Bug Summary

File:epan/dissectors/packet-tls-utils.c
Warning:line 4881, column 17
Potential leak of memory pointed to by 'handshake_hashed_data.data'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-21/lib/clang/21 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-21/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-truncation -Wno-format-nonliteral -Wno-pointer-sign -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2025-10-21-100328-3623-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <[email protected]>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <[email protected]>
6 * Copyright (c) 2014, Peter Wu <[email protected]>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <[email protected]>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15#include "config.h"
16
17#include <stdlib.h>
18#include <errno(*__errno_location ()).h>
19
20#include <epan/packet.h>
21#include <epan/strutil.h>
22#include <epan/addr_resolv.h>
23#include <epan/expert.h>
24#include <epan/asn1.h>
25#include <epan/proto_data.h>
26#include <epan/oids.h>
27#include <epan/secrets.h>
28
29#include <wsutil/inet_cidr.h>
30#include <wsutil/filesystem.h>
31#include <wsutil/file_util.h>
32#include <wsutil/str_util.h>
33#include <wsutil/report_message.h>
34#include <wsutil/pint.h>
35#include <wsutil/strtoi.h>
36#include <wsutil/wsgcrypt.h>
37#include <wsutil/rsa.h>
38#include <wsutil/ws_assert.h>
39#include <wsutil/zlib_compat.h>
40#include "packet-ber.h"
41#include "packet-x509af.h"
42#include "packet-x509if.h"
43#include "packet-tls-utils.h"
44#include "packet-ocsp.h"
45#include "packet-tls.h"
46#include "packet-dtls.h"
47#include "packet-quic.h"
48#if defined(HAVE_LIBGNUTLS1)
49#include <gnutls/abstract.h>
50#endif
51
52/* JA3/JA3S calculations must ignore GREASE values
53 * as described in RFC 8701.
54 */
55#define IS_GREASE_TLS(x)((((x) & 0x0f0f) == 0x0a0a) && (((x) & 0xff) ==
(((x)>>8) & 0xff))) ((((x) & 0x0f0f) == 0x0a0a) && \
56 (((x) & 0xff) == (((x)>>8) & 0xff)))
57
58/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
59 * form for a similar purpose as GREASE.
60 */
61#define IS_GREASE_QUIC(x)((x) > 27 ? ((((x) - 27) % 31) == 0) : 0) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)
62
63#define DTLS13_MAX_EPOCH10 10
64
65/* Lookup tables {{{ */
66const value_string ssl_version_short_names[] = {
67 { SSLV2_VERSION0x0002, "SSLv2" },
68 { SSLV3_VERSION0x300, "SSLv3" },
69 { TLSV1_VERSION0x301, "TLSv1" },
70 { TLCPV1_VERSION0x101, "TLCP" },
71 { TLSV1DOT1_VERSION0x302, "TLSv1.1" },
72 { TLSV1DOT2_VERSION0x303, "TLSv1.2" },
73 { TLSV1DOT3_VERSION0x304, "TLSv1.3" },
74 { DTLSV1DOT0_VERSION0xfeff, "DTLSv1.0" },
75 { DTLSV1DOT2_VERSION0xfefd, "DTLSv1.2" },
76 { DTLSV1DOT3_VERSION0xfefc, "DTLSv1.3" },
77 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
78 { 0x00, NULL((void*)0) }
79};
80
81const value_string ssl_versions[] = {
82 { SSLV2_VERSION0x0002, "SSL 2.0" },
83 { SSLV3_VERSION0x300, "SSL 3.0" },
84 { TLSV1_VERSION0x301, "TLS 1.0" },
85 { TLCPV1_VERSION0x101, "TLCP" },
86 { TLSV1DOT1_VERSION0x302, "TLS 1.1" },
87 { TLSV1DOT2_VERSION0x303, "TLS 1.2" },
88 { TLSV1DOT3_VERSION0x304, "TLS 1.3" },
89 { 0x7F0E, "TLS 1.3 (draft 14)" },
90 { 0x7F0F, "TLS 1.3 (draft 15)" },
91 { 0x7F10, "TLS 1.3 (draft 16)" },
92 { 0x7F11, "TLS 1.3 (draft 17)" },
93 { 0x7F12, "TLS 1.3 (draft 18)" },
94 { 0x7F13, "TLS 1.3 (draft 19)" },
95 { 0x7F14, "TLS 1.3 (draft 20)" },
96 { 0x7F15, "TLS 1.3 (draft 21)" },
97 { 0x7F16, "TLS 1.3 (draft 22)" },
98 { 0x7F17, "TLS 1.3 (draft 23)" },
99 { 0x7F18, "TLS 1.3 (draft 24)" },
100 { 0x7F19, "TLS 1.3 (draft 25)" },
101 { 0x7F1A, "TLS 1.3 (draft 26)" },
102 { 0x7F1B, "TLS 1.3 (draft 27)" },
103 { 0x7F1C, "TLS 1.3 (draft 28)" },
104 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },
105 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },
106 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
107 { DTLSV1DOT0_VERSION0xfeff, "DTLS 1.0" },
108 { DTLSV1DOT2_VERSION0xfefd, "DTLS 1.2" },
109 { DTLSV1DOT3_VERSION0xfefc, "DTLS 1.3" },
110 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
111 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
112 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
113 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
114 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
115 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
116 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
117 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
118 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
119 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
120 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */
121 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */
122 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */
123 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */
124 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */
125 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */
126 { 0x00, NULL((void*)0) }
127};
128
129static const value_string ssl_version_ja4_names[] = {
130 { 0x0100, "s1" },
131 { SSLV2_VERSION0x0002, "s2" },
132 { SSLV3_VERSION0x300, "s3" },
133 { TLSV1_VERSION0x301, "10" },
134 { TLSV1DOT1_VERSION0x302, "11" },
135 { TLSV1DOT2_VERSION0x303, "12" },
136 { TLSV1DOT3_VERSION0x304, "13" },
137 { DTLSV1DOT0_VERSION0xfeff, "d1" },
138 { DTLSV1DOT2_VERSION0xfefd, "d2" },
139 { DTLSV1DOT3_VERSION0xfefc, "d3" },
140 { 0x00, NULL((void*)0) }
141};
142
143const value_string ssl_20_msg_types[] = {
144 { SSL2_HND_ERROR0x00, "Error" },
145 { SSL2_HND_CLIENT_HELLO0x01, "Client Hello" },
146 { SSL2_HND_CLIENT_MASTER_KEY0x02, "Client Master Key" },
147 { SSL2_HND_CLIENT_FINISHED0x03, "Client Finished" },
148 { SSL2_HND_SERVER_HELLO0x04, "Server Hello" },
149 { SSL2_HND_SERVER_VERIFY0x05, "Server Verify" },
150 { SSL2_HND_SERVER_FINISHED0x06, "Server Finished" },
151 { SSL2_HND_REQUEST_CERTIFICATE0x07, "Request Certificate" },
152 { SSL2_HND_CLIENT_CERTIFICATE0x08, "Client Certificate" },
153 { 0x00, NULL((void*)0) }
154};
155/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
156/* Note: sorted by ascending value so value_string-ext can do a binary search */
157static const value_string ssl_20_cipher_suites[] = {
158 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
159 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
160 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
161 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
162 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
163 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
164 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
165 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
166 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
167 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
168 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
169 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
170 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
171 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
172 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
173 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
174 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
175 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
176 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
177 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
178 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
179 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
180 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
181 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
182 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
183 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
184 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
185 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
186 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
187 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
188#if 0
189 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
190#endif
191 /* RFC 2712 */
192 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
193 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
194 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
195 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
196 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
197 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
198 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
199 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
200 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
201 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
202 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
203 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
204 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
205 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
206 /* RFC 4785 */
207 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
208 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
209 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
210 /* RFC 5246 */
211 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
212 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
213 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
214 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
215 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
216 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
217 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
218 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
219 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
220 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
221 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
222 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
223 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
224 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
225 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
226 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
227 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
228 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
229 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
230 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
231 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
232 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
233 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
234 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
235 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
236 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
237 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
238 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
239 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
240 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
241 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
242 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
243 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
244 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
245 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
246 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
247 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
248 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
249 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
250 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
251 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
252 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
253 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
254 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
255 /* 0x00,0x6E-83 Unassigned */
256 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
257 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
258 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
259 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
260 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
261 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
262 /* RFC 4279 */
263 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
264 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
265 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
266 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
267 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
268 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
269 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
270 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
271 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
272 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
273 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
274 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
275 /* RFC 4162 */
276 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
277 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
278 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
279 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
280 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
281 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
282 /* RFC 5288 */
283 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
284 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
285 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
286 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
287 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
288 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
289 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
290 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
291 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
292 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
293 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
294 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
295 /* RFC 5487 */
296 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
297 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
298 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
299 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
300 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
301 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
302 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
303 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
304 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
305 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
306 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
307 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
308 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
309 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
310 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
311 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
312 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
313 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
314 /* From RFC 5932 */
315 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
316 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
317 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
318 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
319 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
320 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
321 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
322 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
323 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
324 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
325 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
326 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
327 /* 0x00,0xC6-FE Unassigned */
328 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
329 /* 0x01-BF,* Unassigned */
330 /* From RFC 4492 */
331 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
332 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
333 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
334 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
335 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
336 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
337 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
338 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
339 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
340 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
341 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
342 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
343 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
344 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
345 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
346 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
347 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
348 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
349 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
350 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
351 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
352 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
353 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
354 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
355 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
356 /* RFC 5054 */
357 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
358 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
359 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
360 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
361 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
362 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
363 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
364 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
365 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
366 /* RFC 5589 */
367 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
368 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
369 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
370 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
371 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
372 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
373 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
374 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
375 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
376 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
377 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
378 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
379 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
380 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
381 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
382 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
383 /* RFC 5489 */
384 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
385 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
386 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
387 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
388 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
389 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
390 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
391 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
392 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
393 /* 0xC0,0x3C-FF Unassigned
394 0xC1-FD,* Unassigned
395 0xFE,0x00-FD Unassigned
396 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
397 0xFF,0x00-FF Reserved for Private Use [RFC5246]
398 */
399
400 /* old numbers used in the beginning
401 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
402 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
403 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
404 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
405
406 /* https://tools.ietf.org/html/rfc7905 */
407 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
408 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
409 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
410 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
411 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
412 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
413 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
414
415 /* GM/T 0024-2014 */
416 { 0x00e001, "ECDHE_SM1_SM3"},
417 { 0x00e003, "ECC_SM1_SM3"},
418 { 0x00e005, "IBSDH_SM1_SM3"},
419 { 0x00e007, "IBC_SM1_SM3"},
420 { 0x00e009, "RSA_SM1_SM3"},
421 { 0x00e00a, "RSA_SM1_SHA1"},
422 { 0x00e011, "ECDHE_SM4_CBC_SM3"},
423 { 0x00e013, "ECC_SM4_CBC_SM3"},
424 { 0x00e015, "IBSDH_SM4_CBC_SM3"},
425 { 0x00e017, "IBC_SM4_CBC_SM3"},
426 { 0x00e019, "RSA_SM4_CBC_SM3"},
427 { 0x00e01a, "RSA_SM4_CBC_SHA1"},
428 { 0x00e01c, "RSA_SM4_CBC_SHA256"},
429 { 0x00e051, "ECDHE_SM4_GCM_SM3"},
430 { 0x00e053, "ECC_SM4_GCM_SM3"},
431 { 0x00e055, "IBSDH_SM4_GCM_SM3"},
432 { 0x00e057, "IBC_SM4_GCM_SM3"},
433 { 0x00e059, "RSA_SM4_GCM_SM3"},
434 { 0x00e05a, "RSA_SM4_GCM_SHA256"},
435
436 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
437 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
438 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
439 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
440 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
441 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
442 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
443 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
444 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
445 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
446 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
447 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
448 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
449 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
450 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
451 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
452 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
453
454 /* these from http://www.mozilla.org/projects/
455 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
456 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
457 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
458 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
459 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
460 /* note that ciphersuites of {0x00????} are TLS cipher suites in
461 * a sslv2 client hello message; the ???? above is the two-byte
462 * tls cipher suite id
463 */
464
465 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
466 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
467 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
468 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
469 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
470 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
471 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
472 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
473
474 { 0x00, NULL((void*)0) }
475};
476
477value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites){ _try_val_to_str_ext_init, 0, (sizeof (ssl_20_cipher_suites)
/ sizeof ((ssl_20_cipher_suites)[0]))-1, ssl_20_cipher_suites
, "ssl_20_cipher_suites", ((void*)0) };
478
479
480/*
481 * Supported Groups (formerly named "EC Named Curve").
482 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
483 */
484const value_string ssl_extension_curves[] = {
485 { 1, "sect163k1" },
486 { 2, "sect163r1" },
487 { 3, "sect163r2" },
488 { 4, "sect193r1" },
489 { 5, "sect193r2" },
490 { 6, "sect233k1" },
491 { 7, "sect233r1" },
492 { 8, "sect239k1" },
493 { 9, "sect283k1" },
494 { 10, "sect283r1" },
495 { 11, "sect409k1" },
496 { 12, "sect409r1" },
497 { 13, "sect571k1" },
498 { 14, "sect571r1" },
499 { 15, "secp160k1" },
500 { 16, "secp160r1" },
501 { 17, "secp160r2" },
502 { 18, "secp192k1" },
503 { 19, "secp192r1" },
504 { 20, "secp224k1" },
505 { 21, "secp224r1" },
506 { 22, "secp256k1" },
507 { 23, "secp256r1" },
508 { 24, "secp384r1" },
509 { 25, "secp521r1" },
510 { 26, "brainpoolP256r1" }, /* RFC 7027 */
511 { 27, "brainpoolP384r1" }, /* RFC 7027 */
512 { 28, "brainpoolP512r1" }, /* RFC 7027 */
513 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
514 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
515 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
516 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
517 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
518 { 34, "GC256A" }, /* RFC9189 */
519 { 35, "GC256B" }, /* RFC9189 */
520 { 36, "GC256C" }, /* RFC9189 */
521 { 37, "GC256D" }, /* RFC9189 */
522 { 38, "GC512A" }, /* RFC9189 */
523 { 39, "GC512B" }, /* RFC9189 */
524 { 40, "GC512C" }, /* RFC9189 */
525 { 41, "curveSM2" }, /* RFC 8998 */
526 { 256, "ffdhe2048" }, /* RFC 7919 */
527 { 257, "ffdhe3072" }, /* RFC 7919 */
528 { 258, "ffdhe4096" }, /* RFC 7919 */
529 { 259, "ffdhe6144" }, /* RFC 7919 */
530 { 260, "ffdhe8192" }, /* RFC 7919 */
531 { 512, "MLKEM512"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
532 { 513, "MLKEM768"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
533 { 514, "MLKEM1024"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
534 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
535 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
536 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
537 { 4589, "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
538 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
539 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
540 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
541 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
542 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
543 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
544 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
545 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
546 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
547 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
548 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
549 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
550 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
552 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
553 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 0xFF01, "arbitrary_explicit_prime_curves" },
556 { 0xFF02, "arbitrary_explicit_char2_curves" },
557 /* Below are various unofficial values that have been used for testing. */
558 /* PQC key exchange algorithms from OQS-OpenSSL,
559 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
560 These use IANA unassigned values and this list may be incomplete.
561 */
562 { 0x2F00, "p256_frodo640aes" },
563 { 0x2F01, "p256_frodo640shake" },
564 { 0x2F02, "p384_frodo976aes" },
565 { 0x0203, "frodo976shake" },
566 { 0x2F03, "p384_frodo976shake" },
567 { 0x0204, "frodo1344aes" },
568 { 0x2F04, "p521_frodo1344aes" },
569 { 0x0205, "frodo1344shake" },
570 { 0x2F05, "p521_frodo1344shake" },
571 { 0x023A, "kyber512" },
572 { 0x2F3A, "p256_kyber512" },
573 { 0x023C, "kyber768" },
574 { 0x2F3C, "p384_kyber768" },
575 { 0x023D, "kyber1024" },
576 { 0x2F3D, "p521_kyber1024" },
577 { 0x0214, "ntru_hps2048509" },
578 { 0x2F14, "p256_ntru_hps2048509" },
579 { 0x0215, "ntru_hps2048677" },
580 { 0x2F15, "p384_ntru_hps2048677" },
581 { 0x0216, "ntru_hps4096821" },
582 { 0x2F16, "p521_ntru_hps4096821" },
583 { 0x0245, "ntru_hps40961229" },
584 { 0x2F45, "p521_ntru_hps40961229" },
585 { 0x0217, "ntru_hrss701" },
586 { 0x2F17, "p384_ntru_hrss701" },
587 { 0x0246, "ntru_hrss1373" },
588 { 0x2F46, "p521_ntru_hrss1373" },
589 { 0x0218, "lightsaber" },
590 { 0x2F18, "p256_lightsaber" },
591 { 0x0219, "saber" },
592 { 0x2F19, "p384_saber" },
593 { 0x021A, "firesaber" },
594 { 0x2F1A, "p521_firesaber" },
595 { 0x021B, "sidhp434" },
596 { 0x2F1B, "p256_sidhp434" },
597 { 0x021C, "sidhp503" },
598 { 0x2F1C, "p256_sidhp503" },
599 { 0x021D, "sidhp610" },
600 { 0x2F1D, "p384_sidhp610" },
601 { 0x021E, "sidhp751" },
602 { 0x2F1E, "p521_sidhp751" },
603 { 0x021F, "sikep434" },
604 { 0x2F1F, "p256_sikep434" },
605 { 0x0220, "sikep503" },
606 { 0x2F20, "p256_sikep503" },
607 { 0x0221, "sikep610" },
608 { 0x2F21, "p384_sikep610" },
609 { 0x0222, "sikep751" },
610 { 0x2F22, "p521_sikep751" },
611 { 0x0238, "bikel1" },
612 { 0x2F38, "p256_bikel1" },
613 { 0x023B, "bikel3" },
614 { 0x2F3B, "p384_bikel3" },
615 { 0x023E, "kyber90s512" },
616 { 0x2F3E, "p256_kyber90s512" },
617 { 0x023F, "kyber90s768" },
618 { 0x2F3F, "p384_kyber90s768" },
619 { 0x0240, "kyber90s1024" },
620 { 0x2F40, "p521_kyber90s1024" },
621 { 0x022C, "hqc128" },
622 { 0x2F2C, "p256_hqc128" },
623 { 0x022D, "hqc192" },
624 { 0x2F2D, "p384_hqc192" },
625 { 0x022E, "hqc256" },
626 { 0x2F2E, "p521_hqc256" },
627 { 0x022F, "ntrulpr653" },
628 { 0x2F2F, "p256_ntrulpr653" },
629 { 0x0230, "ntrulpr761" },
630 { 0x2F43, "p256_ntrulpr761" },
631 { 0x0231, "ntrulpr857" },
632 { 0x2F31, "p384_ntrulpr857" },
633 { 0x0241, "ntrulpr1277" },
634 { 0x2F41, "p521_ntrulpr1277" },
635 { 0x0232, "sntrup653" },
636 { 0x2F32, "p256_sntrup653" },
637 { 0x0233, "sntrup761" },
638 { 0x2F44, "p256_sntrup761" },
639 { 0x0234, "sntrup857" },
640 { 0x2F34, "p384_sntrup857" },
641 { 0x0242, "sntrup1277" },
642 { 0x2F42, "p521_sntrup1277" },
643 /* Other PQ key exchange algorithms, using Reserved for Private Use values
644 https://blog.cloudflare.com/post-quantum-for-all
645 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
646 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
647 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
648 { 0x00, NULL((void*)0) }
649};
650
651const value_string ssl_curve_types[] = {
652 { 1, "explicit_prime" },
653 { 2, "explicit_char2" },
654 { 3, "named_curve" },
655 { 0x00, NULL((void*)0) }
656};
657
658const value_string ssl_extension_ec_point_formats[] = {
659 { 0, "uncompressed" },
660 { 1, "ansiX962_compressed_prime" },
661 { 2, "ansiX962_compressed_char2" },
662 { 0x00, NULL((void*)0) }
663};
664
665const value_string ssl_20_certificate_type[] = {
666 { 0x00, "N/A" },
667 { 0x01, "X.509 Certificate" },
668 { 0x00, NULL((void*)0) }
669};
670
671const value_string ssl_31_content_type[] = {
672 { 20, "Change Cipher Spec" },
673 { 21, "Alert" },
674 { 22, "Handshake" },
675 { 23, "Application Data" },
676 { 24, "Heartbeat" },
677 { 25, "Connection ID" },
678 { 0x00, NULL((void*)0) }
679};
680
681#if 0
682/* XXX - would be used if we dissected the body of a Change Cipher Spec
683 message. */
684const value_string ssl_31_change_cipher_spec[] = {
685 { 1, "Change Cipher Spec" },
686 { 0x00, NULL((void*)0) }
687};
688#endif
689
690const value_string ssl_31_alert_level[] = {
691 { 1, "Warning" },
692 { 2, "Fatal" },
693 { 0x00, NULL((void*)0) }
694};
695
696const value_string ssl_31_alert_description[] = {
697 { 0, "Close Notify" },
698 { 1, "End of Early Data" },
699 { 10, "Unexpected Message" },
700 { 20, "Bad Record MAC" },
701 { 21, "Decryption Failed" },
702 { 22, "Record Overflow" },
703 { 30, "Decompression Failure" },
704 { 40, "Handshake Failure" },
705 { 41, "No Certificate" },
706 { 42, "Bad Certificate" },
707 { 43, "Unsupported Certificate" },
708 { 44, "Certificate Revoked" },
709 { 45, "Certificate Expired" },
710 { 46, "Certificate Unknown" },
711 { 47, "Illegal Parameter" },
712 { 48, "Unknown CA" },
713 { 49, "Access Denied" },
714 { 50, "Decode Error" },
715 { 51, "Decrypt Error" },
716 { 60, "Export Restriction" },
717 { 70, "Protocol Version" },
718 { 71, "Insufficient Security" },
719 { 80, "Internal Error" },
720 { 86, "Inappropriate Fallback" },
721 { 90, "User Canceled" },
722 { 100, "No Renegotiation" },
723 { 109, "Missing Extension" },
724 { 110, "Unsupported Extension" },
725 { 111, "Certificate Unobtainable" },
726 { 112, "Unrecognized Name" },
727 { 113, "Bad Certificate Status Response" },
728 { 114, "Bad Certificate Hash Value" },
729 { 115, "Unknown PSK Identity" },
730 { 116, "Certificate Required" },
731 { 120, "No application Protocol" },
732 { 121, "ECH Required" },
733 { 0x00, NULL((void*)0) }
734};
735
736const value_string ssl_31_handshake_type[] = {
737 { SSL_HND_HELLO_REQUEST, "Hello Request" },
738 { SSL_HND_CLIENT_HELLO, "Client Hello" },
739 { SSL_HND_SERVER_HELLO, "Server Hello" },
740 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
741 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
742 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
743 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
744 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
745 { SSL_HND_CERTIFICATE, "Certificate" },
746 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
747 { SSL_HND_CERT_REQUEST, "Certificate Request" },
748 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
749 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
750 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
751 { SSL_HND_FINISHED, "Finished" },
752 { SSL_HND_CERT_URL, "Client Certificate URL" },
753 { SSL_HND_CERT_STATUS, "Certificate Status" },
754 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
755 { SSL_HND_KEY_UPDATE, "Key Update" },
756 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
757 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
758 { 0x00, NULL((void*)0) }
759};
760
761const value_string tls_heartbeat_type[] = {
762 { 1, "Request" },
763 { 2, "Response" },
764 { 0x00, NULL((void*)0) }
765};
766
767const value_string tls_heartbeat_mode[] = {
768 { 1, "Peer allowed to send requests" },
769 { 2, "Peer not allowed to send requests" },
770 { 0x00, NULL((void*)0) }
771};
772
773const value_string ssl_31_compression_method[] = {
774 { 0, "null" },
775 { 1, "DEFLATE" },
776 { 64, "LZS" },
777 { 0x00, NULL((void*)0) }
778};
779
780#if 0
781/* XXX - would be used if we dissected a Signature, as would be
782 seen in a server key exchange or certificate verify message. */
783const value_string ssl_31_key_exchange_algorithm[] = {
784 { 0, "RSA" },
785 { 1, "Diffie Hellman" },
786 { 0x00, NULL((void*)0) }
787};
788
789const value_string ssl_31_signature_algorithm[] = {
790 { 0, "Anonymous" },
791 { 1, "RSA" },
792 { 2, "DSA" },
793 { 0x00, NULL((void*)0) }
794};
795#endif
796
797const value_string ssl_31_client_certificate_type[] = {
798 { 1, "RSA Sign" },
799 { 2, "DSS Sign" },
800 { 3, "RSA Fixed DH" },
801 { 4, "DSS Fixed DH" },
802 /* GOST certificate types */
803 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
804 { 21, "GOST R 34.10-94" },
805 { 22, "GOST R 34.10-2001" },
806 /* END GOST certificate types */
807 { 64, "ECDSA Sign" },
808 { 65, "RSA Fixed ECDH" },
809 { 66, "ECDSA Fixed ECDH" },
810 { 80, "IBC Params" },
811 { 0x00, NULL((void*)0) }
812};
813
814#if 0
815/* XXX - would be used if we dissected exchange keys, as would be
816 seen in a client key exchange message. */
817const value_string ssl_31_public_value_encoding[] = {
818 { 0, "Implicit" },
819 { 1, "Explicit" },
820 { 0x00, NULL((void*)0) }
821};
822#endif
823
824/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
825/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
826static const value_string ssl_31_ciphersuite[] = {
827 /* RFC 2246, RFC 4346, RFC 5246 */
828 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
829 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
830 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
831 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
832 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
833 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
834 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
835 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
836 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
837 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
838 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
839 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
840 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
841 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
842 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
843 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
844 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
845 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
846 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
847 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
848 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
849 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
850 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
851 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
852 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
853 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
854 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
855 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
856
857 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
858 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
859#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
860 to remove according to David Hopwood <[email protected]>
861 of the ietf-tls list */
862 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
863#endif
864 /* RFC 2712 */
865 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
866 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
867 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
868 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
869 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
870 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
871 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
872 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
873 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
874 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
875 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
876 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
877 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
878 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
879 /* RFC 4785 */
880 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
881 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
882 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
883 /* RFC 5246 */
884 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
885 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
886 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
887 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
888 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
889 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
890 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
891 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
892 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
893 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
894 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
895 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
896 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
897 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
898 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
899 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
900 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
901 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
902 /* RFC 4132 */
903 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
904 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
905 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
906 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
907 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
908 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
909 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
910 /* --- ??? --- */
911 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
912 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
913 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
914 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
915 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
916 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
917 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
918 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
919 /* --- ??? ---*/
920 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
921 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
922 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
923 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
924 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
925 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
926 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
927 /* draft-chudov-cryptopro-cptls-04.txt */
928 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
929 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
930 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
931 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
932 /* RFC 4132 */
933 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
934 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
935 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
936 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
937 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
938 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
939 /* RFC 4279 */
940 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
941 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
942 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
943 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
944 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
945 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
946 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
947 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
948 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
949 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
950 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
951 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
952 /* RFC 4162 */
953 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
954 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
955 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
956 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
957 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
958 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
959 /* RFC 5288 */
960 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
961 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
962 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
963 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
964 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
965 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
966 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
967 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
968 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
969 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
970 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
971 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
972 /* RFC 5487 */
973 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
974 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
975 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
976 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
977 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
978 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
979 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
980 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
981 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
982 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
983 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
984 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
985 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
986 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
987 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
988 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
989 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
990 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
991 /* From RFC 5932 */
992 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
993 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
994 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
995 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
996 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
997 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
998 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
999 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1000 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1001 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1002 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1003 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1004 /* RFC 8998 */
1005 { 0x00C6, "TLS_SM4_GCM_SM3" },
1006 { 0x00C7, "TLS_SM4_CCM_SM3" },
1007 /* 0x00,0xC8-FE Unassigned */
1008 /* From RFC 5746 */
1009 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1010 /* RFC 8701 */
1011 { 0x0A0A, "Reserved (GREASE)" },
1012 /* RFC 8446 */
1013 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1014 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1015 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1016 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1017 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1018 /* RFC 8701 */
1019 { 0x1A1A, "Reserved (GREASE)" },
1020 { 0x2A2A, "Reserved (GREASE)" },
1021 { 0x3A3A, "Reserved (GREASE)" },
1022 { 0x4A4A, "Reserved (GREASE)" },
1023 /* From RFC 7507 */
1024 { 0x5600, "TLS_FALLBACK_SCSV" },
1025 /* RFC 8701 */
1026 { 0x5A5A, "Reserved (GREASE)" },
1027 { 0x6A6A, "Reserved (GREASE)" },
1028 { 0x7A7A, "Reserved (GREASE)" },
1029 { 0x8A8A, "Reserved (GREASE)" },
1030 { 0x9A9A, "Reserved (GREASE)" },
1031 { 0xAAAA, "Reserved (GREASE)" },
1032 { 0xBABA, "Reserved (GREASE)" },
1033 /* From RFC 4492 */
1034 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1035 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1036 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1037 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1038 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1039 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1040 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1041 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1042 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1043 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1044 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1045 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1046 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1047 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1048 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1049 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1050 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1051 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1052 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1053 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1054 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1055 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1056 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1057 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1058 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1059 /* RFC 5054 */
1060 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1061 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1062 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1063 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1064 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1065 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1066 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1067 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1068 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1069 /* RFC 5589 */
1070 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1071 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1072 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1073 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1074 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1075 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1076 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1077 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1078 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1079 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1080 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1081 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1082 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1083 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1084 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1085 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1086 /* RFC 5489 */
1087 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1088 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1089 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1090 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1091 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1092 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1093 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1094 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1095 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1096 /* RFC 6209 */
1097 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1098 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1099 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1100 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1101 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1102 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1103 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1104 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1105 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1106 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1107 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1108 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1109 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1110 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1111 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1112 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1113 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1114 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1115 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1116 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1117 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1118 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1119 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1120 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1121 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1122 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1123 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1124 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1125 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1126 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1127 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1128 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1129 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1130 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1131 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1132 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1133 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1134 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1135 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1136 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1137 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1138 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1139 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1140 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1141 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1142 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1143 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1144 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1145 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1146 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1147 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1148 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1149 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1150 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1151 /* RFC 6367 */
1152 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1153 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1154 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1155 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1156 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1157 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1158 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1159 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1160 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1161 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1162 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1163 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1164 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1165 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1166 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1167 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1168 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1169 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1170 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1171 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1172 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1173 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1174 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1175 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1176 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1177 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1178 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1179 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1180 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1181 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1182 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1183 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1184 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1185 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1186 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1187 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1188 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1189 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1190 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1191 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1192 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1193 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1194 /* RFC 6655 */
1195 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1196 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1197 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1198 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1199 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1200 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1201 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1202 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1203 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1204 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1205 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1206 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1207 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1208 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1209 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1210 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1211 /* RFC 7251 */
1212 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1213 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1214 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1215 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1216 /* RFC 8492 */
1217 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1218 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1219 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1220 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1221 /* draft-camwinget-tls-ts13-macciphersuites */
1222 { 0xC0B4, "TLS_SHA256_SHA256" },
1223 { 0xC0B5, "TLS_SHA384_SHA384" },
1224 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1225 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1226 /* draft-smyshlyaev-tls12-gost-suites */
1227 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1228 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1229 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1230 /* draft-smyshlyaev-tls13-gost-suites */
1231 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1232 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1233 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1234 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1235 /* RFC 8701 */
1236 { 0xCACA, "Reserved (GREASE)" },
1237/*
12380xC0,0xAB-FF Unassigned
12390xC1,0x03-FD,* Unassigned
12400xFE,0x00-FD Unassigned
12410xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
12420xFF,0x00-FF Reserved for Private Use [RFC5246]
1243*/
1244 /* old numbers used in the beginning
1245 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
1246 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1247 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1248 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1249 /* RFC 7905 */
1250 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1251 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1252 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1253 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1254 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1255 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1256 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1257 /* RFC 8442 */
1258 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1259 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1260 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1261 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1262 /* RFC 8701 */
1263 { 0xDADA, "Reserved (GREASE)" },
1264 /* GM/T 0024-2014 */
1265 { 0xe001, "ECDHE_SM1_SM3"},
1266 { 0xe003, "ECC_SM1_SM3"},
1267 { 0xe005, "IBSDH_SM1_SM3"},
1268 { 0xe007, "IBC_SM1_SM3"},
1269 { 0xe009, "RSA_SM1_SM3"},
1270 { 0xe00a, "RSA_SM1_SHA1"},
1271 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1272 { 0xe013, "ECC_SM4_CBC_SM3"},
1273 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1274 { 0xe017, "IBC_SM4_CBC_SM3"},
1275 { 0xe019, "RSA_SM4_CBC_SM3"},
1276 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1277 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1278 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1279 { 0xe053, "ECC_SM4_GCM_SM3"},
1280 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1281 { 0xe057, "IBC_SM4_GCM_SM3"},
1282 { 0xe059, "RSA_SM4_GCM_SM3"},
1283 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1284 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1285 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1286 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1287 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1288 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1289 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1290 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1291 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1292 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1293 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1294 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1295 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1296 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1297 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1298 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1299 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1300 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1301 /* RFC 8701 */
1302 { 0xEAEA, "Reserved (GREASE)" },
1303 { 0xFAFA, "Reserved (GREASE)" },
1304 /* these from http://www.mozilla.org/projects/
1305 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
1306 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1307 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1308 /* https://datatracker.ietf.org/doc/html/rfc9189 */
1309 { 0xff85, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"},
1310 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1311 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1312 /* note that ciphersuites 0xff00 - 0xffff are private */
1313 { 0x00, NULL((void*)0) }
1314};
1315
1316value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
, ((void*)0) };
1317
1318/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1319const value_string tls_hello_extension_types[] = {
1320 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1321 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1322 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1323 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1324 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1325 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1326 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1327 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1328 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1329 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1330 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1331 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1332 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1333 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1334 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1335 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1336 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1337 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1338 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1339 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1340 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1341 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1342 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1343 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1344 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1345 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1346 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1347 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1348 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1349 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1350 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1351 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1352 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1353 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1354 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1355 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1356 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1357 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1358 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1359 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1360 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1363 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1364 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1365 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1366 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1367 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1368 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1369 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1370 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1371 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1372 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1373 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03 */
1374 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1375 { SSL_HND_HELLO_EXT_ALPS_OLD17513, "application_settings_old" }, /* draft-vvv-tls-alps-01 */
1376 { SSL_HND_HELLO_EXT_ALPS17613, "application_settings" }, /* draft-vvv-tls-alps-01 */ /* https://chromestatus.com/feature/5149147365900288 */
1377 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1378 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1379 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1381 https://twitter.com/ericlaw/status/274237352531083264 */
1382 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1383 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1384 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1385 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1386 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1387 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1389 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1390 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1391 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1392 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1393 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1395 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1396 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1397 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1398 { 0, NULL((void*)0) }
1399};
1400
1401const value_string tls_hello_ext_server_name_type_vs[] = {
1402 { 0, "host_name" },
1403 { 0, NULL((void*)0) }
1404};
1405
1406/* RFC 6066 Section 4 */
1407const value_string tls_hello_ext_max_fragment_length[] = {
1408 { 1, "512" }, // 2^9
1409 { 2, "1024" }, // 2^10
1410 { 3, "2048" }, // 2^11
1411 { 4, "4096" }, // 2^12
1412 { 0, NULL((void*)0) }
1413};
1414
1415/* RFC 8446 Section 4.2.9 */
1416const value_string tls_hello_ext_psk_ke_mode[] = {
1417 { 0, "PSK-only key establishment (psk_ke)" },
1418 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
1419 { 0, NULL((void*)0) }
1420};
1421
1422/* RFC 6066 Section 6 */
1423const value_string tls_hello_ext_trusted_ca_key_type[] = {
1424 {0, "pre_agreed"},
1425 {1, "key_sha1_hash"},
1426 {2, "x509_name"},
1427 {3, "cert_sha1_hash"},
1428 {0, NULL((void*)0)}
1429};
1430
1431const value_string tls13_key_update_request[] = {
1432 { 0, "update_not_requested" },
1433 { 1, "update_requested" },
1434 { 0, NULL((void*)0) }
1435};
1436
1437/* RFC 5246 7.4.1.4.1 */
1438/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1439/* Note that the TLS 1.3 SignatureScheme registry reserves all values
1440 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1441 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1442 *
1443 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1444 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1445 * and TLS HashAlgorithm registries, but the new values are not compatible
1446 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1447 * cause confusion if used to interpret one of those schemes in a
1448 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1449 */
1450const value_string tls_hash_algorithm[] = {
1451 { 0, "None" },
1452 { 1, "MD5" },
1453 { 2, "SHA1" },
1454 { 3, "SHA224" },
1455 { 4, "SHA256" },
1456 { 5, "SHA384" },
1457 { 6, "SHA512" },
1458#if 0
1459 /* RFC 8422 adds this to the HashAlgorithm registry, but it really
1460 * only applies to 0x0807 and 0x0808, not for other TLS 1.3
1461 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
1462 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
1463 */
1464 { 8, "Intrinsic" },
1465#endif
1466 { 0, NULL((void*)0) }
1467};
1468
1469const value_string tls_signature_algorithm[] = {
1470 { 0, "Anonymous" },
1471 { 1, "RSA" },
1472 { 2, "DSA" },
1473 { 3, "ECDSA" },
1474#if 0
1475 /* As above. */
1476 { 7, "ED25519" },
1477 { 8, "ED448" },
1478 { 64, "GOSTR34102012_256" },
1479 { 65, "GOSTR34102012_512" },
1480#endif
1481 { 0, NULL((void*)0) }
1482};
1483
1484/* RFC 8446 Section 4.2.3 */
1485const value_string tls13_signature_algorithm[] = {
1486 { 0x0201, "rsa_pkcs1_sha1" },
1487 { 0x0203, "ecdsa_sha1" },
1488 { 0x0401, "rsa_pkcs1_sha256" },
1489 { 0x0403, "ecdsa_secp256r1_sha256" },
1490 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1491 { 0x0501, "rsa_pkcs1_sha384" },
1492 { 0x0503, "ecdsa_secp384r1_sha384" },
1493 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1494 { 0x0601, "rsa_pkcs1_sha512" },
1495 { 0x0603, "ecdsa_secp521r1_sha512" },
1496 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1497 { 0x0708, "sm2sig_sm3" },
1498 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
1499 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
1500 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
1501 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
1502 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
1503 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
1504 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
1505 { 0x0804, "rsa_pss_rsae_sha256" },
1506 { 0x0805, "rsa_pss_rsae_sha384" },
1507 { 0x0806, "rsa_pss_rsae_sha512" },
1508 { 0x0807, "ed25519" },
1509 { 0x0808, "ed448" },
1510 { 0x0809, "rsa_pss_pss_sha256" },
1511 { 0x080a, "rsa_pss_pss_sha384" },
1512 { 0x080b, "rsa_pss_pss_sha512" },
1513 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
1514 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
1515 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
1516 /* PQC digital signature algorithms from OQS-OpenSSL,
1517 see https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-sig-info.md */
1518 { 0xfea0, "dilithium2" },
1519 { 0xfea1, "p256_dilithium2" },
1520 { 0xfea2, "rsa3072_dilithium2" },
1521 { 0xfea3, "dilithium3" },
1522 { 0xfea4, "p384_dilithium3" },
1523 { 0xfea5, "dilithium5" },
1524 { 0xfea6, "p521_dilithium5" },
1525 { 0xfea7, "dilithium2_aes" },
1526 { 0xfea8, "p256_dilithium2_aes" },
1527 { 0xfea9, "rsa3072_dilithium2_aes" },
1528 { 0xfeaa, "dilithium3_aes" },
1529 { 0xfeab, "p384_dilithium3_aes" },
1530 { 0xfeac, "dilithium5_aes" },
1531 { 0xfead, "p521_dilithium5_aes" },
1532 { 0xfe0b, "falcon512" },
1533 { 0xfe0c, "p256_falcon512" },
1534 { 0xfe0d, "rsa3072_falcon512" },
1535 { 0xfe0e, "falcon1024" },
1536 { 0xfe0f, "p521_falcon1024" },
1537 { 0xfe96, "picnicl1full" },
1538 { 0xfe97, "p256_picnicl1full" },
1539 { 0xfe98, "rsa3072_picnicl1full" },
1540 { 0xfe1b, "picnic3l1" },
1541 { 0xfe1c, "p256_picnic3l1" },
1542 { 0xfe1d, "rsa3072_picnic3l1" },
1543 { 0xfe27, "rainbowIclassic" },
1544 { 0xfe28, "p256_rainbowIclassic" },
1545 { 0xfe29, "rsa3072_rainbowIclassic" },
1546 { 0xfe3c, "rainbowVclassic" },
1547 { 0xfe3d, "p521_rainbowVclassic" },
1548 { 0xfe42, "sphincsharaka128frobust" },
1549 { 0xfe43, "p256_sphincsharaka128frobust" },
1550 { 0xfe44, "rsa3072_sphincsharaka128frobust" },
1551 { 0xfe5e, "sphincssha256128frobust" },
1552 { 0xfe5f, "p256_sphincssha256128frobust" },
1553 { 0xfe60, "rsa3072_sphincssha256128frobust" },
1554 { 0xfe7a, "sphincsshake256128frobust" },
1555 { 0xfe7b, "p256_sphincsshake256128frobust" },
1556 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
1557 { 0, NULL((void*)0) }
1558};
1559
1560/* RFC 6091 3.1 */
1561const value_string tls_certificate_type[] = {
1562 { 0, "X.509" },
1563 { 1, "OpenPGP" },
1564 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2, "Raw Public Key" }, /* RFC 7250 */
1565 { 0, NULL((void*)0) }
1566};
1567
1568const value_string tls_cert_chain_type[] = {
1569 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT1, "Individual Certificates" },
1570 { SSL_HND_CERT_URL_TYPE_PKIPATH2, "PKI Path" },
1571 { 0, NULL((void*)0) }
1572};
1573
1574const value_string tls_cert_status_type[] = {
1575 { SSL_HND_CERT_STATUS_TYPE_OCSP1, "OCSP" },
1576 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2, "OCSP Multi" },
1577 { 0, NULL((void*)0) }
1578};
1579
1580/* Generated by tools/make-tls-ct-logids.py
1581 * Last-Modified Sat, 13 Sep 2025 15:24:25 GMT, 186 entries. */
1582static const bytes_string ct_logids[] = {
1583 { (const uint8_t[]){
1584 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1585 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1586 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1587 },
1588 32, "Google 'Argon2020' log" },
1589 { (const uint8_t[]){
1590 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1591 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1592 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1593 },
1594 32, "Google 'Argon2021' log" },
1595 { (const uint8_t[]){
1596 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1597 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1598 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1599 },
1600 32, "Google 'Argon2022' log" },
1601 { (const uint8_t[]){
1602 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1603 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1604 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1605 },
1606 32, "Google 'Argon2023' log" },
1607 { (const uint8_t[]){
1608 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1609 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1610 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1611 },
1612 32, "Google 'Argon2024' log" },
1613 { (const uint8_t[]){
1614 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1615 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1616 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1617 },
1618 32, "Google 'Argon2025h1' log" },
1619 { (const uint8_t[]){
1620 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1621 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1622 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1623 },
1624 32, "Google 'Argon2025h2' log" },
1625 { (const uint8_t[]){
1626 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1627 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1628 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1629 },
1630 32, "Google 'Argon2026h1' log" },
1631 { (const uint8_t[]){
1632 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1633 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1634 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1635 },
1636 32, "Google 'Argon2026h2' log" },
1637 { (const uint8_t[]){
1638 0xd6, 0xd5, 0x8d, 0xa9, 0xd0, 0x17, 0x53, 0xf3, 0x6a, 0x4a, 0xa0,
1639 0xc7, 0x57, 0x49, 0x02, 0xaf, 0xeb, 0xc7, 0xdc, 0x2c, 0xd3, 0x8c,
1640 0xd9, 0xf7, 0x64, 0xc8, 0x0c, 0x89, 0x19, 0x1e, 0x9f, 0x02,
1641 },
1642 32, "Google 'Argon2027h1'" },
1643 { (const uint8_t[]){
1644 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1645 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1646 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1647 },
1648 32, "Google 'Xenon2020' log" },
1649 { (const uint8_t[]){
1650 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1651 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1652 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1653 },
1654 32, "Google 'Xenon2021' log" },
1655 { (const uint8_t[]){
1656 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1657 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1658 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1659 },
1660 32, "Google 'Xenon2022' log" },
1661 { (const uint8_t[]){
1662 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1663 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1664 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1665 },
1666 32, "Google 'Xenon2023' log" },
1667 { (const uint8_t[]){
1668 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1669 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1670 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1671 },
1672 32, "Google 'Xenon2024' log" },
1673 { (const uint8_t[]){
1674 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1675 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1676 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1677 },
1678 32, "Google 'Xenon2025h1' log" },
1679 { (const uint8_t[]){
1680 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1681 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1682 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1683 },
1684 32, "Google 'Xenon2025h2' log" },
1685 { (const uint8_t[]){
1686 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1687 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1688 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1689 },
1690 32, "Google 'Xenon2026h1' log" },
1691 { (const uint8_t[]){
1692 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1693 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1694 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1695 },
1696 32, "Google 'Xenon2026h2' log" },
1697 { (const uint8_t[]){
1698 0x44, 0xc2, 0xbd, 0x0c, 0xe9, 0x14, 0x0e, 0x64, 0xa5, 0xc9, 0x4a,
1699 0x01, 0x93, 0x0a, 0x5a, 0xa1, 0xbb, 0x35, 0x97, 0x0e, 0x00, 0xee,
1700 0x11, 0x16, 0x89, 0x68, 0x2a, 0x1c, 0x44, 0xd7, 0xb5, 0x66,
1701 },
1702 32, "Google 'Xenon2027h1'" },
1703 { (const uint8_t[]){
1704 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1705 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1706 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1707 },
1708 32, "Google 'Aviator' log" },
1709 { (const uint8_t[]){
1710 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1711 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1712 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1713 },
1714 32, "Google 'Icarus' log" },
1715 { (const uint8_t[]){
1716 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1717 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1718 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1719 },
1720 32, "Google 'Pilot' log" },
1721 { (const uint8_t[]){
1722 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1723 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1724 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1725 },
1726 32, "Google 'Rocketeer' log" },
1727 { (const uint8_t[]){
1728 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1729 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1730 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1731 },
1732 32, "Google 'Skydiver' log" },
1733 { (const uint8_t[]){
1734 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1735 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1736 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1737 },
1738 32, "Google 'Argon2017' log" },
1739 { (const uint8_t[]){
1740 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1741 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1742 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1743 },
1744 32, "Google 'Argon2018' log" },
1745 { (const uint8_t[]){
1746 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1747 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1748 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1749 },
1750 32, "Google 'Argon2019' log" },
1751 { (const uint8_t[]){
1752 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1753 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1754 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1755 },
1756 32, "Google 'Xenon2018' log" },
1757 { (const uint8_t[]){
1758 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1759 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1760 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1761 },
1762 32, "Google 'Xenon2019' log" },
1763 { (const uint8_t[]){
1764 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1765 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1766 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1767 },
1768 32, "Google 'Submariner' log" },
1769 { (const uint8_t[]){
1770 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1771 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1772 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1773 },
1774 32, "Google 'Daedalus' log" },
1775 { (const uint8_t[]){
1776 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1777 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1778 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1779 },
1780 32, "Google 'Testtube' log" },
1781 { (const uint8_t[]){
1782 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1783 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1784 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1785 },
1786 32, "Google 'Crucible' log" },
1787 { (const uint8_t[]){
1788 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1789 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1790 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1791 },
1792 32, "Google 'Solera2018' log" },
1793 { (const uint8_t[]){
1794 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1795 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1796 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1797 },
1798 32, "Google 'Solera2019' log" },
1799 { (const uint8_t[]){
1800 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1801 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1802 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1803 },
1804 32, "Google 'Solera2020' log" },
1805 { (const uint8_t[]){
1806 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1807 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1808 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1809 },
1810 32, "Google 'Solera2021' log" },
1811 { (const uint8_t[]){
1812 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1813 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1814 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1815 },
1816 32, "Google 'Solera2022' log" },
1817 { (const uint8_t[]){
1818 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1819 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1820 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1821 },
1822 32, "Google 'Solera2023' log" },
1823 { (const uint8_t[]){
1824 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1825 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1826 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1827 },
1828 32, "Google 'Solera2024' log" },
1829 { (const uint8_t[]){
1830 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1831 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1832 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1833 },
1834 32, "Google 'Solera2025h1' log" },
1835 { (const uint8_t[]){
1836 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1837 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1838 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1839 },
1840 32, "Google 'Solera2025h2' log" },
1841 { (const uint8_t[]){
1842 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1843 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1844 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1845 },
1846 32, "Google 'Solera2026h1' log" },
1847 { (const uint8_t[]){
1848 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1849 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1850 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1851 },
1852 32, "Google 'Solera2026h2' log" },
1853 { (const uint8_t[]){
1854 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1855 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1856 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1857 },
1858 32, "Cloudflare 'Nimbus2020' Log" },
1859 { (const uint8_t[]){
1860 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1861 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1862 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1863 },
1864 32, "Cloudflare 'Nimbus2021' Log" },
1865 { (const uint8_t[]){
1866 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1867 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1868 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1869 },
1870 32, "Cloudflare 'Nimbus2022' Log" },
1871 { (const uint8_t[]){
1872 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1873 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1874 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1875 },
1876 32, "Cloudflare 'Nimbus2023' Log" },
1877 { (const uint8_t[]){
1878 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1879 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1880 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1881 },
1882 32, "Cloudflare 'Nimbus2024' Log" },
1883 { (const uint8_t[]){
1884 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1885 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1886 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1887 },
1888 32, "Cloudflare 'Nimbus2025'" },
1889 { (const uint8_t[]){
1890 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1891 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1892 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1893 },
1894 32, "Cloudflare 'Nimbus2026'" },
1895 { (const uint8_t[]){
1896 0x4c, 0x63, 0xdc, 0x98, 0xe5, 0x9c, 0x1d, 0xab, 0x88, 0xf6, 0x1e,
1897 0x8a, 0x3d, 0xde, 0xae, 0x8f, 0xab, 0x44, 0xa3, 0x37, 0x7b, 0x5f,
1898 0x9b, 0x94, 0xc3, 0xfb, 0xa1, 0x9c, 0xfc, 0xc1, 0xbe, 0x26,
1899 },
1900 32, "Cloudflare 'Nimbus2027'" },
1901 { (const uint8_t[]){
1902 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1903 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1904 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1905 },
1906 32, "Cloudflare 'Nimbus2017' Log" },
1907 { (const uint8_t[]){
1908 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1909 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1910 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1911 },
1912 32, "Cloudflare 'Nimbus2018' Log" },
1913 { (const uint8_t[]){
1914 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1915 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1916 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1917 },
1918 32, "Cloudflare 'Nimbus2019' Log" },
1919 { (const uint8_t[]){
1920 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1921 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1922 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1923 },
1924 32, "DigiCert Log Server" },
1925 { (const uint8_t[]){
1926 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1927 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1928 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1929 },
1930 32, "DigiCert Log Server 2" },
1931 { (const uint8_t[]){
1932 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1933 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1934 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1935 },
1936 32, "DigiCert Yeti2020 Log" },
1937 { (const uint8_t[]){
1938 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1939 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1940 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1941 },
1942 32, "DigiCert Yeti2021 Log" },
1943 { (const uint8_t[]){
1944 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1945 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1946 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1947 },
1948 32, "DigiCert Yeti2022 Log" },
1949 { (const uint8_t[]){
1950 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1951 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1952 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1953 },
1954 32, "DigiCert Yeti2023 Log" },
1955 { (const uint8_t[]){
1956 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1957 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1958 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1959 },
1960 32, "DigiCert Yeti2024 Log" },
1961 { (const uint8_t[]){
1962 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1963 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1964 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1965 },
1966 32, "DigiCert Yeti2025 Log" },
1967 { (const uint8_t[]){
1968 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1969 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1970 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1971 },
1972 32, "DigiCert Nessie2020 Log" },
1973 { (const uint8_t[]){
1974 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
1975 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
1976 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
1977 },
1978 32, "DigiCert Nessie2021 Log" },
1979 { (const uint8_t[]){
1980 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
1981 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
1982 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
1983 },
1984 32, "DigiCert Nessie2022 Log" },
1985 { (const uint8_t[]){
1986 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
1987 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
1988 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
1989 },
1990 32, "DigiCert Nessie2023 Log" },
1991 { (const uint8_t[]){
1992 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
1993 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
1994 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
1995 },
1996 32, "DigiCert Nessie2024 Log" },
1997 { (const uint8_t[]){
1998 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
1999 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
2000 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
2001 },
2002 32, "DigiCert Nessie2025 Log" },
2003 { (const uint8_t[]){
2004 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
2005 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
2006 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
2007 },
2008 32, "DigiCert 'Wyvern2024h1' Log" },
2009 { (const uint8_t[]){
2010 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2011 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2012 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2013 },
2014 32, "DigiCert 'Wyvern2024h2' Log" },
2015 { (const uint8_t[]){
2016 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2017 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2018 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2019 },
2020 32, "DigiCert 'Wyvern2025h1' Log" },
2021 { (const uint8_t[]){
2022 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2023 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2024 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2025 },
2026 32, "DigiCert 'Wyvern2025h2' Log" },
2027 { (const uint8_t[]){
2028 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2029 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2030 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2031 },
2032 32, "DigiCert 'Wyvern2026h1'" },
2033 { (const uint8_t[]){
2034 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2035 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2036 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2037 },
2038 32, "DigiCert 'Wyvern2026h2'" },
2039 { (const uint8_t[]){
2040 0x00, 0x1a, 0x5d, 0x1a, 0x1c, 0x2d, 0x93, 0x75, 0xb6, 0x48, 0x55,
2041 0x78, 0xf8, 0x2f, 0x71, 0xa1, 0xae, 0x6e, 0xef, 0x39, 0x7d, 0x29,
2042 0x7c, 0x8a, 0xe3, 0x15, 0x7b, 0xca, 0xde, 0xe1, 0xa0, 0x1e,
2043 },
2044 32, "DigiCert 'Wyvern2027h1'" },
2045 { (const uint8_t[]){
2046 0x37, 0xaa, 0x07, 0xcc, 0x21, 0x6f, 0x2e, 0x6d, 0x91, 0x9c, 0x70,
2047 0x9d, 0x24, 0xd8, 0xf7, 0x31, 0xb0, 0x0f, 0x2b, 0x14, 0x7c, 0x62,
2048 0x1c, 0xc0, 0x91, 0xa5, 0xfa, 0x1a, 0x84, 0xd8, 0x16, 0xdd,
2049 },
2050 32, "DigiCert 'Wyvern2027h2'" },
2051 { (const uint8_t[]){
2052 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2053 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2054 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2055 },
2056 32, "DigiCert 'Sphinx2024h1' Log" },
2057 { (const uint8_t[]){
2058 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2059 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2060 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2061 },
2062 32, "DigiCert 'Sphinx2024h2' Log" },
2063 { (const uint8_t[]){
2064 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2065 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2066 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2067 },
2068 32, "DigiCert 'Sphinx2025h1' Log" },
2069 { (const uint8_t[]){
2070 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2071 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2072 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2073 },
2074 32, "DigiCert 'Sphinx2025h2' Log" },
2075 { (const uint8_t[]){
2076 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2077 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2078 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2079 },
2080 32, "DigiCert 'Sphinx2026h1'" },
2081 { (const uint8_t[]){
2082 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2083 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2084 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2085 },
2086 32, "DigiCert 'Sphinx2026h2'" },
2087 { (const uint8_t[]){
2088 0x46, 0xa2, 0x39, 0x67, 0xc6, 0x0d, 0xb6, 0x46, 0x87, 0xc6, 0x6f,
2089 0x3d, 0xf9, 0x99, 0x94, 0x76, 0x93, 0xa6, 0xa6, 0x11, 0x20, 0x84,
2090 0x57, 0xd5, 0x55, 0xe7, 0xe3, 0xd0, 0xa1, 0xd9, 0xb6, 0x46,
2091 },
2092 32, "DigiCert 'sphinx2027h1'" },
2093 { (const uint8_t[]){
2094 0x1f, 0xb0, 0xf8, 0xa9, 0x2d, 0x8a, 0xdd, 0xa1, 0x21, 0x77, 0x6c,
2095 0x05, 0xe2, 0xaa, 0x2e, 0x15, 0xba, 0xcb, 0xc6, 0x2b, 0x65, 0x39,
2096 0x36, 0x95, 0x57, 0x6a, 0xaa, 0xb5, 0x2e, 0x11, 0xd1, 0x1d,
2097 },
2098 32, "DigiCert 'sphinx2027h2'" },
2099 { (const uint8_t[]){
2100 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2101 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2102 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2103 },
2104 32, "Symantec log" },
2105 { (const uint8_t[]){
2106 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2107 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2108 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2109 },
2110 32, "Symantec 'Vega' log" },
2111 { (const uint8_t[]){
2112 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2113 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2114 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2115 },
2116 32, "Symantec 'Sirius' log" },
2117 { (const uint8_t[]){
2118 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2119 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2120 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2121 },
2122 32, "DigiCert Yeti2022-2 Log" },
2123 { (const uint8_t[]){
2124 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2125 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2126 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2127 },
2128 32, "DigiCert Yeti2018 Log" },
2129 { (const uint8_t[]){
2130 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2131 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2132 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2133 },
2134 32, "DigiCert Yeti2019 Log" },
2135 { (const uint8_t[]){
2136 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2137 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2138 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2139 },
2140 32, "DigiCert Nessie2018 Log" },
2141 { (const uint8_t[]){
2142 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2143 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2144 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2145 },
2146 32, "DigiCert Nessie2019 Log" },
2147 { (const uint8_t[]){
2148 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2149 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2150 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2151 },
2152 32, "Symantec Deneb" },
2153 { (const uint8_t[]){
2154 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2155 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2156 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2157 },
2158 32, "Certly.IO log" },
2159 { (const uint8_t[]){
2160 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2161 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2162 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2163 },
2164 32, "Izenpe log" },
2165 { (const uint8_t[]){
2166 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2167 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2168 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2169 },
2170 32, "Izenpe 'Argi' log" },
2171 { (const uint8_t[]){
2172 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2173 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2174 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2175 },
2176 32, "WoSign log" },
2177 { (const uint8_t[]){
2178 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2179 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2180 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2181 },
2182 32, "WoSign CT log #1" },
2183 { (const uint8_t[]){
2184 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2185 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2186 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2187 },
2188 32, "WoSign log 2" },
2189 { (const uint8_t[]){
2190 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2191 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2192 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2193 },
2194 32, "Venafi log" },
2195 { (const uint8_t[]){
2196 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2197 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2198 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2199 },
2200 32, "Venafi Gen2 CT log" },
2201 { (const uint8_t[]){
2202 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2203 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2204 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2205 },
2206 32, "CNNIC CT log" },
2207 { (const uint8_t[]){
2208 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2209 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2210 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2211 },
2212 32, "StartCom log" },
2213 { (const uint8_t[]){
2214 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2215 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2216 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2217 },
2218 32, "Sectigo 'Sabre' CT log" },
2219 { (const uint8_t[]){
2220 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2221 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2222 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2223 },
2224 32, "Sectigo 'Sabre2024h1'" },
2225 { (const uint8_t[]){
2226 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2227 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2228 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2229 },
2230 32, "Sectigo 'Sabre2024h2'" },
2231 { (const uint8_t[]){
2232 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2233 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2234 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2235 },
2236 32, "Sectigo 'Sabre2025h1'" },
2237 { (const uint8_t[]){
2238 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2239 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2240 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2241 },
2242 32, "Sectigo 'Sabre2025h2'" },
2243 { (const uint8_t[]){
2244 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2245 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2246 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2247 },
2248 32, "Sectigo 'Mammoth' CT log" },
2249 { (const uint8_t[]){
2250 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2251 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2252 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2253 },
2254 32, "Sectigo 'Mammoth2024h1'" },
2255 { (const uint8_t[]){
2256 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2257 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2258 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2259 },
2260 32, "Sectigo 'Mammoth2024h1b'" },
2261 { (const uint8_t[]){
2262 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2263 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2264 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2265 },
2266 32, "Sectigo 'Mammoth2024h2'" },
2267 { (const uint8_t[]){
2268 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2269 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2270 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2271 },
2272 32, "Sectigo 'Mammoth2025h1'" },
2273 { (const uint8_t[]){
2274 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2275 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2276 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2277 },
2278 32, "Sectigo 'Mammoth2025h2'" },
2279 { (const uint8_t[]){
2280 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2281 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2282 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2283 },
2284 32, "Sectigo 'Mammoth2026h1'" },
2285 { (const uint8_t[]){
2286 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2287 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2288 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2289 },
2290 32, "Sectigo 'Mammoth2026h2'" },
2291 { (const uint8_t[]){
2292 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2293 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2294 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2295 },
2296 32, "Sectigo 'Sabre2026h1'" },
2297 { (const uint8_t[]){
2298 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2299 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2300 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2301 },
2302 32, "Sectigo 'Sabre2026h2'" },
2303 { (const uint8_t[]){
2304 0x0d, 0x1d, 0xbc, 0x89, 0x44, 0xe9, 0xf5, 0x00, 0x55, 0x42, 0xd7,
2305 0x2d, 0x3e, 0x14, 0x4c, 0xcc, 0x43, 0x08, 0x2a, 0xb6, 0xea, 0x1e,
2306 0x94, 0xdf, 0xd7, 0x06, 0x65, 0x7d, 0x2e, 0x86, 0xf3, 0x01,
2307 },
2308 32, "Sectigo 'Elephant2025h2'" },
2309 { (const uint8_t[]){
2310 0xd1, 0x6e, 0xa9, 0xa5, 0x68, 0x07, 0x7e, 0x66, 0x35, 0xa0, 0x3f,
2311 0x37, 0xa5, 0xdd, 0xbc, 0x03, 0xa5, 0x3c, 0x41, 0x12, 0x14, 0xd4,
2312 0x88, 0x18, 0xf5, 0xe9, 0x31, 0xb3, 0x23, 0xcb, 0x95, 0x04,
2313 },
2314 32, "Sectigo 'Elephant2026h1'" },
2315 { (const uint8_t[]){
2316 0xaf, 0x67, 0x88, 0x3b, 0x57, 0xb0, 0x4e, 0xdd, 0x8f, 0xa6, 0xd9,
2317 0x7e, 0xf6, 0x2e, 0xa8, 0xeb, 0x81, 0x0a, 0xc7, 0x71, 0x60, 0xf0,
2318 0x24, 0x5e, 0x55, 0xd6, 0x0c, 0x2f, 0xe7, 0x85, 0x87, 0x3a,
2319 },
2320 32, "Sectigo 'Elephant2026h2'" },
2321 { (const uint8_t[]){
2322 0x60, 0x4c, 0x9a, 0xaf, 0x7a, 0x7f, 0x77, 0x5f, 0x01, 0xd4, 0x06,
2323 0xfc, 0x92, 0x0d, 0xc8, 0x99, 0xeb, 0x0b, 0x1c, 0x7d, 0xf8, 0xc9,
2324 0x52, 0x1b, 0xfa, 0xfa, 0x17, 0x77, 0x3b, 0x97, 0x8b, 0xc9,
2325 },
2326 32, "Sectigo 'Elephant2027h1'" },
2327 { (const uint8_t[]){
2328 0xa2, 0x49, 0x0c, 0xdc, 0xdb, 0x8e, 0x33, 0xa4, 0x00, 0x32, 0x17,
2329 0x60, 0xd6, 0xd4, 0xd5, 0x1a, 0x20, 0x36, 0x19, 0x1e, 0xa7, 0x7d,
2330 0x96, 0x8b, 0xe2, 0x6a, 0x8a, 0x00, 0xf6, 0xff, 0xff, 0xf7,
2331 },
2332 32, "Sectigo 'Elephant2027h2'" },
2333 { (const uint8_t[]){
2334 0x5c, 0xa5, 0x77, 0xd2, 0x9b, 0x7f, 0x8b, 0xaf, 0x41, 0x9e, 0xd8,
2335 0xec, 0xab, 0xfb, 0x6d, 0xcb, 0xae, 0xc3, 0x85, 0x37, 0x02, 0xd5,
2336 0x74, 0x6f, 0x17, 0x4d, 0xad, 0x3c, 0x93, 0x4a, 0xa9, 0x6a,
2337 },
2338 32, "Sectigo 'Tiger2025h2'" },
2339 { (const uint8_t[]){
2340 0x16, 0x83, 0x2d, 0xab, 0xf0, 0xa9, 0x25, 0x0f, 0x0f, 0xf0, 0x3a,
2341 0xa5, 0x45, 0xff, 0xc8, 0xbf, 0xc8, 0x23, 0xd0, 0x87, 0x4b, 0xf6,
2342 0x04, 0x29, 0x27, 0xf8, 0xe7, 0x1f, 0x33, 0x13, 0xf5, 0xfa,
2343 },
2344 32, "Sectigo 'Tiger2026h1'" },
2345 { (const uint8_t[]){
2346 0xc8, 0xa3, 0xc4, 0x7f, 0xc7, 0xb3, 0xad, 0xb9, 0x35, 0x6b, 0x01,
2347 0x3f, 0x6a, 0x7a, 0x12, 0x6d, 0xe3, 0x3a, 0x4e, 0x43, 0xa5, 0xc6,
2348 0x46, 0xf9, 0x97, 0xad, 0x39, 0x75, 0x99, 0x1d, 0xcf, 0x9a,
2349 },
2350 32, "Sectigo 'Tiger2026h2'" },
2351 { (const uint8_t[]){
2352 0x1c, 0x9f, 0x68, 0x2c, 0xe9, 0xfa, 0xf0, 0x45, 0x69, 0x50, 0xf8,
2353 0x1b, 0x96, 0x8a, 0x87, 0xdd, 0xdb, 0x32, 0x10, 0xd8, 0x4c, 0xe6,
2354 0xc8, 0xb2, 0xe3, 0x82, 0x52, 0x4a, 0xc4, 0xcf, 0x59, 0x9f,
2355 },
2356 32, "Sectigo 'Tiger2027h1'" },
2357 { (const uint8_t[]){
2358 0x03, 0x80, 0x2a, 0xc2, 0x62, 0xf6, 0xe0, 0x5e, 0x03, 0xf8, 0xbc,
2359 0x6f, 0x7b, 0x98, 0x51, 0x32, 0x4f, 0xd7, 0x6a, 0x3d, 0xf5, 0xb7,
2360 0x59, 0x51, 0x75, 0xe2, 0x22, 0xfb, 0x8e, 0x9b, 0xd5, 0xf6,
2361 },
2362 32, "Sectigo 'Tiger2027h2'" },
2363 { (const uint8_t[]){
2364 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2365 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2366 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2367 },
2368 32, "Sectigo 'Dodo' CT log" },
2369 { (const uint8_t[]){
2370 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2371 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2372 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2373 },
2374 32, "Let's Encrypt 'Oak2020' log" },
2375 { (const uint8_t[]){
2376 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2377 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2378 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2379 },
2380 32, "Let's Encrypt 'Oak2021' log" },
2381 { (const uint8_t[]){
2382 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2383 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2384 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2385 },
2386 32, "Let's Encrypt 'Oak2022' log" },
2387 { (const uint8_t[]){
2388 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2389 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2390 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2391 },
2392 32, "Let's Encrypt 'Oak2023' log" },
2393 { (const uint8_t[]){
2394 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2395 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2396 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2397 },
2398 32, "Let's Encrypt 'Oak2024H1' log" },
2399 { (const uint8_t[]){
2400 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2401 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2402 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2403 },
2404 32, "Let's Encrypt 'Oak2024H2' log" },
2405 { (const uint8_t[]){
2406 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2407 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2408 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2409 },
2410 32, "Let's Encrypt 'Oak2025h1'" },
2411 { (const uint8_t[]){
2412 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2413 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2414 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2415 },
2416 32, "Let's Encrypt 'Oak2025h2'" },
2417 { (const uint8_t[]){
2418 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2419 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2420 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2421 },
2422 32, "Let's Encrypt 'Oak2026h1'" },
2423 { (const uint8_t[]){
2424 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2425 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2426 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2427 },
2428 32, "Let's Encrypt 'Oak2026h2'" },
2429 { (const uint8_t[]){
2430 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2431 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2432 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2433 },
2434 32, "Let's Encrypt 'Oak2019' log" },
2435 { (const uint8_t[]){
2436 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2437 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2438 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2439 },
2440 32, "Let's Encrypt 'Testflume2019' log" },
2441 { (const uint8_t[]){
2442 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2443 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2444 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2445 },
2446 32, "Let's Encrypt 'Sapling 2022h2' log" },
2447 { (const uint8_t[]){
2448 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2449 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2450 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2451 },
2452 32, "Let's Encrypt 'Sapling 2023h1' log" },
2453 { (const uint8_t[]){
2454 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2455 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2456 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2457 },
2458 32, "Let's Encrypt 'Testflume2020' log" },
2459 { (const uint8_t[]){
2460 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2461 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2462 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2463 },
2464 32, "Let's Encrypt 'Testflume2021' log" },
2465 { (const uint8_t[]){
2466 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2467 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2468 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2469 },
2470 32, "Let's Encrypt 'Testflume2022' log" },
2471 { (const uint8_t[]){
2472 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2473 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2474 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2475 },
2476 32, "Let's Encrypt 'Testflume2023' log" },
2477 { (const uint8_t[]){
2478 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2479 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2480 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2481 },
2482 32, "Let's Encrypt 'Clicky' log" },
2483 { (const uint8_t[]){
2484 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2485 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2486 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2487 },
2488 32, "Trust Asia Log2020" },
2489 { (const uint8_t[]){
2490 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2491 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2492 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2493 },
2494 32, "Trust Asia CT2021" },
2495 { (const uint8_t[]){
2496 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2497 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2498 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2499 },
2500 32, "Trust Asia Log2021" },
2501 { (const uint8_t[]){
2502 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2503 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2504 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2505 },
2506 32, "Trust Asia Log2022" },
2507 { (const uint8_t[]){
2508 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2509 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2510 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2511 },
2512 32, "Trust Asia Log2023" },
2513 { (const uint8_t[]){
2514 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2515 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2516 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2517 },
2518 32, "Trust Asia Log2024" },
2519 { (const uint8_t[]){
2520 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2521 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2522 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2523 },
2524 32, "Trust Asia Log2024-2" },
2525 { (const uint8_t[]){
2526 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2527 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2528 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2529 },
2530 32, "TrustAsia Log2025a" },
2531 { (const uint8_t[]){
2532 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2533 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2534 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2535 },
2536 32, "TrustAsia Log2025b" },
2537 { (const uint8_t[]){
2538 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2539 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2540 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2541 },
2542 32, "TrustAsia 'log2026a'" },
2543 { (const uint8_t[]){
2544 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2545 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2546 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2547 },
2548 32, "TrustAsia 'log2026b'" },
2549 { (const uint8_t[]){
2550 0xed, 0xda, 0xeb, 0x81, 0x5c, 0x63, 0x21, 0x34, 0x49, 0xb4, 0x7b,
2551 0xe5, 0x07, 0x79, 0x05, 0xab, 0xd0, 0xd9, 0x31, 0x47, 0xc2, 0x7a,
2552 0xc5, 0x14, 0x6b, 0x3b, 0xc5, 0x8e, 0x43, 0xe9, 0xb6, 0xc7,
2553 },
2554 32, "TrustAsia 'HETU2027'" },
2555 { (const uint8_t[]){
2556 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2557 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2558 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2559 },
2560 32, "Trust Asia Log1" },
2561 { (const uint8_t[]){
2562 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2563 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2564 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2565 },
2566 32, "GDCA CT log #1" },
2567 { (const uint8_t[]){
2568 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2569 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2570 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2571 },
2572 32, "GDCA CT log #2" },
2573 { (const uint8_t[]){
2574 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2575 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2576 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2577 },
2578 32, "GDCA Log 1" },
2579 { (const uint8_t[]){
2580 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2581 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2582 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2583 },
2584 32, "GDCA Log 2" },
2585 { (const uint8_t[]){
2586 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2587 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2588 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2589 },
2590 32, "PuChuangSiDa CT log" },
2591 { (const uint8_t[]){
2592 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2593 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2594 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2595 },
2596 32, "Nordu 'flimsy' log" },
2597 { (const uint8_t[]){
2598 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2599 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2600 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2601 },
2602 32, "Nordu 'plausible' log" },
2603 { (const uint8_t[]){
2604 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2605 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2606 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2607 },
2608 32, "SHECA CT log 1" },
2609 { (const uint8_t[]){
2610 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2611 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2612 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2613 },
2614 32, "SHECA CT log 2" },
2615 { (const uint8_t[]){
2616 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2617 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2618 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2619 },
2620 32, "Akamai CT Log" },
2621 { (const uint8_t[]){
2622 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2623 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2624 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2625 },
2626 32, "Alpha CT Log" },
2627 { (const uint8_t[]){
2628 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2629 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2630 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2631 },
2632 32, "Up In The Air 'Behind the Sofa' log" },
2633 { (const uint8_t[]){
2634 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2635 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2636 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2637 },
2638 32, "Qihoo 360 2020" },
2639 { (const uint8_t[]){
2640 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2641 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2642 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2643 },
2644 32, "Qihoo 360 2021" },
2645 { (const uint8_t[]){
2646 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2647 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2648 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2649 },
2650 32, "Qihoo 360 2022" },
2651 { (const uint8_t[]){
2652 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2653 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2654 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2655 },
2656 32, "Qihoo 360 2023" },
2657 { (const uint8_t[]){
2658 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2659 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2660 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2661 },
2662 32, "Qihoo 360 v1 2020" },
2663 { (const uint8_t[]){
2664 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2665 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2666 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2667 },
2668 32, "Qihoo 360 v1 2021" },
2669 { (const uint8_t[]){
2670 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2671 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2672 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2673 },
2674 32, "Qihoo 360 v1 2022" },
2675 { (const uint8_t[]){
2676 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2677 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2678 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2679 },
2680 32, "Qihoo 360 v1 2023" },
2681 { (const uint8_t[]){
2682 0x2e, 0xd6, 0xa4, 0x4d, 0xeb, 0x8f, 0x0c, 0x86, 0x46, 0x67, 0x76,
2683 0x9c, 0x4e, 0xdd, 0x04, 0x1f, 0x84, 0x23, 0x67, 0x55, 0xfa, 0x3a,
2684 0xac, 0xa6, 0x34, 0xd0, 0x93, 0x5d, 0xfc, 0xd5, 0x9a, 0x70,
2685 },
2686 32, "Bogus placeholder log to unbreak misbehaving CT libraries" },
2687 { (const uint8_t[]){
2688 0x39, 0xb9, 0x87, 0x88, 0x28, 0x19, 0x5f, 0x3b, 0x2d, 0x0d, 0x1b,
2689 0x48, 0x14, 0xa3, 0xae, 0x8c, 0x0d, 0x01, 0xfe, 0x48, 0x62, 0x21,
2690 0xdd, 0x69, 0x39, 0x7d, 0x76, 0xf7, 0x85, 0x74, 0x11, 0xc3,
2691 },
2692 32, "Merklemap 'CompactLog' log" },
2693 { (const uint8_t[]){
2694 0xd2, 0xfc, 0x65, 0x2f, 0xa5, 0xf9, 0xb7, 0x38, 0xb8, 0x37, 0x55,
2695 0xfa, 0x5e, 0xb1, 0x5f, 0x0b, 0x45, 0x25, 0x3f, 0x4e, 0x8f, 0xa3,
2696 0xb9, 0xb6, 0x4f, 0xd4, 0xde, 0x56, 0x62, 0xd1, 0x87, 0x08,
2697 },
2698 32, "Bogus RFC6962 log to avoid breaking misbehaving CT libraries" },
2699 { NULL((void*)0), 0, NULL((void*)0) }
2700};
2701
2702/*
2703 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2704 */
2705static dissector_table_t ssl_alpn_dissector_table;
2706static dissector_table_t dtls_alpn_dissector_table;
2707
2708/*
2709 * Special cases for prefix matching of the ALPN, if the ALPN includes
2710 * a version number for a draft or protocol revision.
2711 */
2712typedef struct ssl_alpn_prefix_match_protocol {
2713 const char *proto_prefix;
2714 const char *dissector_name;
2715} ssl_alpn_prefix_match_protocol_t;
2716
2717static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
2718 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
2719 * already exists 3.1 as of this writing... match the prefix. */
2720 { "spdy/", "spdy" },
2721 /* draft-ietf-httpbis-http2-16 */
2722 { "h2-", "http2" }, /* draft versions */
2723};
2724
2725const value_string compress_certificate_algorithm_vals[] = {
2726 { 1, "zlib" },
2727 { 2, "brotli" },
2728 { 3, "zstd" },
2729 { 0, NULL((void*)0) }
2730};
2731
2732
2733const val64_string quic_transport_parameter_id[] = {
2734 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00, "original_destination_connection_id" },
2735 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01, "max_idle_timeout" },
2736 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02, "stateless_reset_token" },
2737 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03, "max_udp_payload_size" },
2738 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04, "initial_max_data" },
2739 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05, "initial_max_stream_data_bidi_local" },
2740 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06, "initial_max_stream_data_bidi_remote" },
2741 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07, "initial_max_stream_data_uni" },
2742 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09, "initial_max_streams_uni" },
2743 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08, "initial_max_streams_bidi" },
2744 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a, "ack_delay_exponent" },
2745 { SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b, "max_ack_delay" },
2746 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c, "disable_active_migration" },
2747 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d, "preferred_address" },
2748 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e, "active_connection_id_limit" },
2749 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f, "initial_source_connection_id" },
2750 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10, "retry_source_connection_id" },
2751 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20, "max_datagram_frame_size" },
2752 { SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000, "cibir_encoding" },
2753 { SSL_HND_QUIC_TP_LOSS_BITS0x1057, "loss_bits" },
2754 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2, "grease_quic_bit" },
2755 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157, "enable_time_stamp" },
2756 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158, "enable_time_stamp_v2" },
2757 { SSL_HND_QUIC_TP_VERSION_INFORMATION0x11, "version_information" },
2758 { SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db, "version_information_draft" },
2759 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a, "min_ack_delay" },
2760 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129, "google_user_agent" },
2761 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B, "google_key_update_not_yet_supported" },
2762 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752, "google_quic_version" },
2763 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127, "google_initial_rtt" },
2764 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A, "google_support_handshake_done" },
2765 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751, "google_quic_params" },
2766 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128, "google_connection_options" },
2767 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00, "facebook_partial_reliability" },
2768 { SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176, "address_discovery" },
2769 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A, "min_ack_delay (draft-01)" },
2770 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a, "min_ack_delay (draft-05)" },
2771 { SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b, "min_ack_delay" },
2772 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04, "enable_multipath (draft-04)" },
2773 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05, "enable_multipath (draft-05)" },
2774 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06, "enable_multipath (draft-06)" },
2775 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07, "initial_max_paths (draft-07/08)" },
2776 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09, "initial_max_path_id (draft-09/10)" },
2777 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11, "initial_max_path_id (draft-11)" },
2778 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c, "initial_max_path_id (draft-12)" },
2779 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d0d, "initial_max_path_id" },
2780 { 0, NULL((void*)0) }
2781};
2782
2783/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00 */
2784const val64_string quic_address_discovery_vals[] = {
2785 { 0, "The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself" },
2786 { 1, "The node is interested in receiving address observations, but it is not willing to provide address observations" },
2787 { 2, "The node is interested in receiving address observations, and it is willing to provide address observations" },
2788 { 0, NULL((void*)0) }
2789};
2790
2791/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
2792const val64_string quic_enable_time_stamp_v2_vals[] = {
2793 { 1, "I would like to receive TIME_STAMP frames" },
2794 { 2, "I am able to generate TIME_STAMP frames" },
2795 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
2796 { 0, NULL((void*)0) }
2797};
2798
2799/* https://datatracker.ietf.org/doc/draft-ietf-quic-multipath/04/ */
2800const val64_string quic_enable_multipath_vals[] = {
2801 { 0, "don't support multipath" },
2802 { 1, "support multipath as defined in this document" },
2803 { 0, NULL((void*)0) }
2804};
2805
2806/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
2807const value_string tls_hello_ext_ech_clienthello_types[] = {
2808 { 0, "Outer Client Hello" },
2809 { 1, "Inner Client Hello" },
2810 { 0, NULL((void*)0) }
2811};
2812
2813/* RFC 9180 */
2814const value_string kem_id_type_vals[] = {
2815 { 0x0000, "Reserved" },
2816 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
2817 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
2818 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
2819 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
2820 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
2821 { 0, NULL((void*)0) }
2822};
2823const value_string kdf_id_type_vals[] = {
2824 { 0x0000, "Reserved" },
2825 { 0x0001, "HKDF-SHA256" },
2826 { 0x0002, "HKDF-SHA384" },
2827 { 0x0003, "HKDF-SHA512" },
2828 { 0, NULL((void*)0) }
2829};
2830const value_string aead_id_type_vals[] = {
2831 { 0x0000, "Reserved" },
2832 { 0x0001, "AES-128-GCM" },
2833 { 0x0002, "AES-256-GCM" },
2834 { 0x0003, "ChaCha20Poly1305" },
2835 { 0xFFFF, "Export-only" },
2836 { 0, NULL((void*)0) }
2837};
2838
2839const value_string token_binding_key_parameter_vals[] = {
2840 { 0, "rsa2048_pkcs1.5" },
2841 { 1, "rsa2048_pss" },
2842 { 2, "ecdsap256" },
2843 { 0, NULL((void*)0) }
2844};
2845
2846/* Lookup tables }}} */
2847
2848void
2849quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
2850{
2851 const char *label;
2852 if (IS_GREASE_QUIC(parameter_id)((parameter_id) > 27 ? ((((parameter_id) - 27) % 31) == 0)
: 0)) {
2853 label = "GREASE";
2854 } else {
2855 label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");
2856 }
2857 snprintf(result, ITEM_LABEL_LENGTH240, "%s (0x%02" PRIx64"l" "x" ")", label, parameter_id);
2858}
2859
2860/* we keep this internal to packet-tls-utils, as there should be
2861 no need to access it any other way.
2862
2863 This also allows us to hide the dependency on zlib.
2864*/
2865struct _SslDecompress {
2866 int compression;
2867#ifdef USE_ZLIB_OR_ZLIBNG
2868 zlib_stream istream;
2869#endif
2870};
2871
2872/* To assist in parsing client/server key exchange messages
2873 0 indicates unknown */
2874int ssl_get_keyex_alg(int cipher)
2875{
2876 /* Map Cipher suite number to Key Exchange algorithm {{{ */
2877 switch(cipher) {
2878 case 0x0017:
2879 case 0x0018:
2880 case 0x0019:
2881 case 0x001a:
2882 case 0x001b:
2883 case 0x0034:
2884 case 0x003a:
2885 case 0x0046:
2886 case 0x006c:
2887 case 0x006d:
2888 case 0x0089:
2889 case 0x009b:
2890 case 0x00a6:
2891 case 0x00a7:
2892 case 0x00bf:
2893 case 0x00c5:
2894 case 0xc084:
2895 case 0xc085:
2896 return KEX_DH_ANON0x13;
2897 case 0x000b:
2898 case 0x000c:
2899 case 0x000d:
2900 case 0x0030:
2901 case 0x0036:
2902 case 0x003e:
2903 case 0x0042:
2904 case 0x0068:
2905 case 0x0085:
2906 case 0x0097:
2907 case 0x00a4:
2908 case 0x00a5:
2909 case 0x00bb:
2910 case 0x00c1:
2911 case 0xc082:
2912 case 0xc083:
2913 return KEX_DH_DSS0x14;
2914 case 0x000e:
2915 case 0x000f:
2916 case 0x0010:
2917 case 0x0031:
2918 case 0x0037:
2919 case 0x003f:
2920 case 0x0043:
2921 case 0x0069:
2922 case 0x0086:
2923 case 0x0098:
2924 case 0x00a0:
2925 case 0x00a1:
2926 case 0x00bc:
2927 case 0x00c2:
2928 case 0xc07e:
2929 case 0xc07f:
2930 return KEX_DH_RSA0x15;
2931 case 0x0011:
2932 case 0x0012:
2933 case 0x0013:
2934 case 0x0032:
2935 case 0x0038:
2936 case 0x0040:
2937 case 0x0044:
2938 case 0x0063:
2939 case 0x0065:
2940 case 0x0066:
2941 case 0x006a:
2942 case 0x0087:
2943 case 0x0099:
2944 case 0x00a2:
2945 case 0x00a3:
2946 case 0x00bd:
2947 case 0x00c3:
2948 case 0xc080:
2949 case 0xc081:
2950 return KEX_DHE_DSS0x10;
2951 case 0x002d:
2952 case 0x008e:
2953 case 0x008f:
2954 case 0x0090:
2955 case 0x0091:
2956 case 0x00aa:
2957 case 0x00ab:
2958 case 0x00b2:
2959 case 0x00b3:
2960 case 0x00b4:
2961 case 0x00b5:
2962 case 0xc090:
2963 case 0xc091:
2964 case 0xc096:
2965 case 0xc097:
2966 case 0xc0a6:
2967 case 0xc0a7:
2968 case 0xc0aa:
2969 case 0xc0ab:
2970 case 0xccad:
2971 case 0xe41c:
2972 case 0xe41d:
2973 return KEX_DHE_PSK0x11;
2974 case 0x0014:
2975 case 0x0015:
2976 case 0x0016:
2977 case 0x0033:
2978 case 0x0039:
2979 case 0x0045:
2980 case 0x0067:
2981 case 0x006b:
2982 case 0x0088:
2983 case 0x009a:
2984 case 0x009e:
2985 case 0x009f:
2986 case 0x00be:
2987 case 0x00c4:
2988 case 0xc07c:
2989 case 0xc07d:
2990 case 0xc09e:
2991 case 0xc09f:
2992 case 0xc0a2:
2993 case 0xc0a3:
2994 case 0xccaa:
2995 case 0xe41e:
2996 case 0xe41f:
2997 return KEX_DHE_RSA0x12;
2998 case 0xc015:
2999 case 0xc016:
3000 case 0xc017:
3001 case 0xc018:
3002 case 0xc019:
3003 return KEX_ECDH_ANON0x19;
3004 case 0xc001:
3005 case 0xc002:
3006 case 0xc003:
3007 case 0xc004:
3008 case 0xc005:
3009 case 0xc025:
3010 case 0xc026:
3011 case 0xc02d:
3012 case 0xc02e:
3013 case 0xc074:
3014 case 0xc075:
3015 case 0xc088:
3016 case 0xc089:
3017 return KEX_ECDH_ECDSA0x1a;
3018 case 0xc00b:
3019 case 0xc00c:
3020 case 0xc00d:
3021 case 0xc00e:
3022 case 0xc00f:
3023 case 0xc029:
3024 case 0xc02a:
3025 case 0xc031:
3026 case 0xc032:
3027 case 0xc078:
3028 case 0xc079:
3029 case 0xc08c:
3030 case 0xc08d:
3031 return KEX_ECDH_RSA0x1b;
3032 case 0xc006:
3033 case 0xc007:
3034 case 0xc008:
3035 case 0xc009:
3036 case 0xc00a:
3037 case 0xc023:
3038 case 0xc024:
3039 case 0xc02b:
3040 case 0xc02c:
3041 case 0xc072:
3042 case 0xc073:
3043 case 0xc086:
3044 case 0xc087:
3045 case 0xc0ac:
3046 case 0xc0ad:
3047 case 0xc0ae:
3048 case 0xc0af:
3049 case 0xcca9:
3050 case 0xe414:
3051 case 0xe415:
3052 return KEX_ECDHE_ECDSA0x16;
3053 case 0xc033:
3054 case 0xc034:
3055 case 0xc035:
3056 case 0xc036:
3057 case 0xc037:
3058 case 0xc038:
3059 case 0xc039:
3060 case 0xc03a:
3061 case 0xc03b:
3062 case 0xc09a:
3063 case 0xc09b:
3064 case 0xccac:
3065 case 0xe418:
3066 case 0xe419:
3067 case 0xd001:
3068 case 0xd002:
3069 case 0xd003:
3070 case 0xd005:
3071 return KEX_ECDHE_PSK0x17;
3072 case 0xc010:
3073 case 0xc011:
3074 case 0xc012:
3075 case 0xc013:
3076 case 0xc014:
3077 case 0xc027:
3078 case 0xc028:
3079 case 0xc02f:
3080 case 0xc030:
3081 case 0xc076:
3082 case 0xc077:
3083 case 0xc08a:
3084 case 0xc08b:
3085 case 0xcca8:
3086 case 0xe412:
3087 case 0xe413:
3088 return KEX_ECDHE_RSA0x18;
3089 case 0x001e:
3090 case 0x001f:
3091 case 0x0020:
3092 case 0x0021:
3093 case 0x0022:
3094 case 0x0023:
3095 case 0x0024:
3096 case 0x0025:
3097 case 0x0026:
3098 case 0x0027:
3099 case 0x0028:
3100 case 0x0029:
3101 case 0x002a:
3102 case 0x002b:
3103 return KEX_KRB50x1c;
3104 case 0x002c:
3105 case 0x008a:
3106 case 0x008b:
3107 case 0x008c:
3108 case 0x008d:
3109 case 0x00a8:
3110 case 0x00a9:
3111 case 0x00ae:
3112 case 0x00af:
3113 case 0x00b0:
3114 case 0x00b1:
3115 case 0xc064:
3116 case 0xc065:
3117 case 0xc08e:
3118 case 0xc08f:
3119 case 0xc094:
3120 case 0xc095:
3121 case 0xc0a4:
3122 case 0xc0a5:
3123 case 0xc0a8:
3124 case 0xc0a9:
3125 case 0xccab:
3126 case 0xe416:
3127 case 0xe417:
3128 return KEX_PSK0x1d;
3129 case 0x0001:
3130 case 0x0002:
3131 case 0x0003:
3132 case 0x0004:
3133 case 0x0005:
3134 case 0x0006:
3135 case 0x0007:
3136 case 0x0008:
3137 case 0x0009:
3138 case 0x000a:
3139 case 0x002f:
3140 case 0x0035:
3141 case 0x003b:
3142 case 0x003c:
3143 case 0x003d:
3144 case 0x0041:
3145 case 0x0060:
3146 case 0x0061:
3147 case 0x0062:
3148 case 0x0064:
3149 case 0x0084:
3150 case 0x0096:
3151 case 0x009c:
3152 case 0x009d:
3153 case 0x00ba:
3154 case 0x00c0:
3155 case 0xc07a:
3156 case 0xc07b:
3157 case 0xc09c:
3158 case 0xc09d:
3159 case 0xc0a0:
3160 case 0xc0a1:
3161 case 0xe410:
3162 case 0xe411:
3163 case 0xfefe:
3164 case 0xfeff:
3165 case 0xffe0:
3166 case 0xffe1:
3167 return KEX_RSA0x1e;
3168 case 0x002e:
3169 case 0x0092:
3170 case 0x0093:
3171 case 0x0094:
3172 case 0x0095:
3173 case 0x00ac:
3174 case 0x00ad:
3175 case 0x00b6:
3176 case 0x00b7:
3177 case 0x00b8:
3178 case 0x00b9:
3179 case 0xc092:
3180 case 0xc093:
3181 case 0xc098:
3182 case 0xc099:
3183 case 0xccae:
3184 case 0xe41a:
3185 case 0xe41b:
3186 return KEX_RSA_PSK0x1f;
3187 case 0xc01a:
3188 case 0xc01d:
3189 case 0xc020:
3190 return KEX_SRP_SHA0x20;
3191 case 0xc01c:
3192 case 0xc01f:
3193 case 0xc022:
3194 return KEX_SRP_SHA_DSS0x21;
3195 case 0xc01b:
3196 case 0xc01e:
3197 case 0xc021:
3198 return KEX_SRP_SHA_RSA0x22;
3199 case 0xc0ff:
3200 return KEX_ECJPAKE0x24;
3201 case 0xe003:
3202 case 0xe013:
3203 case 0xe053:
3204 return KEX_ECC_SM20x26;
3205 default:
3206 break;
3207 }
3208
3209 return 0;
3210 /* }}} */
3211}
3212
3213static wmem_list_t *connection_id_session_list;
3214
3215void
3216ssl_init_cid_list(void) {
3217 connection_id_session_list = wmem_list_new(wmem_file_scope());
3218}
3219
3220void
3221ssl_cleanup_cid_list(void) {
3222 wmem_destroy_list(connection_id_session_list);
3223}
3224
3225void
3226ssl_add_session_by_cid(SslDecryptSession *session)
3227{
3228 wmem_list_append(connection_id_session_list, session);
3229}
3230
3231SslDecryptSession *
3232ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
3233{
3234 SslDecryptSession * ssl_cid = NULL((void*)0);
3235 wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);
3236
3237 while (it != NULL((void*)0) && ssl_cid == NULL((void*)0)) {
3238 SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);
3239 DISSECTOR_ASSERT(ssl != NULL)((void) ((ssl != ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3239, "ssl != ((void*)0)"))));
3240 SslSession *session = &ssl->session;
3241
3242 if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {
3243 if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
3244 ssl_cid = ssl;
3245 }
3246 }
3247
3248 if (session->server_cid_len > 0) {
3249 if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
3250 ssl_cid = ssl;
3251 }
3252 }
3253
3254 it = wmem_list_frame_next(it);
3255 }
3256
3257 return ssl_cid;
3258}
3259
3260/* StringInfo structure (len + data) functions {{{ */
3261
3262int
3263ssl_data_alloc(StringInfo* str, size_t len)
3264{
3265 str->data = (unsigned char *)g_malloc(len);
22
Memory is allocated
3266 /* the allocator can return a null pointer for a size equal to 0,
3267 * and that must be allowed */
3268 if (len
22.1
'len' is > 0
 > 0 && !str->data)
23
Assuming field 'data' is non-null
24
Taking false branch
3269 return -1;
3270 str->data_len = (unsigned) len;
3271 return 0;
3272}
3273
3274void
3275ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
3276{
3277 DISSECTOR_ASSERT(data)((void) ((data) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 3277, "data"))));
3278 memcpy(str->data, data, len);
3279 str->data_len = len;
3280}
3281
3282static int
3283ssl_data_realloc(StringInfo* str, unsigned len)
3284{
3285 str->data = (unsigned char *)g_realloc(str->data, len);
3286 if (!str->data)
3287 return -1;
3288 str->data_len = len;
3289 return 0;
3290}
3291
3292static StringInfo *
3293ssl_data_clone(StringInfo *str)
3294{
3295 StringInfo *cloned_str;
3296 cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
3297 sizeof(StringInfo) + str->data_len);
3298 cloned_str->data = (unsigned char *) (cloned_str + 1);
3299 ssl_data_set(cloned_str, str->data, str->data_len);
3300 return cloned_str;
3301}
3302
3303static int
3304ssl_data_copy(StringInfo* dst, StringInfo* src)
3305{
3306 if (dst->data_len < src->data_len) {
3307 if (ssl_data_realloc(dst, src->data_len))
3308 return -1;
3309 }
3310 memcpy(dst->data, src->data, src->data_len);
3311 dst->data_len = src->data_len;
3312 return 0;
3313}
3314
3315/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
3316 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
3317 * success. */
3318static bool_Bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
3319 size_t i;
3320
3321 if (hex_len & 1)
3322 return false0;
3323
3324 out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);
3325 for (i = 0; i < hex_len / 2; i++) {
3326 int a = ws_xton(in[i*2]);
3327 int b = ws_xton(in[i*2 + 1]);
3328 if (a == -1 || b == -1)
3329 return false0;
3330 out->data[i] = a << 4 | b;
3331 }
3332 out->data_len = (unsigned)hex_len / 2;
3333 return true1;
3334}
3335/* StringInfo structure (len + data) functions }}} */
3336
3337
3338/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3339/* hmac abstraction layer */
3340#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
3341
3342static inline int
3343ssl_hmac_init(SSL_HMACgcry_md_hd_t* md, int algo)
3344{
3345 gcry_error_t err;
3346 const char *err_str, *err_src;
3347
3348 err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);
3349 if (err != 0) {
3350 err_str = gcry_strerror(err);
3351 err_src = gcry_strsource(err);
3352 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);
3353 return -1;
3354 }
3355 return 0;
3356}
3357
3358static inline int
3359ssl_hmac_setkey(SSL_HMACgcry_md_hd_t* md, const void * key, int len)
3360{
3361 gcry_error_t err;
3362 const char *err_str, *err_src;
3363
3364 err = gcry_md_setkey (*(md), key, len);
3365 if (err != 0) {
3366 err_str = gcry_strerror(err);
3367 err_src = gcry_strsource(err);
3368 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);
3369 return -1;
3370 }
3371 return 0;
3372}
3373
3374static inline int
3375ssl_hmac_reset(SSL_HMACgcry_md_hd_t* md)
3376{
3377 gcry_md_reset(*md);
3378 return 0;
3379}
3380
3381static inline void
3382ssl_hmac_update(SSL_HMACgcry_md_hd_t* md, const void* data, int len)
3383{
3384 gcry_md_write(*(md), data, len);
3385}
3386static inline void
3387ssl_hmac_final(SSL_HMACgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3388{
3389 int algo;
3390 unsigned len;
3391
3392 algo = gcry_md_get_algo (*(md));
3393 len = gcry_md_get_algo_dlen(algo);
3394 DISSECTOR_ASSERT(len <= *datalen)((void) ((len <= *datalen) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3394, "len <= *datalen"))));
3395 memcpy(data, gcry_md_read(*(md), algo), len);
3396 *datalen = len;
3397}
3398static inline void
3399ssl_hmac_cleanup(SSL_HMACgcry_md_hd_t* md)
3400{
3401 gcry_md_close(*(md));
3402}
3403
3404/* message digest abstraction layer*/
3405#define SSL_MDgcry_md_hd_t gcry_md_hd_t
3406
3407static inline int
3408ssl_md_init(SSL_MDgcry_md_hd_t* md, int algo)
3409{
3410 gcry_error_t err;
3411 const char *err_str, *err_src;
3412 err = gcry_md_open(md,algo, 0);
3413 if (err != 0) {
3414 err_str = gcry_strerror(err);
3415 err_src = gcry_strsource(err);
3416 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);
3417 return -1;
3418 }
3419 return 0;
3420}
3421static inline void
3422ssl_md_update(SSL_MDgcry_md_hd_t* md, unsigned char* data, int len)
3423{
3424 gcry_md_write(*(md), data, len);
3425}
3426static inline void
3427ssl_md_final(SSL_MDgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3428{
3429 int algo;
3430 int len;
3431 algo = gcry_md_get_algo (*(md));
3432 len = gcry_md_get_algo_dlen (algo);
3433 memcpy(data, gcry_md_read(*(md), algo), len);
3434 *datalen = len;
3435}
3436static inline void
3437ssl_md_cleanup(SSL_MDgcry_md_hd_t* md)
3438{
3439 gcry_md_close(*(md));
3440}
3441
3442static inline void
3443ssl_md_reset(SSL_MDgcry_md_hd_t* md)
3444{
3445 gcry_md_reset(*md);
3446}
3447
3448/* md5 /sha abstraction layer */
3449#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3450#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
3451
3452static inline int
3453ssl_sha_init(SSL_SHA_CTXgcry_md_hd_t* md)
3454{
3455 gcry_error_t err;
3456 const char *err_str, *err_src;
3457 err = gcry_md_open(md, GCRY_MD_SHA1, 0);
3458 if (err != 0) {
3459 err_str = gcry_strerror(err);
3460 err_src = gcry_strsource(err);
3461 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);
3462 return -1;
3463 }
3464 return 0;
3465}
3466static inline void
3467ssl_sha_update(SSL_SHA_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3468{
3469 gcry_md_write(*(md), data, len);
3470}
3471static inline void
3472ssl_sha_final(unsigned char* buf, SSL_SHA_CTXgcry_md_hd_t* md)
3473{
3474 memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),
3475 gcry_md_get_algo_dlen(GCRY_MD_SHA1));
3476}
3477
3478static inline void
3479ssl_sha_reset(SSL_SHA_CTXgcry_md_hd_t* md)
3480{
3481 gcry_md_reset(*md);
3482}
3483
3484static inline void
3485ssl_sha_cleanup(SSL_SHA_CTXgcry_md_hd_t* md)
3486{
3487 gcry_md_close(*(md));
3488}
3489
3490static inline int
3491ssl_md5_init(SSL_MD5_CTXgcry_md_hd_t* md)
3492{
3493 gcry_error_t err;
3494 const char *err_str, *err_src;
3495 err = gcry_md_open(md,GCRY_MD_MD5, 0);
3496 if (err != 0) {
3497 err_str = gcry_strerror(err);
3498 err_src = gcry_strsource(err);
3499 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);
3500 return -1;
3501 }
3502 return 0;
3503}
3504static inline void
3505ssl_md5_update(SSL_MD5_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3506{
3507 gcry_md_write(*(md), data, len);
3508}
3509static inline void
3510ssl_md5_final(unsigned char* buf, SSL_MD5_CTXgcry_md_hd_t* md)
3511{
3512 memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),
3513 gcry_md_get_algo_dlen(GCRY_MD_MD5));
3514}
3515
3516static inline void
3517ssl_md5_reset(SSL_MD5_CTXgcry_md_hd_t* md)
3518{
3519 gcry_md_reset(*md);
3520}
3521
3522static inline void
3523ssl_md5_cleanup(SSL_MD5_CTXgcry_md_hd_t* md)
3524{
3525 gcry_md_close(*(md));
3526}
3527/* libgcrypt wrappers for HMAC/message digest operations }}} */
3528
3529/* libgcrypt wrappers for Cipher state manipulation {{{ */
3530int
3531ssl_cipher_setiv(SSL_CIPHER_CTXgcry_cipher_hd_t *cipher, unsigned char* iv, int iv_len)
3532{
3533 int ret;
3534#if 0
3535 unsigned char *ivp;
3536 int i;
3537 gcry_cipher_hd_t c;
3538 c=(gcry_cipher_hd_t)*cipher;
3539#endif
3540 ssl_debug_printf("--------------------------------------------------------------------");
3541#if 0
3542 for(ivp=c->iv,i=0; i < iv_len; i++ )
3543 {
3544 ssl_debug_printf("%d ",ivp[i]);
3545 i++;
3546 }
3547#endif
3548 ssl_debug_printf("--------------------------------------------------------------------");
3549 ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
3550#if 0
3551 for(ivp=c->iv,i=0; i < iv_len; i++ )
3552 {
3553 ssl_debug_printf("%d ",ivp[i]);
3554 i++;
3555 }
3556#endif
3557 ssl_debug_printf("--------------------------------------------------------------------");
3558 return ret;
3559}
3560/* stream cipher abstraction layer*/
3561static int
3562ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
3563 unsigned char* iv, int mode)
3564{
3565 int gcry_modes[] = {
3566 GCRY_CIPHER_MODE_STREAM,
3567 GCRY_CIPHER_MODE_CBC,
3568 GCRY_CIPHER_MODE_GCM,
3569 GCRY_CIPHER_MODE_CCM,
3570 GCRY_CIPHER_MODE_CCM,
3571 GCRY_CIPHER_MODE_POLY1305,
3572 GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
3573 };
3574 int err;
3575 if (algo == -1) {
3576 /* NULL mode */
3577 *(cipher) = (gcry_cipher_hd_t)-1;
3578 return 0;
3579 }
3580 err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
3581 if (err !=0)
3582 return -1;
3583 err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
3584 if (err != 0)
3585 return -1;
3586 /* AEAD cipher suites will set the nonce later. */
3587 if (mode == MODE_CBC) {
3588 err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
3589 if (err != 0)
3590 return -1;
3591 }
3592 return 0;
3593}
3594static inline int
3595ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
3596 const unsigned char * in, int inl)
3597{
3598 if ((*cipher) == (gcry_cipher_hd_t)-1)
3599 {
3600 if (in && inl)
3601 memcpy(out, in, outl < inl ? outl : inl);
3602 return 0;
3603 }
3604 return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
3605}
3606static inline int
3607ssl_get_digest_by_name(const char*name)
3608{
3609 return gcry_md_map_name(name);
3610}
3611static inline int
3612ssl_get_cipher_by_name(const char* name)
3613{
3614 return gcry_cipher_map_name(name);
3615}
3616
3617static inline void
3618ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
3619{
3620 if ((*cipher) != (gcry_cipher_hd_t)-1)
3621 gcry_cipher_close(*cipher);
3622 *cipher = NULL((void*)0);
3623}
3624/* }}} */
3625
3626/* Digests, Ciphers and Cipher Suites registry {{{ */
3627static const SslDigestAlgo digests[]={
3628 {"MD5", 16},
3629 {"SHA1", 20},
3630 {"SHA256", 32},
3631 {"SHA384", 48},
3632 {"SM3", 32},
3633 {"Not Applicable", 0},
3634};
3635
3636#define DIGEST_MAX_SIZE48 48
3637
3638/* get index digest index */
3639static const SslDigestAlgo *
3640ssl_cipher_suite_dig(const SslCipherSuite *cs) {
3641 if (!cs || cs->dig < DIG_MD50x40 || cs->dig > DIG_NA0x45) {
3642 return &digests[DIG_NA0x45 - DIG_MD50x40];
3643 }
3644 return &digests[cs->dig - DIG_MD50x40];
3645}
3646
3647static const char *ciphers[]={
3648 "DES",
3649 "3DES",
3650 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
3651 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
3652 "IDEA",
3653 "AES",
3654 "AES256",
3655 "CAMELLIA128",
3656 "CAMELLIA256",
3657 "SEED",
3658 "CHACHA20", /* since Libgcrypt 1.7.0 */
3659 "SM1",
3660 "SM4",
3661 "*UNKNOWN*"
3662};
3663
3664static const SslCipherSuite cipher_suites[]={
3665 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3666 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3667 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3668 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3669 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3670 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3671 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3672 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3673 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3674 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3675 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3676 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3677 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3678 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3679 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3680 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3681 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3682 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3683 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3684 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3685 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3686 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3687 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3688 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3689 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3690 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3691 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3692 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3693 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3694 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3695 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3696 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3697 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3698 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3699 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3700 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3701 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3702 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3703 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3704 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3705 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3706 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3707 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3708 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3709 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3710 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3711 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3712 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3713 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3714 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3715 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3716 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3717 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3718 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3719 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3720 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3721 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3722 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3723 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3724 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3725 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3726 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3727 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3728 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3729 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3730 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3731 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3732 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3733 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3734 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3735 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3736 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3737 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3738 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3739 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3740 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3741 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3742 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3743 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3744 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3745 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3746 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3747 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3748 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3749 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3750 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3751 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3752 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3753 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3754 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3755 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3756 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3757 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3758 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3759 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3760 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3761 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3762 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3763 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3764 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3765 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3766 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3767 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3768 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3769 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3770 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3771 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3772 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3773 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3774 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3775 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3776 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3777 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3778 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3779 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3780 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3781 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3782 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3783 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3784 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3785 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3786 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3787 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3788 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3789 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3790 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3791 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3792 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3793 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3794 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3795 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3796 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3797 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3798 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3799
3800 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3801 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3802 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3803 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3804 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3805 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3806 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3807
3808 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3809 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3810 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3811 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3812 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3813 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3814 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3815 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3816 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3817 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3818 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3819 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3820 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3821 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3822 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3823 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3824 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3825 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3826 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3827 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3828 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3829 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3830 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3831 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3832 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3833 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3834 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3835 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3836 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3837 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3838 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3839 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3840 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3841 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3842 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3843 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3844 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3845 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3846 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3847 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3848 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3849 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3850 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3851 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3852 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3853 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3854 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3855 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3856 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3857 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3858 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3859 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3860 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3861 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3862 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3863 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3864 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3865 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3866 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3867 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3868 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3869 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3870 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3871 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3872 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3873 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3874 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3875 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3876 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3877 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3878 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3879 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3880 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3881 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3882 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3883 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3884 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3885 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3886 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3887 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3888 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3889 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3890 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3891 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3892 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3893 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3894 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3895 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3896 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3897 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3898 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3899 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3900 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3901 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3902 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3903 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3904 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3905 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3906 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3907 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3908 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3909 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3910 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3911 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3912 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3913 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3914 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3915 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3916 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3917 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3918 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3919 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3920 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3921 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3922 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3923 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3924 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3925 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3926 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3927 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3928 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3929 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3930 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3931 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3932 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3933 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3934 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3935 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3936 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3937 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3938 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3939 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3940 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3941 /* GM */
3942 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3943 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3944 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3945 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3946 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3947 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3948 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3949 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3950 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3951 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3952 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3953 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3954 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3955 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3956 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3957 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3958 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3959 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3960 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3961 {-1, 0, 0, 0, MODE_STREAM}
3962};
3963
3964#define MAX_BLOCK_SIZE16 16
3965#define MAX_KEY_SIZE32 32
3966
3967const SslCipherSuite *
3968ssl_find_cipher(int num)
3969{
3970 const SslCipherSuite *c;
3971 for(c=cipher_suites;c->number!=-1;c++){
3972 if(c->number==num){
3973 return c;
3974 }
3975 }
3976
3977 return NULL((void*)0);
3978}
3979
3980int
3981ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
3982{
3983 return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3984}
3985
3986unsigned
3987ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
3988{
3989 int cipher_algo;
3990 if (cipher_suite->mode != MODE_CBC) return 0;
3991 cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3992 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
3993}
3994
3995static unsigned
3996ssl_get_cipher_export_keymat_size(int cipher_suite_num)
3997{
3998 switch (cipher_suite_num) {
3999 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
4000 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
4001 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
4002 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
4003 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
4004 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
4005 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
4006 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
4007 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
4008 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
4009 return 5;
4010
4011 /* not defined in below draft, but "implemented by several vendors",
4012 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
4013 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
4014 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
4015 return 7;
4016
4017 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
4018 * used 7. Until a pcap proves 8, let's use the old value. Link:
4019 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
4020 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
4021 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
4022 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
4023 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
4024 return 7;
4025
4026 default:
4027 return 0;
4028 }
4029}
4030
4031/* Digests, Ciphers and Cipher Suites registry }}} */
4032
4033
4034/* HMAC and the Pseudorandom function {{{ */
4035static int
4036tls_hash(StringInfo *secret, StringInfo *seed, int md,
4037 StringInfo *out, unsigned out_len)
4038{
4039 /* RFC 2246 5. HMAC and the pseudorandom function
4040 * '+' denotes concatenation.
4041 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
4042 * HMAC_hash(secret, A(2) + seed) + ...
4043 * A(0) = seed
4044 * A(i) = HMAC_hash(secret, A(i - 1))
4045 */
4046 uint8_t *ptr;
4047 unsigned left, tocpy;
4048 uint8_t *A;
4049 uint8_t _A[DIGEST_MAX_SIZE48], tmp[DIGEST_MAX_SIZE48];
4050 unsigned A_l, tmp_l;
4051 SSL_HMACgcry_md_hd_t hm;
4052
4053 ptr = out->data;
4054 left = out_len;
4055
4056 ssl_print_string("tls_hash: hash secret", secret);
4057 ssl_print_string("tls_hash: hash seed", seed);
4058 /* A(0) = seed */
4059 A = seed->data;
4060 A_l = seed->data_len;
4061
4062 if (ssl_hmac_init(&hm, md) != 0) {
4063 return -1;
4064 }
4065 while (left) {
4066 /* A(i) = HMAC_hash(secret, A(i-1)) */
4067 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4068 ssl_hmac_update(&hm, A, A_l);
4069 A_l = sizeof(_A); /* upper bound len for hash output */
4070 ssl_hmac_final(&hm, _A, &A_l);
4071 A = _A;
4072
4073 /* HMAC_hash(secret, A(i) + seed) */
4074 ssl_hmac_reset(&hm);
4075 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4076 ssl_hmac_update(&hm, A, A_l);
4077 ssl_hmac_update(&hm, seed->data, seed->data_len);
4078 tmp_l = sizeof(tmp); /* upper bound len for hash output */
4079 ssl_hmac_final(&hm, tmp, &tmp_l);
4080 ssl_hmac_reset(&hm);
4081
4082 /* ssl_hmac_final puts the actual digest output size in tmp_l */
4083 tocpy = MIN(left, tmp_l)(((left) < (tmp_l)) ? (left) : (tmp_l));
4084 memcpy(ptr, tmp, tocpy);
4085 ptr += tocpy;
4086 left -= tocpy;
4087 }
4088 ssl_hmac_cleanup(&hm);
4089 out->data_len = out_len;
4090
4091 ssl_print_string("hash out", out);
4092 return 0;
4093}
4094
4095static bool_Bool
4096tls_prf(StringInfo* secret, const char *usage,
4097 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4098{
4099 StringInfo seed, sha_out, md5_out;
4100 uint8_t *ptr;
4101 StringInfo s1, s2;
4102 unsigned i,s_l;
4103 size_t usage_len, rnd2_len;
4104 bool_Bool success = false0;
4105 usage_len = strlen(usage);
4106 rnd2_len = rnd2 ? rnd2->data_len : 0;
4107
4108 /* initialize buffer for sha, md5 random seed*/
4109 if (ssl_data_alloc(&sha_out, MAX(out_len, 20)(((out_len) > (20)) ? (out_len) : (20))) < 0) {
4110 ssl_debug_printf("tls_prf: can't allocate sha out\n");
4111 return false0;
4112 }
4113 if (ssl_data_alloc(&md5_out, MAX(out_len, 16)(((out_len) > (16)) ? (out_len) : (16))) < 0) {
4114 ssl_debug_printf("tls_prf: can't allocate md5 out\n");
4115 goto free_sha;
4116 }
4117 if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4118 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
4119 (int) (usage_len+rnd1->data_len+rnd2_len));
4120 goto free_md5;
4121 }
4122
4123 ptr=seed.data;
4124 memcpy(ptr,usage,usage_len);
4125 ptr+=usage_len;
4126 memcpy(ptr,rnd1->data,rnd1->data_len);
4127 if (rnd2_len > 0) {
4128 ptr+=rnd1->data_len;
4129 memcpy(ptr,rnd2->data,rnd2->data_len);
4130 /*ptr+=rnd2->data_len;*/
4131 }
4132
4133 /* initialize buffer for client/server seeds*/
4134 s_l=secret->data_len/2 + secret->data_len%2;
4135 if (ssl_data_alloc(&s1, s_l) < 0) {
4136 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);
4137 goto free_seed;
4138 }
4139 if (ssl_data_alloc(&s2, s_l) < 0) {
4140 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);
4141 goto free_s1;
4142 }
4143
4144 memcpy(s1.data,secret->data,s_l);
4145 memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);
4146
4147 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
4148 if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
4149 goto free_s2;
4150 ssl_debug_printf("tls_prf: tls_hash(sha)\n");
4151 if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
4152 goto free_s2;
4153
4154 for (i = 0; i < out_len; i++)
4155 out->data[i] = md5_out.data[i] ^ sha_out.data[i];
4156 /* success, now store the new meaningful data length */
4157 out->data_len = out_len;
4158 success = true1;
4159
4160 ssl_print_string("PRF out",out);
4161free_s2:
4162 g_free(s2.data);
4163free_s1:
4164 g_free(s1.data);
4165free_seed:
4166 g_free(seed.data);
4167free_md5:
4168 g_free(md5_out.data);
4169free_sha:
4170 g_free(sha_out.data);
4171 return success;
4172}
4173
4174static bool_Bool
4175tls12_prf(int md, StringInfo* secret, const char* usage,
4176 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4177{
4178 StringInfo label_seed;
4179 int success;
4180 size_t usage_len, rnd2_len;
4181 rnd2_len = rnd2 ? rnd2->data_len : 0;
4182
4183 usage_len = strlen(usage);
4184 if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4185 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
4186 return false0;
4187 }
4188 memcpy(label_seed.data, usage, usage_len);
4189 memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);
4190 if (rnd2_len > 0)
4191 memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);
4192
4193 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
4194 success = tls_hash(secret, &label_seed, md, out, out_len);
4195 g_free(label_seed.data);
4196 if(success != -1){
4197 ssl_print_string("PRF out", out);
4198 return true1;
4199 }
4200 return false0;
4201}
4202
4203static bool_Bool
4204ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
4205 StringInfo *out, unsigned out_len)
4206{
4207 SSL_MD5_CTXgcry_md_hd_t md5;
4208 uint8_t tmp[16];
4209
4210 if (ssl_md5_init(&md5) != 0) {
4211 return false0;
4212 }
4213 ssl_md5_update(&md5,r1->data,r1->data_len);
4214 ssl_md5_update(&md5,r2->data,r2->data_len);
4215 ssl_md5_final(tmp,&md5);
4216 ssl_md5_cleanup(&md5);
4217
4218 DISSECTOR_ASSERT(out_len <= sizeof(tmp))((void) ((out_len <= sizeof(tmp)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4218, "out_len <= sizeof(tmp)"))));
4219 ssl_data_set(out, tmp, out_len);
4220 ssl_print_string("export iv", out);
4221 return true1;
4222}
4223
4224static bool_Bool
4225ssl3_prf(StringInfo* secret, const char* usage,
4226 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4227{
4228 SSL_MD5_CTXgcry_md_hd_t md5;
4229 SSL_SHA_CTXgcry_md_hd_t sha;
4230 unsigned off;
4231 int i = 0,j;
4232 uint8_t buf[20];
4233
4234 if (ssl_sha_init(&sha) != 0) {
4235 return false0;
4236 }
4237 if (ssl_md5_init(&md5) != 0) {
4238 ssl_sha_cleanup(&sha);
4239 return false0;
4240 }
4241 for (off = 0; off < out_len; off += 16) {
4242 unsigned char outbuf[16];
4243 i++;
4244
4245 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);
4246 /* A, BB, CCC, ... */
4247 for(j=0;j<i;j++){
4248 buf[j]=64+i;
4249 }
4250
4251 ssl_sha_update(&sha,buf,i);
4252 ssl_sha_update(&sha,secret->data,secret->data_len);
4253
4254 if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){
4255 if (rnd2)
4256 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4257 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4258 }
4259 else{
4260 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4261 if (rnd2)
4262 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4263 }
4264
4265 ssl_sha_final(buf,&sha);
4266 ssl_sha_reset(&sha);
4267
4268 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,
4269 secret->data_len);
4270 ssl_md5_update(&md5,secret->data,secret->data_len);
4271 ssl_md5_update(&md5,buf,20);
4272 ssl_md5_final(outbuf,&md5);
4273 ssl_md5_reset(&md5);
4274
4275 memcpy(out->data + off, outbuf, MIN(out_len - off, 16)(((out_len - off) < (16)) ? (out_len - off) : (16)));
4276 }
4277 ssl_sha_cleanup(&sha);
4278 ssl_md5_cleanup(&md5);
4279 out->data_len = out_len;
4280
4281 return true1;
4282}
4283
4284/* out_len is the wanted output length for the pseudorandom function.
4285 * Ensure that ssl->cipher_suite is set. */
4286static bool_Bool
4287prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
4288 StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
4289{
4290 switch (ssl->session.version) {
4291 case SSLV3_VERSION0x300:
4292 return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);
4293
4294 case TLSV1_VERSION0x301:
4295 case TLSV1DOT1_VERSION0x302:
4296 case DTLSV1DOT0_VERSION0xfeff:
4297 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4298 return tls_prf(secret, usage, rnd1, rnd2, out, out_len);
4299
4300 default: /* TLSv1.2 */
4301 switch (ssl->cipher_suite->dig) {
4302 case DIG_SM30x44:
4303#if GCRYPT_VERSION_NUMBER0x010a03 >= 0x010900
4304 return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,
4305 out, out_len);
4306#else
4307 return false0;
4308#endif
4309 case DIG_SHA3840x43:
4310 return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,
4311 out, out_len);
4312 default:
4313 return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,
4314 out, out_len);
4315 }
4316 }
4317}
4318
4319static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
4320{
4321 SSL_MD5_CTXgcry_md_hd_t md5;
4322 SSL_SHA_CTXgcry_md_hd_t sha;
4323
4324 if (ssl_data_alloc(out, 36) < 0)
21
Calling 'ssl_data_alloc'
25
Returned allocated memory
26
Taking false branch
4325 return -1;
4326
4327 if (ssl_md5_init(&md5) != 0)
27
Taking true branch
4328 return -1;
4329 ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);
4330 ssl_md5_final(out->data,&md5);
4331 ssl_md5_cleanup(&md5);
4332
4333 if (ssl_sha_init(&sha) != 0)
4334 return -1;
4335 ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);
4336 ssl_sha_final(out->data+16,&sha);
4337 ssl_sha_cleanup(&sha);
4338 return 0;
4339}
4340
4341static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
4342{
4343 SSL_MDgcry_md_hd_t mc;
4344 uint8_t tmp[48];
4345 unsigned len;
4346
4347 if (ssl_md_init(&mc, md) != 0)
4348 return -1;
4349 ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);
4350 ssl_md_final(&mc, tmp, &len);
4351 ssl_md_cleanup(&mc);
4352
4353 if (ssl_data_alloc(out, len) < 0)
4354 return -1;
4355 memcpy(out->data, tmp, len);
4356 return 0;
4357}
4358
4359/**
4360 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
4361 * inlined and removed once support for draft 19 and before is dropped.
4362 */
4363static inline const char *
4364tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
4365{
4366 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
4367 return "TLS 1.3, ";
4368 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4369 return "dtls13";
4370 } else {
4371 return "tls13 ";
4372 }
4373}
4374
4375/*
4376 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
4377 * custom label prefix. If "context_hash" is NULL, then an empty context is
4378 * used. Otherwise it must have the same length as the hash algorithm output.
4379 */
4380bool_Bool
4381tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
4382 const char *label_prefix, const char *label,
4383 const uint8_t *context_hash, uint8_t context_length,
4384 uint16_t out_len, unsigned char **out)
4385{
4386 /* RFC 8446 Section 7.1:
4387 * HKDF-Expand-Label(Secret, Label, Context, Length) =
4388 * HKDF-Expand(Secret, HkdfLabel, Length)
4389 * struct {
4390 * uint16 length = Length;
4391 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
4392 * opaque context<0..255> = Context;
4393 * } HkdfLabel;
4394 *
4395 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
4396 * HKDF-Expand(PRK, info, L) -> OKM
4397 */
4398 gcry_error_t err;
4399 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
4400 const unsigned label_length = (unsigned) strlen(label);
4401
4402 /* Some sanity checks */
4403 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4403, "label_length > 0 && label_prefix_length + label_length <= 255"
))));
4404
4405 /* info = HkdfLabel { length, label, context } */
4406 GByteArray *info = g_byte_array_new();
4407 const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))));
4408 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));
4409
4410 const uint8_t label_vector_length = label_prefix_length + label_length;
4411 g_byte_array_append(info, &label_vector_length, 1);
4412 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
4413 g_byte_array_append(info, (const uint8_t*)label, label_length);
4414
4415 g_byte_array_append(info, &context_length, 1);
4416 if (context_length) {
4417 g_byte_array_append(info, context_hash, context_length);
4418 }
4419
4420 *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);
4421 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
4422 g_byte_array_free(info, true1);
4423
4424 if (err) {
4425 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));
4426 wmem_free(NULL((void*)0), *out);
4427 *out = NULL((void*)0);
4428 return false0;
4429 }
4430
4431 return true1;
4432}
4433
4434bool_Bool
4435tls13_hkdf_expand_label(int md, const StringInfo *secret,
4436 const char *label_prefix, const char *label,
4437 uint16_t out_len, unsigned char **out)
4438{
4439 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL((void*)0), 0, out_len, out);
4440}
4441/* HMAC and the Pseudorandom function }}} */
4442
4443/* Record Decompression (after decryption) {{{ */
4444#ifdef USE_ZLIB_OR_ZLIBNG
4445/* memory allocation functions for zlib initialization */
4446static void* ssl_zalloc(void* opaque _U___attribute__((unused)), unsigned int no, unsigned int size)
4447{
4448 return g_malloc0(no*size);
4449}
4450static void ssl_zfree(void* opaque _U___attribute__((unused)), void* addr)
4451{
4452 g_free(addr);
4453}
4454#endif /* USE_ZLIB_OR_ZLIBNG */
4455
4456static SslDecompress*
4457ssl_create_decompressor(int compression)
4458{
4459 SslDecompress *decomp;
4460#ifdef USE_ZLIB_OR_ZLIBNG
4461 int err;
4462#endif
4463
4464 if (compression == 0) return NULL((void*)0);
4465 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
4466 decomp = wmem_new(wmem_file_scope(), SslDecompress)((SslDecompress*)wmem_alloc((wmem_file_scope()), sizeof(SslDecompress
)));
4467 decomp->compression = compression;
4468 switch (decomp->compression) {
4469#ifdef USE_ZLIB_OR_ZLIBNG
4470 case 1: /* DEFLATE */
4471 decomp->istream.zalloc = ssl_zalloc;
4472 decomp->istream.zfree = ssl_zfree;
4473 decomp->istream.opaque = Z_NULL0;
4474 decomp->istream.next_in = Z_NULL0;
4475 decomp->istream.next_out = Z_NULL0;
4476 decomp->istream.avail_in = 0;
4477 decomp->istream.avail_out = 0;
4478 err = ZLIB_PREFIX(inflateInit)(&decomp->istream)inflateInit_((&decomp->istream), "1.3", (int)sizeof(z_stream
));
4479 if (err != Z_OK0) {
4480 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
4481 return NULL((void*)0);
4482 }
4483 break;
4484#endif /* USE_ZLIB_OR_ZLIBNG */
4485 default:
4486 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
4487 return NULL((void*)0);
4488 }
4489 return decomp;
4490}
4491
4492#ifdef USE_ZLIB_OR_ZLIBNG
4493static int
4494ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
4495{
4496 int err;
4497
4498 switch (decomp->compression) {
4499 case 1: /* DEFLATE */
4500 err = Z_OK0;
4501 if (out_str->data_len < 16384) { /* maximal plain length */
4502 ssl_data_realloc(out_str, 16384);
4503 }
4504#ifdef z_constconst
4505 decomp->istream.next_in = in;
4506#else
4507DIAG_OFF(cast-qual)clang diagnostic push clang diagnostic ignored "-Wcast-qual"
4508 decomp->istream.next_in = (Bytef *)in;
4509DIAG_ON(cast-qual)clang diagnostic pop
4510#endif
4511 decomp->istream.avail_in = inl;
4512 decomp->istream.next_out = out_str->data;
4513 decomp->istream.avail_out = out_str->data_len;
4514 if (inl > 0)
4515 err = ZLIB_PREFIX(inflate)inflate(&decomp->istream, Z_SYNC_FLUSH2);
4516 if (err != Z_OK0) {
4517 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
4518 return -1;
4519 }
4520 *outl = out_str->data_len - decomp->istream.avail_out;
4521 break;
4522 default:
4523 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4524 return -1;
4525 }
4526 return 0;
4527}
4528#else /* USE_ZLIB_OR_ZLIBNG */
4529int
4530ssl_decompress_record(SslDecompress* decomp _U___attribute__((unused)), const unsigned char* in _U___attribute__((unused)), unsigned inl _U___attribute__((unused)), StringInfo* out_str _U___attribute__((unused)), unsigned* outl _U___attribute__((unused)))
4531{
4532 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4533 return -1;
4534}
4535#endif /* USE_ZLIB_OR_ZLIBNG */
4536/* Record Decompression (after decryption) }}} */
4537
4538/* Create a new structure to store decrypted chunks. {{{ */
4539static SslFlow*
4540ssl_create_flow(void)
4541{
4542 SslFlow *flow;
4543
4544 flow = wmem_new(wmem_file_scope(), SslFlow)((SslFlow*)wmem_alloc((wmem_file_scope()), sizeof(SslFlow)));
4545 flow->byte_seq = 0;
4546 flow->flags = 0;
4547 flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
4548 return flow;
4549}
4550/* }}} */
4551
4552/* Use the negotiated security parameters for decryption. {{{ */
4553void
4554ssl_change_cipher(SslDecryptSession *ssl_session, bool_Bool server)
4555{
4556 SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;
4557 SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;
4558 ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
4559 *new_decoder ? "" : " (No decoder found - retransmission?)");
4560 if (*new_decoder) {
4561 *dest = *new_decoder;
4562 *new_decoder = NULL((void*)0);
4563 }
4564}
4565/* }}} */
4566
4567/* Init cipher state given some security parameters. {{{ */
4568static bool_Bool
4569ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
4570
4571static SslDecoder*
4572ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
4573 int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
4574{
4575 SslDecoder *dec;
4576 ssl_cipher_mode_t mode = cipher_suite->mode;
4577
4578 dec = wmem_new0(wmem_file_scope(), SslDecoder)((SslDecoder*)wmem_alloc0((wmem_file_scope()), sizeof(SslDecoder
)));
4579 /* init mac buffer: mac storage is embedded into decoder struct to save a
4580 memory allocation and waste samo more memory*/
4581 dec->cipher_suite=cipher_suite;
4582 dec->compression = compression;
4583 if ((mode == MODE_STREAM && mk != NULL((void*)0)) || mode == MODE_CBC) {
4584 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
4585 // the special case for NULL ciphers, even if there is insufficiency
4586 // keying material (including MAC key), we will can still create
4587 // decoders since "decryption" is easy for such ciphers.
4588 dec->mac_key.data = dec->_mac_key_or_write_iv;
4589 ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
4590 } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
4591 // Input for the nonce, to be used with AEAD ciphers.
4592 DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv))((void) ((iv_length <= sizeof(dec->_mac_key_or_write_iv
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4592, "iv_length <= sizeof(dec->_mac_key_or_write_iv)"
))));
4593 dec->write_iv.data = dec->_mac_key_or_write_iv;
4594 ssl_data_set(&dec->write_iv, iv, iv_length);
4595 }
4596 dec->seq = 0;
4597 dec->decomp = ssl_create_decompressor(compression);
4598 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);
4599
4600 if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {
4601 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC((const char*) (__func__)),
4602 cipher_algo, cipher_suite->mode);
4603 return NULL((void*)0);
4604 }
4605
4606 if (cipher_suite->enc != ENC_NULL0x3D && sn_key != NULL((void*)0)) {
4607 if (cipher_suite->enc == ENC_AES0x35 || cipher_suite->enc == ENC_AES2560x36) {
4608 mode = MODE_ECB;
4609 } else if (cipher_suite->enc == ENC_CHACHA200x3A) {
4610 mode = MODE_STREAM;
4611 } else {
4612 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
4613 return NULL((void*)0);
4614 }
4615
4616 if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL((void*)0), mode) < 0) {
4617 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC((const char*) (__func__)),
4618 cipher_algo, MODE_ECB);
4619 ssl_cipher_cleanup(&dec->evp);
4620 dec->evp = NULL((void*)0);
4621 return NULL((void*)0);
4622 }
4623 } else {
4624 dec->sn_evp = NULL((void*)0);
4625 }
4626
4627 dec->dtls13_aad.data = NULL((void*)0);
4628 dec->dtls13_aad.data_len = 0;
4629 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
4630 return dec;
4631}
4632
4633static bool_Bool
4634ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U___attribute__((unused)), wmem_cb_event_t event _U___attribute__((unused)), void *user_data)
4635{
4636 SslDecoder *dec = (SslDecoder *) user_data;
4637
4638 if (dec->evp)
4639 ssl_cipher_cleanup(&dec->evp);
4640 if (dec->sn_evp)
4641 ssl_cipher_cleanup(&dec->sn_evp);
4642
4643#ifdef USE_ZLIB_OR_ZLIBNG
4644 if (dec->decomp != NULL((void*)0) && dec->decomp->compression == 1 /* DEFLATE */)
4645 ZLIB_PREFIX(inflateEnd)inflateEnd(&dec->decomp->istream);
4646#endif
4647
4648 return false0;
4649}
4650/* }}} */
4651
4652/* (Pre-)master secrets calculations {{{ */
4653#ifdef HAVE_LIBGNUTLS1
4654static bool_Bool
4655ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4656 StringInfo *encrypted_pre_master,
4657 GHashTable *key_hash);
4658#endif /* HAVE_LIBGNUTLS */
4659
4660static bool_Bool
4661ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
4662 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);
4663
4664bool_Bool
4665ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
4666 uint32_t length, tvbuff_t *tvb, uint32_t offset,
4667 const char *ssl_psk, packet_info *pinfo,
4668#ifdef HAVE_LIBGNUTLS1
4669 GHashTable *key_hash,
4670#endif
4671 const ssl_master_key_map_t *mk_map)
4672{
4673 /* check for required session data */
4674 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
4675 G_STRFUNC((const char*) (__func__)), ssl_session->state);
4676 if ((ssl_session->state & (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) !=
4677 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) {
4678 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC((const char*) (__func__)),
4679 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4)));
4680 return false0;
4681 }
4682
4683 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304) {
4684 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC((const char*) (__func__)));
4685 return false0;
4686 }
4687
4688 /* check to see if the PMS was provided to us*/
4689 if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true1,
4690 mk_map->pms, &ssl_session->client_random)) {
4691 return true1;
4692 }
4693
4694 if (ssl_session->cipher_suite->kex == KEX_PSK0x1d)
4695 {
4696 /* calculate pre master secret*/
4697 StringInfo pre_master_secret;
4698 unsigned psk_len, pre_master_len;
4699
4700 if (!ssl_psk || (ssl_psk[0] == 0)) {
4701 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC((const char*) (__func__)));
4702 return false0;
4703 }
4704
4705 /* convert hex string into char*/
4706 if (!from_hex(&ssl_session->psk, ssl_psk, strlen(ssl_psk))) {
4707 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
4708 G_STRFUNC((const char*) (__func__)));
4709 return false0;
4710 }
4711
4712 psk_len = ssl_session->psk.data_len;
4713 if (psk_len >= (2 << 15)) {
4714 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
4715 G_STRFUNC((const char*) (__func__)));
4716 return false0;
4717 }
4718
4719
4720 pre_master_len = psk_len * 2 + 4;
4721
4722 pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
4723 pre_master_secret.data_len = pre_master_len;
4724 /* 2 bytes psk_len*/
4725 pre_master_secret.data[0] = psk_len >> 8;
4726 pre_master_secret.data[1] = psk_len & 0xFF;
4727 /* psk_len bytes times 0*/
4728 memset(&pre_master_secret.data[2], 0, psk_len);
4729 /* 2 bytes psk_len*/
4730 pre_master_secret.data[psk_len + 2] = psk_len >> 8;
4731 pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
4732 /* psk*/
4733 memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);
4734
4735 ssl_session->pre_master_secret.data = pre_master_secret.data;
4736 ssl_session->pre_master_secret.data_len = pre_master_len;
4737 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/
4738
4739 /* Remove the master secret if it was there.
4740 This forces keying material regeneration in
4741 case we're renegotiating */
4742 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
4743 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
4744 return true1;
4745 }
4746 else
4747 {
4748 unsigned encrlen, skip;
4749 encrlen = length;
4750 skip = 0;
4751
4752 /* get encrypted data, on tls1 we have to skip two bytes
4753 * (it's the encrypted len and should be equal to record len - 2)
4754 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
4755 */
4756 if (ssl_session->cipher_suite->kex == KEX_RSA0x1e &&
4757 (ssl_session->session.version == TLSV1_VERSION0x301 ||
4758 ssl_session->session.version == TLSV1DOT1_VERSION0x302 ||
4759 ssl_session->session.version == TLSV1DOT2_VERSION0x303 ||
4760 ssl_session->session.version == DTLSV1DOT0_VERSION0xfeff ||
4761 ssl_session->session.version == DTLSV1DOT2_VERSION0xfefd ||
4762 ssl_session->session.version == TLCPV1_VERSION0x101 ))
4763 {
4764 encrlen = tvb_get_ntohs(tvb, offset);
4765 skip = 2;
4766 if (encrlen > length - 2)
4767 {
4768 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
4769 G_STRFUNC((const char*) (__func__)), encrlen, length);
4770 return false0;
4771 }
4772 }
4773 /* the valid lower bound is higher than 8, but it is sufficient for the
4774 * ssl keylog file below */
4775 if (encrlen < 8) {
4776 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
4777 G_STRFUNC((const char*) (__func__)), encrlen);
4778 return false0;
4779 }
4780
4781 StringInfo encrypted_pre_master = {
4782 .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
4783 .data_len = encrlen,
4784 };
4785
4786#ifdef HAVE_LIBGNUTLS1
4787 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
4788 if (ssl_session->cert_key_id) {
4789 if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
4790 return true1;
4791
4792 ssl_debug_printf("%s: can't decrypt pre-master secret\n",
4793 G_STRFUNC((const char*) (__func__)));
4794 }
4795#endif /* HAVE_LIBGNUTLS */
4796
4797 /* try to find the pre-master secret from the encrypted one. The
4798 * ssl key logfile stores only the first 8 bytes, so truncate it */
4799 encrypted_pre_master.data_len = 8;
4800 if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
4801 true1, mk_map->pre_master, &encrypted_pre_master))
4802 return true1;
4803 }
4804 return false0;
4805}
4806
4807/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
4808int
4809ssl_generate_keyring_material(SslDecryptSession*ssl_session)
4810{
4811 StringInfo key_block = { NULL((void*)0), 0 };
4812 uint8_t _iv_c[MAX_BLOCK_SIZE16],_iv_s[MAX_BLOCK_SIZE16];
4813 uint8_t _key_c[MAX_KEY_SIZE32],_key_s[MAX_KEY_SIZE32];
4814 int needed;
4815 int cipher_algo = -1; /* special value (-1) for NULL encryption */
4816 unsigned encr_key_len, write_iv_len = 0;
4817 bool_Bool is_export_cipher;
4818 uint8_t *ptr, *c_iv = NULL((void*)0), *s_iv = NULL((void*)0);
4819 uint8_t *c_wk = NULL((void*)0), *s_wk = NULL((void*)0), *c_mk = NULL((void*)0), *s_mk = NULL((void*)0);
4820 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
4821
4822 /* (D)TLS 1.3 is handled directly in tls13_change_key. */
4823 if (ssl_session->session.version
7.1
Field 'version' is not equal to TLSV1DOT3_VERSION
 == TLSV1DOT3_VERSION0x304 || ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
8
Assuming field 'version' is not equal to DTLSV1DOT3_VERSION
9
Taking false branch
4824 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC((const char*) (__func__)));
4825 return -1;
4826 }
4827
4828 /* check for enough info to proceed */
4829 unsigned need_all = SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4);
4830 unsigned need_any = SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
4831 if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
10
Assuming the condition is false
11
Assuming the condition is false
12
Taking false branch
4832 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
4833 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
4834 need_all|SSL_MASTER_SECRET(1<<5), need_all|SSL_PRE_MASTER_SECRET(1<<6));
4835 /* Special case: for NULL encryption, allow dissection of data even if
4836 * the Client Hello is missing (MAC keys are now skipped though). */
4837 need_all = SSL_CIPHER(1<<2)|SSL_VERSION(1<<4);
4838 if ((ssl_session->state & need_all) == need_all &&
4839 cipher_suite->enc == ENC_NULL0x3D) {
4840 ssl_debug_printf("%s NULL cipher found, will create a decoder but "
4841 "skip MAC validation as keys are missing.\n", G_STRFUNC((const char*) (__func__)));
4842 goto create_decoders;
4843 }
4844
4845 return -1;
4846 }
4847
4848 /* if master key is not available, generate is from the pre-master secret */
4849 if (!(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
13
Assuming the condition is true
14
Taking true branch
4850 if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) == SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) {
15
Assuming the condition is true
16
Taking true branch
4851 StringInfo handshake_hashed_data;
4852 int ret;
4853
4854 handshake_hashed_data.data = NULL((void*)0);
4855 handshake_hashed_data.data_len = 0;
4856
4857 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC((const char*) (__func__)));
4858 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4859 DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0)((void) ((ssl_session->handshake_data.data_len > 0) ? (
void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4859, "ssl_session->handshake_data.data_len > 0"
))));
17
Assuming field 'data_len' is > 0
18
'?' condition is true
4860
4861 switch(ssl_session->session.version) {
19
Control jumps to 'case 257:' at line 4866
4862 case TLSV1_VERSION0x301:
4863 case TLSV1DOT1_VERSION0x302:
4864 case DTLSV1DOT0_VERSION0xfeff:
4865 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4866 case TLCPV1_VERSION0x101:
4867 ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
20
Calling 'tls_handshake_hash'
28
Returned allocated memory
4868 break;
4869 default:
4870 switch (cipher_suite->dig) {
4871 case DIG_SHA3840x43:
4872 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
4873 break;
4874 default:
4875 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
4876 break;
4877 }
4878 break;
4879 }
4880 if (ret
29.1
'ret' is -1
) {
29
 Execution continues on line 4880
30
Taking true branch
4881 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC((const char*) (__func__)));
31
Potential leak of memory pointed to by 'handshake_hashed_data.data'
4882 return -1;
4883 }
4884
4885 wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
4886 ssl_session->handshake_data.data = NULL((void*)0);
4887 ssl_session->handshake_data.data_len = 0;
4888
4889 if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
4890 &handshake_hashed_data,
4891 NULL((void*)0), &ssl_session->master_secret,
4892 SSL_MASTER_SECRET_LENGTH48)) {
4893 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4894 g_free(handshake_hashed_data.data);
4895 return -1;
4896 }
4897 g_free(handshake_hashed_data.data);
4898 } else {
4899 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC((const char*) (__func__)));
4900 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4901 ssl_print_string("client random",&ssl_session->client_random);
4902 ssl_print_string("server random",&ssl_session->server_random);
4903 if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
4904 &ssl_session->client_random,
4905 &ssl_session->server_random, &ssl_session->master_secret,
4906 SSL_MASTER_SECRET_LENGTH48)) {
4907 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4908 return -1;
4909 }
4910 }
4911 ssl_print_string("master secret",&ssl_session->master_secret);
4912
4913 /* the pre-master secret has been 'consumed' so we must clear it now */
4914 ssl_session->state &= ~SSL_PRE_MASTER_SECRET(1<<6);
4915 ssl_session->state |= SSL_MASTER_SECRET(1<<5);
4916 }
4917
4918 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4919 if (cipher_suite->enc != ENC_NULL0x3D) {
4920 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
4921 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4922 cipher_algo = ssl_get_cipher_by_name(cipher_name);
4923 if (cipher_algo == 0) {
4924 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4925 return -1;
4926 }
4927 }
4928
4929 /* Export ciphers consume less material from the key block. */
4930 encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
4931 is_export_cipher = encr_key_len > 0;
4932 if (!is_export_cipher && cipher_suite->enc != ENC_NULL0x3D) {
4933 encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
4934 }
4935
4936 if (cipher_suite->mode == MODE_CBC) {
4937 write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4938 } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
4939 /* account for a four-byte salt for client and server side (from
4940 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
4941 write_iv_len = 4;
4942 } else if (cipher_suite->mode == MODE_POLY1305) {
4943 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
4944 write_iv_len = 12;
4945 }
4946
4947 /* Compute the key block. First figure out how much data we need */
4948 needed = ssl_cipher_suite_dig(cipher_suite)->len*2; /* MAC key */
4949 needed += 2 * encr_key_len; /* encryption key */
4950 needed += 2 * write_iv_len; /* write IV */
4951
4952 key_block.data = (unsigned char *)g_malloc(needed);
4953 ssl_debug_printf("%s sess key generation\n", G_STRFUNC((const char*) (__func__)));
4954 if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
4955 &ssl_session->server_random,&ssl_session->client_random,
4956 &key_block, needed)) {
4957 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC((const char*) (__func__)));
4958 goto fail;
4959 }
4960 ssl_print_string("key expansion", &key_block);
4961
4962 ptr=key_block.data;
4963 /* client/server write MAC key (for non-AEAD ciphers) */
4964 if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
4965 c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4966 s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4967 }
4968 /* client/server write encryption key */
4969 c_wk=ptr; ptr += encr_key_len;
4970 s_wk=ptr; ptr += encr_key_len;
4971 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
4972 if (write_iv_len > 0) {
4973 c_iv=ptr; ptr += write_iv_len;
4974 s_iv=ptr; /* ptr += write_iv_len; */
4975 }
4976
4977 /* export ciphers work with a smaller key length */
4978 if (is_export_cipher) {
4979 if (cipher_suite->mode == MODE_CBC) {
4980
4981 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
4982 all we should need. This is a sanity check */
4983 if (write_iv_len > MAX_BLOCK_SIZE16) {
4984 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
4985 G_STRFUNC((const char*) (__func__)), MAX_BLOCK_SIZE16, write_iv_len);
4986 goto fail;
4987 }
4988
4989 if(ssl_session->session.version==SSLV3_VERSION0x300){
4990 /* The length of these fields are ignored by this caller */
4991 StringInfo iv_c, iv_s;
4992 iv_c.data = _iv_c;
4993 iv_s.data = _iv_s;
4994
4995 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC((const char*) (__func__)));
4996 if (!ssl3_generate_export_iv(&ssl_session->client_random,
4997 &ssl_session->server_random, &iv_c, write_iv_len)) {
4998 goto fail;
4999 }
5000 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC((const char*) (__func__)));
5001 if (!ssl3_generate_export_iv(&ssl_session->server_random,
5002 &ssl_session->client_random, &iv_s, write_iv_len)) {
5003 goto fail;
5004 }
5005 }
5006 else{
5007 uint8_t _iv_block[MAX_BLOCK_SIZE16 * 2];
5008 StringInfo iv_block;
5009 StringInfo key_null;
5010 uint8_t _key_null;
5011
5012 key_null.data = &_key_null;
5013 key_null.data_len = 0;
5014
5015 iv_block.data = _iv_block;
5016
5017 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC((const char*) (__func__)));
5018 if (!prf(ssl_session, &key_null, "IV block",
5019 &ssl_session->client_random,
5020 &ssl_session->server_random, &iv_block,
5021 write_iv_len * 2)) {
5022 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC((const char*) (__func__)));
5023 goto fail;
5024 }
5025
5026 memcpy(_iv_c, iv_block.data, write_iv_len);
5027 memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
5028 }
5029
5030 c_iv=_iv_c;
5031 s_iv=_iv_s;
5032 }
5033
5034 if (ssl_session->session.version==SSLV3_VERSION0x300){
5035
5036 SSL_MD5_CTXgcry_md_hd_t md5;
5037 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC((const char*) (__func__)));
5038
5039 if (ssl_md5_init(&md5) != 0)
5040 goto fail;
5041 ssl_md5_update(&md5,c_wk,encr_key_len);
5042 ssl_md5_update(&md5,ssl_session->client_random.data,
5043 ssl_session->client_random.data_len);
5044 ssl_md5_update(&md5,ssl_session->server_random.data,
5045 ssl_session->server_random.data_len);
5046 ssl_md5_final(_key_c,&md5);
5047 ssl_md5_cleanup(&md5);
5048 c_wk=_key_c;
5049
5050 if (ssl_md5_init(&md5) != 0)
5051 goto fail;
5052 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC((const char*) (__func__)));
5053 ssl_md5_update(&md5,s_wk,encr_key_len);
5054 ssl_md5_update(&md5,ssl_session->server_random.data,
5055 ssl_session->server_random.data_len);
5056 ssl_md5_update(&md5,ssl_session->client_random.data,
5057 ssl_session->client_random.data_len);
5058 ssl_md5_final(_key_s,&md5);
5059 ssl_md5_cleanup(&md5);
5060 s_wk=_key_s;
5061 }
5062 else{
5063 StringInfo key_c, key_s, k;
5064 key_c.data = _key_c;
5065 key_s.data = _key_s;
5066
5067 k.data = c_wk;
5068 k.data_len = encr_key_len;
5069 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC((const char*) (__func__)));
5070 if (!prf(ssl_session, &k, "client write key",
5071 &ssl_session->client_random,
5072 &ssl_session->server_random, &key_c, sizeof(_key_c))) {
5073 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC((const char*) (__func__)));
5074 goto fail;
5075 }
5076 c_wk=_key_c;
5077
5078 k.data = s_wk;
5079 k.data_len = encr_key_len;
5080 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC((const char*) (__func__)));
5081 if (!prf(ssl_session, &k, "server write key",
5082 &ssl_session->client_random,
5083 &ssl_session->server_random, &key_s, sizeof(_key_s))) {
5084 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC((const char*) (__func__)));
5085 goto fail;
5086 }
5087 s_wk=_key_s;
5088 }
5089 }
5090
5091 /* show key material info */
5092 if (c_mk != NULL((void*)0)) {
5093 ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5094 ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5095 }
5096 ssl_print_data("Client Write key", c_wk, encr_key_len);
5097 ssl_print_data("Server Write key", s_wk, encr_key_len);
5098 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
5099 if (write_iv_len > 0) {
5100 ssl_print_data("Client Write IV", c_iv, write_iv_len);
5101 ssl_print_data("Server Write IV", s_iv, write_iv_len);
5102 }
5103
5104create_decoders:
5105 /* create both client and server ciphers*/
5106 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC((const char*) (__func__)));
5107 ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL((void*)0), c_iv, write_iv_len);
5108 if (!ssl_session->client_new) {
5109 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC((const char*) (__func__)));
5110 goto fail;
5111 }
5112 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC((const char*) (__func__)));
5113 ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL((void*)0), s_iv, write_iv_len);
5114 if (!ssl_session->server_new) {
5115 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC((const char*) (__func__)));
5116 goto fail;
5117 }
5118
5119 /* Continue the SSL stream after renegotiation with new keys. */
5120 ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5121 ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5122
5123 ssl_debug_printf("%s: client seq %" PRIu64"l" "u" ", server seq %" PRIu64"l" "u" "\n",
5124 G_STRFUNC((const char*) (__func__)), ssl_session->client_new->seq, ssl_session->server_new->seq);
5125 g_free(key_block.data);
5126 ssl_session->state |= SSL_HAVE_SESSION_KEY(1<<3);
5127 return 0;
5128
5129fail:
5130 g_free(key_block.data);
5131 return -1;
5132}
5133
5134/* Generated the key material based on the given secret. */
5135bool_Bool
5136tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool_Bool is_from_server)
5137{
5138 bool_Bool success = false0;
5139 unsigned char *write_key = NULL((void*)0), *write_iv = NULL((void*)0);
5140 unsigned char *sn_key = NULL((void*)0);
5141 SslDecoder *decoder;
5142 unsigned key_length, iv_length;
5143 int hash_algo;
5144 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
5145 int cipher_algo;
5146
5147 if ((ssl_session->session.version != TLSV1DOT3_VERSION0x304) && (ssl_session->session.version != DTLSV1DOT3_VERSION0xfefc)) {
5148 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC((const char*) (__func__)),
5149 ssl_session->session.version);
5150 return false0;
5151 }
5152
5153 if (cipher_suite == NULL((void*)0)) {
5154 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC((const char*) (__func__)));
5155 return false0;
5156 }
5157
5158 if (cipher_suite->kex != KEX_TLS130x23) {
5159 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC((const char*) (__func__)), cipher_suite->number);
5160 return false0;
5161 }
5162
5163 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
5164 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
5165 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5166 cipher_algo = ssl_get_cipher_by_name(cipher_name);
5167 if (cipher_algo == 0) {
5168 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5169 return false0;
5170 }
5171
5172 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
5173 hash_algo = ssl_get_digest_by_name(hash_name);
5174 if (!hash_algo) {
5175 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), hash_name);
5176 return false0;
5177 }
5178
5179 key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
5180 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
5181 iv_length = 12;
5182 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC((const char*) (__func__)), key_length, iv_length);
5183
5184 const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
5185 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
5186 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5187 return false0;
5188 }
5189 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
5190 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC((const char*) (__func__)));
5191 goto end;
5192 }
5193
5194 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5195 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
5196 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5197 goto end;
5198 }
5199 }
5200
5201 ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
5202 ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
5203 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5204 ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
5205 }
5206
5207 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5208 decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL((void*)0), write_key, sn_key, write_iv, iv_length);
5209 if (!decoder) {
5210 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5211 goto end;
5212 }
5213
5214 /* Continue the TLS session with new keys, but reuse old flow to keep things
5215 * like "Follow TLS" working (by linking application data records). */
5216 if (is_from_server) {
5217 decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5218 ssl_session->server = decoder;
5219 } else {
5220 decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5221 ssl_session->client = decoder;
5222 }
5223 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC((const char*) (__func__)),
5224 is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
5225 success = true1;
5226
5227end:
5228 wmem_free(NULL((void*)0), write_key);
5229 wmem_free(NULL((void*)0), write_iv);
5230 if (sn_key)
5231 wmem_free(NULL((void*)0), sn_key);
5232 return success;
5233}
5234/* (Pre-)master secrets calculations }}} */
5235
5236#ifdef HAVE_LIBGNUTLS1
5237/* Decrypt RSA pre-master secret using RSA private key. {{{ */
5238static bool_Bool
5239ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
5240 StringInfo *encrypted_pre_master, GHashTable *key_hash)
5241{
5242 int ret;
5243
5244 if (!encrypted_pre_master)
5245 return false0;
5246
5247 if (KEX_IS_DH(ssl_session->cipher_suite->kex)((ssl_session->cipher_suite->kex) >= 0x10 &&
(ssl_session->cipher_suite->kex) <= 0x1b)) {
5248 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
5249 "(cipher suite 0x%04X %s) and cannot be decrypted "
5250 "using a RSA private key file.\n",
5251 G_STRFUNC((const char*) (__func__)), ssl_session->session.cipher,
5252 val_to_str_ext_const(ssl_session->session.cipher,
5253 &ssl_31_ciphersuite_ext, "unknown"));
5254 return false0;
5255 } else if (ssl_session->cipher_suite->kex != KEX_RSA0x1e) {
5256 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
5257 G_STRFUNC((const char*) (__func__)), ssl_session->cipher_suite->kex, KEX_RSA0x1e);
5258 return false0;
5259 }
5260
5261 gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);
5262
5263 ssl_print_string("pre master encrypted", encrypted_pre_master);
5264 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC((const char*) (__func__)));
5265 const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
5266 gnutls_datum_t pms = { 0 };
5267 if (pk) {
5268 // Try to decrypt using the RSA keys table from (D)TLS preferences.
5269 ret = gnutls_privkey_decrypt_data(pk, 0, &epms, &pms);
5270 } else {
5271 // Try to decrypt using a hardware token.
5272 ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
5273 }
5274 if (ret < 0) {
5275 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC((const char*) (__func__)), ret, gnutls_strerror(ret));
5276 return false0;
5277 }
5278
5279 if (pms.size != 48) {
5280 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
5281 G_STRFUNC((const char*) (__func__)), pms.size, 48);
5282 if (pk) {
5283 gnutls_free(pms.data);
5284 } else {
5285 g_free(pms.data);
5286 }
5287 return false0;
5288 }
5289
5290 ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
5291 ssl_session->pre_master_secret.data_len = 48;
5292 if (pk) {
5293 gnutls_free(pms.data);
5294 } else {
5295 g_free(pms.data);
5296 }
5297 ssl_print_string("pre master secret", &ssl_session->pre_master_secret);
5298
5299 /* Remove the master secret if it was there.
5300 This forces keying material regeneration in
5301 case we're renegotiating */
5302 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
5303 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
5304 return true1;
5305} /* }}} */
5306#endif /* HAVE_LIBGNUTLS */
5307
5308/* Decryption integrity check {{{ */
5309
5310static int
5311tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
5312 uint32_t datalen, uint8_t* mac)
5313{
5314 SSL_HMACgcry_md_hd_t hm;
5315 int md;
5316 uint32_t len;
5317 uint8_t buf[DIGEST_MAX_SIZE48];
5318 int16_t temp;
5319
5320 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5321 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
5322 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5323
5324 if (ssl_hmac_init(&hm,md) != 0)
5325 return -1;
5326 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5327 return -1;
5328
5329 /* hash sequence number */
5330 phtonu64(buf, decoder->seq);
5331
5332 decoder->seq++;
5333
5334 ssl_hmac_update(&hm,buf,8);
5335
5336 /* hash content type */
5337 buf[0]=ct;
5338 ssl_hmac_update(&hm,buf,1);
5339
5340 /* hash version,data length and data*/
5341 /* *((int16_t*)buf) = g_htons(ver); */
5342 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5343 memcpy(buf, &temp, 2);
5344 ssl_hmac_update(&hm,buf,2);
5345
5346 /* *((int16_t*)buf) = g_htons(datalen); */
5347 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5348 memcpy(buf, &temp, 2);
5349 ssl_hmac_update(&hm,buf,2);
5350 ssl_hmac_update(&hm,data,datalen);
5351
5352 /* get digest and digest len*/
5353 len = sizeof(buf);
5354 ssl_hmac_final(&hm,buf,&len);
5355 ssl_hmac_cleanup(&hm);
5356 ssl_print_data("Mac", buf, len);
5357 if(memcmp(mac,buf,len))
5358 return -1;
5359
5360 return 0;
5361}
5362
5363static int
5364ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
5365 uint32_t datalen, uint8_t* mac)
5366{
5367 SSL_MDgcry_md_hd_t mc;
5368 int md;
5369 uint32_t len;
5370 uint8_t buf[64],dgst[20];
5371 int pad_ct;
5372 int16_t temp;
5373
5374 pad_ct=(decoder->cipher_suite->dig==DIG_SHA0x41)?40:48;
5375
5376 /* get cipher used for digest computation */
5377 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5378 if (ssl_md_init(&mc,md) !=0)
5379 return -1;
5380
5381 /* do hash computation on data && padding */
5382 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5383
5384 /* hash padding*/
5385 memset(buf,0x36,pad_ct);
5386 ssl_md_update(&mc,buf,pad_ct);
5387
5388 /* hash sequence number */
5389 phtonu64(buf, decoder->seq);
5390 decoder->seq++;
5391 ssl_md_update(&mc,buf,8);
5392
5393 /* hash content type */
5394 buf[0]=ct;
5395 ssl_md_update(&mc,buf,1);
5396
5397 /* hash data length in network byte order and data*/
5398 /* *((int16_t* )buf) = g_htons(datalen); */
5399 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5400 memcpy(buf, &temp, 2);
5401 ssl_md_update(&mc,buf,2);
5402 ssl_md_update(&mc,data,datalen);
5403
5404 /* get partial digest */
5405 ssl_md_final(&mc,dgst,&len);
5406 ssl_md_reset(&mc);
5407
5408 /* hash mac key */
5409 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5410
5411 /* hash padding and partial digest*/
5412 memset(buf,0x5c,pad_ct);
5413 ssl_md_update(&mc,buf,pad_ct);
5414 ssl_md_update(&mc,dgst,len);
5415
5416 ssl_md_final(&mc,dgst,&len);
5417 ssl_md_cleanup(&mc);
5418
5419 if(memcmp(mac,dgst,len))
5420 return -1;
5421
5422 return 0;
5423}
5424
5425static int
5426dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
5427 uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
5428{
5429 SSL_HMACgcry_md_hd_t hm;
5430 int md;
5431 uint32_t len;
5432 uint8_t buf[DIGEST_MAX_SIZE48];
5433 int16_t temp;
5434
5435 int ver = ssl->session.version;
5436 bool_Bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION0xfefd));
5437
5438 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5439 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
5440 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5441
5442 if (ssl_hmac_init(&hm,md) != 0)
5443 return -1;
5444 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5445 return -1;
5446
5447 ssl_debug_printf("dtls_check_mac seq: %" PRIu64"l" "u" " epoch: %d\n",decoder->seq,decoder->epoch);
5448
5449 if (is_cid && !ssl->session.deprecated_cid) {
5450 /* hash seq num placeholder */
5451 memset(buf,0xFF,8);
5452 ssl_hmac_update(&hm,buf,8);
5453
5454 /* hash content type + cid length + content type */
5455 buf[0]=ct;
5456 buf[1]=cidl;
5457 buf[2]=ct;
5458 ssl_hmac_update(&hm,buf,3);
5459
5460 /* hash version */
5461 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5462 memcpy(buf, &temp, 2);
5463 ssl_hmac_update(&hm,buf,2);
5464
5465 /* hash sequence number */
5466 phtonu64(buf, decoder->seq);
5467 buf[0]=decoder->epoch>>8;
5468 buf[1]=(uint8_t)decoder->epoch;
5469 ssl_hmac_update(&hm,buf,8);
5470
5471 /* hash cid */
5472 ssl_hmac_update(&hm,cid,cidl);
5473 } else {
5474 /* hash sequence number */
5475 phtonu64(buf, decoder->seq);
5476 buf[0]=decoder->epoch>>8;
5477 buf[1]=(uint8_t)decoder->epoch;
5478 ssl_hmac_update(&hm,buf,8);
5479
5480 /* hash content type */
5481 buf[0]=ct;
5482 ssl_hmac_update(&hm,buf,1);
5483
5484 /* hash version */
5485 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5486 memcpy(buf, &temp, 2);
5487 ssl_hmac_update(&hm,buf,2);
5488
5489 if (is_cid && ssl->session.deprecated_cid) {
5490 /* hash cid */
5491 ssl_hmac_update(&hm,cid,cidl);
5492
5493 /* hash cid length */
5494 buf[0] = cidl;
5495 ssl_hmac_update(&hm,buf,1);
5496 }
5497 }
5498
5499 /* data length and data */
5500 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5501 memcpy(buf, &temp, 2);
5502 ssl_hmac_update(&hm,buf,2);
5503 ssl_hmac_update(&hm,data,datalen);
5504
5505 /* get digest and digest len */
5506 len = sizeof(buf);
5507 ssl_hmac_final(&hm,buf,&len);
5508 ssl_hmac_cleanup(&hm);
5509 ssl_print_data("Mac", buf, len);
5510 if(memcmp(mac,buf,len))
5511 return -1;
5512
5513 return 0;
5514}
5515/* Decryption integrity check }}} */
5516
5517
5518static bool_Bool
5519tls_decrypt_aead_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder,
5520 uint8_t ct, uint16_t record_version,
5521 bool_Bool ignore_mac_failed,
5522 const unsigned char *in, uint16_t inl,
5523 const unsigned char *cid, uint8_t cidl,
5524 StringInfo *out_str, unsigned *outl)
5525{
5526 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5527 * GenericAEADCipher: { nonce_explicit, [content] }
5528 * In TLS 1.3 this explicit nonce is gone.
5529 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5530 * ciphertext and authentication tag.
5531 */
5532 const uint16_t version = ssl->session.version;
5533 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
5534 gcry_error_t err;
5535 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
5536 unsigned ciphertext_len, auth_tag_len;
5537 unsigned char nonce[12];
5538 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5539 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
5540 const uint8_t draft_version = ssl->session.tls13_draft_version;
5541 const unsigned char *auth_tag_wire;
5542 unsigned char auth_tag_calc[16];
5543 unsigned char *aad = NULL((void*)0);
5544 unsigned aad_len = 0;
5545
5546 switch (cipher_mode) {
5547 case MODE_GCM:
5548 case MODE_CCM:
5549 case MODE_POLY1305:
5550 auth_tag_len = 16;
5551 break;
5552 case MODE_CCM_8:
5553 auth_tag_len = 8;
5554 break;
5555 default:
5556 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
5557 return false0;
5558 }
5559
5560 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5561 if (is_v12 && cipher_mode != MODE_POLY1305) {
5562 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
5563 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5564 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
5565 return false0;
5566 }
5567 explicit_nonce = in;
5568 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
5569 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
5570 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5571 if (inl < auth_tag_len) {
5572 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
5573 return false0;
5574 }
5575 ciphertext = in;
5576 ciphertext_len = inl - auth_tag_len;
5577 } else {
5578 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
5579 return false0;
5580 }
5581 auth_tag_wire = ciphertext + ciphertext_len;
5582
5583 /*
5584 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5585 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5586 */
5587 if (is_v12 && cipher_mode != MODE_POLY1305) {
5588 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5588, "decoder->write_iv.data_len == 4"))));
5589 /* Implicit (4) and explicit (8) part of nonce. */
5590 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
5591 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
5592
5593 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5594 /*
5595 * Technically the nonce length must be at least 8 bytes, but for
5596 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5597 */
5598 const unsigned nonce_len = 12;
5599 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5599, "decoder->write_iv.data_len == nonce_len"
))));
5600 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5601 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5602 phtonu64(nonce + nonce_len - 8, pntohu64(nonce + nonce_len - 8) ^ decoder->seq);
5603 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
5604 }
5605
5606 /* Set nonce and additional authentication data */
5607 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0);
5608 ssl_print_data("nonce", nonce, 12);
5609 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5610 if (err) {
5611 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5612 return false0;
5613 }
5614
5615 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5616 if (is_cid) { /* if connection ID */
5617 if (ssl->session.deprecated_cid) {
5618 aad_len = 14 + cidl;
5619 aad = wmem_alloc(allocator, aad_len);
5620 phtonu64(aad, decoder->seq); /* record sequence number */
5621 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5622 aad[8] = ct; /* TLSCompressed.type */
5623 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5624 memcpy(aad + 11, cid, cidl); /* cid */
5625 aad[11 + cidl] = cidl; /* cid_length */
5626 phtonu16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5627 } else {
5628 aad_len = 23 + cidl;
5629 aad = wmem_alloc(allocator, aad_len);
5630 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5631 aad[8] = ct; /* TLSCompressed.type */
5632 aad[9] = cidl; /* cid_length */
5633 aad[10] = ct; /* TLSCompressed.type */
5634 phtonu16(aad + 11, record_version); /* TLSCompressed.version */
5635 phtonu64(aad + 13, decoder->seq); /* record sequence number */
5636 phtonu16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5637 memcpy(aad + 21, cid, cidl); /* cid */
5638 phtonu16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5639 }
5640 } else if (is_v12) {
5641 aad_len = 13;
5642 aad = wmem_alloc(allocator, aad_len);
5643 phtonu64(aad, decoder->seq); /* record sequence number */
5644 if (version == DTLSV1DOT2_VERSION0xfefd) {
5645 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5646 }
5647 aad[8] = ct; /* TLSCompressed.type */
5648 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5649 phtonu16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5650 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
5651 aad_len = decoder->dtls13_aad.data_len;
5652 aad = decoder->dtls13_aad.data;
5653 } else if (draft_version >= 25 || draft_version == 0) {
5654 aad_len = 5;
5655 aad = wmem_alloc(allocator, aad_len);
5656 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5657 phtonu16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5658 phtonu16(aad + 3, inl); /* TLSCiphertext.length */
5659 }
5660
5661 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5662 /* size of plaintext, additional authenticated data and auth tag. */
5663 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5664
5665 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5666 }
5667
5668 if (aad && aad_len > 0) {
5669 ssl_print_data("AAD", aad, aad_len);
5670 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5671 if (err) {
5672 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5673 return false0;
5674 }
5675 }
5676
5677 /* Decrypt now that nonce and AAD are set. */
5678 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5679 if (err) {
5680 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5681 return false0;
5682 }
5683
5684 /* Check authentication tag for authenticity (replaces MAC) */
5685 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5686 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5687 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5688 } else {
5689 if (err) {
5690 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5691 } else {
5692 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
5693 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5694 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5695 }
5696 if (ignore_mac_failed) {
5697 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
5698 } else {
5699 return false0;
5700 }
5701 }
5702
5703 /*
5704 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5705 * after successful authentication to ensure that early data is skipped when
5706 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5707 */
5708 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
5709 decoder->seq++;
5710 }
5711
5712 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5713 *outl = ciphertext_len;
5714 return true1;
5715}
5716
5717/* Record decryption glue based on security parameters {{{ */
5718/* Assume that we are called only for a non-NULL decoder which also means that
5719 * we have a non-NULL decoder->cipher_suite. */
5720int
5721ssl_decrypt_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
5722 bool_Bool ignore_mac_failed,
5723 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
5724 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
5725{
5726 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
5727 uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);
5728
5729 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
5730 ssl_print_data("Ciphertext",in, inl);
5731
5732 if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))
5733 != (decoder->cipher_suite->kex == KEX_TLS130x23)) {
5734 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));
5735 return -1;
5736 }
5737
5738 /* ensure we have enough storage space for decrypted data */
5739 if (inl > out_str->data_len)
5740 {
5741 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
5742 inl + 32, out_str->data_len);
5743 ssl_data_realloc(out_str, inl + 32);
5744 }
5745
5746 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
5747 * a separate MAC, so use a different routine for simplicity. */
5748 if (decoder->cipher_suite->mode == MODE_GCM ||
5749 decoder->cipher_suite->mode == MODE_CCM ||
5750 decoder->cipher_suite->mode == MODE_CCM_8 ||
5751 decoder->cipher_suite->mode == MODE_POLY1305 ||
5752 ssl->session.version == TLSV1DOT3_VERSION0x304 ||
5753 ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {
5754
5755 if (!tls_decrypt_aead_record(allocator, ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
5756 /* decryption failed */
5757 return -1;
5758 }
5759
5760 goto skip_mac;
5761 }
5762
5763 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
5764 * (notation: { unencrypted, [ encrypted ] })
5765 * GenericStreamCipher: { [content, mac] }
5766 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
5767 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
5768 * GenericAEADCipher: { nonce_explicit, [content] }
5769 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
5770 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
5771 */
5772
5773 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;
5774
5775 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
5776 if (decoder->cipher_suite->mode == MODE_CBC) {
5777 unsigned blocksize = 0;
5778
5779 switch (ssl->session.version) {
5780 case TLSV1DOT1_VERSION0x302:
5781 case TLSV1DOT2_VERSION0x303:
5782 case DTLSV1DOT0_VERSION0xfeff:
5783 case DTLSV1DOT2_VERSION0xfefd:
5784 case DTLSV1DOT3_VERSION0xfefc:
5785 case DTLSV1DOT0_OPENSSL_VERSION0x100:
5786 case TLCPV1_VERSION0x101:
5787 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
5788 if (inl < blocksize) {
5789 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
5790 inl, blocksize);
5791 return -1;
5792 }
5793 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
5794 if (pad != 0) {
5795 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
5796 gcry_strsource (pad), gcry_strerror (pad));
5797 }
5798
5799 inl -= blocksize;
5800 in += blocksize;
5801 break;
5802 }
5803
5804 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5805 if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {
5806 /*
5807 * MAC is calculated over (IV + ) ENCRYPTED contents:
5808 *
5809 * MAC(MAC_write_key, ... +
5810 * IV + // for TLS 1.1 or greater
5811 * TLSCiphertext.enc_content);
5812 */
5813 if (inl < maclen) {
5814 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5815 G_STRFUNC((const char*) (__func__)), inl, maclen);
5816 return -1;
5817 }
5818 inl -= maclen;
5819 mac = (uint8_t *)in + inl;
5820 mac_frag = (uint8_t *)in - blocksize;
5821 mac_fraglen = blocksize + inl;
5822 }
5823 }
5824
5825 /* First decrypt*/
5826 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
5827 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
5828 gcry_strerror (pad));
5829 return -1;
5830 }
5831
5832 ssl_print_data("Plaintext", out_str->data, inl);
5833 worklen=inl;
5834
5835
5836 /* strip padding for GenericBlockCipher */
5837 if (decoder->cipher_suite->mode == MODE_CBC) {
5838 if (inl < 1) { /* Should this check happen earlier? */
5839 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
5840 return -1;
5841 }
5842 pad=out_str->data[inl-1];
5843 if (worklen <= pad) {
5844 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5845 pad, worklen);
5846 return -1;
5847 }
5848 worklen-=(pad+1);
5849 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5850 pad, worklen);
5851 }
5852
5853 /* MAC for GenericStreamCipher and GenericBlockCipher.
5854 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5855 if (!mac) {
5856 /*
5857 * MAC is calculated over the DECRYPTED contents:
5858 *
5859 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5860 */
5861 if (worklen < maclen) {
5862 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);
5863 return -1;
5864 }
5865 worklen -= maclen;
5866 mac = out_str->data + worklen;
5867 mac_frag = out_str->data;
5868 mac_fraglen = worklen;
5869 }
5870
5871 /* If NULL encryption active and no keys are available, do not bother
5872 * checking the MAC. We do not have keys for that. */
5873 if (decoder->cipher_suite->mode == MODE_STREAM &&
5874 decoder->cipher_suite->enc == ENC_NULL0x3D &&
5875 !(ssl->state & SSL_MASTER_SECRET(1<<5))) {
5876 ssl_debug_printf("MAC check skipped due to missing keys\n");
5877 decoder->seq++; // Increment this for display
5878 goto skip_mac;
5879 }
5880
5881 /* Now check the MAC */
5882 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",
5883 worklen, ssl->session.version, ct, decoder->seq);
5884 if(ssl->session.version==SSLV3_VERSION0x300){
5885 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
5886 if(ignore_mac_failed) {
5887 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5888 }
5889 else{
5890 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5891 return -1;
5892 }
5893 }
5894 else{
5895 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5896 }
5897 }
5898 else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){
5899 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
5900 if(ignore_mac_failed) {
5901 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5902 }
5903 else{
5904 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5905 return -1;
5906 }
5907 }
5908 else{
5909 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5910 }
5911 }
5912 else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||
5913 ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||
5914 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){
5915 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5916 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
5917 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5918 }
5919 else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {
5920 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5921 }
5922 else if(ignore_mac_failed) {
5923 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5924 }
5925 else{
5926 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5927 return -1;
5928 }
5929 }
5930skip_mac:
5931
5932 *outl = worklen;
5933
5934 if (decoder->compression > 0) {
5935 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
5936 ssl_data_copy(comp_str, out_str);
5937 ssl_print_data("Plaintext compressed", comp_str->data, worklen);
5938 if (!decoder->decomp) {
5939 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
5940 return -1;
5941 }
5942 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
5943 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
5944 *outl = uncomplen;
5945 }
5946
5947 return 0;
5948}
5949/* Record decryption glue based on security parameters }}} */
5950
5951
5952
5953#ifdef HAVE_LIBGNUTLS1
5954
5955/* RSA private key file processing {{{ */
5956static void
5957ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
5958 gnutls_datum_t *subjectPublicKeyInfo)
5959{
5960 gnutls_pubkey_t pubkey = NULL((void*)0);
5961 cert_key_id_t key_id;
5962 size_t key_id_len = sizeof(key_id);
5963 int r;
5964
5965 if (!subjectPublicKeyInfo->size) {
5966 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC((const char*) (__func__)));
5967 return;
5968 }
5969
5970 r = gnutls_pubkey_init(&pubkey);
5971 if (r < 0) {
5972 ssl_debug_printf("%s: failed to init pubkey: %s\n",
5973 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5974 return;
5975 }
5976
5977 r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
5978 if (r < 0) {
5979 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
5980 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5981 goto end;
5982 }
5983
5984 if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL((void*)0)) != GNUTLS_PK_RSA) {
5985 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC((const char*) (__func__)));
5986 goto end;
5987 }
5988
5989 /* Generate a 20-byte SHA-1 hash. */
5990 r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
5991 if (r < 0) {
5992 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
5993 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5994 goto end;
5995 }
5996
5997 if (key_id_len != sizeof(key_id)) {
5998 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
5999 G_STRFUNC((const char*) (__func__)), sizeof(key_id), key_id_len);
6000 goto end;
6001 }
6002
6003 ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
6004 ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t)((cert_key_id_t*)wmem_alloc((wmem_file_scope()), sizeof(cert_key_id_t
)));
6005 *ssl->cert_key_id = key_id;
6006
6007end:
6008 gnutls_pubkey_deinit(pubkey);
6009}
6010
6011/* RSA private key file processing }}} */
6012#endif /* HAVE_LIBGNUTLS */
6013
6014/*--- Start of dissector-related code below ---*/
6015
6016/* This is not a "protocol" but ensures that this gets called during
6017 * the handoff stage. */
6018void proto_reg_handoff_tls_utils(void);
6019
6020static dissector_handle_t base_tls_handle;
6021static dissector_handle_t dtls_handle;
6022
6023void
6024proto_reg_handoff_tls_utils(void)
6025{
6026 base_tls_handle = find_dissector("tls");
6027 dtls_handle = find_dissector("dtls");
6028}
6029
6030/* get ssl data for this session. if no ssl data is found allocate a new one*/
6031SslDecryptSession *
6032ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle)
6033{
6034 void *conv_data;
6035 SslDecryptSession *ssl_session;
6036 int proto_ssl;
6037
6038 /* Note proto_ssl is tls for either the main tls_handle or the
6039 * tls13_handshake handle used by QUIC. */
6040 proto_ssl = dissector_handle_get_protocol_index(tls_handle);
6041 conv_data = conversation_get_proto_data(conversation, proto_ssl);
6042 if (conv_data != NULL((void*)0))
6043 return (SslDecryptSession *)conv_data;
6044
6045 /* no previous SSL conversation info, initialize it. */
6046 ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession)((SslDecryptSession*)wmem_alloc0((wmem_file_scope()), sizeof(
SslDecryptSession)));
6047
6048 /* data_len is the part that is meaningful, not the allocated length */
6049 ssl_session->master_secret.data_len = 0;
6050 ssl_session->master_secret.data = ssl_session->_master_secret;
6051 ssl_session->session_id.data_len = 0;
6052 ssl_session->session_id.data = ssl_session->_session_id;
6053 ssl_session->client_random.data_len = 0;
6054 ssl_session->client_random.data = ssl_session->_client_random;
6055 ssl_session->server_random.data_len = 0;
6056 ssl_session->server_random.data = ssl_session->_server_random;
6057 ssl_session->session_ticket.data_len = 0;
6058 ssl_session->session_ticket.data = NULL((void*)0); /* will be re-alloced as needed */
6059 ssl_session->server_data_for_iv.data_len = 0;
6060 ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
6061 ssl_session->client_data_for_iv.data_len = 0;
6062 ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
6063 ssl_session->app_data_segment.data = NULL((void*)0);
6064 ssl_session->app_data_segment.data_len = 0;
6065 ssl_session->handshake_data.data=NULL((void*)0);
6066 ssl_session->handshake_data.data_len=0;
6067 ssl_session->ech_transcript.data=NULL((void*)0);
6068 ssl_session->ech_transcript.data_len=0;
6069
6070 /* Initialize parameters which are not necessary specific to decryption. */
6071 ssl_session->session.version = SSL_VER_UNKNOWN0;
6072 clear_address(&ssl_session->session.srv_addr);
6073 ssl_session->session.srv_ptype = PT_NONE;
6074 ssl_session->session.srv_port = 0;
6075 ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
6076 ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
6077 ssl_session->session.client_random.data_len = 0;
6078 ssl_session->session.client_random.data = ssl_session->session._client_random;
6079 memset(ssl_session->session.ech_confirmation, 0, sizeof(ssl_session->session.ech_confirmation));
6080 memset(ssl_session->session.hrr_ech_confirmation, 0, sizeof(ssl_session->session.hrr_ech_confirmation));
6081 memset(ssl_session->session.first_ech_auth_tag, 0, sizeof(ssl_session->session.first_ech_auth_tag));
6082 ssl_session->session.ech = false0;
6083 ssl_session->session.hrr_ech_declined = false0;
6084 ssl_session->session.first_ch_ech_frame = 0;
6085
6086 /* We want to increment the stream count for the normal tls handle and
6087 * dtls handle, but presumably not for the tls13_handshake handle used
6088 * by QUIC (it has its own Follow Stream handling, and the QUIC stream
6089 * doesn't get sent to the TLS follow tap.)
6090 */
6091 if (tls_handle == base_tls_handle) {
6092 ssl_session->session.stream = tls_increment_stream_count();
6093 } else if (tls_handle == dtls_handle) {
6094 ssl_session->session.stream = dtls_increment_stream_count();
6095 }
6096
6097 conversation_add_proto_data(conversation, proto_ssl, ssl_session);
6098 return ssl_session;
6099}
6100
6101void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool_Bool is_client)
6102{
6103 if (ssl) {
6104 /* Ensure that secrets are not restored using stale identifiers. Split
6105 * between client and server in case the packets somehow got out of order. */
6106 int clear_flags = SSL_HAVE_SESSION_KEY(1<<3) | SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
6107
6108 if (is_client) {
6109 clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
6110 ssl->session_id.data_len = 0;
6111 ssl->session_ticket.data_len = 0;
6112 ssl->master_secret.data_len = 0;
6113 ssl->client_random.data_len = 0;
6114 ssl->has_early_data = false0;
6115 if (ssl->handshake_data.data_len > 0) {
6116 // The EMS handshake hash starts with at the Client Hello,
6117 // ensure that any messages before it are forgotten.
6118 wmem_free(wmem_file_scope(), ssl->handshake_data.data);
6119 ssl->handshake_data.data = NULL((void*)0);
6120 ssl->handshake_data.data_len = 0;
6121 }
6122 } else {
6123 clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8) | SSL_NEW_SESSION_TICKET(1<<10);
6124 ssl->server_random.data_len = 0;
6125 ssl->pre_master_secret.data_len = 0;
6126#ifdef HAVE_LIBGNUTLS1
6127 ssl->cert_key_id = NULL((void*)0);
6128#endif
6129 ssl->psk.data_len = 0;
6130 }
6131
6132 if (ssl->state & clear_flags) {
6133 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
6134 G_STRFUNC((const char*) (__func__)), ssl->state & clear_flags, is_client ? "client" : "server");
6135 ssl->state &= ~clear_flags;
6136 }
6137 }
6138
6139 /* These flags might be used for non-decryption purposes and may affect the
6140 * dissection, so reset them as well. */
6141 if (is_client) {
6142 session->client_cert_type = 0;
6143 } else {
6144 session->compression = 0;
6145 session->server_cert_type = 0;
6146 /* session->is_session_resumed is already handled in the ServerHello dissection. */
6147 }
6148 session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
6149 session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
6150}
6151
6152void
6153tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
6154 dissector_handle_t app_handle)
6155{
6156 conversation_t *conversation;
6157 SslSession *session;
6158
6159 /* Ignore if the TLS or other dissector is disabled. */
6160 if (!tls_handle || !app_handle)
6161 return;
6162
6163 conversation = find_or_create_conversation(pinfo);
6164 session = &ssl_get_session(conversation, tls_handle)->session;
6165 session->app_handle = app_handle;
6166}
6167
6168static uint32_t
6169ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
6170 dissector_handle_t app_handle, uint32_t last_nontls_frame)
6171{
6172 conversation_t *conversation;
6173 SslSession *session;
6174
6175 /* Ignore if the TLS dissector is disabled. */
6176 if (!tls_handle)
6177 return 0;
6178 /* The caller should always pass a valid handle to its own dissector. */
6179 DISSECTOR_ASSERT(app_handle)((void) ((app_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6179, "app_handle"))));
6180
6181 conversation = find_or_create_conversation(pinfo);
6182 session = &ssl_get_session(conversation, tls_handle)->session;
6183
6184 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6185 session->last_nontls_frame,
6186 (void *)session->app_handle,
6187 dissector_handle_get_dissector_name(session->app_handle));
6188 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6189 pinfo->num, (void *)app_handle,
6190 dissector_handle_get_dissector_name(app_handle));
6191
6192 /* Do not switch again if a dissector did it before. */
6193 if (session->last_nontls_frame) {
6194 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC((const char*) (__func__)));
6195 return session->last_nontls_frame;
6196 }
6197
6198 session->app_handle = app_handle;
6199 /* The TLS dissector should be called first for this conversation. */
6200 conversation_set_dissector(conversation, tls_handle);
6201 /* TLS starts after this frame. */
6202 session->last_nontls_frame = last_nontls_frame;
6203 return 0;
6204}
6205
6206/* ssl_starttls_ack: mark future frames as encrypted. */
6207uint32_t
6208ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6209 dissector_handle_t app_handle)
6210{
6211 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);
6212}
6213
6214uint32_t
6215ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6216 dissector_handle_t app_handle)
6217{
6218 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);
6219}
6220
6221dissector_handle_t
6222ssl_find_appdata_dissector(const char *name)
6223{
6224 /* Accept 'http' for backwards compatibility and sanity. */
6225 if (!strcmp(name, "http"))
6226 name = "http-over-tls";
6227 /* XXX - Should this check to see if the dissector is actually added for
6228 * Decode As in the appropriate table?
6229 */
6230 return find_dissector(name);
6231}
6232
6233/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
6234static int
6235ssl_equal (const void *v, const void *v2)
6236{
6237 const StringInfo *val1;
6238 const StringInfo *val2;
6239 val1 = (const StringInfo *)v;
6240 val2 = (const StringInfo *)v2;
6241
6242 if (val1->data_len == val2->data_len &&
6243 !memcmp(val1->data, val2->data, val2->data_len)) {
6244 return 1;
6245 }
6246 return 0;
6247}
6248
6249static unsigned
6250ssl_hash (const void *v)
6251{
6252 unsigned l,hash;
6253 const StringInfo* id;
6254 const unsigned* cur;
6255 hash = 0;
6256 id = (const StringInfo*) v;
6257
6258 /* id and id->data are mallocated in ssl_save_master_key(). As such 'data'
6259 * should be aligned for any kind of access (for example as a unsigned as
6260 * is done below). The intermediate void* cast is to prevent "cast
6261 * increases required alignment of target type" warnings on CPUs (such
6262 * as SPARCs) that do not allow misaligned memory accesses.
6263 */
6264 cur = (const unsigned*)(void*) id->data;
6265
6266 for (l=4; (l < id->data_len); l+=4, cur++)
6267 hash = hash ^ (*cur);
6268
6269 return hash;
6270}
6271/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6272
6273/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6274void
6275ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6276{
6277 DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6277, "main_handle"))));
6278 DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6278, "subdissector_handle"))));
6279 /* Registration is required for Export PDU feature to work properly. */
6280 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6281, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
6281 "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6281, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))));
6282 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);
6283
6284 if (port) {
6285 dissector_add_uint(dissector_table_name, port, subdissector_handle);
6286 if (tcp)
6287 dissector_add_uint("tcp.port", port, main_handle);
6288 else
6289 dissector_add_uint("udp.port", port, main_handle);
6290 dissector_add_uint("sctp.port", port, main_handle);
6291 } else {
6292 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
6293 }
6294}
6295
6296void
6297ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6298{
6299 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
6300 tcp?"TCP":"UDP", port, (void *)subdissector_handle);
6301 if (main_handle) {
6302 dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);
6303 dissector_delete_uint("sctp.port", port, main_handle);
6304 }
6305
6306 if (port) {
6307 dissector_delete_uint(dissector_table_name, port, subdissector_handle);
6308 }
6309}
6310
6311void
6312ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
6313{
6314 copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
6315 session->srv_ptype = ptype;
6316 session->srv_port = port;
6317}
6318
6319int
6320ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
6321{
6322 int ret;
6323 if (session && session->srv_addr.type != AT_NONE) {
6324 ret = (session->srv_ptype == pinfo->ptype) &&
6325 (session->srv_port == pinfo->srcport) &&
6326 addresses_equal(&session->srv_addr, &pinfo->src);
6327 } else {
6328 ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);
6329 }
6330
6331 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");
6332 return ret;
6333}
6334/* Handling of association between tls/dtls ports and clear text protocol. }}} */
6335
6336
6337/* Links SSL records with the real packet data. {{{ */
6338SslPacketInfo *
6339tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
6340{
6341 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6342 if (!pi) {
6343 pi = wmem_new0(wmem_file_scope(), SslPacketInfo)((SslPacketInfo*)wmem_alloc0((wmem_file_scope()), sizeof(SslPacketInfo
)));
6344 pi->srcport = pinfo->srcport;
6345 pi->destport = pinfo->destport;
6346 p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
6347 }
6348
6349 return pi;
6350}
6351
6352/**
6353 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
6354 * avoid the need for a decoder in the second pass. Additionally, it remembers
6355 * sequence numbers (for reassembly and Follow TLS Stream).
6356 *
6357 * @param proto The protocol identifier (proto_ssl or proto_dtls).
6358 * @param pinfo The packet where the record originates from.
6359 * @param plain_data Decrypted plaintext to store in the record.
6360 * @param plain_data_len Total length of the plaintext.
6361 * @param content_len Length of the plaintext section corresponding to the record content.
6362 * @param record_id The identifier for this record within the current packet.
6363 * @param flow Information about sequence numbers, etc.
6364 * @param type TLS Content Type (such as handshake or application_data).
6365 * @param curr_layer_num_ssl The layer identifier for this TLS session.
6366 */
6367void
6368ssl_add_record_info(int proto, packet_info *pinfo,
6369 const unsigned char *plain_data, int plain_data_len, int content_len,
6370 int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl,
6371 uint64_t record_seq)
6372{
6373 SslRecordInfo* rec, **prec;
6374 SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);
6375
6376 ws_assert(content_len <= plain_data_len)do { if ((1) && !(content_len <= plain_data_len)) ws_log_fatal_full
("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c", 6376
, __func__, "assertion failed: %s", "content_len <= plain_data_len"
); } while (0);
6377
6378 rec = wmem_new(wmem_file_scope(), SslRecordInfo)((SslRecordInfo*)wmem_alloc((wmem_file_scope()), sizeof(SslRecordInfo
)));
6379 rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), plain_data, plain_data_len);
6380 rec->plain_data_len = plain_data_len;
6381 rec->content_len = content_len;
6382 rec->id = record_id;
6383 rec->type = type;
6384 rec->next = NULL((void*)0);
6385 rec->record_seq = record_seq;
6386
6387 if (flow && type == SSL_ID_APP_DATA) {
6388 rec->seq = flow->byte_seq;
6389 rec->flow = flow;
6390 flow->byte_seq += content_len;
6391 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
6392 G_STRFUNC((const char*) (__func__)), rec->seq, rec->seq + content_len, (void*)flow);
6393 }
6394
6395 /* Remember decrypted records. */
6396 prec = &pi->records;
6397 while (*prec) prec = &(*prec)->next;
6398 *prec = rec;
6399}
6400
6401/* search in packet data for the specified id; return a newly created tvb for the associated data */
6402tvbuff_t*
6403ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
6404{
6405 SslRecordInfo* rec;
6406 SslPacketInfo* pi;
6407 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6408
6409 if (!pi)
6410 return NULL((void*)0);
6411
6412 for (rec = pi->records; rec; rec = rec->next)
6413 if (rec->id == record_id) {
6414 *matched_record = rec;
6415 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
6416 return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->plain_data_len, rec->plain_data_len);
6417 }
6418
6419 return NULL((void*)0);
6420}
6421/* Links SSL records with the real packet data. }}} */
6422
6423/* initialize/reset per capture state data (ssl sessions cache). {{{ */
6424void
6425ssl_common_init(ssl_master_key_map_t *mk_map,
6426 StringInfo *decrypted_data, StringInfo *compressed_data)
6427{
6428 mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);
6429 mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);
6430 mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);
6431 mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);
6432 mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);
6433 mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);
6434 mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6435 mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6436 mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6437 mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6438 mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6439 mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6440
6441 mk_map->ech_secret = g_hash_table_new(ssl_hash, ssl_equal);
6442 mk_map->ech_config = g_hash_table_new(ssl_hash, ssl_equal);
6443
6444 mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);
6445
6446 ssl_data_alloc(decrypted_data, 32);
6447 ssl_data_alloc(compressed_data, 32);
6448}
6449
6450void
6451ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
6452 StringInfo *decrypted_data, StringInfo *compressed_data)
6453{
6454 g_hash_table_destroy(mk_map->session);
6455 g_hash_table_destroy(mk_map->tickets);
6456 g_hash_table_destroy(mk_map->crandom);
6457 g_hash_table_destroy(mk_map->pre_master);
6458 g_hash_table_destroy(mk_map->pms);
6459 g_hash_table_destroy(mk_map->tls13_client_early);
6460 g_hash_table_destroy(mk_map->tls13_client_handshake);
6461 g_hash_table_destroy(mk_map->tls13_server_handshake);
6462 g_hash_table_destroy(mk_map->tls13_client_appdata);
6463 g_hash_table_destroy(mk_map->tls13_server_appdata);
6464 g_hash_table_destroy(mk_map->tls13_early_exporter);
6465 g_hash_table_destroy(mk_map->tls13_exporter);
6466
6467 g_hash_table_destroy(mk_map->ech_secret);
6468 g_hash_table_destroy(mk_map->ech_config);
6469
6470 g_hash_table_destroy(mk_map->used_crandom);
6471
6472 g_free(decrypted_data->data);
6473 g_free(compressed_data->data);
6474
6475 /* close the previous keylog file now that the cache are cleared, this
6476 * allows the cache to be filled with the full keylog file contents. */
6477 if (*ssl_keylog_file) {
6478 fclose(*ssl_keylog_file);
6479 *ssl_keylog_file = NULL((void*)0);
6480 }
6481}
6482/* }}} */
6483
6484/* parse ssl related preferences (private keys and ports association strings) */
6485#if defined(HAVE_LIBGNUTLS1)
6486/* Load a single RSA key file item from preferences. {{{ */
6487void
6488ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool_Bool tcp)
6489{
6490 gnutls_x509_privkey_t x509_priv_key;
6491 gnutls_privkey_t priv_key = NULL((void*)0);
6492 FILE* fp = NULL((void*)0);
6493 int ret;
6494 size_t key_id_len = 20;
6495 unsigned char *key_id = NULL((void*)0);
6496 char *err = NULL((void*)0);
6497 dissector_handle_t handle;
6498 /* try to load keys file first */
6499 fp = ws_fopenfopen(uats->keyfile, "rb");
6500 if (!fp) {
6501 report_open_failure(uats->keyfile, errno(*__errno_location ()), false0);
6502 return;
6503 }
6504
6505 if ((int)strlen(uats->password) == 0) {
6506 x509_priv_key = rsa_load_pem_key(fp, &err);
6507 } else {
6508 x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
6509 }
6510 fclose(fp);
6511
6512 if (!x509_priv_key) {
6513 if (err) {
6514 report_failure("Can't load private key from %s: %s",
6515 uats->keyfile, err);
6516 g_free(err);
6517 } else
6518 report_failure("Can't load private key from %s: unknown error",
6519 uats->keyfile);
6520 return;
6521 }
6522 if (err) {
6523 report_failure("Load of private key from %s \"succeeded\" with error %s",
6524 uats->keyfile, err);
6525 g_free(err);
6526 }
6527
6528 gnutls_privkey_init(&priv_key);
6529 ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
6530 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
6531 if (ret < 0) {
6532 report_failure("Can't convert private key %s: %s",
6533 uats->keyfile, gnutls_strerror(ret));
6534 goto end;
6535 }
6536
6537 key_id = (unsigned char *) g_malloc0(key_id_len);
6538 ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
6539 if (ret < 0) {
6540 report_failure("Can't calculate public key ID for %s: %s",
6541 uats->keyfile, gnutls_strerror(ret));
6542 goto end;
6543 }
6544 ssl_print_data("KeyID", key_id, key_id_len);
6545 if (key_id_len != 20) {
6546 report_failure("Expected Key ID size %u for %s, got %zu", 20,
6547 uats->keyfile, key_id_len);
6548 goto end;
6549 }
6550
6551 g_hash_table_replace(key_hash, key_id, priv_key);
6552 key_id = NULL((void*)0); /* used in key_hash, do not free. */
6553 priv_key = NULL((void*)0);
6554 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);
6555
6556 handle = ssl_find_appdata_dissector(uats->protocol);
6557 if (handle) {
6558 /* Port to subprotocol mapping */
6559 uint16_t port = 0;
6560 if (ws_strtou16(uats->port, NULL((void*)0), &port)) {
6561 if (port > 0) {
6562 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
6563 port, uats->keyfile, uats->password);
6564
6565 ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
6566 }
6567 } else {
6568 if (strcmp(uats->port, "start_tls"))
6569 ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
6570 }
6571 }
6572
6573end:
6574 gnutls_x509_privkey_deinit(x509_priv_key);
6575 gnutls_privkey_deinit(priv_key);
6576 g_free(key_id);
6577}
6578/* }}} */
6579#endif
6580
6581
6582/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6583/** store a known (pre-)master secret into cache */
6584static void
6585ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
6586 StringInfo *mk)
6587{
6588 StringInfo *ht_key, *master_secret;
6589
6590 if (key->data_len == 0) {
6591 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC((const char*) (__func__)), label);
6592 return;
6593 }
6594
6595 if (mk->data_len == 0) {
6596 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
6597 G_STRFUNC((const char*) (__func__)), label);
6598 return;
6599 }
6600
6601 /* ssl_hash() depends on session_ticket->data being aligned for unsigned access
6602 * so be careful in changing how it is allocated. */
6603 ht_key = ssl_data_clone(key);
6604 master_secret = ssl_data_clone(mk);
6605 g_hash_table_insert(ht, ht_key, master_secret);
6606
6607 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC((const char*) (__func__)), label);
6608 ssl_print_string("stored key", ht_key);
6609 ssl_print_string("stored (pre-)master secret", master_secret);
6610}
6611
6612/** restore a (pre-)master secret given some key in the cache */
6613static bool_Bool
6614ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
6615 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key)
6616{
6617 StringInfo *ms;
6618
6619 if (key->data_len == 0) {
6620 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
6621 G_STRFUNC((const char*) (__func__)), is_pre_master ? "pre-" : "", label);
6622 return false0;
6623 }
6624
6625 ms = (StringInfo *)g_hash_table_lookup(ht, key);
6626 if (!ms) {
6627 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC((const char*) (__func__)),
6628 is_pre_master ? "pre-" : "", label);
6629 return false0;
6630 }
6631
6632 /* (pre)master secret found, clear knowledge of other keys and set it in the
6633 * current conversation */
6634 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) |
6635 SSL_HAVE_SESSION_KEY(1<<3));
6636 if (is_pre_master) {
6637 /* unlike master secret, pre-master secret has a variable size (48 for
6638 * RSA, varying for PSK) and is therefore not statically allocated */
6639 ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
6640 ms->data_len);
6641 ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
6642 ssl->state |= SSL_PRE_MASTER_SECRET(1<<6);
6643 } else {
6644 ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
6645 ssl->state |= SSL_MASTER_SECRET(1<<5);
6646 }
6647 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC((const char*) (__func__)),
6648 is_pre_master ? "pre-" : "", label);
6649 ssl_print_string(label, key);
6650 ssl_print_string("(pre-)master secret", ms);
6651 return true1;
6652}
6653/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6654
6655/* Should be called when all parameters are ready (after ChangeCipherSpec), and
6656 * the decoder should be attempted to be initialized. {{{*/
6657void
6658ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6659{
6660 if (ssl->session.version == TLSV1DOT3_VERSION0x304) {
1
Assuming field 'version' is not equal to TLSV1DOT3_VERSION
2
Taking false branch
6661 /* TLS 1.3 implementations only provide secrets derived from the master
6662 * secret which are loaded in tls13_change_key. No master secrets can be
6663 * loaded here, so just return. */
6664 return;
6665 }
6666 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6667 if (ssl->state & SSL_HAVE_SESSION_KEY(1<<3)) {
3
Assuming the condition is false
4
Taking false branch
6668 ssl_debug_printf(" session key already available, nothing to do.\n");
6669 return;
6670 }
6671 if (!(ssl->state & SSL_CIPHER(1<<2))) {
5
Assuming the condition is false
6672 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
6673 return;
6674 }
6675
6676 /* for decryption, there needs to be a master secret (which can be derived
6677 * from pre-master secret). If missing, try to pick a master key from cache
6678 * (an earlier packet in the capture or key logfile). */
6679 if (!(ssl->state & (SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6))) &&
6
Assuming the condition is false
6680 !ssl_restore_master_key(ssl, "Session ID", false0,
6681 mk_map->session, &ssl->session_id) &&
6682 (!ssl->session.is_session_resumed ||
6683 !ssl_restore_master_key(ssl, "Session Ticket", false0,
6684 mk_map->tickets, &ssl->session_ticket)) &&
6685 !ssl_restore_master_key(ssl, "Client Random", false0,
6686 mk_map->crandom, &ssl->client_random)) {
6687 if (ssl->cipher_suite->enc != ENC_NULL0x3D) {
6688 /* how unfortunate, the master secret could not be found */
6689 ssl_debug_printf(" Cannot find master secret\n");
6690 return;
6691 } else {
6692 ssl_debug_printf(" Cannot find master secret, continuing anyway "
6693 "because of a NULL cipher\n");
6694 }
6695 }
6696
6697 if (ssl_generate_keyring_material(ssl) < 0) {
7
Calling 'ssl_generate_keyring_material'
6698 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC((const char*) (__func__)));
6699 return;
6700 }
6701 /* Save Client Random/ Session ID for "SSL Export Session keys" */
6702 ssl_save_master_key("Client Random", mk_map->crandom,
6703 &ssl->client_random, &ssl->master_secret);
6704 ssl_save_master_key("Session ID", mk_map->session,
6705 &ssl->session_id, &ssl->master_secret);
6706 /* Only save the new secrets if the server sent the ticket. The client
6707 * ticket might have become stale. */
6708 if (ssl->state & SSL_NEW_SESSION_TICKET(1<<10)) {
6709 ssl_save_master_key("Session Ticket", mk_map->tickets,
6710 &ssl->session_ticket, &ssl->master_secret);
6711 }
6712} /* }}} */
6713
6714/* Load the traffic key secret from the keylog file. */
6715StringInfo *
6716tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6717 bool_Bool is_from_server, TLSRecordType type)
6718{
6719 GHashTable *key_map;
6720 const char *label;
6721
6722 if (ssl->session.version != TLSV1DOT3_VERSION0x304 && ssl->session.version != DTLSV1DOT3_VERSION0xfefc) {
6723 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC((const char*) (__func__)), ssl->session.version);
6724 return NULL((void*)0);
6725 }
6726
6727 if (ssl->client_random.data_len == 0) {
6728 /* May happen if Hello message is missing and Finished is found. */
6729 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
6730 return NULL((void*)0);
6731 }
6732
6733 switch (type) {
6734 case TLS_SECRET_0RTT_APP:
6735 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6735, "!is_from_server"))));
6736 label = "CLIENT_EARLY_TRAFFIC_SECRET";
6737 key_map = mk_map->tls13_client_early;
6738 break;
6739 case TLS_SECRET_HANDSHAKE:
6740 if (is_from_server) {
6741 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
6742 key_map = mk_map->tls13_server_handshake;
6743 } else {
6744 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
6745 key_map = mk_map->tls13_client_handshake;
6746 }
6747 break;
6748 case TLS_SECRET_APP:
6749 if (is_from_server) {
6750 label = "SERVER_TRAFFIC_SECRET_0";
6751 key_map = mk_map->tls13_server_appdata;
6752 } else {
6753 label = "CLIENT_TRAFFIC_SECRET_0";
6754 key_map = mk_map->tls13_client_appdata;
6755 }
6756 break;
6757 default:
6758 ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c"
, 6758, __func__, "assertion \"not reached\" failed");
6759 }
6760
6761 /* Transitioning to new keys, mark old ones as unusable. */
6762 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6763 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) | SSL_HAVE_SESSION_KEY(1<<3));
6764
6765 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
6766 if (!secret) {
6767 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC((const char*) (__func__)), label);
6768 /* Disable decryption, the keys are invalid. */
6769 if (is_from_server) {
6770 ssl->server = NULL((void*)0);
6771 } else {
6772 ssl->client = NULL((void*)0);
6773 }
6774 return NULL((void*)0);
6775 }
6776
6777 /* TLS 1.3 secret found, set new keys. */
6778 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC((const char*) (__func__)));
6779 ssl_print_string("Client Random", &ssl->client_random);
6780 ssl_print_string(label, secret);
6781 return secret;
6782}
6783
6784/* Load the new key. */
6785void
6786tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6787 bool_Bool is_from_server, TLSRecordType type)
6788{
6789 if (ssl->state & SSL_QUIC_RECORD_LAYER(1<<13)) {
6790 /*
6791 * QUIC does not use the TLS record layer for message protection.
6792 * The required keys will be extracted later by QUIC.
6793 */
6794 return;
6795 }
6796
6797 StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6798 if (!secret) {
6799 if (type != TLS_SECRET_HANDSHAKE) {
6800 return;
6801 }
6802 /*
6803 * Workaround for when for some reason we don't have the handshake
6804 * secret but do have the application traffic secret. (#20240)
6805 * If we can't find the handshake secret, we'll never decrypt the
6806 * Finished message, so we won't know when to change to the app
6807 * traffic key, so we do so now.
6808 */
6809 type = TLS_SECRET_APP;
6810 secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6811 if (!secret) {
6812 return;
6813 }
6814 }
6815
6816 if (tls13_generate_keys(ssl, secret, is_from_server)) {
6817 /*
6818 * Remember the application traffic secret to support Key Update. The
6819 * other secrets cannot be used for this purpose, so free them.
6820 */
6821 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6822 StringInfo *app_secret = &decoder->app_traffic_secret;
6823 if (type == TLS_SECRET_APP) {
6824 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6825 app_secret->data,
6826 secret->data_len);
6827 ssl_data_set(app_secret, secret->data, secret->data_len);
6828 } else {
6829 wmem_free(wmem_file_scope(), app_secret->data);
6830 app_secret->data = NULL((void*)0);
6831 app_secret->data_len = 0;
6832 }
6833 }
6834}
6835
6836/**
6837 * Update to next application data traffic secret for TLS 1.3. The previous
6838 * secret should have been set by tls13_change_key.
6839 */
6840void
6841tls13_key_update(SslDecryptSession *ssl, bool_Bool is_from_server)
6842{
6843 /* RFC 8446 Section 7.2:
6844 * application_traffic_secret_N+1 =
6845 * HKDF-Expand-Label(application_traffic_secret_N,
6846 * "traffic upd", "", Hash.length)
6847 *
6848 * Both application_traffic_secret_N are of the same length (Hash.length).
6849 */
6850 const SslCipherSuite *cipher_suite = ssl->cipher_suite;
6851 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6852 StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL((void*)0);
6853 uint8_t tls13_draft_version = ssl->session.tls13_draft_version;
6854
6855 if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
6856 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC((const char*) (__func__)));
6857 return;
6858 }
6859
6860 /*
6861 * Previous traffic secret is available, so find the hash function,
6862 * expand the new traffic secret and generate new keys.
6863 */
6864 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
6865 int hash_algo = ssl_get_digest_by_name(hash_name);
6866 const unsigned hash_len = app_secret->data_len;
6867 unsigned char *new_secret;
6868 const char *label = "traffic upd";
6869 if (tls13_draft_version && tls13_draft_version < 20) {
6870 label = "application traffic secret";
6871 }
6872 if (!tls13_hkdf_expand_label(hash_algo, app_secret,
6873 tls13_hkdf_label_prefix(ssl),
6874 label, hash_len, &new_secret)) {
6875 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC((const char*) (__func__)));
6876 return;
6877 }
6878 ssl_data_set(app_secret, new_secret, hash_len);
6879 if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
6880 /*
6881 * Remember the application traffic secret on the new decoder to
6882 * support another Key Update.
6883 */
6884 decoder = is_from_server ? ssl->server : ssl->client;
6885 app_secret = &decoder->app_traffic_secret;
6886 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6887 app_secret->data,
6888 hash_len);
6889 ssl_data_set(app_secret, new_secret, hash_len);
6890 }
6891 wmem_free(NULL((void*)0), new_secret);
6892}
6893
6894void
6895tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6896{
6897 if (ssl && (ssl->state & SSL_CLIENT_RANDOM(1<<0))) {
6898 g_hash_table_add(mk_map->used_crandom, ssl_data_clone(&ssl->client_random));
6899 }
6900}
6901
6902/** SSL keylog file handling. {{{ */
6903
6904static GRegex *
6905ssl_compile_keyfile_regex(void)
6906{
6907#define OCTET "(?:[[:xdigit:]]{2})"
6908 const char *pattern =
6909 "(?:"
6910 /* Matches Client Hellos having this Client Random */
6911 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
6912 /* Matches first part of encrypted RSA pre-master secret */
6913 "|RSA (?<encrypted_pmk>" OCTET "{8}) "
6914 /* Pre-Master-Secret is given, it is 48 bytes for RSA,
6915 but it can be of any length for DHE */
6916 ")(?<pms>" OCTET "+)"
6917 "|(?:"
6918 /* Matches Server Hellos having a Session ID */
6919 "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
6920 /* Matches Client Hellos having this Client Random */
6921 "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
6922 /* Master-Secret is given, its length is fixed */
6923 ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH)"48" "})"
6924 "|(?"
6925 /* TLS 1.3 Client Random to Derived Secrets mapping. */
6926 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
6927 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
6928 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
6929 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
6930 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
6931 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
6932 "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
6933 /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
6934 /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
6935 "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
6936 "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
6937 ") (?<derived_secret>" OCTET "+)";
6938#undef OCTET
6939 static GRegex *regex = NULL((void*)0);
6940 GError *gerr = NULL((void*)0);
6941
6942 if (!regex) {
6943 regex = g_regex_new(pattern,
6944 (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
6945 G_REGEX_MATCH_ANCHORED, &gerr);
6946 if (gerr) {
6947 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC((const char*) (__func__)),
6948 gerr->message);
6949 g_error_free(gerr);
6950 regex = NULL((void*)0);
6951 }
6952 }
6953
6954 return regex;
6955}
6956
6957typedef struct ssl_master_key_match_group {
6958 const char *re_group_name;
6959 GHashTable *master_key_ht;
6960} ssl_master_key_match_group_t;
6961
6962void
6963tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
6964{
6965 ssl_master_key_match_group_t mk_groups[] = {
6966 { "encrypted_pmk", mk_map->pre_master },
6967 { "session_id", mk_map->session },
6968 { "client_random", mk_map->crandom },
6969 { "client_random_pms", mk_map->pms },
6970 /* TLS 1.3 map from Client Random to derived secret. */
6971 { "client_early", mk_map->tls13_client_early },
6972 { "client_handshake", mk_map->tls13_client_handshake },
6973 { "server_handshake", mk_map->tls13_server_handshake },
6974 { "client_appdata", mk_map->tls13_client_appdata },
6975 { "server_appdata", mk_map->tls13_server_appdata },
6976 { "early_exporter", mk_map->tls13_early_exporter },
6977 { "exporter", mk_map->tls13_exporter },
6978 { "ech_secret", mk_map->ech_secret },
6979 { "ech_config", mk_map->ech_config },
6980 };
6981
6982 /* The format of the file is a series of records with one of the following formats:
6983 * - "RSA xxxx yyyy"
6984 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
6985 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6986 * (this is the original format introduced with bug 4349)
6987 *
6988 * - "RSA Session-ID:xxxx Master-Key:yyyy"
6989 * Where xxxx is the SSL session ID (hex-encoded)
6990 * Where yyyy is the cleartext master secret (hex-encoded)
6991 * (added to support openssl s_client Master-Key output)
6992 * This is somewhat is a misnomer because there's nothing RSA specific
6993 * about this.
6994 *
6995 * - "PMS_CLIENT_RANDOM xxxx yyyy"
6996 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6997 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6998 * (This format allows SSL connections to be decrypted, if a user can
6999 * capture the PMS but could not recover the MS for a specific session
7000 * with a SSL Server.)
7001 *
7002 * - "CLIENT_RANDOM xxxx yyyy"
7003 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7004 * Where yyyy is the cleartext master secret (hex-encoded)
7005 * (This format allows non-RSA SSL connections to be decrypted, i.e.
7006 * ECDHE-RSA.)
7007 *
7008 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
7009 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7010 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7011 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
7012 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
7013 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
7014 * - "EXPORTER_SECRET xxxx yyyy"
7015 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7016 * Where yyyy is the secret (hex-encoded) derived from the early,
7017 * handshake or master secrets. (This format is introduced with TLS 1.3
7018 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
7019 */
7020 GRegex *regex = ssl_compile_keyfile_regex();
7021 if (!regex)
7022 return;
7023
7024 const char *next_line = (const char *)data;
7025 const char *line_end = next_line + datalen;
7026 while (next_line && next_line < line_end) {
7027 const char *line = next_line;
7028 next_line = (const char *)memchr(line, '\n', line_end - line);
7029 ssize_t linelen;
7030
7031 if (next_line) {
7032 linelen = next_line - line;
7033 next_line++; /* drop LF */
7034 } else {
7035 linelen = (ssize_t)(line_end - line);
7036 }
7037 if (linelen > 0 && line[linelen - 1] == '\r') {
7038 linelen--; /* drop CR */
7039 }
7040
7041 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
7042 GMatchInfo *mi;
7043 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {
7044 char *hex_key, *hex_pre_ms_or_ms;
7045 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7046 StringInfo *pre_ms_or_ms = NULL((void*)0);
7047 GHashTable *ht = NULL((void*)0);
7048
7049 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
7050 * otherwise we will use the Master Secret
7051 */
7052 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
7053 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7054 g_free(hex_pre_ms_or_ms);
7055 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
7056 }
7057 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7058 g_free(hex_pre_ms_or_ms);
7059 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
7060 }
7061 /* There is always a match, otherwise the regex is wrong. */
7062 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7062, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))));
7063
7064 /* convert from hex to bytes and save to hashtable */
7065 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7066 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
7067 g_free(hex_pre_ms_or_ms);
7068
7069 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
7070 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {
7071 ssl_master_key_match_group_t *g = &mk_groups[i];
7072 hex_key = g_match_info_fetch_named(mi, g->re_group_name);
7073 if (hex_key && *hex_key) {
7074 ssl_debug_printf(" matched %s\n", g->re_group_name);
7075 ht = g->master_key_ht;
7076 from_hex(key, hex_key, strlen(hex_key));
7077 g_free(hex_key);
7078 break;
7079 }
7080 g_free(hex_key);
7081 }
7082 DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7082, "ht")))); /* Cannot be reached, or regex is wrong. */
7083
7084 g_hash_table_insert(ht, key, pre_ms_or_ms);
7085
7086 } else if (linelen > 0 && line[0] != '#') {
7087 ssl_debug_printf(" unrecognized line\n");
7088 }
7089 /* always free match info even if there is no match. */
7090 g_match_info_free(mi);
7091 }
7092}
7093
7094void
7095ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
7096 const ssl_master_key_map_t *mk_map)
7097{
7098 /* no need to try if no key log file is configured. */
7099 if (!tls_keylog_filename || !*tls_keylog_filename) {
7100 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
7101 G_STRFUNC((const char*) (__func__)));
7102 return;
7103 }
7104
7105 /* Validate regexes before even trying to use it. */
7106 if (!ssl_compile_keyfile_regex()) {
7107 return;
7108 }
7109
7110 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);
7111
7112 /* if the keylog file was deleted/overwritten, re-open it */
7113 if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {
7114 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));
7115 fclose(*keylog_file);
7116 *keylog_file = NULL((void*)0);
7117 }
7118
7119 if (*keylog_file == NULL((void*)0)) {
7120 *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");
7121 if (!*keylog_file) {
7122 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));
7123 return;
7124 }
7125 }
7126
7127 for (;;) {
7128 char buf[1110], *line;
7129 line = fgets(buf, sizeof(buf), *keylog_file);
7130 if (!line) {
7131 if (feof(*keylog_file)) {
7132 /* Ensure that newly appended keys can be read in the future. */
7133 clearerr(*keylog_file);
7134 } else if (ferror(*keylog_file)) {
7135 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));
7136 fclose(*keylog_file);
7137 *keylog_file = NULL((void*)0);
7138 }
7139 break;
7140 }
7141 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
7142 }
7143}
7144/** SSL keylog file handling. }}} */
7145
7146#ifdef SSL_DECRYPT_DEBUG /* {{{ */
7147
7148static FILE* ssl_debug_file;
7149
7150void
7151ssl_set_debug(const char* name)
7152{
7153 static int debug_file_must_be_closed;
7154 int use_stderr;
7155
7156 use_stderr = name?(strcmp(name, SSL_DEBUG_USE_STDERR"-") == 0):0;
7157
7158 if (debug_file_must_be_closed)
7159 fclose(ssl_debug_file);
7160
7161 if (use_stderr)
7162 ssl_debug_file = stderrstderr;
7163 else if (!name || (strcmp(name, "") ==0))
7164 ssl_debug_file = NULL((void*)0);
7165 else
7166 ssl_debug_file = ws_fopenfopen(name, "w");
7167
7168 if (!use_stderr && ssl_debug_file)
7169 debug_file_must_be_closed = 1;
7170 else
7171 debug_file_must_be_closed = 0;
7172
7173 ssl_debug_printf("Wireshark SSL debug log \n\n");
7174#ifdef HAVE_LIBGNUTLS1
7175 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL((void*)0)));
7176#endif
7177 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL((void*)0)));
7178 ssl_debug_printf("\n");
7179}
7180
7181void
7182ssl_debug_flush(void)
7183{
7184 if (ssl_debug_file)
7185 fflush(ssl_debug_file);
7186}
7187
7188void
7189ssl_debug_printf(const char* fmt, ...)
7190{
7191 va_list ap;
7192
7193 if (!ssl_debug_file)
7194 return;
7195
7196 va_start(ap, fmt)__builtin_va_start(ap, fmt);
7197 vfprintf(ssl_debug_file, fmt, ap);
7198 va_end(ap)__builtin_va_end(ap);
7199}
7200
7201void
7202ssl_print_data(const char* name, const unsigned char* data, size_t len)
7203{
7204 size_t i, j, k;
7205 if (!ssl_debug_file)
7206 return;
7207 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
7208 for (i=0; i<len; i+=16) {
7209 fprintf(ssl_debug_file,"| ");
7210 for (j=i, k=0; k<16 && j<len; ++j, ++k)
7211 fprintf(ssl_debug_file,"%.2x ",data[j]);
7212 for (; k<16; ++k)
7213 fprintf(ssl_debug_file," ");
7214 fputc('|', ssl_debug_file);
7215 for (j=i, k=0; k<16 && j<len; ++j, ++k) {
7216 unsigned char c = data[j];
7217 if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';
7218 fputc(c, ssl_debug_file);
7219 }
7220 for (; k<16; ++k)
7221 fputc(' ', ssl_debug_file);
7222 fprintf(ssl_debug_file,"|\n");
7223 }
7224}
7225
7226void
7227ssl_print_string(const char* name, const StringInfo* data)
7228{
7229 ssl_print_data(name, data->data, data->data_len);
7230}
7231#endif /* SSL_DECRYPT_DEBUG }}} */
7232
7233/* UAT preferences callbacks. {{{ */
7234/* checks for SSL and DTLS UAT key list fields */
7235
7236bool_Bool
7237ssldecrypt_uat_fld_ip_chk_cb(void* r _U___attribute__((unused)), const char* p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7238{
7239 // This should be removed in favor of Decode As. Make it optional.
7240 *err = NULL((void*)0);
7241 return true1;
7242}
7243
7244bool_Bool
7245ssldecrypt_uat_fld_port_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7246{
7247 if (!p || strlen(p) == 0u) {
7248 // This should be removed in favor of Decode As. Make it optional.
7249 *err = NULL((void*)0);
7250 return true1;
7251 }
7252
7253 if (strcmp(p, "start_tls") != 0){
7254 uint16_t port;
7255 if (!ws_strtou16(p, NULL((void*)0), &port)) {
7256 *err = g_strdup("Invalid port given.")g_strdup_inline ("Invalid port given.");
7257 return false0;
7258 }
7259 }
7260
7261 *err = NULL((void*)0);
7262 return true1;
7263}
7264
7265bool_Bool
7266ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7267{
7268 ws_statb64struct stat st;
7269
7270 if (!p || strlen(p) == 0u) {
7271 *err = g_strdup("No filename given.")g_strdup_inline ("No filename given.");
7272 return false0;
7273 } else {
7274 if (ws_stat64stat(p, &st) != 0) {
7275 *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p)wmem_strdup_printf(((void*)0), "File '%s' does not exist or access is denied."
, p);
7276 return false0;
7277 }
7278 }
7279
7280 *err = NULL((void*)0);
7281 return true1;
7282}
7283
7284bool_Bool
7285ssldecrypt_uat_fld_password_chk_cb(void *r _U___attribute__((unused)), const char *p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void *u1 _U___attribute__((unused)), const void *u2 _U___attribute__((unused)), char **err)
7286{
7287#if defined(HAVE_LIBGNUTLS1)
7288 ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;
7289 FILE *fp = NULL((void*)0);
7290
7291 if (p && (strlen(p) > 0u)) {
7292 fp = ws_fopenfopen(f->keyfile, "rb");
7293 if (fp) {
7294 char *msg = NULL((void*)0);
7295 gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
7296 if (!priv_key) {
7297 fclose(fp);
7298 *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg)wmem_strdup_printf(((void*)0), "Could not load PKCS#12 key file: %s"
, msg);
7299 g_free(msg);
7300 return false0;
7301 }
7302 g_free(msg);
7303 gnutls_x509_privkey_deinit(priv_key);
7304 fclose(fp);
7305 } else {
7306 *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.")wmem_strdup_printf(((void*)0), "Leave this field blank if the keyfile is not PKCS#12."
);
7307 return false0;
7308 }
7309 }
7310
7311 *err = NULL((void*)0);
7312 return true1;
7313#else
7314 *err = g_strdup("Cannot load key files, support is not compiled in.")g_strdup_inline ("Cannot load key files, support is not compiled in."
);
7315 return false0;
7316#endif
7317}
7318/* UAT preferences callbacks. }}} */
7319
7320/** maximum size of ssl_association_info() string */
7321#define SSL_ASSOC_MAX_LEN8192 8192
7322
7323typedef struct ssl_association_info_callback_data
7324{
7325 char *str;
7326 const char *table_protocol;
7327} ssl_association_info_callback_data_t;
7328
7329/**
7330 * callback function used by ssl_association_info() to traverse the SSL associations.
7331 */
7332static void
7333ssl_association_info_(const char *table _U___attribute__((unused)), void *handle, void *user_data)
7334{
7335 ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;
7336 const int l = (const int)strlen(data->str);
7337 snprintf(data->str+l, SSL_ASSOC_MAX_LEN8192-l, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t)handle), dissector_handle_get_description((dissector_handle_t)handle));
7338}
7339
7340/**
7341 * @return an information string on the SSL protocol associations. The string must be freed.
7342 */
7343char*
7344ssl_association_info(const char* dissector_table_name, const char* table_protocol)
7345{
7346 ssl_association_info_callback_data_t data;
7347
7348 data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN8192);
7349 data.table_protocol = table_protocol;
7350 dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
7351 return data.str;
7352}
7353
7354
7355/** Begin of code related to dissection of wire data. */
7356
7357/* Helpers for dissecting Variable-Length Vectors. {{{ */
7358bool_Bool
7359ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7360 unsigned offset, unsigned offset_end, uint32_t *ret_length,
7361 int hf_length, uint32_t min_value, uint32_t max_value)
7362{
7363 unsigned veclen_size;
7364 uint32_t veclen_value;
7365 proto_item *pi;
7366
7367 DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value)((void) ((min_value <= max_value) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "min_value" " " "<=" " " "max_value"
" (" "%" "l" "u" " " "<=" " " "%" "l" "u" ")", "epan/dissectors/packet-tls-utils.c"
, 7367, (uint64_t)min_value, (uint64_t)max_value))));
7368 if (offset > offset_end) {
7369 expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
7370 "Vector offset is past buffer end offset (%u > %u)",
7371 offset, offset_end);
7372 *ret_length = 0;
7373 return false0; /* Cannot read length. */
7374 }
7375
7376 if (max_value > 0xffffff) {
7377 veclen_size = 4;
7378 } else if (max_value > 0xffff) {
7379 veclen_size = 3;
7380 } else if (max_value > 0xff) {
7381 veclen_size = 2;
7382 } else {
7383 veclen_size = 1;
7384 }
7385
7386 if (offset_end - offset < veclen_size) {
7387 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7388 tvb, offset, offset_end - offset,
7389 "No more room for vector of length %u",
7390 veclen_size);
7391 *ret_length = 0;
7392 return false0; /* Cannot read length. */
7393 }
7394
7395 pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN0x00000000, &veclen_value);
7396 offset += veclen_size;
7397
7398 if (veclen_value < min_value) {
7399 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7400 "Vector length %u is smaller than minimum %u",
7401 veclen_value, min_value);
7402 } else if (veclen_value > max_value) {
7403 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7404 "Vector length %u is larger than maximum %u",
7405 veclen_value, max_value);
7406 }
7407
7408 if (offset_end - offset < veclen_value) {
7409 expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
7410 "Vector length %u is too large, truncating it to %u",
7411 veclen_value, offset_end - offset);
7412 *ret_length = offset_end - offset;
7413 return false0; /* Length is truncated to avoid overflow. */
7414 }
7415
7416 *ret_length = veclen_value;
7417 return true1; /* Length is OK. */
7418}
7419
7420bool_Bool
7421ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7422 unsigned offset, unsigned offset_end)
7423{
7424 if (offset < offset_end) {
7425 unsigned trailing = offset_end - offset;
7426 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
7427 tvb, offset, trailing,
7428 "%u trailing byte%s unprocessed",
7429 trailing, plurality(trailing, " was", "s were")((trailing) == 1 ? (" was") : ("s were")));
7430 return false0; /* unprocessed data warning */
7431 } else if (offset > offset_end) {
7432 /*
7433 * Returned offset runs past the end. This should not happen and is
7434 * possibly a dissector bug.
7435 */
7436 unsigned excess = offset - offset_end;
7437 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7438 tvb, offset_end, excess,
7439 "Dissector processed too much data (%u byte%s)",
7440 excess, plurality(excess, "", "s")((excess) == 1 ? ("") : ("s")));
7441 return false0; /* overflow error */
7442 }
7443
7444 return true1; /* OK, offset matches. */
7445}
7446/** }}} */
7447
7448
7449static uint32_t
7450ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7451 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7452 uint16_t version, int hf_sig_len, int hf_sig);
7453
7454/* change_cipher_spec(20) dissection */
7455void
7456ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7457 packet_info *pinfo, proto_tree *tree,
7458 uint32_t offset, SslSession *session,
7459 bool_Bool is_from_server,
7460 const SslDecryptSession *ssl)
7461{
7462 /*
7463 * struct {
7464 * enum { change_cipher_spec(1), (255) } type;
7465 * } ChangeCipherSpec;
7466 */
7467 proto_item *ti;
7468 proto_item_set_text(tree,
7469 "%s Record Layer: %s Protocol: Change Cipher Spec",
7470 val_to_str_const(session->version, ssl_version_short_names, "SSL"),
7471 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
7472 ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA0x00000000);
7473
7474 if (session->version == TLSV1DOT3_VERSION0x304) {
7475 /* CCS is a dummy message in TLS 1.3, do not parse it further. */
7476 return;
7477 }
7478
7479 /* Remember frame number of first CCS */
7480 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
7481 if (*ccs_frame == 0)
7482 *ccs_frame = pinfo->num;
7483
7484 /* Use heuristics to detect an abbreviated handshake, assume that missing
7485 * ServerHelloDone implies reusing previously negotiating keys. Then when
7486 * a Session ID or ticket is present, it must be a resumed session.
7487 * Normally this should be done at the Finished message, but that may be
7488 * encrypted so we do it here, at the last cleartext message. */
7489 if (is_from_server && ssl) {
7490 if (session->is_session_resumed) {
7491 const char *resumed = NULL((void*)0);
7492 if (ssl->session_ticket.data_len) {
7493 resumed = "Session Ticket";
7494 } else if (ssl->session_id.data_len) {
7495 resumed = "Session ID";
7496 }
7497 if (resumed) {
7498 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC((const char*) (__func__)), resumed);
7499 } else {
7500 /* Can happen if the capture somehow starts in the middle */
7501 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC((const char*) (__func__)));
7502 }
7503 } else {
7504 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC((const char*) (__func__)));
7505 }
7506 }
7507 if (is_from_server && session->is_session_resumed)
7508 expert_add_info(pinfo, ti, &hf->ei.resumed);
7509}
7510
7511/** Begin of handshake(22) record dissections */
7512
7513/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
7514 * {{{ */
7515static void
7516tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
7517{
7518 uint32_t sighash, hashalg, sigalg;
7519 proto_item *ti_sigalg;
7520 proto_tree *sigalg_tree;
7521
7522 ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
7523 offset, 2, ENC_BIG_ENDIAN0x00000000, &sighash);
7524 if (ja4_data) {
7525 wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash)((gpointer) (gulong) (sighash)));
7526 }
7527
7528 sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);
7529
7530 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
7531 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,
7532 offset, 1, ENC_BIG_ENDIAN0x00000000, &hashalg);
7533 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,
7534 offset + 1, 1, ENC_BIG_ENDIAN0x00000000, &sigalg);
7535
7536 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
7537 if (!try_val_to_str(sighash, tls13_signature_algorithm)) {
7538 proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",
7539 val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),
7540 val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),
7541 sighash);
7542 }
7543} /* }}} */
7544
7545/* dissect a list of hash algorithms, return the number of bytes dissected
7546 this is used for the signature algorithms extension and for the
7547 TLS1.2 certificate request. {{{ */
7548static int
7549ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
7550 packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7551{
7552 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
7553 * struct {
7554 * HashAlgorithm hash;
7555 * SignatureAlgorithm signature;
7556 * } SignatureAndHashAlgorithm;
7557 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
7558 */
7559 proto_tree *subtree;
7560 proto_item *ti;
7561 unsigned sh_alg_length;
7562 uint32_t next_offset;
7563
7564 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
7565 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
7566 hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX(65535) - 1)) {
7567 return offset_end;
7568 }
7569 offset += 2;
7570 next_offset = offset + sh_alg_length;
7571
7572 ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
7573 "Signature Hash Algorithms (%u algorithm%s)",
7574 sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s")((sh_alg_length / 2) == 1 ? ("") : ("s")));
7575 subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);
7576
7577 while (offset + 2 <= next_offset) {
7578 tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
7579 offset += 2;
7580 }
7581
7582 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
7583 offset = next_offset;
7584 }
7585
7586 return offset;
7587} /* }}} */
7588
7589/* Dissection of DistinguishedName (for CertificateRequest and
7590 * certificate_authorities extension). {{{ */
7591static uint32_t
7592tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7593 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7594{
7595 proto_item *ti;
7596 proto_tree *subtree;
7597 uint32_t dnames_length, next_offset;
7598 asn1_ctx_t asn1_ctx;
7599 int dnames_count = 100; /* the maximum number of DNs to add to the tree */
7600
7601 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
7602 /* DistinguishedName certificate_authorities<0..2^16-1> */
7603 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
7604 hf->hf.hs_dnames_len, 0, UINT16_MAX(65535))) {
7605 return offset_end;
7606 }
7607 offset += 2;
7608 next_offset = offset + dnames_length;
7609
7610 if (dnames_length > 0) {
7611 ti = proto_tree_add_none_format(tree,
7612 hf->hf.hs_dnames,
7613 tvb, offset, dnames_length,
7614 "Distinguished Names (%d byte%s)",
7615 dnames_length,
7616 plurality(dnames_length, "", "s")((dnames_length) == 1 ? ("") : ("s")));
7617 subtree = proto_item_add_subtree(ti, hf->ett.dnames);
7618
7619 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7620
7621 while (offset < next_offset) {
7622 /* get the length of the current certificate */
7623 uint32_t name_length;
7624
7625 if (dnames_count-- == 0) {
7626 /* stop adding to tree when the list is considered too large
7627 * https://gitlab.com/wireshark/wireshark/-/issues/16202
7628 Note: dnames_count must be set low enough not to hit the
7629 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
7630 */
7631 ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
7632 tvb, offset, next_offset - offset, ENC_NA0x00000000);
7633 proto_item_set_generated(ti);
7634 return next_offset;
7635 }
7636
7637 /* opaque DistinguishedName<1..2^16-1> */
7638 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
7639 hf->hf.hs_dname_len, 1, UINT16_MAX(65535))) {
7640 return next_offset;
7641 }
7642 offset += 2;
7643
7644 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
7645 subtree, hf->hf.hs_dname);
7646 offset += name_length;
7647 }
7648 }
7649 return offset;
7650} /* }}} */
7651
7652
7653/** TLS Extensions (in Client Hello and Server Hello). {{{ */
7654static int
7655ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7656 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7657{
7658 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
7659}
7660
7661static int
7662ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7663 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
7664{
7665 if (hnd_type == SSL_HND_CLIENT_HELLO ||
7666 hnd_type == SSL_HND_CERT_REQUEST) {
7667 /*
7668 * struct {
7669 * SignatureScheme supported_signature_algorithm<2..2^16-2>;
7670 * } SignatureSchemeList;
7671 */
7672
7673 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
7674 } else {
7675 asn1_ctx_t asn1_ctx;
7676 unsigned pubkey_length, sign_length;
7677
7678 /*
7679 * struct {
7680 * uint32 valid_time;
7681 * SignatureScheme expected_cert_verify_algorithm;
7682 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
7683 * } Credential;
7684 *
7685 * struct {
7686 * Credential cred;
7687 * SignatureScheme algorithm;
7688 * opaque signature<0..2^16-1>;
7689 * } DelegatedCredential;
7690 */
7691
7692 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7693
7694 proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7695 offset += 4;
7696
7697 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7698 offset += 2;
7699
7700 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
7701 hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24((1U << 24) - 1))) {
7702 return offset_end;
7703 }
7704 offset += 3;
7705 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
7706 offset += pubkey_length;
7707
7708 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7709 offset += 2;
7710
7711 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
7712 hf->hf.hs_cred_signature_len, 1, UINT16_MAX(65535))) {
7713 return offset_end;
7714 }
7715 offset += 2;
7716 proto_tree_add_item(tree, hf->hf.hs_cred_signature,
7717 tvb, offset, sign_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7718 offset += sign_length;
7719
7720 return offset;
7721 }
7722}
7723
7724static int
7725ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7726 packet_info *pinfo, proto_tree *tree,
7727 uint32_t offset, uint32_t offset_end,
7728 uint8_t hnd_type)
7729{
7730
7731 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */
7732
7733 switch (hnd_type) {
7734 case SSL_HND_CLIENT_HELLO: {
7735 proto_tree *alps_tree;
7736 proto_item *ti;
7737 uint32_t next_offset, alps_length, name_length;
7738
7739 /*
7740 * opaque ProtocolName<1..2^8-1>;
7741 * struct {
7742 * ProtocolName supported_protocols<2..2^16-1>
7743 * } ApplicationSettingsSupport;
7744 */
7745
7746 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
7747 hf->hf.hs_ext_alps_len, 2, UINT16_MAX(65535))) {
7748 return offset_end;
7749 }
7750 offset += 2;
7751 next_offset = offset + alps_length;
7752
7753 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
7754 tvb, offset, alps_length, ENC_NA0x00000000);
7755 alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);
7756
7757 /* Parse list (note missing check for end of vector, ssl_add_vector below
7758 * ensures that data is always available.) */
7759 while (offset < next_offset) {
7760 if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
7761 hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX(255))) {
7762 return next_offset;
7763 }
7764 offset++;
7765
7766 proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
7767 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7768 offset += name_length;
7769 }
7770
7771 return offset;
7772 }
7773 case SSL_HND_ENCRYPTED_EXTS:
7774 /* Opaque blob */
7775 proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
7776 tvb, offset, offset_end - offset, ENC_ASCII0x00000000|ENC_NA0x00000000);
7777 break;
7778 }
7779
7780 return offset_end;
7781}
7782
7783static int
7784ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7785 packet_info *pinfo, proto_tree *tree,
7786 uint32_t offset, uint32_t offset_end,
7787 uint8_t hnd_type, SslSession *session,
7788 bool_Bool is_dtls, ja4_data_t *ja4_data)
7789{
7790
7791 /* https://tools.ietf.org/html/rfc7301#section-3.1
7792 * opaque ProtocolName<1..2^8-1>;
7793 * struct {
7794 * ProtocolName protocol_name_list<2..2^16-1>
7795 * } ProtocolNameList;
7796 */
7797 proto_tree *alpn_tree;
7798 proto_item *ti;
7799 uint32_t next_offset, alpn_length, name_length;
7800 uint8_t *proto_name = NULL((void*)0), *client_proto_name = NULL((void*)0);
7801
7802 /* ProtocolName protocol_name_list<2..2^16-1> */
7803 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
7804 hf->hf.hs_ext_alpn_len, 2, UINT16_MAX(65535))) {
7805 return offset_end;
7806 }
7807 offset += 2;
7808 next_offset = offset + alpn_length;
7809
7810 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
7811 tvb, offset, alpn_length, ENC_NA0x00000000);
7812 alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);
7813
7814 /* Parse list (note missing check for end of vector, ssl_add_vector below
7815 * ensures that data is always available.) */
7816 while (offset < next_offset) {
7817 /* opaque ProtocolName<1..2^8-1> */
7818 if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
7819 hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX(255))) {
7820 return next_offset;
7821 }
7822 offset++;
7823
7824 proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
7825 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7826 if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
7827 const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
7828 const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
7829 if ((g_ascii_isprint(alpn_first_char)((g_ascii_table[(guchar) (alpn_first_char)] & G_ASCII_PRINT
) != 0)) && g_ascii_isprint(alpn_last_char)((g_ascii_table[(guchar) (alpn_last_char)] & G_ASCII_PRINT
) != 0)) {
7830 wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
7831 }
7832 else {
7833 wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
7834 alpn_last_char & 0x0F);
7835 }
7836 }
7837 /* Remember first ALPN ProtocolName entry for server. */
7838 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
7839 /* '\0'-terminated string for dissector table match and prefix
7840 * comparison purposes. */
7841 proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7842 name_length, ENC_ASCII0x00000000);
7843 } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
7844 client_proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7845 name_length, ENC_ASCII0x00000000);
7846 }
7847 offset += name_length;
7848 }
7849
7850 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
7851 * exactly one "ProtocolName". */
7852 if (proto_name) {
7853 dissector_handle_t handle;
7854
7855 session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);
7856
7857 if (is_dtls) {
7858 handle = dissector_get_string_handle(dtls_alpn_dissector_table,
7859 proto_name);
7860 } else {
7861 handle = dissector_get_string_handle(ssl_alpn_dissector_table,
7862 proto_name);
7863 if (handle == NULL((void*)0)) {
7864 /* Try prefix matching */
7865 for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols)(sizeof (ssl_alpn_prefix_match_protocols) / sizeof ((ssl_alpn_prefix_match_protocols
)[0])); i++) {
7866 const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];
7867
7868 /* string_string is inappropriate as it compares strings
7869 * while "byte strings MUST NOT be truncated" (RFC 7301) */
7870 if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)(__builtin_constant_p (alpn_proto->proto_prefix)? __extension__
({ const char * const __str = (proto_name); const char * const
__prefix = (alpn_proto->proto_prefix); gboolean __result =
(0); if (__str == ((void*)0) || __prefix == ((void*)0)) __result
= (g_str_has_prefix) (__str, __prefix); else { const size_t __str_len
= strlen (((__str) + !(__str))); const size_t __prefix_len =
strlen (((__prefix) + !(__prefix))); if (__str_len >= __prefix_len
) __result = memcmp (((__str) + !(__str)), ((__prefix) + !(__prefix
)), __prefix_len) == 0; } __result; }) : (g_str_has_prefix) (
proto_name, alpn_proto->proto_prefix) )) {
7871 handle = find_dissector(alpn_proto->dissector_name);
7872 break;
7873 }
7874 }
7875 }
7876 }
7877 if (handle != NULL((void*)0)) {
7878 /* ProtocolName match, so set the App data dissector handle.
7879 * This may override protocols given via the UAT dialog, but
7880 * since the ALPN hint is precise, do it anyway. */
7881 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC((const char*) (__func__)),
7882 (void *)session->app_handle,
7883 (void *)handle,
7884 dissector_handle_get_dissector_name(handle));
7885 session->app_handle = handle;
7886 }
7887 } else if (client_proto_name) {
7888 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
7889 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
7890 session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
7891 }
7892
7893 return offset;
7894}
7895
7896static int
7897ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7898 packet_info *pinfo, proto_tree *tree,
7899 uint32_t offset, uint32_t offset_end)
7900{
7901 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
7902 * The "extension_data" field of a "next_protocol_negotiation" extension
7903 * in a "ServerHello" contains an optional list of protocols advertised
7904 * by the server. Protocols are named by opaque, non-empty byte strings
7905 * and the list of protocols is serialized as a concatenation of 8-bit,
7906 * length prefixed byte strings. Implementations MUST ensure that the
7907 * empty string is not included and that no byte strings are truncated.
7908 */
7909 uint32_t npn_length;
7910 proto_tree *npn_tree;
7911
7912 /* List is optional, do not add tree if there are no entries. */
7913 if (offset == offset_end) {
7914 return offset;
7915 }
7916
7917 npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL((void*)0), "Next Protocol Negotiation");
7918
7919 while (offset < offset_end) {
7920 /* non-empty, 8-bit length prefixed strings means range 1..255 */
7921 if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,
7922 hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX(255))) {
7923 return offset_end;
7924 }
7925 offset++;
7926
7927 proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
7928 tvb, offset, npn_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7929 offset += npn_length;
7930 }
7931
7932 return offset;
7933}
7934
7935static int
7936ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7937 packet_info *pinfo, proto_tree *tree,
7938 uint32_t offset, uint32_t offset_end)
7939{
7940 /* https://tools.ietf.org/html/rfc5746#section-3.2
7941 * struct {
7942 * opaque renegotiated_connection<0..255>;
7943 * } RenegotiationInfo;
7944 *
7945 */
7946 proto_tree *reneg_info_tree;
7947 uint32_t reneg_info_length;
7948
7949 reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL((void*)0), "Renegotiation Info extension");
7950
7951 /* opaque renegotiated_connection<0..255> */
7952 if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,
7953 hf->hf.hs_ext_reneg_info_len, 0, 255)) {
7954 return offset_end;
7955 }
7956 offset++;
7957
7958 if (reneg_info_length > 0) {
7959 proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA0x00000000);
7960 offset += reneg_info_length;
7961 }
7962
7963 return offset;
7964}
7965
7966static int
7967ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7968 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7969 const char **group_name_out)
7970{
7971 /* RFC 8446 Section 4.2.8
7972 * struct {
7973 * NamedGroup group;
7974 * opaque key_exchange<1..2^16-1>;
7975 * } KeyShareEntry;
7976 */
7977 uint32_t key_exchange_length, group;
7978 proto_tree *ks_tree;
7979
7980 ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL((void*)0), "Key Share Entry");
7981
7982 proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
7983 offset += 2;
7984 const char *group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
7985 proto_item_append_text(ks_tree, ": Group: %s", group_name);
7986 if (group_name_out) {
7987 *group_name_out = !IS_GREASE_TLS(group)((((group) & 0x0f0f) == 0x0a0a) && (((group) &
0xff) == (((group)>>8) & 0xff))) ? group_name : NULL((void*)0);
7988 }
7989
7990 /* opaque key_exchange<1..2^16-1> */
7991 if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
7992 hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX(65535))) {
7993 return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
7994 }
7995 offset += 2;
7996 proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
7997 proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);
7998
7999 proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA0x00000000);
8000 offset += key_exchange_length;
8001
8002 return offset;
8003}
8004
8005static int
8006ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8007 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8008 uint8_t hnd_type)
8009{
8010 proto_tree *key_share_tree;
8011 uint32_t next_offset;
8012 uint32_t client_shares_length;
8013 uint32_t group;
8014 const char *group_name = NULL((void*)0);
8015
8016 if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
8017 return offset;
8018 }
8019
8020 key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL((void*)0), "Key Share extension");
8021
8022 switch(hnd_type){
8023 case SSL_HND_CLIENT_HELLO:
8024 /* KeyShareEntry client_shares<0..2^16-1> */
8025 if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
8026 hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX(65535))) {
8027 return offset_end;
8028 }
8029 offset += 2;
8030 next_offset = offset + client_shares_length;
8031 const char *sep = " ";
8032 while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
8033 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
8034 if (group_name) {
8035 proto_item_append_text(tree, "%s%s", sep, group_name);
8036 sep = ", ";
8037 }
8038 }
8039 if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
8040 return next_offset;
8041 }
8042 break;
8043 case SSL_HND_SERVER_HELLO:
8044 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
8045 if (group_name) {
8046 proto_item_append_text(tree, " %s", group_name);
8047 }
8048 break;
8049 case SSL_HND_HELLO_RETRY_REQUEST:
8050 proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
8051 offset += 2;
8052 group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
8053 proto_item_append_text(tree, " %s", group_name);
8054 break;
8055 default: /* no default */
8056 break;
8057 }
8058
8059 return offset;
8060}
8061
8062static int
8063ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8064 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8065 uint8_t hnd_type)
8066{
8067 /* RFC 8446 Section 4.2.11
8068 * struct {
8069 * opaque identity<1..2^16-1>;
8070 * uint32 obfuscated_ticket_age;
8071 * } PskIdentity;
8072 * opaque PskBinderEntry<32..255>;
8073 * struct {
8074 * select (Handshake.msg_type) {
8075 * case client_hello:
8076 * PskIdentity identities<7..2^16-1>;
8077 * PskBinderEntry binders<33..2^16-1>;
8078 * case server_hello:
8079 * uint16 selected_identity;
8080 * };
8081 * } PreSharedKeyExtension;
8082 */
8083
8084 proto_tree *psk_tree;
8085
8086 psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL((void*)0), "Pre-Shared Key extension");
8087
8088 switch (hnd_type){
8089 case SSL_HND_CLIENT_HELLO: {
8090 uint32_t identities_length, identities_end, binders_length;
8091
8092 /* PskIdentity identities<7..2^16-1> */
8093 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
8094 hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX(65535))) {
8095 return offset_end;
8096 }
8097 offset += 2;
8098 identities_end = offset + identities_length;
8099
8100 while (offset < identities_end) {
8101 uint32_t identity_length;
8102 proto_tree *identity_tree;
8103
8104 identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL((void*)0), "PSK Identity (");
8105
8106 /* opaque identity<1..2^16-1> */
8107 if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
8108 hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX(65535))) {
8109 return identities_end;
8110 }
8111 offset += 2;
8112 proto_item_append_text(identity_tree, "length: %u)", identity_length);
8113
8114 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN0x00000000);
8115 offset += identity_length;
8116
8117 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8118 offset += 4;
8119
8120 proto_item_set_len(identity_tree, 2 + identity_length + 4);
8121 }
8122 if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
8123 offset = identities_end;
8124 }
8125
8126 /* PskBinderEntry binders<33..2^16-1> */
8127 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
8128 hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX(65535))) {
8129 return offset_end;
8130 }
8131 offset += 2;
8132
8133 proto_item *binders_item;
8134 proto_tree *binders_tree;
8135 binders_item = proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA0x00000000);
8136 binders_tree = proto_item_add_subtree(binders_item, hf->ett.hs_ext_psk_binders);
8137 uint32_t binders_end = offset + binders_length;
8138 while (offset < binders_end) {
8139 uint32_t binder_length;
8140 proto_item *binder_item;
8141 proto_tree *binder_tree;
8142
8143 binder_item = proto_tree_add_item(binders_tree, hf->hf.hs_ext_psk_binder, tvb, offset, 1, ENC_NA0x00000000);
8144 binder_tree = proto_item_add_subtree(binder_item, hf->ett.hs_ext_psk_binder);
8145
8146 /* opaque PskBinderEntry<32..255>; */
8147 if (!ssl_add_vector(hf, tvb, pinfo, binder_tree, offset, binders_end, &binder_length,
8148 hf->hf.hs_ext_psk_binder_binder_length, 32, 255)) {
8149 return binders_end;
8150 }
8151 offset += 1;
8152 proto_item_append_text(binder_tree, " (length: %u)", binder_length);
8153
8154 proto_tree_add_item(binder_tree, hf->hf.hs_ext_psk_binder_binder, tvb, offset, binder_length, ENC_BIG_ENDIAN0x00000000);
8155 offset += binder_length;
8156
8157 proto_item_set_end(binder_item, tvb, offset);
8158 }
8159 }
8160 break;
8161 case SSL_HND_SERVER_HELLO: {
8162 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8163 offset += 2;
8164 }
8165 break;
8166 default:
8167 break;
8168 }
8169
8170 return offset;
8171}
8172
8173static uint32_t
8174ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
8175 proto_tree *tree, uint32_t offset, uint32_t offset_end _U___attribute__((unused)),
8176 uint8_t hnd_type, SslDecryptSession *ssl)
8177{
8178 /* RFC 8446 Section 4.2.10
8179 * struct {} Empty;
8180 * struct {
8181 * select (Handshake.msg_type) {
8182 * case new_session_ticket: uint32 max_early_data_size;
8183 * case client_hello: Empty;
8184 * case encrypted_extensions: Empty;
8185 * };
8186 * } EarlyDataIndication;
8187 */
8188 switch (hnd_type) {
8189 case SSL_HND_CLIENT_HELLO:
8190 /* Remember that early_data will follow the handshake. */
8191 if (ssl) {
8192 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC((const char*) (__func__)));
8193 ssl->has_early_data = true1;
8194 }
8195 break;
8196 case SSL_HND_NEWSESSION_TICKET:
8197 proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8198 offset += 4;
8199 break;
8200 default:
8201 break;
8202 }
8203 return offset;
8204}
8205
8206static uint16_t
8207tls_try_get_version(bool_Bool is_dtls, uint16_t version, uint8_t *draft_version)
8208{
8209 if (draft_version) {
8210 *draft_version = 0;
8211 }
8212 if (!is_dtls) {
8213 uint8_t tls13_draft = extract_tls13_draft_version(version);
8214 if (tls13_draft != 0) {
8215 /* This is TLS 1.3 (a draft version). */
8216 if (draft_version) {
8217 *draft_version = tls13_draft;
8218 }
8219 version = TLSV1DOT3_VERSION0x304;
8220 }
8221 if (version == 0xfb17 || version == 0xfb1a) {
8222 /* Unofficial TLS 1.3 draft version for Facebook fizz. */
8223 tls13_draft = (uint8_t)version;
8224 if (draft_version) {
8225 *draft_version = tls13_draft;
8226 }
8227 version = TLSV1DOT3_VERSION0x304;
8228 }
8229 }
8230
8231 switch (version) {
8232 case SSLV3_VERSION0x300:
8233 case TLSV1_VERSION0x301:
8234 case TLSV1DOT1_VERSION0x302:
8235 case TLSV1DOT2_VERSION0x303:
8236 case TLSV1DOT3_VERSION0x304:
8237 case TLCPV1_VERSION0x101:
8238 if (is_dtls)
8239 return SSL_VER_UNKNOWN0;
8240 break;
8241
8242 case DTLSV1DOT0_VERSION0xfeff:
8243 case DTLSV1DOT0_OPENSSL_VERSION0x100:
8244 case DTLSV1DOT2_VERSION0xfefd:
8245 case DTLSV1DOT3_VERSION0xfefc:
8246 if (!is_dtls)
8247 return SSL_VER_UNKNOWN0;
8248 break;
8249
8250 default: /* invalid version number */
8251 return SSL_VER_UNKNOWN0;
8252 }
8253
8254 return version;
8255}
8256
8257static int
8258ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8259 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8260 SslSession *session, bool_Bool is_dtls, ja4_data_t *ja4_data)
8261{
8262
8263 /* RFC 8446 Section 4.2.1
8264 * struct {
8265 * ProtocolVersion versions<2..254>; // ClientHello
8266 * } SupportedVersions;
8267 * Note that ServerHello and HelloRetryRequest are handled by the caller.
8268 */
8269 uint32_t versions_length, next_offset;
8270 /* ProtocolVersion versions<2..254> */
8271 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
8272 hf->hf.hs_ext_supported_versions_len, 2, 254)) {
8273 return offset_end;
8274 }
8275 offset++;
8276 next_offset = offset + versions_length;
8277
8278 unsigned version;
8279 unsigned current_version, lowest_version = SSL_VER_UNKNOWN0;
8280 uint8_t draft_version, max_draft_version = 0;
8281 const char *sep = " ";
8282 while (offset + 2 <= next_offset) {
8283 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
8284 offset += 2;
8285
8286 if (!IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8287 proto_item_append_text(tree, "%s%s", sep, val_to_str(pinfo->pool, version, ssl_versions, "Unknown (0x%04x)"));
8288 sep = ", ";
8289 }
8290
8291 current_version = tls_try_get_version(is_dtls, version, &draft_version);
8292 if (session->version == SSL_VER_UNKNOWN0) {
8293 if (lowest_version == SSL_VER_UNKNOWN0) {
8294 lowest_version = current_version;
8295 } else if (current_version != SSL_VER_UNKNOWN0) {
8296 if (!is_dtls) {
8297 lowest_version = MIN(lowest_version, current_version)(((lowest_version) < (current_version)) ? (lowest_version)
: (current_version));
8298 } else {
8299 lowest_version = MAX(lowest_version, current_version)(((lowest_version) > (current_version)) ? (lowest_version)
: (current_version));
8300 }
8301 }
8302 }
8303 max_draft_version = MAX(draft_version, max_draft_version)(((draft_version) > (max_draft_version)) ? (draft_version)
: (max_draft_version));
8304 if (ja4_data && !IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8305 /* The DTLS version numbers get mapped to "00" for unknown per
8306 * JA4 spec, but if JA4 ever does support DTLS we'll probably
8307 * need to take the MIN instead of MAX here for DTLS.
8308 */
8309 ja4_data->max_version = MAX(version, ja4_data->max_version)(((version) > (ja4_data->max_version)) ? (version) : (ja4_data
->max_version));
8310 }
8311 }
8312 if (session->version == SSL_VER_UNKNOWN0 && lowest_version != SSL_VER_UNKNOWN0) {
8313 col_set_str(pinfo->cinfo, COL_PROTOCOL,
8314 val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
8315 }
8316 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
8317 offset = next_offset;
8318 }
8319
8320 /* XXX remove this when draft 19 support is dropped,
8321 * this is only required for early data decryption. */
8322 if (max_draft_version) {
8323 session->tls13_draft_version = max_draft_version;
8324 }
8325
8326 return offset;
8327}
8328
8329static int
8330ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8331 packet_info *pinfo, proto_tree *tree,
8332 uint32_t offset, uint32_t offset_end)
8333{
8334 /* RFC 8446 Section 4.2.2
8335 * struct {
8336 * opaque cookie<1..2^16-1>;
8337 * } Cookie;
8338 */
8339 uint32_t cookie_length;
8340 /* opaque cookie<1..2^16-1> */
8341 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
8342 hf->hf.hs_ext_cookie_len, 1, UINT16_MAX(65535))) {
8343 return offset_end;
8344 }
8345 offset += 2;
8346
8347 proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA0x00000000);
8348 offset += cookie_length;
8349
8350 return offset;
8351}
8352
8353static int
8354ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8355 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8356{
8357 /* RFC 8446 Section 4.2.9
8358 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
8359 *
8360 * struct {
8361 * PskKeyExchangeMode ke_modes<1..255>;
8362 * } PskKeyExchangeModes;
8363 */
8364 uint32_t ke_modes_length, next_offset;
8365
8366 /* PskKeyExchangeMode ke_modes<1..255> */
8367 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
8368 hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
8369 return offset_end;
8370 }
8371 offset++;
8372 next_offset = offset + ke_modes_length;
8373
8374 while (offset < next_offset) {
8375 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA0x00000000);
8376 offset++;
8377 }
8378
8379 return offset;
8380}
8381
8382static uint32_t
8383ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8384 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8385{
8386 /* RFC 8446 Section 4.2.4
8387 * opaque DistinguishedName<1..2^16-1>;
8388 * struct {
8389 * DistinguishedName authorities<3..2^16-1>;
8390 * } CertificateAuthoritiesExtension;
8391 */
8392 return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
8393}
8394
8395static int
8396ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8397 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8398{
8399 /* RFC 8446 Section 4.2.5
8400 * struct {
8401 * opaque certificate_extension_oid<1..2^8-1>;
8402 * opaque certificate_extension_values<0..2^16-1>;
8403 * } OIDFilter;
8404 * struct {
8405 * OIDFilter filters<0..2^16-1>;
8406 * } OIDFilterExtension;
8407 */
8408 proto_tree *subtree;
8409 uint32_t filters_length, oid_length, values_length, value_offset;
8410 asn1_ctx_t asn1_ctx;
8411 const char *oid, *name;
8412
8413 /* OIDFilter filters<0..2^16-1> */
8414 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
8415 hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX(65535))) {
8416 return offset_end;
8417 }
8418 offset += 2;
8419 offset_end = offset + filters_length;
8420
8421 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
8422
8423 while (offset < offset_end) {
8424 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
8425 hf->ett.hs_ext_oid_filter, NULL((void*)0), "OID Filter");
8426
8427 /* opaque certificate_extension_oid<1..2^8-1> */
8428 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
8429 hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX(255))) {
8430 return offset_end;
8431 }
8432 offset++;
8433 dissect_ber_object_identifier_str(false0, &asn1_ctx, subtree, tvb, offset,
8434 hf->hf.hs_ext_oid_filters_oid, &oid);
8435 offset += oid_length;
8436
8437 /* Append OID to tree label */
8438 name = oid_resolved_from_string(pinfo->pool, oid);
8439 proto_item_append_text(subtree, " (%s)", name ? name : oid);
8440
8441 /* opaque certificate_extension_values<0..2^16-1> */
8442 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
8443 hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX(65535))) {
8444 return offset_end;
8445 }
8446 offset += 2;
8447 proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
8448 if (values_length > 0) {
8449 value_offset = offset;
8450 value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0), NULL((void*)0));
8451 value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0));
8452 call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL((void*)0));
8453 }
8454 offset += values_length;
8455 }
8456
8457 return offset;
8458}
8459
8460static int
8461ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8462 packet_info *pinfo, proto_tree *tree,
8463 uint32_t offset, uint32_t offset_end)
8464{
8465 /* https://tools.ietf.org/html/rfc6066#section-3
8466 *
8467 * struct {
8468 * NameType name_type;
8469 * select (name_type) {
8470 * case host_name: HostName;
8471 * } name;
8472 * } ServerName;
8473 *
8474 * enum {
8475 * host_name(0), (255)
8476 * } NameType;
8477 *
8478 * opaque HostName<1..2^16-1>;
8479 *
8480 * struct {
8481 * ServerName server_name_list<1..2^16-1>
8482 * } ServerNameList;
8483 */
8484 proto_tree *server_name_tree;
8485 uint32_t list_length, server_name_length, next_offset;
8486
8487 /* The server SHALL include "server_name" extension with empty data. */
8488 if (offset == offset_end) {
8489 return offset;
8490 }
8491
8492 server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL((void*)0), "Server Name Indication extension");
8493
8494 /* ServerName server_name_list<1..2^16-1> */
8495 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
8496 hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX(65535))) {
8497 return offset_end;
8498 }
8499 offset += 2;
8500 next_offset = offset + list_length;
8501
8502 while (offset < next_offset) {
8503 uint32_t name_type;
8504 const uint8_t *server_name = NULL((void*)0);
8505 proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
8506 tvb, offset, 1, ENC_NA0x00000000, &name_type);
8507 offset++;
8508
8509 /* opaque HostName<1..2^16-1> */
8510 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
8511 hf->hf.hs_ext_server_name_len, 1, UINT16_MAX(65535))) {
8512 return next_offset;
8513 }
8514 offset += 2;
8515
8516 proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
8517 tvb, offset, server_name_length, ENC_ASCII0x00000000|ENC_NA0x00000000,
8518 pinfo->pool, &server_name);
8519 offset += server_name_length;
8520 // Each type must only occur once, so we don't check for duplicates.
8521 if (name_type == 0) {
8522 proto_item_append_text(tree, " name=%s", server_name);
8523 col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);
8524
8525 if (gbl_resolv_flags.handshake_sni_addr_resolution) {
8526 // Client Hello: Client (Src) -> Server (Dst)
8527 switch (pinfo->dst.type) {
8528 case AT_IPv4:
8529 if (pinfo->dst.len == sizeof(uint32_t)) {
8530 add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false0);
8531 }
8532 break;
8533 case AT_IPv6:
8534 if (pinfo->dst.len == sizeof(ws_in6_addr)) {
8535 add_ipv6_name(pinfo->dst.data, server_name, false0);
8536 }
8537 break;
8538 }
8539 }
8540 }
8541 }
8542 return offset;
8543}
8544
8545static int
8546ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8547 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
8548{
8549 unsigned ext_len = offset_end - offset;
8550 if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
8551 tvb_ensure_bytes_exist(tvb, offset, ext_len);
8552 /* Save the Session Ticket such that it can be used as identifier for
8553 * restoring a previous Master Secret (in ChangeCipherSpec) */
8554 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
8555 ssl->session_ticket.data, ext_len);
8556 ssl->session_ticket.data_len = ext_len;
8557 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
8558 }
8559 proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
8560 tvb, offset, ext_len, ENC_NA0x00000000);
8561 return offset + ext_len;
8562}
8563
8564static int
8565ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8566 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8567 uint8_t hnd_type, uint16_t ext_type, SslSession *session)
8568{
8569 uint8_t cert_list_length;
8570 uint8_t cert_type;
8571 proto_tree *cert_list_tree;
8572 proto_item *ti;
8573
8574 switch(hnd_type){
8575 case SSL_HND_CLIENT_HELLO:
8576 cert_list_length = tvb_get_uint8(tvb, offset);
8577 proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
8578 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8579 offset += 1;
8580 if (offset_end - offset != (uint32_t)cert_list_length)
8581 return offset;
8582
8583 ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
8584 cert_list_length, cert_list_length);
8585 proto_item_append_text(ti, " (%d)", cert_list_length);
8586
8587 /* make this a subtree */
8588 cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);
8589
8590 /* loop over all point formats */
8591 while (cert_list_length > 0)
8592 {
8593 proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8594 offset++;
8595 cert_list_length--;
8596 }
8597 break;
8598 case SSL_HND_SERVER_HELLO:
8599 case SSL_HND_ENCRYPTED_EXTENSIONS:
8600 case SSL_HND_CERTIFICATE:
8601 cert_type = tvb_get_uint8(tvb, offset);
8602 proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8603 offset += 1;
8604 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19) {
8605 session->client_cert_type = cert_type;
8606 }
8607 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20) {
8608 session->server_cert_type = cert_type;
8609 }
8610 break;
8611 default: /* no default */
8612 break;
8613 }
8614
8615 return offset;
8616}
8617
8618static uint32_t
8619ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8620 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8621 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8622{
8623 uint32_t compress_certificate_algorithms_length, next_offset;
8624
8625 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
8626 * enum {
8627 * zlib(1),
8628 * brotli(2),
8629 * (65535)
8630 * } CertificateCompressionAlgorithm;
8631 *
8632 * struct {
8633 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;
8634 * } CertificateCompressionAlgorithms;
8635 */
8636 switch (hnd_type) {
8637 case SSL_HND_CLIENT_HELLO:
8638 case SSL_HND_CERT_REQUEST:
8639 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
8640 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
8641 hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX(255)-1)) {
8642 return offset_end;
8643 }
8644 offset += 1;
8645 next_offset = offset + compress_certificate_algorithms_length;
8646
8647 while (offset < next_offset) {
8648 proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
8649 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8650 offset += 2;
8651 }
8652 break;
8653 default:
8654 break;
8655 }
8656
8657 return offset;
8658}
8659
8660static uint32_t
8661ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8662 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8663 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8664{
8665 uint32_t key_parameters_length, next_offset;
8666 proto_item *p_ti;
8667 proto_tree *p_tree;
8668
8669 /* RFC 8472
8670 *
8671 * struct {
8672 * uint8 major;
8673 * uint8 minor;
8674 * } TB_ProtocolVersion;
8675 *
8676 * enum {
8677 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
8678 * } TokenBindingKeyParameters;
8679 *
8680 * struct {
8681 * TB_ProtocolVersion token_binding_version;
8682 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>
8683 * } TokenBindingParameters;
8684 */
8685
8686 switch (hnd_type) {
8687 case SSL_HND_CLIENT_HELLO:
8688 case SSL_HND_SERVER_HELLO:
8689 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8690 offset += 1;
8691 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8692 offset += 1;
8693
8694 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,
8695 hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX(255))) {
8696 return offset_end;
8697 }
8698 offset += 1;
8699 next_offset = offset + key_parameters_length;
8700
8701 p_ti = proto_tree_add_none_format(tree,
8702 hf->hf.hs_ext_token_binding_key_parameters,
8703 tvb, offset, key_parameters_length,
8704 "Key parameters identifiers (%d identifier%s)",
8705 key_parameters_length,
8706 plurality(key_parameters_length, "", "s")((key_parameters_length) == 1 ? ("") : ("s")));
8707 p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);
8708
8709 while (offset < next_offset) {
8710 proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,
8711 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8712 offset += 1;
8713 }
8714
8715 if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {
8716 offset = next_offset;
8717 }
8718
8719 break;
8720 default:
8721 break;
8722 }
8723
8724 return offset;
8725}
8726
8727static uint32_t
8728ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8729 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8730 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8731{
8732 bool_Bool use_varint_encoding = true1; // Whether this is draft -27 or newer.
8733 uint32_t next_offset;
8734
8735 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8736 *
8737 * Note: the following structures are not literally defined in the spec,
8738 * they instead use an ASCII diagram.
8739 *
8740 * struct {
8741 * uint16 id;
8742 * opaque value<0..2^16-1>;
8743 * } TransportParameter; // before draft -27
8744 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8745 *
8746 * struct {
8747 * opaque ipv4Address[4];
8748 * uint16 ipv4Port;
8749 * opaque ipv6Address[16];
8750 * uint16 ipv6Port;
8751 * opaque connectionId<0..18>;
8752 * opaque statelessResetToken[16];
8753 * } PreferredAddress;
8754 */
8755
8756 if (offset_end - offset >= 6 &&
8757 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
8758 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
8759 // Assume encoding of Transport Parameters draft -26 or older with at
8760 // least one transport parameter that has a valid length.
8761 use_varint_encoding = false0;
8762 }
8763
8764 if (use_varint_encoding) {
8765 next_offset = offset_end;
8766 } else {
8767 uint32_t quic_length;
8768 // Assume draft -26 or earlier.
8769 /* TransportParameter TransportParameters<0..2^16-1>; */
8770 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
8771 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {
8772 return offset_end;
8773 }
8774 offset += 2;
8775 next_offset = offset + quic_length;
8776 }
8777
8778 while (offset < next_offset) {
8779 uint64_t parameter_type; /* 62-bit space */
8780 uint32_t parameter_length;
8781 proto_tree *parameter_tree;
8782 uint32_t parameter_end_offset;
8783 uint64_t value;
8784 uint32_t len = 0, i;
8785
8786 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
8787 NULL((void*)0), "Parameter");
8788 /* TransportParameter ID and Length. */
8789 if (use_varint_encoding) {
8790 uint64_t parameter_length64;
8791 uint32_t type_len = 0;
8792
8793 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8794 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);
8795 offset += type_len;
8796
8797 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
8798 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);
8799 parameter_length = (uint32_t)parameter_length64;
8800 offset += len;
8801
8802 proto_item_set_len(parameter_tree, type_len + len + parameter_length);
8803 } else {
8804 parameter_type = tvb_get_ntohs(tvb, offset);
8805 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8806 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8807 offset += 2;
8808
8809 /* opaque value<0..2^16-1> */
8810 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
8811 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {
8812 return next_offset;
8813 }
8814 offset += 2;
8815
8816 proto_item_set_len(parameter_tree, 4 + parameter_length);
8817 }
8818
8819 if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
0) : 0)) {
8820 proto_item_append_text(parameter_tree, ": GREASE");
8821 } else {
8822 proto_item_append_text(parameter_tree, ": %s", val64_to_str_wmem(pinfo->pool, parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
8823 }
8824
8825 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
8826 parameter_end_offset = offset + parameter_length;
8827
8828 /* Omit the value field if the parameter's length is 0. */
8829 if (parameter_length != 0) {
8830 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
8831 tvb, offset, parameter_length, ENC_NA0x00000000);
8832 }
8833
8834 switch (parameter_type) {
8835 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:
8836 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
8837 tvb, offset, parameter_length, ENC_NA0x00000000);
8838 offset += parameter_length;
8839 break;
8840 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:
8841 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
8842 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8843 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);
8844 offset += len;
8845 break;
8846 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:
8847 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
8848 tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);
8849 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));
8850 offset += 16;
8851 break;
8852 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:
8853 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
8854 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8855 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8856 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
8857 offset += len;
8858 break;
8859 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:
8860 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
8861 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8862 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8863 offset += len;
8864 break;
8865 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:
8866 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
8867 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8868 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8869 offset += len;
8870 break;
8871 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:
8872 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
8873 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8874 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8875 offset += len;
8876 break;
8877 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:
8878 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
8879 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8880 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8881 offset += len;
8882 break;
8883 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:
8884 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
8885 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8886 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8887 offset += len;
8888 break;
8889 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:
8890 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
8891 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8892 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8893 offset += len;
8894 break;
8895 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:
8896 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
8897 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
8898 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
8899 offset += len;
8900 break;
8901 case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:
8902 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
8903 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8904 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8905 offset += len;
8906 break;
8907 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:
8908 /* No Payload */
8909 break;
8910 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {
8911 uint32_t connectionid_length;
8912 quic_cid_t cid;
8913
8914 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
8915 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8916 offset += 4;
8917 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
8918 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8919 offset += 2;
8920 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
8921 tvb, offset, 16, ENC_NA0x00000000);
8922 offset += 16;
8923 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
8924 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8925 offset += 2;
8926 /* XXX - Should we add these addresses and ports as addresses that the client
8927 * is allowed / expected to migrate the server address to? Right now we don't
8928 * enforce that (see RFC 9000 Section 9, which implies that while the client
8929 * can migrate to whatever address it wants, it can only migrate the server
8930 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
8931 */
8932
8933 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
8934 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
8935 break;
8936 }
8937 offset += 1;
8938
8939 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
8940 tvb, offset, connectionid_length, ENC_NA0x00000000);
8941 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8942 cid.len = connectionid_length;
8943 // RFC 9000 5.1.1 "If the preferred_address transport
8944 // parameter is sent, the sequence number of the supplied
8945 // connection ID is 1."
8946 cid.seq_num = 1;
8947 // Multipath draft-07 "Also, the Path Identifier for the
8948 // connection ID specified in the "preferred address"
8949 // transport parameter is 0."
8950 cid.path_id = 0;
8951 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
8952 quic_add_connection(pinfo, &cid);
8953 }
8954 offset += connectionid_length;
8955
8956 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
8957 tvb, offset, 16, ENC_NA0x00000000);
8958 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8959 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
8960 }
8961 offset += 16;
8962 }
8963 break;
8964 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:
8965 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
8966 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8967 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8968 offset += len;
8969 break;
8970 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:
8971 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
8972 tvb, offset, parameter_length, ENC_NA0x00000000);
8973 offset += parameter_length;
8974 break;
8975 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:
8976 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
8977 tvb, offset, parameter_length, ENC_NA0x00000000);
8978 offset += parameter_length;
8979 break;
8980 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:
8981 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
8982 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8983 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8984 offset += len;
8985 break;
8986 case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:
8987 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
8988 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8989 proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);
8990 offset += len;
8991 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
8992 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8993 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);
8994 offset += len;
8995 break;
8996 case SSL_HND_QUIC_TP_LOSS_BITS0x1057:
8997 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
8998 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8999 if (len > 0) {
9000 quic_add_loss_bits(pinfo, value);
9001 }
9002 offset += 1;
9003 break;
9004 case SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176:
9005 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_address_discovery,
9006 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
9007 offset += len;
9008 break;
9009 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:
9010 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:
9011 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:
9012 case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:
9013 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
9014 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9015 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9016 offset += len;
9017 break;
9018 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:
9019 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
9020 tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
9021 offset += parameter_length;
9022 break;
9023 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:
9024 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
9025 tvb, offset, parameter_length, ENC_NA0x00000000);
9026 offset += parameter_length;
9027 break;
9028 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:
9029 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
9030 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
9031 offset += 4;
9032 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
9033 uint32_t versions_length;
9034
9035 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
9036 tvb, offset, 1, ENC_NA0x00000000, &versions_length);
9037 offset += 1;
9038 for (i = 0; i < versions_length / 4; i++) {
9039 quic_proto_tree_add_version(tvb, parameter_tree,
9040 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
9041 offset += 4;
9042 }
9043 }
9044 break;
9045 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:
9046 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
9047 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9048 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);
9049 offset += len;
9050 break;
9051 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:
9052 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
9053 tvb, offset, parameter_length, ENC_NA0x00000000);
9054 offset += parameter_length;
9055 break;
9056 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:
9057 /* This field was used for non-standard Google-specific parameters encoded as a
9058 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
9059 * parameters. Report it as a bytes blob... */
9060 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
9061 tvb, offset, parameter_length, ENC_NA0x00000000);
9062 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
9063 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
9064 tvb, offset, 4, ENC_NA0x00000000);
9065 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
9066 offset += parameter_length;
9067 break;
9068 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:
9069 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
9070 tvb, offset, parameter_length, ENC_NA0x00000000);
9071 offset += parameter_length;
9072 break;
9073 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:
9074 /* No Payload */
9075 break;
9076 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:
9077 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
9078 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9079 offset += parameter_length;
9080 break;
9081 case SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db:
9082 case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:
9083 quic_proto_tree_add_version(tvb, parameter_tree,
9084 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
9085 offset += 4;
9086 for (i = 4; i < parameter_length; i += 4) {
9087 quic_proto_tree_add_version(tvb, parameter_tree,
9088 hf->hf.hs_ext_quictp_parameter_other_version, offset);
9089 offset += 4;
9090 }
9091 break;
9092 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:
9093 /* No Payload */
9094 quic_add_grease_quic_bit(pinfo);
9095 break;
9096 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:
9097 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
9098 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9099 offset += parameter_length;
9100 break;
9101 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:
9102 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
9103 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9104 if (value == 1) {
9105 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9106 }
9107 offset += parameter_length;
9108 break;
9109 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:
9110 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:
9111 /* No Payload */
9112 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9113 break;
9114 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:
9115 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
9116 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9117 if (value > 1) {
9118 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9119 }
9120 /* multipath draft-07: "The value of the initial_max_paths
9121 * parameter MUST be at least 2." TODO: Expert Info? */
9122 offset += parameter_length;
9123 break;
9124 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09:
9125 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11:
9126 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c:
9127 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d0d:
9128 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
9129 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9130 /* multipath draft-09 and later: "If an endpoint receives an
9131 * initial_max_path_id transport parameter with value 0, the
9132 * peer aims to enable the multipath extension without allowing
9133 * extra paths immediately."
9134 */
9135 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9136 offset += parameter_length;
9137 break;
9138 default:
9139 offset += parameter_length;
9140 /*TODO display expert info about unknown ? */
9141 break;
9142 }
9143
9144 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
9145 /* Dissection did not end at expected location, fix it. */
9146 offset = parameter_end_offset;
9147 }
9148 }
9149
9150 return offset;
9151}
9152
9153static int
9154ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9155 proto_tree *tree, uint32_t offset,
9156 SslSession *session, SslDecryptSession *ssl,
9157 bool_Bool from_server, bool_Bool is_hrr)
9158{
9159 uint8_t sessid_length;
9160 proto_item *ti;
9161 proto_tree *rnd_tree;
9162 proto_tree *ti_rnd;
9163 proto_tree *ech_confirm_tree;
9164 uint8_t draft_version = session->tls13_draft_version;
9165
9166 if (ssl) {
9167 StringInfo *rnd;
9168 if (from_server)
9169 rnd = &ssl->server_random;
9170 else
9171 rnd = &ssl->client_random;
9172
9173 /* save provided random for later keyring generation */
9174 tvb_memcpy(tvb, rnd->data, offset, 32);
9175 rnd->data_len = 32;
9176 if (from_server)
9177 ssl->state |= SSL_SERVER_RANDOM(1<<1);
9178 else
9179 ssl->state |= SSL_CLIENT_RANDOM(1<<0);
9180 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)),
9181 from_server ? "SERVER" : "CLIENT", ssl->state);
9182 }
9183
9184 if (!from_server && session->client_random.data_len == 0) {
9185 session->client_random.data_len = 32;
9186 tvb_memcpy(tvb, session->client_random.data, offset, 32);
9187 }
9188
9189 ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA0x00000000);
9190
9191 if ((session->version != TLSV1DOT3_VERSION0x304) && (session->version != DTLSV1DOT3_VERSION0xfefc)) { /* No time on first bytes random with TLS 1.3 */
9192
9193 rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9194 /* show the time */
9195 proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
9196 tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_BIG_ENDIAN0x00000000);
9197 offset += 4;
9198
9199 /* show the random bytes */
9200 proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
9201 tvb, offset, 28, ENC_NA0x00000000);
9202 offset += 28;
9203 } else {
9204 if (is_hrr) {
9205 proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
9206 } else if (from_server && session->ech) {
9207 ech_confirm_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9208 proto_tree_add_item(ech_confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA0x00000000);
9209 ti = proto_tree_add_bytes_with_length(ech_confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
9210 session->ech_confirmation, 8);
9211 proto_item_set_generated(ti);
9212 if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8)) {
9213 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
9214 } else {
9215 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
9216 }
9217 }
9218
9219 offset += 32;
9220 }
9221
9222 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
9223 if (from_server == 0 || !(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
9224 /* show the session id (length followed by actual Session ID) */
9225 sessid_length = tvb_get_uint8(tvb, offset);
9226 proto_tree_add_item(tree, hf->hf.hs_session_id_len,
9227 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9228 offset++;
9229
9230 if (ssl) {
9231 /* save the authoritative SID for later use in ChangeCipherSpec.
9232 * (D)TLS restricts the SID to 32 chars, it does not make sense to
9233 * save more, so ignore larger ones. */
9234 if (from_server && sessid_length <= 32) {
9235 tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
9236 ssl->session_id.data_len = sessid_length;
9237 }
9238 }
9239 if (sessid_length > 0) {
9240 proto_tree_add_item(tree, hf->hf.hs_session_id,
9241 tvb, offset, sessid_length, ENC_NA0x00000000);
9242 offset += sessid_length;
9243 }
9244 }
9245
9246 return offset;
9247}
9248
9249static int
9250ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9251 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9252 bool_Bool has_length)
9253{
9254 /* TLS 1.2/1.3 status_request Client Hello Extension.
9255 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
9256 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
9257 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
9258 * struct {
9259 * CertificateStatusType status_type;
9260 * uint16 request_length; // for status_request_v2
9261 * select (status_type) {
9262 * case ocsp: OCSPStatusRequest;
9263 * case ocsp_multi: OCSPStatusRequest;
9264 * } request;
9265 * } CertificateStatusRequest; // CertificateStatusRequestItemV2
9266 *
9267 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
9268 * struct {
9269 * ResponderID responder_id_list<0..2^16-1>;
9270 * Extensions request_extensions;
9271 * } OCSPStatusRequest;
9272 * opaque ResponderID<1..2^16-1>;
9273 * opaque Extensions<0..2^16-1>;
9274 */
9275 unsigned cert_status_type;
9276
9277 cert_status_type = tvb_get_uint8(tvb, offset);
9278 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
9279 tvb, offset, 1, ENC_NA0x00000000);
9280 offset++;
9281
9282 if (has_length) {
9283 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
9284 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9285 offset += 2;
9286 }
9287
9288 switch (cert_status_type) {
9289 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9290 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9291 {
9292 uint32_t responder_id_list_len;
9293 uint32_t request_extensions_len;
9294
9295 /* ResponderID responder_id_list<0..2^16-1> */
9296 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
9297 hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX(65535))) {
9298 return offset_end;
9299 }
9300 offset += 2;
9301 if (responder_id_list_len != 0) {
9302 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9303 tvb, offset, responder_id_list_len,
9304 "Responder ID list is not implemented, contact Wireshark"
9305 " developers if you want this to be supported");
9306 }
9307 offset += responder_id_list_len;
9308
9309 /* opaque Extensions<0..2^16-1> */
9310 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
9311 hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX(65535))) {
9312 return offset_end;
9313 }
9314 offset += 2;
9315 if (request_extensions_len != 0) {
9316 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9317 tvb, offset, request_extensions_len,
9318 "Request Extensions are not implemented, contact"
9319 " Wireshark developers if you want this to be supported");
9320 }
9321 offset += request_extensions_len;
9322 break;
9323 }
9324 }
9325
9326 return offset;
9327}
9328
9329static unsigned
9330ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9331 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9332{
9333 /* https://tools.ietf.org/html/rfc6961#section-2.2
9334 * struct {
9335 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
9336 * } CertificateStatusRequestListV2;
9337 */
9338 uint32_t req_list_length, next_offset;
9339
9340 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
9341 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
9342 hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX(65535))) {
9343 return offset_end;
9344 }
9345 offset += 2;
9346 next_offset = offset + req_list_length;
9347
9348 while (offset < next_offset) {
9349 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true1);
9350 }
9351
9352 return offset;
9353}
9354
9355static uint32_t
9356tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9357 uint32_t offset, uint32_t offset_end)
9358{
9359 uint32_t response_length;
9360 proto_item *ocsp_resp;
9361 proto_tree *ocsp_resp_tree;
9362 asn1_ctx_t asn1_ctx;
9363
9364 /* opaque OCSPResponse<1..2^24-1>; */
9365 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
9366 hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9367 return offset_end;
9368 }
9369 offset += 3;
9370
9371 ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
9372 response_length, ENC_BIG_ENDIAN0x00000000);
9373 proto_item_set_text(ocsp_resp, "OCSP Response");
9374 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
9375 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
9376 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
9377 dissect_ocsp_OCSPResponse(false0, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
9378 }
9379 offset += response_length;
9380
9381 return offset;
9382}
9383
9384uint32_t
9385tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9386 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9387{
9388 /* TLS 1.2 "CertificateStatus" handshake message.
9389 * TLS 1.3 "status_request" Certificate extension.
9390 * struct {
9391 * CertificateStatusType status_type;
9392 * select (status_type) {
9393 * case ocsp: OCSPResponse;
9394 * case ocsp_multi: OCSPResponseList; // status_request_v2
9395 * } response;
9396 * } CertificateStatus;
9397 * opaque OCSPResponse<1..2^24-1>;
9398 * struct {
9399 * OCSPResponse ocsp_response_list<1..2^24-1>;
9400 * } OCSPResponseList; // status_request_v2
9401 */
9402 uint32_t status_type, resp_list_length, next_offset;
9403
9404 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
9405 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &status_type);
9406 offset += 1;
9407
9408 switch (status_type) {
9409 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9410 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
9411 break;
9412
9413 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9414 /* OCSPResponse ocsp_response_list<1..2^24-1> */
9415 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
9416 hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9417 return offset_end;
9418 }
9419 offset += 3;
9420 next_offset = offset + resp_list_length;
9421
9422 while (offset < next_offset) {
9423 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
9424 }
9425 break;
9426 }
9427
9428 return offset;
9429}
9430
9431static unsigned
9432ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9433 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9434 wmem_strbuf_t *ja3)
9435{
9436 /* RFC 8446 Section 4.2.7
9437 * enum { ..., (0xFFFF) } NamedGroup;
9438 * struct {
9439 * NamedGroup named_group_list<2..2^16-1>
9440 * } NamedGroupList;
9441 *
9442 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
9443 * the extension itself from "elliptic_curves" to "supported_groups".
9444 */
9445 uint32_t groups_length, next_offset;
9446 proto_tree *groups_tree;
9447 proto_item *ti;
9448 char *ja3_dash = "";
9449
9450 /* NamedGroup named_group_list<2..2^16-1> */
9451 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
9452 hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX(65535))) {
9453 return offset_end;
9454 }
9455 offset += 2;
9456 next_offset = offset + groups_length;
9457
9458 ti = proto_tree_add_none_format(tree,
9459 hf->hf.hs_ext_supported_groups,
9460 tvb, offset, groups_length,
9461 "Supported Groups (%d group%s)",
9462 groups_length / 2,
9463 plurality(groups_length/2, "", "s")((groups_length/2) == 1 ? ("") : ("s")));
9464
9465 /* make this a subtree */
9466 groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);
9467
9468 if (ja3) {
9469 wmem_strbuf_append_c(ja3, ',');
9470 }
9471 /* loop over all groups */
9472 while (offset + 2 <= offset_end) {
9473 uint32_t ext_supported_group;
9474
9475 proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
9476 ENC_BIG_ENDIAN0x00000000, &ext_supported_group);
9477 offset += 2;
9478 if (ja3 && !IS_GREASE_TLS(ext_supported_group)((((ext_supported_group) & 0x0f0f) == 0x0a0a) && (
((ext_supported_group) & 0xff) == (((ext_supported_group)
>>8) & 0xff)))) {
9479 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
9480 ja3_dash = "-";
9481 }
9482 }
9483 if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
9484 offset = next_offset;
9485 }
9486
9487 return offset;
9488}
9489
9490static int
9491ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9492 proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
9493{
9494 uint8_t ecpf_length;
9495 proto_tree *ecpf_tree;
9496 proto_item *ti;
9497
9498 ecpf_length = tvb_get_uint8(tvb, offset);
9499 proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
9500 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9501
9502 offset += 1;
9503 ti = proto_tree_add_none_format(tree,
9504 hf->hf.hs_ext_ec_point_formats,
9505 tvb, offset, ecpf_length,
9506 "Elliptic curves point formats (%d)",
9507 ecpf_length);
9508
9509 /* make this a subtree */
9510 ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);
9511
9512 if (ja3) {
9513 wmem_strbuf_append_c(ja3, ',');
9514 }
9515
9516 /* loop over all point formats */
9517 while (ecpf_length > 0)
9518 {
9519 uint32_t ext_ec_point_format;
9520
9521 proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
9522 ENC_BIG_ENDIAN0x00000000, &ext_ec_point_format);
9523 offset++;
9524 ecpf_length--;
9525 if (ja3) {
9526 wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
9527 if (ecpf_length > 0) {
9528 wmem_strbuf_append_c(ja3, '-');
9529 }
9530 }
9531 }
9532
9533 return offset;
9534}
9535
9536static int
9537ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9538 packet_info *pinfo, proto_tree *tree,
9539 uint32_t offset, uint32_t next_offset)
9540{
9541 /* https://tools.ietf.org/html/rfc5054#section-2.8.1
9542 * opaque srp_I<1..2^8-1>;
9543 */
9544 uint32_t username_len;
9545
9546 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
9547 hf->hf.hs_ext_srp_len, 1, UINT8_MAX(255))) {
9548 return next_offset;
9549 }
9550 offset++;
9551
9552 proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
9553 tvb, offset, username_len, ENC_UTF_80x00000002|ENC_NA0x00000000);
9554 offset += username_len;
9555
9556 return offset;
9557}
9558
9559static uint32_t
9560tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9561 uint32_t offset, uint32_t offset_end, uint16_t version)
9562{
9563 /* https://tools.ietf.org/html/rfc6962#section-3.2
9564 * enum { v1(0), (255) } Version;
9565 * struct {
9566 * opaque key_id[32];
9567 * } LogID;
9568 * opaque CtExtensions<0..2^16-1>;
9569 * struct {
9570 * Version sct_version;
9571 * LogID id;
9572 * uint64 timestamp;
9573 * CtExtensions extensions;
9574 * digitally-signed struct { ... };
9575 * } SignedCertificateTimestamp;
9576 */
9577 uint32_t sct_version;
9578 uint64_t sct_timestamp_ms;
9579 nstime_t sct_timestamp;
9580 uint32_t exts_len;
9581 const char *log_name;
9582
9583 proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA0x00000000, &sct_version);
9584 offset++;
9585 if (sct_version != 0) {
9586 // TODO expert info about unknown SCT version?
9587 return offset;
9588 }
9589 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN0x00000000);
9590 log_name = bytesval_to_str_wmem(pinfo->pool, tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
9591 proto_item_append_text(tree, " (%s)", log_name);
9592 offset += 32;
9593 sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);
9594 sct_timestamp.secs = (time_t)(sct_timestamp_ms / 1000);
9595 sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);
9596 proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
9597 offset += 8;
9598 /* opaque CtExtensions<0..2^16-1> */
9599 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
9600 hf->hf.sct_sct_extensions_length, 0, UINT16_MAX(65535))) {
9601 return offset_end;
9602 }
9603 offset += 2;
9604 if (exts_len > 0) {
9605 proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN0x00000000);
9606 offset += exts_len;
9607 }
9608 offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
9609 hf->hf.sct_sct_signature_length,
9610 hf->hf.sct_sct_signature);
9611 return offset;
9612}
9613
9614uint32_t
9615tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9616 uint32_t offset, uint32_t offset_end, uint16_t version)
9617{
9618 /* https://tools.ietf.org/html/rfc6962#section-3.3
9619 * opaque SerializedSCT<1..2^16-1>;
9620 * struct {
9621 * SerializedSCT sct_list <1..2^16-1>;
9622 * } SignedCertificateTimestampList;
9623 */
9624 uint32_t list_length, sct_length, next_offset;
9625 proto_tree *subtree;
9626
9627 /* SerializedSCT sct_list <1..2^16-1> */
9628 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
9629 hf->hf.sct_scts_length, 1, UINT16_MAX(65535))) {
9630 return offset_end;
9631 }
9632 offset += 2;
9633
9634 while (offset < offset_end) {
9635 subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL((void*)0), "Signed Certificate Timestamp");
9636
9637 /* opaque SerializedSCT<1..2^16-1> */
9638 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,
9639 hf->hf.sct_sct_length, 1, UINT16_MAX(65535))) {
9640 return offset_end;
9641 }
9642 offset += 2;
9643 next_offset = offset + sct_length;
9644 proto_item_set_len(subtree, 2 + sct_length);
9645 offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
9646 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
9647 offset = next_offset;
9648 }
9649 }
9650
9651 return offset;
9652}
9653
9654static int
9655dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
9656 proto_tree *tree, uint32_t offset)
9657{
9658 uint32_t kdf_id, aead_id;
9659 proto_item *cs_ti;
9660 proto_tree *cs_tree;
9661
9662 cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
9663 tvb, offset, 4, ENC_NA0x00000000);
9664 cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);
9665
9666 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
9667 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &kdf_id);
9668 offset += 2;
9669 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
9670 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &aead_id);
9671 offset += 2;
9672
9673 proto_item_append_text(cs_ti, ": %s/%s",
9674 val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
9675 val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
9676 return offset;
9677}
9678
9679static int
9680dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9681 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9682 uint32_t *config_id)
9683{
9684 uint32_t length, cipher_suite_length;
9685 proto_item *kc_ti, *css_ti;
9686 proto_tree *kc_tree, *css_tree;
9687 uint32_t original_offset = offset, next_offset;
9688
9689 kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
9690 tvb, offset, -1, ENC_NA0x00000000);
9691 kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);
9692
9693 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
9694 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, config_id);
9695 offset += 1;
9696 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
9697 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9698 offset += 2;
9699 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
9700 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9701 offset += 2;
9702 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
9703 tvb, offset, length, ENC_NA0x00000000);
9704 offset += length;
9705
9706 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
9707 if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
9708 hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX(65535) - 3)) {
9709 return offset_end;
9710 }
9711 offset += 2;
9712 next_offset = offset + cipher_suite_length;
9713
9714 css_ti = proto_tree_add_none_format(kc_tree,
9715 hf->hf.ech_hpke_keyconfig_cipher_suites,
9716 tvb, offset, cipher_suite_length,
9717 "Cipher Suites (%d suite%s)",
9718 cipher_suite_length / 4,
9719 plurality(cipher_suite_length / 4, "", "s")((cipher_suite_length / 4) == 1 ? ("") : ("s")));
9720 css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);
9721
9722
9723 while (offset + 4 <= next_offset) {
9724 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
9725 }
9726
9727 if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
9728 offset = next_offset;
9729 }
9730
9731 proto_item_set_len(kc_ti, offset - original_offset);
9732
9733 return offset;
9734}
9735
9736static int
9737dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9738 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9739 const uint8_t **public_name, uint32_t *config_id)
9740{
9741 uint32_t public_name_length, extensions_length, next_offset;
9742
9743 offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
9744 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
9745 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9746 offset += 1;
9747 proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
9748 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &public_name_length);
9749 offset += 1;
9750 proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
9751 tvb, offset, public_name_length, ENC_ASCII0x00000000, pinfo->pool, public_name);
9752 offset += public_name_length;
9753
9754 /* Extension extensions<0..2^16-1>; */
9755 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
9756 hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX(65535))) {
9757 return offset_end;
9758 }
9759 offset += 2;
9760 next_offset = offset + extensions_length;
9761
9762 if (extensions_length > 0) {
9763 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
9764 tvb, offset, extensions_length, ENC_NA0x00000000);
9765 }
9766 offset += extensions_length;
9767
9768 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9769 offset = next_offset;
9770 }
9771
9772 return offset;
9773}
9774
9775static int
9776dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9777 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9778{
9779 uint32_t version, length;
9780 proto_item *ech_ti;
9781 proto_tree *ech_tree;
9782 const uint8_t *public_name = NULL((void*)0);
9783 uint32_t config_id = 0;
9784
9785 ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA0x00000000);
9786 ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);
9787
9788 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
9789 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
9790 offset += 2;
9791 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
9792 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9793 offset += 2;
9794
9795 proto_item_set_len(ech_ti, 4 + length);
9796
9797 switch(version) {
9798 case 0xfe0d:
9799 dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
9800 proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
9801 break;
9802
9803 default:
9804 expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
9805 }
9806
9807 return 4 + length;
9808}
9809
9810uint32_t
9811ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9812 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9813{
9814 uint32_t echconfiglist_length, next_offset;
9815
9816 /* ECHConfig ECHConfigList<1..2^16-1>; */
9817 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
9818 hf->hf.ech_echconfiglist_length, 1, UINT16_MAX(65535))) {
9819 return offset_end;
9820 }
9821 offset += 2;
9822 next_offset = offset + echconfiglist_length;
9823
9824 while (offset < next_offset) {
9825 offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
9826 }
9827
9828 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9829 offset = next_offset;
9830 }
9831
9832 return offset;
9833}
9834
9835static uint32_t
9836ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9837 uint32_t offset, uint32_t offset_end)
9838{
9839 uint32_t ext_length, next_offset;
9840 proto_tree *ext_tree;
9841 proto_item *ti;
9842
9843 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
9844 hf->hf.hs_ext_ech_outer_ext_len, 2, UINT8_MAX(255))) {
9845 return offset_end;
9846 }
9847 offset += 1;
9848 next_offset = offset + ext_length;
9849
9850 ti = proto_tree_add_none_format(tree,
9851 hf->hf.hs_ext_ech_outer_ext,
9852 tvb, offset, ext_length,
9853 "Outer Extensions (%d extension%s)",
9854 ext_length / 2,
9855 plurality(ext_length/2, "", "s")((ext_length/2) == 1 ? ("") : ("s")));
9856
9857 ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);
9858
9859 while (offset + 2 <= offset_end) {
9860 proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9861 offset += 2;
9862 }
9863
9864 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
9865 offset = next_offset;
9866 }
9867
9868 return offset;
9869}
9870
9871static uint32_t
9872// NOLINTNEXTLINE(misc-no-recursion)
9873ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9874 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9875 uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
9876 uint32_t initial_offset, uint32_t hello_length)
9877{
9878 uint32_t ch_type, length;
9879 proto_item *ti, *payload_ti;
9880 proto_tree *retry_tree, *payload_tree;
9881
9882 switch (hnd_type) {
9883 case SSL_HND_CLIENT_HELLO:
9884 /*
9885 * enum { outer(0), inner(1) } ECHClientHelloType;
9886 *
9887 * struct {
9888 * ECHClientHelloType type;
9889 * select (ECHClientHello.type) {
9890 * case outer:
9891 * HpkeSymmetricCipherSuite cipher_suite;
9892 * uint8 config_id;
9893 * opaque enc<0..2^16-1>;
9894 * opaque payload<1..2^16-1>;
9895 * case inner:
9896 * Empty;
9897 * };
9898 * } ECHClientHello;
9899 */
9900
9901 proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &ch_type);
9902 offset += 1;
9903 switch (ch_type) {
9904 case 0: /* outer */
9905 if (ssl && session->first_ch_ech_frame == 0) {
9906 session->first_ch_ech_frame = pinfo->num;
9907 }
9908 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
9909 uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
9910 uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);
9911
9912 proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9913 uint8_t config_id = tvb_get_uint8(tvb, offset);
9914 offset += 1;
9915 proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9916 offset += 2;
9917 proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA0x00000000);
9918 offset += length;
9919 proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9920 offset += 2;
9921 payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA0x00000000);
9922 offset += length;
9923
9924 if (!mk_map) {
9925 break;
9926 }
9927 if (session->client_random.data_len == 0) {
9928 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
9929 break;
9930 }
9931 StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
9932 StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
9933 if (!ech_secret || !ech_config) {
9934 ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
9935 G_STRFUNC((const char*) (__func__)));
9936 break;
9937 }
9938
9939 if (hpke_hkdf_len(kdf_id) == 0) {
9940 ssl_debug_printf("Unsupported KDF\n");
9941 break;
9942 }
9943
9944 if (hpke_aead_key_len(aead_id) == 0) {
9945 ssl_debug_printf("Unsupported AEAD\n");
9946 break;
9947 }
9948
9949 size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);
9950
9951 uint16_t version = GUINT16_FROM_BE(*(uint16_t *)ech_config->data)(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)ech_config
->data) >> 8) | (guint16) ((guint16) (*(uint16_t *)ech_config
->data) << 8))))));
9952 if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
9953 ssl_debug_printf("Unexpected version in ECH Config\n");
9954 break;
9955 }
9956 uint32_t ech_config_offset = 2;
9957 if (GUINT16_FROM_BE(*(uint16_t *)(ech_config->data + ech_config_offset))(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)(ech_config
->data + ech_config_offset)) >> 8) | (guint16) ((guint16
) (*(uint16_t *)(ech_config->data + ech_config_offset)) <<
8)))))) != ech_config->data_len - 4) {
9958 ssl_debug_printf("Malformed ECH Config, invalid length\n");
9959 break;
9960 }
9961 ech_config_offset += 2;
9962 if (*(ech_config->data + ech_config_offset) != config_id) {
9963 ssl_debug_printf("ECH Config version mismatch\n");
9964 break;
9965 }
9966 ech_config_offset += 1;
9967 uint16_t kem_id_be = *(uint16_t *)(ech_config->data + ech_config_offset);
9968 uint16_t kem_id = GUINT16_FROM_BE(kem_id_be)(((((guint16) ( (guint16) ((guint16) (kem_id_be) >> 8) |
(guint16) ((guint16) (kem_id_be) << 8))))));
9969 uint8_t suite_id[HPKE_SUIT_ID_LEN10];
9970 hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
9971 GByteArray *info = g_byte_array_new();
9972 g_byte_array_append(info, "tls ech", 8);
9973 g_byte_array_append(info, ech_config->data, ech_config->data_len);
9974 uint8_t key[AEAD_MAX_KEY_LENGTH32];
9975 uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH12];
9976 if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE0,
9977 key, base_nonce)) {
9978 g_byte_array_free(info, TRUE(!(0)));
9979 break;
9980 }
9981 g_byte_array_free(info, TRUE(!(0)));
9982 gcry_cipher_hd_t cipher;
9983 if (hpke_setup_aead(&cipher, aead_id, key) ||
9984 hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
9985 gcry_cipher_close(cipher);
9986 break;
9987 }
9988 const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
9989 uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL((void*)0), hello_length);
9990 tvb_memcpy(tvb, ech_aad, initial_offset, hello_length);
9991 memset(ech_aad + offset - length - initial_offset, 0, length);
9992 if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
9993 gcry_cipher_close(cipher);
9994 wmem_free(NULL((void*)0), ech_aad);
9995 break;
9996 }
9997 wmem_free(NULL((void*)0), ech_aad);
9998 uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, length - 16);
9999 if (gcry_cipher_decrypt(cipher, ech_decrypted_data, length - 16, payload, length - 16)) {
10000 gcry_cipher_close(cipher);
10001 break;
10002 }
10003 unsigned char ech_auth_tag_calc[16];
10004 if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, 16)) {
10005 gcry_cipher_close(cipher);
10006 break;
10007 }
10008 if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
10009 memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, 16);
10010 gcry_cipher_close(cipher);
10011 if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
10012 payload + length - 16, 16)) {
10013 ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
10014 } else {
10015 payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
10016 tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, length - 16, length - 16);
10017 add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
10018 if (ssl) {
10019 tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
10020 uint32_t len_offset = ssl->ech_transcript.data_len;
10021 if (ssl->ech_transcript.data_len > 0)
10022 ssl->ech_transcript.data = (unsigned char*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
10023 ssl->ech_transcript.data_len + hello_length + 4);
10024 else
10025 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), hello_length + 4);
10026 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
10027 ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
10028 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
10029 ssl->ech_transcript.data_len += 38;
10030 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset + 34,
10031 tvb_get_uint8(tvb, initial_offset + 34) + 1);
10032 ssl->ech_transcript.data_len += tvb_get_uint8(tvb, initial_offset + 34) + 1;
10033 uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
10034 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10035 2 + tvb_get_ntohs(ech_tvb, ech_offset));
10036 ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10037 ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10038 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10039 1 + tvb_get_uint8(ech_tvb, ech_offset));
10040 ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10041 ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10042 uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
10043 ssl->ech_transcript.data_len += 2;
10044 uint16_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
10045 ech_offset += 2;
10046 while (extensions_end - ech_offset >= 4) {
10047 if (tvb_get_ntohs(ech_tvb, ech_offset) != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768) {
10048 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10049 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2));
10050 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
10051 ech_offset += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
10052 } else if (tvb_get_ntohs(ech_tvb, ech_offset + 2) > 0) {
10053 uint8_t outer_extensions_end = tvb_get_uint8(ech_tvb, ech_offset + 4) + ech_offset + 5;
10054 ech_offset += 5;
10055 uint16_t outer_offset = initial_offset + 35 + tvb_get_uint8(tvb, initial_offset + 34);
10056 outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
10057 outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
10058 while (outer_extensions_end - ech_offset >= 2) {
10059 while (hello_length - outer_offset >= 4) {
10060 if (tvb_get_ntohs(tvb, outer_offset) == tvb_get_ntohs(ech_tvb, ech_offset)) {
10061 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
10062 4 + tvb_get_ntohs(tvb, outer_offset + 2));
10063 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10064 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10065 break;
10066 } else {
10067 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10068 }
10069 }
10070 ech_offset += 2;
10071 }
10072 }
10073 }
10074 uint16_t ech_extensions_len_be = GUINT16_TO_BE(ssl->ech_transcript.data_len - ech_extensions_len_offset - 2)((((guint16) ( (guint16) ((guint16) (ssl->ech_transcript.data_len
- ech_extensions_len_offset - 2) >> 8) | (guint16) ((guint16
) (ssl->ech_transcript.data_len - ech_extensions_len_offset
- 2) << 8)))));
10075 *(ssl->ech_transcript.data + ech_extensions_len_offset) = ech_extensions_len_be & 0xff;
10076 *(ssl->ech_transcript.data + ech_extensions_len_offset + 1) = (ech_extensions_len_be >> 8);
10077 *(ssl->ech_transcript.data + len_offset + 2) = ((ssl->ech_transcript.data_len - len_offset - 4) >> 8);
10078 *(ssl->ech_transcript.data + len_offset + 3) = (ssl->ech_transcript.data_len - len_offset - 4) & 0xff;
10079 }
10080 uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, length - 16, session,
10081 ssl, NULL((void*)0), mk_map);
10082 if (ech_padding_begin < length - 16) {
10083 proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, length - 16 - ech_padding_begin,
10084 ENC_NA0x00000000);
10085 }
10086 }
10087
10088 break;
10089 case 1: /* inner */
10090 break;
10091 }
10092 break;
10093
10094 case SSL_HND_ENCRYPTED_EXTENSIONS:
10095 /*
10096 * struct {
10097 * ECHConfigList retry_configs;
10098 * } ECHEncryptedExtensions;
10099 */
10100
10101 ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA0x00000000);
10102 retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
10103 offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
10104 break;
10105
10106 case SSL_HND_HELLO_RETRY_REQUEST:
10107 /*
10108 * struct {
10109 * opaque confirmation[8];
10110 * } ECHHelloRetryRequest;
10111 */
10112
10113 proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA0x00000000);
10114 if (session->ech) {
10115 ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
10116 proto_item_set_generated(ti);
10117 if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
10118 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
10119 } else {
10120 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
10121 }
10122 }
10123 offset += 8;
10124 break;
10125 }
10126
10127 return offset;
10128}
10129
10130static uint32_t
10131ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10132 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10133 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
10134{
10135 uint32_t record_digest_length, encrypted_sni_length;
10136
10137 switch (hnd_type) {
10138 case SSL_HND_CLIENT_HELLO:
10139 /*
10140 * struct {
10141 * CipherSuite suite;
10142 * KeyShareEntry key_share;
10143 * opaque record_digest<0..2^16-1>;
10144 * opaque encrypted_sni<0..2^16-1>;
10145 * } ClientEncryptedSNI;
10146 */
10147 proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
10148 offset += 2;
10149 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL((void*)0));
10150
10151 /* opaque record_digest<0..2^16-1> */
10152 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
10153 hf->hf.esni_record_digest_length, 0, UINT16_MAX(65535))) {
10154 return offset_end;
10155 }
10156 offset += 2;
10157 if (record_digest_length > 0) {
10158 proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA0x00000000);
10159 offset += record_digest_length;
10160 }
10161
10162 /* opaque encrypted_sni<0..2^16-1> */
10163 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
10164 hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX(65535))) {
10165 return offset_end;
10166 }
10167 offset += 2;
10168 if (encrypted_sni_length > 0) {
10169 proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA0x00000000);
10170 offset += encrypted_sni_length;
10171 }
10172 break;
10173
10174 case SSL_HND_ENCRYPTED_EXTENSIONS:
10175 proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA0x00000000);
10176 offset += 16;
10177 break;
10178 }
10179
10180 return offset;
10181}
10182/** TLS Extensions (in Client Hello and Server Hello). }}} */
10183
10184/* Connection ID dissection. {{{ */
10185static uint32_t
10186ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10187 proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
10188 uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
10189{
10190 /* keep track of the decrypt session only for the first pass */
10191 if (cidl > 0 && !PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
10192 tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
10193 *session_cidl = cidl;
10194 *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);
10195 tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
10196 if (ssl) {
10197 ssl_add_session_by_cid(ssl);
10198 }
10199 }
10200
10201 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
10202 tvb, offset, 1, ENC_NA0x00000000);
10203 offset++;
10204
10205 if (cidl > 0) {
10206 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
10207 tvb, offset, cidl, ENC_NA0x00000000);
10208 offset += cidl;
10209 }
10210
10211 return offset;
10212}
10213
10214static uint32_t
10215ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10216 proto_tree *tree, uint32_t offset, uint8_t hnd_type,
10217 SslSession *session, SslDecryptSession *ssl)
10218{
10219 uint8_t cidl = tvb_get_uint8(tvb, offset);
10220
10221 switch (hnd_type) {
10222 case SSL_HND_CLIENT_HELLO:
10223 session->client_cid_len_present = true1;
10224 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10225 cidl, &session->client_cid, &session->client_cid_len);
10226 case SSL_HND_SERVER_HELLO:
10227 session->server_cid_len_present = true1;
10228 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10229 cidl, &session->server_cid, &session->server_cid_len);
10230 default:
10231 return offset;
10232 }
10233} /* }}} */
10234
10235/* Trusted CA dissection. {{{ */
10236static uint32_t
10237ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10238 uint32_t offset, uint32_t offset_end)
10239{
10240 proto_item *ti;
10241 proto_tree *subtree;
10242 uint32_t keys_length, next_offset;
10243
10244 /*
10245 * struct {
10246 * TrustedAuthority trusted_authorities_list<0..2^16-1>;
10247 * } TrustedAuthorities;
10248 *
10249 * struct {
10250 * IdentifierType identifier_type;
10251 * select (identifier_type) {
10252 * case pre_agreed: struct {};
10253 * case key_sha1_hash: SHA1Hash;
10254 * case x509_name: DistinguishedName;
10255 * case cert_sha1_hash: SHA1Hash;
10256 * } identifier;
10257 * } TrustedAuthority;
10258 *
10259 * enum {
10260 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10261 * cert_sha1_hash(3), (255)
10262 * } IdentifierType;
10263 *
10264 * opaque DistinguishedName<1..2^16-1>;
10265 *
10266 */
10267
10268
10269 /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
10270 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
10271 0, UINT16_MAX(65535)))
10272 {
10273 return offset_end;
10274 }
10275 offset += 2;
10276 next_offset = offset + keys_length;
10277
10278 if (keys_length > 0)
10279 {
10280 ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
10281 "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s")((keys_length) == 1 ? ("") : ("s")));
10282 subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);
10283
10284 while (offset < next_offset)
10285 {
10286 uint32_t identifier_type;
10287 proto_tree *trusted_key_tree;
10288 proto_item *trusted_key_item;
10289 asn1_ctx_t asn1_ctx;
10290 uint32_t key_len = 0;
10291
10292 identifier_type = tvb_get_uint8(tvb, offset);
10293
10294 // Use 0 as length for now as we'll only know the size when we decode the identifier
10295 trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
10296 offset, 0, "Trusted CA Key");
10297 trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);
10298
10299 proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
10300 offset, 1, identifier_type);
10301 offset++;
10302
10303 /*
10304 * enum {
10305 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10306 * cert_sha1_hash(3), (255)
10307 * } IdentifierType;
10308 */
10309 switch (identifier_type)
10310 {
10311 case 0:
10312 key_len = 0;
10313 break;
10314 case 2:
10315 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
10316
10317 uint32_t name_length;
10318 /* opaque DistinguishedName<1..2^16-1> */
10319 if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
10320 hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX(65535))) {
10321 return next_offset;
10322 }
10323 offset += 2;
10324
10325 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
10326 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
10327 offset += name_length;
10328 break;
10329 case 1:
10330 case 3:
10331 key_len = 20;
10332 /* opaque SHA1Hash[20]; */
10333 proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
10334 offset, 20, ENC_NA0x00000000);
10335 break;
10336
10337 default:
10338 key_len = 0;
10339 /*TODO display expert info about unknown ? */
10340 break;
10341 }
10342 proto_item_set_len(trusted_key_item, 1 + key_len);
10343 offset += key_len;
10344 }
10345 }
10346
10347 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
10348 {
10349 offset = next_offset;
10350 }
10351
10352 return offset;
10353} /* }}} */
10354
10355
10356/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
10357bool_Bool
10358ssl_is_valid_content_type(uint8_t type)
10359{
10360 switch ((ContentType) type) {
10361 case SSL_ID_CHG_CIPHER_SPEC:
10362 case SSL_ID_ALERT:
10363 case SSL_ID_HANDSHAKE:
10364 case SSL_ID_APP_DATA:
10365 case SSL_ID_HEARTBEAT:
10366 case SSL_ID_TLS12_CID:
10367 case SSL_ID_DTLS13_ACK:
10368 return true1;
10369 }
10370 return false0;
10371}
10372
10373bool_Bool
10374ssl_is_valid_handshake_type(uint8_t hs_type, bool_Bool is_dtls)
10375{
10376 switch ((HandshakeType) hs_type) {
10377 case SSL_HND_HELLO_VERIFY_REQUEST:
10378 /* hello_verify_request is DTLS-only */
10379 return is_dtls;
10380
10381 case SSL_HND_HELLO_REQUEST:
10382 case SSL_HND_CLIENT_HELLO:
10383 case SSL_HND_SERVER_HELLO:
10384 case SSL_HND_NEWSESSION_TICKET:
10385 case SSL_HND_END_OF_EARLY_DATA:
10386 case SSL_HND_HELLO_RETRY_REQUEST:
10387 case SSL_HND_ENCRYPTED_EXTENSIONS:
10388 case SSL_HND_CERTIFICATE:
10389 case SSL_HND_SERVER_KEY_EXCHG:
10390 case SSL_HND_CERT_REQUEST:
10391 case SSL_HND_SVR_HELLO_DONE:
10392 case SSL_HND_CERT_VERIFY:
10393 case SSL_HND_CLIENT_KEY_EXCHG:
10394 case SSL_HND_FINISHED:
10395 case SSL_HND_CERT_URL:
10396 case SSL_HND_CERT_STATUS:
10397 case SSL_HND_SUPPLEMENTAL_DATA:
10398 case SSL_HND_KEY_UPDATE:
10399 case SSL_HND_COMPRESSED_CERTIFICATE:
10400 case SSL_HND_ENCRYPTED_EXTS:
10401 return true1;
10402 case SSL_HND_MESSAGE_HASH:
10403 return false0;
10404 }
10405 return false0;
10406}
10407
10408static bool_Bool
10409ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
10410 bool_Bool is_dtls)
10411{
10412 /* Consider all valid Handshake messages (except for Client Hello) and
10413 * all other valid record types (other than Handshake) */
10414 return (content_type == SSL_ID_HANDSHAKE &&
10415 ssl_is_valid_handshake_type(handshake_type, is_dtls) &&
10416 handshake_type != SSL_HND_CLIENT_HELLO) ||
10417 (content_type != SSL_ID_HANDSHAKE &&
10418 ssl_is_valid_content_type(content_type));
10419}
10420
10421/**
10422 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
10423 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
10424 * Returns true if the supported_versions extension was found, false if not.
10425 */
10426bool_Bool
10427tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
10428 uint16_t *server_version, bool_Bool *is_hrr)
10429{
10430 /* SHA256("HelloRetryRequest") */
10431 static const uint8_t tls13_hrr_random_magic[] = {
10432 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
10433 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
10434 };
10435 uint8_t session_id_length;
10436
10437 *server_version = tvb_get_ntohs(tvb, offset);
10438
10439 /*
10440 * Try to look for supported_versions extension. Minimum length:
10441 * 2 + 32 + 1 = 35 (version, random, session id length)
10442 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10443 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10444 *
10445 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10446 * there's a separate expert info warning for that.
10447 */
10448 if ((*server_version == TLSV1DOT2_VERSION0x303 || *server_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10449 offset += 2;
10450 if (is_hrr) {
10451 *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
10452 }
10453 offset += 32;
10454 session_id_length = tvb_get_uint8(tvb, offset);
10455 offset++;
10456 if (offset_end - offset < session_id_length + 5u) {
10457 return false0;
10458 }
10459 offset += session_id_length + 5;
10460
10461 while (offset_end - offset >= 6) {
10462 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10463 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10464 if (offset_end - offset < 4u + ext_len) {
10465 break; /* not enough data for type, length and data */
10466 }
10467 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10468 if (ext_len == 2) {
10469 *server_version = tvb_get_ntohs(tvb, offset + 4);
10470 }
10471 return true1;
10472 }
10473 offset += 4 + ext_len;
10474 }
10475 } else {
10476 if (is_hrr) {
10477 *is_hrr = false0;
10478 }
10479 }
10480 return false0;
10481}
10482
10483/**
10484 * Scan a Client Hello handshake message to see if the supported_versions
10485 * extension is found, in which case the version field is legacy_version.
10486 */
10487static bool_Bool
10488tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
10489{
10490 uint8_t session_id_length;
10491
10492 uint16_t client_version = tvb_get_ntohs(tvb, offset);
10493
10494 /*
10495 * Try to look for supported_versions extension. Minimum length:
10496 * 2 + 32 + 1 = 35 (version, random, session id length)
10497 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10498 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10499 *
10500 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10501 * there's a separate expert info warning for that.
10502 */
10503 if ((client_version == TLSV1DOT2_VERSION0x303 || client_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10504 offset += 2;
10505 offset += 32;
10506 session_id_length = tvb_get_uint8(tvb, offset);
10507 offset++;
10508 if (offset_end - offset < session_id_length + 2u) {
10509 return false0;
10510 }
10511 offset += session_id_length;
10512 if (client_version == DTLSV1DOT2_VERSION0xfefd) {
10513 uint8_t cookie_length = tvb_get_uint8(tvb, offset);
10514 offset++;
10515 if (offset_end - offset < cookie_length + 2u) {
10516 return false0;
10517 }
10518 }
10519 uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
10520 offset += 2;
10521 if (offset_end - offset < cipher_suites_length + 1u) {
10522 return false0;
10523 }
10524 offset += cipher_suites_length;
10525 uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
10526 offset++;
10527 if (offset_end - offset < compression_methods_length + 2u) {
10528 return false0;
10529 }
10530 offset += compression_methods_length + 2;
10531
10532 while (offset_end - offset >= 6) {
10533 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10534 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10535 if (offset_end - offset < 4u + ext_len) {
10536 break; /* not enough data for type, length and data */
10537 }
10538 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10539 return true1;
10540 }
10541 offset += 4 + ext_len;
10542 }
10543 }
10544 return false0;
10545}
10546void
10547ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
10548 uint8_t content_type, uint8_t handshake_type,
10549 bool_Bool is_dtls, uint16_t version)
10550{
10551 uint8_t tls13_draft = 0;
10552
10553 if (!ssl_is_authoritative_version_message(content_type, handshake_type,
10554 is_dtls))
10555 return;
10556
10557 version = tls_try_get_version(is_dtls, version, &tls13_draft);
10558 if (version == SSL_VER_UNKNOWN0) {
10559 return;
10560 }
10561
10562 session->tls13_draft_version = tls13_draft;
10563 session->version = version;
10564 if (ssl) {
10565 ssl->state |= SSL_VERSION(1<<4);
10566 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), version, ssl->state);
10567 }
10568}
10569
10570void
10571ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
10572 ContentType content_type,
10573 unsigned record_length, proto_item *length_pi,
10574 uint16_t version, tvbuff_t *decrypted_tvb)
10575{
10576 unsigned max_expansion;
10577 if (version == TLSV1DOT3_VERSION0x304) {
10578 /* TLS 1.3: Max length is 2^14 + 256 */
10579 max_expansion = 256;
10580 } else {
10581 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
10582 max_expansion = 2048;
10583 }
10584 /*
10585 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
10586 * and ChangeCipherSpec.
10587 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
10588 * so assume it is permitted.
10589 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
10590 * assume TLS 1.2 requirements.
10591 */
10592 if (record_length == 0 &&
10593 (content_type == SSL_ID_CHG_CIPHER_SPEC ||
10594 content_type == SSL_ID_ALERT ||
10595 content_type == SSL_ID_HANDSHAKE)) {
10596 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10597 "Zero-length %s fragments are not allowed",
10598 val_to_str_const(content_type, ssl_31_content_type, "unknown"));
10599 }
10600 if (record_length > TLS_MAX_RECORD_LENGTH0x4000 + max_expansion) {
10601 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10602 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
10603 }
10604 if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH0x4000) {
10605 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10606 "TLSPlaintext length MUST NOT exceed 2^14");
10607 }
10608}
10609
10610static void
10611ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
10612{
10613 /* store selected cipher suite for decryption */
10614 ssl->session.cipher = cipher;
10615
10616 const SslCipherSuite *cs = ssl_find_cipher(cipher);
10617 if (!cs) {
10618 ssl->cipher_suite = NULL((void*)0);
10619 ssl->state &= ~SSL_CIPHER(1<<2);
10620 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10621 } else if (ssl->session.version == SSLV3_VERSION0x300 && !(cs->dig == DIG_MD50x40 || cs->dig == DIG_SHA0x41)) {
10622 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
10623 * cipher suite that uses for example MACAlgorithm SHA256. Reject that
10624 * to avoid a potential buffer overflow in ssl3_check_mac. */
10625 ssl->cipher_suite = NULL((void*)0);
10626 ssl->state &= ~SSL_CIPHER(1<<2);
10627 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10628 } else {
10629 /* Cipher found, save this for the delayed decoder init */
10630 ssl->cipher_suite = cs;
10631 ssl->state |= SSL_CIPHER(1<<2);
10632 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), cipher,
10633 val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
10634 ssl->state);
10635 }
10636}
10637/* }}} */
10638
10639
10640/* Client Hello and Server Hello dissections. {{{ */
10641static int
10642ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10643 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
10644 SslSession *session, SslDecryptSession *ssl,
10645 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
10646 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length);
10647int
10648// NOLINTNEXTLINE(misc-no-recursion)
10649ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10650 packet_info *pinfo, proto_tree *tree, uint32_t offset,
10651 uint32_t offset_end, SslSession *session,
10652 SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
10653{
10654 /* struct {
10655 * ProtocolVersion client_version;
10656 * Random random;
10657 * SessionID session_id;
10658 * opaque cookie<0..32>; //new field for DTLS
10659 * CipherSuite cipher_suites<2..2^16-1>;
10660 * CompressionMethod compression_methods<1..2^8-1>;
10661 * Extension client_hello_extension_list<0..2^16-1>;
10662 * } ClientHello;
10663 */
10664 proto_item *ti;
10665 proto_tree *cs_tree;
10666 uint32_t client_version;
10667 uint32_t cipher_suite_length;
10668 uint32_t compression_methods_length;
10669 uint8_t compression_method;
10670 uint32_t next_offset;
10671 uint32_t initial_offset = offset;
10672 uint32_t hello_length = offset_end - initial_offset;
10673 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10674 char *ja3_hash;
10675 char *ja3_dash = "";
10676 char *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
10677 ja4_data_t ja4_data;
10678 wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
10679 wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
10680 wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
10681 wmem_list_frame_t *curr_entry;
10682
10683 ja4_data.max_version = 0;
10684 ja4_data.server_name_present = false0;
10685 ja4_data.num_cipher_suites = 0;
10686 ja4_data.num_extensions = 0;
10687 ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
10688 ja4_data.cipher_list = wmem_list_new(pinfo->pool);
10689 ja4_data.extension_list = wmem_list_new(pinfo->pool);
10690 ja4_data.sighash_list = wmem_list_new(pinfo->pool);
10691
10692 /* show the client version */
10693 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, tvb,
10694 offset, 2, ENC_BIG_ENDIAN0x00000000,
10695 &client_version);
10696 if (tls_scan_client_hello(tvb, offset, offset_end)) {
10697 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10698 }
10699 offset += 2;
10700 wmem_strbuf_append_printf(ja3, "%i,", client_version);
10701
10702 /*
10703 * Is it version 1.3?
10704 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
10705 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10706 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
10707 * Hello".
10708 */
10709 if (dtls_hfs != NULL((void*)0)) {
10710 if (client_version == DTLSV1DOT3_VERSION0xfefc) {
10711 /* Don't do that. */
10712 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10713 }
10714 } else {
10715 if (client_version == TLSV1DOT3_VERSION0x304) {
10716 /* Don't do that. */
10717 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10718 }
10719 }
10720
10721 /* dissect fields that are present in both ClientHello and ServerHello */
10722 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, false0, false0);
10723
10724 /* fields specific for DTLS (cookie_len, cookie) */
10725 if (dtls_hfs != NULL((void*)0)) {
10726 uint32_t cookie_length;
10727 /* opaque cookie<0..32> (for DTLS only) */
10728 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
10729 dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
10730 return offset;
10731 }
10732 offset++;
10733 if (cookie_length > 0) {
10734 proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
10735 tvb, offset, cookie_length, ENC_NA0x00000000);
10736 offset += cookie_length;
10737 }
10738 }
10739
10740 /* CipherSuite cipher_suites<2..2^16-1> */
10741 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
10742 hf->hf.hs_cipher_suites_len, 2, UINT16_MAX(65535))) {
10743 return offset;
10744 }
10745 offset += 2;
10746 next_offset = offset + cipher_suite_length;
10747 ti = proto_tree_add_none_format(tree,
10748 hf->hf.hs_cipher_suites,
10749 tvb, offset, cipher_suite_length,
10750 "Cipher Suites (%d suite%s)",
10751 cipher_suite_length / 2,
10752 plurality(cipher_suite_length/2, "", "s")((cipher_suite_length/2) == 1 ? ("") : ("s")));
10753 cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
10754 while (offset + 2 <= next_offset) {
10755 uint32_t cipher_suite;
10756
10757 proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, tvb, offset, 2,
10758 ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10759 offset += 2;
10760 if (!IS_GREASE_TLS(cipher_suite)((((cipher_suite) & 0x0f0f) == 0x0a0a) && (((cipher_suite
) & 0xff) == (((cipher_suite)>>8) & 0xff)))) {
10761 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
10762 ja3_dash = "-";
10763 ja4_data.num_cipher_suites += 1;
10764 wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite)((gpointer) (gulong) (cipher_suite)), wmem_compare_uint);
10765 }
10766 }
10767 wmem_strbuf_append_c(ja3, ',');
10768 if (!ssl_end_vector(hf, tvb, pinfo, cs_tree, offset, next_offset)) {
10769 offset = next_offset;
10770 }
10771
10772 /* CompressionMethod compression_methods<1..2^8-1> */
10773 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
10774 hf->hf.hs_comp_methods_len, 1, UINT8_MAX(255))) {
10775 return offset;
10776 }
10777 offset++;
10778 next_offset = offset + compression_methods_length;
10779 ti = proto_tree_add_none_format(tree,
10780 hf->hf.hs_comp_methods,
10781 tvb, offset, compression_methods_length,
10782 "Compression Methods (%u method%s)",
10783 compression_methods_length,
10784 plurality(compression_methods_length,((compression_methods_length) == 1 ? ("") : ("s"))
10785 "", "s")((compression_methods_length) == 1 ? ("") : ("s")));
10786 cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
10787 while (offset < next_offset) {
10788 compression_method = tvb_get_uint8(tvb, offset);
10789 /* TODO: make reserved/private comp meth. fields selectable */
10790 if (compression_method < 64)
10791 proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
10792 tvb, offset, 1, compression_method);
10793 else if (compression_method > 63 && compression_method < 193)
10794 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10795 compression_method, "Reserved - to be assigned by IANA (%u)",
10796 compression_method);
10797 else
10798 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10799 compression_method, "Private use range (%u)",
10800 compression_method);
10801 offset++;
10802 }
10803
10804 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10805 if (offset < offset_end) {
10806 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10807 offset_end, SSL_HND_CLIENT_HELLO,
10808 session, ssl, dtls_hfs != NULL((void*)0), ja3, &ja4_data, mk_map, initial_offset, hello_length);
10809 if (ja4_data.max_version > 0) {
10810 client_version = ja4_data.max_version;
10811 }
10812 } else {
10813 wmem_strbuf_append_printf(ja3, ",,");
10814 }
10815
10816 if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
10817 wmem_strbuf_append(ja4_a, "t");
10818 } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
10819 wmem_strbuf_append(ja4_a, "q");
10820 } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
10821 wmem_strbuf_append(ja4_a, "d");
10822 }
10823 wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
10824 wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
10825 if (ja4_data.num_cipher_suites > 99) {
10826 wmem_strbuf_append(ja4_a, "99");
10827 } else {
10828 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
10829 }
10830 if (ja4_data.num_extensions > 99) {
10831 wmem_strbuf_append(ja4_a, "99");
10832 } else {
10833 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
10834 }
10835 if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
10836 wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
10837 } else {
10838 wmem_strbuf_append(ja4_a, "00");
10839 }
10840
10841 curr_entry = wmem_list_head(ja4_data.cipher_list);
10842 for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
10843 wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10844 if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
10845 wmem_strbuf_append(ja4_br, ",");
10846 }
10847 curr_entry = wmem_list_frame_next(curr_entry);
10848 }
10849
10850 curr_entry = wmem_list_head(ja4_data.extension_list);
10851 for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
10852 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10853 if (i < wmem_list_count(ja4_data.extension_list) - 1) {
10854 wmem_strbuf_append(ja4_cr, ",");
10855 }
10856 curr_entry = wmem_list_frame_next(curr_entry);
10857 }
10858
10859 if (wmem_list_count(ja4_data.sighash_list) > 0) {
10860 wmem_strbuf_append(ja4_cr, "_");
10861 curr_entry = wmem_list_head(ja4_data.sighash_list);
10862 for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
10863 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10864 if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
10865 wmem_strbuf_append(ja4_cr, ",");
10866 }
10867 curr_entry = wmem_list_frame_next(curr_entry);
10868 }
10869 }
10870 if ( wmem_strbuf_get_len(ja4_br) == 0 ) {
10871 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10872 } else {
10873 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
10874 }
10875 ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);
10876
10877 g_free(ja4_hash);
10878 if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
10879 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10880 } else {
10881 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
10882 }
10883 ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
10884 g_free(ja4_hash);
10885
10886 ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
10887 ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));
10888
10889 ti = proto_tree_add_string(tree, hf->hf.hs_ja4, tvb, offset, 0, ja4);
10890 proto_item_set_generated(ti);
10891 ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, tvb, offset, 0, ja4_r);
10892 proto_item_set_generated(ti);
10893
10894 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
10895 wmem_strbuf_get_len(ja3));
10896 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
10897 proto_item_set_generated(ti);
10898 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, tvb, offset, 0, ja3_hash);
10899 proto_item_set_generated(ti);
10900 g_free(ja3_hash);
10901 return offset;
10902}
10903
10904void
10905ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10906 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10907 SslSession *session, SslDecryptSession *ssl,
10908 bool_Bool is_dtls, bool_Bool is_hrr)
10909{
10910 /* struct {
10911 * ProtocolVersion server_version;
10912 * Random random;
10913 * SessionID session_id; // TLS 1.2 and before
10914 * CipherSuite cipher_suite;
10915 * CompressionMethod compression_method; // TLS 1.2 and before
10916 * Extension server_hello_extension_list<0..2^16-1>;
10917 * } ServerHello;
10918 */
10919 uint8_t draft_version = session->tls13_draft_version;
10920 proto_item *ti;
10921 uint32_t server_version;
10922 uint32_t cipher_suite;
10923 uint32_t initial_offset = offset;
10924 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10925 char *ja3_hash;
10926
10927 col_set_str(pinfo->cinfo, COL_PROTOCOL,
10928 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
10929
10930 /* Initially assume that the session is resumed. If this is not the case, a
10931 * ServerHelloDone will be observed before the ChangeCipherSpec message
10932 * which will reset this flag. */
10933 session->is_session_resumed = true1;
10934
10935 /* show the server version */
10936 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
10937 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);
10938
10939 uint16_t supported_server_version;
10940 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
10941 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10942 }
10943 /*
10944 * Is it version 1.3?
10945 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
10946 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10947 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
10948 * Hello".
10949 */
10950 if (is_dtls) {
10951 if (server_version == DTLSV1DOT3_VERSION0xfefc) {
10952 /* Don't do that. */
10953 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10954 }
10955 } else {
10956 if (server_version == TLSV1DOT3_VERSION0x304) {
10957 /* Don't do that. */
10958 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10959 }
10960 }
10961
10962 offset += 2;
10963 wmem_strbuf_append_printf(ja3, "%i", server_version);
10964
10965 /* dissect fields that are present in both ClientHello and ServerHello */
10966 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);
10967
10968 if (ssl) {
10969 /* store selected cipher suite for decryption */
10970 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
10971 }
10972
10973 /* now the server-selected cipher suite */
10974 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
10975 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10976 offset += 2;
10977 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
10978
10979 /* No compression with TLS 1.3 before draft -22 */
10980 if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
10981 if (ssl) {
10982 /* store selected compression method for decryption */
10983 ssl->session.compression = tvb_get_uint8(tvb, offset);
10984 }
10985 /* and the server-selected compression method */
10986 proto_tree_add_item(tree, hf->hf.hs_comp_method,
10987 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
10988 offset++;
10989 }
10990
10991 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10992 if (offset < offset_end) {
10993 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10994 offset_end,
10995 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
10996 session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0), 0, 0);
10997 }
10998
10999 if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
11000 int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
11001 if (hash_algo) {
11002 SSL_MDgcry_md_hd_t mc;
11003 unsigned char transcript_hash[DIGEST_MAX_SIZE48];
11004 unsigned char prk[DIGEST_MAX_SIZE48];
11005 unsigned char *ech_verify_out = NULL((void*)0);
11006 unsigned int len;
11007 ssl_md_init(&mc, hash_algo);
11008 ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
11009 if (is_hrr) {
11010 ssl_md_final(&mc, transcript_hash, &len);
11011 ssl_md_cleanup(&mc);
11012 wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
11013 ssl->ech_transcript.data_len = 4 + len;
11014 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
11015 ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
11016 ssl->ech_transcript.data[1] = 0;
11017 ssl->ech_transcript.data[2] = 0;
11018 ssl->ech_transcript.data[3] = len;
11019 memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
11020 ssl_md_init(&mc, hash_algo);
11021 ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
11022 } else {
11023 ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
11024 ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
11025 }
11026 if (initial_offset > 4) {
11027 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
11028 4 + offset_end - initial_offset);
11029 if (is_hrr)
11030 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset-4, 38), 38);
11031 else
11032 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset-4, 30), 30);
11033 } else {
11034 uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
11035 prefix[2] = ((offset - initial_offset) >> 8);
11036 prefix[3] = (offset - initial_offset) & 0xff;
11037 memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
11038 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
11039 offset_end - initial_offset);
11040 ssl_md_update(&mc, prefix, 4);
11041 if (is_hrr)
11042 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset, 34), 34);
11043 else
11044 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset, 26), 26);
11045 }
11046 ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
11047 uint8_t zeros[8] = { 0 };
11048 uint32_t confirmation_offset = initial_offset + 26;
11049 if (is_hrr) {
11050 uint32_t hrr_offset = initial_offset + 34;
11051 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset,
11052 tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
11053 hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
11054 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 3), 3);
11055 hrr_offset += 3;
11056 uint16_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
11057 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 2), 2);
11058 hrr_offset += 2;
11059 while (extensions_end - hrr_offset >= 4) {
11060 if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
11061 tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
11062 confirmation_offset = hrr_offset + 4;
11063 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 4), 4);
11064 ssl_md_update(&mc, zeros, 8);
11065 hrr_offset += 12;
11066 } else {
11067 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
11068 tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
11069 hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
11070 }
11071 }
11072 } else {
11073 ssl_md_update(&mc, zeros, 8);
11074 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
11075 offset - initial_offset - 34);
11076 }
11077 ssl_md_final(&mc, transcript_hash, &len);
11078 ssl_md_cleanup(&mc);
11079 hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
11080 StringInfo prk_string = {prk, len};
11081 if (tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
11082 is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
11083 transcript_hash, len, 8, &ech_verify_out)) {
11084 memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
11085 if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
11086 if (is_hrr) {
11087 ssl->session.hrr_ech_declined = true1;
11088 ssl->session.first_ch_ech_frame = 0;
11089 }
11090 memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
11091 ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
11092 }
11093 wmem_free(NULL((void*)0), ech_verify_out);
11094 }
11095 ssl->session.ech = true1;
11096 }
11097 }
11098
11099 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
11100 wmem_strbuf_get_len(ja3));
11101 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
11102 proto_item_set_generated(ti);
11103 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
11104 proto_item_set_generated(ti);
11105 g_free(ja3_hash);
11106}
11107/* Client Hello and Server Hello dissections. }}} */
11108
11109/* New Session Ticket dissection. {{{ */
11110void
11111ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11112 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11113 SslSession *session, SslDecryptSession *ssl,
11114 bool_Bool is_dtls, GHashTable *session_hash)
11115{
11116 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
11117 * struct {
11118 * uint32 ticket_lifetime_hint;
11119 * opaque ticket<0..2^16-1>;
11120 * } NewSessionTicket;
11121 *
11122 * RFC 8446 Section 4.6.1 (TLS 1.3):
11123 * struct {
11124 * uint32 ticket_lifetime;
11125 * uint32 ticket_age_add;
11126 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -22
11127 * opaque ticket<1..2^16-1>;
11128 * Extension extensions<0..2^16-2>;
11129 * } NewSessionTicket;
11130 */
11131 proto_tree *subtree;
11132 proto_item *subitem;
11133 uint32_t ticket_len;
11134 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc;
11135 unsigned char draft_version = session->tls13_draft_version;
11136 uint32_t lifetime_hint;
11137
11138 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11139 hf->ett.session_ticket, NULL((void*)0),
11140 "TLS Session Ticket");
11141
11142 /* ticket lifetime hint */
11143 subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,
11144 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000, &lifetime_hint);
11145 offset += 4;
11146
11147 if (lifetime_hint >= 60) {
11148 char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);
11149 proto_item_append_text(subitem, " (%s)", time_str);
11150 }
11151
11152 if (is_tls13) {
11153
11154 /* for TLS 1.3: ticket_age_add */
11155 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
11156 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
11157 offset += 4;
11158
11159 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
11160 if (draft_version == 0 || draft_version >= 21) {
11161 uint32_t ticket_nonce_len;
11162
11163 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,
11164 hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
11165 return;
11166 }
11167 offset++;
11168
11169 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA0x00000000);
11170 offset += ticket_nonce_len;
11171 }
11172
11173 }
11174
11175 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
11176 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
11177 hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX(65535))) {
11178 return;
11179 }
11180 offset += 2;
11181
11182 /* Content depends on implementation, so just show data! */
11183 proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
11184 tvb, offset, ticket_len, ENC_NA0x00000000);
11185 /* save the session ticket to cache for ssl_finalize_decryption */
11186 if (ssl && !is_tls13) {
11187 if (ssl->session.is_session_resumed) {
11188 /* NewSessionTicket is received in ServerHello before ChangeCipherSpec
11189 * (Abbreviated Handshake Using New Session Ticket).
11190 * Restore the master key for this session ticket before saving
11191 * it to the new session ticket. */
11192 ssl_restore_master_key(ssl, "Session Ticket", false0,
11193 session_hash, &ssl->session_ticket);
11194 }
11195 tvb_ensure_bytes_exist(tvb, offset, ticket_len);
11196 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
11197 ssl->session_ticket.data, ticket_len);
11198 ssl->session_ticket.data_len = ticket_len;
11199 tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
11200 /* NewSessionTicket is received after the first (client)
11201 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
11202 * Since the second CCS has already the session key available it will
11203 * just return. To ensure that the session ticket is mapped to a
11204 * master key (from the first CCS), save the ticket here too. */
11205 ssl_save_master_key("Session Ticket", session_hash,
11206 &ssl->session_ticket, &ssl->master_secret);
11207 ssl->state |= SSL_NEW_SESSION_TICKET(1<<10);
11208 }
11209 offset += ticket_len;
11210
11211 if (is_tls13) {
11212 ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11213 offset_end, SSL_HND_NEWSESSION_TICKET,
11214 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11215 }
11216} /* }}} */
11217
11218void
11219ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11220 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11221 SslSession *session, SslDecryptSession *ssl,
11222 bool_Bool is_dtls)
11223{
11224 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
11225 * struct {
11226 * ProtocolVersion server_version;
11227 * CipherSuite cipher_suite; // not before draft -19
11228 * Extension extensions<2..2^16-1>;
11229 * } HelloRetryRequest;
11230 * Note: no longer used since draft -22
11231 */
11232 uint32_t version;
11233 uint8_t draft_version;
11234
11235 proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11236 offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
11237 draft_version = extract_tls13_draft_version(version);
11238 offset += 2;
11239
11240 if (draft_version == 0 || draft_version >= 19) {
11241 proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
11242 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11243 offset += 2;
11244 }
11245
11246 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11247 offset_end, SSL_HND_HELLO_RETRY_REQUEST,
11248 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11249}
11250
11251void
11252ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11253 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11254 SslSession *session, SslDecryptSession *ssl,
11255 bool_Bool is_dtls)
11256{
11257 /* RFC 8446 Section 4.3.1
11258 * struct {
11259 * Extension extensions<0..2^16-1>;
11260 * } EncryptedExtensions;
11261 */
11262 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11263 offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,
11264 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11265}
11266
11267/* Certificate and Certificate Request dissections. {{{ */
11268void
11269ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11270 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11271 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
11272 bool_Bool is_from_server, bool_Bool is_dtls)
11273{
11274 /* opaque ASN.1Cert<1..2^24-1>;
11275 *
11276 * Before RFC 8446 (TLS <= 1.2):
11277 * struct {
11278 * select(certificate_type) {
11279 *
11280 * // certificate type defined in RFC 7250
11281 * case RawPublicKey:
11282 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
11283 *
11284 * // X.509 certificate defined in RFC 5246
11285 * case X.509:
11286 * ASN.1Cert certificate_list<0..2^24-1>;
11287 * };
11288 * } Certificate;
11289 *
11290 * RFC 8446 (since draft -20):
11291 * struct {
11292 * select(certificate_type){
11293 * case RawPublicKey:
11294 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
11295 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
11296 *
11297 * case X.509:
11298 * opaque cert_data<1..2^24-1>;
11299 * }
11300 * Extension extensions<0..2^16-1>;
11301 * } CertificateEntry;
11302 * struct {
11303 * opaque certificate_request_context<0..2^8-1>;
11304 * CertificateEntry certificate_list<0..2^24-1>;
11305 * } Certificate;
11306 */
11307 enum { CERT_X509, CERT_RPK } cert_type;
11308 asn1_ctx_t asn1_ctx;
11309#if defined(HAVE_LIBGNUTLS1)
11310 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
11311 unsigned certificate_index = 0;
11312#endif
11313 uint32_t next_offset, certificate_list_length, cert_length;
11314 proto_tree *subtree = tree;
11315
11316 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11317
11318 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
11319 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
11320 cert_type = CERT_RPK;
11321 } else {
11322 cert_type = CERT_X509;
11323 }
11324
11325#if defined(HAVE_LIBGNUTLS1)
11326 /* Ask the pkcs1 dissector to return the public key details */
11327 if (ssl)
11328 asn1_ctx.private_data = &subjectPublicKeyInfo;
11329#endif
11330
11331 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
11332 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
11333 uint32_t context_length;
11334 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11335 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11336 return;
11337 }
11338 offset++;
11339 if (context_length > 0) {
11340 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11341 tvb, offset, context_length, ENC_NA0x00000000);
11342 offset += context_length;
11343 }
11344 }
11345
11346 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
11347 /* For RPK before TLS 1.3, the single RPK is stored directly without
11348 * another "certificate_list" field. */
11349 certificate_list_length = offset_end - offset;
11350 next_offset = offset_end;
11351 } else {
11352 /* CertificateEntry certificate_list<0..2^24-1> */
11353 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
11354 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
11355 return;
11356 }
11357 offset += 3; /* 24-bit length value */
11358 next_offset = offset + certificate_list_length;
11359 }
11360
11361 /* RawPublicKey must have one cert, but X.509 can have multiple. */
11362 if (certificate_list_length > 0 && cert_type == CERT_X509) {
11363 proto_item *ti;
11364
11365 ti = proto_tree_add_none_format(tree,
11366 hf->hf.hs_certificates,
11367 tvb, offset, certificate_list_length,
11368 "Certificates (%u bytes)",
11369 certificate_list_length);
11370
11371 /* make it a subtree */
11372 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
11373 }
11374
11375 while (offset < next_offset) {
11376 switch (cert_type) {
11377 case CERT_RPK:
11378 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
11379 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
11380 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11381 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11382 return;
11383 }
11384 offset += 3;
11385
11386 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11387 offset += cert_length;
11388 break;
11389 case CERT_X509:
11390 /* opaque ASN1Cert<1..2^24-1> */
11391 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11392 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11393 return;
11394 }
11395 offset += 3;
11396
11397 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11398#if defined(HAVE_LIBGNUTLS1)
11399 if (is_from_server && ssl && certificate_index == 0) {
11400 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
11401 /* Only attempt to get the RSA modulus for the first cert. */
11402 asn1_ctx.private_data = NULL((void*)0);
11403 }
11404#endif
11405 offset += cert_length;
11406 break;
11407 }
11408
11409 /* TLS 1.3: Extension extensions<0..2^16-1> */
11410 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
11411 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11412 next_offset, SSL_HND_CERTIFICATE,
11413 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11414 }
11415
11416#if defined(HAVE_LIBGNUTLS1)
11417 certificate_index++;
11418#endif
11419 }
11420}
11421
11422void
11423ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11424 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11425 SslSession *session, bool_Bool is_dtls)
11426{
11427 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
11428 * enum {
11429 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11430 * (255)
11431 * } ClientCertificateType;
11432 *
11433 * opaque DistinguishedName<1..2^16-1>;
11434 *
11435 * struct {
11436 * ClientCertificateType certificate_types<1..2^8-1>;
11437 * DistinguishedName certificate_authorities<3..2^16-1>;
11438 * } CertificateRequest;
11439 *
11440 *
11441 * As per TLSv1.2 (RFC 5246) the format has changed to:
11442 *
11443 * enum {
11444 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11445 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
11446 * fortezza_dms_RESERVED(20), (255)
11447 * } ClientCertificateType;
11448 *
11449 * enum {
11450 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
11451 * sha512(6), (255)
11452 * } HashAlgorithm;
11453 *
11454 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
11455 * SignatureAlgorithm;
11456 *
11457 * struct {
11458 * HashAlgorithm hash;
11459 * SignatureAlgorithm signature;
11460 * } SignatureAndHashAlgorithm;
11461 *
11462 * SignatureAndHashAlgorithm
11463 * supported_signature_algorithms<2..2^16-2>;
11464 *
11465 * opaque DistinguishedName<1..2^16-1>;
11466 *
11467 * struct {
11468 * ClientCertificateType certificate_types<1..2^8-1>;
11469 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
11470 * DistinguishedName certificate_authorities<0..2^16-1>;
11471 * } CertificateRequest;
11472 *
11473 * draft-ietf-tls-tls13-18:
11474 * struct {
11475 * opaque certificate_request_context<0..2^8-1>;
11476 * SignatureScheme
11477 * supported_signature_algorithms<2..2^16-2>;
11478 * DistinguishedName certificate_authorities<0..2^16-1>;
11479 * CertificateExtension certificate_extensions<0..2^16-1>;
11480 * } CertificateRequest;
11481 *
11482 * RFC 8446 (since draft-ietf-tls-tls13-19):
11483 *
11484 * struct {
11485 * opaque certificate_request_context<0..2^8-1>;
11486 * Extension extensions<2..2^16-1>;
11487 * } CertificateRequest;
11488 */
11489 proto_item *ti;
11490 proto_tree *subtree;
11491 uint32_t next_offset;
11492 asn1_ctx_t asn1_ctx;
11493 bool_Bool is_tls13 = (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc);
11494 unsigned char draft_version = session->tls13_draft_version;
11495
11496 if (!tree)
11497 return;
11498
11499 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11500
11501 if (is_tls13) {
11502 uint32_t context_length;
11503 /* opaque certificate_request_context<0..2^8-1> */
11504 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11505 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11506 return;
11507 }
11508 offset++;
11509 if (context_length > 0) {
11510 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11511 tvb, offset, context_length, ENC_NA0x00000000);
11512 offset += context_length;
11513 }
11514 } else {
11515 uint32_t cert_types_count;
11516 /* ClientCertificateType certificate_types<1..2^8-1> */
11517 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
11518 hf->hf.hs_cert_types_count, 1, UINT8_MAX(255))) {
11519 return;
11520 }
11521 offset++;
11522 next_offset = offset + cert_types_count;
11523
11524 ti = proto_tree_add_none_format(tree,
11525 hf->hf.hs_cert_types,
11526 tvb, offset, cert_types_count,
11527 "Certificate types (%u type%s)",
11528 cert_types_count,
11529 plurality(cert_types_count, "", "s")((cert_types_count) == 1 ? ("") : ("s")));
11530 subtree = proto_item_add_subtree(ti, hf->ett.cert_types);
11531
11532 while (offset < next_offset) {
11533 proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11534 offset++;
11535 }
11536 }
11537
11538 if (session->version == TLSV1DOT2_VERSION0x303 || session->version == DTLSV1DOT2_VERSION0xfefd ||
11539 (is_tls13 && (draft_version > 0 && draft_version < 19))) {
11540 offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
11541 }
11542
11543 if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
11544 /*
11545 * TLS 1.3 draft 19 and newer: Extensions.
11546 * SslDecryptSession pointer is NULL because Certificate Extensions
11547 * should not influence decryption state.
11548 */
11549 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11550 offset_end, SSL_HND_CERT_REQUEST,
11551 session, NULL((void*)0), is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11552 } else if (is_tls13 && draft_version <= 18) {
11553 /*
11554 * TLS 1.3 draft 18 and older: certificate_authorities and
11555 * certificate_extensions (a vector of OID mappings).
11556 */
11557 offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11558 ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
11559 } else {
11560 /* for TLS 1.2 and older, the certificate_authorities field. */
11561 tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11562 }
11563}
11564/* Certificate and Certificate Request dissections. }}} */
11565
11566void
11567ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11568 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
11569{
11570 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
11571 hf->hf.hs_client_cert_vrfy_sig_len,
11572 hf->hf.hs_client_cert_vrfy_sig);
11573}
11574
11575/* Finished dissection. {{{ */
11576void
11577ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11578 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11579 const SslSession *session, ssl_hfs_t *ssl_hfs)
11580{
11581 /* For SSLv3:
11582 * struct {
11583 * opaque md5_hash[16];
11584 * opaque sha_hash[20];
11585 * } Finished;
11586 *
11587 * For (D)TLS:
11588 * struct {
11589 * opaque verify_data[12];
11590 * } Finished;
11591 *
11592 * For TLS 1.3:
11593 * struct {
11594 * opaque verify_data[Hash.length];
11595 * }
11596 */
11597 if (!tree)
11598 return;
11599
11600 if (session->version == SSLV3_VERSION0x300) {
11601 if (ssl_hfs != NULL((void*)0)) {
11602 proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
11603 tvb, offset, 16, ENC_NA0x00000000);
11604 proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
11605 tvb, offset + 16, 20, ENC_NA0x00000000);
11606 }
11607 } else {
11608 /* Length should be 12 for TLS before 1.3, assume this is the case. */
11609 proto_tree_add_item(tree, hf->hf.hs_finished,
11610 tvb, offset, offset_end - offset, ENC_NA0x00000000);
11611 }
11612} /* }}} */
11613
11614/* RFC 6066 Certificate URL handshake message dissection. {{{ */
11615void
11616ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
11617{
11618 uint16_t url_hash_len;
11619
11620 /* enum {
11621 * individual_certs(0), pkipath(1), (255)
11622 * } CertChainType;
11623 *
11624 * struct {
11625 * CertChainType type;
11626 * URLAndHash url_and_hash_list<1..2^16-1>;
11627 * } CertificateURL;
11628 *
11629 * struct {
11630 * opaque url<1..2^16-1>;
11631 * uint8 padding;
11632 * opaque SHA1Hash[20];
11633 * } URLAndHash;
11634 */
11635
11636 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
11637 tvb, offset, 1, ENC_NA0x00000000);
11638 offset++;
11639
11640 url_hash_len = tvb_get_ntohs(tvb, offset);
11641 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
11642 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11643 offset += 2;
11644 while (url_hash_len-- > 0) {
11645 proto_item *urlhash_item;
11646 proto_tree *urlhash_tree;
11647 uint16_t url_len;
11648
11649 urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
11650 tvb, offset, -1, ENC_NA0x00000000);
11651 urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);
11652
11653 url_len = tvb_get_ntohs(tvb, offset);
11654 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
11655 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11656 offset += 2;
11657
11658 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
11659 tvb, offset, url_len, ENC_ASCII0x00000000|ENC_NA0x00000000);
11660 offset += url_len;
11661
11662 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
11663 tvb, offset, 1, ENC_NA0x00000000);
11664 offset++;
11665 /* Note: RFC 6066 says that padding must be 0x01 */
11666
11667 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
11668 tvb, offset, 20, ENC_NA0x00000000);
11669 offset += 20;
11670 }
11671} /* }}} */
11672
11673void
11674ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11675 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11676 SslSession *session, SslDecryptSession *ssl,
11677 bool_Bool is_from_server, bool_Bool is_dtls)
11678{
11679 uint32_t algorithm, uncompressed_length;
11680 uint32_t compressed_certificate_message_length;
11681 tvbuff_t *uncompressed_tvb = NULL((void*)0);
11682 proto_item *ti;
11683 /*
11684 * enum {
11685 * zlib(1),
11686 * brotli(2),
11687 * zstd(3),
11688 * (65535)
11689 * } CertificateCompressionAlgorithm;
11690 *
11691 * struct {
11692 * CertificateCompressionAlgorithm algorithm;
11693 * uint24 uncompressed_length;
11694 * opaque compressed_certificate_message<1..2^24-1>;
11695 * } CompressedCertificate;
11696 */
11697
11698 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
11699 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &algorithm);
11700 offset += 2;
11701
11702 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
11703 tvb, offset, 3, ENC_BIG_ENDIAN0x00000000, &uncompressed_length);
11704 offset += 3;
11705
11706 /* opaque compressed_certificate_message<1..2^24-1>; */
11707 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,
11708 hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24((1U << 24) - 1))) {
11709 return;
11710 }
11711 offset += 3;
11712
11713 ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
11714 tvb, offset, compressed_certificate_message_length, ENC_NA0x00000000);
11715
11716 /* Certificate decompression following algorithm */
11717 switch (algorithm) {
11718 case 1: /* zlib */
11719 uncompressed_tvb = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_certificate_message_length);
11720 break;
11721 case 2: /* brotli */
11722 uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);
11723 break;
11724 case 3: /* zstd */
11725 uncompressed_tvb = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_certificate_message_length);
11726 break;
11727 }
11728
11729 if (uncompressed_tvb) {
11730 proto_tree *uncompressed_tree;
11731
11732 if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {
11733 proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
11734 tvb, offset, offset_end - offset,
11735 "Invalid uncompressed length %u (expected %u)",
11736 tvb_captured_length(uncompressed_tvb),
11737 uncompressed_length);
11738 } else {
11739 uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
11740 ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
11741 0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
11742 add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
11743 }
11744 }
11745}
11746
11747/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
11748static int
11749// NOLINTNEXTLINE(misc-no-recursion)
11750ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11751 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
11752 SslSession *session, SslDecryptSession *ssl,
11753 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
11754 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length)
11755{
11756 uint32_t exts_len;
11757 uint16_t ext_type;
11758 uint32_t ext_len;
11759 uint32_t next_offset;
11760 proto_item *ext_item;
11761 proto_tree *ext_tree;
11762 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
11763 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
11764 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
11765 char *ja3_dash = "";
11766 unsigned supported_version;
11767
11768 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
11769 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
11770 hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
11771 return offset_end;
11772 }
11773 offset += 2;
11774 offset_end = offset + exts_len;
11775
11776 if (ja4_data) {
11777 ja4_data->num_extensions = 0;
11778 }
11779 while (offset_end - offset >= 4)
11780 {
11781 ext_type = tvb_get_ntohs(tvb, offset);
11782 ext_len = tvb_get_ntohs(tvb, offset + 2);
11783
11784 if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11785 ja4_data->num_extensions += 1;
11786 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
11787 ext_type != SSL_HND_HELLO_EXT_ALPN16) {
11788 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
11789 }
11790 }
11791
11792 ext_item = proto_tree_add_none_format(tree, hf->hf.hs_ext, tvb, offset, 4 + ext_len,
11793 "Extension: %s (len=%u)", val_to_str(pinfo->pool, ext_type,
11794 tls_hello_extension_types,
11795 "Unknown type %u"), ext_len);
11796 ext_tree = proto_item_add_subtree(ext_item, hf->ett.hs_ext);
11797
11798 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
11799 tvb, offset, 2, ext_type);
11800 offset += 2;
11801 if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11802 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
11803 ja3_dash = "-";
11804 }
11805
11806 /* opaque extension_data<0..2^16-1> */
11807 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
11808 hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
11809 return offset_end;
11810 }
11811 offset += 2;
11812 next_offset = offset + ext_len;
11813
11814 switch (ext_type) {
11815 case SSL_HND_HELLO_EXT_SERVER_NAME0:
11816 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11817 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
11818 if (ja4_data) {
11819 ja4_data->server_name_present = true1;
11820 }
11821 }
11822 break;
11823 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
11824 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
11825 offset += 1;
11826 break;
11827 case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
11828 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11829 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
11830 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
11831 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
11832 }
11833 break;
11834 case SSL_HND_HELLO_EXT_CERT_TYPE9:
11835 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11836 offset, next_offset,
11837 hnd_type, ext_type,
11838 session);
11839 break;
11840 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
11841 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11842 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11843 next_offset, ja3_sg);
11844 } else {
11845 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11846 next_offset, NULL((void*)0));
11847 }
11848 break;
11849 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
11850 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11851 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
11852 } else {
11853 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
11854 }
11855 break;
11856 break;
11857 case SSL_HND_HELLO_EXT_SRP12:
11858 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
11859 break;
11860 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
11861 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
11862 break;
11863 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
11864 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
11865 break;
11866 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
11867 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
11868 break;
11869 case SSL_HND_HELLO_EXT_USE_SRTP14:
11870 if (is_dtls) {
11871 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11872 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
11873 } else if (hnd_type == SSL_HND_SERVER_HELLO) {
11874 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
11875 }
11876 } else {
11877 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
11878 }
11879 break;
11880 case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
11881 offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
11882 break;
11883 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
11884 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map, initial_offset, hello_length);
11885 break;
11886 case SSL_HND_HELLO_EXT_HEARTBEAT15:
11887 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
11888 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11889 offset++;
11890 break;
11891 case SSL_HND_HELLO_EXT_ALPN16:
11892 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
11893 break;
11894 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
11895 if (hnd_type == SSL_HND_CLIENT_HELLO)
11896 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
11897 break;
11898 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
11899 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
11900 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
11901 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
11902 break;
11903 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
11904 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
11905 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11906 offset, next_offset,
11907 hnd_type, ext_type,
11908 session);
11909 break;
11910 case SSL_HND_HELLO_EXT_PADDING21:
11911 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
11912 offset += ext_len;
11913 break;
11914 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
11915 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
11916 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
11917 ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
11918 }
11919 break;
11920 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
11921 if (ssl) {
11922 switch (hnd_type) {
11923 case SSL_HND_CLIENT_HELLO:
11924 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
11925 break;
11926 case SSL_HND_SERVER_HELLO:
11927 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
11928 break;
11929 default: /* no default */
11930 break;
11931 }
11932 }
11933 break;
11934 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
11935 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11936 break;
11937 case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
11938 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11939 break;
11940 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
11941 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
11942 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11943 offset += 2;
11944 break;
11945 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
11946 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
11947 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11948 break;
11949 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
11950 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
11951 break;
11952 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
11953 case SSL_HND_HELLO_EXT_KEY_SHARE51:
11954 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11955 break;
11956 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
11957 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11958 break;
11959 case SSL_HND_HELLO_EXT_EARLY_DATA42:
11960 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
11961 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11962 break;
11963 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
11964 switch (hnd_type) {
11965 case SSL_HND_CLIENT_HELLO:
11966 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
11967 break;
11968 case SSL_HND_SERVER_HELLO:
11969 case SSL_HND_HELLO_RETRY_REQUEST:
11970 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
11971 offset += 2;
11972 proto_item_append_text(ext_tree, " %s", val_to_str(pinfo->pool, supported_version, ssl_versions, "Unknown (0x%04x)"));
11973 break;
11974 }
11975 break;
11976 case SSL_HND_HELLO_EXT_COOKIE44:
11977 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
11978 break;
11979 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
11980 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
11981 break;
11982 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
11983 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
11984 break;
11985 case SSL_HND_HELLO_EXT_OID_FILTERS48:
11986 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
11987 break;
11988 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
11989 break;
11990 case SSL_HND_HELLO_EXT_NPN13172:
11991 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
11992 break;
11993 case SSL_HND_HELLO_EXT_ALPS_OLD17513:
11994 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11995 break;
11996 case SSL_HND_HELLO_EXT_ALPS17613:
11997 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11998 break;
11999 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
12000 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
12001 break;
12002 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
12003 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12004 break;
12005 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
12006 session->deprecated_cid = true1;
12007 /* FALLTHRU */
12008 case SSL_HND_HELLO_EXT_CONNECTION_ID54:
12009 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
12010 break;
12011 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
12012 offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
12013 break;
12014 default:
12015 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
12016 tvb, offset, ext_len, ENC_NA0x00000000);
12017 offset += ext_len;
12018 break;
12019 }
12020
12021 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
12022 /* Dissection did not end at expected location, fix it. */
12023 offset = next_offset;
12024 }
12025 }
12026
12027 if (ja3) {
12028 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12029 if(wmem_strbuf_get_len(ja3_sg) > 0) {
12030 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
12031 } else {
12032 wmem_strbuf_append_c(ja3, ',');
12033 }
12034 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
12035 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
12036 } else {
12037 wmem_strbuf_append_c(ja3, ',');
12038 }
12039 }
12040 }
12041
12042 /* Check if Extensions vector is correctly terminated. */
12043 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
12044 offset = offset_end;
12045 }
12046
12047 return offset;
12048} /* }}} */
12049
12050
12051/* ClientKeyExchange algo-specific dissectors. {{{ */
12052
12053static void
12054dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12055 proto_tree *tree, uint32_t offset,
12056 uint32_t length)
12057{
12058 int point_len;
12059 proto_tree *ssl_ecdh_tree;
12060
12061 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12062 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Client Params");
12063
12064 /* point */
12065 point_len = tvb_get_uint8(tvb, offset);
12066 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
12067 offset, 1, ENC_BIG_ENDIAN0x00000000);
12068 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
12069 offset + 1, point_len, ENC_NA0x00000000);
12070}
12071
12072static void
12073dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12074 proto_tree *tree, uint32_t offset, uint32_t length)
12075{
12076 int yc_len;
12077 proto_tree *ssl_dh_tree;
12078
12079 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12080 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Client Params");
12081
12082 /* ClientDiffieHellmanPublic.dh_public (explicit) */
12083 yc_len = tvb_get_ntohs(tvb, offset);
12084 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
12085 offset, 2, ENC_BIG_ENDIAN0x00000000);
12086 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,
12087 offset + 2, yc_len, ENC_NA0x00000000);
12088}
12089
12090static void
12091dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12092 proto_tree *tree, uint32_t offset,
12093 uint32_t length, const SslSession *session)
12094{
12095 int epms_len;
12096 proto_tree *ssl_rsa_tree;
12097
12098 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12099 hf->ett.keyex_params, NULL((void*)0), "RSA Encrypted PreMaster Secret");
12100
12101 /* EncryptedPreMasterSecret.pre_master_secret */
12102 switch (session->version) {
12103 case SSLV2_VERSION0x0002:
12104 case SSLV3_VERSION0x300:
12105 case DTLSV1DOT0_OPENSSL_VERSION0x100:
12106 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
12107 * not present. The handshake contents represents the EPMS, see:
12108 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
12109 epms_len = length;
12110 break;
12111
12112 default:
12113 /* TLS and DTLS include vector length before EPMS */
12114 epms_len = tvb_get_ntohs(tvb, offset);
12115 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12116 offset, 2, ENC_BIG_ENDIAN0x00000000);
12117 offset += 2;
12118 break;
12119 }
12120 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
12121 offset, epms_len, ENC_NA0x00000000);
12122}
12123
12124/* Used in PSK cipher suites */
12125static uint32_t
12126dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12127 proto_tree *tree, uint32_t offset)
12128{
12129 unsigned identity_len;
12130 proto_tree *ssl_psk_tree;
12131
12132 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12133 hf->ett.keyex_params, NULL((void*)0), "PSK Client Params");
12134 /* identity */
12135 identity_len = tvb_get_ntohs(tvb, offset);
12136 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
12137 offset, 2, ENC_BIG_ENDIAN0x00000000);
12138 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,
12139 offset + 2, identity_len, ENC_NA0x00000000);
12140
12141 proto_item_set_len(ssl_psk_tree, 2 + identity_len);
12142 return 2 + identity_len;
12143}
12144
12145/* Used in RSA PSK cipher suites */
12146static void
12147dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12148 proto_tree *tree, uint32_t offset,
12149 uint32_t length)
12150{
12151 int identity_len, epms_len;
12152 proto_tree *ssl_psk_tree;
12153
12154 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12155 hf->ett.keyex_params, NULL((void*)0), "RSA PSK Client Params");
12156
12157 /* identity */
12158 identity_len = tvb_get_ntohs(tvb, offset);
12159 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,
12160 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12161 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,
12162 tvb, offset + 2, identity_len, ENC_NA0x00000000);
12163 offset += 2 + identity_len;
12164
12165 /* Yc */
12166 epms_len = tvb_get_ntohs(tvb, offset);
12167 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12168 offset, 2, ENC_BIG_ENDIAN0x00000000);
12169 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,
12170 offset + 2, epms_len, ENC_NA0x00000000);
12171}
12172
12173/* Used in Diffie-Hellman PSK cipher suites */
12174static void
12175dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12176 proto_tree *tree, uint32_t offset, uint32_t length)
12177{
12178 /*
12179 * struct {
12180 * select (KeyExchangeAlgorithm) {
12181 * case diffie_hellman_psk:
12182 * opaque psk_identity<0..2^16-1>;
12183 * ClientDiffieHellmanPublic public;
12184 * } exchange_keys;
12185 * } ClientKeyExchange;
12186 */
12187
12188 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12189 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);
12190}
12191
12192/* Used in EC Diffie-Hellman PSK cipher suites */
12193static void
12194dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12195 proto_tree *tree, uint32_t offset, uint32_t length)
12196{
12197 /*
12198 * struct {
12199 * select (KeyExchangeAlgorithm) {
12200 * case ec_diffie_hellman_psk:
12201 * opaque psk_identity<0..2^16-1>;
12202 * ClientECDiffieHellmanPublic public;
12203 * } exchange_keys;
12204 * } ClientKeyExchange;
12205 */
12206
12207 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12208 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);
12209}
12210
12211/* Used in EC J-PAKE cipher suites */
12212static void
12213dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12214 proto_tree *tree, uint32_t offset,
12215 uint32_t length)
12216{
12217 /*
12218 * struct {
12219 * ECPoint V;
12220 * opaque r<1..2^8-1>;
12221 * } ECSchnorrZKP;
12222 *
12223 * struct {
12224 * ECPoint X;
12225 * ECSchnorrZKP zkp;
12226 * } ECJPAKEKeyKP;
12227 *
12228 * struct {
12229 * ECJPAKEKeyKP ecjpake_key_kp;
12230 * } ClientECJPAKEParams;
12231 *
12232 * select (KeyExchangeAlgorithm) {
12233 * case ecjpake:
12234 * ClientECJPAKEParams params;
12235 * } ClientKeyExchange;
12236 */
12237
12238 int point_len;
12239 proto_tree *ssl_ecjpake_tree;
12240
12241 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12242 hf->ett.keyex_params, NULL((void*)0),
12243 "EC J-PAKE Client Params");
12244
12245 /* ECJPAKEKeyKP.X */
12246 point_len = tvb_get_uint8(tvb, offset);
12247 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,
12248 offset, 1, ENC_BIG_ENDIAN0x00000000);
12249 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,
12250 offset + 1, point_len, ENC_NA0x00000000);
12251 offset += 1 + point_len;
12252
12253 /* ECJPAKEKeyKP.zkp.V */
12254 point_len = tvb_get_uint8(tvb, offset);
12255 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,
12256 offset, 1, ENC_BIG_ENDIAN0x00000000);
12257 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,
12258 offset + 1, point_len, ENC_NA0x00000000);
12259 offset += 1 + point_len;
12260
12261 /* ECJPAKEKeyKP.zkp.r */
12262 point_len = tvb_get_uint8(tvb, offset);
12263 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,
12264 offset, 1, ENC_BIG_ENDIAN0x00000000);
12265 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,
12266 offset + 1, point_len, ENC_NA0x00000000);
12267}
12268
12269static void
12270dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12271 proto_tree *tree, uint32_t offset,
12272 uint32_t length)
12273{
12274 int epms_len;
12275 proto_tree *ssl_ecc_sm2_tree;
12276
12277 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12278 hf->ett.keyex_params, NULL((void*)0),
12279 "ECC-SM2 Encrypted PreMaster Secret");
12280
12281 epms_len = tvb_get_ntohs(tvb, offset);
12282 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12283 offset, 2, ENC_BIG_ENDIAN0x00000000);
12284 offset += 2;
12285 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
12286 offset, epms_len, ENC_NA0x00000000);
12287}
12288/* ClientKeyExchange algo-specific dissectors. }}} */
12289
12290
12291/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
12292static uint32_t
12293ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12294 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12295 uint16_t version, int hf_sig_len, int hf_sig)
12296{
12297 uint32_t sig_len;
12298
12299 switch (version) {
12300 case TLSV1DOT2_VERSION0x303:
12301 case DTLSV1DOT2_VERSION0xfefd:
12302 case TLSV1DOT3_VERSION0x304:
12303 case DTLSV1DOT3_VERSION0xfefc:
12304 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
12305 offset += 2;
12306 break;
12307
12308 default:
12309 break;
12310 }
12311
12312 /* Sig */
12313 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
12314 hf_sig_len, 0, UINT16_MAX(65535))) {
12315 return offset_end;
12316 }
12317 offset += 2;
12318 proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA0x00000000);
12319 offset += sig_len;
12320 return offset;
12321} /* }}} */
12322
12323/* ServerKeyExchange algo-specific dissectors. {{{ */
12324
12325/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
12326static void
12327dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12328 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12329 uint16_t version)
12330{
12331 /*
12332 * TLSv1.2 (RFC 5246 sec 7.4.8)
12333 * struct {
12334 * digitally-signed struct {
12335 * opaque handshake_messages[handshake_messages_length];
12336 * }
12337 * } CertificateVerify;
12338 *
12339 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
12340 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
12341 *
12342 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
12343 * does more hashing including the master secret and padding.
12344 */
12345 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
12346 hf->hf.hs_server_keyex_sig_len,
12347 hf->hf.hs_server_keyex_sig);
12348}
12349
12350static uint32_t
12351dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
12352{
12353 /*
12354 * RFC 4492 ECC cipher suites for TLS
12355 *
12356 * struct {
12357 * ECCurveType curve_type;
12358 * select (curve_type) {
12359 * case explicit_prime:
12360 * ...
12361 * case explicit_char2:
12362 * ...
12363 * case named_curve:
12364 * NamedCurve namedcurve;
12365 * };
12366 * } ECParameters;
12367 */
12368
12369 int curve_type;
12370
12371 /* ECParameters.curve_type */
12372 curve_type = tvb_get_uint8(tvb, offset);
12373 proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
12374 offset, 1, ENC_BIG_ENDIAN0x00000000);
12375 offset++;
12376
12377 if (curve_type != 3)
12378 return offset_end; /* only named_curves are supported */
12379
12380 /* case curve_type == named_curve; ECParameters.namedcurve */
12381 proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
12382 offset, 2, ENC_BIG_ENDIAN0x00000000);
12383 offset += 2;
12384
12385 return offset;
12386}
12387
12388static void
12389dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12390 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12391 uint16_t version, bool_Bool anon)
12392{
12393 /*
12394 * RFC 4492 ECC cipher suites for TLS
12395 *
12396 * struct {
12397 * opaque point <1..2^8-1>;
12398 * } ECPoint;
12399 *
12400 * struct {
12401 * ECParameters curve_params;
12402 * ECPoint public;
12403 * } ServerECDHParams;
12404 *
12405 * select (KeyExchangeAlgorithm) {
12406 * case ec_diffie_hellman:
12407 * ServerECDHParams params;
12408 * Signature signed_params;
12409 * } ServerKeyExchange;
12410 */
12411
12412 int point_len;
12413 proto_tree *ssl_ecdh_tree;
12414
12415 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12416 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Server Params");
12417
12418 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);
12419 if (offset >= offset_end)
12420 return; /* only named_curves are supported */
12421
12422 /* ECPoint.point */
12423 point_len = tvb_get_uint8(tvb, offset);
12424 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
12425 offset, 1, ENC_BIG_ENDIAN0x00000000);
12426 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
12427 offset + 1, point_len, ENC_NA0x00000000);
12428 offset += 1 + point_len;
12429
12430 /* Signature (if non-anonymous KEX) */
12431 if (!anon) {
12432 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);
12433 }
12434}
12435
12436static void
12437dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12438 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12439 uint16_t version, bool_Bool anon)
12440{
12441 int p_len, g_len, ys_len;
12442 proto_tree *ssl_dh_tree;
12443
12444 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12445 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");
12446
12447 /* p */
12448 p_len = tvb_get_ntohs(tvb, offset);
12449 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
12450 offset, 2, ENC_BIG_ENDIAN0x00000000);
12451 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
12452 offset + 2, p_len, ENC_NA0x00000000);
12453 offset += 2 + p_len;
12454
12455 /* g */
12456 g_len = tvb_get_ntohs(tvb, offset);
12457 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
12458 offset, 2, ENC_BIG_ENDIAN0x00000000);
12459 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
12460 offset + 2, g_len, ENC_NA0x00000000);
12461 offset += 2 + g_len;
12462
12463 /* Ys */
12464 ys_len = tvb_get_ntohs(tvb, offset);
12465 proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
12466 offset, 2, ys_len);
12467 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
12468 offset + 2, ys_len, ENC_NA0x00000000);
12469 offset += 2 + ys_len;
12470
12471 /* Signature (if non-anonymous KEX) */
12472 if (!anon) {
12473 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
12474 }
12475}
12476
12477/* Only used in RSA-EXPORT cipher suites */
12478static void
12479dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12480 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12481 uint16_t version)
12482{
12483 int modulus_len, exponent_len;
12484 proto_tree *ssl_rsa_tree;
12485
12486 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12487 hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");
12488
12489 /* modulus */
12490 modulus_len = tvb_get_ntohs(tvb, offset);
12491 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
12492 offset, 2, ENC_BIG_ENDIAN0x00000000);
12493 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
12494 offset + 2, modulus_len, ENC_NA0x00000000);
12495 offset += 2 + modulus_len;
12496
12497 /* exponent */
12498 exponent_len = tvb_get_ntohs(tvb, offset);
12499 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
12500 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12501 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
12502 tvb, offset + 2, exponent_len, ENC_NA0x00000000);
12503 offset += 2 + exponent_len;
12504
12505 /* Signature */
12506 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
12507}
12508
12509/* Used in RSA PSK and PSK cipher suites */
12510static uint32_t
12511dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12512 proto_tree *tree, uint32_t offset)
12513{
12514 unsigned hint_len;
12515 proto_tree *ssl_psk_tree;
12516
12517 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12518 hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");
12519
12520 /* hint */
12521 hint_len = tvb_get_ntohs(tvb, offset);
12522 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
12523 offset, 2, ENC_BIG_ENDIAN0x00000000);
12524 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
12525 offset + 2, hint_len, ENC_NA0x00000000);
12526
12527 proto_item_set_len(ssl_psk_tree, 2 + hint_len);
12528 return 2 + hint_len;
12529}
12530
12531/* Used in Diffie-Hellman PSK cipher suites */
12532static void
12533dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12534 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12535{
12536 /*
12537 * struct {
12538 * select (KeyExchangeAlgorithm) {
12539 * case diffie_hellman_psk:
12540 * opaque psk_identity_hint<0..2^16-1>;
12541 * ServerDHParams params;
12542 * };
12543 * } ServerKeyExchange;
12544 */
12545
12546 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12547 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12548}
12549
12550/* Used in EC Diffie-Hellman PSK cipher suites */
12551static void
12552dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12553 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12554{
12555 /*
12556 * struct {
12557 * select (KeyExchangeAlgorithm) {
12558 * case ec_diffie_hellman_psk:
12559 * opaque psk_identity_hint<0..2^16-1>;
12560 * ServerECDHParams params;
12561 * };
12562 * } ServerKeyExchange;
12563 */
12564
12565 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12566 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12567}
12568
12569/* Used in EC J-PAKE cipher suites */
12570static void
12571dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12572 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12573{
12574 /*
12575 * struct {
12576 * ECPoint V;
12577 * opaque r<1..2^8-1>;
12578 * } ECSchnorrZKP;
12579 *
12580 * struct {
12581 * ECPoint X;
12582 * ECSchnorrZKP zkp;
12583 * } ECJPAKEKeyKP;
12584 *
12585 * struct {
12586 * ECParameters curve_params;
12587 * ECJPAKEKeyKP ecjpake_key_kp;
12588 * } ServerECJPAKEParams;
12589 *
12590 * select (KeyExchangeAlgorithm) {
12591 * case ecjpake:
12592 * ServerECJPAKEParams params;
12593 * } ServerKeyExchange;
12594 */
12595
12596 int point_len;
12597 proto_tree *ssl_ecjpake_tree;
12598
12599 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12600 hf->ett.keyex_params, NULL((void*)0),
12601 "EC J-PAKE Server Params");
12602
12603 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
12604 if (offset >= offset_end)
12605 return; /* only named_curves are supported */
12606
12607 /* ECJPAKEKeyKP.X */
12608 point_len = tvb_get_uint8(tvb, offset);
12609 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
12610 offset, 1, ENC_BIG_ENDIAN0x00000000);
12611 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
12612 offset + 1, point_len, ENC_NA0x00000000);
12613 offset += 1 + point_len;
12614
12615 /* ECJPAKEKeyKP.zkp.V */
12616 point_len = tvb_get_uint8(tvb, offset);
12617 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
12618 offset, 1, ENC_BIG_ENDIAN0x00000000);
12619 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
12620 offset + 1, point_len, ENC_NA0x00000000);
12621 offset += 1 + point_len;
12622
12623 /* ECJPAKEKeyKP.zkp.r */
12624 point_len = tvb_get_uint8(tvb, offset);
12625 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
12626 offset, 1, ENC_BIG_ENDIAN0x00000000);
12627 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
12628 offset + 1, point_len, ENC_NA0x00000000);
12629}
12630
12631/* Only used in ECC-SM2-EXPORT cipher suites */
12632static void
12633dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12634 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12635 uint16_t version)
12636{
12637 proto_tree *ssl_ecc_sm2_tree;
12638
12639 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12640 hf->ett.keyex_params, NULL((void*)0), "ECC-SM2-EXPORT Server Params");
12641
12642 /* Signature */
12643 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);
12644}
12645/* ServerKeyExchange algo-specific dissectors. }}} */
12646
12647/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12648void
12649ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12650 proto_tree *tree, uint32_t offset, uint32_t length,
12651 const SslSession *session)
12652{
12653 switch (ssl_get_keyex_alg(session->cipher)) {
12654 case KEX_DH_ANON0x13: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
12655 case KEX_DH_DSS0x14:
12656 case KEX_DH_RSA0x15:
12657 case KEX_DHE_DSS0x10:
12658 case KEX_DHE_RSA0x12:
12659 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
12660 break;
12661 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
12662 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
12663 break;
12664 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
12665 case KEX_ECDH_ECDSA0x1a:
12666 case KEX_ECDH_RSA0x1b:
12667 case KEX_ECDHE_ECDSA0x16:
12668 case KEX_ECDHE_RSA0x18:
12669 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
12670 break;
12671 case KEX_ECDHE_PSK0x17: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
12672 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
12673 break;
12674 case KEX_KRB50x1c: /* RFC 2712; krb5: KerberosWrapper */
12675 /* XXX: implement support for KRB5 */
12676 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12677 tvb, offset, length,
12678 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
12679 " developers if you want them to be supported");
12680 break;
12681 case KEX_PSK0x1d: /* RFC 4279; psk: psk_identity */
12682 dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12683 break;
12684 case KEX_RSA0x1e: /* RFC 5246; rsa: EncryptedPreMasterSecret */
12685 dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
12686 break;
12687 case KEX_RSA_PSK0x1f: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
12688 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
12689 break;
12690 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ClientSRPPublic */
12691 case KEX_SRP_SHA_DSS0x21:
12692 case KEX_SRP_SHA_RSA0x22:
12693 /* XXX: implement support for SRP_SHA* */
12694 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12695 tvb, offset, length,
12696 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12697 " developers if you want them to be supported");
12698 break;
12699 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12700 dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
12701 break;
12702 case KEX_ECC_SM20x26: /* GB/T 38636 */
12703 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
12704 break;
12705 default:
12706 if (session->cipher == 0) {
12707 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12708 tvb, offset, length,
12709 "Cipher Suite not found");
12710 } else {
12711 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12712 tvb, offset, length,
12713 "Cipher Suite 0x%04x is not implemented, "
12714 "contact Wireshark developers if you want this to be supported",
12715 session->cipher);
12716 }
12717 break;
12718 }
12719}
12720
12721void
12722ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12723 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12724 const SslSession *session)
12725{
12726 switch (ssl_get_keyex_alg(session->cipher)) {
12727 case KEX_DH_ANON0x13: /* RFC 5246; ServerDHParams */
12728 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12729 break;
12730 case KEX_DH_DSS0x14: /* RFC 5246; not allowed */
12731 case KEX_DH_RSA0x15:
12732 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12733 tvb, offset, offset_end - offset);
12734 break;
12735 case KEX_DHE_DSS0x10: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
12736 case KEX_DHE_RSA0x12:
12737 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12738 break;
12739 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
12740 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
12741 break;
12742 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
12743 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12744 break;
12745 case KEX_ECDHE_PSK0x17: /* RFC 5489; psk_identity_hint, ServerECDHParams */
12746 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
12747 break;
12748 case KEX_ECDH_ECDSA0x1a: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
12749 case KEX_ECDH_RSA0x1b:
12750 case KEX_ECDHE_ECDSA0x16:
12751 case KEX_ECDHE_RSA0x18:
12752 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12753 break;
12754 case KEX_KRB50x1c: /* RFC 2712; not allowed */
12755 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12756 tvb, offset, offset_end - offset);
12757 break;
12758 case KEX_PSK0x1d: /* RFC 4279; psk, rsa: psk_identity */
12759 case KEX_RSA_PSK0x1f:
12760 dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12761 break;
12762 case KEX_RSA0x1e: /* only allowed if the public key in the server certificate is longer than 512 bits */
12763 dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12764 break;
12765 case KEX_ECC_SM20x26: /* GB/T 38636 */
12766 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12767 break;
12768 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ServerSRPParams, Signature */
12769 case KEX_SRP_SHA_DSS0x21:
12770 case KEX_SRP_SHA_RSA0x22:
12771 /* XXX: implement support for SRP_SHA* */
12772 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12773 tvb, offset, offset_end - offset,
12774 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12775 " developers if you want them to be supported");
12776 break;
12777 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12778 dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
12779 break;
12780 default:
12781 if (session->cipher == 0) {
12782 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12783 tvb, offset, offset_end - offset,
12784 "Cipher Suite not found");
12785 } else {
12786 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12787 tvb, offset, offset_end - offset,
12788 "Cipher Suite 0x%04x is not implemented, "
12789 "contact Wireshark developers if you want this to be supported",
12790 session->cipher);
12791 }
12792 break;
12793 }
12794}
12795/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
12796
12797void
12798tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12799 proto_tree *tree, uint32_t offset)
12800{
12801 /* RFC 8446 Section 4.6.3
12802 * enum {
12803 * update_not_requested(0), update_requested(1), (255)
12804 * } KeyUpdateRequest;
12805 *
12806 * struct {
12807 * KeyUpdateRequest request_update;
12808 * } KeyUpdate;
12809 */
12810 proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA0x00000000);
12811}
12812
12813void
12814ssl_common_register_ssl_alpn_dissector_table(const char *name,
12815 const char *ui_name, const int proto)
12816{
12817 ssl_alpn_dissector_table = register_dissector_table(name, ui_name,
12818 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12819 register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");
12820}
12821
12822void
12823ssl_common_register_dtls_alpn_dissector_table(const char *name,
12824 const char *ui_name, const int proto)
12825{
12826 dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
12827 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12828 register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
12829}
12830
12831void
12832ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool_Bool is_dtls)
12833{
12834 prefs_register_string_preference(module, "psk", "Pre-Shared Key",
12835 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
12836 &(options->psk));
12837
12838 if (is_dtls) {
12839 prefs_register_obsolete_preference(module, "keylog_file");
12840 prefs_register_static_text_preference(module, "keylog_file_removed",
12841 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
12842 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
12843 return;
12844 }
12845
12846 prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
12847 "The name of a file which contains a list of \n"
12848 "(pre-)master secrets in one of the following formats:\n"
12849 "\n"
12850 "RSA <EPMS> <PMS>\n"
12851 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
12852 "CLIENT_RANDOM <CRAND> <MS>\n"
12853 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
12854 "\n"
12855 "Where:\n"
12856 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
12857 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
12858 "<SSLID> = The SSL Session ID\n"
12859 "<MS> = The Master-Secret (MS)\n"
12860 "<CRAND> = The Client's random number from the ClientHello message\n"
12861 "\n"
12862 "(All fields are in hex notation)",
12863 &(options->keylog_filename), false0);
12864}
12865
12866void
12867ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length)
12868{
12869 if (ssl_session && ssl_session->session.version != TLSV1DOT3_VERSION0x304 && !(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
12870 uint32_t old_length = ssl_session->handshake_data.data_len;
12871 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
12872 if (tvb) {
12873 if (tvb_bytes_exist(tvb, offset, length)) {
12874 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12875 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
12876 ssl_session->handshake_data.data_len += length;
12877 }
12878 } else {
12879 /* DTLS calculates the hash as if each handshake message had been
12880 * sent as a single fragment (RFC 6347, section 4.2.6) and passes
12881 * in a null tvbuff to add 3 bytes for a zero fragment offset.
12882 */
12883 DISSECTOR_ASSERT_CMPINT(length, <, 4)((void) ((length < 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "length" " " "<" " " "4" " (" "%"
"l" "d" " " "<" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 12883, (int64_t)length, (int64_t)4))));
12884 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12885 memset(ssl_session->handshake_data.data + old_length, 0, length);
12886 ssl_session->handshake_data.data_len += length;
12887 }
12888 }
12889}
12890
12891
12892/*
12893 * Editor modelines - https://www.wireshark.org/tools/modelines.html
12894 *
12895 * Local variables:
12896 * c-basic-offset: 4
12897 * tab-width: 8
12898 * indent-tabs-mode: nil
12899 * End:
12900 *
12901 * vi: set shiftwidth=4 tabstop=8 expandtab:
12902 * :indentSize=4:tabSize=8:noTabs=true:
12903 */