.table_protocol = table_protocol;
7143 dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
7144 return data.str;
7145 }
7146
7147
7148 /** Begin of code related to dissection of wire data. */
7149
7150 /* Helpers for dissecting Variable-Length Vectors. {{{ */
7151 bool
7152 ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7153 unsigned offset, unsigned offset_end, uint32_t *ret_length,
7154 int hf_length, uint32_t min_value, uint32_t max_value)
7155 {
7156 unsigned veclen_size;
7157 uint32_t veclen_value;
7158 proto_item *pi;
7159
7160 DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value);
7161 if (offset > offset_end) {
7162 expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
7163 "Vector offset is past buffer end offset (%u > %u)",
7164 offset, offset_end);
7165 *ret_length = 0;
7166 return false; /* Cannot read length. */
7167 }
7168
7169 if (max_value > 0xffffff) {
7170 veclen_size = 4;
7171 } else if (max_value > 0xffff) {
7172 veclen_size = 3;
7173 } else if (max_value > 0xff) {
7174 veclen_size = 2;
7175 } else {
7176 veclen_size = 1;
7177 }
7178
7179 if (offset_end - offset < veclen_size) {
7180 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7181 tvb, offset, offset_end - offset,
7182 "No more room for vector of length %u",
7183 veclen_size);
7184 *ret_length = 0;
7185 return false; /* Cannot read length. */
7186 }
7187
7188 pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN, &veclen_value);
7189 offset += veclen_size;
7190
7191 if (veclen_value < min_value) {
7192 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7193 "Vector length %u is smaller than minimum %u",
7194 veclen_value, min_value);
7195 } else if (veclen_value > max_value) {
7196 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7197 "Vector length %u is larger than maximum %u",
7198 veclen_value, max_value);
7199 }
7200
7201 if (offset_end - offset < veclen_value) {
7202 expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
7203 "Vector length %u is too large, truncating it to %u",
7204 veclen_value, offset_end - offset);
7205 *ret_length = offset_end - offset;
7206 return false; /* Length is truncated to avoid overflow. */
7207 }
7208
7209 *ret_length = veclen_value;
7210 return true; /* Length is OK. */
7211 }
7212
7213 bool
7214 ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7215 unsigned offset, unsigned offset_end)
7216 {
7217 if (offset < offset_end) {
7218 unsigned trailing = offset_end - offset;
7219 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
7220 tvb, offset, trailing,
7221 "%u trailing byte%s unprocessed",
7222 trailing, plurality(trailing, " was", "s were"));
7223 return false; /* unprocessed data warning */
7224 } else if (offset > offset_end) {
7225 /*
7226 * Returned offset runs past the end. This should not happen and is
7227 * possibly a dissector bug.
7228 */
7229 unsigned excess = offset - offset_end;
7230 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7231 tvb, offset_end, excess,
7232 "Dissector processed too much data (%u byte%s)",
7233 excess, plurality(excess, "", "s"));
7234 return false; /* overflow error */
7235 }
7236
7237 return true; /* OK, offset matches. */
7238 }
7239 /** }}} */
7240
7241
7242 static uint32_t
7243 ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7244 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7245 uint16_t version, int hf_sig_len, int hf_sig);
7246
7247 /* change_cipher_spec(20) dissection */
7248 void
7249 ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7250 packet_info *pinfo, proto_tree *tree,
7251 uint32_t offset, SslSession *session,
7252 bool is_from_server,
7253 const SslDecryptSession *ssl)
7254 {
7255 /*
7256 * struct {
7257 * enum { change_cipher_spec(1), (255) } type;
7258 * } ChangeCipherSpec;
7259 */
7260 proto_item *ti;
7261 proto_item_set_text(tree,
7262 "%s Record Layer: %s Protocol: Change Cipher Spec",
7263 val_to_str_const(session->version, ssl_version_short_names, "SSL"),
7264 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
7265 ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA);
7266
7267 if (session->version == TLSV1DOT3_VERSION) {
7268 /* CCS is a dummy message in TLS 1.3, do not parse it further. */
7269 return;
7270 }
7271
7272 /* Remember frame number of first CCS */
7273 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
7274 if (*ccs_frame == 0)
7275 *ccs_frame = pinfo->num;
7276
7277 /* Use heuristics to detect an abbreviated handshake, assume that missing
7278 * ServerHelloDone implies reusing previously negotiating keys. Then when
7279 * a Session ID or ticket is present, it must be a resumed session.
7280 * Normally this should be done at the Finished message, but that may be
7281 * encrypted so we do it here, at the last cleartext message. */
7282 if (is_from_server && ssl) {
7283 if (session->is_session_resumed) {
7284 const char *resumed = NULL;
7285 if (ssl->session_ticket.data_len) {
7286 resumed = "Session Ticket";
7287 } else if (ssl->session_id.data_len) {
7288 resumed = "Session ID";
7289 }
7290 if (resumed) {
7291 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC, resumed);
7292 } else {
7293 /* Can happen if the capture somehow starts in the middle */
7294 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC);
7295 }
7296 } else {
7297 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC);
7298 }
7299 }
7300 if (is_from_server && session->is_session_resumed)
7301 expert_add_info(pinfo, ti, &hf->ei.resumed);
7302 }
7303
7304 /** Begin of handshake(22) record dissections */
7305
7306 /* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
7307 * {{{ */
7308 static void
7309 tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
7310 {
7311 uint32_t sighash, hashalg, sigalg;
7312 proto_item *ti_sigalg;
7313 proto_tree *sigalg_tree;
7314
7315 ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
7316 offset, 2, ENC_BIG_ENDIAN, &sighash);
7317 if (ja4_data) {
7318 wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash));
7319 }
7320
7321 sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);
7322
7323 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
7324 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,
7325 offset, 1, ENC_BIG_ENDIAN, &hashalg);
7326 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,
7327 offset + 1, 1, ENC_BIG_ENDIAN, &sigalg);
7328
7329 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
7330 if (!try_val_to_str(sighash, tls13_signature_algorithm)) {
7331 proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",
7332 val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),
7333 val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),
7334 sighash);
7335 }
7336 } /* }}} */
7337
7338 /* dissect a list of hash algorithms, return the number of bytes dissected
7339 this is used for the signature algorithms extension and for the
7340 TLS1.2 certificate request. {{{ */
7341 static int
7342 ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
7343 packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7344 {
7345 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
7346 * struct {
7347 * HashAlgorithm hash;
7348 * SignatureAlgorithm signature;
7349 * } SignatureAndHashAlgorithm;
7350 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
7351 */
7352 proto_tree *subtree;
7353 proto_item *ti;
7354 unsigned sh_alg_length;
7355 uint32_t next_offset;
7356
7357 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
7358 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
7359 hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX - 1)) {
7360 return offset_end;
7361 }
7362 offset += 2;
7363 next_offset = offset + sh_alg_length;
7364
7365 ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
7366 "Signature Hash Algorithms (%u algorithm%s)",
7367 sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s"));
7368 subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);
7369
7370 while (offset + 2 <= next_offset) {
7371 tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
7372 offset += 2;
7373 }
7374
7375 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
7376 offset = next_offset;
7377 }
7378
7379 return offset;
7380 } /* }}} */
7381
7382 /* Dissection of DistinguishedName (for CertificateRequest and
7383 * certificate_authorities extension). {{{ */
7384 static uint32_t
7385 tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7386 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7387 {
7388 proto_item *ti;
7389 proto_tree *subtree;
7390 uint32_t dnames_length, next_offset;
7391 asn1_ctx_t asn1_ctx;
7392 int dnames_count = 100; /* the maximum number of DNs to add to the tree */
7393
7394 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
7395 /* DistinguishedName certificate_authorities<0..2^16-1> */
7396 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
7397 hf->hf.hs_dnames_len, 0, UINT16_MAX)) {
7398 return offset_end;
7399 }
7400 offset += 2;
7401 next_offset = offset + dnames_length;
7402
7403 if (dnames_length > 0) {
7404 ti = proto_tree_add_none_format(tree,
7405 hf->hf.hs_dnames,
7406 tvb, offset, dnames_length,
7407 "Distinguished Names (%d byte%s)",
7408 dnames_length,
7409 plurality(dnames_length, "", "s"));
7410 subtree = proto_item_add_subtree(ti, hf->ett.dnames);
7411
7412 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);
7413
7414 while (offset < next_offset) {
7415 /* get the length of the current certificate */
7416 uint32_t name_length;
7417
7418 if (dnames_count-- == 0) {
7419 /* stop adding to tree when the list is considered too large
7420 * https://gitlab.com/wireshark/wireshark/-/issues/16202
7421 Note: dnames_count must be set low enough not to hit the
7422 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
7423 */
7424 ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
7425 tvb, offset, next_offset - offset, ENC_NA);
7426 proto_item_set_generated(ti);
7427 return next_offset;
7428 }
7429
7430 /* opaque DistinguishedName<1..2^16-1> */
7431 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
7432 hf->hf.hs_dname_len, 1, UINT16_MAX)) {
7433 return next_offset;
7434 }
7435 offset += 2;
7436
7437 dissect_x509if_DistinguishedName(false, tvb, offset, &asn1_ctx,
7438 subtree, hf->hf.hs_dname);
7439 offset += name_length;
7440 }
7441 }
7442 return offset;
7443 } /* }}} */
7444
7445
7446 /** TLS Extensions (in Client Hello and Server Hello). {{{ */
7447 static int
7448 ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7449 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7450 {
7451 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
7452 }
7453
7454 static int
7455 ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7456 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
7457 {
7458 if (hnd_type == SSL_HND_CLIENT_HELLO) {
7459 /*
7460 * struct {
7461 * SignatureScheme supported_signature_algorithm<2..2^16-2>;
7462 * } SignatureSchemeList;
7463 */
7464
7465 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL);
7466 } else {
7467 asn1_ctx_t asn1_ctx;
7468 unsigned pubkey_length, sign_length;
7469
7470 /*
7471 * struct {
7472 * uint32 valid_time;
7473 * SignatureScheme expected_cert_verify_algorithm;
7474 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
7475 * } Credential;
7476 *
7477 * struct {
7478 * Credential cred;
7479 * SignatureScheme algorithm;
7480 * opaque signature<0..2^16-1>;
7481 * } DelegatedCredential;
7482 */
7483
7484 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);
7485
7486 proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN);
7487 offset += 4;
7488
7489 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL);
7490 offset += 2;
7491
7492 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
7493 hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24)) {
7494 return offset_end;
7495 }
7496 offset += 3;
7497 dissect_x509af_SubjectPublicKeyInfo(false, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
7498 offset += pubkey_length;
7499
7500 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL);
7501 offset += 2;
7502
7503 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
7504 hf->hf.hs_cred_signature_len, 1, UINT16_MAX)) {
7505 return offset_end;
7506 }
7507 offset += 2;
7508 proto_tree_add_item(tree, hf->hf.hs_cred_signature,
7509 tvb, offset, sign_length, ENC_ASCII|ENC_NA);
7510 offset += sign_length;
7511
7512 return offset;
7513 }
7514 }
7515
7516 static int
7517 ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7518 packet_info *pinfo, proto_tree *tree,
7519 uint32_t offset, uint32_t offset_end,
7520 uint8_t hnd_type)
7521 {
7522
7523 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */
7524
7525 switch (hnd_type) {
7526 case SSL_HND_CLIENT_HELLO: {
7527 proto_tree *alps_tree;
7528 proto_item *ti;
7529 uint32_t next_offset, alps_length, name_length;
7530
7531 /*
7532 * opaque ProtocolName<1..2^8-1>;
7533 * struct {
7534 * ProtocolName supported_protocols<2..2^16-1>
7535 * } ApplicationSettingsSupport;
7536 */
7537
7538 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
7539 hf->hf.hs_ext_alps_len, 2, UINT16_MAX)) {
7540 return offset_end;
7541 }
7542 offset += 2;
7543 next_offset = offset + alps_length;
7544
7545 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
7546 tvb, offset, alps_length, ENC_NA);
7547 alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);
7548
7549 /* Parse list (note missing check for end of vector, ssl_add_vector below
7550 * ensures that data is always available.) */
7551 while (offset < next_offset) {
7552 if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
7553 hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX)) {
7554 return next_offset;
7555 }
7556 offset++;
7557
7558 proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
7559 tvb, offset, name_length, ENC_ASCII|ENC_NA);
7560 offset += name_length;
7561 }
7562
7563 return offset;
7564 }
7565 case SSL_HND_ENCRYPTED_EXTS:
7566 /* Opaque blob */
7567 proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
7568 tvb, offset, offset_end - offset, ENC_ASCII|ENC_NA);
7569 break;
7570 }
7571
7572 return offset_end;
7573 }
7574
7575 static int
7576 ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7577 packet_info *pinfo, proto_tree *tree,
7578 uint32_t offset, uint32_t offset_end,
7579 uint8_t hnd_type, SslSession *session,
7580 bool is_dtls, ja4_data_t *ja4_data)
7581 {
7582
7583 /* https://tools.ietf.org/html/rfc7301#section-3.1
7584 * opaque ProtocolName<1..2^8-1>;
7585 * struct {
7586 * ProtocolName protocol_name_list<2..2^16-1>
7587 * } ProtocolNameList;
7588 */
7589 proto_tree *alpn_tree;
7590 proto_item *ti;
7591 uint32_t next_offset, alpn_length, name_length;
7592 uint8_t *proto_name = NULL, *client_proto_name = NULL;
7593
7594 /* ProtocolName protocol_name_list<2..2^16-1> */
7595 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
7596 hf->hf.hs_ext_alpn_len, 2, UINT16_MAX)) {
7597 return offset_end;
7598 }
7599 offset += 2;
7600 next_offset = offset + alpn_length;
7601
7602 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
7603 tvb, offset, alpn_length, ENC_NA);
7604 alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);
7605
7606 /* Parse list (note missing check for end of vector, ssl_add_vector below
7607 * ensures that data is always available.) */
7608 while (offset < next_offset) {
7609 /* opaque ProtocolName<1..2^8-1> */
7610 if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
7611 hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX)) {
7612 return next_offset;
7613 }
7614 offset++;
7615
7616 proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
7617 tvb, offset, name_length, ENC_ASCII|ENC_NA);
7618 if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
7619 const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
7620 const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
7621 if ((g_ascii_isprint(alpn_first_char)) && g_ascii_isprint(alpn_last_char)) {
7622 wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
7623 }
7624 else {
7625 wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
7626 alpn_last_char & 0x0F);
7627 }
7628 }
7629 /* Remember first ALPN ProtocolName entry for server. */
7630 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
7631 /* '\0'-terminated string for dissector table match and prefix
7632 * comparison purposes. */
7633 proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7634 name_length, ENC_ASCII);
7635 } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
7636 client_proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7637 name_length, ENC_ASCII);
7638 }
7639 offset += name_length;
7640 }
7641
7642 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
7643 * exactly one "ProtocolName". */
7644 if (proto_name) {
7645 dissector_handle_t handle;
7646
7647 session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);
7648
7649 if (is_dtls) {
7650 handle = dissector_get_string_handle(dtls_alpn_dissector_table,
7651 proto_name);
7652 } else {
7653 handle = dissector_get_string_handle(ssl_alpn_dissector_table,
7654 proto_name);
7655 if (handle == NULL) {
7656 /* Try prefix matching */
7657 for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols); i++) {
7658 const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];
7659
7660 /* string_string is inappropriate as it compares strings
7661 * while "byte strings MUST NOT be truncated" (RFC 7301) */
7662 if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)) {
7663 handle = find_dissector(alpn_proto->dissector_name);
7664 break;
7665 }
7666 }
7667 }
7668 }
7669 if (handle != NULL) {
7670 /* ProtocolName match, so set the App data dissector handle.
7671 * This may override protocols given via the UAT dialog, but
7672 * since the ALPN hint is precise, do it anyway. */
7673 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC,
7674 (void *)session->app_handle,
7675 (void *)handle,
7676 dissector_handle_get_dissector_name(handle));
7677 session->app_handle = handle;
7678 }
7679 } else if (client_proto_name) {
7680 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
7681 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
7682 session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
7683 }
7684
7685 return offset;
7686 }
7687
7688 static int
7689 ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7690 packet_info *pinfo, proto_tree *tree,
7691 uint32_t offset, uint32_t offset_end)
7692 {
7693 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
7694 * The "extension_data" field of a "next_protocol_negotiation" extension
7695 * in a "ServerHello" contains an optional list of protocols advertised
7696 * by the server. Protocols are named by opaque, non-empty byte strings
7697 * and the list of protocols is serialized as a concatenation of 8-bit,
7698 * length prefixed byte strings. Implementations MUST ensure that the
7699 * empty string is not included and that no byte strings are truncated.
7700 */
7701 uint32_t npn_length;
7702 proto_tree *npn_tree;
7703
7704 /* List is optional, do not add tree if there are no entries. */
7705 if (offset == offset_end) {
7706 return offset;
7707 }
7708
7709 npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL, "Next Protocol Negotiation");
7710
7711 while (offset < offset_end) {
7712 /* non-empty, 8-bit length prefixed strings means range 1..255 */
7713 if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,
7714 hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX)) {
7715 return offset_end;
7716 }
7717 offset++;
7718
7719 proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
7720 tvb, offset, npn_length, ENC_ASCII|ENC_NA);
7721 offset += npn_length;
7722 }
7723
7724 return offset;
7725 }
7726
7727 static int
7728 ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7729 packet_info *pinfo, proto_tree *tree,
7730 uint32_t offset, uint32_t offset_end)
7731 {
7732 /* https://tools.ietf.org/html/rfc5746#section-3.2
7733 * struct {
7734 * opaque renegotiated_connection<0..255>;
7735 * } RenegotiationInfo;
7736 *
7737 */
7738 proto_tree *reneg_info_tree;
7739 uint32_t reneg_info_length;
7740
7741 reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL, "Renegotiation Info extension");
7742
7743 /* opaque renegotiated_connection<0..255> */
7744 if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,
7745 hf->hf.hs_ext_reneg_info_len, 0, 255)) {
7746 return offset_end;
7747 }
7748 offset++;
7749
7750 if (reneg_info_length > 0) {
7751 proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA);
7752 offset += reneg_info_length;
7753 }
7754
7755 return offset;
7756 }
7757
7758 static int
7759 ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7760 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7761 const char **group_name_out)
7762 {
7763 /* RFC 8446 Section 4.2.8
7764 * struct {
7765 * NamedGroup group;
7766 * opaque key_exchange<1..2^16-1>;
7767 * } KeyShareEntry;
7768 */
7769 uint32_t key_exchange_length, group;
7770 proto_tree *ks_tree;
7771
7772 ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL, "Key Share Entry");
7773
7774 proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN, &group);
7775 offset += 2;
7776 const char *group_name = val_to_str(group, ssl_extension_curves, "Unknown (%u)");
7777 proto_item_append_text(ks_tree, ": Group: %s", group_name);
7778 if (group_name_out) {
7779 *group_name_out = !IS_GREASE_TLS(group) ? group_name : NULL;
7780 }
7781
7782 /* opaque key_exchange<1..2^16-1> */
7783 if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
7784 hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX)) {
7785 return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
7786 }
7787 offset += 2;
7788 proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
7789 proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);
7790
7791 proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA);
7792 offset += key_exchange_length;
7793
7794 return offset;
7795 }
7796
7797 static int
7798 ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7799 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7800 uint8_t hnd_type)
7801 {
7802 proto_tree *key_share_tree;
7803 uint32_t next_offset;
7804 uint32_t client_shares_length;
7805 uint32_t group;
7806 const char *group_name = NULL;
7807
7808 if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
7809 return offset;
7810 }
7811
7812 key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL, "Key Share extension");
7813
7814 switch(hnd_type){
7815 case SSL_HND_CLIENT_HELLO:
7816 /* KeyShareEntry client_shares<0..2^16-1> */
7817 if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
7818 hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX)) {
7819 return offset_end;
7820 }
7821 offset += 2;
7822 next_offset = offset + client_shares_length;
7823 const char *sep = " ";
7824 while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
7825 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
7826 if (group_name) {
7827 proto_item_append_text(tree, "%s%s", sep, group_name);
7828 sep = ", ";
7829 }
7830 }
7831 if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
7832 return next_offset;
7833 }
7834 break;
7835 case SSL_HND_SERVER_HELLO:
7836 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
7837 if (group_name) {
7838 proto_item_append_text(tree, " %s", group_name);
7839 }
7840 break;
7841 case SSL_HND_HELLO_RETRY_REQUEST:
7842 proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN, &group);
7843 offset += 2;
7844 group_name = val_to_str(group, ssl_extension_curves, "Unknown (%u)");
7845 proto_item_append_text(tree, " %s", group_name);
7846 break;
7847 default: /* no default */
7848 break;
7849 }
7850
7851 return offset;
7852 }
7853
7854 static int
7855 ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7856 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7857 uint8_t hnd_type)
7858 {
7859 /* RFC 8446 Section 4.2.11
7860 * struct {
7861 * opaque identity<1..2^16-1>;
7862 * uint32 obfuscated_ticket_age;
7863 * } PskIdentity;
7864 * opaque PskBinderEntry<32..255>;
7865 * struct {
7866 * select (Handshake.msg_type) {
7867 * case client_hello:
7868 * PskIdentity identities<7..2^16-1>;
7869 * PskBinderEntry binders<33..2^16-1>;
7870 * case server_hello:
7871 * uint16 selected_identity;
7872 * };
7873 * } PreSharedKeyExtension;
7874 */
7875
7876 proto_tree *psk_tree;
7877
7878 psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL, "Pre-Shared Key extension");
7879
7880 switch (hnd_type){
7881 case SSL_HND_CLIENT_HELLO: {
7882 uint32_t identities_length, identities_end, binders_length;
7883
7884 /* PskIdentity identities<7..2^16-1> */
7885 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
7886 hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX)) {
7887 return offset_end;
7888 }
7889 offset += 2;
7890 identities_end = offset + identities_length;
7891
7892 while (offset < identities_end) {
7893 uint32_t identity_length;
7894 proto_tree *identity_tree;
7895
7896 identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL, "PSK Identity (");
7897
7898 /* opaque identity<1..2^16-1> */
7899 if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
7900 hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX)) {
7901 return identities_end;
7902 }
7903 offset += 2;
7904 proto_item_append_text(identity_tree, "length: %u)", identity_length);
7905
7906 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN);
7907 offset += identity_length;
7908
7909 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN);
7910 offset += 4;
7911
7912 proto_item_set_len(identity_tree, 2 + identity_length + 4);
7913 }
7914 if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
7915 offset = identities_end;
7916 }
7917
7918 /* PskBinderEntry binders<33..2^16-1> */
7919 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
7920 hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX)) {
7921 return offset_end;
7922 }
7923 offset += 2;
7924
7925 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA);
7926 offset += binders_length;
7927 }
7928 break;
7929 case SSL_HND_SERVER_HELLO: {
7930 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN);
7931 offset += 2;
7932 }
7933 break;
7934 default:
7935 break;
7936 }
7937
7938 return offset;
7939 }
7940
7941 static uint32_t
7942 ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U_,
7943 proto_tree *tree, uint32_t offset, uint32_t offset_end _U_,
7944 uint8_t hnd_type, SslDecryptSession *ssl)
7945 {
7946 /* RFC 8446 Section 4.2.10
7947 * struct {} Empty;
7948 * struct {
7949 * select (Handshake.msg_type) {
7950 * case new_session_ticket: uint32 max_early_data_size;
7951 * case client_hello: Empty;
7952 * case encrypted_extensions: Empty;
7953 * };
7954 * } EarlyDataIndication;
7955 */
7956 switch (hnd_type) {
7957 case SSL_HND_CLIENT_HELLO:
7958 /* Remember that early_data will follow the handshake. */
7959 if (ssl) {
7960 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC);
7961 ssl->has_early_data = true;
7962 }
7963 break;
7964 case SSL_HND_NEWSESSION_TICKET:
7965 proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN);
7966 offset += 4;
7967 break;
7968 default:
7969 break;
7970 }
7971 return offset;
7972 }
7973
7974 static uint16_t
7975 tls_try_get_version(bool is_dtls, uint16_t version, uint8_t *draft_version)
7976 {
7977 if (draft_version) {
7978 *draft_version = 0;
7979 }
7980 if (!is_dtls) {
7981 uint8_t tls13_draft = extract_tls13_draft_version(version);
7982 if (tls13_draft != 0) {
7983 /* This is TLS 1.3 (a draft version). */
7984 if (draft_version) {
7985 *draft_version = tls13_draft;
7986 }
7987 version = TLSV1DOT3_VERSION;
7988 }
7989 if (version == 0xfb17 || version == 0xfb1a) {
7990 /* Unofficial TLS 1.3 draft version for Facebook fizz. */
7991 tls13_draft = (uint8_t)version;
7992 if (draft_version) {
7993 *draft_version = tls13_draft;
7994 }
7995 version = TLSV1DOT3_VERSION;
7996 }
7997 }
7998
7999 switch (version) {
8000 case SSLV3_VERSION:
8001 case TLSV1_VERSION:
8002 case TLSV1DOT1_VERSION:
8003 case TLSV1DOT2_VERSION:
8004 case TLSV1DOT3_VERSION:
8005 case TLCPV1_VERSION:
8006 if (is_dtls)
8007 return SSL_VER_UNKNOWN;
8008 break;
8009
8010 case DTLSV1DOT0_VERSION:
8011 case DTLSV1DOT0_OPENSSL_VERSION:
8012 case DTLSV1DOT2_VERSION:
8013 case DTLSV1DOT3_VERSION:
8014 if (!is_dtls)
8015 return SSL_VER_UNKNOWN;
8016 break;
8017
8018 default: /* invalid version number */
8019 return SSL_VER_UNKNOWN;
8020 }
8021
8022 return version;
8023 }
8024
8025 static int
8026 ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8027 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8028 SslSession *session, bool is_dtls, ja4_data_t *ja4_data)
8029 {
8030
8031 /* RFC 8446 Section 4.2.1
8032 * struct {
8033 * ProtocolVersion versions<2..254>; // ClientHello
8034 * } SupportedVersions;
8035 * Note that ServerHello and HelloRetryRequest are handled by the caller.
8036 */
8037 uint32_t versions_length, next_offset;
8038 /* ProtocolVersion versions<2..254> */
8039 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
8040 hf->hf.hs_ext_supported_versions_len, 2, 254)) {
8041 return offset_end;
8042 }
8043 offset++;
8044 next_offset = offset + versions_length;
8045
8046 unsigned version;
8047 unsigned current_version, lowest_version = SSL_VER_UNKNOWN;
8048 uint8_t draft_version, max_draft_version = 0;
8049 const char *sep = " ";
8050 while (offset + 2 <= next_offset) {
8051 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN, &version);
8052 offset += 2;
8053
8054 if (!IS_GREASE_TLS(version)) {
8055 proto_item_append_text(tree, "%s%s", sep, val_to_str(version, ssl_versions, "Unknown (0x%04x)"));
8056 sep = ", ";
8057 }
8058
8059 current_version = tls_try_get_version(is_dtls, version, &draft_version);
8060 if (session->version == SSL_VER_UNKNOWN) {
8061 if (lowest_version == SSL_VER_UNKNOWN) {
8062 lowest_version = current_version;
8063 } else if (current_version != SSL_VER_UNKNOWN) {
8064 if (!is_dtls) {
8065 lowest_version = MIN(lowest_version, current_version);
8066 } else {
8067 lowest_version = MAX(lowest_version, current_version);
8068 }
8069 }
8070 }
8071 max_draft_version = MAX(draft_version, max_draft_version);
8072 if (ja4_data && !IS_GREASE_TLS(version)) {
8073 /* The DTLS version numbers get mapped to "00" for unknown per
8074 * JA4 spec, but if JA4 ever does support DTLS we'll probably
8075 * need to take the MIN instead of MAX here for DTLS.
8076 */
8077 ja4_data->max_version = MAX(version, ja4_data->max_version);
8078 }
8079 }
8080 if (session->version == SSL_VER_UNKNOWN && lowest_version != SSL_VER_UNKNOWN) {
8081 col_set_str(pinfo->cinfo, COL_PROTOCOL,
8082 val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
8083 }
8084 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
8085 offset = next_offset;
8086 }
8087
8088 /* XXX remove this when draft 19 support is dropped,
8089 * this is only required for early data decryption. */
8090 if (max_draft_version) {
8091 session->tls13_draft_version = max_draft_version;
8092 }
8093
8094 return offset;
8095 }
8096
8097 static int
8098 ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8099 packet_info *pinfo, proto_tree *tree,
8100 uint32_t offset, uint32_t offset_end)
8101 {
8102 /* RFC 8446 Section 4.2.2
8103 * struct {
8104 * opaque cookie<1..2^16-1>;
8105 * } Cookie;
8106 */
8107 uint32_t cookie_length;
8108 /* opaque cookie<1..2^16-1> */
8109 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
8110 hf->hf.hs_ext_cookie_len, 1, UINT16_MAX)) {
8111 return offset_end;
8112 }
8113 offset += 2;
8114
8115 proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA);
8116 offset += cookie_length;
8117
8118 return offset;
8119 }
8120
8121 static int
8122 ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8123 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8124 {
8125 /* RFC 8446 Section 4.2.9
8126 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
8127 *
8128 * struct {
8129 * PskKeyExchangeMode ke_modes<1..255>;
8130 * } PskKeyExchangeModes;
8131 */
8132 uint32_t ke_modes_length, next_offset;
8133
8134 /* PskKeyExchangeMode ke_modes<1..255> */
8135 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
8136 hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
8137 return offset_end;
8138 }
8139 offset++;
8140 next_offset = offset + ke_modes_length;
8141
8142 while (offset < next_offset) {
8143 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA);
8144 offset++;
8145 }
8146
8147 return offset;
8148 }
8149
8150 static uint32_t
8151 ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8152 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8153 {
8154 /* RFC 8446 Section 4.2.4
8155 * opaque DistinguishedName<1..2^16-1>;
8156 * struct {
8157 * DistinguishedName authorities<3..2^16-1>;
8158 * } CertificateAuthoritiesExtension;
8159 */
8160 return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
8161 }
8162
8163 static int
8164 ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8165 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8166 {
8167 /* RFC 8446 Section 4.2.5
8168 * struct {
8169 * opaque certificate_extension_oid<1..2^8-1>;
8170 * opaque certificate_extension_values<0..2^16-1>;
8171 * } OIDFilter;
8172 * struct {
8173 * OIDFilter filters<0..2^16-1>;
8174 * } OIDFilterExtension;
8175 */
8176 proto_tree *subtree;
8177 uint32_t filters_length, oid_length, values_length, value_offset;
8178 asn1_ctx_t asn1_ctx;
8179 const char *oid, *name;
8180
8181 /* OIDFilter filters<0..2^16-1> */
8182 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
8183 hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX)) {
8184 return offset_end;
8185 }
8186 offset += 2;
8187 offset_end = offset + filters_length;
8188
8189 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);
8190
8191 while (offset < offset_end) {
8192 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
8193 hf->ett.hs_ext_oid_filter, NULL, "OID Filter");
8194
8195 /* opaque certificate_extension_oid<1..2^8-1> */
8196 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
8197 hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX)) {
8198 return offset_end;
8199 }
8200 offset++;
8201 dissect_ber_object_identifier_str(false, &asn1_ctx, subtree, tvb, offset,
8202 hf->hf.hs_ext_oid_filters_oid, &oid);
8203 offset += oid_length;
8204
8205 /* Append OID to tree label */
8206 name = oid_resolved_from_string(pinfo->pool, oid);
8207 proto_item_append_text(subtree, " (%s)", name ? name : oid);
8208
8209 /* opaque certificate_extension_values<0..2^16-1> */
8210 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
8211 hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX)) {
8212 return offset_end;
8213 }
8214 offset += 2;
8215 proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
8216 if (values_length > 0) {
8217 value_offset = offset;
8218 value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL, NULL, NULL);
8219 value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL, NULL);
8220 call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL);
8221 }
8222 offset += values_length;
8223 }
8224
8225 return offset;
8226 }
8227
8228 static int
8229 ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8230 packet_info *pinfo, proto_tree *tree,
8231 uint32_t offset, uint32_t offset_end)
8232 {
8233 /* https://tools.ietf.org/html/rfc6066#section-3
8234 *
8235 * struct {
8236 * NameType name_type;
8237 * select (name_type) {
8238 * case host_name: HostName;
8239 * } name;
8240 * } ServerName;
8241 *
8242 * enum {
8243 * host_name(0), (255)
8244 * } NameType;
8245 *
8246 * opaque HostName<1..2^16-1>;
8247 *
8248 * struct {
8249 * ServerName server_name_list<1..2^16-1>
8250 * } ServerNameList;
8251 */
8252 proto_tree *server_name_tree;
8253 uint32_t list_length, server_name_length, next_offset;
8254
8255 /* The server SHALL include "server_name" extension with empty data. */
8256 if (offset == offset_end) {
8257 return offset;
8258 }
8259
8260 server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL, "Server Name Indication extension");
8261
8262 /* ServerName server_name_list<1..2^16-1> */
8263 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
8264 hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX)) {
8265 return offset_end;
8266 }
8267 offset += 2;
8268 next_offset = offset + list_length;
8269
8270 while (offset < next_offset) {
8271 uint32_t name_type;
8272 const uint8_t *server_name = NULL;
8273 proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
8274 tvb, offset, 1, ENC_NA, &name_type);
8275 offset++;
8276
8277 /* opaque HostName<1..2^16-1> */
8278 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
8279 hf->hf.hs_ext_server_name_len, 1, UINT16_MAX)) {
8280 return next_offset;
8281 }
8282 offset += 2;
8283
8284 proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
8285 tvb, offset, server_name_length, ENC_ASCII|ENC_NA,
8286 pinfo->pool, &server_name);
8287 offset += server_name_length;
8288 // Each type must only occur once, so we don't check for duplicates.
8289 if (name_type == 0) {
8290 proto_item_append_text(tree, " name=%s", server_name);
8291 col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);
8292
8293 if (gbl_resolv_flags.handshake_sni_addr_resolution) {
8294 // Client Hello: Client (Src) -> Server (Dst)
8295 switch (pinfo->dst.type) {
8296 case AT_IPv4:
8297 if (pinfo->dst.len == sizeof(uint32_t)) {
8298 add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false);
8299 }
8300 break;
8301 case AT_IPv6:
8302 if (pinfo->dst.len == sizeof(ws_in6_addr)) {
8303 add_ipv6_name(pinfo->dst.data, server_name, false);
8304 }
8305 break;
8306 }
8307 }
8308 }
8309 }
8310 return offset;
8311 }
8312
8313 static int
8314 ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8315 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
8316 {
8317 unsigned ext_len = offset_end - offset;
8318 if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
8319 tvb_ensure_bytes_exist(tvb, offset, ext_len);
8320 /* Save the Session Ticket such that it can be used as identifier for
8321 * restoring a previous Master Secret (in ChangeCipherSpec) */
8322 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
8323 ssl->session_ticket.data, ext_len);
8324 ssl->session_ticket.data_len = ext_len;
8325 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
8326 }
8327 proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
8328 tvb, offset, ext_len, ENC_NA);
8329 return offset + ext_len;
8330 }
8331
8332 static int
8333 ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8334 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8335 uint8_t hnd_type, uint16_t ext_type, SslSession *session)
8336 {
8337 uint8_t cert_list_length;
8338 uint8_t cert_type;
8339 proto_tree *cert_list_tree;
8340 proto_item *ti;
8341
8342 switch(hnd_type){
8343 case SSL_HND_CLIENT_HELLO:
8344 cert_list_length = tvb_get_uint8(tvb, offset);
8345 proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
8346 tvb, offset, 1, ENC_BIG_ENDIAN);
8347 offset += 1;
8348 if (offset_end - offset != (uint32_t)cert_list_length)
8349 return offset;
8350
8351 ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
8352 cert_list_length, cert_list_length);
8353 proto_item_append_text(ti, " (%d)", cert_list_length);
8354
8355 /* make this a subtree */
8356 cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);
8357
8358 /* loop over all point formats */
8359 while (cert_list_length > 0)
8360 {
8361 proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN);
8362 offset++;
8363 cert_list_length--;
8364 }
8365 break;
8366 case SSL_HND_SERVER_HELLO:
8367 case SSL_HND_ENCRYPTED_EXTENSIONS:
8368 case SSL_HND_CERTIFICATE:
8369 cert_type = tvb_get_uint8(tvb, offset);
8370 proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN);
8371 offset += 1;
8372 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE) {
8373 session->client_cert_type = cert_type;
8374 }
8375 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE) {
8376 session->server_cert_type = cert_type;
8377 }
8378 break;
8379 default: /* no default */
8380 break;
8381 }
8382
8383 return offset;
8384 }
8385
8386 static uint32_t
8387 ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8388 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8389 uint8_t hnd_type, SslDecryptSession *ssl _U_)
8390 {
8391 uint32_t compress_certificate_algorithms_length, next_offset;
8392
8393 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
8394 * enum {
8395 * zlib(1),
8396 * brotli(2),
8397 * (65535)
8398 * } CertificateCompressionAlgorithm;
8399 *
8400 * struct {
8401 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;
8402 * } CertificateCompressionAlgorithms;
8403 */
8404 switch (hnd_type) {
8405 case SSL_HND_CLIENT_HELLO:
8406 case SSL_HND_CERT_REQUEST:
8407 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
8408 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
8409 hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX-1)) {
8410 return offset_end;
8411 }
8412 offset += 1;
8413 next_offset = offset + compress_certificate_algorithms_length;
8414
8415 while (offset < next_offset) {
8416 proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
8417 tvb, offset, 2, ENC_BIG_ENDIAN);
8418 offset += 2;
8419 }
8420 break;
8421 default:
8422 break;
8423 }
8424
8425 return offset;
8426 }
8427
8428 static uint32_t
8429 ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8430 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8431 uint8_t hnd_type, SslDecryptSession *ssl _U_)
8432 {
8433 uint32_t key_parameters_length, next_offset;
8434 proto_item *p_ti;
8435 proto_tree *p_tree;
8436
8437 /* RFC 8472
8438 *
8439 * struct {
8440 * uint8 major;
8441 * uint8 minor;
8442 * } TB_ProtocolVersion;
8443 *
8444 * enum {
8445 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
8446 * } TokenBindingKeyParameters;
8447 *
8448 * struct {
8449 * TB_ProtocolVersion token_binding_version;
8450 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>
8451 * } TokenBindingParameters;
8452 */
8453
8454 switch (hnd_type) {
8455 case SSL_HND_CLIENT_HELLO:
8456 case SSL_HND_SERVER_HELLO:
8457 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN);
8458 offset += 1;
8459 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN);
8460 offset += 1;
8461
8462 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,
8463 hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX)) {
8464 return offset_end;
8465 }
8466 offset += 1;
8467 next_offset = offset + key_parameters_length;
8468
8469 p_ti = proto_tree_add_none_format(tree,
8470 hf->hf.hs_ext_token_binding_key_parameters,
8471 tvb, offset, key_parameters_length,
8472 "Key parameters identifiers (%d identifier%s)",
8473 key_parameters_length,
8474 plurality(key_parameters_length, "", "s"));
8475 p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);
8476
8477 while (offset < next_offset) {
8478 proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,
8479 tvb, offset, 1, ENC_BIG_ENDIAN);
8480 offset += 1;
8481 }
8482
8483 if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {
8484 offset = next_offset;
8485 }
8486
8487 break;
8488 default:
8489 break;
8490 }
8491
8492 return offset;
8493 }
8494
8495 static uint32_t
8496 ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8497 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8498 uint8_t hnd_type, SslDecryptSession *ssl _U_)
8499 {
8500 bool use_varint_encoding = true; // Whether this is draft -27 or newer.
8501 uint32_t next_offset;
8502
8503 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8504 *
8505 * Note: the following structures are not literally defined in the spec,
8506 * they instead use an ASCII diagram.
8507 *
8508 * struct {
8509 * uint16 id;
8510 * opaque value<0..2^16-1>;
8511 * } TransportParameter; // before draft -27
8512 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8513 *
8514 * struct {
8515 * opaque ipv4Address[4];
8516 * uint16 ipv4Port;
8517 * opaque ipv6Address[16];
8518 * uint16 ipv6Port;
8519 * opaque connectionId<0..18>;
8520 * opaque statelessResetToken[16];
8521 * } PreferredAddress;
8522 */
8523
8524 if (offset_end - offset >= 6 &&
8525 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
8526 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
8527 // Assume encoding of Transport Parameters draft -26 or older with at
8528 // least one transport parameter that has a valid length.
8529 use_varint_encoding = false;
8530 }
8531
8532 if (use_varint_encoding) {
8533 next_offset = offset_end;
8534 } else {
8535 uint32_t quic_length;
8536 // Assume draft -26 or earlier.
8537 /* TransportParameter TransportParameters<0..2^16-1>; */
8538 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
8539 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX)) {
8540 return offset_end;
8541 }
8542 offset += 2;
8543 next_offset = offset + quic_length;
8544 }
8545
8546 while (offset < next_offset) {
8547 uint64_t parameter_type; /* 62-bit space */
8548 uint32_t parameter_length;
8549 proto_tree *parameter_tree;
8550 uint32_t parameter_end_offset;
8551 uint64_t value;
8552 uint32_t len = 0, i;
8553
8554 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
8555 NULL, "Parameter");
8556 /* TransportParameter ID and Length. */
8557 if (use_varint_encoding) {
8558 uint64_t parameter_length64;
8559 uint32_t type_len = 0;
8560
8561 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8562 tvb, offset, -1, ENC_VARINT_QUIC, &parameter_type, &type_len);
8563 offset += type_len;
8564
8565 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
8566 tvb, offset, -1, ENC_VARINT_QUIC, &parameter_length64, &len);
8567 parameter_length = (uint32_t)parameter_length64;
8568 offset += len;
8569
8570 proto_item_set_len(parameter_tree, type_len + len + parameter_length);
8571 } else {
8572 parameter_type = tvb_get_ntohs(tvb, offset);
8573 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8574 tvb, offset, 2, ENC_BIG_ENDIAN);
8575 offset += 2;
8576
8577 /* opaque value<0..2^16-1> */
8578 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
8579 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX)) {
8580 return next_offset;
8581 }
8582 offset += 2;
8583
8584 proto_item_set_len(parameter_tree, 4 + parameter_length);
8585 }
8586
8587 if (IS_GREASE_QUIC(parameter_type)) {
8588 proto_item_append_text(parameter_tree, ": GREASE");
8589 } else {
8590 proto_item_append_text(parameter_tree, ": %s", val64_to_str(parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
8591 }
8592
8593 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
8594 parameter_end_offset = offset + parameter_length;
8595
8596 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
8597 tvb, offset, parameter_length, ENC_NA);
8598
8599 switch (parameter_type) {
8600 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID:
8601 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
8602 tvb, offset, parameter_length, ENC_NA);
8603 offset += parameter_length;
8604 break;
8605 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT:
8606 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
8607 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8608 proto_item_append_text(parameter_tree, " %" PRIu64 " ms", value);
8609 offset += len;
8610 break;
8611 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN:
8612 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
8613 tvb, offset, 16, ENC_BIG_ENDIAN);
8614 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL);
8615 offset += 16;
8616 break;
8617 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE:
8618 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
8619 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8620 proto_item_append_text(parameter_tree, " %" PRIu64, value);
8621 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
8622 offset += len;
8623 break;
8624 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA:
8625 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
8626 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8627 proto_item_append_text(parameter_tree, " %" PRIu64, value);
8628 offset += len;
8629 break;
8630 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL:
8631 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
8632 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8633 proto_item_append_text(parameter_tree, " %" PRIu64, value);
8634 offset += len;
8635 break;
8636 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE:
8637 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
8638 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8639 proto_item_append_text(parameter_tree, " %" PRIu64, value);
8640 offset += len;
8641 break;
8642 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI:
8643 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
8644 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8645 proto_item_append_text(parameter_tree, " %" PRIu64, value);
8646 offset += len;
8647 break;
8648 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI:
8649 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
8650 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8651 proto_item_append_text(parameter_tree, " %" PRIu64, value);
8652 offset += len;
8653 break;
8654 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI:
8655 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
8656 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8657 proto_item_append_text(parameter_tree, " %" PRIu64, value);
8658 offset += len;
8659 break;
8660 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT:
8661 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
8662 tvb, offset, -1, ENC_VARINT_QUIC, NULL, &len);
8663 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
8664 offset += len;
8665 break;
8666 case SSL_HND_QUIC_TP_MAX_ACK_DELAY:
8667 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
8668 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8669 proto_item_append_text(parameter_tree, " %" PRIu64, value);
8670 offset += len;
8671 break;
8672 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION:
8673 /* No Payload */
8674 break;
8675 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS: {
8676 uint32_t connectionid_length;
8677 quic_cid_t cid;
8678
8679 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
8680 tvb, offset, 4, ENC_BIG_ENDIAN);
8681 offset += 4;
8682 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
8683 tvb, offset, 2, ENC_BIG_ENDIAN);
8684 offset += 2;
8685 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
8686 tvb, offset, 16, ENC_NA);
8687 offset += 16;
8688 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
8689 tvb, offset, 2, ENC_BIG_ENDIAN);
8690 offset += 2;
8691 /* XXX - Should we add these addresses and ports as addresses that the client
8692 * is allowed / expected to migrate the server address to? Right now we don't
8693 * enforce that (see RFC 9000 Section 9, which implies that while the client
8694 * can migrate to whatever address it wants, it can only migrate the server
8695 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
8696 */
8697
8698 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
8699 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
8700 break;
8701 }
8702 offset += 1;
8703
8704 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
8705 tvb, offset, connectionid_length, ENC_NA);
8706 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH) {
8707 cid.len = connectionid_length;
8708 // RFC 9000 5.1.1 "If the preferred_address transport
8709 // parameter is sent, the sequence number of the supplied
8710 // connection ID is 1."
8711 cid.seq_num = 1;
8712 // Multipath draft-07 "Also, the Path Identifier for the
8713 // connection ID specified in the "preferred address"
8714 // transport parameter is 0."
8715 cid.path_id = 0;
8716 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
8717 quic_add_connection(pinfo, &cid);
8718 }
8719 offset += connectionid_length;
8720
8721 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
8722 tvb, offset, 16, ENC_NA);
8723 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH) {
8724 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
8725 }
8726 offset += 16;
8727 }
8728 break;
8729 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT:
8730 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
8731 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8732 proto_item_append_text(parameter_tree, " %" PRIu64, value);
8733 offset += len;
8734 break;
8735 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID:
8736 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
8737 tvb, offset, parameter_length, ENC_NA);
8738 offset += parameter_length;
8739 break;
8740 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID:
8741 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
8742 tvb, offset, parameter_length, ENC_NA);
8743 offset += parameter_length;
8744 break;
8745 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE:
8746 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
8747 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8748 proto_item_append_text(parameter_tree, " %" PRIu64, value);
8749 offset += len;
8750 break;
8751 case SSL_HND_QUIC_TP_CIBIR_ENCODING:
8752 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
8753 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8754 proto_item_append_text(parameter_tree, " Length: %" PRIu64, value);
8755 offset += len;
8756 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
8757 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8758 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64, value);
8759 offset += len;
8760 break;
8761 case SSL_HND_QUIC_TP_LOSS_BITS:
8762 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
8763 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8764 if (len > 0) {
8765 quic_add_loss_bits(pinfo, value);
8766 }
8767 offset += 1;
8768 break;
8769 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD:
8770 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V1:
8771 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT05:
8772 case SSL_HND_QUIC_TP_MIN_ACK_DELAY:
8773 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
8774 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8775 proto_item_append_text(parameter_tree, " %" PRIu64, value);
8776 offset += len;
8777 break;
8778 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT:
8779 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
8780 tvb, offset, parameter_length, ENC_ASCII|ENC_NA);
8781 offset += parameter_length;
8782 break;
8783 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED:
8784 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
8785 tvb, offset, parameter_length, ENC_NA);
8786 offset += parameter_length;
8787 break;
8788 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION:
8789 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
8790 tvb, offset, 4, ENC_BIG_ENDIAN);
8791 offset += 4;
8792 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
8793 uint32_t versions_length;
8794
8795 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
8796 tvb, offset, 1, ENC_NA, &versions_length);
8797 offset += 1;
8798 for (i = 0; i < versions_length / 4; i++) {
8799 quic_proto_tree_add_version(tvb, parameter_tree,
8800 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
8801 offset += 4;
8802 }
8803 }
8804 break;
8805 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT:
8806 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
8807 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8808 proto_item_append_text(parameter_tree, " %" PRIu64 " us", value);
8809 offset += len;
8810 break;
8811 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE:
8812 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
8813 tvb, offset, parameter_length, ENC_NA);
8814 offset += parameter_length;
8815 break;
8816 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS:
8817 /* This field was used for non-standard Google-specific parameters encoded as a
8818 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
8819 * parameters. Report it as a bytes blob... */
8820 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
8821 tvb, offset, parameter_length, ENC_NA);
8822 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
8823 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
8824 tvb, offset, 4, ENC_NA);
8825 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
8826 offset += parameter_length;
8827 break;
8828 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS:
8829 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
8830 tvb, offset, parameter_length, ENC_NA);
8831 offset += parameter_length;
8832 break;
8833 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP:
8834 /* No Payload */
8835 break;
8836 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V2:
8837 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
8838 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8839 offset += parameter_length;
8840 break;
8841 case SSL_HND_QUIC_TP_VERSION_INFORMATION:
8842 quic_proto_tree_add_version(tvb, parameter_tree,
8843 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
8844 offset += 4;
8845 for (i = 4; i < parameter_length; i += 4) {
8846 quic_proto_tree_add_version(tvb, parameter_tree,
8847 hf->hf.hs_ext_quictp_parameter_other_version, offset);
8848 offset += 4;
8849 }
8850 break;
8851 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT:
8852 /* No Payload */
8853 quic_add_grease_quic_bit(pinfo);
8854 break;
8855 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY:
8856 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
8857 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8858 offset += parameter_length;
8859 break;
8860 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT04:
8861 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
8862 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8863 if (value == 1) {
8864 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID);
8865 }
8866 offset += parameter_length;
8867 break;
8868 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT05:
8869 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH:
8870 /* No Payload */
8871 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID);
8872 break;
8873 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS:
8874 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
8875 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8876 if (value > 1) {
8877 quic_add_multipath(pinfo, QUIC_MP_PATH_ID);
8878 }
8879 /* multipath draft-07: "The value of the initial_max_paths
8880 * parameter MUST be at least 2." TODO: Expert Info? */
8881 offset += parameter_length;
8882 break;
8883 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID:
8884 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
8885 tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
8886 if (value > 1) {
8887 quic_add_multipath(pinfo, QUIC_MP_PATH_ID);
8888 }
8889 offset += parameter_length;
8890 break;
8891 default:
8892 offset += parameter_length;
8893 /*TODO display expert info about unknown ? */
8894 break;
8895 }
8896
8897 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
8898 /* Dissection did not end at expected location, fix it. */
8899 offset = parameter_end_offset;
8900 }
8901 }
8902
8903 return offset;
8904 }
8905
8906 static int
8907 ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8908 proto_tree *tree, uint32_t offset,
8909 SslSession *session, SslDecryptSession *ssl,
8910 bool from_server, bool is_hrr)
8911 {
8912 uint8_t sessid_length;
8913 proto_tree *rnd_tree;
8914 proto_tree *ti_rnd;
8915 uint8_t draft_version = session->tls13_draft_version;
8916
8917 if (ssl) {
8918 StringInfo *rnd;
8919 if (from_server)
8920 rnd = &ssl->server_random;
8921 else
8922 rnd = &ssl->client_random;
8923
8924 /* save provided random for later keyring generation */
8925 tvb_memcpy(tvb, rnd->data, offset, 32);
8926 rnd->data_len = 32;
8927 if (from_server)
8928 ssl->state |= SSL_SERVER_RANDOM;
8929 else
8930 ssl->state |= SSL_CLIENT_RANDOM;
8931 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC,
8932 from_server ? "SERVER" : "CLIENT", ssl->state);
8933 }
8934
8935 ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA);
8936
8937 if ((session->version != TLSV1DOT3_VERSION) && (session->version != DTLSV1DOT3_VERSION)) { /* No time on first bytes random with TLS 1.3 */
8938
8939 rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
8940 /* show the time */
8941 proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
8942 tvb, offset, 4, ENC_TIME_SECS|ENC_BIG_ENDIAN);
8943 offset += 4;
8944
8945 /* show the random bytes */
8946 proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
8947 tvb, offset, 28, ENC_NA);
8948 offset += 28;
8949 } else {
8950 if (is_hrr) {
8951 proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
8952 }
8953
8954 offset += 32;
8955 }
8956
8957 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
8958 if (from_server == 0 || !(session->version == TLSV1DOT3_VERSION && draft_version > 0 && draft_version < 22)) {
8959 /* show the session id (length followed by actual Session ID) */
8960 sessid_length = tvb_get_uint8(tvb, offset);
8961 proto_tree_add_item(tree, hf->hf.hs_session_id_len,
8962 tvb, offset, 1, ENC_BIG_ENDIAN);
8963 offset++;
8964
8965 if (ssl) {
8966 /* save the authoritative SID for later use in ChangeCipherSpec.
8967 * (D)TLS restricts the SID to 32 chars, it does not make sense to
8968 * save more, so ignore larger ones. */
8969 if (from_server && sessid_length <= 32) {
8970 tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
8971 ssl->session_id.data_len = sessid_length;
8972 }
8973 }
8974 if (sessid_length > 0) {
8975 proto_tree_add_item(tree, hf->hf.hs_session_id,
8976 tvb, offset, sessid_length, ENC_NA);
8977 offset += sessid_length;
8978 }
8979 }
8980
8981 return offset;
8982 }
8983
8984 static int
8985 ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8986 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8987 bool has_length)
8988 {
8989 /* TLS 1.2/1.3 status_request Client Hello Extension.
8990 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
8991 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
8992 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
8993 * struct {
8994 * CertificateStatusType status_type;
8995 * uint16 request_length; // for status_request_v2
8996 * select (status_type) {
8997 * case ocsp: OCSPStatusRequest;
8998 * case ocsp_multi: OCSPStatusRequest;
8999 * } request;
9000 * } CertificateStatusRequest; // CertificateStatusRequestItemV2
9001 *
9002 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
9003 * struct {
9004 * ResponderID responder_id_list<0..2^16-1>;
9005 * Extensions request_extensions;
9006 * } OCSPStatusRequest;
9007 * opaque ResponderID<1..2^16-1>;
9008 * opaque Extensions<0..2^16-1>;
9009 */
9010 unsigned cert_status_type;
9011
9012 cert_status_type = tvb_get_uint8(tvb, offset);
9013 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
9014 tvb, offset, 1, ENC_NA);
9015 offset++;
9016
9017 if (has_length) {
9018 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
9019 tvb, offset, 2, ENC_BIG_ENDIAN);
9020 offset += 2;
9021 }
9022
9023 switch (cert_status_type) {
9024 case SSL_HND_CERT_STATUS_TYPE_OCSP:
9025 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI:
9026 {
9027 uint32_t responder_id_list_len;
9028 uint32_t request_extensions_len;
9029
9030 /* ResponderID responder_id_list<0..2^16-1> */
9031 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
9032 hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX)) {
9033 return offset_end;
9034 }
9035 offset += 2;
9036 if (responder_id_list_len != 0) {
9037 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9038 tvb, offset, responder_id_list_len,
9039 "Responder ID list is not implemented, contact Wireshark"
9040 " developers if you want this to be supported");
9041 }
9042 offset += responder_id_list_len;
9043
9044 /* opaque Extensions<0..2^16-1> */
9045 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
9046 hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX)) {
9047 return offset_end;
9048 }
9049 offset += 2;
9050 if (request_extensions_len != 0) {
9051 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9052 tvb, offset, request_extensions_len,
9053 "Request Extensions are not implemented, contact"
9054 " Wireshark developers if you want this to be supported");
9055 }
9056 offset += request_extensions_len;
9057 break;
9058 }
9059 }
9060
9061 return offset;
9062 }
9063
9064 static unsigned
9065 ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9066 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9067 {
9068 /* https://tools.ietf.org/html/rfc6961#section-2.2
9069 * struct {
9070 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
9071 * } CertificateStatusRequestListV2;
9072 */
9073 uint32_t req_list_length, next_offset;
9074
9075 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
9076 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
9077 hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX)) {
9078 return offset_end;
9079 }
9080 offset += 2;
9081 next_offset = offset + req_list_length;
9082
9083 while (offset < next_offset) {
9084 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true);
9085 }
9086
9087 return offset;
9088 }
9089
9090 static uint32_t
9091 tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9092 uint32_t offset, uint32_t offset_end)
9093 {
9094 uint32_t response_length;
9095 proto_item *ocsp_resp;
9096 proto_tree *ocsp_resp_tree;
9097 asn1_ctx_t asn1_ctx;
9098
9099 /* opaque OCSPResponse<1..2^24-1>; */
9100 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
9101 hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24)) {
9102 return offset_end;
9103 }
9104 offset += 3;
9105
9106 ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
9107 response_length, ENC_BIG_ENDIAN);
9108 proto_item_set_text(ocsp_resp, "OCSP Response");
9109 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
9110 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
9111 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);
9112 dissect_ocsp_OCSPResponse(false, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
9113 }
9114 offset += response_length;
9115
9116 return offset;
9117 }
9118
9119 uint32_t
9120 tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9121 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9122 {
9123 /* TLS 1.2 "CertificateStatus" handshake message.
9124 * TLS 1.3 "status_request" Certificate extension.
9125 * struct {
9126 * CertificateStatusType status_type;
9127 * select (status_type) {
9128 * case ocsp: OCSPResponse;
9129 * case ocsp_multi: OCSPResponseList; // status_request_v2
9130 * } response;
9131 * } CertificateStatus;
9132 * opaque OCSPResponse<1..2^24-1>;
9133 * struct {
9134 * OCSPResponse ocsp_response_list<1..2^24-1>;
9135 * } OCSPResponseList; // status_request_v2
9136 */
9137 uint32_t status_type, resp_list_length, next_offset;
9138
9139 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
9140 tvb, offset, 1, ENC_BIG_ENDIAN, &status_type);
9141 offset += 1;
9142
9143 switch (status_type) {
9144 case SSL_HND_CERT_STATUS_TYPE_OCSP:
9145 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
9146 break;
9147
9148 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI:
9149 /* OCSPResponse ocsp_response_list<1..2^24-1> */
9150 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
9151 hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24)) {
9152 return offset_end;
9153 }
9154 offset += 3;
9155 next_offset = offset + resp_list_length;
9156
9157 while (offset < next_offset) {
9158 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
9159 }
9160 break;
9161 }
9162
9163 return offset;
9164 }
9165
9166 static unsigned
9167 ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9168 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9169 wmem_strbuf_t *ja3)
9170 {
9171 /* RFC 8446 Section 4.2.7
9172 * enum { ..., (0xFFFF) } NamedGroup;
9173 * struct {
9174 * NamedGroup named_group_list<2..2^16-1>
9175 * } NamedGroupList;
9176 *
9177 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
9178 * the extension itself from "elliptic_curves" to "supported_groups".
9179 */
9180 uint32_t groups_length, next_offset;
9181 proto_tree *groups_tree;
9182 proto_item *ti;
9183 char *ja3_dash = "";
9184
9185 /* NamedGroup named_group_list<2..2^16-1> */
9186 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
9187 hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX)) {
9188 return offset_end;
9189 }
9190 offset += 2;
9191 next_offset = offset + groups_length;
9192
9193 ti = proto_tree_add_none_format(tree,
9194 hf->hf.hs_ext_supported_groups,
9195 tvb, offset, groups_length,
9196 "Supported Groups (%d group%s)",
9197 groups_length / 2,
9198 plurality(groups_length/2, "", "s"));
9199
9200 /* make this a subtree */
9201 groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);
9202
9203 if (ja3) {
9204 wmem_strbuf_append_c(ja3, ',');
9205 }
9206 /* loop over all groups */
9207 while (offset + 2 <= offset_end) {
9208 uint32_t ext_supported_group;
9209
9210 proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
9211 ENC_BIG_ENDIAN, &ext_supported_group);
9212 offset += 2;
9213 if (ja3 && !IS_GREASE_TLS(ext_supported_group)) {
9214 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
9215 ja3_dash = "-";
9216 }
9217 }
9218 if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
9219 offset = next_offset;
9220 }
9221
9222 return offset;
9223 }
9224
9225 static int
9226 ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9227 proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
9228 {
9229 uint8_t ecpf_length;
9230 proto_tree *ecpf_tree;
9231 proto_item *ti;
9232
9233 ecpf_length = tvb_get_uint8(tvb, offset);
9234 proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
9235 tvb, offset, 1, ENC_BIG_ENDIAN);
9236
9237 offset += 1;
9238 ti = proto_tree_add_none_format(tree,
9239 hf->hf.hs_ext_ec_point_formats,
9240 tvb, offset, ecpf_length,
9241 "Elliptic curves point formats (%d)",
9242 ecpf_length);
9243
9244 /* make this a subtree */
9245 ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);
9246
9247 if (ja3) {
9248 wmem_strbuf_append_c(ja3, ',');
9249 }
9250
9251 /* loop over all point formats */
9252 while (ecpf_length > 0)
9253 {
9254 uint32_t ext_ec_point_format;
9255
9256 proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
9257 ENC_BIG_ENDIAN, &ext_ec_point_format);
9258 offset++;
9259 ecpf_length--;
9260 if (ja3) {
9261 wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
9262 if (ecpf_length > 0) {
9263 wmem_strbuf_append_c(ja3, '-');
9264 }
9265 }
9266 }
9267
9268 return offset;
9269 }
9270
9271 static int
9272 ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9273 packet_info *pinfo, proto_tree *tree,
9274 uint32_t offset, uint32_t next_offset)
9275 {
9276 /* https://tools.ietf.org/html/rfc5054#section-2.8.1
9277 * opaque srp_I<1..2^8-1>;
9278 */
9279 uint32_t username_len;
9280
9281 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
9282 hf->hf.hs_ext_srp_len, 1, UINT8_MAX)) {
9283 return next_offset;
9284 }
9285 offset++;
9286
9287 proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
9288 tvb, offset, username_len, ENC_UTF_8|ENC_NA);
9289 offset += username_len;
9290
9291 return offset;
9292 }
9293
9294 static uint32_t
9295 tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9296 uint32_t offset, uint32_t offset_end, uint16_t version)
9297 {
9298 /* https://tools.ietf.org/html/rfc6962#section-3.2
9299 * enum { v1(0), (255) } Version;
9300 * struct {
9301 * opaque key_id[32];
9302 * } LogID;
9303 * opaque CtExtensions<0..2^16-1>;
9304 * struct {
9305 * Version sct_version;
9306 * LogID id;
9307 * uint64 timestamp;
9308 * CtExtensions extensions;
9309 * digitally-signed struct { ... };
9310 * } SignedCertificateTimestamp;
9311 */
9312 uint32_t sct_version;
9313 uint64_t sct_timestamp_ms;
9314 nstime_t sct_timestamp;
9315 uint32_t exts_len;
9316 const char *log_name;
9317
9318 proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA, &sct_version);
9319 offset++;
9320 if (sct_version != 0) {
9321 // TODO expert info about unknown SCT version?
9322 return offset;
9323 }
9324 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN);
9325 log_name = bytesval_to_str(tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
9326 proto_item_append_text(tree, " (%s)", log_name);
9327 offset += 32;
9328 sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);
9329 sct_timestamp.secs = (time_t)(sct_timestamp_ms / 1000);
9330 sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);
9331 proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
9332 offset += 8;
9333 /* opaque CtExtensions<0..2^16-1> */
9334 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
9335 hf->hf.sct_sct_extensions_length, 0, UINT16_MAX)) {
9336 return offset_end;
9337 }
9338 offset += 2;
9339 if (exts_len > 0) {
9340 proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN);
9341 offset += exts_len;
9342 }
9343 offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
9344 hf->hf.sct_sct_signature_length,
9345 hf->hf.sct_sct_signature);
9346 return offset;
9347 }
9348
9349 uint32_t
9350 tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9351 uint32_t offset, uint32_t offset_end, uint16_t version)
9352 {
9353 /* https://tools.ietf.org/html/rfc6962#section-3.3
9354 * opaque SerializedSCT<1..2^16-1>;
9355 * struct {
9356 * SerializedSCT sct_list <1..2^16-1>;
9357 * } SignedCertificateTimestampList;
9358 */
9359 uint32_t list_length, sct_length, next_offset;
9360 proto_tree *subtree;
9361
9362 /* SerializedSCT sct_list <1..2^16-1> */
9363 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
9364 hf->hf.sct_scts_length, 1, UINT16_MAX)) {
9365 return offset_end;
9366 }
9367 offset += 2;
9368
9369 while (offset < offset_end) {
9370 subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL, "Signed Certificate Timestamp");
9371
9372 /* opaque SerializedSCT<1..2^16-1> */
9373 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,
9374 hf->hf.sct_sct_length, 1, UINT16_MAX)) {
9375 return offset_end;
9376 }
9377 offset += 2;
9378 next_offset = offset + sct_length;
9379 proto_item_set_len(subtree, 2 + sct_length);
9380 offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
9381 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
9382 offset = next_offset;
9383 }
9384 }
9385
9386 return offset;
9387 }
9388
9389 static int
9390 dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U_,
9391 proto_tree *tree, uint32_t offset)
9392 {
9393 uint32_t kdf_id, aead_id;
9394 proto_item *cs_ti;
9395 proto_tree *cs_tree;
9396
9397 cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
9398 tvb, offset, 4, ENC_NA);
9399 cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);
9400
9401 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
9402 tvb, offset, 2, ENC_BIG_ENDIAN, &kdf_id);
9403 offset += 2;
9404 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
9405 tvb, offset, 2, ENC_BIG_ENDIAN, &aead_id);
9406 offset += 2;
9407
9408 proto_item_append_text(cs_ti, ": %s/%s",
9409 val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
9410 val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
9411 return offset;
9412 }
9413
9414 static int
9415 dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9416 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9417 uint32_t *config_id)
9418 {
9419 uint32_t length, cipher_suite_length;
9420 proto_item *kc_ti, *css_ti;
9421 proto_tree *kc_tree, *css_tree;
9422 uint32_t original_offset = offset, next_offset;
9423
9424 kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
9425 tvb, offset, -1, ENC_NA);
9426 kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);
9427
9428 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
9429 tvb, offset, 1, ENC_BIG_ENDIAN, config_id);
9430 offset += 1;
9431 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
9432 tvb, offset, 2, ENC_BIG_ENDIAN);
9433 offset += 2;
9434 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
9435 tvb, offset, 2, ENC_BIG_ENDIAN, &length);
9436 offset += 2;
9437 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
9438 tvb, offset, length, ENC_NA);
9439 offset += length;
9440
9441 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
9442 if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
9443 hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX - 3)) {
9444 return offset_end;
9445 }
9446 offset += 2;
9447 next_offset = offset + cipher_suite_length;
9448
9449 css_ti = proto_tree_add_none_format(kc_tree,
9450 hf->hf.ech_hpke_keyconfig_cipher_suites,
9451 tvb, offset, cipher_suite_length,
9452 "Cipher Suites (%d suite%s)",
9453 cipher_suite_length / 4,
9454 plurality(cipher_suite_length / 4, "", "s"));
9455 css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);
9456
9457
9458 while (offset + 4 <= next_offset) {
9459 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
9460 }
9461
9462 if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
9463 offset = next_offset;
9464 }
9465
9466 proto_item_set_len(kc_ti, offset - original_offset);
9467
9468 return offset;
9469 }
9470
9471 static int
9472 dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9473 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9474 const uint8_t **public_name, uint32_t *config_id)
9475 {
9476 uint32_t public_name_length, extensions_length, next_offset;
9477
9478 offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
9479 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
9480 tvb, offset, 1, ENC_BIG_ENDIAN);
9481 offset += 1;
9482 proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
9483 tvb, offset, 1, ENC_BIG_ENDIAN, &public_name_length);
9484 offset += 1;
9485 proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
9486 tvb, offset, public_name_length, ENC_ASCII, pinfo->pool, public_name);
9487 offset += public_name_length;
9488
9489 /* Extension extensions<0..2^16-1>; */
9490 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
9491 hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX)) {
9492 return offset_end;
9493 }
9494 offset += 2;
9495 next_offset = offset + extensions_length;
9496
9497 if (extensions_length > 0) {
9498 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
9499 tvb, offset, extensions_length, ENC_NA);
9500 }
9501 offset += extensions_length;
9502
9503 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9504 offset = next_offset;
9505 }
9506
9507 return offset;
9508 }
9509
9510 static int
9511 dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9512 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9513 {
9514 uint32_t version, length;
9515 proto_item *ech_ti;
9516 proto_tree *ech_tree;
9517 const uint8_t *public_name = NULL;
9518 uint32_t config_id = 0;
9519
9520 ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA);
9521 ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);
9522
9523 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
9524 tvb, offset, 2, ENC_BIG_ENDIAN, &version);
9525 offset += 2;
9526 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
9527 tvb, offset, 2, ENC_BIG_ENDIAN, &length);
9528 offset += 2;
9529
9530 proto_item_set_len(ech_ti, 4 + length);
9531
9532 switch(version) {
9533 case 0xfe0d:
9534 dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
9535 proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
9536 break;
9537
9538 default:
9539 expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
9540 }
9541
9542 return 4 + length;
9543 }
9544
9545 uint32_t
9546 ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9547 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9548 {
9549 uint32_t echconfiglist_length, next_offset;
9550
9551 /* ECHConfig ECHConfigList<1..2^16-1>; */
9552 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
9553 hf->hf.ech_echconfiglist_length, 1, UINT16_MAX)) {
9554 return offset_end;
9555 }
9556 offset += 2;
9557 next_offset = offset + echconfiglist_length;
9558
9559 while (offset < next_offset) {
9560 offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
9561 }
9562
9563 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9564 offset = next_offset;
9565 }
9566
9567 return offset;
9568 }
9569
9570 static uint32_t
9571 ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb _U_, packet_info *pinfo,
9572 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9573 uint8_t hnd_type, SslDecryptSession *ssl _U_)
9574 {
9575 uint32_t ch_type, length;
9576 proto_item *retry_ti;
9577 proto_tree *retry_tree;
9578
9579 switch (hnd_type) {
9580 case SSL_HND_CLIENT_HELLO:
9581 /*
9582 * enum { outer(0), inner(1) } ECHClientHelloType;
9583 *
9584 * struct {
9585 * ECHClientHelloType type;
9586 * select (ECHClientHello.type) {
9587 * case outer:
9588 * HpkeSymmetricCipherSuite cipher_suite;
9589 * uint8 config_id;
9590 * opaque enc<0..2^16-1>;
9591 * opaque payload<1..2^16-1>;
9592 * case inner:
9593 * Empty;
9594 * };
9595 * } ECHClientHello;
9596 */
9597
9598 proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN, &ch_type);
9599 offset += 1;
9600 switch (ch_type) {
9601 case 0: /* outer */
9602 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
9603
9604 proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN);
9605 offset += 1;
9606 proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN, &length);
9607 offset += 2;
9608 proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA);
9609 offset += length;
9610 proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN, &length);
9611 offset += 2;
9612 proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA);
9613 offset += length;
9614 break;
9615 case 1: /* inner */
9616 /* We will never be here, unless we are going to have support
9617 for extracting the ephemeral secrets from endpoints */
9618 break; /* Nothing to do, data is encrypted */
9619 }
9620 break;
9621
9622 case SSL_HND_ENCRYPTED_EXTENSIONS:
9623 /*
9624 * struct {
9625 * ECHConfigList retry_configs;
9626 * } ECHEncryptedExtensions;
9627 */
9628
9629 retry_ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA);
9630 retry_tree = proto_item_add_subtree(retry_ti, hf->ett.ech_retry_configs);
9631 offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
9632 break;
9633
9634 case SSL_HND_HELLO_RETRY_REQUEST:
9635 /*
9636 * struct {
9637 * opaque confirmation[8];
9638 * } ECHHelloRetryRequest;
9639 */
9640
9641 proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA);
9642 offset += 8;
9643 break;
9644 }
9645
9646 return offset;
9647 }
9648
9649 static uint32_t
9650 ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9651 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9652 uint8_t hnd_type, SslDecryptSession *ssl _U_)
9653 {
9654 uint32_t record_digest_length, encrypted_sni_length;
9655
9656 switch (hnd_type) {
9657 case SSL_HND_CLIENT_HELLO:
9658 /*
9659 * struct {
9660 * CipherSuite suite;
9661 * KeyShareEntry key_share;
9662 * opaque record_digest<0..2^16-1>;
9663 * opaque encrypted_sni<0..2^16-1>;
9664 * } ClientEncryptedSNI;
9665 */
9666 proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN);
9667 offset += 2;
9668 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL);
9669
9670 /* opaque record_digest<0..2^16-1> */
9671 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
9672 hf->hf.esni_record_digest_length, 0, UINT16_MAX)) {
9673 return offset_end;
9674 }
9675 offset += 2;
9676 if (record_digest_length > 0) {
9677 proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA);
9678 offset += record_digest_length;
9679 }
9680
9681 /* opaque encrypted_sni<0..2^16-1> */
9682 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
9683 hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX)) {
9684 return offset_end;
9685 }
9686 offset += 2;
9687 if (encrypted_sni_length > 0) {
9688 proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA);
9689 offset += encrypted_sni_length;
9690 }
9691 break;
9692
9693 case SSL_HND_ENCRYPTED_EXTENSIONS:
9694 proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA);
9695 offset += 16;
9696 break;
9697 }
9698
9699 return offset;
9700 }
9701 /** TLS Extensions (in Client Hello and Server Hello). }}} */
9702
9703 /* Connection ID dissection. {{{ */
9704 static uint32_t
9705 ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9706 proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
9707 uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
9708 {
9709 /* keep track of the decrypt session only for the first pass */
9710 if (cidl > 0 && !PINFO_FD_VISITED(pinfo)) {
9711 tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
9712 *session_cidl = cidl;
9713 *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);
9714 tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
9715 if (ssl) {
9716 ssl_add_session_by_cid(ssl);
9717 }
9718 }
9719
9720 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
9721 tvb, offset, 1, ENC_NA);
9722 offset++;
9723
9724 if (cidl > 0) {
9725 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
9726 tvb, offset, cidl, ENC_NA);
9727 offset += cidl;
9728 }
9729
9730 return offset;
9731 }
9732
9733 static uint32_t
9734 ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9735 proto_tree *tree, uint32_t offset, uint8_t hnd_type,
9736 SslSession *session, SslDecryptSession *ssl)
9737 {
9738 uint8_t cidl = tvb_get_uint8(tvb, offset);
9739
9740 switch (hnd_type) {
9741 case SSL_HND_CLIENT_HELLO:
9742 session->client_cid_len_present = true;
9743 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
9744 cidl, &session->client_cid, &session->client_cid_len);
9745 case SSL_HND_SERVER_HELLO:
9746 session->server_cid_len_present = true;
9747 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
9748 cidl, &session->server_cid, &session->server_cid_len);
9749 default:
9750 return offset;
9751 }
9752 } /* }}} */
9753
9754 /* Trusted CA dissection. {{{ */
9755 static uint32_t
9756 ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9757 uint32_t offset, uint32_t offset_end)
9758 {
9759 proto_item *ti;
9760 proto_tree *subtree;
9761 uint32_t keys_length, next_offset;
9762
9763 /*
9764 * struct {
9765 * TrustedAuthority trusted_authorities_list<0..2^16-1>;
9766 * } TrustedAuthorities;
9767 *
9768 * struct {
9769 * IdentifierType identifier_type;
9770 * select (identifier_type) {
9771 * case pre_agreed: struct {};
9772 * case key_sha1_hash: SHA1Hash;
9773 * case x509_name: DistinguishedName;
9774 * case cert_sha1_hash: SHA1Hash;
9775 * } identifier;
9776 * } TrustedAuthority;
9777 *
9778 * enum {
9779 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
9780 * cert_sha1_hash(3), (255)
9781 * } IdentifierType;
9782 *
9783 * opaque DistinguishedName<1..2^16-1>;
9784 *
9785 */
9786
9787
9788 /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
9789 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
9790 0, UINT16_MAX))
9791 {
9792 return offset_end;
9793 }
9794 offset += 2;
9795 next_offset = offset + keys_length;
9796
9797 if (keys_length > 0)
9798 {
9799 ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
9800 "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s"));
9801 subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);
9802
9803 while (offset < next_offset)
9804 {
9805 uint32_t identifier_type;
9806 proto_tree *trusted_key_tree;
9807 proto_item *trusted_key_item;
9808 asn1_ctx_t asn1_ctx;
9809 uint32_t key_len = 0;
9810
9811 identifier_type = tvb_get_uint8(tvb, offset);
9812
9813 // Use 0 as length for now as we'll only know the size when we decode the identifier
9814 trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
9815 offset, 0, "Trusted CA Key");
9816 trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);
9817
9818 proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
9819 offset, 1, identifier_type);
9820 offset++;
9821
9822 /*
9823 * enum {
9824 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
9825 * cert_sha1_hash(3), (255)
9826 * } IdentifierType;
9827 */
9828 switch (identifier_type)
9829 {
9830 case 0:
9831 key_len = 0;
9832 break;
9833 case 2:
9834 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);
9835
9836 uint32_t name_length;
9837 /* opaque DistinguishedName<1..2^16-1> */
9838 if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
9839 hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX)) {
9840 return next_offset;
9841 }
9842 offset += 2;
9843
9844 dissect_x509if_DistinguishedName(false, tvb, offset, &asn1_ctx,
9845 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
9846 offset += name_length;
9847 break;
9848 case 1:
9849 case 3:
9850 key_len = 20;
9851 /* opaque SHA1Hash[20]; */
9852 proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
9853 offset, 20, ENC_NA);
9854 break;
9855
9856 default:
9857 key_len = 0;
9858 /*TODO display expert info about unknown ? */
9859 break;
9860 }
9861 proto_item_set_len(trusted_key_item, 1 + key_len);
9862 offset += key_len;
9863 }
9864 }
9865
9866 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
9867 {
9868 offset = next_offset;
9869 }
9870
9871 return offset;
9872 } /* }}} */
9873
9874
9875 /* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
9876 bool
9877 ssl_is_valid_content_type(uint8_t type)
9878 {
9879 switch ((ContentType) type) {
9880 case SSL_ID_CHG_CIPHER_SPEC:
9881 case SSL_ID_ALERT:
9882 case SSL_ID_HANDSHAKE:
9883 case SSL_ID_APP_DATA:
9884 case SSL_ID_HEARTBEAT:
9885 case SSL_ID_TLS12_CID:
9886 case SSL_ID_DTLS13_ACK:
9887 return true;
9888 }
9889 return false;
9890 }
9891
9892 bool
9893 ssl_is_valid_handshake_type(uint8_t hs_type, bool is_dtls)
9894 {
9895 switch ((HandshakeType) hs_type) {
9896 case SSL_HND_HELLO_VERIFY_REQUEST:
9897 /* hello_verify_request is DTLS-only */
9898 return is_dtls;
9899
9900 case SSL_HND_HELLO_REQUEST:
9901 case SSL_HND_CLIENT_HELLO:
9902 case SSL_HND_SERVER_HELLO:
9903 case SSL_HND_NEWSESSION_TICKET:
9904 case SSL_HND_END_OF_EARLY_DATA:
9905 case SSL_HND_HELLO_RETRY_REQUEST:
9906 case SSL_HND_ENCRYPTED_EXTENSIONS:
9907 case SSL_HND_CERTIFICATE:
9908 case SSL_HND_SERVER_KEY_EXCHG:
9909 case SSL_HND_CERT_REQUEST:
9910 case SSL_HND_SVR_HELLO_DONE:
9911 case SSL_HND_CERT_VERIFY:
9912 case SSL_HND_CLIENT_KEY_EXCHG:
9913 case SSL_HND_FINISHED:
9914 case SSL_HND_CERT_URL:
9915 case SSL_HND_CERT_STATUS:
9916 case SSL_HND_SUPPLEMENTAL_DATA:
9917 case SSL_HND_KEY_UPDATE:
9918 case SSL_HND_COMPRESSED_CERTIFICATE:
9919 case SSL_HND_ENCRYPTED_EXTS:
9920 return true;
9921 }
9922 return false;
9923 }
9924
9925 static bool
9926 ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
9927 bool is_dtls)
9928 {
9929 /* Consider all valid Handshake messages (except for Client Hello) and
9930 * all other valid record types (other than Handshake) */
9931 return (content_type == SSL_ID_HANDSHAKE &&
9932 ssl_is_valid_handshake_type(handshake_type, is_dtls) &&
9933 handshake_type != SSL_HND_CLIENT_HELLO) ||
9934 (content_type != SSL_ID_HANDSHAKE &&
9935 ssl_is_valid_content_type(content_type));
9936 }
9937
9938 /**
9939 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
9940 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
9941 * Returns true if the supported_versions extension was found, false if not.
9942 */
9943 bool
9944 tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
9945 uint16_t *server_version, bool *is_hrr)
9946 {
9947 /* SHA256("HelloRetryRequest") */
9948 static const uint8_t tls13_hrr_random_magic[] = {
9949 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
9950 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
9951 };
9952 uint8_t session_id_length;
9953
9954 *server_version = tvb_get_ntohs(tvb, offset);
9955
9956 /*
9957 * Try to look for supported_versions extension. Minimum length:
9958 * 2 + 32 + 1 = 35 (version, random, session id length)
9959 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
9960 * 2 + 2 + 2 = 6 (ext type, ext len, version)
9961 *
9962 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
9963 * there's a separate expert info warning for that.
9964 */
9965 if ((*server_version == TLSV1DOT2_VERSION || *server_version == DTLSV1DOT2_VERSION) && offset_end - offset >= 46) {
9966 offset += 2;
9967 if (is_hrr) {
9968 *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
9969 }
9970 offset += 32;
9971 session_id_length = tvb_get_uint8(tvb, offset);
9972 offset++;
9973 if (offset_end - offset < session_id_length + 5u) {
9974 return false;
9975 }
9976 offset += session_id_length + 5;
9977
9978 while (offset_end - offset >= 6) {
9979 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
9980 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
9981 if (offset_end - offset < 4u + ext_len) {
9982 break; /* not enough data for type, length and data */
9983 }
9984 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS) {
9985 if (ext_len == 2) {
9986 *server_version = tvb_get_ntohs(tvb, offset + 4);
9987 }
9988 return true;
9989 }
9990 offset += 4 + ext_len;
9991 }
9992 } else {
9993 if (is_hrr) {
9994 *is_hrr = false;
9995 }
9996 }
9997 return false;
9998 }
9999
10000 /**
10001 * Scan a Client Hello handshake message to see if the supported_versions
10002 * extension is found, in which case the version field is legacy_version.
10003 */
10004 static bool
10005 tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
10006 {
10007 uint8_t session_id_length;
10008
10009 uint16_t client_version = tvb_get_ntohs(tvb, offset);
10010
10011 /*
10012 * Try to look for supported_versions extension. Minimum length:
10013 * 2 + 32 + 1 = 35 (version, random, session id length)
10014 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10015 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10016 *
10017 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10018 * there's a separate expert info warning for that.
10019 */
10020 if ((client_version == TLSV1DOT2_VERSION || client_version == DTLSV1DOT2_VERSION) && offset_end - offset >= 46) {
10021 offset += 2;
10022 offset += 32;
10023 session_id_length = tvb_get_uint8(tvb, offset);
10024 offset++;
10025 if (offset_end - offset < session_id_length + 2u) {
10026 return false;
10027 }
10028 offset += session_id_length;
10029 if (client_version == DTLSV1DOT2_VERSION) {
10030 uint8_t cookie_length = tvb_get_uint8(tvb, offset);
10031 offset++;
10032 if (offset_end - offset < cookie_length + 2u) {
10033 return false;
10034 }
10035 }
10036 uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
10037 offset += 2;
10038 if (offset_end - offset < cipher_suites_length + 1u) {
10039 return false;
10040 }
10041 offset += cipher_suites_length;
10042 uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
10043 offset++;
10044 if (offset_end - offset < compression_methods_length + 2u) {
10045 return false;
10046 }
10047 offset += compression_methods_length + 2;
10048
10049 while (offset_end - offset >= 6) {
10050 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10051 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10052 if (offset_end - offset < 4u + ext_len) {
10053 break; /* not enough data for type, length and data */
10054 }
10055 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS) {
10056 return true;
10057 }
10058 offset += 4 + ext_len;
10059 }
10060 }
10061 return false;
10062 }
10063 void
10064 ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
10065 uint8_t content_type, uint8_t handshake_type,
10066 bool is_dtls, uint16_t version)
10067 {
10068 uint8_t tls13_draft = 0;
10069
10070 if (!ssl_is_authoritative_version_message(content_type, handshake_type,
10071 is_dtls))
10072 return;
10073
10074 version = tls_try_get_version(is_dtls, version, &tls13_draft);
10075 if (version == SSL_VER_UNKNOWN) {
10076 return;
10077 }
10078
10079 session->tls13_draft_version = tls13_draft;
10080 session->version = version;
10081 if (ssl) {
10082 ssl->state |= SSL_VERSION;
10083 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC, version, ssl->state);
10084 }
10085 }
10086
10087 void
10088 ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
10089 ContentType content_type,
10090 unsigned record_length, proto_item *length_pi,
10091 uint16_t version, tvbuff_t *decrypted_tvb)
10092 {
10093 unsigned max_expansion;
10094 if (version == TLSV1DOT3_VERSION) {
10095 /* TLS 1.3: Max length is 2^14 + 256 */
10096 max_expansion = 256;
10097 } else {
10098 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
10099 max_expansion = 2048;
10100 }
10101 /*
10102 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
10103 * and ChangeCipherSpec.
10104 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
10105 * so assume it is permitted.
10106 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
10107 * assume TLS 1.2 requirements.
10108 */
10109 if (record_length == 0 &&
10110 (content_type == SSL_ID_CHG_CIPHER_SPEC ||
10111 content_type == SSL_ID_ALERT ||
10112 content_type == SSL_ID_HANDSHAKE)) {
10113 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10114 "Zero-length %s fragments are not allowed",
10115 val_to_str_const(content_type, ssl_31_content_type, "unknown"));
10116 }
10117 if (record_length > TLS_MAX_RECORD_LENGTH + max_expansion) {
10118 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10119 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
10120 }
10121 if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH) {
10122 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10123 "TLSPlaintext length MUST NOT exceed 2^14");
10124 }
10125 }
10126
10127 static void
10128 ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
10129 {
10130 /* store selected cipher suite for decryption */
10131 ssl->session.cipher = cipher;
10132
10133 const SslCipherSuite *cs = ssl_find_cipher(cipher);
10134 if (!cs) {
10135 ssl->cipher_suite = NULL;
10136 ssl->state &= ~SSL_CIPHER;
10137 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC, cipher);
10138 } else if (ssl->session.version == SSLV3_VERSION && !(cs->dig == DIG_MD5 || cs->dig == DIG_SHA)) {
10139 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
10140 * cipher suite that uses for example MACAlgorithm SHA256. Reject that
10141 * to avoid a potential buffer overflow in ssl3_check_mac. */
10142 ssl->cipher_suite = NULL;
10143 ssl->state &= ~SSL_CIPHER;
10144 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC, cipher);
10145 } else {
10146 /* Cipher found, save this for the delayed decoder init */
10147 ssl->cipher_suite = cs;
10148 ssl->state |= SSL_CIPHER;
10149 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC, cipher,
10150 val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
10151 ssl->state);
10152 }
10153 }
10154 /* }}} */
10155
10156
10157 /* Client Hello and Server Hello dissections. {{{ */
10158 static int
10159 ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10160 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
10161 SslSession *session, SslDecryptSession *ssl,
10162 bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data);
10163 void
10164 ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10165 packet_info *pinfo, proto_tree *tree, uint32_t offset,
10166 uint32_t offset_end, SslSession *session,
10167 SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs)
10168 {
10169 /* struct {
10170 * ProtocolVersion client_version;
10171 * Random random;
10172 * SessionID session_id;
10173 * opaque cookie<0..32>; //new field for DTLS
10174 * CipherSuite cipher_suites<2..2^16-1>;
10175 * CompressionMethod compression_methods<1..2^8-1>;
10176 * Extension client_hello_extension_list<0..2^16-1>;
10177 * } ClientHello;
10178 */
10179 proto_item *ti;
10180 proto_tree *cs_tree;
10181 uint32_t client_version;
10182 uint32_t cipher_suite_length;
10183 uint32_t compression_methods_length;
10184 uint8_t compression_method;
10185 uint32_t next_offset;
10186 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10187 char *ja3_hash;
10188 char *ja3_dash = "";
10189 char *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
10190 ja4_data_t ja4_data;
10191 wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
10192 wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
10193 wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
10194 wmem_list_frame_t *curr_entry;
10195
10196 ja4_data.max_version = 0;
10197 ja4_data.server_name_present = false;
10198 ja4_data.num_cipher_suites = 0;
10199 ja4_data.num_extensions = 0;
10200 ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
10201 ja4_data.cipher_list = wmem_list_new(pinfo->pool);
10202 ja4_data.extension_list = wmem_list_new(pinfo->pool);
10203 ja4_data.sighash_list = wmem_list_new(pinfo->pool);
10204
10205 /* show the client version */
10206 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, tvb,
10207 offset, 2, ENC_BIG_ENDIAN,
10208 &client_version);
10209 if (tls_scan_client_hello(tvb, offset, offset_end)) {
10210 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10211 }
10212 offset += 2;
10213 wmem_strbuf_append_printf(ja3, "%i,", client_version);
10214
10215 /*
10216 * Is it version 1.3?
10217 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
10218 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10219 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
10220 * Hello".
10221 */
10222 if (dtls_hfs != NULL) {
10223 if (client_version == DTLSV1DOT3_VERSION) {
10224 /* Don't do that. */
10225 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10226 }
10227 } else {
10228 if (client_version == TLSV1DOT3_VERSION) {
10229 /* Don't do that. */
10230 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10231 }
10232 }
10233
10234 /* dissect fields that are present in both ClientHello and ServerHello */
10235 offset = ssl_dissect_hnd_hello_common(hf, tvb, tree, offset, session, ssl, false, false);
10236
10237 /* fields specific for DTLS (cookie_len, cookie) */
10238 if (dtls_hfs != NULL) {
10239 uint32_t cookie_length;
10240 /* opaque cookie<0..32> (for DTLS only) */
10241 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
10242 dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
10243 return;
10244 }
10245 offset++;
10246 if (cookie_length > 0) {
10247 proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
10248 tvb, offset, cookie_length, ENC_NA);
10249 offset += cookie_length;
10250 }
10251 }
10252
10253 /* CipherSuite cipher_suites<2..2^16-1> */
10254 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
10255 hf->hf.hs_cipher_suites_len, 2, UINT16_MAX)) {
10256 return;
10257 }
10258 offset += 2;
10259 next_offset = offset + cipher_suite_length;
10260 ti = proto_tree_add_none_format(tree,
10261 hf->hf.hs_cipher_suites,
10262 tvb, offset, cipher_suite_length,
10263 "Cipher Suites (%d suite%s)",
10264 cipher_suite_length / 2,
10265 plurality(cipher_suite_length/2, "", "s"));
10266 cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
10267 while (offset + 2 <= next_offset) {
10268 uint32_t cipher_suite;
10269
10270 proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, tvb, offset, 2,
10271 ENC_BIG_ENDIAN, &cipher_suite);
10272 offset += 2;
10273 if (!IS_GREASE_TLS(cipher_suite)) {
10274 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
10275 ja3_dash = "-";
10276 ja4_data.num_cipher_suites += 1;
10277 wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite), wmem_compare_uint);
10278 }
10279 }
10280 wmem_strbuf_append_c(ja3, ',');
10281 if (!ssl_end_vector(hf, tvb, pinfo, cs_tree, offset, next_offset)) {
10282 offset = next_offset;
10283 }
10284
10285 /* CompressionMethod compression_methods<1..2^8-1> */
10286 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
10287 hf->hf.hs_comp_methods_len, 1, UINT8_MAX)) {
10288 return;
10289 }
10290 offset++;
10291 next_offset = offset + compression_methods_length;
10292 ti = proto_tree_add_none_format(tree,
10293 hf->hf.hs_comp_methods,
10294 tvb, offset, compression_methods_length,
10295 "Compression Methods (%u method%s)",
10296 compression_methods_length,
10297 plurality(compression_methods_length,
10298 "", "s"));
10299 cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
10300 while (offset < next_offset) {
10301 compression_method = tvb_get_uint8(tvb, offset);
10302 /* TODO: make reserved/private comp meth. fields selectable */
10303 if (compression_method < 64)
10304 proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
10305 tvb, offset, 1, compression_method);
10306 else if (compression_method > 63 && compression_method < 193)
10307 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10308 compression_method, "Reserved - to be assigned by IANA (%u)",
10309 compression_method);
10310 else
10311 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10312 compression_method, "Private use range (%u)",
10313 compression_method);
10314 offset++;
10315 }
10316
10317 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10318 if (offset < offset_end) {
10319 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10320 offset_end, SSL_HND_CLIENT_HELLO,
10321 session, ssl, dtls_hfs != NULL, ja3, &ja4_data);
10322 if (ja4_data.max_version > 0) {
10323 client_version = ja4_data.max_version;
10324 }
10325 } else {
10326 wmem_strbuf_append_printf(ja3, ",,");
10327 }
10328
10329 if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
10330 wmem_strbuf_append(ja4_a, "t");
10331 } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
10332 wmem_strbuf_append(ja4_a, "q");
10333 } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
10334 wmem_strbuf_append(ja4_a, "d");
10335 }
10336 wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
10337 wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
10338 if (ja4_data.num_cipher_suites > 99) {
10339 wmem_strbuf_append(ja4_a, "99");
10340 } else {
10341 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
10342 }
10343 if (ja4_data.num_extensions > 99) {
10344 wmem_strbuf_append(ja4_a, "99");
10345 } else {
10346 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
10347 }
10348 if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
10349 wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
10350 } else {
10351 wmem_strbuf_append(ja4_a, "00");
10352 }
10353
10354 curr_entry = wmem_list_head(ja4_data.cipher_list);
10355 for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
10356 wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry)));
10357 if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
10358 wmem_strbuf_append(ja4_br, ",");
10359 }
10360 curr_entry = wmem_list_frame_next(curr_entry);
10361 }
10362
10363 curr_entry = wmem_list_head(ja4_data.extension_list);
10364 for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
10365 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry)));
10366 if (i < wmem_list_count(ja4_data.extension_list) - 1) {
10367 wmem_strbuf_append(ja4_cr, ",");
10368 }
10369 curr_entry = wmem_list_frame_next(curr_entry);
10370 }
10371
10372 if (wmem_list_count(ja4_data.sighash_list) > 0) {
10373 wmem_strbuf_append(ja4_cr, "_");
10374 curr_entry = wmem_list_head(ja4_data.sighash_list);
10375 for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
10376 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry)));
10377 if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
10378 wmem_strbuf_append(ja4_cr, ",");
10379 }
10380 curr_entry = wmem_list_frame_next(curr_entry);
10381 }
10382 }
10383 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
10384 ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);
10385 g_free(ja4_hash);
10386 if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
10387 ja4_hash = g_strdup("000000000000");
10388 } else {
10389 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
10390 }
10391 ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
10392 g_free(ja4_hash);
10393
10394 ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
10395 ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));
10396
10397 ti = proto_tree_add_string(tree, hf->hf.hs_ja4, tvb, offset, 0, ja4);
10398 proto_item_set_generated(ti);
10399 ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, tvb, offset, 0, ja4_r);
10400 proto_item_set_generated(ti);
10401
10402 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
10403 wmem_strbuf_get_len(ja3));
10404 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
10405 proto_item_set_generated(ti);
10406 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, tvb, offset, 0, ja3_hash);
10407 proto_item_set_generated(ti);
10408 g_free(ja3_hash);
10409 }
10410
10411 void
10412 ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10413 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10414 SslSession *session, SslDecryptSession *ssl,
10415 bool is_dtls, bool is_hrr)
10416 {
10417 /* struct {
10418 * ProtocolVersion server_version;
10419 * Random random;
10420 * SessionID session_id; // TLS 1.2 and before
10421 * CipherSuite cipher_suite;
10422 * CompressionMethod compression_method; // TLS 1.2 and before
10423 * Extension server_hello_extension_list<0..2^16-1>;
10424 * } ServerHello;
10425 */
10426 uint8_t draft_version = session->tls13_draft_version;
10427 proto_item *ti;
10428 uint32_t server_version;
10429 uint32_t cipher_suite;
10430 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10431 char *ja3_hash;
10432
10433 col_set_str(pinfo->cinfo, COL_PROTOCOL,
10434 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
10435
10436 /* Initially assume that the session is resumed. If this is not the case, a
10437 * ServerHelloDone will be observed before the ChangeCipherSpec message
10438 * which will reset this flag. */
10439 session->is_session_resumed = true;
10440
10441 /* show the server version */
10442 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
10443 offset, 2, ENC_BIG_ENDIAN, &server_version);
10444
10445 uint16_t supported_server_version;
10446 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL)) {
10447 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10448 }
10449 /*
10450 * Is it version 1.3?
10451 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
10452 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10453 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
10454 * Hello".
10455 */
10456 if (is_dtls) {
10457 if (server_version == DTLSV1DOT3_VERSION) {
10458 /* Don't do that. */
10459 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10460 }
10461 } else {
10462 if (server_version == TLSV1DOT3_VERSION) {
10463 /* Don't do that. */
10464 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10465 }
10466 }
10467
10468 offset += 2;
10469 wmem_strbuf_append_printf(ja3, "%i", server_version);
10470
10471 /* dissect fields that are present in both ClientHello and ServerHello */
10472 offset = ssl_dissect_hnd_hello_common(hf, tvb, tree, offset, session, ssl, true, is_hrr);
10473
10474 if (ssl) {
10475 /* store selected cipher suite for decryption */
10476 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
10477 }
10478
10479 /* now the server-selected cipher suite */
10480 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
10481 tvb, offset, 2, ENC_BIG_ENDIAN, &cipher_suite);
10482 offset += 2;
10483 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
10484
10485 /* No compression with TLS 1.3 before draft -22 */
10486 if (!(session->version == TLSV1DOT3_VERSION && draft_version > 0 && draft_version < 22)) {
10487 if (ssl) {
10488 /* store selected compression method for decryption */
10489 ssl->session.compression = tvb_get_uint8(tvb, offset);
10490 }
10491 /* and the server-selected compression method */
10492 proto_tree_add_item(tree, hf->hf.hs_comp_method,
10493 tvb, offset, 1, ENC_BIG_ENDIAN);
10494 offset++;
10495 }
10496
10497 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10498 if (offset < offset_end) {
10499 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10500 offset_end,
10501 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
10502 session, ssl, is_dtls, ja3, NULL);
10503 }
10504
10505 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
10506 wmem_strbuf_get_len(ja3));
10507 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
10508 proto_item_set_generated(ti);
10509 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
10510 proto_item_set_generated(ti);
10511 g_free(ja3_hash);
10512 }
10513 /* Client Hello and Server Hello dissections. }}} */
10514
10515 /* New Session Ticket dissection. {{{ */
10516 void
10517 ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10518 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10519 SslSession *session, SslDecryptSession *ssl,
10520 bool is_dtls, GHashTable *session_hash)
10521 {
10522 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
10523 * struct {
10524 * uint32 ticket_lifetime_hint;
10525 * opaque ticket<0..2^16-1>;
10526 * } NewSessionTicket;
10527 *
10528 * RFC 8446 Section 4.6.1 (TLS 1.3):
10529 * struct {
10530 * uint32 ticket_lifetime;
10531 * uint32 ticket_age_add;
10532 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -22
10533 * opaque ticket<1..2^16-1>;
10534 * Extension extensions<0..2^16-2>;
10535 * } NewSessionTicket;
10536 */
10537 proto_tree *subtree;
10538 proto_item *subitem;
10539 uint32_t ticket_len;
10540 bool is_tls13 = session->version == TLSV1DOT3_VERSION || session->version == DTLSV1DOT3_VERSION;
10541 unsigned char draft_version = session->tls13_draft_version;
10542 uint32_t lifetime_hint;
10543
10544 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
10545 hf->ett.session_ticket, NULL,
10546 "TLS Session Ticket");
10547
10548 /* ticket lifetime hint */
10549 subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,
10550 tvb, offset, 4, ENC_BIG_ENDIAN, &lifetime_hint);
10551 offset += 4;
10552
10553 if (lifetime_hint >= 60) {
10554 char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);
10555 proto_item_append_text(subitem, " (%s)", time_str);
10556 }
10557
10558 if (is_tls13) {
10559
10560 /* for TLS 1.3: ticket_age_add */
10561 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
10562 tvb, offset, 4, ENC_BIG_ENDIAN);
10563 offset += 4;
10564
10565 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
10566 if (draft_version == 0 || draft_version >= 21) {
10567 uint32_t ticket_nonce_len;
10568
10569 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,
10570 hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
10571 return;
10572 }
10573 offset++;
10574
10575 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA);
10576 offset += ticket_nonce_len;
10577 }
10578
10579 }
10580
10581 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
10582 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
10583 hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX)) {
10584 return;
10585 }
10586 offset += 2;
10587
10588 /* Content depends on implementation, so just show data! */
10589 proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
10590 tvb, offset, ticket_len, ENC_NA);
10591 /* save the session ticket to cache for ssl_finalize_decryption */
10592 if (ssl && !is_tls13) {
10593 tvb_ensure_bytes_exist(tvb, offset, ticket_len);
10594 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
10595 ssl->session_ticket.data, ticket_len);
10596 ssl->session_ticket.data_len = ticket_len;
10597 tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
10598 /* NewSessionTicket is received after the first (client)
10599 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
10600 * Since the second CCS has already the session key available it will
10601 * just return. To ensure that the session ticket is mapped to a
10602 * master key (from the first CCS), save the ticket here too. */
10603 ssl_save_master_key("Session Ticket", session_hash,
10604 &ssl->session_ticket, &ssl->master_secret);
10605 ssl->state |= SSL_NEW_SESSION_TICKET;
10606 }
10607 offset += ticket_len;
10608
10609 if (is_tls13) {
10610 ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
10611 offset_end, SSL_HND_NEWSESSION_TICKET,
10612 session, ssl, is_dtls, NULL, NULL);
10613 }
10614 } /* }}} */
10615
10616 void
10617 ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10618 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10619 SslSession *session, SslDecryptSession *ssl,
10620 bool is_dtls)
10621 {
10622 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
10623 * struct {
10624 * ProtocolVersion server_version;
10625 * CipherSuite cipher_suite; // not before draft -19
10626 * Extension extensions<2..2^16-1>;
10627 * } HelloRetryRequest;
10628 * Note: no longer used since draft -22
10629 */
10630 uint32_t version;
10631 uint8_t draft_version;
10632
10633 proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
10634 offset, 2, ENC_BIG_ENDIAN, &version);
10635 draft_version = extract_tls13_draft_version(version);
10636 offset += 2;
10637
10638 if (draft_version == 0 || draft_version >= 19) {
10639 proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
10640 tvb, offset, 2, ENC_BIG_ENDIAN);
10641 offset += 2;
10642 }
10643
10644 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10645 offset_end, SSL_HND_HELLO_RETRY_REQUEST,
10646 session, ssl, is_dtls, NULL, NULL);
10647 }
10648
10649 void
10650 ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10651 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10652 SslSession *session, SslDecryptSession *ssl,
10653 bool is_dtls)
10654 {
10655 /* RFC 8446 Section 4.3.1
10656 * struct {
10657 * Extension extensions<0..2^16-1>;
10658 * } EncryptedExtensions;
10659 */
10660 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10661 offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,
10662 session, ssl, is_dtls, NULL, NULL);
10663 }
10664
10665 /* Certificate and Certificate Request dissections. {{{ */
10666 void
10667 ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10668 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
10669 SslSession *session, SslDecryptSession *ssl _U_,
10670 bool is_from_server, bool is_dtls)
10671 {
10672 /* opaque ASN.1Cert<1..2^24-1>;
10673 *
10674 * Before RFC 8446 (TLS <= 1.2):
10675 * struct {
10676 * select(certificate_type) {
10677 *
10678 * // certificate type defined in RFC 7250
10679 * case RawPublicKey:
10680 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
10681 *
10682 * // X.509 certificate defined in RFC 5246
10683 * case X.509:
10684 * ASN.1Cert certificate_list<0..2^24-1>;
10685 * };
10686 * } Certificate;
10687 *
10688 * RFC 8446 (since draft -20):
10689 * struct {
10690 * select(certificate_type){
10691 * case RawPublicKey:
10692 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
10693 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
10694 *
10695 * case X.509:
10696 * opaque cert_data<1..2^24-1>;
10697 * }
10698 * Extension extensions<0..2^16-1>;
10699 * } CertificateEntry;
10700 * struct {
10701 * opaque certificate_request_context<0..2^8-1>;
10702 * CertificateEntry certificate_list<0..2^24-1>;
10703 * } Certificate;
10704 */
10705 enum { CERT_X509, CERT_RPK } cert_type;
10706 asn1_ctx_t asn1_ctx;
10707 #if defined(HAVE_LIBGNUTLS)
10708 gnutls_datum_t subjectPublicKeyInfo = { NULL, 0 };
10709 unsigned certificate_index = 0;
10710 #endif
10711 uint32_t next_offset, certificate_list_length, cert_length;
10712 proto_tree *subtree = tree;
10713
10714 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);
10715
10716 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY) ||
10717 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY)) {
10718 cert_type = CERT_RPK;
10719 } else {
10720 cert_type = CERT_X509;
10721 }
10722
10723 #if defined(HAVE_LIBGNUTLS)
10724 /* Ask the pkcs1 dissector to return the public key details */
10725 if (ssl)
10726 asn1_ctx.private_data = &subjectPublicKeyInfo;
10727 #endif
10728
10729 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
10730 if (session->version == TLSV1DOT3_VERSION || session->version == DTLSV1DOT3_VERSION) {
10731 uint32_t context_length;
10732 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
10733 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX)) {
10734 return;
10735 }
10736 offset++;
10737 if (context_length > 0) {
10738 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
10739 tvb, offset, context_length, ENC_NA);
10740 offset += context_length;
10741 }
10742 }
10743
10744 if ((session->version != TLSV1DOT3_VERSION && session->version != DTLSV1DOT3_VERSION) && cert_type == CERT_RPK) {
10745 /* For RPK before TLS 1.3, the single RPK is stored directly without
10746 * another "certificate_list" field. */
10747 certificate_list_length = offset_end - offset;
10748 next_offset = offset_end;
10749 } else {
10750 /* CertificateEntry certificate_list<0..2^24-1> */
10751 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
10752 hf->hf.hs_certificates_len, 0, G_MAXUINT24)) {
10753 return;
10754 }
10755 offset += 3; /* 24-bit length value */
10756 next_offset = offset + certificate_list_length;
10757 }
10758
10759 /* RawPublicKey must have one cert, but X.509 can have multiple. */
10760 if (certificate_list_length > 0 && cert_type == CERT_X509) {
10761 proto_item *ti;
10762
10763 ti = proto_tree_add_none_format(tree,
10764 hf->hf.hs_certificates,
10765 tvb, offset, certificate_list_length,
10766 "Certificates (%u bytes)",
10767 certificate_list_length);
10768
10769 /* make it a subtree */
10770 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
10771 }
10772
10773 while (offset < next_offset) {
10774 switch (cert_type) {
10775 case CERT_RPK:
10776 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
10777 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
10778 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
10779 hf->hf.hs_certificate_len, 1, G_MAXUINT24)) {
10780 return;
10781 }
10782 offset += 3;
10783
10784 dissect_x509af_SubjectPublicKeyInfo(false, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
10785 offset += cert_length;
10786 break;
10787 case CERT_X509:
10788 /* opaque ASN1Cert<1..2^24-1> */
10789 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
10790 hf->hf.hs_certificate_len, 1, G_MAXUINT24)) {
10791 return;
10792 }
10793 offset += 3;
10794
10795 dissect_x509af_Certificate(false, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
10796 #if defined(HAVE_LIBGNUTLS)
10797 if (is_from_server && ssl && certificate_index == 0) {
10798 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
10799 /* Only attempt to get the RSA modulus for the first cert. */
10800 asn1_ctx.private_data = NULL;
10801 }
10802 #endif
10803 offset += cert_length;
10804 break;
10805 }
10806
10807 /* TLS 1.3: Extension extensions<0..2^16-1> */
10808 if ((session->version == TLSV1DOT3_VERSION || session->version == DTLSV1DOT3_VERSION)) {
10809 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
10810 next_offset, SSL_HND_CERTIFICATE,
10811 session, ssl, is_dtls, NULL, NULL);
10812 }
10813
10814 #if defined(HAVE_LIBGNUTLS)
10815 certificate_index++;
10816 #endif
10817 }
10818 }
10819
10820 void
10821 ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10822 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10823 SslSession *session, bool is_dtls)
10824 {
10825 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
10826 * enum {
10827 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
10828 * (255)
10829 * } ClientCertificateType;
10830 *
10831 * opaque DistinguishedName<1..2^16-1>;
10832 *
10833 * struct {
10834 * ClientCertificateType certificate_types<1..2^8-1>;
10835 * DistinguishedName certificate_authorities<3..2^16-1>;
10836 * } CertificateRequest;
10837 *
10838 *
10839 * As per TLSv1.2 (RFC 5246) the format has changed to:
10840 *
10841 * enum {
10842 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
10843 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
10844 * fortezza_dms_RESERVED(20), (255)
10845 * } ClientCertificateType;
10846 *
10847 * enum {
10848 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
10849 * sha512(6), (255)
10850 * } HashAlgorithm;
10851 *
10852 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
10853 * SignatureAlgorithm;
10854 *
10855 * struct {
10856 * HashAlgorithm hash;
10857 * SignatureAlgorithm signature;
10858 * } SignatureAndHashAlgorithm;
10859 *
10860 * SignatureAndHashAlgorithm
10861 * supported_signature_algorithms<2..2^16-2>;
10862 *
10863 * opaque DistinguishedName<1..2^16-1>;
10864 *
10865 * struct {
10866 * ClientCertificateType certificate_types<1..2^8-1>;
10867 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
10868 * DistinguishedName certificate_authorities<0..2^16-1>;
10869 * } CertificateRequest;
10870 *
10871 * draft-ietf-tls-tls13-18:
10872 * struct {
10873 * opaque certificate_request_context<0..2^8-1>;
10874 * SignatureScheme
10875 * supported_signature_algorithms<2..2^16-2>;
10876 * DistinguishedName certificate_authorities<0..2^16-1>;
10877 * CertificateExtension certificate_extensions<0..2^16-1>;
10878 * } CertificateRequest;
10879 *
10880 * RFC 8446 (since draft-ietf-tls-tls13-19):
10881 *
10882 * struct {
10883 * opaque certificate_request_context<0..2^8-1>;
10884 * Extension extensions<2..2^16-1>;
10885 * } CertificateRequest;
10886 */
10887 proto_item *ti;
10888 proto_tree *subtree;
10889 uint32_t next_offset;
10890 asn1_ctx_t asn1_ctx;
10891 bool is_tls13 = (session->version == TLSV1DOT3_VERSION || session->version == DTLSV1DOT3_VERSION);
10892 unsigned char draft_version = session->tls13_draft_version;
10893
10894 if (!tree)
10895 return;
10896
10897 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);
10898
10899 if (is_tls13) {
10900 uint32_t context_length;
10901 /* opaque certificate_request_context<0..2^8-1> */
10902 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
10903 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX)) {
10904 return;
10905 }
10906 offset++;
10907 if (context_length > 0) {
10908 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
10909 tvb, offset, context_length, ENC_NA);
10910 offset += context_length;
10911 }
10912 } else {
10913 uint32_t cert_types_count;
10914 /* ClientCertificateType certificate_types<1..2^8-1> */
10915 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
10916 hf->hf.hs_cert_types_count, 1, UINT8_MAX)) {
10917 return;
10918 }
10919 offset++;
10920 next_offset = offset + cert_types_count;
10921
10922 ti = proto_tree_add_none_format(tree,
10923 hf->hf.hs_cert_types,
10924 tvb, offset, cert_types_count,
10925 "Certificate types (%u type%s)",
10926 cert_types_count,
10927 plurality(cert_types_count, "", "s"));
10928 subtree = proto_item_add_subtree(ti, hf->ett.cert_types);
10929
10930 while (offset < next_offset) {
10931 proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN);
10932 offset++;
10933 }
10934 }
10935
10936 if (session->version == TLSV1DOT2_VERSION || session->version == DTLSV1DOT2_VERSION ||
10937 (is_tls13 && (draft_version > 0 && draft_version < 19))) {
10938 offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL);
10939 }
10940
10941 if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
10942 /*
10943 * TLS 1.3 draft 19 and newer: Extensions.
10944 * SslDecryptSession pointer is NULL because Certificate Extensions
10945 * should not influence decryption state.
10946 */
10947 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10948 offset_end, SSL_HND_CERT_REQUEST,
10949 session, NULL, is_dtls, NULL, NULL);
10950 } else if (is_tls13 && draft_version <= 18) {
10951 /*
10952 * TLS 1.3 draft 18 and older: certificate_authorities and
10953 * certificate_extensions (a vector of OID mappings).
10954 */
10955 offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
10956 ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
10957 } else {
10958 /* for TLS 1.2 and older, the certificate_authorities field. */
10959 tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
10960 }
10961 }
10962 /* Certificate and Certificate Request dissections. }}} */
10963
10964 void
10965 ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10966 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
10967 {
10968 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
10969 hf->hf.hs_client_cert_vrfy_sig_len,
10970 hf->hf.hs_client_cert_vrfy_sig);
10971 }
10972
10973 /* Finished dissection. {{{ */
10974 void
10975 ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10976 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10977 const SslSession *session, ssl_hfs_t *ssl_hfs)
10978 {
10979 /* For SSLv3:
10980 * struct {
10981 * opaque md5_hash[16];
10982 * opaque sha_hash[20];
10983 * } Finished;
10984 *
10985 * For (D)TLS:
10986 * struct {
10987 * opaque verify_data[12];
10988 * } Finished;
10989 *
10990 * For TLS 1.3:
10991 * struct {
10992 * opaque verify_data[Hash.length];
10993 * }
10994 */
10995 if (!tree)
10996 return;
10997
10998 if (session->version == SSLV3_VERSION) {
10999 if (ssl_hfs != NULL) {
11000 proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
11001 tvb, offset, 16, ENC_NA);
11002 proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
11003 tvb, offset + 16, 20, ENC_NA);
11004 }
11005 } else {
11006 /* Length should be 12 for TLS before 1.3, assume this is the case. */
11007 proto_tree_add_item(tree, hf->hf.hs_finished,
11008 tvb, offset, offset_end - offset, ENC_NA);
11009 }
11010 } /* }}} */
11011
11012 /* RFC 6066 Certificate URL handshake message dissection. {{{ */
11013 void
11014 ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
11015 {
11016 uint16_t url_hash_len;
11017
11018 /* enum {
11019 * individual_certs(0), pkipath(1), (255)
11020 * } CertChainType;
11021 *
11022 * struct {
11023 * CertChainType type;
11024 * URLAndHash url_and_hash_list<1..2^16-1>;
11025 * } CertificateURL;
11026 *
11027 * struct {
11028 * opaque url<1..2^16-1>;
11029 * unint8 padding;
11030 * opaque SHA1Hash[20];
11031 * } URLAndHash;
11032 */
11033
11034 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
11035 tvb, offset, 1, ENC_NA);
11036 offset++;
11037
11038 url_hash_len = tvb_get_ntohs(tvb, offset);
11039 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
11040 tvb, offset, 2, ENC_BIG_ENDIAN);
11041 offset += 2;
11042 while (url_hash_len-- > 0) {
11043 proto_item *urlhash_item;
11044 proto_tree *urlhash_tree;
11045 uint16_t url_len;
11046
11047 urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
11048 tvb, offset, -1, ENC_NA);
11049 urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);
11050
11051 url_len = tvb_get_ntohs(tvb, offset);
11052 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
11053 tvb, offset, 2, ENC_BIG_ENDIAN);
11054 offset += 2;
11055
11056 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
11057 tvb, offset, url_len, ENC_ASCII|ENC_NA);
11058 offset += url_len;
11059
11060 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
11061 tvb, offset, 1, ENC_NA);
11062 offset++;
11063 /* Note: RFC 6066 says that padding must be 0x01 */
11064
11065 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
11066 tvb, offset, 20, ENC_NA);
11067 offset += 20;
11068 }
11069 } /* }}} */
11070
11071 void
11072 ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11073 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11074 SslSession *session, SslDecryptSession *ssl,
11075 bool is_from_server, bool is_dtls)
11076 {
11077 uint32_t algorithm, uncompressed_length;
11078 uint32_t compressed_certificate_message_length;
11079 tvbuff_t *uncompressed_tvb = NULL;
11080 proto_item *ti;
11081 /*
11082 * enum {
11083 * zlib(1),
11084 * brotli(2),
11085 * zstd(3),
11086 * (65535)
11087 * } CertificateCompressionAlgorithm;
11088 *
11089 * struct {
11090 * CertificateCompressionAlgorithm algorithm;
11091 * uint24 uncompressed_length;
11092 * opaque compressed_certificate_message<1..2^24-1>;
11093 * } CompressedCertificate;
11094 */
11095
11096 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
11097 tvb, offset, 2, ENC_BIG_ENDIAN, &algorithm);
11098 offset += 2;
11099
11100 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
11101 tvb, offset, 3, ENC_BIG_ENDIAN, &uncompressed_length);
11102 offset += 3;
11103
11104 /* opaque compressed_certificate_message<1..2^24-1>; */
11105 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,
11106 hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24)) {
11107 return;
11108 }
11109 offset += 3;
11110
11111 ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
11112 tvb, offset, compressed_certificate_message_length, ENC_NA);
11113
11114 /* Certificate decompression following algorithm */
11115 switch (algorithm) {
11116 case 2: /* brotli */
11117 uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);
11118 break;
11119 /* TODO: add other algorithms */
11120 }
11121
11122 if (uncompressed_tvb) {
11123 proto_tree *uncompressed_tree;
11124
11125 if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {
11126 proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
11127 tvb, offset, offset_end - offset,
11128 "Invalid uncompressed length %u (expected %u)",
11129 tvb_captured_length(uncompressed_tvb),
11130 uncompressed_length);
11131 } else {
11132 uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
11133 ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
11134 0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
11135 add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
11136 }
11137 }
11138 }
11139
11140 /* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
11141 static int
11142 ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11143 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
11144 SslSession *session, SslDecryptSession *ssl,
11145 bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data)
11146 {
11147 uint32_t exts_len;
11148 uint16_t ext_type;
11149 uint32_t ext_len;
11150 uint32_t next_offset;
11151 proto_tree *ext_tree;
11152 bool is_tls13 = session->version == TLSV1DOT3_VERSION;
11153 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
11154 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
11155 char *ja3_dash = "";
11156 unsigned supported_version;
11157
11158 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
11159 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
11160 hf->hf.hs_exts_len, 0, UINT16_MAX)) {
11161 return offset_end;
11162 }
11163 offset += 2;
11164 offset_end = offset + exts_len;
11165
11166 if (ja4_data) {
11167 ja4_data->num_extensions = 0;
11168 }
11169 while (offset_end - offset >= 4)
11170 {
11171 ext_type = tvb_get_ntohs(tvb, offset);
11172 ext_len = tvb_get_ntohs(tvb, offset + 2);
11173
11174 if (ja4_data && !IS_GREASE_TLS(ext_type)) {
11175 ja4_data->num_extensions += 1;
11176 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME &&
11177 ext_type != SSL_HND_HELLO_EXT_ALPN) {
11178 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type), wmem_compare_uint);
11179 }
11180 }
11181
11182 ext_tree = proto_tree_add_subtree_format(tree, tvb, offset, 4 + ext_len, hf->ett.hs_ext, NULL,
11183 "Extension: %s (len=%u)", val_to_str(ext_type,
11184 tls_hello_extension_types,
11185 "Unknown type %u"), ext_len);
11186
11187 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
11188 tvb, offset, 2, ext_type);
11189 offset += 2;
11190 if (ja3 && !IS_GREASE_TLS(ext_type)) {
11191 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
11192 ja3_dash = "-";
11193 }
11194
11195 /* opaque extension_data<0..2^16-1> */
11196 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
11197 hf->hf.hs_ext_len, 0, UINT16_MAX)) {
11198 return offset_end;
11199 }
11200 offset += 2;
11201 next_offset = offset + ext_len;
11202
11203 switch (ext_type) {
11204 case SSL_HND_HELLO_EXT_SERVER_NAME:
11205 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11206 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
11207 if (ja4_data) {
11208 ja4_data->server_name_present = true;
11209 }
11210 }
11211 break;
11212 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH:
11213 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA);
11214 offset += 1;
11215 break;
11216 case SSL_HND_HELLO_EXT_STATUS_REQUEST:
11217 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11218 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false);
11219 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
11220 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
11221 }
11222 break;
11223 case SSL_HND_HELLO_EXT_CERT_TYPE:
11224 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11225 offset, next_offset,
11226 hnd_type, ext_type,
11227 session);
11228 break;
11229 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS:
11230 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11231 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11232 next_offset, ja3_sg);
11233 } else {
11234 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11235 next_offset, NULL);
11236 }
11237 break;
11238 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS:
11239 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11240 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
11241 } else {
11242 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL);
11243 }
11244 break;
11245 break;
11246 case SSL_HND_HELLO_EXT_SRP:
11247 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
11248 break;
11249 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS:
11250 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
11251 break;
11252 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT: /* since TLS 1.3 draft -23 */
11253 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL);
11254 break;
11255 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS:
11256 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
11257 break;
11258 case SSL_HND_HELLO_EXT_USE_SRTP:
11259 if (is_dtls) {
11260 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11261 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false);
11262 } else if (hnd_type == SSL_HND_SERVER_HELLO) {
11263 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true);
11264 }
11265 } else {
11266 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
11267 }
11268 break;
11269 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO:
11270 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11271 break;
11272 case SSL_HND_HELLO_EXT_HEARTBEAT:
11273 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
11274 tvb, offset, 1, ENC_BIG_ENDIAN);
11275 offset++;
11276 break;
11277 case SSL_HND_HELLO_EXT_ALPN:
11278 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
11279 break;
11280 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V2:
11281 if (hnd_type == SSL_HND_CLIENT_HELLO)
11282 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
11283 break;
11284 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP:
11285 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
11286 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
11287 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
11288 break;
11289 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE:
11290 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE:
11291 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11292 offset, next_offset,
11293 hnd_type, ext_type,
11294 session);
11295 break;
11296 case SSL_HND_HELLO_EXT_PADDING:
11297 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA);
11298 offset += ext_len;
11299 break;
11300 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC:
11301 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
11302 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC);
11303 ssl->state |= SSL_ENCRYPT_THEN_MAC;
11304 }
11305 break;
11306 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET:
11307 if (ssl) {
11308 switch (hnd_type) {
11309 case SSL_HND_CLIENT_HELLO:
11310 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET;
11311 break;
11312 case SSL_HND_SERVER_HELLO:
11313 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET;
11314 break;
11315 default: /* no default */
11316 break;
11317 }
11318 }
11319 break;
11320 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE:
11321 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11322 break;
11323 case SSL_HND_HELLO_EXT_TOKEN_BINDING:
11324 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11325 break;
11326 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT:
11327 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
11328 tvb, offset, 2, ENC_BIG_ENDIAN);
11329 offset += 2;
11330 break;
11331 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS:
11332 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V1:
11333 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11334 break;
11335 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS:
11336 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
11337 break;
11338 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD: /* used before TLS 1.3 draft -23 */
11339 case SSL_HND_HELLO_EXT_KEY_SHARE:
11340 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11341 break;
11342 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY:
11343 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11344 break;
11345 case SSL_HND_HELLO_EXT_EARLY_DATA:
11346 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO:
11347 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11348 break;
11349 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS:
11350 switch (hnd_type) {
11351 case SSL_HND_CLIENT_HELLO:
11352 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
11353 break;
11354 case SSL_HND_SERVER_HELLO:
11355 case SSL_HND_HELLO_RETRY_REQUEST:
11356 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN, &supported_version);
11357 offset += 2;
11358 proto_item_append_text(ext_tree, " %s", val_to_str(supported_version, ssl_versions, "Unknown (0x%04x)"));
11359 break;
11360 }
11361 break;
11362 case SSL_HND_HELLO_EXT_COOKIE:
11363 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
11364 break;
11365 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES:
11366 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
11367 break;
11368 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES:
11369 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
11370 break;
11371 case SSL_HND_HELLO_EXT_OID_FILTERS:
11372 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
11373 break;
11374 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH:
11375 break;
11376 case SSL_HND_HELLO_EXT_NPN:
11377 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
11378 break;
11379 case SSL_HND_HELLO_EXT_ALPS:
11380 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11381 break;
11382 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO:
11383 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
11384 break;
11385 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME:
11386 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11387 break;
11388 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED:
11389 session->deprecated_cid = true;
11390 /* FALLTHRU */
11391 case SSL_HND_HELLO_EXT_CONNECTION_ID:
11392 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
11393 break;
11394 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS:
11395 offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
11396 break;
11397 default:
11398 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
11399 tvb, offset, ext_len, ENC_NA);
11400 offset += ext_len;
11401 break;
11402 }
11403
11404 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
11405 /* Dissection did not end at expected location, fix it. */
11406 offset = next_offset;
11407 }
11408 }
11409
11410 if (ja3) {
11411 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11412 if(wmem_strbuf_get_len(ja3_sg) > 0) {
11413 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
11414 } else {
11415 wmem_strbuf_append_c(ja3, ',');
11416 }
11417 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
11418 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
11419 } else {
11420 wmem_strbuf_append_c(ja3, ',');
11421 }
11422 }
11423 }
11424
11425 /* Check if Extensions vector is correctly terminated. */
11426 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
11427 offset = offset_end;
11428 }
11429
11430 return offset;
11431 } /* }}} */
11432
11433
11434 /* ClientKeyExchange algo-specific dissectors. {{{ */
11435
11436 static void
11437 dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11438 proto_tree *tree, uint32_t offset,
11439 uint32_t length)
11440 {
11441 int point_len;
11442 proto_tree *ssl_ecdh_tree;
11443
11444 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11445 hf->ett.keyex_params, NULL, "EC Diffie-Hellman Client Params");
11446
11447 /* point */
11448 point_len = tvb_get_uint8(tvb, offset);
11449 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
11450 offset, 1, ENC_BIG_ENDIAN);
11451 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
11452 offset + 1, point_len, ENC_NA);
11453 }
11454
11455 static void
11456 dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11457 proto_tree *tree, uint32_t offset, uint32_t length)
11458 {
11459 int yc_len;
11460 proto_tree *ssl_dh_tree;
11461
11462 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11463 hf->ett.keyex_params, NULL, "Diffie-Hellman Client Params");
11464
11465 /* ClientDiffieHellmanPublic.dh_public (explicit) */
11466 yc_len = tvb_get_ntohs(tvb, offset);
11467 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
11468 offset, 2, ENC_BIG_ENDIAN);
11469 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,
11470 offset + 2, yc_len, ENC_NA);
11471 }
11472
11473 static void
11474 dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11475 proto_tree *tree, uint32_t offset,
11476 uint32_t length, const SslSession *session)
11477 {
11478 int epms_len;
11479 proto_tree *ssl_rsa_tree;
11480
11481 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11482 hf->ett.keyex_params, NULL, "RSA Encrypted PreMaster Secret");
11483
11484 /* EncryptedPreMasterSecret.pre_master_secret */
11485 switch (session->version) {
11486 case SSLV2_VERSION:
11487 case SSLV3_VERSION:
11488 case DTLSV1DOT0_OPENSSL_VERSION:
11489 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
11490 * not present. The handshake contents represents the EPMS, see:
11491 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
11492 epms_len = length;
11493 break;
11494
11495 default:
11496 /* TLS and DTLS include vector length before EPMS */
11497 epms_len = tvb_get_ntohs(tvb, offset);
11498 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
11499 offset, 2, ENC_BIG_ENDIAN);
11500 offset += 2;
11501 break;
11502 }
11503 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
11504 offset, epms_len, ENC_NA);
11505 }
11506
11507 /* Used in PSK cipher suites */
11508 static uint32_t
11509 dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11510 proto_tree *tree, uint32_t offset)
11511 {
11512 unsigned identity_len;
11513 proto_tree *ssl_psk_tree;
11514
11515 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
11516 hf->ett.keyex_params, NULL, "PSK Client Params");
11517 /* identity */
11518 identity_len = tvb_get_ntohs(tvb, offset);
11519 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
11520 offset, 2, ENC_BIG_ENDIAN);
11521 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,
11522 offset + 2, identity_len, ENC_NA);
11523
11524 proto_item_set_len(ssl_psk_tree, 2 + identity_len);
11525 return 2 + identity_len;
11526 }
11527
11528 /* Used in RSA PSK cipher suites */
11529 static void
11530 dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11531 proto_tree *tree, uint32_t offset,
11532 uint32_t length)
11533 {
11534 int identity_len, epms_len;
11535 proto_tree *ssl_psk_tree;
11536
11537 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11538 hf->ett.keyex_params, NULL, "RSA PSK Client Params");
11539
11540 /* identity */
11541 identity_len = tvb_get_ntohs(tvb, offset);
11542 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,
11543 tvb, offset, 2, ENC_BIG_ENDIAN);
11544 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,
11545 tvb, offset + 2, identity_len, ENC_NA);
11546 offset += 2 + identity_len;
11547
11548 /* Yc */
11549 epms_len = tvb_get_ntohs(tvb, offset);
11550 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
11551 offset, 2, ENC_BIG_ENDIAN);
11552 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,
11553 offset + 2, epms_len, ENC_NA);
11554 }
11555
11556 /* Used in Diffie-Hellman PSK cipher suites */
11557 static void
11558 dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11559 proto_tree *tree, uint32_t offset, uint32_t length)
11560 {
11561 /*
11562 * struct {
11563 * select (KeyExchangeAlgorithm) {
11564 * case diffie_hellman_psk:
11565 * opaque psk_identity<0..2^16-1>;
11566 * ClientDiffieHellmanPublic public;
11567 * } exchange_keys;
11568 * } ClientKeyExchange;
11569 */
11570
11571 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
11572 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);
11573 }
11574
11575 /* Used in EC Diffie-Hellman PSK cipher suites */
11576 static void
11577 dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11578 proto_tree *tree, uint32_t offset, uint32_t length)
11579 {
11580 /*
11581 * struct {
11582 * select (KeyExchangeAlgorithm) {
11583 * case ec_diffie_hellman_psk:
11584 * opaque psk_identity<0..2^16-1>;
11585 * ClientECDiffieHellmanPublic public;
11586 * } exchange_keys;
11587 * } ClientKeyExchange;
11588 */
11589
11590 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
11591 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);
11592 }
11593
11594 /* Used in EC J-PAKE cipher suites */
11595 static void
11596 dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11597 proto_tree *tree, uint32_t offset,
11598 uint32_t length)
11599 {
11600 /*
11601 * struct {
11602 * ECPoint V;
11603 * opaque r<1..2^8-1>;
11604 * } ECSchnorrZKP;
11605 *
11606 * struct {
11607 * ECPoint X;
11608 * ECSchnorrZKP zkp;
11609 * } ECJPAKEKeyKP;
11610 *
11611 * struct {
11612 * ECJPAKEKeyKP ecjpake_key_kp;
11613 * } ClientECJPAKEParams;
11614 *
11615 * select (KeyExchangeAlgorithm) {
11616 * case ecjpake:
11617 * ClientECJPAKEParams params;
11618 * } ClientKeyExchange;
11619 */
11620
11621 int point_len;
11622 proto_tree *ssl_ecjpake_tree;
11623
11624 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11625 hf->ett.keyex_params, NULL,
11626 "EC J-PAKE Client Params");
11627
11628 /* ECJPAKEKeyKP.X */
11629 point_len = tvb_get_uint8(tvb, offset);
11630 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,
11631 offset, 1, ENC_BIG_ENDIAN);
11632 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,
11633 offset + 1, point_len, ENC_NA);
11634 offset += 1 + point_len;
11635
11636 /* ECJPAKEKeyKP.zkp.V */
11637 point_len = tvb_get_uint8(tvb, offset);
11638 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,
11639 offset, 1, ENC_BIG_ENDIAN);
11640 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,
11641 offset + 1, point_len, ENC_NA);
11642 offset += 1 + point_len;
11643
11644 /* ECJPAKEKeyKP.zkp.r */
11645 point_len = tvb_get_uint8(tvb, offset);
11646 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,
11647 offset, 1, ENC_BIG_ENDIAN);
11648 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,
11649 offset + 1, point_len, ENC_NA);
11650 }
11651
11652 static void
11653 dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11654 proto_tree *tree, uint32_t offset,
11655 uint32_t length)
11656 {
11657 int epms_len;
11658 proto_tree *ssl_ecc_sm2_tree;
11659
11660 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11661 hf->ett.keyex_params, NULL,
11662 "ECC-SM2 Encrypted PreMaster Secret");
11663
11664 epms_len = tvb_get_ntohs(tvb, offset);
11665 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
11666 offset, 2, ENC_BIG_ENDIAN);
11667 offset += 2;
11668 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
11669 offset, epms_len, ENC_NA);
11670 }
11671 /* ClientKeyExchange algo-specific dissectors. }}} */
11672
11673
11674 /* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
11675 static uint32_t
11676 ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11677 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11678 uint16_t version, int hf_sig_len, int hf_sig)
11679 {
11680 uint32_t sig_len;
11681
11682 switch (version) {
11683 case TLSV1DOT2_VERSION:
11684 case DTLSV1DOT2_VERSION:
11685 case TLSV1DOT3_VERSION:
11686 case DTLSV1DOT3_VERSION:
11687 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL);
11688 offset += 2;
11689 break;
11690
11691 default:
11692 break;
11693 }
11694
11695 /* Sig */
11696 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
11697 hf_sig_len, 0, UINT16_MAX)) {
11698 return offset_end;
11699 }
11700 offset += 2;
11701 proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA);
11702 offset += sig_len;
11703 return offset;
11704 } /* }}} */
11705
11706 /* ServerKeyExchange algo-specific dissectors. {{{ */
11707
11708 /* dissects signed_params inside a ServerKeyExchange for some keyex algos */
11709 static void
11710 dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11711 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11712 uint16_t version)
11713 {
11714 /*
11715 * TLSv1.2 (RFC 5246 sec 7.4.8)
11716 * struct {
11717 * digitally-signed struct {
11718 * opaque handshake_messages[handshake_messages_length];
11719 * }
11720 * } CertificateVerify;
11721 *
11722 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
11723 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
11724 *
11725 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
11726 * does more hashing including the master secret and padding.
11727 */
11728 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
11729 hf->hf.hs_server_keyex_sig_len,
11730 hf->hf.hs_server_keyex_sig);
11731 }
11732
11733 static uint32_t
11734 dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
11735 {
11736 /*
11737 * RFC 4492 ECC cipher suites for TLS
11738 *
11739 * struct {
11740 * ECCurveType curve_type;
11741 * select (curve_type) {
11742 * case explicit_prime:
11743 * ...
11744 * case explicit_char2:
11745 * ...
11746 * case named_curve:
11747 * NamedCurve namedcurve;
11748 * };
11749 * } ECParameters;
11750 */
11751
11752 int curve_type;
11753
11754 /* ECParameters.curve_type */
11755 curve_type = tvb_get_uint8(tvb, offset);
11756 proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
11757 offset, 1, ENC_BIG_ENDIAN);
11758 offset++;
11759
11760 if (curve_type != 3)
11761 return offset_end; /* only named_curves are supported */
11762
11763 /* case curve_type == named_curve; ECParameters.namedcurve */
11764 proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
11765 offset, 2, ENC_BIG_ENDIAN);
11766 offset += 2;
11767
11768 return offset;
11769 }
11770
11771 static void
11772 dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11773 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11774 uint16_t version, bool anon)
11775 {
11776 /*
11777 * RFC 4492 ECC cipher suites for TLS
11778 *
11779 * struct {
11780 * opaque point <1..2^8-1>;
11781 * } ECPoint;
11782 *
11783 * struct {
11784 * ECParameters curve_params;
11785 * ECPoint public;
11786 * } ServerECDHParams;
11787 *
11788 * select (KeyExchangeAlgorithm) {
11789 * case ec_diffie_hellman:
11790 * ServerECDHParams params;
11791 * Signature signed_params;
11792 * } ServerKeyExchange;
11793 */
11794
11795 int point_len;
11796 proto_tree *ssl_ecdh_tree;
11797
11798 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11799 hf->ett.keyex_params, NULL, "EC Diffie-Hellman Server Params");
11800
11801 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);
11802 if (offset >= offset_end)
11803 return; /* only named_curves are supported */
11804
11805 /* ECPoint.point */
11806 point_len = tvb_get_uint8(tvb, offset);
11807 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
11808 offset, 1, ENC_BIG_ENDIAN);
11809 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
11810 offset + 1, point_len, ENC_NA);
11811 offset += 1 + point_len;
11812
11813 /* Signature (if non-anonymous KEX) */
11814 if (!anon) {
11815 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);
11816 }
11817 }
11818
11819 static void
11820 dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11821 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11822 uint16_t version, bool anon)
11823 {
11824 int p_len, g_len, ys_len;
11825 proto_tree *ssl_dh_tree;
11826
11827 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11828 hf->ett.keyex_params, NULL, "Diffie-Hellman Server Params");
11829
11830 /* p */
11831 p_len = tvb_get_ntohs(tvb, offset);
11832 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
11833 offset, 2, ENC_BIG_ENDIAN);
11834 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
11835 offset + 2, p_len, ENC_NA);
11836 offset += 2 + p_len;
11837
11838 /* g */
11839 g_len = tvb_get_ntohs(tvb, offset);
11840 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
11841 offset, 2, ENC_BIG_ENDIAN);
11842 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
11843 offset + 2, g_len, ENC_NA);
11844 offset += 2 + g_len;
11845
11846 /* Ys */
11847 ys_len = tvb_get_ntohs(tvb, offset);
11848 proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
11849 offset, 2, ys_len);
11850 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
11851 offset + 2, ys_len, ENC_NA);
11852 offset += 2 + ys_len;
11853
11854 /* Signature (if non-anonymous KEX) */
11855 if (!anon) {
11856 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
11857 }
11858 }
11859
11860 /* Only used in RSA-EXPORT cipher suites */
11861 static void
11862 dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11863 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11864 uint16_t version)
11865 {
11866 int modulus_len, exponent_len;
11867 proto_tree *ssl_rsa_tree;
11868
11869 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11870 hf->ett.keyex_params, NULL, "RSA-EXPORT Server Params");
11871
11872 /* modulus */
11873 modulus_len = tvb_get_ntohs(tvb, offset);
11874 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
11875 offset, 2, ENC_BIG_ENDIAN);
11876 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
11877 offset + 2, modulus_len, ENC_NA);
11878 offset += 2 + modulus_len;
11879
11880 /* exponent */
11881 exponent_len = tvb_get_ntohs(tvb, offset);
11882 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
11883 tvb, offset, 2, ENC_BIG_ENDIAN);
11884 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
11885 tvb, offset + 2, exponent_len, ENC_NA);
11886 offset += 2 + exponent_len;
11887
11888 /* Signature */
11889 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
11890 }
11891
11892 /* Used in RSA PSK and PSK cipher suites */
11893 static uint32_t
11894 dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11895 proto_tree *tree, uint32_t offset)
11896 {
11897 unsigned hint_len;
11898 proto_tree *ssl_psk_tree;
11899
11900 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
11901 hf->ett.keyex_params, NULL, "PSK Server Params");
11902
11903 /* hint */
11904 hint_len = tvb_get_ntohs(tvb, offset);
11905 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
11906 offset, 2, ENC_BIG_ENDIAN);
11907 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
11908 offset + 2, hint_len, ENC_NA);
11909
11910 proto_item_set_len(ssl_psk_tree, 2 + hint_len);
11911 return 2 + hint_len;
11912 }
11913
11914 /* Used in Diffie-Hellman PSK cipher suites */
11915 static void
11916 dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11917 proto_tree *tree, uint32_t offset, uint32_t offset_end)
11918 {
11919 /*
11920 * struct {
11921 * select (KeyExchangeAlgorithm) {
11922 * case diffie_hellman_psk:
11923 * opaque psk_identity_hint<0..2^16-1>;
11924 * ServerDHParams params;
11925 * };
11926 * } ServerKeyExchange;
11927 */
11928
11929 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
11930 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true);
11931 }
11932
11933 /* Used in EC Diffie-Hellman PSK cipher suites */
11934 static void
11935 dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11936 proto_tree *tree, uint32_t offset, uint32_t offset_end)
11937 {
11938 /*
11939 * struct {
11940 * select (KeyExchangeAlgorithm) {
11941 * case ec_diffie_hellman_psk:
11942 * opaque psk_identity_hint<0..2^16-1>;
11943 * ServerECDHParams params;
11944 * };
11945 * } ServerKeyExchange;
11946 */
11947
11948 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
11949 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true);
11950 }
11951
11952 /* Used in EC J-PAKE cipher suites */
11953 static void
11954 dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11955 proto_tree *tree, uint32_t offset, uint32_t offset_end)
11956 {
11957 /*
11958 * struct {
11959 * ECPoint V;
11960 * opaque r<1..2^8-1>;
11961 * } ECSchnorrZKP;
11962 *
11963 * struct {
11964 * ECPoint X;
11965 * ECSchnorrZKP zkp;
11966 * } ECJPAKEKeyKP;
11967 *
11968 * struct {
11969 * ECParameters curve_params;
11970 * ECJPAKEKeyKP ecjpake_key_kp;
11971 * } ServerECJPAKEParams;
11972 *
11973 * select (KeyExchangeAlgorithm) {
11974 * case ecjpake:
11975 * ServerECJPAKEParams params;
11976 * } ServerKeyExchange;
11977 */
11978
11979 int point_len;
11980 proto_tree *ssl_ecjpake_tree;
11981
11982 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11983 hf->ett.keyex_params, NULL,
11984 "EC J-PAKE Server Params");
11985
11986 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
11987 if (offset >= offset_end)
11988 return; /* only named_curves are supported */
11989
11990 /* ECJPAKEKeyKP.X */
11991 point_len = tvb_get_uint8(tvb, offset);
11992 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
11993 offset, 1, ENC_BIG_ENDIAN);
11994 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
11995 offset + 1, point_len, ENC_NA);
11996 offset += 1 + point_len;
11997
11998 /* ECJPAKEKeyKP.zkp.V */
11999 point_len = tvb_get_uint8(tvb, offset);
12000 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
12001 offset, 1, ENC_BIG_ENDIAN);
12002 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
12003 offset + 1, point_len, ENC_NA);
12004 offset += 1 + point_len;
12005
12006 /* ECJPAKEKeyKP.zkp.r */
12007 point_len = tvb_get_uint8(tvb, offset);
12008 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
12009 offset, 1, ENC_BIG_ENDIAN);
12010 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
12011 offset + 1, point_len, ENC_NA);
12012 }
12013
12014 /* Only used in ECC-SM2-EXPORT cipher suites */
12015 static void
12016 dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12017 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12018 uint16_t version)
12019 {
12020 proto_tree *ssl_ecc_sm2_tree;
12021
12022 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12023 hf->ett.keyex_params, NULL, "ECC-SM2-EXPORT Server Params");
12024
12025 /* Signature */
12026 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);
12027 }
12028 /* ServerKeyExchange algo-specific dissectors. }}} */
12029
12030 /* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12031 void
12032 ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12033 proto_tree *tree, uint32_t offset, uint32_t length,
12034 const SslSession *session)
12035 {
12036 switch (ssl_get_keyex_alg(session->cipher)) {
12037 case KEX_DH_ANON: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
12038 case KEX_DH_DSS:
12039 case KEX_DH_RSA:
12040 case KEX_DHE_DSS:
12041 case KEX_DHE_RSA:
12042 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
12043 break;
12044 case KEX_DHE_PSK: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
12045 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
12046 break;
12047 case KEX_ECDH_ANON: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
12048 case KEX_ECDH_ECDSA:
12049 case KEX_ECDH_RSA:
12050 case KEX_ECDHE_ECDSA:
12051 case KEX_ECDHE_RSA:
12052 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
12053 break;
12054 case KEX_ECDHE_PSK: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
12055 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
12056 break;
12057 case KEX_KRB5: /* RFC 2712; krb5: KerberosWrapper */
12058 /* XXX: implement support for KRB5 */
12059 proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
12060 tvb, offset, length,
12061 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
12062 " developers if you want them to be supported");
12063 break;
12064 case KEX_PSK: /* RFC 4279; psk: psk_identity */
12065 dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12066 break;
12067 case KEX_RSA: /* RFC 5246; rsa: EncryptedPreMasterSecret */
12068 dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
12069 break;
12070 case KEX_RSA_PSK: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
12071 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
12072 break;
12073 case KEX_SRP_SHA: /* RFC 5054; srp: ClientSRPPublic */
12074 case KEX_SRP_SHA_DSS:
12075 case KEX_SRP_SHA_RSA:
12076 /* XXX: implement support for SRP_SHA* */
12077 proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
12078 tvb, offset, length,
12079 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12080 " developers if you want them to be supported");
12081 break;
12082 case KEX_ECJPAKE: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12083 dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
12084 break;
12085 case KEX_ECC_SM2: /* GB/T 38636 */
12086 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
12087 break;
12088 default:
12089 proto_tree_add_expert(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
12090 tvb, offset, length);
12091 break;
12092 }
12093 }
12094
12095 void
12096 ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12097 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12098 const SslSession *session)
12099 {
12100 switch (ssl_get_keyex_alg(session->cipher)) {
12101 case KEX_DH_ANON: /* RFC 5246; ServerDHParams */
12102 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true);
12103 break;
12104 case KEX_DH_DSS: /* RFC 5246; not allowed */
12105 case KEX_DH_RSA:
12106 proto_tree_add_expert(tree, NULL, &hf->ei.hs_srv_keyex_illegal,
12107 tvb, offset, offset_end - offset);
12108 break;
12109 case KEX_DHE_DSS: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
12110 case KEX_DHE_RSA:
12111 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false);
12112 break;
12113 case KEX_DHE_PSK: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
12114 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
12115 break;
12116 case KEX_ECDH_ANON: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
12117 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true);
12118 break;
12119 case KEX_ECDHE_PSK: /* RFC 5489; psk_identity_hint, ServerECDHParams */
12120 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
12121 break;
12122 case KEX_ECDH_ECDSA: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
12123 case KEX_ECDH_RSA:
12124 case KEX_ECDHE_ECDSA:
12125 case KEX_ECDHE_RSA:
12126 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false);
12127 break;
12128 case KEX_KRB5: /* RFC 2712; not allowed */
12129 proto_tree_add_expert(tree, NULL, &hf->ei.hs_srv_keyex_illegal,
12130 tvb, offset, offset_end - offset);
12131 break;
12132 case KEX_PSK: /* RFC 4279; psk, rsa: psk_identity */
12133 case KEX_RSA_PSK:
12134 dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12135 break;
12136 case KEX_RSA: /* only allowed if the public key in the server certificate is longer than 512 bits */
12137 dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12138 break;
12139 case KEX_ECC_SM2: /* GB/T 38636 */
12140 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12141 break;
12142 case KEX_SRP_SHA: /* RFC 5054; srp: ServerSRPParams, Signature */
12143 case KEX_SRP_SHA_DSS:
12144 case KEX_SRP_SHA_RSA:
12145 /* XXX: implement support for SRP_SHA* */
12146 proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
12147 tvb, offset, offset_end - offset,
12148 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12149 " developers if you want them to be supported");
12150 break;
12151 case KEX_ECJPAKE: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12152 dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
12153 break;
12154 default:
12155 proto_tree_add_expert(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
12156 tvb, offset, offset_end - offset);
12157 break;
12158 }
12159 }
12160 /* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
12161
12162 void
12163 tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12164 proto_tree *tree, uint32_t offset)
12165 {
12166 /* RFC 8446 Section 4.6.3
12167 * enum {
12168 * update_not_requested(0), update_requested(1), (255)
12169 * } KeyUpdateRequest;
12170 *
12171 * struct {
12172 * KeyUpdateRequest request_update;
12173 * } KeyUpdate;
12174 */
12175 proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA);
12176 }
12177
12178 void
12179 ssl_common_register_ssl_alpn_dissector_table(const char *name,
12180 const char *ui_name, const int proto)
12181 {
12182 ssl_alpn_dissector_table = register_dissector_table(name, ui_name,
12183 proto, FT_STRING, STRING_CASE_SENSITIVE);
12184 register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");
12185 }
12186
12187 void
12188 ssl_common_register_dtls_alpn_dissector_table(const char *name,
12189 const char *ui_name, const int proto)
12190 {
12191 dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
12192 proto, FT_STRING, STRING_CASE_SENSITIVE);
12193 register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
12194 }
12195
12196 void
12197 ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool is_dtls)
12198 {
12199 prefs_register_string_preference(module, "psk", "Pre-Shared Key",
12200 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
12201 &(options->psk));
12202
12203 if (is_dtls) {
12204 prefs_register_obsolete_preference(module, "keylog_file");
12205 prefs_register_static_text_preference(module, "keylog_file_removed",
12206 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
12207 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
12208 return;
12209 }
12210
12211 prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
12212 "The name of a file which contains a list of \n"
12213 "(pre-)master secrets in one of the following formats:\n"
12214 "\n"
12215 "RSA <EPMS> <PMS>\n"
12216 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
12217 "CLIENT_RANDOM <CRAND> <MS>\n"
12218 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
12219 "\n"
12220 "Where:\n"
12221 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
12222 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
12223 "<SSLID> = The SSL Session ID\n"
12224 "<MS> = The Master-Secret (MS)\n"
12225 "<CRAND> = The Client's random number from the ClientHello message\n"
12226 "\n"
12227 "(All fields are in hex notation)",
12228 &(options->keylog_filename), false);
12229 }
12230
12231 void
12232 ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length)
12233 {
12234 if (ssl_session && ssl_session->session.version != TLSV1DOT3_VERSION && !(ssl_session->state & SSL_MASTER_SECRET)) {
12235 uint32_t old_length = ssl_session->handshake_data.data_len;
12236 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
12237 if (tvb) {
12238 if (tvb_bytes_exist(tvb, offset, length)) {
12239 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12240 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
12241 ssl_session->handshake_data.data_len += length;
12242 }
12243 } else {
12244 /* DTLS calculates the hash as if each handshake message had been
12245 * sent as a single fragment (RFC 6347, section 4.2.6) and passes
12246 * in a null tvbuff to add 3 bytes for a zero fragment offset.
12247 */
12248 DISSECTOR_ASSERT_CMPINT(length, <, 4);
12249 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12250 memset(ssl_session->handshake_data.data + old_length, 0, length);
12251 ssl_session->handshake_data.data_len += length;
12252 }
12253 }
12254 }
12255
12256
12257 /*
12258 * Editor modelines - https://www.wireshark.org/tools/modelines.html
12259 *
12260 * Local variables:
12261 * c-basic-offset: 4
12262 * tab-width: 8
12263 * indent-tabs-mode: nil
12264 * End:
12265 *
12266 * vi: set shiftwidth=4 tabstop=8 expandtab:
12267 * :indentSize=4:tabSize=8:noTabs=true:
12268 */
Metzes wireshark repo