epan/dissectors/pidl/ C99 drsuapi
[wireshark-sm.git] / epan / dissectors / packet-dtls.c
blob43d8140a9bb8c81282554141e6ba391961b73455
1 /* packet-dtls.c
2 * Routines for dtls dissection
3 * Copyright (c) 2006, Authesserre Samuel <sauthess@gmail.com>
4 * Copyright (c) 2007, Mikael Magnusson <mikma@users.sourceforge.net>
5 * Copyright (c) 2013, Hauke Mehrtens <hauke@hauke-m.de>
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
11 * SPDX-License-Identifier: GPL-2.0-or-later
14 * DTLS dissection and decryption.
15 * See RFC 4347 for details about DTLS specs.
17 * Notes :
18 * This dissector is based on the TLS dissector (packet-tls.c); Because of the similarity
19 * of DTLS and TLS, decryption works like TLS with RSA key exchange.
20 * This dissector uses the sames things (file, libraries) as the TLS dissector (gnutls, packet-tls-utils.h)
21 * to make it easily maintainable.
23 * It was developed to dissect and decrypt the OpenSSL v 0.9.8f DTLS implementation.
24 * It is limited to this implementation; there is no complete implementation.
26 * Implemented :
27 * - DTLS dissection
28 * - DTLS decryption (openssl one)
30 * Todo :
31 * - activate correct Mac calculation when openssl will be corrected
32 * (or if an other implementation works),
33 * corrected code is ready and commented in packet-tls-utils.h file.
34 * - add missing things (desegmentation, reordering... that aren't present in actual OpenSSL implementation)
37 #include "config.h"
39 #include <epan/packet.h>
40 #include <epan/to_str.h>
41 #include <epan/asn1.h>
42 #include <epan/tap.h>
43 #include <epan/reassemble.h>
44 #include <epan/uat.h>
45 #include <epan/sctpppids.h>
46 #include <epan/exported_pdu.h>
47 #include <epan/decode_as.h>
48 #include <epan/proto_data.h>
49 #include <epan/secrets.h> /* for privkey_hash_table_new */
50 #include <epan/tfs.h>
51 #include <wsutil/str_util.h>
52 #include <wsutil/strtoi.h>
53 #include <wsutil/utf8_entities.h>
54 #include <wsutil/rsa.h>
55 #include <wsutil/pint.h>
56 #include "packet-tls-utils.h"
57 #include "packet-dtls.h"
58 #include "packet-rtp.h"
59 #include "packet-rtcp.h"
61 void proto_register_dtls(void);
63 #ifdef HAVE_LIBGNUTLS
64 /* DTLS User Access Table */
65 static ssldecrypt_assoc_t *dtlskeylist_uats;
66 static unsigned ndtlsdecrypt;
67 #endif
69 /* we need to remember the top tree so that subdissectors we call are created
70 * at the root and not deep down inside the DTLS decode
72 static proto_tree *top_tree;
74 /*********************************************************************
76 * Protocol Constants, Variables, Data Structures
78 *********************************************************************/
80 /* https://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml */
82 #define SRTP_PROFILE_RESERVED 0x0000
83 #define SRTP_AES128_CM_HMAC_SHA1_80 0x0001
84 #define SRTP_AES128_CM_HMAC_SHA1_32 0x0002
85 #define SRTP_NULL_HMAC_SHA1_80 0x0005
86 #define SRTP_NULL_HMAC_SHA1_32 0x0006
87 #define SRTP_AEAD_AES_128_GCM 0x0007
88 #define SRTP_AEAD_AES_256_GCM 0x0008
90 #define DTLS13_FIXED_MASK 0xE0
91 #define DTLS13_C_BIT_MASK 0x10
92 #define DTLS13_S_BIT_MASK 0x08
93 #define DTLS13_L_BIT_MASK 0x04
94 #define DTLS13_HDR_EPOCH_BIT_MASK 0x3
96 static const value_string srtp_protection_profile_vals[] = {
97 { SRTP_AES128_CM_HMAC_SHA1_80, "SRTP_AES128_CM_HMAC_SHA1_80" }, /* RFC 5764 */
98 { SRTP_AES128_CM_HMAC_SHA1_32, "SRTP_AES128_CM_HMAC_SHA1_32" },
99 { SRTP_NULL_HMAC_SHA1_80, "SRTP_NULL_HMAC_SHA1_80" },
100 { SRTP_NULL_HMAC_SHA1_32, "SRTP_NULL_HMAC_SHA1_32" },
101 { SRTP_AEAD_AES_128_GCM, "SRTP_AEAD_AES_128_GCM" }, /* RFC 7714 */
102 { SRTP_AEAD_AES_256_GCM, "SRTP_AEAD_AES_256_GCM" },
103 { 0x00, NULL },
106 static const true_false_string dtls_uni_hdr_seq_tfs = {
107 "16 bits",
108 "8 bits"
111 /* Initialize the protocol and registered fields */
112 static int dtls_tap = -1;
113 static int exported_pdu_tap = -1;
114 static int proto_dtls;
115 static int hf_dtls_record;
116 static int hf_dtls_record_content_type;
117 static int hf_dtls_record_special_type;
118 static int hf_dtls_record_version;
119 static int hf_dtls_ack_record_numbers;
120 static int hf_dtls_record_epoch;
121 static int hf_dtls_record_epoch64;
122 static int hf_dtls_record_sequence_number;
123 static int hf_dtls_record_sequence_suffix;
124 static int hf_dtls_record_sequence_suffix_dec;
125 static int hf_dtls_record_connection_id;
126 static int hf_dtls_record_length;
127 static int hf_dtls_record_appdata;
128 static int hf_dtls_record_appdata_proto;
129 static int hf_dtls_record_encrypted_content;
130 static int hf_dtls_alert_message;
131 static int hf_dtls_alert_message_level;
132 static int hf_dtls_alert_message_description;
133 static int hf_dtls_handshake_protocol;
134 static int hf_dtls_handshake_type;
135 static int hf_dtls_handshake_length;
136 static int hf_dtls_handshake_message_seq;
137 static int hf_dtls_handshake_fragment_offset;
138 static int hf_dtls_handshake_fragment_length;
140 static int hf_dtls_heartbeat_message;
141 static int hf_dtls_heartbeat_message_type;
142 static int hf_dtls_heartbeat_message_payload_length;
143 static int hf_dtls_heartbeat_message_payload;
144 static int hf_dtls_heartbeat_message_padding;
146 static int hf_dtls_ack_message;
147 static int hf_dtls_ack_record_numbers_length;
148 static int hf_dtls_fragments;
149 static int hf_dtls_fragment;
150 static int hf_dtls_fragment_overlap;
151 static int hf_dtls_fragment_overlap_conflicts;
152 static int hf_dtls_fragment_multiple_tails;
153 static int hf_dtls_fragment_too_long_fragment;
154 static int hf_dtls_fragment_error;
155 static int hf_dtls_fragment_count;
156 static int hf_dtls_reassembled_in;
157 static int hf_dtls_reassembled_length;
159 static int hf_dtls_hs_ext_use_srtp_protection_profiles_length;
160 static int hf_dtls_hs_ext_use_srtp_protection_profile;
161 static int hf_dtls_hs_ext_use_srtp_mki_length;
162 static int hf_dtls_hs_ext_use_srtp_mki;
164 static int hf_dtls_uni_hdr;
165 static int hf_dtls_uni_hdr_fixed;
166 static int hf_dtls_uni_hdr_cid;
167 static int hf_dtls_uni_hdr_seq;
168 static int hf_dtls_uni_hdr_len;
169 static int hf_dtls_uni_hdr_epoch;
171 /* header fields used in ssl-utils, but defined here. */
172 static dtls_hfs_t dtls_hfs;
174 /* Initialize the subtree pointers */
175 static int ett_dtls;
176 static int ett_dtls_record;
177 static int ett_dtls_alert;
178 static int ett_dtls_handshake;
179 static int ett_dtls_heartbeat;
180 static int ett_dtls_ack;
181 static int ett_dtls_ack_record_numbers;
182 static int ett_dtls_ack_record_number;
183 static int ett_dtls_certs;
184 static int ett_dtls_uni_hdr;
186 static int ett_dtls_fragment;
187 static int ett_dtls_fragments;
189 static expert_field ei_dtls_handshake_fragment_length_too_long;
190 static expert_field ei_dtls_handshake_fragment_length_zero;
191 static expert_field ei_dtls_handshake_fragment_past_end_msg;
192 static expert_field ei_dtls_msg_len_diff_fragment;
193 static expert_field ei_dtls_heartbeat_payload_length;
194 static expert_field ei_dtls_cid_invalid_content_type;
195 static expert_field ei_dtls_use_srtp_profiles_length;
196 #if 0
197 static expert_field ei_dtls_cid_invalid_enc_content;
198 #endif
200 #ifdef HAVE_LIBGNUTLS
201 static GHashTable *dtls_key_hash;
202 static wmem_stack_t *key_list_stack;
203 static uat_t *dtlsdecrypt_uat;
204 static const char *dtls_keys_list;
205 #endif
206 static reassembly_table dtls_reassembly_table;
207 static dissector_table_t dtls_associations;
208 static dissector_handle_t dtls_handle;
209 static StringInfo dtls_compressed_data;
210 static StringInfo dtls_decrypted_data;
211 static int dtls_decrypted_data_avail;
213 static ssl_common_options_t dtls_options;
214 static const char *dtls_debug_file_name;
216 static uint32_t dtls_default_client_cid_length;
217 static uint32_t dtls_default_server_cid_length;
219 static heur_dissector_list_t heur_subdissector_list;
221 static const fragment_items dtls_frag_items = {
222 /* Fragment subtrees */
223 &ett_dtls_fragment,
224 &ett_dtls_fragments,
225 /* Fragment fields */
226 &hf_dtls_fragments,
227 &hf_dtls_fragment,
228 &hf_dtls_fragment_overlap,
229 &hf_dtls_fragment_overlap_conflicts,
230 &hf_dtls_fragment_multiple_tails,
231 &hf_dtls_fragment_too_long_fragment,
232 &hf_dtls_fragment_error,
233 &hf_dtls_fragment_count,
234 /* Reassembled in field */
235 &hf_dtls_reassembled_in,
236 /* Reassembled length field */
237 &hf_dtls_reassembled_length,
238 /* Reassembled data field */
239 NULL,
240 /* Tag */
241 "Message fragments"
244 static SSL_COMMON_LIST_T(dissect_dtls_hf);
246 /* initialize/reset per capture state data (dtls sessions cache) */
247 static void
248 dtls_init(void)
250 module_t *dtls_module = prefs_find_module("dtls");
251 pref_t *keys_list_pref;
253 ssl_data_alloc(&dtls_decrypted_data, 32);
254 ssl_data_alloc(&dtls_compressed_data, 32);
256 /* We should have loaded "keys_list" by now. Mark it obsolete */
257 if (dtls_module) {
258 keys_list_pref = prefs_find_preference(dtls_module, "keys_list");
259 if (! prefs_get_preference_obsolete(keys_list_pref)) {
260 prefs_set_preference_obsolete(keys_list_pref);
264 ssl_init_cid_list();
267 static void
268 dtls_cleanup(void)
270 ssl_cleanup_cid_list();
272 #ifdef HAVE_LIBGNUTLS
273 if (key_list_stack != NULL) {
274 wmem_destroy_stack(key_list_stack);
275 key_list_stack = NULL;
277 #endif
278 g_free(dtls_decrypted_data.data);
279 g_free(dtls_compressed_data.data);
282 #ifdef HAVE_LIBGNUTLS
283 /* parse dtls related preferences (private keys and ports association strings) */
284 static void
285 dtls_parse_uat(void)
287 unsigned i, port;
288 dissector_handle_t handle;
290 if (dtls_key_hash)
292 g_hash_table_destroy(dtls_key_hash);
295 /* remove only associations created from key list */
296 if (key_list_stack != NULL) {
297 while (wmem_stack_count(key_list_stack) > 0) {
298 port = GPOINTER_TO_UINT(wmem_stack_pop(key_list_stack));
299 handle = dissector_get_uint_handle(dtls_associations, port);
300 if (handle != NULL)
301 ssl_association_remove("dtls.port", dtls_handle, handle, port, false);
305 /* parse private keys string, load available keys and put them in key hash*/
306 dtls_key_hash = privkey_hash_table_new();
308 ssl_set_debug(dtls_debug_file_name);
310 if (ndtlsdecrypt > 0)
312 if (key_list_stack == NULL)
313 key_list_stack = wmem_stack_new(NULL);
315 for (i = 0; i < ndtlsdecrypt; i++)
317 ssldecrypt_assoc_t *d = &(dtlskeylist_uats[i]);
318 ssl_parse_key_list(d, dtls_key_hash, "dtls.port", dtls_handle, false);
319 if (key_list_stack && ws_strtou32(d->port, NULL, &port))
320 wmem_stack_push(key_list_stack, GUINT_TO_POINTER(port));
324 dissector_add_for_decode_as("sctp.port", dtls_handle);
325 dissector_add_for_decode_as("udp.port", dtls_handle);
328 static void
329 dtls_reset_uat(void)
331 g_hash_table_destroy(dtls_key_hash);
332 dtls_key_hash = NULL;
335 static void
336 dtls_parse_old_keys(void)
338 char **old_keys, **parts, *err;
339 unsigned i;
340 char *uat_entry;
342 /* Import old-style keys */
343 if (dtlsdecrypt_uat && dtls_keys_list && dtls_keys_list[0]) {
344 old_keys = g_strsplit(dtls_keys_list, ";", 0);
345 for (i = 0; old_keys[i] != NULL; i++) {
346 parts = g_strsplit(old_keys[i], ",", 4);
347 if (parts[0] && parts[1] && parts[2] && parts[3]) {
348 char *path = uat_esc(parts[3], (unsigned)strlen(parts[3]));
349 uat_entry = wmem_strdup_printf(NULL, "\"%s\",\"%s\",\"%s\",\"%s\",\"\"",
350 parts[0], parts[1], parts[2], path);
351 g_free(path);
352 if (!uat_load_str(dtlsdecrypt_uat, uat_entry, &err)) {
353 ssl_debug_printf("dtls_parse: Can't load UAT string %s: %s\n",
354 uat_entry, err);
355 g_free(err);
357 wmem_free(NULL, uat_entry);
359 g_strfreev(parts);
361 g_strfreev(old_keys);
364 #endif /* HAVE_LIBGNUTLS */
367 * DTLS Dissection Routines
371 /* record layer dissectors */
372 static int dissect_dtls_record(tvbuff_t *tvb, packet_info *pinfo,
373 proto_tree *tree, uint32_t offset,
374 SslSession *session, int is_from_server,
375 SslDecryptSession *conv_data,
376 uint8_t curr_layer_num_ssl);
377 static int dissect_dtls13_record(tvbuff_t *tvb, packet_info *pinfo,
378 proto_tree *tree, uint32_t offset,
379 SslSession *session, int is_from_server,
380 SslDecryptSession *conv_data,
381 uint8_t curr_layer_num_ssl);
383 /* alert message dissector */
384 static void dissect_dtls_alert(tvbuff_t *tvb, packet_info *pinfo,
385 proto_tree *tree, uint32_t offset,
386 const SslSession *session);
388 /* handshake protocol dissector */
389 static void dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo,
390 proto_tree *tree, uint32_t offset,
391 uint32_t record_length, bool maybe_encrypted,
392 SslSession *session, int is_from_server,
393 SslDecryptSession *conv_data, uint8_t content_type);
395 /* heartbeat message dissector */
396 static void dissect_dtls_heartbeat(tvbuff_t *tvb, packet_info *pinfo,
397 proto_tree *tree, uint32_t offset,
398 const SslSession *session, uint32_t record_length,
399 bool decrypted);
401 /* acknowledgement message dissector */
402 static void dissect_dtls_ack(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, uint32_t offset, uint32_t record_length);
404 static int dissect_dtls_hnd_hello_verify_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
405 packet_info *pinfo, proto_tree *tree,
406 uint32_t offset, uint32_t offset_end);
409 * Support Functions
413 static int looks_like_dtls(tvbuff_t *tvb, uint32_t offset);
415 /*********************************************************************
417 * Main dissector
419 *********************************************************************/
421 * Code to actually dissect the packets
423 static int
424 dissect_dtls(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
427 conversation_t *conversation;
428 proto_item *ti;
429 proto_tree *dtls_tree;
430 uint32_t offset;
431 SslDecryptSession *ssl_session = NULL;
432 SslSession *session = NULL;
433 int is_from_server;
434 uint8_t curr_layer_num_ssl = pinfo->curr_layer_num;
436 ti = NULL;
437 dtls_tree = NULL;
438 offset = 0;
439 ssl_session = NULL;
440 top_tree = tree;
442 /* Track the version using conversations allows
443 * us to more frequently set the protocol column properly
444 * for continuation data frames.
446 * Also: We use the copy in conv_version as our cached copy,
447 * so that we don't have to search the conversation
448 * table every time we want the version; when setting
449 * the conv_version, must set the copy in the conversation
450 * in addition to conv_version
452 conversation = find_or_create_conversation(pinfo);
454 uint8_t record_type = tvb_get_uint8(tvb, offset);
456 /* try to get decrypt session from the connection ID only for the first pass,
457 * it should be available from the conversation in the second pass
459 if (record_type == SSL_ID_TLS12_CID && !PINFO_FD_VISITED(pinfo)) {
460 // CID length is not embedded in the packet
461 ssl_session = ssl_get_session_by_cid(tvb, offset+11);
463 if (ssl_session) {
464 // update conversation
465 conversation_add_proto_data(conversation,
466 dissector_handle_get_protocol_index(dtls_handle),
467 ssl_session);
471 /* if session cannot be retrieved from connection ID, get or create it from conversation */
472 if (ssl_session == NULL) {
473 ssl_session = ssl_get_session(conversation, dtls_handle);
476 session = &ssl_session->session;
478 if (session->last_nontls_frame != 0 &&
479 session->last_nontls_frame >= pinfo->num) {
480 /* This conversation started at a different protocol and STARTTLS was
481 * used, but this packet comes too early.
482 * XXX - Does anything use STARTTLS with DTLS? Would we get here anyway,
483 * since we don't call conversation_set_dissector[_from_frame_number] for
484 * DTLS? Regardless, dissect_dtls_heur should check for this 0 and return
485 * false.
487 return 0;
490 ssl_debug_printf("\ndissect_dtls enter frame #%u (%s)\n", pinfo->num, pinfo->fd->visited ? "already visited" : "first time");
491 is_from_server = ssl_packet_from_server(session, dtls_associations, pinfo);
493 /* try decryption only the first time we see this packet
494 * (to keep cipher synchronized) */
495 if (pinfo->fd->visited)
496 ssl_session = NULL;
498 /* Initialize the protocol column; we'll set it later when we
499 * figure out what flavor of DTLS it is */
500 col_set_str(pinfo->cinfo, COL_PROTOCOL, "DTLS");
502 /* clear the info column */
503 col_clear(pinfo->cinfo, COL_INFO);
505 /* Create display subtree for SSL as a whole */
506 ti = proto_tree_add_item(tree, proto_dtls, tvb, 0, -1, ENC_NA);
507 dtls_tree = proto_item_add_subtree(ti, ett_dtls);
509 /* iterate through the records in this tvbuff */
510 while (tvb_reported_length_remaining(tvb, offset) != 0)
512 /* first try to dispatch off the cached version
513 * known to be associated with the conversation
515 * In fact, all versions of DTLS have the same dissector. Note as
516 * we don't set DTLS as the conversation dissector, either
517 * looks_like_dtls() passed in dissect_dtls_heur(), or this has
518 * been set to DTLS explicitly via the port or some other method,
519 * so we already think this is DTLS. We don't expect Continuation
520 * Data over UDP datagrams (unlike TCP segments), but we'll check
521 * the content type in dissect_dtls_record and mark as Continuation
522 * Data if an unknown type, so the only thing calling looks_like_dtls()
523 * here would do is additionally verify the legacy_record_version -
524 * which MUST be ignored for all purposes per RFC 9147.
526 switch(session->version) {
527 case DTLSV1DOT0_VERSION:
528 case DTLSV1DOT0_OPENSSL_VERSION:
529 case DTLSV1DOT2_VERSION:
530 case DTLSV1DOT3_VERSION:
531 default:
532 offset = dissect_dtls_record(tvb, pinfo, dtls_tree,
533 offset, session, is_from_server,
534 ssl_session, curr_layer_num_ssl);
535 break;
539 // XXX there is no Follow DTLS Stream, is this tap needed?
540 tap_queue_packet(dtls_tap, pinfo, NULL);
541 return tvb_captured_length(tvb);
544 static uint8_t dtls_cid_length(SslSession *session, bool is_from_server)
546 uint8_t cid_length;
548 if (is_from_server) {
549 if (session && session->client_cid_len_present) {
550 cid_length = session->client_cid_len;
551 } else {
552 cid_length = (uint8_t)dtls_default_client_cid_length;
554 } else {
555 if (session && session->server_cid_len_present) {
556 cid_length = session->server_cid_len;
557 } else {
558 cid_length = (uint8_t)dtls_default_server_cid_length;
562 return cid_length;
565 static bool
566 dissect_dtls_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
569 /* Stronger confirmation of DTLS packet is provided by verifying the
570 * captured payload length against the remainder of the UDP packet size. */
571 unsigned length = tvb_captured_length(tvb);
572 unsigned offset = 0;
573 unsigned record_length = 0;
574 SslDecryptSession *ssl_session = NULL;
575 SslSession *session = NULL;
577 if (tvb_reported_length(tvb) == length) {
578 /* The entire payload was captured. */
579 while (offset + 13 <= length && looks_like_dtls(tvb, offset)) {
580 /* Advance offset to the end of the current DTLS record */
581 uint8_t record_type = tvb_get_uint8(tvb, offset);
583 if ((record_type & DTLS13_FIXED_MASK) >> 5 == 1) {
584 offset += 1;
585 /* With the DTLS 1.3 Unified Header, the legacy_record_version
586 * field is encrypted, so our heuristics are weaker. Only accept
587 * the frame if we already have seen DTLS (with the correct CID,
588 * if the CID is included) on the connection.
589 * N.B. - We don't call conversation_set_dissector_from_frame_number
590 * like in packet-tls.c because DTLS is commonly multiplexed with
591 * SRTP/SRTCP/STUN/TURN/ZRTP per RFC 7983. (And now QUIC, RFC 9443.)
593 if (record_type & DTLS13_C_BIT_MASK) {
594 /* CID length is not embedded in the packet */
595 ssl_session = ssl_get_session_by_cid(tvb, offset);
596 session = ssl_session ? &ssl_session->session : NULL;
597 int is_from_server = ssl_packet_from_server(session, dtls_associations, pinfo);
598 offset += dtls_cid_length(session, is_from_server);
599 } else {
600 /* No CID, just look for a session on this conversation. Don't
601 * call ssl_get_session here, as we don't want to allocate a new
602 * session. */
603 conversation_t *conversation = find_or_create_conversation(pinfo);
604 ssl_session = conversation_get_proto_data(conversation, proto_dtls);
605 session = ssl_session ? &ssl_session->session : NULL;
607 if (session == NULL) {
608 return false;
610 offset += (record_type & DTLS13_S_BIT_MASK) ? 2 : 1;
611 if (record_type & DTLS13_L_BIT_MASK) {
612 record_length = tvb_get_ntohs(tvb, offset);
613 offset += 2;
614 } else {
615 /* Length not present, so the heuristic is weaker. */
616 record_length = tvb_reported_length_remaining(tvb, offset);
618 } else {
619 offset += 11;
620 if (record_type == SSL_ID_TLS12_CID) {
621 /* CID length is not embedded in the packet */
622 ssl_session = ssl_get_session_by_cid(tvb, offset);
623 session = ssl_session ? &ssl_session->session : NULL;
624 int is_from_server = ssl_packet_from_server(session, dtls_associations, pinfo);
625 offset += dtls_cid_length(session, is_from_server);
627 record_length = tvb_get_ntohs(tvb, offset);
628 offset += 2;
630 offset += record_length;
631 if (offset == length) {
632 dissect_dtls(tvb, pinfo, tree, data);
633 return true;
637 if (pinfo->fragmented && offset >= 13) {
638 dissect_dtls(tvb, pinfo, tree, data);
639 return true;
641 return false;
644 /* This packet was truncated by the capture process due to a snapshot
645 * length - do our best with what we've got. */
646 while (tvb_captured_length_remaining(tvb, offset) >= 3) {
647 if (!looks_like_dtls(tvb, offset))
648 return false;
650 offset += 3;
651 if (tvb_captured_length_remaining(tvb, offset) >= 10 ) {
652 offset += tvb_get_ntohs(tvb, offset + 8) + 10;
653 } else {
654 /* Dissect what we've got, which might be as little as 3 bytes. */
655 dissect_dtls(tvb, pinfo, tree, data);
656 return true;
658 if (offset == length) {
659 /* Can this ever happen? Well, just in case ... */
660 dissect_dtls(tvb, pinfo, tree, data);
661 return true;
665 /* One last check to see if the current offset is at least less than the
666 * original number of bytes present before truncation or we're dealing with
667 * a packet fragment that's also been truncated. */
668 if ((length >= 3) && (offset <= tvb_reported_length(tvb) || pinfo->fragmented)) {
669 dissect_dtls(tvb, pinfo, tree, data);
670 return true;
672 return false;
675 static bool
676 dtls_is_null_cipher(unsigned cipher )
678 switch(cipher) {
679 case 0x0000:
680 case 0x0001:
681 case 0x0002:
682 case 0x002c:
683 case 0x002d:
684 case 0x002e:
685 case 0x003b:
686 case 0x00b0:
687 case 0x00b1:
688 case 0x00b4:
689 case 0x00b5:
690 case 0x00b8:
691 case 0x00b9:
692 case 0xc001:
693 case 0xc006:
694 case 0xc00b:
695 case 0xc010:
696 case 0xc015:
697 case 0xc039:
698 case 0xc03a:
699 case 0xc03b:
700 return true;
701 default:
702 return false;
706 static void
707 dtls_save_decrypted_record(packet_info *pinfo, int record_id, uint8_t content_type, uint8_t curr_layer_num_ssl, bool inner_content_type)
709 const unsigned char *data = dtls_decrypted_data.data;
710 unsigned datalen = dtls_decrypted_data_avail;
712 if (datalen == 0) {
713 return;
716 if (content_type == SSL_ID_TLS12_CID || inner_content_type) {
718 * The actual data is followed by the content type and then zero or
719 * more padding. Scan backwards for content type, skipping padding.
721 while (datalen > 0 && data[datalen - 1] == 0) {
722 datalen--;
724 ssl_debug_printf("%s found %d padding bytes\n", G_STRFUNC, dtls_decrypted_data_avail - datalen);
725 if (datalen == 0) {
726 ssl_debug_printf("%s there is no room for content type!\n", G_STRFUNC);
727 return;
729 content_type = data[--datalen];
730 if (datalen == 0) {
731 return;
735 ssl_add_record_info(proto_dtls, pinfo, data, datalen, record_id, NULL, (ContentType)content_type, curr_layer_num_ssl);
738 static bool
739 decrypt_dtls_record(tvbuff_t *tvb, packet_info *pinfo, uint32_t offset, SslDecryptSession *ssl,
740 uint8_t content_type, uint16_t record_version, uint16_t record_length, uint8_t curr_layer_num_ssl,
741 const unsigned char *cid, uint8_t cid_length)
743 bool success;
744 SslDecoder *decoder;
746 /* if we can decrypt and decryption have success
747 * add decrypted data to this packet info */
748 if (!ssl || ((ssl->session.version != DTLSV1DOT3_VERSION) && !(ssl->state & SSL_HAVE_SESSION_KEY))) {
749 ssl_debug_printf("decrypt_dtls_record: no session key\n");
750 return false;
752 ssl_debug_printf("decrypt_dtls_record: app_data len %d, ssl state %X\n",
753 record_length, ssl->state);
755 /* retrieve decoder for this packet direction */
756 if (ssl_packet_from_server(&ssl->session, dtls_associations, pinfo) != 0) {
757 ssl_debug_printf("decrypt_dtls_record: using server decoder\n");
758 decoder = ssl->server;
760 else {
761 ssl_debug_printf("decrypt_dtls_record: using client decoder\n");
762 decoder = ssl->client;
765 if (!decoder && !dtls_is_null_cipher(ssl->session.cipher)) {
766 ssl_debug_printf("decrypt_dtls_record: no decoder available\n");
767 return false;
770 /* ensure we have enough storage space for decrypted data */
771 if (record_length > dtls_decrypted_data.data_len)
773 ssl_debug_printf("decrypt_dtls_record: allocating %d bytes"
774 " for decrypt data (old len %d)\n",
775 record_length + 32, dtls_decrypted_data.data_len);
776 dtls_decrypted_data.data = (unsigned char *)g_realloc(dtls_decrypted_data.data,
777 record_length + 32);
778 dtls_decrypted_data.data_len = record_length + 32;
781 /* run decryption and add decrypted payload to protocol data, if decryption
782 * is successful*/
783 dtls_decrypted_data_avail = dtls_decrypted_data.data_len;
784 if (ssl->state & SSL_HAVE_SESSION_KEY || ssl->session.version == DTLSV1DOT3_VERSION) {
785 if (!decoder) {
786 ssl_debug_printf("decrypt_dtls_record: no decoder available\n");
787 return false;
789 success = ssl_decrypt_record(ssl, decoder, content_type, record_version, false,
790 tvb_get_ptr(tvb, offset, record_length), record_length, cid, cid_length,
791 &dtls_compressed_data, &dtls_decrypted_data, &dtls_decrypted_data_avail) == 0;
793 else if (dtls_is_null_cipher(ssl->session.cipher)) {
794 /* Non-encrypting cipher NULL-XXX */
795 tvb_memcpy(tvb, dtls_decrypted_data.data, offset, record_length);
796 dtls_decrypted_data_avail = dtls_decrypted_data.data_len = record_length;
797 success = true;
798 } else {
799 success = false;
802 if (success) {
803 dtls_save_decrypted_record(pinfo, tvb_raw_offset(tvb)+offset, content_type, curr_layer_num_ssl, ssl->session.version == DTLSV1DOT3_VERSION);
805 return success;
808 static void
809 export_pdu_packet(tvbuff_t *tvb, packet_info *pinfo, uint8_t tag, const char *name)
811 exp_pdu_data_t *exp_pdu_data = export_pdu_create_common_tags(pinfo, name, tag);
813 exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb);
814 exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb);
815 exp_pdu_data->pdu_tvb = tvb;
817 tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
821 /*********************************************************************
823 * DTLS Dissection Routines
825 *********************************************************************/
827 static void
828 dissect_dtls_appdata(tvbuff_t *tvb, packet_info *pinfo, uint32_t offset,
829 uint32_t record_length, SslSession *session,
830 proto_tree *dtls_record_tree, bool is_from_server,
831 tvbuff_t *decrypted, SslRecordInfo *record)
833 heur_dtbl_entry_t *hdtbl_entry;
834 proto_item *ti;
835 /* show on info column what we are decoding */
836 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Application Data");
838 /* app_handle discovery is done here instead of dissect_dtls_payload()
839 * because the protocol name needs to be displayed below. */
840 if (!session->app_handle) {
841 /* Unknown protocol handle, ssl_starttls_ack was not called before.
842 * Try to find an appropriate dissection handle and cache it. */
843 dissector_handle_t handle;
844 handle = dissector_get_uint_handle(dtls_associations, pinfo->srcport);
845 handle = handle ? handle : dissector_get_uint_handle(dtls_associations, pinfo->destport);
846 if (handle) session->app_handle = handle;
849 proto_item_set_text(dtls_record_tree,
850 "%s Record Layer: %s Protocol: %s",
851 val_to_str_const(session->version, ssl_version_short_names, "DTLS"),
852 val_to_str_const(SSL_ID_APP_DATA, ssl_31_content_type, "unknown"),
853 session->app_handle
854 ? dissector_handle_get_protocol_long_name(session->app_handle)
855 : "Application Data");
857 proto_tree_add_item(dtls_record_tree, hf_dtls_record_appdata, tvb,
858 offset, record_length, ENC_NA);
860 if (session->app_handle) {
861 ti = proto_tree_add_string(dtls_record_tree, hf_dtls_record_appdata_proto, tvb, 0, 0, dissector_handle_get_protocol_long_name(session->app_handle));
862 proto_item_set_generated(ti);
865 /* show decrypted data info, if available */
866 if (decrypted) {
867 bool dissected;
868 uint16_t saved_match_port;
869 /* try to dissect decrypted data*/
870 ssl_debug_printf("%s decrypted len %d\n", G_STRFUNC, record->data_len);
872 saved_match_port = pinfo->match_uint;
873 if (is_from_server) {
874 pinfo->match_uint = pinfo->srcport;
875 } else {
876 pinfo->match_uint = pinfo->destport;
879 /* find out a dissector using server port*/
880 if (session->app_handle) {
881 ssl_debug_printf("%s: found handle %p (%s)\n", G_STRFUNC,
882 (void *)session->app_handle,
883 dissector_handle_get_dissector_name(session->app_handle));
884 ssl_print_data("decrypted app data", record->plain_data, record->data_len);
886 if (have_tap_listener(exported_pdu_tap)) {
887 export_pdu_packet(decrypted, pinfo, EXP_PDU_TAG_DISSECTOR_NAME,
888 dissector_handle_get_dissector_name(session->app_handle));
891 dissected = (bool)call_dissector_only(session->app_handle, decrypted, pinfo, top_tree, NULL);
893 else {
894 /* try heuristic subdissectors */
895 dissected = dissector_try_heuristic(heur_subdissector_list, decrypted, pinfo, top_tree, &hdtbl_entry, NULL);
896 if (dissected && have_tap_listener(exported_pdu_tap)) {
897 export_pdu_packet(decrypted, pinfo, EXP_PDU_TAG_HEUR_DISSECTOR_NAME, hdtbl_entry->short_name);
900 pinfo->match_uint = saved_match_port;
901 /* fallback to data dissector */
902 if (!dissected)
903 call_data_dissector(decrypted, pinfo, top_tree);
906 /* Dissect a DTLS record from version 1.2 and below */
907 static int
908 dissect_dtls_record(tvbuff_t *tvb, packet_info *pinfo,
909 proto_tree *tree, uint32_t offset,
910 SslSession *session, int is_from_server,
911 SslDecryptSession* ssl,
912 uint8_t curr_layer_num_ssl)
916 * struct {
917 * uint8 major, minor;
918 * } ProtocolVersion;
921 * enum {
922 * change_cipher_spec(20), alert(21), handshake(22),
923 * application_data(23), (255)
924 * } ContentType;
926 * struct {
927 * ContentType type;
928 * ProtocolVersion version;
929 * uint16 epoch; // New field
930 * uint48 sequence_number; // New field
931 * uint16 length;
932 * opaque fragment[TLSPlaintext.length];
933 * } DTLSPlaintext;
936 * draft-ietf-tls-dtls-connection-id-07:
938 * struct {
939 * ContentType special_type = tls12_cid;
940 * ProtocolVersion version;
941 * uint16 epoch;
942 * uint48 sequence_number;
943 * opaque cid[cid_length]; // New field
944 * uint16 length;
945 * opaque enc_content[DTLSCiphertext.length];
946 * } DTLSCiphertext;
950 uint32_t dtls_record_length;
951 uint32_t record_length;
952 uint16_t version;
953 uint16_t epoch;
954 uint64_t sequence_number;
955 uint8_t content_type;
956 unsigned content_type_offset;
957 uint8_t next_byte;
958 proto_tree *ti;
959 proto_tree *dtls_record_tree;
960 proto_item *length_pi, *ct_pi;
961 tvbuff_t *decrypted;
962 SslRecordInfo *record = NULL;
963 uint8_t *cid = NULL;
964 uint8_t cid_length;
966 /* Connection ID length to use if any */
967 cid_length = dtls_cid_length(session, is_from_server);
970 * Get the record layer fields of interest
972 content_type = tvb_get_uint8(tvb, offset);
973 if ((content_type & DTLS13_FIXED_MASK) >> 5 == 1) {
974 /* RFC 9147 s4.1: this is a DTLS 1.3 Unified Header record */
975 return dissect_dtls13_record(tvb, pinfo, tree, offset, session,
976 is_from_server, ssl, curr_layer_num_ssl);
978 version = tvb_get_ntohs(tvb, offset + 1);
979 epoch = tvb_get_ntohs(tvb, offset + 3);
980 sequence_number = tvb_get_ntoh48(tvb, offset + 5);
982 if (content_type == SSL_ID_TLS12_CID && cid_length > 0) {
983 cid = tvb_memdup(pinfo->pool, tvb, offset + 11, cid_length);
984 record_length = tvb_get_ntohs(tvb, offset + cid_length + 11);
985 dtls_record_length = 13 + cid_length + record_length;
986 } else {
987 record_length = tvb_get_ntohs(tvb, offset + 11);
988 dtls_record_length = 13 + record_length;
991 if (!ssl_is_valid_content_type(content_type)) {
993 /* if we don't have a valid content_type, there's no sense
994 * continuing any further
996 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Continuation Data");
998 /* If GUI, show unrecognized data in tree */
999 ti = proto_tree_add_item(tree, hf_dtls_record, tvb,
1000 offset, dtls_record_length, ENC_NA);
1001 dtls_record_tree = proto_item_add_subtree(ti, ett_dtls_record);
1002 proto_item_set_text(dtls_record_tree, "%s Record Layer: unrecognized content type 0x%02x",
1003 val_to_str_const(session->version, ssl_version_short_names, "DTLS"),
1004 content_type);
1006 return offset + dtls_record_length;
1009 if (ssl) {
1010 if (is_from_server) {
1011 if (ssl->server) {
1012 ssl->server->seq = sequence_number;
1013 ssl->server->epoch = epoch;
1015 } else {
1016 if (ssl->client) {
1017 ssl->client->seq = sequence_number;
1018 ssl->client->epoch = epoch;
1024 * If GUI, fill in record layer part of tree
1027 /* add the record layer subtree header */
1028 ti = proto_tree_add_item(tree, hf_dtls_record, tvb,
1029 offset, dtls_record_length, ENC_NA);
1030 dtls_record_tree = proto_item_add_subtree(ti, ett_dtls_record);
1032 /* show the one-byte content type */
1033 if (content_type == SSL_ID_TLS12_CID) {
1034 ct_pi = proto_tree_add_item(dtls_record_tree, hf_dtls_record_special_type,
1035 tvb, offset, 1, ENC_BIG_ENDIAN);
1036 } else {
1037 ct_pi = proto_tree_add_item(dtls_record_tree, hf_dtls_record_content_type,
1038 tvb, offset, 1, ENC_BIG_ENDIAN);
1040 content_type_offset = offset;
1041 offset++;
1043 /* add the version */
1044 proto_tree_add_item(dtls_record_tree, hf_dtls_record_version, tvb,
1045 offset, 2, ENC_BIG_ENDIAN);
1046 offset += 2;
1048 /* show epoch */
1049 proto_tree_add_uint(dtls_record_tree, hf_dtls_record_epoch, tvb, offset, 2, epoch);
1050 offset += 2;
1052 /* add sequence_number */
1053 proto_tree_add_uint64(dtls_record_tree, hf_dtls_record_sequence_number, tvb, offset, 6, sequence_number);
1054 offset += 6;
1056 if (content_type == SSL_ID_TLS12_CID) {
1057 /* add connection ID */
1058 proto_tree_add_item(dtls_record_tree, hf_dtls_record_connection_id, tvb, offset, cid_length, ENC_NA);
1059 offset += cid_length;
1062 /* add the length */
1063 length_pi = proto_tree_add_uint(dtls_record_tree, hf_dtls_record_length, tvb,
1064 offset, 2, record_length);
1065 offset += 2; /* move past length field itself */
1068 * if we don't already have a version set for this conversation,
1069 * but this message's version is authoritative (i.e., it's
1070 * not client_hello), then save the version to the conversation
1071 * structure and print the column version.
1073 next_byte = tvb_get_uint8(tvb, offset);
1074 if (session->version == SSL_VER_UNKNOWN) {
1075 if (version == DTLSV1DOT2_VERSION && content_type == SSL_ID_HANDSHAKE) {
1077 * if the version in the header is DTLS 1.2, this may actually be
1078 * a DTLS 1.3 handshake; this must be determined from any
1079 * supported_versions extension in the hello messages. We'll check
1080 * this later in dissect_dtls_handshake, but try to get the column
1081 * correct here on the first pass if we can.
1083 if (next_byte == SSL_HND_SERVER_HELLO && record_length > 12 && tvb_bytes_exist(tvb, offset, 12)) {
1084 uint32_t fragment_offset = tvb_get_ntoh24(tvb, offset + 6);
1085 uint32_t fragment_length = tvb_get_ntoh24(tvb, offset + 9);
1086 if (fragment_offset == 0 && tvb_bytes_exist(tvb, offset + 12, fragment_length)) {
1087 /* Only look at the first fragment. */
1088 tls_scan_server_hello(tvb, offset + 12, offset + 12 + fragment_length, &version, NULL);
1092 ssl_try_set_version(session, ssl, content_type, next_byte, true, version);
1094 col_set_str(pinfo->cinfo, COL_PROTOCOL,
1095 val_to_str_const(session->version, ssl_version_short_names, "DTLS"));
1098 * now dissect the next layer
1100 ssl_debug_printf("dissect_dtls_record: content_type %d epoch %d seq %"PRIu64"\n", content_type, epoch, sequence_number);
1102 /* try to decrypt record on the first pass, if possible. Store decrypted
1103 * record for later usage (without having to decrypt again).
1104 * DTLSv1.3 records are decrypted from dissect_dtls13_record */
1105 if (ssl && (ssl->session.version != DTLSV1DOT3_VERSION)) {
1106 decrypt_dtls_record(tvb, pinfo, offset, ssl, content_type, version, record_length, curr_layer_num_ssl, cid, cid_length);
1108 decrypted = ssl_get_record_info(tvb, proto_dtls, pinfo, tvb_raw_offset(tvb)+offset, curr_layer_num_ssl, &record);
1109 if (decrypted) {
1110 add_new_data_source(pinfo, decrypted, "Decrypted DTLS");
1112 if (content_type == SSL_ID_TLS12_CID) {
1113 content_type = record->type;
1114 ti = proto_tree_add_uint(dtls_record_tree, hf_dtls_record_content_type,
1115 tvb, content_type_offset, 1, record->type);
1116 proto_item_set_generated(ti);
1119 ssl_check_record_length(&dissect_dtls_hf, pinfo, (ContentType)content_type, record_length, length_pi, session->version, decrypted);
1121 /* extract the real record from the connection ID record */
1122 if (content_type == SSL_ID_TLS12_CID) {
1123 proto_item_set_text(dtls_record_tree, "%s Record Layer: Connection ID",
1124 val_to_str_const(session->version, ssl_version_short_names, "DTLS"));
1126 /* if content cannot be deciphered or the content is invalid */
1127 if (decrypted == NULL) {
1128 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Connection ID");
1129 proto_tree_add_item(dtls_record_tree, hf_dtls_record_encrypted_content, tvb,
1130 offset, record_length, ENC_NA);
1131 offset += record_length; /* skip to end of record */
1132 return offset;
1136 switch ((ContentType) content_type) {
1137 case SSL_ID_CHG_CIPHER_SPEC:
1138 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Change Cipher Spec");
1139 ssl_dissect_change_cipher_spec(&dissect_dtls_hf, tvb, pinfo,
1140 dtls_record_tree, offset, session,
1141 is_from_server, ssl);
1142 if (ssl) {
1143 ssl_finalize_decryption(ssl, tls_get_master_key_map(true));
1144 ssl_change_cipher(ssl, is_from_server);
1146 /* Heuristic: any later ChangeCipherSpec is not a resumption of this
1147 * session. Set the flag after ssl_finalize_decryption such that it has
1148 * a chance to use resume using Session Tickets. */
1149 if (is_from_server)
1150 session->is_session_resumed = false;
1151 break;
1152 case SSL_ID_ALERT:
1154 /* try to retrieve and use decrypted alert record, if any. */
1155 if (decrypted) {
1156 dissect_dtls_alert(decrypted, pinfo, dtls_record_tree, 0,
1157 session);
1158 } else {
1159 dissect_dtls_alert(tvb, pinfo, dtls_record_tree, offset,
1160 session);
1162 break;
1164 case SSL_ID_HANDSHAKE:
1166 /* try to retrieve and use decrypted handshake record, if any. */
1167 if (decrypted) {
1168 dissect_dtls_handshake(decrypted, pinfo, dtls_record_tree, 0,
1169 tvb_reported_length(decrypted), false, session, is_from_server,
1170 ssl, content_type);
1171 } else {
1172 dissect_dtls_handshake(tvb, pinfo, dtls_record_tree, offset,
1173 record_length, true, session, is_from_server, ssl,
1174 content_type);
1176 break;
1178 case SSL_ID_APP_DATA:
1179 dissect_dtls_appdata(tvb, pinfo, offset, record_length, session,
1180 dtls_record_tree, is_from_server, decrypted, record);
1181 break;
1182 case SSL_ID_HEARTBEAT:
1183 /* try to retrieve and use decrypted alert record, if any. */
1184 if (decrypted) {
1185 dissect_dtls_heartbeat(decrypted, pinfo, dtls_record_tree, 0,
1186 session, tvb_reported_length (decrypted), true);
1187 } else {
1188 dissect_dtls_heartbeat(tvb, pinfo, dtls_record_tree, offset,
1189 session, record_length, false);
1191 break;
1192 case SSL_ID_TLS12_CID:
1193 expert_add_info_format(pinfo, ct_pi, &ei_dtls_cid_invalid_content_type,
1194 "Invalid content type (%d)", content_type);
1195 break;
1196 case SSL_ID_DTLS13_ACK:
1197 if (decrypted) {
1198 dissect_dtls_ack(decrypted, pinfo, dtls_record_tree, 0, tvb_reported_length(decrypted));
1199 } else {
1200 dissect_dtls_ack(tvb, pinfo, dtls_record_tree, offset, record_length);
1203 offset += record_length; /* skip to end of record */
1205 return offset;
1209 /* setup cryptographic keys based on dtls13_current_epoch */
1210 static int
1211 dtls13_load_keys_from_epoch(SslDecryptSession *session, bool is_from_server, uint64_t epoch)
1213 ssl_master_key_map_t *master_key_map = NULL;
1214 TLSRecordType secret_type;
1215 SslDecoder *dec;
1217 if (!session) {
1218 ssl_debug_printf("dtls13_load_keys_from_epoch: no session\n");
1219 return -1;
1222 dec = NULL;
1223 if (is_from_server)
1224 dec = session->server;
1225 else
1226 dec = session->client;
1228 if (dec && dec->dtls13_epoch == epoch)
1229 return 0;
1231 /* The DTLS dissector does not support decrypting packets from epoch < N once
1232 * it decrypted a packet from epoch N. In order to do that, the dissector
1233 * needs to maintain the expected next sequence number per epoch. The added
1234 * complexity makes it not worthwhile. */
1235 if (dec && dec->dtls13_epoch > epoch) {
1236 ssl_debug_printf("%s: refuse to load past epoch %" PRIu64"\n", G_STRFUNC, epoch);
1237 return 0;
1240 /* double check that we increment the epoch by one after hs */
1241 if (dec && dec->dtls13_epoch != 0 && epoch != dec->dtls13_epoch + 1)
1242 return 0;
1244 master_key_map = tls_get_master_key_map(true);
1245 if (master_key_map == NULL) {
1246 ssl_debug_printf("dtls13_load_keys_from_epoch: no master key map\n");
1247 return -1;
1250 switch (epoch)
1252 case 1:
1253 secret_type = TLS_SECRET_0RTT_APP;
1254 tls13_change_key(session, master_key_map, is_from_server, secret_type);
1255 break;
1256 case 2:
1257 secret_type = TLS_SECRET_HANDSHAKE;
1258 tls13_change_key(session, master_key_map, is_from_server, secret_type);
1259 break;
1260 case 3:
1261 secret_type = TLS_SECRET_APP;
1262 tls13_change_key(session, master_key_map, is_from_server, secret_type);
1263 break;
1264 default:
1265 tls13_key_update(session, is_from_server);
1266 break;
1269 if (is_from_server && session->server) {
1270 session->server->dtls13_epoch = epoch;
1271 } else if (session->client) {
1272 session->client->dtls13_epoch = epoch;
1275 return 0;
1280 * Reconstructs sequence numbers in DTLS 1.3.
1282 * This function takes the expected sequence number, the low bits of the sequence number,
1283 * and a mask as input. It finds the closest number to the expected sequence number that
1284 * has the lower bits equal to @seq_low_bits.
1285 * @param expected_seq_number The expected sequence number.
1286 * @param seq_low_bits The low bits of the sequence number (encrypted).
1287 * @param len The length of @enc_seq_low_bits.
1288 * @param dec_mask The decryption mask for @enc_seq_low_bits.
1289 * @return The reconstructed dequeued sequence number.
1291 static uint64_t dtls13_reconstruct_seq_number(uint64_t expected_seq_number, uint16_t seq_low_bits,
1292 int len, uint8_t *dec_mask)
1294 uint16_t expected_low_bits;
1295 uint64_t c1, c2, d1, d2;
1296 uint16_t mask;
1298 /* we just need 1 or 2 bytes of the xor mask */
1299 if (len == 1) {
1300 dec_mask[1] = 0;
1302 seq_low_bits ^= (dec_mask[0] << 8 | dec_mask[1]);
1304 mask = (len == 2) ? 0xffff : 0xff;
1305 expected_low_bits = expected_seq_number & mask;
1306 c1 = (expected_seq_number & ~(mask)) | seq_low_bits;
1308 if (expected_low_bits == seq_low_bits) {
1309 return c1;
1311 if (expected_low_bits < seq_low_bits) {
1312 d1 = c1 - expected_seq_number;
1313 c2 = c1 - (mask + 1);
1314 d2 = expected_seq_number - c2;
1315 } else {
1316 d1 = expected_seq_number - c1;
1317 c2 = c1 + (mask + 1);
1318 d2 = c2 - expected_seq_number;
1321 if (d1 < d2)
1322 return c1;
1323 return c2;
1326 #define DTLS13_RECORD_NUMBER_MASK_SZ 16
1327 static int dtls13_get_record_number_xor_mask(SslDecoder *dec, const uint8_t *ciphertext, uint8_t *mask)
1329 if (!dec->cipher_suite)
1330 return -1;
1332 if (dec->cipher_suite->enc == ENC_NULL) {
1333 memset(mask, 0, DTLS13_RECORD_NUMBER_MASK_SZ);
1334 return 0;
1337 if (!dec->sn_evp) {
1338 return -1;
1341 if (dec->cipher_suite->enc == ENC_AES || dec->cipher_suite->enc == ENC_AES256) {
1342 if (gcry_cipher_encrypt(dec->sn_evp, mask, DTLS13_RECORD_NUMBER_MASK_SZ,
1343 ciphertext, DTLS13_RECORD_NUMBER_MASK_SZ) != 0) {
1344 ssl_debug_printf("dtls1.3: record mask generation failed\n");
1345 return -1;
1347 return 0;
1350 if (dec->cipher_suite->enc == ENC_CHACHA20) {
1351 if (gcry_cipher_setiv(dec->sn_evp, ciphertext, DTLS13_RECORD_NUMBER_MASK_SZ) != 0) {
1352 ssl_debug_printf("dtls1.3: record mask generation failed: can't set iv\n");
1353 return -1;
1355 memset(mask, 0, DTLS13_RECORD_NUMBER_MASK_SZ);
1356 if (gcry_cipher_encrypt(dec->sn_evp, mask, DTLS13_RECORD_NUMBER_MASK_SZ, mask, DTLS13_RECORD_NUMBER_MASK_SZ) != 0) {
1357 ssl_debug_printf("dtls1.3: record mask generation failed\n");
1358 return -1;
1360 return 0;
1363 ssl_debug_printf("dtls1.3: unsupported cipher\n");
1364 return -1;
1367 static bool dtls13_create_aad(tvbuff_t *tvb, SslDecryptSession *ssl, bool is_from_server, uint8_t hdr_flags, uint32_t hdr_off, uint32_t hdr_size,
1368 uint64_t sequence_number, uint16_t dtls_record_length)
1370 unsigned int cid_length = 0;
1371 SslDecoder *dec = NULL;
1372 int seq_length;
1374 if (is_from_server && ssl->server) {
1375 dec = ssl->server;
1376 } else if (ssl->client) {
1377 dec = ssl->client;
1379 if (!dec)
1380 return false;
1382 dec->seq = sequence_number;
1383 dec->dtls13_aad.data = wmem_realloc(wmem_file_scope(), dec->dtls13_aad.data, hdr_size);
1384 dec->dtls13_aad.data_len = hdr_size;
1385 dec->dtls13_aad.data[0] = hdr_flags;
1386 cid_length = 0;
1388 seq_length = 1;
1389 if (hdr_flags & DTLS13_S_BIT_MASK)
1390 seq_length = 2;
1391 if (hdr_flags & DTLS13_C_BIT_MASK) {
1392 /* total - 1 byte for hdr flag, 1 or 2 byte for seq suffix, 0 or 2 bytes for len */
1393 cid_length = hdr_size - 1 - seq_length;
1394 if (hdr_flags & DTLS13_L_BIT_MASK)
1395 cid_length -= 2;
1396 DISSECTOR_ASSERT(cid_length < hdr_size);
1397 memcpy(&dec->dtls13_aad.data[1], tvb_get_ptr(tvb, hdr_off + 1, cid_length), cid_length);
1400 if (seq_length == 2) {
1401 phton16(&dec->dtls13_aad.data[1 + cid_length], (uint16_t)sequence_number);
1402 } else {
1403 dec->dtls13_aad.data[1 + cid_length] = (uint8_t)sequence_number;
1405 if (hdr_flags & DTLS13_L_BIT_MASK) {
1406 phton16(&dec->dtls13_aad.data[1 + cid_length + seq_length], dtls_record_length);
1409 return true;
1412 static bool dtls13_decrypt_unified_record(tvbuff_t *tvb, packet_info *pinfo, uint32_t hdr_off, uint32_t hdr_size,
1413 uint8_t hdr_flags, bool is_from_server,
1414 SslDecryptSession *ssl, uint32_t dtls_record_length, uint8_t curr_layer_num_ssl,
1415 uint16_t seq_suffix, uint8_t seq_length)
1417 uint8_t mask[DTLS13_RECORD_NUMBER_MASK_SZ];
1418 uint64_t sequence_number;
1419 SslDecoder *dec = NULL;
1420 bool success;
1422 if (is_from_server && ssl->server) {
1423 dec = ssl->server;
1424 } else if (ssl->client) {
1425 dec = ssl->client;
1428 if (dec == NULL) {
1429 ssl_debug_printf("dissect_dtls13_record: no decoder available\n");
1430 return false;
1433 if (dtls13_get_record_number_xor_mask(dec, tvb_get_ptr(tvb, hdr_off + hdr_size, DTLS13_RECORD_NUMBER_MASK_SZ), mask) != 0) {
1434 ssl_debug_printf("dissect_dtls13_record: can't get record number mask\n");
1435 return false;
1438 sequence_number = dtls13_reconstruct_seq_number(ssl->session.dtls13_next_seq_num[is_from_server], seq_suffix, seq_length, mask);
1440 /* setup parameter for decryption of this packet */
1441 if (!dtls13_create_aad(tvb, ssl, is_from_server, hdr_flags, hdr_off, hdr_size, sequence_number, dtls_record_length)) {
1442 ssl_debug_printf("%s: can't create AAD\n", G_STRFUNC);
1443 return false;
1446 /* CID is already included in dtls13_add, there is no need to add it here */
1447 success = decrypt_dtls_record(tvb, pinfo, hdr_off + hdr_size, ssl, 0, ssl->session.version, dtls_record_length, curr_layer_num_ssl, NULL, 0);
1448 if (sequence_number >= ssl->session.dtls13_next_seq_num[is_from_server]) {
1449 ssl->session.dtls13_next_seq_num[is_from_server] = sequence_number + 1;
1452 return success;
1456 * Try to guess the early data cipher using trial decryption. based on decrypt_tls13_early_data.
1457 * Requires Libgcrypt 1.6 or newer for verifying that decryption is successful.
1459 static bool
1460 dtls13_decrypt_early_data(tvbuff_t *tvb, packet_info *pinfo, uint32_t hdr_off, uint32_t hdr_size, uint8_t hdr_flags,
1461 uint16_t record_length, SslDecryptSession *ssl,
1462 uint8_t curr_layer_num_ssl, uint16_t seq_suffix, uint8_t seq_length)
1464 StringInfo *secret;
1466 static const uint16_t tls13_ciphers[] = {
1467 0x1301, /* TLS_AES_128_GCM_SHA256 */
1468 0x1302, /* TLS_AES_256_GCM_SHA384 */
1469 0x1303, /* TLS_CHACHA20_POLY1305_SHA256 */
1470 0x1304, /* TLS_AES_128_CCM_SHA256 */
1471 0x1305, /* TLS_AES_128_CCM_8_SHA256 */
1474 bool success = false;
1476 ssl_debug_printf("Trying early data encryption, first record / trial decryption: %s\n",
1477 !(ssl->state & SSL_SEEN_0RTT_APPDATA) ? "true" : "false");
1480 secret = tls13_load_secret(ssl, tls_get_master_key_map(true), false, TLS_SECRET_0RTT_APP);
1481 if (!secret) {
1482 ssl_debug_printf("Missing secrets, early data decryption not possible!\n");
1483 return false;
1486 for (unsigned i = 0; i < G_N_ELEMENTS(tls13_ciphers); i++) {
1487 uint16_t cipher = tls13_ciphers[i];
1489 ssl_debug_printf("Performing early data trial decryption, cipher = %#x\n", cipher);
1490 ssl->session.cipher = cipher;
1491 ssl->cipher_suite = ssl_find_cipher(cipher);
1492 if (!tls13_generate_keys(ssl, secret, false)) {
1493 /* Unable to create cipher (old Libgcrypt) */
1494 continue;
1497 success = dtls13_decrypt_unified_record(tvb, pinfo, hdr_off, hdr_size, hdr_flags, false, ssl, record_length, curr_layer_num_ssl, seq_suffix, seq_length);
1498 if (success) {
1499 /* update epoch number to decrypt other 0RTT packets */
1500 ssl->client->dtls13_epoch = 1;
1501 ssl_debug_printf("Early data decryption succeeded, cipher = %#x\n", cipher);
1502 break;
1505 if (!success) {
1506 ssl_debug_printf("Trial decryption of early data failed!\n");
1508 return success;
1511 static bool dtls13_setup_keys(uint8_t hdr_flags, bool is_from_server, SslDecryptSession *ssl, uint32_t dtls_record_length,
1512 bool *first_early_data)
1514 uint64_t epoch, curr_max_epoch;
1516 epoch = (hdr_flags & DTLS13_HDR_EPOCH_BIT_MASK);
1518 if (first_early_data != NULL)
1519 *first_early_data = false;
1521 /* DTLSv1.3 minimum payload is 16 bytes */
1522 if (dtls_record_length < 16) {
1523 ssl_debug_printf("dtls13: record too short\n");
1524 return false;
1527 /* determine the epoch */
1528 curr_max_epoch = ssl->session.dtls13_current_epoch[is_from_server];
1530 if ((curr_max_epoch & 0x3) != epoch) {
1531 /* No KeyUpdate seen, we are still in the handshake (epoch 1 or 2) or using traffic_secret_0 (epoch 3) */
1532 if (curr_max_epoch < 4) {
1533 if (epoch > curr_max_epoch) {
1534 ssl->session.dtls13_current_epoch[is_from_server] = epoch;
1536 } else {
1538 /* try to decrypt with the last epoch with the same low bits */
1539 epoch = (curr_max_epoch & ~(0x3)) | epoch;
1540 if (epoch > curr_max_epoch)
1541 epoch -= 4;
1543 } else {
1544 epoch = curr_max_epoch;
1547 if (epoch == 0) {
1548 ssl_debug_printf("dtls13: unified header with epoch 0 (plaintext)\n");
1549 return false;
1552 /* early data */
1553 if (epoch == 1) {
1554 if (ssl->session.dtls13_current_epoch[is_from_server] > 1) {
1555 ssl_debug_printf("%s: early data received after encrypted HS, abort decryption\n", G_STRFUNC);
1556 return false;
1558 if (!ssl->has_early_data) {
1559 ssl_debug_printf("%s: early data received but not advertised in CH extensions, abort decryption\n", G_STRFUNC);
1560 return false;
1562 /* first early data packet, need to go into trial decryption */
1563 if (!(ssl->client && (ssl->client->dtls13_epoch == 1))) {
1564 if (first_early_data != NULL)
1565 *first_early_data = true;
1566 return true;
1570 if (dtls13_load_keys_from_epoch(ssl, is_from_server, epoch) < 0) {
1571 ssl_debug_printf("dtls13: can't load keys\n");
1572 return false;
1575 return true;
1578 /* Dissect a DTLS record from version 1.3 */
1579 static int
1580 dissect_dtls13_record(tvbuff_t *tvb, packet_info *pinfo _U_,
1581 proto_tree *tree, uint32_t offset,
1582 SslSession *session, int is_from_server,
1583 SslDecryptSession* ssl,
1584 uint8_t curr_layer_num_ssl _U_)
1587 * struct {
1588 * ContentType type;
1589 * ProtocolVersion legacy_record_version;
1590 * uint16 epoch = 0
1591 * uint48 sequence_number;
1592 * uint16 length;
1593 * opaque fragment[DTLSPlaintext.length];
1594 * } DTLSPlaintext;
1596 * struct {
1597 * opaque content[DTLSPlaintext.length];
1598 * ContentType type;
1599 * uint8 zeros[length_of_padding];
1600 * } DTLSInnerPlaintext;
1602 * struct {
1603 * opaque unified_hdr[variable];
1604 * opaque encrypted_record[length];
1605 * } DTLSCiphertext;
1607 * unified_hdr:
1608 * 0 1 2 3 4 5 6 7
1609 * +-+-+-+-+-+-+-+-+
1610 * |0|0|1|C|S|L|E E|
1611 * +-+-+-+-+-+-+-+-+
1612 * | Connection ID | Legend:
1613 * | (if any, |
1614 * / length as / C - Connection ID (CID) present
1615 * | negotiated) | S - Sequence number length
1616 * +-+-+-+-+-+-+-+-+ L - Length present
1617 * | 8 or 16 bit | E - Epoch
1618 * |Sequence Number|
1619 * +-+-+-+-+-+-+-+-+
1620 * | 16 bit Length |
1621 * | (if present) |
1622 * +-+-+-+-+-+-+-+-+
1625 static int * const uni_hdr_flags[] = {
1626 &hf_dtls_uni_hdr_fixed,
1627 &hf_dtls_uni_hdr_cid,
1628 &hf_dtls_uni_hdr_seq,
1629 &hf_dtls_uni_hdr_len,
1630 &hf_dtls_uni_hdr_epoch,
1631 NULL
1634 proto_tree *dtls_record_tree;
1635 proto_item *ti;
1636 proto_item *length_pi;
1637 uint32_t dtls_record_length = 0;
1639 uint32_t hdr_offset = offset;
1640 uint32_t hdr_start = offset;
1641 uint8_t hdr_flags;
1642 bool c_bit; /* 1 = Connection ID field is present */
1643 bool s_bit; /* 0 = 8-bit sequence number, 1 = 16-bit */
1644 bool l_bit; /* 1 = Length field is present */
1646 uint8_t seq_length;
1647 uint8_t cid_length = 0;
1648 uint16_t seq_suffix;
1649 tvbuff_t *decrypted = NULL;
1650 SslRecordInfo *record = NULL;
1651 bool success;
1652 bool is_first_early_data;
1654 hdr_flags = tvb_get_uint8(tvb, hdr_offset);
1655 c_bit = (hdr_flags & DTLS13_C_BIT_MASK) == DTLS13_C_BIT_MASK;
1656 s_bit = (hdr_flags & DTLS13_S_BIT_MASK) == DTLS13_S_BIT_MASK;
1657 l_bit = (hdr_flags & DTLS13_L_BIT_MASK) == DTLS13_L_BIT_MASK;
1658 hdr_offset += 1;
1660 if (c_bit) {
1661 /* Connection ID length to use if any */
1662 cid_length = dtls_cid_length(session, is_from_server);
1663 hdr_offset += cid_length;
1666 if (s_bit) {
1667 /* Lowest 16 bits of the sequence number */
1668 seq_length = 2;
1669 seq_suffix = tvb_get_ntohs(tvb, hdr_offset);
1671 else {
1672 /* Lowest 8 bits of the sequence number */
1673 seq_length = 1;
1674 seq_suffix = tvb_get_uint8(tvb, hdr_offset);
1676 /* Note: seq_suffix is encrypted if the payload is encrypted,
1677 * as per RFC 9147 section 4.2.3. To get the real sequence number,
1678 * we need to decrypt, and *then* use the result to find the sequence
1679 * number closest to one plus the last sequence number.
1681 hdr_offset += seq_length;
1683 if (l_bit) {
1684 dtls_record_length = tvb_get_ntohs(tvb, hdr_offset);
1685 hdr_offset += 2;
1687 else {
1688 dtls_record_length = tvb_captured_length_remaining(tvb, hdr_offset);
1692 * If GUI, fill in record layer part of tree
1694 col_set_str(pinfo->cinfo, COL_PROTOCOL,
1695 val_to_str_const(session->version, ssl_version_short_names, "DTLS"));
1697 ti = proto_tree_add_item(tree, hf_dtls_record, tvb, offset,
1698 (hdr_offset - offset) + dtls_record_length, ENC_NA);
1699 dtls_record_tree = proto_item_add_subtree(ti, ett_dtls_record);
1701 proto_tree_add_bitmask_with_flags(dtls_record_tree, tvb, offset,
1702 hf_dtls_uni_hdr, ett_dtls_uni_hdr, uni_hdr_flags,
1703 ENC_BIG_ENDIAN, BMT_NO_INT);
1705 offset += 1;
1707 if (c_bit && cid_length > 0) {
1708 proto_tree_add_item(dtls_record_tree, hf_dtls_record_connection_id, tvb, offset, cid_length, ENC_NA);
1709 offset += cid_length;
1712 proto_tree_add_uint(dtls_record_tree, hf_dtls_record_sequence_suffix, tvb, offset, seq_length, seq_suffix);
1713 offset += seq_length;
1715 if (l_bit) {
1716 proto_tree_add_item(dtls_record_tree, hf_dtls_record_length, tvb,
1717 offset, 2, ENC_BIG_ENDIAN);
1718 offset += 2;
1720 else {
1721 length_pi = proto_tree_add_uint(dtls_record_tree, hf_dtls_record_length, tvb,
1722 offset, 0, dtls_record_length);
1723 proto_item_set_generated(length_pi);
1726 if (ssl) {
1727 success = dtls13_setup_keys(hdr_flags, is_from_server, ssl, dtls_record_length, &is_first_early_data);
1728 if (success) {
1729 if (!is_from_server && is_first_early_data) {
1730 /* try to decrypt early data */
1731 dtls13_decrypt_early_data(tvb, pinfo, hdr_start, hdr_offset - hdr_start, hdr_flags, dtls_record_length, ssl, curr_layer_num_ssl, seq_suffix, seq_length);
1732 } else {
1733 dtls13_decrypt_unified_record(tvb, pinfo, hdr_start, hdr_offset - hdr_start, hdr_flags, is_from_server, ssl, dtls_record_length, curr_layer_num_ssl, seq_suffix, seq_length);
1738 decrypted = ssl_get_record_info(tvb, proto_dtls, pinfo, tvb_raw_offset(tvb)+offset, curr_layer_num_ssl, &record);
1739 if (decrypted)
1741 /* on first pass add seq suffix decrypted info */
1742 if (ssl) {
1743 if (is_from_server && ssl->server) {
1744 // XXX - Should the cast depend on seq_length ?
1745 record->dtls13_seq_suffix = (uint16_t)ssl->server->seq;
1746 } else if (ssl->client) {
1747 record->dtls13_seq_suffix = (uint16_t)ssl->client->seq;
1751 ti = proto_tree_add_uint(dtls_record_tree, hf_dtls_record_sequence_suffix_dec, tvb, hdr_start + 1 + cid_length,
1752 seq_length, record->dtls13_seq_suffix);
1753 proto_item_set_generated(ti);
1754 add_new_data_source(pinfo, decrypted, "Decrypted DTLS");
1755 /* real content type*/
1756 switch ((record->type))
1758 case SSL_ID_HANDSHAKE:
1759 dissect_dtls_handshake(decrypted, pinfo, dtls_record_tree, 0,
1760 tvb_reported_length(decrypted), false, session, is_from_server,
1761 ssl, record->type);
1762 break;
1763 case SSL_ID_ALERT:
1764 dissect_dtls_alert(decrypted, pinfo, dtls_record_tree, 0,
1765 session);
1766 break;
1767 case SSL_ID_DTLS13_ACK:
1768 dissect_dtls_ack(decrypted, pinfo, dtls_record_tree, 0, tvb_reported_length(decrypted));
1769 break;
1770 case SSL_ID_APP_DATA:
1771 dissect_dtls_appdata(tvb, pinfo, offset, dtls_record_length, session,
1772 dtls_record_tree, is_from_server, decrypted, record);
1773 break;
1774 default:
1775 break;
1777 } else {
1778 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Encrypted Data");
1779 proto_tree_add_item(dtls_record_tree, hf_dtls_record_encrypted_content, tvb,
1780 offset, dtls_record_length, ENC_NA);
1781 proto_item_set_text(dtls_record_tree,
1782 "%s Record Layer: Encrypted Data",
1783 val_to_str_const(session->version, ssl_version_short_names, "DTLS"));
1786 return offset + dtls_record_length;
1789 /* dissects the alert message, filling in the tree */
1790 static void
1791 dissect_dtls_alert(tvbuff_t *tvb, packet_info *pinfo,
1792 proto_tree *tree, uint32_t offset,
1793 const SslSession *session)
1795 /* struct {
1796 * AlertLevel level;
1797 * AlertDescription description;
1798 * } Alert;
1801 proto_tree *ti;
1802 proto_tree *ssl_alert_tree;
1803 const char *level;
1804 const char *desc;
1805 uint8_t byte;
1807 ti = proto_tree_add_item(tree, hf_dtls_alert_message, tvb,
1808 offset, 2, ENC_NA);
1809 ssl_alert_tree = proto_item_add_subtree(ti, ett_dtls_alert);
1812 * set the record layer label
1815 /* first lookup the names for the alert level and description */
1816 byte = tvb_get_uint8(tvb, offset); /* grab the level byte */
1817 level = try_val_to_str(byte, ssl_31_alert_level);
1819 byte = tvb_get_uint8(tvb, offset+1); /* grab the desc byte */
1820 desc = try_val_to_str(byte, ssl_31_alert_description);
1822 /* now set the text in the record layer line */
1823 if (level && desc)
1825 col_append_sep_fstr(pinfo->cinfo, COL_INFO,
1826 NULL, "Alert (Level: %s, Description: %s)",
1827 level, desc);
1829 else
1831 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Encrypted Alert");
1834 if (tree)
1836 if (level && desc)
1838 proto_item_set_text(tree, "%s Record Layer: Alert "
1839 "(Level: %s, Description: %s)",
1840 val_to_str_const(session->version, ssl_version_short_names, "DTLS"),
1841 level, desc);
1842 proto_tree_add_item(ssl_alert_tree, hf_dtls_alert_message_level,
1843 tvb, offset++, 1, ENC_BIG_ENDIAN);
1845 proto_tree_add_item(ssl_alert_tree, hf_dtls_alert_message_description,
1846 tvb, offset, 1, ENC_BIG_ENDIAN);
1848 else
1850 proto_item_set_text(tree,
1851 "%s Record Layer: Encrypted Alert",
1852 val_to_str_const(session->version, ssl_version_short_names, "DTLS"));
1853 proto_item_set_text(ssl_alert_tree,
1854 "Alert Message: Encrypted Alert");
1859 static void
1860 dtls13_maybe_increase_max_epoch(SslDecryptSession *ssl, bool is_from_server)
1862 SslDecoder *dec;
1864 if (ssl == NULL)
1865 return;
1867 if (is_from_server)
1868 dec = ssl->server;
1869 else
1870 dec = ssl->client;
1872 if (dec == NULL)
1873 return;
1875 /* be sure to increment from the current epoch just once, and to increment
1876 * again only after the new epoch was seen. This assures that the dissector
1877 * can always compute the next epoch, and avoid that duplicate packets wrongly
1878 * increment the max epoch multiple times. */
1879 if (dec->dtls13_epoch == ssl->session.dtls13_current_epoch[is_from_server])
1880 ssl->session.dtls13_current_epoch[is_from_server]++;
1883 /* dissects the handshake protocol, filling the tree */
1884 static void
1885 dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo,
1886 proto_tree *tree, uint32_t offset,
1887 uint32_t record_length, bool maybe_encrypted,
1888 SslSession *session, int is_from_server,
1889 SslDecryptSession* ssl, uint8_t content_type)
1891 /* struct {
1892 * HandshakeType msg_type;
1893 * uint24 length;
1894 * uint16 message_seq; //new field
1895 * uint24 fragment_offset; //new field
1896 * uint24 fragment_length; //new field
1897 * select (HandshakeType) {
1898 * case hello_request: HelloRequest;
1899 * case client_hello: ClientHello;
1900 * case server_hello: ServerHello;
1901 * case hello_verify_request: HelloVerifyRequest; //new field
1902 * case certificate: Certificate;
1903 * case server_key_exchange: ServerKeyExchange;
1904 * case certificate_request: CertificateRequest;
1905 * case server_hello_done: ServerHelloDone;
1906 * case certificate_verify: CertificateVerify;
1907 * case client_key_exchange: ClientKeyExchange;
1908 * case finished: Finished;
1909 * } body;
1910 * } Handshake;
1913 proto_tree *ti, *length_item = NULL, *fragment_length_item = NULL;
1914 proto_tree *ssl_hand_tree;
1915 const char *msg_type_str;
1916 uint8_t msg_type;
1917 uint32_t length;
1918 uint16_t version;
1919 uint16_t message_seq;
1920 uint32_t fragment_offset;
1921 uint32_t fragment_length;
1922 bool first_iteration;
1923 uint32_t reassembled_length;
1924 tvbuff_t *sub_tvb;
1926 msg_type_str = NULL;
1927 first_iteration = true;
1929 /* just as there can be multiple records per packet, there
1930 * can be multiple messages per record as long as they have
1931 * the same content type
1933 * we really only care about this for handshake messages
1936 /* set record_length to the max offset */
1937 record_length += offset;
1938 for (; offset < record_length; offset += fragment_length,
1939 first_iteration = false) /* set up for next pass, if any */
1941 fragment_head *frag_msg = NULL;
1942 tvbuff_t *new_tvb = NULL;
1943 const char *frag_str = NULL;
1944 bool fragmented;
1945 uint32_t hs_offset = offset;
1946 bool is_hrr = 0;
1948 /* add a subtree for the handshake protocol */
1949 ti = proto_tree_add_item(tree, hf_dtls_handshake_protocol, tvb, offset, -1, ENC_NA);
1950 ssl_hand_tree = proto_item_add_subtree(ti, ett_dtls_handshake);
1952 msg_type = tvb_get_uint8(tvb, offset);
1953 fragment_length = tvb_get_ntoh24(tvb, offset + 9);
1955 /* Check the fragment length in the handshake message. Assume it's an
1956 * encrypted handshake message if the message would pass
1957 * the record_length boundary. This is a workaround for the
1958 * situation where the first octet of the encrypted handshake
1959 * message is actually a known handshake message type.
1961 if (!maybe_encrypted || offset + fragment_length <= record_length) {
1962 if (msg_type == SSL_HND_SERVER_HELLO) {
1963 tls_scan_server_hello(tvb, offset+12, fragment_length, &version, &is_hrr);
1965 if (is_hrr) {
1966 msg_type_str = try_val_to_str(SSL_HND_HELLO_RETRY_REQUEST, ssl_31_handshake_type);
1967 } else {
1968 msg_type_str = try_val_to_str(msg_type, ssl_31_handshake_type);
1972 if (!msg_type_str && !first_iteration)
1974 /* only dissect / report messages if they're
1975 * either the first message in this record
1976 * or they're a valid message type
1978 return;
1982 * Update our info string
1984 if (msg_type_str)
1986 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, msg_type_str);
1988 else
1990 /* if we don't have a valid handshake type, just quit dissecting */
1991 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Encrypted Handshake Message");
1992 return;
1995 proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_type,
1996 tvb, offset, 1, msg_type);
1997 offset++;
1999 length = tvb_get_ntoh24(tvb, offset);
2000 length_item = proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_length,
2001 tvb, offset, 3, length);
2002 offset += 3;
2004 message_seq = tvb_get_ntohs(tvb,offset);
2005 proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_message_seq,
2006 tvb, offset, 2, message_seq);
2007 offset += 2;
2009 fragment_offset = tvb_get_ntoh24(tvb, offset);
2010 proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_fragment_offset,
2011 tvb, offset, 3, fragment_offset);
2012 offset += 3;
2014 fragment_length_item = proto_tree_add_uint(ssl_hand_tree,
2015 hf_dtls_handshake_fragment_length,
2016 tvb, offset, 3,
2017 fragment_length);
2018 offset += 3;
2019 proto_item_set_len(ti, fragment_length + 12);
2021 fragmented = false;
2022 if (fragment_length + fragment_offset > length)
2024 if (fragment_offset == 0)
2026 expert_add_info(pinfo, fragment_length_item, &ei_dtls_handshake_fragment_length_too_long);
2028 else
2030 fragmented = true;
2031 expert_add_info(pinfo, fragment_length_item, &ei_dtls_handshake_fragment_past_end_msg);
2034 else if (fragment_offset > 0 && fragment_length == 0)
2036 /* Fragmented message, but no actual fragment... Note that if a
2037 * fragment was previously completed (reassembled_length == length),
2038 * it is already dissected. */
2039 expert_add_info(pinfo, fragment_length_item, &ei_dtls_handshake_fragment_length_zero);
2040 continue;
2042 else if (fragment_length < length)
2044 fragmented = true;
2046 /* Handle fragments of known message type, ignore others */
2047 if (ssl_is_valid_handshake_type(msg_type, true))
2049 /* Fragmented handshake message */
2050 pinfo->fragmented = true;
2052 /* Don't pass the reassembly code data that doesn't exist */
2053 tvb_ensure_bytes_exist(tvb, offset, fragment_length);
2055 frag_msg = fragment_add(&dtls_reassembly_table,
2056 tvb, offset, pinfo, message_seq, NULL,
2057 fragment_offset, fragment_length, true);
2059 * Do we already have a length for this reassembly?
2061 reassembled_length = fragment_get_tot_len(&dtls_reassembly_table,
2062 pinfo, message_seq, NULL);
2063 if (reassembled_length == 0)
2065 /* No - set it to the length specified by this packet. */
2066 fragment_set_tot_len(&dtls_reassembly_table,
2067 pinfo, message_seq, NULL, length);
2069 else
2071 /* Yes - if this packet specifies a different length,
2072 report an error. */
2073 if (reassembled_length != length)
2075 expert_add_info(pinfo, length_item, &ei_dtls_msg_len_diff_fragment);
2079 if (frag_msg && (fragment_length + fragment_offset) == reassembled_length)
2081 /* Reassembled */
2082 new_tvb = process_reassembled_data(tvb, offset, pinfo,
2083 "Reassembled DTLS",
2084 frag_msg,
2085 &dtls_frag_items,
2086 NULL, tree);
2087 frag_str = " (Reassembled)";
2089 else
2091 frag_str = " (Fragment)";
2094 col_append_str(pinfo->cinfo, COL_INFO, frag_str);
2098 if (tree)
2100 /* set the label text on the record layer expanding node */
2101 if (first_iteration)
2103 proto_item_set_text(tree, "%s Record Layer: %s Protocol: %s%s",
2104 val_to_str_const(session->version, ssl_version_short_names, "DTLS"),
2105 val_to_str_const(content_type, ssl_31_content_type, "unknown"),
2106 msg_type_str, (frag_str!=NULL) ? frag_str : "");
2108 else
2110 proto_item_set_text(tree, "%s Record Layer: %s Protocol: %s%s",
2111 val_to_str_const(session->version, ssl_version_short_names, "DTLS"),
2112 val_to_str_const(content_type, ssl_31_content_type, "unknown"),
2113 "Multiple Handshake Messages",
2114 (frag_str!=NULL) ? frag_str : "");
2117 if (ssl_hand_tree)
2119 /* set the text label on the subtree node */
2120 proto_item_set_text(ssl_hand_tree, "Handshake Protocol: %s%s",
2121 msg_type_str, (frag_str!=NULL) ? frag_str : "");
2125 if (fragmented && !new_tvb)
2127 /* Skip fragmented messages not reassembled yet */
2128 continue;
2131 if (new_tvb)
2133 sub_tvb = new_tvb;
2135 else
2137 sub_tvb = tvb_new_subset_length(tvb, offset, fragment_length);
2140 if ((msg_type == SSL_HND_CLIENT_HELLO || msg_type == SSL_HND_SERVER_HELLO)) {
2141 /* Prepare for renegotiation by resetting the state. */
2142 ssl_reset_session(session, ssl, msg_type == SSL_HND_CLIENT_HELLO);
2146 * Add handshake message (including type, length, etc.) to hash (for
2147 * Extended Master Secret). The computation must however happen as if
2148 * the message was sent in a single fragment (RFC 6347, section 4.2.6).
2150 * Skip CertificateVerify since the handshake hash covers just
2151 * ClientHello up to and including ClientKeyExchange, but the keys are
2152 * actually retrieved in ChangeCipherSpec (which comes after that).
2154 if (msg_type != SSL_HND_CERT_VERIFY) {
2155 if (fragment_offset == 0) {
2156 /* Unfragmented packet. */
2157 ssl_calculate_handshake_hash(ssl, tvb, hs_offset, 12 + fragment_length);
2158 } else {
2160 * Handshake message was fragmented over multiple messages, fake a
2161 * single fragment and add reassembled data.
2163 /* msg_type (1), length (3), message_seq (2) */
2164 ssl_calculate_handshake_hash(ssl, tvb, hs_offset, 6);
2165 /* fragment_offset (3) equals to zero. */
2166 ssl_calculate_handshake_hash(ssl, NULL, 0, 3);
2167 /* fragment_length (3) equals to length. */
2168 ssl_calculate_handshake_hash(ssl, tvb, hs_offset + 1, 3);
2169 /* actual handshake data */
2170 ssl_calculate_handshake_hash(ssl, sub_tvb, 0, length);
2174 /* now dissect the handshake message, if necessary */
2175 switch ((HandshakeType) msg_type) {
2176 case SSL_HND_HELLO_REQUEST:
2177 /* hello_request has no fields, so nothing to do! */
2178 break;
2180 case SSL_HND_CLIENT_HELLO:
2181 if (ssl) {
2182 /* ClientHello is first packet so set direction */
2183 ssl_set_server(session, &pinfo->dst, pinfo->ptype, pinfo->destport);
2185 ssl_dissect_hnd_cli_hello(&dissect_dtls_hf, sub_tvb, pinfo,
2186 ssl_hand_tree, 0, length, session, ssl,
2187 &dtls_hfs, NULL);
2188 if (ssl) {
2189 tls_save_crandom(ssl, tls_get_master_key_map(false));
2190 /* force DTLSv1.3 version if early data is seen */
2191 if (ssl->has_early_data) {
2192 session->version = DTLSV1DOT3_VERSION;
2193 ssl->state |= SSL_VERSION;
2194 ssl_debug_printf("%s forcing version 0x%04X -> state 0x%02X\n", G_STRFUNC, DTLSV1DOT3_VERSION, ssl->state);
2197 break;
2199 case SSL_HND_SERVER_HELLO:
2200 tls_scan_server_hello(sub_tvb, 0, fragment_length, &version, &is_hrr);
2201 ssl_try_set_version(session, ssl, SSL_ID_HANDSHAKE, SSL_HND_SERVER_HELLO, true, version);
2203 ssl_dissect_hnd_srv_hello(&dissect_dtls_hf, sub_tvb, pinfo, ssl_hand_tree,
2204 0, length, session, ssl, true, is_hrr);
2205 break;
2207 case SSL_HND_HELLO_VERIFY_REQUEST:
2209 * The initial ClientHello and HelloVerifyRequest are not included
2210 * in the calculation of the handshake_messages
2211 * (https://tools.ietf.org/html/rfc6347#page-18). This is also
2212 * important for correct calculation of Extended Master Secret.
2214 if (ssl && ssl->handshake_data.data_len) {
2215 ssl_debug_printf("%s erasing previous handshake_messages: %d\n", G_STRFUNC, ssl->handshake_data.data_len);
2216 wmem_free(wmem_file_scope(), ssl->handshake_data.data);
2217 ssl->handshake_data.data = NULL;
2218 ssl->handshake_data.data_len = 0;
2220 dissect_dtls_hnd_hello_verify_request(&dissect_dtls_hf, sub_tvb, pinfo,
2221 ssl_hand_tree, 0, length);
2222 break;
2224 case SSL_HND_NEWSESSION_TICKET:
2225 /* no need to load keylog file here as it only links a previous
2226 * master key with this Session Ticket */
2227 ssl_dissect_hnd_new_ses_ticket(&dissect_dtls_hf, sub_tvb, pinfo,
2228 ssl_hand_tree, 0, length, session, ssl, true,
2229 tls_get_master_key_map(false)->tickets);
2230 break;
2232 case SSL_HND_HELLO_RETRY_REQUEST:
2233 ssl_dissect_hnd_hello_retry_request(&dissect_dtls_hf, sub_tvb, pinfo, ssl_hand_tree,
2234 0, length, session, ssl, true);
2235 break;
2237 case SSL_HND_CERTIFICATE:
2238 ssl_dissect_hnd_cert(&dissect_dtls_hf, sub_tvb, ssl_hand_tree, 0, length,
2239 pinfo, session, ssl, is_from_server, true);
2240 break;
2242 case SSL_HND_SERVER_KEY_EXCHG:
2243 ssl_dissect_hnd_srv_keyex(&dissect_dtls_hf, sub_tvb, pinfo, ssl_hand_tree, 0, length, session);
2244 break;
2246 case SSL_HND_CERT_REQUEST:
2247 ssl_dissect_hnd_cert_req(&dissect_dtls_hf, sub_tvb, pinfo, ssl_hand_tree, 0, length, session, true);
2248 break;
2250 case SSL_HND_SVR_HELLO_DONE:
2251 /* This is not an abbreviated handshake, it is certainly not resumed. */
2252 session->is_session_resumed = false;
2253 break;
2255 case SSL_HND_CERT_VERIFY:
2256 ssl_dissect_hnd_cli_cert_verify(&dissect_dtls_hf, sub_tvb, pinfo, ssl_hand_tree, 0, length, session->version);
2257 break;
2259 case SSL_HND_CLIENT_KEY_EXCHG:
2260 ssl_dissect_hnd_cli_keyex(&dissect_dtls_hf, sub_tvb, ssl_hand_tree, 0, length, session);
2261 if (!ssl)
2262 break;
2264 /* try to find master key from pre-master key */
2265 if (!ssl_generate_pre_master_secret(ssl, length, sub_tvb, 0,
2266 dtls_options.psk, pinfo,
2267 #ifdef HAVE_LIBGNUTLS
2268 dtls_key_hash,
2269 #endif
2270 tls_get_master_key_map(true))) {
2271 ssl_debug_printf("dissect_dtls_handshake can't generate pre master secret\n");
2273 break;
2275 case SSL_HND_FINISHED:
2276 ssl_dissect_hnd_finished(&dissect_dtls_hf, sub_tvb, ssl_hand_tree,
2277 0, length, session, NULL);
2278 break;
2280 case SSL_HND_CERT_STATUS:
2281 tls_dissect_hnd_certificate_status(&dissect_dtls_hf, sub_tvb, pinfo, ssl_hand_tree, 0, length);
2282 break;
2284 case SSL_HND_CERT_URL:
2285 case SSL_HND_SUPPLEMENTAL_DATA:
2286 case SSL_HND_KEY_UPDATE:
2287 tls13_dissect_hnd_key_update(&dissect_dtls_hf, sub_tvb, ssl_hand_tree, 0);
2288 if (ssl && ssl->session.version == DTLSV1DOT3_VERSION) {
2289 dtls13_maybe_increase_max_epoch(ssl, is_from_server);
2291 break;
2292 case SSL_HND_ENCRYPTED_EXTS:
2293 case SSL_HND_END_OF_EARLY_DATA: /* TLS 1.3 */
2294 case SSL_HND_COMPRESSED_CERTIFICATE:
2295 case SSL_HND_MESSAGE_HASH:
2296 break;
2297 case SSL_HND_ENCRYPTED_EXTENSIONS: /* TLS 1.3 */
2298 ssl_dissect_hnd_encrypted_extensions(&dissect_dtls_hf, sub_tvb, pinfo, ssl_hand_tree, 0, length, session, ssl, 1);
2299 break;
2304 /* dissects the heartbeat message, filling in the tree */
2305 static void
2306 dissect_dtls_heartbeat(tvbuff_t *tvb, packet_info *pinfo,
2307 proto_tree *tree, uint32_t offset,
2308 const SslSession *session, uint32_t record_length,
2309 bool decrypted)
2311 /* struct {
2312 * HeartbeatMessageType type;
2313 * uint16 payload_length;
2314 * opaque payload;
2315 * opaque padding;
2316 * } HeartbeatMessage;
2319 proto_tree *ti;
2320 proto_tree *dtls_heartbeat_tree;
2321 const char *type;
2322 uint8_t byte;
2323 uint16_t payload_length;
2324 uint16_t padding_length;
2326 ti = proto_tree_add_item(tree, hf_dtls_heartbeat_message, tvb,
2327 offset, record_length - 32, ENC_NA);
2328 dtls_heartbeat_tree = proto_item_add_subtree(ti, ett_dtls_heartbeat);
2331 * set the record layer label
2334 /* first lookup the names for the message type and the payload length */
2335 byte = tvb_get_uint8(tvb, offset);
2336 type = try_val_to_str(byte, tls_heartbeat_type);
2338 payload_length = tvb_get_ntohs(tvb, offset + 1);
2339 padding_length = record_length - 3 - payload_length;
2341 /* now set the text in the record layer line */
2342 if (type && (payload_length <= record_length - 16 - 3)) {
2343 col_append_sep_fstr(pinfo->cinfo, COL_INFO, NULL, "Heartbeat %s", type);
2344 } else {
2345 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Encrypted Heartbeat");
2348 if (tree) {
2349 if (type && ((payload_length <= record_length - 16 - 3) || decrypted)) {
2350 proto_item_set_text(tree, "%s Record Layer: Heartbeat "
2351 "%s",
2352 val_to_str_const(session->version, ssl_version_short_names, "DTLS"),
2353 type);
2354 proto_tree_add_item(dtls_heartbeat_tree, hf_dtls_heartbeat_message_type,
2355 tvb, offset, 1, ENC_BIG_ENDIAN);
2356 offset += 1;
2357 ti = proto_tree_add_uint(dtls_heartbeat_tree, hf_dtls_heartbeat_message_payload_length,
2358 tvb, offset, 2, payload_length);
2359 offset += 2;
2360 if (payload_length > record_length - 16 - 3) {
2361 expert_add_info_format(pinfo, ti, &ei_dtls_heartbeat_payload_length,
2362 "Invalid heartbeat payload length (%d)", payload_length);
2363 /* Invalid heartbeat payload length, adjust to try decoding */
2364 payload_length = record_length - 16 - 3;
2365 padding_length = 16;
2366 proto_item_append_text (ti, " (invalid, using %u to decode payload)", payload_length);
2369 proto_tree_add_bytes_format(dtls_heartbeat_tree, hf_dtls_heartbeat_message_payload,
2370 tvb, offset, payload_length,
2371 NULL, "Payload (%u byte%s)",
2372 payload_length,
2373 plurality(payload_length, "", "s"));
2374 offset += payload_length;
2375 proto_tree_add_bytes_format(dtls_heartbeat_tree, hf_dtls_heartbeat_message_padding,
2376 tvb, offset, padding_length,
2377 NULL, "Padding and HMAC (%u byte%s)",
2378 padding_length,
2379 plurality(padding_length, "", "s"));
2380 } else {
2381 proto_item_set_text(tree,
2382 "%s Record Layer: Encrypted Heartbeat",
2383 val_to_str_const(session->version, ssl_version_short_names, "DTLS"));
2384 proto_item_set_text(dtls_heartbeat_tree,
2385 "Encrypted Heartbeat Message");
2390 /* dissects the acknowledgement message from RFC 9147 section 7 */
2391 static void
2392 dissect_dtls_ack(tvbuff_t *tvb, packet_info *pinfo,
2393 proto_tree *tree, uint32_t offset,
2394 uint32_t record_length)
2397 * section 4:
2398 * struct {
2399 * uint64 epoch;
2400 * uint64 sequence_number;
2401 * } RecordNumber;
2403 * section 7:
2404 * struct {
2405 * RecordNumber record_numbers<0..2^16-1>;
2406 * } ACK;
2409 uint32_t i;
2410 uint32_t record_number_length;
2411 proto_tree *ti;
2412 proto_tree *dtls_ack_tree, *rn_tree;
2413 uint64_t epoch;
2414 uint64_t number;
2416 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Acknowledgement");
2417 ti = proto_tree_add_item(tree, hf_dtls_ack_message, tvb,
2418 offset, record_length, ENC_NA);
2419 dtls_ack_tree = proto_item_add_subtree(ti, ett_dtls_ack);
2421 /* record_numbers<2..2^16-2> */
2422 if (!ssl_add_vector(&dissect_dtls_hf, tvb, pinfo, dtls_ack_tree, offset, record_length, &record_number_length,
2423 hf_dtls_ack_record_numbers_length, 2, UINT16_MAX - 1)) {
2424 return;
2427 offset += 2;
2428 ti = proto_tree_add_none_format(dtls_ack_tree, hf_dtls_ack_record_numbers, tvb, offset, record_number_length,
2429 "RecordNumbers (%u record number%s)",
2430 record_number_length / 16, plurality(record_number_length / 16, "", "s"));
2431 dtls_ack_tree = proto_item_add_subtree(ti, ett_dtls_ack_record_numbers);
2433 for (i = 0; i < record_number_length; i += 16) {
2434 rn_tree = proto_tree_add_subtree(dtls_ack_tree, tvb, offset + i, 16, ett_dtls_ack_record_number, NULL, "");
2435 proto_tree_add_item_ret_uint64(rn_tree, hf_dtls_record_epoch64, tvb,
2436 offset + i + 0, 8, ENC_BIG_ENDIAN, &epoch);
2437 proto_tree_add_item_ret_uint64(rn_tree, hf_dtls_record_sequence_number, tvb,
2438 offset + i + 8, 8, ENC_BIG_ENDIAN, &number);
2439 proto_item_set_text(rn_tree, "RecordNumber: epoch %" PRIu64 ", sequence number %" PRIu64, epoch, number);
2443 static int
2444 dissect_dtls_hnd_hello_verify_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
2445 packet_info *pinfo, proto_tree *tree,
2446 uint32_t offset, uint32_t offset_end)
2449 * struct {
2450 * ProtocolVersion server_version;
2451 * opaque cookie<0..32>;
2452 * } HelloVerifyRequest;
2455 uint32_t cookie_length;
2457 /* show the client version */
2458 proto_tree_add_item(tree, dissect_dtls_hf.hf.hs_server_version, tvb,
2459 offset, 2, ENC_BIG_ENDIAN);
2460 offset += 2;
2462 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
2463 dtls_hfs.hf_dtls_handshake_cookie_len, 0, 32)) {
2464 return offset;
2466 offset++;
2468 if (cookie_length > 0)
2470 proto_tree_add_item(tree, dtls_hfs.hf_dtls_handshake_cookie,
2471 tvb, offset, cookie_length, ENC_NA);
2472 offset += cookie_length;
2475 return offset;
2479 dtls_dissect_hnd_hello_ext_use_srtp(packet_info *pinfo, tvbuff_t *tvb,
2480 proto_tree *tree, uint32_t offset,
2481 uint32_t ext_len, bool is_server)
2483 /* From https://tools.ietf.org/html/rfc5764#section-4.1.1
2485 * uint8 SRTPProtectionProfile[2];
2487 * struct {
2488 * SRTPProtectionProfiles SRTPProtectionProfiles;
2489 * opaque srtp_mki<0..255>;
2490 * } UseSRTPData;
2492 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
2495 proto_item *ti;
2496 uint32_t profiles_length, profiles_end, profile, mki_length;
2498 if (ext_len < 2) {
2499 /* XXX expert info, record too small */
2500 return offset + ext_len;
2503 /* SRTPProtectionProfiles list length */
2504 ti = proto_tree_add_item_ret_uint(tree, hf_dtls_hs_ext_use_srtp_protection_profiles_length,
2505 tvb, offset, 2, ENC_BIG_ENDIAN, &profiles_length);
2506 if (profiles_length > ext_len - 2) {
2507 profiles_length = ext_len - 2;
2508 expert_add_info_format(pinfo, ti, &ei_dtls_use_srtp_profiles_length,
2509 "The protection profiles length exceeds the extension data field length");
2511 if (is_server && profiles_length != 2) {
2512 /* The server, if sending the use_srtp extension, MUST return a
2513 * a single chosen profile that the client has offered.
2515 profile = SRTP_PROFILE_RESERVED;
2516 expert_add_info_format(pinfo, ti, &ei_dtls_use_srtp_profiles_length,
2517 "The server MUST return a single chosen protection profile");
2519 offset += 2;
2521 /* SRTPProtectionProfiles list items */
2522 profiles_end = offset + profiles_length;
2523 while (offset < profiles_end) {
2524 proto_tree_add_item_ret_uint(tree,
2525 hf_dtls_hs_ext_use_srtp_protection_profile, tvb, offset, 2,
2526 ENC_BIG_ENDIAN, &profile);
2527 offset += 2;
2530 /* MKI */
2531 proto_tree_add_item_ret_uint(tree, hf_dtls_hs_ext_use_srtp_mki_length,
2532 tvb, offset, 1, ENC_NA, &mki_length);
2533 offset++;
2534 if (mki_length > 0) {
2535 proto_tree_add_item(tree, hf_dtls_hs_ext_use_srtp_mki,
2536 tvb, offset, mki_length, ENC_NA);
2537 offset += mki_length;
2540 /* We don't know which SRTP protection profile is chosen, unless only one
2541 * was provided.
2543 if (is_server || profiles_length == 2) {
2544 struct srtp_info *srtp_info = wmem_new0(wmem_file_scope(), struct srtp_info);
2545 switch(profile) {
2546 case SRTP_AES128_CM_HMAC_SHA1_80:
2547 srtp_info->encryption_algorithm = SRTP_ENC_ALG_AES_CM;
2548 srtp_info->auth_algorithm = SRTP_AUTH_ALG_HMAC_SHA1;
2549 srtp_info->auth_tag_len = 10;
2550 break;
2551 case SRTP_AES128_CM_HMAC_SHA1_32:
2552 srtp_info->encryption_algorithm = SRTP_ENC_ALG_AES_CM;
2553 srtp_info->auth_algorithm = SRTP_AUTH_ALG_HMAC_SHA1;
2554 srtp_info->auth_tag_len = 4;
2555 break;
2556 case SRTP_NULL_HMAC_SHA1_80:
2557 srtp_info->encryption_algorithm = SRTP_ENC_ALG_NULL;
2558 srtp_info->auth_algorithm = SRTP_AUTH_ALG_HMAC_SHA1;
2559 srtp_info->auth_tag_len = 10;
2560 break;
2561 case SRTP_NULL_HMAC_SHA1_32:
2562 srtp_info->encryption_algorithm = SRTP_ENC_ALG_NULL;
2563 srtp_info->auth_algorithm = SRTP_AUTH_ALG_HMAC_SHA1;
2564 srtp_info->auth_tag_len = 4;
2565 break;
2566 case SRTP_AEAD_AES_128_GCM:
2567 srtp_info->encryption_algorithm = SRTP_ENC_ALG_AES_CM;
2568 srtp_info->auth_algorithm = SRTP_AUTH_ALG_GMAC;
2569 srtp_info->auth_tag_len = 16;
2570 break;
2571 case SRTP_AEAD_AES_256_GCM:
2572 srtp_info->encryption_algorithm = SRTP_ENC_ALG_AES_CM;
2573 srtp_info->auth_algorithm = SRTP_AUTH_ALG_GMAC;
2574 srtp_info->auth_tag_len = 16;
2575 break;
2576 default:
2577 srtp_info->encryption_algorithm = SRTP_ENC_ALG_AES_CM;
2578 srtp_info->auth_algorithm = SRTP_AUTH_ALG_HMAC_SHA1;
2579 srtp_info->auth_tag_len = 10;
2581 srtp_info->mki_len = mki_length;
2582 /* RFC 5764: It is RECOMMENDED that symmetric RTP be used with DTLS-SRTP.
2583 * RTP and RTCP traffic MAY be multiplexed on a single UDP port. (RFC 5761)
2585 * XXX: This creates a new RTP conversation. What it _should_ do is update
2586 * a RTP conversation initiated by SDP in a previous frame with the
2587 * srtp_info. Assuming we got the SDP and decrypted it if over TLS, etc.
2588 * However, since we don't actually decrypt SRT[C]P yet, the information
2589 * carried in the SDP about payload and media types isn't that useful.
2590 * (Being able to have the stream refer back to both the DTLS-SRTP and
2591 * SDP setup frame might be useful, though.)
2593 srtp_add_address(pinfo, PT_UDP, &pinfo->net_src, pinfo->srcport, pinfo->destport, "DTLS-SRTP", pinfo->num, RTP_MEDIA_AUDIO, NULL, srtp_info, NULL);
2594 srtp_add_address(pinfo, PT_UDP, &pinfo->net_dst, pinfo->destport, pinfo->srcport, "DTLS-SRTP", pinfo->num, RTP_MEDIA_AUDIO, NULL, srtp_info, NULL);
2596 return offset;
2599 /*********************************************************************
2601 * Support Functions
2603 *********************************************************************/
2605 /* this applies a heuristic to determine whether
2606 * or not the data beginning at offset looks like a
2607 * valid dtls record.
2609 static int
2610 looks_like_dtls(tvbuff_t *tvb, uint32_t offset)
2612 /* have to have a valid content type followed by a valid
2613 * protocol version
2615 uint8_t byte;
2616 uint16_t version;
2618 /* see if the first byte is a valid content type */
2619 byte = tvb_get_uint8(tvb, offset);
2620 if (!ssl_is_valid_content_type(byte))
2622 if ((byte & DTLS13_FIXED_MASK) >> 5 == 1) {
2623 return 1;
2625 return 0;
2628 /* now check to see if the version byte appears valid */
2629 version = tvb_get_ntohs(tvb, offset + 1);
2630 if (version != DTLSV1DOT0_VERSION && version != DTLSV1DOT2_VERSION &&
2631 version != DTLSV1DOT0_OPENSSL_VERSION)
2633 return 0;
2636 return 1;
2639 /* UAT */
2641 #if defined(HAVE_LIBGNUTLS)
2642 static void
2643 dtlsdecrypt_free_cb(void* r)
2645 ssldecrypt_assoc_t* h = (ssldecrypt_assoc_t*)r;
2647 g_free(h->ipaddr);
2648 g_free(h->port);
2649 g_free(h->protocol);
2650 g_free(h->keyfile);
2651 g_free(h->password);
2653 #endif
2655 #if 0
2656 static void
2657 dtlsdecrypt_update_cb(void* r _U_, const char** err _U_)
2659 return;
2661 #endif
2663 #if defined(HAVE_LIBGNUTLS)
2664 static void *
2665 dtlsdecrypt_copy_cb(void* dest, const void* orig, size_t len _U_)
2667 const ssldecrypt_assoc_t* o = (const ssldecrypt_assoc_t*)orig;
2668 ssldecrypt_assoc_t* d = (ssldecrypt_assoc_t*)dest;
2670 d->ipaddr = g_strdup(o->ipaddr);
2671 d->port = g_strdup(o->port);
2672 d->protocol = g_strdup(o->protocol);
2673 d->keyfile = g_strdup(o->keyfile);
2674 d->password = g_strdup(o->password);
2676 return d;
2679 UAT_CSTRING_CB_DEF(sslkeylist_uats,ipaddr,ssldecrypt_assoc_t)
2680 UAT_CSTRING_CB_DEF(sslkeylist_uats,port,ssldecrypt_assoc_t)
2681 UAT_CSTRING_CB_DEF(sslkeylist_uats,protocol,ssldecrypt_assoc_t)
2682 UAT_FILENAME_CB_DEF(sslkeylist_uats,keyfile,ssldecrypt_assoc_t)
2683 UAT_CSTRING_CB_DEF(sslkeylist_uats,password,ssldecrypt_assoc_t)
2685 static bool
2686 dtlsdecrypt_uat_fld_protocol_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, char** err)
2688 if (!p || strlen(p) == 0u) {
2689 // This should be removed in favor of Decode As. Make it optional.
2690 *err = NULL;
2691 return true;
2694 if (!ssl_find_appdata_dissector(p)) {
2695 if (find_dissector(p)) {
2696 // ssl_find_appdata_dissector accepts any valid dissector name so
2697 // this path cannot happen
2698 *err = ws_strdup_printf("While '%s' is a valid dissector filter name, that dissector is not configured"
2699 " to support DTLS decryption.\n\n"
2700 "If you need to decrypt '%s' over DTLS, please contact the Wireshark development team.", p, p);
2701 } else {
2702 // The GUI validates dissector names now so this path shouldn't
2703 // occur either. (Perhaps if the UAT is hand-edited it might?)
2704 char* ssl_str = ssl_association_info("dtls.port", "UDP");
2705 *err = ws_strdup_printf("Could not find dissector for: '%s'\nCommonly used DTLS dissectors include:\n%s", p, ssl_str);
2706 g_free(ssl_str);
2708 return false;
2711 *err = NULL;
2712 return true;
2714 #endif
2716 static void
2717 dtls_src_prompt(packet_info *pinfo, char *result)
2719 SslPacketInfo* pi;
2720 uint32_t srcport = pinfo->srcport;
2722 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_dtls, pinfo->curr_layer_num);
2723 if (pi != NULL)
2724 srcport = pi->srcport;
2726 snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "source (%u%s)", srcport, UTF8_RIGHTWARDS_ARROW);
2729 static void *
2730 dtls_src_value(packet_info *pinfo)
2732 SslPacketInfo* pi;
2734 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_dtls, pinfo->curr_layer_num);
2735 if (pi == NULL)
2736 return GUINT_TO_POINTER(pinfo->srcport);
2738 return GUINT_TO_POINTER(pi->srcport);
2741 static void
2742 dtls_dst_prompt(packet_info *pinfo, char *result)
2744 SslPacketInfo* pi;
2745 uint32_t destport = pinfo->destport;
2747 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_dtls, pinfo->curr_layer_num);
2748 if (pi != NULL)
2749 destport = pi->destport;
2751 snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "destination (%s%u)", UTF8_RIGHTWARDS_ARROW, destport);
2754 static void *
2755 dtls_dst_value(packet_info *pinfo)
2757 SslPacketInfo* pi;
2759 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_dtls, pinfo->curr_layer_num);
2760 if (pi == NULL)
2761 return GUINT_TO_POINTER(pinfo->destport);
2763 return GUINT_TO_POINTER(pi->destport);
2766 static void
2767 dtls_both_prompt(packet_info *pinfo, char *result)
2769 SslPacketInfo* pi;
2770 uint32_t srcport = pinfo->srcport,
2771 destport = pinfo->destport;
2773 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_dtls, pinfo->curr_layer_num);
2774 if (pi != NULL)
2776 srcport = pi->srcport;
2777 destport = pi->destport;
2780 snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "both (%u%s%u)", srcport, UTF8_LEFT_RIGHT_ARROW, destport);
2783 void proto_reg_handoff_dtls(void);
2785 /*********************************************************************
2787 * Standard Wireshark Protocol Registration and housekeeping
2789 *********************************************************************/
2790 void
2791 proto_register_dtls(void)
2794 /* Setup list of header fields See Section 1.6.1 for details*/
2795 static hf_register_info hf[] = {
2796 { &hf_dtls_record,
2797 { "Record Layer", "dtls.record",
2798 FT_NONE, BASE_NONE, NULL, 0x0,
2799 NULL, HFILL }
2801 { &hf_dtls_record_content_type,
2802 { "Content Type", "dtls.record.content_type",
2803 FT_UINT8, BASE_DEC, VALS(ssl_31_content_type), 0x0,
2804 NULL, HFILL}
2806 { &hf_dtls_record_special_type,
2807 { "Special Type", "dtls.record.special_type",
2808 FT_UINT8, BASE_DEC, VALS(ssl_31_content_type), 0x0,
2809 "Always set to value 25, actual content type is known after decryption", HFILL}
2811 { &hf_dtls_record_version,
2812 { "Version", "dtls.record.version",
2813 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2814 "Record layer version", HFILL }
2816 { &hf_dtls_record_epoch,
2817 { "Epoch", "dtls.record.epoch",
2818 FT_UINT16, BASE_DEC, NULL, 0x0,
2819 NULL, HFILL }
2821 { &hf_dtls_record_epoch64,
2822 { "Epoch", "dtls.record.epoch",
2823 FT_UINT64, BASE_DEC, NULL, 0x0,
2824 NULL, HFILL }
2826 { &hf_dtls_record_sequence_number,
2827 { "Sequence Number", "dtls.record.sequence_number",
2828 FT_UINT64, BASE_DEC, NULL, 0x0,
2829 NULL, HFILL }
2831 { &hf_dtls_record_sequence_suffix,
2832 { "Sequence Number suffix", "dtls.record.sequence_suffix",
2833 FT_UINT16, BASE_DEC, NULL, 0x0,
2834 "Lowest-order bits of the sequence number", HFILL }
2836 { &hf_dtls_record_sequence_suffix_dec,
2837 { "Sequence Number suffix (decrypted)", "dtls.record.sequence_suffix_dec",
2838 FT_UINT16, BASE_DEC, NULL, 0x0,
2839 "Lowest-order bits of the sequence number (decrypted)", HFILL }
2841 { &hf_dtls_record_connection_id,
2842 { "Connection ID", "dtls.record.connection_id",
2843 FT_BYTES, BASE_NONE, NULL, 0x0,
2844 NULL, HFILL }
2846 { &hf_dtls_record_length,
2847 { "Length", "dtls.record.length",
2848 FT_UINT16, BASE_DEC, NULL, 0x0,
2849 "Length of DTLS record data", HFILL }
2851 { &hf_dtls_record_appdata,
2852 { "Encrypted Application Data", "dtls.app_data",
2853 FT_BYTES, BASE_NONE|BASE_NO_DISPLAY_VALUE, NULL, 0x0,
2854 "Payload is encrypted application data", HFILL }
2856 { &hf_dtls_record_appdata_proto,
2857 { "Application Data Protocol", "dtls.app_data_proto",
2858 FT_STRING, BASE_NONE, NULL, 0x0,
2859 NULL, HFILL }
2861 { &hf_dtls_record_encrypted_content,
2862 { "Encrypted Record Content", "dtls.enc_content",
2863 FT_BYTES, BASE_NONE|BASE_NO_DISPLAY_VALUE, NULL, 0x0,
2864 "Encrypted record data", HFILL }
2866 { & hf_dtls_alert_message,
2867 { "Alert Message", "dtls.alert_message",
2868 FT_NONE, BASE_NONE, NULL, 0x0,
2869 NULL, HFILL }
2871 { & hf_dtls_alert_message_level,
2872 { "Level", "dtls.alert_message.level",
2873 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_level), 0x0,
2874 "Alert message level", HFILL }
2876 { &hf_dtls_alert_message_description,
2877 { "Description", "dtls.alert_message.desc",
2878 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_description), 0x0,
2879 "Alert message description", HFILL }
2881 { &hf_dtls_handshake_protocol,
2882 { "Handshake Protocol", "dtls.handshake",
2883 FT_NONE, BASE_NONE, NULL, 0x0,
2884 "Handshake protocol message", HFILL}
2886 { &hf_dtls_handshake_type,
2887 { "Handshake Type", "dtls.handshake.type",
2888 FT_UINT8, BASE_DEC, VALS(ssl_31_handshake_type), 0x0,
2889 "Type of handshake message", HFILL}
2891 { &hf_dtls_handshake_length,
2892 { "Length", "dtls.handshake.length",
2893 FT_UINT24, BASE_DEC, NULL, 0x0,
2894 "Length of handshake message", HFILL }
2896 { &hf_dtls_handshake_message_seq,
2897 { "Message Sequence", "dtls.handshake.message_seq",
2898 FT_UINT16, BASE_DEC, NULL, 0x0,
2899 "Message sequence of handshake message", HFILL }
2901 { &hf_dtls_handshake_fragment_offset,
2902 { "Fragment Offset", "dtls.handshake.fragment_offset",
2903 FT_UINT24, BASE_DEC, NULL, 0x0,
2904 "Fragment offset of handshake message", HFILL }
2906 { &hf_dtls_handshake_fragment_length,
2907 { "Fragment Length", "dtls.handshake.fragment_length",
2908 FT_UINT24, BASE_DEC, NULL, 0x0,
2909 "Fragment length of handshake message", HFILL }
2911 { &dtls_hfs.hf_dtls_handshake_cookie_len,
2912 { "Cookie Length", "dtls.handshake.cookie_length",
2913 FT_UINT8, BASE_DEC, NULL, 0x0,
2914 "Length of the cookie field", HFILL }
2916 { &dtls_hfs.hf_dtls_handshake_cookie,
2917 { "Cookie", "dtls.handshake.cookie",
2918 FT_BYTES, BASE_NONE, NULL, 0x0,
2919 NULL, HFILL }
2921 { &hf_dtls_heartbeat_message,
2922 { "Heartbeat Message", "dtls.heartbeat_message",
2923 FT_NONE, BASE_NONE, NULL, 0x0,
2924 NULL, HFILL }
2926 { &hf_dtls_heartbeat_message_type,
2927 { "Type", "dtls.heartbeat_message.type",
2928 FT_UINT8, BASE_DEC, VALS(tls_heartbeat_type), 0x0,
2929 "Heartbeat message type", HFILL }
2931 { &hf_dtls_heartbeat_message_payload_length,
2932 { "Payload Length", "dtls.heartbeat_message.payload_length",
2933 FT_UINT16, BASE_DEC, NULL, 0x00, NULL, HFILL }
2935 { &hf_dtls_heartbeat_message_payload,
2936 { "Payload Length", "dtls.heartbeat_message.payload",
2937 FT_BYTES, BASE_NONE, NULL, 0x00, NULL, HFILL }
2939 { &hf_dtls_heartbeat_message_padding,
2940 { "Payload Length", "dtls.heartbeat_message.padding",
2941 FT_BYTES, BASE_NONE, NULL, 0x00, NULL, HFILL }
2943 { &hf_dtls_ack_message,
2944 { "Acknowledgement Message", "dtls.ack_message",
2945 FT_NONE, BASE_NONE, NULL, 0x0,
2946 NULL, HFILL }
2948 { &hf_dtls_ack_record_numbers_length,
2949 { "Record Number Length", "dtls.ack.record_numbers_length",
2950 FT_UINT16, BASE_DEC, NULL, 0x0,
2951 NULL, HFILL }
2953 { &hf_dtls_fragments,
2954 { "Message fragments", "dtls.fragments",
2955 FT_NONE, BASE_NONE, NULL, 0x00, NULL, HFILL }
2957 { &hf_dtls_fragment,
2958 { "Message fragment", "dtls.fragment",
2959 FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL }
2961 { &hf_dtls_ack_record_numbers,
2962 { "Record Numbers", "dtls.ack.record_numbers",
2963 FT_NONE, BASE_NONE, NULL, 0x0,
2964 NULL, HFILL }
2966 { &hf_dtls_fragment_overlap,
2967 { "Message fragment overlap", "dtls.fragment.overlap",
2968 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }
2970 { &hf_dtls_fragment_overlap_conflicts,
2971 { "Message fragment overlapping with conflicting data",
2972 "dtls.fragment.overlap.conflicts",
2973 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }
2975 { &hf_dtls_fragment_multiple_tails,
2976 { "Message has multiple tail fragments",
2977 "dtls.fragment.multiple_tails",
2978 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }
2980 { &hf_dtls_fragment_too_long_fragment,
2981 { "Message fragment too long", "dtls.fragment.too_long_fragment",
2982 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }
2984 { &hf_dtls_fragment_error,
2985 { "Message defragmentation error", "dtls.fragment.error",
2986 FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL }
2988 { &hf_dtls_fragment_count,
2989 { "Message fragment count", "dtls.fragment.count",
2990 FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL }
2992 { &hf_dtls_reassembled_in,
2993 { "Reassembled in", "dtls.reassembled.in",
2994 FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL }
2996 { &hf_dtls_reassembled_length,
2997 { "Reassembled DTLS length", "dtls.reassembled.length",
2998 FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL }
3000 { &hf_dtls_hs_ext_use_srtp_protection_profiles_length,
3001 { "SRTP Protection Profiles Length", "dtls.use_srtp.protection_profiles_length",
3002 FT_UINT16, BASE_DEC, NULL, 0x00, NULL, HFILL }
3004 { &hf_dtls_hs_ext_use_srtp_protection_profile,
3005 { "SRTP Protection Profile", "dtls.use_srtp.protection_profile",
3006 FT_UINT16, BASE_HEX, VALS(srtp_protection_profile_vals), 0x00, NULL, HFILL }
3008 { &hf_dtls_hs_ext_use_srtp_mki_length,
3009 { "MKI Length", "dtls.use_srtp.mki_length",
3010 FT_UINT8, BASE_DEC, NULL, 0x00, NULL, HFILL }
3012 { &hf_dtls_hs_ext_use_srtp_mki,
3013 { "MKI", "dtls.use_srtp.mki",
3014 FT_BYTES, BASE_NONE, NULL, 0x00, NULL, HFILL }
3016 { &hf_dtls_uni_hdr,
3017 { "Unified header bitmask", "dtls.unified_header.bitmask",
3018 FT_UINT8, BASE_HEX, NULL, 0x00, "DTLS 1.3 unified header bitmask", HFILL }
3020 { &hf_dtls_uni_hdr_fixed,
3021 { "Fixed bits", "dtls.unified_header.fixed",
3022 FT_UINT8, BASE_HEX, NULL, DTLS13_FIXED_MASK, NULL, HFILL }
3024 { &hf_dtls_uni_hdr_cid,
3025 { "CID field", "dtls.unified_header.cid_present",
3026 FT_BOOLEAN, 8, TFS(&tfs_present_not_present), DTLS13_C_BIT_MASK, NULL, HFILL }
3028 { &hf_dtls_uni_hdr_seq,
3029 { "Sequence number size", "dtls.unified_header.seq_size",
3030 FT_BOOLEAN, 8, TFS(&dtls_uni_hdr_seq_tfs), DTLS13_S_BIT_MASK, NULL, HFILL }
3032 { &hf_dtls_uni_hdr_len,
3033 { "Length field", "dtls.unified_header.length",
3034 FT_BOOLEAN, 8, TFS(&tfs_present_not_present), DTLS13_L_BIT_MASK, NULL, HFILL }
3036 { &hf_dtls_uni_hdr_epoch,
3037 { "Epoch lowest-order bits", "dtls.unified_header.epoch_bits",
3038 FT_UINT8, BASE_DEC, NULL, 0x03, NULL, HFILL }
3041 SSL_COMMON_HF_LIST(dissect_dtls_hf, "dtls")
3044 /* Setup protocol subtree array */
3045 static int *ett[] = {
3046 &ett_dtls,
3047 &ett_dtls_record,
3048 &ett_dtls_alert,
3049 &ett_dtls_handshake,
3050 &ett_dtls_heartbeat,
3051 &ett_dtls_ack,
3052 &ett_dtls_ack_record_number,
3053 &ett_dtls_ack_record_numbers,
3054 &ett_dtls_certs,
3055 &ett_dtls_uni_hdr,
3056 &ett_dtls_fragment,
3057 &ett_dtls_fragments,
3058 SSL_COMMON_ETT_LIST(dissect_dtls_hf)
3061 static ei_register_info ei[] = {
3062 { &ei_dtls_handshake_fragment_length_zero, { "dtls.handshake.fragment_length.zero", PI_PROTOCOL, PI_WARN, "Zero-length fragment length for fragmented message", EXPFILL }},
3063 { &ei_dtls_handshake_fragment_length_too_long, { "dtls.handshake.fragment_length.too_long", PI_PROTOCOL, PI_ERROR, "Fragment length is larger than message length", EXPFILL }},
3064 { &ei_dtls_handshake_fragment_past_end_msg, { "dtls.handshake.fragment_past_end_msg", PI_PROTOCOL, PI_ERROR, "Fragment runs past the end of the message", EXPFILL }},
3065 { &ei_dtls_msg_len_diff_fragment, { "dtls.msg_len_diff_fragment", PI_PROTOCOL, PI_ERROR, "Message length differs from value in earlier fragment", EXPFILL }},
3066 { &ei_dtls_heartbeat_payload_length, { "dtls.heartbeat_message.payload_length.invalid", PI_MALFORMED, PI_ERROR, "Invalid heartbeat payload length", EXPFILL }},
3067 { &ei_dtls_cid_invalid_content_type, { "dtls.cid.content_type.invalid", PI_MALFORMED, PI_ERROR, "Invalid real content type", EXPFILL }},
3068 { &ei_dtls_use_srtp_profiles_length, { "dtls.use_srtp.protection_profiles_length.invalid", PI_PROTOCOL, PI_ERROR, "Invalid protection profiles length", EXPFILL }},
3069 #if 0
3070 { &ei_dtls_cid_invalid_enc_content, { "dtls.cid.enc_content.invalid", PI_MALFORMED, PI_ERROR, "Invalid encrypted content", EXPFILL }},
3071 #endif
3073 SSL_COMMON_EI_LIST(dissect_dtls_hf, "dtls")
3076 static build_valid_func dtls_da_src_values[1] = {dtls_src_value};
3077 static build_valid_func dtls_da_dst_values[1] = {dtls_dst_value};
3078 static build_valid_func dtls_da_both_values[2] = {dtls_src_value, dtls_dst_value};
3079 static decode_as_value_t dtls_da_values[3] = {{dtls_src_prompt, 1, dtls_da_src_values}, {dtls_dst_prompt, 1, dtls_da_dst_values}, {dtls_both_prompt, 2, dtls_da_both_values}};
3080 static decode_as_t dtls_da = {"dtls", "dtls.port", 3, 2, dtls_da_values, "UDP", "port(s) as",
3081 decode_as_default_populate_list, decode_as_default_reset, decode_as_default_change, NULL};
3083 expert_module_t* expert_dtls;
3085 /* Register the protocol name and description */
3086 proto_dtls = proto_register_protocol("Datagram Transport Layer Security",
3087 "DTLS", "dtls");
3089 dtls_associations = register_dissector_table("dtls.port", "DTLS Port", proto_dtls, FT_UINT16, BASE_DEC);
3091 ssl_common_register_dtls_alpn_dissector_table("dtls.alpn",
3092 "DTLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs",
3093 proto_dtls);
3095 /* Required function calls to register the header fields and
3096 * subtrees used */
3097 proto_register_field_array(proto_dtls, hf, array_length(hf));
3098 proto_register_subtree_array(ett, array_length(ett));
3099 expert_dtls = expert_register_protocol(proto_dtls);
3100 expert_register_field_array(expert_dtls, ei, array_length(ei));
3103 module_t *dtls_module = prefs_register_protocol(proto_dtls, proto_reg_handoff_dtls);
3105 #ifdef HAVE_LIBGNUTLS
3106 static uat_field_t dtlskeylist_uats_flds[] = {
3107 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, ipaddr, "IP address", ssldecrypt_uat_fld_ip_chk_cb, "IPv4 or IPv6 address (unused)"),
3108 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, port, "Port", ssldecrypt_uat_fld_port_chk_cb, "Port Number (optional)"),
3109 UAT_FLD_DISSECTOR_OTHER(sslkeylist_uats, protocol, "Protocol", dtlsdecrypt_uat_fld_protocol_chk_cb, "Application Layer Protocol (optional)"),
3110 UAT_FLD_FILENAME_OTHER(sslkeylist_uats, keyfile, "Key File", ssldecrypt_uat_fld_fileopen_chk_cb, "Path to the keyfile."),
3111 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, password," Password (p12 file)", ssldecrypt_uat_fld_password_chk_cb, "Password"),
3112 UAT_END_FIELDS
3115 dtlsdecrypt_uat = uat_new("DTLS RSA Keylist",
3116 sizeof(ssldecrypt_assoc_t),
3117 "dtlsdecrypttablefile", /* filename */
3118 true, /* from_profile */
3119 &dtlskeylist_uats, /* data_ptr */
3120 &ndtlsdecrypt, /* numitems_ptr */
3121 UAT_AFFECTS_DISSECTION, /* affects dissection of packets, but not set of named fields */
3122 "ChK12ProtocolsSection", /* TODO, need revision - help */
3123 dtlsdecrypt_copy_cb,
3124 NULL, /* dtlsdecrypt_update_cb? */
3125 dtlsdecrypt_free_cb,
3126 dtls_parse_uat,
3127 dtls_reset_uat,
3128 dtlskeylist_uats_flds);
3130 prefs_register_uat_preference(dtls_module, "cfg",
3131 "RSA keys list",
3132 "A table of RSA keys for DTLS decryption",
3133 dtlsdecrypt_uat);
3135 prefs_register_string_preference(dtls_module, "keys_list", "RSA keys list (deprecated)",
3136 "Semicolon-separated list of private RSA keys used for DTLS decryption. "
3137 "Used by versions of Wireshark prior to 1.6",
3138 &dtls_keys_list);
3139 #endif /* HAVE_LIBGNUTLS */
3141 prefs_register_filename_preference(dtls_module, "debug_file", "DTLS debug file",
3142 "redirect dtls debug to file name; leave empty to disable debug, "
3143 "use \"" SSL_DEBUG_USE_STDERR "\" to redirect output to stderr\n",
3144 &dtls_debug_file_name, true);
3146 prefs_register_uint_preference(dtls_module, "client_cid_length", "Client Connection ID length",
3147 "Default client Connection ID length used when the Client Handshake message is missing",
3148 10, &dtls_default_client_cid_length);
3150 prefs_register_uint_preference(dtls_module, "server_cid_length", "Server Connection ID length",
3151 "Default server Connection ID length used when the Server Handshake message is missing",
3152 10, &dtls_default_server_cid_length);
3154 ssl_common_register_options(dtls_module, &dtls_options, true);
3157 dtls_handle = register_dissector("dtls", dissect_dtls, proto_dtls);
3159 register_init_routine(dtls_init);
3160 register_cleanup_routine(dtls_cleanup);
3161 reassembly_table_register (&dtls_reassembly_table, &addresses_ports_reassembly_table_functions);
3162 register_decode_as(&dtls_da);
3164 dtls_tap = register_tap("dtls");
3165 ssl_debug_printf("proto_register_dtls: registered tap %s:%d\n",
3166 "dtls", dtls_tap);
3168 heur_subdissector_list = register_heur_dissector_list_with_description("dtls", "DTLS payload fallback", proto_dtls);
3172 /* If this dissector uses sub-dissector registration add a registration
3173 * routine. This format is required because a script is used to find
3174 * these routines and create the code that calls these routines.
3176 void
3177 proto_reg_handoff_dtls(void)
3179 static bool initialized = false;
3181 #ifdef HAVE_LIBGNUTLS
3182 dtls_parse_uat();
3183 dtls_parse_old_keys();
3184 #endif
3186 if (initialized == false) {
3187 heur_dissector_add("udp", dissect_dtls_heur, "DTLS over UDP", "dtls_udp", proto_dtls, HEURISTIC_ENABLE);
3188 heur_dissector_add("stun", dissect_dtls_heur, "DTLS over STUN", "dtls_stun", proto_dtls, HEURISTIC_DISABLE);
3189 heur_dissector_add("classicstun", dissect_dtls_heur, "DTLS over CLASSICSTUN", "dtls_classicstun", proto_dtls, HEURISTIC_DISABLE);
3190 dissector_add_uint("sctp.ppi", DIAMETER_DTLS_PROTOCOL_ID, dtls_handle);
3191 dissector_add_uint("sctp.ppi", NGAP_OVER_DTLS_PROTOCOL_ID, dtls_handle);
3192 dissector_add_uint("sctp.ppi", XNAP_OVER_DTLS_PROTOCOL_ID, dtls_handle);
3193 dissector_add_uint("sctp.ppi", F1AP_OVER_DTLS_PROTOCOL_ID, dtls_handle);
3194 dissector_add_uint("sctp.ppi", E1AP_OVER_DTLS_PROTOCOL_ID, dtls_handle);
3195 exported_pdu_tap = find_tap_id(EXPORT_PDU_TAP_NAME_LAYER_7);
3198 initialized = true;
3201 void
3202 dtls_dissector_add(unsigned port, dissector_handle_t handle)
3204 ssl_association_add("dtls.port", dtls_handle, handle, port, false);
3207 void
3208 dtls_dissector_delete(unsigned port, dissector_handle_t handle)
3210 ssl_association_remove("dtls.port", dtls_handle, handle, port, false);
3214 * Editor modelines - https://www.wireshark.org/tools/modelines.html
3216 * Local Variables:
3217 * c-basic-offset: 2
3218 * tab-width: 8
3219 * indent-tabs-mode: nil
3220 * End:
3222 * ex: set shiftwidth=2 tabstop=8 expandtab:
3223 * :indentSize=2:tabSize=8:noTabs=true: