| blob | ccffb503c496f491365c36b4b545dfad82f1070d |
1 /* packet-tls.c
2 * Routines for TLS dissection
3 * Copyright (c) 2000-2001, Scott Renfro <scott@renfro.org>
4 * Copyright 2013-2019, Peter Wu <peter@lekensteyn.nl>
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
13 /*
14 * Supported protocol versions:
15 *
16 * TLS 1.3, 1.2, 1.0, and SSL 3.0. SSL 2.0 is no longer supported, except for
17 * the SSL 2.0-compatible Client Hello.
18 *
19 * Primary protocol specifications:
20 *
21 * https://tools.ietf.org/html/draft-hickman-netscape-ssl-00 - SSL 2.0
22 * https://tools.ietf.org/html/rfc6101 - SSL 3.0
23 * https://tools.ietf.org/html/rfc2246 - TLS 1.0
24 * https://tools.ietf.org/html/rfc4346 - TLS 1.1
25 * https://tools.ietf.org/html/rfc5246 - TLS 1.2
26 * https://tools.ietf.org/html/rfc8446 - TLS 1.3
27 *
28 * Important IANA registries:
29 *
30 * https://www.iana.org/assignments/tls-parameters/
31 * https://www.iana.org/assignments/tls-extensiontype-values/
32 *
33 * Notes:
34 *
35 * - Decryption needs to be performed 'sequentially', so it's done
36 * at packet reception time. This may cause a significant packet capture
37 * slow down. This also causes dissection of some ssl info that in previous
38 * dissector versions was dissected only when a proto_tree context was
39 * available
40 *
41 * We are at Packet reception if time pinfo->fd->visited == 0
42 *
43 * - Many dissection and decryption operations are implemented in
44 * epan/dissectors/packet-tls-utils.c and
45 * epan/dissectors/packet-tls-utils.h due to an overlap of functionality
46 * with DTLS (epan/dissectors/packet-dtls.c).
47 *
48 */
52 #include <epan/packet.h>
53 #include <epan/reassemble.h>
54 #include <epan/asn1.h>
55 #include <epan/tap.h>
56 #include <epan/uat.h>
57 #include <epan/addr_resolv.h>
58 #include <epan/follow.h>
59 #include <epan/exported_pdu.h>
60 #include <epan/proto_data.h>
61 #include <epan/decode_as.h>
62 #include <epan/prefs-int.h>
63 #include <epan/secrets.h>
64 #include <wiretap/secrets-types.h>
66 #include <wsutil/utf8_entities.h>
67 #include <wsutil/str_util.h>
68 #include <wsutil/strtoi.h>
69 #include <wsutil/rsa.h>
70 #include <wsutil/ws_assert.h>
71 #include <wsutil/filesystem.h>
72 #include <wsutil/report_message.h>
81 #ifdef HAVE_LIBGNUTLS
84 #endif
91 /* Try heuristic dissectors before dissectors assigned to a port.
92 * Dissectors assigned via ALPN always take precedence. */
95 /*********************************************************************
96 *
97 * Protocol Constants, Variables, Data Structures
98 *
99 *********************************************************************/
101 /* Initialize the protocol and registered fields */
168 /* Initialize the subtree pointers */
184 /* Generated from convert_proto_tree_add_text.pl */
187 /* not all of the hf_fields below make sense for TLS but we have to provide
188 them anyways to comply with the api (which was aimed for ip fragment
189 reassembly) */
204 "Segments"
205 };
207 /* Fragmented handshake messages. */
222 "Fragments"
223 };
227 static void
234 {
236 tree,
237 hf_tls_segment_data,
238 tvb,
239 offset,
240 length,
241 NULL,
246 }
251 #ifdef HAVE_LIBGNUTLS
256 #endif
265 /* List of dissectors to call for TLS data */
271 /* Forward declaration we need below */
274 /* Desegmentation of TLS streams */
275 /* table to hold defragmented TLS streams */
278 /* Table to hold fragmented TLS handshake records. */
282 /* Fragment TLS handshake reassembly functions. The records are
283 * organized by session and direction; this allows reassembly across
284 * QUIC connection migration when addresses and ports change.
285 */
292 static unsigned
294 {
297 }
299 static int
301 {
308 }
313 {
320 }
322 static void
324 {
327 }
329 static const reassembly_table_functions
330 tls_hs_reassembly_table_functions = {
331 tls_hs_fragment_hash,
332 tls_hs_fragment_equal,
333 tls_hs_fragment_temporary_key,
334 tls_hs_fragment_temporary_key,
335 tls_hs_fragment_free_temporary_key,
336 tls_hs_fragment_free_temporary_key,
337 };
339 /* initialize/reset per capture state data (ssl sessions cache) */
340 static void
342 {
350 /* We should have loaded "keys_list" by now. Mark it obsolete */
355 }
356 }
358 /* Reset the identifier for a group of handshake fragments. */
360 }
362 static void
364 {
365 #ifdef HAVE_LIBGNUTLS
369 }
370 #endif
373 }
375 ssl_master_key_map_t *
377 {
378 // Try to load new keys.
381 }
383 }
385 #ifdef HAVE_LIBGNUTLS
386 /* parse ssl related preferences (private keys and ports association strings) */
387 static void
389 {
392 dissector_handle_t handle;
397 {
399 }
401 /* remove only associations created from key list */
408 }
409 }
410 /* parse private keys string, load available keys and put them in key hash*/
422 }
423 }
426 }
428 static void
430 {
433 }
435 static void
437 {
442 /* Import old-style keys */
457 }
459 }
461 }
463 }
464 }
468 static tap_packet_status
469 ssl_follow_tap_listener(void *tapdata, packet_info *pinfo, epan_dissect_t *edt _U_, const void *ssl, tap_flags_t flags _U_)
470 {
477 /* Skip packets without decrypted payload data. */
480 /* Compute the packet's sender. */
486 }
492 }
496 /* Include only application data in the record, skipping things like
497 * Handshake messages and alerts. */
500 /* TCP segments that contain the end of two or more TLS PDUs will be
501 queued to TLS taps for each of those PDUs. Therefore a single
502 packet could be processed by this TLS tap listener multiple times.
503 The following test handles that scenario by treating the
504 follow_info->bytes_written[] values as the next expected
505 appl_data->seq. Any appl_data instances that fall below that have
506 already been processed and must be skipped. */
509 /* Allocate a follow_record_t to hold the current appl_data
510 instance's decrypted data. Even though it would be possible to
511 consolidate multiple appl_data instances into a single record, it is
512 beneficial to use a one-to-one mapping. This affords the Follow
513 Stream dialog view modes (ASCII, EBCDIC, Hex Dump, C Arrays, Raw)
514 the opportunity to accurately reflect TLS PDU boundaries. Currently
515 the Hex Dump view does by starting a new line, and the C Arrays
516 view does by starting a new array declaration. */
528 /* Add the record to the follow_info structure. */
531 }
534 }
536 /*********************************************************************
537 *
538 * Forward Declarations
539 *
540 *********************************************************************/
542 /*
543 * SSL version 3 and TLS dissectors
544 *
545 */
546 /* record layer dissector */
555 /* alert message dissector */
561 /* handshake protocol dissector */
577 /* heartbeat message dissector */
587 /*
588 * SSL version 2 dissectors
589 *
590 */
592 /* record layer dissector */
599 /* client hello dissector */
605 /* client master key dissector */
610 /* server hello dissector */
616 /*
617 * Support Functions
618 *
619 */
628 static void
631 dissector_handle_t app_handle_port,
633 static uint32_t
636 static void
637 print_tls_fragment_tree(fragment_head *ipfd_head, proto_tree *tree, proto_tree *tls_tree, packet_info *pinfo, tvbuff_t *next_tvb);
639 /*********************************************************************
640 *
641 * Main dissector
642 *
643 *********************************************************************/
644 /*
645 * Code to actually dissect the packets
646 */
647 static int
649 {
661 /*
662 * A single packet may contain multiple TLS records. Two possible scenarios:
663 *
664 * - Multiple TLS records belonging to the same TLS session.
665 * - TLS within a different encrypted TLS tunnel.
666 *
667 * To support the second case, 'curr_layer_num_ssl' is used as identifier
668 * for the current TLS layer.
669 */
686 /* it is extremely unlikely that real TLS traffic starts with four
687 * printable ascii characters; this looks like it's unencrypted
688 * text, so assume it's not ours (SSL does have some unencrypted
689 * text fields in certain packets, but you'd have to get very
690 * unlucky with TCP fragmentation to have one of those fields at the
691 * beginning of a TCP payload at the beginning of the capture where
692 * reassembly hasn't started yet) */
694 }
695 }
697 ssl_debug_printf("\ndissect_ssl enter frame #%u (%s)\n", pinfo->num, (pinfo->fd->visited)?"already visited":"first time");
699 /* Track the version using conversations to reduce the
700 * chance that a packet that simply *looks* like a v2 or
701 * v3 packet is dissected improperly. This also allows
702 * us to more frequently set the protocol column properly
703 * for continuation data frames.
704 *
705 * Also: We use the copy in conv_version as our cached copy,
706 * so that we don't have to search the conversation
707 * table every time we want the version; when setting
708 * the conv_version, must set the copy in the conversation
709 * in addition to conv_version
710 */
711 /* Get the conversation with the deinterlacing strategy,
712 * assuming it does exist, as created by an underlying proto.
713 */
714 conversation = find_conversation_strat(pinfo, conversation_pt_to_conversation_type(pinfo->ptype), 0);
719 }
728 /* This conversation started at a different protocol and STARTTLS was
729 * used, but this packet comes too early. */
731 }
733 /* try decryption only the first time we see this packet
734 * (to keep cipher synchronized) */
738 ssl_debug_printf(" conversation = %p, ssl_session = %p\n", (void *)conversation, (void *)ssl_session);
740 /* Initialize the protocol column; we'll override it later when we
741 * detect a different version or flavor of TLS (assuming we don't
742 * throw an exception before we get the chance to do so). */
745 /* clear the info column */
748 /* TCP packets and TLS records are orthogonal.
749 * A tcp packet may contain multiple ssl records and an ssl
750 * record may be spread across multiple tcp packets.
751 *
752 * This loop accounts for multiple ssl records in a single
753 * frame, but not a single ssl record across multiple tcp
754 * packets.
755 *
756 * Handling the single ssl record across multiple packets
757 * may be possible using wireshark conversations, but
758 * probably not cleanly. May have to wait for tcp stream
759 * reassembly.
760 */
762 /* Create display subtree for TLS as a whole */
764 {
767 }
768 /* iterate through the records in this tvbuff */
770 {
771 ssl_debug_printf(" record: offset = %d, reported_length_remaining = %d\n", offset, tvb_reported_length_remaining(tvb, offset));
773 /*
774 * Assume, for now, that this doesn't need desegmentation.
775 */
778 /* first try to dispatch off the cached version
779 * known to be associated with the conversation
780 */
786 ssl_session);
794 /* SSLv3/TLS record headers need at least 1+2+2 = 5 bytes. */
801 /* Not enough bytes available. Stop here. */
803 }
805 }
807 /* the version tracking code works too well ;-)
808 * at times, we may visit a v2 client hello after
809 * we already know the version of the connection;
810 * work around that here by detecting and calling
811 * the v2 dissector instead
812 */
814 {
818 ssl_session);
819 }
820 else
821 {
825 ssl_session,
827 }
830 /* that failed, so apply some heuristics based
831 * on this individual packet
832 */
834 /*
835 * If the version is unknown, assume SSLv3/TLS which has a record
836 * size of at least 5 bytes (SSLv2 record header is two or three
837 * bytes, but the data will hopefully be larger than three bytes).
838 */
845 /* Not enough bytes available. Stop here. */
847 }
849 }
852 {
853 /* looks like sslv2 client hello */
857 ssl_session);
858 }
860 {
861 /* looks like sslv3 or tls */
865 ssl_session,
867 }
868 else
869 {
870 /* looks like something unknown, so lump into
871 * continuation data
872 */
875 }
877 }
879 /* Desegmentation return check */
883 /* Make data available to ssl_follow_tap_listener */
884 tap_queue_packet(tls_follow_tap, pinfo, p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, curr_layer_num_ssl));
886 }
887 }
891 /* Check for needing to reassemble at end of stream */
895 /* retrieve decoder for this packet direction. Retrieve it
896 * here because the decoder could have been created while
897 * processing the records (e.g., an Early Data HTTP request
898 * and response, with no Content-Length.) */
901 }
904 }
907 /* We want to reassemble at the end of the stream. Are we
908 * there? */
909 /* There might be more than one record, and we don't want to tell
910 * the application dissector that we got a TCP FIN if there are
911 * more app data records to come. We add the FIN here.
912 * XXX: We could have some logic to do so in dissect_ssl3_record()
913 * when we're on the last record. Note that the last record could
914 * be an alert, or this could be a FIN with no data, so we'd still
915 * have to check here anyway.)
916 */
919 }
921 /* No. Tell the TCP dissector that we want to desegment
922 * at FIN, so that it will call the TLS dissector at FIN
923 * even if there is no TCP payload.
924 *
925 * However, tell it that we've already dissected all the
926 * the data in the packet, so that we avoid getting it
927 * later and trying to decrypt the records again.
928 * (XXX: An alternative would be checking for already decrypted
929 * records before trying to decrypt on the first pass.)
930 */
936 msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(decoder->flow->multisegment_pdus, decoder->flow->byte_seq);
946 /* create a new TVB structure for desegmented data */
949 /* add desegmented data to the data source list */
952 /* Show details of the reassembly */
955 /*
956 * Supply the sequence number of the first of the
957 * reassembled bytes.
958 */
961 /* indicate that this is reassembled data */
964 /* call subdissector */
968 /* XXX: Workaround for #15159. Ordinarily we
969 * return the number of bytes dissected, but zero
970 * indicates the dissector rejecting the data. If
971 * we are dissecting at FIN, but there were no new
972 * records added, we want to indicate that the
973 * dissector accepted the zero length payload so
974 * that the TLS (and, e.g. HTTP) layers don't get
975 * removed. So artificially return 1 instead.
976 * (The TCP dissector will ignore the number.)
977 */
979 }
980 }
981 }
982 }
983 }
984 }
991 /* Make data available to ssl_follow_tap_listener */
992 tap_queue_packet(tls_follow_tap, pinfo, p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, curr_layer_num_ssl));
995 }
998 /*
999 * Dissect ECHConfigList structure, for use by the DNS dissector.
1000 */
1001 static int
1003 {
1006 }
1008 /*
1009 * Dissect TLS 1.3 handshake messages (without the record layer).
1010 * For use by QUIC (draft -13).
1011 */
1012 static int
1014 {
1022 /**
1023 * A value that uniquely identifies this fragment in this frame.
1024 */
1027 ssl_debug_printf("\n%s enter frame #%u (%s)\n", G_STRFUNC, pinfo->num, (pinfo->fd->visited)?"already visited":"first time");
1037 }
1039 /*
1040 * First pass: collect state (including Client Random for key matching).
1041 * Second pass: dissection only, no need to collect state.
1042 */
1045 }
1050 /* Add a proto_tls item to allow simple "tls" display filter */
1061 }
1063 static bool
1065 {
1069 /*
1070 * Heuristics should match the TLS record header.
1071 * ContentType (1), ProtocolVersion (2), Length (2)
1072 *
1073 * We do not check for an actual payload, IBM WebSphere is known
1074 * to separate the record header and payload over two separate packets.
1075 */
1078 }
1084 /* These are the common types. */
1087 }
1089 /*
1090 * Match SSLv3, TLS 1.0/1.1/1.2 (TLS 1.3 uses same value as TLS 1.0). Most
1091 * likely you'll see 0x300 (SSLv3) or 0x301 (TLS 1.1) for interoperability
1092 * reasons. Per RFC 5246 we should accept any 0x3xx value, but this is just
1093 * a heuristic that catches common/likely cases.
1094 */
1101 }
1103 /* Check for sane length, see also ssl_check_record_length in packet-tls-utils.c */
1106 }
1109 }
1111 static bool
1113 {
1114 /*
1115 * Detect SSL 2.0 compatible Client Hello as used in SSLv3 and TLS.
1116 *
1117 * https://tools.ietf.org/html/rfc5246#appendix-E.2
1118 * uint8 V2CipherSpec[3];
1119 * struct {
1120 * uint16 msg_length; // 0: highest bit must be 1
1121 * uint8 msg_type; // 2: 1 for Client Hello
1122 * Version version; // 3: equal to ClientHello.client_version
1123 * uint16 cipher_spec_length; // 5: cannot be 0, must be multiple of 3
1124 * uint16 session_id_length; // 7: zero or 16 (in TLS 1.0)
1125 * uint16 challenge_length; // 9: must be 32
1126 * // length so far: 2 + 1 + 2 + 2 + 2 + 2 = 11
1127 * V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length]; // len: min 3
1128 * opaque session_id[V2ClientHello.session_id_length]; // len: zero or 16
1129 * opaque challenge[V2ClientHello.challenge_length; // len: 32
1130 * // min. length: 11 + 3 + (0 or 16) + 32 = 46 or 62
1131 * } V2ClientHello;
1132 */
1135 }
1137 /* Assume that message length is less than 256 (at most 64 cipherspecs). */
1140 }
1142 /* msg_type must be 1 for Client Hello */
1145 }
1147 /* cipher spec length must be a non-zero multiple of 3 */
1151 }
1153 /* session ID length must be 0 or 16 in TLS 1.0 */
1157 }
1159 /* Challenge Length must be 32 */
1162 }
1165 }
1167 static bool
1169 {
1174 }
1179 }
1181 static void
1182 tls_save_decrypted_record(packet_info *pinfo, int record_id, SslDecryptSession *ssl, uint8_t content_type,
1184 {
1190 }
1193 /*
1194 * The actual data is followed by the content type and then zero or
1195 * more padding. Scan backwards for content type, skipping padding.
1196 */
1198 datalen--;
1199 }
1200 ssl_debug_printf("%s found %d padding bytes\n", G_STRFUNC, ssl_decrypted_data_avail - datalen);
1204 }
1207 /*
1208 * XXX zero-length Handshake fragments are forbidden by RFC 8446,
1209 * Section 5.1. Empty Application Data fragments are allowed though.
1210 */
1212 }
1213 }
1215 /* In TLS 1.3 only Handshake and Application Data can be fragmented.
1216 * Alert messages MUST NOT be fragmented across records, so do not
1217 * bother maintaining a flow for those. */
1220 }
1222 /**
1223 * Try to decrypt the record and update the internal cipher state.
1224 * On success, the decrypted data will be available in "ssl_decrypted_data" of
1225 * length "ssl_decrypted_data_avail".
1226 */
1227 static bool
1228 decrypt_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, uint32_t offset, SslDecryptSession *ssl,
1231 {
1238 /* if we can decrypt and decryption was a success
1239 * add decrypted data to this packet info */
1244 /* retrieve decoder for this packet direction */
1248 }
1252 }
1254 /* save data to update IV if decoder is available or updated later */
1261 }
1262 ssl_data_set(data_for_iv, (const unsigned char*)tvb_get_ptr(tvb, data_for_iv_offset, data_for_iv_len), data_for_iv_len);
1267 }
1269 /* run decryption and add decrypted payload to protocol data, if decryption
1270 * is successful*/
1272 success = ssl_decrypt_record(ssl, decoder, content_type, record_version, tls_ignore_mac_failed,
1275 /* */
1277 /* save data to update IV if valid session key is obtained later */
1280 ssl_data_set(data_for_iv, (const unsigned char*)tvb_get_ptr(tvb, offset + record_length - data_for_iv_len, data_for_iv_len), data_for_iv_len);
1281 }
1283 tls_save_decrypted_record(pinfo, tvb_raw_offset(tvb)+offset, ssl, content_type, decoder, allow_fragments, curr_layer_num_ssl);
1284 }
1286 }
1288 /**
1289 * Try to guess the early data cipher using trial decryption.
1290 * Requires Libgcrypt 1.6 or newer for verifying that decryption is successful.
1291 */
1292 static bool
1297 {
1303 /* Only try trial decryption for the first record. */
1307 }
1314 tls_save_decrypted_record(pinfo, tvb_raw_offset(tvb)+offset, ssl, SSL_ID_APP_DATA, ssl->client, true, curr_layer_num_ssl);
1317 }
1319 }
1327 }
1336 };
1345 /* Unable to create cipher (old Libgcrypt) */
1347 }
1350 success = ssl_decrypt_record(ssl, ssl->client, SSL_ID_APP_DATA, 0x303, false, record, record_length, NULL, 0,
1354 tls_save_decrypted_record(pinfo, tvb_raw_offset(tvb)+offset, ssl, SSL_ID_APP_DATA, ssl->client, true, curr_layer_num_ssl);
1356 }
1357 }
1360 }
1362 }
1364 static void
1365 print_tls_fragment_tree(fragment_head *ipfd_head, proto_tree *tree, proto_tree *tls_tree, packet_info *pinfo, tvbuff_t *next_tvb)
1366 {
1369 /*
1370 * The subdissector thought it was completely
1371 * desegmented (although the stuff at the
1372 * end may, in turn, require desegmentation),
1373 * so we show a tree with all segments.
1374 */
1377 /*
1378 * The toplevel fragment subtree is now
1379 * behind all desegmented data; move it
1380 * right behind the TLS tree.
1381 */
1385 }
1386 }
1388 static uint32_t
1390 {
1391 /*
1392 * If a frame contains multiple appdata PDUs, then "first_frame" is not
1393 * sufficient to uniquely identify groups of fragments. Therefore we use
1394 * the tcp reassembly functions that also test msp->seq (the position of
1395 * the initial fragment in the TLS stream).
1396 * As a frame most likely does not have multiple PDUs (except maybe for
1397 * HTTP2), just check 'seq' at the end instead of using it in the hash.
1398 */
1400 #if 0
1403 #endif
1405 }
1407 static void
1414 {
1426 again:
1433 /*
1434 * Initialize these to assume no desegmentation.
1435 * If that's not the case, these will be set appropriately
1436 * by the subdissector.
1437 */
1441 /*
1442 * Initialize this to assume that this segment will just be
1443 * added to the middle of a desegmented chunk of data, so
1444 * that we should show it all as data.
1445 * If that's not the case, it will be set appropriately.
1446 */
1449 /* If we've seen this segment before (e.g., it's a retransmission),
1450 * there's nothing for us to do. Certainly, don't add it to the list
1451 * of multisegment_pdus (that would cause subsequent lookups to find
1452 * the retransmission instead of the original transmission, breaking
1453 * dissection of the desegmented pdu if we'd already seen the end of
1454 * the pdu).
1455 */
1461 /* This must be after the first pass. */
1467 }
1471 }
1477 /* Show what frame this was reassembled in if not this one. */
1481 }
1482 }
1486 }
1488 /* Else, find the most previous PDU starting before this sequence number */
1496 }
1498 /* OK, this PDU was found, which means the segment continues
1499 * a higher-level PDU and that we must desegment it.
1500 */
1502 /* The dissector asked for the entire segment */
1506 }
1517 /* If we consumed the entire segment there is no
1518 * other pdu starting anywhere inside this segment.
1519 * So update nxtpdu to point at least to the start
1520 * of the next segment.
1521 * (If the subdissector asks for even more data we
1522 * will advance nxtpdu even further later down in
1523 * the code.)
1524 */
1526 }
1532 }
1534 /* This segment was not found in our table, so it doesn't
1535 * contain a continuation of a higher-level PDU.
1536 * Call the normal subdissector.
1537 */
1539 /*
1540 * Supply the sequence number of this segment. We set this here
1541 * because this segment could be after another in the same packet,
1542 * in which case seq was incremented at the end of the loop.
1543 */
1549 /* Did the subdissector ask us to desegment some more data
1550 * before it could handle the packet?
1551 * If so we have to create some structures in our table but
1552 * this is something we only do the first time we see this
1553 * packet.
1554 */
1559 /*
1560 * Set "deseg_offset" to the offset in "tvb"
1561 * of the first byte of data that the
1562 * subdissector didn't process.
1563 */
1565 }
1567 /* Either no desegmentation is necessary, or this is
1568 * segment contains the beginning but not the end of
1569 * a higher-level PDU and thus isn't completely
1570 * desegmented.
1571 */
1573 }
1576 /* is it completely desegmented? */
1578 /*
1579 * Yes, we think it is.
1580 * We only call subdissector for the last segment.
1581 * Note that the last segment may include more than what
1582 * we needed.
1583 */
1585 /*
1586 * This is *not* the last segment. It is part of a PDU in the same
1587 * frame, so no another PDU can follow this one.
1588 * Do not reassemble TLS yet, it will be done in the final segment.
1589 * (If we are reassembling at FIN, we will do that in dissect_ssl()
1590 * after iterating through all the records.)
1591 * Clear the Info column and avoid displaying [TLS segment of a
1592 * reassembled PDU], the payload dissector will typically set it.
1593 * (This is needed here for the second pass.)
1594 */
1599 /*
1600 * OK, this is the last segment of the PDU and also the
1601 * last segment in this frame.
1602 * Let's call the subdissector with the desegmented
1603 * data.
1604 */
1608 /*
1609 * Reset column in case multiple TLS segments form the
1610 * PDU and this last TLS segment is not in the first TCP segment of
1611 * this frame.
1612 * XXX prevent clearing the column if the last layer is not SSL?
1613 */
1614 /* Clear column during the first pass. */
1617 /* create a new TVB structure for desegmented data */
1620 /* add desegmented data to the data source list */
1623 /*
1624 * Supply the sequence number of the first of the
1625 * reassembled bytes.
1626 */
1629 /* indicate that this is reassembled data */
1632 /* call subdissector */
1636 /*
1637 * OK, did the subdissector think it was completely
1638 * desegmented, or does it think we need even more
1639 * data?
1640 */
1643 /*
1644 * "desegment_len" isn't 0, so it needs more
1645 * data for something - and "desegment_offset"
1646 * is before "old_len", so it needs more data
1647 * to dissect the stuff we thought was
1648 * completely desegmented (as opposed to the
1649 * stuff at the beginning being completely
1650 * desegmented, but the stuff at the end
1651 * being a new higher-level PDU that also
1652 * needs desegmentation).
1653 */
1657 /* It didn't dissect anything in the reassembled TLS segment, so
1658 * remove the newly added data source. */
1660 }
1661 /* Update msp->nxtpdu to point to the new next
1662 * pdu boundary.
1663 */
1665 /* We want reassembly of at least one
1666 * more segment so set the nxtpdu
1667 * boundary to one byte into the next
1668 * segment.
1669 * This means that the next segment
1670 * will complete reassembly even if it
1671 * is only one single byte in length.
1672 */
1676 /* This is not the first segment, and we thought reassembly
1677 * would be done now, but now we know we desegment at FIN.
1678 * E.g., a HTTP response where the headers were split
1679 * across segments (so previous ONE_MORE_SEGMENT) and
1680 * also no Content-Length (so now DESEGMENT_UNTIL_FIN).
1681 */
1686 }
1687 /* Since we need at least some more data
1688 * there can be no pdu following in the
1689 * tail of this segment.
1690 */
1693 /*
1694 * Show the stuff in this TCP segment as
1695 * just raw TCP segment data.
1696 */
1700 /* Show details of the reassembly */
1703 /* Did the subdissector ask us to desegment
1704 * some more data? This means that the data
1705 * at the beginning of this segment completed
1706 * a higher-level PDU, but the data at the
1707 * end of this segment started a higher-level
1708 * PDU but didn't complete it.
1709 *
1710 * If so, we have to create some structures
1711 * in our table, but this is something we
1712 * only do the first time we see this packet.
1713 */
1718 /* The stuff we couldn't dissect
1719 * must have come from this segment,
1720 * so it's all in "tvb".
1721 *
1722 * "pinfo->desegment_offset" is
1723 * relative to the beginning of
1724 * "next_tvb"; we want an offset
1725 * relative to the beginning of "tvb".
1726 *
1727 * First, compute the offset relative
1728 * to the *end* of "next_tvb" - i.e.,
1729 * the number of bytes before the end
1730 * of "next_tvb" at which the
1731 * subdissector stopped. That's the
1732 * length of "next_tvb" minus the
1733 * offset, relative to the beginning
1734 * of "next_tvb, at which the
1735 * subdissector stopped.
1736 */
1739 /* "tvb" and "next_tvb" end at the
1740 * same byte of data, so the offset
1741 * relative to the end of "next_tvb"
1742 * of the byte at which we stopped
1743 * is also the offset relative to
1744 * the end of "tvb" of the byte at
1745 * which we stopped.
1746 *
1747 * Convert that back into an offset
1748 * relative to the beginning of
1749 * "tvb", by taking the length of
1750 * "tvb" and subtracting the offset
1751 * relative to the end.
1752 */
1754 }
1755 }
1756 }
1757 }
1760 /* If the dissector requested "reassemble until FIN"
1761 * just set this flag for the flow and let reassembly
1762 * proceed at normal. We will check/pick up these
1763 * reassembled PDUs later down in dissect_tcp() when checking
1764 * for the FIN flag.
1765 */
1768 }
1769 /*
1770 * The sequence number at which the stuff to be desegmented
1771 * starts is the sequence number of the byte at an offset
1772 * of "deseg_offset" into "tvb".
1773 *
1774 * The sequence number of the byte at an offset of "offset"
1775 * is "seq", i.e. the starting sequence number of this
1776 * segment, so the sequence number of the byte at
1777 * "deseg_offset" is "seq + (deseg_offset - offset)".
1778 */
1784 /* The subdissector asked to reassemble using the
1785 * entire next segment.
1786 * Just ask reassembly for one more byte
1787 * but set this msp flag so we can pick it up
1788 * above.
1789 */
1794 /* Set nxtseq very large so that reassembly won't happen
1795 * until we force it at the end of the stream in dissect_ssl()
1796 * outside this function.
1797 */
1803 }
1805 /* add this segment as the first one for this new pdu */
1810 }
1811 }
1817 /*
1818 * We know what other frame this PDU is reassembled in;
1819 * let the user know.
1820 */
1824 }
1826 /*
1827 * Either we didn't call the subdissector at all (i.e.,
1828 * this is a segment that contains the middle of a
1829 * higher-level PDU, but contains neither the beginning
1830 * nor the end), or the subdissector couldn't dissect it
1831 * all, as some data was missing (i.e., it set
1832 * "pinfo->desegment_len" to the amount of additional
1833 * data it needs).
1834 */
1836 /*
1837 * It couldn't, in fact, dissect any of it (the
1838 * first byte it couldn't dissect is at an offset
1839 * of "pinfo->desegment_offset" from the beginning
1840 * of the payload, and that's 0).
1841 * Just mark this as SSL.
1842 */
1846 }
1848 /*
1849 * Show what's left in the packet as just raw TCP segment
1850 * data.
1851 * XXX - remember what protocol the last subdissector
1852 * was, and report it as a continuation of that, instead?
1853 */
1856 }
1862 /* there was another pdu following this one. */
1864 /* we also have to prevent the dissector from changing the
1865 * PROTOCOL and INFO colums since what follows may be an
1866 * incomplete PDU and we don't want it be changed back from
1867 * <Protocol> to <TCP>
1868 */
1874 }
1875 }
1877 static void
1879 {
1887 }
1889 static void
1892 dissector_handle_t app_handle_port,
1894 {
1908 }
1909 /* If the appdata proto is not yet known (no STARTTLS or ALPN), try
1910 * heuristics and ports-based dissectors, order depending on preference. */
1913 /* The heuristics dissector should set the app_handle via tlsinfo
1914 * if it wants to be called in the future. */
1917 tlsinfo)) {
1924 }
1926 }
1928 /* Heuristics failed, just try the port-based dissector. */
1936 tlsinfo)) {
1943 }
1946 /* No heuristics, no port-based proto, unknown protocol. */
1950 }
1951 }
1960 }
1963 call_dissector_with_data(session->app_handle, next_tvb, pinfo, proto_tree_get_root(tree), tlsinfo);
1965 }
1967 static void
1971 dissector_handle_t app_handle_port,
1973 {
1979 /* Preserve current desegmentation ability to prevent the subdissector
1980 * from messing up the ssl desegmentation */
1983 /* try to dissect decrypted data*/
1987 /* Can we desegment this segment? */
1989 /* Yes. */
1995 /* No - just call the subdissector.
1996 Mark this as fragmented, so if somebody throws an exception,
1997 we don't report it as a malformed frame. */
2004 }
2006 /* restore desegmentation ability */
2008 }
2011 /*********************************************************************
2012 *
2013 * SSL version 3 and TLS Dissection Routines
2014 *
2015 *********************************************************************/
2016 static int
2023 {
2025 /*
2026 * struct {
2027 * uint8 major, minor;
2028 * } ProtocolVersion;
2029 *
2030 *
2031 * enum {
2032 * change_cipher_spec(20), alert(21), handshake(22),
2033 * application_data(23), (255)
2034 * } ContentType;
2035 *
2036 * struct {
2037 * ContentType type;
2038 * ProtocolVersion version;
2039 * uint16 length;
2040 * opaque fragment[TLSPlaintext.length];
2041 * } TLSPlaintext;
2042 */
2060 /* TLS 1.0/1.1 just ignores unknown records - RFC 2246 chapter 6. The TLS Record Protocol */
2066 proto_tree_add_expert(tree, pinfo, &ei_tls_ignored_unknown_record, tvb, offset, available_bytes);
2069 }
2071 /*
2072 * Is the record header split across segment boundaries?
2073 */
2075 /*
2076 * Yes - can we do reassembly?
2077 */
2080 /*
2081 * Yes. Tell the TCP dissector where the data for this
2082 * message starts in the data it handed us, and that we need
2083 * "some more data." Don't tell it exactly how many bytes we
2084 * need because if/when we ask for even more (after the header)
2085 * that will break reassembly.
2086 */
2092 /* Not enough bytes available. Stop here. */
2094 }
2095 }
2097 /*
2098 * Get the record layer fields of interest
2099 */
2107 /*
2108 * Is the record split across segment boundaries?
2109 */
2111 /*
2112 * Yes - can we do reassembly?
2113 */
2116 /*
2117 * Yes. Tell the TCP dissector where the data for this
2118 * message starts in the data it handed us, and how many
2119 * more bytes we need, and return.
2120 */
2123 /* Don't use:
2124 * pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
2125 * it avoids some minor display glitches when a frame contains
2126 * the continuation of a previous PDU together with a full new
2127 * PDU, but it completely breaks dissection for jumbo TLS frames
2128 */
2134 /* Not enough bytes available. Stop here. */
2136 }
2137 }
2140 /* if we don't have a valid content_type, there's no sense
2141 * continuing any further
2142 */
2146 }
2148 /* add the record layer subtree header */
2153 /* show the one-byte content type */
2160 }
2162 offset++;
2164 /* add the version */
2169 /* add the length */
2174 /*
2175 * if we don't already have a version set for this conversation,
2176 * but this message's version is authoritative (i.e., it's
2177 * not client_hello, then save the version to the conversation
2178 * structure and print the column version. If the message is not authoritative
2179 * (i.e. it is a Client Hello), then this version will still be used for
2180 * display purposes only (it will not be stored in the conversation).
2181 */
2185 /* Version has possibly changed, adjust the column accordingly. */
2190 }
2192 /*
2193 * now dissect the next layer
2194 */
2195 ssl_debug_printf("dissect_ssl3_record: content_type %d %s\n",content_type, val_to_str_const(content_type, ssl_31_content_type, "unknown"));
2197 /* try to decrypt record on the first pass, if possible. Store decrypted
2198 * record for later usage (without having to decrypt again). The offset is
2199 * used as 'key' to identify this record in the packet (we can have multiple
2200 * handshake records in the same frame).
2201 * In TLS 1.3, an encrypted record always has (outer) opaque_type of
2202 * "Application Data". The actual content type of the record is found
2203 * after decryption.
2204 */
2205 if (ssl && record_length && (session->version != TLSV1DOT3_VERSION || content_type == SSL_ID_APP_DATA)) {
2208 /* Try to decrypt TLS 1.3 early data first */
2211 decrypt_ok = decrypt_tls13_early_data(tvb, pinfo, offset, record_length, ssl, curr_layer_num_ssl);
2213 /* Either trial decryption failed (e.g. missing key) or end of
2214 * early data is reached. Switch to HS secrets if available. */
2217 }
2219 }
2220 }
2227 }
2228 }
2230 /* try to retrieve and use decrypted alert/handshake/appdata record, if any. */
2231 decrypted = ssl_get_record_info(tvb, proto_tls, pinfo, tvb_raw_offset(tvb)+offset, curr_layer_num_ssl, &record);
2239 }
2240 }
2241 ssl_check_record_length(&dissect_ssl3_hf, pinfo, (ContentType)content_type, record_length, length_pi, version, decrypted);
2245 if (version == TLSV1DOT3_VERSION && session->tls13_draft_version > 0 && session->tls13_draft_version < 22) {
2246 /* CCS was reintroduced in TLS 1.3 draft -22 */
2250 }
2256 /* CCS is a dummy message in TLS 1.3, do not try to load keys. */
2258 }
2264 }
2265 /* Heuristic: any later ChangeCipherSpec is not a resumption of this
2266 * session. Set the flag after ssl_finalize_decryption such that it has
2267 * a chance to use resume using Session Tickets. */
2276 }
2285 // Combine both the offset within this TCP segment and the layer
2286 // number in case a record consists of multiple reassembled TCP
2287 // segments. The exact value does not matter, but it should be
2288 // unique per frame.
2293 }
2296 {
2297 dissector_handle_t app_handle;
2299 /* show on info column what we are decoding */
2302 /* app_handle discovery is done here instead of dissect_ssl_payload()
2303 * because the protocol name needs to be displayed below. */
2306 /* Unknown protocol handle, ssl_starttls_ack was not called before.
2307 * Try to find a port-based protocol and use it if there is no
2308 * heuristics dissector (see process_ssl_payload). */
2311 }
2324 ti = proto_tree_add_string(ssl_record_tree, hf_tls_record_appdata_proto, tvb, 0, 0, dissector_handle_get_protocol_long_name(app_handle));
2326 }
2330 }
2332 /* Set app proto again in case the heuristics found a different proto. */
2341 }
2347 }
2349 dissect_ssl3_heartbeat(decrypted, pinfo, ssl_record_tree, 0, session, tvb_reported_length (decrypted), true);
2352 /* heartbeats before ChangeCipherSpec are unencrypted */
2358 }
2359 }
2360 dissect_ssl3_heartbeat(tvb, pinfo, ssl_record_tree, offset, session, record_length, plaintext);
2361 }
2366 }
2370 }
2372 /* dissects the alert message, filling in the tree */
2373 static void
2377 {
2378 /* struct {
2379 * AlertLevel level;
2380 * AlertDescription description;
2381 * } Alert;
2382 */
2390 {
2394 }
2396 /*
2397 * Assume that TLS alert records are not fragmented. Any larger message is
2398 * assumed to be encrypted.
2399 */
2408 }
2410 /*
2411 * set the record layer label
2412 */
2414 /* first lookup the names for the alert level and description */
2421 /* If this is a close_notify, mark it as the end of the stream.
2422 * (XXX: Maybe we should do this for other alerts, and maybe
2423 * reassembling at FIN should also try reassembling at RST as well?)
2424 */
2426 }
2428 /* now set the text in the record layer line */
2434 {
2444 }
2445 }
2448 /**
2449 * Checks whether a handshake message seems encrypted and cannot be dissected.
2450 */
2451 static bool
2452 is_encrypted_handshake_message(tvbuff_t *tvb, packet_info *pinfo, uint32_t offset, uint32_t offset_end,
2454 {
2461 /*
2462 * Encrypted data has additional overhead. For TLS 1.0/1.1 with stream
2463 * and block ciphers, there is at least a MAC which is at minimum 16
2464 * bytes for MD5. In TLS 1.2, AEAD adds an explicit nonce and auth tag.
2465 * For AES-GCM/CCM the auth tag is 16 bytes. AES_CCM_8 (RFC 6655) uses 8
2466 * byte auth tags, but the explicit nonce is also 8 (sums up to 16).
2467 *
2468 * So anything smaller than 16 bytes is assumed to be plaintext.
2469 */
2471 }
2473 /*
2474 * If this is not a decrypted buffer, then perhaps it is still in plaintext.
2475 * Heuristics: if the buffer is too small, it is likely not encrypted.
2476 * Otherwise assume that the Handshake does not contain two successive
2477 * HelloRequest messages (type=0x00 length=0x000000, type=0x00). If this
2478 * occurs, then we have possibly found the explicit nonce preceding the
2479 * encrypted contents for GCM/CCM cipher suites as used in TLS 1.2.
2480 */
2483 /*
2484 * TODO handle Finished message after CCS in the same frame and remove the
2485 * above nonce-based heuristic.
2486 */
2487 }
2490 /*
2491 * Assume encrypted if the message type makes no sense. If this still
2492 * leads to false positives (detecting plaintext while it should mark
2493 * stuff as encrypted), some other ideas include:
2494 * - Perform additional validation based on the message type.
2495 * - Disallow handshake fragmentation except for some common cases like
2496 * Certificate messages (due to large certificates).
2497 */
2502 // Assume handshake messages are below 64K.
2504 }
2505 }
2509 /*
2510 * Everything after the ChangeCipherSpec message should be encrypted.
2511 * At least some buggy clients send a new handshake in the clear
2512 * when renegotiating, though. (#18867).
2513 */
2514 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
2524 // Assume ClientHello and ServerHello are < 1024.
2526 }
2529 /*
2530 * This is after the CCS, but looks like an unencrypted
2531 * ClientHello or ServerHello. This is a new handshake;
2532 * it's a buggy renegotiation or possibly retransmissions.
2533 */
2535 /* XXX: Resetting the CCS frame state will allow us to
2536 * detect the new handshake, but can mean false positives
2537 * on earlier frames on later passes (reporting as
2538 * cleartext handshake messages that were encrypted and
2539 * we failed to decrypt on the first pass.) Maybe we
2540 * should store some additional state, either per packet
2541 * in SslPacketInfo or more complicated information about
2542 * encrypted handshake state changes. (E.g., in a wmem_tree
2543 * store the frames where we get a CCS and the frames
2544 * where this happens.)
2545 */
2546 }
2550 }
2551 }
2552 }
2554 }
2562 {
2563 // Full handshake messages should not be saved.
2565 // 0 is a special value indicating no reassembly in progress.
2569 // The reassembly API will refuse to add fragments when not all
2570 // available data has been captured. Since we were given a tvb with at
2571 // least 'frag_len' data, we must always succeed in obtaining a subset.
2573 }
2587 // Add (subset of) record data.
2592 }
2594 /**
2595 * Populate the Info column and record layer tree item based on the message type.
2596 *
2597 * @param pinfo Packet info.
2598 * @param record_tree The Record layer tree item.
2599 * @param version Record version.
2600 * @param msg_type The message type (not necessarily the same as the first byte
2601 * of the buffer in case of HRR in TLS 1.3).
2602 * @param is_first_msg true if this is the first message in this record.
2603 * @param complete true if the buffer describes the full (encrypted) message.
2604 * @param tvb Buffer that covers the start of this handshake fragment.
2605 * @param offset Position within the record data.
2606 * @param length Length of the record fragment that is part of the handshake
2607 * message. May be smaller than the record length if this is a fragment.
2608 */
2613 {
2617 }
2619 /*
2620 * Update our info string if this is the first message (possibly a fragment
2621 * of a handshake message), or if this is a complete (reassembled) message.
2622 */
2626 /*
2627 * Only mark the first message to avoid an empty Info column. If another
2628 * message came before this one, do not bother mentioning this fragment.
2629 */
2631 }
2633 /* set the label text on the record layer expanding node */
2637 msg_type_str);
2640 }
2645 }
2652 }
2654 }
2656 /* dissects the handshake protocol, filling the tree */
2657 static void
2665 {
2666 // Handshake fragment processing:
2667 // 1. (First pass:) If a previous handshake message needed reassembly, add
2668 // (a subset of) the new data for reassembly.
2669 // 2. Did this fragment complete reassembly in the previous step?
2670 // - Yes: dissect message and continue.
2671 // - No: show details and stop.
2672 // 3. Not part of a reassembly, so this is a new handshake message. Does it
2673 // look like encrypted data?
2674 // - Yes: show details and stop.
2675 // 4. Loop through remaining handshake messages. Is there sufficient data?
2676 // - Yes: dissect message and continue with next message.
2677 // - No (first pass): Add all data for reassembly, show details and stop.
2678 // - No (second pass): Show details and stop.
2686 unsigned *hs_reassembly_id_p = is_from_server ? &session->server_hs_reassembly_id : &session->client_hs_reassembly_id;
2689 // 1. (First pass:) If a previous handshake message needed reassembly.
2691 // Continuation, so a previous fragment *must* exist.
2694 // We expect that reassembly has not completed yet.
2697 // Combine all previous segments plus data from the current record
2698 // in order to find the length.
2704 }
2706 }
2710 }
2713 // Extract the actual handshake message length (0 means unknown) and
2714 // check whether only a subset of the current record is needed.
2720 }
2721 }
2724 // Not all data has been captured. As we are missing data, the
2725 // reassembly cannot be completed nor do we know the boundary
2726 // where the next handshake message starts. Stop reassembly.
2729 // Check if the handshake message is complete.
2732 frag_info = save_tls_handshake_fragment(pinfo, curr_layer_num_tls, record_id, *hs_reassembly_id_p,
2735 // Reassembly finished, next message should not continue this message.
2737 }
2738 }
2739 }
2741 // Lookup the reassembled handshake matching this frame (if any).
2742 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, curr_layer_num_tls);
2748 }
2749 }
2750 }
2751 }
2753 // 2. Did this fragment complete reassembly in the previous step?
2757 // This is the last fragment of the handshake message.
2758 // Skip a subset of the bytes of this buffer.
2761 // Add a tree item to mark the handshake fragment.
2769 // Now display the full, reassembled handshake message.
2773 dissect_tls_handshake_full(next_tvb, pinfo, tree, 0, session, is_from_server, ssl, version, true, curr_layer_num_tls);
2776 // Skip to the next fragment in case this records ends with another
2777 // fragment for which information is presented below.
2781 }
2783 // The full TVB is in the middle of a handshake message and needs more data.
2788 }
2790 }
2792 // 3. Not part of a reassembly, so this is a new handshake message. Does it
2793 // look like encrypted data?
2794 if (is_encrypted_handshake_message(tvb, pinfo, offset, offset_end, maybe_encrypted, session, is_from_server)) {
2795 // Update Info column and record tree.
2799 }
2800 }
2802 // 4. Loop through remaining handshake messages.
2803 // The previous reassembly has been handled, so at this point, offset should
2804 // start a new, valid handshake message.
2810 }
2812 // Need more data to find the message length or complete it.
2816 frag_info = save_tls_handshake_fragment(pinfo, curr_layer_num_tls, record_id, *hs_reassembly_id_p,
2819 // The first pass must have created a new fragment.
2821 }
2828 }
2830 }
2832 dissect_tls_handshake_full(tvb, pinfo, tree, offset, session, is_from_server, ssl, version, is_first_msg, curr_layer_num_tls);
2835 }
2836 }
2838 /* Dissects a single (reassembled) Handshake message. */
2839 static void
2846 {
2847 /* struct {
2848 * HandshakeType msg_type;
2849 * uint24 length;
2850 * select (HandshakeType) {
2851 * case hello_request: HelloRequest;
2852 * case client_hello: ClientHello;
2853 * case server_hello: ServerHello;
2854 * case certificate: Certificate;
2855 * case server_key_exchange: ServerKeyExchange;
2856 * case certificate_request: CertificateRequest;
2857 * case server_hello_done: ServerHelloDone;
2858 * case certificate_verify: CertificateVerify;
2859 * case client_key_exchange: ClientKeyExchange;
2860 * case finished: Finished;
2861 * case certificate_url: CertificateURL;
2862 * case certificate_status: CertificateStatus;
2863 * case encrypted_extensions:NextProtocolNegotiationEncryptedExtension;
2864 * } body;
2865 * } Handshake;
2866 */
2874 {
2880 // The caller should have given us a fully reassembled record.
2888 {
2889 /* only dissect / report messages if they're
2890 * either the first message in this record
2891 * or they're a valid message type
2892 */
2894 }
2900 ssl_try_set_version(session, ssl, SSL_ID_HANDSHAKE, SSL_HND_SERVER_HELLO, false, server_version);
2903 }
2904 }
2906 /* Populate Info column and set record layer text. */
2911 /* if we don't have a valid handshake type, just quit dissecting */
2915 /* add a subtree for the handshake protocol */
2918 /* add nodes for the message type and message length */
2927 /* Prepare for renegotiation by resetting the state. */
2929 }
2931 /*
2932 * Add handshake message (including type, length, etc.) to hash (for
2933 * Extended Master Secret).
2934 * Hash ClientHello up to and including ClientKeyExchange. As the
2935 * premaster secret is looked up during ChangeCipherSpec processing (an
2936 * implementation detail), we must skip the CertificateVerify message
2937 * which can appear between CKE and CCS when mutual auth is enabled.
2938 */
2941 }
2943 /* now dissect the handshake message, if necessary */
2946 /* hello_request has no fields, so nothing to do! */
2951 /* ClientHello is first packet so set direction */
2954 }
2958 /*
2959 * Cannot call tls13_change_key here with TLS_SECRET_HANDSHAKE
2960 * since the server may not agree on using TLS 1.3. If
2961 * early_data is advertised, it must be TLS 1.3 though.
2962 */
2968 ssl_debug_printf("%s forcing version 0x%04X -> state 0x%02X\n", G_STRFUNC, version, ssl->state);
2969 }
2970 }
2978 /* Create client and server decoders for TLS 1.3.
2979 * Create client decoder based on HS secret only if there is
2980 * no early data, or if there is no decryptable early data. */
2984 }
2986 }
2990 /* only valid for DTLS */
2994 /* no need to load keylog file here as it only links a previous
2995 * master key with this Session Ticket */
3002 /* RFC 8446 Section 4.5 */
3007 }
3016 /* XXX expert info if used with non-TLS 1.3? */
3032 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, curr_layer_num_tls);
3035 }
3036 }
3037 ssl_dissect_hnd_srv_keyex(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, offset, offset + length, session);
3041 ssl_dissect_hnd_cert_req(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, offset, offset + length, session, false);
3045 /* This is not an abbreviated handshake, it is certainly not resumed. */
3050 ssl_dissect_hnd_cli_cert_verify(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, offset, offset + length, session->version);
3058 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, curr_layer_num_tls);
3061 }
3062 }
3070 /* try to find master key from pre-master key */
3073 #ifdef HAVE_LIBGNUTLS
3074 ssl_key_hash,
3075 #endif
3078 }
3087 }
3095 tls_dissect_hnd_certificate_status(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, offset, offset + length);
3099 /* TODO: dissect this? */
3106 }
3120 }
3121 }
3122 }
3124 /* dissects the heartbeat message, filling in the tree */
3125 static void
3130 {
3131 /* struct {
3132 * HeartbeatMessageType type;
3133 * uint16 payload_length;
3134 * opaque payload;
3135 * opaque padding;
3136 * } HeartbeatMessage;
3137 */
3152 }
3154 /*
3155 * set the record layer label
3156 */
3158 /* first lookup the names for the message type and the payload length */
3165 /* assume plaintext if the (expected) record size is smaller than the type
3166 * (1), length (2)[, payload] and padding (16) fields combined */
3169 }
3171 /* now set the text in the record layer line */
3176 }
3182 type);
3192 /* There is no room for padding... truncate the payload such that
3193 * the field can be selected (for the interested). */
3197 }
3201 payload_length,
3208 padding_length,
3216 }
3217 }
3219 /* based on https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04 */
3220 static void
3223 {
3230 offset++;
3238 offset++;
3241 }
3243 /*********************************************************************
3244 *
3245 * SSL version 2 Dissectors
3246 *
3247 *********************************************************************/
3250 /* record layer dissector */
3251 static int
3256 {
3276 /* pull first byte; if high bit is unset, then record
3277 * length is three bytes due to padding; otherwise
3278 * record length is two bytes
3279 */
3285 /*
3286 * Is the record header split across segment boundaries?
3287 */
3289 /*
3290 * Yes - can we do reassembly?
3291 */
3294 /*
3295 * Yes. Tell the TCP dissector where the data for this
3296 * message starts in the data it handed us, and that we need
3297 * "some more data." Don't tell it exactly how many bytes we
3298 * need because if/when we ask for even more (after the header)
3299 * that will break reassembly.
3300 */
3306 /* Not enough bytes available. Stop here. */
3308 }
3309 }
3311 /* parse out the record length */
3325 }
3327 /*
3328 * Is the record split across segment boundaries?
3329 */
3331 /*
3332 * Yes - Can we do reassembly?
3333 */
3336 /*
3337 * Yes. Tell the TCP dissector where the data for this
3338 * message starts in the data it handed us, and how many
3339 * more bytes we need, and return.
3340 */
3347 /* Not enough bytes available. Stop here. */
3349 }
3350 }
3353 /* add the record layer subtree header */
3358 /* pull the msg_type so we can bail if it's unknown */
3361 /* if we get a server_hello or later handshake in v2, then set
3362 * this to sslv2
3363 */
3365 {
3367 {
3369 }
3370 }
3372 /* if we get here, but don't have a version set for the
3373 * conversation, then set a version for just this frame
3374 * (e.g., on a client hello)
3375 */
3378 /* see if the msg_type is valid; if not the payload is
3379 * probably encrypted, so note that fact and bail
3380 */
3385 record_length)))
3386 {
3388 {
3393 /* Unlike SSLv3, the SSLv2 record layer does not have a
3394 * version field. To make it possible to filter on record
3395 * layer version we create a generated field with ssl
3396 * record layer version 0x0002
3397 */
3402 }
3406 }
3407 else
3408 {
3412 {
3415 msg_type_str);
3416 }
3417 }
3419 /* We have a valid message type, so move forward, filling in the
3420 * tree by adding the length, is_escape boolean and padding_length,
3421 * if present in the original packet
3422 */
3424 {
3425 /* Unlike SSLv3, the SSLv2 record layer does not have a
3426 * version field. To make it possible to filter on record
3427 * layer version we create a generated field with ssl
3428 * record layer version 0x0002
3429 */
3435 /* add the record length */
3440 record_length);
3441 }
3443 {
3447 }
3449 {
3453 }
3455 /*
3456 * dissect the record data
3457 */
3459 /* jump forward to the start of the record data */
3462 /* add the message type */
3464 {
3467 }
3470 {
3471 /* dissect the message (only handle client hello right now) */
3491 /* unimplemented */
3496 }
3497 }
3499 }
3501 static void
3505 {
3506 /* struct {
3507 * uint8 msg_type;
3508 * Version version;
3509 * uint16 cipher_spec_length;
3510 * uint16 session_id_length;
3511 * uint16 challenge_length;
3512 * V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length];
3513 * opaque session_id[V2ClientHello.session_id_length];
3514 * Random challenge;
3515 * } V2ClientHello;
3516 *
3517 * Note: when we get here, offset's already pointing at Version
3518 *
3519 */
3531 {
3532 /* invalid version; probably encrypted data */
3534 }
3538 }
3540 /* show the version */
3558 }
3568 {
3569 /* tell the user how many cipher specs they've won */
3575 /* make this a subtree and expand the actual specs below */
3578 {
3580 }
3581 }
3583 /* iterate through the cipher specs, showing them */
3585 {
3591 }
3593 /* if there's a session id, show it */
3595 {
3600 session_id_length,
3603 /* PAOLO: get session id and reset session state for key [re]negotiation */
3605 {
3610 }
3612 }
3614 /* if there's a challenge, show it */
3616 {
3620 {
3621 /* PAOLO: get client random data; we get at most 32 bytes from
3622 challenge */
3628 /* client random is padded with zero and 'right' aligned */
3633 ssl_debug_printf("dissect_ssl2_hnd_client_hello found CLIENT RANDOM -> state 0x%02X\n", ssl->state);
3634 }
3635 }
3636 }
3638 static void
3641 {
3642 /* struct {
3643 * uint8 msg_type;
3644 * V2Cipherspec cipher;
3645 * uint16 clear_key_length;
3646 * uint16 encrypted_key_length;
3647 * uint16 key_arg_length;
3648 * opaque clear_key_data[V2ClientMasterKey.clear_key_length];
3649 * opaque encrypted_key_data[V2ClientMasterKey.encrypted_key_length];
3650 * opaque key_arg_data[V2ClientMasterKey.key_arg_length];
3651 * } V2ClientMasterKey;
3652 *
3653 * Note: when we get here, offset's already pointing at cipher
3654 */
3659 /* at this point, everything we do involves the tree,
3660 * so quit now if we don't have one ;-)
3661 */
3663 {
3665 }
3667 /* show the selected cipher */
3672 /* get the fixed fields */
3688 /* show the variable length fields */
3690 {
3694 }
3697 {
3701 }
3704 {
3707 }
3709 }
3711 static void
3714 {
3715 /* struct {
3716 * uint8 msg_type;
3717 * uint8 session_id_hit;
3718 * uint8 certificate_type;
3719 * uint16 server_version;
3720 * uint16 certificate_length;
3721 * uint16 cipher_specs_length;
3722 * uint16 connection_id_length;
3723 * opaque certificate_data[V2ServerHello.certificate_length];
3724 * opaque cipher_specs_data[V2ServerHello.cipher_specs_length];
3725 * opaque connection_id_data[V2ServerHello.connection_id_length];
3726 * } V2ServerHello;
3727 *
3728 * Note: when we get here, offset's already pointing at session_id_hit
3729 */
3736 asn1_ctx_t asn1_ctx;
3740 /* everything we do only makes sense with a tree, so
3741 * quit now if we don't have one
3742 */
3744 {
3746 }
3750 {
3751 /* invalid version; probably encrypted data */
3753 }
3756 /* is there a hit? */
3761 /* what type of certificate is this? */
3766 /* now the server version */
3771 /* get the fixed fields */
3787 /* now the variable length fields */
3789 {
3790 (void)dissect_x509af_Certificate(false, tvb, offset, &asn1_ctx, tree, dissect_ssl3_hf.hf.hs_certificate);
3792 }
3795 {
3796 /* provide a collapsing node for the cipher specs */
3805 {
3807 }
3809 /* iterate through the cipher specs */
3811 {
3816 }
3817 }
3820 {
3823 }
3825 }
3833 {
3840 conversation = find_conversation(frame_num, addr_srv, addr_cli, conversation_pt_to_conversation_type(ptype), port_srv, port_cli, 0);
3843 /* create a new conversation */
3844 conversation = conversation_new(frame_num, addr_srv, addr_cli, conversation_pt_to_conversation_type(ptype), port_srv, port_cli, 0);
3846 }
3853 /* version */
3863 ssl_debug_printf("%s set version 0x%04X -> state 0x%02X\n", G_STRFUNC, ssl->session.version, ssl->state);
3866 /* API change: version number is no longer an internal value
3867 * (SSL_VER_*) but the ProtocolVersion from wire (*_VERSION) */
3870 }
3871 }
3873 /* cipher */
3881 ssl_debug_printf("ssl_set_master_secret set CIPHER 0x%04X -> state 0x%02X\n", ssl->session.cipher, ssl->state);
3882 }
3883 }
3885 /* client random */
3890 }
3892 /* server random */
3897 }
3899 /* master secret */
3904 }
3910 }
3912 /* change ciphers immediately */
3916 /* update seq numbers if available */
3917 /* TODO change API to accept 64-bit sequence numbers. */
3920 ssl_debug_printf("ssl_set_master_secret client->seq updated to %" PRIu64 "\n", ssl->client->seq);
3921 }
3924 ssl_debug_printf("ssl_set_master_secret server->seq updated to %" PRIu64 "\n", ssl->server->seq);
3925 }
3927 /* update IV from last data */
3930 ssl_cipher_setiv(&ssl->client->evp, ssl->client_data_for_iv.data + ssl->client_data_for_iv.data_len - iv_len, iv_len);
3931 ssl_print_data("ssl_set_master_secret client IV updated",ssl->client_data_for_iv.data + ssl->client_data_for_iv.data_len - iv_len, iv_len);
3932 }
3934 ssl_cipher_setiv(&ssl->server->evp, ssl->server_data_for_iv.data + ssl->server_data_for_iv.data_len - iv_len, iv_len);
3935 ssl_print_data("ssl_set_master_secret server IV updated",ssl->server_data_for_iv.data + ssl->server_data_for_iv.data_len - iv_len, iv_len);
3936 }
3937 }
3940 /*********************************************************************
3941 *
3942 * Support Functions
3943 *
3944 *********************************************************************/
3945 static int
3947 {
3952 }
3954 static int
3956 {
3961 {
3963 }
3967 {
3969 }
3971 /* 1 in 2^16 of being right; improve later if necessary */
3973 }
3975 /* this applies a heuristic to determine whether
3976 * or not the data beginning at offset looks like a
3977 * valid sslv2 record. this isn't really possible,
3978 * but we'll try to do a reasonable job anyway.
3979 */
3980 static int
3982 {
3983 /* here's the current approach:
3984 *
3985 * we only try to catch unencrypted handshake messages, so we can
3986 * assume that there is not padding. This means that the
3987 * first byte must be >= 0x80 and there must be a valid sslv2
3988 * msg_type in the third byte
3989 */
3991 /* get the first byte; must have high bit set */
3996 {
3998 }
4000 /* get the supposed msg_type byte; since we only care about
4001 * unencrypted handshake messages (we can't tell the type for
4002 * encrypted messages), we just check against that list
4003 */
4011 }
4013 }
4015 /* this applies a heuristic to determine whether
4016 * or not the data beginning at offset looks like a
4017 * valid sslv3 record. this is somewhat more reliable
4018 * than sslv2 due to the structure of the v3 protocol
4019 */
4020 static int
4022 {
4023 /* have to have a valid content type followed by a valid
4024 * protocol version
4025 */
4029 /* see if the first byte is a valid content type */
4032 {
4034 }
4036 /* now check to see if the version byte appears valid */
4046 }
4048 }
4050 /* applies a heuristic to determine whether
4051 * or not the data beginning at offset looks
4052 * like a valid, unencrypted v2 handshake message.
4053 * since it isn't possible to completely tell random
4054 * data apart from a valid message without state,
4055 * we try to help the odds.
4056 */
4057 static int
4060 {
4061 /* first byte should be a msg_type.
4062 *
4063 * - we know we only see client_hello, client_master_key,
4064 * and server_hello in the clear, so check to see if
4065 * msg_type is one of those (this gives us a 3 in 2^8
4066 * chance of saying yes with random payload)
4067 *
4068 * - for those three types that we know about, do some
4069 * further validation to reduce the chance of an error
4070 */
4076 /* fetch the msg_type */
4081 /* version follows msg byte, so verify that this is valid */
4087 /* version is three bytes after msg_type */
4093 /* sum of clear_key_length, encrypted_key_length, and key_arg_length
4094 * must be less than record length
4095 */
4101 }
4106 }
4109 }
4111 bool
4112 tls_get_cipher_info(packet_info *pinfo, uint16_t cipher_suite, int *cipher_algo, int *cipher_mode, int *hash_algo)
4113 {
4118 }
4123 }
4127 }
4131 }
4133 /* adapted from ssl_cipher_init in packet-tls-utils.c */
4135 GCRY_CIPHER_MODE_STREAM,
4136 GCRY_CIPHER_MODE_CBC,
4137 GCRY_CIPHER_MODE_GCM,
4138 GCRY_CIPHER_MODE_CCM,
4139 GCRY_CIPHER_MODE_CCM,
4140 GCRY_CIPHER_MODE_POLY1305,
4141 };
4143 GCRY_MD_MD5,
4144 GCRY_MD_SHA1,
4145 GCRY_MD_SHA256,
4146 GCRY_MD_SHA384,
4148 };
4153 /* Identifiers are unusable, fail. */
4155 }
4158 }
4161 }
4164 }
4167 }
4169 /**
4170 * Load the QUIC traffic secret from the keylog file.
4171 * Returns the secret length (at most 'secret_max_len') and the secret into
4172 * 'secret' if a secret was found, or zero otherwise.
4173 */
4174 int
4175 tls13_get_quic_secret(packet_info *pinfo, bool is_from_server, int type, unsigned secret_min_len, unsigned secret_max_len, uint8_t *secret_out)
4176 {
4182 }
4187 }
4193 }
4196 /* May happen if Hello message is missing and Finished is found. */
4199 }
4201 // Not strictly necessary as QUIC CRYPTO frames have just been processed
4202 // which also calls ssl_load_keyfile for key transitions.
4218 }
4227 }
4231 }
4238 }
4245 }
4249 {
4253 }
4255 SslDecryptSession *session = (SslDecryptSession *)conversation_get_proto_data(conv, proto_tls);
4258 }
4261 }
4265 {
4269 }
4271 SslDecryptSession *session = (SslDecryptSession *)conversation_get_proto_data(conv, proto_tls);
4274 }
4277 }
4279 /* TLS Exporters {{{ */
4280 /**
4281 * Computes the TLS 1.3 Exporter value (RFC 8446 Section 7.5).
4282 *
4283 * "secret" is the [early_]exporter_master_secret. On success, true is returned
4284 * and the key is returned via "out" (free with "wmem_free(NULL, out)").
4285 */
4286 static bool
4289 {
4290 /* TLS-Exporter(label, context_value, key_length) =
4291 * HKDF-Expand-Label(Derive-Secret(Secret, label, ""),
4292 * "exporter", Hash(context_value), key_length)
4293 *
4294 * Derive-Secret(Secret, Label, Messages) =
4295 * HKDF-Expand-Label(Secret, Label,
4296 * Transcript-Hash(Messages), Hash.length)
4297 */
4298 gcry_error_t err;
4299 gcry_md_hd_t hd;
4302 // QUIC -09 currently uses draft 23, so no need to support older TLS drafts
4308 }
4310 /* Calculate Derive-Secret(Secret, label, ""). */
4314 if (!tls13_hkdf_expand_label_context(algo, secret, label_prefix, label, hash_value, hash_len, derived_secret.data_len, &derived_secret.data)) {
4317 }
4319 /* HKDF-Expand-Label(..., "exporter", Hash(context_value), key_length) */
4323 tls13_hkdf_expand_label_context(algo, &derived_secret, label_prefix, "exporter", hash_value, hash_len, key_length, out);
4328 }
4330 /**
4331 * Exports keying material using "[early_]exporter_master_secret". See
4332 * tls13_exporter_common for more details.
4333 */
4334 bool
4338 {
4345 }
4347 /* Lookup EXPORTER_SECRET based on client_random from conversation */
4348 conversation_t *conv = find_conversation_strat(pinfo, conversation_pt_to_conversation_type(pinfo->ptype), 0);
4351 }
4356 }
4365 }
4367 return tls13_exporter_common(hash_algo, secret, label, context, context_length, key_length, out);
4368 }
4369 /* }}} */
4372 /* UAT */
4374 #ifdef HAVE_LIBGNUTLS
4375 static void
4377 {
4385 }
4389 {
4400 }
4408 static bool
4409 ssldecrypt_uat_fld_protocol_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, char** err)
4410 {
4412 // This should be removed in favor of Decode As. Make it optional.
4415 }
4419 // ssl_find_appdata_dissector accepts any valid dissector name so
4420 // this path cannot happen
4421 *err = ws_strdup_printf("While '%s' is a valid dissector name, that dissector is not configured"
4425 // The GUI validates dissector names now so this path shouldn't
4426 // occur either. (Perhaps if the UAT is hand-edited it might?)
4428 *err = ws_strdup_printf("Could not find dissector for: '%s'\nCommonly used TLS dissectors include:\n%s", p, ssl_str);
4430 }
4432 }
4436 }
4439 static void
4441 {
4445 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, pinfo->curr_layer_num);
4450 }
4454 {
4457 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, pinfo->curr_layer_num);
4462 }
4464 static void
4466 {
4470 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, pinfo->curr_layer_num);
4474 snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "destination (%s%u)", UTF8_RIGHTWARDS_ARROW, destport);
4475 }
4479 {
4482 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, pinfo->curr_layer_num);
4487 }
4489 static void
4491 {
4496 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, pinfo->curr_layer_num);
4498 {
4501 }
4503 snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "both (%u%s%u)", srcport, UTF8_LEFT_RIGHT_ARROW, destport);
4504 }
4506 static void
4508 {
4510 }
4512 /*********************************************************************
4513 *
4514 * Standard Wireshark Protocol Registration and housekeeping
4515 *
4516 *********************************************************************/
4517 void
4519 {
4521 /* Setup list of header fields See Section 1.6.1 for details*/
4527 },
4532 },
4537 },
4542 },
4547 },
4552 },
4557 },
4562 },
4567 },
4572 },
4577 },
4582 },
4587 },
4592 },
4597 },
4602 },
4607 },
4612 },
4617 },
4622 },
4627 },
4632 },
4637 },
4642 },
4647 },
4652 },
4656 },
4660 },
4664 },
4669 },
4674 },
4679 },
4684 },
4689 },
4694 },
4699 },
4704 },
4709 },
4714 },
4719 },
4724 },
4729 },
4734 },
4795 },
4818 };
4820 /* Setup protocol subtree array */
4833 };
4836 { &ei_ssl2_handshake_session_id_len_error, { "tls.handshake.session_id_length.error", PI_MALFORMED, PI_ERROR, "Session ID length error", EXPFILL }},
4837 { &ei_ssl3_heartbeat_payload_length, { "tls.heartbeat_message.payload_length.invalid", PI_MALFORMED, PI_ERROR, "Invalid heartbeat payload length", EXPFILL }},
4838 { &ei_tls_unexpected_message, { "tls.unexpected_message", PI_PROTOCOL, PI_ERROR, "Unexpected message", EXPFILL }},
4840 /* Generated from convert_proto_tree_add_text.pl */
4841 { &ei_tls_ignored_unknown_record, { "tls.ignored_unknown_record", PI_PROTOCOL, PI_WARN, "Ignored Unknown Record", EXPFILL }},
4844 };
4849 static decode_as_value_t ssl_da_values[3] = {{ssl_src_prompt, 1, ssl_da_src_values}, {ssl_dst_prompt, 1, ssl_da_dst_values}, {ssl_both_prompt, 2, ssl_da_both_values}};
4855 /* Register the protocol name and description */
4859 ssl_associations = register_dissector_table("tls.port", "TLS Port", proto_tls, FT_UINT16, BASE_DEC);
4862 /* Required function calls to register the header fields and
4863 * subtrees used */
4870 {
4873 #ifdef HAVE_LIBGNUTLS
4875 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, ipaddr, "IP address", ssldecrypt_uat_fld_ip_chk_cb, "IPv4 or IPv6 address (unused)"),
4876 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, port, "Port", ssldecrypt_uat_fld_port_chk_cb, "Port Number (optional)"),
4877 UAT_FLD_DISSECTOR_OTHER(sslkeylist_uats, protocol, "Protocol", ssldecrypt_uat_fld_protocol_chk_cb, "Application Layer Protocol (optional)"),
4878 UAT_FLD_FILENAME_OTHER(sslkeylist_uats, keyfile, "Key File", ssldecrypt_uat_fld_fileopen_chk_cb, "Private keyfile."),
4879 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, password,"Password", ssldecrypt_uat_fld_password_chk_cb, "Password (for PCKS#12 keyfile)"),
4880 UAT_END_FIELDS
4881 };
4891 ssldecrypt_copy_cb,
4892 NULL,
4893 ssldecrypt_free_cb,
4894 ssl_parse_uat,
4895 ssl_reset_uat,
4896 sslkeylist_uats_flds);
4901 ssldecrypt_uat);
4904 "Semicolon-separated list of private RSA keys used for TLS decryption. "
4910 "Redirect TLS debug to the file specified. Leave empty to disable debugging "
4917 "Whether the TLS dissector should reassemble TLS records spanning multiple TCP segments. "
4918 "To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
4923 "Whether the TLS dissector should reassemble TLS Application Data spanning multiple TLS records. ",
4928 "For troubleshooting ignore the mac check result and decrypt also if the Message Authentication Code (MAC) fails.",
4931 /* Port 443 is too overloaded... */
4936 "Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port for these ports, e.g. the overloaded port 443. An ALPN for a connection always has precedence.",
4939 }
4941 /* heuristic dissectors for any preamble e.g. CredSSP before RDP */
4942 ssl_heur_subdissector_list = register_heur_dissector_list_with_description("tls", "TLS data", proto_tls);
4946 proto_tls);
4960 /* XXX: this seems unused due to new "Follow TLS" method, remove? */
4965 register_follow_stream(proto_tls, "tls_follow", tcp_follow_conv_filter, tcp_follow_index_filter, tcp_follow_address_filter,
4968 }
4970 static int dissect_tls_sct_ber(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
4971 {
4973 /* Skip through tag and length for OCTET STRING encoding. */
4976 /*
4977 * RFC 6962 (Certificate Transparency) refers to RFC 5246 (TLS 1.2) for the
4978 * DigitallySigned format, so asssume that version.
4979 */
4980 return tls_dissect_sct_list(&dissect_ssl3_hf, tvb, pinfo, tree, offset, tvb_captured_length(tvb), TLSV1DOT2_VERSION);
4981 }
4983 /* If this dissector uses sub-dissector registration add a registration
4984 * routine. This format is required because a script is used to find
4985 * these routines and create the code that calls these routines.
4986 */
4987 void
4989 {
4995 /* ssl_parse_uat() sets (and thus overwrites) the debug file, so to
4996 * be safe, set it the empty string before calling that so we don't
4997 * overwrite their key log file.
4998 */
5004 }
5005 }
5006 }
5008 #ifdef HAVE_LIBGNUTLS
5009 /* parse key list */
5012 #endif
5014 /*
5015 * XXX the port preferences should probably be removed in favor of Decode
5016 * As. Then proto_reg_handoff_ssl can be removed from
5017 * prefs_register_protocol.
5018 */
5022 }
5027 /* Certificate Transparency extensions: 2 (Certificate), 5 (OCSP Response) */
5028 register_ber_oid_dissector("1.3.6.1.4.1.11129.2.4.2", dissect_tls_sct_ber, proto_tls, "SignedCertificateTimestampList");
5029 register_ber_oid_dissector("1.3.6.1.4.1.11129.2.4.5", dissect_tls_sct_ber, proto_tls, "SignedCertificateTimestampList");
5031 heur_dissector_add("tcp", dissect_ssl_heur, "SSL/TLS over TCP", "tls_tcp", proto_tls, HEURISTIC_ENABLE);
5033 }
5035 void
5037 {
5039 }
5041 void
5043 {
5045 }
5047 /*
5048 * Editor modelines - https://www.wireshark.org/tools/modelines.html
5049 *
5050 * Local variables:
5051 * c-basic-offset: 4
5052 * tab-width: 8
5053 * indent-tabs-mode: nil
5054 * End:
5055 *
5056 * vi: set shiftwidth=4 tabstop=8 expandtab:
5057 * :indentSize=4:tabSize=8:noTabs=true:
5058 */