Bug Summary

File:builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
Warning:line 4942, column 17
Potential leak of memory pointed to by 'handshake_hashed_data.data'

Annotated Source Code

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-22/lib/clang/22 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D CARES_NO_DEPRECATED -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-22/lib/clang/22/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/16/../../../../x86_64-linux-gnu/include -internal-externc-isystem 
/usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu17 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -fdwarf2-cfi-asm -o /builds/wireshark/wireshark/sbout/2026-06-04-100425-3529-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
/* packet-tls-utils.c
 * SSL/TLS manipulation functions
 * By Paolo Abeni <[email protected]>
 *
 * Copyright (c) 2013, Hauke Mehrtens <[email protected]>
 * Copyright (c) 2014, Peter Wu <[email protected]>
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <[email protected]>
 * Copyright 1998 Gerald Combs
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 */
14
15#include "config.h"
16
17#include <stdlib.h>
18#include <errno(*__errno_location ()).h>
19
20#include <epan/packet.h>
21#include <epan/strutil.h>
22#include <epan/addr_resolv.h>
23#include <epan/expert.h>
24#include <epan/asn1.h>
25#include <epan/proto_data.h>
26#include <epan/oids.h>
27#include <epan/secrets.h>
28
29#include <wsutil/inet_cidr.h>
30#include <wsutil/filesystem.h>
31#include <wsutil/file_util.h>
32#include <wsutil/str_util.h>
33#include <wsutil/report_message.h>
34#include <wsutil/pint.h>
35#include <wsutil/strtoi.h>
36#include <wsutil/wsgcrypt.h>
37#include <wsutil/rsa.h>
38#include <wsutil/ws_assert.h>
39#include <wsutil/zlib_compat.h>
40#include "packet-ber.h"
41#include "packet-x509af.h"
42#include "packet-x509if.h"
43#include "packet-tls-utils.h"
44#include "packet-ocsp.h"
45#include "packet-tls.h"
46#include "packet-dtls.h"
47#include "packet-quic.h"
48#if defined(HAVE_LIBGNUTLS1)
49#include <gnutls/abstract.h>
50#include <gnutls/x509.h>
51#include <gnutls/pkcs12.h>
52#endif
53
/* JA3/JA3S calculations must ignore GREASE values
 * as described in RFC 8701.
 *
 * A GREASE code point is a 16-bit value of the form 0x?A?A whose two
 * bytes are equal (0x0a0a, 0x1a1a, ..., 0xfafa): the test below checks
 * that the low nibble of each byte is 0xa and that the high byte equals
 * the low byte.  `x` is evaluated more than once, so pass an expression
 * without side effects.
 */
#define IS_GREASE_TLS(x) ((((x) & 0x0f0f) == 0x0a0a) && \
                          (((x) & 0xff) == (((x)>>8) & 0xff)))

/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
 * form for a similar purpose as GREASE.
 *
 * Matches 27 + 31*N for N >= 1; 27 itself and anything smaller is
 * never treated as reserved (the `> 27` guard also keeps the
 * subtraction from going negative).  `x` is evaluated more than once.
 */
#define IS_GREASE_QUIC(x) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)

/* Upper bound on the DTLS 1.3 epoch number this dissector tracks. */
#define DTLS13_MAX_EPOCH 10
66
67/* Lookup tables {{{ */
/* Short protocol names keyed by the on-the-wire version number,
 * intended for compact display (column text, summaries).
 * Terminated by the { 0, NULL } sentinel required by value_string. */
const value_string ssl_version_short_names[] = {
    { SSLV2_VERSION,                "SSLv2" },
    { SSLV3_VERSION,                "SSLv3" },
    { TLSV1_VERSION,                "TLSv1" },
    { TLCPV1_VERSION,               "TLCP" },
    { TLSV1DOT1_VERSION,            "TLSv1.1" },
    { TLSV1DOT2_VERSION,            "TLSv1.2" },
    { TLSV1DOT3_VERSION,            "TLSv1.3" },
    { DTLSV1DOT0_VERSION,           "DTLSv1.0" },
    { DTLSV1DOT2_VERSION,           "DTLSv1.2" },
    { DTLSV1DOT3_VERSION,           "DTLSv1.3" },
    { DTLSV1DOT0_OPENSSL_VERSION,   "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
    { 0x00, NULL }
};
82
/* Long protocol names keyed by the on-the-wire version number.
 * Besides the released versions this also names the TLS 1.3 draft
 * versions (0x7Fxx / Facebook 0xFBxx) and the sixteen RFC 8701 GREASE
 * values, which are exactly the values IS_GREASE_TLS() matches, so a
 * GREASE version seen in a supported_versions list is labelled rather
 * than shown as "Unknown". */
const value_string ssl_versions[] = {
    { SSLV2_VERSION,                "SSL 2.0" },
    { SSLV3_VERSION,                "SSL 3.0" },
    { TLSV1_VERSION,                "TLS 1.0" },
    { TLCPV1_VERSION,               "TLCP" },
    { TLSV1DOT1_VERSION,            "TLS 1.1" },
    { TLSV1DOT2_VERSION,            "TLS 1.2" },
    { TLSV1DOT3_VERSION,            "TLS 1.3" },
    { 0x7F0E,                       "TLS 1.3 (draft 14)" },
    { 0x7F0F,                       "TLS 1.3 (draft 15)" },
    { 0x7F10,                       "TLS 1.3 (draft 16)" },
    { 0x7F11,                       "TLS 1.3 (draft 17)" },
    { 0x7F12,                       "TLS 1.3 (draft 18)" },
    { 0x7F13,                       "TLS 1.3 (draft 19)" },
    { 0x7F14,                       "TLS 1.3 (draft 20)" },
    { 0x7F15,                       "TLS 1.3 (draft 21)" },
    { 0x7F16,                       "TLS 1.3 (draft 22)" },
    { 0x7F17,                       "TLS 1.3 (draft 23)" },
    { 0x7F18,                       "TLS 1.3 (draft 24)" },
    { 0x7F19,                       "TLS 1.3 (draft 25)" },
    { 0x7F1A,                       "TLS 1.3 (draft 26)" },
    { 0x7F1B,                       "TLS 1.3 (draft 27)" },
    { 0x7F1C,                       "TLS 1.3 (draft 28)" },
    { 0xFB17,                       "TLS 1.3 (Facebook draft 23)" },
    { 0xFB1A,                       "TLS 1.3 (Facebook draft 26)" },
    { DTLSV1DOT0_OPENSSL_VERSION,   "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
    { DTLSV1DOT0_VERSION,           "DTLS 1.0" },
    { DTLSV1DOT2_VERSION,           "DTLS 1.2" },
    { DTLSV1DOT3_VERSION,           "DTLS 1.3" },
    { 0x0A0A,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x1A1A,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x2A2A,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x3A3A,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x4A4A,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x5A5A,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x6A6A,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x7A7A,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x8A8A,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x9A9A,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xAAAA,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xBABA,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xCACA,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xDADA,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xEAEA,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xFAFA,                       "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x00, NULL }
};
130
/* Two-character version tokens used when building JA4 fingerprints,
 * keyed by the on-the-wire version number.  File-local: JA4 strings are
 * assembled in this file.  0x0100 is the pre-0.9.8f OpenSSL DTLS value
 * and maps to "s1" here, so keep it in sync with
 * DTLSV1DOT0_OPENSSL_VERSION if that constant ever changes. */
static const value_string ssl_version_ja4_names[] = {
    { 0x0100,                       "s1" },
    { SSLV2_VERSION,                "s2" },
    { SSLV3_VERSION,                "s3" },
    { TLSV1_VERSION,                "10" },
    { TLSV1DOT1_VERSION,            "11" },
    { TLSV1DOT2_VERSION,            "12" },
    { TLSV1DOT3_VERSION,            "13" },
    { DTLSV1DOT0_VERSION,           "d1" },
    { DTLSV1DOT2_VERSION,           "d2" },
    { DTLSV1DOT3_VERSION,           "d3" },
    { 0x00, NULL }
};
144
/* SSLv2 handshake message types (the first byte of an SSLv2 record body). */
const value_string ssl_20_msg_types[] = {
    { SSL2_HND_ERROR,               "Error" },
    { SSL2_HND_CLIENT_HELLO,        "Client Hello" },
    { SSL2_HND_CLIENT_MASTER_KEY,   "Client Master Key" },
    { SSL2_HND_CLIENT_FINISHED,     "Client Finished" },
    { SSL2_HND_SERVER_HELLO,        "Server Hello" },
    { SSL2_HND_SERVER_VERIFY,       "Server Verify" },
    { SSL2_HND_SERVER_FINISHED,     "Server Finished" },
    { SSL2_HND_REQUEST_CERTIFICATE, "Request Certificate" },
    { SSL2_HND_CLIENT_CERTIFICATE,  "Client Certificate" },
    { 0x00, NULL }
};
/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
/* Note: sorted by ascending value so value_string-ext can do a binary search.
 * Keys are the 3-byte SSLv2 cipher-kind encoding: a TLS cipher suite
 * appearing in an SSLv2 ClientHello is 0x00 followed by its two-byte id,
 * while native SSLv2 kinds use a non-zero first byte (see the note before
 * the SSL2_* entries).  New entries must be inserted in numeric order or
 * the binary search breaks silently.  The table is file-local; callers use
 * ssl_20_cipher_suites_ext. */
static const value_string ssl_20_cipher_suites[] = {
    { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
    { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
    { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
    { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
    { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
    { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
    { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
    { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
    { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
    { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
    { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
    { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
    { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
    { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
    { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
    { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
    { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
    { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
    { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
    { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
    { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
    /* The FORTEZZA RC4 entry shares value 0x1e with the RFC 2712 KRB5
     * entry below; only one may be present, so it stays disabled. */
#if 0
    { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
#endif
    /* RFC 2712 */
    { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
    { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
    { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
    { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
    { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
    { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
    { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
    { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
    { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
    { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
    { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
    { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
    { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
    { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
    /* RFC 4785 */
    { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
    { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
    { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
    /* RFC 5246 */
    { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
    { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
    { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
    { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
    { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
    { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
    { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
    { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
    { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
    { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
    { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
    { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
    { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
    { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
    { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
    { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
    { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
    { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
    { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
    { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
    { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
    { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
    { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
    { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
    { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
    { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
    { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
    { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
    { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
    { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
    { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
    { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
    { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
    { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
    /* 0x00,0x6E-83 Unassigned */
    { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
    /* RFC 4279 */
    { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
    { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
    { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
    { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
    { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
    { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
    { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
    { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
    { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
    /* RFC 4162 */
    { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
    { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
    { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
    { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
    { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
    { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
    /* RFC 5288 */
    { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
    { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
    { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
    { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
    { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
    { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
    /* RFC 5487 */
    { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
    { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
    { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
    { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
    { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
    { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
    { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
    { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
    { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
    { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
    { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
    { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
    /* From RFC 5932 */
    { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
    /* 0x00,0xC6-FE Unassigned */
    { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
    /* 0x01-BF,* Unassigned */
    /* From RFC 4492 */
    { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
    { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
    { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
    { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
    { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
    { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
    { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
    { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
    { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
    { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
    { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
    { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
    { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
    { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
    { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
    { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
    { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
    { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
    { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
    { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
    { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
    /* RFC 5054 */
    { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
    { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
    { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
    { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
    { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
    { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
    { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
    /* RFC 5589 */
    { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
    { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
    { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
    { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
    { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
    { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
    { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
    { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
    { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
    { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
    { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
    /* RFC 5489 */
    { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
    { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
    { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
    { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
    { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
    { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
    /* 0xC0,0x3C-FF Unassigned
       0xC1-FD,*    Unassigned
       0xFE,0x00-FD Unassigned
       0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
       0xFF,0x00-FF Reserved for Private Use [RFC5246]
    */

    /* old numbers used in the beginning
     * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
    { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },

    /* https://tools.ietf.org/html/rfc7905 */
    { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },

    /* GM/T 0024-2014 */
    { 0x00e001, "ECDHE_SM1_SM3" },
    { 0x00e003, "ECC_SM1_SM3" },
    { 0x00e005, "IBSDH_SM1_SM3" },
    { 0x00e007, "IBC_SM1_SM3" },
    { 0x00e009, "RSA_SM1_SM3" },
    { 0x00e00a, "RSA_SM1_SHA1" },
    { 0x00e011, "ECDHE_SM4_CBC_SM3" },
    { 0x00e013, "ECC_SM4_CBC_SM3" },
    { 0x00e015, "IBSDH_SM4_CBC_SM3" },
    { 0x00e017, "IBC_SM4_CBC_SM3" },
    { 0x00e019, "RSA_SM4_CBC_SM3" },
    { 0x00e01a, "RSA_SM4_CBC_SHA1" },
    { 0x00e01c, "RSA_SM4_CBC_SHA256" },
    { 0x00e051, "ECDHE_SM4_GCM_SM3" },
    { 0x00e053, "ECC_SM4_GCM_SM3" },
    { 0x00e055, "IBSDH_SM4_GCM_SM3" },
    { 0x00e057, "IBC_SM4_GCM_SM3" },
    { 0x00e059, "RSA_SM4_GCM_SM3" },
    { 0x00e05a, "RSA_SM4_GCM_SHA256" },

    /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
    { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
    { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
    { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
    { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
    { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
    { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
    { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
    { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },

    /* these from http://www.mozilla.org/projects/
       security/pki/nss/ssl/fips-ssl-ciphersuites.html
       Two code points are listed there for each FIPS suite, so the
       duplicated names below are intentional. */
    { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
    { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
    { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
    { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
    /* note that ciphersuites of {0x00????} are TLS cipher suites in
     * a sslv2 client hello message; the ???? above is the two-byte
     * tls cipher suite id
     */

    { 0x010080, "SSL2_RC4_128_WITH_MD5" },
    { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
    { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
    { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
    { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
    { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
    { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
    { 0x080080, "SSL2_RC4_64_WITH_MD5" },

    { 0x00, NULL }
};
478
/* Extended (binary-searchable) view of ssl_20_cipher_suites; this is the
 * symbol other dissectors use.  The ascending order of the backing table
 * is what makes the ext lookup valid. */
value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites);
480
481
/*
 * Supported Groups (formerly named "EC Named Curve").
 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
 *
 * Keys are the 16-bit NamedGroup values.  This table is NOT sorted (the
 * OQS test values at the end are interleaved) and is used with plain
 * value_string lookups only — do not wrap it in VALUE_STRING_EXT_INIT
 * without sorting it first.
 */
const value_string ssl_extension_curves[] = {
    { 1,      "sect163k1" },
    { 2,      "sect163r1" },
    { 3,      "sect163r2" },
    { 4,      "sect193r1" },
    { 5,      "sect193r2" },
    { 6,      "sect233k1" },
    { 7,      "sect233r1" },
    { 8,      "sect239k1" },
    { 9,      "sect283k1" },
    { 10,     "sect283r1" },
    { 11,     "sect409k1" },
    { 12,     "sect409r1" },
    { 13,     "sect571k1" },
    { 14,     "sect571r1" },
    { 15,     "secp160k1" },
    { 16,     "secp160r1" },
    { 17,     "secp160r2" },
    { 18,     "secp192k1" },
    { 19,     "secp192r1" },
    { 20,     "secp224k1" },
    { 21,     "secp224r1" },
    { 22,     "secp256k1" },
    { 23,     "secp256r1" },
    { 24,     "secp384r1" },
    { 25,     "secp521r1" },
    { 26,     "brainpoolP256r1" }, /* RFC 7027 */
    { 27,     "brainpoolP384r1" }, /* RFC 7027 */
    { 28,     "brainpoolP512r1" }, /* RFC 7027 */
    { 29,     "x25519" },          /* RFC 8446 / RFC 8422 */
    { 30,     "x448" },            /* RFC 8446 / RFC 8422 */
    { 31,     "brainpoolP256r1tls13" }, /* RFC8734 */
    { 32,     "brainpoolP384r1tls13" }, /* RFC8734 */
    { 33,     "brainpoolP512r1tls13" }, /* RFC8734 */
    { 34,     "GC256A" }, /* RFC9189 */
    { 35,     "GC256B" }, /* RFC9189 */
    { 36,     "GC256C" }, /* RFC9189 */
    { 37,     "GC256D" }, /* RFC9189 */
    { 38,     "GC512A" }, /* RFC9189 */
    { 39,     "GC512B" }, /* RFC9189 */
    { 40,     "GC512C" }, /* RFC9189 */
    { 41,     "curveSM2" }, /* RFC 8998 */
    { 256,    "ffdhe2048" }, /* RFC 7919 */
    { 257,    "ffdhe3072" }, /* RFC 7919 */
    { 258,    "ffdhe4096" }, /* RFC 7919 */
    { 259,    "ffdhe6144" }, /* RFC 7919 */
    { 260,    "ffdhe8192" }, /* RFC 7919 */
    { 512,    "MLKEM512" },  /* draft-connolly-tls-mlkem-key-agreement-03 */
    { 513,    "MLKEM768" },  /* draft-connolly-tls-mlkem-key-agreement-03 */
    { 514,    "MLKEM1024" }, /* draft-connolly-tls-mlkem-key-agreement-03 */
    { 2570,   "Reserved (GREASE)" }, /* RFC 8701 */
    { 4587,   "SecP256r1MLKEM768" },  /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
    { 4588,   "X25519MLKEM768" },     /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
    { 4589,   "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
    { 6682,   "Reserved (GREASE)" }, /* RFC 8701 */
    { 10794,  "Reserved (GREASE)" }, /* RFC 8701 */
    { 14906,  "Reserved (GREASE)" }, /* RFC 8701 */
    { 19018,  "Reserved (GREASE)" }, /* RFC 8701 */
    { 23130,  "Reserved (GREASE)" }, /* RFC 8701 */
    { 25497,  "X25519Kyber768Draft00 (OBSOLETE)" },    /* draft-tls-westerbaan-xyber768d00-02 */
    { 25498,  "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
    { 27242,  "Reserved (GREASE)" }, /* RFC 8701 */
    { 31354,  "Reserved (GREASE)" }, /* RFC 8701 */
    { 35466,  "Reserved (GREASE)" }, /* RFC 8701 */
    { 39578,  "Reserved (GREASE)" }, /* RFC 8701 */
    { 43690,  "Reserved (GREASE)" }, /* RFC 8701 */
    { 47802,  "Reserved (GREASE)" }, /* RFC 8701 */
    { 51914,  "Reserved (GREASE)" }, /* RFC 8701 */
    { 56026,  "Reserved (GREASE)" }, /* RFC 8701 */
    { 60138,  "Reserved (GREASE)" }, /* RFC 8701 */
    { 64250,  "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xFF01, "arbitrary_explicit_prime_curves" },
    { 0xFF02, "arbitrary_explicit_char2_curves" },
    /* Below are various unofficial values that have been used for testing. */
    /* PQC key exchange algorithms from OQS-OpenSSL,
       see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
       These use IANA unassigned values and this list may be incomplete.
       Because they are unassigned, a value here may later be allocated by
       IANA to something else; prefer the official entries above when a
       value appears in both. */
    { 0x2F00, "p256_frodo640aes" },
    { 0x2F01, "p256_frodo640shake" },
    { 0x2F02, "p384_frodo976aes" },
    { 0x0203, "frodo976shake" },
    { 0x2F03, "p384_frodo976shake" },
    { 0x0204, "frodo1344aes" },
    { 0x2F04, "p521_frodo1344aes" },
    { 0x0205, "frodo1344shake" },
    { 0x2F05, "p521_frodo1344shake" },
    { 0x023A, "kyber512" },
    { 0x2F3A, "p256_kyber512" },
    { 0x023C, "kyber768" },
    { 0x2F3C, "p384_kyber768" },
    { 0x023D, "kyber1024" },
    { 0x2F3D, "p521_kyber1024" },
    { 0x0214, "ntru_hps2048509" },
    { 0x2F14, "p256_ntru_hps2048509" },
    { 0x0215, "ntru_hps2048677" },
    { 0x2F15, "p384_ntru_hps2048677" },
    { 0x0216, "ntru_hps4096821" },
    { 0x2F16, "p521_ntru_hps4096821" },
    { 0x0245, "ntru_hps40961229" },
    { 0x2F45, "p521_ntru_hps40961229" },
    { 0x0217, "ntru_hrss701" },
    { 0x2F17, "p384_ntru_hrss701" },
    { 0x0246, "ntru_hrss1373" },
    { 0x2F46, "p521_ntru_hrss1373" },
    { 0x0218, "lightsaber" },
    { 0x2F18, "p256_lightsaber" },
    { 0x0219, "saber" },
    { 0x2F19, "p384_saber" },
    { 0x021A, "firesaber" },
    { 0x2F1A, "p521_firesaber" },
    { 0x021B, "sidhp434" },
    { 0x2F1B, "p256_sidhp434" },
    { 0x021C, "sidhp503" },
    { 0x2F1C, "p256_sidhp503" },
    { 0x021D, "sidhp610" },
    { 0x2F1D, "p384_sidhp610" },
    { 0x021E, "sidhp751" },
    { 0x2F1E, "p521_sidhp751" },
    { 0x021F, "sikep434" },
    { 0x2F1F, "p256_sikep434" },
    { 0x0220, "sikep503" },
    { 0x2F20, "p256_sikep503" },
    { 0x0221, "sikep610" },
    { 0x2F21, "p384_sikep610" },
    { 0x0222, "sikep751" },
    { 0x2F22, "p521_sikep751" },
    { 0x0238, "bikel1" },
    { 0x2F38, "p256_bikel1" },
    { 0x023B, "bikel3" },
    { 0x2F3B, "p384_bikel3" },
    { 0x023E, "kyber90s512" },
    { 0x2F3E, "p256_kyber90s512" },
    { 0x023F, "kyber90s768" },
    { 0x2F3F, "p384_kyber90s768" },
    { 0x0240, "kyber90s1024" },
    { 0x2F40, "p521_kyber90s1024" },
    { 0x022C, "hqc128" },
    { 0x2F2C, "p256_hqc128" },
    { 0x022D, "hqc192" },
    { 0x2F2D, "p384_hqc192" },
    { 0x022E, "hqc256" },
    { 0x2F2E, "p521_hqc256" },
    { 0x022F, "ntrulpr653" },
    { 0x2F2F, "p256_ntrulpr653" },
    { 0x0230, "ntrulpr761" },
    { 0x2F43, "p256_ntrulpr761" },
    { 0x0231, "ntrulpr857" },
    { 0x2F31, "p384_ntrulpr857" },
    { 0x0241, "ntrulpr1277" },
    { 0x2F41, "p521_ntrulpr1277" },
    { 0x0232, "sntrup653" },
    { 0x2F32, "p256_sntrup653" },
    { 0x0233, "sntrup761" },
    { 0x2F44, "p256_sntrup761" },
    { 0x0234, "sntrup857" },
    { 0x2F34, "p384_sntrup857" },
    { 0x0242, "sntrup1277" },
    { 0x2F42, "p521_sntrup1277" },
    /* Other PQ key exchange algorithms, using Reserved for Private Use values
       https://blog.cloudflare.com/post-quantum-for-all
       https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
    { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
    { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
    { 0x00, NULL }
};
652
653const value_string ssl_curve_types[] = {
654 { 1, "explicit_prime" },
655 { 2, "explicit_char2" },
656 { 3, "named_curve" },
657 { 0x00, NULL((void*)0) }
658};
659
660const value_string ssl_extension_ec_point_formats[] = {
661 { 0, "uncompressed" },
662 { 1, "ansiX962_compressed_prime" },
663 { 2, "ansiX962_compressed_char2" },
664 { 0x00, NULL((void*)0) }
665};
666
667const value_string ssl_20_certificate_type[] = {
668 { 0x00, "N/A" },
669 { 0x01, "X.509 Certificate" },
670 { 0x00, NULL((void*)0) }
671};
672
/* TLS record-layer ContentType -> display name.
 * 20-23 are the core record types; 24 (Heartbeat) and 25 (Connection ID)
 * are extension-defined record types that the dissector also recognises. */
const value_string ssl_31_content_type[] = {
    { 20, "Change Cipher Spec" },
    { 21, "Alert" },
    { 22, "Handshake" },
    { 23, "Application Data" },
    { 24, "Heartbeat" },
    { 25, "Connection ID" },
    { 0x00, NULL }
};
682
#if 0
/* XXX - would be used if we dissected the body of a Change Cipher Spec
   message. */
/* Disabled definition, retained for reference; it is not compiled in. */
const value_string ssl_31_change_cipher_spec[] = {
    { 1, "Change Cipher Spec" },
    { 0x00, NULL }
};
#endif
691
/* TLS AlertLevel -> display name. */
const value_string ssl_31_alert_level[] = {
    { 1, "Warning" },
    { 2, "Fatal" },
    { 0x00, NULL }
};
697
/* TLS AlertDescription -> display name.
 * Covers the SSL 3.0 / TLS 1.0-1.3 alert codes plus the extension-defined
 * ones (e.g. 86 Inappropriate Fallback, 120 No application Protocol,
 * 121 ECH Required).  Value 0 "Close Notify" is a real entry; the table is
 * terminated by the NULL-named sentinel, not by the zero value. */
const value_string ssl_31_alert_description[] = {
    { 0, "Close Notify" },
    { 1, "End of Early Data" },
    { 10, "Unexpected Message" },
    { 20, "Bad Record MAC" },
    { 21, "Decryption Failed" },
    { 22, "Record Overflow" },
    { 30, "Decompression Failure" },
    { 40, "Handshake Failure" },
    { 41, "No Certificate" },
    { 42, "Bad Certificate" },
    { 43, "Unsupported Certificate" },
    { 44, "Certificate Revoked" },
    { 45, "Certificate Expired" },
    { 46, "Certificate Unknown" },
    { 47, "Illegal Parameter" },
    { 48, "Unknown CA" },
    { 49, "Access Denied" },
    { 50, "Decode Error" },
    { 51, "Decrypt Error" },
    { 60, "Export Restriction" },
    { 70, "Protocol Version" },
    { 71, "Insufficient Security" },
    { 80, "Internal Error" },
    { 86, "Inappropriate Fallback" },
    { 90, "User Canceled" },
    { 100, "No Renegotiation" },
    { 109, "Missing Extension" },
    { 110, "Unsupported Extension" },
    { 111, "Certificate Unobtainable" },
    { 112, "Unrecognized Name" },
    { 113, "Bad Certificate Status Response" },
    { 114, "Bad Certificate Hash Value" },
    { 115, "Unknown PSK Identity" },
    { 116, "Certificate Required" },
    { 120, "No application Protocol" },
    { 121, "ECH Required" },
    { 0x00, NULL }
};
737
/* HandshakeType -> display name.  Keys are the SSL_HND_* constants from the
 * header rather than literal numbers.
 *
 * NOTE(review): SSL_HND_ENCRYPTED_EXTENSIONS and SSL_HND_ENCRYPTED_EXTS are
 * two distinct codes that both render as "Encrypted Extensions"; if they
 * are meant to be telling the two apart in the tree, give the second one a
 * distinguishable label. */
const value_string ssl_31_handshake_type[] = {
    { SSL_HND_HELLO_REQUEST, "Hello Request" },
    { SSL_HND_CLIENT_HELLO, "Client Hello" },
    { SSL_HND_SERVER_HELLO, "Server Hello" },
    { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
    { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
    { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
    { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
    { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
    { SSL_HND_CERTIFICATE, "Certificate" },
    { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
    { SSL_HND_CERT_REQUEST, "Certificate Request" },
    { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
    { SSL_HND_CERT_VERIFY, "Certificate Verify" },
    { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
    { SSL_HND_FINISHED, "Finished" },
    { SSL_HND_CERT_URL, "Client Certificate URL" },
    { SSL_HND_CERT_STATUS, "Certificate Status" },
    { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
    { SSL_HND_KEY_UPDATE, "Key Update" },
    { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
    { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
    { 0x00, NULL }
};
762
/* Heartbeat message type -> display name (heartbeat extension). */
const value_string tls_heartbeat_type[] = {
    { 1, "Request" },
    { 2, "Response" },
    { 0x00, NULL }
};
768
/* HeartbeatMode (negotiated in the heartbeat hello extension) -> display
 * name. */
const value_string tls_heartbeat_mode[] = {
    { 1, "Peer allowed to send requests" },
    { 2, "Peer not allowed to send requests" },
    { 0x00, NULL }
};
774
/* CompressionMethod -> display name.
 * Value 0 "null" is the real no-compression entry; the NULL-named sentinel
 * terminates the table. */
const value_string ssl_31_compression_method[] = {
    { 0, "null" },
    { 1, "DEFLATE" },
    { 64, "LZS" },
    { 0x00, NULL }
};
781
#if 0
/* XXX - would be used if we dissected a Signature, as would be
   seen in a server key exchange or certificate verify message. */
/* Disabled definitions, retained for reference; neither table is compiled
   in. */
const value_string ssl_31_key_exchange_algorithm[] = {
    { 0, "RSA" },
    { 1, "Diffie Hellman" },
    { 0x00, NULL }
};

const value_string ssl_31_signature_algorithm[] = {
    { 0, "Anonymous" },
    { 1, "RSA" },
    { 2, "DSA" },
    { 0x00, NULL }
};
#endif
798
/* ClientCertificateType (CertificateRequest) -> display name.
 * Mixes the base TLS values, the GOST values from the CryptoPro draft and
 * the ECC/IBC values; the list is kept in ascending numeric order. */
const value_string ssl_31_client_certificate_type[] = {
    { 1, "RSA Sign" },
    { 2, "DSS Sign" },
    { 3, "RSA Fixed DH" },
    { 4, "DSS Fixed DH" },
    /* GOST certificate types */
    /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
    { 21, "GOST R 34.10-94" },
    { 22, "GOST R 34.10-2001" },
    /* END GOST certificate types */
    { 64, "ECDSA Sign" },
    { 65, "RSA Fixed ECDH" },
    { 66, "ECDSA Fixed ECDH" },
    { 80, "IBC Params" },
    { 0x00, NULL }
};
815
#if 0
/* XXX - would be used if we dissected exchange keys, as would be
   seen in a client key exchange message. */
/* Disabled definition, retained for reference; it is not compiled in. */
const value_string ssl_31_public_value_encoding[] = {
    { 0, "Implicit" },
    { 1, "Explicit" },
    { 0x00, NULL }
};
#endif
825
/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
/*
 * Cipher suite code point -> display name.
 *
 * This is a naming table only.  It says nothing about whether a suite is
 * acceptable: NULL, export-grade, RC4, DES and other long-deprecated suites
 * are listed on purpose so that a capture of a legacy or downgraded
 * handshake still decodes to a recognisable name instead of "Unknown".
 *
 * Invariants to preserve when editing:
 *  - Entries MUST stay sorted by ascending value (see the note above); the
 *    value_string_ext wrapper defined right after this table depends on it,
 *    and an out-of-order entry is not caught at compile time.
 *  - The final { 0x00, NULL } is the sentinel.  0x0000
 *    TLS_NULL_WITH_NULL_NULL at the top is a real code point; the lookup
 *    terminates on the NULL name, not on the zero value.
 *  - Several distinct code points deliberately share a display name
 *    (draft vs. RFC 7905 ChaCha20 suites, the FIPS SSL suites in the
 *    0xfe.. and 0xffe. ranges, the two GOST 28147_CNT_IMIT assignments).
 *    This is historical, not a copy/paste error.
 */
static const value_string ssl_31_ciphersuite[] = {
    /* RFC 2246, RFC 4346, RFC 5246 */
    { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
    { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
    { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
    { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
    { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
    { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
    { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
    { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
    { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
    { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
    { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
    { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
    { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
    { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
    { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
    { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
    { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
    { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
    { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },

    { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
    { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
         to remove according to David Hopwood <[email protected]>
         of the ietf-tls list */
    { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
#endif
    /* The code point 0x001E is owned by the RFC 2712 KRB5 suite below; the
     * FORTEZZA entry above is kept disabled so the sorted table never
     * carries two entries for the same value. */
    /* RFC 2712 */
    { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
    { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
    { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
    { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
    { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
    { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
    { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
    { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
    { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
    { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
    { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
    { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
    { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
    { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
    /* RFC 4785 */
    { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
    { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
    { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
    /* RFC 5246 */
    { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
    { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
    { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
    { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
    { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
    { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
    { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
    { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
    { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
    { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
    { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
    { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
    { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
    { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
    { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
    { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
    /* RFC 4132 */
    { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
    /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
    /* --- ??? --- */
    { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
    { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
    /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
    { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
    { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
    { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
    { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
    { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
    /* --- ??? ---*/
    { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
    { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
    { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
    { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
    { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
    { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
    /* draft-chudov-cryptopro-cptls-04.txt */
    { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
    { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
    { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
    { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
    /* RFC 4132 */
    { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
    /* RFC 4279 */
    { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
    { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
    { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
    { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
    { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
    { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
    { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
    { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
    { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
    /* RFC 4162 */
    { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
    { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
    { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
    { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
    { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
    { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
    /* RFC 5288 */
    { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
    { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
    { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
    { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
    { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
    { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
    /* RFC 5487 */
    { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
    { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
    { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
    { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
    { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
    { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
    { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
    { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
    { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
    { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
    { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
    { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
    /* From RFC 5932 */
    { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
    /* RFC 8998 */
    { 0x00C6, "TLS_SM4_GCM_SM3" },
    { 0x00C7, "TLS_SM4_CCM_SM3" },
    /* 0x00,0xC8-FE Unassigned */
    /* From RFC 5746 */
    { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
    /* RFC 8701 */
    { 0x0A0A, "Reserved (GREASE)" },
    /* RFC 8446 */
    { 0x1301, "TLS_AES_128_GCM_SHA256" },
    { 0x1302, "TLS_AES_256_GCM_SHA384" },
    { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
    { 0x1304, "TLS_AES_128_CCM_SHA256" },
    { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
    /* RFC 8701 */
    { 0x1A1A, "Reserved (GREASE)" },
    { 0x2A2A, "Reserved (GREASE)" },
    { 0x3A3A, "Reserved (GREASE)" },
    { 0x4A4A, "Reserved (GREASE)" },
    /* From RFC 7507 */
    { 0x5600, "TLS_FALLBACK_SCSV" },
    /* RFC 8701 */
    { 0x5A5A, "Reserved (GREASE)" },
    { 0x6A6A, "Reserved (GREASE)" },
    { 0x7A7A, "Reserved (GREASE)" },
    { 0x8A8A, "Reserved (GREASE)" },
    { 0x9A9A, "Reserved (GREASE)" },
    { 0xAAAA, "Reserved (GREASE)" },
    { 0xBABA, "Reserved (GREASE)" },
    /* From RFC 4492 */
    { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
    { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
    { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
    { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
    { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
    { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
    { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
    { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
    { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
    { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
    { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
    { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
    { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
    { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
    { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
    { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
    { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
    { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
    { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
    { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
    { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
    { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
    { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
    /* RFC 5054 */
    { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
    { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
    { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
    { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
    { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
    { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
    { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
    { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
    /* RFC 5589 */
    { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
    { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
    { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
    { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
    { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
    { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
    { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
    { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
    { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
    { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
    { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
    { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
    { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
    { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
    { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
    { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
    /* RFC 5489 */
    { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
    { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
    { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
    { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
    { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
    { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
    { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
    { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
    /* RFC 6209 */
    { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
    { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
    { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
    { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
    { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
    { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
    { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
    { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
    { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
    { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
    { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
    { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
    { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
    { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
    { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
    { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
    { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
    { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
    { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
    { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
    { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
    { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
    { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
    { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
    { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
    { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
    { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
    { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
    { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
    { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
    { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
    { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
    { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
    { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
    { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
    { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
    { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
    { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
    { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
    { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
    { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
    { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
    { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
    { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
    { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
    { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
    { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
    { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
    { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
    { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
    { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
    { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
    { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
    { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
    /* RFC 6367 */
    { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
    { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
    { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
    { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
    { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
    { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
    { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
    { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
    /* RFC 6655 */
    { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
    { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
    { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
    { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
    { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
    { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
    { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
    { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
    { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
    { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
    { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
    { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
    { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
    { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
    { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
    { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
    /* RFC 7251 */
    { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
    { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
    { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
    { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
    /* RFC 8492 */
    { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
    { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
    { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
    { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
    /* draft-camwinget-tls-ts13-macciphersuites */
    { 0xC0B4, "TLS_SHA256_SHA256" },
    { 0xC0B5, "TLS_SHA384_SHA384" },
    /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
    { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
    /* draft-smyshlyaev-tls12-gost-suites */
    { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
    { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
    { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
    /* draft-smyshlyaev-tls13-gost-suites */
    { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
    { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
    { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
    { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
    /* RFC 8701 */
    { 0xCACA, "Reserved (GREASE)" },
/*
0xC0,0xAB-FF Unassigned
0xC1,0x03-FD,* Unassigned
0xFE,0x00-FD Unassigned
0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
0xFF,0x00-FF Reserved for Private Use [RFC5246]
*/
    /* old numbers used in the beginning
     * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
    /* The three draft code points below intentionally carry the same names
     * as their RFC 7905 successors at 0xCCA8-0xCCAA. */
    { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    /* RFC 7905 */
    { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    /* RFC 8442 */
    { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
    { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
    { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
    { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
    /* RFC 8701 */
    { 0xDADA, "Reserved (GREASE)" },
    /* GM/T 0024-2014 */
    { 0xe001, "ECDHE_SM1_SM3"},
    { 0xe003, "ECC_SM1_SM3"},
    { 0xe005, "IBSDH_SM1_SM3"},
    { 0xe007, "IBC_SM1_SM3"},
    { 0xe009, "RSA_SM1_SM3"},
    { 0xe00a, "RSA_SM1_SHA1"},
    { 0xe011, "ECDHE_SM4_CBC_SM3"},
    { 0xe013, "ECC_SM4_CBC_SM3"},
    { 0xe015, "IBSDH_SM4_CBC_SM3"},
    { 0xe017, "IBC_SM4_CBC_SM3"},
    { 0xe019, "RSA_SM4_CBC_SM3"},
    { 0xe01a, "RSA_SM4_CBC_SHA1"},
    { 0xe01c, "RSA_SM4_CBC_SHA256"},
    { 0xe051, "ECDHE_SM4_GCM_SM3"},
    { 0xe053, "ECC_SM4_GCM_SM3"},
    { 0xe055, "IBSDH_SM4_GCM_SM3"},
    { 0xe057, "IBC_SM4_GCM_SM3"},
    { 0xe059, "RSA_SM4_GCM_SM3"},
    { 0xe05a, "RSA_SM4_GCM_SHA256"},
    /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
    { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
    { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
    { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
    { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
    { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
    { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
    { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
    { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
    /* RFC 8701 */
    { 0xEAEA, "Reserved (GREASE)" },
    { 0xFAFA, "Reserved (GREASE)" },
    /* these from http://www.mozilla.org/projects/
       security/pki/nss/ssl/fips-ssl-ciphersuites.html */
    /* 0xfefe/0xfeff and 0xffe1/0xffe0 are two historical assignments of
     * the same two FIPS suites; both pairs are kept so either encoding
     * decodes to its name. */
    { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
    { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
    /* https://datatracker.ietf.org/doc/html/rfc9189 */
    /* Same name as 0xC102 above; RFC 9189 uses this private-range value. */
    { 0xff85, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"},
    { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
    { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
    /* note that ciphersuites 0xff00 - 0xffff are private */
    { 0x00, NULL }
};
1317
/* Extended-lookup wrapper over ssl_31_ciphersuite.
 * VALUE_STRING_EXT_INIT records the element count as the array length
 * minus one (the { 0x00, NULL } sentinel is excluded) together with the
 * table name, and starts with the _try_val_to_str_ext_init lookup which
 * picks the search strategy on first use.  The strategy it may pick relies
 * on the table being sorted by ascending value, which is why the comment
 * above the table insists on that order. */
value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite);
1319
1320/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1321const value_string tls_hello_extension_types[] = {
1322 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1323 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1324 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1325 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1326 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1327 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1328 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1329 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1330 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1331 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1332 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1333 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1334 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1335 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1336 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1337 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1338 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1339 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1340 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1341 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1342 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1343 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1344 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1345 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1346 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1347 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1348 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1349 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1350 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1351 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1352 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1353 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1354 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1355 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1356 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1357 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1358 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1359 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1360 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1363 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1364 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1365 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1366 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1367 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1368 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1369 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1370 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1371 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1372 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1373 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1374 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1375 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03 */
1376 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1377 { SSL_HND_HELLO_EXT_ALPS_OLD17513, "application_settings_old" }, /* draft-vvv-tls-alps-01 */
1378 { SSL_HND_HELLO_EXT_ALPS17613, "application_settings" }, /* draft-vvv-tls-alps-01 */ /* https://chromestatus.com/feature/5149147365900288 */
1379 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1381 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1382 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1383 https://twitter.com/ericlaw/status/274237352531083264 */
1384 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1385 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1386 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1387 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1389 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1390 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1391 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1392 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1393 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1395 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1396 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1397 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1398 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1399 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1400 { 0, NULL((void*)0) }
1401};
1402
/* RFC 6066 Section 3: NameType values carried in the server_name extension.
 * Only host_name (0) is defined; the { 0, NULL } entry terminates the table. */
const value_string tls_hello_ext_server_name_type_vs[] = {
    { 0, "host_name" },
    { 0, NULL }
};
1407
/* RFC 6066 Section 4: MaxFragmentLength codes from the max_fragment_length
 * extension. Code n (1..4) selects a 2^(n+8) byte maximum fragment length;
 * the strings carry the resulting byte count for display. */
const value_string tls_hello_ext_max_fragment_length[] = {
    { 1, "512" },  // 2^9
    { 2, "1024" }, // 2^10
    { 3, "2048" }, // 2^11
    { 4, "4096" }, // 2^12
    { 0, NULL }
};
1416
/* RFC 8446 Section 4.2.9: PskKeyExchangeMode values from the TLS 1.3
 * psk_key_exchange_modes extension. psk_ke (0) derives the handshake keys
 * from the PSK alone; psk_dhe_ke (1) additionally mixes in an (EC)DHE share,
 * which is what gives a PSK-resumed connection forward secrecy. */
const value_string tls_hello_ext_psk_ke_mode[] = {
    { 0, "PSK-only key establishment (psk_ke)" },
    { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
    { 0, NULL }
};
1423
/* RFC 6066 Section 6: IdentifierType values in the trusted_ca_keys extension,
 * i.e. how the client identifies each CA it trusts (pre-agreed, SHA-1 of the
 * CA key, X.509 name, or SHA-1 of the CA certificate). */
const value_string tls_hello_ext_trusted_ca_key_type[] = {
    {0, "pre_agreed"},
    {1, "key_sha1_hash"},
    {2, "x509_name"},
    {3, "cert_sha1_hash"},
    {0, NULL}
};
1432
/* RFC 8446 Section 4.6.3: KeyUpdateRequest values from the TLS 1.3 KeyUpdate
 * post-handshake message. update_requested (1) asks the peer to answer with
 * its own KeyUpdate so both directions rotate traffic keys. */
const value_string tls13_key_update_request[] = {
    { 0, "update_not_requested" },
    { 1, "update_requested" },
    { 0, NULL }
};
1438
1439/* RFC 5246 7.4.1.4.1 */
1440/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1441/* Note that the TLS 1.3 SignatureScheme registry reserves all values
1442 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1443 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1444 *
1445 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1446 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1447 * and TLS HashAlgorithm registries, but the new values are not compatible
1448 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1449 * cause confusion if used to interpret one of those schemes in a
1450 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1451 */
/* HashAlgorithm octet of a TLS 1.2 SignatureAndHashAlgorithm pair. Only the
 * RFC 5246 values are listed; see the note above for why the TLS 1.3-era
 * registry additions are deliberately kept out of this table. */
const value_string tls_hash_algorithm[] = {
    { 0, "None" },
    { 1, "MD5" },
    { 2, "SHA1" },
    { 3, "SHA224" },
    { 4, "SHA256" },
    { 5, "SHA384" },
    { 6, "SHA512" },
#if 0
    /* RFC 8422 adds this to the HashAlgorithm registry, but it really
     * only applies to 0x0807 and 0x0808, not for other TLS 1.3
     * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
     * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
     */
    { 8, "Intrinsic" },
#endif
    { 0, NULL }
};
1470
/* SignatureAlgorithm octet of a TLS 1.2 SignatureAndHashAlgorithm pair.
 * The disabled entries are the RFC 8422 / RFC 9189 additions; they are kept
 * out for the reason given above tls_hash_algorithm. */
const value_string tls_signature_algorithm[] = {
    { 0, "Anonymous" },
    { 1, "RSA" },
    { 2, "DSA" },
    { 3, "ECDSA" },
#if 0
    /* As above. */
    { 7, "ED25519" },
    { 8, "ED448" },
    { 64, "GOSTR34102012_256" },
    { 65, "GOSTR34102012_512" },
#endif
    { 0, NULL }
};
1485
/* RFC 8446 Section 4.2.3: TLS 1.3 SignatureScheme code points.
 * Entries below 0xfe00 come from the IANA registry or the cited drafts. The
 * 0xfeXX entries are private-use code points (RFC 8446 reserves
 * 0xFE00-0xFFFF for private use) taken from OQS-OpenSSL; they are not IANA
 * assignments, so a label here only says what that implementation means by
 * the value, and another experimental stack may reuse the same code point. */
const value_string tls13_signature_algorithm[] = {
    { 0x0201, "rsa_pkcs1_sha1" },
    { 0x0203, "ecdsa_sha1" },
    { 0x0401, "rsa_pkcs1_sha256" },
    { 0x0403, "ecdsa_secp256r1_sha256" },
    { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
    { 0x0501, "rsa_pkcs1_sha384" },
    { 0x0503, "ecdsa_secp384r1_sha384" },
    { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
    { 0x0601, "rsa_pkcs1_sha512" },
    { 0x0603, "ecdsa_secp521r1_sha512" },
    { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
    { 0x0704, "eccsi_sha256" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
    { 0x0705, "iso_ibs1" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
    { 0x0706, "iso_ibs2" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
    { 0x0707, "iso_chinese_ibs" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
    { 0x0708, "sm2sig_sm3" },
    { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
    { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
    { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
    { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
    { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
    { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
    { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
    { 0x0804, "rsa_pss_rsae_sha256" },
    { 0x0805, "rsa_pss_rsae_sha384" },
    { 0x0806, "rsa_pss_rsae_sha512" },
    { 0x0807, "ed25519" },
    { 0x0808, "ed448" },
    { 0x0809, "rsa_pss_pss_sha256" },
    { 0x080a, "rsa_pss_pss_sha384" },
    { 0x080b, "rsa_pss_pss_sha512" },
    { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
    { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
    { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
    { 0x0904, "mldsa44" }, /* draft-ietf-tls-mldsa-00 */
    { 0x0905, "mldsa65" }, /* draft-ietf-tls-mldsa-00 */
    { 0x0906, "mldsa87" }, /* draft-ietf-tls-mldsa-00 */
    { 0x0911, "slhdsa_sha2_128s" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0912, "slhdsa_sha2_128f" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0913, "slhdsa_sha2_192s" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0914, "slhdsa_sha2_192f" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0915, "slhdsa_sha2_256s" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0916, "slhdsa_sha2_256f" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0917, "slhdsa_shake_128s" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0918, "slhdsa_shake_128f" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0919, "slhdsa_shake_192s" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x091a, "slhdsa_shake_192f" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x091b, "slhdsa_shake_256s" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x091c, "slhdsa_shake_256f" }, /* draft-reddy-tls-slhdsa-01 */
    /* PQC digital signature algorithms from OQS-OpenSSL (private-use range),
       see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-sig-info.md */
    { 0xfea0, "dilithium2" },
    { 0xfea1, "p256_dilithium2" },
    { 0xfea2, "rsa3072_dilithium2" },
    { 0xfea3, "dilithium3" },
    { 0xfea4, "p384_dilithium3" },
    { 0xfea5, "dilithium5" },
    { 0xfea6, "p521_dilithium5" },
    { 0xfea7, "dilithium2_aes" },
    { 0xfea8, "p256_dilithium2_aes" },
    { 0xfea9, "rsa3072_dilithium2_aes" },
    { 0xfeaa, "dilithium3_aes" },
    { 0xfeab, "p384_dilithium3_aes" },
    { 0xfeac, "dilithium5_aes" },
    { 0xfead, "p521_dilithium5_aes" },
    { 0xfe0b, "falcon512" },
    { 0xfe0c, "p256_falcon512" },
    { 0xfe0d, "rsa3072_falcon512" },
    { 0xfe0e, "falcon1024" },
    { 0xfe0f, "p521_falcon1024" },
    { 0xfe96, "picnicl1full" },
    { 0xfe97, "p256_picnicl1full" },
    { 0xfe98, "rsa3072_picnicl1full" },
    { 0xfe1b, "picnic3l1" },
    { 0xfe1c, "p256_picnic3l1" },
    { 0xfe1d, "rsa3072_picnic3l1" },
    { 0xfe27, "rainbowIclassic" },
    { 0xfe28, "p256_rainbowIclassic" },
    { 0xfe29, "rsa3072_rainbowIclassic" },
    { 0xfe3c, "rainbowVclassic" },
    { 0xfe3d, "p521_rainbowVclassic" },
    { 0xfe42, "sphincsharaka128frobust" },
    { 0xfe43, "p256_sphincsharaka128frobust" },
    { 0xfe44, "rsa3072_sphincsharaka128frobust" },
    { 0xfe5e, "sphincssha256128frobust" },
    { 0xfe5f, "p256_sphincssha256128frobust" },
    { 0xfe60, "rsa3072_sphincssha256128frobust" },
    { 0xfe7a, "sphincsshake256128frobust" },
    { 0xfe7b, "p256_sphincsshake256128frobust" },
    { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
    { 0, NULL }
};
1580
/* RFC 6091 Section 3.1: CertificateType values negotiated through the
 * cert_type, client_certificate_type and server_certificate_type extensions.
 * RFC 7250 adds Raw Public Key, which carries a bare SubjectPublicKeyInfo
 * rather than a certificate chain. */
const value_string tls_certificate_type[] = {
    { 0, "X.509" },
    { 1, "OpenPGP" },
    { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY, "Raw Public Key" }, /* RFC 7250 */
    { 0, NULL }
};
1588
/* RFC 6066 Section 5: CertChainType values in the client_certificate_url
 * extension, giving the format of the data the URL points at.
 * NOTE(review): the header constants used here expand to 1 and 2 on this
 * build, while RFC 6066 Section 5 numbers the enum as individual_certs(0),
 * pkipath(1); this looks off by one and should be confirmed against the RFC
 * before relying on the displayed label. */
const value_string tls_cert_chain_type[] = {
    { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT, "Individual Certificates" },
    { SSL_HND_CERT_URL_TYPE_PKIPATH, "PKI Path" },
    { 0, NULL }
};
1594
/* CertificateStatusType values: ocsp (1) from the RFC 6066 Section 8
 * status_request extension carries one stapled OCSP response, ocsp_multi (2)
 * from RFC 6961 status_request_v2 carries one per certificate in the chain. */
const value_string tls_cert_status_type[] = {
    { SSL_HND_CERT_STATUS_TYPE_OCSP, "OCSP" },
    { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI, "OCSP Multi" },
    { 0, NULL }
};
1600
1601/* Generated by tools/dissector_generators/generate-tls-ct-logids.py
1602 * Last-Modified Sat, 15 Nov 2025 14:27:28 GMT, 187 entries. */
1603static const bytes_string ct_logids[] = {
1604 { (const uint8_t[]){
1605 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1606 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1607 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1608 },
1609 32, "Google 'Argon2020' log" },
1610 { (const uint8_t[]){
1611 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1612 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1613 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1614 },
1615 32, "Google 'Argon2021' log" },
1616 { (const uint8_t[]){
1617 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1618 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1619 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1620 },
1621 32, "Google 'Argon2022' log" },
1622 { (const uint8_t[]){
1623 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1624 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1625 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1626 },
1627 32, "Google 'Argon2023' log" },
1628 { (const uint8_t[]){
1629 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1630 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1631 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1632 },
1633 32, "Google 'Argon2024' log" },
1634 { (const uint8_t[]){
1635 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1636 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1637 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1638 },
1639 32, "Google 'Argon2025h1' log" },
1640 { (const uint8_t[]){
1641 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1642 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1643 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1644 },
1645 32, "Google 'Argon2025h2' log" },
1646 { (const uint8_t[]){
1647 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1648 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1649 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1650 },
1651 32, "Google 'Argon2026h1' log" },
1652 { (const uint8_t[]){
1653 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1654 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1655 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1656 },
1657 32, "Google 'Argon2026h2' log" },
1658 { (const uint8_t[]){
1659 0xd6, 0xd5, 0x8d, 0xa9, 0xd0, 0x17, 0x53, 0xf3, 0x6a, 0x4a, 0xa0,
1660 0xc7, 0x57, 0x49, 0x02, 0xaf, 0xeb, 0xc7, 0xdc, 0x2c, 0xd3, 0x8c,
1661 0xd9, 0xf7, 0x64, 0xc8, 0x0c, 0x89, 0x19, 0x1e, 0x9f, 0x02,
1662 },
1663 32, "Google 'Argon2027h1'" },
1664 { (const uint8_t[]){
1665 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1666 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1667 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1668 },
1669 32, "Google 'Xenon2020' log" },
1670 { (const uint8_t[]){
1671 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1672 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1673 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1674 },
1675 32, "Google 'Xenon2021' log" },
1676 { (const uint8_t[]){
1677 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1678 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1679 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1680 },
1681 32, "Google 'Xenon2022' log" },
1682 { (const uint8_t[]){
1683 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1684 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1685 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1686 },
1687 32, "Google 'Xenon2023' log" },
1688 { (const uint8_t[]){
1689 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1690 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1691 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1692 },
1693 32, "Google 'Xenon2024' log" },
1694 { (const uint8_t[]){
1695 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1696 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1697 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1698 },
1699 32, "Google 'Xenon2025h1' log" },
1700 { (const uint8_t[]){
1701 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1702 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1703 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1704 },
1705 32, "Google 'Xenon2025h2' log" },
1706 { (const uint8_t[]){
1707 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1708 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1709 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1710 },
1711 32, "Google 'Xenon2026h1' log" },
1712 { (const uint8_t[]){
1713 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1714 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1715 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1716 },
1717 32, "Google 'Xenon2026h2' log" },
1718 { (const uint8_t[]){
1719 0x44, 0xc2, 0xbd, 0x0c, 0xe9, 0x14, 0x0e, 0x64, 0xa5, 0xc9, 0x4a,
1720 0x01, 0x93, 0x0a, 0x5a, 0xa1, 0xbb, 0x35, 0x97, 0x0e, 0x00, 0xee,
1721 0x11, 0x16, 0x89, 0x68, 0x2a, 0x1c, 0x44, 0xd7, 0xb5, 0x66,
1722 },
1723 32, "Google 'Xenon2027h1'" },
1724 { (const uint8_t[]){
1725 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1726 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1727 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1728 },
1729 32, "Google 'Aviator' log" },
1730 { (const uint8_t[]){
1731 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1732 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1733 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1734 },
1735 32, "Google 'Icarus' log" },
1736 { (const uint8_t[]){
1737 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1738 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1739 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1740 },
1741 32, "Google 'Pilot' log" },
1742 { (const uint8_t[]){
1743 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1744 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1745 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1746 },
1747 32, "Google 'Rocketeer' log" },
1748 { (const uint8_t[]){
1749 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1750 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1751 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1752 },
1753 32, "Google 'Skydiver' log" },
1754 { (const uint8_t[]){
1755 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1756 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1757 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1758 },
1759 32, "Google 'Argon2017' log" },
1760 { (const uint8_t[]){
1761 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1762 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1763 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1764 },
1765 32, "Google 'Argon2018' log" },
1766 { (const uint8_t[]){
1767 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1768 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1769 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1770 },
1771 32, "Google 'Argon2019' log" },
1772 { (const uint8_t[]){
1773 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1774 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1775 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1776 },
1777 32, "Google 'Xenon2018' log" },
1778 { (const uint8_t[]){
1779 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1780 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1781 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1782 },
1783 32, "Google 'Xenon2019' log" },
1784 { (const uint8_t[]){
1785 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1786 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1787 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1788 },
1789 32, "Google 'Submariner' log" },
1790 { (const uint8_t[]){
1791 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1792 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1793 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1794 },
1795 32, "Google 'Daedalus' log" },
1796 { (const uint8_t[]){
1797 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1798 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1799 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1800 },
1801 32, "Google 'Testtube' log" },
1802 { (const uint8_t[]){
1803 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1804 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1805 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1806 },
1807 32, "Google 'Crucible' log" },
1808 { (const uint8_t[]){
1809 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1810 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1811 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1812 },
1813 32, "Google 'Solera2018' log" },
1814 { (const uint8_t[]){
1815 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1816 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1817 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1818 },
1819 32, "Google 'Solera2019' log" },
1820 { (const uint8_t[]){
1821 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1822 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1823 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1824 },
1825 32, "Google 'Solera2020' log" },
1826 { (const uint8_t[]){
1827 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1828 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1829 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1830 },
1831 32, "Google 'Solera2021' log" },
1832 { (const uint8_t[]){
1833 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1834 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1835 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1836 },
1837 32, "Google 'Solera2022' log" },
1838 { (const uint8_t[]){
1839 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1840 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1841 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1842 },
1843 32, "Google 'Solera2023' log" },
1844 { (const uint8_t[]){
1845 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1846 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1847 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1848 },
1849 32, "Google 'Solera2024' log" },
1850 { (const uint8_t[]){
1851 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1852 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1853 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1854 },
1855 32, "Google 'Solera2025h1' log" },
1856 { (const uint8_t[]){
1857 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1858 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1859 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1860 },
1861 32, "Google 'Solera2025h2' log" },
1862 { (const uint8_t[]){
1863 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1864 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1865 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1866 },
1867 32, "Google 'Solera2026h1' log" },
1868 { (const uint8_t[]){
1869 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1870 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1871 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1872 },
1873 32, "Google 'Solera2026h2' log" },
1874 { (const uint8_t[]){
1875 0x3d, 0xe4, 0x92, 0xa8, 0x98, 0x93, 0xad, 0x70, 0x5e, 0x78, 0x46,
1876 0xed, 0x21, 0xd4, 0x8d, 0xca, 0xfb, 0xad, 0x13, 0x9e, 0xa6, 0x4e,
1877 0xd1, 0xe3, 0x49, 0xf9, 0x00, 0xb0, 0xa2, 0xcd, 0xa5, 0xe2,
1878 },
1879 32, "Google 'Solera2027h1' log" },
1880 { (const uint8_t[]){
1881 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1882 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1883 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1884 },
1885 32, "Cloudflare 'Nimbus2020' Log" },
1886 { (const uint8_t[]){
1887 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1888 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1889 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1890 },
1891 32, "Cloudflare 'Nimbus2021' Log" },
1892 { (const uint8_t[]){
1893 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1894 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1895 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1896 },
1897 32, "Cloudflare 'Nimbus2022' Log" },
1898 { (const uint8_t[]){
1899 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1900 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1901 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1902 },
1903 32, "Cloudflare 'Nimbus2023' Log" },
1904 { (const uint8_t[]){
1905 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1906 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1907 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1908 },
1909 32, "Cloudflare 'Nimbus2024' Log" },
1910 { (const uint8_t[]){
1911 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1912 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1913 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1914 },
1915 32, "Cloudflare 'Nimbus2025'" },
1916 { (const uint8_t[]){
1917 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1918 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1919 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1920 },
1921 32, "Cloudflare 'Nimbus2026'" },
1922 { (const uint8_t[]){
1923 0x4c, 0x63, 0xdc, 0x98, 0xe5, 0x9c, 0x1d, 0xab, 0x88, 0xf6, 0x1e,
1924 0x8a, 0x3d, 0xde, 0xae, 0x8f, 0xab, 0x44, 0xa3, 0x37, 0x7b, 0x5f,
1925 0x9b, 0x94, 0xc3, 0xfb, 0xa1, 0x9c, 0xfc, 0xc1, 0xbe, 0x26,
1926 },
1927 32, "Cloudflare 'Nimbus2027'" },
1928 { (const uint8_t[]){
1929 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1930 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1931 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1932 },
1933 32, "Cloudflare 'Nimbus2017' Log" },
1934 { (const uint8_t[]){
1935 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1936 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1937 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1938 },
1939 32, "Cloudflare 'Nimbus2018' Log" },
1940 { (const uint8_t[]){
1941 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1942 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1943 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1944 },
1945 32, "Cloudflare 'Nimbus2019' Log" },
1946 { (const uint8_t[]){
1947 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1948 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1949 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1950 },
1951 32, "DigiCert Log Server" },
1952 { (const uint8_t[]){
1953 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1954 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1955 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1956 },
1957 32, "DigiCert Log Server 2" },
1958 { (const uint8_t[]){
1959 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1960 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1961 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1962 },
1963 32, "DigiCert Yeti2020 Log" },
1964 { (const uint8_t[]){
1965 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1966 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1967 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1968 },
1969 32, "DigiCert Yeti2021 Log" },
1970 { (const uint8_t[]){
1971 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1972 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1973 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1974 },
1975 32, "DigiCert Yeti2022 Log" },
1976 { (const uint8_t[]){
1977 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1978 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1979 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1980 },
1981 32, "DigiCert Yeti2023 Log" },
1982 { (const uint8_t[]){
1983 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1984 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1985 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1986 },
1987 32, "DigiCert Yeti2024 Log" },
1988 { (const uint8_t[]){
1989 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1990 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1991 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1992 },
1993 32, "DigiCert Yeti2025 Log" },
1994 { (const uint8_t[]){
1995 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1996 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1997 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1998 },
1999 32, "DigiCert Nessie2020 Log" },
2000 { (const uint8_t[]){
2001 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
2002 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
2003 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
2004 },
2005 32, "DigiCert Nessie2021 Log" },
2006 { (const uint8_t[]){
2007 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
2008 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
2009 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
2010 },
2011 32, "DigiCert Nessie2022 Log" },
2012 { (const uint8_t[]){
2013 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
2014 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
2015 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
2016 },
2017 32, "DigiCert Nessie2023 Log" },
2018 { (const uint8_t[]){
2019 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
2020 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
2021 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
2022 },
2023 32, "DigiCert Nessie2024 Log" },
2024 { (const uint8_t[]){
2025 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
2026 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
2027 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
2028 },
2029 32, "DigiCert Nessie2025 Log" },
2030 { (const uint8_t[]){
2031 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
2032 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
2033 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
2034 },
2035 32, "DigiCert 'Wyvern2024h1' Log" },
2036 { (const uint8_t[]){
2037 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2038 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2039 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2040 },
2041 32, "DigiCert 'Wyvern2024h2' Log" },
2042 { (const uint8_t[]){
2043 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2044 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2045 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2046 },
2047 32, "DigiCert 'Wyvern2025h1' Log" },
2048 { (const uint8_t[]){
2049 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2050 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2051 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2052 },
2053 32, "DigiCert 'Wyvern2025h2' Log" },
2054 { (const uint8_t[]){
2055 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2056 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2057 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2058 },
2059 32, "DigiCert 'Wyvern2026h1'" },
2060 { (const uint8_t[]){
2061 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2062 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2063 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2064 },
2065 32, "DigiCert 'Wyvern2026h2'" },
2066 { (const uint8_t[]){
2067 0x00, 0x1a, 0x5d, 0x1a, 0x1c, 0x2d, 0x93, 0x75, 0xb6, 0x48, 0x55,
2068 0x78, 0xf8, 0x2f, 0x71, 0xa1, 0xae, 0x6e, 0xef, 0x39, 0x7d, 0x29,
2069 0x7c, 0x8a, 0xe3, 0x15, 0x7b, 0xca, 0xde, 0xe1, 0xa0, 0x1e,
2070 },
2071 32, "DigiCert 'Wyvern2027h1'" },
2072 { (const uint8_t[]){
2073 0x37, 0xaa, 0x07, 0xcc, 0x21, 0x6f, 0x2e, 0x6d, 0x91, 0x9c, 0x70,
2074 0x9d, 0x24, 0xd8, 0xf7, 0x31, 0xb0, 0x0f, 0x2b, 0x14, 0x7c, 0x62,
2075 0x1c, 0xc0, 0x91, 0xa5, 0xfa, 0x1a, 0x84, 0xd8, 0x16, 0xdd,
2076 },
2077 32, "DigiCert 'Wyvern2027h2'" },
2078 { (const uint8_t[]){
2079 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2080 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2081 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2082 },
2083 32, "DigiCert 'Sphinx2024h1' Log" },
2084 { (const uint8_t[]){
2085 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2086 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2087 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2088 },
2089 32, "DigiCert 'Sphinx2024h2' Log" },
2090 { (const uint8_t[]){
2091 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2092 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2093 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2094 },
2095 32, "DigiCert 'Sphinx2025h1' Log" },
2096 { (const uint8_t[]){
2097 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2098 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2099 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2100 },
2101 32, "DigiCert 'Sphinx2025h2' Log" },
2102 { (const uint8_t[]){
2103 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2104 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2105 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2106 },
2107 32, "DigiCert 'Sphinx2026h1'" },
2108 { (const uint8_t[]){
2109 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2110 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2111 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2112 },
2113 32, "DigiCert 'Sphinx2026h2'" },
2114 { (const uint8_t[]){
2115 0x46, 0xa2, 0x39, 0x67, 0xc6, 0x0d, 0xb6, 0x46, 0x87, 0xc6, 0x6f,
2116 0x3d, 0xf9, 0x99, 0x94, 0x76, 0x93, 0xa6, 0xa6, 0x11, 0x20, 0x84,
2117 0x57, 0xd5, 0x55, 0xe7, 0xe3, 0xd0, 0xa1, 0xd9, 0xb6, 0x46,
2118 },
2119 32, "DigiCert 'sphinx2027h1'" },
2120 { (const uint8_t[]){
2121 0x1f, 0xb0, 0xf8, 0xa9, 0x2d, 0x8a, 0xdd, 0xa1, 0x21, 0x77, 0x6c,
2122 0x05, 0xe2, 0xaa, 0x2e, 0x15, 0xba, 0xcb, 0xc6, 0x2b, 0x65, 0x39,
2123 0x36, 0x95, 0x57, 0x6a, 0xaa, 0xb5, 0x2e, 0x11, 0xd1, 0x1d,
2124 },
2125 32, "DigiCert 'sphinx2027h2'" },
2126 { (const uint8_t[]){
2127 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2128 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2129 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2130 },
2131 32, "Symantec log" },
2132 { (const uint8_t[]){
2133 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2134 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2135 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2136 },
2137 32, "Symantec 'Vega' log" },
2138 { (const uint8_t[]){
2139 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2140 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2141 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2142 },
2143 32, "Symantec 'Sirius' log" },
2144 { (const uint8_t[]){
2145 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2146 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2147 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2148 },
2149 32, "DigiCert Yeti2022-2 Log" },
2150 { (const uint8_t[]){
2151 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2152 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2153 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2154 },
2155 32, "DigiCert Yeti2018 Log" },
2156 { (const uint8_t[]){
2157 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2158 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2159 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2160 },
2161 32, "DigiCert Yeti2019 Log" },
2162 { (const uint8_t[]){
2163 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2164 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2165 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2166 },
2167 32, "DigiCert Nessie2018 Log" },
2168 { (const uint8_t[]){
2169 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2170 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2171 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2172 },
2173 32, "DigiCert Nessie2019 Log" },
2174 { (const uint8_t[]){
2175 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2176 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2177 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2178 },
2179 32, "Symantec Deneb" },
2180 { (const uint8_t[]){
2181 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2182 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2183 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2184 },
2185 32, "Certly.IO log" },
2186 { (const uint8_t[]){
2187 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2188 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2189 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2190 },
2191 32, "Izenpe log" },
2192 { (const uint8_t[]){
2193 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2194 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2195 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2196 },
2197 32, "Izenpe 'Argi' log" },
2198 { (const uint8_t[]){
2199 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2200 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2201 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2202 },
2203 32, "WoSign log" },
2204 { (const uint8_t[]){
2205 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2206 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2207 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2208 },
2209 32, "WoSign CT log #1" },
2210 { (const uint8_t[]){
2211 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2212 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2213 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2214 },
2215 32, "WoSign log 2" },
2216 { (const uint8_t[]){
2217 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2218 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2219 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2220 },
2221 32, "Venafi log" },
2222 { (const uint8_t[]){
2223 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2224 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2225 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2226 },
2227 32, "Venafi Gen2 CT log" },
2228 { (const uint8_t[]){
2229 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2230 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2231 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2232 },
2233 32, "CNNIC CT log" },
2234 { (const uint8_t[]){
2235 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2236 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2237 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2238 },
2239 32, "StartCom log" },
2240 { (const uint8_t[]){
2241 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2242 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2243 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2244 },
2245 32, "Sectigo 'Sabre' CT log" },
2246 { (const uint8_t[]){
2247 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2248 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2249 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2250 },
2251 32, "Sectigo 'Sabre2024h1'" },
2252 { (const uint8_t[]){
2253 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2254 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2255 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2256 },
2257 32, "Sectigo 'Sabre2024h2'" },
2258 { (const uint8_t[]){
2259 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2260 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2261 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2262 },
2263 32, "Sectigo 'Sabre2025h1'" },
2264 { (const uint8_t[]){
2265 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2266 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2267 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2268 },
2269 32, "Sectigo 'Sabre2025h2'" },
2270 { (const uint8_t[]){
2271 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2272 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2273 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2274 },
2275 32, "Sectigo 'Mammoth' CT log" },
2276 { (const uint8_t[]){
2277 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2278 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2279 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2280 },
2281 32, "Sectigo 'Mammoth2024h1'" },
2282 { (const uint8_t[]){
2283 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2284 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2285 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2286 },
2287 32, "Sectigo 'Mammoth2024h1b'" },
2288 { (const uint8_t[]){
2289 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2290 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2291 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2292 },
2293 32, "Sectigo 'Mammoth2024h2'" },
2294 { (const uint8_t[]){
2295 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2296 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2297 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2298 },
2299 32, "Sectigo 'Mammoth2025h1'" },
2300 { (const uint8_t[]){
2301 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2302 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2303 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2304 },
2305 32, "Sectigo 'Mammoth2025h2'" },
2306 { (const uint8_t[]){
2307 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2308 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2309 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2310 },
2311 32, "Sectigo 'Mammoth2026h1'" },
2312 { (const uint8_t[]){
2313 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2314 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2315 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2316 },
2317 32, "Sectigo 'Mammoth2026h2'" },
2318 { (const uint8_t[]){
2319 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2320 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2321 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2322 },
2323 32, "Sectigo 'Sabre2026h1'" },
2324 { (const uint8_t[]){
2325 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2326 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2327 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2328 },
2329 32, "Sectigo 'Sabre2026h2'" },
2330 { (const uint8_t[]){
2331 0x0d, 0x1d, 0xbc, 0x89, 0x44, 0xe9, 0xf5, 0x00, 0x55, 0x42, 0xd7,
2332 0x2d, 0x3e, 0x14, 0x4c, 0xcc, 0x43, 0x08, 0x2a, 0xb6, 0xea, 0x1e,
2333 0x94, 0xdf, 0xd7, 0x06, 0x65, 0x7d, 0x2e, 0x86, 0xf3, 0x01,
2334 },
2335 32, "Sectigo 'Elephant2025h2'" },
2336 { (const uint8_t[]){
2337 0xd1, 0x6e, 0xa9, 0xa5, 0x68, 0x07, 0x7e, 0x66, 0x35, 0xa0, 0x3f,
2338 0x37, 0xa5, 0xdd, 0xbc, 0x03, 0xa5, 0x3c, 0x41, 0x12, 0x14, 0xd4,
2339 0x88, 0x18, 0xf5, 0xe9, 0x31, 0xb3, 0x23, 0xcb, 0x95, 0x04,
2340 },
2341 32, "Sectigo 'Elephant2026h1'" },
2342 { (const uint8_t[]){
2343 0xaf, 0x67, 0x88, 0x3b, 0x57, 0xb0, 0x4e, 0xdd, 0x8f, 0xa6, 0xd9,
2344 0x7e, 0xf6, 0x2e, 0xa8, 0xeb, 0x81, 0x0a, 0xc7, 0x71, 0x60, 0xf0,
2345 0x24, 0x5e, 0x55, 0xd6, 0x0c, 0x2f, 0xe7, 0x85, 0x87, 0x3a,
2346 },
2347 32, "Sectigo 'Elephant2026h2'" },
2348 { (const uint8_t[]){
2349 0x60, 0x4c, 0x9a, 0xaf, 0x7a, 0x7f, 0x77, 0x5f, 0x01, 0xd4, 0x06,
2350 0xfc, 0x92, 0x0d, 0xc8, 0x99, 0xeb, 0x0b, 0x1c, 0x7d, 0xf8, 0xc9,
2351 0x52, 0x1b, 0xfa, 0xfa, 0x17, 0x77, 0x3b, 0x97, 0x8b, 0xc9,
2352 },
2353 32, "Sectigo 'Elephant2027h1'" },
2354 { (const uint8_t[]){
2355 0xa2, 0x49, 0x0c, 0xdc, 0xdb, 0x8e, 0x33, 0xa4, 0x00, 0x32, 0x17,
2356 0x60, 0xd6, 0xd4, 0xd5, 0x1a, 0x20, 0x36, 0x19, 0x1e, 0xa7, 0x7d,
2357 0x96, 0x8b, 0xe2, 0x6a, 0x8a, 0x00, 0xf6, 0xff, 0xff, 0xf7,
2358 },
2359 32, "Sectigo 'Elephant2027h2'" },
2360 { (const uint8_t[]){
2361 0x5c, 0xa5, 0x77, 0xd2, 0x9b, 0x7f, 0x8b, 0xaf, 0x41, 0x9e, 0xd8,
2362 0xec, 0xab, 0xfb, 0x6d, 0xcb, 0xae, 0xc3, 0x85, 0x37, 0x02, 0xd5,
2363 0x74, 0x6f, 0x17, 0x4d, 0xad, 0x3c, 0x93, 0x4a, 0xa9, 0x6a,
2364 },
2365 32, "Sectigo 'Tiger2025h2'" },
2366 { (const uint8_t[]){
2367 0x16, 0x83, 0x2d, 0xab, 0xf0, 0xa9, 0x25, 0x0f, 0x0f, 0xf0, 0x3a,
2368 0xa5, 0x45, 0xff, 0xc8, 0xbf, 0xc8, 0x23, 0xd0, 0x87, 0x4b, 0xf6,
2369 0x04, 0x29, 0x27, 0xf8, 0xe7, 0x1f, 0x33, 0x13, 0xf5, 0xfa,
2370 },
2371 32, "Sectigo 'Tiger2026h1'" },
2372 { (const uint8_t[]){
2373 0xc8, 0xa3, 0xc4, 0x7f, 0xc7, 0xb3, 0xad, 0xb9, 0x35, 0x6b, 0x01,
2374 0x3f, 0x6a, 0x7a, 0x12, 0x6d, 0xe3, 0x3a, 0x4e, 0x43, 0xa5, 0xc6,
2375 0x46, 0xf9, 0x97, 0xad, 0x39, 0x75, 0x99, 0x1d, 0xcf, 0x9a,
2376 },
2377 32, "Sectigo 'Tiger2026h2'" },
2378 { (const uint8_t[]){
2379 0x1c, 0x9f, 0x68, 0x2c, 0xe9, 0xfa, 0xf0, 0x45, 0x69, 0x50, 0xf8,
2380 0x1b, 0x96, 0x8a, 0x87, 0xdd, 0xdb, 0x32, 0x10, 0xd8, 0x4c, 0xe6,
2381 0xc8, 0xb2, 0xe3, 0x82, 0x52, 0x4a, 0xc4, 0xcf, 0x59, 0x9f,
2382 },
2383 32, "Sectigo 'Tiger2027h1'" },
2384 { (const uint8_t[]){
2385 0x03, 0x80, 0x2a, 0xc2, 0x62, 0xf6, 0xe0, 0x5e, 0x03, 0xf8, 0xbc,
2386 0x6f, 0x7b, 0x98, 0x51, 0x32, 0x4f, 0xd7, 0x6a, 0x3d, 0xf5, 0xb7,
2387 0x59, 0x51, 0x75, 0xe2, 0x22, 0xfb, 0x8e, 0x9b, 0xd5, 0xf6,
2388 },
2389 32, "Sectigo 'Tiger2027h2'" },
2390 { (const uint8_t[]){
2391 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2392 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2393 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2394 },
2395 32, "Sectigo 'Dodo' CT log" },
2396 { (const uint8_t[]){
2397 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2398 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2399 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2400 },
2401 32, "Let's Encrypt 'Oak2020' log" },
2402 { (const uint8_t[]){
2403 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2404 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2405 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2406 },
2407 32, "Let's Encrypt 'Oak2021' log" },
2408 { (const uint8_t[]){
2409 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2410 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2411 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2412 },
2413 32, "Let's Encrypt 'Oak2022' log" },
2414 { (const uint8_t[]){
2415 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2416 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2417 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2418 },
2419 32, "Let's Encrypt 'Oak2023' log" },
2420 { (const uint8_t[]){
2421 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2422 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2423 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2424 },
2425 32, "Let's Encrypt 'Oak2024H1' log" },
2426 { (const uint8_t[]){
2427 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2428 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2429 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2430 },
2431 32, "Let's Encrypt 'Oak2024H2' log" },
2432 { (const uint8_t[]){
2433 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2434 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2435 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2436 },
2437 32, "Let's Encrypt 'Oak2025h1'" },
2438 { (const uint8_t[]){
2439 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2440 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2441 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2442 },
2443 32, "Let's Encrypt 'Oak2025h2'" },
2444 { (const uint8_t[]){
2445 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2446 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2447 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2448 },
2449 32, "Let's Encrypt 'Oak2026h1'" },
2450 { (const uint8_t[]){
2451 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2452 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2453 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2454 },
2455 32, "Let's Encrypt 'Oak2026h2'" },
2456 { (const uint8_t[]){
2457 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2458 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2459 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2460 },
2461 32, "Let's Encrypt 'Oak2019' log" },
2462 { (const uint8_t[]){
2463 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2464 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2465 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2466 },
2467 32, "Let's Encrypt 'Testflume2019' log" },
2468 { (const uint8_t[]){
2469 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2470 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2471 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2472 },
2473 32, "Let's Encrypt 'Sapling 2022h2' log" },
2474 { (const uint8_t[]){
2475 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2476 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2477 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2478 },
2479 32, "Let's Encrypt 'Sapling 2023h1' log" },
2480 { (const uint8_t[]){
2481 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2482 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2483 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2484 },
2485 32, "Let's Encrypt 'Testflume2020' log" },
2486 { (const uint8_t[]){
2487 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2488 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2489 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2490 },
2491 32, "Let's Encrypt 'Testflume2021' log" },
2492 { (const uint8_t[]){
2493 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2494 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2495 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2496 },
2497 32, "Let's Encrypt 'Testflume2022' log" },
2498 { (const uint8_t[]){
2499 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2500 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2501 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2502 },
2503 32, "Let's Encrypt 'Testflume2023' log" },
2504 { (const uint8_t[]){
2505 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2506 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2507 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2508 },
2509 32, "Let's Encrypt 'Clicky' log" },
2510 { (const uint8_t[]){
2511 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2512 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2513 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2514 },
2515 32, "Trust Asia Log2020" },
2516 { (const uint8_t[]){
2517 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2518 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2519 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2520 },
2521 32, "Trust Asia CT2021" },
2522 { (const uint8_t[]){
2523 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2524 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2525 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2526 },
2527 32, "Trust Asia Log2021" },
2528 { (const uint8_t[]){
2529 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2530 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2531 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2532 },
2533 32, "Trust Asia Log2022" },
2534 { (const uint8_t[]){
2535 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2536 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2537 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2538 },
2539 32, "Trust Asia Log2023" },
2540 { (const uint8_t[]){
2541 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2542 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2543 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2544 },
2545 32, "Trust Asia Log2024" },
2546 { (const uint8_t[]){
2547 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2548 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2549 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2550 },
2551 32, "Trust Asia Log2024-2" },
2552 { (const uint8_t[]){
2553 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2554 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2555 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2556 },
2557 32, "TrustAsia Log2025a" },
2558 { (const uint8_t[]){
2559 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2560 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2561 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2562 },
2563 32, "TrustAsia Log2025b" },
2564 { (const uint8_t[]){
2565 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2566 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2567 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2568 },
2569 32, "TrustAsia 'log2026a'" },
2570 { (const uint8_t[]){
2571 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2572 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2573 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2574 },
2575 32, "TrustAsia 'log2026b'" },
2576 { (const uint8_t[]){
2577 0xed, 0xda, 0xeb, 0x81, 0x5c, 0x63, 0x21, 0x34, 0x49, 0xb4, 0x7b,
2578 0xe5, 0x07, 0x79, 0x05, 0xab, 0xd0, 0xd9, 0x31, 0x47, 0xc2, 0x7a,
2579 0xc5, 0x14, 0x6b, 0x3b, 0xc5, 0x8e, 0x43, 0xe9, 0xb6, 0xc7,
2580 },
2581 32, "TrustAsia 'HETU2027'" },
2582 { (const uint8_t[]){
2583 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2584 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2585 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2586 },
2587 32, "Trust Asia Log1" },
2588 { (const uint8_t[]){
2589 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2590 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2591 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2592 },
2593 32, "GDCA CT log #1" },
2594 { (const uint8_t[]){
2595 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2596 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2597 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2598 },
2599 32, "GDCA CT log #2" },
2600 { (const uint8_t[]){
2601 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2602 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2603 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2604 },
2605 32, "GDCA Log 1" },
2606 { (const uint8_t[]){
2607 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2608 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2609 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2610 },
2611 32, "GDCA Log 2" },
2612 { (const uint8_t[]){
2613 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2614 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2615 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2616 },
2617 32, "PuChuangSiDa CT log" },
2618 { (const uint8_t[]){
2619 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2620 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2621 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2622 },
2623 32, "Nordu 'flimsy' log" },
2624 { (const uint8_t[]){
2625 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2626 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2627 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2628 },
2629 32, "Nordu 'plausible' log" },
2630 { (const uint8_t[]){
2631 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2632 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2633 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2634 },
2635 32, "SHECA CT log 1" },
2636 { (const uint8_t[]){
2637 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2638 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2639 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2640 },
2641 32, "SHECA CT log 2" },
2642 { (const uint8_t[]){
2643 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2644 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2645 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2646 },
2647 32, "Akamai CT Log" },
2648 { (const uint8_t[]){
2649 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2650 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2651 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2652 },
2653 32, "Alpha CT Log" },
2654 { (const uint8_t[]){
2655 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2656 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2657 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2658 },
2659 32, "Up In The Air 'Behind the Sofa' log" },
2660 { (const uint8_t[]){
2661 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2662 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2663 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2664 },
2665 32, "Qihoo 360 2020" },
2666 { (const uint8_t[]){
2667 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2668 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2669 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2670 },
2671 32, "Qihoo 360 2021" },
2672 { (const uint8_t[]){
2673 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2674 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2675 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2676 },
2677 32, "Qihoo 360 2022" },
2678 { (const uint8_t[]){
2679 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2680 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2681 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2682 },
2683 32, "Qihoo 360 2023" },
2684 { (const uint8_t[]){
2685 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2686 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2687 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2688 },
2689 32, "Qihoo 360 v1 2020" },
2690 { (const uint8_t[]){
2691 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2692 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2693 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2694 },
2695 32, "Qihoo 360 v1 2021" },
2696 { (const uint8_t[]){
2697 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2698 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2699 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2700 },
2701 32, "Qihoo 360 v1 2022" },
2702 { (const uint8_t[]){
2703 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2704 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2705 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2706 },
2707 32, "Qihoo 360 v1 2023" },
2708 { (const uint8_t[]){
2709 0x2e, 0xd6, 0xa4, 0x4d, 0xeb, 0x8f, 0x0c, 0x86, 0x46, 0x67, 0x76,
2710 0x9c, 0x4e, 0xdd, 0x04, 0x1f, 0x84, 0x23, 0x67, 0x55, 0xfa, 0x3a,
2711 0xac, 0xa6, 0x34, 0xd0, 0x93, 0x5d, 0xfc, 0xd5, 0x9a, 0x70,
2712 },
2713 32, "Bogus placeholder log to unbreak misbehaving CT libraries" },
2714 { (const uint8_t[]){
2715 0x39, 0xb9, 0x87, 0x88, 0x28, 0x19, 0x5f, 0x3b, 0x2d, 0x0d, 0x1b,
2716 0x48, 0x14, 0xa3, 0xae, 0x8c, 0x0d, 0x01, 0xfe, 0x48, 0x62, 0x21,
2717 0xdd, 0x69, 0x39, 0x7d, 0x76, 0xf7, 0x85, 0x74, 0x11, 0xc3,
2718 },
2719 32, "Merklemap 'CompactLog' log" },
2720 { (const uint8_t[]){
2721 0xd2, 0xfc, 0x65, 0x2f, 0xa5, 0xf9, 0xb7, 0x38, 0xb8, 0x37, 0x55,
2722 0xfa, 0x5e, 0xb1, 0x5f, 0x0b, 0x45, 0x25, 0x3f, 0x4e, 0x8f, 0xa3,
2723 0xb9, 0xb6, 0x4f, 0xd4, 0xde, 0x56, 0x62, 0xd1, 0x87, 0x08,
2724 },
2725 32, "Bogus RFC6962 log to avoid breaking misbehaving CT libraries" },
2726 { NULL((void*)0), 0, NULL((void*)0) }
2727};
2728
2729/*
2730 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2731 */
/* TLS ALPN table: sub-dissectors looked up by the negotiated ALPN protocol string. */
static dissector_table_t ssl_alpn_dissector_table;
/* DTLS counterpart of the table above. */
static dissector_table_t dtls_alpn_dissector_table;
2734
2735/*
2736 * Special cases for prefix matching of the ALPN, if the ALPN includes
2737 * a version number for a draft or protocol revision.
2738 */
/*
 * One ALPN prefix-match rule: an ALPN value that begins with proto_prefix is
 * handed to the dissector registered under dissector_name.
 */
typedef struct ssl_alpn_prefix_match_protocol {
    const char *proto_prefix;     /* prefix of the ALPN string, e.g. "h2-" */
    const char *dissector_name;   /* name of the dissector to hand off to */
} ssl_alpn_prefix_match_protocol_t;
2743
/*
 * Prefix rules consulted when an ALPN value carries a draft or revision
 * suffix that is not registered verbatim.  No terminating sentinel entry:
 * users of this table are expected to iterate by element count.
 */
static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
    /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
     * already exists 3.1 as of this writing... match the prefix. */
    { "spdy/", "spdy" },
    /* draft-ietf-httpbis-http2-16 */
    { "h2-", "http2" }, /* draft versions */
};
2751
/*
 * Algorithm identifiers carried by the TLS compress_certificate extension
 * (names as displayed in the tree).  NULL-terminated for value_to_str().
 */
const value_string compress_certificate_algorithm_vals[] = {
    { 1, "zlib" },
    { 2, "brotli" },
    { 3, "zstd" },
    { 0, NULL }
};
2758
2759
/*
 * QUIC transport parameter identifiers and their display names.
 *
 * Standard parameters come first, followed by draft and vendor-specific ones
 * (Google, Facebook, multipath drafts).  Several drafts of the same parameter
 * are listed under distinct identifiers with the draft number in the label.
 * Entries 0x09/0x08 are deliberately listed in that order; lookups are by
 * value, not by position.  NULL-terminated for val64_to_str().
 */
const val64_string quic_transport_parameter_id[] = {
    { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID, "original_destination_connection_id" },
    { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT, "max_idle_timeout" },
    { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN, "stateless_reset_token" },
    { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE, "max_udp_payload_size" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_DATA, "initial_max_data" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL, "initial_max_stream_data_bidi_local" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE, "initial_max_stream_data_bidi_remote" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI, "initial_max_stream_data_uni" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI, "initial_max_streams_uni" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI, "initial_max_streams_bidi" },
    { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT, "ack_delay_exponent" },
    { SSL_HND_QUIC_TP_MAX_ACK_DELAY, "max_ack_delay" },
    { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION, "disable_active_migration" },
    { SSL_HND_QUIC_TP_PREFERRED_ADDRESS, "preferred_address" },
    { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT, "active_connection_id_limit" },
    { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID, "initial_source_connection_id" },
    { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID, "retry_source_connection_id" },
    { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE, "max_datagram_frame_size" },
    { SSL_HND_QUIC_TP_CIBIR_ENCODING, "cibir_encoding" },
    { SSL_HND_QUIC_TP_LOSS_BITS, "loss_bits" },
    { SSL_HND_QUIC_TP_GREASE_QUIC_BIT, "grease_quic_bit" },
    { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP, "enable_time_stamp" },
    { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V2, "enable_time_stamp_v2" },
    { SSL_HND_QUIC_TP_VERSION_INFORMATION, "version_information" },
    { SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT, "version_information_draft" },
    /* Older identifier for min_ack_delay; the newer drafts follow below. */
    { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD, "min_ack_delay" },
    { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT, "google_user_agent" },
    { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED, "google_key_update_not_yet_supported" },
    { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION, "google_quic_version" },
    { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT, "google_initial_rtt" },
    { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE, "google_support_handshake_done" },
    { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS, "google_quic_params" },
    { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS, "google_connection_options" },
    { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY, "facebook_partial_reliability" },
    { SSL_HND_QUIC_TP_ADDRESS_DISCOVERY, "address_discovery" },
    { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V1, "min_ack_delay (draft-01)" },
    { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT05, "min_ack_delay (draft-05)" },
    { SSL_HND_QUIC_TP_MIN_ACK_DELAY, "min_ack_delay" },
    { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT04, "enable_multipath (draft-04)" },
    { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT05, "enable_multipath (draft-05)" },
    { SSL_HND_QUIC_TP_ENABLE_MULTIPATH, "enable_multipath (draft-06)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS, "initial_max_paths (draft-07/08)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT09, "initial_max_path_id (draft-09/10)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT11, "initial_max_path_id (draft-11)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT12, "initial_max_path_id (draft-12)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT13, "initial_max_path_id (draft-13)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID, "initial_max_path_id" },
    { 0, NULL }
};
2810
2811/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00 */
/* Values of the address_discovery transport parameter (see draft link above). */
const val64_string quic_address_discovery_vals[] = {
    { 0, "The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself" },
    { 1, "The node is interested in receiving address observations, but it is not willing to provide address observations" },
    { 2, "The node is interested in receiving address observations, and it is willing to provide address observations" },
    { 0, NULL }
};

/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
/* Values of the enable_time_stamp_v2 transport parameter: bit 1 = wants to
 * receive, bit 2 = can generate, 3 = both. */
const val64_string quic_enable_time_stamp_v2_vals[] = {
    { 1, "I would like to receive TIME_STAMP frames" },
    { 2, "I am able to generate TIME_STAMP frames" },
    { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
    { 0, NULL }
};

/* https://datatracker.ietf.org/doc/draft-ietf-quic-multipath/04/ */
/* Values of the enable_multipath transport parameter (draft-04 semantics). */
const val64_string quic_enable_multipath_vals[] = {
    { 0, "don't support multipath" },
    { 1, "support multipath as defined in this document" },
    { 0, NULL }
};
2833
2834/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
/* ECH ClientHello type field: distinguishes the outer (cleartext) from the
 * inner (encrypted) ClientHello. */
const value_string tls_hello_ext_ech_clienthello_types[] = {
    { 0, "Outer Client Hello" },
    { 1, "Inner Client Hello" },
    { 0, NULL }
};
2840
2841/* RFC 9180 */
/* HPKE KEM identifiers as used by the ECH configuration. */
const value_string kem_id_type_vals[] = {
    { 0x0000, "Reserved" },
    { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
    { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
    { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
    { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
    { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
    { 0, NULL }
};
/* HPKE KDF identifiers. */
const value_string kdf_id_type_vals[] = {
    { 0x0000, "Reserved" },
    { 0x0001, "HKDF-SHA256" },
    { 0x0002, "HKDF-SHA384" },
    { 0x0003, "HKDF-SHA512" },
    { 0, NULL }
};
/* HPKE AEAD identifiers; 0xFFFF marks an export-only context with no AEAD. */
const value_string aead_id_type_vals[] = {
    { 0x0000, "Reserved" },
    { 0x0001, "AES-128-GCM" },
    { 0x0002, "AES-256-GCM" },
    { 0x0003, "ChaCha20Poly1305" },
    { 0xFFFF, "Export-only" },
    { 0, NULL }
};
2866
/* Token Binding key parameter identifiers (signature scheme of the binding key). */
const value_string token_binding_key_parameter_vals[] = {
    { 0, "rsa2048_pkcs1.5" },
    { 1, "rsa2048_pss" },
    { 2, "ecdsap256" },
    { 0, NULL }
};
2873
2874/* Lookup tables }}} */
2875
/*
 * Custom field formatter for QUIC transport parameter identifiers.
 *
 * Writes "<label> (0x<id>)" into result (at most ITEM_LABEL_LENGTH bytes,
 * always NUL-terminated by snprintf).  GREASE identifiers get a fixed
 * "GREASE" label; everything else is looked up in quic_transport_parameter_id
 * and falls back to "Unknown".
 */
void
quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
{
    const char *label = IS_GREASE_QUIC(parameter_id)
        ? "GREASE"
        : val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");

    snprintf(result, ITEM_LABEL_LENGTH, "%s (0x%02" PRIx64 ")", label, parameter_id);
}
2887
2888/* we keep this internal to packet-tls-utils, as there should be
2889 no need to access it any other way.
2890
2891 This also allows us to hide the dependency on zlib.
2892*/
/*
 * Per-direction decompression state.  Kept opaque outside this file so that
 * the zlib dependency does not leak into headers.
 */
struct _SslDecompress {
    int compression;        /* negotiated compression method */
#ifdef USE_ZLIB_OR_ZLIBNG
    zlib_stream istream;    /* inflate stream, only present when built with zlib */
#endif
};
2899
/*
 * Map a cipher suite number to its key exchange algorithm (KEX_*).
 *
 * Used while parsing Client/ServerKeyExchange messages.  Returns 0 when the
 * suite is not known to this table.
 */
int ssl_get_keyex_alg(int cipher)
{
    /* Map Cipher suite number to Key Exchange algorithm {{{ */
    switch (cipher) {
    case 0x0017: case 0x0018: case 0x0019: case 0x001a: case 0x001b: case 0x0034:
    case 0x003a: case 0x0046: case 0x006c: case 0x006d: case 0x0089: case 0x009b:
    case 0x00a6: case 0x00a7: case 0x00bf: case 0x00c5: case 0xc084: case 0xc085:
        return KEX_DH_ANON;

    case 0x000b: case 0x000c: case 0x000d: case 0x0030: case 0x0036: case 0x003e:
    case 0x0042: case 0x0068: case 0x0085: case 0x0097: case 0x00a4: case 0x00a5:
    case 0x00bb: case 0x00c1: case 0xc082: case 0xc083:
        return KEX_DH_DSS;

    case 0x000e: case 0x000f: case 0x0010: case 0x0031: case 0x0037: case 0x003f:
    case 0x0043: case 0x0069: case 0x0086: case 0x0098: case 0x00a0: case 0x00a1:
    case 0x00bc: case 0x00c2: case 0xc07e: case 0xc07f:
        return KEX_DH_RSA;

    case 0x0011: case 0x0012: case 0x0013: case 0x0032: case 0x0038: case 0x0040:
    case 0x0044: case 0x0063: case 0x0065: case 0x0066: case 0x006a: case 0x0087:
    case 0x0099: case 0x00a2: case 0x00a3: case 0x00bd: case 0x00c3: case 0xc080:
    case 0xc081:
        return KEX_DHE_DSS;

    case 0x002d: case 0x008e: case 0x008f: case 0x0090: case 0x0091: case 0x00aa:
    case 0x00ab: case 0x00b2: case 0x00b3: case 0x00b4: case 0x00b5: case 0xc090:
    case 0xc091: case 0xc096: case 0xc097: case 0xc0a6: case 0xc0a7: case 0xc0aa:
    case 0xc0ab: case 0xccad: case 0xe41c: case 0xe41d:
        return KEX_DHE_PSK;

    case 0x0014: case 0x0015: case 0x0016: case 0x0033: case 0x0039: case 0x0045:
    case 0x0067: case 0x006b: case 0x0088: case 0x009a: case 0x009e: case 0x009f:
    case 0x00be: case 0x00c4: case 0xc07c: case 0xc07d: case 0xc09e: case 0xc09f:
    case 0xc0a2: case 0xc0a3: case 0xccaa: case 0xe41e: case 0xe41f:
        return KEX_DHE_RSA;

    case 0xc015: case 0xc016: case 0xc017: case 0xc018: case 0xc019:
        return KEX_ECDH_ANON;

    case 0xc001: case 0xc002: case 0xc003: case 0xc004: case 0xc005: case 0xc025:
    case 0xc026: case 0xc02d: case 0xc02e: case 0xc074: case 0xc075: case 0xc088:
    case 0xc089:
        return KEX_ECDH_ECDSA;

    case 0xc00b: case 0xc00c: case 0xc00d: case 0xc00e: case 0xc00f: case 0xc029:
    case 0xc02a: case 0xc031: case 0xc032: case 0xc078: case 0xc079: case 0xc08c:
    case 0xc08d:
        return KEX_ECDH_RSA;

    case 0xc006: case 0xc007: case 0xc008: case 0xc009: case 0xc00a: case 0xc023:
    case 0xc024: case 0xc02b: case 0xc02c: case 0xc072: case 0xc073: case 0xc086:
    case 0xc087: case 0xc0ac: case 0xc0ad: case 0xc0ae: case 0xc0af: case 0xcca9:
    case 0xe414: case 0xe415:
        return KEX_ECDHE_ECDSA;

    case 0xc033: case 0xc034: case 0xc035: case 0xc036: case 0xc037: case 0xc038:
    case 0xc039: case 0xc03a: case 0xc03b: case 0xc09a: case 0xc09b: case 0xccac:
    case 0xe418: case 0xe419: case 0xd001: case 0xd002: case 0xd003: case 0xd005:
        return KEX_ECDHE_PSK;

    case 0xc010: case 0xc011: case 0xc012: case 0xc013: case 0xc014: case 0xc027:
    case 0xc028: case 0xc02f: case 0xc030: case 0xc076: case 0xc077: case 0xc08a:
    case 0xc08b: case 0xcca8: case 0xe412: case 0xe413:
        return KEX_ECDHE_RSA;

    case 0x001e: case 0x001f: case 0x0020: case 0x0021: case 0x0022: case 0x0023:
    case 0x0024: case 0x0025: case 0x0026: case 0x0027: case 0x0028: case 0x0029:
    case 0x002a: case 0x002b:
        return KEX_KRB5;

    case 0x002c: case 0x008a: case 0x008b: case 0x008c: case 0x008d: case 0x00a8:
    case 0x00a9: case 0x00ae: case 0x00af: case 0x00b0: case 0x00b1: case 0xc064:
    case 0xc065: case 0xc08e: case 0xc08f: case 0xc094: case 0xc095: case 0xc0a4:
    case 0xc0a5: case 0xc0a8: case 0xc0a9: case 0xccab: case 0xe416: case 0xe417:
        return KEX_PSK;

    case 0x0001: case 0x0002: case 0x0003: case 0x0004: case 0x0005: case 0x0006:
    case 0x0007: case 0x0008: case 0x0009: case 0x000a: case 0x002f: case 0x0035:
    case 0x003b: case 0x003c: case 0x003d: case 0x0041: case 0x0060: case 0x0061:
    case 0x0062: case 0x0064: case 0x0084: case 0x0096: case 0x009c: case 0x009d:
    case 0x00ba: case 0x00c0: case 0xc07a: case 0xc07b: case 0xc09c: case 0xc09d:
    case 0xc0a0: case 0xc0a1: case 0xe410: case 0xe411: case 0xfefe: case 0xfeff:
    case 0xffe0: case 0xffe1:
        return KEX_RSA;

    case 0x002e: case 0x0092: case 0x0093: case 0x0094: case 0x0095: case 0x00ac:
    case 0x00ad: case 0x00b6: case 0x00b7: case 0x00b8: case 0x00b9: case 0xc092:
    case 0xc093: case 0xc098: case 0xc099: case 0xccae: case 0xe41a: case 0xe41b:
        return KEX_RSA_PSK;

    case 0xc01a: case 0xc01d: case 0xc020:
        return KEX_SRP_SHA;

    case 0xc01c: case 0xc01f: case 0xc022:
        return KEX_SRP_SHA_DSS;

    case 0xc01b: case 0xc01e: case 0xc021:
        return KEX_SRP_SHA_RSA;

    case 0xc0ff:
        return KEX_ECJPAKE;

    case 0xe003: case 0xe013: case 0xe053:
        return KEX_ECC_SM2;

    default:
        /* Unknown suite: callers treat 0 as "no key exchange info". */
        return 0;
    }
    /* }}} */
}
3240
/* File-scoped list of SslDecryptSession pointers that registered a DTLS Connection ID;
 * created in ssl_init_cid_list() and torn down in ssl_cleanup_cid_list(). */
static wmem_list_t *connection_id_session_list;
3242
/* Create the (file-scoped) Connection ID session list; call once per capture file. */
void
ssl_init_cid_list(void) {
    connection_id_session_list = wmem_list_new(wmem_file_scope());
}
3247
/* Destroy the Connection ID session list created by ssl_init_cid_list().
 * The sessions themselves are not owned by the list and are not freed here. */
void
ssl_cleanup_cid_list(void) {
    wmem_destroy_list(connection_id_session_list);
}
3252
/* Register a session so ssl_get_session_by_cid() can find it by Connection ID.
 * No de-duplication is done; registering twice yields two list entries. */
void
ssl_add_session_by_cid(SslDecryptSession *session)
{
    wmem_list_append(connection_id_session_list, session);
}
3258
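/*
 * Find the DTLS session whose client or server Connection ID matches the
 * bytes at tvb[offset]; returns NULL if no registered session matches.
 *
 * Sessions are scanned in registration order and the first match wins.
 * The client-CID comparison was already guarded by tvb_bytes_exist(); the
 * server-CID comparison now carries the same guard so both paths are bounded
 * identically (tvb_memeql is believed to reject short data on its own, but
 * the explicit check keeps the two branches symmetric rather than relying on
 * that).
 */
SslDecryptSession *
ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
{
    wmem_list_frame_t *it;

    for (it = wmem_list_head(connection_id_session_list); it != NULL; it = wmem_list_frame_next(it)) {
        SslDecryptSession *ssl = (SslDecryptSession *)wmem_list_frame_data(it);
        DISSECTOR_ASSERT(ssl != NULL);
        SslSession *session = &ssl->session;

        if (session->client_cid_len > 0 &&
            tvb_bytes_exist(tvb, offset, session->client_cid_len) &&
            tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
            return ssl;
        }

        if (session->server_cid_len > 0 &&
            tvb_bytes_exist(tvb, offset, session->server_cid_len) &&
            tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
            return ssl;
        }
    }

    return NULL;
}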
3287
3288/* StringInfo structure (len + data) functions {{{ */
3289
/*
 * Allocate a fresh buffer of len bytes for str (g_malloc; the owner releases
 * it with g_free).  Returns 0 on success, -1 when a non-zero request yields
 * no buffer.  A zero-length request may legitimately produce a NULL buffer
 * and is reported as success with data_len 0.
 */
int
ssl_data_alloc(StringInfo* str, size_t len)
{
    unsigned char *buf = (unsigned char *)g_malloc(len);

    str->data = buf;
    if (buf == NULL && len > 0) {
        return -1;
    }
    str->data_len = (unsigned) len;
    return 0;
}
3301
/*
 * Copy len bytes from data into str->data and record the new length.
 *
 * No capacity check is performed: the caller must guarantee that str->data
 * already points at a buffer of at least len bytes (see ssl_data_alloc /
 * ssl_data_realloc).  data must be non-NULL (dissector assertion).
 */
void
ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
{
    DISSECTOR_ASSERT(data);
    memcpy(str->data, data, len);
    str->data_len = len;
}
3309
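/*
 * Resize str's buffer to len bytes, preserving existing contents up to the
 * smaller of the old and new sizes.  Returns 0 on success, -1 on failure.
 *
 * The reallocated pointer is held in a temporary so that a failed call leaves
 * str->data pointing at the still-valid old buffer instead of overwriting it
 * with NULL (the classic realloc leak/dangling pattern).  A zero-length
 * request is handled explicitly and mirrors ssl_data_alloc, which treats a
 * NULL buffer for size 0 as success: GLib is understood to free the block and
 * return NULL for g_realloc(p, 0) (verify against the GLib version in use),
 * which the old code would have reported as a failure while leaving a freed
 * pointer behind.
 */
static int
ssl_data_realloc(StringInfo* str, unsigned len)
{
    unsigned char *grown;

    if (len == 0) {
        g_free(str->data);
        str->data = NULL;
        str->data_len = 0;
        return 0;
    }

    grown = (unsigned char *)g_realloc(str->data, len);
    if (!grown)
        return -1;      /* str->data untouched and still owned by str */

    str->data = grown;
    str->data_len = len;
    return 0;
}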
3319
/*
 * Deep-copy str into a single file-scoped wmem allocation.
 *
 * The StringInfo header and its data bytes live in one block (data points
 * just past the header), so the clone needs no separate free and disappears
 * with the file scope.  str->data_len bytes are copied.
 */
static StringInfo *
ssl_data_clone(StringInfo *str)
{
    StringInfo *cloned_str;
    cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
            sizeof(StringInfo) + str->data_len);
    cloned_str->data = (unsigned char *) (cloned_str + 1);   /* bytes follow the header */
    ssl_data_set(cloned_str, str->data, str->data_len);
    return cloned_str;
}
3330
/*
 * Copy src's bytes into dst, growing dst's buffer only when it is too small.
 * A destination that is already large enough is reused as-is.
 * Returns 0 on success, -1 if the reallocation failed.
 */
static int
ssl_data_copy(StringInfo* dst, StringInfo* src)
{
    const unsigned needed = src->data_len;

    if (dst->data_len < needed && ssl_data_realloc(dst, needed) != 0)
        return -1;

    memcpy(dst->data, src->data, needed);
    dst->data_len = needed;
    return 0;
}
3342
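/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
 * success.
 *
 * On failure (odd length or a non-hex digit) out->data_len is left at 0 so a
 * caller that ignores the return value cannot read a stale length against a
 * partially-filled buffer; previously data_len kept whatever value it held
 * before the call. */
static bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
    size_t i;
    const size_t out_len = hex_len / 2;

    out->data_len = 0;

    if (hex_len & 1)
        return false;

    out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), out_len);
    for (i = 0; i < out_len; i++) {
        int a = ws_xton(in[i*2]);
        int b = ws_xton(in[i*2 + 1]);
        if (a == -1 || b == -1)
            return false;
        out->data[i] = (unsigned char)(a << 4 | b);
    }
    out->data_len = (unsigned)out_len;
    return true;
}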
3363/* StringInfo structure (len + data) functions }}} */
3364
3365
3366/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3367/* hmac abstraction layer */
3368#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
3369
/*
 * Open an HMAC context for digest algorithm algo.
 * Returns 0 on success, -1 on failure (logged via ssl_debug_printf).
 * The key is supplied separately through ssl_hmac_setkey().
 */
static inline int
ssl_hmac_init(SSL_HMAC* md, int algo)
{
    gcry_error_t err = gcry_md_open(md, algo, GCRY_MD_FLAG_HMAC);

    if (err == 0)
        return 0;

    ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s",
                     gcry_strerror(err), gcry_strsource(err));
    return -1;
}
3385
/*
 * Install the HMAC key (len bytes at key) on an opened context.
 * Returns 0 on success, -1 on failure (logged via ssl_debug_printf).
 */
static inline int
ssl_hmac_setkey(SSL_HMAC* md, const void * key, int len)
{
    gcry_error_t err = gcry_md_setkey(*(md), key, len);

    if (err == 0)
        return 0;

    ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s",
                     gcry_strerror(err), gcry_strsource(err));
    return -1;
}
3401
/* Reset the HMAC context for a new message; the key is retained. Always returns 0. */
static inline int
ssl_hmac_reset(SSL_HMAC* md)
{
    gcry_md_reset(*md);
    return 0;
}
3408
/* Feed len bytes of data into the HMAC computation. */
static inline void
ssl_hmac_update(SSL_HMAC* md, const void* data, int len)
{
    gcry_md_write(*(md), data, len);
}
/*
 * Finish the HMAC and copy the tag into data.
 *
 * On entry *datalen is the capacity of data; it must be at least the digest
 * length of the context's algorithm (dissector assertion).  On return
 * *datalen holds the number of bytes actually written.
 */
static inline void
ssl_hmac_final(SSL_HMAC* md, unsigned char* data, unsigned* datalen)
{
    int algo;
    unsigned len;

    algo = gcry_md_get_algo (*(md));
    len = gcry_md_get_algo_dlen(algo);
    DISSECTOR_ASSERT(len <= *datalen);   /* bound the copy below */
    memcpy(data, gcry_md_read(*(md), algo), len);
    *datalen = len;
}
/* Release the HMAC context. The handle is not cleared; do not reuse it afterwards. */
static inline void
ssl_hmac_cleanup(SSL_HMAC* md)
{
    gcry_md_close(*(md));
}
3431
3432/* message digest abstraction layer*/
3433#define SSL_MDgcry_md_hd_t gcry_md_hd_t
3434
/*
 * Open a plain (non-HMAC) message digest context for algorithm algo.
 * Returns 0 on success, -1 on failure (logged via ssl_debug_printf).
 */
static inline int
ssl_md_init(SSL_MD* md, int algo)
{
    gcry_error_t err = gcry_md_open(md, algo, 0);

    if (err == 0)
        return 0;

    ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s",
                     gcry_strerror(err), gcry_strsource(err));
    return -1;
}
/* Feed len bytes of data into the digest. */
static inline void
ssl_md_update(SSL_MD* md, const unsigned char* data, unsigned len)
{
    gcry_md_write(*(md), data, len);
}
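/*
 * Finish the digest and copy it into data.
 *
 * On entry *datalen is the capacity of data and must be at least the digest
 * length of the context's algorithm; on return it holds the bytes written.
 * The capacity assertion matches ssl_hmac_final: the original copied the
 * full digest without checking *datalen, so an undersized caller buffer
 * would have been overrun silently.
 */
static inline void
ssl_md_final(SSL_MD* md, unsigned char* data, unsigned* datalen)
{
    int algo = gcry_md_get_algo (*(md));
    unsigned len = gcry_md_get_algo_dlen (algo);

    DISSECTOR_ASSERT(len <= *datalen);
    memcpy(data, gcry_md_read(*(md), algo), len);
    *datalen = len;
}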
/* Release the digest context. */
static inline void
ssl_md_cleanup(SSL_MD* md)
{
    gcry_md_close(*(md));
}
3469
/* Reset the digest context so it can hash a new message. */
static inline void
ssl_md_reset(SSL_MD* md)
{
    gcry_md_reset(*md);
}
3475
3476/* md5 /sha abstraction layer */
3477#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3478#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
3479
/*
 * Open a SHA-1 digest context (used by the SSLv3/TLS 1.0-1.1 PRF and MAC).
 * Returns 0 on success, -1 on failure (logged via ssl_debug_printf).
 */
static inline int
ssl_sha_init(SSL_SHA_CTX* md)
{
    gcry_error_t err = gcry_md_open(md, GCRY_MD_SHA1, 0);

    if (err == 0)
        return 0;

    ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s",
                     gcry_strerror(err), gcry_strsource(err));
    return -1;
}
/* Feed len bytes of data into the SHA-1 digest. */
static inline void
ssl_sha_update(SSL_SHA_CTX* md, unsigned char* data, int len)
{
    gcry_md_write(*(md), data, len);
}
/* Copy the finished SHA-1 digest into buf, which must have room for the
 * full SHA-1 output length (no capacity parameter is taken). */
static inline void
ssl_sha_final(unsigned char* buf, SSL_SHA_CTX* md)
{
    memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),
           gcry_md_get_algo_dlen(GCRY_MD_SHA1));
}
3505
/* Reset the SHA-1 context for a new message. */
static inline void
ssl_sha_reset(SSL_SHA_CTX* md)
{
    gcry_md_reset(*md);
}
3511
/* Release the SHA-1 context. */
static inline void
ssl_sha_cleanup(SSL_SHA_CTX* md)
{
    gcry_md_close(*(md));
}
3517
/*
 * Open an MD5 digest context (used by the SSLv3/TLS 1.0-1.1 PRF and MAC).
 * Returns 0 on success, -1 on failure (logged via ssl_debug_printf).
 */
static inline int
ssl_md5_init(SSL_MD5_CTX* md)
{
    gcry_error_t err = gcry_md_open(md, GCRY_MD_MD5, 0);

    if (err == 0)
        return 0;

    ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s",
                     gcry_strerror(err), gcry_strsource(err));
    return -1;
}
/* Feed len bytes of data into the MD5 digest. */
static inline void
ssl_md5_update(SSL_MD5_CTX* md, unsigned char* data, int len)
{
    gcry_md_write(*(md), data, len);
}
/* Copy the finished MD5 digest into buf, which must have room for the full
 * MD5 output length (no capacity parameter is taken). */
static inline void
ssl_md5_final(unsigned char* buf, SSL_MD5_CTX* md)
{
    memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),
           gcry_md_get_algo_dlen(GCRY_MD_MD5));
}
3543
/* Reset the MD5 context for a new message. */
static inline void
ssl_md5_reset(SSL_MD5_CTX* md)
{
    gcry_md_reset(*md);
}
3549
/* Release the MD5 context. */
static inline void
ssl_md5_cleanup(SSL_MD5_CTX* md)
{
    gcry_md_close(*(md));
}
3555/* libgcrypt wrappers for HMAC/message digest operations }}} */
3556
3557/* libgcrypt wrappers for Cipher state manipulation {{{ */
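/*
 * Set the IV of an opened cipher handle.
 *
 * Returns the libgcrypt error code from gcry_cipher_setiv() (0 on success);
 * callers are responsible for checking it.  The separator lines are emitted
 * to the SSL debug log only.
 *
 * The former "#if 0" dump loops were removed: they poked at the private
 * c->iv member of libgcrypt's handle and their loop body double-incremented
 * the index, so they could never have been re-enabled as written.
 */
int
ssl_cipher_setiv(SSL_CIPHER_CTX *cipher, unsigned char* iv, int iv_len)
{
    int ret;

    ssl_debug_printf("--------------------------------------------------------------------");
    ssl_debug_printf("--------------------------------------------------------------------");
    ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
    ssl_debug_printf("--------------------------------------------------------------------");
    return ret;
}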
3588/* stream cipher abstraction layer*/
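/*
 * Open a cipher handle for algo in the given record-layer mode and install
 * the key (and, for CBC, the IV).  Returns 0 on success, -1 on failure.
 *
 * algo == -1 selects the NULL cipher: the handle is set to the sentinel
 * (gcry_cipher_hd_t)-1 that ssl_cipher_decrypt()/ssl_cipher_cleanup()
 * recognise.  AEAD suites set their nonce later, so only MODE_CBC gets an IV
 * here.
 *
 * Two fixes over the previous version:
 *  - mode is range-checked before indexing gcry_modes[]; an out-of-range
 *    mode previously read past the table.
 *  - if gcry_cipher_setkey()/gcry_cipher_setiv() fail after a successful
 *    gcry_cipher_open(), the handle is now closed and cleared instead of
 *    being leaked and left in the caller's context.
 */
static int
ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
        unsigned char* iv, int mode)
{
    static const int gcry_modes[] = {
        GCRY_CIPHER_MODE_STREAM,
        GCRY_CIPHER_MODE_CBC,
        GCRY_CIPHER_MODE_GCM,
        GCRY_CIPHER_MODE_CCM,
        GCRY_CIPHER_MODE_CCM,
        GCRY_CIPHER_MODE_POLY1305,
        GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
    };
    gcry_error_t err;

    if (algo == -1) {
        /* NULL mode */
        *(cipher) = (gcry_cipher_hd_t)-1;
        return 0;
    }

    if (mode < 0 || (size_t)mode >= sizeof(gcry_modes) / sizeof(gcry_modes[0]))
        return -1;

    err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
    if (err != 0)
        return -1;

    err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
    /* AEAD cipher suites will set the nonce later. */
    if (err == 0 && mode == MODE_CBC)
        err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));

    if (err != 0) {
        gcry_cipher_close(*(cipher));
        *(cipher) = NULL;
        return -1;
    }
    return 0;
}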
/*
 * Decrypt inl bytes from in into out (capacity outl).
 *
 * For the NULL-cipher sentinel ((gcry_cipher_hd_t)-1, see ssl_cipher_init)
 * the input is simply copied, truncated to the smaller of outl and inl, and
 * 0 is returned.  Otherwise the libgcrypt error code is returned unchanged.
 */
static inline int
ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
                   const unsigned char * in, int inl)
{
    if ((*cipher) == (gcry_cipher_hd_t)-1)
    {
        if (in && inl)
            memcpy(out, in, outl < inl ? outl : inl);
        return 0;
    }
    return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
}
/* Map a libgcrypt digest name (e.g. "SHA256") to its algorithm id; 0 if unknown. */
static inline int
ssl_get_digest_by_name(const char*name)
{
    return gcry_md_map_name(name);
}
/* Map a libgcrypt cipher name (see ciphers[]) to its algorithm id; 0 if unknown. */
static inline int
ssl_get_cipher_by_name(const char* name)
{
    return gcry_cipher_map_name(name);
}
3644
/* Close a cipher handle unless it is the NULL-cipher sentinel, then clear it
 * so a later cleanup or decrypt cannot touch a closed handle. */
static inline void
ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
{
    if ((*cipher) != (gcry_cipher_hd_t)-1)
        gcry_cipher_close(*cipher);
    *cipher = NULL;
}
3652/* }}} */
3653
3654/* Digests, Ciphers and Cipher Suites registry {{{ */
/*
 * Digest registry indexed by (DIG_xxx - DIG_MD5): libgcrypt name and output
 * length in bytes.  The last entry is the "not applicable" fallback returned
 * by ssl_cipher_suite_dig() for unknown or out-of-range digests.
 */
static const SslDigestAlgo digests[]={
    {"MD5", 16},
    {"SHA1", 20},
    {"SHA256", 32},
    {"SHA384", 48},
    {"SM3", 32},
    {"Not Applicable", 0},
};
3663
3664#define DIGEST_MAX_SIZE48 48
3665
3666/* get index digest index */
/*
 * Return the digest descriptor for a cipher suite.
 * A NULL suite or a dig value outside [DIG_MD5, DIG_NA] yields the
 * "Not Applicable" entry rather than indexing out of digests[].
 */
static const SslDigestAlgo *
ssl_cipher_suite_dig(const SslCipherSuite *cs) {
    int idx = DIG_NA - DIG_MD5;   /* fallback: "Not Applicable" */

    if (cs != NULL && cs->dig >= DIG_MD5 && cs->dig <= DIG_NA)
        idx = cs->dig - DIG_MD5;
    return &digests[idx];
}
3674
/*
 * libgcrypt cipher names indexed by (ENC_xxx - ENC_DES); resolved with
 * ssl_get_cipher_by_name().  The final "*UNKNOWN*" entry is a placeholder
 * for unrecognised encryption algorithms.
 */
static const char *ciphers[]={
    "DES",
    "3DES",
    "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
    "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
    "IDEA",
    "AES",
    "AES256",
    "CAMELLIA128",
    "CAMELLIA256",
    "SEED",
    "CHACHA20", /* since Libgcrypt 1.7.0 */
    "SM1",
    "SM4",
    "*UNKNOWN*"
};
3691
3692static const SslCipherSuite cipher_suites[]={
3693 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3694 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3695 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3696 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3697 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3698 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3699 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3700 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3701 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3702 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3703 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3704 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3705 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3706 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3707 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3708 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3709 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3710 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3711 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3712 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3713 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3714 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3715 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3716 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3717 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3718 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3719 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3720 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3721 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3722 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3723 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3724 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3725 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3726 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3727 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3728 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3729 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3730 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3731 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3732 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3733 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3734 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3735 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3736 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3737 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3738 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3739 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3740 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3741 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3742 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3743 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3744 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3745 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3746 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3747 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3748 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3749 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3750 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3751 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3752 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3753 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3754 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3755 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3756 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3757 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3758 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3759 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3760 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3761 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3762 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3763 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3764 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3765 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3766 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3767 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3768 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3769 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3770 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3771 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3772 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3773 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3774 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3775 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3776 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3777 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3778 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3779 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3780 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3781 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3782 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3783 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3784 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3785 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3786 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3787 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3788 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3789 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3790 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3791 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3792 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3793 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3794 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3795 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3796 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3797 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3798 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3799 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3800 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3801 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3802 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3803 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3804 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3805 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3806 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3807 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3808 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3809 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3810 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3811 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3812 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3813 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3814 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3815 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3816 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3817 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3818 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3819 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3820 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3821 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3822 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3823 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3824 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3825 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3826 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3827
3828 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3829 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3830 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3831 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3832 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3833 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3834 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3835
3836 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3837 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3838 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3839 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3840 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3841 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3842 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3843 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3844 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3845 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3846 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3847 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3848 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3849 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3850 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3851 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3852 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3853 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3854 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3855 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3856 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3857 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3858 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3859 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3860 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3861 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3862 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3863 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3864 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3865 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3866 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3867 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3868 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3869 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3870 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3871 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3872 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3873 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3874 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3875 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3876 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3877 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3878 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3879 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3880 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3881 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3882 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3883 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3884 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3885 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3886 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3887 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3888 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3889 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3890 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3891 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3892 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3893 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3894 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3895 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3896 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3897 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3898 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3899 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3900 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3901 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3902 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3903 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3904 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3905 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3906 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3907 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3908 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3909 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3910 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3911 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3912 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3913 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3914 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3915 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3916 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3917 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3918 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3919 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3920 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3921 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3922 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3923 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3924 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3925 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3926 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3927 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3928 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3929 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3930 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3931 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3932 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3933 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3934 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3935 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3936 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3937 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3938 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3939 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3940 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3941 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3942 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3943 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3944 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3945 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3946 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3947 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3948 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3949 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3950 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3951 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3952 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3953 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3954 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3955 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3956 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3957 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3958 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3959 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3960 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3961 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3962 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3963 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3964 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3965 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3966 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3967 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3968 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3969 /* GM */
3970 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3971 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3972 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3973 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3974 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3975 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3976 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3977 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3978 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3979 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3980 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3981 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3982 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3983 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3984 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3985 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3986 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3987 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3988 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3989 {-1, 0, 0, 0, MODE_STREAM}
3990};
3991
3992#define MAX_BLOCK_SIZE16 16
3993#define MAX_KEY_SIZE32 32
3994
/*
 * Look up a cipher suite by its IANA-assigned number.
 *
 * @param num  The 16-bit cipher suite identifier as carried on the wire
 *             (for example 0xC02F).
 * @return Pointer to the matching entry of the cipher_suites table, or NULL
 *         when the number is not known. The pointer refers to the table
 *         itself and must not be freed by the caller.
 */
const SslCipherSuite *
ssl_find_cipher(int num)
{
    /* The table is terminated by an entry whose number is -1. */
    const SslCipherSuite *cs = cipher_suites;

    while (cs->number != -1) {
        if (cs->number == num) {
            return cs;
        }
        cs++;
    }

    return NULL;
}
4007
/*
 * Map a cipher suite's bulk encryption algorithm to a libgcrypt algorithm id.
 *
 * @param cipher_suite  Table entry as returned by ssl_find_cipher(); must not
 *                      be NULL. Its enc field indexes the ciphers[] name table
 *                      relative to ENC_START.
 * @return The result of gcry_cipher_map_name() for that cipher's name;
 *         libgcrypt reports a name it does not know as 0.
 */
int
ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
{
    const char *cipher_name = ciphers[cipher_suite->enc - ENC_START];

    return gcry_cipher_map_name(cipher_name);
}
4013
/*
 * Return the block size, in bytes, of a cipher suite's bulk cipher.
 *
 * Only CBC-mode suites report a block size; every other mode (stream, GCM,
 * CCM, CCM_8, POLY1305) yields 0.
 *
 * NOTE(review): unlike ssl_get_cipher_algo(), the name is resolved through
 * ssl_get_cipher_by_name() rather than gcry_cipher_map_name() directly --
 * presumably to cover names libgcrypt does not know; confirm before unifying.
 *
 * @param cipher_suite  Table entry as returned by ssl_find_cipher(); must not
 *                      be NULL.
 * @return libgcrypt's block length for the cipher, or 0 for non-CBC suites.
 */
unsigned
ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
{
    if (cipher_suite->mode == MODE_CBC) {
        const char *cipher_name = ciphers[cipher_suite->enc - ENC_START];
        int algo = ssl_get_cipher_by_name(cipher_name);

        return (unsigned)gcry_cipher_get_algo_blklen(algo);
    }

    return 0;
}
4022
/*
 * Key material size, in bytes, of the legacy "export" cipher suites.
 *
 * The values are the "Key Material" column of RFC 6101 (SSL 3.0), Table 2,
 * plus the 1024-bit export suites from the 56-bit ciphersuites draft.
 *
 * @param cipher_suite_num  The cipher suite number (for example 0x0003).
 * @return 5 or 7 for the export suites listed below, 0 for any other suite.
 */
static unsigned
ssl_get_cipher_export_keymat_size(int cipher_suite_num)
{
    static const struct {
        int      number;
        unsigned keymat_size;
    } export_sizes[] = {
        /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
        { 0x0003, 5 }, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
        { 0x0006, 5 }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
        { 0x0008, 5 }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
        { 0x000B, 5 }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
        { 0x000E, 5 }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
        { 0x0011, 5 }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
        { 0x0014, 5 }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
        { 0x0017, 5 }, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
        { 0x0019, 5 }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */

        /* Not defined in the draft below, but "implemented by several
         * vendors", https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
        { 0x0060, 7 }, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
        { 0x0061, 7 }, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */

        /* The draft states that DES_CBC needs 8 bytes, but Wireshark has
         * always used 7. Until a pcap proves 8, keep the old value. Link:
         * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
        { 0x0062, 7 }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
        { 0x0063, 7 }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
        { 0x0064, 7 }, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
        { 0x0065, 7 }, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
    };

    for (size_t i = 0; i < sizeof export_sizes / sizeof export_sizes[0]; i++) {
        if (export_sizes[i].number == cipher_suite_num) {
            return export_sizes[i].keymat_size;
        }
    }

    /* Non-export suites use the full key size; signal that with 0. */
    return 0;
}
4058
4059/* Digests, Ciphers and Cipher Suites registry }}} */
4060
4061
4062/* HMAC and the Pseudorandom function {{{ */
/*
 * P_hash(secret, seed) from RFC 2246 section 5, written into out->data.
 *
 *   A(0) = seed
 *   A(i) = HMAC_hash(secret, A(i - 1))
 *   P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
 *                          HMAC_hash(secret, A(2) + seed) + ...
 *
 * The caller provides out->data with room for out_len bytes; on success
 * out->data_len is set to out_len. Returns 0 on success, -1 when the HMAC
 * context cannot be initialised for digest "md".
 */
static int
tls_hash(StringInfo *secret, StringInfo *seed, int md,
         StringInfo *out, unsigned out_len)
{
    uint8_t a_buf[DIGEST_MAX_SIZE];   /* A(i), once computed */
    uint8_t block[DIGEST_MAX_SIZE];   /* one HMAC_hash(secret, A(i) + seed) */
    uint8_t *a_cur = seed->data;      /* A(0) = seed */
    unsigned a_len = seed->data_len;
    uint8_t *dst = out->data;
    unsigned remaining = out_len;
    SSL_HMAC hmac;

    ssl_print_string("tls_hash: hash secret", secret);
    ssl_print_string("tls_hash: hash seed", seed);

    if (ssl_hmac_init(&hmac, md) != 0) {
        return -1;
    }

    while (remaining > 0) {
        unsigned block_len;

        /* A(i) = HMAC_hash(secret, A(i-1)) */
        ssl_hmac_setkey(&hmac, secret->data, secret->data_len);
        ssl_hmac_update(&hmac, a_cur, a_len);
        a_len = sizeof(a_buf);   /* capacity in, actual digest length out */
        ssl_hmac_final(&hmac, a_buf, &a_len);
        a_cur = a_buf;

        /* HMAC_hash(secret, A(i) + seed) */
        ssl_hmac_reset(&hmac);
        ssl_hmac_setkey(&hmac, secret->data, secret->data_len);
        ssl_hmac_update(&hmac, a_cur, a_len);
        ssl_hmac_update(&hmac, seed->data, seed->data_len);
        block_len = sizeof(block);
        ssl_hmac_final(&hmac, block, &block_len);
        ssl_hmac_reset(&hmac);

        /* The last block is truncated to whatever is still wanted. */
        const unsigned take = remaining < block_len ? remaining : block_len;
        memcpy(dst, block, take);
        dst += take;
        remaining -= take;
    }
    ssl_hmac_cleanup(&hmac);
    out->data_len = out_len;

    ssl_print_string("hash out", out);
    return 0;
}
4122
/*
 * TLS 1.0/1.1 PRF (RFC 2246 section 5):
 *
 *   PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)
 *
 * where S1 and S2 are the two halves of "secret" (overlapping by one byte when
 * its length is odd). The caller provides out->data with room for out_len
 * bytes; on success out->data_len is set to out_len. rnd2 may be NULL.
 * Returns false on allocation failure or when either P_hash fails.
 */
static bool
tls_prf(StringInfo* secret, const char *usage,
        StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
{
    StringInfo seed, sha_out, md5_out, s1, s2;
    bool ok = false;
    const size_t usage_len = strlen(usage);
    const size_t rnd2_len = rnd2 ? rnd2->data_len : 0;
    const size_t seed_len = usage_len + rnd1->data_len + rnd2_len;
    /* Half of the secret, rounded up so an odd middle byte lands in both. */
    const unsigned half_len = secret->data_len / 2 + secret->data_len % 2;
    unsigned i;

    /* Scratch for the two P_hash streams, at least one digest wide each. */
    if (ssl_data_alloc(&sha_out, out_len > 20 ? out_len : 20) < 0) {
        ssl_debug_printf("tls_prf: can't allocate sha out\n");
        return false;
    }
    if (ssl_data_alloc(&md5_out, out_len > 16 ? out_len : 16) < 0) {
        ssl_debug_printf("tls_prf: can't allocate md5 out\n");
        goto free_sha;
    }
    if (ssl_data_alloc(&seed, seed_len) < 0) {
        ssl_debug_printf("tls_prf: can't allocate rnd %d\n", (int) seed_len);
        goto free_md5;
    }

    /* seed = usage || rnd1 || rnd2 */
    memcpy(seed.data, usage, usage_len);
    memcpy(seed.data + usage_len, rnd1->data, rnd1->data_len);
    if (rnd2_len > 0) {
        memcpy(seed.data + usage_len + rnd1->data_len, rnd2->data, rnd2->data_len);
    }

    /* S1 is the first half of the secret, S2 the last half. */
    if (ssl_data_alloc(&s1, half_len) < 0) {
        ssl_debug_printf("tls_prf: can't allocate secret %d\n", half_len);
        goto free_seed;
    }
    if (ssl_data_alloc(&s2, half_len) < 0) {
        ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", half_len);
        goto free_s1;
    }
    memcpy(s1.data, secret->data, half_len);
    memcpy(s2.data, secret->data + (secret->data_len - half_len), half_len);

    ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
    if (tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0) {
        goto free_s2;
    }
    ssl_debug_printf("tls_prf: tls_hash(sha)\n");
    if (tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0) {
        goto free_s2;
    }

    for (i = 0; i < out_len; i++) {
        out->data[i] = md5_out.data[i] ^ sha_out.data[i];
    }
    /* success, now store the new meaningful data length */
    out->data_len = out_len;
    ok = true;

    ssl_print_string("PRF out", out);

    /* Unwind in reverse allocation order; each label frees one buffer. */
free_s2:
    g_free(s2.data);
free_s1:
    g_free(s1.data);
free_seed:
    g_free(seed.data);
free_md5:
    g_free(md5_out.data);
free_sha:
    g_free(sha_out.data);
    return ok;
}
4201
/*
 * TLS 1.2 PRF (RFC 5246 section 5): a single P_hash over the whole secret,
 * with the digest "md" chosen by the cipher suite.
 *
 *   PRF(secret, label, seed) = P_<md>(secret, label + seed)
 *
 * The caller provides out->data with room for out_len bytes. rnd2 may be
 * NULL. Returns false on allocation failure or when tls_hash fails.
 */
static bool
tls12_prf(int md, StringInfo* secret, const char* usage,
          StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
{
    StringInfo label_seed;
    const size_t usage_len = strlen(usage);
    const size_t rnd2_len = rnd2 ? rnd2->data_len : 0;
    uint8_t *cursor;

    if (ssl_data_alloc(&label_seed, usage_len + rnd1->data_len + rnd2_len) < 0) {
        ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
        return false;
    }

    /* label_seed = usage || rnd1 || rnd2 */
    cursor = label_seed.data;
    memcpy(cursor, usage, usage_len);
    cursor += usage_len;
    memcpy(cursor, rnd1->data, rnd1->data_len);
    cursor += rnd1->data_len;
    if (rnd2_len > 0) {
        memcpy(cursor, rnd2->data, rnd2->data_len);
    }

    ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
    const int rc = tls_hash(secret, &label_seed, md, out, out_len);
    g_free(label_seed.data);

    if (rc == -1) {
        return false;
    }
    ssl_print_string("PRF out", out);
    return true;
}
4230
/*
 * SSL 3.0 export IV: MD5(r1 || r2) truncated to out_len bytes, copied into
 * "out". out_len must not exceed one MD5 output (16 bytes). Returns false
 * only when the MD5 context cannot be initialised.
 */
static bool
ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
                        StringInfo *out, unsigned out_len)
{
    SSL_MD5_CTX ctx;
    uint8_t digest[16];

    if (ssl_md5_init(&ctx) != 0) {
        return false;
    }
    ssl_md5_update(&ctx, r1->data, r1->data_len);
    ssl_md5_update(&ctx, r2->data, r2->data_len);
    ssl_md5_final(digest, &ctx);
    ssl_md5_cleanup(&ctx);

    /* The IV is taken from a single digest; anything longer is a caller bug. */
    DISSECTOR_ASSERT(out_len <= sizeof(digest));
    ssl_data_set(out, digest, out_len);
    ssl_print_string("export iv", out);
    return true;
}
4251
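/*
 * SSL 3.0 key-block generation (RFC 6101 section 6.2.2):
 *
 *   MD5(secret || SHA-1('A'   || secret || rnd...)) ||
 *   MD5(secret || SHA-1('BB'  || secret || rnd...)) ||
 *   MD5(secret || SHA-1('CCC' || secret || rnd...)) || ...
 *
 * Each round yields 16 bytes of out->data until out_len bytes are produced.
 * For the "client write key" / "server write key" usages the randoms are
 * hashed in the opposite order (rnd2 before rnd1). rnd2 may be NULL. The
 * caller provides out->data with room for out_len bytes; on success
 * out->data_len is set to out_len.
 *
 * Returns false when a digest context cannot be initialised, or when out_len
 * would need more rounds than the round-label buffer can hold (see below).
 */
static bool
ssl3_prf(StringInfo* secret, const char* usage,
         StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
{
    SSL_MD5_CTX md5;
    SSL_SHA_CTX sha;
    uint8_t buf[20];        /* round label, then the SHA-1 output of the round */
    unsigned off;
    int round = 0;
    /* The usage string does not change inside the loop, so decide once. */
    const bool randoms_swapped =
        !strcmp(usage, "client write key") || !strcmp(usage, "server write key");

    if (ssl_sha_init(&sha) != 0) {
        return false;
    }
    if (ssl_md5_init(&md5) != 0) {
        ssl_sha_cleanup(&sha);
        return false;
    }

    for (off = 0; off < out_len; off += 16) {
        unsigned char outbuf[16];
        int j;

        round++;
        /* The round label 'A', 'BB', 'CCC', ... is staged in buf, which is
         * 20 bytes, so more than 20 rounds (320 output bytes) would overrun
         * it. No SSL 3.0 key block is that large; refuse rather than write
         * past the array. */
        if (round > (int) sizeof(buf)) {
            ssl_debug_printf("ssl3_prf: out_len %u exceeds the %u supported rounds\n",
                             out_len, (unsigned) sizeof(buf));
            ssl_sha_cleanup(&sha);
            ssl_md5_cleanup(&md5);
            return false;
        }

        ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n", round);
        /* A, BB, CCC, ... */
        for (j = 0; j < round; j++) {
            buf[j] = (uint8_t) (64 + round);
        }

        ssl_sha_update(&sha, buf, round);
        ssl_sha_update(&sha, secret->data, secret->data_len);
        if (randoms_swapped) {
            if (rnd2) {
                ssl_sha_update(&sha, rnd2->data, rnd2->data_len);
            }
            ssl_sha_update(&sha, rnd1->data, rnd1->data_len);
        } else {
            ssl_sha_update(&sha, rnd1->data, rnd1->data_len);
            if (rnd2) {
                ssl_sha_update(&sha, rnd2->data, rnd2->data_len);
            }
        }
        ssl_sha_final(buf, &sha);
        ssl_sha_reset(&sha);

        /* MD5(secret || SHA-1 output) gives the next 16 bytes of key block. */
        ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n", round,
                         secret->data_len);
        ssl_md5_update(&md5, secret->data, secret->data_len);
        ssl_md5_update(&md5, buf, 20);
        ssl_md5_final(outbuf, &md5);
        ssl_md5_reset(&md5);

        /* The final round may be partial. */
        const unsigned take = (out_len - off) < 16 ? (out_len - off) : 16;
        memcpy(out->data + off, outbuf, take);
    }
    ssl_sha_cleanup(&sha);
    ssl_md5_cleanup(&md5);
    out->data_len = out_len;

    return true;
}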
4311
/* Dispatches to the PRF of the negotiated protocol version.
 * out_len is the wanted output length for the pseudorandom function.
 * Ensure that ssl->cipher_suite is set (it selects the TLS 1.2 digest). */
static bool
prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
    StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
{
    const unsigned version = ssl->session.version;

    /* SSL 3.0 has its own MD5/SHA-1 construction. */
    if (version == SSLV3_VERSION) {
        return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);
    }

    /* (D)TLS 1.0/1.1: P_MD5 XOR P_SHA-1 over the split secret. */
    if (version == TLSV1_VERSION || version == TLSV1DOT1_VERSION ||
        version == DTLSV1DOT0_VERSION || version == DTLSV1DOT0_OPENSSL_VERSION) {
        return tls_prf(secret, usage, rnd1, rnd2, out, out_len);
    }

    /* Anything else is treated as TLS 1.2: one P_hash whose digest comes from
     * the cipher suite, SHA-256 unless the suite says otherwise. */
    int md = GCRY_MD_SHA256;
    switch (ssl->cipher_suite->dig) {
    case DIG_SM3:
#if GCRYPT_VERSION_NUMBER >= 0x010900
        md = GCRY_MD_SM3;
        break;
#else
        /* SM3 is unavailable in this libgcrypt; no PRF can be computed. */
        return false;
#endif
    case DIG_SHA384:
        md = GCRY_MD_SHA384;
        break;
    default:
        break;
    }
    return tls12_prf(md, secret, usage, rnd1, rnd2, out, out_len);
}
4346
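/*
 * SSL 3.0 / TLS 1.0-1.1 handshake hash: MD5(handshake) || SHA-1(handshake),
 * 36 bytes, returned in a freshly allocated "out" (released by the caller
 * with g_free, like every ssl_data_alloc buffer).
 *
 * Returns 0 on success and -1 when a digest cannot be initialised. The
 * buffer is only allocated once both digests have been computed, so an
 * error return never leaves an allocation behind for the caller to leak
 * (the previous order allocated first and returned -1 without freeing).
 */
static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
{
    SSL_MD5_CTX md5;
    SSL_SHA_CTX sha;
    uint8_t digest[36];   /* MD5 (16 bytes) followed by SHA-1 (20 bytes) */

    if (ssl_md5_init(&md5) != 0)
        return -1;
    ssl_md5_update(&md5, ssl->handshake_data.data, ssl->handshake_data.data_len);
    ssl_md5_final(digest, &md5);
    ssl_md5_cleanup(&md5);

    if (ssl_sha_init(&sha) != 0)
        return -1;
    ssl_sha_update(&sha, ssl->handshake_data.data, ssl->handshake_data.data_len);
    ssl_sha_final(digest + 16, &sha);
    ssl_sha_cleanup(&sha);

    /* Same hash-then-allocate order as tls12_handshake_hash. */
    if (ssl_data_alloc(out, sizeof(digest)) < 0)
        return -1;
    memcpy(out->data, digest, sizeof(digest));
    return 0;
}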
4368
/*
 * TLS 1.2 handshake hash: Hash(handshake) with the suite's digest "md",
 * returned in a freshly allocated "out" sized to the digest length.
 * Returns 0 on success, -1 when the digest cannot be initialised or the
 * output cannot be allocated; nothing is allocated on the error paths.
 */
static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
{
    SSL_MD ctx;
    uint8_t digest[48];
    unsigned digest_len;

    if (ssl_md_init(&ctx, md) != 0)
        return -1;
    ssl_md_update(&ctx, ssl->handshake_data.data, ssl->handshake_data.data_len);
    ssl_md_final(&ctx, digest, &digest_len);
    ssl_md_cleanup(&ctx);

    /* Allocate only after the hash is known so an error leaves no buffer. */
    if (ssl_data_alloc(out, digest_len) < 0)
        return -1;
    memcpy(out->data, digest, digest_len);
    return 0;
}
4386
/*
 * Parses the configured pre-shared key (a hex string from the ssl.psk /
 * dtls.psk preference) into tls_session->psk, replacing any key loaded
 * before. Returns false, with psk cleared on the size check, when the string
 * is absent, not valid hex, or too long.
 */
bool
tls_load_psk(SslDecryptSession* tls_session, const char *tls_psk)
{
    const bool have_psk = tls_psk != NULL && tls_psk[0] != 0;

    if (!have_psk) {
        ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC);
        return false;
    }

    /* Drop any previously loaded key before parsing the hex string. */
    wmem_free(wmem_file_scope(), tls_session->psk.data);
    if (!from_hex(&tls_session->psk, tls_psk, strlen(tls_psk))) {
        ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
                         G_STRFUNC);
        return false;
    }

    /* NOTE(review): (2 << 15) is 65536, so this rejects keys of 2^16 bytes or
     * more, while the message below says 2^15 - 1 — confirm the intended
     * bound and make the two agree. */
    if (tls_session->psk.data_len >= (2 << 15)) {
        ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
                         G_STRFUNC);
        wmem_free(wmem_file_scope(), tls_session->psk.data);
        tls_session->psk.data = NULL;
        tls_session->psk.data_len = 0;
        return false;
    }

    return true;
}
4414
/**
 * Obtains the label prefix used in HKDF-Expand-Label: the pre-draft-20 form,
 * the DTLS 1.3 form, or the final TLS 1.3 form. This function can be inlined
 * and removed once support for draft 19 and before is dropped.
 */
static inline const char *
tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
{
    /* Drafts before 20 used the long-form prefix; a zero draft version means
     * a non-draft session and falls through to the final prefixes. */
    if (ssl_session->session.tls13_draft_version != 0 &&
        ssl_session->session.tls13_draft_version < 20) {
        return "TLS 1.3, ";
    }
    if (ssl_session->session.version == DTLSV1DOT3_VERSION) {
        return "dtls13";
    }
    return "tls13 ";
}
4430
/*
 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
 * custom label prefix. If "context_hash" is NULL, then an empty context is
 * used. Otherwise it must have the same length as the hash algorithm output.
 *
 * On success *out points to out_len bytes allocated with wmem_alloc(NULL, ...)
 * that the caller owns; on failure *out is NULL and false is returned.
 */
bool
tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
                                const char *label_prefix, const char *label,
                                const uint8_t *context_hash, uint8_t context_length,
                                uint16_t out_len, unsigned char **out)
{
    /* RFC 8446 Section 7.1:
     * HKDF-Expand-Label(Secret, Label, Context, Length) =
     *      HKDF-Expand(Secret, HkdfLabel, Length)
     * struct {
     *     uint16 length = Length;
     *     opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
     *     opaque context<0..255> = Context;
     * } HkdfLabel;
     *
     * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
     * HKDF-Expand(PRK, info, L) -> OKM
     */
    const unsigned prefix_len = (unsigned) strlen(label_prefix);
    const unsigned label_len = (unsigned) strlen(label);

    /* The label vector length travels in one byte and must be non-empty. */
    DISSECTOR_ASSERT(label_len > 0 && prefix_len + label_len <= 255);

    /* Serialise HkdfLabel: uint16 length, label<7..255>, context<0..255>. */
    GByteArray *hkdf_label = g_byte_array_new();
    const uint16_t length_be = g_htons(out_len);
    const uint8_t label_vector_len = (uint8_t) (prefix_len + label_len);

    g_byte_array_append(hkdf_label, (const uint8_t *) &length_be, sizeof(length_be));
    g_byte_array_append(hkdf_label, &label_vector_len, 1);
    g_byte_array_append(hkdf_label, (const uint8_t *) label_prefix, prefix_len);
    g_byte_array_append(hkdf_label, (const uint8_t *) label, label_len);
    g_byte_array_append(hkdf_label, &context_length, 1);
    if (context_length) {
        g_byte_array_append(hkdf_label, context_hash, context_length);
    }

    *out = (unsigned char *) wmem_alloc(NULL, out_len);
    const gcry_error_t err = hkdf_expand(md, secret->data, secret->data_len,
                                         hkdf_label->data, hkdf_label->len,
                                         *out, out_len);
    g_byte_array_free(hkdf_label, true);

    if (err) {
        ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC, md, gcry_strerror(err));
        wmem_free(NULL, *out);
        *out = NULL;
        return false;
    }

    return true;
}
4489
/*
 * HKDF-Expand-Label with an empty context; see
 * tls13_hkdf_expand_label_context for the output ownership and failure
 * behaviour.
 */
bool
tls13_hkdf_expand_label(int md, const StringInfo *secret,
                        const char *label_prefix, const char *label,
                        uint16_t out_len, unsigned char **out)
{
    const uint8_t *no_context = NULL;
    return tls13_hkdf_expand_label_context(md, secret, label_prefix, label,
                                           no_context, 0, out_len, out);
}
4497
/*
 * Derive-Secret(Secret, Label, Messages) =
 *     HKDF-Expand-Label(Secret, Label, Transcript-Hash(Messages), out_len)
 *
 * "context" holds the messages to hash with digest "md". Output ownership
 * and failure behaviour are those of tls13_hkdf_expand_label_context; false
 * is also returned when the digest cannot be initialised.
 */
static bool
tls13_derive_secret(int md, const StringInfo *secret,
                    const char *label_prefix, const char *label,
                    const uint8_t *context, unsigned context_length,
                    uint16_t out_len, unsigned char **out)
{
    SSL_MD ctx;
    uint8_t transcript_hash[DIGEST_MAX_SIZE];
    unsigned hash_len;

    if (ssl_md_init(&ctx, md) != 0) {
        return false;
    }
    ssl_md_update(&ctx, context, context_length);
    ssl_md_final(&ctx, transcript_hash, &hash_len);
    ssl_md_cleanup(&ctx);

    /* hash_len is a digest length written into a DIGEST_MAX_SIZE buffer, so
     * it is expected to fit the uint8_t context length of the callee. */
    return tls13_hkdf_expand_label_context(md, secret, label_prefix, label,
                                           transcript_hash, hash_len, out_len, out);
}
4516
4517/* HMAC and the Pseudorandom function }}} */
4518
4519/* Record Decompression (after decryption) {{{ */
4520#ifdef USE_ZLIB_OR_ZLIBNG
4521/* memory allocation functions for zlib initialization */
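/*
 * zlib allocation hook: "no" items of "size" bytes, zero-filled via glib.
 * Returns NULL (which zlib treats as an allocation failure) when the
 * product would wrap around, instead of handing back an undersized buffer.
 */
static void* ssl_zalloc(void* opaque _U_, unsigned int no, unsigned int size)
{
    if (size != 0 && no > UINT_MAX / size) {
        return NULL;
    }
    return g_malloc0(no * size);
}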
/* zlib free hook: releases a buffer obtained from ssl_zalloc. */
static void ssl_zfree(void* opaque _U_, void* addr)
{
    g_free(addr);
}
4530#endif /* USE_ZLIB_OR_ZLIBNG */
4531
/*
 * Allocates (in file scope) and initialises a decompressor for the negotiated
 * compression method. Returns NULL for method 0 (none), for unsupported
 * methods, or when zlib initialisation fails.
 */
static SslDecompress*
ssl_create_decompressor(int compression)
{
    SslDecompress *decomp;

    if (compression == 0) {
        return NULL;
    }
    ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
    decomp = wmem_new(wmem_file_scope(), SslDecompress);
    decomp->compression = compression;

#ifdef USE_ZLIB_OR_ZLIBNG
    if (decomp->compression == 1) { /* DEFLATE */
        int err;

        /* Route zlib's allocations through the glib-backed hooks above. */
        decomp->istream.zalloc = ssl_zalloc;
        decomp->istream.zfree = ssl_zfree;
        decomp->istream.opaque = Z_NULL;
        decomp->istream.next_in = Z_NULL;
        decomp->istream.next_out = Z_NULL;
        decomp->istream.avail_in = 0;
        decomp->istream.avail_out = 0;
        err = ZLIB_PREFIX(inflateInit)(&decomp->istream);
        if (err != Z_OK) {
            ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
            return NULL;
        }
        return decomp;
    }
#endif /* USE_ZLIB_OR_ZLIBNG */

    ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
    return NULL;
}
4567
4568#ifdef USE_ZLIB_OR_ZLIBNG
/*
 * Inflates one decrypted record of "inl" bytes at "in" into out_str, which is
 * grown to 16384 bytes (the maximal plaintext length) when smaller. *outl
 * receives the number of bytes produced. Returns 0 on success, -1 for an
 * unsupported method or an inflate() error.
 */
static int
ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
{
    int err = Z_OK;

    if (decomp->compression != 1) { /* only DEFLATE is implemented */
        ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
        return -1;
    }

    if (out_str->data_len < 16384) { /* maximal plain length */
        ssl_data_realloc(out_str, 16384);
    }
#ifdef z_const
    decomp->istream.next_in = in;
#else
DIAG_OFF(cast-qual)
    decomp->istream.next_in = (Bytef *)in;
DIAG_ON(cast-qual)
#endif
    decomp->istream.avail_in = inl;
    decomp->istream.next_out = out_str->data;
    decomp->istream.avail_out = out_str->data_len;
    /* An empty record has nothing to inflate and is reported as success. */
    if (inl > 0) {
        err = ZLIB_PREFIX(inflate)(&decomp->istream, Z_SYNC_FLUSH);
    }
    if (err != Z_OK) {
        ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
        return -1;
    }
    /* Bytes produced = output capacity minus what inflate() left unused. */
    *outl = out_str->data_len - decomp->istream.avail_out;
    return 0;
}
4604#else /* USE_ZLIB_OR_ZLIBNG */
/* Built without zlib: no compression method can be handled, always fails. */
int
ssl_decompress_record(SslDecompress* decomp _U_, const unsigned char* in _U_, unsigned inl _U_, StringInfo* out_str _U_, unsigned* outl _U_)
{
    ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
    return -1;
}
4611#endif /* USE_ZLIB_OR_ZLIBNG */
4612/* Record Decompression (after decryption) }}} */
4613
4614/* Create a new structure to store decrypted chunks. {{{ */
/* Allocates a file-scoped SslFlow with a fresh sequence counter, no flags and
 * an empty tree for multi-segment PDUs. */
static SslFlow*
ssl_create_flow(void)
{
    SslFlow *flow = wmem_new(wmem_file_scope(), SslFlow);

    flow->byte_seq = 0;
    flow->flags = 0;
    flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
    return flow;
}
4626/* }}} */
4627
4628/* Use the negotiated security parameters for decryption. {{{ */
/*
 * Promotes the pending decoder (server_new / client_new) for the given side to
 * the active one and clears the pending slot. Nothing happens when no pending
 * decoder exists, which is logged as a possible retransmission.
 */
void
ssl_change_cipher(SslDecryptSession *ssl_session, bool server)
{
    SslDecoder **pending = server ? &ssl_session->server_new : &ssl_session->client_new;
    SslDecoder **active = server ? &ssl_session->server : &ssl_session->client;
    const bool have_pending = *pending != NULL;

    ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
                     have_pending ? "" : " (No decoder found - retransmission?)");
    if (!have_pending) {
        return;
    }
    *active = *pending;
    *pending = NULL;
}
4641/* }}} */
4642
4643/* Init cipher state given some security parameters. {{{ */
4644static bool_Bool
4645ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
4646
/*
 * Builds a file-scoped decoder for one direction from the negotiated suite and
 * keying material: MAC key "mk" (stream/block suites), write key "sk", write
 * IV "iv" of iv_length bytes, and the optional DTLS 1.3 sequence-number key
 * "sn_key". A destroy callback releasing the cipher handles is registered on
 * the file scope. Returns NULL when a cipher context cannot be created.
 */
static SslDecoder*
ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
        int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
{
    const ssl_cipher_mode_t mode = cipher_suite->mode;
    const bool is_aead = mode == MODE_GCM || mode == MODE_CCM ||
                         mode == MODE_CCM_8 || mode == MODE_POLY1305;
    const bool wants_mac_key = (mode == MODE_STREAM && mk != NULL) || mode == MODE_CBC;
    SslDecoder *dec = wmem_new0(wmem_file_scope(), SslDecoder);

    dec->cipher_suite = cipher_suite;
    dec->compression = compression;

    /* The MAC key (stream/block suites) and the write IV (AEAD suites) share
     * one buffer embedded in the decoder, saving a separate allocation. */
    if (wants_mac_key) {
        // AEAD ciphers use no MAC key, but stream and block ciphers do. A
        // stream suite without a MAC key (the NULL-cipher case, where keying
        // material may be incomplete) skips this and still gets a decoder,
        // since "decryption" is easy for such ciphers.
        dec->mac_key.data = dec->_mac_key_or_write_iv;
        ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
    } else if (is_aead) {
        // Input for the nonce, to be used with AEAD ciphers.
        DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv));
        dec->write_iv.data = dec->_mac_key_or_write_iv;
        ssl_data_set(&dec->write_iv, iv, iv_length);
    }
    dec->seq = 0;
    dec->decomp = ssl_create_decompressor(compression);
    wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);

    if (ssl_cipher_init(&dec->evp, cipher_algo, sk, iv, cipher_suite->mode) < 0) {
        ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC,
                         cipher_algo, cipher_suite->mode);
        return NULL;
    }

    /* DTLS 1.3 record-number encryption needs a second cipher context keyed
     * with sn_key; only AES (ECB) and ChaCha20 (stream) are supported. */
    dec->sn_evp = NULL;
    if (cipher_suite->enc != ENC_NULL && sn_key != NULL) {
        ssl_cipher_mode_t sn_mode;

        if (cipher_suite->enc == ENC_AES || cipher_suite->enc == ENC_AES256) {
            sn_mode = MODE_ECB;
        } else if (cipher_suite->enc == ENC_CHACHA20) {
            sn_mode = MODE_STREAM;
        } else {
            ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
            return NULL;
        }

        if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL, sn_mode) < 0) {
            ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC,
                             cipher_algo, MODE_ECB);
            /* Release the record cipher created above so the destroy callback
             * does not see a half-built decoder. */
            ssl_cipher_cleanup(&dec->evp);
            dec->evp = NULL;
            return NULL;
        }
    }

    dec->dtls13_aad.data = NULL;
    dec->dtls13_aad.data_len = 0;
    ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
    return dec;
}
4708
/*
 * wmem file-scope callback: releases the gcrypt cipher handles and, for a
 * DEFLATE decompressor, the zlib stream owned by the decoder in user_data.
 * The decoder memory itself belongs to the scope and is not freed here.
 */
static bool
ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U_, wmem_cb_event_t event _U_, void *user_data)
{
    SslDecoder *decoder = (SslDecoder *) user_data;

    if (decoder->evp != NULL) {
        ssl_cipher_cleanup(&decoder->evp);
    }
    if (decoder->sn_evp != NULL) {
        ssl_cipher_cleanup(&decoder->sn_evp);
    }

#ifdef USE_ZLIB_OR_ZLIBNG
    /* Only DEFLATE (method 1) decompressors hold zlib state. */
    if (decoder->decomp != NULL && decoder->decomp->compression == 1) {
        ZLIB_PREFIX(inflateEnd)(&decoder->decomp->istream);
    }
#endif

    return false;
}
4726/* }}} */
4727
4728/* (Pre-)master secrets calculations {{{ */
4729#ifdef HAVE_LIBGNUTLS1
4730static bool_Bool
4731ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4732 StringInfo *encrypted_pre_master,
4733 GHashTable *key_hash);
4734#endif /* HAVE_LIBGNUTLS */
4735
4736static bool_Bool
4737ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
4738 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);
4739
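/*
 * Recovers the pre-master secret for a (D)TLS 1.2-or-earlier session from a
 * ClientKeyExchange body of "length" bytes at tvb/offset, or from the key
 * log maps in mk_map (keyed by client random, or by the first 8 bytes of the
 * encrypted PMS). For PSK suites the PMS is built from the configured key
 * (RFC 4279 section 2) and stored in ssl_session->pre_master_secret.
 *
 * Returns true when a PMS is now available in the session (and the state
 * bits updated); false when required state is missing, the version is
 * TLS 1.3 (which has no PMS), the message is malformed, or nothing matched.
 */
bool
ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
                               uint32_t length, tvbuff_t *tvb, uint32_t offset,
                               const char *ssl_psk, packet_info *pinfo,
#ifdef HAVE_LIBGNUTLS
                               GHashTable *key_hash,
#endif
                               const ssl_master_key_map_t *mk_map)
{
    const unsigned required = SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION;

    /* check for required session data */
    ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
                     G_STRFUNC, ssl_session->state);
    if ((ssl_session->state & required) != required) {
        ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC,
                         required);
        return false;
    }

    if (ssl_session->session.version == TLSV1DOT3_VERSION) {
        ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC);
        return false;
    }

    /* check to see if the PMS was provided to us*/
    if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true,
                               mk_map->pms, &ssl_session->client_random)) {
        return true;
    }

    if (ssl_session->cipher_suite->kex == KEX_PSK) {
        /* RFC 4279 section 2: premaster = uint16 N, N zero bytes, uint16 N, PSK. */
        StringInfo pre_master_secret;
        unsigned psk_len, pre_master_len;

        if (!tls_load_psk(ssl_session, ssl_psk)) {
            return false;
        }
        psk_len = ssl_session->psk.data_len;

        pre_master_len = psk_len * 2 + 4;

        pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
        pre_master_secret.data_len = pre_master_len;
        /* 2 bytes psk_len*/
        pre_master_secret.data[0] = psk_len >> 8;
        pre_master_secret.data[1] = psk_len & 0xFF;
        /* psk_len bytes times 0*/
        memset(&pre_master_secret.data[2], 0, psk_len);
        /* 2 bytes psk_len*/
        pre_master_secret.data[psk_len + 2] = psk_len >> 8;
        pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
        /* psk*/
        memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);

        ssl_session->pre_master_secret.data = pre_master_secret.data;
        ssl_session->pre_master_secret.data_len = pre_master_len;

        /* Remove the master secret if it was there.
           This forces keying material regeneration in
           case we're renegotiating */
        ssl_session->state &= ~(SSL_MASTER_SECRET|SSL_HAVE_SESSION_KEY);
        ssl_session->state |= SSL_PRE_MASTER_SECRET;
        return true;
    }

    {
        unsigned encrlen = length;
        unsigned skip = 0;

        /* get encrypted data, on tls1 we have to skip two bytes
         * (it's the encrypted len and should be equal to record len - 2)
         * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
         */
        if (ssl_session->cipher_suite->kex == KEX_RSA &&
            (ssl_session->session.version == TLSV1_VERSION ||
             ssl_session->session.version == TLSV1DOT1_VERSION ||
             ssl_session->session.version == TLSV1DOT2_VERSION ||
             ssl_session->session.version == DTLSV1DOT0_VERSION ||
             ssl_session->session.version == DTLSV1DOT2_VERSION ||
             ssl_session->session.version == TLCPV1_VERSION ))
        {
            encrlen = tvb_get_ntohs(tvb, offset);
            skip = 2;
            /* "length" is unsigned: guard the subtraction so a 0- or 1-byte
             * body cannot wrap "length - 2" into a huge upper bound and let
             * an attacker-chosen encrlen pass this check. */
            if (length < 2 || encrlen > length - 2)
            {
                ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
                                 G_STRFUNC, encrlen, length);
                return false;
            }
        }
        /* the valid lower bound is higher than 8, but it is sufficient for the
         * ssl keylog file below */
        if (encrlen < 8) {
            ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
                             G_STRFUNC, encrlen);
            return false;
        }

        StringInfo encrypted_pre_master = {
            .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
            .data_len = encrlen,
        };

#ifdef HAVE_LIBGNUTLS
        /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
        if (ssl_session->cert_key_id) {
            if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
                return true;

            ssl_debug_printf("%s: can't decrypt pre-master secret\n",
                             G_STRFUNC);
        }
#endif /* HAVE_LIBGNUTLS */

        /* try to find the pre-master secret from the encrypted one. The
         * ssl key logfile stores only the first 8 bytes, so truncate it */
        encrypted_pre_master.data_len = 8;
        if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
                                   true, mk_map->pre_master, &encrypted_pre_master))
            return true;
    }
    return false;
}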
4867
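/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
/**
 * Derive the record-layer keying material of a (D)TLS <= 1.2 session and
 * install fresh client/server decoders.
 *
 * Steps, in order:
 *  1. if only the pre-master secret is known, derive the master secret with
 *     the PRF (the "extended master secret" variant when both EMS flags are
 *     set in the session state);
 *  2. expand the master secret into the key block;
 *  3. carve MAC keys, write keys and IVs out of the key block, applying the
 *     export-cipher and SSLv3 transformations where the suite requires them;
 *  4. create ssl_session->client_new and ssl_session->server_new.
 *
 * @param ssl_session  Session whose state flags, randoms, cipher suite and
 *                     (pre-)master secret drive the derivation. A NULL cipher
 *                     is accepted with only SSL_CIPHER|SSL_VERSION known; no
 *                     MAC keys are produced in that case.
 * @return 0 on success (SSL_HAVE_SESSION_KEY is set), -1 on any failure.
 *         key_block is always released; heap buffers produced by the
 *         handshake-hash helpers are released on every exit path.
 */
int
ssl_generate_keyring_material(SslDecryptSession*ssl_session)
{
    StringInfo  key_block = { NULL, 0 };
    uint8_t     _iv_c[MAX_BLOCK_SIZE],_iv_s[MAX_BLOCK_SIZE];
    uint8_t     _key_c[MAX_KEY_SIZE],_key_s[MAX_KEY_SIZE];
    int         needed;
    int         cipher_algo = -1;   /* special value (-1) for NULL encryption */
    unsigned    encr_key_len, write_iv_len = 0;
    bool        is_export_cipher;
    uint8_t    *ptr, *c_iv = NULL, *s_iv = NULL;
    uint8_t    *c_wk = NULL, *s_wk = NULL, *c_mk = NULL, *s_mk = NULL;
    const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;

    /* (D)TLS 1.3 is handled directly in tls13_change_key. */
    if (ssl_session->session.version == TLSV1DOT3_VERSION || ssl_session->session.version == DTLSV1DOT3_VERSION) {
        ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC);
        return -1;
    }

    /* check for enough info to proceed */
    unsigned need_all = SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION;
    unsigned need_any = SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET;
    if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
        ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
                         "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
                         need_all|SSL_MASTER_SECRET, need_all|SSL_PRE_MASTER_SECRET);
        /* Special case: for NULL encryption, allow dissection of data even if
         * the Client Hello is missing (MAC keys are now skipped though). */
        need_all = SSL_CIPHER|SSL_VERSION;
        if ((ssl_session->state & need_all) == need_all &&
                cipher_suite->enc == ENC_NULL) {
            ssl_debug_printf("%s NULL cipher found, will create a decoder but "
                             "skip MAC validation as keys are missing.\n", G_STRFUNC);
            goto create_decoders;
        }

        return -1;
    }

    /* if the master secret is not available, generate it from the pre-master secret */
    if (!(ssl_session->state & SSL_MASTER_SECRET)) {
        if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK) == SSL_EXTENDED_MASTER_SECRET_MASK) {
            StringInfo handshake_hashed_data;
            int ret;

            handshake_hashed_data.data = NULL;
            handshake_hashed_data.data_len = 0;

            ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC);
            ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
            DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0);

            /* Pre-1.2 versions hash the transcript with the legacy MD5+SHA1
             * construction; 1.2 uses the suite's PRF hash (SHA-384 or SHA-256). */
            switch(ssl_session->session.version) {
            case TLSV1_VERSION:
            case TLSV1DOT1_VERSION:
            case DTLSV1DOT0_VERSION:
            case DTLSV1DOT0_OPENSSL_VERSION:
            case TLCPV1_VERSION:
                ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
                break;
            default:
                switch (cipher_suite->dig) {
                case DIG_SHA384:
                    ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
                    break;
                default:
                    ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
                    break;
                }
                break;
            }
            if (ret) {
                ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC);
                /* The hash helper may have allocated the output buffer before
                 * reporting failure; g_free(NULL) is a no-op, so this is safe
                 * either way and closes the leak on this early return. */
                g_free(handshake_hashed_data.data);
                return -1;
            }

            /* The transcript is consumed here; drop it from file scope. */
            wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
            ssl_session->handshake_data.data = NULL;
            ssl_session->handshake_data.data_len = 0;

            if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
                     &handshake_hashed_data,
                     NULL, &ssl_session->master_secret,
                     SSL_MASTER_SECRET_LENGTH)) {
                ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC);
                g_free(handshake_hashed_data.data);
                return -1;
            }
            g_free(handshake_hashed_data.data);
        } else {
            ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC);
            ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
            ssl_print_string("client random",&ssl_session->client_random);
            ssl_print_string("server random",&ssl_session->server_random);
            if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
                     &ssl_session->client_random,
                     &ssl_session->server_random, &ssl_session->master_secret,
                     SSL_MASTER_SECRET_LENGTH)) {
                ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC);
                return -1;
            }
        }
        ssl_print_string("master secret",&ssl_session->master_secret);

        /* the pre-master secret has been 'consumed' so we must clear it now */
        ssl_session->state &= ~SSL_PRE_MASTER_SECRET;
        ssl_session->state |= SSL_MASTER_SECRET;
    }

    /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
    if (cipher_suite->enc != ENC_NULL) {
        const char *cipher_name = ciphers[cipher_suite->enc-ENC_START];
        ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC, cipher_name);
        cipher_algo = ssl_get_cipher_by_name(cipher_name);
        if (cipher_algo == 0) {
            ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC, cipher_name);
            return -1;
        }
    }

    /* Export ciphers consume less material from the key block. */
    encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
    is_export_cipher = encr_key_len > 0;
    if (!is_export_cipher && cipher_suite->enc != ENC_NULL) {
        encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
    }

    if (cipher_suite->mode == MODE_CBC) {
        write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
    } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
        /* account for a four-byte salt for client and server side (from
         * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
        write_iv_len = 4;
    } else if (cipher_suite->mode == MODE_POLY1305) {
        /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
        write_iv_len = 12;
    }

    /* Compute the key block. First figure out how much data we need.
     * MAC-key bytes are always budgeted; for AEAD modes they are simply not
     * carved out below, so the key block just carries unused trailing bytes. */
    needed = ssl_cipher_suite_dig(cipher_suite)->len*2;     /* MAC key  */
    needed += 2 * encr_key_len;                             /* encryption key */
    needed += 2 * write_iv_len;                             /* write IV */

    key_block.data = (unsigned char *)g_malloc(needed);
    ssl_debug_printf("%s sess key generation\n", G_STRFUNC);
    if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
            &ssl_session->server_random,&ssl_session->client_random,
            &key_block, needed)) {
        ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC);
        goto fail;
    }
    ssl_print_string("key expansion", &key_block);

    ptr=key_block.data;
    /* client/server write MAC key (for non-AEAD ciphers) */
    if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
        c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
        s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
    }
    /* client/server write encryption key */
    c_wk=ptr; ptr += encr_key_len;
    s_wk=ptr; ptr += encr_key_len;
    /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
    if (write_iv_len > 0) {
        c_iv=ptr; ptr += write_iv_len;
        s_iv=ptr; /* last slice of the block, ptr is not advanced further */
    }

    /* export ciphers work with a smaller key length */
    if (is_export_cipher) {
        if (cipher_suite->mode == MODE_CBC) {

            /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
               all we should need. This is a sanity check */
            if (write_iv_len > MAX_BLOCK_SIZE) {
                ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
                        G_STRFUNC, MAX_BLOCK_SIZE, write_iv_len);
                goto fail;
            }

            if(ssl_session->session.version==SSLV3_VERSION){
                /* The length of these fields are ignored by this caller */
                StringInfo iv_c, iv_s;
                iv_c.data = _iv_c;
                iv_s.data = _iv_s;

                ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC);
                if (!ssl3_generate_export_iv(&ssl_session->client_random,
                        &ssl_session->server_random, &iv_c, write_iv_len)) {
                    goto fail;
                }
                ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC);
                if (!ssl3_generate_export_iv(&ssl_session->server_random,
                        &ssl_session->client_random, &iv_s, write_iv_len)) {
                    goto fail;
                }
            }
            else{
                uint8_t _iv_block[MAX_BLOCK_SIZE * 2];
                StringInfo iv_block;
                StringInfo key_null;
                uint8_t _key_null;

                /* The IV block PRF is keyed with an empty secret. */
                key_null.data = &_key_null;
                key_null.data_len = 0;

                iv_block.data = _iv_block;

                ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC);
                if (!prf(ssl_session, &key_null, "IV block",
                        &ssl_session->client_random,
                        &ssl_session->server_random, &iv_block,
                        write_iv_len * 2)) {
                    ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC);
                    goto fail;
                }

                memcpy(_iv_c, iv_block.data, write_iv_len);
                memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
            }

            c_iv=_iv_c;
            s_iv=_iv_s;
        }

        if (ssl_session->session.version==SSLV3_VERSION){

            SSL_MD5_CTX md5;
            ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC);

            /* SSLv3 export: final_client_write_key = MD5(write_key || client_random || server_random) */
            if (ssl_md5_init(&md5) != 0)
                goto fail;
            ssl_md5_update(&md5,c_wk,encr_key_len);
            ssl_md5_update(&md5,ssl_session->client_random.data,
                ssl_session->client_random.data_len);
            ssl_md5_update(&md5,ssl_session->server_random.data,
                ssl_session->server_random.data_len);
            ssl_md5_final(_key_c,&md5);
            ssl_md5_cleanup(&md5);
            c_wk=_key_c;

            /* ... and the server side hashes the randoms in the opposite order. */
            if (ssl_md5_init(&md5) != 0)
                goto fail;
            ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC);
            ssl_md5_update(&md5,s_wk,encr_key_len);
            ssl_md5_update(&md5,ssl_session->server_random.data,
                ssl_session->server_random.data_len);
            ssl_md5_update(&md5,ssl_session->client_random.data,
                ssl_session->client_random.data_len);
            ssl_md5_final(_key_s,&md5);
            ssl_md5_cleanup(&md5);
            s_wk=_key_s;
        }
        else{
            StringInfo key_c, key_s, k;
            key_c.data = _key_c;
            key_s.data = _key_s;

            k.data = c_wk;
            k.data_len = encr_key_len;
            ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC);
            if (!prf(ssl_session, &k, "client write key",
                    &ssl_session->client_random,
                    &ssl_session->server_random, &key_c, sizeof(_key_c))) {
                ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC);
                goto fail;
            }
            c_wk=_key_c;

            k.data = s_wk;
            k.data_len = encr_key_len;
            ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC);
            if (!prf(ssl_session, &k, "server write key",
                    &ssl_session->client_random,
                    &ssl_session->server_random, &key_s, sizeof(_key_s))) {
                ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC);
                goto fail;
            }
            s_wk=_key_s;
        }
    }

    /* show key material info */
    if (c_mk != NULL) {
        ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
        ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
    }
    ssl_print_data("Client Write key", c_wk, encr_key_len);
    ssl_print_data("Server Write key", s_wk, encr_key_len);
    /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
    if (write_iv_len > 0) {
        ssl_print_data("Client Write IV", c_iv, write_iv_len);
        ssl_print_data("Server Write IV", s_iv, write_iv_len);
    }

create_decoders:
    /* create both client and server ciphers. On the NULL-cipher shortcut
     * all key pointers are still NULL and cipher_algo is -1. */
    ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC);
    ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL, c_iv, write_iv_len);
    if (!ssl_session->client_new) {
        ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC);
        goto fail;
    }
    ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC);
    ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL, s_iv, write_iv_len);
    if (!ssl_session->server_new) {
        ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC);
        goto fail;
    }

    /* Continue the SSL stream after renegotiation with new keys. */
    ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
    ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();

    ssl_debug_printf("%s: client seq %" PRIu64 ", server seq %" PRIu64 "\n",
                     G_STRFUNC, ssl_session->client_new->seq, ssl_session->server_new->seq);
    g_free(key_block.data);
    ssl_session->state |= SSL_HAVE_SESSION_KEY;
    return 0;

fail:
    g_free(key_block.data);
    return -1;
}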
5194
/* Generate the key material based on the given secret. */
/*
 * Expand a (D)TLS 1.3 traffic secret into the write key and write IV for one
 * direction (plus the record-number key "sn" for DTLS 1.3), build a decoder
 * from them and make it the current decoder for that direction, reusing the
 * previous decoder's flow when there is one.
 *
 * Returns true once the decoder is installed, false on any failure. The
 * expanded key material is released before returning on every path.
 */
bool
tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool is_from_server)
{
    const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
    const uint16_t version = ssl_session->session.version;
    unsigned char *key_buf = NULL, *iv_buf = NULL, *sn_buf = NULL;
    bool ok = false;

    if ((version != TLSV1DOT3_VERSION) && (version != DTLSV1DOT3_VERSION)) {
        ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC,
                         ssl_session->session.version);
        return false;
    }

    if (cipher_suite == NULL) {
        ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC);
        return false;
    }

    if (cipher_suite->kex != KEX_TLS13) {
        ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC, cipher_suite->number);
        return false;
    }

    /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
    const char *cipher_name = ciphers[cipher_suite->enc-ENC_START];
    ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC, cipher_name);
    const int cipher_algo = ssl_get_cipher_by_name(cipher_name);
    if (cipher_algo == 0) {
        ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC, cipher_name);
        return false;
    }

    const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
    const int hash_algo = ssl_get_digest_by_name(hash_name);
    if (!hash_algo) {
        ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC, hash_name);
        return false;
    }

    const unsigned key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
    /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
    const unsigned iv_length = 12;
    ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC, key_length, iv_length);

    const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
    if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &key_buf)) {
        ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC);
        return false;
    }
    if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &iv_buf)) {
        ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC);
        goto cleanup;
    }

    const bool is_dtls13 = version == DTLSV1DOT3_VERSION;
    if (is_dtls13) {
        /* DTLS 1.3 additionally needs a key for record-number protection. */
        if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_buf)) {
            ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC);
            goto cleanup;
        }
    }

    ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", key_buf, key_length);
    ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", iv_buf, iv_length);
    if (is_dtls13) {
        ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_buf, key_length);
    }

    const char *side = is_from_server ? "server" : "client";
    ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC, side);
    SslDecoder *decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL, key_buf, sn_buf, iv_buf, iv_length);
    if (!decoder) {
        ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC, side);
        goto cleanup;
    }

    /* Continue the TLS session with new keys, but reuse old flow to keep things
     * like "Follow TLS" working (by linking application data records). */
    SslDecoder **slot = is_from_server ? &ssl_session->server : &ssl_session->client;
    decoder->flow = *slot ? (*slot)->flow : ssl_create_flow();
    *slot = decoder;

    ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC,
                     is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
    ok = true;

cleanup:
    wmem_free(NULL, key_buf);
    wmem_free(NULL, iv_buf);
    if (sn_buf)
        wmem_free(NULL, sn_buf);
    return ok;
}
5295/* (Pre-)master secrets calculations }}} */
5296
5297#ifdef HAVE_LIBGNUTLS1
/* Decrypt RSA pre-master secret using RSA private key. {{{ */
/*
 * Recover the 48-byte pre-master secret of an RSA key-exchange session from
 * the ClientKeyExchange payload, either with a private key from the RSA keys
 * table (looked up by ssl_session->cert_key_id in key_hash) or, when none is
 * configured, through secrets_rsa_decrypt().
 *
 * On success the secret is copied into ssl_session->pre_master_secret (file
 * scope), SSL_PRE_MASTER_SECRET is set and any previously derived master
 * secret / session keys are invalidated so that keying material is
 * regenerated. Returns false on any error (DH suites, non-RSA suites,
 * decryption failure, unexpected secret length).
 */
static bool
ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
                              StringInfo *encrypted_pre_master, GHashTable *key_hash)
{
    if (!encrypted_pre_master)
        return false;

    const int kex = ssl_session->cipher_suite->kex;
    if (KEX_IS_DH(kex)) {
        ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
                         "(cipher suite 0x%04X %s) and cannot be decrypted "
                         "using a RSA private key file.\n",
                         G_STRFUNC, ssl_session->session.cipher,
                         val_to_str_ext_const(ssl_session->session.cipher,
                             &ssl_31_ciphersuite_ext, "unknown"));
        return false;
    }
    if (kex != KEX_RSA) {
        ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
                         G_STRFUNC, kex, KEX_RSA);
        return false;
    }

    gnutls_privkey_t privkey = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);

    ssl_print_string("pre master encrypted", encrypted_pre_master);
    ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC);
    const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
    gnutls_datum_t pms = { 0 };

    if (privkey == NULL) {
        // Try to decrypt using a hardware token.
        const int rc = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
        if (rc < 0) {
            ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC, rc, gnutls_strerror(rc));
            return false;
        }
    } else {
        // Try to decrypt using the RSA keys table from (D)TLS preferences.
        char *err_msg = NULL;
        gcry_sexp_t sexp_key = rsa_abstract_privkey_to_sexp(privkey, &err_msg);
        if (!sexp_key) {
            ssl_debug_printf("%s: decryption failed: Can't export private key: %s", G_STRFUNC, err_msg);
            g_free(err_msg);
            return false;
        }

        pms.size = (int)rsa_decrypt(encrypted_pre_master->data_len, encrypted_pre_master->data, &pms.data, sexp_key, "pkcs1", &err_msg);
        rsa_private_key_free(sexp_key);
        if (pms.size == 0) {
            ssl_debug_printf("%s: decryption failed: %s\n", G_STRFUNC, err_msg);
            g_free(err_msg);
            return false;
        }
    }

    /* A (D)TLS pre-master secret is always 48 bytes (2-byte version + 46 random). */
    if (pms.size != 48) {
        ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
                         G_STRFUNC, pms.size, 48);
        g_free(pms.data);
        return false;
    }

    ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
    ssl_session->pre_master_secret.data_len = 48;
    g_free(pms.data);
    ssl_print_string("pre master secret", &ssl_session->pre_master_secret);

    /* Remove the master secret if it was there.
       This forces keying material regeneration in
       case we're renegotiating */
    ssl_session->state &= ~(SSL_MASTER_SECRET|SSL_HAVE_SESSION_KEY);
    ssl_session->state |= SSL_PRE_MASTER_SECRET;
    return true;
} /* }}} */
5373#endif /* HAVE_LIBGNUTLS */
5374
5375/* Decryption integrity check {{{ */
5376
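/**
 * Verify the record MAC of a (D)TLS <= 1.2 non-AEAD record:
 * HMAC(mac_key, seq || type || version || length || data).
 *
 * @param decoder  Per-direction decoder; supplies the digest, the MAC key and
 *                 the running sequence number (which this call advances).
 * @param ct       Record content type (one byte is hashed).
 * @param ver      Record version (hashed as a big-endian 16-bit value).
 * @param data     Plaintext fragment the MAC covers.
 * @param datalen  Length of data (hashed as a big-endian 16-bit value).
 * @param mac      Received MAC to compare against; must hold the digest size.
 * @return 0 when the computed MAC matches mac, -1 on a mismatch or when the
 *         HMAC context cannot be set up. decoder->seq is incremented once
 *         the context is ready, regardless of the comparison result.
 */
static int
tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
        uint32_t datalen, uint8_t* mac)
{
    SSL_HMAC hm;
    int      md;
    uint32_t len;
    uint8_t  buf[DIGEST_MAX_SIZE];
    int16_t  temp;

    md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
    ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
        ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);

    if (ssl_hmac_init(&hm,md) != 0)
        return -1;
    if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0) {
        /* ssl_hmac_init already opened the context; release it on this
         * failure path too, as the success path does below. */
        ssl_hmac_cleanup(&hm);
        return -1;
    }

    /* hash sequence number */
    phtonu64(buf, decoder->seq);

    decoder->seq++;

    ssl_hmac_update(&hm,buf,8);

    /* hash content type */
    buf[0]=ct;
    ssl_hmac_update(&hm,buf,1);

    /* hash version,data length and data*/
    /* g_htons() keeps the wire (big-endian) order; memcpy avoids an
     * unaligned int16 store into buf. */
    temp = g_htons(ver);
    memcpy(buf, &temp, 2);
    ssl_hmac_update(&hm,buf,2);

    temp = g_htons(datalen);
    memcpy(buf, &temp, 2);
    ssl_hmac_update(&hm,buf,2);
    ssl_hmac_update(&hm,data,datalen);

    /* get digest and digest len*/
    len = sizeof(buf);
    ssl_hmac_final(&hm,buf,&len);
    ssl_hmac_cleanup(&hm);
    ssl_print_data("Mac", buf, len);
    if(memcmp(mac,buf,len))
        return -1;

    return 0;
}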
5429
/*
 * Verify an SSLv3 record MAC, which is the nested (non-HMAC) construction
 *   hash(mac_key || pad_0x5c || hash(mac_key || pad_0x36 || seq || type || length || data))
 * with a 48-byte pad for MD5 and a 40-byte pad for SHA-1.
 *
 * Returns 0 when the computed MAC equals mac, -1 on mismatch or when the
 * digest context cannot be created. decoder->seq is advanced as a side effect.
 */
static int
ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
        uint32_t datalen, uint8_t* mac)
{
    SSL_MD   ctx;
    uint8_t  scratch[64];
    uint8_t  inner[20];
    uint32_t digest_len;   /* NOTE(review): written by ssl_md_final; not initialised before the first call — confirm the helper never reads it */
    int16_t  be16;

    /* get cipher used for digest computation */
    const int algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
    const int pad_len = (decoder->cipher_suite->dig == DIG_SHA) ? 40 : 48;

    if (ssl_md_init(&ctx,algo) !=0)
        return -1;

    /* inner hash: key, ipad-style padding, sequence number, type, length, data */
    ssl_md_update(&ctx,decoder->mac_key.data,decoder->mac_key.data_len);

    memset(scratch,0x36,pad_len);
    ssl_md_update(&ctx,scratch,pad_len);

    phtonu64(scratch, decoder->seq);
    decoder->seq++;
    ssl_md_update(&ctx,scratch,8);

    scratch[0]=ct;
    ssl_md_update(&ctx,scratch,1);

    /* data length in network byte order, stored via memcpy to avoid an
     * unaligned int16 write */
    be16 = g_htons(datalen);
    memcpy(scratch, &be16, 2);
    ssl_md_update(&ctx,scratch,2);
    ssl_md_update(&ctx,data,datalen);

    ssl_md_final(&ctx,inner,&digest_len);
    ssl_md_reset(&ctx);

    /* outer hash: key, opad-style padding, inner digest */
    ssl_md_update(&ctx,decoder->mac_key.data,decoder->mac_key.data_len);

    memset(scratch,0x5c,pad_len);
    ssl_md_update(&ctx,scratch,pad_len);
    ssl_md_update(&ctx,inner,digest_len);

    ssl_md_final(&ctx,inner,&digest_len);
    ssl_md_cleanup(&ctx);

    return memcmp(mac,inner,digest_len) ? -1 : 0;
}
5491
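/**
 * Verify the record MAC of a DTLS <= 1.2 non-AEAD record. The MAC input is
 * the epoch+sequence number, content type, version, length and data; for
 * connection-ID records (ct == SSL_ID_TLS12_CID on DTLS 1.2) the CID is
 * mixed in using one of two layouts, selected by ssl->session.deprecated_cid.
 *
 * @param ssl      Session; supplies the version and the CID layout flag.
 * @param decoder  Per-direction decoder; supplies digest, MAC key, epoch and
 *                 sequence number (the sequence number is not advanced here).
 * @param ct       Record content type.
 * @param data     Plaintext fragment the MAC covers.
 * @param datalen  Length of data (hashed as a big-endian 16-bit value).
 * @param mac      Received MAC to compare against; must hold the digest size.
 * @param cid      Connection ID bytes (only read when is_cid is true).
 * @param cidl     Length of cid.
 * @return 0 when the computed MAC matches mac, -1 on mismatch or when the
 *         HMAC context cannot be set up.
 */
static int
dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
        uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
{
    SSL_HMAC hm;
    int      md;
    uint32_t len;
    uint8_t  buf[DIGEST_MAX_SIZE];
    int16_t  temp;

    int ver = ssl->session.version;
    bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION));

    md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
    ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
        ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);

    if (ssl_hmac_init(&hm,md) != 0)
        return -1;
    if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0) {
        /* ssl_hmac_init already opened the context; release it on this
         * failure path too, as the success path does below. */
        ssl_hmac_cleanup(&hm);
        return -1;
    }

    ssl_debug_printf("dtls_check_mac seq: %" PRIu64 " epoch: %d\n",decoder->seq,decoder->epoch);

    if (is_cid && !ssl->session.deprecated_cid) {
        /* hash seq num placeholder */
        memset(buf,0xFF,8);
        ssl_hmac_update(&hm,buf,8);

        /* hash content type + cid length + content type */
        buf[0]=ct;
        buf[1]=cidl;
        buf[2]=ct;
        ssl_hmac_update(&hm,buf,3);

        /* hash version */
        temp = g_htons(ver);
        memcpy(buf, &temp, 2);
        ssl_hmac_update(&hm,buf,2);

        /* hash sequence number; the top two bytes of the 64-bit field carry the epoch */
        phtonu64(buf, decoder->seq);
        buf[0]=decoder->epoch>>8;
        buf[1]=(uint8_t)decoder->epoch;
        ssl_hmac_update(&hm,buf,8);

        /* hash cid */
        ssl_hmac_update(&hm,cid,cidl);
    } else {
        /* hash sequence number; the top two bytes of the 64-bit field carry the epoch */
        phtonu64(buf, decoder->seq);
        buf[0]=decoder->epoch>>8;
        buf[1]=(uint8_t)decoder->epoch;
        ssl_hmac_update(&hm,buf,8);

        /* hash content type */
        buf[0]=ct;
        ssl_hmac_update(&hm,buf,1);

        /* hash version */
        temp = g_htons(ver);
        memcpy(buf, &temp, 2);
        ssl_hmac_update(&hm,buf,2);

        if (is_cid && ssl->session.deprecated_cid) {
            /* deprecated layout: cid follows the version, then its length */
            ssl_hmac_update(&hm,cid,cidl);

            /* hash cid length */
            buf[0] = cidl;
            ssl_hmac_update(&hm,buf,1);
        }
    }

    /* data length and data */
    temp = g_htons(datalen);
    memcpy(buf, &temp, 2);
    ssl_hmac_update(&hm,buf,2);
    ssl_hmac_update(&hm,data,datalen);

    /* get digest and digest len */
    len = sizeof(buf);
    ssl_hmac_final(&hm,buf,&len);
    ssl_hmac_cleanup(&hm);
    ssl_print_data("Mac", buf, len);
    if(memcmp(mac,buf,len))
        return -1;

    return 0;
}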
5582/* Decryption integrity check }}} */
5583
5584
5585static bool_Bool
5586tls_decrypt_aead_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder,
5587 uint8_t ct, uint16_t record_version,
5588 bool_Bool ignore_mac_failed,
5589 const unsigned char *in, uint16_t inl,
5590 const unsigned char *cid, uint8_t cidl,
5591 StringInfo *out_str, unsigned *outl)
5592{
5593 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5594 * GenericAEADCipher: { nonce_explicit, [content] }
5595 * In TLS 1.3 this explicit nonce is gone.
5596 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5597 * ciphertext and authentication tag.
5598 */
5599 const uint16_t version = ssl->session.version;
5600 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
5601 gcry_error_t err;
5602 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
5603 unsigned ciphertext_len, auth_tag_len;
5604 unsigned char nonce[12];
5605 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5606 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
5607 const uint8_t draft_version = ssl->session.tls13_draft_version;
5608 const unsigned char *auth_tag_wire;
5609 unsigned char auth_tag_calc[16];
5610 unsigned char *aad = NULL((void*)0);
5611 unsigned aad_len = 0;
5612
5613 switch (cipher_mode) {
5614 case MODE_GCM:
5615 case MODE_CCM:
5616 case MODE_POLY1305:
5617 auth_tag_len = 16;
5618 break;
5619 case MODE_CCM_8:
5620 auth_tag_len = 8;
5621 break;
5622 default:
5623 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
5624 return false0;
5625 }
5626
5627 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5628 if (is_v12 && cipher_mode != MODE_POLY1305) {
5629 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
5630 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5631 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
5632 return false0;
5633 }
5634 explicit_nonce = in;
5635 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
5636 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
5637 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5638 if (inl < auth_tag_len) {
5639 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
5640 return false0;
5641 }
5642 ciphertext = in;
5643 ciphertext_len = inl - auth_tag_len;
5644 } else {
5645 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
5646 return false0;
5647 }
5648 auth_tag_wire = ciphertext + ciphertext_len;
5649
5650 /*
5651 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5652 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5653 */
5654 if (is_v12 && cipher_mode != MODE_POLY1305) {
5655 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5655, "decoder->write_iv.data_len == 4"))))
;
5656 /* Implicit (4) and explicit (8) part of nonce. */
5657 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
5658 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
5659
5660 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5661 /*
5662 * Technically the nonce length must be at least 8 bytes, but for
5663 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5664 */
5665 const unsigned nonce_len = 12;
5666 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5666, "decoder->write_iv.data_len == nonce_len"
))))
;
5667 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5668 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5669 phtonu64(nonce + nonce_len - 8, pntohu64(nonce + nonce_len - 8) ^ decoder->seq);
5670 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
5671 }
5672
5673 /* Set nonce and additional authentication data */
5674 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0)
;
5675 ssl_print_data("nonce", nonce, 12);
5676 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5677 if (err) {
5678 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5679 return false0;
5680 }
5681
5682 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5683 if (is_cid) { /* if connection ID */
5684 if (ssl->session.deprecated_cid) {
5685 aad_len = 14 + cidl;
5686 aad = wmem_alloc(allocator, aad_len);
5687 phtonu64(aad, decoder->seq); /* record sequence number */
5688 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5689 aad[8] = ct; /* TLSCompressed.type */
5690 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5691 memcpy(aad + 11, cid, cidl); /* cid */
5692 aad[11 + cidl] = cidl; /* cid_length */
5693 phtonu16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5694 } else {
5695 aad_len = 23 + cidl;
5696 aad = wmem_alloc(allocator, aad_len);
5697 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5698 aad[8] = ct; /* TLSCompressed.type */
5699 aad[9] = cidl; /* cid_length */
5700 aad[10] = ct; /* TLSCompressed.type */
5701 phtonu16(aad + 11, record_version); /* TLSCompressed.version */
5702 phtonu64(aad + 13, decoder->seq); /* record sequence number */
5703 phtonu16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5704 memcpy(aad + 21, cid, cidl); /* cid */
5705 phtonu16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5706 }
5707 } else if (is_v12) {
5708 aad_len = 13;
5709 aad = wmem_alloc(allocator, aad_len);
5710 phtonu64(aad, decoder->seq); /* record sequence number */
5711 if (version == DTLSV1DOT2_VERSION0xfefd) {
5712 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5713 }
5714 aad[8] = ct; /* TLSCompressed.type */
5715 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5716 phtonu16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5717 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
5718 aad_len = decoder->dtls13_aad.data_len;
5719 aad = decoder->dtls13_aad.data;
5720 } else if (draft_version >= 25 || draft_version == 0) {
5721 aad_len = 5;
5722 aad = wmem_alloc(allocator, aad_len);
5723 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5724 phtonu16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5725 phtonu16(aad + 3, inl); /* TLSCiphertext.length */
5726 }
5727
5728 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5729 /* size of plaintext, additional authenticated data and auth tag. */
5730 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5731
5732 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5733 }
5734
5735 if (aad && aad_len > 0) {
5736 ssl_print_data("AAD", aad, aad_len);
5737 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5738 if (err) {
5739 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5740 return false0;
5741 }
5742 }
5743
5744 /* Decrypt now that nonce and AAD are set. */
5745 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5746 if (err) {
5747 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5748 return false0;
5749 }
5750
5751 /* Check authentication tag for authenticity (replaces MAC) */
5752 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5753 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5754 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5755 } else {
5756 if (err) {
5757 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5758 } else {
5759 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
5760 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5761 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5762 }
5763 if (ignore_mac_failed) {
5764 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
5765 } else {
5766 return false0;
5767 }
5768 }
5769
5770 /*
5771 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5772 * after successful authentication to ensure that early data is skipped when
5773 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5774 */
5775 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
5776 decoder->seq++;
5777 }
5778
5779 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5780 *outl = ciphertext_len;
5781 return true1;
5782}
5783
5784/* Record decryption glue based on security parameters {{{ */
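/* Assume that we are called only for a non-NULL decoder which also means that
 * we have a non-NULL decoder->cipher_suite. */
/**
 * Decrypt one TLS/DTLS record fragment into out_str.
 *
 * AEAD cipher suites and (D)TLS 1.3 records are delegated to
 * tls_decrypt_aead_record(). Everything else takes the classic path:
 * strip the explicit IV (CBC on TLS 1.1+/DTLS), decrypt, strip the CBC
 * padding, locate and verify the MAC (plain or Encrypt-then-MAC, RFC 7366),
 * and finally decompress when the session negotiated compression.
 *
 * @param allocator        Scope for temporary buffers used by the AEAD path.
 * @param ssl              Session; ssl->session.version and ssl->state are read.
 * @param decoder          Decoder for this direction (cipher handle, sequence
 *                         number, compression state). Must be non-NULL with a
 *                         non-NULL cipher_suite. decoder->seq may be advanced.
 * @param ct               Record content type.
 * @param record_version   Version field of the record header.
 * @param ignore_mac_failed Troubleshooting aid: a MAC/auth-tag failure is
 *                         logged and the (unauthenticated) plaintext is still
 *                         returned instead of failing.
 * @param in               Ciphertext fragment of @p inl bytes.
 * @param cid              DTLS connection ID of @p cidl bytes (may be empty).
 * @param comp_str         Scratch copy of the plaintext used during decompression.
 * @param out_str          Receives the plaintext; grown via ssl_data_realloc()
 *                         when too small.
 * @param outl             Receives the plaintext length on success.
 * @return 0 on success, -1 on failure. On failure *outl and the contents of
 *         out_str are unspecified.
 */
int
ssl_decrypt_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
        bool ignore_mac_failed,
        const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
        StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
{
    unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
    uint8_t *mac = NULL, *mac_frag = NULL;

    ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
    ssl_print_data("Ciphertext",in, inl);

    /* A TLS 1.3 key exchange implies a (D)TLS 1.3 session and vice versa;
     * any other combination is a key/version mix-up, not something to decrypt. */
    if (((ssl->session.version == TLSV1DOT3_VERSION || ssl->session.version == DTLSV1DOT3_VERSION))
            != (decoder->cipher_suite->kex == KEX_TLS13)) {
        ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC);
        return -1;
    }

    /* ensure we have enough storage space for decrypted data */
    if (inl > out_str->data_len)
    {
        ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
                         inl + 32, out_str->data_len);
        ssl_data_realloc(out_str, inl + 32);
    }

    /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
     * a separate MAC, so use a different routine for simplicity. */
    if (decoder->cipher_suite->mode == MODE_GCM ||
        decoder->cipher_suite->mode == MODE_CCM ||
        decoder->cipher_suite->mode == MODE_CCM_8 ||
        decoder->cipher_suite->mode == MODE_POLY1305 ||
        ssl->session.version == TLSV1DOT3_VERSION ||
        ssl->session.version == DTLSV1DOT3_VERSION) {

        if (!tls_decrypt_aead_record(allocator, ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
            /* decryption failed */
            return -1;
        }

        goto skip_mac;
    }

    /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
     * (notation: { unencrypted, [ encrypted ] })
     * GenericStreamCipher: { [content, mac] }
     * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
     * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
     * GenericAEADCipher: { nonce_explicit, [content] }
     * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
     * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
     */

    maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;

    /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
    if (decoder->cipher_suite->mode == MODE_CBC) {
        unsigned blocksize = 0;

        switch (ssl->session.version) {
        case TLSV1DOT1_VERSION:
        case TLSV1DOT2_VERSION:
        case DTLSV1DOT0_VERSION:
        case DTLSV1DOT2_VERSION:
        case DTLSV1DOT3_VERSION:
        case DTLSV1DOT0_OPENSSL_VERSION:
        case TLCPV1_VERSION:
            blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
            if (inl < blocksize) {
                ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
                                 inl, blocksize);
                return -1;
            }
            pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
            if (pad != 0) {
                /* Only logged: decryption continues with whatever IV the
                 * cipher handle currently holds and relies on the MAC check
                 * below to reject the result. */
                ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
                                 gcry_strsource (pad), gcry_strerror (pad));
            }

            inl -= blocksize;
            in += blocksize;
            break;
        default:
            /* Versions not listed above (SSL 3.0, TLS 1.0) carry no explicit
             * IV, so blocksize stays 0 and nothing is stripped. */
            break;
        }

        /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
        if (ssl->state & SSL_ENCRYPT_THEN_MAC) {
            /*
             * MAC is calculated over (IV + ) ENCRYPTED contents:
             *
             * MAC(MAC_write_key, ... +
             * IV + // for TLS 1.1 or greater
             * TLSCiphertext.enc_content);
             */
            if (inl < maclen) {
                ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
                                 G_STRFUNC, inl, maclen);
                return -1;
            }
            inl -= maclen;
            mac = (uint8_t *)in + inl;
            /* 'in' was advanced past the explicit IV above; rewind so the
             * MAC input covers the IV again. */
            mac_frag = (uint8_t *)in - blocksize;
            mac_fraglen = blocksize + inl;
        }
    }

    /* First decrypt*/
    if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
        ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
                         gcry_strerror (pad));
        return -1;
    }

    ssl_print_data("Plaintext", out_str->data, inl);
    worklen=inl;


    /* strip padding for GenericBlockCipher */
    if (decoder->cipher_suite->mode == MODE_CBC) {
        if (inl < 1) { /* Should this check happen earlier? */
            ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
            return -1;
        }
        /* Last byte is padding_length; the padding bytes themselves are
         * not verified here. */
        pad=out_str->data[inl-1];
        if (worklen <= pad) {
            ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
                             pad, worklen);
            return -1;
        }
        worklen-=(pad+1);
        ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
                         pad, worklen);
    }

    /* MAC for GenericStreamCipher and GenericBlockCipher.
     * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
    if (!mac) {
        /*
         * MAC is calculated over the DECRYPTED contents:
         *
         * MAC(MAC_write_key, ... + TLSCompressed.fragment);
         */
        if (worklen < maclen) {
            /* *outl has not been written on this path yet, so report the
             * input length rather than the caller's indeterminate value. */
            ssl_debug_printf("%s wrong record len/padding inlen %d work %d\n", G_STRFUNC, inl, worklen);
            return -1;
        }
        worklen -= maclen;
        mac = out_str->data + worklen;
        mac_frag = out_str->data;
        mac_fraglen = worklen;
    }

    /* If NULL encryption active and no keys are available, do not bother
     * checking the MAC. We do not have keys for that. */
    if (decoder->cipher_suite->mode == MODE_STREAM &&
        decoder->cipher_suite->enc == ENC_NULL &&
        !(ssl->state & SSL_MASTER_SECRET)) {
        ssl_debug_printf("MAC check skipped due to missing keys\n");
        decoder->seq++; // Increment this for display
        goto skip_mac;
    }

    /* Now check the MAC */
    ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64 ")\n",
                     worklen, ssl->session.version, ct, decoder->seq);
    if(ssl->session.version==SSLV3_VERSION){
        if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
            if(ignore_mac_failed) {
                ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
            }
            else{
                ssl_debug_printf("ssl_decrypt_record: mac failed\n");
                return -1;
            }
        }
        else{
            ssl_debug_printf("ssl_decrypt_record: mac ok\n");
        }
    }
    else if(ssl->session.version==TLSV1_VERSION || ssl->session.version==TLSV1DOT1_VERSION || ssl->session.version==TLSV1DOT2_VERSION || ssl->session.version==TLCPV1_VERSION){
        if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
            if(ignore_mac_failed) {
                ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
            }
            else{
                ssl_debug_printf("ssl_decrypt_record: mac failed\n");
                return -1;
            }
        }
        else{
            ssl_debug_printf("ssl_decrypt_record: mac ok\n");
        }
    }
    else if(ssl->session.version==DTLSV1DOT0_VERSION ||
        ssl->session.version==DTLSV1DOT2_VERSION ||
        ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION){
        /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
        if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
            ssl_debug_printf("ssl_decrypt_record: mac ok\n");
        }
        else if(tls_check_mac(decoder,ct,TLSV1_VERSION,mac_frag,mac_fraglen,mac)>= 0) {
            ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
        }
        else if(ignore_mac_failed) {
            ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
        }
        else{
            ssl_debug_printf("ssl_decrypt_record: mac failed\n");
            return -1;
        }
    }
skip_mac:

    *outl = worklen;

    if (decoder->compression > 0) {
        ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
        ssl_data_copy(comp_str, out_str);
        ssl_print_data("Plaintext compressed", comp_str->data, worklen);
        if (!decoder->decomp) {
            ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
            return -1;
        }
        if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
        ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
        *outl = uncomplen;
    }

    return 0;
}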
6016/* Record decryption glue based on security parameters }}} */
6017
6018
6019
6020#ifdef HAVE_LIBGNUTLS1
6021
6022/* RSA private key file processing {{{ */
/*
 * Derive the key ID of the server's certificate public key and remember it in
 * ssl->cert_key_id, so the matching RSA private key can be looked up later.
 * Non-RSA keys and any GnuTLS failure are logged and leave ssl untouched.
 */
static void
ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
                               const gnutls_datum_t *subjectPublicKeyInfo)
{
    gnutls_pubkey_t pubkey = NULL;
    cert_key_id_t key_id;
    size_t key_id_len = sizeof(key_id);
    int rc;

    if (subjectPublicKeyInfo->size == 0) {
        ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC);
        return;
    }

    rc = gnutls_pubkey_init(&pubkey);
    if (rc < 0) {
        ssl_debug_printf("%s: failed to init pubkey: %s\n",
                         G_STRFUNC, gnutls_strerror(rc));
        return;
    }

    /* From here on pubkey is owned by us; every exit goes through cleanup. */
    rc = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
    if (rc < 0) {
        ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
                         G_STRFUNC, gnutls_strerror(rc));
        goto cleanup;
    }

    if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) != GNUTLS_PK_RSA) {
        ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC);
        goto cleanup;
    }

    /* Generate a 20-byte SHA-1 hash. */
    rc = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
    if (rc < 0) {
        ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
                         G_STRFUNC, gnutls_strerror(rc));
        goto cleanup;
    }

    /* Anything other than a full-size key ID would be truncated storage. */
    if (key_id_len != sizeof(key_id)) {
        ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
                         G_STRFUNC, sizeof(key_id), key_id_len);
        goto cleanup;
    }

    ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
    /* File-scoped copy: lives as long as the capture file is open. */
    ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t);
    *ssl->cert_key_id = key_id;

cleanup:
    gnutls_pubkey_deinit(pubkey);
}
6077
6078/* RSA private key file processing }}} */
6079#endif /* HAVE_LIBGNUTLS */
6080
6081/*--- Start of dissector-related code below ---*/
6082
6083/* This is not a "protocol" but ensures that this gets called during
6084 * the handoff stage. */
void proto_reg_handoff_tls_utils(void);

/* Resolved once in proto_reg_handoff_tls_utils(). ssl_get_session() compares
 * the caller's handle against these to decide which stream counter to bump. */
static dissector_handle_t base_tls_handle = NULL;
static dissector_handle_t dtls_handle = NULL;
6089
/* Handoff hook: cache the TLS and DTLS record-layer dissector handles. */
void
proto_reg_handoff_tls_utils(void)
{
    dissector_handle_t tls = find_dissector("tls");
    dissector_handle_t dtls = find_dissector("dtls");

    base_tls_handle = tls;
    dtls_handle = dtls;
}
6096
/* Look up an existing SslDecryptSession without creating one. Returns NULL if
 * no session exists.
 *
 * @param conversation   Conversation to inspect; NULL is tolerated.
 * @param proto_ssl      Protocol index under which the session map is stored.
 * @param curr_layer_num Nesting level of TLS in this packet (map key).
 */
SslDecryptSession *
tls_get_session(conversation_t *conversation, int proto_ssl, uint8_t curr_layer_num)
{
    if (conversation == NULL)
        return NULL;

    /* The per-conversation data is a map from layer number to session. */
    wmem_map_t *session_map = (wmem_map_t *)conversation_get_proto_data(conversation, proto_ssl);
    if (session_map == NULL)
        return NULL;

    return (SslDecryptSession *)wmem_map_lookup(session_map,
                                                GUINT_TO_POINTER((unsigned)curr_layer_num));
}
6118
/* Point every StringInfo of a freshly zeroed session at its backing storage
 * and reset the parameters that are not specific to decryption. */
static void
ssl_session_init_fields(SslDecryptSession *s)
{
    /* data_len is the part that is meaningful, not the allocated length */
    s->master_secret.data_len = 0;
    s->master_secret.data = s->_master_secret;
    s->session_id.data_len = 0;
    s->session_id.data = s->_session_id;
    s->client_random.data_len = 0;
    s->client_random.data = s->_client_random;
    s->server_random.data_len = 0;
    s->server_random.data = s->_server_random;
    s->session_ticket.data_len = 0;
    s->session_ticket.data = NULL; /* will be re-alloced as needed */
    s->server_data_for_iv.data_len = 0;
    s->server_data_for_iv.data = s->_server_data_for_iv;
    s->client_data_for_iv.data_len = 0;
    s->client_data_for_iv.data = s->_client_data_for_iv;
    s->app_data_segment.data = NULL;
    s->app_data_segment.data_len = 0;
    s->handshake_data.data = NULL;
    s->handshake_data.data_len = 0;
    s->ech_transcript.data = NULL;
    s->ech_transcript.data_len = 0;

    /* Initialize parameters which are not necessary specific to decryption. */
    s->session.version = SSL_VER_UNKNOWN;
    clear_address(&s->session.srv_addr);
    s->session.srv_ptype = PT_NONE;
    s->session.srv_port = 0;
    s->session.dtls13_current_epoch[0] = s->session.dtls13_current_epoch[1] = 0;
    s->session.dtls13_next_seq_num[0] = s->session.dtls13_next_seq_num[1] = 0;
    s->session.client_random.data_len = 0;
    s->session.client_random.data = s->session._client_random;
    memset(s->session.ech_confirmation, 0, sizeof(s->session.ech_confirmation));
    memset(s->session.hrr_ech_confirmation, 0, sizeof(s->session.hrr_ech_confirmation));
    memset(s->session.first_ech_auth_tag, 0, sizeof(s->session.first_ech_auth_tag));
    s->session.ech = false;
    s->session.hrr_ech_declined = false;
    s->session.first_ch_ech_frame = 0;
}

/* get ssl data for this session. if no ssl data is found allocate a new one
 *
 * @param conversation   Must be non-NULL (callers obtain it from
 *                       find_or_create_conversation()); unlike tls_get_session()
 *                       there is no NULL guard here.
 * @param tls_handle     Handle the session is created for; decides which
 *                       stream counter (TLS or DTLS) is incremented.
 * @param curr_layer_num Nesting level of TLS in this packet (map key).
 * @return the existing or newly created session, never NULL.
 */
SslDecryptSession *
ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle, uint8_t curr_layer_num)
{
    /* Note proto_ssl is tls for either the main tls_handle or the
     * tls13_handshake handle used by QUIC. */
    const int proto_ssl = dissector_handle_get_protocol_index(tls_handle);
    wmem_map_t *session_map = (wmem_map_t *)conversation_get_proto_data(conversation, proto_ssl);
    SslDecryptSession *ssl_session = NULL;

    /* For nested TLS support, we store a wmem map of sessions indexed by layer number.
     * Using wmem_file_scope ensures the map is freed when the capture file is closed,
     * preventing memory leaks on capture reload. */
    if (session_map == NULL) {
        /* Create a new wmem map to store sessions by layer number */
        session_map = wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal);
        conversation_add_proto_data(conversation, proto_ssl, session_map);
    } else {
        ssl_session = (SslDecryptSession *)wmem_map_lookup(session_map, GUINT_TO_POINTER((unsigned)curr_layer_num));
        if (ssl_session != NULL)
            return ssl_session;
    }

    /* no previous SSL conversation info for this layer, initialize it. */
    ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession);
    ssl_session_init_fields(ssl_session);

    /* We want to increment the stream count for the normal tls handle and
     * dtls handle, but presumably not for the tls13_handshake handle used
     * by QUIC (it has its own Follow Stream handling, and the QUIC stream
     * doesn't get sent to the TLS follow tap.)
     */
    if (tls_handle == base_tls_handle) {
        ssl_session->session.stream = tls_increment_stream_count();
    } else if (tls_handle == dtls_handle) {
        ssl_session->session.stream = dtls_increment_stream_count();
    }

    /* Store the session in the wmem map indexed by layer number */
    wmem_map_insert(session_map, GUINT_TO_POINTER((unsigned)curr_layer_num), ssl_session);

    return ssl_session;
}
6205
/* Forget the identifiers and secrets of one side of the connection and return
 * the state flags that must be cleared for that side. The split between client
 * and server exists in case the packets somehow got out of order. */
static int
ssl_reset_side_secrets(SslDecryptSession *ssl, bool is_client)
{
    int clear_flags = SSL_HAVE_SESSION_KEY | SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET;

    if (!is_client) {
        clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET | SSL_NEW_SESSION_TICKET;
        ssl->server_random.data_len = 0;
        ssl->pre_master_secret.data_len = 0;
#ifdef HAVE_LIBGNUTLS
        ssl->cert_key_id = NULL;
#endif
        ssl->has_psk = false;
        ssl->has_key_share = false;
        // There is no point in clearing the PSK when resetting the session,
        // we only store one global PSK in the prefs.
        //ssl->psk.data_len = 0;
        return clear_flags;
    }

    clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET;
    ssl->session_id.data_len = 0;
    ssl->session_ticket.data_len = 0;
    ssl->master_secret.data_len = 0;
    ssl->client_random.data_len = 0;
    ssl->has_early_data = false;
    if (ssl->handshake_data.data_len > 0) {
        // The EMS handshake hash starts with at the Client Hello,
        // ensure that any messages before it are forgotten.
        wmem_free(wmem_file_scope(), ssl->handshake_data.data);
        ssl->handshake_data.data = NULL;
        ssl->handshake_data.data_len = 0;
    }
    return clear_flags;
}

/*
 * Reset per-handshake state when a new Client Hello (is_client) or Server
 * Hello (!is_client) is seen, so that a renegotiation cannot restore secrets
 * through stale identifiers.
 *
 * @param session   Non-decryption session parameters; always reset.
 * @param ssl       Decryption state; may be NULL, in which case only
 *                  @p session is touched.
 * @param is_client Which side's state is being reset.
 */
void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool is_client)
{
    if (ssl != NULL) {
        /* Ensure that secrets are not restored using stale identifiers. */
        const int clear_flags = ssl_reset_side_secrets(ssl, is_client);

        if (ssl->state & clear_flags) {
            ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
                             G_STRFUNC, ssl->state & clear_flags, is_client ? "client" : "server");
            ssl->state &= ~clear_flags;
        }
    }

    /* These flags might be used for non-decryption purposes and may affect the
     * dissection, so reset them as well. */
    if (is_client) {
        session->client_cert_type = 0;
    } else {
        session->compression = 0;
        session->server_cert_type = 0;
        /* session->is_session_resumed is already handled in the ServerHello dissection. */
    }
    session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
    session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
}
6260
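/**
 * Register @p app_handle as the application-data dissector of the TLS session
 * that belongs to this conversation and TLS layer.
 *
 * @param tls_handle  Handle of the TLS dissector (the main "tls" handle or the
 *                    tls13_handshake handle used by QUIC); NULL when disabled.
 * @param pinfo       Packet info used to find or create the conversation.
 * @param app_handle  Dissector for the decrypted application data; NULL when
 *                    that dissector is disabled.
 */
void
tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
                          dissector_handle_t app_handle)
{
    conversation_t *conversation;
    SslSession *session;
    int proto;
    uint8_t curr_layer_num;

    /* Ignore if the TLS or other dissector is disabled. This must run before
     * tls_handle is used to look up its protocol index, otherwise a disabled
     * (NULL) handle is dereferenced and the guard below never helps. */
    if (!tls_handle || !app_handle)
        return;

    proto = dissector_handle_get_protocol_index(tls_handle);
    curr_layer_num = p_get_proto_depth(pinfo, proto);

    conversation = find_or_create_conversation(pinfo);
    session = &ssl_get_session(conversation, tls_handle, curr_layer_num)->session;
    session->app_handle = app_handle;
}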
6278
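/**
 * Switch a conversation to TLS starting after frame @p last_nontls_frame
 * (STARTTLS-style upgrade) and remember @p app_handle for the decrypted data.
 *
 * @param tls_handle        TLS dissector handle; NULL when the dissector is
 *                          disabled, in which case nothing happens.
 * @param pinfo             Packet info of the frame performing the switch.
 * @param app_handle        The caller's own dissector; must be non-NULL.
 * @param last_nontls_frame Number of the last clear-text frame.
 * @return 0 when the switch was applied (or TLS is disabled); otherwise the
 *         frame number recorded by an earlier switch, which is kept.
 */
static uint32_t
ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
             dissector_handle_t app_handle, uint32_t last_nontls_frame)
{
    conversation_t *conversation;
    SslSession *session;
    int proto;
    uint8_t curr_layer_num;

    /* Ignore if the TLS dissector is disabled. Checked before tls_handle is
     * used for anything, so a disabled (NULL) handle is never dereferenced. */
    if (!tls_handle)
        return 0;
    /* The caller should always pass a valid handle to its own dissector. */
    DISSECTOR_ASSERT(app_handle);

    proto = dissector_handle_get_protocol_index(tls_handle);
    curr_layer_num = p_get_proto_depth(pinfo, proto);

    conversation = find_or_create_conversation(pinfo);
    session = &ssl_get_session(conversation, tls_handle, curr_layer_num)->session;

    ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC,
                     session->last_nontls_frame,
                     (void *)session->app_handle,
                     dissector_handle_get_dissector_name(session->app_handle));
    ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC,
                     pinfo->num, (void *)app_handle,
                     dissector_handle_get_dissector_name(app_handle));

    /* Do not switch again if a dissector did it before. */
    if (session->last_nontls_frame) {
        ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC);
        return session->last_nontls_frame;
    }

    session->app_handle = app_handle;
    /* The TLS dissector should be called first for this conversation. */
    conversation_set_dissector(conversation, tls_handle);
    /* TLS starts after this frame. */
    session->last_nontls_frame = last_nontls_frame;
    return 0;
}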
6318
/* ssl_starttls_ack: mark future frames as encrypted. The current frame (the
 * one carrying the acknowledgement) is the last clear-text one. */
uint32_t
ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
                 dissector_handle_t app_handle)
{
    const uint32_t last_nontls_frame = pinfo->num;

    return ssl_starttls(tls_handle, pinfo, app_handle, last_nontls_frame);
}
6326
/* Like ssl_starttls_ack(), but the current frame is already TLS: the frame
 * before it is treated as the last clear-text one. */
uint32_t
ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
                      dissector_handle_t app_handle)
{
    const uint32_t last_nontls_frame = pinfo->num - 1;

    return ssl_starttls(tls_handle, pinfo, app_handle, last_nontls_frame);
}
6333
/* Resolve an application-data dissector by name for use over TLS. */
dissector_handle_t
ssl_find_appdata_dissector(const char *name)
{
    /* Accept 'http' for backwards compatibility and sanity. */
    const char *lookup_name = (strcmp(name, "http") == 0) ? "http-over-tls" : name;

    /* XXX - Should this check to see if the dissector is actually added for
     * Decode As in the appropriate table?
     */
    return find_dissector(lookup_name);
}
6345
6346/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
/* Hash-table key comparison for StringInfo keys: equal iff same length and
 * same bytes. Returns 1 for equal, 0 otherwise (GLib GEqualFunc contract). */
static int
ssl_equal (const void *v, const void *v2)
{
    const StringInfo *a = (const StringInfo *)v;
    const StringInfo *b = (const StringInfo *)v2;

    if (a->data_len != b->data_len)
        return 0;
    return memcmp(a->data, b->data, b->data_len) == 0 ? 1 : 0;
}
6361
/* Hash-table key hash for StringInfo keys: XOR of the data read as 'unsigned'
 * words. Note the loop condition: the offset starts at 4 and words are folded
 * while offset < data_len, so the final complete word (and any tail shorter
 * than a word) is never included; a 4-byte key hashes to 0. This only affects
 * hash quality, not lookups, since ssl_equal() decides equality. */
static unsigned
ssl_hash (const void *v)
{
    const StringInfo *id = (const StringInfo *)v;
    unsigned hash = 0;

    /* id and id->data are mallocated in ssl_save_master_key(). As such 'data'
     * should be aligned for any kind of access (for example as a unsigned as
     * is done below). The intermediate void* cast is to prevent "cast
     * increases required alignment of target type" warnings on CPUs (such
     * as SPARCs) that do not allow misaligned memory accesses.
     */
    const unsigned *words = (const unsigned *)(void *)id->data;

    unsigned offset = 4;
    while (offset < id->data_len) {
        hash ^= *words++;
        offset += 4;
    }

    return hash;
}
6384/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6385
6386/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
/*
 * Associate a clear-text protocol with a TLS/DTLS port: the sub-dissector is
 * added to @p dissector_table_name and the record-layer dissector to the
 * transport port tables. With port 0 the sub-dissector is only made available
 * for "Decode As".
 */
void
ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool tcp)
{
    DISSECTOR_ASSERT(main_handle);
    DISSECTOR_ASSERT(subdissector_handle);
    /* Registration is required for Export PDU feature to work properly. */
    DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),
                          "SSL appdata dissectors must register with register_dissector()!");
    ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);

    if (port == 0) {
        dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
        return;
    }

    const char *transport_table = tcp ? "tcp.port" : "udp.port";
    dissector_add_uint(dissector_table_name, port, subdissector_handle);
    dissector_add_uint(transport_table, port, main_handle);
    dissector_add_uint("sctp.port", port, main_handle);
}
6408
/*
 * Undo ssl_association_add(): drop the transport-port bindings of the TLS/DTLS
 * dissector (only when main_handle is given) and the port-to-subdissector
 * mapping in dissector_table_name (only when port is non-zero).
 */
void
ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool tcp)
{
    const char *transport_table = tcp ? "tcp.port" : "udp.port";

    ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
                     tcp ? "TCP" : "UDP", port, (void *)subdissector_handle);

    if (main_handle != NULL) {
        dissector_delete_uint(transport_table, port, main_handle);
        dissector_delete_uint("sctp.port", port, main_handle);
    }

    if (port == 0) {
        /* Decode As entries are not removed here. */
        return;
    }
    dissector_delete_uint(dissector_table_name, port, subdissector_handle);
}
6423
/*
 * Record which endpoint of the session is the server (address, port type and
 * port). The address is copied into wmem file scope so it outlives the packet.
 */
void
ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
{
    session->srv_ptype = ptype;
    session->srv_port = port;
    copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
}
6431
/*
 * Decide whether the packet in pinfo was sent by the server side.
 *
 * If the session already knows its server (set by ssl_set_server), the source
 * address/port type/port of the packet is compared against it. Otherwise the
 * source port is looked up in the given port table: a registered handle means
 * "from server". Returns non-zero when the packet comes from the server.
 */
int
ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
{
    int from_server;
    const bool server_known = session != NULL && session->srv_addr.type != AT_NONE;

    if (server_known) {
        from_server = session->srv_ptype == pinfo->ptype
                   && session->srv_port == pinfo->srcport
                   && addresses_equal(&session->srv_addr, &pinfo->src);
    } else {
        from_server = dissector_get_uint_handle(table, pinfo->srcport) != 0;
    }

    ssl_debug_printf("packet_from_server: is from server - %s\n", from_server ? "TRUE" : "FALSE");
    return from_server;
}
6447/* Handling of association between tls/dtls ports and clear text protocol. }}} */
6448
6449
6450/* Links SSL records with the real packet data. {{{ */
/*
 * Return the per-packet TLS info for (proto, curr_layer_num_ssl), creating and
 * attaching it to the packet (file scope) on first use. The ports are copied
 * from pinfo; the stream id is copied from the conversation's TLS session when
 * one exists (the QUIC TLS 1.3 handshake-only dissector has no session and
 * needs neither Follow nor Decode As information).
 */
SslPacketInfo *
tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
{
    SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
    if (pi != NULL) {
        return pi;
    }

    pi = wmem_new0(wmem_file_scope(), SslPacketInfo);
    pi->srcport = pinfo->srcport;
    pi->destport = pinfo->destport;

    conversation_t *conv = find_or_create_conversation_strat(pinfo);
    SslDecryptSession *ssl_session = tls_get_session(conv, proto, curr_layer_num_ssl);
    if (ssl_session != NULL) {
        pi->stream = ssl_session->session.stream;
    }

    p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
    return pi;
}
6472
/**
 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
 * avoid the need for a decoder in the second pass. Additionally, it remembers
 * sequence numbers (for reassembly and Follow TLS Stream).
 *
 * The plaintext is copied into wmem file scope and appended to the packet's
 * record list (tls_add_packet_info creates the list head on demand).
 *
 * @param proto The protocol identifier (proto_ssl or proto_dtls).
 * @param pinfo The packet where the record originates from.
 * @param plain_data Decrypted plaintext to store in the record.
 * @param plain_data_len Total length of the plaintext.
 * @param content_len Length of the plaintext section corresponding to the record content.
 * @param record_id The identifier for this record within the current packet.
 * @param flow Information about sequence numbers, etc.
 * @param type TLS Content Type (such as handshake or application_data).
 * @param curr_layer_num_ssl The layer identifier for this TLS session.
 * @param record_seq The record sequence number stored with the record.
 */
void
ssl_add_record_info(int proto, packet_info *pinfo,
                    const unsigned char *plain_data, int plain_data_len, int content_len,
                    int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl,
                    uint64_t record_seq)
{
    SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);

    ws_assert(content_len <= plain_data_len);

    SslRecordInfo *record = wmem_new(wmem_file_scope(), SslRecordInfo);
    record->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), plain_data, plain_data_len);
    record->plain_data_len = plain_data_len;
    record->content_len = content_len;
    record->id = record_id;
    record->type = type;
    record->record_seq = record_seq;
    record->next = NULL;

    /* Only application data advances the flow's byte sequence. */
    if (flow != NULL && type == SSL_ID_APP_DATA) {
        record->seq = flow->byte_seq;
        record->flow = flow;
        flow->byte_seq += content_len;
        ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
                         G_STRFUNC, record->seq, record->seq + content_len, (void*)flow);
    }

    /* Append to the tail of the packet's record list. */
    SslRecordInfo **tail = &pi->records;
    while (*tail != NULL) {
        tail = &(*tail)->next;
    }
    *tail = record;
}
6521
/*
 * Look up the decrypted record with the given id that ssl_add_record_info stored
 * for this packet. On a hit, *matched_record is set to the record and a new tvb
 * over its plaintext is returned (a child of parent_tvb, so it is released with
 * the frame). Returns NULL when the packet has no TLS info or no such record;
 * *matched_record is left untouched in that case.
 */
tvbuff_t*
ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
{
    SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
    if (pi == NULL) {
        return NULL;
    }

    SslRecordInfo *cursor = pi->records;
    while (cursor != NULL && cursor->id != record_id) {
        cursor = cursor->next;
    }
    if (cursor == NULL) {
        return NULL;
    }

    *matched_record = cursor;
    /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
    return tvb_new_child_real_data(parent_tvb, cursor->plain_data, cursor->plain_data_len, cursor->plain_data_len);
}
6542/* Links SSL records with the real packet data. }}} */
6543
6544/* initialize/reset per capture state data (ssl sessions cache). {{{ */
/*
 * Create the per-capture secret caches (all keyed by StringInfo via
 * ssl_hash/ssl_equal) and the two 32-byte scratch buffers. No key or value
 * destroy functions are registered, so ssl_common_cleanup only drops the
 * tables themselves.
 */
void
ssl_common_init(ssl_master_key_map_t *mk_map,
                StringInfo *decrypted_data, StringInfo *compressed_data)
{
    GHashTable **caches[] = {
        &mk_map->session,
        &mk_map->tickets,
        &mk_map->crandom,
        &mk_map->pre_master,
        &mk_map->pms,
        /* TLS 1.3 traffic/exporter secrets, keyed by Client Random. */
        &mk_map->tls13_client_early,
        &mk_map->tls13_client_handshake,
        &mk_map->tls13_server_handshake,
        &mk_map->tls13_client_appdata,
        &mk_map->tls13_server_appdata,
        &mk_map->tls13_early_exporter,
        &mk_map->tls13_exporter,
        /* ECH */
        &mk_map->ech_secret,
        &mk_map->ech_config,
        /* Client Randoms already seen in this capture. */
        &mk_map->used_crandom,
    };

    for (size_t i = 0; i < sizeof caches / sizeof caches[0]; i++) {
        *caches[i] = g_hash_table_new(ssl_hash, ssl_equal);
    }

    ssl_data_alloc(decrypted_data, 32);
    ssl_data_alloc(compressed_data, 32);
}
6570
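/**
 * Release everything ssl_common_init() set up: the (pre-)master secret and
 * TLS 1.3 secret caches, the ECH tables, the "used client random" set, the two
 * scratch buffers and the currently open keylog file.
 *
 * @param mk_map Cache whose hash tables are destroyed.
 * @param ssl_keylog_file Address of the keylog FILE pointer (must not be NULL);
 *        an open file is closed and the pointer reset to NULL.
 * @param decrypted_data Scratch buffer: data is freed and reset to NULL, data_len to 0.
 * @param compressed_data Same treatment as decrypted_data.
 */
void
ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
                   StringInfo *decrypted_data, StringInfo *compressed_data)
{
    GHashTable *caches[] = {
        mk_map->session,
        mk_map->tickets,
        mk_map->crandom,
        mk_map->pre_master,
        mk_map->pms,
        mk_map->tls13_client_early,
        mk_map->tls13_client_handshake,
        mk_map->tls13_server_handshake,
        mk_map->tls13_client_appdata,
        mk_map->tls13_server_appdata,
        mk_map->tls13_early_exporter,
        mk_map->tls13_exporter,
        mk_map->ech_secret,
        mk_map->ech_config,
        mk_map->used_crandom,
    };

    /* ssl_common_init() registers no key/value destroy functions, so only the
     * tables are released here; the cached StringInfo entries are presumably
     * wmem file-scoped and go away with the capture -- verify before relying on it. */
    for (size_t i = 0; i < sizeof caches / sizeof caches[0]; i++) {
        g_hash_table_destroy(caches[i]);
    }

    /* Reset the caller-owned StringInfos instead of leaving dangling pointers:
     * g_free(NULL) is a no-op, so a repeated cleanup or a use before the next
     * ssl_common_init() cannot turn into a double free or use-after-free. */
    g_free(decrypted_data->data);
    decrypted_data->data = NULL;
    decrypted_data->data_len = 0;
    g_free(compressed_data->data);
    compressed_data->data = NULL;
    compressed_data->data_len = 0;

    /* close the previous keylog file now that the cache are cleared, this
     * allows the cache to be filled with the full keylog file contents. */
    if (*ssl_keylog_file) {
        fclose(*ssl_keylog_file);
        *ssl_keylog_file = NULL;
    }
}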
6603/* }}} */
6604
6605/* parse ssl related preferences (private keys and ports association strings) */
6606#if defined(HAVE_LIBGNUTLS1)
6607/* Load a single RSA key file item from preferences. {{{ */
/*
 * Load one RSA private key entry from the preferences and register it.
 *
 * The key file is read as PEM when the password is empty, otherwise as
 * PKCS#12. The X.509 key is imported into a gnutls_privkey_t (with
 * GNUTLS_PRIVKEY_IMPORT_COPY, so the x509 key is always released at `end`),
 * its 20-byte key id is computed and the private key is stored in key_hash
 * under that id. On success key_hash owns both the id and the key; the locals
 * are cleared so the cleanup at `end` does not free them.
 *
 * If uats->protocol names a registered appdata dissector and uats->port is a
 * numeric port greater than 0, the port association is added as well.
 * "start_tls" is accepted silently as a non-numeric port value.
 *
 * NOTE(review): the port debug message below writes uats->password to the TLS
 * debug output. That output already receives key material (the key id via
 * ssl_print_data), so it must be handled as secret in any case.
 */
void
ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool tcp)
{
    gnutls_x509_privkey_t x509_priv_key = NULL;
    gnutls_privkey_t priv_key = NULL;
    unsigned char *key_id = NULL;
    size_t key_id_len = 20;
    char *err = NULL;
    int rc;

    /* try to load keys file first */
    FILE *keyfile_fp = ws_fopen(uats->keyfile, "rb");
    if (keyfile_fp == NULL) {
        report_open_failure(uats->keyfile, errno, false);
        return;
    }

    /* An empty password selects PEM, anything else selects PKCS#12. */
    if (uats->password[0] == '\0') {
        x509_priv_key = rsa_load_pem_key(keyfile_fp, &err);
    } else {
        x509_priv_key = rsa_load_pkcs12(keyfile_fp, uats->password, &err);
    }
    fclose(keyfile_fp);

    if (x509_priv_key == NULL) {
        if (err != NULL) {
            report_failure("Can't load private key from %s: %s",
                           uats->keyfile, err);
            g_free(err);
        } else {
            report_failure("Can't load private key from %s: unknown error",
                           uats->keyfile);
        }
        return;
    }
    if (err != NULL) {
        /* The loader produced a key but still reported a problem. */
        report_failure("Load of private key from %s \"succeeded\" with error %s",
                       uats->keyfile, err);
        g_free(err);
    }

    gnutls_privkey_init(&priv_key);
    rc = gnutls_privkey_import_x509(priv_key, x509_priv_key,
                                    GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
    if (rc < 0) {
        report_failure("Can't convert private key %s: %s",
                       uats->keyfile, gnutls_strerror(rc));
        goto end;
    }

    /* key_id_len is in/out: it must hold the buffer size going in and
     * receives the actual id length. */
    key_id = (unsigned char *) g_malloc0(key_id_len);
    rc = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
    if (rc < 0) {
        report_failure("Can't calculate public key ID for %s: %s",
                       uats->keyfile, gnutls_strerror(rc));
        goto end;
    }
    ssl_print_data("KeyID", key_id, key_id_len);
    if (key_id_len != 20) {
        report_failure("Expected Key ID size %u for %s, got %zu", 20,
                       uats->keyfile, key_id_len);
        goto end;
    }

    g_hash_table_replace(key_hash, key_id, priv_key);
    key_id = NULL;   /* used in key_hash, do not free. */
    priv_key = NULL; /* likewise owned by key_hash now. */
    ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);

    dissector_handle_t appdata_handle = ssl_find_appdata_dissector(uats->protocol);
    if (appdata_handle != NULL) {
        /* Port to subprotocol mapping */
        uint16_t port = 0;
        if (!ws_strtou16(uats->port, NULL, &port)) {
            if (strcmp(uats->port, "start_tls") != 0) {
                ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
            }
        } else if (port > 0) {
            ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
                             port, uats->keyfile, uats->password);

            ssl_association_add(dissector_table_name, main_handle, appdata_handle, port, tcp);
        }
    }

end:
    gnutls_x509_privkey_deinit(x509_priv_key);
    gnutls_privkey_deinit(priv_key);
    g_free(key_id);
}
6699/* }}} */
6700#endif
6701
6702
6703/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
/**
 * Store a known (pre-)master secret into the cache ht, keyed by key.
 *
 * Nothing is stored when either the key or the secret is empty. Both are
 * cloned with ssl_data_clone before insertion; label is only used in the
 * debug output.
 */
static void
ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
                    StringInfo *mk)
{
    if (key->data_len == 0) {
        ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC, label);
        return;
    }
    if (mk->data_len == 0) {
        ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
                         G_STRFUNC, label);
        return;
    }

    /* ssl_hash() depends on session_ticket->data being aligned for unsigned access
     * so be careful in changing how it is allocated. */
    StringInfo *stored_key = ssl_data_clone(key);
    StringInfo *stored_secret = ssl_data_clone(mk);
    g_hash_table_insert(ht, stored_key, stored_secret);

    ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC, label);
    ssl_print_string("stored key", stored_key);
    ssl_print_string("stored (pre-)master secret", stored_secret);
}
6732
/**
 * Restore a (pre-)master secret for ssl from the cache ht using key.
 *
 * On a hit the session's master/pre-master/session-key state bits are cleared
 * and the found secret is installed: a pre-master secret is copied into a
 * freshly allocated file-scope buffer (its size varies: 48 for RSA, other
 * sizes for PSK), a master secret is copied into the fixed-size field.
 * Returns true when a secret was installed, false on an empty key or a miss.
 */
static bool
ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
                       bool is_pre_master, GHashTable *ht, StringInfo *key)
{
    const char *kind_prefix = is_pre_master ? "pre-" : "";

    if (key->data_len == 0) {
        ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
                         G_STRFUNC, kind_prefix, label);
        return false;
    }

    StringInfo *found = (StringInfo *)g_hash_table_lookup(ht, key);
    if (found == NULL) {
        ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC,
                         kind_prefix, label);
        return false;
    }

    /* (pre)master secret found, clear knowledge of other keys and set it in the
     * current conversation */
    ssl->state &= ~(SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET | SSL_HAVE_SESSION_KEY);
    if (is_pre_master) {
        /* unlike master secret, pre-master secret has a variable size (48 for
         * RSA, varying for PSK) and is therefore not statically allocated */
        ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
                                                                   found->data_len);
        ssl_data_set(&ssl->pre_master_secret, found->data, found->data_len);
        ssl->state |= SSL_PRE_MASTER_SECRET;
    } else {
        ssl_data_set(&ssl->master_secret, found->data, found->data_len);
        ssl->state |= SSL_MASTER_SECRET;
    }

    ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC,
                     kind_prefix, label);
    ssl_print_string(label, key);
    ssl_print_string("(pre-)master secret", found);
    return true;
}
6774/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6775
/* Should be called when all parameters are ready (after ChangeCipherSpec), and
 * the decoder should be attempted to be initialized. {{{
 *
 * Pre-TLS 1.3 only (TLS 1.3 secrets arrive through tls13_change_key). Needs
 * the cipher suite; if no (pre-)master secret is known yet, the caches are
 * tried in order: Session ID, Session Ticket (only for resumed sessions), then
 * Client Random. Without a secret only a NULL cipher continues. After the key
 * material is generated the master secret is cached under Client Random,
 * Session ID and, if the server issued one, the Session Ticket. */
void
ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
{
    if (ssl->session.version == TLSV1DOT3_VERSION) {
        /* TLS 1.3 implementations only provide secrets derived from the master
         * secret which are loaded in tls13_change_key. No master secrets can be
         * loaded here, so just return. */
        return;
    }
    ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC, ssl->state);
    if (ssl->state & SSL_HAVE_SESSION_KEY) {
        ssl_debug_printf(" session key already available, nothing to do.\n");
        return;
    }
    if (!(ssl->state & SSL_CIPHER)) {
        ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
        return;
    }

    /* for decryption, there needs to be a master secret (which can be derived
     * from pre-master secret). If missing, try to pick a master key from cache
     * (an earlier packet in the capture or key logfile). Each lookup is only
     * attempted while nothing has been found so far. */
    bool have_secret = (ssl->state & (SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET)) != 0;
    if (!have_secret) {
        have_secret = ssl_restore_master_key(ssl, "Session ID", false,
                                             mk_map->session, &ssl->session_id);
    }
    if (!have_secret && ssl->session.is_session_resumed) {
        have_secret = ssl_restore_master_key(ssl, "Session Ticket", false,
                                             mk_map->tickets, &ssl->session_ticket);
    }
    if (!have_secret) {
        have_secret = ssl_restore_master_key(ssl, "Client Random", false,
                                             mk_map->crandom, &ssl->client_random);
    }
    if (!have_secret) {
        if (ssl->cipher_suite->enc != ENC_NULL) {
            /* how unfortunate, the master secret could not be found */
            ssl_debug_printf(" Cannot find master secret\n");
            return;
        }
        ssl_debug_printf(" Cannot find master secret, continuing anyway "
                         "because of a NULL cipher\n");
    }

    if (ssl_generate_keyring_material(ssl) < 0) {
        ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC);
        return;
    }

    /* Save Client Random/ Session ID for "SSL Export Session keys" */
    ssl_save_master_key("Client Random", mk_map->crandom,
                        &ssl->client_random, &ssl->master_secret);
    ssl_save_master_key("Session ID", mk_map->session,
                        &ssl->session_id, &ssl->master_secret);
    /* Only save the new secrets if the server sent the ticket. The client
     * ticket might have become stale. */
    if (ssl->state & SSL_NEW_SESSION_TICKET) {
        ssl_save_master_key("Session Ticket", mk_map->tickets,
                            &ssl->session_ticket, &ssl->master_secret);
    }
} /* }}} */
6834
/*
 * Derive a TLS 1.3 traffic secret from an out-of-band PSK (tls->psk).
 *
 * Follows the RFC 8446 key schedule without (EC)DHE: the Early Secret is
 * extracted from the PSK; one "derived"+Extract round yields the Handshake
 * Secret, a second one the Master Secret. The requested traffic secret is then
 * derived with the transcript hash in tls->handshake_data. Returns a file-scoped
 * StringInfo holding the secret, or NULL when no PSK is set, the digest is
 * unknown or a derivation step fails.
 *
 * NOTE(review): the intermediate key material in prk and derived_secret is not
 * scrubbed before it goes out of scope or is freed.
 */
static StringInfo*
tls13_load_secret_from_psk(SslDecryptSession *tls, bool is_from_server,
                           TLSRecordType type)
{
    /* XXX - In addition to an out-of-bound PSK, we could also save the
     * PSK from a NewSessionTicket; we would also need to compute the
     * resumption_master_secret. */
    if (tls->psk.data_len == 0) {
        return NULL;
    }

    const SslDigestAlgo *dig = ssl_cipher_suite_dig(tls->cipher_suite);
    int hash_algo = ssl_get_digest_by_name(dig->name);
    if (!hash_algo) {
        ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC, dig->name);
        return NULL;
    }

    /* Number of "derived"+Extract rounds needed before the final label:
     * 0 for early data (Early Secret), 1 for handshake (Handshake Secret),
     * 2 for application data (Master Secret). */
    unsigned extract_rounds;
    const char *label;
    if (type == TLS_SECRET_0RTT_APP) {
        DISSECTOR_ASSERT(!is_from_server);
        extract_rounds = 0;
        label = "c e traffic";
    } else if (type == TLS_SECRET_HANDSHAKE) {
        extract_rounds = 1;
        label = is_from_server ? "s hs traffic" : "c hs traffic";
    } else {
        extract_rounds = 2;
        label = is_from_server ? "s ap traffic" : "c ap traffic";
    }

    uint8_t zeroes[DIGEST_MAX_SIZE];
    memset(zeroes, 0, dig->len);

    /* prk is re-used to hold the Pseudo Random Key of each epoch. */
    uint8_t prk[DIGEST_MAX_SIZE];
    StringInfo prk_string = { prk, dig->len };
    uint8_t *derived_secret = NULL;

    /* PRK = Early Secret */
    hkdf_extract(hash_algo, zeroes, dig->len, tls->psk.data, tls->psk.data_len, prk);

    /* PRK = Handshake Secret, then Master Secret [assume no (EC)DHE.] */
    for (unsigned round = 0; round < extract_rounds; round++) {
        if (!tls13_derive_secret(hash_algo, &prk_string, tls13_hkdf_label_prefix(tls),
                                 "derived", NULL, 0, dig->len, &derived_secret)) {
            return NULL;
        }
        hkdf_extract(hash_algo, derived_secret, dig->len, zeroes, dig->len, prk);
        wmem_free(NULL, derived_secret);
    }

    if (!tls13_derive_secret(hash_algo, &prk_string,
                             tls13_hkdf_label_prefix(tls), label,
                             tls->handshake_data.data, tls->handshake_data.data_len,
                             dig->len, &derived_secret)) {
        return NULL;
    }

    StringInfo *secret = wmem_new(wmem_file_scope(), StringInfo);
    secret->data = wmem_memdup(wmem_file_scope(), derived_secret, dig->len);
    secret->data_len = dig->len;
    wmem_free(NULL, derived_secret);
    return secret;
}
6906
/* Load the traffic key secret from the keylog file.
 *
 * Picks the cache and keylog label for (type, is_from_server), clears the
 * session's key state bits, and looks the secret up by Client Random. On a
 * miss it is derived from an out-of-band PSK when possible and then cached
 * (so it can be exported as a DSB). When nothing is found, the decoder for
 * that direction is disabled and NULL is returned. Only TLS 1.3 and DTLS 1.3
 * sessions with a known Client Random are handled. */
StringInfo *
tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
                  bool is_from_server, TLSRecordType type)
{
    if (ssl->session.version != TLSV1DOT3_VERSION && ssl->session.version != DTLSV1DOT3_VERSION) {
        ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC, ssl->session.version);
        return NULL;
    }

    if (ssl->client_random.data_len == 0) {
        /* May happen if Hello message is missing and Finished is found. */
        ssl_debug_printf("%s missing Client Random\n", G_STRFUNC);
        return NULL;
    }

    GHashTable *key_map = NULL;
    const char *label = NULL;
    switch (type) {
    case TLS_SECRET_0RTT_APP:
        DISSECTOR_ASSERT(!is_from_server);
        label = "CLIENT_EARLY_TRAFFIC_SECRET";
        key_map = mk_map->tls13_client_early;
        break;
    case TLS_SECRET_HANDSHAKE:
        label = is_from_server ? "SERVER_HANDSHAKE_TRAFFIC_SECRET"
                               : "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
        key_map = is_from_server ? mk_map->tls13_server_handshake
                                 : mk_map->tls13_client_handshake;
        break;
    case TLS_SECRET_APP:
        label = is_from_server ? "SERVER_TRAFFIC_SECRET_0"
                               : "CLIENT_TRAFFIC_SECRET_0";
        key_map = is_from_server ? mk_map->tls13_server_appdata
                                 : mk_map->tls13_client_appdata;
        break;
    default:
        ws_assert_not_reached();
    }

    /* Transitioning to new keys, mark old ones as unusable. */
    ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC, ssl->state);
    ssl->state &= ~(SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET | SSL_HAVE_SESSION_KEY);

    StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
    if (secret == NULL) {
        secret = tls13_load_secret_from_psk(ssl, is_from_server, type);
        if (secret != NULL) {
            ssl_debug_printf("%s Calculated TLS 1.3 traffic secret from PSK.\n", G_STRFUNC);
            /* Doing this allows us to save the secret as a DSB in a pcapng. */
            g_hash_table_insert(key_map, ssl_data_clone(&ssl->client_random), secret);
        }
    }
    if (secret == NULL) {
        ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC, label);
        /* Disable decryption, the keys are invalid. */
        if (is_from_server) {
            ssl->server = NULL;
        } else {
            ssl->client = NULL;
        }
        return NULL;
    }

    /* TLS 1.3 secret found, set new keys. */
    ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC);
    ssl_print_string("Client Random", &ssl->client_random);
    ssl_print_string(label, secret);
    return secret;
}
6984
/* Load the new key.
 *
 * Fetches the traffic secret for (type, is_from_server) and installs the
 * derived keys on that direction's decoder. Nothing happens for QUIC, which
 * pulls its keys itself. If the handshake secret is unavailable, the
 * application traffic secret is tried instead (see the workaround below).
 * The application traffic secret is kept on the decoder for Key Update; other
 * secrets are not usable for that and are dropped. */
void
tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
                 bool is_from_server, TLSRecordType type)
{
    if (ssl->state & SSL_QUIC_RECORD_LAYER) {
        /*
         * QUIC does not use the TLS record layer for message protection.
         * The required keys will be extracted later by QUIC.
         */
        return;
    }

    StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
    if (secret == NULL && type == TLS_SECRET_HANDSHAKE) {
        /*
         * Workaround for when for some reason we don't have the handshake
         * secret but do have the application traffic secret. (#20240)
         * If we can't find the handshake secret, we'll never decrypt the
         * Finished message, so we won't know when to change to the app
         * traffic key, so we do so now.
         */
        type = TLS_SECRET_APP;
        secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
    }
    if (secret == NULL) {
        return;
    }

    if (!tls13_generate_keys(ssl, secret, is_from_server)) {
        return;
    }

    /*
     * Remember the application traffic secret to support Key Update. The
     * other secrets cannot be used for this purpose, so free them.
     */
    SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
    StringInfo *app_secret = &decoder->app_traffic_secret;
    if (type != TLS_SECRET_APP) {
        wmem_free(wmem_file_scope(), app_secret->data);
        app_secret->data = NULL;
        app_secret->data_len = 0;
        return;
    }
    app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
                                                      app_secret->data,
                                                      secret->data_len);
    ssl_data_set(app_secret, secret->data, secret->data_len);
}
7036
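/**
 * Update to next application data traffic secret for TLS 1.3. The previous
 * secret should have been set by tls13_change_key.
 *
 * Expands the current application traffic secret of the given direction into
 * the next one, generates the new keys and, on success, stores the new secret
 * on the (possibly new) decoder so a further Key Update can follow. Requires
 * a cipher suite, a decoder and a non-empty previous secret, and a digest that
 * ssl_get_digest_by_name knows; otherwise the update is skipped.
 */
void
tls13_key_update(SslDecryptSession *ssl, bool is_from_server)
{
    /* RFC 8446 Section 7.2:
     * application_traffic_secret_N+1 =
     *                     HKDF-Expand-Label(application_traffic_secret_N,
     *                                       "traffic upd", "", Hash.length)
     *
     * Both application_traffic_secret_N are of the same length (Hash.length).
     */
    const SslCipherSuite *cipher_suite = ssl->cipher_suite;
    SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
    StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL;
    uint8_t tls13_draft_version = ssl->session.tls13_draft_version;

    if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
        ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC);
        return;
    }

    /*
     * Previous traffic secret is available, so find the hash function,
     * expand the new traffic secret and generate new keys.
     */
    const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
    int hash_algo = ssl_get_digest_by_name(hash_name);
    if (!hash_algo) {
        /* Same guard as tls13_load_secret_from_psk: do not expand with an
         * unknown digest. */
        ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC, hash_name);
        return;
    }
    const unsigned hash_len = app_secret->data_len;
    unsigned char *new_secret;
    /* Drafts before 20 used a different label for the update. */
    const char *label = "traffic upd";
    if (tls13_draft_version && tls13_draft_version < 20) {
        label = "application traffic secret";
    }
    if (!tls13_hkdf_expand_label(hash_algo, app_secret,
                                 tls13_hkdf_label_prefix(ssl),
                                 label, hash_len, &new_secret)) {
        ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC);
        return;
    }
    ssl_data_set(app_secret, new_secret, hash_len);
    if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
        /*
         * Remember the application traffic secret on the new decoder to
         * support another Key Update.
         */
        decoder = is_from_server ? ssl->server : ssl->client;
        app_secret = &decoder->app_traffic_secret;
        app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
                                                          app_secret->data,
                                                          hash_len);
        ssl_data_set(app_secret, new_secret, hash_len);
    }
    wmem_free(NULL, new_secret);
}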
7094
/*
 * Remember that this session's Client Random has been seen in the capture,
 * provided the session exists and the Client Random is known. The value is
 * cloned into mk_map->used_crandom, which is used as a set.
 */
void
tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
{
    if (ssl == NULL) {
        return;
    }
    if (!(ssl->state & SSL_CLIENT_RANDOM)) {
        return;
    }
    g_hash_table_add(mk_map->used_crandom, ssl_data_clone(&ssl->client_random));
}
7102
7103/** SSL keylog file handling. {{{ */
7104
/*
 * Return the compiled (and cached) regex that recognises one keylog line.
 * Every alternative has a key group (client random, session id, ...) and a
 * value group; the named groups are mapped to caches by the caller. The regex
 * is anchored and compiled once; on a compile failure NULL is returned and
 * the next call tries again.
 */
static GRegex *
ssl_compile_keyfile_regex(void)
{
    static GRegex *cached_regex = NULL;
#define OCTET "(?:[[:xdigit:]]{2})"
    static const char pattern[] =
        "(?:"
        /* Matches Client Hellos having this Client Random */
        "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
        /* Matches first part of encrypted RSA pre-master secret */
        "|RSA (?<encrypted_pmk>" OCTET "{8}) "
        /* Pre-Master-Secret is given, it is 48 bytes for RSA,
           but it can be of any length for DHE */
        ")(?<pms>" OCTET "+)"
        "|(?:"
        /* Matches Server Hellos having a Session ID */
        "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
        /* Matches Client Hellos having this Client Random */
        "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
        /* Master-Secret is given, its length is fixed */
        ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH) "})"
        "|(?"
        /* TLS 1.3 Client Random to Derived Secrets mapping. */
        ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
        "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
        "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
        "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
        "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
        "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
        "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
        /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
        /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
        "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
        "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
        ") (?<derived_secret>" OCTET "+)";
#undef OCTET

    if (cached_regex != NULL) {
        return cached_regex;
    }

    GError *compile_error = NULL;
    cached_regex = g_regex_new(pattern,
                               (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
                               G_REGEX_MATCH_ANCHORED, &compile_error);
    if (compile_error != NULL) {
        ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC,
                         compile_error->message);
        g_error_free(compile_error);
        cached_regex = NULL;
    }
    return cached_regex;
}
7157
/* Pairs a named capture group of the keylog regex (ssl_compile_keyfile_regex)
 * with the cache that receives the secrets matched by that group. */
7158typedef struct ssl_master_key_match_group {
7159 const char *re_group_name; /* named group in the keylog regex, e.g. "client_random" */
7160 GHashTable *master_key_ht; /* destination table taken from ssl_master_key_map_t */
7161} ssl_master_key_match_group_t;
7162
/**
 * Parse keylog records from a memory buffer and store each recognized secret
 * in the matching table of mk_map.
 *
 * @param mk_map  Destination tables. The key and value StringInfo objects
 *                inserted here are allocated in file scope and handed to the
 *                GHashTable; nothing in this function frees them.
 * @param data    Zero or more LF- or CRLF-terminated lines; need not be
 *                NUL-terminated (the last line may lack a terminator).
 * @param datalen Number of bytes in data.
 *
 * Every line is matched against the anchored regex as a whole; a line that is
 * not a complete record is skipped (and logged unless it starts with '#'),
 * it is never an error. NOTE(review): the full line, secret included, is
 * written to the SSL debug log below, so that log must be treated as key
 * material.
 */
7163void
7164tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
7165{
 /* Regex group name -> table, in the order the groups are tried below. */
7166 ssl_master_key_match_group_t mk_groups[] = {
7167 { "encrypted_pmk", mk_map->pre_master },
7168 { "session_id", mk_map->session },
7169 { "client_random", mk_map->crandom },
7170 { "client_random_pms", mk_map->pms },
7171 /* TLS 1.3 map from Client Random to derived secret. */
7172 { "client_early", mk_map->tls13_client_early },
7173 { "client_handshake", mk_map->tls13_client_handshake },
7174 { "server_handshake", mk_map->tls13_server_handshake },
7175 { "client_appdata", mk_map->tls13_client_appdata },
7176 { "server_appdata", mk_map->tls13_server_appdata },
7177 { "early_exporter", mk_map->tls13_early_exporter },
7178 { "exporter", mk_map->tls13_exporter },
7179 { "ech_secret", mk_map->ech_secret },
7180 { "ech_config", mk_map->ech_config },
7181 };
7182
7183 /* The format of the file is a series of records with one of the following formats:
7184 * - "RSA xxxx yyyy"
7185 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
7186 * Where yyyy is the cleartext pre-master secret (hex-encoded)
7187 * (this is the original format introduced with bug 4349)
7188 *
7189 * - "RSA Session-ID:xxxx Master-Key:yyyy"
7190 * Where xxxx is the SSL session ID (hex-encoded)
7191 * Where yyyy is the cleartext master secret (hex-encoded)
7192 * (added to support openssl s_client Master-Key output)
7193 * This is somewhat of a misnomer because there's nothing RSA specific
7194 * about this.
7195 *
7196 * - "PMS_CLIENT_RANDOM xxxx yyyy"
7197 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7198 * Where yyyy is the cleartext pre-master secret (hex-encoded)
7199 * (This format allows SSL connections to be decrypted, if a user can
7200 * capture the PMS but could not recover the MS for a specific session
7201 * with a SSL Server.)
7202 *
7203 * - "CLIENT_RANDOM xxxx yyyy"
7204 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7205 * Where yyyy is the cleartext master secret (hex-encoded)
7206 * (This format allows non-RSA SSL connections to be decrypted, i.e.
7207 * ECDHE-RSA.)
7208 *
7209 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
7210 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7211 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7212 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
7213 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
7214 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
7215 * - "EXPORTER_SECRET xxxx yyyy"
7216 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7217 * Where yyyy is the secret (hex-encoded) derived from the early,
7218 * handshake or master secrets. (This format is introduced with TLS 1.3
7219 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
 *
 * The "ECH_SECRET" / "ECH_CONFIG" labels handled by the regex are not
 * listed above; they map to mk_map->ech_secret / ech_config.
7220 */
7221 GRegex *regex = ssl_compile_keyfile_regex();
7222 if (!regex)
7223 return;
7224
 /* Split the buffer on '\n' by hand: data is not NUL-terminated. */
7225 const char *next_line = (const char *)data;
7226 const char *line_end = next_line + datalen;
7227 while (next_line && next_line < line_end) {
7228 const char *line = next_line;
7229 next_line = (const char *)memchr(line, '\n', line_end - line);
7230 ssize_t linelen;
7231
7232 if (next_line) {
7233 linelen = next_line - line;
7234 next_line++; /* drop LF */
7235 } else {
7236 linelen = (ssize_t)(line_end - line);
7237 }
7238 if (linelen > 0 && line[linelen - 1] == '\r') {
7239 linelen--; /* drop CR */
7240 }
7241
 /* Logs the secret in clear; see the function comment. */
7242 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
7243 GMatchInfo *mi;
 /* Anchored at both ends: the whole line must be one record. */
7244 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {
7245 char *hex_key, *hex_pre_ms_or_ms;
 /* key is only filled in by from_hex() once a group matches below;
 * the DISSECTOR_ASSERT(ht) guarantees that happened before use. */
7246 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)))
;
7247 StringInfo *pre_ms_or_ms = NULL((void*)0);
7248 GHashTable *ht = NULL((void*)0);
7249
7250 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
7251 * otherwise we will use the Master Secret
7252 */
 /* Try the secret groups in order: master_secret, pms, derived_secret.
 * g_match_info_fetch_named returns an allocated (possibly empty)
 * string for groups that did not participate, hence the g_free. */
7253 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
7254 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7255 g_free(hex_pre_ms_or_ms)(__builtin_object_size ((hex_pre_ms_or_ms), 0) != ((size_t) -
1)) ? g_free_sized (hex_pre_ms_or_ms, __builtin_object_size (
(hex_pre_ms_or_ms), 0)) : (g_free) (hex_pre_ms_or_ms)
;
7256 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
7257 }
7258 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7259 g_free(hex_pre_ms_or_ms)(__builtin_object_size ((hex_pre_ms_or_ms), 0) != ((size_t) -
1)) ? g_free_sized (hex_pre_ms_or_ms, __builtin_object_size (
(hex_pre_ms_or_ms), 0)) : (g_free) (hex_pre_ms_or_ms)
;
7260 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
7261 }
7262 /* There is always a match, otherwise the regex is wrong. */
7263 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7263, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))))
;
7264
7265 /* convert from hex to bytes and save to hashtable */
7266 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)))
;
7267 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
7268 g_free(hex_pre_ms_or_ms)(__builtin_object_size ((hex_pre_ms_or_ms), 0) != ((size_t) -
1)) ? g_free_sized (hex_pre_ms_or_ms, __builtin_object_size (
(hex_pre_ms_or_ms), 0)) : (g_free) (hex_pre_ms_or_ms)
;
7269
7270 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
 /* Exactly one of the key groups participates in a match; the first
 * non-empty one selects the destination table. */
7271 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {
7272 ssl_master_key_match_group_t *g = &mk_groups[i];
7273 hex_key = g_match_info_fetch_named(mi, g->re_group_name);
7274 if (hex_key && *hex_key) {
7275 ssl_debug_printf(" matched %s\n", g->re_group_name);
7276 ht = g->master_key_ht;
7277 from_hex(key, hex_key, strlen(hex_key));
7278 g_free(hex_key)(__builtin_object_size ((hex_key), 0) != ((size_t) - 1)) ? g_free_sized
(hex_key, __builtin_object_size ((hex_key), 0)) : (g_free) (
hex_key)
;
7279 break;
7280 }
7281 g_free(hex_key)(__builtin_object_size ((hex_key), 0) != ((size_t) - 1)) ? g_free_sized
(hex_key, __builtin_object_size ((hex_key), 0)) : (g_free) (
hex_key)
;
7282 }
7283 DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7283, "ht"))))
; /* Cannot be reached, or regex is wrong. */
7284
 /* Ownership of key and pre_ms_or_ms passes to the table. What happens
 * to a previous entry with an equal key depends on the table's
 * key/value destroy functions, which are set up elsewhere. */
7285 g_hash_table_insert(ht, key, pre_ms_or_ms);
7286
7287 } else if (linelen > 0 && line[0] != '#') {
7288 ssl_debug_printf(" unrecognized line\n");
7289 }
7290 /* always free match info even if there is no match. */
7291 g_match_info_free(mi);
7292 }
7293}
7294
/**
 * Read the (D)TLS keylog file and feed its lines to tls_keylog_process_lines.
 *
 * @param tls_keylog_filename Path from the keylog_file preference; empty or
 *                            NULL means "not configured" and nothing is done.
 * @param keylog_file         In/out: the FILE kept open across calls so that
 *                            a later call continues from the current read
 *                            position and only picks up lines appended since.
 *                            Set to NULL here when the file is closed.
 * @param mk_map              Tables that receive the secrets.
 *
 * NOTE(review): lines are read into a fixed 1110-byte buffer. fgets() returns
 * at most sizeof(buf)-1 bytes per call, so a longer line reaches
 * tls_keylog_process_lines in several pieces, each treated as a line of its
 * own. The regex has no upper bound on the ECH_CONFIG value, so confirm the
 * buffer is large enough for the keylog formats in use; a record cut at the
 * boundary could be matched with a truncated secret. The same applies to a
 * partially written last line when the file is read while it is appended.
 */
7295void
7296ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
7297 const ssl_master_key_map_t *mk_map)
7298{
7299 /* no need to try if no key log file is configured. */
7300 if (!tls_keylog_filename || !*tls_keylog_filename) {
7301 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
7302 G_STRFUNC((const char*) (__func__)));
7303 return;
7304 }
7305
7306 /* Validate regexes before even trying to use it. */
7307 if (!ssl_compile_keyfile_regex()) {
7308 return;
7309 }
7310
7311 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);
7312
7313 /* if the keylog file was deleted/overwritten, re-open it */
 /* Compares the open descriptor with the path; a replaced file is
 * re-opened from the start so its records are not missed. */
7314 if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {
7315 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));
7316 fclose(*keylog_file);
7317 *keylog_file = NULL((void*)0);
7318 }
7319
7320 if (*keylog_file == NULL((void*)0)) {
7321 *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");
7322 if (!*keylog_file) {
7323 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));
7324 return;
7325 }
7326 }
7327
 /* Consume everything from the current position up to EOF. */
7328 for (;;) {
7329 char buf[1110], *line;
7330 line = fgets(buf, sizeof(buf), *keylog_file);
7331 if (!line) {
7332 if (feof(*keylog_file)) {
7333 /* Ensure that newly appended keys can be read in the future. */
7334 clearerr(*keylog_file);
7335 } else if (ferror(*keylog_file)) {
7336 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));
7337 fclose(*keylog_file);
7338 *keylog_file = NULL((void*)0);
7339 }
7340 break;
7341 }
 /* One fgets() result per call; see the buffer-size note above. */
7342 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
7343 }
7344}
7345/** SSL keylog file handling. }}} */
7346
7347#ifdef SSL_DECRYPT_DEBUG /* {{{ */
7348
/* Destination of ssl_debug_printf()/ssl_print_data(); NULL disables logging.
 * Managed by ssl_set_debug(). Note that keylog lines and other key material
 * are written here, so the file is as sensitive as the keylog itself. */
7349static FILE* ssl_debug_file;
7350
/**
 * Select where SSL debug output goes.
 *
 * @param name  SSL_DEBUG_USE_STDERR for stderr, NULL or "" to disable
 *              logging, anything else is opened as a file with "w" (an
 *              existing file at that path is truncated).
 *
 * A file opened by a previous call is closed first; stderr never is. Because
 * the log receives keylog records and decrypted material, treat it as
 * sensitive as the keylog file.
 */
void
ssl_set_debug(const char* name)
{
    /* Whether ssl_debug_file is a stream this function opened and therefore
     * has to fclose() on the next call. */
    static int owns_stream;
    const int to_stderr = (name != NULL) && (strcmp(name, SSL_DEBUG_USE_STDERR) == 0);

    if (owns_stream) {
        fclose(ssl_debug_file);
    }

    if (to_stderr) {
        ssl_debug_file = stderr;
    } else if (name == NULL || name[0] == '\0') {
        ssl_debug_file = NULL;
    } else {
        ssl_debug_file = ws_fopen(name, "w");
    }

    /* Only a successfully opened regular file is ours to close. */
    owns_stream = (!to_stderr && ssl_debug_file != NULL) ? 1 : 0;

    ssl_debug_printf("Wireshark SSL debug log \n\n");
#ifdef HAVE_LIBGNUTLS
    ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL));
#endif
    ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL));
    ssl_debug_printf("\n");
}
7381
/** Flush pending SSL debug output; a no-op while logging is disabled. */
void
ssl_debug_flush(void)
{
    FILE *out = ssl_debug_file;

    if (out == NULL) {
        return;
    }
    fflush(out);
}
7388
/**
 * printf-style write to the SSL debug log; silently dropped when no log is
 * configured.
 *
 * @param fmt  A trusted printf format string. Callers pass literals; never
 *             pass packet- or file-derived text as fmt (use "%s" for it).
 */
void
ssl_debug_printf(const char* fmt, ...)
{
    va_list args;

    if (ssl_debug_file == NULL) {
        return;
    }

    va_start(args, fmt);
    vfprintf(ssl_debug_file, fmt, args);
    va_end(args);
}
7401
/**
 * Hex/ASCII dump of a byte buffer to the SSL debug log, 16 bytes per row.
 *
 * @param name  Label printed on the header line as "name[len]:".
 * @param data  Bytes to dump (typically key material or plaintext).
 * @param len   Number of bytes; cast to int for the header, which is fine
 *              for the sizes logged here but would misprint above INT_MAX.
 *
 * Does nothing when logging is disabled.
 */
7402void
7403ssl_print_data(const char* name, const unsigned char* data, size_t len)
7404{
7405 size_t i, j, k;
7406 if (!ssl_debug_file)
7407 return;
7408 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
7409 for (i=0; i<len; i+=16) {
7410 fprintf(ssl_debug_file,"| ");
 /* hex column, padded for a short final row so the ASCII column lines up */
7411 for (j=i, k=0; k<16 && j<len; ++j, ++k)
7412 fprintf(ssl_debug_file,"%.2x ",data[j]);
7413 for (; k<16; ++k)
7414 fprintf(ssl_debug_file," ");
7415 fputc('|', ssl_debug_file);
 /* ASCII column: non-printable bytes (tab included) are shown as '.' */
7416 for (j=i, k=0; k<16 && j<len; ++j, ++k) {
7417 unsigned char c = data[j];
7418 if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';
7419 fputc(c, ssl_debug_file);
7420 }
7421 for (; k<16; ++k)
7422 fputc(' ', ssl_debug_file);
7423 fprintf(ssl_debug_file,"|\n");
7424 }
7425}
7426
/** Dump a StringInfo (data + data_len) through ssl_print_data(). */
void
ssl_print_string(const char* name, const StringInfo* data)
{
    const unsigned char *bytes = data->data;
    size_t count = data->data_len;

    ssl_print_data(name, bytes, count);
}
7432#endif /* SSL_DECRYPT_DEBUG }}} */
7433
7434/* UAT preferences callbacks. {{{ */
7435/* checks for SSL and DTLS UAT key list fields */
7436
/**
 * UAT validator for the IP address column of the RSA keys table.
 * Any value (including an empty one) is accepted: the column is kept only
 * for compatibility until it is retired in favour of Decode As.
 */
bool
ssldecrypt_uat_fld_ip_chk_cb(void* r _U_, const char* p _U_, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, char** err)
{
    *err = NULL;   /* never an error */
    return true;
}
7444
/**
 * UAT validator for the port column of the RSA keys table.
 *
 * Accepts an empty value (Decode As is the preferred mechanism), the literal
 * "start_tls", or anything ws_strtou16() parses as a 16-bit port. On
 * rejection *err is set to a g_strdup'ed message the UAT code frees.
 */
bool
ssldecrypt_uat_fld_port_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, char** err)
{
    uint16_t port;

    *err = NULL;

    if (p == NULL || *p == '\0') {
        return true;
    }
    if (strcmp(p, "start_tls") == 0) {
        return true;
    }
    if (ws_strtou16(p, NULL, &port)) {
        return true;
    }

    *err = g_strdup("Invalid port given.");
    return false;
}
7465
/**
 * UAT validator for the key file column of the RSA keys table.
 *
 * Rejects an empty name and a path that ws_stat64() cannot stat. This is a
 * usability check on the configured path only: the key itself is parsed
 * elsewhere, and "does not exist" and "access denied" are reported with one
 * message.
 */
bool
ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, char** err)
{
    ws_statb64 st;

    if (p == NULL || *p == '\0') {
        *err = g_strdup("No filename given.");
        return false;
    }

    if (ws_stat64(p, &st) != 0) {
        *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p);
        return false;
    }

    *err = NULL;
    return true;
}
7484
/**
 * UAT validator for the password column of the RSA keys table.
 *
 * A non-empty password is taken to mean the key file (r->keyfile) is a
 * PKCS#12 container; it is opened and run through rsa_load_pkcs12() so a
 * wrong password or unreadable file is reported while editing the table
 * rather than at decryption time. An empty password is always accepted.
 * Without GnuTLS no key file can be loaded at all and every value is
 * rejected. On rejection *err carries a message the UAT code frees.
 *
 * NOTE(review): the failure message prints msg with "%s"; this assumes
 * rsa_load_pkcs12() always sets msg when it fails - confirm.
 */
bool
ssldecrypt_uat_fld_password_chk_cb(void *r _U_, const char *p _U_, unsigned len _U_, const void *u1 _U_, const void *u2 _U_, char **err)
{
#if defined(HAVE_LIBGNUTLS)
    ssldecrypt_assoc_t *assoc = (ssldecrypt_assoc_t *)r;
    FILE *fp;
    char *msg = NULL;
    gnutls_x509_privkey_t priv_key;

    *err = NULL;

    if (p == NULL || *p == '\0') {
        return true;    /* not PKCS#12, nothing to verify */
    }

    fp = ws_fopen(assoc->keyfile, "rb");
    if (fp == NULL) {
        *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.");
        return false;
    }

    priv_key = rsa_load_pkcs12(fp, p, &msg);
    fclose(fp);

    if (priv_key == NULL) {
        *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg);
        g_free(msg);
        return false;
    }

    g_free(msg);
    gnutls_x509_privkey_deinit(priv_key);
    return true;
#else
    *err = g_strdup("Cannot load key files, support is not compiled in.");
    return false;
#endif
}
7519/* UAT preferences callbacks. }}} */
7520
7521/** maximum size of ssl_association_info() string */
7522#define SSL_ASSOC_MAX_LEN8192 8192
7523
/* User data threaded through dissector_table_foreach_handle() by
 * ssl_association_info(). */
7524typedef struct ssl_association_info_callback_data
7525{
7526 char *str; /* SSL_ASSOC_MAX_LEN-byte, zeroed buffer the callback appends to */
7527 const char *table_protocol; /* carried along; not read by ssl_association_info_() */
7528} ssl_association_info_callback_data_t;
7529
/**
 * dissector_table_foreach_handle() callback for ssl_association_info():
 * appends one "'name' (description)\n" line for the handle to the buffer in
 * user_data. The write is bounded by the space left in the SSL_ASSOC_MAX_LEN
 * buffer, so a very long list is silently truncated rather than overrun.
 */
static void
ssl_association_info_(const char *table _U_, void *handle, void *user_data)
{
    ssl_association_info_callback_data_t *cb = (ssl_association_info_callback_data_t *)user_data;
    dissector_handle_t dh = (dissector_handle_t)handle;
    const int used = (int)strlen(cb->str);

    snprintf(cb->str + used, SSL_ASSOC_MAX_LEN - used, "'%s' (%s)\n",
             dissector_handle_get_dissector_name(dh),
             dissector_handle_get_description(dh));
}
7540
/**
 * Build a human-readable list of the dissectors registered in
 * dissector_table_name, one "'name' (description)" per line.
 *
 * @param dissector_table_name  Table to walk.
 * @param table_protocol        Passed through in the callback data; unused by
 *                              the callback itself.
 * @return a g_malloc'ed string of at most SSL_ASSOC_MAX_LEN bytes (longer
 *         lists are truncated); the caller must g_free() it.
 */
char*
ssl_association_info(const char* dissector_table_name, const char* table_protocol)
{
    ssl_association_info_callback_data_t cb = {
        .str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN),
        .table_protocol = table_protocol,
    };

    dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &cb);
    return cb.str;
}
7554
7555
7556/** Begin of code related to dissection of wire data. */
7557
7558/* Helpers for dissecting Variable-Length Vectors. {{{ */
/**
 * Read the length prefix of a TLS variable-length vector whose grammar is
 * <min_value..max_value>. The prefix is 1-4 bytes wide, chosen from
 * max_value the same way the TLS presentation language does.
 *
 * @param[out] ret_length  Number of payload bytes the caller may dissect.
 * @return true  when the prefix was read and the whole declared payload lies
 *               before offset_end; *ret_length is the declared length.
 *         false when the prefix itself could not be read (*ret_length = 0),
 *               or the declared length runs past offset_end, in which case
 *               *ret_length is clamped to the bytes that remain. An expert
 *               info is added in every false case.
 *
 * A declared length outside <min_value..max_value> only gets an expert info;
 * it does NOT make the call fail, so a caller that relies on the bound must
 * check *ret_length itself. The caller advances its own offset past the
 * prefix (the prefix width is implied by max_value).
 */
bool
ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
               unsigned offset, unsigned offset_end, uint32_t *ret_length,
               int hf_length, uint32_t min_value, uint32_t max_value)
{
    unsigned prefix_len;
    uint32_t declared;
    proto_item *len_item;

    DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value);

    if (offset > offset_end) {
        expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
                               "Vector offset is past buffer end offset (%u > %u)",
                               offset, offset_end);
        *ret_length = 0;
        return false;
    }

    prefix_len = (max_value > 0xffffff) ? 4 :
                 (max_value > 0xffff)   ? 3 :
                 (max_value > 0xff)     ? 2 : 1;

    if (offset_end - offset < prefix_len) {
        proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
                                     tvb, offset, offset_end - offset,
                                     "No more room for vector of length %u",
                                     prefix_len);
        *ret_length = 0;
        return false;
    }

    len_item = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, prefix_len, ENC_BIG_ENDIAN, &declared);
    offset += prefix_len;

    /* Grammar violations are reported but not fatal. */
    if (declared < min_value) {
        expert_add_info_format(pinfo, len_item, &hf->ei.malformed_vector_length,
                               "Vector length %u is smaller than minimum %u",
                               declared, min_value);
    } else if (declared > max_value) {
        expert_add_info_format(pinfo, len_item, &hf->ei.malformed_vector_length,
                               "Vector length %u is larger than maximum %u",
                               declared, max_value);
    }

    if (declared > offset_end - offset) {
        /* Clamp so the caller can still dissect what is present without
         * ever reading past offset_end. */
        expert_add_info_format(pinfo, len_item, &hf->ei.malformed_buffer_too_small,
                               "Vector length %u is too large, truncating it to %u",
                               declared, offset_end - offset);
        *ret_length = offset_end - offset;
        return false;
    }

    *ret_length = declared;
    return true;
}
7620
/**
 * Check that dissection of a vector's contents stopped exactly at offset_end.
 *
 * @return true only when offset == offset_end. Otherwise an expert info is
 *         added and false is returned: leftover bytes mean the peer put more
 *         in the vector than the grammar allows (malformed data), while
 *         overshooting offset_end means the dissector consumed bytes of the
 *         next element, which indicates a dissector bug.
 */
bool
ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
               unsigned offset, unsigned offset_end)
{
    if (offset == offset_end) {
        return true;
    }

    if (offset > offset_end) {
        unsigned overrun = offset - offset_end;
        proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
                                     tvb, offset_end, overrun,
                                     "Dissector processed too much data (%u byte%s)",
                                     overrun, plurality(overrun, "", "s"));
        return false;
    }

    unsigned leftover = offset_end - offset;
    proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
                                 tvb, offset, leftover,
                                 "%u trailing byte%s unprocessed",
                                 leftover, plurality(leftover, " was", "s were"));
    return false;
}
7647/** }}} */
7648
7649
7650static uint32_t
7651ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7652 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7653 uint16_t version, int hf_sig_len, int hf_sig);
7654
/* change_cipher_spec(20) dissection */
/**
 * Dissect a ChangeCipherSpec record (a single type byte).
 *
 * For TLS 1.3 the message is a compatibility dummy and nothing beyond the
 * byte is recorded. Otherwise the frame number of the first CCS in each
 * direction is remembered in the session, and for the server side the
 * resumption heuristic decided earlier (session->is_session_resumed, based
 * on a missing ServerHelloDone) is logged and flagged with an expert info.
 * That heuristic is evaluated here because the Finished message that would
 * confirm it is normally encrypted.
 *
 * @param ssl  May be NULL; only used for the debug log.
 */
void
ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               packet_info *pinfo, proto_tree *tree,
                               uint32_t offset, SslSession *session,
                               bool is_from_server,
                               const SslDecryptSession *ssl)
{
    /*
     * struct {
     *     enum { change_cipher_spec(1), (255) } type;
     * } ChangeCipherSpec;
     */
    proto_item *ccs_item;
    uint32_t *first_ccs_frame;

    proto_item_set_text(tree,
            "%s Record Layer: %s Protocol: Change Cipher Spec",
            val_to_str_const(session->version, ssl_version_short_names, "SSL"),
            val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
    ccs_item = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA);

    if (session->version == TLSV1DOT3_VERSION) {
        return;     /* dummy message in TLS 1.3 */
    }

    first_ccs_frame = is_from_server ? &session->server_ccs_frame
                                     : &session->client_ccs_frame;
    if (*first_ccs_frame == 0) {
        *first_ccs_frame = pinfo->num;
    }

    if (!is_from_server) {
        return;
    }

    if (ssl != NULL) {
        if (!session->is_session_resumed) {
            ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC);
        } else if (ssl->session_ticket.data_len) {
            ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC, "Session Ticket");
        } else if (ssl->session_id.data_len) {
            ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC, "Session ID");
        } else {
            /* Can happen if the capture somehow starts in the middle */
            ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC);
        }
    }

    if (session->is_session_resumed) {
        expert_add_info(pinfo, ccs_item, &hf->ei.resumed);
    }
}
7711
7712/** Begin of handshake(22) record dissections */
7713
/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
 * {{{ */
/*
 * Two bytes at offset are read unconditionally: the caller must already have
 * checked that they lie within the current vector. The value is shown as a
 * 16-bit TLS 1.3 SignatureScheme; if it has no TLS 1.3 name, the item text is
 * rewritten as the TLS 1.2 {hash, signature} pair. With ja4_data the raw code
 * is also appended to the JA4 signature-algorithm list.
 */
static void
tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
{
    uint32_t scheme, hash_id, sig_id;
    proto_item *scheme_item;
    proto_tree *scheme_tree;

    scheme_item = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
                                               offset, 2, ENC_BIG_ENDIAN, &scheme);
    if (ja4_data != NULL) {
        wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(scheme));
    }

    scheme_tree = proto_item_add_subtree(scheme_item, hf->ett.hs_sig_hash_alg);

    /* TLS 1.2 view of the same two bytes: SignatureAndHashAlgorithm { hash, signature } */
    proto_tree_add_item_ret_uint(scheme_tree, hf->hf.hs_sig_hash_hash, tvb,
                                 offset, 1, ENC_BIG_ENDIAN, &hash_id);
    proto_tree_add_item_ret_uint(scheme_tree, hf->hf.hs_sig_hash_sig, tvb,
                                 offset + 1, 1, ENC_BIG_ENDIAN, &sig_id);

    if (try_val_to_str(scheme, tls13_signature_algorithm) == NULL) {
        proto_item_set_text(scheme_item, "Signature Algorithm: %s %s (0x%04x)",
                            val_to_str_const(hash_id, tls_hash_algorithm, "Unknown"),
                            val_to_str_const(sig_id, tls_signature_algorithm, "Unknown"),
                            scheme);
    }
} /* }}} */
7745
/* dissect a list of hash algorithms, return the number of bytes dissected
   this is used for the signature algorithms extension and for the
   TLS1.2 certificate request. {{{ */
/*
 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
 *     struct {
 *         HashAlgorithm hash;
 *         SignatureAlgorithm signature;
 *     } SignatureAndHashAlgorithm;
 *     SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
 *
 * Returns the offset just past the list. If the length prefix cannot be read
 * the whole remainder (offset_end) is skipped; if the list has trailing bytes
 * (an odd byte) they are reported and skipped as well.
 */
static int
ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                          packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
{
    uint32_t list_len, list_end;
    proto_item *list_item;
    proto_tree *list_tree;

    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_len,
                        hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX - 1)) {
        return offset_end;
    }
    offset += 2;    /* 2-byte length prefix, implied by the 2^16-2 maximum */
    list_end = offset + list_len;

    list_item = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, list_len,
                                           "Signature Hash Algorithms (%u algorithm%s)",
                                           list_len / 2, plurality(list_len / 2, "", "s"));
    list_tree = proto_item_add_subtree(list_item, hf->ett.hs_sig_hash_algs);

    /* Each entry is exactly 2 bytes; the loop guard keeps every read inside
     * the list, a dangling odd byte is left for ssl_end_vector to report. */
    for (; list_end - offset >= 2; offset += 2) {
        tls_dissect_signature_algorithm(hf, tvb, list_tree, offset, ja4_data);
    }

    if (!ssl_end_vector(hf, tvb, pinfo, list_tree, offset, list_end)) {
        offset = list_end;
    }

    return offset;
} /* }}} */
7789
/* Dissection of DistinguishedName (for CertificateRequest and
 * certificate_authorities extension). {{{ */
/*
 * Dissects
 *     opaque DistinguishedName<1..2^16-1>;
 *     DistinguishedName certificate_authorities<0..2^16-1>;
 * (minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later versions).
 *
 * Returns the offset after the list. At most 100 names are added to the
 * tree; the rest is marked as truncated and skipped, because every DN adds
 * tree depth and the list must stay below PINFO_LAYER_MAX_RECURSION_DEPTH
 * in packet.c (see gitlab issue 16202). Each DN is handed to the BER
 * dissector at its start offset; the loop then advances by the declared
 * name_length regardless of how many bytes the BER dissector consumed.
 */
static uint32_t
tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                    proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    uint32_t list_len, list_end;
    proto_item *item;
    proto_tree *list_tree;
    asn1_ctx_t asn1_ctx;
    int names_left = 100;   /* cap on DNs added to the tree, see above */

    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_len,
                        hf->hf.hs_dnames_len, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    list_end = offset + list_len;

    if (list_len == 0) {
        return offset;
    }

    item = proto_tree_add_none_format(tree,
                                      hf->hf.hs_dnames,
                                      tvb, offset, list_len,
                                      "Distinguished Names (%d byte%s)",
                                      list_len,
                                      plurality(list_len, "", "s"));
    list_tree = proto_item_add_subtree(item, hf->ett.dnames);

    asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);

    while (offset < list_end) {
        uint32_t name_length;

        if (names_left == 0) {
            item = proto_tree_add_item(list_tree, hf->hf.hs_dnames_truncated,
                                       tvb, offset, list_end - offset, ENC_NA);
            proto_item_set_generated(item);
            return list_end;
        }
        names_left--;

        /* opaque DistinguishedName<1..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, list_tree, offset, list_end, &name_length,
                            hf->hf.hs_dname_len, 1, UINT16_MAX)) {
            return list_end;
        }
        offset += 2;

        dissect_x509if_DistinguishedName(false, tvb, offset, &asn1_ctx,
                                         list_tree, hf->hf.hs_dname);
        offset += name_length;
    }

    return offset;
} /* }}} */
7852
7853
7854/** TLS Extensions (in Client Hello and Server Hello). {{{ */
/* signature_algorithms extension: its body is exactly a
 * SignatureAndHashAlgorithm / SignatureScheme list, so delegate entirely. */
static int
ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                        proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
{
    const int end_offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
    return end_offset;
}
7861
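/*
 * delegated_credential extension.
 *
 * In ClientHello and CertificateRequest the body is
 *     struct {
 *         SignatureScheme supported_signature_algorithm<2..2^16-2>;
 *     } SignatureSchemeList;
 * everywhere else it is
 *     struct {
 *         uint32 valid_time;
 *         SignatureScheme expected_cert_verify_algorithm;
 *         opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
 *     } Credential;
 *     struct {
 *         Credential cred;
 *         SignatureScheme algorithm;
 *         opaque signature<0..2^16-1>;
 *     } DelegatedCredential;
 *
 * Returns the offset after the parsed body, or offset_end when the body is
 * malformed or truncated (an expert info is added in that case). The
 * signature vector is checked with a minimum of 1, as before, although the
 * grammar allows an empty one; that only yields an expert info.
 */
static int
ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                          proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
{
    asn1_ctx_t asn1_ctx;
    uint32_t pubkey_length, sign_length;

    if (hnd_type == SSL_HND_CLIENT_HELLO ||
        hnd_type == SSL_HND_CERT_REQUEST) {
        return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL);
    }

    /* valid_time (4) and expected_cert_verify_algorithm (2) are fixed-size
     * fields read straight from the tvb, so unlike the vectors below they
     * get no bounds check from ssl_add_vector. Without this guard a short
     * extension would have them read from whatever follows it (presumably
     * the next extension, or a tvb exception at the end of the buffer). */
    if (offset > offset_end || offset_end - offset < 6) {
        expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
                               "DelegatedCredential is too short for valid_time and signature scheme (%u byte%s)",
                               offset > offset_end ? 0 : offset_end - offset,
                               plurality(offset > offset_end ? 0 : offset_end - offset, "", "s"));
        return offset_end;
    }

    asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);

    proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN);
    offset += 4;

    tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL);
    offset += 2;

    /* opaque ASN1_subjectPublicKeyInfo<1..2^24-1>: 3-byte length prefix */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
                        hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24)) {
        return offset_end;
    }
    offset += 3;
    dissect_x509af_SubjectPublicKeyInfo(false, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
    offset += pubkey_length;

    /* SignatureScheme algorithm: another fixed 2-byte read, guard it too.
     * ssl_add_vector returned true above, so offset <= offset_end here. */
    if (offset_end - offset < 2) {
        expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
                               "DelegatedCredential is too short for the signature algorithm (%u byte%s left)",
                               offset_end - offset, plurality(offset_end - offset, "", "s"));
        return offset_end;
    }
    tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL);
    offset += 2;

    /* opaque signature<0..2^16-1>: 2-byte length prefix */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
                        hf->hf.hs_cred_signature_len, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    proto_tree_add_item(tree, hf->hf.hs_cred_signature,
                        tvb, offset, sign_length, ENC_ASCII|ENC_NA);
    offset += sign_length;

    return offset;
}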
7924
/*
 * application_settings (ALPS) extension,
 * https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4
 *
 * ClientHello carries the list of ALPN ids the client has settings for:
 *     opaque ProtocolName<1..2^8-1>;
 *     struct {
 *         ProtocolName supported_protocols<2..2^16-1>
 *     } ApplicationSettingsSupport;
 * EncryptedExtensions carries an opaque settings blob, shown as-is.
 * Any other handshake type is skipped without dissection.
 *
 * Returns the offset after the parsed body, or offset_end when nothing (or
 * only a malformed prefix) could be parsed.
 */
static int
ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               packet_info *pinfo, proto_tree *tree,
                               uint32_t offset, uint32_t offset_end,
                               uint8_t hnd_type)
{
    proto_tree *list_tree;
    proto_item *list_item;
    uint32_t list_len, list_end, id_len;

    if (hnd_type == SSL_HND_ENCRYPTED_EXTS) {
        proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
                            tvb, offset, offset_end - offset, ENC_ASCII|ENC_NA);
        return offset_end;
    }
    if (hnd_type != SSL_HND_CLIENT_HELLO) {
        return offset_end;
    }

    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_len,
                        hf->hf.hs_ext_alps_len, 2, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    list_end = offset + list_len;

    list_item = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
                                    tvb, offset, list_len, ENC_NA);
    list_tree = proto_item_add_subtree(list_item, hf->ett.hs_ext_alps);

    /* No separate end-of-vector check is needed: ssl_add_vector clamps each
     * element to list_end, so offset can never run past it. */
    while (offset < list_end) {
        if (!ssl_add_vector(hf, tvb, pinfo, list_tree, offset, list_end, &id_len,
                            hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX)) {
            return list_end;
        }
        offset += 1;

        proto_tree_add_item(list_tree, hf->hf.hs_ext_alps_alpn_str,
                            tvb, offset, id_len, ENC_ASCII|ENC_NA);
        offset += id_len;
    }

    return offset;
}
7983
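static int
ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               packet_info *pinfo, proto_tree *tree,
                               uint32_t offset, uint32_t offset_end,
                               uint8_t hnd_type, SslSession *session,
                               bool is_dtls, ja4_data_t *ja4_data)
{
    /* Dissect the application_layer_protocol_negotiation extension.
     *
     * https://tools.ietf.org/html/rfc7301#section-3.1
     * opaque ProtocolName<1..2^8-1>;
     * struct {
     *     ProtocolName protocol_name_list<2..2^16-1>
     * } ProtocolNameList;
     *
     * Side effects: for ServerHello/EncryptedExtensions the (last, and per
     * RFC 7301 only) ProtocolName is copied into session->alpn_name and, when
     * it maps to a registered dissector, session->app_handle is switched to
     * it.  For ClientHello the last ProtocolName is copied into
     * session->client_alpn_name.  When ja4_data is given and its alpn buffer
     * is still empty, the first ProtocolName contributes the two JA4 ALPN
     * characters.
     *
     * Returns the offset just past the list, or the end of the enclosing
     * vector when a length field is out of range (ssl_add_vector reports it).
     */
    proto_tree *alpn_tree;
    proto_item *ti;
    uint32_t    next_offset, alpn_length, name_length;
    const char *proto_name = NULL, *client_proto_name = NULL;

    /* ProtocolName protocol_name_list<2..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
                        hf->hf.hs_ext_alpn_len, 2, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + alpn_length;

    ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
                             tvb, offset, alpn_length, ENC_NA);
    alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);

    /* Parse list (note missing check for end of vector, ssl_add_vector below
     * ensures that data is always available.) */
    while (offset < next_offset) {
        /* opaque ProtocolName<1..2^8-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
                            hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX)) {
            return next_offset;
        }
        offset++;

        proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
                            tvb, offset, name_length, ENC_ASCII|ENC_NA);
        if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
            /* Work on raw bytes rather than char: the name is peer-controlled
             * and may contain bytes >= 0x80, and right-shifting a negative
             * (signed) char is implementation-defined.  name_length >= 1 is
             * guaranteed by the vector minimum above, so the last-byte index
             * cannot underflow. */
            const uint8_t alpn_first_byte = tvb_get_uint8(tvb, offset);
            const uint8_t alpn_last_byte  = tvb_get_uint8(tvb, offset + name_length - 1);
            if (g_ascii_isalnum(alpn_first_byte) && g_ascii_isalnum(alpn_last_byte)) {
                wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_byte, alpn_last_byte);
            }
            else {
                /* Non-alphanumeric: first hex digit of the first byte and
                 * last hex digit of the last byte. */
                wmem_strbuf_append_printf(ja4_data->alpn, "%x%x", (alpn_first_byte >> 4) & 0x0F,
                                          alpn_last_byte & 0x0F);
            }
        }
        /* Remember first ALPN ProtocolName entry for server. */
        if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
            /* '\0'-terminated string for dissector table match and prefix
             * comparison purposes. */
            proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
                                                   name_length, ENC_ASCII);
        } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
            client_proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
                                                          name_length, ENC_ASCII);
        }
        offset += name_length;
    }

    /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
     * exactly one "ProtocolName". */
    if (proto_name) {
        dissector_handle_t handle;

        session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);

        if (is_dtls) {
            handle = dissector_get_string_handle(dtls_alpn_dissector_table,
                                                 proto_name);
        } else {
            handle = dissector_get_string_handle(ssl_alpn_dissector_table,
                                                 proto_name);
            if (handle == NULL) {
                /* Try prefix matching */
                for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols); i++) {
                    const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];

                    /* string_string is inappropriate as it compares strings
                     * while "byte strings MUST NOT be truncated" (RFC 7301) */
                    if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)) {
                        handle = find_dissector(alpn_proto->dissector_name);
                        break;
                    }
                }
            }
        }
        if (handle != NULL) {
            /* ProtocolName match, so set the App data dissector handle.
             * This may override protocols given via the UAT dialog, but
             * since the ALPN hint is precise, do it anyway. */
            ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC,
                             (void *)session->app_handle,
                             (void *)handle,
                             dissector_handle_get_dissector_name(handle));
            session->app_handle = handle;
        }
    } else if (client_proto_name) {
        // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
        // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
        session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
    }

    return offset;
}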
8096
static int
ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                              packet_info *pinfo, proto_tree *tree,
                              uint32_t offset, uint32_t offset_end)
{
    /* Dissect the (pre-standard) next_protocol_negotiation extension.
     *
     * https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
     * The "extension_data" field of a "next_protocol_negotiation" extension
     * in a "ServerHello" contains an optional list of protocols advertised
     * by the server. Protocols are named by opaque, non-empty byte strings
     * and the list of protocols is serialized as a concatenation of 8-bit,
     * length prefixed byte strings. Implementations MUST ensure that the
     * empty string is not included and that no byte strings are truncated.
     *
     * Returns the offset after the last entry, or offset_end when a length
     * byte is out of range.
     */
    proto_tree *npn_tree;
    uint32_t    proto_len;

    /* An empty extension is legal: do not create an empty subtree. */
    if (offset == offset_end) {
        return offset;
    }

    npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                      hf->ett.hs_ext_npn, NULL, "Next Protocol Negotiation");

    /* Each entry: one length byte in 1..255, then that many opaque bytes. */
    for (; offset < offset_end; offset += proto_len) {
        if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &proto_len,
                            hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX)) {
            return offset_end;
        }
        offset++;

        proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
                            tvb, offset, proto_len, ENC_ASCII|ENC_NA);
    }

    return offset;
}
8135
static int
ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                     packet_info *pinfo, proto_tree *tree,
                                     uint32_t offset, uint32_t offset_end)
{
    /* Dissect the renegotiation_info extension.
     *
     * https://tools.ietf.org/html/rfc5746#section-3.2
     * struct {
     *     opaque renegotiated_connection<0..255>;
     * } RenegotiationInfo;
     *
     * Returns the offset after the opaque value (offset + 1 for the initial
     * handshake, where the value is empty), or offset_end when the length
     * byte is invalid.
     */
    uint32_t    info_len;
    proto_tree *info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                                   hf->ett.hs_ext_reneg_info, NULL,
                                                   "Renegotiation Info extension");

    /* opaque renegotiated_connection<0..255> */
    if (!ssl_add_vector(hf, tvb, pinfo, info_tree, offset, offset_end, &info_len,
                        hf->hf.hs_ext_reneg_info_len, 0, 255)) {
        return offset_end;
    }
    offset += 1;

    /* Zero-length is the common case (no prior handshake to bind to). */
    if (info_len == 0) {
        return offset;
    }

    proto_tree_add_item(info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, info_len, ENC_NA);
    return offset + info_len;
}
8166
static int
ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                          proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                          const char **group_name_out)
{
    /* Dissect one KeyShareEntry.
     *
     * RFC 8446 Section 4.2.8
     * struct {
     *     NamedGroup group;
     *     opaque key_exchange<1..2^16-1>;
     * } KeyShareEntry;
     *
     * group_name_out (optional) receives the printable group name, or NULL
     * for a GREASE value so callers do not label the packet with it.
     * Returns the offset after the entry, or offset_end when the
     * key_exchange length is out of range.
     */
    uint32_t    group, kex_len;
    const char *group_name;
    proto_tree *entry_tree = proto_tree_add_subtree(tree, tvb, offset, 4,
                                                    hf->ett.hs_ext_key_share_ks, NULL,
                                                    "Key Share Entry");

    /* NamedGroup group (2 bytes) */
    proto_tree_add_item_ret_uint(entry_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2,
                                 ENC_BIG_ENDIAN, &group);
    offset += 2;
    group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
    proto_item_append_text(entry_tree, ": Group: %s", group_name);
    if (group_name_out != NULL) {
        if (IS_GREASE_TLS(group)) {
            *group_name_out = NULL;
        } else {
            *group_name_out = group_name;
        }
    }

    /* opaque key_exchange<1..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, entry_tree, offset, offset_end, &kex_len,
                        hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX)) {
        /* Bad (possibly truncated) length: skip to the end of the KeyShare extension. */
        return offset_end;
    }
    offset += 2;
    /* group (2) + length (2) + key_exchange */
    proto_item_set_len(entry_tree, 2 + 2 + kex_len);
    proto_item_append_text(entry_tree, ", Key Exchange length: %u", kex_len);

    proto_tree_add_item(entry_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, kex_len, ENC_NA);
    return offset + kex_len;
}
8205
static int
ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                    proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                    uint8_t hnd_type, SslDecryptSession *ssl)
{
    /* Dissect the key_share extension, whose layout depends on the handshake
     * message type (RFC 8446 Section 4.2.8): a list of KeyShareEntry in
     * ClientHello, a single entry in ServerHello, and only a NamedGroup in
     * HelloRetryRequest.  The group name(s) are appended to the parent
     * item's label.  For ServerHello, ssl->has_key_share is set when ssl is
     * given.  Returns the offset after the parsed data, or the end of the
     * enclosing vector on a bad length.
     */
    proto_tree *ks_tree;
    uint32_t    shares_len, shares_end, group;
    const char *group_name = NULL;
    const char *sep = " ";

    /* Also catches ext_len == 0 and a wrapped (offset + ext_len) > UINT32_MAX. */
    if (offset_end <= offset) {
        return offset;
    }

    ks_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                     hf->ett.hs_ext_key_share, NULL, "Key Share extension");

    if (hnd_type == SSL_HND_CLIENT_HELLO) {
        /* KeyShareEntry client_shares<0..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &shares_len,
                            hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        shares_end = offset + shares_len;
        /* Smallest possible entry: NamedGroup (2) + length (1) + 1 byte of data. */
        while (offset + 4 <= shares_end) {
            offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, ks_tree,
                                                               offset, shares_end, &group_name);
            if (group_name != NULL) {
                proto_item_append_text(tree, "%s%s", sep, group_name);
                sep = ", ";
            }
        }
        if (!ssl_end_vector(hf, tvb, pinfo, ks_tree, offset, shares_end)) {
            return shares_end;
        }
    } else if (hnd_type == SSL_HND_SERVER_HELLO) {
        if (ssl != NULL) {
            ssl->has_key_share = true;
        }
        offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, ks_tree,
                                                           offset, offset_end, &group_name);
        if (group_name != NULL) {
            proto_item_append_text(tree, " %s", group_name);
        }
    } else if (hnd_type == SSL_HND_HELLO_RETRY_REQUEST) {
        /* NamedGroup selected_group only. */
        proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_selected_group, tvb,
                                     offset, 2, ENC_BIG_ENDIAN, &group);
        offset += 2;
        group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
        proto_item_append_text(tree, " %s", group_name);
    }
    /* Other handshake types: nothing further to parse. */

    return offset;
}
8265
static int
ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                         proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                         uint8_t hnd_type, SslDecryptSession *ssl)
{
    /* Dissect the pre_shared_key extension.
     *
     * RFC 8446 Section 4.2.11
     * struct {
     *     opaque identity<1..2^16-1>;
     *     uint32 obfuscated_ticket_age;
     * } PskIdentity;
     * opaque PskBinderEntry<32..255>;
     * struct {
     *     select (Handshake.msg_type) {
     *         case client_hello:
     *             PskIdentity identities<7..2^16-1>;
     *             PskBinderEntry binders<33..2^16-1>;
     *         case server_hello:
     *             uint16 selected_identity;
     *     };
     * } PreSharedKeyExtension;
     *
     * For ServerHello, ssl->has_psk is set when ssl is given.  Returns the
     * offset after the parsed data; on a bad length field the end of the
     * innermost enclosing vector is returned instead.
     */
    proto_tree *psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                                  hf->ett.hs_ext_pre_shared_key, NULL,
                                                  "Pre-Shared Key extension");

    if (hnd_type == SSL_HND_SERVER_HELLO) {
        /* uint16 selected_identity */
        if (ssl != NULL) {
            ssl_debug_printf("%s found pre_shared_key extension\n", G_STRFUNC);
            ssl->has_psk = true;
        }
        proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN);
        return offset + 2;
    }
    if (hnd_type != SSL_HND_CLIENT_HELLO) {
        return offset;
    }

    /* --- ClientHello: identities, then binders --- */
    uint32_t identities_len, identities_end, binders_len, binders_end;

    /* PskIdentity identities<7..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_len,
                        hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    identities_end = offset + identities_len;

    while (offset < identities_end) {
        uint32_t    identity_len;
        proto_tree *identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4,
                                                           hf->ett.hs_ext_psk_identity, NULL,
                                                           "PSK Identity (");

        /* opaque identity<1..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_len,
                            hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX)) {
            return identities_end;
        }
        offset += 2;
        proto_item_append_text(identity_tree, "length: %u)", identity_len);

        proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset,
                            identity_len, ENC_BIG_ENDIAN);
        offset += identity_len;

        /* uint32 obfuscated_ticket_age */
        proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb,
                            offset, 4, ENC_BIG_ENDIAN);
        offset += 4;

        proto_item_set_len(identity_tree, 2 + identity_len + 4);
    }
    if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
        offset = identities_end;
    }

    /* PskBinderEntry binders<33..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_len,
                        hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    binders_end = offset + binders_len;

    proto_item *binders_item = proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset,
                                                   binders_len, ENC_NA);
    proto_tree *binders_tree = proto_item_add_subtree(binders_item, hf->ett.hs_ext_psk_binders);

    while (offset < binders_end) {
        uint32_t    binder_len;
        proto_item *binder_item = proto_tree_add_item(binders_tree, hf->hf.hs_ext_psk_binder, tvb,
                                                      offset, 1, ENC_NA);
        proto_tree *binder_tree = proto_item_add_subtree(binder_item, hf->ett.hs_ext_psk_binder);

        /* opaque PskBinderEntry<32..255>; */
        if (!ssl_add_vector(hf, tvb, pinfo, binder_tree, offset, binders_end, &binder_len,
                            hf->hf.hs_ext_psk_binder_binder_length, 32, 255)) {
            return binders_end;
        }
        offset += 1;
        proto_item_append_text(binder_tree, " (length: %u)", binder_len);

        proto_tree_add_item(binder_tree, hf->hf.hs_ext_psk_binder_binder, tvb, offset,
                            binder_len, ENC_BIG_ENDIAN);
        offset += binder_len;

        proto_item_set_end(binder_item, tvb, offset);
    }

    return offset;
}
8380
static uint32_t
ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U_,
                                     proto_tree *tree, uint32_t offset, uint32_t offset_end _U_,
                                     uint8_t hnd_type, SslDecryptSession *ssl)
{
    /* Dissect the early_data extension.
     *
     * RFC 8446 Section 4.2.10
     * struct {} Empty;
     * struct {
     *     select (Handshake.msg_type) {
     *         case new_session_ticket:   uint32 max_early_data_size;
     *         case client_hello:         Empty;
     *         case encrypted_extensions: Empty;
     *     };
     * } EarlyDataIndication;
     *
     * In ClientHello the extension is empty; its presence is recorded in
     * ssl->has_early_data (when ssl is given) so that the following 0-RTT
     * records can be handled.  Only NewSessionTicket carries a value.
     * Returns the offset after any consumed bytes.
     */
    if (hnd_type == SSL_HND_CLIENT_HELLO) {
        /* Remember that early_data will follow the handshake. */
        if (ssl != NULL) {
            ssl_debug_printf("%s found early_data extension\n", G_STRFUNC);
            ssl->has_early_data = true;
        }
        return offset;
    }

    if (hnd_type == SSL_HND_NEWSESSION_TICKET) {
        /* uint32 max_early_data_size */
        proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN);
        return offset + 4;
    }

    /* EncryptedExtensions and anything else: nothing to parse. */
    return offset;
}
8413
static uint16_t
tls_try_get_version(bool is_dtls, uint16_t version, uint8_t *draft_version)
{
    /* Normalize a protocol version number as advertised on the wire.
     *
     * TLS 1.3 draft identifiers (and Facebook fizz's unofficial 0xfb17 /
     * 0xfb1a) are mapped to TLSV1DOT3_VERSION, with the draft number stored
     * in *draft_version (when non-NULL; it is 0 for final versions).  The
     * result is SSL_VER_UNKNOWN when the number is not a known (D)TLS
     * version or does not belong to the family selected by is_dtls, else the
     * (normalized) version itself.
     */
    uint8_t draft = 0;

    if (!is_dtls) {
        draft = extract_tls13_draft_version(version);
        if (draft != 0) {
            /* This is TLS 1.3 (a draft version). */
            version = TLSV1DOT3_VERSION;
        }
        /* Checked after the draft mapping, so a draft result is never
         * re-interpreted as a fizz number. */
        if (version == 0xfb17 || version == 0xfb1a) {
            /* Unofficial TLS 1.3 draft version for Facebook fizz. */
            draft = (uint8_t)version;
            version = TLSV1DOT3_VERSION;
        }
    }
    if (draft_version != NULL) {
        *draft_version = draft;
    }

    /* Is this number from the DTLS range or the TLS/SSL range? */
    bool number_is_dtls;
    switch (version) {
    case SSLV3_VERSION:
    case TLSV1_VERSION:
    case TLSV1DOT1_VERSION:
    case TLSV1DOT2_VERSION:
    case TLSV1DOT3_VERSION:
    case TLCPV1_VERSION:
        number_is_dtls = false;
        break;

    case DTLSV1DOT0_VERSION:
    case DTLSV1DOT0_OPENSSL_VERSION:
    case DTLSV1DOT2_VERSION:
    case DTLSV1DOT3_VERSION:
        number_is_dtls = true;
        break;

    default: /* invalid version number */
        return SSL_VER_UNKNOWN;
    }

    /* A TLS number on a DTLS session (or vice versa) is not accepted. */
    if (number_is_dtls != is_dtls) {
        return SSL_VER_UNKNOWN;
    }
    return version;
}
8464
static int
ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                             proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                             SslSession *session, bool is_dtls, ja4_data_t *ja4_data)
{
    /* Dissect the ClientHello form of the supported_versions extension.
     *
     * RFC 8446 Section 4.2.1
     * struct {
     *     ProtocolVersion versions<2..254>; // ClientHello
     * } SupportedVersions;
     * Note that ServerHello and HelloRetryRequest are handled by the caller.
     *
     * Side effects: the non-GREASE versions are appended to the parent item
     * label; while session->version is still unknown, the "lowest" offered
     * version is tracked and the protocol column is set; the highest TLS 1.3
     * draft number seen goes to session->tls13_draft_version; the highest
     * non-GREASE raw version feeds ja4_data->max_version when ja4_data is
     * given.  Returns the offset after the list, or offset_end on a bad
     * length byte.
     */
    uint32_t versions_len, versions_end;

    /* ProtocolVersion versions<2..254> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_len,
                        hf->hf.hs_ext_supported_versions_len, 2, 254)) {
        return offset_end;
    }
    offset += 1;
    versions_end = offset + versions_len;

    unsigned    version = 0;
    unsigned    current_version;
    unsigned    lowest_version = SSL_VER_UNKNOWN;
    uint8_t     draft_version;
    uint8_t     max_draft_version = 0;
    const char *sep = " ";

    for (; offset + 2 <= versions_end; offset += 2) {
        proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2,
                                     ENC_BIG_ENDIAN, &version);
        const bool is_grease = IS_GREASE_TLS(version);

        if (!is_grease) {
            proto_item_append_text(tree, "%s%s", sep,
                                   val_to_str(pinfo->pool, version, ssl_versions, "Unknown (0x%04x)"));
            sep = ", ";
        }

        current_version = tls_try_get_version(is_dtls, version, &draft_version);
        if (session->version == SSL_VER_UNKNOWN) {
            if (lowest_version == SSL_VER_UNKNOWN) {
                lowest_version = current_version;
            } else if (current_version != SSL_VER_UNKNOWN) {
                /* DTLS version numbers decrease as the protocol gets newer,
                 * hence MAX there. */
                if (is_dtls) {
                    lowest_version = MAX(lowest_version, current_version);
                } else {
                    lowest_version = MIN(lowest_version, current_version);
                }
            }
        }
        if (draft_version > max_draft_version) {
            max_draft_version = draft_version;
        }
        if (ja4_data != NULL && !is_grease) {
            /* The DTLS version numbers get mapped to "00" for unknown per
             * JA4 spec, but if JA4 ever does support DTLS we'll probably
             * need to take the MIN instead of MAX here for DTLS.
             */
            if (version > ja4_data->max_version) {
                ja4_data->max_version = version;
            }
        }
    }
    if (session->version == SSL_VER_UNKNOWN && lowest_version != SSL_VER_UNKNOWN) {
        /* NOTE(review): the column is labelled from the last version parsed
         * (`version`), not from `lowest_version` computed above -- confirm
         * this is intended. */
        col_set_str(pinfo->cinfo, COL_PROTOCOL,
                    val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
    }
    /* A trailing odd byte is reported here rather than parsed. */
    if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, versions_end)) {
        offset = versions_end;
    }

    /* XXX remove this when draft 19 support is dropped,
     * this is only required for early data decryption. */
    if (max_draft_version != 0) {
        session->tls13_draft_version = max_draft_version;
    }

    return offset;
}
8536
static int
ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                 packet_info *pinfo, proto_tree *tree,
                                 uint32_t offset, uint32_t offset_end)
{
    /* Dissect the cookie extension.
     *
     * RFC 8446 Section 4.2.2
     * struct {
     *     opaque cookie<1..2^16-1>;
     * } Cookie;
     *
     * Returns the offset after the cookie, or offset_end when the length is
     * out of range.
     */
    uint32_t cookie_len;

    /* opaque cookie<1..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_len,
                        hf->hf.hs_ext_cookie_len, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;

    proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_len, ENC_NA);
    return offset + cookie_len;
}
8560
static int
ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                                 proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* Dissect the psk_key_exchange_modes extension.
     *
     * RFC 8446 Section 4.2.9
     * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
     *
     * struct {
     *     PskKeyExchangeMode ke_modes<1..255>;
     * } PskKeyExchangeModes;
     *
     * Returns the offset after the list, or offset_end on a bad length byte.
     */
    uint32_t modes_len, modes_end;

    /* PskKeyExchangeMode ke_modes<1..255> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &modes_len,
                        hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
        return offset_end;
    }
    offset += 1;
    modes_end = offset + modes_len;

    /* One mode per byte. */
    for (; offset < modes_end; offset++) {
        proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA);
    }

    return offset;
}
8589
static uint32_t
ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                                  proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* Dissect the certificate_authorities extension.
     *
     * RFC 8446 Section 4.2.4
     * opaque DistinguishedName<1..2^16-1>;
     * struct {
     *     DistinguishedName authorities<3..2^16-1>;
     * } CertificateAuthoritiesExtension;
     *
     * The wire format is the same as the CertificateRequest field, so the
     * shared parser is used; its return value (the new offset) is passed on.
     */
    const uint32_t new_offset =
        tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
    return new_offset;
}
8602
static int
ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                      proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* Dissect the oid_filters extension.
     *
     * RFC 8446 Section 4.2.5
     * struct {
     *     opaque certificate_extension_oid<1..2^8-1>;
     *     opaque certificate_extension_values<0..2^16-1>;
     * } OIDFilter;
     * struct {
     *     OIDFilter filters<0..2^16-1>;
     * } OIDFilterExtension;
     *
     * Each OID is BER-decoded and, when values are present, the BER
     * identifier/length are added and the OID-specific callback is invoked
     * on the payload.  Returns the offset after the last filter, or the end
     * of the enclosing vector on a bad length.
     */
    proto_tree *filter_tree;
    uint32_t    filters_len, oid_len, values_len, value_offset;
    asn1_ctx_t  asn1_ctx;
    const char *oid, *oid_name;

    /* OIDFilter filters<0..2^16-1> */
    /* NOTE(review): the length is registered under the psk_ke_modes length
     * field (hs_ext_psk_ke_modes_length); looks like a copy-paste -- confirm
     * whether a dedicated oid_filters length field exists. */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_len,
                        hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    /* From here on offset_end bounds the filters vector, not the extension. */
    offset_end = offset + filters_len;

    asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);

    while (offset < offset_end) {
        filter_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                             hf->ett.hs_ext_oid_filter, NULL, "OID Filter");

        /* opaque certificate_extension_oid<1..2^8-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, filter_tree, offset, offset_end, &oid_len,
                            hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX)) {
            return offset_end;
        }
        offset += 1;
        /* The BER decoder reads its own TLV length; the declared oid_len is
         * what advances the cursor, so the two are not cross-checked here. */
        dissect_ber_object_identifier_str(false, &asn1_ctx, filter_tree, tvb, offset,
                                          hf->hf.hs_ext_oid_filters_oid, &oid);
        offset += oid_len;

        /* Append the (resolved, if known) OID to the tree label.
         * NOTE(review): assumes the decoder always yields a non-NULL oid
         * string -- confirm for malformed input. */
        oid_name = oid_resolved_from_string(pinfo->pool, oid);
        proto_item_append_text(filter_tree, " (%s)", oid_name != NULL ? oid_name : oid);

        /* opaque certificate_extension_values<0..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, filter_tree, offset, offset_end, &values_len,
                            hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        proto_item_set_len(filter_tree, 1 + oid_len + 2 + values_len);
        if (values_len != 0) {
            value_offset = dissect_ber_identifier(pinfo, filter_tree, tvb, offset, NULL, NULL, NULL);
            value_offset = dissect_ber_length(pinfo, filter_tree, tvb, value_offset, NULL, NULL);
            call_ber_oid_callback(oid, tvb, value_offset, pinfo, filter_tree, NULL);
        }
        offset += values_len;
    }

    return offset;
}
8667
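static int
ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                      packet_info *pinfo, proto_tree *tree,
                                      uint32_t offset, uint32_t offset_end)
{
    /* Dissect the server_name (SNI) extension.
     *
     * https://tools.ietf.org/html/rfc6066#section-3
     *
     * struct {
     *     NameType name_type;
     *     select (name_type) {
     *         case host_name: HostName;
     *     } name;
     * } ServerName;
     *
     * enum {
     *     host_name(0), (255)
     * } NameType;
     *
     * opaque HostName<1..2^16-1>;
     *
     * struct {
     *     ServerName server_name_list<1..2^16-1>
     * } ServerNameList;
     *
     * Side effects: a host_name entry is appended to the parent item label and
     * to the Info column and, if the handshake_sni_addr_resolution preference
     * is on, registered as a name for the destination address.  Returns the
     * offset after the list, or the end of the enclosing vector on a bad
     * length.
     */
    proto_tree *server_name_tree;
    uint32_t    list_length, server_name_length, next_offset;

    /* The server SHALL include "server_name" extension with empty data. */
    if (offset == offset_end) {
        return offset;
    }

    server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                              hf->ett.hs_ext_server_name, NULL,
                                              "Server Name Indication extension");

    /* ServerName server_name_list<1..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
                        hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + list_length;

    while (offset < next_offset) {
        uint32_t    name_type;
        const char *server_name = NULL;
        proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
                                     tvb, offset, 1, ENC_NA, &name_type);
        offset++;

        /* opaque HostName<1..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
                            hf->hf.hs_ext_server_name_len, 1, UINT16_MAX)) {
            return next_offset;
        }
        offset += 2;

        proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
                                       tvb, offset, server_name_length, ENC_ASCII|ENC_NA,
                                       pinfo->pool, (const uint8_t**)&server_name);
        offset += server_name_length;
        // Each type must only occur once, so we don't check for duplicates.
        if (name_type == 0) {
            proto_item_append_text(tree, " name=%s", server_name);
            col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);

            /* Opt-in only: the SNI is peer-supplied, so using it to label the
             * destination address is a display hint, not a verified name. */
            if (gbl_resolv_flags.handshake_sni_addr_resolution) {
                // Client Hello: Client (Src) -> Server (Dst)
                switch (pinfo->dst.type) {
                case AT_IPv4:
                    if (pinfo->dst.len == sizeof(uint32_t)) {
                        add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false);
                    }
                    break;
                case AT_IPv6:
                    if (pinfo->dst.len == sizeof(ws_in6_addr)) {
                        add_ipv6_name(pinfo->dst.data, server_name, false);
                    }
                    break;
                default:
                    /* Non-IP transport: nothing to resolve. */
                    break;
                }
            }
        }
    }
    return offset;
}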
8752
static int
ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                         proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                         uint8_t hnd_type, SslDecryptSession *ssl)
{
    /* Dissect the session_ticket extension (opaque, the whole extension).
     *
     * For a ClientHello with a non-empty ticket, and when decryption state is
     * available, the ticket bytes are copied into ssl->session_ticket (file
     * scope) so they can later serve as the key for restoring a previous
     * master secret at ChangeCipherSpec time.  Returns offset_end.
     * NOTE(review): assumes the caller guarantees offset <= offset_end.
     */
    const unsigned ticket_len = offset_end - offset;
    const bool     keep_ticket = (hnd_type == SSL_HND_CLIENT_HELLO) && (ssl != NULL) && (ticket_len != 0);

    if (keep_ticket) {
        /* Throws (like the other tvb accessors) on a truncated packet before
         * anything is copied. */
        tvb_ensure_bytes_exist(tvb, offset, ticket_len);
        ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
                                                                ssl->session_ticket.data, ticket_len);
        ssl->session_ticket.data_len = ticket_len;
        tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
    }

    proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket, tvb, offset, ticket_len, ENC_NA);
    return offset + ticket_len;
}
8771
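static int
ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                    proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                    uint8_t hnd_type, uint16_t ext_type, SslSession *session)
{
    /* Dissect the cert_type, client_certificate_type and server_certificate_type
     * extensions, which share one wire format: a ClientHello carries a
     * one-byte-length-prefixed list of CertificateType values, the server
     * side (ServerHello / EncryptedExtensions / Certificate) carries the
     * single selected value.
     *
     * The selected value is stored in session->client_cert_type and/or
     * session->server_cert_type according to ext_type.  Returns the offset
     * after the parsed data; for a ClientHello whose list length does not
     * match the extension length, the offset after the length byte is
     * returned and the list is not parsed.
     */
    uint8_t     cert_list_length;
    uint8_t     cert_type;
    proto_tree *cert_list_tree;
    proto_item *ti;

    switch (hnd_type) {
    case SSL_HND_CLIENT_HELLO:
        cert_list_length = tvb_get_uint8(tvb, offset);
        proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
                            tvb, offset, 1, ENC_BIG_ENDIAN);
        offset += 1;
        /* The list must fill the rest of the extension exactly; stop rather
         * than read past it (no expert info is raised for the mismatch). */
        if (offset_end - offset != (uint32_t)cert_list_length)
            return offset;

        /* Opaque list of one-byte values: ENC_NA, not the list length. */
        ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
                                 cert_list_length, ENC_NA);
        proto_item_append_text(ti, " (%d)", cert_list_length);

        /* make this a subtree */
        cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);

        /* one CertificateType per byte */
        while (cert_list_length > 0)
        {
            proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN);
            offset++;
            cert_list_length--;
        }
        break;
    case SSL_HND_SERVER_HELLO:
    case SSL_HND_ENCRYPTED_EXTENSIONS:
    case SSL_HND_CERTIFICATE:
        /* A single selected CertificateType.  The extension length is not
         * compared against 1 here; extra bytes are simply not consumed. */
        cert_type = tvb_get_uint8(tvb, offset);
        proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN);
        offset += 1;
        /* cert_type (9) applies to both sides; 19/20 to one side each. */
        if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE) {
            session->client_cert_type = cert_type;
        }
        if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE) {
            session->server_cert_type = cert_type;
        }
        break;
    default: /* no default */
        break;
    }

    return offset;
}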
8825
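static uint32_t
ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                               uint8_t hnd_type, SslDecryptSession *ssl _U_)
{
    /* Dissect the compress_certificate extension.
     *
     * https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
     * enum {
     *     zlib(1),
     *     brotli(2),
     *     (65535)
     * } CertificateCompressionAlgorithm;
     *
     * struct {
     *     CertificateCompressionAlgorithm algorithms<1..2^8-1>;
     * } CertificateCompressionAlgorithms;
     *
     * Only ClientHello and CertificateRequest carry the list.  Returns the
     * offset after the list (or the unchanged offset for other message
     * types), or offset_end when the length byte is out of range.
     */
    uint32_t compress_certificate_algorithms_length, next_offset;

    switch (hnd_type) {
    case SSL_HND_CLIENT_HELLO:
    case SSL_HND_CERT_REQUEST:
        /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
                            hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX-1)) {
            return offset_end;
        }
        offset += 1;
        next_offset = offset + compress_certificate_algorithms_length;

        /* Each algorithm is a uint16; stop before a trailing odd byte instead
         * of reading one byte past the vector. */
        while (offset + 2 <= next_offset) {
            proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
                                tvb, offset, 2, ENC_BIG_ENDIAN);
            offset += 2;
        }
        /* Flag a leftover byte (odd list length) the same way the other
         * list parsers in this file do, then skip it. */
        if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
            offset = next_offset;
        }
        break;
    default:
        break;
    }

    return offset;
}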
8867
/**
 * Dissect the token_binding extension (RFC 8472).
 *
 * Present in ClientHello and ServerHello only; for any other handshake
 * message the offset is returned unchanged.
 *
 * @param hf         field/ett registration shared between TLS and DTLS.
 * @param tvb        buffer holding the extension data.
 * @param pinfo      packet info, used for expert info on malformed vectors.
 * @param tree       tree the extension items are added to.
 * @param offset     start of the extension body.
 * @param offset_end end of the extension body.
 * @param hnd_type   handshake message type the extension appeared in.
 * @param ssl        unused.
 * @return offset just past the dissected data, or offset_end when the
 *         key parameters length vector is invalid.
 */
static uint32_t
ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                        proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                        uint8_t hnd_type, SslDecryptSession *ssl _U_)
{
    /* RFC 8472
     *
     * struct {
     *     uint8 major;
     *     uint8 minor;
     * } TB_ProtocolVersion;
     *
     * enum {
     *     rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
     * } TokenBindingKeyParameters;
     *
     * struct {
     *     TB_ProtocolVersion token_binding_version;
     *     TokenBindingKeyParameters key_parameters_list<1..2^8-1>
     * } TokenBindingParameters;
     */
    uint32_t    list_length;
    uint32_t    list_end;
    proto_item *list_item;
    proto_tree *list_tree;

    /* Nothing to show outside ClientHello / ServerHello. */
    if (hnd_type != SSL_HND_CLIENT_HELLO && hnd_type != SSL_HND_SERVER_HELLO) {
        return offset;
    }

    /* TB_ProtocolVersion token_binding_version */
    proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN);
    offset += 1;
    proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN);
    offset += 1;

    /* TokenBindingKeyParameters key_parameters_list<1..2^8-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
                        hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX)) {
        return offset_end;
    }
    offset += 1;
    list_end = offset + list_length;

    list_item = proto_tree_add_none_format(tree,
                                           hf->hf.hs_ext_token_binding_key_parameters,
                                           tvb, offset, list_length,
                                           "Key parameters identifiers (%d identifier%s)",
                                           list_length,
                                           plurality(list_length, "", "s"));
    list_tree = proto_item_add_subtree(list_item, hf->ett.hs_ext_token_binding_key_parameters);

    /* One byte per key parameter identifier. */
    for (; offset < list_end; offset += 1) {
        proto_tree_add_item(list_tree, hf->hf.hs_ext_token_binding_key_parameter,
                            tvb, offset, 1, ENC_BIG_ENDIAN);
    }

    /* Flag a length mismatch and resynchronise on the declared list end. */
    if (!ssl_end_vector(hf, tvb, pinfo, list_tree, offset, list_end)) {
        offset = list_end;
    }

    return offset;
}
8934
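/**
 * Dissect the quic_transport_parameters extension.
 *
 * Supports both the pre-draft-27 encoding (uint16 id, uint16 length, outer
 * uint16 list length) and the current varint encoding. For each parameter
 * the type and length are shown, the value is decoded where the parameter
 * is known, and connection-tracking state (connection IDs, stateless reset
 * tokens, multipath, loss bits, grease bit) is handed to the QUIC dissector.
 *
 * @param hf         field/ett registration shared between TLS and DTLS.
 * @param tvb        buffer holding the extension data.
 * @param pinfo      packet info, used for expert info and QUIC state.
 * @param tree       tree the extension items are added to.
 * @param offset     start of the extension body.
 * @param offset_end end of the extension body.
 * @param hnd_type   handshake message type the extension appeared in; only
 *                   SSL_HND_ENCRYPTED_EXTENSIONS changes the decoding (Google
 *                   supported versions list).
 * @param ssl        unused.
 * @return offset just past the dissected data, or the relevant vector end
 *         when a length vector is invalid.
 */
static uint32_t
ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                                    proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                                    uint8_t hnd_type, SslDecryptSession *ssl _U_)
{
    bool use_varint_encoding = true;    // Whether this is draft -27 or newer.
    uint32_t next_offset;

    /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
     *
     * Note: the following structures are not literally defined in the spec,
     * they instead use an ASCII diagram.
     *
     * struct {
     *     uint16 id;
     *     opaque value<0..2^16-1>;
     * } TransportParameter;                               // before draft -27
     * TransportParameter TransportParameters<0..2^16-1>;  // before draft -27
     *
     * struct {
     *     opaque ipv4Address[4];
     *     uint16 ipv4Port;
     *     opaque ipv6Address[16];
     *     uint16 ipv6Port;
     *     opaque connectionId<0..18>;
     *     opaque statelessResetToken[16];
     * } PreferredAddress;
     */

    /* Heuristic: the old encoding starts with a uint16 list length that
     * covers exactly the rest of the extension, and whose first entry has
     * a uint16 length that fits as well. */
    if (offset_end - offset >= 6 &&
        2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
        6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
        // Assume encoding of Transport Parameters draft -26 or older with at
        // least one transport parameter that has a valid length.
        use_varint_encoding = false;
    }

    if (use_varint_encoding) {
        next_offset = offset_end;
    } else {
        uint32_t quic_length;
        // Assume draft -26 or earlier.
        /* TransportParameter TransportParameters<0..2^16-1>; */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
                            hf->hf.hs_ext_quictp_len, 0, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        next_offset = offset + quic_length;
    }

    while (offset < next_offset) {
        uint64_t parameter_type;     /* 62-bit space */
        uint32_t parameter_length;
        proto_tree *parameter_tree;
        uint32_t parameter_end_offset;
        uint64_t value = 0;          /* defensive: a failed varint read leaves it untouched */
        uint32_t i;
        int len = 0;

        parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
                                                NULL, "Parameter");
        /* TransportParameter ID and Length. */
        if (use_varint_encoding) {
            uint64_t parameter_length64;
            int type_len = 0;

            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &parameter_type, &type_len);
            offset += type_len;

            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &parameter_length64, &len);
            /* NOTE(review): a 62-bit length is truncated to 32 bits here;
             * any value that does not fit cannot be a valid in-packet length,
             * and the later tvb accesses throw on out-of-range offsets. */
            parameter_length = (uint32_t)parameter_length64;
            offset += len;

            proto_item_set_len(parameter_tree, type_len + len + parameter_length);
        } else {
            parameter_type = tvb_get_ntohs(tvb, offset);
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
                                tvb, offset, 2, ENC_BIG_ENDIAN);
            offset += 2;

            /* opaque value<0..2^16-1> */
            if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
                                hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX)) {
                return next_offset;
            }
            offset += 2;

            proto_item_set_len(parameter_tree, 4 + parameter_length);
        }

        if (IS_GREASE_QUIC(parameter_type)) {
            proto_item_append_text(parameter_tree, ": GREASE");
        } else {
            proto_item_append_text(parameter_tree, ": %s", val64_to_str_wmem(pinfo->pool, parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
        }

        proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
        parameter_end_offset = offset + parameter_length;

        /* Omit the value field if the parameter's length is 0. */
        if (parameter_length != 0) {
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
                                tvb, offset, parameter_length, ENC_NA);
        }

        /* Per-parameter decoding. Any offset mismatch against
         * parameter_end_offset is reported and corrected after the switch. */
        switch (parameter_type) {
        case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID:
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
                                tvb, offset, parameter_length, ENC_NA);
            offset += parameter_length;
            break;
        case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            proto_item_append_text(parameter_tree, " %" PRIu64 " ms", value);
            offset += len;
            break;
        case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN:
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
                                tvb, offset, 16, ENC_BIG_ENDIAN);
            quic_add_stateless_reset_token(pinfo, tvb, offset, NULL);
            offset += 16;
            break;
        case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            proto_item_append_text(parameter_tree, " %" PRIu64, value);
            /*TODO display expert info about invalid value (< 1252 or >65527) ? */
            offset += len;
            break;
        case SSL_HND_QUIC_TP_INITIAL_MAX_DATA:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            proto_item_append_text(parameter_tree, " %" PRIu64, value);
            offset += len;
            break;
        case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            proto_item_append_text(parameter_tree, " %" PRIu64, value);
            offset += len;
            break;
        case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            proto_item_append_text(parameter_tree, " %" PRIu64, value);
            offset += len;
            break;
        case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            proto_item_append_text(parameter_tree, " %" PRIu64, value);
            offset += len;
            break;
        case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            proto_item_append_text(parameter_tree, " %" PRIu64, value);
            offset += len;
            break;
        case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            proto_item_append_text(parameter_tree, " %" PRIu64, value);
            offset += len;
            break;
        case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
                                           tvb, offset, -1, ENC_VARINT_QUIC, NULL, &len);
            /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
            offset += len;
            break;
        case SSL_HND_QUIC_TP_MAX_ACK_DELAY:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            proto_item_append_text(parameter_tree, " %" PRIu64, value);
            offset += len;
            break;
        case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION:
            /* No Payload */
            break;
        case SSL_HND_QUIC_TP_PREFERRED_ADDRESS: {
            uint32_t connectionid_length;
            quic_cid_t cid = {0};   /* zeroed so no field reaches quic_add_connection uninitialised */

            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
                                tvb, offset, 4, ENC_BIG_ENDIAN);
            offset += 4;
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
                                tvb, offset, 2, ENC_BIG_ENDIAN);
            offset += 2;
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
                                tvb, offset, 16, ENC_NA);
            offset += 16;
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
                                tvb, offset, 2, ENC_BIG_ENDIAN);
            offset += 2;
            /* XXX - Should we add these addresses and ports as addresses that the client
             * is allowed / expected to migrate the server address to? Right now we don't
             * enforce that (see RFC 9000 Section 9, which implies that while the client
             * can migrate to whatever address it wants, it can only migrate the server
             * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
             */

            /* NOTE(review): the vector is bounded by offset_end (the whole
             * extension) rather than parameter_end_offset; a CID length that
             * overruns this parameter is only caught by ssl_end_vector below. */
            if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
                                hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
                break;
            }
            offset += 1;

            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
                                tvb, offset, connectionid_length, ENC_NA);
            if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH) {
                cid.len = connectionid_length;
                // RFC 9000 5.1.1 "If the preferred_address transport
                // parameter is sent, the sequence number of the supplied
                // connection ID is 1."
                cid.seq_num = 1;
                // Multipath draft-07 "Also, the Path Identifier for the
                // connection ID specified in the "preferred address"
                // transport parameter is 0."
                cid.path_id = 0;
                tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
                quic_add_connection(pinfo, &cid);
            }
            offset += connectionid_length;

            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
                                tvb, offset, 16, ENC_NA);
            if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH) {
                quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
            }
            offset += 16;
            }
            break;
        case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            proto_item_append_text(parameter_tree, " %" PRIu64, value);
            offset += len;
            break;
        case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID:
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
                                tvb, offset, parameter_length, ENC_NA);
            offset += parameter_length;
            break;
        case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID:
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
                                tvb, offset, parameter_length, ENC_NA);
            offset += parameter_length;
            break;
        case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            proto_item_append_text(parameter_tree, " %" PRIu64, value);
            offset += len;
            break;
        case SSL_HND_QUIC_TP_CIBIR_ENCODING:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            proto_item_append_text(parameter_tree, " Length: %" PRIu64, value);
            offset += len;
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            proto_item_append_text(parameter_tree, ", Offset: %" PRIu64, value);
            offset += len;
            break;
        case SSL_HND_QUIC_TP_LOSS_BITS:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            if (len > 0) {
                quic_add_loss_bits(pinfo, value);
            }
            /* Advance by the decoded varint width, like every other varint
             * parameter (previously a fixed 1 byte). */
            offset += len;
            break;
        case SSL_HND_QUIC_TP_ADDRESS_DISCOVERY:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_address_discovery,
                                           tvb, offset, -1, ENC_VARINT_QUIC, NULL, &len);
            offset += len;
            break;
        case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD:
        case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V1:
        case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT05:
        case SSL_HND_QUIC_TP_MIN_ACK_DELAY:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            proto_item_append_text(parameter_tree, " %" PRIu64, value);
            offset += len;
            break;
        case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT:
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
                                tvb, offset, parameter_length, ENC_ASCII|ENC_NA);
            offset += parameter_length;
            break;
        case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED:
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
                                tvb, offset, parameter_length, ENC_NA);
            offset += parameter_length;
            break;
        case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION:
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
                                tvb, offset, 4, ENC_BIG_ENDIAN);
            offset += 4;
            if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
                uint32_t versions_length;

                proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
                                             tvb, offset, 1, ENC_NA, &versions_length);
                offset += 1;
                for (i = 0; i < versions_length / 4; i++) {
                    quic_proto_tree_add_version(tvb, parameter_tree,
                                                hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
                    offset += 4;
                }
            }
            break;
        case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            proto_item_append_text(parameter_tree, " %" PRIu64 " us", value);
            offset += len;
            break;
        case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE:
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
                                tvb, offset, parameter_length, ENC_NA);
            offset += parameter_length;
            break;
        case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS:
            /* This field was used for non-standard Google-specific parameters encoded as a
             * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
             * parameters. Report it as a bytes blob... */
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
                                tvb, offset, parameter_length, ENC_NA);
            /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
                                tvb, offset, 4, ENC_NA);
            dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
            offset += parameter_length;
            break;
        case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS:
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
                                tvb, offset, parameter_length, ENC_NA);
            offset += parameter_length;
            break;
        case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP:
            /* No Payload */
            break;
        case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V2:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            offset += parameter_length;
            break;
        case SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT:
        case SSL_HND_QUIC_TP_VERSION_INFORMATION:
            quic_proto_tree_add_version(tvb, parameter_tree,
                                        hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
            offset += 4;
            for (i = 4; i < parameter_length; i += 4) {
                quic_proto_tree_add_version(tvb, parameter_tree,
                                            hf->hf.hs_ext_quictp_parameter_other_version, offset);
                offset += 4;
            }
            break;
        case SSL_HND_QUIC_TP_GREASE_QUIC_BIT:
            /* No Payload */
            quic_add_grease_quic_bit(pinfo);
            break;
        case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            offset += parameter_length;
            break;
        case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT04:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            if (value == 1) {
                quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID);
            }
            offset += parameter_length;
            break;
        case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT05:
        case SSL_HND_QUIC_TP_ENABLE_MULTIPATH:
            /* No Payload */
            quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID);
            break;
        case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            if (value > 1) {
                quic_add_multipath(pinfo, QUIC_MP_PATH_ID);
            }
            /* multipath draft-07: "The value of the initial_max_paths
             * parameter MUST be at least 2." TODO: Expert Info? */
            offset += parameter_length;
            break;
        case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT09:
        case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT11:
        case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT12:
        case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT13:
        case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID:
            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
            /* multipath draft-09 and later: "If an endpoint receives an
             * initial_max_path_id transport parameter with value 0, the
             * peer aims to enable the multipath extension without allowing
             * extra paths immediately."
             */
            quic_add_multipath(pinfo, QUIC_MP_PATH_ID);
            offset += parameter_length;
            break;
        default:
            offset += parameter_length;
            /*TODO display expert info about unknown ? */
            break;
        }

        if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
            /* Dissection did not end at expected location, fix it. */
            offset = parameter_end_offset;
        }
    }

    return offset;
}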
9362
/**
 * Dissect the fields ClientHello and ServerHello have in common: the 32-byte
 * Random and, unless suppressed by an early TLS 1.3 draft, the Session ID.
 *
 * Side effects: when a decryption session is present the Random is copied
 * into ssl->client_random / ssl->server_random and the matching
 * SSL_*_RANDOM state bit is set; the first ClientHello Random is also kept
 * in session->client_random; a Session ID of at most 32 bytes is kept in
 * ssl->session_id. For a TLS 1.3 ServerHello with ECH, the last 8 bytes of
 * the Random are compared against session->ech_confirmation and the result
 * is reported as expert info.
 *
 * @param hf          field/ett/expert registration shared between TLS and DTLS.
 * @param tvb         buffer holding the handshake body.
 * @param pinfo       packet info, used for expert info.
 * @param tree        tree the items are added to.
 * @param offset      start of the Random field.
 * @param session     per-conversation session state (version, draft, ECH).
 * @param ssl         decryption state, may be NULL.
 * @param from_server true for ServerHello, false for ClientHello.
 * @param is_hrr      true when this ServerHello is a HelloRetryRequest.
 * @return offset just past the Session ID (or past the Random when no
 *         Session ID is present).
 */
static int
ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                             proto_tree *tree, uint32_t offset,
                             SslSession *session, SslDecryptSession *ssl,
                             bool from_server, bool is_hrr)
{
    const uint8_t draft_version = session->tls13_draft_version;
    const bool    is_tls13 = (session->version == TLSV1DOT3_VERSION) ||
                             (session->version == DTLSV1DOT3_VERSION);
    proto_item   *random_item;

    /* Keep the Random for later key derivation. */
    if (ssl) {
        StringInfo *rnd = from_server ? &ssl->server_random : &ssl->client_random;

        tvb_memcpy(tvb, rnd->data, offset, 32);
        rnd->data_len = 32;
        ssl->state |= from_server ? SSL_SERVER_RANDOM : SSL_CLIENT_RANDOM;
        ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC,
                         from_server ? "SERVER" : "CLIENT", ssl->state);
    }

    /* Session-level copy of the ClientHello Random; the first one wins. */
    if (!from_server && session->client_random.data_len == 0) {
        session->client_random.data_len = 32;
        tvb_memcpy(tvb, session->client_random.data, offset, 32);
    }

    random_item = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA);

    if (!is_tls13) {
        /* Before (D)TLS 1.3 the Random starts with gmt_unix_time. */
        proto_tree *random_tree = proto_item_add_subtree(random_item, hf->ett.hs_random);

        proto_tree_add_item(random_tree, hf->hf.hs_random_time,
                            tvb, offset, 4, ENC_TIME_SECS|ENC_BIG_ENDIAN);
        offset += 4;

        proto_tree_add_item(random_tree, hf->hf.hs_random_bytes,
                            tvb, offset, 28, ENC_NA);
        offset += 28;
    } else {
        if (is_hrr) {
            proto_item_append_text(random_item, " (HelloRetryRequest magic)");
        } else if (from_server && session->ech) {
            /* ECH acceptance is signalled in the last 8 bytes of ServerHello.random. */
            proto_tree *ech_tree = proto_item_add_subtree(random_item, hf->ett.hs_random);
            proto_item *confirm_item;

            proto_tree_add_item(ech_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA);
            confirm_item = proto_tree_add_bytes_with_length(ech_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
                                                            session->ech_confirmation, 8);
            proto_item_set_generated(confirm_item);
            if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset + 24, 8), 8) == 0) {
                expert_add_info(pinfo, confirm_item, &hf->ei.ech_accepted);
            } else {
                expert_add_info(pinfo, confirm_item, &hf->ei.ech_rejected);
            }
        }

        offset += 32;
    }

    /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
    const bool omit_session_id = from_server &&
                                 session->version == TLSV1DOT3_VERSION &&
                                 draft_version > 0 && draft_version < 22;

    if (!omit_session_id) {
        /* length byte followed by the Session ID itself */
        uint8_t sessid_length = tvb_get_uint8(tvb, offset);

        proto_tree_add_item(tree, hf->hf.hs_session_id_len,
                            tvb, offset, 1, ENC_BIG_ENDIAN);
        offset++;

        /* save the authoritative SID for later use in ChangeCipherSpec.
         * (D)TLS restricts the SID to 32 chars, it does not make sense to
         * save more, so ignore larger ones. To support ECH, also save
         * the SID from the ClientHelloOuter. */
        if (ssl && sessid_length <= 32 && (from_server || sessid_length > 0)) {
            tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
            ssl->session_id.data_len = sessid_length;
        }

        if (sessid_length > 0) {
            proto_tree_add_item(tree, hf->hf.hs_session_id,
                                tvb, offset, sessid_length, ENC_NA);
            offset += sessid_length;
        }
    }

    return offset;
}
9459
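/**
 * Dissect one status_request body (RFC 6066) or one
 * CertificateStatusRequestItemV2 (RFC 6961).
 *
 * @param hf         field/ett/expert registration shared between TLS and DTLS.
 * @param tvb        buffer holding the extension data.
 * @param pinfo      packet info, used for expert info.
 * @param tree       tree the items are added to.
 * @param offset     start of the CertificateStatusType byte.
 * @param offset_end end of the enclosing extension or list.
 * @param has_length true for status_request_v2 items, which carry a
 *                   uint16 request_length after the type.
 * @return offset just past the request, or offset_end when a length vector
 *         is invalid. For an unknown status_type without a length prefix
 *         the offset just past the type byte is returned.
 */
static int
ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                         proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                         bool has_length)
{
    /* TLS 1.2/1.3 status_request Client Hello Extension.
     * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
     * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
     * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
     *  struct {
     *      CertificateStatusType status_type;
     *      uint16 request_length;  // for status_request_v2
     *      select (status_type) {
     *          case ocsp: OCSPStatusRequest;
     *          case ocsp_multi: OCSPStatusRequest;
     *      } request;
     *  } CertificateStatusRequest; // CertificateStatusRequestItemV2
     *
     *  enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
     *  struct {
     *      ResponderID responder_id_list<0..2^16-1>;
     *      Extensions  request_extensions;
     *  } OCSPStatusRequest;
     *  opaque ResponderID<1..2^16-1>;
     *  opaque Extensions<0..2^16-1>;
     */
    unsigned cert_status_type;
    uint32_t request_length = 0;

    cert_status_type = tvb_get_uint8(tvb, offset);
    proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
                        tvb, offset, 1, ENC_NA);
    offset++;

    if (has_length) {
        /* status_request_v2 only. The length lets an item of unknown type be
         * skipped so the caller's list loop stays aligned. */
        proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_request_len,
                                     tvb, offset, 2, ENC_BIG_ENDIAN, &request_length);
        offset += 2;
    }

    switch (cert_status_type) {
    case SSL_HND_CERT_STATUS_TYPE_OCSP:
    case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI:
    {
        uint32_t responder_id_list_len;
        uint32_t request_extensions_len;

        /* ResponderID responder_id_list<0..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
                            hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        if (responder_id_list_len != 0) {
            proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
                                         tvb, offset, responder_id_list_len,
                                         "Responder ID list is not implemented, contact Wireshark"
                                         " developers if you want this to be supported");
        }
        offset += responder_id_list_len;

        /* opaque Extensions<0..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
                            hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        if (request_extensions_len != 0) {
            proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
                                         tvb, offset, request_extensions_len,
                                         "Request Extensions are not implemented, contact"
                                         " Wireshark developers if you want this to be supported");
        }
        offset += request_extensions_len;
        break;
    }
    default:
        /* Unknown status_type. Without a length prefix the end of the
         * request cannot be located, so stop after the type byte. With one
         * (status_request_v2), skip the request body so the following
         * CertificateStatusRequestItemV2 is not misparsed. */
        if (has_length) {
            if (offset > offset_end || request_length > offset_end - offset) {
                return offset_end;
            }
            offset += request_length;
        }
        break;
    }

    return offset;
}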
9539
/**
 * Dissect the status_request_v2 extension (RFC 6961): a uint16-prefixed
 * list of CertificateStatusRequestItemV2 entries.
 *
 * @param hf         field/ett/expert registration shared between TLS and DTLS.
 * @param tvb        buffer holding the extension data.
 * @param pinfo      packet info, used for expert info.
 * @param tree       tree the items are added to.
 * @param offset     start of the extension body.
 * @param offset_end end of the extension body.
 * @return offset where the last item ended, or offset_end when the list
 *         length vector is invalid.
 */
static unsigned
ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                            proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* https://tools.ietf.org/html/rfc6961#section-2.2
     *  struct {
     *    CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
     *  } CertificateStatusRequestListV2;
     */
    uint32_t list_length;
    uint32_t list_end;

    /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
                        hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    list_end = offset + list_length;

    /* Each v2 item carries its own request_length, hence has_length = true. */
    while (offset < list_end) {
        offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, list_end, true);
    }

    return offset;
}
9565
/**
 * Dissect one length-prefixed OCSPResponse and hand the DER body to the
 * OCSP dissector when that protocol is enabled.
 *
 * @param hf         field/ett/expert registration shared between TLS and DTLS.
 * @param tvb        buffer holding the response.
 * @param pinfo      packet info.
 * @param tree       tree the items are added to.
 * @param offset     start of the uint24 length.
 * @param offset_end end of the enclosing structure.
 * @return offset just past the response, or offset_end when the length
 *         vector is invalid.
 */
static uint32_t
tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                          uint32_t offset, uint32_t offset_end)
{
    uint32_t    resp_len;
    proto_item *resp_item;
    proto_tree *resp_tree;

    /* opaque OCSPResponse<1..2^24-1>; */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_len,
                        hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24)) {
        return offset_end;
    }
    offset += 3;

    resp_item = proto_tree_add_item(tree, proto_ocsp, tvb, offset, resp_len, ENC_BIG_ENDIAN);
    proto_item_set_text(resp_item, "OCSP Response");
    resp_tree = proto_item_add_subtree(resp_item, hf->ett.ocsp_response);

    /* Respect the user's enable/disable setting for the OCSP protocol. */
    if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
        asn1_ctx_t asn1_ctx;

        asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);
        dissect_ocsp_OCSPResponse(false, tvb, offset, &asn1_ctx, resp_tree, -1);
    }

    return offset + resp_len;
}
9594
/**
 * Dissect a TLS 1.2 CertificateStatus handshake message or a TLS 1.3
 * status_request Certificate extension body.
 *
 * @param hf         field/ett/expert registration shared between TLS and DTLS.
 * @param tvb        buffer holding the message.
 * @param pinfo      packet info.
 * @param tree       tree the items are added to.
 * @param offset     start of the CertificateStatusType byte.
 * @param offset_end end of the message / extension body.
 * @return offset just past the response(s); for an unknown status_type the
 *         offset just past the type byte; offset_end when a length vector
 *         is invalid.
 */
uint32_t
tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                   proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* TLS 1.2 "CertificateStatus" handshake message.
     * TLS 1.3 "status_request" Certificate extension.
     *  struct {
     *    CertificateStatusType status_type;
     *    select (status_type) {
     *      case ocsp: OCSPResponse;
     *      case ocsp_multi: OCSPResponseList;  // status_request_v2
     *    } response;
     *  } CertificateStatus;
     *  opaque OCSPResponse<1..2^24-1>;
     *  struct {
     *    OCSPResponse ocsp_response_list<1..2^24-1>;
     *  } OCSPResponseList;                     // status_request_v2
     */
    uint32_t status_type;

    proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
                                 tvb, offset, 1, ENC_BIG_ENDIAN, &status_type);
    offset += 1;

    if (status_type == SSL_HND_CERT_STATUS_TYPE_OCSP) {
        /* A single OCSPResponse. */
        return tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
    }

    if (status_type == SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI) {
        uint32_t list_length;
        uint32_t list_end;

        /* OCSPResponse ocsp_response_list<1..2^24-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
                            hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24)) {
            return offset_end;
        }
        offset += 3;
        list_end = offset + list_length;

        while (offset < list_end) {
            offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, list_end);
        }
    }

    /* Unknown status_type: nothing further is decoded. */
    return offset;
}
9641
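static unsigned
ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                           proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                           wmem_strbuf_t *ja3)
{
    /* RFC 8446 Section 4.2.7
     * enum { ..., (0xFFFF) } NamedGroup;
     * struct {
     *     NamedGroup named_group_list<2..2^16-1>
     * } NamedGroupList;
     *
     * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
     * the extension itself from "elliptic_curves" to "supported_groups".
     *
     * When ja3 is non-NULL, a ',' followed by the dash-separated list of
     * non-GREASE group values is appended to it (JA3 fingerprint component).
     * Returns the offset after the list, or offset_end when the length
     * prefix is rejected by ssl_add_vector.
     */
    uint32_t    groups_length, next_offset;
    proto_tree *groups_tree;
    proto_item *ti;
    const char *ja3_dash = "";

    /* NamedGroup named_group_list<2..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
                        hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + groups_length;

    ti = proto_tree_add_none_format(tree,
                                    hf->hf.hs_ext_supported_groups,
                                    tvb, offset, groups_length,
                                    "Supported Groups (%d group%s)",
                                    groups_length / 2,
                                    plurality(groups_length/2, "", "s"));

    /* make this a subtree */
    groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);

    if (ja3) {
        wmem_strbuf_append_c(ja3, ',');
    }
    /* Loop over all groups. The loop is bounded by the vector's own end
     * (next_offset), not by offset_end: bytes after the declared list must
     * not be dissected as groups; ssl_end_vector below is left to flag any
     * discrepancy between the two. */
    while (offset + 2 <= next_offset) {
        uint32_t ext_supported_group;

        proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
                                     ENC_BIG_ENDIAN, &ext_supported_group);
        offset += 2;
        /* GREASE values are excluded from the JA3 string */
        if (ja3 && !IS_GREASE_TLS(ext_supported_group)) {
            wmem_strbuf_append_printf(ja3, "%s%i", ja3_dash, ext_supported_group);
            ja3_dash = "-";
        }
    }
    if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
        offset = next_offset;
    }

    return offset;
}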
9700
static int
ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                           proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
{
    /* ec_point_formats extension: a one-byte count followed by that many
     * one-byte ECPointFormat values.
     *
     * When ja3 is non-NULL, a ',' followed by the dash-separated formats is
     * appended to it. Unlike most extension helpers this one is not given an
     * offset_end: the count byte is used as-is and bounds are left to the tvb
     * accessors. Returns the offset after the last format.
     */
    uint8_t     ecpf_length = tvb_get_uint8(tvb, offset);
    proto_item *ti;
    proto_tree *ecpf_tree;

    proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len, tvb, offset, 1, ENC_BIG_ENDIAN);
    offset += 1;

    ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_ec_point_formats,
                                    tvb, offset, ecpf_length,
                                    "Elliptic curves point formats (%d)", ecpf_length);
    /* make this a subtree */
    ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);

    if (ja3) {
        wmem_strbuf_append_c(ja3, ',');
    }

    /* loop over all point formats */
    for (unsigned remaining = ecpf_length; remaining > 0; remaining--, offset++) {
        uint32_t ext_ec_point_format;

        proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
                                     ENC_BIG_ENDIAN, &ext_ec_point_format);
        if (ja3) {
            wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
            /* separator only between values, never after the last one */
            if (remaining > 1) {
                wmem_strbuf_append_c(ja3, '-');
            }
        }
    }

    return offset;
}
9746
static int
ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                              packet_info *pinfo, proto_tree *tree,
                              uint32_t offset, uint32_t next_offset)
{
    /* https://tools.ietf.org/html/rfc5054#section-2.8.1
     * opaque srp_I<1..2^8-1>;
     *
     * Adds the one-byte length and the UTF-8 user name it covers. Returns
     * the offset after the name, or next_offset when the length is rejected
     * by ssl_add_vector.
     */
    uint32_t username_len;

    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
                        hf->hf.hs_ext_srp_len, 1, UINT8_MAX)) {
        return next_offset;
    }

    /* the name starts right after the single length byte */
    proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
                        tvb, offset + 1, username_len, ENC_UTF_8|ENC_NA);

    return offset + 1 + username_len;
}
9769
/* Convert an SCT timestamp (milliseconds since the epoch) to an nstime_t. */
static nstime_t
tls_sct_timestamp_from_ms(uint64_t timestamp_ms)
{
    nstime_t ts;

    ts.secs  = (time_t)(timestamp_ms / 1000);
    ts.nsecs = (int)((timestamp_ms % 1000) * 1000000);
    return ts;
}

static uint32_t
tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                uint32_t offset, uint32_t offset_end, uint16_t version)
{
    /* https://tools.ietf.org/html/rfc6962#section-3.2
     * enum { v1(0), (255) } Version;
     * struct {
     *     opaque key_id[32];
     * } LogID;
     * opaque CtExtensions<0..2^16-1>;
     * struct {
     *     Version sct_version;
     *     LogID id;
     *     uint64 timestamp;
     *     CtExtensions extensions;
     *     digitally-signed struct { ... };
     * } SignedCertificateTimestamp;
     *
     * Dissects one SignedCertificateTimestamp into tree. Only sct_version 0
     * (v1) is understood; for any other version just the version byte is
     * consumed and the rest is left undissected. Returns the offset after the
     * signature, or offset_end when the extensions length is rejected by
     * ssl_add_vector.
     */
    uint32_t    sct_version, exts_len;
    nstime_t    sct_timestamp;
    const char *log_name;

    proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA, &sct_version);
    offset++;
    if (sct_version != 0) {
        // TODO expert info about unknown SCT version?
        return offset;
    }

    /* LogID: 32-byte key hash, resolved to a known log name where possible */
    proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN);
    log_name = bytesval_to_str_wmem(pinfo->pool, tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
    proto_item_append_text(tree, " (%s)", log_name);
    offset += 32;

    /* uint64 timestamp, in milliseconds */
    sct_timestamp = tls_sct_timestamp_from_ms(tvb_get_ntoh64(tvb, offset));
    proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
    offset += 8;

    /* opaque CtExtensions<0..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
                        hf->hf.sct_sct_extensions_length, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    if (exts_len > 0) {
        proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN);
        offset += exts_len;
    }

    /* digitally-signed struct { ... } */
    return ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
                                        hf->hf.sct_sct_signature_length,
                                        hf->hf.sct_sct_signature);
}
9824
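uint32_t
tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                     uint32_t offset, uint32_t offset_end, uint16_t version)
{
    /* https://tools.ietf.org/html/rfc6962#section-3.3
     * opaque SerializedSCT<1..2^16-1>;
     * struct {
     *     SerializedSCT sct_list <1..2^16-1>;
     * } SignedCertificateTimestampList;
     *
     * Dissects each SerializedSCT in the list. Returns the offset after the
     * list, or offset_end when a length prefix is rejected by ssl_add_vector.
     */
    uint32_t    list_length, list_end, sct_length, next_offset;
    proto_tree *subtree;

    /* SerializedSCT sct_list <1..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
                        hf->hf.sct_scts_length, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    /* The list is bounded by its own length prefix rather than by
     * offset_end, so bytes following the list are not parsed as SCTs. */
    list_end = offset + list_length;

    while (offset < list_end) {
        subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL, "Signed Certificate Timestamp");

        /* opaque SerializedSCT<1..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, list_end, &sct_length,
                            hf->hf.sct_sct_length, 1, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        next_offset = offset + sct_length;
        proto_item_set_len(subtree, 2 + sct_length);
        offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
        /* if the SCT did not consume exactly its declared bytes, resume at
         * the declared end (ssl_end_vector is expected to have flagged it) */
        if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
            offset = next_offset;
        }
    }

    return offset;
}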
9864
static int
dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U_,
                              proto_tree *tree, uint32_t offset)
{
    /* HpkeSymmetricCipherSuite: uint16 kdf_id followed by uint16 aead_id
     * (4 bytes, no length prefix). The summary item's text is extended
     * with the KDF and AEAD names. Returns offset + 4.
     */
    proto_item *cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
                                            tvb, offset, 4, ENC_NA);
    proto_tree *cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);
    uint32_t    kdf_id, aead_id;

    proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
                                 tvb, offset, 2, ENC_BIG_ENDIAN, &kdf_id);
    proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
                                 tvb, offset + 2, 2, ENC_BIG_ENDIAN, &aead_id);

    proto_item_append_text(cs_ti, ": %s/%s",
                           val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
                           val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
    return offset + 4;
}
9889
static int
dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                            proto_tree *tree, uint32_t offset, uint32_t offset_end,
                            uint32_t *config_id)
{
    /* HpkeKeyConfig:
     *   uint8  config_id;                                -> *config_id
     *   uint16 kem_id;
     *   opaque public_key<1..2^16-1>;
     *   HpkeSymmetricCipherSuite cipher_suites<4..2^16-4>;
     *
     * Returns the offset after the cipher suite list, or offset_end when the
     * cipher_suites length prefix is rejected by ssl_add_vector. The
     * public_key length is not checked against offset_end here; bounds are
     * left to the tvb accessors and to the ssl_add_vector call that follows.
     */
    const uint32_t start = offset;
    uint32_t    pubkey_len, cipher_suite_length, next_offset;
    proto_item *kc_ti, *css_ti;
    proto_tree *kc_tree, *css_tree;

    kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig, tvb, offset, -1, ENC_NA);
    kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);

    proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
                                 tvb, offset, 1, ENC_BIG_ENDIAN, config_id);
    offset += 1;
    proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id, tvb, offset, 2, ENC_BIG_ENDIAN);
    offset += 2;
    proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
                                 tvb, offset, 2, ENC_BIG_ENDIAN, &pubkey_len);
    offset += 2;
    proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key, tvb, offset, pubkey_len, ENC_NA);
    offset += pubkey_len;

    /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
    if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
                        hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX - 3)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + cipher_suite_length;

    css_ti = proto_tree_add_none_format(kc_tree, hf->hf.ech_hpke_keyconfig_cipher_suites,
                                        tvb, offset, cipher_suite_length,
                                        "Cipher Suites (%d suite%s)",
                                        cipher_suite_length / 4,
                                        plurality(cipher_suite_length / 4, "", "s"));
    css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);

    /* each suite is exactly 4 bytes; a trailing partial suite is left to ssl_end_vector */
    while (offset + 4 <= next_offset) {
        offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
    }
    if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
        offset = next_offset;
    }

    proto_item_set_len(kc_ti, offset - start);
    return offset;
}
9946
static int
dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               const uint8_t **public_name, uint32_t *config_id)
{
    /* ECHConfigContents:
     *   HpkeKeyConfig key_config;                  -> *config_id
     *   uint8  maximum_name_length;
     *   one-byte length + ASCII public_name;       -> *public_name (pinfo->pool)
     *   Extension extensions<0..2^16-1>;           (shown as raw bytes)
     *
     * Returns the offset after the extensions, or offset_end when the
     * extensions length prefix is rejected by ssl_add_vector.
     * NOTE(review): when dissect_ech_hpke_key_config fails it returns
     * offset_end, and the fields that follow are then read from there —
     * confirm that is the intended recovery.
     */
    uint32_t public_name_length, extensions_length, next_offset;

    offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);

    proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
                        tvb, offset, 1, ENC_BIG_ENDIAN);
    offset += 1;

    proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
                                 tvb, offset, 1, ENC_BIG_ENDIAN, &public_name_length);
    offset += 1;
    proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
                                   tvb, offset, public_name_length, ENC_ASCII, pinfo->pool, public_name);
    offset += public_name_length;

    /* Extension extensions<0..2^16-1>; */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
                        hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + extensions_length;

    if (extensions_length != 0) {
        proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
                            tvb, offset, extensions_length, ENC_NA);
        offset = next_offset;
    }

    if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
        offset = next_offset;
    }

    return offset;
}
9985
static int
dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                      proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* ECHConfig:
     *   uint16 version;
     *   uint16 length;
     *   select (version) { case 0xfe0d: ECHConfigContents contents; }
     *
     * Returns the *size* of this ECHConfig (4 + length), not an offset; the
     * caller advances by the return value. The declared length is used
     * as-is, even when it runs past offset_end. Unknown versions get an
     * expert info and their contents are skipped.
     */
    uint32_t       version, length;
    const uint8_t *public_name = NULL;
    uint32_t       config_id = 0;
    proto_item    *ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA);
    proto_tree    *ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);

    proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
                                 tvb, offset, 2, ENC_BIG_ENDIAN, &version);
    proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
                                 tvb, offset + 2, 2, ENC_BIG_ENDIAN, &length);
    offset += 4;
    proto_item_set_len(ech_ti, 4 + length);

    if (version == 0xfe0d) {
        dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
        proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
    } else {
        expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version,
                               "Unsupported/unknown ECHConfig version 0x%x", version);
    }

    return 4 + length;
}
10020
uint32_t
ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                  proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* ECHConfig ECHConfigList<1..2^16-1>;
     *
     * Dissects each ECHConfig in turn. dissect_ech_echconfig returns the size
     * of the config it parsed (4 + its declared length), so the loop always
     * makes progress; a config whose declared length overshoots the list end
     * is presumably reported by ssl_end_vector, which resynchronises the
     * offset. Returns the offset after the list, or offset_end when the
     * length prefix is rejected by ssl_add_vector.
     */
    uint32_t echconfiglist_length, list_end;

    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
                        hf->hf.ech_echconfiglist_length, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    list_end = offset + echconfiglist_length;

    while (offset < list_end) {
        offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
    }

    if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, list_end)) {
        offset = list_end;
    }

    return offset;
}
10045
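static uint32_t
ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                              uint32_t offset, uint32_t offset_end)
{
    /* ech_outer_extensions: a one-byte length followed by ExtensionType
     * (uint16) values naming extensions that ClientHelloInner takes over
     * from ClientHelloOuter.
     *   ExtensionType OuterExtensions<2..2^8-1>;
     *
     * Returns the offset after the list, or offset_end when the length
     * prefix is rejected by ssl_add_vector.
     */
    uint32_t    ext_length, next_offset;
    proto_tree *ext_tree;
    proto_item *ti;

    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
                        hf->hf.hs_ext_ech_outer_ext_len, 2, UINT8_MAX)) {
        return offset_end;
    }
    offset += 1;    /* one-byte length prefix */
    next_offset = offset + ext_length;

    ti = proto_tree_add_none_format(tree,
                                    hf->hf.hs_ext_ech_outer_ext,
                                    tvb, offset, ext_length,
                                    "Outer Extensions (%d extension%s)",
                                    ext_length / 2,
                                    plurality(ext_length/2, "", "s"));

    ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);

    /* Bounded by the vector's own end (next_offset) rather than offset_end so
     * that bytes after the declared list are not shown as extension types;
     * ssl_end_vector below is left to flag any discrepancy. */
    while (offset + 2 <= next_offset) {
        proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN);
        offset += 2;
    }

    if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
        offset = next_offset;
    }

    return offset;
}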
10081
/*
 * Dissect the encrypted_client_hello extension for the handshake message
 * type given by hnd_type:
 *  - ClientHello: the ECHClientHello. For the "outer" variant the fields are
 *    added to tree and, when mk_map holds an ECH_SECRET and ECH_CONFIG for
 *    session->client_random, the payload is decrypted, the decrypted
 *    ClientHelloInner is dissected as a new data source and, when ssl is
 *    non-NULL, ssl->ech_transcript is extended with the reconstructed
 *    ClientHelloInner handshake message.
 *  - EncryptedExtensions: retry_configs (an ECHConfigList).
 *  - HelloRetryRequest: the 8-byte confirmation, compared with
 *    session->hrr_ech_confirmation when session->ech is set.
 * Any other hnd_type leaves offset untouched.
 *
 * Returns the offset after the dissected fields. In the ClientHello branch
 * every failure after the fields have been added only abandons the
 * decryption attempt (logged with ssl_debug_printf); no expert info is
 * raised for a failed decryption.
 *
 * NOTE(review): ech_config->data is read at offsets 0..6 (version, length,
 * config_id, kem_id) but data_len is never checked to be at least 7; the
 * length check below only ties data_len to the embedded length field, so a
 * key-log entry shorter than that reads past the buffer. The uint16_t
 * pointer casts additionally assume suitably aligned storage; a memcpy or
 * byte-wise read would avoid that.
 */
static uint32_t
// NOLINTNEXTLINE(misc-no-recursion)
ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                              proto_tree *tree, uint32_t offset, uint32_t offset_end,
                              uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
{
    uint32_t ch_type, length;
    proto_item *ti, *payload_ti;
    proto_tree *retry_tree, *payload_tree;
    /* Length of the whole ClientHello tvb: used both as the AAD size and as
     * the upper bound for the transcript allocation further down. */
    uint32_t hello_length = tvb_reported_length(tvb);

    switch (hnd_type) {
    case SSL_HND_CLIENT_HELLO:
        /*
         * enum { outer(0), inner(1) } ECHClientHelloType;
         *
         * struct {
         *     ECHClientHelloType type;
         *     select (ECHClientHello.type) {
         *         case outer:
         *             HpkeSymmetricCipherSuite cipher_suite;
         *             uint8 config_id;
         *             opaque enc<0..2^16-1>;
         *             opaque payload<1..2^16-1>;
         *         case inner:
         *             Empty;
         *     };
         * } ECHClientHello;
         */

        proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN, &ch_type);
        offset += 1;
        switch (ch_type) {
        case 0: /* outer */
            /* Remember the first frame in which the client offered ECH;
             * only done while ssl is set (presumably the first pass). */
            if (ssl && session->first_ch_ech_frame == 0) {
                session->first_ch_ech_frame = pinfo->num;
            }
            offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
            /* re-read the two ids of the cipher suite just dissected */
            uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
            uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);

            proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN);
            uint8_t config_id = tvb_get_uint8(tvb, offset);
            offset += 1;
            proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN, &length);
            offset += 2;
            proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA);
            offset += length;
            proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN, &length);
            offset += 2;
            payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA);
            /* from here on `length` is the payload length and the payload
             * occupies [offset - length, offset) */
            offset += length;

            /* Everything below is the decryption attempt; each `break`
             * gives up and returns the offset past the payload. */
            if (!mk_map) {
                break;
            }
            if (session->client_random.data_len == 0) {
                ssl_debug_printf("%s missing Client Random\n", G_STRFUNC);
                break;
            }
            /* Both secrets come from the key log, keyed by client_random. */
            StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
            StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
            if (!ech_secret || !ech_config) {
                ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
                                 G_STRFUNC);
                break;
            }

            if (hpke_hkdf_len(kdf_id) == 0) {
                ssl_debug_printf("Unsupported KDF\n");
                break;
            }

            if (hpke_aead_key_len(aead_id) == 0) {
                ssl_debug_printf("Unsupported AEAD\n");
                break;
            }

            size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);

            /* The payload is ciphertext followed by the AEAD tag. */
            unsigned aead_auth_tag_len = hpke_aead_auth_tag_len(aead_id);
            if (length < aead_auth_tag_len) {
                ssl_debug_printf("Encrypted payload length %u < Cipher suite authentication tag length %u.\n", length, aead_auth_tag_len);
                break;
            }
            unsigned decrypted_len = length - aead_auth_tag_len;

            /* Sanity-check the ECHConfig from the key log against the
             * config_id the client sent. See the NOTE(review) above about
             * the missing minimum-length check on ech_config->data. */
            uint16_t version = GUINT16_FROM_BE(*(uint16_t *)ech_config->data);
            if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO) {
                ssl_debug_printf("Unexpected version in ECH Config\n");
                break;
            }
            uint32_t ech_config_offset = 2;
            if (GUINT16_FROM_BE(*(uint16_t *)(ech_config->data + ech_config_offset)) != ech_config->data_len - 4) {
                ssl_debug_printf("Malformed ECH Config, invalid length\n");
                break;
            }
            ech_config_offset += 2;
            /* (the message says "version", but it is the config_id that differs) */
            if (*(ech_config->data + ech_config_offset) != config_id) {
                ssl_debug_printf("ECH Config version mismatch\n");
                break;
            }
            ech_config_offset += 1;
            uint16_t kem_id_be = *(uint16_t *)(ech_config->data + ech_config_offset);
            uint16_t kem_id = GUINT16_FROM_BE(kem_id_be);
            uint8_t suite_id[HPKE_SUIT_ID_LEN];
            hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
            /* HPKE info = "tls ech" including its NUL terminator (8 bytes)
             * followed by the complete ECHConfig. */
            GByteArray *info = g_byte_array_new();
            g_byte_array_append(info, (const uint8_t*)"tls ech", 8);
            g_byte_array_append(info, ech_config->data, ech_config->data_len);
            /* NOTE(review): key and base_nonce hold secret material on the
             * stack and are not cleared before leaving this scope. */
            uint8_t key[AEAD_MAX_KEY_LENGTH];
            uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH];
            if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE,
                                  key, base_nonce)) {
                g_byte_array_free(info, TRUE);
                break;
            }
            g_byte_array_free(info, TRUE);
            gcry_cipher_hd_t cipher;
            /* The nonce differs for a second ClientHello after an HRR (see
             * the hpke_set_nonce flag). NOTE(review): if hpke_setup_aead can
             * fail before it initialises cipher, gcry_cipher_close is handed
             * an indeterminate handle — confirm it always sets *cipher. */
            if (hpke_setup_aead(&cipher, aead_id, key) ||
                hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
                gcry_cipher_close(cipher);
                break;
            }
            const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
            /* AAD is the whole outer ClientHello with the payload bytes
             * zeroed (ClientHelloOuterAAD). Allocated unscoped, so both exit
             * paths below must free it. */
            uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL, hello_length);
            tvb_memcpy(tvb, ech_aad, 0, hello_length);
            memset(ech_aad + offset - length, 0, length);
            if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
                gcry_cipher_close(cipher);
                wmem_free(NULL, ech_aad);
                break;
            }
            wmem_free(NULL, ech_aad);
            /* Decrypt in place into packet-scoped memory; the tag check below
             * decides whether the result is trusted. */
            uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, decrypted_len);
            if (gcry_cipher_decrypt(cipher, ech_decrypted_data, decrypted_len, payload, decrypted_len)) {
                gcry_cipher_close(cipher);
                break;
            }
            unsigned char *ech_auth_tag_calc = wmem_alloc0(pinfo->pool, aead_auth_tag_len);
            if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, aead_auth_tag_len)) {
                gcry_cipher_close(cipher);
                break;
            }
            /* Cache the tag computed for the first ECH ClientHello so that
             * a later pass (without ssl) can still check that frame. */
            if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
                memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, aead_auth_tag_len);
            gcry_cipher_close(cipher);
            /* The first ECH ClientHello is checked against the cached tag,
             * later frames against the tag just computed. */
            if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
                       payload + decrypted_len, aead_auth_tag_len)) {
                ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC);
            } else {
                payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
                tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, decrypted_len, decrypted_len);
                add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
                if (ssl) {
                    /* The inner random replaces the outer one for key derivation. */
                    tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
                    /* Rebuild ClientHelloInner as a handshake message
                     * (1 type byte + 3 length bytes + body) and append it
                     * to the ECH transcript. len_offset marks where the
                     * handshake header of this message starts.
                     * NOTE(review): the allocation is hello_length + 4 per
                     * message, but the writes below are not checked against
                     * it; correctness relies on the inner hello plus the
                     * copied outer extensions never exceeding the outer
                     * hello (see the encrypted_client_hello exclusion). */
                    uint32_t len_offset = ssl->ech_transcript.data_len;
                    if (ssl->ech_transcript.data_len > 0)
                        ssl->ech_transcript.data = (unsigned char*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
                                                                                 ssl->ech_transcript.data_len + hello_length + 4);
                    else
                        ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), hello_length + 4);
                    ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
                    /* high byte of the 3-byte length; the other two are
                     * filled in once the message is complete */
                    ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
                    /* Copy ClientHelloInner up to the legacy_session_id field. */
                    tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
                    ssl->ech_transcript.data_len += 38;
                    /* Now copy the legacy_session_id field from ClientHelloOuter. */
                    ssl->ech_transcript.data[ssl->ech_transcript.data_len] = ssl->session_id.data_len;
                    ssl->ech_transcript.data_len++;
                    memcpy(&ssl->ech_transcript.data[ssl->ech_transcript.data_len], ssl->session_id.data, ssl->session_id.data_len);
                    ssl->ech_transcript.data_len += ssl->session_id.data_len;
                    /* Skip past the legacy_session_id field in ClientHelloInner
                     * (which should be the empty string, i.e. just a 0 size.) */
                    uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
                    /* Copy the Cipher Suites from ClientHelloInner. */
                    tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
                               2 + tvb_get_ntohs(ech_tvb, ech_offset));
                    ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
                    ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
                    /* Copy the Compression Methods */
                    tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
                               1 + tvb_get_uint8(ech_tvb, ech_offset));
                    ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
                    ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
                    /* Now replace extensions in ech_outer_extensions with the
                     * data from ClientHelloOuter. The 2-byte extensions
                     * length is reserved here and patched in afterwards. */
                    uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
                    ssl->ech_transcript.data_len += 2;
                    uint32_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
                    ech_offset += 2;
                    while (extensions_end - ech_offset >= 4) {
                        uint16_t ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
                        ech_offset += 2;
                        uint16_t ext_len = tvb_get_ntohs(ech_tvb, ech_offset);
                        ech_offset += 2;
                        if (ext_type != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS) {
                            /* Copy this extension directly */
                            tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len,
                                       ech_offset - 4, 4 + ext_len);
                            ssl->ech_transcript.data_len += 4 + ext_len;
                            ech_offset += ext_len;
                        } else if (ext_len > 0) {
                            /* ech_outer_extensions: one-byte count followed
                             * by 2-byte extension types to pull from the
                             * outer hello, in order. */
                            unsigned num_ech_outer_extensions = tvb_get_uint8(ech_tvb, ech_offset);
                            ech_offset += 1;
                            uint32_t ech_outer_extensions_end = ech_offset + num_ech_outer_extensions;
                            /* In ClientHelloOuter, skip past the legacy_session_id */
                            uint32_t outer_offset = 35 + tvb_get_uint8(tvb, 34);
                            /* Skip past Cipher Suites */
                            outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
                            /* Skip past Compression Methods */
                            outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
                            /* Now at the start of ClientHelloOuter's extensions */
                            while (ech_outer_extensions_end - ech_offset >= 2) {
                                ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
                                if (ext_type == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO) {
                                    ssl_debug_printf("Illegal parameter; encrypted_client_hello cannot appear within ech_outer_extensions\n");
                                    /* This could lead to a buffer overflow by
                                     * making the post-copying ClientHelloInner
                                     * longer than ClientHelloOuter and is
                                     * illegal, so don't copy.
                                     * NOTE(review): this break leaves
                                     * ech_offset inside the outer_extensions
                                     * list, so the enclosing loop resumes
                                     * parsing from the middle of it — confirm
                                     * that is intended. */
                                    break;
                                }
                                /* outer_offset only ever moves forward, so an
                                 * outer extension can be matched at most once
                                 * and references must be in outer order */
                                bool found = false;
                                while (tvb_reported_length_remaining(tvb, outer_offset) >= 4) {
                                    uint16_t outer_ext_type = tvb_get_ntohs(tvb, outer_offset);
                                    uint16_t outer_ext_len = tvb_get_ntohs(tvb, outer_offset + 2);
                                    if (ext_type == outer_ext_type) {
                                        tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
                                                   4 + outer_ext_len);
                                        ssl->ech_transcript.data_len += 4 + outer_ext_len;
                                        outer_offset += 4 + outer_ext_len;
                                        found = true;
                                        break;
                                    } else {
                                        outer_offset += 4 + outer_ext_len;
                                    }
                                }
                                if (!found) {
                                    ssl_debug_printf("Extension %s was not found in ClientHelloOuter (possibly out of order or referenced more than once)\n", val_to_str(pinfo->pool, ext_type, tls_hello_extension_types, "unknown (0x%02x)"));
                                }
                                ech_offset += 2;
                            }
                        }
                    }
                    /* Patch the reserved 2-byte extensions length.
                     * NOTE(review): this only yields network byte order on a
                     * little-endian host: GUINT16_TO_BE is an identity on
                     * big-endian, and the "& 0xff" / ">> 8" split then
                     * stores the length little-endian. The two lines after
                     * it show the portable form. */
                    uint16_t ech_extensions_len_be = GUINT16_TO_BE(ssl->ech_transcript.data_len - ech_extensions_len_offset - 2);
                    *(ssl->ech_transcript.data + ech_extensions_len_offset) = ech_extensions_len_be & 0xff;
                    *(ssl->ech_transcript.data + ech_extensions_len_offset + 1) = (ech_extensions_len_be >> 8);
                    /* Low two bytes of the 3-byte handshake length (the high
                     * byte was set to 0 above). */
                    *(ssl->ech_transcript.data + len_offset + 2) = ((ssl->ech_transcript.data_len - len_offset - 4) >> 8);
                    *(ssl->ech_transcript.data + len_offset + 3) = (ssl->ech_transcript.data_len - len_offset - 4) & 0xff;
                }
                /* Dissect the inner hello; whatever it leaves is padding. */
                uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, decrypted_len, session,
                                                                                 ssl, NULL, mk_map);
                if (ech_padding_begin < decrypted_len) {
                    proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, decrypted_len - ech_padding_begin,
                                        ENC_NA);
                }
            }

            break;
        case 1: /* inner */
            break;
        }
        break;

    case SSL_HND_ENCRYPTED_EXTENSIONS:
        /*
         * struct {
         *     ECHConfigList retry_configs;
         * } ECHEncryptedExtensions;
         */

        ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA);
        retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
        offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
        break;

    case SSL_HND_HELLO_RETRY_REQUEST:
        /*
         * struct {
         *     opaque confirmation[8];
         * } ECHHelloRetryRequest;
         */

        proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA);
        if (session->ech) {
            /* Show the locally computed confirmation as a generated item
             * and report whether the server accepted or rejected ECH. */
            ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
            proto_item_set_generated(ti);
            if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
                expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
            } else {
                expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
            }
        }
        offset += 8;
        break;
    }

    return offset;
}
10382
static uint32_t
ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               uint8_t hnd_type, SslDecryptSession *ssl _U_)
{
    /* encrypted_server_name (the pre-ECH draft). A ClientHello carries a
     * ClientEncryptedSNI, EncryptedExtensions a 16-byte nonce; any other
     * handshake type leaves offset untouched. ssl is accepted for interface
     * parity only. Returns the offset after the dissected fields, or
     * offset_end when a length prefix is rejected by ssl_add_vector.
     */
    if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
        proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA);
        return offset + 16;
    }
    if (hnd_type != SSL_HND_CLIENT_HELLO) {
        return offset;
    }

    /*
     * struct {
     *     CipherSuite suite;
     *     KeyShareEntry key_share;
     *     opaque record_digest<0..2^16-1>;
     *     opaque encrypted_sni<0..2^16-1>;
     * } ClientEncryptedSNI;
     */
    uint32_t record_digest_length, encrypted_sni_length;

    proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN);
    offset += 2;
    offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL);

    /* opaque record_digest<0..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
                        hf->hf.esni_record_digest_length, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    if (record_digest_length != 0) {
        proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA);
        offset += record_digest_length;
    }

    /* opaque encrypted_sni<0..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
                        hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    if (encrypted_sni_length != 0) {
        proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA);
        offset += encrypted_sni_length;
    }

    return offset;
}
10435/** TLS Extensions (in Client Hello and Server Hello). }}} */
10436
10437/* Connection ID dissection. {{{ */
static uint32_t
ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                              proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
                              uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
{
    /*
     * Dissect one Connection ID: a length byte at offset followed by cidl
     * bytes of ID. On the first pass a non-empty ID is copied into
     * file-scoped memory (*session_cid / *session_cidl) and, if a decryption
     * session exists, that session is registered by its CID. Returns the
     * offset just past the ID bytes.
     */
    const bool first_pass = !PINFO_FD_VISITED(pinfo);

    if (first_pass && cidl > 0) {
        /* Make sure the whole ID is present in the capture before copying it out. */
        tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
        *session_cidl = cidl;
        *session_cid = (uint8_t *)wmem_alloc0(wmem_file_scope(), cidl);
        tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
        if (ssl != NULL) {
            ssl_add_session_by_cid(ssl);
        }
    }

    proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length, tvb, offset, 1, ENC_NA);
    offset += 1;

    if (cidl == 0) {
        return offset;
    }
    proto_tree_add_item(tree, hf->hf.hs_ext_connection_id, tvb, offset, cidl, ENC_NA);
    return offset + cidl;
}
10466
static uint32_t
ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                        proto_tree *tree, uint32_t offset, uint8_t hnd_type,
                                        SslSession *session, SslDecryptSession *ssl)
{
    /*
     * connection_id extension (DTLS). The ID is stored on the side of the
     * session that sent it: ClientHello -> client_cid, ServerHello ->
     * server_cid. Any other handshake type is ignored and offset is
     * returned unchanged.
     */
    uint8_t   cidl = tvb_get_uint8(tvb, offset);
    uint8_t **cid;
    uint8_t  *cid_len;

    if (hnd_type == SSL_HND_CLIENT_HELLO) {
        session->client_cid_len_present = true;
        cid = &session->client_cid;
        cid_len = &session->client_cid_len;
    } else if (hnd_type == SSL_HND_SERVER_HELLO) {
        session->server_cid_len_present = true;
        cid = &session->server_cid;
        cid_len = &session->server_cid_len;
    } else {
        return offset;
    }

    return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl, cidl, cid, cid_len);
} /* }}} */
10487
10488/* Trusted CA dissection. {{{ */
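static uint32_t
ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                                          uint32_t offset, uint32_t offset_end)
{
    /*
     * Dissect the trusted_ca_keys extension (RFC 6066, Section 6): a list of
     * TrustedAuthority entries, each a one-byte identifier_type followed by a
     * type-dependent identifier. Returns the offset after the list; when the
     * outer length prefix is invalid, offset_end is returned instead.
     *
     * struct {
     *     TrustedAuthority trusted_authorities_list<0..2^16-1>;
     * } TrustedAuthorities;
     *
     * struct {
     *     IdentifierType identifier_type;
     *     select (identifier_type) {
     *         case pre_agreed: struct {};
     *         case key_sha1_hash: SHA1Hash;
     *         case x509_name: DistinguishedName;
     *         case cert_sha1_hash: SHA1Hash;
     *     } identifier;
     * } TrustedAuthority;
     *
     * enum {
     *     pre_agreed(0), key_sha1_hash(1), x509_name(2),
     *     cert_sha1_hash(3), (255)
     * } IdentifierType;
     *
     * opaque DistinguishedName<1..2^16-1>;
     */
    proto_item *ti;
    proto_tree *subtree;
    uint32_t    keys_length, next_offset;

    /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
                        0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + keys_length;

    if (keys_length > 0) {
        ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
                                        "Trusted CA keys (%u byte%s)", keys_length, plurality(keys_length, "", "s"));
        subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);

        while (offset < next_offset) {
            uint32_t    identifier_type = tvb_get_uint8(tvb, offset);
            uint32_t    key_len = 0;   /* identifier bytes following the type byte */
            uint32_t    name_length;
            tvbuff_t   *dn_tvb;
            asn1_ctx_t  asn1_ctx;
            proto_tree *trusted_key_tree;
            proto_item *trusted_key_item;

            /* Length 0 for now; it is fixed up once the identifier size is known. */
            trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
                                                          offset, 0, "Trusted CA Key");
            trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);

            proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
                                offset, 1, identifier_type);
            offset++;

            switch (identifier_type) {
            case 0:     /* pre_agreed: no identifier bytes */
                break;

            case 2:     /* x509_name: opaque DistinguishedName<1..2^16-1> */
                asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);
                if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
                                    hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX)) {
                    return next_offset;
                }
                /* Confine the BER decoder to the declared name bytes so a
                 * malformed Name cannot be parsed past this entry. */
                dn_tvb = tvb_new_subset_length(tvb, offset + 2, name_length);
                dissect_x509if_DistinguishedName(false, dn_tvb, 0, &asn1_ctx,
                                                 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
                /* Length prefix plus name, so that the item length and the
                 * offset advance below cover the whole identifier. */
                key_len = 2 + name_length;
                break;

            case 1:     /* key_sha1_hash */
            case 3:     /* cert_sha1_hash */
                key_len = 20;
                /* opaque SHA1Hash[20]; */
                proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
                                    offset, 20, ENC_NA);
                break;

            default:
                /* Unknown type: nothing is skipped, so the next byte is read
                 * as another identifier type. */
                /*TODO display expert info about unknown ? */
                break;
            }
            proto_item_set_len(trusted_key_item, 1 + key_len);
            offset += key_len;
        }
    }

    if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
        offset = next_offset;
    }

    return offset;
} /* }}} */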
10607
10608
10609/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
bool
ssl_is_valid_content_type(uint8_t type)
{
    /* True for every record-layer ContentType this dissector knows about. */
    bool valid = false;

    switch ((ContentType) type) {
    case SSL_ID_CHG_CIPHER_SPEC:
    case SSL_ID_ALERT:
    case SSL_ID_HANDSHAKE:
    case SSL_ID_APP_DATA:
    case SSL_ID_HEARTBEAT:
    case SSL_ID_TLS12_CID:
    case SSL_ID_DTLS13_ACK:
        valid = true;
        break;
    }

    return valid;
}
10625
bool
ssl_is_valid_handshake_type(uint8_t hs_type, bool is_dtls)
{
    /*
     * True for every HandshakeType that may legitimately appear on the wire;
     * hello_verify_request only counts for DTLS.
     */
    bool valid = false;

    switch ((HandshakeType) hs_type) {
    case SSL_HND_HELLO_VERIFY_REQUEST:
        /* hello_verify_request is DTLS-only */
        valid = is_dtls;
        break;

    case SSL_HND_HELLO_REQUEST:
    case SSL_HND_CLIENT_HELLO:
    case SSL_HND_SERVER_HELLO:
    case SSL_HND_NEWSESSION_TICKET:
    case SSL_HND_END_OF_EARLY_DATA:
    case SSL_HND_HELLO_RETRY_REQUEST:
    case SSL_HND_ENCRYPTED_EXTENSIONS:
    case SSL_HND_CERTIFICATE:
    case SSL_HND_SERVER_KEY_EXCHG:
    case SSL_HND_CERT_REQUEST:
    case SSL_HND_SVR_HELLO_DONE:
    case SSL_HND_CERT_VERIFY:
    case SSL_HND_CLIENT_KEY_EXCHG:
    case SSL_HND_FINISHED:
    case SSL_HND_CERT_URL:
    case SSL_HND_CERT_STATUS:
    case SSL_HND_SUPPLEMENTAL_DATA:
    case SSL_HND_KEY_UPDATE:
    case SSL_HND_COMPRESSED_CERTIFICATE:
    case SSL_HND_ENCRYPTED_EXTS:
        valid = true;
        break;

    case SSL_HND_MESSAGE_HASH:
        /* message_hash is synthetic (RFC 8446, Section 4.4.1), never sent. */
        break;
    }

    return valid;
}
10660
static bool
ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
                                     bool is_dtls)
{
    /*
     * A message may set the session version when it is a valid Handshake
     * message other than ClientHello, or a valid non-Handshake record type.
     */
    if (content_type == SSL_ID_HANDSHAKE) {
        if (handshake_type == SSL_HND_CLIENT_HELLO) {
            return false;
        }
        return ssl_is_valid_handshake_type(handshake_type, is_dtls);
    }
    return ssl_is_valid_content_type(content_type);
}
10673
/**
 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
 * Returns true if the supported_versions extension was found, false if not.
 * *server_version is always written (legacy version, or the supported_versions
 * value when that extension carries exactly one version); *is_hrr is written
 * whenever it is non-NULL.
 */
bool
tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
                      uint16_t *server_version, bool *is_hrr)
{
    /* SHA256("HelloRetryRequest"): the fixed Random value that marks an HRR. */
    static const uint8_t tls13_hrr_random_magic[] = {
        0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
        0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
    };

    *server_version = tvb_get_ntohs(tvb, offset);

    /*
     * supported_versions can only follow a [D]TLS 1.2 legacy_version, and
     * needs room for at least:
     *   2 + 32 + 1 = 35 (version, random, session id length)
     *   2 + 1 + 2  = 5  (cipher suite, compression method, extensions length)
     *   2 + 2 + 2  = 6  (ext type, ext len, version)
     * A 1.3 value in this field is reported by a separate expert info in the
     * caller, so it is not checked here.
     */
    const bool legacy_12 = *server_version == TLSV1DOT2_VERSION ||
                           *server_version == DTLSV1DOT2_VERSION;
    if (!legacy_12 || offset_end - offset < 46) {
        if (is_hrr) {
            *is_hrr = false;
        }
        return false;
    }

    offset += 2;    /* legacy_version */
    if (is_hrr) {
        *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof tls13_hrr_random_magic) == 0;
    }
    offset += 32;   /* random */

    uint8_t sid_len = tvb_get_uint8(tvb, offset);
    offset += 1;
    if (offset_end - offset < sid_len + 5u) {
        return false;
    }
    /* session id, cipher suite, compression method, extensions length */
    offset += sid_len + 5;

    /* Walk the extensions; stop at the first one that does not fit. */
    while (offset_end - offset >= 6) {
        uint16_t ext_type = tvb_get_ntohs(tvb, offset);
        uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
        if (offset_end - offset < 4u + ext_len) {
            break;
        }
        if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS) {
            if (ext_len == 2) {
                *server_version = tvb_get_ntohs(tvb, offset + 4);
            }
            return true;
        }
        offset += 4 + ext_len;
    }
    return false;
}
10735
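/**
 * Scan a Client Hello handshake message to see if the supported_versions
 * extension is found, in which case the version field is legacy_version.
 * Every variable-length field is bounds-checked against offset_end before it
 * is skipped; a truncated message yields false.
 */
static bool
tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
{
    uint16_t client_version = tvb_get_ntohs(tvb, offset);

    /*
     * supported_versions can only follow a [D]TLS 1.2 legacy_version. The
     * 46-byte early exit is the same as in tls_scan_server_hello:
     *   2 + 32 + 1 = 35 (version, random, session id length)
     *   2 + 1 + 2  = 5  (cipher suites length, compression methods length,
     *                    extensions length)
     *   2 + 2 + 2  = 6  (ext type, ext len, version)
     * A 1.3 value in this field is reported by a separate expert info in the
     * caller, so it is not checked here.
     */
    if (!(client_version == TLSV1DOT2_VERSION || client_version == DTLSV1DOT2_VERSION) ||
        offset_end - offset < 46) {
        return false;
    }

    offset += 2;    /* legacy_version */
    offset += 32;   /* random */
    uint8_t session_id_length = tvb_get_uint8(tvb, offset);
    offset++;
    if (offset_end - offset < session_id_length + 2u) {
        return false;
    }
    offset += session_id_length;

    if (client_version == DTLSV1DOT2_VERSION) {
        /* opaque cookie<0..32>, DTLS only. The cookie bytes must be skipped
         * as well, otherwise cipher_suites_length is read from inside the
         * cookie. */
        uint8_t cookie_length = tvb_get_uint8(tvb, offset);
        offset++;
        if (offset_end - offset < cookie_length + 2u) {
            return false;
        }
        offset += cookie_length;
    }

    uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
    offset += 2;
    if (offset_end - offset < cipher_suites_length + 1u) {
        return false;
    }
    offset += cipher_suites_length;

    uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
    offset++;
    if (offset_end - offset < compression_methods_length + 2u) {
        return false;
    }
    offset += compression_methods_length + 2;   /* methods, extensions length */

    /* Walk the extensions; stop at the first one that does not fit. */
    while (offset_end - offset >= 6) {
        uint16_t ext_type = tvb_get_ntohs(tvb, offset);
        uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
        if (offset_end - offset < 4u + ext_len) {
            break;
        }
        if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS) {
            return true;
        }
        offset += 4 + ext_len;
    }
    return false;
}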
void
ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
                    uint8_t content_type, uint8_t handshake_type,
                    bool is_dtls, uint16_t version)
{
    /*
     * Record the protocol version carried by a message, but only if that
     * message is authoritative for the version (see
     * ssl_is_authoritative_version_message) and the value maps to a known
     * [D]TLS version. Also stores the TLS 1.3 draft number, if any, and
     * flags the decryption state as having a version.
     */
    uint8_t draft = 0;

    if (!ssl_is_authoritative_version_message(content_type, handshake_type, is_dtls)) {
        return;
    }

    uint16_t known_version = tls_try_get_version(is_dtls, version, &draft);
    if (known_version == SSL_VER_UNKNOWN) {
        return;
    }

    session->version = known_version;
    session->tls13_draft_version = draft;

    if (ssl == NULL) {
        return;
    }
    ssl->state |= SSL_VERSION;
    ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC, known_version, ssl->state);
}
10822
void
ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
                        ContentType content_type,
                        unsigned record_length, proto_item *length_pi,
                        uint16_t version, tvbuff_t *decrypted_tvb)
{
    /*
     * Attach expert info to the record length item when the record breaks
     * the length rules for its version:
     *  - zero-length Handshake, Alert or ChangeCipherSpec fragments
     *    (RFC 5246, Section 6.2.1);
     *  - TLSCiphertext longer than 2^14 + 256 (TLS 1.3) or 2^14 + 2048
     *    (RFC 5246, Section 6.2.3);
     *  - decrypted TLSPlaintext longer than 2^14.
     */
    /* TLS 1.3 only allows 256 bytes of ciphertext expansion, earlier versions 2048. */
    const unsigned max_expansion = (version == TLSV1DOT3_VERSION) ? 256 : 2048;

    /*
     * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
     * so assume it is permitted.
     * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
     * assume TLS 1.2 requirements.
     */
    const bool zero_length_forbidden = content_type == SSL_ID_CHG_CIPHER_SPEC ||
                                       content_type == SSL_ID_ALERT ||
                                       content_type == SSL_ID_HANDSHAKE;

    if (record_length == 0 && zero_length_forbidden) {
        expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
                               "Zero-length %s fragments are not allowed",
                               val_to_str_const(content_type, ssl_31_content_type, "unknown"));
    }
    if (record_length > TLS_MAX_RECORD_LENGTH + max_expansion) {
        expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
                               "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
    }
    if (decrypted_tvb != NULL && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH) {
        expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
                               "TLSPlaintext length MUST NOT exceed 2^14");
    }
}
10862
static void
ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
{
    /*
     * Remember the server-selected cipher suite. ssl->cipher_suite and the
     * SSL_CIPHER state bit are only set when the suite is known and usable
     * with the session version; otherwise both are cleared so decryption
     * stays off for this session.
     */
    const SslCipherSuite *cs;
    bool usable = false;

    ssl->session.cipher = cipher;
    cs = ssl_find_cipher(cipher);

    if (cs == NULL) {
        ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC, cipher);
    } else if (ssl->session.version == SSLV3_VERSION && cs->dig != DIG_MD5 && cs->dig != DIG_SHA) {
        /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
         * cipher suite that uses for example MACAlgorithm SHA256. Reject that
         * to avoid a potential buffer overflow in ssl3_check_mac. */
        ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC, cipher);
    } else {
        usable = true;
    }

    if (!usable) {
        ssl->cipher_suite = NULL;
        ssl->state &= ~SSL_CIPHER;
        return;
    }

    /* Cipher found, save this for the delayed decoder init */
    ssl->cipher_suite = cs;
    ssl->state |= SSL_CIPHER;
    ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC, cipher,
                     val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
                     ssl->state);
}
10890/* }}} */
10891
10892
10893/* Client Hello and Server Hello dissections. {{{ */
/* Forward declaration: ssl_dissect_hnd_cli_hello below calls the extension
 * dissector, whose definition comes further down in this file. */
static int
ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                          packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
                          SslSession *session, SslDecryptSession *ssl,
                          bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
                          ssl_master_key_map_t *mk_map);
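int
// NOLINTNEXTLINE(misc-no-recursion)
ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                          packet_info *pinfo, proto_tree *tree, uint32_t offset,
                          uint32_t offset_end, SslSession *session,
                          SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
{
    /*
     * Dissect a ClientHello body occupying tvb[offset, offset_end) and derive
     * the JA3 and JA4 client fingerprints from it.
     *
     * dtls_hfs is non-NULL for DTLS: it supplies the cookie fields and makes
     * the "claims version 1.3" check look for the DTLS 1.3 value. mk_map is
     * handed to the extension dissector; the ECH extension passes it back
     * into this function for the decrypted inner ClientHello, hence the
     * recursion NOLINT above.
     *
     * Returns the absolute offset after the last parsed field. Offsets are
     * handled relative to a subset tvb internally, so every return path adds
     * initial_offset back. When a length prefix is rejected the function
     * returns early and no fingerprint is computed. All fingerprint items
     * are generated fields.
     *
     * struct {
     *     ProtocolVersion client_version;
     *     Random random;
     *     SessionID session_id;
     *     opaque cookie<0..32>;                   //new field for DTLS
     *     CipherSuite cipher_suites<2..2^16-1>;
     *     CompressionMethod compression_methods<1..2^8-1>;
     *     Extension client_hello_extension_list<0..2^16-1>;
     * } ClientHello;
     */
    proto_item *ti;
    proto_tree *cs_tree;
    uint32_t    client_version;
    uint32_t    cipher_suite_length;
    uint32_t    compression_methods_length;
    uint8_t     compression_method;
    uint32_t    next_offset;
    uint32_t    initial_offset = offset;
    wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
    char       *ja3_hash;
    char       *ja3_dash = "";
    char       *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
    ja4_data_t  ja4_data;
    wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
    wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
    wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
    wmem_list_frame_t *curr_entry;

    DISSECTOR_ASSERT_CMPINT(initial_offset, <=, offset_end);
    /* Work on a subset tvb: offsets below are relative to the hello body. */
    tvbuff_t *hello_tvb = tvb_new_subset_length(tvb, initial_offset, offset_end - initial_offset);
    offset = 0;
    offset_end = tvb_reported_length(hello_tvb);

    /* JA4 inputs collected here and by the extension dissector. */
    ja4_data.max_version = 0;
    ja4_data.server_name_present = false;
    ja4_data.num_cipher_suites = 0;
    ja4_data.num_extensions = 0;
    ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
    ja4_data.cipher_list = wmem_list_new(pinfo->pool);
    ja4_data.extension_list = wmem_list_new(pinfo->pool);
    ja4_data.sighash_list = wmem_list_new(pinfo->pool);

    /* show the client version */
    ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, hello_tvb,
                                      offset, 2, ENC_BIG_ENDIAN,
                                      &client_version);
    if (tls_scan_client_hello(hello_tvb, offset, offset_end)) {
        /* supported_versions is present, so this field is only legacy_version */
        expert_add_info(pinfo, ti, &hf->ei.legacy_version);
    }
    offset += 2;
    /* client_version is unsigned; JA3 uses the decimal value */
    wmem_strbuf_append_printf(ja3, "%u,", client_version);

    /*
     * Is it version 1.3?
     * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
     * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
     * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
     * Hello".
     */
    if (dtls_hfs != NULL) {
        if (client_version == DTLSV1DOT3_VERSION) {
            /* Don't do that. */
            expert_add_info(pinfo, ti, &hf->ei.client_version_error);
        }
    } else {
        if (client_version == TLSV1DOT3_VERSION) {
            /* Don't do that. */
            expert_add_info(pinfo, ti, &hf->ei.client_version_error);
        }
    }

    /* dissect fields that are present in both ClientHello and ServerHello */
    offset = ssl_dissect_hnd_hello_common(hf, hello_tvb, pinfo, tree, offset, session, ssl, false, false);

    /* fields specific for DTLS (cookie_len, cookie) */
    if (dtls_hfs != NULL) {
        uint32_t cookie_length;
        /* opaque cookie<0..32> (for DTLS only) */
        if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cookie_length,
                            dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
            return initial_offset + offset;
        }
        offset++;
        if (cookie_length > 0) {
            proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
                                hello_tvb, offset, cookie_length, ENC_NA);
            offset += cookie_length;
        }
    }

    /* CipherSuite cipher_suites<2..2^16-1> */
    if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
                        hf->hf.hs_cipher_suites_len, 2, UINT16_MAX)) {
        return initial_offset + offset;
    }
    offset += 2;
    next_offset = offset + cipher_suite_length;
    ti = proto_tree_add_none_format(tree,
                                    hf->hf.hs_cipher_suites,
                                    hello_tvb, offset, cipher_suite_length,
                                    "Cipher Suites (%u suite%s)",
                                    cipher_suite_length / 2,
                                    plurality(cipher_suite_length/2, "", "s"));
    cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
    /* GREASE values are displayed but left out of both fingerprints. */
    while (offset + 2 <= next_offset) {
        uint32_t cipher_suite;

        proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, hello_tvb, offset, 2,
                                     ENC_BIG_ENDIAN, &cipher_suite);
        offset += 2;
        if (!IS_GREASE_TLS(cipher_suite)) {
            wmem_strbuf_append_printf(ja3, "%s%u", ja3_dash, cipher_suite);
            ja3_dash = "-";
            ja4_data.num_cipher_suites += 1;
            /* JA3 keeps wire order, JA4 uses a sorted list. */
            wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite), wmem_compare_uint);
        }
    }
    wmem_strbuf_append_c(ja3, ',');
    if (!ssl_end_vector(hf, hello_tvb, pinfo, cs_tree, offset, next_offset)) {
        offset = next_offset;
    }

    /* CompressionMethod compression_methods<1..2^8-1> */
    if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
                        hf->hf.hs_comp_methods_len, 1, UINT8_MAX)) {
        return initial_offset + offset;
    }
    offset++;
    next_offset = offset + compression_methods_length;
    ti = proto_tree_add_none_format(tree,
                                    hf->hf.hs_comp_methods,
                                    hello_tvb, offset, compression_methods_length,
                                    "Compression Methods (%u method%s)",
                                    compression_methods_length,
                                    plurality(compression_methods_length,
                                              "", "s"));
    cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
    while (offset < next_offset) {
        compression_method = tvb_get_uint8(hello_tvb, offset);
        /* TODO: make reserved/private comp meth. fields selectable */
        if (compression_method < 64) {
            proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
                                hello_tvb, offset, 1, compression_method);
        } else if (compression_method > 63 && compression_method < 193) {
            proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
                                             compression_method, "Reserved - to be assigned by IANA (%u)",
                                             compression_method);
        } else {
            proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
                                             compression_method, "Private use range (%u)",
                                             compression_method);
        }
        offset++;
    }

    /* SSL v3.0 has no extensions, so length field can indeed be missing. */
    if (offset < offset_end) {
        offset = ssl_dissect_hnd_extension(hf, hello_tvb, tree, pinfo, offset,
                                           offset_end, SSL_HND_CLIENT_HELLO,
                                           session, ssl, dtls_hfs != NULL, ja3, &ja4_data, mk_map);
        /* JA4 reports the highest offered version rather than legacy_version. */
        if (ja4_data.max_version > 0) {
            client_version = ja4_data.max_version;
        }
    } else {
        /* no extensions: leave the remaining JA3 fields empty */
        wmem_strbuf_append_printf(ja3, ",,");
    }

    /* JA4_a: transport, version, SNI presence, suite and extension counts
     * (capped at 99), ALPN. */
    if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
        wmem_strbuf_append(ja4_a, "t");
    } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
        wmem_strbuf_append(ja4_a, "q");
    } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
        wmem_strbuf_append(ja4_a, "d");
    }
    wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
    wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
    if (ja4_data.num_cipher_suites > 99) {
        wmem_strbuf_append(ja4_a, "99");
    } else {
        wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
    }
    if (ja4_data.num_extensions > 99) {
        wmem_strbuf_append(ja4_a, "99");
    } else {
        wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
    }
    if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
        wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
    } else {
        wmem_strbuf_append(ja4_a, "00");
    }

    /* JA4_b raw: sorted cipher suites as comma-separated hex. */
    curr_entry = wmem_list_head(ja4_data.cipher_list);
    for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
        wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry)));
        if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
            wmem_strbuf_append(ja4_br, ",");
        }
        curr_entry = wmem_list_frame_next(curr_entry);
    }

    /* JA4_c raw: extensions, then "_" and the sighash list when present. */
    curr_entry = wmem_list_head(ja4_data.extension_list);
    for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
        wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry)));
        if (i < wmem_list_count(ja4_data.extension_list) - 1) {
            wmem_strbuf_append(ja4_cr, ",");
        }
        curr_entry = wmem_list_frame_next(curr_entry);
    }

    if (wmem_list_count(ja4_data.sighash_list) > 0) {
        wmem_strbuf_append(ja4_cr, "_");
        curr_entry = wmem_list_head(ja4_data.sighash_list);
        for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
            wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry)));
            if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
                wmem_strbuf_append(ja4_cr, ",");
            }
            curr_entry = wmem_list_frame_next(curr_entry);
        }
    }

    /* Hashed parts: first 12 hex digits of SHA-256, or all zeros for an empty list. */
    if ( wmem_strbuf_get_len(ja4_br) == 0 ) {
        ja4_hash = g_strdup("000000000000");
    } else {
        ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
    }
    ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);
    g_free(ja4_hash);

    if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
        ja4_hash = g_strdup("000000000000");
    } else {
        ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
    }
    ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
    g_free(ja4_hash);

    ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
    ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));

    ti = proto_tree_add_string(tree, hf->hf.hs_ja4, hello_tvb, offset, 0, ja4);
    proto_item_set_generated(ti);
    ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, hello_tvb, offset, 0, ja4_r);
    proto_item_set_generated(ti);

    /* JA3: MD5 of the full string (a fingerprint identifier, not a security hash). */
    ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
                                             wmem_strbuf_get_len(ja3));
    ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, hello_tvb, offset, 0, wmem_strbuf_get_str(ja3));
    proto_item_set_generated(ti);
    ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, hello_tvb, offset, 0, ja3_hash);
    proto_item_set_generated(ti);
    g_free(ja3_hash);

    return initial_offset + offset;
}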
11160
/*
 * Dissect the body of a ServerHello, or of a HelloRetryRequest when is_hrr
 * is set (newer drafts send an HRR in ServerHello form; the older layout is
 * handled by ssl_dissect_hnd_hello_retry_request).
 *
 * offset/offset_end bound the handshake body within tvb. The entry value of
 * offset is kept as initial_offset because the ECH code below re-reads the
 * whole message, including its 4-byte handshake header when that header
 * precedes the body in the same tvb.
 *
 * session: conversation state; the negotiated version and draft number are
 *          read, and is_session_resumed is set here.
 * ssl:     decryption state, may be NULL. When present it receives the
 *          selected cipher suite and compression method, and the ECH accept
 *          confirmation is evaluated against it.
 * is_dtls: selects the DTLS version constant for the version sanity check.
 *
 * Side effects: sets the protocol column, adds the dissected fields to tree
 * together with the generated JA3S string and its MD5 fingerprint. The MD5
 * here is only a fingerprint identifier, not a security primitive.
 */
11161void
11162ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11163 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11164 SslSession *session, SslDecryptSession *ssl,
11165 bool_Bool is_dtls, bool_Bool is_hrr)
11166{
11167 /* struct {
11168 * ProtocolVersion server_version;
11169 * Random random;
11170 * SessionID session_id; // TLS 1.2 and before
11171 * CipherSuite cipher_suite;
11172 * CompressionMethod compression_method; // TLS 1.2 and before
11173 * Extension server_hello_extension_list<0..2^16-1>;
11174 * } ServerHello;
11175 */
11176 uint8_t draft_version = session->tls13_draft_version;
11177 proto_item *ti;
11178 uint32_t server_version;
11179 uint32_t cipher_suite;
 /* Start of the message body; needed again for the ECH transcript. */
11180 uint32_t initial_offset = offset;
 /* JA3S input: "<version>,<cipher>,<extension types>". The extension part is
 * appended by ssl_dissect_hnd_extension. */
11181 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
11182 char *ja3_hash;
11183
11184 col_set_str(pinfo->cinfo, COL_PROTOCOL,
11185 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
11186
11187 /* Initially assume that the session is resumed. If this is not the case, a
11188 * ServerHelloDone will be observed before the ChangeCipherSpec message
11189 * which will reset this flag. */
11190 session->is_session_resumed = true1;
11191
11192 /* show the server version */
11193 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11194 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);
11195
 /* Mark the version field as legacy_version when tls_scan_server_hello
 * reports a negotiated version elsewhere (presumably a supported_versions
 * extension; see that helper). */
11196 uint16_t supported_server_version;
11197 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
11198 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
11199 }
11200 /*
11201 * Is it version 1.3?
11202 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
11203 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
11204 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
11205 * Hello".
11206 */
11207 if (is_dtls) {
11208 if (server_version == DTLSV1DOT3_VERSION0xfefc) {
11209 /* Don't do that. */
11210 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
11211 }
11212 } else {
11213 if (server_version == TLSV1DOT3_VERSION0x304) {
11214 /* Don't do that. */
11215 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
11216 }
11217 }
11218
11219 offset += 2;
11220 wmem_strbuf_append_printf(ja3, "%i", server_version);
11221
11222 /* dissect fields that are present in both ClientHello and ServerHello */
 /* i.e. Random and, before TLS 1.3, SessionID per the struct above;
 * from_server is true here. */
11223 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);
11224
11225 if (ssl) {
11226 /* store selected cipher suite for decryption */
 /* Read raw here; the tree item for the same two bytes follows below. */
11227 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
11228 }
11229
11230 /* now the server-selected cipher suite */
11231 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
11232 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
11233 offset += 2;
11234 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
11235
11236 /* No compression with TLS 1.3 before draft -22 */
11237 if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
11238 if (ssl) {
11239 /* store selected compression method for decryption */
11240 ssl->session.compression = tvb_get_uint8(tvb, offset);
11241 }
11242 /* and the server-selected compression method */
11243 proto_tree_add_item(tree, hf->hf.hs_comp_method,
11244 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11245 offset++;
11246 }
11247
11248 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
11249 if (offset < offset_end) {
11250 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11251 offset_end,
11252 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
11253 session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0));
11254 }
11255
 /* ECH accept confirmation (ECH specification, draft-ietf-tls-esni). The
 * server proves it accepted the inner ClientHello by placing
 * HKDF-Expand-Label(HKDF-Extract(no salt, client_random), label,
 * Transcript-Hash(ech_transcript || this message with its 8
 * confirmation bytes zeroed), 8)
 * in the last 8 bytes of ServerHello.random, or, for an HRR, in the
 * payload of its encrypted_client_hello extension. This is only evaluated
 * once the cipher suite (and so the hash) is known and a client random is
 * available; the ECH transcript buffer is extended with this message
 * either way. */
11256 if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
11257 int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
 /* 0 (presumably "digest unknown") skips the whole computation. */
11258 if (hash_algo) {
11259 SSL_MDgcry_md_hd_t mc;
11260 unsigned char transcript_hash[DIGEST_MAX_SIZE48];
11261 unsigned char prk[DIGEST_MAX_SIZE48];
11262 unsigned char *ech_verify_out = NULL((void*)0);
11263 unsigned int len;
11264 ssl_md_init(&mc, hash_algo);
11265 ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
11266 if (is_hrr) {
 /* HRR transcript rule (RFC 8446 Section 4.4.1): the ClientHello so far
 * is replaced by a message_hash handshake message, i.e. type byte,
 * 24-bit length (0, 0, len) and Hash(ClientHello). The buffer is
 * re-created big enough to also hold this HRR (header + body). */
11267 ssl_md_final(&mc, transcript_hash, &len);
11268 ssl_md_cleanup(&mc);
11269 wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
11270 ssl->ech_transcript.data_len = 4 + len;
11271 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
11272 ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
11273 ssl->ech_transcript.data[1] = 0;
11274 ssl->ech_transcript.data[2] = 0;
11275 ssl->ech_transcript.data[3] = len;
11276 memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
 /* Restart the running hash over the message_hash message. */
11277 ssl_md_init(&mc, hash_algo);
11278 ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
11279 } else {
 /* ServerHello: grow the buffer by header + body of this message. */
11280 ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
11281 ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
11282 }
 /* Copy header + body into the transcript buffer and feed the running hash
 * up to the confirmation bytes. 38 = 4 (header) + 2 (version) + 32 (random)
 * for an HRR; 30 = 4 + 2 + 24 for a ServerHello, whose last 8 random bytes
 * are the confirmation. If the 4-byte handshake header is not in this tvb
 * (initial_offset <= 4) it is reconstructed as type SERVER_HELLO plus a
 * 24-bit length.
 * NOTE(review): the reconstructed header uses offset - initial_offset as
 * length while the copy covers offset_end - initial_offset; these agree
 * only when the extension dissector consumed the whole body. */
11283 if (initial_offset > 4) {
11284 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
11285 4 + offset_end - initial_offset);
11286 if (is_hrr)
11287 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 38), 38);
11288 else
11289 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 30), 30);
11290 } else {
11291 uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
11292 prefix[2] = ((offset - initial_offset) >> 8);
11293 prefix[3] = (offset - initial_offset) & 0xff;
11294 memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
11295 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
11296 offset_end - initial_offset);
11297 ssl_md_update(&mc, prefix, 4);
11298 if (is_hrr)
11299 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 34), 34);
11300 else
11301 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 26), 26);
11302 }
11303 ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
 /* The 8 confirmation bytes are hashed as zeros; confirmation_offset
 * points at the real bytes on the wire for the comparison below
 * (ServerHello: random[24..31], at body offset 2 + 24). */
11304 uint8_t zeros[8] = { 0 };
11305 uint32_t confirmation_offset = initial_offset + 26;
11306 if (is_hrr) {
 /* HRR: hash session_id (1-byte length + content), cipher suite +
 * compression (3 bytes) and the extensions length, then each extension
 * verbatim except encrypted_client_hello (type 65037, length 8), whose
 * payload is the confirmation and is replaced by zeros.
 * NOTE(review): extensions_end - hrr_offset is unsigned; if an
 * extension length overshoots extensions_end the condition wraps and
 * termination relies on the tvb accessors throwing -- confirm. */
11307 uint32_t hrr_offset = initial_offset + 34;
11308 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset,
11309 tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
11310 hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
11311 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 3), 3);
11312 hrr_offset += 3;
11313 uint32_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
11314 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 2), 2);
11315 hrr_offset += 2;
11316 while (extensions_end - hrr_offset >= 4) {
11317 if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
11318 tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
11319 confirmation_offset = hrr_offset + 4;
11320 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 4), 4);
11321 ssl_md_update(&mc, zeros, 8);
11322 hrr_offset += 12;
11323 } else {
11324 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
11325 tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
11326 hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
11327 }
11328 }
11329 } else {
 /* ServerHello: zeros for random[24..31], then the rest of the body. */
11330 ssl_md_update(&mc, zeros, 8);
11331 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
11332 offset - initial_offset - 34);
11333 }
11334 ssl_md_final(&mc, transcript_hash, &len);
11335 ssl_md_cleanup(&mc);
 /* HKDF-Extract with no salt over the 32-byte client random; the PRK is
 * one digest long, hence the same len as the transcript hash. */
11336 hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
11337 StringInfo prk_string = {prk, len};
 /* Derive the expected 8 bytes; ech_verify_out is allocated by the callee
 * and released with wmem_free(NULL, ...) below. */
11338 if (tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
11339 is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
11340 transcript_hash, len, 8, &ech_verify_out)) {
 /* Keep the expected value per message type, then compare with the
 * wire. A mismatch means ECH was not accepted: the client random used
 * for key derivation is replaced by the one saved in session
 * (presumably the outer ClientHello's), and for an HRR the decline is
 * recorded so the first ClientHello frame is forgotten. */
11341 memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
11342 if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
11343 if (is_hrr) {
11344 ssl->session.hrr_ech_declined = true1;
11345 ssl->session.first_ch_ech_frame = 0;
11346 }
11347 memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
11348 ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
11349 }
11350 wmem_free(NULL((void*)0), ech_verify_out);
11351 }
 /* Whatever the outcome, an ECH exchange was seen. */
11352 ssl->session.ech = true1;
11353 }
11354 }
11355
 /* JA3S fingerprint: MD5 of the "version,cipher,extensions" string, shown
 * alongside the full string as generated fields. */
11356 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
11357 wmem_strbuf_get_len(ja3));
11358 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
11359 proto_item_set_generated(ti);
11360 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
11361 proto_item_set_generated(ti);
11362 g_free(ja3_hash)(__builtin_object_size ((ja3_hash), 0) != ((size_t) - 1)) ? g_free_sized
(ja3_hash, __builtin_object_size ((ja3_hash), 0)) : (g_free)
(ja3_hash)
;
11363}
11364/* Client Hello and Server Hello dissections. }}} */
11365
11366/* New Session Ticket dissection. {{{ */
/*
 * Dissect a NewSessionTicket handshake message (RFC 5077 Section 3.3 for
 * TLS <= 1.2, RFC 8446 Section 4.6.1 for TLS 1.3).
 *
 * All fields are shown under a "TLS Session Ticket" subtree. For pre-1.3
 * sessions with decryption state (ssl != NULL) the ticket bytes are copied
 * into ssl->session_ticket and associated with the current master secret in
 * session_hash, so a later resumption with this ticket can be decrypted.
 * For TLS 1.3 the trailing extension vector is dissected instead and no
 * key material is touched.
 *
 * offset/offset_end bound the message body inside tvb. A length field that
 * ssl_add_vector rejects ends the dissection early.
 */
void
ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               SslSession *session, SslDecryptSession *ssl,
                               bool is_dtls, GHashTable *session_hash)
{
    /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
     * struct {
     *     uint32 ticket_lifetime_hint;
     *     opaque ticket<0..2^16-1>;
     * } NewSessionTicket;
     *
     * RFC 8446 Section 4.6.1 (TLS 1.3):
     * struct {
     *     uint32 ticket_lifetime;
     *     uint32 ticket_age_add;
     *     opaque ticket_nonce<0..255>;    // new in draft -21, updated in -22
     *     opaque ticket<1..2^16-1>;
     *     Extension extensions<0..2^16-2>;
     * } NewSessionTicket;
     */
    const bool is_tls13 = (session->version == TLSV1DOT3_VERSION ||
                           session->version == DTLSV1DOT3_VERSION);
    const unsigned char draft_version = session->tls13_draft_version;
    uint32_t lifetime_hint;
    uint32_t ticket_len;

    proto_tree *ticket_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                                     hf->ett.session_ticket, NULL,
                                                     "TLS Session Ticket");

    /* ticket_lifetime_hint (TLS 1.3: ticket_lifetime), seconds */
    proto_item *lifetime_item = proto_tree_add_item_ret_uint(ticket_tree,
                                                             hf->hf.hs_session_ticket_lifetime_hint,
                                                             tvb, offset, 4, ENC_BIG_ENDIAN,
                                                             &lifetime_hint);
    offset += 4;
    if (lifetime_hint >= 60) {
        /* Only hints of a minute or more get a human-readable annotation. */
        proto_item_append_text(lifetime_item, " (%s)",
                               unsigned_time_secs_to_str(pinfo->pool, lifetime_hint));
    }

    if (is_tls13) {
        /* ticket_age_add */
        proto_tree_add_item(ticket_tree, hf->hf.hs_session_ticket_age_add,
                            tvb, offset, 4, ENC_BIG_ENDIAN);
        offset += 4;

        /* ticket_nonce<0..255>, present since draft -21 (0 = non-draft version) */
        if (draft_version == 0 || draft_version >= 21) {
            uint32_t nonce_len;

            if (!ssl_add_vector(hf, tvb, pinfo, ticket_tree, offset, offset_end, &nonce_len,
                                hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
                return;
            }
            offset++;

            proto_tree_add_item(ticket_tree, hf->hf.hs_session_ticket_nonce,
                                tvb, offset, nonce_len, ENC_NA);
            offset += nonce_len;
        }
    }

    /* opaque ticket<0..2^16-1>; TLS 1.3 requires at least one byte. */
    if (!ssl_add_vector(hf, tvb, pinfo, ticket_tree, offset, offset_end, &ticket_len,
                        hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX)) {
        return;
    }
    offset += 2;

    /* The ticket is opaque to the peer (and to us); show the raw bytes. */
    proto_tree_add_item(ticket_tree, hf->hf.hs_session_ticket,
                        tvb, offset, ticket_len, ENC_NA);

    /* Cache the ticket for ssl_finalize_decryption (pre-1.3 only). */
    if (ssl != NULL && !is_tls13) {
        if (ssl->session.is_session_resumed) {
            /* NewSessionTicket is received in ServerHello before ChangeCipherSpec
             * (Abbreviated Handshake Using New Session Ticket).
             * Restore the master key for this session ticket before saving
             * it to the new session ticket. */
            ssl_restore_master_key(ssl, "Session Ticket", false,
                                   session_hash, &ssl->session_ticket);
        }
        /* Throw before the copy if the ticket is truncated in the capture. */
        tvb_ensure_bytes_exist(tvb, offset, ticket_len);
        ssl->session_ticket.data = (unsigned char *)wmem_realloc(wmem_file_scope(),
                                                                 ssl->session_ticket.data, ticket_len);
        ssl->session_ticket.data_len = ticket_len;
        tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
        /* NewSessionTicket is received after the first (client)
         * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
         * Since the second CCS has already the session key available it will
         * just return. To ensure that the session ticket is mapped to a
         * master key (from the first CCS), save the ticket here too. */
        ssl_save_master_key("Session Ticket", session_hash,
                            &ssl->session_ticket, &ssl->master_secret);
        ssl->state |= SSL_NEW_SESSION_TICKET;
    }
    offset += ticket_len;

    /* TLS 1.3: Extension extensions<0..2^16-2> */
    if (is_tls13) {
        ssl_dissect_hnd_extension(hf, tvb, ticket_tree, pinfo, offset,
                                  offset_end, SSL_HND_NEWSESSION_TICKET,
                                  session, ssl, is_dtls, NULL, NULL, NULL);
    }
} /* }}} */
11474
/*
 * Dissect the stand-alone HelloRetryRequest of the TLS 1.3 drafts (up to
 * draft -21); since draft -22 an HRR travels as a ServerHello and is handled
 * by ssl_dissect_hnd_srv_hello instead.
 *
 * The draft number is recovered from the server_version field so the
 * cipher_suite field, which only exists from draft -19 on, is shown when
 * present. The remaining extension vector is handed to
 * ssl_dissect_hnd_extension with the HRR handshake type. No JA3/JA4 or
 * master-key context is collected (trailing NULL arguments).
 */
void
ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                    packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                    SslSession *session, SslDecryptSession *ssl,
                                    bool is_dtls)
{
    /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
     * struct {
     *     ProtocolVersion server_version;
     *     CipherSuite cipher_suite;       // not before draft -19
     *     Extension extensions<2..2^16-1>;
     * } HelloRetryRequest;
     * Note: no longer used since draft -22
     */
    uint32_t server_version;

    proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
                                 offset, 2, ENC_BIG_ENDIAN, &server_version);
    offset += 2;

    /* cipher_suite exists from draft -19 on; 0 presumably means "not a draft". */
    const uint8_t draft = extract_tls13_draft_version(server_version);
    const bool has_cipher_suite = (draft == 0) || (draft >= 19);
    if (has_cipher_suite) {
        proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
                            tvb, offset, 2, ENC_BIG_ENDIAN);
        offset += 2;
    }

    ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
                              offset_end, SSL_HND_HELLO_RETRY_REQUEST,
                              session, ssl, is_dtls, NULL, NULL, NULL);
}
11507
/*
 * Dissect an EncryptedExtensions handshake message (RFC 8446 Section 4.3.1).
 *
 * The body is one extension vector; it is passed to
 * ssl_dissect_hnd_extension with the handshake type so that the rules for
 * this message apply to each extension. The JA3, JA4 and master-key
 * arguments are NULL: nothing is fingerprinted or keyed from this message.
 */
void
ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                     packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                     SslSession *session, SslDecryptSession *ssl,
                                     bool is_dtls)
{
    /* RFC 8446 Section 4.3.1
     * struct {
     *     Extension extensions<0..2^16-1>;
     * } EncryptedExtensions;
     */
    const uint8_t hnd_type = SSL_HND_ENCRYPTED_EXTENSIONS;

    /* The returned end offset is of no use here: the message is extensions only. */
    (void)ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset, offset_end, hnd_type,
                                    session, ssl, is_dtls, NULL, NULL, NULL);
}
11523
11524/* Certificate and Certificate Request dissections. {{{ */
/*
 * Dissect a Certificate handshake message from either peer.
 *
 * is_from_server selects which negotiated certificate type applies
 * (session->server_cert_type or client_cert_type); RAW_PUBLIC_KEY switches
 * the per-entry parser from X.509 to SubjectPublicKeyInfo. offset/offset_end
 * bound the message body in tvb. ssl is only consulted in GnuTLS builds,
 * where the public key of the first server X.509 entry is handed to
 * ssl_find_private_key_by_pubkey so a configured private key can be matched
 * for decryption. When a length field is out of range the function returns
 * early (presumably after ssl_add_vector has flagged it), leaving the
 * remainder undissected.
 */
11525void
11526ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11527 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11528 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
11529 bool_Bool is_from_server, bool_Bool is_dtls)
11530{
11531 /* opaque ASN.1Cert<1..2^24-1>;
11532 *
11533 * Before RFC 8446 (TLS <= 1.2):
11534 * struct {
11535 * select(certificate_type) {
11536 *
11537 * // certificate type defined in RFC 7250
11538 * case RawPublicKey:
11539 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
11540 *
11541 * // X.509 certificate defined in RFC 5246
11542 * case X.509:
11543 * ASN.1Cert certificate_list<0..2^24-1>;
11544 * };
11545 * } Certificate;
11546 *
11547 * RFC 8446 (since draft -20):
11548 * struct {
11549 * select(certificate_type){
11550 * case RawPublicKey:
11551 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
11552 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
11553 *
11554 * case X.509:
11555 * opaque cert_data<1..2^24-1>;
11556 * }
11557 * Extension extensions<0..2^16-1>;
11558 * } CertificateEntry;
11559 * struct {
11560 * opaque certificate_request_context<0..2^8-1>;
11561 * CertificateEntry certificate_list<0..2^24-1>;
11562 * } Certificate;
11563 */
11564 enum { CERT_X509, CERT_RPK } cert_type;
11565 asn1_ctx_t asn1_ctx;
11566#if defined(HAVE_LIBGNUTLS1)
 /* Filled in by the X.509 dissector through asn1_ctx.private_data. */
11567 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
11568 unsigned certificate_index = 0;
11569#endif
11570 uint32_t next_offset, certificate_list_length, cert_length;
11571 proto_tree *subtree = tree;
11572
11573 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11574
 /* Certificate type negotiated for the sending side (RFC 7250). */
11575 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
11576 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
11577 cert_type = CERT_RPK;
11578 } else {
11579 cert_type = CERT_X509;
11580 }
11581
11582#if defined(HAVE_LIBGNUTLS1)
11583 /* Ask the pkcs1 dissector to return the public key details */
11584 if (ssl)
11585 asn1_ctx.private_data = &subjectPublicKeyInfo;
11586#endif
11587
11588 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
11589 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
11590 uint32_t context_length;
11591 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11592 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11593 return;
11594 }
11595 offset++;
11596 if (context_length > 0) {
11597 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11598 tvb, offset, context_length, ENC_NA0x00000000);
11599 offset += context_length;
11600 }
11601 }
11602
11603 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
11604 /* For RPK before TLS 1.3, the single RPK is stored directly without
11605 * another "certificate_list" field. */
11606 certificate_list_length = offset_end - offset;
11607 next_offset = offset_end;
11608 } else {
11609 /* CertificateEntry certificate_list<0..2^24-1> */
11610 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
11611 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
11612 return;
11613 }
11614 offset += 3; /* 24-bit length value */
11615 next_offset = offset + certificate_list_length;
11616 }
11617
11618 /* RawPublicKey must have one cert, but X.509 can have multiple. */
 /* Group multiple X.509 entries under a "Certificates" item; RPK entries
 * stay directly under tree. */
11619 if (certificate_list_length > 0 && cert_type == CERT_X509) {
11620 proto_item *ti;
11621
11622 ti = proto_tree_add_none_format(tree,
11623 hf->hf.hs_certificates,
11624 tvb, offset, certificate_list_length,
11625 "Certificates (%u bytes)",
11626 certificate_list_length);
11627
11628 /* make it a subtree */
11629 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
11630 }
11631
 /* One iteration per entry: 24-bit length, the entry itself, and for
 * TLS 1.3 the per-entry extension vector. An out-of-range length stops
 * the loop via return. */
11632 while (offset < next_offset) {
11633 switch (cert_type) {
11634 case CERT_RPK:
11635 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
11636 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
11637 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11638 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11639 return;
11640 }
11641 offset += 3;
11642
11643 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11644 offset += cert_length;
11645 break;
11646 case CERT_X509:
11647 /* opaque ASN1Cert<1..2^24-1> */
11648 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11649 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11650 return;
11651 }
11652 offset += 3;
11653
11654 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11655#if defined(HAVE_LIBGNUTLS1)
 /* Only the leaf (first) server certificate is matched against the
 * configured private keys; later entries clear private_data so the
 * X.509 dissector stops filling subjectPublicKeyInfo. */
11656 if (is_from_server && ssl && certificate_index == 0) {
11657 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
11658 /* Only attempt to get the RSA modulus for the first cert. */
11659 asn1_ctx.private_data = NULL((void*)0);
11660 }
11661#endif
11662 offset += cert_length;
11663 break;
11664 }
11665
11666 /* TLS 1.3: Extension extensions<0..2^16-1> */
11667 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
11668 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11669 next_offset, SSL_HND_CERTIFICATE,
11670 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11671 }
11672
11673#if defined(HAVE_LIBGNUTLS1)
11674 certificate_index++;
11675#endif
11676 }
11677}
11678
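/*
 * Dissect a CertificateRequest handshake message.
 *
 * The layout depends on the negotiated version and, for TLS 1.3 drafts, on
 * session->tls13_draft_version:
 *  - TLS 1.3 (non-draft, or draft >= 19): certificate_request_context
 *    followed by an extension vector;
 *  - TLS 1.3 drafts <= 18: certificate_request_context,
 *    supported_signature_algorithms, certificate_authorities and OID filters;
 *  - TLS 1.2: certificate_types, supported_signature_algorithms and
 *    certificate_authorities;
 *  - older: certificate_types and certificate_authorities.
 *
 * tree may be NULL; nothing here changes decryption or session state, so
 * the function then returns at once. The SslDecryptSession is deliberately
 * not passed to the extension dissector: CertificateRequest extensions must
 * not influence decryption. A length field rejected by ssl_add_vector ends
 * the dissection early.
 *
 * The asn1_ctx_t that was initialised here was never read; it was removed.
 */
void
ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                         proto_tree *tree, uint32_t offset, uint32_t offset_end,
                         SslSession *session, bool is_dtls)
{
    /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
     * enum {
     *     rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
     *     (255)
     * } ClientCertificateType;
     *
     * opaque DistinguishedName<1..2^16-1>;
     *
     * struct {
     *     ClientCertificateType certificate_types<1..2^8-1>;
     *     DistinguishedName certificate_authorities<3..2^16-1>;
     * } CertificateRequest;
     *
     *
     * As per TLSv1.2 (RFC 5246) the format has changed to:
     *
     * enum {
     *     rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
     *     rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
     *     fortezza_dms_RESERVED(20), (255)
     * } ClientCertificateType;
     *
     * enum {
     *     none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
     *     sha512(6), (255)
     * } HashAlgorithm;
     *
     * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
     *   SignatureAlgorithm;
     *
     * struct {
     *     HashAlgorithm hash;
     *     SignatureAlgorithm signature;
     * } SignatureAndHashAlgorithm;
     *
     * SignatureAndHashAlgorithm
     *   supported_signature_algorithms<2..2^16-2>;
     *
     * opaque DistinguishedName<1..2^16-1>;
     *
     * struct {
     *     ClientCertificateType certificate_types<1..2^8-1>;
     *     SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
     *     DistinguishedName certificate_authorities<0..2^16-1>;
     * } CertificateRequest;
     *
     * draft-ietf-tls-tls13-18:
     * struct {
     *     opaque certificate_request_context<0..2^8-1>;
     *     SignatureScheme
     *       supported_signature_algorithms<2..2^16-2>;
     *     DistinguishedName certificate_authorities<0..2^16-1>;
     *     CertificateExtension certificate_extensions<0..2^16-1>;
     * } CertificateRequest;
     *
     * RFC 8446 (since draft-ietf-tls-tls13-19):
     *
     * struct {
     *     opaque certificate_request_context<0..2^8-1>;
     *     Extension extensions<2..2^16-1>;
     * } CertificateRequest;
     */
    const bool is_tls13 = (session->version == TLSV1DOT3_VERSION ||
                           session->version == DTLSV1DOT3_VERSION);
    const unsigned char draft_version = session->tls13_draft_version;

    if (!tree)
        return;

    if (is_tls13) {
        uint32_t context_length;
        /* opaque certificate_request_context<0..2^8-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
                            hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX)) {
            return;
        }
        offset++;
        if (context_length > 0) {
            proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
                                tvb, offset, context_length, ENC_NA);
            offset += context_length;
        }
    } else {
        uint32_t cert_types_count;
        /* ClientCertificateType certificate_types<1..2^8-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
                            hf->hf.hs_cert_types_count, 1, UINT8_MAX)) {
            return;
        }
        offset++;
        const uint32_t types_end = offset + cert_types_count;

        proto_item *ti = proto_tree_add_none_format(tree,
                                                    hf->hf.hs_cert_types,
                                                    tvb, offset, cert_types_count,
                                                    "Certificate types (%u type%s)",
                                                    cert_types_count,
                                                    plurality(cert_types_count, "", "s"));
        proto_tree *subtree = proto_item_add_subtree(ti, hf->ett.cert_types);

        /* One byte per ClientCertificateType. */
        while (offset < types_end) {
            proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN);
            offset++;
        }
    }

    /* supported_signature_algorithms: TLS 1.2 and TLS 1.3 drafts before -19. */
    if (session->version == TLSV1DOT2_VERSION || session->version == DTLSV1DOT2_VERSION ||
        (is_tls13 && (draft_version > 0 && draft_version < 19))) {
        offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL);
    }

    if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
        /*
         * TLS 1.3 draft 19 and newer: Extensions.
         * SslDecryptSession pointer is NULL because Certificate Extensions
         * should not influence decryption state.
         */
        ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
                                  offset_end, SSL_HND_CERT_REQUEST,
                                  session, NULL, is_dtls, NULL, NULL, NULL);
    } else if (is_tls13 && draft_version <= 18) {
        /*
         * TLS 1.3 draft 18 and older: certificate_authorities and
         * certificate_extensions (a vector of OID mappings).
         */
        offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
        ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
    } else {
        /* for TLS 1.2 and older, the certificate_authorities field. */
        tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
    }
}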
11821/* Certificate and Certificate Request dissections. }}} */
11822
/*
 * Dissect a CertificateVerify handshake message sent by the client.
 *
 * The body is a DigitallySigned structure; ssl_dissect_digitally_signed
 * does the parsing, with version passed through so it can pick the layout
 * for the negotiated protocol version. The signature length and signature
 * bytes are filed under the client-specific header fields.
 */
void
ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
{
    const int sig_len_hf = hf->hf.hs_client_cert_vrfy_sig_len;
    const int sig_hf = hf->hf.hs_client_cert_vrfy_sig;

    ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
                                 sig_len_hf, sig_hf);
}
11831
11832/* Finished dissection. {{{ */
/*
 * Dissect a Finished handshake message (display only; nothing is verified).
 *
 * SSLv3 carries an MD5 hash followed by a SHA-1 hash (16 + 20 bytes); these
 * are shown only when the caller supplies the SSL-specific header fields in
 * ssl_hfs. Every later version carries a single verify_data blob, which is
 * shown as the whole remaining body (12 bytes before TLS 1.3, the hash
 * length in TLS 1.3); the length is taken from offset_end rather than
 * assumed. Returns without effect when no tree is requested.
 */
void
ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                         proto_tree *tree, uint32_t offset, uint32_t offset_end,
                         const SslSession *session, ssl_hfs_t *ssl_hfs)
{
    /* For SSLv3:
     *     struct {
     *         opaque md5_hash[16];
     *         opaque sha_hash[20];
     *     } Finished;
     *
     * For (D)TLS:
     *     struct {
     *         opaque verify_data[12];
     *     } Finished;
     *
     * For TLS 1.3:
     *     struct {
     *         opaque verify_data[Hash.length];
     *     }
     */
    if (tree == NULL)
        return;

    if (session->version != SSLV3_VERSION) {
        /* verify_data: whatever remains of the message body. */
        proto_tree_add_item(tree, hf->hf.hs_finished,
                            tvb, offset, offset_end - offset, ENC_NA);
        return;
    }

    /* SSLv3 hashes need the SSL-specific header fields. */
    if (ssl_hfs == NULL)
        return;

    proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
                        tvb, offset, 16, ENC_NA);
    proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
                        tvb, offset + 16, 20, ENC_NA);
} /* }}} */
11870
11871/* RFC 6066 Certificate URL handshake message dissection. {{{ */
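/*
 * Dissect a CertificateURL handshake message (RFC 6066 Section 5).
 *
 * url_and_hash_list<1..2^16-1> is a TLS vector, so its 2-byte prefix is a
 * byte count, not an item count. The loop therefore consumes URLAndHash
 * entries until that many bytes have been read; the previous loop counted
 * entries instead and, on a well-formed message, only stopped when the tvb
 * accessors threw past the end of the packet. Each item is added with an
 * unknown length and fixed up once its size is known.
 *
 * hf/tree: header fields and tree to add to; offset: start of the message
 * body in tvb. Nothing is returned; reads past the captured data raise the
 * usual tvb exceptions.
 */
void
ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
{
    /* enum {
     *     individual_certs(0), pkipath(1), (255)
     * } CertChainType;
     *
     * struct {
     *     CertChainType type;
     *     URLAndHash url_and_hash_list<1..2^16-1>;
     * } CertificateURL;
     *
     * struct {
     *     opaque url<1..2^16-1>;
     *     uint8 padding;
     *     opaque SHA1Hash[20];
     * } URLAndHash;
     */

    proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
                        tvb, offset, 1, ENC_NA);
    offset++;

    /* Length of the whole list in bytes. */
    const uint32_t list_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
                        tvb, offset, 2, ENC_BIG_ENDIAN);
    offset += 2;
    const uint32_t list_end = offset + list_len;

    while (offset < list_end) {
        const uint32_t item_start = offset;

        /* Length -1: unknown until the entry has been walked; set below. */
        proto_item *urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
                                                       tvb, offset, -1, ENC_NA);
        proto_tree *urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);

        const uint32_t url_len = tvb_get_ntohs(tvb, offset);
        proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
                            tvb, offset, 2, ENC_BIG_ENDIAN);
        offset += 2;

        proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
                            tvb, offset, url_len, ENC_ASCII|ENC_NA);
        offset += url_len;

        /* Note: RFC 6066 says that padding must be 0x01; it is shown, not checked. */
        proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
                            tvb, offset, 1, ENC_NA);
        offset++;

        proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
                            tvb, offset, 20, ENC_NA);
        offset += 20;

        proto_item_set_len(urlhash_item, offset - item_start);
    }
} /* }}} */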
11929
/*
 * Dissect a CompressedCertificate handshake message (RFC 8879).
 *
 * The compressed payload is inflated with the algorithm the message names
 * (1 = zlib, 2 = brotli, 3 = zstd; any other value is left undissected),
 * the result is compared with the advertised uncompressed_length and, when
 * they agree, dissected as an ordinary Certificate message and exposed as
 * the "Uncompressed certificate(s)" data source. A mismatch is reported as
 * a decompression_error expert item over the remainder of the message.
 *
 * NOTE(review): uncompressed_length from the wire is only compared after
 * decompression; any bound on the inflated size is whatever the
 * tvb_child_uncompress_* helpers enforce -- confirm before relying on it.
 */
void
ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                                     uint32_t offset, uint32_t offset_end, packet_info *pinfo,
                                     SslSession *session, SslDecryptSession *ssl,
                                     bool is_from_server, bool is_dtls)
{
    /*
     * enum {
     *     zlib(1),
     *     brotli(2),
     *     zstd(3),
     *     (65535)
     * } CertificateCompressionAlgorithm;
     *
     * struct {
     *     CertificateCompressionAlgorithm algorithm;
     *     uint24 uncompressed_length;
     *     opaque compressed_certificate_message<1..2^24-1>;
     * } CompressedCertificate;
     */
    uint32_t algorithm;
    uint32_t claimed_length;
    uint32_t compressed_len;

    proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
                                 tvb, offset, 2, ENC_BIG_ENDIAN, &algorithm);
    offset += 2;

    proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
                                 tvb, offset, 3, ENC_BIG_ENDIAN, &claimed_length);
    offset += 3;

    /* opaque compressed_certificate_message<1..2^24-1>; */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_len,
                        hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24)) {
        return;
    }
    offset += 3;

    proto_item *compressed_item = proto_tree_add_item(tree,
                                                      hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
                                                      tvb, offset, compressed_len, ENC_NA);

    /* Inflate with the named algorithm; unknown algorithms leave inflated NULL. */
    tvbuff_t *inflated = NULL;
    if (algorithm == 1) {
        inflated = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_len);
    } else if (algorithm == 2) {
        inflated = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_len);
    } else if (algorithm == 3) {
        inflated = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_len);
    }
    if (inflated == NULL) {
        return;
    }

    const uint32_t actual_length = tvb_captured_length(inflated);
    if (actual_length != claimed_length) {
        proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
                                     tvb, offset, offset_end - offset,
                                     "Invalid uncompressed length %u (expected %u)",
                                     actual_length,
                                     claimed_length);
        return;
    }

    proto_tree *cert_tree = proto_item_add_subtree(compressed_item, hf->ett.uncompressed_certificates);
    ssl_dissect_hnd_cert(hf, inflated, cert_tree,
                         0, claimed_length, pinfo, session, ssl, is_from_server, is_dtls);
    add_new_data_source(pinfo, inflated, "Uncompressed certificate(s)");
}
12003
12004/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
/*
 * Dissect the `Extension extensions<...>` vector at the end of a handshake
 * body (ClientHello, ServerHello, HelloRetryRequest, EncryptedExtensions,
 * Certificate, ...), dispatching on ext_type and, where the layout depends on
 * the message, on hnd_type.
 *
 * Side effects beyond the protocol tree:
 *  - ja3 (if non-NULL): the extension-type list is appended; for a ClientHello
 *    the supported-groups and EC-point-format pieces are appended afterwards;
 *  - ja4_data (if non-NULL): extension count, the sorted extension list
 *    (minus SNI and ALPN), the SNI-present flag, plus whatever the
 *    sig-alg / ALPN / supported-versions sub-dissectors record;
 *  - ssl / session: decryption-relevant state (Encrypt-then-MAC, extended
 *    master secret, key shares, PSK, ECH, connection IDs, ...) is recorded by
 *    the respective branches.
 * GREASE values are excluded from both fingerprints.
 *
 * Returns the offset just past the extensions vector.  Length problems are
 * left to ssl_add_vector / ssl_end_vector (defined elsewhere in this file);
 * when they fail this function resynchronises on the declared boundary
 * instead of aborting, so one malformed extension does not hide the rest.
 */
static int
// NOLINTNEXTLINE(misc-no-recursion)
ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                          packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
                          SslSession *session, SslDecryptSession *ssl,
                          bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
                          ssl_master_key_map_t *mk_map)
{
    uint32_t exts_len;
    uint16_t ext_type;
    uint32_t ext_len;
    uint32_t next_offset;
    proto_item *ext_item;
    proto_tree *ext_tree;
    bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
    /* JA3 pieces that are emitted after the extension list (supported groups,
     * EC point formats); packet-scoped, filled by the respective branches. */
    wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
    wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
    char *ja3_dash = "";
    /* Only written (and read) in the ServerHello/HRR supported_versions branch. */
    unsigned supported_version;

    /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
                        hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
        return offset_end;
    }
    offset += 2;
    /* From here on offset_end bounds the extensions vector, not the message. */
    offset_end = offset + exts_len;

    if (ja4_data) {
        ja4_data->num_extensions = 0;
    }
    /* Each extension has at least a 2-byte type and a 2-byte length. */
    while (offset_end - offset >= 4)
    {
        ext_type = tvb_get_ntohs(tvb, offset);
        /* Raw, not yet validated length; it is only used for the item text and
         * item length below and re-read through ssl_add_vector afterwards. */
        ext_len = tvb_get_ntohs(tvb, offset + 2);

        /* JA4 counts every non-GREASE extension but keeps SNI and ALPN out of
         * the sorted list. */
        if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))
) {
            ja4_data->num_extensions += 1;
            if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
                ext_type != SSL_HND_HELLO_EXT_ALPN16) {
                wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
            }
        }

        ext_item = proto_tree_add_none_format(tree, hf->hf.hs_ext, tvb, offset, 4 + ext_len,
                                              "Extension: %s (len=%u)", val_to_str(pinfo->pool, ext_type,
                                                                                    tls_hello_extension_types,
                                                                                    "Unknown type %u"), ext_len);
        ext_tree = proto_item_add_subtree(ext_item, hf->ett.hs_ext);

        proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
                            tvb, offset, 2, ext_type);
        offset += 2;
        /* JA3: dash-separated list of non-GREASE extension types, in order. */
        if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))
) {
            wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
            ja3_dash = "-";
        }

        /* opaque extension_data<0..2^16-1> -- validated against offset_end. */
        if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, next_offset = 0, &ext_len,
                            hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
            return offset_end;
        }
        offset += 2;
        next_offset = offset + ext_len;

        switch (ext_type) {
        case SSL_HND_HELLO_EXT_SERVER_NAME0:
            if (hnd_type == SSL_HND_CLIENT_HELLO) {
                offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
                if (ja4_data) {
                    ja4_data->server_name_present = true1;
                }
            }
            break;
        case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
            proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
            offset += 1;
            break;
        case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
            /* In TLS 1.3 the OCSP response travels as a Certificate extension. */
            if (hnd_type == SSL_HND_CLIENT_HELLO) {
                offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
            } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
                offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
            }
            break;
        case SSL_HND_HELLO_EXT_CERT_TYPE9:
            offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
                                                         offset, next_offset,
                                                         hnd_type, ext_type,
                                                         session);
            break;
        case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
            /* Only the ClientHello contributes to the JA3 string. */
            if (hnd_type == SSL_HND_CLIENT_HELLO) {
                offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
                                                                    next_offset, ja3_sg);
            } else {
                offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
                                                                    next_offset, NULL((void*)0));
            }
            break;
        case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
            if (hnd_type == SSL_HND_CLIENT_HELLO) {
                offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
            } else {
                offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
            }
            break;
            /* NOTE(review): the second break is unreachable; harmless, drop it. */
            break;
        case SSL_HND_HELLO_EXT_SRP12:
            offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
            offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
            break;
        case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
            /* Same wire format as signature_algorithms, but not part of JA4. */
            offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
            break;
        case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
            offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
            break;
        case SSL_HND_HELLO_EXT_USE_SRTP14:
            if (is_dtls) {
                if (hnd_type == SSL_HND_CLIENT_HELLO) {
                    offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
                } else if (hnd_type == SSL_HND_SERVER_HELLO) {
                    offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
                }
            } else {
                // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
                // (Left undissected on TLS; ssl_end_vector below skips its payload.)
            }
            break;
        case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
            offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
            /* Needs the key map: ECH may be decrypted with configured keys. */
            offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map);
            break;
        case SSL_HND_HELLO_EXT_HEARTBEAT15:
            proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
                                tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
            offset++;
            break;
        case SSL_HND_HELLO_EXT_ALPN16:
            offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
            break;
        case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
            if (hnd_type == SSL_HND_CLIENT_HELLO)
                offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
            // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
            if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
                offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
            break;
        case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
        case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
            offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
                                                         offset, next_offset,
                                                         hnd_type, ext_type,
                                                         session);
            break;
        case SSL_HND_HELLO_EXT_PADDING21:
            proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
            offset += ext_len;
            break;
        case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
            /* Decryption state: only the server's acceptance switches EtM on. */
            if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
                ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
                ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
            }
            break;
        case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
            /* Both sides are tracked separately; EMS is in effect only when
             * both flags end up set (decided elsewhere). */
            if (ssl) {
                switch (hnd_type) {
                case SSL_HND_CLIENT_HELLO:
                    ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
                    break;
                case SSL_HND_SERVER_HELLO:
                    ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
                    break;
                default: /* no default */
                    break;
                }
            }
            break;
        case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
            offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
            offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
            proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
                                tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
            offset += 2;
            break;
        case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
        case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
            offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
            offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
        case SSL_HND_HELLO_EXT_KEY_SHARE51:
            offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
            offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_EARLY_DATA42:
        case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
            offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
            /* ClientHello carries a list; ServerHello/HRR a single version.
             * Other message types leave offset untouched and are skipped by
             * ssl_end_vector below. */
            switch (hnd_type) {
            case SSL_HND_CLIENT_HELLO:
                offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
                break;
            case SSL_HND_SERVER_HELLO:
            case SSL_HND_HELLO_RETRY_REQUEST:
                proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
                offset += 2;
                proto_item_append_text(ext_tree, " %s", val_to_str(pinfo->pool, supported_version, ssl_versions, "Unknown (0x%04x)"));
                break;
            }
            break;
        case SSL_HND_HELLO_EXT_COOKIE44:
            offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
            offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
            offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_OID_FILTERS48:
            offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
            /* Empty extension: presence is the whole signal. */
            break;
        case SSL_HND_HELLO_EXT_NPN13172:
            offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_ALPS_OLD17513:
            offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
            break;
        case SSL_HND_HELLO_EXT_ALPS17613:
            offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
            break;
        case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
            offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
            offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
            /* Draft-era codepoint; remember it so the record layer can pick
             * the matching (older) CID handling. */
            session->deprecated_cid = true1;
            /* FALLTHRU */
        case SSL_HND_HELLO_EXT_CONNECTION_ID54:
            offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
            break;
        case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
            offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        default:
            /* Unknown or undissected extension: show its payload as opaque bytes. */
            proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
                                tvb, offset, ext_len, ENC_NA0x00000000);
            offset += ext_len;
            break;
        }

        if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
            /* Dissection did not end at expected location, fix it. */
            offset = next_offset;
        }
    }

    /* JA3 tail for a ClientHello: supported groups and EC point formats, each
     * preceded by its field separator; an absent field still yields a ','. */
    if (ja3) {
        if (hnd_type == SSL_HND_CLIENT_HELLO) {
            if(wmem_strbuf_get_len(ja3_sg) > 0) {
                wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
            } else {
                wmem_strbuf_append_c(ja3, ',');
            }
            if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
                wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
            } else {
                wmem_strbuf_append_c(ja3, ',');
            }
        }
    }

    /* Check if Extensions vector is correctly terminated. */
    if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
        offset = offset_end;
    }

    return offset;
} /* }}} */
12306
12307
12308/* ClientKeyExchange algo-specific dissectors. {{{ */
12309
/*
 * ClientKeyExchange for ECDH(E) suites (RFC 4492 5.7):
 *   ClientECDiffieHellmanPublic { ECPoint ecdh_Yc; }  with  opaque point<1..2^8-1>
 *
 * `length` only sizes the subtree.  The one-byte point length is taken from
 * the packet and is not cross-checked against it, so an oversized value is
 * presumably reported through the tvb bounds checks of the field accessors
 * rather than here.
 */
static void
dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                proto_tree *tree, uint32_t offset,
                                uint32_t length)
{
    proto_tree *ecdh_params;
    int         yc_octets;

    ecdh_params = proto_tree_add_subtree(tree, tvb, offset, length,
                                         hf->ett.keyex_params, NULL((void*)0),
                                         "EC Diffie-Hellman Client Params");

    /* ECPoint.point */
    yc_octets = tvb_get_uint8(tvb, offset);
    proto_tree_add_item(ecdh_params, hf->hf.hs_client_keyex_point_len, tvb,
                        offset, 1, ENC_BIG_ENDIAN0x00000000);
    offset += 1;
    proto_tree_add_item(ecdh_params, hf->hf.hs_client_keyex_point, tvb,
                        offset, yc_octets, ENC_NA0x00000000);
}
12328
/*
 * ClientKeyExchange for finite-field DH(E) suites with explicit Yc
 * (RFC 5246 7.4.7.2):  opaque dh_Yc<1..2^16-1>
 *
 * `length` only sizes the subtree; the two-byte vector length read from the
 * packet is not cross-checked against it (presumably the tvb accessors catch
 * an overlong value).
 */
static void
dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               proto_tree *tree, uint32_t offset, uint32_t length)
{
    proto_tree *dh_params;
    int         yc_octets;

    dh_params = proto_tree_add_subtree(tree, tvb, offset, length,
                                       hf->ett.keyex_params, NULL((void*)0),
                                       "Diffie-Hellman Client Params");

    /* ClientDiffieHellmanPublic.dh_public (explicit) */
    yc_octets = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(dh_params, hf->hf.hs_client_keyex_yc_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN0x00000000);
    offset += 2;
    proto_tree_add_item(dh_params, hf->hf.hs_client_keyex_yc, tvb,
                        offset, yc_octets, ENC_NA0x00000000);
}
12346
/*
 * ClientKeyExchange for RSA key transport (RFC 5246 7.4.7.1):
 *   EncryptedPreMasterSecret, as opaque<0..2^16-1> in TLS/DTLS.
 *
 * SSLv2, SSLv3 and the pre-0.9.8f OpenSSL DTLS dialect omit the two-octet
 * length prefix: there the whole handshake body (`length`) is the EPMS.
 * See https://gitlab.com/wireshark/wireshark/-/issues/10222
 *
 * Only the ciphertext is shown; decryption, if any, happens elsewhere.
 */
static void
dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               proto_tree *tree, uint32_t offset,
                               uint32_t length, const SslSession *session)
{
    proto_tree *rsa_params;
    int         epms_octets;

    rsa_params = proto_tree_add_subtree(tree, tvb, offset, length,
                                        hf->ett.keyex_params, NULL((void*)0),
                                        "RSA Encrypted PreMaster Secret");

    if (session->version == SSLV2_VERSION0x0002 ||
        session->version == SSLV3_VERSION0x300 ||
        session->version == DTLSV1DOT0_OPENSSL_VERSION0x100) {
        /* No length vector: the EPMS fills the handshake body. */
        epms_octets = length;
    } else {
        /* TLS and DTLS: vector length precedes the EPMS. */
        epms_octets = tvb_get_ntohs(tvb, offset);
        proto_tree_add_item(rsa_params, hf->hf.hs_client_keyex_epms_len, tvb,
                            offset, 2, ENC_BIG_ENDIAN0x00000000);
        offset += 2;
    }

    /* EncryptedPreMasterSecret.pre_master_secret */
    proto_tree_add_item(rsa_params, hf->hf.hs_client_keyex_epms, tvb,
                        offset, epms_octets, ENC_NA0x00000000);
}
12380
12381/* Used in PSK cipher suites */
/*
 * ClientKeyExchange prefix for PSK suites (RFC 4279 2):
 *   opaque psk_identity<0..2^16-1>;
 *
 * The subtree is opened with an unknown length and resized once the identity
 * length is known.  Returns the number of bytes consumed (2 + identity_len)
 * so the DHE/ECDHE-PSK callers can continue after the identity.  The length
 * is not bounded against the remaining message here.
 */
static uint32_t
dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               proto_tree *tree, uint32_t offset)
{
    proto_tree *psk_params;
    unsigned    id_octets;
    uint32_t    consumed;

    psk_params = proto_tree_add_subtree(tree, tvb, offset, -1,
                                        hf->ett.keyex_params, NULL((void*)0),
                                        "PSK Client Params");

    /* identity */
    id_octets = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(psk_params, hf->hf.hs_client_keyex_identity_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN0x00000000);
    proto_tree_add_item(psk_params, hf->hf.hs_client_keyex_identity, tvb,
                        offset + 2, id_octets, ENC_NA0x00000000);

    consumed = 2 + id_octets;
    proto_item_set_len(psk_params, consumed);
    return consumed;
}
12401
12402/* Used in RSA PSK cipher suites */
/*
 * ClientKeyExchange for RSA_PSK suites (RFC 4279 4):
 *   opaque psk_identity<0..2^16-1>;
 *   EncryptedPreMasterSecret;         (opaque<0..2^16-1>, RSA-encrypted)
 *
 * Both lengths come from the packet and are not bounded against `length`
 * here; `length` only sizes the subtree.
 */
static void
dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   proto_tree *tree, uint32_t offset,
                                   uint32_t length)
{
    proto_tree *psk_params;
    int         id_octets;
    int         epms_octets;

    psk_params = proto_tree_add_subtree(tree, tvb, offset, length,
                                        hf->ett.keyex_params, NULL((void*)0),
                                        "RSA PSK Client Params");

    /* psk_identity */
    id_octets = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(psk_params, hf->hf.hs_client_keyex_identity_len,
                        tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
    offset += 2;
    proto_tree_add_item(psk_params, hf->hf.hs_client_keyex_identity,
                        tvb, offset, id_octets, ENC_NA0x00000000);
    offset += id_octets;

    /* EncryptedPreMasterSecret (not Yc: RSA_PSK has no DH share) */
    epms_octets = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(psk_params, hf->hf.hs_client_keyex_epms_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN0x00000000);
    offset += 2;
    proto_tree_add_item(psk_params, hf->hf.hs_client_keyex_epms, tvb,
                        offset, epms_octets, ENC_NA0x00000000);
}
12429
12430/* Used in Diffie-Hellman PSK cipher suites */
/*
 * ClientKeyExchange for DHE_PSK suites (RFC 4279 3):
 *   opaque psk_identity<0..2^16-1>;
 *   ClientDiffieHellmanPublic public;
 *
 * The identity is dissected by the PSK helper, the DH share by the DHE
 * helper, each in its own subtree.  NOTE(review): `length - psk_len` is
 * unsigned and wraps if the identity claims to be longer than the message;
 * whether that is reachable depends on how the tvb is bounded -- confirm.
 */
static void
dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   proto_tree *tree, uint32_t offset, uint32_t length)
{
    const uint32_t identity_span = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);

    dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree,
                                   offset + identity_span,
                                   length - identity_span);
}
12448
12449/* Used in EC Diffie-Hellman PSK cipher suites */
/*
 * ClientKeyExchange for ECDHE_PSK suites (RFC 5489 2):
 *   opaque psk_identity<0..2^16-1>;
 *   ClientECDiffieHellmanPublic public;
 *
 * The identity is dissected by the PSK helper, the EC point by the ECDH
 * helper, each in its own subtree.  NOTE(review): `length - psk_len` is
 * unsigned and wraps if the identity claims to be longer than the message;
 * whether that is reachable depends on how the tvb is bounded -- confirm.
 */
static void
dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                    proto_tree *tree, uint32_t offset, uint32_t length)
{
    const uint32_t identity_span = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);

    dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree,
                                    offset + identity_span,
                                    length - identity_span);
}
12467
12468/* Used in EC J-PAKE cipher suites */
/*
 * ClientKeyExchange for EC J-PAKE suites (Thread / mbedTLS dialect):
 *
 *   struct { ECPoint V; opaque r<1..2^8-1>; } ECSchnorrZKP;
 *   struct { ECPoint X; ECSchnorrZKP zkp; } ECJPAKEKeyKP;
 *   struct { ECJPAKEKeyKP ecjpake_key_kp; } ClientECJPAKEParams;
 *
 * i.e. three consecutive one-byte-length-prefixed octet strings: the public
 * key X, the ZKP commitment V and the ZKP response r.  The lengths are taken
 * from the packet and not bounded against `length`, which only sizes the
 * subtree.
 */
static void
dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   proto_tree *tree, uint32_t offset,
                                   uint32_t length)
{
    proto_tree *jpake_params;
    /* Field pairs in wire order: (length field, value field). */
    const struct {
        int hf_len;
        int hf_val;
    } fields[] = {
        { hf->hf.hs_client_keyex_xc_len, hf->hf.hs_client_keyex_xc }, /* ECJPAKEKeyKP.X */
        { hf->hf.hs_client_keyex_vc_len, hf->hf.hs_client_keyex_vc }, /* zkp.V */
        { hf->hf.hs_client_keyex_rc_len, hf->hf.hs_client_keyex_rc }, /* zkp.r */
    };
    unsigned i;

    jpake_params = proto_tree_add_subtree(tree, tvb, offset, length,
                                          hf->ett.keyex_params, NULL((void*)0),
                                          "EC J-PAKE Client Params");

    for (i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        const int octets = tvb_get_uint8(tvb, offset);

        proto_tree_add_item(jpake_params, fields[i].hf_len, tvb,
                            offset, 1, ENC_BIG_ENDIAN0x00000000);
        proto_tree_add_item(jpake_params, fields[i].hf_val, tvb,
                            offset + 1, octets, ENC_NA0x00000000);
        offset += 1 + octets;
    }
}
12525
/*
 * ClientKeyExchange for ECC-SM2 suites (GM/T 0024 / RFC 8998 style):
 *   an SM2-encrypted pre-master secret as opaque<0..2^16-1>.
 *
 * `length` only sizes the subtree; the vector length is read from the packet
 * and not bounded against it.
 */
static void
dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   proto_tree *tree, uint32_t offset,
                                   uint32_t length)
{
    proto_tree *sm2_params;
    int         epms_octets;

    sm2_params = proto_tree_add_subtree(tree, tvb, offset, length,
                                        hf->ett.keyex_params, NULL((void*)0),
                                        "ECC-SM2 Encrypted PreMaster Secret");

    /* EncryptedPreMasterSecret length, then the ciphertext itself. */
    epms_octets = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(sm2_params, hf->hf.hs_client_keyex_epms_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN0x00000000);
    proto_tree_add_item(sm2_params, hf->hf.hs_client_keyex_epms, tvb,
                        offset + 2, epms_octets, ENC_NA0x00000000);
}
12545/* ClientKeyExchange algo-specific dissectors. }}} */
12546
12547
12548/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
/*
 * Dissect a DigitallySigned structure (RFC 5246 4.7):
 *   [SignatureAndHashAlgorithm algorithm;]   -- (D)TLS 1.2 and later only
 *   opaque signature<0..2^16-1>;
 *
 * `version` selects whether the 2-byte algorithm prefix is present.  The
 * signature length is validated against offset_end via ssl_add_vector; on
 * failure the remainder is skipped and offset_end returned.  Returns the
 * offset just past the signature.  No signature verification is attempted.
 */
static uint32_t
ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                             proto_tree *tree, uint32_t offset, uint32_t offset_end,
                             uint16_t version, int hf_sig_len, int hf_sig)
{
    uint32_t sig_octets;
    const int has_sig_alg = version == TLSV1DOT2_VERSION0x303 ||
                            version == DTLSV1DOT2_VERSION0xfefd ||
                            version == TLSV1DOT3_VERSION0x304 ||
                            version == DTLSV1DOT3_VERSION0xfefc;

    if (has_sig_alg) {
        tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
        offset += 2;
    }

    /* signature<0..2^16-1>; a bad length has presumably been reported by the
     * vector helper already, so just give up on the rest of the structure. */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_octets,
                        hf_sig_len, 0, UINT16_MAX(65535))) {
        return offset_end;
    }
    offset += 2;
    proto_tree_add_item(tree, hf_sig, tvb, offset, sig_octets, ENC_NA0x00000000);
    return offset + sig_octets;
} /* }}} */
12579
12580/* ServerKeyExchange algo-specific dissectors. {{{ */
12581
12582/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
/*
 * Dissect the signed_params that follow the key-exchange parameters in a
 * ServerKeyExchange (RFC 5246 7.4.3):
 *
 *   digitally-signed struct {
 *       opaque client_random[32];
 *       opaque server_random[32];
 *       ServerDHParams / ServerECDHParams params;
 *   } signed_params;
 *
 * Only the DigitallySigned wrapper is on the wire here; the randoms and the
 * params are covered by the signature but not repeated.  TLS 1.2 carries an
 * explicit SignatureAndHashAlgorithm; TLS 1.0/1.1 (RFC 2246 / RFC 4346) do
 * not, and SSLv3 (RFC 6101 5.6.8) differs only in how the hash is computed.
 * That version dependence is handled by ssl_dissect_digitally_signed; its
 * end offset is not needed by the callers and is discarded.
 */
static void
dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               uint16_t version)
{
    (void) ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
                                        hf->hf.hs_server_keyex_sig_len,
                                        hf->hf.hs_server_keyex_sig);
}
12606
/*
 * Dissect ECParameters (RFC 4492 5.4):
 *
 *   struct {
 *       ECCurveType curve_type;
 *       select (curve_type) {
 *           case explicit_prime: ...
 *           case explicit_char2: ...
 *           case named_curve:    NamedCurve namedcurve;
 *       };
 *   } ECParameters;
 *
 * Only named_curve (3) is handled.  For explicit curve parameters nothing
 * beyond curve_type is dissected and offset_end is returned, which callers
 * use as the "stop here" signal.  Returns the offset after the parameters.
 */
static uint32_t
dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    const int curve_type = tvb_get_uint8(tvb, offset);

    /* ECParameters.curve_type */
    proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
                        offset, 1, ENC_BIG_ENDIAN0x00000000);
    offset += 1;

    if (curve_type == 3) {
        /* named_curve: ECParameters.namedcurve */
        proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
                            offset, 2, ENC_BIG_ENDIAN0x00000000);
        return offset + 2;
    }

    return offset_end; /* only named_curves are supported */
}
12644
/*
 * ServerKeyExchange for ECDH(E) suites (RFC 4492 5.4):
 *
 *   struct { opaque point <1..2^8-1>; } ECPoint;
 *   struct { ECParameters curve_params; ECPoint public; } ServerECDHParams;
 *   select (KeyExchangeAlgorithm) {
 *       case ec_diffie_hellman:
 *           ServerECDHParams params;
 *           Signature signed_params;     -- absent when `anon`
 *   } ServerKeyExchange;
 *
 * Explicit curve parameters are not dissected: dissect_tls_ecparameters then
 * returns offset_end and the rest of the message is left as is.  The point
 * length comes from the packet and is not bounded against offset_end here.
 */
static void
dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                uint16_t version, bool_Bool anon)
{
    proto_tree *ecdh_params;
    int         pub_octets;

    ecdh_params = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                         hf->ett.keyex_params, NULL((void*)0),
                                         "EC Diffie-Hellman Server Params");

    offset = dissect_tls_ecparameters(hf, tvb, ecdh_params, offset, offset_end);
    if (offset >= offset_end) {
        return; /* only named_curves are supported */
    }

    /* ECPoint.point */
    pub_octets = tvb_get_uint8(tvb, offset);
    proto_tree_add_item(ecdh_params, hf->hf.hs_server_keyex_point_len, tvb,
                        offset, 1, ENC_BIG_ENDIAN0x00000000);
    proto_tree_add_item(ecdh_params, hf->hf.hs_server_keyex_point, tvb,
                        offset + 1, pub_octets, ENC_NA0x00000000);
    offset += 1 + pub_octets;

    /* Anonymous ECDH (and the PSK variants) carry no signature. */
    if (anon) {
        return;
    }
    dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ecdh_params, offset, offset_end, version);
}
12692
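/*
 * ServerKeyExchange for finite-field DH(E) suites (RFC 5246 7.4.3):
 *
 *   struct {
 *       opaque dh_p<1..2^16-1>;
 *       opaque dh_g<1..2^16-1>;
 *       opaque dh_Ys<1..2^16-1>;
 *   } ServerDHParams;
 *   followed by signed_params unless the exchange is anonymous (`anon`).
 *
 * `version` only shapes the DigitallySigned structure; the PSK variants pass
 * version 0 together with anon == true, so it is never consulted for them.
 *
 * Each 2-byte length is taken from the packet and not cross-checked against
 * offset_end here (presumably the tvb bounds checks in the field accessors
 * catch an overlong value).  p_len is displayed only: nothing flags short
 * (weak) groups.
 */
static void
dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               uint16_t version, bool_Bool anon)
{
    int p_len, g_len, ys_len;
    proto_tree *ssl_dh_tree;

    ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                         hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");

    /* p */
    p_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN0x00000000);
    proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
                        offset + 2, p_len, ENC_NA0x00000000);
    offset += 2 + p_len;

    /* g */
    g_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN0x00000000);
    proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
                        offset + 2, g_len, ENC_NA0x00000000);
    offset += 2 + g_len;

    /* Ys -- the length field is added from the tvb like p_len and g_len
     * above (previously proto_tree_add_uint with the already-read value,
     * which displays the same but was inconsistent with its siblings). */
    ys_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN0x00000000);
    proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
                        offset + 2, ys_len, ENC_NA0x00000000);
    offset += 2 + ys_len;

    /* Signature (if non-anonymous KEX) */
    if (!anon) {
        dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
    }
}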
12733
12734/* Only used in RSA-EXPORT cipher suites */
12735static void
12736dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12737 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12738 uint16_t version)
12739{
12740 int modulus_len, exponent_len;
12741 proto_tree *ssl_rsa_tree;
12742
12743 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12744 hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");
12745
12746 /* modulus */
12747 modulus_len = tvb_get_ntohs(tvb, offset);
12748 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
12749 offset, 2, ENC_BIG_ENDIAN0x00000000);
12750 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
12751 offset + 2, modulus_len, ENC_NA0x00000000);
12752 offset += 2 + modulus_len;
12753
12754 /* exponent */
12755 exponent_len = tvb_get_ntohs(tvb, offset);
12756 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
12757 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12758 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
12759 tvb, offset + 2, exponent_len, ENC_NA0x00000000);
12760 offset += 2 + exponent_len;
12761
12762 /* Signature */
12763 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
12764}
12765
12766/* Used in RSA PSK and PSK cipher suites */
12767static uint32_t
12768dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12769 proto_tree *tree, uint32_t offset)
12770{
12771 unsigned hint_len;
12772 proto_tree *ssl_psk_tree;
12773
12774 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12775 hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");
12776
12777 /* hint */
12778 hint_len = tvb_get_ntohs(tvb, offset);
12779 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
12780 offset, 2, ENC_BIG_ENDIAN0x00000000);
12781 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
12782 offset + 2, hint_len, ENC_NA0x00000000);
12783
12784 proto_item_set_len(ssl_psk_tree, 2 + hint_len);
12785 return 2 + hint_len;
12786}
12787
12788/* Used in Diffie-Hellman PSK cipher suites */
12789static void
12790dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12791 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12792{
12793 /*
12794 * struct {
12795 * select (KeyExchangeAlgorithm) {
12796 * case diffie_hellman_psk:
12797 * opaque psk_identity_hint<0..2^16-1>;
12798 * ServerDHParams params;
12799 * };
12800 * } ServerKeyExchange;
12801 */
12802
12803 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12804 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12805}
12806
12807/* Used in EC Diffie-Hellman PSK cipher suites */
12808static void
12809dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12810 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12811{
12812 /*
12813 * struct {
12814 * select (KeyExchangeAlgorithm) {
12815 * case ec_diffie_hellman_psk:
12816 * opaque psk_identity_hint<0..2^16-1>;
12817 * ServerECDHParams params;
12818 * };
12819 * } ServerKeyExchange;
12820 */
12821
12822 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12823 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12824}
12825
12826/* Used in EC J-PAKE cipher suites */
12827static void
12828dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12829 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12830{
12831 /*
12832 * struct {
12833 * ECPoint V;
12834 * opaque r<1..2^8-1>;
12835 * } ECSchnorrZKP;
12836 *
12837 * struct {
12838 * ECPoint X;
12839 * ECSchnorrZKP zkp;
12840 * } ECJPAKEKeyKP;
12841 *
12842 * struct {
12843 * ECParameters curve_params;
12844 * ECJPAKEKeyKP ecjpake_key_kp;
12845 * } ServerECJPAKEParams;
12846 *
12847 * select (KeyExchangeAlgorithm) {
12848 * case ecjpake:
12849 * ServerECJPAKEParams params;
12850 * } ServerKeyExchange;
12851 */
12852
12853 int point_len;
12854 proto_tree *ssl_ecjpake_tree;
12855
12856 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12857 hf->ett.keyex_params, NULL((void*)0),
12858 "EC J-PAKE Server Params");
12859
12860 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
12861 if (offset >= offset_end)
12862 return; /* only named_curves are supported */
12863
12864 /* ECJPAKEKeyKP.X */
12865 point_len = tvb_get_uint8(tvb, offset);
12866 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
12867 offset, 1, ENC_BIG_ENDIAN0x00000000);
12868 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
12869 offset + 1, point_len, ENC_NA0x00000000);
12870 offset += 1 + point_len;
12871
12872 /* ECJPAKEKeyKP.zkp.V */
12873 point_len = tvb_get_uint8(tvb, offset);
12874 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
12875 offset, 1, ENC_BIG_ENDIAN0x00000000);
12876 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
12877 offset + 1, point_len, ENC_NA0x00000000);
12878 offset += 1 + point_len;
12879
12880 /* ECJPAKEKeyKP.zkp.r */
12881 point_len = tvb_get_uint8(tvb, offset);
12882 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
12883 offset, 1, ENC_BIG_ENDIAN0x00000000);
12884 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
12885 offset + 1, point_len, ENC_NA0x00000000);
12886}
12887
/* Only used in ECC-SM2-EXPORT cipher suites */
static void
dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                   proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                   uint16_t version)
{
    /* The subtree spans the whole body [offset, offset_end); only a
     * Signature is dissected into it. */
    proto_tree *sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                                  hf->ett.keyex_params, NULL,
                                                  "ECC-SM2-EXPORT Server Params");

    dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, sm2_tree, offset, offset_end, version);
}
12902/* ServerKeyExchange algo-specific dissectors. }}} */
12903
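/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */

/*
 * Add the expert info for a ClientKeyExchange/ServerKeyExchange body that is
 * not dissected: either no cipher suite is known for the session
 * ('cipher' == 0) or the suite is known but its key exchange is not
 * implemented. Shared by both entry points below so that they report the
 * two situations identically. 'length' is the number of bytes to flag.
 */
static void
ssl_hnd_keyex_add_undecoded(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                            uint32_t offset, uint32_t length, int cipher)
{
    if (cipher == 0) {
        proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                     tvb, offset, length,
                                     "Cipher Suite not found");
        return;
    }
    proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                 tvb, offset, length,
                                 "Cipher Suite 0x%04x is not implemented, "
                                 "contact Wireshark developers if you want this to be supported",
                                 cipher);
}

/*
 * Dissect a ClientKeyExchange body of 'length' bytes starting at 'offset'.
 * The layout is selected by the key-exchange algorithm of the cipher suite
 * recorded on 'session'; suites whose exchange is not implemented (KRB5,
 * SRP_SHA*) and unknown suites are flagged with expert info only.
 */
void
ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                          proto_tree *tree, uint32_t offset, uint32_t length,
                          const SslSession *session)
{
    switch (ssl_get_keyex_alg(session->cipher)) {
    case KEX_DH_ANON: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
    case KEX_DH_DSS:
    case KEX_DH_RSA:
    case KEX_DHE_DSS:
    case KEX_DHE_RSA:
        dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
        break;
    case KEX_DHE_PSK: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
        dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
        break;
    case KEX_ECDH_ANON: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
    case KEX_ECDH_ECDSA:
    case KEX_ECDH_RSA:
    case KEX_ECDHE_ECDSA:
    case KEX_ECDHE_RSA:
        dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
        break;
    case KEX_ECDHE_PSK: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
        dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
        break;
    case KEX_KRB5: /* RFC 2712; krb5: KerberosWrapper */
        /* XXX: implement support for KRB5 */
        proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                     tvb, offset, length,
                                     "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
                                     " developers if you want them to be supported");
        break;
    case KEX_PSK: /* RFC 4279; psk: psk_identity */
        dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
        break;
    case KEX_RSA: /* RFC 5246; rsa: EncryptedPreMasterSecret */
        dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
        break;
    case KEX_RSA_PSK: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
        dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
        break;
    case KEX_SRP_SHA: /* RFC 5054; srp: ClientSRPPublic */
    case KEX_SRP_SHA_DSS:
    case KEX_SRP_SHA_RSA:
        /* XXX: implement support for SRP_SHA* */
        proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                     tvb, offset, length,
                                     "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
                                     " developers if you want them to be supported");
        break;
    case KEX_ECJPAKE: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
        dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
        break;
    case KEX_ECC_SM2: /* GB/T 38636 */
        dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
        break;
    default:
        ssl_hnd_keyex_add_undecoded(hf, tvb, tree, offset, length, session->cipher);
        break;
    }
}

/*
 * Dissect a ServerKeyExchange body spanning [offset, offset_end). The
 * layout is selected by the key-exchange algorithm of the cipher suite
 * recorded on 'session'. Suites for which a ServerKeyExchange is not
 * allowed (static DH, KRB5) get the hs_srv_keyex_illegal expert info;
 * not-implemented (SRP_SHA*) and unknown suites are flagged with
 * hs_ciphersuite_undecoded. Note this takes an end offset, unlike the
 * ClientKeyExchange variant which takes a length.
 */
void
ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                          proto_tree *tree, uint32_t offset, uint32_t offset_end,
                          const SslSession *session)
{
    switch (ssl_get_keyex_alg(session->cipher)) {
    case KEX_DH_ANON: /* RFC 5246; ServerDHParams */
        dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true);
        break;
    case KEX_DH_DSS: /* RFC 5246; not allowed */
    case KEX_DH_RSA:
        proto_tree_add_expert(tree, NULL, &hf->ei.hs_srv_keyex_illegal,
                              tvb, offset, offset_end - offset);
        break;
    case KEX_DHE_DSS: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
    case KEX_DHE_RSA:
        dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false);
        break;
    case KEX_DHE_PSK: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
        dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
        break;
    case KEX_ECDH_ANON: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
        dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true);
        break;
    case KEX_ECDHE_PSK: /* RFC 5489; psk_identity_hint, ServerECDHParams */
        dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
        break;
    case KEX_ECDH_ECDSA: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
    case KEX_ECDH_RSA:
    case KEX_ECDHE_ECDSA:
    case KEX_ECDHE_RSA:
        dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false);
        break;
    case KEX_KRB5: /* RFC 2712; not allowed */
        proto_tree_add_expert(tree, NULL, &hf->ei.hs_srv_keyex_illegal,
                              tvb, offset, offset_end - offset);
        break;
    case KEX_PSK: /* RFC 4279; psk, rsa: psk_identity */
    case KEX_RSA_PSK:
        dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
        break;
    case KEX_RSA: /* only allowed if the public key in the server certificate is longer than 512 bits */
        dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
        break;
    case KEX_ECC_SM2: /* GB/T 38636 */
        dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
        break;
    case KEX_SRP_SHA: /* RFC 5054; srp: ServerSRPParams, Signature */
    case KEX_SRP_SHA_DSS:
    case KEX_SRP_SHA_RSA:
        /* XXX: implement support for SRP_SHA* */
        proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                     tvb, offset, offset_end - offset,
                                     "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
                                     " developers if you want them to be supported");
        break;
    case KEX_ECJPAKE: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
        dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
        break;
    default:
        ssl_hnd_keyex_add_undecoded(hf, tvb, tree, offset, offset_end - offset, session->cipher);
        break;
    }
}
/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */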
13053
void
tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                             proto_tree *tree, uint32_t offset)
{
    /* RFC 8446 Section 4.6.3
     *   enum {
     *       update_not_requested(0), update_requested(1), (255)
     *   } KeyUpdateRequest;
     *
     *   struct {
     *       KeyUpdateRequest request_update;
     *   } KeyUpdate;
     *
     * The body is a single enum octet, so one item covers the whole message.
     */
    enum { TLS13_KEY_UPDATE_REQUEST_LEN = 1 };

    proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset,
                        TLS13_KEY_UPDATE_REQUEST_LEN, ENC_NA);
}
13069
/*
 * Register the TLS ALPN dissector table under 'name' and remember it in
 * ssl_alpn_dissector_table. The alias keeps the older table name resolving
 * to the same table for callers that still register with it.
 */
void
ssl_common_register_ssl_alpn_dissector_table(const char *name,
    const char *ui_name, const int proto)
{
    dissector_table_t table = register_dissector_table(name, ui_name,
                                                       proto, FT_STRING, STRING_CASE_SENSITIVE);

    ssl_alpn_dissector_table = table;
    register_dissector_table_alias(table, "ssl.handshake.extensions_alpn_str");
}
13078
/*
 * Register the DTLS ALPN dissector table under 'name' and remember it in
 * dtls_alpn_dissector_table.
 */
void
ssl_common_register_dtls_alpn_dissector_table(const char *name,
    const char *ui_name, const int proto)
{
    dissector_table_t table = register_dissector_table(name, ui_name,
                                                       proto, FT_STRING, STRING_CASE_SENSITIVE);

    dtls_alpn_dissector_table = table;
    /* NOTE(review): the alias is attached to ssl_alpn_dissector_table, not to
     * the DTLS table registered just above, so "dtls.handshake.extensions_alpn_str"
     * resolves to the TLS ALPN table and depends on the TLS table having been
     * registered first. Behaviour is kept as-is here; confirm this is intended
     * rather than a carry-over from the TLS variant. */
    register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
}
13087
/*
 * Register the preferences shared by the TLS and DTLS dissectors on
 * 'module': the hex PSK string and, for TLS only, the (pre-)master-secret
 * log file. For DTLS the keylog preference is marked obsolete and replaced
 * by a static note pointing at the TLS preference, which covers both.
 */
void
ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool is_dtls)
{
    static const char keylog_help[] =
        "The name of a file which contains a list of \n"
        "(pre-)master secrets in one of the following formats:\n"
        "\n"
        "RSA <EPMS> <PMS>\n"
        "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
        "CLIENT_RANDOM <CRAND> <MS>\n"
        "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
        "\n"
        "Where:\n"
        "<EPMS> = First 8 bytes of the Encrypted PMS\n"
        "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
        "<SSLID> = The SSL Session ID\n"
        "<MS> = The Master-Secret (MS)\n"
        "<CRAND> = The Client's random number from the ClientHello message\n"
        "\n"
        "(All fields are in hex notation)";

    prefs_register_string_preference(module, "psk", "Pre-Shared Key",
                                     "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
                                     &(options->psk));

    if (!is_dtls) {
        prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
                                           keylog_help, &(options->keylog_filename), false);
        return;
    }

    /* DTLS: the keylog file is configured once, on the TLS protocol. */
    prefs_register_obsolete_preference(module, "keylog_file");
    prefs_register_static_text_preference(module, "keylog_file_removed",
        "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
        "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
}
13122
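/*
 * Decide whether handshake message 'msg_type' belongs in the transcript
 * accumulated on 'ssl_session' (see ssl_calculate_handshake_hash). The
 * message types that count differ per version, but every version starts at
 * the ClientHello and includes everything up to the ServerHello, at which
 * point the version is known.
 *
 * XXX - However, DTLS 1.2 includes the DTLS-specific fragment info fields
 * in its handshake transcript, whereas DTLS 1.3 does not (using the same
 * format as TLS 1.3). We don't know at the point of the ClientHello which
 * version will be used, so PSK only likely doesn't work for DTLS 1.3 yet.
 */
static bool
ssl_handshake_hash_wants_msg(const SslDecryptSession *ssl_session, uint8_t msg_type, bool is_from_server)
{
    switch (ssl_session->session.version) {
    case TLSV1DOT3_VERSION:
    case DTLSV1DOT3_VERSION:
        /* In [D]TLS 1.3 only the following handshake messages are used in the
         * handshake transcript. EndOfEarlyData and the Client Certificate,
         * Certificate Verify, and Finished are used in deriving the
         * resumption_master_secret but not the other secrets derived from
         * the master secret (client or server app traffic secret, exporter
         * secret). We don't yet support calculating a PSK to resume via
         * the resumption_master_secret, so we simply stop the transcript
         * with the server Finished. See RFC 8446 4.4.1 & 7.1 */
        switch (msg_type) {
        case SSL_HND_CLIENT_HELLO:
        case SSL_HND_SERVER_HELLO:
        case SSL_HND_HELLO_RETRY_REQUEST:
        case SSL_HND_ENCRYPTED_EXTENSIONS:
        case SSL_HND_CERT_REQUEST:
            return true;
        case SSL_HND_CERTIFICATE:
        case SSL_HND_CERT_VERIFY:
        case SSL_HND_FINISHED:
            /* Server-side only; the client's copies are excluded. */
            return is_from_server;
        case SSL_HND_END_OF_EARLY_DATA:
        default:
            return false;
        }
    default:
        /* In [D]TLS 1.2, the handshake hash for the Extended Master Secret
         * (RFC 7627) is calculated up to and including ClientKeyExchange,
         * but the keys are not retrieved until ChangeCipherSpec later. If
         * mutual authentication is requested by the server, an intervening
         * CertificateVerify message can be sent but is not to be included
         * in the hash. Once the master secret is known the transcript is
         * complete and nothing further is appended. */
        if (msg_type == SSL_HND_CERT_VERIFY)
            return false;
        return (ssl_session->state & SSL_MASTER_SECRET) == 0;
    }
}

/*
 * Append 'length' bytes to ssl_session->handshake_data (file-scope memory).
 * With a tvb, the bytes are copied from [offset, offset+length) if they are
 * all present; a truncated message is skipped entirely, which leaves the
 * transcript short (and any secret derived from it wrong), so this is
 * logged. With a NULL tvb, 'length' zero bytes are appended instead.
 */
static void
ssl_handshake_hash_append(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length)
{
    uint32_t old_length = ssl_session->handshake_data.data_len;

    ssl_debug_printf("Calculating hash with offset %u %u\n", offset, length);
    if (tvb) {
        if (!tvb_bytes_exist(tvb, offset, length)) {
            ssl_debug_printf("Handshake message truncated, not added to handshake hash\n");
            return;
        }
    } else {
        /* DTLS calculates the hash as if each handshake message had been
         * sent as a single fragment (RFC 6347, section 4.2.6) and passes
         * in a null tvbuff to add 3 bytes for a zero fragment offset.
         */
        DISSECTOR_ASSERT_CMPINT(length, <, 4);
    }

    ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
    if (tvb) {
        tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
    } else {
        memset(ssl_session->handshake_data.data + old_length, 0, length);
    }
    ssl_session->handshake_data.data_len += length;
}

/*
 * Accumulate the raw bytes of a handshake message into the session's
 * handshake transcript. The transcript can be used in [D]TLS 1.2 for the
 * extended master secret of RFC 7627, and in [D]TLS 1.3 for computing the
 * secrets, though the latter is only useful when psk_ke (PSK-only key
 * exchange) is negotiated.
 *
 * ssl_session may be NULL (nothing is done). tvb may be NULL for the DTLS
 * fragment-header padding case; see ssl_handshake_hash_append. msg_type and
 * is_from_server select whether this message is part of the transcript at
 * all; see ssl_handshake_hash_wants_msg.
 */
void
ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length, uint8_t msg_type, bool is_from_server)
{
    if (!ssl_session)
        return;

    if (!ssl_handshake_hash_wants_msg(ssl_session, msg_type, is_from_server))
        return;

    ssl_handshake_hash_append(ssl_session, tvb, offset, length);
}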
13206
13207
13208/*
13209 * Editor modelines - https://www.wireshark.org/tools/modelines.html
13210 *
13211 * Local variables:
13212 * c-basic-offset: 4
13213 * tab-width: 8
13214 * indent-tabs-mode: nil
13215 * End:
13216 *
13217 * vi: set shiftwidth=4 tabstop=8 expandtab:
13218 * :indentSize=4:tabSize=8:noTabs=true:
13219 */