Bug Summary

File:epan/dissectors/packet-tls-utils.c
Warning:line 4857, column 17
Potential leak of memory pointed to by 'handshake_hashed_data.data'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-20/lib/clang/20 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-20/lib/clang/20/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-truncation -Wno-format-nonliteral -Wno-pointer-sign -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2025-09-12-100405-3933-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <[email protected]>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <[email protected]>
6 * Copyright (c) 2014, Peter Wu <[email protected]>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <[email protected]>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15#include "config.h"
16
17#include <stdlib.h>
18#include <errno(*__errno_location ()).h>
19
20#include <epan/packet.h>
21#include <epan/strutil.h>
22#include <epan/addr_resolv.h>
23#include <epan/expert.h>
24#include <epan/asn1.h>
25#include <epan/proto_data.h>
26#include <epan/oids.h>
27#include <epan/secrets.h>
28
29#include <wsutil/inet_cidr.h>
30#include <wsutil/filesystem.h>
31#include <wsutil/file_util.h>
32#include <wsutil/str_util.h>
33#include <wsutil/report_message.h>
34#include <wsutil/pint.h>
35#include <wsutil/strtoi.h>
36#include <wsutil/wsgcrypt.h>
37#include <wsutil/rsa.h>
38#include <wsutil/ws_assert.h>
39#include <wsutil/zlib_compat.h>
40#include "packet-ber.h"
41#include "packet-x509af.h"
42#include "packet-x509if.h"
43#include "packet-tls-utils.h"
44#include "packet-ocsp.h"
45#include "packet-tls.h"
46#include "packet-dtls.h"
47#include "packet-quic.h"
48#if defined(HAVE_LIBGNUTLS1)
49#include <gnutls/abstract.h>
50#endif
51
52/* JA3/JA3S calculations must ignore GREASE values
53 * as described in RFC 8701.
54 */
55#define IS_GREASE_TLS(x)((((x) & 0x0f0f) == 0x0a0a) && (((x) & 0xff) ==
(((x)>>8) & 0xff))) ((((x) & 0x0f0f) == 0x0a0a) && \
56 (((x) & 0xff) == (((x)>>8) & 0xff)))
57
58/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
59 * form for a similar purpose as GREASE.
60 */
61#define IS_GREASE_QUIC(x)((x) > 27 ? ((((x) - 27) % 31) == 0) : 0) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)
62
63#define DTLS13_MAX_EPOCH10 10
64
65/* Lookup tables {{{ */
66const value_string ssl_version_short_names[] = {
67 { SSLV2_VERSION0x0002, "SSLv2" },
68 { SSLV3_VERSION0x300, "SSLv3" },
69 { TLSV1_VERSION0x301, "TLSv1" },
70 { TLCPV1_VERSION0x101, "TLCP" },
71 { TLSV1DOT1_VERSION0x302, "TLSv1.1" },
72 { TLSV1DOT2_VERSION0x303, "TLSv1.2" },
73 { TLSV1DOT3_VERSION0x304, "TLSv1.3" },
74 { DTLSV1DOT0_VERSION0xfeff, "DTLSv1.0" },
75 { DTLSV1DOT2_VERSION0xfefd, "DTLSv1.2" },
76 { DTLSV1DOT3_VERSION0xfefc, "DTLSv1.3" },
77 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
78 { 0x00, NULL((void*)0) }
79};
80
81const value_string ssl_versions[] = {
82 { SSLV2_VERSION0x0002, "SSL 2.0" },
83 { SSLV3_VERSION0x300, "SSL 3.0" },
84 { TLSV1_VERSION0x301, "TLS 1.0" },
85 { TLCPV1_VERSION0x101, "TLCP" },
86 { TLSV1DOT1_VERSION0x302, "TLS 1.1" },
87 { TLSV1DOT2_VERSION0x303, "TLS 1.2" },
88 { TLSV1DOT3_VERSION0x304, "TLS 1.3" },
89 { 0x7F0E, "TLS 1.3 (draft 14)" },
90 { 0x7F0F, "TLS 1.3 (draft 15)" },
91 { 0x7F10, "TLS 1.3 (draft 16)" },
92 { 0x7F11, "TLS 1.3 (draft 17)" },
93 { 0x7F12, "TLS 1.3 (draft 18)" },
94 { 0x7F13, "TLS 1.3 (draft 19)" },
95 { 0x7F14, "TLS 1.3 (draft 20)" },
96 { 0x7F15, "TLS 1.3 (draft 21)" },
97 { 0x7F16, "TLS 1.3 (draft 22)" },
98 { 0x7F17, "TLS 1.3 (draft 23)" },
99 { 0x7F18, "TLS 1.3 (draft 24)" },
100 { 0x7F19, "TLS 1.3 (draft 25)" },
101 { 0x7F1A, "TLS 1.3 (draft 26)" },
102 { 0x7F1B, "TLS 1.3 (draft 27)" },
103 { 0x7F1C, "TLS 1.3 (draft 28)" },
104 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },
105 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },
106 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
107 { DTLSV1DOT0_VERSION0xfeff, "DTLS 1.0" },
108 { DTLSV1DOT2_VERSION0xfefd, "DTLS 1.2" },
109 { DTLSV1DOT3_VERSION0xfefc, "DTLS 1.3" },
110 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
111 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
112 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
113 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
114 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
115 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
116 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
117 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
118 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
119 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
120 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */
121 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */
122 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */
123 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */
124 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */
125 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */
126 { 0x00, NULL((void*)0) }
127};
128
129static const value_string ssl_version_ja4_names[] = {
130 { 0x0100, "s1" },
131 { SSLV2_VERSION0x0002, "s2" },
132 { SSLV3_VERSION0x300, "s3" },
133 { TLSV1_VERSION0x301, "10" },
134 { TLSV1DOT1_VERSION0x302, "11" },
135 { TLSV1DOT2_VERSION0x303, "12" },
136 { TLSV1DOT3_VERSION0x304, "13" },
137 { DTLSV1DOT0_VERSION0xfeff, "d1" },
138 { DTLSV1DOT2_VERSION0xfefd, "d2" },
139 { DTLSV1DOT3_VERSION0xfefc, "d3" },
140 { 0x00, NULL((void*)0) }
141};
142
143const value_string ssl_20_msg_types[] = {
144 { SSL2_HND_ERROR0x00, "Error" },
145 { SSL2_HND_CLIENT_HELLO0x01, "Client Hello" },
146 { SSL2_HND_CLIENT_MASTER_KEY0x02, "Client Master Key" },
147 { SSL2_HND_CLIENT_FINISHED0x03, "Client Finished" },
148 { SSL2_HND_SERVER_HELLO0x04, "Server Hello" },
149 { SSL2_HND_SERVER_VERIFY0x05, "Server Verify" },
150 { SSL2_HND_SERVER_FINISHED0x06, "Server Finished" },
151 { SSL2_HND_REQUEST_CERTIFICATE0x07, "Request Certificate" },
152 { SSL2_HND_CLIENT_CERTIFICATE0x08, "Client Certificate" },
153 { 0x00, NULL((void*)0) }
154};
155/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
156/* Note: sorted by ascending value so value_string-ext can do a binary search */
157static const value_string ssl_20_cipher_suites[] = {
158 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
159 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
160 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
161 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
162 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
163 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
164 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
165 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
166 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
167 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
168 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
169 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
170 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
171 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
172 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
173 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
174 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
175 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
176 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
177 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
178 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
179 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
180 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
181 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
182 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
183 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
184 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
185 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
186 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
187 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
188#if 0
189 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
190#endif
191 /* RFC 2712 */
192 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
193 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
194 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
195 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
196 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
197 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
198 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
199 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
200 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
201 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
202 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
203 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
204 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
205 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
206 /* RFC 4785 */
207 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
208 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
209 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
210 /* RFC 5246 */
211 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
212 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
213 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
214 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
215 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
216 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
217 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
218 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
219 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
220 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
221 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
222 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
223 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
224 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
225 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
226 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
227 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
228 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
229 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
230 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
231 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
232 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
233 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
234 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
235 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
236 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
237 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
238 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
239 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
240 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
241 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
242 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
243 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
244 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
245 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
246 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
247 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
248 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
249 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
250 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
251 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
252 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
253 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
254 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
255 /* 0x00,0x6E-83 Unassigned */
256 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
257 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
258 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
259 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
260 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
261 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
262 /* RFC 4279 */
263 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
264 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
265 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
266 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
267 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
268 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
269 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
270 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
271 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
272 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
273 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
274 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
275 /* RFC 4162 */
276 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
277 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
278 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
279 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
280 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
281 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
282 /* RFC 5288 */
283 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
284 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
285 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
286 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
287 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
288 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
289 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
290 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
291 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
292 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
293 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
294 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
295 /* RFC 5487 */
296 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
297 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
298 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
299 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
300 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
301 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
302 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
303 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
304 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
305 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
306 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
307 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
308 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
309 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
310 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
311 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
312 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
313 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
314 /* From RFC 5932 */
315 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
316 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
317 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
318 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
319 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
320 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
321 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
322 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
323 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
324 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
325 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
326 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
327 /* 0x00,0xC6-FE Unassigned */
328 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
329 /* 0x01-BF,* Unassigned */
330 /* From RFC 4492 */
331 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
332 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
333 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
334 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
335 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
336 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
337 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
338 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
339 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
340 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
341 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
342 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
343 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
344 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
345 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
346 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
347 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
348 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
349 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
350 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
351 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
352 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
353 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
354 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
355 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
356 /* RFC 5054 */
357 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
358 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
359 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
360 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
361 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
362 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
363 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
364 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
365 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
366 /* RFC 5589 */
367 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
368 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
369 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
370 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
371 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
372 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
373 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
374 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
375 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
376 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
377 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
378 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
379 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
380 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
381 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
382 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
383 /* RFC 5489 */
384 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
385 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
386 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
387 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
388 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
389 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
390 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
391 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
392 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
393 /* 0xC0,0x3C-FF Unassigned
394 0xC1-FD,* Unassigned
395 0xFE,0x00-FD Unassigned
396 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
397 0xFF,0x00-FF Reserved for Private Use [RFC5246]
398 */
399
400 /* old numbers used in the beginning
401 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
402 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
403 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
404 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
405
406 /* https://tools.ietf.org/html/rfc7905 */
407 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
408 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
409 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
410 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
411 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
412 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
413 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
414
415 /* GM/T 0024-2014 */
416 { 0x00e001, "ECDHE_SM1_SM3"},
417 { 0x00e003, "ECC_SM1_SM3"},
418 { 0x00e005, "IBSDH_SM1_SM3"},
419 { 0x00e007, "IBC_SM1_SM3"},
420 { 0x00e009, "RSA_SM1_SM3"},
421 { 0x00e00a, "RSA_SM1_SHA1"},
422 { 0x00e011, "ECDHE_SM4_CBC_SM3"},
423 { 0x00e013, "ECC_SM4_CBC_SM3"},
424 { 0x00e015, "IBSDH_SM4_CBC_SM3"},
425 { 0x00e017, "IBC_SM4_CBC_SM3"},
426 { 0x00e019, "RSA_SM4_CBC_SM3"},
427 { 0x00e01a, "RSA_SM4_CBC_SHA1"},
428 { 0x00e01c, "RSA_SM4_CBC_SHA256"},
429 { 0x00e051, "ECDHE_SM4_GCM_SM3"},
430 { 0x00e053, "ECC_SM4_GCM_SM3"},
431 { 0x00e055, "IBSDH_SM4_GCM_SM3"},
432 { 0x00e057, "IBC_SM4_GCM_SM3"},
433 { 0x00e059, "RSA_SM4_GCM_SM3"},
434 { 0x00e05a, "RSA_SM4_GCM_SHA256"},
435
436 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
437 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
438 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
439 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
440 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
441 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
442 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
443 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
444 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
445 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
446 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
447 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
448 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
449 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
450 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
451 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
452 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
453
454 /* these from http://www.mozilla.org/projects/
455 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
456 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
457 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
458 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
459 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
460 /* note that ciphersuites of {0x00????} are TLS cipher suites in
461 * a sslv2 client hello message; the ???? above is the two-byte
462 * tls cipher suite id
463 */
464
465 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
466 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
467 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
468 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
469 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
470 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
471 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
472 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
473
474 { 0x00, NULL((void*)0) }
475};
476
477value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites){ _try_val_to_str_ext_init, 0, (sizeof (ssl_20_cipher_suites)
/ sizeof ((ssl_20_cipher_suites)[0]))-1, ssl_20_cipher_suites
, "ssl_20_cipher_suites", ((void*)0) };
478
479
480/*
481 * Supported Groups (formerly named "EC Named Curve").
482 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
483 */
484const value_string ssl_extension_curves[] = {
485 { 1, "sect163k1" },
486 { 2, "sect163r1" },
487 { 3, "sect163r2" },
488 { 4, "sect193r1" },
489 { 5, "sect193r2" },
490 { 6, "sect233k1" },
491 { 7, "sect233r1" },
492 { 8, "sect239k1" },
493 { 9, "sect283k1" },
494 { 10, "sect283r1" },
495 { 11, "sect409k1" },
496 { 12, "sect409r1" },
497 { 13, "sect571k1" },
498 { 14, "sect571r1" },
499 { 15, "secp160k1" },
500 { 16, "secp160r1" },
501 { 17, "secp160r2" },
502 { 18, "secp192k1" },
503 { 19, "secp192r1" },
504 { 20, "secp224k1" },
505 { 21, "secp224r1" },
506 { 22, "secp256k1" },
507 { 23, "secp256r1" },
508 { 24, "secp384r1" },
509 { 25, "secp521r1" },
510 { 26, "brainpoolP256r1" }, /* RFC 7027 */
511 { 27, "brainpoolP384r1" }, /* RFC 7027 */
512 { 28, "brainpoolP512r1" }, /* RFC 7027 */
513 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
514 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
515 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
516 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
517 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
518 { 34, "GC256A" }, /* RFC9189 */
519 { 35, "GC256B" }, /* RFC9189 */
520 { 36, "GC256C" }, /* RFC9189 */
521 { 37, "GC256D" }, /* RFC9189 */
522 { 38, "GC512A" }, /* RFC9189 */
523 { 39, "GC512B" }, /* RFC9189 */
524 { 40, "GC512C" }, /* RFC9189 */
525 { 41, "curveSM2" }, /* RFC 8998 */
526 { 256, "ffdhe2048" }, /* RFC 7919 */
527 { 257, "ffdhe3072" }, /* RFC 7919 */
528 { 258, "ffdhe4096" }, /* RFC 7919 */
529 { 259, "ffdhe6144" }, /* RFC 7919 */
530 { 260, "ffdhe8192" }, /* RFC 7919 */
531 { 512, "MLKEM512"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
532 { 513, "MLKEM768"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
533 { 514, "MLKEM1024"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
534 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
535 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
536 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
537 { 4589, "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
538 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
539 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
540 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
541 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
542 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
543 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
544 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
545 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
546 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
547 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
548 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
549 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
550 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
552 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
553 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 0xFF01, "arbitrary_explicit_prime_curves" },
556 { 0xFF02, "arbitrary_explicit_char2_curves" },
557 /* Below are various unofficial values that have been used for testing. */
558 /* PQC key exchange algorithms from OQS-OpenSSL,
559 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
560 These use IANA unassigned values and this list may be incomplete.
561 */
562 { 0x2F00, "p256_frodo640aes" },
563 { 0x2F01, "p256_frodo640shake" },
564 { 0x2F02, "p384_frodo976aes" },
565 { 0x0203, "frodo976shake" },
566 { 0x2F03, "p384_frodo976shake" },
567 { 0x0204, "frodo1344aes" },
568 { 0x2F04, "p521_frodo1344aes" },
569 { 0x0205, "frodo1344shake" },
570 { 0x2F05, "p521_frodo1344shake" },
571 { 0x023A, "kyber512" },
572 { 0x2F3A, "p256_kyber512" },
573 { 0x023C, "kyber768" },
574 { 0x2F3C, "p384_kyber768" },
575 { 0x023D, "kyber1024" },
576 { 0x2F3D, "p521_kyber1024" },
577 { 0x0214, "ntru_hps2048509" },
578 { 0x2F14, "p256_ntru_hps2048509" },
579 { 0x0215, "ntru_hps2048677" },
580 { 0x2F15, "p384_ntru_hps2048677" },
581 { 0x0216, "ntru_hps4096821" },
582 { 0x2F16, "p521_ntru_hps4096821" },
583 { 0x0245, "ntru_hps40961229" },
584 { 0x2F45, "p521_ntru_hps40961229" },
585 { 0x0217, "ntru_hrss701" },
586 { 0x2F17, "p384_ntru_hrss701" },
587 { 0x0246, "ntru_hrss1373" },
588 { 0x2F46, "p521_ntru_hrss1373" },
589 { 0x0218, "lightsaber" },
590 { 0x2F18, "p256_lightsaber" },
591 { 0x0219, "saber" },
592 { 0x2F19, "p384_saber" },
593 { 0x021A, "firesaber" },
594 { 0x2F1A, "p521_firesaber" },
595 { 0x021B, "sidhp434" },
596 { 0x2F1B, "p256_sidhp434" },
597 { 0x021C, "sidhp503" },
598 { 0x2F1C, "p256_sidhp503" },
599 { 0x021D, "sidhp610" },
600 { 0x2F1D, "p384_sidhp610" },
601 { 0x021E, "sidhp751" },
602 { 0x2F1E, "p521_sidhp751" },
603 { 0x021F, "sikep434" },
604 { 0x2F1F, "p256_sikep434" },
605 { 0x0220, "sikep503" },
606 { 0x2F20, "p256_sikep503" },
607 { 0x0221, "sikep610" },
608 { 0x2F21, "p384_sikep610" },
609 { 0x0222, "sikep751" },
610 { 0x2F22, "p521_sikep751" },
611 { 0x0238, "bikel1" },
612 { 0x2F38, "p256_bikel1" },
613 { 0x023B, "bikel3" },
614 { 0x2F3B, "p384_bikel3" },
615 { 0x023E, "kyber90s512" },
616 { 0x2F3E, "p256_kyber90s512" },
617 { 0x023F, "kyber90s768" },
618 { 0x2F3F, "p384_kyber90s768" },
619 { 0x0240, "kyber90s1024" },
620 { 0x2F40, "p521_kyber90s1024" },
621 { 0x022C, "hqc128" },
622 { 0x2F2C, "p256_hqc128" },
623 { 0x022D, "hqc192" },
624 { 0x2F2D, "p384_hqc192" },
625 { 0x022E, "hqc256" },
626 { 0x2F2E, "p521_hqc256" },
627 { 0x022F, "ntrulpr653" },
628 { 0x2F2F, "p256_ntrulpr653" },
629 { 0x0230, "ntrulpr761" },
630 { 0x2F43, "p256_ntrulpr761" },
631 { 0x0231, "ntrulpr857" },
632 { 0x2F31, "p384_ntrulpr857" },
633 { 0x0241, "ntrulpr1277" },
634 { 0x2F41, "p521_ntrulpr1277" },
635 { 0x0232, "sntrup653" },
636 { 0x2F32, "p256_sntrup653" },
637 { 0x0233, "sntrup761" },
638 { 0x2F44, "p256_sntrup761" },
639 { 0x0234, "sntrup857" },
640 { 0x2F34, "p384_sntrup857" },
641 { 0x0242, "sntrup1277" },
642 { 0x2F42, "p521_sntrup1277" },
643 /* Other PQ key exchange algorithms, using Reserved for Private Use values
644 https://blog.cloudflare.com/post-quantum-for-all
645 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
646 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
647 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
648 { 0x00, NULL((void*)0) }
649};
650
651const value_string ssl_curve_types[] = {
652 { 1, "explicit_prime" },
653 { 2, "explicit_char2" },
654 { 3, "named_curve" },
655 { 0x00, NULL((void*)0) }
656};
657
658const value_string ssl_extension_ec_point_formats[] = {
659 { 0, "uncompressed" },
660 { 1, "ansiX962_compressed_prime" },
661 { 2, "ansiX962_compressed_char2" },
662 { 0x00, NULL((void*)0) }
663};
664
665const value_string ssl_20_certificate_type[] = {
666 { 0x00, "N/A" },
667 { 0x01, "X.509 Certificate" },
668 { 0x00, NULL((void*)0) }
669};
670
671const value_string ssl_31_content_type[] = {
672 { 20, "Change Cipher Spec" },
673 { 21, "Alert" },
674 { 22, "Handshake" },
675 { 23, "Application Data" },
676 { 24, "Heartbeat" },
677 { 25, "Connection ID" },
678 { 0x00, NULL((void*)0) }
679};
680
681#if 0
682/* XXX - would be used if we dissected the body of a Change Cipher Spec
683 message. */
684const value_string ssl_31_change_cipher_spec[] = {
685 { 1, "Change Cipher Spec" },
686 { 0x00, NULL((void*)0) }
687};
688#endif
689
690const value_string ssl_31_alert_level[] = {
691 { 1, "Warning" },
692 { 2, "Fatal" },
693 { 0x00, NULL((void*)0) }
694};
695
696const value_string ssl_31_alert_description[] = {
697 { 0, "Close Notify" },
698 { 1, "End of Early Data" },
699 { 10, "Unexpected Message" },
700 { 20, "Bad Record MAC" },
701 { 21, "Decryption Failed" },
702 { 22, "Record Overflow" },
703 { 30, "Decompression Failure" },
704 { 40, "Handshake Failure" },
705 { 41, "No Certificate" },
706 { 42, "Bad Certificate" },
707 { 43, "Unsupported Certificate" },
708 { 44, "Certificate Revoked" },
709 { 45, "Certificate Expired" },
710 { 46, "Certificate Unknown" },
711 { 47, "Illegal Parameter" },
712 { 48, "Unknown CA" },
713 { 49, "Access Denied" },
714 { 50, "Decode Error" },
715 { 51, "Decrypt Error" },
716 { 60, "Export Restriction" },
717 { 70, "Protocol Version" },
718 { 71, "Insufficient Security" },
719 { 80, "Internal Error" },
720 { 86, "Inappropriate Fallback" },
721 { 90, "User Canceled" },
722 { 100, "No Renegotiation" },
723 { 109, "Missing Extension" },
724 { 110, "Unsupported Extension" },
725 { 111, "Certificate Unobtainable" },
726 { 112, "Unrecognized Name" },
727 { 113, "Bad Certificate Status Response" },
728 { 114, "Bad Certificate Hash Value" },
729 { 115, "Unknown PSK Identity" },
730 { 116, "Certificate Required" },
731 { 120, "No application Protocol" },
732 { 121, "ECH Required" },
733 { 0x00, NULL((void*)0) }
734};
735
736const value_string ssl_31_handshake_type[] = {
737 { SSL_HND_HELLO_REQUEST, "Hello Request" },
738 { SSL_HND_CLIENT_HELLO, "Client Hello" },
739 { SSL_HND_SERVER_HELLO, "Server Hello" },
740 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
741 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
742 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
743 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
744 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
745 { SSL_HND_CERTIFICATE, "Certificate" },
746 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
747 { SSL_HND_CERT_REQUEST, "Certificate Request" },
748 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
749 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
750 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
751 { SSL_HND_FINISHED, "Finished" },
752 { SSL_HND_CERT_URL, "Client Certificate URL" },
753 { SSL_HND_CERT_STATUS, "Certificate Status" },
754 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
755 { SSL_HND_KEY_UPDATE, "Key Update" },
756 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
757 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
758 { 0x00, NULL((void*)0) }
759};
760
761const value_string tls_heartbeat_type[] = {
762 { 1, "Request" },
763 { 2, "Response" },
764 { 0x00, NULL((void*)0) }
765};
766
767const value_string tls_heartbeat_mode[] = {
768 { 1, "Peer allowed to send requests" },
769 { 2, "Peer not allowed to send requests" },
770 { 0x00, NULL((void*)0) }
771};
772
773const value_string ssl_31_compression_method[] = {
774 { 0, "null" },
775 { 1, "DEFLATE" },
776 { 64, "LZS" },
777 { 0x00, NULL((void*)0) }
778};
779
780#if 0
781/* XXX - would be used if we dissected a Signature, as would be
782 seen in a server key exchange or certificate verify message. */
783const value_string ssl_31_key_exchange_algorithm[] = {
784 { 0, "RSA" },
785 { 1, "Diffie Hellman" },
786 { 0x00, NULL((void*)0) }
787};
788
789const value_string ssl_31_signature_algorithm[] = {
790 { 0, "Anonymous" },
791 { 1, "RSA" },
792 { 2, "DSA" },
793 { 0x00, NULL((void*)0) }
794};
795#endif
796
797const value_string ssl_31_client_certificate_type[] = {
798 { 1, "RSA Sign" },
799 { 2, "DSS Sign" },
800 { 3, "RSA Fixed DH" },
801 { 4, "DSS Fixed DH" },
802 /* GOST certificate types */
803 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
804 { 21, "GOST R 34.10-94" },
805 { 22, "GOST R 34.10-2001" },
806 /* END GOST certificate types */
807 { 64, "ECDSA Sign" },
808 { 65, "RSA Fixed ECDH" },
809 { 66, "ECDSA Fixed ECDH" },
810 { 80, "IBC Params" },
811 { 0x00, NULL((void*)0) }
812};
813
814#if 0
815/* XXX - would be used if we dissected exchange keys, as would be
816 seen in a client key exchange message. */
817const value_string ssl_31_public_value_encoding[] = {
818 { 0, "Implicit" },
819 { 1, "Explicit" },
820 { 0x00, NULL((void*)0) }
821};
822#endif
823
824/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
825/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
826static const value_string ssl_31_ciphersuite[] = {
827 /* RFC 2246, RFC 4346, RFC 5246 */
828 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
829 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
830 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
831 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
832 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
833 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
834 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
835 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
836 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
837 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
838 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
839 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
840 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
841 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
842 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
843 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
844 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
845 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
846 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
847 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
848 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
849 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
850 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
851 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
852 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
853 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
854 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
855 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
856
857 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
858 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
859#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
860 to remove according to David Hopwood <[email protected]>
861 of the ietf-tls list */
862 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
863#endif
864 /* RFC 2712 */
865 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
866 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
867 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
868 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
869 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
870 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
871 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
872 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
873 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
874 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
875 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
876 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
877 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
878 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
879 /* RFC 4785 */
880 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
881 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
882 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
883 /* RFC 5246 */
884 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
885 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
886 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
887 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
888 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
889 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
890 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
891 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
892 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
893 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
894 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
895 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
896 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
897 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
898 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
899 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
900 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
901 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
902 /* RFC 4132 */
903 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
904 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
905 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
906 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
907 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
908 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
909 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
910 /* --- ??? --- */
911 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
912 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
913 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
914 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
915 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
916 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
917 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
918 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
919 /* --- ??? ---*/
920 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
921 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
922 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
923 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
924 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
925 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
926 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
927 /* draft-chudov-cryptopro-cptls-04.txt */
928 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
929 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
930 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
931 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
932 /* RFC 4132 */
933 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
934 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
935 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
936 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
937 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
938 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
939 /* RFC 4279 */
940 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
941 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
942 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
943 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
944 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
945 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
946 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
947 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
948 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
949 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
950 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
951 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
952 /* RFC 4162 */
953 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
954 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
955 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
956 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
957 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
958 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
959 /* RFC 5288 */
960 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
961 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
962 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
963 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
964 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
965 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
966 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
967 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
968 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
969 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
970 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
971 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
972 /* RFC 5487 */
973 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
974 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
975 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
976 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
977 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
978 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
979 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
980 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
981 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
982 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
983 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
984 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
985 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
986 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
987 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
988 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
989 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
990 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
991 /* From RFC 5932 */
992 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
993 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
994 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
995 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
996 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
997 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
998 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
999 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1000 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1001 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1002 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1003 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1004 /* RFC 8998 */
1005 { 0x00C6, "TLS_SM4_GCM_SM3" },
1006 { 0x00C7, "TLS_SM4_CCM_SM3" },
1007 /* 0x00,0xC8-FE Unassigned */
1008 /* From RFC 5746 */
1009 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1010 /* RFC 8701 */
1011 { 0x0A0A, "Reserved (GREASE)" },
1012 /* RFC 8446 */
1013 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1014 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1015 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1016 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1017 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1018 /* RFC 8701 */
1019 { 0x1A1A, "Reserved (GREASE)" },
1020 { 0x2A2A, "Reserved (GREASE)" },
1021 { 0x3A3A, "Reserved (GREASE)" },
1022 { 0x4A4A, "Reserved (GREASE)" },
1023 /* From RFC 7507 */
1024 { 0x5600, "TLS_FALLBACK_SCSV" },
1025 /* RFC 8701 */
1026 { 0x5A5A, "Reserved (GREASE)" },
1027 { 0x6A6A, "Reserved (GREASE)" },
1028 { 0x7A7A, "Reserved (GREASE)" },
1029 { 0x8A8A, "Reserved (GREASE)" },
1030 { 0x9A9A, "Reserved (GREASE)" },
1031 { 0xAAAA, "Reserved (GREASE)" },
1032 { 0xBABA, "Reserved (GREASE)" },
1033 /* From RFC 4492 */
1034 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1035 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1036 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1037 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1038 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1039 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1040 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1041 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1042 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1043 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1044 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1045 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1046 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1047 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1048 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1049 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1050 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1051 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1052 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1053 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1054 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1055 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1056 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1057 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1058 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1059 /* RFC 5054 */
1060 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1061 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1062 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1063 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1064 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1065 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1066 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1067 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1068 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1069 /* RFC 5589 */
1070 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1071 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1072 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1073 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1074 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1075 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1076 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1077 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1078 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1079 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1080 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1081 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1082 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1083 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1084 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1085 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1086 /* RFC 5489 */
1087 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1088 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1089 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1090 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1091 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1092 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1093 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1094 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1095 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1096 /* RFC 6209 */
1097 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1098 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1099 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1100 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1101 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1102 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1103 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1104 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1105 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1106 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1107 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1108 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1109 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1110 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1111 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1112 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1113 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1114 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1115 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1116 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1117 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1118 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1119 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1120 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1121 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1122 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1123 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1124 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1125 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1126 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1127 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1128 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1129 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1130 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1131 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1132 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1133 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1134 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1135 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1136 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1137 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1138 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1139 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1140 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1141 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1142 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1143 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1144 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1145 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1146 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1147 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1148 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1149 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1150 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1151 /* RFC 6367 */
1152 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1153 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1154 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1155 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1156 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1157 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1158 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1159 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1160 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1161 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1162 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1163 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1164 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1165 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1166 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1167 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1168 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1169 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1170 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1171 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1172 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1173 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1174 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1175 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1176 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1177 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1178 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1179 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1180 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1181 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1182 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1183 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1184 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1185 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1186 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1187 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1188 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1189 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1190 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1191 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1192 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1193 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1194 /* RFC 6655 */
1195 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1196 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1197 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1198 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1199 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1200 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1201 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1202 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1203 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1204 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1205 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1206 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1207 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1208 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1209 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1210 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1211 /* RFC 7251 */
1212 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1213 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1214 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1215 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1216 /* RFC 8492 */
1217 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1218 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1219 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1220 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1221 /* draft-camwinget-tls-ts13-macciphersuites */
1222 { 0xC0B4, "TLS_SHA256_SHA256" },
1223 { 0xC0B5, "TLS_SHA384_SHA384" },
1224 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1225 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1226 /* draft-smyshlyaev-tls12-gost-suites */
1227 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1228 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1229 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1230 /* draft-smyshlyaev-tls13-gost-suites */
1231 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1232 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1233 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1234 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1235 /* RFC 8701 */
1236 { 0xCACA, "Reserved (GREASE)" },
1237/*
12380xC0,0xAB-FF Unassigned
12390xC1,0x03-FD,* Unassigned
12400xFE,0x00-FD Unassigned
12410xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
12420xFF,0x00-FF Reserved for Private Use [RFC5246]
1243*/
1244 /* old numbers used in the beginning
1245 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
1246 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1247 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1248 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1249 /* RFC 7905 */
1250 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1251 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1252 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1253 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1254 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1255 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1256 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1257 /* RFC 8442 */
1258 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1259 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1260 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1261 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1262 /* RFC 8701 */
1263 { 0xDADA, "Reserved (GREASE)" },
1264 /* GM/T 0024-2014 */
1265 { 0xe001, "ECDHE_SM1_SM3"},
1266 { 0xe003, "ECC_SM1_SM3"},
1267 { 0xe005, "IBSDH_SM1_SM3"},
1268 { 0xe007, "IBC_SM1_SM3"},
1269 { 0xe009, "RSA_SM1_SM3"},
1270 { 0xe00a, "RSA_SM1_SHA1"},
1271 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1272 { 0xe013, "ECC_SM4_CBC_SM3"},
1273 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1274 { 0xe017, "IBC_SM4_CBC_SM3"},
1275 { 0xe019, "RSA_SM4_CBC_SM3"},
1276 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1277 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1278 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1279 { 0xe053, "ECC_SM4_GCM_SM3"},
1280 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1281 { 0xe057, "IBC_SM4_GCM_SM3"},
1282 { 0xe059, "RSA_SM4_GCM_SM3"},
1283 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1284 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1285 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1286 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1287 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1288 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1289 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1290 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1291 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1292 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1293 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1294 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1295 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1296 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1297 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1298 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1299 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1300 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1301 /* RFC 8701 */
1302 { 0xEAEA, "Reserved (GREASE)" },
1303 { 0xFAFA, "Reserved (GREASE)" },
1304 /* these from http://www.mozilla.org/projects/
1305 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
1306 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1307 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1308 /* https://datatracker.ietf.org/doc/html/rfc9189 */
1309 { 0xff85, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"},
1310 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1311 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1312 /* note that ciphersuites 0xff00 - 0xffff are private */
1313 { 0x00, NULL((void*)0) }
1314};
1315
1316value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
, ((void*)0) };
1317
1318/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1319const value_string tls_hello_extension_types[] = {
1320 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1321 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1322 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1323 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1324 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1325 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1326 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1327 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1328 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1329 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1330 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1331 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1332 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1333 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1334 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1335 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1336 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1337 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1338 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1339 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1340 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1341 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1342 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1343 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1344 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1345 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1346 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1347 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1348 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1349 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1350 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1351 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1352 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1353 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1354 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1355 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1356 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1357 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1358 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1359 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1360 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1363 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1364 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1365 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1366 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1367 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1368 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1369 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1370 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1371 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1372 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1373 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://tools.ietf.org/id/draft-agl-tls-nextprotoneg-03.html */
1374 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1375 { SSL_HND_HELLO_EXT_ALPS_OLD17513, "application_settings_old" }, /* draft-vvv-tls-alps-01 */
1376 { SSL_HND_HELLO_EXT_ALPS17613, "application_settings" }, /* draft-vvv-tls-alps-01 */ /* https://chromestatus.com/feature/5149147365900288 */
1377 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1378 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1379 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1381 https://twitter.com/ericlaw/status/274237352531083264 */
1382 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1383 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1384 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1385 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1386 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1387 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1389 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1390 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1391 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1392 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1393 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1395 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1396 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1397 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1398 { 0, NULL((void*)0) }
1399};
1400
1401const value_string tls_hello_ext_server_name_type_vs[] = {
1402 { 0, "host_name" },
1403 { 0, NULL((void*)0) }
1404};
1405
1406/* RFC 6066 Section 4 */
1407const value_string tls_hello_ext_max_fragment_length[] = {
1408 { 1, "512" }, // 2^9
1409 { 2, "1024" }, // 2^10
1410 { 3, "2048" }, // 2^11
1411 { 4, "4096" }, // 2^12
1412 { 0, NULL((void*)0) }
1413};
1414
1415/* RFC 8446 Section 4.2.9 */
1416const value_string tls_hello_ext_psk_ke_mode[] = {
1417 { 0, "PSK-only key establishment (psk_ke)" },
1418 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
1419 { 0, NULL((void*)0) }
1420};
1421
1422/* RFC 6066 Section 6 */
1423const value_string tls_hello_ext_trusted_ca_key_type[] = {
1424 {0, "pre_agreed"},
1425 {1, "key_sha1_hash"},
1426 {2, "x509_name"},
1427 {3, "cert_sha1_hash"},
1428 {0, NULL((void*)0)}
1429};
1430
1431const value_string tls13_key_update_request[] = {
1432 { 0, "update_not_requested" },
1433 { 1, "update_requested" },
1434 { 0, NULL((void*)0) }
1435};
1436
1437/* RFC 5246 7.4.1.4.1 */
1438/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1439/* Note that the TLS 1.3 SignatureScheme registry reserves all values
1440 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1441 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1442 *
1443 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1444 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1445 * and TLS HashAlgorithm registries, but the new values are not compatible
1446 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1447 * cause confusion if used to interpret one of those schemes in a
1448 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1449 */
1450const value_string tls_hash_algorithm[] = {
1451 { 0, "None" },
1452 { 1, "MD5" },
1453 { 2, "SHA1" },
1454 { 3, "SHA224" },
1455 { 4, "SHA256" },
1456 { 5, "SHA384" },
1457 { 6, "SHA512" },
1458#if 0
1459 /* RFC 8422 adds this to the HashAlgorithm registry, but it really
1460 * only applies to 0x0807 and 0x0808, not for other TLS 1.3
1461 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
1462 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
1463 */
1464 { 8, "Intrinsic" },
1465#endif
1466 { 0, NULL((void*)0) }
1467};
1468
1469const value_string tls_signature_algorithm[] = {
1470 { 0, "Anonymous" },
1471 { 1, "RSA" },
1472 { 2, "DSA" },
1473 { 3, "ECDSA" },
1474#if 0
1475 /* As above. */
1476 { 7, "ED25519" },
1477 { 8, "ED448" },
1478 { 64, "GOSTR34102012_256" },
1479 { 65, "GOSTR34102012_512" },
1480#endif
1481 { 0, NULL((void*)0) }
1482};
1483
1484/* RFC 8446 Section 4.2.3 */
1485const value_string tls13_signature_algorithm[] = {
1486 { 0x0201, "rsa_pkcs1_sha1" },
1487 { 0x0203, "ecdsa_sha1" },
1488 { 0x0401, "rsa_pkcs1_sha256" },
1489 { 0x0403, "ecdsa_secp256r1_sha256" },
1490 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1491 { 0x0501, "rsa_pkcs1_sha384" },
1492 { 0x0503, "ecdsa_secp384r1_sha384" },
1493 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1494 { 0x0601, "rsa_pkcs1_sha512" },
1495 { 0x0603, "ecdsa_secp521r1_sha512" },
1496 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1497 { 0x0708, "sm2sig_sm3" },
1498 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
1499 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
1500 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
1501 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
1502 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
1503 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
1504 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
1505 { 0x0804, "rsa_pss_rsae_sha256" },
1506 { 0x0805, "rsa_pss_rsae_sha384" },
1507 { 0x0806, "rsa_pss_rsae_sha512" },
1508 { 0x0807, "ed25519" },
1509 { 0x0808, "ed448" },
1510 { 0x0809, "rsa_pss_pss_sha256" },
1511 { 0x080a, "rsa_pss_pss_sha384" },
1512 { 0x080b, "rsa_pss_pss_sha512" },
1513 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
1514 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
1515 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
1516 /* PQC digital signature algorithms from OQS-OpenSSL,
1517 see https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-sig-info.md */
1518 { 0xfea0, "dilithium2" },
1519 { 0xfea1, "p256_dilithium2" },
1520 { 0xfea2, "rsa3072_dilithium2" },
1521 { 0xfea3, "dilithium3" },
1522 { 0xfea4, "p384_dilithium3" },
1523 { 0xfea5, "dilithium5" },
1524 { 0xfea6, "p521_dilithium5" },
1525 { 0xfea7, "dilithium2_aes" },
1526 { 0xfea8, "p256_dilithium2_aes" },
1527 { 0xfea9, "rsa3072_dilithium2_aes" },
1528 { 0xfeaa, "dilithium3_aes" },
1529 { 0xfeab, "p384_dilithium3_aes" },
1530 { 0xfeac, "dilithium5_aes" },
1531 { 0xfead, "p521_dilithium5_aes" },
1532 { 0xfe0b, "falcon512" },
1533 { 0xfe0c, "p256_falcon512" },
1534 { 0xfe0d, "rsa3072_falcon512" },
1535 { 0xfe0e, "falcon1024" },
1536 { 0xfe0f, "p521_falcon1024" },
1537 { 0xfe96, "picnicl1full" },
1538 { 0xfe97, "p256_picnicl1full" },
1539 { 0xfe98, "rsa3072_picnicl1full" },
1540 { 0xfe1b, "picnic3l1" },
1541 { 0xfe1c, "p256_picnic3l1" },
1542 { 0xfe1d, "rsa3072_picnic3l1" },
1543 { 0xfe27, "rainbowIclassic" },
1544 { 0xfe28, "p256_rainbowIclassic" },
1545 { 0xfe29, "rsa3072_rainbowIclassic" },
1546 { 0xfe3c, "rainbowVclassic" },
1547 { 0xfe3d, "p521_rainbowVclassic" },
1548 { 0xfe42, "sphincsharaka128frobust" },
1549 { 0xfe43, "p256_sphincsharaka128frobust" },
1550 { 0xfe44, "rsa3072_sphincsharaka128frobust" },
1551 { 0xfe5e, "sphincssha256128frobust" },
1552 { 0xfe5f, "p256_sphincssha256128frobust" },
1553 { 0xfe60, "rsa3072_sphincssha256128frobust" },
1554 { 0xfe7a, "sphincsshake256128frobust" },
1555 { 0xfe7b, "p256_sphincsshake256128frobust" },
1556 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
1557 { 0, NULL((void*)0) }
1558};
1559
1560/* RFC 6091 3.1 */
1561const value_string tls_certificate_type[] = {
1562 { 0, "X.509" },
1563 { 1, "OpenPGP" },
1564 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2, "Raw Public Key" }, /* RFC 7250 */
1565 { 0, NULL((void*)0) }
1566};
1567
1568const value_string tls_cert_chain_type[] = {
1569 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT1, "Individual Certificates" },
1570 { SSL_HND_CERT_URL_TYPE_PKIPATH2, "PKI Path" },
1571 { 0, NULL((void*)0) }
1572};
1573
1574const value_string tls_cert_status_type[] = {
1575 { SSL_HND_CERT_STATUS_TYPE_OCSP1, "OCSP" },
1576 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2, "OCSP Multi" },
1577 { 0, NULL((void*)0) }
1578};
1579
1580/* Generated by tools/make-tls-ct-logids.py
1581 * Last-Modified Sun, 07 Sep 2025 14:46:07 GMT, 182 entries. */
1582static const bytes_string ct_logids[] = {
1583 { (const uint8_t[]){
1584 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1585 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1586 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1587 },
1588 32, "Google 'Argon2020' log" },
1589 { (const uint8_t[]){
1590 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1591 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1592 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1593 },
1594 32, "Google 'Argon2021' log" },
1595 { (const uint8_t[]){
1596 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1597 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1598 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1599 },
1600 32, "Google 'Argon2022' log" },
1601 { (const uint8_t[]){
1602 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1603 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1604 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1605 },
1606 32, "Google 'Argon2023' log" },
1607 { (const uint8_t[]){
1608 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1609 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1610 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1611 },
1612 32, "Google 'Argon2024' log" },
1613 { (const uint8_t[]){
1614 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1615 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1616 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1617 },
1618 32, "Google 'Argon2025h1' log" },
1619 { (const uint8_t[]){
1620 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1621 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1622 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1623 },
1624 32, "Google 'Argon2025h2' log" },
1625 { (const uint8_t[]){
1626 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1627 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1628 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1629 },
1630 32, "Google 'Argon2026h1' log" },
1631 { (const uint8_t[]){
1632 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1633 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1634 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1635 },
1636 32, "Google 'Argon2026h2' log" },
1637 { (const uint8_t[]){
1638 0xd6, 0xd5, 0x8d, 0xa9, 0xd0, 0x17, 0x53, 0xf3, 0x6a, 0x4a, 0xa0,
1639 0xc7, 0x57, 0x49, 0x02, 0xaf, 0xeb, 0xc7, 0xdc, 0x2c, 0xd3, 0x8c,
1640 0xd9, 0xf7, 0x64, 0xc8, 0x0c, 0x89, 0x19, 0x1e, 0x9f, 0x02,
1641 },
1642 32, "Google 'Argon2027h1'" },
1643 { (const uint8_t[]){
1644 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1645 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1646 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1647 },
1648 32, "Google 'Xenon2020' log" },
1649 { (const uint8_t[]){
1650 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1651 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1652 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1653 },
1654 32, "Google 'Xenon2021' log" },
1655 { (const uint8_t[]){
1656 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1657 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1658 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1659 },
1660 32, "Google 'Xenon2022' log" },
1661 { (const uint8_t[]){
1662 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1663 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1664 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1665 },
1666 32, "Google 'Xenon2023' log" },
1667 { (const uint8_t[]){
1668 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1669 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1670 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1671 },
1672 32, "Google 'Xenon2024' log" },
1673 { (const uint8_t[]){
1674 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1675 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1676 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1677 },
1678 32, "Google 'Xenon2025h1' log" },
1679 { (const uint8_t[]){
1680 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1681 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1682 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1683 },
1684 32, "Google 'Xenon2025h2' log" },
1685 { (const uint8_t[]){
1686 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1687 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1688 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1689 },
1690 32, "Google 'Xenon2026h1' log" },
1691 { (const uint8_t[]){
1692 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1693 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1694 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1695 },
1696 32, "Google 'Xenon2026h2' log" },
1697 { (const uint8_t[]){
1698 0x44, 0xc2, 0xbd, 0x0c, 0xe9, 0x14, 0x0e, 0x64, 0xa5, 0xc9, 0x4a,
1699 0x01, 0x93, 0x0a, 0x5a, 0xa1, 0xbb, 0x35, 0x97, 0x0e, 0x00, 0xee,
1700 0x11, 0x16, 0x89, 0x68, 0x2a, 0x1c, 0x44, 0xd7, 0xb5, 0x66,
1701 },
1702 32, "Google 'Xenon2027h1'" },
1703 { (const uint8_t[]){
1704 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1705 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1706 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1707 },
1708 32, "Google 'Aviator' log" },
1709 { (const uint8_t[]){
1710 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1711 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1712 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1713 },
1714 32, "Google 'Icarus' log" },
1715 { (const uint8_t[]){
1716 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1717 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1718 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1719 },
1720 32, "Google 'Pilot' log" },
1721 { (const uint8_t[]){
1722 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1723 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1724 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1725 },
1726 32, "Google 'Rocketeer' log" },
1727 { (const uint8_t[]){
1728 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1729 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1730 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1731 },
1732 32, "Google 'Skydiver' log" },
1733 { (const uint8_t[]){
1734 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1735 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1736 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1737 },
1738 32, "Google 'Argon2017' log" },
1739 { (const uint8_t[]){
1740 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1741 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1742 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1743 },
1744 32, "Google 'Argon2018' log" },
1745 { (const uint8_t[]){
1746 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1747 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1748 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1749 },
1750 32, "Google 'Argon2019' log" },
1751 { (const uint8_t[]){
1752 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1753 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1754 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1755 },
1756 32, "Google 'Xenon2018' log" },
1757 { (const uint8_t[]){
1758 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1759 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1760 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1761 },
1762 32, "Google 'Xenon2019' log" },
1763 { (const uint8_t[]){
1764 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1765 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1766 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1767 },
1768 32, "Google 'Submariner' log" },
1769 { (const uint8_t[]){
1770 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1771 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1772 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1773 },
1774 32, "Google 'Daedalus' log" },
1775 { (const uint8_t[]){
1776 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1777 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1778 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1779 },
1780 32, "Google 'Testtube' log" },
1781 { (const uint8_t[]){
1782 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1783 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1784 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1785 },
1786 32, "Google 'Crucible' log" },
1787 { (const uint8_t[]){
1788 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1789 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1790 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1791 },
1792 32, "Google 'Solera2018' log" },
1793 { (const uint8_t[]){
1794 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1795 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1796 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1797 },
1798 32, "Google 'Solera2019' log" },
1799 { (const uint8_t[]){
1800 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1801 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1802 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1803 },
1804 32, "Google 'Solera2020' log" },
1805 { (const uint8_t[]){
1806 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1807 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1808 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1809 },
1810 32, "Google 'Solera2021' log" },
1811 { (const uint8_t[]){
1812 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1813 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1814 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1815 },
1816 32, "Google 'Solera2022' log" },
1817 { (const uint8_t[]){
1818 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1819 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1820 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1821 },
1822 32, "Google 'Solera2023' log" },
1823 { (const uint8_t[]){
1824 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1825 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1826 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1827 },
1828 32, "Google 'Solera2024' log" },
1829 { (const uint8_t[]){
1830 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1831 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1832 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1833 },
1834 32, "Google 'Solera2025h1' log" },
1835 { (const uint8_t[]){
1836 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1837 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1838 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1839 },
1840 32, "Google 'Solera2025h2' log" },
1841 { (const uint8_t[]){
1842 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1843 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1844 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1845 },
1846 32, "Google 'Solera2026h1' log" },
1847 { (const uint8_t[]){
1848 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1849 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1850 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1851 },
1852 32, "Google 'Solera2026h2' log" },
1853 { (const uint8_t[]){
1854 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1855 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1856 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1857 },
1858 32, "Cloudflare 'Nimbus2020' Log" },
1859 { (const uint8_t[]){
1860 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1861 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1862 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1863 },
1864 32, "Cloudflare 'Nimbus2021' Log" },
1865 { (const uint8_t[]){
1866 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1867 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1868 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1869 },
1870 32, "Cloudflare 'Nimbus2022' Log" },
1871 { (const uint8_t[]){
1872 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1873 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1874 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1875 },
1876 32, "Cloudflare 'Nimbus2023' Log" },
1877 { (const uint8_t[]){
1878 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1879 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1880 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1881 },
1882 32, "Cloudflare 'Nimbus2024' Log" },
1883 { (const uint8_t[]){
1884 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1885 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1886 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1887 },
1888 32, "Cloudflare 'Nimbus2025'" },
1889 { (const uint8_t[]){
1890 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1891 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1892 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1893 },
1894 32, "Cloudflare 'Nimbus2026'" },
1895 { (const uint8_t[]){
1896 0x4c, 0x63, 0xdc, 0x98, 0xe5, 0x9c, 0x1d, 0xab, 0x88, 0xf6, 0x1e,
1897 0x8a, 0x3d, 0xde, 0xae, 0x8f, 0xab, 0x44, 0xa3, 0x37, 0x7b, 0x5f,
1898 0x9b, 0x94, 0xc3, 0xfb, 0xa1, 0x9c, 0xfc, 0xc1, 0xbe, 0x26,
1899 },
1900 32, "Cloudflare 'Nimbus2027'" },
1901 { (const uint8_t[]){
1902 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1903 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1904 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1905 },
1906 32, "Cloudflare 'Nimbus2017' Log" },
1907 { (const uint8_t[]){
1908 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1909 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1910 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1911 },
1912 32, "Cloudflare 'Nimbus2018' Log" },
1913 { (const uint8_t[]){
1914 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1915 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1916 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1917 },
1918 32, "Cloudflare 'Nimbus2019' Log" },
1919 { (const uint8_t[]){
1920 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1921 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1922 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1923 },
1924 32, "DigiCert Log Server" },
1925 { (const uint8_t[]){
1926 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1927 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1928 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1929 },
1930 32, "DigiCert Log Server 2" },
1931 { (const uint8_t[]){
1932 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1933 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1934 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1935 },
1936 32, "DigiCert Yeti2020 Log" },
1937 { (const uint8_t[]){
1938 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1939 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1940 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1941 },
1942 32, "DigiCert Yeti2021 Log" },
1943 { (const uint8_t[]){
1944 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1945 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1946 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1947 },
1948 32, "DigiCert Yeti2022 Log" },
1949 { (const uint8_t[]){
1950 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1951 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1952 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1953 },
1954 32, "DigiCert Yeti2023 Log" },
1955 { (const uint8_t[]){
1956 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1957 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1958 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1959 },
1960 32, "DigiCert Yeti2024 Log" },
1961 { (const uint8_t[]){
1962 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1963 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1964 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1965 },
1966 32, "DigiCert Yeti2025 Log" },
1967 { (const uint8_t[]){
1968 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1969 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1970 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1971 },
1972 32, "DigiCert Nessie2020 Log" },
1973 { (const uint8_t[]){
1974 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
1975 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
1976 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
1977 },
1978 32, "DigiCert Nessie2021 Log" },
1979 { (const uint8_t[]){
1980 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
1981 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
1982 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
1983 },
1984 32, "DigiCert Nessie2022 Log" },
1985 { (const uint8_t[]){
1986 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
1987 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
1988 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
1989 },
1990 32, "DigiCert Nessie2023 Log" },
1991 { (const uint8_t[]){
1992 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
1993 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
1994 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
1995 },
1996 32, "DigiCert Nessie2024 Log" },
1997 { (const uint8_t[]){
1998 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
1999 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
2000 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
2001 },
2002 32, "DigiCert Nessie2025 Log" },
2003 { (const uint8_t[]){
2004 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
2005 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
2006 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
2007 },
2008 32, "DigiCert 'Wyvern2024h1' Log" },
2009 { (const uint8_t[]){
2010 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2011 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2012 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2013 },
2014 32, "DigiCert 'Wyvern2024h2' Log" },
2015 { (const uint8_t[]){
2016 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2017 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2018 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2019 },
2020 32, "DigiCert 'Wyvern2025h1' Log" },
2021 { (const uint8_t[]){
2022 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2023 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2024 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2025 },
2026 32, "DigiCert 'Wyvern2025h2' Log" },
2027 { (const uint8_t[]){
2028 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2029 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2030 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2031 },
2032 32, "DigiCert 'Wyvern2026h1'" },
2033 { (const uint8_t[]){
2034 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2035 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2036 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2037 },
2038 32, "DigiCert 'Wyvern2026h2'" },
2039 { (const uint8_t[]){
2040 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2041 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2042 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2043 },
2044 32, "DigiCert 'Sphinx2024h1' Log" },
2045 { (const uint8_t[]){
2046 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2047 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2048 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2049 },
2050 32, "DigiCert 'Sphinx2024h2' Log" },
2051 { (const uint8_t[]){
2052 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2053 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2054 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2055 },
2056 32, "DigiCert 'Sphinx2025h1' Log" },
2057 { (const uint8_t[]){
2058 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2059 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2060 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2061 },
2062 32, "DigiCert 'Sphinx2025h2' Log" },
2063 { (const uint8_t[]){
2064 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2065 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2066 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2067 },
2068 32, "DigiCert 'Sphinx2026h1'" },
2069 { (const uint8_t[]){
2070 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2071 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2072 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2073 },
2074 32, "DigiCert 'Sphinx2026h2'" },
2075 { (const uint8_t[]){
2076 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2077 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2078 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2079 },
2080 32, "Symantec log" },
2081 { (const uint8_t[]){
2082 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2083 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2084 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2085 },
2086 32, "Symantec 'Vega' log" },
2087 { (const uint8_t[]){
2088 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2089 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2090 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2091 },
2092 32, "Symantec 'Sirius' log" },
2093 { (const uint8_t[]){
2094 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2095 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2096 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2097 },
2098 32, "DigiCert Yeti2022-2 Log" },
2099 { (const uint8_t[]){
2100 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2101 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2102 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2103 },
2104 32, "DigiCert Yeti2018 Log" },
2105 { (const uint8_t[]){
2106 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2107 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2108 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2109 },
2110 32, "DigiCert Yeti2019 Log" },
2111 { (const uint8_t[]){
2112 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2113 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2114 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2115 },
2116 32, "DigiCert Nessie2018 Log" },
2117 { (const uint8_t[]){
2118 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2119 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2120 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2121 },
2122 32, "DigiCert Nessie2019 Log" },
2123 { (const uint8_t[]){
2124 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2125 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2126 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2127 },
2128 32, "Symantec Deneb" },
2129 { (const uint8_t[]){
2130 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2131 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2132 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2133 },
2134 32, "Certly.IO log" },
2135 { (const uint8_t[]){
2136 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2137 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2138 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2139 },
2140 32, "Izenpe log" },
2141 { (const uint8_t[]){
2142 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2143 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2144 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2145 },
2146 32, "Izenpe 'Argi' log" },
2147 { (const uint8_t[]){
2148 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2149 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2150 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2151 },
2152 32, "WoSign log" },
2153 { (const uint8_t[]){
2154 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2155 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2156 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2157 },
2158 32, "WoSign CT log #1" },
2159 { (const uint8_t[]){
2160 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2161 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2162 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2163 },
2164 32, "WoSign log 2" },
2165 { (const uint8_t[]){
2166 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2167 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2168 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2169 },
2170 32, "Venafi log" },
2171 { (const uint8_t[]){
2172 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2173 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2174 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2175 },
2176 32, "Venafi Gen2 CT log" },
2177 { (const uint8_t[]){
2178 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2179 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2180 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2181 },
2182 32, "CNNIC CT log" },
2183 { (const uint8_t[]){
2184 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2185 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2186 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2187 },
2188 32, "StartCom log" },
2189 { (const uint8_t[]){
2190 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2191 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2192 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2193 },
2194 32, "Sectigo 'Sabre' CT log" },
2195 { (const uint8_t[]){
2196 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2197 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2198 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2199 },
2200 32, "Sectigo 'Sabre2024h1'" },
2201 { (const uint8_t[]){
2202 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2203 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2204 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2205 },
2206 32, "Sectigo 'Sabre2024h2'" },
2207 { (const uint8_t[]){
2208 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2209 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2210 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2211 },
2212 32, "Sectigo 'Sabre2025h1'" },
2213 { (const uint8_t[]){
2214 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2215 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2216 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2217 },
2218 32, "Sectigo 'Sabre2025h2'" },
2219 { (const uint8_t[]){
2220 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2221 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2222 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2223 },
2224 32, "Sectigo 'Mammoth' CT log" },
2225 { (const uint8_t[]){
2226 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2227 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2228 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2229 },
2230 32, "Sectigo 'Mammoth2024h1'" },
2231 { (const uint8_t[]){
2232 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2233 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2234 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2235 },
2236 32, "Sectigo 'Mammoth2024h1b'" },
2237 { (const uint8_t[]){
2238 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2239 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2240 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2241 },
2242 32, "Sectigo 'Mammoth2024h2'" },
2243 { (const uint8_t[]){
2244 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2245 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2246 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2247 },
2248 32, "Sectigo 'Mammoth2025h1'" },
2249 { (const uint8_t[]){
2250 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2251 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2252 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2253 },
2254 32, "Sectigo 'Mammoth2025h2'" },
2255 { (const uint8_t[]){
2256 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2257 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2258 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2259 },
2260 32, "Sectigo 'Mammoth2026h1'" },
2261 { (const uint8_t[]){
2262 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2263 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2264 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2265 },
2266 32, "Sectigo 'Mammoth2026h2'" },
2267 { (const uint8_t[]){
2268 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2269 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2270 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2271 },
2272 32, "Sectigo 'Sabre2026h1'" },
2273 { (const uint8_t[]){
2274 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2275 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2276 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2277 },
2278 32, "Sectigo 'Sabre2026h2'" },
2279 { (const uint8_t[]){
2280 0x0d, 0x1d, 0xbc, 0x89, 0x44, 0xe9, 0xf5, 0x00, 0x55, 0x42, 0xd7,
2281 0x2d, 0x3e, 0x14, 0x4c, 0xcc, 0x43, 0x08, 0x2a, 0xb6, 0xea, 0x1e,
2282 0x94, 0xdf, 0xd7, 0x06, 0x65, 0x7d, 0x2e, 0x86, 0xf3, 0x01,
2283 },
2284 32, "Sectigo 'Elephant2025h2'" },
2285 { (const uint8_t[]){
2286 0xd1, 0x6e, 0xa9, 0xa5, 0x68, 0x07, 0x7e, 0x66, 0x35, 0xa0, 0x3f,
2287 0x37, 0xa5, 0xdd, 0xbc, 0x03, 0xa5, 0x3c, 0x41, 0x12, 0x14, 0xd4,
2288 0x88, 0x18, 0xf5, 0xe9, 0x31, 0xb3, 0x23, 0xcb, 0x95, 0x04,
2289 },
2290 32, "Sectigo 'Elephant2026h1'" },
2291 { (const uint8_t[]){
2292 0xaf, 0x67, 0x88, 0x3b, 0x57, 0xb0, 0x4e, 0xdd, 0x8f, 0xa6, 0xd9,
2293 0x7e, 0xf6, 0x2e, 0xa8, 0xeb, 0x81, 0x0a, 0xc7, 0x71, 0x60, 0xf0,
2294 0x24, 0x5e, 0x55, 0xd6, 0x0c, 0x2f, 0xe7, 0x85, 0x87, 0x3a,
2295 },
2296 32, "Sectigo 'Elephant2026h2'" },
2297 { (const uint8_t[]){
2298 0x60, 0x4c, 0x9a, 0xaf, 0x7a, 0x7f, 0x77, 0x5f, 0x01, 0xd4, 0x06,
2299 0xfc, 0x92, 0x0d, 0xc8, 0x99, 0xeb, 0x0b, 0x1c, 0x7d, 0xf8, 0xc9,
2300 0x52, 0x1b, 0xfa, 0xfa, 0x17, 0x77, 0x3b, 0x97, 0x8b, 0xc9,
2301 },
2302 32, "Sectigo 'Elephant2027h1'" },
2303 { (const uint8_t[]){
2304 0xa2, 0x49, 0x0c, 0xdc, 0xdb, 0x8e, 0x33, 0xa4, 0x00, 0x32, 0x17,
2305 0x60, 0xd6, 0xd4, 0xd5, 0x1a, 0x20, 0x36, 0x19, 0x1e, 0xa7, 0x7d,
2306 0x96, 0x8b, 0xe2, 0x6a, 0x8a, 0x00, 0xf6, 0xff, 0xff, 0xf7,
2307 },
2308 32, "Sectigo 'Elephant2027h2'" },
2309 { (const uint8_t[]){
2310 0x5c, 0xa5, 0x77, 0xd2, 0x9b, 0x7f, 0x8b, 0xaf, 0x41, 0x9e, 0xd8,
2311 0xec, 0xab, 0xfb, 0x6d, 0xcb, 0xae, 0xc3, 0x85, 0x37, 0x02, 0xd5,
2312 0x74, 0x6f, 0x17, 0x4d, 0xad, 0x3c, 0x93, 0x4a, 0xa9, 0x6a,
2313 },
2314 32, "Sectigo 'Tiger2025h2'" },
2315 { (const uint8_t[]){
2316 0x16, 0x83, 0x2d, 0xab, 0xf0, 0xa9, 0x25, 0x0f, 0x0f, 0xf0, 0x3a,
2317 0xa5, 0x45, 0xff, 0xc8, 0xbf, 0xc8, 0x23, 0xd0, 0x87, 0x4b, 0xf6,
2318 0x04, 0x29, 0x27, 0xf8, 0xe7, 0x1f, 0x33, 0x13, 0xf5, 0xfa,
2319 },
2320 32, "Sectigo 'Tiger2026h1'" },
2321 { (const uint8_t[]){
2322 0xc8, 0xa3, 0xc4, 0x7f, 0xc7, 0xb3, 0xad, 0xb9, 0x35, 0x6b, 0x01,
2323 0x3f, 0x6a, 0x7a, 0x12, 0x6d, 0xe3, 0x3a, 0x4e, 0x43, 0xa5, 0xc6,
2324 0x46, 0xf9, 0x97, 0xad, 0x39, 0x75, 0x99, 0x1d, 0xcf, 0x9a,
2325 },
2326 32, "Sectigo 'Tiger2026h2'" },
2327 { (const uint8_t[]){
2328 0x1c, 0x9f, 0x68, 0x2c, 0xe9, 0xfa, 0xf0, 0x45, 0x69, 0x50, 0xf8,
2329 0x1b, 0x96, 0x8a, 0x87, 0xdd, 0xdb, 0x32, 0x10, 0xd8, 0x4c, 0xe6,
2330 0xc8, 0xb2, 0xe3, 0x82, 0x52, 0x4a, 0xc4, 0xcf, 0x59, 0x9f,
2331 },
2332 32, "Sectigo 'Tiger2027h1'" },
2333 { (const uint8_t[]){
2334 0x03, 0x80, 0x2a, 0xc2, 0x62, 0xf6, 0xe0, 0x5e, 0x03, 0xf8, 0xbc,
2335 0x6f, 0x7b, 0x98, 0x51, 0x32, 0x4f, 0xd7, 0x6a, 0x3d, 0xf5, 0xb7,
2336 0x59, 0x51, 0x75, 0xe2, 0x22, 0xfb, 0x8e, 0x9b, 0xd5, 0xf6,
2337 },
2338 32, "Sectigo 'Tiger2027h2'" },
2339 { (const uint8_t[]){
2340 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2341 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2342 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2343 },
2344 32, "Sectigo 'Dodo' CT log" },
2345 { (const uint8_t[]){
2346 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2347 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2348 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2349 },
2350 32, "Let's Encrypt 'Oak2020' log" },
2351 { (const uint8_t[]){
2352 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2353 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2354 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2355 },
2356 32, "Let's Encrypt 'Oak2021' log" },
2357 { (const uint8_t[]){
2358 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2359 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2360 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2361 },
2362 32, "Let's Encrypt 'Oak2022' log" },
2363 { (const uint8_t[]){
2364 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2365 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2366 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2367 },
2368 32, "Let's Encrypt 'Oak2023' log" },
2369 { (const uint8_t[]){
2370 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2371 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2372 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2373 },
2374 32, "Let's Encrypt 'Oak2024H1' log" },
2375 { (const uint8_t[]){
2376 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2377 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2378 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2379 },
2380 32, "Let's Encrypt 'Oak2024H2' log" },
2381 { (const uint8_t[]){
2382 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2383 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2384 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2385 },
2386 32, "Let's Encrypt 'Oak2025h1'" },
2387 { (const uint8_t[]){
2388 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2389 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2390 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2391 },
2392 32, "Let's Encrypt 'Oak2025h2'" },
2393 { (const uint8_t[]){
2394 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2395 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2396 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2397 },
2398 32, "Let's Encrypt 'Oak2026h1'" },
2399 { (const uint8_t[]){
2400 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2401 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2402 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2403 },
2404 32, "Let's Encrypt 'Oak2026h2'" },
2405 { (const uint8_t[]){
2406 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2407 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2408 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2409 },
2410 32, "Let's Encrypt 'Oak2019' log" },
2411 { (const uint8_t[]){
2412 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2413 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2414 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2415 },
2416 32, "Let's Encrypt 'Testflume2019' log" },
2417 { (const uint8_t[]){
2418 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2419 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2420 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2421 },
2422 32, "Let's Encrypt 'Sapling 2022h2' log" },
2423 { (const uint8_t[]){
2424 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2425 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2426 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2427 },
2428 32, "Let's Encrypt 'Sapling 2023h1' log" },
2429 { (const uint8_t[]){
2430 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2431 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2432 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2433 },
2434 32, "Let's Encrypt 'Testflume2020' log" },
2435 { (const uint8_t[]){
2436 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2437 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2438 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2439 },
2440 32, "Let's Encrypt 'Testflume2021' log" },
2441 { (const uint8_t[]){
2442 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2443 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2444 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2445 },
2446 32, "Let's Encrypt 'Testflume2022' log" },
2447 { (const uint8_t[]){
2448 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2449 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2450 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2451 },
2452 32, "Let's Encrypt 'Testflume2023' log" },
2453 { (const uint8_t[]){
2454 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2455 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2456 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2457 },
2458 32, "Let's Encrypt 'Clicky' log" },
2459 { (const uint8_t[]){
2460 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2461 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2462 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2463 },
2464 32, "Trust Asia Log2020" },
2465 { (const uint8_t[]){
2466 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2467 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2468 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2469 },
2470 32, "Trust Asia CT2021" },
2471 { (const uint8_t[]){
2472 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2473 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2474 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2475 },
2476 32, "Trust Asia Log2021" },
2477 { (const uint8_t[]){
2478 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2479 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2480 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2481 },
2482 32, "Trust Asia Log2022" },
2483 { (const uint8_t[]){
2484 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2485 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2486 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2487 },
2488 32, "Trust Asia Log2023" },
2489 { (const uint8_t[]){
2490 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2491 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2492 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2493 },
2494 32, "Trust Asia Log2024" },
2495 { (const uint8_t[]){
2496 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2497 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2498 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2499 },
2500 32, "Trust Asia Log2024-2" },
2501 { (const uint8_t[]){
2502 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2503 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2504 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2505 },
2506 32, "TrustAsia Log2025a" },
2507 { (const uint8_t[]){
2508 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2509 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2510 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2511 },
2512 32, "TrustAsia Log2025b" },
2513 { (const uint8_t[]){
2514 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2515 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2516 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2517 },
2518 32, "TrustAsia 'log2026a'" },
2519 { (const uint8_t[]){
2520 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2521 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2522 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2523 },
2524 32, "TrustAsia 'log2026b'" },
2525 { (const uint8_t[]){
2526 0xed, 0xda, 0xeb, 0x81, 0x5c, 0x63, 0x21, 0x34, 0x49, 0xb4, 0x7b,
2527 0xe5, 0x07, 0x79, 0x05, 0xab, 0xd0, 0xd9, 0x31, 0x47, 0xc2, 0x7a,
2528 0xc5, 0x14, 0x6b, 0x3b, 0xc5, 0x8e, 0x43, 0xe9, 0xb6, 0xc7,
2529 },
2530 32, "TrustAsia 'HETU2027'" },
2531 { (const uint8_t[]){
2532 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2533 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2534 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2535 },
2536 32, "Trust Asia Log1" },
2537 { (const uint8_t[]){
2538 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2539 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2540 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2541 },
2542 32, "GDCA CT log #1" },
2543 { (const uint8_t[]){
2544 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2545 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2546 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2547 },
2548 32, "GDCA CT log #2" },
2549 { (const uint8_t[]){
2550 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2551 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2552 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2553 },
2554 32, "GDCA Log 1" },
2555 { (const uint8_t[]){
2556 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2557 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2558 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2559 },
2560 32, "GDCA Log 2" },
2561 { (const uint8_t[]){
2562 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2563 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2564 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2565 },
2566 32, "PuChuangSiDa CT log" },
2567 { (const uint8_t[]){
2568 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2569 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2570 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2571 },
2572 32, "Nordu 'flimsy' log" },
2573 { (const uint8_t[]){
2574 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2575 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2576 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2577 },
2578 32, "Nordu 'plausible' log" },
2579 { (const uint8_t[]){
2580 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2581 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2582 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2583 },
2584 32, "SHECA CT log 1" },
2585 { (const uint8_t[]){
2586 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2587 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2588 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2589 },
2590 32, "SHECA CT log 2" },
2591 { (const uint8_t[]){
2592 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2593 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2594 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2595 },
2596 32, "Akamai CT Log" },
2597 { (const uint8_t[]){
2598 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2599 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2600 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2601 },
2602 32, "Alpha CT Log" },
2603 { (const uint8_t[]){
2604 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2605 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2606 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2607 },
2608 32, "Up In The Air 'Behind the Sofa' log" },
2609 { (const uint8_t[]){
2610 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2611 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2612 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2613 },
2614 32, "Qihoo 360 2020" },
2615 { (const uint8_t[]){
2616 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2617 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2618 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2619 },
2620 32, "Qihoo 360 2021" },
2621 { (const uint8_t[]){
2622 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2623 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2624 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2625 },
2626 32, "Qihoo 360 2022" },
2627 { (const uint8_t[]){
2628 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2629 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2630 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2631 },
2632 32, "Qihoo 360 2023" },
2633 { (const uint8_t[]){
2634 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2635 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2636 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2637 },
2638 32, "Qihoo 360 v1 2020" },
2639 { (const uint8_t[]){
2640 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2641 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2642 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2643 },
2644 32, "Qihoo 360 v1 2021" },
2645 { (const uint8_t[]){
2646 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2647 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2648 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2649 },
2650 32, "Qihoo 360 v1 2022" },
2651 { (const uint8_t[]){
2652 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2653 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2654 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2655 },
2656 32, "Qihoo 360 v1 2023" },
2657 { (const uint8_t[]){
2658 0x2e, 0xd6, 0xa4, 0x4d, 0xeb, 0x8f, 0x0c, 0x86, 0x46, 0x67, 0x76,
2659 0x9c, 0x4e, 0xdd, 0x04, 0x1f, 0x84, 0x23, 0x67, 0x55, 0xfa, 0x3a,
2660 0xac, 0xa6, 0x34, 0xd0, 0x93, 0x5d, 0xfc, 0xd5, 0x9a, 0x70,
2661 },
2662 32, "Bogus placeholder log to unbreak misbehaving CT libraries" },
2663 { (const uint8_t[]){
2664 0x39, 0xb9, 0x87, 0x88, 0x28, 0x19, 0x5f, 0x3b, 0x2d, 0x0d, 0x1b,
2665 0x48, 0x14, 0xa3, 0xae, 0x8c, 0x0d, 0x01, 0xfe, 0x48, 0x62, 0x21,
2666 0xdd, 0x69, 0x39, 0x7d, 0x76, 0xf7, 0x85, 0x74, 0x11, 0xc3,
2667 },
2668 32, "Merklemap 'CompactLog' log" },
2669 { (const uint8_t[]){
2670 0xd2, 0xfc, 0x65, 0x2f, 0xa5, 0xf9, 0xb7, 0x38, 0xb8, 0x37, 0x55,
2671 0xfa, 0x5e, 0xb1, 0x5f, 0x0b, 0x45, 0x25, 0x3f, 0x4e, 0x8f, 0xa3,
2672 0xb9, 0xb6, 0x4f, 0xd4, 0xde, 0x56, 0x62, 0xd1, 0x87, 0x08,
2673 },
2674 32, "Bogus RFC6962 log to avoid breaking misbehaving CT libraries" },
2675 { NULL((void*)0), 0, NULL((void*)0) }
2676};
2677
2678/*
2679 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2680 */
2681static dissector_table_t ssl_alpn_dissector_table;
2682static dissector_table_t dtls_alpn_dissector_table;
2683
2684/*
2685 * Special cases for prefix matching of the ALPN, if the ALPN includes
2686 * a version number for a draft or protocol revision.
2687 */
2688typedef struct ssl_alpn_prefix_match_protocol {
2689 const char *proto_prefix;
2690 const char *dissector_name;
2691} ssl_alpn_prefix_match_protocol_t;
2692
2693static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
2694 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
2695 * already exists 3.1 as of this writing... match the prefix. */
2696 { "spdy/", "spdy" },
2697 /* draft-ietf-httpbis-http2-16 */
2698 { "h2-", "http2" }, /* draft versions */
2699};
2700
2701const value_string compress_certificate_algorithm_vals[] = {
2702 { 1, "zlib" },
2703 { 2, "brotli" },
2704 { 3, "zstd" },
2705 { 0, NULL((void*)0) }
2706};
2707
2708
2709const val64_string quic_transport_parameter_id[] = {
2710 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00, "original_destination_connection_id" },
2711 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01, "max_idle_timeout" },
2712 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02, "stateless_reset_token" },
2713 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03, "max_udp_payload_size" },
2714 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04, "initial_max_data" },
2715 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05, "initial_max_stream_data_bidi_local" },
2716 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06, "initial_max_stream_data_bidi_remote" },
2717 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07, "initial_max_stream_data_uni" },
2718 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09, "initial_max_streams_uni" },
2719 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08, "initial_max_streams_bidi" },
2720 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a, "ack_delay_exponent" },
2721 { SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b, "max_ack_delay" },
2722 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c, "disable_active_migration" },
2723 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d, "preferred_address" },
2724 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e, "active_connection_id_limit" },
2725 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f, "initial_source_connection_id" },
2726 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10, "retry_source_connection_id" },
2727 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20, "max_datagram_frame_size" },
2728 { SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000, "cibir_encoding" },
2729 { SSL_HND_QUIC_TP_LOSS_BITS0x1057, "loss_bits" },
2730 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2, "grease_quic_bit" },
2731 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157, "enable_time_stamp" },
2732 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158, "enable_time_stamp_v2" },
2733 { SSL_HND_QUIC_TP_VERSION_INFORMATION0x11, "version_information" },
2734 { SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db, "version_information_draft" },
2735 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a, "min_ack_delay" },
2736 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129, "google_user_agent" },
2737 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B, "google_key_update_not_yet_supported" },
2738 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752, "google_quic_version" },
2739 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127, "google_initial_rtt" },
2740 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A, "google_support_handshake_done" },
2741 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751, "google_quic_params" },
2742 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128, "google_connection_options" },
2743 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00, "facebook_partial_reliability" },
2744 { SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176, "address_discovery" },
2745 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A, "min_ack_delay (draft-01)" },
2746 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a, "min_ack_delay (draft-05)" },
2747 { SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b, "min_ack_delay" },
2748 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04, "enable_multipath (draft-04)" },
2749 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05, "enable_multipath (draft-05)" },
2750 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06, "enable_multipath (draft-06)" },
2751 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07, "initial_max_paths (draft-07/08)" },
2752 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09, "initial_max_path_id (draft-09/10)" },
2753 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11, "initial_max_path_id (draft-11)" },
2754 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c, "initial_max_path_id (draft-12)" },
2755 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d0d, "initial_max_path_id" },
2756 { 0, NULL((void*)0) }
2757};
2758
2759/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00 */
2760const val64_string quic_address_discovery_vals[] = {
2761 { 0, "The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself" },
2762 { 1, "The node is interested in receiving address observations, but it is not willing to provide address observations" },
2763 { 2, "The node is interested in receiving address observations, and it is willing to provide address observations" },
2764 { 0, NULL((void*)0) }
2765};
2766
2767/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
2768const val64_string quic_enable_time_stamp_v2_vals[] = {
2769 { 1, "I would like to receive TIME_STAMP frames" },
2770 { 2, "I am able to generate TIME_STAMP frames" },
2771 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
2772 { 0, NULL((void*)0) }
2773};
2774
2775/* https://tools.ietf.org/html/draft-multipath-04 */
2776const val64_string quic_enable_multipath_vals[] = {
2777 { 0, "don't support multipath" },
2778 { 1, "support multipath as defined in this document" },
2779 { 0, NULL((void*)0) }
2780};
2781
2782/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
2783const value_string tls_hello_ext_ech_clienthello_types[] = {
2784 { 0, "Outer Client Hello" },
2785 { 1, "Inner Client Hello" },
2786 { 0, NULL((void*)0) }
2787};
2788
2789/* RFC 9180 */
2790const value_string kem_id_type_vals[] = {
2791 { 0x0000, "Reserved" },
2792 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
2793 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
2794 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
2795 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
2796 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
2797 { 0, NULL((void*)0) }
2798};
2799const value_string kdf_id_type_vals[] = {
2800 { 0x0000, "Reserved" },
2801 { 0x0001, "HKDF-SHA256" },
2802 { 0x0002, "HKDF-SHA384" },
2803 { 0x0003, "HKDF-SHA512" },
2804 { 0, NULL((void*)0) }
2805};
2806const value_string aead_id_type_vals[] = {
2807 { 0x0000, "Reserved" },
2808 { 0x0001, "AES-128-GCM" },
2809 { 0x0002, "AES-256-GCM" },
2810 { 0x0003, "ChaCha20Poly1305" },
2811 { 0xFFFF, "Export-only" },
2812 { 0, NULL((void*)0) }
2813};
2814
2815const value_string token_binding_key_parameter_vals[] = {
2816 { 0, "rsa2048_pkcs1.5" },
2817 { 1, "rsa2048_pss" },
2818 { 2, "ecdsap256" },
2819 { 0, NULL((void*)0) }
2820};
2821
2822/* Lookup tables }}} */
2823
2824void
2825quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
2826{
2827 const char *label;
2828 if (IS_GREASE_QUIC(parameter_id)((parameter_id) > 27 ? ((((parameter_id) - 27) % 31) == 0)
: 0)) {
2829 label = "GREASE";
2830 } else {
2831 label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");
2832 }
2833 snprintf(result, ITEM_LABEL_LENGTH240, "%s (0x%02" PRIx64"l" "x" ")", label, parameter_id);
2834}
2835
2836/* we keep this internal to packet-tls-utils, as there should be
2837 no need to access it any other way.
2838
2839 This also allows us to hide the dependency on zlib.
2840*/
2841struct _SslDecompress {
2842 int compression;
2843#ifdef USE_ZLIB_OR_ZLIBNG
2844 zlib_stream istream;
2845#endif
2846};
2847
2848/* To assist in parsing client/server key exchange messages
2849 0 indicates unknown */
2850int ssl_get_keyex_alg(int cipher)
2851{
2852 /* Map Cipher suite number to Key Exchange algorithm {{{ */
2853 switch(cipher) {
2854 case 0x0017:
2855 case 0x0018:
2856 case 0x0019:
2857 case 0x001a:
2858 case 0x001b:
2859 case 0x0034:
2860 case 0x003a:
2861 case 0x0046:
2862 case 0x006c:
2863 case 0x006d:
2864 case 0x0089:
2865 case 0x009b:
2866 case 0x00a6:
2867 case 0x00a7:
2868 case 0x00bf:
2869 case 0x00c5:
2870 case 0xc084:
2871 case 0xc085:
2872 return KEX_DH_ANON0x13;
2873 case 0x000b:
2874 case 0x000c:
2875 case 0x000d:
2876 case 0x0030:
2877 case 0x0036:
2878 case 0x003e:
2879 case 0x0042:
2880 case 0x0068:
2881 case 0x0085:
2882 case 0x0097:
2883 case 0x00a4:
2884 case 0x00a5:
2885 case 0x00bb:
2886 case 0x00c1:
2887 case 0xc082:
2888 case 0xc083:
2889 return KEX_DH_DSS0x14;
2890 case 0x000e:
2891 case 0x000f:
2892 case 0x0010:
2893 case 0x0031:
2894 case 0x0037:
2895 case 0x003f:
2896 case 0x0043:
2897 case 0x0069:
2898 case 0x0086:
2899 case 0x0098:
2900 case 0x00a0:
2901 case 0x00a1:
2902 case 0x00bc:
2903 case 0x00c2:
2904 case 0xc07e:
2905 case 0xc07f:
2906 return KEX_DH_RSA0x15;
2907 case 0x0011:
2908 case 0x0012:
2909 case 0x0013:
2910 case 0x0032:
2911 case 0x0038:
2912 case 0x0040:
2913 case 0x0044:
2914 case 0x0063:
2915 case 0x0065:
2916 case 0x0066:
2917 case 0x006a:
2918 case 0x0087:
2919 case 0x0099:
2920 case 0x00a2:
2921 case 0x00a3:
2922 case 0x00bd:
2923 case 0x00c3:
2924 case 0xc080:
2925 case 0xc081:
2926 return KEX_DHE_DSS0x10;
2927 case 0x002d:
2928 case 0x008e:
2929 case 0x008f:
2930 case 0x0090:
2931 case 0x0091:
2932 case 0x00aa:
2933 case 0x00ab:
2934 case 0x00b2:
2935 case 0x00b3:
2936 case 0x00b4:
2937 case 0x00b5:
2938 case 0xc090:
2939 case 0xc091:
2940 case 0xc096:
2941 case 0xc097:
2942 case 0xc0a6:
2943 case 0xc0a7:
2944 case 0xc0aa:
2945 case 0xc0ab:
2946 case 0xccad:
2947 case 0xe41c:
2948 case 0xe41d:
2949 return KEX_DHE_PSK0x11;
2950 case 0x0014:
2951 case 0x0015:
2952 case 0x0016:
2953 case 0x0033:
2954 case 0x0039:
2955 case 0x0045:
2956 case 0x0067:
2957 case 0x006b:
2958 case 0x0088:
2959 case 0x009a:
2960 case 0x009e:
2961 case 0x009f:
2962 case 0x00be:
2963 case 0x00c4:
2964 case 0xc07c:
2965 case 0xc07d:
2966 case 0xc09e:
2967 case 0xc09f:
2968 case 0xc0a2:
2969 case 0xc0a3:
2970 case 0xccaa:
2971 case 0xe41e:
2972 case 0xe41f:
2973 return KEX_DHE_RSA0x12;
2974 case 0xc015:
2975 case 0xc016:
2976 case 0xc017:
2977 case 0xc018:
2978 case 0xc019:
2979 return KEX_ECDH_ANON0x19;
2980 case 0xc001:
2981 case 0xc002:
2982 case 0xc003:
2983 case 0xc004:
2984 case 0xc005:
2985 case 0xc025:
2986 case 0xc026:
2987 case 0xc02d:
2988 case 0xc02e:
2989 case 0xc074:
2990 case 0xc075:
2991 case 0xc088:
2992 case 0xc089:
2993 return KEX_ECDH_ECDSA0x1a;
2994 case 0xc00b:
2995 case 0xc00c:
2996 case 0xc00d:
2997 case 0xc00e:
2998 case 0xc00f:
2999 case 0xc029:
3000 case 0xc02a:
3001 case 0xc031:
3002 case 0xc032:
3003 case 0xc078:
3004 case 0xc079:
3005 case 0xc08c:
3006 case 0xc08d:
3007 return KEX_ECDH_RSA0x1b;
3008 case 0xc006:
3009 case 0xc007:
3010 case 0xc008:
3011 case 0xc009:
3012 case 0xc00a:
3013 case 0xc023:
3014 case 0xc024:
3015 case 0xc02b:
3016 case 0xc02c:
3017 case 0xc072:
3018 case 0xc073:
3019 case 0xc086:
3020 case 0xc087:
3021 case 0xc0ac:
3022 case 0xc0ad:
3023 case 0xc0ae:
3024 case 0xc0af:
3025 case 0xcca9:
3026 case 0xe414:
3027 case 0xe415:
3028 return KEX_ECDHE_ECDSA0x16;
3029 case 0xc033:
3030 case 0xc034:
3031 case 0xc035:
3032 case 0xc036:
3033 case 0xc037:
3034 case 0xc038:
3035 case 0xc039:
3036 case 0xc03a:
3037 case 0xc03b:
3038 case 0xc09a:
3039 case 0xc09b:
3040 case 0xccac:
3041 case 0xe418:
3042 case 0xe419:
3043 case 0xd001:
3044 case 0xd002:
3045 case 0xd003:
3046 case 0xd005:
3047 return KEX_ECDHE_PSK0x17;
3048 case 0xc010:
3049 case 0xc011:
3050 case 0xc012:
3051 case 0xc013:
3052 case 0xc014:
3053 case 0xc027:
3054 case 0xc028:
3055 case 0xc02f:
3056 case 0xc030:
3057 case 0xc076:
3058 case 0xc077:
3059 case 0xc08a:
3060 case 0xc08b:
3061 case 0xcca8:
3062 case 0xe412:
3063 case 0xe413:
3064 return KEX_ECDHE_RSA0x18;
3065 case 0x001e:
3066 case 0x001f:
3067 case 0x0020:
3068 case 0x0021:
3069 case 0x0022:
3070 case 0x0023:
3071 case 0x0024:
3072 case 0x0025:
3073 case 0x0026:
3074 case 0x0027:
3075 case 0x0028:
3076 case 0x0029:
3077 case 0x002a:
3078 case 0x002b:
3079 return KEX_KRB50x1c;
3080 case 0x002c:
3081 case 0x008a:
3082 case 0x008b:
3083 case 0x008c:
3084 case 0x008d:
3085 case 0x00a8:
3086 case 0x00a9:
3087 case 0x00ae:
3088 case 0x00af:
3089 case 0x00b0:
3090 case 0x00b1:
3091 case 0xc064:
3092 case 0xc065:
3093 case 0xc08e:
3094 case 0xc08f:
3095 case 0xc094:
3096 case 0xc095:
3097 case 0xc0a4:
3098 case 0xc0a5:
3099 case 0xc0a8:
3100 case 0xc0a9:
3101 case 0xccab:
3102 case 0xe416:
3103 case 0xe417:
3104 return KEX_PSK0x1d;
3105 case 0x0001:
3106 case 0x0002:
3107 case 0x0003:
3108 case 0x0004:
3109 case 0x0005:
3110 case 0x0006:
3111 case 0x0007:
3112 case 0x0008:
3113 case 0x0009:
3114 case 0x000a:
3115 case 0x002f:
3116 case 0x0035:
3117 case 0x003b:
3118 case 0x003c:
3119 case 0x003d:
3120 case 0x0041:
3121 case 0x0060:
3122 case 0x0061:
3123 case 0x0062:
3124 case 0x0064:
3125 case 0x0084:
3126 case 0x0096:
3127 case 0x009c:
3128 case 0x009d:
3129 case 0x00ba:
3130 case 0x00c0:
3131 case 0xc07a:
3132 case 0xc07b:
3133 case 0xc09c:
3134 case 0xc09d:
3135 case 0xc0a0:
3136 case 0xc0a1:
3137 case 0xe410:
3138 case 0xe411:
3139 case 0xfefe:
3140 case 0xfeff:
3141 case 0xffe0:
3142 case 0xffe1:
3143 return KEX_RSA0x1e;
3144 case 0x002e:
3145 case 0x0092:
3146 case 0x0093:
3147 case 0x0094:
3148 case 0x0095:
3149 case 0x00ac:
3150 case 0x00ad:
3151 case 0x00b6:
3152 case 0x00b7:
3153 case 0x00b8:
3154 case 0x00b9:
3155 case 0xc092:
3156 case 0xc093:
3157 case 0xc098:
3158 case 0xc099:
3159 case 0xccae:
3160 case 0xe41a:
3161 case 0xe41b:
3162 return KEX_RSA_PSK0x1f;
3163 case 0xc01a:
3164 case 0xc01d:
3165 case 0xc020:
3166 return KEX_SRP_SHA0x20;
3167 case 0xc01c:
3168 case 0xc01f:
3169 case 0xc022:
3170 return KEX_SRP_SHA_DSS0x21;
3171 case 0xc01b:
3172 case 0xc01e:
3173 case 0xc021:
3174 return KEX_SRP_SHA_RSA0x22;
3175 case 0xc0ff:
3176 return KEX_ECJPAKE0x24;
3177 case 0xe003:
3178 case 0xe013:
3179 case 0xe053:
3180 return KEX_ECC_SM20x26;
3181 default:
3182 break;
3183 }
3184
3185 return 0;
3186 /* }}} */
3187}
3188
3189static wmem_list_t *connection_id_session_list;
3190
3191void
3192ssl_init_cid_list(void) {
3193 connection_id_session_list = wmem_list_new(wmem_file_scope());
3194}
3195
3196void
3197ssl_cleanup_cid_list(void) {
3198 wmem_destroy_list(connection_id_session_list);
3199}
3200
3201void
3202ssl_add_session_by_cid(SslDecryptSession *session)
3203{
3204 wmem_list_append(connection_id_session_list, session);
3205}
3206
3207SslDecryptSession *
3208ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
3209{
3210 SslDecryptSession * ssl_cid = NULL((void*)0);
3211 wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);
3212
3213 while (it != NULL((void*)0) && ssl_cid == NULL((void*)0)) {
3214 SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);
3215 DISSECTOR_ASSERT(ssl != NULL)((void) ((ssl != ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3215, "ssl != ((void*)0)"))));
3216 SslSession *session = &ssl->session;
3217
3218 if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {
3219 if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
3220 ssl_cid = ssl;
3221 }
3222 }
3223
3224 if (session->server_cid_len > 0) {
3225 if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
3226 ssl_cid = ssl;
3227 }
3228 }
3229
3230 it = wmem_list_frame_next(it);
3231 }
3232
3233 return ssl_cid;
3234}
3235
3236/* StringInfo structure (len + data) functions {{{ */
3237
3238int
3239ssl_data_alloc(StringInfo* str, size_t len)
3240{
3241 str->data = (unsigned char *)g_malloc(len);
22
Memory is allocated
3242 /* the allocator can return a null pointer for a size equal to 0,
3243 * and that must be allowed */
3244 if (len
22.1
'len' is > 0
 > 0 && !str->data)
23
Assuming field 'data' is non-null
24
Taking false branch
3245 return -1;
3246 str->data_len = (unsigned) len;
3247 return 0;
3248}
3249
3250void
3251ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
3252{
3253 DISSECTOR_ASSERT(data)((void) ((data) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 3253, "data"))));
3254 memcpy(str->data, data, len);
3255 str->data_len = len;
3256}
3257
3258static int
3259ssl_data_realloc(StringInfo* str, unsigned len)
3260{
3261 str->data = (unsigned char *)g_realloc(str->data, len);
3262 if (!str->data)
3263 return -1;
3264 str->data_len = len;
3265 return 0;
3266}
3267
3268static StringInfo *
3269ssl_data_clone(StringInfo *str)
3270{
3271 StringInfo *cloned_str;
3272 cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
3273 sizeof(StringInfo) + str->data_len);
3274 cloned_str->data = (unsigned char *) (cloned_str + 1);
3275 ssl_data_set(cloned_str, str->data, str->data_len);
3276 return cloned_str;
3277}
3278
3279static int
3280ssl_data_copy(StringInfo* dst, StringInfo* src)
3281{
3282 if (dst->data_len < src->data_len) {
3283 if (ssl_data_realloc(dst, src->data_len))
3284 return -1;
3285 }
3286 memcpy(dst->data, src->data, src->data_len);
3287 dst->data_len = src->data_len;
3288 return 0;
3289}
3290
3291/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
3292 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
3293 * success. */
3294static bool_Bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
3295 size_t i;
3296
3297 if (hex_len & 1)
3298 return false0;
3299
3300 out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);
3301 for (i = 0; i < hex_len / 2; i++) {
3302 int a = ws_xton(in[i*2]);
3303 int b = ws_xton(in[i*2 + 1]);
3304 if (a == -1 || b == -1)
3305 return false0;
3306 out->data[i] = a << 4 | b;
3307 }
3308 out->data_len = (unsigned)hex_len / 2;
3309 return true1;
3310}
3311/* StringInfo structure (len + data) functions }}} */
3312
3313
3314/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3315/* hmac abstraction layer */
3316#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
3317
3318static inline int
3319ssl_hmac_init(SSL_HMACgcry_md_hd_t* md, int algo)
3320{
3321 gcry_error_t err;
3322 const char *err_str, *err_src;
3323
3324 err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);
3325 if (err != 0) {
3326 err_str = gcry_strerror(err);
3327 err_src = gcry_strsource(err);
3328 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);
3329 return -1;
3330 }
3331 return 0;
3332}
3333
3334static inline int
3335ssl_hmac_setkey(SSL_HMACgcry_md_hd_t* md, const void * key, int len)
3336{
3337 gcry_error_t err;
3338 const char *err_str, *err_src;
3339
3340 err = gcry_md_setkey (*(md), key, len);
3341 if (err != 0) {
3342 err_str = gcry_strerror(err);
3343 err_src = gcry_strsource(err);
3344 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);
3345 return -1;
3346 }
3347 return 0;
3348}
3349
3350static inline int
3351ssl_hmac_reset(SSL_HMACgcry_md_hd_t* md)
3352{
3353 gcry_md_reset(*md);
3354 return 0;
3355}
3356
3357static inline void
3358ssl_hmac_update(SSL_HMACgcry_md_hd_t* md, const void* data, int len)
3359{
3360 gcry_md_write(*(md), data, len);
3361}
3362static inline void
3363ssl_hmac_final(SSL_HMACgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3364{
3365 int algo;
3366 unsigned len;
3367
3368 algo = gcry_md_get_algo (*(md));
3369 len = gcry_md_get_algo_dlen(algo);
3370 DISSECTOR_ASSERT(len <= *datalen)((void) ((len <= *datalen) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3370, "len <= *datalen"))));
3371 memcpy(data, gcry_md_read(*(md), algo), len);
3372 *datalen = len;
3373}
3374static inline void
3375ssl_hmac_cleanup(SSL_HMACgcry_md_hd_t* md)
3376{
3377 gcry_md_close(*(md));
3378}
3379
3380/* message digest abstraction layer*/
3381#define SSL_MDgcry_md_hd_t gcry_md_hd_t
3382
3383static inline int
3384ssl_md_init(SSL_MDgcry_md_hd_t* md, int algo)
3385{
3386 gcry_error_t err;
3387 const char *err_str, *err_src;
3388 err = gcry_md_open(md,algo, 0);
3389 if (err != 0) {
3390 err_str = gcry_strerror(err);
3391 err_src = gcry_strsource(err);
3392 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);
3393 return -1;
3394 }
3395 return 0;
3396}
3397static inline void
3398ssl_md_update(SSL_MDgcry_md_hd_t* md, unsigned char* data, int len)
3399{
3400 gcry_md_write(*(md), data, len);
3401}
3402static inline void
3403ssl_md_final(SSL_MDgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3404{
3405 int algo;
3406 int len;
3407 algo = gcry_md_get_algo (*(md));
3408 len = gcry_md_get_algo_dlen (algo);
3409 memcpy(data, gcry_md_read(*(md), algo), len);
3410 *datalen = len;
3411}
3412static inline void
3413ssl_md_cleanup(SSL_MDgcry_md_hd_t* md)
3414{
3415 gcry_md_close(*(md));
3416}
3417
3418static inline void
3419ssl_md_reset(SSL_MDgcry_md_hd_t* md)
3420{
3421 gcry_md_reset(*md);
3422}
3423
3424/* md5 /sha abstraction layer */
3425#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3426#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
3427
3428static inline int
3429ssl_sha_init(SSL_SHA_CTXgcry_md_hd_t* md)
3430{
3431 gcry_error_t err;
3432 const char *err_str, *err_src;
3433 err = gcry_md_open(md, GCRY_MD_SHA1, 0);
3434 if (err != 0) {
3435 err_str = gcry_strerror(err);
3436 err_src = gcry_strsource(err);
3437 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);
3438 return -1;
3439 }
3440 return 0;
3441}
3442static inline void
3443ssl_sha_update(SSL_SHA_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3444{
3445 gcry_md_write(*(md), data, len);
3446}
3447static inline void
3448ssl_sha_final(unsigned char* buf, SSL_SHA_CTXgcry_md_hd_t* md)
3449{
3450 memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),
3451 gcry_md_get_algo_dlen(GCRY_MD_SHA1));
3452}
3453
3454static inline void
3455ssl_sha_reset(SSL_SHA_CTXgcry_md_hd_t* md)
3456{
3457 gcry_md_reset(*md);
3458}
3459
3460static inline void
3461ssl_sha_cleanup(SSL_SHA_CTXgcry_md_hd_t* md)
3462{
3463 gcry_md_close(*(md));
3464}
3465
3466static inline int
3467ssl_md5_init(SSL_MD5_CTXgcry_md_hd_t* md)
3468{
3469 gcry_error_t err;
3470 const char *err_str, *err_src;
3471 err = gcry_md_open(md,GCRY_MD_MD5, 0);
3472 if (err != 0) {
3473 err_str = gcry_strerror(err);
3474 err_src = gcry_strsource(err);
3475 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);
3476 return -1;
3477 }
3478 return 0;
3479}
3480static inline void
3481ssl_md5_update(SSL_MD5_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3482{
3483 gcry_md_write(*(md), data, len);
3484}
3485static inline void
3486ssl_md5_final(unsigned char* buf, SSL_MD5_CTXgcry_md_hd_t* md)
3487{
3488 memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),
3489 gcry_md_get_algo_dlen(GCRY_MD_MD5));
3490}
3491
3492static inline void
3493ssl_md5_reset(SSL_MD5_CTXgcry_md_hd_t* md)
3494{
3495 gcry_md_reset(*md);
3496}
3497
3498static inline void
3499ssl_md5_cleanup(SSL_MD5_CTXgcry_md_hd_t* md)
3500{
3501 gcry_md_close(*(md));
3502}
3503/* libgcrypt wrappers for HMAC/message digest operations }}} */
3504
3505/* libgcrypt wrappers for Cipher state manipulation {{{ */
3506int
3507ssl_cipher_setiv(SSL_CIPHER_CTXgcry_cipher_hd_t *cipher, unsigned char* iv, int iv_len)
3508{
3509 int ret;
3510#if 0
3511 unsigned char *ivp;
3512 int i;
3513 gcry_cipher_hd_t c;
3514 c=(gcry_cipher_hd_t)*cipher;
3515#endif
3516 ssl_debug_printf("--------------------------------------------------------------------");
3517#if 0
3518 for(ivp=c->iv,i=0; i < iv_len; i++ )
3519 {
3520 ssl_debug_printf("%d ",ivp[i]);
3521 i++;
3522 }
3523#endif
3524 ssl_debug_printf("--------------------------------------------------------------------");
3525 ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
3526#if 0
3527 for(ivp=c->iv,i=0; i < iv_len; i++ )
3528 {
3529 ssl_debug_printf("%d ",ivp[i]);
3530 i++;
3531 }
3532#endif
3533 ssl_debug_printf("--------------------------------------------------------------------");
3534 return ret;
3535}
3536/* stream cipher abstraction layer*/
3537static int
3538ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
3539 unsigned char* iv, int mode)
3540{
3541 int gcry_modes[] = {
3542 GCRY_CIPHER_MODE_STREAM,
3543 GCRY_CIPHER_MODE_CBC,
3544 GCRY_CIPHER_MODE_GCM,
3545 GCRY_CIPHER_MODE_CCM,
3546 GCRY_CIPHER_MODE_CCM,
3547 GCRY_CIPHER_MODE_POLY1305,
3548 GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
3549 };
3550 int err;
3551 if (algo == -1) {
3552 /* NULL mode */
3553 *(cipher) = (gcry_cipher_hd_t)-1;
3554 return 0;
3555 }
3556 err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
3557 if (err !=0)
3558 return -1;
3559 err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
3560 if (err != 0)
3561 return -1;
3562 /* AEAD cipher suites will set the nonce later. */
3563 if (mode == MODE_CBC) {
3564 err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
3565 if (err != 0)
3566 return -1;
3567 }
3568 return 0;
3569}
3570static inline int
3571ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
3572 const unsigned char * in, int inl)
3573{
3574 if ((*cipher) == (gcry_cipher_hd_t)-1)
3575 {
3576 if (in && inl)
3577 memcpy(out, in, outl < inl ? outl : inl);
3578 return 0;
3579 }
3580 return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
3581}
3582static inline int
3583ssl_get_digest_by_name(const char*name)
3584{
3585 return gcry_md_map_name(name);
3586}
3587static inline int
3588ssl_get_cipher_by_name(const char* name)
3589{
3590 return gcry_cipher_map_name(name);
3591}
3592
3593static inline void
3594ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
3595{
3596 if ((*cipher) != (gcry_cipher_hd_t)-1)
3597 gcry_cipher_close(*cipher);
3598 *cipher = NULL((void*)0);
3599}
3600/* }}} */
3601
3602/* Digests, Ciphers and Cipher Suites registry {{{ */
3603static const SslDigestAlgo digests[]={
3604 {"MD5", 16},
3605 {"SHA1", 20},
3606 {"SHA256", 32},
3607 {"SHA384", 48},
3608 {"SM3", 32},
3609 {"Not Applicable", 0},
3610};
3611
3612#define DIGEST_MAX_SIZE48 48
3613
3614/* get index digest index */
3615static const SslDigestAlgo *
3616ssl_cipher_suite_dig(const SslCipherSuite *cs) {
3617 if (!cs || cs->dig < DIG_MD50x40 || cs->dig > DIG_NA0x45) {
3618 return &digests[DIG_NA0x45 - DIG_MD50x40];
3619 }
3620 return &digests[cs->dig - DIG_MD50x40];
3621}
3622
3623static const char *ciphers[]={
3624 "DES",
3625 "3DES",
3626 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
3627 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
3628 "IDEA",
3629 "AES",
3630 "AES256",
3631 "CAMELLIA128",
3632 "CAMELLIA256",
3633 "SEED",
3634 "CHACHA20", /* since Libgcrypt 1.7.0 */
3635 "SM1",
3636 "SM4",
3637 "*UNKNOWN*"
3638};
3639
3640static const SslCipherSuite cipher_suites[]={
3641 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3642 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3643 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3644 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3645 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3646 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3647 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3648 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3649 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3650 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3651 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3652 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3653 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3654 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3655 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3656 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3657 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3658 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3659 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3660 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3661 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3662 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3663 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3664 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3665 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3666 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3667 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3668 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3669 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3670 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3671 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3672 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3673 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3674 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3675 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3676 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3677 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3678 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3679 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3680 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3681 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3682 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3683 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3684 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3685 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3686 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3687 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3688 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3689 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3690 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3691 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3692 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3693 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3694 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3695 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3696 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3697 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3698 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3699 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3700 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3701 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3702 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3703 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3704 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3705 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3706 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3707 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3708 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3709 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3710 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3711 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3712 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3713 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3714 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3715 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3716 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3717 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3718 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3719 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3720 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3721 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3722 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3723 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3724 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3725 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3726 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3727 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3728 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3729 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3730 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3731 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3732 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3733 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3734 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3735 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3736 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3737 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3738 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3739 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3740 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3741 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3742 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3743 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3744 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3745 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3746 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3747 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3748 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3749 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3750 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3751 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3752 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3753 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3754 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3755 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3756 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3757 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3758 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3759 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3760 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3761 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3762 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3763 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3764 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3765 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3766 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3767 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3768 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3769 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3770 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3771 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3772 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3773 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3774 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3775
3776 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3777 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3778 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3779 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3780 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3781 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3782 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3783
3784 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3785 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3786 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3787 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3788 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3789 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3790 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3791 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3792 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3793 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3794 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3795 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3796 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3797 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3798 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3799 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3800 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3801 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3802 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3803 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3804 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3805 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3806 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3807 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3808 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3809 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3810 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3811 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3812 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3813 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3814 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3815 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3816 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3817 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3818 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3819 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3820 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3821 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3822 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3823 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3824 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3825 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3826 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3827 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3828 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3829 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3830 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3831 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3832 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3833 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3834 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3835 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3836 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3837 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3838 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3839 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3840 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3841 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3842 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3843 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3844 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3845 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3846 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3847 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3848 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3849 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3850 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3851 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3852 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3853 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3854 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3855 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3856 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3857 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3858 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3859 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3860 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3861 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3862 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3863 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3864 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3865 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3866 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3867 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3868 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3869 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3870 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3871 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3872 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3873 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3874 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3875 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3876 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3877 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3878 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3879 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3880 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3881 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3882 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3883 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3884 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3885 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3886 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3887 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3888 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3889 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3890 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3891 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3892 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3893 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3894 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3895 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3896 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3897 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3898 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3899 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3900 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3901 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3902 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3903 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3904 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3905 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3906 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3907 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3908 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3909 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3910 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3911 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3912 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3913 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3914 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3915 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3916 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3917 /* GM */
3918 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3919 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3920 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3921 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3922 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3923 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3924 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3925 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3926 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3927 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3928 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3929 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3930 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3931 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3932 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3933 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3934 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3935 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3936 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3937 {-1, 0, 0, 0, MODE_STREAM}
3938};
3939
3940#define MAX_BLOCK_SIZE16 16
3941#define MAX_KEY_SIZE32 32
3942
3943const SslCipherSuite *
3944ssl_find_cipher(int num)
3945{
3946 const SslCipherSuite *c;
3947 for(c=cipher_suites;c->number!=-1;c++){
3948 if(c->number==num){
3949 return c;
3950 }
3951 }
3952
3953 return NULL((void*)0);
3954}
3955
3956int
3957ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
3958{
3959 return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3960}
3961
3962unsigned
3963ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
3964{
3965 int cipher_algo;
3966 if (cipher_suite->mode != MODE_CBC) return 0;
3967 cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3968 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
3969}
3970
3971static unsigned
3972ssl_get_cipher_export_keymat_size(int cipher_suite_num)
3973{
3974 switch (cipher_suite_num) {
3975 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
3976 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3977 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3978 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3979 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3980 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3981 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3982 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3983 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3984 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3985 return 5;
3986
3987 /* not defined in below draft, but "implemented by several vendors",
3988 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
3989 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3990 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3991 return 7;
3992
3993 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
3994 * used 7. Until a pcap proves 8, let's use the old value. Link:
3995 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
3996 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3997 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3998 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3999 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
4000 return 7;
4001
4002 default:
4003 return 0;
4004 }
4005}
4006
4007/* Digests, Ciphers and Cipher Suites registry }}} */
4008
4009
4010/* HMAC and the Pseudorandom function {{{ */
4011static int
4012tls_hash(StringInfo *secret, StringInfo *seed, int md,
4013 StringInfo *out, unsigned out_len)
4014{
4015 /* RFC 2246 5. HMAC and the pseudorandom function
4016 * '+' denotes concatenation.
4017 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
4018 * HMAC_hash(secret, A(2) + seed) + ...
4019 * A(0) = seed
4020 * A(i) = HMAC_hash(secret, A(i - 1))
4021 */
4022 uint8_t *ptr;
4023 unsigned left, tocpy;
4024 uint8_t *A;
4025 uint8_t _A[DIGEST_MAX_SIZE48], tmp[DIGEST_MAX_SIZE48];
4026 unsigned A_l, tmp_l;
4027 SSL_HMACgcry_md_hd_t hm;
4028
4029 ptr = out->data;
4030 left = out_len;
4031
4032 ssl_print_string("tls_hash: hash secret", secret);
4033 ssl_print_string("tls_hash: hash seed", seed);
4034 /* A(0) = seed */
4035 A = seed->data;
4036 A_l = seed->data_len;
4037
4038 if (ssl_hmac_init(&hm, md) != 0) {
4039 return -1;
4040 }
4041 while (left) {
4042 /* A(i) = HMAC_hash(secret, A(i-1)) */
4043 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4044 ssl_hmac_update(&hm, A, A_l);
4045 A_l = sizeof(_A); /* upper bound len for hash output */
4046 ssl_hmac_final(&hm, _A, &A_l);
4047 A = _A;
4048
4049 /* HMAC_hash(secret, A(i) + seed) */
4050 ssl_hmac_reset(&hm);
4051 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4052 ssl_hmac_update(&hm, A, A_l);
4053 ssl_hmac_update(&hm, seed->data, seed->data_len);
4054 tmp_l = sizeof(tmp); /* upper bound len for hash output */
4055 ssl_hmac_final(&hm, tmp, &tmp_l);
4056 ssl_hmac_reset(&hm);
4057
4058 /* ssl_hmac_final puts the actual digest output size in tmp_l */
4059 tocpy = MIN(left, tmp_l)(((left) < (tmp_l)) ? (left) : (tmp_l));
4060 memcpy(ptr, tmp, tocpy);
4061 ptr += tocpy;
4062 left -= tocpy;
4063 }
4064 ssl_hmac_cleanup(&hm);
4065 out->data_len = out_len;
4066
4067 ssl_print_string("hash out", out);
4068 return 0;
4069}
4070
4071static bool_Bool
4072tls_prf(StringInfo* secret, const char *usage,
4073 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4074{
4075 StringInfo seed, sha_out, md5_out;
4076 uint8_t *ptr;
4077 StringInfo s1, s2;
4078 unsigned i,s_l;
4079 size_t usage_len, rnd2_len;
4080 bool_Bool success = false0;
4081 usage_len = strlen(usage);
4082 rnd2_len = rnd2 ? rnd2->data_len : 0;
4083
4084 /* initialize buffer for sha, md5 random seed*/
4085 if (ssl_data_alloc(&sha_out, MAX(out_len, 20)(((out_len) > (20)) ? (out_len) : (20))) < 0) {
4086 ssl_debug_printf("tls_prf: can't allocate sha out\n");
4087 return false0;
4088 }
4089 if (ssl_data_alloc(&md5_out, MAX(out_len, 16)(((out_len) > (16)) ? (out_len) : (16))) < 0) {
4090 ssl_debug_printf("tls_prf: can't allocate md5 out\n");
4091 goto free_sha;
4092 }
4093 if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4094 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
4095 (int) (usage_len+rnd1->data_len+rnd2_len));
4096 goto free_md5;
4097 }
4098
4099 ptr=seed.data;
4100 memcpy(ptr,usage,usage_len);
4101 ptr+=usage_len;
4102 memcpy(ptr,rnd1->data,rnd1->data_len);
4103 if (rnd2_len > 0) {
4104 ptr+=rnd1->data_len;
4105 memcpy(ptr,rnd2->data,rnd2->data_len);
4106 /*ptr+=rnd2->data_len;*/
4107 }
4108
4109 /* initialize buffer for client/server seeds*/
4110 s_l=secret->data_len/2 + secret->data_len%2;
4111 if (ssl_data_alloc(&s1, s_l) < 0) {
4112 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);
4113 goto free_seed;
4114 }
4115 if (ssl_data_alloc(&s2, s_l) < 0) {
4116 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);
4117 goto free_s1;
4118 }
4119
4120 memcpy(s1.data,secret->data,s_l);
4121 memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);
4122
4123 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
4124 if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
4125 goto free_s2;
4126 ssl_debug_printf("tls_prf: tls_hash(sha)\n");
4127 if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
4128 goto free_s2;
4129
4130 for (i = 0; i < out_len; i++)
4131 out->data[i] = md5_out.data[i] ^ sha_out.data[i];
4132 /* success, now store the new meaningful data length */
4133 out->data_len = out_len;
4134 success = true1;
4135
4136 ssl_print_string("PRF out",out);
4137free_s2:
4138 g_free(s2.data);
4139free_s1:
4140 g_free(s1.data);
4141free_seed:
4142 g_free(seed.data);
4143free_md5:
4144 g_free(md5_out.data);
4145free_sha:
4146 g_free(sha_out.data);
4147 return success;
4148}
4149
4150static bool_Bool
4151tls12_prf(int md, StringInfo* secret, const char* usage,
4152 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4153{
4154 StringInfo label_seed;
4155 int success;
4156 size_t usage_len, rnd2_len;
4157 rnd2_len = rnd2 ? rnd2->data_len : 0;
4158
4159 usage_len = strlen(usage);
4160 if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4161 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
4162 return false0;
4163 }
4164 memcpy(label_seed.data, usage, usage_len);
4165 memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);
4166 if (rnd2_len > 0)
4167 memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);
4168
4169 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
4170 success = tls_hash(secret, &label_seed, md, out, out_len);
4171 g_free(label_seed.data);
4172 if(success != -1){
4173 ssl_print_string("PRF out", out);
4174 return true1;
4175 }
4176 return false0;
4177}
4178
4179static bool_Bool
4180ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
4181 StringInfo *out, unsigned out_len)
4182{
4183 SSL_MD5_CTXgcry_md_hd_t md5;
4184 uint8_t tmp[16];
4185
4186 if (ssl_md5_init(&md5) != 0) {
4187 return false0;
4188 }
4189 ssl_md5_update(&md5,r1->data,r1->data_len);
4190 ssl_md5_update(&md5,r2->data,r2->data_len);
4191 ssl_md5_final(tmp,&md5);
4192 ssl_md5_cleanup(&md5);
4193
4194 DISSECTOR_ASSERT(out_len <= sizeof(tmp))((void) ((out_len <= sizeof(tmp)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4194, "out_len <= sizeof(tmp)"))));
4195 ssl_data_set(out, tmp, out_len);
4196 ssl_print_string("export iv", out);
4197 return true1;
4198}
4199
4200static bool_Bool
4201ssl3_prf(StringInfo* secret, const char* usage,
4202 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4203{
4204 SSL_MD5_CTXgcry_md_hd_t md5;
4205 SSL_SHA_CTXgcry_md_hd_t sha;
4206 unsigned off;
4207 int i = 0,j;
4208 uint8_t buf[20];
4209
4210 if (ssl_sha_init(&sha) != 0) {
4211 return false0;
4212 }
4213 if (ssl_md5_init(&md5) != 0) {
4214 ssl_sha_cleanup(&sha);
4215 return false0;
4216 }
4217 for (off = 0; off < out_len; off += 16) {
4218 unsigned char outbuf[16];
4219 i++;
4220
4221 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);
4222 /* A, BB, CCC, ... */
4223 for(j=0;j<i;j++){
4224 buf[j]=64+i;
4225 }
4226
4227 ssl_sha_update(&sha,buf,i);
4228 ssl_sha_update(&sha,secret->data,secret->data_len);
4229
4230 if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){
4231 if (rnd2)
4232 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4233 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4234 }
4235 else{
4236 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4237 if (rnd2)
4238 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4239 }
4240
4241 ssl_sha_final(buf,&sha);
4242 ssl_sha_reset(&sha);
4243
4244 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,
4245 secret->data_len);
4246 ssl_md5_update(&md5,secret->data,secret->data_len);
4247 ssl_md5_update(&md5,buf,20);
4248 ssl_md5_final(outbuf,&md5);
4249 ssl_md5_reset(&md5);
4250
4251 memcpy(out->data + off, outbuf, MIN(out_len - off, 16)(((out_len - off) < (16)) ? (out_len - off) : (16)));
4252 }
4253 ssl_sha_cleanup(&sha);
4254 ssl_md5_cleanup(&md5);
4255 out->data_len = out_len;
4256
4257 return true1;
4258}
4259
4260/* out_len is the wanted output length for the pseudorandom function.
4261 * Ensure that ssl->cipher_suite is set. */
4262static bool_Bool
4263prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
4264 StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
4265{
4266 switch (ssl->session.version) {
4267 case SSLV3_VERSION0x300:
4268 return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);
4269
4270 case TLSV1_VERSION0x301:
4271 case TLSV1DOT1_VERSION0x302:
4272 case DTLSV1DOT0_VERSION0xfeff:
4273 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4274 return tls_prf(secret, usage, rnd1, rnd2, out, out_len);
4275
4276 default: /* TLSv1.2 */
4277 switch (ssl->cipher_suite->dig) {
4278 case DIG_SM30x44:
4279#if GCRYPT_VERSION_NUMBER0x010a03 >= 0x010900
4280 return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,
4281 out, out_len);
4282#else
4283 return false0;
4284#endif
4285 case DIG_SHA3840x43:
4286 return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,
4287 out, out_len);
4288 default:
4289 return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,
4290 out, out_len);
4291 }
4292 }
4293}
4294
4295static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
4296{
4297 SSL_MD5_CTXgcry_md_hd_t md5;
4298 SSL_SHA_CTXgcry_md_hd_t sha;
4299
4300 if (ssl_data_alloc(out, 36) < 0)
21
Calling 'ssl_data_alloc'
25
Returned allocated memory
26
Taking false branch
4301 return -1;
4302
4303 if (ssl_md5_init(&md5) != 0)
27
Taking true branch
4304 return -1;
4305 ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);
4306 ssl_md5_final(out->data,&md5);
4307 ssl_md5_cleanup(&md5);
4308
4309 if (ssl_sha_init(&sha) != 0)
4310 return -1;
4311 ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);
4312 ssl_sha_final(out->data+16,&sha);
4313 ssl_sha_cleanup(&sha);
4314 return 0;
4315}
4316
4317static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
4318{
4319 SSL_MDgcry_md_hd_t mc;
4320 uint8_t tmp[48];
4321 unsigned len;
4322
4323 if (ssl_md_init(&mc, md) != 0)
4324 return -1;
4325 ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);
4326 ssl_md_final(&mc, tmp, &len);
4327 ssl_md_cleanup(&mc);
4328
4329 if (ssl_data_alloc(out, len) < 0)
4330 return -1;
4331 memcpy(out->data, tmp, len);
4332 return 0;
4333}
4334
4335/**
4336 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
4337 * inlined and removed once support for draft 19 and before is dropped.
4338 */
4339static inline const char *
4340tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
4341{
4342 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
4343 return "TLS 1.3, ";
4344 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4345 return "dtls13";
4346 } else {
4347 return "tls13 ";
4348 }
4349}
4350
4351/*
4352 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
4353 * custom label prefix. If "context_hash" is NULL, then an empty context is
4354 * used. Otherwise it must have the same length as the hash algorithm output.
4355 */
4356bool_Bool
4357tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
4358 const char *label_prefix, const char *label,
4359 const uint8_t *context_hash, uint8_t context_length,
4360 uint16_t out_len, unsigned char **out)
4361{
4362 /* RFC 8446 Section 7.1:
4363 * HKDF-Expand-Label(Secret, Label, Context, Length) =
4364 * HKDF-Expand(Secret, HkdfLabel, Length)
4365 * struct {
4366 * uint16 length = Length;
4367 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
4368 * opaque context<0..255> = Context;
4369 * } HkdfLabel;
4370 *
4371 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
4372 * HKDF-Expand(PRK, info, L) -> OKM
4373 */
4374 gcry_error_t err;
4375 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
4376 const unsigned label_length = (unsigned) strlen(label);
4377
4378 /* Some sanity checks */
4379 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4379, "label_length > 0 && label_prefix_length + label_length <= 255"
))));
4380
4381 /* info = HkdfLabel { length, label, context } */
4382 GByteArray *info = g_byte_array_new();
4383 const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))));
4384 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));
4385
4386 const uint8_t label_vector_length = label_prefix_length + label_length;
4387 g_byte_array_append(info, &label_vector_length, 1);
4388 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
4389 g_byte_array_append(info, (const uint8_t*)label, label_length);
4390
4391 g_byte_array_append(info, &context_length, 1);
4392 if (context_length) {
4393 g_byte_array_append(info, context_hash, context_length);
4394 }
4395
4396 *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);
4397 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
4398 g_byte_array_free(info, true1);
4399
4400 if (err) {
4401 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));
4402 wmem_free(NULL((void*)0), *out);
4403 *out = NULL((void*)0);
4404 return false0;
4405 }
4406
4407 return true1;
4408}
4409
4410bool_Bool
4411tls13_hkdf_expand_label(int md, const StringInfo *secret,
4412 const char *label_prefix, const char *label,
4413 uint16_t out_len, unsigned char **out)
4414{
4415 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL((void*)0), 0, out_len, out);
4416}
4417/* HMAC and the Pseudorandom function }}} */
4418
4419/* Record Decompression (after decryption) {{{ */
4420#ifdef USE_ZLIB_OR_ZLIBNG
4421/* memory allocation functions for zlib initialization */
4422static void* ssl_zalloc(void* opaque _U___attribute__((unused)), unsigned int no, unsigned int size)
4423{
4424 return g_malloc0(no*size);
4425}
4426static void ssl_zfree(void* opaque _U___attribute__((unused)), void* addr)
4427{
4428 g_free(addr);
4429}
4430#endif /* USE_ZLIB_OR_ZLIBNG */
4431
4432static SslDecompress*
4433ssl_create_decompressor(int compression)
4434{
4435 SslDecompress *decomp;
4436#ifdef USE_ZLIB_OR_ZLIBNG
4437 int err;
4438#endif
4439
4440 if (compression == 0) return NULL((void*)0);
4441 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
4442 decomp = wmem_new(wmem_file_scope(), SslDecompress)((SslDecompress*)wmem_alloc((wmem_file_scope()), sizeof(SslDecompress
)));
4443 decomp->compression = compression;
4444 switch (decomp->compression) {
4445#ifdef USE_ZLIB_OR_ZLIBNG
4446 case 1: /* DEFLATE */
4447 decomp->istream.zalloc = ssl_zalloc;
4448 decomp->istream.zfree = ssl_zfree;
4449 decomp->istream.opaque = Z_NULL0;
4450 decomp->istream.next_in = Z_NULL0;
4451 decomp->istream.next_out = Z_NULL0;
4452 decomp->istream.avail_in = 0;
4453 decomp->istream.avail_out = 0;
4454 err = ZLIB_PREFIX(inflateInit)(&decomp->istream)inflateInit_((&decomp->istream), "1.3", (int)sizeof(z_stream
));
4455 if (err != Z_OK0) {
4456 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
4457 return NULL((void*)0);
4458 }
4459 break;
4460#endif /* USE_ZLIB_OR_ZLIBNG */
4461 default:
4462 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
4463 return NULL((void*)0);
4464 }
4465 return decomp;
4466}
4467
4468#ifdef USE_ZLIB_OR_ZLIBNG
4469static int
4470ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
4471{
4472 int err;
4473
4474 switch (decomp->compression) {
4475 case 1: /* DEFLATE */
4476 err = Z_OK0;
4477 if (out_str->data_len < 16384) { /* maximal plain length */
4478 ssl_data_realloc(out_str, 16384);
4479 }
4480#ifdef z_constconst
4481 decomp->istream.next_in = in;
4482#else
4483DIAG_OFF(cast-qual)clang diagnostic push clang diagnostic ignored "-Wcast-qual"
4484 decomp->istream.next_in = (Bytef *)in;
4485DIAG_ON(cast-qual)clang diagnostic pop
4486#endif
4487 decomp->istream.avail_in = inl;
4488 decomp->istream.next_out = out_str->data;
4489 decomp->istream.avail_out = out_str->data_len;
4490 if (inl > 0)
4491 err = ZLIB_PREFIX(inflate)inflate(&decomp->istream, Z_SYNC_FLUSH2);
4492 if (err != Z_OK0) {
4493 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
4494 return -1;
4495 }
4496 *outl = out_str->data_len - decomp->istream.avail_out;
4497 break;
4498 default:
4499 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4500 return -1;
4501 }
4502 return 0;
4503}
4504#else /* USE_ZLIB_OR_ZLIBNG */
4505int
4506ssl_decompress_record(SslDecompress* decomp _U___attribute__((unused)), const unsigned char* in _U___attribute__((unused)), unsigned inl _U___attribute__((unused)), StringInfo* out_str _U___attribute__((unused)), unsigned* outl _U___attribute__((unused)))
4507{
4508 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4509 return -1;
4510}
4511#endif /* USE_ZLIB_OR_ZLIBNG */
4512/* Record Decompression (after decryption) }}} */
4513
4514/* Create a new structure to store decrypted chunks. {{{ */
4515static SslFlow*
4516ssl_create_flow(void)
4517{
4518 SslFlow *flow;
4519
4520 flow = wmem_new(wmem_file_scope(), SslFlow)((SslFlow*)wmem_alloc((wmem_file_scope()), sizeof(SslFlow)));
4521 flow->byte_seq = 0;
4522 flow->flags = 0;
4523 flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
4524 return flow;
4525}
4526/* }}} */
4527
4528/* Use the negotiated security parameters for decryption. {{{ */
4529void
4530ssl_change_cipher(SslDecryptSession *ssl_session, bool_Bool server)
4531{
4532 SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;
4533 SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;
4534 ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
4535 *new_decoder ? "" : " (No decoder found - retransmission?)");
4536 if (*new_decoder) {
4537 *dest = *new_decoder;
4538 *new_decoder = NULL((void*)0);
4539 }
4540}
4541/* }}} */
4542
4543/* Init cipher state given some security parameters. {{{ */
4544static bool_Bool
4545ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
4546
4547static SslDecoder*
4548ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
4549 int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
4550{
4551 SslDecoder *dec;
4552 ssl_cipher_mode_t mode = cipher_suite->mode;
4553
4554 dec = wmem_new0(wmem_file_scope(), SslDecoder)((SslDecoder*)wmem_alloc0((wmem_file_scope()), sizeof(SslDecoder
)));
4555 /* init mac buffer: mac storage is embedded into decoder struct to save a
4556 memory allocation and waste samo more memory*/
4557 dec->cipher_suite=cipher_suite;
4558 dec->compression = compression;
4559 if ((mode == MODE_STREAM && mk != NULL((void*)0)) || mode == MODE_CBC) {
4560 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
4561 // the special case for NULL ciphers, even if there is insufficiency
4562 // keying material (including MAC key), we will can still create
4563 // decoders since "decryption" is easy for such ciphers.
4564 dec->mac_key.data = dec->_mac_key_or_write_iv;
4565 ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
4566 } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
4567 // Input for the nonce, to be used with AEAD ciphers.
4568 DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv))((void) ((iv_length <= sizeof(dec->_mac_key_or_write_iv
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4568, "iv_length <= sizeof(dec->_mac_key_or_write_iv)"
))));
4569 dec->write_iv.data = dec->_mac_key_or_write_iv;
4570 ssl_data_set(&dec->write_iv, iv, iv_length);
4571 }
4572 dec->seq = 0;
4573 dec->decomp = ssl_create_decompressor(compression);
4574 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);
4575
4576 if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {
4577 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC((const char*) (__func__)),
4578 cipher_algo, cipher_suite->mode);
4579 return NULL((void*)0);
4580 }
4581
4582 if (cipher_suite->enc != ENC_NULL0x3D && sn_key != NULL((void*)0)) {
4583 if (cipher_suite->enc == ENC_AES0x35 || cipher_suite->enc == ENC_AES2560x36) {
4584 mode = MODE_ECB;
4585 } else if (cipher_suite->enc == ENC_CHACHA200x3A) {
4586 mode = MODE_STREAM;
4587 } else {
4588 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
4589 return NULL((void*)0);
4590 }
4591
4592 if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL((void*)0), mode) < 0) {
4593 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC((const char*) (__func__)),
4594 cipher_algo, MODE_ECB);
4595 ssl_cipher_cleanup(&dec->evp);
4596 dec->evp = NULL((void*)0);
4597 return NULL((void*)0);
4598 }
4599 } else {
4600 dec->sn_evp = NULL((void*)0);
4601 }
4602
4603 dec->dtls13_aad.data = NULL((void*)0);
4604 dec->dtls13_aad.data_len = 0;
4605 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
4606 return dec;
4607}
4608
4609static bool_Bool
4610ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U___attribute__((unused)), wmem_cb_event_t event _U___attribute__((unused)), void *user_data)
4611{
4612 SslDecoder *dec = (SslDecoder *) user_data;
4613
4614 if (dec->evp)
4615 ssl_cipher_cleanup(&dec->evp);
4616 if (dec->sn_evp)
4617 ssl_cipher_cleanup(&dec->sn_evp);
4618
4619#ifdef USE_ZLIB_OR_ZLIBNG
4620 if (dec->decomp != NULL((void*)0) && dec->decomp->compression == 1 /* DEFLATE */)
4621 ZLIB_PREFIX(inflateEnd)inflateEnd(&dec->decomp->istream);
4622#endif
4623
4624 return false0;
4625}
4626/* }}} */
4627
4628/* (Pre-)master secrets calculations {{{ */
4629#ifdef HAVE_LIBGNUTLS1
4630static bool_Bool
4631ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4632 StringInfo *encrypted_pre_master,
4633 GHashTable *key_hash);
4634#endif /* HAVE_LIBGNUTLS */
4635
4636static bool_Bool
4637ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
4638 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);
4639
4640bool_Bool
4641ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
4642 uint32_t length, tvbuff_t *tvb, uint32_t offset,
4643 const char *ssl_psk, packet_info *pinfo,
4644#ifdef HAVE_LIBGNUTLS1
4645 GHashTable *key_hash,
4646#endif
4647 const ssl_master_key_map_t *mk_map)
4648{
4649 /* check for required session data */
4650 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
4651 G_STRFUNC((const char*) (__func__)), ssl_session->state);
4652 if ((ssl_session->state & (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) !=
4653 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) {
4654 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC((const char*) (__func__)),
4655 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4)));
4656 return false0;
4657 }
4658
4659 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304) {
4660 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC((const char*) (__func__)));
4661 return false0;
4662 }
4663
4664 /* check to see if the PMS was provided to us*/
4665 if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true1,
4666 mk_map->pms, &ssl_session->client_random)) {
4667 return true1;
4668 }
4669
4670 if (ssl_session->cipher_suite->kex == KEX_PSK0x1d)
4671 {
4672 /* calculate pre master secret*/
4673 StringInfo pre_master_secret;
4674 unsigned psk_len, pre_master_len;
4675
4676 if (!ssl_psk || (ssl_psk[0] == 0)) {
4677 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC((const char*) (__func__)));
4678 return false0;
4679 }
4680
4681 /* convert hex string into char*/
4682 if (!from_hex(&ssl_session->psk, ssl_psk, strlen(ssl_psk))) {
4683 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
4684 G_STRFUNC((const char*) (__func__)));
4685 return false0;
4686 }
4687
4688 psk_len = ssl_session->psk.data_len;
4689 if (psk_len >= (2 << 15)) {
4690 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
4691 G_STRFUNC((const char*) (__func__)));
4692 return false0;
4693 }
4694
4695
4696 pre_master_len = psk_len * 2 + 4;
4697
4698 pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
4699 pre_master_secret.data_len = pre_master_len;
4700 /* 2 bytes psk_len*/
4701 pre_master_secret.data[0] = psk_len >> 8;
4702 pre_master_secret.data[1] = psk_len & 0xFF;
4703 /* psk_len bytes times 0*/
4704 memset(&pre_master_secret.data[2], 0, psk_len);
4705 /* 2 bytes psk_len*/
4706 pre_master_secret.data[psk_len + 2] = psk_len >> 8;
4707 pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
4708 /* psk*/
4709 memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);
4710
4711 ssl_session->pre_master_secret.data = pre_master_secret.data;
4712 ssl_session->pre_master_secret.data_len = pre_master_len;
4713 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/
4714
4715 /* Remove the master secret if it was there.
4716 This forces keying material regeneration in
4717 case we're renegotiating */
4718 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
4719 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
4720 return true1;
4721 }
4722 else
4723 {
4724 unsigned encrlen, skip;
4725 encrlen = length;
4726 skip = 0;
4727
4728 /* get encrypted data, on tls1 we have to skip two bytes
4729 * (it's the encrypted len and should be equal to record len - 2)
4730 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
4731 */
4732 if (ssl_session->cipher_suite->kex == KEX_RSA0x1e &&
4733 (ssl_session->session.version == TLSV1_VERSION0x301 ||
4734 ssl_session->session.version == TLSV1DOT1_VERSION0x302 ||
4735 ssl_session->session.version == TLSV1DOT2_VERSION0x303 ||
4736 ssl_session->session.version == DTLSV1DOT0_VERSION0xfeff ||
4737 ssl_session->session.version == DTLSV1DOT2_VERSION0xfefd ||
4738 ssl_session->session.version == TLCPV1_VERSION0x101 ))
4739 {
4740 encrlen = tvb_get_ntohs(tvb, offset);
4741 skip = 2;
4742 if (encrlen > length - 2)
4743 {
4744 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
4745 G_STRFUNC((const char*) (__func__)), encrlen, length);
4746 return false0;
4747 }
4748 }
4749 /* the valid lower bound is higher than 8, but it is sufficient for the
4750 * ssl keylog file below */
4751 if (encrlen < 8) {
4752 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
4753 G_STRFUNC((const char*) (__func__)), encrlen);
4754 return false0;
4755 }
4756
4757 StringInfo encrypted_pre_master = {
4758 .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
4759 .data_len = encrlen,
4760 };
4761
4762#ifdef HAVE_LIBGNUTLS1
4763 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
4764 if (ssl_session->cert_key_id) {
4765 if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
4766 return true1;
4767
4768 ssl_debug_printf("%s: can't decrypt pre-master secret\n",
4769 G_STRFUNC((const char*) (__func__)));
4770 }
4771#endif /* HAVE_LIBGNUTLS */
4772
4773 /* try to find the pre-master secret from the encrypted one. The
4774 * ssl key logfile stores only the first 8 bytes, so truncate it */
4775 encrypted_pre_master.data_len = 8;
4776 if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
4777 true1, mk_map->pre_master, &encrypted_pre_master))
4778 return true1;
4779 }
4780 return false0;
4781}
4782
4783/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
4784int
4785ssl_generate_keyring_material(SslDecryptSession*ssl_session)
4786{
4787 StringInfo key_block = { NULL((void*)0), 0 };
4788 uint8_t _iv_c[MAX_BLOCK_SIZE16],_iv_s[MAX_BLOCK_SIZE16];
4789 uint8_t _key_c[MAX_KEY_SIZE32],_key_s[MAX_KEY_SIZE32];
4790 int needed;
4791 int cipher_algo = -1; /* special value (-1) for NULL encryption */
4792 unsigned encr_key_len, write_iv_len = 0;
4793 bool_Bool is_export_cipher;
4794 uint8_t *ptr, *c_iv = NULL((void*)0), *s_iv = NULL((void*)0);
4795 uint8_t *c_wk = NULL((void*)0), *s_wk = NULL((void*)0), *c_mk = NULL((void*)0), *s_mk = NULL((void*)0);
4796 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
4797
4798 /* (D)TLS 1.3 is handled directly in tls13_change_key. */
4799 if (ssl_session->session.version
7.1
Field 'version' is not equal to TLSV1DOT3_VERSION
 == TLSV1DOT3_VERSION0x304 || ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
8
Assuming field 'version' is not equal to DTLSV1DOT3_VERSION
9
Taking false branch
4800 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC((const char*) (__func__)));
4801 return -1;
4802 }
4803
4804 /* check for enough info to proceed */
4805 unsigned need_all = SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4);
4806 unsigned need_any = SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
4807 if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
10
Assuming the condition is false
11
Assuming the condition is false
12
Taking false branch
4808 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
4809 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
4810 need_all|SSL_MASTER_SECRET(1<<5), need_all|SSL_PRE_MASTER_SECRET(1<<6));
4811 /* Special case: for NULL encryption, allow dissection of data even if
4812 * the Client Hello is missing (MAC keys are now skipped though). */
4813 need_all = SSL_CIPHER(1<<2)|SSL_VERSION(1<<4);
4814 if ((ssl_session->state & need_all) == need_all &&
4815 cipher_suite->enc == ENC_NULL0x3D) {
4816 ssl_debug_printf("%s NULL cipher found, will create a decoder but "
4817 "skip MAC validation as keys are missing.\n", G_STRFUNC((const char*) (__func__)));
4818 goto create_decoders;
4819 }
4820
4821 return -1;
4822 }
4823
4824 /* if master key is not available, generate is from the pre-master secret */
4825 if (!(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
13
Assuming the condition is true
14
Taking true branch
4826 if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) == SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) {
15
Assuming the condition is true
16
Taking true branch
4827 StringInfo handshake_hashed_data;
4828 int ret;
4829
4830 handshake_hashed_data.data = NULL((void*)0);
4831 handshake_hashed_data.data_len = 0;
4832
4833 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC((const char*) (__func__)));
4834 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4835 DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0)((void) ((ssl_session->handshake_data.data_len > 0) ? (
void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4835, "ssl_session->handshake_data.data_len > 0"
))));
17
Assuming field 'data_len' is > 0
18
'?' condition is true
4836
4837 switch(ssl_session->session.version) {
19
Control jumps to 'case 257:' at line 4842
4838 case TLSV1_VERSION0x301:
4839 case TLSV1DOT1_VERSION0x302:
4840 case DTLSV1DOT0_VERSION0xfeff:
4841 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4842 case TLCPV1_VERSION0x101:
4843 ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
20
Calling 'tls_handshake_hash'
28
Returned allocated memory
4844 break;
4845 default:
4846 switch (cipher_suite->dig) {
4847 case DIG_SHA3840x43:
4848 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
4849 break;
4850 default:
4851 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
4852 break;
4853 }
4854 break;
4855 }
4856 if (ret
29.1
'ret' is -1
) {
29
 Execution continues on line 4856
30
Taking true branch
4857 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC((const char*) (__func__)));
31
Potential leak of memory pointed to by 'handshake_hashed_data.data'
4858 return -1;
4859 }
4860
4861 wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
4862 ssl_session->handshake_data.data = NULL((void*)0);
4863 ssl_session->handshake_data.data_len = 0;
4864
4865 if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
4866 &handshake_hashed_data,
4867 NULL((void*)0), &ssl_session->master_secret,
4868 SSL_MASTER_SECRET_LENGTH48)) {
4869 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4870 g_free(handshake_hashed_data.data);
4871 return -1;
4872 }
4873 g_free(handshake_hashed_data.data);
4874 } else {
4875 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC((const char*) (__func__)));
4876 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4877 ssl_print_string("client random",&ssl_session->client_random);
4878 ssl_print_string("server random",&ssl_session->server_random);
4879 if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
4880 &ssl_session->client_random,
4881 &ssl_session->server_random, &ssl_session->master_secret,
4882 SSL_MASTER_SECRET_LENGTH48)) {
4883 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4884 return -1;
4885 }
4886 }
4887 ssl_print_string("master secret",&ssl_session->master_secret);
4888
4889 /* the pre-master secret has been 'consumed' so we must clear it now */
4890 ssl_session->state &= ~SSL_PRE_MASTER_SECRET(1<<6);
4891 ssl_session->state |= SSL_MASTER_SECRET(1<<5);
4892 }
4893
4894 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4895 if (cipher_suite->enc != ENC_NULL0x3D) {
4896 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
4897 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4898 cipher_algo = ssl_get_cipher_by_name(cipher_name);
4899 if (cipher_algo == 0) {
4900 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4901 return -1;
4902 }
4903 }
4904
4905 /* Export ciphers consume less material from the key block. */
4906 encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
4907 is_export_cipher = encr_key_len > 0;
4908 if (!is_export_cipher && cipher_suite->enc != ENC_NULL0x3D) {
4909 encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
4910 }
4911
4912 if (cipher_suite->mode == MODE_CBC) {
4913 write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4914 } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
4915 /* account for a four-byte salt for client and server side (from
4916 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
4917 write_iv_len = 4;
4918 } else if (cipher_suite->mode == MODE_POLY1305) {
4919 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
4920 write_iv_len = 12;
4921 }
4922
4923 /* Compute the key block. First figure out how much data we need */
4924 needed = ssl_cipher_suite_dig(cipher_suite)->len*2; /* MAC key */
4925 needed += 2 * encr_key_len; /* encryption key */
4926 needed += 2 * write_iv_len; /* write IV */
4927
4928 key_block.data = (unsigned char *)g_malloc(needed);
4929 ssl_debug_printf("%s sess key generation\n", G_STRFUNC((const char*) (__func__)));
4930 if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
4931 &ssl_session->server_random,&ssl_session->client_random,
4932 &key_block, needed)) {
4933 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC((const char*) (__func__)));
4934 goto fail;
4935 }
4936 ssl_print_string("key expansion", &key_block);
4937
4938 ptr=key_block.data;
4939 /* client/server write MAC key (for non-AEAD ciphers) */
4940 if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
4941 c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4942 s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4943 }
4944 /* client/server write encryption key */
4945 c_wk=ptr; ptr += encr_key_len;
4946 s_wk=ptr; ptr += encr_key_len;
4947 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
4948 if (write_iv_len > 0) {
4949 c_iv=ptr; ptr += write_iv_len;
4950 s_iv=ptr; /* ptr += write_iv_len; */
4951 }
4952
4953 /* export ciphers work with a smaller key length */
4954 if (is_export_cipher) {
4955 if (cipher_suite->mode == MODE_CBC) {
4956
4957 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
4958 all we should need. This is a sanity check */
4959 if (write_iv_len > MAX_BLOCK_SIZE16) {
4960 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
4961 G_STRFUNC((const char*) (__func__)), MAX_BLOCK_SIZE16, write_iv_len);
4962 goto fail;
4963 }
4964
4965 if(ssl_session->session.version==SSLV3_VERSION0x300){
4966 /* The length of these fields are ignored by this caller */
4967 StringInfo iv_c, iv_s;
4968 iv_c.data = _iv_c;
4969 iv_s.data = _iv_s;
4970
4971 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC((const char*) (__func__)));
4972 if (!ssl3_generate_export_iv(&ssl_session->client_random,
4973 &ssl_session->server_random, &iv_c, write_iv_len)) {
4974 goto fail;
4975 }
4976 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC((const char*) (__func__)));
4977 if (!ssl3_generate_export_iv(&ssl_session->server_random,
4978 &ssl_session->client_random, &iv_s, write_iv_len)) {
4979 goto fail;
4980 }
4981 }
4982 else{
4983 uint8_t _iv_block[MAX_BLOCK_SIZE16 * 2];
4984 StringInfo iv_block;
4985 StringInfo key_null;
4986 uint8_t _key_null;
4987
4988 key_null.data = &_key_null;
4989 key_null.data_len = 0;
4990
4991 iv_block.data = _iv_block;
4992
4993 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC((const char*) (__func__)));
4994 if (!prf(ssl_session, &key_null, "IV block",
4995 &ssl_session->client_random,
4996 &ssl_session->server_random, &iv_block,
4997 write_iv_len * 2)) {
4998 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC((const char*) (__func__)));
4999 goto fail;
5000 }
5001
5002 memcpy(_iv_c, iv_block.data, write_iv_len);
5003 memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
5004 }
5005
5006 c_iv=_iv_c;
5007 s_iv=_iv_s;
5008 }
5009
5010 if (ssl_session->session.version==SSLV3_VERSION0x300){
5011
5012 SSL_MD5_CTXgcry_md_hd_t md5;
5013 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC((const char*) (__func__)));
5014
5015 if (ssl_md5_init(&md5) != 0)
5016 goto fail;
5017 ssl_md5_update(&md5,c_wk,encr_key_len);
5018 ssl_md5_update(&md5,ssl_session->client_random.data,
5019 ssl_session->client_random.data_len);
5020 ssl_md5_update(&md5,ssl_session->server_random.data,
5021 ssl_session->server_random.data_len);
5022 ssl_md5_final(_key_c,&md5);
5023 ssl_md5_cleanup(&md5);
5024 c_wk=_key_c;
5025
5026 if (ssl_md5_init(&md5) != 0)
5027 goto fail;
5028 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC((const char*) (__func__)));
5029 ssl_md5_update(&md5,s_wk,encr_key_len);
5030 ssl_md5_update(&md5,ssl_session->server_random.data,
5031 ssl_session->server_random.data_len);
5032 ssl_md5_update(&md5,ssl_session->client_random.data,
5033 ssl_session->client_random.data_len);
5034 ssl_md5_final(_key_s,&md5);
5035 ssl_md5_cleanup(&md5);
5036 s_wk=_key_s;
5037 }
5038 else{
5039 StringInfo key_c, key_s, k;
5040 key_c.data = _key_c;
5041 key_s.data = _key_s;
5042
5043 k.data = c_wk;
5044 k.data_len = encr_key_len;
5045 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC((const char*) (__func__)));
5046 if (!prf(ssl_session, &k, "client write key",
5047 &ssl_session->client_random,
5048 &ssl_session->server_random, &key_c, sizeof(_key_c))) {
5049 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC((const char*) (__func__)));
5050 goto fail;
5051 }
5052 c_wk=_key_c;
5053
5054 k.data = s_wk;
5055 k.data_len = encr_key_len;
5056 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC((const char*) (__func__)));
5057 if (!prf(ssl_session, &k, "server write key",
5058 &ssl_session->client_random,
5059 &ssl_session->server_random, &key_s, sizeof(_key_s))) {
5060 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC((const char*) (__func__)));
5061 goto fail;
5062 }
5063 s_wk=_key_s;
5064 }
5065 }
5066
5067 /* show key material info */
5068 if (c_mk != NULL((void*)0)) {
5069 ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5070 ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5071 }
5072 ssl_print_data("Client Write key", c_wk, encr_key_len);
5073 ssl_print_data("Server Write key", s_wk, encr_key_len);
5074 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
5075 if (write_iv_len > 0) {
5076 ssl_print_data("Client Write IV", c_iv, write_iv_len);
5077 ssl_print_data("Server Write IV", s_iv, write_iv_len);
5078 }
5079
5080create_decoders:
5081 /* create both client and server ciphers*/
5082 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC((const char*) (__func__)));
5083 ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL((void*)0), c_iv, write_iv_len);
5084 if (!ssl_session->client_new) {
5085 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC((const char*) (__func__)));
5086 goto fail;
5087 }
5088 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC((const char*) (__func__)));
5089 ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL((void*)0), s_iv, write_iv_len);
5090 if (!ssl_session->server_new) {
5091 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC((const char*) (__func__)));
5092 goto fail;
5093 }
5094
5095 /* Continue the SSL stream after renegotiation with new keys. */
5096 ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5097 ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5098
5099 ssl_debug_printf("%s: client seq %" PRIu64"l" "u" ", server seq %" PRIu64"l" "u" "\n",
5100 G_STRFUNC((const char*) (__func__)), ssl_session->client_new->seq, ssl_session->server_new->seq);
5101 g_free(key_block.data);
5102 ssl_session->state |= SSL_HAVE_SESSION_KEY(1<<3);
5103 return 0;
5104
5105fail:
5106 g_free(key_block.data);
5107 return -1;
5108}
5109
5110/* Generated the key material based on the given secret. */
5111bool_Bool
5112tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool_Bool is_from_server)
5113{
5114 bool_Bool success = false0;
5115 unsigned char *write_key = NULL((void*)0), *write_iv = NULL((void*)0);
5116 unsigned char *sn_key = NULL((void*)0);
5117 SslDecoder *decoder;
5118 unsigned key_length, iv_length;
5119 int hash_algo;
5120 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
5121 int cipher_algo;
5122
5123 if ((ssl_session->session.version != TLSV1DOT3_VERSION0x304) && (ssl_session->session.version != DTLSV1DOT3_VERSION0xfefc)) {
5124 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC((const char*) (__func__)),
5125 ssl_session->session.version);
5126 return false0;
5127 }
5128
5129 if (cipher_suite == NULL((void*)0)) {
5130 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC((const char*) (__func__)));
5131 return false0;
5132 }
5133
5134 if (cipher_suite->kex != KEX_TLS130x23) {
5135 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC((const char*) (__func__)), cipher_suite->number);
5136 return false0;
5137 }
5138
5139 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
5140 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
5141 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5142 cipher_algo = ssl_get_cipher_by_name(cipher_name);
5143 if (cipher_algo == 0) {
5144 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5145 return false0;
5146 }
5147
5148 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
5149 hash_algo = ssl_get_digest_by_name(hash_name);
5150 if (!hash_algo) {
5151 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), hash_name);
5152 return false0;
5153 }
5154
5155 key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
5156 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
5157 iv_length = 12;
5158 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC((const char*) (__func__)), key_length, iv_length);
5159
5160 const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
5161 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
5162 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5163 return false0;
5164 }
5165 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
5166 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC((const char*) (__func__)));
5167 goto end;
5168 }
5169
5170 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5171 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
5172 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5173 goto end;
5174 }
5175 }
5176
5177 ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
5178 ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
5179 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5180 ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
5181 }
5182
5183 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5184 decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL((void*)0), write_key, sn_key, write_iv, iv_length);
5185 if (!decoder) {
5186 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5187 goto end;
5188 }
5189
5190 /* Continue the TLS session with new keys, but reuse old flow to keep things
5191 * like "Follow TLS" working (by linking application data records). */
5192 if (is_from_server) {
5193 decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5194 ssl_session->server = decoder;
5195 } else {
5196 decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5197 ssl_session->client = decoder;
5198 }
5199 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC((const char*) (__func__)),
5200 is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
5201 success = true1;
5202
5203end:
5204 wmem_free(NULL((void*)0), write_key);
5205 wmem_free(NULL((void*)0), write_iv);
5206 if (sn_key)
5207 wmem_free(NULL((void*)0), sn_key);
5208 return success;
5209}
5210/* (Pre-)master secrets calculations }}} */
5211
5212#ifdef HAVE_LIBGNUTLS1
5213/* Decrypt RSA pre-master secret using RSA private key. {{{ */
5214static bool_Bool
5215ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
5216 StringInfo *encrypted_pre_master, GHashTable *key_hash)
5217{
5218 int ret;
5219
5220 if (!encrypted_pre_master)
5221 return false0;
5222
5223 if (KEX_IS_DH(ssl_session->cipher_suite->kex)((ssl_session->cipher_suite->kex) >= 0x10 &&
(ssl_session->cipher_suite->kex) <= 0x1b)) {
5224 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
5225 "(cipher suite 0x%04X %s) and cannot be decrypted "
5226 "using a RSA private key file.\n",
5227 G_STRFUNC((const char*) (__func__)), ssl_session->session.cipher,
5228 val_to_str_ext_const(ssl_session->session.cipher,
5229 &ssl_31_ciphersuite_ext, "unknown"));
5230 return false0;
5231 } else if (ssl_session->cipher_suite->kex != KEX_RSA0x1e) {
5232 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
5233 G_STRFUNC((const char*) (__func__)), ssl_session->cipher_suite->kex, KEX_RSA0x1e);
5234 return false0;
5235 }
5236
5237 gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);
5238
5239 ssl_print_string("pre master encrypted", encrypted_pre_master);
5240 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC((const char*) (__func__)));
5241 const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
5242 gnutls_datum_t pms = { 0 };
5243 if (pk) {
5244 // Try to decrypt using the RSA keys table from (D)TLS preferences.
5245 ret = gnutls_privkey_decrypt_data(pk, 0, &epms, &pms);
5246 } else {
5247 // Try to decrypt using a hardware token.
5248 ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
5249 }
5250 if (ret < 0) {
5251 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC((const char*) (__func__)), ret, gnutls_strerror(ret));
5252 return false0;
5253 }
5254
5255 if (pms.size != 48) {
5256 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
5257 G_STRFUNC((const char*) (__func__)), pms.size, 48);
5258 if (pk) {
5259 gnutls_free(pms.data);
5260 } else {
5261 g_free(pms.data);
5262 }
5263 return false0;
5264 }
5265
5266 ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
5267 ssl_session->pre_master_secret.data_len = 48;
5268 if (pk) {
5269 gnutls_free(pms.data);
5270 } else {
5271 g_free(pms.data);
5272 }
5273 ssl_print_string("pre master secret", &ssl_session->pre_master_secret);
5274
5275 /* Remove the master secret if it was there.
5276 This forces keying material regeneration in
5277 case we're renegotiating */
5278 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
5279 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
5280 return true1;
5281} /* }}} */
5282#endif /* HAVE_LIBGNUTLS */
5283
5284/* Decryption integrity check {{{ */
5285
5286static int
5287tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
5288 uint32_t datalen, uint8_t* mac)
5289{
5290 SSL_HMACgcry_md_hd_t hm;
5291 int md;
5292 uint32_t len;
5293 uint8_t buf[DIGEST_MAX_SIZE48];
5294 int16_t temp;
5295
5296 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5297 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
5298 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5299
5300 if (ssl_hmac_init(&hm,md) != 0)
5301 return -1;
5302 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5303 return -1;
5304
5305 /* hash sequence number */
5306 phtonu64(buf, decoder->seq);
5307
5308 decoder->seq++;
5309
5310 ssl_hmac_update(&hm,buf,8);
5311
5312 /* hash content type */
5313 buf[0]=ct;
5314 ssl_hmac_update(&hm,buf,1);
5315
5316 /* hash version,data length and data*/
5317 /* *((int16_t*)buf) = g_htons(ver); */
5318 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5319 memcpy(buf, &temp, 2);
5320 ssl_hmac_update(&hm,buf,2);
5321
5322 /* *((int16_t*)buf) = g_htons(datalen); */
5323 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5324 memcpy(buf, &temp, 2);
5325 ssl_hmac_update(&hm,buf,2);
5326 ssl_hmac_update(&hm,data,datalen);
5327
5328 /* get digest and digest len*/
5329 len = sizeof(buf);
5330 ssl_hmac_final(&hm,buf,&len);
5331 ssl_hmac_cleanup(&hm);
5332 ssl_print_data("Mac", buf, len);
5333 if(memcmp(mac,buf,len))
5334 return -1;
5335
5336 return 0;
5337}
5338
5339static int
5340ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
5341 uint32_t datalen, uint8_t* mac)
5342{
5343 SSL_MDgcry_md_hd_t mc;
5344 int md;
5345 uint32_t len;
5346 uint8_t buf[64],dgst[20];
5347 int pad_ct;
5348 int16_t temp;
5349
5350 pad_ct=(decoder->cipher_suite->dig==DIG_SHA0x41)?40:48;
5351
5352 /* get cipher used for digest computation */
5353 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5354 if (ssl_md_init(&mc,md) !=0)
5355 return -1;
5356
5357 /* do hash computation on data && padding */
5358 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5359
5360 /* hash padding*/
5361 memset(buf,0x36,pad_ct);
5362 ssl_md_update(&mc,buf,pad_ct);
5363
5364 /* hash sequence number */
5365 phtonu64(buf, decoder->seq);
5366 decoder->seq++;
5367 ssl_md_update(&mc,buf,8);
5368
5369 /* hash content type */
5370 buf[0]=ct;
5371 ssl_md_update(&mc,buf,1);
5372
5373 /* hash data length in network byte order and data*/
5374 /* *((int16_t* )buf) = g_htons(datalen); */
5375 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5376 memcpy(buf, &temp, 2);
5377 ssl_md_update(&mc,buf,2);
5378 ssl_md_update(&mc,data,datalen);
5379
5380 /* get partial digest */
5381 ssl_md_final(&mc,dgst,&len);
5382 ssl_md_reset(&mc);
5383
5384 /* hash mac key */
5385 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5386
5387 /* hash padding and partial digest*/
5388 memset(buf,0x5c,pad_ct);
5389 ssl_md_update(&mc,buf,pad_ct);
5390 ssl_md_update(&mc,dgst,len);
5391
5392 ssl_md_final(&mc,dgst,&len);
5393 ssl_md_cleanup(&mc);
5394
5395 if(memcmp(mac,dgst,len))
5396 return -1;
5397
5398 return 0;
5399}
5400
5401static int
5402dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
5403 uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
5404{
5405 SSL_HMACgcry_md_hd_t hm;
5406 int md;
5407 uint32_t len;
5408 uint8_t buf[DIGEST_MAX_SIZE48];
5409 int16_t temp;
5410
5411 int ver = ssl->session.version;
5412 bool_Bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION0xfefd));
5413
5414 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5415 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
5416 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5417
5418 if (ssl_hmac_init(&hm,md) != 0)
5419 return -1;
5420 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5421 return -1;
5422
5423 ssl_debug_printf("dtls_check_mac seq: %" PRIu64"l" "u" " epoch: %d\n",decoder->seq,decoder->epoch);
5424
5425 if (is_cid && !ssl->session.deprecated_cid) {
5426 /* hash seq num placeholder */
5427 memset(buf,0xFF,8);
5428 ssl_hmac_update(&hm,buf,8);
5429
5430 /* hash content type + cid length + content type */
5431 buf[0]=ct;
5432 buf[1]=cidl;
5433 buf[2]=ct;
5434 ssl_hmac_update(&hm,buf,3);
5435
5436 /* hash version */
5437 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5438 memcpy(buf, &temp, 2);
5439 ssl_hmac_update(&hm,buf,2);
5440
5441 /* hash sequence number */
5442 phtonu64(buf, decoder->seq);
5443 buf[0]=decoder->epoch>>8;
5444 buf[1]=(uint8_t)decoder->epoch;
5445 ssl_hmac_update(&hm,buf,8);
5446
5447 /* hash cid */
5448 ssl_hmac_update(&hm,cid,cidl);
5449 } else {
5450 /* hash sequence number */
5451 phtonu64(buf, decoder->seq);
5452 buf[0]=decoder->epoch>>8;
5453 buf[1]=(uint8_t)decoder->epoch;
5454 ssl_hmac_update(&hm,buf,8);
5455
5456 /* hash content type */
5457 buf[0]=ct;
5458 ssl_hmac_update(&hm,buf,1);
5459
5460 /* hash version */
5461 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5462 memcpy(buf, &temp, 2);
5463 ssl_hmac_update(&hm,buf,2);
5464
5465 if (is_cid && ssl->session.deprecated_cid) {
5466 /* hash cid */
5467 ssl_hmac_update(&hm,cid,cidl);
5468
5469 /* hash cid length */
5470 buf[0] = cidl;
5471 ssl_hmac_update(&hm,buf,1);
5472 }
5473 }
5474
5475 /* data length and data */
5476 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5477 memcpy(buf, &temp, 2);
5478 ssl_hmac_update(&hm,buf,2);
5479 ssl_hmac_update(&hm,data,datalen);
5480
5481 /* get digest and digest len */
5482 len = sizeof(buf);
5483 ssl_hmac_final(&hm,buf,&len);
5484 ssl_hmac_cleanup(&hm);
5485 ssl_print_data("Mac", buf, len);
5486 if(memcmp(mac,buf,len))
5487 return -1;
5488
5489 return 0;
5490}
5491/* Decryption integrity check }}} */
5492
5493
5494static bool_Bool
5495tls_decrypt_aead_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder,
5496 uint8_t ct, uint16_t record_version,
5497 bool_Bool ignore_mac_failed,
5498 const unsigned char *in, uint16_t inl,
5499 const unsigned char *cid, uint8_t cidl,
5500 StringInfo *out_str, unsigned *outl)
5501{
5502 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5503 * GenericAEADCipher: { nonce_explicit, [content] }
5504 * In TLS 1.3 this explicit nonce is gone.
5505 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5506 * ciphertext and authentication tag.
5507 */
5508 const uint16_t version = ssl->session.version;
5509 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
5510 gcry_error_t err;
5511 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
5512 unsigned ciphertext_len, auth_tag_len;
5513 unsigned char nonce[12];
5514 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5515 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
5516 const uint8_t draft_version = ssl->session.tls13_draft_version;
5517 const unsigned char *auth_tag_wire;
5518 unsigned char auth_tag_calc[16];
5519 unsigned char *aad = NULL((void*)0);
5520 unsigned aad_len = 0;
5521
5522 switch (cipher_mode) {
5523 case MODE_GCM:
5524 case MODE_CCM:
5525 case MODE_POLY1305:
5526 auth_tag_len = 16;
5527 break;
5528 case MODE_CCM_8:
5529 auth_tag_len = 8;
5530 break;
5531 default:
5532 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
5533 return false0;
5534 }
5535
5536 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5537 if (is_v12 && cipher_mode != MODE_POLY1305) {
5538 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
5539 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5540 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
5541 return false0;
5542 }
5543 explicit_nonce = in;
5544 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
5545 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
5546 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5547 if (inl < auth_tag_len) {
5548 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
5549 return false0;
5550 }
5551 ciphertext = in;
5552 ciphertext_len = inl - auth_tag_len;
5553 } else {
5554 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
5555 return false0;
5556 }
5557 auth_tag_wire = ciphertext + ciphertext_len;
5558
5559 /*
5560 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5561 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5562 */
5563 if (is_v12 && cipher_mode != MODE_POLY1305) {
5564 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5564, "decoder->write_iv.data_len == 4"))));
5565 /* Implicit (4) and explicit (8) part of nonce. */
5566 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
5567 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
5568
5569 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5570 /*
5571 * Technically the nonce length must be at least 8 bytes, but for
5572 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5573 */
5574 const unsigned nonce_len = 12;
5575 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5575, "decoder->write_iv.data_len == nonce_len"
))));
5576 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5577 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5578 phtonu64(nonce + nonce_len - 8, pntohu64(nonce + nonce_len - 8) ^ decoder->seq);
5579 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
5580 }
5581
5582 /* Set nonce and additional authentication data */
5583 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0);
5584 ssl_print_data("nonce", nonce, 12);
5585 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5586 if (err) {
5587 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5588 return false0;
5589 }
5590
5591 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5592 if (is_cid) { /* if connection ID */
5593 if (ssl->session.deprecated_cid) {
5594 aad_len = 14 + cidl;
5595 aad = wmem_alloc(allocator, aad_len);
5596 phtonu64(aad, decoder->seq); /* record sequence number */
5597 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5598 aad[8] = ct; /* TLSCompressed.type */
5599 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5600 memcpy(aad + 11, cid, cidl); /* cid */
5601 aad[11 + cidl] = cidl; /* cid_length */
5602 phtonu16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5603 } else {
5604 aad_len = 23 + cidl;
5605 aad = wmem_alloc(allocator, aad_len);
5606 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5607 aad[8] = ct; /* TLSCompressed.type */
5608 aad[9] = cidl; /* cid_length */
5609 aad[10] = ct; /* TLSCompressed.type */
5610 phtonu16(aad + 11, record_version); /* TLSCompressed.version */
5611 phtonu64(aad + 13, decoder->seq); /* record sequence number */
5612 phtonu16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5613 memcpy(aad + 21, cid, cidl); /* cid */
5614 phtonu16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5615 }
5616 } else if (is_v12) {
5617 aad_len = 13;
5618 aad = wmem_alloc(allocator, aad_len);
5619 phtonu64(aad, decoder->seq); /* record sequence number */
5620 if (version == DTLSV1DOT2_VERSION0xfefd) {
5621 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5622 }
5623 aad[8] = ct; /* TLSCompressed.type */
5624 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5625 phtonu16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5626 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
5627 aad_len = decoder->dtls13_aad.data_len;
5628 aad = decoder->dtls13_aad.data;
5629 } else if (draft_version >= 25 || draft_version == 0) {
5630 aad_len = 5;
5631 aad = wmem_alloc(allocator, aad_len);
5632 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5633 phtonu16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5634 phtonu16(aad + 3, inl); /* TLSCiphertext.length */
5635 }
5636
5637 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5638 /* size of plaintext, additional authenticated data and auth tag. */
5639 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5640
5641 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5642 }
5643
5644 if (aad && aad_len > 0) {
5645 ssl_print_data("AAD", aad, aad_len);
5646 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5647 if (err) {
5648 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5649 return false0;
5650 }
5651 }
5652
5653 /* Decrypt now that nonce and AAD are set. */
5654 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5655 if (err) {
5656 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5657 return false0;
5658 }
5659
5660 /* Check authentication tag for authenticity (replaces MAC) */
5661 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5662 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5663 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5664 } else {
5665 if (err) {
5666 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5667 } else {
5668 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
5669 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5670 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5671 }
5672 if (ignore_mac_failed) {
5673 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
5674 } else {
5675 return false0;
5676 }
5677 }
5678
5679 /*
5680 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5681 * after successful authentication to ensure that early data is skipped when
5682 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5683 */
5684 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
5685 decoder->seq++;
5686 }
5687
5688 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5689 *outl = ciphertext_len;
5690 return true1;
5691}
5692
5693/* Record decryption glue based on security parameters {{{ */
5694/* Assume that we are called only for a non-NULL decoder which also means that
5695 * we have a non-NULL decoder->cipher_suite. */
5696int
5697ssl_decrypt_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
5698 bool_Bool ignore_mac_failed,
5699 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
5700 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
5701{
5702 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
5703 uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);
5704
5705 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
5706 ssl_print_data("Ciphertext",in, inl);
5707
5708 if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))
5709 != (decoder->cipher_suite->kex == KEX_TLS130x23)) {
5710 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));
5711 return -1;
5712 }
5713
5714 /* ensure we have enough storage space for decrypted data */
5715 if (inl > out_str->data_len)
5716 {
5717 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
5718 inl + 32, out_str->data_len);
5719 ssl_data_realloc(out_str, inl + 32);
5720 }
5721
5722 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
5723 * a separate MAC, so use a different routine for simplicity. */
5724 if (decoder->cipher_suite->mode == MODE_GCM ||
5725 decoder->cipher_suite->mode == MODE_CCM ||
5726 decoder->cipher_suite->mode == MODE_CCM_8 ||
5727 decoder->cipher_suite->mode == MODE_POLY1305 ||
5728 ssl->session.version == TLSV1DOT3_VERSION0x304 ||
5729 ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {
5730
5731 if (!tls_decrypt_aead_record(allocator, ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
5732 /* decryption failed */
5733 return -1;
5734 }
5735
5736 goto skip_mac;
5737 }
5738
5739 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
5740 * (notation: { unencrypted, [ encrypted ] })
5741 * GenericStreamCipher: { [content, mac] }
5742 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
5743 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
5744 * GenericAEADCipher: { nonce_explicit, [content] }
5745 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
5746 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
5747 */
5748
5749 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;
5750
5751 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
5752 if (decoder->cipher_suite->mode == MODE_CBC) {
5753 unsigned blocksize = 0;
5754
5755 switch (ssl->session.version) {
5756 case TLSV1DOT1_VERSION0x302:
5757 case TLSV1DOT2_VERSION0x303:
5758 case DTLSV1DOT0_VERSION0xfeff:
5759 case DTLSV1DOT2_VERSION0xfefd:
5760 case DTLSV1DOT3_VERSION0xfefc:
5761 case DTLSV1DOT0_OPENSSL_VERSION0x100:
5762 case TLCPV1_VERSION0x101:
5763 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
5764 if (inl < blocksize) {
5765 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
5766 inl, blocksize);
5767 return -1;
5768 }
5769 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
5770 if (pad != 0) {
5771 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
5772 gcry_strsource (pad), gcry_strerror (pad));
5773 }
5774
5775 inl -= blocksize;
5776 in += blocksize;
5777 break;
5778 }
5779
5780 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5781 if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {
5782 /*
5783 * MAC is calculated over (IV + ) ENCRYPTED contents:
5784 *
5785 * MAC(MAC_write_key, ... +
5786 * IV + // for TLS 1.1 or greater
5787 * TLSCiphertext.enc_content);
5788 */
5789 if (inl < maclen) {
5790 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5791 G_STRFUNC((const char*) (__func__)), inl, maclen);
5792 return -1;
5793 }
5794 inl -= maclen;
5795 mac = (uint8_t *)in + inl;
5796 mac_frag = (uint8_t *)in - blocksize;
5797 mac_fraglen = blocksize + inl;
5798 }
5799 }
5800
5801 /* First decrypt*/
5802 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
5803 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
5804 gcry_strerror (pad));
5805 return -1;
5806 }
5807
5808 ssl_print_data("Plaintext", out_str->data, inl);
5809 worklen=inl;
5810
5811
5812 /* strip padding for GenericBlockCipher */
5813 if (decoder->cipher_suite->mode == MODE_CBC) {
5814 if (inl < 1) { /* Should this check happen earlier? */
5815 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
5816 return -1;
5817 }
5818 pad=out_str->data[inl-1];
5819 if (worklen <= pad) {
5820 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5821 pad, worklen);
5822 return -1;
5823 }
5824 worklen-=(pad+1);
5825 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5826 pad, worklen);
5827 }
5828
5829 /* MAC for GenericStreamCipher and GenericBlockCipher.
5830 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5831 if (!mac) {
5832 /*
5833 * MAC is calculated over the DECRYPTED contents:
5834 *
5835 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5836 */
5837 if (worklen < maclen) {
5838 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);
5839 return -1;
5840 }
5841 worklen -= maclen;
5842 mac = out_str->data + worklen;
5843 mac_frag = out_str->data;
5844 mac_fraglen = worklen;
5845 }
5846
5847 /* If NULL encryption active and no keys are available, do not bother
5848 * checking the MAC. We do not have keys for that. */
5849 if (decoder->cipher_suite->mode == MODE_STREAM &&
5850 decoder->cipher_suite->enc == ENC_NULL0x3D &&
5851 !(ssl->state & SSL_MASTER_SECRET(1<<5))) {
5852 ssl_debug_printf("MAC check skipped due to missing keys\n");
5853 decoder->seq++; // Increment this for display
5854 goto skip_mac;
5855 }
5856
5857 /* Now check the MAC */
5858 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",
5859 worklen, ssl->session.version, ct, decoder->seq);
5860 if(ssl->session.version==SSLV3_VERSION0x300){
5861 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
5862 if(ignore_mac_failed) {
5863 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5864 }
5865 else{
5866 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5867 return -1;
5868 }
5869 }
5870 else{
5871 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5872 }
5873 }
5874 else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){
5875 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
5876 if(ignore_mac_failed) {
5877 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5878 }
5879 else{
5880 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5881 return -1;
5882 }
5883 }
5884 else{
5885 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5886 }
5887 }
5888 else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||
5889 ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||
5890 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){
5891 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5892 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
5893 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5894 }
5895 else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {
5896 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5897 }
5898 else if(ignore_mac_failed) {
5899 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5900 }
5901 else{
5902 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5903 return -1;
5904 }
5905 }
5906skip_mac:
5907
5908 *outl = worklen;
5909
5910 if (decoder->compression > 0) {
5911 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
5912 ssl_data_copy(comp_str, out_str);
5913 ssl_print_data("Plaintext compressed", comp_str->data, worklen);
5914 if (!decoder->decomp) {
5915 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
5916 return -1;
5917 }
5918 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
5919 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
5920 *outl = uncomplen;
5921 }
5922
5923 return 0;
5924}
5925/* Record decryption glue based on security parameters }}} */
5926
5927
5928
5929#ifdef HAVE_LIBGNUTLS1
5930
5931/* RSA private key file processing {{{ */
5932static void
5933ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
5934 gnutls_datum_t *subjectPublicKeyInfo)
5935{
5936 gnutls_pubkey_t pubkey = NULL((void*)0);
5937 cert_key_id_t key_id;
5938 size_t key_id_len = sizeof(key_id);
5939 int r;
5940
5941 if (!subjectPublicKeyInfo->size) {
5942 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC((const char*) (__func__)));
5943 return;
5944 }
5945
5946 r = gnutls_pubkey_init(&pubkey);
5947 if (r < 0) {
5948 ssl_debug_printf("%s: failed to init pubkey: %s\n",
5949 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5950 return;
5951 }
5952
5953 r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
5954 if (r < 0) {
5955 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
5956 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5957 goto end;
5958 }
5959
5960 if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL((void*)0)) != GNUTLS_PK_RSA) {
5961 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC((const char*) (__func__)));
5962 goto end;
5963 }
5964
5965 /* Generate a 20-byte SHA-1 hash. */
5966 r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
5967 if (r < 0) {
5968 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
5969 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5970 goto end;
5971 }
5972
5973 if (key_id_len != sizeof(key_id)) {
5974 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
5975 G_STRFUNC((const char*) (__func__)), sizeof(key_id), key_id_len);
5976 goto end;
5977 }
5978
5979 ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
5980 ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t)((cert_key_id_t*)wmem_alloc((wmem_file_scope()), sizeof(cert_key_id_t
)));
5981 *ssl->cert_key_id = key_id;
5982
5983end:
5984 gnutls_pubkey_deinit(pubkey);
5985}
5986
5987/* RSA private key file processing }}} */
5988#endif /* HAVE_LIBGNUTLS */
5989
5990/*--- Start of dissector-related code below ---*/
5991
5992/* This is not a "protocol" but ensures that this gets called during
5993 * the handoff stage. */
5994void proto_reg_handoff_tls_utils(void);
5995
5996static dissector_handle_t base_tls_handle;
5997static dissector_handle_t dtls_handle;
5998
5999void
6000proto_reg_handoff_tls_utils(void)
6001{
6002 base_tls_handle = find_dissector("tls");
6003 dtls_handle = find_dissector("dtls");
6004}
6005
6006/* get ssl data for this session. if no ssl data is found allocate a new one*/
6007SslDecryptSession *
6008ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle)
6009{
6010 void *conv_data;
6011 SslDecryptSession *ssl_session;
6012 int proto_ssl;
6013
6014 /* Note proto_ssl is tls for either the main tls_handle or the
6015 * tls13_handshake handle used by QUIC. */
6016 proto_ssl = dissector_handle_get_protocol_index(tls_handle);
6017 conv_data = conversation_get_proto_data(conversation, proto_ssl);
6018 if (conv_data != NULL((void*)0))
6019 return (SslDecryptSession *)conv_data;
6020
6021 /* no previous SSL conversation info, initialize it. */
6022 ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession)((SslDecryptSession*)wmem_alloc0((wmem_file_scope()), sizeof(
SslDecryptSession)));
6023
6024 /* data_len is the part that is meaningful, not the allocated length */
6025 ssl_session->master_secret.data_len = 0;
6026 ssl_session->master_secret.data = ssl_session->_master_secret;
6027 ssl_session->session_id.data_len = 0;
6028 ssl_session->session_id.data = ssl_session->_session_id;
6029 ssl_session->client_random.data_len = 0;
6030 ssl_session->client_random.data = ssl_session->_client_random;
6031 ssl_session->server_random.data_len = 0;
6032 ssl_session->server_random.data = ssl_session->_server_random;
6033 ssl_session->session_ticket.data_len = 0;
6034 ssl_session->session_ticket.data = NULL((void*)0); /* will be re-alloced as needed */
6035 ssl_session->server_data_for_iv.data_len = 0;
6036 ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
6037 ssl_session->client_data_for_iv.data_len = 0;
6038 ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
6039 ssl_session->app_data_segment.data = NULL((void*)0);
6040 ssl_session->app_data_segment.data_len = 0;
6041 ssl_session->handshake_data.data=NULL((void*)0);
6042 ssl_session->handshake_data.data_len=0;
6043 ssl_session->ech_transcript.data=NULL((void*)0);
6044 ssl_session->ech_transcript.data_len=0;
6045
6046 /* Initialize parameters which are not necessary specific to decryption. */
6047 ssl_session->session.version = SSL_VER_UNKNOWN0;
6048 clear_address(&ssl_session->session.srv_addr);
6049 ssl_session->session.srv_ptype = PT_NONE;
6050 ssl_session->session.srv_port = 0;
6051 ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
6052 ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
6053 ssl_session->session.client_random.data_len = 0;
6054 ssl_session->session.client_random.data = ssl_session->session._client_random;
6055 memset(ssl_session->session.ech_confirmation, 0, sizeof(ssl_session->session.ech_confirmation));
6056 memset(ssl_session->session.hrr_ech_confirmation, 0, sizeof(ssl_session->session.hrr_ech_confirmation));
6057 memset(ssl_session->session.first_ech_auth_tag, 0, sizeof(ssl_session->session.first_ech_auth_tag));
6058 ssl_session->session.ech = false0;
6059 ssl_session->session.hrr_ech_declined = false0;
6060 ssl_session->session.first_ch_ech_frame = 0;
6061
6062 /* We want to increment the stream count for the normal tls handle and
6063 * dtls handle, but presumably not for the tls13_handshake handle used
6064 * by QUIC (it has its own Follow Stream handling, and the QUIC stream
6065 * doesn't get sent to the TLS follow tap.)
6066 */
6067 if (tls_handle == base_tls_handle) {
6068 ssl_session->session.stream = tls_increment_stream_count();
6069 } else if (tls_handle == dtls_handle) {
6070 ssl_session->session.stream = dtls_increment_stream_count();
6071 }
6072
6073 conversation_add_proto_data(conversation, proto_ssl, ssl_session);
6074 return ssl_session;
6075}
6076
6077void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool_Bool is_client)
6078{
6079 if (ssl) {
6080 /* Ensure that secrets are not restored using stale identifiers. Split
6081 * between client and server in case the packets somehow got out of order. */
6082 int clear_flags = SSL_HAVE_SESSION_KEY(1<<3) | SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
6083
6084 if (is_client) {
6085 clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
6086 ssl->session_id.data_len = 0;
6087 ssl->session_ticket.data_len = 0;
6088 ssl->master_secret.data_len = 0;
6089 ssl->client_random.data_len = 0;
6090 ssl->has_early_data = false0;
6091 if (ssl->handshake_data.data_len > 0) {
6092 // The EMS handshake hash starts with at the Client Hello,
6093 // ensure that any messages before it are forgotten.
6094 wmem_free(wmem_file_scope(), ssl->handshake_data.data);
6095 ssl->handshake_data.data = NULL((void*)0);
6096 ssl->handshake_data.data_len = 0;
6097 }
6098 } else {
6099 clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8) | SSL_NEW_SESSION_TICKET(1<<10);
6100 ssl->server_random.data_len = 0;
6101 ssl->pre_master_secret.data_len = 0;
6102#ifdef HAVE_LIBGNUTLS1
6103 ssl->cert_key_id = NULL((void*)0);
6104#endif
6105 ssl->psk.data_len = 0;
6106 }
6107
6108 if (ssl->state & clear_flags) {
6109 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
6110 G_STRFUNC((const char*) (__func__)), ssl->state & clear_flags, is_client ? "client" : "server");
6111 ssl->state &= ~clear_flags;
6112 }
6113 }
6114
6115 /* These flags might be used for non-decryption purposes and may affect the
6116 * dissection, so reset them as well. */
6117 if (is_client) {
6118 session->client_cert_type = 0;
6119 } else {
6120 session->compression = 0;
6121 session->server_cert_type = 0;
6122 /* session->is_session_resumed is already handled in the ServerHello dissection. */
6123 }
6124 session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
6125 session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
6126}
6127
6128void
6129tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
6130 dissector_handle_t app_handle)
6131{
6132 conversation_t *conversation;
6133 SslSession *session;
6134
6135 /* Ignore if the TLS or other dissector is disabled. */
6136 if (!tls_handle || !app_handle)
6137 return;
6138
6139 conversation = find_or_create_conversation(pinfo);
6140 session = &ssl_get_session(conversation, tls_handle)->session;
6141 session->app_handle = app_handle;
6142}
6143
6144static uint32_t
6145ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
6146 dissector_handle_t app_handle, uint32_t last_nontls_frame)
6147{
6148 conversation_t *conversation;
6149 SslSession *session;
6150
6151 /* Ignore if the TLS dissector is disabled. */
6152 if (!tls_handle)
6153 return 0;
6154 /* The caller should always pass a valid handle to its own dissector. */
6155 DISSECTOR_ASSERT(app_handle)((void) ((app_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6155, "app_handle"))));
6156
6157 conversation = find_or_create_conversation(pinfo);
6158 session = &ssl_get_session(conversation, tls_handle)->session;
6159
6160 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6161 session->last_nontls_frame,
6162 (void *)session->app_handle,
6163 dissector_handle_get_dissector_name(session->app_handle));
6164 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6165 pinfo->num, (void *)app_handle,
6166 dissector_handle_get_dissector_name(app_handle));
6167
6168 /* Do not switch again if a dissector did it before. */
6169 if (session->last_nontls_frame) {
6170 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC((const char*) (__func__)));
6171 return session->last_nontls_frame;
6172 }
6173
6174 session->app_handle = app_handle;
6175 /* The TLS dissector should be called first for this conversation. */
6176 conversation_set_dissector(conversation, tls_handle);
6177 /* TLS starts after this frame. */
6178 session->last_nontls_frame = last_nontls_frame;
6179 return 0;
6180}
6181
6182/* ssl_starttls_ack: mark future frames as encrypted. */
6183uint32_t
6184ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6185 dissector_handle_t app_handle)
6186{
6187 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);
6188}
6189
6190uint32_t
6191ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6192 dissector_handle_t app_handle)
6193{
6194 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);
6195}
6196
6197dissector_handle_t
6198ssl_find_appdata_dissector(const char *name)
6199{
6200 /* Accept 'http' for backwards compatibility and sanity. */
6201 if (!strcmp(name, "http"))
6202 name = "http-over-tls";
6203 /* XXX - Should this check to see if the dissector is actually added for
6204 * Decode As in the appropriate table?
6205 */
6206 return find_dissector(name);
6207}
6208
6209/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
6210static int
6211ssl_equal (const void *v, const void *v2)
6212{
6213 const StringInfo *val1;
6214 const StringInfo *val2;
6215 val1 = (const StringInfo *)v;
6216 val2 = (const StringInfo *)v2;
6217
6218 if (val1->data_len == val2->data_len &&
6219 !memcmp(val1->data, val2->data, val2->data_len)) {
6220 return 1;
6221 }
6222 return 0;
6223}
6224
6225static unsigned
6226ssl_hash (const void *v)
6227{
6228 unsigned l,hash;
6229 const StringInfo* id;
6230 const unsigned* cur;
6231 hash = 0;
6232 id = (const StringInfo*) v;
6233
6234 /* id and id->data are mallocated in ssl_save_master_key(). As such 'data'
6235 * should be aligned for any kind of access (for example as a unsigned as
6236 * is done below). The intermediate void* cast is to prevent "cast
6237 * increases required alignment of target type" warnings on CPUs (such
6238 * as SPARCs) that do not allow misaligned memory accesses.
6239 */
6240 cur = (const unsigned*)(void*) id->data;
6241
6242 for (l=4; (l < id->data_len); l+=4, cur++)
6243 hash = hash ^ (*cur);
6244
6245 return hash;
6246}
6247/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6248
6249/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6250void
6251ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6252{
6253 DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6253, "main_handle"))));
6254 DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6254, "subdissector_handle"))));
6255 /* Registration is required for Export PDU feature to work properly. */
6256 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6257, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
6257 "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6257, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))));
6258 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);
6259
6260 if (port) {
6261 dissector_add_uint(dissector_table_name, port, subdissector_handle);
6262 if (tcp)
6263 dissector_add_uint("tcp.port", port, main_handle);
6264 else
6265 dissector_add_uint("udp.port", port, main_handle);
6266 dissector_add_uint("sctp.port", port, main_handle);
6267 } else {
6268 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
6269 }
6270}
6271
6272void
6273ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6274{
6275 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
6276 tcp?"TCP":"UDP", port, (void *)subdissector_handle);
6277 if (main_handle) {
6278 dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);
6279 dissector_delete_uint("sctp.port", port, main_handle);
6280 }
6281
6282 if (port) {
6283 dissector_delete_uint(dissector_table_name, port, subdissector_handle);
6284 }
6285}
6286
6287void
6288ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
6289{
6290 copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
6291 session->srv_ptype = ptype;
6292 session->srv_port = port;
6293}
6294
6295int
6296ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
6297{
6298 int ret;
6299 if (session && session->srv_addr.type != AT_NONE) {
6300 ret = (session->srv_ptype == pinfo->ptype) &&
6301 (session->srv_port == pinfo->srcport) &&
6302 addresses_equal(&session->srv_addr, &pinfo->src);
6303 } else {
6304 ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);
6305 }
6306
6307 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");
6308 return ret;
6309}
6310/* Handling of association between tls/dtls ports and clear text protocol. }}} */
6311
6312
6313/* Links SSL records with the real packet data. {{{ */
6314SslPacketInfo *
6315tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
6316{
6317 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6318 if (!pi) {
6319 pi = wmem_new0(wmem_file_scope(), SslPacketInfo)((SslPacketInfo*)wmem_alloc0((wmem_file_scope()), sizeof(SslPacketInfo
)));
6320 pi->srcport = pinfo->srcport;
6321 pi->destport = pinfo->destport;
6322 p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
6323 }
6324
6325 return pi;
6326}
6327
6328/**
6329 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
6330 * avoid the need for a decoder in the second pass. Additionally, it remembers
6331 * sequence numbers (for reassembly and Follow TLS Stream).
6332 *
6333 * @param proto The protocol identifier (proto_ssl or proto_dtls).
6334 * @param pinfo The packet where the record originates from.
6335 * @param data Decrypted data to store in the record.
6336 * @param data_len Length of decrypted record data.
6337 * @param record_id The identifier for this record within the current packet.
6338 * @param flow Information about sequence numbers, etc.
6339 * @param type TLS Content Type (such as handshake or application_data).
6340 * @param curr_layer_num_ssl The layer identifier for this TLS session.
6341 */
6342void
6343ssl_add_record_info(int proto, packet_info *pinfo, const unsigned char *data, int data_len, int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl, uint64_t record_seq)
6344{
6345 SslRecordInfo* rec, **prec;
6346 SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);
6347
6348 rec = wmem_new(wmem_file_scope(), SslRecordInfo)((SslRecordInfo*)wmem_alloc((wmem_file_scope()), sizeof(SslRecordInfo
)));
6349 rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), data, data_len);
6350 rec->data_len = data_len;
6351 rec->id = record_id;
6352 rec->type = type;
6353 rec->next = NULL((void*)0);
6354 rec->record_seq = record_seq;
6355
6356 if (flow && type == SSL_ID_APP_DATA) {
6357 rec->seq = flow->byte_seq;
6358 rec->flow = flow;
6359 flow->byte_seq += data_len;
6360 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
6361 G_STRFUNC((const char*) (__func__)), rec->seq, rec->seq + data_len, (void*)flow);
6362 }
6363
6364 /* Remember decrypted records. */
6365 prec = &pi->records;
6366 while (*prec) prec = &(*prec)->next;
6367 *prec = rec;
6368}
6369
6370/* search in packet data for the specified id; return a newly created tvb for the associated data */
6371tvbuff_t*
6372ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
6373{
6374 SslRecordInfo* rec;
6375 SslPacketInfo* pi;
6376 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6377
6378 if (!pi)
6379 return NULL((void*)0);
6380
6381 for (rec = pi->records; rec; rec = rec->next)
6382 if (rec->id == record_id) {
6383 *matched_record = rec;
6384 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
6385 return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->data_len, rec->data_len);
6386 }
6387
6388 return NULL((void*)0);
6389}
6390/* Links SSL records with the real packet data. }}} */
6391
6392/* initialize/reset per capture state data (ssl sessions cache). {{{ */
6393void
6394ssl_common_init(ssl_master_key_map_t *mk_map,
6395 StringInfo *decrypted_data, StringInfo *compressed_data)
6396{
6397 mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);
6398 mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);
6399 mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);
6400 mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);
6401 mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);
6402 mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);
6403 mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6404 mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6405 mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6406 mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6407 mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6408 mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6409
6410 mk_map->ech_secret = g_hash_table_new(ssl_hash, ssl_equal);
6411 mk_map->ech_config = g_hash_table_new(ssl_hash, ssl_equal);
6412
6413 mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);
6414
6415 ssl_data_alloc(decrypted_data, 32);
6416 ssl_data_alloc(compressed_data, 32);
6417}
6418
6419void
6420ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
6421 StringInfo *decrypted_data, StringInfo *compressed_data)
6422{
6423 g_hash_table_destroy(mk_map->session);
6424 g_hash_table_destroy(mk_map->tickets);
6425 g_hash_table_destroy(mk_map->crandom);
6426 g_hash_table_destroy(mk_map->pre_master);
6427 g_hash_table_destroy(mk_map->pms);
6428 g_hash_table_destroy(mk_map->tls13_client_early);
6429 g_hash_table_destroy(mk_map->tls13_client_handshake);
6430 g_hash_table_destroy(mk_map->tls13_server_handshake);
6431 g_hash_table_destroy(mk_map->tls13_client_appdata);
6432 g_hash_table_destroy(mk_map->tls13_server_appdata);
6433 g_hash_table_destroy(mk_map->tls13_early_exporter);
6434 g_hash_table_destroy(mk_map->tls13_exporter);
6435
6436 g_hash_table_destroy(mk_map->ech_secret);
6437 g_hash_table_destroy(mk_map->ech_config);
6438
6439 g_hash_table_destroy(mk_map->used_crandom);
6440
6441 g_free(decrypted_data->data);
6442 g_free(compressed_data->data);
6443
6444 /* close the previous keylog file now that the cache are cleared, this
6445 * allows the cache to be filled with the full keylog file contents. */
6446 if (*ssl_keylog_file) {
6447 fclose(*ssl_keylog_file);
6448 *ssl_keylog_file = NULL((void*)0);
6449 }
6450}
6451/* }}} */
6452
6453/* parse ssl related preferences (private keys and ports association strings) */
6454#if defined(HAVE_LIBGNUTLS1)
6455/* Load a single RSA key file item from preferences. {{{ */
6456void
6457ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool_Bool tcp)
6458{
6459 gnutls_x509_privkey_t x509_priv_key;
6460 gnutls_privkey_t priv_key = NULL((void*)0);
6461 FILE* fp = NULL((void*)0);
6462 int ret;
6463 size_t key_id_len = 20;
6464 unsigned char *key_id = NULL((void*)0);
6465 char *err = NULL((void*)0);
6466 dissector_handle_t handle;
6467 /* try to load keys file first */
6468 fp = ws_fopenfopen(uats->keyfile, "rb");
6469 if (!fp) {
6470 report_open_failure(uats->keyfile, errno(*__errno_location ()), false0);
6471 return;
6472 }
6473
6474 if ((int)strlen(uats->password) == 0) {
6475 x509_priv_key = rsa_load_pem_key(fp, &err);
6476 } else {
6477 x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
6478 }
6479 fclose(fp);
6480
6481 if (!x509_priv_key) {
6482 if (err) {
6483 report_failure("Can't load private key from %s: %s",
6484 uats->keyfile, err);
6485 g_free(err);
6486 } else
6487 report_failure("Can't load private key from %s: unknown error",
6488 uats->keyfile);
6489 return;
6490 }
6491 if (err) {
6492 report_failure("Load of private key from %s \"succeeded\" with error %s",
6493 uats->keyfile, err);
6494 g_free(err);
6495 }
6496
6497 gnutls_privkey_init(&priv_key);
6498 ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
6499 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
6500 if (ret < 0) {
6501 report_failure("Can't convert private key %s: %s",
6502 uats->keyfile, gnutls_strerror(ret));
6503 goto end;
6504 }
6505
6506 key_id = (unsigned char *) g_malloc0(key_id_len);
6507 ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
6508 if (ret < 0) {
6509 report_failure("Can't calculate public key ID for %s: %s",
6510 uats->keyfile, gnutls_strerror(ret));
6511 goto end;
6512 }
6513 ssl_print_data("KeyID", key_id, key_id_len);
6514 if (key_id_len != 20) {
6515 report_failure("Expected Key ID size %u for %s, got %zu", 20,
6516 uats->keyfile, key_id_len);
6517 goto end;
6518 }
6519
6520 g_hash_table_replace(key_hash, key_id, priv_key);
6521 key_id = NULL((void*)0); /* used in key_hash, do not free. */
6522 priv_key = NULL((void*)0);
6523 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);
6524
6525 handle = ssl_find_appdata_dissector(uats->protocol);
6526 if (handle) {
6527 /* Port to subprotocol mapping */
6528 uint16_t port = 0;
6529 if (ws_strtou16(uats->port, NULL((void*)0), &port)) {
6530 if (port > 0) {
6531 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
6532 port, uats->keyfile, uats->password);
6533
6534 ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
6535 }
6536 } else {
6537 if (strcmp(uats->port, "start_tls"))
6538 ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
6539 }
6540 }
6541
6542end:
6543 gnutls_x509_privkey_deinit(x509_priv_key);
6544 gnutls_privkey_deinit(priv_key);
6545 g_free(key_id);
6546}
6547/* }}} */
6548#endif
6549
6550
6551/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6552/** store a known (pre-)master secret into cache */
6553static void
6554ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
6555 StringInfo *mk)
6556{
6557 StringInfo *ht_key, *master_secret;
6558
6559 if (key->data_len == 0) {
6560 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC((const char*) (__func__)), label);
6561 return;
6562 }
6563
6564 if (mk->data_len == 0) {
6565 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
6566 G_STRFUNC((const char*) (__func__)), label);
6567 return;
6568 }
6569
6570 /* ssl_hash() depends on session_ticket->data being aligned for unsigned access
6571 * so be careful in changing how it is allocated. */
6572 ht_key = ssl_data_clone(key);
6573 master_secret = ssl_data_clone(mk);
6574 g_hash_table_insert(ht, ht_key, master_secret);
6575
6576 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC((const char*) (__func__)), label);
6577 ssl_print_string("stored key", ht_key);
6578 ssl_print_string("stored (pre-)master secret", master_secret);
6579}
6580
6581/** restore a (pre-)master secret given some key in the cache */
6582static bool_Bool
6583ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
6584 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key)
6585{
6586 StringInfo *ms;
6587
6588 if (key->data_len == 0) {
6589 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
6590 G_STRFUNC((const char*) (__func__)), is_pre_master ? "pre-" : "", label);
6591 return false0;
6592 }
6593
6594 ms = (StringInfo *)g_hash_table_lookup(ht, key);
6595 if (!ms) {
6596 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC((const char*) (__func__)),
6597 is_pre_master ? "pre-" : "", label);
6598 return false0;
6599 }
6600
6601 /* (pre)master secret found, clear knowledge of other keys and set it in the
6602 * current conversation */
6603 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) |
6604 SSL_HAVE_SESSION_KEY(1<<3));
6605 if (is_pre_master) {
6606 /* unlike master secret, pre-master secret has a variable size (48 for
6607 * RSA, varying for PSK) and is therefore not statically allocated */
6608 ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
6609 ms->data_len);
6610 ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
6611 ssl->state |= SSL_PRE_MASTER_SECRET(1<<6);
6612 } else {
6613 ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
6614 ssl->state |= SSL_MASTER_SECRET(1<<5);
6615 }
6616 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC((const char*) (__func__)),
6617 is_pre_master ? "pre-" : "", label);
6618 ssl_print_string(label, key);
6619 ssl_print_string("(pre-)master secret", ms);
6620 return true1;
6621}
6622/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6623
6624/* Should be called when all parameters are ready (after ChangeCipherSpec), and
6625 * the decoder should be attempted to be initialized. {{{*/
6626void
6627ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6628{
6629 if (ssl->session.version == TLSV1DOT3_VERSION0x304) {
1
Assuming field 'version' is not equal to TLSV1DOT3_VERSION
2
Taking false branch
6630 /* TLS 1.3 implementations only provide secrets derived from the master
6631 * secret which are loaded in tls13_change_key. No master secrets can be
6632 * loaded here, so just return. */
6633 return;
6634 }
6635 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6636 if (ssl->state & SSL_HAVE_SESSION_KEY(1<<3)) {
3
Assuming the condition is false
4
Taking false branch
6637 ssl_debug_printf(" session key already available, nothing to do.\n");
6638 return;
6639 }
6640 if (!(ssl->state & SSL_CIPHER(1<<2))) {
5
Assuming the condition is false
6641 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
6642 return;
6643 }
6644
6645 /* for decryption, there needs to be a master secret (which can be derived
6646 * from pre-master secret). If missing, try to pick a master key from cache
6647 * (an earlier packet in the capture or key logfile). */
6648 if (!(ssl->state & (SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6))) &&
6
Assuming the condition is false
6649 !ssl_restore_master_key(ssl, "Session ID", false0,
6650 mk_map->session, &ssl->session_id) &&
6651 (!ssl->session.is_session_resumed ||
6652 !ssl_restore_master_key(ssl, "Session Ticket", false0,
6653 mk_map->tickets, &ssl->session_ticket)) &&
6654 !ssl_restore_master_key(ssl, "Client Random", false0,
6655 mk_map->crandom, &ssl->client_random)) {
6656 if (ssl->cipher_suite->enc != ENC_NULL0x3D) {
6657 /* how unfortunate, the master secret could not be found */
6658 ssl_debug_printf(" Cannot find master secret\n");
6659 return;
6660 } else {
6661 ssl_debug_printf(" Cannot find master secret, continuing anyway "
6662 "because of a NULL cipher\n");
6663 }
6664 }
6665
6666 if (ssl_generate_keyring_material(ssl) < 0) {
7
Calling 'ssl_generate_keyring_material'
6667 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC((const char*) (__func__)));
6668 return;
6669 }
6670 /* Save Client Random/ Session ID for "SSL Export Session keys" */
6671 ssl_save_master_key("Client Random", mk_map->crandom,
6672 &ssl->client_random, &ssl->master_secret);
6673 ssl_save_master_key("Session ID", mk_map->session,
6674 &ssl->session_id, &ssl->master_secret);
6675 /* Only save the new secrets if the server sent the ticket. The client
6676 * ticket might have become stale. */
6677 if (ssl->state & SSL_NEW_SESSION_TICKET(1<<10)) {
6678 ssl_save_master_key("Session Ticket", mk_map->tickets,
6679 &ssl->session_ticket, &ssl->master_secret);
6680 }
6681} /* }}} */
6682
6683/* Load the traffic key secret from the keylog file. */
6684StringInfo *
6685tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6686 bool_Bool is_from_server, TLSRecordType type)
6687{
6688 GHashTable *key_map;
6689 const char *label;
6690
6691 if (ssl->session.version != TLSV1DOT3_VERSION0x304 && ssl->session.version != DTLSV1DOT3_VERSION0xfefc) {
6692 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC((const char*) (__func__)), ssl->session.version);
6693 return NULL((void*)0);
6694 }
6695
6696 if (ssl->client_random.data_len == 0) {
6697 /* May happen if Hello message is missing and Finished is found. */
6698 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
6699 return NULL((void*)0);
6700 }
6701
6702 switch (type) {
6703 case TLS_SECRET_0RTT_APP:
6704 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6704, "!is_from_server"))));
6705 label = "CLIENT_EARLY_TRAFFIC_SECRET";
6706 key_map = mk_map->tls13_client_early;
6707 break;
6708 case TLS_SECRET_HANDSHAKE:
6709 if (is_from_server) {
6710 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
6711 key_map = mk_map->tls13_server_handshake;
6712 } else {
6713 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
6714 key_map = mk_map->tls13_client_handshake;
6715 }
6716 break;
6717 case TLS_SECRET_APP:
6718 if (is_from_server) {
6719 label = "SERVER_TRAFFIC_SECRET_0";
6720 key_map = mk_map->tls13_server_appdata;
6721 } else {
6722 label = "CLIENT_TRAFFIC_SECRET_0";
6723 key_map = mk_map->tls13_client_appdata;
6724 }
6725 break;
6726 default:
6727 ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c"
, 6727, __func__, "assertion \"not reached\" failed");
6728 }
6729
6730 /* Transitioning to new keys, mark old ones as unusable. */
6731 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6732 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) | SSL_HAVE_SESSION_KEY(1<<3));
6733
6734 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
6735 if (!secret) {
6736 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC((const char*) (__func__)), label);
6737 /* Disable decryption, the keys are invalid. */
6738 if (is_from_server) {
6739 ssl->server = NULL((void*)0);
6740 } else {
6741 ssl->client = NULL((void*)0);
6742 }
6743 return NULL((void*)0);
6744 }
6745
6746 /* TLS 1.3 secret found, set new keys. */
6747 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC((const char*) (__func__)));
6748 ssl_print_string("Client Random", &ssl->client_random);
6749 ssl_print_string(label, secret);
6750 return secret;
6751}
6752
6753/* Load the new key. */
6754void
6755tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6756 bool_Bool is_from_server, TLSRecordType type)
6757{
6758 if (ssl->state & SSL_QUIC_RECORD_LAYER(1<<13)) {
6759 /*
6760 * QUIC does not use the TLS record layer for message protection.
6761 * The required keys will be extracted later by QUIC.
6762 */
6763 return;
6764 }
6765
6766 StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6767 if (!secret) {
6768 if (type != TLS_SECRET_HANDSHAKE) {
6769 return;
6770 }
6771 /*
6772 * Workaround for when for some reason we don't have the handshake
6773 * secret but do have the application traffic secret. (#20240)
6774 * If we can't find the handshake secret, we'll never decrypt the
6775 * Finished message, so we won't know when to change to the app
6776 * traffic key, so we do so now.
6777 */
6778 type = TLS_SECRET_APP;
6779 secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6780 if (!secret) {
6781 return;
6782 }
6783 }
6784
6785 if (tls13_generate_keys(ssl, secret, is_from_server)) {
6786 /*
6787 * Remember the application traffic secret to support Key Update. The
6788 * other secrets cannot be used for this purpose, so free them.
6789 */
6790 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6791 StringInfo *app_secret = &decoder->app_traffic_secret;
6792 if (type == TLS_SECRET_APP) {
6793 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6794 app_secret->data,
6795 secret->data_len);
6796 ssl_data_set(app_secret, secret->data, secret->data_len);
6797 } else {
6798 wmem_free(wmem_file_scope(), app_secret->data);
6799 app_secret->data = NULL((void*)0);
6800 app_secret->data_len = 0;
6801 }
6802 }
6803}
6804
6805/**
6806 * Update to next application data traffic secret for TLS 1.3. The previous
6807 * secret should have been set by tls13_change_key.
6808 */
6809void
6810tls13_key_update(SslDecryptSession *ssl, bool_Bool is_from_server)
6811{
6812 /* RFC 8446 Section 7.2:
6813 * application_traffic_secret_N+1 =
6814 * HKDF-Expand-Label(application_traffic_secret_N,
6815 * "traffic upd", "", Hash.length)
6816 *
6817 * Both application_traffic_secret_N are of the same length (Hash.length).
6818 */
6819 const SslCipherSuite *cipher_suite = ssl->cipher_suite;
6820 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6821 StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL((void*)0);
6822 uint8_t tls13_draft_version = ssl->session.tls13_draft_version;
6823
6824 if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
6825 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC((const char*) (__func__)));
6826 return;
6827 }
6828
6829 /*
6830 * Previous traffic secret is available, so find the hash function,
6831 * expand the new traffic secret and generate new keys.
6832 */
6833 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
6834 int hash_algo = ssl_get_digest_by_name(hash_name);
6835 const unsigned hash_len = app_secret->data_len;
6836 unsigned char *new_secret;
6837 const char *label = "traffic upd";
6838 if (tls13_draft_version && tls13_draft_version < 20) {
6839 label = "application traffic secret";
6840 }
6841 if (!tls13_hkdf_expand_label(hash_algo, app_secret,
6842 tls13_hkdf_label_prefix(ssl),
6843 label, hash_len, &new_secret)) {
6844 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC((const char*) (__func__)));
6845 return;
6846 }
6847 ssl_data_set(app_secret, new_secret, hash_len);
6848 if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
6849 /*
6850 * Remember the application traffic secret on the new decoder to
6851 * support another Key Update.
6852 */
6853 decoder = is_from_server ? ssl->server : ssl->client;
6854 app_secret = &decoder->app_traffic_secret;
6855 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6856 app_secret->data,
6857 hash_len);
6858 ssl_data_set(app_secret, new_secret, hash_len);
6859 }
6860 wmem_free(NULL((void*)0), new_secret);
6861}
6862
6863void
6864tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6865{
6866 if (ssl && (ssl->state & SSL_CLIENT_RANDOM(1<<0))) {
6867 g_hash_table_add(mk_map->used_crandom, ssl_data_clone(&ssl->client_random));
6868 }
6869}
6870
6871/** SSL keylog file handling. {{{ */
6872
6873static GRegex *
6874ssl_compile_keyfile_regex(void)
6875{
6876#define OCTET "(?:[[:xdigit:]]{2})"
6877 const char *pattern =
6878 "(?:"
6879 /* Matches Client Hellos having this Client Random */
6880 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
6881 /* Matches first part of encrypted RSA pre-master secret */
6882 "|RSA (?<encrypted_pmk>" OCTET "{8}) "
6883 /* Pre-Master-Secret is given, it is 48 bytes for RSA,
6884 but it can be of any length for DHE */
6885 ")(?<pms>" OCTET "+)"
6886 "|(?:"
6887 /* Matches Server Hellos having a Session ID */
6888 "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
6889 /* Matches Client Hellos having this Client Random */
6890 "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
6891 /* Master-Secret is given, its length is fixed */
6892 ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH)"48" "})"
6893 "|(?"
6894 /* TLS 1.3 Client Random to Derived Secrets mapping. */
6895 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
6896 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
6897 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
6898 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
6899 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
6900 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
6901 "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
6902 /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
6903 /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
6904 "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
6905 "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
6906 ") (?<derived_secret>" OCTET "+)";
6907#undef OCTET
6908 static GRegex *regex = NULL((void*)0);
6909 GError *gerr = NULL((void*)0);
6910
6911 if (!regex) {
6912 regex = g_regex_new(pattern,
6913 (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
6914 G_REGEX_MATCH_ANCHORED, &gerr);
6915 if (gerr) {
6916 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC((const char*) (__func__)),
6917 gerr->message);
6918 g_error_free(gerr);
6919 regex = NULL((void*)0);
6920 }
6921 }
6922
6923 return regex;
6924}
6925
6926typedef struct ssl_master_key_match_group {
6927 const char *re_group_name;
6928 GHashTable *master_key_ht;
6929} ssl_master_key_match_group_t;
6930
6931void
6932tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
6933{
6934 ssl_master_key_match_group_t mk_groups[] = {
6935 { "encrypted_pmk", mk_map->pre_master },
6936 { "session_id", mk_map->session },
6937 { "client_random", mk_map->crandom },
6938 { "client_random_pms", mk_map->pms },
6939 /* TLS 1.3 map from Client Random to derived secret. */
6940 { "client_early", mk_map->tls13_client_early },
6941 { "client_handshake", mk_map->tls13_client_handshake },
6942 { "server_handshake", mk_map->tls13_server_handshake },
6943 { "client_appdata", mk_map->tls13_client_appdata },
6944 { "server_appdata", mk_map->tls13_server_appdata },
6945 { "early_exporter", mk_map->tls13_early_exporter },
6946 { "exporter", mk_map->tls13_exporter },
6947 { "ech_secret", mk_map->ech_secret },
6948 { "ech_config", mk_map->ech_config },
6949 };
6950
6951 /* The format of the file is a series of records with one of the following formats:
6952 * - "RSA xxxx yyyy"
6953 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
6954 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6955 * (this is the original format introduced with bug 4349)
6956 *
6957 * - "RSA Session-ID:xxxx Master-Key:yyyy"
6958 * Where xxxx is the SSL session ID (hex-encoded)
6959 * Where yyyy is the cleartext master secret (hex-encoded)
6960 * (added to support openssl s_client Master-Key output)
6961 * This is somewhat is a misnomer because there's nothing RSA specific
6962 * about this.
6963 *
6964 * - "PMS_CLIENT_RANDOM xxxx yyyy"
6965 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6966 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6967 * (This format allows SSL connections to be decrypted, if a user can
6968 * capture the PMS but could not recover the MS for a specific session
6969 * with a SSL Server.)
6970 *
6971 * - "CLIENT_RANDOM xxxx yyyy"
6972 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6973 * Where yyyy is the cleartext master secret (hex-encoded)
6974 * (This format allows non-RSA SSL connections to be decrypted, i.e.
6975 * ECDHE-RSA.)
6976 *
6977 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
6978 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
6979 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
6980 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
6981 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
6982 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
6983 * - "EXPORTER_SECRET xxxx yyyy"
6984 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6985 * Where yyyy is the secret (hex-encoded) derived from the early,
6986 * handshake or master secrets. (This format is introduced with TLS 1.3
6987 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
6988 */
6989 GRegex *regex = ssl_compile_keyfile_regex();
6990 if (!regex)
6991 return;
6992
6993 const char *next_line = (const char *)data;
6994 const char *line_end = next_line + datalen;
6995 while (next_line && next_line < line_end) {
6996 const char *line = next_line;
6997 next_line = (const char *)memchr(line, '\n', line_end - line);
6998 ssize_t linelen;
6999
7000 if (next_line) {
7001 linelen = next_line - line;
7002 next_line++; /* drop LF */
7003 } else {
7004 linelen = (ssize_t)(line_end - line);
7005 }
7006 if (linelen > 0 && line[linelen - 1] == '\r') {
7007 linelen--; /* drop CR */
7008 }
7009
7010 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
7011 GMatchInfo *mi;
7012 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {
7013 char *hex_key, *hex_pre_ms_or_ms;
7014 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7015 StringInfo *pre_ms_or_ms = NULL((void*)0);
7016 GHashTable *ht = NULL((void*)0);
7017
7018 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
7019 * otherwise we will use the Master Secret
7020 */
7021 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
7022 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7023 g_free(hex_pre_ms_or_ms);
7024 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
7025 }
7026 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7027 g_free(hex_pre_ms_or_ms);
7028 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
7029 }
7030 /* There is always a match, otherwise the regex is wrong. */
7031 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7031, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))));
7032
7033 /* convert from hex to bytes and save to hashtable */
7034 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7035 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
7036 g_free(hex_pre_ms_or_ms);
7037
7038 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
7039 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {
7040 ssl_master_key_match_group_t *g = &mk_groups[i];
7041 hex_key = g_match_info_fetch_named(mi, g->re_group_name);
7042 if (hex_key && *hex_key) {
7043 ssl_debug_printf(" matched %s\n", g->re_group_name);
7044 ht = g->master_key_ht;
7045 from_hex(key, hex_key, strlen(hex_key));
7046 g_free(hex_key);
7047 break;
7048 }
7049 g_free(hex_key);
7050 }
7051 DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7051, "ht")))); /* Cannot be reached, or regex is wrong. */
7052
7053 g_hash_table_insert(ht, key, pre_ms_or_ms);
7054
7055 } else if (linelen > 0 && line[0] != '#') {
7056 ssl_debug_printf(" unrecognized line\n");
7057 }
7058 /* always free match info even if there is no match. */
7059 g_match_info_free(mi);
7060 }
7061}
7062
7063void
7064ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
7065 const ssl_master_key_map_t *mk_map)
7066{
7067 /* no need to try if no key log file is configured. */
7068 if (!tls_keylog_filename || !*tls_keylog_filename) {
7069 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
7070 G_STRFUNC((const char*) (__func__)));
7071 return;
7072 }
7073
7074 /* Validate regexes before even trying to use it. */
7075 if (!ssl_compile_keyfile_regex()) {
7076 return;
7077 }
7078
7079 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);
7080
7081 /* if the keylog file was deleted/overwritten, re-open it */
7082 if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {
7083 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));
7084 fclose(*keylog_file);
7085 *keylog_file = NULL((void*)0);
7086 }
7087
7088 if (*keylog_file == NULL((void*)0)) {
7089 *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");
7090 if (!*keylog_file) {
7091 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));
7092 return;
7093 }
7094 }
7095
7096 for (;;) {
7097 char buf[1110], *line;
7098 line = fgets(buf, sizeof(buf), *keylog_file);
7099 if (!line) {
7100 if (feof(*keylog_file)) {
7101 /* Ensure that newly appended keys can be read in the future. */
7102 clearerr(*keylog_file);
7103 } else if (ferror(*keylog_file)) {
7104 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));
7105 fclose(*keylog_file);
7106 *keylog_file = NULL((void*)0);
7107 }
7108 break;
7109 }
7110 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
7111 }
7112}
7113/** SSL keylog file handling. }}} */
7114
7115#ifdef SSL_DECRYPT_DEBUG /* {{{ */
7116
7117static FILE* ssl_debug_file;
7118
7119void
7120ssl_set_debug(const char* name)
7121{
7122 static int debug_file_must_be_closed;
7123 int use_stderr;
7124
7125 use_stderr = name?(strcmp(name, SSL_DEBUG_USE_STDERR"-") == 0):0;
7126
7127 if (debug_file_must_be_closed)
7128 fclose(ssl_debug_file);
7129
7130 if (use_stderr)
7131 ssl_debug_file = stderrstderr;
7132 else if (!name || (strcmp(name, "") ==0))
7133 ssl_debug_file = NULL((void*)0);
7134 else
7135 ssl_debug_file = ws_fopenfopen(name, "w");
7136
7137 if (!use_stderr && ssl_debug_file)
7138 debug_file_must_be_closed = 1;
7139 else
7140 debug_file_must_be_closed = 0;
7141
7142 ssl_debug_printf("Wireshark SSL debug log \n\n");
7143#ifdef HAVE_LIBGNUTLS1
7144 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL((void*)0)));
7145#endif
7146 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL((void*)0)));
7147 ssl_debug_printf("\n");
7148}
7149
7150void
7151ssl_debug_flush(void)
7152{
7153 if (ssl_debug_file)
7154 fflush(ssl_debug_file);
7155}
7156
7157void
7158ssl_debug_printf(const char* fmt, ...)
7159{
7160 va_list ap;
7161
7162 if (!ssl_debug_file)
7163 return;
7164
7165 va_start(ap, fmt)__builtin_va_start(ap, fmt);
7166 vfprintf(ssl_debug_file, fmt, ap);
7167 va_end(ap)__builtin_va_end(ap);
7168}
7169
7170void
7171ssl_print_data(const char* name, const unsigned char* data, size_t len)
7172{
7173 size_t i, j, k;
7174 if (!ssl_debug_file)
7175 return;
7176 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
7177 for (i=0; i<len; i+=16) {
7178 fprintf(ssl_debug_file,"| ");
7179 for (j=i, k=0; k<16 && j<len; ++j, ++k)
7180 fprintf(ssl_debug_file,"%.2x ",data[j]);
7181 for (; k<16; ++k)
7182 fprintf(ssl_debug_file," ");
7183 fputc('|', ssl_debug_file);
7184 for (j=i, k=0; k<16 && j<len; ++j, ++k) {
7185 unsigned char c = data[j];
7186 if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';
7187 fputc(c, ssl_debug_file);
7188 }
7189 for (; k<16; ++k)
7190 fputc(' ', ssl_debug_file);
7191 fprintf(ssl_debug_file,"|\n");
7192 }
7193}
7194
7195void
7196ssl_print_string(const char* name, const StringInfo* data)
7197{
7198 ssl_print_data(name, data->data, data->data_len);
7199}
7200#endif /* SSL_DECRYPT_DEBUG }}} */
7201
7202/* UAT preferences callbacks. {{{ */
7203/* checks for SSL and DTLS UAT key list fields */
7204
7205bool_Bool
7206ssldecrypt_uat_fld_ip_chk_cb(void* r _U___attribute__((unused)), const char* p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7207{
7208 // This should be removed in favor of Decode As. Make it optional.
7209 *err = NULL((void*)0);
7210 return true1;
7211}
7212
7213bool_Bool
7214ssldecrypt_uat_fld_port_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7215{
7216 if (!p || strlen(p) == 0u) {
7217 // This should be removed in favor of Decode As. Make it optional.
7218 *err = NULL((void*)0);
7219 return true1;
7220 }
7221
7222 if (strcmp(p, "start_tls") != 0){
7223 uint16_t port;
7224 if (!ws_strtou16(p, NULL((void*)0), &port)) {
7225 *err = g_strdup("Invalid port given.")g_strdup_inline ("Invalid port given.");
7226 return false0;
7227 }
7228 }
7229
7230 *err = NULL((void*)0);
7231 return true1;
7232}
7233
7234bool_Bool
7235ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7236{
7237 ws_statb64struct stat st;
7238
7239 if (!p || strlen(p) == 0u) {
7240 *err = g_strdup("No filename given.")g_strdup_inline ("No filename given.");
7241 return false0;
7242 } else {
7243 if (ws_stat64stat(p, &st) != 0) {
7244 *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p)wmem_strdup_printf(((void*)0), "File '%s' does not exist or access is denied."
, p);
7245 return false0;
7246 }
7247 }
7248
7249 *err = NULL((void*)0);
7250 return true1;
7251}
7252
7253bool_Bool
7254ssldecrypt_uat_fld_password_chk_cb(void *r _U___attribute__((unused)), const char *p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void *u1 _U___attribute__((unused)), const void *u2 _U___attribute__((unused)), char **err)
7255{
7256#if defined(HAVE_LIBGNUTLS1)
7257 ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;
7258 FILE *fp = NULL((void*)0);
7259
7260 if (p && (strlen(p) > 0u)) {
7261 fp = ws_fopenfopen(f->keyfile, "rb");
7262 if (fp) {
7263 char *msg = NULL((void*)0);
7264 gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
7265 if (!priv_key) {
7266 fclose(fp);
7267 *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg)wmem_strdup_printf(((void*)0), "Could not load PKCS#12 key file: %s"
, msg);
7268 g_free(msg);
7269 return false0;
7270 }
7271 g_free(msg);
7272 gnutls_x509_privkey_deinit(priv_key);
7273 fclose(fp);
7274 } else {
7275 *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.")wmem_strdup_printf(((void*)0), "Leave this field blank if the keyfile is not PKCS#12."
);
7276 return false0;
7277 }
7278 }
7279
7280 *err = NULL((void*)0);
7281 return true1;
7282#else
7283 *err = g_strdup("Cannot load key files, support is not compiled in.")g_strdup_inline ("Cannot load key files, support is not compiled in."
);
7284 return false0;
7285#endif
7286}
7287/* UAT preferences callbacks. }}} */
7288
7289/** maximum size of ssl_association_info() string */
7290#define SSL_ASSOC_MAX_LEN8192 8192
7291
7292typedef struct ssl_association_info_callback_data
7293{
7294 char *str;
7295 const char *table_protocol;
7296} ssl_association_info_callback_data_t;
7297
7298/**
7299 * callback function used by ssl_association_info() to traverse the SSL associations.
7300 */
7301static void
7302ssl_association_info_(const char *table _U___attribute__((unused)), void *handle, void *user_data)
7303{
7304 ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;
7305 const int l = (const int)strlen(data->str);
7306 snprintf(data->str+l, SSL_ASSOC_MAX_LEN8192-l, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t)handle), dissector_handle_get_description((dissector_handle_t)handle));
7307}
7308
7309/**
7310 * @return an information string on the SSL protocol associations. The string must be freed.
7311 */
7312char*
7313ssl_association_info(const char* dissector_table_name, const char* table_protocol)
7314{
7315 ssl_association_info_callback_data_t data;
7316
7317 data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN8192);
7318 data.table_protocol = table_protocol;
7319 dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
7320 return data.str;
7321}
7322
7323
7324/** Begin of code related to dissection of wire data. */
7325
7326/* Helpers for dissecting Variable-Length Vectors. {{{ */
7327bool_Bool
7328ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7329 unsigned offset, unsigned offset_end, uint32_t *ret_length,
7330 int hf_length, uint32_t min_value, uint32_t max_value)
7331{
7332 unsigned veclen_size;
7333 uint32_t veclen_value;
7334 proto_item *pi;
7335
7336 DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value)((void) ((min_value <= max_value) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "min_value" " " "<=" " " "max_value"
" (" "%" "l" "u" " " "<=" " " "%" "l" "u" ")", "epan/dissectors/packet-tls-utils.c"
, 7336, (uint64_t)min_value, (uint64_t)max_value))));
7337 if (offset > offset_end) {
7338 expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
7339 "Vector offset is past buffer end offset (%u > %u)",
7340 offset, offset_end);
7341 *ret_length = 0;
7342 return false0; /* Cannot read length. */
7343 }
7344
7345 if (max_value > 0xffffff) {
7346 veclen_size = 4;
7347 } else if (max_value > 0xffff) {
7348 veclen_size = 3;
7349 } else if (max_value > 0xff) {
7350 veclen_size = 2;
7351 } else {
7352 veclen_size = 1;
7353 }
7354
7355 if (offset_end - offset < veclen_size) {
7356 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7357 tvb, offset, offset_end - offset,
7358 "No more room for vector of length %u",
7359 veclen_size);
7360 *ret_length = 0;
7361 return false0; /* Cannot read length. */
7362 }
7363
7364 pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN0x00000000, &veclen_value);
7365 offset += veclen_size;
7366
7367 if (veclen_value < min_value) {
7368 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7369 "Vector length %u is smaller than minimum %u",
7370 veclen_value, min_value);
7371 } else if (veclen_value > max_value) {
7372 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7373 "Vector length %u is larger than maximum %u",
7374 veclen_value, max_value);
7375 }
7376
7377 if (offset_end - offset < veclen_value) {
7378 expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
7379 "Vector length %u is too large, truncating it to %u",
7380 veclen_value, offset_end - offset);
7381 *ret_length = offset_end - offset;
7382 return false0; /* Length is truncated to avoid overflow. */
7383 }
7384
7385 *ret_length = veclen_value;
7386 return true1; /* Length is OK. */
7387}
7388
7389bool_Bool
7390ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7391 unsigned offset, unsigned offset_end)
7392{
7393 if (offset < offset_end) {
7394 unsigned trailing = offset_end - offset;
7395 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
7396 tvb, offset, trailing,
7397 "%u trailing byte%s unprocessed",
7398 trailing, plurality(trailing, " was", "s were")((trailing) == 1 ? (" was") : ("s were")));
7399 return false0; /* unprocessed data warning */
7400 } else if (offset > offset_end) {
7401 /*
7402 * Returned offset runs past the end. This should not happen and is
7403 * possibly a dissector bug.
7404 */
7405 unsigned excess = offset - offset_end;
7406 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7407 tvb, offset_end, excess,
7408 "Dissector processed too much data (%u byte%s)",
7409 excess, plurality(excess, "", "s")((excess) == 1 ? ("") : ("s")));
7410 return false0; /* overflow error */
7411 }
7412
7413 return true1; /* OK, offset matches. */
7414}
7415/** }}} */
7416
7417
7418static uint32_t
7419ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7420 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7421 uint16_t version, int hf_sig_len, int hf_sig);
7422
7423/* change_cipher_spec(20) dissection */
7424void
7425ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7426 packet_info *pinfo, proto_tree *tree,
7427 uint32_t offset, SslSession *session,
7428 bool_Bool is_from_server,
7429 const SslDecryptSession *ssl)
7430{
7431 /*
7432 * struct {
7433 * enum { change_cipher_spec(1), (255) } type;
7434 * } ChangeCipherSpec;
7435 */
7436 proto_item *ti;
7437 proto_item_set_text(tree,
7438 "%s Record Layer: %s Protocol: Change Cipher Spec",
7439 val_to_str_const(session->version, ssl_version_short_names, "SSL"),
7440 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
7441 ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA0x00000000);
7442
7443 if (session->version == TLSV1DOT3_VERSION0x304) {
7444 /* CCS is a dummy message in TLS 1.3, do not parse it further. */
7445 return;
7446 }
7447
7448 /* Remember frame number of first CCS */
7449 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
7450 if (*ccs_frame == 0)
7451 *ccs_frame = pinfo->num;
7452
7453 /* Use heuristics to detect an abbreviated handshake, assume that missing
7454 * ServerHelloDone implies reusing previously negotiating keys. Then when
7455 * a Session ID or ticket is present, it must be a resumed session.
7456 * Normally this should be done at the Finished message, but that may be
7457 * encrypted so we do it here, at the last cleartext message. */
7458 if (is_from_server && ssl) {
7459 if (session->is_session_resumed) {
7460 const char *resumed = NULL((void*)0);
7461 if (ssl->session_ticket.data_len) {
7462 resumed = "Session Ticket";
7463 } else if (ssl->session_id.data_len) {
7464 resumed = "Session ID";
7465 }
7466 if (resumed) {
7467 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC((const char*) (__func__)), resumed);
7468 } else {
7469 /* Can happen if the capture somehow starts in the middle */
7470 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC((const char*) (__func__)));
7471 }
7472 } else {
7473 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC((const char*) (__func__)));
7474 }
7475 }
7476 if (is_from_server && session->is_session_resumed)
7477 expert_add_info(pinfo, ti, &hf->ei.resumed);
7478}
7479
7480/** Begin of handshake(22) record dissections */
7481
7482/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
7483 * {{{ */
7484static void
7485tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
7486{
7487 uint32_t sighash, hashalg, sigalg;
7488 proto_item *ti_sigalg;
7489 proto_tree *sigalg_tree;
7490
7491 ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
7492 offset, 2, ENC_BIG_ENDIAN0x00000000, &sighash);
7493 if (ja4_data) {
7494 wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash)((gpointer) (gulong) (sighash)));
7495 }
7496
7497 sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);
7498
7499 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
7500 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,
7501 offset, 1, ENC_BIG_ENDIAN0x00000000, &hashalg);
7502 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,
7503 offset + 1, 1, ENC_BIG_ENDIAN0x00000000, &sigalg);
7504
7505 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
7506 if (!try_val_to_str(sighash, tls13_signature_algorithm)) {
7507 proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",
7508 val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),
7509 val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),
7510 sighash);
7511 }
7512} /* }}} */
7513
7514/* dissect a list of hash algorithms, return the number of bytes dissected
7515 this is used for the signature algorithms extension and for the
7516 TLS1.2 certificate request. {{{ */
7517static int
7518ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
7519 packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7520{
7521 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
7522 * struct {
7523 * HashAlgorithm hash;
7524 * SignatureAlgorithm signature;
7525 * } SignatureAndHashAlgorithm;
7526 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
7527 */
7528 proto_tree *subtree;
7529 proto_item *ti;
7530 unsigned sh_alg_length;
7531 uint32_t next_offset;
7532
7533 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
7534 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
7535 hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX(65535) - 1)) {
7536 return offset_end;
7537 }
7538 offset += 2;
7539 next_offset = offset + sh_alg_length;
7540
7541 ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
7542 "Signature Hash Algorithms (%u algorithm%s)",
7543 sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s")((sh_alg_length / 2) == 1 ? ("") : ("s")));
7544 subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);
7545
7546 while (offset + 2 <= next_offset) {
7547 tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
7548 offset += 2;
7549 }
7550
7551 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
7552 offset = next_offset;
7553 }
7554
7555 return offset;
7556} /* }}} */
7557
7558/* Dissection of DistinguishedName (for CertificateRequest and
7559 * certificate_authorities extension). {{{ */
7560static uint32_t
7561tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7562 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7563{
7564 proto_item *ti;
7565 proto_tree *subtree;
7566 uint32_t dnames_length, next_offset;
7567 asn1_ctx_t asn1_ctx;
7568 int dnames_count = 100; /* the maximum number of DNs to add to the tree */
7569
7570 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
7571 /* DistinguishedName certificate_authorities<0..2^16-1> */
7572 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
7573 hf->hf.hs_dnames_len, 0, UINT16_MAX(65535))) {
7574 return offset_end;
7575 }
7576 offset += 2;
7577 next_offset = offset + dnames_length;
7578
7579 if (dnames_length > 0) {
7580 ti = proto_tree_add_none_format(tree,
7581 hf->hf.hs_dnames,
7582 tvb, offset, dnames_length,
7583 "Distinguished Names (%d byte%s)",
7584 dnames_length,
7585 plurality(dnames_length, "", "s")((dnames_length) == 1 ? ("") : ("s")));
7586 subtree = proto_item_add_subtree(ti, hf->ett.dnames);
7587
7588 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7589
7590 while (offset < next_offset) {
7591 /* get the length of the current certificate */
7592 uint32_t name_length;
7593
7594 if (dnames_count-- == 0) {
7595 /* stop adding to tree when the list is considered too large
7596 * https://gitlab.com/wireshark/wireshark/-/issues/16202
7597 Note: dnames_count must be set low enough not to hit the
7598 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
7599 */
7600 ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
7601 tvb, offset, next_offset - offset, ENC_NA0x00000000);
7602 proto_item_set_generated(ti);
7603 return next_offset;
7604 }
7605
7606 /* opaque DistinguishedName<1..2^16-1> */
7607 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
7608 hf->hf.hs_dname_len, 1, UINT16_MAX(65535))) {
7609 return next_offset;
7610 }
7611 offset += 2;
7612
7613 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
7614 subtree, hf->hf.hs_dname);
7615 offset += name_length;
7616 }
7617 }
7618 return offset;
7619} /* }}} */
7620
7621
7622/** TLS Extensions (in Client Hello and Server Hello). {{{ */
7623static int
7624ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7625 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7626{
7627 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
7628}
7629
7630static int
7631ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7632 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
7633{
7634 if (hnd_type == SSL_HND_CLIENT_HELLO) {
7635 /*
7636 * struct {
7637 * SignatureScheme supported_signature_algorithm<2..2^16-2>;
7638 * } SignatureSchemeList;
7639 */
7640
7641 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
7642 } else {
7643 asn1_ctx_t asn1_ctx;
7644 unsigned pubkey_length, sign_length;
7645
7646 /*
7647 * struct {
7648 * uint32 valid_time;
7649 * SignatureScheme expected_cert_verify_algorithm;
7650 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
7651 * } Credential;
7652 *
7653 * struct {
7654 * Credential cred;
7655 * SignatureScheme algorithm;
7656 * opaque signature<0..2^16-1>;
7657 * } DelegatedCredential;
7658 */
7659
7660 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7661
7662 proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7663 offset += 4;
7664
7665 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7666 offset += 2;
7667
7668 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
7669 hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24((1U << 24) - 1))) {
7670 return offset_end;
7671 }
7672 offset += 3;
7673 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
7674 offset += pubkey_length;
7675
7676 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7677 offset += 2;
7678
7679 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
7680 hf->hf.hs_cred_signature_len, 1, UINT16_MAX(65535))) {
7681 return offset_end;
7682 }
7683 offset += 2;
7684 proto_tree_add_item(tree, hf->hf.hs_cred_signature,
7685 tvb, offset, sign_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7686 offset += sign_length;
7687
7688 return offset;
7689 }
7690}
7691
7692static int
7693ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7694 packet_info *pinfo, proto_tree *tree,
7695 uint32_t offset, uint32_t offset_end,
7696 uint8_t hnd_type)
7697{
7698
7699 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */
7700
7701 switch (hnd_type) {
7702 case SSL_HND_CLIENT_HELLO: {
7703 proto_tree *alps_tree;
7704 proto_item *ti;
7705 uint32_t next_offset, alps_length, name_length;
7706
7707 /*
7708 * opaque ProtocolName<1..2^8-1>;
7709 * struct {
7710 * ProtocolName supported_protocols<2..2^16-1>
7711 * } ApplicationSettingsSupport;
7712 */
7713
7714 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
7715 hf->hf.hs_ext_alps_len, 2, UINT16_MAX(65535))) {
7716 return offset_end;
7717 }
7718 offset += 2;
7719 next_offset = offset + alps_length;
7720
7721 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
7722 tvb, offset, alps_length, ENC_NA0x00000000);
7723 alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);
7724
7725 /* Parse list (note missing check for end of vector, ssl_add_vector below
7726 * ensures that data is always available.) */
7727 while (offset < next_offset) {
7728 if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
7729 hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX(255))) {
7730 return next_offset;
7731 }
7732 offset++;
7733
7734 proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
7735 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7736 offset += name_length;
7737 }
7738
7739 return offset;
7740 }
7741 case SSL_HND_ENCRYPTED_EXTS:
7742 /* Opaque blob */
7743 proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
7744 tvb, offset, offset_end - offset, ENC_ASCII0x00000000|ENC_NA0x00000000);
7745 break;
7746 }
7747
7748 return offset_end;
7749}
7750
7751static int
7752ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7753 packet_info *pinfo, proto_tree *tree,
7754 uint32_t offset, uint32_t offset_end,
7755 uint8_t hnd_type, SslSession *session,
7756 bool_Bool is_dtls, ja4_data_t *ja4_data)
7757{
7758
7759 /* https://tools.ietf.org/html/rfc7301#section-3.1
7760 * opaque ProtocolName<1..2^8-1>;
7761 * struct {
7762 * ProtocolName protocol_name_list<2..2^16-1>
7763 * } ProtocolNameList;
7764 */
7765 proto_tree *alpn_tree;
7766 proto_item *ti;
7767 uint32_t next_offset, alpn_length, name_length;
7768 uint8_t *proto_name = NULL((void*)0), *client_proto_name = NULL((void*)0);
7769
7770 /* ProtocolName protocol_name_list<2..2^16-1> */
7771 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
7772 hf->hf.hs_ext_alpn_len, 2, UINT16_MAX(65535))) {
7773 return offset_end;
7774 }
7775 offset += 2;
7776 next_offset = offset + alpn_length;
7777
7778 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
7779 tvb, offset, alpn_length, ENC_NA0x00000000);
7780 alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);
7781
7782 /* Parse list (note missing check for end of vector, ssl_add_vector below
7783 * ensures that data is always available.) */
7784 while (offset < next_offset) {
7785 /* opaque ProtocolName<1..2^8-1> */
7786 if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
7787 hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX(255))) {
7788 return next_offset;
7789 }
7790 offset++;
7791
7792 proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
7793 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7794 if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
7795 const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
7796 const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
7797 if ((g_ascii_isprint(alpn_first_char)((g_ascii_table[(guchar) (alpn_first_char)] & G_ASCII_PRINT
) != 0)) && g_ascii_isprint(alpn_last_char)((g_ascii_table[(guchar) (alpn_last_char)] & G_ASCII_PRINT
) != 0)) {
7798 wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
7799 }
7800 else {
7801 wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
7802 alpn_last_char & 0x0F);
7803 }
7804 }
7805 /* Remember first ALPN ProtocolName entry for server. */
7806 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
7807 /* '\0'-terminated string for dissector table match and prefix
7808 * comparison purposes. */
7809 proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7810 name_length, ENC_ASCII0x00000000);
7811 } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
7812 client_proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7813 name_length, ENC_ASCII0x00000000);
7814 }
7815 offset += name_length;
7816 }
7817
7818 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
7819 * exactly one "ProtocolName". */
7820 if (proto_name) {
7821 dissector_handle_t handle;
7822
7823 session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);
7824
7825 if (is_dtls) {
7826 handle = dissector_get_string_handle(dtls_alpn_dissector_table,
7827 proto_name);
7828 } else {
7829 handle = dissector_get_string_handle(ssl_alpn_dissector_table,
7830 proto_name);
7831 if (handle == NULL((void*)0)) {
7832 /* Try prefix matching */
7833 for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols)(sizeof (ssl_alpn_prefix_match_protocols) / sizeof ((ssl_alpn_prefix_match_protocols
)[0])); i++) {
7834 const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];
7835
7836 /* string_string is inappropriate as it compares strings
7837 * while "byte strings MUST NOT be truncated" (RFC 7301) */
7838 if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)(__builtin_constant_p (alpn_proto->proto_prefix)? __extension__
({ const char * const __str = (proto_name); const char * const
__prefix = (alpn_proto->proto_prefix); gboolean __result =
(0); if (__str == ((void*)0) || __prefix == ((void*)0)) __result
= (g_str_has_prefix) (__str, __prefix); else { const size_t __str_len
= strlen (((__str) + !(__str))); const size_t __prefix_len =
strlen (((__prefix) + !(__prefix))); if (__str_len >= __prefix_len
) __result = memcmp (((__str) + !(__str)), ((__prefix) + !(__prefix
)), __prefix_len) == 0; } __result; }) : (g_str_has_prefix) (
proto_name, alpn_proto->proto_prefix) )) {
7839 handle = find_dissector(alpn_proto->dissector_name);
7840 break;
7841 }
7842 }
7843 }
7844 }
7845 if (handle != NULL((void*)0)) {
7846 /* ProtocolName match, so set the App data dissector handle.
7847 * This may override protocols given via the UAT dialog, but
7848 * since the ALPN hint is precise, do it anyway. */
7849 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC((const char*) (__func__)),
7850 (void *)session->app_handle,
7851 (void *)handle,
7852 dissector_handle_get_dissector_name(handle));
7853 session->app_handle = handle;
7854 }
7855 } else if (client_proto_name) {
7856 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
7857 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
7858 session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
7859 }
7860
7861 return offset;
7862}
7863
7864static int
7865ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7866 packet_info *pinfo, proto_tree *tree,
7867 uint32_t offset, uint32_t offset_end)
7868{
7869 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
7870 * The "extension_data" field of a "next_protocol_negotiation" extension
7871 * in a "ServerHello" contains an optional list of protocols advertised
7872 * by the server. Protocols are named by opaque, non-empty byte strings
7873 * and the list of protocols is serialized as a concatenation of 8-bit,
7874 * length prefixed byte strings. Implementations MUST ensure that the
7875 * empty string is not included and that no byte strings are truncated.
7876 */
7877 uint32_t npn_length;
7878 proto_tree *npn_tree;
7879
7880 /* List is optional, do not add tree if there are no entries. */
7881 if (offset == offset_end) {
7882 return offset;
7883 }
7884
7885 npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL((void*)0), "Next Protocol Negotiation");
7886
7887 while (offset < offset_end) {
7888 /* non-empty, 8-bit length prefixed strings means range 1..255 */
7889 if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,
7890 hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX(255))) {
7891 return offset_end;
7892 }
7893 offset++;
7894
7895 proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
7896 tvb, offset, npn_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7897 offset += npn_length;
7898 }
7899
7900 return offset;
7901}
7902
7903static int
7904ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7905 packet_info *pinfo, proto_tree *tree,
7906 uint32_t offset, uint32_t offset_end)
7907{
7908 /* https://tools.ietf.org/html/rfc5746#section-3.2
7909 * struct {
7910 * opaque renegotiated_connection<0..255>;
7911 * } RenegotiationInfo;
7912 *
7913 */
7914 proto_tree *reneg_info_tree;
7915 uint32_t reneg_info_length;
7916
7917 reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL((void*)0), "Renegotiation Info extension");
7918
7919 /* opaque renegotiated_connection<0..255> */
7920 if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,
7921 hf->hf.hs_ext_reneg_info_len, 0, 255)) {
7922 return offset_end;
7923 }
7924 offset++;
7925
7926 if (reneg_info_length > 0) {
7927 proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA0x00000000);
7928 offset += reneg_info_length;
7929 }
7930
7931 return offset;
7932}
7933
7934static int
7935ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7936 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7937 const char **group_name_out)
7938{
7939 /* RFC 8446 Section 4.2.8
7940 * struct {
7941 * NamedGroup group;
7942 * opaque key_exchange<1..2^16-1>;
7943 * } KeyShareEntry;
7944 */
7945 uint32_t key_exchange_length, group;
7946 proto_tree *ks_tree;
7947
7948 ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL((void*)0), "Key Share Entry");
7949
7950 proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
7951 offset += 2;
7952 const char *group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
7953 proto_item_append_text(ks_tree, ": Group: %s", group_name);
7954 if (group_name_out) {
7955 *group_name_out = !IS_GREASE_TLS(group)((((group) & 0x0f0f) == 0x0a0a) && (((group) &
0xff) == (((group)>>8) & 0xff))) ? group_name : NULL((void*)0);
7956 }
7957
7958 /* opaque key_exchange<1..2^16-1> */
7959 if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
7960 hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX(65535))) {
7961 return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
7962 }
7963 offset += 2;
7964 proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
7965 proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);
7966
7967 proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA0x00000000);
7968 offset += key_exchange_length;
7969
7970 return offset;
7971}
7972
7973static int
7974ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7975 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7976 uint8_t hnd_type)
7977{
7978 proto_tree *key_share_tree;
7979 uint32_t next_offset;
7980 uint32_t client_shares_length;
7981 uint32_t group;
7982 const char *group_name = NULL((void*)0);
7983
7984 if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
7985 return offset;
7986 }
7987
7988 key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL((void*)0), "Key Share extension");
7989
7990 switch(hnd_type){
7991 case SSL_HND_CLIENT_HELLO:
7992 /* KeyShareEntry client_shares<0..2^16-1> */
7993 if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
7994 hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX(65535))) {
7995 return offset_end;
7996 }
7997 offset += 2;
7998 next_offset = offset + client_shares_length;
7999 const char *sep = " ";
8000 while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
8001 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
8002 if (group_name) {
8003 proto_item_append_text(tree, "%s%s", sep, group_name);
8004 sep = ", ";
8005 }
8006 }
8007 if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
8008 return next_offset;
8009 }
8010 break;
8011 case SSL_HND_SERVER_HELLO:
8012 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
8013 if (group_name) {
8014 proto_item_append_text(tree, " %s", group_name);
8015 }
8016 break;
8017 case SSL_HND_HELLO_RETRY_REQUEST:
8018 proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
8019 offset += 2;
8020 group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
8021 proto_item_append_text(tree, " %s", group_name);
8022 break;
8023 default: /* no default */
8024 break;
8025 }
8026
8027 return offset;
8028}
8029
8030static int
8031ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8032 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8033 uint8_t hnd_type)
8034{
8035 /* RFC 8446 Section 4.2.11
8036 * struct {
8037 * opaque identity<1..2^16-1>;
8038 * uint32 obfuscated_ticket_age;
8039 * } PskIdentity;
8040 * opaque PskBinderEntry<32..255>;
8041 * struct {
8042 * select (Handshake.msg_type) {
8043 * case client_hello:
8044 * PskIdentity identities<7..2^16-1>;
8045 * PskBinderEntry binders<33..2^16-1>;
8046 * case server_hello:
8047 * uint16 selected_identity;
8048 * };
8049 * } PreSharedKeyExtension;
8050 */
8051
8052 proto_tree *psk_tree;
8053
8054 psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL((void*)0), "Pre-Shared Key extension");
8055
8056 switch (hnd_type){
8057 case SSL_HND_CLIENT_HELLO: {
8058 uint32_t identities_length, identities_end, binders_length;
8059
8060 /* PskIdentity identities<7..2^16-1> */
8061 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
8062 hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX(65535))) {
8063 return offset_end;
8064 }
8065 offset += 2;
8066 identities_end = offset + identities_length;
8067
8068 while (offset < identities_end) {
8069 uint32_t identity_length;
8070 proto_tree *identity_tree;
8071
8072 identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL((void*)0), "PSK Identity (");
8073
8074 /* opaque identity<1..2^16-1> */
8075 if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
8076 hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX(65535))) {
8077 return identities_end;
8078 }
8079 offset += 2;
8080 proto_item_append_text(identity_tree, "length: %u)", identity_length);
8081
8082 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN0x00000000);
8083 offset += identity_length;
8084
8085 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8086 offset += 4;
8087
8088 proto_item_set_len(identity_tree, 2 + identity_length + 4);
8089 }
8090 if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
8091 offset = identities_end;
8092 }
8093
8094 /* PskBinderEntry binders<33..2^16-1> */
8095 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
8096 hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX(65535))) {
8097 return offset_end;
8098 }
8099 offset += 2;
8100
8101 proto_item *binders_item;
8102 proto_tree *binders_tree;
8103 binders_item = proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA0x00000000);
8104 binders_tree = proto_item_add_subtree(binders_item, hf->ett.hs_ext_psk_binders);
8105 uint32_t binders_end = offset + binders_length;
8106 while (offset < binders_end) {
8107 uint32_t binder_length;
8108 proto_item *binder_item;
8109 proto_tree *binder_tree;
8110
8111 binder_item = proto_tree_add_item(binders_tree, hf->hf.hs_ext_psk_binder, tvb, offset, 1, ENC_NA0x00000000);
8112 binder_tree = proto_item_add_subtree(binder_item, hf->ett.hs_ext_psk_binder);
8113
8114 /* opaque PskBinderEntry<32..255>; */
8115 if (!ssl_add_vector(hf, tvb, pinfo, binder_tree, offset, binders_end, &binder_length,
8116 hf->hf.hs_ext_psk_binder_binder_length, 32, 255)) {
8117 return binders_end;
8118 }
8119 offset += 1;
8120 proto_item_append_text(binder_tree, " (length: %u)", binder_length);
8121
8122 proto_tree_add_item(binder_tree, hf->hf.hs_ext_psk_binder_binder, tvb, offset, binder_length, ENC_BIG_ENDIAN0x00000000);
8123 offset += binder_length;
8124
8125 proto_item_set_end(binder_item, tvb, offset);
8126 }
8127 }
8128 break;
8129 case SSL_HND_SERVER_HELLO: {
8130 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8131 offset += 2;
8132 }
8133 break;
8134 default:
8135 break;
8136 }
8137
8138 return offset;
8139}
8140
8141static uint32_t
8142ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
8143 proto_tree *tree, uint32_t offset, uint32_t offset_end _U___attribute__((unused)),
8144 uint8_t hnd_type, SslDecryptSession *ssl)
8145{
8146 /* RFC 8446 Section 4.2.10
8147 * struct {} Empty;
8148 * struct {
8149 * select (Handshake.msg_type) {
8150 * case new_session_ticket: uint32 max_early_data_size;
8151 * case client_hello: Empty;
8152 * case encrypted_extensions: Empty;
8153 * };
8154 * } EarlyDataIndication;
8155 */
8156 switch (hnd_type) {
8157 case SSL_HND_CLIENT_HELLO:
8158 /* Remember that early_data will follow the handshake. */
8159 if (ssl) {
8160 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC((const char*) (__func__)));
8161 ssl->has_early_data = true1;
8162 }
8163 break;
8164 case SSL_HND_NEWSESSION_TICKET:
8165 proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8166 offset += 4;
8167 break;
8168 default:
8169 break;
8170 }
8171 return offset;
8172}
8173
8174static uint16_t
8175tls_try_get_version(bool_Bool is_dtls, uint16_t version, uint8_t *draft_version)
8176{
8177 if (draft_version) {
8178 *draft_version = 0;
8179 }
8180 if (!is_dtls) {
8181 uint8_t tls13_draft = extract_tls13_draft_version(version);
8182 if (tls13_draft != 0) {
8183 /* This is TLS 1.3 (a draft version). */
8184 if (draft_version) {
8185 *draft_version = tls13_draft;
8186 }
8187 version = TLSV1DOT3_VERSION0x304;
8188 }
8189 if (version == 0xfb17 || version == 0xfb1a) {
8190 /* Unofficial TLS 1.3 draft version for Facebook fizz. */
8191 tls13_draft = (uint8_t)version;
8192 if (draft_version) {
8193 *draft_version = tls13_draft;
8194 }
8195 version = TLSV1DOT3_VERSION0x304;
8196 }
8197 }
8198
8199 switch (version) {
8200 case SSLV3_VERSION0x300:
8201 case TLSV1_VERSION0x301:
8202 case TLSV1DOT1_VERSION0x302:
8203 case TLSV1DOT2_VERSION0x303:
8204 case TLSV1DOT3_VERSION0x304:
8205 case TLCPV1_VERSION0x101:
8206 if (is_dtls)
8207 return SSL_VER_UNKNOWN0;
8208 break;
8209
8210 case DTLSV1DOT0_VERSION0xfeff:
8211 case DTLSV1DOT0_OPENSSL_VERSION0x100:
8212 case DTLSV1DOT2_VERSION0xfefd:
8213 case DTLSV1DOT3_VERSION0xfefc:
8214 if (!is_dtls)
8215 return SSL_VER_UNKNOWN0;
8216 break;
8217
8218 default: /* invalid version number */
8219 return SSL_VER_UNKNOWN0;
8220 }
8221
8222 return version;
8223}
8224
8225static int
8226ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8227 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8228 SslSession *session, bool_Bool is_dtls, ja4_data_t *ja4_data)
8229{
8230
8231 /* RFC 8446 Section 4.2.1
8232 * struct {
8233 * ProtocolVersion versions<2..254>; // ClientHello
8234 * } SupportedVersions;
8235 * Note that ServerHello and HelloRetryRequest are handled by the caller.
8236 */
8237 uint32_t versions_length, next_offset;
8238 /* ProtocolVersion versions<2..254> */
8239 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
8240 hf->hf.hs_ext_supported_versions_len, 2, 254)) {
8241 return offset_end;
8242 }
8243 offset++;
8244 next_offset = offset + versions_length;
8245
8246 unsigned version;
8247 unsigned current_version, lowest_version = SSL_VER_UNKNOWN0;
8248 uint8_t draft_version, max_draft_version = 0;
8249 const char *sep = " ";
8250 while (offset + 2 <= next_offset) {
8251 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
8252 offset += 2;
8253
8254 if (!IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8255 proto_item_append_text(tree, "%s%s", sep, val_to_str(pinfo->pool, version, ssl_versions, "Unknown (0x%04x)"));
8256 sep = ", ";
8257 }
8258
8259 current_version = tls_try_get_version(is_dtls, version, &draft_version);
8260 if (session->version == SSL_VER_UNKNOWN0) {
8261 if (lowest_version == SSL_VER_UNKNOWN0) {
8262 lowest_version = current_version;
8263 } else if (current_version != SSL_VER_UNKNOWN0) {
8264 if (!is_dtls) {
8265 lowest_version = MIN(lowest_version, current_version)(((lowest_version) < (current_version)) ? (lowest_version)
: (current_version));
8266 } else {
8267 lowest_version = MAX(lowest_version, current_version)(((lowest_version) > (current_version)) ? (lowest_version)
: (current_version));
8268 }
8269 }
8270 }
8271 max_draft_version = MAX(draft_version, max_draft_version)(((draft_version) > (max_draft_version)) ? (draft_version)
: (max_draft_version));
8272 if (ja4_data && !IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8273 /* The DTLS version numbers get mapped to "00" for unknown per
8274 * JA4 spec, but if JA4 ever does support DTLS we'll probably
8275 * need to take the MIN instead of MAX here for DTLS.
8276 */
8277 ja4_data->max_version = MAX(version, ja4_data->max_version)(((version) > (ja4_data->max_version)) ? (version) : (ja4_data
->max_version));
8278 }
8279 }
8280 if (session->version == SSL_VER_UNKNOWN0 && lowest_version != SSL_VER_UNKNOWN0) {
8281 col_set_str(pinfo->cinfo, COL_PROTOCOL,
8282 val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
8283 }
8284 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
8285 offset = next_offset;
8286 }
8287
8288 /* XXX remove this when draft 19 support is dropped,
8289 * this is only required for early data decryption. */
8290 if (max_draft_version) {
8291 session->tls13_draft_version = max_draft_version;
8292 }
8293
8294 return offset;
8295}
8296
8297static int
8298ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8299 packet_info *pinfo, proto_tree *tree,
8300 uint32_t offset, uint32_t offset_end)
8301{
8302 /* RFC 8446 Section 4.2.2
8303 * struct {
8304 * opaque cookie<1..2^16-1>;
8305 * } Cookie;
8306 */
8307 uint32_t cookie_length;
8308 /* opaque cookie<1..2^16-1> */
8309 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
8310 hf->hf.hs_ext_cookie_len, 1, UINT16_MAX(65535))) {
8311 return offset_end;
8312 }
8313 offset += 2;
8314
8315 proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA0x00000000);
8316 offset += cookie_length;
8317
8318 return offset;
8319}
8320
8321static int
8322ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8323 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8324{
8325 /* RFC 8446 Section 4.2.9
8326 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
8327 *
8328 * struct {
8329 * PskKeyExchangeMode ke_modes<1..255>;
8330 * } PskKeyExchangeModes;
8331 */
8332 uint32_t ke_modes_length, next_offset;
8333
8334 /* PskKeyExchangeMode ke_modes<1..255> */
8335 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
8336 hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
8337 return offset_end;
8338 }
8339 offset++;
8340 next_offset = offset + ke_modes_length;
8341
8342 while (offset < next_offset) {
8343 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA0x00000000);
8344 offset++;
8345 }
8346
8347 return offset;
8348}
8349
8350static uint32_t
8351ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8352 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8353{
8354 /* RFC 8446 Section 4.2.4
8355 * opaque DistinguishedName<1..2^16-1>;
8356 * struct {
8357 * DistinguishedName authorities<3..2^16-1>;
8358 * } CertificateAuthoritiesExtension;
8359 */
8360 return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
8361}
8362
8363static int
8364ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8365 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8366{
8367 /* RFC 8446 Section 4.2.5
8368 * struct {
8369 * opaque certificate_extension_oid<1..2^8-1>;
8370 * opaque certificate_extension_values<0..2^16-1>;
8371 * } OIDFilter;
8372 * struct {
8373 * OIDFilter filters<0..2^16-1>;
8374 * } OIDFilterExtension;
8375 */
8376 proto_tree *subtree;
8377 uint32_t filters_length, oid_length, values_length, value_offset;
8378 asn1_ctx_t asn1_ctx;
8379 const char *oid, *name;
8380
8381 /* OIDFilter filters<0..2^16-1> */
8382 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
8383 hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX(65535))) {
8384 return offset_end;
8385 }
8386 offset += 2;
8387 offset_end = offset + filters_length;
8388
8389 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
8390
8391 while (offset < offset_end) {
8392 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
8393 hf->ett.hs_ext_oid_filter, NULL((void*)0), "OID Filter");
8394
8395 /* opaque certificate_extension_oid<1..2^8-1> */
8396 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
8397 hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX(255))) {
8398 return offset_end;
8399 }
8400 offset++;
8401 dissect_ber_object_identifier_str(false0, &asn1_ctx, subtree, tvb, offset,
8402 hf->hf.hs_ext_oid_filters_oid, &oid);
8403 offset += oid_length;
8404
8405 /* Append OID to tree label */
8406 name = oid_resolved_from_string(pinfo->pool, oid);
8407 proto_item_append_text(subtree, " (%s)", name ? name : oid);
8408
8409 /* opaque certificate_extension_values<0..2^16-1> */
8410 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
8411 hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX(65535))) {
8412 return offset_end;
8413 }
8414 offset += 2;
8415 proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
8416 if (values_length > 0) {
8417 value_offset = offset;
8418 value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0), NULL((void*)0));
8419 value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0));
8420 call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL((void*)0));
8421 }
8422 offset += values_length;
8423 }
8424
8425 return offset;
8426}
8427
8428static int
8429ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8430 packet_info *pinfo, proto_tree *tree,
8431 uint32_t offset, uint32_t offset_end)
8432{
8433 /* https://tools.ietf.org/html/rfc6066#section-3
8434 *
8435 * struct {
8436 * NameType name_type;
8437 * select (name_type) {
8438 * case host_name: HostName;
8439 * } name;
8440 * } ServerName;
8441 *
8442 * enum {
8443 * host_name(0), (255)
8444 * } NameType;
8445 *
8446 * opaque HostName<1..2^16-1>;
8447 *
8448 * struct {
8449 * ServerName server_name_list<1..2^16-1>
8450 * } ServerNameList;
8451 */
8452 proto_tree *server_name_tree;
8453 uint32_t list_length, server_name_length, next_offset;
8454
8455 /* The server SHALL include "server_name" extension with empty data. */
8456 if (offset == offset_end) {
8457 return offset;
8458 }
8459
8460 server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL((void*)0), "Server Name Indication extension");
8461
8462 /* ServerName server_name_list<1..2^16-1> */
8463 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
8464 hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX(65535))) {
8465 return offset_end;
8466 }
8467 offset += 2;
8468 next_offset = offset + list_length;
8469
8470 while (offset < next_offset) {
8471 uint32_t name_type;
8472 const uint8_t *server_name = NULL((void*)0);
8473 proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
8474 tvb, offset, 1, ENC_NA0x00000000, &name_type);
8475 offset++;
8476
8477 /* opaque HostName<1..2^16-1> */
8478 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
8479 hf->hf.hs_ext_server_name_len, 1, UINT16_MAX(65535))) {
8480 return next_offset;
8481 }
8482 offset += 2;
8483
8484 proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
8485 tvb, offset, server_name_length, ENC_ASCII0x00000000|ENC_NA0x00000000,
8486 pinfo->pool, &server_name);
8487 offset += server_name_length;
8488 // Each type must only occur once, so we don't check for duplicates.
8489 if (name_type == 0) {
8490 proto_item_append_text(tree, " name=%s", server_name);
8491 col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);
8492
8493 if (gbl_resolv_flags.handshake_sni_addr_resolution) {
8494 // Client Hello: Client (Src) -> Server (Dst)
8495 switch (pinfo->dst.type) {
8496 case AT_IPv4:
8497 if (pinfo->dst.len == sizeof(uint32_t)) {
8498 add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false0);
8499 }
8500 break;
8501 case AT_IPv6:
8502 if (pinfo->dst.len == sizeof(ws_in6_addr)) {
8503 add_ipv6_name(pinfo->dst.data, server_name, false0);
8504 }
8505 break;
8506 }
8507 }
8508 }
8509 }
8510 return offset;
8511}
8512
8513static int
8514ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8515 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
8516{
8517 unsigned ext_len = offset_end - offset;
8518 if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
8519 tvb_ensure_bytes_exist(tvb, offset, ext_len);
8520 /* Save the Session Ticket such that it can be used as identifier for
8521 * restoring a previous Master Secret (in ChangeCipherSpec) */
8522 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
8523 ssl->session_ticket.data, ext_len);
8524 ssl->session_ticket.data_len = ext_len;
8525 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
8526 }
8527 proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
8528 tvb, offset, ext_len, ENC_NA0x00000000);
8529 return offset + ext_len;
8530}
8531
8532static int
8533ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8534 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8535 uint8_t hnd_type, uint16_t ext_type, SslSession *session)
8536{
8537 uint8_t cert_list_length;
8538 uint8_t cert_type;
8539 proto_tree *cert_list_tree;
8540 proto_item *ti;
8541
8542 switch(hnd_type){
8543 case SSL_HND_CLIENT_HELLO:
8544 cert_list_length = tvb_get_uint8(tvb, offset);
8545 proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
8546 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8547 offset += 1;
8548 if (offset_end - offset != (uint32_t)cert_list_length)
8549 return offset;
8550
8551 ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
8552 cert_list_length, cert_list_length);
8553 proto_item_append_text(ti, " (%d)", cert_list_length);
8554
8555 /* make this a subtree */
8556 cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);
8557
8558 /* loop over all point formats */
8559 while (cert_list_length > 0)
8560 {
8561 proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8562 offset++;
8563 cert_list_length--;
8564 }
8565 break;
8566 case SSL_HND_SERVER_HELLO:
8567 case SSL_HND_ENCRYPTED_EXTENSIONS:
8568 case SSL_HND_CERTIFICATE:
8569 cert_type = tvb_get_uint8(tvb, offset);
8570 proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8571 offset += 1;
8572 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19) {
8573 session->client_cert_type = cert_type;
8574 }
8575 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20) {
8576 session->server_cert_type = cert_type;
8577 }
8578 break;
8579 default: /* no default */
8580 break;
8581 }
8582
8583 return offset;
8584}
8585
8586static uint32_t
8587ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8588 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8589 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8590{
8591 uint32_t compress_certificate_algorithms_length, next_offset;
8592
8593 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
8594 * enum {
8595 * zlib(1),
8596 * brotli(2),
8597 * (65535)
8598 * } CertificateCompressionAlgorithm;
8599 *
8600 * struct {
8601 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;
8602 * } CertificateCompressionAlgorithms;
8603 */
8604 switch (hnd_type) {
8605 case SSL_HND_CLIENT_HELLO:
8606 case SSL_HND_CERT_REQUEST:
8607 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
8608 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
8609 hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX(255)-1)) {
8610 return offset_end;
8611 }
8612 offset += 1;
8613 next_offset = offset + compress_certificate_algorithms_length;
8614
8615 while (offset < next_offset) {
8616 proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
8617 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8618 offset += 2;
8619 }
8620 break;
8621 default:
8622 break;
8623 }
8624
8625 return offset;
8626}
8627
8628static uint32_t
8629ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8630 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8631 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8632{
8633 uint32_t key_parameters_length, next_offset;
8634 proto_item *p_ti;
8635 proto_tree *p_tree;
8636
8637 /* RFC 8472
8638 *
8639 * struct {
8640 * uint8 major;
8641 * uint8 minor;
8642 * } TB_ProtocolVersion;
8643 *
8644 * enum {
8645 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
8646 * } TokenBindingKeyParameters;
8647 *
8648 * struct {
8649 * TB_ProtocolVersion token_binding_version;
8650 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>
8651 * } TokenBindingParameters;
8652 */
8653
8654 switch (hnd_type) {
8655 case SSL_HND_CLIENT_HELLO:
8656 case SSL_HND_SERVER_HELLO:
8657 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8658 offset += 1;
8659 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8660 offset += 1;
8661
8662 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,
8663 hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX(255))) {
8664 return offset_end;
8665 }
8666 offset += 1;
8667 next_offset = offset + key_parameters_length;
8668
8669 p_ti = proto_tree_add_none_format(tree,
8670 hf->hf.hs_ext_token_binding_key_parameters,
8671 tvb, offset, key_parameters_length,
8672 "Key parameters identifiers (%d identifier%s)",
8673 key_parameters_length,
8674 plurality(key_parameters_length, "", "s")((key_parameters_length) == 1 ? ("") : ("s")));
8675 p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);
8676
8677 while (offset < next_offset) {
8678 proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,
8679 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8680 offset += 1;
8681 }
8682
8683 if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {
8684 offset = next_offset;
8685 }
8686
8687 break;
8688 default:
8689 break;
8690 }
8691
8692 return offset;
8693}
8694
8695static uint32_t
8696ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8697 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8698 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8699{
8700 bool_Bool use_varint_encoding = true1; // Whether this is draft -27 or newer.
8701 uint32_t next_offset;
8702
8703 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8704 *
8705 * Note: the following structures are not literally defined in the spec,
8706 * they instead use an ASCII diagram.
8707 *
8708 * struct {
8709 * uint16 id;
8710 * opaque value<0..2^16-1>;
8711 * } TransportParameter; // before draft -27
8712 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8713 *
8714 * struct {
8715 * opaque ipv4Address[4];
8716 * uint16 ipv4Port;
8717 * opaque ipv6Address[16];
8718 * uint16 ipv6Port;
8719 * opaque connectionId<0..18>;
8720 * opaque statelessResetToken[16];
8721 * } PreferredAddress;
8722 */
8723
8724 if (offset_end - offset >= 6 &&
8725 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
8726 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
8727 // Assume encoding of Transport Parameters draft -26 or older with at
8728 // least one transport parameter that has a valid length.
8729 use_varint_encoding = false0;
8730 }
8731
8732 if (use_varint_encoding) {
8733 next_offset = offset_end;
8734 } else {
8735 uint32_t quic_length;
8736 // Assume draft -26 or earlier.
8737 /* TransportParameter TransportParameters<0..2^16-1>; */
8738 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
8739 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {
8740 return offset_end;
8741 }
8742 offset += 2;
8743 next_offset = offset + quic_length;
8744 }
8745
8746 while (offset < next_offset) {
8747 uint64_t parameter_type; /* 62-bit space */
8748 uint32_t parameter_length;
8749 proto_tree *parameter_tree;
8750 uint32_t parameter_end_offset;
8751 uint64_t value;
8752 uint32_t len = 0, i;
8753
8754 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
8755 NULL((void*)0), "Parameter");
8756 /* TransportParameter ID and Length. */
8757 if (use_varint_encoding) {
8758 uint64_t parameter_length64;
8759 uint32_t type_len = 0;
8760
8761 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8762 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);
8763 offset += type_len;
8764
8765 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
8766 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);
8767 parameter_length = (uint32_t)parameter_length64;
8768 offset += len;
8769
8770 proto_item_set_len(parameter_tree, type_len + len + parameter_length);
8771 } else {
8772 parameter_type = tvb_get_ntohs(tvb, offset);
8773 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8774 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8775 offset += 2;
8776
8777 /* opaque value<0..2^16-1> */
8778 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
8779 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {
8780 return next_offset;
8781 }
8782 offset += 2;
8783
8784 proto_item_set_len(parameter_tree, 4 + parameter_length);
8785 }
8786
8787 if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
0) : 0)) {
8788 proto_item_append_text(parameter_tree, ": GREASE");
8789 } else {
8790 proto_item_append_text(parameter_tree, ": %s", val64_to_str_wmem(pinfo->pool, parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
8791 }
8792
8793 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
8794 parameter_end_offset = offset + parameter_length;
8795
8796 /* Omit the value field if the parameter's length is 0. */
8797 if (parameter_length != 0) {
8798 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
8799 tvb, offset, parameter_length, ENC_NA0x00000000);
8800 }
8801
8802 switch (parameter_type) {
8803 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:
8804 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
8805 tvb, offset, parameter_length, ENC_NA0x00000000);
8806 offset += parameter_length;
8807 break;
8808 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:
8809 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
8810 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8811 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);
8812 offset += len;
8813 break;
8814 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:
8815 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
8816 tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);
8817 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));
8818 offset += 16;
8819 break;
8820 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:
8821 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
8822 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8823 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8824 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
8825 offset += len;
8826 break;
8827 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:
8828 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
8829 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8830 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8831 offset += len;
8832 break;
8833 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:
8834 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
8835 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8836 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8837 offset += len;
8838 break;
8839 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:
8840 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
8841 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8842 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8843 offset += len;
8844 break;
8845 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:
8846 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
8847 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8848 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8849 offset += len;
8850 break;
8851 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:
8852 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
8853 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8854 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8855 offset += len;
8856 break;
8857 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:
8858 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
8859 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8860 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8861 offset += len;
8862 break;
8863 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:
8864 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
8865 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
8866 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
8867 offset += len;
8868 break;
8869 case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:
8870 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
8871 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8872 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8873 offset += len;
8874 break;
8875 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:
8876 /* No Payload */
8877 break;
8878 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {
8879 uint32_t connectionid_length;
8880 quic_cid_t cid;
8881
8882 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
8883 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8884 offset += 4;
8885 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
8886 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8887 offset += 2;
8888 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
8889 tvb, offset, 16, ENC_NA0x00000000);
8890 offset += 16;
8891 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
8892 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8893 offset += 2;
8894 /* XXX - Should we add these addresses and ports as addresses that the client
8895 * is allowed / expected to migrate the server address to? Right now we don't
8896 * enforce that (see RFC 9000 Section 9, which implies that while the client
8897 * can migrate to whatever address it wants, it can only migrate the server
8898 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
8899 */
8900
8901 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
8902 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
8903 break;
8904 }
8905 offset += 1;
8906
8907 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
8908 tvb, offset, connectionid_length, ENC_NA0x00000000);
8909 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8910 cid.len = connectionid_length;
8911 // RFC 9000 5.1.1 "If the preferred_address transport
8912 // parameter is sent, the sequence number of the supplied
8913 // connection ID is 1."
8914 cid.seq_num = 1;
8915 // Multipath draft-07 "Also, the Path Identifier for the
8916 // connection ID specified in the "preferred address"
8917 // transport parameter is 0."
8918 cid.path_id = 0;
8919 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
8920 quic_add_connection(pinfo, &cid);
8921 }
8922 offset += connectionid_length;
8923
8924 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
8925 tvb, offset, 16, ENC_NA0x00000000);
8926 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8927 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
8928 }
8929 offset += 16;
8930 }
8931 break;
8932 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:
8933 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
8934 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8935 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8936 offset += len;
8937 break;
8938 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:
8939 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
8940 tvb, offset, parameter_length, ENC_NA0x00000000);
8941 offset += parameter_length;
8942 break;
8943 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:
8944 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
8945 tvb, offset, parameter_length, ENC_NA0x00000000);
8946 offset += parameter_length;
8947 break;
8948 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:
8949 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
8950 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8951 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8952 offset += len;
8953 break;
8954 case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:
8955 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
8956 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8957 proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);
8958 offset += len;
8959 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
8960 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8961 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);
8962 offset += len;
8963 break;
8964 case SSL_HND_QUIC_TP_LOSS_BITS0x1057:
8965 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
8966 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8967 if (len > 0) {
8968 quic_add_loss_bits(pinfo, value);
8969 }
8970 offset += 1;
8971 break;
8972 case SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176:
8973 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_address_discovery,
8974 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
8975 offset += len;
8976 break;
8977 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:
8978 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:
8979 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:
8980 case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:
8981 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
8982 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8983 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8984 offset += len;
8985 break;
8986 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:
8987 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
8988 tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
8989 offset += parameter_length;
8990 break;
8991 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:
8992 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
8993 tvb, offset, parameter_length, ENC_NA0x00000000);
8994 offset += parameter_length;
8995 break;
8996 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:
8997 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
8998 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8999 offset += 4;
9000 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
9001 uint32_t versions_length;
9002
9003 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
9004 tvb, offset, 1, ENC_NA0x00000000, &versions_length);
9005 offset += 1;
9006 for (i = 0; i < versions_length / 4; i++) {
9007 quic_proto_tree_add_version(tvb, parameter_tree,
9008 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
9009 offset += 4;
9010 }
9011 }
9012 break;
9013 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:
9014 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
9015 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9016 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);
9017 offset += len;
9018 break;
9019 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:
9020 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
9021 tvb, offset, parameter_length, ENC_NA0x00000000);
9022 offset += parameter_length;
9023 break;
9024 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:
9025 /* This field was used for non-standard Google-specific parameters encoded as a
9026 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
9027 * parameters. Report it as a bytes blob... */
9028 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
9029 tvb, offset, parameter_length, ENC_NA0x00000000);
9030 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
9031 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
9032 tvb, offset, 4, ENC_NA0x00000000);
9033 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
9034 offset += parameter_length;
9035 break;
9036 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:
9037 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
9038 tvb, offset, parameter_length, ENC_NA0x00000000);
9039 offset += parameter_length;
9040 break;
9041 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:
9042 /* No Payload */
9043 break;
9044 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:
9045 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
9046 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9047 offset += parameter_length;
9048 break;
9049 case SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db:
9050 case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:
9051 quic_proto_tree_add_version(tvb, parameter_tree,
9052 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
9053 offset += 4;
9054 for (i = 4; i < parameter_length; i += 4) {
9055 quic_proto_tree_add_version(tvb, parameter_tree,
9056 hf->hf.hs_ext_quictp_parameter_other_version, offset);
9057 offset += 4;
9058 }
9059 break;
9060 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:
9061 /* No Payload */
9062 quic_add_grease_quic_bit(pinfo);
9063 break;
9064 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:
9065 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
9066 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9067 offset += parameter_length;
9068 break;
9069 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:
9070 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
9071 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9072 if (value == 1) {
9073 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9074 }
9075 offset += parameter_length;
9076 break;
9077 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:
9078 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:
9079 /* No Payload */
9080 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9081 break;
9082 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:
9083 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
9084 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9085 if (value > 1) {
9086 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9087 }
9088 /* multipath draft-07: "The value of the initial_max_paths
9089 * parameter MUST be at least 2." TODO: Expert Info? */
9090 offset += parameter_length;
9091 break;
9092 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09:
9093 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11:
9094 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c:
9095 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d0d:
9096 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
9097 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9098 /* multipath draft-09 and later: "If an endpoint receives an
9099 * initial_max_path_id transport parameter with value 0, the
9100 * peer aims to enable the multipath extension without allowing
9101 * extra paths immediately."
9102 */
9103 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9104 offset += parameter_length;
9105 break;
9106 default:
9107 offset += parameter_length;
9108 /*TODO display expert info about unknown ? */
9109 break;
9110 }
9111
9112 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
9113 /* Dissection did not end at expected location, fix it. */
9114 offset = parameter_end_offset;
9115 }
9116 }
9117
9118 return offset;
9119}
9120
9121static int
9122ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9123 proto_tree *tree, uint32_t offset,
9124 SslSession *session, SslDecryptSession *ssl,
9125 bool_Bool from_server, bool_Bool is_hrr)
9126{
9127 uint8_t sessid_length;
9128 proto_item *ti;
9129 proto_tree *rnd_tree;
9130 proto_tree *ti_rnd;
9131 proto_tree *ech_confirm_tree;
9132 uint8_t draft_version = session->tls13_draft_version;
9133
9134 if (ssl) {
9135 StringInfo *rnd;
9136 if (from_server)
9137 rnd = &ssl->server_random;
9138 else
9139 rnd = &ssl->client_random;
9140
9141 /* save provided random for later keyring generation */
9142 tvb_memcpy(tvb, rnd->data, offset, 32);
9143 rnd->data_len = 32;
9144 if (from_server)
9145 ssl->state |= SSL_SERVER_RANDOM(1<<1);
9146 else
9147 ssl->state |= SSL_CLIENT_RANDOM(1<<0);
9148 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)),
9149 from_server ? "SERVER" : "CLIENT", ssl->state);
9150 }
9151
9152 if (!from_server && session->client_random.data_len == 0) {
9153 session->client_random.data_len = 32;
9154 tvb_memcpy(tvb, session->client_random.data, offset, 32);
9155 }
9156
9157 ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA0x00000000);
9158
9159 if ((session->version != TLSV1DOT3_VERSION0x304) && (session->version != DTLSV1DOT3_VERSION0xfefc)) { /* No time on first bytes random with TLS 1.3 */
9160
9161 rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9162 /* show the time */
9163 proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
9164 tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_BIG_ENDIAN0x00000000);
9165 offset += 4;
9166
9167 /* show the random bytes */
9168 proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
9169 tvb, offset, 28, ENC_NA0x00000000);
9170 offset += 28;
9171 } else {
9172 if (is_hrr) {
9173 proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
9174 } else if (from_server && session->ech) {
9175 ech_confirm_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9176 proto_tree_add_item(ech_confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA0x00000000);
9177 ti = proto_tree_add_bytes_with_length(ech_confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
9178 session->ech_confirmation, 8);
9179 proto_item_set_generated(ti);
9180 if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8)) {
9181 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
9182 } else {
9183 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
9184 }
9185 }
9186
9187 offset += 32;
9188 }
9189
9190 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
9191 if (from_server == 0 || !(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
9192 /* show the session id (length followed by actual Session ID) */
9193 sessid_length = tvb_get_uint8(tvb, offset);
9194 proto_tree_add_item(tree, hf->hf.hs_session_id_len,
9195 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9196 offset++;
9197
9198 if (ssl) {
9199 /* save the authoritative SID for later use in ChangeCipherSpec.
9200 * (D)TLS restricts the SID to 32 chars, it does not make sense to
9201 * save more, so ignore larger ones. */
9202 if (from_server && sessid_length <= 32) {
9203 tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
9204 ssl->session_id.data_len = sessid_length;
9205 }
9206 }
9207 if (sessid_length > 0) {
9208 proto_tree_add_item(tree, hf->hf.hs_session_id,
9209 tvb, offset, sessid_length, ENC_NA0x00000000);
9210 offset += sessid_length;
9211 }
9212 }
9213
9214 return offset;
9215}
9216
9217static int
9218ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9219 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9220 bool_Bool has_length)
9221{
9222 /* TLS 1.2/1.3 status_request Client Hello Extension.
9223 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
9224 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
9225 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
9226 * struct {
9227 * CertificateStatusType status_type;
9228 * uint16 request_length; // for status_request_v2
9229 * select (status_type) {
9230 * case ocsp: OCSPStatusRequest;
9231 * case ocsp_multi: OCSPStatusRequest;
9232 * } request;
9233 * } CertificateStatusRequest; // CertificateStatusRequestItemV2
9234 *
9235 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
9236 * struct {
9237 * ResponderID responder_id_list<0..2^16-1>;
9238 * Extensions request_extensions;
9239 * } OCSPStatusRequest;
9240 * opaque ResponderID<1..2^16-1>;
9241 * opaque Extensions<0..2^16-1>;
9242 */
9243 unsigned cert_status_type;
9244
9245 cert_status_type = tvb_get_uint8(tvb, offset);
9246 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
9247 tvb, offset, 1, ENC_NA0x00000000);
9248 offset++;
9249
9250 if (has_length) {
9251 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
9252 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9253 offset += 2;
9254 }
9255
9256 switch (cert_status_type) {
9257 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9258 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9259 {
9260 uint32_t responder_id_list_len;
9261 uint32_t request_extensions_len;
9262
9263 /* ResponderID responder_id_list<0..2^16-1> */
9264 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
9265 hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX(65535))) {
9266 return offset_end;
9267 }
9268 offset += 2;
9269 if (responder_id_list_len != 0) {
9270 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9271 tvb, offset, responder_id_list_len,
9272 "Responder ID list is not implemented, contact Wireshark"
9273 " developers if you want this to be supported");
9274 }
9275 offset += responder_id_list_len;
9276
9277 /* opaque Extensions<0..2^16-1> */
9278 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
9279 hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX(65535))) {
9280 return offset_end;
9281 }
9282 offset += 2;
9283 if (request_extensions_len != 0) {
9284 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9285 tvb, offset, request_extensions_len,
9286 "Request Extensions are not implemented, contact"
9287 " Wireshark developers if you want this to be supported");
9288 }
9289 offset += request_extensions_len;
9290 break;
9291 }
9292 }
9293
9294 return offset;
9295}
9296
9297static unsigned
9298ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9299 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9300{
9301 /* https://tools.ietf.org/html/rfc6961#section-2.2
9302 * struct {
9303 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
9304 * } CertificateStatusRequestListV2;
9305 */
9306 uint32_t req_list_length, next_offset;
9307
9308 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
9309 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
9310 hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX(65535))) {
9311 return offset_end;
9312 }
9313 offset += 2;
9314 next_offset = offset + req_list_length;
9315
9316 while (offset < next_offset) {
9317 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true1);
9318 }
9319
9320 return offset;
9321}
9322
9323static uint32_t
9324tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9325 uint32_t offset, uint32_t offset_end)
9326{
9327 uint32_t response_length;
9328 proto_item *ocsp_resp;
9329 proto_tree *ocsp_resp_tree;
9330 asn1_ctx_t asn1_ctx;
9331
9332 /* opaque OCSPResponse<1..2^24-1>; */
9333 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
9334 hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9335 return offset_end;
9336 }
9337 offset += 3;
9338
9339 ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
9340 response_length, ENC_BIG_ENDIAN0x00000000);
9341 proto_item_set_text(ocsp_resp, "OCSP Response");
9342 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
9343 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
9344 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
9345 dissect_ocsp_OCSPResponse(false0, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
9346 }
9347 offset += response_length;
9348
9349 return offset;
9350}
9351
9352uint32_t
9353tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9354 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9355{
9356 /* TLS 1.2 "CertificateStatus" handshake message.
9357 * TLS 1.3 "status_request" Certificate extension.
9358 * struct {
9359 * CertificateStatusType status_type;
9360 * select (status_type) {
9361 * case ocsp: OCSPResponse;
9362 * case ocsp_multi: OCSPResponseList; // status_request_v2
9363 * } response;
9364 * } CertificateStatus;
9365 * opaque OCSPResponse<1..2^24-1>;
9366 * struct {
9367 * OCSPResponse ocsp_response_list<1..2^24-1>;
9368 * } OCSPResponseList; // status_request_v2
9369 */
9370 uint32_t status_type, resp_list_length, next_offset;
9371
9372 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
9373 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &status_type);
9374 offset += 1;
9375
9376 switch (status_type) {
9377 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9378 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
9379 break;
9380
9381 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9382 /* OCSPResponse ocsp_response_list<1..2^24-1> */
9383 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
9384 hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9385 return offset_end;
9386 }
9387 offset += 3;
9388 next_offset = offset + resp_list_length;
9389
9390 while (offset < next_offset) {
9391 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
9392 }
9393 break;
9394 }
9395
9396 return offset;
9397}
9398
9399static unsigned
9400ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9401 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9402 wmem_strbuf_t *ja3)
9403{
9404 /* RFC 8446 Section 4.2.7
9405 * enum { ..., (0xFFFF) } NamedGroup;
9406 * struct {
9407 * NamedGroup named_group_list<2..2^16-1>
9408 * } NamedGroupList;
9409 *
9410 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
9411 * the extension itself from "elliptic_curves" to "supported_groups".
9412 */
9413 uint32_t groups_length, next_offset;
9414 proto_tree *groups_tree;
9415 proto_item *ti;
9416 char *ja3_dash = "";
9417
9418 /* NamedGroup named_group_list<2..2^16-1> */
9419 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
9420 hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX(65535))) {
9421 return offset_end;
9422 }
9423 offset += 2;
9424 next_offset = offset + groups_length;
9425
9426 ti = proto_tree_add_none_format(tree,
9427 hf->hf.hs_ext_supported_groups,
9428 tvb, offset, groups_length,
9429 "Supported Groups (%d group%s)",
9430 groups_length / 2,
9431 plurality(groups_length/2, "", "s")((groups_length/2) == 1 ? ("") : ("s")));
9432
9433 /* make this a subtree */
9434 groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);
9435
9436 if (ja3) {
9437 wmem_strbuf_append_c(ja3, ',');
9438 }
9439 /* loop over all groups */
9440 while (offset + 2 <= offset_end) {
9441 uint32_t ext_supported_group;
9442
9443 proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
9444 ENC_BIG_ENDIAN0x00000000, &ext_supported_group);
9445 offset += 2;
9446 if (ja3 && !IS_GREASE_TLS(ext_supported_group)((((ext_supported_group) & 0x0f0f) == 0x0a0a) && (
((ext_supported_group) & 0xff) == (((ext_supported_group)
>>8) & 0xff)))) {
9447 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
9448 ja3_dash = "-";
9449 }
9450 }
9451 if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
9452 offset = next_offset;
9453 }
9454
9455 return offset;
9456}
9457
9458static int
9459ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9460 proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
9461{
9462 uint8_t ecpf_length;
9463 proto_tree *ecpf_tree;
9464 proto_item *ti;
9465
9466 ecpf_length = tvb_get_uint8(tvb, offset);
9467 proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
9468 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9469
9470 offset += 1;
9471 ti = proto_tree_add_none_format(tree,
9472 hf->hf.hs_ext_ec_point_formats,
9473 tvb, offset, ecpf_length,
9474 "Elliptic curves point formats (%d)",
9475 ecpf_length);
9476
9477 /* make this a subtree */
9478 ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);
9479
9480 if (ja3) {
9481 wmem_strbuf_append_c(ja3, ',');
9482 }
9483
9484 /* loop over all point formats */
9485 while (ecpf_length > 0)
9486 {
9487 uint32_t ext_ec_point_format;
9488
9489 proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
9490 ENC_BIG_ENDIAN0x00000000, &ext_ec_point_format);
9491 offset++;
9492 ecpf_length--;
9493 if (ja3) {
9494 wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
9495 if (ecpf_length > 0) {
9496 wmem_strbuf_append_c(ja3, '-');
9497 }
9498 }
9499 }
9500
9501 return offset;
9502}
9503
9504static int
9505ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9506 packet_info *pinfo, proto_tree *tree,
9507 uint32_t offset, uint32_t next_offset)
9508{
9509 /* https://tools.ietf.org/html/rfc5054#section-2.8.1
9510 * opaque srp_I<1..2^8-1>;
9511 */
9512 uint32_t username_len;
9513
9514 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
9515 hf->hf.hs_ext_srp_len, 1, UINT8_MAX(255))) {
9516 return next_offset;
9517 }
9518 offset++;
9519
9520 proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
9521 tvb, offset, username_len, ENC_UTF_80x00000002|ENC_NA0x00000000);
9522 offset += username_len;
9523
9524 return offset;
9525}
9526
9527static uint32_t
9528tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9529 uint32_t offset, uint32_t offset_end, uint16_t version)
9530{
9531 /* https://tools.ietf.org/html/rfc6962#section-3.2
9532 * enum { v1(0), (255) } Version;
9533 * struct {
9534 * opaque key_id[32];
9535 * } LogID;
9536 * opaque CtExtensions<0..2^16-1>;
9537 * struct {
9538 * Version sct_version;
9539 * LogID id;
9540 * uint64 timestamp;
9541 * CtExtensions extensions;
9542 * digitally-signed struct { ... };
9543 * } SignedCertificateTimestamp;
9544 */
9545 uint32_t sct_version;
9546 uint64_t sct_timestamp_ms;
9547 nstime_t sct_timestamp;
9548 uint32_t exts_len;
9549 const char *log_name;
9550
9551 proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA0x00000000, &sct_version);
9552 offset++;
9553 if (sct_version != 0) {
9554 // TODO expert info about unknown SCT version?
9555 return offset;
9556 }
9557 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN0x00000000);
9558 log_name = bytesval_to_str_wmem(pinfo->pool, tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
9559 proto_item_append_text(tree, " (%s)", log_name);
9560 offset += 32;
9561 sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);
9562 sct_timestamp.secs = (time_t)(sct_timestamp_ms / 1000);
9563 sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);
9564 proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
9565 offset += 8;
9566 /* opaque CtExtensions<0..2^16-1> */
9567 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
9568 hf->hf.sct_sct_extensions_length, 0, UINT16_MAX(65535))) {
9569 return offset_end;
9570 }
9571 offset += 2;
9572 if (exts_len > 0) {
9573 proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN0x00000000);
9574 offset += exts_len;
9575 }
9576 offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
9577 hf->hf.sct_sct_signature_length,
9578 hf->hf.sct_sct_signature);
9579 return offset;
9580}
9581
9582uint32_t
9583tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9584 uint32_t offset, uint32_t offset_end, uint16_t version)
9585{
9586 /* https://tools.ietf.org/html/rfc6962#section-3.3
9587 * opaque SerializedSCT<1..2^16-1>;
9588 * struct {
9589 * SerializedSCT sct_list <1..2^16-1>;
9590 * } SignedCertificateTimestampList;
9591 */
9592 uint32_t list_length, sct_length, next_offset;
9593 proto_tree *subtree;
9594
9595 /* SerializedSCT sct_list <1..2^16-1> */
9596 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
9597 hf->hf.sct_scts_length, 1, UINT16_MAX(65535))) {
9598 return offset_end;
9599 }
9600 offset += 2;
9601
9602 while (offset < offset_end) {
9603 subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL((void*)0), "Signed Certificate Timestamp");
9604
9605 /* opaque SerializedSCT<1..2^16-1> */
9606 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,
9607 hf->hf.sct_sct_length, 1, UINT16_MAX(65535))) {
9608 return offset_end;
9609 }
9610 offset += 2;
9611 next_offset = offset + sct_length;
9612 proto_item_set_len(subtree, 2 + sct_length);
9613 offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
9614 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
9615 offset = next_offset;
9616 }
9617 }
9618
9619 return offset;
9620}
9621
9622static int
9623dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
9624 proto_tree *tree, uint32_t offset)
9625{
9626 uint32_t kdf_id, aead_id;
9627 proto_item *cs_ti;
9628 proto_tree *cs_tree;
9629
9630 cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
9631 tvb, offset, 4, ENC_NA0x00000000);
9632 cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);
9633
9634 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
9635 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &kdf_id);
9636 offset += 2;
9637 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
9638 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &aead_id);
9639 offset += 2;
9640
9641 proto_item_append_text(cs_ti, ": %s/%s",
9642 val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
9643 val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
9644 return offset;
9645}
9646
9647static int
9648dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9649 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9650 uint32_t *config_id)
9651{
9652 uint32_t length, cipher_suite_length;
9653 proto_item *kc_ti, *css_ti;
9654 proto_tree *kc_tree, *css_tree;
9655 uint32_t original_offset = offset, next_offset;
9656
9657 kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
9658 tvb, offset, -1, ENC_NA0x00000000);
9659 kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);
9660
9661 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
9662 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, config_id);
9663 offset += 1;
9664 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
9665 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9666 offset += 2;
9667 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
9668 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9669 offset += 2;
9670 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
9671 tvb, offset, length, ENC_NA0x00000000);
9672 offset += length;
9673
9674 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
9675 if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
9676 hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX(65535) - 3)) {
9677 return offset_end;
9678 }
9679 offset += 2;
9680 next_offset = offset + cipher_suite_length;
9681
9682 css_ti = proto_tree_add_none_format(kc_tree,
9683 hf->hf.ech_hpke_keyconfig_cipher_suites,
9684 tvb, offset, cipher_suite_length,
9685 "Cipher Suites (%d suite%s)",
9686 cipher_suite_length / 4,
9687 plurality(cipher_suite_length / 4, "", "s")((cipher_suite_length / 4) == 1 ? ("") : ("s")));
9688 css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);
9689
9690
9691 while (offset + 4 <= next_offset) {
9692 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
9693 }
9694
9695 if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
9696 offset = next_offset;
9697 }
9698
9699 proto_item_set_len(kc_ti, offset - original_offset);
9700
9701 return offset;
9702}
9703
9704static int
9705dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9706 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9707 const uint8_t **public_name, uint32_t *config_id)
9708{
9709 uint32_t public_name_length, extensions_length, next_offset;
9710
9711 offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
9712 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
9713 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9714 offset += 1;
9715 proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
9716 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &public_name_length);
9717 offset += 1;
9718 proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
9719 tvb, offset, public_name_length, ENC_ASCII0x00000000, pinfo->pool, public_name);
9720 offset += public_name_length;
9721
9722 /* Extension extensions<0..2^16-1>; */
9723 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
9724 hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX(65535))) {
9725 return offset_end;
9726 }
9727 offset += 2;
9728 next_offset = offset + extensions_length;
9729
9730 if (extensions_length > 0) {
9731 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
9732 tvb, offset, extensions_length, ENC_NA0x00000000);
9733 }
9734 offset += extensions_length;
9735
9736 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9737 offset = next_offset;
9738 }
9739
9740 return offset;
9741}
9742
9743static int
9744dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9745 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9746{
9747 uint32_t version, length;
9748 proto_item *ech_ti;
9749 proto_tree *ech_tree;
9750 const uint8_t *public_name = NULL((void*)0);
9751 uint32_t config_id = 0;
9752
9753 ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA0x00000000);
9754 ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);
9755
9756 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
9757 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
9758 offset += 2;
9759 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
9760 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9761 offset += 2;
9762
9763 proto_item_set_len(ech_ti, 4 + length);
9764
9765 switch(version) {
9766 case 0xfe0d:
9767 dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
9768 proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
9769 break;
9770
9771 default:
9772 expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
9773 }
9774
9775 return 4 + length;
9776}
9777
9778uint32_t
9779ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9780 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9781{
9782 uint32_t echconfiglist_length, next_offset;
9783
9784 /* ECHConfig ECHConfigList<1..2^16-1>; */
9785 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
9786 hf->hf.ech_echconfiglist_length, 1, UINT16_MAX(65535))) {
9787 return offset_end;
9788 }
9789 offset += 2;
9790 next_offset = offset + echconfiglist_length;
9791
9792 while (offset < next_offset) {
9793 offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
9794 }
9795
9796 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9797 offset = next_offset;
9798 }
9799
9800 return offset;
9801}
9802
9803static uint32_t
9804ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9805 uint32_t offset, uint32_t offset_end)
9806{
9807 uint32_t ext_length, next_offset;
9808 proto_tree *ext_tree;
9809 proto_item *ti;
9810
9811 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
9812 hf->hf.hs_ext_ech_outer_ext_len, 2, UINT8_MAX(255))) {
9813 return offset_end;
9814 }
9815 offset += 1;
9816 next_offset = offset + ext_length;
9817
9818 ti = proto_tree_add_none_format(tree,
9819 hf->hf.hs_ext_ech_outer_ext,
9820 tvb, offset, ext_length,
9821 "Outer Extensions (%d extension%s)",
9822 ext_length / 2,
9823 plurality(ext_length/2, "", "s")((ext_length/2) == 1 ? ("") : ("s")));
9824
9825 ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);
9826
9827 while (offset + 2 <= offset_end) {
9828 proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9829 offset += 2;
9830 }
9831
9832 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
9833 offset = next_offset;
9834 }
9835
9836 return offset;
9837}
9838
9839static uint32_t
9840// NOLINTNEXTLINE(misc-no-recursion)
9841ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9842 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9843 uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
9844 uint32_t initial_offset, uint32_t hello_length)
9845{
9846 uint32_t ch_type, length;
9847 proto_item *ti, *payload_ti;
9848 proto_tree *retry_tree, *payload_tree;
9849
9850 switch (hnd_type) {
9851 case SSL_HND_CLIENT_HELLO:
9852 /*
9853 * enum { outer(0), inner(1) } ECHClientHelloType;
9854 *
9855 * struct {
9856 * ECHClientHelloType type;
9857 * select (ECHClientHello.type) {
9858 * case outer:
9859 * HpkeSymmetricCipherSuite cipher_suite;
9860 * uint8 config_id;
9861 * opaque enc<0..2^16-1>;
9862 * opaque payload<1..2^16-1>;
9863 * case inner:
9864 * Empty;
9865 * };
9866 * } ECHClientHello;
9867 */
9868
9869 proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &ch_type);
9870 offset += 1;
9871 switch (ch_type) {
9872 case 0: /* outer */
9873 if (ssl && session->first_ch_ech_frame == 0) {
9874 session->first_ch_ech_frame = pinfo->num;
9875 }
9876 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
9877 uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
9878 uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);
9879
9880 proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9881 uint8_t config_id = tvb_get_uint8(tvb, offset);
9882 offset += 1;
9883 proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9884 offset += 2;
9885 proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA0x00000000);
9886 offset += length;
9887 proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9888 offset += 2;
9889 payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA0x00000000);
9890 offset += length;
9891
9892 if (!mk_map) {
9893 break;
9894 }
9895 if (session->client_random.data_len == 0) {
9896 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
9897 break;
9898 }
9899 StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
9900 StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
9901 if (!ech_secret || !ech_config) {
9902 ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
9903 G_STRFUNC((const char*) (__func__)));
9904 break;
9905 }
9906
9907 if (hpke_hkdf_len(kdf_id) == 0) {
9908 ssl_debug_printf("Unsupported KDF\n");
9909 break;
9910 }
9911
9912 if (hpke_aead_key_len(aead_id) == 0) {
9913 ssl_debug_printf("Unsupported AEAD\n");
9914 break;
9915 }
9916
9917 size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);
9918
9919 uint16_t version = GUINT16_FROM_BE(*(uint16_t *)ech_config->data)(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)ech_config
->data) >> 8) | (guint16) ((guint16) (*(uint16_t *)ech_config
->data) << 8))))));
9920 if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
9921 ssl_debug_printf("Unexpected version in ECH Config\n");
9922 break;
9923 }
9924 uint32_t ech_config_offset = 2;
9925 if (GUINT16_FROM_BE(*(uint16_t *)(ech_config->data + ech_config_offset))(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)(ech_config
->data + ech_config_offset)) >> 8) | (guint16) ((guint16
) (*(uint16_t *)(ech_config->data + ech_config_offset)) <<
8)))))) != ech_config->data_len - 4) {
9926 ssl_debug_printf("Malformed ECH Config, invalid length\n");
9927 break;
9928 }
9929 ech_config_offset += 2;
9930 if (*(ech_config->data + ech_config_offset) != config_id) {
9931 ssl_debug_printf("ECH Config version mismatch\n");
9932 break;
9933 }
9934 ech_config_offset += 1;
9935 uint16_t kem_id_be = *(uint16_t *)(ech_config->data + ech_config_offset);
9936 uint16_t kem_id = GUINT16_FROM_BE(kem_id_be)(((((guint16) ( (guint16) ((guint16) (kem_id_be) >> 8) |
(guint16) ((guint16) (kem_id_be) << 8))))));
9937 uint8_t suite_id[HPKE_SUIT_ID_LEN10];
9938 hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
9939 GByteArray *info = g_byte_array_new();
9940 g_byte_array_append(info, "tls ech", 8);
9941 g_byte_array_append(info, ech_config->data, ech_config->data_len);
9942 uint8_t key[AEAD_MAX_KEY_LENGTH32];
9943 uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH12];
9944 if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE0,
9945 key, base_nonce)) {
9946 g_byte_array_free(info, TRUE(!(0)));
9947 break;
9948 }
9949 g_byte_array_free(info, TRUE(!(0)));
9950 gcry_cipher_hd_t cipher;
9951 if (hpke_setup_aead(&cipher, aead_id, key) ||
9952 hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
9953 gcry_cipher_close(cipher);
9954 break;
9955 }
9956 const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
9957 uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL((void*)0), hello_length);
9958 tvb_memcpy(tvb, ech_aad, initial_offset, hello_length);
9959 memset(ech_aad + offset - length - initial_offset, 0, length);
9960 if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
9961 gcry_cipher_close(cipher);
9962 wmem_free(NULL((void*)0), ech_aad);
9963 break;
9964 }
9965 wmem_free(NULL((void*)0), ech_aad);
9966 uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, length - 16);
9967 if (gcry_cipher_decrypt(cipher, ech_decrypted_data, length - 16, payload, length - 16)) {
9968 gcry_cipher_close(cipher);
9969 break;
9970 }
9971 unsigned char ech_auth_tag_calc[16];
9972 if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, 16)) {
9973 gcry_cipher_close(cipher);
9974 break;
9975 }
9976 if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
9977 memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, 16);
9978 gcry_cipher_close(cipher);
9979 if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
9980 payload + length - 16, 16)) {
9981 ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
9982 } else {
9983 payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
9984 tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, length - 16, length - 16);
9985 add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
9986 if (ssl) {
9987 tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
9988 uint32_t len_offset = ssl->ech_transcript.data_len;
9989 if (ssl->ech_transcript.data_len > 0)
9990 ssl->ech_transcript.data = (unsigned char*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
9991 ssl->ech_transcript.data_len + hello_length + 4);
9992 else
9993 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), hello_length + 4);
9994 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
9995 ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
9996 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
9997 ssl->ech_transcript.data_len += 38;
9998 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset + 34,
9999 tvb_get_uint8(tvb, initial_offset + 34) + 1);
10000 ssl->ech_transcript.data_len += tvb_get_uint8(tvb, initial_offset + 34) + 1;
10001 uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
10002 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10003 2 + tvb_get_ntohs(ech_tvb, ech_offset));
10004 ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10005 ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10006 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10007 1 + tvb_get_uint8(ech_tvb, ech_offset));
10008 ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10009 ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10010 uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
10011 ssl->ech_transcript.data_len += 2;
10012 uint16_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
10013 ech_offset += 2;
10014 while (extensions_end - ech_offset >= 4) {
10015 if (tvb_get_ntohs(ech_tvb, ech_offset) != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768) {
10016 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10017 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2));
10018 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
10019 ech_offset += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
10020 } else if (tvb_get_ntohs(ech_tvb, ech_offset + 2) > 0) {
10021 uint8_t outer_extensions_end = tvb_get_uint8(ech_tvb, ech_offset + 4) + ech_offset + 5;
10022 ech_offset += 5;
10023 uint16_t outer_offset = initial_offset + 35 + tvb_get_uint8(tvb, initial_offset + 34);
10024 outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
10025 outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
10026 while (outer_extensions_end - ech_offset >= 2) {
10027 while (hello_length - outer_offset >= 4) {
10028 if (tvb_get_ntohs(tvb, outer_offset) == tvb_get_ntohs(ech_tvb, ech_offset)) {
10029 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
10030 4 + tvb_get_ntohs(tvb, outer_offset + 2));
10031 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10032 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10033 break;
10034 } else {
10035 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10036 }
10037 }
10038 ech_offset += 2;
10039 }
10040 }
10041 }
10042 uint16_t ech_extensions_len_be = GUINT16_TO_BE(ssl->ech_transcript.data_len - ech_extensions_len_offset - 2)((((guint16) ( (guint16) ((guint16) (ssl->ech_transcript.data_len
- ech_extensions_len_offset - 2) >> 8) | (guint16) ((guint16
) (ssl->ech_transcript.data_len - ech_extensions_len_offset
- 2) << 8)))));
10043 *(ssl->ech_transcript.data + ech_extensions_len_offset) = ech_extensions_len_be & 0xff;
10044 *(ssl->ech_transcript.data + ech_extensions_len_offset + 1) = (ech_extensions_len_be >> 8);
10045 *(ssl->ech_transcript.data + len_offset + 2) = ((ssl->ech_transcript.data_len - len_offset - 4) >> 8);
10046 *(ssl->ech_transcript.data + len_offset + 3) = (ssl->ech_transcript.data_len - len_offset - 4) & 0xff;
10047 }
10048 uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, length - 16, session,
10049 ssl, NULL((void*)0), mk_map);
10050 if (ech_padding_begin < length - 16) {
10051 proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, length - 16 - ech_padding_begin,
10052 ENC_NA0x00000000);
10053 }
10054 }
10055
10056 break;
10057 case 1: /* inner */
10058 break;
10059 }
10060 break;
10061
10062 case SSL_HND_ENCRYPTED_EXTENSIONS:
10063 /*
10064 * struct {
10065 * ECHConfigList retry_configs;
10066 * } ECHEncryptedExtensions;
10067 */
10068
10069 ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA0x00000000);
10070 retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
10071 offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
10072 break;
10073
10074 case SSL_HND_HELLO_RETRY_REQUEST:
10075 /*
10076 * struct {
10077 * opaque confirmation[8];
10078 * } ECHHelloRetryRequest;
10079 */
10080
10081 proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA0x00000000);
10082 if (session->ech) {
10083 ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
10084 proto_item_set_generated(ti);
10085 if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
10086 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
10087 } else {
10088 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
10089 }
10090 }
10091 offset += 8;
10092 break;
10093 }
10094
10095 return offset;
10096}
10097
10098static uint32_t
10099ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10100 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10101 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
10102{
10103 uint32_t record_digest_length, encrypted_sni_length;
10104
10105 switch (hnd_type) {
10106 case SSL_HND_CLIENT_HELLO:
10107 /*
10108 * struct {
10109 * CipherSuite suite;
10110 * KeyShareEntry key_share;
10111 * opaque record_digest<0..2^16-1>;
10112 * opaque encrypted_sni<0..2^16-1>;
10113 * } ClientEncryptedSNI;
10114 */
10115 proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
10116 offset += 2;
10117 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL((void*)0));
10118
10119 /* opaque record_digest<0..2^16-1> */
10120 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
10121 hf->hf.esni_record_digest_length, 0, UINT16_MAX(65535))) {
10122 return offset_end;
10123 }
10124 offset += 2;
10125 if (record_digest_length > 0) {
10126 proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA0x00000000);
10127 offset += record_digest_length;
10128 }
10129
10130 /* opaque encrypted_sni<0..2^16-1> */
10131 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
10132 hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX(65535))) {
10133 return offset_end;
10134 }
10135 offset += 2;
10136 if (encrypted_sni_length > 0) {
10137 proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA0x00000000);
10138 offset += encrypted_sni_length;
10139 }
10140 break;
10141
10142 case SSL_HND_ENCRYPTED_EXTENSIONS:
10143 proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA0x00000000);
10144 offset += 16;
10145 break;
10146 }
10147
10148 return offset;
10149}
10150/** TLS Extensions (in Client Hello and Server Hello). }}} */
10151
10152/* Connection ID dissection. {{{ */
10153static uint32_t
10154ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10155 proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
10156 uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
10157{
10158 /* keep track of the decrypt session only for the first pass */
10159 if (cidl > 0 && !PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
10160 tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
10161 *session_cidl = cidl;
10162 *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);
10163 tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
10164 if (ssl) {
10165 ssl_add_session_by_cid(ssl);
10166 }
10167 }
10168
10169 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
10170 tvb, offset, 1, ENC_NA0x00000000);
10171 offset++;
10172
10173 if (cidl > 0) {
10174 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
10175 tvb, offset, cidl, ENC_NA0x00000000);
10176 offset += cidl;
10177 }
10178
10179 return offset;
10180}
10181
10182static uint32_t
10183ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10184 proto_tree *tree, uint32_t offset, uint8_t hnd_type,
10185 SslSession *session, SslDecryptSession *ssl)
10186{
10187 uint8_t cidl = tvb_get_uint8(tvb, offset);
10188
10189 switch (hnd_type) {
10190 case SSL_HND_CLIENT_HELLO:
10191 session->client_cid_len_present = true1;
10192 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10193 cidl, &session->client_cid, &session->client_cid_len);
10194 case SSL_HND_SERVER_HELLO:
10195 session->server_cid_len_present = true1;
10196 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10197 cidl, &session->server_cid, &session->server_cid_len);
10198 default:
10199 return offset;
10200 }
10201} /* }}} */
10202
10203/* Trusted CA dissection. {{{ */
10204static uint32_t
10205ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10206 uint32_t offset, uint32_t offset_end)
10207{
10208 proto_item *ti;
10209 proto_tree *subtree;
10210 uint32_t keys_length, next_offset;
10211
10212 /*
10213 * struct {
10214 * TrustedAuthority trusted_authorities_list<0..2^16-1>;
10215 * } TrustedAuthorities;
10216 *
10217 * struct {
10218 * IdentifierType identifier_type;
10219 * select (identifier_type) {
10220 * case pre_agreed: struct {};
10221 * case key_sha1_hash: SHA1Hash;
10222 * case x509_name: DistinguishedName;
10223 * case cert_sha1_hash: SHA1Hash;
10224 * } identifier;
10225 * } TrustedAuthority;
10226 *
10227 * enum {
10228 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10229 * cert_sha1_hash(3), (255)
10230 * } IdentifierType;
10231 *
10232 * opaque DistinguishedName<1..2^16-1>;
10233 *
10234 */
10235
10236
10237 /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
10238 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
10239 0, UINT16_MAX(65535)))
10240 {
10241 return offset_end;
10242 }
10243 offset += 2;
10244 next_offset = offset + keys_length;
10245
10246 if (keys_length > 0)
10247 {
10248 ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
10249 "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s")((keys_length) == 1 ? ("") : ("s")));
10250 subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);
10251
10252 while (offset < next_offset)
10253 {
10254 uint32_t identifier_type;
10255 proto_tree *trusted_key_tree;
10256 proto_item *trusted_key_item;
10257 asn1_ctx_t asn1_ctx;
10258 uint32_t key_len = 0;
10259
10260 identifier_type = tvb_get_uint8(tvb, offset);
10261
10262 // Use 0 as length for now as we'll only know the size when we decode the identifier
10263 trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
10264 offset, 0, "Trusted CA Key");
10265 trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);
10266
10267 proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
10268 offset, 1, identifier_type);
10269 offset++;
10270
10271 /*
10272 * enum {
10273 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10274 * cert_sha1_hash(3), (255)
10275 * } IdentifierType;
10276 */
10277 switch (identifier_type)
10278 {
10279 case 0:
10280 key_len = 0;
10281 break;
10282 case 2:
10283 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
10284
10285 uint32_t name_length;
10286 /* opaque DistinguishedName<1..2^16-1> */
10287 if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
10288 hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX(65535))) {
10289 return next_offset;
10290 }
10291 offset += 2;
10292
10293 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
10294 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
10295 offset += name_length;
10296 break;
10297 case 1:
10298 case 3:
10299 key_len = 20;
10300 /* opaque SHA1Hash[20]; */
10301 proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
10302 offset, 20, ENC_NA0x00000000);
10303 break;
10304
10305 default:
10306 key_len = 0;
10307 /*TODO display expert info about unknown ? */
10308 break;
10309 }
10310 proto_item_set_len(trusted_key_item, 1 + key_len);
10311 offset += key_len;
10312 }
10313 }
10314
10315 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
10316 {
10317 offset = next_offset;
10318 }
10319
10320 return offset;
10321} /* }}} */
10322
10323
10324/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
10325bool_Bool
10326ssl_is_valid_content_type(uint8_t type)
10327{
10328 switch ((ContentType) type) {
10329 case SSL_ID_CHG_CIPHER_SPEC:
10330 case SSL_ID_ALERT:
10331 case SSL_ID_HANDSHAKE:
10332 case SSL_ID_APP_DATA:
10333 case SSL_ID_HEARTBEAT:
10334 case SSL_ID_TLS12_CID:
10335 case SSL_ID_DTLS13_ACK:
10336 return true1;
10337 }
10338 return false0;
10339}
10340
10341bool_Bool
10342ssl_is_valid_handshake_type(uint8_t hs_type, bool_Bool is_dtls)
10343{
10344 switch ((HandshakeType) hs_type) {
10345 case SSL_HND_HELLO_VERIFY_REQUEST:
10346 /* hello_verify_request is DTLS-only */
10347 return is_dtls;
10348
10349 case SSL_HND_HELLO_REQUEST:
10350 case SSL_HND_CLIENT_HELLO:
10351 case SSL_HND_SERVER_HELLO:
10352 case SSL_HND_NEWSESSION_TICKET:
10353 case SSL_HND_END_OF_EARLY_DATA:
10354 case SSL_HND_HELLO_RETRY_REQUEST:
10355 case SSL_HND_ENCRYPTED_EXTENSIONS:
10356 case SSL_HND_CERTIFICATE:
10357 case SSL_HND_SERVER_KEY_EXCHG:
10358 case SSL_HND_CERT_REQUEST:
10359 case SSL_HND_SVR_HELLO_DONE:
10360 case SSL_HND_CERT_VERIFY:
10361 case SSL_HND_CLIENT_KEY_EXCHG:
10362 case SSL_HND_FINISHED:
10363 case SSL_HND_CERT_URL:
10364 case SSL_HND_CERT_STATUS:
10365 case SSL_HND_SUPPLEMENTAL_DATA:
10366 case SSL_HND_KEY_UPDATE:
10367 case SSL_HND_COMPRESSED_CERTIFICATE:
10368 case SSL_HND_ENCRYPTED_EXTS:
10369 return true1;
10370 case SSL_HND_MESSAGE_HASH:
10371 return false0;
10372 }
10373 return false0;
10374}
10375
10376static bool_Bool
10377ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
10378 bool_Bool is_dtls)
10379{
10380 /* Consider all valid Handshake messages (except for Client Hello) and
10381 * all other valid record types (other than Handshake) */
10382 return (content_type == SSL_ID_HANDSHAKE &&
10383 ssl_is_valid_handshake_type(handshake_type, is_dtls) &&
10384 handshake_type != SSL_HND_CLIENT_HELLO) ||
10385 (content_type != SSL_ID_HANDSHAKE &&
10386 ssl_is_valid_content_type(content_type));
10387}
10388
10389/**
10390 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
10391 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
10392 * Returns true if the supported_versions extension was found, false if not.
10393 */
10394bool_Bool
10395tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
10396 uint16_t *server_version, bool_Bool *is_hrr)
10397{
10398 /* SHA256("HelloRetryRequest") */
10399 static const uint8_t tls13_hrr_random_magic[] = {
10400 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
10401 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
10402 };
10403 uint8_t session_id_length;
10404
10405 *server_version = tvb_get_ntohs(tvb, offset);
10406
10407 /*
10408 * Try to look for supported_versions extension. Minimum length:
10409 * 2 + 32 + 1 = 35 (version, random, session id length)
10410 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10411 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10412 *
10413 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10414 * there's a separate expert info warning for that.
10415 */
10416 if ((*server_version == TLSV1DOT2_VERSION0x303 || *server_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10417 offset += 2;
10418 if (is_hrr) {
10419 *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
10420 }
10421 offset += 32;
10422 session_id_length = tvb_get_uint8(tvb, offset);
10423 offset++;
10424 if (offset_end - offset < session_id_length + 5u) {
10425 return false0;
10426 }
10427 offset += session_id_length + 5;
10428
10429 while (offset_end - offset >= 6) {
10430 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10431 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10432 if (offset_end - offset < 4u + ext_len) {
10433 break; /* not enough data for type, length and data */
10434 }
10435 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10436 if (ext_len == 2) {
10437 *server_version = tvb_get_ntohs(tvb, offset + 4);
10438 }
10439 return true1;
10440 }
10441 offset += 4 + ext_len;
10442 }
10443 } else {
10444 if (is_hrr) {
10445 *is_hrr = false0;
10446 }
10447 }
10448 return false0;
10449}
10450
10451/**
10452 * Scan a Client Hello handshake message to see if the supported_versions
10453 * extension is found, in which case the version field is legacy_version.
10454 */
10455static bool_Bool
10456tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
10457{
10458 uint8_t session_id_length;
10459
10460 uint16_t client_version = tvb_get_ntohs(tvb, offset);
10461
10462 /*
10463 * Try to look for supported_versions extension. Minimum length:
10464 * 2 + 32 + 1 = 35 (version, random, session id length)
10465 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10466 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10467 *
10468 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10469 * there's a separate expert info warning for that.
10470 */
10471 if ((client_version == TLSV1DOT2_VERSION0x303 || client_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10472 offset += 2;
10473 offset += 32;
10474 session_id_length = tvb_get_uint8(tvb, offset);
10475 offset++;
10476 if (offset_end - offset < session_id_length + 2u) {
10477 return false0;
10478 }
10479 offset += session_id_length;
10480 if (client_version == DTLSV1DOT2_VERSION0xfefd) {
10481 uint8_t cookie_length = tvb_get_uint8(tvb, offset);
10482 offset++;
10483 if (offset_end - offset < cookie_length + 2u) {
10484 return false0;
10485 }
10486 }
10487 uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
10488 offset += 2;
10489 if (offset_end - offset < cipher_suites_length + 1u) {
10490 return false0;
10491 }
10492 offset += cipher_suites_length;
10493 uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
10494 offset++;
10495 if (offset_end - offset < compression_methods_length + 2u) {
10496 return false0;
10497 }
10498 offset += compression_methods_length + 2;
10499
10500 while (offset_end - offset >= 6) {
10501 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10502 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10503 if (offset_end - offset < 4u + ext_len) {
10504 break; /* not enough data for type, length and data */
10505 }
10506 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10507 return true1;
10508 }
10509 offset += 4 + ext_len;
10510 }
10511 }
10512 return false0;
10513}
10514void
10515ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
10516 uint8_t content_type, uint8_t handshake_type,
10517 bool_Bool is_dtls, uint16_t version)
10518{
10519 uint8_t tls13_draft = 0;
10520
10521 if (!ssl_is_authoritative_version_message(content_type, handshake_type,
10522 is_dtls))
10523 return;
10524
10525 version = tls_try_get_version(is_dtls, version, &tls13_draft);
10526 if (version == SSL_VER_UNKNOWN0) {
10527 return;
10528 }
10529
10530 session->tls13_draft_version = tls13_draft;
10531 session->version = version;
10532 if (ssl) {
10533 ssl->state |= SSL_VERSION(1<<4);
10534 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), version, ssl->state);
10535 }
10536}
10537
10538void
10539ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
10540 ContentType content_type,
10541 unsigned record_length, proto_item *length_pi,
10542 uint16_t version, tvbuff_t *decrypted_tvb)
10543{
10544 unsigned max_expansion;
10545 if (version == TLSV1DOT3_VERSION0x304) {
10546 /* TLS 1.3: Max length is 2^14 + 256 */
10547 max_expansion = 256;
10548 } else {
10549 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
10550 max_expansion = 2048;
10551 }
10552 /*
10553 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
10554 * and ChangeCipherSpec.
10555 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
10556 * so assume it is permitted.
10557 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
10558 * assume TLS 1.2 requirements.
10559 */
10560 if (record_length == 0 &&
10561 (content_type == SSL_ID_CHG_CIPHER_SPEC ||
10562 content_type == SSL_ID_ALERT ||
10563 content_type == SSL_ID_HANDSHAKE)) {
10564 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10565 "Zero-length %s fragments are not allowed",
10566 val_to_str_const(content_type, ssl_31_content_type, "unknown"));
10567 }
10568 if (record_length > TLS_MAX_RECORD_LENGTH0x4000 + max_expansion) {
10569 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10570 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
10571 }
10572 if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH0x4000) {
10573 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10574 "TLSPlaintext length MUST NOT exceed 2^14");
10575 }
10576}
10577
10578static void
10579ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
10580{
10581 /* store selected cipher suite for decryption */
10582 ssl->session.cipher = cipher;
10583
10584 const SslCipherSuite *cs = ssl_find_cipher(cipher);
10585 if (!cs) {
10586 ssl->cipher_suite = NULL((void*)0);
10587 ssl->state &= ~SSL_CIPHER(1<<2);
10588 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10589 } else if (ssl->session.version == SSLV3_VERSION0x300 && !(cs->dig == DIG_MD50x40 || cs->dig == DIG_SHA0x41)) {
10590 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
10591 * cipher suite that uses for example MACAlgorithm SHA256. Reject that
10592 * to avoid a potential buffer overflow in ssl3_check_mac. */
10593 ssl->cipher_suite = NULL((void*)0);
10594 ssl->state &= ~SSL_CIPHER(1<<2);
10595 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10596 } else {
10597 /* Cipher found, save this for the delayed decoder init */
10598 ssl->cipher_suite = cs;
10599 ssl->state |= SSL_CIPHER(1<<2);
10600 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), cipher,
10601 val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
10602 ssl->state);
10603 }
10604}
10605/* }}} */
10606
10607
10608/* Client Hello and Server Hello dissections. {{{ */
10609static int
10610ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10611 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
10612 SslSession *session, SslDecryptSession *ssl,
10613 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
10614 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length);
10615int
10616// NOLINTNEXTLINE(misc-no-recursion)
10617ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10618 packet_info *pinfo, proto_tree *tree, uint32_t offset,
10619 uint32_t offset_end, SslSession *session,
10620 SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
10621{
10622 /* struct {
10623 * ProtocolVersion client_version;
10624 * Random random;
10625 * SessionID session_id;
10626 * opaque cookie<0..32>; //new field for DTLS
10627 * CipherSuite cipher_suites<2..2^16-1>;
10628 * CompressionMethod compression_methods<1..2^8-1>;
10629 * Extension client_hello_extension_list<0..2^16-1>;
10630 * } ClientHello;
10631 */
10632 proto_item *ti;
10633 proto_tree *cs_tree;
10634 uint32_t client_version;
10635 uint32_t cipher_suite_length;
10636 uint32_t compression_methods_length;
10637 uint8_t compression_method;
10638 uint32_t next_offset;
10639 uint32_t initial_offset = offset;
10640 uint32_t hello_length = offset_end - initial_offset;
10641 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10642 char *ja3_hash;
10643 char *ja3_dash = "";
10644 char *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
10645 ja4_data_t ja4_data;
10646 wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
10647 wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
10648 wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
10649 wmem_list_frame_t *curr_entry;
10650
10651 ja4_data.max_version = 0;
10652 ja4_data.server_name_present = false0;
10653 ja4_data.num_cipher_suites = 0;
10654 ja4_data.num_extensions = 0;
10655 ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
10656 ja4_data.cipher_list = wmem_list_new(pinfo->pool);
10657 ja4_data.extension_list = wmem_list_new(pinfo->pool);
10658 ja4_data.sighash_list = wmem_list_new(pinfo->pool);
10659
10660 /* show the client version */
10661 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, tvb,
10662 offset, 2, ENC_BIG_ENDIAN0x00000000,
10663 &client_version);
10664 if (tls_scan_client_hello(tvb, offset, offset_end)) {
10665 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10666 }
10667 offset += 2;
10668 wmem_strbuf_append_printf(ja3, "%i,", client_version);
10669
10670 /*
10671 * Is it version 1.3?
10672 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
10673 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10674 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
10675 * Hello".
10676 */
10677 if (dtls_hfs != NULL((void*)0)) {
10678 if (client_version == DTLSV1DOT3_VERSION0xfefc) {
10679 /* Don't do that. */
10680 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10681 }
10682 } else {
10683 if (client_version == TLSV1DOT3_VERSION0x304) {
10684 /* Don't do that. */
10685 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10686 }
10687 }
10688
10689 /* dissect fields that are present in both ClientHello and ServerHello */
10690 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, false0, false0);
10691
10692 /* fields specific for DTLS (cookie_len, cookie) */
10693 if (dtls_hfs != NULL((void*)0)) {
10694 uint32_t cookie_length;
10695 /* opaque cookie<0..32> (for DTLS only) */
10696 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
10697 dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
10698 return offset;
10699 }
10700 offset++;
10701 if (cookie_length > 0) {
10702 proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
10703 tvb, offset, cookie_length, ENC_NA0x00000000);
10704 offset += cookie_length;
10705 }
10706 }
10707
10708 /* CipherSuite cipher_suites<2..2^16-1> */
10709 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
10710 hf->hf.hs_cipher_suites_len, 2, UINT16_MAX(65535))) {
10711 return offset;
10712 }
10713 offset += 2;
10714 next_offset = offset + cipher_suite_length;
10715 ti = proto_tree_add_none_format(tree,
10716 hf->hf.hs_cipher_suites,
10717 tvb, offset, cipher_suite_length,
10718 "Cipher Suites (%d suite%s)",
10719 cipher_suite_length / 2,
10720 plurality(cipher_suite_length/2, "", "s")((cipher_suite_length/2) == 1 ? ("") : ("s")));
10721 cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
10722 while (offset + 2 <= next_offset) {
10723 uint32_t cipher_suite;
10724
10725 proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, tvb, offset, 2,
10726 ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10727 offset += 2;
10728 if (!IS_GREASE_TLS(cipher_suite)((((cipher_suite) & 0x0f0f) == 0x0a0a) && (((cipher_suite
) & 0xff) == (((cipher_suite)>>8) & 0xff)))) {
10729 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
10730 ja3_dash = "-";
10731 ja4_data.num_cipher_suites += 1;
10732 wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite)((gpointer) (gulong) (cipher_suite)), wmem_compare_uint);
10733 }
10734 }
10735 wmem_strbuf_append_c(ja3, ',');
10736 if (!ssl_end_vector(hf, tvb, pinfo, cs_tree, offset, next_offset)) {
10737 offset = next_offset;
10738 }
10739
10740 /* CompressionMethod compression_methods<1..2^8-1> */
10741 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
10742 hf->hf.hs_comp_methods_len, 1, UINT8_MAX(255))) {
10743 return offset;
10744 }
10745 offset++;
10746 next_offset = offset + compression_methods_length;
10747 ti = proto_tree_add_none_format(tree,
10748 hf->hf.hs_comp_methods,
10749 tvb, offset, compression_methods_length,
10750 "Compression Methods (%u method%s)",
10751 compression_methods_length,
10752 plurality(compression_methods_length,((compression_methods_length) == 1 ? ("") : ("s"))
10753 "", "s")((compression_methods_length) == 1 ? ("") : ("s")));
10754 cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
10755 while (offset < next_offset) {
10756 compression_method = tvb_get_uint8(tvb, offset);
10757 /* TODO: make reserved/private comp meth. fields selectable */
10758 if (compression_method < 64)
10759 proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
10760 tvb, offset, 1, compression_method);
10761 else if (compression_method > 63 && compression_method < 193)
10762 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10763 compression_method, "Reserved - to be assigned by IANA (%u)",
10764 compression_method);
10765 else
10766 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10767 compression_method, "Private use range (%u)",
10768 compression_method);
10769 offset++;
10770 }
10771
10772 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10773 if (offset < offset_end) {
10774 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10775 offset_end, SSL_HND_CLIENT_HELLO,
10776 session, ssl, dtls_hfs != NULL((void*)0), ja3, &ja4_data, mk_map, initial_offset, hello_length);
10777 if (ja4_data.max_version > 0) {
10778 client_version = ja4_data.max_version;
10779 }
10780 } else {
10781 wmem_strbuf_append_printf(ja3, ",,");
10782 }
10783
10784 if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
10785 wmem_strbuf_append(ja4_a, "t");
10786 } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
10787 wmem_strbuf_append(ja4_a, "q");
10788 } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
10789 wmem_strbuf_append(ja4_a, "d");
10790 }
10791 wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
10792 wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
10793 if (ja4_data.num_cipher_suites > 99) {
10794 wmem_strbuf_append(ja4_a, "99");
10795 } else {
10796 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
10797 }
10798 if (ja4_data.num_extensions > 99) {
10799 wmem_strbuf_append(ja4_a, "99");
10800 } else {
10801 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
10802 }
10803 if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
10804 wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
10805 } else {
10806 wmem_strbuf_append(ja4_a, "00");
10807 }
10808
10809 curr_entry = wmem_list_head(ja4_data.cipher_list);
10810 for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
10811 wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10812 if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
10813 wmem_strbuf_append(ja4_br, ",");
10814 }
10815 curr_entry = wmem_list_frame_next(curr_entry);
10816 }
10817
10818 curr_entry = wmem_list_head(ja4_data.extension_list);
10819 for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
10820 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10821 if (i < wmem_list_count(ja4_data.extension_list) - 1) {
10822 wmem_strbuf_append(ja4_cr, ",");
10823 }
10824 curr_entry = wmem_list_frame_next(curr_entry);
10825 }
10826
10827 if (wmem_list_count(ja4_data.sighash_list) > 0) {
10828 wmem_strbuf_append(ja4_cr, "_");
10829 curr_entry = wmem_list_head(ja4_data.sighash_list);
10830 for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
10831 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10832 if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
10833 wmem_strbuf_append(ja4_cr, ",");
10834 }
10835 curr_entry = wmem_list_frame_next(curr_entry);
10836 }
10837 }
10838 if ( wmem_strbuf_get_len(ja4_br) == 0 ) {
10839 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10840 } else {
10841 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
10842 }
10843 ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);
10844
10845 g_free(ja4_hash);
10846 if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
10847 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10848 } else {
10849 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
10850 }
10851 ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
10852 g_free(ja4_hash);
10853
10854 ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
10855 ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));
10856
10857 ti = proto_tree_add_string(tree, hf->hf.hs_ja4, tvb, offset, 0, ja4);
10858 proto_item_set_generated(ti);
10859 ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, tvb, offset, 0, ja4_r);
10860 proto_item_set_generated(ti);
10861
10862 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
10863 wmem_strbuf_get_len(ja3));
10864 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
10865 proto_item_set_generated(ti);
10866 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, tvb, offset, 0, ja3_hash);
10867 proto_item_set_generated(ti);
10868 g_free(ja3_hash);
10869 return offset;
10870}
10871
10872void
10873ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10874 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10875 SslSession *session, SslDecryptSession *ssl,
10876 bool_Bool is_dtls, bool_Bool is_hrr)
10877{
10878 /* struct {
10879 * ProtocolVersion server_version;
10880 * Random random;
10881 * SessionID session_id; // TLS 1.2 and before
10882 * CipherSuite cipher_suite;
10883 * CompressionMethod compression_method; // TLS 1.2 and before
10884 * Extension server_hello_extension_list<0..2^16-1>;
10885 * } ServerHello;
10886 */
10887 uint8_t draft_version = session->tls13_draft_version;
10888 proto_item *ti;
10889 uint32_t server_version;
10890 uint32_t cipher_suite;
10891 uint32_t initial_offset = offset;
10892 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10893 char *ja3_hash;
10894
10895 col_set_str(pinfo->cinfo, COL_PROTOCOL,
10896 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
10897
10898 /* Initially assume that the session is resumed. If this is not the case, a
10899 * ServerHelloDone will be observed before the ChangeCipherSpec message
10900 * which will reset this flag. */
10901 session->is_session_resumed = true1;
10902
10903 /* show the server version */
10904 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
10905 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);
10906
10907 uint16_t supported_server_version;
10908 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
10909 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10910 }
10911 /*
10912 * Is it version 1.3?
10913 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
10914 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10915 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
10916 * Hello".
10917 */
10918 if (is_dtls) {
10919 if (server_version == DTLSV1DOT3_VERSION0xfefc) {
10920 /* Don't do that. */
10921 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10922 }
10923 } else {
10924 if (server_version == TLSV1DOT3_VERSION0x304) {
10925 /* Don't do that. */
10926 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10927 }
10928 }
10929
10930 offset += 2;
10931 wmem_strbuf_append_printf(ja3, "%i", server_version);
10932
10933 /* dissect fields that are present in both ClientHello and ServerHello */
10934 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);
10935
10936 if (ssl) {
10937 /* store selected cipher suite for decryption */
10938 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
10939 }
10940
10941 /* now the server-selected cipher suite */
10942 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
10943 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10944 offset += 2;
10945 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
10946
10947 /* No compression with TLS 1.3 before draft -22 */
10948 if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
10949 if (ssl) {
10950 /* store selected compression method for decryption */
10951 ssl->session.compression = tvb_get_uint8(tvb, offset);
10952 }
10953 /* and the server-selected compression method */
10954 proto_tree_add_item(tree, hf->hf.hs_comp_method,
10955 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
10956 offset++;
10957 }
10958
10959 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10960 if (offset < offset_end) {
10961 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10962 offset_end,
10963 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
10964 session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0), 0, 0);
10965 }
10966
10967 if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
10968 int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
10969 if (hash_algo) {
10970 SSL_MDgcry_md_hd_t mc;
10971 unsigned char transcript_hash[DIGEST_MAX_SIZE48];
10972 unsigned char prk[DIGEST_MAX_SIZE48];
10973 unsigned char *ech_verify_out = NULL((void*)0);
10974 unsigned int len;
10975 ssl_md_init(&mc, hash_algo);
10976 ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
10977 if (is_hrr) {
10978 ssl_md_final(&mc, transcript_hash, &len);
10979 ssl_md_cleanup(&mc);
10980 wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
10981 ssl->ech_transcript.data_len = 4 + len;
10982 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
10983 ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
10984 ssl->ech_transcript.data[1] = 0;
10985 ssl->ech_transcript.data[2] = 0;
10986 ssl->ech_transcript.data[3] = len;
10987 memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
10988 ssl_md_init(&mc, hash_algo);
10989 ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
10990 } else {
10991 ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
10992 ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
10993 }
10994 if (initial_offset > 4) {
10995 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
10996 4 + offset_end - initial_offset);
10997 if (is_hrr)
10998 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset-4, 38), 38);
10999 else
11000 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset-4, 30), 30);
11001 } else {
11002 uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
11003 prefix[2] = ((offset - initial_offset) >> 8);
11004 prefix[3] = (offset - initial_offset) & 0xff;
11005 memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
11006 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
11007 offset_end - initial_offset);
11008 ssl_md_update(&mc, prefix, 4);
11009 if (is_hrr)
11010 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset, 34), 34);
11011 else
11012 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset, 26), 26);
11013 }
11014 ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
11015 uint8_t zeros[8] = { 0 };
11016 uint32_t confirmation_offset = initial_offset + 26;
11017 if (is_hrr) {
11018 uint32_t hrr_offset = initial_offset + 34;
11019 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset,
11020 tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
11021 hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
11022 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 3), 3);
11023 hrr_offset += 3;
11024 uint16_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
11025 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 2), 2);
11026 hrr_offset += 2;
11027 while (extensions_end - hrr_offset >= 4) {
11028 if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
11029 tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
11030 confirmation_offset = hrr_offset + 4;
11031 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 4), 4);
11032 ssl_md_update(&mc, zeros, 8);
11033 hrr_offset += 12;
11034 } else {
11035 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
11036 tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
11037 hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
11038 }
11039 }
11040 } else {
11041 ssl_md_update(&mc, zeros, 8);
11042 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
11043 offset - initial_offset - 34);
11044 }
11045 ssl_md_final(&mc, transcript_hash, &len);
11046 ssl_md_cleanup(&mc);
11047 hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
11048 StringInfo prk_string = {prk, len};
11049 tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
11050 is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
11051 transcript_hash, len, 8, &ech_verify_out);
11052 memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
11053 if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
11054 if (is_hrr) {
11055 ssl->session.hrr_ech_declined = true1;
11056 ssl->session.first_ch_ech_frame = 0;
11057 }
11058 memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
11059 ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
11060 }
11061 wmem_free(NULL((void*)0), ech_verify_out);
11062 ssl->session.ech = true1;
11063 }
11064 }
11065
11066 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
11067 wmem_strbuf_get_len(ja3));
11068 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
11069 proto_item_set_generated(ti);
11070 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
11071 proto_item_set_generated(ti);
11072 g_free(ja3_hash);
11073}
11074/* Client Hello and Server Hello dissections. }}} */
11075
11076/* New Session Ticket dissection. {{{ */
11077void
11078ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11079 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11080 SslSession *session, SslDecryptSession *ssl,
11081 bool_Bool is_dtls, GHashTable *session_hash)
11082{
11083 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
11084 * struct {
11085 * uint32 ticket_lifetime_hint;
11086 * opaque ticket<0..2^16-1>;
11087 * } NewSessionTicket;
11088 *
11089 * RFC 8446 Section 4.6.1 (TLS 1.3):
11090 * struct {
11091 * uint32 ticket_lifetime;
11092 * uint32 ticket_age_add;
11093 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -22
11094 * opaque ticket<1..2^16-1>;
11095 * Extension extensions<0..2^16-2>;
11096 * } NewSessionTicket;
11097 */
11098 proto_tree *subtree;
11099 proto_item *subitem;
11100 uint32_t ticket_len;
11101 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc;
11102 unsigned char draft_version = session->tls13_draft_version;
11103 uint32_t lifetime_hint;
11104
11105 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11106 hf->ett.session_ticket, NULL((void*)0),
11107 "TLS Session Ticket");
11108
11109 /* ticket lifetime hint */
11110 subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,
11111 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000, &lifetime_hint);
11112 offset += 4;
11113
11114 if (lifetime_hint >= 60) {
11115 char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);
11116 proto_item_append_text(subitem, " (%s)", time_str);
11117 }
11118
11119 if (is_tls13) {
11120
11121 /* for TLS 1.3: ticket_age_add */
11122 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
11123 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
11124 offset += 4;
11125
11126 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
11127 if (draft_version == 0 || draft_version >= 21) {
11128 uint32_t ticket_nonce_len;
11129
11130 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,
11131 hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
11132 return;
11133 }
11134 offset++;
11135
11136 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA0x00000000);
11137 offset += ticket_nonce_len;
11138 }
11139
11140 }
11141
11142 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
11143 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
11144 hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX(65535))) {
11145 return;
11146 }
11147 offset += 2;
11148
11149 /* Content depends on implementation, so just show data! */
11150 proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
11151 tvb, offset, ticket_len, ENC_NA0x00000000);
11152 /* save the session ticket to cache for ssl_finalize_decryption */
11153 if (ssl && !is_tls13) {
11154 tvb_ensure_bytes_exist(tvb, offset, ticket_len);
11155 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
11156 ssl->session_ticket.data, ticket_len);
11157 ssl->session_ticket.data_len = ticket_len;
11158 tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
11159 /* NewSessionTicket is received after the first (client)
11160 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
11161 * Since the second CCS has already the session key available it will
11162 * just return. To ensure that the session ticket is mapped to a
11163 * master key (from the first CCS), save the ticket here too. */
11164 ssl_save_master_key("Session Ticket", session_hash,
11165 &ssl->session_ticket, &ssl->master_secret);
11166 ssl->state |= SSL_NEW_SESSION_TICKET(1<<10);
11167 }
11168 offset += ticket_len;
11169
11170 if (is_tls13) {
11171 ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11172 offset_end, SSL_HND_NEWSESSION_TICKET,
11173 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11174 }
11175} /* }}} */
11176
11177void
11178ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11179 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11180 SslSession *session, SslDecryptSession *ssl,
11181 bool_Bool is_dtls)
11182{
11183 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
11184 * struct {
11185 * ProtocolVersion server_version;
11186 * CipherSuite cipher_suite; // not before draft -19
11187 * Extension extensions<2..2^16-1>;
11188 * } HelloRetryRequest;
11189 * Note: no longer used since draft -22
11190 */
11191 uint32_t version;
11192 uint8_t draft_version;
11193
11194 proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11195 offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
11196 draft_version = extract_tls13_draft_version(version);
11197 offset += 2;
11198
11199 if (draft_version == 0 || draft_version >= 19) {
11200 proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
11201 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11202 offset += 2;
11203 }
11204
11205 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11206 offset_end, SSL_HND_HELLO_RETRY_REQUEST,
11207 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11208}
11209
11210void
11211ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11212 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11213 SslSession *session, SslDecryptSession *ssl,
11214 bool_Bool is_dtls)
11215{
11216 /* RFC 8446 Section 4.3.1
11217 * struct {
11218 * Extension extensions<0..2^16-1>;
11219 * } EncryptedExtensions;
11220 */
11221 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11222 offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,
11223 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11224}
11225
11226/* Certificate and Certificate Request dissections. {{{ */
11227void
11228ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11229 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11230 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
11231 bool_Bool is_from_server, bool_Bool is_dtls)
11232{
11233 /* opaque ASN.1Cert<1..2^24-1>;
11234 *
11235 * Before RFC 8446 (TLS <= 1.2):
11236 * struct {
11237 * select(certificate_type) {
11238 *
11239 * // certificate type defined in RFC 7250
11240 * case RawPublicKey:
11241 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
11242 *
11243 * // X.509 certificate defined in RFC 5246
11244 * case X.509:
11245 * ASN.1Cert certificate_list<0..2^24-1>;
11246 * };
11247 * } Certificate;
11248 *
11249 * RFC 8446 (since draft -20):
11250 * struct {
11251 * select(certificate_type){
11252 * case RawPublicKey:
11253 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
11254 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
11255 *
11256 * case X.509:
11257 * opaque cert_data<1..2^24-1>;
11258 * }
11259 * Extension extensions<0..2^16-1>;
11260 * } CertificateEntry;
11261 * struct {
11262 * opaque certificate_request_context<0..2^8-1>;
11263 * CertificateEntry certificate_list<0..2^24-1>;
11264 * } Certificate;
11265 */
11266 enum { CERT_X509, CERT_RPK } cert_type;
11267 asn1_ctx_t asn1_ctx;
11268#if defined(HAVE_LIBGNUTLS1)
11269 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
11270 unsigned certificate_index = 0;
11271#endif
11272 uint32_t next_offset, certificate_list_length, cert_length;
11273 proto_tree *subtree = tree;
11274
11275 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11276
11277 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
11278 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
11279 cert_type = CERT_RPK;
11280 } else {
11281 cert_type = CERT_X509;
11282 }
11283
11284#if defined(HAVE_LIBGNUTLS1)
11285 /* Ask the pkcs1 dissector to return the public key details */
11286 if (ssl)
11287 asn1_ctx.private_data = &subjectPublicKeyInfo;
11288#endif
11289
11290 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
11291 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
11292 uint32_t context_length;
11293 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11294 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11295 return;
11296 }
11297 offset++;
11298 if (context_length > 0) {
11299 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11300 tvb, offset, context_length, ENC_NA0x00000000);
11301 offset += context_length;
11302 }
11303 }
11304
11305 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
11306 /* For RPK before TLS 1.3, the single RPK is stored directly without
11307 * another "certificate_list" field. */
11308 certificate_list_length = offset_end - offset;
11309 next_offset = offset_end;
11310 } else {
11311 /* CertificateEntry certificate_list<0..2^24-1> */
11312 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
11313 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
11314 return;
11315 }
11316 offset += 3; /* 24-bit length value */
11317 next_offset = offset + certificate_list_length;
11318 }
11319
11320 /* RawPublicKey must have one cert, but X.509 can have multiple. */
11321 if (certificate_list_length > 0 && cert_type == CERT_X509) {
11322 proto_item *ti;
11323
11324 ti = proto_tree_add_none_format(tree,
11325 hf->hf.hs_certificates,
11326 tvb, offset, certificate_list_length,
11327 "Certificates (%u bytes)",
11328 certificate_list_length);
11329
11330 /* make it a subtree */
11331 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
11332 }
11333
11334 while (offset < next_offset) {
11335 switch (cert_type) {
11336 case CERT_RPK:
11337 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
11338 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
11339 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11340 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11341 return;
11342 }
11343 offset += 3;
11344
11345 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11346 offset += cert_length;
11347 break;
11348 case CERT_X509:
11349 /* opaque ASN1Cert<1..2^24-1> */
11350 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11351 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11352 return;
11353 }
11354 offset += 3;
11355
11356 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11357#if defined(HAVE_LIBGNUTLS1)
11358 if (is_from_server && ssl && certificate_index == 0) {
11359 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
11360 /* Only attempt to get the RSA modulus for the first cert. */
11361 asn1_ctx.private_data = NULL((void*)0);
11362 }
11363#endif
11364 offset += cert_length;
11365 break;
11366 }
11367
11368 /* TLS 1.3: Extension extensions<0..2^16-1> */
11369 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
11370 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11371 next_offset, SSL_HND_CERTIFICATE,
11372 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11373 }
11374
11375#if defined(HAVE_LIBGNUTLS1)
11376 certificate_index++;
11377#endif
11378 }
11379}
11380
11381void
11382ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11383 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11384 SslSession *session, bool_Bool is_dtls)
11385{
11386 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
11387 * enum {
11388 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11389 * (255)
11390 * } ClientCertificateType;
11391 *
11392 * opaque DistinguishedName<1..2^16-1>;
11393 *
11394 * struct {
11395 * ClientCertificateType certificate_types<1..2^8-1>;
11396 * DistinguishedName certificate_authorities<3..2^16-1>;
11397 * } CertificateRequest;
11398 *
11399 *
11400 * As per TLSv1.2 (RFC 5246) the format has changed to:
11401 *
11402 * enum {
11403 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11404 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
11405 * fortezza_dms_RESERVED(20), (255)
11406 * } ClientCertificateType;
11407 *
11408 * enum {
11409 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
11410 * sha512(6), (255)
11411 * } HashAlgorithm;
11412 *
11413 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
11414 * SignatureAlgorithm;
11415 *
11416 * struct {
11417 * HashAlgorithm hash;
11418 * SignatureAlgorithm signature;
11419 * } SignatureAndHashAlgorithm;
11420 *
11421 * SignatureAndHashAlgorithm
11422 * supported_signature_algorithms<2..2^16-2>;
11423 *
11424 * opaque DistinguishedName<1..2^16-1>;
11425 *
11426 * struct {
11427 * ClientCertificateType certificate_types<1..2^8-1>;
11428 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
11429 * DistinguishedName certificate_authorities<0..2^16-1>;
11430 * } CertificateRequest;
11431 *
11432 * draft-ietf-tls-tls13-18:
11433 * struct {
11434 * opaque certificate_request_context<0..2^8-1>;
11435 * SignatureScheme
11436 * supported_signature_algorithms<2..2^16-2>;
11437 * DistinguishedName certificate_authorities<0..2^16-1>;
11438 * CertificateExtension certificate_extensions<0..2^16-1>;
11439 * } CertificateRequest;
11440 *
11441 * RFC 8446 (since draft-ietf-tls-tls13-19):
11442 *
11443 * struct {
11444 * opaque certificate_request_context<0..2^8-1>;
11445 * Extension extensions<2..2^16-1>;
11446 * } CertificateRequest;
11447 */
11448 proto_item *ti;
11449 proto_tree *subtree;
11450 uint32_t next_offset;
11451 asn1_ctx_t asn1_ctx;
11452 bool_Bool is_tls13 = (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc);
11453 unsigned char draft_version = session->tls13_draft_version;
11454
11455 if (!tree)
11456 return;
11457
11458 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11459
11460 if (is_tls13) {
11461 uint32_t context_length;
11462 /* opaque certificate_request_context<0..2^8-1> */
11463 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11464 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11465 return;
11466 }
11467 offset++;
11468 if (context_length > 0) {
11469 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11470 tvb, offset, context_length, ENC_NA0x00000000);
11471 offset += context_length;
11472 }
11473 } else {
11474 uint32_t cert_types_count;
11475 /* ClientCertificateType certificate_types<1..2^8-1> */
11476 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
11477 hf->hf.hs_cert_types_count, 1, UINT8_MAX(255))) {
11478 return;
11479 }
11480 offset++;
11481 next_offset = offset + cert_types_count;
11482
11483 ti = proto_tree_add_none_format(tree,
11484 hf->hf.hs_cert_types,
11485 tvb, offset, cert_types_count,
11486 "Certificate types (%u type%s)",
11487 cert_types_count,
11488 plurality(cert_types_count, "", "s")((cert_types_count) == 1 ? ("") : ("s")));
11489 subtree = proto_item_add_subtree(ti, hf->ett.cert_types);
11490
11491 while (offset < next_offset) {
11492 proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11493 offset++;
11494 }
11495 }
11496
11497 if (session->version == TLSV1DOT2_VERSION0x303 || session->version == DTLSV1DOT2_VERSION0xfefd ||
11498 (is_tls13 && (draft_version > 0 && draft_version < 19))) {
11499 offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
11500 }
11501
11502 if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
11503 /*
11504 * TLS 1.3 draft 19 and newer: Extensions.
11505 * SslDecryptSession pointer is NULL because Certificate Extensions
11506 * should not influence decryption state.
11507 */
11508 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11509 offset_end, SSL_HND_CERT_REQUEST,
11510 session, NULL((void*)0), is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11511 } else if (is_tls13 && draft_version <= 18) {
11512 /*
11513 * TLS 1.3 draft 18 and older: certificate_authorities and
11514 * certificate_extensions (a vector of OID mappings).
11515 */
11516 offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11517 ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
11518 } else {
11519 /* for TLS 1.2 and older, the certificate_authorities field. */
11520 tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11521 }
11522}
11523/* Certificate and Certificate Request dissections. }}} */
11524
11525void
11526ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11527 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
11528{
11529 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
11530 hf->hf.hs_client_cert_vrfy_sig_len,
11531 hf->hf.hs_client_cert_vrfy_sig);
11532}
11533
11534/* Finished dissection. {{{ */
11535void
11536ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11537 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11538 const SslSession *session, ssl_hfs_t *ssl_hfs)
11539{
11540 /* For SSLv3:
11541 * struct {
11542 * opaque md5_hash[16];
11543 * opaque sha_hash[20];
11544 * } Finished;
11545 *
11546 * For (D)TLS:
11547 * struct {
11548 * opaque verify_data[12];
11549 * } Finished;
11550 *
11551 * For TLS 1.3:
11552 * struct {
11553 * opaque verify_data[Hash.length];
11554 * }
11555 */
11556 if (!tree)
11557 return;
11558
11559 if (session->version == SSLV3_VERSION0x300) {
11560 if (ssl_hfs != NULL((void*)0)) {
11561 proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
11562 tvb, offset, 16, ENC_NA0x00000000);
11563 proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
11564 tvb, offset + 16, 20, ENC_NA0x00000000);
11565 }
11566 } else {
11567 /* Length should be 12 for TLS before 1.3, assume this is the case. */
11568 proto_tree_add_item(tree, hf->hf.hs_finished,
11569 tvb, offset, offset_end - offset, ENC_NA0x00000000);
11570 }
11571} /* }}} */
11572
11573/* RFC 6066 Certificate URL handshake message dissection. {{{ */
11574void
11575ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
11576{
11577 uint16_t url_hash_len;
11578
11579 /* enum {
11580 * individual_certs(0), pkipath(1), (255)
11581 * } CertChainType;
11582 *
11583 * struct {
11584 * CertChainType type;
11585 * URLAndHash url_and_hash_list<1..2^16-1>;
11586 * } CertificateURL;
11587 *
11588 * struct {
11589 * opaque url<1..2^16-1>;
11590 * unint8 padding;
11591 * opaque SHA1Hash[20];
11592 * } URLAndHash;
11593 */
11594
11595 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
11596 tvb, offset, 1, ENC_NA0x00000000);
11597 offset++;
11598
11599 url_hash_len = tvb_get_ntohs(tvb, offset);
11600 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
11601 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11602 offset += 2;
11603 while (url_hash_len-- > 0) {
11604 proto_item *urlhash_item;
11605 proto_tree *urlhash_tree;
11606 uint16_t url_len;
11607
11608 urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
11609 tvb, offset, -1, ENC_NA0x00000000);
11610 urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);
11611
11612 url_len = tvb_get_ntohs(tvb, offset);
11613 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
11614 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11615 offset += 2;
11616
11617 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
11618 tvb, offset, url_len, ENC_ASCII0x00000000|ENC_NA0x00000000);
11619 offset += url_len;
11620
11621 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
11622 tvb, offset, 1, ENC_NA0x00000000);
11623 offset++;
11624 /* Note: RFC 6066 says that padding must be 0x01 */
11625
11626 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
11627 tvb, offset, 20, ENC_NA0x00000000);
11628 offset += 20;
11629 }
11630} /* }}} */
11631
11632void
11633ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11634 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11635 SslSession *session, SslDecryptSession *ssl,
11636 bool_Bool is_from_server, bool_Bool is_dtls)
11637{
11638 uint32_t algorithm, uncompressed_length;
11639 uint32_t compressed_certificate_message_length;
11640 tvbuff_t *uncompressed_tvb = NULL((void*)0);
11641 proto_item *ti;
11642 /*
11643 * enum {
11644 * zlib(1),
11645 * brotli(2),
11646 * zstd(3),
11647 * (65535)
11648 * } CertificateCompressionAlgorithm;
11649 *
11650 * struct {
11651 * CertificateCompressionAlgorithm algorithm;
11652 * uint24 uncompressed_length;
11653 * opaque compressed_certificate_message<1..2^24-1>;
11654 * } CompressedCertificate;
11655 */
11656
11657 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
11658 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &algorithm);
11659 offset += 2;
11660
11661 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
11662 tvb, offset, 3, ENC_BIG_ENDIAN0x00000000, &uncompressed_length);
11663 offset += 3;
11664
11665 /* opaque compressed_certificate_message<1..2^24-1>; */
11666 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,
11667 hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24((1U << 24) - 1))) {
11668 return;
11669 }
11670 offset += 3;
11671
11672 ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
11673 tvb, offset, compressed_certificate_message_length, ENC_NA0x00000000);
11674
11675 /* Certificate decompression following algorithm */
11676 switch (algorithm) {
11677 case 1: /* zlib */
11678 uncompressed_tvb = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_certificate_message_length);
11679 break;
11680 case 2: /* brotli */
11681 uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);
11682 break;
11683 case 3: /* zstd */
11684 uncompressed_tvb = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_certificate_message_length);
11685 break;
11686 }
11687
11688 if (uncompressed_tvb) {
11689 proto_tree *uncompressed_tree;
11690
11691 if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {
11692 proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
11693 tvb, offset, offset_end - offset,
11694 "Invalid uncompressed length %u (expected %u)",
11695 tvb_captured_length(uncompressed_tvb),
11696 uncompressed_length);
11697 } else {
11698 uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
11699 ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
11700 0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
11701 add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
11702 }
11703 }
11704}
11705
11706/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
11707static int
11708// NOLINTNEXTLINE(misc-no-recursion)
11709ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11710 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
11711 SslSession *session, SslDecryptSession *ssl,
11712 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
11713 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length)
11714{
11715 uint32_t exts_len;
11716 uint16_t ext_type;
11717 uint32_t ext_len;
11718 uint32_t next_offset;
11719 proto_item *ext_item;
11720 proto_tree *ext_tree;
11721 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
11722 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
11723 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
11724 char *ja3_dash = "";
11725 unsigned supported_version;
11726
11727 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
11728 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
11729 hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
11730 return offset_end;
11731 }
11732 offset += 2;
11733 offset_end = offset + exts_len;
11734
11735 if (ja4_data) {
11736 ja4_data->num_extensions = 0;
11737 }
11738 while (offset_end - offset >= 4)
11739 {
11740 ext_type = tvb_get_ntohs(tvb, offset);
11741 ext_len = tvb_get_ntohs(tvb, offset + 2);
11742
11743 if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11744 ja4_data->num_extensions += 1;
11745 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
11746 ext_type != SSL_HND_HELLO_EXT_ALPN16) {
11747 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
11748 }
11749 }
11750
11751 ext_item = proto_tree_add_none_format(tree, hf->hf.hs_ext, tvb, offset, 4 + ext_len,
11752 "Extension: %s (len=%u)", val_to_str(pinfo->pool, ext_type,
11753 tls_hello_extension_types,
11754 "Unknown type %u"), ext_len);
11755 ext_tree = proto_item_add_subtree(ext_item, hf->ett.hs_ext);
11756
11757 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
11758 tvb, offset, 2, ext_type);
11759 offset += 2;
11760 if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11761 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
11762 ja3_dash = "-";
11763 }
11764
11765 /* opaque extension_data<0..2^16-1> */
11766 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
11767 hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
11768 return offset_end;
11769 }
11770 offset += 2;
11771 next_offset = offset + ext_len;
11772
11773 switch (ext_type) {
11774 case SSL_HND_HELLO_EXT_SERVER_NAME0:
11775 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11776 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
11777 if (ja4_data) {
11778 ja4_data->server_name_present = true1;
11779 }
11780 }
11781 break;
11782 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
11783 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
11784 offset += 1;
11785 break;
11786 case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
11787 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11788 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
11789 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
11790 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
11791 }
11792 break;
11793 case SSL_HND_HELLO_EXT_CERT_TYPE9:
11794 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11795 offset, next_offset,
11796 hnd_type, ext_type,
11797 session);
11798 break;
11799 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
11800 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11801 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11802 next_offset, ja3_sg);
11803 } else {
11804 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11805 next_offset, NULL((void*)0));
11806 }
11807 break;
11808 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
11809 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11810 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
11811 } else {
11812 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
11813 }
11814 break;
11815 break;
11816 case SSL_HND_HELLO_EXT_SRP12:
11817 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
11818 break;
11819 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
11820 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
11821 break;
11822 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
11823 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
11824 break;
11825 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
11826 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
11827 break;
11828 case SSL_HND_HELLO_EXT_USE_SRTP14:
11829 if (is_dtls) {
11830 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11831 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
11832 } else if (hnd_type == SSL_HND_SERVER_HELLO) {
11833 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
11834 }
11835 } else {
11836 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
11837 }
11838 break;
11839 case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
11840 offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
11841 break;
11842 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
11843 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map, initial_offset, hello_length);
11844 break;
11845 case SSL_HND_HELLO_EXT_HEARTBEAT15:
11846 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
11847 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11848 offset++;
11849 break;
11850 case SSL_HND_HELLO_EXT_ALPN16:
11851 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
11852 break;
11853 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
11854 if (hnd_type == SSL_HND_CLIENT_HELLO)
11855 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
11856 break;
11857 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
11858 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
11859 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
11860 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
11861 break;
11862 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
11863 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
11864 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11865 offset, next_offset,
11866 hnd_type, ext_type,
11867 session);
11868 break;
11869 case SSL_HND_HELLO_EXT_PADDING21:
11870 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
11871 offset += ext_len;
11872 break;
11873 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
11874 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
11875 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
11876 ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
11877 }
11878 break;
11879 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
11880 if (ssl) {
11881 switch (hnd_type) {
11882 case SSL_HND_CLIENT_HELLO:
11883 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
11884 break;
11885 case SSL_HND_SERVER_HELLO:
11886 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
11887 break;
11888 default: /* no default */
11889 break;
11890 }
11891 }
11892 break;
11893 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
11894 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11895 break;
11896 case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
11897 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11898 break;
11899 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
11900 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
11901 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11902 offset += 2;
11903 break;
11904 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
11905 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
11906 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11907 break;
11908 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
11909 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
11910 break;
11911 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
11912 case SSL_HND_HELLO_EXT_KEY_SHARE51:
11913 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11914 break;
11915 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
11916 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11917 break;
11918 case SSL_HND_HELLO_EXT_EARLY_DATA42:
11919 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
11920 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11921 break;
11922 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
11923 switch (hnd_type) {
11924 case SSL_HND_CLIENT_HELLO:
11925 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
11926 break;
11927 case SSL_HND_SERVER_HELLO:
11928 case SSL_HND_HELLO_RETRY_REQUEST:
11929 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
11930 offset += 2;
11931 proto_item_append_text(ext_tree, " %s", val_to_str(pinfo->pool, supported_version, ssl_versions, "Unknown (0x%04x)"));
11932 break;
11933 }
11934 break;
11935 case SSL_HND_HELLO_EXT_COOKIE44:
11936 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
11937 break;
11938 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
11939 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
11940 break;
11941 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
11942 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
11943 break;
11944 case SSL_HND_HELLO_EXT_OID_FILTERS48:
11945 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
11946 break;
11947 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
11948 break;
11949 case SSL_HND_HELLO_EXT_NPN13172:
11950 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
11951 break;
11952 case SSL_HND_HELLO_EXT_ALPS_OLD17513:
11953 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11954 break;
11955 case SSL_HND_HELLO_EXT_ALPS17613:
11956 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11957 break;
11958 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
11959 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
11960 break;
11961 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
11962 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11963 break;
11964 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
11965 session->deprecated_cid = true1;
11966 /* FALLTHRU */
11967 case SSL_HND_HELLO_EXT_CONNECTION_ID54:
11968 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
11969 break;
11970 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
11971 offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
11972 break;
11973 default:
11974 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
11975 tvb, offset, ext_len, ENC_NA0x00000000);
11976 offset += ext_len;
11977 break;
11978 }
11979
11980 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
11981 /* Dissection did not end at expected location, fix it. */
11982 offset = next_offset;
11983 }
11984 }
11985
11986 if (ja3) {
11987 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11988 if(wmem_strbuf_get_len(ja3_sg) > 0) {
11989 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
11990 } else {
11991 wmem_strbuf_append_c(ja3, ',');
11992 }
11993 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
11994 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
11995 } else {
11996 wmem_strbuf_append_c(ja3, ',');
11997 }
11998 }
11999 }
12000
12001 /* Check if Extensions vector is correctly terminated. */
12002 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
12003 offset = offset_end;
12004 }
12005
12006 return offset;
12007} /* }}} */
12008
12009
12010/* ClientKeyExchange algo-specific dissectors. {{{ */
12011
12012static void
12013dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12014 proto_tree *tree, uint32_t offset,
12015 uint32_t length)
12016{
12017 int point_len;
12018 proto_tree *ssl_ecdh_tree;
12019
12020 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12021 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Client Params");
12022
12023 /* point */
12024 point_len = tvb_get_uint8(tvb, offset);
12025 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
12026 offset, 1, ENC_BIG_ENDIAN0x00000000);
12027 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
12028 offset + 1, point_len, ENC_NA0x00000000);
12029}
12030
12031static void
12032dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12033 proto_tree *tree, uint32_t offset, uint32_t length)
12034{
12035 int yc_len;
12036 proto_tree *ssl_dh_tree;
12037
12038 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12039 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Client Params");
12040
12041 /* ClientDiffieHellmanPublic.dh_public (explicit) */
12042 yc_len = tvb_get_ntohs(tvb, offset);
12043 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
12044 offset, 2, ENC_BIG_ENDIAN0x00000000);
12045 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,
12046 offset + 2, yc_len, ENC_NA0x00000000);
12047}
12048
12049static void
12050dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12051 proto_tree *tree, uint32_t offset,
12052 uint32_t length, const SslSession *session)
12053{
12054 int epms_len;
12055 proto_tree *ssl_rsa_tree;
12056
12057 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12058 hf->ett.keyex_params, NULL((void*)0), "RSA Encrypted PreMaster Secret");
12059
12060 /* EncryptedPreMasterSecret.pre_master_secret */
12061 switch (session->version) {
12062 case SSLV2_VERSION0x0002:
12063 case SSLV3_VERSION0x300:
12064 case DTLSV1DOT0_OPENSSL_VERSION0x100:
12065 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
12066 * not present. The handshake contents represents the EPMS, see:
12067 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
12068 epms_len = length;
12069 break;
12070
12071 default:
12072 /* TLS and DTLS include vector length before EPMS */
12073 epms_len = tvb_get_ntohs(tvb, offset);
12074 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12075 offset, 2, ENC_BIG_ENDIAN0x00000000);
12076 offset += 2;
12077 break;
12078 }
12079 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
12080 offset, epms_len, ENC_NA0x00000000);
12081}
12082
12083/* Used in PSK cipher suites */
12084static uint32_t
12085dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12086 proto_tree *tree, uint32_t offset)
12087{
12088 unsigned identity_len;
12089 proto_tree *ssl_psk_tree;
12090
12091 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12092 hf->ett.keyex_params, NULL((void*)0), "PSK Client Params");
12093 /* identity */
12094 identity_len = tvb_get_ntohs(tvb, offset);
12095 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
12096 offset, 2, ENC_BIG_ENDIAN0x00000000);
12097 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,
12098 offset + 2, identity_len, ENC_NA0x00000000);
12099
12100 proto_item_set_len(ssl_psk_tree, 2 + identity_len);
12101 return 2 + identity_len;
12102}
12103
12104/* Used in RSA PSK cipher suites */
12105static void
12106dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12107 proto_tree *tree, uint32_t offset,
12108 uint32_t length)
12109{
12110 int identity_len, epms_len;
12111 proto_tree *ssl_psk_tree;
12112
12113 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12114 hf->ett.keyex_params, NULL((void*)0), "RSA PSK Client Params");
12115
12116 /* identity */
12117 identity_len = tvb_get_ntohs(tvb, offset);
12118 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,
12119 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12120 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,
12121 tvb, offset + 2, identity_len, ENC_NA0x00000000);
12122 offset += 2 + identity_len;
12123
12124 /* Yc */
12125 epms_len = tvb_get_ntohs(tvb, offset);
12126 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12127 offset, 2, ENC_BIG_ENDIAN0x00000000);
12128 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,
12129 offset + 2, epms_len, ENC_NA0x00000000);
12130}
12131
12132/* Used in Diffie-Hellman PSK cipher suites */
12133static void
12134dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12135 proto_tree *tree, uint32_t offset, uint32_t length)
12136{
12137 /*
12138 * struct {
12139 * select (KeyExchangeAlgorithm) {
12140 * case diffie_hellman_psk:
12141 * opaque psk_identity<0..2^16-1>;
12142 * ClientDiffieHellmanPublic public;
12143 * } exchange_keys;
12144 * } ClientKeyExchange;
12145 */
12146
12147 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12148 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);
12149}
12150
12151/* Used in EC Diffie-Hellman PSK cipher suites */
12152static void
12153dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12154 proto_tree *tree, uint32_t offset, uint32_t length)
12155{
12156 /*
12157 * struct {
12158 * select (KeyExchangeAlgorithm) {
12159 * case ec_diffie_hellman_psk:
12160 * opaque psk_identity<0..2^16-1>;
12161 * ClientECDiffieHellmanPublic public;
12162 * } exchange_keys;
12163 * } ClientKeyExchange;
12164 */
12165
12166 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12167 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);
12168}
12169
12170/* Used in EC J-PAKE cipher suites */
12171static void
12172dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12173 proto_tree *tree, uint32_t offset,
12174 uint32_t length)
12175{
12176 /*
12177 * struct {
12178 * ECPoint V;
12179 * opaque r<1..2^8-1>;
12180 * } ECSchnorrZKP;
12181 *
12182 * struct {
12183 * ECPoint X;
12184 * ECSchnorrZKP zkp;
12185 * } ECJPAKEKeyKP;
12186 *
12187 * struct {
12188 * ECJPAKEKeyKP ecjpake_key_kp;
12189 * } ClientECJPAKEParams;
12190 *
12191 * select (KeyExchangeAlgorithm) {
12192 * case ecjpake:
12193 * ClientECJPAKEParams params;
12194 * } ClientKeyExchange;
12195 */
12196
12197 int point_len;
12198 proto_tree *ssl_ecjpake_tree;
12199
12200 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12201 hf->ett.keyex_params, NULL((void*)0),
12202 "EC J-PAKE Client Params");
12203
12204 /* ECJPAKEKeyKP.X */
12205 point_len = tvb_get_uint8(tvb, offset);
12206 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,
12207 offset, 1, ENC_BIG_ENDIAN0x00000000);
12208 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,
12209 offset + 1, point_len, ENC_NA0x00000000);
12210 offset += 1 + point_len;
12211
12212 /* ECJPAKEKeyKP.zkp.V */
12213 point_len = tvb_get_uint8(tvb, offset);
12214 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,
12215 offset, 1, ENC_BIG_ENDIAN0x00000000);
12216 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,
12217 offset + 1, point_len, ENC_NA0x00000000);
12218 offset += 1 + point_len;
12219
12220 /* ECJPAKEKeyKP.zkp.r */
12221 point_len = tvb_get_uint8(tvb, offset);
12222 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,
12223 offset, 1, ENC_BIG_ENDIAN0x00000000);
12224 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,
12225 offset + 1, point_len, ENC_NA0x00000000);
12226}
12227
12228static void
12229dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12230 proto_tree *tree, uint32_t offset,
12231 uint32_t length)
12232{
12233 int epms_len;
12234 proto_tree *ssl_ecc_sm2_tree;
12235
12236 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12237 hf->ett.keyex_params, NULL((void*)0),
12238 "ECC-SM2 Encrypted PreMaster Secret");
12239
12240 epms_len = tvb_get_ntohs(tvb, offset);
12241 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12242 offset, 2, ENC_BIG_ENDIAN0x00000000);
12243 offset += 2;
12244 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
12245 offset, epms_len, ENC_NA0x00000000);
12246}
12247/* ClientKeyExchange algo-specific dissectors. }}} */
12248
12249
12250/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
12251static uint32_t
12252ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12253 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12254 uint16_t version, int hf_sig_len, int hf_sig)
12255{
12256 uint32_t sig_len;
12257
12258 switch (version) {
12259 case TLSV1DOT2_VERSION0x303:
12260 case DTLSV1DOT2_VERSION0xfefd:
12261 case TLSV1DOT3_VERSION0x304:
12262 case DTLSV1DOT3_VERSION0xfefc:
12263 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
12264 offset += 2;
12265 break;
12266
12267 default:
12268 break;
12269 }
12270
12271 /* Sig */
12272 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
12273 hf_sig_len, 0, UINT16_MAX(65535))) {
12274 return offset_end;
12275 }
12276 offset += 2;
12277 proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA0x00000000);
12278 offset += sig_len;
12279 return offset;
12280} /* }}} */
12281
12282/* ServerKeyExchange algo-specific dissectors. {{{ */
12283
12284/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
12285static void
12286dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12287 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12288 uint16_t version)
12289{
12290 /*
12291 * TLSv1.2 (RFC 5246 sec 7.4.8)
12292 * struct {
12293 * digitally-signed struct {
12294 * opaque handshake_messages[handshake_messages_length];
12295 * }
12296 * } CertificateVerify;
12297 *
12298 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
12299 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
12300 *
12301 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
12302 * does more hashing including the master secret and padding.
12303 */
12304 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
12305 hf->hf.hs_server_keyex_sig_len,
12306 hf->hf.hs_server_keyex_sig);
12307}
12308
12309static uint32_t
12310dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
12311{
12312 /*
12313 * RFC 4492 ECC cipher suites for TLS
12314 *
12315 * struct {
12316 * ECCurveType curve_type;
12317 * select (curve_type) {
12318 * case explicit_prime:
12319 * ...
12320 * case explicit_char2:
12321 * ...
12322 * case named_curve:
12323 * NamedCurve namedcurve;
12324 * };
12325 * } ECParameters;
12326 */
12327
12328 int curve_type;
12329
12330 /* ECParameters.curve_type */
12331 curve_type = tvb_get_uint8(tvb, offset);
12332 proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
12333 offset, 1, ENC_BIG_ENDIAN0x00000000);
12334 offset++;
12335
12336 if (curve_type != 3)
12337 return offset_end; /* only named_curves are supported */
12338
12339 /* case curve_type == named_curve; ECParameters.namedcurve */
12340 proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
12341 offset, 2, ENC_BIG_ENDIAN0x00000000);
12342 offset += 2;
12343
12344 return offset;
12345}
12346
12347static void
12348dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12349 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12350 uint16_t version, bool_Bool anon)
12351{
12352 /*
12353 * RFC 4492 ECC cipher suites for TLS
12354 *
12355 * struct {
12356 * opaque point <1..2^8-1>;
12357 * } ECPoint;
12358 *
12359 * struct {
12360 * ECParameters curve_params;
12361 * ECPoint public;
12362 * } ServerECDHParams;
12363 *
12364 * select (KeyExchangeAlgorithm) {
12365 * case ec_diffie_hellman:
12366 * ServerECDHParams params;
12367 * Signature signed_params;
12368 * } ServerKeyExchange;
12369 */
12370
12371 int point_len;
12372 proto_tree *ssl_ecdh_tree;
12373
12374 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12375 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Server Params");
12376
12377 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);
12378 if (offset >= offset_end)
12379 return; /* only named_curves are supported */
12380
12381 /* ECPoint.point */
12382 point_len = tvb_get_uint8(tvb, offset);
12383 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
12384 offset, 1, ENC_BIG_ENDIAN0x00000000);
12385 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
12386 offset + 1, point_len, ENC_NA0x00000000);
12387 offset += 1 + point_len;
12388
12389 /* Signature (if non-anonymous KEX) */
12390 if (!anon) {
12391 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);
12392 }
12393}
12394
12395static void
12396dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12397 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12398 uint16_t version, bool_Bool anon)
12399{
12400 int p_len, g_len, ys_len;
12401 proto_tree *ssl_dh_tree;
12402
12403 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12404 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");
12405
12406 /* p */
12407 p_len = tvb_get_ntohs(tvb, offset);
12408 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
12409 offset, 2, ENC_BIG_ENDIAN0x00000000);
12410 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
12411 offset + 2, p_len, ENC_NA0x00000000);
12412 offset += 2 + p_len;
12413
12414 /* g */
12415 g_len = tvb_get_ntohs(tvb, offset);
12416 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
12417 offset, 2, ENC_BIG_ENDIAN0x00000000);
12418 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
12419 offset + 2, g_len, ENC_NA0x00000000);
12420 offset += 2 + g_len;
12421
12422 /* Ys */
12423 ys_len = tvb_get_ntohs(tvb, offset);
12424 proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
12425 offset, 2, ys_len);
12426 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
12427 offset + 2, ys_len, ENC_NA0x00000000);
12428 offset += 2 + ys_len;
12429
12430 /* Signature (if non-anonymous KEX) */
12431 if (!anon) {
12432 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
12433 }
12434}
12435
12436/* Only used in RSA-EXPORT cipher suites */
12437static void
12438dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12439 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12440 uint16_t version)
12441{
12442 int modulus_len, exponent_len;
12443 proto_tree *ssl_rsa_tree;
12444
12445 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12446 hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");
12447
12448 /* modulus */
12449 modulus_len = tvb_get_ntohs(tvb, offset);
12450 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
12451 offset, 2, ENC_BIG_ENDIAN0x00000000);
12452 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
12453 offset + 2, modulus_len, ENC_NA0x00000000);
12454 offset += 2 + modulus_len;
12455
12456 /* exponent */
12457 exponent_len = tvb_get_ntohs(tvb, offset);
12458 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
12459 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12460 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
12461 tvb, offset + 2, exponent_len, ENC_NA0x00000000);
12462 offset += 2 + exponent_len;
12463
12464 /* Signature */
12465 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
12466}
12467
12468/* Used in RSA PSK and PSK cipher suites */
12469static uint32_t
12470dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12471 proto_tree *tree, uint32_t offset)
12472{
12473 unsigned hint_len;
12474 proto_tree *ssl_psk_tree;
12475
12476 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12477 hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");
12478
12479 /* hint */
12480 hint_len = tvb_get_ntohs(tvb, offset);
12481 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
12482 offset, 2, ENC_BIG_ENDIAN0x00000000);
12483 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
12484 offset + 2, hint_len, ENC_NA0x00000000);
12485
12486 proto_item_set_len(ssl_psk_tree, 2 + hint_len);
12487 return 2 + hint_len;
12488}
12489
12490/* Used in Diffie-Hellman PSK cipher suites */
12491static void
12492dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12493 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12494{
12495 /*
12496 * struct {
12497 * select (KeyExchangeAlgorithm) {
12498 * case diffie_hellman_psk:
12499 * opaque psk_identity_hint<0..2^16-1>;
12500 * ServerDHParams params;
12501 * };
12502 * } ServerKeyExchange;
12503 */
12504
12505 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12506 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12507}
12508
12509/* Used in EC Diffie-Hellman PSK cipher suites */
12510static void
12511dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12512 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12513{
12514 /*
12515 * struct {
12516 * select (KeyExchangeAlgorithm) {
12517 * case ec_diffie_hellman_psk:
12518 * opaque psk_identity_hint<0..2^16-1>;
12519 * ServerECDHParams params;
12520 * };
12521 * } ServerKeyExchange;
12522 */
12523
12524 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12525 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12526}
12527
12528/* Used in EC J-PAKE cipher suites */
12529static void
12530dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12531 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12532{
12533 /*
12534 * struct {
12535 * ECPoint V;
12536 * opaque r<1..2^8-1>;
12537 * } ECSchnorrZKP;
12538 *
12539 * struct {
12540 * ECPoint X;
12541 * ECSchnorrZKP zkp;
12542 * } ECJPAKEKeyKP;
12543 *
12544 * struct {
12545 * ECParameters curve_params;
12546 * ECJPAKEKeyKP ecjpake_key_kp;
12547 * } ServerECJPAKEParams;
12548 *
12549 * select (KeyExchangeAlgorithm) {
12550 * case ecjpake:
12551 * ServerECJPAKEParams params;
12552 * } ServerKeyExchange;
12553 */
12554
12555 int point_len;
12556 proto_tree *ssl_ecjpake_tree;
12557
12558 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12559 hf->ett.keyex_params, NULL((void*)0),
12560 "EC J-PAKE Server Params");
12561
12562 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
12563 if (offset >= offset_end)
12564 return; /* only named_curves are supported */
12565
12566 /* ECJPAKEKeyKP.X */
12567 point_len = tvb_get_uint8(tvb, offset);
12568 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
12569 offset, 1, ENC_BIG_ENDIAN0x00000000);
12570 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
12571 offset + 1, point_len, ENC_NA0x00000000);
12572 offset += 1 + point_len;
12573
12574 /* ECJPAKEKeyKP.zkp.V */
12575 point_len = tvb_get_uint8(tvb, offset);
12576 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
12577 offset, 1, ENC_BIG_ENDIAN0x00000000);
12578 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
12579 offset + 1, point_len, ENC_NA0x00000000);
12580 offset += 1 + point_len;
12581
12582 /* ECJPAKEKeyKP.zkp.r */
12583 point_len = tvb_get_uint8(tvb, offset);
12584 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
12585 offset, 1, ENC_BIG_ENDIAN0x00000000);
12586 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
12587 offset + 1, point_len, ENC_NA0x00000000);
12588}
12589
12590/* Only used in ECC-SM2-EXPORT cipher suites */
12591static void
12592dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12593 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12594 uint16_t version)
12595{
12596 proto_tree *ssl_ecc_sm2_tree;
12597
12598 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12599 hf->ett.keyex_params, NULL((void*)0), "ECC-SM2-EXPORT Server Params");
12600
12601 /* Signature */
12602 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);
12603}
12604/* ServerKeyExchange algo-specific dissectors. }}} */
12605
12606/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12607void
12608ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12609 proto_tree *tree, uint32_t offset, uint32_t length,
12610 const SslSession *session)
12611{
12612 switch (ssl_get_keyex_alg(session->cipher)) {
12613 case KEX_DH_ANON0x13: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
12614 case KEX_DH_DSS0x14:
12615 case KEX_DH_RSA0x15:
12616 case KEX_DHE_DSS0x10:
12617 case KEX_DHE_RSA0x12:
12618 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
12619 break;
12620 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
12621 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
12622 break;
12623 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
12624 case KEX_ECDH_ECDSA0x1a:
12625 case KEX_ECDH_RSA0x1b:
12626 case KEX_ECDHE_ECDSA0x16:
12627 case KEX_ECDHE_RSA0x18:
12628 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
12629 break;
12630 case KEX_ECDHE_PSK0x17: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
12631 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
12632 break;
12633 case KEX_KRB50x1c: /* RFC 2712; krb5: KerberosWrapper */
12634 /* XXX: implement support for KRB5 */
12635 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12636 tvb, offset, length,
12637 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
12638 " developers if you want them to be supported");
12639 break;
12640 case KEX_PSK0x1d: /* RFC 4279; psk: psk_identity */
12641 dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12642 break;
12643 case KEX_RSA0x1e: /* RFC 5246; rsa: EncryptedPreMasterSecret */
12644 dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
12645 break;
12646 case KEX_RSA_PSK0x1f: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
12647 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
12648 break;
12649 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ClientSRPPublic */
12650 case KEX_SRP_SHA_DSS0x21:
12651 case KEX_SRP_SHA_RSA0x22:
12652 /* XXX: implement support for SRP_SHA* */
12653 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12654 tvb, offset, length,
12655 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12656 " developers if you want them to be supported");
12657 break;
12658 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12659 dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
12660 break;
12661 case KEX_ECC_SM20x26: /* GB/T 38636 */
12662 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
12663 break;
12664 default:
12665 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12666 tvb, offset, length);
12667 break;
12668 }
12669}
12670
12671void
12672ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12673 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12674 const SslSession *session)
12675{
12676 switch (ssl_get_keyex_alg(session->cipher)) {
12677 case KEX_DH_ANON0x13: /* RFC 5246; ServerDHParams */
12678 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12679 break;
12680 case KEX_DH_DSS0x14: /* RFC 5246; not allowed */
12681 case KEX_DH_RSA0x15:
12682 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12683 tvb, offset, offset_end - offset);
12684 break;
12685 case KEX_DHE_DSS0x10: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
12686 case KEX_DHE_RSA0x12:
12687 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12688 break;
12689 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
12690 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
12691 break;
12692 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
12693 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12694 break;
12695 case KEX_ECDHE_PSK0x17: /* RFC 5489; psk_identity_hint, ServerECDHParams */
12696 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
12697 break;
12698 case KEX_ECDH_ECDSA0x1a: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
12699 case KEX_ECDH_RSA0x1b:
12700 case KEX_ECDHE_ECDSA0x16:
12701 case KEX_ECDHE_RSA0x18:
12702 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12703 break;
12704 case KEX_KRB50x1c: /* RFC 2712; not allowed */
12705 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12706 tvb, offset, offset_end - offset);
12707 break;
12708 case KEX_PSK0x1d: /* RFC 4279; psk, rsa: psk_identity */
12709 case KEX_RSA_PSK0x1f:
12710 dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12711 break;
12712 case KEX_RSA0x1e: /* only allowed if the public key in the server certificate is longer than 512 bits */
12713 dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12714 break;
12715 case KEX_ECC_SM20x26: /* GB/T 38636 */
12716 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12717 break;
12718 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ServerSRPParams, Signature */
12719 case KEX_SRP_SHA_DSS0x21:
12720 case KEX_SRP_SHA_RSA0x22:
12721 /* XXX: implement support for SRP_SHA* */
12722 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12723 tvb, offset, offset_end - offset,
12724 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12725 " developers if you want them to be supported");
12726 break;
12727 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12728 dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
12729 break;
12730 default:
12731 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12732 tvb, offset, offset_end - offset);
12733 break;
12734 }
12735}
12736/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
12737
12738void
12739tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12740 proto_tree *tree, uint32_t offset)
12741{
12742 /* RFC 8446 Section 4.6.3
12743 * enum {
12744 * update_not_requested(0), update_requested(1), (255)
12745 * } KeyUpdateRequest;
12746 *
12747 * struct {
12748 * KeyUpdateRequest request_update;
12749 * } KeyUpdate;
12750 */
12751 proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA0x00000000);
12752}
12753
12754void
12755ssl_common_register_ssl_alpn_dissector_table(const char *name,
12756 const char *ui_name, const int proto)
12757{
12758 ssl_alpn_dissector_table = register_dissector_table(name, ui_name,
12759 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12760 register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");
12761}
12762
12763void
12764ssl_common_register_dtls_alpn_dissector_table(const char *name,
12765 const char *ui_name, const int proto)
12766{
12767 dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
12768 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12769 register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
12770}
12771
12772void
12773ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool_Bool is_dtls)
12774{
12775 prefs_register_string_preference(module, "psk", "Pre-Shared Key",
12776 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
12777 &(options->psk));
12778
12779 if (is_dtls) {
12780 prefs_register_obsolete_preference(module, "keylog_file");
12781 prefs_register_static_text_preference(module, "keylog_file_removed",
12782 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
12783 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
12784 return;
12785 }
12786
12787 prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
12788 "The name of a file which contains a list of \n"
12789 "(pre-)master secrets in one of the following formats:\n"
12790 "\n"
12791 "RSA <EPMS> <PMS>\n"
12792 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
12793 "CLIENT_RANDOM <CRAND> <MS>\n"
12794 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
12795 "\n"
12796 "Where:\n"
12797 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
12798 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
12799 "<SSLID> = The SSL Session ID\n"
12800 "<MS> = The Master-Secret (MS)\n"
12801 "<CRAND> = The Client's random number from the ClientHello message\n"
12802 "\n"
12803 "(All fields are in hex notation)",
12804 &(options->keylog_filename), false0);
12805}
12806
12807void
12808ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length)
12809{
12810 if (ssl_session && ssl_session->session.version != TLSV1DOT3_VERSION0x304 && !(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
12811 uint32_t old_length = ssl_session->handshake_data.data_len;
12812 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
12813 if (tvb) {
12814 if (tvb_bytes_exist(tvb, offset, length)) {
12815 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12816 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
12817 ssl_session->handshake_data.data_len += length;
12818 }
12819 } else {
12820 /* DTLS calculates the hash as if each handshake message had been
12821 * sent as a single fragment (RFC 6347, section 4.2.6) and passes
12822 * in a null tvbuff to add 3 bytes for a zero fragment offset.
12823 */
12824 DISSECTOR_ASSERT_CMPINT(length, <, 4)((void) ((length < 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "length" " " "<" " " "4" " (" "%"
"l" "d" " " "<" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 12824, (int64_t)length, (int64_t)4))));
12825 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12826 memset(ssl_session->handshake_data.data + old_length, 0, length);
12827 ssl_session->handshake_data.data_len += length;
12828 }
12829 }
12830}
12831
12832
12833/*
12834 * Editor modelines - https://www.wireshark.org/tools/modelines.html
12835 *
12836 * Local variables:
12837 * c-basic-offset: 4
12838 * tab-width: 8
12839 * indent-tabs-mode: nil
12840 * End:
12841 *
12842 * vi: set shiftwidth=4 tabstop=8 expandtab:
12843 * :indentSize=4:tabSize=8:noTabs=true:
12844 */