/builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c (2024)

1/* packet-tls-utils.c2 * ssl manipulation functions3 * By Paolo Abeni <[emailprotected]>4 *5 * Copyright (c) 2013, Hauke Mehrtens <[emailprotected]>6 * Copyright (c) 2014, Peter Wu <[emailprotected]>7 *8 * Wireshark - Network traffic analyzer9 * By Gerald Combs <[emailprotected]>10 * Copyright 1998 Gerald Combs11 *12 * SPDX-License-Identifier: GPL-2.0-or-later13 */14 15#include "config.h"16 17#if defined(HAVE_ZLIB1) && !defined(HAVE_ZLIBNG)18#define ZLIB_CONST19#define ZLIB_PREFIX(x)x x20#include <zlib.h>21typedef z_stream zlib_stream;22#endif /* HAVE_ZLIB */23 24#ifdef HAVE_ZLIBNG25#define ZLIB_PREFIX(x)x zng_ ## x26#include <zlib-ng.h>27typedef zng_stream zlib_stream;28#endif /* HAVE_ZLIBNG */29 30#include <stdlib.h>31#include <errno(*__errno_location ()).h>32 33#include <epan/packet.h>34#include <epan/strutil.h>35#include <epan/addr_resolv.h>36#include <epan/expert.h>37#include <epan/asn1.h>38#include <epan/proto_data.h>39#include <epan/oids.h>40#include <epan/secrets.h>41 42#include <wsutil/inet_cidr.h>43#include <wsutil/filesystem.h>44#include <wsutil/file_util.h>45#include <wsutil/str_util.h>46#include <wsutil/report_message.h>47#include <wsutil/pint.h>48#include <wsutil/strtoi.h>49#include <wsutil/wsgcrypt.h>50#include <wsutil/rsa.h>51#include <wsutil/ws_assert.h>52#include "packet-ber.h"53#include "packet-x509af.h"54#include "packet-x509if.h"55#include "packet-tls-utils.h"56#include "packet-ocsp.h"57#include "packet-tls.h"58#include "packet-dtls.h"59#include "packet-quic.h"60#if defined(HAVE_LIBGNUTLS1)61#include <gnutls/abstract.h>62#endif63 64/* JA3/JA3S calculations must ignore GREASE values65 * as described in RFC 8701.66 */67#define IS_GREASE_TLS(x)((((x) & 0x0f0f) == 0x0a0a) && (((x) & 0xff) ==
(((x)>>8) & 0xff))) ((((x) & 0x0f0f) == 0x0a0a) && \68 (((x) & 0xff) == (((x)>>8) & 0xff)))69 70/* Section 22.3 of RFC 9000 (QUIC) reserves values of this71 * form for a similar purpose as GREASE.72 */73#define IS_GREASE_QUIC(x)((x) > 27 ? ((((x) - 27) % 31) == 0) : 0) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)74 75#define DTLS13_MAX_EPOCH10 1076 77/* Lookup tables {{{ */78const value_string ssl_version_short_names[] = {79 { SSLV2_VERSION0x0002, "SSLv2" },80 { SSLV3_VERSION0x300, "SSLv3" },81 { TLSV1_VERSION0x301, "TLSv1" },82 { TLCPV1_VERSION0x101, "TLCP" },83 { TLSV1DOT1_VERSION0x302, "TLSv1.1" },84 { TLSV1DOT2_VERSION0x303, "TLSv1.2" },85 { TLSV1DOT3_VERSION0x304, "TLSv1.3" },86 { DTLSV1DOT0_VERSION0xfeff, "DTLSv1.0" },87 { DTLSV1DOT2_VERSION0xfefd, "DTLSv1.2" },88 { DTLSV1DOT3_VERSION0xfefc, "DTLSv1.3" },89 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },90 { 0x00, NULL((void*)0) }91};92 93const value_string ssl_versions[] = {94 { SSLV2_VERSION0x0002, "SSL 2.0" },95 { SSLV3_VERSION0x300, "SSL 3.0" },96 { TLSV1_VERSION0x301, "TLS 1.0" },97 { TLCPV1_VERSION0x101, "TLCP" },98 { TLSV1DOT1_VERSION0x302, "TLS 1.1" },99 { TLSV1DOT2_VERSION0x303, "TLS 1.2" },100 { TLSV1DOT3_VERSION0x304, "TLS 1.3" },101 { 0x7F0E, "TLS 1.3 (draft 14)" },102 { 0x7F0F, "TLS 1.3 (draft 15)" },103 { 0x7F10, "TLS 1.3 (draft 16)" },104 { 0x7F11, "TLS 1.3 (draft 17)" },105 { 0x7F12, "TLS 1.3 (draft 18)" },106 { 0x7F13, "TLS 1.3 (draft 19)" },107 { 0x7F14, "TLS 1.3 (draft 20)" },108 { 0x7F15, "TLS 1.3 (draft 21)" },109 { 0x7F16, "TLS 1.3 (draft 22)" },110 { 0x7F17, "TLS 1.3 (draft 23)" },111 { 0x7F18, "TLS 1.3 (draft 24)" },112 { 0x7F19, "TLS 1.3 (draft 25)" },113 { 0x7F1A, "TLS 1.3 (draft 26)" },114 { 0x7F1B, "TLS 1.3 (draft 27)" },115 { 0x7F1C, "TLS 1.3 (draft 28)" },116 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },117 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },118 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },119 { DTLSV1DOT0_VERSION0xfeff, "DTLS 1.0" },120 { DTLSV1DOT2_VERSION0xfefd, "DTLS 1.2" },121 { DTLSV1DOT3_VERSION0xfefc, "DTLS 1.3" },122 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */123 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */124 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */125 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */126 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */127 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */128 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */129 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */130 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */131 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */132 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */133 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */134 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */135 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */136 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */137 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */138 { 0x00, NULL((void*)0) }139};140 141static const value_string ssl_version_ja4_names[] = {142 { 0x0100, "s1" },143 { SSLV2_VERSION0x0002, "s2" },144 { SSLV3_VERSION0x300, "s3" },145 { TLSV1_VERSION0x301, "10" },146 { TLSV1DOT1_VERSION0x302, "11" },147 { TLSV1DOT2_VERSION0x303, "12" },148 { TLSV1DOT3_VERSION0x304, "13" },149 { DTLSV1DOT0_VERSION0xfeff, "d1" },150 { DTLSV1DOT2_VERSION0xfefd, "d2" },151 { DTLSV1DOT3_VERSION0xfefc, "d3" },152 { 0x00, NULL((void*)0) }153};154 155const value_string ssl_20_msg_types[] = {156 { SSL2_HND_ERROR0x00, "Error" },157 { SSL2_HND_CLIENT_HELLO0x01, "Client Hello" },158 { SSL2_HND_CLIENT_MASTER_KEY0x02, "Client Master Key" },159 { SSL2_HND_CLIENT_FINISHED0x03, "Client Finished" },160 { SSL2_HND_SERVER_HELLO0x04, "Server Hello" },161 { SSL2_HND_SERVER_VERIFY0x05, "Server Verify" },162 { SSL2_HND_SERVER_FINISHED0x06, "Server Finished" },163 { SSL2_HND_REQUEST_CERTIFICATE0x07, "Request Certificate" },164 { SSL2_HND_CLIENT_CERTIFICATE0x08, "Client Certificate" },165 { 0x00, NULL((void*)0) }166};167/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */168/* Note: sorted by ascending value so value_string-ext can do a binary search */169static const value_string ssl_20_cipher_suites[] = {170 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },171 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },172 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },173 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },174 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },175 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },176 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },177 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },178 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },179 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },180 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },181 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },182 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },183 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },184 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },185 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },186 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },187 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },188 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },189 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },190 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },191 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },192 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },193 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },194 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },195 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },196 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },197 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },198 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },199 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },200#if 0201 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },202#endif203 /* RFC 2712 */204 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },205 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },206 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },207 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },208 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },209 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },210 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },211 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },212 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },213 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },214 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },215 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },216 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },217 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },218 /* RFC 4785 */219 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },220 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },221 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },222 /* RFC 5246 */223 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },224 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },225 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },226 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },227 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },228 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },229 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },230 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },231 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },232 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },233 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },234 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },235 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },236 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },237 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },238 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },239 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },240 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },241 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },242 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },243 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },244 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },245 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },246 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },247 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },248 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },249 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },250 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },251 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },252 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },253 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },254 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },255 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },256 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },257 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },258 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },259 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },260 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },261 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },262 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },263 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },264 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },265 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },266 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },267 /* 0x00,0x6E-83 Unassigned */268 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },269 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },270 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },271 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },272 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },273 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },274 /* RFC 4279 */275 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },276 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },277 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },278 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },279 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },280 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },281 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },282 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },283 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },284 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },285 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },286 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },287 /* RFC 4162 */288 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },289 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },290 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },291 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },292 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },293 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },294 /* RFC 5288 */295 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },296 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },297 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },298 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },299 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },300 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },301 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },302 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },303 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },304 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },305 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },306 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },307 /* RFC 5487 */308 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },309 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },310 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },311 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },312 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },313 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },314 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },315 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },316 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },317 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },318 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },319 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },320 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },321 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },322 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },323 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },324 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },325 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },326 /* From RFC 5932 */327 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },328 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },329 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },330 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },331 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },332 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },333 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },334 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },335 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },336 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },337 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },338 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },339 /* 0x00,0xC6-FE Unassigned */340 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },341 /* 0x01-BF,* Unassigned */342 /* From RFC 4492 */343 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },344 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },345 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },346 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },347 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },348 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },349 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },350 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },351 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },352 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },353 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },354 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },355 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },356 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },357 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },358 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },359 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },360 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },361 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },362 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },363 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },364 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },365 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },366 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },367 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },368 /* RFC 5054 */369 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },370 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },371 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },372 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },373 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },374 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },375 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },376 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },377 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },378 /* RFC 5589 */379 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },380 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },381 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },382 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },383 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },384 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },385 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },386 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },387 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },388 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },389 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },390 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },391 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },392 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },393 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },394 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },395 /* RFC 5489 */396 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },397 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },398 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },399 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },400 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },401 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },402 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },403 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },404 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },405 /* 0xC0,0x3C-FF Unassigned406 0xC1-FD,* Unassigned407 0xFE,0x00-FD Unassigned408 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]409 0xFF,0x00-FF Reserved for Private Use [RFC5246]410 */411 412 /* old numbers used in the beginning413 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */414 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },415 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },416 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },417 418 /* https://tools.ietf.org/html/rfc7905 */419 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },420 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },421 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },422 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },423 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },424 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },425 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },426 427 /* GM/T 0024-2014 */428 { 0x00e001, "ECDHE_SM1_SM3"},429 { 0x00e003, "ECC_SM1_SM3"},430 { 0x00e005, "IBSDH_SM1_SM3"},431 { 0x00e007, "IBC_SM1_SM3"},432 { 0x00e009, "RSA_SM1_SM3"},433 { 0x00e00a, "RSA_SM1_SHA1"},434 { 0x00e011, "ECDHE_SM4_CBC_SM3"},435 { 0x00e013, "ECC_SM4_CBC_SM3"},436 { 0x00e015, "IBSDH_SM4_CBC_SM3"},437 { 0x00e017, "IBC_SM4_CBC_SM3"},438 { 0x00e019, "RSA_SM4_CBC_SM3"},439 { 0x00e01a, "RSA_SM4_CBC_SHA1"},440 { 0x00e01c, "RSA_SM4_CBC_SHA256"},441 { 0x00e051, "ECDHE_SM4_GCM_SM3"},442 { 0x00e053, "ECC_SM4_GCM_SM3"},443 { 0x00e055, "IBSDH_SM4_GCM_SM3"},444 { 0x00e057, "IBC_SM4_GCM_SM3"},445 { 0x00e059, "RSA_SM4_GCM_SM3"},446 { 0x00e05a, "RSA_SM4_GCM_SHA256"},447 448 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */449 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },450 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },451 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },452 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },453 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },454 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },455 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },456 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },457 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },458 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },459 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },460 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },461 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },462 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },463 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },464 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },465 466 /* these from http://www.mozilla.org/projects/467 security/pki/nss/ssl/fips-ssl-ciphersuites.html */468 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},469 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },470 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },471 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},472 /* note that ciphersuites of {0x00????} are TLS cipher suites in473 * a sslv2 client hello message; the ???? above is the two-byte474 * tls cipher suite id475 */476 477 { 0x010080, "SSL2_RC4_128_WITH_MD5" },478 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },479 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },480 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },481 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },482 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },483 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },484 { 0x080080, "SSL2_RC4_64_WITH_MD5" },485 486 { 0x00, NULL((void*)0) }487};488 489value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites){ _try_val_to_str_ext_init, 0, (sizeof (ssl_20_cipher_suites)
/ sizeof ((ssl_20_cipher_suites)[0]))-1, ssl_20_cipher_suites
, "ssl_20_cipher_suites" };490 491 492/*493 * Supported Groups (formerly named "EC Named Curve").494 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8495 */496const value_string ssl_extension_curves[] = {497 { 1, "sect163k1" },498 { 2, "sect163r1" },499 { 3, "sect163r2" },500 { 4, "sect193r1" },501 { 5, "sect193r2" },502 { 6, "sect233k1" },503 { 7, "sect233r1" },504 { 8, "sect239k1" },505 { 9, "sect283k1" },506 { 10, "sect283r1" },507 { 11, "sect409k1" },508 { 12, "sect409r1" },509 { 13, "sect571k1" },510 { 14, "sect571r1" },511 { 15, "secp160k1" },512 { 16, "secp160r1" },513 { 17, "secp160r2" },514 { 18, "secp192k1" },515 { 19, "secp192r1" },516 { 20, "secp224k1" },517 { 21, "secp224r1" },518 { 22, "secp256k1" },519 { 23, "secp256r1" },520 { 24, "secp384r1" },521 { 25, "secp521r1" },522 { 26, "brainpoolP256r1" }, /* RFC 7027 */523 { 27, "brainpoolP384r1" }, /* RFC 7027 */524 { 28, "brainpoolP512r1" }, /* RFC 7027 */525 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */526 { 30, "x448" }, /* RFC 8446 / RFC 8422 */527 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */528 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */529 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */530 { 34, "GC256A" }, /* RFC9189 */531 { 35, "GC256B" }, /* RFC9189 */532 { 36, "GC256C" }, /* RFC9189 */533 { 37, "GC256D" }, /* RFC9189 */534 { 38, "GC512A" }, /* RFC9189 */535 { 39, "GC512B" }, /* RFC9189 */536 { 40, "GC512C" }, /* RFC9189 */537 { 41, "curveSM2" }, /* RFC 8998 */538 { 256, "ffdhe2048" }, /* RFC 7919 */539 { 257, "ffdhe3072" }, /* RFC 7919 */540 { 258, "ffdhe4096" }, /* RFC 7919 */541 { 259, "ffdhe6144" }, /* RFC 7919 */542 { 260, "ffdhe8192" }, /* RFC 7919 */543 /* PQC key exchange algorithms from OQS-OpenSSL,544 see https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-kem-info.md */545 { 0x0200, "frodo640aes" },546 { 0x2F00, "p256_frodo640aes" },547 { 0x0201, "frodo640shake" },548 { 0x2F01, "p256_frodo640shake" },549 { 0x0202, "frodo976aes" },550 { 0x2F02, "p384_frodo976aes" },551 { 0x0203, "frodo976shake" },552 { 0x2F03, "p384_frodo976shake" },553 { 0x0204, "frodo1344aes" },554 { 0x2F04, "p521_frodo1344aes" },555 { 0x0205, "frodo1344shake" },556 { 0x2F05, "p521_frodo1344shake" },557 { 0x023A, "kyber512" },558 { 0x2F3A, "p256_kyber512" },559 { 0x023C, "kyber768" },560 { 0x2F3C, "p384_kyber768" },561 { 0x023D, "kyber1024" },562 { 0x2F3D, "p521_kyber1024" },563 { 0x0214, "ntru_hps2048509" },564 { 0x2F14, "p256_ntru_hps2048509" },565 { 0x0215, "ntru_hps2048677" },566 { 0x2F15, "p384_ntru_hps2048677" },567 { 0x0216, "ntru_hps4096821" },568 { 0x2F16, "p521_ntru_hps4096821" },569 { 0x0245, "ntru_hps40961229" },570 { 0x2F45, "p521_ntru_hps40961229" },571 { 0x0217, "ntru_hrss701" },572 { 0x2F17, "p384_ntru_hrss701" },573 { 0x0246, "ntru_hrss1373" },574 { 0x2F46, "p521_ntru_hrss1373" },575 { 0x0218, "lightsaber" },576 { 0x2F18, "p256_lightsaber" },577 { 0x0219, "saber" },578 { 0x2F19, "p384_saber" },579 { 0x021A, "firesaber" },580 { 0x2F1A, "p521_firesaber" },581 { 0x021B, "sidhp434" },582 { 0x2F1B, "p256_sidhp434" },583 { 0x021C, "sidhp503" },584 { 0x2F1C, "p256_sidhp503" },585 { 0x021D, "sidhp610" },586 { 0x2F1D, "p384_sidhp610" },587 { 0x021E, "sidhp751" },588 { 0x2F1E, "p521_sidhp751" },589 { 0x021F, "sikep434" },590 { 0x2F1F, "p256_sikep434" },591 { 0x0220, "sikep503" },592 { 0x2F20, "p256_sikep503" },593 { 0x0221, "sikep610" },594 { 0x2F21, "p384_sikep610" },595 { 0x0222, "sikep751" },596 { 0x2F22, "p521_sikep751" },597 { 0x0238, "bikel1" },598 { 0x2F38, "p256_bikel1" },599 { 0x023B, "bikel3" },600 { 0x2F3B, "p384_bikel3" },601 { 0x023E, "kyber90s512" },602 { 0x2F3E, "p256_kyber90s512" },603 { 0x023F, "kyber90s768" },604 { 0x2F3F, "p384_kyber90s768" },605 { 0x0240, "kyber90s1024" },606 { 0x2F40, "p521_kyber90s1024" },607 { 0x022C, "hqc128" },608 { 0x2F2C, "p256_hqc128" },609 { 0x022D, "hqc192" },610 { 0x2F2D, "p384_hqc192" },611 { 0x022E, "hqc256" },612 { 0x2F2E, "p521_hqc256" },613 { 0x022F, "ntrulpr653" },614 { 0x2F2F, "p256_ntrulpr653" },615 { 0x0230, "ntrulpr761" },616 { 0x2F43, "p256_ntrulpr761" },617 { 0x0231, "ntrulpr857" },618 { 0x2F31, "p384_ntrulpr857" },619 { 0x0241, "ntrulpr1277" },620 { 0x2F41, "p521_ntrulpr1277" },621 { 0x0232, "sntrup653" },622 { 0x2F32, "p256_sntrup653" },623 { 0x0233, "sntrup761" },624 { 0x2F44, "p256_sntrup761" },625 { 0x0234, "sntrup857" },626 { 0x2F34, "p384_sntrup857" },627 { 0x0242, "sntrup1277" },628 { 0x2F42, "p521_sntrup1277" },629 /* Other PQ key exchange algorithms:630 https://blog.cloudflare.com/post-quantum-for-all631https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */632 { 0xFE30, "X25519Kyber512Draft00" },633 { 0xFE31, "X25519Kyber768Draft00 (obsolete value)" },634 { 0x6399, "X25519Kyber768Draft00" },635 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */636 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */637 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */638 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */639 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */640 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */641 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */642 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */643 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */644 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */645 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */646 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */647 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */648 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */649 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */650 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */651 { 0xFF01, "arbitrary_explicit_prime_curves" },652 { 0xFF02, "arbitrary_explicit_char2_curves" },653 { 0x00, NULL((void*)0) }654};655 656const value_string ssl_curve_types[] = {657 { 1, "explicit_prime" },658 { 2, "explicit_char2" },659 { 3, "named_curve" },660 { 0x00, NULL((void*)0) }661};662 663const value_string ssl_extension_ec_point_formats[] = {664 { 0, "uncompressed" },665 { 1, "ansiX962_compressed_prime" },666 { 2, "ansiX962_compressed_char2" },667 { 0x00, NULL((void*)0) }668};669 670const value_string ssl_20_certificate_type[] = {671 { 0x00, "N/A" },672 { 0x01, "X.509 Certificate" },673 { 0x00, NULL((void*)0) }674};675 676const value_string ssl_31_content_type[] = {677 { 20, "Change Cipher Spec" },678 { 21, "Alert" },679 { 22, "Handshake" },680 { 23, "Application Data" },681 { 24, "Heartbeat" },682 { 25, "Connection ID" },683 { 0x00, NULL((void*)0) }684};685 686#if 0687/* XXX - would be used if we dissected the body of a Change Cipher Spec688 message. */689const value_string ssl_31_change_cipher_spec[] = {690 { 1, "Change Cipher Spec" },691 { 0x00, NULL((void*)0) }692};693#endif694 695const value_string ssl_31_alert_level[] = {696 { 1, "Warning" },697 { 2, "Fatal" },698 { 0x00, NULL((void*)0) }699};700 701const value_string ssl_31_alert_description[] = {702 { 0, "Close Notify" },703 { 1, "End of Early Data" },704 { 10, "Unexpected Message" },705 { 20, "Bad Record MAC" },706 { 21, "Decryption Failed" },707 { 22, "Record Overflow" },708 { 30, "Decompression Failure" },709 { 40, "Handshake Failure" },710 { 41, "No Certificate" },711 { 42, "Bad Certificate" },712 { 43, "Unsupported Certificate" },713 { 44, "Certificate Revoked" },714 { 45, "Certificate Expired" },715 { 46, "Certificate Unknown" },716 { 47, "Illegal Parameter" },717 { 48, "Unknown CA" },718 { 49, "Access Denied" },719 { 50, "Decode Error" },720 { 51, "Decrypt Error" },721 { 60, "Export Restriction" },722 { 70, "Protocol Version" },723 { 71, "Insufficient Security" },724 { 80, "Internal Error" },725 { 86, "Inappropriate Fallback" },726 { 90, "User Canceled" },727 { 100, "No Renegotiation" },728 { 109, "Missing Extension" },729 { 110, "Unsupported Extension" },730 { 111, "Certificate Unobtainable" },731 { 112, "Unrecognized Name" },732 { 113, "Bad Certificate Status Response" },733 { 114, "Bad Certificate Hash Value" },734 { 115, "Unknown PSK Identity" },735 { 116, "Certificate Required" },736 { 120, "No application Protocol" },737 { 121, "ECH Required" },738 { 0x00, NULL((void*)0) }739};740 741const value_string ssl_31_handshake_type[] = {742 { SSL_HND_HELLO_REQUEST, "Hello Request" },743 { SSL_HND_CLIENT_HELLO, "Client Hello" },744 { SSL_HND_SERVER_HELLO, "Server Hello" },745 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},746 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },747 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },748 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },749 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },750 { SSL_HND_CERTIFICATE, "Certificate" },751 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },752 { SSL_HND_CERT_REQUEST, "Certificate Request" },753 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },754 { SSL_HND_CERT_VERIFY, "Certificate Verify" },755 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },756 { SSL_HND_FINISHED, "Finished" },757 { SSL_HND_CERT_URL, "Client Certificate URL" },758 { SSL_HND_CERT_STATUS, "Certificate Status" },759 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },760 { SSL_HND_KEY_UPDATE, "Key Update" },761 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },762 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },763 { 0x00, NULL((void*)0) }764};765 766const value_string tls_heartbeat_type[] = {767 { 1, "Request" },768 { 2, "Response" },769 { 0x00, NULL((void*)0) }770};771 772const value_string tls_heartbeat_mode[] = {773 { 1, "Peer allowed to send requests" },774 { 2, "Peer not allowed to send requests" },775 { 0x00, NULL((void*)0) }776};777 778const value_string ssl_31_compression_method[] = {779 { 0, "null" },780 { 1, "DEFLATE" },781 { 64, "LZS" },782 { 0x00, NULL((void*)0) }783};784 785#if 0786/* XXX - would be used if we dissected a Signature, as would be787 seen in a server key exchange or certificate verify message. */788const value_string ssl_31_key_exchange_algorithm[] = {789 { 0, "RSA" },790 { 1, "Diffie Hellman" },791 { 0x00, NULL((void*)0) }792};793 794const value_string ssl_31_signature_algorithm[] = {795 { 0, "Anonymous" },796 { 1, "RSA" },797 { 2, "DSA" },798 { 0x00, NULL((void*)0) }799};800#endif801 802const value_string ssl_31_client_certificate_type[] = {803 { 1, "RSA Sign" },804 { 2, "DSS Sign" },805 { 3, "RSA Fixed DH" },806 { 4, "DSS Fixed DH" },807 /* GOST certificate types */808 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */809 { 21, "GOST R 34.10-94" },810 { 22, "GOST R 34.10-2001" },811 /* END GOST certificate types */812 { 64, "ECDSA Sign" },813 { 65, "RSA Fixed ECDH" },814 { 66, "ECDSA Fixed ECDH" },815 { 80, "IBC Params" },816 { 0x00, NULL((void*)0) }817};818 819#if 0820/* XXX - would be used if we dissected exchange keys, as would be821 seen in a client key exchange message. */822const value_string ssl_31_public_value_encoding[] = {823 { 0, "Implicit" },824 { 1, "Explicit" },825 { 0x00, NULL((void*)0) }826};827#endif828 829/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */830/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */831static const value_string ssl_31_ciphersuite[] = {832 /* RFC 2246, RFC 4346, RFC 5246 */833 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },834 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },835 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },836 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },837 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },838 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },839 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },840 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },841 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },842 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },843 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },844 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },845 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },846 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },847 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },848 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },849 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },850 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },851 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },852 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },853 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },854 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },855 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },856 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },857 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },858 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },859 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },860 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },861 862 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },863 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },864#if 0 /* Because it clashes with KRB5, is never used any more, and is safe865 to remove according to David Hopwood <[emailprotected]>866 of the ietf-tls list */867 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },868#endif869 /* RFC 2712 */870 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },871 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },872 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },873 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },874 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },875 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },876 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },877 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },878 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },879 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },880 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },881 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },882 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },883 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },884 /* RFC 4785 */885 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },886 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },887 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },888 /* RFC 5246 */889 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },890 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },891 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },892 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },893 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },894 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },895 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },896 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },897 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },898 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },899 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },900 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },901 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },902 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },903 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },904 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },905 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },906 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },907 /* RFC 4132 */908 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },909 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },910 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },911 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },912 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },913 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },914 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */915 /* --- ??? --- */916 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },917 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },918 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */919 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },920 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },921 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },922 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },923 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },924 /* --- ??? ---*/925 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },926 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },927 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },928 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },929 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },930 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },931 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },932 /* draft-chudov-cryptopro-cptls-04.txt */933 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },934 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },935 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },936 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },937 /* RFC 4132 */938 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },939 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },940 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },941 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },942 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },943 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },944 /* RFC 4279 */945 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },946 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },947 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },948 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },949 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },950 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },951 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },952 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },953 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },954 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },955 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },956 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },957 /* RFC 4162 */958 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },959 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },960 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },961 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },962 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },963 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },964 /* RFC 5288 */965 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },966 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },967 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },968 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },969 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },970 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },971 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },972 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },973 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },974 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },975 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },976 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },977 /* RFC 5487 */978 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },979 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },980 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },981 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },982 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },983 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },984 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },985 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },986 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },987 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },988 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },989 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },990 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },991 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },992 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },993 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },994 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },995 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },996 /* From RFC 5932 */997 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },998 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },999 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },1000 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },1001 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },1002 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },1003 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },1004 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },1005 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },1006 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },1007 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },1008 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },1009 /* RFC 8998 */1010 { 0x00C6, "TLS_SM4_GCM_SM3" },1011 { 0x00C7, "TLS_SM4_CCM_SM3" },1012 /* 0x00,0xC8-FE Unassigned */1013 /* From RFC 5746 */1014 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },1015 /* RFC 8701 */1016 { 0x0A0A, "Reserved (GREASE)" },1017 /* RFC 8446 */1018 { 0x1301, "TLS_AES_128_GCM_SHA256" },1019 { 0x1302, "TLS_AES_256_GCM_SHA384" },1020 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },1021 { 0x1304, "TLS_AES_128_CCM_SHA256" },1022 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },1023 /* RFC 8701 */1024 { 0x1A1A, "Reserved (GREASE)" },1025 { 0x2A2A, "Reserved (GREASE)" },1026 { 0x3A3A, "Reserved (GREASE)" },1027 { 0x4A4A, "Reserved (GREASE)" },1028 /* From RFC 7507 */1029 { 0x5600, "TLS_FALLBACK_SCSV" },1030 /* RFC 8701 */1031 { 0x5A5A, "Reserved (GREASE)" },1032 { 0x6A6A, "Reserved (GREASE)" },1033 { 0x7A7A, "Reserved (GREASE)" },1034 { 0x8A8A, "Reserved (GREASE)" },1035 { 0x9A9A, "Reserved (GREASE)" },1036 { 0xAAAA, "Reserved (GREASE)" },1037 { 0xBABA, "Reserved (GREASE)" },1038 /* From RFC 4492 */1039 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },1040 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },1041 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },1042 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },1043 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },1044 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },1045 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },1046 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },1047 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },1048 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },1049 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },1050 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },1051 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },1052 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },1053 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },1054 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },1055 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },1056 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },1057 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },1058 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },1059 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },1060 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },1061 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },1062 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },1063 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },1064 /* RFC 5054 */1065 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },1066 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },1067 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },1068 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },1069 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },1070 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },1071 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },1072 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },1073 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },1074 /* RFC 5589 */1075 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },1076 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },1077 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },1078 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },1079 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },1080 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },1081 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },1082 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },1083 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },1084 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },1085 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },1086 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },1087 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },1088 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },1089 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },1090 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },1091 /* RFC 5489 */1092 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },1093 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },1094 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },1095 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },1096 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },1097 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },1098 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },1099 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },1100 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },1101 /* RFC 6209 */1102 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },1103 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },1104 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },1105 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },1106 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },1107 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },1108 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },1109 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },1110 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },1111 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },1112 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },1113 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },1114 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },1115 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },1116 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },1117 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },1118 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },1119 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },1120 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },1121 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },1122 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },1123 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },1124 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },1125 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },1126 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },1127 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },1128 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },1129 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },1130 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },1131 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },1132 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },1133 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },1134 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },1135 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },1136 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },1137 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },1138 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },1139 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },1140 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },1141 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },1142 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },1143 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },1144 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },1145 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },1146 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },1147 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },1148 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },1149 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },1150 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },1151 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },1152 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },1153 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },1154 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },1155 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },1156 /* RFC 6367 */1157 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },1158 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },1159 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },1160 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },1161 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },1162 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },1163 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },1164 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },1165 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },1166 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },1167 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },1168 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },1169 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },1170 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },1171 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },1172 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },1173 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },1174 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },1175 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },1176 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },1177 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },1178 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },1179 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },1180 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },1181 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },1182 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },1183 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },1184 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },1185 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },1186 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },1187 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },1188 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },1189 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },1190 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },1191 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },1192 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },1193 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },1194 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },1195 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },1196 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },1197 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },1198 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },1199 /* RFC 6655 */1200 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },1201 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },1202 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },1203 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },1204 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },1205 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },1206 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },1207 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },1208 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },1209 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },1210 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },1211 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },1212 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },1213 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },1214 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },1215 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },1216 /* RFC 7251 */1217 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },1218 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },1219 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },1220 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },1221 /* RFC 8492 */1222 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },1223 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },1224 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },1225 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },1226 /* draft-camwinget-tls-ts13-macciphersuites */1227 { 0xC0B4, "TLS_SHA256_SHA256" },1228 { 0xC0B5, "TLS_SHA384_SHA384" },1229 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */1230 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },1231 /* draft-smyshlyaev-tls12-gost-suites */1232 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },1233 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },1234 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },1235 /* draft-smyshlyaev-tls13-gost-suites */1236 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },1237 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },1238 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },1239 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },1240 /* RFC 8701 */1241 { 0xCACA, "Reserved (GREASE)" },1242/*12430xC0,0xAB-FF Unassigned12440xC1,0x03-FD,* Unassigned12450xFE,0x00-FD Unassigned12460xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]12470xFF,0x00-FF Reserved for Private Use [RFC5246]1248*/1249 /* old numbers used in the beginning1250 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */1251 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },1252 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },1253 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },1254 /* RFC 7905 */1255 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },1256 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },1257 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },1258 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },1259 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },1260 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },1261 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },1262 /* RFC 8442 */1263 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },1264 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },1265 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },1266 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },1267 /* RFC 8701 */1268 { 0xDADA, "Reserved (GREASE)" },1269 /* GM/T 0024-2014 */1270 { 0xe001, "ECDHE_SM1_SM3"},1271 { 0xe003, "ECC_SM1_SM3"},1272 { 0xe005, "IBSDH_SM1_SM3"},1273 { 0xe007, "IBC_SM1_SM3"},1274 { 0xe009, "RSA_SM1_SM3"},1275 { 0xe00a, "RSA_SM1_SHA1"},1276 { 0xe011, "ECDHE_SM4_CBC_SM3"},1277 { 0xe013, "ECC_SM4_CBC_SM3"},1278 { 0xe015, "IBSDH_SM4_CBC_SM3"},1279 { 0xe017, "IBC_SM4_CBC_SM3"},1280 { 0xe019, "RSA_SM4_CBC_SM3"},1281 { 0xe01a, "RSA_SM4_CBC_SHA1"},1282 { 0xe01c, "RSA_SM4_CBC_SHA256"},1283 { 0xe051, "ECDHE_SM4_GCM_SM3"},1284 { 0xe053, "ECC_SM4_GCM_SM3"},1285 { 0xe055, "IBSDH_SM4_GCM_SM3"},1286 { 0xe057, "IBC_SM4_GCM_SM3"},1287 { 0xe059, "RSA_SM4_GCM_SM3"},1288 { 0xe05a, "RSA_SM4_GCM_SHA256"},1289 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */1290 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },1291 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },1292 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },1293 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },1294 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },1295 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },1296 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },1297 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },1298 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },1299 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },1300 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },1301 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },1302 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },1303 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },1304 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },1305 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },1306 /* RFC 8701 */1307 { 0xEAEA, "Reserved (GREASE)" },1308 { 0xFAFA, "Reserved (GREASE)" },1309 /* these from http://www.mozilla.org/projects/1310 security/pki/nss/ssl/fips-ssl-ciphersuites.html */1311 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},1312 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },1313 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },1314 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },1315 /* note that ciphersuites 0xff00 - 0xffff are private */1316 { 0x00, NULL((void*)0) }1317};1318 1319value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
};1320 1321/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */1322const value_string tls_hello_extension_types[] = {1323 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */1324 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */1325 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */1326 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */1327 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */1328 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */1329 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */1330 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */1331 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */1332 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */1333 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */1334 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */1335 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */1336 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */1337 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */1338 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */1339 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */1340 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */1341 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */1342 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */1343 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */1344 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */1345 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */1346 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */1347 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */1348 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */1349 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */1350 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */1351 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */1352 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */1353 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */1354 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */1355 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */1356 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */1357 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */1358 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */1359 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */1360 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */1361 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */1362 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */1363 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */1364 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */1365 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */1366 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */1367 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */1368 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */1369 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */1370 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */1371 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */1372 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */1373 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */1374 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */1375 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */1376 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://tools.ietf.org/id/draft-agl-tls-nextprotoneg-03.html */1377 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */1378 { SSL_HND_HELLO_EXT_ALPS17513, "application_settings" }, /* draft-vvv-tls-alps-01 */1379 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */1380 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */1381 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */1382 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-001383 https://twitter.com/ericlaw/status/274237352531083264 */1384 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-011385 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */1386 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */1387 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */1388 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */1389 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */1390 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */1391 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */1392 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */1393 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */1394 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */1395 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */1396 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */1397 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */1398 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */1399 { 0, NULL((void*)0) }1400};1401 1402const value_string tls_hello_ext_server_name_type_vs[] = {1403 { 0, "host_name" },1404 { 0, NULL((void*)0) }1405};1406 1407/* RFC 6066 Section 4 */1408const value_string tls_hello_ext_max_fragment_length[] = {1409 { 1, "512" }, // 2^91410 { 2, "1024" }, // 2^101411 { 3, "2048" }, // 2^111412 { 4, "4096" }, // 2^121413 { 0, NULL((void*)0) }1414};1415 1416/* RFC 8446 Section 4.2.9 */1417const value_string tls_hello_ext_psk_ke_mode[] = {1418 { 0, "PSK-only key establishment (psk_ke)" },1419 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },1420 { 0, NULL((void*)0) }1421};1422 1423const value_string tls13_key_update_request[] = {1424 { 0, "update_not_requested" },1425 { 1, "update_requested" },1426 { 0, NULL((void*)0) }1427};1428 1429/* RFC 5246 7.4.1.4.1 */1430/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */1431/* Note that the TLS 1.3 SignatureScheme registry reserves all values1432 * with first octet 0x00-0x06 and all values with second octet 0x00-0x031433 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.1434 *1435 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms1436 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm1437 * and TLS HashAlgorithm registries, but the new values are not compatible1438 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could1439 * cause confusion if used to interpret one of those schemes in a1440 * signature_algorithms extension offered in a TLS 1.3 ClientHello.1441 */1442const value_string tls_hash_algorithm[] = {1443 { 0, "None" },1444 { 1, "MD5" },1445 { 2, "SHA1" },1446 { 3, "SHA224" },1447 { 4, "SHA256" },1448 { 5, "SHA384" },1449 { 6, "SHA512" },1450#if 01451 /* RFC 8422 adds this to the HashAlgorithm registry, but it really1452 * only applies to 0x0807 and 0x0808, not for other TLS 1.31453 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.1454 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.1455 */1456 { 8, "Intrinsic" },1457#endif1458 { 0, NULL((void*)0) }1459};1460 1461const value_string tls_signature_algorithm[] = {1462 { 0, "Anonymous" },1463 { 1, "RSA" },1464 { 2, "DSA" },1465 { 3, "ECDSA" },1466#if 01467 /* As above. */1468 { 7, "ED25519" },1469 { 8, "ED448" },1470 { 64, "GOSTR34102012_256" },1471 { 65, "GOSTR34102012_512" },1472#endif1473 { 0, NULL((void*)0) }1474};1475 1476/* RFC 8446 Section 4.2.3 */1477const value_string tls13_signature_algorithm[] = {1478 { 0x0201, "rsa_pkcs1_sha1" },1479 { 0x0203, "ecdsa_sha1" },1480 { 0x0401, "rsa_pkcs1_sha256" },1481 { 0x0403, "ecdsa_secp256r1_sha256" },1482 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */1483 { 0x0501, "rsa_pkcs1_sha384" },1484 { 0x0503, "ecdsa_secp384r1_sha384" },1485 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */1486 { 0x0601, "rsa_pkcs1_sha512" },1487 { 0x0603, "ecdsa_secp521r1_sha512" },1488 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */1489 { 0x0708, "sm2sig_sm3" },1490 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */1491 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */1492 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */1493 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */1494 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */1495 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */1496 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */1497 { 0x0804, "rsa_pss_rsae_sha256" },1498 { 0x0805, "rsa_pss_rsae_sha384" },1499 { 0x0806, "rsa_pss_rsae_sha512" },1500 { 0x0807, "ed25519" },1501 { 0x0808, "ed448" },1502 { 0x0809, "rsa_pss_pss_sha256" },1503 { 0x080a, "rsa_pss_pss_sha384" },1504 { 0x080b, "rsa_pss_pss_sha512" },1505 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */1506 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */1507 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */1508 /* PQC digital signature algorithms from OQS-OpenSSL,1509 see https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-sig-info.md */1510 { 0xfea0, "dilithium2" },1511 { 0xfea1, "p256_dilithium2" },1512 { 0xfea2, "rsa3072_dilithium2" },1513 { 0xfea3, "dilithium3" },1514 { 0xfea4, "p384_dilithium3" },1515 { 0xfea5, "dilithium5" },1516 { 0xfea6, "p521_dilithium5" },1517 { 0xfea7, "dilithium2_aes" },1518 { 0xfea8, "p256_dilithium2_aes" },1519 { 0xfea9, "rsa3072_dilithium2_aes" },1520 { 0xfeaa, "dilithium3_aes" },1521 { 0xfeab, "p384_dilithium3_aes" },1522 { 0xfeac, "dilithium5_aes" },1523 { 0xfead, "p521_dilithium5_aes" },1524 { 0xfe0b, "falcon512" },1525 { 0xfe0c, "p256_falcon512" },1526 { 0xfe0d, "rsa3072_falcon512" },1527 { 0xfe0e, "falcon1024" },1528 { 0xfe0f, "p521_falcon1024" },1529 { 0xfe96, "picnicl1full" },1530 { 0xfe97, "p256_picnicl1full" },1531 { 0xfe98, "rsa3072_picnicl1full" },1532 { 0xfe1b, "picnic3l1" },1533 { 0xfe1c, "p256_picnic3l1" },1534 { 0xfe1d, "rsa3072_picnic3l1" },1535 { 0xfe27, "rainbowIclassic" },1536 { 0xfe28, "p256_rainbowIclassic" },1537 { 0xfe29, "rsa3072_rainbowIclassic" },1538 { 0xfe3c, "rainbowVclassic" },1539 { 0xfe3d, "p521_rainbowVclassic" },1540 { 0xfe42, "sphincsharaka128frobust" },1541 { 0xfe43, "p256_sphincsharaka128frobust" },1542 { 0xfe44, "rsa3072_sphincsharaka128frobust" },1543 { 0xfe5e, "sphincssha256128frobust" },1544 { 0xfe5f, "p256_sphincssha256128frobust" },1545 { 0xfe60, "rsa3072_sphincssha256128frobust" },1546 { 0xfe7a, "sphincsshake256128frobust" },1547 { 0xfe7b, "p256_sphincsshake256128frobust" },1548 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },1549 { 0, NULL((void*)0) }1550};1551 1552/* RFC 6091 3.1 */1553const value_string tls_certificate_type[] = {1554 { 0, "X.509" },1555 { 1, "OpenPGP" },1556 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2, "Raw Public Key" }, /* RFC 7250 */1557 { 0, NULL((void*)0) }1558};1559 1560const value_string tls_cert_chain_type[] = {1561 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT1, "Individual Certificates" },1562 { SSL_HND_CERT_URL_TYPE_PKIPATH2, "PKI Path" },1563 { 0, NULL((void*)0) }1564};1565 1566const value_string tls_cert_status_type[] = {1567 { SSL_HND_CERT_STATUS_TYPE_OCSP1, "OCSP" },1568 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2, "OCSP Multi" },1569 { 0, NULL((void*)0) }1570};1571 1572/* Generated by tools/make-tls-ct-logids.py1573 * Last-Modified Sat, 06 Jul 2024 13:38:00 GMT, 156 entries. */1574static const bytes_string ct_logids[] = {1575 { (const uint8_t[]){1576 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,1577 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,1578 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,1579 },1580 32, "Google 'Argon2020' log" },1581 { (const uint8_t[]){1582 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,1583 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,1584 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,1585 },1586 32, "Google 'Argon2021' log" },1587 { (const uint8_t[]){1588 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,1589 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,1590 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,1591 },1592 32, "Google 'Argon2022' log" },1593 { (const uint8_t[]){1594 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,1595 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,1596 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,1597 },1598 32, "Google 'Argon2023' log" },1599 { (const uint8_t[]){1600 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,1601 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,1602 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,1603 },1604 32, "Google 'Argon2024' log" },1605 { (const uint8_t[]){1606 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,1607 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,1608 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,1609 },1610 32, "Google 'Argon2025h1' log" },1611 { (const uint8_t[]){1612 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,1613 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,1614 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,1615 },1616 32, "Google 'Argon2025h2' log" },1617 { (const uint8_t[]){1618 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,1619 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,1620 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,1621 },1622 32, "Google 'Argon2026h1' log" },1623 { (const uint8_t[]){1624 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,1625 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,1626 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,1627 },1628 32, "Google 'Argon2026h2' log" },1629 { (const uint8_t[]){1630 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,1631 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,1632 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,1633 },1634 32, "Google 'Xenon2020' log" },1635 { (const uint8_t[]){1636 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,1637 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,1638 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,1639 },1640 32, "Google 'Xenon2021' log" },1641 { (const uint8_t[]){1642 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,1643 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,1644 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,1645 },1646 32, "Google 'Xenon2022' log" },1647 { (const uint8_t[]){1648 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,1649 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,1650 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,1651 },1652 32, "Google 'Xenon2023' log" },1653 { (const uint8_t[]){1654 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,1655 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,1656 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,1657 },1658 32, "Google 'Xenon2024' log" },1659 { (const uint8_t[]){1660 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,1661 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,1662 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,1663 },1664 32, "Google 'Xenon2025h1' log" },1665 { (const uint8_t[]){1666 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,1667 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,1668 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,1669 },1670 32, "Google 'Xenon2025h2' log" },1671 { (const uint8_t[]){1672 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,1673 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,1674 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,1675 },1676 32, "Google 'Xenon2026h1' log" },1677 { (const uint8_t[]){1678 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,1679 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,1680 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,1681 },1682 32, "Google 'Xenon2026h2' log" },1683 { (const uint8_t[]){1684 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,1685 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,1686 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,1687 },1688 32, "Google 'Aviator' log" },1689 { (const uint8_t[]){1690 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,1691 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,1692 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,1693 },1694 32, "Google 'Icarus' log" },1695 { (const uint8_t[]){1696 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,1697 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,1698 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,1699 },1700 32, "Google 'Pilot' log" },1701 { (const uint8_t[]){1702 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,1703 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,1704 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,1705 },1706 32, "Google 'Rocketeer' log" },1707 { (const uint8_t[]){1708 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,1709 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,1710 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,1711 },1712 32, "Google 'Skydiver' log" },1713 { (const uint8_t[]){1714 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,1715 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,1716 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,1717 },1718 32, "Google 'Argon2017' log" },1719 { (const uint8_t[]){1720 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,1721 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,1722 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,1723 },1724 32, "Google 'Argon2018' log" },1725 { (const uint8_t[]){1726 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,1727 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,1728 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,1729 },1730 32, "Google 'Argon2019' log" },1731 { (const uint8_t[]){1732 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,1733 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,1734 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,1735 },1736 32, "Google 'Xenon2018' log" },1737 { (const uint8_t[]){1738 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,1739 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,1740 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,1741 },1742 32, "Google 'Xenon2019' log" },1743 { (const uint8_t[]){1744 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,1745 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,1746 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,1747 },1748 32, "Google 'Submariner' log" },1749 { (const uint8_t[]){1750 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,1751 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,1752 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,1753 },1754 32, "Google 'Daedalus' log" },1755 { (const uint8_t[]){1756 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,1757 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,1758 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,1759 },1760 32, "Google 'Testtube' log" },1761 { (const uint8_t[]){1762 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,1763 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,1764 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,1765 },1766 32, "Google 'Crucible' log" },1767 { (const uint8_t[]){1768 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,1769 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,1770 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,1771 },1772 32, "Google 'Solera2018' log" },1773 { (const uint8_t[]){1774 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,1775 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,1776 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,1777 },1778 32, "Google 'Solera2019' log" },1779 { (const uint8_t[]){1780 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,1781 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,1782 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,1783 },1784 32, "Google 'Solera2020' log" },1785 { (const uint8_t[]){1786 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,1787 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,1788 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,1789 },1790 32, "Google 'Solera2021' log" },1791 { (const uint8_t[]){1792 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,1793 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,1794 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,1795 },1796 32, "Google 'Solera2022' log" },1797 { (const uint8_t[]){1798 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,1799 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,1800 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,1801 },1802 32, "Google 'Solera2023' log" },1803 { (const uint8_t[]){1804 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,1805 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,1806 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,1807 },1808 32, "Google 'Solera2024' log" },1809 { (const uint8_t[]){1810 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,1811 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,1812 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,1813 },1814 32, "Google 'Solera2025h1' log" },1815 { (const uint8_t[]){1816 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,1817 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,1818 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,1819 },1820 32, "Google 'Solera2025h2' log" },1821 { (const uint8_t[]){1822 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,1823 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,1824 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,1825 },1826 32, "Cloudflare 'Nimbus2020' Log" },1827 { (const uint8_t[]){1828 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,1829 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,1830 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,1831 },1832 32, "Cloudflare 'Nimbus2021' Log" },1833 { (const uint8_t[]){1834 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,1835 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,1836 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,1837 },1838 32, "Cloudflare 'Nimbus2022' Log" },1839 { (const uint8_t[]){1840 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,1841 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,1842 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,1843 },1844 32, "Cloudflare 'Nimbus2023' Log" },1845 { (const uint8_t[]){1846 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,1847 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,1848 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,1849 },1850 32, "Cloudflare 'Nimbus2024' Log" },1851 { (const uint8_t[]){1852 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,1853 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,1854 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,1855 },1856 32, "Cloudflare 'Nimbus2025'" },1857 { (const uint8_t[]){1858 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,1859 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,1860 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,1861 },1862 32, "Cloudflare 'Nimbus2017' Log" },1863 { (const uint8_t[]){1864 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,1865 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,1866 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,1867 },1868 32, "Cloudflare 'Nimbus2018' Log" },1869 { (const uint8_t[]){1870 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,1871 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,1872 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,1873 },1874 32, "Cloudflare 'Nimbus2019' Log" },1875 { (const uint8_t[]){1876 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,1877 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,1878 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,1879 },1880 32, "DigiCert Log Server" },1881 { (const uint8_t[]){1882 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,1883 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,1884 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,1885 },1886 32, "DigiCert Log Server 2" },1887 { (const uint8_t[]){1888 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,1889 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,1890 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,1891 },1892 32, "DigiCert Yeti2020 Log" },1893 { (const uint8_t[]){1894 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,1895 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,1896 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,1897 },1898 32, "DigiCert Yeti2021 Log" },1899 { (const uint8_t[]){1900 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,1901 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,1902 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,1903 },1904 32, "DigiCert Yeti2022 Log" },1905 { (const uint8_t[]){1906 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,1907 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,1908 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,1909 },1910 32, "DigiCert Yeti2023 Log" },1911 { (const uint8_t[]){1912 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,1913 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,1914 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,1915 },1916 32, "DigiCert Yeti2024 Log" },1917 { (const uint8_t[]){1918 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,1919 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,1920 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,1921 },1922 32, "DigiCert Yeti2025 Log" },1923 { (const uint8_t[]){1924 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,1925 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,1926 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,1927 },1928 32, "DigiCert Nessie2020 Log" },1929 { (const uint8_t[]){1930 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,1931 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,1932 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,1933 },1934 32, "DigiCert Nessie2021 Log" },1935 { (const uint8_t[]){1936 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,1937 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,1938 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,1939 },1940 32, "DigiCert Nessie2022 Log" },1941 { (const uint8_t[]){1942 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,1943 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,1944 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,1945 },1946 32, "DigiCert Nessie2023 Log" },1947 { (const uint8_t[]){1948 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,1949 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,1950 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,1951 },1952 32, "DigiCert Nessie2024 Log" },1953 { (const uint8_t[]){1954 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,1955 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,1956 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,1957 },1958 32, "DigiCert Nessie2025 Log" },1959 { (const uint8_t[]){1960 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,1961 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,1962 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,1963 },1964 32, "DigiCert 'Wyvern2024h1' Log" },1965 { (const uint8_t[]){1966 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,1967 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,1968 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,1969 },1970 32, "DigiCert 'Wyvern2024h2' Log" },1971 { (const uint8_t[]){1972 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,1973 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,1974 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,1975 },1976 32, "DigiCert 'Wyvern2025h1' Log" },1977 { (const uint8_t[]){1978 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,1979 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,1980 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,1981 },1982 32, "DigiCert 'Wyvern2025h2' Log" },1983 { (const uint8_t[]){1984 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,1985 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,1986 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,1987 },1988 32, "DigiCert 'Sphinx2024h1' Log" },1989 { (const uint8_t[]){1990 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,1991 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,1992 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,1993 },1994 32, "DigiCert 'Sphinx2024h2' Log" },1995 { (const uint8_t[]){1996 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,1997 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,1998 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,1999 },2000 32, "DigiCert 'Sphinx2025h1' Log" },2001 { (const uint8_t[]){2002 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,2003 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,2004 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,2005 },2006 32, "DigiCert 'Sphinx2025h2' Log" },2007 { (const uint8_t[]){2008 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,2009 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,2010 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,2011 },2012 32, "Symantec log" },2013 { (const uint8_t[]){2014 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,2015 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,2016 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,2017 },2018 32, "Symantec 'Vega' log" },2019 { (const uint8_t[]){2020 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,2021 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,2022 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,2023 },2024 32, "Symantec 'Sirius' log" },2025 { (const uint8_t[]){2026 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,2027 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,2028 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,2029 },2030 32, "DigiCert Yeti2022-2 Log" },2031 { (const uint8_t[]){2032 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,2033 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,2034 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,2035 },2036 32, "DigiCert Yeti2018 Log" },2037 { (const uint8_t[]){2038 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,2039 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,2040 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,2041 },2042 32, "DigiCert Yeti2019 Log" },2043 { (const uint8_t[]){2044 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,2045 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,2046 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,2047 },2048 32, "DigiCert Nessie2018 Log" },2049 { (const uint8_t[]){2050 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,2051 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,2052 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,2053 },2054 32, "DigiCert Nessie2019 Log" },2055 { (const uint8_t[]){2056 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,2057 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,2058 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,2059 },2060 32, "Symantec Deneb" },2061 { (const uint8_t[]){2062 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,2063 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,2064 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,2065 },2066 32, "Certly.IO log" },2067 { (const uint8_t[]){2068 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,2069 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,2070 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,2071 },2072 32, "Izenpe log" },2073 { (const uint8_t[]){2074 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,2075 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,2076 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,2077 },2078 32, "Izenpe 'Argi' log" },2079 { (const uint8_t[]){2080 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,2081 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,2082 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,2083 },2084 32, "WoSign log" },2085 { (const uint8_t[]){2086 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,2087 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,2088 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,2089 },2090 32, "WoSign CT log #1" },2091 { (const uint8_t[]){2092 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,2093 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,2094 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,2095 },2096 32, "WoSign log 2" },2097 { (const uint8_t[]){2098 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,2099 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,2100 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,2101 },2102 32, "Venafi log" },2103 { (const uint8_t[]){2104 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,2105 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,2106 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,2107 },2108 32, "Venafi Gen2 CT log" },2109 { (const uint8_t[]){2110 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,2111 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,2112 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,2113 },2114 32, "CNNIC CT log" },2115 { (const uint8_t[]){2116 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,2117 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,2118 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,2119 },2120 32, "StartCom log" },2121 { (const uint8_t[]){2122 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,2123 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,2124 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,2125 },2126 32, "Sectigo 'Sabre' CT log" },2127 { (const uint8_t[]){2128 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,2129 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,2130 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,2131 },2132 32, "Sectigo 'Sabre2024h1'" },2133 { (const uint8_t[]){2134 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,2135 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,2136 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,2137 },2138 32, "Sectigo 'Sabre2024h2'" },2139 { (const uint8_t[]){2140 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,2141 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,2142 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,2143 },2144 32, "Sectigo 'Sabre2025h1'" },2145 { (const uint8_t[]){2146 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,2147 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,2148 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,2149 },2150 32, "Sectigo 'Sabre2025h2'" },2151 { (const uint8_t[]){2152 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,2153 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,2154 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,2155 },2156 32, "Sectigo 'Mammoth' CT log" },2157 { (const uint8_t[]){2158 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,2159 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,2160 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,2161 },2162 32, "Sectigo 'Mammoth2024h1'" },2163 { (const uint8_t[]){2164 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,2165 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,2166 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,2167 },2168 32, "Sectigo 'Mammoth2024h1b'" },2169 { (const uint8_t[]){2170 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,2171 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,2172 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,2173 },2174 32, "Sectigo 'Mammoth2024h2'" },2175 { (const uint8_t[]){2176 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,2177 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,2178 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,2179 },2180 32, "Sectigo 'Mammoth2025h1'" },2181 { (const uint8_t[]){2182 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,2183 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,2184 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,2185 },2186 32, "Sectigo 'Mammoth2025h2'" },2187 { (const uint8_t[]){2188 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,2189 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,2190 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,2191 },2192 32, "Sectigo 'Mammoth2026h1'" },2193 { (const uint8_t[]){2194 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,2195 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,2196 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,2197 },2198 32, "Sectigo 'Mammoth2026h2'" },2199 { (const uint8_t[]){2200 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,2201 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,2202 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,2203 },2204 32, "Sectigo 'Sabre2026h1'" },2205 { (const uint8_t[]){2206 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,2207 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,2208 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,2209 },2210 32, "Sectigo 'Sabre2026h2'" },2211 { (const uint8_t[]){2212 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,2213 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,2214 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,2215 },2216 32, "Sectigo 'Dodo' CT log" },2217 { (const uint8_t[]){2218 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,2219 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,2220 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,2221 },2222 32, "Let's Encrypt 'Oak2020' log" },2223 { (const uint8_t[]){2224 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,2225 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,2226 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,2227 },2228 32, "Let's Encrypt 'Oak2021' log" },2229 { (const uint8_t[]){2230 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,2231 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,2232 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,2233 },2234 32, "Let's Encrypt 'Oak2022' log" },2235 { (const uint8_t[]){2236 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,2237 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,2238 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,2239 },2240 32, "Let's Encrypt 'Oak2023' log" },2241 { (const uint8_t[]){2242 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,2243 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,2244 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,2245 },2246 32, "Let's Encrypt 'Oak2024H1' log" },2247 { (const uint8_t[]){2248 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,2249 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,2250 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,2251 },2252 32, "Let's Encrypt 'Oak2024H2' log" },2253 { (const uint8_t[]){2254 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,2255 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,2256 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,2257 },2258 32, "Let's Encrypt 'Oak2025h1'" },2259 { (const uint8_t[]){2260 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,2261 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,2262 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,2263 },2264 32, "Let's Encrypt 'Oak2025h2'" },2265 { (const uint8_t[]){2266 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,2267 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,2268 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,2269 },2270 32, "Let's Encrypt 'Oak2019' log" },2271 { (const uint8_t[]){2272 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,2273 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,2274 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,2275 },2276 32, "Let's Encrypt 'Testflume2019' log" },2277 { (const uint8_t[]){2278 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,2279 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,2280 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,2281 },2282 32, "Let's Encrypt 'Sapling 2022h2' log" },2283 { (const uint8_t[]){2284 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,2285 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,2286 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,2287 },2288 32, "Let's Encrypt 'Sapling 2023h1' log" },2289 { (const uint8_t[]){2290 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,2291 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,2292 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,2293 },2294 32, "Let's Encrypt 'Testflume2020' log" },2295 { (const uint8_t[]){2296 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,2297 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,2298 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,2299 },2300 32, "Let's Encrypt 'Testflume2021' log" },2301 { (const uint8_t[]){2302 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,2303 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,2304 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,2305 },2306 32, "Let's Encrypt 'Testflume2022' log" },2307 { (const uint8_t[]){2308 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,2309 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,2310 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,2311 },2312 32, "Let's Encrypt 'Testflume2023' log" },2313 { (const uint8_t[]){2314 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,2315 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,2316 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,2317 },2318 32, "Let's Encrypt 'Clicky' log" },2319 { (const uint8_t[]){2320 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,2321 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,2322 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,2323 },2324 32, "Trust Asia Log2020" },2325 { (const uint8_t[]){2326 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,2327 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,2328 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,2329 },2330 32, "Trust Asia CT2021" },2331 { (const uint8_t[]){2332 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,2333 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,2334 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,2335 },2336 32, "Trust Asia Log2021" },2337 { (const uint8_t[]){2338 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,2339 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,2340 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,2341 },2342 32, "Trust Asia Log2022" },2343 { (const uint8_t[]){2344 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,2345 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,2346 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,2347 },2348 32, "Trust Asia Log2023" },2349 { (const uint8_t[]){2350 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,2351 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,2352 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,2353 },2354 32, "Trust Asia Log2024" },2355 { (const uint8_t[]){2356 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,2357 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,2358 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,2359 },2360 32, "Trust Asia Log2024-2" },2361 { (const uint8_t[]){2362 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,2363 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,2364 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,2365 },2366 32, "TrustAsia Log2025a" },2367 { (const uint8_t[]){2368 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,2369 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,2370 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,2371 },2372 32, "TrustAsia Log2025b" },2373 { (const uint8_t[]){2374 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,2375 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,2376 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,2377 },2378 32, "TrustAsia 'log2026a'" },2379 { (const uint8_t[]){2380 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,2381 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,2382 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,2383 },2384 32, "TrustAsia 'log2026b'" },2385 { (const uint8_t[]){2386 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,2387 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,2388 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,2389 },2390 32, "Trust Asia Log1" },2391 { (const uint8_t[]){2392 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,2393 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,2394 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,2395 },2396 32, "GDCA CT log #1" },2397 { (const uint8_t[]){2398 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,2399 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,2400 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,2401 },2402 32, "GDCA CT log #2" },2403 { (const uint8_t[]){2404 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,2405 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,2406 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,2407 },2408 32, "GDCA Log 1" },2409 { (const uint8_t[]){2410 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,2411 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,2412 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,2413 },2414 32, "GDCA Log 2" },2415 { (const uint8_t[]){2416 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,2417 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,2418 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,2419 },2420 32, "PuChuangSiDa CT log" },2421 { (const uint8_t[]){2422 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,2423 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,2424 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,2425 },2426 32, "Nordu 'flimsy' log" },2427 { (const uint8_t[]){2428 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,2429 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,2430 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,2431 },2432 32, "Nordu 'plausible' log" },2433 { (const uint8_t[]){2434 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,2435 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,2436 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,2437 },2438 32, "SHECA CT log 1" },2439 { (const uint8_t[]){2440 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,2441 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,2442 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,2443 },2444 32, "SHECA CT log 2" },2445 { (const uint8_t[]){2446 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,2447 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,2448 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,2449 },2450 32, "Akamai CT Log" },2451 { (const uint8_t[]){2452 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,2453 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,2454 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,2455 },2456 32, "Alpha CT Log" },2457 { (const uint8_t[]){2458 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,2459 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,2460 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,2461 },2462 32, "Up In The Air 'Behind the Sofa' log" },2463 { (const uint8_t[]){2464 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,2465 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,2466 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,2467 },2468 32, "Qihoo 360 2020" },2469 { (const uint8_t[]){2470 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,2471 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,2472 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,2473 },2474 32, "Qihoo 360 2021" },2475 { (const uint8_t[]){2476 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,2477 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,2478 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,2479 },2480 32, "Qihoo 360 2022" },2481 { (const uint8_t[]){2482 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,2483 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,2484 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,2485 },2486 32, "Qihoo 360 2023" },2487 { (const uint8_t[]){2488 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,2489 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,2490 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,2491 },2492 32, "Qihoo 360 v1 2020" },2493 { (const uint8_t[]){2494 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,2495 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,2496 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,2497 },2498 32, "Qihoo 360 v1 2021" },2499 { (const uint8_t[]){2500 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,2501 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,2502 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,2503 },2504 32, "Qihoo 360 v1 2022" },2505 { (const uint8_t[]){2506 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,2507 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,2508 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,2509 },2510 32, "Qihoo 360 v1 2023" },2511 { NULL((void*)0), 0, NULL((void*)0) }2512};2513 2514/*2515 * Application-Layer Protocol Negotiation (ALPN) dissector tables.2516 */2517static dissector_table_t ssl_alpn_dissector_table;2518static dissector_table_t dtls_alpn_dissector_table;2519 2520/*2521 * Special cases for prefix matching of the ALPN, if the ALPN includes2522 * a version number for a draft or protocol revision.2523 */2524typedef struct ssl_alpn_prefix_match_protocol {2525 const char *proto_prefix;2526 const char *dissector_name;2527} ssl_alpn_prefix_match_protocol_t;2528 2529static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {2530 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there2531 * already exists 3.1 as of this writing... match the prefix. */2532 { "spdy/", "spdy" },2533 /* draft-ietf-httpbis-http2-16 */2534 { "h2-", "http2" }, /* draft versions */2535};2536 2537const value_string compress_certificate_algorithm_vals[] = {2538 { 1, "zlib" },2539 { 2, "brotli" },2540 { 3, "zstd" },2541 { 0, NULL((void*)0) }2542};2543 2544 2545const val64_string quic_transport_parameter_id[] = {2546 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00, "original_destination_connection_id" },2547 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01, "max_idle_timeout" },2548 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02, "stateless_reset_token" },2549 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03, "max_udp_payload_size" },2550 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04, "initial_max_data" },2551 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05, "initial_max_stream_data_bidi_local" },2552 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06, "initial_max_stream_data_bidi_remote" },2553 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07, "initial_max_stream_data_uni" },2554 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09, "initial_max_streams_uni" },2555 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08, "initial_max_streams_bidi" },2556 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a, "ack_delay_exponent" },2557 { SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b, "max_ack_delay" },2558 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c, "disable_active_migration" },2559 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d, "preferred_address" },2560 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e, "active_connection_id_limit" },2561 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f, "initial_source_connection_id" },2562 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10, "retry_source_connection_id" },2563 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20, "max_datagram_frame_size" },2564 { SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000, "cibir_encoding" },2565 { SSL_HND_QUIC_TP_LOSS_BITS0x1057, "loss_bits" },2566 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2, "grease_quic_bit" },2567 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157, "enable_time_stamp" },2568 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158, "enable_time_stamp_v2" },2569 { SSL_HND_QUIC_TP_VERSION_INFORMATION0x11, "version_information" },2570 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a, "min_ack_delay" },2571 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129, "google_user_agent" },2572 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B, "google_key_update_not_yet_supported" },2573 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752, "google_quic_version" },2574 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127, "google_initial_rtt" },2575 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A, "google_support_handshake_done" },2576 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751, "google_quic_params" },2577 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128, "google_connection_options" },2578 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00, "facebook_partial_reliability" },2579 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A, "min_ack_delay (draft-01)" },2580 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a, "min_ack_delay (draft-05)" },2581 { SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b, "min_ack_delay" },2582 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04, "enable_multipath (draft-04)" },2583 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05, "enable_multipath (draft-05)" },2584 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06, "enable_multipath (draft-06)" },2585 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07, "initial_max_paths (draft-07/08)" },2586 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d09, "initial_max_path_id" },2587 { 0, NULL((void*)0) }2588};2589 2590/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */2591const val64_string quic_enable_time_stamp_v2_vals[] = {2592 { 1, "I would like to receive TIME_STAMP frames" },2593 { 2, "I am able to generate TIME_STAMP frames" },2594 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },2595 { 0, NULL((void*)0) }2596};2597 2598/* https://tools.ietf.org/html/draft-multipath-04 */2599const val64_string quic_enable_multipath_vals[] = {2600 { 0, "don't support multipath" },2601 { 1, "support multipath as defined in this document" },2602 { 0, NULL((void*)0) }2603};2604 2605/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */2606const value_string tls_hello_ext_ech_clienthello_types[] = {2607 { 0, "Outer Client Hello" },2608 { 1, "Inner Client Hello" },2609 { 0, NULL((void*)0) }2610};2611 2612/* RFC 9180 */2613const value_string kem_id_type_vals[] = {2614 { 0x0000, "Reserved" },2615 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },2616 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },2617 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },2618 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },2619 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },2620 { 0, NULL((void*)0) }2621};2622const value_string kdf_id_type_vals[] = {2623 { 0x0000, "Reserved" },2624 { 0x0001, "HKDF-SHA256" },2625 { 0x0002, "HKDF-SHA384" },2626 { 0x0003, "HKDF-SHA512" },2627 { 0, NULL((void*)0) }2628};2629const value_string aead_id_type_vals[] = {2630 { 0x0000, "Reserved" },2631 { 0x0001, "AES-128-GCM" },2632 { 0x0002, "AES-256-GCM" },2633 { 0x0003, "ChaCha20Poly1305" },2634 { 0xFFFF, "Export-only" },2635 { 0, NULL((void*)0) }2636};2637 2638const value_string token_binding_key_parameter_vals[] = {2639 { 0, "rsa2048_pkcs1.5" },2640 { 1, "rsa2048_pss" },2641 { 2, "ecdsap256" },2642 { 0, NULL((void*)0) }2643};2644 2645/* Lookup tables }}} */2646 2647void2648quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)2649{2650 const char *label;2651 if (IS_GREASE_QUIC(parameter_id)((parameter_id) > 27 ? ((((parameter_id) - 27) % 31) == 0)
: 0)) {2652 label = "GREASE";2653 } else {2654 label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");2655 }2656 snprintf(result, ITEM_LABEL_LENGTH240, "%s (0x%02" PRIx64"l" "x" ")", label, parameter_id);2657}2658 2659/* we keep this internal to packet-tls-utils, as there should be2660 no need to access it any other way.2661 2662 This also allows us to hide the dependency on zlib.2663*/2664struct _SslDecompress {2665 int compression;2666#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)2667 zlib_stream istream;2668#endif2669};2670 2671/* To assist in parsing client/server key exchange messages2672 0 indicates unknown */2673int ssl_get_keyex_alg(int cipher)2674{2675 /* Map Cipher suite number to Key Exchange algorithm {{{ */2676 switch(cipher) {2677 case 0x0017:2678 case 0x0018:2679 case 0x0019:2680 case 0x001a:2681 case 0x001b:2682 case 0x0034:2683 case 0x003a:2684 case 0x0046:2685 case 0x006c:2686 case 0x006d:2687 case 0x0089:2688 case 0x009b:2689 case 0x00a6:2690 case 0x00a7:2691 case 0x00bf:2692 case 0x00c5:2693 case 0xc084:2694 case 0xc085:2695 return KEX_DH_ANON0x13;2696 case 0x000b:2697 case 0x000c:2698 case 0x000d:2699 case 0x0030:2700 case 0x0036:2701 case 0x003e:2702 case 0x0042:2703 case 0x0068:2704 case 0x0085:2705 case 0x0097:2706 case 0x00a4:2707 case 0x00a5:2708 case 0x00bb:2709 case 0x00c1:2710 case 0xc082:2711 case 0xc083:2712 return KEX_DH_DSS0x14;2713 case 0x000e:2714 case 0x000f:2715 case 0x0010:2716 case 0x0031:2717 case 0x0037:2718 case 0x003f:2719 case 0x0043:2720 case 0x0069:2721 case 0x0086:2722 case 0x0098:2723 case 0x00a0:2724 case 0x00a1:2725 case 0x00bc:2726 case 0x00c2:2727 case 0xc07e:2728 case 0xc07f:2729 return KEX_DH_RSA0x15;2730 case 0x0011:2731 case 0x0012:2732 case 0x0013:2733 case 0x0032:2734 case 0x0038:2735 case 0x0040:2736 case 0x0044:2737 case 0x0063:2738 case 0x0065:2739 case 0x0066:2740 case 0x006a:2741 case 0x0087:2742 case 0x0099:2743 case 0x00a2:2744 case 0x00a3:2745 case 0x00bd:2746 case 0x00c3:2747 case 0xc080:2748 case 0xc081:2749 return KEX_DHE_DSS0x10;2750 case 0x002d:2751 case 0x008e:2752 case 0x008f:2753 case 0x0090:2754 case 0x0091:2755 case 0x00aa:2756 case 0x00ab:2757 case 0x00b2:2758 case 0x00b3:2759 case 0x00b4:2760 case 0x00b5:2761 case 0xc090:2762 case 0xc091:2763 case 0xc096:2764 case 0xc097:2765 case 0xc0a6:2766 case 0xc0a7:2767 case 0xc0aa:2768 case 0xc0ab:2769 case 0xccad:2770 case 0xe41c:2771 case 0xe41d:2772 return KEX_DHE_PSK0x11;2773 case 0x0014:2774 case 0x0015:2775 case 0x0016:2776 case 0x0033:2777 case 0x0039:2778 case 0x0045:2779 case 0x0067:2780 case 0x006b:2781 case 0x0088:2782 case 0x009a:2783 case 0x009e:2784 case 0x009f:2785 case 0x00be:2786 case 0x00c4:2787 case 0xc07c:2788 case 0xc07d:2789 case 0xc09e:2790 case 0xc09f:2791 case 0xc0a2:2792 case 0xc0a3:2793 case 0xccaa:2794 case 0xe41e:2795 case 0xe41f:2796 return KEX_DHE_RSA0x12;2797 case 0xc015:2798 case 0xc016:2799 case 0xc017:2800 case 0xc018:2801 case 0xc019:2802 return KEX_ECDH_ANON0x19;2803 case 0xc001:2804 case 0xc002:2805 case 0xc003:2806 case 0xc004:2807 case 0xc005:2808 case 0xc025:2809 case 0xc026:2810 case 0xc02d:2811 case 0xc02e:2812 case 0xc074:2813 case 0xc075:2814 case 0xc088:2815 case 0xc089:2816 return KEX_ECDH_ECDSA0x1a;2817 case 0xc00b:2818 case 0xc00c:2819 case 0xc00d:2820 case 0xc00e:2821 case 0xc00f:2822 case 0xc029:2823 case 0xc02a:2824 case 0xc031:2825 case 0xc032:2826 case 0xc078:2827 case 0xc079:2828 case 0xc08c:2829 case 0xc08d:2830 return KEX_ECDH_RSA0x1b;2831 case 0xc006:2832 case 0xc007:2833 case 0xc008:2834 case 0xc009:2835 case 0xc00a:2836 case 0xc023:2837 case 0xc024:2838 case 0xc02b:2839 case 0xc02c:2840 case 0xc072:2841 case 0xc073:2842 case 0xc086:2843 case 0xc087:2844 case 0xc0ac:2845 case 0xc0ad:2846 case 0xc0ae:2847 case 0xc0af:2848 case 0xcca9:2849 case 0xe414:2850 case 0xe415:2851 return KEX_ECDHE_ECDSA0x16;2852 case 0xc033:2853 case 0xc034:2854 case 0xc035:2855 case 0xc036:2856 case 0xc037:2857 case 0xc038:2858 case 0xc039:2859 case 0xc03a:2860 case 0xc03b:2861 case 0xc09a:2862 case 0xc09b:2863 case 0xccac:2864 case 0xe418:2865 case 0xe419:2866 case 0xd001:2867 case 0xd002:2868 case 0xd003:2869 case 0xd005:2870 return KEX_ECDHE_PSK0x17;2871 case 0xc010:2872 case 0xc011:2873 case 0xc012:2874 case 0xc013:2875 case 0xc014:2876 case 0xc027:2877 case 0xc028:2878 case 0xc02f:2879 case 0xc030:2880 case 0xc076:2881 case 0xc077:2882 case 0xc08a:2883 case 0xc08b:2884 case 0xcca8:2885 case 0xe412:2886 case 0xe413:2887 return KEX_ECDHE_RSA0x18;2888 case 0x001e:2889 case 0x001f:2890 case 0x0020:2891 case 0x0021:2892 case 0x0022:2893 case 0x0023:2894 case 0x0024:2895 case 0x0025:2896 case 0x0026:2897 case 0x0027:2898 case 0x0028:2899 case 0x0029:2900 case 0x002a:2901 case 0x002b:2902 return KEX_KRB50x1c;2903 case 0x002c:2904 case 0x008a:2905 case 0x008b:2906 case 0x008c:2907 case 0x008d:2908 case 0x00a8:2909 case 0x00a9:2910 case 0x00ae:2911 case 0x00af:2912 case 0x00b0:2913 case 0x00b1:2914 case 0xc064:2915 case 0xc065:2916 case 0xc08e:2917 case 0xc08f:2918 case 0xc094:2919 case 0xc095:2920 case 0xc0a4:2921 case 0xc0a5:2922 case 0xc0a8:2923 case 0xc0a9:2924 case 0xccab:2925 case 0xe416:2926 case 0xe417:2927 return KEX_PSK0x1d;2928 case 0x0001:2929 case 0x0002:2930 case 0x0003:2931 case 0x0004:2932 case 0x0005:2933 case 0x0006:2934 case 0x0007:2935 case 0x0008:2936 case 0x0009:2937 case 0x000a:2938 case 0x002f:2939 case 0x0035:2940 case 0x003b:2941 case 0x003c:2942 case 0x003d:2943 case 0x0041:2944 case 0x0060:2945 case 0x0061:2946 case 0x0062:2947 case 0x0064:2948 case 0x0084:2949 case 0x0096:2950 case 0x009c:2951 case 0x009d:2952 case 0x00ba:2953 case 0x00c0:2954 case 0xc07a:2955 case 0xc07b:2956 case 0xc09c:2957 case 0xc09d:2958 case 0xc0a0:2959 case 0xc0a1:2960 case 0xe410:2961 case 0xe411:2962 case 0xfefe:2963 case 0xfeff:2964 case 0xffe0:2965 case 0xffe1:2966 return KEX_RSA0x1e;2967 case 0x002e:2968 case 0x0092:2969 case 0x0093:2970 case 0x0094:2971 case 0x0095:2972 case 0x00ac:2973 case 0x00ad:2974 case 0x00b6:2975 case 0x00b7:2976 case 0x00b8:2977 case 0x00b9:2978 case 0xc092:2979 case 0xc093:2980 case 0xc098:2981 case 0xc099:2982 case 0xccae:2983 case 0xe41a:2984 case 0xe41b:2985 return KEX_RSA_PSK0x1f;2986 case 0xc01a:2987 case 0xc01d:2988 case 0xc020:2989 return KEX_SRP_SHA0x20;2990 case 0xc01c:2991 case 0xc01f:2992 case 0xc022:2993 return KEX_SRP_SHA_DSS0x21;2994 case 0xc01b:2995 case 0xc01e:2996 case 0xc021:2997 return KEX_SRP_SHA_RSA0x22;2998 case 0xc0ff:2999 return KEX_ECJPAKE0x24;3000 case 0xe003:3001 case 0xe013:3002 case 0xe053:3003 return KEX_ECC_SM20x26;3004 default:3005 break;3006 }3007 3008 return 0;3009 /* }}} */3010}3011 3012static wmem_list_t *connection_id_session_list;3013 3014void3015ssl_init_cid_list(void) {3016 connection_id_session_list = wmem_list_new(wmem_file_scope());3017}3018 3019void3020ssl_cleanup_cid_list(void) {3021 wmem_destroy_list(connection_id_session_list);3022}3023 3024void3025ssl_add_session_by_cid(SslDecryptSession *session)3026{3027 wmem_list_append(connection_id_session_list, session);3028}3029 3030SslDecryptSession *3031ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)3032{3033 SslDecryptSession * ssl_cid = NULL((void*)0);3034 wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);3035 3036 while (it != NULL((void*)0) && ssl_cid == NULL((void*)0)) {3037 SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);3038 DISSECTOR_ASSERT(ssl != NULL)((void) ((ssl != ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3038, "ssl != ((void*)0)"))));3039 SslSession *session = &ssl->session;3040 3041 if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {3042 if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {3043 ssl_cid = ssl;3044 }3045 }3046 3047 if (session->server_cid_len > 0) {3048 if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {3049 ssl_cid = ssl;3050 }3051 }3052 3053 it = wmem_list_frame_next(it);3054 }3055 3056 return ssl_cid;3057}3058 3059/* StringInfo structure (len + data) functions {{{ */3060 3061int3062ssl_data_alloc(StringInfo* str, size_t len)3063{3064 str->data = (unsigned char *)g_malloc(len);3065 /* the allocator can return a null pointer for a size equal to 0,3066 * and that must be allowed */3067 if (len

22.1	'len' is > 0

> 0 && !str->data)3068 return -1;3069 str->data_len = (unsigned) len;3070 return 0;3071}3072 3073void3074ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)3075{3076 DISSECTOR_ASSERT(data)((void) ((data) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 3076, "data"))));3077 memcpy(str->data, data, len);3078 str->data_len = len;3079}3080 3081static int3082ssl_data_realloc(StringInfo* str, unsigned len)3083{3084 str->data = (unsigned char *)g_realloc(str->data, len);3085 if (!str->data)3086 return -1;3087 str->data_len = len;3088 return 0;3089}3090 3091static StringInfo *3092ssl_data_clone(StringInfo *str)3093{3094 StringInfo *cloned_str;3095 cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),3096 sizeof(StringInfo) + str->data_len);3097 cloned_str->data = (unsigned char *) (cloned_str + 1);3098 ssl_data_set(cloned_str, str->data, str->data_len);3099 return cloned_str;3100}3101 3102static int3103ssl_data_copy(StringInfo* dst, StringInfo* src)3104{3105 if (dst->data_len < src->data_len) {3106 if (ssl_data_realloc(dst, src->data_len))3107 return -1;3108 }3109 memcpy(dst->data, src->data, src->data_len);3110 dst->data_len = src->data_len;3111 return 0;3112}3113 3114/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to3115 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on3116 * success. */3117static bool_Bool from_hex(StringInfo* out, const char* in, size_t hex_len) {3118 size_t i;3119 3120 if (hex_len & 1)3121 return false0;3122 3123 out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);3124 for (i = 0; i < hex_len / 2; i++) {3125 int a = ws_xton(in[i*2]);3126 int b = ws_xton(in[i*2 + 1]);3127 if (a == -1 || b == -1)3128 return false0;3129 out->data[i] = a << 4 | b;3130 }3131 out->data_len = (unsigned)hex_len / 2;3132 return true1;3133}3134/* StringInfo structure (len + data) functions }}} */3135 3136 3137/* libgcrypt wrappers for HMAC/message digest operations {{{ */3138/* hmac abstraction layer */3139#define SSL_HMACgcry_md_hd_t gcry_md_hd_t3140 3141static inline int3142ssl_hmac_init(SSL_HMACgcry_md_hd_t* md, int algo)3143{3144 gcry_error_t err;3145 const char *err_str, *err_src;3146 3147 err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);3148 if (err != 0) {3149 err_str = gcry_strerror(err);3150 err_src = gcry_strsource(err);3151 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);3152 return -1;3153 }3154 return 0;3155}3156 3157static inline int3158ssl_hmac_setkey(SSL_HMACgcry_md_hd_t* md, const void * key, int len)3159{3160 gcry_error_t err;3161 const char *err_str, *err_src;3162 3163 err = gcry_md_setkey (*(md), key, len);3164 if (err != 0) {3165 err_str = gcry_strerror(err);3166 err_src = gcry_strsource(err);3167 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);3168 return -1;3169 }3170 return 0;3171}3172 3173static inline int3174ssl_hmac_reset(SSL_HMACgcry_md_hd_t* md)3175{3176 gcry_md_reset(*md);3177 return 0;3178}3179 3180static inline void3181ssl_hmac_update(SSL_HMACgcry_md_hd_t* md, const void* data, int len)3182{3183 gcry_md_write(*(md), data, len);3184}3185static inline void3186ssl_hmac_final(SSL_HMACgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)3187{3188 int algo;3189 unsigned len;3190 3191 algo = gcry_md_get_algo (*(md));3192 len = gcry_md_get_algo_dlen(algo);3193 DISSECTOR_ASSERT(len <= *datalen)((void) ((len <= *datalen) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3193, "len <= *datalen"))));3194 memcpy(data, gcry_md_read(*(md), algo), len);3195 *datalen = len;3196}3197static inline void3198ssl_hmac_cleanup(SSL_HMACgcry_md_hd_t* md)3199{3200 gcry_md_close(*(md));3201}3202 3203/* message digest abstraction layer*/3204#define SSL_MDgcry_md_hd_t gcry_md_hd_t3205 3206static inline int3207ssl_md_init(SSL_MDgcry_md_hd_t* md, int algo)3208{3209 gcry_error_t err;3210 const char *err_str, *err_src;3211 err = gcry_md_open(md,algo, 0);3212 if (err != 0) {3213 err_str = gcry_strerror(err);3214 err_src = gcry_strsource(err);3215 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);3216 return -1;3217 }3218 return 0;3219}3220static inline void3221ssl_md_update(SSL_MDgcry_md_hd_t* md, unsigned char* data, int len)3222{3223 gcry_md_write(*(md), data, len);3224}3225static inline void3226ssl_md_final(SSL_MDgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)3227{3228 int algo;3229 int len;3230 algo = gcry_md_get_algo (*(md));3231 len = gcry_md_get_algo_dlen (algo);3232 memcpy(data, gcry_md_read(*(md), algo), len);3233 *datalen = len;3234}3235static inline void3236ssl_md_cleanup(SSL_MDgcry_md_hd_t* md)3237{3238 gcry_md_close(*(md));3239}3240 3241static inline void3242ssl_md_reset(SSL_MDgcry_md_hd_t* md)3243{3244 gcry_md_reset(*md);3245}3246 3247/* md5 /sha abstraction layer */3248#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t3249#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t3250 3251static inline int3252ssl_sha_init(SSL_SHA_CTXgcry_md_hd_t* md)3253{3254 gcry_error_t err;3255 const char *err_str, *err_src;3256 err = gcry_md_open(md, GCRY_MD_SHA1, 0);3257 if (err != 0) {3258 err_str = gcry_strerror(err);3259 err_src = gcry_strsource(err);3260 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);3261 return -1;3262 }3263 return 0;3264}3265static inline void3266ssl_sha_update(SSL_SHA_CTXgcry_md_hd_t* md, unsigned char* data, int len)3267{3268 gcry_md_write(*(md), data, len);3269}3270static inline void3271ssl_sha_final(unsigned char* buf, SSL_SHA_CTXgcry_md_hd_t* md)3272{3273 memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),3274 gcry_md_get_algo_dlen(GCRY_MD_SHA1));3275}3276 3277static inline void3278ssl_sha_reset(SSL_SHA_CTXgcry_md_hd_t* md)3279{3280 gcry_md_reset(*md);3281}3282 3283static inline void3284ssl_sha_cleanup(SSL_SHA_CTXgcry_md_hd_t* md)3285{3286 gcry_md_close(*(md));3287}3288 3289static inline int3290ssl_md5_init(SSL_MD5_CTXgcry_md_hd_t* md)3291{3292 gcry_error_t err;3293 const char *err_str, *err_src;3294 err = gcry_md_open(md,GCRY_MD_MD5, 0);3295 if (err != 0) {3296 err_str = gcry_strerror(err);3297 err_src = gcry_strsource(err);3298 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);3299 return -1;3300 }3301 return 0;3302}3303static inline void3304ssl_md5_update(SSL_MD5_CTXgcry_md_hd_t* md, unsigned char* data, int len)3305{3306 gcry_md_write(*(md), data, len);3307}3308static inline void3309ssl_md5_final(unsigned char* buf, SSL_MD5_CTXgcry_md_hd_t* md)3310{3311 memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),3312 gcry_md_get_algo_dlen(GCRY_MD_MD5));3313}3314 3315static inline void3316ssl_md5_reset(SSL_MD5_CTXgcry_md_hd_t* md)3317{3318 gcry_md_reset(*md);3319}3320 3321static inline void3322ssl_md5_cleanup(SSL_MD5_CTXgcry_md_hd_t* md)3323{3324 gcry_md_close(*(md));3325}3326/* libgcrypt wrappers for HMAC/message digest operations }}} */3327 3328/* libgcrypt wrappers for Cipher state manipulation {{{ */3329int3330ssl_cipher_setiv(SSL_CIPHER_CTXgcry_cipher_hd_t *cipher, unsigned char* iv, int iv_len)3331{3332 int ret;3333#if 03334 unsigned char *ivp;3335 int i;3336 gcry_cipher_hd_t c;3337 c=(gcry_cipher_hd_t)*cipher;3338#endif3339 ssl_debug_printf("--------------------------------------------------------------------");3340#if 03341 for(ivp=c->iv,i=0; i < iv_len; i++ )3342 {3343 ssl_debug_printf("%d ",ivp[i]);3344 i++;3345 }3346#endif3347 ssl_debug_printf("--------------------------------------------------------------------");3348 ret = gcry_cipher_setiv(*(cipher), iv, iv_len);3349#if 03350 for(ivp=c->iv,i=0; i < iv_len; i++ )3351 {3352 ssl_debug_printf("%d ",ivp[i]);3353 i++;3354 }3355#endif3356 ssl_debug_printf("--------------------------------------------------------------------");3357 return ret;3358}3359/* stream cipher abstraction layer*/3360static int3361ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,3362 unsigned char* iv, int mode)3363{3364 int gcry_modes[] = {3365 GCRY_CIPHER_MODE_STREAM,3366 GCRY_CIPHER_MODE_CBC,3367 GCRY_CIPHER_MODE_GCM,3368 GCRY_CIPHER_MODE_CCM,3369 GCRY_CIPHER_MODE_CCM,3370 GCRY_CIPHER_MODE_POLY1305,3371 GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */3372 };3373 int err;3374 if (algo == -1) {3375 /* NULL mode */3376 *(cipher) = (gcry_cipher_hd_t)-1;3377 return 0;3378 }3379 err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);3380 if (err !=0)3381 return -1;3382 err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));3383 if (err != 0)3384 return -1;3385 /* AEAD cipher suites will set the nonce later. */3386 if (mode == MODE_CBC) {3387 err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));3388 if (err != 0)3389 return -1;3390 }3391 return 0;3392}3393static inline int3394ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,3395 const unsigned char * in, int inl)3396{3397 if ((*cipher) == (gcry_cipher_hd_t)-1)3398 {3399 if (in && inl)3400 memcpy(out, in, outl < inl ? outl : inl);3401 return 0;3402 }3403 return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);3404}3405static inline int3406ssl_get_digest_by_name(const char*name)3407{3408 return gcry_md_map_name(name);3409}3410static inline int3411ssl_get_cipher_by_name(const char* name)3412{3413 return gcry_cipher_map_name(name);3414}3415 3416static inline void3417ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)3418{3419 if ((*cipher) != (gcry_cipher_hd_t)-1)3420 gcry_cipher_close(*cipher);3421 *cipher = NULL((void*)0);3422}3423/* }}} */3424 3425/* Digests, Ciphers and Cipher Suites registry {{{ */3426static const SslDigestAlgo digests[]={3427 {"MD5", 16},3428 {"SHA1", 20},3429 {"SHA256", 32},3430 {"SHA384", 48},3431 {"SM3", 32},3432 {"Not Applicable", 0},3433};3434 3435#define DIGEST_MAX_SIZE48 483436 3437/* get index digest index */3438static const SslDigestAlgo *3439ssl_cipher_suite_dig(const SslCipherSuite *cs) {3440 return &digests[cs->dig - DIG_MD50x40];3441}3442 3443static const char *ciphers[]={3444 "DES",3445 "3DES",3446 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/3447 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */3448 "IDEA",3449 "AES",3450 "AES256",3451 "CAMELLIA128",3452 "CAMELLIA256",3453 "SEED",3454 "CHACHA20", /* since Libgcrypt 1.7.0 */3455 "SM1",3456 "SM4",3457 "*UNKNOWN*"3458};3459 3460static const SslCipherSuite cipher_suites[]={3461 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */3462 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */3463 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */3464 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */3465 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */3466 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */3467 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */3468 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */3469 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */3470 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */3471 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */3472 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */3473 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */3474 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */3475 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */3476 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */3477 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */3478 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */3479 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */3480 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */3481 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */3482 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */3483 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */3484 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */3485 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */3486 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */3487 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */3488 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */3489 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */3490 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */3491 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */3492 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */3493 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */3494 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */3495 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */3496 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */3497 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */3498 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */3499 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */3500 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */3501 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */3502 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */3503 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */3504 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */3505 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */3506 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */3507 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */3508 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */3509 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */3510 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */3511 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */3512 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */3513 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */3514 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */3515 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */3516 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */3517 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */3518 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */3519 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */3520 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */3521 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */3522 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */3523 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */3524 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */3525 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */3526 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */3527 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */3528 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */3529 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */3530 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */3531 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */3532 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */3533 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */3534 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */3535 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */3536 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */3537 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */3538 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */3539 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */3540 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */3541 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */3542 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */3543 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */3544 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */3545 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */3546 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */3547 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */3548 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */3549 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */3550 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */3551 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */3552 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */3553 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */3554 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */3555 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */3556 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */3557 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */3558 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */3559 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */3560 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */3561 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */3562 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */3563 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */3564 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */3565 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */3566 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */3567 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */3568 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */3569 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */3570 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */3571 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */3572 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */3573 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */3574 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */3575 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */3576 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */3577 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */3578 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */3579 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */3580 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */3581 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */3582 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */3583 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */3584 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */3585 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */3586 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */3587 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */3588 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */3589 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */3590 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */3591 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */3592 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */3593 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */3594 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */3595 3596 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */3597 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */3598 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */3599 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */3600 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */3601 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */3602 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */3603 3604 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */3605 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */3606 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */3607 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */3608 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */3609 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */3610 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */3611 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */3612 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */3613 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */3614 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */3615 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */3616 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */3617 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */3618 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */3619 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */3620 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */3621 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */3622 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */3623 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */3624 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */3625 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */3626 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */3627 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */3628 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */3629 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */3630 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */3631 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */3632 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */3633 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */3634 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */3635 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */3636 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */3637 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */3638 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */3639 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */3640 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */3641 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */3642 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */3643 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */3644 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */3645 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */3646 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */3647 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */3648 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */3649 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */3650 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */3651 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */3652 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */3653 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */3654 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */3655 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */3656 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */3657 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */3658 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */3659 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */3660 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */3661 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */3662 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */3663 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */3664 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */3665 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */3666 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */3667 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */3668 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */3669 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */3670 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */3671 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */3672 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */3673 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */3674 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */3675 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */3676 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */3677 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */3678 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */3679 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */3680 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */3681 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */3682 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */3683 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */3684 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */3685 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */3686 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */3687 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */3688 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */3689 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */3690 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */3691 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */3692 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */3693 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */3694 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */3695 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */3696 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */3697 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */3698 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */3699 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */3700 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */3701 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */3702 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */3703 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */3704 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */3705 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */3706 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */3707 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */3708 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */3709 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */3710 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */3711 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */3712 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */3713 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */3714 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */3715 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */3716 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */3717 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */3718 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */3719 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */3720 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */3721 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */3722 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */3723 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */3724 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */3725 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */3726 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */3727 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */3728 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */3729 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */3730 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */3731 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */3732 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */3733 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */3734 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */3735 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */3736 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */3737 /* GM */3738 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */3739 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */3740 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */3741 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */3742 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */3743 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */3744 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */3745 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */3746 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */3747 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */3748 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */3749 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */3750 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */3751 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */3752 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */3753 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */3754 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */3755 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */3756 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */3757 {-1, 0, 0, 0, MODE_STREAM}3758};3759 3760#define MAX_BLOCK_SIZE16 163761#define MAX_KEY_SIZE32 323762 3763const SslCipherSuite *3764ssl_find_cipher(int num)3765{3766 const SslCipherSuite *c;3767 for(c=cipher_suites;c->number!=-1;c++){3768 if(c->number==num){3769 return c;3770 }3771 }3772 3773 return NULL((void*)0);3774}3775 3776int3777ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)3778{3779 return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START0x30]);3780}3781 3782unsigned3783ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)3784{3785 int cipher_algo;3786 if (cipher_suite->mode != MODE_CBC) return 0;3787 cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START0x30]);3788 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);3789}3790 3791static unsigned3792ssl_get_cipher_export_keymat_size(int cipher_suite_num)3793{3794 switch (cipher_suite_num) {3795 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */3796 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */3797 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */3798 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */3799 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */3800 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */3801 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */3802 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */3803 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */3804 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */3805 return 5;3806 3807 /* not defined in below draft, but "implemented by several vendors",3808 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */3809 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */3810 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */3811 return 7;3812 3813 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always3814 * used 7. Until a pcap proves 8, let's use the old value. Link:3815 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */3816 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */3817 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */3818 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */3819 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */3820 return 7;3821 3822 default:3823 return 0;3824 }3825}3826 3827/* Digests, Ciphers and Cipher Suites registry }}} */3828 3829 3830/* HMAC and the Pseudorandom function {{{ */3831static int3832tls_hash(StringInfo *secret, StringInfo *seed, int md,3833 StringInfo *out, unsigned out_len)3834{3835 /* RFC 2246 5. HMAC and the pseudorandom function3836 * '+' denotes concatenation.3837 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +3838 * HMAC_hash(secret, A(2) + seed) + ...3839 * A(0) = seed3840 * A(i) = HMAC_hash(secret, A(i - 1))3841 */3842 uint8_t *ptr;3843 unsigned left, tocpy;3844 uint8_t *A;3845 uint8_t _A[DIGEST_MAX_SIZE48], tmp[DIGEST_MAX_SIZE48];3846 unsigned A_l, tmp_l;3847 SSL_HMACgcry_md_hd_t hm;3848 3849 ptr = out->data;3850 left = out_len;3851 3852 ssl_print_string("tls_hash: hash secret", secret);3853 ssl_print_string("tls_hash: hash seed", seed);3854 /* A(0) = seed */3855 A = seed->data;3856 A_l = seed->data_len;3857 3858 if (ssl_hmac_init(&hm, md) != 0) {3859 return -1;3860 }3861 while (left) {3862 /* A(i) = HMAC_hash(secret, A(i-1)) */3863 ssl_hmac_setkey(&hm, secret->data, secret->data_len);3864 ssl_hmac_update(&hm, A, A_l);3865 A_l = sizeof(_A); /* upper bound len for hash output */3866 ssl_hmac_final(&hm, _A, &A_l);3867 A = _A;3868 3869 /* HMAC_hash(secret, A(i) + seed) */3870 ssl_hmac_reset(&hm);3871 ssl_hmac_setkey(&hm, secret->data, secret->data_len);3872 ssl_hmac_update(&hm, A, A_l);3873 ssl_hmac_update(&hm, seed->data, seed->data_len);3874 tmp_l = sizeof(tmp); /* upper bound len for hash output */3875 ssl_hmac_final(&hm, tmp, &tmp_l);3876 ssl_hmac_reset(&hm);3877 3878 /* ssl_hmac_final puts the actual digest output size in tmp_l */3879 tocpy = MIN(left, tmp_l)(((left) < (tmp_l)) ? (left) : (tmp_l));3880 memcpy(ptr, tmp, tocpy);3881 ptr += tocpy;3882 left -= tocpy;3883 }3884 ssl_hmac_cleanup(&hm);3885 out->data_len = out_len;3886 3887 ssl_print_string("hash out", out);3888 return 0;3889}3890 3891static bool_Bool3892tls_prf(StringInfo* secret, const char *usage,3893 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)3894{3895 StringInfo seed, sha_out, md5_out;3896 uint8_t *ptr;3897 StringInfo s1, s2;3898 unsigned i,s_l;3899 size_t usage_len, rnd2_len;3900 bool_Bool success = false0;3901 usage_len = strlen(usage);3902 rnd2_len = rnd2 ? rnd2->data_len : 0;3903 3904 /* initialize buffer for sha, md5 random seed*/3905 if (ssl_data_alloc(&sha_out, MAX(out_len, 20)(((out_len) > (20)) ? (out_len) : (20))) < 0) {3906 ssl_debug_printf("tls_prf: can't allocate sha out\n");3907 return false0;3908 }3909 if (ssl_data_alloc(&md5_out, MAX(out_len, 16)(((out_len) > (16)) ? (out_len) : (16))) < 0) {3910 ssl_debug_printf("tls_prf: can't allocate md5 out\n");3911 goto free_sha;3912 }3913 if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {3914 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",3915 (int) (usage_len+rnd1->data_len+rnd2_len));3916 goto free_md5;3917 }3918 3919 ptr=seed.data;3920 memcpy(ptr,usage,usage_len);3921 ptr+=usage_len;3922 memcpy(ptr,rnd1->data,rnd1->data_len);3923 if (rnd2_len > 0) {3924 ptr+=rnd1->data_len;3925 memcpy(ptr,rnd2->data,rnd2->data_len);3926 /*ptr+=rnd2->data_len;*/3927 }3928 3929 /* initialize buffer for client/server seeds*/3930 s_l=secret->data_len/2 + secret->data_len%2;3931 if (ssl_data_alloc(&s1, s_l) < 0) {3932 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);3933 goto free_seed;3934 }3935 if (ssl_data_alloc(&s2, s_l) < 0) {3936 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);3937 goto free_s1;3938 }3939 3940 memcpy(s1.data,secret->data,s_l);3941 memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);3942 3943 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);3944 if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)3945 goto free_s2;3946 ssl_debug_printf("tls_prf: tls_hash(sha)\n");3947 if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)3948 goto free_s2;3949 3950 for (i = 0; i < out_len; i++)3951 out->data[i] = md5_out.data[i] ^ sha_out.data[i];3952 /* success, now store the new meaningful data length */3953 out->data_len = out_len;3954 success = true1;3955 3956 ssl_print_string("PRF out",out);3957free_s2:3958 g_free(s2.data);3959free_s1:3960 g_free(s1.data);3961free_seed:3962 g_free(seed.data);3963free_md5:3964 g_free(md5_out.data);3965free_sha:3966 g_free(sha_out.data);3967 return success;3968}3969 3970static bool_Bool3971tls12_prf(int md, StringInfo* secret, const char* usage,3972 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)3973{3974 StringInfo label_seed;3975 int success;3976 size_t usage_len, rnd2_len;3977 rnd2_len = rnd2 ? rnd2->data_len : 0;3978 3979 usage_len = strlen(usage);3980 if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {3981 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");3982 return false0;3983 }3984 memcpy(label_seed.data, usage, usage_len);3985 memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);3986 if (rnd2_len > 0)3987 memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);3988 3989 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);3990 success = tls_hash(secret, &label_seed, md, out, out_len);3991 g_free(label_seed.data);3992 if(success != -1){3993 ssl_print_string("PRF out", out);3994 return true1;3995 }3996 return false0;3997}3998 3999static bool_Bool4000ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,4001 StringInfo *out, unsigned out_len)4002{4003 SSL_MD5_CTXgcry_md_hd_t md5;4004 uint8_t tmp[16];4005 4006 if (ssl_md5_init(&md5) != 0) {4007 return false0;4008 }4009 ssl_md5_update(&md5,r1->data,r1->data_len);4010 ssl_md5_update(&md5,r2->data,r2->data_len);4011 ssl_md5_final(tmp,&md5);4012 ssl_md5_cleanup(&md5);4013 4014 DISSECTOR_ASSERT(out_len <= sizeof(tmp))((void) ((out_len <= sizeof(tmp)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4014, "out_len <= sizeof(tmp)"))));4015 ssl_data_set(out, tmp, out_len);4016 ssl_print_string("export iv", out);4017 return true1;4018}4019 4020static bool_Bool4021ssl3_prf(StringInfo* secret, const char* usage,4022 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)4023{4024 SSL_MD5_CTXgcry_md_hd_t md5;4025 SSL_SHA_CTXgcry_md_hd_t sha;4026 unsigned off;4027 int i = 0,j;4028 uint8_t buf[20];4029 4030 if (ssl_sha_init(&sha) != 0) {4031 return false0;4032 }4033 if (ssl_md5_init(&md5) != 0) {4034 ssl_sha_cleanup(&sha);4035 return false0;4036 }4037 for (off = 0; off < out_len; off += 16) {4038 unsigned char outbuf[16];4039 i++;4040 4041 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);4042 /* A, BB, CCC, ... */4043 for(j=0;j<i;j++){4044 buf[j]=64+i;4045 }4046 4047 ssl_sha_update(&sha,buf,i);4048 ssl_sha_update(&sha,secret->data,secret->data_len);4049 4050 if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){4051 if (rnd2)4052 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);4053 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);4054 }4055 else{4056 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);4057 if (rnd2)4058 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);4059 }4060 4061 ssl_sha_final(buf,&sha);4062 ssl_sha_reset(&sha);4063 4064 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,4065 secret->data_len);4066 ssl_md5_update(&md5,secret->data,secret->data_len);4067 ssl_md5_update(&md5,buf,20);4068 ssl_md5_final(outbuf,&md5);4069 ssl_md5_reset(&md5);4070 4071 memcpy(out->data + off, outbuf, MIN(out_len - off, 16)(((out_len - off) < (16)) ? (out_len - off) : (16)));4072 }4073 ssl_sha_cleanup(&sha);4074 ssl_md5_cleanup(&md5);4075 out->data_len = out_len;4076 4077 return true1;4078}4079 4080/* out_len is the wanted output length for the pseudorandom function.4081 * Ensure that ssl->cipher_suite is set. */4082static bool_Bool4083prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,4084 StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)4085{4086 switch (ssl->session.version) {4087 case SSLV3_VERSION0x300:4088 return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);4089 4090 case TLSV1_VERSION0x301:4091 case TLSV1DOT1_VERSION0x302:4092 case DTLSV1DOT0_VERSION0xfeff:4093 case DTLSV1DOT0_OPENSSL_VERSION0x100:4094 return tls_prf(secret, usage, rnd1, rnd2, out, out_len);4095 4096 default: /* TLSv1.2 */4097 switch (ssl->cipher_suite->dig) {4098 case DIG_SM30x44:4099#if GCRYPT_VERSION_NUMBER0x010a03 >= 0x0109004100 return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,4101 out, out_len);4102#else4103 return false0;4104#endif4105 case DIG_SHA3840x43:4106 return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,4107 out, out_len);4108 default:4109 return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,4110 out, out_len);4111 }4112 }4113}4114 4115static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)4116{4117 SSL_MD5_CTXgcry_md_hd_t md5;4118 SSL_SHA_CTXgcry_md_hd_t sha;4119 4120 if (ssl_data_alloc(out, 36) < 0)4121 return -1;4122 4123 if (ssl_md5_init(&md5) != 0)4124 return -1;4125 ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);4126 ssl_md5_final(out->data,&md5);4127 ssl_md5_cleanup(&md5);4128 4129 if (ssl_sha_init(&sha) != 0)4130 return -1;4131 ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);4132 ssl_sha_final(out->data+16,&sha);4133 ssl_sha_cleanup(&sha);4134 return 0;4135}4136 4137static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)4138{4139 SSL_MDgcry_md_hd_t mc;4140 uint8_t tmp[48];4141 unsigned len;4142 4143 if (ssl_md_init(&mc, md) != 0)4144 return -1;4145 ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);4146 ssl_md_final(&mc, tmp, &len);4147 ssl_md_cleanup(&mc);4148 4149 if (ssl_data_alloc(out, len) < 0)4150 return -1;4151 memcpy(out->data, tmp, len);4152 return 0;4153}4154 4155/**4156 * Obtains the label prefix used in HKDF-Expand-Label. This function can be4157 * inlined and removed once support for draft 19 and before is dropped.4158 */4159static inline const char *4160tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)4161{4162 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {4163 return "TLS 1.3, ";4164 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {4165 return "dtls13";4166 } else {4167 return "tls13 ";4168 }4169}4170 4171/*4172 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a4173 * custom label prefix. If "context_hash" is NULL, then an empty context is4174 * used. Otherwise it must have the same length as the hash algorithm output.4175 */4176bool_Bool4177tls13_hkdf_expand_label_context(int md, const StringInfo *secret,4178 const char *label_prefix, const char *label,4179 const uint8_t *context_hash, uint8_t context_length,4180 uint16_t out_len, unsigned char **out)4181{4182 /* RFC 8446 Section 7.1:4183 * HKDF-Expand-Label(Secret, Label, Context, Length) =4184 * HKDF-Expand(Secret, HkdfLabel, Length)4185 * struct {4186 * uint16 length = Length;4187 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.4188 * opaque context<0..255> = Context;4189 * } HkdfLabel;4190 *4191 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):4192 * HKDF-Expand(PRK, info, L) -> OKM4193 */4194 gcry_error_t err;4195 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);4196 const unsigned label_length = (unsigned) strlen(label);4197 4198 /* Some sanity checks */4199 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4199, "label_length > 0 && label_prefix_length + label_length <= 255"
))));4200 4201 /* info = HkdfLabel { length, label, context } */4202 GByteArray *info = g_byte_array_new();4203 const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))));4204 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));4205 4206 const uint8_t label_vector_length = label_prefix_length + label_length;4207 g_byte_array_append(info, &label_vector_length, 1);4208 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);4209 g_byte_array_append(info, (const uint8_t*)label, label_length);4210 4211 g_byte_array_append(info, &context_length, 1);4212 if (context_length) {4213 g_byte_array_append(info, context_hash, context_length);4214 }4215 4216 *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);4217 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);4218 g_byte_array_free(info, true1);4219 4220 if (err) {4221 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));4222 wmem_free(NULL((void*)0), *out);4223 *out = NULL((void*)0);4224 return false0;4225 }4226 4227 return true1;4228}4229 4230bool_Bool4231tls13_hkdf_expand_label(int md, const StringInfo *secret,4232 const char *label_prefix, const char *label,4233 uint16_t out_len, unsigned char **out)4234{4235 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL((void*)0), 0, out_len, out);4236}4237/* HMAC and the Pseudorandom function }}} */4238 4239/* Record Decompression (after decryption) {{{ */4240#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)4241/* memory allocation functions for zlib initialization */4242static void* ssl_zalloc(void* opaque _U___attribute__((unused)), unsigned int no, unsigned int size)4243{4244 return g_malloc0(no*size);4245}4246static void ssl_zfree(void* opaque _U___attribute__((unused)), void* addr)4247{4248 g_free(addr);4249}4250#endif4251 4252static SslDecompress*4253ssl_create_decompressor(int compression)4254{4255 SslDecompress *decomp;4256#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)4257 int err;4258#endif4259 4260 if (compression == 0) return NULL((void*)0);4261 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);4262 decomp = wmem_new(wmem_file_scope(), SslDecompress)((SslDecompress*)wmem_alloc((wmem_file_scope()), sizeof(SslDecompress
)));4263 decomp->compression = compression;4264 switch (decomp->compression) {4265#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)4266 case 1: /* DEFLATE */4267 decomp->istream.zalloc = ssl_zalloc;4268 decomp->istream.zfree = ssl_zfree;4269 decomp->istream.opaque = Z_NULL0;4270 decomp->istream.next_in = Z_NULL0;4271 decomp->istream.next_out = Z_NULL0;4272 decomp->istream.avail_in = 0;4273 decomp->istream.avail_out = 0;4274 err = ZLIB_PREFIX(inflateInit)(&decomp->istream)inflateInit_((&decomp->istream), "1.3", (int)sizeof(z_stream
));4275 if (err != Z_OK0) {4276 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);4277 return NULL((void*)0);4278 }4279 break;4280#endif4281 default:4282 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);4283 return NULL((void*)0);4284 }4285 return decomp;4286}4287 4288#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)4289static int4290ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)4291{4292 int err;4293 4294 switch (decomp->compression) {4295 case 1: /* DEFLATE */4296 err = Z_OK0;4297 if (out_str->data_len < 16384) { /* maximal plain length */4298 ssl_data_realloc(out_str, 16384);4299 }4300#ifdef z_constconst4301 decomp->istream.next_in = in;4302#else4303DIAG_OFF(cast-qual)clang diagnostic push clang diagnostic ignored "-Wcast-qual"
4304 decomp->istream.next_in = (Bytef *)in;4305DIAG_ON(cast-qual)clang diagnostic pop4306#endif4307 decomp->istream.avail_in = inl;4308 decomp->istream.next_out = out_str->data;4309 decomp->istream.avail_out = out_str->data_len;4310 if (inl > 0)4311 err = ZLIB_PREFIX(inflate)inflate(&decomp->istream, Z_SYNC_FLUSH2);4312 if (err != Z_OK0) {4313 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);4314 return -1;4315 }4316 *outl = out_str->data_len - decomp->istream.avail_out;4317 break;4318 default:4319 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);4320 return -1;4321 }4322 return 0;4323}4324#else4325int4326ssl_decompress_record(SslDecompress* decomp _U___attribute__((unused)), const unsigned char* in _U___attribute__((unused)), unsigned inl _U___attribute__((unused)), StringInfo* out_str _U___attribute__((unused)), unsigned* outl _U___attribute__((unused)))4327{4328 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);4329 return -1;4330}4331#endif4332/* Record Decompression (after decryption) }}} */4333 4334/* Create a new structure to store decrypted chunks. {{{ */4335static SslFlow*4336ssl_create_flow(void)4337{4338 SslFlow *flow;4339 4340 flow = wmem_new(wmem_file_scope(), SslFlow)((SslFlow*)wmem_alloc((wmem_file_scope()), sizeof(SslFlow)));4341 flow->byte_seq = 0;4342 flow->flags = 0;4343 flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());4344 return flow;4345}4346/* }}} */4347 4348/* Use the negotiated security parameters for decryption. {{{ */4349void4350ssl_change_cipher(SslDecryptSession *ssl_session, bool_Bool server)4351{4352 SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;4353 SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;4354 ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",4355 *new_decoder ? "" : " (No decoder found - retransmission?)");4356 if (*new_decoder) {4357 *dest = *new_decoder;4358 *new_decoder = NULL((void*)0);4359 }4360}4361/* }}} */4362 4363/* Init cipher state given some security parameters. {{{ */4364static bool_Bool4365ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);4366 4367static SslDecoder*4368ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,4369 int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)4370{4371 SslDecoder *dec;4372 ssl_cipher_mode_t mode = cipher_suite->mode;4373 4374 dec = wmem_new0(wmem_file_scope(), SslDecoder)((SslDecoder*)wmem_alloc0((wmem_file_scope()), sizeof(SslDecoder
)));4375 /* init mac buffer: mac storage is embedded into decoder struct to save a4376 memory allocation and waste samo more memory*/4377 dec->cipher_suite=cipher_suite;4378 dec->compression = compression;4379 if ((mode == MODE_STREAM && mk != NULL((void*)0)) || mode == MODE_CBC) {4380 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note4381 // the special case for NULL ciphers, even if there is insufficiency4382 // keying material (including MAC key), we will can still create4383 // decoders since "decryption" is easy for such ciphers.4384 dec->mac_key.data = dec->_mac_key_or_write_iv;4385 ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);4386 } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {4387 // Input for the nonce, to be used with AEAD ciphers.4388 DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv))((void) ((iv_length <= sizeof(dec->_mac_key_or_write_iv
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4388, "iv_length <= sizeof(dec->_mac_key_or_write_iv)"
))));4389 dec->write_iv.data = dec->_mac_key_or_write_iv;4390 ssl_data_set(&dec->write_iv, iv, iv_length);4391 }4392 dec->seq = 0;4393 dec->decomp = ssl_create_decompressor(compression);4394 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);4395 4396 if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {4397 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC((const char*) (__func__)),4398 cipher_algo, cipher_suite->mode);4399 return NULL((void*)0);4400 }4401 4402 if (cipher_suite->enc != ENC_NULL0x3D && sn_key != NULL((void*)0)) {4403 if (cipher_suite->enc == ENC_AES0x35 || cipher_suite->enc == ENC_AES2560x36) {4404 mode = MODE_ECB;4405 } else if (cipher_suite->enc == ENC_CHACHA200x3A) {4406 mode = MODE_STREAM;4407 } else {4408 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");4409 return NULL((void*)0);4410 }4411 4412 if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL((void*)0), mode) < 0) {4413 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC((const char*) (__func__)),4414 cipher_algo, MODE_ECB);4415 ssl_cipher_cleanup(&dec->evp);4416 dec->evp = NULL((void*)0);4417 return NULL((void*)0);4418 }4419 } else {4420 dec->sn_evp = NULL((void*)0);4421 }4422 4423 dec->dtls13_aad.data = NULL((void*)0);4424 dec->dtls13_aad.data_len = 0;4425 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);4426 return dec;4427}4428 4429static bool_Bool4430ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U___attribute__((unused)), wmem_cb_event_t event _U___attribute__((unused)), void *user_data)4431{4432 SslDecoder *dec = (SslDecoder *) user_data;4433 4434 if (dec->evp)4435 ssl_cipher_cleanup(&dec->evp);4436 if (dec->sn_evp)4437 ssl_cipher_cleanup(&dec->sn_evp);4438 4439#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)4440 if (dec->decomp != NULL((void*)0) && dec->decomp->compression == 1 /* DEFLATE */)4441 ZLIB_PREFIX(inflateEnd)inflateEnd(&dec->decomp->istream);4442#endif4443 4444 return false0;4445}4446/* }}} */4447 4448/* (Pre-)master secrets calculations {{{ */4449#ifdef HAVE_LIBGNUTLS14450static bool_Bool4451ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,4452 StringInfo *encrypted_pre_master,4453 GHashTable *key_hash);4454#endif /* HAVE_LIBGNUTLS */4455 4456static bool_Bool4457ssl_restore_master_key(SslDecryptSession *ssl, const char *label,4458 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);4459 4460bool_Bool4461ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,4462 uint32_t length, tvbuff_t *tvb, uint32_t offset,4463 const char *ssl_psk, packet_info *pinfo,4464#ifdef HAVE_LIBGNUTLS14465 GHashTable *key_hash,4466#endif4467 const ssl_master_key_map_t *mk_map)4468{4469 /* check for required session data */4470 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",4471 G_STRFUNC((const char*) (__func__)), ssl_session->state);4472 if ((ssl_session->state & (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) !=4473 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) {4474 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC((const char*) (__func__)),4475 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4)));4476 return false0;4477 }4478 4479 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304) {4480 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC((const char*) (__func__)));4481 return false0;4482 }4483 4484 /* check to see if the PMS was provided to us*/4485 if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true1,4486 mk_map->pms, &ssl_session->client_random)) {4487 return true1;4488 }4489 4490 if (ssl_session->cipher_suite->kex == KEX_PSK0x1d)4491 {4492 /* calculate pre master secret*/4493 StringInfo pre_master_secret;4494 unsigned psk_len, pre_master_len;4495 4496 if (!ssl_psk || (ssl_psk[0] == 0)) {4497 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC((const char*) (__func__)));4498 return false0;4499 }4500 4501 /* convert hex string into char*/4502 if (!from_hex(&ssl_session->psk, ssl_psk, strlen(ssl_psk))) {4503 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",4504 G_STRFUNC((const char*) (__func__)));4505 return false0;4506 }4507 4508 psk_len = ssl_session->psk.data_len;4509 if (psk_len >= (2 << 15)) {4510 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",4511 G_STRFUNC((const char*) (__func__)));4512 return false0;4513 }4514 4515 4516 pre_master_len = psk_len * 2 + 4;4517 4518 pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);4519 pre_master_secret.data_len = pre_master_len;4520 /* 2 bytes psk_len*/4521 pre_master_secret.data[0] = psk_len >> 8;4522 pre_master_secret.data[1] = psk_len & 0xFF;4523 /* psk_len bytes times 0*/4524 memset(&pre_master_secret.data[2], 0, psk_len);4525 /* 2 bytes psk_len*/4526 pre_master_secret.data[psk_len + 2] = psk_len >> 8;4527 pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;4528 /* psk*/4529 memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);4530 4531 ssl_session->pre_master_secret.data = pre_master_secret.data;4532 ssl_session->pre_master_secret.data_len = pre_master_len;4533 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/4534 4535 /* Remove the master secret if it was there.4536 This forces keying material regeneration in4537 case we're renegotiating */4538 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));4539 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);4540 return true1;4541 }4542 else4543 {4544 unsigned encrlen, skip;4545 encrlen = length;4546 skip = 0;4547 4548 /* get encrypted data, on tls1 we have to skip two bytes4549 * (it's the encrypted len and should be equal to record len - 2)4550 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary4551 */4552 if (ssl_session->cipher_suite->kex == KEX_RSA0x1e &&4553 (ssl_session->session.version == TLSV1_VERSION0x301 ||4554 ssl_session->session.version == TLSV1DOT1_VERSION0x302 ||4555 ssl_session->session.version == TLSV1DOT2_VERSION0x303 ||4556 ssl_session->session.version == DTLSV1DOT0_VERSION0xfeff ||4557 ssl_session->session.version == DTLSV1DOT2_VERSION0xfefd ||4558 ssl_session->session.version == TLCPV1_VERSION0x101 ))4559 {4560 encrlen = tvb_get_ntohs(tvb, offset);4561 skip = 2;4562 if (encrlen > length - 2)4563 {4564 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",4565 G_STRFUNC((const char*) (__func__)), encrlen, length);4566 return false0;4567 }4568 }4569 /* the valid lower bound is higher than 8, but it is sufficient for the4570 * ssl keylog file below */4571 if (encrlen < 8) {4572 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",4573 G_STRFUNC((const char*) (__func__)), encrlen);4574 return false0;4575 }4576 4577 StringInfo encrypted_pre_master = {4578 .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),4579 .data_len = encrlen,4580 };4581 4582#ifdef HAVE_LIBGNUTLS14583 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */4584 if (ssl_session->cert_key_id) {4585 if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))4586 return true1;4587 4588 ssl_debug_printf("%s: can't decrypt pre-master secret\n",4589 G_STRFUNC((const char*) (__func__)));4590 }4591#endif /* HAVE_LIBGNUTLS */4592 4593 /* try to find the pre-master secret from the encrypted one. The4594 * ssl key logfile stores only the first 8 bytes, so truncate it */4595 encrypted_pre_master.data_len = 8;4596 if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",4597 true1, mk_map->pre_master, &encrypted_pre_master))4598 return true1;4599 }4600 return false0;4601}4602 4603/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */4604int4605ssl_generate_keyring_material(SslDecryptSession*ssl_session)4606{4607 StringInfo key_block = { NULL((void*)0), 0 };4608 uint8_t _iv_c[MAX_BLOCK_SIZE16],_iv_s[MAX_BLOCK_SIZE16];4609 uint8_t _key_c[MAX_KEY_SIZE32],_key_s[MAX_KEY_SIZE32];4610 int needed;4611 int cipher_algo = -1; /* special value (-1) for NULL encryption */4612 unsigned encr_key_len, write_iv_len = 0;4613 bool_Bool is_export_cipher;4614 uint8_t *ptr, *c_iv = NULL((void*)0), *s_iv = NULL((void*)0);4615 uint8_t *c_wk = NULL((void*)0), *s_wk = NULL((void*)0), *c_mk = NULL((void*)0), *s_mk = NULL((void*)0);4616 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;4617 4618 /* (D)TLS 1.3 is handled directly in tls13_change_key. */4619 if (ssl_session->session.version

7.1	Field 'version' is not equal to TLSV1DOT3_VERSION

== TLSV1DOT3_VERSION0x304 || ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {4620 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC((const char*) (__func__)));4621 return -1;4622 }4623 4624 /* check for enough info to proceed */4625 unsigned need_all = SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4);4626 unsigned need_any = SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);4627 if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {4628 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "4629 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,4630 need_all|SSL_MASTER_SECRET(1<<5), need_all|SSL_PRE_MASTER_SECRET(1<<6));4631 /* Special case: for NULL encryption, allow dissection of data even if4632 * the Client Hello is missing (MAC keys are now skipped though). */4633 need_all = SSL_CIPHER(1<<2)|SSL_VERSION(1<<4);4634 if ((ssl_session->state & need_all) == need_all &&4635 cipher_suite->enc == ENC_NULL0x3D) {4636 ssl_debug_printf("%s NULL cipher found, will create a decoder but "4637 "skip MAC validation as keys are missing.\n", G_STRFUNC((const char*) (__func__)));4638 goto create_decoders;4639 }4640 4641 return -1;4642 }4643 4644 /* if master key is not available, generate is from the pre-master secret */4645 if (!(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {4646 if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) == SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) {4647 StringInfo handshake_hashed_data;4648 int ret;4649 4650 handshake_hashed_data.data = NULL((void*)0);4651 handshake_hashed_data.data_len = 0;4652 4653 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC((const char*) (__func__)));4654 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);4655 DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0)((void) ((ssl_session->handshake_data.data_len > 0) ? (
void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4655, "ssl_session->handshake_data.data_len > 0"
))));4656 4657 switch(ssl_session->session.version) {4658 case TLSV1_VERSION0x301:4659 case TLSV1DOT1_VERSION0x302:4660 case DTLSV1DOT0_VERSION0xfeff:4661 case DTLSV1DOT0_OPENSSL_VERSION0x100:4662 case TLCPV1_VERSION0x101:4663 ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);4664 break;4665 default:4666 switch (cipher_suite->dig) {4667 case DIG_SHA3840x43:4668 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);4669 break;4670 default:4671 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);4672 break;4673 }4674 break;4675 }4676 if (ret

29.1	'ret' is -1

) {4677 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC((const char*) (__func__)));4678 return -1;4679 }4680 4681 wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);4682 ssl_session->handshake_data.data = NULL((void*)0);4683 ssl_session->handshake_data.data_len = 0;4684 4685 if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",4686 &handshake_hashed_data,4687 NULL((void*)0), &ssl_session->master_secret,4688 SSL_MASTER_SECRET_LENGTH48)) {4689 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));4690 g_free(handshake_hashed_data.data);4691 return -1;4692 }4693 g_free(handshake_hashed_data.data);4694 } else {4695 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC((const char*) (__func__)));4696 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);4697 ssl_print_string("client random",&ssl_session->client_random);4698 ssl_print_string("server random",&ssl_session->server_random);4699 if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",4700 &ssl_session->client_random,4701 &ssl_session->server_random, &ssl_session->master_secret,4702 SSL_MASTER_SECRET_LENGTH48)) {4703 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));4704 return -1;4705 }4706 }4707 ssl_print_string("master secret",&ssl_session->master_secret);4708 4709 /* the pre-master secret has been 'consumed' so we must clear it now */4710 ssl_session->state &= ~SSL_PRE_MASTER_SECRET(1<<6);4711 ssl_session->state |= SSL_MASTER_SECRET(1<<5);4712 }4713 4714 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */4715 if (cipher_suite->enc != ENC_NULL0x3D) {4716 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];4717 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);4718 cipher_algo = ssl_get_cipher_by_name(cipher_name);4719 if (cipher_algo == 0) {4720 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);4721 return -1;4722 }4723 }4724 4725 /* Export ciphers consume less material from the key block. */4726 encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);4727 is_export_cipher = encr_key_len > 0;4728 if (!is_export_cipher && cipher_suite->enc != ENC_NULL0x3D) {4729 encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);4730 }4731 4732 if (cipher_suite->mode == MODE_CBC) {4733 write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);4734 } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {4735 /* account for a four-byte salt for client and server side (from4736 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */4737 write_iv_len = 4;4738 } else if (cipher_suite->mode == MODE_POLY1305) {4739 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */4740 write_iv_len = 12;4741 }4742 4743 /* Compute the key block. First figure out how much data we need */4744 needed = ssl_cipher_suite_dig(cipher_suite)->len*2; /* MAC key */4745 needed += 2 * encr_key_len; /* encryption key */4746 needed += 2 * write_iv_len; /* write IV */4747 4748 key_block.data = (unsigned char *)g_malloc(needed);4749 ssl_debug_printf("%s sess key generation\n", G_STRFUNC((const char*) (__func__)));4750 if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",4751 &ssl_session->server_random,&ssl_session->client_random,4752 &key_block, needed)) {4753 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC((const char*) (__func__)));4754 goto fail;4755 }4756 ssl_print_string("key expansion", &key_block);4757 4758 ptr=key_block.data;4759 /* client/server write MAC key (for non-AEAD ciphers) */4760 if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {4761 c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;4762 s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;4763 }4764 /* client/server write encryption key */4765 c_wk=ptr; ptr += encr_key_len;4766 s_wk=ptr; ptr += encr_key_len;4767 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */4768 if (write_iv_len > 0) {4769 c_iv=ptr; ptr += write_iv_len;4770 s_iv=ptr; /* ptr += write_iv_len; */4771 }4772 4773 /* export ciphers work with a smaller key length */4774 if (is_export_cipher) {4775 if (cipher_suite->mode == MODE_CBC) {4776 4777 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's4778 all we should need. This is a sanity check */4779 if (write_iv_len > MAX_BLOCK_SIZE16) {4780 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",4781 G_STRFUNC((const char*) (__func__)), MAX_BLOCK_SIZE16, write_iv_len);4782 goto fail;4783 }4784 4785 if(ssl_session->session.version==SSLV3_VERSION0x300){4786 /* The length of these fields are ignored by this caller */4787 StringInfo iv_c, iv_s;4788 iv_c.data = _iv_c;4789 iv_s.data = _iv_s;4790 4791 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC((const char*) (__func__)));4792 if (!ssl3_generate_export_iv(&ssl_session->client_random,4793 &ssl_session->server_random, &iv_c, write_iv_len)) {4794 goto fail;4795 }4796 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC((const char*) (__func__)));4797 if (!ssl3_generate_export_iv(&ssl_session->server_random,4798 &ssl_session->client_random, &iv_s, write_iv_len)) {4799 goto fail;4800 }4801 }4802 else{4803 uint8_t _iv_block[MAX_BLOCK_SIZE16 * 2];4804 StringInfo iv_block;4805 StringInfo key_null;4806 uint8_t _key_null;4807 4808 key_null.data = &_key_null;4809 key_null.data_len = 0;4810 4811 iv_block.data = _iv_block;4812 4813 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC((const char*) (__func__)));4814 if (!prf(ssl_session, &key_null, "IV block",4815 &ssl_session->client_random,4816 &ssl_session->server_random, &iv_block,4817 write_iv_len * 2)) {4818 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC((const char*) (__func__)));4819 goto fail;4820 }4821 4822 memcpy(_iv_c, iv_block.data, write_iv_len);4823 memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);4824 }4825 4826 c_iv=_iv_c;4827 s_iv=_iv_s;4828 }4829 4830 if (ssl_session->session.version==SSLV3_VERSION0x300){4831 4832 SSL_MD5_CTXgcry_md_hd_t md5;4833 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC((const char*) (__func__)));4834 4835 if (ssl_md5_init(&md5) != 0)4836 goto fail;4837 ssl_md5_update(&md5,c_wk,encr_key_len);4838 ssl_md5_update(&md5,ssl_session->client_random.data,4839 ssl_session->client_random.data_len);4840 ssl_md5_update(&md5,ssl_session->server_random.data,4841 ssl_session->server_random.data_len);4842 ssl_md5_final(_key_c,&md5);4843 ssl_md5_cleanup(&md5);4844 c_wk=_key_c;4845 4846 if (ssl_md5_init(&md5) != 0)4847 goto fail;4848 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC((const char*) (__func__)));4849 ssl_md5_update(&md5,s_wk,encr_key_len);4850 ssl_md5_update(&md5,ssl_session->server_random.data,4851 ssl_session->server_random.data_len);4852 ssl_md5_update(&md5,ssl_session->client_random.data,4853 ssl_session->client_random.data_len);4854 ssl_md5_final(_key_s,&md5);4855 ssl_md5_cleanup(&md5);4856 s_wk=_key_s;4857 }4858 else{4859 StringInfo key_c, key_s, k;4860 key_c.data = _key_c;4861 key_s.data = _key_s;4862 4863 k.data = c_wk;4864 k.data_len = encr_key_len;4865 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC((const char*) (__func__)));4866 if (!prf(ssl_session, &k, "client write key",4867 &ssl_session->client_random,4868 &ssl_session->server_random, &key_c, sizeof(_key_c))) {4869 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC((const char*) (__func__)));4870 goto fail;4871 }4872 c_wk=_key_c;4873 4874 k.data = s_wk;4875 k.data_len = encr_key_len;4876 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC((const char*) (__func__)));4877 if (!prf(ssl_session, &k, "server write key",4878 &ssl_session->client_random,4879 &ssl_session->server_random, &key_s, sizeof(_key_s))) {4880 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC((const char*) (__func__)));4881 goto fail;4882 }4883 s_wk=_key_s;4884 }4885 }4886 4887 /* show key material info */4888 if (c_mk != NULL((void*)0)) {4889 ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);4890 ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);4891 }4892 ssl_print_data("Client Write key", c_wk, encr_key_len);4893 ssl_print_data("Server Write key", s_wk, encr_key_len);4894 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */4895 if (write_iv_len > 0) {4896 ssl_print_data("Client Write IV", c_iv, write_iv_len);4897 ssl_print_data("Server Write IV", s_iv, write_iv_len);4898 }4899 4900create_decoders:4901 /* create both client and server ciphers*/4902 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC((const char*) (__func__)));4903 ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL((void*)0), c_iv, write_iv_len);4904 if (!ssl_session->client_new) {4905 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC((const char*) (__func__)));4906 goto fail;4907 }4908 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC((const char*) (__func__)));4909 ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL((void*)0), s_iv, write_iv_len);4910 if (!ssl_session->server_new) {4911 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC((const char*) (__func__)));4912 goto fail;4913 }4914 4915 /* Continue the SSL stream after renegotiation with new keys. */4916 ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();4917 ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();4918 4919 ssl_debug_printf("%s: client seq %" PRIu64"l" "u" ", server seq %" PRIu64"l" "u" "\n",4920 G_STRFUNC((const char*) (__func__)), ssl_session->client_new->seq, ssl_session->server_new->seq);4921 g_free(key_block.data);4922 ssl_session->state |= SSL_HAVE_SESSION_KEY(1<<3);4923 return 0;4924 4925fail:4926 g_free(key_block.data);4927 return -1;4928}4929 4930/* Generated the key material based on the given secret. */4931bool_Bool4932tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool_Bool is_from_server)4933{4934 bool_Bool success = false0;4935 unsigned char *write_key = NULL((void*)0), *write_iv = NULL((void*)0);4936 unsigned char *sn_key = NULL((void*)0);4937 SslDecoder *decoder;4938 unsigned key_length, iv_length;4939 int hash_algo;4940 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;4941 int cipher_algo;4942 4943 if ((ssl_session->session.version != TLSV1DOT3_VERSION0x304) && (ssl_session->session.version != DTLSV1DOT3_VERSION0xfefc)) {4944 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC((const char*) (__func__)),4945 ssl_session->session.version);4946 return false0;4947 }4948 4949 if (cipher_suite == NULL((void*)0)) {4950 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC((const char*) (__func__)));4951 return false0;4952 }4953 4954 if (cipher_suite->kex != KEX_TLS130x23) {4955 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC((const char*) (__func__)), cipher_suite->number);4956 return false0;4957 }4958 4959 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */4960 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];4961 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);4962 cipher_algo = ssl_get_cipher_by_name(cipher_name);4963 if (cipher_algo == 0) {4964 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);4965 return false0;4966 }4967 4968 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;4969 hash_algo = ssl_get_digest_by_name(hash_name);4970 if (!hash_algo) {4971 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), hash_name);4972 return false0;4973 }4974 4975 key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);4976 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */4977 iv_length = 12;4978 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC((const char*) (__func__)), key_length, iv_length);4979 4980 const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);4981 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {4982 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC((const char*) (__func__)));4983 return false0;4984 }4985 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {4986 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC((const char*) (__func__)));4987 goto end;4988 }4989 4990 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {4991 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {4992 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC((const char*) (__func__)));4993 goto end;4994 }4995 }4996 4997 ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);4998 ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);4999 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {5000 ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);5001 }5002 5003 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");5004 decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL((void*)0), write_key, sn_key, write_iv, iv_length);5005 if (!decoder) {5006 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");5007 goto end;5008 }5009 5010 /* Continue the TLS session with new keys, but reuse old flow to keep things5011 * like "Follow TLS" working (by linking application data records). */5012 if (is_from_server) {5013 decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();5014 ssl_session->server = decoder;5015 } else {5016 decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();5017 ssl_session->client = decoder;5018 }5019 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC((const char*) (__func__)),5020 is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);5021 success = true1;5022 5023end:5024 wmem_free(NULL((void*)0), write_key);5025 wmem_free(NULL((void*)0), write_iv);5026 if (sn_key)5027 wmem_free(NULL((void*)0), sn_key);5028 return success;5029}5030/* (Pre-)master secrets calculations }}} */5031 5032#ifdef HAVE_LIBGNUTLS15033/* Decrypt RSA pre-master secret using RSA private key. {{{ */5034static bool_Bool5035ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,5036 StringInfo *encrypted_pre_master, GHashTable *key_hash)5037{5038 int ret;5039 5040 if (!encrypted_pre_master)5041 return false0;5042 5043 if (KEX_IS_DH(ssl_session->cipher_suite->kex)((ssl_session->cipher_suite->kex) >= 0x10 &&
(ssl_session->cipher_suite->kex) <= 0x1b)) {5044 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "5045 "(cipher suite 0x%04X %s) and cannot be decrypted "5046 "using a RSA private key file.\n",5047 G_STRFUNC((const char*) (__func__)), ssl_session->session.cipher,5048 val_to_str_ext_const(ssl_session->session.cipher,5049 &ssl_31_ciphersuite_ext, "unknown"));5050 return false0;5051 } else if (ssl_session->cipher_suite->kex != KEX_RSA0x1e) {5052 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",5053 G_STRFUNC((const char*) (__func__)), ssl_session->cipher_suite->kex, KEX_RSA0x1e);5054 return false0;5055 }5056 5057 gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);5058 5059 ssl_print_string("pre master encrypted", encrypted_pre_master);5060 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC((const char*) (__func__)));5061 const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };5062 gnutls_datum_t pms = { 0 };5063 if (pk) {5064 // Try to decrypt using the RSA keys table from (D)TLS preferences.5065 ret = gnutls_privkey_decrypt_data(pk, 0, &epms, &pms);5066 } else {5067 // Try to decrypt using a hardware token.5068 ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);5069 }5070 if (ret < 0) {5071 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC((const char*) (__func__)), ret, gnutls_strerror(ret));5072 return false0;5073 }5074 5075 if (pms.size != 48) {5076 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",5077 G_STRFUNC((const char*) (__func__)), pms.size, 48);5078 if (pk) {5079 gnutls_free(pms.data);5080 } else {5081 g_free(pms.data);5082 }5083 return false0;5084 }5085 5086 ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);5087 ssl_session->pre_master_secret.data_len = 48;5088 if (pk) {5089 gnutls_free(pms.data);5090 } else {5091 g_free(pms.data);5092 }5093 ssl_print_string("pre master secret", &ssl_session->pre_master_secret);5094 5095 /* Remove the master secret if it was there.5096 This forces keying material regeneration in5097 case we're renegotiating */5098 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));5099 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);5100 return true1;5101} /* }}} */5102#endif /* HAVE_LIBGNUTLS */5103 5104/* Decryption integrity check {{{ */5105 5106static int5107tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,5108 uint32_t datalen, uint8_t* mac)5109{5110 SSL_HMACgcry_md_hd_t hm;5111 int md;5112 uint32_t len;5113 uint8_t buf[DIGEST_MAX_SIZE48];5114 int16_t temp;5115 5116 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);5117 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",5118 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);5119 5120 if (ssl_hmac_init(&hm,md) != 0)5121 return -1;5122 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)5123 return -1;5124 5125 /* hash sequence number */5126 phton64(buf, decoder->seq);5127 5128 decoder->seq++;5129 5130 ssl_hmac_update(&hm,buf,8);5131 5132 /* hash content type */5133 buf[0]=ct;5134 ssl_hmac_update(&hm,buf,1);5135 5136 /* hash version,data length and data*/5137 /* *((int16_t*)buf) = g_htons(ver); */5138 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));5139 memcpy(buf, &temp, 2);5140 ssl_hmac_update(&hm,buf,2);5141 5142 /* *((int16_t*)buf) = g_htons(datalen); */5143 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));5144 memcpy(buf, &temp, 2);5145 ssl_hmac_update(&hm,buf,2);5146 ssl_hmac_update(&hm,data,datalen);5147 5148 /* get digest and digest len*/5149 len = sizeof(buf);5150 ssl_hmac_final(&hm,buf,&len);5151 ssl_hmac_cleanup(&hm);5152 ssl_print_data("Mac", buf, len);5153 if(memcmp(mac,buf,len))5154 return -1;5155 5156 return 0;5157}5158 5159static int5160ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,5161 uint32_t datalen, uint8_t* mac)5162{5163 SSL_MDgcry_md_hd_t mc;5164 int md;5165 uint32_t len;5166 uint8_t buf[64],dgst[20];5167 int pad_ct;5168 int16_t temp;5169 5170 pad_ct=(decoder->cipher_suite->dig==DIG_SHA0x41)?40:48;5171 5172 /* get cipher used for digest computation */5173 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);5174 if (ssl_md_init(&mc,md) !=0)5175 return -1;5176 5177 /* do hash computation on data && padding */5178 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);5179 5180 /* hash padding*/5181 memset(buf,0x36,pad_ct);5182 ssl_md_update(&mc,buf,pad_ct);5183 5184 /* hash sequence number */5185 phton64(buf, decoder->seq);5186 decoder->seq++;5187 ssl_md_update(&mc,buf,8);5188 5189 /* hash content type */5190 buf[0]=ct;5191 ssl_md_update(&mc,buf,1);5192 5193 /* hash data length in network byte order and data*/5194 /* *((int16_t* )buf) = g_htons(datalen); */5195 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));5196 memcpy(buf, &temp, 2);5197 ssl_md_update(&mc,buf,2);5198 ssl_md_update(&mc,data,datalen);5199 5200 /* get partial digest */5201 ssl_md_final(&mc,dgst,&len);5202 ssl_md_reset(&mc);5203 5204 /* hash mac key */5205 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);5206 5207 /* hash padding and partial digest*/5208 memset(buf,0x5c,pad_ct);5209 ssl_md_update(&mc,buf,pad_ct);5210 ssl_md_update(&mc,dgst,len);5211 5212 ssl_md_final(&mc,dgst,&len);5213 ssl_md_cleanup(&mc);5214 5215 if(memcmp(mac,dgst,len))5216 return -1;5217 5218 return 0;5219}5220 5221static int5222dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,5223 uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)5224{5225 SSL_HMACgcry_md_hd_t hm;5226 int md;5227 uint32_t len;5228 uint8_t buf[DIGEST_MAX_SIZE48];5229 int16_t temp;5230 5231 int ver = ssl->session.version;5232 bool_Bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION0xfefd));5233 5234 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);5235 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",5236 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);5237 5238 if (ssl_hmac_init(&hm,md) != 0)5239 return -1;5240 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)5241 return -1;5242 5243 ssl_debug_printf("dtls_check_mac seq: %" PRIu64"l" "u" " epoch: %d\n",decoder->seq,decoder->epoch);5244 5245 if (is_cid && !ssl->session.deprecated_cid) {5246 /* hash seq num placeholder */5247 memset(buf,0xFF,8);5248 ssl_hmac_update(&hm,buf,8);5249 5250 /* hash content type + cid length + content type */5251 buf[0]=ct;5252 buf[1]=cidl;5253 buf[2]=ct;5254 ssl_hmac_update(&hm,buf,3);5255 5256 /* hash version */5257 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));5258 memcpy(buf, &temp, 2);5259 ssl_hmac_update(&hm,buf,2);5260 5261 /* hash sequence number */5262 phton64(buf, decoder->seq);5263 buf[0]=decoder->epoch>>8;5264 buf[1]=(uint8_t)decoder->epoch;5265 ssl_hmac_update(&hm,buf,8);5266 5267 /* hash cid */5268 ssl_hmac_update(&hm,cid,cidl);5269 } else {5270 /* hash sequence number */5271 phton64(buf, decoder->seq);5272 buf[0]=decoder->epoch>>8;5273 buf[1]=(uint8_t)decoder->epoch;5274 ssl_hmac_update(&hm,buf,8);5275 5276 /* hash content type */5277 buf[0]=ct;5278 ssl_hmac_update(&hm,buf,1);5279 5280 /* hash version */5281 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));5282 memcpy(buf, &temp, 2);5283 ssl_hmac_update(&hm,buf,2);5284 5285 if (is_cid && ssl->session.deprecated_cid) {5286 /* hash cid */5287 ssl_hmac_update(&hm,cid,cidl);5288 5289 /* hash cid length */5290 buf[0] = cidl;5291 ssl_hmac_update(&hm,buf,1);5292 }5293 }5294 5295 /* data length and data */5296 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));5297 memcpy(buf, &temp, 2);5298 ssl_hmac_update(&hm,buf,2);5299 ssl_hmac_update(&hm,data,datalen);5300 5301 /* get digest and digest len */5302 len = sizeof(buf);5303 ssl_hmac_final(&hm,buf,&len);5304 ssl_hmac_cleanup(&hm);5305 ssl_print_data("Mac", buf, len);5306 if(memcmp(mac,buf,len))5307 return -1;5308 5309 return 0;5310}5311/* Decryption integrity check }}} */5312 5313 5314static bool_Bool5315tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,5316 uint8_t ct, uint16_t record_version,5317 bool_Bool ignore_mac_failed,5318 const unsigned char *in, uint16_t inl,5319 const unsigned char *cid, uint8_t cidl,5320 StringInfo *out_str, unsigned *outl)5321{5322 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:5323 * GenericAEADCipher: { nonce_explicit, [content] }5324 * In TLS 1.3 this explicit nonce is gone.5325 * With AES GCM/CCM, "[content]" is actually the concatenation of the5326 * ciphertext and authentication tag.5327 */5328 const uint16_t version = ssl->session.version;5329 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;5330 gcry_error_t err;5331 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;5332 unsigned ciphertext_len, auth_tag_len;5333 unsigned char nonce[12];5334 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;5335 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;5336 const uint8_t draft_version = ssl->session.tls13_draft_version;5337 const unsigned char *auth_tag_wire;5338 unsigned char auth_tag_calc[16];5339 unsigned char *aad = NULL((void*)0);5340 unsigned aad_len = 0;5341 5342 switch (cipher_mode) {5343 case MODE_GCM:5344 case MODE_CCM:5345 case MODE_POLY1305:5346 auth_tag_len = 16;5347 break;5348 case MODE_CCM_8:5349 auth_tag_len = 8;5350 break;5351 default:5352 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));5353 return false0;5354 }5355 5356 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */5357 if (is_v12 && cipher_mode != MODE_POLY1305) {5358 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {5359 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",5360 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);5361 return false0;5362 }5363 explicit_nonce = in;5364 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;5365 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;5366 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {5367 if (inl < auth_tag_len) {5368 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);5369 return false0;5370 }5371 ciphertext = in;5372 ciphertext_len = inl - auth_tag_len;5373 } else {5374 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);5375 return false0;5376 }5377 auth_tag_wire = ciphertext + ciphertext_len;5378 5379 /*5380 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY13055381 * (RFC 7905) uses a nonce construction similar to TLS 1.3.5382 */5383 if (is_v12 && cipher_mode != MODE_POLY1305) {5384 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5384, "decoder->write_iv.data_len == 4"))));5385 /* Implicit (4) and explicit (8) part of nonce. */5386 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);5387 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);5388 5389 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {5390 /*5391 * Technically the nonce length must be at least 8 bytes, but for5392 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.5393 */5394 const unsigned nonce_len = 12;5395 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5395, "decoder->write_iv.data_len == nonce_len"
))));5396 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);5397 /* Sequence number is left-padded with zeroes and XORed with write_iv */5398 phton64(nonce + nonce_len - 8, pntoh64(nonce + nonce_len - 8) ^ decoder->seq);5399 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);5400 }5401 5402 /* Set nonce and additional authentication data */5403 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0);5404 ssl_print_data("nonce", nonce, 12);5405 err = gcry_cipher_setiv(decoder->evp, nonce, 12);5406 if (err) {5407 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));5408 return false0;5409 }5410 5411 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */5412 if (is_cid) { /* if connection ID */5413 if (ssl->session.deprecated_cid) {5414 aad_len = 14 + cidl;5415 aad = wmem_alloc(wmem_packet_scope(), aad_len);5416 phton64(aad, decoder->seq); /* record sequence number */5417 phton16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */5418 aad[8] = ct; /* TLSCompressed.type */5419 phton16(aad + 9, record_version); /* TLSCompressed.version */5420 memcpy(aad + 11, cid, cidl); /* cid */5421 aad[11 + cidl] = cidl; /* cid_length */5422 phton16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */5423 } else {5424 aad_len = 23 + cidl;5425 aad = wmem_alloc(wmem_packet_scope(), aad_len);5426 memset(aad, 0xFF, 8); /* seq_num_placeholder */5427 aad[8] = ct; /* TLSCompressed.type */5428 aad[9] = cidl; /* cid_length */5429 aad[10] = ct; /* TLSCompressed.type */5430 phton16(aad + 11, record_version); /* TLSCompressed.version */5431 phton64(aad + 13, decoder->seq); /* record sequence number */5432 phton16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */5433 memcpy(aad + 21, cid, cidl); /* cid */5434 phton16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */5435 }5436 } else if (is_v12) {5437 aad_len = 13;5438 aad = wmem_alloc(wmem_packet_scope(), aad_len);5439 phton64(aad, decoder->seq); /* record sequence number */5440 if (version == DTLSV1DOT2_VERSION0xfefd) {5441 phton16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */5442 }5443 aad[8] = ct; /* TLSCompressed.type */5444 phton16(aad + 9, record_version); /* TLSCompressed.version */5445 phton16(aad + 11, ciphertext_len); /* TLSCompressed.length */5446 } else if (version == DTLSV1DOT3_VERSION0xfefc) {5447 aad_len = decoder->dtls13_aad.data_len;5448 aad = decoder->dtls13_aad.data;5449 } else if (draft_version >= 25 || draft_version == 0) {5450 aad_len = 5;5451 aad = wmem_alloc(wmem_packet_scope(), aad_len);5452 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */5453 phton16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */5454 phton16(aad + 3, inl); /* TLSCiphertext.length */5455 }5456 5457 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {5458 /* size of plaintext, additional authenticated data and auth tag. */5459 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };5460 5461 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));5462 }5463 5464 if (aad && aad_len > 0) {5465 ssl_print_data("AAD", aad, aad_len);5466 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);5467 if (err) {5468 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));5469 return false0;5470 }5471 }5472 5473 /* Decrypt now that nonce and AAD are set. */5474 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);5475 if (err) {5476 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));5477 return false0;5478 }5479 5480 /* Check authentication tag for authenticity (replaces MAC) */5481 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);5482 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {5483 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);5484 } else {5485 if (err) {5486 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));5487 } else {5488 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));5489 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);5490 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);5491 }5492 if (ignore_mac_failed) {5493 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));5494 } else {5495 return false0;5496 }5497 }5498 5499 /*5500 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done5501 * after successful authentication to ensure that early data is skipped when5502 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.5503 */5504 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {5505 decoder->seq++;5506 }5507 5508 ssl_print_data("Plaintext", out_str->data, ciphertext_len);5509 *outl = ciphertext_len;5510 return true1;5511}5512 5513/* Record decryption glue based on security parameters {{{ */5514/* Assume that we are called only for a non-NULL decoder which also means that5515 * we have a non-NULL decoder->cipher_suite. */5516int5517ssl_decrypt_record(SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,5518 bool_Bool ignore_mac_failed,5519 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,5520 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)5521{5522 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;5523 uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);5524 5525 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);5526 ssl_print_data("Ciphertext",in, inl);5527 5528 if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))5529 != (decoder->cipher_suite->kex == KEX_TLS130x23)) {5530 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));5531 return -1;5532 }5533 5534 /* ensure we have enough storage space for decrypted data */5535 if (inl > out_str->data_len)5536 {5537 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",5538 inl + 32, out_str->data_len);5539 ssl_data_realloc(out_str, inl + 32);5540 }5541 5542 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor5543 * a separate MAC, so use a different routine for simplicity. */5544 if (decoder->cipher_suite->mode == MODE_GCM ||5545 decoder->cipher_suite->mode == MODE_CCM ||5546 decoder->cipher_suite->mode == MODE_CCM_8 ||5547 decoder->cipher_suite->mode == MODE_POLY1305 ||5548 ssl->session.version == TLSV1DOT3_VERSION0x304 ||5549 ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {5550 5551 if (!tls_decrypt_aead_record(ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {5552 /* decryption failed */5553 return -1;5554 }5555 5556 goto skip_mac;5557 }5558 5559 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:5560 * (notation: { unencrypted, [ encrypted ] })5561 * GenericStreamCipher: { [content, mac] }5562 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }5563 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:5564 * GenericAEADCipher: { nonce_explicit, [content] }5565 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.5566 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.5567 */5568 5569 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;5570 5571 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */5572 if (decoder->cipher_suite->mode == MODE_CBC) {5573 unsigned blocksize = 0;5574 5575 switch (ssl->session.version) {5576 case TLSV1DOT1_VERSION0x302:5577 case TLSV1DOT2_VERSION0x303:5578 case DTLSV1DOT0_VERSION0xfeff:5579 case DTLSV1DOT2_VERSION0xfefd:5580 case DTLSV1DOT3_VERSION0xfefc:5581 case DTLSV1DOT0_OPENSSL_VERSION0x100:5582 case TLCPV1_VERSION0x101:5583 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);5584 if (inl < blocksize) {5585 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",5586 inl, blocksize);5587 return -1;5588 }5589 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);5590 if (pad != 0) {5591 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",5592 gcry_strsource (pad), gcry_strerror (pad));5593 }5594 5595 inl -= blocksize;5596 in += blocksize;5597 break;5598 }5599 5600 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */5601 if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {5602 /*5603 * MAC is calculated over (IV + ) ENCRYPTED contents:5604 *5605 * MAC(MAC_write_key, ... +5606 * IV + // for TLS 1.1 or greater5607 * TLSCiphertext.enc_content);5608 */5609 if (inl < maclen) {5610 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",5611 G_STRFUNC((const char*) (__func__)), inl, maclen);5612 return -1;5613 }5614 inl -= maclen;5615 mac = (uint8_t *)in + inl;5616 mac_frag = (uint8_t *)in - blocksize;5617 mac_fraglen = blocksize + inl;5618 }5619 }5620 5621 /* First decrypt*/5622 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {5623 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),5624 gcry_strerror (pad));5625 return -1;5626 }5627 5628 ssl_print_data("Plaintext", out_str->data, inl);5629 worklen=inl;5630 5631 5632 /* strip padding for GenericBlockCipher */5633 if (decoder->cipher_suite->mode == MODE_CBC) {5634 if (inl < 1) { /* Should this check happen earlier? */5635 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);5636 return -1;5637 }5638 pad=out_str->data[inl-1];5639 if (worklen <= pad) {5640 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",5641 pad, worklen);5642 return -1;5643 }5644 worklen-=(pad+1);5645 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",5646 pad, worklen);5647 }5648 5649 /* MAC for GenericStreamCipher and GenericBlockCipher.5650 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */5651 if (!mac) {5652 /*5653 * MAC is calculated over the DECRYPTED contents:5654 *5655 * MAC(MAC_write_key, ... + TLSCompressed.fragment);5656 */5657 if (worklen < maclen) {5658 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);5659 return -1;5660 }5661 worklen -= maclen;5662 mac = out_str->data + worklen;5663 mac_frag = out_str->data;5664 mac_fraglen = worklen;5665 }5666 5667 /* If NULL encryption active and no keys are available, do not bother5668 * checking the MAC. We do not have keys for that. */5669 if (decoder->cipher_suite->mode == MODE_STREAM &&5670 decoder->cipher_suite->enc == ENC_NULL0x3D &&5671 !(ssl->state & SSL_MASTER_SECRET(1<<5))) {5672 ssl_debug_printf("MAC check skipped due to missing keys\n");5673 goto skip_mac;5674 }5675 5676 /* Now check the MAC */5677 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",5678 worklen, ssl->session.version, ct, decoder->seq);5679 if(ssl->session.version==SSLV3_VERSION0x300){5680 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {5681 if(ignore_mac_failed) {5682 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");5683 }5684 else{5685 ssl_debug_printf("ssl_decrypt_record: mac failed\n");5686 return -1;5687 }5688 }5689 else{5690 ssl_debug_printf("ssl_decrypt_record: mac ok\n");5691 }5692 }5693 else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){5694 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {5695 if(ignore_mac_failed) {5696 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");5697 }5698 else{5699 ssl_debug_printf("ssl_decrypt_record: mac failed\n");5700 return -1;5701 }5702 }5703 else{5704 ssl_debug_printf("ssl_decrypt_record: mac ok\n");5705 }5706 }5707 else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||5708 ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||5709 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){5710 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */5711 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {5712 ssl_debug_printf("ssl_decrypt_record: mac ok\n");5713 }5714 else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {5715 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");5716 }5717 else if(ignore_mac_failed) {5718 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");5719 }5720 else{5721 ssl_debug_printf("ssl_decrypt_record: mac failed\n");5722 return -1;5723 }5724 }5725skip_mac:5726 5727 *outl = worklen;5728 5729 if (decoder->compression > 0) {5730 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);5731 ssl_data_copy(comp_str, out_str);5732 ssl_print_data("Plaintext compressed", comp_str->data, worklen);5733 if (!decoder->decomp) {5734 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");5735 return -1;5736 }5737 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;5738 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);5739 *outl = uncomplen;5740 }5741 5742 return 0;5743}5744/* Record decryption glue based on security parameters }}} */5745 5746 5747 5748#ifdef HAVE_LIBGNUTLS15749 5750/* RSA private key file processing {{{ */5751static void5752ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,5753 gnutls_datum_t *subjectPublicKeyInfo)5754{5755 gnutls_pubkey_t pubkey = NULL((void*)0);5756 cert_key_id_t key_id;5757 size_t key_id_len = sizeof(key_id);5758 int r;5759 5760 if (!subjectPublicKeyInfo->size) {5761 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC((const char*) (__func__)));5762 return;5763 }5764 5765 r = gnutls_pubkey_init(&pubkey);5766 if (r < 0) {5767 ssl_debug_printf("%s: failed to init pubkey: %s\n",5768 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));5769 return;5770 }5771 5772 r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);5773 if (r < 0) {5774 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",5775 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));5776 goto end;5777 }5778 5779 if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL((void*)0)) != GNUTLS_PK_RSA) {5780 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC((const char*) (__func__)));5781 goto end;5782 }5783 5784 /* Generate a 20-byte SHA-1 hash. */5785 r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);5786 if (r < 0) {5787 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",5788 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));5789 goto end;5790 }5791 5792 if (key_id_len != sizeof(key_id)) {5793 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",5794 G_STRFUNC((const char*) (__func__)), sizeof(key_id), key_id_len);5795 goto end;5796 }5797 5798 ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);5799 ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t)((cert_key_id_t*)wmem_alloc((wmem_file_scope()), sizeof(cert_key_id_t
)));5800 *ssl->cert_key_id = key_id;5801 5802end:5803 gnutls_pubkey_deinit(pubkey);5804}5805 5806/* RSA private key file processing }}} */5807#endif /* HAVE_LIBGNUTLS */5808 5809/*--- Start of dissector-related code below ---*/5810 5811/* get ssl data for this session. if no ssl data is found allocate a new one*/5812SslDecryptSession *5813ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle)5814{5815 void *conv_data;5816 SslDecryptSession *ssl_session;5817 int proto_ssl;5818 5819 proto_ssl = dissector_handle_get_protocol_index(tls_handle);5820 conv_data = conversation_get_proto_data(conversation, proto_ssl);5821 if (conv_data != NULL((void*)0))5822 return (SslDecryptSession *)conv_data;5823 5824 /* no previous SSL conversation info, initialize it. */5825 ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession)((SslDecryptSession*)wmem_alloc0((wmem_file_scope()), sizeof(
SslDecryptSession)));5826 5827 /* data_len is the part that is meaningful, not the allocated length */5828 ssl_session->master_secret.data_len = 0;5829 ssl_session->master_secret.data = ssl_session->_master_secret;5830 ssl_session->session_id.data_len = 0;5831 ssl_session->session_id.data = ssl_session->_session_id;5832 ssl_session->client_random.data_len = 0;5833 ssl_session->client_random.data = ssl_session->_client_random;5834 ssl_session->server_random.data_len = 0;5835 ssl_session->server_random.data = ssl_session->_server_random;5836 ssl_session->session_ticket.data_len = 0;5837 ssl_session->session_ticket.data = NULL((void*)0); /* will be re-alloced as needed */5838 ssl_session->server_data_for_iv.data_len = 0;5839 ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;5840 ssl_session->client_data_for_iv.data_len = 0;5841 ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;5842 ssl_session->app_data_segment.data = NULL((void*)0);5843 ssl_session->app_data_segment.data_len = 0;5844 ssl_session->handshake_data.data=NULL((void*)0);5845 ssl_session->handshake_data.data_len=0;5846 5847 /* Initialize parameters which are not necessary specific to decryption. */5848 ssl_session->session.version = SSL_VER_UNKNOWN0;5849 clear_address(&ssl_session->session.srv_addr);5850 ssl_session->session.srv_ptype = PT_NONE;5851 ssl_session->session.srv_port = 0;5852 ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;5853 ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;5854 5855 conversation_add_proto_data(conversation, proto_ssl, ssl_session);5856 return ssl_session;5857}5858 5859void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool_Bool is_client)5860{5861 if (ssl) {5862 /* Ensure that secrets are not restored using stale identifiers. Split5863 * between client and server in case the packets somehow got out of order. */5864 int clear_flags = SSL_HAVE_SESSION_KEY(1<<3) | SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);5865 5866 if (is_client) {5867 clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);5868 ssl->session_id.data_len = 0;5869 ssl->session_ticket.data_len = 0;5870 ssl->master_secret.data_len = 0;5871 ssl->client_random.data_len = 0;5872 ssl->has_early_data = false0;5873 if (ssl->handshake_data.data_len > 0) {5874 // The EMS handshake hash starts with at the Client Hello,5875 // ensure that any messages before it are forgotten.5876 wmem_free(wmem_file_scope(), ssl->handshake_data.data);5877 ssl->handshake_data.data = NULL((void*)0);5878 ssl->handshake_data.data_len = 0;5879 }5880 } else {5881 clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8) | SSL_NEW_SESSION_TICKET(1<<10);5882 ssl->server_random.data_len = 0;5883 ssl->pre_master_secret.data_len = 0;5884#ifdef HAVE_LIBGNUTLS15885 ssl->cert_key_id = NULL((void*)0);5886#endif5887 ssl->psk.data_len = 0;5888 }5889 5890 if (ssl->state & clear_flags) {5891 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",5892 G_STRFUNC((const char*) (__func__)), ssl->state & clear_flags, is_client ? "client" : "server");5893 ssl->state &= ~clear_flags;5894 }5895 }5896 5897 /* These flags might be used for non-decryption purposes and may affect the5898 * dissection, so reset them as well. */5899 if (is_client) {5900 session->client_cert_type = 0;5901 } else {5902 session->compression = 0;5903 session->server_cert_type = 0;5904 /* session->is_session_resumed is already handled in the ServerHello dissection. */5905 }5906 session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;5907 session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;5908}5909 5910void5911tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,5912 dissector_handle_t app_handle)5913{5914 conversation_t *conversation;5915 SslSession *session;5916 5917 /* Ignore if the TLS or other dissector is disabled. */5918 if (!tls_handle || !app_handle)5919 return;5920 5921 conversation = find_or_create_conversation(pinfo);5922 session = &ssl_get_session(conversation, tls_handle)->session;5923 session->app_handle = app_handle;5924}5925 5926static uint32_t5927ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,5928 dissector_handle_t app_handle, uint32_t last_nontls_frame)5929{5930 conversation_t *conversation;5931 SslSession *session;5932 5933 /* Ignore if the TLS dissector is disabled. */5934 if (!tls_handle)5935 return 0;5936 /* The caller should always pass a valid handle to its own dissector. */5937 DISSECTOR_ASSERT(app_handle)((void) ((app_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5937, "app_handle"))));5938 5939 conversation = find_or_create_conversation(pinfo);5940 session = &ssl_get_session(conversation, tls_handle)->session;5941 5942 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),5943 session->last_nontls_frame,5944 (void *)session->app_handle,5945 dissector_handle_get_dissector_name(session->app_handle));5946 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),5947 pinfo->num, (void *)app_handle,5948 dissector_handle_get_dissector_name(app_handle));5949 5950 /* Do not switch again if a dissector did it before. */5951 if (session->last_nontls_frame) {5952 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC((const char*) (__func__)));5953 return session->last_nontls_frame;5954 }5955 5956 session->app_handle = app_handle;5957 /* The TLS dissector should be called first for this conversation. */5958 conversation_set_dissector(conversation, tls_handle);5959 /* TLS starts after this frame. */5960 session->last_nontls_frame = last_nontls_frame;5961 return 0;5962}5963 5964/* ssl_starttls_ack: mark future frames as encrypted. */5965uint32_t5966ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,5967 dissector_handle_t app_handle)5968{5969 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);5970}5971 5972uint32_t5973ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,5974 dissector_handle_t app_handle)5975{5976 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);5977}5978 5979dissector_handle_t5980ssl_find_appdata_dissector(const char *name)5981{5982 /* Accept 'http' for backwards compatibility and sanity. */5983 if (!strcmp(name, "http"))5984 name = "http-over-tls";5985 return find_dissector(name);5986}5987 5988/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */5989static int5990ssl_equal (const void *v, const void *v2)5991{5992 const StringInfo *val1;5993 const StringInfo *val2;5994 val1 = (const StringInfo *)v;5995 val2 = (const StringInfo *)v2;5996 5997 if (val1->data_len == val2->data_len &&5998 !memcmp(val1->data, val2->data, val2->data_len)) {5999 return 1;6000 }6001 return 0;6002}6003 6004static unsigned6005ssl_hash (const void *v)6006{6007 unsigned l,hash;6008 const StringInfo* id;6009 const unsigned* cur;6010 hash = 0;6011 id = (const StringInfo*) v;6012 6013 /* id and id->data are mallocated in ssl_save_master_key(). As such 'data'6014 * should be aligned for any kind of access (for example as a unsigned as6015 * is done below). The intermediate void* cast is to prevent "cast6016 * increases required alignment of target type" warnings on CPUs (such6017 * as SPARCs) that do not allow misaligned memory accesses.6018 */6019 cur = (const unsigned*)(void*) id->data;6020 6021 for (l=4; (l < id->data_len); l+=4, cur++)6022 hash = hash ^ (*cur);6023 6024 return hash;6025}6026/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */6027 6028/* Handling of association between tls/dtls ports and clear text protocol. {{{ */6029void6030ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)6031{6032 DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6032, "main_handle"))));6033 DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6033, "subdissector_handle"))));6034 /* Registration is required for Export PDU feature to work properly. */6035 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6036, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))6036 "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6036, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))));6037 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);6038 6039 if (port) {6040 dissector_add_uint(dissector_table_name, port, subdissector_handle);6041 if (tcp)6042 dissector_add_uint("tcp.port", port, main_handle);6043 else6044 dissector_add_uint("udp.port", port, main_handle);6045 dissector_add_uint("sctp.port", port, main_handle);6046 } else {6047 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);6048 }6049}6050 6051void6052ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)6053{6054 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",6055 tcp?"TCP":"UDP", port, (void *)subdissector_handle);6056 if (main_handle) {6057 dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);6058 dissector_delete_uint("sctp.port", port, main_handle);6059 }6060 6061 if (port) {6062 dissector_delete_uint(dissector_table_name, port, subdissector_handle);6063 }6064}6065 6066void6067ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)6068{6069 copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);6070 session->srv_ptype = ptype;6071 session->srv_port = port;6072}6073 6074int6075ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)6076{6077 int ret;6078 if (session && session->srv_addr.type != AT_NONE) {6079 ret = (session->srv_ptype == pinfo->ptype) &&6080 (session->srv_port == pinfo->srcport) &&6081 addresses_equal(&session->srv_addr, &pinfo->src);6082 } else {6083 ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);6084 }6085 6086 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");6087 return ret;6088}6089/* Handling of association between tls/dtls ports and clear text protocol. }}} */6090 6091 6092/* Links SSL records with the real packet data. {{{ */6093SslPacketInfo *6094tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)6095{6096 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);6097 if (!pi) {6098 pi = wmem_new0(wmem_file_scope(), SslPacketInfo)((SslPacketInfo*)wmem_alloc0((wmem_file_scope()), sizeof(SslPacketInfo
)));6099 pi->srcport = pinfo->srcport;6100 pi->destport = pinfo->destport;6101 p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);6102 }6103 6104 return pi;6105}6106 6107/**6108 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to6109 * avoid the need for a decoder in the second pass. Additionally, it remembers6110 * sequence numbers (for reassembly and Follow TLS Stream).6111 *6112 * @param proto The protocol identifier (proto_ssl or proto_dtls).6113 * @param pinfo The packet where the record originates from.6114 * @param data Decrypted data to store in the record.6115 * @param data_len Length of decrypted record data.6116 * @param record_id The identifier for this record within the current packet.6117 * @param flow Information about sequence numbers, etc.6118 * @param type TLS Content Type (such as handshake or application_data).6119 * @param curr_layer_num_ssl The layer identifier for this TLS session.6120 */6121void6122ssl_add_record_info(int proto, packet_info *pinfo, const unsigned char *data, int data_len, int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl)6123{6124 SslRecordInfo* rec, **prec;6125 SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);6126 6127 rec = wmem_new(wmem_file_scope(), SslRecordInfo)((SslRecordInfo*)wmem_alloc((wmem_file_scope()), sizeof(SslRecordInfo
)));6128 rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), data, data_len);6129 rec->data_len = data_len;6130 rec->id = record_id;6131 rec->type = type;6132 rec->next = NULL((void*)0);6133 6134 if (flow && type == SSL_ID_APP_DATA) {6135 rec->seq = flow->byte_seq;6136 rec->flow = flow;6137 flow->byte_seq += data_len;6138 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",6139 G_STRFUNC((const char*) (__func__)), rec->seq, rec->seq + data_len, (void*)flow);6140 }6141 6142 /* Remember decrypted records. */6143 prec = &pi->records;6144 while (*prec) prec = &(*prec)->next;6145 *prec = rec;6146}6147 6148/* search in packet data for the specified id; return a newly created tvb for the associated data */6149tvbuff_t*6150ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)6151{6152 SslRecordInfo* rec;6153 SslPacketInfo* pi;6154 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);6155 6156 if (!pi)6157 return NULL((void*)0);6158 6159 for (rec = pi->records; rec; rec = rec->next)6160 if (rec->id == record_id) {6161 *matched_record = rec;6162 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */6163 return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->data_len, rec->data_len);6164 }6165 6166 return NULL((void*)0);6167}6168/* Links SSL records with the real packet data. }}} */6169 6170/* initialize/reset per capture state data (ssl sessions cache). {{{ */6171void6172ssl_common_init(ssl_master_key_map_t *mk_map,6173 StringInfo *decrypted_data, StringInfo *compressed_data)6174{6175 mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);6176 mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);6177 mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);6178 mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);6179 mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);6180 mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);6181 mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);6182 mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);6183 mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);6184 mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);6185 mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);6186 mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);6187 6188 mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);6189 6190 ssl_data_alloc(decrypted_data, 32);6191 ssl_data_alloc(compressed_data, 32);6192}6193 6194void6195ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,6196 StringInfo *decrypted_data, StringInfo *compressed_data)6197{6198 g_hash_table_destroy(mk_map->session);6199 g_hash_table_destroy(mk_map->tickets);6200 g_hash_table_destroy(mk_map->crandom);6201 g_hash_table_destroy(mk_map->pre_master);6202 g_hash_table_destroy(mk_map->pms);6203 g_hash_table_destroy(mk_map->tls13_client_early);6204 g_hash_table_destroy(mk_map->tls13_client_handshake);6205 g_hash_table_destroy(mk_map->tls13_server_handshake);6206 g_hash_table_destroy(mk_map->tls13_client_appdata);6207 g_hash_table_destroy(mk_map->tls13_server_appdata);6208 g_hash_table_destroy(mk_map->tls13_early_exporter);6209 g_hash_table_destroy(mk_map->tls13_exporter);6210 6211 g_hash_table_destroy(mk_map->used_crandom);6212 6213 g_free(decrypted_data->data);6214 g_free(compressed_data->data);6215 6216 /* close the previous keylog file now that the cache are cleared, this6217 * allows the cache to be filled with the full keylog file contents. */6218 if (*ssl_keylog_file) {6219 fclose(*ssl_keylog_file);6220 *ssl_keylog_file = NULL((void*)0);6221 }6222}6223/* }}} */6224 6225/* parse ssl related preferences (private keys and ports association strings) */6226#if defined(HAVE_LIBGNUTLS1)6227/* Load a single RSA key file item from preferences. {{{ */6228void6229ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool_Bool tcp)6230{6231 gnutls_x509_privkey_t x509_priv_key;6232 gnutls_privkey_t priv_key = NULL((void*)0);6233 FILE* fp = NULL((void*)0);6234 int ret;6235 size_t key_id_len = 20;6236 unsigned char *key_id = NULL((void*)0);6237 char *err = NULL((void*)0);6238 dissector_handle_t handle;6239 /* try to load keys file first */6240 fp = ws_fopenfopen(uats->keyfile, "rb");6241 if (!fp) {6242 report_open_failure(uats->keyfile, errno(*__errno_location ()), false0);6243 return;6244 }6245 6246 if ((int)strlen(uats->password) == 0) {6247 x509_priv_key = rsa_load_pem_key(fp, &err);6248 } else {6249 x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);6250 }6251 fclose(fp);6252 6253 if (!x509_priv_key) {6254 if (err) {6255 report_failure("Can't load private key from %s: %s",6256 uats->keyfile, err);6257 g_free(err);6258 } else6259 report_failure("Can't load private key from %s: unknown error",6260 uats->keyfile);6261 return;6262 }6263 if (err) {6264 report_failure("Load of private key from %s \"succeeded\" with error %s",6265 uats->keyfile, err);6266 g_free(err);6267 }6268 6269 gnutls_privkey_init(&priv_key);6270 ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,6271 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);6272 if (ret < 0) {6273 report_failure("Can't convert private key %s: %s",6274 uats->keyfile, gnutls_strerror(ret));6275 goto end;6276 }6277 6278 key_id = (unsigned char *) g_malloc0(key_id_len);6279 ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);6280 if (ret < 0) {6281 report_failure("Can't calculate public key ID for %s: %s",6282 uats->keyfile, gnutls_strerror(ret));6283 goto end;6284 }6285 ssl_print_data("KeyID", key_id, key_id_len);6286 if (key_id_len != 20) {6287 report_failure("Expected Key ID size %u for %s, got %zu", 20,6288 uats->keyfile, key_id_len);6289 goto end;6290 }6291 6292 g_hash_table_replace(key_hash, key_id, priv_key);6293 key_id = NULL((void*)0); /* used in key_hash, do not free. */6294 priv_key = NULL((void*)0);6295 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);6296 6297 handle = ssl_find_appdata_dissector(uats->protocol);6298 if (handle) {6299 /* Port to subprotocol mapping */6300 uint16_t port = 0;6301 if (ws_strtou16(uats->port, NULL((void*)0), &port)) {6302 if (port > 0) {6303 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",6304 port, uats->keyfile, uats->password);6305 6306 ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);6307 }6308 } else {6309 if (strcmp(uats->port, "start_tls"))6310 ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);6311 }6312 }6313 6314end:6315 gnutls_x509_privkey_deinit(x509_priv_key);6316 gnutls_privkey_deinit(priv_key);6317 g_free(key_id);6318}6319/* }}} */6320#endif6321 6322 6323/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */6324/** store a known (pre-)master secret into cache */6325static void6326ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,6327 StringInfo *mk)6328{6329 StringInfo *ht_key, *master_secret;6330 6331 if (key->data_len == 0) {6332 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC((const char*) (__func__)), label);6333 return;6334 }6335 6336 if (mk->data_len == 0) {6337 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",6338 G_STRFUNC((const char*) (__func__)), label);6339 return;6340 }6341 6342 /* ssl_hash() depends on session_ticket->data being aligned for unsigned access6343 * so be careful in changing how it is allocated. */6344 ht_key = ssl_data_clone(key);6345 master_secret = ssl_data_clone(mk);6346 g_hash_table_insert(ht, ht_key, master_secret);6347 6348 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC((const char*) (__func__)), label);6349 ssl_print_string("stored key", ht_key);6350 ssl_print_string("stored (pre-)master secret", master_secret);6351}6352 6353/** restore a (pre-)master secret given some key in the cache */6354static bool_Bool6355ssl_restore_master_key(SslDecryptSession *ssl, const char *label,6356 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key)6357{6358 StringInfo *ms;6359 6360 if (key->data_len == 0) {6361 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",6362 G_STRFUNC((const char*) (__func__)), is_pre_master ? "pre-" : "", label);6363 return false0;6364 }6365 6366 ms = (StringInfo *)g_hash_table_lookup(ht, key);6367 if (!ms) {6368 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC((const char*) (__func__)),6369 is_pre_master ? "pre-" : "", label);6370 return false0;6371 }6372 6373 /* (pre)master secret found, clear knowledge of other keys and set it in the6374 * current conversation */6375 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) |6376 SSL_HAVE_SESSION_KEY(1<<3));6377 if (is_pre_master) {6378 /* unlike master secret, pre-master secret has a variable size (48 for6379 * RSA, varying for PSK) and is therefore not statically allocated */6380 ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),6381 ms->data_len);6382 ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);6383 ssl->state |= SSL_PRE_MASTER_SECRET(1<<6);6384 } else {6385 ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);6386 ssl->state |= SSL_MASTER_SECRET(1<<5);6387 }6388 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC((const char*) (__func__)),6389 is_pre_master ? "pre-" : "", label);6390 ssl_print_string(label, key);6391 ssl_print_string("(pre-)master secret", ms);6392 return true1;6393}6394/* Store/load a known (pre-)master secret from/for this SSL session. }}} */6395 6396/* Should be called when all parameters are ready (after ChangeCipherSpec), and6397 * the decoder should be attempted to be initialized. {{{*/6398void6399ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)6400{6401 if (ssl->session.version == TLSV1DOT3_VERSION0x304) {6402 /* TLS 1.3 implementations only provide secrets derived from the master6403 * secret which are loaded in tls13_change_key. No master secrets can be6404 * loaded here, so just return. */6405 return;6406 }6407 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC((const char*) (__func__)), ssl->state);6408 if (ssl->state & SSL_HAVE_SESSION_KEY(1<<3)) {6409 ssl_debug_printf(" session key already available, nothing to do.\n");6410 return;6411 }6412 if (!(ssl->state & SSL_CIPHER(1<<2))) {6413 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");6414 return;6415 }6416 6417 /* for decryption, there needs to be a master secret (which can be derived6418 * from pre-master secret). If missing, try to pick a master key from cache6419 * (an earlier packet in the capture or key logfile). */6420 if (!(ssl->state & (SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6))) &&6421 !ssl_restore_master_key(ssl, "Session ID", false0,6422 mk_map->session, &ssl->session_id) &&6423 (!ssl->session.is_session_resumed ||6424 !ssl_restore_master_key(ssl, "Session Ticket", false0,6425 mk_map->tickets, &ssl->session_ticket)) &&6426 !ssl_restore_master_key(ssl, "Client Random", false0,6427 mk_map->crandom, &ssl->client_random)) {6428 if (ssl->cipher_suite->enc != ENC_NULL0x3D) {6429 /* how unfortunate, the master secret could not be found */6430 ssl_debug_printf(" Cannot find master secret\n");6431 return;6432 } else {6433 ssl_debug_printf(" Cannot find master secret, continuing anyway "6434 "because of a NULL cipher\n");6435 }6436 }6437 6438 if (ssl_generate_keyring_material(ssl) < 0) {6439 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC((const char*) (__func__)));6440 return;6441 }6442 /* Save Client Random/ Session ID for "SSL Export Session keys" */6443 ssl_save_master_key("Client Random", mk_map->crandom,6444 &ssl->client_random, &ssl->master_secret);6445 ssl_save_master_key("Session ID", mk_map->session,6446 &ssl->session_id, &ssl->master_secret);6447 /* Only save the new secrets if the server sent the ticket. The client6448 * ticket might have become stale. */6449 if (ssl->state & SSL_NEW_SESSION_TICKET(1<<10)) {6450 ssl_save_master_key("Session Ticket", mk_map->tickets,6451 &ssl->session_ticket, &ssl->master_secret);6452 }6453} /* }}} */6454 6455/* Load the traffic key secret from the keylog file. */6456StringInfo *6457tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,6458 bool_Bool is_from_server, TLSRecordType type)6459{6460 GHashTable *key_map;6461 const char *label;6462 6463 if (ssl->session.version != TLSV1DOT3_VERSION0x304 && ssl->session.version != DTLSV1DOT3_VERSION0xfefc) {6464 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC((const char*) (__func__)), ssl->session.version);6465 return NULL((void*)0);6466 }6467 6468 if (ssl->client_random.data_len == 0) {6469 /* May happen if Hello message is missing and Finished is found. */6470 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));6471 return NULL((void*)0);6472 }6473 6474 switch (type) {6475 case TLS_SECRET_0RTT_APP:6476 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6476, "!is_from_server"))));6477 label = "CLIENT_EARLY_TRAFFIC_SECRET";6478 key_map = mk_map->tls13_client_early;6479 break;6480 case TLS_SECRET_HANDSHAKE:6481 if (is_from_server) {6482 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";6483 key_map = mk_map->tls13_server_handshake;6484 } else {6485 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";6486 key_map = mk_map->tls13_client_handshake;6487 }6488 break;6489 case TLS_SECRET_APP:6490 if (is_from_server) {6491 label = "SERVER_TRAFFIC_SECRET_0";6492 key_map = mk_map->tls13_server_appdata;6493 } else {6494 label = "CLIENT_TRAFFIC_SECRET_0";6495 key_map = mk_map->tls13_client_appdata;6496 }6497 break;6498 default:6499 ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c"
, 6499, __func__, "assertion \"not reached\" failed");6500 }6501 6502 /* Transitioning to new keys, mark old ones as unusable. */6503 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC((const char*) (__func__)), ssl->state);6504 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) | SSL_HAVE_SESSION_KEY(1<<3));6505 6506 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);6507 if (!secret) {6508 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC((const char*) (__func__)), label);6509 /* Disable decryption, the keys are invalid. */6510 if (is_from_server) {6511 ssl->server = NULL((void*)0);6512 } else {6513 ssl->client = NULL((void*)0);6514 }6515 return NULL((void*)0);6516 }6517 6518 /* TLS 1.3 secret found, set new keys. */6519 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC((const char*) (__func__)));6520 ssl_print_string("Client Random", &ssl->client_random);6521 ssl_print_string(label, secret);6522 return secret;6523}6524 6525/* Load the new key. */6526void6527tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,6528 bool_Bool is_from_server, TLSRecordType type)6529{6530 if (ssl->state & SSL_QUIC_RECORD_LAYER(1<<13)) {6531 /*6532 * QUIC does not use the TLS record layer for message protection.6533 * The required keys will be extracted later by QUIC.6534 */6535 return;6536 }6537 6538 StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);6539 if (!secret) {6540 return;6541 }6542 6543 if (tls13_generate_keys(ssl, secret, is_from_server)) {6544 /*6545 * Remember the application traffic secret to support Key Update. The6546 * other secrets cannot be used for this purpose, so free them.6547 */6548 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;6549 StringInfo *app_secret = &decoder->app_traffic_secret;6550 if (type == TLS_SECRET_APP) {6551 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),6552 app_secret->data,6553 secret->data_len);6554 ssl_data_set(app_secret, secret->data, secret->data_len);6555 } else {6556 wmem_free(wmem_file_scope(), app_secret->data);6557 app_secret->data = NULL((void*)0);6558 app_secret->data_len = 0;6559 }6560 }6561}6562 6563/**6564 * Update to next application data traffic secret for TLS 1.3. The previous6565 * secret should have been set by tls13_change_key.6566 */6567void6568tls13_key_update(SslDecryptSession *ssl, bool_Bool is_from_server)6569{6570 /* RFC 8446 Section 7.2:6571 * application_traffic_secret_N+1 =6572 * HKDF-Expand-Label(application_traffic_secret_N,6573 * "traffic upd", "", Hash.length)6574 *6575 * Both application_traffic_secret_N are of the same length (Hash.length).6576 */6577 const SslCipherSuite *cipher_suite = ssl->cipher_suite;6578 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;6579 StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL((void*)0);6580 uint8_t tls13_draft_version = ssl->session.tls13_draft_version;6581 6582 if (!cipher_suite || !app_secret || app_secret->data_len == 0) {6583 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC((const char*) (__func__)));6584 return;6585 }6586 6587 /*6588 * Previous traffic secret is available, so find the hash function,6589 * expand the new traffic secret and generate new keys.6590 */6591 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;6592 int hash_algo = ssl_get_digest_by_name(hash_name);6593 const unsigned hash_len = app_secret->data_len;6594 unsigned char *new_secret;6595 const char *label = "traffic upd";6596 if (tls13_draft_version && tls13_draft_version < 20) {6597 label = "application traffic secret";6598 }6599 if (!tls13_hkdf_expand_label(hash_algo, app_secret,6600 tls13_hkdf_label_prefix(ssl),6601 label, hash_len, &new_secret)) {6602 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC((const char*) (__func__)));6603 return;6604 }6605 ssl_data_set(app_secret, new_secret, hash_len);6606 if (tls13_generate_keys(ssl, app_secret, is_from_server)) {6607 /*6608 * Remember the application traffic secret on the new decoder to6609 * support another Key Update.6610 */6611 decoder = is_from_server ? ssl->server : ssl->client;6612 app_secret = &decoder->app_traffic_secret;6613 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),6614 app_secret->data,6615 hash_len);6616 ssl_data_set(app_secret, new_secret, hash_len);6617 }6618 wmem_free(NULL((void*)0), new_secret);6619}6620 6621void6622tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)6623{6624 if (ssl && (ssl->state & SSL_CLIENT_RANDOM(1<<0))) {6625 g_hash_table_add(mk_map->used_crandom, &ssl->client_random);6626 }6627}6628 6629/** SSL keylog file handling. {{{ */6630 6631static GRegex *6632ssl_compile_keyfile_regex(void)6633{6634#define OCTET "(?:[[:xdigit:]]{2})"6635 const char *pattern =6636 "(?:"6637 /* Matches Client Hellos having this Client Random */6638 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "6639 /* Matches first part of encrypted RSA pre-master secret */6640 "|RSA (?<encrypted_pmk>" OCTET "{8}) "6641 /* Pre-Master-Secret is given, it is 48 bytes for RSA,6642 but it can be of any length for DHE */6643 ")(?<pms>" OCTET "+)"6644 "|(?:"6645 /* Matches Server Hellos having a Session ID */6646 "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"6647 /* Matches Client Hellos having this Client Random */6648 "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "6649 /* Master-Secret is given, its length is fixed */6650 ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH)"48" "})"6651 "|(?"6652 /* TLS 1.3 Client Random to Derived Secrets mapping. */6653 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"6654 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"6655 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"6656 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"6657 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"6658 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"6659 "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"6660 ") (?<derived_secret>" OCTET "+)";6661#undef OCTET6662 static GRegex *regex = NULL((void*)0);6663 GError *gerr = NULL((void*)0);6664 6665 if (!regex) {6666 regex = g_regex_new(pattern,6667 (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),6668 G_REGEX_MATCH_ANCHORED, &gerr);6669 if (gerr) {6670 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC((const char*) (__func__)),6671 gerr->message);6672 g_error_free(gerr);6673 regex = NULL((void*)0);6674 }6675 }6676 6677 return regex;6678}6679 6680typedef struct ssl_master_key_match_group {6681 const char *re_group_name;6682 GHashTable *master_key_ht;6683} ssl_master_key_match_group_t;6684 6685void6686tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)6687{6688 ssl_master_key_match_group_t mk_groups[] = {6689 { "encrypted_pmk", mk_map->pre_master },6690 { "session_id", mk_map->session },6691 { "client_random", mk_map->crandom },6692 { "client_random_pms", mk_map->pms },6693 /* TLS 1.3 map from Client Random to derived secret. */6694 { "client_early", mk_map->tls13_client_early },6695 { "client_handshake", mk_map->tls13_client_handshake },6696 { "server_handshake", mk_map->tls13_server_handshake },6697 { "client_appdata", mk_map->tls13_client_appdata },6698 { "server_appdata", mk_map->tls13_server_appdata },6699 { "early_exporter", mk_map->tls13_early_exporter },6700 { "exporter", mk_map->tls13_exporter },6701 };6702 6703 /* The format of the file is a series of records with one of the following formats:6704 * - "RSA xxxx yyyy"6705 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)6706 * Where yyyy is the cleartext pre-master secret (hex-encoded)6707 * (this is the original format introduced with bug 4349)6708 *6709 * - "RSA Session-ID:xxxx Master-Key:yyyy"6710 * Where xxxx is the SSL session ID (hex-encoded)6711 * Where yyyy is the cleartext master secret (hex-encoded)6712 * (added to support openssl s_client Master-Key output)6713 * This is somewhat is a misnomer because there's nothing RSA specific6714 * about this.6715 *6716 * - "PMS_CLIENT_RANDOM xxxx yyyy"6717 * Where xxxx is the client_random from the ClientHello (hex-encoded)6718 * Where yyyy is the cleartext pre-master secret (hex-encoded)6719 * (This format allows SSL connections to be decrypted, if a user can6720 * capture the PMS but could not recover the MS for a specific session6721 * with a SSL Server.)6722 *6723 * - "CLIENT_RANDOM xxxx yyyy"6724 * Where xxxx is the client_random from the ClientHello (hex-encoded)6725 * Where yyyy is the cleartext master secret (hex-encoded)6726 * (This format allows non-RSA SSL connections to be decrypted, i.e.6727 * ECDHE-RSA.)6728 *6729 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"6730 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"6731 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"6732 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"6733 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"6734 * - "EARLY_EXPORTER_SECRET xxxx yyyy"6735 * - "EXPORTER_SECRET xxxx yyyy"6736 * Where xxxx is the client_random from the ClientHello (hex-encoded)6737 * Where yyyy is the secret (hex-encoded) derived from the early,6738 * handshake or master secrets. (This format is introduced with TLS 1.36739 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)6740 */6741 GRegex *regex = ssl_compile_keyfile_regex();6742 if (!regex)6743 return;6744 6745 const char *next_line = (const char *)data;6746 const char *line_end = next_line + datalen;6747 while (next_line && next_line < line_end) {6748 const char *line = next_line;6749 next_line = (const char *)memchr(line, '\n', line_end - line);6750 ssize_t linelen;6751 6752 if (next_line) {6753 linelen = next_line - line;6754 next_line++; /* drop LF */6755 } else {6756 linelen = (ssize_t)(line_end - line);6757 }6758 if (linelen > 0 && line[linelen - 1] == '\r') {6759 linelen--; /* drop CR */6760 }6761 6762 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);6763 GMatchInfo *mi;6764 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {6765 char *hex_key, *hex_pre_ms_or_ms;6766 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));6767 StringInfo *pre_ms_or_ms = NULL((void*)0);6768 GHashTable *ht = NULL((void*)0);6769 6770 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM6771 * otherwise we will use the Master Secret6772 */6773 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");6774 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {6775 g_free(hex_pre_ms_or_ms);6776 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");6777 }6778 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {6779 g_free(hex_pre_ms_or_ms);6780 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");6781 }6782 /* There is always a match, otherwise the regex is wrong. */6783 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 6783, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))));6784 6785 /* convert from hex to bytes and save to hashtable */6786 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));6787 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));6788 g_free(hex_pre_ms_or_ms);6789 6790 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */6791 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {6792 ssl_master_key_match_group_t *g = &mk_groups[i];6793 hex_key = g_match_info_fetch_named(mi, g->re_group_name);6794 if (hex_key && *hex_key) {6795 ssl_debug_printf(" matched %s\n", g->re_group_name);6796 ht = g->master_key_ht;6797 from_hex(key, hex_key, strlen(hex_key));6798 g_free(hex_key);6799 break;6800 }6801 g_free(hex_key);6802 }6803 DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 6803, "ht")))); /* Cannot be reached, or regex is wrong. */6804 6805 g_hash_table_insert(ht, key, pre_ms_or_ms);6806 6807 } else if (linelen > 0 && line[0] != '#') {6808 ssl_debug_printf(" unrecognized line\n");6809 }6810 /* always free match info even if there is no match. */6811 g_match_info_free(mi);6812 }6813}6814 6815void6816ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,6817 const ssl_master_key_map_t *mk_map)6818{6819 /* no need to try if no key log file is configured. */6820 if (!tls_keylog_filename || !*tls_keylog_filename) {6821 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",6822 G_STRFUNC((const char*) (__func__)));6823 return;6824 }6825 6826 /* Validate regexes before even trying to use it. */6827 if (!ssl_compile_keyfile_regex()) {6828 return;6829 }6830 6831 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);6832 6833 /* if the keylog file was deleted/overwritten, re-open it */6834 if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {6835 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));6836 fclose(*keylog_file);6837 *keylog_file = NULL((void*)0);6838 }6839 6840 if (*keylog_file == NULL((void*)0)) {6841 *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");6842 if (!*keylog_file) {6843 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));6844 return;6845 }6846 }6847 6848 for (;;) {6849 char buf[1110], *line;6850 line = fgets(buf, sizeof(buf), *keylog_file);6851 if (!line) {6852 if (feof(*keylog_file)) {6853 /* Ensure that newly appended keys can be read in the future. */6854 clearerr(*keylog_file);6855 } else if (ferror(*keylog_file)) {6856 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));6857 fclose(*keylog_file);6858 *keylog_file = NULL((void*)0);6859 }6860 break;6861 }6862 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));6863 }6864}6865/** SSL keylog file handling. }}} */6866 6867#ifdef SSL_DECRYPT_DEBUG /* {{{ */6868 6869static FILE* ssl_debug_file;6870 6871void6872ssl_set_debug(const char* name)6873{6874 static int debug_file_must_be_closed;6875 int use_stderr;6876 6877 use_stderr = name?(strcmp(name, SSL_DEBUG_USE_STDERR"-") == 0):0;6878 6879 if (debug_file_must_be_closed)6880 fclose(ssl_debug_file);6881 6882 if (use_stderr)6883 ssl_debug_file = stderrstderr;6884 else if (!name || (strcmp(name, "") ==0))6885 ssl_debug_file = NULL((void*)0);6886 else6887 ssl_debug_file = ws_fopenfopen(name, "w");6888 6889 if (!use_stderr && ssl_debug_file)6890 debug_file_must_be_closed = 1;6891 else6892 debug_file_must_be_closed = 0;6893 6894 ssl_debug_printf("Wireshark SSL debug log \n\n");6895#ifdef HAVE_LIBGNUTLS16896 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL((void*)0)));6897#endif6898 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL((void*)0)));6899 ssl_debug_printf("\n");6900}6901 6902void6903ssl_debug_flush(void)6904{6905 if (ssl_debug_file)6906 fflush(ssl_debug_file);6907}6908 6909void6910ssl_debug_printf(const char* fmt, ...)6911{6912 va_list ap;6913 6914 if (!ssl_debug_file)6915 return;6916 6917 va_start(ap, fmt)__builtin_va_start(ap, fmt);6918 vfprintf(ssl_debug_file, fmt, ap);6919 va_end(ap)__builtin_va_end(ap);6920}6921 6922void6923ssl_print_data(const char* name, const unsigned char* data, size_t len)6924{6925 size_t i, j, k;6926 if (!ssl_debug_file)6927 return;6928 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);6929 for (i=0; i<len; i+=16) {6930 fprintf(ssl_debug_file,"| ");6931 for (j=i, k=0; k<16 && j<len; ++j, ++k)6932 fprintf(ssl_debug_file,"%.2x ",data[j]);6933 for (; k<16; ++k)6934 fprintf(ssl_debug_file," ");6935 fputc('|', ssl_debug_file);6936 for (j=i, k=0; k<16 && j<len; ++j, ++k) {6937 unsigned char c = data[j];6938 if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';6939 fputc(c, ssl_debug_file);6940 }6941 for (; k<16; ++k)6942 fputc(' ', ssl_debug_file);6943 fprintf(ssl_debug_file,"|\n");6944 }6945}6946 6947void6948ssl_print_string(const char* name, const StringInfo* data)6949{6950 ssl_print_data(name, data->data, data->data_len);6951}6952#endif /* SSL_DECRYPT_DEBUG }}} */6953 6954/* UAT preferences callbacks. {{{ */6955/* checks for SSL and DTLS UAT key list fields */6956 6957bool_Bool6958ssldecrypt_uat_fld_ip_chk_cb(void* r _U___attribute__((unused)), const char* p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)6959{6960 // This should be removed in favor of Decode As. Make it optional.6961 *err = NULL((void*)0);6962 return true1;6963}6964 6965bool_Bool6966ssldecrypt_uat_fld_port_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)6967{6968 if (!p || strlen(p) == 0u) {6969 // This should be removed in favor of Decode As. Make it optional.6970 *err = NULL((void*)0);6971 return true1;6972 }6973 6974 if (strcmp(p, "start_tls") != 0){6975 uint16_t port;6976 if (!ws_strtou16(p, NULL((void*)0), &port)) {6977 *err = g_strdup("Invalid port given.")g_strdup_inline ("Invalid port given.");6978 return false0;6979 }6980 }6981 6982 *err = NULL((void*)0);6983 return true1;6984}6985 6986bool_Bool6987ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)6988{6989 ws_statb64struct stat st;6990 6991 if (!p || strlen(p) == 0u) {6992 *err = g_strdup("No filename given.")g_strdup_inline ("No filename given.");6993 return false0;6994 } else {6995 if (ws_stat64stat(p, &st) != 0) {6996 *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p)wmem_strdup_printf(((void*)0), "File '%s' does not exist or access is denied."
, p);6997 return false0;6998 }6999 }7000 7001 *err = NULL((void*)0);7002 return true1;7003}7004 7005bool_Bool7006ssldecrypt_uat_fld_password_chk_cb(void *r _U___attribute__((unused)), const char *p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void *u1 _U___attribute__((unused)), const void *u2 _U___attribute__((unused)), char **err)7007{7008#if defined(HAVE_LIBGNUTLS1)7009 ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;7010 FILE *fp = NULL((void*)0);7011 7012 if (p && (strlen(p) > 0u)) {7013 fp = ws_fopenfopen(f->keyfile, "rb");7014 if (fp) {7015 char *msg = NULL((void*)0);7016 gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);7017 if (!priv_key) {7018 fclose(fp);7019 *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg)wmem_strdup_printf(((void*)0), "Could not load PKCS#12 key file: %s"
, msg);7020 g_free(msg);7021 return false0;7022 }7023 g_free(msg);7024 gnutls_x509_privkey_deinit(priv_key);7025 fclose(fp);7026 } else {7027 *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.")wmem_strdup_printf(((void*)0), "Leave this field blank if the keyfile is not PKCS#12."
);7028 return false0;7029 }7030 }7031 7032 *err = NULL((void*)0);7033 return true1;7034#else7035 *err = g_strdup("Cannot load key files, support is not compiled in.")g_strdup_inline ("Cannot load key files, support is not compiled in."
);7036 return false0;7037#endif7038}7039/* UAT preferences callbacks. }}} */7040 7041/** maximum size of ssl_association_info() string */7042#define SSL_ASSOC_MAX_LEN8192 81927043 7044typedef struct ssl_association_info_callback_data7045{7046 char *str;7047 const char *table_protocol;7048} ssl_association_info_callback_data_t;7049 7050/**7051 * callback function used by ssl_association_info() to traverse the SSL associations.7052 */7053static void7054ssl_association_info_(const char *table _U___attribute__((unused)), void *handle, void *user_data)7055{7056 ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;7057 const int l = (const int)strlen(data->str);7058 snprintf(data->str+l, SSL_ASSOC_MAX_LEN8192-l, "'%s' %s\n", dissector_handle_get_description((dissector_handle_t)handle), data->table_protocol);7059}7060 7061/**7062 * @return an information string on the SSL protocol associations. The string has ephemeral lifetime/scope.7063 */7064char*7065ssl_association_info(const char* dissector_table_name, const char* table_protocol)7066{7067 ssl_association_info_callback_data_t data;7068 7069 data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN8192);7070 data.table_protocol = table_protocol;7071 dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);7072 return data.str;7073}7074 7075 7076/** Begin of code related to dissection of wire data. */7077 7078/* Helpers for dissecting Variable-Length Vectors. {{{ */7079bool_Bool7080ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,7081 unsigned offset, unsigned offset_end, uint32_t *ret_length,7082 int hf_length, uint32_t min_value, uint32_t max_value)7083{7084 unsigned veclen_size;7085 uint32_t veclen_value;7086 proto_item *pi;7087 7088 DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value)((void) ((min_value <= max_value) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "min_value" " " "<=" " " "max_value"
" (" "%" "l" "u" " " "<=" " " "%" "l" "u" ")", "epan/dissectors/packet-tls-utils.c"
, 7088, (uint64_t)min_value, (uint64_t)max_value))));7089 if (offset > offset_end) {7090 expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,7091 "Vector offset is past buffer end offset (%u > %u)",7092 offset, offset_end);7093 *ret_length = 0;7094 return false0; /* Cannot read length. */7095 }7096 7097 if (max_value > 0xffffff) {7098 veclen_size = 4;7099 } else if (max_value > 0xffff) {7100 veclen_size = 3;7101 } else if (max_value > 0xff) {7102 veclen_size = 2;7103 } else {7104 veclen_size = 1;7105 }7106 7107 if (offset_end - offset < veclen_size) {7108 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,7109 tvb, offset, offset_end - offset,7110 "No more room for vector of length %u",7111 veclen_size);7112 *ret_length = 0;7113 return false0; /* Cannot read length. */7114 }7115 7116 pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN0x00000000, &veclen_value);7117 offset += veclen_size;7118 7119 if (veclen_value < min_value) {7120 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,7121 "Vector length %u is smaller than minimum %u",7122 veclen_value, min_value);7123 } else if (veclen_value > max_value) {7124 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,7125 "Vector length %u is larger than maximum %u",7126 veclen_value, max_value);7127 }7128 7129 if (offset_end - offset < veclen_value) {7130 expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,7131 "Vector length %u is too large, truncating it to %u",7132 veclen_value, offset_end - offset);7133 *ret_length = offset_end - offset;7134 return false0; /* Length is truncated to avoid overflow. */7135 }7136 7137 *ret_length = veclen_value;7138 return true1; /* Length is OK. */7139}7140 7141bool_Bool7142ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,7143 unsigned offset, unsigned offset_end)7144{7145 if (offset < offset_end) {7146 unsigned trailing = offset_end - offset;7147 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,7148 tvb, offset, trailing,7149 "%u trailing byte%s unprocessed",7150 trailing, plurality(trailing, " was", "s were")((trailing) == 1 ? (" was") : ("s were")));7151 return false0; /* unprocessed data warning */7152 } else if (offset > offset_end) {7153 /*7154 * Returned offset runs past the end. This should not happen and is7155 * possibly a dissector bug.7156 */7157 unsigned excess = offset - offset_end;7158 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,7159 tvb, offset_end, excess,7160 "Dissector processed too much data (%u byte%s)",7161 excess, plurality(excess, "", "s")((excess) == 1 ? ("") : ("s")));7162 return false0; /* overflow error */7163 }7164 7165 return true1; /* OK, offset matches. */7166}7167/** }}} */7168 7169 7170static uint32_t7171ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,7172 proto_tree *tree, uint32_t offset, uint32_t offset_end,7173 uint16_t version, int hf_sig_len, int hf_sig);7174 7175/* change_cipher_spec(20) dissection */7176void7177ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,7178 packet_info *pinfo, proto_tree *tree,7179 uint32_t offset, SslSession *session,7180 bool_Bool is_from_server,7181 const SslDecryptSession *ssl)7182{7183 /*7184 * struct {7185 * enum { change_cipher_spec(1), (255) } type;7186 * } ChangeCipherSpec;7187 */7188 proto_item *ti;7189 proto_item_set_text(tree,7190 "%s Record Layer: %s Protocol: Change Cipher Spec",7191 val_to_str_const(session->version, ssl_version_short_names, "SSL"),7192 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));7193 ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA0x00000000);7194 7195 if (session->version == TLSV1DOT3_VERSION0x304) {7196 /* CCS is a dummy message in TLS 1.3, do not parse it further. */7197 return;7198 }7199 7200 /* Remember frame number of first CCS */7201 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;7202 if (*ccs_frame == 0)7203 *ccs_frame = pinfo->num;7204 7205 /* Use heuristics to detect an abbreviated handshake, assume that missing7206 * ServerHelloDone implies reusing previously negotiating keys. Then when7207 * a Session ID or ticket is present, it must be a resumed session.7208 * Normally this should be done at the Finished message, but that may be7209 * encrypted so we do it here, at the last cleartext message. */7210 if (is_from_server && ssl) {7211 if (session->is_session_resumed) {7212 const char *resumed = NULL((void*)0);7213 if (ssl->session_ticket.data_len) {7214 resumed = "Session Ticket";7215 } else if (ssl->session_id.data_len) {7216 resumed = "Session ID";7217 }7218 if (resumed) {7219 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC((const char*) (__func__)), resumed);7220 } else {7221 /* Can happen if the capture somehow starts in the middle */7222 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC((const char*) (__func__)));7223 }7224 } else {7225 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC((const char*) (__func__)));7226 }7227 }7228 if (is_from_server && session->is_session_resumed)7229 expert_add_info(pinfo, ti, &hf->ei.resumed);7230}7231 7232/** Begin of handshake(22) record dissections */7233 7234/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).7235 * {{{ */7236static void7237tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)7238{7239 uint32_t sighash, hashalg, sigalg;7240 proto_item *ti_sigalg;7241 proto_tree *sigalg_tree;7242 7243 ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,7244 offset, 2, ENC_BIG_ENDIAN0x00000000, &sighash);7245 if (ja4_data) {7246 wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash)((gpointer) (gulong) (sighash)));7247 }7248 7249 sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);7250 7251 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */7252 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,7253 offset, 1, ENC_BIG_ENDIAN0x00000000, &hashalg);7254 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,7255 offset + 1, 1, ENC_BIG_ENDIAN0x00000000, &sigalg);7256 7257 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */7258 if (!try_val_to_str(sighash, tls13_signature_algorithm)) {7259 proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",7260 val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),7261 val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),7262 sighash);7263 }7264} /* }}} */7265 7266/* dissect a list of hash algorithms, return the number of bytes dissected7267 this is used for the signature algorithms extension and for the7268 TLS1.2 certificate request. {{{ */7269static int7270ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,7271 packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)7272{7273 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.17274 * struct {7275 * HashAlgorithm hash;7276 * SignatureAlgorithm signature;7277 * } SignatureAndHashAlgorithm;7278 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;7279 */7280 proto_tree *subtree;7281 proto_item *ti;7282 unsigned sh_alg_length;7283 uint32_t next_offset;7284 7285 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */7286 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,7287 hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX(65535) - 1)) {7288 return offset_end;7289 }7290 offset += 2;7291 next_offset = offset + sh_alg_length;7292 7293 ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,7294 "Signature Hash Algorithms (%u algorithm%s)",7295 sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s")((sh_alg_length / 2) == 1 ? ("") : ("s")));7296 subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);7297 7298 while (offset + 2 <= next_offset) {7299 tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);7300 offset += 2;7301 }7302 7303 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {7304 offset = next_offset;7305 }7306 7307 return offset;7308} /* }}} */7309 7310/* Dissection of DistinguishedName (for CertificateRequest and7311 * certificate_authorities extension). {{{ */7312static uint32_t7313tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,7314 proto_tree *tree, uint32_t offset, uint32_t offset_end)7315{7316 proto_item *ti;7317 proto_tree *subtree;7318 uint32_t dnames_length, next_offset;7319 asn1_ctx_t asn1_ctx;7320 int dnames_count = 100; /* the maximum number of DNs to add to the tree */7321 7322 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */7323 /* DistinguishedName certificate_authorities<0..2^16-1> */7324 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,7325 hf->hf.hs_dnames_len, 0, UINT16_MAX(65535))) {7326 return offset_end;7327 }7328 offset += 2;7329 next_offset = offset + dnames_length;7330 7331 if (dnames_length > 0) {7332 ti = proto_tree_add_none_format(tree,7333 hf->hf.hs_dnames,7334 tvb, offset, dnames_length,7335 "Distinguished Names (%d byte%s)",7336 dnames_length,7337 plurality(dnames_length, "", "s")((dnames_length) == 1 ? ("") : ("s")));7338 subtree = proto_item_add_subtree(ti, hf->ett.dnames);7339 7340 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);7341 7342 while (offset < next_offset) {7343 /* get the length of the current certificate */7344 uint32_t name_length;7345 7346 if (dnames_count-- == 0) {7347 /* stop adding to tree when the list is considered too large7348 * https://gitlab.com/wireshark/wireshark/-/issues/162027349 Note: dnames_count must be set low enough not to hit the7350 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c7351 */7352 ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,7353 tvb, offset, next_offset - offset, ENC_NA0x00000000);7354 proto_item_set_generated(ti);7355 return next_offset;7356 }7357 7358 /* opaque DistinguishedName<1..2^16-1> */7359 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,7360 hf->hf.hs_dname_len, 1, UINT16_MAX(65535))) {7361 return next_offset;7362 }7363 offset += 2;7364 7365 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,7366 subtree, hf->hf.hs_dname);7367 offset += name_length;7368 }7369 }7370 return offset;7371} /* }}} */7372 7373 7374/** TLS Extensions (in Client Hello and Server Hello). {{{ */7375static int7376ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,7377 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)7378{7379 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);7380}7381 7382static int7383ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,7384 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)7385{7386 if (hnd_type == SSL_HND_CLIENT_HELLO) {7387 /*7388 * struct {7389 * SignatureScheme supported_signature_algorithm<2..2^16-2>;7390 * } SignatureSchemeList;7391 */7392 7393 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));7394 } else {7395 asn1_ctx_t asn1_ctx;7396 unsigned pubkey_length, sign_length;7397 7398 /*7399 * struct {7400 * uint32 valid_time;7401 * SignatureScheme expected_cert_verify_algorithm;7402 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;7403 * } Credential;7404 *7405 * struct {7406 * Credential cred;7407 * SignatureScheme algorithm;7408 * opaque signature<0..2^16-1>;7409 * } DelegatedCredential;7410 */7411 7412 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);7413 7414 proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);7415 offset += 4;7416 7417 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));7418 offset += 2;7419 7420 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,7421 hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24((1U << 24) - 1))) {7422 return offset_end;7423 }7424 offset += 3;7425 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);7426 offset += pubkey_length;7427 7428 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));7429 offset += 2;7430 7431 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,7432 hf->hf.hs_cred_signature_len, 1, UINT16_MAX(65535))) {7433 return offset_end;7434 }7435 offset += 2;7436 proto_tree_add_item(tree, hf->hf.hs_cred_signature,7437 tvb, offset, sign_length, ENC_ASCII0x00000000|ENC_NA0x00000000);7438 offset += sign_length;7439 7440 return offset;7441 }7442}7443 7444static int7445ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,7446 packet_info *pinfo, proto_tree *tree,7447 uint32_t offset, uint32_t offset_end,7448 uint8_t hnd_type)7449{7450 7451 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */7452 7453 switch (hnd_type) {7454 case SSL_HND_CLIENT_HELLO: {7455 proto_tree *alps_tree;7456 proto_item *ti;7457 uint32_t next_offset, alps_length, name_length;7458 7459 /*7460 * opaque ProtocolName<1..2^8-1>;7461 * struct {7462 * ProtocolName supported_protocols<2..2^16-1>7463 * } ApplicationSettingsSupport;7464 */7465 7466 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,7467 hf->hf.hs_ext_alps_len, 2, UINT16_MAX(65535))) {7468 return offset_end;7469 }7470 offset += 2;7471 next_offset = offset + alps_length;7472 7473 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,7474 tvb, offset, alps_length, ENC_NA0x00000000);7475 alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);7476 7477 /* Parse list (note missing check for end of vector, ssl_add_vector below7478 * ensures that data is always available.) */7479 while (offset < next_offset) {7480 if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,7481 hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX(255))) {7482 return next_offset;7483 }7484 offset++;7485 7486 proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,7487 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);7488 offset += name_length;7489 }7490 7491 return offset;7492 }7493 case SSL_HND_ENCRYPTED_EXTS:7494/* Opaque blob */7495 proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,7496 tvb, offset, offset_end - offset, ENC_ASCII0x00000000|ENC_NA0x00000000);7497 break;7498 }7499 7500 return offset_end;7501}7502 7503static int7504ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,7505 packet_info *pinfo, proto_tree *tree,7506 uint32_t offset, uint32_t offset_end,7507 uint8_t hnd_type, SslSession *session,7508 bool_Bool is_dtls, ja4_data_t *ja4_data)7509{7510 7511 /* https://tools.ietf.org/html/rfc7301#section-3.17512 * opaque ProtocolName<1..2^8-1>;7513 * struct {7514 * ProtocolName protocol_name_list<2..2^16-1>7515 * } ProtocolNameList;7516 */7517 proto_tree *alpn_tree;7518 proto_item *ti;7519 uint32_t next_offset, alpn_length, name_length;7520 uint8_t *proto_name = NULL((void*)0), *client_proto_name = NULL((void*)0);7521 7522 /* ProtocolName protocol_name_list<2..2^16-1> */7523 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,7524 hf->hf.hs_ext_alpn_len, 2, UINT16_MAX(65535))) {7525 return offset_end;7526 }7527 offset += 2;7528 next_offset = offset + alpn_length;7529 7530 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,7531 tvb, offset, alpn_length, ENC_NA0x00000000);7532 alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);7533 7534 /* Parse list (note missing check for end of vector, ssl_add_vector below7535 * ensures that data is always available.) */7536 while (offset < next_offset) {7537 /* opaque ProtocolName<1..2^8-1> */7538 if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,7539 hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX(255))) {7540 return next_offset;7541 }7542 offset++;7543 7544 proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,7545 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);7546 if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {7547 const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);7548 const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);7549 if ((g_ascii_isprint(alpn_first_char)((g_ascii_table[(guchar) (alpn_first_char)] & G_ASCII_PRINT
) != 0)) && g_ascii_isprint(alpn_last_char)((g_ascii_table[(guchar) (alpn_last_char)] & G_ASCII_PRINT
) != 0)) {7550 wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);7551 }7552 else {7553 wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,7554 alpn_last_char & 0x0F);7555 }7556 }7557 /* Remember first ALPN ProtocolName entry for server. */7558 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {7559 /* '\0'-terminated string for dissector table match and prefix7560 * comparison purposes. */7561 proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,7562 name_length, ENC_ASCII0x00000000);7563 } else if (hnd_type == SSL_HND_CLIENT_HELLO) {7564 client_proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,7565 name_length, ENC_ASCII0x00000000);7566 }7567 offset += name_length;7568 }7569 7570 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain7571 * exactly one "ProtocolName". */7572 if (proto_name) {7573 dissector_handle_t handle;7574 7575 session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);7576 7577 if (is_dtls) {7578 handle = dissector_get_string_handle(dtls_alpn_dissector_table,7579 proto_name);7580 } else {7581 handle = dissector_get_string_handle(ssl_alpn_dissector_table,7582 proto_name);7583 if (handle == NULL((void*)0)) {7584 /* Try prefix matching */7585 for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols)(sizeof (ssl_alpn_prefix_match_protocols) / sizeof ((ssl_alpn_prefix_match_protocols
)[0])); i++) {7586 const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];7587 7588 /* string_string is inappropriate as it compares strings7589 * while "byte strings MUST NOT be truncated" (RFC 7301) */7590 if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)(__builtin_constant_p (alpn_proto->proto_prefix)? __extension__
({ const char * const __str = (proto_name); const char * const
__prefix = (alpn_proto->proto_prefix); gboolean __result =
(0); if (__str == ((void*)0) || __prefix == ((void*)0)) __result
= (g_str_has_prefix) (__str, __prefix); else { const size_t __str_len
= strlen (((__str) + !(__str))); const size_t __prefix_len =
strlen (((__prefix) + !(__prefix))); if (__str_len >= __prefix_len
) __result = memcmp (((__str) + !(__str)), ((__prefix) + !(__prefix
)), __prefix_len) == 0; } __result; }) : (g_str_has_prefix) (
proto_name, alpn_proto->proto_prefix) )) {7591 handle = find_dissector(alpn_proto->dissector_name);7592 break;7593 }7594 }7595 }7596 }7597 if (handle != NULL((void*)0)) {7598 /* ProtocolName match, so set the App data dissector handle.7599 * This may override protocols given via the UAT dialog, but7600 * since the ALPN hint is precise, do it anyway. */7601 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC((const char*) (__func__)),7602 (void *)session->app_handle,7603 (void *)handle,7604 dissector_handle_get_dissector_name(handle));7605 session->app_handle = handle;7606 }7607 } else if (client_proto_name) {7608 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector7609 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.7610 session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);7611 }7612 7613 return offset;7614}7615 7616static int7617ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,7618 packet_info *pinfo, proto_tree *tree,7619 uint32_t offset, uint32_t offset_end)7620{7621 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-37622 * The "extension_data" field of a "next_protocol_negotiation" extension7623 * in a "ServerHello" contains an optional list of protocols advertised7624 * by the server. Protocols are named by opaque, non-empty byte strings7625 * and the list of protocols is serialized as a concatenation of 8-bit,7626 * length prefixed byte strings. Implementations MUST ensure that the7627 * empty string is not included and that no byte strings are truncated.7628 */7629 uint32_t npn_length;7630 proto_tree *npn_tree;7631 7632 /* List is optional, do not add tree if there are no entries. */7633 if (offset == offset_end) {7634 return offset;7635 }7636 7637 npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL((void*)0), "Next Protocol Negotiation");7638 7639 while (offset < offset_end) {7640 /* non-empty, 8-bit length prefixed strings means range 1..255 */7641 if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,7642 hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX(255))) {7643 return offset_end;7644 }7645 offset++;7646 7647 proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,7648 tvb, offset, npn_length, ENC_ASCII0x00000000|ENC_NA0x00000000);7649 offset += npn_length;7650 }7651 7652 return offset;7653}7654 7655static int7656ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,7657 packet_info *pinfo, proto_tree *tree,7658 uint32_t offset, uint32_t offset_end)7659{7660 /* https://tools.ietf.org/html/rfc5746#section-3.27661 * struct {7662 * opaque renegotiated_connection<0..255>;7663 * } RenegotiationInfo;7664 *7665 */7666 proto_tree *reneg_info_tree;7667 uint32_t reneg_info_length;7668 7669 reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL((void*)0), "Renegotiation Info extension");7670 7671 /* opaque renegotiated_connection<0..255> */7672 if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,7673 hf->hf.hs_ext_reneg_info_len, 0, 255)) {7674 return offset_end;7675 }7676 offset++;7677 7678 if (reneg_info_length > 0) {7679 proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA0x00000000);7680 offset += reneg_info_length;7681 }7682 7683 return offset;7684}7685 7686static int7687ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,7688 proto_tree *tree, uint32_t offset, uint32_t offset_end,7689 const char **group_name_out)7690{7691 /* RFC 8446 Section 4.2.87692 * struct {7693 * NamedGroup group;7694 * opaque key_exchange<1..2^16-1>;7695 * } KeyShareEntry;7696 */7697 uint32_t key_exchange_length, group;7698 proto_tree *ks_tree;7699 7700 ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL((void*)0), "Key Share Entry");7701 7702 proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);7703 offset += 2;7704 const char *group_name = val_to_str(group, ssl_extension_curves, "Unknown (%u)");7705 proto_item_append_text(ks_tree, ": Group: %s", group_name);7706 if (group_name_out) {7707 *group_name_out = !IS_GREASE_TLS(group)((((group) & 0x0f0f) == 0x0a0a) && (((group) &
0xff) == (((group)>>8) & 0xff))) ? group_name : NULL((void*)0);7708 }7709 7710 /* opaque key_exchange<1..2^16-1> */7711 if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,7712 hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX(65535))) {7713 return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */7714 }7715 offset += 2;7716 proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);7717 proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);7718 7719 proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA0x00000000);7720 offset += key_exchange_length;7721 7722 return offset;7723}7724 7725static int7726ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,7727 proto_tree *tree, uint32_t offset, uint32_t offset_end,7728 uint8_t hnd_type)7729{7730 proto_tree *key_share_tree;7731 uint32_t next_offset;7732 uint32_t client_shares_length;7733 uint32_t group;7734 const char *group_name = NULL((void*)0);7735 7736 if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */7737 return offset;7738 }7739 7740 key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL((void*)0), "Key Share extension");7741 7742 switch(hnd_type){7743 case SSL_HND_CLIENT_HELLO:7744 /* KeyShareEntry client_shares<0..2^16-1> */7745 if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,7746 hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX(65535))) {7747 return offset_end;7748 }7749 offset += 2;7750 next_offset = offset + client_shares_length;7751 const char *sep = " ";7752 while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */7753 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);7754 if (group_name) {7755 proto_item_append_text(tree, "%s%s", sep, group_name);7756 sep = ", ";7757 }7758 }7759 if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {7760 return next_offset;7761 }7762 break;7763 case SSL_HND_SERVER_HELLO:7764 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);7765 if (group_name) {7766 proto_item_append_text(tree, " %s", group_name);7767 }7768 break;7769 case SSL_HND_HELLO_RETRY_REQUEST:7770 proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);7771 offset += 2;7772 group_name = val_to_str(group, ssl_extension_curves, "Unknown (%u)");7773 proto_item_append_text(tree, " %s", group_name);7774 break;7775 default: /* no default */7776 break;7777 }7778 7779 return offset;7780}7781 7782static int7783ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,7784 proto_tree *tree, uint32_t offset, uint32_t offset_end,7785 uint8_t hnd_type)7786{7787 /* RFC 8446 Section 4.2.117788 * struct {7789 * opaque identity<1..2^16-1>;7790 * uint32 obfuscated_ticket_age;7791 * } PskIdentity;7792 * opaque PskBinderEntry<32..255>;7793 * struct {7794 * select (Handshake.msg_type) {7795 * case client_hello:7796 * PskIdentity identities<7..2^16-1>;7797 * PskBinderEntry binders<33..2^16-1>;7798 * case server_hello:7799 * uint16 selected_identity;7800 * };7801 * } PreSharedKeyExtension;7802 */7803 7804 proto_tree *psk_tree;7805 7806 psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL((void*)0), "Pre-Shared Key extension");7807 7808 switch (hnd_type){7809 case SSL_HND_CLIENT_HELLO: {7810 uint32_t identities_length, identities_end, binders_length;7811 7812 /* PskIdentity identities<7..2^16-1> */7813 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,7814 hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX(65535))) {7815 return offset_end;7816 }7817 offset += 2;7818 identities_end = offset + identities_length;7819 7820 while (offset < identities_end) {7821 uint32_t identity_length;7822 proto_tree *identity_tree;7823 7824 identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL((void*)0), "PSK Identity (");7825 7826 /* opaque identity<1..2^16-1> */7827 if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,7828 hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX(65535))) {7829 return identities_end;7830 }7831 offset += 2;7832 proto_item_append_text(identity_tree, "length: %u)", identity_length);7833 7834 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN0x00000000);7835 offset += identity_length;7836 7837 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);7838 offset += 4;7839 7840 proto_item_set_len(identity_tree, 2 + identity_length + 4);7841 }7842 if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {7843 offset = identities_end;7844 }7845 7846 /* PskBinderEntry binders<33..2^16-1> */7847 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,7848 hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX(65535))) {7849 return offset_end;7850 }7851 offset += 2;7852 7853 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA0x00000000);7854 offset += binders_length;7855 }7856 break;7857 case SSL_HND_SERVER_HELLO: {7858 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);7859 offset += 2;7860 }7861 break;7862 default:7863 break;7864 }7865 7866 return offset;7867}7868 7869static uint32_t7870ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),7871 proto_tree *tree, uint32_t offset, uint32_t offset_end _U___attribute__((unused)),7872 uint8_t hnd_type, SslDecryptSession *ssl)7873{7874 /* RFC 8446 Section 4.2.107875 * struct {} Empty;7876 * struct {7877 * select (Handshake.msg_type) {7878 * case new_session_ticket: uint32 max_early_data_size;7879 * case client_hello: Empty;7880 * case encrypted_extensions: Empty;7881 * };7882 * } EarlyDataIndication;7883 */7884 switch (hnd_type) {7885 case SSL_HND_CLIENT_HELLO:7886 /* Remember that early_data will follow the handshake. */7887 if (ssl) {7888 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC((const char*) (__func__)));7889 ssl->has_early_data = true1;7890 }7891 break;7892 case SSL_HND_NEWSESSION_TICKET:7893 proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);7894 offset += 4;7895 break;7896 default:7897 break;7898 }7899 return offset;7900}7901 7902static uint16_t7903tls_try_get_version(bool_Bool is_dtls, uint16_t version, uint8_t *draft_version)7904{7905 if (draft_version) {7906 *draft_version = 0;7907 }7908 if (!is_dtls) {7909 uint8_t tls13_draft = extract_tls13_draft_version(version);7910 if (tls13_draft != 0) {7911 /* This is TLS 1.3 (a draft version). */7912 if (draft_version) {7913 *draft_version = tls13_draft;7914 }7915 version = TLSV1DOT3_VERSION0x304;7916 }7917 if (version == 0xfb17 || version == 0xfb1a) {7918 /* Unofficial TLS 1.3 draft version for Facebook fizz. */7919 tls13_draft = (uint8_t)version;7920 if (draft_version) {7921 *draft_version = tls13_draft;7922 }7923 version = TLSV1DOT3_VERSION0x304;7924 }7925 }7926 7927 switch (version) {7928 case SSLV3_VERSION0x300:7929 case TLSV1_VERSION0x301:7930 case TLSV1DOT1_VERSION0x302:7931 case TLSV1DOT2_VERSION0x303:7932 case TLSV1DOT3_VERSION0x304:7933 case TLCPV1_VERSION0x101:7934 if (is_dtls)7935 return SSL_VER_UNKNOWN0;7936 break;7937 7938 case DTLSV1DOT0_VERSION0xfeff:7939 case DTLSV1DOT0_OPENSSL_VERSION0x100:7940 case DTLSV1DOT2_VERSION0xfefd:7941 case DTLSV1DOT3_VERSION0xfefc:7942 if (!is_dtls)7943 return SSL_VER_UNKNOWN0;7944 break;7945 7946 default: /* invalid version number */7947 return SSL_VER_UNKNOWN0;7948 }7949 7950 return version;7951}7952 7953static int7954ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,7955 proto_tree *tree, uint32_t offset, uint32_t offset_end,7956 SslSession *session, bool_Bool is_dtls, ja4_data_t *ja4_data)7957{7958 7959 /* RFC 8446 Section 4.2.17960 * struct {7961 * ProtocolVersion versions<2..254>; // ClientHello7962 * } SupportedVersions;7963 * Note that ServerHello and HelloRetryRequest are handled by the caller.7964 */7965 uint32_t versions_length, next_offset;7966 /* ProtocolVersion versions<2..254> */7967 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,7968 hf->hf.hs_ext_supported_versions_len, 2, 254)) {7969 return offset_end;7970 }7971 offset++;7972 next_offset = offset + versions_length;7973 7974 unsigned version;7975 unsigned current_version, lowest_version = SSL_VER_UNKNOWN0;7976 uint8_t draft_version, max_draft_version = 0;7977 const char *sep = " ";7978 while (offset + 2 <= next_offset) {7979 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);7980 offset += 2;7981 7982 if (!IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {7983 proto_item_append_text(tree, "%s%s", sep, val_to_str(version, ssl_versions, "Unknown (0x%04x)"));7984 sep = ", ";7985 }7986 7987 current_version = tls_try_get_version(is_dtls, version, &draft_version);7988 if (session->version == SSL_VER_UNKNOWN0) {7989 if (lowest_version == SSL_VER_UNKNOWN0) {7990 lowest_version = current_version;7991 } else if (current_version != SSL_VER_UNKNOWN0) {7992 if (!is_dtls) {7993 lowest_version = MIN(lowest_version, current_version)(((lowest_version) < (current_version)) ? (lowest_version)
: (current_version));7994 } else {7995 lowest_version = MAX(lowest_version, current_version)(((lowest_version) > (current_version)) ? (lowest_version)
: (current_version));7996 }7997 }7998 }7999 max_draft_version = MAX(draft_version, max_draft_version)(((draft_version) > (max_draft_version)) ? (draft_version)
: (max_draft_version));8000 if (ja4_data && !IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {8001 /* The DTLS version numbers get mapped to "00" for unknown per8002 * JA4 spec, but if JA4 ever does support DTLS we'll probably8003 * need to take the MIN instead of MAX here for DTLS.8004 */8005 ja4_data->max_version = MAX(version, ja4_data->max_version)(((version) > (ja4_data->max_version)) ? (version) : (ja4_data
->max_version));8006 }8007 }8008 if (session->version == SSL_VER_UNKNOWN0 && lowest_version != SSL_VER_UNKNOWN0) {8009 col_set_str(pinfo->cinfo, COL_PROTOCOL,8010 val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));8011 }8012 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {8013 offset = next_offset;8014 }8015 8016 /* XXX remove this when draft 19 support is dropped,8017 * this is only required for early data decryption. */8018 if (max_draft_version) {8019 session->tls13_draft_version = max_draft_version;8020 }8021 8022 return offset;8023}8024 8025static int8026ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,8027 packet_info *pinfo, proto_tree *tree,8028 uint32_t offset, uint32_t offset_end)8029{8030 /* RFC 8446 Section 4.2.28031 * struct {8032 * opaque cookie<1..2^16-1>;8033 * } Cookie;8034 */8035 uint32_t cookie_length;8036 /* opaque cookie<1..2^16-1> */8037 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,8038 hf->hf.hs_ext_cookie_len, 1, UINT16_MAX(65535))) {8039 return offset_end;8040 }8041 offset += 2;8042 8043 proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA0x00000000);8044 offset += cookie_length;8045 8046 return offset;8047}8048 8049static int8050ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,8051 proto_tree *tree, uint32_t offset, uint32_t offset_end)8052{8053 /* RFC 8446 Section 4.2.98054 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;8055 *8056 * struct {8057 * PskKeyExchangeMode ke_modes<1..255>;8058 * } PskKeyExchangeModes;8059 */8060 uint32_t ke_modes_length, next_offset;8061 8062 /* PskKeyExchangeMode ke_modes<1..255> */8063 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,8064 hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {8065 return offset_end;8066 }8067 offset++;8068 next_offset = offset + ke_modes_length;8069 8070 while (offset < next_offset) {8071 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA0x00000000);8072 offset++;8073 }8074 8075 return offset;8076}8077 8078static uint32_t8079ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,8080 proto_tree *tree, uint32_t offset, uint32_t offset_end)8081{8082 /* RFC 8446 Section 4.2.48083 * opaque DistinguishedName<1..2^16-1>;8084 * struct {8085 * DistinguishedName authorities<3..2^16-1>;8086 * } CertificateAuthoritiesExtension;8087 */8088 return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);8089}8090 8091static int8092ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,8093 proto_tree *tree, uint32_t offset, uint32_t offset_end)8094{8095 /* RFC 8446 Section 4.2.58096 * struct {8097 * opaque certificate_extension_oid<1..2^8-1>;8098 * opaque certificate_extension_values<0..2^16-1>;8099 * } OIDFilter;8100 * struct {8101 * OIDFilter filters<0..2^16-1>;8102 * } OIDFilterExtension;8103 */8104 proto_tree *subtree;8105 uint32_t filters_length, oid_length, values_length, value_offset;8106 asn1_ctx_t asn1_ctx;8107 const char *oid, *name;8108 8109 /* OIDFilter filters<0..2^16-1> */8110 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,8111 hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX(65535))) {8112 return offset_end;8113 }8114 offset += 2;8115 offset_end = offset + filters_length;8116 8117 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);8118 8119 while (offset < offset_end) {8120 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,8121 hf->ett.hs_ext_oid_filter, NULL((void*)0), "OID Filter");8122 8123 /* opaque certificate_extension_oid<1..2^8-1> */8124 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,8125 hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX(255))) {8126 return offset_end;8127 }8128 offset++;8129 dissect_ber_object_identifier_str(false0, &asn1_ctx, subtree, tvb, offset,8130 hf->hf.hs_ext_oid_filters_oid, &oid);8131 offset += oid_length;8132 8133 /* Append OID to tree label */8134 name = oid_resolved_from_string(pinfo->pool, oid);8135 proto_item_append_text(subtree, " (%s)", name ? name : oid);8136 8137 /* opaque certificate_extension_values<0..2^16-1> */8138 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,8139 hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX(65535))) {8140 return offset_end;8141 }8142 offset += 2;8143 proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);8144 if (values_length > 0) {8145 value_offset = offset;8146 value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0), NULL((void*)0));8147 value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0));8148 call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL((void*)0));8149 }8150 offset += values_length;8151 }8152 8153 return offset;8154}8155 8156static int8157ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,8158 packet_info *pinfo, proto_tree *tree,8159 uint32_t offset, uint32_t offset_end)8160{8161 /* https://tools.ietf.org/html/rfc6066#section-38162 *8163 * struct {8164 * NameType name_type;8165 * select (name_type) {8166 * case host_name: HostName;8167 * } name;8168 * } ServerName;8169 *8170 * enum {8171 * host_name(0), (255)8172 * } NameType;8173 *8174 * opaque HostName<1..2^16-1>;8175 *8176 * struct {8177 * ServerName server_name_list<1..2^16-1>8178 * } ServerNameList;8179 */8180 proto_tree *server_name_tree;8181 uint32_t list_length, server_name_length, next_offset;8182 8183 /* The server SHALL include "server_name" extension with empty data. */8184 if (offset == offset_end) {8185 return offset;8186 }8187 8188 server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL((void*)0), "Server Name Indication extension");8189 8190 /* ServerName server_name_list<1..2^16-1> */8191 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,8192 hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX(65535))) {8193 return offset_end;8194 }8195 offset += 2;8196 next_offset = offset + list_length;8197 8198 while (offset < next_offset) {8199 uint32_t name_type;8200 const uint8_t *server_name = NULL((void*)0);8201 proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,8202 tvb, offset, 1, ENC_NA0x00000000, &name_type);8203 offset++;8204 8205 /* opaque HostName<1..2^16-1> */8206 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,8207 hf->hf.hs_ext_server_name_len, 1, UINT16_MAX(65535))) {8208 return next_offset;8209 }8210 offset += 2;8211 8212 proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,8213 tvb, offset, server_name_length, ENC_ASCII0x00000000|ENC_NA0x00000000,8214 pinfo->pool, &server_name);8215 offset += server_name_length;8216 // Each type must only occur once, so we don't check for duplicates.8217 if (name_type == 0) {8218 proto_item_append_text(tree, " name=%s", server_name);8219 col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);8220 8221 if (gbl_resolv_flags.handshake_sni_addr_resolution) {8222 // Client Hello: Client (Src) -> Server (Dst)8223 switch (pinfo->dst.type) {8224 case AT_IPv4:8225 if (pinfo->dst.len == sizeof(uint32_t)) {8226 add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false0);8227 }8228 break;8229 case AT_IPv6:8230 if (pinfo->dst.len == sizeof(ws_in6_addr)) {8231 add_ipv6_name(pinfo->dst.data, server_name, false0);8232 }8233 break;8234 }8235 }8236 }8237 }8238 return offset;8239}8240 8241static int8242ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,8243 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)8244{8245 unsigned ext_len = offset_end - offset;8246 if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {8247 tvb_ensure_bytes_exist(tvb, offset, ext_len);8248 /* Save the Session Ticket such that it can be used as identifier for8249 * restoring a previous Master Secret (in ChangeCipherSpec) */8250 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),8251 ssl->session_ticket.data, ext_len);8252 ssl->session_ticket.data_len = ext_len;8253 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);8254 }8255 proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,8256 tvb, offset, ext_len, ENC_NA0x00000000);8257 return offset + ext_len;8258}8259 8260static int8261ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,8262 proto_tree *tree, uint32_t offset, uint32_t offset_end,8263 uint8_t hnd_type, uint16_t ext_type, SslSession *session)8264{8265 uint8_t cert_list_length;8266 uint8_t cert_type;8267 proto_tree *cert_list_tree;8268 proto_item *ti;8269 8270 switch(hnd_type){8271 case SSL_HND_CLIENT_HELLO:8272 cert_list_length = tvb_get_uint8(tvb, offset);8273 proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,8274 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);8275 offset += 1;8276 if (offset_end - offset != (uint32_t)cert_list_length)8277 return offset;8278 8279 ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,8280 cert_list_length, cert_list_length);8281 proto_item_append_text(ti, " (%d)", cert_list_length);8282 8283 /* make this a subtree */8284 cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);8285 8286 /* loop over all point formats */8287 while (cert_list_length > 0)8288 {8289 proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);8290 offset++;8291 cert_list_length--;8292 }8293 break;8294 case SSL_HND_SERVER_HELLO:8295 case SSL_HND_ENCRYPTED_EXTENSIONS:8296 case SSL_HND_CERTIFICATE:8297 cert_type = tvb_get_uint8(tvb, offset);8298 proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);8299 offset += 1;8300 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19) {8301 session->client_cert_type = cert_type;8302 }8303 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20) {8304 session->server_cert_type = cert_type;8305 }8306 break;8307 default: /* no default */8308 break;8309 }8310 8311 return offset;8312}8313 8314static uint32_t8315ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,8316 proto_tree *tree, uint32_t offset, uint32_t offset_end,8317 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))8318{8319 uint32_t compress_certificate_algorithms_length, next_offset;8320 8321 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.08322 * enum {8323 * zlib(1),8324 * brotli(2),8325 * (65535)8326 * } CertificateCompressionAlgorithm;8327 *8328 * struct {8329 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;8330 * } CertificateCompressionAlgorithms;8331 */8332 switch (hnd_type) {8333 case SSL_HND_CLIENT_HELLO:8334 case SSL_HND_CERT_REQUEST:8335 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/8336 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,8337 hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX(255)-1)) {8338 return offset_end;8339 }8340 offset += 1;8341 next_offset = offset + compress_certificate_algorithms_length;8342 8343 while (offset < next_offset) {8344 proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,8345 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);8346 offset += 2;8347 }8348 break;8349 default:8350 break;8351 }8352 8353 return offset;8354}8355 8356static uint32_t8357ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,8358 proto_tree *tree, uint32_t offset, uint32_t offset_end,8359 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))8360{8361 uint32_t key_parameters_length, next_offset;8362 proto_item *p_ti;8363 proto_tree *p_tree;8364 8365 /* RFC 84728366 *8367 * struct {8368 * uint8 major;8369 * uint8 minor;8370 * } TB_ProtocolVersion;8371 *8372 * enum {8373 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)8374 * } TokenBindingKeyParameters;8375 *8376 * struct {8377 * TB_ProtocolVersion token_binding_version;8378 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>8379 * } TokenBindingParameters;8380 */8381 8382 switch (hnd_type) {8383 case SSL_HND_CLIENT_HELLO:8384 case SSL_HND_SERVER_HELLO:8385 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);8386 offset += 1;8387 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);8388 offset += 1;8389 8390 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,8391 hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX(255))) {8392 return offset_end;8393 }8394 offset += 1;8395 next_offset = offset + key_parameters_length;8396 8397 p_ti = proto_tree_add_none_format(tree,8398 hf->hf.hs_ext_token_binding_key_parameters,8399 tvb, offset, key_parameters_length,8400 "Key parameters identifiers (%d identifier%s)",8401 key_parameters_length,8402 plurality(key_parameters_length, "", "s")((key_parameters_length) == 1 ? ("") : ("s")));8403 p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);8404 8405 while (offset < next_offset) {8406 proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,8407 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);8408 offset += 1;8409 }8410 8411 if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {8412 offset = next_offset;8413 }8414 8415 break;8416 default:8417 break;8418 }8419 8420 return offset;8421}8422 8423static uint32_t8424ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,8425 proto_tree *tree, uint32_t offset, uint32_t offset_end,8426 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))8427{8428 bool_Bool use_varint_encoding = true1; // Whether this is draft -27 or newer.8429 uint32_t next_offset;8430 8431 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-188432 *8433 * Note: the following structures are not literally defined in the spec,8434 * they instead use an ASCII diagram.8435 *8436 * struct {8437 * uint16 id;8438 * opaque value<0..2^16-1>;8439 * } TransportParameter; // before draft -278440 * TransportParameter TransportParameters<0..2^16-1>; // before draft -278441 *8442 * struct {8443 * opaque ipv4Address[4];8444 * uint16 ipv4Port;8445 * opaque ipv6Address[16];8446 * uint16 ipv6Port;8447 * opaque connectionId<0..18>;8448 * opaque statelessResetToken[16];8449 * } PreferredAddress;8450 */8451 8452 if (offset_end - offset >= 6 &&8453 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&8454 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {8455 // Assume encoding of Transport Parameters draft -26 or older with at8456 // least one transport parameter that has a valid length.8457 use_varint_encoding = false0;8458 }8459 8460 if (use_varint_encoding) {8461 next_offset = offset_end;8462 } else {8463 uint32_t quic_length;8464 // Assume draft -26 or earlier.8465 /* TransportParameter TransportParameters<0..2^16-1>; */8466 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,8467 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {8468 return offset_end;8469 }8470 offset += 2;8471 next_offset = offset + quic_length;8472 }8473 8474 while (offset < next_offset) {8475 uint64_t parameter_type; /* 62-bit space */8476 uint32_t parameter_length;8477 proto_tree *parameter_tree;8478 uint32_t parameter_end_offset;8479 uint64_t value;8480 uint32_t len = 0, i;8481 8482 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,8483 NULL((void*)0), "Parameter");8484 /* TransportParameter ID and Length. */8485 if (use_varint_encoding) {8486 uint64_t parameter_length64;8487 uint32_t type_len = 0;8488 8489 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,8490 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);8491 offset += type_len;8492 8493 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,8494 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);8495 parameter_length = (uint32_t)parameter_length64;8496 offset += len;8497 8498 proto_item_set_len(parameter_tree, type_len + len + parameter_length);8499 } else {8500 parameter_type = tvb_get_ntohs(tvb, offset);8501 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,8502 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);8503 offset += 2;8504 8505 /* opaque value<0..2^16-1> */8506 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,8507 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {8508 return next_offset;8509 }8510 offset += 2;8511 8512 proto_item_set_len(parameter_tree, 4 + parameter_length);8513 }8514 8515 if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
0) : 0)) {8516 proto_item_append_text(parameter_tree, ": GREASE");8517 } else {8518 proto_item_append_text(parameter_tree, ": %s", val64_to_str(parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));8519 }8520 8521 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);8522 parameter_end_offset = offset + parameter_length;8523 8524 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,8525 tvb, offset, parameter_length, ENC_NA0x00000000);8526 8527 switch (parameter_type) {8528 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:8529 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,8530 tvb, offset, parameter_length, ENC_NA0x00000000);8531 offset += parameter_length;8532 break;8533 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:8534 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,8535 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8536 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);8537 offset += len;8538 break;8539 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:8540 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,8541 tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);8542 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));8543 offset += 16;8544 break;8545 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:8546 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,8547 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8548 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);8549 /*TODO display expert info about invalid value (< 1252 or >65527) ? */8550 offset += len;8551 break;8552 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:8553 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,8554 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8555 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);8556 offset += len;8557 break;8558 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:8559 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,8560 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8561 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);8562 offset += len;8563 break;8564 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:8565 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,8566 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8567 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);8568 offset += len;8569 break;8570 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:8571 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,8572 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8573 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);8574 offset += len;8575 break;8576 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:8577 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,8578 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8579 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);8580 offset += len;8581 break;8582 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:8583 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,8584 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8585 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);8586 offset += len;8587 break;8588 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:8589 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,8590 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);8591 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */8592 offset += len;8593 break;8594 case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:8595 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,8596 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8597 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);8598 offset += len;8599 break;8600 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:8601 /* No Payload */8602 break;8603 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {8604 uint32_t connectionid_length;8605 quic_cid_t cid;8606 8607 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,8608 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);8609 offset += 4;8610 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,8611 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);8612 offset += 2;8613 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,8614 tvb, offset, 16, ENC_NA0x00000000);8615 offset += 16;8616 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,8617 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);8618 offset += 2;8619 8620 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,8621 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {8622 break;8623 }8624 offset += 1;8625 8626 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,8627 tvb, offset, connectionid_length, ENC_NA0x00000000);8628 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {8629 cid.len = connectionid_length;8630 // RFC 9000 5.1.1 "If the preferred_address transport8631 // parameter is sent, the sequence number of the supplied8632 // connection ID is 1."8633 cid.seq_num = 1;8634 // Multipath draft-07 "Also, the Path Identifier for the8635 // connection ID specified in the "preferred address"8636 // transport parameter is 0."8637 cid.path_id = 0;8638 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);8639 quic_add_connection(pinfo, &cid);8640 }8641 offset += connectionid_length;8642 8643 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,8644 tvb, offset, 16, ENC_NA0x00000000);8645 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {8646 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);8647 }8648 offset += 16;8649 }8650 break;8651 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:8652 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,8653 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8654 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);8655 offset += len;8656 break;8657 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:8658 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,8659 tvb, offset, parameter_length, ENC_NA0x00000000);8660 offset += parameter_length;8661 break;8662 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:8663 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,8664 tvb, offset, parameter_length, ENC_NA0x00000000);8665 offset += parameter_length;8666 break;8667 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:8668 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,8669 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8670 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);8671 offset += len;8672 break;8673 case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:8674 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,8675 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8676 proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);8677 offset += len;8678 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,8679 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8680 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);8681 offset += len;8682 break;8683 case SSL_HND_QUIC_TP_LOSS_BITS0x1057:8684 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,8685 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8686 if (len > 0) {8687 quic_add_loss_bits(pinfo, value);8688 }8689 offset += 1;8690 break;8691 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:8692 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:8693 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:8694 case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:8695 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,8696 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8697 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);8698 offset += len;8699 break;8700 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:8701 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,8702 tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);8703 offset += parameter_length;8704 break;8705 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:8706 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,8707 tvb, offset, parameter_length, ENC_NA0x00000000);8708 offset += parameter_length;8709 break;8710 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:8711 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,8712 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);8713 offset += 4;8714 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */8715 uint32_t versions_length;8716 8717 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,8718 tvb, offset, 1, ENC_NA0x00000000, &versions_length);8719 offset += 1;8720 for (i = 0; i < versions_length / 4; i++) {8721 quic_proto_tree_add_version(tvb, parameter_tree,8722 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);8723 offset += 4;8724 }8725 }8726 break;8727 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:8728 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,8729 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8730 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);8731 offset += len;8732 break;8733 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:8734 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,8735 tvb, offset, parameter_length, ENC_NA0x00000000);8736 offset += parameter_length;8737 break;8738 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:8739 /* This field was used for non-standard Google-specific parameters encoded as a8740 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual8741 * parameters. Report it as a bytes blob... */8742 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,8743 tvb, offset, parameter_length, ENC_NA0x00000000);8744 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */8745 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,8746 tvb, offset, 4, ENC_NA0x00000000);8747 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);8748 offset += parameter_length;8749 break;8750 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:8751 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,8752 tvb, offset, parameter_length, ENC_NA0x00000000);8753 offset += parameter_length;8754 break;8755 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:8756 /* No Payload */8757 break;8758 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:8759 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,8760 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8761 offset += parameter_length;8762 break;8763 case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:8764 quic_proto_tree_add_version(tvb, parameter_tree,8765 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);8766 offset += 4;8767 for (i = 4; i < parameter_length; i += 4) {8768 quic_proto_tree_add_version(tvb, parameter_tree,8769 hf->hf.hs_ext_quictp_parameter_other_version, offset);8770 offset += 4;8771 }8772 break;8773 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:8774 /* No Payload */8775 quic_add_grease_quic_bit(pinfo);8776 break;8777 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:8778 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,8779 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8780 offset += parameter_length;8781 break;8782 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:8783 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,8784 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8785 if (value == 1) {8786 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);8787 }8788 offset += parameter_length;8789 break;8790 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:8791 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:8792 /* No Payload */8793 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);8794 break;8795 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:8796 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,8797 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8798 if (value > 1) {8799 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);8800 }8801 /* multipath draft-07: "The value of the initial_max_paths8802 * parameter MUST be at least 2." TODO: Expert Info? */8803 offset += parameter_length;8804 break;8805 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d09:8806 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,8807 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);8808 if (value > 1) {8809 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);8810 }8811 offset += parameter_length;8812 break;8813 default:8814 offset += parameter_length;8815 /*TODO display expert info about unknown ? */8816 break;8817 }8818 8819 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {8820 /* Dissection did not end at expected location, fix it. */8821 offset = parameter_end_offset;8822 }8823 }8824 8825 return offset;8826}8827 8828static int8829ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb,8830 proto_tree *tree, uint32_t offset,8831 SslSession *session, SslDecryptSession *ssl,8832 bool_Bool from_server, bool_Bool is_hrr)8833{8834 uint8_t sessid_length;8835 proto_tree *rnd_tree;8836 proto_tree *ti_rnd;8837 uint8_t draft_version = session->tls13_draft_version;8838 8839 if (ssl) {8840 StringInfo *rnd;8841 if (from_server)8842 rnd = &ssl->server_random;8843 else8844 rnd = &ssl->client_random;8845 8846 /* save provided random for later keyring generation */8847 tvb_memcpy(tvb, rnd->data, offset, 32);8848 rnd->data_len = 32;8849 if (from_server)8850 ssl->state |= SSL_SERVER_RANDOM(1<<1);8851 else8852 ssl->state |= SSL_CLIENT_RANDOM(1<<0);8853 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)),8854 from_server ? "SERVER" : "CLIENT", ssl->state);8855 }8856 8857 ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA0x00000000);8858 8859 if ((session->version != TLSV1DOT3_VERSION0x304) && (session->version != DTLSV1DOT3_VERSION0xfefc)) { /* No time on first bytes random with TLS 1.3 */8860 8861 rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);8862 /* show the time */8863 proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,8864 tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_BIG_ENDIAN0x00000000);8865 offset += 4;8866 8867 /* show the random bytes */8868 proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,8869 tvb, offset, 28, ENC_NA0x00000000);8870 offset += 28;8871 } else {8872 if (is_hrr) {8873 proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");8874 }8875 8876 offset += 32;8877 }8878 8879 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */8880 if (from_server == 0 || !(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {8881 /* show the session id (length followed by actual Session ID) */8882 sessid_length = tvb_get_uint8(tvb, offset);8883 proto_tree_add_item(tree, hf->hf.hs_session_id_len,8884 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);8885 offset++;8886 8887 if (ssl) {8888 /* save the authoritative SID for later use in ChangeCipherSpec.8889 * (D)TLS restricts the SID to 32 chars, it does not make sense to8890 * save more, so ignore larger ones. */8891 if (from_server && sessid_length <= 32) {8892 tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);8893 ssl->session_id.data_len = sessid_length;8894 }8895 }8896 if (sessid_length > 0) {8897 proto_tree_add_item(tree, hf->hf.hs_session_id,8898 tvb, offset, sessid_length, ENC_NA0x00000000);8899 offset += sessid_length;8900 }8901 }8902 8903 return offset;8904}8905 8906static int8907ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,8908 proto_tree *tree, uint32_t offset, uint32_t offset_end,8909 bool_Bool has_length)8910{8911 /* TLS 1.2/1.3 status_request Client Hello Extension.8912 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.8913 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)8914 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)8915 * struct {8916 * CertificateStatusType status_type;8917 * uint16 request_length; // for status_request_v28918 * select (status_type) {8919 * case ocsp: OCSPStatusRequest;8920 * case ocsp_multi: OCSPStatusRequest;8921 * } request;8922 * } CertificateStatusRequest; // CertificateStatusRequestItemV28923 *8924 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;8925 * struct {8926 * ResponderID responder_id_list<0..2^16-1>;8927 * Extensions request_extensions;8928 * } OCSPStatusRequest;8929 * opaque ResponderID<1..2^16-1>;8930 * opaque Extensions<0..2^16-1>;8931 */8932 unsigned cert_status_type;8933 8934 cert_status_type = tvb_get_uint8(tvb, offset);8935 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,8936 tvb, offset, 1, ENC_NA0x00000000);8937 offset++;8938 8939 if (has_length) {8940 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,8941 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);8942 offset += 2;8943 }8944 8945 switch (cert_status_type) {8946 case SSL_HND_CERT_STATUS_TYPE_OCSP1:8947 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:8948 {8949 uint32_t responder_id_list_len;8950 uint32_t request_extensions_len;8951 8952 /* ResponderID responder_id_list<0..2^16-1> */8953 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,8954 hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX(65535))) {8955 return offset_end;8956 }8957 offset += 2;8958 if (responder_id_list_len != 0) {8959 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,8960 tvb, offset, responder_id_list_len,8961 "Responder ID list is not implemented, contact Wireshark"8962 " developers if you want this to be supported");8963 }8964 offset += responder_id_list_len;8965 8966 /* opaque Extensions<0..2^16-1> */8967 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,8968 hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX(65535))) {8969 return offset_end;8970 }8971 offset += 2;8972 if (request_extensions_len != 0) {8973 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,8974 tvb, offset, request_extensions_len,8975 "Request Extensions are not implemented, contact"8976 " Wireshark developers if you want this to be supported");8977 }8978 offset += request_extensions_len;8979 break;8980 }8981 }8982 8983 return offset;8984}8985 8986static unsigned8987ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,8988 proto_tree *tree, uint32_t offset, uint32_t offset_end)8989{8990 /* https://tools.ietf.org/html/rfc6961#section-2.28991 * struct {8992 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;8993 * } CertificateStatusRequestListV2;8994 */8995 uint32_t req_list_length, next_offset;8996 8997 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */8998 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,8999 hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX(65535))) {9000 return offset_end;9001 }9002 offset += 2;9003 next_offset = offset + req_list_length;9004 9005 while (offset < next_offset) {9006 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true1);9007 }9008 9009 return offset;9010}9011 9012static uint32_t9013tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,9014 uint32_t offset, uint32_t offset_end)9015{9016 uint32_t response_length;9017 proto_item *ocsp_resp;9018 proto_tree *ocsp_resp_tree;9019 asn1_ctx_t asn1_ctx;9020 9021 /* opaque OCSPResponse<1..2^24-1>; */9022 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,9023 hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24((1U << 24) - 1))) {9024 return offset_end;9025 }9026 offset += 3;9027 9028 ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,9029 response_length, ENC_BIG_ENDIAN0x00000000);9030 proto_item_set_text(ocsp_resp, "OCSP Response");9031 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);9032 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {9033 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);9034 dissect_ocsp_OCSPResponse(false0, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);9035 }9036 offset += response_length;9037 9038 return offset;9039}9040 9041uint32_t9042tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,9043 proto_tree *tree, uint32_t offset, uint32_t offset_end)9044{9045 /* TLS 1.2 "CertificateStatus" handshake message.9046 * TLS 1.3 "status_request" Certificate extension.9047 * struct {9048 * CertificateStatusType status_type;9049 * select (status_type) {9050 * case ocsp: OCSPResponse;9051 * case ocsp_multi: OCSPResponseList; // status_request_v29052 * } response;9053 * } CertificateStatus;9054 * opaque OCSPResponse<1..2^24-1>;9055 * struct {9056 * OCSPResponse ocsp_response_list<1..2^24-1>;9057 * } OCSPResponseList; // status_request_v29058 */9059 uint32_t status_type, resp_list_length, next_offset;9060 9061 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,9062 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &status_type);9063 offset += 1;9064 9065 switch (status_type) {9066 case SSL_HND_CERT_STATUS_TYPE_OCSP1:9067 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);9068 break;9069 9070 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:9071 /* OCSPResponse ocsp_response_list<1..2^24-1> */9072 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,9073 hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24((1U << 24) - 1))) {9074 return offset_end;9075 }9076 offset += 3;9077 next_offset = offset + resp_list_length;9078 9079 while (offset < next_offset) {9080 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);9081 }9082 break;9083 }9084 9085 return offset;9086}9087 9088static unsigned9089ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,9090 proto_tree *tree, uint32_t offset, uint32_t offset_end,9091 wmem_strbuf_t *ja3)9092{9093 /* RFC 8446 Section 4.2.79094 * enum { ..., (0xFFFF) } NamedGroup;9095 * struct {9096 * NamedGroup named_group_list<2..2^16-1>9097 * } NamedGroupList;9098 *9099 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and9100 * the extension itself from "elliptic_curves" to "supported_groups".9101 */9102 uint32_t groups_length, next_offset;9103 proto_tree *groups_tree;9104 proto_item *ti;9105 char *ja3_dash = "";9106 9107 /* NamedGroup named_group_list<2..2^16-1> */9108 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,9109 hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX(65535))) {9110 return offset_end;9111 }9112 offset += 2;9113 next_offset = offset + groups_length;9114 9115 ti = proto_tree_add_none_format(tree,9116 hf->hf.hs_ext_supported_groups,9117 tvb, offset, groups_length,9118 "Supported Groups (%d group%s)",9119 groups_length / 2,9120 plurality(groups_length/2, "", "s")((groups_length/2) == 1 ? ("") : ("s")));9121 9122 /* make this a subtree */9123 groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);9124 9125 if (ja3) {9126 wmem_strbuf_append_c(ja3, ',');9127 }9128 /* loop over all groups */9129 while (offset + 2 <= offset_end) {9130 uint32_t ext_supported_group;9131 9132 proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,9133 ENC_BIG_ENDIAN0x00000000, &ext_supported_group);9134 offset += 2;9135 if (ja3 && !IS_GREASE_TLS(ext_supported_group)((((ext_supported_group) & 0x0f0f) == 0x0a0a) && (
((ext_supported_group) & 0xff) == (((ext_supported_group)
>>8) & 0xff)))) {9136 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);9137 ja3_dash = "-";9138 }9139 }9140 if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {9141 offset = next_offset;9142 }9143 9144 return offset;9145}9146 9147static int9148ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,9149 proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)9150{9151 uint8_t ecpf_length;9152 proto_tree *ecpf_tree;9153 proto_item *ti;9154 9155 ecpf_length = tvb_get_uint8(tvb, offset);9156 proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,9157 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);9158 9159 offset += 1;9160 ti = proto_tree_add_none_format(tree,9161 hf->hf.hs_ext_ec_point_formats,9162 tvb, offset, ecpf_length,9163 "Elliptic curves point formats (%d)",9164 ecpf_length);9165 9166 /* make this a subtree */9167 ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);9168 9169 if (ja3) {9170 wmem_strbuf_append_c(ja3, ',');9171 }9172 9173 /* loop over all point formats */9174 while (ecpf_length > 0)9175 {9176 uint32_t ext_ec_point_format;9177 9178 proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,9179 ENC_BIG_ENDIAN0x00000000, &ext_ec_point_format);9180 offset++;9181 ecpf_length--;9182 if (ja3) {9183 wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);9184 if (ecpf_length > 0) {9185 wmem_strbuf_append_c(ja3, '-');9186 }9187 }9188 }9189 9190 return offset;9191}9192 9193static int9194ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,9195 packet_info *pinfo, proto_tree *tree,9196 uint32_t offset, uint32_t next_offset)9197{9198 /* https://tools.ietf.org/html/rfc5054#section-2.8.19199 * opaque srp_I<1..2^8-1>;9200 */9201 uint32_t username_len;9202 9203 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,9204 hf->hf.hs_ext_srp_len, 1, UINT8_MAX(255))) {9205 return next_offset;9206 }9207 offset++;9208 9209 proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,9210 tvb, offset, username_len, ENC_UTF_80x00000002|ENC_NA0x00000000);9211 offset += username_len;9212 9213 return offset;9214}9215 9216static uint32_t9217tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,9218 uint32_t offset, uint32_t offset_end, uint16_t version)9219{9220 /* https://tools.ietf.org/html/rfc6962#section-3.29221 * enum { v1(0), (255) } Version;9222 * struct {9223 * opaque key_id[32];9224 * } LogID;9225 * opaque CtExtensions<0..2^16-1>;9226 * struct {9227 * Version sct_version;9228 * LogID id;9229 * uint64 timestamp;9230 * CtExtensions extensions;9231 * digitally-signed struct { ... };9232 * } SignedCertificateTimestamp;9233 */9234 uint32_t sct_version;9235 uint64_t sct_timestamp_ms;9236 nstime_t sct_timestamp;9237 uint32_t exts_len;9238 const char *log_name;9239 9240 proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA0x00000000, &sct_version);9241 offset++;9242 if (sct_version != 0) {9243 // TODO expert info about unknown SCT version?9244 return offset;9245 }9246 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN0x00000000);9247 log_name = bytesval_to_str(tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");9248 proto_item_append_text(tree, " (%s)", log_name);9249 offset += 32;9250 sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);9251 sct_timestamp.secs = (time_t)(sct_timestamp_ms / 1000);9252 sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);9253 proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);9254 offset += 8;9255 /* opaque CtExtensions<0..2^16-1> */9256 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,9257 hf->hf.sct_sct_extensions_length, 0, UINT16_MAX(65535))) {9258 return offset_end;9259 }9260 offset += 2;9261 if (exts_len > 0) {9262 proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN0x00000000);9263 offset += exts_len;9264 }9265 offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,9266 hf->hf.sct_sct_signature_length,9267 hf->hf.sct_sct_signature);9268 return offset;9269}9270 9271uint32_t9272tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,9273 uint32_t offset, uint32_t offset_end, uint16_t version)9274{9275 /* https://tools.ietf.org/html/rfc6962#section-3.39276 * opaque SerializedSCT<1..2^16-1>;9277 * struct {9278 * SerializedSCT sct_list <1..2^16-1>;9279 * } SignedCertificateTimestampList;9280 */9281 uint32_t list_length, sct_length, next_offset;9282 proto_tree *subtree;9283 9284 /* SerializedSCT sct_list <1..2^16-1> */9285 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,9286 hf->hf.sct_scts_length, 1, UINT16_MAX(65535))) {9287 return offset_end;9288 }9289 offset += 2;9290 9291 while (offset < offset_end) {9292 subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL((void*)0), "Signed Certificate Timestamp");9293 9294 /* opaque SerializedSCT<1..2^16-1> */9295 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,9296 hf->hf.sct_sct_length, 1, UINT16_MAX(65535))) {9297 return offset_end;9298 }9299 offset += 2;9300 next_offset = offset + sct_length;9301 proto_item_set_len(subtree, 2 + sct_length);9302 offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);9303 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {9304 offset = next_offset;9305 }9306 }9307 9308 return offset;9309}9310 9311static int9312dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),9313 proto_tree *tree, uint32_t offset)9314{9315 uint32_t kdf_id, aead_id;9316 proto_item *cs_ti;9317 proto_tree *cs_tree;9318 9319 cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,9320 tvb, offset, 4, ENC_NA0x00000000);9321 cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);9322 9323 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,9324 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &kdf_id);9325 offset += 2;9326 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,9327 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &aead_id);9328 offset += 2;9329 9330 proto_item_append_text(cs_ti, ": %s/%s",9331 val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),9332 val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));9333 return offset;9334}9335 9336static int9337dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,9338 proto_tree *tree, uint32_t offset, uint32_t offset_end,9339 uint32_t *config_id)9340{9341 uint32_t length, cipher_suite_length;9342 proto_item *kc_ti, *css_ti;9343 proto_tree *kc_tree, *css_tree;9344 uint32_t original_offset = offset, next_offset;9345 9346 kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,9347 tvb, offset, -1, ENC_NA0x00000000);9348 kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);9349 9350 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,9351 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, config_id);9352 offset += 1;9353 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,9354 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);9355 offset += 2;9356 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,9357 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);9358 offset += 2;9359 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,9360 tvb, offset, length, ENC_NA0x00000000);9361 offset += length;9362 9363 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */9364 if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,9365 hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX(65535) - 3)) {9366 return offset_end;9367 }9368 offset += 2;9369 next_offset = offset + cipher_suite_length;9370 9371 css_ti = proto_tree_add_none_format(kc_tree,9372 hf->hf.ech_hpke_keyconfig_cipher_suites,9373 tvb, offset, cipher_suite_length,9374 "Cipher Suites (%d suite%s)",9375 cipher_suite_length / 4,9376 plurality(cipher_suite_length / 4, "", "s")((cipher_suite_length / 4) == 1 ? ("") : ("s")));9377 css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);9378 9379 9380 while (offset + 4 <= next_offset) {9381 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);9382 }9383 9384 if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {9385 offset = next_offset;9386 }9387 9388 proto_item_set_len(kc_ti, offset - original_offset);9389 9390 return offset;9391}9392 9393static int9394dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,9395 proto_tree *tree, uint32_t offset, uint32_t offset_end,9396 const uint8_t **public_name, uint32_t *config_id)9397{9398 uint32_t public_name_length, extensions_length, next_offset;9399 9400 offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);9401 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,9402 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);9403 offset += 1;9404 proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,9405 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &public_name_length);9406 offset += 1;9407 proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,9408 tvb, offset, public_name_length, ENC_ASCII0x00000000, pinfo->pool, public_name);9409 offset += public_name_length;9410 9411 /* Extension extensions<0..2^16-1>; */9412 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,9413 hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX(65535))) {9414 return offset_end;9415 }9416 offset += 2;9417 next_offset = offset + extensions_length;9418 9419 if (extensions_length > 0) {9420 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,9421 tvb, offset, extensions_length, ENC_NA0x00000000);9422 }9423 offset += extensions_length;9424 9425 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {9426 offset = next_offset;9427 }9428 9429 return offset;9430}9431 9432static int9433dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,9434 proto_tree *tree, uint32_t offset, uint32_t offset_end)9435{9436 uint32_t version, length;9437 proto_item *ech_ti;9438 proto_tree *ech_tree;9439 const uint8_t *public_name = NULL((void*)0);9440 uint32_t config_id = 0;9441 9442 ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA0x00000000);9443 ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);9444 9445 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,9446 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);9447 offset += 2;9448 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,9449 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);9450 offset += 2;9451 9452 proto_item_set_len(ech_ti, 4 + length);9453 9454 switch(version) {9455 case 0xfe0d:9456 dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);9457 proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);9458 break;9459 9460 default:9461 expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);9462 }9463 9464 return 4 + length;9465}9466 9467uint32_t9468ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,9469 proto_tree *tree, uint32_t offset, uint32_t offset_end)9470{9471 uint32_t echconfiglist_length, next_offset;9472 9473 /* ECHConfig ECHConfigList<1..2^16-1>; */9474 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,9475 hf->hf.ech_echconfiglist_length, 1, UINT16_MAX(65535))) {9476 return offset_end;9477 }9478 offset += 2;9479 next_offset = offset + echconfiglist_length;9480 9481 while (offset < next_offset) {9482 offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);9483 }9484 9485 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {9486 offset = next_offset;9487 }9488 9489 return offset;9490}9491 9492static uint32_t9493ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb _U___attribute__((unused)), packet_info *pinfo,9494 proto_tree *tree, uint32_t offset, uint32_t offset_end,9495 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))9496{9497 uint32_t ch_type, length;9498 proto_item *retry_ti;9499 proto_tree *retry_tree;9500 9501 switch (hnd_type) {9502 case SSL_HND_CLIENT_HELLO:9503 /*9504 * enum { outer(0), inner(1) } ECHClientHelloType;9505 *9506 * struct {9507 * ECHClientHelloType type;9508 * select (ECHClientHello.type) {9509 * case outer:9510 * HpkeSymmetricCipherSuite cipher_suite;9511 * uint8 config_id;9512 * opaque enc<0..2^16-1>;9513 * opaque payload<1..2^16-1>;9514 * case inner:9515 * Empty;9516 * };9517 * } ECHClientHello;9518 */9519 9520 proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &ch_type);9521 offset += 1;9522 switch (ch_type) {9523 case 0: /* outer */9524 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);9525 9526 proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);9527 offset += 1;9528 proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);9529 offset += 2;9530 proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA0x00000000);9531 offset += length;9532 proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);9533 offset += 2;9534 proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA0x00000000);9535 offset += length;9536 break;9537 case 1: /* inner */9538 /* We will never be here, unless we are going to have support9539 for extracting the ephemeral secrets from endpoints */9540 break; /* Nothing to do, data is encrypted */9541 }9542 break;9543 9544 case SSL_HND_ENCRYPTED_EXTENSIONS:9545 /*9546 * struct {9547 * ECHConfigList retry_configs;9548 * } ECHEncryptedExtensions;9549 */9550 9551 retry_ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA0x00000000);9552 retry_tree = proto_item_add_subtree(retry_ti, hf->ett.ech_retry_configs);9553 offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);9554 break;9555 9556 case SSL_HND_HELLO_RETRY_REQUEST:9557 /*9558 * struct {9559 * opaque confirmation[8];9560 * } ECHHelloRetryRequest;9561 */9562 9563 proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA0x00000000);9564 offset += 8;9565 break;9566 }9567 9568 return offset;9569}9570 9571static uint32_t9572ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,9573 proto_tree *tree, uint32_t offset, uint32_t offset_end,9574 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))9575{9576 uint32_t record_digest_length, encrypted_sni_length;9577 9578 switch (hnd_type) {9579 case SSL_HND_CLIENT_HELLO:9580 /*9581 * struct {9582 * CipherSuite suite;9583 * KeyShareEntry key_share;9584 * opaque record_digest<0..2^16-1>;9585 * opaque encrypted_sni<0..2^16-1>;9586 * } ClientEncryptedSNI;9587 */9588 proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);9589 offset += 2;9590 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL((void*)0));9591 9592 /* opaque record_digest<0..2^16-1> */9593 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,9594 hf->hf.esni_record_digest_length, 0, UINT16_MAX(65535))) {9595 return offset_end;9596 }9597 offset += 2;9598 if (record_digest_length > 0) {9599 proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA0x00000000);9600 offset += record_digest_length;9601 }9602 9603 /* opaque encrypted_sni<0..2^16-1> */9604 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,9605 hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX(65535))) {9606 return offset_end;9607 }9608 offset += 2;9609 if (encrypted_sni_length > 0) {9610 proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA0x00000000);9611 offset += encrypted_sni_length;9612 }9613 break;9614 9615 case SSL_HND_ENCRYPTED_EXTENSIONS:9616 proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA0x00000000);9617 offset += 16;9618 break;9619 }9620 9621 return offset;9622}9623/** TLS Extensions (in Client Hello and Server Hello). }}} */9624 9625/* Connection ID dissection. {{{ */9626static uint32_t9627ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,9628 proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,9629 uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)9630{9631 /* keep track of the decrypt session only for the first pass */9632 if (cidl > 0 && !PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {9633 tvb_ensure_bytes_exist(tvb, offset + 1, cidl);9634 *session_cidl = cidl;9635 *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);9636 tvb_memcpy(tvb, *session_cid, offset + 1, cidl);9637 if (ssl) {9638 ssl_add_session_by_cid(ssl);9639 }9640 }9641 9642 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,9643 tvb, offset, 1, ENC_NA0x00000000);9644 offset++;9645 9646 if (cidl > 0) {9647 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,9648 tvb, offset, cidl, ENC_NA0x00000000);9649 offset += cidl;9650 }9651 9652 return offset;9653}9654 9655static uint32_t9656ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,9657 proto_tree *tree, uint32_t offset, uint8_t hnd_type,9658 SslSession *session, SslDecryptSession *ssl)9659{9660 uint8_t cidl = tvb_get_uint8(tvb, offset);9661 9662 switch (hnd_type) {9663 case SSL_HND_CLIENT_HELLO:9664 session->client_cid_len_present = true1;9665 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,9666 cidl, &session->client_cid, &session->client_cid_len);9667 case SSL_HND_SERVER_HELLO:9668 session->server_cid_len_present = true1;9669 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,9670 cidl, &session->server_cid, &session->server_cid_len);9671 default:9672 return offset;9673 }9674} /* }}} */9675 9676/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */9677bool_Bool9678ssl_is_valid_content_type(uint8_t type)9679{9680 switch ((ContentType) type) {9681 case SSL_ID_CHG_CIPHER_SPEC:9682 case SSL_ID_ALERT:9683 case SSL_ID_HANDSHAKE:9684 case SSL_ID_APP_DATA:9685 case SSL_ID_HEARTBEAT:9686 case SSL_ID_TLS12_CID:9687 case SSL_ID_DTLS13_ACK:9688 return true1;9689 }9690 return false0;9691}9692 9693bool_Bool9694ssl_is_valid_handshake_type(uint8_t hs_type, bool_Bool is_dtls)9695{9696 switch ((HandshakeType) hs_type) {9697 case SSL_HND_HELLO_VERIFY_REQUEST:9698 /* hello_verify_request is DTLS-only */9699 return is_dtls;9700 9701 case SSL_HND_HELLO_REQUEST:9702 case SSL_HND_CLIENT_HELLO:9703 case SSL_HND_SERVER_HELLO:9704 case SSL_HND_NEWSESSION_TICKET:9705 case SSL_HND_END_OF_EARLY_DATA:9706 case SSL_HND_HELLO_RETRY_REQUEST:9707 case SSL_HND_ENCRYPTED_EXTENSIONS:9708 case SSL_HND_CERTIFICATE:9709 case SSL_HND_SERVER_KEY_EXCHG:9710 case SSL_HND_CERT_REQUEST:9711 case SSL_HND_SVR_HELLO_DONE:9712 case SSL_HND_CERT_VERIFY:9713 case SSL_HND_CLIENT_KEY_EXCHG:9714 case SSL_HND_FINISHED:9715 case SSL_HND_CERT_URL:9716 case SSL_HND_CERT_STATUS:9717 case SSL_HND_SUPPLEMENTAL_DATA:9718 case SSL_HND_KEY_UPDATE:9719 case SSL_HND_COMPRESSED_CERTIFICATE:9720 case SSL_HND_ENCRYPTED_EXTS:9721 return true1;9722 }9723 return false0;9724}9725 9726static bool_Bool9727ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,9728 bool_Bool is_dtls)9729{9730 /* Consider all valid Handshake messages (except for Client Hello) and9731 * all other valid record types (other than Handshake) */9732 return (content_type == SSL_ID_HANDSHAKE &&9733 ssl_is_valid_handshake_type(handshake_type, is_dtls) &&9734 handshake_type != SSL_HND_CLIENT_HELLO) ||9735 (content_type != SSL_ID_HANDSHAKE &&9736 ssl_is_valid_content_type(content_type));9737}9738 9739/**9740 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.39741 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.9742 * Returns true if the supported_versions extension was found, false if not.9743 */9744bool_Bool9745tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,9746 uint16_t *server_version, bool_Bool *is_hrr)9747{9748 /* SHA256("HelloRetryRequest") */9749 static const uint8_t tls13_hrr_random_magic[] = {9750 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,9751 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c9752 };9753 uint8_t session_id_length;9754 9755 *server_version = tvb_get_ntohs(tvb, offset);9756 9757 /*9758 * Try to look for supported_versions extension. Minimum length:9759 * 2 + 32 + 1 = 35 (version, random, session id length)9760 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)9761 * 2 + 2 + 2 = 6 (ext type, ext len, version)9762 *9763 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,9764 * there's a separate expert info warning for that.9765 */9766 if ((*server_version == TLSV1DOT2_VERSION0x303 || *server_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {9767 offset += 2;9768 if (is_hrr) {9769 *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;9770 }9771 offset += 32;9772 session_id_length = tvb_get_uint8(tvb, offset);9773 offset++;9774 if (offset_end - offset < session_id_length + 5u) {9775 return false0;9776 }9777 offset += session_id_length + 5;9778 9779 while (offset_end - offset >= 6) {9780 uint16_t ext_type = tvb_get_ntohs(tvb, offset);9781 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);9782 if (offset_end - offset < 4u + ext_len) {9783 break; /* not enough data for type, length and data */9784 }9785 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {9786 if (ext_len == 2) {9787 *server_version = tvb_get_ntohs(tvb, offset + 4);9788 }9789 return true1;9790 }9791 offset += 4 + ext_len;9792 }9793 } else {9794 if (is_hrr) {9795 *is_hrr = false0;9796 }9797 }9798 return false0;9799}9800 9801/**9802 * Scan a Client Hello handshake message to see if the supported_versions9803 * extension is found, in which case the version field is legacy_version.9804 */9805static bool_Bool9806tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)9807{9808 uint8_t session_id_length;9809 9810 uint16_t client_version = tvb_get_ntohs(tvb, offset);9811 9812 /*9813 * Try to look for supported_versions extension. Minimum length:9814 * 2 + 32 + 1 = 35 (version, random, session id length)9815 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)9816 * 2 + 2 + 2 = 6 (ext type, ext len, version)9817 *9818 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,9819 * there's a separate expert info warning for that.9820 */9821 if ((client_version == TLSV1DOT2_VERSION0x303 || client_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {9822 offset += 2;9823 offset += 32;9824 session_id_length = tvb_get_uint8(tvb, offset);9825 offset++;9826 if (offset_end - offset < session_id_length + 2u) {9827 return false0;9828 }9829 offset += session_id_length;9830 if (client_version == DTLSV1DOT2_VERSION0xfefd) {9831 uint8_t cookie_length = tvb_get_uint8(tvb, offset);9832 offset++;9833 if (offset_end - offset < cookie_length + 2u) {9834 return false0;9835 }9836 }9837 uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);9838 offset += 2;9839 if (offset_end - offset < cipher_suites_length + 1u) {9840 return false0;9841 }9842 offset += cipher_suites_length;9843 uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);9844 offset++;9845 if (offset_end - offset < compression_methods_length + 2u) {9846 return false0;9847 }9848 offset += compression_methods_length + 2;9849 9850 while (offset_end - offset >= 6) {9851 uint16_t ext_type = tvb_get_ntohs(tvb, offset);9852 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);9853 if (offset_end - offset < 4u + ext_len) {9854 break; /* not enough data for type, length and data */9855 }9856 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {9857 return true1;9858 }9859 offset += 4 + ext_len;9860 }9861 }9862 return false0;9863}9864void9865ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,9866 uint8_t content_type, uint8_t handshake_type,9867 bool_Bool is_dtls, uint16_t version)9868{9869 uint8_t tls13_draft = 0;9870 9871 if (!ssl_is_authoritative_version_message(content_type, handshake_type,9872 is_dtls))9873 return;9874 9875 version = tls_try_get_version(is_dtls, version, &tls13_draft);9876 if (version == SSL_VER_UNKNOWN0) {9877 return;9878 }9879 9880 session->tls13_draft_version = tls13_draft;9881 session->version = version;9882 if (ssl) {9883 ssl->state |= SSL_VERSION(1<<4);9884 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), version, ssl->state);9885 }9886}9887 9888void9889ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,9890 ContentType content_type,9891 unsigned record_length, proto_item *length_pi,9892 uint16_t version, tvbuff_t *decrypted_tvb)9893{9894 unsigned max_expansion;9895 if (version == TLSV1DOT3_VERSION0x304) {9896 /* TLS 1.3: Max length is 2^14 + 256 */9897 max_expansion = 256;9898 } else {9899 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */9900 max_expansion = 2048;9901 }9902 /*9903 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert9904 * and ChangeCipherSpec.9905 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,9906 * so assume it is permitted.9907 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so9908 * assume TLS 1.2 requirements.9909 */9910 if (record_length == 0 &&9911 (content_type == SSL_ID_CHG_CIPHER_SPEC ||9912 content_type == SSL_ID_ALERT ||9913 content_type == SSL_ID_HANDSHAKE)) {9914 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,9915 "Zero-length %s fragments are not allowed",9916 val_to_str_const(content_type, ssl_31_content_type, "unknown"));9917 }9918 if (record_length > TLS_MAX_RECORD_LENGTH0x4000 + max_expansion) {9919 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,9920 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);9921 }9922 if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH0x4000) {9923 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,9924 "TLSPlaintext length MUST NOT exceed 2^14");9925 }9926}9927 9928static void9929ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)9930{9931 /* store selected cipher suite for decryption */9932 ssl->session.cipher = cipher;9933 9934 const SslCipherSuite *cs = ssl_find_cipher(cipher);9935 if (!cs) {9936 ssl->cipher_suite = NULL((void*)0);9937 ssl->state &= ~SSL_CIPHER(1<<2);9938 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);9939 } else if (ssl->session.version == SSLV3_VERSION0x300 && !(cs->dig == DIG_MD50x40 || cs->dig == DIG_SHA0x41)) {9940 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.29941 * cipher suite that uses for example MACAlgorithm SHA256. Reject that9942 * to avoid a potential buffer overflow in ssl3_check_mac. */9943 ssl->cipher_suite = NULL((void*)0);9944 ssl->state &= ~SSL_CIPHER(1<<2);9945 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);9946 } else {9947 /* Cipher found, save this for the delayed decoder init */9948 ssl->cipher_suite = cs;9949 ssl->state |= SSL_CIPHER(1<<2);9950 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), cipher,9951 val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),9952 ssl->state);9953 }9954}9955/* }}} */9956 9957 9958/* Client Hello and Server Hello dissections. {{{ */9959static int9960ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,9961 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,9962 SslSession *session, SslDecryptSession *ssl,9963 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data);9964void9965ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,9966 packet_info *pinfo, proto_tree *tree, uint32_t offset,9967 uint32_t offset_end, SslSession *session,9968 SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs)9969{9970 /* struct {9971 * ProtocolVersion client_version;9972 * Random random;9973 * SessionID session_id;9974 * opaque cookie<0..32>; //new field for DTLS9975 * CipherSuite cipher_suites<2..2^16-1>;9976 * CompressionMethod compression_methods<1..2^8-1>;9977 * Extension client_hello_extension_list<0..2^16-1>;9978 * } ClientHello;9979 */9980 proto_item *ti;9981 proto_tree *cs_tree;9982 uint32_t client_version;9983 uint32_t cipher_suite_length;9984 uint32_t compression_methods_length;9985 uint8_t compression_method;9986 uint32_t next_offset;9987 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");9988 char *ja3_hash;9989 char *ja3_dash = "";9990 char *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;9991 ja4_data_t ja4_data;9992 wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");9993 wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");9994 wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");9995 wmem_list_frame_t *curr_entry;9996 9997 ja4_data.max_version = 0;9998 ja4_data.server_name_present = false0;9999 ja4_data.num_cipher_suites = 0;10000 ja4_data.num_extensions = 0;10001 ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");10002 ja4_data.cipher_list = wmem_list_new(pinfo->pool);10003 ja4_data.extension_list = wmem_list_new(pinfo->pool);10004 ja4_data.sighash_list = wmem_list_new(pinfo->pool);10005 10006 /* show the client version */10007 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, tvb,10008 offset, 2, ENC_BIG_ENDIAN0x00000000,10009 &client_version);10010 if (tls_scan_client_hello(tvb, offset, offset_end)) {10011 expert_add_info(pinfo, ti, &hf->ei.legacy_version);10012 }10013 offset += 2;10014 wmem_strbuf_append_printf(ja3, "%i,", client_version);10015 10016 /*10017 * Is it version 1.3?10018 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim10019 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 844610020 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client10021 * Hello".10022 */10023 if (dtls_hfs != NULL((void*)0)) {10024 if (client_version == DTLSV1DOT3_VERSION0xfefc) {10025 /* Don't do that. */10026 expert_add_info(pinfo, ti, &hf->ei.client_version_error);10027 }10028 } else {10029 if (client_version == TLSV1DOT3_VERSION0x304) {10030 /* Don't do that. */10031 expert_add_info(pinfo, ti, &hf->ei.client_version_error);10032 }10033 }10034 10035 /* dissect fields that are present in both ClientHello and ServerHello */10036 offset = ssl_dissect_hnd_hello_common(hf, tvb, tree, offset, session, ssl, false0, false0);10037 10038 /* fields specific for DTLS (cookie_len, cookie) */10039 if (dtls_hfs != NULL((void*)0)) {10040 uint32_t cookie_length;10041 /* opaque cookie<0..32> (for DTLS only) */10042 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,10043 dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {10044 return;10045 }10046 offset++;10047 if (cookie_length > 0) {10048 proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,10049 tvb, offset, cookie_length, ENC_NA0x00000000);10050 offset += cookie_length;10051 }10052 }10053 10054 /* CipherSuite cipher_suites<2..2^16-1> */10055 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,10056 hf->hf.hs_cipher_suites_len, 2, UINT16_MAX(65535))) {10057 return;10058 }10059 offset += 2;10060 next_offset = offset + cipher_suite_length;10061 ti = proto_tree_add_none_format(tree,10062 hf->hf.hs_cipher_suites,10063 tvb, offset, cipher_suite_length,10064 "Cipher Suites (%d suite%s)",10065 cipher_suite_length / 2,10066 plurality(cipher_suite_length/2, "", "s")((cipher_suite_length/2) == 1 ? ("") : ("s")));10067 cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);10068 while (offset + 2 <= next_offset) {10069 uint32_t cipher_suite;10070 10071 proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, tvb, offset, 2,10072 ENC_BIG_ENDIAN0x00000000, &cipher_suite);10073 offset += 2;10074 if (!IS_GREASE_TLS(cipher_suite)((((cipher_suite) & 0x0f0f) == 0x0a0a) && (((cipher_suite
) & 0xff) == (((cipher_suite)>>8) & 0xff)))) {10075 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);10076 ja3_dash = "-";10077 ja4_data.num_cipher_suites += 1;10078 wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite)((gpointer) (gulong) (cipher_suite)), wmem_compare_uint);10079 }10080 }10081 wmem_strbuf_append_c(ja3, ',');10082 if (!ssl_end_vector(hf, tvb, pinfo, cs_tree, offset, next_offset)) {10083 offset = next_offset;10084 }10085 10086 /* CompressionMethod compression_methods<1..2^8-1> */10087 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compression_methods_length,10088 hf->hf.hs_comp_methods_len, 1, UINT8_MAX(255))) {10089 return;10090 }10091 offset++;10092 next_offset = offset + compression_methods_length;10093 ti = proto_tree_add_none_format(tree,10094 hf->hf.hs_comp_methods,10095 tvb, offset, compression_methods_length,10096 "Compression Methods (%u method%s)",10097 compression_methods_length,10098 plurality(compression_methods_length,((compression_methods_length) == 1 ? ("") : ("s"))10099 "", "s")((compression_methods_length) == 1 ? ("") : ("s")));10100 cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);10101 while (offset < next_offset) {10102 compression_method = tvb_get_uint8(tvb, offset);10103 /* TODO: make reserved/private comp meth. fields selectable */10104 if (compression_method < 64)10105 proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,10106 tvb, offset, 1, compression_method);10107 else if (compression_method > 63 && compression_method < 193)10108 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,10109 compression_method, "Reserved - to be assigned by IANA (%u)",10110 compression_method);10111 else10112 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,10113 compression_method, "Private use range (%u)",10114 compression_method);10115 offset++;10116 }10117 10118 /* SSL v3.0 has no extensions, so length field can indeed be missing. */10119 if (offset < offset_end) {10120 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,10121 offset_end, SSL_HND_CLIENT_HELLO,10122 session, ssl, dtls_hfs != NULL((void*)0), ja3, &ja4_data);10123 if (ja4_data.max_version > 0) {10124 client_version = ja4_data.max_version;10125 }10126 } else {10127 wmem_strbuf_append_printf(ja3, ",,");10128 }10129 10130 if (proto_is_frame_protocol(pinfo->layers,"tcp")) {10131 wmem_strbuf_append(ja4_a, "t");10132 } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {10133 wmem_strbuf_append(ja4_a, "q");10134 } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {10135 wmem_strbuf_append(ja4_a, "d");10136 }10137 wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));10138 wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");10139 if (ja4_data.num_cipher_suites > 99) {10140 wmem_strbuf_append(ja4_a, "99");10141 } else {10142 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);10143 }10144 if (ja4_data.num_extensions > 99) {10145 wmem_strbuf_append(ja4_a, "99");10146 } else {10147 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);10148 }10149 if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {10150 wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));10151 } else {10152 wmem_strbuf_append(ja4_a, "00");10153 }10154 10155 curr_entry = wmem_list_head(ja4_data.cipher_list);10156 for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {10157 wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));10158 if (i < wmem_list_count(ja4_data.cipher_list) - 1) {10159 wmem_strbuf_append(ja4_br, ",");10160 }10161 curr_entry = wmem_list_frame_next(curr_entry);10162 }10163 10164 curr_entry = wmem_list_head(ja4_data.extension_list);10165 for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {10166 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));10167 if (i < wmem_list_count(ja4_data.extension_list) - 1) {10168 wmem_strbuf_append(ja4_cr, ",");10169 }10170 curr_entry = wmem_list_frame_next(curr_entry);10171 }10172 10173 if (wmem_list_count(ja4_data.sighash_list) > 0) {10174 wmem_strbuf_append(ja4_cr, "_");10175 curr_entry = wmem_list_head(ja4_data.sighash_list);10176 for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {10177 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));10178 if (i < wmem_list_count(ja4_data.sighash_list) - 1) {10179 wmem_strbuf_append(ja4_cr, ",");10180 }10181 curr_entry = wmem_list_frame_next(curr_entry);10182 }10183 }10184 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);10185 ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);10186 g_free(ja4_hash);10187 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);10188 ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);10189 g_free(ja4_hash);10190 10191 ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);10192 ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));10193 10194 ti = proto_tree_add_string(tree, hf->hf.hs_ja4, tvb, offset, 0, ja4);10195 proto_item_set_generated(ti);10196 ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, tvb, offset, 0, ja4_r);10197 proto_item_set_generated(ti);10198 10199 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),10200 wmem_strbuf_get_len(ja3));10201 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));10202 proto_item_set_generated(ti);10203 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, tvb, offset, 0, ja3_hash);10204 proto_item_set_generated(ti);10205 g_free(ja3_hash);10206}10207 10208void10209ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,10210 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,10211 SslSession *session, SslDecryptSession *ssl,10212 bool_Bool is_dtls, bool_Bool is_hrr)10213{10214 /* struct {10215 * ProtocolVersion server_version;10216 * Random random;10217 * SessionID session_id; // TLS 1.2 and before10218 * CipherSuite cipher_suite;10219 * CompressionMethod compression_method; // TLS 1.2 and before10220 * Extension server_hello_extension_list<0..2^16-1>;10221 * } ServerHello;10222 */10223 uint8_t draft_version = session->tls13_draft_version;10224 proto_item *ti;10225 uint32_t server_version;10226 uint32_t cipher_suite;10227 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");10228 char *ja3_hash;10229 10230 col_set_str(pinfo->cinfo, COL_PROTOCOL,10231 val_to_str_const(session->version, ssl_version_short_names, "SSL"));10232 10233 /* Initially assume that the session is resumed. If this is not the case, a10234 * ServerHelloDone will be observed before the ChangeCipherSpec message10235 * which will reset this flag. */10236 session->is_session_resumed = true1;10237 10238 /* show the server version */10239 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,10240 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);10241 10242 uint16_t supported_server_version;10243 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {10244 expert_add_info(pinfo, ti, &hf->ei.legacy_version);10245 }10246 /*10247 * Is it version 1.3?10248 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim10249 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 844610250 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server10251 * Hello".10252 */10253 if (is_dtls) {10254 if (server_version == DTLSV1DOT3_VERSION0xfefc) {10255 /* Don't do that. */10256 expert_add_info(pinfo, ti, &hf->ei.server_version_error);10257 }10258 } else {10259 if (server_version == TLSV1DOT3_VERSION0x304) {10260 /* Don't do that. */10261 expert_add_info(pinfo, ti, &hf->ei.server_version_error);10262 }10263 }10264 10265 offset += 2;10266 wmem_strbuf_append_printf(ja3, "%i", server_version);10267 10268 /* dissect fields that are present in both ClientHello and ServerHello */10269 offset = ssl_dissect_hnd_hello_common(hf, tvb, tree, offset, session, ssl, true1, is_hrr);10270 10271 if (ssl) {10272 /* store selected cipher suite for decryption */10273 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));10274 }10275 10276 /* now the server-selected cipher suite */10277 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,10278 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);10279 offset += 2;10280 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);10281 10282 /* No compression with TLS 1.3 before draft -22 */10283 if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {10284 if (ssl) {10285 /* store selected compression method for decryption */10286 ssl->session.compression = tvb_get_uint8(tvb, offset);10287 }10288 /* and the server-selected compression method */10289 proto_tree_add_item(tree, hf->hf.hs_comp_method,10290 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);10291 offset++;10292 }10293 10294 /* SSL v3.0 has no extensions, so length field can indeed be missing. */10295 if (offset < offset_end) {10296 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,10297 offset_end,10298 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,10299 session, ssl, is_dtls, ja3, NULL((void*)0));10300 }10301 10302 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),10303 wmem_strbuf_get_len(ja3));10304 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));10305 proto_item_set_generated(ti);10306 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);10307 proto_item_set_generated(ti);10308 g_free(ja3_hash);10309}10310/* Client Hello and Server Hello dissections. }}} */10311 10312/* New Session Ticket dissection. {{{ */10313void10314ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,10315 proto_tree *tree, uint32_t offset, uint32_t offset_end,10316 SslSession *session, SslDecryptSession *ssl,10317 bool_Bool is_dtls, GHashTable *session_hash)10318{10319 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):10320 * struct {10321 * uint32 ticket_lifetime_hint;10322 * opaque ticket<0..2^16-1>;10323 * } NewSessionTicket;10324 *10325 * RFC 8446 Section 4.6.1 (TLS 1.3):10326 * struct {10327 * uint32 ticket_lifetime;10328 * uint32 ticket_age_add;10329 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -2210330 * opaque ticket<1..2^16-1>;10331 * Extension extensions<0..2^16-2>;10332 * } NewSessionTicket;10333 */10334 proto_tree *subtree;10335 proto_item *subitem;10336 uint32_t ticket_len;10337 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc;10338 unsigned char draft_version = session->tls13_draft_version;10339 uint32_t lifetime_hint;10340 10341 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,10342 hf->ett.session_ticket, NULL((void*)0),10343 "TLS Session Ticket");10344 10345 /* ticket lifetime hint */10346 subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,10347 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000, &lifetime_hint);10348 offset += 4;10349 10350 if (lifetime_hint >= 60) {10351 char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);10352 proto_item_append_text(subitem, " (%s)", time_str);10353 }10354 10355 if (is_tls13) {10356 10357 /* for TLS 1.3: ticket_age_add */10358 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,10359 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);10360 offset += 4;10361 10362 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/10363 if (draft_version == 0 || draft_version >= 21) {10364 uint32_t ticket_nonce_len;10365 10366 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,10367 hf->hf.hs_session_ticket_nonce_len, 0, 255)) {10368 return;10369 }10370 offset++;10371 10372 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA0x00000000);10373 offset += ticket_nonce_len;10374 }10375 10376 }10377 10378 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */10379 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,10380 hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX(65535))) {10381 return;10382 }10383 offset += 2;10384 10385 /* Content depends on implementation, so just show data! */10386 proto_tree_add_item(subtree, hf->hf.hs_session_ticket,10387 tvb, offset, ticket_len, ENC_NA0x00000000);10388 /* save the session ticket to cache for ssl_finalize_decryption */10389 if (ssl && !is_tls13) {10390 tvb_ensure_bytes_exist(tvb, offset, ticket_len);10391 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),10392 ssl->session_ticket.data, ticket_len);10393 ssl->session_ticket.data_len = ticket_len;10394 tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);10395 /* NewSessionTicket is received after the first (client)10396 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.10397 * Since the second CCS has already the session key available it will10398 * just return. To ensure that the session ticket is mapped to a10399 * master key (from the first CCS), save the ticket here too. */10400 ssl_save_master_key("Session Ticket", session_hash,10401 &ssl->session_ticket, &ssl->master_secret);10402 ssl->state |= SSL_NEW_SESSION_TICKET(1<<10);10403 }10404 offset += ticket_len;10405 10406 if (is_tls13) {10407 ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,10408 offset_end, SSL_HND_NEWSESSION_TICKET,10409 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0));10410 }10411} /* }}} */10412 10413void10414ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,10415 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,10416 SslSession *session, SslDecryptSession *ssl,10417 bool_Bool is_dtls)10418{10419 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.410420 * struct {10421 * ProtocolVersion server_version;10422 * CipherSuite cipher_suite; // not before draft -1910423 * Extension extensions<2..2^16-1>;10424 * } HelloRetryRequest;10425 * Note: no longer used since draft -2210426 */10427 uint32_t version;10428 uint8_t draft_version;10429 10430 proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,10431 offset, 2, ENC_BIG_ENDIAN0x00000000, &version);10432 draft_version = extract_tls13_draft_version(version);10433 offset += 2;10434 10435 if (draft_version == 0 || draft_version >= 19) {10436 proto_tree_add_item(tree, hf->hf.hs_cipher_suite,10437 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);10438 offset += 2;10439 }10440 10441 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,10442 offset_end, SSL_HND_HELLO_RETRY_REQUEST,10443 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0));10444}10445 10446void10447ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,10448 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,10449 SslSession *session, SslDecryptSession *ssl,10450 bool_Bool is_dtls)10451{10452 /* RFC 8446 Section 4.3.110453 * struct {10454 * Extension extensions<0..2^16-1>;10455 * } EncryptedExtensions;10456 */10457 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,10458 offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,10459 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0));10460}10461 10462/* Certificate and Certificate Request dissections. {{{ */10463void10464ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,10465 uint32_t offset, uint32_t offset_end, packet_info *pinfo,10466 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),10467 bool_Bool is_from_server, bool_Bool is_dtls)10468{10469 /* opaque ASN.1Cert<1..2^24-1>;10470 *10471 * Before RFC 8446 (TLS <= 1.2):10472 * struct {10473 * select(certificate_type) {10474 *10475 * // certificate type defined in RFC 725010476 * case RawPublicKey:10477 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;10478 *10479 * // X.509 certificate defined in RFC 524610480 * case X.509:10481 * ASN.1Cert certificate_list<0..2^24-1>;10482 * };10483 * } Certificate;10484 *10485 * RFC 8446 (since draft -20):10486 * struct {10487 * select(certificate_type){10488 * case RawPublicKey:10489 * // From RFC 7250 ASN.1_subjectPublicKeyInfo10490 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;10491 *10492 * case X.509:10493 * opaque cert_data<1..2^24-1>;10494 * }10495 * Extension extensions<0..2^16-1>;10496 * } CertificateEntry;10497 * struct {10498 * opaque certificate_request_context<0..2^8-1>;10499 * CertificateEntry certificate_list<0..2^24-1>;10500 * } Certificate;10501 */10502 enum { CERT_X509, CERT_RPK } cert_type;10503 asn1_ctx_t asn1_ctx;10504#if defined(HAVE_LIBGNUTLS1)10505 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };10506 unsigned certificate_index = 0;10507#endif10508 uint32_t next_offset, certificate_list_length, cert_length;10509 proto_tree *subtree = tree;10510 10511 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);10512 10513 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||10514 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {10515 cert_type = CERT_RPK;10516 } else {10517 cert_type = CERT_X509;10518 }10519 10520#if defined(HAVE_LIBGNUTLS1)10521 /* Ask the pkcs1 dissector to return the public key details */10522 if (ssl)10523 asn1_ctx.private_data = &subjectPublicKeyInfo;10524#endif10525 10526 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */10527 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {10528 uint32_t context_length;10529 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,10530 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {10531 return;10532 }10533 offset++;10534 if (context_length > 0) {10535 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,10536 tvb, offset, context_length, ENC_NA0x00000000);10537 offset += context_length;10538 }10539 }10540 10541 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {10542 /* For RPK before TLS 1.3, the single RPK is stored directly without10543 * another "certificate_list" field. */10544 certificate_list_length = offset_end - offset;10545 next_offset = offset_end;10546 } else {10547 /* CertificateEntry certificate_list<0..2^24-1> */10548 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,10549 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {10550 return;10551 }10552 offset += 3; /* 24-bit length value */10553 next_offset = offset + certificate_list_length;10554 }10555 10556 /* RawPublicKey must have one cert, but X.509 can have multiple. */10557 if (certificate_list_length > 0 && cert_type == CERT_X509) {10558 proto_item *ti;10559 10560 ti = proto_tree_add_none_format(tree,10561 hf->hf.hs_certificates,10562 tvb, offset, certificate_list_length,10563 "Certificates (%u bytes)",10564 certificate_list_length);10565 10566 /* make it a subtree */10567 subtree = proto_item_add_subtree(ti, hf->ett.certificates);10568 }10569 10570 while (offset < next_offset) {10571 switch (cert_type) {10572 case CERT_RPK:10573 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */10574 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */10575 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,10576 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {10577 return;10578 }10579 offset += 3;10580 10581 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);10582 offset += cert_length;10583 break;10584 case CERT_X509:10585 /* opaque ASN1Cert<1..2^24-1> */10586 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,10587 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {10588 return;10589 }10590 offset += 3;10591 10592 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);10593#if defined(HAVE_LIBGNUTLS1)10594 if (is_from_server && ssl && certificate_index == 0) {10595 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);10596 /* Only attempt to get the RSA modulus for the first cert. */10597 asn1_ctx.private_data = NULL((void*)0);10598 }10599#endif10600 offset += cert_length;10601 break;10602 }10603 10604 /* TLS 1.3: Extension extensions<0..2^16-1> */10605 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {10606 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,10607 next_offset, SSL_HND_CERTIFICATE,10608 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0));10609 }10610 10611#if defined(HAVE_LIBGNUTLS1)10612 certificate_index++;10613#endif10614 }10615}10616 10617void10618ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,10619 proto_tree *tree, uint32_t offset, uint32_t offset_end,10620 SslSession *session, bool_Bool is_dtls)10621{10622 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):10623 * enum {10624 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),10625 * (255)10626 * } ClientCertificateType;10627 *10628 * opaque DistinguishedName<1..2^16-1>;10629 *10630 * struct {10631 * ClientCertificateType certificate_types<1..2^8-1>;10632 * DistinguishedName certificate_authorities<3..2^16-1>;10633 * } CertificateRequest;10634 *10635 *10636 * As per TLSv1.2 (RFC 5246) the format has changed to:10637 *10638 * enum {10639 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),10640 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),10641 * fortezza_dms_RESERVED(20), (255)10642 * } ClientCertificateType;10643 *10644 * enum {10645 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),10646 * sha512(6), (255)10647 * } HashAlgorithm;10648 *10649 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }10650 * SignatureAlgorithm;10651 *10652 * struct {10653 * HashAlgorithm hash;10654 * SignatureAlgorithm signature;10655 * } SignatureAndHashAlgorithm;10656 *10657 * SignatureAndHashAlgorithm10658 * supported_signature_algorithms<2..2^16-2>;10659 *10660 * opaque DistinguishedName<1..2^16-1>;10661 *10662 * struct {10663 * ClientCertificateType certificate_types<1..2^8-1>;10664 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;10665 * DistinguishedName certificate_authorities<0..2^16-1>;10666 * } CertificateRequest;10667 *10668 * draft-ietf-tls-tls13-18:10669 * struct {10670 * opaque certificate_request_context<0..2^8-1>;10671 * SignatureScheme10672 * supported_signature_algorithms<2..2^16-2>;10673 * DistinguishedName certificate_authorities<0..2^16-1>;10674 * CertificateExtension certificate_extensions<0..2^16-1>;10675 * } CertificateRequest;10676 *10677 * RFC 8446 (since draft-ietf-tls-tls13-19):10678 *10679 * struct {10680 * opaque certificate_request_context<0..2^8-1>;10681 * Extension extensions<2..2^16-1>;10682 * } CertificateRequest;10683 */10684 proto_item *ti;10685 proto_tree *subtree;10686 uint32_t next_offset;10687 asn1_ctx_t asn1_ctx;10688 bool_Bool is_tls13 = (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc);10689 unsigned char draft_version = session->tls13_draft_version;10690 10691 if (!tree)10692 return;10693 10694 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);10695 10696 if (is_tls13) {10697 uint32_t context_length;10698 /* opaque certificate_request_context<0..2^8-1> */10699 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,10700 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {10701 return;10702 }10703 offset++;10704 if (context_length > 0) {10705 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,10706 tvb, offset, context_length, ENC_NA0x00000000);10707 offset += context_length;10708 }10709 } else {10710 uint32_t cert_types_count;10711 /* ClientCertificateType certificate_types<1..2^8-1> */10712 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,10713 hf->hf.hs_cert_types_count, 1, UINT8_MAX(255))) {10714 return;10715 }10716 offset++;10717 next_offset = offset + cert_types_count;10718 10719 ti = proto_tree_add_none_format(tree,10720 hf->hf.hs_cert_types,10721 tvb, offset, cert_types_count,10722 "Certificate types (%u type%s)",10723 cert_types_count,10724 plurality(cert_types_count, "", "s")((cert_types_count) == 1 ? ("") : ("s")));10725 subtree = proto_item_add_subtree(ti, hf->ett.cert_types);10726 10727 while (offset < next_offset) {10728 proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);10729 offset++;10730 }10731 }10732 10733 if (session->version == TLSV1DOT2_VERSION0x303 || session->version == DTLSV1DOT2_VERSION0xfefd ||10734 (is_tls13 && (draft_version > 0 && draft_version < 19))) {10735 offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));10736 }10737 10738 if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {10739 /*10740 * TLS 1.3 draft 19 and newer: Extensions.10741 * SslDecryptSession pointer is NULL because Certificate Extensions10742 * should not influence decryption state.10743 */10744 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,10745 offset_end, SSL_HND_CERT_REQUEST,10746 session, NULL((void*)0), is_dtls, NULL((void*)0), NULL((void*)0));10747 } else if (is_tls13 && draft_version <= 18) {10748 /*10749 * TLS 1.3 draft 18 and older: certificate_authorities and10750 * certificate_extensions (a vector of OID mappings).10751 */10752 offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);10753 ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);10754 } else {10755 /* for TLS 1.2 and older, the certificate_authorities field. */10756 tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);10757 }10758}10759/* Certificate and Certificate Request dissections. }}} */10760 10761void10762ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,10763 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)10764{10765 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,10766 hf->hf.hs_client_cert_vrfy_sig_len,10767 hf->hf.hs_client_cert_vrfy_sig);10768}10769 10770/* Finished dissection. {{{ */10771void10772ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,10773 proto_tree *tree, uint32_t offset, uint32_t offset_end,10774 const SslSession *session, ssl_hfs_t *ssl_hfs)10775{10776 /* For SSLv3:10777 * struct {10778 * opaque md5_hash[16];10779 * opaque sha_hash[20];10780 * } Finished;10781 *10782 * For (D)TLS:10783 * struct {10784 * opaque verify_data[12];10785 * } Finished;10786 *10787 * For TLS 1.3:10788 * struct {10789 * opaque verify_data[Hash.length];10790 * }10791 */10792 if (!tree)10793 return;10794 10795 if (session->version == SSLV3_VERSION0x300) {10796 if (ssl_hfs != NULL((void*)0)) {10797 proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,10798 tvb, offset, 16, ENC_NA0x00000000);10799 proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,10800 tvb, offset + 16, 20, ENC_NA0x00000000);10801 }10802 } else {10803 /* Length should be 12 for TLS before 1.3, assume this is the case. */10804 proto_tree_add_item(tree, hf->hf.hs_finished,10805 tvb, offset, offset_end - offset, ENC_NA0x00000000);10806 }10807} /* }}} */10808 10809/* RFC 6066 Certificate URL handshake message dissection. {{{ */10810void10811ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)10812{10813 uint16_t url_hash_len;10814 10815 /* enum {10816 * individual_certs(0), pkipath(1), (255)10817 * } CertChainType;10818 *10819 * struct {10820 * CertChainType type;10821 * URLAndHash url_and_hash_list<1..2^16-1>;10822 * } CertificateURL;10823 *10824 * struct {10825 * opaque url<1..2^16-1>;10826 * unint8 padding;10827 * opaque SHA1Hash[20];10828 * } URLAndHash;10829 */10830 10831 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,10832 tvb, offset, 1, ENC_NA0x00000000);10833 offset++;10834 10835 url_hash_len = tvb_get_ntohs(tvb, offset);10836 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,10837 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);10838 offset += 2;10839 while (url_hash_len-- > 0) {10840 proto_item *urlhash_item;10841 proto_tree *urlhash_tree;10842 uint16_t url_len;10843 10844 urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,10845 tvb, offset, -1, ENC_NA0x00000000);10846 urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);10847 10848 url_len = tvb_get_ntohs(tvb, offset);10849 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,10850 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);10851 offset += 2;10852 10853 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,10854 tvb, offset, url_len, ENC_ASCII0x00000000|ENC_NA0x00000000);10855 offset += url_len;10856 10857 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,10858 tvb, offset, 1, ENC_NA0x00000000);10859 offset++;10860 /* Note: RFC 6066 says that padding must be 0x01 */10861 10862 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,10863 tvb, offset, 20, ENC_NA0x00000000);10864 offset += 20;10865 }10866} /* }}} */10867 10868void10869ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,10870 uint32_t offset, uint32_t offset_end, packet_info *pinfo,10871 SslSession *session, SslDecryptSession *ssl,10872 bool_Bool is_from_server, bool_Bool is_dtls)10873{10874 uint32_t algorithm, uncompressed_length;10875 uint32_t compressed_certificate_message_length;10876 tvbuff_t *uncompressed_tvb = NULL((void*)0);10877 proto_item *ti;10878 /*10879 * enum {10880 * zlib(1),10881 * brotli(2),10882 * zstd(3),10883 * (65535)10884 * } CertificateCompressionAlgorithm;10885 *10886 * struct {10887 * CertificateCompressionAlgorithm algorithm;10888 * uint24 uncompressed_length;10889 * opaque compressed_certificate_message<1..2^24-1>;10890 * } CompressedCertificate;10891 */10892 10893 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,10894 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &algorithm);10895 offset += 2;10896 10897 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,10898 tvb, offset, 3, ENC_BIG_ENDIAN0x00000000, &uncompressed_length);10899 offset += 3;10900 10901 /* opaque compressed_certificate_message<1..2^24-1>; */10902 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,10903 hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24((1U << 24) - 1))) {10904 return;10905 }10906 offset += 3;10907 10908 ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,10909 tvb, offset, compressed_certificate_message_length, ENC_NA0x00000000);10910 10911 /* Certificate decompression following algorithm */10912 switch (algorithm) {10913 case 2: /* brotli */10914 uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);10915break;10916 /* TODO: add other algorithms */10917 }10918 10919 if (uncompressed_tvb) {10920 proto_tree *uncompressed_tree;10921 10922 if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {10923 proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,10924 tvb, offset, offset_end - offset,10925 "Invalid uncompressed length %u (expected %u)",10926 tvb_captured_length(uncompressed_tvb),10927 uncompressed_length);10928 } else {10929 uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);10930 ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,10931 0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);10932 add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");10933 }10934 }10935}10936 10937/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */10938static int10939ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,10940 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,10941 SslSession *session, SslDecryptSession *ssl,10942 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data)10943{10944 uint32_t exts_len;10945 uint16_t ext_type;10946 uint32_t ext_len;10947 uint32_t next_offset;10948 proto_tree *ext_tree;10949 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;10950 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");10951 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");10952 char *ja3_dash = "";10953 unsigned supported_version;10954 10955 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */10956 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,10957 hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {10958 return offset_end;10959 }10960 offset += 2;10961 offset_end = offset + exts_len;10962 10963 if (ja4_data) {10964 ja4_data->num_extensions = 0;10965 }10966 while (offset_end - offset >= 4)10967 {10968 ext_type = tvb_get_ntohs(tvb, offset);10969 ext_len = tvb_get_ntohs(tvb, offset + 2);10970 10971 if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {10972 ja4_data->num_extensions += 1;10973 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&10974 ext_type != SSL_HND_HELLO_EXT_ALPN16) {10975 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);10976 }10977 }10978 10979 ext_tree = proto_tree_add_subtree_format(tree, tvb, offset, 4 + ext_len, hf->ett.hs_ext, NULL((void*)0),10980 "Extension: %s (len=%u)", val_to_str(ext_type,10981 tls_hello_extension_types,10982 "Unknown type %u"), ext_len);10983 10984 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,10985 tvb, offset, 2, ext_type);10986 offset += 2;10987 if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {10988 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);10989 ja3_dash = "-";10990 }10991 10992 /* opaque extension_data<0..2^16-1> */10993 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,10994 hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {10995 return offset_end;10996 }10997 offset += 2;10998 next_offset = offset + ext_len;10999 11000 switch (ext_type) {11001 case SSL_HND_HELLO_EXT_SERVER_NAME0:11002 if (hnd_type == SSL_HND_CLIENT_HELLO) {11003 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);11004 if (ja4_data) {11005 ja4_data->server_name_present = true1;11006 }11007 }11008 break;11009 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:11010 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);11011 offset += 1;11012 break;11013 case SSL_HND_HELLO_EXT_STATUS_REQUEST5:11014 if (hnd_type == SSL_HND_CLIENT_HELLO) {11015 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);11016 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {11017 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);11018 }11019 break;11020 case SSL_HND_HELLO_EXT_CERT_TYPE9:11021 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,11022 offset, next_offset,11023 hnd_type, ext_type,11024 session);11025 break;11026 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:11027 if (hnd_type == SSL_HND_CLIENT_HELLO) {11028 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,11029 next_offset, ja3_sg);11030 } else {11031 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,11032 next_offset, NULL((void*)0));11033 }11034 break;11035 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:11036 if (hnd_type == SSL_HND_CLIENT_HELLO) {11037 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);11038 } else {11039 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));11040 }11041 break;11042 break;11043 case SSL_HND_HELLO_EXT_SRP12:11044 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);11045 break;11046 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:11047 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);11048 break;11049 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */11050 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));11051 break;11052 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:11053 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);11054 break;11055 case SSL_HND_HELLO_EXT_USE_SRTP14:11056 if (is_dtls) {11057 if (hnd_type == SSL_HND_CLIENT_HELLO) {11058 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);11059 } else if (hnd_type == SSL_HND_SERVER_HELLO) {11060 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);11061 }11062 } else {11063 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.11064 }11065 break;11066case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:11067 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);11068 break;11069 case SSL_HND_HELLO_EXT_HEARTBEAT15:11070 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,11071 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);11072 offset++;11073 break;11074 case SSL_HND_HELLO_EXT_ALPN16:11075 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);11076 break;11077 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:11078 if (hnd_type == SSL_HND_CLIENT_HELLO)11079 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);11080 break;11081 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:11082 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.11083 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)11084 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);11085 break;11086 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:11087 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:11088 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,11089 offset, next_offset,11090 hnd_type, ext_type,11091 session);11092 break;11093 case SSL_HND_HELLO_EXT_PADDING21:11094 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);11095 offset += ext_len;11096 break;11097 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:11098 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {11099 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));11100 ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);11101 }11102 break;11103 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:11104 if (ssl) {11105 switch (hnd_type) {11106 case SSL_HND_CLIENT_HELLO:11107 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);11108 break;11109 case SSL_HND_SERVER_HELLO:11110 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);11111 break;11112 default: /* no default */11113 break;11114 }11115 }11116 break;11117 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:11118 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);11119 break;11120 case SSL_HND_HELLO_EXT_TOKEN_BINDING24:11121 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);11122 break;11123 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:11124 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,11125 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);11126 offset += 2;11127 break;11128 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:11129 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:11130 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);11131 break;11132 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:11133 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);11134 break;11135 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */11136 case SSL_HND_HELLO_EXT_KEY_SHARE51:11137 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);11138 break;11139 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:11140 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);11141 break;11142 case SSL_HND_HELLO_EXT_EARLY_DATA42:11143 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:11144 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);11145 break;11146 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:11147 switch (hnd_type) {11148 case SSL_HND_CLIENT_HELLO:11149 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);11150 break;11151 case SSL_HND_SERVER_HELLO:11152 case SSL_HND_HELLO_RETRY_REQUEST:11153 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);11154 offset += 2;11155 proto_item_append_text(ext_tree, " %s", val_to_str(supported_version, ssl_versions, "Unknown (0x%04x)"));11156 break;11157 }11158 break;11159 case SSL_HND_HELLO_EXT_COOKIE44:11160 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);11161 break;11162 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:11163 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);11164 break;11165 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:11166 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);11167 break;11168 case SSL_HND_HELLO_EXT_OID_FILTERS48:11169 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);11170 break;11171 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:11172 break;11173 case SSL_HND_HELLO_EXT_NPN13172:11174 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);11175 break;11176 case SSL_HND_HELLO_EXT_ALPS17513:11177 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);11178 break;11179 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:11180 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);11181 break;11182 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:11183 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);11184 break;11185 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:11186 session->deprecated_cid = true1;11187 /* FALLTHRU */11188 case SSL_HND_HELLO_EXT_CONNECTION_ID54:11189 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);11190 break;11191 default:11192 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,11193 tvb, offset, ext_len, ENC_NA0x00000000);11194 offset += ext_len;11195 break;11196 }11197 11198 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {11199 /* Dissection did not end at expected location, fix it. */11200 offset = next_offset;11201 }11202 }11203 11204 if (ja3) {11205 if (hnd_type == SSL_HND_CLIENT_HELLO) {11206 if(wmem_strbuf_get_len(ja3_sg) > 0) {11207 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));11208 } else {11209 wmem_strbuf_append_c(ja3, ',');11210 }11211 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {11212 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));11213 } else {11214 wmem_strbuf_append_c(ja3, ',');11215 }11216 }11217 }11218 11219 /* Check if Extensions vector is correctly terminated. */11220 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {11221 offset = offset_end;11222 }11223 11224 return offset;11225} /* }}} */11226 11227 11228/* ClientKeyExchange algo-specific dissectors. {{{ */11229 11230static void11231dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,11232 proto_tree *tree, uint32_t offset,11233 uint32_t length)11234{11235 int point_len;11236 proto_tree *ssl_ecdh_tree;11237 11238 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,11239 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Client Params");11240 11241 /* point */11242 point_len = tvb_get_uint8(tvb, offset);11243 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,11244 offset, 1, ENC_BIG_ENDIAN0x00000000);11245 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,11246 offset + 1, point_len, ENC_NA0x00000000);11247}11248 11249static void11250dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,11251 proto_tree *tree, uint32_t offset, uint32_t length)11252{11253 int yc_len;11254 proto_tree *ssl_dh_tree;11255 11256 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,11257 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Client Params");11258 11259 /* ClientDiffieHellmanPublic.dh_public (explicit) */11260 yc_len = tvb_get_ntohs(tvb, offset);11261 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,11262 offset, 2, ENC_BIG_ENDIAN0x00000000);11263 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,11264 offset + 2, yc_len, ENC_NA0x00000000);11265}11266 11267static void11268dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,11269 proto_tree *tree, uint32_t offset,11270 uint32_t length, const SslSession *session)11271{11272 int epms_len;11273 proto_tree *ssl_rsa_tree;11274 11275 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,11276 hf->ett.keyex_params, NULL((void*)0), "RSA Encrypted PreMaster Secret");11277 11278 /* EncryptedPreMasterSecret.pre_master_secret */11279 switch (session->version) {11280 case SSLV2_VERSION0x0002:11281 case SSLV3_VERSION0x300:11282 case DTLSV1DOT0_OPENSSL_VERSION0x100:11283 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is11284 * not present. The handshake contents represents the EPMS, see:11285 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */11286 epms_len = length;11287 break;11288 11289 default:11290 /* TLS and DTLS include vector length before EPMS */11291 epms_len = tvb_get_ntohs(tvb, offset);11292 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,11293 offset, 2, ENC_BIG_ENDIAN0x00000000);11294 offset += 2;11295 break;11296 }11297 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,11298 offset, epms_len, ENC_NA0x00000000);11299}11300 11301/* Used in PSK cipher suites */11302static uint32_t11303dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,11304 proto_tree *tree, uint32_t offset)11305{11306 unsigned identity_len;11307 proto_tree *ssl_psk_tree;11308 11309 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,11310 hf->ett.keyex_params, NULL((void*)0), "PSK Client Params");11311 /* identity */11312 identity_len = tvb_get_ntohs(tvb, offset);11313 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,11314 offset, 2, ENC_BIG_ENDIAN0x00000000);11315 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,11316 offset + 2, identity_len, ENC_NA0x00000000);11317 11318 proto_item_set_len(ssl_psk_tree, 2 + identity_len);11319 return 2 + identity_len;11320}11321 11322/* Used in RSA PSK cipher suites */11323static void11324dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,11325 proto_tree *tree, uint32_t offset,11326 uint32_t length)11327{11328 int identity_len, epms_len;11329 proto_tree *ssl_psk_tree;11330 11331 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,11332 hf->ett.keyex_params, NULL((void*)0), "RSA PSK Client Params");11333 11334 /* identity */11335 identity_len = tvb_get_ntohs(tvb, offset);11336 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,11337 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);11338 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,11339 tvb, offset + 2, identity_len, ENC_NA0x00000000);11340 offset += 2 + identity_len;11341 11342 /* Yc */11343 epms_len = tvb_get_ntohs(tvb, offset);11344 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,11345 offset, 2, ENC_BIG_ENDIAN0x00000000);11346 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,11347 offset + 2, epms_len, ENC_NA0x00000000);11348}11349 11350/* Used in Diffie-Hellman PSK cipher suites */11351static void11352dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,11353 proto_tree *tree, uint32_t offset, uint32_t length)11354{11355 /*11356 * struct {11357 * select (KeyExchangeAlgorithm) {11358 * case diffie_hellman_psk:11359 * opaque psk_identity<0..2^16-1>;11360 * ClientDiffieHellmanPublic public;11361 * } exchange_keys;11362 * } ClientKeyExchange;11363 */11364 11365 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);11366 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);11367}11368 11369/* Used in EC Diffie-Hellman PSK cipher suites */11370static void11371dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,11372 proto_tree *tree, uint32_t offset, uint32_t length)11373{11374 /*11375 * struct {11376 * select (KeyExchangeAlgorithm) {11377 * case ec_diffie_hellman_psk:11378 * opaque psk_identity<0..2^16-1>;11379 * ClientECDiffieHellmanPublic public;11380 * } exchange_keys;11381 * } ClientKeyExchange;11382 */11383 11384 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);11385 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);11386}11387 11388/* Used in EC J-PAKE cipher suites */11389static void11390dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,11391 proto_tree *tree, uint32_t offset,11392 uint32_t length)11393{11394 /*11395 * struct {11396 * ECPoint V;11397 * opaque r<1..2^8-1>;11398 * } ECSchnorrZKP;11399 *11400 * struct {11401 * ECPoint X;11402 * ECSchnorrZKP zkp;11403 * } ECJPAKEKeyKP;11404 *11405 * struct {11406 * ECJPAKEKeyKP ecjpake_key_kp;11407 * } ClientECJPAKEParams;11408 *11409 * select (KeyExchangeAlgorithm) {11410 * case ecjpake:11411 * ClientECJPAKEParams params;11412 * } ClientKeyExchange;11413 */11414 11415 int point_len;11416 proto_tree *ssl_ecjpake_tree;11417 11418 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,11419 hf->ett.keyex_params, NULL((void*)0),11420 "EC J-PAKE Client Params");11421 11422 /* ECJPAKEKeyKP.X */11423 point_len = tvb_get_uint8(tvb, offset);11424 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,11425 offset, 1, ENC_BIG_ENDIAN0x00000000);11426 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,11427 offset + 1, point_len, ENC_NA0x00000000);11428 offset += 1 + point_len;11429 11430 /* ECJPAKEKeyKP.zkp.V */11431 point_len = tvb_get_uint8(tvb, offset);11432 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,11433 offset, 1, ENC_BIG_ENDIAN0x00000000);11434 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,11435 offset + 1, point_len, ENC_NA0x00000000);11436 offset += 1 + point_len;11437 11438 /* ECJPAKEKeyKP.zkp.r */11439 point_len = tvb_get_uint8(tvb, offset);11440 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,11441 offset, 1, ENC_BIG_ENDIAN0x00000000);11442 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,11443 offset + 1, point_len, ENC_NA0x00000000);11444}11445 11446static void11447dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,11448 proto_tree *tree, uint32_t offset,11449 uint32_t length)11450{11451 int epms_len;11452 proto_tree *ssl_ecc_sm2_tree;11453 11454 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,11455 hf->ett.keyex_params, NULL((void*)0),11456 "ECC-SM2 Encrypted PreMaster Secret");11457 11458 epms_len = tvb_get_ntohs(tvb, offset);11459 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,11460 offset, 2, ENC_BIG_ENDIAN0x00000000);11461 offset += 2;11462 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,11463 offset, epms_len, ENC_NA0x00000000);11464}11465/* ClientKeyExchange algo-specific dissectors. }}} */11466 11467 11468/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */11469static uint32_t11470ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,11471 proto_tree *tree, uint32_t offset, uint32_t offset_end,11472 uint16_t version, int hf_sig_len, int hf_sig)11473{11474 uint32_t sig_len;11475 11476 switch (version) {11477 case TLSV1DOT2_VERSION0x303:11478 case DTLSV1DOT2_VERSION0xfefd:11479 case TLSV1DOT3_VERSION0x304:11480 case DTLSV1DOT3_VERSION0xfefc:11481 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));11482 offset += 2;11483 break;11484 11485 default:11486 break;11487 }11488 11489 /* Sig */11490 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,11491 hf_sig_len, 0, UINT16_MAX(65535))) {11492 return offset_end;11493 }11494 offset += 2;11495 proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA0x00000000);11496 offset += sig_len;11497 return offset;11498} /* }}} */11499 11500/* ServerKeyExchange algo-specific dissectors. {{{ */11501 11502/* dissects signed_params inside a ServerKeyExchange for some keyex algos */11503static void11504dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,11505 proto_tree *tree, uint32_t offset, uint32_t offset_end,11506 uint16_t version)11507{11508 /*11509 * TLSv1.2 (RFC 5246 sec 7.4.8)11510 * struct {11511 * digitally-signed struct {11512 * opaque handshake_messages[handshake_messages_length];11513 * }11514 * } CertificateVerify;11515 *11516 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same11517 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.11518 *11519 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it11520 * does more hashing including the master secret and padding.11521 */11522 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,11523 hf->hf.hs_server_keyex_sig_len,11524 hf->hf.hs_server_keyex_sig);11525}11526 11527static uint32_t11528dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)11529{11530 /*11531 * RFC 4492 ECC cipher suites for TLS11532 *11533 * struct {11534 * ECCurveType curve_type;11535 * select (curve_type) {11536 * case explicit_prime:11537 * ...11538 * case explicit_char2:11539 * ...11540 * case named_curve:11541 * NamedCurve namedcurve;11542 * };11543 * } ECParameters;11544 */11545 11546 int curve_type;11547 11548 /* ECParameters.curve_type */11549 curve_type = tvb_get_uint8(tvb, offset);11550 proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,11551 offset, 1, ENC_BIG_ENDIAN0x00000000);11552 offset++;11553 11554 if (curve_type != 3)11555 return offset_end; /* only named_curves are supported */11556 11557 /* case curve_type == named_curve; ECParameters.namedcurve */11558 proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,11559 offset, 2, ENC_BIG_ENDIAN0x00000000);11560 offset += 2;11561 11562 return offset;11563}11564 11565static void11566dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,11567 proto_tree *tree, uint32_t offset, uint32_t offset_end,11568 uint16_t version, bool_Bool anon)11569{11570 /*11571 * RFC 4492 ECC cipher suites for TLS11572 *11573 * struct {11574 * opaque point <1..2^8-1>;11575 * } ECPoint;11576 *11577 * struct {11578 * ECParameters curve_params;11579 * ECPoint public;11580 * } ServerECDHParams;11581 *11582 * select (KeyExchangeAlgorithm) {11583 * case ec_diffie_hellman:11584 * ServerECDHParams params;11585 * Signature signed_params;11586 * } ServerKeyExchange;11587 */11588 11589 int point_len;11590 proto_tree *ssl_ecdh_tree;11591 11592 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,11593 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Server Params");11594 11595 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);11596 if (offset >= offset_end)11597 return; /* only named_curves are supported */11598 11599 /* ECPoint.point */11600 point_len = tvb_get_uint8(tvb, offset);11601 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,11602 offset, 1, ENC_BIG_ENDIAN0x00000000);11603 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,11604 offset + 1, point_len, ENC_NA0x00000000);11605 offset += 1 + point_len;11606 11607 /* Signature (if non-anonymous KEX) */11608 if (!anon) {11609 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);11610 }11611}11612 11613static void11614dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,11615 proto_tree *tree, uint32_t offset, uint32_t offset_end,11616 uint16_t version, bool_Bool anon)11617{11618 int p_len, g_len, ys_len;11619 proto_tree *ssl_dh_tree;11620 11621 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,11622 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");11623 11624 /* p */11625 p_len = tvb_get_ntohs(tvb, offset);11626 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,11627 offset, 2, ENC_BIG_ENDIAN0x00000000);11628 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,11629 offset + 2, p_len, ENC_NA0x00000000);11630 offset += 2 + p_len;11631 11632 /* g */11633 g_len = tvb_get_ntohs(tvb, offset);11634 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,11635 offset, 2, ENC_BIG_ENDIAN0x00000000);11636 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,11637 offset + 2, g_len, ENC_NA0x00000000);11638 offset += 2 + g_len;11639 11640 /* Ys */11641 ys_len = tvb_get_ntohs(tvb, offset);11642 proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,11643 offset, 2, ys_len);11644 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,11645 offset + 2, ys_len, ENC_NA0x00000000);11646 offset += 2 + ys_len;11647 11648 /* Signature (if non-anonymous KEX) */11649 if (!anon) {11650 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);11651 }11652}11653 11654/* Only used in RSA-EXPORT cipher suites */11655static void11656dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,11657 proto_tree *tree, uint32_t offset, uint32_t offset_end,11658 uint16_t version)11659{11660 int modulus_len, exponent_len;11661 proto_tree *ssl_rsa_tree;11662 11663 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,11664 hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");11665 11666 /* modulus */11667 modulus_len = tvb_get_ntohs(tvb, offset);11668 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,11669 offset, 2, ENC_BIG_ENDIAN0x00000000);11670 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,11671 offset + 2, modulus_len, ENC_NA0x00000000);11672 offset += 2 + modulus_len;11673 11674 /* exponent */11675 exponent_len = tvb_get_ntohs(tvb, offset);11676 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,11677 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);11678 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,11679 tvb, offset + 2, exponent_len, ENC_NA0x00000000);11680 offset += 2 + exponent_len;11681 11682 /* Signature */11683 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);11684}11685 11686/* Used in RSA PSK and PSK cipher suites */11687static uint32_t11688dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,11689 proto_tree *tree, uint32_t offset)11690{11691 unsigned hint_len;11692 proto_tree *ssl_psk_tree;11693 11694 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,11695 hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");11696 11697 /* hint */11698 hint_len = tvb_get_ntohs(tvb, offset);11699 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,11700 offset, 2, ENC_BIG_ENDIAN0x00000000);11701 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,11702 offset + 2, hint_len, ENC_NA0x00000000);11703 11704 proto_item_set_len(ssl_psk_tree, 2 + hint_len);11705 return 2 + hint_len;11706}11707 11708/* Used in Diffie-Hellman PSK cipher suites */11709static void11710dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,11711 proto_tree *tree, uint32_t offset, uint32_t offset_end)11712{11713 /*11714 * struct {11715 * select (KeyExchangeAlgorithm) {11716 * case diffie_hellman_psk:11717 * opaque psk_identity_hint<0..2^16-1>;11718 * ServerDHParams params;11719 * };11720 * } ServerKeyExchange;11721 */11722 11723 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);11724 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);11725}11726 11727/* Used in EC Diffie-Hellman PSK cipher suites */11728static void11729dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,11730 proto_tree *tree, uint32_t offset, uint32_t offset_end)11731{11732 /*11733 * struct {11734 * select (KeyExchangeAlgorithm) {11735 * case ec_diffie_hellman_psk:11736 * opaque psk_identity_hint<0..2^16-1>;11737 * ServerECDHParams params;11738 * };11739 * } ServerKeyExchange;11740 */11741 11742 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);11743 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);11744}11745 11746/* Used in EC J-PAKE cipher suites */11747static void11748dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,11749 proto_tree *tree, uint32_t offset, uint32_t offset_end)11750{11751 /*11752 * struct {11753 * ECPoint V;11754 * opaque r<1..2^8-1>;11755 * } ECSchnorrZKP;11756 *11757 * struct {11758 * ECPoint X;11759 * ECSchnorrZKP zkp;11760 * } ECJPAKEKeyKP;11761 *11762 * struct {11763 * ECParameters curve_params;11764 * ECJPAKEKeyKP ecjpake_key_kp;11765 * } ServerECJPAKEParams;11766 *11767 * select (KeyExchangeAlgorithm) {11768 * case ecjpake:11769 * ServerECJPAKEParams params;11770 * } ServerKeyExchange;11771 */11772 11773 int point_len;11774 proto_tree *ssl_ecjpake_tree;11775 11776 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,11777 hf->ett.keyex_params, NULL((void*)0),11778 "EC J-PAKE Server Params");11779 11780 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);11781 if (offset >= offset_end)11782 return; /* only named_curves are supported */11783 11784 /* ECJPAKEKeyKP.X */11785 point_len = tvb_get_uint8(tvb, offset);11786 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,11787 offset, 1, ENC_BIG_ENDIAN0x00000000);11788 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,11789 offset + 1, point_len, ENC_NA0x00000000);11790 offset += 1 + point_len;11791 11792 /* ECJPAKEKeyKP.zkp.V */11793 point_len = tvb_get_uint8(tvb, offset);11794 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,11795 offset, 1, ENC_BIG_ENDIAN0x00000000);11796 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,11797 offset + 1, point_len, ENC_NA0x00000000);11798 offset += 1 + point_len;11799 11800 /* ECJPAKEKeyKP.zkp.r */11801 point_len = tvb_get_uint8(tvb, offset);11802 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,11803 offset, 1, ENC_BIG_ENDIAN0x00000000);11804 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,11805 offset + 1, point_len, ENC_NA0x00000000);11806}11807 11808/* Only used in ECC-SM2-EXPORT cipher suites */11809static void11810dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,11811 proto_tree *tree, uint32_t offset, uint32_t offset_end,11812 uint16_t version)11813{11814 proto_tree *ssl_ecc_sm2_tree;11815 11816 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,11817 hf->ett.keyex_params, NULL((void*)0), "ECC-SM2-EXPORT Server Params");11818 11819 /* Signature */11820 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);11821}11822/* ServerKeyExchange algo-specific dissectors. }}} */11823 11824/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */11825void11826ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,11827 proto_tree *tree, uint32_t offset, uint32_t length,11828 const SslSession *session)11829{11830 switch (ssl_get_keyex_alg(session->cipher)) {11831 case KEX_DH_ANON0x13: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */11832 case KEX_DH_DSS0x14:11833 case KEX_DH_RSA0x15:11834 case KEX_DHE_DSS0x10:11835 case KEX_DHE_RSA0x12:11836 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);11837 break;11838 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */11839 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);11840 break;11841 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */11842 case KEX_ECDH_ECDSA0x1a:11843 case KEX_ECDH_RSA0x1b:11844 case KEX_ECDHE_ECDSA0x16:11845 case KEX_ECDHE_RSA0x18:11846 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);11847 break;11848 case KEX_ECDHE_PSK0x17: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */11849 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);11850 break;11851 case KEX_KRB50x1c: /* RFC 2712; krb5: KerberosWrapper */11852 /* XXX: implement support for KRB5 */11853 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,11854 tvb, offset, length,11855 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"11856 " developers if you want them to be supported");11857 break;11858 case KEX_PSK0x1d: /* RFC 4279; psk: psk_identity */11859 dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);11860 break;11861 case KEX_RSA0x1e: /* RFC 5246; rsa: EncryptedPreMasterSecret */11862 dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);11863 break;11864 case KEX_RSA_PSK0x1f: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */11865 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);11866 break;11867 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ClientSRPPublic */11868 case KEX_SRP_SHA_DSS0x21:11869 case KEX_SRP_SHA_RSA0x22:11870 /* XXX: implement support for SRP_SHA* */11871 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,11872 tvb, offset, length,11873 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"11874 " developers if you want them to be supported");11875 break;11876 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */11877 dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);11878 break;11879 case KEX_ECC_SM20x26: /* GB/T 38636 */11880 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);11881 break;11882 default:11883 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,11884 tvb, offset, length);11885 break;11886 }11887}11888 11889void11890ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,11891 proto_tree *tree, uint32_t offset, uint32_t offset_end,11892 const SslSession *session)11893{11894 switch (ssl_get_keyex_alg(session->cipher)) {11895 case KEX_DH_ANON0x13: /* RFC 5246; ServerDHParams */11896 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);11897 break;11898 case KEX_DH_DSS0x14: /* RFC 5246; not allowed */11899 case KEX_DH_RSA0x15:11900 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,11901 tvb, offset, offset_end - offset);11902 break;11903 case KEX_DHE_DSS0x10: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */11904 case KEX_DHE_RSA0x12:11905 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);11906 break;11907 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */11908 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);11909 break;11910 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */11911 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);11912 break;11913 case KEX_ECDHE_PSK0x17: /* RFC 5489; psk_identity_hint, ServerECDHParams */11914 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);11915 break;11916 case KEX_ECDH_ECDSA0x1a: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */11917 case KEX_ECDH_RSA0x1b:11918 case KEX_ECDHE_ECDSA0x16:11919 case KEX_ECDHE_RSA0x18:11920 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);11921 break;11922 case KEX_KRB50x1c: /* RFC 2712; not allowed */11923 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,11924 tvb, offset, offset_end - offset);11925 break;11926 case KEX_PSK0x1d: /* RFC 4279; psk, rsa: psk_identity */11927 case KEX_RSA_PSK0x1f:11928 dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);11929 break;11930 case KEX_RSA0x1e: /* only allowed if the public key in the server certificate is longer than 512 bits */11931 dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);11932 break;11933 case KEX_ECC_SM20x26: /* GB/T 38636 */11934 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);11935 break;11936 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ServerSRPParams, Signature */11937 case KEX_SRP_SHA_DSS0x21:11938 case KEX_SRP_SHA_RSA0x22:11939 /* XXX: implement support for SRP_SHA* */11940 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,11941 tvb, offset, offset_end - offset,11942 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"11943 " developers if you want them to be supported");11944 break;11945 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */11946 dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);11947 break;11948 default:11949 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,11950 tvb, offset, offset_end - offset);11951 break;11952 }11953}11954/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */11955 11956void11957tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,11958 proto_tree *tree, uint32_t offset)11959{11960 /* RFC 8446 Section 4.6.311961 * enum {11962 * update_not_requested(0), update_requested(1), (255)11963 * } KeyUpdateRequest;11964 *11965 * struct {11966 * KeyUpdateRequest request_update;11967 * } KeyUpdate;11968 */11969 proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA0x00000000);11970}11971 11972void11973ssl_common_register_ssl_alpn_dissector_table(const char *name,11974 const char *ui_name, const int proto)11975{11976 ssl_alpn_dissector_table = register_dissector_table(name, ui_name,11977 proto, FT_STRING, STRING_CASE_SENSITIVE0);11978 register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");11979}11980 11981void11982ssl_common_register_dtls_alpn_dissector_table(const char *name,11983 const char *ui_name, const int proto)11984{11985 dtls_alpn_dissector_table = register_dissector_table(name, ui_name,11986 proto, FT_STRING, STRING_CASE_SENSITIVE0);11987 register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");11988}11989 11990void11991ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool_Bool is_dtls)11992{11993 prefs_register_string_preference(module, "psk", "Pre-Shared Key",11994 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",11995 &(options->psk));11996 11997 if (is_dtls) {11998 prefs_register_obsolete_preference(module, "keylog_file");11999 prefs_register_static_text_preference(module, "keylog_file_removed",12000 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",12001 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");12002 return;12003 }12004 12005 prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",12006 "The name of a file which contains a list of \n"12007 "(pre-)master secrets in one of the following formats:\n"12008 "\n"12009 "RSA <EPMS> <PMS>\n"12010 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"12011 "CLIENT_RANDOM <CRAND> <MS>\n"12012 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"12013 "\n"12014 "Where:\n"12015 "<EPMS> = First 8 bytes of the Encrypted PMS\n"12016 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"12017 "<SSLID> = The SSL Session ID\n"12018 "<MS> = The Master-Secret (MS)\n"12019 "<CRAND> = The Client's random number from the ClientHello message\n"12020 "\n"12021 "(All fields are in hex notation)",12022 &(options->keylog_filename), false0);12023}12024 12025void12026ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length)12027{12028 if (ssl_session && ssl_session->session.version != TLSV1DOT3_VERSION0x304 && !(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {12029 uint32_t old_length = ssl_session->handshake_data.data_len;12030 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);12031 if (tvb) {12032 if (tvb_bytes_exist(tvb, offset, length)) {12033 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);12034 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);12035 ssl_session->handshake_data.data_len += length;12036 }12037 } else {12038 /* DTLS calculates the hash as if each handshake message had been12039 * sent as a single fragment (RFC 6347, section 4.2.6) and passes12040 * in a null tvbuff to add 3 bytes for a zero fragment offset.12041 */12042 DISSECTOR_ASSERT_CMPINT(length, <, 4)((void) ((length < 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "length" " " "<" " " "4" " (" "%"
"l" "d" " " "<" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 12042, (int64_t)length, (int64_t)4))));12043 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);12044 memset(ssl_session->handshake_data.data + old_length, 0, length);12045 ssl_session->handshake_data.data_len += length;12046 }12047 }12048}12049 12050 12051/*12052 * Editor modelines - https://www.wireshark.org/tools/modelines.html12053 *12054 * Local variables:12055 * c-basic-offset: 412056 * tab-width: 812057 * indent-tabs-mode: nil12058 * End:12059 *12060 * vi: set shiftwidth=4 tabstop=8 expandtab:12061 * :indentSize=4:tabSize=8:noTabs=true:12062 */