| blob | 43d8140a9bb8c81282554141e6ba391961b73455 |
1 /* packet-dtls.c
2 * Routines for dtls dissection
3 * Copyright (c) 2006, Authesserre Samuel <sauthess@gmail.com>
4 * Copyright (c) 2007, Mikael Magnusson <mikma@users.sourceforge.net>
5 * Copyright (c) 2013, Hauke Mehrtens <hauke@hauke-m.de>
6 *
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
10 *
11 * SPDX-License-Identifier: GPL-2.0-or-later
12 *
13 *
14 * DTLS dissection and decryption.
15 * See RFC 4347 for details about DTLS specs.
16 *
17 * Notes :
18 * This dissector is based on the TLS dissector (packet-tls.c); Because of the similarity
19 * of DTLS and TLS, decryption works like TLS with RSA key exchange.
20 * This dissector uses the sames things (file, libraries) as the TLS dissector (gnutls, packet-tls-utils.h)
21 * to make it easily maintainable.
22 *
23 * It was developed to dissect and decrypt the OpenSSL v 0.9.8f DTLS implementation.
24 * It is limited to this implementation; there is no complete implementation.
25 *
26 * Implemented :
27 * - DTLS dissection
28 * - DTLS decryption (openssl one)
29 *
30 * Todo :
31 * - activate correct Mac calculation when openssl will be corrected
32 * (or if an other implementation works),
33 * corrected code is ready and commented in packet-tls-utils.h file.
34 * - add missing things (desegmentation, reordering... that aren't present in actual OpenSSL implementation)
35 */
39 #include <epan/packet.h>
40 #include <epan/to_str.h>
41 #include <epan/asn1.h>
42 #include <epan/tap.h>
43 #include <epan/reassemble.h>
44 #include <epan/uat.h>
45 #include <epan/sctpppids.h>
46 #include <epan/exported_pdu.h>
47 #include <epan/decode_as.h>
48 #include <epan/proto_data.h>
50 #include <epan/tfs.h>
51 #include <wsutil/str_util.h>
52 #include <wsutil/strtoi.h>
53 #include <wsutil/utf8_entities.h>
54 #include <wsutil/rsa.h>
55 #include <wsutil/pint.h>
63 #ifdef HAVE_LIBGNUTLS
64 /* DTLS User Access Table */
67 #endif
69 /* we need to remember the top tree so that subdissectors we call are created
70 * at the root and not deep down inside the DTLS decode
71 */
74 /*********************************************************************
75 *
76 * Protocol Constants, Variables, Data Structures
77 *
78 *********************************************************************/
80 /* https://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml */
82 #define SRTP_PROFILE_RESERVED 0x0000
83 #define SRTP_AES128_CM_HMAC_SHA1_80 0x0001
84 #define SRTP_AES128_CM_HMAC_SHA1_32 0x0002
85 #define SRTP_NULL_HMAC_SHA1_80 0x0005
86 #define SRTP_NULL_HMAC_SHA1_32 0x0006
87 #define SRTP_AEAD_AES_128_GCM 0x0007
88 #define SRTP_AEAD_AES_256_GCM 0x0008
90 #define DTLS13_FIXED_MASK 0xE0
91 #define DTLS13_C_BIT_MASK 0x10
92 #define DTLS13_S_BIT_MASK 0x08
93 #define DTLS13_L_BIT_MASK 0x04
94 #define DTLS13_HDR_EPOCH_BIT_MASK 0x3
104 };
108 "8 bits"
109 };
111 /* Initialize the protocol and registered fields */
171 /* header fields used in ssl-utils, but defined here. */
174 /* Initialize the subtree pointers */
196 #if 0
198 #endif
200 #ifdef HAVE_LIBGNUTLS
205 #endif
222 /* Fragment subtrees */
225 /* Fragment fields */
234 /* Reassembled in field */
236 /* Reassembled length field */
238 /* Reassembled data field */
239 NULL,
240 /* Tag */
241 "Message fragments"
242 };
246 /* initialize/reset per capture state data (dtls sessions cache) */
247 static void
249 {
256 /* We should have loaded "keys_list" by now. Mark it obsolete */
261 }
262 }
265 }
267 static void
269 {
272 #ifdef HAVE_LIBGNUTLS
276 }
277 #endif
280 }
282 #ifdef HAVE_LIBGNUTLS
283 /* parse dtls related preferences (private keys and ports association strings) */
284 static void
286 {
288 dissector_handle_t handle;
291 {
293 }
295 /* remove only associations created from key list */
302 }
303 }
305 /* parse private keys string, load available keys and put them in key hash*/
311 {
316 {
321 }
322 }
326 }
328 static void
330 {
333 }
335 static void
337 {
342 /* Import old-style keys */
356 }
358 }
360 }
362 }
363 }
366 /*
367 * DTLS Dissection Routines
368 *
369 */
371 /* record layer dissectors */
383 /* alert message dissector */
388 /* handshake protocol dissector */
395 /* heartbeat message dissector */
401 /* acknowledgement message dissector */
402 static void dissect_dtls_ack(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, uint32_t offset, uint32_t record_length);
408 /*
409 * Support Functions
410 *
411 */
415 /*********************************************************************
416 *
417 * Main dissector
418 *
419 *********************************************************************/
420 /*
421 * Code to actually dissect the packets
422 */
423 static int
425 {
442 /* Track the version using conversations allows
443 * us to more frequently set the protocol column properly
444 * for continuation data frames.
445 *
446 * Also: We use the copy in conv_version as our cached copy,
447 * so that we don't have to search the conversation
448 * table every time we want the version; when setting
449 * the conv_version, must set the copy in the conversation
450 * in addition to conv_version
451 */
456 /* try to get decrypt session from the connection ID only for the first pass,
457 * it should be available from the conversation in the second pass
458 */
460 // CID length is not embedded in the packet
464 // update conversation
467 ssl_session);
468 }
469 }
471 /* if session cannot be retrieved from connection ID, get or create it from conversation */
474 }
480 /* This conversation started at a different protocol and STARTTLS was
481 * used, but this packet comes too early.
482 * XXX - Does anything use STARTTLS with DTLS? Would we get here anyway,
483 * since we don't call conversation_set_dissector[_from_frame_number] for
484 * DTLS? Regardless, dissect_dtls_heur should check for this 0 and return
485 * false.
486 */
488 }
490 ssl_debug_printf("\ndissect_dtls enter frame #%u (%s)\n", pinfo->num, pinfo->fd->visited ? "already visited" : "first time");
493 /* try decryption only the first time we see this packet
494 * (to keep cipher synchronized) */
498 /* Initialize the protocol column; we'll set it later when we
499 * figure out what flavor of DTLS it is */
502 /* clear the info column */
505 /* Create display subtree for SSL as a whole */
509 /* iterate through the records in this tvbuff */
511 {
512 /* first try to dispatch off the cached version
513 * known to be associated with the conversation
514 *
515 * In fact, all versions of DTLS have the same dissector. Note as
516 * we don't set DTLS as the conversation dissector, either
517 * looks_like_dtls() passed in dissect_dtls_heur(), or this has
518 * been set to DTLS explicitly via the port or some other method,
519 * so we already think this is DTLS. We don't expect Continuation
520 * Data over UDP datagrams (unlike TCP segments), but we'll check
521 * the content type in dissect_dtls_record and mark as Continuation
522 * Data if an unknown type, so the only thing calling looks_like_dtls()
523 * here would do is additionally verify the legacy_record_version -
524 * which MUST be ignored for all purposes per RFC 9147.
525 */
536 }
537 }
539 // XXX there is no Follow DTLS Stream, is this tap needed?
542 }
545 {
553 }
559 }
560 }
563 }
565 static bool
568 {
569 /* Stronger confirmation of DTLS packet is provided by verifying the
570 * captured payload length against the remainder of the UDP packet size. */
578 /* The entire payload was captured. */
580 /* Advance offset to the end of the current DTLS record */
585 /* With the DTLS 1.3 Unified Header, the legacy_record_version
586 * field is encrypted, so our heuristics are weaker. Only accept
587 * the frame if we already have seen DTLS (with the correct CID,
588 * if the CID is included) on the connection.
589 * N.B. - We don't call conversation_set_dissector_from_frame_number
590 * like in packet-tls.c because DTLS is commonly multiplexed with
591 * SRTP/SRTCP/STUN/TURN/ZRTP per RFC 7983. (And now QUIC, RFC 9443.)
592 */
594 /* CID length is not embedded in the packet */
600 /* No CID, just look for a session on this conversation. Don't
601 * call ssl_get_session here, as we don't want to allocate a new
602 * session. */
606 }
609 }
615 /* Length not present, so the heuristic is weaker. */
617 }
621 /* CID length is not embedded in the packet */
626 }
629 }
634 }
635 }
640 }
642 }
644 /* This packet was truncated by the capture process due to a snapshot
645 * length - do our best with what we've got. */
654 /* Dissect what we've got, which might be as little as 3 bytes. */
657 }
659 /* Can this ever happen? Well, just in case ... */
662 }
663 }
665 /* One last check to see if the current offset is at least less than the
666 * original number of bytes present before truncation or we're dealing with
667 * a packet fragment that's also been truncated. */
671 }
673 }
675 static bool
677 {
703 }
704 }
706 static void
707 dtls_save_decrypted_record(packet_info *pinfo, int record_id, uint8_t content_type, uint8_t curr_layer_num_ssl, bool inner_content_type)
708 {
714 }
717 /*
718 * The actual data is followed by the content type and then zero or
719 * more padding. Scan backwards for content type, skipping padding.
720 */
722 datalen--;
723 }
724 ssl_debug_printf("%s found %d padding bytes\n", G_STRFUNC, dtls_decrypted_data_avail - datalen);
728 }
732 }
733 }
735 ssl_add_record_info(proto_dtls, pinfo, data, datalen, record_id, NULL, (ContentType)content_type, curr_layer_num_ssl);
736 }
738 static bool
740 uint8_t content_type, uint16_t record_version, uint16_t record_length, uint8_t curr_layer_num_ssl,
742 {
746 /* if we can decrypt and decryption have success
747 * add decrypted data to this packet info */
748 if (!ssl || ((ssl->session.version != DTLSV1DOT3_VERSION) && !(ssl->state & SSL_HAVE_SESSION_KEY))) {
751 }
755 /* retrieve decoder for this packet direction */
759 }
763 }
768 }
770 /* ensure we have enough storage space for decrypted data */
772 {
779 }
781 /* run decryption and add decrypted payload to protocol data, if decryption
782 * is successful*/
788 }
792 }
794 /* Non-encrypting cipher NULL-XXX */
800 }
803 dtls_save_decrypted_record(pinfo, tvb_raw_offset(tvb)+offset, content_type, curr_layer_num_ssl, ssl->session.version == DTLSV1DOT3_VERSION);
804 }
806 }
808 static void
810 {
818 }
821 /*********************************************************************
822 *
823 * DTLS Dissection Routines
824 *
825 *********************************************************************/
827 static void
832 {
835 /* show on info column what we are decoding */
838 /* app_handle discovery is done here instead of dissect_dtls_payload()
839 * because the protocol name needs to be displayed below. */
841 /* Unknown protocol handle, ssl_starttls_ack was not called before.
842 * Try to find an appropriate dissection handle and cache it. */
843 dissector_handle_t handle;
847 }
853 session->app_handle
861 ti = proto_tree_add_string(dtls_record_tree, hf_dtls_record_appdata_proto, tvb, 0, 0, dissector_handle_get_protocol_long_name(session->app_handle));
863 }
865 /* show decrypted data info, if available */
869 /* try to dissect decrypted data*/
877 }
879 /* find out a dissector using server port*/
889 }
892 }
894 /* try heuristic subdissectors */
895 dissected = dissector_try_heuristic(heur_subdissector_list, decrypted, pinfo, top_tree, &hdtbl_entry, NULL);
898 }
899 }
901 /* fallback to data dissector */
904 }
905 }
906 /* Dissect a DTLS record from version 1.2 and below */
907 static int
913 {
915 /*
916 * struct {
917 * uint8 major, minor;
918 * } ProtocolVersion;
919 *
920 *
921 * enum {
922 * change_cipher_spec(20), alert(21), handshake(22),
923 * application_data(23), (255)
924 * } ContentType;
925 *
926 * struct {
927 * ContentType type;
928 * ProtocolVersion version;
929 * uint16 epoch; // New field
930 * uint48 sequence_number; // New field
931 * uint16 length;
932 * opaque fragment[TLSPlaintext.length];
933 * } DTLSPlaintext;
934 *
935 *
936 * draft-ietf-tls-dtls-connection-id-07:
937 *
938 * struct {
939 * ContentType special_type = tls12_cid;
940 * ProtocolVersion version;
941 * uint16 epoch;
942 * uint48 sequence_number;
943 * opaque cid[cid_length]; // New field
944 * uint16 length;
945 * opaque enc_content[DTLSCiphertext.length];
946 * } DTLSCiphertext;
947 *
948 */
966 /* Connection ID length to use if any */
969 /*
970 * Get the record layer fields of interest
971 */
974 /* RFC 9147 s4.1: this is a DTLS 1.3 Unified Header record */
977 }
989 }
993 /* if we don't have a valid content_type, there's no sense
994 * continuing any further
995 */
998 /* If GUI, show unrecognized data in tree */
1004 content_type);
1007 }
1014 }
1019 }
1020 }
1021 }
1023 /*
1024 * If GUI, fill in record layer part of tree
1025 */
1027 /* add the record layer subtree header */
1032 /* show the one-byte content type */
1039 }
1041 offset++;
1043 /* add the version */
1048 /* show epoch */
1052 /* add sequence_number */
1053 proto_tree_add_uint64(dtls_record_tree, hf_dtls_record_sequence_number, tvb, offset, 6, sequence_number);
1057 /* add connection ID */
1058 proto_tree_add_item(dtls_record_tree, hf_dtls_record_connection_id, tvb, offset, cid_length, ENC_NA);
1060 }
1062 /* add the length */
1067 /*
1068 * if we don't already have a version set for this conversation,
1069 * but this message's version is authoritative (i.e., it's
1070 * not client_hello), then save the version to the conversation
1071 * structure and print the column version.
1072 */
1076 /*
1077 * if the version in the header is DTLS 1.2, this may actually be
1078 * a DTLS 1.3 handshake; this must be determined from any
1079 * supported_versions extension in the hello messages. We'll check
1080 * this later in dissect_dtls_handshake, but try to get the column
1081 * correct here on the first pass if we can.
1082 */
1083 if (next_byte == SSL_HND_SERVER_HELLO && record_length > 12 && tvb_bytes_exist(tvb, offset, 12)) {
1087 /* Only look at the first fragment. */
1089 }
1090 }
1091 }
1093 }
1097 /*
1098 * now dissect the next layer
1099 */
1100 ssl_debug_printf("dissect_dtls_record: content_type %d epoch %d seq %"PRIu64"\n", content_type, epoch, sequence_number);
1102 /* try to decrypt record on the first pass, if possible. Store decrypted
1103 * record for later usage (without having to decrypt again).
1104 * DTLSv1.3 records are decrypted from dissect_dtls13_record */
1106 decrypt_dtls_record(tvb, pinfo, offset, ssl, content_type, version, record_length, curr_layer_num_ssl, cid, cid_length);
1107 }
1108 decrypted = ssl_get_record_info(tvb, proto_dtls, pinfo, tvb_raw_offset(tvb)+offset, curr_layer_num_ssl, &record);
1117 }
1118 }
1119 ssl_check_record_length(&dissect_dtls_hf, pinfo, (ContentType)content_type, record_length, length_pi, session->version, decrypted);
1121 /* extract the real record from the connection ID record */
1126 /* if content cannot be deciphered or the content is invalid */
1133 }
1134 }
1145 }
1146 /* Heuristic: any later ChangeCipherSpec is not a resumption of this
1147 * session. Set the flag after ssl_finalize_decryption such that it has
1148 * a chance to use resume using Session Tickets. */
1153 {
1154 /* try to retrieve and use decrypted alert record, if any. */
1157 session);
1160 session);
1161 }
1163 }
1165 {
1166 /* try to retrieve and use decrypted handshake record, if any. */
1174 content_type);
1175 }
1177 }
1183 /* try to retrieve and use decrypted alert record, if any. */
1190 }
1201 }
1202 }
1206 }
1209 /* setup cryptographic keys based on dtls13_current_epoch */
1210 static int
1212 {
1214 TLSRecordType secret_type;
1220 }
1225 else
1231 /* The DTLS dissector does not support decrypting packets from epoch < N once
1232 * it decrypted a packet from epoch N. In order to do that, the dissector
1233 * needs to maintain the expected next sequence number per epoch. The added
1234 * complexity makes it not worthwhile. */
1238 }
1240 /* double check that we increment the epoch by one after hs */
1248 }
1251 {
1267 }
1273 }
1276 }
1279 /**
1280 * Reconstructs sequence numbers in DTLS 1.3.
1281 *
1282 * This function takes the expected sequence number, the low bits of the sequence number,
1283 * and a mask as input. It finds the closest number to the expected sequence number that
1284 * has the lower bits equal to @seq_low_bits.
1285 * @param expected_seq_number The expected sequence number.
1286 * @param seq_low_bits The low bits of the sequence number (encrypted).
1287 * @param len The length of @enc_seq_low_bits.
1288 * @param dec_mask The decryption mask for @enc_seq_low_bits.
1289 * @return The reconstructed dequeued sequence number.
1290 */
1291 static uint64_t dtls13_reconstruct_seq_number(uint64_t expected_seq_number, uint16_t seq_low_bits,
1293 {
1298 /* we just need 1 or 2 bytes of the xor mask */
1301 }
1310 }
1319 }
1324 }
1326 #define DTLS13_RECORD_NUMBER_MASK_SZ 16
1327 static int dtls13_get_record_number_xor_mask(SslDecoder *dec, const uint8_t *ciphertext, uint8_t *mask)
1328 {
1335 }
1339 }
1346 }
1348 }
1354 }
1356 if (gcry_cipher_encrypt(dec->sn_evp, mask, DTLS13_RECORD_NUMBER_MASK_SZ, mask, DTLS13_RECORD_NUMBER_MASK_SZ) != 0) {
1359 }
1361 }
1365 }
1367 static bool dtls13_create_aad(tvbuff_t *tvb, SslDecryptSession *ssl, bool is_from_server, uint8_t hdr_flags, uint32_t hdr_off, uint32_t hdr_size,
1369 {
1378 }
1392 /* total - 1 byte for hdr flag, 1 or 2 byte for seq suffix, 0 or 2 bytes for len */
1398 }
1404 }
1407 }
1410 }
1412 static bool dtls13_decrypt_unified_record(tvbuff_t *tvb, packet_info *pinfo, uint32_t hdr_off, uint32_t hdr_size,
1416 {
1426 }
1431 }
1433 if (dtls13_get_record_number_xor_mask(dec, tvb_get_ptr(tvb, hdr_off + hdr_size, DTLS13_RECORD_NUMBER_MASK_SZ), mask) != 0) {
1436 }
1438 sequence_number = dtls13_reconstruct_seq_number(ssl->session.dtls13_next_seq_num[is_from_server], seq_suffix, seq_length, mask);
1440 /* setup parameter for decryption of this packet */
1441 if (!dtls13_create_aad(tvb, ssl, is_from_server, hdr_flags, hdr_off, hdr_size, sequence_number, dtls_record_length)) {
1444 }
1446 /* CID is already included in dtls13_add, there is no need to add it here */
1447 success = decrypt_dtls_record(tvb, pinfo, hdr_off + hdr_size, ssl, 0, ssl->session.version, dtls_record_length, curr_layer_num_ssl, NULL, 0);
1450 }
1453 }
1455 /**
1456 * Try to guess the early data cipher using trial decryption. based on decrypt_tls13_early_data.
1457 * Requires Libgcrypt 1.6 or newer for verifying that decryption is successful.
1458 */
1459 static bool
1460 dtls13_decrypt_early_data(tvbuff_t *tvb, packet_info *pinfo, uint32_t hdr_off, uint32_t hdr_size, uint8_t hdr_flags,
1463 {
1472 };
1484 }
1493 /* Unable to create cipher (old Libgcrypt) */
1495 }
1497 success = dtls13_decrypt_unified_record(tvb, pinfo, hdr_off, hdr_size, hdr_flags, false, ssl, record_length, curr_layer_num_ssl, seq_suffix, seq_length);
1499 /* update epoch number to decrypt other 0RTT packets */
1503 }
1504 }
1507 }
1509 }
1511 static bool dtls13_setup_keys(uint8_t hdr_flags, bool is_from_server, SslDecryptSession *ssl, uint32_t dtls_record_length,
1513 {
1521 /* DTLSv1.3 minimum payload is 16 bytes */
1525 }
1527 /* determine the epoch */
1531 /* No KeyUpdate seen, we are still in the handshake (epoch 1 or 2) or using traffic_secret_0 (epoch 3) */
1535 }
1538 /* try to decrypt with the last epoch with the same low bits */
1542 }
1545 }
1550 }
1552 /* early data */
1557 }
1559 ssl_debug_printf("%s: early data received but not advertised in CH extensions, abort decryption\n", G_STRFUNC);
1561 }
1562 /* first early data packet, need to go into trial decryption */
1567 }
1568 }
1573 }
1576 }
1578 /* Dissect a DTLS record from version 1.3 */
1579 static int
1585 {
1586 /*
1587 * struct {
1588 * ContentType type;
1589 * ProtocolVersion legacy_record_version;
1590 * uint16 epoch = 0
1591 * uint48 sequence_number;
1592 * uint16 length;
1593 * opaque fragment[DTLSPlaintext.length];
1594 * } DTLSPlaintext;
1595 *
1596 * struct {
1597 * opaque content[DTLSPlaintext.length];
1598 * ContentType type;
1599 * uint8 zeros[length_of_padding];
1600 * } DTLSInnerPlaintext;
1601 *
1602 * struct {
1603 * opaque unified_hdr[variable];
1604 * opaque encrypted_record[length];
1605 * } DTLSCiphertext;
1606 *
1607 * unified_hdr:
1608 * 0 1 2 3 4 5 6 7
1609 * +-+-+-+-+-+-+-+-+
1610 * |0|0|1|C|S|L|E E|
1611 * +-+-+-+-+-+-+-+-+
1612 * | Connection ID | Legend:
1613 * | (if any, |
1614 * / length as / C - Connection ID (CID) present
1615 * | negotiated) | S - Sequence number length
1616 * +-+-+-+-+-+-+-+-+ L - Length present
1617 * | 8 or 16 bit | E - Epoch
1618 * |Sequence Number|
1619 * +-+-+-+-+-+-+-+-+
1620 * | 16 bit Length |
1621 * | (if present) |
1622 * +-+-+-+-+-+-+-+-+
1623 */
1631 NULL
1632 };
1661 /* Connection ID length to use if any */
1664 }
1667 /* Lowest 16 bits of the sequence number */
1670 }
1672 /* Lowest 8 bits of the sequence number */
1675 }
1676 /* Note: seq_suffix is encrypted if the payload is encrypted,
1677 * as per RFC 9147 section 4.2.3. To get the real sequence number,
1678 * we need to decrypt, and *then* use the result to find the sequence
1679 * number closest to one plus the last sequence number.
1680 */
1686 }
1689 }
1691 /*
1692 * If GUI, fill in record layer part of tree
1693 */
1708 proto_tree_add_item(dtls_record_tree, hf_dtls_record_connection_id, tvb, offset, cid_length, ENC_NA);
1710 }
1712 proto_tree_add_uint(dtls_record_tree, hf_dtls_record_sequence_suffix, tvb, offset, seq_length, seq_suffix);
1719 }
1724 }
1727 success = dtls13_setup_keys(hdr_flags, is_from_server, ssl, dtls_record_length, &is_first_early_data);
1730 /* try to decrypt early data */
1731 dtls13_decrypt_early_data(tvb, pinfo, hdr_start, hdr_offset - hdr_start, hdr_flags, dtls_record_length, ssl, curr_layer_num_ssl, seq_suffix, seq_length);
1733 dtls13_decrypt_unified_record(tvb, pinfo, hdr_start, hdr_offset - hdr_start, hdr_flags, is_from_server, ssl, dtls_record_length, curr_layer_num_ssl, seq_suffix, seq_length);
1734 }
1735 }
1736 }
1738 decrypted = ssl_get_record_info(tvb, proto_dtls, pinfo, tvb_raw_offset(tvb)+offset, curr_layer_num_ssl, &record);
1740 {
1741 /* on first pass add seq suffix decrypted info */
1744 // XXX - Should the cast depend on seq_length ?
1748 }
1749 }
1751 ti = proto_tree_add_uint(dtls_record_tree, hf_dtls_record_sequence_suffix_dec, tvb, hdr_start + 1 + cid_length,
1755 /* real content type*/
1757 {
1765 session);
1776 }
1784 }
1787 }
1789 /* dissects the alert message, filling in the tree */
1790 static void
1794 {
1795 /* struct {
1796 * AlertLevel level;
1797 * AlertDescription description;
1798 * } Alert;
1799 */
1811 /*
1812 * set the record layer label
1813 */
1815 /* first lookup the names for the alert level and description */
1822 /* now set the text in the record layer line */
1824 {
1828 }
1829 else
1830 {
1832 }
1835 {
1837 {
1847 }
1848 else
1849 {
1855 }
1856 }
1857 }
1859 static void
1861 {
1869 else
1875 /* be sure to increment from the current epoch just once, and to increment
1876 * again only after the new epoch was seen. This assures that the dissector
1877 * can always compute the next epoch, and avoid that duplicate packets wrongly
1878 * increment the max epoch multiple times. */
1881 }
1883 /* dissects the handshake protocol, filling the tree */
1884 static void
1890 {
1891 /* struct {
1892 * HandshakeType msg_type;
1893 * uint24 length;
1894 * uint16 message_seq; //new field
1895 * uint24 fragment_offset; //new field
1896 * uint24 fragment_length; //new field
1897 * select (HandshakeType) {
1898 * case hello_request: HelloRequest;
1899 * case client_hello: ClientHello;
1900 * case server_hello: ServerHello;
1901 * case hello_verify_request: HelloVerifyRequest; //new field
1902 * case certificate: Certificate;
1903 * case server_key_exchange: ServerKeyExchange;
1904 * case certificate_request: CertificateRequest;
1905 * case server_hello_done: ServerHelloDone;
1906 * case certificate_verify: CertificateVerify;
1907 * case client_key_exchange: ClientKeyExchange;
1908 * case finished: Finished;
1909 * } body;
1910 * } Handshake;
1911 */
1929 /* just as there can be multiple records per packet, there
1930 * can be multiple messages per record as long as they have
1931 * the same content type
1932 *
1933 * we really only care about this for handshake messages
1934 */
1936 /* set record_length to the max offset */
1940 {
1948 /* add a subtree for the handshake protocol */
1955 /* Check the fragment length in the handshake message. Assume it's an
1956 * encrypted handshake message if the message would pass
1957 * the record_length boundary. This is a workaround for the
1958 * situation where the first octet of the encrypted handshake
1959 * message is actually a known handshake message type.
1960 */
1964 }
1969 }
1970 }
1973 {
1974 /* only dissect / report messages if they're
1975 * either the first message in this record
1976 * or they're a valid message type
1977 */
1979 }
1981 /*
1982 * Update our info string
1983 */
1985 {
1987 }
1988 else
1989 {
1990 /* if we don't have a valid handshake type, just quit dissecting */
1993 }
1997 offset++;
2015 hf_dtls_handshake_fragment_length,
2017 fragment_length);
2023 {
2025 {
2027 }
2028 else
2029 {
2032 }
2033 }
2035 {
2036 /* Fragmented message, but no actual fragment... Note that if a
2037 * fragment was previously completed (reassembled_length == length),
2038 * it is already dissected. */
2041 }
2043 {
2046 /* Handle fragments of known message type, ignore others */
2048 {
2049 /* Fragmented handshake message */
2052 /* Don't pass the reassembly code data that doesn't exist */
2058 /*
2059 * Do we already have a length for this reassembly?
2060 */
2064 {
2065 /* No - set it to the length specified by this packet. */
2068 }
2069 else
2070 {
2071 /* Yes - if this packet specifies a different length,
2072 report an error. */
2074 {
2076 }
2077 }
2080 {
2081 /* Reassembled */
2084 frag_msg,
2088 }
2089 else
2090 {
2092 }
2095 }
2096 }
2099 {
2100 /* set the label text on the record layer expanding node */
2102 {
2107 }
2108 else
2109 {
2115 }
2118 {
2119 /* set the text label on the subtree node */
2122 }
2123 }
2126 {
2127 /* Skip fragmented messages not reassembled yet */
2129 }
2132 {
2134 }
2135 else
2136 {
2138 }
2141 /* Prepare for renegotiation by resetting the state. */
2143 }
2145 /*
2146 * Add handshake message (including type, length, etc.) to hash (for
2147 * Extended Master Secret). The computation must however happen as if
2148 * the message was sent in a single fragment (RFC 6347, section 4.2.6).
2149 *
2150 * Skip CertificateVerify since the handshake hash covers just
2151 * ClientHello up to and including ClientKeyExchange, but the keys are
2152 * actually retrieved in ChangeCipherSpec (which comes after that).
2153 */
2156 /* Unfragmented packet. */
2159 /*
2160 * Handshake message was fragmented over multiple messages, fake a
2161 * single fragment and add reassembled data.
2162 */
2163 /* msg_type (1), length (3), message_seq (2) */
2165 /* fragment_offset (3) equals to zero. */
2167 /* fragment_length (3) equals to length. */
2169 /* actual handshake data */
2171 }
2172 }
2174 /* now dissect the handshake message, if necessary */
2177 /* hello_request has no fields, so nothing to do! */
2182 /* ClientHello is first packet so set direction */
2184 }
2190 /* force DTLSv1.3 version if early data is seen */
2194 ssl_debug_printf("%s forcing version 0x%04X -> state 0x%02X\n", G_STRFUNC, DTLSV1DOT3_VERSION, ssl->state);
2195 }
2196 }
2208 /*
2209 * The initial ClientHello and HelloVerifyRequest are not included
2210 * in the calculation of the handshake_messages
2211 * (https://tools.ietf.org/html/rfc6347#page-18). This is also
2212 * important for correct calculation of Extended Master Secret.
2213 */
2215 ssl_debug_printf("%s erasing previous handshake_messages: %d\n", G_STRFUNC, ssl->handshake_data.data_len);
2219 }
2225 /* no need to load keylog file here as it only links a previous
2226 * master key with this Session Ticket */
2243 ssl_dissect_hnd_srv_keyex(&dissect_dtls_hf, sub_tvb, pinfo, ssl_hand_tree, 0, length, session);
2247 ssl_dissect_hnd_cert_req(&dissect_dtls_hf, sub_tvb, pinfo, ssl_hand_tree, 0, length, session, true);
2251 /* This is not an abbreviated handshake, it is certainly not resumed. */
2256 ssl_dissect_hnd_cli_cert_verify(&dissect_dtls_hf, sub_tvb, pinfo, ssl_hand_tree, 0, length, session->version);
2264 /* try to find master key from pre-master key */
2267 #ifdef HAVE_LIBGNUTLS
2268 dtls_key_hash,
2269 #endif
2272 }
2281 tls_dissect_hnd_certificate_status(&dissect_dtls_hf, sub_tvb, pinfo, ssl_hand_tree, 0, length);
2290 }
2298 ssl_dissect_hnd_encrypted_extensions(&dissect_dtls_hf, sub_tvb, pinfo, ssl_hand_tree, 0, length, session, ssl, 1);
2300 }
2301 }
2302 }
2304 /* dissects the heartbeat message, filling in the tree */
2305 static void
2310 {
2311 /* struct {
2312 * HeartbeatMessageType type;
2313 * uint16 payload_length;
2314 * opaque payload;
2315 * opaque padding;
2316 * } HeartbeatMessage;
2317 */
2330 /*
2331 * set the record layer label
2332 */
2334 /* first lookup the names for the message type and the payload length */
2341 /* now set the text in the record layer line */
2346 }
2353 type);
2363 /* Invalid heartbeat payload length, adjust to try decoding */
2368 }
2372 payload_length,
2378 padding_length,
2386 }
2387 }
2388 }
2390 /* dissects the acknowledgement message from RFC 9147 section 7 */
2391 static void
2395 {
2396 /*
2397 * section 4:
2398 * struct {
2399 * uint64 epoch;
2400 * uint64 sequence_number;
2401 * } RecordNumber;
2402 *
2403 * section 7:
2404 * struct {
2405 * RecordNumber record_numbers<0..2^16-1>;
2406 * } ACK;
2407 */
2421 /* record_numbers<2..2^16-2> */
2422 if (!ssl_add_vector(&dissect_dtls_hf, tvb, pinfo, dtls_ack_tree, offset, record_length, &record_number_length,
2425 }
2428 ti = proto_tree_add_none_format(dtls_ack_tree, hf_dtls_ack_record_numbers, tvb, offset, record_number_length,
2434 rn_tree = proto_tree_add_subtree(dtls_ack_tree, tvb, offset + i, 16, ett_dtls_ack_record_number, NULL, "");
2439 proto_item_set_text(rn_tree, "RecordNumber: epoch %" PRIu64 ", sequence number %" PRIu64, epoch, number);
2440 }
2441 }
2443 static int
2447 {
2448 /*
2449 * struct {
2450 * ProtocolVersion server_version;
2451 * opaque cookie<0..32>;
2452 * } HelloVerifyRequest;
2453 */
2457 /* show the client version */
2465 }
2466 offset++;
2469 {
2473 }
2476 }
2478 int
2482 {
2483 /* From https://tools.ietf.org/html/rfc5764#section-4.1.1
2484 *
2485 * uint8 SRTPProtectionProfile[2];
2486 *
2487 * struct {
2488 * SRTPProtectionProfiles SRTPProtectionProfiles;
2489 * opaque srtp_mki<0..255>;
2490 * } UseSRTPData;
2491 *
2492 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
2493 */
2499 /* XXX expert info, record too small */
2501 }
2503 /* SRTPProtectionProfiles list length */
2510 }
2512 /* The server, if sending the use_srtp extension, MUST return a
2513 * a single chosen profile that the client has offered.
2514 */
2518 }
2521 /* SRTPProtectionProfiles list items */
2528 }
2530 /* MKI */
2533 offset++;
2538 }
2540 /* We don't know which SRTP protection profile is chosen, unless only one
2541 * was provided.
2542 */
2580 }
2582 /* RFC 5764: It is RECOMMENDED that symmetric RTP be used with DTLS-SRTP.
2583 * RTP and RTCP traffic MAY be multiplexed on a single UDP port. (RFC 5761)
2584 *
2585 * XXX: This creates a new RTP conversation. What it _should_ do is update
2586 * a RTP conversation initiated by SDP in a previous frame with the
2587 * srtp_info. Assuming we got the SDP and decrypted it if over TLS, etc.
2588 * However, since we don't actually decrypt SRT[C]P yet, the information
2589 * carried in the SDP about payload and media types isn't that useful.
2590 * (Being able to have the stream refer back to both the DTLS-SRTP and
2591 * SDP setup frame might be useful, though.)
2592 */
2593 srtp_add_address(pinfo, PT_UDP, &pinfo->net_src, pinfo->srcport, pinfo->destport, "DTLS-SRTP", pinfo->num, RTP_MEDIA_AUDIO, NULL, srtp_info, NULL);
2594 srtp_add_address(pinfo, PT_UDP, &pinfo->net_dst, pinfo->destport, pinfo->srcport, "DTLS-SRTP", pinfo->num, RTP_MEDIA_AUDIO, NULL, srtp_info, NULL);
2595 }
2597 }
2599 /*********************************************************************
2600 *
2601 * Support Functions
2602 *
2603 *********************************************************************/
2605 /* this applies a heuristic to determine whether
2606 * or not the data beginning at offset looks like a
2607 * valid dtls record.
2608 */
2609 static int
2611 {
2612 /* have to have a valid content type followed by a valid
2613 * protocol version
2614 */
2618 /* see if the first byte is a valid content type */
2621 {
2624 }
2626 }
2628 /* now check to see if the version byte appears valid */
2632 {
2634 }
2637 }
2639 /* UAT */
2641 #if defined(HAVE_LIBGNUTLS)
2642 static void
2644 {
2652 }
2653 #endif
2655 #if 0
2656 static void
2658 {
2660 }
2661 #endif
2663 #if defined(HAVE_LIBGNUTLS)
2666 {
2677 }
2685 static bool
2686 dtlsdecrypt_uat_fld_protocol_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, char** err)
2687 {
2689 // This should be removed in favor of Decode As. Make it optional.
2692 }
2696 // ssl_find_appdata_dissector accepts any valid dissector name so
2697 // this path cannot happen
2698 *err = ws_strdup_printf("While '%s' is a valid dissector filter name, that dissector is not configured"
2700 "If you need to decrypt '%s' over DTLS, please contact the Wireshark development team.", p, p);
2702 // The GUI validates dissector names now so this path shouldn't
2703 // occur either. (Perhaps if the UAT is hand-edited it might?)
2705 *err = ws_strdup_printf("Could not find dissector for: '%s'\nCommonly used DTLS dissectors include:\n%s", p, ssl_str);
2707 }
2709 }
2713 }
2714 #endif
2716 static void
2718 {
2722 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_dtls, pinfo->curr_layer_num);
2727 }
2731 {
2734 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_dtls, pinfo->curr_layer_num);
2739 }
2741 static void
2743 {
2747 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_dtls, pinfo->curr_layer_num);
2751 snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "destination (%s%u)", UTF8_RIGHTWARDS_ARROW, destport);
2752 }
2756 {
2759 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_dtls, pinfo->curr_layer_num);
2764 }
2766 static void
2768 {
2773 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_dtls, pinfo->curr_layer_num);
2775 {
2778 }
2780 snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "both (%u%s%u)", srcport, UTF8_LEFT_RIGHT_ARROW, destport);
2781 }
2785 /*********************************************************************
2786 *
2787 * Standard Wireshark Protocol Registration and housekeeping
2788 *
2789 *********************************************************************/
2790 void
2792 {
2794 /* Setup list of header fields See Section 1.6.1 for details*/
2800 },
2805 },
2810 },
2815 },
2820 },
2825 },
2830 },
2835 },
2840 },
2845 },
2850 },
2855 },
2860 },
2865 },
2870 },
2875 },
2880 },
2885 },
2890 },
2895 },
2900 },
2905 },
2910 },
2915 },
2920 },
2925 },
2930 },
2934 },
2938 },
2942 },
2947 },
2952 },
2956 },
2960 },
2965 },
2969 },
2974 },
2979 },
2983 },
2987 },
2991 },
2995 },
2999 },
3003 },
3007 },
3011 },
3015 },
3019 },
3023 },
3027 },
3031 },
3035 },
3039 },
3042 };
3044 /* Setup protocol subtree array */
3059 };
3062 { &ei_dtls_handshake_fragment_length_zero, { "dtls.handshake.fragment_length.zero", PI_PROTOCOL, PI_WARN, "Zero-length fragment length for fragmented message", EXPFILL }},
3063 { &ei_dtls_handshake_fragment_length_too_long, { "dtls.handshake.fragment_length.too_long", PI_PROTOCOL, PI_ERROR, "Fragment length is larger than message length", EXPFILL }},
3064 { &ei_dtls_handshake_fragment_past_end_msg, { "dtls.handshake.fragment_past_end_msg", PI_PROTOCOL, PI_ERROR, "Fragment runs past the end of the message", EXPFILL }},
3065 { &ei_dtls_msg_len_diff_fragment, { "dtls.msg_len_diff_fragment", PI_PROTOCOL, PI_ERROR, "Message length differs from value in earlier fragment", EXPFILL }},
3066 { &ei_dtls_heartbeat_payload_length, { "dtls.heartbeat_message.payload_length.invalid", PI_MALFORMED, PI_ERROR, "Invalid heartbeat payload length", EXPFILL }},
3067 { &ei_dtls_cid_invalid_content_type, { "dtls.cid.content_type.invalid", PI_MALFORMED, PI_ERROR, "Invalid real content type", EXPFILL }},
3068 { &ei_dtls_use_srtp_profiles_length, { "dtls.use_srtp.protection_profiles_length.invalid", PI_PROTOCOL, PI_ERROR, "Invalid protection profiles length", EXPFILL }},
3069 #if 0
3070 { &ei_dtls_cid_invalid_enc_content, { "dtls.cid.enc_content.invalid", PI_MALFORMED, PI_ERROR, "Invalid encrypted content", EXPFILL }},
3071 #endif
3074 };
3079 static decode_as_value_t dtls_da_values[3] = {{dtls_src_prompt, 1, dtls_da_src_values}, {dtls_dst_prompt, 1, dtls_da_dst_values}, {dtls_both_prompt, 2, dtls_da_both_values}};
3085 /* Register the protocol name and description */
3089 dtls_associations = register_dissector_table("dtls.port", "DTLS Port", proto_dtls, FT_UINT16, BASE_DEC);
3093 proto_dtls);
3095 /* Required function calls to register the header fields and
3096 * subtrees used */
3102 {
3105 #ifdef HAVE_LIBGNUTLS
3107 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, ipaddr, "IP address", ssldecrypt_uat_fld_ip_chk_cb, "IPv4 or IPv6 address (unused)"),
3108 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, port, "Port", ssldecrypt_uat_fld_port_chk_cb, "Port Number (optional)"),
3109 UAT_FLD_DISSECTOR_OTHER(sslkeylist_uats, protocol, "Protocol", dtlsdecrypt_uat_fld_protocol_chk_cb, "Application Layer Protocol (optional)"),
3110 UAT_FLD_FILENAME_OTHER(sslkeylist_uats, keyfile, "Key File", ssldecrypt_uat_fld_fileopen_chk_cb, "Path to the keyfile."),
3111 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, password," Password (p12 file)", ssldecrypt_uat_fld_password_chk_cb, "Password"),
3112 UAT_END_FIELDS
3113 };
3123 dtlsdecrypt_copy_cb,
3125 dtlsdecrypt_free_cb,
3126 dtls_parse_uat,
3127 dtls_reset_uat,
3128 dtlskeylist_uats_flds);
3133 dtlsdecrypt_uat);
3136 "Semicolon-separated list of private RSA keys used for DTLS decryption. "
3142 "redirect dtls debug to file name; leave empty to disable debug, "
3146 prefs_register_uint_preference(dtls_module, "client_cid_length", "Client Connection ID length",
3150 prefs_register_uint_preference(dtls_module, "server_cid_length", "Server Connection ID length",
3155 }
3161 reassembly_table_register (&dtls_reassembly_table, &addresses_ports_reassembly_table_functions);
3168 heur_subdissector_list = register_heur_dissector_list_with_description("dtls", "DTLS payload fallback", proto_dtls);
3169 }
3172 /* If this dissector uses sub-dissector registration add a registration
3173 * routine. This format is required because a script is used to find
3174 * these routines and create the code that calls these routines.
3175 */
3176 void
3178 {
3181 #ifdef HAVE_LIBGNUTLS
3184 #endif
3187 heur_dissector_add("udp", dissect_dtls_heur, "DTLS over UDP", "dtls_udp", proto_dtls, HEURISTIC_ENABLE);
3188 heur_dissector_add("stun", dissect_dtls_heur, "DTLS over STUN", "dtls_stun", proto_dtls, HEURISTIC_DISABLE);
3189 heur_dissector_add("classicstun", dissect_dtls_heur, "DTLS over CLASSICSTUN", "dtls_classicstun", proto_dtls, HEURISTIC_DISABLE);
3196 }
3199 }
3201 void
3203 {
3205 }
3207 void
3209 {
3211 }
3213 /*
3214 * Editor modelines - https://www.wireshark.org/tools/modelines.html
3215 *
3216 * Local Variables:
3217 * c-basic-offset: 2
3218 * tab-width: 8
3219 * indent-tabs-mode: nil
3220 * End:
3221 *
3222 * ex: set shiftwidth=2 tabstop=8 expandtab:
3223 * :indentSize=2:tabSize=8:noTabs=true:
3224 */