Bug Summary

File:builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
Warning:line 4942, column 17
Potential leak of memory pointed to by 'handshake_hashed_data.data'

Annotated Source Code


clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-22/lib/clang/22 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D CARES_NO_DEPRECATED -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-22/lib/clang/22/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/16/../../../../x86_64-linux-gnu/include -internal-externc-isystem 
/usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu17 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -fdwarf2-cfi-asm -o /builds/wireshark/wireshark/sbout/2026-06-05-100346-3529-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <[email protected]>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <[email protected]>
6 * Copyright (c) 2014, Peter Wu <[email protected]>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <[email protected]>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15#include "config.h"
16
17#include <stdlib.h>
18#include <errno(*__errno_location ()).h>
19
20#include <epan/packet.h>
21#include <epan/strutil.h>
22#include <epan/addr_resolv.h>
23#include <epan/expert.h>
24#include <epan/asn1.h>
25#include <epan/proto_data.h>
26#include <epan/oids.h>
27#include <epan/secrets.h>
28
29#include <wsutil/inet_cidr.h>
30#include <wsutil/filesystem.h>
31#include <wsutil/file_util.h>
32#include <wsutil/str_util.h>
33#include <wsutil/report_message.h>
34#include <wsutil/pint.h>
35#include <wsutil/strtoi.h>
36#include <wsutil/wsgcrypt.h>
37#include <wsutil/rsa.h>
38#include <wsutil/ws_assert.h>
39#include <wsutil/zlib_compat.h>
40#include "packet-ber.h"
41#include "packet-x509af.h"
42#include "packet-x509if.h"
43#include "packet-tls-utils.h"
44#include "packet-ocsp.h"
45#include "packet-tls.h"
46#include "packet-dtls.h"
47#include "packet-quic.h"
48#if defined(HAVE_LIBGNUTLS1)
49#include <gnutls/abstract.h>
50#include <gnutls/x509.h>
51#include <gnutls/pkcs12.h>
52#endif
53
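/* JA3/JA3S calculations must ignore GREASE values
 * as described in RFC 8701.
 *
 * The RFC 8701 GREASE values are the sixteen 16-bit numbers 0x0A0A,
 * 0x1A1A, ..., 0xFAFA: both bytes equal and the low nibble of each byte
 * 0xA.  The first test pins the low nibbles, the second requires the two
 * bytes to match.  'x' is evaluated several times, so pass a plain
 * value rather than an expression with side effects.  Only the low
 * 16 bits are examined; callers pass 16-bit protocol fields.
 */
#define IS_GREASE_TLS(x) \
    ((((x) & 0x0f0f) == 0x0a0a) && \
     (((x) & 0xff) == (((x)>>8) & 0xff)))

/* Section 22.3 of RFC 9000 (QUIC) reserves transport parameter
 * identifiers of the form 31 * N + 27, for integer N, for a similar
 * purpose as GREASE: they carry no semantics and must be ignored.
 *
 * N = 0 gives 27 itself, which is therefore reserved as well; the
 * comparison is '>=' so that 27 is classified like the rest of the
 * family.  The guard also keeps (x) - 27 from wrapping when 'x' is an
 * unsigned value smaller than 27.
 */
#define IS_GREASE_QUIC(x) ((x) >= 27 ? ((((x) - 27) % 31) == 0) : 0)

/* Upper bound on the DTLS 1.3 epoch handled by this dissector.
 * NOTE(review): meaning inferred from the name; confirm at the use
 * sites, which are not visible here. */
#define DTLS13_MAX_EPOCH 10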
66
67/* Lookup tables {{{ */
/* Short protocol version names suitable for compact display; the long
 * forms are in ssl_versions.  Keyed by the wire version number (the
 * *_VERSION macros from packet-tls-utils.h).  The DTLS values are the
 * one's complement of {major, minor} (0xfeff = DTLS 1.0, 0xfefd = 1.2,
 * 0xfefc = 1.3), so they decrease as the version increases.  0x0100 is
 * the number OpenSSL used for DTLS 1.0 before 0.9.8f and 0x0101 is
 * TLCP, the Chinese national TLS variant.
 */
const value_string ssl_version_short_names[] = {
    { SSLV2_VERSION,        "SSLv2" },
    { SSLV3_VERSION,        "SSLv3" },
    { TLSV1_VERSION,        "TLSv1" },
    { TLCPV1_VERSION,       "TLCP" },
    { TLSV1DOT1_VERSION,    "TLSv1.1" },
    { TLSV1DOT2_VERSION,    "TLSv1.2" },
    { TLSV1DOT3_VERSION,    "TLSv1.3" },
    { DTLSV1DOT0_VERSION,   "DTLSv1.0" },
    { DTLSV1DOT2_VERSION,   "DTLSv1.2" },
    { DTLSV1DOT3_VERSION,   "DTLSv1.3" },
    { DTLSV1DOT0_OPENSSL_VERSION, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
    { 0x00, NULL }
};
82
/* Full protocol version names, keyed by the wire version number.
 *
 * 0x7F0E-0x7F1C are the draft-ietf-tls-tls13-NN versions (0x7F00 |
 * draft number) and 0xFB17/0xFB1A Facebook's variants of drafts 23 and
 * 26; they only appear in pre-RFC 8446 captures.  The sixteen
 * "Reserved (GREASE)" entries are the RFC 8701 values a client may
 * advertise in supported_versions; a peer must never negotiate one.
 * Note that 0x0100 is the DTLS 1.0 number used by OpenSSL before
 * 0.9.8f, not SSL 1.0.
 */
const value_string ssl_versions[] = {
    { SSLV2_VERSION,        "SSL 2.0" },
    { SSLV3_VERSION,        "SSL 3.0" },
    { TLSV1_VERSION,        "TLS 1.0" },
    { TLCPV1_VERSION,       "TLCP" },
    { TLSV1DOT1_VERSION,    "TLS 1.1" },
    { TLSV1DOT2_VERSION,    "TLS 1.2" },
    { TLSV1DOT3_VERSION,    "TLS 1.3" },
    { 0x7F0E,               "TLS 1.3 (draft 14)" },
    { 0x7F0F,               "TLS 1.3 (draft 15)" },
    { 0x7F10,               "TLS 1.3 (draft 16)" },
    { 0x7F11,               "TLS 1.3 (draft 17)" },
    { 0x7F12,               "TLS 1.3 (draft 18)" },
    { 0x7F13,               "TLS 1.3 (draft 19)" },
    { 0x7F14,               "TLS 1.3 (draft 20)" },
    { 0x7F15,               "TLS 1.3 (draft 21)" },
    { 0x7F16,               "TLS 1.3 (draft 22)" },
    { 0x7F17,               "TLS 1.3 (draft 23)" },
    { 0x7F18,               "TLS 1.3 (draft 24)" },
    { 0x7F19,               "TLS 1.3 (draft 25)" },
    { 0x7F1A,               "TLS 1.3 (draft 26)" },
    { 0x7F1B,               "TLS 1.3 (draft 27)" },
    { 0x7F1C,               "TLS 1.3 (draft 28)" },
    { 0xFB17,               "TLS 1.3 (Facebook draft 23)" },
    { 0xFB1A,               "TLS 1.3 (Facebook draft 26)" },
    { DTLSV1DOT0_OPENSSL_VERSION, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
    { DTLSV1DOT0_VERSION,   "DTLS 1.0" },
    { DTLSV1DOT2_VERSION,   "DTLS 1.2" },
    { DTLSV1DOT3_VERSION,   "DTLS 1.3" },
    /* RFC 8701 GREASE: 0x?A?A with both bytes equal. */
    { 0x0A0A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x1A1A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x2A2A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x3A3A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x4A4A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x5A5A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x6A6A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x7A7A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x8A8A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x9A9A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xAAAA,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xBABA,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xCACA,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xDADA,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xEAEA,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xFAFA,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x00, NULL }
};
130
/* Version component of a JA4/JA4S fingerprint: the two characters that
 * encode the protocol version.  Keyed by the wire version number.
 * Values without an entry here (TLCP 0x0101, the TLS 1.3 drafts, GREASE)
 * fall through to whatever default the caller applies -- not visible
 * in this table.
 *
 * NOTE(review): 0x0100 is labelled "s1" (SSL 1.0, per the JA4 spec),
 * but the same value is DTLSV1DOT0_OPENSSL_VERSION in ssl_versions, so
 * a pre-0.9.8f OpenSSL DTLS 1.0 handshake would fingerprint as s1.
 */
static const value_string ssl_version_ja4_names[] = {
    { 0x0100,               "s1" },
    { SSLV2_VERSION,        "s2" },
    { SSLV3_VERSION,        "s3" },
    { TLSV1_VERSION,        "10" },
    { TLSV1DOT1_VERSION,    "11" },
    { TLSV1DOT2_VERSION,    "12" },
    { TLSV1DOT3_VERSION,    "13" },
    { DTLSV1DOT0_VERSION,   "d1" },
    { DTLSV1DOT2_VERSION,   "d2" },
    { DTLSV1DOT3_VERSION,   "d3" },
    { 0x00, NULL }
};
144
/* SSL 2.0 handshake message types: the MSG-TYPE byte that follows the
 * 2- or 3-byte SSLv2 record header.  SSL 2.0 is prohibited by RFC 6176;
 * the dissector keeps these to decode legacy captures and SSLv2-format
 * ClientHellos sent by old clients.
 */
const value_string ssl_20_msg_types[] = {
    { SSL2_HND_ERROR,               "Error" },
    { SSL2_HND_CLIENT_HELLO,        "Client Hello" },
    { SSL2_HND_CLIENT_MASTER_KEY,   "Client Master Key" },
    { SSL2_HND_CLIENT_FINISHED,     "Client Finished" },
    { SSL2_HND_SERVER_HELLO,        "Server Hello" },
    { SSL2_HND_SERVER_VERIFY,       "Server Verify" },
    { SSL2_HND_SERVER_FINISHED,     "Server Finished" },
    { SSL2_HND_REQUEST_CERTIFICATE, "Request Certificate" },
    { SSL2_HND_CLIENT_CERTIFICATE,  "Client Certificate" },
    { 0x00, NULL }
};
/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
 *
 * Cipher suite names keyed by the 3-byte SSLv2-style suite number:
 * 0x00hhll for a TLS suite {hh,ll} carried in an SSLv2 ClientHello,
 * while genuine SSLv2 suites have a non-zero top byte (see the end of
 * the table).
 *
 * Keep this table sorted by ascending value.  It is wrapped in
 * ssl_20_cipher_suites_ext below, and value_string_ext probes the array
 * on first use and picks a binary search only if it finds the entries
 * sorted; an out-of-order insert silently degrades every lookup to a
 * linear scan.
 *
 * This is a dissection table, not a list of acceptable suites: the
 * NULL (no encryption), anon (no authentication), EXPORT / EXPORT1024
 * (deliberately weakened keys), RC4, DES, MD5 and FORTEZZA entries are
 * here so that legacy captures still decode.
 */
static const value_string ssl_20_cipher_suites[] = {
    { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
    { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
    { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
    { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
    { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
    { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
    { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
    { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
    { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
    { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
    { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
    { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
    { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
    { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
    { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
    { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
    { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
    { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
    { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
    { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
    { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
#if 0
    /* Draft FORTEZZA number; it collides with TLS_KRB5_WITH_DES_CBC_SHA
     * (0x1E, RFC 2712) just below, which is why it is disabled. */
    { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
#endif
    /* RFC 2712 */
    { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
    { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
    { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
    { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
    { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
    { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
    { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
    { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
    { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
    { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
    { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
    { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
    { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
    { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
    /* RFC 4785 */
    { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
    { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
    { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
    /* RFC 5246 */
    { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
    { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
    { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
    { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
    { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
    { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
    { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
    { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
    { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
    { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
    { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
    { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
    { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
    { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
    { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
    { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
    { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
    /* 0x47-0x4C: early draft-ietf-tls-ecc numbers for the ECDH_ECDSA
     * suites; the standardised values are 0xC001-0xC005 below.  IANA
     * now marks 0x00,0x47-0x4F as reserved to avoid conflicts with
     * deployed implementations -- verify against the registry before
     * reusing any of them. */
    { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
    { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
    { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
    { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
    { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
    /* 0x60-0x66: draft-ietf-tls-56-bit-ciphersuites, never published
     * as an RFC; likewise reserved by IANA to avoid conflicts. */
    { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
    { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
    { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
    { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
    { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
    { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
    { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
    { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
    { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
    { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
    { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
    { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
    { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
    /* 0x00,0x6E-83 Unassigned */
    { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
    /* RFC 4279 */
    { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
    { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
    { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
    { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
    { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
    { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
    { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
    { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
    { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
    /* RFC 4162 */
    { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
    { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
    { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
    { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
    { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
    { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
    /* RFC 5288 */
    { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
    { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
    { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
    { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
    { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
    { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
    /* RFC 5487 */
    { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
    { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
    { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
    { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
    { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
    { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
    { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
    { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
    { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
    { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
    { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
    { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
    /* From RFC 5932 */
    { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
    /* 0x00,0xC6-FE Unassigned */
    /* RFC 5746 signalling suite: not a real cipher, marks support for
     * secure renegotiation. */
    { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
    /* 0x01-BF,* Unassigned */
    /* From RFC 4492 */
    { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
    { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
    { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
    { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
    { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
    { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
    { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
    { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
    { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
    { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
    { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
    { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
    { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
    { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
    { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
    { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
    { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
    { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
    { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
    { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
    { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
    /* RFC 5054 */
    { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
    { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
    { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
    { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
    { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
    { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
    { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
    /* RFC 5289 (ECC suites with SHA-256/384 and AES-GCM) */
    { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
    { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
    { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
    { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
    { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
    { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
    { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
    { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
    { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
    { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
    { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
    /* RFC 5489 */
    { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
    { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
    { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
    { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
    { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
    { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
    /* 0xC0,0x3C-FF Unassigned
       0xC1-FD,* Unassigned
       0xFE,0x00-FD Unassigned
       0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
       0xFF,0x00-FF Reserved for Private Use [RFC5246]
    */

    /* old numbers used in the beginning
     * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305
     * (pre-standard ChaCha20-Poly1305 with a different AEAD construction
     * from the RFC 7905 suites that share these names) */
    { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },

    /* https://tools.ietf.org/html/rfc7905 */
    { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },

    /* GM/T 0024-2014 (Chinese SM-series suites, used with TLCP) */
    { 0x00e001, "ECDHE_SM1_SM3"},
    { 0x00e003, "ECC_SM1_SM3"},
    { 0x00e005, "IBSDH_SM1_SM3"},
    { 0x00e007, "IBC_SM1_SM3"},
    { 0x00e009, "RSA_SM1_SM3"},
    { 0x00e00a, "RSA_SM1_SHA1"},
    { 0x00e011, "ECDHE_SM4_CBC_SM3"},
    { 0x00e013, "ECC_SM4_CBC_SM3"},
    { 0x00e015, "IBSDH_SM4_CBC_SM3"},
    { 0x00e017, "IBC_SM4_CBC_SM3"},
    { 0x00e019, "RSA_SM4_CBC_SM3"},
    { 0x00e01a, "RSA_SM4_CBC_SHA1"},
    { 0x00e01c, "RSA_SM4_CBC_SHA256"},
    { 0x00e051, "ECDHE_SM4_GCM_SM3"},
    { 0x00e053, "ECC_SM4_GCM_SM3"},
    { 0x00e055, "IBSDH_SM4_GCM_SM3"},
    { 0x00e057, "IBC_SM4_GCM_SM3"},
    { 0x00e059, "RSA_SM4_GCM_SM3"},
    { 0x00e05a, "RSA_SM4_GCM_SHA256"},

    /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls
     * (expired draft, never assigned by IANA) */
    { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
    { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
    { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
    { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
    { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
    { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
    { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
    { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },

    /* these from http://www.mozilla.org/projects/
       security/pki/nss/ssl/fips-ssl-ciphersuites.html
       (the 0xFEFE/0xFEFF pair is the IANA-reserved "widely deployed"
       range noted above). */
    { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
    { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
    { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
    { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
    /* note that ciphersuites of {0x00????} are TLS cipher suites in
     * a sslv2 client hello message; the ???? above is the two-byte
     * tls cipher suite id
     */

    /* Native SSL 2.0 suites: {kind, key-length/export marker} with a
     * non-zero first byte, so they sort after every TLS suite. */
    { 0x010080, "SSL2_RC4_128_WITH_MD5" },
    { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
    { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
    { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
    { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
    { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
    { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
    { 0x080080, "SSL2_RC4_64_WITH_MD5" },

    { 0x00, NULL }
};
478
/* Extended wrapper around ssl_20_cipher_suites for val_to_str_ext().
 * The wrapper probes the array on first use (_try_val_to_str_ext_init)
 * and selects a binary search only if the entries are sorted by value,
 * which is why the table above must stay in ascending order. */
value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites);
480
481
/*
 * Supported Groups (formerly named "EC Named Curve").
 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
 *
 * Keyed by the 16-bit NamedGroup value.  This is a plain value_string,
 * so lookup is a linear first-match scan: order does not matter for
 * correctness, but the first entry wins if a value is ever listed twice.
 *
 * 1-25 are the RFC 4492 curves; RFC 8422 deprecates all of them except
 * secp256r1/secp384r1/secp521r1 and adds x25519/x448.  The "Reserved
 * (GREASE)" entries are the RFC 8701 values 0x0A0A, 0x1A1A, ..., 0xFAFA
 * written in decimal.  Everything after the IANA block is an unofficial
 * codepoint from post-quantum experiments and may collide with later
 * assignments.
 */
const value_string ssl_extension_curves[] = {
    {  1, "sect163k1" },
    {  2, "sect163r1" },
    {  3, "sect163r2" },
    {  4, "sect193r1" },
    {  5, "sect193r2" },
    {  6, "sect233k1" },
    {  7, "sect233r1" },
    {  8, "sect239k1" },
    {  9, "sect283k1" },
    { 10, "sect283r1" },
    { 11, "sect409k1" },
    { 12, "sect409r1" },
    { 13, "sect571k1" },
    { 14, "sect571r1" },
    { 15, "secp160k1" },
    { 16, "secp160r1" },
    { 17, "secp160r2" },
    { 18, "secp192k1" },
    { 19, "secp192r1" },
    { 20, "secp224k1" },
    { 21, "secp224r1" },
    { 22, "secp256k1" },
    { 23, "secp256r1" },
    { 24, "secp384r1" },
    { 25, "secp521r1" },
    { 26, "brainpoolP256r1" }, /* RFC 7027 */
    { 27, "brainpoolP384r1" }, /* RFC 7027 */
    { 28, "brainpoolP512r1" }, /* RFC 7027 */
    { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
    { 30, "x448" }, /* RFC 8446 / RFC 8422 */
    { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
    { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
    { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
    { 34, "GC256A" }, /* RFC9189 */
    { 35, "GC256B" }, /* RFC9189 */
    { 36, "GC256C" }, /* RFC9189 */
    { 37, "GC256D" }, /* RFC9189 */
    { 38, "GC512A" }, /* RFC9189 */
    { 39, "GC512B" }, /* RFC9189 */
    { 40, "GC512C" }, /* RFC9189 */
    { 41, "curveSM2" }, /* RFC 8998 */
    { 256, "ffdhe2048" }, /* RFC 7919 */
    { 257, "ffdhe3072" }, /* RFC 7919 */
    { 258, "ffdhe4096" }, /* RFC 7919 */
    { 259, "ffdhe6144" }, /* RFC 7919 */
    { 260, "ffdhe8192" }, /* RFC 7919 */
    /* 0x0200-0x0202.  These overlap the OQS codepoints for frodo640aes,
     * frodo640shake and frodo976aes, which is presumably why those three
     * are missing from the OQS section further down. */
    { 512, "MLKEM512"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
    { 513, "MLKEM768"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
    { 514, "MLKEM1024"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
    { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
    /* 0x11EB-0x11ED: hybrid ECDHE + ML-KEM groups. */
    { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
    { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
    { 4589, "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
    { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
    { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
    { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
    { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
    { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
    /* 0x6399/0x639A: the pre-ML-KEM Kyber hybrids, superseded by the
     * 0x11EB-0x11ED groups above. */
    { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
    { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
    { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
    { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
    { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
    { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
    { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
    { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
    { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
    { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
    { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
    { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
    /* RFC 4492 explicit-curve markers; explicit curve parameters were
     * removed by RFC 8422 and should not appear in modern traffic. */
    { 0xFF01, "arbitrary_explicit_prime_curves" },
    { 0xFF02, "arbitrary_explicit_char2_curves" },
    /* Below are various unofficial values that have been used for testing. */
    /* PQC key exchange algorithms from OQS-OpenSSL,
       see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
       These use IANA unassigned values and this list may be incomplete.
       Plain 0x02xx values are the bare KEM, 0x2Fxx the matching
       NIST-curve hybrid.
    */
    { 0x2F00, "p256_frodo640aes" },
    { 0x2F01, "p256_frodo640shake" },
    { 0x2F02, "p384_frodo976aes" },
    { 0x0203, "frodo976shake" },
    { 0x2F03, "p384_frodo976shake" },
    { 0x0204, "frodo1344aes" },
    { 0x2F04, "p521_frodo1344aes" },
    { 0x0205, "frodo1344shake" },
    { 0x2F05, "p521_frodo1344shake" },
    { 0x023A, "kyber512" },
    { 0x2F3A, "p256_kyber512" },
    { 0x023C, "kyber768" },
    { 0x2F3C, "p384_kyber768" },
    { 0x023D, "kyber1024" },
    { 0x2F3D, "p521_kyber1024" },
    { 0x0214, "ntru_hps2048509" },
    { 0x2F14, "p256_ntru_hps2048509" },
    { 0x0215, "ntru_hps2048677" },
    { 0x2F15, "p384_ntru_hps2048677" },
    { 0x0216, "ntru_hps4096821" },
    { 0x2F16, "p521_ntru_hps4096821" },
    { 0x0245, "ntru_hps40961229" },
    { 0x2F45, "p521_ntru_hps40961229" },
    { 0x0217, "ntru_hrss701" },
    { 0x2F17, "p384_ntru_hrss701" },
    { 0x0246, "ntru_hrss1373" },
    { 0x2F46, "p521_ntru_hrss1373" },
    { 0x0218, "lightsaber" },
    { 0x2F18, "p256_lightsaber" },
    { 0x0219, "saber" },
    { 0x2F19, "p384_saber" },
    { 0x021A, "firesaber" },
    { 0x2F1A, "p521_firesaber" },
    /* SIDH/SIKE are cryptographically broken (Castryck-Decru, 2022);
     * kept only so old test captures still decode. */
    { 0x021B, "sidhp434" },
    { 0x2F1B, "p256_sidhp434" },
    { 0x021C, "sidhp503" },
    { 0x2F1C, "p256_sidhp503" },
    { 0x021D, "sidhp610" },
    { 0x2F1D, "p384_sidhp610" },
    { 0x021E, "sidhp751" },
    { 0x2F1E, "p521_sidhp751" },
    { 0x021F, "sikep434" },
    { 0x2F1F, "p256_sikep434" },
    { 0x0220, "sikep503" },
    { 0x2F20, "p256_sikep503" },
    { 0x0221, "sikep610" },
    { 0x2F21, "p384_sikep610" },
    { 0x0222, "sikep751" },
    { 0x2F22, "p521_sikep751" },
    { 0x0238, "bikel1" },
    { 0x2F38, "p256_bikel1" },
    { 0x023B, "bikel3" },
    { 0x2F3B, "p384_bikel3" },
    { 0x023E, "kyber90s512" },
    { 0x2F3E, "p256_kyber90s512" },
    { 0x023F, "kyber90s768" },
    { 0x2F3F, "p384_kyber90s768" },
    { 0x0240, "kyber90s1024" },
    { 0x2F40, "p521_kyber90s1024" },
    { 0x022C, "hqc128" },
    { 0x2F2C, "p256_hqc128" },
    { 0x022D, "hqc192" },
    { 0x2F2D, "p384_hqc192" },
    { 0x022E, "hqc256" },
    { 0x2F2E, "p521_hqc256" },
    { 0x022F, "ntrulpr653" },
    { 0x2F2F, "p256_ntrulpr653" },
    { 0x0230, "ntrulpr761" },
    { 0x2F43, "p256_ntrulpr761" },
    { 0x0231, "ntrulpr857" },
    { 0x2F31, "p384_ntrulpr857" },
    { 0x0241, "ntrulpr1277" },
    { 0x2F41, "p521_ntrulpr1277" },
    { 0x0232, "sntrup653" },
    { 0x2F32, "p256_sntrup653" },
    { 0x0233, "sntrup761" },
    { 0x2F44, "p256_sntrup761" },
    { 0x0234, "sntrup857" },
    { 0x2F34, "p384_sntrup857" },
    { 0x0242, "sntrup1277" },
    { 0x2F42, "p521_sntrup1277" },
    /* Other PQ key exchange algorithms, using Reserved for Private Use values
       https://blog.cloudflare.com/post-quantum-for-all
       https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
    { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
    { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
    { 0x00, NULL }
};
652
/* ECCurveType in a ServerKeyExchange (RFC 4492 5.4).  RFC 8422 permits
 * only named_curve(3); the explicit_prime/explicit_char2 encodings let
 * the server choose arbitrary curve parameters and are deprecated, so
 * a 1 or 2 from a modern peer deserves a second look.
 */
const value_string ssl_curve_types[] = {
    { 1, "explicit_prime" },
    { 2, "explicit_char2" },
    { 3, "named_curve" },
    { 0x00, NULL }
};
659
/* ECPointFormat (RFC 4492 5.1.2).  RFC 8422 keeps only uncompressed(0)
 * and deprecates the two ANSI X9.62 compressed encodings.
 */
const value_string ssl_extension_ec_point_formats[] = {
    { 0, "uncompressed" },
    { 1, "ansiX962_compressed_prime" },
    { 2, "ansiX962_compressed_char2" },
    { 0x00, NULL }
};
666
/* SSL 2.0 CERTIFICATE-TYPE byte of the REQUEST-CERTIFICATE and
 * CLIENT-CERTIFICATE messages.  Only X.509 (1) was ever defined.
 */
const value_string ssl_20_certificate_type[] = {
    { 0x00, "N/A" },
    { 0x01, "X.509 Certificate" },
    { 0x00, NULL }
};
672
/* ContentType of a TLS/DTLS record header (RFC 5246 6.2.1).  24 is
 * heartbeat (RFC 6520) and 25 is tls12_cid, the DTLS 1.2 connection-id
 * record (RFC 9146).
 *
 * In TLS 1.3 every protected record carries application_data (23) on
 * the wire and the real type is the last non-zero byte of the decrypted
 * payload (RFC 8446 5.2), so before decryption this value is only the
 * outer type and says nothing about what the record actually holds.
 */
const value_string ssl_31_content_type[] = {
    { 20, "Change Cipher Spec" },
    { 21, "Alert" },
    { 22, "Handshake" },
    { 23, "Application Data" },
    { 24, "Heartbeat" },
    { 25, "Connection ID" },
    { 0x00, NULL }
};
682
#if 0
/* XXX - would be used if we dissected the body of a Change Cipher Spec
   message (a single byte, always 1 per RFC 5246 §7.1). Intentionally kept
   disabled rather than removed. */
const value_string ssl_31_change_cipher_spec[] = {
    { 1, "Change Cipher Spec" },
    { 0x00, NULL }
};
#endif
691
/* AlertLevel (RFC 5246 §7.2). In TLS 1.3 the byte is still transmitted but
 * RFC 8446 §6 says receivers must ignore it: severity is implied by the alert
 * description, and every alert except close_notify and user_canceled is fatal. */
const value_string ssl_31_alert_level[] = {
    { 1, "Warning" },
    { 2, "Fatal" },
    { 0x00, NULL }
};
697
/* AlertDescription (RFC 5246 §7.2.2, RFC 8446 §6, IANA "TLS Alerts" registry).
 * Several codes are RESERVED or draft-only and are retained purely so that
 * older captures decode (noted inline). Alerts sent after the handshake - and
 * in TLS 1.3 everything after ServerHello - are encrypted, so without session
 * keys the description is not visible on the wire. */
const value_string ssl_31_alert_description[] = {
    { 0, "Close Notify" },
    { 1, "End of Early Data" },          /* TLS 1.3 drafts only; RFC 8446 uses a handshake message instead */
    { 10, "Unexpected Message" },
    { 20, "Bad Record MAC" },
    { 21, "Decryption Failed" },         /* RESERVED (TLS 1.0 era) */
    { 22, "Record Overflow" },
    { 30, "Decompression Failure" },     /* RESERVED; no compression in TLS 1.3 */
    { 40, "Handshake Failure" },
    { 41, "No Certificate" },            /* SSLv3 only, RESERVED */
    { 42, "Bad Certificate" },
    { 43, "Unsupported Certificate" },
    { 44, "Certificate Revoked" },
    { 45, "Certificate Expired" },
    { 46, "Certificate Unknown" },
    { 47, "Illegal Parameter" },
    { 48, "Unknown CA" },
    { 49, "Access Denied" },
    { 50, "Decode Error" },
    { 51, "Decrypt Error" },
    { 60, "Export Restriction" },        /* RESERVED (TLS 1.0 era) */
    { 70, "Protocol Version" },
    { 71, "Insufficient Security" },
    { 80, "Internal Error" },
    { 86, "Inappropriate Fallback" },    /* RFC 7507 */
    { 90, "User Canceled" },
    { 100, "No Renegotiation" },
    { 109, "Missing Extension" },        /* RFC 8446 */
    { 110, "Unsupported Extension" },
    { 111, "Certificate Unobtainable" }, /* RFC 6066, RESERVED since RFC 8446 */
    { 112, "Unrecognized Name" },        /* RFC 6066 */
    { 113, "Bad Certificate Status Response" }, /* RFC 6066 */
    { 114, "Bad Certificate Hash Value" },      /* RFC 6066, RESERVED since RFC 8446 */
    { 115, "Unknown PSK Identity" },     /* RFC 4279 */
    { 116, "Certificate Required" },     /* RFC 8446 */
    { 120, "No application Protocol" },  /* RFC 7301 */
    { 121, "ECH Required" },             /* Encrypted Client Hello (draft-ietf-tls-esni) */
    { 0x00, NULL }
};
737
/* HandshakeType (RFC 5246 §7.4, RFC 8446 §4, DTLS RFC 6347) keyed by the
 * SSL_HND_* constants from packet-tls-utils.h.
 *
 * NOTE(review): SSL_HND_ENCRYPTED_EXTENSIONS and SSL_HND_ENCRYPTED_EXTS both
 * render as "Encrypted Extensions". If they have different values (the TLS 1.3
 * message versus the older NPN draft type), the display string does not let a
 * reader tell them apart - confirm against the header and consider
 * distinguishing the legacy one in its label.
 *
 * HelloRetryRequest as a distinct type is draft-era: RFC 8446 encodes it as a
 * ServerHello carrying a fixed Random value. */
const value_string ssl_31_handshake_type[] = {
    { SSL_HND_HELLO_REQUEST, "Hello Request" },
    { SSL_HND_CLIENT_HELLO, "Client Hello" },
    { SSL_HND_SERVER_HELLO, "Server Hello" },
    { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},   /* DTLS cookie exchange */
    { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
    { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },      /* RFC 8446 */
    { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },  /* TLS 1.3 drafts */
    { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" }, /* RFC 8446 */
    { SSL_HND_CERTIFICATE, "Certificate" },
    { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
    { SSL_HND_CERT_REQUEST, "Certificate Request" },
    { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
    { SSL_HND_CERT_VERIFY, "Certificate Verify" },
    { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
    { SSL_HND_FINISHED, "Finished" },
    { SSL_HND_CERT_URL, "Client Certificate URL" },          /* RFC 6066 */
    { SSL_HND_CERT_STATUS, "Certificate Status" },           /* RFC 6066 */
    { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },      /* RFC 4680 */
    { SSL_HND_KEY_UPDATE, "Key Update" },                    /* RFC 8446 */
    { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" }, /* RFC 8879 */
    { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
    { 0x00, NULL }
};
762
/* HeartbeatMessageType (RFC 6520 §3). A heartbeat request whose declared
 * payload_length exceeds the enclosing record is the classic Heartbleed
 * (CVE-2014-0160) probe and is worth alerting on when seen in a capture. */
const value_string tls_heartbeat_type[] = {
    { 1, "Request" },
    { 2, "Response" },
    { 0x00, NULL }
};
768
/* HeartbeatMode (RFC 6520 §2), the single byte of the heartbeat hello
 * extension: whether the sender permits the peer to send heartbeat requests. */
const value_string tls_heartbeat_mode[] = {
    { 1, "Peer allowed to send requests" },
    { 2, "Peer not allowed to send requests" },
    { 0x00, NULL }
};
774
/* CompressionMethod: null (RFC 5246), DEFLATE (RFC 3749), LZS (RFC 3943).
 * TLS 1.3 removed compression entirely; any negotiated method other than null
 * is a finding in its own right (CRIME-style plaintext recovery, CVE-2012-4929). */
const value_string ssl_31_compression_method[] = {
    { 0, "null" },
    { 1, "DEFLATE" },
    { 64, "LZS" },
    { 0x00, NULL }
};
781
#if 0
/* XXX - would be used if we dissected a Signature, as would be
   seen in a server key exchange or certificate verify message.
   Intentionally kept disabled rather than removed. */
const value_string ssl_31_key_exchange_algorithm[] = {
    { 0, "RSA" },
    { 1, "Diffie Hellman" },
    { 0x00, NULL }
};

const value_string ssl_31_signature_algorithm[] = {
    { 0, "Anonymous" },
    { 1, "RSA" },
    { 2, "DSA" },
    { 0x00, NULL }
};
#endif
798
/* ClientCertificateType as sent in CertificateRequest (RFC 5246 §7.4.4;
 * ECDSA/ECDH values from RFC 4492 §5.5). The GOST entries come from an
 * expired draft and predate RFC 9189.
 *
 * NOTE(review): RFC 9189 registers its own GOST client certificate types
 * (gost_sign256 / gost_sign512), which are not listed here - verify the code
 * points against the IANA registry before adding them. */
const value_string ssl_31_client_certificate_type[] = {
    { 1, "RSA Sign" },
    { 2, "DSS Sign" },
    { 3, "RSA Fixed DH" },
    { 4, "DSS Fixed DH" },
    /* GOST certificate types */
    /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
    { 21, "GOST R 34.10-94" },
    { 22, "GOST R 34.10-2001" },
    /* END GOST certificate types */
    { 64, "ECDSA Sign" },
    { 65, "RSA Fixed ECDH" },
    { 66, "ECDSA Fixed ECDH" },
    { 80, "IBC Params" },
    { 0x00, NULL }
};
815
#if 0
/* XXX - would be used if we dissected exchange keys, as would be
   seen in a client key exchange message (PublicValueEncoding, RFC 5246
   §7.4.7.2). Intentionally kept disabled rather than removed. */
const value_string ssl_31_public_value_encoding[] = {
    { 0, "Implicit" },
    { 1, "Explicit" },
    { 0x00, NULL }
};
#endif
825
/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
/* Note: keep the entries sorted by ascending value. ssl_31_ciphersuite_ext
   (below) wraps this table for the value_string_ext lookup functions, which
   can only use a binary search when the table is sorted. */
/* Cipher suite names keyed by the 16-bit code point: the IANA "TLS Cipher
 * Suites" registry plus draft and vendor values, with the source noted inline.
 *
 * Ordering: entries must stay sorted by ascending value; the
 * ssl_31_ciphersuite_ext wrapper relies on that to use a binary search.
 *
 * Security note: an entry here only lets the dissector name a suite - it is
 * not an endorsement. Many of the listed suites are broken or forbidden
 * (NULL cipher, EXPORT / 40- and 56-bit keys, anonymous key exchange, RC4,
 * DES/3DES, SSLv3-era FIPS and private-use values). They are kept so that
 * captures of legacy or misconfigured peers still decode, and a negotiated
 * ServerHello carrying one of them is itself a useful finding. */
static const value_string ssl_31_ciphersuite[] = {
    /* RFC 2246, RFC 4346, RFC 5246 */
    { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
    { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
    { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
    { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
    { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
    { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
    { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
    { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
    { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
    { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
    { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
    { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
    { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
    { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
    { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
    { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
    { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
    { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
    { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },

    /* SSLv3-era FORTEZZA suites; never registered with IANA */
    { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
    { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
         to remove according to David Hopwood <[email protected]>
         of the ietf-tls list */
    { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
#endif
    /* RFC 2712 */
    { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
    { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
    { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
    { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
    { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
    { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
    { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
    { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
    { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
    { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
    { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
    { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
    { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
    { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
    /* RFC 4785 */
    { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
    { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
    { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
    /* RFC 5246 */
    { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
    { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
    { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
    { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
    { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
    { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
    { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
    { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
    { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
    { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
    { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
    { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
    { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
    { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
    { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
    { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
    /* RFC 4132 */
    { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
    /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
    /* Pre-standard 56-bit "export1024" suites; the first two have no known
       published source beyond the reservation itself */
    { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
    { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
    /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
    { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
    { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
    { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
    { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
    { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
    /* RFC 5246 */
    { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
    { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
    { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
    { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
    { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
    { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
    /* draft-chudov-cryptopro-cptls-04.txt */
    { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
    { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
    { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
    { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
    /* RFC 4132 */
    { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
    /* RFC 4279 */
    { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
    { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
    { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
    { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
    { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
    { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
    { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
    { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
    { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
    /* RFC 4162 */
    { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
    { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
    { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
    { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
    { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
    { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
    /* RFC 5288 */
    { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
    { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
    { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
    { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
    { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
    { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
    /* RFC 5487 */
    { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
    { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
    { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
    { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
    { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
    { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
    { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
    { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
    { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
    { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
    { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
    { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
    /* From RFC 5932 */
    { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
    /* RFC 8998 */
    { 0x00C6, "TLS_SM4_GCM_SM3" },
    { 0x00C7, "TLS_SM4_CCM_SM3" },
    /* 0x00,0xC8-FE Unassigned */
    /* From RFC 5746 */
    { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
    /* RFC 8701 */
    { 0x0A0A, "Reserved (GREASE)" },
    /* RFC 8446 */
    { 0x1301, "TLS_AES_128_GCM_SHA256" },
    { 0x1302, "TLS_AES_256_GCM_SHA384" },
    { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
    { 0x1304, "TLS_AES_128_CCM_SHA256" },
    { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
    /* RFC 8701 */
    { 0x1A1A, "Reserved (GREASE)" },
    { 0x2A2A, "Reserved (GREASE)" },
    { 0x3A3A, "Reserved (GREASE)" },
    { 0x4A4A, "Reserved (GREASE)" },
    /* From RFC 7507 */
    { 0x5600, "TLS_FALLBACK_SCSV" },
    /* RFC 8701 */
    { 0x5A5A, "Reserved (GREASE)" },
    { 0x6A6A, "Reserved (GREASE)" },
    { 0x7A7A, "Reserved (GREASE)" },
    { 0x8A8A, "Reserved (GREASE)" },
    { 0x9A9A, "Reserved (GREASE)" },
    { 0xAAAA, "Reserved (GREASE)" },
    { 0xBABA, "Reserved (GREASE)" },
    /* From RFC 4492 */
    { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
    { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
    { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
    { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
    { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
    { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
    { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
    { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
    { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
    { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
    { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
    { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
    { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
    { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
    { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
    { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
    { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
    { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
    { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
    { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
    { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
    { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
    { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
    /* RFC 5054 */
    { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
    { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
    { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
    { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
    { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
    { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
    { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
    { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
    /* RFC 5289 (ECC suites with SHA-256/384 and AES-GCM) */
    { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
    { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
    { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
    { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
    { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
    { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
    { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
    { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
    { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
    { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
    { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
    { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
    { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
    { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
    { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
    { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
    /* RFC 5489 */
    { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
    { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
    { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
    { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
    { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
    { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
    { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
    { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
    /* RFC 6209 */
    { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
    { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
    { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
    { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
    { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
    { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
    { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
    { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
    { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
    { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
    { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
    { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
    { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
    { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
    { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
    { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
    { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
    { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
    { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
    { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
    { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
    { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
    { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
    { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
    { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
    { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
    { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
    { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
    { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
    { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
    { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
    { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
    { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
    { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
    { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
    { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
    { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
    { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
    { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
    { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
    { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
    { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
    { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
    { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
    { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
    { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
    { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
    { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
    { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
    { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
    { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
    { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
    { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
    { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
    /* RFC 6367 */
    { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
    { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
    { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
    { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
    { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
    { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
    { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
    { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
    { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
    { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
    /* RFC 6655 */
    { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
    { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
    { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
    { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
    { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
    { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
    { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
    { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
    { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
    { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
    { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
    { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
    { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
    { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
    { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
    { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
    /* RFC 7251 */
    { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
    { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
    { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
    { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
    /* RFC 8492 */
    { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
    { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
    { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
    { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
    /* draft-camwinget-tls-ts13-macciphersuites (integrity-only, no confidentiality) */
    { 0xC0B4, "TLS_SHA256_SHA256" },
    { 0xC0B5, "TLS_SHA384_SHA384" },
    /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt (not IANA-registered) */
    { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
    /* draft-smyshlyaev-tls12-gost-suites, now RFC 9189 */
    { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
    { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
    { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
    /* draft-smyshlyaev-tls13-gost-suites */
    { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
    { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
    { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
    { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
    /* RFC 8701 */
    { 0xCACA, "Reserved (GREASE)" },
/*
Registry gaps at the time of writing (re-check IANA before relying on this):
0xC0,0xB6-FE  Unassigned (0xC0FF above is a draft value, not registered)
0xC1,0x07-FF  Unassigned
0xFE,0x00-FD  Unassigned
0xFE,0xFE-FF  Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
0xFF,0x00-FF  Reserved for Private Use [RFC5246]
*/
    /* old numbers used in the beginning
     * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
    { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    /* RFC 7905 */
    { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    /* RFC 8442 */
    { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
    { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
    { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
    { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
    /* RFC 8701 */
    { 0xDADA, "Reserved (GREASE)" },
    /* GM/T 0024-2014 (Chinese national TLCP suites; not IANA-registered) */
    { 0xe001, "ECDHE_SM1_SM3"},
    { 0xe003, "ECC_SM1_SM3"},
    { 0xe005, "IBSDH_SM1_SM3"},
    { 0xe007, "IBC_SM1_SM3"},
    { 0xe009, "RSA_SM1_SM3"},
    { 0xe00a, "RSA_SM1_SHA1"},
    { 0xe011, "ECDHE_SM4_CBC_SM3"},
    { 0xe013, "ECC_SM4_CBC_SM3"},
    { 0xe015, "IBSDH_SM4_CBC_SM3"},
    { 0xe017, "IBC_SM4_CBC_SM3"},
    { 0xe019, "RSA_SM4_CBC_SM3"},
    { 0xe01a, "RSA_SM4_CBC_SHA1"},
    { 0xe01c, "RSA_SM4_CBC_SHA256"},
    { 0xe051, "ECDHE_SM4_GCM_SM3"},
    { 0xe053, "ECC_SM4_GCM_SM3"},
    { 0xe055, "IBSDH_SM4_GCM_SM3"},
    { 0xe057, "IBC_SM4_GCM_SM3"},
    { 0xe059, "RSA_SM4_GCM_SM3"},
    { 0xe05a, "RSA_SM4_GCM_SHA256"},
    /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls (expired draft) */
    { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
    { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
    { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
    { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
    { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
    { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
    { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
    { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
    /* RFC 8701 */
    { 0xEAEA, "Reserved (GREASE)" },
    { 0xFAFA, "Reserved (GREASE)" },
    /* these from http://www.mozilla.org/projects/
       security/pki/nss/ssl/fips-ssl-ciphersuites.html */
    { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
    { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
    /* https://datatracker.ietf.org/doc/html/rfc9189
       Pre-RFC private-use code point for the suite registered as 0xC102 above;
       both names are identical on purpose so either encoding decodes. */
    { 0xff85, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"},
    { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
    { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
    /* note that ciphersuites 0xff00 - 0xffff are private */
    { 0x00, NULL }
};
1317
/* Extended wrapper over ssl_31_ciphersuite for the val_to_str_ext() family.
 * The initialiser inspects the table on first use and picks a binary search
 * only if the values are in ascending order, so keeping the table sorted is a
 * performance requirement rather than a correctness one. */
value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite);
1319
1320/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1321const value_string tls_hello_extension_types[] = {
1322 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1323 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1324 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1325 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1326 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1327 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1328 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1329 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1330 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1331 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1332 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1333 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1334 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1335 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1336 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1337 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1338 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1339 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1340 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1341 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1342 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1343 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1344 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1345 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1346 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1347 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1348 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1349 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1350 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1351 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1352 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1353 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1354 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1355 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1356 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1357 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1358 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1359 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1360 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1363 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1364 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1365 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1366 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1367 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1368 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1369 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1370 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1371 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1372 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1373 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1374 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1375 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03 */
1376 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1377 { SSL_HND_HELLO_EXT_ALPS_OLD17513, "application_settings_old" }, /* draft-vvv-tls-alps-01 */
1378 { SSL_HND_HELLO_EXT_ALPS17613, "application_settings" }, /* draft-vvv-tls-alps-01 */ /* https://chromestatus.com/feature/5149147365900288 */
1379 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1381 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1382 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1383 https://twitter.com/ericlaw/status/274237352531083264 */
1384 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1385 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1386 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1387 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1389 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1390 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1391 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1392 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1393 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1395 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1396 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1397 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1398 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1399 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1400 { 0, NULL((void*)0) }
1401};
1402
/* RFC 6066 Section 3: ServerName.name_type as carried in the server_name
 * extension. host_name(0) is the only registered type; a ClientHello that
 * uses anything else is outside the specification. */
const value_string tls_hello_ext_server_name_type_vs[] = {
    { 0, "host_name" },   /* RFC 6066 */
    { 0, NULL }
};
1407
/* RFC 6066 Section 4: MaxFragmentLength. The wire value is an exponent
 * offset (value n selects 2^(n+8) bytes); only 1..4 are defined and any
 * other value is an illegal_parameter per the RFC. RFC 8449's
 * record_size_limit extension is the intended replacement for this one. */
const value_string tls_hello_ext_max_fragment_length[] = {
    { 1, "512"  },   /* 2^9  */
    { 2, "1024" },   /* 2^10 */
    { 3, "2048" },   /* 2^11 */
    { 4, "4096" },   /* 2^12 */
    { 0, NULL }
};
1416
/* RFC 8446 Section 4.2.9: PskKeyExchangeMode, offered in the
 * psk_key_exchange_modes extension. psk_ke(0) derives the session keys
 * from the PSK alone (no key_share, so no forward secrecy for that
 * session); psk_dhe_ke(1) combines the PSK with a fresh (EC)DHE share. */
const value_string tls_hello_ext_psk_ke_mode[] = {
    { 0, "PSK-only key establishment (psk_ke)"             },
    { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
    { 0, NULL }
};
1423
/* RFC 6066 Section 6: IdentifierType used by the trusted_ca_keys extension
 * to tell the server which root CAs the client holds. The *_sha1_hash forms
 * are lookup identifiers only (SHA-1 over the key or certificate); they do
 * not authenticate anything by themselves. */
const value_string tls_hello_ext_trusted_ca_key_type[] = {
    { 0, "pre_agreed"     },
    { 1, "key_sha1_hash"  },
    { 2, "x509_name"      },
    { 3, "cert_sha1_hash" },
    { 0, NULL }
};
1432
/* RFC 8446 Section 4.6.3: KeyUpdateRequest, the single field of a TLS 1.3
 * KeyUpdate post-handshake message. update_requested(1) obliges the peer to
 * send its own KeyUpdate; any other value is an illegal_parameter. */
const value_string tls13_key_update_request[] = {
    { 0, "update_not_requested" },
    { 1, "update_requested"     },
    { 0, NULL }
};
1438
/* RFC 5246 Section 7.4.1.4.1: HashAlgorithm, the first octet of a TLS 1.2
 * SignatureAndHashAlgorithm.
 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
 *
 * The TLS 1.3 SignatureScheme registry reserves every value whose first
 * octet is 0x00-0x06, and every value whose second octet is 0x00-0x03, so
 * that it stays byte-compatible with TLS 1.2 SignatureAndHashAlgorithm.
 *
 * RFC 8422 and RFC 9189 retrofit some TLS 1.3 algorithms into TLS 1.2 and
 * extend the HashAlgorithm / SignatureAlgorithm registries for them, but
 * the added octet values collide with unrelated TLS 1.3-only schemes.
 * Listing them here would mislabel such schemes whenever this table is used
 * to split a signature_algorithms entry from a TLS 1.3 ClientHello, so they
 * are intentionally left out.
 *
 * MD5(1) and SHA1(2) are kept for decoding only: RFC 9155 deprecates both as
 * signature hashes in TLS 1.2 / DTLS 1.2.
 */
const value_string tls_hash_algorithm[] = {
    { 0, "None"   },
    { 1, "MD5"    },
    { 2, "SHA1"   },
    { 3, "SHA224" },
    { 4, "SHA256" },
    { 5, "SHA384" },
    { 6, "SHA512" },
#if 0
    /* RFC 8422 registers 8 as "Intrinsic", but that reading only holds for
     * 0x0807 (ed25519) and 0x0808 (ed448); other TLS 1.3 schemes with 0x08
     * in this octet, e.g. 0x0806 rsa_pss_rsae_sha512, must not be shown as
     * "Intrinsic". */
    { 8, "Intrinsic" },
#endif
    { 0, NULL }
};
1470
/* RFC 5246 Section 7.4.1.4.1: SignatureAlgorithm, the second octet of a
 * TLS 1.2 SignatureAndHashAlgorithm. The RFC 8422 / RFC 9189 additions are
 * deliberately omitted for the reason given at tls_hash_algorithm above. */
const value_string tls_signature_algorithm[] = {
    { 0, "Anonymous" },
    { 1, "RSA"       },
    { 2, "DSA"       },
    { 3, "ECDSA"     },
#if 0
    /* Same caveat as tls_hash_algorithm: these octets also occur inside
     * unrelated TLS 1.3 SignatureSchemes and would be mislabelled. */
    { 7,  "ED25519"           },
    { 8,  "ED448"             },
    { 64, "GOSTR34102012_256" },
    { 65, "GOSTR34102012_512" },
#endif
    { 0, NULL }
};
1485
/* RFC 8446 Section 4.2.3: SignatureScheme, the 16-bit code points carried in
 * the signature_algorithms / signature_algorithms_cert extensions and in
 * CertificateVerify. Unless noted otherwise an entry is registered with IANA.
 *
 * Notes for readers of a decode:
 *  - rsa_pkcs1_sha1 and ecdsa_sha1 are "legacy" in RFC 8446: they may only
 *    describe signatures found in certificates, never a TLS 1.3
 *    CertificateVerify.
 *  - 0xfe00-0xffff is the private-use range. The entries at the bottom were
 *    assigned by the OQS-OpenSSL project, are not IANA-registered, and a
 *    number of the underlying schemes (notably Rainbow) were later broken or
 *    dropped from standardisation; they are kept so old experimental
 *    captures still decode, not as a statement of current strength.
 */
const value_string tls13_signature_algorithm[] = {
    /* Legacy, certificate-only schemes. */
    { 0x0201, "rsa_pkcs1_sha1"                     },
    { 0x0203, "ecdsa_sha1"                         },
    /* RSASSA-PKCS1-v1_5 and ECDSA. */
    { 0x0401, "rsa_pkcs1_sha256"                   },
    { 0x0403, "ecdsa_secp256r1_sha256"             },
    { 0x0420, "rsa_pkcs1_sha256_legacy"            },  /* draft-davidben-tls13-pkcs1-01 */
    { 0x0501, "rsa_pkcs1_sha384"                   },
    { 0x0503, "ecdsa_secp384r1_sha384"             },
    { 0x0520, "rsa_pkcs1_sha384_legacy"            },  /* draft-davidben-tls13-pkcs1-01 */
    { 0x0601, "rsa_pkcs1_sha512"                   },
    { 0x0603, "ecdsa_secp521r1_sha512"             },
    { 0x0620, "rsa_pkcs1_sha512_legacy"            },  /* draft-davidben-tls13-pkcs1-01 */
    /* Identity-based and national schemes. */
    { 0x0704, "eccsi_sha256"                       },  /* draft-wang-tls-raw-public-key-with-ibc-02 */
    { 0x0705, "iso_ibs1"                           },  /* draft-wang-tls-raw-public-key-with-ibc-02 */
    { 0x0706, "iso_ibs2"                           },  /* draft-wang-tls-raw-public-key-with-ibc-02 */
    { 0x0707, "iso_chinese_ibs"                    },  /* draft-wang-tls-raw-public-key-with-ibc-02 */
    { 0x0708, "sm2sig_sm3"                         },  /* RFC 8998 */
    { 0x0709, "gostr34102012_256a"                 },  /* RFC 9367 */
    { 0x070a, "gostr34102012_256b"                 },  /* RFC 9367 */
    { 0x070b, "gostr34102012_256c"                 },  /* RFC 9367 */
    { 0x070c, "gostr34102012_256d"                 },  /* RFC 9367 */
    { 0x070d, "gostr34102012_512a"                 },  /* RFC 9367 */
    { 0x070e, "gostr34102012_512b"                 },  /* RFC 9367 */
    { 0x070f, "gostr34102012_512c"                 },  /* RFC 9367 */
    /* RSASSA-PSS and EdDSA. */
    { 0x0804, "rsa_pss_rsae_sha256"                },
    { 0x0805, "rsa_pss_rsae_sha384"                },
    { 0x0806, "rsa_pss_rsae_sha512"                },
    { 0x0807, "ed25519"                            },
    { 0x0808, "ed448"                              },
    { 0x0809, "rsa_pss_pss_sha256"                 },
    { 0x080a, "rsa_pss_pss_sha384"                 },
    { 0x080b, "rsa_pss_pss_sha512"                 },
    { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256"  },  /* RFC 8734 */
    { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384"  },  /* RFC 8734 */
    { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512"  },  /* RFC 8734 */
    /* Post-quantum schemes on the standards track (draft code points). */
    { 0x0904, "mldsa44"                            },  /* draft-ietf-tls-mldsa-00 */
    { 0x0905, "mldsa65"                            },  /* draft-ietf-tls-mldsa-00 */
    { 0x0906, "mldsa87"                            },  /* draft-ietf-tls-mldsa-00 */
    { 0x0911, "slhdsa_sha2_128s"                   },  /* draft-reddy-tls-slhdsa-01 */
    { 0x0912, "slhdsa_sha2_128f"                   },  /* draft-reddy-tls-slhdsa-01 */
    { 0x0913, "slhdsa_sha2_192s"                   },  /* draft-reddy-tls-slhdsa-01 */
    { 0x0914, "slhdsa_sha2_192f"                   },  /* draft-reddy-tls-slhdsa-01 */
    { 0x0915, "slhdsa_sha2_256s"                   },  /* draft-reddy-tls-slhdsa-01 */
    { 0x0916, "slhdsa_sha2_256f"                   },  /* draft-reddy-tls-slhdsa-01 */
    { 0x0917, "slhdsa_shake_128s"                  },  /* draft-reddy-tls-slhdsa-01 */
    { 0x0918, "slhdsa_shake_128f"                  },  /* draft-reddy-tls-slhdsa-01 */
    { 0x0919, "slhdsa_shake_192s"                  },  /* draft-reddy-tls-slhdsa-01 */
    { 0x091a, "slhdsa_shake_192f"                  },  /* draft-reddy-tls-slhdsa-01 */
    { 0x091b, "slhdsa_shake_256s"                  },  /* draft-reddy-tls-slhdsa-01 */
    { 0x091c, "slhdsa_shake_256f"                  },  /* draft-reddy-tls-slhdsa-01 */
    /* Private-use (0xfe00-0xffff) code points from OQS-OpenSSL, see
     * https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-sig-info.md
     * Not IANA-registered; see the header comment. */
    { 0xfea0, "dilithium2"                         },
    { 0xfea1, "p256_dilithium2"                    },
    { 0xfea2, "rsa3072_dilithium2"                 },
    { 0xfea3, "dilithium3"                         },
    { 0xfea4, "p384_dilithium3"                    },
    { 0xfea5, "dilithium5"                         },
    { 0xfea6, "p521_dilithium5"                    },
    { 0xfea7, "dilithium2_aes"                     },
    { 0xfea8, "p256_dilithium2_aes"                },
    { 0xfea9, "rsa3072_dilithium2_aes"             },
    { 0xfeaa, "dilithium3_aes"                     },
    { 0xfeab, "p384_dilithium3_aes"                },
    { 0xfeac, "dilithium5_aes"                     },
    { 0xfead, "p521_dilithium5_aes"                },
    { 0xfe0b, "falcon512"                          },
    { 0xfe0c, "p256_falcon512"                     },
    { 0xfe0d, "rsa3072_falcon512"                  },
    { 0xfe0e, "falcon1024"                         },
    { 0xfe0f, "p521_falcon1024"                    },
    { 0xfe96, "picnicl1full"                       },
    { 0xfe97, "p256_picnicl1full"                  },
    { 0xfe98, "rsa3072_picnicl1full"               },
    { 0xfe1b, "picnic3l1"                          },
    { 0xfe1c, "p256_picnic3l1"                     },
    { 0xfe1d, "rsa3072_picnic3l1"                  },
    { 0xfe27, "rainbowIclassic"                    },
    { 0xfe28, "p256_rainbowIclassic"               },
    { 0xfe29, "rsa3072_rainbowIclassic"            },
    { 0xfe3c, "rainbowVclassic"                    },
    { 0xfe3d, "p521_rainbowVclassic"               },
    { 0xfe42, "sphincsharaka128frobust"            },
    { 0xfe43, "p256_sphincsharaka128frobust"       },
    { 0xfe44, "rsa3072_sphincsharaka128frobust"    },
    { 0xfe5e, "sphincssha256128frobust"            },
    { 0xfe5f, "p256_sphincssha256128frobust"       },
    { 0xfe60, "rsa3072_sphincssha256128frobust"    },
    { 0xfe7a, "sphincsshake256128frobust"          },
    { 0xfe7b, "p256_sphincsshake256128frobust"     },
    { 0xfe7c, "rsa3072_sphincsshake256128frobust"  },
    { 0, NULL }
};
1580
/* RFC 6091 Section 3.1: CertificateType, carried in the cert_type extension
 * and reused by the client_certificate_type / server_certificate_type
 * extensions of RFC 7250, which added the raw-public-key form. */
const value_string tls_certificate_type[] = {
    { 0, "X.509"   },                                         /* RFC 6091 */
    { 1, "OpenPGP" },                                         /* RFC 6091 */
    { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY, "Raw Public Key" },   /* RFC 7250 */
    { 0, NULL }
};
1588
/* CertChainType for the client_certificate_url extension (RFC 6066
 * Section 5).
 *
 * NOTE(review): RFC 6066 Section 5 numbers the enum as individual_certs(0),
 * pkipath(1). The SSL_HND_CERT_URL_TYPE_* constants used here appear to
 * expand to 1 and 2 respectively, which would label every on-the-wire
 * value one step off and leave 0 undecoded — confirm the defines in
 * packet-tls-utils.h against the RFC before relying on this decode. */
const value_string tls_cert_chain_type[] = {
    { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT, "Individual Certificates" },
    { SSL_HND_CERT_URL_TYPE_PKIPATH,         "PKI Path"                },
    { 0, NULL }
};
1594
/* CertificateStatusType for the status_request extension (RFC 6066
 * Section 8) and status_request_v2 (RFC 6961; the v2 extension is not used
 * in TLS 1.3). */
const value_string tls_cert_status_type[] = {
    { SSL_HND_CERT_STATUS_TYPE_OCSP,       "OCSP"       },   /* RFC 6066 */
    { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI, "OCSP Multi" },   /* RFC 6961 */
    { 0, NULL }
};
1600
1601/* Generated by tools/dissector_generators/generate-tls-ct-logids.py
1602 * Last-Modified Sat, 15 Nov 2025 14:27:28 GMT, 187 entries. */
1603static const bytes_string ct_logids[] = {
1604 { (const uint8_t[]){
1605 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1606 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1607 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1608 },
1609 32, "Google 'Argon2020' log" },
1610 { (const uint8_t[]){
1611 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1612 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1613 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1614 },
1615 32, "Google 'Argon2021' log" },
1616 { (const uint8_t[]){
1617 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1618 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1619 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1620 },
1621 32, "Google 'Argon2022' log" },
1622 { (const uint8_t[]){
1623 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1624 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1625 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1626 },
1627 32, "Google 'Argon2023' log" },
1628 { (const uint8_t[]){
1629 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1630 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1631 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1632 },
1633 32, "Google 'Argon2024' log" },
1634 { (const uint8_t[]){
1635 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1636 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1637 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1638 },
1639 32, "Google 'Argon2025h1' log" },
1640 { (const uint8_t[]){
1641 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1642 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1643 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1644 },
1645 32, "Google 'Argon2025h2' log" },
1646 { (const uint8_t[]){
1647 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1648 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1649 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1650 },
1651 32, "Google 'Argon2026h1' log" },
1652 { (const uint8_t[]){
1653 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1654 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1655 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1656 },
1657 32, "Google 'Argon2026h2' log" },
1658 { (const uint8_t[]){
1659 0xd6, 0xd5, 0x8d, 0xa9, 0xd0, 0x17, 0x53, 0xf3, 0x6a, 0x4a, 0xa0,
1660 0xc7, 0x57, 0x49, 0x02, 0xaf, 0xeb, 0xc7, 0xdc, 0x2c, 0xd3, 0x8c,
1661 0xd9, 0xf7, 0x64, 0xc8, 0x0c, 0x89, 0x19, 0x1e, 0x9f, 0x02,
1662 },
1663 32, "Google 'Argon2027h1'" },
1664 { (const uint8_t[]){
1665 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1666 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1667 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1668 },
1669 32, "Google 'Xenon2020' log" },
1670 { (const uint8_t[]){
1671 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1672 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1673 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1674 },
1675 32, "Google 'Xenon2021' log" },
1676 { (const uint8_t[]){
1677 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1678 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1679 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1680 },
1681 32, "Google 'Xenon2022' log" },
1682 { (const uint8_t[]){
1683 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1684 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1685 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1686 },
1687 32, "Google 'Xenon2023' log" },
1688 { (const uint8_t[]){
1689 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1690 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1691 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1692 },
1693 32, "Google 'Xenon2024' log" },
1694 { (const uint8_t[]){
1695 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1696 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1697 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1698 },
1699 32, "Google 'Xenon2025h1' log" },
1700 { (const uint8_t[]){
1701 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1702 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1703 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1704 },
1705 32, "Google 'Xenon2025h2' log" },
1706 { (const uint8_t[]){
1707 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1708 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1709 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1710 },
1711 32, "Google 'Xenon2026h1' log" },
1712 { (const uint8_t[]){
1713 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1714 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1715 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1716 },
1717 32, "Google 'Xenon2026h2' log" },
1718 { (const uint8_t[]){
1719 0x44, 0xc2, 0xbd, 0x0c, 0xe9, 0x14, 0x0e, 0x64, 0xa5, 0xc9, 0x4a,
1720 0x01, 0x93, 0x0a, 0x5a, 0xa1, 0xbb, 0x35, 0x97, 0x0e, 0x00, 0xee,
1721 0x11, 0x16, 0x89, 0x68, 0x2a, 0x1c, 0x44, 0xd7, 0xb5, 0x66,
1722 },
1723 32, "Google 'Xenon2027h1'" },
1724 { (const uint8_t[]){
1725 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1726 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1727 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1728 },
1729 32, "Google 'Aviator' log" },
1730 { (const uint8_t[]){
1731 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1732 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1733 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1734 },
1735 32, "Google 'Icarus' log" },
1736 { (const uint8_t[]){
1737 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1738 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1739 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1740 },
1741 32, "Google 'Pilot' log" },
1742 { (const uint8_t[]){
1743 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1744 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1745 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1746 },
1747 32, "Google 'Rocketeer' log" },
1748 { (const uint8_t[]){
1749 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1750 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1751 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1752 },
1753 32, "Google 'Skydiver' log" },
1754 { (const uint8_t[]){
1755 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1756 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1757 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1758 },
1759 32, "Google 'Argon2017' log" },
1760 { (const uint8_t[]){
1761 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1762 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1763 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1764 },
1765 32, "Google 'Argon2018' log" },
1766 { (const uint8_t[]){
1767 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1768 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1769 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1770 },
1771 32, "Google 'Argon2019' log" },
1772 { (const uint8_t[]){
1773 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1774 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1775 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1776 },
1777 32, "Google 'Xenon2018' log" },
1778 { (const uint8_t[]){
1779 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1780 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1781 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1782 },
1783 32, "Google 'Xenon2019' log" },
1784 { (const uint8_t[]){
1785 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1786 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1787 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1788 },
1789 32, "Google 'Submariner' log" },
1790 { (const uint8_t[]){
1791 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1792 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1793 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1794 },
1795 32, "Google 'Daedalus' log" },
1796 { (const uint8_t[]){
1797 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1798 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1799 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1800 },
1801 32, "Google 'Testtube' log" },
1802 { (const uint8_t[]){
1803 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1804 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1805 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1806 },
1807 32, "Google 'Crucible' log" },
1808 { (const uint8_t[]){
1809 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1810 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1811 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1812 },
1813 32, "Google 'Solera2018' log" },
1814 { (const uint8_t[]){
1815 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1816 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1817 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1818 },
1819 32, "Google 'Solera2019' log" },
1820 { (const uint8_t[]){
1821 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1822 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1823 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1824 },
1825 32, "Google 'Solera2020' log" },
1826 { (const uint8_t[]){
1827 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1828 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1829 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1830 },
1831 32, "Google 'Solera2021' log" },
1832 { (const uint8_t[]){
1833 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1834 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1835 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1836 },
1837 32, "Google 'Solera2022' log" },
1838 { (const uint8_t[]){
1839 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1840 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1841 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1842 },
1843 32, "Google 'Solera2023' log" },
1844 { (const uint8_t[]){
1845 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1846 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1847 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1848 },
1849 32, "Google 'Solera2024' log" },
1850 { (const uint8_t[]){
1851 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1852 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1853 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1854 },
1855 32, "Google 'Solera2025h1' log" },
1856 { (const uint8_t[]){
1857 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1858 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1859 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1860 },
1861 32, "Google 'Solera2025h2' log" },
1862 { (const uint8_t[]){
1863 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1864 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1865 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1866 },
1867 32, "Google 'Solera2026h1' log" },
1868 { (const uint8_t[]){
1869 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1870 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1871 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1872 },
1873 32, "Google 'Solera2026h2' log" },
1874 { (const uint8_t[]){
1875 0x3d, 0xe4, 0x92, 0xa8, 0x98, 0x93, 0xad, 0x70, 0x5e, 0x78, 0x46,
1876 0xed, 0x21, 0xd4, 0x8d, 0xca, 0xfb, 0xad, 0x13, 0x9e, 0xa6, 0x4e,
1877 0xd1, 0xe3, 0x49, 0xf9, 0x00, 0xb0, 0xa2, 0xcd, 0xa5, 0xe2,
1878 },
1879 32, "Google 'Solera2027h1' log" },
1880 { (const uint8_t[]){
1881 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1882 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1883 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1884 },
1885 32, "Cloudflare 'Nimbus2020' Log" },
1886 { (const uint8_t[]){
1887 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1888 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1889 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1890 },
1891 32, "Cloudflare 'Nimbus2021' Log" },
1892 { (const uint8_t[]){
1893 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1894 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1895 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1896 },
1897 32, "Cloudflare 'Nimbus2022' Log" },
1898 { (const uint8_t[]){
1899 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1900 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1901 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1902 },
1903 32, "Cloudflare 'Nimbus2023' Log" },
1904 { (const uint8_t[]){
1905 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1906 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1907 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1908 },
1909 32, "Cloudflare 'Nimbus2024' Log" },
1910 { (const uint8_t[]){
1911 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1912 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1913 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1914 },
1915 32, "Cloudflare 'Nimbus2025'" },
1916 { (const uint8_t[]){
1917 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1918 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1919 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1920 },
1921 32, "Cloudflare 'Nimbus2026'" },
1922 { (const uint8_t[]){
1923 0x4c, 0x63, 0xdc, 0x98, 0xe5, 0x9c, 0x1d, 0xab, 0x88, 0xf6, 0x1e,
1924 0x8a, 0x3d, 0xde, 0xae, 0x8f, 0xab, 0x44, 0xa3, 0x37, 0x7b, 0x5f,
1925 0x9b, 0x94, 0xc3, 0xfb, 0xa1, 0x9c, 0xfc, 0xc1, 0xbe, 0x26,
1926 },
1927 32, "Cloudflare 'Nimbus2027'" },
1928 { (const uint8_t[]){
1929 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1930 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1931 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1932 },
1933 32, "Cloudflare 'Nimbus2017' Log" },
1934 { (const uint8_t[]){
1935 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1936 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1937 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1938 },
1939 32, "Cloudflare 'Nimbus2018' Log" },
1940 { (const uint8_t[]){
1941 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1942 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1943 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1944 },
1945 32, "Cloudflare 'Nimbus2019' Log" },
1946 { (const uint8_t[]){
1947 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1948 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1949 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1950 },
1951 32, "DigiCert Log Server" },
1952 { (const uint8_t[]){
1953 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1954 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1955 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1956 },
1957 32, "DigiCert Log Server 2" },
1958 { (const uint8_t[]){
1959 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1960 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1961 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1962 },
1963 32, "DigiCert Yeti2020 Log" },
1964 { (const uint8_t[]){
1965 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1966 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1967 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1968 },
1969 32, "DigiCert Yeti2021 Log" },
1970 { (const uint8_t[]){
1971 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1972 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1973 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1974 },
1975 32, "DigiCert Yeti2022 Log" },
1976 { (const uint8_t[]){
1977 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1978 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1979 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1980 },
1981 32, "DigiCert Yeti2023 Log" },
1982 { (const uint8_t[]){
1983 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1984 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1985 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1986 },
1987 32, "DigiCert Yeti2024 Log" },
1988 { (const uint8_t[]){
1989 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1990 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1991 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1992 },
1993 32, "DigiCert Yeti2025 Log" },
1994 { (const uint8_t[]){
1995 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1996 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1997 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1998 },
1999 32, "DigiCert Nessie2020 Log" },
2000 { (const uint8_t[]){
2001 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
2002 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
2003 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
2004 },
2005 32, "DigiCert Nessie2021 Log" },
2006 { (const uint8_t[]){
2007 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
2008 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
2009 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
2010 },
2011 32, "DigiCert Nessie2022 Log" },
2012 { (const uint8_t[]){
2013 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
2014 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
2015 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
2016 },
2017 32, "DigiCert Nessie2023 Log" },
2018 { (const uint8_t[]){
2019 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
2020 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
2021 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
2022 },
2023 32, "DigiCert Nessie2024 Log" },
2024 { (const uint8_t[]){
2025 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
2026 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
2027 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
2028 },
2029 32, "DigiCert Nessie2025 Log" },
2030 { (const uint8_t[]){
2031 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
2032 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
2033 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
2034 },
2035 32, "DigiCert 'Wyvern2024h1' Log" },
2036 { (const uint8_t[]){
2037 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2038 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2039 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2040 },
2041 32, "DigiCert 'Wyvern2024h2' Log" },
2042 { (const uint8_t[]){
2043 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2044 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2045 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2046 },
2047 32, "DigiCert 'Wyvern2025h1' Log" },
2048 { (const uint8_t[]){
2049 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2050 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2051 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2052 },
2053 32, "DigiCert 'Wyvern2025h2' Log" },
2054 { (const uint8_t[]){
2055 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2056 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2057 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2058 },
2059 32, "DigiCert 'Wyvern2026h1'" },
2060 { (const uint8_t[]){
2061 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2062 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2063 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2064 },
2065 32, "DigiCert 'Wyvern2026h2'" },
2066 { (const uint8_t[]){
2067 0x00, 0x1a, 0x5d, 0x1a, 0x1c, 0x2d, 0x93, 0x75, 0xb6, 0x48, 0x55,
2068 0x78, 0xf8, 0x2f, 0x71, 0xa1, 0xae, 0x6e, 0xef, 0x39, 0x7d, 0x29,
2069 0x7c, 0x8a, 0xe3, 0x15, 0x7b, 0xca, 0xde, 0xe1, 0xa0, 0x1e,
2070 },
2071 32, "DigiCert 'Wyvern2027h1'" },
2072 { (const uint8_t[]){
2073 0x37, 0xaa, 0x07, 0xcc, 0x21, 0x6f, 0x2e, 0x6d, 0x91, 0x9c, 0x70,
2074 0x9d, 0x24, 0xd8, 0xf7, 0x31, 0xb0, 0x0f, 0x2b, 0x14, 0x7c, 0x62,
2075 0x1c, 0xc0, 0x91, 0xa5, 0xfa, 0x1a, 0x84, 0xd8, 0x16, 0xdd,
2076 },
2077 32, "DigiCert 'Wyvern2027h2'" },
2078 { (const uint8_t[]){
2079 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2080 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2081 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2082 },
2083 32, "DigiCert 'Sphinx2024h1' Log" },
2084 { (const uint8_t[]){
2085 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2086 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2087 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2088 },
2089 32, "DigiCert 'Sphinx2024h2' Log" },
2090 { (const uint8_t[]){
2091 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2092 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2093 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2094 },
2095 32, "DigiCert 'Sphinx2025h1' Log" },
2096 { (const uint8_t[]){
2097 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2098 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2099 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2100 },
2101 32, "DigiCert 'Sphinx2025h2' Log" },
2102 { (const uint8_t[]){
2103 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2104 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2105 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2106 },
2107 32, "DigiCert 'Sphinx2026h1'" },
2108 { (const uint8_t[]){
2109 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2110 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2111 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2112 },
2113 32, "DigiCert 'Sphinx2026h2'" },
2114 { (const uint8_t[]){
2115 0x46, 0xa2, 0x39, 0x67, 0xc6, 0x0d, 0xb6, 0x46, 0x87, 0xc6, 0x6f,
2116 0x3d, 0xf9, 0x99, 0x94, 0x76, 0x93, 0xa6, 0xa6, 0x11, 0x20, 0x84,
2117 0x57, 0xd5, 0x55, 0xe7, 0xe3, 0xd0, 0xa1, 0xd9, 0xb6, 0x46,
2118 },
2119 32, "DigiCert 'sphinx2027h1'" },
2120 { (const uint8_t[]){
2121 0x1f, 0xb0, 0xf8, 0xa9, 0x2d, 0x8a, 0xdd, 0xa1, 0x21, 0x77, 0x6c,
2122 0x05, 0xe2, 0xaa, 0x2e, 0x15, 0xba, 0xcb, 0xc6, 0x2b, 0x65, 0x39,
2123 0x36, 0x95, 0x57, 0x6a, 0xaa, 0xb5, 0x2e, 0x11, 0xd1, 0x1d,
2124 },
2125 32, "DigiCert 'sphinx2027h2'" },
2126 { (const uint8_t[]){
2127 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2128 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2129 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2130 },
2131 32, "Symantec log" },
2132 { (const uint8_t[]){
2133 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2134 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2135 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2136 },
2137 32, "Symantec 'Vega' log" },
2138 { (const uint8_t[]){
2139 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2140 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2141 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2142 },
2143 32, "Symantec 'Sirius' log" },
2144 { (const uint8_t[]){
2145 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2146 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2147 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2148 },
2149 32, "DigiCert Yeti2022-2 Log" },
2150 { (const uint8_t[]){
2151 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2152 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2153 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2154 },
2155 32, "DigiCert Yeti2018 Log" },
2156 { (const uint8_t[]){
2157 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2158 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2159 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2160 },
2161 32, "DigiCert Yeti2019 Log" },
2162 { (const uint8_t[]){
2163 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2164 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2165 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2166 },
2167 32, "DigiCert Nessie2018 Log" },
2168 { (const uint8_t[]){
2169 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2170 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2171 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2172 },
2173 32, "DigiCert Nessie2019 Log" },
2174 { (const uint8_t[]){
2175 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2176 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2177 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2178 },
2179 32, "Symantec Deneb" },
2180 { (const uint8_t[]){
2181 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2182 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2183 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2184 },
2185 32, "Certly.IO log" },
2186 { (const uint8_t[]){
2187 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2188 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2189 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2190 },
2191 32, "Izenpe log" },
2192 { (const uint8_t[]){
2193 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2194 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2195 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2196 },
2197 32, "Izenpe 'Argi' log" },
2198 { (const uint8_t[]){
2199 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2200 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2201 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2202 },
2203 32, "WoSign log" },
2204 { (const uint8_t[]){
2205 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2206 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2207 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2208 },
2209 32, "WoSign CT log #1" },
2210 { (const uint8_t[]){
2211 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2212 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2213 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2214 },
2215 32, "WoSign log 2" },
2216 { (const uint8_t[]){
2217 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2218 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2219 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2220 },
2221 32, "Venafi log" },
2222 { (const uint8_t[]){
2223 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2224 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2225 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2226 },
2227 32, "Venafi Gen2 CT log" },
2228 { (const uint8_t[]){
2229 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2230 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2231 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2232 },
2233 32, "CNNIC CT log" },
2234 { (const uint8_t[]){
2235 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2236 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2237 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2238 },
2239 32, "StartCom log" },
2240 { (const uint8_t[]){
2241 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2242 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2243 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2244 },
2245 32, "Sectigo 'Sabre' CT log" },
2246 { (const uint8_t[]){
2247 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2248 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2249 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2250 },
2251 32, "Sectigo 'Sabre2024h1'" },
2252 { (const uint8_t[]){
2253 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2254 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2255 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2256 },
2257 32, "Sectigo 'Sabre2024h2'" },
2258 { (const uint8_t[]){
2259 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2260 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2261 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2262 },
2263 32, "Sectigo 'Sabre2025h1'" },
2264 { (const uint8_t[]){
2265 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2266 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2267 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2268 },
2269 32, "Sectigo 'Sabre2025h2'" },
2270 { (const uint8_t[]){
2271 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2272 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2273 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2274 },
2275 32, "Sectigo 'Mammoth' CT log" },
2276 { (const uint8_t[]){
2277 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2278 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2279 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2280 },
2281 32, "Sectigo 'Mammoth2024h1'" },
2282 { (const uint8_t[]){
2283 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2284 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2285 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2286 },
2287 32, "Sectigo 'Mammoth2024h1b'" },
2288 { (const uint8_t[]){
2289 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2290 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2291 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2292 },
2293 32, "Sectigo 'Mammoth2024h2'" },
2294 { (const uint8_t[]){
2295 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2296 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2297 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2298 },
2299 32, "Sectigo 'Mammoth2025h1'" },
2300 { (const uint8_t[]){
2301 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2302 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2303 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2304 },
2305 32, "Sectigo 'Mammoth2025h2'" },
2306 { (const uint8_t[]){
2307 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2308 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2309 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2310 },
2311 32, "Sectigo 'Mammoth2026h1'" },
2312 { (const uint8_t[]){
2313 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2314 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2315 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2316 },
2317 32, "Sectigo 'Mammoth2026h2'" },
2318 { (const uint8_t[]){
2319 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2320 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2321 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2322 },
2323 32, "Sectigo 'Sabre2026h1'" },
2324 { (const uint8_t[]){
2325 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2326 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2327 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2328 },
2329 32, "Sectigo 'Sabre2026h2'" },
2330 { (const uint8_t[]){
2331 0x0d, 0x1d, 0xbc, 0x89, 0x44, 0xe9, 0xf5, 0x00, 0x55, 0x42, 0xd7,
2332 0x2d, 0x3e, 0x14, 0x4c, 0xcc, 0x43, 0x08, 0x2a, 0xb6, 0xea, 0x1e,
2333 0x94, 0xdf, 0xd7, 0x06, 0x65, 0x7d, 0x2e, 0x86, 0xf3, 0x01,
2334 },
2335 32, "Sectigo 'Elephant2025h2'" },
2336 { (const uint8_t[]){
2337 0xd1, 0x6e, 0xa9, 0xa5, 0x68, 0x07, 0x7e, 0x66, 0x35, 0xa0, 0x3f,
2338 0x37, 0xa5, 0xdd, 0xbc, 0x03, 0xa5, 0x3c, 0x41, 0x12, 0x14, 0xd4,
2339 0x88, 0x18, 0xf5, 0xe9, 0x31, 0xb3, 0x23, 0xcb, 0x95, 0x04,
2340 },
2341 32, "Sectigo 'Elephant2026h1'" },
2342 { (const uint8_t[]){
2343 0xaf, 0x67, 0x88, 0x3b, 0x57, 0xb0, 0x4e, 0xdd, 0x8f, 0xa6, 0xd9,
2344 0x7e, 0xf6, 0x2e, 0xa8, 0xeb, 0x81, 0x0a, 0xc7, 0x71, 0x60, 0xf0,
2345 0x24, 0x5e, 0x55, 0xd6, 0x0c, 0x2f, 0xe7, 0x85, 0x87, 0x3a,
2346 },
2347 32, "Sectigo 'Elephant2026h2'" },
2348 { (const uint8_t[]){
2349 0x60, 0x4c, 0x9a, 0xaf, 0x7a, 0x7f, 0x77, 0x5f, 0x01, 0xd4, 0x06,
2350 0xfc, 0x92, 0x0d, 0xc8, 0x99, 0xeb, 0x0b, 0x1c, 0x7d, 0xf8, 0xc9,
2351 0x52, 0x1b, 0xfa, 0xfa, 0x17, 0x77, 0x3b, 0x97, 0x8b, 0xc9,
2352 },
2353 32, "Sectigo 'Elephant2027h1'" },
2354 { (const uint8_t[]){
2355 0xa2, 0x49, 0x0c, 0xdc, 0xdb, 0x8e, 0x33, 0xa4, 0x00, 0x32, 0x17,
2356 0x60, 0xd6, 0xd4, 0xd5, 0x1a, 0x20, 0x36, 0x19, 0x1e, 0xa7, 0x7d,
2357 0x96, 0x8b, 0xe2, 0x6a, 0x8a, 0x00, 0xf6, 0xff, 0xff, 0xf7,
2358 },
2359 32, "Sectigo 'Elephant2027h2'" },
2360 { (const uint8_t[]){
2361 0x5c, 0xa5, 0x77, 0xd2, 0x9b, 0x7f, 0x8b, 0xaf, 0x41, 0x9e, 0xd8,
2362 0xec, 0xab, 0xfb, 0x6d, 0xcb, 0xae, 0xc3, 0x85, 0x37, 0x02, 0xd5,
2363 0x74, 0x6f, 0x17, 0x4d, 0xad, 0x3c, 0x93, 0x4a, 0xa9, 0x6a,
2364 },
2365 32, "Sectigo 'Tiger2025h2'" },
2366 { (const uint8_t[]){
2367 0x16, 0x83, 0x2d, 0xab, 0xf0, 0xa9, 0x25, 0x0f, 0x0f, 0xf0, 0x3a,
2368 0xa5, 0x45, 0xff, 0xc8, 0xbf, 0xc8, 0x23, 0xd0, 0x87, 0x4b, 0xf6,
2369 0x04, 0x29, 0x27, 0xf8, 0xe7, 0x1f, 0x33, 0x13, 0xf5, 0xfa,
2370 },
2371 32, "Sectigo 'Tiger2026h1'" },
2372 { (const uint8_t[]){
2373 0xc8, 0xa3, 0xc4, 0x7f, 0xc7, 0xb3, 0xad, 0xb9, 0x35, 0x6b, 0x01,
2374 0x3f, 0x6a, 0x7a, 0x12, 0x6d, 0xe3, 0x3a, 0x4e, 0x43, 0xa5, 0xc6,
2375 0x46, 0xf9, 0x97, 0xad, 0x39, 0x75, 0x99, 0x1d, 0xcf, 0x9a,
2376 },
2377 32, "Sectigo 'Tiger2026h2'" },
2378 { (const uint8_t[]){
2379 0x1c, 0x9f, 0x68, 0x2c, 0xe9, 0xfa, 0xf0, 0x45, 0x69, 0x50, 0xf8,
2380 0x1b, 0x96, 0x8a, 0x87, 0xdd, 0xdb, 0x32, 0x10, 0xd8, 0x4c, 0xe6,
2381 0xc8, 0xb2, 0xe3, 0x82, 0x52, 0x4a, 0xc4, 0xcf, 0x59, 0x9f,
2382 },
2383 32, "Sectigo 'Tiger2027h1'" },
2384 { (const uint8_t[]){
2385 0x03, 0x80, 0x2a, 0xc2, 0x62, 0xf6, 0xe0, 0x5e, 0x03, 0xf8, 0xbc,
2386 0x6f, 0x7b, 0x98, 0x51, 0x32, 0x4f, 0xd7, 0x6a, 0x3d, 0xf5, 0xb7,
2387 0x59, 0x51, 0x75, 0xe2, 0x22, 0xfb, 0x8e, 0x9b, 0xd5, 0xf6,
2388 },
2389 32, "Sectigo 'Tiger2027h2'" },
2390 { (const uint8_t[]){
2391 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2392 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2393 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2394 },
2395 32, "Sectigo 'Dodo' CT log" },
2396 { (const uint8_t[]){
2397 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2398 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2399 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2400 },
2401 32, "Let's Encrypt 'Oak2020' log" },
2402 { (const uint8_t[]){
2403 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2404 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2405 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2406 },
2407 32, "Let's Encrypt 'Oak2021' log" },
2408 { (const uint8_t[]){
2409 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2410 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2411 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2412 },
2413 32, "Let's Encrypt 'Oak2022' log" },
2414 { (const uint8_t[]){
2415 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2416 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2417 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2418 },
2419 32, "Let's Encrypt 'Oak2023' log" },
2420 { (const uint8_t[]){
2421 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2422 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2423 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2424 },
2425 32, "Let's Encrypt 'Oak2024H1' log" },
2426 { (const uint8_t[]){
2427 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2428 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2429 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2430 },
2431 32, "Let's Encrypt 'Oak2024H2' log" },
2432 { (const uint8_t[]){
2433 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2434 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2435 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2436 },
2437 32, "Let's Encrypt 'Oak2025h1'" },
2438 { (const uint8_t[]){
2439 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2440 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2441 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2442 },
2443 32, "Let's Encrypt 'Oak2025h2'" },
2444 { (const uint8_t[]){
2445 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2446 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2447 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2448 },
2449 32, "Let's Encrypt 'Oak2026h1'" },
2450 { (const uint8_t[]){
2451 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2452 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2453 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2454 },
2455 32, "Let's Encrypt 'Oak2026h2'" },
2456 { (const uint8_t[]){
2457 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2458 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2459 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2460 },
2461 32, "Let's Encrypt 'Oak2019' log" },
2462 { (const uint8_t[]){
2463 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2464 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2465 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2466 },
2467 32, "Let's Encrypt 'Testflume2019' log" },
2468 { (const uint8_t[]){
2469 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2470 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2471 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2472 },
2473 32, "Let's Encrypt 'Sapling 2022h2' log" },
2474 { (const uint8_t[]){
2475 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2476 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2477 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2478 },
2479 32, "Let's Encrypt 'Sapling 2023h1' log" },
2480 { (const uint8_t[]){
2481 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2482 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2483 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2484 },
2485 32, "Let's Encrypt 'Testflume2020' log" },
2486 { (const uint8_t[]){
2487 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2488 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2489 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2490 },
2491 32, "Let's Encrypt 'Testflume2021' log" },
2492 { (const uint8_t[]){
2493 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2494 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2495 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2496 },
2497 32, "Let's Encrypt 'Testflume2022' log" },
2498 { (const uint8_t[]){
2499 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2500 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2501 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2502 },
2503 32, "Let's Encrypt 'Testflume2023' log" },
2504 { (const uint8_t[]){
2505 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2506 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2507 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2508 },
2509 32, "Let's Encrypt 'Clicky' log" },
2510 { (const uint8_t[]){
2511 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2512 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2513 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2514 },
2515 32, "Trust Asia Log2020" },
2516 { (const uint8_t[]){
2517 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2518 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2519 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2520 },
2521 32, "Trust Asia CT2021" },
2522 { (const uint8_t[]){
2523 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2524 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2525 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2526 },
2527 32, "Trust Asia Log2021" },
2528 { (const uint8_t[]){
2529 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2530 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2531 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2532 },
2533 32, "Trust Asia Log2022" },
2534 { (const uint8_t[]){
2535 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2536 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2537 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2538 },
2539 32, "Trust Asia Log2023" },
2540 { (const uint8_t[]){
2541 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2542 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2543 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2544 },
2545 32, "Trust Asia Log2024" },
2546 { (const uint8_t[]){
2547 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2548 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2549 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2550 },
2551 32, "Trust Asia Log2024-2" },
2552 { (const uint8_t[]){
2553 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2554 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2555 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2556 },
2557 32, "TrustAsia Log2025a" },
2558 { (const uint8_t[]){
2559 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2560 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2561 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2562 },
2563 32, "TrustAsia Log2025b" },
2564 { (const uint8_t[]){
2565 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2566 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2567 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2568 },
2569 32, "TrustAsia 'log2026a'" },
2570 { (const uint8_t[]){
2571 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2572 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2573 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2574 },
2575 32, "TrustAsia 'log2026b'" },
2576 { (const uint8_t[]){
2577 0xed, 0xda, 0xeb, 0x81, 0x5c, 0x63, 0x21, 0x34, 0x49, 0xb4, 0x7b,
2578 0xe5, 0x07, 0x79, 0x05, 0xab, 0xd0, 0xd9, 0x31, 0x47, 0xc2, 0x7a,
2579 0xc5, 0x14, 0x6b, 0x3b, 0xc5, 0x8e, 0x43, 0xe9, 0xb6, 0xc7,
2580 },
2581 32, "TrustAsia 'HETU2027'" },
2582 { (const uint8_t[]){
2583 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2584 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2585 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2586 },
2587 32, "Trust Asia Log1" },
2588 { (const uint8_t[]){
2589 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2590 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2591 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2592 },
2593 32, "GDCA CT log #1" },
2594 { (const uint8_t[]){
2595 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2596 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2597 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2598 },
2599 32, "GDCA CT log #2" },
2600 { (const uint8_t[]){
2601 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2602 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2603 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2604 },
2605 32, "GDCA Log 1" },
2606 { (const uint8_t[]){
2607 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2608 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2609 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2610 },
2611 32, "GDCA Log 2" },
2612 { (const uint8_t[]){
2613 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2614 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2615 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2616 },
2617 32, "PuChuangSiDa CT log" },
2618 { (const uint8_t[]){
2619 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2620 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2621 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2622 },
2623 32, "Nordu 'flimsy' log" },
2624 { (const uint8_t[]){
2625 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2626 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2627 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2628 },
2629 32, "Nordu 'plausible' log" },
2630 { (const uint8_t[]){
2631 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2632 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2633 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2634 },
2635 32, "SHECA CT log 1" },
2636 { (const uint8_t[]){
2637 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2638 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2639 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2640 },
2641 32, "SHECA CT log 2" },
2642 { (const uint8_t[]){
2643 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2644 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2645 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2646 },
2647 32, "Akamai CT Log" },
2648 { (const uint8_t[]){
2649 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2650 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2651 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2652 },
2653 32, "Alpha CT Log" },
2654 { (const uint8_t[]){
2655 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2656 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2657 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2658 },
2659 32, "Up In The Air 'Behind the Sofa' log" },
2660 { (const uint8_t[]){
2661 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2662 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2663 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2664 },
2665 32, "Qihoo 360 2020" },
2666 { (const uint8_t[]){
2667 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2668 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2669 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2670 },
2671 32, "Qihoo 360 2021" },
2672 { (const uint8_t[]){
2673 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2674 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2675 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2676 },
2677 32, "Qihoo 360 2022" },
2678 { (const uint8_t[]){
2679 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2680 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2681 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2682 },
2683 32, "Qihoo 360 2023" },
2684 { (const uint8_t[]){
2685 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2686 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2687 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2688 },
2689 32, "Qihoo 360 v1 2020" },
2690 { (const uint8_t[]){
2691 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2692 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2693 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2694 },
2695 32, "Qihoo 360 v1 2021" },
2696 { (const uint8_t[]){
2697 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2698 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2699 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2700 },
2701 32, "Qihoo 360 v1 2022" },
2702 { (const uint8_t[]){
2703 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2704 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2705 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2706 },
2707 32, "Qihoo 360 v1 2023" },
2708 { (const uint8_t[]){
2709 0x2e, 0xd6, 0xa4, 0x4d, 0xeb, 0x8f, 0x0c, 0x86, 0x46, 0x67, 0x76,
2710 0x9c, 0x4e, 0xdd, 0x04, 0x1f, 0x84, 0x23, 0x67, 0x55, 0xfa, 0x3a,
2711 0xac, 0xa6, 0x34, 0xd0, 0x93, 0x5d, 0xfc, 0xd5, 0x9a, 0x70,
2712 },
2713 32, "Bogus placeholder log to unbreak misbehaving CT libraries" },
2714 { (const uint8_t[]){
2715 0x39, 0xb9, 0x87, 0x88, 0x28, 0x19, 0x5f, 0x3b, 0x2d, 0x0d, 0x1b,
2716 0x48, 0x14, 0xa3, 0xae, 0x8c, 0x0d, 0x01, 0xfe, 0x48, 0x62, 0x21,
2717 0xdd, 0x69, 0x39, 0x7d, 0x76, 0xf7, 0x85, 0x74, 0x11, 0xc3,
2718 },
2719 32, "Merklemap 'CompactLog' log" },
2720 { (const uint8_t[]){
2721 0xd2, 0xfc, 0x65, 0x2f, 0xa5, 0xf9, 0xb7, 0x38, 0xb8, 0x37, 0x55,
2722 0xfa, 0x5e, 0xb1, 0x5f, 0x0b, 0x45, 0x25, 0x3f, 0x4e, 0x8f, 0xa3,
2723 0xb9, 0xb6, 0x4f, 0xd4, 0xde, 0x56, 0x62, 0xd1, 0x87, 0x08,
2724 },
2725 32, "Bogus RFC6962 log to avoid breaking misbehaving CT libraries" },
2726 { NULL((void*)0), 0, NULL((void*)0) }
2727};
2728
2729/*
2730 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2731 */
/* Dissector table keyed by the negotiated ALPN protocol name for TLS.
 * Registration and the lookup that consults it live elsewhere in this
 * file; see ssl_alpn_prefix_match_protocols below for the prefix-based
 * fallback used for versioned draft names. */
static dissector_table_t ssl_alpn_dissector_table;
/* Same as above, for ALPN negotiated over DTLS. */
static dissector_table_t dtls_alpn_dissector_table;
2734
2735/*
2736 * Special cases for prefix matching of the ALPN, if the ALPN includes
2737 * a version number for a draft or protocol revision.
2738 */
typedef struct ssl_alpn_prefix_match_protocol {
    const char *proto_prefix;    /* leading part of the ALPN string, e.g. "h2-" */
    const char *dissector_name;  /* dissector to hand the payload to on a prefix hit */
} ssl_alpn_prefix_match_protocol_t;
2743
/*
 * Prefix table for ALPN values that carry a draft or protocol revision
 * after a fixed stem.  An ALPN string beginning with proto_prefix is
 * presumably routed to dissector_name by the lookup code (not in this
 * section); the table is small and scanned in order.
 */
static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
    /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
     * already exists 3.1 as of this writing... match the prefix. */
    { .proto_prefix = "spdy/", .dissector_name = "spdy" },
    /* draft-ietf-httpbis-http2-16 draft versions ("h2-14", "h2-16", ...) */
    { .proto_prefix = "h2-", .dissector_name = "http2" },
};
2751
/* CertificateCompressionAlgorithm ids from RFC 8879 (TLS Certificate
 * Compression); NULL-terminated for val_to_str-style lookups. */
const value_string compress_certificate_algorithm_vals[] = {
    { 1, "zlib" },
    { 2, "brotli" },
    { 3, "zstd" },
    { 0, NULL }
};
2758
2759
/*
 * QUIC transport parameter ids: the RFC 9000 (section 18.2) set first,
 * followed by extension, draft and vendor-specific ids.  Looked up with
 * val64_to_str_const() from quic_transport_parameter_id_base_custom();
 * reserved GREASE ids are special-cased there and never reach this table.
 * Entry order is irrelevant to the lookup (0x09 before 0x08 is harmless).
 */
const val64_string quic_transport_parameter_id[] = {
    { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID, "original_destination_connection_id" },
    { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT, "max_idle_timeout" },
    { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN, "stateless_reset_token" },
    { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE, "max_udp_payload_size" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_DATA, "initial_max_data" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL, "initial_max_stream_data_bidi_local" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE, "initial_max_stream_data_bidi_remote" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI, "initial_max_stream_data_uni" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI, "initial_max_streams_uni" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI, "initial_max_streams_bidi" },
    { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT, "ack_delay_exponent" },
    { SSL_HND_QUIC_TP_MAX_ACK_DELAY, "max_ack_delay" },
    { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION, "disable_active_migration" },
    { SSL_HND_QUIC_TP_PREFERRED_ADDRESS, "preferred_address" },
    { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT, "active_connection_id_limit" },
    { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID, "initial_source_connection_id" },
    { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID, "retry_source_connection_id" },
    { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE, "max_datagram_frame_size" }, /* RFC 9221 */
    { SSL_HND_QUIC_TP_CIBIR_ENCODING, "cibir_encoding" },
    { SSL_HND_QUIC_TP_LOSS_BITS, "loss_bits" },
    { SSL_HND_QUIC_TP_GREASE_QUIC_BIT, "grease_quic_bit" },
    { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP, "enable_time_stamp" },
    { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V2, "enable_time_stamp_v2" },
    { SSL_HND_QUIC_TP_VERSION_INFORMATION, "version_information" }, /* RFC 9368 */
    { SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT, "version_information_draft" },
    /* Pre-draft codepoint; shares the display name with the final one below. */
    { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD, "min_ack_delay" },
    { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT, "google_user_agent" },
    { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED, "google_key_update_not_yet_supported" },
    { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION, "google_quic_version" },
    { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT, "google_initial_rtt" },
    { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE, "google_support_handshake_done" },
    { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS, "google_quic_params" },
    { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS, "google_connection_options" },
    { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY, "facebook_partial_reliability" },
    { SSL_HND_QUIC_TP_ADDRESS_DISCOVERY, "address_discovery" },
    { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V1, "min_ack_delay (draft-01)" },
    { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT05, "min_ack_delay (draft-05)" },
    { SSL_HND_QUIC_TP_MIN_ACK_DELAY, "min_ack_delay" },
    { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT04, "enable_multipath (draft-04)" },
    { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT05, "enable_multipath (draft-05)" },
    { SSL_HND_QUIC_TP_ENABLE_MULTIPATH, "enable_multipath (draft-06)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS, "initial_max_paths (draft-07/08)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT09, "initial_max_path_id (draft-09/10)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT11, "initial_max_path_id (draft-11)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT12, "initial_max_path_id (draft-12)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT13, "initial_max_path_id (draft-13)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID, "initial_max_path_id" },
    { 0, NULL }
};
2810
2811/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00 */
/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00
 * Values of the address_discovery transport parameter (0x9f81a176 above):
 * a two-bit willingness/interest encoding. */
const val64_string quic_address_discovery_vals[] = {
    { 0, "The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself" },
    { 1, "The node is interested in receiving address observations, but it is not willing to provide address observations" },
    { 2, "The node is interested in receiving address observations, and it is willing to provide address observations" },
    { 0, NULL }
};
2818
2819/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
/* https://tools.ietf.org/html/draft-huitema-quic-ts-03
 * Values of enable_time_stamp_v2 (0x7158): bit 0 = wants to receive,
 * bit 1 = can generate, 3 = both. */
const val64_string quic_enable_time_stamp_v2_vals[] = {
    { 1, "I would like to receive TIME_STAMP frames" },
    { 2, "I am able to generate TIME_STAMP frames" },
    { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
    { 0, NULL }
};
2826
2827/* https://datatracker.ietf.org/doc/draft-ietf-quic-multipath/04/ */
/* https://datatracker.ietf.org/doc/draft-ietf-quic-multipath/04/
 * Values of the draft-04 enable_multipath transport parameter; later
 * drafts replaced it with initial_max_paths / initial_max_path_id
 * (see the ids in quic_transport_parameter_id). */
const val64_string quic_enable_multipath_vals[] = {
    { 0, "don't support multipath" },
    { 1, "support multipath as defined in this document" },
    { 0, NULL }
};
2833
2834/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt
 * ECHClientHelloType: the first byte of the encrypted_client_hello
 * extension tells whether this ClientHello is the outer (encrypting)
 * or inner (encrypted) one. */
const value_string tls_hello_ext_ech_clienthello_types[] = {
    { 0, "Outer Client Hello" },
    { 1, "Inner Client Hello" },
    { 0, NULL }
};
2840
2841/* RFC 9180 */
/* RFC 9180 (HPKE) KEM identifiers, as carried in ECH configurations. */
const value_string kem_id_type_vals[] = {
    { 0x0000, "Reserved" },
    { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
    { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
    { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
    { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
    { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
    { 0, NULL }
};
/* RFC 9180 (HPKE) KDF identifiers. */
const value_string kdf_id_type_vals[] = {
    { 0x0000, "Reserved" },
    { 0x0001, "HKDF-SHA256" },
    { 0x0002, "HKDF-SHA384" },
    { 0x0003, "HKDF-SHA512" },
    { 0, NULL }
};
/* RFC 9180 (HPKE) AEAD identifiers; 0xFFFF is the export-only
 * pseudo-AEAD that provides no encryption at all. */
const value_string aead_id_type_vals[] = {
    { 0x0000, "Reserved" },
    { 0x0001, "AES-128-GCM" },
    { 0x0002, "AES-256-GCM" },
    { 0x0003, "ChaCha20Poly1305" },
    { 0xFFFF, "Export-only" },
    { 0, NULL }
};
2866
/* TokenBindingKeyParameters from RFC 8471 (Token Binding Protocol). */
const value_string token_binding_key_parameter_vals[] = {
    { 0, "rsa2048_pkcs1.5" },
    { 1, "rsa2048_pss" },
    { 2, "ecdsap256" },
    { 0, NULL }
};
2873
2874/* Lookup tables }}} */
2875
/*
 * Custom field formatter for a QUIC transport parameter id.  Writes
 * "<name> (0x<id>)" into result, which must hold ITEM_LABEL_LENGTH bytes.
 * Reserved GREASE ids (27 + 31*N, see IS_GREASE_QUIC) are labelled
 * "GREASE" without consulting the table; everything else is resolved via
 * quic_transport_parameter_id and falls back to "Unknown".
 */
void
quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
{
    const char *name = IS_GREASE_QUIC(parameter_id)
        ? "GREASE"
        : val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");

    snprintf(result, ITEM_LABEL_LENGTH, "%s (0x%02" PRIx64 ")", name, parameter_id);
}
2887
2888/* we keep this internal to packet-tls-utils, as there should be
2889 no need to access it any other way.
2890
2891 This also allows us to hide the dependency on zlib.
2892*/
struct _SslDecompress {
    int compression;      /* TLS compression method id this state was created for */
#ifdef USE_ZLIB_OR_ZLIBNG
    zlib_stream istream;  /* inflate stream; only present in zlib/zlib-ng builds */
#endif
};
2899
2900/* To assist in parsing client/server key exchange messages
2901 0 indicates unknown */
/*
 * Map a TLS cipher-suite id to its key-exchange algorithm (KEX_*).
 * Returns 0 for a suite that is not in the tables (including TLS 1.3
 * suites, whose key exchange is not encoded in the suite id).
 *
 * The per-algorithm lists below are a straight transcription of the
 * former switch statement, one array per KEX_* value.
 */
int ssl_get_keyex_alg(int cipher)
{
    /* Map Cipher suite number to Key Exchange algorithm {{{ */
    static const uint16_t dh_anon[] = {
        0x0017, 0x0018, 0x0019, 0x001a, 0x001b, 0x0034, 0x003a, 0x0046, 0x006c,
        0x006d, 0x0089, 0x009b, 0x00a6, 0x00a7, 0x00bf, 0x00c5, 0xc084, 0xc085,
    };
    static const uint16_t dh_dss[] = {
        0x000b, 0x000c, 0x000d, 0x0030, 0x0036, 0x003e, 0x0042, 0x0068, 0x0085,
        0x0097, 0x00a4, 0x00a5, 0x00bb, 0x00c1, 0xc082, 0xc083,
    };
    static const uint16_t dh_rsa[] = {
        0x000e, 0x000f, 0x0010, 0x0031, 0x0037, 0x003f, 0x0043, 0x0069, 0x0086,
        0x0098, 0x00a0, 0x00a1, 0x00bc, 0x00c2, 0xc07e, 0xc07f,
    };
    static const uint16_t dhe_dss[] = {
        0x0011, 0x0012, 0x0013, 0x0032, 0x0038, 0x0040, 0x0044, 0x0063, 0x0065,
        0x0066, 0x006a, 0x0087, 0x0099, 0x00a2, 0x00a3, 0x00bd, 0x00c3, 0xc080,
        0xc081,
    };
    static const uint16_t dhe_psk[] = {
        0x002d, 0x008e, 0x008f, 0x0090, 0x0091, 0x00aa, 0x00ab, 0x00b2, 0x00b3,
        0x00b4, 0x00b5, 0xc090, 0xc091, 0xc096, 0xc097, 0xc0a6, 0xc0a7, 0xc0aa,
        0xc0ab, 0xccad, 0xe41c, 0xe41d,
    };
    static const uint16_t dhe_rsa[] = {
        0x0014, 0x0015, 0x0016, 0x0033, 0x0039, 0x0045, 0x0067, 0x006b, 0x0088,
        0x009a, 0x009e, 0x009f, 0x00be, 0x00c4, 0xc07c, 0xc07d, 0xc09e, 0xc09f,
        0xc0a2, 0xc0a3, 0xccaa, 0xe41e, 0xe41f,
    };
    static const uint16_t ecdh_anon[] = {
        0xc015, 0xc016, 0xc017, 0xc018, 0xc019,
    };
    static const uint16_t ecdh_ecdsa[] = {
        0xc001, 0xc002, 0xc003, 0xc004, 0xc005, 0xc025, 0xc026, 0xc02d, 0xc02e,
        0xc074, 0xc075, 0xc088, 0xc089,
    };
    static const uint16_t ecdh_rsa[] = {
        0xc00b, 0xc00c, 0xc00d, 0xc00e, 0xc00f, 0xc029, 0xc02a, 0xc031, 0xc032,
        0xc078, 0xc079, 0xc08c, 0xc08d,
    };
    static const uint16_t ecdhe_ecdsa[] = {
        0xc006, 0xc007, 0xc008, 0xc009, 0xc00a, 0xc023, 0xc024, 0xc02b, 0xc02c,
        0xc072, 0xc073, 0xc086, 0xc087, 0xc0ac, 0xc0ad, 0xc0ae, 0xc0af, 0xcca9,
        0xe414, 0xe415,
    };
    static const uint16_t ecdhe_psk[] = {
        0xc033, 0xc034, 0xc035, 0xc036, 0xc037, 0xc038, 0xc039, 0xc03a, 0xc03b,
        0xc09a, 0xc09b, 0xccac, 0xe418, 0xe419, 0xd001, 0xd002, 0xd003, 0xd005,
    };
    static const uint16_t ecdhe_rsa[] = {
        0xc010, 0xc011, 0xc012, 0xc013, 0xc014, 0xc027, 0xc028, 0xc02f, 0xc030,
        0xc076, 0xc077, 0xc08a, 0xc08b, 0xcca8, 0xe412, 0xe413,
    };
    static const uint16_t krb5[] = {
        0x001e, 0x001f, 0x0020, 0x0021, 0x0022, 0x0023, 0x0024, 0x0025, 0x0026,
        0x0027, 0x0028, 0x0029, 0x002a, 0x002b,
    };
    static const uint16_t psk[] = {
        0x002c, 0x008a, 0x008b, 0x008c, 0x008d, 0x00a8, 0x00a9, 0x00ae, 0x00af,
        0x00b0, 0x00b1, 0xc064, 0xc065, 0xc08e, 0xc08f, 0xc094, 0xc095, 0xc0a4,
        0xc0a5, 0xc0a8, 0xc0a9, 0xccab, 0xe416, 0xe417,
    };
    static const uint16_t rsa[] = {
        0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0006, 0x0007, 0x0008, 0x0009,
        0x000a, 0x002f, 0x0035, 0x003b, 0x003c, 0x003d, 0x0041, 0x0060, 0x0061,
        0x0062, 0x0064, 0x0084, 0x0096, 0x009c, 0x009d, 0x00ba, 0x00c0, 0xc07a,
        0xc07b, 0xc09c, 0xc09d, 0xc0a0, 0xc0a1, 0xe410, 0xe411, 0xfefe, 0xfeff,
        0xffe0, 0xffe1,
    };
    static const uint16_t rsa_psk[] = {
        0x002e, 0x0092, 0x0093, 0x0094, 0x0095, 0x00ac, 0x00ad, 0x00b6, 0x00b7,
        0x00b8, 0x00b9, 0xc092, 0xc093, 0xc098, 0xc099, 0xccae, 0xe41a, 0xe41b,
    };
    static const uint16_t srp_sha[]     = { 0xc01a, 0xc01d, 0xc020 };
    static const uint16_t srp_sha_dss[] = { 0xc01c, 0xc01f, 0xc022 };
    static const uint16_t srp_sha_rsa[] = { 0xc01b, 0xc01e, 0xc021 };
    static const uint16_t ecjpake[]     = { 0xc0ff };
    static const uint16_t ecc_sm2[]     = { 0xe003, 0xe013, 0xe053 };

#define KEX_GROUP(arr, kex) { (arr), sizeof(arr) / sizeof((arr)[0]), (kex) }
    static const struct {
        const uint16_t *suites;
        size_t          count;
        int             kex;
    } kex_groups[] = {
        KEX_GROUP(dh_anon,     KEX_DH_ANON),
        KEX_GROUP(dh_dss,      KEX_DH_DSS),
        KEX_GROUP(dh_rsa,      KEX_DH_RSA),
        KEX_GROUP(dhe_dss,     KEX_DHE_DSS),
        KEX_GROUP(dhe_psk,     KEX_DHE_PSK),
        KEX_GROUP(dhe_rsa,     KEX_DHE_RSA),
        KEX_GROUP(ecdh_anon,   KEX_ECDH_ANON),
        KEX_GROUP(ecdh_ecdsa,  KEX_ECDH_ECDSA),
        KEX_GROUP(ecdh_rsa,    KEX_ECDH_RSA),
        KEX_GROUP(ecdhe_ecdsa, KEX_ECDHE_ECDSA),
        KEX_GROUP(ecdhe_psk,   KEX_ECDHE_PSK),
        KEX_GROUP(ecdhe_rsa,   KEX_ECDHE_RSA),
        KEX_GROUP(krb5,        KEX_KRB5),
        KEX_GROUP(psk,         KEX_PSK),
        KEX_GROUP(rsa,         KEX_RSA),
        KEX_GROUP(rsa_psk,     KEX_RSA_PSK),
        KEX_GROUP(srp_sha,     KEX_SRP_SHA),
        KEX_GROUP(srp_sha_dss, KEX_SRP_SHA_DSS),
        KEX_GROUP(srp_sha_rsa, KEX_SRP_SHA_RSA),
        KEX_GROUP(ecjpake,     KEX_ECJPAKE),
        KEX_GROUP(ecc_sm2,     KEX_ECC_SM2),
    };
#undef KEX_GROUP

    size_t g, i;

    for (g = 0; g < sizeof kex_groups / sizeof kex_groups[0]; g++) {
        for (i = 0; i < kex_groups[g].count; i++) {
            /* uint16_t promotes to int, so an id outside 0..0xffff can
             * never alias a 16-bit suite id (same as the old switch). */
            if (kex_groups[g].suites[i] == cipher)
                return kex_groups[g].kex;
        }
    }

    return 0;
    /* }}} */
}
3240
3241static wmem_list_t *connection_id_session_list;
3242
/* Create the (empty) CID session list in wmem_file_scope, i.e. it lives
 * for the duration of the capture file. */
void
ssl_init_cid_list(void) {
    connection_id_session_list = wmem_list_new(wmem_file_scope());
}
3247
/* Destroy the CID session list.  Only the list is freed; the sessions it
 * points to are not touched here.  The pointer is left dangling, so
 * ssl_init_cid_list() must run again before any further use. */
void
ssl_cleanup_cid_list(void) {
    wmem_destroy_list(connection_id_session_list);
}
3252
/* Register a session so that ssl_get_session_by_cid() can find it by its
 * client or server CID.  Appends unconditionally; no duplicate check. */
void
ssl_add_session_by_cid(SslDecryptSession *session)
{
    wmem_list_append(connection_id_session_list, session);
}
3258
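/* True when tvb really holds cid_len bytes at offset and they equal cid.
 * A zero-length cid never matches, so sessions without a CID in one
 * direction cannot match on an empty comparison. */
static bool
ssl_cid_matches_tvb(tvbuff_t *tvb, uint32_t offset, const uint8_t *cid, unsigned cid_len)
{
    return cid_len > 0
        && tvb_bytes_exist(tvb, offset, cid_len)
        && tvb_memeql(tvb, offset, cid, cid_len) == 0;
}

/*
 * Find the decryption session whose client or server connection id (CID)
 * matches the bytes at tvb[offset].  The list is scanned in insertion
 * order and the first match is returned; NULL if nothing matches.
 *
 * Both CIDs are compared only after tvb_bytes_exist() confirms the tvb
 * holds that many bytes at offset.  Previously only the client CID had
 * that guard and the server CID relied on tvb_memeql() coping with a
 * short buffer; both directions are now checked the same way, so a
 * truncated record is never compared against a longer CID.
 */
SslDecryptSession *
ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
{
    wmem_list_frame_t *it;

    for (it = wmem_list_head(connection_id_session_list); it != NULL; it = wmem_list_frame_next(it)) {
        SslDecryptSession *ssl = (SslDecryptSession *)wmem_list_frame_data(it);
        SslSession *session;

        DISSECTOR_ASSERT(ssl != NULL);
        session = &ssl->session;

        if (ssl_cid_matches_tvb(tvb, offset, session->client_cid, session->client_cid_len) ||
            ssl_cid_matches_tvb(tvb, offset, session->server_cid, session->server_cid_len)) {
            return ssl;
        }
    }

    return NULL;
}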
3287
3288/* StringInfo structure (len + data) functions {{{ */
3289
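/*
 * Allocate str->data with g_malloc() for len bytes and record the size in
 * str->data_len.  Returns 0 on success, -1 on failure.  len == 0 is
 * allowed: the allocator may then legitimately hand back NULL.
 *
 * data_len is an unsigned int, so a len that does not fit is rejected up
 * front rather than being silently truncated into a recorded size that
 * no longer matches the allocation.
 */
int
ssl_data_alloc(StringInfo* str, size_t len)
{
    if (len != (size_t)(unsigned) len)
        return -1;

    str->data = (unsigned char *)g_malloc(len);
    /* the allocator can return a null pointer for a size equal to 0,
     * and that must be allowed */
    if (len > 0 && !str->data)
        return -1;

    str->data_len = (unsigned) len;
    return 0;
}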
3301
/*
 * Copy len bytes from data into str->data and record len as the content
 * length.  data must be non-NULL (dissector bug otherwise).
 *
 * No capacity check is possible here: data_len is the content length,
 * not the allocation size (ssl_data_clone() calls this on a freshly
 * zeroed StringInfo), so the caller must guarantee str->data has room
 * for len bytes.
 */
void
ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
{
    DISSECTOR_ASSERT(data);
    str->data_len = len;
    memcpy(str->data, data, len);
}
3309
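/*
 * Resize str->data to len bytes with g_realloc() and update data_len.
 * Returns 0 on success, -1 if the result is NULL.
 *
 * Assigning the result straight back is safe with GLib: g_realloc() is
 * documented to abort on allocation failure, and for len == 0 it frees
 * the old block and returns NULL, so there is no leaked original.  On
 * that NULL path data_len is now zeroed as well, so the StringInfo never
 * advertises bytes behind a NULL pointer.
 */
static int
ssl_data_realloc(StringInfo* str, unsigned len)
{
    str->data = (unsigned char *)g_realloc(str->data, len);
    if (!str->data) {
        str->data_len = 0;
        return -1;
    }
    str->data_len = len;
    return 0;
}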
3319
/*
 * Deep-copy a StringInfo into a single file-scoped (wmem_file_scope)
 * allocation: the header is followed immediately by the bytes, and the
 * copy's data pointer aims just past the header.  The result is freed
 * with the capture file, never explicitly.
 */
static StringInfo *
ssl_data_clone(StringInfo *str)
{
    const size_t total = sizeof(StringInfo) + str->data_len;
    StringInfo *copy = (StringInfo *)wmem_alloc0(wmem_file_scope(), total);

    copy->data = (unsigned char *)(copy + 1);
    ssl_data_set(copy, str->data, str->data_len);
    return copy;
}
3330
/*
 * Copy src's bytes into dst, growing dst->data with ssl_data_realloc()
 * when its current data_len is too small.  Returns 0 on success, -1 if
 * the reallocation failed (dst is then left as ssl_data_realloc left it).
 */
static int
ssl_data_copy(StringInfo* dst, StringInfo* src)
{
    const unsigned n = src->data_len;

    if (n > dst->data_len && ssl_data_realloc(dst, n) != 0)
        return -1;

    memcpy(dst->data, src->data, n);
    dst->data_len = n;
    return 0;
}
3342
3343/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
3344 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
3345 * success. */
/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
 * success.
 *
 * On failure (odd length, or a non-hex character) out->data_len is left
 * untouched and out->data may point at a partially filled file-scoped
 * buffer; callers are expected to act on the return value only. */
static bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
    const size_t byte_len = hex_len / 2;
    size_t i;

    if (hex_len % 2 != 0)
        return false;

    out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), byte_len);
    for (i = 0; i < byte_len; i++) {
        const int hi = ws_xton(in[2 * i]);
        const int lo = ws_xton(in[2 * i + 1]);
        if (hi == -1 || lo == -1)
            return false;
        out->data[i] = (unsigned char)(hi << 4 | lo);
    }
    out->data_len = (unsigned)hex_len / 2;
    return true;
}
3363/* StringInfo structure (len + data) functions }}} */
3364
3365
3366/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3367/* hmac abstraction layer */
3368#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
3369
/* Open an HMAC context for the given libgcrypt digest algorithm.
 * Returns 0 on success, -1 after logging the libgcrypt error. */
static inline int
ssl_hmac_init(SSL_HMAC* md, int algo)
{
    const gcry_error_t err = gcry_md_open(md, algo, GCRY_MD_FLAG_HMAC);

    if (err == 0)
        return 0;

    ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s",
                     gcry_strerror(err), gcry_strsource(err));
    return -1;
}
3385
/* Load the HMAC key into an open context.  Returns 0 on success, -1
 * after logging the libgcrypt error. */
static inline int
ssl_hmac_setkey(SSL_HMAC* md, const void * key, int len)
{
    const gcry_error_t err = gcry_md_setkey(*md, key, len);

    if (err == 0)
        return 0;

    ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s",
                     gcry_strerror(err), gcry_strsource(err));
    return -1;
}
3401
/* Reset the HMAC context for a new message; the key stays loaded.
 * Always returns 0 (kept for symmetry with the other init-style wrappers). */
static inline int
ssl_hmac_reset(SSL_HMAC* md)
{
    gcry_md_reset(*md);
    return 0;
}
3408
/* Feed len bytes of data into the HMAC. */
static inline void
ssl_hmac_update(SSL_HMAC* md, const void* data, int len)
{
    gcry_md_write(*md, data, len);
}
/*
 * Finish the HMAC and copy it into data.  On entry *datalen is the
 * capacity of data; on return it holds the number of bytes written.
 * A buffer smaller than the digest is treated as a dissector bug rather
 * than overflowed.
 */
static inline void
ssl_hmac_final(SSL_HMAC* md, unsigned char* data, unsigned* datalen)
{
    const int algo = gcry_md_get_algo(*md);
    const unsigned len = gcry_md_get_algo_dlen(algo);

    DISSECTOR_ASSERT(len <= *datalen);
    memcpy(data, gcry_md_read(*md, algo), len);
    *datalen = len;
}
/* Release the HMAC context (and the key material libgcrypt holds for it). */
static inline void
ssl_hmac_cleanup(SSL_HMAC* md)
{
    gcry_md_close(*md);
}
3431
3432/* message digest abstraction layer*/
3433#define SSL_MDgcry_md_hd_t gcry_md_hd_t
3434
/* Open a plain (non-keyed) message-digest context for algo.
 * Returns 0 on success, -1 after logging the libgcrypt error. */
static inline int
ssl_md_init(SSL_MD* md, int algo)
{
    const gcry_error_t err = gcry_md_open(md, algo, 0);

    if (err == 0)
        return 0;

    ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s",
                     gcry_strerror(err), gcry_strsource(err));
    return -1;
}
/* Feed len bytes of data into the digest. */
static inline void
ssl_md_update(SSL_MD* md, const unsigned char* data, unsigned len)
{
    gcry_md_write(*md, data, len);
}
/*
 * Finish the digest and copy it into data; *datalen receives the digest
 * length.
 *
 * NOTE(review): unlike ssl_hmac_final() there is no capacity check and
 * *datalen is only written, never read, so every caller must size data
 * for the largest digest in use (DIGEST_MAX_SIZE, 48 bytes).  Adding the
 * same DISSECTOR_ASSERT(len <= *datalen) here is only safe once all
 * callers are confirmed to initialise *datalen before the call.
 */
static inline void
ssl_md_final(SSL_MD* md, unsigned char* data, unsigned* datalen)
{
    const int algo = gcry_md_get_algo(*md);
    const int len = gcry_md_get_algo_dlen(algo);

    memcpy(data, gcry_md_read(*md, algo), len);
    *datalen = len;
}
/* Release the digest context. */
static inline void
ssl_md_cleanup(SSL_MD* md)
{
    gcry_md_close(*md);
}
3469
/* Reset the digest context so it can hash a new message. */
static inline void
ssl_md_reset(SSL_MD* md)
{
    gcry_md_reset(*md);
}
3475
3476/* md5 /sha abstraction layer */
3477#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3478#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
3479
/* Open a SHA-1 digest context (used by the SSLv3/TLS 1.0-1.1 PRF and MAC
 * paths).  Returns 0 on success, -1 after logging the libgcrypt error. */
static inline int
ssl_sha_init(SSL_SHA_CTX* md)
{
    const gcry_error_t err = gcry_md_open(md, GCRY_MD_SHA1, 0);

    if (err == 0)
        return 0;

    ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s",
                     gcry_strerror(err), gcry_strsource(err));
    return -1;
}
/* Feed len bytes into the SHA-1 context. */
static inline void
ssl_sha_update(SSL_SHA_CTX* md, unsigned char* data, int len)
{
    gcry_md_write(*md, data, len);
}
/* Copy the finished SHA-1 digest into buf.  There is no length
 * parameter: buf must hold the full SHA-1 output (20 bytes). */
static inline void
ssl_sha_final(unsigned char* buf, SSL_SHA_CTX* md)
{
    const size_t digest_len = gcry_md_get_algo_dlen(GCRY_MD_SHA1);

    memcpy(buf, gcry_md_read(*md, GCRY_MD_SHA1), digest_len);
}
3505
/* Reset the SHA-1 context for a new message. */
static inline void
ssl_sha_reset(SSL_SHA_CTX* md)
{
    gcry_md_reset(*md);
}
3511
/* Release the SHA-1 context. */
static inline void
ssl_sha_cleanup(SSL_SHA_CTX* md)
{
    gcry_md_close(*md);
}
3517
/* Open an MD5 digest context (needed for the SSLv3/TLS 1.0-1.1 PRF and
 * legacy MACs; MD5 is not used for anything security-relevant beyond
 * reproducing what the peers computed).  Returns 0 on success, -1 after
 * logging the libgcrypt error. */
static inline int
ssl_md5_init(SSL_MD5_CTX* md)
{
    const gcry_error_t err = gcry_md_open(md, GCRY_MD_MD5, 0);

    if (err == 0)
        return 0;

    ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s",
                     gcry_strerror(err), gcry_strsource(err));
    return -1;
}
/* Feed len bytes into the MD5 context. */
static inline void
ssl_md5_update(SSL_MD5_CTX* md, unsigned char* data, int len)
{
    gcry_md_write(*md, data, len);
}
/* Copy the finished MD5 digest into buf.  There is no length parameter:
 * buf must hold the full MD5 output (16 bytes). */
static inline void
ssl_md5_final(unsigned char* buf, SSL_MD5_CTX* md)
{
    const size_t digest_len = gcry_md_get_algo_dlen(GCRY_MD_MD5);

    memcpy(buf, gcry_md_read(*md, GCRY_MD_MD5), digest_len);
}
3543
/* Reset the MD5 context for a new message. */
static inline void
ssl_md5_reset(SSL_MD5_CTX* md)
{
    gcry_md_reset(*md);
}
3549
/* Release the MD5 context. */
static inline void
ssl_md5_cleanup(SSL_MD5_CTX* md)
{
    gcry_md_close(*md);
}
3555/* libgcrypt wrappers for HMAC/message digest operations }}} */
3556
3557/* libgcrypt wrappers for Cipher state manipulation {{{ */
/*
 * Load a new IV into an open cipher handle.  Returns the raw libgcrypt
 * status (0 on success).  The three separator lines in the debug log are
 * kept as-is; the IV dump that used to sit between them was disabled
 * with #if 0 for years and has been dropped.
 */
int
ssl_cipher_setiv(SSL_CIPHER_CTX *cipher, unsigned char* iv, int iv_len)
{
    int ret;

    ssl_debug_printf("--------------------------------------------------------------------");
    ssl_debug_printf("--------------------------------------------------------------------");
    ret = gcry_cipher_setiv(*cipher, iv, iv_len);
    ssl_debug_printf("--------------------------------------------------------------------");
    return ret;
}
3588/* stream cipher abstraction layer*/
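/*
 * Open a libgcrypt cipher handle for algo in the given mode and load the
 * key sk (and, for CBC, the IV).  Returns 0 on success, -1 on failure.
 *
 * algo == -1 selects the NULL cipher: *cipher is set to the sentinel
 * (gcry_cipher_hd_t)-1 that ssl_cipher_decrypt() and ssl_cipher_cleanup()
 * recognise, and no libgcrypt handle is created.
 *
 * mode indexes gcry_modes[] and is range-checked before use.  If a step
 * fails after gcry_cipher_open() succeeded, the handle is closed and
 * *cipher reset to NULL so the caller neither leaks it nor keeps a
 * half-initialised handle (previously -1 was returned with the open
 * handle still stored in *cipher).  AEAD modes get their nonce later,
 * not here.
 */
static int
ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
        unsigned char* iv, int mode)
{
    static const int gcry_modes[] = {
        GCRY_CIPHER_MODE_STREAM,
        GCRY_CIPHER_MODE_CBC,
        GCRY_CIPHER_MODE_GCM,
        GCRY_CIPHER_MODE_CCM,
        GCRY_CIPHER_MODE_CCM,
        GCRY_CIPHER_MODE_POLY1305,
        GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
    };

    if (algo == -1) {
        /* NULL mode */
        *cipher = (gcry_cipher_hd_t)-1;
        return 0;
    }
    if (mode < 0 || (size_t)mode >= sizeof gcry_modes / sizeof gcry_modes[0])
        return -1;

    if (gcry_cipher_open(cipher, algo, gcry_modes[mode], 0) != 0)
        return -1;
    if (gcry_cipher_setkey(*cipher, sk, gcry_cipher_get_algo_keylen(algo)) != 0)
        goto fail;
    /* AEAD cipher suites will set the nonce later. */
    if (mode == MODE_CBC &&
        gcry_cipher_setiv(*cipher, iv, gcry_cipher_get_algo_blklen(algo)) != 0)
        goto fail;
    return 0;

fail:
    gcry_cipher_close(*cipher);
    *cipher = NULL;
    return -1;
}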
/*
 * Decrypt inl bytes from in into out (capacity outl).  For the NULL
 * cipher sentinel the plaintext is simply copied, clipped to the smaller
 * of the two lengths, and 0 is returned; otherwise the libgcrypt status
 * is returned directly.
 */
static inline int
ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
                   const unsigned char * in, int inl)
{
    if (*cipher != (gcry_cipher_hd_t)-1)
        return gcry_cipher_decrypt(*cipher, out, outl, in, inl);

    /* NULL cipher: pass-through */
    if (in != NULL && inl != 0) {
        const int n = inl < outl ? inl : outl;
        memcpy(out, in, n);
    }
    return 0;
}
/* Resolve a libgcrypt digest name (e.g. "SHA256") to its GCRY_MD_* id;
 * returns 0 for an unknown name. */
static inline int
ssl_get_digest_by_name(const char*name)
{
    return gcry_md_map_name(name);
}
/* Resolve a libgcrypt cipher name (see the ciphers[] table) to its
 * GCRY_CIPHER_* id; returns 0 for an unknown name. */
static inline int
ssl_get_cipher_by_name(const char* name)
{
    return gcry_cipher_map_name(name);
}
3644
/*
 * Close a cipher handle created by ssl_cipher_init() and clear *cipher.
 * The NULL-cipher sentinel (gcry_cipher_hd_t)-1 owns no libgcrypt state
 * and is just cleared.
 */
static inline void
ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
{
    gcry_cipher_hd_t handle = *cipher;

    *cipher = NULL;
    if (handle != (gcry_cipher_hd_t)-1)
        gcry_cipher_close(handle);
}
3652/* }}} */
3653
3654/* Digests, Ciphers and Cipher Suites registry {{{ */
/* Digest table indexed by (dig - DIG_MD5), see ssl_cipher_suite_dig().
 * Each entry is {name, digest length in bytes}.  The largest length here
 * (SHA384, 48) must stay in sync with DIGEST_MAX_SIZE below; the last
 * entry is the "Not Applicable" fallback selected for DIG_NA or an
 * out-of-range dig value. */
static const SslDigestAlgo digests[]={
    {"MD5", 16},
    {"SHA1", 20},
    {"SHA256", 32},
    {"SHA384", 48},
    {"SM3", 32},
    {"Not Applicable", 0},
};
3663
3664#define DIGEST_MAX_SIZE48 48
3665
3666/* get index digest index */
/*
 * Return the digest descriptor for a cipher suite.  A NULL suite or a
 * dig value outside DIG_MD5..DIG_NA yields the "Not Applicable" entry,
 * so the result is never NULL and the index never leaves digests[].
 */
static const SslDigestAlgo *
ssl_cipher_suite_dig(const SslCipherSuite *cs) {
    int idx = DIG_NA - DIG_MD5;   /* "Not Applicable" fallback */

    if (cs != NULL && cs->dig >= DIG_MD5 && cs->dig <= DIG_NA)
        idx = cs->dig - DIG_MD5;
    return &digests[idx];
}
3674
/* libgcrypt cipher names in ENC_* order: ENC_DES (0x30) is index 0 and
 * ENC_NULL (0x3D) lands on "*UNKNOWN*" (index 13), so a NULL-cipher
 * suite presumably never reaches gcry_cipher_map_name() (the index
 * arithmetic is not in this section).  Names are resolved with
 * ssl_get_cipher_by_name(); "SM1" has no libgcrypt implementation, so
 * it can only ever map to an unknown cipher. */
static const char *ciphers[]={
    "DES",
    "3DES",
    "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
    "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
    "IDEA",
    "AES",
    "AES256",
    "CAMELLIA128",
    "CAMELLIA256",
    "SEED",
    "CHACHA20", /* since Libgcrypt 1.7.0 */
    "SM1",
    "SM4",
    "*UNKNOWN*"
};
3691
3692static const SslCipherSuite cipher_suites[]={
3693 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3694 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3695 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3696 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3697 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3698 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3699 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3700 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3701 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3702 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3703 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3704 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3705 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3706 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3707 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3708 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3709 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3710 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3711 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3712 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3713 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3714 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3715 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3716 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3717 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3718 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3719 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3720 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3721 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3722 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3723 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3724 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3725 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3726 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3727 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3728 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3729 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3730 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3731 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3732 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3733 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3734 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3735 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3736 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3737 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3738 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3739 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3740 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3741 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3742 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3743 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3744 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3745 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3746 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3747 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3748 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3749 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3750 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3751 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3752 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3753 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3754 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3755 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3756 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3757 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3758 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3759 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3760 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3761 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3762 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3763 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3764 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3765 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3766 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3767 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3768 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3769 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3770 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3771 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3772 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3773 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3774 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3775 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3776 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3777 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3778 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3779 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3780 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3781 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3782 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3783 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3784 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3785 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3786 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3787 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3788 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3789 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3790 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3791 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3792 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3793 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3794 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3795 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3796 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3797 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3798 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3799 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3800 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3801 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3802 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3803 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3804 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3805 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3806 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3807 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3808 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3809 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3810 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3811 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3812 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3813 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3814 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3815 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3816 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3817 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3818 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3819 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3820 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3821 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3822 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3823 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3824 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3825 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3826 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3827
3828 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3829 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3830 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3831 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3832 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3833 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3834 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3835
3836 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3837 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3838 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3839 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3840 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3841 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3842 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3843 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3844 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3845 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3846 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3847 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3848 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3849 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3850 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3851 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3852 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3853 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3854 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3855 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3856 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3857 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3858 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3859 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3860 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3861 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3862 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3863 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3864 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3865 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3866 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3867 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3868 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3869 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3870 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3871 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3872 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3873 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3874 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3875 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3876 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3877 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3878 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3879 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3880 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3881 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3882 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3883 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3884 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3885 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3886 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3887 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3888 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3889 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3890 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3891 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3892 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3893 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3894 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3895 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3896 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3897 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3898 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3899 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3900 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3901 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3902 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3903 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3904 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3905 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3906 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3907 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3908 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3909 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3910 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3911 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3912 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3913 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3914 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3915 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3916 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3917 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3918 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3919 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3920 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3921 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3922 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3923 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3924 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3925 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3926 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3927 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3928 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3929 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3930 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3931 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3932 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3933 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3934 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3935 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3936 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3937 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3938 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3939 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3940 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3941 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3942 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3943 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3944 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3945 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3946 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3947 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3948 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3949 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3950 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3951 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3952 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3953 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3954 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3955 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3956 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3957 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3958 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3959 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3960 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3961 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3962 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3963 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3964 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3965 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3966 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3967 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3968 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3969 /* GM */
3970 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3971 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3972 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3973 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3974 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3975 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3976 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3977 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3978 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3979 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3980 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3981 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3982 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3983 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3984 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3985 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3986 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3987 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3988 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3989 {-1, 0, 0, 0, MODE_STREAM}
3990};
3991
3992#define MAX_BLOCK_SIZE16 16
3993#define MAX_KEY_SIZE32 32
3994
/*
 * Look up a cipher suite by its IANA number in the static registry.
 *
 * @param num  Cipher suite number as sent on the wire (e.g. 0xC02F).
 * @return     Pointer to the matching registry entry, or NULL when the
 *             number is unknown. The entry is static and must not be freed.
 */
const SslCipherSuite *
ssl_find_cipher(int num)
{
    /* The registry ends with a sentinel entry whose number is -1,
     * so a plain forward scan is enough. */
    const SslCipherSuite *entry = cipher_suites;

    while (entry->number != -1) {
        if (entry->number == num) {
            return entry;
        }
        entry++;
    }

    return NULL;
}
4007
/*
 * Map a registry entry's ENC_* code to the libgcrypt cipher algorithm id.
 *
 * @param cipher_suite  Registry entry; its enc field indexes the ciphers[]
 *                      name table relative to ENC_START (no bounds check —
 *                      entries are expected to come from the static table).
 * @return              Whatever gcry_cipher_map_name() returns for that
 *                      name (0 when libgcrypt does not know it).
 */
int
ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
{
    const char *cipher_name = ciphers[cipher_suite->enc - ENC_START];

    return gcry_cipher_map_name(cipher_name);
}
4013
/*
 * Return the cipher block length for CBC-mode suites.
 *
 * @param cipher_suite  Registry entry to inspect.
 * @return              Block length in bytes for MODE_CBC suites, 0 for
 *                      every other mode.
 *
 * NOTE(review): the algorithm id is resolved through ssl_get_cipher_by_name()
 * here, whereas ssl_get_cipher_algo() calls gcry_cipher_map_name() directly
 * on the same name table — confirm the two lookups are meant to differ.
 */
unsigned
ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
{
    if (cipher_suite->mode == MODE_CBC) {
        int algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START]);
        return (unsigned)gcry_cipher_get_algo_blklen(algo);
    }

    return 0;
}
4022
/*
 * Length in bytes of the "key material" for export-grade cipher suites.
 *
 * @param cipher_suite_num  Cipher suite number as sent on the wire.
 * @return                  Key material length for the export suites listed
 *                          below, 0 for any other suite.
 */
static unsigned
ssl_get_cipher_export_keymat_size(int cipher_suite_num)
{
    static const struct {
        int      num;
        unsigned keymat_len;
    } export_keymat[] = {
        /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
        { 0x0003, 5 }, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
        { 0x0006, 5 }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
        { 0x0008, 5 }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
        { 0x000B, 5 }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
        { 0x000E, 5 }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
        { 0x0011, 5 }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
        { 0x0014, 5 }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
        { 0x0017, 5 }, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
        { 0x0019, 5 }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */

        /* Not defined in the draft below, but "implemented by several vendors",
         * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
        { 0x0060, 7 }, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
        { 0x0061, 7 }, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */

        /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
         * used 7. Until a pcap proves 8, keep the old value. Link:
         * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
        { 0x0062, 7 }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
        { 0x0063, 7 }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
        { 0x0064, 7 }, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
        { 0x0065, 7 }, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
    };

    for (size_t i = 0; i < sizeof export_keymat / sizeof export_keymat[0]; i++) {
        if (export_keymat[i].num == cipher_suite_num) {
            return export_keymat[i].keymat_len;
        }
    }

    /* Anything not listed above is not an export suite. */
    return 0;
}
4058
4059/* Digests, Ciphers and Cipher Suites registry }}} */
4060
4061
4062/* HMAC and the Pseudorandom function {{{ */
/*
 * P_hash from RFC 2246 section 5 ('+' is concatenation):
 *   P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
 *                          HMAC_hash(secret, A(2) + seed) + ...
 *   A(0) = seed, A(i) = HMAC_hash(secret, A(i - 1))
 *
 * Writes exactly out_len bytes of HMAC-<md> output into out->data, which the
 * caller must already have sized to at least out_len bytes, and sets
 * out->data_len. Returns 0 on success, -1 if the HMAC context cannot be
 * created (in which case out is untouched).
 */
static int
tls_hash(StringInfo *secret, StringInfo *seed, int md,
         StringInfo *out, unsigned out_len)
{
    uint8_t  a_buf[DIGEST_MAX_SIZE];
    uint8_t  block[DIGEST_MAX_SIZE];
    uint8_t *a_cur;
    unsigned a_len;
    uint8_t *dst = out->data;
    unsigned remaining = out_len;
    SSL_HMAC hm;

    ssl_print_string("tls_hash: hash secret", secret);
    ssl_print_string("tls_hash: hash seed", seed);

    /* A(0) = seed */
    a_cur = seed->data;
    a_len = seed->data_len;

    if (ssl_hmac_init(&hm, md) != 0)
        return -1;

    while (remaining > 0) {
        unsigned block_len;

        /* A(i) = HMAC_hash(secret, A(i-1)) */
        ssl_hmac_setkey(&hm, secret->data, secret->data_len);
        ssl_hmac_update(&hm, a_cur, a_len);
        a_len = sizeof(a_buf); /* upper bound for the digest size */
        ssl_hmac_final(&hm, a_buf, &a_len);
        a_cur = a_buf;

        /* HMAC_hash(secret, A(i) + seed) */
        ssl_hmac_reset(&hm);
        ssl_hmac_setkey(&hm, secret->data, secret->data_len);
        ssl_hmac_update(&hm, a_cur, a_len);
        ssl_hmac_update(&hm, seed->data, seed->data_len);
        block_len = sizeof(block); /* upper bound for the digest size */
        ssl_hmac_final(&hm, block, &block_len);
        ssl_hmac_reset(&hm);

        /* ssl_hmac_final stores the real digest size in block_len; only the
         * part that is still needed is copied out. */
        if (block_len > remaining)
            block_len = remaining;
        memcpy(dst, block, block_len);
        dst += block_len;
        remaining -= block_len;
    }
    ssl_hmac_cleanup(&hm);
    out->data_len = out_len;

    ssl_print_string("hash out", out);
    return 0;
}
4122
/*
 * TLS 1.0/1.1 PRF (RFC 2246 section 5): the secret is split into two halves
 * (overlapping by one byte when the length is odd), each half feeds P_MD5
 * resp. P_SHA1 with seed = usage + rnd1 + rnd2, and the two streams are
 * XORed together.
 *
 * out->data must already hold room for out_len bytes; on success it is
 * filled and out->data_len is set. rnd2 may be NULL. Returns false when a
 * temporary buffer cannot be allocated or a hash context fails, in which
 * case out is left unchanged. All temporaries are released on every path.
 */
static bool
tls_prf(StringInfo* secret, const char *usage,
        StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
{
    StringInfo seed, sha_out, md5_out, s1, s2;
    const size_t usage_len = strlen(usage);
    const size_t rnd2_len = rnd2 ? rnd2->data_len : 0;
    unsigned half_len;
    unsigned i;
    bool ok = false;

    /* Output buffers for the two P_hash streams (at least one digest each). */
    if (ssl_data_alloc(&sha_out, MAX(out_len, 20)) < 0) {
        ssl_debug_printf("tls_prf: can't allocate sha out\n");
        return false;
    }
    if (ssl_data_alloc(&md5_out, MAX(out_len, 16)) < 0) {
        ssl_debug_printf("tls_prf: can't allocate md5 out\n");
        goto cleanup_sha;
    }
    if (ssl_data_alloc(&seed, usage_len + rnd1->data_len + rnd2_len) < 0) {
        ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
                (int) (usage_len + rnd1->data_len + rnd2_len));
        goto cleanup_md5;
    }

    /* seed = usage + rnd1 [+ rnd2] */
    memcpy(seed.data, usage, usage_len);
    memcpy(seed.data + usage_len, rnd1->data, rnd1->data_len);
    if (rnd2_len > 0)
        memcpy(seed.data + usage_len + rnd1->data_len, rnd2->data, rnd2->data_len);

    /* S1 = first ceil(len/2) bytes, S2 = last ceil(len/2) bytes. */
    half_len = (secret->data_len + 1) / 2;
    if (ssl_data_alloc(&s1, half_len) < 0) {
        ssl_debug_printf("tls_prf: can't allocate secret %d\n", half_len);
        goto cleanup_seed;
    }
    if (ssl_data_alloc(&s2, half_len) < 0) {
        ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", half_len);
        goto cleanup_s1;
    }
    memcpy(s1.data, secret->data, half_len);
    memcpy(s2.data, secret->data + (secret->data_len - half_len), half_len);

    ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
    if (tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
        goto cleanup_s2;
    ssl_debug_printf("tls_prf: tls_hash(sha)\n");
    if (tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
        goto cleanup_s2;

    /* PRF = P_MD5(S1, seed) XOR P_SHA1(S2, seed) */
    for (i = 0; i < out_len; i++)
        out->data[i] = md5_out.data[i] ^ sha_out.data[i];
    out->data_len = out_len;
    ok = true;
    ssl_print_string("PRF out", out);

cleanup_s2:
    g_free(s2.data);
cleanup_s1:
    g_free(s1.data);
cleanup_seed:
    g_free(seed.data);
cleanup_md5:
    g_free(md5_out.data);
cleanup_sha:
    g_free(sha_out.data);
    return ok;
}
4201
/*
 * TLS 1.2 PRF (RFC 5246 section 5): P_<md>(secret, usage + rnd1 + rnd2)
 * truncated to out_len bytes. out->data must already be large enough;
 * rnd2 may be NULL. Returns false if the label/seed buffer cannot be
 * allocated or the underlying P_hash fails.
 */
static bool
tls12_prf(int md, StringInfo* secret, const char* usage,
          StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
{
    StringInfo label_seed;
    const size_t usage_len = strlen(usage);
    const size_t rnd2_len = rnd2 ? rnd2->data_len : 0;
    uint8_t *p;
    bool ok;

    if (ssl_data_alloc(&label_seed, usage_len + rnd1->data_len + rnd2_len) < 0) {
        ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
        return false;
    }

    /* label_seed = usage + rnd1 [+ rnd2] */
    p = label_seed.data;
    memcpy(p, usage, usage_len);
    p += usage_len;
    memcpy(p, rnd1->data, rnd1->data_len);
    p += rnd1->data_len;
    if (rnd2_len > 0)
        memcpy(p, rnd2->data, rnd2->data_len);

    ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
    ok = (tls_hash(secret, &label_seed, md, out, out_len) == 0);
    g_free(label_seed.data);

    if (ok)
        ssl_print_string("PRF out", out);
    return ok;
}
4230
/*
 * SSL 3.0 export cipher IV: MD5(r1 + r2) truncated to out_len bytes
 * (RFC 6101 section 6.2.2). out_len must not exceed the 16-byte MD5 digest;
 * this is asserted after the context has been released so a failing
 * assertion does not leak the hash handle. Returns false only if the MD5
 * context cannot be created.
 */
static bool
ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
                        StringInfo *out, unsigned out_len)
{
    SSL_MD5_CTX md5;
    uint8_t digest[16];

    if (ssl_md5_init(&md5) != 0)
        return false;
    ssl_md5_update(&md5, r1->data, r1->data_len);
    ssl_md5_update(&md5, r2->data, r2->data_len);
    ssl_md5_final(digest, &md5);
    ssl_md5_cleanup(&md5);

    DISSECTOR_ASSERT(out_len <= sizeof(digest));
    ssl_data_set(out, digest, out_len);
    ssl_print_string("export iv", out);
    return true;
}
4251
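/*
 * SSL 3.0 key derivation (RFC 6101 section 6.1 / 6.2.2): for round i
 *   MD5(secret + SHA1(label_i + secret + rnd...)), label_i = "A", "BB", "CCC", ...
 * producing 16 bytes per round until out_len bytes are written into
 * out->data (which the caller must have sized accordingly).
 *
 * The order of the randoms depends on usage: for "client write key" and
 * "server write key" the server random comes first. rnd2 may be NULL.
 *
 * The round label is built in a 20-byte buffer, so at most 20 rounds
 * (320 output bytes) can be produced; out_len is checked against that bound
 * before any hash context exists, so the assertion cannot leak one.
 * Returns false if a hash context cannot be created.
 */
static bool
ssl3_prf(StringInfo* secret, const char* usage,
         StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
{
    SSL_MD5_CTX md5;
    SSL_SHA_CTX sha;
    uint8_t buf[20]; /* round label, then reused for the SHA-1 digest */
    unsigned off;
    int round = 0;
    bool key_usage;

    /* Each 16-byte block costs one round and round i writes i label bytes
     * into buf, so out_len must fit in 16 * sizeof(buf) bytes. */
    DISSECTOR_ASSERT(out_len <= 16 * sizeof(buf));

    key_usage = !strcmp(usage, "client write key") || !strcmp(usage, "server write key");

    if (ssl_sha_init(&sha) != 0)
        return false;
    if (ssl_md5_init(&md5) != 0) {
        ssl_sha_cleanup(&sha);
        return false;
    }

    for (off = 0; off < out_len; off += 16) {
        unsigned char outbuf[16];
        int j;

        round++;
        ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n", round);
        /* Label: 'A' repeated once, 'B' twice, 'C' three times, ... */
        for (j = 0; j < round; j++)
            buf[j] = 64 + round;

        ssl_sha_update(&sha, buf, round);
        ssl_sha_update(&sha, secret->data, secret->data_len);
        if (key_usage) {
            if (rnd2)
                ssl_sha_update(&sha, rnd2->data, rnd2->data_len);
            ssl_sha_update(&sha, rnd1->data, rnd1->data_len);
        } else {
            ssl_sha_update(&sha, rnd1->data, rnd1->data_len);
            if (rnd2)
                ssl_sha_update(&sha, rnd2->data, rnd2->data_len);
        }
        ssl_sha_final(buf, &sha);
        ssl_sha_reset(&sha);

        ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n", round,
                secret->data_len);
        ssl_md5_update(&md5, secret->data, secret->data_len);
        ssl_md5_update(&md5, buf, 20);
        ssl_md5_final(outbuf, &md5);
        ssl_md5_reset(&md5);

        /* The last block may be partial. */
        memcpy(out->data + off, outbuf, MIN(out_len - off, 16));
    }
    ssl_sha_cleanup(&sha);
    ssl_md5_cleanup(&md5);
    out->data_len = out_len;

    return true;
}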
4311
/*
 * Dispatches to the PRF matching the negotiated (D)TLS version:
 * SSL 3.0 -> ssl3_prf, (D)TLS 1.0/1.1 -> tls_prf (MD5/SHA-1 split PRF),
 * anything else (TLS 1.2 and DTLS 1.2) -> tls12_prf with the suite's hash
 * (SHA-384 or SM3 where the suite says so, SHA-256 otherwise).
 *
 * out_len is the wanted output length; out->data must already be sized for
 * it. ssl->cipher_suite must be set before calling. Returns false when the
 * PRF fails or SM3 is requested but libgcrypt is too old to provide it.
 */
static bool
prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
    StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
{
    int md;

    if (ssl->session.version == SSLV3_VERSION)
        return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);

    if (ssl->session.version == TLSV1_VERSION ||
        ssl->session.version == TLSV1DOT1_VERSION ||
        ssl->session.version == DTLSV1DOT0_VERSION ||
        ssl->session.version == DTLSV1DOT0_OPENSSL_VERSION)
        return tls_prf(secret, usage, rnd1, rnd2, out, out_len);

    /* TLS 1.2 / DTLS 1.2: the PRF hash is chosen by the cipher suite. */
    switch (ssl->cipher_suite->dig) {
    case DIG_SM3:
#if GCRYPT_VERSION_NUMBER >= 0x010900
        md = GCRY_MD_SM3;
        break;
#else
        return false;
#endif
    case DIG_SHA384:
        md = GCRY_MD_SHA384;
        break;
    default:
        md = GCRY_MD_SHA256;
        break;
    }
    return tls12_prf(md, secret, usage, rnd1, rnd2, out, out_len);
}
4346
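/*
 * Handshake hash for the SSL 3.0 / TLS 1.0-1.1 extended master secret:
 * MD5(handshake_data) || SHA-1(handshake_data), 36 bytes. The result is
 * placed in a fresh g_malloc'd buffer in 'out' which the caller owns and
 * releases with g_free().
 *
 * Returns 0 on success and -1 on failure. On failure 'out' is reset to
 * (NULL, 0): the buffer allocated here used to leak when a hash context
 * could not be created, which is what the static analyzer reported against
 * the caller.
 */
static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
{
    SSL_MD5_CTX md5;
    SSL_SHA_CTX sha;

    if (ssl_data_alloc(out, 36) < 0)
        return -1;

    if (ssl_md5_init(&md5) != 0)
        goto fail;
    ssl_md5_update(&md5, ssl->handshake_data.data, ssl->handshake_data.data_len);
    ssl_md5_final(out->data, &md5);
    ssl_md5_cleanup(&md5);

    if (ssl_sha_init(&sha) != 0)
        goto fail;
    ssl_sha_update(&sha, ssl->handshake_data.data, ssl->handshake_data.data_len);
    ssl_sha_final(out->data + 16, &sha);
    ssl_sha_cleanup(&sha);
    return 0;

fail:
    /* ssl_data_alloc buffers are g_malloc'd (see tls_prf); give it back so
     * the caller has nothing dangling to free on the error path. */
    g_free(out->data);
    out->data = NULL;
    out->data_len = 0;
    return -1;
}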
4368
/*
 * TLS 1.2 handshake hash for the extended master secret: <md>(handshake_data)
 * using the cipher suite's PRF hash. The digest is computed into a stack
 * buffer first, so nothing is allocated unless hashing succeeded; on success
 * 'out' receives a g_malloc'd copy of exactly the digest length (caller
 * frees). Returns 0 on success, -1 on failure.
 */
static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
{
    SSL_MD mc;
    uint8_t digest[48]; /* large enough for SHA-384 */
    unsigned digest_len;

    if (ssl_md_init(&mc, md) != 0)
        return -1;
    ssl_md_update(&mc, ssl->handshake_data.data, ssl->handshake_data.data_len);
    ssl_md_final(&mc, digest, &digest_len);
    ssl_md_cleanup(&mc);

    if (ssl_data_alloc(out, digest_len) < 0)
        return -1;
    memcpy(out->data, digest, digest_len);
    return 0;
}
4386
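/*
 * Loads the user-configured pre-shared key (hex string from the
 * ssl.psk/dtls.psk preference) into tls_session->psk, replacing any
 * previously loaded value.
 *
 * Returns false, leaving tls_session->psk empty, when the preference is
 * unset or empty, is not valid hex, or is too long to be encoded in the
 * 16-bit length field of the PSK pre-master secret that
 * ssl_generate_pre_master_secret() builds from it (RFC 4279 section 2).
 */
bool
tls_load_psk(SslDecryptSession* tls_session, const char *tls_psk)
{
    /* psk_len is serialized as two bytes, so 2^16 - 1 is the largest
     * representable length. */
    const unsigned psk_max_len_exclusive = 1u << 16;

    if (!tls_psk || (tls_psk[0] == 0)) {
        ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC);
        return false;
    }

    wmem_free(wmem_file_scope(), tls_session->psk.data);
    /* convert hex string into char*/
    if (!from_hex(&tls_session->psk, tls_psk, strlen(tls_psk))) {
        ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
                         G_STRFUNC);
        return false;
    }

    if (tls_session->psk.data_len >= psk_max_len_exclusive) {
        /* The message previously said 2^15 - 1 while the check rejected
         * >= 2^16; the check matches the wire format, so the text was fixed. */
        ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^16 - 1\n",
                         G_STRFUNC);
        wmem_free(wmem_file_scope(), tls_session->psk.data);
        tls_session->psk.data = NULL;
        tls_session->psk.data_len = 0;
        return false;
    }

    return true;
}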
4414
/**
 * Returns the label prefix for HKDF-Expand-Label: "TLS 1.3, " for TLS 1.3
 * drafts before 20, "dtls13" for DTLS 1.3 (RFC 9147) and "tls13 " (RFC 8446)
 * otherwise. Can be inlined and removed once draft 19 and earlier support
 * is dropped.
 */
static inline const char *
tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
{
    const unsigned draft = ssl_session->session.tls13_draft_version;

    if (draft != 0 && draft < 20)
        return "TLS 1.3, ";
    if (ssl_session->session.version == DTLSV1DOT3_VERSION)
        return "dtls13";
    return "tls13 ";
}
4430
/*
 * Computes HKDF-Expand-Label(Secret, Label, Context, Length) with a custom
 * label prefix (RFC 8446 section 7.1, RFC 5869 HKDF-Expand):
 *   struct {
 *       uint16 length = Length;
 *       opaque label<7..255> = label_prefix + Label;
 *       opaque context<0..255> = Context;
 *   } HkdfLabel;
 *
 * context_hash may be NULL with context_length 0 for an empty context;
 * otherwise it must hold context_length bytes (the hash output). On success
 * *out points to a wmem_alloc(NULL, out_len) buffer the caller must free
 * with wmem_free(NULL, ...); on failure *out is NULL and false is returned.
 */
bool
tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
                                const char *label_prefix, const char *label,
                                const uint8_t *context_hash, uint8_t context_length,
                                uint16_t out_len, unsigned char **out)
{
    const unsigned prefix_len = (unsigned) strlen(label_prefix);
    const unsigned label_len = (unsigned) strlen(label);
    uint8_t label_vector_len;
    uint16_t length_be;
    GByteArray *hkdf_label;
    gcry_error_t err;

    /* The label is a uint8-length-prefixed vector: non-empty and at most
     * 255 bytes including the prefix. */
    DISSECTOR_ASSERT(label_len > 0 && prefix_len + label_len <= 255);
    label_vector_len = (uint8_t)(prefix_len + label_len);

    /* info = HkdfLabel { length, label, context } */
    hkdf_label = g_byte_array_new();
    length_be = g_htons(out_len);
    g_byte_array_append(hkdf_label, (const uint8_t *)&length_be, sizeof(length_be));
    g_byte_array_append(hkdf_label, &label_vector_len, 1);
    g_byte_array_append(hkdf_label, (const uint8_t *)label_prefix, prefix_len);
    g_byte_array_append(hkdf_label, (const uint8_t *)label, label_len);
    g_byte_array_append(hkdf_label, &context_length, 1);
    if (context_length > 0)
        g_byte_array_append(hkdf_label, context_hash, context_length);

    *out = (unsigned char *)wmem_alloc(NULL, out_len);
    err = hkdf_expand(md, secret->data, secret->data_len,
                      hkdf_label->data, hkdf_label->len, *out, out_len);
    g_byte_array_free(hkdf_label, true);

    if (err) {
        ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC, md, gcry_strerror(err));
        wmem_free(NULL, *out);
        *out = NULL;
        return false;
    }

    return true;
}
4489
/*
 * HKDF-Expand-Label with an empty context; see
 * tls13_hkdf_expand_label_context() for the output buffer contract.
 */
bool
tls13_hkdf_expand_label(int md, const StringInfo *secret,
                        const char *label_prefix, const char *label,
                        uint16_t out_len, unsigned char **out)
{
    const uint8_t *no_context = NULL;

    return tls13_hkdf_expand_label_context(md, secret, label_prefix, label,
                                           no_context, 0, out_len, out);
}
4497
/*
 * Derive-Secret(Secret, Label, Messages) from RFC 8446 section 7.1:
 * HKDF-Expand-Label(Secret, Label, Transcript-Hash(Messages), out_len),
 * where the transcript hash of 'context' (context_length bytes) is computed
 * here with the given md. Output ownership is as in
 * tls13_hkdf_expand_label_context(). Returns false if the hash context
 * cannot be created or the expansion fails.
 */
static bool
tls13_derive_secret(int md, const StringInfo *secret,
                    const char *label_prefix, const char *label,
                    const uint8_t *context, unsigned context_length,
                    uint16_t out_len, unsigned char **out)
{
    SSL_MD mc;
    uint8_t transcript_hash[DIGEST_MAX_SIZE];
    unsigned transcript_hash_len;

    if (ssl_md_init(&mc, md) != 0)
        return false;
    ssl_md_update(&mc, context, context_length);
    ssl_md_final(&mc, transcript_hash, &transcript_hash_len);
    ssl_md_cleanup(&mc);

    return tls13_hkdf_expand_label_context(md, secret, label_prefix, label,
                                           transcript_hash, transcript_hash_len,
                                           out_len, out);
}
4516
4517/* HMAC and the Pseudorandom function }}} */
4518
4519/* Record Decompression (after decryption) {{{ */
4520#ifdef USE_ZLIB_OR_ZLIBNG
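/* memory allocation functions for zlib initialization */

/*
 * zlib zalloc callback: zero-initialized allocation of 'no' items of 'size'
 * bytes. g_malloc0_n() checks the item count * size product for overflow
 * (aborting instead of returning an undersized buffer), whereas the plain
 * no*size multiplication in unsigned int could wrap silently.
 */
static void* ssl_zalloc(void* opaque _U_, unsigned int no, unsigned int size)
{
    return g_malloc0_n(no, size);
}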
/* zlib zfree callback, the counterpart of ssl_zalloc (g_free accepts NULL). */
static void ssl_zfree(void* opaque _U_, void* addr)
{
    void *p = addr;

    g_free(p);
}
4530#endif /* USE_ZLIB_OR_ZLIBNG */
4531
/*
 * Creates the record decompressor for a negotiated compression method.
 * Returns NULL for method 0 (none), for any unsupported method, and when
 * zlib's inflateInit fails. The SslDecompress object lives in file scope;
 * on an inflateInit failure it is simply left to the scope's cleanup (no
 * inflateEnd is needed since the stream was never set up).
 */
static SslDecompress*
ssl_create_decompressor(int compression)
{
    SslDecompress *decomp;

    if (compression == 0)
        return NULL;
    ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
    decomp = wmem_new(wmem_file_scope(), SslDecompress);
    decomp->compression = compression;

#ifdef USE_ZLIB_OR_ZLIBNG
    if (decomp->compression == 1) { /* DEFLATE */
        int err;

        decomp->istream.zalloc = ssl_zalloc;
        decomp->istream.zfree = ssl_zfree;
        decomp->istream.opaque = Z_NULL;
        decomp->istream.next_in = Z_NULL;
        decomp->istream.next_out = Z_NULL;
        decomp->istream.avail_in = 0;
        decomp->istream.avail_out = 0;
        err = ZLIB_PREFIX(inflateInit)(&decomp->istream);
        if (err != Z_OK) {
            ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
            return NULL;
        }
        return decomp;
    }
#endif /* USE_ZLIB_OR_ZLIBNG */

    ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
    return NULL;
}
4567
4568#ifdef USE_ZLIB_OR_ZLIBNG
/*
 * Inflates one decrypted DEFLATE-compressed record (inl bytes at 'in') into
 * out_str, growing out_str to the maximal TLSPlaintext length (16384) first
 * so one call can hold a whole record. *outl receives the number of bytes
 * produced. Returns 0 on success and -1 for unsupported methods or when
 * inflate() reports anything other than Z_OK. An empty input succeeds with
 * *outl == 0.
 */
static int
ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
{
    if (decomp->compression != 1) { /* only DEFLATE is supported */
        ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
        return -1;
    }

    /* maximal plain length */
    if (out_str->data_len < 16384)
        ssl_data_realloc(out_str, 16384);

#ifdef z_const
    decomp->istream.next_in = in;
#else
DIAG_OFF(cast-qual)
    decomp->istream.next_in = (Bytef *)in;
DIAG_ON(cast-qual)
#endif
    decomp->istream.avail_in = inl;
    decomp->istream.next_out = out_str->data;
    decomp->istream.avail_out = out_str->data_len;

    if (inl > 0) {
        int err = ZLIB_PREFIX(inflate)(&decomp->istream, Z_SYNC_FLUSH);
        if (err != Z_OK) {
            ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
            return -1;
        }
    }
    *outl = out_str->data_len - decomp->istream.avail_out;
    return 0;
}
4604#else /* USE_ZLIB_OR_ZLIBNG */
/* Without zlib no compression method can be handled: always fails. */
int
ssl_decompress_record(SslDecompress* decomp _U_, const unsigned char* in _U_, unsigned inl _U_, StringInfo* out_str _U_, unsigned* outl _U_)
{
    const int method = decomp->compression;

    ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", method);
    return -1;
}
4611#endif /* USE_ZLIB_OR_ZLIBNG */
4612/* Record Decompression (after decryption) }}} */
4613
4614/* Create a new structure to store decrypted chunks. {{{ */
/*
 * Allocates a new per-direction flow record (file scope) with a zero byte
 * sequence, no flags and an empty tree of multi-segment PDUs.
 */
static SslFlow*
ssl_create_flow(void)
{
    SslFlow *flow = wmem_new(wmem_file_scope(), SslFlow);

    flow->byte_seq = 0;
    flow->flags = 0;
    flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
    return flow;
}
4626/* }}} */
4627
4628/* Use the negotiated security parameters for decryption. {{{ */
/*
 * Activates the pending decoder for one direction (ChangeCipherSpec):
 * the *_new decoder becomes the current one and the pending slot is
 * cleared. If no pending decoder exists (e.g. a retransmitted CCS) the
 * current decoder is kept unchanged.
 */
void
ssl_change_cipher(SslDecryptSession *ssl_session, bool server)
{
    SslDecoder **pending;
    SslDecoder **current;

    if (server) {
        pending = &ssl_session->server_new;
        current = &ssl_session->server;
    } else {
        pending = &ssl_session->client_new;
        current = &ssl_session->client;
    }

    ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
        *pending ? "" : " (No decoder found - retransmission?)");
    if (*pending == NULL)
        return;
    *current = *pending;
    *pending = NULL;
}
4641/* }}} */
4642
4643/* Init cipher state given some security parameters. {{{ */
4644static bool_Bool
4645ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
4646
/*
 * Builds a decoder for one direction from the negotiated suite and keying
 * material: MAC key (mk, stream/CBC suites), write key (sk), write IV (iv,
 * iv_length bytes; kept as the AEAD nonce input for GCM/CCM/Poly1305) and,
 * for DTLS 1.3, the record sequence number encryption key (sn_key, may be
 * NULL). The decoder is registered for cleanup with the file scope as soon
 * as it is allocated, so a NULL return never leaks cipher handles.
 *
 * Returns NULL if the cipher cannot be initialized or sn_key is given for
 * a cipher other than AES/ChaCha20.
 */
static SslDecoder*
ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
        int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
{
    const ssl_cipher_mode_t mode = cipher_suite->mode;
    const bool is_aead = (mode == MODE_GCM || mode == MODE_CCM ||
                          mode == MODE_CCM_8 || mode == MODE_POLY1305);
    SslDecoder *dec = wmem_new0(wmem_file_scope(), SslDecoder);

    /* The MAC key / write IV storage is embedded in the decoder struct to
     * save a separate allocation. */
    dec->cipher_suite = cipher_suite;
    dec->compression = compression;
    if (mode == MODE_CBC || (mode == MODE_STREAM && mk != NULL)) {
        // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
        // the special case for NULL ciphers: even with insufficient keying
        // material (including the MAC key) a decoder is still created, since
        // "decryption" is trivial for them.
        dec->mac_key.data = dec->_mac_key_or_write_iv;
        ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
    } else if (is_aead) {
        // Input for the nonce, to be used with AEAD ciphers.
        DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv));
        dec->write_iv.data = dec->_mac_key_or_write_iv;
        ssl_data_set(&dec->write_iv, iv, iv_length);
    }
    dec->seq = 0;
    dec->decomp = ssl_create_decompressor(compression);
    wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);

    if (ssl_cipher_init(&dec->evp, cipher_algo, sk, iv, cipher_suite->mode) < 0) {
        ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC,
            cipher_algo, cipher_suite->mode);
        return NULL;
    }

    dec->sn_evp = NULL;
    if (cipher_suite->enc != ENC_NULL && sn_key != NULL) {
        /* DTLS 1.3 sequence number encryption: AES-ECB or raw ChaCha20. */
        ssl_cipher_mode_t sn_mode;

        if (cipher_suite->enc == ENC_AES || cipher_suite->enc == ENC_AES256) {
            sn_mode = MODE_ECB;
        } else if (cipher_suite->enc == ENC_CHACHA20) {
            sn_mode = MODE_STREAM;
        } else {
            ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
            return NULL;
        }

        if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL, sn_mode) < 0) {
            ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC,
                cipher_algo, MODE_ECB);
            ssl_cipher_cleanup(&dec->evp);
            dec->evp = NULL;
            return NULL;
        }
    }

    dec->dtls13_aad.data = NULL;
    dec->dtls13_aad.data_len = 0;
    ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
    return dec;
}
4708
/*
 * File-scope cleanup callback for a decoder: releases the record and
 * sequence-number cipher handles if they were created and ends the zlib
 * stream of a DEFLATE decompressor. Returns false so wmem does not keep the
 * callback registered.
 */
static bool
ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U_, wmem_cb_event_t event _U_, void *user_data)
{
    SslDecoder *dec = (SslDecoder *) user_data;

    if (dec->evp != NULL)
        ssl_cipher_cleanup(&dec->evp);
    if (dec->sn_evp != NULL)
        ssl_cipher_cleanup(&dec->sn_evp);

#ifdef USE_ZLIB_OR_ZLIBNG
    {
        SslDecompress *decomp = dec->decomp;
        if (decomp != NULL && decomp->compression == 1 /* DEFLATE */)
            ZLIB_PREFIX(inflateEnd)(&decomp->istream);
    }
#endif

    return false;
}
4726/* }}} */
4727
4728/* (Pre-)master secrets calculations {{{ */
4729#ifdef HAVE_LIBGNUTLS1
4730static bool_Bool
4731ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4732 StringInfo *encrypted_pre_master,
4733 GHashTable *key_hash);
4734#endif /* HAVE_LIBGNUTLS */
4735
4736static bool_Bool
4737ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
4738 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);
4739
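/*
 * Recovers the pre-master secret for a (D)TLS <= 1.2 session from the
 * ClientKeyExchange body at tvb[offset, offset+length), trying in order:
 *   1. an unencrypted PMS from the key log (mk_map->pms, keyed by the
 *      client random);
 *   2. for PSK suites, the configured ssl_psk, from which the PMS is built
 *      as in RFC 4279 section 2 (N zero bytes then the PSK, each with a
 *      2-byte length prefix);
 *   3. (with GnuTLS) RSA decryption with a matching private key;
 *   4. the key log again, keyed by the first 8 bytes of the encrypted PMS.
 *
 * Requires cipher suite, client/server random and version to be known.
 * On success the session state is updated by the helper that produced the
 * secret (for PSK: SSL_PRE_MASTER_SECRET set, SSL_MASTER_SECRET and
 * SSL_HAVE_SESSION_KEY cleared so keys are regenerated on renegotiation).
 * Returns false if nothing could be recovered or the message is malformed.
 */
bool
ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
                               uint32_t length, tvbuff_t *tvb, uint32_t offset,
                               const char *ssl_psk, packet_info *pinfo,
#ifdef HAVE_LIBGNUTLS
                               GHashTable *key_hash,
#endif
                               const ssl_master_key_map_t *mk_map)
{
    const unsigned required_state = SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION;

    /* check for required session data */
    ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
                     G_STRFUNC, ssl_session->state);
    if ((ssl_session->state & required_state) != required_state) {
        ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC,
                         required_state);
        return false;
    }

    if (ssl_session->session.version == TLSV1DOT3_VERSION) {
        ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC);
        return false;
    }

    /* check to see if the PMS was provided to us*/
    if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true,
           mk_map->pms, &ssl_session->client_random)) {
        return true;
    }

    if (ssl_session->cipher_suite->kex == KEX_PSK) {
        /* calculate pre master secret*/
        unsigned char *pms;
        unsigned psk_len, pre_master_len;

        if (!tls_load_psk(ssl_session, ssl_psk)) {
            return false;
        }
        psk_len = ssl_session->psk.data_len;

        /* RFC 4279: uint16 N, N zero octets, uint16 N, the PSK itself. */
        pre_master_len = psk_len * 2 + 4;
        pms = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
        /* 2 bytes psk_len*/
        pms[0] = psk_len >> 8;
        pms[1] = psk_len & 0xFF;
        /* psk_len bytes times 0*/
        memset(&pms[2], 0, psk_len);
        /* 2 bytes psk_len*/
        pms[psk_len + 2] = psk_len >> 8;
        pms[psk_len + 3] = psk_len & 0xFF;
        /* psk*/
        memcpy(&pms[psk_len + 4], ssl_session->psk.data, psk_len);

        ssl_session->pre_master_secret.data = pms;
        ssl_session->pre_master_secret.data_len = pre_master_len;
        /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/

        /* Remove the master secret if it was there.
           This forces keying material regeneration in
           case we're renegotiating */
        ssl_session->state &= ~(SSL_MASTER_SECRET|SSL_HAVE_SESSION_KEY);
        ssl_session->state |= SSL_PRE_MASTER_SECRET;
        return true;
    }
    else
    {
        unsigned encrlen = length, skip = 0;

        /* get encrypted data, on tls1 we have to skip two bytes
         * (it's the encrypted len and should be equal to record len - 2)
         * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
         */
        if (ssl_session->cipher_suite->kex == KEX_RSA &&
           (ssl_session->session.version == TLSV1_VERSION ||
            ssl_session->session.version == TLSV1DOT1_VERSION ||
            ssl_session->session.version == TLSV1DOT2_VERSION ||
            ssl_session->session.version == DTLSV1DOT0_VERSION ||
            ssl_session->session.version == DTLSV1DOT2_VERSION ||
            ssl_session->session.version == TLCPV1_VERSION ))
        {
            /* The body must at least hold the 2-byte length prefix. Checked
             * before computing length - 2, which would otherwise wrap around
             * for length < 2 and let any encrlen pass the bound below. */
            if (length < 2)
            {
                ssl_debug_printf("%s: message too short for encrypted length (%d)\n",
                                 G_STRFUNC, length);
                return false;
            }
            encrlen = tvb_get_ntohs(tvb, offset);
            skip = 2;
            if (encrlen > length - 2)
            {
                ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
                                 G_STRFUNC, encrlen, length);
                return false;
            }
        }
        /* the valid lower bound is higher than 8, but it is sufficient for the
         * ssl keylog file below */
        if (encrlen < 8) {
            ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
                             G_STRFUNC, encrlen);
            return false;
        }

        StringInfo encrypted_pre_master = {
            .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
            .data_len = encrlen,
        };

#ifdef HAVE_LIBGNUTLS
        /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
        if (ssl_session->cert_key_id) {
            if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
                return true;

            ssl_debug_printf("%s: can't decrypt pre-master secret\n",
                             G_STRFUNC);
        }
#endif /* HAVE_LIBGNUTLS */

        /* try to find the pre-master secret from the encrypted one. The
         * ssl key logfile stores only the first 8 bytes, so truncate it */
        encrypted_pre_master.data_len = 8;
        if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
            true, mk_map->pre_master, &encrypted_pre_master))
            return true;
    }
    return false;
}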
4867
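/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3).
 *
 * Derives the master secret when only the pre-master secret is known (plain
 * or extended master secret, depending on the session state), expands it
 * into the key block (MAC keys, write keys, write IVs / AEAD salts) and
 * installs fresh decoders in ssl_session->client_new / server_new.
 *
 * Returns 0 on success, in which case SSL_HAVE_SESSION_KEY is set in
 * ssl_session->state, and -1 when required material is missing or any
 * derivation step fails. Every heap buffer used for intermediate key
 * material is released on all paths, including early returns.
 */
int
ssl_generate_keyring_material(SslDecryptSession*ssl_session)
{
    StringInfo  key_block = { NULL, 0 };
    uint8_t     _iv_c[MAX_BLOCK_SIZE],_iv_s[MAX_BLOCK_SIZE];
    uint8_t     _key_c[MAX_KEY_SIZE],_key_s[MAX_KEY_SIZE];
    int         needed;
    int         cipher_algo = -1;   /* special value (-1) for NULL encryption */
    unsigned    encr_key_len, write_iv_len = 0;
    bool        is_export_cipher;
    uint8_t    *ptr, *c_iv = NULL, *s_iv = NULL;
    uint8_t    *c_wk = NULL, *s_wk = NULL, *c_mk = NULL, *s_mk = NULL;
    const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;

    /* (D)TLS 1.3 is handled directly in tls13_change_key. */
    if (ssl_session->session.version == TLSV1DOT3_VERSION || ssl_session->session.version == DTLSV1DOT3_VERSION) {
        ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC);
        return -1;
    }

    /* check for enough info to proceed */
    unsigned need_all = SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION;
    unsigned need_any = SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET;
    if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
        ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
                         "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
                         need_all|SSL_MASTER_SECRET, need_all|SSL_PRE_MASTER_SECRET);
        /* Special case: for NULL encryption, allow dissection of data even if
         * the Client Hello is missing (MAC keys are now skipped though). */
        need_all = SSL_CIPHER|SSL_VERSION;
        if ((ssl_session->state & need_all) == need_all &&
                cipher_suite->enc == ENC_NULL) {
            ssl_debug_printf("%s NULL cipher found, will create a decoder but "
                    "skip MAC validation as keys are missing.\n", G_STRFUNC);
            /* key_block.data stays NULL, all key pointers stay NULL. */
            goto create_decoders;
        }

        return -1;
    }

    /* if master key is not available, generate is from the pre-master secret */
    if (!(ssl_session->state & SSL_MASTER_SECRET)) {
        if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK) == SSL_EXTENDED_MASTER_SECRET_MASK) {
            /* RFC 7627: the PRF input is the handshake transcript hash instead
             * of client_random || server_random. */
            StringInfo handshake_hashed_data;
            int ret;

            handshake_hashed_data.data = NULL;
            handshake_hashed_data.data_len = 0;

            ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC);
            ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
            DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0);

            switch(ssl_session->session.version) {
            case TLSV1_VERSION:
            case TLSV1DOT1_VERSION:
            case DTLSV1DOT0_VERSION:
            case DTLSV1DOT0_OPENSSL_VERSION:
            case TLCPV1_VERSION:
                ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
                break;
            default:
                /* TLS 1.2 hashes with the suite's PRF hash (SHA-384 suites
                 * use SHA-384, everything else SHA-256). */
                switch (cipher_suite->dig) {
                case DIG_SHA384:
                    ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
                    break;
                default:
                    ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
                    break;
                }
                break;
            }
            if (ret) {
                ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC);
                /* The hash helper may already have allocated the output buffer
                 * before reporting failure; release it here so this path does
                 * not leak (g_free(NULL) is a no-op when it did not). */
                g_free(handshake_hashed_data.data);
                return -1;
            }

            wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
            ssl_session->handshake_data.data = NULL;
            ssl_session->handshake_data.data_len = 0;

            if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
                     &handshake_hashed_data,
                     NULL, &ssl_session->master_secret,
                     SSL_MASTER_SECRET_LENGTH)) {
                ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC);
                g_free(handshake_hashed_data.data);
                return -1;
            }
            g_free(handshake_hashed_data.data);
        } else {
            ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC);
            ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
            ssl_print_string("client random",&ssl_session->client_random);
            ssl_print_string("server random",&ssl_session->server_random);
            if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
                     &ssl_session->client_random,
                     &ssl_session->server_random, &ssl_session->master_secret,
                     SSL_MASTER_SECRET_LENGTH)) {
                ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC);
                return -1;
            }
        }
        ssl_print_string("master secret",&ssl_session->master_secret);

        /* the pre-master secret has been 'consumed' so we must clear it now */
        ssl_session->state &= ~SSL_PRE_MASTER_SECRET;
        ssl_session->state |= SSL_MASTER_SECRET;
    }

    /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
    if (cipher_suite->enc != ENC_NULL) {
        const char *cipher_name = ciphers[cipher_suite->enc-ENC_START];
        ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC, cipher_name);
        cipher_algo = ssl_get_cipher_by_name(cipher_name);
        if (cipher_algo == 0) {
            ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC, cipher_name);
            return -1;
        }
    }

    /* Export ciphers consume less material from the key block. */
    encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
    is_export_cipher = encr_key_len > 0;
    if (!is_export_cipher && cipher_suite->enc != ENC_NULL) {
        encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
    }

    if (cipher_suite->mode == MODE_CBC) {
        write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
    } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
        /* account for a four-byte salt for client and server side (from
         * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
        write_iv_len = 4;
    } else if (cipher_suite->mode == MODE_POLY1305) {
        /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
        write_iv_len = 12;
    }

    /* Compute the key block. First figure out how much data we need */
    needed = ssl_cipher_suite_dig(cipher_suite)->len*2;     /* MAC key  */
    needed += 2 * encr_key_len;                             /* encryption key */
    needed += 2 * write_iv_len;                             /* write IV */

    key_block.data = (unsigned char *)g_malloc(needed);
    ssl_debug_printf("%s sess key generation\n", G_STRFUNC);
    if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
            &ssl_session->server_random,&ssl_session->client_random,
            &key_block, needed)) {
        ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC);
        goto fail;
    }
    ssl_print_string("key expansion", &key_block);

    /* Carve the key block in RFC 5246 6.3 order: MAC keys, write keys, IVs. */
    ptr=key_block.data;
    /* client/server write MAC key (for non-AEAD ciphers) */
    if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
        c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
        s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
    }
    /* client/server write encryption key */
    c_wk=ptr; ptr += encr_key_len;
    s_wk=ptr; ptr += encr_key_len;
    /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
    if (write_iv_len > 0) {
        c_iv=ptr; ptr += write_iv_len;
        s_iv=ptr; /* ptr += write_iv_len; */
    }

    /* export ciphers work with a smaller key length */
    if (is_export_cipher) {
        if (cipher_suite->mode == MODE_CBC) {

            /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
               all we should need. This is a sanity check */
            if (write_iv_len > MAX_BLOCK_SIZE) {
                ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
                        G_STRFUNC, MAX_BLOCK_SIZE, write_iv_len);
                goto fail;
            }

            if(ssl_session->session.version==SSLV3_VERSION){
                /* The length of these fields are ignored by this caller */
                StringInfo iv_c, iv_s;
                iv_c.data = _iv_c;
                iv_s.data = _iv_s;

                ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC);
                if (!ssl3_generate_export_iv(&ssl_session->client_random,
                        &ssl_session->server_random, &iv_c, write_iv_len)) {
                    goto fail;
                }
                ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC);
                if (!ssl3_generate_export_iv(&ssl_session->server_random,
                        &ssl_session->client_random, &iv_s, write_iv_len)) {
                    goto fail;
                }
            }
            else{
                /* TLS 1.0 export: both IVs come from one PRF run keyed with an
                 * empty secret (key_null has data_len 0). */
                uint8_t _iv_block[MAX_BLOCK_SIZE * 2];
                StringInfo iv_block;
                StringInfo key_null;
                uint8_t _key_null;

                key_null.data = &_key_null;
                key_null.data_len = 0;

                iv_block.data = _iv_block;

                ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC);
                if (!prf(ssl_session, &key_null, "IV block",
                        &ssl_session->client_random,
                        &ssl_session->server_random, &iv_block,
                        write_iv_len * 2)) {
                    ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC);
                    goto fail;
                }

                memcpy(_iv_c, iv_block.data, write_iv_len);
                memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
            }

            c_iv=_iv_c;
            s_iv=_iv_s;
        }

        if (ssl_session->session.version==SSLV3_VERSION){

            /* SSLv3 export: final write key = MD5(write key || randoms). */
            SSL_MD5_CTX md5;
            ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC);

            if (ssl_md5_init(&md5) != 0)
                goto fail;
            ssl_md5_update(&md5,c_wk,encr_key_len);
            ssl_md5_update(&md5,ssl_session->client_random.data,
                ssl_session->client_random.data_len);
            ssl_md5_update(&md5,ssl_session->server_random.data,
                ssl_session->server_random.data_len);
            ssl_md5_final(_key_c,&md5);
            ssl_md5_cleanup(&md5);
            c_wk=_key_c;

            if (ssl_md5_init(&md5) != 0)
                goto fail;
            ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC);
            ssl_md5_update(&md5,s_wk,encr_key_len);
            ssl_md5_update(&md5,ssl_session->server_random.data,
                ssl_session->server_random.data_len);
            ssl_md5_update(&md5,ssl_session->client_random.data,
                ssl_session->client_random.data_len);
            ssl_md5_final(_key_s,&md5);
            ssl_md5_cleanup(&md5);
            s_wk=_key_s;
        }
        else{
            /* TLS 1.0 export: final write key = PRF(write key, label, randoms). */
            StringInfo key_c, key_s, k;
            key_c.data = _key_c;
            key_s.data = _key_s;

            k.data = c_wk;
            k.data_len = encr_key_len;
            ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC);
            if (!prf(ssl_session, &k, "client write key",
                    &ssl_session->client_random,
                    &ssl_session->server_random, &key_c, sizeof(_key_c))) {
                ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC);
                goto fail;
            }
            c_wk=_key_c;

            k.data = s_wk;
            k.data_len = encr_key_len;
            ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC);
            if (!prf(ssl_session, &k, "server write key",
                    &ssl_session->client_random,
                    &ssl_session->server_random, &key_s, sizeof(_key_s))) {
                ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC);
                goto fail;
            }
            s_wk=_key_s;
        }
    }

    /* show key material info */
    if (c_mk != NULL) {
        ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
        ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
    }
    ssl_print_data("Client Write key", c_wk, encr_key_len);
    ssl_print_data("Server Write key", s_wk, encr_key_len);
    /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
    if (write_iv_len > 0) {
        ssl_print_data("Client Write IV", c_iv, write_iv_len);
        ssl_print_data("Server Write IV", s_iv, write_iv_len);
    }

create_decoders:
    /* create both client and server ciphers*/
    ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC);
    ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL, c_iv, write_iv_len);
    if (!ssl_session->client_new) {
        ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC);
        goto fail;
    }
    ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC);
    ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL, s_iv, write_iv_len);
    if (!ssl_session->server_new) {
        ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC);
        goto fail;
    }

    /* Continue the SSL stream after renegotiation with new keys. */
    ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
    ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();

    ssl_debug_printf("%s: client seq %" PRIu64 ", server seq %" PRIu64 "\n",
                     G_STRFUNC, ssl_session->client_new->seq, ssl_session->server_new->seq);
    /* The expanded key block is not scrubbed before release. */
    g_free(key_block.data);
    ssl_session->state |= SSL_HAVE_SESSION_KEY;
    return 0;

fail:
    g_free(key_block.data);
    return -1;
}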
5194
/* Generated the key material based on the given secret.
 *
 * Expands a (D)TLS 1.3 traffic secret into the write key, the write IV and,
 * for DTLS 1.3 only, the record-number ("sn") key, then installs a new
 * decoder for the given direction (ssl_session->server or ->client).
 *
 * Returns true on success and false on any failure; the failing step is
 * named in the debug log. The expanded buffers are owned by this function
 * and released before it returns.
 */
bool
tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool is_from_server)
{
    const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
    const bool     is_dtls13 = ssl_session->session.version == DTLSV1DOT3_VERSION;
    const char    *side      = is_from_server ? "server" : "client";
    unsigned char *write_key = NULL, *write_iv = NULL, *sn_key = NULL;
    SslDecoder    *decoder   = NULL;
    SslDecoder   **slot;
    bool           ok        = false;

    if (ssl_session->session.version != TLSV1DOT3_VERSION && !is_dtls13) {
        ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC,
                         ssl_session->session.version);
        return false;
    }

    if (!cipher_suite) {
        ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC);
        return false;
    }

    if (cipher_suite->kex != KEX_TLS13) {
        ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC, cipher_suite->number);
        return false;
    }

    /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
    const char *cipher_name = ciphers[cipher_suite->enc-ENC_START];
    ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC, cipher_name);
    const int cipher_algo = ssl_get_cipher_by_name(cipher_name);
    if (!cipher_algo) {
        ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC, cipher_name);
        return false;
    }

    const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
    const int hash_algo = ssl_get_digest_by_name(hash_name);
    if (hash_algo == 0) {
        ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC, hash_name);
        return false;
    }

    const unsigned key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
    /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
    const unsigned iv_length = 12;
    ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC, key_length, iv_length);

    /* HKDF-Expand-Label for each component; the label prefix differs between
     * TLS 1.3 drafts/final and DTLS 1.3. */
    const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
    if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
        ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC);
        return false;
    }
    if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
        ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC);
        goto end;
    }
    if (is_dtls13 &&
        !tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
        ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC);
        goto end;
    }

    ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
    ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
    if (is_dtls13) {
        ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
    }

    ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC, side);
    decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL, write_key, sn_key, write_iv, iv_length);
    if (!decoder) {
        ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC, side);
        goto end;
    }

    /* Continue the TLS session with new keys, but reuse old flow to keep things
     * like "Follow TLS" working (by linking application data records). */
    slot = is_from_server ? &ssl_session->server : &ssl_session->client;
    decoder->flow = *slot ? (*slot)->flow : ssl_create_flow();
    *slot = decoder;

    ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC,
                     is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
    ok = true;

end:
    /* Buffers handed out by tls13_hkdf_expand_label are ours to release. */
    wmem_free(NULL, write_key);
    wmem_free(NULL, write_iv);
    if (sn_key)
        wmem_free(NULL, sn_key);
    return ok;
}
5295/* (Pre-)master secrets calculations }}} */
5296
5297#ifdef HAVE_LIBGNUTLS1
/* Decrypt RSA pre-master secret using RSA private key. {{{ */
/*
 * Recovers the 48-byte pre-master secret from the ClientKeyExchange payload
 * for RSA key exchange, either with a key from the RSA keys table (looked up
 * by ssl_session->cert_key_id in key_hash) or, when none is configured, via
 * the external secrets provider (secrets_rsa_decrypt).
 *
 * On success the secret is copied into ssl_session->pre_master_secret (file
 * scope), SSL_PRE_MASTER_SECRET is set and any previous master secret /
 * session key flags are cleared so key material is regenerated. Returns
 * false for DH suites, non-RSA key exchange, decryption failure or a
 * decrypted value that is not exactly 48 bytes.
 */
static bool
ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
    StringInfo *encrypted_pre_master, GHashTable *key_hash)
{
    const SslCipherSuite *suite;
    gnutls_privkey_t privkey;
    gnutls_datum_t pms = { 0 };
    char *err = NULL;

    if (!encrypted_pre_master)
        return false;

    suite = ssl_session->cipher_suite;
    if (KEX_IS_DH(suite->kex)) {
        ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
                         "(cipher suite 0x%04X %s) and cannot be decrypted "
                         "using a RSA private key file.\n",
                         G_STRFUNC, ssl_session->session.cipher,
                         val_to_str_ext_const(ssl_session->session.cipher,
                             &ssl_31_ciphersuite_ext, "unknown"));
        return false;
    }
    if (suite->kex != KEX_RSA) {
        ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
                         G_STRFUNC, suite->kex, KEX_RSA);
        return false;
    }

    privkey = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);

    ssl_print_string("pre master encrypted", encrypted_pre_master);
    ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC);

    if (privkey) {
        // Try to decrypt using the RSA keys table from (D)TLS preferences.
        gcry_sexp_t sexp_key = rsa_abstract_privkey_to_sexp(privkey, &err);
        if (!sexp_key) {
            ssl_debug_printf("%s: decryption failed: Can't export private key: %s", G_STRFUNC, err);
            g_free(err);
            return false;
        }

        /* PKCS#1 v1.5 unpadding is done by rsa_decrypt; a zero size means failure. */
        pms.size = (int)rsa_decrypt(encrypted_pre_master->data_len, encrypted_pre_master->data, &pms.data, sexp_key, "pkcs1", &err);
        rsa_private_key_free(sexp_key);
        if (pms.size == 0) {
            ssl_debug_printf("%s: decryption failed: %s\n", G_STRFUNC, err);
            g_free(err);
            return false;
        }
    } else {
        // Try to decrypt using a hardware token.
        const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
        int rc = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
        if (rc < 0) {
            ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC, rc, gnutls_strerror(rc));
            return false;
        }
    }

    /* RFC 5246 7.4.7.1: the pre-master secret is always 48 bytes. */
    if (pms.size != 48) {
        ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
                         G_STRFUNC, pms.size, 48);
        g_free(pms.data);
        return false;
    }

    ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
    ssl_session->pre_master_secret.data_len = 48;
    g_free(pms.data);
    ssl_print_string("pre master secret", &ssl_session->pre_master_secret);

    /* Remove the master secret if it was there.
       This forces keying material regeneration in
       case we're renegotiating */
    ssl_session->state &= ~(SSL_MASTER_SECRET|SSL_HAVE_SESSION_KEY);
    ssl_session->state |= SSL_PRE_MASTER_SECRET;
    return true;
} /* }}} */
5373#endif /* HAVE_LIBGNUTLS */
5374
5375/* Decryption integrity check {{{ */
5376
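/* Verify a (D)TLS 1.0-1.2 record MAC:
 *   HMAC(mac_key, seq || content_type || version || length || data)
 *
 * One sequence number is consumed from decoder->seq regardless of the
 * outcome so the decoder stays aligned with the record stream. Returns 0
 * when the computed digest equals `mac`, -1 on mismatch or when the HMAC
 * context cannot be set up. `data`/`datalen` are the decrypted fragment.
 */
static int
tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
        uint32_t datalen, uint8_t* mac)
{
    SSL_HMAC hm;
    uint32_t len;
    uint8_t  buf[DIGEST_MAX_SIZE];
    int16_t  temp;

    const char *dig_name = ssl_cipher_suite_dig(decoder->cipher_suite)->name;
    const int md = ssl_get_digest_by_name(dig_name);
    ssl_debug_printf("tls_check_mac mac type:%s md %d\n", dig_name, md);

    if (ssl_hmac_init(&hm,md) != 0)
        return -1;
    if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0) {
        /* Release the context opened by ssl_hmac_init; returning without
         * this leaked it on the setkey failure path. */
        ssl_hmac_cleanup(&hm);
        return -1;
    }

    /* hash sequence number */
    phtonu64(buf, decoder->seq);

    decoder->seq++;

    ssl_hmac_update(&hm,buf,8);

    /* hash content type */
    buf[0]=ct;
    ssl_hmac_update(&hm,buf,1);

    /* hash version,data length and data*/
    /* memcpy via a 16-bit temporary avoids an unaligned/aliasing store into buf */
    temp = g_htons(ver);
    memcpy(buf, &temp, 2);
    ssl_hmac_update(&hm,buf,2);

    temp = g_htons(datalen);
    memcpy(buf, &temp, 2);
    ssl_hmac_update(&hm,buf,2);
    ssl_hmac_update(&hm,data,datalen);

    /* get digest and digest len*/
    len = sizeof(buf);
    ssl_hmac_final(&hm,buf,&len);
    ssl_hmac_cleanup(&hm);
    ssl_print_data("Mac", buf, len);
    /* Ordinary memcmp: this is a passive decoder, not a protocol peer, so a
     * constant-time comparison is not required here. */
    if(memcmp(mac,buf,len))
        return -1;

    return 0;
}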
5429
/* Verify an SSLv3 record MAC (the pre-HMAC construction of SSL 3.0):
 *   inner = hash(mac_key || pad1 || seq || content_type || length || data)
 *   outer = hash(mac_key || pad2 || inner)
 * with pad1 = 0x36 and pad2 = 0x5c repeated 40 times for SHA-1 and 48
 * times otherwise (MD5 for the SSLv3 suites).
 *
 * One sequence number is consumed from decoder->seq regardless of the
 * outcome. Returns 0 when the outer digest equals `mac`, -1 on mismatch or
 * when the hash context cannot be created.
 */
static int
ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
        uint32_t datalen, uint8_t* mac)
{
    SSL_MD   ctx;
    uint32_t digest_len;
    uint8_t  scratch[64];
    uint8_t  digest[20];
    int16_t  be_len;

    /* SHA-1 pads to 40 bytes, the other (MD5) suites to 48. */
    const int pad_len = (decoder->cipher_suite->dig == DIG_SHA) ? 40 : 48;

    /* get cipher used for digest computation */
    const int md = ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
    if (ssl_md_init(&ctx, md) != 0)
        return -1;

    /* inner hash: key, pad1, sequence number, content type, length, data */
    ssl_md_update(&ctx, decoder->mac_key.data, decoder->mac_key.data_len);

    memset(scratch, 0x36, pad_len);
    ssl_md_update(&ctx, scratch, pad_len);

    phtonu64(scratch, decoder->seq);
    decoder->seq++;
    ssl_md_update(&ctx, scratch, 8);

    scratch[0] = ct;
    ssl_md_update(&ctx, scratch, 1);

    /* length in network byte order, copied through a 16-bit temporary */
    be_len = g_htons(datalen);
    memcpy(scratch, &be_len, 2);
    ssl_md_update(&ctx, scratch, 2);
    ssl_md_update(&ctx, data, datalen);

    /* get partial digest, then reuse the context for the outer hash */
    ssl_md_final(&ctx, digest, &digest_len);
    ssl_md_reset(&ctx);

    /* outer hash: key, pad2, inner digest */
    ssl_md_update(&ctx, decoder->mac_key.data, decoder->mac_key.data_len);

    memset(scratch, 0x5c, pad_len);
    ssl_md_update(&ctx, scratch, pad_len);
    ssl_md_update(&ctx, digest, digest_len);

    ssl_md_final(&ctx, digest, &digest_len);
    ssl_md_cleanup(&ctx);

    return memcmp(mac, digest, digest_len) ? -1 : 0;
}
5491
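/* Verify a DTLS 1.0-1.2 record MAC, including both connection-id (CID)
 * record layouts: the final RFC 9146 one and the deprecated draft one,
 * selected by ssl->session.deprecated_cid.
 *
 * Unlike TLS, the epoch is folded into the top two bytes of the 8-byte
 * sequence field that is authenticated. One sequence number is consumed
 * from decoder->seq regardless of the outcome. `cid`/`cidl` are only read
 * when ct is SSL_ID_TLS12_CID on a DTLS 1.2 session. Returns 0 when the
 * computed HMAC equals `mac`, -1 on mismatch or HMAC setup failure.
 */
static int
dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
        uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
{
    SSL_HMAC hm;
    uint32_t len;
    uint8_t  buf[DIGEST_MAX_SIZE];
    int16_t  temp;

    const int  ver    = ssl->session.version;
    const bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION));

    const char *dig_name = ssl_cipher_suite_dig(decoder->cipher_suite)->name;
    const int md = ssl_get_digest_by_name(dig_name);
    ssl_debug_printf("dtls_check_mac mac type:%s md %d\n", dig_name, md);

    if (ssl_hmac_init(&hm,md) != 0)
        return -1;
    if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0) {
        /* Release the context opened by ssl_hmac_init; returning without
         * this leaked it on the setkey failure path. */
        ssl_hmac_cleanup(&hm);
        return -1;
    }

    ssl_debug_printf("dtls_check_mac seq: %" PRIu64 " epoch: %d\n",decoder->seq,decoder->epoch);

    if (is_cid && !ssl->session.deprecated_cid) {
        /* RFC 9146 layout: the MAC input starts with an 8-byte 0xFF
         * placeholder, then type, cid length, type, version, epoch+seq, cid. */

        /* hash seq num placeholder */
        memset(buf,0xFF,8);
        ssl_hmac_update(&hm,buf,8);

        /* hash content type + cid length + content type */
        buf[0]=ct;
        buf[1]=cidl;
        buf[2]=ct;
        ssl_hmac_update(&hm,buf,3);

        /* hash version */
        temp = g_htons(ver);
        memcpy(buf, &temp, 2);
        ssl_hmac_update(&hm,buf,2);

        /* hash sequence number (epoch in the top two bytes) */
        phtonu64(buf, decoder->seq);
        buf[0]=decoder->epoch>>8;
        buf[1]=(uint8_t)decoder->epoch;
        ssl_hmac_update(&hm,buf,8);

        /* hash cid */
        ssl_hmac_update(&hm,cid,cidl);
    } else {
        /* hash sequence number (epoch in the top two bytes) */
        phtonu64(buf, decoder->seq);
        buf[0]=decoder->epoch>>8;
        buf[1]=(uint8_t)decoder->epoch;
        ssl_hmac_update(&hm,buf,8);

        /* hash content type */
        buf[0]=ct;
        ssl_hmac_update(&hm,buf,1);

        /* hash version */
        temp = g_htons(ver);
        memcpy(buf, &temp, 2);
        ssl_hmac_update(&hm,buf,2);

        if (is_cid && ssl->session.deprecated_cid) {
            /* deprecated draft layout: cid and its length follow the version */

            /* hash cid */
            ssl_hmac_update(&hm,cid,cidl);

            /* hash cid length */
            buf[0] = cidl;
            ssl_hmac_update(&hm,buf,1);
        }
    }

    /* data length and data */
    temp = g_htons(datalen);
    memcpy(buf, &temp, 2);
    ssl_hmac_update(&hm,buf,2);
    ssl_hmac_update(&hm,data,datalen);

    /* get digest and digest len */
    len = sizeof(buf);
    ssl_hmac_final(&hm,buf,&len);
    ssl_hmac_cleanup(&hm);
    ssl_print_data("Mac", buf, len);
    /* Ordinary memcmp: passive decoder, constant-time comparison not required. */
    if(memcmp(mac,buf,len))
        return -1;

    return 0;
}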
5582/* Decryption integrity check }}} */
5583
5584
5585static bool_Bool
5586tls_decrypt_aead_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder,
5587 uint8_t ct, uint16_t record_version,
5588 bool_Bool ignore_mac_failed,
5589 const unsigned char *in, uint16_t inl,
5590 const unsigned char *cid, uint8_t cidl,
5591 StringInfo *out_str, unsigned *outl)
5592{
5593 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5594 * GenericAEADCipher: { nonce_explicit, [content] }
5595 * In TLS 1.3 this explicit nonce is gone.
5596 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5597 * ciphertext and authentication tag.
5598 */
5599 const uint16_t version = ssl->session.version;
5600 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
5601 gcry_error_t err;
5602 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
5603 unsigned ciphertext_len, auth_tag_len;
5604 unsigned char nonce[12];
5605 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5606 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
5607 const uint8_t draft_version = ssl->session.tls13_draft_version;
5608 const unsigned char *auth_tag_wire;
5609 unsigned char auth_tag_calc[16];
5610 unsigned char *aad = NULL((void*)0);
5611 unsigned aad_len = 0;
5612
5613 switch (cipher_mode) {
5614 case MODE_GCM:
5615 case MODE_CCM:
5616 case MODE_POLY1305:
5617 auth_tag_len = 16;
5618 break;
5619 case MODE_CCM_8:
5620 auth_tag_len = 8;
5621 break;
5622 default:
5623 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
5624 return false0;
5625 }
5626
5627 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5628 if (is_v12 && cipher_mode != MODE_POLY1305) {
5629 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
5630 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5631 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
5632 return false0;
5633 }
5634 explicit_nonce = in;
5635 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
5636 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
5637 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5638 if (inl < auth_tag_len) {
5639 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
5640 return false0;
5641 }
5642 ciphertext = in;
5643 ciphertext_len = inl - auth_tag_len;
5644 } else {
5645 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
5646 return false0;
5647 }
5648 auth_tag_wire = ciphertext + ciphertext_len;
5649
5650 /*
5651 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5652 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5653 */
5654 if (is_v12 && cipher_mode != MODE_POLY1305) {
5655 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5655, "decoder->write_iv.data_len == 4"))))
;
5656 /* Implicit (4) and explicit (8) part of nonce. */
5657 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
5658 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
5659
5660 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5661 /*
5662 * Technically the nonce length must be at least 8 bytes, but for
5663 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5664 */
5665 const unsigned nonce_len = 12;
5666 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5666, "decoder->write_iv.data_len == nonce_len"
))))
;
5667 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5668 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5669 phtonu64(nonce + nonce_len - 8, pntohu64(nonce + nonce_len - 8) ^ decoder->seq);
5670 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
5671 }
5672
5673 /* Set nonce and additional authentication data */
5674 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0)
;
5675 ssl_print_data("nonce", nonce, 12);
5676 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5677 if (err) {
5678 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5679 return false0;
5680 }
5681
5682 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5683 if (is_cid) { /* if connection ID */
5684 if (ssl->session.deprecated_cid) {
5685 aad_len = 14 + cidl;
5686 aad = wmem_alloc(allocator, aad_len);
5687 phtonu64(aad, decoder->seq); /* record sequence number */
5688 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5689 aad[8] = ct; /* TLSCompressed.type */
5690 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5691 memcpy(aad + 11, cid, cidl); /* cid */
5692 aad[11 + cidl] = cidl; /* cid_length */
5693 phtonu16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5694 } else {
5695 aad_len = 23 + cidl;
5696 aad = wmem_alloc(allocator, aad_len);
5697 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5698 aad[8] = ct; /* TLSCompressed.type */
5699 aad[9] = cidl; /* cid_length */
5700 aad[10] = ct; /* TLSCompressed.type */
5701 phtonu16(aad + 11, record_version); /* TLSCompressed.version */
5702 phtonu64(aad + 13, decoder->seq); /* record sequence number */
5703 phtonu16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5704 memcpy(aad + 21, cid, cidl); /* cid */
5705 phtonu16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5706 }
5707 } else if (is_v12) {
5708 aad_len = 13;
5709 aad = wmem_alloc(allocator, aad_len);
5710 phtonu64(aad, decoder->seq); /* record sequence number */
5711 if (version == DTLSV1DOT2_VERSION0xfefd) {
5712 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5713 }
5714 aad[8] = ct; /* TLSCompressed.type */
5715 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5716 phtonu16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5717 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
5718 aad_len = decoder->dtls13_aad.data_len;
5719 aad = decoder->dtls13_aad.data;
5720 } else if (draft_version >= 25 || draft_version == 0) {
5721 aad_len = 5;
5722 aad = wmem_alloc(allocator, aad_len);
5723 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5724 phtonu16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5725 phtonu16(aad + 3, inl); /* TLSCiphertext.length */
5726 }
5727
5728 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5729 /* size of plaintext, additional authenticated data and auth tag. */
5730 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5731
5732 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5733 }
5734
5735 if (aad && aad_len > 0) {
5736 ssl_print_data("AAD", aad, aad_len);
5737 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5738 if (err) {
5739 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5740 return false0;
5741 }
5742 }
5743
5744 /* Decrypt now that nonce and AAD are set. */
5745 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5746 if (err) {
5747 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5748 return false0;
5749 }
5750
5751 /* Check authentication tag for authenticity (replaces MAC) */
5752 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5753 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5754 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5755 } else {
5756 if (err) {
5757 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5758 } else {
5759 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
5760 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5761 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5762 }
5763 if (ignore_mac_failed) {
5764 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
5765 } else {
5766 return false0;
5767 }
5768 }
5769
5770 /*
5771 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5772 * after successful authentication to ensure that early data is skipped when
5773 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5774 */
5775 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
5776 decoder->seq++;
5777 }
5778
5779 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5780 *outl = ciphertext_len;
5781 return true1;
5782}
5783
5784/* Record decryption glue based on security parameters {{{ */
5785/* Assume that we are called only for a non-NULL decoder which also means that
5786 * we have a non-NULL decoder->cipher_suite. */
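/**
 * Decrypt and authenticate one TLS/DTLS record into out_str.
 *
 * Assumes a non-NULL decoder with a non-NULL decoder->cipher_suite. AEAD
 * suites and every TLS 1.3 / DTLS 1.3 record are handled entirely by
 * tls_decrypt_aead_record(). All other suites take the legacy path:
 * strip the explicit IV (GenericBlockCipher, TLS 1.1+/DTLS), decrypt, strip
 * the padding, locate the MAC (over the ciphertext with Encrypt-then-MAC,
 * RFC 7366, otherwise over the plaintext) and verify it. When the decoder
 * carries a compression method the plaintext is decompressed afterwards.
 *
 * @param allocator       scope for temporary allocations on the AEAD path.
 * @param ssl             session; version and state flags are consulted.
 * @param decoder         direction-specific decoder (cipher handle, keys, seq).
 * @param ct              record content type.
 * @param record_version  version from the record header (MAC/AAD input).
 * @param ignore_mac_failed  log MAC/tag failures instead of failing.
 * @param in, inl         ciphertext, including IV/MAC/tag where applicable.
 * @param cid, cidl       DTLS Connection ID (may be empty).
 * @param comp_str        scratch buffer used only when decompressing.
 * @param out_str         receives the plaintext; grown with ssl_data_realloc().
 * @param outl            receives the plaintext length on success.
 * @return 0 on success, -1 on any failure.
 */
int
ssl_decrypt_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
        bool ignore_mac_failed,
        const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
        StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
{
    unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
    uint8_t *mac = NULL, *mac_frag = NULL;

    ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
    ssl_print_data("Ciphertext",in, inl);

    /* A TLS 1.3 key exchange on a pre-1.3 session (or the reverse) means the
     * negotiated parameters are inconsistent; refuse rather than misparse. */
    if (((ssl->session.version == TLSV1DOT3_VERSION || ssl->session.version == DTLSV1DOT3_VERSION))
            != (decoder->cipher_suite->kex == KEX_TLS13)) {
        ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC);
        return -1;
    }

    /* ensure we have enough storage space for decrypted data */
    if (inl > out_str->data_len)
    {
        ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
                inl + 32, out_str->data_len);
        ssl_data_realloc(out_str, inl + 32);
    }

    /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
     * a separate MAC, so use a different routine for simplicity. */
    if (decoder->cipher_suite->mode == MODE_GCM ||
        decoder->cipher_suite->mode == MODE_CCM ||
        decoder->cipher_suite->mode == MODE_CCM_8 ||
        decoder->cipher_suite->mode == MODE_POLY1305 ||
        ssl->session.version == TLSV1DOT3_VERSION ||
        ssl->session.version == DTLSV1DOT3_VERSION) {

        if (!tls_decrypt_aead_record(allocator, ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
            /* decryption failed */
            return -1;
        }

        goto skip_mac;
    }

    /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
     * (notation: { unencrypted, [ encrypted ] })
     * GenericStreamCipher: { [content, mac] }
     * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
     * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
     * GenericAEADCipher: { nonce_explicit, [content] }
     * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
     * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
     */

    maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;

    /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
    if (decoder->cipher_suite->mode == MODE_CBC) {
        unsigned blocksize = 0;

        switch (ssl->session.version) {
        case TLSV1DOT1_VERSION:
        case TLSV1DOT2_VERSION:
        case DTLSV1DOT0_VERSION:
        case DTLSV1DOT2_VERSION:
        case DTLSV1DOT3_VERSION:
        case DTLSV1DOT0_OPENSSL_VERSION:
        case TLCPV1_VERSION:
            blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
            if (inl < blocksize) {
                ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
                        inl, blocksize);
                return -1;
            }
            pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
            if (pad != 0) {
                ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
                        gcry_strsource (pad), gcry_strerror (pad));
                /* Decrypting with whatever IV the cipher handle still holds
                 * would only yield garbage; fail here, as the AEAD path does
                 * when its nonce cannot be set. */
                return -1;
            }

            inl -= blocksize;
            in += blocksize;
            break;
        default:
            /* Versions before TLS 1.1 carry no explicit IV: nothing to strip. */
            break;
        }

        /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
        if (ssl->state & SSL_ENCRYPT_THEN_MAC) {
            /*
             * MAC is calculated over (IV + ) ENCRYPTED contents:
             *
             *      MAC(MAC_write_key, ... +
             *          IV +       // for TLS 1.1 or greater
             *          TLSCiphertext.enc_content);
             */
            if (inl < maclen) {
                ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
                        G_STRFUNC, inl, maclen);
                return -1;
            }
            inl -= maclen;
            mac = (uint8_t *)in + inl;
            /* The MAC input starts at the IV, which was skipped above. */
            mac_frag = (uint8_t *)in - blocksize;
            mac_fraglen = blocksize + inl;
        }
    }

    /* First decrypt*/
    if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
        ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
                gcry_strerror (pad));
        return -1;
    }

    ssl_print_data("Plaintext", out_str->data, inl);
    worklen = inl;

    /* strip padding for GenericBlockCipher */
    if (decoder->cipher_suite->mode == MODE_CBC) {
        if (inl < 1) { /* Should this check happen earlier? */
            ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
            return -1;
        }
        /* The last plaintext byte is padding_length; the padding bytes and
         * that byte itself are removed. */
        pad = out_str->data[inl-1];
        if (worklen <= pad) {
            ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
                    pad, worklen);
            return -1;
        }
        worklen -= (pad+1);
        ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
                pad, worklen);
    }

    /* MAC for GenericStreamCipher and GenericBlockCipher.
     * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
    if (!mac) {
        /*
         * MAC is calculated over the DECRYPTED contents:
         *
         *      MAC(MAC_write_key, ... + TLSCompressed.fragment);
         */
        if (worklen < maclen) {
            /* Report the input length here: *outl is an output parameter and
             * has not been assigned yet at this point. */
            ssl_debug_printf("%s wrong record len/padding inlen %d work %d\n", G_STRFUNC, inl, worklen);
            return -1;
        }
        worklen -= maclen;
        mac = out_str->data + worklen;
        mac_frag = out_str->data;
        mac_fraglen = worklen;
    }

    /* If NULL encryption active and no keys are available, do not bother
     * checking the MAC. We do not have keys for that. */
    if (decoder->cipher_suite->mode == MODE_STREAM &&
        decoder->cipher_suite->enc == ENC_NULL &&
        !(ssl->state & SSL_MASTER_SECRET)) {
        ssl_debug_printf("MAC check skipped due to missing keys\n");
        decoder->seq++; // Increment this for display
        goto skip_mac;
    }

    /* Now check the MAC */
    ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64 ")\n",
            worklen, ssl->session.version, ct, decoder->seq);
    if (ssl->session.version == SSLV3_VERSION) {
        if (ssl3_check_mac(decoder, ct, mac_frag, mac_fraglen, mac) < 0) {
            if (ignore_mac_failed) {
                ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
            }
            else {
                ssl_debug_printf("ssl_decrypt_record: mac failed\n");
                return -1;
            }
        }
        else {
            ssl_debug_printf("ssl_decrypt_record: mac ok\n");
        }
    }
    else if (ssl->session.version == TLSV1_VERSION || ssl->session.version == TLSV1DOT1_VERSION || ssl->session.version == TLSV1DOT2_VERSION || ssl->session.version == TLCPV1_VERSION) {
        if (tls_check_mac(decoder, ct, ssl->session.version, mac_frag, mac_fraglen, mac) < 0) {
            if (ignore_mac_failed) {
                ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
            }
            else {
                ssl_debug_printf("ssl_decrypt_record: mac failed\n");
                return -1;
            }
        }
        else {
            ssl_debug_printf("ssl_decrypt_record: mac ok\n");
        }
    }
    else if (ssl->session.version == DTLSV1DOT0_VERSION ||
        ssl->session.version == DTLSV1DOT2_VERSION ||
        ssl->session.version == DTLSV1DOT0_OPENSSL_VERSION) {
        /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
        if (dtls_check_mac(ssl, decoder, ct, mac_frag, mac_fraglen, mac, cid, cidl) >= 0) {
            ssl_debug_printf("ssl_decrypt_record: mac ok\n");
        }
        else if (tls_check_mac(decoder, ct, TLSV1_VERSION, mac_frag, mac_fraglen, mac) >= 0) {
            ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
        }
        else if (ignore_mac_failed) {
            ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
        }
        else {
            ssl_debug_printf("ssl_decrypt_record: mac failed\n");
            return -1;
        }
    }
skip_mac:

    *outl = worklen;

    if (decoder->compression > 0) {
        ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
        ssl_data_copy(comp_str, out_str);
        ssl_print_data("Plaintext compressed", comp_str->data, worklen);
        if (!decoder->decomp) {
            ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
            return -1;
        }
        if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
        ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
        *outl = uncomplen;
    }

    return 0;
}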
6016/* Record decryption glue based on security parameters }}} */
6017
6018
6019
6020#ifdef HAVE_LIBGNUTLS1
6021
6022/* RSA private key file processing {{{ */
/*
 * Compute the SHA-1 key ID of the peer's RSA SubjectPublicKeyInfo (as seen
 * in the handshake) and store it in ssl->cert_key_id so the matching RSA
 * private key can be looked up later. Non-RSA keys, an empty input and any
 * GnuTLS failure are logged and ignored, leaving ssl->cert_key_id untouched.
 */
static void
ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
                               const gnutls_datum_t *subjectPublicKeyInfo)
{
    gnutls_pubkey_t pubkey = NULL;
    cert_key_id_t key_id;
    size_t key_id_len = sizeof(key_id);
    int rc;

    if (!subjectPublicKeyInfo->size) {
        ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC);
        return;
    }

    rc = gnutls_pubkey_init(&pubkey);
    if (rc < 0) {
        ssl_debug_printf("%s: failed to init pubkey: %s\n",
                         G_STRFUNC, gnutls_strerror(rc));
        return;
    }

    /* From here on pubkey must be released; break out on any failure. */
    do {
        rc = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
        if (rc < 0) {
            ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
                             G_STRFUNC, gnutls_strerror(rc));
            break;
        }

        if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) != GNUTLS_PK_RSA) {
            ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC);
            break;
        }

        /* Generate a 20-byte SHA-1 hash. */
        rc = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
        if (rc < 0) {
            ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
                             G_STRFUNC, gnutls_strerror(rc));
            break;
        }

        /* cert_key_id_t is sized for exactly one SHA-1 digest. */
        if (key_id_len != sizeof(key_id)) {
            ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
                             G_STRFUNC, sizeof(key_id), key_id_len);
            break;
        }

        ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
        ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t);
        *ssl->cert_key_id = key_id;
    } while (0);

    gnutls_pubkey_deinit(pubkey);
}
6077
6078/* RSA private key file processing }}} */
6079#endif /* HAVE_LIBGNUTLS */
6080
6081/*--- Start of dissector-related code below ---*/
6082
/* This is not a "protocol" but ensures that this gets called during
 * the handoff stage. */
void proto_reg_handoff_tls_utils(void);

/* Handles of the "tls" and "dtls" dissectors, resolved in
 * proto_reg_handoff_tls_utils(). ssl_get_session() compares the handle it is
 * given against these to decide which stream counter to increment. */
static dissector_handle_t base_tls_handle;
static dissector_handle_t dtls_handle;
6089
/* Resolve the TLS and DTLS dissector handles once the dissector registry has
 * been populated; both are kept in file-scope statics. */
void
proto_reg_handoff_tls_utils(void)
{
    dtls_handle = find_dissector("dtls");
    base_tls_handle = find_dissector("tls");
}
6096
6097/* Look up an existing SslDecryptSession without creating one. Returns NULL if
6098 * no session exists. */
/* Return the SslDecryptSession stored for this conversation and TLS layer,
 * or NULL when the conversation is NULL, has no TLS data, or has no session
 * for that layer. Never allocates. */
SslDecryptSession *
tls_get_session(conversation_t *conversation, int proto_ssl, uint8_t curr_layer_num)
{
    /* Sessions live in a per-conversation wmem map keyed by layer number. */
    wmem_map_t *session_map = NULL;

    if (conversation) {
        session_map = (wmem_map_t *)conversation_get_proto_data(conversation, proto_ssl);
    }
    if (session_map == NULL) {
        return NULL;
    }

    return (SslDecryptSession *)wmem_map_lookup(session_map,
            GUINT_TO_POINTER((unsigned)curr_layer_num));
}
6118
/* Get the SSL session data for this conversation and layer; allocate a new one if none is found. */
/* Point the StringInfo views of a freshly zero-allocated SslDecryptSession at
 * their fixed-size backing arrays and reset the session parameters that are
 * not specific to decryption. */
static void
ssl_get_session_init_fields(SslDecryptSession *ssl_session)
{
    /* data_len is the part that is meaningful, not the allocated length */
    ssl_session->master_secret.data_len = 0;
    ssl_session->master_secret.data = ssl_session->_master_secret;
    ssl_session->session_id.data_len = 0;
    ssl_session->session_id.data = ssl_session->_session_id;
    ssl_session->client_random.data_len = 0;
    ssl_session->client_random.data = ssl_session->_client_random;
    ssl_session->server_random.data_len = 0;
    ssl_session->server_random.data = ssl_session->_server_random;
    ssl_session->session_ticket.data_len = 0;
    ssl_session->session_ticket.data = NULL; /* will be re-alloced as needed */
    ssl_session->server_data_for_iv.data_len = 0;
    ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
    ssl_session->client_data_for_iv.data_len = 0;
    ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
    /* Growable buffers start out empty and unallocated. */
    ssl_session->app_data_segment.data = NULL;
    ssl_session->app_data_segment.data_len = 0;
    ssl_session->handshake_data.data = NULL;
    ssl_session->handshake_data.data_len = 0;
    ssl_session->ech_transcript.data = NULL;
    ssl_session->ech_transcript.data_len = 0;

    /* Initialize parameters which are not necessary specific to decryption. */
    ssl_session->session.version = SSL_VER_UNKNOWN;
    clear_address(&ssl_session->session.srv_addr);
    ssl_session->session.srv_ptype = PT_NONE;
    ssl_session->session.srv_port = 0;
    ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
    ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
    ssl_session->session.client_random.data_len = 0;
    ssl_session->session.client_random.data = ssl_session->session._client_random;
    memset(ssl_session->session.ech_confirmation, 0, sizeof(ssl_session->session.ech_confirmation));
    memset(ssl_session->session.hrr_ech_confirmation, 0, sizeof(ssl_session->session.hrr_ech_confirmation));
    memset(ssl_session->session.first_ech_auth_tag, 0, sizeof(ssl_session->session.first_ech_auth_tag));
    ssl_session->session.ech = false;
    ssl_session->session.hrr_ech_declined = false;
    ssl_session->session.first_ch_ech_frame = 0;
}

/* Return the SslDecryptSession for this conversation and TLS layer, creating
 * (and registering) it when none exists yet. Sessions are kept in a
 * file-scoped wmem map per conversation, keyed by layer number, so they are
 * released together with the capture file. */
SslDecryptSession *
ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle, uint8_t curr_layer_num)
{
    /* Note proto_ssl is tls for either the main tls_handle or the
     * tls13_handshake handle used by QUIC. */
    const int proto_ssl = dissector_handle_get_protocol_index(tls_handle);
    void *layer_key = GUINT_TO_POINTER((unsigned)curr_layer_num);
    wmem_map_t *session_map = (wmem_map_t *)conversation_get_proto_data(conversation, proto_ssl);
    SslDecryptSession *ssl_session;

    if (session_map == NULL) {
        /* First TLS layer seen on this conversation: create the per-layer map. */
        session_map = wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal);
        conversation_add_proto_data(conversation, proto_ssl, session_map);
    } else {
        ssl_session = (SslDecryptSession *)wmem_map_lookup(session_map, layer_key);
        if (ssl_session != NULL) {
            return ssl_session;
        }
    }

    /* no previous SSL conversation info for this layer, initialize it. */
    ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession);
    ssl_get_session_init_fields(ssl_session);

    /* We want to increment the stream count for the normal tls handle and
     * dtls handle, but presumably not for the tls13_handshake handle used
     * by QUIC (it has its own Follow Stream handling, and the QUIC stream
     * doesn't get sent to the TLS follow tap.)
     */
    if (tls_handle == base_tls_handle) {
        ssl_session->session.stream = tls_increment_stream_count();
    } else if (tls_handle == dtls_handle) {
        ssl_session->session.stream = dtls_increment_stream_count();
    }

    wmem_map_insert(session_map, layer_key, ssl_session);

    return ssl_session;
}
6205
/* Forget the state that a new handshake / renegotiation invalidates. The
 * client and server sides are reset independently so that out-of-order
 * packets only discard the identifiers owned by that side. ssl may be NULL,
 * in which case only the dissection-level SslSession fields are reset. */
void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool is_client)
{
    if (ssl != NULL) {
        /* Flags that are stale on either side once a new handshake starts. */
        int clear_flags = SSL_HAVE_SESSION_KEY | SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET;

        if (!is_client) {
            clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET | SSL_NEW_SESSION_TICKET;
            ssl->pre_master_secret.data_len = 0;
            ssl->server_random.data_len = 0;
            ssl->has_key_share = false;
            ssl->has_psk = false;
#ifdef HAVE_LIBGNUTLS
            ssl->cert_key_id = NULL;
#endif
            /* The PSK is intentionally kept: only one global PSK is stored
             * in the prefs, so clearing it here would gain nothing. */
        } else {
            clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET;
            ssl->has_early_data = false;
            ssl->client_random.data_len = 0;
            ssl->master_secret.data_len = 0;
            ssl->session_ticket.data_len = 0;
            ssl->session_id.data_len = 0;
            if (ssl->handshake_data.data_len > 0) {
                /* The EMS handshake hash starts at the Client Hello; drop
                 * anything buffered before it. */
                wmem_free(wmem_file_scope(), ssl->handshake_data.data);
                ssl->handshake_data.data = NULL;
                ssl->handshake_data.data_len = 0;
            }
        }

        if (ssl->state & clear_flags) {
            ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
                             G_STRFUNC, ssl->state & clear_flags, is_client ? "client" : "server");
            ssl->state &= ~clear_flags;
        }
    }

    /* These flags might be used for non-decryption purposes and may affect the
     * dissection, so reset them as well. */
    if (is_client) {
        session->client_cert_type = 0;
    } else {
        /* session->is_session_resumed is already handled in the ServerHello dissection. */
        session->server_cert_type = 0;
        session->compression = 0;
    }
    session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
    session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
}
6260
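/*
 * Record app_handle as the application-data dissector of the TLS session for
 * this conversation and layer, creating the session if needed.
 *
 * Either handle may be NULL when the corresponding dissector is disabled; the
 * call is then a no-op. The NULL check has to run before
 * dissector_handle_get_protocol_index(), which must not be given a NULL
 * handle; the original order computed proto from tls_handle first.
 */
void
tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
                          dissector_handle_t app_handle)
{
    conversation_t *conversation;
    SslSession *session;
    int proto;
    uint8_t curr_layer_num;

    /* Ignore if the TLS or other dissector is disabled. */
    if (!tls_handle || !app_handle)
        return;

    proto = dissector_handle_get_protocol_index(tls_handle);
    curr_layer_num = p_get_proto_depth(pinfo, proto);

    conversation = find_or_create_conversation(pinfo);
    session = &ssl_get_session(conversation, tls_handle, curr_layer_num)->session;
    session->app_handle = app_handle;
}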
6278
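/*
 * Switch this conversation to TLS for frames after last_nontls_frame, with
 * app_handle as the dissector for the decrypted application data.
 *
 * Returns 0 when the switch was made (or tls_handle is NULL), otherwise the
 * frame number stored by an earlier switch, which is left untouched.
 *
 * The NULL check on tls_handle has to come before
 * dissector_handle_get_protocol_index(), which must not be given a NULL
 * handle; the original order computed proto from tls_handle first.
 */
static uint32_t
ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
             dissector_handle_t app_handle, uint32_t last_nontls_frame)
{
    conversation_t *conversation;
    SslSession *session;
    int proto;
    uint8_t curr_layer_num;

    /* Ignore if the TLS dissector is disabled. */
    if (!tls_handle)
        return 0;
    /* The caller should always pass a valid handle to its own dissector. */
    DISSECTOR_ASSERT(app_handle);

    proto = dissector_handle_get_protocol_index(tls_handle);
    curr_layer_num = p_get_proto_depth(pinfo, proto);

    conversation = find_or_create_conversation(pinfo);
    session = &ssl_get_session(conversation, tls_handle, curr_layer_num)->session;

    ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC,
                     session->last_nontls_frame,
                     (void *)session->app_handle,
                     dissector_handle_get_dissector_name(session->app_handle));
    ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC,
                     pinfo->num, (void *)app_handle,
                     dissector_handle_get_dissector_name(app_handle));

    /* Do not switch again if a dissector did it before. */
    if (session->last_nontls_frame) {
        ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC);
        return session->last_nontls_frame;
    }

    session->app_handle = app_handle;
    /* The TLS dissector should be called first for this conversation. */
    conversation_set_dissector(conversation, tls_handle);
    /* TLS starts after this frame. */
    session->last_nontls_frame = last_nontls_frame;
    return 0;
}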
6318
6319/* ssl_starttls_ack: mark future frames as encrypted. */
uint32_t
ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
                 dissector_handle_t app_handle)
{
    /* The current frame is the last one in the clear; TLS follows it. */
    const uint32_t last_nontls_frame = pinfo->num;

    return ssl_starttls(tls_handle, pinfo, app_handle, last_nontls_frame);
}
6326
/* Like ssl_starttls_ack(), but the current frame is already TLS: the last
 * clear-text frame is the one before it. */
uint32_t
ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
                      dissector_handle_t app_handle)
{
    const uint32_t last_nontls_frame = pinfo->num - 1;

    return ssl_starttls(tls_handle, pinfo, app_handle, last_nontls_frame);
}
6333
/* Resolve the application-data dissector registered under name. The legacy
 * name "http" is mapped to "http-over-tls" for backwards compatibility. */
dissector_handle_t
ssl_find_appdata_dissector(const char *name)
{
    const char *lookup_name = (strcmp(name, "http") == 0) ? "http-over-tls" : name;

    /* XXX - Should this check to see if the dissector is actually added for
     * Decode As in the appropriate table?
     */
    return find_dissector(lookup_name);
}
6345
6346/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
/* Hash-table equality for StringInfo keys: same length and same bytes.
 * Returns 1 when equal, 0 otherwise. */
static int
ssl_equal (const void *v, const void *v2)
{
    const StringInfo *lhs = (const StringInfo *)v;
    const StringInfo *rhs = (const StringInfo *)v2;

    if (lhs->data_len != rhs->data_len) {
        return 0;
    }
    return memcmp(lhs->data, rhs->data, rhs->data_len) == 0 ? 1 : 0;
}
6361
/* Hash-table hash for StringInfo keys: XOR of the key's 32-bit words.
 * Each word is fetched with memcpy, which yields the same value as the
 * direct aligned load on id->data without depending on its alignment.
 * NOTE(review): the loop bound mirrors the original "l = 4; l < data_len"
 * loop, so for a length that is a multiple of 4 the final word is never
 * folded in (an 8-byte key hashes only its first 4 bytes). Kept as is. */
static unsigned
ssl_hash (const void *v)
{
    const StringInfo *id = (const StringInfo *)v;
    unsigned hash = 0;
    unsigned word;

    for (unsigned off = 0; off + 4 < id->data_len; off += 4) {
        memcpy(&word, id->data + off, sizeof(word));
        hash ^= word;
    }

    return hash;
}
6384/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6385
6386/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
/* Associate a clear-text protocol with a TLS/DTLS port: the subdissector is
 * registered in dissector_table_name for port, and the outer TLS/DTLS
 * dissector (main_handle) claims that transport port. With port == 0 the
 * subdissector is only made available through Decode As. */
void
ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool tcp)
{
    DISSECTOR_ASSERT(main_handle);
    DISSECTOR_ASSERT(subdissector_handle);
    /* Registration is required for Export PDU feature to work properly. */
    DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),
                          "SSL appdata dissectors must register with register_dissector()!");
    ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);

    if (!port) {
        dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
        return;
    }

    dissector_add_uint(dissector_table_name, port, subdissector_handle);
    dissector_add_uint(tcp ? "tcp.port" : "udp.port", port, main_handle);
    dissector_add_uint("sctp.port", port, main_handle);
}
6408
/*
 * Undoes ssl_association_add(): detaches main_handle from the transport
 * port tables (tcp.port or udp.port, and sctp.port) when main_handle is
 * set, and removes subdissector_handle from dissector_table_name for a
 * non-zero port. A port of 0 (a Decode As only entry) leaves that table
 * untouched.
 */
void
ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool tcp)
{
    const char *transport_name = tcp ? "TCP" : "UDP";
    const char *transport_table = tcp ? "tcp.port" : "udp.port";

    ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
                     transport_name, port, (void *)subdissector_handle);

    if (main_handle != NULL) {
        dissector_delete_uint(transport_table, port, main_handle);
        dissector_delete_uint("sctp.port", port, main_handle);
    }

    if (port != 0) {
        dissector_delete_uint(dissector_table_name, port, subdissector_handle);
    }
}
6423
/*
 * Records which endpoint of the session acts as the server.
 * The address is copied into file scope so it outlives the current packet;
 * ptype and port are stored as given.
 */
void
ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
{
    session->srv_port = port;
    session->srv_ptype = ptype;
    copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
}
6431
/*
 * Decides whether the packet in pinfo was sent by the server side.
 *
 * If the session knows its server endpoint (srv_addr is set), the packet's
 * port type, source port and source address must all match it. Otherwise
 * a heuristic is used: the source port has a handle registered in `table`.
 *
 * Returns non-zero when the packet is from the server.
 */
int
ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
{
    int from_server;
    const bool server_known = session != NULL && session->srv_addr.type != AT_NONE;

    if (server_known) {
        from_server = session->srv_ptype == pinfo->ptype
                   && session->srv_port == pinfo->srcport
                   && addresses_equal(&session->srv_addr, &pinfo->src);
    } else {
        /* No explicit server yet: a registered source port is taken as server. */
        from_server = dissector_get_uint_handle(table, pinfo->srcport) != 0;
    }

    ssl_debug_printf("packet_from_server: is from server - %s\n", from_server ? "TRUE" : "FALSE");
    return from_server;
}
6447/* Handling of association between tls/dtls ports and clear text protocol. }}} */
6448
6449
6450/* Links SSL records with the real packet data. {{{ */
/*
 * Returns the per-packet TLS state for `proto` at layer curr_layer_num_ssl,
 * creating it in file scope and attaching it to the packet on first use.
 *
 * A freshly created SslPacketInfo records the packet's ports and, when the
 * conversation already has a decryption session, that session's stream
 * number (used by Follow and Decode As). The QUIC TLS 1.3 handshake-only
 * dissector has no session, so for it the zero-initialized stream stays 0.
 */
SslPacketInfo *
tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
{
    SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
    if (pi != NULL) {
        return pi;
    }

    pi = wmem_new0(wmem_file_scope(), SslPacketInfo);
    pi->srcport = pinfo->srcport;
    pi->destport = pinfo->destport;

    conversation_t *conv = find_or_create_conversation_strat(pinfo);
    SslDecryptSession *ssl_session = tls_get_session(conv, proto, curr_layer_num_ssl);
    if (ssl_session != NULL) {
        /* This can also be called by the QUIC TLS1.3 handshake only
         * dissector. That is not associated with a session, or a stream,
         * and doesn't need the information for Follow or Decode As. */
        pi->stream = ssl_session->session.stream;
    }
    p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
    return pi;
}
6472
/**
 * Remembers a decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3)
 * on the packet so that the second dissection pass needs no decoder. For
 * application data that belongs to a flow it also assigns byte sequence
 * numbers (reassembly and Follow TLS Stream).
 *
 * @param proto The protocol identifier (proto_ssl or proto_dtls).
 * @param pinfo The packet where the record originates from.
 * @param plain_data Decrypted plaintext; copied into file scope.
 * @param plain_data_len Total length of the plaintext.
 * @param content_len Length of the plaintext that is record content; must not exceed plain_data_len.
 * @param record_id The identifier for this record within the current packet.
 * @param flow Sequence number state for the direction; may be NULL.
 * @param type TLS Content Type (such as handshake or application_data).
 * @param curr_layer_num_ssl The layer identifier for this TLS session.
 * @param record_seq Record sequence number stored alongside the data.
 */
void
ssl_add_record_info(int proto, packet_info *pinfo,
        const unsigned char *plain_data, int plain_data_len, int content_len,
        int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl,
        uint64_t record_seq)
{
    SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);

    ws_assert(content_len <= plain_data_len);

    SslRecordInfo *rec = wmem_new(wmem_file_scope(), SslRecordInfo);
    rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), plain_data, plain_data_len);
    rec->plain_data_len = plain_data_len;
    rec->content_len = content_len;
    rec->id = record_id;
    rec->type = type;
    rec->next = NULL;
    rec->record_seq = record_seq;

    /* Only application data advances the flow's byte sequence. */
    if (flow != NULL && type == SSL_ID_APP_DATA) {
        rec->seq = flow->byte_seq;
        rec->flow = flow;
        flow->byte_seq += content_len;
        ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
                         G_STRFUNC, rec->seq, rec->seq + content_len, (void*)flow);
    }

    /* Append to the tail of the packet's record list. */
    SslRecordInfo **tail = &pi->records;
    while (*tail != NULL) {
        tail = &(*tail)->next;
    }
    *tail = rec;
}
6521
/*
 * Looks up the decrypted record with id record_id among those stored on
 * the packet for `proto` at layer curr_layer_num_ssl.
 *
 * On a hit, *matched_record is set to the record and a child tvb of
 * parent_tvb over the stored plaintext is returned, so it is released with
 * the frame. Returns NULL, leaving *matched_record untouched, when the
 * packet has no TLS state or no record with that id.
 */
tvbuff_t*
ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
{
    SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
    if (pi == NULL) {
        return NULL;
    }

    for (SslRecordInfo *rec = pi->records; rec != NULL; rec = rec->next) {
        if (rec->id != record_id) {
            continue;
        }
        *matched_record = rec;
        /* Tie the new real-data tvb to the parent so it is freed when
         * frame dissection is complete. */
        return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->plain_data_len, rec->plain_data_len);
    }

    return NULL;
}
6542/* Links SSL records with the real packet data. }}} */
6543
6544/* initialize/reset per capture state data (ssl sessions cache). {{{ */
/*
 * Creates the per-capture key caches in mk_map and the 32-byte work
 * buffers for decrypted and compressed data.
 *
 * All caches hash and compare with ssl_hash/ssl_equal. They are created
 * with g_hash_table_new(), i.e. without key/value destroy notifiers, so
 * destroying a table does not free the entries stored in it.
 */
void
ssl_common_init(ssl_master_key_map_t *mk_map,
                StringInfo *decrypted_data, StringInfo *compressed_data)
{
    GHashTable **caches[] = {
        &mk_map->session,
        &mk_map->tickets,
        &mk_map->crandom,
        &mk_map->pre_master,
        &mk_map->pms,
        &mk_map->tls13_client_early,
        &mk_map->tls13_client_handshake,
        &mk_map->tls13_server_handshake,
        &mk_map->tls13_client_appdata,
        &mk_map->tls13_server_appdata,
        &mk_map->tls13_early_exporter,
        &mk_map->tls13_exporter,
        &mk_map->ech_secret,
        &mk_map->ech_config,
        &mk_map->used_crandom,
    };

    /* Every cache uses the same StringInfo hashing and equality. */
    for (size_t i = 0; i < sizeof caches / sizeof caches[0]; i++) {
        *caches[i] = g_hash_table_new(ssl_hash, ssl_equal);
    }

    ssl_data_alloc(decrypted_data, 32);
    ssl_data_alloc(compressed_data, 32);
}
6570
/*
 * Tears down what ssl_common_init() created: destroys every key cache in
 * mk_map (the tables carry no destroy notifiers, so entries are not freed
 * here), releases the decrypted/compressed work buffers, and closes the
 * open keylog file so that the next open re-reads it from the start into
 * the now-empty caches.
 */
void
ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
                   StringInfo *decrypted_data, StringInfo *compressed_data)
{
    GHashTable *caches[] = {
        mk_map->session,
        mk_map->tickets,
        mk_map->crandom,
        mk_map->pre_master,
        mk_map->pms,
        mk_map->tls13_client_early,
        mk_map->tls13_client_handshake,
        mk_map->tls13_server_handshake,
        mk_map->tls13_client_appdata,
        mk_map->tls13_server_appdata,
        mk_map->tls13_early_exporter,
        mk_map->tls13_exporter,
        mk_map->ech_secret,
        mk_map->ech_config,
        mk_map->used_crandom,
    };

    for (size_t i = 0; i < sizeof caches / sizeof caches[0]; i++) {
        g_hash_table_destroy(caches[i]);
    }

    g_free(decrypted_data->data);
    g_free(compressed_data->data);

    /* Close the previous keylog file now that the caches are cleared; this
     * allows the caches to be refilled with the full keylog file contents. */
    if (*ssl_keylog_file != NULL) {
        fclose(*ssl_keylog_file);
        *ssl_keylog_file = NULL;
    }
}
6603/* }}} */
6604
6605/* parse ssl related preferences (private keys and ports association strings) */
6606#if defined(HAVE_LIBGNUTLS1)
6607/* Load a single RSA key file item from preferences. {{{ */
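/*
 * Loads one RSA private key entry from the key list preference.
 *
 * Reads uats->keyfile (PEM when uats->password is empty, PKCS#12
 * otherwise), wraps it in a gnutls_privkey_t and stores it in key_hash
 * under its 20-byte public key ID; the table takes over both the key ID
 * buffer and the private key. If uats->protocol names a registered
 * appdata dissector and uats->port parses as a non-zero port, that port is
 * associated with the dissector through ssl_association_add(). A port of
 * "start_tls" is accepted without an association.
 *
 * Failures are reported through report_failure()/report_open_failure()
 * and leave key_hash unchanged. The gnutls handle initialization is now
 * checked so a failed init is reported instead of passing a NULL handle
 * to gnutls_privkey_import_x509().
 */
void
ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool tcp)
{
    gnutls_x509_privkey_t x509_priv_key;
    gnutls_privkey_t priv_key = NULL;
    FILE* fp = NULL;
    int ret;
    size_t key_id_len = 20;
    unsigned char *key_id = NULL;
    char *err = NULL;
    dissector_handle_t handle;

    /* try to load keys file first */
    fp = ws_fopen(uats->keyfile, "rb");
    if (!fp) {
        report_open_failure(uats->keyfile, errno, false);
        return;
    }

    /* An empty password selects PEM; otherwise the file is a PKCS#12 bundle. */
    if (uats->password[0] == '\0') {
        x509_priv_key = rsa_load_pem_key(fp, &err);
    } else {
        x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
    }
    fclose(fp);

    if (!x509_priv_key) {
        if (err) {
            report_failure("Can't load private key from %s: %s",
                           uats->keyfile, err);
            g_free(err);
        } else {
            report_failure("Can't load private key from %s: unknown error",
                           uats->keyfile);
        }
        return;
    }
    if (err) {
        /* A key was produced but the loader still reported a problem. */
        report_failure("Load of private key from %s \"succeeded\" with error %s",
                       uats->keyfile, err);
        g_free(err);
    }

    /* gnutls_privkey_init() can fail (e.g. allocation); importing into an
     * uninitialized handle is not permitted, so stop before using it. */
    ret = gnutls_privkey_init(&priv_key);
    if (ret < 0) {
        report_failure("Can't initialize private key for %s: %s",
                       uats->keyfile, gnutls_strerror(ret));
        goto end;
    }
    ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
                                     GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
    if (ret < 0) {
        report_failure("Can't convert private key %s: %s",
                       uats->keyfile, gnutls_strerror(ret));
        goto end;
    }

    key_id = (unsigned char *) g_malloc0(key_id_len);
    ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
    if (ret < 0) {
        report_failure("Can't calculate public key ID for %s: %s",
                       uats->keyfile, gnutls_strerror(ret));
        goto end;
    }
    ssl_print_data("KeyID", key_id, key_id_len);
    /* key_hash is keyed on a fixed 20-byte key ID; anything else is rejected. */
    if (key_id_len != 20) {
        report_failure("Expected Key ID size %u for %s, got %zu", 20,
                       uats->keyfile, key_id_len);
        goto end;
    }

    g_hash_table_replace(key_hash, key_id, priv_key);
    key_id = NULL;   /* used in key_hash, do not free. */
    priv_key = NULL; /* owned by key_hash now; deinit at end: is a no-op. */
    ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);

    handle = ssl_find_appdata_dissector(uats->protocol);
    if (handle) {
        /* Port to subprotocol mapping */
        uint16_t port = 0;
        if (ws_strtou16(uats->port, NULL, &port)) {
            if (port > 0) {
                /* Keep the PKCS#12 password out of the debug log: only
                 * record whether one was configured. */
                ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
                                 port, uats->keyfile, uats->password[0] ? "<set>" : "");

                ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
            }
        } else if (strcmp(uats->port, "start_tls")) {
            ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
        }
    }

end:
    gnutls_x509_privkey_deinit(x509_priv_key);
    gnutls_privkey_deinit(priv_key);
    g_free(key_id);
}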
6699/* }}} */
6700#endif
6701
6702
6703/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
/**
 * Caches a (pre-)master secret in ht under `key`.
 *
 * Nothing is stored when either the key or the secret is empty. Both are
 * cloned before insertion so the table never aliases the session's own
 * buffers. `label` only names the key type in debug output.
 */
static void
ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
                    StringInfo *mk)
{
    if (key->data_len == 0) {
        ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC, label);
        return;
    }
    if (mk->data_len == 0) {
        ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
                         G_STRFUNC, label);
        return;
    }

    /* ssl_hash() depends on session_ticket->data being aligned for unsigned access
     * so be careful in changing how it is allocated. */
    StringInfo *ht_key = ssl_data_clone(key);
    StringInfo *master_secret = ssl_data_clone(mk);
    g_hash_table_insert(ht, ht_key, master_secret);

    ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC, label);
    ssl_print_string("stored key", ht_key);
    ssl_print_string("stored (pre-)master secret", master_secret);
}
6732
/**
 * Looks `key` up in ht and, on a hit, installs the cached secret on ssl:
 * as pre_master_secret (freshly allocated in file scope, since its size
 * varies) when is_pre_master is set, otherwise as master_secret. Any
 * previously known master/pre-master secret and session key state is
 * cleared first.
 *
 * Returns true when a secret was installed, false for an empty key or a
 * cache miss (ssl is left untouched in those cases).
 */
static bool
ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
                       bool is_pre_master, GHashTable *ht, StringInfo *key)
{
    const char *kind = is_pre_master ? "pre-" : "";

    if (key->data_len == 0) {
        ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
                         G_STRFUNC, kind, label);
        return false;
    }

    StringInfo *ms = (StringInfo *)g_hash_table_lookup(ht, key);
    if (ms == NULL) {
        ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC,
                         kind, label);
        return false;
    }

    /* (pre)master secret found, clear knowledge of other keys and set it in the
     * current conversation */
    ssl->state &= ~(SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET | SSL_HAVE_SESSION_KEY);
    if (is_pre_master) {
        /* unlike master secret, pre-master secret has a variable size (48 for
         * RSA, varying for PSK) and is therefore not statically allocated */
        ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
                                                                   ms->data_len);
        ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
        ssl->state |= SSL_PRE_MASTER_SECRET;
    } else {
        ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
        ssl->state |= SSL_MASTER_SECRET;
    }

    ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC, kind, label);
    ssl_print_string(label, key);
    ssl_print_string("(pre-)master secret", ms);
    return true;
}
6774/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6775
6776/* Should be called when all parameters are ready (after ChangeCipherSpec); it
6777 * then attempts to initialize the decoder. {{{*/
/*
 * Attempts to initialize the decoder once all parameters are available
 * (after ChangeCipherSpec).
 *
 * Skipped for TLS 1.3 (its secrets arrive via tls13_change_key), when a
 * session key already exists, or when no cipher suite has been seen. If
 * neither a master nor a pre-master secret is known, the caches are tried
 * by Session ID, Session Ticket (resumed sessions only) and Client Random,
 * in that order; a miss aborts unless the cipher is NULL. After keyring
 * material is generated, the master secret is cached under Client Random
 * and Session ID (and under the Session Ticket when the server issued a
 * new one) for "SSL Export Session keys".
 */
void
ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
{
    if (ssl->session.version == TLSV1DOT3_VERSION) {
        /* TLS 1.3 implementations only provide secrets derived from the master
         * secret which are loaded in tls13_change_key. No master secrets can be
         * loaded here, so just return. */
        return;
    }
    ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC, ssl->state);
    if (ssl->state & SSL_HAVE_SESSION_KEY) {
        ssl_debug_printf(" session key already available, nothing to do.\n");
        return;
    }
    if (!(ssl->state & SSL_CIPHER)) {
        ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
        return;
    }

    /* for decryption, there needs to be a master secret (which can be derived
     * from pre-master secret). If missing, try to pick a master key from cache
     * (an earlier packet in the capture or key logfile). */
    if (!(ssl->state & (SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET))) {
        /* Short-circuit order matters: each lookup is only attempted when the
         * previous one failed. */
        const bool restored =
            ssl_restore_master_key(ssl, "Session ID", false,
                                   mk_map->session, &ssl->session_id)
            || (ssl->session.is_session_resumed &&
                ssl_restore_master_key(ssl, "Session Ticket", false,
                                       mk_map->tickets, &ssl->session_ticket))
            || ssl_restore_master_key(ssl, "Client Random", false,
                                      mk_map->crandom, &ssl->client_random);
        if (!restored) {
            if (ssl->cipher_suite->enc != ENC_NULL) {
                /* how unfortunate, the master secret could not be found */
                ssl_debug_printf(" Cannot find master secret\n");
                return;
            }
            ssl_debug_printf(" Cannot find master secret, continuing anyway "
                             "because of a NULL cipher\n");
        }
    }

    if (ssl_generate_keyring_material(ssl) < 0) {
        ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC);
        return;
    }
    /* Save Client Random/ Session ID for "SSL Export Session keys" */
    ssl_save_master_key("Client Random", mk_map->crandom,
                        &ssl->client_random, &ssl->master_secret);
    ssl_save_master_key("Session ID", mk_map->session,
                        &ssl->session_id, &ssl->master_secret);
    /* Only save the new secrets if the server sent the ticket. The client
     * ticket might have become stale. */
    if (ssl->state & SSL_NEW_SESSION_TICKET) {
        ssl_save_master_key("Session Ticket", mk_map->tickets,
                            &ssl->session_ticket, &ssl->master_secret);
    }
} /* }}} */
6834
/*
 * Derives a TLS 1.3 traffic secret of the requested type from the
 * out-of-band PSK preference (tls->psk), for use when the key log holds no
 * entry for this session.
 *
 * The key schedule follows RFC 8446 Section 7.1 under the assumption that
 * no (EC)DHE was performed, so the input keying material for the Handshake
 * Secret is all zeroes. The transcript fed to the final Derive-Secret is
 * tls->handshake_data.
 *
 * Returns a file-scope StringInfo holding the secret, or NULL when no PSK
 * is configured, the hash function is unknown, or a derivation step fails.
 */
static StringInfo*
tls13_load_secret_from_psk(SslDecryptSession *tls, bool is_from_server,
                           TLSRecordType type)
{
    /* XXX - In addition to an out-of-bound PSK, we could also save the
     * PSK from a NewSessionTicket; we would also need to compute the
     * resumption_master_secret. */
    if (tls->psk.data_len == 0)
        return NULL;

    /* We SHOULD associate each PSK with a hash algorithm (e.g., use
     * a UAT instead of a single global PSK string preference, preferably
     * following RFC 9258.) Failing that, RFC 8864 4.2.1 and 9258 say SHA-256
     * SHOULD be used. We will try the negotiated hash algorithm regardless
     * with the PSK, but fall back to SHA-256 for the Early Secret, since
     * that's before the Server Hello completes negotiation.
     */
    const SslDigestAlgo *dig = ssl_cipher_suite_dig(tls->cipher_suite);
    if (type == TLS_SECRET_0RTT_APP && dig == &digests[DIG_NA - DIG_MD5]) {
        dig = &digests[DIG_SHA256 - DIG_MD5];
        ssl_debug_printf("%s assuming PSK hash function is %s\n", G_STRFUNC, dig->name);
    }

    int hash_algo = ssl_get_digest_by_name(dig->name);
    if (!hash_algo) {
        ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC, dig->name);
        return NULL;
    }

    /* We can re-use this to store the Pseudo Random Key for each epoch. */
    /* NOTE(review): prk and zeroes are stack buffers holding intermediate
     * secrets; nothing clears them explicitly before return. */
    uint8_t prk[DIGEST_MAX_SIZE];
    StringInfo prk_string = { prk, dig->len };
    uint8_t *derived_secret;

    uint8_t zeroes[DIGEST_MAX_SIZE];
    memset(zeroes, 0, dig->len);

    StringInfo *secret = NULL;
    const char *label;

    /* PRK = Early Secret */
    hkdf_extract(hash_algo, zeroes, dig->len, tls->psk.data, tls->psk.data_len, prk);

    if (type == TLS_SECRET_0RTT_APP) {
        /* Early data is client-only; the Early Secret is used directly. */
        DISSECTOR_ASSERT(!is_from_server);
        label = "c e traffic";
    } else {
        /* Derive-Secret(Early Secret, "derived", "") becomes the salt for
         * the next Extract; the temporary is freed after each use. */
        if (!tls13_derive_secret(hash_algo, &prk_string, tls13_hkdf_label_prefix(tls),
                                 "derived", NULL, 0, dig->len, &derived_secret))
            return NULL;

        /* PRK = Handshake Secret [assume no (EC)DHE.] */
        hkdf_extract(hash_algo, derived_secret, dig->len, zeroes, dig->len, prk);
        wmem_free(NULL, derived_secret);

        if (type == TLS_SECRET_HANDSHAKE) {
            label = is_from_server ? "s hs traffic" : "c hs traffic";
        } else {
            if (!tls13_derive_secret(hash_algo, &prk_string, tls13_hkdf_label_prefix(tls),
                                     "derived", NULL, 0, dig->len, &derived_secret))
                return NULL;

            /* PRK = Master Secret */
            hkdf_extract(hash_algo, derived_secret, dig->len, zeroes, dig->len, prk);
            wmem_free(NULL, derived_secret);

            label = is_from_server ? "s ap traffic" : "c ap traffic";
        }
    }

    /* XXX - If Encrypted Client Hello was accepted (do client/server pairs
     * support ECHO with psk_ke?) then we should use ech_transcript instead
     * of handshake_data. Perhaps we should consolidate some of that handling,
     * though note that we would have to keep both transcripts around after
     * the ClientHello until the ServerHello indicated whether ECHO was
     * accepted or not. */
    if (!tls13_derive_secret(hash_algo, &prk_string,
                             tls13_hkdf_label_prefix(tls), label,
                             tls->handshake_data.data, tls->handshake_data.data_len,
                             dig->len, &derived_secret))
        return NULL;

    /* Copy the result into file scope; the wmem NULL-allocator temporary is
     * released right away. */
    secret = wmem_new(wmem_file_scope(), StringInfo);
    secret->data = wmem_memdup(wmem_file_scope(), derived_secret, dig->len);
    secret->data_len = dig->len;
    wmem_free(NULL, derived_secret);
    return secret;
}
6923
/*
 * Fetches the TLS 1.3 traffic secret of the given type for one direction.
 *
 * The secret is looked up by Client Random in the key-log cache matching
 * `type`/is_from_server; if absent, it is derived from the configured PSK
 * and inserted into that cache (so it can later be exported as a DSB).
 * Before the lookup, any master/pre-master secret and session key state is
 * cleared. On a miss the direction's decoder pointer is set to NULL to
 * disable decryption, and NULL is returned. Also returns NULL when the
 * session is not (D)TLS 1.3 or no Client Random was seen.
 */
StringInfo *
tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
                  bool is_from_server, TLSRecordType type)
{
    GHashTable *key_map;
    const char *label;

    if (ssl->session.version != TLSV1DOT3_VERSION && ssl->session.version != DTLSV1DOT3_VERSION) {
        ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC, ssl->session.version);
        return NULL;
    }

    if (ssl->client_random.data_len == 0) {
        /* May happen if Hello message is missing and Finished is found. */
        ssl_debug_printf("%s missing Client Random\n", G_STRFUNC);
        return NULL;
    }

    /* Pick the key-log label and the cache that holds secrets of this kind. */
    switch (type) {
    case TLS_SECRET_0RTT_APP:
        DISSECTOR_ASSERT(!is_from_server);
        label = "CLIENT_EARLY_TRAFFIC_SECRET";
        key_map = mk_map->tls13_client_early;
        break;
    case TLS_SECRET_HANDSHAKE:
        label = is_from_server ? "SERVER_HANDSHAKE_TRAFFIC_SECRET"
                               : "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
        key_map = is_from_server ? mk_map->tls13_server_handshake
                                 : mk_map->tls13_client_handshake;
        break;
    case TLS_SECRET_APP:
        label = is_from_server ? "SERVER_TRAFFIC_SECRET_0"
                               : "CLIENT_TRAFFIC_SECRET_0";
        key_map = is_from_server ? mk_map->tls13_server_appdata
                                 : mk_map->tls13_client_appdata;
        break;
    default:
        ws_assert_not_reached();
    }

    /* Transitioning to new keys, mark old ones as unusable. */
    ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC, ssl->state);
    ssl->state &= ~(SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET | SSL_HAVE_SESSION_KEY);

    StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
    if (secret == NULL) {
        secret = tls13_load_secret_from_psk(ssl, is_from_server, type);
        if (secret != NULL) {
            ssl_debug_printf("%s Calculated TLS 1.3 traffic secret from PSK.\n", G_STRFUNC);
            /* Doing this allows us to save the secret as a DSB in a pcapng. */
            g_hash_table_insert(key_map, ssl_data_clone(&ssl->client_random), secret);
        }
    }
    if (secret == NULL) {
        ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC, label);
        /* Disable decryption, the keys are invalid. */
        SslDecoder **decoder_slot = is_from_server ? &ssl->server : &ssl->client;
        *decoder_slot = NULL;
        return NULL;
    }

    /* TLS 1.3 secret found, set new keys. */
    ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC);
    ssl_print_string("Client Random", &ssl->client_random);
    ssl_print_string(label, secret);
    return secret;
}
7001
/*
 * Installs the TLS 1.3 traffic keys of the given type for one direction.
 *
 * Does nothing for QUIC (its keys are extracted by the QUIC dissector).
 * The secret comes from tls13_load_secret(); when the handshake secret is
 * missing but the application secret exists, it switches straight to the
 * application keys (see #20240). After key generation the application
 * traffic secret is kept on the decoder for Key Update; for any other
 * secret type the stored copy is released instead.
 */
void
tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
                 bool is_from_server, TLSRecordType type)
{
    if (ssl->state & SSL_QUIC_RECORD_LAYER) {
        /*
         * QUIC does not use the TLS record layer for message protection.
         * The required keys will be extracted later by QUIC.
         */
        return;
    }

    StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
    if (secret == NULL && type == TLS_SECRET_HANDSHAKE) {
        /*
         * Workaround for when for some reason we don't have the handshake
         * secret but do have the application traffic secret. (#20240)
         * If we can't find the handshake secret, we'll never decrypt the
         * Finished message, so we won't know when to change to the app
         * traffic key, so we do so now.
         */
        type = TLS_SECRET_APP;
        secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
    }
    if (secret == NULL) {
        return;
    }

    if (!tls13_generate_keys(ssl, secret, is_from_server)) {
        return;
    }

    /*
     * Remember the application traffic secret to support Key Update. The
     * other secrets cannot be used for this purpose, so free them.
     */
    SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
    StringInfo *app_secret = &decoder->app_traffic_secret;
    if (type != TLS_SECRET_APP) {
        wmem_free(wmem_file_scope(), app_secret->data);
        app_secret->data = NULL;
        app_secret->data_len = 0;
        return;
    }
    app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
                                                      app_secret->data,
                                                      secret->data_len);
    ssl_data_set(app_secret, secret->data, secret->data_len);
}
7053
/**
 * Advances one direction's TLS 1.3 application traffic secret to the next
 * generation (RFC 8446 Section 7.2) and regenerates its keys. The previous
 * secret must have been stored on the decoder by tls13_change_key; without
 * it, or without a cipher suite, nothing happens.
 */
void
tls13_key_update(SslDecryptSession *ssl, bool is_from_server)
{
    /* RFC 8446 Section 7.2:
     * application_traffic_secret_N+1 =
     *     HKDF-Expand-Label(application_traffic_secret_N,
     *                       "traffic upd", "", Hash.length)
     *
     * Both application_traffic_secret_N are of the same length (Hash.length).
     */
    const SslCipherSuite *cipher_suite = ssl->cipher_suite;
    SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
    StringInfo *app_secret = decoder != NULL ? &decoder->app_traffic_secret : NULL;
    const uint8_t tls13_draft_version = ssl->session.tls13_draft_version;

    if (cipher_suite == NULL || app_secret == NULL || app_secret->data_len == 0) {
        ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC);
        return;
    }

    /*
     * Previous traffic secret is available, so find the hash function,
     * expand the new traffic secret and generate new keys.
     */
    const int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(cipher_suite)->name);
    const unsigned hash_len = app_secret->data_len;
    /* Drafts before 20 used a different label for the update step. */
    const bool old_draft = tls13_draft_version != 0 && tls13_draft_version < 20;
    const char *label = old_draft ? "application traffic secret" : "traffic upd";
    unsigned char *new_secret;

    if (!tls13_hkdf_expand_label(hash_algo, app_secret,
                                 tls13_hkdf_label_prefix(ssl),
                                 label, hash_len, &new_secret)) {
        ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC);
        return;
    }
    ssl_data_set(app_secret, new_secret, hash_len);
    if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
        /*
         * Remember the application traffic secret on the new decoder to
         * support another Key Update.
         */
        decoder = is_from_server ? ssl->server : ssl->client;
        app_secret = &decoder->app_traffic_secret;
        app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
                                                          app_secret->data,
                                                          hash_len);
        ssl_data_set(app_secret, new_secret, hash_len);
    }
    wmem_free(NULL, new_secret);
}
7111
/*
 * Records this session's Client Random in mk_map->used_crandom, provided
 * ssl exists and a Client Random has been seen; the value is cloned before
 * being added to the set.
 */
void
tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
{
    if (ssl == NULL || !(ssl->state & SSL_CLIENT_RANDOM)) {
        return;
    }
    g_hash_table_add(mk_map->used_crandom, ssl_data_clone(&ssl->client_random));
}
7119
7120/** SSL keylog file handling. {{{ */
7121
/*
 * Returns the compiled regular expression that recognises one line of a
 * TLS key log file, building it on first use.
 *
 * The anchored pattern covers three record families: RSA pre-master
 * secrets (keyed by the encrypted PMS prefix or by Client Random), master
 * secrets (keyed by Session ID or Client Random), and the TLS 1.3 / ECH
 * per-Client-Random derived secrets. Named capture groups identify the
 * record kind; tls_keylog_process_lines() maps those group names to the
 * key caches.
 *
 * The compiled regex is cached in a function-static. If compilation fails
 * the error is logged, NULL is returned, and the next call tries again.
 */
static GRegex *
ssl_compile_keyfile_regex(void)
{
#define OCTET "(?:[[:xdigit:]]{2})"
    const char *pattern =
        "(?:"
        /* Matches Client Hellos having this Client Random */
        "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
        /* Matches first part of encrypted RSA pre-master secret */
        "|RSA (?<encrypted_pmk>" OCTET "{8}) "
        /* Pre-Master-Secret is given, it is 48 bytes for RSA,
           but it can be of any length for DHE */
        ")(?<pms>" OCTET "+)"
        "|(?:"
        /* Matches Server Hellos having a Session ID */
        "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
        /* Matches Client Hellos having this Client Random */
        "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
        /* Master-Secret is given, its length is fixed */
        ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH) "})"
        "|(?"
        /* TLS 1.3 Client Random to Derived Secrets mapping. */
        ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
        "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
        "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
        "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
        "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
        "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
        "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
        /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
        /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
        "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
        "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
        ") (?<derived_secret>" OCTET "+)";
#undef OCTET
    /* Compiled once and reused for the lifetime of the process. */
    static GRegex *regex = NULL;
    GError *gerr = NULL;

    if (!regex) {
        regex = g_regex_new(pattern,
                            (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
                            G_REGEX_MATCH_ANCHORED, &gerr);
        if (gerr) {
            ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC,
                             gerr->message);
            g_error_free(gerr);
            /* Leave regex NULL so a later call retries compilation. */
            regex = NULL;
        }
    }

    return regex;
}
7174
/* Pairs a named capture group of the key log regex with the map that a
 * line matching that group is stored into. */
typedef struct ssl_master_key_match_group {
    const char *re_group_name;  /* group name as used in ssl_compile_keyfile_regex() */
    GHashTable *master_key_ht;  /* destination map (key -> secret) for this group */
} ssl_master_key_match_group_t;
7179
/* Capture groups that can carry the secret of a key log line, in the order
 * they are tried; the first non-empty one wins. */
static const char *const tls_keylog_secret_groups[] = {
    "master_secret", "pms", "derived_secret",
};

/*
 * Returns the value of the first group in 'names' that matched with a
 * non-empty string, or NULL if none did. The caller owns the result and
 * must g_free() it.
 */
static char *
tls_keylog_fetch_first_nonempty(GMatchInfo *mi, const char *const *names, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        char *value = g_match_info_fetch_named(mi, names[i]);
        if (value && *value)
            return value;
        g_free(value);
    }
    return NULL;
}

/*
 * Stores one matched key log line: decodes the secret and the lookup key
 * from hex into file-scoped StringInfo objects and inserts them into the
 * map belonging to the key group that matched.
 */
static void
tls_keylog_store_match(GMatchInfo *mi, const ssl_master_key_match_group_t *groups, size_t n_groups)
{
    StringInfo *key = wmem_new(wmem_file_scope(), StringInfo);
    GHashTable *ht = NULL;

    /* Is the PMS being supplied with the PMS_CLIENT_RANDOM, otherwise we
     * will use the Master Secret (or a TLS 1.3 derived secret). */
    char *hex_secret = tls_keylog_fetch_first_nonempty(mi, tls_keylog_secret_groups,
                                                       G_N_ELEMENTS(tls_keylog_secret_groups));
    /* There is always a match, otherwise the regex is wrong. */
    DISSECTOR_ASSERT(hex_secret && strlen(hex_secret));

    /* convert from hex to bytes and save to hashtable */
    StringInfo *secret = wmem_new(wmem_file_scope(), StringInfo);
    from_hex(secret, hex_secret, strlen(hex_secret));
    g_free(hex_secret);

    /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
    for (size_t i = 0; i < n_groups && ht == NULL; i++) {
        char *hex_key = g_match_info_fetch_named(mi, groups[i].re_group_name);
        if (hex_key && *hex_key) {
            ssl_debug_printf(" matched %s\n", groups[i].re_group_name);
            ht = groups[i].master_key_ht;
            from_hex(key, hex_key, strlen(hex_key));
        }
        g_free(hex_key);
    }
    DISSECTOR_ASSERT(ht); /* Cannot be reached, or regex is wrong. */

    g_hash_table_insert(ht, key, secret);
}

void
tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
{
    /*
     * Parses 'datalen' bytes of key log text (one or more LF or CRLF
     * terminated records; the last record may be unterminated) and stores
     * each recognised secret in the matching map of mk_map. Lines that do
     * not match are ignored; lines starting with '#' are ignored without a
     * debug message. Nothing is stored if the regex cannot be compiled.
     *
     * The format of the file is a series of records with one of the following formats:
     *   - "RSA xxxx yyyy"
     *     Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
     *     Where yyyy is the cleartext pre-master secret (hex-encoded)
     *     (this is the original format introduced with bug 4349)
     *
     *   - "RSA Session-ID:xxxx Master-Key:yyyy"
     *     Where xxxx is the SSL session ID (hex-encoded)
     *     Where yyyy is the cleartext master secret (hex-encoded)
     *     (added to support openssl s_client Master-Key output)
     *     This is somewhat of a misnomer because there's nothing RSA specific
     *     about this.
     *
     *   - "PMS_CLIENT_RANDOM xxxx yyyy"
     *     Where xxxx is the client_random from the ClientHello (hex-encoded)
     *     Where yyyy is the cleartext pre-master secret (hex-encoded)
     *     (This format allows SSL connections to be decrypted, if a user can
     *     capture the PMS but could not recover the MS for a specific session
     *     with a SSL Server.)
     *
     *   - "CLIENT_RANDOM xxxx yyyy"
     *     Where xxxx is the client_random from the ClientHello (hex-encoded)
     *     Where yyyy is the cleartext master secret (hex-encoded)
     *     (This format allows non-RSA SSL connections to be decrypted, i.e.
     *     ECDHE-RSA.)
     *
     *   - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
     *   - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
     *   - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
     *   - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
     *   - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
     *   - "EARLY_EXPORTER_SECRET xxxx yyyy"
     *   - "EXPORTER_SECRET xxxx yyyy"
     *     Where xxxx is the client_random from the ClientHello (hex-encoded)
     *     Where yyyy is the secret (hex-encoded) derived from the early,
     *     handshake or master secrets. (This format is introduced with TLS 1.3
     *     and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
     *
     *   - "ECH_SECRET xxxx yyyy" / "ECH_CONFIG xxxx yyyy"
     *     ECH entries, stored in the ech_secret / ech_config maps.
     */
    const ssl_master_key_match_group_t mk_groups[] = {
        { "encrypted_pmk",     mk_map->pre_master },
        { "session_id",        mk_map->session },
        { "client_random",     mk_map->crandom },
        { "client_random_pms", mk_map->pms },
        /* TLS 1.3 map from Client Random to derived secret. */
        { "client_early",      mk_map->tls13_client_early },
        { "client_handshake",  mk_map->tls13_client_handshake },
        { "server_handshake",  mk_map->tls13_server_handshake },
        { "client_appdata",    mk_map->tls13_client_appdata },
        { "server_appdata",    mk_map->tls13_server_appdata },
        { "early_exporter",    mk_map->tls13_early_exporter },
        { "exporter",          mk_map->tls13_exporter },
        { "ech_secret",        mk_map->ech_secret },
        { "ech_config",        mk_map->ech_config },
    };

    GRegex *regex = ssl_compile_keyfile_regex();
    if (!regex)
        return;

    const char *cursor = (const char *)data;
    const char *const end = cursor + datalen;
    while (cursor && cursor < end) {
        const char *line = cursor;
        const char *lf = memchr(line, '\n', end - line);
        size_t linelen;

        if (lf) {
            linelen = (size_t)(lf - line);
            cursor = lf + 1; /* drop LF */
        } else {
            linelen = (size_t)(end - line);
            cursor = NULL;   /* unterminated final record, stop after it */
        }
        if (linelen > 0 && line[linelen - 1] == '\r') {
            linelen--; /* drop CR */
        }

        ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
        GMatchInfo *mi;
        if (g_regex_match_full(regex, line, (gssize)linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL)) {
            tls_keylog_store_match(mi, mk_groups, G_N_ELEMENTS(mk_groups));
        } else if (linelen > 0 && line[0] != '#') {
            ssl_debug_printf(" unrecognized line\n");
        }
        /* always free match info even if there is no match. */
        g_match_info_free(mi);
    }
}
7311
void
ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
                 const ssl_master_key_map_t *mk_map)
{
    /*
     * Reads every line currently available from the configured key log file
     * into mk_map via tls_keylog_process_lines(). *keylog_file is kept open
     * across calls so later appended lines are picked up; it is re-opened
     * when file_needs_reopen() says the file was replaced, and closed (set to
     * NULL) on a read error. Does nothing when no filename is configured or
     * the key log regex does not compile.
     *
     * NOTE(review): a line longer than sizeof(buf)-1 bytes is split across
     * fgets() calls and its tail is processed as a separate line.
     */
    /* no need to try if no key log file is configured. */
    if (!tls_keylog_filename || !*tls_keylog_filename) {
        ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n", G_STRFUNC);
        return;
    }

    /* Validate regexes before even trying to use it. */
    if (!ssl_compile_keyfile_regex())
        return;

    ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);

    FILE *fp = *keylog_file;

    /* if the keylog file was deleted/overwritten, re-open it */
    if (fp && file_needs_reopen(ws_fileno(fp), tls_keylog_filename)) {
        ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC);
        fclose(fp);
        fp = NULL;
        *keylog_file = NULL;
    }

    if (!fp) {
        fp = ws_fopen(tls_keylog_filename, "r");
        *keylog_file = fp;
        if (!fp) {
            ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC);
            return;
        }
    }

    char buf[1110];
    while (fgets(buf, sizeof(buf), fp) != NULL) {
        tls_keylog_process_lines(mk_map, (const uint8_t *)buf, (unsigned)strlen(buf));
    }

    if (feof(fp)) {
        /* Ensure that newly appended keys can be read in the future. */
        clearerr(fp);
    } else if (ferror(fp)) {
        ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC);
        fclose(fp);
        *keylog_file = NULL;
    }
}
7362/** SSL keylog file handling. }}} */
7363
7364#ifdef SSL_DECRYPT_DEBUG /* {{{ */
7365
/* Destination of the SSL debug log; NULL disables all ssl_debug_* output.
 * Set by ssl_set_debug(). */
static FILE *ssl_debug_file;
7367
void
ssl_set_debug(const char* name)
{
    /*
     * Selects the SSL debug log destination: SSL_DEBUG_USE_STDERR for
     * stderr, NULL or "" to disable logging, any other value is opened as a
     * file for writing (logging stays disabled if that fails). A log file
     * opened by a previous call is closed first. On success a version banner
     * is written.
     */
    /* set when ssl_debug_file was opened here and must be closed before
     * switching destinations */
    static int debug_file_must_be_closed;
    const bool use_stderr = name && strcmp(name, SSL_DEBUG_USE_STDERR) == 0;

    if (debug_file_must_be_closed)
        fclose(ssl_debug_file);

    if (use_stderr) {
        ssl_debug_file = stderr;
    } else if (!name || *name == '\0') {
        ssl_debug_file = NULL;
    } else {
        ssl_debug_file = ws_fopen(name, "w");
    }

    debug_file_must_be_closed = (!use_stderr && ssl_debug_file) ? 1 : 0;

    ssl_debug_printf("Wireshark SSL debug log \n\n");
#ifdef HAVE_LIBGNUTLS
    ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL));
#endif
    ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL));
    ssl_debug_printf("\n");
}
7398
void
ssl_debug_flush(void)
{
    /* Pushes buffered debug output to the log destination, if one is open. */
    if (!ssl_debug_file)
        return;
    fflush(ssl_debug_file);
}
7405
void
ssl_debug_printf(const char* fmt, ...)
{
    /* printf-style write to the SSL debug log; a no-op while no log
     * destination has been configured with ssl_set_debug(). */
    if (ssl_debug_file) {
        va_list args;
        va_start(args, fmt);
        vfprintf(ssl_debug_file, fmt, args);
        va_end(args);
    }
}
7418
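void
ssl_print_data(const char* name, const unsigned char* data, size_t len)
{
    /*
     * Writes a hex + ASCII dump of 'len' bytes of 'data' to the debug log,
     * 16 bytes per row, under a "name[len]:" heading. No-op while the log
     * is not open.
     *
     * The heading prints the size_t length with %zu instead of narrowing it
     * through an int cast (which mis-reported lengths above INT_MAX).
     */
    if (!ssl_debug_file)
        return;
    fprintf(ssl_debug_file, "%s[%zu]:\n", name, len);
    for (size_t row = 0; row < len; row += 16) {
        size_t col;
        fprintf(ssl_debug_file, "| ");
        /* hex column, padded out to 16 entries */
        for (col = 0; col < 16 && row + col < len; ++col)
            fprintf(ssl_debug_file, "%.2x ", data[row + col]);
        for (; col < 16; ++col)
            fprintf(ssl_debug_file, " ");
        fputc('|', ssl_debug_file);
        /* ASCII column: non-printable bytes and tabs are shown as '.' */
        for (col = 0; col < 16 && row + col < len; ++col) {
            unsigned char c = data[row + col];
            if (!g_ascii_isprint(c) || (c == '\t'))
                c = '.';
            fputc(c, ssl_debug_file);
        }
        for (; col < 16; ++col)
            fputc(' ', ssl_debug_file);
        fprintf(ssl_debug_file, "|\n");
    }
}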
7443
void
ssl_print_string(const char* name, const StringInfo* data)
{
    /* Dumps the bytes held by a StringInfo via ssl_print_data(). */
    const StringInfo *si = data;
    ssl_print_data(name, si->data, si->data_len);
}
7449#endif /* SSL_DECRYPT_DEBUG }}} */
7450
7451/* UAT preferences callbacks. {{{ */
7452/* checks for SSL and DTLS UAT key list fields */
7453
bool
ssldecrypt_uat_fld_ip_chk_cb(void* r, const char* p, unsigned len, const void* u1, const void* u2, char** err)
{
    /* UAT field check for the IP column: every value is accepted and *err is
     * cleared. */
    // This should be removed in favor of Decode As. Make it optional.
    (void)r;
    (void)p;
    (void)len;
    (void)u1;
    (void)u2;
    *err = NULL;
    return true;
}
7461
bool
ssldecrypt_uat_fld_port_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, char** err)
{
    /* UAT field check for the port column. Accepts an empty value, the
     * literal "start_tls", or anything ws_strtou16() parses as a port; on
     * rejection *err gets a g_strdup()'d message (owned by the caller). */
    *err = NULL;

    if (!p || *p == '\0') {
        // This should be removed in favor of Decode As. Make it optional.
        return true;
    }
    if (strcmp(p, "start_tls") == 0) {
        return true;
    }

    uint16_t port;
    if (!ws_strtou16(p, NULL, &port)) {
        *err = g_strdup("Invalid port given.");
        return false;
    }
    return true;
}
7482
bool
ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, char** err)
{
    /* UAT field check for the key file column: the name must be non-empty
     * and ws_stat64() must succeed on it. On rejection *err gets an
     * allocated message owned by the caller. */
    if (!p || *p == '\0') {
        *err = g_strdup("No filename given.");
        return false;
    }

    ws_statb64 st;
    if (ws_stat64(p, &st) != 0) {
        *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p);
        return false;
    }

    *err = NULL;
    return true;
}
7501
bool
ssldecrypt_uat_fld_password_chk_cb(void *r _U_, const char *p _U_, unsigned len _U_, const void *u1 _U_, const void *u2 _U_, char **err)
{
    /*
     * UAT field check for the PKCS#12 password column. With GnuTLS support,
     * a non-empty password is verified by actually opening the record's
     * keyfile and loading it with rsa_load_pkcs12(); the loaded key is
     * discarded again. An empty password is always accepted. Without GnuTLS
     * the field is always rejected. On rejection *err gets an allocated
     * message owned by the caller.
     */
#if defined(HAVE_LIBGNUTLS)
    ssldecrypt_assoc_t *assoc = (ssldecrypt_assoc_t *)r;

    if (!p || *p == '\0') {
        *err = NULL;
        return true;
    }

    FILE *fp = ws_fopen(assoc->keyfile, "rb");
    if (!fp) {
        *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.");
        return false;
    }

    char *msg = NULL;
    gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
    fclose(fp);
    if (!priv_key) {
        *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg);
        g_free(msg);
        return false;
    }
    g_free(msg);
    gnutls_x509_privkey_deinit(priv_key);

    *err = NULL;
    return true;
#else
    *err = g_strdup("Cannot load key files, support is not compiled in.");
    return false;
#endif
}
7536/* UAT preferences callbacks. }}} */
7537
/** maximum size of ssl_association_info() string */
#define SSL_ASSOC_MAX_LEN 8192

/* Accumulator handed to dissector_table_foreach_handle() by
 * ssl_association_info(); each visited handle appends one line to str. */
typedef struct ssl_association_info_callback_data
{
    char *str;                  /* g_malloc0()'d, SSL_ASSOC_MAX_LEN bytes */
    const char *table_protocol;
} ssl_association_info_callback_data_t;
7546
/**
 * callback function used by ssl_association_info() to traverse the SSL associations.
 * Appends "'<dissector name>' (<description>)\n" to data->str; the write is
 * bounded to the space left in the SSL_ASSOC_MAX_LEN buffer and truncated
 * silently.
 */
static void
ssl_association_info_(const char *table _U_, void *handle, void *user_data)
{
    ssl_association_info_callback_data_t *data = (ssl_association_info_callback_data_t *)user_data;
    dissector_handle_t dh = (dissector_handle_t)handle;
    const size_t used = strlen(data->str);

    snprintf(data->str + used, SSL_ASSOC_MAX_LEN - used, "'%s' (%s)\n",
             dissector_handle_get_dissector_name(dh),
             dissector_handle_get_description(dh));
}
7557
/**
 * @return an information string on the SSL protocol associations, one line
 * per handle in the named dissector table. The string must be freed
 * (g_free) by the caller; it is at most SSL_ASSOC_MAX_LEN bytes.
 */
char*
ssl_association_info(const char* dissector_table_name, const char* table_protocol)
{
    ssl_association_info_callback_data_t data = {
        .str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN),
        .table_protocol = table_protocol,
    };

    dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
    return data.str;
}
7571
7572
7573/** Begin of code related to dissection of wire data. */
7574
7575/* Helpers for dissecting Variable-Length Vectors. {{{ */
/* Number of bytes (1..4) used to encode the length prefix of a vector whose
 * maximum length is max_value. */
static unsigned
ssl_vector_length_size(uint32_t max_value)
{
    if (max_value > 0xffffff)
        return 4;
    if (max_value > 0xffff)
        return 3;
    if (max_value > 0xff)
        return 2;
    return 1;
}

bool
ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
               unsigned offset, unsigned offset_end, uint32_t *ret_length,
               int hf_length, uint32_t min_value, uint32_t max_value)
{
    /*
     * Reads the length prefix of a variable-length vector at 'offset' and
     * adds it to the tree as hf_length.
     *
     * *ret_length receives the usable length: the decoded value when the
     * whole vector fits before offset_end, the number of remaining bytes
     * when it does not (truncated), or 0 when the length field itself cannot
     * be read. A length outside [min_value, max_value] only gets an expert
     * info and is otherwise used as-is. Returns true only when the full
     * vector is available; the caller still has to step over the length
     * field itself.
     */
    DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value);

    if (offset > offset_end) {
        expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
                               "Vector offset is past buffer end offset (%u > %u)",
                               offset, offset_end);
        *ret_length = 0;
        return false; /* Cannot read length. */
    }

    const unsigned veclen_size = ssl_vector_length_size(max_value);
    if (offset_end - offset < veclen_size) {
        proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
                                     tvb, offset, offset_end - offset,
                                     "No more room for vector of length %u",
                                     veclen_size);
        *ret_length = 0;
        return false; /* Cannot read length. */
    }

    uint32_t veclen_value;
    proto_item *len_item = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size,
                                                        ENC_BIG_ENDIAN, &veclen_value);
    offset += veclen_size;

    if (veclen_value < min_value) {
        expert_add_info_format(pinfo, len_item, &hf->ei.malformed_vector_length,
                               "Vector length %u is smaller than minimum %u",
                               veclen_value, min_value);
    } else if (veclen_value > max_value) {
        expert_add_info_format(pinfo, len_item, &hf->ei.malformed_vector_length,
                               "Vector length %u is larger than maximum %u",
                               veclen_value, max_value);
    }

    const unsigned available = offset_end - offset;
    if (available < veclen_value) {
        expert_add_info_format(pinfo, len_item, &hf->ei.malformed_buffer_too_small,
                               "Vector length %u is too large, truncating it to %u",
                               veclen_value, available);
        *ret_length = available;
        return false; /* Length is truncated to avoid overflow. */
    }

    *ret_length = veclen_value;
    return true; /* Length is OK. */
}
7637
bool
ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
               unsigned offset, unsigned offset_end)
{
    /*
     * Checks that dissection of a vector stopped exactly at offset_end.
     * Returns true if so; otherwise adds an expert item covering the
     * unprocessed tail (offset < offset_end) or the overrun (offset >
     * offset_end, likely a dissector bug) and returns false.
     */
    if (offset == offset_end)
        return true; /* OK, offset matches. */

    if (offset > offset_end) {
        /*
         * Returned offset runs past the end. This should not happen and is
         * possibly a dissector bug.
         */
        const unsigned excess = offset - offset_end;
        proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
                                     tvb, offset_end, excess,
                                     "Dissector processed too much data (%u byte%s)",
                                     excess, plurality(excess, "", "s"));
        return false; /* overflow error */
    }

    const unsigned trailing = offset_end - offset;
    proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
                                 tvb, offset, trailing,
                                 "%u trailing byte%s unprocessed",
                                 trailing, plurality(trailing, " was", "s were"));
    return false; /* unprocessed data warning */
}
7664/** }}} */
7665
7666
/* Forward declaration; the definition follows later in this file. */
static uint32_t
ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                             proto_tree *tree, uint32_t offset, uint32_t offset_end,
                             uint16_t version, int hf_sig_len, int hf_sig);
7671
/* change_cipher_spec(20) dissection */

/* Names the identifier a resumed session was recognised by, or NULL when
 * neither a session ticket nor a session ID is known. */
static const char *
ssl_resumption_method(const SslDecryptSession *ssl)
{
    if (ssl->session_ticket.data_len)
        return "Session Ticket";
    if (ssl->session_id.data_len)
        return "Session ID";
    return NULL;
}

void
ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               packet_info *pinfo, proto_tree *tree,
                               uint32_t offset, SslSession *session,
                               bool is_from_server,
                               const SslDecryptSession *ssl)
{
    /*
     * struct {
     *     enum { change_cipher_spec(1), (255) } type;
     * } ChangeCipherSpec;
     *
     * Labels the record, adds the one-byte type field, records the frame
     * number of the first CCS in each direction and, for the server side,
     * reports (expert info and debug log) whether the session is resumed.
     * 'ssl' may be NULL; it is only consulted for the debug log.
     */
    proto_item_set_text(tree,
                        "%s Record Layer: %s Protocol: Change Cipher Spec",
                        val_to_str_const(session->version, ssl_version_short_names, "SSL"),
                        val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
    proto_item *ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA);

    /* CCS is a dummy message in TLS 1.3, do not parse it further. */
    if (session->version == TLSV1DOT3_VERSION)
        return;

    /* Remember frame number of first CCS */
    uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
    if (*ccs_frame == 0)
        *ccs_frame = pinfo->num;

    if (!is_from_server)
        return;

    /* Use heuristics to detect an abbreviated handshake, assume that missing
     * ServerHelloDone implies reusing previously negotiating keys. Then when
     * a Session ID or ticket is present, it must be a resumed session.
     * Normally this should be done at the Finished message, but that may be
     * encrypted so we do it here, at the last cleartext message. */
    if (ssl) {
        if (!session->is_session_resumed) {
            ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC);
        } else {
            const char *resumed = ssl_resumption_method(ssl);
            if (resumed) {
                ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC, resumed);
            } else {
                /* Can happen if the capture somehow starts in the middle */
                ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC);
            }
        }
    }
    if (session->is_session_resumed)
        expert_add_info(pinfo, ti, &hf->ei.resumed);
}
7728
7729/** Begin of handshake(22) record dissections */
7730
/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
 * {{{ */
static void
tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
{
    /*
     * Adds the two bytes at 'offset' as a signature scheme item with a
     * subtree showing the TLS 1.2 hash/signature split. If the value is not
     * a known TLS 1.3 SignatureScheme, the item text is replaced by the
     * "<hash> <signature> (0x....)" form. When ja4_data is non-NULL the raw
     * value is appended to its sighash_list.
     */
    uint32_t scheme, hash_id, sig_id;

    proto_item *scheme_item = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
                                                           offset, 2, ENC_BIG_ENDIAN, &scheme);
    if (ja4_data) {
        wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(scheme));
    }

    proto_tree *scheme_tree = proto_item_add_subtree(scheme_item, hf->ett.hs_sig_hash_alg);

    /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
    proto_tree_add_item_ret_uint(scheme_tree, hf->hf.hs_sig_hash_hash, tvb,
                                 offset, 1, ENC_BIG_ENDIAN, &hash_id);
    proto_tree_add_item_ret_uint(scheme_tree, hf->hf.hs_sig_hash_sig, tvb,
                                 offset + 1, 1, ENC_BIG_ENDIAN, &sig_id);

    /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
    if (try_val_to_str(scheme, tls13_signature_algorithm) == NULL) {
        proto_item_set_text(scheme_item, "Signature Algorithm: %s %s (0x%04x)",
                            val_to_str_const(hash_id, tls_hash_algorithm, "Unknown"),
                            val_to_str_const(sig_id, tls_signature_algorithm, "Unknown"),
                            scheme);
    }
} /* }}} */
7762
/* dissect a list of hash algorithms, return the number of bytes dissected
   this is used for the signature algorithms extension and for the
   TLS1.2 certificate request. {{{ */
static int
ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                          packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
{
    /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
     * struct {
     *     HashAlgorithm hash;
     *     SignatureAlgorithm signature;
     * } SignatureAndHashAlgorithm;
     * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
     *
     * Returns the offset after the list; offset_end if the length prefix
     * could not be read, and the list's declared end if it was malformed.
     */
    unsigned sh_alg_length;

    /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
                        hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX - 1)) {
        return offset_end;
    }
    offset += 2;
    const uint32_t next_offset = offset + sh_alg_length;
    const unsigned n_algs = sh_alg_length / 2;

    proto_item *ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
                                                "Signature Hash Algorithms (%u algorithm%s)",
                                                n_algs, plurality(n_algs, "", "s"));
    proto_tree *subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);

    /* Two bytes per entry. */
    for (; offset + 2 <= next_offset; offset += 2) {
        tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
    }

    /* A stray trailing byte is reported by ssl_end_vector() and skipped. */
    if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
        offset = next_offset;
    }

    return offset;
} /* }}} */
7806
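/* Dissection of DistinguishedName (for CertificateRequest and
 * certificate_authorities extension). {{{ */
static uint32_t
tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                    proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /*
     * DistinguishedName certificate_authorities<0..2^16-1>;
     * with each entry an opaque DistinguishedName<1..2^16-1> holding a BER
     * encoded X.509 Name.
     *
     * Returns the offset just past the list. Returns offset_end if the outer
     * length cannot be read, and the list's declared end if an inner length
     * is malformed or more than dnames_count names are present (the rest is
     * then shown as a single "truncated" item).
     *
     * Fix: dnames_length is uint32_t, so it is printed with %u; the previous
     * %d conversion did not match the argument type.
     */
    uint32_t dnames_length, next_offset;
    int dnames_count = 100; /* the maximum number of DNs to add to the tree */

    /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
    /* DistinguishedName certificate_authorities<0..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
                        hf->hf.hs_dnames_len, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + dnames_length;

    if (dnames_length == 0) {
        return offset;
    }

    proto_item *ti = proto_tree_add_none_format(tree,
                                                hf->hf.hs_dnames,
                                                tvb, offset, dnames_length,
                                                "Distinguished Names (%u byte%s)",
                                                dnames_length,
                                                plurality(dnames_length, "", "s"));
    proto_tree *subtree = proto_item_add_subtree(ti, hf->ett.dnames);

    asn1_ctx_t asn1_ctx;
    asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);

    while (offset < next_offset) {
        /* get the length of the current certificate */
        uint32_t name_length;

        if (dnames_count-- == 0) {
            /* stop adding to tree when the list is considered too large
             * https://gitlab.com/wireshark/wireshark/-/issues/16202
             * Note: dnames_count must be set low enough not to hit the
             * limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
             */
            ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
                                     tvb, offset, next_offset - offset, ENC_NA);
            proto_item_set_generated(ti);
            return next_offset;
        }

        /* opaque DistinguishedName<1..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
                            hf->hf.hs_dname_len, 1, UINT16_MAX)) {
            return next_offset;
        }
        offset += 2;

        dissect_x509if_DistinguishedName(false, tvb, offset, &asn1_ctx,
                                         subtree, hf->hf.hs_dname);
        offset += name_length;
    }
    return offset;
} /* }}} */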
7869
7870
7871/** TLS Extensions (in Client Hello and Server Hello). {{{ */
/* signature_algorithms extension: the body is exactly a
 * supported_signature_algorithms list, so delegate to the shared parser. */
static int
ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                        proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
{
    const int end = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
    return end;
}
7878
static int
ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                          proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
{
    /*
     * delegated_credential extension.
     *
     * In ClientHello and CertificateRequest the body is
     *     struct {
     *         SignatureScheme supported_signature_algorithm<2..2^16-2>;
     *     } SignatureSchemeList;
     * For any other handshake type it is
     *     struct {
     *         uint32 valid_time;
     *         SignatureScheme expected_cert_verify_algorithm;
     *         opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
     *     } Credential;
     *
     *     struct {
     *         Credential cred;
     *         SignatureScheme algorithm;
     *         opaque signature<0..2^16-1>;
     *     } DelegatedCredential;
     *
     * Returns the offset past the dissected data, or offset_end when a
     * vector length could not be read.
     */
    if (hnd_type == SSL_HND_CLIENT_HELLO || hnd_type == SSL_HND_CERT_REQUEST) {
        return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL);
    }

    asn1_ctx_t asn1_ctx;
    asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);

    /* Credential.valid_time */
    proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN);
    offset += 4;

    /* Credential.expected_cert_verify_algorithm */
    tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL);
    offset += 2;

    /* Credential.ASN1_subjectPublicKeyInfo<1..2^24-1> */
    unsigned pubkey_length;
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
                        hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24)) {
        return offset_end;
    }
    offset += 3;
    dissect_x509af_SubjectPublicKeyInfo(false, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
    offset += pubkey_length;

    /* DelegatedCredential.algorithm */
    tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL);
    offset += 2;

    /* DelegatedCredential.signature<0..2^16-1>
     * NOTE(review): the vector is checked with a minimum of 1 although the
     * definition above allows an empty signature; confirm which is intended. */
    unsigned sign_length;
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
                        hf->hf.hs_cred_signature_len, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    proto_tree_add_item(tree, hf->hf.hs_cred_signature,
                        tvb, offset, sign_length, ENC_ASCII|ENC_NA);
    offset += sign_length;

    return offset;
}
7941
static int
ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               packet_info *pinfo, proto_tree *tree,
                               uint32_t offset, uint32_t offset_end,
                               uint8_t hnd_type)
{
    /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4
     *
     * In ClientHello the extension lists the supported protocols:
     *     opaque ProtocolName<1..2^8-1>;
     *     struct {
     *         ProtocolName supported_protocols<2..2^16-1>
     *     } ApplicationSettingsSupport;
     * In EncryptedExtensions it carries an opaque settings blob; any other
     * handshake type is left undissected.
     *
     * Returns the offset after the protocol list for ClientHello (offset_end
     * if the list length cannot be read, the list's end if an entry is
     * malformed) and offset_end otherwise.
     */
    if (hnd_type == SSL_HND_ENCRYPTED_EXTS) {
        /* Opaque blob */
        proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
                            tvb, offset, offset_end - offset, ENC_ASCII|ENC_NA);
        return offset_end;
    }
    if (hnd_type != SSL_HND_CLIENT_HELLO) {
        return offset_end;
    }

    uint32_t alps_length;
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
                        hf->hf.hs_ext_alps_len, 2, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    const uint32_t next_offset = offset + alps_length;

    proto_item *ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
                                         tvb, offset, alps_length, ENC_NA);
    proto_tree *alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);

    /* Parse list (note missing check for end of vector, ssl_add_vector below
     * ensures that data is always available.) */
    while (offset < next_offset) {
        uint32_t name_length;
        if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
                            hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX)) {
            return next_offset;
        }
        offset++;

        proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
                            tvb, offset, name_length, ENC_ASCII|ENC_NA);
        offset += name_length;
    }

    return offset;
}
8000
static int
ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               packet_info *pinfo, proto_tree *tree,
                               uint32_t offset, uint32_t offset_end,
                               uint8_t hnd_type, SslSession *session,
                               bool is_dtls, ja4_data_t *ja4_data)
{
    /* Application-Layer Protocol Negotiation,
     * https://tools.ietf.org/html/rfc7301#section-3.1
     * opaque ProtocolName<1..2^8-1>;
     * struct {
     *     ProtocolName protocol_name_list<2..2^16-1>
     * } ProtocolNameList;
     *
     * Side effects beyond the protocol tree:
     *  - ServerHello / EncryptedExtensions: the selected name is stored in
     *    session->alpn_name and, if a dissector is registered for it (exact
     *    match, or prefix match for TLS), becomes session->app_handle.
     *  - ClientHello: the name is stored in session->client_alpn_name; when
     *    ja4_data is given, the first name feeds the JA4 ALPN component.
     *
     * Returns the offset after the list, or offset_end / next_offset when a
     * length field is rejected by ssl_add_vector.
     */
    proto_tree *alpn_tree;
    proto_item *ti;
    uint32_t next_offset, alpn_length, name_length;
    const char *proto_name = NULL, *client_proto_name = NULL;

    /* ProtocolName protocol_name_list<2..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
                        hf->hf.hs_ext_alpn_len, 2, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + alpn_length;

    ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
                             tvb, offset, alpn_length, ENC_NA);
    alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);

    /* Parse list (note missing check for end of vector, ssl_add_vector below
     * ensures that data is always available.) */
    while (offset < next_offset) {
        /* opaque ProtocolName<1..2^8-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
                            hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX)) {
            return next_offset;
        }
        offset++;

        proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
                            tvb, offset, name_length, ENC_ASCII|ENC_NA);
        /* JA4 records only the first ALPN entry (ja4_data->alpn still empty):
         * first and last character when both are alphanumeric, otherwise the
         * high nibble of the first and the low nibble of the last as hex.
         * name_length >= 1 is guaranteed by the vector minimum above, so
         * offset + name_length - 1 does not precede offset. */
        if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
            const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
            const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
            if ((g_ascii_isalnum(alpn_first_char)) && g_ascii_isalnum(alpn_last_char)) {
                wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
            }
            else {
                wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
                                          alpn_last_char & 0x0F);
            }
        }
        /* Remember first ALPN ProtocolName entry for server. */
        if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
            /* '\0'-terminated string for dissector table match and prefix
             * comparison purposes. */
            proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
                                                   name_length, ENC_ASCII);
        } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
            /* NOTE(review): assigned on every iteration without a guard, so
             * for a multi-entry ClientHello list this ends up holding the
             * LAST name, not the first — confirm that is what the QUIC
             * consumer below expects. */
            client_proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
                                                          name_length, ENC_ASCII);
        }
        offset += name_length;
    }

    /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
     * exactly one "ProtocolName". */
    if (proto_name) {
        dissector_handle_t handle;

        /* File-scope copy: proto_name lives only in the packet pool. */
        session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);

        /* The name comes straight off the wire; it is used only as a lookup
         * key into the registered ALPN dissector tables. */
        if (is_dtls) {
            handle = dissector_get_string_handle(dtls_alpn_dissector_table,
                                                 proto_name);
        } else {
            handle = dissector_get_string_handle(ssl_alpn_dissector_table,
                                                 proto_name);
            if (handle == NULL) {
                /* Try prefix matching */
                for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols); i++) {
                    const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];

                    /* string_string is inappropriate as it compares strings
                     * while "byte strings MUST NOT be truncated" (RFC 7301) */
                    if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)) {
                        handle = find_dissector(alpn_proto->dissector_name);
                        break;
                    }
                }
            }
        }
        if (handle != NULL) {
            /* ProtocolName match, so set the App data dissector handle.
             * This may override protocols given via the UAT dialog, but
             * since the ALPN hint is precise, do it anyway. */
            ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC,
                             (void *)session->app_handle,
                             (void *)handle,
                             dissector_handle_get_dissector_name(handle));
            session->app_handle = handle;
        }
    } else if (client_proto_name) {
        // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
        // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
        session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
    }

    return offset;
}
8113
static int
ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                              packet_info *pinfo, proto_tree *tree,
                              uint32_t offset, uint32_t offset_end)
{
    /* Next Protocol Negotiation,
     * https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
     *
     * The ServerHello variant carries an optional list of protocol names.
     * Each name is a non-empty byte string with an 8-bit length prefix and
     * the names are simply concatenated until the extension data ends.
     *
     * Returns the offset just past the last name, or offset_end when a
     * length prefix is rejected by ssl_add_vector (zero or truncated).
     */
    proto_tree *list_tree;
    uint32_t    entry_len = 0;

    /* An empty list is legal; do not add an empty subtree for it. */
    if (offset_end == offset) {
        return offset;
    }

    list_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                       hf->ett.hs_ext_npn, NULL,
                                       "Next Protocol Negotiation");

    for (; offset < offset_end; offset += entry_len) {
        /* Non-empty names: the permitted length range is 1..255. */
        if (!ssl_add_vector(hf, tvb, pinfo, list_tree, offset, offset_end, &entry_len,
                            hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX)) {
            return offset_end;
        }
        offset++;

        proto_tree_add_item(list_tree, hf->hf.hs_ext_npn_str,
                            tvb, offset, entry_len, ENC_ASCII|ENC_NA);
    }

    return offset;
}
8152
static int
ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                     packet_info *pinfo, proto_tree *tree,
                                     uint32_t offset, uint32_t offset_end)
{
    /* Renegotiation Info, https://tools.ietf.org/html/rfc5746#section-3.2
     *   struct {
     *       opaque renegotiated_connection<0..255>;
     *   } RenegotiationInfo;
     *
     * Returns the offset after the opaque data (the length byte alone when
     * the data is empty), or offset_end when the length byte is rejected.
     */
    uint32_t    conn_len = 0;
    proto_tree *subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                                 hf->ett.hs_ext_reneg_info, NULL,
                                                 "Renegotiation Info extension");

    /* opaque renegotiated_connection<0..255>: a single length byte. */
    if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &conn_len,
                        hf->hf.hs_ext_reneg_info_len, 0, 255)) {
        return offset_end;
    }
    offset += 1;

    /* Zero length is the initial-handshake case: nothing more to show. */
    if (conn_len == 0) {
        return offset;
    }

    proto_tree_add_item(subtree, hf->hf.hs_ext_reneg_info, tvb, offset, conn_len, ENC_NA);
    return offset + conn_len;
}
8183
static int
ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                          proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                          const char **group_name_out)
{
    /* RFC 8446 Section 4.2.8
     * struct {
     *     NamedGroup group;
     *     opaque key_exchange<1..2^16-1>;
     * } KeyShareEntry;
     *
     * Dissects one entry. If group_name_out is non-NULL it receives the
     * group's display name, or NULL for GREASE values so callers do not
     * list them in the summary text.
     * Returns the offset after key_exchange, or offset_end when the
     * key_exchange length is rejected (the caller then skips the extension).
     */
    uint32_t key_exchange_length, group;
    proto_tree *ks_tree;

    /* Provisional length of 4 (group + length field); corrected below once
     * key_exchange_length is known. */
    ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL, "Key Share Entry");

    proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN, &group);
    offset += 2;
    const char *group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
    proto_item_append_text(ks_tree, ": Group: %s", group_name);
    if (group_name_out) {
        *group_name_out = !IS_GREASE_TLS(group) ? group_name : NULL;
    }

    /* opaque key_exchange<1..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
                        hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX)) {
        return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
    }
    offset += 2;
    proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
    proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);

    proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA);
    offset += key_exchange_length;

    return offset;
}
8222
static int
ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                    proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                    uint8_t hnd_type, SslDecryptSession *ssl)
{
    /* RFC 8446 key_share extension. The body depends on the handshake
     * message: ClientHello carries a vector of KeyShareEntry, ServerHello a
     * single KeyShareEntry, HelloRetryRequest only the selected NamedGroup.
     * Non-GREASE group names are appended to the extension item text.
     * For ServerHello, ssl->has_key_share is set when ssl is given.
     * Returns the offset after the parsed data, or the end of the enclosing
     * vector when a length check fails.
     */
    proto_tree *key_share_tree;
    uint32_t next_offset;
    uint32_t client_shares_length;
    uint32_t group;
    const char *group_name = NULL;

    if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
        return offset;
    }

    key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL, "Key Share extension");

    switch(hnd_type){
    case SSL_HND_CLIENT_HELLO:
        /* KeyShareEntry client_shares<0..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
                            hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        next_offset = offset + client_shares_length;
        const char *sep = " ";
        /* The loop terminates on bad input because the entry dissector
         * returns next_offset when a key_exchange length is rejected. */
        while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
            offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
            if (group_name) {
                proto_item_append_text(tree, "%s%s", sep, group_name);
                sep = ", ";
            }
        }
        /* Flags trailing bytes (1..3) that cannot form another entry. */
        if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
            return next_offset;
        }
        break;
    case SSL_HND_SERVER_HELLO:
        if (ssl) {
            ssl->has_key_share = true;
        }
        offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
        if (group_name) {
            proto_item_append_text(tree, " %s", group_name);
        }
        break;
    case SSL_HND_HELLO_RETRY_REQUEST:
        /* Only the selected group, no key_exchange. */
        proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN, &group);
        offset += 2;
        group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
        proto_item_append_text(tree, " %s", group_name);
        break;
    default: /* no default */
        break;
    }

    return offset;
}
8282
static int
ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                         proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                         uint8_t hnd_type, SslDecryptSession *ssl)
{
    /* RFC 8446 Section 4.2.11
     * struct {
     *     opaque identity<1..2^16-1>;
     *     uint32 obfuscated_ticket_age;
     * } PskIdentity;
     * opaque PskBinderEntry<32..255>;
     * struct {
     *     select (Handshake.msg_type) {
     *         case client_hello:
     *             PskIdentity identities<7..2^16-1>;
     *             PskBinderEntry binders<33..2^16-1>;
     *         case server_hello:
     *             uint16 selected_identity;
     *     };
     * } PreSharedKeyExtension;
     *
     * ClientHello: identities and binders are added to the tree (binders
     * are only displayed, not verified here). ServerHello: the selected
     * identity is shown and, when ssl is given, ssl->has_psk is set.
     * Returns the offset after the parsed data, or the end of the enclosing
     * vector when a length check fails.
     */

    proto_tree *psk_tree;

    psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL, "Pre-Shared Key extension");

    switch (hnd_type){
    case SSL_HND_CLIENT_HELLO: {
        uint32_t identities_length, identities_end, binders_length;

        /* PskIdentity identities<7..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
                            hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        identities_end = offset + identities_length;

        while (offset < identities_end) {
            uint32_t identity_length;
            proto_tree *identity_tree;

            /* Label is completed with the length once it is known. */
            identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL, "PSK Identity (");

            /* opaque identity<1..2^16-1> */
            if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
                                hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX)) {
                return identities_end;
            }
            offset += 2;
            proto_item_append_text(identity_tree, "length: %u)", identity_length);

            proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN);
            offset += identity_length;

            proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN);
            offset += 4;

            proto_item_set_len(identity_tree, 2 + identity_length + 4);
        }
        /* Trailing bytes inside the identities vector are reported and
         * skipped rather than aborting the whole extension. */
        if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
            offset = identities_end;
        }

        /* PskBinderEntry binders<33..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
                            hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;

        proto_item *binders_item;
        proto_tree *binders_tree;
        binders_item = proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA);
        binders_tree = proto_item_add_subtree(binders_item, hf->ett.hs_ext_psk_binders);
        uint32_t binders_end = offset + binders_length;
        while (offset < binders_end) {
            uint32_t binder_length;
            proto_item *binder_item;
            proto_tree *binder_tree;

            /* Added with length 1; extended to the real size at the end. */
            binder_item = proto_tree_add_item(binders_tree, hf->hf.hs_ext_psk_binder, tvb, offset, 1, ENC_NA);
            binder_tree = proto_item_add_subtree(binder_item, hf->ett.hs_ext_psk_binder);

            /* opaque PskBinderEntry<32..255>; */
            if (!ssl_add_vector(hf, tvb, pinfo, binder_tree, offset, binders_end, &binder_length,
                                hf->hf.hs_ext_psk_binder_binder_length, 32, 255)) {
                return binders_end;
            }
            offset += 1;
            proto_item_append_text(binder_tree, " (length: %u)", binder_length);

            proto_tree_add_item(binder_tree, hf->hf.hs_ext_psk_binder_binder, tvb, offset, binder_length, ENC_BIG_ENDIAN);
            offset += binder_length;

            proto_item_set_end(binder_item, tvb, offset);
        }
    }
    break;
    case SSL_HND_SERVER_HELLO: {
        if (ssl) {
            ssl_debug_printf("%s found pre_shared_key extension\n", G_STRFUNC);
            ssl->has_psk = true;
        }
        proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN);
        offset += 2;
    }
    break;
    default:
        break;
    }

    return offset;
}
8397
static uint32_t
ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U_,
                                     proto_tree *tree, uint32_t offset, uint32_t offset_end _U_,
                                     uint8_t hnd_type, SslDecryptSession *ssl)
{
    /* RFC 8446 Section 4.2.10
     * struct {} Empty;
     * struct {
     *     select (Handshake.msg_type) {
     *         case new_session_ticket:   uint32 max_early_data_size;
     *         case client_hello:         Empty;
     *         case encrypted_extensions: Empty;
     *     };
     * } EarlyDataIndication;
     *
     * Only NewSessionTicket carries data (4 bytes). A ClientHello instance
     * is empty but, when ssl is given, records that early data follows the
     * handshake. Returns the offset after any consumed bytes.
     */
    if (hnd_type == SSL_HND_NEWSESSION_TICKET) {
        proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN);
        return offset + 4;
    }

    if (hnd_type == SSL_HND_CLIENT_HELLO && ssl) {
        /* Remember that early_data will follow the handshake. */
        ssl_debug_printf("%s found early_data extension\n", G_STRFUNC);
        ssl->has_early_data = true;
    }

    /* Other handshake types carry no early_data payload. */
    return offset;
}
8430
static uint16_t
tls_try_get_version(bool is_dtls, uint16_t version, uint8_t *draft_version)
{
    /* Normalize a wire version number to a known (D)TLS version constant.
     *
     * For TLS, draft TLS 1.3 version codes (and the two unofficial Facebook
     * fizz codes 0xfb17/0xfb1a) are mapped to TLSV1DOT3_VERSION, with the
     * draft number stored in *draft_version when that pointer is non-NULL
     * (it is always reset to 0 first).
     *
     * Returns the normalized version, or SSL_VER_UNKNOWN when the value is
     * not a known version for the given protocol family (TLS codes are
     * rejected when is_dtls and vice versa).
     */
    if (draft_version) {
        *draft_version = 0;
    }

    if (!is_dtls) {
        uint8_t draft = extract_tls13_draft_version(version);
        if (draft == 0 && (version == 0xfb17 || version == 0xfb1a)) {
            /* Unofficial TLS 1.3 draft version for Facebook fizz. */
            draft = (uint8_t)version;
        }
        if (draft != 0) {
            /* This is TLS 1.3 (a draft version). */
            if (draft_version) {
                *draft_version = draft;
            }
            version = TLSV1DOT3_VERSION;
        }
    }

    const bool known_tls  = version == SSLV3_VERSION
                         || version == TLSV1_VERSION
                         || version == TLSV1DOT1_VERSION
                         || version == TLSV1DOT2_VERSION
                         || version == TLSV1DOT3_VERSION
                         || version == TLCPV1_VERSION;
    const bool known_dtls = version == DTLSV1DOT0_VERSION
                         || version == DTLSV1DOT0_OPENSSL_VERSION
                         || version == DTLSV1DOT2_VERSION
                         || version == DTLSV1DOT3_VERSION;

    /* The version must belong to the family the caller is dissecting. */
    if (is_dtls ? !known_dtls : !known_tls) {
        return SSL_VER_UNKNOWN;
    }

    return version;
}
8481
static int
ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                             proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                             SslSession *session, bool is_dtls, ja4_data_t *ja4_data)
{

    /* RFC 8446 Section 4.2.1
     * struct {
     *     ProtocolVersion versions<2..254>; // ClientHello
     * } SupportedVersions;
     * Note that ServerHello and HelloRetryRequest are handled by the caller.
     *
     * Side effects: non-GREASE versions are appended to the extension item
     * text; when ja4_data is given the highest non-GREASE raw version is
     * recorded; when session->version is still unknown the protocol column
     * is set from the list; the highest TLS 1.3 draft number seen is stored
     * in session->tls13_draft_version.
     * Returns the offset after the list, or offset_end when the length byte
     * is rejected.
     */
    uint32_t versions_length, next_offset;
    /* ProtocolVersion versions<2..254> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
                        hf->hf.hs_ext_supported_versions_len, 2, 254)) {
        return offset_end;
    }
    offset++;
    next_offset = offset + versions_length;

    /* versions_length >= 2 guarantees at least one loop iteration, so
     * `version` is assigned before its use after the loop. */
    unsigned version;
    unsigned current_version, lowest_version = SSL_VER_UNKNOWN;
    uint8_t draft_version, max_draft_version = 0;
    const char *sep = " ";
    while (offset + 2 <= next_offset) {
        proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN, &version);
        offset += 2;

        if (!IS_GREASE_TLS(version)) {
            proto_item_append_text(tree, "%s%s", sep, val_to_str(pinfo->pool, version, ssl_versions, "Unknown (0x%04x)"));
            sep = ", ";
        }

        /* Unknown/GREASE values map to SSL_VER_UNKNOWN and are not folded
         * into lowest_version (except as its very first value). */
        current_version = tls_try_get_version(is_dtls, version, &draft_version);
        if (session->version == SSL_VER_UNKNOWN) {
            if (lowest_version == SSL_VER_UNKNOWN) {
                lowest_version = current_version;
            } else if (current_version != SSL_VER_UNKNOWN) {
                /* DTLS version numbers decrease as the protocol version
                 * increases (0xfeff, 0xfefd, ...), hence MAX for DTLS. */
                if (!is_dtls) {
                    lowest_version = MIN(lowest_version, current_version);
                } else {
                    lowest_version = MAX(lowest_version, current_version);
                }
            }
        }
        max_draft_version = MAX(draft_version, max_draft_version);
        if (ja4_data && !IS_GREASE_TLS(version)) {
            /* The DTLS version numbers get mapped to "00" for unknown per
             * JA4 spec, but if JA4 ever does support DTLS we'll probably
             * need to take the MIN instead of MAX here for DTLS.
             */
            ja4_data->max_version = MAX(version, ja4_data->max_version);
        }
    }
    /* NOTE(review): the column text is derived from `version`, i.e. the
     * LAST raw entry of the list, while the guard is on lowest_version —
     * confirm whether lowest_version was intended here. */
    if (session->version == SSL_VER_UNKNOWN && lowest_version != SSL_VER_UNKNOWN) {
        col_set_str(pinfo->cinfo, COL_PROTOCOL,
                    val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
    }
    /* An odd trailing byte is reported and skipped. */
    if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
        offset = next_offset;
    }

    /* XXX remove this when draft 19 support is dropped,
     * this is only required for early data decryption. */
    if (max_draft_version) {
        session->tls13_draft_version = max_draft_version;
    }

    return offset;
}
8553
static int
ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                 packet_info *pinfo, proto_tree *tree,
                                 uint32_t offset, uint32_t offset_end)
{
    /* RFC 8446 Section 4.2.2
     * struct {
     *     opaque cookie<1..2^16-1>;
     * } Cookie;
     *
     * Returns the offset after the cookie bytes, or offset_end when the
     * two-byte length is zero or exceeds the available data.
     */
    uint32_t cookie_len = 0;

    /* opaque cookie<1..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_len,
                        hf->hf.hs_ext_cookie_len, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;

    proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_len, ENC_NA);
    return offset + cookie_len;
}
8577
static int
ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                                 proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* RFC 8446 Section 4.2.9
     * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
     *
     * struct {
     *     PskKeyExchangeMode ke_modes<1..255>;
     * } PskKeyExchangeModes;
     *
     * Each mode is one byte. Returns the offset after the last mode, or
     * offset_end when the one-byte list length is rejected.
     */
    uint32_t modes_len = 0;

    /* PskKeyExchangeMode ke_modes<1..255> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &modes_len,
                        hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
        return offset_end;
    }
    offset += 1;

    for (const uint32_t modes_end = offset + modes_len; offset < modes_end; offset++) {
        proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA);
    }

    return offset;
}
8606
static uint32_t
ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                                  proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* RFC 8446 Section 4.2.4
     * opaque DistinguishedName<1..2^16-1>;
     * struct {
     *     DistinguishedName authorities<3..2^16-1>;
     * } CertificateAuthoritiesExtension;
     *
     * Thin wrapper: the shared helper parses the authorities vector and
     * its resulting offset is passed straight back to the caller.
     */
    const uint32_t end_offset =
        tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
    return end_offset;
}
8619
static int
ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                      proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* RFC 8446 Section 4.2.5
     * struct {
     *     opaque certificate_extension_oid<1..2^8-1>;
     *     opaque certificate_extension_values<0..2^16-1>;
     * } OIDFilter;
     * struct {
     *     OIDFilter filters<0..2^16-1>;
     * } OIDFilterExtension;
     *
     * Each filter's OID is decoded as BER and, when values are present,
     * the value is handed to the BER dissector registered for that OID.
     * Returns the offset after the last filter; on a rejected length the
     * end of the filters vector is returned (offset_end is rebound to it).
     */
    proto_tree *subtree;
    uint32_t filters_length, oid_length, values_length, value_offset;
    asn1_ctx_t asn1_ctx;
    const char *oid, *name;

    /* OIDFilter filters<0..2^16-1> */
    /* NOTE(review): the length header field used here is
     * hs_ext_psk_ke_modes_length, which belongs to the PSK key exchange
     * modes extension — confirm this is intentional and not a copy/paste
     * slip; a dedicated field would label the tree correctly. */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
                        hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    /* From here on offset_end marks the end of the filters vector. */
    offset_end = offset + filters_length;

    asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);

    while (offset < offset_end) {
        /* Provisional length; corrected once both inner lengths are known. */
        subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                         hf->ett.hs_ext_oid_filter, NULL, "OID Filter");

        /* opaque certificate_extension_oid<1..2^8-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
                            hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX)) {
            return offset_end;
        }
        offset++;
        /* The OID string is wire-controlled; it is only used as a lookup key
         * for name resolution and the BER OID callback table. */
        dissect_ber_object_identifier_str(false, &asn1_ctx, subtree, tvb, offset,
                                          hf->hf.hs_ext_oid_filters_oid, &oid);
        offset += oid_length;

        /* Append OID to tree label */
        name = oid_resolved_from_string(pinfo->pool, oid);
        proto_item_append_text(subtree, " (%s)", name ? name : oid);

        /* opaque certificate_extension_values<0..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
                            hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
        if (values_length > 0) {
            /* Skip the outer BER identifier and length, then let the
             * OID-specific dissector handle the content. */
            value_offset = offset;
            value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL, NULL, NULL);
            value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL, NULL);
            call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL);
        }
        offset += values_length;
    }

    return offset;
}
8684
static int
ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                      packet_info *pinfo, proto_tree *tree,
                                      uint32_t offset, uint32_t offset_end)
{
    /* https://tools.ietf.org/html/rfc6066#section-3
     *
     * struct {
     *     NameType name_type;
     *     select (name_type) {
     *         case host_name: HostName;
     *     } name;
     * } ServerName;
     *
     * enum {
     *     host_name(0), (255)
     * } NameType;
     *
     * opaque HostName<1..2^16-1>;
     *
     * struct {
     *     ServerName server_name_list<1..2^16-1>
     * } ServerNameList;
     *
     * For host_name entries the SNI is appended to the extension text and
     * the Info column and, when the handshake_sni_addr_resolution
     * preference is enabled, registered as a name for the destination
     * address. Returns the offset after the list, or offset_end /
     * next_offset when a length field is rejected.
     */
    proto_tree *server_name_tree;
    uint32_t list_length, server_name_length, next_offset;

    /* The server SHALL include "server_name" extension with empty data. */
    if (offset == offset_end) {
        return offset;
    }

    server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL, "Server Name Indication extension");

    /* ServerName server_name_list<1..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
                        hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + list_length;

    while (offset < next_offset) {
        uint32_t name_type;
        const char *server_name = NULL;
        proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
                                     tvb, offset, 1, ENC_NA, &name_type);
        offset++;

        /* opaque HostName<1..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
                            hf->hf.hs_ext_server_name_len, 1, UINT16_MAX)) {
            return next_offset;
        }
        offset += 2;

        /* Pool-allocated, '\0'-terminated copy of the name for the text below. */
        proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
                                       tvb, offset, server_name_length, ENC_ASCII|ENC_NA,
                                       pinfo->pool, (const uint8_t**)&server_name);
        offset += server_name_length;
        // Each type must only occur once, so we don't check for duplicates.
        if (name_type == 0) {
            proto_item_append_text(tree, " name=%s", server_name);
            col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);

            /* Opt-in only: this feeds an unauthenticated, client-supplied
             * hostname into the address-to-name table used for display. */
            if (gbl_resolv_flags.handshake_sni_addr_resolution) {
                // Client Hello: Client (Src) -> Server (Dst)
                switch (pinfo->dst.type) {
                case AT_IPv4:
                    /* Length check guards the 4-byte read through the cast. */
                    if (pinfo->dst.len == sizeof(uint32_t)) {
                        add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false);
                    }
                    break;
                case AT_IPv6:
                    if (pinfo->dst.len == sizeof(ws_in6_addr)) {
                        add_ipv6_name(pinfo->dst.data, server_name, false);
                    }
                    break;
                }
            }
        }
    }
    return offset;
}
8769
static int
ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                         proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
{
    /* SessionTicket extension: the whole extension body is the ticket.
     * For a ClientHello with a non-empty ticket and an active decrypt
     * session, the ticket bytes are copied into ssl->session_ticket
     * (file-scope memory, reusing the previous buffer via wmem_realloc).
     * Returns offset_end (offset + ext_len) in all cases.
     */
    /* NOTE(review): offset_end - offset is assumed to be non-negative;
     * the unsigned subtraction would wrap if the caller ever passed
     * offset_end < offset — confirm callers guarantee ordering. */
    unsigned ext_len = offset_end - offset;
    if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
        /* Throws (bounds exception) before any copy if the data is truncated. */
        tvb_ensure_bytes_exist(tvb, offset, ext_len);
        /* Save the Session Ticket such that it can be used as identifier for
         * restoring a previous Master Secret (in ChangeCipherSpec) */
        ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
                                                                ssl->session_ticket.data, ext_len);
        ssl->session_ticket.data_len = ext_len;
        tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
    }
    proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
                        tvb, offset, ext_len, ENC_NA);
    return offset + ext_len;
}
8788
static int
ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                    proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                    uint8_t hnd_type, uint16_t ext_type, SslSession *session)
{
    /* cert_type / client_certificate_type / server_certificate_type
     * extensions (ext_type selects which one).
     *
     * ClientHello: a one-byte-length list of offered certificate types.
     * ServerHello / EncryptedExtensions / Certificate: the single selected
     * type, which is recorded in session->client_cert_type and/or
     * session->server_cert_type depending on ext_type.
     * Returns the offset after the parsed data; for a ClientHello whose
     * list length does not match the remaining bytes, the offset after the
     * length byte is returned without adding the list.
     */
    uint8_t cert_list_length;
    uint8_t cert_type;
    proto_tree *cert_list_tree;
    proto_item *ti;

    switch(hnd_type){
    case SSL_HND_CLIENT_HELLO:
        cert_list_length = tvb_get_uint8(tvb, offset);
        proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
                            tvb, offset, 1, ENC_BIG_ENDIAN);
        offset += 1;
        /* The list must fill the extension exactly; otherwise bail out. */
        if (offset_end - offset != (uint32_t)cert_list_length)
            return offset;

        /* NOTE(review): the last argument is the encoding parameter, but
         * cert_list_length is passed there; ENC_NA looks intended — confirm
         * against the field type of hs_ext_cert_types. */
        ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
                                 cert_list_length, cert_list_length);
        proto_item_append_text(ti, " (%d)", cert_list_length);

        /* make this a subtree */
        cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);

        /* loop over all point formats */
        while (cert_list_length > 0)
        {
            proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN);
            offset++;
            cert_list_length--;
        }
        break;
    case SSL_HND_SERVER_HELLO:
    case SSL_HND_ENCRYPTED_EXTENSIONS:
    case SSL_HND_CERTIFICATE:
        cert_type = tvb_get_uint8(tvb, offset);
        proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN);
        offset += 1;
        /* The generic cert_type extension applies to both directions. */
        if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE) {
            session->client_cert_type = cert_type;
        }
        if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE) {
            session->server_cert_type = cert_type;
        }
        break;
    default: /* no default */
        break;
    }

    return offset;
}
8842
static uint32_t
ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                               uint8_t hnd_type, SslDecryptSession *ssl _U_)
{
    /* compress_certificate extension,
     * https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
     *
     *   enum {
     *       zlib(1),
     *       brotli(2),
     *       (65535)
     *   } CertificateCompressionAlgorithm;
     *
     *   struct {
     *       CertificateCompressionAlgorithm algorithms<1..2^8-1>;
     *   } CertificateCompressionAlgorithms;
     *
     * The algorithm list is only carried in ClientHello and CertificateRequest;
     * any other handshake type returns offset unchanged. Returns the offset
     * after the list, or offset_end when the list length is out of range.
     */
    if (hnd_type != SSL_HND_CLIENT_HELLO && hnd_type != SSL_HND_CERT_REQUEST) {
        return offset;
    }

    /* CertificateCompressionAlgorithm algorithms<1..2^8-1>; */
    uint32_t algorithms_len;
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &algorithms_len,
                        hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX-1)) {
        return offset_end;
    }
    offset += 1;

    /* Two bytes per algorithm identifier. An odd list length leaves offset one
     * byte past list_end; there is no ssl_end_vector() resync in this function. */
    const uint32_t list_end = offset + algorithms_len;
    for (; offset < list_end; offset += 2) {
        proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
                            tvb, offset, 2, ENC_BIG_ENDIAN);
    }

    return offset;
}
8884
static uint32_t
ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                        proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                        uint8_t hnd_type, SslDecryptSession *ssl _U_)
{
    /* token_binding extension, RFC 8472:
     *
     *   struct {
     *       uint8 major;
     *       uint8 minor;
     *   } TB_ProtocolVersion;
     *
     *   enum {
     *       rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
     *   } TokenBindingKeyParameters;
     *
     *   struct {
     *       TB_ProtocolVersion token_binding_version;
     *       TokenBindingKeyParameters key_parameters_list<1..2^8-1>
     *   } TokenBindingParameters;
     *
     * Only ClientHello and ServerHello carry this body; other handshake types
     * return offset unchanged. Returns the offset after the parameters, or
     * offset_end when the key_parameters_list length is out of range.
     */
    if (hnd_type != SSL_HND_CLIENT_HELLO && hnd_type != SSL_HND_SERVER_HELLO) {
        return offset;
    }

    /* TB_ProtocolVersion */
    proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN);
    offset += 1;
    proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN);
    offset += 1;

    /* TokenBindingKeyParameters key_parameters_list<1..2^8-1> */
    uint32_t params_len;
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &params_len,
                        hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX)) {
        return offset_end;
    }
    offset += 1;
    const uint32_t list_end = offset + params_len;

    proto_item *list_item = proto_tree_add_none_format(tree,
                                                       hf->hf.hs_ext_token_binding_key_parameters,
                                                       tvb, offset, params_len,
                                                       "Key parameters identifiers (%d identifier%s)",
                                                       params_len,
                                                       plurality(params_len, "", "s"));
    proto_tree *list_tree = proto_item_add_subtree(list_item, hf->ett.hs_ext_token_binding_key_parameters);

    /* One byte per key parameter identifier. */
    for (; offset < list_end; offset += 1) {
        proto_tree_add_item(list_tree, hf->hf.hs_ext_token_binding_key_parameter,
                            tvb, offset, 1, ENC_BIG_ENDIAN);
    }

    /* Resync to the declared end if the loop did not land on it. */
    if (!ssl_end_vector(hf, tvb, pinfo, list_tree, offset, list_end)) {
        offset = list_end;
    }

    return offset;
}
8951
/*
 * Dissects the quic_transport_parameters extension body.
 *
 * Two wire encodings are handled: the draft -27 and later form (the extension
 * body is directly a sequence of varint id / varint length / value triples)
 * and the draft -26 and earlier form (16-bit list length, then 16-bit id /
 * 16-bit length / value per parameter). The encoding is chosen by the
 * heuristic below, not from the negotiated QUIC version.
 *
 * Side effects: several parameters feed the QUIC dissector's connection
 * tracking (quic_add_connection, quic_add_stateless_reset_token,
 * quic_add_loss_bits, quic_add_grease_quic_bit, quic_add_multipath).
 *
 * Returns the offset after the last parameter, or the end of the vector that
 * failed to parse when ssl_add_vector() rejects a length.
 */
8952static uint32_t
8953ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8954 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8955 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8956{
8957 bool_Bool use_varint_encoding = true1; // Whether this is draft -27 or newer.
8958 uint32_t next_offset;
8959
8960 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8961 *
8962 * Note: the following structures are not literally defined in the spec,
8963 * they instead use an ASCII diagram.
8964 *
8965 * struct {
8966 * uint16 id;
8967 * opaque value<0..2^16-1>;
8968 * } TransportParameter; // before draft -27
8969 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8970 *
8971 * struct {
8972 * opaque ipv4Address[4];
8973 * uint16 ipv4Port;
8974 * opaque ipv6Address[16];
8975 * uint16 ipv6Port;
8976 * opaque connectionId<0..18>;
8977 * opaque statelessResetToken[16];
8978 * } PreferredAddress;
8979 */
8980
 /* Heuristic for the pre-draft-27 layout: the leading 16-bit list length must
 * account for the whole extension body and the first parameter's 16-bit
 * length must fit inside it. A varint-encoded body that happens to satisfy
 * both checks would be misparsed; there is no version-based override here. */
8981 if (offset_end - offset >= 6 &&
8982 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
8983 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
8984 // Assume encoding of Transport Parameters draft -26 or older with at
8985 // least one transport parameter that has a valid length.
8986 use_varint_encoding = false0;
8987 }
8988
8989 if (use_varint_encoding) {
8990 next_offset = offset_end;
8991 } else {
8992 uint32_t quic_length;
8993 // Assume draft -26 or earlier.
8994 /* TransportParameter TransportParameters<0..2^16-1>; */
8995 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
8996 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {
8997 return offset_end;
8998 }
8999 offset += 2;
9000 next_offset = offset + quic_length;
9001 }
9002
9003 while (offset < next_offset) {
9004 uint64_t parameter_type; /* 62-bit space */
9005 uint32_t parameter_length;
9006 proto_tree *parameter_tree;
9007 uint32_t parameter_end_offset;
 /* Filled in by proto_tree_add_item_ret_varint() in the cases that display
 * a value; presumably always written on a successful read — verify it is
 * never consumed after a failed/short read (e.g. the multipath cases below). */
9008 uint64_t value;
9009 uint32_t i;
9010 int len = 0;
9011
9012 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
9013 NULL((void*)0), "Parameter");
9014 /* TransportParameter ID and Length. */
9015 if (use_varint_encoding) {
9016 uint64_t parameter_length64;
9017 int type_len = 0;
9018
9019 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
9020 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);
9021 offset += type_len;
9022
9023 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
9024 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);
 /* NOTE(review): the 62-bit length is truncated to 32 bits here and then
 * summed into an int for proto_item_set_len(). An absurd length from the
 * peer is only caught by tvb bounds checks and the ssl_end_vector() resync
 * at the bottom of the loop — confirm that is sufficient. */
9025 parameter_length = (uint32_t)parameter_length64;
9026 offset += len;
9027
9028 proto_item_set_len(parameter_tree, type_len + len + parameter_length);
9029 } else {
9030 parameter_type = tvb_get_ntohs(tvb, offset);
9031 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
9032 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9033 offset += 2;
9034
9035 /* opaque value<0..2^16-1> */
9036 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
9037 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {
9038 return next_offset;
9039 }
9040 offset += 2;
9041
9042 proto_item_set_len(parameter_tree, 4 + parameter_length);
9043 }
9044
 /* GREASE ids (27 + 31*N) are reserved and carry no defined meaning. */
9045 if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
0)
) {
9046 proto_item_append_text(parameter_tree, ": GREASE");
9047 } else {
9048 proto_item_append_text(parameter_tree, ": %s", val64_to_str_wmem(pinfo->pool, parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
9049 }
9050
9051 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
9052 parameter_end_offset = offset + parameter_length;
9053
9054 /* Omit the value field if the parameter's length is 0. */
9055 if (parameter_length != 0) {
9056 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
9057 tvb, offset, parameter_length, ENC_NA0x00000000);
9058 }
9059
 /* Per-parameter decoding. Each case is expected to leave offset at
 * parameter_end_offset; the ssl_end_vector() check after the switch
 * flags and corrects any case that does not. */
9060 switch (parameter_type) {
9061 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:
9062 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
9063 tvb, offset, parameter_length, ENC_NA0x00000000);
9064 offset += parameter_length;
9065 break;
9066 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:
9067 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
9068 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9069 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);
9070 offset += len;
9071 break;
9072 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:
9073 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
9074 tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);
 /* Fixed 16-byte token; registered with the QUIC dissector so a later
 * Stateless Reset can be matched to this connection. */
9075 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));
9076 offset += 16;
9077 break;
9078 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:
9079 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
9080 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9081 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9082 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
9083 offset += len;
9084 break;
9085 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:
9086 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
9087 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9088 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9089 offset += len;
9090 break;
9091 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:
9092 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
9093 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9094 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9095 offset += len;
9096 break;
9097 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:
9098 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
9099 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9100 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9101 offset += len;
9102 break;
9103 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:
9104 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
9105 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9106 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9107 offset += len;
9108 break;
9109 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:
9110 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
9111 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9112 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9113 offset += len;
9114 break;
9115 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:
9116 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
9117 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9118 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9119 offset += len;
9120 break;
9121 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:
9122 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
9123 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
9124 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
9125 offset += len;
9126 break;
9127 case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:
9128 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
9129 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9130 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9131 offset += len;
9132 break;
9133 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:
9134 /* No Payload */
9135 break;
9136 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {
9137 uint32_t connectionid_length;
9138 quic_cid_t cid;
9139
9140 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
9141 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
9142 offset += 4;
9143 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
9144 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9145 offset += 2;
9146 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
9147 tvb, offset, 16, ENC_NA0x00000000);
9148 offset += 16;
9149 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
9150 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9151 offset += 2;
9152 /* XXX - Should we add these addresses and ports as addresses that the client
9153 * is allowed / expected to migrate the server address to? Right now we don't
9154 * enforce that (see RFC 9000 Section 9, which implies that while the client
9155 * can migrate to whatever address it wants, it can only migrate the server
9156 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
9157 */
9158
 /* NOTE(review): this vector is bounded by offset_end (the extension end)
 * rather than parameter_end_offset, so a connection ID that overruns this
 * parameter is only reported by the ssl_end_vector() check after the switch. */
9159 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
9160 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
9161 break;
9162 }
9163 offset += 1;
9164
9165 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
9166 tvb, offset, connectionid_length, ENC_NA0x00000000);
 /* Only a non-empty CID that fits cid.cid is registered; the same bound
 * gates the reset-token registration below so cid is never used half-filled. */
9167 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
9168 cid.len = connectionid_length;
9169 // RFC 9000 5.1.1 "If the preferred_address transport
9170 // parameter is sent, the sequence number of the supplied
9171 // connection ID is 1."
9172 cid.seq_num = 1;
9173 // Multipath draft-07 "Also, the Path Identifier for the
9174 // connection ID specified in the "preferred address"
9175 // transport parameter is 0."
9176 cid.path_id = 0;
9177 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
9178 quic_add_connection(pinfo, &cid);
9179 }
9180 offset += connectionid_length;
9181
9182 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
9183 tvb, offset, 16, ENC_NA0x00000000);
9184 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
9185 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
9186 }
9187 offset += 16;
9188 }
9189 break;
9190 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:
9191 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
9192 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9193 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9194 offset += len;
9195 break;
9196 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:
9197 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
9198 tvb, offset, parameter_length, ENC_NA0x00000000);
9199 offset += parameter_length;
9200 break;
9201 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:
9202 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
9203 tvb, offset, parameter_length, ENC_NA0x00000000);
9204 offset += parameter_length;
9205 break;
9206 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:
9207 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
9208 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9209 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9210 offset += len;
9211 break;
9212 case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:
9213 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
9214 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9215 proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);
9216 offset += len;
9217 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
9218 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9219 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);
9220 offset += len;
9221 break;
9222 case SSL_HND_QUIC_TP_LOSS_BITS0x1057:
9223 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
9224 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9225 if (len > 0) {
9226 quic_add_loss_bits(pinfo, value);
9227 }
 /* Unlike the other varint cases this advances by a fixed single byte
 * rather than by len; a longer varint encoding is only corrected by the
 * ssl_end_vector() resync after the switch — TODO confirm intended. */
9228 offset += 1;
9229 break;
9230 case SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176:
9231 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_address_discovery,
9232 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
9233 offset += len;
9234 break;
9235 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:
9236 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:
9237 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:
9238 case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:
9239 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
9240 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9241 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9242 offset += len;
9243 break;
9244 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:
9245 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
9246 tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
9247 offset += parameter_length;
9248 break;
9249 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:
9250 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
9251 tvb, offset, parameter_length, ENC_NA0x00000000);
9252 offset += parameter_length;
9253 break;
9254 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:
9255 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
9256 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
9257 offset += 4;
9258 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
9259 uint32_t versions_length;
9260
9261 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
9262 tvb, offset, 1, ENC_NA0x00000000, &versions_length);
9263 offset += 1;
 /* The loop trusts versions_length; it is not clamped to parameter_length,
 * so an overrun is reported by the ssl_end_vector() check after the switch. */
9264 for (i = 0; i < versions_length / 4; i++) {
9265 quic_proto_tree_add_version(tvb, parameter_tree,
9266 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
9267 offset += 4;
9268 }
9269 }
9270 break;
9271 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:
9272 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
9273 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9274 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);
9275 offset += len;
9276 break;
9277 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:
9278 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
9279 tvb, offset, parameter_length, ENC_NA0x00000000);
9280 offset += parameter_length;
9281 break;
9282 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:
9283 /* This field was used for non-standard Google-specific parameters encoded as a
9284 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
9285 * parameters. Report it as a bytes blob... */
9286 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
9287 tvb, offset, parameter_length, ENC_NA0x00000000);
9288 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
9289 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
9290 tvb, offset, 4, ENC_NA0x00000000);
9291 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
9292 offset += parameter_length;
9293 break;
9294 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:
9295 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
9296 tvb, offset, parameter_length, ENC_NA0x00000000);
9297 offset += parameter_length;
9298 break;
9299 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:
9300 /* No Payload */
9301 break;
9302 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:
9303 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
9304 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
 /* Skips the whole declared value rather than the varint width. */
9305 offset += parameter_length;
9306 break;
9307 case SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db:
9308 case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:
 /* chosen_version followed by (parameter_length - 4) / 4 other versions. */
9309 quic_proto_tree_add_version(tvb, parameter_tree,
9310 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
9311 offset += 4;
9312 for (i = 4; i < parameter_length; i += 4) {
9313 quic_proto_tree_add_version(tvb, parameter_tree,
9314 hf->hf.hs_ext_quictp_parameter_other_version, offset);
9315 offset += 4;
9316 }
9317 break;
9318 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:
9319 /* No Payload */
9320 quic_add_grease_quic_bit(pinfo);
9321 break;
9322 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:
9323 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
9324 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9325 offset += parameter_length;
9326 break;
9327 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:
9328 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
9329 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9330 if (value == 1) {
9331 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9332 }
9333 offset += parameter_length;
9334 break;
9335 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:
9336 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:
9337 /* No Payload */
9338 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9339 break;
9340 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:
9341 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
9342 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9343 if (value > 1) {
9344 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9345 }
9346 /* multipath draft-07: "The value of the initial_max_paths
9347 * parameter MUST be at least 2." TODO: Expert Info? */
9348 offset += parameter_length;
9349 break;
9350 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09:
9351 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11:
9352 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c:
9353 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT130x0f739bbc1b666d0d:
9354 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x3e:
9355 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
9356 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9357 /* multipath draft-09 and later: "If an endpoint receives an
9358 * initial_max_path_id transport parameter with value 0, the
9359 * peer aims to enable the multipath extension without allowing
9360 * extra paths immediately."
9361 */
9362 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9363 offset += parameter_length;
9364 break;
9365 default:
 /* Unknown or undecoded id: skip the value using the declared length. */
9366 offset += parameter_length;
9367 /*TODO display expert info about unknown ? */
9368 break;
9369 }
9370
9371 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
9372 /* Dissection did not end at expected location, fix it. */
9373 offset = parameter_end_offset;
9374 }
9375 }
9376
9377 return offset;
9378}
9379
static int
ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                             proto_tree *tree, uint32_t offset,
                             SslSession *session, SslDecryptSession *ssl,
                             bool from_server, bool is_hrr)
{
    /* Dissects the fields ClientHello and ServerHello share after the
     * version: the 32-byte Random and, where the version allows it, the
     * length-prefixed Session ID.
     *
     * When a decryption session (ssl) is present, the Random is copied into
     * it for later key derivation and the Session ID (capped at 32 bytes) is
     * copied for later resumption matching. The session-level client random
     * is recorded once, on the first ClientHello seen.
     *
     * Returns the offset just past the Session ID (or past the Random when
     * the Session ID is absent). */
    const uint8_t draft_version = session->tls13_draft_version;
    const bool is_tls13 = (session->version == TLSV1DOT3_VERSION) ||
                          (session->version == DTLSV1DOT3_VERSION);

    if (ssl) {
        /* Keep the peer's Random for keyring generation. Assumes rnd->data
         * already points at a buffer of at least 32 bytes — allocated elsewhere. */
        StringInfo *rnd = from_server ? &ssl->server_random : &ssl->client_random;
        tvb_memcpy(tvb, rnd->data, offset, 32);
        rnd->data_len = 32;
        ssl->state |= from_server ? SSL_SERVER_RANDOM : SSL_CLIENT_RANDOM;
        ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC,
                         from_server ? "SERVER" : "CLIENT", ssl->state);
    }

    /* Session-level client random is written only once per session. */
    if (!from_server && session->client_random.data_len == 0) {
        session->client_random.data_len = 32;
        tvb_memcpy(tvb, session->client_random.data, offset, 32);
    }

    proto_item *ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA);

    if (!is_tls13) {
        /* Pre-1.3 Random: gmt_unix_time followed by 28 random bytes. */
        proto_tree *rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
        proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
                            tvb, offset, 4, ENC_TIME_SECS|ENC_BIG_ENDIAN);
        offset += 4;
        proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
                            tvb, offset, 28, ENC_NA);
        offset += 28;
    } else {
        /* (D)TLS 1.3: the Random carries no timestamp. */
        if (is_hrr) {
            proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
        } else if (from_server && session->ech) {
            /* ECH acceptance confirmation occupies the last 8 bytes of the
             * ServerHello random; compare it against the locally computed value. */
            proto_tree *ech_confirm_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
            proto_tree_add_item(ech_confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA);
            proto_item *ti = proto_tree_add_bytes_with_length(ech_confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
                                                              session->ech_confirmation, 8);
            proto_item_set_generated(ti);
            const bool confirmed = memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8) == 0;
            expert_add_info(pinfo, ti, confirmed ? &hf->ei.ech_accepted : &hf->ei.ech_rejected);
        }
        offset += 32;
    }

    /* TLS 1.3 drafts before -22 omitted the Session ID from the ServerHello. */
    const bool server_hello_without_sid =
        session->version == TLSV1DOT3_VERSION && draft_version > 0 && draft_version < 22;
    if (!from_server || !server_hello_without_sid) {
        /* Session ID: one length byte followed by the ID itself. */
        const uint8_t sessid_length = tvb_get_uint8(tvb, offset);
        proto_tree_add_item(tree, hf->hf.hs_session_id_len,
                            tvb, offset, 1, ENC_BIG_ENDIAN);
        offset++;

        /* Save the authoritative SID for later use in ChangeCipherSpec.
         * (D)TLS restricts the SID to 32 bytes, so longer ones are ignored
         * rather than copied. To support ECH the (possibly empty) SID from a
         * ServerHello is saved too, as is a non-empty one from the
         * ClientHelloOuter. */
        if (ssl && sessid_length <= 32 && (from_server || sessid_length > 0)) {
            tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
            ssl->session_id.data_len = sessid_length;
        }
        if (sessid_length > 0) {
            proto_tree_add_item(tree, hf->hf.hs_session_id,
                                tvb, offset, sessid_length, ENC_NA);
            offset += sessid_length;
        }
    }

    return offset;
}
9476
static int
ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                         proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                         bool has_length)
{
    /* TLS 1.2/1.3 status_request Client Hello Extension, and the
     * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type
     * (has_length selects the latter, which carries a request_length).
     * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
     * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
     *
     *   struct {
     *       CertificateStatusType status_type;
     *       uint16 request_length; // for status_request_v2
     *       select (status_type) {
     *           case ocsp: OCSPStatusRequest;
     *           case ocsp_multi: OCSPStatusRequest;
     *       } request;
     *   } CertificateStatusRequest; // CertificateStatusRequestItemV2
     *
     *   enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
     *   struct {
     *       ResponderID responder_id_list<0..2^16-1>;
     *       Extensions request_extensions;
     *   } OCSPStatusRequest;
     *   opaque ResponderID<1..2^16-1>;
     *   opaque Extensions<0..2^16-1>;
     *
     * Returns the offset after the request. For status types other than
     * ocsp/ocsp_multi the offset after the type (and request_length) is
     * returned and the body is left undissected; a vector length out of
     * range returns offset_end.
     */
    const unsigned status_type = tvb_get_uint8(tvb, offset);
    proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
                        tvb, offset, 1, ENC_NA);
    offset++;

    /* request_length is only present in the status_request_v2 item form. */
    if (has_length) {
        proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
                            tvb, offset, 2, ENC_BIG_ENDIAN);
        offset += 2;
    }

    /* Only the two OCSP request shapes are understood. */
    if (status_type != SSL_HND_CERT_STATUS_TYPE_OCSP &&
        status_type != SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI) {
        return offset;
    }

    /* ResponderID responder_id_list<0..2^16-1> */
    uint32_t responder_id_list_len;
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
                        hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    if (responder_id_list_len != 0) {
        /* The list is skipped as a whole; individual ResponderIDs are not decoded. */
        proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
                                     tvb, offset, responder_id_list_len,
                                     "Responder ID list is not implemented, contact Wireshark"
                                     " developers if you want this to be supported");
    }
    offset += responder_id_list_len;

    /* opaque Extensions<0..2^16-1> */
    uint32_t request_extensions_len;
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
                        hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    if (request_extensions_len != 0) {
        proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
                                     tvb, offset, request_extensions_len,
                                     "Request Extensions are not implemented, contact"
                                     " Wireshark developers if you want this to be supported");
    }
    offset += request_extensions_len;

    return offset;
}
9556
static unsigned
ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                            proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* status_request_v2 extension, https://tools.ietf.org/html/rfc6961#section-2.2
     *
     *   struct {
     *       CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
     *   } CertificateStatusRequestListV2;
     *
     * Returns the offset after the list, or offset_end when the list length
     * is out of range.
     */
    uint32_t req_list_length;

    /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
                        hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;

    /* Each item carries its own request_length (has_length = true). The item
     * dissector returns list_end when one of its vectors is malformed, which
     * terminates the loop. */
    const uint32_t list_end = offset + req_list_length;
    while (offset < list_end) {
        offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, list_end, true);
    }

    return offset;
}
9582
static uint32_t
tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                          uint32_t offset, uint32_t offset_end)
{
    /* Dissects one length-prefixed OCSPResponse and hands the DER payload to
     * the OCSP dissector (if that protocol is enabled). Returns the offset
     * after the response, or offset_end when the length is out of range. */
    uint32_t response_length;

    /* opaque OCSPResponse<1..2^24-1>; */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
                        hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24)) {
        return offset_end;
    }
    offset += 3;

    proto_item *ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
                                                response_length, ENC_BIG_ENDIAN);
    proto_item_set_text(ocsp_resp, "OCSP Response");
    proto_tree *ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);

    /* Respect a user-disabled OCSP protocol: leave the blob undecoded then. */
    if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
        asn1_ctx_t asn1_ctx;
        asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);
        dissect_ocsp_OCSPResponse(false, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
    }

    return offset + response_length;
}
9611
uint32_t
tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                   proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* Shared by the TLS 1.2 "CertificateStatus" handshake message and the
     * TLS 1.3 "status_request" Certificate extension:
     *
     *   struct {
     *       CertificateStatusType status_type;
     *       select (status_type) {
     *           case ocsp:       OCSPResponse;
     *           case ocsp_multi: OCSPResponseList;   // status_request_v2
     *       } response;
     *   } CertificateStatus;
     *   opaque OCSPResponse<1..2^24-1>;
     *   struct {
     *       OCSPResponse ocsp_response_list<1..2^24-1>;
     *   } OCSPResponseList;                          // status_request_v2
     *
     * Returns the offset after the decoded data. For an unrecognised
     * status_type only the type byte is consumed; for a bad ocsp_multi list
     * length, offset_end is returned.
     */
    uint32_t status_type = 0;

    proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
                                 tvb, offset, 1, ENC_BIG_ENDIAN, &status_type);
    offset += 1;

    if (status_type == SSL_HND_CERT_STATUS_TYPE_OCSP) {
        return tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
    }

    if (status_type == SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI) {
        uint32_t list_len = 0;
        uint32_t list_end;

        /* OCSPResponse ocsp_response_list<1..2^24-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_len,
                            hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24)) {
            return offset_end;
        }
        offset += 3;
        list_end = offset + list_len;

        /* Each response is bounded by the list; a malformed one returns
         * list_end, which ends the loop. */
        while (offset < list_end) {
            offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, list_end);
        }
    }

    return offset;
}
9658
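static unsigned
ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                           proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                           wmem_strbuf_t *ja3)
{
    /* RFC 8446 Section 4.2.7
     *   enum { ..., (0xFFFF) } NamedGroup;
     *   struct {
     *       NamedGroup named_group_list<2..2^16-1>
     *   } NamedGroupList;
     *
     * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
     * the extension itself from "elliptic_curves" to "supported_groups".
     *
     * When ja3 is non-NULL, a ',' followed by the group ids joined with '-'
     * is appended to it; GREASE values are skipped (they are not part of the
     * JA3 fingerprint).
     *
     * Returns the offset after the list, or offset_end when the 2-byte
     * length field is out of range for [offset, offset_end).
     */
    uint32_t groups_length, next_offset;
    proto_tree *groups_tree;
    proto_item *ti;
    const char *ja3_dash = "";

    /* NamedGroup named_group_list<2..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
                        hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + groups_length;

    ti = proto_tree_add_none_format(tree,
                                    hf->hf.hs_ext_supported_groups,
                                    tvb, offset, groups_length,
                                    "Supported Groups (%d group%s)",
                                    groups_length / 2,
                                    plurality(groups_length/2, "", "s"));

    /* make this a subtree */
    groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);

    if (ja3) {
        wmem_strbuf_append_c(ja3, ',');
    }

    /* Walk the groups up to the declared end of the vector, not up to
     * offset_end: bytes a peer places after the vector but inside the
     * extension must not be decoded as groups nor folded into the JA3
     * fingerprint. Any leftover byte (odd length) is reported by
     * ssl_end_vector() below. */
    while (offset + 2 <= next_offset) {
        uint32_t ext_supported_group;

        proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
                                     ENC_BIG_ENDIAN, &ext_supported_group);
        offset += 2;
        if (ja3 && !IS_GREASE_TLS(ext_supported_group)) {
            wmem_strbuf_append_printf(ja3, "%s%i", ja3_dash, ext_supported_group);
            ja3_dash = "-";
        }
    }
    if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
        offset = next_offset;
    }

    return offset;
}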
9717
static int
ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                           proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
{
    /* ec_point_formats extension: a 1-byte length followed by one byte per
     * point format. When ja3 is non-NULL, a ',' and the formats joined with
     * '-' are appended to it.
     *
     * There is no offset_end here, so the length byte is not validated
     * against the extension size; out-of-range reads are left to the tvb
     * accessors. Returns the offset after the last format byte.
     */
    uint8_t count = tvb_get_uint8(tvb, offset);
    proto_item *ti;
    proto_tree *ecpf_tree;

    proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
                        tvb, offset, 1, ENC_BIG_ENDIAN);
    offset += 1;

    ti = proto_tree_add_none_format(tree,
                                    hf->hf.hs_ext_ec_point_formats,
                                    tvb, offset, count,
                                    "Elliptic curves point formats (%d)",
                                    count);
    ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);

    if (ja3) {
        wmem_strbuf_append_c(ja3, ',');
    }

    for (unsigned i = 0; i < count; i++) {
        uint32_t point_format;

        proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
                                     ENC_BIG_ENDIAN, &point_format);
        offset++;

        if (ja3) {
            /* Separator goes between values, never after the last one. */
            if (i > 0) {
                wmem_strbuf_append_c(ja3, '-');
            }
            wmem_strbuf_append_printf(ja3, "%i", point_format);
        }
    }

    return offset;
}
9763
static int
ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                              packet_info *pinfo, proto_tree *tree,
                              uint32_t offset, uint32_t next_offset)
{
    /* srp extension, RFC 5054 Section 2.8.1: the body is the user name,
     *     opaque srp_I<1..2^8-1>;
     *
     * Returns the offset after the name, or next_offset when the 1-byte
     * length is out of range for the remaining extension bytes.
     */
    uint32_t name_len = 0;

    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &name_len,
                        hf->hf.hs_ext_srp_len, 1, UINT8_MAX)) {
        return next_offset;
    }

    /* Skip the length byte and show the user name as UTF-8. */
    offset += 1;
    proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
                        tvb, offset, name_len, ENC_UTF_8 | ENC_NA);

    return offset + name_len;
}
9786
static uint32_t
tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                uint32_t offset, uint32_t offset_end, uint16_t version)
{
    /* One SignedCertificateTimestamp, RFC 6962 Section 3.2:
     *   enum { v1(0), (255) } Version;
     *   struct { opaque key_id[32]; } LogID;
     *   opaque CtExtensions<0..2^16-1>;
     *   struct {
     *       Version sct_version;
     *       LogID id;
     *       uint64 timestamp;
     *       CtExtensions extensions;
     *       digitally-signed struct { ... };
     *   } SignedCertificateTimestamp;
     *
     * `version` is the TLS version, forwarded to the signature dissector.
     * Returns the offset after the signature; after the version byte alone
     * when the SCT version is not v1 (the caller reports the rest as
     * unprocessed trailing bytes); or offset_end when the extensions length
     * is out of range.
     */
    uint32_t sct_version = 0;
    uint32_t exts_len = 0;
    uint64_t ts_ms;
    nstime_t ts;

    proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA, &sct_version);
    offset += 1;
    if (sct_version != 0) {
        // TODO expert info about unknown SCT version?
        return offset;
    }

    /* LogID: 32-byte key hash; label the subtree with the known log name. */
    proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN);
    proto_item_append_text(tree, " (%s)",
                           bytesval_to_str_wmem(pinfo->pool, tvb_get_ptr(tvb, offset, 32), 32,
                                                ct_logids, "Unknown Log"));
    offset += 32;

    /* Timestamp is milliseconds since the Unix epoch; split into s + ns. */
    ts_ms = tvb_get_ntoh64(tvb, offset);
    ts.secs = (time_t)(ts_ms / 1000);
    ts.nsecs = (int)((ts_ms % 1000) * 1000000);
    proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &ts);
    offset += 8;

    /* opaque CtExtensions<0..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
                        hf->hf.sct_sct_extensions_length, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    if (exts_len != 0) {
        proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN);
        offset += exts_len;
    }

    return ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
                                        hf->hf.sct_sct_signature_length,
                                        hf->hf.sct_sct_signature);
}
9841
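uint32_t
tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                     uint32_t offset, uint32_t offset_end, uint16_t version)
{
    /* SignedCertificateTimestampList, RFC 6962 Section 3.3:
     *   opaque SerializedSCT<1..2^16-1>;
     *   struct {
     *       SerializedSCT sct_list <1..2^16-1>;
     *   } SignedCertificateTimestampList;
     *
     * Each SCT gets its own subtree and is bounded by its own length; the
     * list as a whole is bounded by its declared length. `version` is the
     * TLS version, passed through to tls_dissect_sct().
     *
     * Returns the offset after the list, or offset_end when the list length
     * or an SCT length is out of range.
     */
    uint32_t list_length, sct_length, list_end, next_offset;
    proto_tree *subtree;

    /* SerializedSCT sct_list <1..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
                        hf->hf.sct_scts_length, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    /* Bound the loop by the declared list length. It used to be parsed and
     * then ignored in favour of offset_end, so any bytes following the list
     * were decoded as further SCTs instead of being reported. */
    list_end = offset + list_length;

    while (offset < list_end) {
        subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL, "Signed Certificate Timestamp");

        /* opaque SerializedSCT<1..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, list_end, &sct_length,
                            hf->hf.sct_sct_length, 1, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        next_offset = offset + sct_length;
        proto_item_set_len(subtree, 2 + sct_length);
        offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
        /* A short or over-long SCT body is reported here and the offset
         * re-synchronised to the next SCT. */
        if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
            offset = next_offset;
        }
    }

    return offset;
}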
9881
static int
dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U_,
                              proto_tree *tree, uint32_t offset)
{
    /* One HpkeSymmetricCipherSuite: uint16 kdf_id followed by uint16 aead_id.
     * Adds a 4-byte "cipher suite" item with both ids as children and
     * appends "<kdf>/<aead>" to its label. No bound is available here; an
     * out-of-range read is left to the tvb accessors.
     *
     * Returns offset + 4.
     */
    uint32_t kdf = 0;
    uint32_t aead = 0;
    proto_item *suite_ti;
    proto_tree *suite_tree;

    suite_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
                                   tvb, offset, 4, ENC_NA);
    suite_tree = proto_item_add_subtree(suite_ti, hf->ett.ech_hpke_cipher_suite);

    proto_tree_add_item_ret_uint(suite_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
                                 tvb, offset, 2, ENC_BIG_ENDIAN, &kdf);
    proto_tree_add_item_ret_uint(suite_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
                                 tvb, offset + 2, 2, ENC_BIG_ENDIAN, &aead);

    proto_item_append_text(suite_ti, ": %s/%s",
                           val_to_str_const(kdf, kdf_id_type_vals, "Unknown"),
                           val_to_str_const(aead, aead_id_type_vals, "Unknown"));

    return offset + 4;
}
9906
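static int
dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                            proto_tree *tree, uint32_t offset, uint32_t offset_end,
                            uint32_t *config_id)
{
    /* HpkeKeyConfig (draft-ietf-tls-esni):
     *   uint8 config_id;
     *   HpkeKemId kem_id;                                  // uint16
     *   HpkePublicKey public_key;                          // opaque <1..2^16-1>
     *   HpkeSymmetricCipherSuite cipher_suites<4..2^16-4>;
     *
     * Adds a "key config" subtree sized to the bytes actually parsed and
     * stores the config id in *config_id.
     *
     * Returns the offset after the cipher suite list, or offset_end when the
     * public key or cipher suite length is out of range (the subtree is then
     * sized up to offset_end and the malformed length has already been
     * reported by ssl_add_vector()).
     *
     * NOTE(review): the leading 3 fixed bytes are read before any bound
     * check, so a config shorter than that is only caught by the vector
     * helper afterwards.
     */
    uint32_t public_key_length, cipher_suite_length, suites_end;
    proto_item *kc_ti, *css_ti;
    proto_tree *kc_tree, *css_tree;
    const uint32_t start = offset;

    kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
                                tvb, offset, -1, ENC_NA);
    kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);

    proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
                                 tvb, offset, 1, ENC_BIG_ENDIAN, config_id);
    offset += 1;
    proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
                        tvb, offset, 2, ENC_BIG_ENDIAN);
    offset += 2;

    /* HpkePublicKey public_key<1..2^16-1>. The length used to be taken from
     * the wire unchecked; validate it against offset_end like every other
     * vector in this file so an oversized value is reported, not used. */
    if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &public_key_length,
                        hf->hf.ech_hpke_keyconfig_public_key_length, 1, UINT16_MAX)) {
        proto_item_set_len(kc_ti, offset_end - start);
        return offset_end;
    }
    offset += 2;
    proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
                        tvb, offset, public_key_length, ENC_NA);
    offset += public_key_length;

    /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
    if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
                        hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX - 3)) {
        proto_item_set_len(kc_ti, offset_end - start);
        return offset_end;
    }
    offset += 2;
    suites_end = offset + cipher_suite_length;

    css_ti = proto_tree_add_none_format(kc_tree,
                                        hf->hf.ech_hpke_keyconfig_cipher_suites,
                                        tvb, offset, cipher_suite_length,
                                        "Cipher Suites (%d suite%s)",
                                        cipher_suite_length / 4,
                                        plurality(cipher_suite_length / 4, "", "s"));
    css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);

    /* Each suite is exactly 4 bytes; a trailing partial suite is reported by
     * ssl_end_vector() and skipped. */
    while (offset + 4 <= suites_end) {
        offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
    }

    if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, suites_end)) {
        offset = suites_end;
    }

    proto_item_set_len(kc_ti, offset - start);

    return offset;
}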
9963
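static int
dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               const uint8_t **public_name, uint32_t *config_id)
{
    /* ECHConfigContents (draft-ietf-tls-esni):
     *   HpkeKeyConfig key_config;
     *   uint8 maximum_name_length;
     *   opaque public_name<1..2^8-1>;
     *   Extension extensions<0..2^16-1>;
     *
     * On return *config_id holds the key config's id and *public_name points
     * at the pool-allocated public name. When a length is malformed the
     * function returns offset_end; *public_name is then set to "" so that a
     * caller printing it with "%s" is never handed a NULL.
     *
     * Returns the offset after the extensions (re-synchronised to the
     * declared end of the extensions vector if they did not line up).
     */
    uint32_t public_name_length, extensions_length, next_offset;

    offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
    /* dissect_ech_hpke_key_config() returns offset_end when the key config is
     * malformed; the remaining fields must not be read from (or past) there. */
    if (offset >= offset_end) {
        *public_name = (const uint8_t *)"";
        return offset_end;
    }

    proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
                        tvb, offset, 1, ENC_BIG_ENDIAN);
    offset += 1;

    /* opaque public_name<1..2^8-1>: validate the length against the bytes
     * left instead of passing an unchecked value to the string item. */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &public_name_length,
                        hf->hf.ech_echconfigcontents_public_name_length, 1, UINT8_MAX)) {
        *public_name = (const uint8_t *)"";
        return offset_end;
    }
    offset += 1;
    proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
                                   tvb, offset, public_name_length, ENC_ASCII, pinfo->pool, public_name);
    offset += public_name_length;

    /* Extension extensions<0..2^16-1>; */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
                        hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + extensions_length;

    /* The extensions are not decoded, only shown as opaque bytes. */
    if (extensions_length > 0) {
        proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
                            tvb, offset, extensions_length, ENC_NA);
    }
    offset += extensions_length;

    if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
        offset = next_offset;
    }

    return offset;
}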
10002
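static int
dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                      proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* One ECHConfig (draft-ietf-tls-esni):
     *   uint16 version;
     *   uint16 length;
     *   select (version) { case 0xfe0d: ECHConfigContents contents; }
     *
     * Only version 0xfe0d is decoded; any other version gets an expert info
     * and its contents are left undecoded.
     *
     * Unlike the other dissectors in this file this returns the number of
     * bytes the ECHConfig claims to occupy (4 + length) rather than an
     * absolute offset; the caller adds it to its own offset. The value is
     * taken from the length field as-is, so a bogus length is caught by the
     * caller's ssl_end_vector(), not here.
     *
     * NOTE(review): the contents are bounded by offset_end (the caller's
     * limit) rather than by offset + 4 + length, so an inner vector that
     * spills into the following ECHConfig is not rejected at this level.
     */
    uint32_t version, length;
    proto_item *ech_ti;
    proto_tree *ech_tree;
    const uint8_t *public_name = NULL;
    uint32_t config_id = 0;

    ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA);
    ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);

    proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
                                 tvb, offset, 2, ENC_BIG_ENDIAN, &version);
    offset += 2;
    proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
                                 tvb, offset, 2, ENC_BIG_ENDIAN, &length);
    offset += 2;

    proto_item_set_len(ech_ti, 4 + length);

    switch (version) {
    case 0xfe0d:
        dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
        /* public_name is still NULL if the contents dissector did not get as
         * far as the name; never hand a NULL to "%s". */
        proto_item_append_text(ech_ti, ": id=%d %s", config_id,
                               public_name ? (const char *)public_name : "");
        break;

    default:
        expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version,
                               "Unsupported/unknown ECHConfig version 0x%x", version);
        break;
    }

    return 4 + length;
}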
10037
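uint32_t
ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                  proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* ECHConfigList (draft-ietf-tls-esni):
     *   ECHConfig ECHConfigList<1..2^16-1>;
     *
     * Dissects each ECHConfig in turn. Returns the offset after the list, or
     * offset_end when the 2-byte list length is out of range. A mismatch
     * between the summed ECHConfig sizes and the list length is reported by
     * ssl_end_vector() and the offset snapped to the end of the list.
     */
    uint32_t list_len = 0;
    uint32_t list_end;

    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_len,
                        hf->hf.ech_echconfiglist_length, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    list_end = offset + list_len;

    /* Bound each ECHConfig by the end of the list, not by offset_end: the
     * vector checks inside dissect_ech_echconfig() must not accept lengths
     * that run past the list into whatever follows it. Every call consumes
     * at least the 4-byte ECHConfig header, so the loop always progresses. */
    while (offset < list_end) {
        offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, list_end);
    }

    if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, list_end)) {
        offset = list_end;
    }

    return offset;
}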
10062
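static uint32_t
ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                              uint32_t offset, uint32_t offset_end)
{
    /* ech_outer_extensions (draft-ietf-tls-esni): a 1-byte length (minimum 2)
     * followed by a list of 2-byte ExtensionType values that the
     * ClientHelloInner borrows from ClientHelloOuter.
     *
     * Returns the offset after the list, or offset_end when the length byte
     * is out of range for [offset, offset_end).
     */
    uint32_t list_len = 0;
    uint32_t list_end;
    proto_tree *ext_tree;
    proto_item *ti;

    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_len,
                        hf->hf.hs_ext_ech_outer_ext_len, 2, UINT8_MAX)) {
        return offset_end;
    }
    offset += 1;
    list_end = offset + list_len;

    ti = proto_tree_add_none_format(tree,
                                    hf->hf.hs_ext_ech_outer_ext,
                                    tvb, offset, list_len,
                                    "Outer Extensions (%d extension%s)",
                                    list_len / 2,
                                    plurality(list_len/2, "", "s"));

    ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);

    /* Stop at the declared end of the list rather than at offset_end, so
     * bytes following the list are neither shown as extension types nor
     * flagged as an overrun by ssl_end_tor(); an odd trailing byte is still
     * reported below. */
    while (offset + 2 <= list_end) {
        proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN);
        offset += 2;
    }

    if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, list_end)) {
        offset = list_end;
    }

    return offset;
}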
10098
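static uint32_t
// NOLINTNEXTLINE(misc-no-recursion)
ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                              proto_tree *tree, uint32_t offset, uint32_t offset_end,
                              uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
{
    /*
     * encrypted_client_hello extension (0xfe0d) as carried in:
     *  - ClientHello: ECHClientHello. For the "outer" variant the payload is
     *    additionally decrypted when the key log (mk_map) holds ECH_SECRET
     *    and ECH_CONFIG entries for this session's client random. The
     *    recovered ClientHelloInner is dissected as a nested ClientHello and,
     *    when ssl is set, the bytes of the reconstructed inner hello are
     *    appended to ssl->ech_transcript.
     *  - EncryptedExtensions: ECHConfigList retry_configs.
     *  - HelloRetryRequest: opaque confirmation[8], compared against
     *    session->hrr_ech_confirmation when session->ech is set.
     *
     * Returns the offset after the parsed extension data. Every decryption
     * failure is non-fatal: it is logged with ssl_debug_printf() and the
     * payload is left as opaque bytes. The decrypt path re-enters
     * ssl_dissect_hnd_cli_hello() for the inner hello, hence the NOLINT on
     * recursion above.
     */
    uint32_t ch_type, length;
    proto_item *ti, *payload_ti;
    proto_tree *retry_tree, *payload_tree;
    /* The whole ClientHello; used as the AEAD's associated data and to size
     * the transcript copy. */
    uint32_t hello_length = tvb_reported_length(tvb);

    switch (hnd_type) {
    case SSL_HND_CLIENT_HELLO:
        /*
         * enum { outer(0), inner(1) } ECHClientHelloType;
         *
         * struct {
         *     ECHClientHelloType type;
         *     select (ECHClientHello.type) {
         *         case outer:
         *             HpkeSymmetricCipherSuite cipher_suite;
         *             uint8 config_id;
         *             opaque enc<0..2^16-1>;
         *             opaque payload<1..2^16-1>;
         *         case inner:
         *             Empty;
         *     };
         * } ECHClientHello;
         */

        proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN, &ch_type);
        offset += 1;
        switch (ch_type) {
        case 0: /* outer */
            /* Remember the first ClientHelloOuter of the session; the nonce
             * selection and the tag bookkeeping below use it to tell the
             * initial ClientHello from one sent after HelloRetryRequest. */
            if (ssl && session->first_ch_ech_frame == 0) {
                session->first_ch_ech_frame = pinfo->num;
            }
            offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
            /* The suite just consumed is kdf_id || aead_id (2 bytes each). */
            uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
            uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);

            proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN);
            uint8_t config_id = tvb_get_uint8(tvb, offset);
            offset += 1;
            proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN, &length);
            offset += 2;
            proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA);
            offset += length;
            proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN, &length);
            offset += 2;
            payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA);
            offset += length;
            /* From here on `length` is the encrypted payload length and
             * `offset` points just past the payload. */

            /* Decryption needs the key log and the client random as the
             * lookup key for the ECH entries. */
            if (!mk_map) {
                break;
            }
            if (session->client_random.data_len == 0) {
                ssl_debug_printf("%s missing Client Random\n", G_STRFUNC);
                break;
            }
            StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
            StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
            if (!ech_secret || !ech_config) {
                ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
                                 G_STRFUNC);
                break;
            }

            if (hpke_hkdf_len(kdf_id) == 0) {
                ssl_debug_printf("Unsupported KDF\n");
                break;
            }

            if (hpke_aead_key_len(aead_id) == 0) {
                ssl_debug_printf("Unsupported AEAD\n");
                break;
            }

            size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);

            /* The payload is ciphertext || tag; anything shorter than a tag
             * cannot be decrypted. */
            unsigned aead_auth_tag_len = hpke_aead_auth_tag_len(aead_id);
            if (length < aead_auth_tag_len) {
                ssl_debug_printf("Encrypted payload length %u < Cipher suite authentication tag length %u.\n", length, aead_auth_tag_len);
                break;
            }
            unsigned decrypted_len = length - aead_auth_tag_len;

            /* The ECHConfig comes from the key log rather than the wire, but
             * it is still external input: make sure the fixed header read
             * below (version[2] length[2] config_id[1] kem_id[2]) is actually
             * present. The fields are assembled byte-wise because the buffer
             * is an unsigned char array with no 2-byte alignment guarantee. */
            if (ech_config->data_len < 7) {
                ssl_debug_printf("Malformed ECH Config, too short\n");
                break;
            }
            uint16_t version = (uint16_t)((ech_config->data[0] << 8) | ech_config->data[1]);
            /* The ECHConfig version number is the same code point as the
             * extension type (0xfe0d). */
            if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO) {
                ssl_debug_printf("Unexpected version in ECH Config\n");
                break;
            }
            uint32_t ech_config_offset = 2;
            uint16_t ech_config_length = (uint16_t)((ech_config->data[ech_config_offset] << 8) |
                                                    ech_config->data[ech_config_offset + 1]);
            /* The length field must cover exactly the bytes after the 4-byte
             * header. */
            if (ech_config_length != ech_config->data_len - 4) {
                ssl_debug_printf("Malformed ECH Config, invalid length\n");
                break;
            }
            ech_config_offset += 2;
            /* The config_id sent in the ClientHello must select this config. */
            if (ech_config->data[ech_config_offset] != config_id) {
                ssl_debug_printf("ECH Config config_id mismatch\n");
                break;
            }
            ech_config_offset += 1;
            uint16_t kem_id = (uint16_t)((ech_config->data[ech_config_offset] << 8) |
                                         ech_config->data[ech_config_offset + 1]);
            uint8_t suite_id[HPKE_SUIT_ID_LEN];
            hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
            /* HPKE info = "tls ech" || 0x00 || ECHConfig; the 8-byte length
             * deliberately includes the string's NUL terminator. */
            GByteArray *info = g_byte_array_new();
            g_byte_array_append(info, (const uint8_t*)"tls ech", 8);
            g_byte_array_append(info, ech_config->data, ech_config->data_len);
            uint8_t key[AEAD_MAX_KEY_LENGTH];
            uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH];
            if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE,
                                  key, base_nonce)) {
                g_byte_array_free(info, TRUE);
                break;
            }
            g_byte_array_free(info, TRUE);
            /* Start from a NULL handle so the close() in the error path never
             * sees an indeterminate value if hpke_setup_aead() fails before
             * assigning it. The boolean passed to hpke_set_nonce() presumably
             * selects the nonce for a second (post-HRR) ClientHello; confirm
             * against that helper. */
            gcry_cipher_hd_t cipher = NULL;
            if (hpke_setup_aead(&cipher, aead_id, key) ||
                hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
                gcry_cipher_close(cipher);
                break;
            }
            /* The AAD is the ClientHelloOuter with the ECH payload zeroed in
             * place. Allocate it in packet scope: the tvb copy can throw on a
             * truncated capture, and an unscoped allocation would then leak. */
            const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
            uint8_t *ech_aad = (uint8_t *)wmem_alloc(pinfo->pool, hello_length);
            tvb_memcpy(tvb, ech_aad, 0, hello_length);
            memset(ech_aad + offset - length, 0, length);
            if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
                gcry_cipher_close(cipher);
                break;
            }
            uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, decrypted_len);
            if (gcry_cipher_decrypt(cipher, ech_decrypted_data, decrypted_len, payload, decrypted_len)) {
                gcry_cipher_close(cipher);
                break;
            }
            unsigned char *ech_auth_tag_calc = wmem_alloc0(pinfo->pool, aead_auth_tag_len);
            if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, aead_auth_tag_len)) {
                gcry_cipher_close(cipher);
                break;
            }
            /* Keep the tag computed for the first ClientHello so that later
             * (re)dissections of that frame compare against it. */
            if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
                memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, aead_auth_tag_len);
            gcry_cipher_close(cipher);
            /* A plain memcmp is fine here: this is a passive dissector, not a
             * verifier exposed to an attacker's timing. */
            if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
                       payload + decrypted_len, aead_auth_tag_len)) {
                ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC);
            } else {
                payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
                tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, decrypted_len, decrypted_len);
                add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
                if (ssl) {
                    /* The inner hello's random (at offset 2, after the 2-byte
                     * version) replaces the outer one as the session's
                     * client random. */
                    tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
                    /* Append a reconstructed ClientHelloInner handshake message
                     * to ssl->ech_transcript: 4-byte handshake header (type,
                     * 24-bit length patched in at the end), the inner hello's
                     * fixed fields, the outer hello's legacy_session_id, and
                     * the inner extensions with ech_outer_extensions expanded
                     * from ClientHelloOuter.
                     *
                     * NOTE(review): the buffer grows by hello_length + 4 per
                     * ClientHello; the copies below rely on the reconstructed
                     * inner hello never exceeding the outer hello's size,
                     * which the encrypted_client_hello check in the loop
                     * guards against. */
                    uint32_t len_offset = ssl->ech_transcript.data_len;
                    if (ssl->ech_transcript.data_len > 0)
                        ssl->ech_transcript.data = (unsigned char*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
                                                                                ssl->ech_transcript.data_len + hello_length + 4);
                    else
                        ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), hello_length + 4);
                    ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
                    ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
                    /* Copy ClientHelloInner up to the legacy_session_id field. */
                    tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
                    ssl->ech_transcript.data_len += 38;
                    /* Now copy the legacy_session_id field from ClientHelloOuter. */
                    ssl->ech_transcript.data[ssl->ech_transcript.data_len] = ssl->session_id.data_len;
                    ssl->ech_transcript.data_len++;
                    memcpy(&ssl->ech_transcript.data[ssl->ech_transcript.data_len], ssl->session_id.data, ssl->session_id.data_len);
                    ssl->ech_transcript.data_len += ssl->session_id.data_len;
                    /* Skip past the legacy_session_id field in ClientHelloInner
                     * (which should be the empty string, i.e. just a 0 size.) */
                    uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
                    /* Copy the Cipher Suites from ClientHelloInner. */
                    tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
                               2 + tvb_get_ntohs(ech_tvb, ech_offset));
                    ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
                    ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
                    /* Copy the Compression Methods */
                    tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
                               1 + tvb_get_uint8(ech_tvb, ech_offset));
                    ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
                    ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
                    /* Now replace extensions in ech_outer_extensions with the
                     * data from ClientHelloOuter. */
                    uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
                    ssl->ech_transcript.data_len += 2;
                    uint32_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
                    ech_offset += 2;
                    while (extensions_end - ech_offset >= 4) {
                        uint16_t ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
                        ech_offset += 2;
                        uint16_t ext_len = tvb_get_ntohs(ech_tvb, ech_offset);
                        ech_offset += 2;
                        if (ext_type != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS) {
                            /* Copy this extension directly */
                            tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len,
                                       ech_offset - 4, 4 + ext_len);
                            ssl->ech_transcript.data_len += 4 + ext_len;
                            ech_offset += ext_len;
                        } else if (ext_len > 0) {
                            /* ech_outer_extensions: a 1-byte count of 2-byte
                             * extension types to pull, in order, from
                             * ClientHelloOuter. */
                            unsigned num_ech_outer_extensions = tvb_get_uint8(ech_tvb, ech_offset);
                            ech_offset += 1;
                            uint32_t ech_outer_extensions_end = ech_offset + num_ech_outer_extensions;
                            /* In ClientHelloOuter, skip past the legacy_session_id */
                            uint32_t outer_offset = 35 + tvb_get_uint8(tvb, 34);
                            /* Skip past Cipher Suites */
                            outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
                            /* Skip past Compression Methods */
                            outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
                            /* Now at the start of ClientHelloOuter's extensions */
                            while (ech_outer_extensions_end - ech_offset >= 2) {
                                ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
                                if (ext_type == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO) {
                                    ssl_debug_printf("Illegal parameter; encrypted_client_hello cannot appear within ech_outer_extensions\n");
                                    /* This could lead to a buffer overflow by
                                     * making the post-copying ClientHelloInner
                                     * longer than ClientHelloOuter and is
                                     * illegal, so don't copy. */
                                    break;
                                }
                                /* outer_offset only ever moves forward, so each
                                 * outer extension can be copied at most once and
                                 * references must be in order. */
                                bool found = false;
                                while (tvb_reported_length_remaining(tvb, outer_offset) >= 4) {
                                    uint16_t outer_ext_type = tvb_get_ntohs(tvb, outer_offset);
                                    uint16_t outer_ext_len = tvb_get_ntohs(tvb, outer_offset + 2);
                                    if (ext_type == outer_ext_type) {
                                        tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
                                                   4 + outer_ext_len);
                                        ssl->ech_transcript.data_len += 4 + outer_ext_len;
                                        outer_offset += 4 + outer_ext_len;
                                        found = true;
                                        break;
                                    } else {
                                        outer_offset += 4 + outer_ext_len;
                                    }
                                }
                                if (!found) {
                                    ssl_debug_printf("Extension %s was not found in ClientHelloOuter (possibly out of order or referenced more than once)\n", val_to_str(pinfo->pool, ext_type, tls_hello_extension_types, "unknown (0x%02x)"));
                                }
                                ech_offset += 2;
                            }
                        }
                    }
                    /* Patch the extensions length and the 24-bit handshake
                     * message length now that the final size is known. */
                    uint16_t ech_extensions_len_be = GUINT16_TO_BE(ssl->ech_transcript.data_len - ech_extensions_len_offset - 2);
                    *(ssl->ech_transcript.data + ech_extensions_len_offset) = ech_extensions_len_be & 0xff;
                    *(ssl->ech_transcript.data + ech_extensions_len_offset + 1) = (ech_extensions_len_be >> 8);
                    *(ssl->ech_transcript.data + len_offset + 2) = ((ssl->ech_transcript.data_len - len_offset - 4) >> 8);
                    *(ssl->ech_transcript.data + len_offset + 3) = (ssl->ech_transcript.data_len - len_offset - 4) & 0xff;
                }
                /* Dissect the inner hello; whatever follows it is padding. */
                uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, decrypted_len, session,
                                                                                 ssl, NULL, mk_map);
                if (ech_padding_begin < decrypted_len) {
                    proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, decrypted_len - ech_padding_begin,
                                        ENC_NA);
                }
            }

            break;
        case 1: /* inner */
            /* The inner variant carries no body. */
            break;
        }
        break;

    case SSL_HND_ENCRYPTED_EXTENSIONS:
        /*
         * struct {
         *     ECHConfigList retry_configs;
         * } ECHEncryptedExtensions;
         */

        ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA);
        retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
        offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
        break;

    case SSL_HND_HELLO_RETRY_REQUEST:
        /*
         * struct {
         *     opaque confirmation[8];
         * } ECHHelloRetryRequest;
         */

        proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA);
        if (session->ech) {
            /* Show the value computed for this session as a generated item
             * and flag whether the server accepted or rejected ECH. */
            ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
            proto_item_set_generated(ti);
            if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
                expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
            } else {
                expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
            }
        }
        offset += 8;
        break;
    }

    return offset;
}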
10399
static uint32_t
ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               uint8_t hnd_type, SslDecryptSession *ssl _U_)
{
    /*
     * Dissect the body of the (draft) encrypted_server_name extension.
     *
     * ClientHello:
     *   struct {
     *       CipherSuite suite;
     *       KeyShareEntry key_share;
     *       opaque record_digest<0..2^16-1>;
     *       opaque encrypted_sni<0..2^16-1>;
     *   } ClientEncryptedSNI;
     * EncryptedExtensions: a 16-byte nonce.
     *
     * Returns the offset just past the consumed bytes. Each vector length is
     * validated by ssl_add_vector against [offset, offset_end); when it does
     * not fit, the rest of the extension is skipped by returning offset_end
     * (ssl_add_vector is expected to have flagged the bad length). Any other
     * handshake type returns offset unchanged.
     */
    if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
        proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA);
        return offset + 16;
    }
    if (hnd_type != SSL_HND_CLIENT_HELLO) {
        return offset;
    }

    /* CipherSuite suite */
    proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN);
    offset += 2;
    /* KeyShareEntry key_share */
    offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL);

    /* opaque record_digest<0..2^16-1> */
    uint32_t digest_len;
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &digest_len,
                        hf->hf.esni_record_digest_length, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    if (digest_len != 0) {
        proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, digest_len, ENC_NA);
        offset += digest_len;
    }

    /* opaque encrypted_sni<0..2^16-1> */
    uint32_t esni_len;
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &esni_len,
                        hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    if (esni_len != 0) {
        proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, esni_len, ENC_NA);
        offset += esni_len;
    }

    return offset;
}
10452/** TLS Extensions (in Client Hello and Server Hello). }}} */
10453
10454/* Connection ID dissection. {{{ */
static uint32_t
ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                              proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
                              uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
{
    /*
     * Dissect one connection_id extension body: a one-byte length (cidl,
     * already read by the caller) followed by cidl bytes of CID, and store
     * the CID in the session slots for later decryption lookups.
     *
     * The copy into file-scoped memory happens only on the first pass and
     * only for a non-empty CID. tvb_ensure_bytes_exist() runs before the
     * allocation, so a CID that is longer than the captured data is never
     * copied from past the end of the buffer (the bounds check is expected
     * to throw instead).
     *
     * Returns the offset just past the CID bytes.
     */
    if (cidl > 0 && !PINFO_FD_VISITED(pinfo)) {
        tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
        *session_cidl = cidl;
        *session_cid = (uint8_t *)wmem_alloc0(wmem_file_scope(), cidl);
        tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
        if (ssl != NULL) {
            ssl_add_session_by_cid(ssl);
        }
    }

    proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
                        tvb, offset, 1, ENC_NA);
    offset += 1;

    if (cidl == 0) {
        return offset;
    }
    proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
                        tvb, offset, cidl, ENC_NA);
    return offset + cidl;
}
10483
static uint32_t
ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                        proto_tree *tree, uint32_t offset, uint8_t hnd_type,
                                        SslSession *session, SslDecryptSession *ssl)
{
    /*
     * Route the connection_id extension to the per-direction slot of the
     * session: ClientHello -> client_cid, ServerHello -> server_cid. The
     * matching *_cid_len_present flag is set before the body is parsed, so a
     * zero-length CID is distinguishable from an absent extension. Any other
     * handshake type is left alone and offset is returned unchanged.
     */
    const uint8_t cidl = tvb_get_uint8(tvb, offset);
    uint8_t **cid_slot;
    uint8_t *cid_len_slot;

    if (hnd_type == SSL_HND_CLIENT_HELLO) {
        session->client_cid_len_present = true;
        cid_slot = &session->client_cid;
        cid_len_slot = &session->client_cid_len;
    } else if (hnd_type == SSL_HND_SERVER_HELLO) {
        session->server_cid_len_present = true;
        cid_slot = &session->server_cid;
        cid_len_slot = &session->server_cid_len;
    } else {
        return offset;
    }

    return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
                                         cidl, cid_slot, cid_len_slot);
} /* }}} */
10504
10505/* Trusted CA dissection. {{{ */
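static uint32_t
ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                                          uint32_t offset, uint32_t offset_end)
{
    proto_item *ti;
    proto_tree *subtree;
    uint32_t keys_length, next_offset;

    /*
     * struct {
     *     TrustedAuthority trusted_authorities_list<0..2^16-1>;
     * } TrustedAuthorities;
     *
     * struct {
     *     IdentifierType identifier_type;
     *     select (identifier_type) {
     *         case pre_agreed: struct {};
     *         case key_sha1_hash: SHA1Hash;
     *         case x509_name: DistinguishedName;
     *         case cert_sha1_hash: SHA1Hash;
     *     } identifier;
     * } TrustedAuthority;
     *
     * enum {
     *     pre_agreed(0), key_sha1_hash(1), x509_name(2),
     *     cert_sha1_hash(3), (255)
     * } IdentifierType;
     *
     * opaque DistinguishedName<1..2^16-1>;
     *
     * Returns the offset just past the TrustedAuthorities vector. The outer
     * length is bounded by ssl_add_vector against offset_end and each
     * DistinguishedName length against next_offset, so a hostile length
     * cannot move the offset beyond the enclosing vector. An unknown
     * identifier type has no known size, so only its type byte is consumed
     * and parsing resumes on the following byte.
     */

    /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
                        0, UINT16_MAX))
    {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + keys_length;

    if (keys_length > 0)
    {
        ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
                                        "Trusted CA keys (%u byte%s)", keys_length, plurality(keys_length, "", "s"));
        subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);

        while (offset < next_offset)
        {
            /* Number of bytes that follow the identifier_type byte of this entry. */
            uint32_t key_len = 0;
            uint32_t identifier_type = tvb_get_uint8(tvb, offset);

            // Use 0 as length for now as we'll only know the size when we decode the identifier
            proto_item *trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
                                                                      offset, 0, "Trusted CA Key");
            proto_tree *trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);

            proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
                                offset, 1, identifier_type);
            offset++;

            switch (identifier_type)
            {
            case 0: /* pre_agreed: struct {} */
                key_len = 0;
                break;

            case 2: { /* x509_name */
                asn1_ctx_t asn1_ctx;
                uint32_t name_length;

                asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);

                /* opaque DistinguishedName<1..2^16-1> */
                if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
                                    hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX)) {
                    return next_offset;
                }
                dissect_x509if_DistinguishedName(false, tvb, offset + 2, &asn1_ctx,
                                                 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
                /* Two-byte length plus the name itself, so that the item length
                 * set below covers the whole entry (previously it only covered
                 * the type byte for this case). */
                key_len = 2 + name_length;
                break;
            }

            case 1: /* key_sha1_hash */
            case 3: /* cert_sha1_hash */
                key_len = 20;
                /* opaque SHA1Hash[20]; */
                proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
                                    offset, 20, ENC_NA);
                break;

            default:
                key_len = 0;
                /*TODO display expert info about unknown ? */
                break;
            }
            proto_item_set_len(trusted_key_item, 1 + key_len);
            offset += key_len;
        }
    }

    if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
    {
        offset = next_offset;
    }

    return offset;
} /* }}} */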
10624
10625
10626/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
bool
ssl_is_valid_content_type(uint8_t type)
{
    /*
     * True only for the record-layer ContentType values this dissector
     * handles: ChangeCipherSpec, Alert, Handshake, ApplicationData,
     * Heartbeat, the TLS 1.2 CID record type and the DTLS 1.3 ACK.
     * Every other byte value is rejected.
     */
    const ContentType ct = (ContentType) type;

    return ct == SSL_ID_CHG_CIPHER_SPEC
        || ct == SSL_ID_ALERT
        || ct == SSL_ID_HANDSHAKE
        || ct == SSL_ID_APP_DATA
        || ct == SSL_ID_HEARTBEAT
        || ct == SSL_ID_TLS12_CID
        || ct == SSL_ID_DTLS13_ACK;
}
10642
bool
ssl_is_valid_handshake_type(uint8_t hs_type, bool is_dtls)
{
    /*
     * Whether hs_type is a HandshakeType this dissector accepts.
     * hello_verify_request exists only in DTLS, so it is valid iff is_dtls.
     * message_hash is explicitly rejected (in TLS 1.3 it is only a synthetic
     * transcript element, not a wire message). Unknown values are rejected.
     */
    const HandshakeType ht = (HandshakeType) hs_type;

    if (ht == SSL_HND_HELLO_VERIFY_REQUEST) {
        /* hello_verify_request is DTLS-only */
        return is_dtls;
    }
    if (ht == SSL_HND_MESSAGE_HASH) {
        return false;
    }

    switch (ht) {
    case SSL_HND_HELLO_REQUEST:
    case SSL_HND_CLIENT_HELLO:
    case SSL_HND_SERVER_HELLO:
    case SSL_HND_NEWSESSION_TICKET:
    case SSL_HND_END_OF_EARLY_DATA:
    case SSL_HND_HELLO_RETRY_REQUEST:
    case SSL_HND_ENCRYPTED_EXTENSIONS:
    case SSL_HND_CERTIFICATE:
    case SSL_HND_SERVER_KEY_EXCHG:
    case SSL_HND_CERT_REQUEST:
    case SSL_HND_SVR_HELLO_DONE:
    case SSL_HND_CERT_VERIFY:
    case SSL_HND_CLIENT_KEY_EXCHG:
    case SSL_HND_FINISHED:
    case SSL_HND_CERT_URL:
    case SSL_HND_CERT_STATUS:
    case SSL_HND_SUPPLEMENTAL_DATA:
    case SSL_HND_KEY_UPDATE:
    case SSL_HND_COMPRESSED_CERTIFICATE:
    case SSL_HND_ENCRYPTED_EXTS:
        return true;
    default:
        return false;
    }
}
10677
static bool
ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
                                     bool is_dtls)
{
    /*
     * Decide whether the version field carried by this message may be used
     * to set the session version. A ClientHello is excluded (its version is
     * only an offer, and a legacy value for TLS 1.3); every other valid
     * Handshake message and every valid non-Handshake record counts.
     */
    if (content_type == SSL_ID_HANDSHAKE) {
        if (handshake_type == SSL_HND_CLIENT_HELLO) {
            return false;
        }
        return ssl_is_valid_handshake_type(handshake_type, is_dtls);
    }
    return ssl_is_valid_content_type(content_type);
}
10690
/**
 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
 * Returns true if the supported_versions extension was found, false if not.
 *
 * @param tvb            Buffer holding the ServerHello body.
 * @param offset         Start of the body (the legacy_version field).
 * @param offset_end     End of the handshake message. Must not be below
 *                       offset: the remaining-length arithmetic is unsigned
 *                       and would wrap (caller's responsibility).
 * @param server_version Out: legacy_version, replaced by the value of a
 *                       supported_versions extension when that extension is
 *                       exactly two bytes long.
 * @param is_hrr         Optional out: whether Random equals
 *                       SHA256("HelloRetryRequest"). Always assigned when
 *                       non-NULL (false for a non-[D]TLS 1.2 version).
 */
bool
tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
                      uint16_t *server_version, bool *is_hrr)
{
    /* SHA256("HelloRetryRequest") */
    static const uint8_t tls13_hrr_random_magic[] = {
        0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
        0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
    };

    *server_version = tvb_get_ntohs(tvb, offset);

    /*
     * Smallest body that can carry a supported_versions extension:
     *   2 + 32 + 1 = 35 (version, random, session id length)
     *   2 +  1 + 2 =  5 (cipher suite, compression method, extensions length)
     *   2 +  2 + 2 =  6 (ext type, ext len, version)
     * Only a [legacy_]version of [D]TLS 1.2 is scanned; a 1.3 value in that
     * field is reported by a separate expert info.
     */
    const bool is_tls12 = *server_version == TLSV1DOT2_VERSION || *server_version == DTLSV1DOT2_VERSION;
    if (!is_tls12 || offset_end - offset < 46) {
        if (is_hrr) {
            *is_hrr = false;
        }
        return false;
    }

    offset += 2;                                   /* legacy_version */
    if (is_hrr) {
        *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
    }
    offset += 32;                                  /* random */

    const uint8_t session_id_length = tvb_get_uint8(tvb, offset);
    offset++;
    /* session_id, cipher suite (2), compression method (1), extensions length (2) */
    if (offset_end - offset < session_id_length + 5u) {
        return false;
    }
    offset += session_id_length + 5;

    for (;;) {
        if (offset_end - offset < 6) {
            break;
        }
        const uint16_t ext_type = tvb_get_ntohs(tvb, offset);
        const uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
        if (offset_end - offset < 4u + ext_len) {
            break; /* not enough data for type, length and data */
        }
        if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS) {
            if (ext_len == 2) {
                *server_version = tvb_get_ntohs(tvb, offset + 4);
            }
            return true;
        }
        offset += 4 + ext_len;
    }
    return false;
}
10752
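/**
 * Scan a Client Hello handshake message to see if the supported_versions
 * extension is found, in which case the version field is legacy_version.
 *
 * @param tvb        Buffer holding the ClientHello body.
 * @param offset     Start of the body (the client_version field).
 * @param offset_end End of the handshake message. Must not be below offset:
 *                   the remaining-length arithmetic is unsigned and would
 *                   wrap (caller's responsibility).
 * @return true when a supported_versions extension is present; false when it
 *         is absent, the version is not [D]TLS 1.2, or the message is too
 *         short to be walked safely.
 */
static bool
tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
{
    const uint16_t client_version = tvb_get_ntohs(tvb, offset);

    /*
     * Smallest body that can carry a supported_versions extension:
     *   2 + 32 + 1 = 35 (version, random, session id length)
     *   2 +  1 + 2 =  5 (cipher suites length, compression methods length, extensions length)
     *   2 +  2 + 2 =  6 (ext type, ext len, version)
     * Only a [legacy_]version of [D]TLS 1.2 is scanned; a 1.3 value in that
     * field is reported by a separate expert info.
     */
    if (!(client_version == TLSV1DOT2_VERSION || client_version == DTLSV1DOT2_VERSION)
        || offset_end - offset < 46) {
        return false;
    }

    offset += 2 + 32;                              /* client_version, random */
    const uint8_t session_id_length = tvb_get_uint8(tvb, offset);
    offset++;
    if (offset_end - offset < session_id_length + 2u) {
        return false;
    }
    offset += session_id_length;

    if (client_version == DTLSV1DOT2_VERSION) {
        /* opaque cookie<0..2^8-1>, DTLS only */
        const uint8_t cookie_length = tvb_get_uint8(tvb, offset);
        offset++;
        if (offset_end - offset < cookie_length + 2u) {
            return false;
        }
        /* Skip the cookie bytes; without this, cipher_suites_length would be
         * read from inside a non-empty cookie. */
        offset += cookie_length;
    }

    const uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
    offset += 2;
    if (offset_end - offset < cipher_suites_length + 1u) {
        return false;
    }
    offset += cipher_suites_length;

    const uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
    offset++;
    if (offset_end - offset < compression_methods_length + 2u) {
        return false;
    }
    offset += compression_methods_length + 2;      /* methods, extensions length */

    while (offset_end - offset >= 6) {
        const uint16_t ext_type = tvb_get_ntohs(tvb, offset);
        const uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
        if (offset_end - offset < 4u + ext_len) {
            break; /* not enough data for type, length and data */
        }
        if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS) {
            return true;
        }
        offset += 4 + ext_len;
    }
    return false;
}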
void
ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
                    uint8_t content_type, uint8_t handshake_type,
                    bool is_dtls, uint16_t version)
{
    /*
     * Update session->version and session->tls13_draft_version from the
     * version field of a record or handshake message, but only when that
     * message is authoritative for the version (a ClientHello is not) and
     * tls_try_get_version maps the value to a known version. When a
     * decryption session exists, its SSL_VERSION state bit is set as well.
     */
    uint8_t tls13_draft = 0;

    if (!ssl_is_authoritative_version_message(content_type, handshake_type, is_dtls)) {
        return;
    }

    const uint16_t resolved = tls_try_get_version(is_dtls, version, &tls13_draft);
    if (resolved == SSL_VER_UNKNOWN) {
        return;
    }

    session->tls13_draft_version = tls13_draft;
    session->version = resolved;

    if (ssl == NULL) {
        return;
    }
    ssl->state |= SSL_VERSION;
    ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC, resolved, ssl->state);
}
10839
void
ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
                        ContentType content_type,
                        unsigned record_length, proto_item *length_pi,
                        uint16_t version, tvbuff_t *decrypted_tvb)
{
    /*
     * Attach expert infos to the record length item when the record breaks
     * the length rules of the negotiated version:
     *  - zero-length Handshake, Alert and ChangeCipherSpec fragments
     *    (RFC 5246 (TLS 1.2), Section 6.2.1 forbids them; RFC 6520
     *    (Heartbeats) is silent on zero-length fragments, so they are
     *    assumed permitted; RFC 6347 (DTLS 1.2) is silent too, so TLS 1.2
     *    requirements are assumed),
     *  - TLSCiphertext longer than 2^14 + 256 (TLS 1.3) or 2^14 + 2048
     *    (RFC 5246, Section 6.2.3),
     *  - decrypted TLSPlaintext longer than 2^14.
     * Nothing is rejected here; the checks are purely diagnostic.
     */
    const unsigned max_expansion = (version == TLSV1DOT3_VERSION) ? 256 : 2048;
    const bool zero_length_forbidden = content_type == SSL_ID_CHG_CIPHER_SPEC
                                    || content_type == SSL_ID_ALERT
                                    || content_type == SSL_ID_HANDSHAKE;

    if (record_length == 0 && zero_length_forbidden) {
        expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
                               "Zero-length %s fragments are not allowed",
                               val_to_str_const(content_type, ssl_31_content_type, "unknown"));
    }
    if (record_length > TLS_MAX_RECORD_LENGTH + max_expansion) {
        expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
                               "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
    }
    if (decrypted_tvb != NULL && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH) {
        expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
                               "TLSPlaintext length MUST NOT exceed 2^14");
    }
}
10879
static void
ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
{
    /*
     * Record the negotiated cipher suite. session.cipher is always stored;
     * cipher_suite and the SSL_CIPHER state bit are set only when the suite
     * is known and consistent with the session version, so the delayed
     * decoder init never sees an unsupported or inconsistent suite.
     */
    ssl->session.cipher = cipher;

    const SslCipherSuite *cs = ssl_find_cipher(cipher);

    /* SSL 3.0 only has MD5 and SHA-1 MACs. A malicious capture pairing an
     * SSL 3.0 session with e.g. a SHA-256 suite would otherwise reach
     * ssl3_check_mac with a digest longer than it expects (potential buffer
     * overflow), so such a combination is refused. */
    const bool invalid_ssl3_mac = cs != NULL
                               && ssl->session.version == SSLV3_VERSION
                               && cs->dig != DIG_MD5 && cs->dig != DIG_SHA;

    if (cs == NULL || invalid_ssl3_mac) {
        ssl->cipher_suite = NULL;
        ssl->state &= ~SSL_CIPHER;
        if (cs == NULL) {
            ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC, cipher);
        } else {
            ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC, cipher);
        }
        return;
    }

    /* Cipher found, save this for the delayed decoder init */
    ssl->cipher_suite = cs;
    ssl->state |= SSL_CIPHER;
    ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC, cipher,
                     val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
                     ssl->state);
}
10907/* }}} */
10908
10909
10910/* Client Hello and Server Hello dissections. {{{ */
/* Forward declaration: the extension walker (defined elsewhere in this
 * translation unit, as it is static) is needed by the ClientHello and
 * ServerHello dissectors that follow. ja3/ja4_data collect fingerprint
 * input while the extensions are parsed. */
static int
ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                          packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
                          SslSession *session, SslDecryptSession *ssl,
                          bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
                          ssl_master_key_map_t *mk_map);
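/*
 * Append every entry of `list` (unsigned values stored with GUINT_TO_POINTER)
 * to `out` as comma-separated, four-digit, lower-case hex in list order.
 * Helper for the JA4_b / JA4_c raw strings; an empty list appends nothing.
 */
static void
ssl_ja4_append_hex_list(wmem_strbuf_t *out, wmem_list_t *list)
{
    const unsigned count = wmem_list_count(list);
    wmem_list_frame_t *entry = wmem_list_head(list);

    for (unsigned i = 0; i < count; i++) {
        if (i > 0) {
            wmem_strbuf_append(out, ",");
        }
        wmem_strbuf_append_printf(out, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(entry)));
        entry = wmem_list_frame_next(entry);
    }
}

/*
 * Truncated JA4 section hash: the first 12 hex characters of SHA-256 over
 * `raw`, or twelve zeros when `raw` is empty. The result is allocated from
 * `pool`; the intermediate GLib string is freed here.
 */
static char *
ssl_ja4_truncated_hash(wmem_allocator_t *pool, wmem_strbuf_t *raw)
{
    char *full_hash;

    if (wmem_strbuf_get_len(raw) == 0) {
        full_hash = g_strdup("000000000000");
    } else {
        full_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(raw), -1);
    }
    char *truncated = wmem_strndup(pool, full_hash, 12);
    g_free(full_hash);
    return truncated;
}

int
// NOLINTNEXTLINE(misc-no-recursion)
ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                          packet_info *pinfo, proto_tree *tree, uint32_t offset,
                          uint32_t offset_end, SslSession *session,
                          SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
{
    /* struct {
     *     ProtocolVersion client_version;
     *     Random random;
     *     SessionID session_id;
     *     opaque cookie<0..32>;                   //new field for DTLS
     *     CipherSuite cipher_suites<2..2^16-1>;
     *     CompressionMethod compression_methods<1..2^8-1>;
     *     Extension client_hello_extension_list<0..2^16-1>;
     * } ClientHello;
     *
     * Dissects the ClientHello body in [offset, offset_end) of tvb, feeds the
     * common fields and extensions to the session state, and adds the JA3 and
     * JA4 fingerprints as generated items. Every return value is relative to
     * tvb (not to the internal subset buffer): normally the offset just past
     * the parsed data, or the position reached when a length vector is
     * malformed. dtls_hfs is non-NULL for DTLS, where a cookie follows the
     * session id. The ECH extension re-enters this function for
     * ClientHelloInner, hence the NOLINT above.
     */
    proto_item *ti;
    proto_tree *cs_tree;
    uint32_t client_version;
    uint32_t cipher_suite_length;
    uint32_t compression_methods_length;
    uint32_t next_offset;
    const uint32_t initial_offset = offset;
    wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
    const char *ja3_dash = "";
    ja4_data_t ja4_data;
    wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
    wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
    wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");

    DISSECTOR_ASSERT_CMPINT(initial_offset, <=, offset_end);
    /* Work on a subset tvb so that every offset below is relative to the
     * hello body and bounded by its reported length. */
    tvbuff_t *hello_tvb = tvb_new_subset_length(tvb, initial_offset, offset_end - initial_offset);
    offset = 0;
    offset_end = tvb_reported_length(hello_tvb);

    ja4_data.max_version = 0;
    ja4_data.server_name_present = false;
    ja4_data.num_cipher_suites = 0;
    ja4_data.num_extensions = 0;
    ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
    ja4_data.cipher_list = wmem_list_new(pinfo->pool);
    ja4_data.extension_list = wmem_list_new(pinfo->pool);
    ja4_data.sighash_list = wmem_list_new(pinfo->pool);

    /* show the client version */
    ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, hello_tvb,
                                      offset, 2, ENC_BIG_ENDIAN,
                                      &client_version);
    if (tls_scan_client_hello(hello_tvb, offset, offset_end)) {
        /* supported_versions is present, so this field is only legacy_version */
        expert_add_info(pinfo, ti, &hf->ei.legacy_version);
    }
    offset += 2;
    wmem_strbuf_append_printf(ja3, "%i,", client_version);

    /*
     * Is it version 1.3?
     * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
     * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
     * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
     * Hello".
     */
    if (dtls_hfs != NULL) {
        if (client_version == DTLSV1DOT3_VERSION) {
            /* Don't do that. */
            expert_add_info(pinfo, ti, &hf->ei.client_version_error);
        }
    } else {
        if (client_version == TLSV1DOT3_VERSION) {
            /* Don't do that. */
            expert_add_info(pinfo, ti, &hf->ei.client_version_error);
        }
    }

    /* dissect fields that are present in both ClientHello and ServerHello */
    offset = ssl_dissect_hnd_hello_common(hf, hello_tvb, pinfo, tree, offset, session, ssl, false, false);

    /* fields specific for DTLS (cookie_len, cookie) */
    if (dtls_hfs != NULL) {
        uint32_t cookie_length;
        /* opaque cookie<0..32> (for DTLS only) */
        if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cookie_length,
                            dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
            return initial_offset + offset;
        }
        offset++;
        if (cookie_length > 0) {
            proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
                                hello_tvb, offset, cookie_length, ENC_NA);
            offset += cookie_length;
        }
    }

    /* CipherSuite cipher_suites<2..2^16-1> */
    if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
                        hf->hf.hs_cipher_suites_len, 2, UINT16_MAX)) {
        return initial_offset + offset;
    }
    offset += 2;
    next_offset = offset + cipher_suite_length;
    ti = proto_tree_add_none_format(tree,
                                    hf->hf.hs_cipher_suites,
                                    hello_tvb, offset, cipher_suite_length,
                                    "Cipher Suites (%u suite%s)",
                                    cipher_suite_length / 2,
                                    plurality(cipher_suite_length/2, "", "s"));
    cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
    while (offset + 2 <= next_offset) {
        uint32_t cipher_suite;

        proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, hello_tvb, offset, 2,
                                     ENC_BIG_ENDIAN, &cipher_suite);
        offset += 2;
        /* GREASE values (RFC 8701) are excluded from both fingerprints. JA3
         * keeps wire order; JA4 sorts the suites. */
        if (!IS_GREASE_TLS(cipher_suite)) {
            wmem_strbuf_append_printf(ja3, "%s%i", ja3_dash, cipher_suite);
            ja3_dash = "-";
            ja4_data.num_cipher_suites += 1;
            wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite), wmem_compare_uint);
        }
    }
    wmem_strbuf_append_c(ja3, ',');
    if (!ssl_end_vector(hf, hello_tvb, pinfo, cs_tree, offset, next_offset)) {
        offset = next_offset;
    }

    /* CompressionMethod compression_methods<1..2^8-1> */
    if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
                        hf->hf.hs_comp_methods_len, 1, UINT8_MAX)) {
        return initial_offset + offset;
    }
    offset++;
    next_offset = offset + compression_methods_length;
    ti = proto_tree_add_none_format(tree,
                                    hf->hf.hs_comp_methods,
                                    hello_tvb, offset, compression_methods_length,
                                    "Compression Methods (%u method%s)",
                                    compression_methods_length,
                                    plurality(compression_methods_length, "", "s"));
    cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
    while (offset < next_offset) {
        const uint8_t compression_method = tvb_get_uint8(hello_tvb, offset);
        /* TODO: make reserved/private comp meth. fields selectable */
        if (compression_method < 64) {
            proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
                                hello_tvb, offset, 1, compression_method);
        } else if (compression_method < 193) {
            proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
                                             compression_method, "Reserved - to be assigned by IANA (%u)",
                                             compression_method);
        } else {
            proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
                                             compression_method, "Private use range (%u)",
                                             compression_method);
        }
        offset++;
    }

    /* SSL v3.0 has no extensions, so length field can indeed be missing. */
    if (offset < offset_end) {
        offset = ssl_dissect_hnd_extension(hf, hello_tvb, tree, pinfo, offset,
                                           offset_end, SSL_HND_CLIENT_HELLO,
                                           session, ssl, dtls_hfs != NULL, ja3, &ja4_data, mk_map);
        /* JA4 uses the version the extension walker recorded in max_version
         * (when it found one) instead of legacy_version. */
        if (ja4_data.max_version > 0) {
            client_version = ja4_data.max_version;
        }
    } else {
        wmem_strbuf_append_printf(ja3, ",,");
    }

    /* JA4_a: transport, version, SNI presence, two-digit counts (capped at 99), ALPN */
    if (proto_is_frame_protocol(pinfo->layers, "tcp")) {
        wmem_strbuf_append(ja4_a, "t");
    } else if (proto_is_frame_protocol(pinfo->layers, "quic")) {
        wmem_strbuf_append(ja4_a, "q");
    } else if (proto_is_frame_protocol(pinfo->layers, "dtls")) {
        wmem_strbuf_append(ja4_a, "d");
    }
    wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
    wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
    if (ja4_data.num_cipher_suites > 99) {
        wmem_strbuf_append(ja4_a, "99");
    } else {
        wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
    }
    if (ja4_data.num_extensions > 99) {
        wmem_strbuf_append(ja4_a, "99");
    } else {
        wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
    }
    if (wmem_strbuf_get_len(ja4_data.alpn) > 0) {
        wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
    } else {
        wmem_strbuf_append(ja4_a, "00");
    }

    /* JA4_b raw: sorted cipher suites. JA4_c raw: extensions, then "_" and
     * the signature algorithms when there are any. */
    ssl_ja4_append_hex_list(ja4_br, ja4_data.cipher_list);
    ssl_ja4_append_hex_list(ja4_cr, ja4_data.extension_list);
    if (wmem_list_count(ja4_data.sighash_list) > 0) {
        wmem_strbuf_append(ja4_cr, "_");
        ssl_ja4_append_hex_list(ja4_cr, ja4_data.sighash_list);
    }

    char *ja4_b = ssl_ja4_truncated_hash(pinfo->pool, ja4_br);
    char *ja4_c = ssl_ja4_truncated_hash(pinfo->pool, ja4_cr);

    char *ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
    char *ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));

    ti = proto_tree_add_string(tree, hf->hf.hs_ja4, hello_tvb, offset, 0, ja4);
    proto_item_set_generated(ti);
    ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, hello_tvb, offset, 0, ja4_r);
    proto_item_set_generated(ti);

    /* JA3 is the MD5 of the full comma-separated string. */
    char *ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
                                                   wmem_strbuf_get_len(ja3));
    ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, hello_tvb, offset, 0, wmem_strbuf_get_str(ja3));
    proto_item_set_generated(ti);
    ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, hello_tvb, offset, 0, ja3_hash);
    proto_item_set_generated(ti);
    g_free(ja3_hash);

    return initial_offset + offset;
}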
11177
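void
ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                          packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
                          SslSession *session, SslDecryptSession *ssl,
                          bool is_dtls, bool is_hrr)
{
    /* struct {
     *     ProtocolVersion server_version;
     *     Random random;
     *     SessionID session_id;                    // TLS 1.2 and before
     *     CipherSuite cipher_suite;
     *     CompressionMethod compression_method;    // TLS 1.2 and before
     *     Extension server_hello_extension_list<0..2^16-1>;
     * } ServerHello;
     *
     * Dissects a ServerHello (or, with is_hrr, a TLS 1.3 HelloRetryRequest
     * carried in ServerHello form) from tvb[offset, offset_end).
     *
     * Side effects: sets the protocol column, tentatively marks the session
     * as resumed, and when decryption state (ssl) is present records the
     * selected cipher suite / compression method, appends this message to
     * the ECH transcript and checks the ECH acceptance confirmation.
     * Generated JA3S items are added at the end.
     *
     * Out-of-range reads go through the tvb accessors and therefore raise
     * a dissector exception rather than reading out of bounds; the explicit
     * range checks below only decide which branch is taken.
     */
    uint8_t        draft_version = session->tls13_draft_version;
    proto_item    *ti;
    uint32_t       server_version;
    uint32_t       cipher_suite;
    uint32_t       initial_offset = offset;
    wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
    char          *ja3_hash;

    col_set_str(pinfo->cinfo, COL_PROTOCOL,
                val_to_str_const(session->version, ssl_version_short_names, "SSL"));

    /* Initially assume that the session is resumed. If this is not the case, a
     * ServerHelloDone will be observed before the ChangeCipherSpec message
     * which will reset this flag. */
    session->is_session_resumed = true;

    /* show the server version */
    ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
                                      offset, 2, ENC_BIG_ENDIAN, &server_version);

    uint16_t supported_server_version;
    if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL)) {
        expert_add_info(pinfo, ti, &hf->ei.legacy_version);
    }
    /*
     * Is it version 1.3?
     * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
     * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
     * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
     * Hello".
     */
    if (is_dtls) {
        if (server_version == DTLSV1DOT3_VERSION) {
            /* Don't do that. */
            expert_add_info(pinfo, ti, &hf->ei.server_version_error);
        }
    } else {
        if (server_version == TLSV1DOT3_VERSION) {
            /* Don't do that. */
            expert_add_info(pinfo, ti, &hf->ei.server_version_error);
        }
    }

    offset += 2;
    wmem_strbuf_append_printf(ja3, "%i", server_version);

    /* dissect fields that are present in both ClientHello and ServerHello */
    offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true, is_hrr);

    if (ssl) {
        /* store selected cipher suite for decryption */
        ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
    }

    /* now the server-selected cipher suite */
    proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
                                 tvb, offset, 2, ENC_BIG_ENDIAN, &cipher_suite);
    offset += 2;
    wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);

    /* No compression with TLS 1.3 before draft -22 */
    if (!(session->version == TLSV1DOT3_VERSION && draft_version > 0 && draft_version < 22)) {
        if (ssl) {
            /* store selected compression method for decryption */
            ssl->session.compression = tvb_get_uint8(tvb, offset);
        }
        /* and the server-selected compression method */
        proto_tree_add_item(tree, hf->hf.hs_comp_method,
                            tvb, offset, 1, ENC_BIG_ENDIAN);
        offset++;
    }

    /* SSL v3.0 has no extensions, so length field can indeed be missing. */
    if (offset < offset_end) {
        offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
                                           offset_end,
                                           is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
                                           session, ssl, is_dtls, ja3, NULL, NULL);
    }

    /*
     * ECH acceptance confirmation (draft-ietf-tls-esni): the server signals
     * acceptance by placing 8 bytes derived from the inner ClientHello's
     * random and the transcript-so-far into the last 8 bytes of
     * ServerHello.random (or, for HRR, into the ech extension payload).
     * We recompute the transcript hash with those 8 bytes zeroed and compare.
     * Requires a pending ECH transcript, a known cipher suite (for the
     * digest) and a client random to key HKDF-Extract.
     */
    if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER) && ssl->client_random.data_len > 0) {
        /* NOTE(review): ssl_cipher_suite_dig() is dereferenced unchecked;
         * presumably SSL_CIPHER guarantees a known suite — confirm. */
        int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
        if (hash_algo) {
            SSL_MD mc;
            unsigned char transcript_hash[DIGEST_MAX_SIZE];
            unsigned char prk[DIGEST_MAX_SIZE];
            unsigned char *ech_verify_out = NULL;
            unsigned int len;
            ssl_md_init(&mc, hash_algo);
            ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
            if (is_hrr) {
                /* For HRR the transcript so far is replaced by a synthetic
                 * message_hash handshake message (RFC 8446 4.4.1); keep room
                 * for this HRR (4-byte header + body) behind it. */
                ssl_md_final(&mc, transcript_hash, &len);
                ssl_md_cleanup(&mc);
                wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
                ssl->ech_transcript.data_len = 4 + len;
                ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
                ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
                ssl->ech_transcript.data[1] = 0;
                ssl->ech_transcript.data[2] = 0;
                ssl->ech_transcript.data[3] = len;
                memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
                ssl_md_init(&mc, hash_algo);
                ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
            } else {
                /* Grow the stored transcript to hold this ServerHello
                 * (4-byte handshake header + body). */
                ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
                                                        ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
            }
            if (initial_offset > 4) {
                /* The 4-byte handshake header precedes the body in this tvb;
                 * copy header + body verbatim into the transcript, but hash
                 * only up to the confirmation bytes (header 4 + version 2 +
                 * random 32 = 38 for HRR, 30 = up to the last 8 random bytes
                 * for ServerHello). */
                tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
                           4 + offset_end - initial_offset);
                if (is_hrr)
                    ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 38), 38);
                else
                    ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 30), 30);
            } else {
                /* No header in this tvb (e.g. reassembled body): synthesize
                 * it. NOTE(review): the length field uses `offset`, the
                 * position after extension parsing, while the copy below uses
                 * offset_end; these agree only when the extensions were fully
                 * consumed — confirm this is intended. */
                uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
                prefix[2] = ((offset - initial_offset) >> 8);
                prefix[3] = (offset - initial_offset) & 0xff;
                memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
                tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
                           offset_end - initial_offset);
                ssl_md_update(&mc, prefix, 4);
                if (is_hrr)
                    ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 34), 34);
                else
                    ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 26), 26);
            }
            ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
            uint8_t zeros[8] = { 0 };
            /* ServerHello: the confirmation is the last 8 bytes of random
             * (version 2 + 24 bytes of random = 26 into the body). */
            uint32_t confirmation_offset = initial_offset + 26;
            if (is_hrr) {
                /* HRR: hash the rest of the message, substituting zeros for
                 * the 8-byte payload of the ech extension, which is where the
                 * confirmation lives. Walk: session_id, cipher suite (2) +
                 * compression (1), extensions length (2), then extensions. */
                uint32_t hrr_offset = initial_offset + 34;
                ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset,
                              tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
                hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
                ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 3), 3);
                hrr_offset += 3;
                uint32_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
                ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 2), 2);
                hrr_offset += 2;
                /* Both operands are unsigned: guard against hrr_offset having
                 * overshot extensions_end (malformed extension length), which
                 * would otherwise wrap the difference and keep the loop
                 * running until a tvb exception ends dissection. */
                while (hrr_offset <= extensions_end && extensions_end - hrr_offset >= 4) {
                    if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO &&
                        tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
                        confirmation_offset = hrr_offset + 4;
                        ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 4), 4);
                        ssl_md_update(&mc, zeros, 8);
                        hrr_offset += 12;
                    } else {
                        /* Any other extension is hashed as-is: type + length + body. */
                        uint32_t ext_total = tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
                        ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, ext_total), ext_total);
                        hrr_offset += ext_total;
                    }
                }
            } else {
                /* ServerHello: zeros in place of the last 8 random bytes, then
                 * everything after random up to where parsing stopped. */
                ssl_md_update(&mc, zeros, 8);
                ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
                              offset - initial_offset - 34);
            }
            ssl_md_final(&mc, transcript_hash, &len);
            ssl_md_cleanup(&mc);
            /* NOTE(review): 32 bytes of client_random are consumed but the
             * guard above only requires data_len > 0; a (D)TLS random is
             * always 32 bytes, so this presumably holds — confirm. */
            hkdf_extract(hash_algo, NULL, 0, ssl->client_random.data, 32, prk);
            StringInfo prk_string = {prk, len};
            if (tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
                                                is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
                                                transcript_hash, len, 8, &ech_verify_out)) {
                memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
                if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
                    /* Mismatch (or confirmation out of range): ECH was not
                     * accepted, so fall back to the outer ClientHello random. */
                    if (is_hrr) {
                        ssl->session.hrr_ech_declined = true;
                        ssl->session.first_ch_ech_frame = 0;
                    }
                    memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
                    ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
                }
                wmem_free(NULL, ech_verify_out);
            }
            ssl->session.ech = true;
        }
    }

    ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
                                             wmem_strbuf_get_len(ja3));
    ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
    proto_item_set_generated(ti);
    ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
    proto_item_set_generated(ti);
    g_free(ja3_hash);
}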
11381/* Client Hello and Server Hello dissections. }}} */
11382
11383/* New Session Ticket dissection. {{{ */
void
ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               SslSession *session, SslDecryptSession *ssl,
                               bool is_dtls, GHashTable *session_hash)
{
    /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
     * struct {
     *     uint32 ticket_lifetime_hint;
     *     opaque ticket<0..2^16-1>;
     * } NewSessionTicket;
     *
     * RFC 8446 Section 4.6.1 (TLS 1.3):
     * struct {
     *     uint32 ticket_lifetime;
     *     uint32 ticket_age_add;
     *     opaque ticket_nonce<0..255>;    // new in draft -21, updated in -22
     *     opaque ticket<1..2^16-1>;
     *     Extension extensions<0..2^16-2>;
     * } NewSessionTicket;
     *
     * Dissects the message into a "TLS Session Ticket" subtree. For TLS <= 1.2
     * with decryption state available, the ticket bytes are also cached on
     * `ssl` and associated with the current master secret so a later
     * resumption by ticket can be decrypted.
     */
    const bool          is_tls13 = (session->version == TLSV1DOT3_VERSION ||
                                    session->version == DTLSV1DOT3_VERSION);
    const unsigned char draft    = session->tls13_draft_version;
    proto_tree         *ticket_tree;
    proto_item         *lifetime_item;
    uint32_t            lifetime;
    uint32_t            ticket_length;

    ticket_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                         hf->ett.session_ticket, NULL,
                                         "TLS Session Ticket");

    /* ticket_lifetime_hint (<= 1.2) / ticket_lifetime (1.3), in seconds */
    lifetime_item = proto_tree_add_item_ret_uint(ticket_tree, hf->hf.hs_session_ticket_lifetime_hint,
                                                 tvb, offset, 4, ENC_BIG_ENDIAN, &lifetime);
    offset += 4;
    if (lifetime >= 60) {
        /* Only spell out a duration once it is at least a minute. */
        proto_item_append_text(lifetime_item, " (%s)",
                               unsigned_time_secs_to_str(pinfo->pool, lifetime));
    }

    if (is_tls13) {
        proto_tree_add_item(ticket_tree, hf->hf.hs_session_ticket_age_add,
                            tvb, offset, 4, ENC_BIG_ENDIAN);
        offset += 4;

        /* ticket_nonce exists from draft -21 on; draft 0 means the final RFC. */
        if (draft == 0 || draft >= 21) {
            uint32_t nonce_length;

            if (!ssl_add_vector(hf, tvb, pinfo, ticket_tree, offset, offset_end, &nonce_length,
                                hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
                return;
            }
            offset++;
            proto_tree_add_item(ticket_tree, hf->hf.hs_session_ticket_nonce,
                                tvb, offset, nonce_length, ENC_NA);
            offset += nonce_length;
        }
    }

    /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1); the vector
     * helper validates the length against offset_end and adds expert info. */
    if (!ssl_add_vector(hf, tvb, pinfo, ticket_tree, offset, offset_end, &ticket_length,
                        hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX)) {
        return;
    }
    offset += 2;

    /* Ticket contents are opaque to us; just expose the bytes. */
    proto_tree_add_item(ticket_tree, hf->hf.hs_session_ticket,
                        tvb, offset, ticket_length, ENC_NA);

    if (ssl != NULL && !is_tls13) {
        if (ssl->session.is_session_resumed) {
            /* NewSessionTicket is received in ServerHello before ChangeCipherSpec
             * (Abbreviated Handshake Using New Session Ticket).
             * Restore the master key for this session ticket before saving
             * it to the new session ticket. */
            ssl_restore_master_key(ssl, "Session Ticket", false,
                                   session_hash, &ssl->session_ticket);
        }
        /* Make sure the whole ticket is in the capture before copying it out
         * of the tvb into file-scoped storage. NOTE(review): with a zero
         * length ticket (legal before 1.3) the realloc target size is 0 —
         * confirm wmem_realloc semantics for that case. */
        tvb_ensure_bytes_exist(tvb, offset, ticket_length);
        ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
                                                                ssl->session_ticket.data, ticket_length);
        ssl->session_ticket.data_len = ticket_length;
        tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_length);
        /* NewSessionTicket is received after the first (client)
         * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
         * Since the second CCS has already the session key available it will
         * just return. To ensure that the session ticket is mapped to a
         * master key (from the first CCS), save the ticket here too. */
        ssl_save_master_key("Session Ticket", session_hash,
                            &ssl->session_ticket, &ssl->master_secret);
        ssl->state |= SSL_NEW_SESSION_TICKET;
    }
    offset += ticket_length;

    /* TLS 1.3 trailer: Extension extensions<0..2^16-2> */
    if (is_tls13) {
        ssl_dissect_hnd_extension(hf, tvb, ticket_tree, pinfo, offset,
                                  offset_end, SSL_HND_NEWSESSION_TICKET,
                                  session, ssl, is_dtls, NULL, NULL, NULL);
    }
} /* }}} */
11491
void
ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                    packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                    SslSession *session, SslDecryptSession *ssl,
                                    bool is_dtls)
{
    /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
     * struct {
     *     ProtocolVersion server_version;
     *     CipherSuite cipher_suite;        // not before draft -19
     *     Extension extensions<2..2^16-1>;
     * } HelloRetryRequest;
     * Note: no longer used since draft -22
     *
     * Dissects the pre-draft-22 standalone HelloRetryRequest message. The
     * draft number is recovered from the version field; 0 denotes the final
     * (RFC 8446) numbering, which for this legacy message is treated like
     * the newer drafts.
     */
    uint32_t legacy_version;
    uint8_t  draft;
    bool     has_cipher_suite;

    proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
                                 offset, 2, ENC_BIG_ENDIAN, &legacy_version);
    offset += 2;
    draft = extract_tls13_draft_version(legacy_version);

    /* cipher_suite was introduced with draft -19 */
    has_cipher_suite = (draft == 0 || draft >= 19);
    if (has_cipher_suite) {
        proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
                            tvb, offset, 2, ENC_BIG_ENDIAN);
        offset += 2;
    }

    /* The remainder is the extension vector; no JA3/JA4 collection here. */
    ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
                              offset_end, SSL_HND_HELLO_RETRY_REQUEST,
                              session, ssl, is_dtls, NULL, NULL, NULL);
}
11524
void
ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                     packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                     SslSession *session, SslDecryptSession *ssl,
                                     bool is_dtls)
{
    /* RFC 8446 Section 4.3.1
     * struct {
     *     Extension extensions<0..2^16-1>;
     * } EncryptedExtensions;
     *
     * The message body is nothing but an extension vector, so it is handed
     * straight to the shared extension walker. No JA3/JA4 collector and no
     * master-key map apply to this message.
     */
    const uint8_t hnd_type = SSL_HND_ENCRYPTED_EXTENSIONS;

    (void) ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset, offset_end,
                                     hnd_type, session, ssl, is_dtls,
                                     NULL, NULL, NULL);
}
11540
11541/* Certificate and Certificate Request dissections. {{{ */
/* True when the session negotiated (D)TLS 1.3, whose Certificate message
 * carries a request context and per-entry extensions. */
static inline bool
hnd_cert_is_tls13(const SslSession *session)
{
    return session->version == TLSV1DOT3_VERSION ||
           session->version == DTLSV1DOT3_VERSION;
}

void
ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                     uint32_t offset, uint32_t offset_end, packet_info *pinfo,
                     SslSession *session, SslDecryptSession *ssl _U_,
                     bool is_from_server, bool is_dtls)
{
    /* opaque ASN.1Cert<1..2^24-1>;
     *
     * Before RFC 8446 (TLS <= 1.2):
     *  struct {
     *     select(certificate_type) {
     *
     *         // certificate type defined in RFC 7250
     *         case RawPublicKey:
     *           opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
     *
     *         // X.509 certificate defined in RFC 5246
     *         case X.509:
     *           ASN.1Cert certificate_list<0..2^24-1>;
     *     };
     *  } Certificate;
     *
     * RFC 8446 (since draft -20):
     *  struct {
     *      select(certificate_type){
     *          case RawPublicKey:
     *            // From RFC 7250 ASN.1_subjectPublicKeyInfo
     *            opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
     *
     *          case X.509:
     *            opaque cert_data<1..2^24-1>;
     *      }
     *      Extension extensions<0..2^16-1>;
     *  } CertificateEntry;
     *  struct {
     *      opaque certificate_request_context<0..2^8-1>;
     *      CertificateEntry certificate_list<0..2^24-1>;
     *  } Certificate;
     *
     * Dissects a Certificate message from either peer. The certificate type
     * (X.509 vs. raw public key) comes from what was negotiated for the
     * sending side. With GnuTLS, the first server X.509 certificate is also
     * used to look up a configured private key for decryption.
     */
    enum { CERT_X509, CERT_RPK } kind;
    asn1_ctx_t asn1_ctx;
#if defined(HAVE_LIBGNUTLS)
    gnutls_datum_t subjectPublicKeyInfo = { NULL, 0 };
    unsigned certificate_index = 0;
#endif
    uint32_t list_end, list_len, entry_len;
    proto_tree *subtree = tree;
    bool rpk_negotiated;

    asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);

    /* Which certificate type did the sending side negotiate? */
    rpk_negotiated = is_from_server
        ? session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY
        : session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY;
    kind = rpk_negotiated ? CERT_RPK : CERT_X509;

#if defined(HAVE_LIBGNUTLS)
    /* Ask the pkcs1 dissector to return the public key details */
    if (ssl)
        asn1_ctx.private_data = &subjectPublicKeyInfo;
#endif

    /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
    if (hnd_cert_is_tls13(session)) {
        uint32_t context_length;
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
                            hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX)) {
            return;
        }
        offset++;
        if (context_length > 0) {
            proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
                                tvb, offset, context_length, ENC_NA);
            offset += context_length;
        }
    }

    if (kind == CERT_RPK && !hnd_cert_is_tls13(session)) {
        /* For RPK before TLS 1.3, the single RPK is stored directly without
         * another "certificate_list" field. */
        list_len = offset_end - offset;
        list_end = offset_end;
    } else {
        /* CertificateEntry certificate_list<0..2^24-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_len,
                            hf->hf.hs_certificates_len, 0, G_MAXUINT24)) {
            return;
        }
        offset += 3; /* 24-bit length value */
        list_end = offset + list_len;
    }

    /* RawPublicKey must have one cert, but X.509 can have multiple, so only
     * the X.509 case gets a "Certificates" container item. */
    if (kind == CERT_X509 && list_len > 0) {
        proto_item *certs_item = proto_tree_add_none_format(tree,
                                                            hf->hf.hs_certificates,
                                                            tvb, offset, list_len,
                                                            "Certificates (%u bytes)",
                                                            list_len);
        subtree = proto_item_add_subtree(certs_item, hf->ett.certificates);
    }

    while (offset < list_end) {
        if (kind == CERT_RPK) {
            /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
            /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
            if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, list_end, &entry_len,
                                hf->hf.hs_certificate_len, 1, G_MAXUINT24)) {
                return;
            }
            offset += 3;

            /* NOTE(review): unlike the X.509 path below, no private-key lookup
             * is attempted for a server RPK — presumably unsupported, confirm. */
            dissect_x509af_SubjectPublicKeyInfo(false, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
            offset += entry_len;
        } else {
            /* opaque ASN1Cert<1..2^24-1> */
            if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, list_end, &entry_len,
                                hf->hf.hs_certificate_len, 1, G_MAXUINT24)) {
                return;
            }
            offset += 3;

            dissect_x509af_Certificate(false, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
#if defined(HAVE_LIBGNUTLS)
            if (is_from_server && ssl && certificate_index == 0) {
                ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
                /* Only attempt to get the RSA modulus for the first cert. */
                asn1_ctx.private_data = NULL;
            }
#endif
            offset += entry_len;
        }

        /* TLS 1.3: Extension extensions<0..2^16-1> */
        if (hnd_cert_is_tls13(session)) {
            offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
                                               list_end, SSL_HND_CERTIFICATE,
                                               session, ssl, is_dtls, NULL, NULL, NULL);
        }

#if defined(HAVE_LIBGNUTLS)
        certificate_index++;
#endif
    }
}
11695
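void
ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                         proto_tree *tree, uint32_t offset, uint32_t offset_end,
                         SslSession *session, bool is_dtls)
{
    /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
     *    enum {
     *        rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
     *        (255)
     *    } ClientCertificateType;
     *
     *    opaque DistinguishedName<1..2^16-1>;
     *
     *    struct {
     *        ClientCertificateType certificate_types<1..2^8-1>;
     *        DistinguishedName certificate_authorities<3..2^16-1>;
     *    } CertificateRequest;
     *
     *
     * As per TLSv1.2 (RFC 5246) the format has changed to:
     *
     *    enum {
     *        rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
     *        rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
     *        fortezza_dms_RESERVED(20), (255)
     *    } ClientCertificateType;
     *
     *    enum {
     *        none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
     *        sha512(6), (255)
     *    } HashAlgorithm;
     *
     *    enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
     *      SignatureAlgorithm;
     *
     *    struct {
     *          HashAlgorithm hash;
     *          SignatureAlgorithm signature;
     *    } SignatureAndHashAlgorithm;
     *
     *    SignatureAndHashAlgorithm
     *      supported_signature_algorithms<2..2^16-2>;
     *
     *    opaque DistinguishedName<1..2^16-1>;
     *
     *    struct {
     *        ClientCertificateType certificate_types<1..2^8-1>;
     *        SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
     *        DistinguishedName certificate_authorities<0..2^16-1>;
     *    } CertificateRequest;
     *
     * draft-ietf-tls-tls13-18:
     *    struct {
     *        opaque certificate_request_context<0..2^8-1>;
     *        SignatureScheme
     *          supported_signature_algorithms<2..2^16-2>;
     *        DistinguishedName certificate_authorities<0..2^16-1>;
     *        CertificateExtension certificate_extensions<0..2^16-1>;
     *    } CertificateRequest;
     *
     * RFC 8446 (since draft-ietf-tls-tls13-19):
     *
     *    struct {
     *        opaque certificate_request_context<0..2^8-1>;
     *        Extension extensions<2..2^16-1>;
     *    } CertificateRequest;
     *
     * Dissects the server's CertificateRequest in whichever of the above
     * layouts applies to the negotiated version (and, for TLS 1.3, the draft
     * number). Display only: nothing here feeds the decryption state, so no
     * SslDecryptSession is taken and the function returns early without a
     * tree. The previous unused asn1_ctx local has been dropped; no ASN.1
     * dissection happens in this function.
     */
    proto_item *types_item;
    proto_tree *types_tree;
    uint32_t types_end;
    bool is_tls13 = (session->version == TLSV1DOT3_VERSION || session->version == DTLSV1DOT3_VERSION);
    unsigned char draft_version = session->tls13_draft_version;

    if (!tree)
        return;

    if (is_tls13) {
        uint32_t context_length;
        /* opaque certificate_request_context<0..2^8-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
                            hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX)) {
            return;
        }
        offset++;
        if (context_length > 0) {
            proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
                                tvb, offset, context_length, ENC_NA);
            offset += context_length;
        }
    } else {
        uint32_t cert_types_count;
        /* ClientCertificateType certificate_types<1..2^8-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
                            hf->hf.hs_cert_types_count, 1, UINT8_MAX)) {
            return;
        }
        offset++;
        types_end = offset + cert_types_count;

        types_item = proto_tree_add_none_format(tree,
                                                hf->hf.hs_cert_types,
                                                tvb, offset, cert_types_count,
                                                "Certificate types (%u type%s)",
                                                cert_types_count,
                                                plurality(cert_types_count, "", "s"));
        types_tree = proto_item_add_subtree(types_item, hf->ett.cert_types);

        /* one byte per certificate type */
        while (offset < types_end) {
            proto_tree_add_item(types_tree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN);
            offset++;
        }
    }

    /* supported_signature_algorithms: TLS/DTLS 1.2, and TLS 1.3 drafts before -19 */
    if (session->version == TLSV1DOT2_VERSION || session->version == DTLSV1DOT2_VERSION ||
        (is_tls13 && (draft_version > 0 && draft_version < 19))) {
        offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL);
    }

    if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
        /*
         * TLS 1.3 draft 19 and newer: Extensions.
         * SslDecryptSession pointer is NULL because Certificate Extensions
         * should not influence decryption state.
         */
        ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
                                  offset_end, SSL_HND_CERT_REQUEST,
                                  session, NULL, is_dtls, NULL, NULL, NULL);
    } else if (is_tls13) {
        /*
         * TLS 1.3 draft 18 and older (the only TLS 1.3 case left after the
         * branch above): certificate_authorities and certificate_extensions
         * (a vector of OID mappings).
         */
        offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
        ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
    } else {
        /* for TLS 1.2 and older, the certificate_authorities field. */
        tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
    }
}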
11838/* Certificate and Certificate Request dissections. }}} */
11839
void
ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
{
    /* Client CertificateVerify: the body is a DigitallySigned structure
     * (algorithm + signature, layout depending on `version`), so defer to
     * the shared signature dissector, pointing it at the client-side
     * signature fields. */
    const int sig_len_hf = hf->hf.hs_client_cert_vrfy_sig_len;
    const int sig_hf     = hf->hf.hs_client_cert_vrfy_sig;

    ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
                                 sig_len_hf, sig_hf);
}
11848
11849/* Finished dissection. {{{ */
void
ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                         proto_tree *tree, uint32_t offset, uint32_t offset_end,
                         const SslSession *session, ssl_hfs_t *ssl_hfs)
{
    /* For SSLv3:
     *     struct {
     *         opaque md5_hash[16];
     *         opaque sha_hash[20];
     *     } Finished;
     *
     * For (D)TLS:
     *     struct {
     *         opaque verify_data[12];
     *     } Finished;
     *
     * For TLS 1.3:
     *     struct {
     *         opaque verify_data[Hash.length];
     *     }
     *
     * Purely presentational: adds the Finished payload fields, nothing else.
     * The SSLv3-specific hash fields live in `ssl_hfs`, which may be NULL
     * (e.g. for DTLS), in which case nothing is added for SSLv3.
     */
    if (!tree)
        return;

    if (session->version != SSLV3_VERSION) {
        /* (D)TLS: one opaque verify_data field spanning the whole body.
         * Length should be 12 for TLS before 1.3, assume this is the case. */
        proto_tree_add_item(tree, hf->hf.hs_finished,
                            tvb, offset, offset_end - offset, ENC_NA);
        return;
    }

    /* SSLv3: fixed MD5 || SHA-1 pair */
    if (ssl_hfs == NULL)
        return;
    proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
                        tvb, offset, 16, ENC_NA);
    proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
                        tvb, offset + 16, 20, ENC_NA);
} /* }}} */
11887
11888/* RFC 6066 Certificate URL handshake message dissection. {{{ */
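void
ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
{
    uint32_t url_hash_list_len;
    uint32_t list_end;

    /* enum {
     *     individual_certs(0), pkipath(1), (255)
     * } CertChainType;
     *
     * struct {
     *     CertChainType type;
     *     URLAndHash url_and_hash_list<1..2^16-1>;
     * } CertificateURL;
     *
     * struct {
     *     opaque url<1..2^16-1>;
     *     uint8 padding;
     *     opaque SHA1Hash[20];
     * } URLAndHash;
     *
     * Dissects an RFC 6066 CertificateURL handshake message. Display only:
     * the URLs are not fetched and the hashes are not verified.
     */

    proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
                        tvb, offset, 1, ENC_NA);
    offset++;

    /* url_and_hash_list<1..2^16-1>: in TLS presentation syntax the 16-bit
     * prefix is the byte length of the vector, not the number of entries.
     * Previously this value was used as an item count, which walked far past
     * the list (each entry is at least 23 bytes) and ended in a tvb
     * exception for well-formed messages. Iterate by bytes instead; an
     * entry that straddles list_end is still caught by the tvb bounds checks
     * of the accessors below. */
    url_hash_list_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
                        tvb, offset, 2, ENC_BIG_ENDIAN);
    offset += 2;
    list_end = offset + url_hash_list_len;

    while (offset < list_end) {
        proto_item *urlhash_item;
        proto_tree *urlhash_tree;
        uint32_t    item_start = offset;
        uint16_t    url_len;

        urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
                                           tvb, offset, -1, ENC_NA);
        urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);

        /* opaque url<1..2^16-1> */
        url_len = tvb_get_ntohs(tvb, offset);
        proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
                            tvb, offset, 2, ENC_BIG_ENDIAN);
        offset += 2;

        proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
                            tvb, offset, url_len, ENC_ASCII|ENC_NA);
        offset += url_len;

        proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
                            tvb, offset, 1, ENC_NA);
        offset++;
        /* Note: RFC 6066 says that padding must be 0x01 */

        proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
                            tvb, offset, 20, ENC_NA);
        offset += 20;

        /* Now that the entry size is known, bound the item to it rather than
         * leaving it open-ended to the end of the tvb. */
        proto_item_set_len(urlhash_item, offset - item_start);
    }
} /* }}} */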
11946
void
ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                                     uint32_t offset, uint32_t offset_end, packet_info *pinfo,
                                     SslSession *session, SslDecryptSession *ssl,
                                     bool is_from_server, bool is_dtls)
{
    /*
     * enum {
     *     zlib(1),
     *     brotli(2),
     *     zstd(3),
     *     (65535)
     * } CertificateCompressionAlgorithm;
     *
     * struct {
     *     CertificateCompressionAlgorithm algorithm;
     *     uint24 uncompressed_length;
     *     opaque compressed_certificate_message<1..2^24-1>;
     * } CompressedCertificate;
     *
     * Dissects an RFC 8879 CompressedCertificate: inflates the payload with
     * the named algorithm and, if the result is exactly the advertised size,
     * dissects it as a regular Certificate message. The inflated bytes are
     * attacker-controlled input to the X.509 dissector just like an
     * uncompressed Certificate would be.
     */
    uint32_t    algorithm;
    uint32_t    declared_len;
    uint32_t    compressed_len;
    proto_item *compressed_item;
    proto_tree *plain_tree;
    tvbuff_t   *plain_tvb;

    proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
                                 tvb, offset, 2, ENC_BIG_ENDIAN, &algorithm);
    offset += 2;

    proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
                                 tvb, offset, 3, ENC_BIG_ENDIAN, &declared_len);
    offset += 3;

    /* opaque compressed_certificate_message<1..2^24-1>; */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_len,
                        hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24)) {
        return;
    }
    offset += 3;

    compressed_item = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
                                          tvb, offset, compressed_len, ENC_NA);

    /* Inflate according to the negotiated algorithm; unknown values leave the
     * payload undissected. NOTE(review): the declared uncompressed length is
     * only compared after inflation — the tvb helpers decide how much output
     * they are willing to produce, confirm they bound it. */
    switch (algorithm) {
    case 1: /* zlib */
        plain_tvb = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_len);
        break;
    case 2: /* brotli */
        plain_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_len);
        break;
    case 3: /* zstd */
        plain_tvb = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_len);
        break;
    default:
        plain_tvb = NULL;
        break;
    }

    if (plain_tvb == NULL)
        return;

    if (declared_len != tvb_captured_length(plain_tvb)) {
        proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
                                     tvb, offset, offset_end - offset,
                                     "Invalid uncompressed length %u (expected %u)",
                                     tvb_captured_length(plain_tvb),
                                     declared_len);
        return;
    }

    plain_tree = proto_item_add_subtree(compressed_item, hf->ett.uncompressed_certificates);
    ssl_dissect_hnd_cert(hf, plain_tvb, plain_tree,
                         0, declared_len, pinfo, session, ssl, is_from_server, is_dtls);
    add_new_data_source(pinfo, plain_tvb, "Uncompressed certificate(s)");
}
12020
12021/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
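/**
 * Dissects the extensions vector carried by a handshake message (ClientHello,
 * ServerHello, HelloRetryRequest, EncryptedExtensions, Certificate, ...).
 *
 * Every extension is dispatched on its type to the matching sub-dissector;
 * unknown types are shown as opaque data. Where a sub-dissector only makes
 * sense for a particular handshake type, @p hnd_type selects it. When
 * @p ja3 is non-NULL the (non-GREASE) extension types are appended to it and,
 * for a ClientHello, the supported-groups and EC-point-formats parts collected
 * by the respective sub-dissectors are appended afterwards. When @p ja4_data
 * is non-NULL its extension counter and sorted extension list are rebuilt
 * (GREASE, server_name and ALPN are excluded from the list).
 *
 * @param hf         Per-protocol header field / ett table.
 * @param tvb        Buffer holding the handshake message.
 * @param tree       Tree the "Extension" items are added to.
 * @param pinfo      Packet info (used for the pool and expert info).
 * @param offset     Start of the 2-byte extensions length field.
 * @param offset_end End of the enclosing handshake body; the extensions
 *                   vector is bounds-checked against it.
 * @param hnd_type   Handshake message type the extensions belong to.
 * @param session    Session state; its version selects TLS 1.3 handling.
 * @param ssl        Decryption state; may be NULL, only read where checked.
 * @param is_dtls    Whether this is DTLS (use_srtp is DTLS-only).
 * @param ja3        Optional JA3 string under construction, or NULL.
 * @param ja4_data   Optional JA4 collector, or NULL.
 * @param mk_map     Master key map, forwarded to the ECH sub-dissector.
 * @return Offset just past the extensions vector. If the vector length or
 *         an extension length is invalid, @p offset_end is returned instead.
 */
static int
// NOLINTNEXTLINE(misc-no-recursion)
ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                          packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
                          SslSession *session, SslDecryptSession *ssl,
                          bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
                          ssl_master_key_map_t *mk_map)
{
    uint32_t       exts_len;
    uint16_t       ext_type;
    uint32_t       ext_len;
    uint32_t       next_offset;
    proto_item    *ext_item;
    proto_tree    *ext_tree;
    bool           is_tls13 = session->version == TLSV1DOT3_VERSION;
    wmem_strbuf_t *ja3_sg   = wmem_strbuf_new(pinfo->pool, "");
    wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
    const char    *ja3_dash = "";
    unsigned       supported_version;

    /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
                        hf->hf.hs_exts_len, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    /* From here on offset_end bounds the extensions vector, not the message. */
    offset_end = offset + exts_len;

    if (ja4_data) {
        ja4_data->num_extensions = 0;
    }
    /* Each extension needs at least its 2-byte type and 2-byte length. */
    while (offset_end - offset >= 4)
    {
        ext_type = tvb_get_ntohs(tvb, offset);
        /* Raw, not yet validated length; it is only used to size the
         * "Extension" item below. The bound check against offset_end happens
         * in ssl_add_vector() once the type has been added. */
        ext_len  = tvb_get_ntohs(tvb, offset + 2);

        if (ja4_data && !IS_GREASE_TLS(ext_type)) {
            ja4_data->num_extensions += 1;
            if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME &&
                ext_type != SSL_HND_HELLO_EXT_ALPN) {
                wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type), wmem_compare_uint);
            }
        }

        ext_item = proto_tree_add_none_format(tree, hf->hf.hs_ext, tvb, offset, 4 + ext_len,
                                              "Extension: %s (len=%u)", val_to_str(pinfo->pool, ext_type,
                                                                                   tls_hello_extension_types,
                                                                                   "Unknown type %u"), ext_len);
        ext_tree = proto_item_add_subtree(ext_item, hf->ett.hs_ext);

        proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
                            tvb, offset, 2, ext_type);
        offset += 2;
        if (ja3 && !IS_GREASE_TLS(ext_type)) {
            wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
            ja3_dash = "-";
        }

        /* opaque extension_data<0..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
                            hf->hf.hs_ext_len, 0, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        next_offset = offset + ext_len;

        switch (ext_type) {
        case SSL_HND_HELLO_EXT_SERVER_NAME:
            if (hnd_type == SSL_HND_CLIENT_HELLO) {
                offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
                if (ja4_data) {
                    ja4_data->server_name_present = true;
                }
            }
            break;
        case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH:
            proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA);
            offset += 1;
            break;
        case SSL_HND_HELLO_EXT_STATUS_REQUEST:
            /* In a ClientHello this is a request; in a TLS 1.3 Certificate
             * entry it carries the actual CertificateStatus. */
            if (hnd_type == SSL_HND_CLIENT_HELLO) {
                offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false);
            } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
                offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
            }
            break;
        case SSL_HND_HELLO_EXT_CERT_TYPE:
            offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
                                                         offset, next_offset,
                                                         hnd_type, ext_type,
                                                         session);
            break;
        case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS:
            /* Only the client's list contributes to the JA3 string. */
            if (hnd_type == SSL_HND_CLIENT_HELLO) {
                offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
                                                                    next_offset, ja3_sg);
            } else {
                offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
                                                                    next_offset, NULL);
            }
            break;
        case SSL_HND_HELLO_EXT_EC_POINT_FORMATS:
            if (hnd_type == SSL_HND_CLIENT_HELLO) {
                offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
            } else {
                offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL);
            }
            break;
        case SSL_HND_HELLO_EXT_SRP:
            offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS:
            offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
            break;
        case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT: /* since TLS 1.3 draft -23 */
            offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL);
            break;
        case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS:
            offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
            break;
        case SSL_HND_HELLO_EXT_USE_SRTP:
            if (is_dtls) {
                if (hnd_type == SSL_HND_CLIENT_HELLO) {
                    offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false);
                } else if (hnd_type == SSL_HND_SERVER_HELLO) {
                    offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true);
                }
            } else {
                // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
            }
            break;
        case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS:
            offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO:
            offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map);
            break;
        case SSL_HND_HELLO_EXT_HEARTBEAT:
            proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
                                tvb, offset, 1, ENC_BIG_ENDIAN);
            offset++;
            break;
        case SSL_HND_HELLO_EXT_ALPN:
            offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
            break;
        case SSL_HND_HELLO_EXT_STATUS_REQUEST_V2:
            if (hnd_type == SSL_HND_CLIENT_HELLO) {
                offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
            }
            break;
        case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP:
            // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
            if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE) {
                offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
            }
            break;
        case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE:
        case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE:
            offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
                                                         offset, next_offset,
                                                         hnd_type, ext_type,
                                                         session);
            break;
        case SSL_HND_HELLO_EXT_PADDING:
            proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA);
            offset += ext_len;
            break;
        case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC:
            /* The server's acknowledgement is what switches the mode on. */
            if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
                ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC);
                ssl->state |= SSL_ENCRYPT_THEN_MAC;
            }
            break;
        case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET:
            /* Both sides are tracked separately; EMS is only in effect when
             * both flags end up set. */
            if (ssl) {
                switch (hnd_type) {
                case SSL_HND_CLIENT_HELLO:
                    ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET;
                    break;
                case SSL_HND_SERVER_HELLO:
                    ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET;
                    break;
                default: /* no default */
                    break;
                }
            }
            break;
        case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE:
            offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_TOKEN_BINDING:
            offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT:
            proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
                                tvb, offset, 2, ENC_BIG_ENDIAN);
            offset += 2;
            break;
        case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS:
        case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V1:
            offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS:
            offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_KEY_SHARE_OLD: /* used before TLS 1.3 draft -23 */
        case SSL_HND_HELLO_EXT_KEY_SHARE:
            offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_PRE_SHARED_KEY:
            offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_EARLY_DATA:
        case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO:
            offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS:
            switch (hnd_type) {
            case SSL_HND_CLIENT_HELLO:
                /* ClientHello carries a list; the server replies with one. */
                offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
                break;
            case SSL_HND_SERVER_HELLO:
            case SSL_HND_HELLO_RETRY_REQUEST:
                proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN, &supported_version);
                offset += 2;
                proto_item_append_text(ext_tree, " %s", val_to_str(pinfo->pool, supported_version, ssl_versions, "Unknown (0x%04x)"));
                break;
            default:
                break;
            }
            break;
        case SSL_HND_HELLO_EXT_COOKIE:
            offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES:
            offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES:
            offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_OID_FILTERS:
            offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH:
            /* Empty extension: nothing to show beyond the type. */
            break;
        case SSL_HND_HELLO_EXT_NPN:
            offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_ALPS_OLD:
        case SSL_HND_HELLO_EXT_ALPS:
            offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
            break;
        case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO:
            offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME:
            offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
            break;
        case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED:
            session->deprecated_cid = true;
            /* FALLTHRU */
        case SSL_HND_HELLO_EXT_CONNECTION_ID:
            offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
            break;
        case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS:
            offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
            break;
        default:
            proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
                                tvb, offset, ext_len, ENC_NA);
            offset += ext_len;
            break;
        }

        if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
            /* Dissection did not end at expected location, fix it. This also
             * keeps offset <= offset_end for the loop condition above, since
             * next_offset was validated against offset_end. */
            offset = next_offset;
        }
    }

    /* JA3: extension types were appended inline; the supported-groups and
     * EC-point-formats parts (collected only for a ClientHello) follow. An
     * empty part still contributes its separating comma. */
    if (ja3) {
        if (hnd_type == SSL_HND_CLIENT_HELLO) {
            if(wmem_strbuf_get_len(ja3_sg) > 0) {
                wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
            } else {
                wmem_strbuf_append_c(ja3, ',');
            }
            if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
                wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
            } else {
                wmem_strbuf_append_c(ja3, ',');
            }
        }
    }

    /* Check if Extensions vector is correctly terminated. */
    if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
        offset = offset_end;
    }

    return offset;
} /* }}} */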
12323
12324
12325/* ClientKeyExchange algo-specific dissectors. {{{ */
12326
/**
 * Dissects the ClientKeyExchange body of an EC Diffie-Hellman suite: one
 * ECPoint, encoded as a 1-byte length followed by the point octets.
 *
 * @param offset Start of the ECPoint in @p tvb.
 * @param length Size of the ClientKeyExchange body; only used to size the
 *               "EC Diffie-Hellman Client Params" subtree.
 *
 * The point length is read from the packet and is not compared with
 * @p length here; an oversized value is left to the tvb bounds checks in
 * proto_tree_add_item (presumably raising a dissector exception — confirm).
 */
static void
dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                proto_tree *tree, uint32_t offset,
                                uint32_t length)
{
    proto_tree *params_tree = proto_tree_add_subtree(tree, tvb, offset, length,
                                                     hf->ett.keyex_params, NULL,
                                                     "EC Diffie-Hellman Client Params");

    /* ECPoint.point<1..2^8-1>: one length octet, then the encoded point. */
    const int point_len = tvb_get_uint8(tvb, offset);
    proto_tree_add_item(params_tree, hf->hf.hs_client_keyex_point_len, tvb,
                        offset, 1, ENC_BIG_ENDIAN);
    proto_tree_add_item(params_tree, hf->hf.hs_client_keyex_point, tvb,
                        offset + 1, point_len, ENC_NA);
}
12345
/**
 * Dissects the ClientKeyExchange body of a (finite-field) Diffie-Hellman
 * suite: ClientDiffieHellmanPublic with an explicit Yc, encoded as a 2-byte
 * length followed by the public value.
 *
 * @param offset Start of the 2-byte Yc length in @p tvb.
 * @param length Size of the ClientKeyExchange body; only used to size the
 *               "Diffie-Hellman Client Params" subtree.
 *
 * The Yc length is not validated against @p length here; out-of-range
 * values are left to the tvb bounds checks in proto_tree_add_item.
 */
static void
dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               proto_tree *tree, uint32_t offset, uint32_t length)
{
    proto_tree *params_tree = proto_tree_add_subtree(tree, tvb, offset, length,
                                                     hf->ett.keyex_params, NULL,
                                                     "Diffie-Hellman Client Params");

    /* ClientDiffieHellmanPublic.dh_public (explicit): 2-byte length, then Yc. */
    const int yc_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(params_tree, hf->hf.hs_client_keyex_yc_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    proto_tree_add_item(params_tree, hf->hf.hs_client_keyex_yc, tvb,
                        offset + 2, yc_len, ENC_NA);
}
12363
/**
 * Dissects the ClientKeyExchange body of an RSA key-exchange suite: the
 * EncryptedPreMasterSecret.
 *
 * For TLS and DTLS the EPMS is preceded by a 2-byte length vector. For
 * SSLv2, SSLv3 and the pre-0.9.8f OpenSSL DTLS encoding the vector length is
 * absent and the whole body (@p length bytes) is the EPMS; see
 * https://gitlab.com/wireshark/wireshark/-/issues/10222.
 *
 * @param offset  Start of the ClientKeyExchange body.
 * @param length  Size of the body; also the EPMS length in the quirk case.
 * @param session Session state; its version selects the encoding.
 */
static void
dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               proto_tree *tree, uint32_t offset,
                               uint32_t length, const SslSession *session)
{
    proto_tree *params_tree = proto_tree_add_subtree(tree, tvb, offset, length,
                                                     hf->ett.keyex_params, NULL,
                                                     "RSA Encrypted PreMaster Secret");
    int epms_len;

    /* EncryptedPreMasterSecret.pre_master_secret */
    const bool quirk_no_length = session->version == SSLV2_VERSION ||
                                 session->version == SSLV3_VERSION ||
                                 session->version == DTLSV1DOT0_OPENSSL_VERSION;
    if (quirk_no_length) {
        /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
         * not present. The handshake contents represents the EPMS. */
        epms_len = length;
    } else {
        /* TLS and DTLS include vector length before EPMS */
        epms_len = tvb_get_ntohs(tvb, offset);
        proto_tree_add_item(params_tree, hf->hf.hs_client_keyex_epms_len, tvb,
                            offset, 2, ENC_BIG_ENDIAN);
        offset += 2;
    }
    proto_tree_add_item(params_tree, hf->hf.hs_client_keyex_epms, tvb,
                        offset, epms_len, ENC_NA);
}
12397
12398/* Used in PSK cipher suites */
/**
 * Dissects the psk_identity<0..2^16-1> at the start of a PSK-family
 * ClientKeyExchange: a 2-byte length followed by the identity.
 *
 * @param offset Start of the identity length field.
 * @return Number of bytes consumed (2 + identity length), so callers of the
 *         combined suites (RSA_PSK, DHE_PSK, ECDHE_PSK) can continue after it.
 */
static uint32_t
dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               proto_tree *tree, uint32_t offset)
{
    /* The subtree is opened with an unknown (-1) length and resized once the
     * identity length is known. */
    proto_tree *params_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
                                                     hf->ett.keyex_params, NULL,
                                                     "PSK Client Params");

    /* identity */
    const unsigned identity_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(params_tree, hf->hf.hs_client_keyex_identity_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    proto_tree_add_item(params_tree, hf->hf.hs_client_keyex_identity, tvb,
                        offset + 2, identity_len, ENC_NA);

    const uint32_t consumed = 2 + identity_len;
    proto_item_set_len(params_tree, consumed);
    return consumed;
}
12418
12419/* Used in RSA PSK cipher suites */
/**
 * Dissects the ClientKeyExchange body of an RSA_PSK suite: the PSK identity
 * followed by the RSA EncryptedPreMasterSecret, each as a 2-byte length plus
 * data.
 *
 * @param offset Start of the identity length field.
 * @param length Size of the body; only used to size the subtree.
 *
 * Neither length is validated against @p length here; the second read
 * happens at offset + 2 + identity_len and relies on the tvb bounds checks.
 */
static void
dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   proto_tree *tree, uint32_t offset,
                                   uint32_t length)
{
    proto_tree *params_tree = proto_tree_add_subtree(tree, tvb, offset, length,
                                                     hf->ett.keyex_params, NULL,
                                                     "RSA PSK Client Params");

    /* psk_identity<0..2^16-1> */
    const int identity_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(params_tree, hf->hf.hs_client_keyex_identity_len,
                        tvb, offset, 2, ENC_BIG_ENDIAN);
    proto_tree_add_item(params_tree, hf->hf.hs_client_keyex_identity,
                        tvb, offset + 2, identity_len, ENC_NA);
    offset += 2 + identity_len;

    /* EncryptedPreMasterSecret: 2-byte length, then the RSA-encrypted EPMS
     * (the hf names say "epms"; this is not a DH Yc value). */
    const int epms_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(params_tree, hf->hf.hs_client_keyex_epms_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    proto_tree_add_item(params_tree, hf->hf.hs_client_keyex_epms, tvb,
                        offset + 2, epms_len, ENC_NA);
}
12446
12447/* Used in Diffie-Hellman PSK cipher suites */
/**
 * Dissects the ClientKeyExchange body of a DHE_PSK suite.
 *
 *   struct {
 *       select (KeyExchangeAlgorithm) {
 *           case diffie_hellman_psk:
 *               opaque psk_identity<0..2^16-1>;
 *               ClientDiffieHellmanPublic public;
 *       } exchange_keys;
 *   } ClientKeyExchange;
 *
 * @param offset Start of the psk_identity.
 * @param length Size of the whole body; the remainder after the identity is
 *               handed to the DHE dissector.
 */
static void
dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   proto_tree *tree, uint32_t offset, uint32_t length)
{
    const uint32_t identity_bytes = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);

    /* NOTE(review): identity_bytes comes from the packet. If it exceeds
     * length, the unsigned subtraction below wraps and the DHE subtree is
     * sized from a bogus value; this relies on the tvb bounds checks
     * downstream rather than an explicit compare — confirm. */
    dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree,
                                   offset + identity_bytes,
                                   length - identity_bytes);
}
12465
12466/* Used in EC Diffie-Hellman PSK cipher suites */
/**
 * Dissects the ClientKeyExchange body of an ECDHE_PSK suite.
 *
 *   struct {
 *       select (KeyExchangeAlgorithm) {
 *           case ec_diffie_hellman_psk:
 *               opaque psk_identity<0..2^16-1>;
 *               ClientECDiffieHellmanPublic public;
 *       } exchange_keys;
 *   } ClientKeyExchange;
 *
 * @param offset Start of the psk_identity.
 * @param length Size of the whole body; the remainder after the identity is
 *               handed to the ECDH dissector.
 */
static void
dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                    proto_tree *tree, uint32_t offset, uint32_t length)
{
    const uint32_t identity_bytes = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);

    /* NOTE(review): as in the DHE_PSK variant, length - identity_bytes wraps
     * when the packet-supplied identity length exceeds length; no explicit
     * check is made here — confirm the tvb bounds checks cover it. */
    dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree,
                                    offset + identity_bytes,
                                    length - identity_bytes);
}
12484
12485/* Used in EC J-PAKE cipher suites */
/**
 * Dissects the ClientKeyExchange body of an EC J-PAKE suite.
 *
 *   struct {
 *       ECPoint V;
 *       opaque r<1..2^8-1>;
 *   } ECSchnorrZKP;
 *
 *   struct {
 *       ECPoint X;
 *       ECSchnorrZKP zkp;
 *   } ECJPAKEKeyKP;
 *
 *   struct {
 *       ECJPAKEKeyKP ecjpake_key_kp;
 *   } ClientECJPAKEParams;
 *
 *   select (KeyExchangeAlgorithm) {
 *       case ecjpake:
 *           ClientECJPAKEParams params;
 *   } ClientKeyExchange;
 *
 * All three fields (X, V, r) share one wire shape: a 1-byte length followed
 * by that many octets, so they are walked from a small table.
 *
 * @param offset Start of ECJPAKEKeyKP.X.
 * @param length Size of the body; only used to size the subtree.
 */
static void
dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   proto_tree *tree, uint32_t offset,
                                   uint32_t length)
{
    proto_tree *params_tree = proto_tree_add_subtree(tree, tvb, offset, length,
                                                     hf->ett.keyex_params, NULL,
                                                     "EC J-PAKE Client Params");

    const struct {
        int hf_len;
        int hf_data;
    } fields[] = {
        { hf->hf.hs_client_keyex_xc_len, hf->hf.hs_client_keyex_xc }, /* ECJPAKEKeyKP.X     */
        { hf->hf.hs_client_keyex_vc_len, hf->hf.hs_client_keyex_vc }, /* ECJPAKEKeyKP.zkp.V */
        { hf->hf.hs_client_keyex_rc_len, hf->hf.hs_client_keyex_rc }, /* ECJPAKEKeyKP.zkp.r */
    };

    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        /* Each field is opaque<1..2^8-1>: length octet, then the data. The
         * lengths are packet-controlled and left to the tvb bounds checks. */
        const int field_len = tvb_get_uint8(tvb, offset);
        proto_tree_add_item(params_tree, fields[i].hf_len, tvb,
                            offset, 1, ENC_BIG_ENDIAN);
        proto_tree_add_item(params_tree, fields[i].hf_data, tvb,
                            offset + 1, field_len, ENC_NA);
        offset += 1 + field_len;
    }
}
12542
/**
 * Dissects the ClientKeyExchange body of an ECC-SM2 suite: a 2-byte length
 * followed by the SM2-encrypted PreMasterSecret.
 *
 * @param offset Start of the length field.
 * @param length Size of the body; only used to size the subtree.
 */
static void
dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   proto_tree *tree, uint32_t offset,
                                   uint32_t length)
{
    proto_tree *params_tree = proto_tree_add_subtree(tree, tvb, offset, length,
                                                     hf->ett.keyex_params, NULL,
                                                     "ECC-SM2 Encrypted PreMaster Secret");

    /* EPMS length (packet-controlled, not checked against length here). */
    const int epms_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(params_tree, hf->hf.hs_client_keyex_epms_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN);

    /* EPMS itself follows the length field. */
    proto_tree_add_item(params_tree, hf->hf.hs_client_keyex_epms, tvb,
                        offset + 2, epms_len, ENC_NA);
}
12562/* ClientKeyExchange algo-specific dissectors. }}} */
12563
12564
12565/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
/**
 * Dissects a DigitallySigned structure (RFC 5246 section 4.7).
 *
 * From TLS 1.2 / DTLS 1.2 onwards the structure starts with a 2-byte
 * SignatureAndHashAlgorithm (or SignatureScheme), which is dissected first;
 * older versions carry the signature vector alone.
 *
 * @param offset     Start of the structure.
 * @param offset_end Bound for the signature vector, checked by ssl_add_vector().
 * @param version    Negotiated protocol version, selecting the encoding.
 * @param hf_sig_len Header field for the signature length.
 * @param hf_sig     Header field for the signature bytes.
 * @return Offset just past the signature, or @p offset_end if the signature
 *         length is invalid.
 */
static uint32_t
ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                             proto_tree *tree, uint32_t offset, uint32_t offset_end,
                             uint16_t version, int hf_sig_len, int hf_sig)
{
    uint32_t sig_len;

    /* Only (D)TLS 1.2 and 1.3 make the signature algorithm explicit. */
    const bool explicit_sig_alg = version == TLSV1DOT2_VERSION  ||
                                  version == DTLSV1DOT2_VERSION ||
                                  version == TLSV1DOT3_VERSION  ||
                                  version == DTLSV1DOT3_VERSION;
    if (explicit_sig_alg) {
        tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL);
        offset += 2;
    }

    /* Sig: opaque signature<0..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
                        hf_sig_len, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA);
    return offset + sig_len;
} /* }}} */
12596
12597/* ServerKeyExchange algo-specific dissectors. {{{ */
12598
12599/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
/**
 * Dissects the signed_params (a DigitallySigned structure) that follows the
 * key-exchange parameters in a ServerKeyExchange.
 *
 * TLS 1.2 (RFC 5246 sections 7.4.3 and 4.7) makes the hash/signature
 * algorithm explicit inside digitally-signed; TLS 1.0/1.1 (RFC 2246 /
 * RFC 4346, same section numbers) omit it; SSLv3 (RFC 6101 section 5.6.8)
 * works like TLS 1.0 but hashes more (master secret and padding). The
 * version-specific layout is handled by ssl_dissect_digitally_signed(); this
 * wrapper only supplies the ServerKeyExchange header fields.
 *
 * @param offset     Start of signed_params.
 * @param offset_end End of the ServerKeyExchange body.
 * @param version    Negotiated protocol version.
 */
static void
dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               uint16_t version)
{
    const int hf_len = hf->hf.hs_server_keyex_sig_len;
    const int hf_sig = hf->hf.hs_server_keyex_sig;

    /* Return value (end offset) is intentionally unused: nothing follows the
     * signature in a ServerKeyExchange. */
    (void)ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end,
                                       version, hf_len, hf_sig);
}
12623
/**
 * Dissects ECParameters (RFC 4492):
 *
 *   struct {
 *       ECCurveType curve_type;
 *       select (curve_type) {
 *           case explicit_prime:  ...
 *           case explicit_char2:  ...
 *           case named_curve:     NamedCurve namedcurve;
 *       };
 *   } ECParameters;
 *
 * Only named_curve is supported: for the explicit encodings the body is not
 * parsed and @p offset_end is returned so that callers stop dissecting.
 *
 * @param offset     Start of curve_type.
 * @param offset_end End of the enclosing key-exchange body.
 * @return Offset after the NamedCurve, or @p offset_end for an unsupported
 *         curve type.
 */
static uint32_t
dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* ECCurveType value for named_curve (RFC 4492 section 5.4). */
    enum { EC_CURVE_TYPE_NAMED_CURVE = 3 };

    /* ECParameters.curve_type */
    const int curve_type = tvb_get_uint8(tvb, offset);
    proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
                        offset, 1, ENC_BIG_ENDIAN);
    offset += 1;

    if (curve_type != EC_CURVE_TYPE_NAMED_CURVE) {
        return offset_end; /* only named_curves are supported */
    }

    /* case curve_type == named_curve; ECParameters.namedcurve */
    proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    return offset + 2;
}
12661
/**
 * Dissects the ServerKeyExchange body of an EC Diffie-Hellman suite
 * (RFC 4492):
 *
 *   struct {
 *       opaque point <1..2^8-1>;
 *   } ECPoint;
 *
 *   struct {
 *       ECParameters curve_params;
 *       ECPoint public;
 *   } ServerECDHParams;
 *
 *   select (KeyExchangeAlgorithm) {
 *       case ec_diffie_hellman:
 *           ServerECDHParams params;
 *           Signature signed_params;
 *   } ServerKeyExchange;
 *
 * @param offset     Start of ServerECDHParams.
 * @param offset_end End of the ServerKeyExchange body.
 * @param version    Negotiated version, forwarded to the signature dissector.
 * @param anon       True for anonymous / PSK variants that carry no
 *                   signed_params.
 */
static void
dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                uint16_t version, bool anon)
{
    proto_tree *params_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                                     hf->ett.keyex_params, NULL,
                                                     "EC Diffie-Hellman Server Params");

    /* ServerECDHParams.curve_params; bails out for non-named curves. */
    offset = dissect_tls_ecparameters(hf, tvb, params_tree, offset, offset_end);
    if (offset >= offset_end) {
        return; /* only named_curves are supported */
    }

    /* ECPoint.point: 1-byte length then the point (length not checked
     * against offset_end here; left to tvb bounds checks). */
    const int point_len = tvb_get_uint8(tvb, offset);
    proto_tree_add_item(params_tree, hf->hf.hs_server_keyex_point_len, tvb,
                        offset, 1, ENC_BIG_ENDIAN);
    proto_tree_add_item(params_tree, hf->hf.hs_server_keyex_point, tvb,
                        offset + 1, point_len, ENC_NA);
    offset += 1 + point_len;

    /* Signature (if non-anonymous KEX) */
    if (anon) {
        return;
    }
    dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, params_tree, offset, offset_end, version);
}
12709
/**
 * Dissects the ServerKeyExchange body of a (finite-field) Diffie-Hellman
 * suite: ServerDHParams { p, g, Ys } each as a 2-byte length plus value,
 * optionally followed by signed_params.
 *
 * @param offset     Start of ServerDHParams.
 * @param offset_end End of the ServerKeyExchange body.
 * @param version    Negotiated version, forwarded to the signature dissector.
 * @param anon       True for anonymous / PSK variants without a signature.
 *
 * The three lengths are packet-controlled and are not compared with
 * @p offset_end here; they rely on the tvb bounds checks in
 * proto_tree_add_item.
 */
static void
dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               uint16_t version, bool anon)
{
    proto_tree *params_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                                     hf->ett.keyex_params, NULL,
                                                     "Diffie-Hellman Server Params");

    /* p: the prime modulus */
    const int p_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(params_tree, hf->hf.hs_server_keyex_p_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    proto_tree_add_item(params_tree, hf->hf.hs_server_keyex_p, tvb,
                        offset + 2, p_len, ENC_NA);
    offset += 2 + p_len;

    /* g: the generator */
    const int g_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(params_tree, hf->hf.hs_server_keyex_g_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    proto_tree_add_item(params_tree, hf->hf.hs_server_keyex_g, tvb,
                        offset + 2, g_len, ENC_NA);
    offset += 2 + g_len;

    /* Ys: the server's public value. The length item is added from the
     * already-read value rather than re-read from the buffer. */
    const int ys_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_uint(params_tree, hf->hf.hs_server_keyex_ys_len, tvb,
                        offset, 2, ys_len);
    proto_tree_add_item(params_tree, hf->hf.hs_server_keyex_ys, tvb,
                        offset + 2, ys_len, ENC_NA);
    offset += 2 + ys_len;

    /* Signature (if non-anonymous KEX) */
    if (anon) {
        return;
    }
    dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, params_tree, offset, offset_end, version);
}
12750
12751/* Only used in RSA-EXPORT cipher suites */
/**
 * Dissects the ServerKeyExchange body of an RSA-EXPORT suite: the temporary
 * RSA modulus and exponent (each a 2-byte length plus value), always followed
 * by signed_params.
 *
 * @param offset     Start of ServerRSAParams.
 * @param offset_end End of the ServerKeyExchange body.
 * @param version    Negotiated version, forwarded to the signature dissector.
 */
static void
dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               uint16_t version)
{
    proto_tree *params_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                                     hf->ett.keyex_params, NULL,
                                                     "RSA-EXPORT Server Params");

    /* modulus and exponent share one wire shape: opaque<0..2^16-1>. */
    const struct {
        int hf_len;
        int hf_data;
    } fields[] = {
        { hf->hf.hs_server_keyex_modulus_len,  hf->hf.hs_server_keyex_modulus  },
        { hf->hf.hs_server_keyex_exponent_len, hf->hf.hs_server_keyex_exponent },
    };

    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        /* Lengths are packet-controlled; no compare against offset_end here. */
        const int field_len = tvb_get_ntohs(tvb, offset);
        proto_tree_add_item(params_tree, fields[i].hf_len,
                            tvb, offset, 2, ENC_BIG_ENDIAN);
        proto_tree_add_item(params_tree, fields[i].hf_data,
                            tvb, offset + 2, field_len, ENC_NA);
        offset += 2 + field_len;
    }

    /* Signature: RSA-EXPORT params are always signed. */
    dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, params_tree, offset, offset_end, version);
}
12782
12783/* Used in RSA PSK and PSK cipher suites */
/**
 * Dissects the psk_identity_hint<0..2^16-1> at the start of a PSK-family
 * ServerKeyExchange: a 2-byte length followed by the hint.
 *
 * @param offset Start of the hint length field.
 * @return Number of bytes consumed (2 + hint length), so the DHE_PSK and
 *         ECDHE_PSK callers can continue with the key-exchange parameters.
 */
static uint32_t
dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               proto_tree *tree, uint32_t offset)
{
    /* Opened with unknown (-1) length, resized once the hint length is known. */
    proto_tree *params_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
                                                     hf->ett.keyex_params, NULL,
                                                     "PSK Server Params");

    /* hint */
    const unsigned hint_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(params_tree, hf->hf.hs_server_keyex_hint_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    proto_tree_add_item(params_tree, hf->hf.hs_server_keyex_hint, tvb,
                        offset + 2, hint_len, ENC_NA);

    const uint32_t consumed = 2 + hint_len;
    proto_item_set_len(params_tree, consumed);
    return consumed;
}
12804
12805/* Used in Diffie-Hellman PSK cipher suites */
/**
 * Dissects the ServerKeyExchange body of a DHE_PSK suite:
 *
 *   struct {
 *       select (KeyExchangeAlgorithm) {
 *           case diffie_hellman_psk:
 *               opaque psk_identity_hint<0..2^16-1>;
 *               ServerDHParams params;
 *       };
 *   } ServerKeyExchange;
 *
 * The DH parameters are dissected as anonymous (no signed_params follow), so
 * the version passed on is irrelevant and given as 0.
 *
 * @param offset     Start of the psk_identity_hint.
 * @param offset_end End of the ServerKeyExchange body.
 */
static void
dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                   proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    const uint32_t hint_bytes = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);

    /* NOTE(review): hint_bytes is packet-controlled; if offset + hint_bytes
     * passes offset_end the callee's "offset_end - offset" subtree size
     * wraps. No compare is made here — confirm tvb bounds checks cover it. */
    dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree,
                                   offset + hint_bytes, offset_end,
                                   0, true);
}
12823
/* Used in EC Diffie-Hellman PSK cipher suites.
 *
 * ServerKeyExchange for ec_diffie_hellman_psk (RFC 5489):
 *     opaque psk_identity_hint<0..2^16-1>;
 *     ServerECDHParams params;
 * The hint is parsed first; the ECDH parameters start right after it and
 * run up to offset_end. */
static void
dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                    proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    const uint32_t params_offset =
        offset + dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);

    /* The trailing 0 and true are passed through unchanged; presumably a
     * version and a "no signature" flag, but dissect_ssl3_hnd_srv_keyex_ecdh
     * is defined elsewhere in this file. */
    dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, params_offset, offset_end, 0, true);
}
12842
/* Used in EC J-PAKE cipher suites. */

/* Add one 1-byte-length-prefixed opaque field of an ECJPAKEKeyKP (X, zkp.V
 * or zkp.r) to tree: the length item hf_len, then hf_value covering the
 * bytes. Returns the offset just past the field. */
static uint32_t
dissect_ecjpake_opaque8(tvbuff_t *tvb, proto_tree *tree, uint32_t offset,
                        int hf_len, int hf_value)
{
    const int value_len = tvb_get_uint8(tvb, offset);

    proto_tree_add_item(tree, hf_len, tvb, offset, 1, ENC_BIG_ENDIAN);
    proto_tree_add_item(tree, hf_value, tvb, offset + 1, value_len, ENC_NA);
    return offset + 1 + value_len;
}

/* ServerKeyExchange for ecjpake (draft-cragie-tls-ecjpake-01):
 *
 *     struct {
 *         ECPoint V;
 *         opaque r<1..2^8-1>;
 *     } ECSchnorrZKP;
 *
 *     struct {
 *         ECPoint X;
 *         ECSchnorrZKP zkp;
 *     } ECJPAKEKeyKP;
 *
 *     struct {
 *         ECParameters curve_params;
 *         ECJPAKEKeyKP ecjpake_key_kp;
 *     } ServerECJPAKEParams;
 *
 * The curve parameters are handed to dissect_tls_ecparameters; the three
 * opaque fields of the key/proof pair follow, each with a 1-byte length. */
static void
dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    proto_tree *ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                                      hf->ett.keyex_params, NULL,
                                                      "EC J-PAKE Server Params");

    offset = dissect_tls_ecparameters(hf, tvb, ecjpake_tree, offset, offset_end);
    if (offset >= offset_end) {
        return; /* only named_curves are supported */
    }

    /* ECJPAKEKeyKP.X */
    offset = dissect_ecjpake_opaque8(tvb, ecjpake_tree, offset,
                                     hf->hf.hs_server_keyex_xs_len, hf->hf.hs_server_keyex_xs);
    /* ECJPAKEKeyKP.zkp.V */
    offset = dissect_ecjpake_opaque8(tvb, ecjpake_tree, offset,
                                     hf->hf.hs_server_keyex_vs_len, hf->hf.hs_server_keyex_vs);
    /* ECJPAKEKeyKP.zkp.r is the last field; the offset past it is not needed. */
    (void)dissect_ecjpake_opaque8(tvb, ecjpake_tree, offset,
                                  hf->hf.hs_server_keyex_rs_len, hf->hf.hs_server_keyex_rs);
}
12904
/* Only used in ECC-SM2-EXPORT cipher suites (GB/T 38636).
 *
 * The ServerKeyExchange body for these suites carries nothing but the
 * signature, so the whole range [offset, offset_end) is placed under an
 * "ECC-SM2-EXPORT Server Params" subtree and handed to the shared signature
 * dissector. */
static void
dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                   proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                   uint16_t version)
{
    proto_tree *sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                                  hf->ett.keyex_params, NULL,
                                                  "ECC-SM2-EXPORT Server Params");

    /* Signature */
    dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, sm2_tree, offset, offset_end, version);
}
12919/* ServerKeyExchange algo-specific dissectors. }}} */
12920
12921/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
/* Dissect a ClientKeyExchange body (length bytes at offset).
 *
 * The body layout is determined entirely by the key exchange algorithm of
 * the negotiated cipher suite (session->cipher), so this is a pure dispatch:
 * each case hands the body to the algorithm-specific parser. Suites that are
 * recognised but not decoded, and unknown suites, get an expert info on the
 * whole body instead of a partial parse. */
void
ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                          proto_tree *tree, uint32_t offset, uint32_t length,
                          const SslSession *session)
{
    switch (ssl_get_keyex_alg(session->cipher)) {
    /* RSA key transport */
    case KEX_RSA:           /* RFC 5246; rsa: EncryptedPreMasterSecret */
        dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
        break;
    case KEX_RSA_PSK:       /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
        dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
        break;

    /* Pre-shared key only */
    case KEX_PSK:           /* RFC 4279; psk: psk_identity */
        dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
        break;

    /* Finite-field Diffie-Hellman */
    case KEX_DH_ANON:       /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
    case KEX_DH_DSS:
    case KEX_DH_RSA:
    case KEX_DHE_DSS:
    case KEX_DHE_RSA:
        dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
        break;
    case KEX_DHE_PSK:       /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
        dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
        break;

    /* Elliptic-curve Diffie-Hellman */
    case KEX_ECDH_ANON:     /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
    case KEX_ECDH_ECDSA:
    case KEX_ECDH_RSA:
    case KEX_ECDHE_ECDSA:
    case KEX_ECDHE_RSA:
        dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
        break;
    case KEX_ECDHE_PSK:     /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
        dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
        break;

    /* Other decoded exchanges */
    case KEX_ECJPAKE:       /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
        dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
        break;
    case KEX_ECC_SM2:       /* GB/T 38636 */
        dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
        break;

    /* Recognised, but no decoder yet */
    case KEX_KRB5:          /* RFC 2712; krb5: KerberosWrapper */
        /* XXX: implement support for KRB5 */
        proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                     tvb, offset, length,
                                     "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
                                     " developers if you want them to be supported");
        break;
    case KEX_SRP_SHA:       /* RFC 5054; srp: ClientSRPPublic */
    case KEX_SRP_SHA_DSS:
    case KEX_SRP_SHA_RSA:
        /* XXX: implement support for SRP_SHA* */
        proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                     tvb, offset, length,
                                     "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
                                     " developers if you want them to be supported");
        break;

    default:
        /* cipher == 0 means the suite was never learned from a ServerHello. */
        if (session->cipher != 0) {
            proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                         tvb, offset, length,
                                         "Cipher Suite 0x%04x is not implemented, "
                                         "contact Wireshark developers if you want this to be supported",
                                         session->cipher);
        } else {
            proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                         tvb, offset, length,
                                         "Cipher Suite not found");
        }
        break;
    }
}
12994
/* Dissect a ServerKeyExchange body covering [offset, offset_end).
 *
 * As for the client side, the layout follows from the key exchange algorithm
 * of session->cipher. Two extra situations exist here: suites for which the
 * message must not be sent at all (static DH, KRB5) are flagged with
 * hs_srv_keyex_illegal, and the "anon" variants pass true to the DH/ECDH
 * parsers because their parameters carry no signature. */
void
ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                          proto_tree *tree, uint32_t offset, uint32_t offset_end,
                          const SslSession *session)
{
    switch (ssl_get_keyex_alg(session->cipher)) {
    /* RSA */
    case KEX_RSA:           /* only allowed if the public key in the server certificate is longer than 512 bits */
        dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
        break;

    /* Pre-shared key: only the identity hint is sent */
    case KEX_PSK:           /* RFC 4279; psk, rsa: psk_identity */
    case KEX_RSA_PSK:
        dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
        break;

    /* Finite-field Diffie-Hellman */
    case KEX_DH_ANON:       /* RFC 5246; ServerDHParams */
        dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true);
        break;
    case KEX_DHE_DSS:       /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
    case KEX_DHE_RSA:
        dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false);
        break;
    case KEX_DHE_PSK:       /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
        dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
        break;

    /* Elliptic-curve Diffie-Hellman */
    case KEX_ECDH_ANON:     /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
        dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true);
        break;
    case KEX_ECDH_ECDSA:    /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
    case KEX_ECDH_RSA:
    case KEX_ECDHE_ECDSA:
    case KEX_ECDHE_RSA:
        dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false);
        break;
    case KEX_ECDHE_PSK:     /* RFC 5489; psk_identity_hint, ServerECDHParams */
        dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
        break;

    /* Other decoded exchanges */
    case KEX_ECJPAKE:       /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
        dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
        break;
    case KEX_ECC_SM2:       /* GB/T 38636 */
        dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
        break;

    /* ServerKeyExchange is not permitted for these suites */
    case KEX_DH_DSS:        /* RFC 5246; not allowed */
    case KEX_DH_RSA:
    case KEX_KRB5:          /* RFC 2712; not allowed */
        proto_tree_add_expert(tree, NULL, &hf->ei.hs_srv_keyex_illegal,
                              tvb, offset, offset_end - offset);
        break;

    /* Recognised, but no decoder yet */
    case KEX_SRP_SHA:       /* RFC 5054; srp: ServerSRPParams, Signature */
    case KEX_SRP_SHA_DSS:
    case KEX_SRP_SHA_RSA:
        /* XXX: implement support for SRP_SHA* */
        proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                     tvb, offset, offset_end - offset,
                                     "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
                                     " developers if you want them to be supported");
        break;

    default:
        /* cipher == 0 means the suite was never learned from a ServerHello. */
        if (session->cipher != 0) {
            proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                         tvb, offset, offset_end - offset,
                                         "Cipher Suite 0x%04x is not implemented, "
                                         "contact Wireshark developers if you want this to be supported",
                                         session->cipher);
        } else {
            proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                         tvb, offset, offset_end - offset,
                                         "Cipher Suite not found");
        }
        break;
    }
}
13069/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
13070
/* Dissect a TLS 1.3 KeyUpdate handshake message (RFC 8446 4.6.3).
 *
 *     enum { update_not_requested(0), update_requested(1), (255) } KeyUpdateRequest;
 *     struct { KeyUpdateRequest request_update; } KeyUpdate;
 *
 * The body is the single request_update byte at offset. */
void
tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                             proto_tree *tree, uint32_t offset)
{
    const int request_update_len = 1;

    proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb,
                        offset, request_update_len, ENC_NA);
}
13086
/* Create the TLS ALPN dissector table (keyed by the case-sensitive protocol
 * name string) under name/ui_name for protocol proto, remembering it in
 * ssl_alpn_dissector_table, and keep the pre-rename table name
 * "ssl.handshake.extensions_alpn_str" working as an alias of it. */
void
ssl_common_register_ssl_alpn_dissector_table(const char *name,
    const char *ui_name, const int proto)
{
    static const char legacy_alias[] = "ssl.handshake.extensions_alpn_str";

    ssl_alpn_dissector_table = register_dissector_table(name, ui_name, proto,
                                                        FT_STRING, STRING_CASE_SENSITIVE);
    register_dissector_table_alias(ssl_alpn_dissector_table, legacy_alias);
}
13095
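/* Create the DTLS ALPN dissector table (keyed by the case-sensitive protocol
 * name string) under name/ui_name for protocol proto, remembering it in
 * dtls_alpn_dissector_table, and keep the pre-rename table name
 * "dtls.handshake.extensions_alpn_str" working as an alias of it.
 *
 * The alias is registered against the DTLS table just created. The previous
 * code aliased the DTLS name to ssl_alpn_dissector_table instead, which
 * looks like a copy/paste slip from the TLS sibling above: anything that
 * registered under the old DTLS name would have landed in the TLS table. */
void
ssl_common_register_dtls_alpn_dissector_table(const char *name,
    const char *ui_name, const int proto)
{
    dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
        proto, FT_STRING, STRING_CASE_SENSITIVE);
    register_dissector_table_alias(dtls_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
}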
13104
/* Register the preferences shared by the TLS and DTLS dissectors on module.
 *
 * "psk" is registered for both. The key log file preference is owned by TLS
 * only: for DTLS (is_dtls) the old "keylog_file" preference is marked
 * obsolete and replaced by a static note pointing at the TLS preference. */
void
ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool is_dtls)
{
    prefs_register_string_preference(module, "psk", "Pre-Shared Key",
        "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
        &(options->psk));

    if (!is_dtls) {
        prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
            "The name of a file which contains a list of \n"
            "(pre-)master secrets in one of the following formats:\n"
            "\n"
            "RSA <EPMS> <PMS>\n"
            "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
            "CLIENT_RANDOM <CRAND> <MS>\n"
            "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
            "\n"
            "Where:\n"
            "<EPMS> = First 8 bytes of the Encrypted PMS\n"
            "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
            "<SSLID> = The SSL Session ID\n"
            "<MS> = The Master-Secret (MS)\n"
            "<CRAND> = The Client's random number from the ClientHello message\n"
            "\n"
            "(All fields are in hex notation)",
            &(options->keylog_filename), false);
        return;
    }

    /* DTLS: the keylog lives in the TLS preferences; keep old configs loadable. */
    prefs_register_obsolete_preference(module, "keylog_file");
    prefs_register_static_text_preference(module, "keylog_file_removed",
        "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
        "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
}
13139
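/* Decide whether a handshake message of type msg_type, sent in the given
 * direction, belongs in the transcript kept for the session's version.
 *
 * The handshake message types used in the handshake hash are different
 * in different versions. [D]TLS 1.3 tracks the messages up to the
 * Finished, whereas 1.2 stops at the ClientKeyExchange. However, all start
 * at the ClientHello and include the messages up to the ServerHello, at
 * which point we know the version.
 *
 * XXX - However, DTLS 1.2 includes the DTLS-specific fragment info fields
 * in its handshake transcript, whereas DTLS 1.3 does not (using the same
 * format as TLS 1.3). We don't know at the point of the ClientHello which
 * version will be used, so PSK only likely doesn't work for DTLS 1.3 yet.
 *
 * XXX - When the server responds with a HelloRetryRequest, for subsequent
 * hashes (other than the first PSK Binder, see 4.2.11.2) ClientHello1 is
 * replaced with a synthetic handshake message of type "message_hash",
 * per RFC 8446 4.4.1. We aren't concerned with that now, as a HRR generally
 * rules out PSK-only key exchange, which is what we calculate the hash for
 * here. (The possible exception is when a server sends a HRR to reject
 * early data but the server and client otherwise agree on psk_ke, if
 * any client/server pairs support that.) We do support that in the context
 * of computing the hash for Encrypted Client Hello; see elsewhere. */
static bool
ssl_handshake_hash_includes(const SslDecryptSession *ssl_session, uint8_t msg_type, bool is_from_server)
{
    switch (ssl_session->session.version) {
    case TLSV1DOT3_VERSION:
    case DTLSV1DOT3_VERSION:
        /* In [D]TLS 1.3 only the following handshake messages are used in the
         * handshake transcript. EndOfEarlyData and the Client Certificate,
         * Certificate Verify, and Finished are used in deriving the
         * resumption_master_secret but not the other secrets derived from
         * the master secret (client or server app traffic secret, exporter
         * secret). We don't yet support calculating a PSK to resume via
         * the resumption_master_secret, so we simply stop the transcript
         * with the server Finished. See RFC 8446 4.4.1 & 7.1 */
        switch (msg_type) {
        case SSL_HND_CLIENT_HELLO:
        case SSL_HND_SERVER_HELLO:
        case SSL_HND_HELLO_RETRY_REQUEST:
        case SSL_HND_ENCRYPTED_EXTENSIONS:
        case SSL_HND_CERT_REQUEST:
            return true;
        case SSL_HND_CERTIFICATE:
        case SSL_HND_CERT_VERIFY:
        case SSL_HND_FINISHED:
            return is_from_server;
        case SSL_HND_END_OF_EARLY_DATA:
        default:
            return false;
        }
    default:
        /* In [D]TLS 1.2, the handshake hash for the Extended Master Secret
         * (RFC 7627) is calculated up to and including ClientKeyExchange,
         * but the keys are not retrieved until ChangeCipherSpec later. If
         * mutual authentication is requested by the server, an intervening
         * CertificateVerify message can be sent but is not to be included
         * in the hash. Once the master secret is known the transcript is
         * complete and nothing more is appended. */
        if (msg_type == SSL_HND_CERT_VERIFY)
            return false;
        return !(ssl_session->state & SSL_MASTER_SECRET);
    }
}

/* Grow the session's transcript buffer by length bytes and return a pointer
 * to the newly added tail, which the caller fills in.
 *
 * Returns NULL, leaving the buffer untouched, if the 32-bit data_len counter
 * would wrap: old_length + length is computed in 32 bits, and a wrapped size
 * would make wmem_realloc hand back a buffer too small for the copy that
 * follows. The buffer is allocated in file scope, so it is released with the
 * capture rather than here. */
static unsigned char *
ssl_handshake_hash_reserve(SslDecryptSession *ssl_session, uint32_t length)
{
    const uint32_t old_length = ssl_session->handshake_data.data_len;

    if (length > UINT32_MAX - old_length) {
        ssl_debug_printf("Handshake transcript too large (%u + %u bytes), not appended\n",
                         old_length, length);
        return NULL;
    }

    ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(),
            ssl_session->handshake_data.data, old_length + length);
    ssl_session->handshake_data.data_len = old_length + length;
    return ssl_session->handshake_data.data + old_length;
}

/* Append one handshake message (length bytes at offset in tvb) to the
 * session's handshake transcript, if that message type belongs in it.
 *
 * The handshake transcript can be used in [D]TLS 1.2 for the extended
 * master secret of RFC 7627, and in [D]TLS 1.3 for computing the secrets,
 * though the latter is only useful when pke_ke (PSK-only key exchange) is
 * negotiated.
 *
 * ssl_session may be NULL (nothing is done). tvb may be NULL: DTLS uses that
 * to append length (< 4) zero bytes standing in for the fragment fields. A
 * message whose bytes are not (fully) present in tvb is skipped, so the
 * transcript simply stays incomplete for that session. */
void
ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length, uint8_t msg_type, bool is_from_server)
{
    if (!ssl_session)
        return;
    if (!ssl_handshake_hash_includes(ssl_session, msg_type, is_from_server))
        return;

    /* offset and length are uint32_t, hence %u. */
    ssl_debug_printf("Calculating hash with offset %u %u\n", offset, length);
    if (tvb) {
        if (!tvb_bytes_exist(tvb, offset, length))
            return;
        unsigned char *dst = ssl_handshake_hash_reserve(ssl_session, length);
        if (dst)
            tvb_memcpy(tvb, dst, offset, length);
    } else {
        /* DTLS calculates the hash as if each handshake message had been
         * sent as a single fragment (RFC 6347, section 4.2.6) and passes
         * in a null tvbuff to add 3 bytes for a zero fragment offset.
         */
        DISSECTOR_ASSERT_CMPINT(length, <, 4);
        unsigned char *dst = ssl_handshake_hash_reserve(ssl_session, length);
        if (dst)
            memset(dst, 0, length);
    }
}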
13233
13234
13235/*
13236 * Editor modelines - https://www.wireshark.org/tools/modelines.html
13237 *
13238 * Local variables:
13239 * c-basic-offset: 4
13240 * tab-width: 8
13241 * indent-tabs-mode: nil
13242 * End:
13243 *
13244 * vi: set shiftwidth=4 tabstop=8 expandtab:
13245 * :indentSize=4:tabSize=8:noTabs=true:
13246 */