2 * ssl manipulation functions
3 * By Paolo Abeni <paolo.abeni@email.com>
5 * Copyright (c) 2013, Hauke Mehrtens <hauke@hauke-m.de>
6 * Copyright (c) 2014, Peter Wu <peter@lekensteyn.nl>
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * SPDX-License-Identifier: GPL-2.0-or-later
17 #if defined(HAVE_ZLIB) && !defined(HAVE_ZLIBNG)
19 #define ZLIB_PREFIX(x) x
21 typedef z_stream zlib_stream
;
22 #endif /* HAVE_ZLIB */
25 #define ZLIB_PREFIX(x) zng_ ## x
27 typedef zng_stream zlib_stream
;
28 #endif /* HAVE_ZLIBNG */
33 #include <epan/packet.h>
34 #include <epan/strutil.h>
35 #include <epan/addr_resolv.h>
36 #include <epan/expert.h>
37 #include <epan/asn1.h>
38 #include <epan/proto_data.h>
39 #include <epan/oids.h>
40 #include <epan/secrets.h>
42 #include <wsutil/inet_cidr.h>
43 #include <wsutil/filesystem.h>
44 #include <wsutil/file_util.h>
45 #include <wsutil/str_util.h>
46 #include <wsutil/report_message.h>
47 #include <wsutil/pint.h>
48 #include <wsutil/strtoi.h>
49 #include <wsutil/wsgcrypt.h>
50 #include <wsutil/rsa.h>
51 #include <wsutil/ws_assert.h>
52 #include "packet-ber.h"
53 #include "packet-x509af.h"
54 #include "packet-x509if.h"
55 #include "packet-tls-utils.h"
56 #include "packet-ocsp.h"
57 #include "packet-tls.h"
58 #include "packet-dtls.h"
59 #include "packet-quic.h"
60 #if defined(HAVE_LIBGNUTLS)
61 #include <gnutls/abstract.h>
64 /* JA3/JA3S calculations must ignore GREASE values
65 * as described in RFC 8701.
67 #define IS_GREASE_TLS(x) ((((x) & 0x0f0f) == 0x0a0a) && \
68 (((x) & 0xff) == (((x)>>8) & 0xff)))
70 /* Section 22.3 of RFC 9000 (QUIC) reserves values of this
71 * form for a similar purpose as GREASE.
73 #define IS_GREASE_QUIC(x) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)
75 #define DTLS13_MAX_EPOCH 10
77 /* Lookup tables {{{ */
78 const value_string ssl_version_short_names
[] = {
79 { SSLV2_VERSION
, "SSLv2" },
80 { SSLV3_VERSION
, "SSLv3" },
81 { TLSV1_VERSION
, "TLSv1" },
82 { TLCPV1_VERSION
, "TLCP" },
83 { TLSV1DOT1_VERSION
, "TLSv1.1" },
84 { TLSV1DOT2_VERSION
, "TLSv1.2" },
85 { TLSV1DOT3_VERSION
, "TLSv1.3" },
86 { DTLSV1DOT0_VERSION
, "DTLSv1.0" },
87 { DTLSV1DOT2_VERSION
, "DTLSv1.2" },
88 { DTLSV1DOT3_VERSION
, "DTLSv1.3" },
89 { DTLSV1DOT0_OPENSSL_VERSION
, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
93 const value_string ssl_versions
[] = {
94 { SSLV2_VERSION
, "SSL 2.0" },
95 { SSLV3_VERSION
, "SSL 3.0" },
96 { TLSV1_VERSION
, "TLS 1.0" },
97 { TLCPV1_VERSION
, "TLCP" },
98 { TLSV1DOT1_VERSION
, "TLS 1.1" },
99 { TLSV1DOT2_VERSION
, "TLS 1.2" },
100 { TLSV1DOT3_VERSION
, "TLS 1.3" },
101 { 0x7F0E, "TLS 1.3 (draft 14)" },
102 { 0x7F0F, "TLS 1.3 (draft 15)" },
103 { 0x7F10, "TLS 1.3 (draft 16)" },
104 { 0x7F11, "TLS 1.3 (draft 17)" },
105 { 0x7F12, "TLS 1.3 (draft 18)" },
106 { 0x7F13, "TLS 1.3 (draft 19)" },
107 { 0x7F14, "TLS 1.3 (draft 20)" },
108 { 0x7F15, "TLS 1.3 (draft 21)" },
109 { 0x7F16, "TLS 1.3 (draft 22)" },
110 { 0x7F17, "TLS 1.3 (draft 23)" },
111 { 0x7F18, "TLS 1.3 (draft 24)" },
112 { 0x7F19, "TLS 1.3 (draft 25)" },
113 { 0x7F1A, "TLS 1.3 (draft 26)" },
114 { 0x7F1B, "TLS 1.3 (draft 27)" },
115 { 0x7F1C, "TLS 1.3 (draft 28)" },
116 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },
117 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },
118 { DTLSV1DOT0_OPENSSL_VERSION
, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
119 { DTLSV1DOT0_VERSION
, "DTLS 1.0" },
120 { DTLSV1DOT2_VERSION
, "DTLS 1.2" },
121 { DTLSV1DOT3_VERSION
, "DTLS 1.3" },
122 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
123 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
124 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
125 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
126 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
127 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
128 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
129 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
130 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
131 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
132 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */
133 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */
134 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */
135 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */
136 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */
137 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */
141 static const value_string ssl_version_ja4_names
[] = {
143 { SSLV2_VERSION
, "s2" },
144 { SSLV3_VERSION
, "s3" },
145 { TLSV1_VERSION
, "10" },
146 { TLSV1DOT1_VERSION
, "11" },
147 { TLSV1DOT2_VERSION
, "12" },
148 { TLSV1DOT3_VERSION
, "13" },
149 { DTLSV1DOT0_VERSION
, "d1" },
150 { DTLSV1DOT2_VERSION
, "d2" },
151 { DTLSV1DOT3_VERSION
, "d3" },
155 const value_string ssl_20_msg_types
[] = {
156 { SSL2_HND_ERROR
, "Error" },
157 { SSL2_HND_CLIENT_HELLO
, "Client Hello" },
158 { SSL2_HND_CLIENT_MASTER_KEY
, "Client Master Key" },
159 { SSL2_HND_CLIENT_FINISHED
, "Client Finished" },
160 { SSL2_HND_SERVER_HELLO
, "Server Hello" },
161 { SSL2_HND_SERVER_VERIFY
, "Server Verify" },
162 { SSL2_HND_SERVER_FINISHED
, "Server Finished" },
163 { SSL2_HND_REQUEST_CERTIFICATE
, "Request Certificate" },
164 { SSL2_HND_CLIENT_CERTIFICATE
, "Client Certificate" },
167 /* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
168 /* Note: sorted by ascending value so value_string-ext can do a binary search */
169 static const value_string ssl_20_cipher_suites
[] = {
170 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
171 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
172 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
173 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
174 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
175 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
176 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
177 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
178 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
179 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
180 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
181 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
182 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
183 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
184 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
185 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
186 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
187 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
188 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
189 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
190 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
191 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
192 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
193 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
194 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
195 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
196 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
197 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
198 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
199 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
201 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
204 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
205 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
206 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
207 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
208 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
209 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
210 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
211 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
212 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
213 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
214 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
215 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
216 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
217 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
219 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
220 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
221 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
223 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
224 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
225 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
226 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
227 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
228 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
229 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
230 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
231 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
232 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
233 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
234 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
235 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
236 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
237 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
238 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
239 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
240 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
241 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
242 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
243 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
244 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
245 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
246 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
247 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
248 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
249 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
250 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
251 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
252 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
253 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
254 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
255 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
256 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
257 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
258 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
259 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
260 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
261 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
262 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
263 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
264 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
265 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
266 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
267 /* 0x00,0x6E-83 Unassigned */
268 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
269 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
270 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
271 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
272 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
273 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
275 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
276 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
277 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
278 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
279 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
280 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
281 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
282 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
283 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
284 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
285 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
286 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
288 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
289 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
290 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
291 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
292 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
293 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
295 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
296 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
297 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
298 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
299 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
300 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
301 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
302 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
303 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
304 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
305 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
306 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
308 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
309 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
310 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
311 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
312 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
313 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
314 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
315 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
316 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
317 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
318 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
319 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
320 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
321 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
322 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
323 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
324 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
325 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
327 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
328 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
329 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
330 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
331 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
332 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
333 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
334 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
335 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
336 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
337 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
338 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
339 /* 0x00,0xC6-FE Unassigned */
340 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
341 /* 0x01-BF,* Unassigned */
343 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
344 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
345 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
346 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
347 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
348 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
349 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
350 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
351 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
352 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
353 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
354 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
355 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
356 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
357 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
358 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
359 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
360 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
361 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
362 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
363 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
364 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
365 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
366 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
367 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
369 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
370 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
371 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
372 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
373 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
374 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
375 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
376 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
377 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
379 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
380 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
381 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
382 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
383 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
384 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
385 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
386 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
387 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
388 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
389 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
390 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
391 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
392 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
393 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
394 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
396 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
397 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
398 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
399 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
400 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
401 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
402 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
403 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
404 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
405 /* 0xC0,0x3C-FF Unassigned
407 0xFE,0x00-FD Unassigned
408 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
409 0xFF,0x00-FF Reserved for Private Use [RFC5246]
412 /* old numbers used in the beginning
413 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
414 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
415 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
416 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
418 /* https://tools.ietf.org/html/rfc7905 */
419 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
420 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
421 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
422 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
423 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
424 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
425 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
428 { 0x00e001, "ECDHE_SM1_SM3"},
429 { 0x00e003, "ECC_SM1_SM3"},
430 { 0x00e005, "IBSDH_SM1_SM3"},
431 { 0x00e007, "IBC_SM1_SM3"},
432 { 0x00e009, "RSA_SM1_SM3"},
433 { 0x00e00a, "RSA_SM1_SHA1"},
434 { 0x00e011, "ECDHE_SM4_CBC_SM3"},
435 { 0x00e013, "ECC_SM4_CBC_SM3"},
436 { 0x00e015, "IBSDH_SM4_CBC_SM3"},
437 { 0x00e017, "IBC_SM4_CBC_SM3"},
438 { 0x00e019, "RSA_SM4_CBC_SM3"},
439 { 0x00e01a, "RSA_SM4_CBC_SHA1"},
440 { 0x00e01c, "RSA_SM4_CBC_SHA256"},
441 { 0x00e051, "ECDHE_SM4_GCM_SM3"},
442 { 0x00e053, "ECC_SM4_GCM_SM3"},
443 { 0x00e055, "IBSDH_SM4_GCM_SM3"},
444 { 0x00e057, "IBC_SM4_GCM_SM3"},
445 { 0x00e059, "RSA_SM4_GCM_SM3"},
446 { 0x00e05a, "RSA_SM4_GCM_SHA256"},
448 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
449 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
450 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
451 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
452 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
453 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
454 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
455 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
456 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
457 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
458 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
459 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
460 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
461 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
462 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
463 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
464 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
466 /* these from http://www.mozilla.org/projects/
467 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
468 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
469 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
470 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
471 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
472 /* note that ciphersuites of {0x00????} are TLS cipher suites in
473 * a sslv2 client hello message; the ???? above is the two-byte
474 * tls cipher suite id
477 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
478 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
479 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
480 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
481 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
482 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
483 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
484 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
489 value_string_ext ssl_20_cipher_suites_ext
= VALUE_STRING_EXT_INIT(ssl_20_cipher_suites
);
493 * Supported Groups (formerly named "EC Named Curve").
494 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
496 const value_string ssl_extension_curves
[] = {
522 { 26, "brainpoolP256r1" }, /* RFC 7027 */
523 { 27, "brainpoolP384r1" }, /* RFC 7027 */
524 { 28, "brainpoolP512r1" }, /* RFC 7027 */
525 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
526 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
527 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
528 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
529 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
530 { 34, "GC256A" }, /* RFC9189 */
531 { 35, "GC256B" }, /* RFC9189 */
532 { 36, "GC256C" }, /* RFC9189 */
533 { 37, "GC256D" }, /* RFC9189 */
534 { 38, "GC512A" }, /* RFC9189 */
535 { 39, "GC512B" }, /* RFC9189 */
536 { 40, "GC512C" }, /* RFC9189 */
537 { 41, "curveSM2" }, /* RFC 8998 */
538 { 256, "ffdhe2048" }, /* RFC 7919 */
539 { 257, "ffdhe3072" }, /* RFC 7919 */
540 { 258, "ffdhe4096" }, /* RFC 7919 */
541 { 259, "ffdhe6144" }, /* RFC 7919 */
542 { 260, "ffdhe8192" }, /* RFC 7919 */
543 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
544 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
545 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
546 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
547 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
548 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
549 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
550 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
552 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
553 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
556 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
557 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
558 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
559 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
560 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
561 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
562 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
563 { 0xFF01, "arbitrary_explicit_prime_curves" },
564 { 0xFF02, "arbitrary_explicit_char2_curves" },
565 /* Below are various unofficial values that have been used for testing. */
566 /* PQC key exchange algorithms from OQS-OpenSSL,
567 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
568 These use IANA unassigned values and this list may be incomplete.
570 { 0x0200, "frodo640aes" },
571 { 0x2F00, "p256_frodo640aes" },
572 { 0x0201, "frodo640shake" },
573 { 0x2F01, "p256_frodo640shake" },
574 { 0x0202, "frodo976aes" },
575 { 0x2F02, "p384_frodo976aes" },
576 { 0x0203, "frodo976shake" },
577 { 0x2F03, "p384_frodo976shake" },
578 { 0x0204, "frodo1344aes" },
579 { 0x2F04, "p521_frodo1344aes" },
580 { 0x0205, "frodo1344shake" },
581 { 0x2F05, "p521_frodo1344shake" },
582 { 0x023A, "kyber512" },
583 { 0x2F3A, "p256_kyber512" },
584 { 0x023C, "kyber768" },
585 { 0x2F3C, "p384_kyber768" },
586 { 0x023D, "kyber1024" },
587 { 0x2F3D, "p521_kyber1024" },
588 { 0x0214, "ntru_hps2048509" },
589 { 0x2F14, "p256_ntru_hps2048509" },
590 { 0x0215, "ntru_hps2048677" },
591 { 0x2F15, "p384_ntru_hps2048677" },
592 { 0x0216, "ntru_hps4096821" },
593 { 0x2F16, "p521_ntru_hps4096821" },
594 { 0x0245, "ntru_hps40961229" },
595 { 0x2F45, "p521_ntru_hps40961229" },
596 { 0x0217, "ntru_hrss701" },
597 { 0x2F17, "p384_ntru_hrss701" },
598 { 0x0246, "ntru_hrss1373" },
599 { 0x2F46, "p521_ntru_hrss1373" },
600 { 0x0218, "lightsaber" },
601 { 0x2F18, "p256_lightsaber" },
603 { 0x2F19, "p384_saber" },
604 { 0x021A, "firesaber" },
605 { 0x2F1A, "p521_firesaber" },
606 { 0x021B, "sidhp434" },
607 { 0x2F1B, "p256_sidhp434" },
608 { 0x021C, "sidhp503" },
609 { 0x2F1C, "p256_sidhp503" },
610 { 0x021D, "sidhp610" },
611 { 0x2F1D, "p384_sidhp610" },
612 { 0x021E, "sidhp751" },
613 { 0x2F1E, "p521_sidhp751" },
614 { 0x021F, "sikep434" },
615 { 0x2F1F, "p256_sikep434" },
616 { 0x0220, "sikep503" },
617 { 0x2F20, "p256_sikep503" },
618 { 0x0221, "sikep610" },
619 { 0x2F21, "p384_sikep610" },
620 { 0x0222, "sikep751" },
621 { 0x2F22, "p521_sikep751" },
622 { 0x0238, "bikel1" },
623 { 0x2F38, "p256_bikel1" },
624 { 0x023B, "bikel3" },
625 { 0x2F3B, "p384_bikel3" },
626 { 0x023E, "kyber90s512" },
627 { 0x2F3E, "p256_kyber90s512" },
628 { 0x023F, "kyber90s768" },
629 { 0x2F3F, "p384_kyber90s768" },
630 { 0x0240, "kyber90s1024" },
631 { 0x2F40, "p521_kyber90s1024" },
632 { 0x022C, "hqc128" },
633 { 0x2F2C, "p256_hqc128" },
634 { 0x022D, "hqc192" },
635 { 0x2F2D, "p384_hqc192" },
636 { 0x022E, "hqc256" },
637 { 0x2F2E, "p521_hqc256" },
638 { 0x022F, "ntrulpr653" },
639 { 0x2F2F, "p256_ntrulpr653" },
640 { 0x0230, "ntrulpr761" },
641 { 0x2F43, "p256_ntrulpr761" },
642 { 0x0231, "ntrulpr857" },
643 { 0x2F31, "p384_ntrulpr857" },
644 { 0x0241, "ntrulpr1277" },
645 { 0x2F41, "p521_ntrulpr1277" },
646 { 0x0232, "sntrup653" },
647 { 0x2F32, "p256_sntrup653" },
648 { 0x0233, "sntrup761" },
649 { 0x2F44, "p256_sntrup761" },
650 { 0x0234, "sntrup857" },
651 { 0x2F34, "p384_sntrup857" },
652 { 0x0242, "sntrup1277" },
653 { 0x2F42, "p521_sntrup1277" },
654 /* Other PQ key exchange algorithms, using Reserved for Private Use values
655 https://blog.cloudflare.com/post-quantum-for-all
656 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
657 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
658 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
662 const value_string ssl_curve_types
[] = {
663 { 1, "explicit_prime" },
664 { 2, "explicit_char2" },
665 { 3, "named_curve" },
669 const value_string ssl_extension_ec_point_formats
[] = {
670 { 0, "uncompressed" },
671 { 1, "ansiX962_compressed_prime" },
672 { 2, "ansiX962_compressed_char2" },
676 const value_string ssl_20_certificate_type
[] = {
678 { 0x01, "X.509 Certificate" },
682 const value_string ssl_31_content_type
[] = {
683 { 20, "Change Cipher Spec" },
686 { 23, "Application Data" },
688 { 25, "Connection ID" },
693 /* XXX - would be used if we dissected the body of a Change Cipher Spec
695 const value_string ssl_31_change_cipher_spec
[] = {
696 { 1, "Change Cipher Spec" },
701 const value_string ssl_31_alert_level
[] = {
707 const value_string ssl_31_alert_description
[] = {
708 { 0, "Close Notify" },
709 { 1, "End of Early Data" },
710 { 10, "Unexpected Message" },
711 { 20, "Bad Record MAC" },
712 { 21, "Decryption Failed" },
713 { 22, "Record Overflow" },
714 { 30, "Decompression Failure" },
715 { 40, "Handshake Failure" },
716 { 41, "No Certificate" },
717 { 42, "Bad Certificate" },
718 { 43, "Unsupported Certificate" },
719 { 44, "Certificate Revoked" },
720 { 45, "Certificate Expired" },
721 { 46, "Certificate Unknown" },
722 { 47, "Illegal Parameter" },
723 { 48, "Unknown CA" },
724 { 49, "Access Denied" },
725 { 50, "Decode Error" },
726 { 51, "Decrypt Error" },
727 { 60, "Export Restriction" },
728 { 70, "Protocol Version" },
729 { 71, "Insufficient Security" },
730 { 80, "Internal Error" },
731 { 86, "Inappropriate Fallback" },
732 { 90, "User Canceled" },
733 { 100, "No Renegotiation" },
734 { 109, "Missing Extension" },
735 { 110, "Unsupported Extension" },
736 { 111, "Certificate Unobtainable" },
737 { 112, "Unrecognized Name" },
738 { 113, "Bad Certificate Status Response" },
739 { 114, "Bad Certificate Hash Value" },
740 { 115, "Unknown PSK Identity" },
741 { 116, "Certificate Required" },
742 { 120, "No application Protocol" },
743 { 121, "ECH Required" },
747 const value_string ssl_31_handshake_type
[] = {
748 { SSL_HND_HELLO_REQUEST
, "Hello Request" },
749 { SSL_HND_CLIENT_HELLO
, "Client Hello" },
750 { SSL_HND_SERVER_HELLO
, "Server Hello" },
751 { SSL_HND_HELLO_VERIFY_REQUEST
, "Hello Verify Request"},
752 { SSL_HND_NEWSESSION_TICKET
, "New Session Ticket" },
753 { SSL_HND_END_OF_EARLY_DATA
, "End of Early Data" },
754 { SSL_HND_HELLO_RETRY_REQUEST
, "Hello Retry Request" },
755 { SSL_HND_ENCRYPTED_EXTENSIONS
, "Encrypted Extensions" },
756 { SSL_HND_CERTIFICATE
, "Certificate" },
757 { SSL_HND_SERVER_KEY_EXCHG
, "Server Key Exchange" },
758 { SSL_HND_CERT_REQUEST
, "Certificate Request" },
759 { SSL_HND_SVR_HELLO_DONE
, "Server Hello Done" },
760 { SSL_HND_CERT_VERIFY
, "Certificate Verify" },
761 { SSL_HND_CLIENT_KEY_EXCHG
, "Client Key Exchange" },
762 { SSL_HND_FINISHED
, "Finished" },
763 { SSL_HND_CERT_URL
, "Client Certificate URL" },
764 { SSL_HND_CERT_STATUS
, "Certificate Status" },
765 { SSL_HND_SUPPLEMENTAL_DATA
, "Supplemental Data" },
766 { SSL_HND_KEY_UPDATE
, "Key Update" },
767 { SSL_HND_COMPRESSED_CERTIFICATE
, "Compressed Certificate" },
768 { SSL_HND_ENCRYPTED_EXTS
, "Encrypted Extensions" },
772 const value_string tls_heartbeat_type
[] = {
778 const value_string tls_heartbeat_mode
[] = {
779 { 1, "Peer allowed to send requests" },
780 { 2, "Peer not allowed to send requests" },
784 const value_string ssl_31_compression_method
[] = {
792 /* XXX - would be used if we dissected a Signature, as would be
793 seen in a server key exchange or certificate verify message. */
794 const value_string ssl_31_key_exchange_algorithm
[] = {
796 { 1, "Diffie Hellman" },
800 const value_string ssl_31_signature_algorithm
[] = {
808 const value_string ssl_31_client_certificate_type
[] = {
811 { 3, "RSA Fixed DH" },
812 { 4, "DSS Fixed DH" },
813 /* GOST certificate types */
814 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
815 { 21, "GOST R 34.10-94" },
816 { 22, "GOST R 34.10-2001" },
817 /* END GOST certificate types */
818 { 64, "ECDSA Sign" },
819 { 65, "RSA Fixed ECDH" },
820 { 66, "ECDSA Fixed ECDH" },
821 { 80, "IBC Params" },
826 /* XXX - would be used if we dissected exchange keys, as would be
827 seen in a client key exchange message. */
828 const value_string ssl_31_public_value_encoding
[] = {
835 /* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
836 /* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
837 static const value_string ssl_31_ciphersuite
[] = {
838 /* RFC 2246, RFC 4346, RFC 5246 */
839 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
840 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
841 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
842 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
843 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
844 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
845 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
846 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
847 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
848 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
849 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
850 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
851 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
852 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
853 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
854 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
855 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
856 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
857 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
858 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
859 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
860 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
861 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
862 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
863 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
864 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
865 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
866 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
868 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
869 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
870 #if 0 /* Because it clashes with KRB5, is never used any more, and is safe
871 to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
872 of the ietf-tls list */
873 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
876 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
877 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
878 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
879 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
880 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
881 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
882 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
883 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
884 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
885 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
886 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
887 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
888 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
889 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
891 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
892 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
893 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
895 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
896 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
897 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
898 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
899 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
900 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
901 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
902 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
903 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
904 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
905 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
906 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
907 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
908 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
909 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
910 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
911 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
912 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
914 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
915 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
916 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
917 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
918 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
919 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
920 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
922 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
923 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
924 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
925 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
926 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
927 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
928 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
929 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
931 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
932 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
933 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
934 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
935 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
936 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
937 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
938 /* draft-chudov-cryptopro-cptls-04.txt */
939 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
940 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
941 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
942 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
944 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
945 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
946 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
947 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
948 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
949 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
951 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
952 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
953 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
954 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
955 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
956 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
957 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
958 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
959 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
960 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
961 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
962 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
964 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
965 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
966 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
967 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
968 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
969 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
971 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
972 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
973 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
974 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
975 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
976 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
977 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
978 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
979 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
980 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
981 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
982 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
984 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
985 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
986 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
987 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
988 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
989 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
990 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
991 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
992 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
993 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
994 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
995 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
996 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
997 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
998 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
999 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
1000 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
1001 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
1003 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1004 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
1005 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1006 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
1007 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1008 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
1009 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1010 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1011 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1012 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1013 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1014 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1016 { 0x00C6, "TLS_SM4_GCM_SM3" },
1017 { 0x00C7, "TLS_SM4_CCM_SM3" },
1018 /* 0x00,0xC8-FE Unassigned */
1020 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1022 { 0x0A0A, "Reserved (GREASE)" },
1024 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1025 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1026 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1027 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1028 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1030 { 0x1A1A, "Reserved (GREASE)" },
1031 { 0x2A2A, "Reserved (GREASE)" },
1032 { 0x3A3A, "Reserved (GREASE)" },
1033 { 0x4A4A, "Reserved (GREASE)" },
1035 { 0x5600, "TLS_FALLBACK_SCSV" },
1037 { 0x5A5A, "Reserved (GREASE)" },
1038 { 0x6A6A, "Reserved (GREASE)" },
1039 { 0x7A7A, "Reserved (GREASE)" },
1040 { 0x8A8A, "Reserved (GREASE)" },
1041 { 0x9A9A, "Reserved (GREASE)" },
1042 { 0xAAAA, "Reserved (GREASE)" },
1043 { 0xBABA, "Reserved (GREASE)" },
1045 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1046 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1047 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1048 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1049 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1050 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1051 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1052 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1053 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1054 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1055 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1056 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1057 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1058 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1059 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1060 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1061 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1062 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1063 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1064 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1065 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1066 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1067 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1068 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1069 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1071 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1072 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1073 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1074 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1075 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1076 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1077 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1078 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1079 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1081 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1082 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1083 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1084 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1085 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1086 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1087 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1088 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1089 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1090 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1091 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1092 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1093 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1094 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1095 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1096 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1098 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1099 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1100 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1101 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1102 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1103 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1104 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1105 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1106 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1108 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1109 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1110 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1111 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1112 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1113 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1114 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1115 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1116 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1117 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1118 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1119 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1120 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1121 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1122 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1123 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1124 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1125 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1126 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1127 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1128 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1129 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1130 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1131 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1132 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1133 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1134 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1135 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1136 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1137 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1138 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1139 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1140 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1141 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1142 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1143 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1144 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1145 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1146 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1147 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1148 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1149 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1150 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1151 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1152 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1153 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1154 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1155 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1156 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1157 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1158 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1159 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1160 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1161 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1163 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1164 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1165 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1166 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1167 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1168 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1169 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1170 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1171 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1172 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1173 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1174 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1175 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1176 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1177 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1178 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1179 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1180 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1181 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1182 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1183 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1184 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1185 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1186 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1187 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1188 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1189 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1190 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1191 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1192 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1193 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1194 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1195 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1196 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1197 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1198 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1199 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1200 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1201 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1202 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1203 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1204 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1206 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1207 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1208 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1209 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1210 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1211 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1212 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1213 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1214 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1215 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1216 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1217 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1218 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1219 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1220 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1221 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1223 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1224 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1225 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1226 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1228 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1229 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1230 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1231 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1232 /* draft-camwinget-tls-ts13-macciphersuites */
1233 { 0xC0B4, "TLS_SHA256_SHA256" },
1234 { 0xC0B5, "TLS_SHA384_SHA384" },
1235 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1236 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1237 /* draft-smyshlyaev-tls12-gost-suites */
1238 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1239 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1240 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1241 /* draft-smyshlyaev-tls13-gost-suites */
1242 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1243 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1244 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1245 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1247 { 0xCACA, "Reserved (GREASE)" },
1249 0xC0,0xAB-FF Unassigned
1250 0xC1,0x03-FD,* Unassigned
1251 0xFE,0x00-FD Unassigned
1252 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
1253 0xFF,0x00-FF Reserved for Private Use [RFC5246]
1255 /* old numbers used in the beginning
1256 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
1257 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1258 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1259 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1261 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1262 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1263 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1264 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1265 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1266 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1267 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1269 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1270 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1271 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1272 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1274 { 0xDADA, "Reserved (GREASE)" },
1275 /* GM/T 0024-2014 */
1276 { 0xe001, "ECDHE_SM1_SM3"},
1277 { 0xe003, "ECC_SM1_SM3"},
1278 { 0xe005, "IBSDH_SM1_SM3"},
1279 { 0xe007, "IBC_SM1_SM3"},
1280 { 0xe009, "RSA_SM1_SM3"},
1281 { 0xe00a, "RSA_SM1_SHA1"},
1282 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1283 { 0xe013, "ECC_SM4_CBC_SM3"},
1284 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1285 { 0xe017, "IBC_SM4_CBC_SM3"},
1286 { 0xe019, "RSA_SM4_CBC_SM3"},
1287 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1288 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1289 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1290 { 0xe053, "ECC_SM4_GCM_SM3"},
1291 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1292 { 0xe057, "IBC_SM4_GCM_SM3"},
1293 { 0xe059, "RSA_SM4_GCM_SM3"},
1294 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1295 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1296 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1297 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1298 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1299 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1300 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1301 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1302 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1303 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1304 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1305 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1306 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1307 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1308 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1309 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1310 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1311 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1313 { 0xEAEA, "Reserved (GREASE)" },
1314 { 0xFAFA, "Reserved (GREASE)" },
1315 /* these from http://www.mozilla.org/projects/
1316 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
1317 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1318 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1319 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1320 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1321 /* note that ciphersuites 0xff00 - 0xffff are private */
1325 value_string_ext ssl_31_ciphersuite_ext
= VALUE_STRING_EXT_INIT(ssl_31_ciphersuite
);
1327 /* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1328 const value_string tls_hello_extension_types
[] = {
1329 { SSL_HND_HELLO_EXT_SERVER_NAME
, "server_name" }, /* RFC 6066 */
1330 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH
, "max_fragment_length" },/* RFC 6066 */
1331 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL
, "client_certificate_url" }, /* RFC 6066 */
1332 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS
, "trusted_ca_keys" }, /* RFC 6066 */
1333 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC
, "truncated_hmac" }, /* RFC 6066 */
1334 { SSL_HND_HELLO_EXT_STATUS_REQUEST
, "status_request" }, /* RFC 6066 */
1335 { SSL_HND_HELLO_EXT_USER_MAPPING
, "user_mapping" }, /* RFC 4681 */
1336 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ
, "client_authz" }, /* RFC 5878 */
1337 { SSL_HND_HELLO_EXT_SERVER_AUTHZ
, "server_authz" }, /* RFC 5878 */
1338 { SSL_HND_HELLO_EXT_CERT_TYPE
, "cert_type" }, /* RFC 6091 */
1339 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS
, "supported_groups" }, /* RFC 4492, RFC 7919 */
1340 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS
, "ec_point_formats" }, /* RFC 4492 */
1341 { SSL_HND_HELLO_EXT_SRP
, "srp" }, /* RFC 5054 */
1342 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS
, "signature_algorithms" }, /* RFC 5246 */
1343 { SSL_HND_HELLO_EXT_USE_SRTP
, "use_srtp" }, /* RFC 5764 */
1344 { SSL_HND_HELLO_EXT_HEARTBEAT
, "heartbeat" }, /* RFC 6520 */
1345 { SSL_HND_HELLO_EXT_ALPN
, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1346 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V2
, "status_request_v2" }, /* RFC 6961 */
1347 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP
, "signed_certificate_timestamp" }, /* RFC 6962 */
1348 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE
, "client_certificate_type" }, /* RFC 7250 */
1349 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE
, "server_certificate_type" }, /* RFC 7250 */
1350 { SSL_HND_HELLO_EXT_PADDING
, "padding" }, /* RFC 7685 */
1351 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC
, "encrypt_then_mac" }, /* RFC 7366 */
1352 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET
, "extended_master_secret" }, /* RFC 7627 */
1353 { SSL_HND_HELLO_EXT_TOKEN_BINDING
, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1354 { SSL_HND_HELLO_EXT_CACHED_INFO
, "cached_info" }, /* RFC 7924 */
1355 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE
, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1356 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT
, "record_size_limit" }, /* RFC 8449 */
1357 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS
, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1358 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS
, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1359 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD
, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1360 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY
, "pre_shared_key" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_EARLY_DATA
, "early_data" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS
, "supported_versions" }, /* RFC 8446 */
1363 { SSL_HND_HELLO_EXT_COOKIE
, "cookie" }, /* RFC 8446 */
1364 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES
, "psk_key_exchange_modes" }, /* RFC 8446 */
1365 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO
, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1366 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES
, "certificate_authorities" }, /* RFC 8446 */
1367 { SSL_HND_HELLO_EXT_OID_FILTERS
, "oid_filters" }, /* RFC 8446 */
1368 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH
, "post_handshake_auth" }, /* RFC 8446 */
1369 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT
, "signature_algorithms_cert" }, /* RFC 8446 */
1370 { SSL_HND_HELLO_EXT_KEY_SHARE
, "key_share" }, /* RFC 8446 */
1371 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO
, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1372 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED
, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1373 { SSL_HND_HELLO_EXT_CONNECTION_ID
, "connection_id" }, /* RFC 9146 */
1374 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH
, "external_id_hash" }, /* RFC 8844 */
1375 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID
, "external_session_id" }, /* RFC 8844 */
1376 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V1
, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1377 { SSL_HND_HELLO_EXT_TICKET_REQUEST
, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1378 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN
, "dnssec_chain" }, /* RFC 9102 */
1379 { SSL_HND_HELLO_EXT_GREASE_0A0A
, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_GREASE_1A1A
, "Reserved (GREASE)" }, /* RFC 8701 */
1381 { SSL_HND_HELLO_EXT_GREASE_2A2A
, "Reserved (GREASE)" }, /* RFC 8701 */
1382 { SSL_HND_HELLO_EXT_NPN
, "next_protocol_negotiation"}, /* https://tools.ietf.org/id/draft-agl-tls-nextprotoneg-03.html */
1383 { SSL_HND_HELLO_EXT_GREASE_3A3A
, "Reserved (GREASE)" }, /* RFC 8701 */
1384 { SSL_HND_HELLO_EXT_ALPS
, "application_settings" }, /* draft-vvv-tls-alps-01 */
1385 { SSL_HND_HELLO_EXT_GREASE_4A4A
, "Reserved (GREASE)" }, /* RFC 8701 */
1386 { SSL_HND_HELLO_EXT_GREASE_5A5A
, "Reserved (GREASE)" }, /* RFC 8701 */
1387 { SSL_HND_HELLO_EXT_GREASE_6A6A
, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD
, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1389 https://twitter.com/ericlaw/status/274237352531083264 */
1390 { SSL_HND_HELLO_EXT_CHANNEL_ID
, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1391 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1392 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO
, "renegotiation_info" }, /* RFC 5746 */
1393 { SSL_HND_HELLO_EXT_GREASE_7A7A
, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_GREASE_8A8A
, "Reserved (GREASE)" }, /* RFC 8701 */
1395 { SSL_HND_HELLO_EXT_GREASE_9A9A
, "Reserved (GREASE)" }, /* RFC 8701 */
1396 { SSL_HND_HELLO_EXT_GREASE_AAAA
, "Reserved (GREASE)" }, /* RFC 8701 */
1397 { SSL_HND_HELLO_EXT_GREASE_BABA
, "Reserved (GREASE)" }, /* RFC 8701 */
1398 { SSL_HND_HELLO_EXT_GREASE_CACA
, "Reserved (GREASE)" }, /* RFC 8701 */
1399 { SSL_HND_HELLO_EXT_GREASE_DADA
, "Reserved (GREASE)" }, /* RFC 8701 */
1400 { SSL_HND_HELLO_EXT_GREASE_EAEA
, "Reserved (GREASE)" }, /* RFC 8701 */
1401 { SSL_HND_HELLO_EXT_GREASE_FAFA
, "Reserved (GREASE)" }, /* RFC 8701 */
1402 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS
, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1403 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME
, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1404 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO
, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1405 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS
, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1409 const value_string tls_hello_ext_server_name_type_vs
[] = {
1414 /* RFC 6066 Section 4 */
1415 const value_string tls_hello_ext_max_fragment_length
[] = {
1416 { 1, "512" }, // 2^9
1417 { 2, "1024" }, // 2^10
1418 { 3, "2048" }, // 2^11
1419 { 4, "4096" }, // 2^12
1423 /* RFC 8446 Section 4.2.9 */
1424 const value_string tls_hello_ext_psk_ke_mode
[] = {
1425 { 0, "PSK-only key establishment (psk_ke)" },
1426 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
1430 /* RFC 6066 Section 6 */
1431 const value_string tls_hello_ext_trusted_ca_key_type
[] = {
1433 {1, "key_sha1_hash"},
1435 {3, "cert_sha1_hash"},
1439 const value_string tls13_key_update_request
[] = {
1440 { 0, "update_not_requested" },
1441 { 1, "update_requested" },
1445 /* RFC 5246 7.4.1.4.1 */
1446 /* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1447 /* Note that the TLS 1.3 SignatureScheme registry reserves all values
1448 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1449 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1451 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1452 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1453 * and TLS HashAlgorithm registries, but the new values are not compatible
1454 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1455 * cause confusion if used to interpret one of those schemes in a
1456 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1458 const value_string tls_hash_algorithm
[] = {
1467 /* RFC 8422 adds this to the HashAlgorithm registry, but it really
1468 * only applies to 0x0807 and 0x0808, not for other TLS 1.3
1469 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
1470 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
1477 const value_string tls_signature_algorithm
[] = {
1486 { 64, "GOSTR34102012_256" },
1487 { 65, "GOSTR34102012_512" },
1492 /* RFC 8446 Section 4.2.3 */
1493 const value_string tls13_signature_algorithm
[] = {
1494 { 0x0201, "rsa_pkcs1_sha1" },
1495 { 0x0203, "ecdsa_sha1" },
1496 { 0x0401, "rsa_pkcs1_sha256" },
1497 { 0x0403, "ecdsa_secp256r1_sha256" },
1498 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1499 { 0x0501, "rsa_pkcs1_sha384" },
1500 { 0x0503, "ecdsa_secp384r1_sha384" },
1501 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1502 { 0x0601, "rsa_pkcs1_sha512" },
1503 { 0x0603, "ecdsa_secp521r1_sha512" },
1504 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1505 { 0x0708, "sm2sig_sm3" },
1506 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
1507 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
1508 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
1509 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
1510 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
1511 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
1512 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
1513 { 0x0804, "rsa_pss_rsae_sha256" },
1514 { 0x0805, "rsa_pss_rsae_sha384" },
1515 { 0x0806, "rsa_pss_rsae_sha512" },
1516 { 0x0807, "ed25519" },
1517 { 0x0808, "ed448" },
1518 { 0x0809, "rsa_pss_pss_sha256" },
1519 { 0x080a, "rsa_pss_pss_sha384" },
1520 { 0x080b, "rsa_pss_pss_sha512" },
1521 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
1522 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
1523 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
1524 /* PQC digital signature algorithms from OQS-OpenSSL,
1525 see https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-sig-info.md */
1526 { 0xfea0, "dilithium2" },
1527 { 0xfea1, "p256_dilithium2" },
1528 { 0xfea2, "rsa3072_dilithium2" },
1529 { 0xfea3, "dilithium3" },
1530 { 0xfea4, "p384_dilithium3" },
1531 { 0xfea5, "dilithium5" },
1532 { 0xfea6, "p521_dilithium5" },
1533 { 0xfea7, "dilithium2_aes" },
1534 { 0xfea8, "p256_dilithium2_aes" },
1535 { 0xfea9, "rsa3072_dilithium2_aes" },
1536 { 0xfeaa, "dilithium3_aes" },
1537 { 0xfeab, "p384_dilithium3_aes" },
1538 { 0xfeac, "dilithium5_aes" },
1539 { 0xfead, "p521_dilithium5_aes" },
1540 { 0xfe0b, "falcon512" },
1541 { 0xfe0c, "p256_falcon512" },
1542 { 0xfe0d, "rsa3072_falcon512" },
1543 { 0xfe0e, "falcon1024" },
1544 { 0xfe0f, "p521_falcon1024" },
1545 { 0xfe96, "picnicl1full" },
1546 { 0xfe97, "p256_picnicl1full" },
1547 { 0xfe98, "rsa3072_picnicl1full" },
1548 { 0xfe1b, "picnic3l1" },
1549 { 0xfe1c, "p256_picnic3l1" },
1550 { 0xfe1d, "rsa3072_picnic3l1" },
1551 { 0xfe27, "rainbowIclassic" },
1552 { 0xfe28, "p256_rainbowIclassic" },
1553 { 0xfe29, "rsa3072_rainbowIclassic" },
1554 { 0xfe3c, "rainbowVclassic" },
1555 { 0xfe3d, "p521_rainbowVclassic" },
1556 { 0xfe42, "sphincsharaka128frobust" },
1557 { 0xfe43, "p256_sphincsharaka128frobust" },
1558 { 0xfe44, "rsa3072_sphincsharaka128frobust" },
1559 { 0xfe5e, "sphincssha256128frobust" },
1560 { 0xfe5f, "p256_sphincssha256128frobust" },
1561 { 0xfe60, "rsa3072_sphincssha256128frobust" },
1562 { 0xfe7a, "sphincsshake256128frobust" },
1563 { 0xfe7b, "p256_sphincsshake256128frobust" },
1564 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
1569 const value_string tls_certificate_type
[] = {
1572 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY
, "Raw Public Key" }, /* RFC 7250 */
1576 const value_string tls_cert_chain_type
[] = {
1577 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT
, "Individual Certificates" },
1578 { SSL_HND_CERT_URL_TYPE_PKIPATH
, "PKI Path" },
1582 const value_string tls_cert_status_type
[] = {
1583 { SSL_HND_CERT_STATUS_TYPE_OCSP
, "OCSP" },
1584 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI
, "OCSP Multi" },
1588 /* Generated by tools/make-tls-ct-logids.py
1589 * Last-Modified Sat, 05 Oct 2024 13:48:00 GMT, 165 entries. */
1590 static const bytes_string ct_logids
[] = {
1591 { (const uint8_t[]){
1592 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1593 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1594 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1596 32, "Google 'Argon2020' log" },
1597 { (const uint8_t[]){
1598 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1599 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1600 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1602 32, "Google 'Argon2021' log" },
1603 { (const uint8_t[]){
1604 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1605 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1606 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1608 32, "Google 'Argon2022' log" },
1609 { (const uint8_t[]){
1610 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1611 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1612 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1614 32, "Google 'Argon2023' log" },
1615 { (const uint8_t[]){
1616 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1617 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1618 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1620 32, "Google 'Argon2024' log" },
1621 { (const uint8_t[]){
1622 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1623 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1624 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1626 32, "Google 'Argon2025h1' log" },
1627 { (const uint8_t[]){
1628 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1629 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1630 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1632 32, "Google 'Argon2025h2' log" },
1633 { (const uint8_t[]){
1634 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1635 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1636 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1638 32, "Google 'Argon2026h1' log" },
1639 { (const uint8_t[]){
1640 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1641 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1642 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1644 32, "Google 'Argon2026h2' log" },
1645 { (const uint8_t[]){
1646 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1647 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1648 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1650 32, "Google 'Xenon2020' log" },
1651 { (const uint8_t[]){
1652 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1653 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1654 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1656 32, "Google 'Xenon2021' log" },
1657 { (const uint8_t[]){
1658 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1659 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1660 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1662 32, "Google 'Xenon2022' log" },
1663 { (const uint8_t[]){
1664 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1665 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1666 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1668 32, "Google 'Xenon2023' log" },
1669 { (const uint8_t[]){
1670 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1671 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1672 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1674 32, "Google 'Xenon2024' log" },
1675 { (const uint8_t[]){
1676 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1677 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1678 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1680 32, "Google 'Xenon2025h1' log" },
1681 { (const uint8_t[]){
1682 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1683 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1684 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1686 32, "Google 'Xenon2025h2' log" },
1687 { (const uint8_t[]){
1688 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1689 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1690 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1692 32, "Google 'Xenon2026h1' log" },
1693 { (const uint8_t[]){
1694 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1695 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1696 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1698 32, "Google 'Xenon2026h2' log" },
1699 { (const uint8_t[]){
1700 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1701 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1702 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1704 32, "Google 'Aviator' log" },
1705 { (const uint8_t[]){
1706 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1707 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1708 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1710 32, "Google 'Icarus' log" },
1711 { (const uint8_t[]){
1712 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1713 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1714 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1716 32, "Google 'Pilot' log" },
1717 { (const uint8_t[]){
1718 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1719 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1720 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1722 32, "Google 'Rocketeer' log" },
1723 { (const uint8_t[]){
1724 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1725 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1726 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1728 32, "Google 'Skydiver' log" },
1729 { (const uint8_t[]){
1730 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1731 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1732 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1734 32, "Google 'Argon2017' log" },
1735 { (const uint8_t[]){
1736 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1737 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1738 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1740 32, "Google 'Argon2018' log" },
1741 { (const uint8_t[]){
1742 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1743 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1744 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1746 32, "Google 'Argon2019' log" },
1747 { (const uint8_t[]){
1748 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1749 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1750 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1752 32, "Google 'Xenon2018' log" },
1753 { (const uint8_t[]){
1754 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1755 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1756 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1758 32, "Google 'Xenon2019' log" },
1759 { (const uint8_t[]){
1760 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1761 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1762 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1764 32, "Google 'Submariner' log" },
1765 { (const uint8_t[]){
1766 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1767 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1768 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1770 32, "Google 'Daedalus' log" },
1771 { (const uint8_t[]){
1772 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1773 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1774 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1776 32, "Google 'Testtube' log" },
1777 { (const uint8_t[]){
1778 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1779 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1780 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1782 32, "Google 'Crucible' log" },
1783 { (const uint8_t[]){
1784 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1785 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1786 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1788 32, "Google 'Solera2018' log" },
1789 { (const uint8_t[]){
1790 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1791 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1792 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1794 32, "Google 'Solera2019' log" },
1795 { (const uint8_t[]){
1796 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1797 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1798 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1800 32, "Google 'Solera2020' log" },
1801 { (const uint8_t[]){
1802 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1803 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1804 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1806 32, "Google 'Solera2021' log" },
1807 { (const uint8_t[]){
1808 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1809 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1810 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1812 32, "Google 'Solera2022' log" },
1813 { (const uint8_t[]){
1814 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1815 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1816 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1818 32, "Google 'Solera2023' log" },
1819 { (const uint8_t[]){
1820 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1821 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1822 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1824 32, "Google 'Solera2024' log" },
1825 { (const uint8_t[]){
1826 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1827 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1828 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1830 32, "Google 'Solera2025h1' log" },
1831 { (const uint8_t[]){
1832 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1833 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1834 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1836 32, "Google 'Solera2025h2' log" },
1837 { (const uint8_t[]){
1838 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1839 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1840 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1842 32, "Google 'Solera2026h1' log" },
1843 { (const uint8_t[]){
1844 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1845 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1846 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1848 32, "Google 'Solera2026h2' log" },
1849 { (const uint8_t[]){
1850 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1851 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1852 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1854 32, "Cloudflare 'Nimbus2020' Log" },
1855 { (const uint8_t[]){
1856 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1857 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1858 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1860 32, "Cloudflare 'Nimbus2021' Log" },
1861 { (const uint8_t[]){
1862 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1863 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1864 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1866 32, "Cloudflare 'Nimbus2022' Log" },
1867 { (const uint8_t[]){
1868 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1869 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1870 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1872 32, "Cloudflare 'Nimbus2023' Log" },
1873 { (const uint8_t[]){
1874 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1875 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1876 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1878 32, "Cloudflare 'Nimbus2024' Log" },
1879 { (const uint8_t[]){
1880 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1881 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1882 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1884 32, "Cloudflare 'Nimbus2025'" },
1885 { (const uint8_t[]){
1886 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1887 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1888 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1890 32, "Cloudflare 'Nimbus2026'" },
1891 { (const uint8_t[]){
1892 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1893 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1894 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1896 32, "Cloudflare 'Nimbus2017' Log" },
1897 { (const uint8_t[]){
1898 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1899 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1900 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1902 32, "Cloudflare 'Nimbus2018' Log" },
1903 { (const uint8_t[]){
1904 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1905 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1906 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1908 32, "Cloudflare 'Nimbus2019' Log" },
1909 { (const uint8_t[]){
1910 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1911 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1912 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1914 32, "DigiCert Log Server" },
1915 { (const uint8_t[]){
1916 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1917 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1918 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1920 32, "DigiCert Log Server 2" },
1921 { (const uint8_t[]){
1922 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1923 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1924 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1926 32, "DigiCert Yeti2020 Log" },
1927 { (const uint8_t[]){
1928 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1929 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1930 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1932 32, "DigiCert Yeti2021 Log" },
1933 { (const uint8_t[]){
1934 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1935 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1936 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1938 32, "DigiCert Yeti2022 Log" },
1939 { (const uint8_t[]){
1940 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1941 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1942 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1944 32, "DigiCert Yeti2023 Log" },
1945 { (const uint8_t[]){
1946 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1947 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1948 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1950 32, "DigiCert Yeti2024 Log" },
1951 { (const uint8_t[]){
1952 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1953 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1954 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1956 32, "DigiCert Yeti2025 Log" },
1957 { (const uint8_t[]){
1958 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1959 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1960 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1962 32, "DigiCert Nessie2020 Log" },
1963 { (const uint8_t[]){
1964 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
1965 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
1966 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
1968 32, "DigiCert Nessie2021 Log" },
1969 { (const uint8_t[]){
1970 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
1971 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
1972 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
1974 32, "DigiCert Nessie2022 Log" },
1975 { (const uint8_t[]){
1976 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
1977 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
1978 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
1980 32, "DigiCert Nessie2023 Log" },
1981 { (const uint8_t[]){
1982 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
1983 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
1984 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
1986 32, "DigiCert Nessie2024 Log" },
1987 { (const uint8_t[]){
1988 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
1989 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
1990 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
1992 32, "DigiCert Nessie2025 Log" },
1993 { (const uint8_t[]){
1994 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
1995 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
1996 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
1998 32, "DigiCert 'Wyvern2024h1' Log" },
1999 { (const uint8_t[]){
2000 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2001 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2002 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2004 32, "DigiCert 'Wyvern2024h2' Log" },
2005 { (const uint8_t[]){
2006 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2007 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2008 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2010 32, "DigiCert 'Wyvern2025h1' Log" },
2011 { (const uint8_t[]){
2012 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2013 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2014 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2016 32, "DigiCert 'Wyvern2025h2' Log" },
2017 { (const uint8_t[]){
2018 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2019 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2020 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2022 32, "DigiCert 'Wyvern2026h1'" },
2023 { (const uint8_t[]){
2024 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2025 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2026 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2028 32, "DigiCert 'Wyvern2026h2'" },
2029 { (const uint8_t[]){
2030 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2031 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2032 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2034 32, "DigiCert 'Sphinx2024h1' Log" },
2035 { (const uint8_t[]){
2036 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2037 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2038 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2040 32, "DigiCert 'Sphinx2024h2' Log" },
2041 { (const uint8_t[]){
2042 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2043 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2044 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2046 32, "DigiCert 'Sphinx2025h1' Log" },
2047 { (const uint8_t[]){
2048 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2049 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2050 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2052 32, "DigiCert 'Sphinx2025h2' Log" },
2053 { (const uint8_t[]){
2054 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2055 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2056 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2058 32, "DigiCert 'Sphinx2026h1'" },
2059 { (const uint8_t[]){
2060 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2061 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2062 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2064 32, "DigiCert 'Sphinx2026h2'" },
2065 { (const uint8_t[]){
2066 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2067 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2068 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2070 32, "Symantec log" },
2071 { (const uint8_t[]){
2072 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2073 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2074 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2076 32, "Symantec 'Vega' log" },
2077 { (const uint8_t[]){
2078 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2079 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2080 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2082 32, "Symantec 'Sirius' log" },
2083 { (const uint8_t[]){
2084 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2085 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2086 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2088 32, "DigiCert Yeti2022-2 Log" },
2089 { (const uint8_t[]){
2090 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2091 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2092 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2094 32, "DigiCert Yeti2018 Log" },
2095 { (const uint8_t[]){
2096 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2097 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2098 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2100 32, "DigiCert Yeti2019 Log" },
2101 { (const uint8_t[]){
2102 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2103 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2104 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2106 32, "DigiCert Nessie2018 Log" },
2107 { (const uint8_t[]){
2108 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2109 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2110 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2112 32, "DigiCert Nessie2019 Log" },
2113 { (const uint8_t[]){
2114 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2115 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2116 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2118 32, "Symantec Deneb" },
2119 { (const uint8_t[]){
2120 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2121 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2122 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2124 32, "Certly.IO log" },
2125 { (const uint8_t[]){
2126 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2127 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2128 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2131 { (const uint8_t[]){
2132 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2133 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2134 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2136 32, "Izenpe 'Argi' log" },
2137 { (const uint8_t[]){
2138 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2139 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2140 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2143 { (const uint8_t[]){
2144 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2145 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2146 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2148 32, "WoSign CT log #1" },
2149 { (const uint8_t[]){
2150 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2151 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2152 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2154 32, "WoSign log 2" },
2155 { (const uint8_t[]){
2156 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2157 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2158 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2161 { (const uint8_t[]){
2162 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2163 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2164 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2166 32, "Venafi Gen2 CT log" },
2167 { (const uint8_t[]){
2168 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2169 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2170 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2172 32, "CNNIC CT log" },
2173 { (const uint8_t[]){
2174 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2175 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2176 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2178 32, "StartCom log" },
2179 { (const uint8_t[]){
2180 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2181 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2182 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2184 32, "Sectigo 'Sabre' CT log" },
2185 { (const uint8_t[]){
2186 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2187 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2188 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2190 32, "Sectigo 'Sabre2024h1'" },
2191 { (const uint8_t[]){
2192 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2193 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2194 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2196 32, "Sectigo 'Sabre2024h2'" },
2197 { (const uint8_t[]){
2198 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2199 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2200 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2202 32, "Sectigo 'Sabre2025h1'" },
2203 { (const uint8_t[]){
2204 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2205 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2206 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2208 32, "Sectigo 'Sabre2025h2'" },
2209 { (const uint8_t[]){
2210 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2211 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2212 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2214 32, "Sectigo 'Mammoth' CT log" },
2215 { (const uint8_t[]){
2216 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2217 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2218 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2220 32, "Sectigo 'Mammoth2024h1'" },
2221 { (const uint8_t[]){
2222 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2223 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2224 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2226 32, "Sectigo 'Mammoth2024h1b'" },
2227 { (const uint8_t[]){
2228 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2229 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2230 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2232 32, "Sectigo 'Mammoth2024h2'" },
2233 { (const uint8_t[]){
2234 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2235 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2236 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2238 32, "Sectigo 'Mammoth2025h1'" },
2239 { (const uint8_t[]){
2240 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2241 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2242 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2244 32, "Sectigo 'Mammoth2025h2'" },
2245 { (const uint8_t[]){
2246 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2247 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2248 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2250 32, "Sectigo 'Mammoth2026h1'" },
2251 { (const uint8_t[]){
2252 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2253 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2254 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2256 32, "Sectigo 'Mammoth2026h2'" },
2257 { (const uint8_t[]){
2258 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2259 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2260 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2262 32, "Sectigo 'Sabre2026h1'" },
2263 { (const uint8_t[]){
2264 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2265 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2266 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2268 32, "Sectigo 'Sabre2026h2'" },
2269 { (const uint8_t[]){
2270 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2271 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2272 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2274 32, "Sectigo 'Dodo' CT log" },
2275 { (const uint8_t[]){
2276 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2277 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2278 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2280 32, "Let's Encrypt 'Oak2020' log" },
2281 { (const uint8_t[]){
2282 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2283 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2284 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2286 32, "Let's Encrypt 'Oak2021' log" },
2287 { (const uint8_t[]){
2288 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2289 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2290 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2292 32, "Let's Encrypt 'Oak2022' log" },
2293 { (const uint8_t[]){
2294 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2295 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2296 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2298 32, "Let's Encrypt 'Oak2023' log" },
2299 { (const uint8_t[]){
2300 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2301 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2302 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2304 32, "Let's Encrypt 'Oak2024H1' log" },
2305 { (const uint8_t[]){
2306 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2307 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2308 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2310 32, "Let's Encrypt 'Oak2024H2' log" },
2311 { (const uint8_t[]){
2312 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2313 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2314 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2316 32, "Let's Encrypt 'Oak2025h1'" },
2317 { (const uint8_t[]){
2318 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2319 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2320 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2322 32, "Let's Encrypt 'Oak2025h2'" },
2323 { (const uint8_t[]){
2324 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2325 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2326 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2328 32, "Let's Encrypt 'Oak2026h1'" },
2329 { (const uint8_t[]){
2330 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2331 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2332 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2334 32, "Let's Encrypt 'Oak2026h2'" },
2335 { (const uint8_t[]){
2336 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2337 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2338 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2340 32, "Let's Encrypt 'Oak2019' log" },
2341 { (const uint8_t[]){
2342 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2343 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2344 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2346 32, "Let's Encrypt 'Testflume2019' log" },
2347 { (const uint8_t[]){
2348 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2349 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2350 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2352 32, "Let's Encrypt 'Sapling 2022h2' log" },
2353 { (const uint8_t[]){
2354 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2355 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2356 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2358 32, "Let's Encrypt 'Sapling 2023h1' log" },
2359 { (const uint8_t[]){
2360 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2361 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2362 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2364 32, "Let's Encrypt 'Testflume2020' log" },
2365 { (const uint8_t[]){
2366 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2367 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2368 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2370 32, "Let's Encrypt 'Testflume2021' log" },
2371 { (const uint8_t[]){
2372 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2373 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2374 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2376 32, "Let's Encrypt 'Testflume2022' log" },
2377 { (const uint8_t[]){
2378 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2379 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2380 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2382 32, "Let's Encrypt 'Testflume2023' log" },
2383 { (const uint8_t[]){
2384 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2385 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2386 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2388 32, "Let's Encrypt 'Clicky' log" },
2389 { (const uint8_t[]){
2390 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2391 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2392 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2394 32, "Trust Asia Log2020" },
2395 { (const uint8_t[]){
2396 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2397 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2398 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2400 32, "Trust Asia CT2021" },
2401 { (const uint8_t[]){
2402 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2403 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2404 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2406 32, "Trust Asia Log2021" },
2407 { (const uint8_t[]){
2408 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2409 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2410 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2412 32, "Trust Asia Log2022" },
2413 { (const uint8_t[]){
2414 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2415 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2416 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2418 32, "Trust Asia Log2023" },
2419 { (const uint8_t[]){
2420 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2421 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2422 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2424 32, "Trust Asia Log2024" },
2425 { (const uint8_t[]){
2426 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2427 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2428 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2430 32, "Trust Asia Log2024-2" },
2431 { (const uint8_t[]){
2432 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2433 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2434 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2436 32, "TrustAsia Log2025a" },
2437 { (const uint8_t[]){
2438 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2439 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2440 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2442 32, "TrustAsia Log2025b" },
2443 { (const uint8_t[]){
2444 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2445 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2446 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2448 32, "TrustAsia 'log2026a'" },
2449 { (const uint8_t[]){
2450 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2451 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2452 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2454 32, "TrustAsia 'log2026b'" },
2455 { (const uint8_t[]){
2456 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2457 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2458 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2460 32, "Trust Asia Log1" },
2461 { (const uint8_t[]){
2462 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2463 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2464 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2466 32, "GDCA CT log #1" },
2467 { (const uint8_t[]){
2468 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2469 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2470 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2472 32, "GDCA CT log #2" },
2473 { (const uint8_t[]){
2474 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2475 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2476 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2479 { (const uint8_t[]){
2480 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2481 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2482 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2485 { (const uint8_t[]){
2486 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2487 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2488 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2490 32, "PuChuangSiDa CT log" },
2491 { (const uint8_t[]){
2492 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2493 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2494 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2496 32, "Nordu 'flimsy' log" },
2497 { (const uint8_t[]){
2498 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2499 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2500 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2502 32, "Nordu 'plausible' log" },
2503 { (const uint8_t[]){
2504 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2505 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2506 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2508 32, "SHECA CT log 1" },
2509 { (const uint8_t[]){
2510 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2511 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2512 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2514 32, "SHECA CT log 2" },
2515 { (const uint8_t[]){
2516 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2517 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2518 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2520 32, "Akamai CT Log" },
2521 { (const uint8_t[]){
2522 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2523 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2524 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2526 32, "Alpha CT Log" },
2527 { (const uint8_t[]){
2528 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2529 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2530 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2532 32, "Up In The Air 'Behind the Sofa' log" },
2533 { (const uint8_t[]){
2534 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2535 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2536 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2538 32, "Qihoo 360 2020" },
2539 { (const uint8_t[]){
2540 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2541 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2542 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2544 32, "Qihoo 360 2021" },
2545 { (const uint8_t[]){
2546 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2547 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2548 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2550 32, "Qihoo 360 2022" },
2551 { (const uint8_t[]){
2552 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2553 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2554 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2556 32, "Qihoo 360 2023" },
2557 { (const uint8_t[]){
2558 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2559 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2560 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2562 32, "Qihoo 360 v1 2020" },
2563 { (const uint8_t[]){
2564 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2565 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2566 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2568 32, "Qihoo 360 v1 2021" },
2569 { (const uint8_t[]){
2570 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2571 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2572 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2574 32, "Qihoo 360 v1 2022" },
2575 { (const uint8_t[]){
2576 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2577 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2578 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2580 32, "Qihoo 360 v1 2023" },
2585 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2587 static dissector_table_t ssl_alpn_dissector_table
;
2588 static dissector_table_t dtls_alpn_dissector_table
;
2591 * Special cases for prefix matching of the ALPN, if the ALPN includes
2592 * a version number for a draft or protocol revision.
2594 typedef struct ssl_alpn_prefix_match_protocol
{
2595 const char *proto_prefix
;
2596 const char *dissector_name
;
2597 } ssl_alpn_prefix_match_protocol_t
;
2599 static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols
[] = {
2600 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
2601 * already exists 3.1 as of this writing... match the prefix. */
2602 { "spdy/", "spdy" },
2603 /* draft-ietf-httpbis-http2-16 */
2604 { "h2-", "http2" }, /* draft versions */
2607 const value_string compress_certificate_algorithm_vals
[] = {
2615 const val64_string quic_transport_parameter_id
[] = {
2616 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID
, "original_destination_connection_id" },
2617 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT
, "max_idle_timeout" },
2618 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN
, "stateless_reset_token" },
2619 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE
, "max_udp_payload_size" },
2620 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA
, "initial_max_data" },
2621 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL
, "initial_max_stream_data_bidi_local" },
2622 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE
, "initial_max_stream_data_bidi_remote" },
2623 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI
, "initial_max_stream_data_uni" },
2624 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI
, "initial_max_streams_uni" },
2625 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI
, "initial_max_streams_bidi" },
2626 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT
, "ack_delay_exponent" },
2627 { SSL_HND_QUIC_TP_MAX_ACK_DELAY
, "max_ack_delay" },
2628 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION
, "disable_active_migration" },
2629 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS
, "preferred_address" },
2630 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT
, "active_connection_id_limit" },
2631 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID
, "initial_source_connection_id" },
2632 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID
, "retry_source_connection_id" },
2633 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE
, "max_datagram_frame_size" },
2634 { SSL_HND_QUIC_TP_CIBIR_ENCODING
, "cibir_encoding" },
2635 { SSL_HND_QUIC_TP_LOSS_BITS
, "loss_bits" },
2636 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT
, "grease_quic_bit" },
2637 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP
, "enable_time_stamp" },
2638 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V2
, "enable_time_stamp_v2" },
2639 { SSL_HND_QUIC_TP_VERSION_INFORMATION
, "version_information" },
2640 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD
, "min_ack_delay" },
2641 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT
, "google_user_agent" },
2642 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED
, "google_key_update_not_yet_supported" },
2643 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION
, "google_quic_version" },
2644 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT
, "google_initial_rtt" },
2645 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE
, "google_support_handshake_done" },
2646 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS
, "google_quic_params" },
2647 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS
, "google_connection_options" },
2648 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY
, "facebook_partial_reliability" },
2649 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V1
, "min_ack_delay (draft-01)" },
2650 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT05
, "min_ack_delay (draft-05)" },
2651 { SSL_HND_QUIC_TP_MIN_ACK_DELAY
, "min_ack_delay" },
2652 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT04
, "enable_multipath (draft-04)" },
2653 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT05
, "enable_multipath (draft-05)" },
2654 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH
, "enable_multipath (draft-06)" },
2655 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS
, "initial_max_paths (draft-07/08)" },
2656 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT09
, "initial_max_path_id (draft-09/10)" },
2657 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID
, "initial_max_path_id" },
2661 /* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
2662 const val64_string quic_enable_time_stamp_v2_vals
[] = {
2663 { 1, "I would like to receive TIME_STAMP frames" },
2664 { 2, "I am able to generate TIME_STAMP frames" },
2665 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
2669 /* https://tools.ietf.org/html/draft-multipath-04 */
2670 const val64_string quic_enable_multipath_vals
[] = {
2671 { 0, "don't support multipath" },
2672 { 1, "support multipath as defined in this document" },
2676 /* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
2677 const value_string tls_hello_ext_ech_clienthello_types
[] = {
2678 { 0, "Outer Client Hello" },
2679 { 1, "Inner Client Hello" },
2684 const value_string kem_id_type_vals
[] = {
2685 { 0x0000, "Reserved" },
2686 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
2687 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
2688 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
2689 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
2690 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
2693 const value_string kdf_id_type_vals
[] = {
2694 { 0x0000, "Reserved" },
2695 { 0x0001, "HKDF-SHA256" },
2696 { 0x0002, "HKDF-SHA384" },
2697 { 0x0003, "HKDF-SHA512" },
2700 const value_string aead_id_type_vals
[] = {
2701 { 0x0000, "Reserved" },
2702 { 0x0001, "AES-128-GCM" },
2703 { 0x0002, "AES-256-GCM" },
2704 { 0x0003, "ChaCha20Poly1305" },
2705 { 0xFFFF, "Export-only" },
2709 const value_string token_binding_key_parameter_vals
[] = {
2710 { 0, "rsa2048_pkcs1.5" },
2711 { 1, "rsa2048_pss" },
2716 /* Lookup tables }}} */
2719 quic_transport_parameter_id_base_custom(char *result
, uint64_t parameter_id
)
2722 if (IS_GREASE_QUIC(parameter_id
)) {
2725 label
= val64_to_str_const(parameter_id
, quic_transport_parameter_id
, "Unknown");
2727 snprintf(result
, ITEM_LABEL_LENGTH
, "%s (0x%02" PRIx64
")", label
, parameter_id
);
2730 /* we keep this internal to packet-tls-utils, as there should be
2731 no need to access it any other way.
2733 This also allows us to hide the dependency on zlib.
2735 struct _SslDecompress
{
2737 #if defined (HAVE_ZLIB) || defined (HAVE_ZLIBNG)
2738 zlib_stream istream
;
2742 /* To assist in parsing client/server key exchange messages
2743 0 indicates unknown */
2744 int ssl_get_keyex_alg(int cipher
)
2746 /* Map Cipher suite number to Key Exchange algorithm {{{ */
2873 return KEX_ECDH_ANON
;
2887 return KEX_ECDH_ECDSA
;
2901 return KEX_ECDH_RSA
;
2922 return KEX_ECDHE_ECDSA
;
2941 return KEX_ECDHE_PSK
;
2958 return KEX_ECDHE_RSA
;
3064 return KEX_SRP_SHA_DSS
;
3068 return KEX_SRP_SHA_RSA
;
3083 static wmem_list_t
*connection_id_session_list
;
3086 ssl_init_cid_list(void) {
3087 connection_id_session_list
= wmem_list_new(wmem_file_scope());
3091 ssl_cleanup_cid_list(void) {
3092 wmem_destroy_list(connection_id_session_list
);
3096 ssl_add_session_by_cid(SslDecryptSession
*session
)
3098 wmem_list_append(connection_id_session_list
, session
);
3102 ssl_get_session_by_cid(tvbuff_t
*tvb
, uint32_t offset
)
3104 SslDecryptSession
* ssl_cid
= NULL
;
3105 wmem_list_frame_t
*it
= wmem_list_head(connection_id_session_list
);
3107 while (it
!= NULL
&& ssl_cid
== NULL
) {
3108 SslDecryptSession
* ssl
= (SslDecryptSession
*)wmem_list_frame_data(it
);
3109 DISSECTOR_ASSERT(ssl
!= NULL
);
3110 SslSession
*session
= &ssl
->session
;
3112 if (session
->client_cid_len
> 0 && tvb_bytes_exist(tvb
, offset
, session
->client_cid_len
)) {
3113 if (tvb_memeql(tvb
, offset
, session
->client_cid
, session
->client_cid_len
) == 0) {
3118 if (session
->server_cid_len
> 0) {
3119 if (tvb_memeql(tvb
, offset
, session
->server_cid
, session
->server_cid_len
) == 0) {
3124 it
= wmem_list_frame_next(it
);
3130 /* StringInfo structure (len + data) functions {{{ */
3133 ssl_data_alloc(StringInfo
* str
, size_t len
)
3135 str
->data
= (unsigned char *)g_malloc(len
);
3136 /* the allocator can return a null pointer for a size equal to 0,
3137 * and that must be allowed */
3138 if (len
> 0 && !str
->data
)
3140 str
->data_len
= (unsigned) len
;
3145 ssl_data_set(StringInfo
* str
, const unsigned char* data
, unsigned len
)
3147 DISSECTOR_ASSERT(data
);
3148 memcpy(str
->data
, data
, len
);
3149 str
->data_len
= len
;
3153 ssl_data_realloc(StringInfo
* str
, unsigned len
)
3155 str
->data
= (unsigned char *)g_realloc(str
->data
, len
);
3158 str
->data_len
= len
;
3163 ssl_data_clone(StringInfo
*str
)
3165 StringInfo
*cloned_str
;
3166 cloned_str
= (StringInfo
*) wmem_alloc0(wmem_file_scope(),
3167 sizeof(StringInfo
) + str
->data_len
);
3168 cloned_str
->data
= (unsigned char *) (cloned_str
+ 1);
3169 ssl_data_set(cloned_str
, str
->data
, str
->data_len
);
3174 ssl_data_copy(StringInfo
* dst
, StringInfo
* src
)
3176 if (dst
->data_len
< src
->data_len
) {
3177 if (ssl_data_realloc(dst
, src
->data_len
))
3180 memcpy(dst
->data
, src
->data
, src
->data_len
);
3181 dst
->data_len
= src
->data_len
;
3185 /* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
3186 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
3188 static bool from_hex(StringInfo
* out
, const char* in
, size_t hex_len
) {
3194 out
->data
= (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len
/ 2);
3195 for (i
= 0; i
< hex_len
/ 2; i
++) {
3196 int a
= ws_xton(in
[i
*2]);
3197 int b
= ws_xton(in
[i
*2 + 1]);
3198 if (a
== -1 || b
== -1)
3200 out
->data
[i
] = a
<< 4 | b
;
3202 out
->data_len
= (unsigned)hex_len
/ 2;
3205 /* StringInfo structure (len + data) functions }}} */
3208 /* libgcrypt wrappers for HMAC/message digest operations {{{ */
3209 /* hmac abstraction layer */
3210 #define SSL_HMAC gcry_md_hd_t
3213 ssl_hmac_init(SSL_HMAC
* md
, int algo
)
3216 const char *err_str
, *err_src
;
3218 err
= gcry_md_open(md
,algo
, GCRY_MD_FLAG_HMAC
);
3220 err_str
= gcry_strerror(err
);
3221 err_src
= gcry_strsource(err
);
3222 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str
, err_src
);
3229 ssl_hmac_setkey(SSL_HMAC
* md
, const void * key
, int len
)
3232 const char *err_str
, *err_src
;
3234 err
= gcry_md_setkey (*(md
), key
, len
);
3236 err_str
= gcry_strerror(err
);
3237 err_src
= gcry_strsource(err
);
3238 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str
, err_src
);
3245 ssl_hmac_reset(SSL_HMAC
* md
)
3252 ssl_hmac_update(SSL_HMAC
* md
, const void* data
, int len
)
3254 gcry_md_write(*(md
), data
, len
);
3257 ssl_hmac_final(SSL_HMAC
* md
, unsigned char* data
, unsigned* datalen
)
3262 algo
= gcry_md_get_algo (*(md
));
3263 len
= gcry_md_get_algo_dlen(algo
);
3264 DISSECTOR_ASSERT(len
<= *datalen
);
3265 memcpy(data
, gcry_md_read(*(md
), algo
), len
);
3269 ssl_hmac_cleanup(SSL_HMAC
* md
)
3271 gcry_md_close(*(md
));
3274 /* message digest abstraction layer*/
3275 #define SSL_MD gcry_md_hd_t
3278 ssl_md_init(SSL_MD
* md
, int algo
)
3281 const char *err_str
, *err_src
;
3282 err
= gcry_md_open(md
,algo
, 0);
3284 err_str
= gcry_strerror(err
);
3285 err_src
= gcry_strsource(err
);
3286 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str
, err_src
);
3292 ssl_md_update(SSL_MD
* md
, unsigned char* data
, int len
)
3294 gcry_md_write(*(md
), data
, len
);
3297 ssl_md_final(SSL_MD
* md
, unsigned char* data
, unsigned* datalen
)
3301 algo
= gcry_md_get_algo (*(md
));
3302 len
= gcry_md_get_algo_dlen (algo
);
3303 memcpy(data
, gcry_md_read(*(md
), algo
), len
);
3307 ssl_md_cleanup(SSL_MD
* md
)
3309 gcry_md_close(*(md
));
3313 ssl_md_reset(SSL_MD
* md
)
3318 /* md5 /sha abstraction layer */
3319 #define SSL_SHA_CTX gcry_md_hd_t
3320 #define SSL_MD5_CTX gcry_md_hd_t
3323 ssl_sha_init(SSL_SHA_CTX
* md
)
3326 const char *err_str
, *err_src
;
3327 err
= gcry_md_open(md
, GCRY_MD_SHA1
, 0);
3329 err_str
= gcry_strerror(err
);
3330 err_src
= gcry_strsource(err
);
3331 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str
, err_src
);
3337 ssl_sha_update(SSL_SHA_CTX
* md
, unsigned char* data
, int len
)
3339 gcry_md_write(*(md
), data
, len
);
3342 ssl_sha_final(unsigned char* buf
, SSL_SHA_CTX
* md
)
3344 memcpy(buf
, gcry_md_read(*(md
), GCRY_MD_SHA1
),
3345 gcry_md_get_algo_dlen(GCRY_MD_SHA1
));
3349 ssl_sha_reset(SSL_SHA_CTX
* md
)
3355 ssl_sha_cleanup(SSL_SHA_CTX
* md
)
3357 gcry_md_close(*(md
));
3361 ssl_md5_init(SSL_MD5_CTX
* md
)
3364 const char *err_str
, *err_src
;
3365 err
= gcry_md_open(md
,GCRY_MD_MD5
, 0);
3367 err_str
= gcry_strerror(err
);
3368 err_src
= gcry_strsource(err
);
3369 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str
, err_src
);
3375 ssl_md5_update(SSL_MD5_CTX
* md
, unsigned char* data
, int len
)
3377 gcry_md_write(*(md
), data
, len
);
3380 ssl_md5_final(unsigned char* buf
, SSL_MD5_CTX
* md
)
3382 memcpy(buf
, gcry_md_read(*(md
), GCRY_MD_MD5
),
3383 gcry_md_get_algo_dlen(GCRY_MD_MD5
));
3387 ssl_md5_reset(SSL_MD5_CTX
* md
)
3393 ssl_md5_cleanup(SSL_MD5_CTX
* md
)
3395 gcry_md_close(*(md
));
3397 /* libgcrypt wrappers for HMAC/message digest operations }}} */
3399 /* libgcrypt wrappers for Cipher state manipulation {{{ */
3401 ssl_cipher_setiv(SSL_CIPHER_CTX
*cipher
, unsigned char* iv
, int iv_len
)
3408 c
=(gcry_cipher_hd_t
)*cipher
;
3410 ssl_debug_printf("--------------------------------------------------------------------");
3412 for(ivp
=c
->iv
,i
=0; i
< iv_len
; i
++ )
3414 ssl_debug_printf("%d ",ivp
[i
]);
3418 ssl_debug_printf("--------------------------------------------------------------------");
3419 ret
= gcry_cipher_setiv(*(cipher
), iv
, iv_len
);
3421 for(ivp
=c
->iv
,i
=0; i
< iv_len
; i
++ )
3423 ssl_debug_printf("%d ",ivp
[i
]);
3427 ssl_debug_printf("--------------------------------------------------------------------");
3430 /* stream cipher abstraction layer*/
3432 ssl_cipher_init(gcry_cipher_hd_t
*cipher
, int algo
, unsigned char* sk
,
3433 unsigned char* iv
, int mode
)
3435 int gcry_modes
[] = {
3436 GCRY_CIPHER_MODE_STREAM
,
3437 GCRY_CIPHER_MODE_CBC
,
3438 GCRY_CIPHER_MODE_GCM
,
3439 GCRY_CIPHER_MODE_CCM
,
3440 GCRY_CIPHER_MODE_CCM
,
3441 GCRY_CIPHER_MODE_POLY1305
,
3442 GCRY_CIPHER_MODE_ECB
, /* used for DTLSv1.3 seq number encryption */
3447 *(cipher
) = (gcry_cipher_hd_t
)-1;
3450 err
= gcry_cipher_open(cipher
, algo
, gcry_modes
[mode
], 0);
3453 err
= gcry_cipher_setkey(*(cipher
), sk
, gcry_cipher_get_algo_keylen (algo
));
3456 /* AEAD cipher suites will set the nonce later. */
3457 if (mode
== MODE_CBC
) {
3458 err
= gcry_cipher_setiv(*(cipher
), iv
, gcry_cipher_get_algo_blklen(algo
));
3465 ssl_cipher_decrypt(gcry_cipher_hd_t
*cipher
, unsigned char * out
, int outl
,
3466 const unsigned char * in
, int inl
)
3468 if ((*cipher
) == (gcry_cipher_hd_t
)-1)
3471 memcpy(out
, in
, outl
< inl
? outl
: inl
);
3474 return gcry_cipher_decrypt ( *(cipher
), out
, outl
, in
, inl
);
3477 ssl_get_digest_by_name(const char*name
)
3479 return gcry_md_map_name(name
);
3482 ssl_get_cipher_by_name(const char* name
)
3484 return gcry_cipher_map_name(name
);
3488 ssl_cipher_cleanup(gcry_cipher_hd_t
*cipher
)
3490 if ((*cipher
) != (gcry_cipher_hd_t
)-1)
3491 gcry_cipher_close(*cipher
);
3496 /* Digests, Ciphers and Cipher Suites registry {{{ */
3497 static const SslDigestAlgo digests
[]={
3503 {"Not Applicable", 0},
3506 #define DIGEST_MAX_SIZE 48
3508 /* get index digest index */
3509 static const SslDigestAlgo
*
3510 ssl_cipher_suite_dig(const SslCipherSuite
*cs
) {
3511 return &digests
[cs
->dig
- DIG_MD5
];
3514 static const char *ciphers
[]={
3517 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
3518 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
3525 "CHACHA20", /* since Libgcrypt 1.7.0 */
3531 static const SslCipherSuite cipher_suites
[]={
3532 {0x0001,KEX_RSA
, ENC_NULL
, DIG_MD5
, MODE_STREAM
}, /* TLS_RSA_WITH_NULL_MD5 */
3533 {0x0002,KEX_RSA
, ENC_NULL
, DIG_SHA
, MODE_STREAM
}, /* TLS_RSA_WITH_NULL_SHA */
3534 {0x0003,KEX_RSA
, ENC_RC4
, DIG_MD5
, MODE_STREAM
}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3535 {0x0004,KEX_RSA
, ENC_RC4
, DIG_MD5
, MODE_STREAM
}, /* TLS_RSA_WITH_RC4_128_MD5 */
3536 {0x0005,KEX_RSA
, ENC_RC4
, DIG_SHA
, MODE_STREAM
}, /* TLS_RSA_WITH_RC4_128_SHA */
3537 {0x0006,KEX_RSA
, ENC_RC2
, DIG_MD5
, MODE_CBC
}, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3538 {0x0007,KEX_RSA
, ENC_IDEA
, DIG_SHA
, MODE_CBC
}, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3539 {0x0008,KEX_RSA
, ENC_DES
, DIG_SHA
, MODE_CBC
}, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3540 {0x0009,KEX_RSA
, ENC_DES
, DIG_SHA
, MODE_CBC
}, /* TLS_RSA_WITH_DES_CBC_SHA */
3541 {0x000A,KEX_RSA
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3542 {0x000B,KEX_DH_DSS
, ENC_DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3543 {0x000C,KEX_DH_DSS
, ENC_DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3544 {0x000D,KEX_DH_DSS
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3545 {0x000E,KEX_DH_RSA
, ENC_DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3546 {0x000F,KEX_DH_RSA
, ENC_DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3547 {0x0010,KEX_DH_RSA
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3548 {0x0011,KEX_DHE_DSS
, ENC_DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3549 {0x0012,KEX_DHE_DSS
, ENC_DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3550 {0x0013,KEX_DHE_DSS
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3551 {0x0014,KEX_DHE_RSA
, ENC_DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3552 {0x0015,KEX_DHE_RSA
, ENC_DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3553 {0x0016,KEX_DHE_RSA
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3554 {0x0017,KEX_DH_ANON
, ENC_RC4
, DIG_MD5
, MODE_STREAM
}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3555 {0x0018,KEX_DH_ANON
, ENC_RC4
, DIG_MD5
, MODE_STREAM
}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3556 {0x0019,KEX_DH_ANON
, ENC_DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3557 {0x001A,KEX_DH_ANON
, ENC_DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3558 {0x001B,KEX_DH_ANON
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3559 {0x002C,KEX_PSK
, ENC_NULL
, DIG_SHA
, MODE_STREAM
}, /* TLS_PSK_WITH_NULL_SHA */
3560 {0x002D,KEX_DHE_PSK
, ENC_NULL
, DIG_SHA
, MODE_STREAM
}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3561 {0x002E,KEX_RSA_PSK
, ENC_NULL
, DIG_SHA
, MODE_STREAM
}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3562 {0x002F,KEX_RSA
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3563 {0x0030,KEX_DH_DSS
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3564 {0x0031,KEX_DH_RSA
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3565 {0x0032,KEX_DHE_DSS
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3566 {0x0033,KEX_DHE_RSA
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3567 {0x0034,KEX_DH_ANON
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3568 {0x0035,KEX_RSA
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3569 {0x0036,KEX_DH_DSS
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3570 {0x0037,KEX_DH_RSA
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3571 {0x0038,KEX_DHE_DSS
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3572 {0x0039,KEX_DHE_RSA
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3573 {0x003A,KEX_DH_ANON
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3574 {0x003B,KEX_RSA
, ENC_NULL
, DIG_SHA256
, MODE_STREAM
}, /* TLS_RSA_WITH_NULL_SHA256 */
3575 {0x003C,KEX_RSA
, ENC_AES
, DIG_SHA256
, MODE_CBC
}, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3576 {0x003D,KEX_RSA
, ENC_AES256
, DIG_SHA256
, MODE_CBC
}, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3577 {0x003E,KEX_DH_DSS
, ENC_AES
, DIG_SHA256
, MODE_CBC
}, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3578 {0x003F,KEX_DH_RSA
, ENC_AES
, DIG_SHA256
, MODE_CBC
}, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3579 {0x0040,KEX_DHE_DSS
, ENC_AES
, DIG_SHA256
, MODE_CBC
}, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3580 {0x0041,KEX_RSA
, ENC_CAMELLIA128
,DIG_SHA
, MODE_CBC
}, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3581 {0x0042,KEX_DH_DSS
, ENC_CAMELLIA128
,DIG_SHA
, MODE_CBC
}, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3582 {0x0043,KEX_DH_RSA
, ENC_CAMELLIA128
,DIG_SHA
, MODE_CBC
}, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3583 {0x0044,KEX_DHE_DSS
, ENC_CAMELLIA128
,DIG_SHA
, MODE_CBC
}, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3584 {0x0045,KEX_DHE_RSA
, ENC_CAMELLIA128
,DIG_SHA
, MODE_CBC
}, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3585 {0x0046,KEX_DH_ANON
, ENC_CAMELLIA128
,DIG_SHA
, MODE_CBC
}, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3586 {0x0060,KEX_RSA
, ENC_RC4
, DIG_MD5
, MODE_STREAM
}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3587 {0x0061,KEX_RSA
, ENC_RC2
, DIG_MD5
, MODE_STREAM
}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3588 {0x0062,KEX_RSA
, ENC_DES
, DIG_SHA
, MODE_CBC
}, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3589 {0x0063,KEX_DHE_DSS
, ENC_DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3590 {0x0064,KEX_RSA
, ENC_RC4
, DIG_SHA
, MODE_STREAM
}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3591 {0x0065,KEX_DHE_DSS
, ENC_RC4
, DIG_SHA
, MODE_STREAM
}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3592 {0x0066,KEX_DHE_DSS
, ENC_RC4
, DIG_SHA
, MODE_STREAM
}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3593 {0x0067,KEX_DHE_RSA
, ENC_AES
, DIG_SHA256
, MODE_CBC
}, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3594 {0x0068,KEX_DH_DSS
, ENC_AES256
, DIG_SHA256
, MODE_CBC
}, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3595 {0x0069,KEX_DH_RSA
, ENC_AES256
, DIG_SHA256
, MODE_CBC
}, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3596 {0x006A,KEX_DHE_DSS
, ENC_AES256
, DIG_SHA256
, MODE_CBC
}, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3597 {0x006B,KEX_DHE_RSA
, ENC_AES256
, DIG_SHA256
, MODE_CBC
}, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3598 {0x006C,KEX_DH_ANON
, ENC_AES
, DIG_SHA256
, MODE_CBC
}, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3599 {0x006D,KEX_DH_ANON
, ENC_AES256
, DIG_SHA256
, MODE_CBC
}, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3600 {0x0084,KEX_RSA
, ENC_CAMELLIA256
,DIG_SHA
, MODE_CBC
}, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3601 {0x0085,KEX_DH_DSS
, ENC_CAMELLIA256
,DIG_SHA
, MODE_CBC
}, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3602 {0x0086,KEX_DH_RSA
, ENC_CAMELLIA256
,DIG_SHA
, MODE_CBC
}, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3603 {0x0087,KEX_DHE_DSS
, ENC_CAMELLIA256
,DIG_SHA
, MODE_CBC
}, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3604 {0x0088,KEX_DHE_RSA
, ENC_CAMELLIA256
,DIG_SHA
, MODE_CBC
}, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3605 {0x0089,KEX_DH_ANON
, ENC_CAMELLIA256
,DIG_SHA
, MODE_CBC
}, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3606 {0x008A,KEX_PSK
, ENC_RC4
, DIG_SHA
, MODE_STREAM
}, /* TLS_PSK_WITH_RC4_128_SHA */
3607 {0x008B,KEX_PSK
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3608 {0x008C,KEX_PSK
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3609 {0x008D,KEX_PSK
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3610 {0x008E,KEX_DHE_PSK
, ENC_RC4
, DIG_SHA
, MODE_STREAM
}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3611 {0x008F,KEX_DHE_PSK
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3612 {0x0090,KEX_DHE_PSK
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3613 {0x0091,KEX_DHE_PSK
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3614 {0x0092,KEX_RSA_PSK
, ENC_RC4
, DIG_SHA
, MODE_STREAM
}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3615 {0x0093,KEX_RSA_PSK
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3616 {0x0094,KEX_RSA_PSK
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3617 {0x0095,KEX_RSA_PSK
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3618 {0x0096,KEX_RSA
, ENC_SEED
, DIG_SHA
, MODE_CBC
}, /* TLS_RSA_WITH_SEED_CBC_SHA */
3619 {0x0097,KEX_DH_DSS
, ENC_SEED
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3620 {0x0098,KEX_DH_RSA
, ENC_SEED
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3621 {0x0099,KEX_DHE_DSS
, ENC_SEED
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3622 {0x009A,KEX_DHE_RSA
, ENC_SEED
, DIG_SHA
, MODE_CBC
}, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3623 {0x009B,KEX_DH_ANON
, ENC_SEED
, DIG_SHA
, MODE_CBC
}, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3624 {0x009C,KEX_RSA
, ENC_AES
, DIG_SHA256
, MODE_GCM
}, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3625 {0x009D,KEX_RSA
, ENC_AES256
, DIG_SHA384
, MODE_GCM
}, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3626 {0x009E,KEX_DHE_RSA
, ENC_AES
, DIG_SHA256
, MODE_GCM
}, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3627 {0x009F,KEX_DHE_RSA
, ENC_AES256
, DIG_SHA384
, MODE_GCM
}, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3628 {0x00A0,KEX_DH_RSA
, ENC_AES
, DIG_SHA256
, MODE_GCM
}, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3629 {0x00A1,KEX_DH_RSA
, ENC_AES256
, DIG_SHA384
, MODE_GCM
}, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3630 {0x00A2,KEX_DHE_DSS
, ENC_AES
, DIG_SHA256
, MODE_GCM
}, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3631 {0x00A3,KEX_DHE_DSS
, ENC_AES256
, DIG_SHA384
, MODE_GCM
}, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3632 {0x00A4,KEX_DH_DSS
, ENC_AES
, DIG_SHA256
, MODE_GCM
}, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3633 {0x00A5,KEX_DH_DSS
, ENC_AES256
, DIG_SHA384
, MODE_GCM
}, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3634 {0x00A6,KEX_DH_ANON
, ENC_AES
, DIG_SHA256
, MODE_GCM
}, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3635 {0x00A7,KEX_DH_ANON
, ENC_AES256
, DIG_SHA384
, MODE_GCM
}, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3636 {0x00A8,KEX_PSK
, ENC_AES
, DIG_SHA256
, MODE_GCM
}, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3637 {0x00A9,KEX_PSK
, ENC_AES256
, DIG_SHA384
, MODE_GCM
}, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3638 {0x00AA,KEX_DHE_PSK
, ENC_AES
, DIG_SHA256
, MODE_GCM
}, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3639 {0x00AB,KEX_DHE_PSK
, ENC_AES256
, DIG_SHA384
, MODE_GCM
}, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3640 {0x00AC,KEX_RSA_PSK
, ENC_AES
, DIG_SHA256
, MODE_GCM
}, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3641 {0x00AD,KEX_RSA_PSK
, ENC_AES256
, DIG_SHA384
, MODE_GCM
}, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3642 {0x00AE,KEX_PSK
, ENC_AES
, DIG_SHA256
, MODE_CBC
}, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3643 {0x00AF,KEX_PSK
, ENC_AES256
, DIG_SHA384
, MODE_CBC
}, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3644 {0x00B0,KEX_PSK
, ENC_NULL
, DIG_SHA256
, MODE_STREAM
}, /* TLS_PSK_WITH_NULL_SHA256 */
3645 {0x00B1,KEX_PSK
, ENC_NULL
, DIG_SHA384
, MODE_STREAM
}, /* TLS_PSK_WITH_NULL_SHA384 */
3646 {0x00B2,KEX_DHE_PSK
, ENC_AES
, DIG_SHA256
, MODE_CBC
}, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3647 {0x00B3,KEX_DHE_PSK
, ENC_AES256
, DIG_SHA384
, MODE_CBC
}, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3648 {0x00B4,KEX_DHE_PSK
, ENC_NULL
, DIG_SHA256
, MODE_STREAM
}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3649 {0x00B5,KEX_DHE_PSK
, ENC_NULL
, DIG_SHA384
, MODE_STREAM
}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3650 {0x00B6,KEX_RSA_PSK
, ENC_AES
, DIG_SHA256
, MODE_CBC
}, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3651 {0x00B7,KEX_RSA_PSK
, ENC_AES256
, DIG_SHA384
, MODE_CBC
}, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3652 {0x00B8,KEX_RSA_PSK
, ENC_NULL
, DIG_SHA256
, MODE_STREAM
}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3653 {0x00B9,KEX_RSA_PSK
, ENC_NULL
, DIG_SHA384
, MODE_STREAM
}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3654 {0x00BA,KEX_RSA
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_CBC
}, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3655 {0x00BB,KEX_DH_DSS
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_CBC
}, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3656 {0x00BC,KEX_DH_RSA
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_CBC
}, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3657 {0x00BD,KEX_DHE_DSS
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_CBC
}, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3658 {0x00BE,KEX_DHE_RSA
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_CBC
}, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3659 {0x00BF,KEX_DH_ANON
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_CBC
}, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3660 {0x00C0,KEX_RSA
, ENC_CAMELLIA256
,DIG_SHA256
, MODE_CBC
}, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3661 {0x00C1,KEX_DH_DSS
, ENC_CAMELLIA256
,DIG_SHA256
, MODE_CBC
}, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3662 {0x00C2,KEX_DH_RSA
, ENC_CAMELLIA256
,DIG_SHA256
, MODE_CBC
}, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3663 {0x00C3,KEX_DHE_DSS
, ENC_CAMELLIA256
,DIG_SHA256
, MODE_CBC
}, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3664 {0x00C4,KEX_DHE_RSA
, ENC_CAMELLIA256
,DIG_SHA256
, MODE_CBC
}, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3665 {0x00C5,KEX_DH_ANON
, ENC_CAMELLIA256
,DIG_SHA256
, MODE_CBC
}, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3667 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3668 {0x1301,KEX_TLS13
, ENC_AES
, DIG_SHA256
, MODE_GCM
}, /* TLS_AES_128_GCM_SHA256 */
3669 {0x1302,KEX_TLS13
, ENC_AES256
, DIG_SHA384
, MODE_GCM
}, /* TLS_AES_256_GCM_SHA384 */
3670 {0x1303,KEX_TLS13
, ENC_CHACHA20
, DIG_SHA256
, MODE_POLY1305
}, /* TLS_CHACHA20_POLY1305_SHA256 */
3671 {0x1304,KEX_TLS13
, ENC_AES
, DIG_SHA256
, MODE_CCM
}, /* TLS_AES_128_CCM_SHA256 */
3672 {0x1305,KEX_TLS13
, ENC_AES
, DIG_SHA256
, MODE_CCM_8
}, /* TLS_AES_128_CCM_8_SHA256 */
3673 {0x00C6,KEX_TLS13
, ENC_SM4
, DIG_SM3
, MODE_GCM
}, /* TLS_SM4_GCM_SM3 */
3675 {0xC001,KEX_ECDH_ECDSA
, ENC_NULL
, DIG_SHA
, MODE_STREAM
}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3676 {0xC002,KEX_ECDH_ECDSA
, ENC_RC4
, DIG_SHA
, MODE_STREAM
}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3677 {0xC003,KEX_ECDH_ECDSA
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3678 {0xC004,KEX_ECDH_ECDSA
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3679 {0xC005,KEX_ECDH_ECDSA
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3680 {0xC006,KEX_ECDHE_ECDSA
, ENC_NULL
, DIG_SHA
, MODE_STREAM
}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3681 {0xC007,KEX_ECDHE_ECDSA
, ENC_RC4
, DIG_SHA
, MODE_STREAM
}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3682 {0xC008,KEX_ECDHE_ECDSA
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3683 {0xC009,KEX_ECDHE_ECDSA
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3684 {0xC00A,KEX_ECDHE_ECDSA
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3685 {0xC00B,KEX_ECDH_RSA
, ENC_NULL
, DIG_SHA
, MODE_STREAM
}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3686 {0xC00C,KEX_ECDH_RSA
, ENC_RC4
, DIG_SHA
, MODE_STREAM
}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3687 {0xC00D,KEX_ECDH_RSA
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3688 {0xC00E,KEX_ECDH_RSA
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3689 {0xC00F,KEX_ECDH_RSA
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3690 {0xC0FF,KEX_ECJPAKE
, ENC_AES
, DIG_NA
, MODE_CCM_8
}, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3691 {0xC010,KEX_ECDHE_RSA
, ENC_NULL
, DIG_SHA
, MODE_STREAM
}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3692 {0xC011,KEX_ECDHE_RSA
, ENC_RC4
, DIG_SHA
, MODE_STREAM
}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3693 {0xC012,KEX_ECDHE_RSA
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3694 {0xC013,KEX_ECDHE_RSA
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3695 {0xC014,KEX_ECDHE_RSA
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3696 {0xC015,KEX_ECDH_ANON
, ENC_NULL
, DIG_SHA
, MODE_STREAM
}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3697 {0xC016,KEX_ECDH_ANON
, ENC_RC4
, DIG_SHA
, MODE_STREAM
}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3698 {0xC017,KEX_ECDH_ANON
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3699 {0xC018,KEX_ECDH_ANON
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3700 {0xC019,KEX_ECDH_ANON
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3701 {0xC01A,KEX_SRP_SHA
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3702 {0xC01B,KEX_SRP_SHA_RSA
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3703 {0xC01C,KEX_SRP_SHA_DSS
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3704 {0xC01D,KEX_SRP_SHA
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3705 {0xC01E,KEX_SRP_SHA_RSA
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3706 {0xC01F,KEX_SRP_SHA_DSS
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3707 {0xC020,KEX_SRP_SHA
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3708 {0xC021,KEX_SRP_SHA_RSA
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3709 {0xC022,KEX_SRP_SHA_DSS
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3710 {0xC023,KEX_ECDHE_ECDSA
, ENC_AES
, DIG_SHA256
, MODE_CBC
}, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3711 {0xC024,KEX_ECDHE_ECDSA
, ENC_AES256
, DIG_SHA384
, MODE_CBC
}, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3712 {0xC025,KEX_ECDH_ECDSA
, ENC_AES
, DIG_SHA256
, MODE_CBC
}, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3713 {0xC026,KEX_ECDH_ECDSA
, ENC_AES256
, DIG_SHA384
, MODE_CBC
}, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3714 {0xC027,KEX_ECDHE_RSA
, ENC_AES
, DIG_SHA256
, MODE_CBC
}, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3715 {0xC028,KEX_ECDHE_RSA
, ENC_AES256
, DIG_SHA384
, MODE_CBC
}, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3716 {0xC029,KEX_ECDH_RSA
, ENC_AES
, DIG_SHA256
, MODE_CBC
}, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3717 {0xC02A,KEX_ECDH_RSA
, ENC_AES256
, DIG_SHA384
, MODE_CBC
}, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3718 {0xC02B,KEX_ECDHE_ECDSA
, ENC_AES
, DIG_SHA256
, MODE_GCM
}, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3719 {0xC02C,KEX_ECDHE_ECDSA
, ENC_AES256
, DIG_SHA384
, MODE_GCM
}, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3720 {0xC02D,KEX_ECDH_ECDSA
, ENC_AES
, DIG_SHA256
, MODE_GCM
}, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3721 {0xC02E,KEX_ECDH_ECDSA
, ENC_AES256
, DIG_SHA384
, MODE_GCM
}, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3722 {0xC02F,KEX_ECDHE_RSA
, ENC_AES
, DIG_SHA256
, MODE_GCM
}, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3723 {0xC030,KEX_ECDHE_RSA
, ENC_AES256
, DIG_SHA384
, MODE_GCM
}, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3724 {0xC031,KEX_ECDH_RSA
, ENC_AES
, DIG_SHA256
, MODE_GCM
}, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3725 {0xC032,KEX_ECDH_RSA
, ENC_AES256
, DIG_SHA384
, MODE_GCM
}, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3726 {0xC033,KEX_ECDHE_PSK
, ENC_RC4
, DIG_SHA
, MODE_STREAM
}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3727 {0xC034,KEX_ECDHE_PSK
, ENC_3DES
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3728 {0xC035,KEX_ECDHE_PSK
, ENC_AES
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3729 {0xC036,KEX_ECDHE_PSK
, ENC_AES256
, DIG_SHA
, MODE_CBC
}, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3730 {0xC037,KEX_ECDHE_PSK
, ENC_AES
, DIG_SHA256
, MODE_CBC
}, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3731 {0xC038,KEX_ECDHE_PSK
, ENC_AES256
, DIG_SHA384
, MODE_CBC
}, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3732 {0xC039,KEX_ECDHE_PSK
, ENC_NULL
, DIG_SHA
, MODE_STREAM
}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3733 {0xC03A,KEX_ECDHE_PSK
, ENC_NULL
, DIG_SHA256
, MODE_STREAM
}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3734 {0xC03B,KEX_ECDHE_PSK
, ENC_NULL
, DIG_SHA384
, MODE_STREAM
}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3735 {0xC072,KEX_ECDHE_ECDSA
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_CBC
}, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3736 {0xC073,KEX_ECDHE_ECDSA
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_CBC
}, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3737 {0xC074,KEX_ECDH_ECDSA
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_CBC
}, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3738 {0xC075,KEX_ECDH_ECDSA
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_CBC
}, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3739 {0xC076,KEX_ECDHE_RSA
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_CBC
}, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3740 {0xC077,KEX_ECDHE_RSA
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_CBC
}, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3741 {0xC078,KEX_ECDH_RSA
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_CBC
}, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3742 {0xC079,KEX_ECDH_RSA
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_CBC
}, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3743 {0xC07A,KEX_RSA
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_GCM
}, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3744 {0xC07B,KEX_RSA
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_GCM
}, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3745 {0xC07C,KEX_DHE_RSA
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_GCM
}, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3746 {0xC07D,KEX_DHE_RSA
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_GCM
}, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3747 {0xC07E,KEX_DH_RSA
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_GCM
}, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3748 {0xC07F,KEX_DH_RSA
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_GCM
}, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3749 {0xC080,KEX_DHE_DSS
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_GCM
}, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3750 {0xC081,KEX_DHE_DSS
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_GCM
}, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3751 {0xC082,KEX_DH_DSS
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_GCM
}, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3752 {0xC083,KEX_DH_DSS
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_GCM
}, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3753 {0xC084,KEX_DH_ANON
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_GCM
}, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3754 {0xC085,KEX_DH_ANON
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_GCM
}, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3755 {0xC086,KEX_ECDHE_ECDSA
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_GCM
}, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3756 {0xC087,KEX_ECDHE_ECDSA
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_GCM
}, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3757 {0xC088,KEX_ECDH_ECDSA
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_GCM
}, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3758 {0xC089,KEX_ECDH_ECDSA
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_GCM
}, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3759 {0xC08A,KEX_ECDHE_RSA
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_GCM
}, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3760 {0xC08B,KEX_ECDHE_RSA
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_GCM
}, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3761 {0xC08C,KEX_ECDH_RSA
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_GCM
}, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3762 {0xC08D,KEX_ECDH_RSA
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_GCM
}, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3763 {0xC08E,KEX_PSK
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_GCM
}, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3764 {0xC08F,KEX_PSK
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_GCM
}, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3765 {0xC090,KEX_DHE_PSK
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_GCM
}, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3766 {0xC091,KEX_DHE_PSK
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_GCM
}, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3767 {0xC092,KEX_RSA_PSK
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_GCM
}, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3768 {0xC093,KEX_RSA_PSK
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_GCM
}, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3769 {0xC094,KEX_PSK
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_CBC
}, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3770 {0xC095,KEX_PSK
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_CBC
}, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3771 {0xC096,KEX_DHE_PSK
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_CBC
}, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3772 {0xC097,KEX_DHE_PSK
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_CBC
}, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3773 {0xC098,KEX_RSA_PSK
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_CBC
}, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3774 {0xC099,KEX_RSA_PSK
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_CBC
}, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3775 {0xC09A,KEX_ECDHE_PSK
, ENC_CAMELLIA128
,DIG_SHA256
, MODE_CBC
}, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3776 {0xC09B,KEX_ECDHE_PSK
, ENC_CAMELLIA256
,DIG_SHA384
, MODE_CBC
}, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3777 {0xC09C,KEX_RSA
, ENC_AES
, DIG_NA
, MODE_CCM
}, /* TLS_RSA_WITH_AES_128_CCM */
3778 {0xC09D,KEX_RSA
, ENC_AES256
, DIG_NA
, MODE_CCM
}, /* TLS_RSA_WITH_AES_256_CCM */
3779 {0xC09E,KEX_DHE_RSA
, ENC_AES
, DIG_NA
, MODE_CCM
}, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3780 {0xC09F,KEX_DHE_RSA
, ENC_AES256
, DIG_NA
, MODE_CCM
}, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3781 {0xC0A0,KEX_RSA
, ENC_AES
, DIG_NA
, MODE_CCM_8
}, /* TLS_RSA_WITH_AES_128_CCM_8 */
3782 {0xC0A1,KEX_RSA
, ENC_AES256
, DIG_NA
, MODE_CCM_8
}, /* TLS_RSA_WITH_AES_256_CCM_8 */
3783 {0xC0A2,KEX_DHE_RSA
, ENC_AES
, DIG_NA
, MODE_CCM_8
}, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3784 {0xC0A3,KEX_DHE_RSA
, ENC_AES256
, DIG_NA
, MODE_CCM_8
}, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3785 {0xC0A4,KEX_PSK
, ENC_AES
, DIG_NA
, MODE_CCM
}, /* TLS_PSK_WITH_AES_128_CCM */
3786 {0xC0A5,KEX_PSK
, ENC_AES256
, DIG_NA
, MODE_CCM
}, /* TLS_PSK_WITH_AES_256_CCM */
3787 {0xC0A6,KEX_DHE_PSK
, ENC_AES
, DIG_NA
, MODE_CCM
}, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3788 {0xC0A7,KEX_DHE_PSK
, ENC_AES256
, DIG_NA
, MODE_CCM
}, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3789 {0xC0A8,KEX_PSK
, ENC_AES
, DIG_NA
, MODE_CCM_8
}, /* TLS_PSK_WITH_AES_128_CCM_8 */
3790 {0xC0A9,KEX_PSK
, ENC_AES256
, DIG_NA
, MODE_CCM_8
}, /* TLS_PSK_WITH_AES_256_CCM_8 */
3791 {0xC0AA,KEX_DHE_PSK
, ENC_AES
, DIG_NA
, MODE_CCM_8
}, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3792 {0xC0AB,KEX_DHE_PSK
, ENC_AES256
, DIG_NA
, MODE_CCM_8
}, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3793 {0xC0AC,KEX_ECDHE_ECDSA
, ENC_AES
, DIG_NA
, MODE_CCM
}, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3794 {0xC0AD,KEX_ECDHE_ECDSA
, ENC_AES256
, DIG_NA
, MODE_CCM
}, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3795 {0xC0AE,KEX_ECDHE_ECDSA
, ENC_AES
, DIG_NA
, MODE_CCM_8
}, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3796 {0xC0AF,KEX_ECDHE_ECDSA
, ENC_AES256
, DIG_NA
, MODE_CCM_8
}, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3797 {0xCCA8,KEX_ECDHE_RSA
, ENC_CHACHA20
, DIG_SHA256
, MODE_POLY1305
}, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3798 {0xCCA9,KEX_ECDHE_ECDSA
, ENC_CHACHA20
, DIG_SHA256
, MODE_POLY1305
}, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3799 {0xCCAA,KEX_DHE_RSA
, ENC_CHACHA20
, DIG_SHA256
, MODE_POLY1305
}, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3800 {0xCCAB,KEX_PSK
, ENC_CHACHA20
, DIG_SHA256
, MODE_POLY1305
}, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3801 {0xCCAC,KEX_ECDHE_PSK
, ENC_CHACHA20
, DIG_SHA256
, MODE_POLY1305
}, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3802 {0xCCAD,KEX_DHE_PSK
, ENC_CHACHA20
, DIG_SHA256
, MODE_POLY1305
}, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3803 {0xCCAE,KEX_RSA_PSK
, ENC_CHACHA20
, DIG_SHA256
, MODE_POLY1305
}, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3804 {0xD001,KEX_ECDHE_PSK
, ENC_AES
, DIG_SHA256
, MODE_GCM
}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3805 {0xD002,KEX_ECDHE_PSK
, ENC_AES256
, DIG_SHA384
, MODE_GCM
}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3806 {0xD003,KEX_ECDHE_PSK
, ENC_AES
, DIG_SHA256
, MODE_CCM_8
}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3807 {0xD005,KEX_ECDHE_PSK
, ENC_AES
, DIG_SHA256
, MODE_CCM
}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3809 {0xe001,KEX_ECDHE_SM2
, ENC_SM1
, DIG_SM3
, MODE_CBC
}, /* ECDHE_SM1_SM3 */
3810 {0xe003,KEX_ECC_SM2
, ENC_SM1
, DIG_SM3
, MODE_CBC
}, /* ECC_SM1_SM3 */
3811 {0xe005,KEX_IBSDH_SM9
, ENC_SM1
, DIG_SM3
, MODE_CBC
}, /* IBSDH_SM1_SM3 */
3812 {0xe007,KEX_IBC_SM9
, ENC_SM1
, DIG_SM3
, MODE_CBC
}, /* IBC_SM1_SM3 */
3813 {0xe009,KEX_RSA
, ENC_SM1
, DIG_SM3
, MODE_CBC
}, /* RSA_SM1_SM3 */
3814 {0xe00a,KEX_RSA
, ENC_SM1
, DIG_SHA
, MODE_CBC
}, /* RSA_SM1_SHA1 */
3815 {0xe011,KEX_ECDHE_SM2
, ENC_SM4
, DIG_SM3
, MODE_CBC
}, /* ECDHE_SM4_CBC_SM3 */
3816 {0xe013,KEX_ECC_SM2
, ENC_SM4
, DIG_SM3
, MODE_CBC
}, /* ECC_SM4_CBC_SM3 */
3817 {0xe015,KEX_IBSDH_SM9
, ENC_SM4
, DIG_SM3
, MODE_CBC
}, /* IBSDH_SM4_CBC_SM3 */
3818 {0xe017,KEX_IBC_SM9
, ENC_SM4
, DIG_SM3
, MODE_CBC
}, /* IBC_SM4_CBC_SM3 */
3819 {0xe019,KEX_RSA
, ENC_SM4
, DIG_SM3
, MODE_CBC
}, /* RSA_SM4_CBC_SM3 */
3820 {0xe01a,KEX_RSA
, ENC_SM4
, DIG_SHA
, MODE_CBC
}, /* RSA_SM4_CBC_SHA1 */
3821 {0xe01c,KEX_RSA
, ENC_SM4
, DIG_SHA256
, MODE_CBC
}, /* RSA_SM4_CBC_SHA256 */
3822 {0xe051,KEX_ECDHE_SM2
, ENC_SM4
, DIG_SM3
, MODE_GCM
}, /* ECDHE_SM4_GCM_SM3 */
3823 {0xe053,KEX_ECC_SM2
, ENC_SM4
, DIG_SM3
, MODE_GCM
}, /* ECC_SM4_GCM_SM3 */
3824 {0xe055,KEX_IBSDH_SM9
, ENC_SM4
, DIG_SM3
, MODE_GCM
}, /* IBSDH_SM4_GCM_SM3 */
3825 {0xe057,KEX_IBC_SM9
, ENC_SM4
, DIG_SM3
, MODE_GCM
}, /* IBC_SM4_GCM_SM3 */
3826 {0xe059,KEX_RSA
, ENC_SM4
, DIG_SM3
, MODE_GCM
}, /* RSA_SM4_GCM_SM3 */
3827 {0xe05a,KEX_RSA
, ENC_SM4
, DIG_SHA256
, MODE_GCM
}, /* RSA_SM4_GCM_SHA256 */
3828 {-1, 0, 0, 0, MODE_STREAM
}
3831 #define MAX_BLOCK_SIZE 16
3832 #define MAX_KEY_SIZE 32
3834 const SslCipherSuite
*
3835 ssl_find_cipher(int num
)
3837 const SslCipherSuite
*c
;
3838 for(c
=cipher_suites
;c
->number
!=-1;c
++){
3848 ssl_get_cipher_algo(const SslCipherSuite
*cipher_suite
)
3850 return gcry_cipher_map_name(ciphers
[cipher_suite
->enc
- ENC_START
]);
3854 ssl_get_cipher_blocksize(const SslCipherSuite
*cipher_suite
)
3857 if (cipher_suite
->mode
!= MODE_CBC
) return 0;
3858 cipher_algo
= ssl_get_cipher_by_name(ciphers
[cipher_suite
->enc
- ENC_START
]);
3859 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo
);
3863 ssl_get_cipher_export_keymat_size(int cipher_suite_num
)
3865 switch (cipher_suite_num
) {
3866 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
3867 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3868 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3869 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3870 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3871 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3872 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3873 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3874 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3875 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3878 /* not defined in below draft, but "implemented by several vendors",
3879 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
3880 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3881 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3884 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
3885 * used 7. Until a pcap proves 8, let's use the old value. Link:
3886 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
3887 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3888 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3889 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3890 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3898 /* Digests, Ciphers and Cipher Suites registry }}} */
3901 /* HMAC and the Pseudorandom function {{{ */
3903 tls_hash(StringInfo
*secret
, StringInfo
*seed
, int md
,
3904 StringInfo
*out
, unsigned out_len
)
3906 /* RFC 2246 5. HMAC and the pseudorandom function
3907 * '+' denotes concatenation.
3908 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
3909 * HMAC_hash(secret, A(2) + seed) + ...
3911 * A(i) = HMAC_hash(secret, A(i - 1))
3914 unsigned left
, tocpy
;
3916 uint8_t _A
[DIGEST_MAX_SIZE
], tmp
[DIGEST_MAX_SIZE
];
3917 unsigned A_l
, tmp_l
;
3923 ssl_print_string("tls_hash: hash secret", secret
);
3924 ssl_print_string("tls_hash: hash seed", seed
);
3927 A_l
= seed
->data_len
;
3929 if (ssl_hmac_init(&hm
, md
) != 0) {
3933 /* A(i) = HMAC_hash(secret, A(i-1)) */
3934 ssl_hmac_setkey(&hm
, secret
->data
, secret
->data_len
);
3935 ssl_hmac_update(&hm
, A
, A_l
);
3936 A_l
= sizeof(_A
); /* upper bound len for hash output */
3937 ssl_hmac_final(&hm
, _A
, &A_l
);
3940 /* HMAC_hash(secret, A(i) + seed) */
3941 ssl_hmac_reset(&hm
);
3942 ssl_hmac_setkey(&hm
, secret
->data
, secret
->data_len
);
3943 ssl_hmac_update(&hm
, A
, A_l
);
3944 ssl_hmac_update(&hm
, seed
->data
, seed
->data_len
);
3945 tmp_l
= sizeof(tmp
); /* upper bound len for hash output */
3946 ssl_hmac_final(&hm
, tmp
, &tmp_l
);
3947 ssl_hmac_reset(&hm
);
3949 /* ssl_hmac_final puts the actual digest output size in tmp_l */
3950 tocpy
= MIN(left
, tmp_l
);
3951 memcpy(ptr
, tmp
, tocpy
);
3955 ssl_hmac_cleanup(&hm
);
3956 out
->data_len
= out_len
;
3958 ssl_print_string("hash out", out
);
3963 tls_prf(StringInfo
* secret
, const char *usage
,
3964 StringInfo
* rnd1
, StringInfo
* rnd2
, StringInfo
* out
, unsigned out_len
)
3966 StringInfo seed
, sha_out
, md5_out
;
3970 size_t usage_len
, rnd2_len
;
3971 bool success
= false;
3972 usage_len
= strlen(usage
);
3973 rnd2_len
= rnd2
? rnd2
->data_len
: 0;
3975 /* initialize buffer for sha, md5 random seed*/
3976 if (ssl_data_alloc(&sha_out
, MAX(out_len
, 20)) < 0) {
3977 ssl_debug_printf("tls_prf: can't allocate sha out\n");
3980 if (ssl_data_alloc(&md5_out
, MAX(out_len
, 16)) < 0) {
3981 ssl_debug_printf("tls_prf: can't allocate md5 out\n");
3984 if (ssl_data_alloc(&seed
, usage_len
+rnd1
->data_len
+rnd2_len
) < 0) {
3985 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
3986 (int) (usage_len
+rnd1
->data_len
+rnd2_len
));
3991 memcpy(ptr
,usage
,usage_len
);
3993 memcpy(ptr
,rnd1
->data
,rnd1
->data_len
);
3995 ptr
+=rnd1
->data_len
;
3996 memcpy(ptr
,rnd2
->data
,rnd2
->data_len
);
3997 /*ptr+=rnd2->data_len;*/
4000 /* initialize buffer for client/server seeds*/
4001 s_l
=secret
->data_len
/2 + secret
->data_len
%2;
4002 if (ssl_data_alloc(&s1
, s_l
) < 0) {
4003 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l
);
4006 if (ssl_data_alloc(&s2
, s_l
) < 0) {
4007 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l
);
4011 memcpy(s1
.data
,secret
->data
,s_l
);
4012 memcpy(s2
.data
,secret
->data
+ (secret
->data_len
- s_l
),s_l
);
4014 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1
.data_len
, seed
.data_len
);
4015 if(tls_hash(&s1
, &seed
, ssl_get_digest_by_name("MD5"), &md5_out
, out_len
) != 0)
4017 ssl_debug_printf("tls_prf: tls_hash(sha)\n");
4018 if(tls_hash(&s2
, &seed
, ssl_get_digest_by_name("SHA1"), &sha_out
, out_len
) != 0)
4021 for (i
= 0; i
< out_len
; i
++)
4022 out
->data
[i
] = md5_out
.data
[i
] ^ sha_out
.data
[i
];
4023 /* success, now store the new meaningful data length */
4024 out
->data_len
= out_len
;
4027 ssl_print_string("PRF out",out
);
4035 g_free(md5_out
.data
);
4037 g_free(sha_out
.data
);
4042 tls12_prf(int md
, StringInfo
* secret
, const char* usage
,
4043 StringInfo
* rnd1
, StringInfo
* rnd2
, StringInfo
* out
, unsigned out_len
)
4045 StringInfo label_seed
;
4047 size_t usage_len
, rnd2_len
;
4048 rnd2_len
= rnd2
? rnd2
->data_len
: 0;
4050 usage_len
= strlen(usage
);
4051 if (ssl_data_alloc(&label_seed
, usage_len
+rnd1
->data_len
+rnd2_len
) < 0) {
4052 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
4055 memcpy(label_seed
.data
, usage
, usage_len
);
4056 memcpy(label_seed
.data
+usage_len
, rnd1
->data
, rnd1
->data_len
);
4058 memcpy(label_seed
.data
+usage_len
+rnd1
->data_len
, rnd2
->data
, rnd2
->data_len
);
4060 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md
), secret
->data_len
, label_seed
.data_len
);
4061 success
= tls_hash(secret
, &label_seed
, md
, out
, out_len
);
4062 g_free(label_seed
.data
);
4064 ssl_print_string("PRF out", out
);
4071 ssl3_generate_export_iv(StringInfo
*r1
, StringInfo
*r2
,
4072 StringInfo
*out
, unsigned out_len
)
4077 if (ssl_md5_init(&md5
) != 0) {
4080 ssl_md5_update(&md5
,r1
->data
,r1
->data_len
);
4081 ssl_md5_update(&md5
,r2
->data
,r2
->data_len
);
4082 ssl_md5_final(tmp
,&md5
);
4083 ssl_md5_cleanup(&md5
);
4085 DISSECTOR_ASSERT(out_len
<= sizeof(tmp
));
4086 ssl_data_set(out
, tmp
, out_len
);
4087 ssl_print_string("export iv", out
);
4092 ssl3_prf(StringInfo
* secret
, const char* usage
,
4093 StringInfo
* rnd1
, StringInfo
* rnd2
, StringInfo
* out
, unsigned out_len
)
4101 if (ssl_sha_init(&sha
) != 0) {
4104 if (ssl_md5_init(&md5
) != 0) {
4105 ssl_sha_cleanup(&sha
);
4108 for (off
= 0; off
< out_len
; off
+= 16) {
4109 unsigned char outbuf
[16];
4112 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i
);
4113 /* A, BB, CCC, ... */
4118 ssl_sha_update(&sha
,buf
,i
);
4119 ssl_sha_update(&sha
,secret
->data
,secret
->data_len
);
4121 if(!strcmp(usage
,"client write key") || !strcmp(usage
,"server write key")){
4123 ssl_sha_update(&sha
,rnd2
->data
,rnd2
->data_len
);
4124 ssl_sha_update(&sha
,rnd1
->data
,rnd1
->data_len
);
4127 ssl_sha_update(&sha
,rnd1
->data
,rnd1
->data_len
);
4129 ssl_sha_update(&sha
,rnd2
->data
,rnd2
->data_len
);
4132 ssl_sha_final(buf
,&sha
);
4133 ssl_sha_reset(&sha
);
4135 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i
,
4137 ssl_md5_update(&md5
,secret
->data
,secret
->data_len
);
4138 ssl_md5_update(&md5
,buf
,20);
4139 ssl_md5_final(outbuf
,&md5
);
4140 ssl_md5_reset(&md5
);
4142 memcpy(out
->data
+ off
, outbuf
, MIN(out_len
- off
, 16));
4144 ssl_sha_cleanup(&sha
);
4145 ssl_md5_cleanup(&md5
);
4146 out
->data_len
= out_len
;
4151 /* out_len is the wanted output length for the pseudorandom function.
4152 * Ensure that ssl->cipher_suite is set. */
4154 prf(SslDecryptSession
*ssl
, StringInfo
*secret
, const char *usage
,
4155 StringInfo
*rnd1
, StringInfo
*rnd2
, StringInfo
*out
, unsigned out_len
)
4157 switch (ssl
->session
.version
) {
4159 return ssl3_prf(secret
, usage
, rnd1
, rnd2
, out
, out_len
);
4162 case TLSV1DOT1_VERSION
:
4163 case DTLSV1DOT0_VERSION
:
4164 case DTLSV1DOT0_OPENSSL_VERSION
:
4165 return tls_prf(secret
, usage
, rnd1
, rnd2
, out
, out_len
);
4167 default: /* TLSv1.2 */
4168 switch (ssl
->cipher_suite
->dig
) {
4170 #if GCRYPT_VERSION_NUMBER >= 0x010900
4171 return tls12_prf(GCRY_MD_SM3
, secret
, usage
, rnd1
, rnd2
,
4177 return tls12_prf(GCRY_MD_SHA384
, secret
, usage
, rnd1
, rnd2
,
4180 return tls12_prf(GCRY_MD_SHA256
, secret
, usage
, rnd1
, rnd2
,
4186 static int tls_handshake_hash(SslDecryptSession
* ssl
, StringInfo
* out
)
4191 if (ssl_data_alloc(out
, 36) < 0)
4194 if (ssl_md5_init(&md5
) != 0)
4196 ssl_md5_update(&md5
,ssl
->handshake_data
.data
,ssl
->handshake_data
.data_len
);
4197 ssl_md5_final(out
->data
,&md5
);
4198 ssl_md5_cleanup(&md5
);
4200 if (ssl_sha_init(&sha
) != 0)
4202 ssl_sha_update(&sha
,ssl
->handshake_data
.data
,ssl
->handshake_data
.data_len
);
4203 ssl_sha_final(out
->data
+16,&sha
);
4204 ssl_sha_cleanup(&sha
);
4208 static int tls12_handshake_hash(SslDecryptSession
* ssl
, int md
, StringInfo
* out
)
4214 if (ssl_md_init(&mc
, md
) != 0)
4216 ssl_md_update(&mc
,ssl
->handshake_data
.data
,ssl
->handshake_data
.data_len
);
4217 ssl_md_final(&mc
, tmp
, &len
);
4218 ssl_md_cleanup(&mc
);
4220 if (ssl_data_alloc(out
, len
) < 0)
4222 memcpy(out
->data
, tmp
, len
);
4227 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
4228 * inlined and removed once support for draft 19 and before is dropped.
4230 static inline const char *
4231 tls13_hkdf_label_prefix(SslDecryptSession
*ssl_session
)
4233 if (ssl_session
->session
.tls13_draft_version
&& ssl_session
->session
.tls13_draft_version
< 20) {
4235 } else if (ssl_session
->session
.version
== DTLSV1DOT3_VERSION
) {
4243 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
4244 * custom label prefix. If "context_hash" is NULL, then an empty context is
4245 * used. Otherwise it must have the same length as the hash algorithm output.
4248 tls13_hkdf_expand_label_context(int md
, const StringInfo
*secret
,
4249 const char *label_prefix
, const char *label
,
4250 const uint8_t *context_hash
, uint8_t context_length
,
4251 uint16_t out_len
, unsigned char **out
)
4253 /* RFC 8446 Section 7.1:
4254 * HKDF-Expand-Label(Secret, Label, Context, Length) =
4255 * HKDF-Expand(Secret, HkdfLabel, Length)
4257 * uint16 length = Length;
4258 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
4259 * opaque context<0..255> = Context;
4262 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
4263 * HKDF-Expand(PRK, info, L) -> OKM
4266 const unsigned label_prefix_length
= (unsigned) strlen(label_prefix
);
4267 const unsigned label_length
= (unsigned) strlen(label
);
4269 /* Some sanity checks */
4270 DISSECTOR_ASSERT(label_length
> 0 && label_prefix_length
+ label_length
<= 255);
4272 /* info = HkdfLabel { length, label, context } */
4273 GByteArray
*info
= g_byte_array_new();
4274 const uint16_t length
= g_htons(out_len
);
4275 g_byte_array_append(info
, (const uint8_t *)&length
, sizeof(length
));
4277 const uint8_t label_vector_length
= label_prefix_length
+ label_length
;
4278 g_byte_array_append(info
, &label_vector_length
, 1);
4279 g_byte_array_append(info
, (const uint8_t *)label_prefix
, label_prefix_length
);
4280 g_byte_array_append(info
, (const uint8_t*)label
, label_length
);
4282 g_byte_array_append(info
, &context_length
, 1);
4283 if (context_length
) {
4284 g_byte_array_append(info
, context_hash
, context_length
);
4287 *out
= (unsigned char *)wmem_alloc(NULL
, out_len
);
4288 err
= hkdf_expand(md
, secret
->data
, secret
->data_len
, info
->data
, info
->len
, *out
, out_len
);
4289 g_byte_array_free(info
, true);
4292 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC
, md
, gcry_strerror(err
));
4293 wmem_free(NULL
, *out
);
4302 tls13_hkdf_expand_label(int md
, const StringInfo
*secret
,
4303 const char *label_prefix
, const char *label
,
4304 uint16_t out_len
, unsigned char **out
)
4306 return tls13_hkdf_expand_label_context(md
, secret
, label_prefix
, label
, NULL
, 0, out_len
, out
);
4308 /* HMAC and the Pseudorandom function }}} */
4310 /* Record Decompression (after decryption) {{{ */
4311 #if defined (HAVE_ZLIB) || defined (HAVE_ZLIBNG)
4312 /* memory allocation functions for zlib initialization */
4313 static void* ssl_zalloc(void* opaque _U_
, unsigned int no
, unsigned int size
)
4315 return g_malloc0(no
*size
);
4317 static void ssl_zfree(void* opaque _U_
, void* addr
)
4323 static SslDecompress
*
4324 ssl_create_decompressor(int compression
)
4326 SslDecompress
*decomp
;
4327 #if defined (HAVE_ZLIB) || defined (HAVE_ZLIBNG)
4331 if (compression
== 0) return NULL
;
4332 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression
);
4333 decomp
= wmem_new(wmem_file_scope(), SslDecompress
);
4334 decomp
->compression
= compression
;
4335 switch (decomp
->compression
) {
4336 #if defined (HAVE_ZLIB) || defined (HAVE_ZLIBNG)
4337 case 1: /* DEFLATE */
4338 decomp
->istream
.zalloc
= ssl_zalloc
;
4339 decomp
->istream
.zfree
= ssl_zfree
;
4340 decomp
->istream
.opaque
= Z_NULL
;
4341 decomp
->istream
.next_in
= Z_NULL
;
4342 decomp
->istream
.next_out
= Z_NULL
;
4343 decomp
->istream
.avail_in
= 0;
4344 decomp
->istream
.avail_out
= 0;
4345 err
= ZLIB_PREFIX(inflateInit
)(&decomp
->istream
);
4347 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err
);
4353 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp
->compression
);
4359 #if defined (HAVE_ZLIB) || defined (HAVE_ZLIBNG)
4361 ssl_decompress_record(SslDecompress
* decomp
, const unsigned char* in
, unsigned inl
, StringInfo
* out_str
, unsigned* outl
)
4365 switch (decomp
->compression
) {
4366 case 1: /* DEFLATE */
4368 if (out_str
->data_len
< 16384) { /* maximal plain length */
4369 ssl_data_realloc(out_str
, 16384);
4372 decomp
->istream
.next_in
= in
;
4375 decomp
->istream
.next_in
= (Bytef
*)in
;
4378 decomp
->istream
.avail_in
= inl
;
4379 decomp
->istream
.next_out
= out_str
->data
;
4380 decomp
->istream
.avail_out
= out_str
->data_len
;
4382 err
= ZLIB_PREFIX(inflate
)(&decomp
->istream
, Z_SYNC_FLUSH
);
4384 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err
);
4387 *outl
= out_str
->data_len
- decomp
->istream
.avail_out
;
4390 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp
->compression
);
4397 ssl_decompress_record(SslDecompress
* decomp _U_
, const unsigned char* in _U_
, unsigned inl _U_
, StringInfo
* out_str _U_
, unsigned* outl _U_
)
4399 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp
->compression
);
4403 /* Record Decompression (after decryption) }}} */
4405 /* Create a new structure to store decrypted chunks. {{{ */
4407 ssl_create_flow(void)
4411 flow
= wmem_new(wmem_file_scope(), SslFlow
);
4414 flow
->multisegment_pdus
= wmem_tree_new(wmem_file_scope());
4419 /* Use the negotiated security parameters for decryption. {{{ */
4421 ssl_change_cipher(SslDecryptSession
*ssl_session
, bool server
)
4423 SslDecoder
**new_decoder
= server
? &ssl_session
->server_new
: &ssl_session
->client_new
;
4424 SslDecoder
**dest
= server
? &ssl_session
->server
: &ssl_session
->client
;
4425 ssl_debug_printf("ssl_change_cipher %s%s\n", server
? "SERVER" : "CLIENT",
4426 *new_decoder
? "" : " (No decoder found - retransmission?)");
4428 *dest
= *new_decoder
;
4429 *new_decoder
= NULL
;
4434 /* Init cipher state given some security parameters. {{{ */
4436 ssl_decoder_destroy_cb(wmem_allocator_t
*, wmem_cb_event_t
, void *);
4439 ssl_create_decoder(const SslCipherSuite
*cipher_suite
, int cipher_algo
,
4440 int compression
, uint8_t *mk
, uint8_t *sk
, uint8_t *sn_key
, uint8_t *iv
, unsigned iv_length
)
4443 ssl_cipher_mode_t mode
= cipher_suite
->mode
;
4445 dec
= wmem_new0(wmem_file_scope(), SslDecoder
);
4446 /* init mac buffer: mac storage is embedded into decoder struct to save a
4447 memory allocation and waste samo more memory*/
4448 dec
->cipher_suite
=cipher_suite
;
4449 dec
->compression
= compression
;
4450 if ((mode
== MODE_STREAM
&& mk
!= NULL
) || mode
== MODE_CBC
) {
4451 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
4452 // the special case for NULL ciphers, even if there is insufficiency
4453 // keying material (including MAC key), we will can still create
4454 // decoders since "decryption" is easy for such ciphers.
4455 dec
->mac_key
.data
= dec
->_mac_key_or_write_iv
;
4456 ssl_data_set(&dec
->mac_key
, mk
, ssl_cipher_suite_dig(cipher_suite
)->len
);
4457 } else if (mode
== MODE_GCM
|| mode
== MODE_CCM
|| mode
== MODE_CCM_8
|| mode
== MODE_POLY1305
) {
4458 // Input for the nonce, to be used with AEAD ciphers.
4459 DISSECTOR_ASSERT(iv_length
<= sizeof(dec
->_mac_key_or_write_iv
));
4460 dec
->write_iv
.data
= dec
->_mac_key_or_write_iv
;
4461 ssl_data_set(&dec
->write_iv
, iv
, iv_length
);
4464 dec
->decomp
= ssl_create_decompressor(compression
);
4465 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb
, dec
);
4467 if (ssl_cipher_init(&dec
->evp
,cipher_algo
,sk
,iv
,cipher_suite
->mode
) < 0) {
4468 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC
,
4469 cipher_algo
, cipher_suite
->mode
);
4473 if (cipher_suite
->enc
!= ENC_NULL
&& sn_key
!= NULL
) {
4474 if (cipher_suite
->enc
== ENC_AES
|| cipher_suite
->enc
== ENC_AES256
) {
4476 } else if (cipher_suite
->enc
== ENC_CHACHA20
) {
4479 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
4483 if (ssl_cipher_init(&dec
->sn_evp
, cipher_algo
, sn_key
, NULL
, mode
) < 0) {
4484 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC
,
4485 cipher_algo
, MODE_ECB
);
4486 ssl_cipher_cleanup(&dec
->evp
);
4494 dec
->dtls13_aad
.data
= NULL
;
4495 dec
->dtls13_aad
.data_len
= 0;
4496 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite
)->len
);
4501 ssl_decoder_destroy_cb(wmem_allocator_t
*allocator _U_
, wmem_cb_event_t event _U_
, void *user_data
)
4503 SslDecoder
*dec
= (SslDecoder
*) user_data
;
4506 ssl_cipher_cleanup(&dec
->evp
);
4508 ssl_cipher_cleanup(&dec
->sn_evp
);
4510 #if defined (HAVE_ZLIB) || defined (HAVE_ZLIBNG)
4511 if (dec
->decomp
!= NULL
&& dec
->decomp
->compression
== 1 /* DEFLATE */)
4512 ZLIB_PREFIX(inflateEnd
)(&dec
->decomp
->istream
);
4519 /* (Pre-)master secrets calculations {{{ */
4520 #ifdef HAVE_LIBGNUTLS
4522 ssl_decrypt_pre_master_secret(SslDecryptSession
*ssl_session
,
4523 StringInfo
*encrypted_pre_master
,
4524 GHashTable
*key_hash
);
4525 #endif /* HAVE_LIBGNUTLS */
4528 ssl_restore_master_key(SslDecryptSession
*ssl
, const char *label
,
4529 bool is_pre_master
, GHashTable
*ht
, StringInfo
*key
);
4532 ssl_generate_pre_master_secret(SslDecryptSession
*ssl_session
,
4533 uint32_t length
, tvbuff_t
*tvb
, uint32_t offset
,
4534 const char *ssl_psk
, packet_info
*pinfo
,
4535 #ifdef HAVE_LIBGNUTLS
4536 GHashTable
*key_hash
,
4538 const ssl_master_key_map_t
*mk_map
)
4540 /* check for required session data */
4541 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
4542 G_STRFUNC
, ssl_session
->state
);
4543 if ((ssl_session
->state
& (SSL_CIPHER
|SSL_CLIENT_RANDOM
|SSL_SERVER_RANDOM
|SSL_VERSION
)) !=
4544 (SSL_CIPHER
|SSL_CLIENT_RANDOM
|SSL_SERVER_RANDOM
|SSL_VERSION
)) {
4545 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC
,
4546 (SSL_CIPHER
|SSL_CLIENT_RANDOM
|SSL_SERVER_RANDOM
|SSL_VERSION
));
4550 if (ssl_session
->session
.version
== TLSV1DOT3_VERSION
) {
4551 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC
);
4555 /* check to see if the PMS was provided to us*/
4556 if (ssl_restore_master_key(ssl_session
, "Unencrypted pre-master secret", true,
4557 mk_map
->pms
, &ssl_session
->client_random
)) {
4561 if (ssl_session
->cipher_suite
->kex
== KEX_PSK
)
4563 /* calculate pre master secret*/
4564 StringInfo pre_master_secret
;
4565 unsigned psk_len
, pre_master_len
;
4567 if (!ssl_psk
|| (ssl_psk
[0] == 0)) {
4568 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC
);
4572 /* convert hex string into char*/
4573 if (!from_hex(&ssl_session
->psk
, ssl_psk
, strlen(ssl_psk
))) {
4574 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
4579 psk_len
= ssl_session
->psk
.data_len
;
4580 if (psk_len
>= (2 << 15)) {
4581 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
4587 pre_master_len
= psk_len
* 2 + 4;
4589 pre_master_secret
.data
= (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len
);
4590 pre_master_secret
.data_len
= pre_master_len
;
4591 /* 2 bytes psk_len*/
4592 pre_master_secret
.data
[0] = psk_len
>> 8;
4593 pre_master_secret
.data
[1] = psk_len
& 0xFF;
4594 /* psk_len bytes times 0*/
4595 memset(&pre_master_secret
.data
[2], 0, psk_len
);
4596 /* 2 bytes psk_len*/
4597 pre_master_secret
.data
[psk_len
+ 2] = psk_len
>> 8;
4598 pre_master_secret
.data
[psk_len
+ 3] = psk_len
& 0xFF;
4600 memcpy(&pre_master_secret
.data
[psk_len
+ 4], ssl_session
->psk
.data
, psk_len
);
4602 ssl_session
->pre_master_secret
.data
= pre_master_secret
.data
;
4603 ssl_session
->pre_master_secret
.data_len
= pre_master_len
;
4604 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/
4606 /* Remove the master secret if it was there.
4607 This forces keying material regeneration in
4608 case we're renegotiating */
4609 ssl_session
->state
&= ~(SSL_MASTER_SECRET
|SSL_HAVE_SESSION_KEY
);
4610 ssl_session
->state
|= SSL_PRE_MASTER_SECRET
;
4615 unsigned encrlen
, skip
;
4619 /* get encrypted data, on tls1 we have to skip two bytes
4620 * (it's the encrypted len and should be equal to record len - 2)
4621 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
4623 if (ssl_session
->cipher_suite
->kex
== KEX_RSA
&&
4624 (ssl_session
->session
.version
== TLSV1_VERSION
||
4625 ssl_session
->session
.version
== TLSV1DOT1_VERSION
||
4626 ssl_session
->session
.version
== TLSV1DOT2_VERSION
||
4627 ssl_session
->session
.version
== DTLSV1DOT0_VERSION
||
4628 ssl_session
->session
.version
== DTLSV1DOT2_VERSION
||
4629 ssl_session
->session
.version
== TLCPV1_VERSION
))
4631 encrlen
= tvb_get_ntohs(tvb
, offset
);
4633 if (encrlen
> length
- 2)
4635 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
4636 G_STRFUNC
, encrlen
, length
);
4640 /* the valid lower bound is higher than 8, but it is sufficient for the
4641 * ssl keylog file below */
4643 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
4644 G_STRFUNC
, encrlen
);
4648 StringInfo encrypted_pre_master
= {
4649 .data
= (unsigned char *)tvb_memdup(pinfo
->pool
, tvb
, offset
+ skip
, encrlen
),
4650 .data_len
= encrlen
,
4653 #ifdef HAVE_LIBGNUTLS
4654 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
4655 if (ssl_session
->cert_key_id
) {
4656 if (ssl_decrypt_pre_master_secret(ssl_session
, &encrypted_pre_master
, key_hash
))
4659 ssl_debug_printf("%s: can't decrypt pre-master secret\n",
4662 #endif /* HAVE_LIBGNUTLS */
4664 /* try to find the pre-master secret from the encrypted one. The
4665 * ssl key logfile stores only the first 8 bytes, so truncate it */
4666 encrypted_pre_master
.data_len
= 8;
4667 if (ssl_restore_master_key(ssl_session
, "Encrypted pre-master secret",
4668 true, mk_map
->pre_master
, &encrypted_pre_master
))
4674 /* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
4676 ssl_generate_keyring_material(SslDecryptSession
*ssl_session
)
4678 StringInfo key_block
= { NULL
, 0 };
4679 uint8_t _iv_c
[MAX_BLOCK_SIZE
],_iv_s
[MAX_BLOCK_SIZE
];
4680 uint8_t _key_c
[MAX_KEY_SIZE
],_key_s
[MAX_KEY_SIZE
];
4682 int cipher_algo
= -1; /* special value (-1) for NULL encryption */
4683 unsigned encr_key_len
, write_iv_len
= 0;
4684 bool is_export_cipher
;
4685 uint8_t *ptr
, *c_iv
= NULL
, *s_iv
= NULL
;
4686 uint8_t *c_wk
= NULL
, *s_wk
= NULL
, *c_mk
= NULL
, *s_mk
= NULL
;
4687 const SslCipherSuite
*cipher_suite
= ssl_session
->cipher_suite
;
4689 /* (D)TLS 1.3 is handled directly in tls13_change_key. */
4690 if (ssl_session
->session
.version
== TLSV1DOT3_VERSION
|| ssl_session
->session
.version
== DTLSV1DOT3_VERSION
) {
4691 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC
);
4695 /* check for enough info to proceed */
4696 unsigned need_all
= SSL_CIPHER
|SSL_CLIENT_RANDOM
|SSL_SERVER_RANDOM
|SSL_VERSION
;
4697 unsigned need_any
= SSL_MASTER_SECRET
| SSL_PRE_MASTER_SECRET
;
4698 if (((ssl_session
->state
& need_all
) != need_all
) || ((ssl_session
->state
& need_any
) == 0)) {
4699 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
4700 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session
->state
,
4701 need_all
|SSL_MASTER_SECRET
, need_all
|SSL_PRE_MASTER_SECRET
);
4702 /* Special case: for NULL encryption, allow dissection of data even if
4703 * the Client Hello is missing (MAC keys are now skipped though). */
4704 need_all
= SSL_CIPHER
|SSL_VERSION
;
4705 if ((ssl_session
->state
& need_all
) == need_all
&&
4706 cipher_suite
->enc
== ENC_NULL
) {
4707 ssl_debug_printf("%s NULL cipher found, will create a decoder but "
4708 "skip MAC validation as keys are missing.\n", G_STRFUNC
);
4709 goto create_decoders
;
4715 /* if master key is not available, generate is from the pre-master secret */
4716 if (!(ssl_session
->state
& SSL_MASTER_SECRET
)) {
4717 if ((ssl_session
->state
& SSL_EXTENDED_MASTER_SECRET_MASK
) == SSL_EXTENDED_MASTER_SECRET_MASK
) {
4718 StringInfo handshake_hashed_data
;
4721 handshake_hashed_data
.data
= NULL
;
4722 handshake_hashed_data
.data_len
= 0;
4724 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC
);
4725 ssl_print_string("pre master secret",&ssl_session
->pre_master_secret
);
4726 DISSECTOR_ASSERT(ssl_session
->handshake_data
.data_len
> 0);
4728 switch(ssl_session
->session
.version
) {
4730 case TLSV1DOT1_VERSION
:
4731 case DTLSV1DOT0_VERSION
:
4732 case DTLSV1DOT0_OPENSSL_VERSION
:
4733 case TLCPV1_VERSION
:
4734 ret
= tls_handshake_hash(ssl_session
, &handshake_hashed_data
);
4737 switch (cipher_suite
->dig
) {
4739 ret
= tls12_handshake_hash(ssl_session
, GCRY_MD_SHA384
, &handshake_hashed_data
);
4742 ret
= tls12_handshake_hash(ssl_session
, GCRY_MD_SHA256
, &handshake_hashed_data
);
4748 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC
);
4752 wmem_free(wmem_file_scope(), ssl_session
->handshake_data
.data
);
4753 ssl_session
->handshake_data
.data
= NULL
;
4754 ssl_session
->handshake_data
.data_len
= 0;
4756 if (!prf(ssl_session
, &ssl_session
->pre_master_secret
, "extended master secret",
4757 &handshake_hashed_data
,
4758 NULL
, &ssl_session
->master_secret
,
4759 SSL_MASTER_SECRET_LENGTH
)) {
4760 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC
);
4761 g_free(handshake_hashed_data
.data
);
4764 g_free(handshake_hashed_data
.data
);
4766 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC
);
4767 ssl_print_string("pre master secret",&ssl_session
->pre_master_secret
);
4768 ssl_print_string("client random",&ssl_session
->client_random
);
4769 ssl_print_string("server random",&ssl_session
->server_random
);
4770 if (!prf(ssl_session
, &ssl_session
->pre_master_secret
, "master secret",
4771 &ssl_session
->client_random
,
4772 &ssl_session
->server_random
, &ssl_session
->master_secret
,
4773 SSL_MASTER_SECRET_LENGTH
)) {
4774 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC
);
4778 ssl_print_string("master secret",&ssl_session
->master_secret
);
4780 /* the pre-master secret has been 'consumed' so we must clear it now */
4781 ssl_session
->state
&= ~SSL_PRE_MASTER_SECRET
;
4782 ssl_session
->state
|= SSL_MASTER_SECRET
;
4785 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4786 if (cipher_suite
->enc
!= ENC_NULL
) {
4787 const char *cipher_name
= ciphers
[cipher_suite
->enc
-ENC_START
];
4788 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC
, cipher_name
);
4789 cipher_algo
= ssl_get_cipher_by_name(cipher_name
);
4790 if (cipher_algo
== 0) {
4791 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC
, cipher_name
);
4796 /* Export ciphers consume less material from the key block. */
4797 encr_key_len
= ssl_get_cipher_export_keymat_size(cipher_suite
->number
);
4798 is_export_cipher
= encr_key_len
> 0;
4799 if (!is_export_cipher
&& cipher_suite
->enc
!= ENC_NULL
) {
4800 encr_key_len
= (unsigned)gcry_cipher_get_algo_keylen(cipher_algo
);
4803 if (cipher_suite
->mode
== MODE_CBC
) {
4804 write_iv_len
= (unsigned)gcry_cipher_get_algo_blklen(cipher_algo
);
4805 } else if (cipher_suite
->mode
== MODE_GCM
|| cipher_suite
->mode
== MODE_CCM
|| cipher_suite
->mode
== MODE_CCM_8
) {
4806 /* account for a four-byte salt for client and server side (from
4807 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
4809 } else if (cipher_suite
->mode
== MODE_POLY1305
) {
4810 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
4814 /* Compute the key block. First figure out how much data we need */
4815 needed
= ssl_cipher_suite_dig(cipher_suite
)->len
*2; /* MAC key */
4816 needed
+= 2 * encr_key_len
; /* encryption key */
4817 needed
+= 2 * write_iv_len
; /* write IV */
4819 key_block
.data
= (unsigned char *)g_malloc(needed
);
4820 ssl_debug_printf("%s sess key generation\n", G_STRFUNC
);
4821 if (!prf(ssl_session
, &ssl_session
->master_secret
, "key expansion",
4822 &ssl_session
->server_random
,&ssl_session
->client_random
,
4823 &key_block
, needed
)) {
4824 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC
);
4827 ssl_print_string("key expansion", &key_block
);
4830 /* client/server write MAC key (for non-AEAD ciphers) */
4831 if (cipher_suite
->mode
== MODE_STREAM
|| cipher_suite
->mode
== MODE_CBC
) {
4832 c_mk
=ptr
; ptr
+=ssl_cipher_suite_dig(cipher_suite
)->len
;
4833 s_mk
=ptr
; ptr
+=ssl_cipher_suite_dig(cipher_suite
)->len
;
4835 /* client/server write encryption key */
4836 c_wk
=ptr
; ptr
+= encr_key_len
;
4837 s_wk
=ptr
; ptr
+= encr_key_len
;
4838 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
4839 if (write_iv_len
> 0) {
4840 c_iv
=ptr
; ptr
+= write_iv_len
;
4841 s_iv
=ptr
; /* ptr += write_iv_len; */
4844 /* export ciphers work with a smaller key length */
4845 if (is_export_cipher
) {
4846 if (cipher_suite
->mode
== MODE_CBC
) {
4848 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
4849 all we should need. This is a sanity check */
4850 if (write_iv_len
> MAX_BLOCK_SIZE
) {
4851 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
4852 G_STRFUNC
, MAX_BLOCK_SIZE
, write_iv_len
);
4856 if(ssl_session
->session
.version
==SSLV3_VERSION
){
4857 /* The length of these fields are ignored by this caller */
4858 StringInfo iv_c
, iv_s
;
4862 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC
);
4863 if (!ssl3_generate_export_iv(&ssl_session
->client_random
,
4864 &ssl_session
->server_random
, &iv_c
, write_iv_len
)) {
4867 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC
);
4868 if (!ssl3_generate_export_iv(&ssl_session
->server_random
,
4869 &ssl_session
->client_random
, &iv_s
, write_iv_len
)) {
4874 uint8_t _iv_block
[MAX_BLOCK_SIZE
* 2];
4875 StringInfo iv_block
;
4876 StringInfo key_null
;
4879 key_null
.data
= &_key_null
;
4880 key_null
.data_len
= 0;
4882 iv_block
.data
= _iv_block
;
4884 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC
);
4885 if (!prf(ssl_session
, &key_null
, "IV block",
4886 &ssl_session
->client_random
,
4887 &ssl_session
->server_random
, &iv_block
,
4888 write_iv_len
* 2)) {
4889 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC
);
4893 memcpy(_iv_c
, iv_block
.data
, write_iv_len
);
4894 memcpy(_iv_s
, iv_block
.data
+ write_iv_len
, write_iv_len
);
4901 if (ssl_session
->session
.version
==SSLV3_VERSION
){
4904 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC
);
4906 if (ssl_md5_init(&md5
) != 0)
4908 ssl_md5_update(&md5
,c_wk
,encr_key_len
);
4909 ssl_md5_update(&md5
,ssl_session
->client_random
.data
,
4910 ssl_session
->client_random
.data_len
);
4911 ssl_md5_update(&md5
,ssl_session
->server_random
.data
,
4912 ssl_session
->server_random
.data_len
);
4913 ssl_md5_final(_key_c
,&md5
);
4914 ssl_md5_cleanup(&md5
);
4917 if (ssl_md5_init(&md5
) != 0)
4919 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC
);
4920 ssl_md5_update(&md5
,s_wk
,encr_key_len
);
4921 ssl_md5_update(&md5
,ssl_session
->server_random
.data
,
4922 ssl_session
->server_random
.data_len
);
4923 ssl_md5_update(&md5
,ssl_session
->client_random
.data
,
4924 ssl_session
->client_random
.data_len
);
4925 ssl_md5_final(_key_s
,&md5
);
4926 ssl_md5_cleanup(&md5
);
4930 StringInfo key_c
, key_s
, k
;
4931 key_c
.data
= _key_c
;
4932 key_s
.data
= _key_s
;
4935 k
.data_len
= encr_key_len
;
4936 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC
);
4937 if (!prf(ssl_session
, &k
, "client write key",
4938 &ssl_session
->client_random
,
4939 &ssl_session
->server_random
, &key_c
, sizeof(_key_c
))) {
4940 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC
);
4946 k
.data_len
= encr_key_len
;
4947 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC
);
4948 if (!prf(ssl_session
, &k
, "server write key",
4949 &ssl_session
->client_random
,
4950 &ssl_session
->server_random
, &key_s
, sizeof(_key_s
))) {
4951 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC
);
4958 /* show key material info */
4960 ssl_print_data("Client MAC key",c_mk
,ssl_cipher_suite_dig(cipher_suite
)->len
);
4961 ssl_print_data("Server MAC key",s_mk
,ssl_cipher_suite_dig(cipher_suite
)->len
);
4963 ssl_print_data("Client Write key", c_wk
, encr_key_len
);
4964 ssl_print_data("Server Write key", s_wk
, encr_key_len
);
4965 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
4966 if (write_iv_len
> 0) {
4967 ssl_print_data("Client Write IV", c_iv
, write_iv_len
);
4968 ssl_print_data("Server Write IV", s_iv
, write_iv_len
);
4972 /* create both client and server ciphers*/
4973 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC
);
4974 ssl_session
->client_new
= ssl_create_decoder(cipher_suite
, cipher_algo
, ssl_session
->session
.compression
, c_mk
, c_wk
, NULL
, c_iv
, write_iv_len
);
4975 if (!ssl_session
->client_new
) {
4976 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC
);
4979 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC
);
4980 ssl_session
->server_new
= ssl_create_decoder(cipher_suite
, cipher_algo
, ssl_session
->session
.compression
, s_mk
, s_wk
, NULL
, s_iv
, write_iv_len
);
4981 if (!ssl_session
->server_new
) {
4982 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC
);
4986 /* Continue the SSL stream after renegotiation with new keys. */
4987 ssl_session
->client_new
->flow
= ssl_session
->client
? ssl_session
->client
->flow
: ssl_create_flow();
4988 ssl_session
->server_new
->flow
= ssl_session
->server
? ssl_session
->server
->flow
: ssl_create_flow();
4990 ssl_debug_printf("%s: client seq %" PRIu64
", server seq %" PRIu64
"\n",
4991 G_STRFUNC
, ssl_session
->client_new
->seq
, ssl_session
->server_new
->seq
);
4992 g_free(key_block
.data
);
4993 ssl_session
->state
|= SSL_HAVE_SESSION_KEY
;
4997 g_free(key_block
.data
);
5001 /* Generated the key material based on the given secret. */
5003 tls13_generate_keys(SslDecryptSession
*ssl_session
, const StringInfo
*secret
, bool is_from_server
)
5005 bool success
= false;
5006 unsigned char *write_key
= NULL
, *write_iv
= NULL
;
5007 unsigned char *sn_key
= NULL
;
5008 SslDecoder
*decoder
;
5009 unsigned key_length
, iv_length
;
5011 const SslCipherSuite
*cipher_suite
= ssl_session
->cipher_suite
;
5014 if ((ssl_session
->session
.version
!= TLSV1DOT3_VERSION
) && (ssl_session
->session
.version
!= DTLSV1DOT3_VERSION
)) {
5015 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC
,
5016 ssl_session
->session
.version
);
5020 if (cipher_suite
== NULL
) {
5021 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC
);
5025 if (cipher_suite
->kex
!= KEX_TLS13
) {
5026 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC
, cipher_suite
->number
);
5030 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
5031 const char *cipher_name
= ciphers
[cipher_suite
->enc
-ENC_START
];
5032 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC
, cipher_name
);
5033 cipher_algo
= ssl_get_cipher_by_name(cipher_name
);
5034 if (cipher_algo
== 0) {
5035 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC
, cipher_name
);
5039 const char *hash_name
= ssl_cipher_suite_dig(cipher_suite
)->name
;
5040 hash_algo
= ssl_get_digest_by_name(hash_name
);
5042 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC
, hash_name
);
5046 key_length
= (unsigned) gcry_cipher_get_algo_keylen(cipher_algo
);
5047 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
5049 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC
, key_length
, iv_length
);
5051 const char *label_prefix
= tls13_hkdf_label_prefix(ssl_session
);
5052 if (!tls13_hkdf_expand_label(hash_algo
, secret
, label_prefix
, "key", key_length
, &write_key
)) {
5053 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC
);
5056 if (!tls13_hkdf_expand_label(hash_algo
, secret
, label_prefix
, "iv", iv_length
, &write_iv
)) {
5057 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC
);
5061 if (ssl_session
->session
.version
== DTLSV1DOT3_VERSION
) {
5062 if (!tls13_hkdf_expand_label(hash_algo
, secret
, label_prefix
, "sn", key_length
, &sn_key
)) {
5063 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC
);
5068 ssl_print_data(is_from_server
? "Server Write Key" : "Client Write Key", write_key
, key_length
);
5069 ssl_print_data(is_from_server
? "Server Write IV" : "Client Write IV", write_iv
, iv_length
);
5070 if (ssl_session
->session
.version
== DTLSV1DOT3_VERSION
) {
5071 ssl_print_data(is_from_server
? "Server Write SN" : "Client Write SN", sn_key
, key_length
);
5074 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC
, is_from_server
? "server" : "client");
5075 decoder
= ssl_create_decoder(cipher_suite
, cipher_algo
, 0, NULL
, write_key
, sn_key
, write_iv
, iv_length
);
5077 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC
, is_from_server
? "server" : "client");
5081 /* Continue the TLS session with new keys, but reuse old flow to keep things
5082 * like "Follow TLS" working (by linking application data records). */
5083 if (is_from_server
) {
5084 decoder
->flow
= ssl_session
->server
? ssl_session
->server
->flow
: ssl_create_flow();
5085 ssl_session
->server
= decoder
;
5087 decoder
->flow
= ssl_session
->client
? ssl_session
->client
->flow
: ssl_create_flow();
5088 ssl_session
->client
= decoder
;
5090 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC
,
5091 is_from_server
? "Server" : "Client", cipher_suite
->number
, cipher_name
, hash_name
);
5095 wmem_free(NULL
, write_key
);
5096 wmem_free(NULL
, write_iv
);
5098 wmem_free(NULL
, sn_key
);
5101 /* (Pre-)master secrets calculations }}} */
5103 #ifdef HAVE_LIBGNUTLS
5104 /* Decrypt RSA pre-master secret using RSA private key. {{{ */
5106 ssl_decrypt_pre_master_secret(SslDecryptSession
*ssl_session
,
5107 StringInfo
*encrypted_pre_master
, GHashTable
*key_hash
)
5111 if (!encrypted_pre_master
)
5114 if (KEX_IS_DH(ssl_session
->cipher_suite
->kex
)) {
5115 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
5116 "(cipher suite 0x%04X %s) and cannot be decrypted "
5117 "using a RSA private key file.\n",
5118 G_STRFUNC
, ssl_session
->session
.cipher
,
5119 val_to_str_ext_const(ssl_session
->session
.cipher
,
5120 &ssl_31_ciphersuite_ext
, "unknown"));
5122 } else if (ssl_session
->cipher_suite
->kex
!= KEX_RSA
) {
5123 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
5124 G_STRFUNC
, ssl_session
->cipher_suite
->kex
, KEX_RSA
);
5128 gnutls_privkey_t pk
= (gnutls_privkey_t
)g_hash_table_lookup(key_hash
, ssl_session
->cert_key_id
);
5130 ssl_print_string("pre master encrypted", encrypted_pre_master
);
5131 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC
);
5132 const gnutls_datum_t epms
= { encrypted_pre_master
->data
, encrypted_pre_master
->data_len
};
5133 gnutls_datum_t pms
= { 0 };
5135 // Try to decrypt using the RSA keys table from (D)TLS preferences.
5136 ret
= gnutls_privkey_decrypt_data(pk
, 0, &epms
, &pms
);
5138 // Try to decrypt using a hardware token.
5139 ret
= secrets_rsa_decrypt(ssl_session
->cert_key_id
, epms
.data
, epms
.size
, &pms
.data
, &pms
.size
);
5142 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC
, ret
, gnutls_strerror(ret
));
5146 if (pms
.size
!= 48) {
5147 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
5148 G_STRFUNC
, pms
.size
, 48);
5150 gnutls_free(pms
.data
);
5157 ssl_session
->pre_master_secret
.data
= (uint8_t *)wmem_memdup(wmem_file_scope(), pms
.data
, 48);
5158 ssl_session
->pre_master_secret
.data_len
= 48;
5160 gnutls_free(pms
.data
);
5164 ssl_print_string("pre master secret", &ssl_session
->pre_master_secret
);
5166 /* Remove the master secret if it was there.
5167 This forces keying material regeneration in
5168 case we're renegotiating */
5169 ssl_session
->state
&= ~(SSL_MASTER_SECRET
|SSL_HAVE_SESSION_KEY
);
5170 ssl_session
->state
|= SSL_PRE_MASTER_SECRET
;
5173 #endif /* HAVE_LIBGNUTLS */
5175 /* Decryption integrity check {{{ */
5178 tls_check_mac(SslDecoder
*decoder
, int ct
, int ver
, uint8_t* data
,
5179 uint32_t datalen
, uint8_t* mac
)
5184 uint8_t buf
[DIGEST_MAX_SIZE
];
5187 md
=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder
->cipher_suite
)->name
);
5188 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
5189 ssl_cipher_suite_dig(decoder
->cipher_suite
)->name
, md
);
5191 if (ssl_hmac_init(&hm
,md
) != 0)
5193 if (ssl_hmac_setkey(&hm
,decoder
->mac_key
.data
,decoder
->mac_key
.data_len
) != 0)
5196 /* hash sequence number */
5197 phton64(buf
, decoder
->seq
);
5201 ssl_hmac_update(&hm
,buf
,8);
5203 /* hash content type */
5205 ssl_hmac_update(&hm
,buf
,1);
5207 /* hash version,data length and data*/
5208 /* *((int16_t*)buf) = g_htons(ver); */
5209 temp
= g_htons(ver
);
5210 memcpy(buf
, &temp
, 2);
5211 ssl_hmac_update(&hm
,buf
,2);
5213 /* *((int16_t*)buf) = g_htons(datalen); */
5214 temp
= g_htons(datalen
);
5215 memcpy(buf
, &temp
, 2);
5216 ssl_hmac_update(&hm
,buf
,2);
5217 ssl_hmac_update(&hm
,data
,datalen
);
5219 /* get digest and digest len*/
5221 ssl_hmac_final(&hm
,buf
,&len
);
5222 ssl_hmac_cleanup(&hm
);
5223 ssl_print_data("Mac", buf
, len
);
5224 if(memcmp(mac
,buf
,len
))
5231 ssl3_check_mac(SslDecoder
*decoder
,int ct
,uint8_t* data
,
5232 uint32_t datalen
, uint8_t* mac
)
5237 uint8_t buf
[64],dgst
[20];
5241 pad_ct
=(decoder
->cipher_suite
->dig
==DIG_SHA
)?40:48;
5243 /* get cipher used for digest computation */
5244 md
=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder
->cipher_suite
)->name
);
5245 if (ssl_md_init(&mc
,md
) !=0)
5248 /* do hash computation on data && padding */
5249 ssl_md_update(&mc
,decoder
->mac_key
.data
,decoder
->mac_key
.data_len
);
5252 memset(buf
,0x36,pad_ct
);
5253 ssl_md_update(&mc
,buf
,pad_ct
);
5255 /* hash sequence number */
5256 phton64(buf
, decoder
->seq
);
5258 ssl_md_update(&mc
,buf
,8);
5260 /* hash content type */
5262 ssl_md_update(&mc
,buf
,1);
5264 /* hash data length in network byte order and data*/
5265 /* *((int16_t* )buf) = g_htons(datalen); */
5266 temp
= g_htons(datalen
);
5267 memcpy(buf
, &temp
, 2);
5268 ssl_md_update(&mc
,buf
,2);
5269 ssl_md_update(&mc
,data
,datalen
);
5271 /* get partial digest */
5272 ssl_md_final(&mc
,dgst
,&len
);
5276 ssl_md_update(&mc
,decoder
->mac_key
.data
,decoder
->mac_key
.data_len
);
5278 /* hash padding and partial digest*/
5279 memset(buf
,0x5c,pad_ct
);
5280 ssl_md_update(&mc
,buf
,pad_ct
);
5281 ssl_md_update(&mc
,dgst
,len
);
5283 ssl_md_final(&mc
,dgst
,&len
);
5284 ssl_md_cleanup(&mc
);
5286 if(memcmp(mac
,dgst
,len
))
5293 dtls_check_mac(SslDecryptSession
*ssl
, SslDecoder
*decoder
, int ct
, uint8_t* data
,
5294 uint32_t datalen
, uint8_t* mac
, const unsigned char *cid
, uint8_t cidl
)
5299 uint8_t buf
[DIGEST_MAX_SIZE
];
5302 int ver
= ssl
->session
.version
;
5303 bool is_cid
= ((ct
== SSL_ID_TLS12_CID
) && (ver
== DTLSV1DOT2_VERSION
));
5305 md
=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder
->cipher_suite
)->name
);
5306 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
5307 ssl_cipher_suite_dig(decoder
->cipher_suite
)->name
, md
);
5309 if (ssl_hmac_init(&hm
,md
) != 0)
5311 if (ssl_hmac_setkey(&hm
,decoder
->mac_key
.data
,decoder
->mac_key
.data_len
) != 0)
5314 ssl_debug_printf("dtls_check_mac seq: %" PRIu64
" epoch: %d\n",decoder
->seq
,decoder
->epoch
);
5316 if (is_cid
&& !ssl
->session
.deprecated_cid
) {
5317 /* hash seq num placeholder */
5319 ssl_hmac_update(&hm
,buf
,8);
5321 /* hash content type + cid length + content type */
5325 ssl_hmac_update(&hm
,buf
,3);
5328 temp
= g_htons(ver
);
5329 memcpy(buf
, &temp
, 2);
5330 ssl_hmac_update(&hm
,buf
,2);
5332 /* hash sequence number */
5333 phton64(buf
, decoder
->seq
);
5334 buf
[0]=decoder
->epoch
>>8;
5335 buf
[1]=(uint8_t)decoder
->epoch
;
5336 ssl_hmac_update(&hm
,buf
,8);
5339 ssl_hmac_update(&hm
,cid
,cidl
);
5341 /* hash sequence number */
5342 phton64(buf
, decoder
->seq
);
5343 buf
[0]=decoder
->epoch
>>8;
5344 buf
[1]=(uint8_t)decoder
->epoch
;
5345 ssl_hmac_update(&hm
,buf
,8);
5347 /* hash content type */
5349 ssl_hmac_update(&hm
,buf
,1);
5352 temp
= g_htons(ver
);
5353 memcpy(buf
, &temp
, 2);
5354 ssl_hmac_update(&hm
,buf
,2);
5356 if (is_cid
&& ssl
->session
.deprecated_cid
) {
5358 ssl_hmac_update(&hm
,cid
,cidl
);
5360 /* hash cid length */
5362 ssl_hmac_update(&hm
,buf
,1);
5366 /* data length and data */
5367 temp
= g_htons(datalen
);
5368 memcpy(buf
, &temp
, 2);
5369 ssl_hmac_update(&hm
,buf
,2);
5370 ssl_hmac_update(&hm
,data
,datalen
);
5372 /* get digest and digest len */
5374 ssl_hmac_final(&hm
,buf
,&len
);
5375 ssl_hmac_cleanup(&hm
);
5376 ssl_print_data("Mac", buf
, len
);
5377 if(memcmp(mac
,buf
,len
))
5382 /* Decryption integrity check }}} */
5386 tls_decrypt_aead_record(SslDecryptSession
*ssl
, SslDecoder
*decoder
,
5387 uint8_t ct
, uint16_t record_version
,
5388 bool ignore_mac_failed
,
5389 const unsigned char *in
, uint16_t inl
,
5390 const unsigned char *cid
, uint8_t cidl
,
5391 StringInfo
*out_str
, unsigned *outl
)
5393 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5394 * GenericAEADCipher: { nonce_explicit, [content] }
5395 * In TLS 1.3 this explicit nonce is gone.
5396 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5397 * ciphertext and authentication tag.
5399 const uint16_t version
= ssl
->session
.version
;
5400 const bool is_v12
= version
== TLSV1DOT2_VERSION
|| version
== DTLSV1DOT2_VERSION
|| version
== TLCPV1_VERSION
;
5402 const unsigned char *explicit_nonce
= NULL
, *ciphertext
;
5403 unsigned ciphertext_len
, auth_tag_len
;
5404 unsigned char nonce
[12];
5405 const ssl_cipher_mode_t cipher_mode
= decoder
->cipher_suite
->mode
;
5406 const bool is_cid
= ct
== SSL_ID_TLS12_CID
&& version
== DTLSV1DOT2_VERSION
;
5407 const uint8_t draft_version
= ssl
->session
.tls13_draft_version
;
5408 const unsigned char *auth_tag_wire
;
5409 unsigned char auth_tag_calc
[16];
5410 unsigned char *aad
= NULL
;
5411 unsigned aad_len
= 0;
5413 switch (cipher_mode
) {
5423 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC
);
5427 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5428 if (is_v12
&& cipher_mode
!= MODE_POLY1305
) {
5429 if (inl
< EXPLICIT_NONCE_LEN
+ auth_tag_len
) {
5430 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5431 G_STRFUNC
, inl
, EXPLICIT_NONCE_LEN
, auth_tag_len
);
5434 explicit_nonce
= in
;
5435 ciphertext
= explicit_nonce
+ EXPLICIT_NONCE_LEN
;
5436 ciphertext_len
= inl
- EXPLICIT_NONCE_LEN
- auth_tag_len
;
5437 } else if (version
== TLSV1DOT3_VERSION
|| version
== DTLSV1DOT3_VERSION
|| cipher_mode
== MODE_POLY1305
) {
5438 if (inl
< auth_tag_len
) {
5439 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC
, inl
, auth_tag_len
);
5443 ciphertext_len
= inl
- auth_tag_len
;
5445 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC
, version
);
5448 auth_tag_wire
= ciphertext
+ ciphertext_len
;
5451 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5452 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5454 if (is_v12
&& cipher_mode
!= MODE_POLY1305
) {
5455 DISSECTOR_ASSERT(decoder
->write_iv
.data_len
== IMPLICIT_NONCE_LEN
);
5456 /* Implicit (4) and explicit (8) part of nonce. */
5457 memcpy(nonce
, decoder
->write_iv
.data
, IMPLICIT_NONCE_LEN
);
5458 memcpy(nonce
+ IMPLICIT_NONCE_LEN
, explicit_nonce
, EXPLICIT_NONCE_LEN
);
5460 } else if (version
== TLSV1DOT3_VERSION
|| version
== DTLSV1DOT3_VERSION
|| cipher_mode
== MODE_POLY1305
) {
5462 * Technically the nonce length must be at least 8 bytes, but for
5463 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5465 const unsigned nonce_len
= 12;
5466 DISSECTOR_ASSERT(decoder
->write_iv
.data_len
== nonce_len
);
5467 memcpy(nonce
, decoder
->write_iv
.data
, decoder
->write_iv
.data_len
);
5468 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5469 phton64(nonce
+ nonce_len
- 8, pntoh64(nonce
+ nonce_len
- 8) ^ decoder
->seq
);
5470 ssl_debug_printf("%s seq %" PRIu64
"\n", G_STRFUNC
, decoder
->seq
);
5473 /* Set nonce and additional authentication data */
5474 gcry_cipher_reset(decoder
->evp
);
5475 ssl_print_data("nonce", nonce
, 12);
5476 err
= gcry_cipher_setiv(decoder
->evp
, nonce
, 12);
5478 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC
, gcry_strerror(err
));
5482 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5483 if (is_cid
) { /* if connection ID */
5484 if (ssl
->session
.deprecated_cid
) {
5485 aad_len
= 14 + cidl
;
5486 aad
= wmem_alloc(wmem_packet_scope(), aad_len
);
5487 phton64(aad
, decoder
->seq
); /* record sequence number */
5488 phton16(aad
, decoder
->epoch
); /* DTLS 1.2 includes epoch. */
5489 aad
[8] = ct
; /* TLSCompressed.type */
5490 phton16(aad
+ 9, record_version
); /* TLSCompressed.version */
5491 memcpy(aad
+ 11, cid
, cidl
); /* cid */
5492 aad
[11 + cidl
] = cidl
; /* cid_length */
5493 phton16(aad
+ 12 + cidl
, ciphertext_len
); /* TLSCompressed.length */
5495 aad_len
= 23 + cidl
;
5496 aad
= wmem_alloc(wmem_packet_scope(), aad_len
);
5497 memset(aad
, 0xFF, 8); /* seq_num_placeholder */
5498 aad
[8] = ct
; /* TLSCompressed.type */
5499 aad
[9] = cidl
; /* cid_length */
5500 aad
[10] = ct
; /* TLSCompressed.type */
5501 phton16(aad
+ 11, record_version
); /* TLSCompressed.version */
5502 phton64(aad
+ 13, decoder
->seq
); /* record sequence number */
5503 phton16(aad
+ 13, decoder
->epoch
); /* DTLS 1.2 includes epoch. */
5504 memcpy(aad
+ 21, cid
, cidl
); /* cid */
5505 phton16(aad
+ 21 + cidl
, ciphertext_len
); /* TLSCompressed.length */
5507 } else if (is_v12
) {
5509 aad
= wmem_alloc(wmem_packet_scope(), aad_len
);
5510 phton64(aad
, decoder
->seq
); /* record sequence number */
5511 if (version
== DTLSV1DOT2_VERSION
) {
5512 phton16(aad
, decoder
->epoch
); /* DTLS 1.2 includes epoch. */
5514 aad
[8] = ct
; /* TLSCompressed.type */
5515 phton16(aad
+ 9, record_version
); /* TLSCompressed.version */
5516 phton16(aad
+ 11, ciphertext_len
); /* TLSCompressed.length */
5517 } else if (version
== DTLSV1DOT3_VERSION
) {
5518 aad_len
= decoder
->dtls13_aad
.data_len
;
5519 aad
= decoder
->dtls13_aad
.data
;
5520 } else if (draft_version
>= 25 || draft_version
== 0) {
5522 aad
= wmem_alloc(wmem_packet_scope(), aad_len
);
5523 aad
[0] = ct
; /* TLSCiphertext.opaque_type (23) */
5524 phton16(aad
+ 1, record_version
); /* TLSCiphertext.legacy_record_version (0x0303) */
5525 phton16(aad
+ 3, inl
); /* TLSCiphertext.length */
5528 if (decoder
->cipher_suite
->mode
== MODE_CCM
|| decoder
->cipher_suite
->mode
== MODE_CCM_8
) {
5529 /* size of plaintext, additional authenticated data and auth tag. */
5530 uint64_t lengths
[3] = { ciphertext_len
, aad_len
, auth_tag_len
};
5532 gcry_cipher_ctl(decoder
->evp
, GCRYCTL_SET_CCM_LENGTHS
, lengths
, sizeof(lengths
));
5535 if (aad
&& aad_len
> 0) {
5536 ssl_print_data("AAD", aad
, aad_len
);
5537 err
= gcry_cipher_authenticate(decoder
->evp
, aad
, aad_len
);
5539 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC
, gcry_strerror(err
));
5544 /* Decrypt now that nonce and AAD are set. */
5545 err
= gcry_cipher_decrypt(decoder
->evp
, out_str
->data
, out_str
->data_len
, ciphertext
, ciphertext_len
);
5547 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC
, gcry_strerror(err
));
5551 /* Check authentication tag for authenticity (replaces MAC) */
5552 err
= gcry_cipher_gettag(decoder
->evp
, auth_tag_calc
, auth_tag_len
);
5553 if (err
== 0 && !memcmp(auth_tag_calc
, auth_tag_wire
, auth_tag_len
)) {
5554 ssl_print_data("auth_tag(OK)", auth_tag_calc
, auth_tag_len
);
5557 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC
, gcry_strerror(err
));
5559 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC
);
5560 ssl_print_data("auth_tag(expect)", auth_tag_calc
, auth_tag_len
);
5561 ssl_print_data("auth_tag(actual)", auth_tag_wire
, auth_tag_len
);
5563 if (ignore_mac_failed
) {
5564 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC
);
5571 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5572 * after successful authentication to ensure that early data is skipped when
5573 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5575 if (version
== TLSV1DOT2_VERSION
|| version
== TLSV1DOT3_VERSION
|| version
== TLCPV1_VERSION
) {
5579 ssl_print_data("Plaintext", out_str
->data
, ciphertext_len
);
5580 *outl
= ciphertext_len
;
5584 /* Record decryption glue based on security parameters {{{ */
5585 /* Assume that we are called only for a non-NULL decoder which also means that
5586 * we have a non-NULL decoder->cipher_suite. */
5588 ssl_decrypt_record(SslDecryptSession
*ssl
, SslDecoder
*decoder
, uint8_t ct
, uint16_t record_version
,
5589 bool ignore_mac_failed
,
5590 const unsigned char *in
, uint16_t inl
, const unsigned char *cid
, uint8_t cidl
,
5591 StringInfo
*comp_str
, StringInfo
*out_str
, unsigned *outl
)
5593 unsigned pad
, worklen
, uncomplen
, maclen
, mac_fraglen
= 0;
5594 uint8_t *mac
= NULL
, *mac_frag
= NULL
;
5596 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl
);
5597 ssl_print_data("Ciphertext",in
, inl
);
5599 if (((ssl
->session
.version
== TLSV1DOT3_VERSION
|| ssl
->session
.version
== DTLSV1DOT3_VERSION
))
5600 != (decoder
->cipher_suite
->kex
== KEX_TLS13
)) {
5601 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC
);
5605 /* ensure we have enough storage space for decrypted data */
5606 if (inl
> out_str
->data_len
)
5608 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
5609 inl
+ 32, out_str
->data_len
);
5610 ssl_data_realloc(out_str
, inl
+ 32);
5613 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
5614 * a separate MAC, so use a different routine for simplicity. */
5615 if (decoder
->cipher_suite
->mode
== MODE_GCM
||
5616 decoder
->cipher_suite
->mode
== MODE_CCM
||
5617 decoder
->cipher_suite
->mode
== MODE_CCM_8
||
5618 decoder
->cipher_suite
->mode
== MODE_POLY1305
||
5619 ssl
->session
.version
== TLSV1DOT3_VERSION
||
5620 ssl
->session
.version
== DTLSV1DOT3_VERSION
) {
5622 if (!tls_decrypt_aead_record(ssl
, decoder
, ct
, record_version
, ignore_mac_failed
, in
, inl
, cid
, cidl
, out_str
, &worklen
)) {
5623 /* decryption failed */
5630 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
5631 * (notation: { unencrypted, [ encrypted ] })
5632 * GenericStreamCipher: { [content, mac] }
5633 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
5634 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
5635 * GenericAEADCipher: { nonce_explicit, [content] }
5636 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
5637 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
5640 maclen
= ssl_cipher_suite_dig(decoder
->cipher_suite
)->len
;
5642 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
5643 if (decoder
->cipher_suite
->mode
== MODE_CBC
) {
5644 unsigned blocksize
= 0;
5646 switch (ssl
->session
.version
) {
5647 case TLSV1DOT1_VERSION
:
5648 case TLSV1DOT2_VERSION
:
5649 case DTLSV1DOT0_VERSION
:
5650 case DTLSV1DOT2_VERSION
:
5651 case DTLSV1DOT3_VERSION
:
5652 case DTLSV1DOT0_OPENSSL_VERSION
:
5653 case TLCPV1_VERSION
:
5654 blocksize
= ssl_get_cipher_blocksize(decoder
->cipher_suite
);
5655 if (inl
< blocksize
) {
5656 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
5660 pad
= gcry_cipher_setiv(decoder
->evp
, in
, blocksize
);
5662 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
5663 gcry_strsource (pad
), gcry_strerror (pad
));
5671 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5672 if (ssl
->state
& SSL_ENCRYPT_THEN_MAC
) {
5674 * MAC is calculated over (IV + ) ENCRYPTED contents:
5676 * MAC(MAC_write_key, ... +
5677 * IV + // for TLS 1.1 or greater
5678 * TLSCiphertext.enc_content);
5681 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5682 G_STRFUNC
, inl
, maclen
);
5686 mac
= (uint8_t *)in
+ inl
;
5687 mac_frag
= (uint8_t *)in
- blocksize
;
5688 mac_fraglen
= blocksize
+ inl
;
5693 if ((pad
= ssl_cipher_decrypt(&decoder
->evp
, out_str
->data
, out_str
->data_len
, in
, inl
)) != 0) {
5694 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad
),
5695 gcry_strerror (pad
));
5699 ssl_print_data("Plaintext", out_str
->data
, inl
);
5703 /* strip padding for GenericBlockCipher */
5704 if (decoder
->cipher_suite
->mode
== MODE_CBC
) {
5705 if (inl
< 1) { /* Should this check happen earlier? */
5706 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl
);
5709 pad
=out_str
->data
[inl
-1];
5710 if (worklen
<= pad
) {
5711 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5716 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5720 /* MAC for GenericStreamCipher and GenericBlockCipher.
5721 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5724 * MAC is calculated over the DECRYPTED contents:
5726 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5728 if (worklen
< maclen
) {
5729 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC
, *outl
, worklen
);
5733 mac
= out_str
->data
+ worklen
;
5734 mac_frag
= out_str
->data
;
5735 mac_fraglen
= worklen
;
5738 /* If NULL encryption active and no keys are available, do not bother
5739 * checking the MAC. We do not have keys for that. */
5740 if (decoder
->cipher_suite
->mode
== MODE_STREAM
&&
5741 decoder
->cipher_suite
->enc
== ENC_NULL
&&
5742 !(ssl
->state
& SSL_MASTER_SECRET
)) {
5743 ssl_debug_printf("MAC check skipped due to missing keys\n");
5747 /* Now check the MAC */
5748 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64
")\n",
5749 worklen
, ssl
->session
.version
, ct
, decoder
->seq
);
5750 if(ssl
->session
.version
==SSLV3_VERSION
){
5751 if(ssl3_check_mac(decoder
,ct
,mac_frag
,mac_fraglen
,mac
) < 0) {
5752 if(ignore_mac_failed
) {
5753 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5756 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5761 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5764 else if(ssl
->session
.version
==TLSV1_VERSION
|| ssl
->session
.version
==TLSV1DOT1_VERSION
|| ssl
->session
.version
==TLSV1DOT2_VERSION
|| ssl
->session
.version
==TLCPV1_VERSION
){
5765 if(tls_check_mac(decoder
,ct
,ssl
->session
.version
,mac_frag
,mac_fraglen
,mac
)< 0) {
5766 if(ignore_mac_failed
) {
5767 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5770 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5775 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5778 else if(ssl
->session
.version
==DTLSV1DOT0_VERSION
||
5779 ssl
->session
.version
==DTLSV1DOT2_VERSION
||
5780 ssl
->session
.version
==DTLSV1DOT0_OPENSSL_VERSION
){
5781 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5782 if(dtls_check_mac(ssl
,decoder
,ct
,mac_frag
,mac_fraglen
,mac
,cid
,cidl
)>= 0) {
5783 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5785 else if(tls_check_mac(decoder
,ct
,TLSV1_VERSION
,mac_frag
,mac_fraglen
,mac
)>= 0) {
5786 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5788 else if(ignore_mac_failed
) {
5789 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5792 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5800 if (decoder
->compression
> 0) {
5801 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder
->compression
);
5802 ssl_data_copy(comp_str
, out_str
);
5803 ssl_print_data("Plaintext compressed", comp_str
->data
, worklen
);
5804 if (!decoder
->decomp
) {
5805 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
5808 if (ssl_decompress_record(decoder
->decomp
, comp_str
->data
, worklen
, out_str
, &uncomplen
) < 0) return -1;
5809 ssl_print_data("Plaintext uncompressed", out_str
->data
, uncomplen
);
5815 /* Record decryption glue based on security parameters }}} */
5819 #ifdef HAVE_LIBGNUTLS
5821 /* RSA private key file processing {{{ */
5823 ssl_find_private_key_by_pubkey(SslDecryptSession
*ssl
,
5824 gnutls_datum_t
*subjectPublicKeyInfo
)
5826 gnutls_pubkey_t pubkey
= NULL
;
5827 cert_key_id_t key_id
;
5828 size_t key_id_len
= sizeof(key_id
);
5831 if (!subjectPublicKeyInfo
->size
) {
5832 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC
);
5836 r
= gnutls_pubkey_init(&pubkey
);
5838 ssl_debug_printf("%s: failed to init pubkey: %s\n",
5839 G_STRFUNC
, gnutls_strerror(r
));
5843 r
= gnutls_pubkey_import(pubkey
, subjectPublicKeyInfo
, GNUTLS_X509_FMT_DER
);
5845 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
5846 G_STRFUNC
, gnutls_strerror(r
));
5850 if (gnutls_pubkey_get_pk_algorithm(pubkey
, NULL
) != GNUTLS_PK_RSA
) {
5851 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC
);
5855 /* Generate a 20-byte SHA-1 hash. */
5856 r
= gnutls_pubkey_get_key_id(pubkey
, 0, key_id
.key_id
, &key_id_len
);
5858 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
5859 G_STRFUNC
, gnutls_strerror(r
));
5863 if (key_id_len
!= sizeof(key_id
)) {
5864 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
5865 G_STRFUNC
, sizeof(key_id
), key_id_len
);
5869 ssl_print_data("Certificate.KeyID", key_id
.key_id
, key_id_len
);
5870 ssl
->cert_key_id
= wmem_new(wmem_file_scope(), cert_key_id_t
);
5871 *ssl
->cert_key_id
= key_id
;
5874 gnutls_pubkey_deinit(pubkey
);
5877 /* RSA private key file processing }}} */
5878 #endif /* HAVE_LIBGNUTLS */
5880 /*--- Start of dissector-related code below ---*/
5882 /* get ssl data for this session. if no ssl data is found allocate a new one*/
5884 ssl_get_session(conversation_t
*conversation
, dissector_handle_t tls_handle
)
5887 SslDecryptSession
*ssl_session
;
5890 proto_ssl
= dissector_handle_get_protocol_index(tls_handle
);
5891 conv_data
= conversation_get_proto_data(conversation
, proto_ssl
);
5892 if (conv_data
!= NULL
)
5893 return (SslDecryptSession
*)conv_data
;
5895 /* no previous SSL conversation info, initialize it. */
5896 ssl_session
= wmem_new0(wmem_file_scope(), SslDecryptSession
);
5898 /* data_len is the part that is meaningful, not the allocated length */
5899 ssl_session
->master_secret
.data_len
= 0;
5900 ssl_session
->master_secret
.data
= ssl_session
->_master_secret
;
5901 ssl_session
->session_id
.data_len
= 0;
5902 ssl_session
->session_id
.data
= ssl_session
->_session_id
;
5903 ssl_session
->client_random
.data_len
= 0;
5904 ssl_session
->client_random
.data
= ssl_session
->_client_random
;
5905 ssl_session
->server_random
.data_len
= 0;
5906 ssl_session
->server_random
.data
= ssl_session
->_server_random
;
5907 ssl_session
->session_ticket
.data_len
= 0;
5908 ssl_session
->session_ticket
.data
= NULL
; /* will be re-alloced as needed */
5909 ssl_session
->server_data_for_iv
.data_len
= 0;
5910 ssl_session
->server_data_for_iv
.data
= ssl_session
->_server_data_for_iv
;
5911 ssl_session
->client_data_for_iv
.data_len
= 0;
5912 ssl_session
->client_data_for_iv
.data
= ssl_session
->_client_data_for_iv
;
5913 ssl_session
->app_data_segment
.data
= NULL
;
5914 ssl_session
->app_data_segment
.data_len
= 0;
5915 ssl_session
->handshake_data
.data
=NULL
;
5916 ssl_session
->handshake_data
.data_len
=0;
5917 ssl_session
->ech_transcript
.data
=NULL
;
5918 ssl_session
->ech_transcript
.data_len
=0;
5920 /* Initialize parameters which are not necessary specific to decryption. */
5921 ssl_session
->session
.version
= SSL_VER_UNKNOWN
;
5922 clear_address(&ssl_session
->session
.srv_addr
);
5923 ssl_session
->session
.srv_ptype
= PT_NONE
;
5924 ssl_session
->session
.srv_port
= 0;
5925 ssl_session
->session
.dtls13_current_epoch
[0] = ssl_session
->session
.dtls13_current_epoch
[1] = 0;
5926 ssl_session
->session
.dtls13_next_seq_num
[0] = ssl_session
->session
.dtls13_next_seq_num
[1] = 0;
5927 ssl_session
->session
.client_random
.data_len
= 0;
5928 ssl_session
->session
.client_random
.data
= ssl_session
->session
._client_random
;
5929 memset(ssl_session
->session
.ech_confirmation
, 0, sizeof(ssl_session
->session
.ech_confirmation
));
5930 memset(ssl_session
->session
.hrr_ech_confirmation
, 0, sizeof(ssl_session
->session
.hrr_ech_confirmation
));
5931 memset(ssl_session
->session
.first_ech_auth_tag
, 0, sizeof(ssl_session
->session
.first_ech_auth_tag
));
5932 ssl_session
->session
.ech
= FALSE
;
5933 ssl_session
->session
.hrr_ech_declined
= FALSE
;
5934 ssl_session
->session
.first_ch_ech_frame
= 0;
5936 conversation_add_proto_data(conversation
, proto_ssl
, ssl_session
);
5940 void ssl_reset_session(SslSession
*session
, SslDecryptSession
*ssl
, bool is_client
)
5943 /* Ensure that secrets are not restored using stale identifiers. Split
5944 * between client and server in case the packets somehow got out of order. */
5945 int clear_flags
= SSL_HAVE_SESSION_KEY
| SSL_MASTER_SECRET
| SSL_PRE_MASTER_SECRET
;
5948 clear_flags
|= SSL_CLIENT_EXTENDED_MASTER_SECRET
;
5949 ssl
->session_id
.data_len
= 0;
5950 ssl
->session_ticket
.data_len
= 0;
5951 ssl
->master_secret
.data_len
= 0;
5952 ssl
->client_random
.data_len
= 0;
5953 ssl
->has_early_data
= false;
5954 if (ssl
->handshake_data
.data_len
> 0) {
5955 // The EMS handshake hash starts with at the Client Hello,
5956 // ensure that any messages before it are forgotten.
5957 wmem_free(wmem_file_scope(), ssl
->handshake_data
.data
);
5958 ssl
->handshake_data
.data
= NULL
;
5959 ssl
->handshake_data
.data_len
= 0;
5962 clear_flags
|= SSL_SERVER_EXTENDED_MASTER_SECRET
| SSL_NEW_SESSION_TICKET
;
5963 ssl
->server_random
.data_len
= 0;
5964 ssl
->pre_master_secret
.data_len
= 0;
5965 #ifdef HAVE_LIBGNUTLS
5966 ssl
->cert_key_id
= NULL
;
5968 ssl
->psk
.data_len
= 0;
5971 if (ssl
->state
& clear_flags
) {
5972 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
5973 G_STRFUNC
, ssl
->state
& clear_flags
, is_client
? "client" : "server");
5974 ssl
->state
&= ~clear_flags
;
5978 /* These flags might be used for non-decryption purposes and may affect the
5979 * dissection, so reset them as well. */
5981 session
->client_cert_type
= 0;
5983 session
->compression
= 0;
5984 session
->server_cert_type
= 0;
5985 /* session->is_session_resumed is already handled in the ServerHello dissection. */
5987 session
->dtls13_next_seq_num
[0] = session
->dtls13_next_seq_num
[1] = 0;
5988 session
->dtls13_current_epoch
[0] = session
->dtls13_current_epoch
[1] = 0;
5992 tls_set_appdata_dissector(dissector_handle_t tls_handle
, packet_info
*pinfo
,
5993 dissector_handle_t app_handle
)
5995 conversation_t
*conversation
;
5996 SslSession
*session
;
5998 /* Ignore if the TLS or other dissector is disabled. */
5999 if (!tls_handle
|| !app_handle
)
6002 conversation
= find_or_create_conversation(pinfo
);
6003 session
= &ssl_get_session(conversation
, tls_handle
)->session
;
6004 session
->app_handle
= app_handle
;
6008 ssl_starttls(dissector_handle_t tls_handle
, packet_info
*pinfo
,
6009 dissector_handle_t app_handle
, uint32_t last_nontls_frame
)
6011 conversation_t
*conversation
;
6012 SslSession
*session
;
6014 /* Ignore if the TLS dissector is disabled. */
6017 /* The caller should always pass a valid handle to its own dissector. */
6018 DISSECTOR_ASSERT(app_handle
);
6020 conversation
= find_or_create_conversation(pinfo
);
6021 session
= &ssl_get_session(conversation
, tls_handle
)->session
;
6023 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC
,
6024 session
->last_nontls_frame
,
6025 (void *)session
->app_handle
,
6026 dissector_handle_get_dissector_name(session
->app_handle
));
6027 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC
,
6028 pinfo
->num
, (void *)app_handle
,
6029 dissector_handle_get_dissector_name(app_handle
));
6031 /* Do not switch again if a dissector did it before. */
6032 if (session
->last_nontls_frame
) {
6033 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC
);
6034 return session
->last_nontls_frame
;
6037 session
->app_handle
= app_handle
;
6038 /* The TLS dissector should be called first for this conversation. */
6039 conversation_set_dissector(conversation
, tls_handle
);
6040 /* TLS starts after this frame. */
6041 session
->last_nontls_frame
= last_nontls_frame
;
6045 /* ssl_starttls_ack: mark future frames as encrypted. */
6047 ssl_starttls_ack(dissector_handle_t tls_handle
, packet_info
*pinfo
,
6048 dissector_handle_t app_handle
)
6050 return ssl_starttls(tls_handle
, pinfo
, app_handle
, pinfo
->num
);
6054 ssl_starttls_post_ack(dissector_handle_t tls_handle
, packet_info
*pinfo
,
6055 dissector_handle_t app_handle
)
6057 return ssl_starttls(tls_handle
, pinfo
, app_handle
, pinfo
->num
- 1);
6061 ssl_find_appdata_dissector(const char *name
)
6063 /* Accept 'http' for backwards compatibility and sanity. */
6064 if (!strcmp(name
, "http"))
6065 name
= "http-over-tls";
6066 /* XXX - Should this check to see if the dissector is actually added for
6067 * Decode As in the appropriate table?
6069 return find_dissector(name
);
6072 /* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
6074 ssl_equal (const void *v
, const void *v2
)
6076 const StringInfo
*val1
;
6077 const StringInfo
*val2
;
6078 val1
= (const StringInfo
*)v
;
6079 val2
= (const StringInfo
*)v2
;
6081 if (val1
->data_len
== val2
->data_len
&&
6082 !memcmp(val1
->data
, val2
->data
, val2
->data_len
)) {
6089 ssl_hash (const void *v
)
6092 const StringInfo
* id
;
6093 const unsigned* cur
;
6095 id
= (const StringInfo
*) v
;
6097 /* id and id->data are mallocated in ssl_save_master_key(). As such 'data'
6098 * should be aligned for any kind of access (for example as a unsigned as
6099 * is done below). The intermediate void* cast is to prevent "cast
6100 * increases required alignment of target type" warnings on CPUs (such
6101 * as SPARCs) that do not allow misaligned memory accesses.
6103 cur
= (const unsigned*)(void*) id
->data
;
6105 for (l
=4; (l
< id
->data_len
); l
+=4, cur
++)
6106 hash
= hash
^ (*cur
);
6110 /* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6112 /* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6114 ssl_association_add(const char* dissector_table_name
, dissector_handle_t main_handle
, dissector_handle_t subdissector_handle
, unsigned port
, bool tcp
)
6116 DISSECTOR_ASSERT(main_handle
);
6117 DISSECTOR_ASSERT(subdissector_handle
);
6118 /* Registration is required for Export PDU feature to work properly. */
6119 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle
),
6120 "SSL appdata dissectors must register with register_dissector()!");
6121 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name
, port
, (void *)subdissector_handle
);
6124 dissector_add_uint(dissector_table_name
, port
, subdissector_handle
);
6126 dissector_add_uint("tcp.port", port
, main_handle
);
6128 dissector_add_uint("udp.port", port
, main_handle
);
6129 dissector_add_uint("sctp.port", port
, main_handle
);
6131 dissector_add_for_decode_as(dissector_table_name
, subdissector_handle
);
6136 ssl_association_remove(const char* dissector_table_name
, dissector_handle_t main_handle
, dissector_handle_t subdissector_handle
, unsigned port
, bool tcp
)
6138 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
6139 tcp
?"TCP":"UDP", port
, (void *)subdissector_handle
);
6141 dissector_delete_uint(tcp
?"tcp.port":"udp.port", port
, main_handle
);
6142 dissector_delete_uint("sctp.port", port
, main_handle
);
6146 dissector_delete_uint(dissector_table_name
, port
, subdissector_handle
);
6151 ssl_set_server(SslSession
*session
, address
*addr
, port_type ptype
, uint32_t port
)
6153 copy_address_wmem(wmem_file_scope(), &session
->srv_addr
, addr
);
6154 session
->srv_ptype
= ptype
;
6155 session
->srv_port
= port
;
6159 ssl_packet_from_server(SslSession
*session
, dissector_table_t table
, const packet_info
*pinfo
)
6162 if (session
&& session
->srv_addr
.type
!= AT_NONE
) {
6163 ret
= (session
->srv_ptype
== pinfo
->ptype
) &&
6164 (session
->srv_port
== pinfo
->srcport
) &&
6165 addresses_equal(&session
->srv_addr
, &pinfo
->src
);
6167 ret
= (dissector_get_uint_handle(table
, pinfo
->srcport
) != 0);
6170 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret
)?"TRUE":"FALSE");
6173 /* Handling of association between tls/dtls ports and clear text protocol. }}} */
6176 /* Links SSL records with the real packet data. {{{ */
6178 tls_add_packet_info(int proto
, packet_info
*pinfo
, uint8_t curr_layer_num_ssl
)
6180 SslPacketInfo
*pi
= (SslPacketInfo
*)p_get_proto_data(wmem_file_scope(), pinfo
, proto
, curr_layer_num_ssl
);
6182 pi
= wmem_new0(wmem_file_scope(), SslPacketInfo
);
6183 pi
->srcport
= pinfo
->srcport
;
6184 pi
->destport
= pinfo
->destport
;
6185 p_add_proto_data(wmem_file_scope(), pinfo
, proto
, curr_layer_num_ssl
, pi
);
6192 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
6193 * avoid the need for a decoder in the second pass. Additionally, it remembers
6194 * sequence numbers (for reassembly and Follow TLS Stream).
6196 * @param proto The protocol identifier (proto_ssl or proto_dtls).
6197 * @param pinfo The packet where the record originates from.
6198 * @param data Decrypted data to store in the record.
6199 * @param data_len Length of decrypted record data.
6200 * @param record_id The identifier for this record within the current packet.
6201 * @param flow Information about sequence numbers, etc.
6202 * @param type TLS Content Type (such as handshake or application_data).
6203 * @param curr_layer_num_ssl The layer identifier for this TLS session.
6206 ssl_add_record_info(int proto
, packet_info
*pinfo
, const unsigned char *data
, int data_len
, int record_id
, SslFlow
*flow
, ContentType type
, uint8_t curr_layer_num_ssl
)
6208 SslRecordInfo
* rec
, **prec
;
6209 SslPacketInfo
*pi
= tls_add_packet_info(proto
, pinfo
, curr_layer_num_ssl
);
6211 rec
= wmem_new(wmem_file_scope(), SslRecordInfo
);
6212 rec
->plain_data
= (unsigned char *)wmem_memdup(wmem_file_scope(), data
, data_len
);
6213 rec
->data_len
= data_len
;
6214 rec
->id
= record_id
;
6218 if (flow
&& type
== SSL_ID_APP_DATA
) {
6219 rec
->seq
= flow
->byte_seq
;
6221 flow
->byte_seq
+= data_len
;
6222 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
6223 G_STRFUNC
, rec
->seq
, rec
->seq
+ data_len
, (void*)flow
);
6226 /* Remember decrypted records. */
6227 prec
= &pi
->records
;
6228 while (*prec
) prec
= &(*prec
)->next
;
6232 /* search in packet data for the specified id; return a newly created tvb for the associated data */
6234 ssl_get_record_info(tvbuff_t
*parent_tvb
, int proto
, packet_info
*pinfo
, int record_id
, uint8_t curr_layer_num_ssl
, SslRecordInfo
**matched_record
)
6238 pi
= (SslPacketInfo
*)p_get_proto_data(wmem_file_scope(), pinfo
, proto
, curr_layer_num_ssl
);
6243 for (rec
= pi
->records
; rec
; rec
= rec
->next
)
6244 if (rec
->id
== record_id
) {
6245 *matched_record
= rec
;
6246 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
6247 return tvb_new_child_real_data(parent_tvb
, rec
->plain_data
, rec
->data_len
, rec
->data_len
);
6252 /* Links SSL records with the real packet data. }}} */
6254 /* initialize/reset per capture state data (ssl sessions cache). {{{ */
6256 ssl_common_init(ssl_master_key_map_t
*mk_map
,
6257 StringInfo
*decrypted_data
, StringInfo
*compressed_data
)
6259 mk_map
->session
= g_hash_table_new(ssl_hash
, ssl_equal
);
6260 mk_map
->tickets
= g_hash_table_new(ssl_hash
, ssl_equal
);
6261 mk_map
->crandom
= g_hash_table_new(ssl_hash
, ssl_equal
);
6262 mk_map
->pre_master
= g_hash_table_new(ssl_hash
, ssl_equal
);
6263 mk_map
->pms
= g_hash_table_new(ssl_hash
, ssl_equal
);
6264 mk_map
->tls13_client_early
= g_hash_table_new(ssl_hash
, ssl_equal
);
6265 mk_map
->tls13_client_handshake
= g_hash_table_new(ssl_hash
, ssl_equal
);
6266 mk_map
->tls13_server_handshake
= g_hash_table_new(ssl_hash
, ssl_equal
);
6267 mk_map
->tls13_client_appdata
= g_hash_table_new(ssl_hash
, ssl_equal
);
6268 mk_map
->tls13_server_appdata
= g_hash_table_new(ssl_hash
, ssl_equal
);
6269 mk_map
->tls13_early_exporter
= g_hash_table_new(ssl_hash
, ssl_equal
);
6270 mk_map
->tls13_exporter
= g_hash_table_new(ssl_hash
, ssl_equal
);
6272 mk_map
->ech_secret
= g_hash_table_new(ssl_hash
, ssl_equal
);
6273 mk_map
->ech_config
= g_hash_table_new(ssl_hash
, ssl_equal
);
6275 mk_map
->used_crandom
= g_hash_table_new(ssl_hash
, ssl_equal
);
6277 ssl_data_alloc(decrypted_data
, 32);
6278 ssl_data_alloc(compressed_data
, 32);
6282 ssl_common_cleanup(ssl_master_key_map_t
*mk_map
, FILE **ssl_keylog_file
,
6283 StringInfo
*decrypted_data
, StringInfo
*compressed_data
)
6285 g_hash_table_destroy(mk_map
->session
);
6286 g_hash_table_destroy(mk_map
->tickets
);
6287 g_hash_table_destroy(mk_map
->crandom
);
6288 g_hash_table_destroy(mk_map
->pre_master
);
6289 g_hash_table_destroy(mk_map
->pms
);
6290 g_hash_table_destroy(mk_map
->tls13_client_early
);
6291 g_hash_table_destroy(mk_map
->tls13_client_handshake
);
6292 g_hash_table_destroy(mk_map
->tls13_server_handshake
);
6293 g_hash_table_destroy(mk_map
->tls13_client_appdata
);
6294 g_hash_table_destroy(mk_map
->tls13_server_appdata
);
6295 g_hash_table_destroy(mk_map
->tls13_early_exporter
);
6296 g_hash_table_destroy(mk_map
->tls13_exporter
);
6298 g_hash_table_destroy(mk_map
->ech_secret
);
6299 g_hash_table_destroy(mk_map
->ech_config
);
6301 g_hash_table_destroy(mk_map
->used_crandom
);
6303 g_free(decrypted_data
->data
);
6304 g_free(compressed_data
->data
);
6306 /* close the previous keylog file now that the cache are cleared, this
6307 * allows the cache to be filled with the full keylog file contents. */
6308 if (*ssl_keylog_file
) {
6309 fclose(*ssl_keylog_file
);
6310 *ssl_keylog_file
= NULL
;
6315 /* parse ssl related preferences (private keys and ports association strings) */
6316 #if defined(HAVE_LIBGNUTLS)
6317 /* Load a single RSA key file item from preferences. {{{ */
6319 ssl_parse_key_list(const ssldecrypt_assoc_t
*uats
, GHashTable
*key_hash
, const char* dissector_table_name
, dissector_handle_t main_handle
, bool tcp
)
6321 gnutls_x509_privkey_t x509_priv_key
;
6322 gnutls_privkey_t priv_key
= NULL
;
6325 size_t key_id_len
= 20;
6326 unsigned char *key_id
= NULL
;
6328 dissector_handle_t handle
;
6329 /* try to load keys file first */
6330 fp
= ws_fopen(uats
->keyfile
, "rb");
6332 report_open_failure(uats
->keyfile
, errno
, false);
6336 if ((int)strlen(uats
->password
) == 0) {
6337 x509_priv_key
= rsa_load_pem_key(fp
, &err
);
6339 x509_priv_key
= rsa_load_pkcs12(fp
, uats
->password
, &err
);
6343 if (!x509_priv_key
) {
6345 report_failure("Can't load private key from %s: %s",
6346 uats
->keyfile
, err
);
6349 report_failure("Can't load private key from %s: unknown error",
6354 report_failure("Load of private key from %s \"succeeded\" with error %s",
6355 uats
->keyfile
, err
);
6359 gnutls_privkey_init(&priv_key
);
6360 ret
= gnutls_privkey_import_x509(priv_key
, x509_priv_key
,
6361 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
|GNUTLS_PRIVKEY_IMPORT_COPY
);
6363 report_failure("Can't convert private key %s: %s",
6364 uats
->keyfile
, gnutls_strerror(ret
));
6368 key_id
= (unsigned char *) g_malloc0(key_id_len
);
6369 ret
= gnutls_x509_privkey_get_key_id(x509_priv_key
, 0, key_id
, &key_id_len
);
6371 report_failure("Can't calculate public key ID for %s: %s",
6372 uats
->keyfile
, gnutls_strerror(ret
));
6375 ssl_print_data("KeyID", key_id
, key_id_len
);
6376 if (key_id_len
!= 20) {
6377 report_failure("Expected Key ID size %u for %s, got %zu", 20,
6378 uats
->keyfile
, key_id_len
);
6382 g_hash_table_replace(key_hash
, key_id
, priv_key
);
6383 key_id
= NULL
; /* used in key_hash, do not free. */
6385 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats
->keyfile
);
6387 handle
= ssl_find_appdata_dissector(uats
->protocol
);
6389 /* Port to subprotocol mapping */
6391 if (ws_strtou16(uats
->port
, NULL
, &port
)) {
6393 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
6394 port
, uats
->keyfile
, uats
->password
);
6396 ssl_association_add(dissector_table_name
, main_handle
, handle
, port
, tcp
);
6399 if (strcmp(uats
->port
, "start_tls"))
6400 ssl_debug_printf("invalid ssl_init_port: %s\n", uats
->port
);
6405 gnutls_x509_privkey_deinit(x509_priv_key
);
6406 gnutls_privkey_deinit(priv_key
);
6413 /* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6414 /** store a known (pre-)master secret into cache */
6416 ssl_save_master_key(const char *label
, GHashTable
*ht
, StringInfo
*key
,
6419 StringInfo
*ht_key
, *master_secret
;
6421 if (key
->data_len
== 0) {
6422 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC
, label
);
6426 if (mk
->data_len
== 0) {
6427 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
6432 /* ssl_hash() depends on session_ticket->data being aligned for unsigned access
6433 * so be careful in changing how it is allocated. */
6434 ht_key
= ssl_data_clone(key
);
6435 master_secret
= ssl_data_clone(mk
);
6436 g_hash_table_insert(ht
, ht_key
, master_secret
);
6438 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC
, label
);
6439 ssl_print_string("stored key", ht_key
);
6440 ssl_print_string("stored (pre-)master secret", master_secret
);
6443 /** restore a (pre-)master secret given some key in the cache */
6445 ssl_restore_master_key(SslDecryptSession
*ssl
, const char *label
,
6446 bool is_pre_master
, GHashTable
*ht
, StringInfo
*key
)
6450 if (key
->data_len
== 0) {
6451 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
6452 G_STRFUNC
, is_pre_master
? "pre-" : "", label
);
6456 ms
= (StringInfo
*)g_hash_table_lookup(ht
, key
);
6458 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC
,
6459 is_pre_master
? "pre-" : "", label
);
6463 /* (pre)master secret found, clear knowledge of other keys and set it in the
6464 * current conversation */
6465 ssl
->state
&= ~(SSL_MASTER_SECRET
| SSL_PRE_MASTER_SECRET
|
6466 SSL_HAVE_SESSION_KEY
);
6467 if (is_pre_master
) {
6468 /* unlike master secret, pre-master secret has a variable size (48 for
6469 * RSA, varying for PSK) and is therefore not statically allocated */
6470 ssl
->pre_master_secret
.data
= (unsigned char *) wmem_alloc(wmem_file_scope(),
6472 ssl_data_set(&ssl
->pre_master_secret
, ms
->data
, ms
->data_len
);
6473 ssl
->state
|= SSL_PRE_MASTER_SECRET
;
6475 ssl_data_set(&ssl
->master_secret
, ms
->data
, ms
->data_len
);
6476 ssl
->state
|= SSL_MASTER_SECRET
;
6478 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC
,
6479 is_pre_master
? "pre-" : "", label
);
6480 ssl_print_string(label
, key
);
6481 ssl_print_string("(pre-)master secret", ms
);
6484 /* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6486 /* Should be called when all parameters are ready (after ChangeCipherSpec), and
6487 * the decoder should be attempted to be initialized. {{{*/
6489 ssl_finalize_decryption(SslDecryptSession
*ssl
, ssl_master_key_map_t
*mk_map
)
6491 if (ssl
->session
.version
== TLSV1DOT3_VERSION
) {
6492 /* TLS 1.3 implementations only provide secrets derived from the master
6493 * secret which are loaded in tls13_change_key. No master secrets can be
6494 * loaded here, so just return. */
6497 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC
, ssl
->state
);
6498 if (ssl
->state
& SSL_HAVE_SESSION_KEY
) {
6499 ssl_debug_printf(" session key already available, nothing to do.\n");
6502 if (!(ssl
->state
& SSL_CIPHER
)) {
6503 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
6507 /* for decryption, there needs to be a master secret (which can be derived
6508 * from pre-master secret). If missing, try to pick a master key from cache
6509 * (an earlier packet in the capture or key logfile). */
6510 if (!(ssl
->state
& (SSL_MASTER_SECRET
| SSL_PRE_MASTER_SECRET
)) &&
6511 !ssl_restore_master_key(ssl
, "Session ID", false,
6512 mk_map
->session
, &ssl
->session_id
) &&
6513 (!ssl
->session
.is_session_resumed
||
6514 !ssl_restore_master_key(ssl
, "Session Ticket", false,
6515 mk_map
->tickets
, &ssl
->session_ticket
)) &&
6516 !ssl_restore_master_key(ssl
, "Client Random", false,
6517 mk_map
->crandom
, &ssl
->client_random
)) {
6518 if (ssl
->cipher_suite
->enc
!= ENC_NULL
) {
6519 /* how unfortunate, the master secret could not be found */
6520 ssl_debug_printf(" Cannot find master secret\n");
6523 ssl_debug_printf(" Cannot find master secret, continuing anyway "
6524 "because of a NULL cipher\n");
6528 if (ssl_generate_keyring_material(ssl
) < 0) {
6529 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC
);
6532 /* Save Client Random/ Session ID for "SSL Export Session keys" */
6533 ssl_save_master_key("Client Random", mk_map
->crandom
,
6534 &ssl
->client_random
, &ssl
->master_secret
);
6535 ssl_save_master_key("Session ID", mk_map
->session
,
6536 &ssl
->session_id
, &ssl
->master_secret
);
6537 /* Only save the new secrets if the server sent the ticket. The client
6538 * ticket might have become stale. */
6539 if (ssl
->state
& SSL_NEW_SESSION_TICKET
) {
6540 ssl_save_master_key("Session Ticket", mk_map
->tickets
,
6541 &ssl
->session_ticket
, &ssl
->master_secret
);
6545 /* Load the traffic key secret from the keylog file. */
6547 tls13_load_secret(SslDecryptSession
*ssl
, ssl_master_key_map_t
*mk_map
,
6548 bool is_from_server
, TLSRecordType type
)
6550 GHashTable
*key_map
;
6553 if (ssl
->session
.version
!= TLSV1DOT3_VERSION
&& ssl
->session
.version
!= DTLSV1DOT3_VERSION
) {
6554 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC
, ssl
->session
.version
);
6558 if (ssl
->client_random
.data_len
== 0) {
6559 /* May happen if Hello message is missing and Finished is found. */
6560 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC
);
6565 case TLS_SECRET_0RTT_APP
:
6566 DISSECTOR_ASSERT(!is_from_server
);
6567 label
= "CLIENT_EARLY_TRAFFIC_SECRET";
6568 key_map
= mk_map
->tls13_client_early
;
6570 case TLS_SECRET_HANDSHAKE
:
6571 if (is_from_server
) {
6572 label
= "SERVER_HANDSHAKE_TRAFFIC_SECRET";
6573 key_map
= mk_map
->tls13_server_handshake
;
6575 label
= "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
6576 key_map
= mk_map
->tls13_client_handshake
;
6579 case TLS_SECRET_APP
:
6580 if (is_from_server
) {
6581 label
= "SERVER_TRAFFIC_SECRET_0";
6582 key_map
= mk_map
->tls13_server_appdata
;
6584 label
= "CLIENT_TRAFFIC_SECRET_0";
6585 key_map
= mk_map
->tls13_client_appdata
;
6589 ws_assert_not_reached();
6592 /* Transitioning to new keys, mark old ones as unusable. */
6593 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC
, ssl
->state
);
6594 ssl
->state
&= ~(SSL_MASTER_SECRET
| SSL_PRE_MASTER_SECRET
| SSL_HAVE_SESSION_KEY
);
6596 StringInfo
*secret
= (StringInfo
*)g_hash_table_lookup(key_map
, &ssl
->client_random
);
6598 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC
, label
);
6599 /* Disable decryption, the keys are invalid. */
6600 if (is_from_server
) {
6608 /* TLS 1.3 secret found, set new keys. */
6609 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC
);
6610 ssl_print_string("Client Random", &ssl
->client_random
);
6611 ssl_print_string(label
, secret
);
6615 /* Load the new key. */
6617 tls13_change_key(SslDecryptSession
*ssl
, ssl_master_key_map_t
*mk_map
,
6618 bool is_from_server
, TLSRecordType type
)
6620 if (ssl
->state
& SSL_QUIC_RECORD_LAYER
) {
6622 * QUIC does not use the TLS record layer for message protection.
6623 * The required keys will be extracted later by QUIC.
6628 StringInfo
*secret
= tls13_load_secret(ssl
, mk_map
, is_from_server
, type
);
6633 if (tls13_generate_keys(ssl
, secret
, is_from_server
)) {
6635 * Remember the application traffic secret to support Key Update. The
6636 * other secrets cannot be used for this purpose, so free them.
6638 SslDecoder
*decoder
= is_from_server
? ssl
->server
: ssl
->client
;
6639 StringInfo
*app_secret
= &decoder
->app_traffic_secret
;
6640 if (type
== TLS_SECRET_APP
) {
6641 app_secret
->data
= (unsigned char *) wmem_realloc(wmem_file_scope(),
6644 ssl_data_set(app_secret
, secret
->data
, secret
->data_len
);
6646 wmem_free(wmem_file_scope(), app_secret
->data
);
6647 app_secret
->data
= NULL
;
6648 app_secret
->data_len
= 0;
6654 * Update to next application data traffic secret for TLS 1.3. The previous
6655 * secret should have been set by tls13_change_key.
6658 tls13_key_update(SslDecryptSession
*ssl
, bool is_from_server
)
6660 /* RFC 8446 Section 7.2:
6661 * application_traffic_secret_N+1 =
6662 * HKDF-Expand-Label(application_traffic_secret_N,
6663 * "traffic upd", "", Hash.length)
6665 * Both application_traffic_secret_N are of the same length (Hash.length).
6667 const SslCipherSuite
*cipher_suite
= ssl
->cipher_suite
;
6668 SslDecoder
*decoder
= is_from_server
? ssl
->server
: ssl
->client
;
6669 StringInfo
*app_secret
= decoder
? &decoder
->app_traffic_secret
: NULL
;
6670 uint8_t tls13_draft_version
= ssl
->session
.tls13_draft_version
;
6672 if (!cipher_suite
|| !app_secret
|| app_secret
->data_len
== 0) {
6673 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC
);
6678 * Previous traffic secret is available, so find the hash function,
6679 * expand the new traffic secret and generate new keys.
6681 const char *hash_name
= ssl_cipher_suite_dig(cipher_suite
)->name
;
6682 int hash_algo
= ssl_get_digest_by_name(hash_name
);
6683 const unsigned hash_len
= app_secret
->data_len
;
6684 unsigned char *new_secret
;
6685 const char *label
= "traffic upd";
6686 if (tls13_draft_version
&& tls13_draft_version
< 20) {
6687 label
= "application traffic secret";
6689 if (!tls13_hkdf_expand_label(hash_algo
, app_secret
,
6690 tls13_hkdf_label_prefix(ssl
),
6691 label
, hash_len
, &new_secret
)) {
6692 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC
);
6695 ssl_data_set(app_secret
, new_secret
, hash_len
);
6696 if (tls13_generate_keys(ssl
, app_secret
, is_from_server
)) {
6698 * Remember the application traffic secret on the new decoder to
6699 * support another Key Update.
6701 decoder
= is_from_server
? ssl
->server
: ssl
->client
;
6702 app_secret
= &decoder
->app_traffic_secret
;
6703 app_secret
->data
= (unsigned char *) wmem_realloc(wmem_file_scope(),
6706 ssl_data_set(app_secret
, new_secret
, hash_len
);
6708 wmem_free(NULL
, new_secret
);
6712 tls_save_crandom(SslDecryptSession
*ssl
, ssl_master_key_map_t
*mk_map
)
6714 if (ssl
&& (ssl
->state
& SSL_CLIENT_RANDOM
)) {
6715 g_hash_table_add(mk_map
->used_crandom
, &ssl
->client_random
);
6719 /** SSL keylog file handling. {{{ */
6722 ssl_compile_keyfile_regex(void)
6724 #define OCTET "(?:[[:xdigit:]]{2})"
6725 const char *pattern
=
6727 /* Matches Client Hellos having this Client Random */
6728 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET
"{32}) "
6729 /* Matches first part of encrypted RSA pre-master secret */
6730 "|RSA (?<encrypted_pmk>" OCTET
"{8}) "
6731 /* Pre-Master-Secret is given, it is 48 bytes for RSA,
6732 but it can be of any length for DHE */
6733 ")(?<pms>" OCTET
"+)"
6735 /* Matches Server Hellos having a Session ID */
6736 "RSA Session-ID:(?<session_id>" OCTET
"+) Master-Key:"
6737 /* Matches Client Hellos having this Client Random */
6738 "|CLIENT_RANDOM (?<client_random>" OCTET
"{32}) "
6739 /* Master-Secret is given, its length is fixed */
6740 ")(?<master_secret>" OCTET
"{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH
) "})"
6742 /* TLS 1.3 Client Random to Derived Secrets mapping. */
6743 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET
"{32})"
6744 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET
"{32})"
6745 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET
"{32})"
6746 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET
"{32})"
6747 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET
"{32})"
6748 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET
"{32})"
6749 "|EXPORTER_SECRET (?<exporter>" OCTET
"{32})"
6750 /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
6751 /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
6752 "|ECH_SECRET (?<ech_secret>" OCTET
"{32,64})"
6753 "|ECH_CONFIG (?<ech_config>" OCTET
"{22,})"
6754 ") (?<derived_secret>" OCTET
"+)";
6756 static GRegex
*regex
= NULL
;
6757 GError
*gerr
= NULL
;
6760 regex
= g_regex_new(pattern
,
6761 (GRegexCompileFlags
)(G_REGEX_OPTIMIZE
| G_REGEX_ANCHORED
| G_REGEX_RAW
),
6762 G_REGEX_MATCH_ANCHORED
, &gerr
);
6764 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC
,
6774 typedef struct ssl_master_key_match_group
{
6775 const char *re_group_name
;
6776 GHashTable
*master_key_ht
;
6777 } ssl_master_key_match_group_t
;
6780 tls_keylog_process_lines(const ssl_master_key_map_t
*mk_map
, const uint8_t *data
, unsigned datalen
)
6782 ssl_master_key_match_group_t mk_groups
[] = {
6783 { "encrypted_pmk", mk_map
->pre_master
},
6784 { "session_id", mk_map
->session
},
6785 { "client_random", mk_map
->crandom
},
6786 { "client_random_pms", mk_map
->pms
},
6787 /* TLS 1.3 map from Client Random to derived secret. */
6788 { "client_early", mk_map
->tls13_client_early
},
6789 { "client_handshake", mk_map
->tls13_client_handshake
},
6790 { "server_handshake", mk_map
->tls13_server_handshake
},
6791 { "client_appdata", mk_map
->tls13_client_appdata
},
6792 { "server_appdata", mk_map
->tls13_server_appdata
},
6793 { "early_exporter", mk_map
->tls13_early_exporter
},
6794 { "exporter", mk_map
->tls13_exporter
},
6795 { "ech_secret", mk_map
->ech_secret
},
6796 { "ech_config", mk_map
->ech_config
},
6799 /* The format of the file is a series of records with one of the following formats:
6801 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
6802 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6803 * (this is the original format introduced with bug 4349)
6805 * - "RSA Session-ID:xxxx Master-Key:yyyy"
6806 * Where xxxx is the SSL session ID (hex-encoded)
6807 * Where yyyy is the cleartext master secret (hex-encoded)
6808 * (added to support openssl s_client Master-Key output)
6809 * This is somewhat is a misnomer because there's nothing RSA specific
6812 * - "PMS_CLIENT_RANDOM xxxx yyyy"
6813 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6814 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6815 * (This format allows SSL connections to be decrypted, if a user can
6816 * capture the PMS but could not recover the MS for a specific session
6817 * with a SSL Server.)
6819 * - "CLIENT_RANDOM xxxx yyyy"
6820 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6821 * Where yyyy is the cleartext master secret (hex-encoded)
6822 * (This format allows non-RSA SSL connections to be decrypted, i.e.
6825 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
6826 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
6827 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
6828 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
6829 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
6830 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
6831 * - "EXPORTER_SECRET xxxx yyyy"
6832 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6833 * Where yyyy is the secret (hex-encoded) derived from the early,
6834 * handshake or master secrets. (This format is introduced with TLS 1.3
6835 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
6837 GRegex
*regex
= ssl_compile_keyfile_regex();
6841 const char *next_line
= (const char *)data
;
6842 const char *line_end
= next_line
+ datalen
;
6843 while (next_line
&& next_line
< line_end
) {
6844 const char *line
= next_line
;
6845 next_line
= (const char *)memchr(line
, '\n', line_end
- line
);
6849 linelen
= next_line
- line
;
6850 next_line
++; /* drop LF */
6852 linelen
= (ssize_t
)(line_end
- line
);
6854 if (linelen
> 0 && line
[linelen
- 1] == '\r') {
6855 linelen
--; /* drop CR */
6858 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen
, line
);
6860 if (g_regex_match_full(regex
, line
, linelen
, 0, G_REGEX_MATCH_ANCHORED
, &mi
, NULL
)) {
6861 char *hex_key
, *hex_pre_ms_or_ms
;
6862 StringInfo
*key
= wmem_new(wmem_file_scope(), StringInfo
);
6863 StringInfo
*pre_ms_or_ms
= NULL
;
6864 GHashTable
*ht
= NULL
;
6866 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
6867 * otherwise we will use the Master Secret
6869 hex_pre_ms_or_ms
= g_match_info_fetch_named(mi
, "master_secret");
6870 if (hex_pre_ms_or_ms
== NULL
|| !*hex_pre_ms_or_ms
) {
6871 g_free(hex_pre_ms_or_ms
);
6872 hex_pre_ms_or_ms
= g_match_info_fetch_named(mi
, "pms");
6874 if (hex_pre_ms_or_ms
== NULL
|| !*hex_pre_ms_or_ms
) {
6875 g_free(hex_pre_ms_or_ms
);
6876 hex_pre_ms_or_ms
= g_match_info_fetch_named(mi
, "derived_secret");
6878 /* There is always a match, otherwise the regex is wrong. */
6879 DISSECTOR_ASSERT(hex_pre_ms_or_ms
&& strlen(hex_pre_ms_or_ms
));
6881 /* convert from hex to bytes and save to hashtable */
6882 pre_ms_or_ms
= wmem_new(wmem_file_scope(), StringInfo
);
6883 from_hex(pre_ms_or_ms
, hex_pre_ms_or_ms
, strlen(hex_pre_ms_or_ms
));
6884 g_free(hex_pre_ms_or_ms
);
6886 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
6887 for (unsigned i
= 0; i
< G_N_ELEMENTS(mk_groups
); i
++) {
6888 ssl_master_key_match_group_t
*g
= &mk_groups
[i
];
6889 hex_key
= g_match_info_fetch_named(mi
, g
->re_group_name
);
6890 if (hex_key
&& *hex_key
) {
6891 ssl_debug_printf(" matched %s\n", g
->re_group_name
);
6892 ht
= g
->master_key_ht
;
6893 from_hex(key
, hex_key
, strlen(hex_key
));
6899 DISSECTOR_ASSERT(ht
); /* Cannot be reached, or regex is wrong. */
6901 g_hash_table_insert(ht
, key
, pre_ms_or_ms
);
6903 } else if (linelen
> 0 && line
[0] != '#') {
6904 ssl_debug_printf(" unrecognized line\n");
6906 /* always free match info even if there is no match. */
6907 g_match_info_free(mi
);
6912 ssl_load_keyfile(const char *tls_keylog_filename
, FILE **keylog_file
,
6913 const ssl_master_key_map_t
*mk_map
)
6915 /* no need to try if no key log file is configured. */
6916 if (!tls_keylog_filename
|| !*tls_keylog_filename
) {
6917 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
6922 /* Validate regexes before even trying to use it. */
6923 if (!ssl_compile_keyfile_regex()) {
6927 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename
);
6929 /* if the keylog file was deleted/overwritten, re-open it */
6930 if (*keylog_file
&& file_needs_reopen(ws_fileno(*keylog_file
), tls_keylog_filename
)) {
6931 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC
);
6932 fclose(*keylog_file
);
6933 *keylog_file
= NULL
;
6936 if (*keylog_file
== NULL
) {
6937 *keylog_file
= ws_fopen(tls_keylog_filename
, "r");
6938 if (!*keylog_file
) {
6939 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC
);
6945 char buf
[1110], *line
;
6946 line
= fgets(buf
, sizeof(buf
), *keylog_file
);
6948 if (feof(*keylog_file
)) {
6949 /* Ensure that newly appended keys can be read in the future. */
6950 clearerr(*keylog_file
);
6951 } else if (ferror(*keylog_file
)) {
6952 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC
);
6953 fclose(*keylog_file
);
6954 *keylog_file
= NULL
;
6958 tls_keylog_process_lines(mk_map
, (uint8_t *)line
, (int)strlen(line
));
6961 /** SSL keylog file handling. }}} */
6963 #ifdef SSL_DECRYPT_DEBUG /* {{{ */
6965 static FILE* ssl_debug_file
;
6968 ssl_set_debug(const char* name
)
6970 static int debug_file_must_be_closed
;
6973 use_stderr
= name
?(strcmp(name
, SSL_DEBUG_USE_STDERR
) == 0):0;
6975 if (debug_file_must_be_closed
)
6976 fclose(ssl_debug_file
);
6979 ssl_debug_file
= stderr
;
6980 else if (!name
|| (strcmp(name
, "") ==0))
6981 ssl_debug_file
= NULL
;
6983 ssl_debug_file
= ws_fopen(name
, "w");
6985 if (!use_stderr
&& ssl_debug_file
)
6986 debug_file_must_be_closed
= 1;
6988 debug_file_must_be_closed
= 0;
6990 ssl_debug_printf("Wireshark SSL debug log \n\n");
6991 #ifdef HAVE_LIBGNUTLS
6992 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL
));
6994 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL
));
6995 ssl_debug_printf("\n");
6999 ssl_debug_flush(void)
7002 fflush(ssl_debug_file
);
7006 ssl_debug_printf(const char* fmt
, ...)
7010 if (!ssl_debug_file
)
7014 vfprintf(ssl_debug_file
, fmt
, ap
);
7019 ssl_print_data(const char* name
, const unsigned char* data
, size_t len
)
7022 if (!ssl_debug_file
)
7024 fprintf(ssl_debug_file
,"%s[%d]:\n",name
, (int) len
);
7025 for (i
=0; i
<len
; i
+=16) {
7026 fprintf(ssl_debug_file
,"| ");
7027 for (j
=i
, k
=0; k
<16 && j
<len
; ++j
, ++k
)
7028 fprintf(ssl_debug_file
,"%.2x ",data
[j
]);
7030 fprintf(ssl_debug_file
," ");
7031 fputc('|', ssl_debug_file
);
7032 for (j
=i
, k
=0; k
<16 && j
<len
; ++j
, ++k
) {
7033 unsigned char c
= data
[j
];
7034 if (!g_ascii_isprint(c
) || (c
=='\t')) c
= '.';
7035 fputc(c
, ssl_debug_file
);
7038 fputc(' ', ssl_debug_file
);
7039 fprintf(ssl_debug_file
,"|\n");
7044 ssl_print_string(const char* name
, const StringInfo
* data
)
7046 ssl_print_data(name
, data
->data
, data
->data_len
);
7048 #endif /* SSL_DECRYPT_DEBUG }}} */
7050 /* UAT preferences callbacks. {{{ */
7051 /* checks for SSL and DTLS UAT key list fields */
7054 ssldecrypt_uat_fld_ip_chk_cb(void* r _U_
, const char* p _U_
, unsigned len _U_
, const void* u1 _U_
, const void* u2 _U_
, char** err
)
7056 // This should be removed in favor of Decode As. Make it optional.
7062 ssldecrypt_uat_fld_port_chk_cb(void* r _U_
, const char* p
, unsigned len _U_
, const void* u1 _U_
, const void* u2 _U_
, char** err
)
7064 if (!p
|| strlen(p
) == 0u) {
7065 // This should be removed in favor of Decode As. Make it optional.
7070 if (strcmp(p
, "start_tls") != 0){
7072 if (!ws_strtou16(p
, NULL
, &port
)) {
7073 *err
= g_strdup("Invalid port given.");
7083 ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U_
, const char* p
, unsigned len _U_
, const void* u1 _U_
, const void* u2 _U_
, char** err
)
7087 if (!p
|| strlen(p
) == 0u) {
7088 *err
= g_strdup("No filename given.");
7091 if (ws_stat64(p
, &st
) != 0) {
7092 *err
= ws_strdup_printf("File '%s' does not exist or access is denied.", p
);
7102 ssldecrypt_uat_fld_password_chk_cb(void *r _U_
, const char *p _U_
, unsigned len _U_
, const void *u1 _U_
, const void *u2 _U_
, char **err
)
7104 #if defined(HAVE_LIBGNUTLS)
7105 ssldecrypt_assoc_t
* f
= (ssldecrypt_assoc_t
*)r
;
7108 if (p
&& (strlen(p
) > 0u)) {
7109 fp
= ws_fopen(f
->keyfile
, "rb");
7112 gnutls_x509_privkey_t priv_key
= rsa_load_pkcs12(fp
, p
, &msg
);
7115 *err
= ws_strdup_printf("Could not load PKCS#12 key file: %s", msg
);
7120 gnutls_x509_privkey_deinit(priv_key
);
7123 *err
= ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.");
7131 *err
= g_strdup("Cannot load key files, support is not compiled in.");
7135 /* UAT preferences callbacks. }}} */
7137 /** maximum size of ssl_association_info() string */
7138 #define SSL_ASSOC_MAX_LEN 8192
7140 typedef struct ssl_association_info_callback_data
7143 const char *table_protocol
;
7144 } ssl_association_info_callback_data_t
;
7147 * callback function used by ssl_association_info() to traverse the SSL associations.
7150 ssl_association_info_(const char *table _U_
, void *handle
, void *user_data
)
7152 ssl_association_info_callback_data_t
* data
= (ssl_association_info_callback_data_t
*)user_data
;
7153 const int l
= (const int)strlen(data
->str
);
7154 snprintf(data
->str
+l
, SSL_ASSOC_MAX_LEN
-l
, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t
)handle
), dissector_handle_get_description((dissector_handle_t
)handle
));
7158 * @return an information string on the SSL protocol associations. The string must be freed.
7161 ssl_association_info(const char* dissector_table_name
, const char* table_protocol
)
7163 ssl_association_info_callback_data_t data
;
7165 data
.str
= (char *)g_malloc0(SSL_ASSOC_MAX_LEN
);
7166 data
.table_protocol
= table_protocol
;
7167 dissector_table_foreach_handle(dissector_table_name
, ssl_association_info_
, &data
);
7172 /** Begin of code related to dissection of wire data. */
7174 /* Helpers for dissecting Variable-Length Vectors. {{{ */
7176 ssl_add_vector(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
,
7177 unsigned offset
, unsigned offset_end
, uint32_t *ret_length
,
7178 int hf_length
, uint32_t min_value
, uint32_t max_value
)
7180 unsigned veclen_size
;
7181 uint32_t veclen_value
;
7184 DISSECTOR_ASSERT_CMPUINT(min_value
, <=, max_value
);
7185 if (offset
> offset_end
) {
7186 expert_add_info_format(pinfo
, tree
, &hf
->ei
.malformed_buffer_too_small
,
7187 "Vector offset is past buffer end offset (%u > %u)",
7188 offset
, offset_end
);
7190 return false; /* Cannot read length. */
7193 if (max_value
> 0xffffff) {
7195 } else if (max_value
> 0xffff) {
7197 } else if (max_value
> 0xff) {
7203 if (offset_end
- offset
< veclen_size
) {
7204 proto_tree_add_expert_format(tree
, pinfo
, &hf
->ei
.malformed_buffer_too_small
,
7205 tvb
, offset
, offset_end
- offset
,
7206 "No more room for vector of length %u",
7209 return false; /* Cannot read length. */
7212 pi
= proto_tree_add_item_ret_uint(tree
, hf_length
, tvb
, offset
, veclen_size
, ENC_BIG_ENDIAN
, &veclen_value
);
7213 offset
+= veclen_size
;
7215 if (veclen_value
< min_value
) {
7216 expert_add_info_format(pinfo
, pi
, &hf
->ei
.malformed_vector_length
,
7217 "Vector length %u is smaller than minimum %u",
7218 veclen_value
, min_value
);
7219 } else if (veclen_value
> max_value
) {
7220 expert_add_info_format(pinfo
, pi
, &hf
->ei
.malformed_vector_length
,
7221 "Vector length %u is larger than maximum %u",
7222 veclen_value
, max_value
);
7225 if (offset_end
- offset
< veclen_value
) {
7226 expert_add_info_format(pinfo
, pi
, &hf
->ei
.malformed_buffer_too_small
,
7227 "Vector length %u is too large, truncating it to %u",
7228 veclen_value
, offset_end
- offset
);
7229 *ret_length
= offset_end
- offset
;
7230 return false; /* Length is truncated to avoid overflow. */
7233 *ret_length
= veclen_value
;
7234 return true; /* Length is OK. */
7238 ssl_end_vector(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
,
7239 unsigned offset
, unsigned offset_end
)
7241 if (offset
< offset_end
) {
7242 unsigned trailing
= offset_end
- offset
;
7243 proto_tree_add_expert_format(tree
, pinfo
, &hf
->ei
.malformed_trailing_data
,
7244 tvb
, offset
, trailing
,
7245 "%u trailing byte%s unprocessed",
7246 trailing
, plurality(trailing
, " was", "s were"));
7247 return false; /* unprocessed data warning */
7248 } else if (offset
> offset_end
) {
7250 * Returned offset runs past the end. This should not happen and is
7251 * possibly a dissector bug.
7253 unsigned excess
= offset
- offset_end
;
7254 proto_tree_add_expert_format(tree
, pinfo
, &hf
->ei
.malformed_buffer_too_small
,
7255 tvb
, offset_end
, excess
,
7256 "Dissector processed too much data (%u byte%s)",
7257 excess
, plurality(excess
, "", "s"));
7258 return false; /* overflow error */
7261 return true; /* OK, offset matches. */
7267 ssl_dissect_digitally_signed(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
7268 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
7269 uint16_t version
, int hf_sig_len
, int hf_sig
);
7271 /* change_cipher_spec(20) dissection */
7273 ssl_dissect_change_cipher_spec(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
7274 packet_info
*pinfo
, proto_tree
*tree
,
7275 uint32_t offset
, SslSession
*session
,
7276 bool is_from_server
,
7277 const SslDecryptSession
*ssl
)
7281 * enum { change_cipher_spec(1), (255) } type;
7282 * } ChangeCipherSpec;
7285 proto_item_set_text(tree
,
7286 "%s Record Layer: %s Protocol: Change Cipher Spec",
7287 val_to_str_const(session
->version
, ssl_version_short_names
, "SSL"),
7288 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC
, ssl_31_content_type
, "unknown"));
7289 ti
= proto_tree_add_item(tree
, hf
->hf
.change_cipher_spec
, tvb
, offset
, 1, ENC_NA
);
7291 if (session
->version
== TLSV1DOT3_VERSION
) {
7292 /* CCS is a dummy message in TLS 1.3, do not parse it further. */
7296 /* Remember frame number of first CCS */
7297 uint32_t *ccs_frame
= is_from_server
? &session
->server_ccs_frame
: &session
->client_ccs_frame
;
7298 if (*ccs_frame
== 0)
7299 *ccs_frame
= pinfo
->num
;
7301 /* Use heuristics to detect an abbreviated handshake, assume that missing
7302 * ServerHelloDone implies reusing previously negotiating keys. Then when
7303 * a Session ID or ticket is present, it must be a resumed session.
7304 * Normally this should be done at the Finished message, but that may be
7305 * encrypted so we do it here, at the last cleartext message. */
7306 if (is_from_server
&& ssl
) {
7307 if (session
->is_session_resumed
) {
7308 const char *resumed
= NULL
;
7309 if (ssl
->session_ticket
.data_len
) {
7310 resumed
= "Session Ticket";
7311 } else if (ssl
->session_id
.data_len
) {
7312 resumed
= "Session ID";
7315 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC
, resumed
);
7317 /* Can happen if the capture somehow starts in the middle */
7318 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC
);
7321 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC
);
7324 if (is_from_server
&& session
->is_session_resumed
)
7325 expert_add_info(pinfo
, ti
, &hf
->ei
.resumed
);
7328 /** Begin of handshake(22) record dissections */
7330 /* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
7333 tls_dissect_signature_algorithm(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, proto_tree
*tree
, uint32_t offset
, ja4_data_t
*ja4_data
)
7335 uint32_t sighash
, hashalg
, sigalg
;
7336 proto_item
*ti_sigalg
;
7337 proto_tree
*sigalg_tree
;
7339 ti_sigalg
= proto_tree_add_item_ret_uint(tree
, hf
->hf
.hs_sig_hash_alg
, tvb
,
7340 offset
, 2, ENC_BIG_ENDIAN
, &sighash
);
7342 wmem_list_append(ja4_data
->sighash_list
, GUINT_TO_POINTER(sighash
));
7345 sigalg_tree
= proto_item_add_subtree(ti_sigalg
, hf
->ett
.hs_sig_hash_alg
);
7347 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
7348 proto_tree_add_item_ret_uint(sigalg_tree
, hf
->hf
.hs_sig_hash_hash
, tvb
,
7349 offset
, 1, ENC_BIG_ENDIAN
, &hashalg
);
7350 proto_tree_add_item_ret_uint(sigalg_tree
, hf
->hf
.hs_sig_hash_sig
, tvb
,
7351 offset
+ 1, 1, ENC_BIG_ENDIAN
, &sigalg
);
7353 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
7354 if (!try_val_to_str(sighash
, tls13_signature_algorithm
)) {
7355 proto_item_set_text(ti_sigalg
, "Signature Algorithm: %s %s (0x%04x)",
7356 val_to_str_const(hashalg
, tls_hash_algorithm
, "Unknown"),
7357 val_to_str_const(sigalg
, tls_signature_algorithm
, "Unknown"),
7362 /* dissect a list of hash algorithms, return the number of bytes dissected
7363 this is used for the signature algorithms extension and for the
7364 TLS1.2 certificate request. {{{ */
7366 ssl_dissect_hash_alg_list(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, proto_tree
*tree
,
7367 packet_info
* pinfo
, uint32_t offset
, uint32_t offset_end
, ja4_data_t
*ja4_data
)
7369 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
7371 * HashAlgorithm hash;
7372 * SignatureAlgorithm signature;
7373 * } SignatureAndHashAlgorithm;
7374 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
7376 proto_tree
*subtree
;
7378 unsigned sh_alg_length
;
7379 uint32_t next_offset
;
7381 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
7382 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &sh_alg_length
,
7383 hf
->hf
.hs_sig_hash_alg_len
, 2, UINT16_MAX
- 1)) {
7387 next_offset
= offset
+ sh_alg_length
;
7389 ti
= proto_tree_add_none_format(tree
, hf
->hf
.hs_sig_hash_algs
, tvb
, offset
, sh_alg_length
,
7390 "Signature Hash Algorithms (%u algorithm%s)",
7391 sh_alg_length
/ 2, plurality(sh_alg_length
/ 2, "", "s"));
7392 subtree
= proto_item_add_subtree(ti
, hf
->ett
.hs_sig_hash_algs
);
7394 while (offset
+ 2 <= next_offset
) {
7395 tls_dissect_signature_algorithm(hf
, tvb
, subtree
, offset
, ja4_data
);
7399 if (!ssl_end_vector(hf
, tvb
, pinfo
, subtree
, offset
, next_offset
)) {
7400 offset
= next_offset
;
7406 /* Dissection of DistinguishedName (for CertificateRequest and
7407 * certificate_authorities extension). {{{ */
7409 tls_dissect_certificate_authorities(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
7410 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
)
7413 proto_tree
*subtree
;
7414 uint32_t dnames_length
, next_offset
;
7415 asn1_ctx_t asn1_ctx
;
7416 int dnames_count
= 100; /* the maximum number of DNs to add to the tree */
7418 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
7419 /* DistinguishedName certificate_authorities<0..2^16-1> */
7420 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &dnames_length
,
7421 hf
->hf
.hs_dnames_len
, 0, UINT16_MAX
)) {
7425 next_offset
= offset
+ dnames_length
;
7427 if (dnames_length
> 0) {
7428 ti
= proto_tree_add_none_format(tree
,
7430 tvb
, offset
, dnames_length
,
7431 "Distinguished Names (%d byte%s)",
7433 plurality(dnames_length
, "", "s"));
7434 subtree
= proto_item_add_subtree(ti
, hf
->ett
.dnames
);
7436 asn1_ctx_init(&asn1_ctx
, ASN1_ENC_BER
, true, pinfo
);
7438 while (offset
< next_offset
) {
7439 /* get the length of the current certificate */
7440 uint32_t name_length
;
7442 if (dnames_count
-- == 0) {
7443 /* stop adding to tree when the list is considered too large
7444 * https://gitlab.com/wireshark/wireshark/-/issues/16202
7445 Note: dnames_count must be set low enough not to hit the
7446 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
7448 ti
= proto_tree_add_item(subtree
, hf
->hf
.hs_dnames_truncated
,
7449 tvb
, offset
, next_offset
- offset
, ENC_NA
);
7450 proto_item_set_generated(ti
);
7454 /* opaque DistinguishedName<1..2^16-1> */
7455 if (!ssl_add_vector(hf
, tvb
, pinfo
, subtree
, offset
, next_offset
, &name_length
,
7456 hf
->hf
.hs_dname_len
, 1, UINT16_MAX
)) {
7461 dissect_x509if_DistinguishedName(false, tvb
, offset
, &asn1_ctx
,
7462 subtree
, hf
->hf
.hs_dname
);
7463 offset
+= name_length
;
7470 /** TLS Extensions (in Client Hello and Server Hello). {{{ */
7472 ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
7473 proto_tree
*tree
, packet_info
* pinfo
, uint32_t offset
, uint32_t offset_end
, ja4_data_t
*ja4_data
)
7475 return ssl_dissect_hash_alg_list(hf
, tvb
, tree
, pinfo
, offset
, offset_end
, ja4_data
);
7479 ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
7480 proto_tree
*tree
, packet_info
* pinfo
, uint32_t offset
, uint32_t offset_end
, uint8_t hnd_type
)
7482 if (hnd_type
== SSL_HND_CLIENT_HELLO
) {
7485 * SignatureScheme supported_signature_algorithm<2..2^16-2>;
7486 * } SignatureSchemeList;
7489 return ssl_dissect_hash_alg_list(hf
, tvb
, tree
, pinfo
, offset
, offset_end
, NULL
);
7491 asn1_ctx_t asn1_ctx
;
7492 unsigned pubkey_length
, sign_length
;
7496 * uint32 valid_time;
7497 * SignatureScheme expected_cert_verify_algorithm;
7498 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
7503 * SignatureScheme algorithm;
7504 * opaque signature<0..2^16-1>;
7505 * } DelegatedCredential;
7508 asn1_ctx_init(&asn1_ctx
, ASN1_ENC_BER
, true, pinfo
);
7510 proto_tree_add_item(tree
, hf
->hf
.hs_cred_valid_time
, tvb
, offset
, 4, ENC_BIG_ENDIAN
);
7513 tls_dissect_signature_algorithm(hf
, tvb
, tree
, offset
, NULL
);
7516 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &pubkey_length
,
7517 hf
->hf
.hs_cred_pubkey_len
, 1, G_MAXUINT24
)) {
7521 dissect_x509af_SubjectPublicKeyInfo(false, tvb
, offset
, &asn1_ctx
, tree
, hf
->hf
.hs_cred_pubkey
);
7522 offset
+= pubkey_length
;
7524 tls_dissect_signature_algorithm(hf
, tvb
, tree
, offset
, NULL
);
7527 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &sign_length
,
7528 hf
->hf
.hs_cred_signature_len
, 1, UINT16_MAX
)) {
7532 proto_tree_add_item(tree
, hf
->hf
.hs_cred_signature
,
7533 tvb
, offset
, sign_length
, ENC_ASCII
|ENC_NA
);
7534 offset
+= sign_length
;
7541 ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
7542 packet_info
*pinfo
, proto_tree
*tree
,
7543 uint32_t offset
, uint32_t offset_end
,
7547 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */
7550 case SSL_HND_CLIENT_HELLO
: {
7551 proto_tree
*alps_tree
;
7553 uint32_t next_offset
, alps_length
, name_length
;
7556 * opaque ProtocolName<1..2^8-1>;
7558 * ProtocolName supported_protocols<2..2^16-1>
7559 * } ApplicationSettingsSupport;
7562 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &alps_length
,
7563 hf
->hf
.hs_ext_alps_len
, 2, UINT16_MAX
)) {
7567 next_offset
= offset
+ alps_length
;
7569 ti
= proto_tree_add_item(tree
, hf
->hf
.hs_ext_alps_alpn_list
,
7570 tvb
, offset
, alps_length
, ENC_NA
);
7571 alps_tree
= proto_item_add_subtree(ti
, hf
->ett
.hs_ext_alps
);
7573 /* Parse list (note missing check for end of vector, ssl_add_vector below
7574 * ensures that data is always available.) */
7575 while (offset
< next_offset
) {
7576 if (!ssl_add_vector(hf
, tvb
, pinfo
, alps_tree
, offset
, next_offset
, &name_length
,
7577 hf
->hf
.hs_ext_alps_alpn_str_len
, 1, UINT8_MAX
)) {
7582 proto_tree_add_item(alps_tree
, hf
->hf
.hs_ext_alps_alpn_str
,
7583 tvb
, offset
, name_length
, ENC_ASCII
|ENC_NA
);
7584 offset
+= name_length
;
7589 case SSL_HND_ENCRYPTED_EXTS
:
7591 proto_tree_add_item(tree
, hf
->hf
.hs_ext_alps_settings
,
7592 tvb
, offset
, offset_end
- offset
, ENC_ASCII
|ENC_NA
);
7600 ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
7601 packet_info
*pinfo
, proto_tree
*tree
,
7602 uint32_t offset
, uint32_t offset_end
,
7603 uint8_t hnd_type
, SslSession
*session
,
7604 bool is_dtls
, ja4_data_t
*ja4_data
)
7607 /* https://tools.ietf.org/html/rfc7301#section-3.1
7608 * opaque ProtocolName<1..2^8-1>;
7610 * ProtocolName protocol_name_list<2..2^16-1>
7611 * } ProtocolNameList;
7613 proto_tree
*alpn_tree
;
7615 uint32_t next_offset
, alpn_length
, name_length
;
7616 uint8_t *proto_name
= NULL
, *client_proto_name
= NULL
;
7618 /* ProtocolName protocol_name_list<2..2^16-1> */
7619 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &alpn_length
,
7620 hf
->hf
.hs_ext_alpn_len
, 2, UINT16_MAX
)) {
7624 next_offset
= offset
+ alpn_length
;
7626 ti
= proto_tree_add_item(tree
, hf
->hf
.hs_ext_alpn_list
,
7627 tvb
, offset
, alpn_length
, ENC_NA
);
7628 alpn_tree
= proto_item_add_subtree(ti
, hf
->ett
.hs_ext_alpn
);
7630 /* Parse list (note missing check for end of vector, ssl_add_vector below
7631 * ensures that data is always available.) */
7632 while (offset
< next_offset
) {
7633 /* opaque ProtocolName<1..2^8-1> */
7634 if (!ssl_add_vector(hf
, tvb
, pinfo
, alpn_tree
, offset
, next_offset
, &name_length
,
7635 hf
->hf
.hs_ext_alpn_str_len
, 1, UINT8_MAX
)) {
7640 proto_tree_add_item(alpn_tree
, hf
->hf
.hs_ext_alpn_str
,
7641 tvb
, offset
, name_length
, ENC_ASCII
|ENC_NA
);
7642 if (ja4_data
&& wmem_strbuf_get_len(ja4_data
->alpn
) == 0) {
7643 const char alpn_first_char
= (char)tvb_get_uint8(tvb
,offset
);
7644 const char alpn_last_char
= (char)tvb_get_uint8(tvb
,offset
+ name_length
- 1);
7645 if ((g_ascii_isprint(alpn_first_char
)) && g_ascii_isprint(alpn_last_char
)) {
7646 wmem_strbuf_append_printf(ja4_data
->alpn
, "%c%c", alpn_first_char
, alpn_last_char
);
7649 wmem_strbuf_append_printf(ja4_data
->alpn
, "%x%x",(alpn_first_char
>> 4) & 0x0F,
7650 alpn_last_char
& 0x0F);
7653 /* Remember first ALPN ProtocolName entry for server. */
7654 if (hnd_type
== SSL_HND_SERVER_HELLO
|| hnd_type
== SSL_HND_ENCRYPTED_EXTENSIONS
) {
7655 /* '\0'-terminated string for dissector table match and prefix
7656 * comparison purposes. */
7657 proto_name
= tvb_get_string_enc(pinfo
->pool
, tvb
, offset
,
7658 name_length
, ENC_ASCII
);
7659 } else if (hnd_type
== SSL_HND_CLIENT_HELLO
) {
7660 client_proto_name
= tvb_get_string_enc(pinfo
->pool
, tvb
, offset
,
7661 name_length
, ENC_ASCII
);
7663 offset
+= name_length
;
7666 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
7667 * exactly one "ProtocolName". */
7669 dissector_handle_t handle
;
7671 session
->alpn_name
= wmem_strdup(wmem_file_scope(), proto_name
);
7674 handle
= dissector_get_string_handle(dtls_alpn_dissector_table
,
7677 handle
= dissector_get_string_handle(ssl_alpn_dissector_table
,
7679 if (handle
== NULL
) {
7680 /* Try prefix matching */
7681 for (size_t i
= 0; i
< G_N_ELEMENTS(ssl_alpn_prefix_match_protocols
); i
++) {
7682 const ssl_alpn_prefix_match_protocol_t
*alpn_proto
= &ssl_alpn_prefix_match_protocols
[i
];
7684 /* string_string is inappropriate as it compares strings
7685 * while "byte strings MUST NOT be truncated" (RFC 7301) */
7686 if (g_str_has_prefix(proto_name
, alpn_proto
->proto_prefix
)) {
7687 handle
= find_dissector(alpn_proto
->dissector_name
);
7693 if (handle
!= NULL
) {
7694 /* ProtocolName match, so set the App data dissector handle.
7695 * This may override protocols given via the UAT dialog, but
7696 * since the ALPN hint is precise, do it anyway. */
7697 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC
,
7698 (void *)session
->app_handle
,
7700 dissector_handle_get_dissector_name(handle
));
7701 session
->app_handle
= handle
;
7703 } else if (client_proto_name
) {
7704 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
7705 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
7706 session
->client_alpn_name
= wmem_strdup(wmem_file_scope(), client_proto_name
);
7713 ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
7714 packet_info
*pinfo
, proto_tree
*tree
,
7715 uint32_t offset
, uint32_t offset_end
)
7717 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
7718 * The "extension_data" field of a "next_protocol_negotiation" extension
7719 * in a "ServerHello" contains an optional list of protocols advertised
7720 * by the server. Protocols are named by opaque, non-empty byte strings
7721 * and the list of protocols is serialized as a concatenation of 8-bit,
7722 * length prefixed byte strings. Implementations MUST ensure that the
7723 * empty string is not included and that no byte strings are truncated.
7725 uint32_t npn_length
;
7726 proto_tree
*npn_tree
;
7728 /* List is optional, do not add tree if there are no entries. */
7729 if (offset
== offset_end
) {
7733 npn_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, offset_end
- offset
, hf
->ett
.hs_ext_npn
, NULL
, "Next Protocol Negotiation");
7735 while (offset
< offset_end
) {
7736 /* non-empty, 8-bit length prefixed strings means range 1..255 */
7737 if (!ssl_add_vector(hf
, tvb
, pinfo
, npn_tree
, offset
, offset_end
, &npn_length
,
7738 hf
->hf
.hs_ext_npn_str_len
, 1, UINT8_MAX
)) {
7743 proto_tree_add_item(npn_tree
, hf
->hf
.hs_ext_npn_str
,
7744 tvb
, offset
, npn_length
, ENC_ASCII
|ENC_NA
);
7745 offset
+= npn_length
;
7752 ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
7753 packet_info
*pinfo
, proto_tree
*tree
,
7754 uint32_t offset
, uint32_t offset_end
)
7756 /* https://tools.ietf.org/html/rfc5746#section-3.2
7758 * opaque renegotiated_connection<0..255>;
7759 * } RenegotiationInfo;
7762 proto_tree
*reneg_info_tree
;
7763 uint32_t reneg_info_length
;
7765 reneg_info_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, offset_end
- offset
, hf
->ett
.hs_ext_reneg_info
, NULL
, "Renegotiation Info extension");
7767 /* opaque renegotiated_connection<0..255> */
7768 if (!ssl_add_vector(hf
, tvb
, pinfo
, reneg_info_tree
, offset
, offset_end
, &reneg_info_length
,
7769 hf
->hf
.hs_ext_reneg_info_len
, 0, 255)) {
7774 if (reneg_info_length
> 0) {
7775 proto_tree_add_item(reneg_info_tree
, hf
->hf
.hs_ext_reneg_info
, tvb
, offset
, reneg_info_length
, ENC_NA
);
7776 offset
+= reneg_info_length
;
7783 ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
7784 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
7785 const char **group_name_out
)
7787 /* RFC 8446 Section 4.2.8
7790 * opaque key_exchange<1..2^16-1>;
7793 uint32_t key_exchange_length
, group
;
7794 proto_tree
*ks_tree
;
7796 ks_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, 4, hf
->ett
.hs_ext_key_share_ks
, NULL
, "Key Share Entry");
7798 proto_tree_add_item_ret_uint(ks_tree
, hf
->hf
.hs_ext_key_share_group
, tvb
, offset
, 2, ENC_BIG_ENDIAN
, &group
);
7800 const char *group_name
= val_to_str(group
, ssl_extension_curves
, "Unknown (%u)");
7801 proto_item_append_text(ks_tree
, ": Group: %s", group_name
);
7802 if (group_name_out
) {
7803 *group_name_out
= !IS_GREASE_TLS(group
) ? group_name
: NULL
;
7806 /* opaque key_exchange<1..2^16-1> */
7807 if (!ssl_add_vector(hf
, tvb
, pinfo
, ks_tree
, offset
, offset_end
, &key_exchange_length
,
7808 hf
->hf
.hs_ext_key_share_key_exchange_length
, 1, UINT16_MAX
)) {
7809 return offset_end
; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
7812 proto_item_set_len(ks_tree
, 2 + 2 + key_exchange_length
);
7813 proto_item_append_text(ks_tree
, ", Key Exchange length: %u", key_exchange_length
);
7815 proto_tree_add_item(ks_tree
, hf
->hf
.hs_ext_key_share_key_exchange
, tvb
, offset
, key_exchange_length
, ENC_NA
);
7816 offset
+= key_exchange_length
;
7822 ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
7823 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
7826 proto_tree
*key_share_tree
;
7827 uint32_t next_offset
;
7828 uint32_t client_shares_length
;
7830 const char *group_name
= NULL
;
7832 if (offset_end
<= offset
) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
7836 key_share_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, offset_end
- offset
, hf
->ett
.hs_ext_key_share
, NULL
, "Key Share extension");
7839 case SSL_HND_CLIENT_HELLO
:
7840 /* KeyShareEntry client_shares<0..2^16-1> */
7841 if (!ssl_add_vector(hf
, tvb
, pinfo
, key_share_tree
, offset
, offset_end
, &client_shares_length
,
7842 hf
->hf
.hs_ext_key_share_client_length
, 0, UINT16_MAX
)) {
7846 next_offset
= offset
+ client_shares_length
;
7847 const char *sep
= " ";
7848 while (offset
+ 4 <= next_offset
) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
7849 offset
= ssl_dissect_hnd_hello_ext_key_share_entry(hf
, tvb
, pinfo
, key_share_tree
, offset
, next_offset
, &group_name
);
7851 proto_item_append_text(tree
, "%s%s", sep
, group_name
);
7855 if (!ssl_end_vector(hf
, tvb
, pinfo
, key_share_tree
, offset
, next_offset
)) {
7859 case SSL_HND_SERVER_HELLO
:
7860 offset
= ssl_dissect_hnd_hello_ext_key_share_entry(hf
, tvb
, pinfo
, key_share_tree
, offset
, offset_end
, &group_name
);
7862 proto_item_append_text(tree
, " %s", group_name
);
7865 case SSL_HND_HELLO_RETRY_REQUEST
:
7866 proto_tree_add_item_ret_uint(key_share_tree
, hf
->hf
.hs_ext_key_share_selected_group
, tvb
, offset
, 2, ENC_BIG_ENDIAN
, &group
);
7868 group_name
= val_to_str(group
, ssl_extension_curves
, "Unknown (%u)");
7869 proto_item_append_text(tree
, " %s", group_name
);
7871 default: /* no default */
7879 ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
7880 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
7883 /* RFC 8446 Section 4.2.11
7885 * opaque identity<1..2^16-1>;
7886 * uint32 obfuscated_ticket_age;
7888 * opaque PskBinderEntry<32..255>;
7890 * select (Handshake.msg_type) {
7891 * case client_hello:
7892 * PskIdentity identities<7..2^16-1>;
7893 * PskBinderEntry binders<33..2^16-1>;
7894 * case server_hello:
7895 * uint16 selected_identity;
7897 * } PreSharedKeyExtension;
7900 proto_tree
*psk_tree
;
7902 psk_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, offset_end
- offset
, hf
->ett
.hs_ext_pre_shared_key
, NULL
, "Pre-Shared Key extension");
7905 case SSL_HND_CLIENT_HELLO
: {
7906 uint32_t identities_length
, identities_end
, binders_length
;
7908 /* PskIdentity identities<7..2^16-1> */
7909 if (!ssl_add_vector(hf
, tvb
, pinfo
, psk_tree
, offset
, offset_end
, &identities_length
,
7910 hf
->hf
.hs_ext_psk_identities_length
, 7, UINT16_MAX
)) {
7914 identities_end
= offset
+ identities_length
;
7916 while (offset
< identities_end
) {
7917 uint32_t identity_length
;
7918 proto_tree
*identity_tree
;
7920 identity_tree
= proto_tree_add_subtree(psk_tree
, tvb
, offset
, 4, hf
->ett
.hs_ext_psk_identity
, NULL
, "PSK Identity (");
7922 /* opaque identity<1..2^16-1> */
7923 if (!ssl_add_vector(hf
, tvb
, pinfo
, identity_tree
, offset
, identities_end
, &identity_length
,
7924 hf
->hf
.hs_ext_psk_identity_identity_length
, 1, UINT16_MAX
)) {
7925 return identities_end
;
7928 proto_item_append_text(identity_tree
, "length: %u)", identity_length
);
7930 proto_tree_add_item(identity_tree
, hf
->hf
.hs_ext_psk_identity_identity
, tvb
, offset
, identity_length
, ENC_BIG_ENDIAN
);
7931 offset
+= identity_length
;
7933 proto_tree_add_item(identity_tree
, hf
->hf
.hs_ext_psk_identity_obfuscated_ticket_age
, tvb
, offset
, 4, ENC_BIG_ENDIAN
);
7936 proto_item_set_len(identity_tree
, 2 + identity_length
+ 4);
7938 if (!ssl_end_vector(hf
, tvb
, pinfo
, psk_tree
, offset
, identities_end
)) {
7939 offset
= identities_end
;
7942 /* PskBinderEntry binders<33..2^16-1> */
7943 if (!ssl_add_vector(hf
, tvb
, pinfo
, psk_tree
, offset
, offset_end
, &binders_length
,
7944 hf
->hf
.hs_ext_psk_binders_length
, 33, UINT16_MAX
)) {
7949 proto_tree_add_item(psk_tree
, hf
->hf
.hs_ext_psk_binders
, tvb
, offset
, binders_length
, ENC_NA
);
7950 offset
+= binders_length
;
7953 case SSL_HND_SERVER_HELLO
: {
7954 proto_tree_add_item(psk_tree
, hf
->hf
.hs_ext_psk_identity_selected
, tvb
, offset
, 2, ENC_BIG_ENDIAN
);
7966 ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo _U_
,
7967 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end _U_
,
7968 uint8_t hnd_type
, SslDecryptSession
*ssl
)
7970 /* RFC 8446 Section 4.2.10
7973 * select (Handshake.msg_type) {
7974 * case new_session_ticket: uint32 max_early_data_size;
7975 * case client_hello: Empty;
7976 * case encrypted_extensions: Empty;
7978 * } EarlyDataIndication;
7981 case SSL_HND_CLIENT_HELLO
:
7982 /* Remember that early_data will follow the handshake. */
7984 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC
);
7985 ssl
->has_early_data
= true;
7988 case SSL_HND_NEWSESSION_TICKET
:
7989 proto_tree_add_item(tree
, hf
->hf
.hs_ext_max_early_data_size
, tvb
, offset
, 4, ENC_BIG_ENDIAN
);
7999 tls_try_get_version(bool is_dtls
, uint16_t version
, uint8_t *draft_version
)
8001 if (draft_version
) {
8005 uint8_t tls13_draft
= extract_tls13_draft_version(version
);
8006 if (tls13_draft
!= 0) {
8007 /* This is TLS 1.3 (a draft version). */
8008 if (draft_version
) {
8009 *draft_version
= tls13_draft
;
8011 version
= TLSV1DOT3_VERSION
;
8013 if (version
== 0xfb17 || version
== 0xfb1a) {
8014 /* Unofficial TLS 1.3 draft version for Facebook fizz. */
8015 tls13_draft
= (uint8_t)version
;
8016 if (draft_version
) {
8017 *draft_version
= tls13_draft
;
8019 version
= TLSV1DOT3_VERSION
;
8026 case TLSV1DOT1_VERSION
:
8027 case TLSV1DOT2_VERSION
:
8028 case TLSV1DOT3_VERSION
:
8029 case TLCPV1_VERSION
:
8031 return SSL_VER_UNKNOWN
;
8034 case DTLSV1DOT0_VERSION
:
8035 case DTLSV1DOT0_OPENSSL_VERSION
:
8036 case DTLSV1DOT2_VERSION
:
8037 case DTLSV1DOT3_VERSION
:
8039 return SSL_VER_UNKNOWN
;
8042 default: /* invalid version number */
8043 return SSL_VER_UNKNOWN
;
8050 ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
8051 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
8052 SslSession
*session
, bool is_dtls
, ja4_data_t
*ja4_data
)
8055 /* RFC 8446 Section 4.2.1
8057 * ProtocolVersion versions<2..254>; // ClientHello
8058 * } SupportedVersions;
8059 * Note that ServerHello and HelloRetryRequest are handled by the caller.
8061 uint32_t versions_length
, next_offset
;
8062 /* ProtocolVersion versions<2..254> */
8063 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &versions_length
,
8064 hf
->hf
.hs_ext_supported_versions_len
, 2, 254)) {
8068 next_offset
= offset
+ versions_length
;
8071 unsigned current_version
, lowest_version
= SSL_VER_UNKNOWN
;
8072 uint8_t draft_version
, max_draft_version
= 0;
8073 const char *sep
= " ";
8074 while (offset
+ 2 <= next_offset
) {
8075 proto_tree_add_item_ret_uint(tree
, hf
->hf
.hs_ext_supported_version
, tvb
, offset
, 2, ENC_BIG_ENDIAN
, &version
);
8078 if (!IS_GREASE_TLS(version
)) {
8079 proto_item_append_text(tree
, "%s%s", sep
, val_to_str(version
, ssl_versions
, "Unknown (0x%04x)"));
8083 current_version
= tls_try_get_version(is_dtls
, version
, &draft_version
);
8084 if (session
->version
== SSL_VER_UNKNOWN
) {
8085 if (lowest_version
== SSL_VER_UNKNOWN
) {
8086 lowest_version
= current_version
;
8087 } else if (current_version
!= SSL_VER_UNKNOWN
) {
8089 lowest_version
= MIN(lowest_version
, current_version
);
8091 lowest_version
= MAX(lowest_version
, current_version
);
8095 max_draft_version
= MAX(draft_version
, max_draft_version
);
8096 if (ja4_data
&& !IS_GREASE_TLS(version
)) {
8097 /* The DTLS version numbers get mapped to "00" for unknown per
8098 * JA4 spec, but if JA4 ever does support DTLS we'll probably
8099 * need to take the MIN instead of MAX here for DTLS.
8101 ja4_data
->max_version
= MAX(version
, ja4_data
->max_version
);
8104 if (session
->version
== SSL_VER_UNKNOWN
&& lowest_version
!= SSL_VER_UNKNOWN
) {
8105 col_set_str(pinfo
->cinfo
, COL_PROTOCOL
,
8106 val_to_str_const(version
, ssl_version_short_names
, is_dtls
? "DTLS" : "TLS"));
8108 if (!ssl_end_vector(hf
, tvb
, pinfo
, tree
, offset
, next_offset
)) {
8109 offset
= next_offset
;
8112 /* XXX remove this when draft 19 support is dropped,
8113 * this is only required for early data decryption. */
8114 if (max_draft_version
) {
8115 session
->tls13_draft_version
= max_draft_version
;
8122 ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
8123 packet_info
*pinfo
, proto_tree
*tree
,
8124 uint32_t offset
, uint32_t offset_end
)
8126 /* RFC 8446 Section 4.2.2
8128 * opaque cookie<1..2^16-1>;
8131 uint32_t cookie_length
;
8132 /* opaque cookie<1..2^16-1> */
8133 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &cookie_length
,
8134 hf
->hf
.hs_ext_cookie_len
, 1, UINT16_MAX
)) {
8139 proto_tree_add_item(tree
, hf
->hf
.hs_ext_cookie
, tvb
, offset
, cookie_length
, ENC_NA
);
8140 offset
+= cookie_length
;
8146 ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
8147 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
)
8149 /* RFC 8446 Section 4.2.9
8150 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
8153 * PskKeyExchangeMode ke_modes<1..255>;
8154 * } PskKeyExchangeModes;
8156 uint32_t ke_modes_length
, next_offset
;
8158 /* PskKeyExchangeMode ke_modes<1..255> */
8159 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &ke_modes_length
,
8160 hf
->hf
.hs_ext_psk_ke_modes_length
, 1, 255)) {
8164 next_offset
= offset
+ ke_modes_length
;
8166 while (offset
< next_offset
) {
8167 proto_tree_add_item(tree
, hf
->hf
.hs_ext_psk_ke_mode
, tvb
, offset
, 1, ENC_NA
);
8175 ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
8176 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
)
8178 /* RFC 8446 Section 4.2.4
8179 * opaque DistinguishedName<1..2^16-1>;
8181 * DistinguishedName authorities<3..2^16-1>;
8182 * } CertificateAuthoritiesExtension;
8184 return tls_dissect_certificate_authorities(hf
, tvb
, pinfo
, tree
, offset
, offset_end
);
8188 ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
8189 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
)
8191 /* RFC 8446 Section 4.2.5
8193 * opaque certificate_extension_oid<1..2^8-1>;
8194 * opaque certificate_extension_values<0..2^16-1>;
8197 * OIDFilter filters<0..2^16-1>;
8198 * } OIDFilterExtension;
8200 proto_tree
*subtree
;
8201 uint32_t filters_length
, oid_length
, values_length
, value_offset
;
8202 asn1_ctx_t asn1_ctx
;
8203 const char *oid
, *name
;
8205 /* OIDFilter filters<0..2^16-1> */
8206 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &filters_length
,
8207 hf
->hf
.hs_ext_psk_ke_modes_length
, 0, UINT16_MAX
)) {
8211 offset_end
= offset
+ filters_length
;
8213 asn1_ctx_init(&asn1_ctx
, ASN1_ENC_BER
, true, pinfo
);
8215 while (offset
< offset_end
) {
8216 subtree
= proto_tree_add_subtree(tree
, tvb
, offset
, offset_end
- offset
,
8217 hf
->ett
.hs_ext_oid_filter
, NULL
, "OID Filter");
8219 /* opaque certificate_extension_oid<1..2^8-1> */
8220 if (!ssl_add_vector(hf
, tvb
, pinfo
, subtree
, offset
, offset_end
, &oid_length
,
8221 hf
->hf
.hs_ext_oid_filters_oid_length
, 1, UINT8_MAX
)) {
8225 dissect_ber_object_identifier_str(false, &asn1_ctx
, subtree
, tvb
, offset
,
8226 hf
->hf
.hs_ext_oid_filters_oid
, &oid
);
8227 offset
+= oid_length
;
8229 /* Append OID to tree label */
8230 name
= oid_resolved_from_string(pinfo
->pool
, oid
);
8231 proto_item_append_text(subtree
, " (%s)", name
? name
: oid
);
8233 /* opaque certificate_extension_values<0..2^16-1> */
8234 if (!ssl_add_vector(hf
, tvb
, pinfo
, subtree
, offset
, offset_end
, &values_length
,
8235 hf
->hf
.hs_ext_oid_filters_values_length
, 0, UINT16_MAX
)) {
8239 proto_item_set_len(subtree
, 1 + oid_length
+ 2 + values_length
);
8240 if (values_length
> 0) {
8241 value_offset
= offset
;
8242 value_offset
= dissect_ber_identifier(pinfo
, subtree
, tvb
, value_offset
, NULL
, NULL
, NULL
);
8243 value_offset
= dissect_ber_length(pinfo
, subtree
, tvb
, value_offset
, NULL
, NULL
);
8244 call_ber_oid_callback(oid
, tvb
, value_offset
, pinfo
, subtree
, NULL
);
8246 offset
+= values_length
;
8253 ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
8254 packet_info
*pinfo
, proto_tree
*tree
,
8255 uint32_t offset
, uint32_t offset_end
)
8257 /* https://tools.ietf.org/html/rfc6066#section-3
8260 * NameType name_type;
8261 * select (name_type) {
8262 * case host_name: HostName;
8267 * host_name(0), (255)
8270 * opaque HostName<1..2^16-1>;
8273 * ServerName server_name_list<1..2^16-1>
8276 proto_tree
*server_name_tree
;
8277 uint32_t list_length
, server_name_length
, next_offset
;
8279 /* The server SHALL include "server_name" extension with empty data. */
8280 if (offset
== offset_end
) {
8284 server_name_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, offset_end
- offset
, hf
->ett
.hs_ext_server_name
, NULL
, "Server Name Indication extension");
8286 /* ServerName server_name_list<1..2^16-1> */
8287 if (!ssl_add_vector(hf
, tvb
, pinfo
, server_name_tree
, offset
, offset_end
, &list_length
,
8288 hf
->hf
.hs_ext_server_name_list_len
, 1, UINT16_MAX
)) {
8292 next_offset
= offset
+ list_length
;
8294 while (offset
< next_offset
) {
8296 const uint8_t *server_name
= NULL
;
8297 proto_tree_add_item_ret_uint(server_name_tree
, hf
->hf
.hs_ext_server_name_type
,
8298 tvb
, offset
, 1, ENC_NA
, &name_type
);
8301 /* opaque HostName<1..2^16-1> */
8302 if (!ssl_add_vector(hf
, tvb
, pinfo
, server_name_tree
, offset
, next_offset
, &server_name_length
,
8303 hf
->hf
.hs_ext_server_name_len
, 1, UINT16_MAX
)) {
8308 proto_tree_add_item_ret_string(server_name_tree
, hf
->hf
.hs_ext_server_name
,
8309 tvb
, offset
, server_name_length
, ENC_ASCII
|ENC_NA
,
8310 pinfo
->pool
, &server_name
);
8311 offset
+= server_name_length
;
8312 // Each type must only occur once, so we don't check for duplicates.
8313 if (name_type
== 0) {
8314 proto_item_append_text(tree
, " name=%s", server_name
);
8315 col_append_fstr(pinfo
->cinfo
, COL_INFO
, " (SNI=%s)", server_name
);
8317 if (gbl_resolv_flags
.handshake_sni_addr_resolution
) {
8318 // Client Hello: Client (Src) -> Server (Dst)
8319 switch (pinfo
->dst
.type
) {
8321 if (pinfo
->dst
.len
== sizeof(uint32_t)) {
8322 add_ipv4_name(*(uint32_t *)pinfo
->dst
.data
, server_name
, false);
8326 if (pinfo
->dst
.len
== sizeof(ws_in6_addr
)) {
8327 add_ipv6_name(pinfo
->dst
.data
, server_name
, false);
8338 ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
8339 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
, uint8_t hnd_type
, SslDecryptSession
*ssl
)
8341 unsigned ext_len
= offset_end
- offset
;
8342 if (hnd_type
== SSL_HND_CLIENT_HELLO
&& ssl
&& ext_len
!= 0) {
8343 tvb_ensure_bytes_exist(tvb
, offset
, ext_len
);
8344 /* Save the Session Ticket such that it can be used as identifier for
8345 * restoring a previous Master Secret (in ChangeCipherSpec) */
8346 ssl
->session_ticket
.data
= (unsigned char*)wmem_realloc(wmem_file_scope(),
8347 ssl
->session_ticket
.data
, ext_len
);
8348 ssl
->session_ticket
.data_len
= ext_len
;
8349 tvb_memcpy(tvb
,ssl
->session_ticket
.data
, offset
, ext_len
);
8351 proto_tree_add_item(tree
, hf
->hf
.hs_ext_session_ticket
,
8352 tvb
, offset
, ext_len
, ENC_NA
);
8353 return offset
+ ext_len
;
8357 ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
8358 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
8359 uint8_t hnd_type
, uint16_t ext_type
, SslSession
*session
)
8361 uint8_t cert_list_length
;
8363 proto_tree
*cert_list_tree
;
8367 case SSL_HND_CLIENT_HELLO
:
8368 cert_list_length
= tvb_get_uint8(tvb
, offset
);
8369 proto_tree_add_item(tree
, hf
->hf
.hs_ext_cert_types_len
,
8370 tvb
, offset
, 1, ENC_BIG_ENDIAN
);
8372 if (offset_end
- offset
!= (uint32_t)cert_list_length
)
8375 ti
= proto_tree_add_item(tree
, hf
->hf
.hs_ext_cert_types
, tvb
, offset
,
8376 cert_list_length
, cert_list_length
);
8377 proto_item_append_text(ti
, " (%d)", cert_list_length
);
8379 /* make this a subtree */
8380 cert_list_tree
= proto_item_add_subtree(ti
, hf
->ett
.hs_ext_cert_types
);
8382 /* loop over all point formats */
8383 while (cert_list_length
> 0)
8385 proto_tree_add_item(cert_list_tree
, hf
->hf
.hs_ext_cert_type
, tvb
, offset
, 1, ENC_BIG_ENDIAN
);
8390 case SSL_HND_SERVER_HELLO
:
8391 case SSL_HND_ENCRYPTED_EXTENSIONS
:
8392 case SSL_HND_CERTIFICATE
:
8393 cert_type
= tvb_get_uint8(tvb
, offset
);
8394 proto_tree_add_item(tree
, hf
->hf
.hs_ext_cert_type
, tvb
, offset
, 1, ENC_BIG_ENDIAN
);
8396 if (ext_type
== SSL_HND_HELLO_EXT_CERT_TYPE
|| ext_type
== SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE
) {
8397 session
->client_cert_type
= cert_type
;
8399 if (ext_type
== SSL_HND_HELLO_EXT_CERT_TYPE
|| ext_type
== SSL_HND_HELLO_EXT_SERVER_CERT_TYPE
) {
8400 session
->server_cert_type
= cert_type
;
8403 default: /* no default */
8411 ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
8412 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
8413 uint8_t hnd_type
, SslDecryptSession
*ssl _U_
)
8415 uint32_t compress_certificate_algorithms_length
, next_offset
;
8417 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
8422 * } CertificateCompressionAlgorithm;
8425 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;
8426 * } CertificateCompressionAlgorithms;
8429 case SSL_HND_CLIENT_HELLO
:
8430 case SSL_HND_CERT_REQUEST
:
8431 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
8432 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &compress_certificate_algorithms_length
,
8433 hf
->hf
.hs_ext_compress_certificate_algorithms_length
, 1, UINT8_MAX
-1)) {
8437 next_offset
= offset
+ compress_certificate_algorithms_length
;
8439 while (offset
< next_offset
) {
8440 proto_tree_add_item(tree
, hf
->hf
.hs_ext_compress_certificate_algorithm
,
8441 tvb
, offset
, 2, ENC_BIG_ENDIAN
);
8453 ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
8454 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
8455 uint8_t hnd_type
, SslDecryptSession
*ssl _U_
)
8457 uint32_t key_parameters_length
, next_offset
;
8466 * } TB_ProtocolVersion;
8469 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
8470 * } TokenBindingKeyParameters;
8473 * TB_ProtocolVersion token_binding_version;
8474 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>
8475 * } TokenBindingParameters;
8479 case SSL_HND_CLIENT_HELLO
:
8480 case SSL_HND_SERVER_HELLO
:
8481 proto_tree_add_item(tree
, hf
->hf
.hs_ext_token_binding_version_major
, tvb
, offset
, 1, ENC_BIG_ENDIAN
);
8483 proto_tree_add_item(tree
, hf
->hf
.hs_ext_token_binding_version_minor
, tvb
, offset
, 1, ENC_BIG_ENDIAN
);
8486 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &key_parameters_length
,
8487 hf
->hf
.hs_ext_token_binding_key_parameters_length
, 1, UINT8_MAX
)) {
8491 next_offset
= offset
+ key_parameters_length
;
8493 p_ti
= proto_tree_add_none_format(tree
,
8494 hf
->hf
.hs_ext_token_binding_key_parameters
,
8495 tvb
, offset
, key_parameters_length
,
8496 "Key parameters identifiers (%d identifier%s)",
8497 key_parameters_length
,
8498 plurality(key_parameters_length
, "", "s"));
8499 p_tree
= proto_item_add_subtree(p_ti
, hf
->ett
.hs_ext_token_binding_key_parameters
);
8501 while (offset
< next_offset
) {
8502 proto_tree_add_item(p_tree
, hf
->hf
.hs_ext_token_binding_key_parameter
,
8503 tvb
, offset
, 1, ENC_BIG_ENDIAN
);
8507 if (!ssl_end_vector(hf
, tvb
, pinfo
, p_tree
, offset
, next_offset
)) {
8508 offset
= next_offset
;
8520 ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
8521 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
8522 uint8_t hnd_type
, SslDecryptSession
*ssl _U_
)
8524 bool use_varint_encoding
= true; // Whether this is draft -27 or newer.
8525 uint32_t next_offset
;
8527 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8529 * Note: the following structures are not literally defined in the spec,
8530 * they instead use an ASCII diagram.
8534 * opaque value<0..2^16-1>;
8535 * } TransportParameter; // before draft -27
8536 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8539 * opaque ipv4Address[4];
8541 * opaque ipv6Address[16];
8543 * opaque connectionId<0..18>;
8544 * opaque statelessResetToken[16];
8545 * } PreferredAddress;
8548 if (offset_end
- offset
>= 6 &&
8549 2 + (unsigned)tvb_get_ntohs(tvb
, offset
) == offset_end
- offset
&&
8550 6 + (unsigned)tvb_get_ntohs(tvb
, offset
+ 4) <= offset_end
- offset
) {
8551 // Assume encoding of Transport Parameters draft -26 or older with at
8552 // least one transport parameter that has a valid length.
8553 use_varint_encoding
= false;
8556 if (use_varint_encoding
) {
8557 next_offset
= offset_end
;
8559 uint32_t quic_length
;
8560 // Assume draft -26 or earlier.
8561 /* TransportParameter TransportParameters<0..2^16-1>; */
8562 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &quic_length
,
8563 hf
->hf
.hs_ext_quictp_len
, 0, UINT16_MAX
)) {
8567 next_offset
= offset
+ quic_length
;
8570 while (offset
< next_offset
) {
8571 uint64_t parameter_type
; /* 62-bit space */
8572 uint32_t parameter_length
;
8573 proto_tree
*parameter_tree
;
8574 uint32_t parameter_end_offset
;
8576 uint32_t len
= 0, i
;
8578 parameter_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, 2, hf
->ett
.hs_ext_quictp_parameter
,
8580 /* TransportParameter ID and Length. */
8581 if (use_varint_encoding
) {
8582 uint64_t parameter_length64
;
8583 uint32_t type_len
= 0;
8585 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_type
,
8586 tvb
, offset
, -1, ENC_VARINT_QUIC
, ¶meter_type
, &type_len
);
8589 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_len
,
8590 tvb
, offset
, -1, ENC_VARINT_QUIC
, ¶meter_length64
, &len
);
8591 parameter_length
= (uint32_t)parameter_length64
;
8594 proto_item_set_len(parameter_tree
, type_len
+ len
+ parameter_length
);
8596 parameter_type
= tvb_get_ntohs(tvb
, offset
);
8597 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_type
,
8598 tvb
, offset
, 2, ENC_BIG_ENDIAN
);
8601 /* opaque value<0..2^16-1> */
8602 if (!ssl_add_vector(hf
, tvb
, pinfo
, parameter_tree
, offset
, next_offset
, ¶meter_length
,
8603 hf
->hf
.hs_ext_quictp_parameter_len_old
, 0, UINT16_MAX
)) {
8608 proto_item_set_len(parameter_tree
, 4 + parameter_length
);
8611 if (IS_GREASE_QUIC(parameter_type
)) {
8612 proto_item_append_text(parameter_tree
, ": GREASE");
8614 proto_item_append_text(parameter_tree
, ": %s", val64_to_str(parameter_type
, quic_transport_parameter_id
, "Unknown 0x%04x"));
8617 proto_item_append_text(parameter_tree
, " (len=%u)", parameter_length
);
8618 parameter_end_offset
= offset
+ parameter_length
;
8620 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_value
,
8621 tvb
, offset
, parameter_length
, ENC_NA
);
8623 switch (parameter_type
) {
8624 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID
:
8625 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_original_destination_connection_id
,
8626 tvb
, offset
, parameter_length
, ENC_NA
);
8627 offset
+= parameter_length
;
8629 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT
:
8630 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_max_idle_timeout
,
8631 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8632 proto_item_append_text(parameter_tree
, " %" PRIu64
" ms", value
);
8635 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN
:
8636 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_stateless_reset_token
,
8637 tvb
, offset
, 16, ENC_BIG_ENDIAN
);
8638 quic_add_stateless_reset_token(pinfo
, tvb
, offset
, NULL
);
8641 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE
:
8642 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_max_udp_payload_size
,
8643 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8644 proto_item_append_text(parameter_tree
, " %" PRIu64
, value
);
8645 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
8648 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA
:
8649 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_initial_max_data
,
8650 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8651 proto_item_append_text(parameter_tree
, " %" PRIu64
, value
);
8654 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL
:
8655 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local
,
8656 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8657 proto_item_append_text(parameter_tree
, " %" PRIu64
, value
);
8660 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE
:
8661 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote
,
8662 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8663 proto_item_append_text(parameter_tree
, " %" PRIu64
, value
);
8666 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI
:
8667 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_initial_max_stream_data_uni
,
8668 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8669 proto_item_append_text(parameter_tree
, " %" PRIu64
, value
);
8672 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI
:
8673 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_initial_max_streams_uni
,
8674 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8675 proto_item_append_text(parameter_tree
, " %" PRIu64
, value
);
8678 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI
:
8679 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_initial_max_streams_bidi
,
8680 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8681 proto_item_append_text(parameter_tree
, " %" PRIu64
, value
);
8684 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT
:
8685 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_ack_delay_exponent
,
8686 tvb
, offset
, -1, ENC_VARINT_QUIC
, NULL
, &len
);
8687 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
8690 case SSL_HND_QUIC_TP_MAX_ACK_DELAY
:
8691 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_max_ack_delay
,
8692 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8693 proto_item_append_text(parameter_tree
, " %" PRIu64
, value
);
8696 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION
:
8699 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS
: {
8700 uint32_t connectionid_length
;
8703 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_pa_ipv4address
,
8704 tvb
, offset
, 4, ENC_BIG_ENDIAN
);
8706 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_pa_ipv4port
,
8707 tvb
, offset
, 2, ENC_BIG_ENDIAN
);
8709 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_pa_ipv6address
,
8710 tvb
, offset
, 16, ENC_NA
);
8712 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_pa_ipv6port
,
8713 tvb
, offset
, 2, ENC_BIG_ENDIAN
);
8715 /* XXX - Should we add these addresses and ports as addresses that the client
8716 * is allowed / expected to migrate the server address to? Right now we don't
8717 * enforce that (see RFC 9000 Section 9, which implies that while the client
8718 * can migrate to whatever address it wants, it can only migrate the server
8719 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
8722 if (!ssl_add_vector(hf
, tvb
, pinfo
, parameter_tree
, offset
, offset_end
, &connectionid_length
,
8723 hf
->hf
.hs_ext_quictp_parameter_pa_connectionid_length
, 0, 20)) {
8728 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_pa_connectionid
,
8729 tvb
, offset
, connectionid_length
, ENC_NA
);
8730 if (connectionid_length
>= 1 && connectionid_length
<= QUIC_MAX_CID_LENGTH
) {
8731 cid
.len
= connectionid_length
;
8732 // RFC 9000 5.1.1 "If the preferred_address transport
8733 // parameter is sent, the sequence number of the supplied
8734 // connection ID is 1."
8736 // Multipath draft-07 "Also, the Path Identifier for the
8737 // connection ID specified in the "preferred address"
8738 // transport parameter is 0."
8740 tvb_memcpy(tvb
, cid
.cid
, offset
, connectionid_length
);
8741 quic_add_connection(pinfo
, &cid
);
8743 offset
+= connectionid_length
;
8745 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_pa_statelessresettoken
,
8746 tvb
, offset
, 16, ENC_NA
);
8747 if (connectionid_length
>= 1 && connectionid_length
<= QUIC_MAX_CID_LENGTH
) {
8748 quic_add_stateless_reset_token(pinfo
, tvb
, offset
, &cid
);
8753 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT
:
8754 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_active_connection_id_limit
,
8755 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8756 proto_item_append_text(parameter_tree
, " %" PRIu64
, value
);
8759 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID
:
8760 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_initial_source_connection_id
,
8761 tvb
, offset
, parameter_length
, ENC_NA
);
8762 offset
+= parameter_length
;
8764 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID
:
8765 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_retry_source_connection_id
,
8766 tvb
, offset
, parameter_length
, ENC_NA
);
8767 offset
+= parameter_length
;
8769 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE
:
8770 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_max_datagram_frame_size
,
8771 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8772 proto_item_append_text(parameter_tree
, " %" PRIu64
, value
);
8775 case SSL_HND_QUIC_TP_CIBIR_ENCODING
:
8776 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_cibir_encoding_length
,
8777 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8778 proto_item_append_text(parameter_tree
, " Length: %" PRIu64
, value
);
8780 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_cibir_encoding_offset
,
8781 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8782 proto_item_append_text(parameter_tree
, ", Offset: %" PRIu64
, value
);
8785 case SSL_HND_QUIC_TP_LOSS_BITS
:
8786 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_loss_bits
,
8787 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8789 quic_add_loss_bits(pinfo
, value
);
8793 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD
:
8794 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V1
:
8795 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT05
:
8796 case SSL_HND_QUIC_TP_MIN_ACK_DELAY
:
8797 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_min_ack_delay
,
8798 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8799 proto_item_append_text(parameter_tree
, " %" PRIu64
, value
);
8802 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT
:
8803 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_google_user_agent_id
,
8804 tvb
, offset
, parameter_length
, ENC_ASCII
|ENC_NA
);
8805 offset
+= parameter_length
;
8807 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED
:
8808 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_google_key_update_not_yet_supported
,
8809 tvb
, offset
, parameter_length
, ENC_NA
);
8810 offset
+= parameter_length
;
8812 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION
:
8813 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_google_quic_version
,
8814 tvb
, offset
, 4, ENC_BIG_ENDIAN
);
8816 if (hnd_type
== SSL_HND_ENCRYPTED_EXTENSIONS
) { /* From server */
8817 uint32_t versions_length
;
8819 proto_tree_add_item_ret_uint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_google_supported_versions_length
,
8820 tvb
, offset
, 1, ENC_NA
, &versions_length
);
8822 for (i
= 0; i
< versions_length
/ 4; i
++) {
8823 quic_proto_tree_add_version(tvb
, parameter_tree
,
8824 hf
->hf
.hs_ext_quictp_parameter_google_supported_version
, offset
);
8829 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT
:
8830 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_google_initial_rtt
,
8831 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8832 proto_item_append_text(parameter_tree
, " %" PRIu64
" us", value
);
8835 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE
:
8836 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_google_support_handshake_done
,
8837 tvb
, offset
, parameter_length
, ENC_NA
);
8838 offset
+= parameter_length
;
8840 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS
:
8841 /* This field was used for non-standard Google-specific parameters encoded as a
8842 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
8843 * parameters. Report it as a bytes blob... */
8844 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_google_quic_params
,
8845 tvb
, offset
, parameter_length
, ENC_NA
);
8846 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
8847 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_google_quic_params_unknown_field
,
8848 tvb
, offset
, 4, ENC_NA
);
8849 dissect_gquic_tags(tvb
, pinfo
, parameter_tree
, offset
+ 4);
8850 offset
+= parameter_length
;
8852 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS
:
8853 proto_tree_add_item(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_google_connection_options
,
8854 tvb
, offset
, parameter_length
, ENC_NA
);
8855 offset
+= parameter_length
;
8857 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP
:
8860 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V2
:
8861 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_enable_time_stamp_v2
,
8862 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8863 offset
+= parameter_length
;
8865 case SSL_HND_QUIC_TP_VERSION_INFORMATION
:
8866 quic_proto_tree_add_version(tvb
, parameter_tree
,
8867 hf
->hf
.hs_ext_quictp_parameter_chosen_version
, offset
);
8869 for (i
= 4; i
< parameter_length
; i
+= 4) {
8870 quic_proto_tree_add_version(tvb
, parameter_tree
,
8871 hf
->hf
.hs_ext_quictp_parameter_other_version
, offset
);
8875 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT
:
8877 quic_add_grease_quic_bit(pinfo
);
8879 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY
:
8880 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_facebook_partial_reliability
,
8881 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8882 offset
+= parameter_length
;
8884 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT04
:
8885 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_enable_multipath
,
8886 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8888 quic_add_multipath(pinfo
, QUIC_MP_NO_PATH_ID
);
8890 offset
+= parameter_length
;
8892 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT05
:
8893 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH
:
8895 quic_add_multipath(pinfo
, QUIC_MP_NO_PATH_ID
);
8897 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS
:
8898 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_initial_max_paths
,
8899 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8901 quic_add_multipath(pinfo
, QUIC_MP_PATH_ID
);
8903 /* multipath draft-07: "The value of the initial_max_paths
8904 * parameter MUST be at least 2." TODO: Expert Info? */
8905 offset
+= parameter_length
;
8907 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT09
:
8908 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID
:
8909 proto_tree_add_item_ret_varint(parameter_tree
, hf
->hf
.hs_ext_quictp_parameter_initial_max_path_id
,
8910 tvb
, offset
, -1, ENC_VARINT_QUIC
, &value
, &len
);
8911 /* multipath draft-09 and later: "If an endpoint receives an
8912 * initial_max_path_id transport parameter with value 0, the
8913 * peer aims to enable the multipath extension without allowing
8914 * extra paths immediately."
8916 quic_add_multipath(pinfo
, QUIC_MP_PATH_ID
);
8917 offset
+= parameter_length
;
8920 offset
+= parameter_length
;
8921 /*TODO display expert info about unknown ? */
8925 if (!ssl_end_vector(hf
, tvb
, pinfo
, parameter_tree
, offset
, parameter_end_offset
)) {
8926 /* Dissection did not end at expected location, fix it. */
8927 offset
= parameter_end_offset
;
8935 ssl_dissect_hnd_hello_common(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
8936 proto_tree
*tree
, uint32_t offset
,
8937 SslSession
*session
, SslDecryptSession
*ssl
,
8938 bool from_server
, bool is_hrr
)
8940 uint8_t sessid_length
;
8942 proto_tree
*rnd_tree
;
8944 proto_tree
*ech_confirm_tree
;
8945 uint8_t draft_version
= session
->tls13_draft_version
;
8950 rnd
= &ssl
->server_random
;
8952 rnd
= &ssl
->client_random
;
8954 /* save provided random for later keyring generation */
8955 tvb_memcpy(tvb
, rnd
->data
, offset
, 32);
8958 ssl
->state
|= SSL_SERVER_RANDOM
;
8960 ssl
->state
|= SSL_CLIENT_RANDOM
;
8961 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC
,
8962 from_server
? "SERVER" : "CLIENT", ssl
->state
);
8965 if (!from_server
&& session
->client_random
.data_len
== 0) {
8966 session
->client_random
.data_len
= 32;
8967 tvb_memcpy(tvb
, session
->client_random
.data
, offset
, 32);
8970 ti_rnd
= proto_tree_add_item(tree
, hf
->hf
.hs_random
, tvb
, offset
, 32, ENC_NA
);
8972 if ((session
->version
!= TLSV1DOT3_VERSION
) && (session
->version
!= DTLSV1DOT3_VERSION
)) { /* No time on first bytes random with TLS 1.3 */
8974 rnd_tree
= proto_item_add_subtree(ti_rnd
, hf
->ett
.hs_random
);
8976 proto_tree_add_item(rnd_tree
, hf
->hf
.hs_random_time
,
8977 tvb
, offset
, 4, ENC_TIME_SECS
|ENC_BIG_ENDIAN
);
8980 /* show the random bytes */
8981 proto_tree_add_item(rnd_tree
, hf
->hf
.hs_random_bytes
,
8982 tvb
, offset
, 28, ENC_NA
);
8986 proto_item_append_text(ti_rnd
, " (HelloRetryRequest magic)");
8987 } else if (from_server
&& session
->ech
) {
8988 ech_confirm_tree
= proto_item_add_subtree(ti_rnd
, hf
->ett
.hs_random
);
8989 proto_tree_add_item(ech_confirm_tree
, hf
->hf
.hs_ech_confirm
, tvb
, offset
+ 24, 8, ENC_NA
);
8990 ti
= proto_tree_add_bytes_with_length(ech_confirm_tree
, hf
->hf
.hs_ech_confirm_compute
, tvb
, offset
+ 24, 0,
8991 session
->ech_confirmation
, 8);
8992 proto_item_set_generated(ti
);
8993 if (memcmp(session
->ech_confirmation
, tvb_get_ptr(tvb
, offset
+24, 8), 8)) {
8994 expert_add_info(pinfo
, ti
, &hf
->ei
.ech_rejected
);
8996 expert_add_info(pinfo
, ti
, &hf
->ei
.ech_accepted
);
9003 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
9004 if (from_server
== 0 || !(session
->version
== TLSV1DOT3_VERSION
&& draft_version
> 0 && draft_version
< 22)) {
9005 /* show the session id (length followed by actual Session ID) */
9006 sessid_length
= tvb_get_uint8(tvb
, offset
);
9007 proto_tree_add_item(tree
, hf
->hf
.hs_session_id_len
,
9008 tvb
, offset
, 1, ENC_BIG_ENDIAN
);
9012 /* save the authoritative SID for later use in ChangeCipherSpec.
9013 * (D)TLS restricts the SID to 32 chars, it does not make sense to
9014 * save more, so ignore larger ones. */
9015 if (from_server
&& sessid_length
<= 32) {
9016 tvb_memcpy(tvb
, ssl
->session_id
.data
, offset
, sessid_length
);
9017 ssl
->session_id
.data_len
= sessid_length
;
9020 if (sessid_length
> 0) {
9021 proto_tree_add_item(tree
, hf
->hf
.hs_session_id
,
9022 tvb
, offset
, sessid_length
, ENC_NA
);
9023 offset
+= sessid_length
;
9031 ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
9032 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
9035 /* TLS 1.2/1.3 status_request Client Hello Extension.
9036 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
9037 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
9038 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
9040 * CertificateStatusType status_type;
9041 * uint16 request_length; // for status_request_v2
9042 * select (status_type) {
9043 * case ocsp: OCSPStatusRequest;
9044 * case ocsp_multi: OCSPStatusRequest;
9046 * } CertificateStatusRequest; // CertificateStatusRequestItemV2
9048 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
9050 * ResponderID responder_id_list<0..2^16-1>;
9051 * Extensions request_extensions;
9052 * } OCSPStatusRequest;
9053 * opaque ResponderID<1..2^16-1>;
9054 * opaque Extensions<0..2^16-1>;
9056 unsigned cert_status_type
;
9058 cert_status_type
= tvb_get_uint8(tvb
, offset
);
9059 proto_tree_add_item(tree
, hf
->hf
.hs_ext_cert_status_type
,
9060 tvb
, offset
, 1, ENC_NA
);
9064 proto_tree_add_item(tree
, hf
->hf
.hs_ext_cert_status_request_len
,
9065 tvb
, offset
, 2, ENC_BIG_ENDIAN
);
9069 switch (cert_status_type
) {
9070 case SSL_HND_CERT_STATUS_TYPE_OCSP
:
9071 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI
:
9073 uint32_t responder_id_list_len
;
9074 uint32_t request_extensions_len
;
9076 /* ResponderID responder_id_list<0..2^16-1> */
9077 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &responder_id_list_len
,
9078 hf
->hf
.hs_ext_cert_status_responder_id_list_len
, 0, UINT16_MAX
)) {
9082 if (responder_id_list_len
!= 0) {
9083 proto_tree_add_expert_format(tree
, pinfo
, &hf
->ei
.hs_ext_cert_status_undecoded
,
9084 tvb
, offset
, responder_id_list_len
,
9085 "Responder ID list is not implemented, contact Wireshark"
9086 " developers if you want this to be supported");
9088 offset
+= responder_id_list_len
;
9090 /* opaque Extensions<0..2^16-1> */
9091 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &request_extensions_len
,
9092 hf
->hf
.hs_ext_cert_status_request_extensions_len
, 0, UINT16_MAX
)) {
9096 if (request_extensions_len
!= 0) {
9097 proto_tree_add_expert_format(tree
, pinfo
, &hf
->ei
.hs_ext_cert_status_undecoded
,
9098 tvb
, offset
, request_extensions_len
,
9099 "Request Extensions are not implemented, contact"
9100 " Wireshark developers if you want this to be supported");
9102 offset
+= request_extensions_len
;
9111 ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
9112 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
)
9114 /* https://tools.ietf.org/html/rfc6961#section-2.2
9116 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
9117 * } CertificateStatusRequestListV2;
9119 uint32_t req_list_length
, next_offset
;
9121 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
9122 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &req_list_length
,
9123 hf
->hf
.hs_ext_cert_status_request_list_len
, 1, UINT16_MAX
)) {
9127 next_offset
= offset
+ req_list_length
;
9129 while (offset
< next_offset
) {
9130 offset
= ssl_dissect_hnd_hello_ext_status_request(hf
, tvb
, pinfo
, tree
, offset
, next_offset
, true);
9137 tls_dissect_ocsp_response(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
,
9138 uint32_t offset
, uint32_t offset_end
)
9140 uint32_t response_length
;
9141 proto_item
*ocsp_resp
;
9142 proto_tree
*ocsp_resp_tree
;
9143 asn1_ctx_t asn1_ctx
;
9145 /* opaque OCSPResponse<1..2^24-1>; */
9146 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &response_length
,
9147 hf
->hf
.hs_ocsp_response_len
, 1, G_MAXUINT24
)) {
9152 ocsp_resp
= proto_tree_add_item(tree
, proto_ocsp
, tvb
, offset
,
9153 response_length
, ENC_BIG_ENDIAN
);
9154 proto_item_set_text(ocsp_resp
, "OCSP Response");
9155 ocsp_resp_tree
= proto_item_add_subtree(ocsp_resp
, hf
->ett
.ocsp_response
);
9156 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp
))) {
9157 asn1_ctx_init(&asn1_ctx
, ASN1_ENC_BER
, true, pinfo
);
9158 dissect_ocsp_OCSPResponse(false, tvb
, offset
, &asn1_ctx
, ocsp_resp_tree
, -1);
9160 offset
+= response_length
;
9166 tls_dissect_hnd_certificate_status(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
9167 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
)
9169 /* TLS 1.2 "CertificateStatus" handshake message.
9170 * TLS 1.3 "status_request" Certificate extension.
9172 * CertificateStatusType status_type;
9173 * select (status_type) {
9174 * case ocsp: OCSPResponse;
9175 * case ocsp_multi: OCSPResponseList; // status_request_v2
9177 * } CertificateStatus;
9178 * opaque OCSPResponse<1..2^24-1>;
9180 * OCSPResponse ocsp_response_list<1..2^24-1>;
9181 * } OCSPResponseList; // status_request_v2
9183 uint32_t status_type
, resp_list_length
, next_offset
;
9185 proto_tree_add_item_ret_uint(tree
, hf
->hf
.hs_ext_cert_status_type
,
9186 tvb
, offset
, 1, ENC_BIG_ENDIAN
, &status_type
);
9189 switch (status_type
) {
9190 case SSL_HND_CERT_STATUS_TYPE_OCSP
:
9191 offset
= tls_dissect_ocsp_response(hf
, tvb
, pinfo
, tree
, offset
, offset_end
);
9194 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI
:
9195 /* OCSPResponse ocsp_response_list<1..2^24-1> */
9196 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &resp_list_length
,
9197 hf
->hf
.hs_ocsp_response_list_len
, 1, G_MAXUINT24
)) {
9201 next_offset
= offset
+ resp_list_length
;
9203 while (offset
< next_offset
) {
9204 offset
= tls_dissect_ocsp_response(hf
, tvb
, pinfo
, tree
, offset
, next_offset
);
9213 ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
9214 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
9217 /* RFC 8446 Section 4.2.7
9218 * enum { ..., (0xFFFF) } NamedGroup;
9220 * NamedGroup named_group_list<2..2^16-1>
9223 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
9224 * the extension itself from "elliptic_curves" to "supported_groups".
9226 uint32_t groups_length
, next_offset
;
9227 proto_tree
*groups_tree
;
9229 char *ja3_dash
= "";
9231 /* NamedGroup named_group_list<2..2^16-1> */
9232 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &groups_length
,
9233 hf
->hf
.hs_ext_supported_groups_len
, 2, UINT16_MAX
)) {
9237 next_offset
= offset
+ groups_length
;
9239 ti
= proto_tree_add_none_format(tree
,
9240 hf
->hf
.hs_ext_supported_groups
,
9241 tvb
, offset
, groups_length
,
9242 "Supported Groups (%d group%s)",
9244 plurality(groups_length
/2, "", "s"));
9246 /* make this a subtree */
9247 groups_tree
= proto_item_add_subtree(ti
, hf
->ett
.hs_ext_groups
);
9250 wmem_strbuf_append_c(ja3
, ',');
9252 /* loop over all groups */
9253 while (offset
+ 2 <= offset_end
) {
9254 uint32_t ext_supported_group
;
9256 proto_tree_add_item_ret_uint(groups_tree
, hf
->hf
.hs_ext_supported_group
, tvb
, offset
, 2,
9257 ENC_BIG_ENDIAN
, &ext_supported_group
);
9259 if (ja3
&& !IS_GREASE_TLS(ext_supported_group
)) {
9260 wmem_strbuf_append_printf(ja3
, "%s%i",ja3_dash
, ext_supported_group
);
9264 if (!ssl_end_vector(hf
, tvb
, pinfo
, groups_tree
, offset
, next_offset
)) {
9265 offset
= next_offset
;
9272 ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
9273 proto_tree
*tree
, uint32_t offset
, wmem_strbuf_t
*ja3
)
9275 uint8_t ecpf_length
;
9276 proto_tree
*ecpf_tree
;
9279 ecpf_length
= tvb_get_uint8(tvb
, offset
);
9280 proto_tree_add_item(tree
, hf
->hf
.hs_ext_ec_point_formats_len
,
9281 tvb
, offset
, 1, ENC_BIG_ENDIAN
);
9284 ti
= proto_tree_add_none_format(tree
,
9285 hf
->hf
.hs_ext_ec_point_formats
,
9286 tvb
, offset
, ecpf_length
,
9287 "Elliptic curves point formats (%d)",
9290 /* make this a subtree */
9291 ecpf_tree
= proto_item_add_subtree(ti
, hf
->ett
.hs_ext_curves_point_formats
);
9294 wmem_strbuf_append_c(ja3
, ',');
9297 /* loop over all point formats */
9298 while (ecpf_length
> 0)
9300 uint32_t ext_ec_point_format
;
9302 proto_tree_add_item_ret_uint(ecpf_tree
, hf
->hf
.hs_ext_ec_point_format
, tvb
, offset
, 1,
9303 ENC_BIG_ENDIAN
, &ext_ec_point_format
);
9307 wmem_strbuf_append_printf(ja3
, "%i", ext_ec_point_format
);
9308 if (ecpf_length
> 0) {
9309 wmem_strbuf_append_c(ja3
, '-');
9318 ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
9319 packet_info
*pinfo
, proto_tree
*tree
,
9320 uint32_t offset
, uint32_t next_offset
)
9322 /* https://tools.ietf.org/html/rfc5054#section-2.8.1
9323 * opaque srp_I<1..2^8-1>;
9325 uint32_t username_len
;
9327 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, next_offset
, &username_len
,
9328 hf
->hf
.hs_ext_srp_len
, 1, UINT8_MAX
)) {
9333 proto_tree_add_item(tree
, hf
->hf
.hs_ext_srp_username
,
9334 tvb
, offset
, username_len
, ENC_UTF_8
|ENC_NA
);
9335 offset
+= username_len
;
9341 tls_dissect_sct(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
,
9342 uint32_t offset
, uint32_t offset_end
, uint16_t version
)
9344 /* https://tools.ietf.org/html/rfc6962#section-3.2
9345 * enum { v1(0), (255) } Version;
9347 * opaque key_id[32];
9349 * opaque CtExtensions<0..2^16-1>;
9351 * Version sct_version;
9354 * CtExtensions extensions;
9355 * digitally-signed struct { ... };
9356 * } SignedCertificateTimestamp;
9358 uint32_t sct_version
;
9359 uint64_t sct_timestamp_ms
;
9360 nstime_t sct_timestamp
;
9362 const char *log_name
;
9364 proto_tree_add_item_ret_uint(tree
, hf
->hf
.sct_sct_version
, tvb
, offset
, 1, ENC_NA
, &sct_version
);
9366 if (sct_version
!= 0) {
9367 // TODO expert info about unknown SCT version?
9370 proto_tree_add_item(tree
, hf
->hf
.sct_sct_logid
, tvb
, offset
, 32, ENC_BIG_ENDIAN
);
9371 log_name
= bytesval_to_str(tvb_get_ptr(tvb
, offset
, 32), 32, ct_logids
, "Unknown Log");
9372 proto_item_append_text(tree
, " (%s)", log_name
);
9374 sct_timestamp_ms
= tvb_get_ntoh64(tvb
, offset
);
9375 sct_timestamp
.secs
= (time_t)(sct_timestamp_ms
/ 1000);
9376 sct_timestamp
.nsecs
= (int)((sct_timestamp_ms
% 1000) * 1000000);
9377 proto_tree_add_time(tree
, hf
->hf
.sct_sct_timestamp
, tvb
, offset
, 8, &sct_timestamp
);
9379 /* opaque CtExtensions<0..2^16-1> */
9380 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &exts_len
,
9381 hf
->hf
.sct_sct_extensions_length
, 0, UINT16_MAX
)) {
9386 proto_tree_add_item(tree
, hf
->hf
.sct_sct_extensions
, tvb
, offset
, exts_len
, ENC_BIG_ENDIAN
);
9389 offset
= ssl_dissect_digitally_signed(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, version
,
9390 hf
->hf
.sct_sct_signature_length
,
9391 hf
->hf
.sct_sct_signature
);
9396 tls_dissect_sct_list(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
,
9397 uint32_t offset
, uint32_t offset_end
, uint16_t version
)
9399 /* https://tools.ietf.org/html/rfc6962#section-3.3
9400 * opaque SerializedSCT<1..2^16-1>;
9402 * SerializedSCT sct_list <1..2^16-1>;
9403 * } SignedCertificateTimestampList;
9405 uint32_t list_length
, sct_length
, next_offset
;
9406 proto_tree
*subtree
;
9408 /* SerializedSCT sct_list <1..2^16-1> */
9409 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &list_length
,
9410 hf
->hf
.sct_scts_length
, 1, UINT16_MAX
)) {
9415 while (offset
< offset_end
) {
9416 subtree
= proto_tree_add_subtree(tree
, tvb
, offset
, 2, hf
->ett
.sct
, NULL
, "Signed Certificate Timestamp");
9418 /* opaque SerializedSCT<1..2^16-1> */
9419 if (!ssl_add_vector(hf
, tvb
, pinfo
, subtree
, offset
, offset_end
, &sct_length
,
9420 hf
->hf
.sct_sct_length
, 1, UINT16_MAX
)) {
9424 next_offset
= offset
+ sct_length
;
9425 proto_item_set_len(subtree
, 2 + sct_length
);
9426 offset
= tls_dissect_sct(hf
, tvb
, pinfo
, subtree
, offset
, next_offset
, version
);
9427 if (!ssl_end_vector(hf
, tvb
, pinfo
, subtree
, offset
, next_offset
)) {
9428 offset
= next_offset
;
9436 dissect_ech_hpke_cipher_suite(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo _U_
,
9437 proto_tree
*tree
, uint32_t offset
)
9439 uint32_t kdf_id
, aead_id
;
9441 proto_tree
*cs_tree
;
9443 cs_ti
= proto_tree_add_item(tree
, hf
->hf
.ech_hpke_keyconfig_cipher_suite
,
9444 tvb
, offset
, 4, ENC_NA
);
9445 cs_tree
= proto_item_add_subtree(cs_ti
, hf
->ett
.ech_hpke_cipher_suite
);
9447 proto_tree_add_item_ret_uint(cs_tree
, hf
->hf
.ech_hpke_keyconfig_cipher_suite_kdf_id
,
9448 tvb
, offset
, 2, ENC_BIG_ENDIAN
, &kdf_id
);
9450 proto_tree_add_item_ret_uint(cs_tree
, hf
->hf
.ech_hpke_keyconfig_cipher_suite_aead_id
,
9451 tvb
, offset
, 2, ENC_BIG_ENDIAN
, &aead_id
);
9454 proto_item_append_text(cs_ti
, ": %s/%s",
9455 val_to_str_const(kdf_id
, kdf_id_type_vals
, "Unknown"),
9456 val_to_str_const(aead_id
, aead_id_type_vals
, "Unknown"));
9461 dissect_ech_hpke_key_config(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
9462 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
9463 uint32_t *config_id
)
9465 uint32_t length
, cipher_suite_length
;
9466 proto_item
*kc_ti
, *css_ti
;
9467 proto_tree
*kc_tree
, *css_tree
;
9468 uint32_t original_offset
= offset
, next_offset
;
9470 kc_ti
= proto_tree_add_item(tree
, hf
->hf
.ech_hpke_keyconfig
,
9471 tvb
, offset
, -1, ENC_NA
);
9472 kc_tree
= proto_item_add_subtree(kc_ti
, hf
->ett
.ech_hpke_keyconfig
);
9474 proto_tree_add_item_ret_uint(kc_tree
, hf
->hf
.ech_hpke_keyconfig_config_id
,
9475 tvb
, offset
, 1, ENC_BIG_ENDIAN
, config_id
);
9477 proto_tree_add_item(kc_tree
, hf
->hf
.ech_hpke_keyconfig_kem_id
,
9478 tvb
, offset
, 2, ENC_BIG_ENDIAN
);
9480 proto_tree_add_item_ret_uint(kc_tree
, hf
->hf
.ech_hpke_keyconfig_public_key_length
,
9481 tvb
, offset
, 2, ENC_BIG_ENDIAN
, &length
);
9483 proto_tree_add_item(kc_tree
, hf
->hf
.ech_hpke_keyconfig_public_key
,
9484 tvb
, offset
, length
, ENC_NA
);
9487 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
9488 if (!ssl_add_vector(hf
, tvb
, pinfo
, kc_tree
, offset
, offset_end
, &cipher_suite_length
,
9489 hf
->hf
.ech_hpke_keyconfig_cipher_suites_length
, 4, UINT16_MAX
- 3)) {
9493 next_offset
= offset
+ cipher_suite_length
;
9495 css_ti
= proto_tree_add_none_format(kc_tree
,
9496 hf
->hf
.ech_hpke_keyconfig_cipher_suites
,
9497 tvb
, offset
, cipher_suite_length
,
9498 "Cipher Suites (%d suite%s)",
9499 cipher_suite_length
/ 4,
9500 plurality(cipher_suite_length
/ 4, "", "s"));
9501 css_tree
= proto_item_add_subtree(css_ti
, hf
->ett
.ech_hpke_cipher_suites
);
9504 while (offset
+ 4 <= next_offset
) {
9505 offset
= dissect_ech_hpke_cipher_suite(hf
, tvb
, pinfo
, css_tree
, offset
);
9508 if (!ssl_end_vector(hf
, tvb
, pinfo
, css_tree
, offset
, next_offset
)) {
9509 offset
= next_offset
;
9512 proto_item_set_len(kc_ti
, offset
- original_offset
);
9518 dissect_ech_echconfig_contents(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
9519 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
9520 const uint8_t **public_name
, uint32_t *config_id
)
9522 uint32_t public_name_length
, extensions_length
, next_offset
;
9524 offset
= dissect_ech_hpke_key_config(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, config_id
);
9525 proto_tree_add_item(tree
, hf
->hf
.ech_echconfigcontents_maximum_name_length
,
9526 tvb
, offset
, 1, ENC_BIG_ENDIAN
);
9528 proto_tree_add_item_ret_uint(tree
, hf
->hf
.ech_echconfigcontents_public_name_length
,
9529 tvb
, offset
, 1, ENC_BIG_ENDIAN
, &public_name_length
);
9531 proto_tree_add_item_ret_string(tree
, hf
->hf
.ech_echconfigcontents_public_name
,
9532 tvb
, offset
, public_name_length
, ENC_ASCII
, pinfo
->pool
, public_name
);
9533 offset
+= public_name_length
;
9535 /* Extension extensions<0..2^16-1>; */
9536 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &extensions_length
,
9537 hf
->hf
.ech_echconfigcontents_extensions_length
, 0, UINT16_MAX
)) {
9541 next_offset
= offset
+ extensions_length
;
9543 if (extensions_length
> 0) {
9544 proto_tree_add_item(tree
, hf
->hf
.ech_echconfigcontents_extensions
,
9545 tvb
, offset
, extensions_length
, ENC_NA
);
9547 offset
+= extensions_length
;
9549 if (!ssl_end_vector(hf
, tvb
, pinfo
, tree
, offset
, next_offset
)) {
9550 offset
= next_offset
;
9557 dissect_ech_echconfig(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
9558 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
)
9560 uint32_t version
, length
;
9562 proto_tree
*ech_tree
;
9563 const uint8_t *public_name
= NULL
;
9564 uint32_t config_id
= 0;
9566 ech_ti
= proto_tree_add_item(tree
, hf
->hf
.ech_echconfig
, tvb
, offset
, -1, ENC_NA
);
9567 ech_tree
= proto_item_add_subtree(ech_ti
, hf
->ett
.ech_echconfig
);
9569 proto_tree_add_item_ret_uint(ech_tree
, hf
->hf
.ech_echconfig_version
,
9570 tvb
, offset
, 2, ENC_BIG_ENDIAN
, &version
);
9572 proto_tree_add_item_ret_uint(ech_tree
, hf
->hf
.ech_echconfig_length
,
9573 tvb
, offset
, 2, ENC_BIG_ENDIAN
, &length
);
9576 proto_item_set_len(ech_ti
, 4 + length
);
9580 dissect_ech_echconfig_contents(hf
, tvb
, pinfo
, ech_tree
, offset
, offset_end
, &public_name
, &config_id
);
9581 proto_item_append_text(ech_ti
, ": id=%d %s", config_id
, public_name
);
9585 expert_add_info_format(pinfo
, ech_ti
, &hf
->ei
.ech_echconfig_invalid_version
, "Unsupported/unknown ECHConfig version 0x%x", version
);
9592 ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
9593 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
)
9595 uint32_t echconfiglist_length
, next_offset
;
9597 /* ECHConfig ECHConfigList<1..2^16-1>; */
9598 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &echconfiglist_length
,
9599 hf
->hf
.ech_echconfiglist_length
, 1, UINT16_MAX
)) {
9603 next_offset
= offset
+ echconfiglist_length
;
9605 while (offset
< next_offset
) {
9606 offset
+= dissect_ech_echconfig(hf
, tvb
, pinfo
, tree
, offset
, offset_end
);
9609 if (!ssl_end_vector(hf
, tvb
, pinfo
, tree
, offset
, next_offset
)) {
9610 offset
= next_offset
;
9617 ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
,
9618 uint32_t offset
, uint32_t offset_end
)
9620 uint32_t ext_length
, next_offset
;
9621 proto_tree
*ext_tree
;
9624 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &ext_length
,
9625 hf
->hf
.hs_ext_ech_outer_ext_len
, 2, G_MAXUINT8
)) {
9629 next_offset
= offset
+ ext_length
;
9631 ti
= proto_tree_add_none_format(tree
,
9632 hf
->hf
.hs_ext_ech_outer_ext
,
9633 tvb
, offset
, ext_length
,
9634 "Outer Extensions (%d extension%s)",
9636 plurality(ext_length
/2, "", "s"));
9638 ext_tree
= proto_item_add_subtree(ti
, hf
->ett
.hs_ext
);
9640 while (offset
+ 2 <= offset_end
) {
9641 proto_tree_add_item(ext_tree
, hf
->hf
.hs_ext_type
, tvb
, offset
, 2, ENC_BIG_ENDIAN
);
9645 if (!ssl_end_vector(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
)) {
9646 offset
= next_offset
;
9653 // NOLINTNEXTLINE(misc-no-recursion)
9654 ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
9655 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
9656 uint8_t hnd_type
, SslSession
*session
, SslDecryptSession
*ssl
, ssl_master_key_map_t
*mk_map
,
9657 uint32_t initial_offset
, uint32_t hello_length
)
9659 uint32_t ch_type
, length
;
9660 proto_item
*ti
, *payload_ti
;
9661 proto_tree
*retry_tree
, *payload_tree
;
9664 case SSL_HND_CLIENT_HELLO
:
9666 * enum { outer(0), inner(1) } ECHClientHelloType;
9669 * ECHClientHelloType type;
9670 * select (ECHClientHello.type) {
9672 * HpkeSymmetricCipherSuite cipher_suite;
9674 * opaque enc<0..2^16-1>;
9675 * opaque payload<1..2^16-1>;
9682 proto_tree_add_item_ret_uint(tree
, hf
->hf
.ech_clienthello_type
, tvb
, offset
, 1, ENC_BIG_ENDIAN
, &ch_type
);
9686 if (ssl
&& session
->first_ch_ech_frame
== 0) {
9687 session
->first_ch_ech_frame
= pinfo
->num
;
9689 offset
= dissect_ech_hpke_cipher_suite(hf
, tvb
, pinfo
, tree
, offset
);
9690 uint16_t kdf_id
= tvb_get_ntohs(tvb
, offset
- 4);
9691 uint16_t aead_id
= tvb_get_ntohs(tvb
, offset
- 2);
9693 proto_tree_add_item(tree
, hf
->hf
.ech_config_id
, tvb
, offset
, 1, ENC_BIG_ENDIAN
);
9694 uint8_t config_id
= tvb_get_uint8(tvb
, offset
);
9696 proto_tree_add_item_ret_uint(tree
, hf
->hf
.ech_enc_length
, tvb
, offset
, 2, ENC_BIG_ENDIAN
, &length
);
9698 proto_tree_add_item(tree
, hf
->hf
.ech_enc
, tvb
, offset
, length
, ENC_NA
);
9700 proto_tree_add_item_ret_uint(tree
, hf
->hf
.ech_payload_length
, tvb
, offset
, 2, ENC_BIG_ENDIAN
, &length
);
9702 payload_ti
= proto_tree_add_item(tree
, hf
->hf
.ech_payload
, tvb
, offset
, length
, ENC_NA
);
9708 if (session
->client_random
.data_len
== 0) {
9709 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC
);
9712 StringInfo
*ech_secret
= (StringInfo
*)g_hash_table_lookup(mk_map
->ech_secret
, &session
->client_random
);
9713 StringInfo
*ech_config
= (StringInfo
*)g_hash_table_lookup(mk_map
->ech_config
, &session
->client_random
);
9714 if (!ech_secret
|| !ech_config
) {
9715 ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
9720 if (hpke_hkdf_len(kdf_id
) == 0) {
9721 ssl_debug_printf("Unsupported KDF\n");
9725 if (hpke_aead_key_len(aead_id
) == 0) {
9726 ssl_debug_printf("Unsupported AEAD\n");
9730 size_t aead_nonce_len
= hpke_aead_nonce_len(aead_id
);
9732 uint16_t version
= GUINT16_FROM_BE(*(uint16_t *)ech_config
->data
);
9733 if (version
!= SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO
) {
9734 ssl_debug_printf("Unexpected version in ECH Config\n");
9737 uint32_t ech_config_offset
= 2;
9738 if (GUINT16_FROM_BE(*(uint16_t *)(ech_config
->data
+ ech_config_offset
)) != ech_config
->data_len
- 4) {
9739 ssl_debug_printf("Malformed ECH Config, invalid length\n");
9742 ech_config_offset
+= 2;
9743 if (*(ech_config
->data
+ ech_config_offset
) != config_id
) {
9744 ssl_debug_printf("ECH Config version mismatch\n");
9747 ech_config_offset
+= 1;
9748 uint16_t kem_id_be
= *(uint16_t *)(ech_config
->data
+ ech_config_offset
);
9749 uint16_t kem_id
= GUINT16_FROM_BE(kem_id_be
);
9750 uint8_t suite_id
[HPKE_SUIT_ID_LEN
];
9751 hpke_suite_id(kem_id
, kdf_id
, aead_id
, suite_id
);
9752 GByteArray
*info
= g_byte_array_new();
9753 g_byte_array_append(info
, "tls ech", 8);
9754 g_byte_array_append(info
, ech_config
->data
, ech_config
->data_len
);
9755 uint8_t key
[AEAD_MAX_KEY_LENGTH
];
9756 uint8_t base_nonce
[HPKE_AEAD_NONCE_LENGTH
];
9757 if (hpke_key_schedule(kdf_id
, aead_id
, ech_secret
->data
, ech_secret
->data_len
, suite_id
, info
->data
, info
->len
, HPKE_MODE_BASE
,
9759 g_byte_array_free(info
, TRUE
);
9762 g_byte_array_free(info
, TRUE
);
9763 gcry_cipher_hd_t cipher
;
9764 if (hpke_setup_aead(&cipher
, aead_id
, key
) ||
9765 hpke_set_nonce(cipher
, !session
->hrr_ech_declined
&& pinfo
->num
> session
->first_ch_ech_frame
, base_nonce
, aead_nonce_len
)) {
9766 gcry_cipher_close(cipher
);
9769 const uint8_t *payload
= tvb_get_ptr(tvb
, offset
- length
, length
);
9770 uint8_t *ech_aad
= (uint8_t *)wmem_alloc(NULL
, hello_length
);
9771 tvb_memcpy(tvb
, ech_aad
, initial_offset
, hello_length
);
9772 memset(ech_aad
+ offset
- length
- initial_offset
, 0, length
);
9773 if (gcry_cipher_authenticate(cipher
, ech_aad
, hello_length
)) {
9774 gcry_cipher_close(cipher
);
9775 wmem_free(NULL
, ech_aad
);
9778 wmem_free(NULL
, ech_aad
);
9779 uint8_t *ech_decrypted_data
= (uint8_t *)wmem_alloc(pinfo
->pool
, length
- 16);
9780 if (gcry_cipher_decrypt(cipher
, ech_decrypted_data
, length
- 16, payload
, length
- 16)) {
9781 gcry_cipher_close(cipher
);
9784 guchar ech_auth_tag_calc
[16];
9785 if (gcry_cipher_gettag(cipher
, ech_auth_tag_calc
, 16)) {
9786 gcry_cipher_close(cipher
);
9789 if (ssl
&& !session
->hrr_ech_declined
&& session
->first_ch_ech_frame
== pinfo
->num
)
9790 memcpy(session
->first_ech_auth_tag
, ech_auth_tag_calc
, 16);
9791 gcry_cipher_close(cipher
);
9792 if (memcmp(pinfo
->num
> session
->first_ch_ech_frame
? ech_auth_tag_calc
: session
->first_ech_auth_tag
,
9793 payload
+ length
- 16, 16)) {
9794 ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC
);
9796 payload_tree
= proto_item_add_subtree(payload_ti
, hf
->ett
.ech_decrypt
);
9797 tvbuff_t
*ech_tvb
= tvb_new_child_real_data(tvb
, ech_decrypted_data
, length
- 16, length
- 16);
9798 add_new_data_source(pinfo
, ech_tvb
, "Client Hello Inner");
9800 tvb_memcpy(ech_tvb
, ssl
->client_random
.data
, 2, 32);
9801 uint32_t len_offset
= ssl
->ech_transcript
.data_len
;
9802 if (ssl
->ech_transcript
.data_len
> 0)
9803 ssl
->ech_transcript
.data
= (guchar
*)wmem_realloc(wmem_file_scope(), ssl
->ech_transcript
.data
,
9804 ssl
->ech_transcript
.data_len
+ hello_length
+ 4);
9806 ssl
->ech_transcript
.data
= (guchar
*)wmem_alloc(wmem_file_scope(), hello_length
+ 4);
9807 ssl
->ech_transcript
.data
[ssl
->ech_transcript
.data_len
] = SSL_HND_CLIENT_HELLO
;
9808 ssl
->ech_transcript
.data
[ssl
->ech_transcript
.data_len
+ 1] = 0;
9809 tvb_memcpy(ech_tvb
, ssl
->ech_transcript
.data
+ ssl
->ech_transcript
.data_len
+ 4, 0, 34);
9810 ssl
->ech_transcript
.data_len
+= 38;
9811 tvb_memcpy(tvb
, ssl
->ech_transcript
.data
+ ssl
->ech_transcript
.data_len
, initial_offset
+ 34,
9812 tvb_get_uint8(tvb
, initial_offset
+ 34) + 1);
9813 ssl
->ech_transcript
.data_len
+= tvb_get_uint8(tvb
, initial_offset
+ 34) + 1;
9814 uint32_t ech_offset
= 35 + tvb_get_uint8(ech_tvb
, 34);
9815 tvb_memcpy(ech_tvb
, ssl
->ech_transcript
.data
+ ssl
->ech_transcript
.data_len
, ech_offset
,
9816 2 + tvb_get_ntohs(ech_tvb
, ech_offset
));
9817 ssl
->ech_transcript
.data_len
+= 2 + tvb_get_ntohs(ech_tvb
, ech_offset
);
9818 ech_offset
+= 2 + tvb_get_ntohs(ech_tvb
, ech_offset
);
9819 tvb_memcpy(ech_tvb
, ssl
->ech_transcript
.data
+ ssl
->ech_transcript
.data_len
, ech_offset
,
9820 1 + tvb_get_uint8(ech_tvb
, ech_offset
));
9821 ssl
->ech_transcript
.data_len
+= 1 + tvb_get_uint8(ech_tvb
, ech_offset
);
9822 ech_offset
+= 1 + tvb_get_uint8(ech_tvb
, ech_offset
);
9823 uint32_t ech_extensions_len_offset
= ssl
->ech_transcript
.data_len
;
9824 ssl
->ech_transcript
.data_len
+= 2;
9825 uint16_t extensions_end
= ech_offset
+ tvb_get_ntohs(ech_tvb
, ech_offset
) + 2;
9827 while (extensions_end
- ech_offset
>= 4) {
9828 if (tvb_get_ntohs(ech_tvb
, ech_offset
) != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS
) {
9829 tvb_memcpy(ech_tvb
, ssl
->ech_transcript
.data
+ ssl
->ech_transcript
.data_len
, ech_offset
,
9830 4 + tvb_get_ntohs(ech_tvb
, ech_offset
+ 2));
9831 ssl
->ech_transcript
.data_len
+= 4 + tvb_get_ntohs(ech_tvb
, ech_offset
+ 2);
9832 ech_offset
+= 4 + tvb_get_ntohs(ech_tvb
, ech_offset
+ 2);
9833 } else if (tvb_get_ntohs(ech_tvb
, ech_offset
+ 2) > 0) {
9834 uint8_t outer_extensions_end
= tvb_get_uint8(ech_tvb
, ech_offset
+ 4) + ech_offset
+ 5;
9836 uint16_t outer_offset
= initial_offset
+ 35 + tvb_get_uint8(tvb
, initial_offset
+ 34);
9837 outer_offset
+= tvb_get_ntohs(tvb
, outer_offset
) + 2;
9838 outer_offset
+= tvb_get_uint8(tvb
, outer_offset
) + 3;
9839 while (outer_extensions_end
- ech_offset
>= 2) {
9840 while (hello_length
- outer_offset
>= 4) {
9841 if (tvb_get_ntohs(tvb
, outer_offset
) == tvb_get_ntohs(ech_tvb
, ech_offset
)) {
9842 tvb_memcpy(tvb
, ssl
->ech_transcript
.data
+ ssl
->ech_transcript
.data_len
, outer_offset
,
9843 4 + tvb_get_ntohs(tvb
, outer_offset
+ 2));
9844 ssl
->ech_transcript
.data_len
+= 4 + tvb_get_ntohs(tvb
, outer_offset
+ 2);
9845 outer_offset
+= 4 + tvb_get_ntohs(tvb
, outer_offset
+ 2);
9848 outer_offset
+= 4 + tvb_get_ntohs(tvb
, outer_offset
+ 2);
9855 uint16_t ech_extensions_len_be
= GUINT16_TO_BE(ssl
->ech_transcript
.data_len
- ech_extensions_len_offset
- 2);
9856 *(ssl
->ech_transcript
.data
+ ech_extensions_len_offset
) = ech_extensions_len_be
& 0xff;
9857 *(ssl
->ech_transcript
.data
+ ech_extensions_len_offset
+ 1) = (ech_extensions_len_be
>> 8);
9858 *(ssl
->ech_transcript
.data
+ len_offset
+ 2) = ((ssl
->ech_transcript
.data_len
- len_offset
- 4) >> 8);
9859 *(ssl
->ech_transcript
.data
+ len_offset
+ 3) = (ssl
->ech_transcript
.data_len
- len_offset
- 4) & 0xff;
9861 uint32_t ech_padding_begin
= (uint32_t)ssl_dissect_hnd_cli_hello(hf
, ech_tvb
, pinfo
, payload_tree
, 0, length
- 16, session
,
9863 if (ech_padding_begin
< length
- 16) {
9864 proto_tree_add_item(payload_tree
, hf
->hf
.ech_padding_data
, ech_tvb
, ech_padding_begin
, length
- 16 - ech_padding_begin
,
9875 case SSL_HND_ENCRYPTED_EXTENSIONS
:
9878 * ECHConfigList retry_configs;
9879 * } ECHEncryptedExtensions;
9882 ti
= proto_tree_add_item(tree
, hf
->hf
.ech_retry_configs
, tvb
, offset
, offset_end
- offset
, ENC_NA
);
9883 retry_tree
= proto_item_add_subtree(ti
, hf
->ett
.ech_retry_configs
);
9884 offset
= ssl_dissect_ext_ech_echconfiglist(hf
, tvb
, pinfo
, retry_tree
, offset
, offset_end
);
9887 case SSL_HND_HELLO_RETRY_REQUEST
:
9890 * opaque confirmation[8];
9891 * } ECHHelloRetryRequest;
9894 proto_tree_add_item(tree
, hf
->hf
.ech_confirmation
, tvb
, offset
, 8, ENC_NA
);
9896 ti
= proto_tree_add_bytes_with_length(tree
, hf
->hf
.hs_ech_confirm_compute
, tvb
, offset
, 0, session
->hrr_ech_confirmation
, 8);
9897 proto_item_set_generated(ti
);
9898 if (memcmp(session
->hrr_ech_confirmation
, tvb_get_ptr(tvb
, offset
, 8), 8)) {
9899 expert_add_info(pinfo
, ti
, &hf
->ei
.ech_rejected
);
9901 expert_add_info(pinfo
, ti
, &hf
->ei
.ech_accepted
);
9912 ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
9913 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
9914 uint8_t hnd_type
, SslDecryptSession
*ssl _U_
)
9916 uint32_t record_digest_length
, encrypted_sni_length
;
9919 case SSL_HND_CLIENT_HELLO
:
9922 * CipherSuite suite;
9923 * KeyShareEntry key_share;
9924 * opaque record_digest<0..2^16-1>;
9925 * opaque encrypted_sni<0..2^16-1>;
9926 * } ClientEncryptedSNI;
9928 proto_tree_add_item(tree
, hf
->hf
.esni_suite
, tvb
, offset
, 2, ENC_BIG_ENDIAN
);
9930 offset
= ssl_dissect_hnd_hello_ext_key_share_entry(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, NULL
);
9932 /* opaque record_digest<0..2^16-1> */
9933 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &record_digest_length
,
9934 hf
->hf
.esni_record_digest_length
, 0, UINT16_MAX
)) {
9938 if (record_digest_length
> 0) {
9939 proto_tree_add_item(tree
, hf
->hf
.esni_record_digest
, tvb
, offset
, record_digest_length
, ENC_NA
);
9940 offset
+= record_digest_length
;
9943 /* opaque encrypted_sni<0..2^16-1> */
9944 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &encrypted_sni_length
,
9945 hf
->hf
.esni_encrypted_sni_length
, 0, UINT16_MAX
)) {
9949 if (encrypted_sni_length
> 0) {
9950 proto_tree_add_item(tree
, hf
->hf
.esni_encrypted_sni
, tvb
, offset
, encrypted_sni_length
, ENC_NA
);
9951 offset
+= encrypted_sni_length
;
9955 case SSL_HND_ENCRYPTED_EXTENSIONS
:
9956 proto_tree_add_item(tree
, hf
->hf
.esni_nonce
, tvb
, offset
, 16, ENC_NA
);
9963 /** TLS Extensions (in Client Hello and Server Hello). }}} */
9965 /* Connection ID dissection. {{{ */
9967 ssl_dissect_ext_connection_id(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
9968 proto_tree
*tree
, uint32_t offset
, SslDecryptSession
*ssl
,
9969 uint8_t cidl
, uint8_t **session_cid
, uint8_t *session_cidl
)
9971 /* keep track of the decrypt session only for the first pass */
9972 if (cidl
> 0 && !PINFO_FD_VISITED(pinfo
)) {
9973 tvb_ensure_bytes_exist(tvb
, offset
+ 1, cidl
);
9974 *session_cidl
= cidl
;
9975 *session_cid
= (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl
);
9976 tvb_memcpy(tvb
, *session_cid
, offset
+ 1, cidl
);
9978 ssl_add_session_by_cid(ssl
);
9982 proto_tree_add_item(tree
, hf
->hf
.hs_ext_connection_id_length
,
9983 tvb
, offset
, 1, ENC_NA
);
9987 proto_tree_add_item(tree
, hf
->hf
.hs_ext_connection_id
,
9988 tvb
, offset
, cidl
, ENC_NA
);
9996 ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
9997 proto_tree
*tree
, uint32_t offset
, uint8_t hnd_type
,
9998 SslSession
*session
, SslDecryptSession
*ssl
)
10000 uint8_t cidl
= tvb_get_uint8(tvb
, offset
);
10002 switch (hnd_type
) {
10003 case SSL_HND_CLIENT_HELLO
:
10004 session
->client_cid_len_present
= true;
10005 return ssl_dissect_ext_connection_id(hf
, tvb
, pinfo
, tree
, offset
, ssl
,
10006 cidl
, &session
->client_cid
, &session
->client_cid_len
);
10007 case SSL_HND_SERVER_HELLO
:
10008 session
->server_cid_len_present
= true;
10009 return ssl_dissect_ext_connection_id(hf
, tvb
, pinfo
, tree
, offset
, ssl
,
10010 cidl
, &session
->server_cid
, &session
->server_cid_len
);
10016 /* Trusted CA dissection. {{{ */
10018 ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
,
10019 uint32_t offset
, uint32_t offset_end
)
10022 proto_tree
*subtree
;
10023 uint32_t keys_length
, next_offset
;
10027 * TrustedAuthority trusted_authorities_list<0..2^16-1>;
10028 * } TrustedAuthorities;
10031 * IdentifierType identifier_type;
10032 * select (identifier_type) {
10033 * case pre_agreed: struct {};
10034 * case key_sha1_hash: SHA1Hash;
10035 * case x509_name: DistinguishedName;
10036 * case cert_sha1_hash: SHA1Hash;
10038 * } TrustedAuthority;
10041 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10042 * cert_sha1_hash(3), (255)
10043 * } IdentifierType;
10045 * opaque DistinguishedName<1..2^16-1>;
10050 /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
10051 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &keys_length
, hf
->hf
.hs_ext_trusted_ca_keys_len
,
10057 next_offset
= offset
+ keys_length
;
10059 if (keys_length
> 0)
10061 ti
= proto_tree_add_none_format(tree
, hf
->hf
.hs_ext_trusted_ca_keys_list
, tvb
, offset
, keys_length
,
10062 "Trusted CA keys (%d byte%s)", keys_length
, plurality(keys_length
, "", "s"));
10063 subtree
= proto_item_add_subtree(ti
, hf
->ett
.hs_ext_trusted_ca_keys
);
10065 while (offset
< next_offset
)
10067 uint32_t identifier_type
;
10068 proto_tree
*trusted_key_tree
;
10069 proto_item
*trusted_key_item
;
10070 asn1_ctx_t asn1_ctx
;
10071 uint32_t key_len
= 0;
10073 identifier_type
= tvb_get_uint8(tvb
, offset
);
10075 // Use 0 as length for now as we'll only know the size when we decode the identifier
10076 trusted_key_item
= proto_tree_add_none_format(subtree
, hf
->hf
.hs_ext_trusted_ca_key
, tvb
,
10077 offset
, 0, "Trusted CA Key");
10078 trusted_key_tree
= proto_item_add_subtree(trusted_key_item
, hf
->ett
.hs_ext_trusted_ca_key
);
10080 proto_tree_add_uint(trusted_key_tree
, hf
->hf
.hs_ext_trusted_ca_key_type
, tvb
,
10081 offset
, 1, identifier_type
);
10086 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10087 * cert_sha1_hash(3), (255)
10088 * } IdentifierType;
10090 switch (identifier_type
)
10096 asn1_ctx_init(&asn1_ctx
, ASN1_ENC_BER
, true, pinfo
);
10098 uint32_t name_length
;
10099 /* opaque DistinguishedName<1..2^16-1> */
10100 if (!ssl_add_vector(hf
, tvb
, pinfo
, trusted_key_tree
, offset
, next_offset
, &name_length
,
10101 hf
->hf
.hs_ext_trusted_ca_key_dname_len
, 1, UINT16_MAX
)) {
10102 return next_offset
;
10106 dissect_x509if_DistinguishedName(false, tvb
, offset
, &asn1_ctx
,
10107 trusted_key_tree
, hf
->hf
.hs_ext_trusted_ca_key_dname
);
10108 offset
+= name_length
;
10113 /* opaque SHA1Hash[20]; */
10114 proto_tree_add_item(trusted_key_tree
, hf
->hf
.hs_ext_trusted_ca_key_hash
, tvb
,
10115 offset
, 20, ENC_NA
);
10120 /*TODO display expert info about unknown ? */
10123 proto_item_set_len(trusted_key_item
, 1 + key_len
);
10128 if (!ssl_end_vector(hf
, tvb
, pinfo
, tree
, offset
, next_offset
))
10130 offset
= next_offset
;
10137 /* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
10139 ssl_is_valid_content_type(uint8_t type
)
10141 switch ((ContentType
) type
) {
10142 case SSL_ID_CHG_CIPHER_SPEC
:
10144 case SSL_ID_HANDSHAKE
:
10145 case SSL_ID_APP_DATA
:
10146 case SSL_ID_HEARTBEAT
:
10147 case SSL_ID_TLS12_CID
:
10148 case SSL_ID_DTLS13_ACK
:
10155 ssl_is_valid_handshake_type(uint8_t hs_type
, bool is_dtls
)
10157 switch ((HandshakeType
) hs_type
) {
10158 case SSL_HND_HELLO_VERIFY_REQUEST
:
10159 /* hello_verify_request is DTLS-only */
10162 case SSL_HND_HELLO_REQUEST
:
10163 case SSL_HND_CLIENT_HELLO
:
10164 case SSL_HND_SERVER_HELLO
:
10165 case SSL_HND_NEWSESSION_TICKET
:
10166 case SSL_HND_END_OF_EARLY_DATA
:
10167 case SSL_HND_HELLO_RETRY_REQUEST
:
10168 case SSL_HND_ENCRYPTED_EXTENSIONS
:
10169 case SSL_HND_CERTIFICATE
:
10170 case SSL_HND_SERVER_KEY_EXCHG
:
10171 case SSL_HND_CERT_REQUEST
:
10172 case SSL_HND_SVR_HELLO_DONE
:
10173 case SSL_HND_CERT_VERIFY
:
10174 case SSL_HND_CLIENT_KEY_EXCHG
:
10175 case SSL_HND_FINISHED
:
10176 case SSL_HND_CERT_URL
:
10177 case SSL_HND_CERT_STATUS
:
10178 case SSL_HND_SUPPLEMENTAL_DATA
:
10179 case SSL_HND_KEY_UPDATE
:
10180 case SSL_HND_COMPRESSED_CERTIFICATE
:
10181 case SSL_HND_ENCRYPTED_EXTS
:
10183 case SSL_HND_MESSAGE_HASH
:
10190 ssl_is_authoritative_version_message(uint8_t content_type
, uint8_t handshake_type
,
10193 /* Consider all valid Handshake messages (except for Client Hello) and
10194 * all other valid record types (other than Handshake) */
10195 return (content_type
== SSL_ID_HANDSHAKE
&&
10196 ssl_is_valid_handshake_type(handshake_type
, is_dtls
) &&
10197 handshake_type
!= SSL_HND_CLIENT_HELLO
) ||
10198 (content_type
!= SSL_ID_HANDSHAKE
&&
10199 ssl_is_valid_content_type(content_type
));
10203 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
10204 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
10205 * Returns true if the supported_versions extension was found, false if not.
10208 tls_scan_server_hello(tvbuff_t
*tvb
, uint32_t offset
, uint32_t offset_end
,
10209 uint16_t *server_version
, bool *is_hrr
)
10211 /* SHA256("HelloRetryRequest") */
10212 static const uint8_t tls13_hrr_random_magic
[] = {
10213 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
10214 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
10216 uint8_t session_id_length
;
10218 *server_version
= tvb_get_ntohs(tvb
, offset
);
10221 * Try to look for supported_versions extension. Minimum length:
10222 * 2 + 32 + 1 = 35 (version, random, session id length)
10223 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10224 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10226 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10227 * there's a separate expert info warning for that.
10229 if ((*server_version
== TLSV1DOT2_VERSION
|| *server_version
== DTLSV1DOT2_VERSION
) && offset_end
- offset
>= 46) {
10232 *is_hrr
= tvb_memeql(tvb
, offset
, tls13_hrr_random_magic
, sizeof(tls13_hrr_random_magic
)) == 0;
10235 session_id_length
= tvb_get_uint8(tvb
, offset
);
10237 if (offset_end
- offset
< session_id_length
+ 5u) {
10240 offset
+= session_id_length
+ 5;
10242 while (offset_end
- offset
>= 6) {
10243 uint16_t ext_type
= tvb_get_ntohs(tvb
, offset
);
10244 uint16_t ext_len
= tvb_get_ntohs(tvb
, offset
+ 2);
10245 if (offset_end
- offset
< 4u + ext_len
) {
10246 break; /* not enough data for type, length and data */
10248 if (ext_type
== SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS
) {
10249 if (ext_len
== 2) {
10250 *server_version
= tvb_get_ntohs(tvb
, offset
+ 4);
10254 offset
+= 4 + ext_len
;
10265 * Scan a Client Hello handshake message to see if the supported_versions
10266 * extension is found, in which case the version field is legacy_version.
10269 tls_scan_client_hello(tvbuff_t
*tvb
, uint32_t offset
, uint32_t offset_end
)
10271 uint8_t session_id_length
;
10273 uint16_t client_version
= tvb_get_ntohs(tvb
, offset
);
10276 * Try to look for supported_versions extension. Minimum length:
10277 * 2 + 32 + 1 = 35 (version, random, session id length)
10278 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10279 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10281 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10282 * there's a separate expert info warning for that.
10284 if ((client_version
== TLSV1DOT2_VERSION
|| client_version
== DTLSV1DOT2_VERSION
) && offset_end
- offset
>= 46) {
10287 session_id_length
= tvb_get_uint8(tvb
, offset
);
10289 if (offset_end
- offset
< session_id_length
+ 2u) {
10292 offset
+= session_id_length
;
10293 if (client_version
== DTLSV1DOT2_VERSION
) {
10294 uint8_t cookie_length
= tvb_get_uint8(tvb
, offset
);
10296 if (offset_end
- offset
< cookie_length
+ 2u) {
10300 uint16_t cipher_suites_length
= tvb_get_ntohs(tvb
, offset
);
10302 if (offset_end
- offset
< cipher_suites_length
+ 1u) {
10305 offset
+= cipher_suites_length
;
10306 uint8_t compression_methods_length
= tvb_get_uint8(tvb
, offset
);
10308 if (offset_end
- offset
< compression_methods_length
+ 2u) {
10311 offset
+= compression_methods_length
+ 2;
10313 while (offset_end
- offset
>= 6) {
10314 uint16_t ext_type
= tvb_get_ntohs(tvb
, offset
);
10315 uint16_t ext_len
= tvb_get_ntohs(tvb
, offset
+ 2);
10316 if (offset_end
- offset
< 4u + ext_len
) {
10317 break; /* not enough data for type, length and data */
10319 if (ext_type
== SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS
) {
10322 offset
+= 4 + ext_len
;
10328 ssl_try_set_version(SslSession
*session
, SslDecryptSession
*ssl
,
10329 uint8_t content_type
, uint8_t handshake_type
,
10330 bool is_dtls
, uint16_t version
)
10332 uint8_t tls13_draft
= 0;
10334 if (!ssl_is_authoritative_version_message(content_type
, handshake_type
,
10338 version
= tls_try_get_version(is_dtls
, version
, &tls13_draft
);
10339 if (version
== SSL_VER_UNKNOWN
) {
10343 session
->tls13_draft_version
= tls13_draft
;
10344 session
->version
= version
;
10346 ssl
->state
|= SSL_VERSION
;
10347 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC
, version
, ssl
->state
);
10352 ssl_check_record_length(ssl_common_dissect_t
*hf
, packet_info
*pinfo
,
10353 ContentType content_type
,
10354 unsigned record_length
, proto_item
*length_pi
,
10355 uint16_t version
, tvbuff_t
*decrypted_tvb
)
10357 unsigned max_expansion
;
10358 if (version
== TLSV1DOT3_VERSION
) {
10359 /* TLS 1.3: Max length is 2^14 + 256 */
10360 max_expansion
= 256;
10362 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
10363 max_expansion
= 2048;
10366 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
10367 * and ChangeCipherSpec.
10368 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
10369 * so assume it is permitted.
10370 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
10371 * assume TLS 1.2 requirements.
10373 if (record_length
== 0 &&
10374 (content_type
== SSL_ID_CHG_CIPHER_SPEC
||
10375 content_type
== SSL_ID_ALERT
||
10376 content_type
== SSL_ID_HANDSHAKE
)) {
10377 expert_add_info_format(pinfo
, length_pi
, &hf
->ei
.record_length_invalid
,
10378 "Zero-length %s fragments are not allowed",
10379 val_to_str_const(content_type
, ssl_31_content_type
, "unknown"));
10381 if (record_length
> TLS_MAX_RECORD_LENGTH
+ max_expansion
) {
10382 expert_add_info_format(pinfo
, length_pi
, &hf
->ei
.record_length_invalid
,
10383 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion
);
10385 if (decrypted_tvb
&& tvb_captured_length(decrypted_tvb
) > TLS_MAX_RECORD_LENGTH
) {
10386 expert_add_info_format(pinfo
, length_pi
, &hf
->ei
.record_length_invalid
,
10387 "TLSPlaintext length MUST NOT exceed 2^14");
10392 ssl_set_cipher(SslDecryptSession
*ssl
, uint16_t cipher
)
10394 /* store selected cipher suite for decryption */
10395 ssl
->session
.cipher
= cipher
;
10397 const SslCipherSuite
*cs
= ssl_find_cipher(cipher
);
10399 ssl
->cipher_suite
= NULL
;
10400 ssl
->state
&= ~SSL_CIPHER
;
10401 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC
, cipher
);
10402 } else if (ssl
->session
.version
== SSLV3_VERSION
&& !(cs
->dig
== DIG_MD5
|| cs
->dig
== DIG_SHA
)) {
10403 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
10404 * cipher suite that uses for example MACAlgorithm SHA256. Reject that
10405 * to avoid a potential buffer overflow in ssl3_check_mac. */
10406 ssl
->cipher_suite
= NULL
;
10407 ssl
->state
&= ~SSL_CIPHER
;
10408 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC
, cipher
);
10410 /* Cipher found, save this for the delayed decoder init */
10411 ssl
->cipher_suite
= cs
;
10412 ssl
->state
|= SSL_CIPHER
;
10413 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC
, cipher
,
10414 val_to_str_ext_const(cipher
, &ssl_31_ciphersuite_ext
, "unknown"),
10421 /* Client Hello and Server Hello dissections. {{{ */
10423 ssl_dissect_hnd_extension(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, proto_tree
*tree
,
10424 packet_info
* pinfo
, uint32_t offset
, uint32_t offset_end
, uint8_t hnd_type
,
10425 SslSession
*session
, SslDecryptSession
*ssl
,
10426 bool is_dtls
, wmem_strbuf_t
*ja3
, ja4_data_t
*ja4_data
,
10427 ssl_master_key_map_t
*mk_map
, uint32_t initial_offset
, uint32_t hello_length
);
10429 // NOLINTNEXTLINE(misc-no-recursion)
10430 ssl_dissect_hnd_cli_hello(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
10431 packet_info
*pinfo
, proto_tree
*tree
, uint32_t offset
,
10432 uint32_t offset_end
, SslSession
*session
,
10433 SslDecryptSession
*ssl
, dtls_hfs_t
*dtls_hfs
, ssl_master_key_map_t
*mk_map
)
10436 * ProtocolVersion client_version;
10438 * SessionID session_id;
10439 * opaque cookie<0..32>; //new field for DTLS
10440 * CipherSuite cipher_suites<2..2^16-1>;
10441 * CompressionMethod compression_methods<1..2^8-1>;
10442 * Extension client_hello_extension_list<0..2^16-1>;
10446 proto_tree
*cs_tree
;
10447 uint32_t client_version
;
10448 uint32_t cipher_suite_length
;
10449 uint32_t compression_methods_length
;
10450 uint8_t compression_method
;
10451 uint32_t next_offset
;
10452 uint32_t initial_offset
= offset
;
10453 uint32_t hello_length
= offset_end
- initial_offset
;
10454 wmem_strbuf_t
*ja3
= wmem_strbuf_new(pinfo
->pool
, "");
10456 char *ja3_dash
= "";
10457 char *ja4
, *ja4_r
, *ja4_hash
, *ja4_b
, *ja4_c
;
10458 ja4_data_t ja4_data
;
10459 wmem_strbuf_t
*ja4_a
= wmem_strbuf_new(pinfo
->pool
, "");
10460 wmem_strbuf_t
*ja4_br
= wmem_strbuf_new(pinfo
->pool
, "");
10461 wmem_strbuf_t
*ja4_cr
= wmem_strbuf_new(pinfo
->pool
, "");
10462 wmem_list_frame_t
*curr_entry
;
10464 ja4_data
.max_version
= 0;
10465 ja4_data
.server_name_present
= false;
10466 ja4_data
.num_cipher_suites
= 0;
10467 ja4_data
.num_extensions
= 0;
10468 ja4_data
.alpn
= wmem_strbuf_new(pinfo
->pool
, "");
10469 ja4_data
.cipher_list
= wmem_list_new(pinfo
->pool
);
10470 ja4_data
.extension_list
= wmem_list_new(pinfo
->pool
);
10471 ja4_data
.sighash_list
= wmem_list_new(pinfo
->pool
);
10473 /* show the client version */
10474 ti
= proto_tree_add_item_ret_uint(tree
, hf
->hf
.hs_client_version
, tvb
,
10475 offset
, 2, ENC_BIG_ENDIAN
,
10477 if (tls_scan_client_hello(tvb
, offset
, offset_end
)) {
10478 expert_add_info(pinfo
, ti
, &hf
->ei
.legacy_version
);
10481 wmem_strbuf_append_printf(ja3
, "%i,", client_version
);
10484 * Is it version 1.3?
10485 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
10486 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10487 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
10490 if (dtls_hfs
!= NULL
) {
10491 if (client_version
== DTLSV1DOT3_VERSION
) {
10492 /* Don't do that. */
10493 expert_add_info(pinfo
, ti
, &hf
->ei
.client_version_error
);
10496 if (client_version
== TLSV1DOT3_VERSION
) {
10497 /* Don't do that. */
10498 expert_add_info(pinfo
, ti
, &hf
->ei
.client_version_error
);
10502 /* dissect fields that are present in both ClientHello and ServerHello */
10503 offset
= ssl_dissect_hnd_hello_common(hf
, tvb
, pinfo
, tree
, offset
, session
, ssl
, false, false);
10505 /* fields specific for DTLS (cookie_len, cookie) */
10506 if (dtls_hfs
!= NULL
) {
10507 uint32_t cookie_length
;
10508 /* opaque cookie<0..32> (for DTLS only) */
10509 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &cookie_length
,
10510 dtls_hfs
->hf_dtls_handshake_cookie_len
, 0, 32)) {
10514 if (cookie_length
> 0) {
10515 proto_tree_add_item(tree
, dtls_hfs
->hf_dtls_handshake_cookie
,
10516 tvb
, offset
, cookie_length
, ENC_NA
);
10517 offset
+= cookie_length
;
10521 /* CipherSuite cipher_suites<2..2^16-1> */
10522 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &cipher_suite_length
,
10523 hf
->hf
.hs_cipher_suites_len
, 2, UINT16_MAX
)) {
10527 next_offset
= offset
+ cipher_suite_length
;
10528 ti
= proto_tree_add_none_format(tree
,
10529 hf
->hf
.hs_cipher_suites
,
10530 tvb
, offset
, cipher_suite_length
,
10531 "Cipher Suites (%d suite%s)",
10532 cipher_suite_length
/ 2,
10533 plurality(cipher_suite_length
/2, "", "s"));
10534 cs_tree
= proto_item_add_subtree(ti
, hf
->ett
.cipher_suites
);
10535 while (offset
+ 2 <= next_offset
) {
10536 uint32_t cipher_suite
;
10538 proto_tree_add_item_ret_uint(cs_tree
, hf
->hf
.hs_cipher_suite
, tvb
, offset
, 2,
10539 ENC_BIG_ENDIAN
, &cipher_suite
);
10541 if (!IS_GREASE_TLS(cipher_suite
)) {
10542 wmem_strbuf_append_printf(ja3
, "%s%i",ja3_dash
, cipher_suite
);
10544 ja4_data
.num_cipher_suites
+= 1;
10545 wmem_list_insert_sorted(ja4_data
.cipher_list
, GUINT_TO_POINTER(cipher_suite
), wmem_compare_uint
);
10548 wmem_strbuf_append_c(ja3
, ',');
10549 if (!ssl_end_vector(hf
, tvb
, pinfo
, cs_tree
, offset
, next_offset
)) {
10550 offset
= next_offset
;
10553 /* CompressionMethod compression_methods<1..2^8-1> */
10554 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &compression_methods_length
,
10555 hf
->hf
.hs_comp_methods_len
, 1, UINT8_MAX
)) {
10559 next_offset
= offset
+ compression_methods_length
;
10560 ti
= proto_tree_add_none_format(tree
,
10561 hf
->hf
.hs_comp_methods
,
10562 tvb
, offset
, compression_methods_length
,
10563 "Compression Methods (%u method%s)",
10564 compression_methods_length
,
10565 plurality(compression_methods_length
,
10567 cs_tree
= proto_item_add_subtree(ti
, hf
->ett
.comp_methods
);
10568 while (offset
< next_offset
) {
10569 compression_method
= tvb_get_uint8(tvb
, offset
);
10570 /* TODO: make reserved/private comp meth. fields selectable */
10571 if (compression_method
< 64)
10572 proto_tree_add_uint(cs_tree
, hf
->hf
.hs_comp_method
,
10573 tvb
, offset
, 1, compression_method
);
10574 else if (compression_method
> 63 && compression_method
< 193)
10575 proto_tree_add_uint_format_value(cs_tree
, hf
->hf
.hs_comp_method
, tvb
, offset
, 1,
10576 compression_method
, "Reserved - to be assigned by IANA (%u)",
10577 compression_method
);
10579 proto_tree_add_uint_format_value(cs_tree
, hf
->hf
.hs_comp_method
, tvb
, offset
, 1,
10580 compression_method
, "Private use range (%u)",
10581 compression_method
);
10585 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10586 if (offset
< offset_end
) {
10587 offset
= ssl_dissect_hnd_extension(hf
, tvb
, tree
, pinfo
, offset
,
10588 offset_end
, SSL_HND_CLIENT_HELLO
,
10589 session
, ssl
, dtls_hfs
!= NULL
, ja3
, &ja4_data
, mk_map
, initial_offset
, hello_length
);
10590 if (ja4_data
.max_version
> 0) {
10591 client_version
= ja4_data
.max_version
;
10594 wmem_strbuf_append_printf(ja3
, ",,");
10597 if (proto_is_frame_protocol(pinfo
->layers
,"tcp")) {
10598 wmem_strbuf_append(ja4_a
, "t");
10599 } else if (proto_is_frame_protocol(pinfo
->layers
,"quic")) {
10600 wmem_strbuf_append(ja4_a
, "q");
10601 } else if (proto_is_frame_protocol(pinfo
->layers
,"dtls")) {
10602 wmem_strbuf_append(ja4_a
, "d");
10604 wmem_strbuf_append_printf(ja4_a
, "%s", val_to_str_const(client_version
, ssl_version_ja4_names
, "00"));
10605 wmem_strbuf_append_printf(ja4_a
, "%s", ja4_data
.server_name_present
? "d" : "i");
10606 if (ja4_data
.num_cipher_suites
> 99) {
10607 wmem_strbuf_append(ja4_a
, "99");
10609 wmem_strbuf_append_printf(ja4_a
, "%02d", ja4_data
.num_cipher_suites
);
10611 if (ja4_data
.num_extensions
> 99) {
10612 wmem_strbuf_append(ja4_a
, "99");
10614 wmem_strbuf_append_printf(ja4_a
, "%02d", ja4_data
.num_extensions
);
10616 if (wmem_strbuf_get_len(ja4_data
.alpn
) > 0 ) {
10617 wmem_strbuf_append_printf(ja4_a
, "%s", wmem_strbuf_get_str(ja4_data
.alpn
));
10619 wmem_strbuf_append(ja4_a
, "00");
10622 curr_entry
= wmem_list_head(ja4_data
.cipher_list
);
10623 for (unsigned i
= 0; i
< wmem_list_count(ja4_data
.cipher_list
); i
++) {
10624 wmem_strbuf_append_printf(ja4_br
, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry
)));
10625 if (i
< wmem_list_count(ja4_data
.cipher_list
) - 1) {
10626 wmem_strbuf_append(ja4_br
, ",");
10628 curr_entry
= wmem_list_frame_next(curr_entry
);
10631 curr_entry
= wmem_list_head(ja4_data
.extension_list
);
10632 for (unsigned i
= 0; i
< wmem_list_count(ja4_data
.extension_list
); i
++) {
10633 wmem_strbuf_append_printf(ja4_cr
, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry
)));
10634 if (i
< wmem_list_count(ja4_data
.extension_list
) - 1) {
10635 wmem_strbuf_append(ja4_cr
, ",");
10637 curr_entry
= wmem_list_frame_next(curr_entry
);
10640 if (wmem_list_count(ja4_data
.sighash_list
) > 0) {
10641 wmem_strbuf_append(ja4_cr
, "_");
10642 curr_entry
= wmem_list_head(ja4_data
.sighash_list
);
10643 for (unsigned i
= 0; i
< wmem_list_count(ja4_data
.sighash_list
); i
++) {
10644 wmem_strbuf_append_printf(ja4_cr
, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry
)));
10645 if (i
< wmem_list_count(ja4_data
.sighash_list
) - 1) {
10646 wmem_strbuf_append(ja4_cr
, ",");
10648 curr_entry
= wmem_list_frame_next(curr_entry
);
10651 ja4_hash
= g_compute_checksum_for_string(G_CHECKSUM_SHA256
, wmem_strbuf_get_str(ja4_br
),-1);
10652 ja4_b
= wmem_strndup(pinfo
->pool
, ja4_hash
, 12);
10654 if ( wmem_strbuf_get_len(ja4_cr
) == 0 ) {
10655 ja4_hash
= g_strdup("000000000000");
10657 ja4_hash
= g_compute_checksum_for_string(G_CHECKSUM_SHA256
, wmem_strbuf_get_str(ja4_cr
),-1);
10659 ja4_c
= wmem_strndup(pinfo
->pool
, ja4_hash
, 12);
10662 ja4
= wmem_strdup_printf(pinfo
->pool
, "%s_%s_%s", wmem_strbuf_get_str(ja4_a
), ja4_b
, ja4_c
);
10663 ja4_r
= wmem_strdup_printf(pinfo
->pool
, "%s_%s_%s", wmem_strbuf_get_str(ja4_a
), wmem_strbuf_get_str(ja4_br
), wmem_strbuf_get_str(ja4_cr
));
10665 ti
= proto_tree_add_string(tree
, hf
->hf
.hs_ja4
, tvb
, offset
, 0, ja4
);
10666 proto_item_set_generated(ti
);
10667 ti
= proto_tree_add_string(tree
, hf
->hf
.hs_ja4_r
, tvb
, offset
, 0, ja4_r
);
10668 proto_item_set_generated(ti
);
10670 ja3_hash
= g_compute_checksum_for_string(G_CHECKSUM_MD5
, wmem_strbuf_get_str(ja3
),
10671 wmem_strbuf_get_len(ja3
));
10672 ti
= proto_tree_add_string(tree
, hf
->hf
.hs_ja3_full
, tvb
, offset
, 0, wmem_strbuf_get_str(ja3
));
10673 proto_item_set_generated(ti
);
10674 ti
= proto_tree_add_string(tree
, hf
->hf
.hs_ja3_hash
, tvb
, offset
, 0, ja3_hash
);
10675 proto_item_set_generated(ti
);
10681 ssl_dissect_hnd_srv_hello(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
10682 packet_info
* pinfo
, proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
10683 SslSession
*session
, SslDecryptSession
*ssl
,
10684 bool is_dtls
, bool is_hrr
)
10687 * ProtocolVersion server_version;
10689 * SessionID session_id; // TLS 1.2 and before
10690 * CipherSuite cipher_suite;
10691 * CompressionMethod compression_method; // TLS 1.2 and before
10692 * Extension server_hello_extension_list<0..2^16-1>;
10695 uint8_t draft_version
= session
->tls13_draft_version
;
10697 uint32_t server_version
;
10698 uint32_t cipher_suite
;
10699 uint32_t initial_offset
= offset
;
10700 wmem_strbuf_t
*ja3
= wmem_strbuf_new(pinfo
->pool
, "");
10703 col_set_str(pinfo
->cinfo
, COL_PROTOCOL
,
10704 val_to_str_const(session
->version
, ssl_version_short_names
, "SSL"));
10706 /* Initially assume that the session is resumed. If this is not the case, a
10707 * ServerHelloDone will be observed before the ChangeCipherSpec message
10708 * which will reset this flag. */
10709 session
->is_session_resumed
= true;
10711 /* show the server version */
10712 ti
= proto_tree_add_item_ret_uint(tree
, hf
->hf
.hs_server_version
, tvb
,
10713 offset
, 2, ENC_BIG_ENDIAN
, &server_version
);
10715 uint16_t supported_server_version
;
10716 if (tls_scan_server_hello(tvb
, offset
, offset_end
, &supported_server_version
, NULL
)) {
10717 expert_add_info(pinfo
, ti
, &hf
->ei
.legacy_version
);
10720 * Is it version 1.3?
10721 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
10722 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10723 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
10727 if (server_version
== DTLSV1DOT3_VERSION
) {
10728 /* Don't do that. */
10729 expert_add_info(pinfo
, ti
, &hf
->ei
.server_version_error
);
10732 if (server_version
== TLSV1DOT3_VERSION
) {
10733 /* Don't do that. */
10734 expert_add_info(pinfo
, ti
, &hf
->ei
.server_version_error
);
10739 wmem_strbuf_append_printf(ja3
, "%i", server_version
);
10741 /* dissect fields that are present in both ClientHello and ServerHello */
10742 offset
= ssl_dissect_hnd_hello_common(hf
, tvb
, pinfo
, tree
, offset
, session
, ssl
, true, is_hrr
);
10745 /* store selected cipher suite for decryption */
10746 ssl_set_cipher(ssl
, tvb_get_ntohs(tvb
, offset
));
10749 /* now the server-selected cipher suite */
10750 proto_tree_add_item_ret_uint(tree
, hf
->hf
.hs_cipher_suite
,
10751 tvb
, offset
, 2, ENC_BIG_ENDIAN
, &cipher_suite
);
10753 wmem_strbuf_append_printf(ja3
, ",%i,", cipher_suite
);
10755 /* No compression with TLS 1.3 before draft -22 */
10756 if (!(session
->version
== TLSV1DOT3_VERSION
&& draft_version
> 0 && draft_version
< 22)) {
10758 /* store selected compression method for decryption */
10759 ssl
->session
.compression
= tvb_get_uint8(tvb
, offset
);
10761 /* and the server-selected compression method */
10762 proto_tree_add_item(tree
, hf
->hf
.hs_comp_method
,
10763 tvb
, offset
, 1, ENC_BIG_ENDIAN
);
10767 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10768 if (offset
< offset_end
) {
10769 offset
= ssl_dissect_hnd_extension(hf
, tvb
, tree
, pinfo
, offset
,
10771 is_hrr
? SSL_HND_HELLO_RETRY_REQUEST
: SSL_HND_SERVER_HELLO
,
10772 session
, ssl
, is_dtls
, ja3
, NULL
, NULL
, 0, 0);
10775 if (ssl
&& ssl
->ech_transcript
.data_len
> 0 && (ssl
->state
& SSL_CIPHER
) && ssl
->client_random
.data_len
> 0) {
10776 int hash_algo
= ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl
->cipher_suite
)->name
);
10779 guchar transcript_hash
[DIGEST_MAX_SIZE
];
10780 guchar prk
[DIGEST_MAX_SIZE
];
10781 guchar
*ech_verify_out
= NULL
;
10783 ssl_md_init(&mc
, hash_algo
);
10784 ssl_md_update(&mc
, ssl
->ech_transcript
.data
, ssl
->ech_transcript
.data_len
);
10786 ssl_md_final(&mc
, transcript_hash
, &len
);
10787 ssl_md_cleanup(&mc
);
10788 wmem_free(wmem_file_scope(), ssl
->ech_transcript
.data
);
10789 ssl
->ech_transcript
.data_len
= 4 + len
;
10790 ssl
->ech_transcript
.data
= (guchar
*)wmem_alloc(wmem_file_scope(), 4 + len
+ 4 + offset_end
- initial_offset
);
10791 ssl
->ech_transcript
.data
[0] = SSL_HND_MESSAGE_HASH
;
10792 ssl
->ech_transcript
.data
[1] = 0;
10793 ssl
->ech_transcript
.data
[2] = 0;
10794 ssl
->ech_transcript
.data
[3] = len
;
10795 memcpy(ssl
->ech_transcript
.data
+ 4, transcript_hash
, len
);
10796 ssl_md_init(&mc
, hash_algo
);
10797 ssl_md_update(&mc
, ssl
->ech_transcript
.data
, 4 + len
);
10799 ssl
->ech_transcript
.data
= wmem_realloc(wmem_file_scope(), ssl
->ech_transcript
.data
,
10800 ssl
->ech_transcript
.data_len
+ 4 + offset_end
- initial_offset
);
10802 if (initial_offset
> 4) {
10803 tvb_memcpy(tvb
, ssl
->ech_transcript
.data
+ ssl
->ech_transcript
.data_len
, initial_offset
- 4,
10804 4 + offset_end
- initial_offset
);
10806 ssl_md_update(&mc
, (guchar
*)tvb_get_ptr(tvb
, initial_offset
-4, 38), 38);
10808 ssl_md_update(&mc
, (guchar
*)tvb_get_ptr(tvb
, initial_offset
-4, 30), 30);
10810 uint8_t prefix
[4] = {SSL_HND_SERVER_HELLO
, 0x00, 0x00, 0x00};
10811 prefix
[2] = ((offset
- initial_offset
) >> 8);
10812 prefix
[3] = (offset
- initial_offset
) & 0xff;
10813 memcpy(ssl
->ech_transcript
.data
+ ssl
->ech_transcript
.data_len
, prefix
, 4);
10814 tvb_memcpy(tvb
, ssl
->ech_transcript
.data
+ ssl
->ech_transcript
.data_len
+ 4, initial_offset
,
10815 offset_end
- initial_offset
);
10816 ssl_md_update(&mc
, prefix
, 4);
10818 ssl_md_update(&mc
, (guchar
*)tvb_get_ptr(tvb
, initial_offset
, 34), 34);
10820 ssl_md_update(&mc
, (guchar
*)tvb_get_ptr(tvb
, initial_offset
, 26), 26);
10822 ssl
->ech_transcript
.data_len
+= 4 + offset_end
- initial_offset
;
10823 uint8_t zeros
[8] = { 0 };
10824 uint32_t confirmation_offset
= initial_offset
+ 26;
10826 uint32_t hrr_offset
= initial_offset
+ 34;
10827 ssl_md_update(&mc
, (guchar
*)tvb_get_ptr(tvb
, hrr_offset
,
10828 tvb_get_uint8(tvb
, hrr_offset
) + 1), tvb_get_uint8(tvb
, hrr_offset
) + 1);
10829 hrr_offset
+= tvb_get_uint8(tvb
, hrr_offset
) + 1;
10830 ssl_md_update(&mc
, (guchar
*)tvb_get_ptr(tvb
, hrr_offset
, 3), 3);
10832 uint16_t extensions_end
= hrr_offset
+ tvb_get_ntohs(tvb
, hrr_offset
) + 2;
10833 ssl_md_update(&mc
, (guchar
*)tvb_get_ptr(tvb
, hrr_offset
, 2), 2);
10835 while (extensions_end
- hrr_offset
>= 4) {
10836 if (tvb_get_ntohs(tvb
, hrr_offset
) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO
&&
10837 tvb_get_ntohs(tvb
, hrr_offset
+ 2) == 8) {
10838 confirmation_offset
= hrr_offset
+ 4;
10839 ssl_md_update(&mc
, (guchar
*)tvb_get_ptr(tvb
, hrr_offset
, 4), 4);
10840 ssl_md_update(&mc
, zeros
, 8);
10843 ssl_md_update(&mc
, (guchar
*)tvb_get_ptr(tvb
, hrr_offset
, tvb_get_ntohs(tvb
, hrr_offset
+ 2) + 4),
10844 tvb_get_ntohs(tvb
, hrr_offset
+ 2) + 4);
10845 hrr_offset
+= tvb_get_ntohs(tvb
, hrr_offset
+ 2) + 4;
10849 ssl_md_update(&mc
, zeros
, 8);
10850 ssl_md_update(&mc
, (guchar
*)tvb_get_ptr(tvb
, initial_offset
+ 34, offset
- initial_offset
- 34),
10851 offset
- initial_offset
- 34);
10853 ssl_md_final(&mc
, transcript_hash
, &len
);
10854 ssl_md_cleanup(&mc
);
10855 hkdf_extract(hash_algo
, NULL
, 0, ssl
->client_random
.data
, 32, prk
);
10856 StringInfo prk_string
= {prk
, len
};
10857 tls13_hkdf_expand_label_context(hash_algo
, &prk_string
, tls13_hkdf_label_prefix(ssl
),
10858 is_hrr
? "hrr ech accept confirmation" : "ech accept confirmation",
10859 transcript_hash
, len
, 8, &ech_verify_out
);
10860 memcpy(is_hrr
? ssl
->session
.hrr_ech_confirmation
: ssl
->session
.ech_confirmation
, ech_verify_out
, 8);
10861 if (tvb_memeql(tvb
, confirmation_offset
, ech_verify_out
, 8) == -1) {
10863 ssl
->session
.hrr_ech_declined
= TRUE
;
10864 ssl
->session
.first_ch_ech_frame
= 0;
10866 memcpy(ssl
->client_random
.data
, ssl
->session
.client_random
.data
, ssl
->session
.client_random
.data_len
);
10867 ssl_print_data("Updated Client Random", ssl
->client_random
.data
, 32);
10869 wmem_free(NULL
, ech_verify_out
);
10870 ssl
->session
.ech
= TRUE
;
10874 ja3_hash
= g_compute_checksum_for_string(G_CHECKSUM_MD5
, wmem_strbuf_get_str(ja3
),
10875 wmem_strbuf_get_len(ja3
));
10876 ti
= proto_tree_add_string(tree
, hf
->hf
.hs_ja3s_full
, tvb
, offset
, 0, wmem_strbuf_get_str(ja3
));
10877 proto_item_set_generated(ti
);
10878 ti
= proto_tree_add_string(tree
, hf
->hf
.hs_ja3s_hash
, tvb
, offset
, 0, ja3_hash
);
10879 proto_item_set_generated(ti
);
10882 /* Client Hello and Server Hello dissections. }}} */
10884 /* New Session Ticket dissection. {{{ */
10886 ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
10887 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
10888 SslSession
*session
, SslDecryptSession
*ssl
,
10889 bool is_dtls
, GHashTable
*session_hash
)
10891 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
10893 * uint32 ticket_lifetime_hint;
10894 * opaque ticket<0..2^16-1>;
10895 * } NewSessionTicket;
10897 * RFC 8446 Section 4.6.1 (TLS 1.3):
10899 * uint32 ticket_lifetime;
10900 * uint32 ticket_age_add;
10901 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -22
10902 * opaque ticket<1..2^16-1>;
10903 * Extension extensions<0..2^16-2>;
10904 * } NewSessionTicket;
10906 proto_tree
*subtree
;
10907 proto_item
*subitem
;
10908 uint32_t ticket_len
;
10909 bool is_tls13
= session
->version
== TLSV1DOT3_VERSION
|| session
->version
== DTLSV1DOT3_VERSION
;
10910 unsigned char draft_version
= session
->tls13_draft_version
;
10911 uint32_t lifetime_hint
;
10913 subtree
= proto_tree_add_subtree(tree
, tvb
, offset
, offset_end
- offset
,
10914 hf
->ett
.session_ticket
, NULL
,
10915 "TLS Session Ticket");
10917 /* ticket lifetime hint */
10918 subitem
= proto_tree_add_item_ret_uint(subtree
, hf
->hf
.hs_session_ticket_lifetime_hint
,
10919 tvb
, offset
, 4, ENC_BIG_ENDIAN
, &lifetime_hint
);
10922 if (lifetime_hint
>= 60) {
10923 char *time_str
= unsigned_time_secs_to_str(pinfo
->pool
, lifetime_hint
);
10924 proto_item_append_text(subitem
, " (%s)", time_str
);
10929 /* for TLS 1.3: ticket_age_add */
10930 proto_tree_add_item(subtree
, hf
->hf
.hs_session_ticket_age_add
,
10931 tvb
, offset
, 4, ENC_BIG_ENDIAN
);
10934 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
10935 if (draft_version
== 0 || draft_version
>= 21) {
10936 uint32_t ticket_nonce_len
;
10938 if (!ssl_add_vector(hf
, tvb
, pinfo
, subtree
, offset
, offset_end
, &ticket_nonce_len
,
10939 hf
->hf
.hs_session_ticket_nonce_len
, 0, 255)) {
10944 proto_tree_add_item(subtree
, hf
->hf
.hs_session_ticket_nonce
, tvb
, offset
, ticket_nonce_len
, ENC_NA
);
10945 offset
+= ticket_nonce_len
;
10950 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
10951 if (!ssl_add_vector(hf
, tvb
, pinfo
, subtree
, offset
, offset_end
, &ticket_len
,
10952 hf
->hf
.hs_session_ticket_len
, is_tls13
? 1 : 0, UINT16_MAX
)) {
10957 /* Content depends on implementation, so just show data! */
10958 proto_tree_add_item(subtree
, hf
->hf
.hs_session_ticket
,
10959 tvb
, offset
, ticket_len
, ENC_NA
);
10960 /* save the session ticket to cache for ssl_finalize_decryption */
10961 if (ssl
&& !is_tls13
) {
10962 tvb_ensure_bytes_exist(tvb
, offset
, ticket_len
);
10963 ssl
->session_ticket
.data
= (unsigned char*)wmem_realloc(wmem_file_scope(),
10964 ssl
->session_ticket
.data
, ticket_len
);
10965 ssl
->session_ticket
.data_len
= ticket_len
;
10966 tvb_memcpy(tvb
, ssl
->session_ticket
.data
, offset
, ticket_len
);
10967 /* NewSessionTicket is received after the first (client)
10968 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
10969 * Since the second CCS has already the session key available it will
10970 * just return. To ensure that the session ticket is mapped to a
10971 * master key (from the first CCS), save the ticket here too. */
10972 ssl_save_master_key("Session Ticket", session_hash
,
10973 &ssl
->session_ticket
, &ssl
->master_secret
);
10974 ssl
->state
|= SSL_NEW_SESSION_TICKET
;
10976 offset
+= ticket_len
;
10979 ssl_dissect_hnd_extension(hf
, tvb
, subtree
, pinfo
, offset
,
10980 offset_end
, SSL_HND_NEWSESSION_TICKET
,
10981 session
, ssl
, is_dtls
, NULL
, NULL
, NULL
, 0, 0);
10986 ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
10987 packet_info
* pinfo
, proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
10988 SslSession
*session
, SslDecryptSession
*ssl
,
10991 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
10993 * ProtocolVersion server_version;
10994 * CipherSuite cipher_suite; // not before draft -19
10995 * Extension extensions<2..2^16-1>;
10996 * } HelloRetryRequest;
10997 * Note: no longer used since draft -22
11000 uint8_t draft_version
;
11002 proto_tree_add_item_ret_uint(tree
, hf
->hf
.hs_server_version
, tvb
,
11003 offset
, 2, ENC_BIG_ENDIAN
, &version
);
11004 draft_version
= extract_tls13_draft_version(version
);
11007 if (draft_version
== 0 || draft_version
>= 19) {
11008 proto_tree_add_item(tree
, hf
->hf
.hs_cipher_suite
,
11009 tvb
, offset
, 2, ENC_BIG_ENDIAN
);
11013 ssl_dissect_hnd_extension(hf
, tvb
, tree
, pinfo
, offset
,
11014 offset_end
, SSL_HND_HELLO_RETRY_REQUEST
,
11015 session
, ssl
, is_dtls
, NULL
, NULL
, NULL
, 0, 0);
11019 ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
11020 packet_info
* pinfo
, proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
11021 SslSession
*session
, SslDecryptSession
*ssl
,
11024 /* RFC 8446 Section 4.3.1
11026 * Extension extensions<0..2^16-1>;
11027 * } EncryptedExtensions;
11029 ssl_dissect_hnd_extension(hf
, tvb
, tree
, pinfo
, offset
,
11030 offset_end
, SSL_HND_ENCRYPTED_EXTENSIONS
,
11031 session
, ssl
, is_dtls
, NULL
, NULL
, NULL
, 0, 0);
11034 /* Certificate and Certificate Request dissections. {{{ */
11036 ssl_dissect_hnd_cert(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, proto_tree
*tree
,
11037 uint32_t offset
, uint32_t offset_end
, packet_info
*pinfo
,
11038 SslSession
*session
, SslDecryptSession
*ssl _U_
,
11039 bool is_from_server
, bool is_dtls
)
11041 /* opaque ASN.1Cert<1..2^24-1>;
11043 * Before RFC 8446 (TLS <= 1.2):
11045 * select(certificate_type) {
11047 * // certificate type defined in RFC 7250
11048 * case RawPublicKey:
11049 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
11051 * // X.509 certificate defined in RFC 5246
11053 * ASN.1Cert certificate_list<0..2^24-1>;
11057 * RFC 8446 (since draft -20):
11059 * select(certificate_type){
11060 * case RawPublicKey:
11061 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
11062 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
11065 * opaque cert_data<1..2^24-1>;
11067 * Extension extensions<0..2^16-1>;
11068 * } CertificateEntry;
11070 * opaque certificate_request_context<0..2^8-1>;
11071 * CertificateEntry certificate_list<0..2^24-1>;
11074 enum { CERT_X509
, CERT_RPK
} cert_type
;
11075 asn1_ctx_t asn1_ctx
;
11076 #if defined(HAVE_LIBGNUTLS)
11077 gnutls_datum_t subjectPublicKeyInfo
= { NULL
, 0 };
11078 unsigned certificate_index
= 0;
11080 uint32_t next_offset
, certificate_list_length
, cert_length
;
11081 proto_tree
*subtree
= tree
;
11083 asn1_ctx_init(&asn1_ctx
, ASN1_ENC_BER
, true, pinfo
);
11085 if ((is_from_server
&& session
->server_cert_type
== SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY
) ||
11086 (!is_from_server
&& session
->client_cert_type
== SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY
)) {
11087 cert_type
= CERT_RPK
;
11089 cert_type
= CERT_X509
;
11092 #if defined(HAVE_LIBGNUTLS)
11093 /* Ask the pkcs1 dissector to return the public key details */
11095 asn1_ctx
.private_data
= &subjectPublicKeyInfo
;
11098 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
11099 if (session
->version
== TLSV1DOT3_VERSION
|| session
->version
== DTLSV1DOT3_VERSION
) {
11100 uint32_t context_length
;
11101 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &context_length
,
11102 hf
->hf
.hs_certificate_request_context_length
, 0, UINT8_MAX
)) {
11106 if (context_length
> 0) {
11107 proto_tree_add_item(tree
, hf
->hf
.hs_certificate_request_context
,
11108 tvb
, offset
, context_length
, ENC_NA
);
11109 offset
+= context_length
;
11113 if ((session
->version
!= TLSV1DOT3_VERSION
&& session
->version
!= DTLSV1DOT3_VERSION
) && cert_type
== CERT_RPK
) {
11114 /* For RPK before TLS 1.3, the single RPK is stored directly without
11115 * another "certificate_list" field. */
11116 certificate_list_length
= offset_end
- offset
;
11117 next_offset
= offset_end
;
11119 /* CertificateEntry certificate_list<0..2^24-1> */
11120 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &certificate_list_length
,
11121 hf
->hf
.hs_certificates_len
, 0, G_MAXUINT24
)) {
11124 offset
+= 3; /* 24-bit length value */
11125 next_offset
= offset
+ certificate_list_length
;
11128 /* RawPublicKey must have one cert, but X.509 can have multiple. */
11129 if (certificate_list_length
> 0 && cert_type
== CERT_X509
) {
11132 ti
= proto_tree_add_none_format(tree
,
11133 hf
->hf
.hs_certificates
,
11134 tvb
, offset
, certificate_list_length
,
11135 "Certificates (%u bytes)",
11136 certificate_list_length
);
11138 /* make it a subtree */
11139 subtree
= proto_item_add_subtree(ti
, hf
->ett
.certificates
);
11142 while (offset
< next_offset
) {
11143 switch (cert_type
) {
11145 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
11146 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
11147 if (!ssl_add_vector(hf
, tvb
, pinfo
, subtree
, offset
, next_offset
, &cert_length
,
11148 hf
->hf
.hs_certificate_len
, 1, G_MAXUINT24
)) {
11153 dissect_x509af_SubjectPublicKeyInfo(false, tvb
, offset
, &asn1_ctx
, subtree
, hf
->hf
.hs_certificate
);
11154 offset
+= cert_length
;
11157 /* opaque ASN1Cert<1..2^24-1> */
11158 if (!ssl_add_vector(hf
, tvb
, pinfo
, subtree
, offset
, next_offset
, &cert_length
,
11159 hf
->hf
.hs_certificate_len
, 1, G_MAXUINT24
)) {
11164 dissect_x509af_Certificate(false, tvb
, offset
, &asn1_ctx
, subtree
, hf
->hf
.hs_certificate
);
11165 #if defined(HAVE_LIBGNUTLS)
11166 if (is_from_server
&& ssl
&& certificate_index
== 0) {
11167 ssl_find_private_key_by_pubkey(ssl
, &subjectPublicKeyInfo
);
11168 /* Only attempt to get the RSA modulus for the first cert. */
11169 asn1_ctx
.private_data
= NULL
;
11172 offset
+= cert_length
;
11176 /* TLS 1.3: Extension extensions<0..2^16-1> */
11177 if ((session
->version
== TLSV1DOT3_VERSION
|| session
->version
== DTLSV1DOT3_VERSION
)) {
11178 offset
= ssl_dissect_hnd_extension(hf
, tvb
, subtree
, pinfo
, offset
,
11179 next_offset
, SSL_HND_CERTIFICATE
,
11180 session
, ssl
, is_dtls
, NULL
, NULL
, NULL
, 0, 0);
11183 #if defined(HAVE_LIBGNUTLS)
11184 certificate_index
++;
11190 ssl_dissect_hnd_cert_req(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
11191 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
11192 SslSession
*session
, bool is_dtls
)
11194 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
11196 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11198 * } ClientCertificateType;
11200 * opaque DistinguishedName<1..2^16-1>;
11203 * ClientCertificateType certificate_types<1..2^8-1>;
11204 * DistinguishedName certificate_authorities<3..2^16-1>;
11205 * } CertificateRequest;
11208 * As per TLSv1.2 (RFC 5246) the format has changed to:
11211 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11212 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
11213 * fortezza_dms_RESERVED(20), (255)
11214 * } ClientCertificateType;
11217 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
11221 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
11222 * SignatureAlgorithm;
11225 * HashAlgorithm hash;
11226 * SignatureAlgorithm signature;
11227 * } SignatureAndHashAlgorithm;
11229 * SignatureAndHashAlgorithm
11230 * supported_signature_algorithms<2..2^16-2>;
11232 * opaque DistinguishedName<1..2^16-1>;
11235 * ClientCertificateType certificate_types<1..2^8-1>;
11236 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
11237 * DistinguishedName certificate_authorities<0..2^16-1>;
11238 * } CertificateRequest;
11240 * draft-ietf-tls-tls13-18:
11242 * opaque certificate_request_context<0..2^8-1>;
11244 * supported_signature_algorithms<2..2^16-2>;
11245 * DistinguishedName certificate_authorities<0..2^16-1>;
11246 * CertificateExtension certificate_extensions<0..2^16-1>;
11247 * } CertificateRequest;
11249 * RFC 8446 (since draft-ietf-tls-tls13-19):
11252 * opaque certificate_request_context<0..2^8-1>;
11253 * Extension extensions<2..2^16-1>;
11254 * } CertificateRequest;
11257 proto_tree
*subtree
;
11258 uint32_t next_offset
;
11259 asn1_ctx_t asn1_ctx
;
11260 bool is_tls13
= (session
->version
== TLSV1DOT3_VERSION
|| session
->version
== DTLSV1DOT3_VERSION
);
11261 unsigned char draft_version
= session
->tls13_draft_version
;
11266 asn1_ctx_init(&asn1_ctx
, ASN1_ENC_BER
, true, pinfo
);
11269 uint32_t context_length
;
11270 /* opaque certificate_request_context<0..2^8-1> */
11271 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &context_length
,
11272 hf
->hf
.hs_certificate_request_context_length
, 0, UINT8_MAX
)) {
11276 if (context_length
> 0) {
11277 proto_tree_add_item(tree
, hf
->hf
.hs_certificate_request_context
,
11278 tvb
, offset
, context_length
, ENC_NA
);
11279 offset
+= context_length
;
11282 uint32_t cert_types_count
;
11283 /* ClientCertificateType certificate_types<1..2^8-1> */
11284 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &cert_types_count
,
11285 hf
->hf
.hs_cert_types_count
, 1, UINT8_MAX
)) {
11289 next_offset
= offset
+ cert_types_count
;
11291 ti
= proto_tree_add_none_format(tree
,
11292 hf
->hf
.hs_cert_types
,
11293 tvb
, offset
, cert_types_count
,
11294 "Certificate types (%u type%s)",
11296 plurality(cert_types_count
, "", "s"));
11297 subtree
= proto_item_add_subtree(ti
, hf
->ett
.cert_types
);
11299 while (offset
< next_offset
) {
11300 proto_tree_add_item(subtree
, hf
->hf
.hs_cert_type
, tvb
, offset
, 1, ENC_BIG_ENDIAN
);
11305 if (session
->version
== TLSV1DOT2_VERSION
|| session
->version
== DTLSV1DOT2_VERSION
||
11306 (is_tls13
&& (draft_version
> 0 && draft_version
< 19))) {
11307 offset
= ssl_dissect_hash_alg_list(hf
, tvb
, tree
, pinfo
, offset
, offset_end
, NULL
);
11310 if (is_tls13
&& (draft_version
== 0 || draft_version
>= 19)) {
11312 * TLS 1.3 draft 19 and newer: Extensions.
11313 * SslDecryptSession pointer is NULL because Certificate Extensions
11314 * should not influence decryption state.
11316 ssl_dissect_hnd_extension(hf
, tvb
, tree
, pinfo
, offset
,
11317 offset_end
, SSL_HND_CERT_REQUEST
,
11318 session
, NULL
, is_dtls
, NULL
, NULL
, NULL
, 0, 0);
11319 } else if (is_tls13
&& draft_version
<= 18) {
11321 * TLS 1.3 draft 18 and older: certificate_authorities and
11322 * certificate_extensions (a vector of OID mappings).
11324 offset
= tls_dissect_certificate_authorities(hf
, tvb
, pinfo
, tree
, offset
, offset_end
);
11325 ssl_dissect_hnd_hello_ext_oid_filters(hf
, tvb
, pinfo
, tree
, offset
, offset_end
);
11327 /* for TLS 1.2 and older, the certificate_authorities field. */
11328 tls_dissect_certificate_authorities(hf
, tvb
, pinfo
, tree
, offset
, offset_end
);
11331 /* Certificate and Certificate Request dissections. }}} */
11334 ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
11335 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
, uint16_t version
)
11337 ssl_dissect_digitally_signed(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, version
,
11338 hf
->hf
.hs_client_cert_vrfy_sig_len
,
11339 hf
->hf
.hs_client_cert_vrfy_sig
);
11342 /* Finished dissection. {{{ */
11344 ssl_dissect_hnd_finished(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
11345 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
11346 const SslSession
*session
, ssl_hfs_t
*ssl_hfs
)
11350 * opaque md5_hash[16];
11351 * opaque sha_hash[20];
11356 * opaque verify_data[12];
11361 * opaque verify_data[Hash.length];
11367 if (session
->version
== SSLV3_VERSION
) {
11368 if (ssl_hfs
!= NULL
) {
11369 proto_tree_add_item(tree
, ssl_hfs
->hs_md5_hash
,
11370 tvb
, offset
, 16, ENC_NA
);
11371 proto_tree_add_item(tree
, ssl_hfs
->hs_sha_hash
,
11372 tvb
, offset
+ 16, 20, ENC_NA
);
11375 /* Length should be 12 for TLS before 1.3, assume this is the case. */
11376 proto_tree_add_item(tree
, hf
->hf
.hs_finished
,
11377 tvb
, offset
, offset_end
- offset
, ENC_NA
);
11381 /* RFC 6066 Certificate URL handshake message dissection. {{{ */
11383 ssl_dissect_hnd_cert_url(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, proto_tree
*tree
, uint32_t offset
)
11385 uint16_t url_hash_len
;
11388 * individual_certs(0), pkipath(1), (255)
11392 * CertChainType type;
11393 * URLAndHash url_and_hash_list<1..2^16-1>;
11394 * } CertificateURL;
11397 * opaque url<1..2^16-1>;
11399 * opaque SHA1Hash[20];
11403 proto_tree_add_item(tree
, hf
->hf
.hs_ext_cert_url_type
,
11404 tvb
, offset
, 1, ENC_NA
);
11407 url_hash_len
= tvb_get_ntohs(tvb
, offset
);
11408 proto_tree_add_item(tree
, hf
->hf
.hs_ext_cert_url_url_hash_list_len
,
11409 tvb
, offset
, 2, ENC_BIG_ENDIAN
);
11411 while (url_hash_len
-- > 0) {
11412 proto_item
*urlhash_item
;
11413 proto_tree
*urlhash_tree
;
11416 urlhash_item
= proto_tree_add_item(tree
, hf
->hf
.hs_ext_cert_url_item
,
11417 tvb
, offset
, -1, ENC_NA
);
11418 urlhash_tree
= proto_item_add_subtree(urlhash_item
, hf
->ett
.urlhash
);
11420 url_len
= tvb_get_ntohs(tvb
, offset
);
11421 proto_tree_add_item(urlhash_tree
, hf
->hf
.hs_ext_cert_url_url_len
,
11422 tvb
, offset
, 2, ENC_BIG_ENDIAN
);
11425 proto_tree_add_item(urlhash_tree
, hf
->hf
.hs_ext_cert_url_url
,
11426 tvb
, offset
, url_len
, ENC_ASCII
|ENC_NA
);
11429 proto_tree_add_item(urlhash_tree
, hf
->hf
.hs_ext_cert_url_padding
,
11430 tvb
, offset
, 1, ENC_NA
);
11432 /* Note: RFC 6066 says that padding must be 0x01 */
11434 proto_tree_add_item(urlhash_tree
, hf
->hf
.hs_ext_cert_url_sha1
,
11435 tvb
, offset
, 20, ENC_NA
);
11441 ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, proto_tree
*tree
,
11442 uint32_t offset
, uint32_t offset_end
, packet_info
*pinfo
,
11443 SslSession
*session
, SslDecryptSession
*ssl
,
11444 bool is_from_server
, bool is_dtls
)
11446 uint32_t algorithm
, uncompressed_length
;
11447 uint32_t compressed_certificate_message_length
;
11448 tvbuff_t
*uncompressed_tvb
= NULL
;
11456 * } CertificateCompressionAlgorithm;
11459 * CertificateCompressionAlgorithm algorithm;
11460 * uint24 uncompressed_length;
11461 * opaque compressed_certificate_message<1..2^24-1>;
11462 * } CompressedCertificate;
11465 proto_tree_add_item_ret_uint(tree
, hf
->hf
.hs_ext_compress_certificate_algorithm
,
11466 tvb
, offset
, 2, ENC_BIG_ENDIAN
, &algorithm
);
11469 proto_tree_add_item_ret_uint(tree
, hf
->hf
.hs_ext_compress_certificate_uncompressed_length
,
11470 tvb
, offset
, 3, ENC_BIG_ENDIAN
, &uncompressed_length
);
11473 /* opaque compressed_certificate_message<1..2^24-1>; */
11474 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &compressed_certificate_message_length
,
11475 hf
->hf
.hs_ext_compress_certificate_compressed_certificate_message_length
, 1, G_MAXUINT24
)) {
11480 ti
= proto_tree_add_item(tree
, hf
->hf
.hs_ext_compress_certificate_compressed_certificate_message
,
11481 tvb
, offset
, compressed_certificate_message_length
, ENC_NA
);
11483 /* Certificate decompression following algorithm */
11484 switch (algorithm
) {
11486 uncompressed_tvb
= tvb_child_uncompress_zlib(tvb
, tvb
, offset
, compressed_certificate_message_length
);
11488 case 2: /* brotli */
11489 uncompressed_tvb
= tvb_child_uncompress_brotli(tvb
, tvb
, offset
, compressed_certificate_message_length
);
11492 uncompressed_tvb
= tvb_child_uncompress_zstd(tvb
, tvb
, offset
, compressed_certificate_message_length
);
11496 if (uncompressed_tvb
) {
11497 proto_tree
*uncompressed_tree
;
11499 if (uncompressed_length
!= tvb_captured_length(uncompressed_tvb
)) {
11500 proto_tree_add_expert_format(tree
, pinfo
, &hf
->ei
.decompression_error
,
11501 tvb
, offset
, offset_end
- offset
,
11502 "Invalid uncompressed length %u (expected %u)",
11503 tvb_captured_length(uncompressed_tvb
),
11504 uncompressed_length
);
11506 uncompressed_tree
= proto_item_add_subtree(ti
, hf
->ett
.uncompressed_certificates
);
11507 ssl_dissect_hnd_cert(hf
, uncompressed_tvb
, uncompressed_tree
,
11508 0, uncompressed_length
, pinfo
, session
, ssl
, is_from_server
, is_dtls
);
11509 add_new_data_source(pinfo
, uncompressed_tvb
, "Uncompressed certificate(s)");
11514 /* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
11516 // NOLINTNEXTLINE(misc-no-recursion)
11517 ssl_dissect_hnd_extension(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, proto_tree
*tree
,
11518 packet_info
* pinfo
, uint32_t offset
, uint32_t offset_end
, uint8_t hnd_type
,
11519 SslSession
*session
, SslDecryptSession
*ssl
,
11520 bool is_dtls
, wmem_strbuf_t
*ja3
, ja4_data_t
*ja4_data
,
11521 ssl_master_key_map_t
*mk_map
, uint32_t initial_offset
, uint32_t hello_length
)
11526 uint32_t next_offset
;
11527 proto_tree
*ext_tree
;
11528 bool is_tls13
= session
->version
== TLSV1DOT3_VERSION
;
11529 wmem_strbuf_t
*ja3_sg
= wmem_strbuf_new(pinfo
->pool
, "");
11530 wmem_strbuf_t
*ja3_ecpf
= wmem_strbuf_new(pinfo
->pool
, "");
11531 char *ja3_dash
= "";
11532 unsigned supported_version
;
11534 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
11535 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &exts_len
,
11536 hf
->hf
.hs_exts_len
, 0, UINT16_MAX
)) {
11540 offset_end
= offset
+ exts_len
;
11543 ja4_data
->num_extensions
= 0;
11545 while (offset_end
- offset
>= 4)
11547 ext_type
= tvb_get_ntohs(tvb
, offset
);
11548 ext_len
= tvb_get_ntohs(tvb
, offset
+ 2);
11550 if (ja4_data
&& !IS_GREASE_TLS(ext_type
)) {
11551 ja4_data
->num_extensions
+= 1;
11552 if (ext_type
!= SSL_HND_HELLO_EXT_SERVER_NAME
&&
11553 ext_type
!= SSL_HND_HELLO_EXT_ALPN
) {
11554 wmem_list_insert_sorted(ja4_data
->extension_list
, GUINT_TO_POINTER(ext_type
), wmem_compare_uint
);
11558 ext_tree
= proto_tree_add_subtree_format(tree
, tvb
, offset
, 4 + ext_len
, hf
->ett
.hs_ext
, NULL
,
11559 "Extension: %s (len=%u)", val_to_str(ext_type
,
11560 tls_hello_extension_types
,
11561 "Unknown type %u"), ext_len
);
11563 proto_tree_add_uint(ext_tree
, hf
->hf
.hs_ext_type
,
11564 tvb
, offset
, 2, ext_type
);
11566 if (ja3
&& !IS_GREASE_TLS(ext_type
)) {
11567 wmem_strbuf_append_printf(ja3
, "%s%i",ja3_dash
, ext_type
);
11571 /* opaque extension_data<0..2^16-1> */
11572 if (!ssl_add_vector(hf
, tvb
, pinfo
, ext_tree
, offset
, offset_end
, &ext_len
,
11573 hf
->hf
.hs_ext_len
, 0, UINT16_MAX
)) {
11577 next_offset
= offset
+ ext_len
;
11579 switch (ext_type
) {
11580 case SSL_HND_HELLO_EXT_SERVER_NAME
:
11581 if (hnd_type
== SSL_HND_CLIENT_HELLO
) {
11582 offset
= ssl_dissect_hnd_hello_ext_server_name(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
);
11584 ja4_data
->server_name_present
= true;
11588 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH
:
11589 proto_tree_add_item(ext_tree
, hf
->hf
.hs_ext_max_fragment_length
, tvb
, offset
, 1, ENC_NA
);
11592 case SSL_HND_HELLO_EXT_STATUS_REQUEST
:
11593 if (hnd_type
== SSL_HND_CLIENT_HELLO
) {
11594 offset
= ssl_dissect_hnd_hello_ext_status_request(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
, false);
11595 } else if (is_tls13
&& hnd_type
== SSL_HND_CERTIFICATE
) {
11596 offset
= tls_dissect_hnd_certificate_status(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
);
11599 case SSL_HND_HELLO_EXT_CERT_TYPE
:
11600 offset
= ssl_dissect_hnd_hello_ext_cert_type(hf
, tvb
, ext_tree
,
11601 offset
, next_offset
,
11602 hnd_type
, ext_type
,
11605 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS
:
11606 if (hnd_type
== SSL_HND_CLIENT_HELLO
) {
11607 offset
= ssl_dissect_hnd_hello_ext_supported_groups(hf
, tvb
, pinfo
, ext_tree
, offset
,
11608 next_offset
, ja3_sg
);
11610 offset
= ssl_dissect_hnd_hello_ext_supported_groups(hf
, tvb
, pinfo
, ext_tree
, offset
,
11611 next_offset
, NULL
);
11614 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS
:
11615 if (hnd_type
== SSL_HND_CLIENT_HELLO
) {
11616 offset
= ssl_dissect_hnd_hello_ext_ec_point_formats(hf
, tvb
, ext_tree
, offset
, ja3_ecpf
);
11618 offset
= ssl_dissect_hnd_hello_ext_ec_point_formats(hf
, tvb
, ext_tree
, offset
, NULL
);
11622 case SSL_HND_HELLO_EXT_SRP
:
11623 offset
= ssl_dissect_hnd_hello_ext_srp(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
);
11625 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS
:
11626 offset
= ssl_dissect_hnd_hello_ext_sig_hash_algs(hf
, tvb
, ext_tree
, pinfo
, offset
, next_offset
, ja4_data
);
11628 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT
: /* since TLS 1.3 draft -23 */
11629 offset
= ssl_dissect_hnd_hello_ext_sig_hash_algs(hf
, tvb
, ext_tree
, pinfo
, offset
, next_offset
, NULL
);
11631 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS
:
11632 offset
= ssl_dissect_hnd_ext_delegated_credentials(hf
, tvb
, ext_tree
, pinfo
, offset
, next_offset
, hnd_type
);
11634 case SSL_HND_HELLO_EXT_USE_SRTP
:
11636 if (hnd_type
== SSL_HND_CLIENT_HELLO
) {
11637 offset
= dtls_dissect_hnd_hello_ext_use_srtp(pinfo
, tvb
, ext_tree
, offset
, next_offset
, false);
11638 } else if (hnd_type
== SSL_HND_SERVER_HELLO
) {
11639 offset
= dtls_dissect_hnd_hello_ext_use_srtp(pinfo
, tvb
, ext_tree
, offset
, next_offset
, true);
11642 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
11645 case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS
:
11646 offset
= ssl_dissect_hnd_ech_outer_ext(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
);
11648 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO
:
11649 offset
= ssl_dissect_hnd_hello_ext_ech(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
, hnd_type
, session
, ssl
, mk_map
, initial_offset
, hello_length
);
11651 case SSL_HND_HELLO_EXT_HEARTBEAT
:
11652 proto_tree_add_item(ext_tree
, hf
->hf
.hs_ext_heartbeat_mode
,
11653 tvb
, offset
, 1, ENC_BIG_ENDIAN
);
11656 case SSL_HND_HELLO_EXT_ALPN
:
11657 offset
= ssl_dissect_hnd_hello_ext_alpn(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
, hnd_type
, session
, is_dtls
, ja4_data
);
11659 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V2
:
11660 if (hnd_type
== SSL_HND_CLIENT_HELLO
)
11661 offset
= ssl_dissect_hnd_hello_ext_status_request_v2(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
);
11663 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP
:
11664 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
11665 if (hnd_type
== SSL_HND_SERVER_HELLO
|| hnd_type
== SSL_HND_ENCRYPTED_EXTENSIONS
|| hnd_type
== SSL_HND_CERTIFICATE
)
11666 offset
= tls_dissect_sct_list(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
, session
->version
);
11668 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE
:
11669 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE
:
11670 offset
= ssl_dissect_hnd_hello_ext_cert_type(hf
, tvb
, ext_tree
,
11671 offset
, next_offset
,
11672 hnd_type
, ext_type
,
11675 case SSL_HND_HELLO_EXT_PADDING
:
11676 proto_tree_add_item(ext_tree
, hf
->hf
.hs_ext_padding_data
, tvb
, offset
, ext_len
, ENC_NA
);
11679 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC
:
11680 if (ssl
&& hnd_type
== SSL_HND_SERVER_HELLO
) {
11681 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC
);
11682 ssl
->state
|= SSL_ENCRYPT_THEN_MAC
;
11685 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET
:
11687 switch (hnd_type
) {
11688 case SSL_HND_CLIENT_HELLO
:
11689 ssl
->state
|= SSL_CLIENT_EXTENDED_MASTER_SECRET
;
11691 case SSL_HND_SERVER_HELLO
:
11692 ssl
->state
|= SSL_SERVER_EXTENDED_MASTER_SECRET
;
11694 default: /* no default */
11699 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE
:
11700 offset
= ssl_dissect_hnd_hello_ext_compress_certificate(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
, hnd_type
, ssl
);
11702 case SSL_HND_HELLO_EXT_TOKEN_BINDING
:
11703 offset
= ssl_dissect_hnd_hello_ext_token_binding(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
, hnd_type
, ssl
);
11705 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT
:
11706 proto_tree_add_item(ext_tree
, hf
->hf
.hs_ext_record_size_limit
,
11707 tvb
, offset
, 2, ENC_BIG_ENDIAN
);
11710 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS
:
11711 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V1
:
11712 offset
= ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
, hnd_type
, ssl
);
11714 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS
:
11715 offset
= ssl_dissect_hnd_hello_ext_session_ticket(hf
, tvb
, ext_tree
, offset
, next_offset
, hnd_type
, ssl
);
11717 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD
: /* used before TLS 1.3 draft -23 */
11718 case SSL_HND_HELLO_EXT_KEY_SHARE
:
11719 offset
= ssl_dissect_hnd_hello_ext_key_share(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
, hnd_type
);
11721 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY
:
11722 offset
= ssl_dissect_hnd_hello_ext_pre_shared_key(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
, hnd_type
);
11724 case SSL_HND_HELLO_EXT_EARLY_DATA
:
11725 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO
:
11726 offset
= ssl_dissect_hnd_hello_ext_early_data(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
, hnd_type
, ssl
);
11728 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS
:
11729 switch (hnd_type
) {
11730 case SSL_HND_CLIENT_HELLO
:
11731 offset
= ssl_dissect_hnd_hello_ext_supported_versions(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
, session
, is_dtls
, ja4_data
);
11733 case SSL_HND_SERVER_HELLO
:
11734 case SSL_HND_HELLO_RETRY_REQUEST
:
11735 proto_tree_add_item_ret_uint(ext_tree
, hf
->hf
.hs_ext_supported_version
, tvb
, offset
, 2, ENC_BIG_ENDIAN
, &supported_version
);
11737 proto_item_append_text(ext_tree
, " %s", val_to_str(supported_version
, ssl_versions
, "Unknown (0x%04x)"));
11741 case SSL_HND_HELLO_EXT_COOKIE
:
11742 offset
= ssl_dissect_hnd_hello_ext_cookie(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
);
11744 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES
:
11745 offset
= ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
);
11747 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES
:
11748 offset
= ssl_dissect_hnd_hello_ext_certificate_authorities(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
);
11750 case SSL_HND_HELLO_EXT_OID_FILTERS
:
11751 offset
= ssl_dissect_hnd_hello_ext_oid_filters(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
);
11753 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH
:
11755 case SSL_HND_HELLO_EXT_NPN
:
11756 offset
= ssl_dissect_hnd_hello_ext_npn(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
);
11758 case SSL_HND_HELLO_EXT_ALPS
:
11759 offset
= ssl_dissect_hnd_hello_ext_alps(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
, hnd_type
);
11761 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO
:
11762 offset
= ssl_dissect_hnd_hello_ext_reneg_info(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
);
11764 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME
:
11765 offset
= ssl_dissect_hnd_hello_ext_esni(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
, hnd_type
, ssl
);
11767 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED
:
11768 session
->deprecated_cid
= true;
11770 case SSL_HND_HELLO_EXT_CONNECTION_ID
:
11771 offset
= ssl_dissect_hnd_hello_ext_connection_id(hf
, tvb
, pinfo
, ext_tree
, offset
, hnd_type
, session
, ssl
);
11773 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS
:
11774 offset
= ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
);
11777 proto_tree_add_item(ext_tree
, hf
->hf
.hs_ext_data
,
11778 tvb
, offset
, ext_len
, ENC_NA
);
11783 if (!ssl_end_vector(hf
, tvb
, pinfo
, ext_tree
, offset
, next_offset
)) {
11784 /* Dissection did not end at expected location, fix it. */
11785 offset
= next_offset
;
11790 if (hnd_type
== SSL_HND_CLIENT_HELLO
) {
11791 if(wmem_strbuf_get_len(ja3_sg
) > 0) {
11792 wmem_strbuf_append_printf(ja3
, "%s", wmem_strbuf_get_str(ja3_sg
));
11794 wmem_strbuf_append_c(ja3
, ',');
11796 if(wmem_strbuf_get_len(ja3_ecpf
) > 0) {
11797 wmem_strbuf_append_printf(ja3
, "%s", wmem_strbuf_get_str(ja3_ecpf
));
11799 wmem_strbuf_append_c(ja3
, ',');
11804 /* Check if Extensions vector is correctly terminated. */
11805 if (!ssl_end_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
)) {
11806 offset
= offset_end
;
11813 /* ClientKeyExchange algo-specific dissectors. {{{ */
11816 dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
11817 proto_tree
*tree
, uint32_t offset
,
11821 proto_tree
*ssl_ecdh_tree
;
11823 ssl_ecdh_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, length
,
11824 hf
->ett
.keyex_params
, NULL
, "EC Diffie-Hellman Client Params");
11827 point_len
= tvb_get_uint8(tvb
, offset
);
11828 proto_tree_add_item(ssl_ecdh_tree
, hf
->hf
.hs_client_keyex_point_len
, tvb
,
11829 offset
, 1, ENC_BIG_ENDIAN
);
11830 proto_tree_add_item(ssl_ecdh_tree
, hf
->hf
.hs_client_keyex_point
, tvb
,
11831 offset
+ 1, point_len
, ENC_NA
);
11835 dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
11836 proto_tree
*tree
, uint32_t offset
, uint32_t length
)
11839 proto_tree
*ssl_dh_tree
;
11841 ssl_dh_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, length
,
11842 hf
->ett
.keyex_params
, NULL
, "Diffie-Hellman Client Params");
11844 /* ClientDiffieHellmanPublic.dh_public (explicit) */
11845 yc_len
= tvb_get_ntohs(tvb
, offset
);
11846 proto_tree_add_item(ssl_dh_tree
, hf
->hf
.hs_client_keyex_yc_len
, tvb
,
11847 offset
, 2, ENC_BIG_ENDIAN
);
11848 proto_tree_add_item(ssl_dh_tree
, hf
->hf
.hs_client_keyex_yc
, tvb
,
11849 offset
+ 2, yc_len
, ENC_NA
);
11853 dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
11854 proto_tree
*tree
, uint32_t offset
,
11855 uint32_t length
, const SslSession
*session
)
11858 proto_tree
*ssl_rsa_tree
;
11860 ssl_rsa_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, length
,
11861 hf
->ett
.keyex_params
, NULL
, "RSA Encrypted PreMaster Secret");
11863 /* EncryptedPreMasterSecret.pre_master_secret */
11864 switch (session
->version
) {
11865 case SSLV2_VERSION
:
11866 case SSLV3_VERSION
:
11867 case DTLSV1DOT0_OPENSSL_VERSION
:
11868 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
11869 * not present. The handshake contents represents the EPMS, see:
11870 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
11875 /* TLS and DTLS include vector length before EPMS */
11876 epms_len
= tvb_get_ntohs(tvb
, offset
);
11877 proto_tree_add_item(ssl_rsa_tree
, hf
->hf
.hs_client_keyex_epms_len
, tvb
,
11878 offset
, 2, ENC_BIG_ENDIAN
);
11882 proto_tree_add_item(ssl_rsa_tree
, hf
->hf
.hs_client_keyex_epms
, tvb
,
11883 offset
, epms_len
, ENC_NA
);
11886 /* Used in PSK cipher suites */
11888 dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
11889 proto_tree
*tree
, uint32_t offset
)
11891 unsigned identity_len
;
11892 proto_tree
*ssl_psk_tree
;
11894 ssl_psk_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, -1,
11895 hf
->ett
.keyex_params
, NULL
, "PSK Client Params");
11897 identity_len
= tvb_get_ntohs(tvb
, offset
);
11898 proto_tree_add_item(ssl_psk_tree
, hf
->hf
.hs_client_keyex_identity_len
, tvb
,
11899 offset
, 2, ENC_BIG_ENDIAN
);
11900 proto_tree_add_item(ssl_psk_tree
, hf
->hf
.hs_client_keyex_identity
, tvb
,
11901 offset
+ 2, identity_len
, ENC_NA
);
11903 proto_item_set_len(ssl_psk_tree
, 2 + identity_len
);
11904 return 2 + identity_len
;
11907 /* Used in RSA PSK cipher suites */
11909 dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
11910 proto_tree
*tree
, uint32_t offset
,
11913 int identity_len
, epms_len
;
11914 proto_tree
*ssl_psk_tree
;
11916 ssl_psk_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, length
,
11917 hf
->ett
.keyex_params
, NULL
, "RSA PSK Client Params");
11920 identity_len
= tvb_get_ntohs(tvb
, offset
);
11921 proto_tree_add_item(ssl_psk_tree
, hf
->hf
.hs_client_keyex_identity_len
,
11922 tvb
, offset
, 2, ENC_BIG_ENDIAN
);
11923 proto_tree_add_item(ssl_psk_tree
, hf
->hf
.hs_client_keyex_identity
,
11924 tvb
, offset
+ 2, identity_len
, ENC_NA
);
11925 offset
+= 2 + identity_len
;
11928 epms_len
= tvb_get_ntohs(tvb
, offset
);
11929 proto_tree_add_item(ssl_psk_tree
, hf
->hf
.hs_client_keyex_epms_len
, tvb
,
11930 offset
, 2, ENC_BIG_ENDIAN
);
11931 proto_tree_add_item(ssl_psk_tree
, hf
->hf
.hs_client_keyex_epms
, tvb
,
11932 offset
+ 2, epms_len
, ENC_NA
);
11935 /* Used in Diffie-Hellman PSK cipher suites */
11937 dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
11938 proto_tree
*tree
, uint32_t offset
, uint32_t length
)
11942 * select (KeyExchangeAlgorithm) {
11943 * case diffie_hellman_psk:
11944 * opaque psk_identity<0..2^16-1>;
11945 * ClientDiffieHellmanPublic public;
11947 * } ClientKeyExchange;
11950 uint32_t psk_len
= dissect_ssl3_hnd_cli_keyex_psk(hf
, tvb
, tree
, offset
);
11951 dissect_ssl3_hnd_cli_keyex_dhe(hf
, tvb
, tree
, offset
+ psk_len
, length
- psk_len
);
11954 /* Used in EC Diffie-Hellman PSK cipher suites */
11956 dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
11957 proto_tree
*tree
, uint32_t offset
, uint32_t length
)
11961 * select (KeyExchangeAlgorithm) {
11962 * case ec_diffie_hellman_psk:
11963 * opaque psk_identity<0..2^16-1>;
11964 * ClientECDiffieHellmanPublic public;
11966 * } ClientKeyExchange;
11969 uint32_t psk_len
= dissect_ssl3_hnd_cli_keyex_psk(hf
, tvb
, tree
, offset
);
11970 dissect_ssl3_hnd_cli_keyex_ecdh(hf
, tvb
, tree
, offset
+ psk_len
, length
- psk_len
);
11973 /* Used in EC J-PAKE cipher suites */
11975 dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
11976 proto_tree
*tree
, uint32_t offset
,
11982 * opaque r<1..2^8-1>;
11987 * ECSchnorrZKP zkp;
11991 * ECJPAKEKeyKP ecjpake_key_kp;
11992 * } ClientECJPAKEParams;
11994 * select (KeyExchangeAlgorithm) {
11996 * ClientECJPAKEParams params;
11997 * } ClientKeyExchange;
12001 proto_tree
*ssl_ecjpake_tree
;
12003 ssl_ecjpake_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, length
,
12004 hf
->ett
.keyex_params
, NULL
,
12005 "EC J-PAKE Client Params");
12007 /* ECJPAKEKeyKP.X */
12008 point_len
= tvb_get_uint8(tvb
, offset
);
12009 proto_tree_add_item(ssl_ecjpake_tree
, hf
->hf
.hs_client_keyex_xc_len
, tvb
,
12010 offset
, 1, ENC_BIG_ENDIAN
);
12011 proto_tree_add_item(ssl_ecjpake_tree
, hf
->hf
.hs_client_keyex_xc
, tvb
,
12012 offset
+ 1, point_len
, ENC_NA
);
12013 offset
+= 1 + point_len
;
12015 /* ECJPAKEKeyKP.zkp.V */
12016 point_len
= tvb_get_uint8(tvb
, offset
);
12017 proto_tree_add_item(ssl_ecjpake_tree
, hf
->hf
.hs_client_keyex_vc_len
, tvb
,
12018 offset
, 1, ENC_BIG_ENDIAN
);
12019 proto_tree_add_item(ssl_ecjpake_tree
, hf
->hf
.hs_client_keyex_vc
, tvb
,
12020 offset
+ 1, point_len
, ENC_NA
);
12021 offset
+= 1 + point_len
;
12023 /* ECJPAKEKeyKP.zkp.r */
12024 point_len
= tvb_get_uint8(tvb
, offset
);
12025 proto_tree_add_item(ssl_ecjpake_tree
, hf
->hf
.hs_client_keyex_rc_len
, tvb
,
12026 offset
, 1, ENC_BIG_ENDIAN
);
12027 proto_tree_add_item(ssl_ecjpake_tree
, hf
->hf
.hs_client_keyex_rc
, tvb
,
12028 offset
+ 1, point_len
, ENC_NA
);
12032 dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
12033 proto_tree
*tree
, uint32_t offset
,
12037 proto_tree
*ssl_ecc_sm2_tree
;
12039 ssl_ecc_sm2_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, length
,
12040 hf
->ett
.keyex_params
, NULL
,
12041 "ECC-SM2 Encrypted PreMaster Secret");
12043 epms_len
= tvb_get_ntohs(tvb
, offset
);
12044 proto_tree_add_item(ssl_ecc_sm2_tree
, hf
->hf
.hs_client_keyex_epms_len
, tvb
,
12045 offset
, 2, ENC_BIG_ENDIAN
);
12047 proto_tree_add_item(ssl_ecc_sm2_tree
, hf
->hf
.hs_client_keyex_epms
, tvb
,
12048 offset
, epms_len
, ENC_NA
);
12050 /* ClientKeyExchange algo-specific dissectors. }}} */
12053 /* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
12055 ssl_dissect_digitally_signed(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
12056 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
12057 uint16_t version
, int hf_sig_len
, int hf_sig
)
12062 case TLSV1DOT2_VERSION
:
12063 case DTLSV1DOT2_VERSION
:
12064 case TLSV1DOT3_VERSION
:
12065 case DTLSV1DOT3_VERSION
:
12066 tls_dissect_signature_algorithm(hf
, tvb
, tree
, offset
, NULL
);
12075 if (!ssl_add_vector(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, &sig_len
,
12076 hf_sig_len
, 0, UINT16_MAX
)) {
12080 proto_tree_add_item(tree
, hf_sig
, tvb
, offset
, sig_len
, ENC_NA
);
12085 /* ServerKeyExchange algo-specific dissectors. {{{ */
12087 /* dissects signed_params inside a ServerKeyExchange for some keyex algos */
12089 dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
12090 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
12094 * TLSv1.2 (RFC 5246 sec 7.4.8)
12096 * digitally-signed struct {
12097 * opaque handshake_messages[handshake_messages_length];
12099 * } CertificateVerify;
12101 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
12102 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
12104 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
12105 * does more hashing including the master secret and padding.
12107 ssl_dissect_digitally_signed(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, version
,
12108 hf
->hf
.hs_server_keyex_sig_len
,
12109 hf
->hf
.hs_server_keyex_sig
);
12113 dissect_tls_ecparameters(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
)
12116 * RFC 4492 ECC cipher suites for TLS
12119 * ECCurveType curve_type;
12120 * select (curve_type) {
12121 * case explicit_prime:
12123 * case explicit_char2:
12125 * case named_curve:
12126 * NamedCurve namedcurve;
12133 /* ECParameters.curve_type */
12134 curve_type
= tvb_get_uint8(tvb
, offset
);
12135 proto_tree_add_item(tree
, hf
->hf
.hs_server_keyex_curve_type
, tvb
,
12136 offset
, 1, ENC_BIG_ENDIAN
);
12139 if (curve_type
!= 3)
12140 return offset_end
; /* only named_curves are supported */
12142 /* case curve_type == named_curve; ECParameters.namedcurve */
12143 proto_tree_add_item(tree
, hf
->hf
.hs_server_keyex_named_curve
, tvb
,
12144 offset
, 2, ENC_BIG_ENDIAN
);
12151 dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
12152 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
12153 uint16_t version
, bool anon
)
12156 * RFC 4492 ECC cipher suites for TLS
12159 * opaque point <1..2^8-1>;
12163 * ECParameters curve_params;
12165 * } ServerECDHParams;
12167 * select (KeyExchangeAlgorithm) {
12168 * case ec_diffie_hellman:
12169 * ServerECDHParams params;
12170 * Signature signed_params;
12171 * } ServerKeyExchange;
12175 proto_tree
*ssl_ecdh_tree
;
12177 ssl_ecdh_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, offset_end
- offset
,
12178 hf
->ett
.keyex_params
, NULL
, "EC Diffie-Hellman Server Params");
12180 offset
= dissect_tls_ecparameters(hf
, tvb
, ssl_ecdh_tree
, offset
, offset_end
);
12181 if (offset
>= offset_end
)
12182 return; /* only named_curves are supported */
12184 /* ECPoint.point */
12185 point_len
= tvb_get_uint8(tvb
, offset
);
12186 proto_tree_add_item(ssl_ecdh_tree
, hf
->hf
.hs_server_keyex_point_len
, tvb
,
12187 offset
, 1, ENC_BIG_ENDIAN
);
12188 proto_tree_add_item(ssl_ecdh_tree
, hf
->hf
.hs_server_keyex_point
, tvb
,
12189 offset
+ 1, point_len
, ENC_NA
);
12190 offset
+= 1 + point_len
;
12192 /* Signature (if non-anonymous KEX) */
12194 dissect_ssl3_hnd_srv_keyex_sig(hf
, tvb
, pinfo
, ssl_ecdh_tree
, offset
, offset_end
, version
);
12199 dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
12200 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
12201 uint16_t version
, bool anon
)
12203 int p_len
, g_len
, ys_len
;
12204 proto_tree
*ssl_dh_tree
;
12206 ssl_dh_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, offset_end
- offset
,
12207 hf
->ett
.keyex_params
, NULL
, "Diffie-Hellman Server Params");
12210 p_len
= tvb_get_ntohs(tvb
, offset
);
12211 proto_tree_add_item(ssl_dh_tree
, hf
->hf
.hs_server_keyex_p_len
, tvb
,
12212 offset
, 2, ENC_BIG_ENDIAN
);
12213 proto_tree_add_item(ssl_dh_tree
, hf
->hf
.hs_server_keyex_p
, tvb
,
12214 offset
+ 2, p_len
, ENC_NA
);
12215 offset
+= 2 + p_len
;
12218 g_len
= tvb_get_ntohs(tvb
, offset
);
12219 proto_tree_add_item(ssl_dh_tree
, hf
->hf
.hs_server_keyex_g_len
, tvb
,
12220 offset
, 2, ENC_BIG_ENDIAN
);
12221 proto_tree_add_item(ssl_dh_tree
, hf
->hf
.hs_server_keyex_g
, tvb
,
12222 offset
+ 2, g_len
, ENC_NA
);
12223 offset
+= 2 + g_len
;
12226 ys_len
= tvb_get_ntohs(tvb
, offset
);
12227 proto_tree_add_uint(ssl_dh_tree
, hf
->hf
.hs_server_keyex_ys_len
, tvb
,
12228 offset
, 2, ys_len
);
12229 proto_tree_add_item(ssl_dh_tree
, hf
->hf
.hs_server_keyex_ys
, tvb
,
12230 offset
+ 2, ys_len
, ENC_NA
);
12231 offset
+= 2 + ys_len
;
12233 /* Signature (if non-anonymous KEX) */
12235 dissect_ssl3_hnd_srv_keyex_sig(hf
, tvb
, pinfo
, ssl_dh_tree
, offset
, offset_end
, version
);
12239 /* Only used in RSA-EXPORT cipher suites */
12241 dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
12242 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
12245 int modulus_len
, exponent_len
;
12246 proto_tree
*ssl_rsa_tree
;
12248 ssl_rsa_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, offset_end
- offset
,
12249 hf
->ett
.keyex_params
, NULL
, "RSA-EXPORT Server Params");
12252 modulus_len
= tvb_get_ntohs(tvb
, offset
);
12253 proto_tree_add_item(ssl_rsa_tree
, hf
->hf
.hs_server_keyex_modulus_len
, tvb
,
12254 offset
, 2, ENC_BIG_ENDIAN
);
12255 proto_tree_add_item(ssl_rsa_tree
, hf
->hf
.hs_server_keyex_modulus
, tvb
,
12256 offset
+ 2, modulus_len
, ENC_NA
);
12257 offset
+= 2 + modulus_len
;
12260 exponent_len
= tvb_get_ntohs(tvb
, offset
);
12261 proto_tree_add_item(ssl_rsa_tree
, hf
->hf
.hs_server_keyex_exponent_len
,
12262 tvb
, offset
, 2, ENC_BIG_ENDIAN
);
12263 proto_tree_add_item(ssl_rsa_tree
, hf
->hf
.hs_server_keyex_exponent
,
12264 tvb
, offset
+ 2, exponent_len
, ENC_NA
);
12265 offset
+= 2 + exponent_len
;
12268 dissect_ssl3_hnd_srv_keyex_sig(hf
, tvb
, pinfo
, ssl_rsa_tree
, offset
, offset_end
, version
);
12271 /* Used in RSA PSK and PSK cipher suites */
12273 dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
12274 proto_tree
*tree
, uint32_t offset
)
12277 proto_tree
*ssl_psk_tree
;
12279 ssl_psk_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, -1,
12280 hf
->ett
.keyex_params
, NULL
, "PSK Server Params");
12283 hint_len
= tvb_get_ntohs(tvb
, offset
);
12284 proto_tree_add_item(ssl_psk_tree
, hf
->hf
.hs_server_keyex_hint_len
, tvb
,
12285 offset
, 2, ENC_BIG_ENDIAN
);
12286 proto_tree_add_item(ssl_psk_tree
, hf
->hf
.hs_server_keyex_hint
, tvb
,
12287 offset
+ 2, hint_len
, ENC_NA
);
12289 proto_item_set_len(ssl_psk_tree
, 2 + hint_len
);
12290 return 2 + hint_len
;
12293 /* Used in Diffie-Hellman PSK cipher suites */
12295 dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
12296 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
)
12300 * select (KeyExchangeAlgorithm) {
12301 * case diffie_hellman_psk:
12302 * opaque psk_identity_hint<0..2^16-1>;
12303 * ServerDHParams params;
12305 * } ServerKeyExchange;
12308 uint32_t psk_len
= dissect_ssl3_hnd_srv_keyex_psk(hf
, tvb
, tree
, offset
);
12309 dissect_ssl3_hnd_srv_keyex_dhe(hf
, tvb
, pinfo
, tree
, offset
+ psk_len
, offset_end
, 0, true);
12312 /* Used in EC Diffie-Hellman PSK cipher suites */
12314 dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
12315 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
)
12319 * select (KeyExchangeAlgorithm) {
12320 * case ec_diffie_hellman_psk:
12321 * opaque psk_identity_hint<0..2^16-1>;
12322 * ServerECDHParams params;
12324 * } ServerKeyExchange;
12327 uint32_t psk_len
= dissect_ssl3_hnd_srv_keyex_psk(hf
, tvb
, tree
, offset
);
12328 dissect_ssl3_hnd_srv_keyex_ecdh(hf
, tvb
, pinfo
, tree
, offset
+ psk_len
, offset_end
, 0, true);
12331 /* Used in EC J-PAKE cipher suites */
12333 dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
12334 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
)
12339 * opaque r<1..2^8-1>;
12344 * ECSchnorrZKP zkp;
12348 * ECParameters curve_params;
12349 * ECJPAKEKeyKP ecjpake_key_kp;
12350 * } ServerECJPAKEParams;
12352 * select (KeyExchangeAlgorithm) {
12354 * ServerECJPAKEParams params;
12355 * } ServerKeyExchange;
12359 proto_tree
*ssl_ecjpake_tree
;
12361 ssl_ecjpake_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, offset_end
- offset
,
12362 hf
->ett
.keyex_params
, NULL
,
12363 "EC J-PAKE Server Params");
12365 offset
= dissect_tls_ecparameters(hf
, tvb
, ssl_ecjpake_tree
, offset
, offset_end
);
12366 if (offset
>= offset_end
)
12367 return; /* only named_curves are supported */
12369 /* ECJPAKEKeyKP.X */
12370 point_len
= tvb_get_uint8(tvb
, offset
);
12371 proto_tree_add_item(ssl_ecjpake_tree
, hf
->hf
.hs_server_keyex_xs_len
, tvb
,
12372 offset
, 1, ENC_BIG_ENDIAN
);
12373 proto_tree_add_item(ssl_ecjpake_tree
, hf
->hf
.hs_server_keyex_xs
, tvb
,
12374 offset
+ 1, point_len
, ENC_NA
);
12375 offset
+= 1 + point_len
;
12377 /* ECJPAKEKeyKP.zkp.V */
12378 point_len
= tvb_get_uint8(tvb
, offset
);
12379 proto_tree_add_item(ssl_ecjpake_tree
, hf
->hf
.hs_server_keyex_vs_len
, tvb
,
12380 offset
, 1, ENC_BIG_ENDIAN
);
12381 proto_tree_add_item(ssl_ecjpake_tree
, hf
->hf
.hs_server_keyex_vs
, tvb
,
12382 offset
+ 1, point_len
, ENC_NA
);
12383 offset
+= 1 + point_len
;
12385 /* ECJPAKEKeyKP.zkp.r */
12386 point_len
= tvb_get_uint8(tvb
, offset
);
12387 proto_tree_add_item(ssl_ecjpake_tree
, hf
->hf
.hs_server_keyex_rs_len
, tvb
,
12388 offset
, 1, ENC_BIG_ENDIAN
);
12389 proto_tree_add_item(ssl_ecjpake_tree
, hf
->hf
.hs_server_keyex_rs
, tvb
,
12390 offset
+ 1, point_len
, ENC_NA
);
12393 /* Only used in ECC-SM2-EXPORT cipher suites */
12395 dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
12396 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
12399 proto_tree
*ssl_ecc_sm2_tree
;
12401 ssl_ecc_sm2_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, offset_end
- offset
,
12402 hf
->ett
.keyex_params
, NULL
, "ECC-SM2-EXPORT Server Params");
12405 dissect_ssl3_hnd_srv_keyex_sig(hf
, tvb
, pinfo
, ssl_ecc_sm2_tree
, offset
, offset_end
, version
);
12407 /* ServerKeyExchange algo-specific dissectors. }}} */
12409 /* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12411 ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
12412 proto_tree
*tree
, uint32_t offset
, uint32_t length
,
12413 const SslSession
*session
)
12415 switch (ssl_get_keyex_alg(session
->cipher
)) {
12416 case KEX_DH_ANON
: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
12421 dissect_ssl3_hnd_cli_keyex_dhe(hf
, tvb
, tree
, offset
, length
);
12423 case KEX_DHE_PSK
: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
12424 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf
, tvb
, tree
, offset
, length
);
12426 case KEX_ECDH_ANON
: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
12427 case KEX_ECDH_ECDSA
:
12429 case KEX_ECDHE_ECDSA
:
12430 case KEX_ECDHE_RSA
:
12431 dissect_ssl3_hnd_cli_keyex_ecdh(hf
, tvb
, tree
, offset
, length
);
12433 case KEX_ECDHE_PSK
: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
12434 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf
, tvb
, tree
, offset
, length
);
12436 case KEX_KRB5
: /* RFC 2712; krb5: KerberosWrapper */
12437 /* XXX: implement support for KRB5 */
12438 proto_tree_add_expert_format(tree
, NULL
, &hf
->ei
.hs_ciphersuite_undecoded
,
12439 tvb
, offset
, length
,
12440 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
12441 " developers if you want them to be supported");
12443 case KEX_PSK
: /* RFC 4279; psk: psk_identity */
12444 dissect_ssl3_hnd_cli_keyex_psk(hf
, tvb
, tree
, offset
);
12446 case KEX_RSA
: /* RFC 5246; rsa: EncryptedPreMasterSecret */
12447 dissect_ssl3_hnd_cli_keyex_rsa(hf
, tvb
, tree
, offset
, length
, session
);
12449 case KEX_RSA_PSK
: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
12450 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf
, tvb
, tree
, offset
, length
);
12452 case KEX_SRP_SHA
: /* RFC 5054; srp: ClientSRPPublic */
12453 case KEX_SRP_SHA_DSS
:
12454 case KEX_SRP_SHA_RSA
:
12455 /* XXX: implement support for SRP_SHA* */
12456 proto_tree_add_expert_format(tree
, NULL
, &hf
->ei
.hs_ciphersuite_undecoded
,
12457 tvb
, offset
, length
,
12458 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12459 " developers if you want them to be supported");
12461 case KEX_ECJPAKE
: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12462 dissect_ssl3_hnd_cli_keyex_ecjpake(hf
, tvb
, tree
, offset
, length
);
12464 case KEX_ECC_SM2
: /* GB/T 38636 */
12465 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf
, tvb
, tree
, offset
, length
);
12468 proto_tree_add_expert(tree
, NULL
, &hf
->ei
.hs_ciphersuite_undecoded
,
12469 tvb
, offset
, length
);
12475 ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
, packet_info
*pinfo
,
12476 proto_tree
*tree
, uint32_t offset
, uint32_t offset_end
,
12477 const SslSession
*session
)
12479 switch (ssl_get_keyex_alg(session
->cipher
)) {
12480 case KEX_DH_ANON
: /* RFC 5246; ServerDHParams */
12481 dissect_ssl3_hnd_srv_keyex_dhe(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, session
->version
, true);
12483 case KEX_DH_DSS
: /* RFC 5246; not allowed */
12485 proto_tree_add_expert(tree
, NULL
, &hf
->ei
.hs_srv_keyex_illegal
,
12486 tvb
, offset
, offset_end
- offset
);
12488 case KEX_DHE_DSS
: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
12490 dissect_ssl3_hnd_srv_keyex_dhe(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, session
->version
, false);
12492 case KEX_DHE_PSK
: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
12493 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf
, tvb
, pinfo
, tree
, offset
, offset_end
);
12495 case KEX_ECDH_ANON
: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
12496 dissect_ssl3_hnd_srv_keyex_ecdh(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, session
->version
, true);
12498 case KEX_ECDHE_PSK
: /* RFC 5489; psk_identity_hint, ServerECDHParams */
12499 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf
, tvb
, pinfo
, tree
, offset
, offset_end
);
12501 case KEX_ECDH_ECDSA
: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
12503 case KEX_ECDHE_ECDSA
:
12504 case KEX_ECDHE_RSA
:
12505 dissect_ssl3_hnd_srv_keyex_ecdh(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, session
->version
, false);
12507 case KEX_KRB5
: /* RFC 2712; not allowed */
12508 proto_tree_add_expert(tree
, NULL
, &hf
->ei
.hs_srv_keyex_illegal
,
12509 tvb
, offset
, offset_end
- offset
);
12511 case KEX_PSK
: /* RFC 4279; psk, rsa: psk_identity */
12513 dissect_ssl3_hnd_srv_keyex_psk(hf
, tvb
, tree
, offset
);
12515 case KEX_RSA
: /* only allowed if the public key in the server certificate is longer than 512 bits */
12516 dissect_ssl3_hnd_srv_keyex_rsa(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, session
->version
);
12518 case KEX_ECC_SM2
: /* GB/T 38636 */
12519 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf
, tvb
, pinfo
, tree
, offset
, offset_end
, session
->version
);
12521 case KEX_SRP_SHA
: /* RFC 5054; srp: ServerSRPParams, Signature */
12522 case KEX_SRP_SHA_DSS
:
12523 case KEX_SRP_SHA_RSA
:
12524 /* XXX: implement support for SRP_SHA* */
12525 proto_tree_add_expert_format(tree
, NULL
, &hf
->ei
.hs_ciphersuite_undecoded
,
12526 tvb
, offset
, offset_end
- offset
,
12527 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12528 " developers if you want them to be supported");
12530 case KEX_ECJPAKE
: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12531 dissect_ssl3_hnd_srv_keyex_ecjpake(hf
, tvb
, tree
, offset
, offset_end
);
12534 proto_tree_add_expert(tree
, NULL
, &hf
->ei
.hs_ciphersuite_undecoded
,
12535 tvb
, offset
, offset_end
- offset
);
12539 /* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
12542 tls13_dissect_hnd_key_update(ssl_common_dissect_t
*hf
, tvbuff_t
*tvb
,
12543 proto_tree
*tree
, uint32_t offset
)
12545 /* RFC 8446 Section 4.6.3
12547 * update_not_requested(0), update_requested(1), (255)
12548 * } KeyUpdateRequest;
12551 * KeyUpdateRequest request_update;
12554 proto_tree_add_item(tree
, hf
->hf
.hs_key_update_request_update
, tvb
, offset
, 1, ENC_NA
);
12558 ssl_common_register_ssl_alpn_dissector_table(const char *name
,
12559 const char *ui_name
, const int proto
)
12561 ssl_alpn_dissector_table
= register_dissector_table(name
, ui_name
,
12562 proto
, FT_STRING
, STRING_CASE_SENSITIVE
);
12563 register_dissector_table_alias(ssl_alpn_dissector_table
, "ssl.handshake.extensions_alpn_str");
12567 ssl_common_register_dtls_alpn_dissector_table(const char *name
,
12568 const char *ui_name
, const int proto
)
12570 dtls_alpn_dissector_table
= register_dissector_table(name
, ui_name
,
12571 proto
, FT_STRING
, STRING_CASE_SENSITIVE
);
12572 register_dissector_table_alias(ssl_alpn_dissector_table
, "dtls.handshake.extensions_alpn_str");
12576 ssl_common_register_options(module_t
*module
, ssl_common_options_t
*options
, bool is_dtls
)
12578 prefs_register_string_preference(module
, "psk", "Pre-Shared Key",
12579 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
12583 prefs_register_obsolete_preference(module
, "keylog_file");
12584 prefs_register_static_text_preference(module
, "keylog_file_removed",
12585 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
12586 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
12590 prefs_register_filename_preference(module
, "keylog_file", "(Pre)-Master-Secret log filename",
12591 "The name of a file which contains a list of \n"
12592 "(pre-)master secrets in one of the following formats:\n"
12594 "RSA <EPMS> <PMS>\n"
12595 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
12596 "CLIENT_RANDOM <CRAND> <MS>\n"
12597 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
12600 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
12601 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
12602 "<SSLID> = The SSL Session ID\n"
12603 "<MS> = The Master-Secret (MS)\n"
12604 "<CRAND> = The Client's random number from the ClientHello message\n"
12606 "(All fields are in hex notation)",
12607 &(options
->keylog_filename
), false);
12611 ssl_calculate_handshake_hash(SslDecryptSession
*ssl_session
, tvbuff_t
*tvb
, uint32_t offset
, uint32_t length
)
12613 if (ssl_session
&& ssl_session
->session
.version
!= TLSV1DOT3_VERSION
&& !(ssl_session
->state
& SSL_MASTER_SECRET
)) {
12614 uint32_t old_length
= ssl_session
->handshake_data
.data_len
;
12615 ssl_debug_printf("Calculating hash with offset %d %d\n", offset
, length
);
12617 if (tvb_bytes_exist(tvb
, offset
, length
)) {
12618 ssl_session
->handshake_data
.data
= (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session
->handshake_data
.data
, old_length
+ length
);
12619 tvb_memcpy(tvb
, ssl_session
->handshake_data
.data
+ old_length
, offset
, length
);
12620 ssl_session
->handshake_data
.data_len
+= length
;
12623 /* DTLS calculates the hash as if each handshake message had been
12624 * sent as a single fragment (RFC 6347, section 4.2.6) and passes
12625 * in a null tvbuff to add 3 bytes for a zero fragment offset.
12627 DISSECTOR_ASSERT_CMPINT(length
, <, 4);
12628 ssl_session
->handshake_data
.data
= (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session
->handshake_data
.data
, old_length
+ length
);
12629 memset(ssl_session
->handshake_data
.data
+ old_length
, 0, length
);
12630 ssl_session
->handshake_data
.data_len
+= length
;
12637 * Editor modelines - https://www.wireshark.org/tools/modelines.html
12640 * c-basic-offset: 4
12642 * indent-tabs-mode: nil
12645 * vi: set shiftwidth=4 tabstop=8 expandtab:
12646 * :indentSize=4:tabSize=8:noTabs=true:
