Bug Summary

File:epan/dissectors/packet-tls-utils.c
Warning:line 4883, column 17
Potential leak of memory pointed to by 'handshake_hashed_data.data'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-21/lib/clang/21 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-21/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-truncation -Wno-format-nonliteral -Wno-pointer-sign -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2025-10-27-100323-3623-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <[email protected]>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <[email protected]>
6 * Copyright (c) 2014, Peter Wu <[email protected]>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <[email protected]>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15#include "config.h"
16
17#include <stdlib.h>
18#include <errno(*__errno_location ()).h>
19
20#include <epan/packet.h>
21#include <epan/strutil.h>
22#include <epan/addr_resolv.h>
23#include <epan/expert.h>
24#include <epan/asn1.h>
25#include <epan/proto_data.h>
26#include <epan/oids.h>
27#include <epan/secrets.h>
28
29#include <wsutil/inet_cidr.h>
30#include <wsutil/filesystem.h>
31#include <wsutil/file_util.h>
32#include <wsutil/str_util.h>
33#include <wsutil/report_message.h>
34#include <wsutil/pint.h>
35#include <wsutil/strtoi.h>
36#include <wsutil/wsgcrypt.h>
37#include <wsutil/rsa.h>
38#include <wsutil/ws_assert.h>
39#include <wsutil/zlib_compat.h>
40#include "packet-ber.h"
41#include "packet-x509af.h"
42#include "packet-x509if.h"
43#include "packet-tls-utils.h"
44#include "packet-ocsp.h"
45#include "packet-tls.h"
46#include "packet-dtls.h"
47#include "packet-quic.h"
48#if defined(HAVE_LIBGNUTLS1)
49#include <gnutls/abstract.h>
50#include <gnutls/x509.h>
51#include <gnutls/pkcs12.h>
52#endif
53
54/* JA3/JA3S calculations must ignore GREASE values
55 * as described in RFC 8701.
56 */
57#define IS_GREASE_TLS(x)((((x) & 0x0f0f) == 0x0a0a) && (((x) & 0xff) ==
(((x)>>8) & 0xff))) ((((x) & 0x0f0f) == 0x0a0a) && \
58 (((x) & 0xff) == (((x)>>8) & 0xff)))
59
60/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
61 * form for a similar purpose as GREASE.
62 */
63#define IS_GREASE_QUIC(x)((x) > 27 ? ((((x) - 27) % 31) == 0) : 0) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)
64
65#define DTLS13_MAX_EPOCH10 10
66
67/* Lookup tables {{{ */
68const value_string ssl_version_short_names[] = {
69 { SSLV2_VERSION0x0002, "SSLv2" },
70 { SSLV3_VERSION0x300, "SSLv3" },
71 { TLSV1_VERSION0x301, "TLSv1" },
72 { TLCPV1_VERSION0x101, "TLCP" },
73 { TLSV1DOT1_VERSION0x302, "TLSv1.1" },
74 { TLSV1DOT2_VERSION0x303, "TLSv1.2" },
75 { TLSV1DOT3_VERSION0x304, "TLSv1.3" },
76 { DTLSV1DOT0_VERSION0xfeff, "DTLSv1.0" },
77 { DTLSV1DOT2_VERSION0xfefd, "DTLSv1.2" },
78 { DTLSV1DOT3_VERSION0xfefc, "DTLSv1.3" },
79 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
80 { 0x00, NULL((void*)0) }
81};
82
83const value_string ssl_versions[] = {
84 { SSLV2_VERSION0x0002, "SSL 2.0" },
85 { SSLV3_VERSION0x300, "SSL 3.0" },
86 { TLSV1_VERSION0x301, "TLS 1.0" },
87 { TLCPV1_VERSION0x101, "TLCP" },
88 { TLSV1DOT1_VERSION0x302, "TLS 1.1" },
89 { TLSV1DOT2_VERSION0x303, "TLS 1.2" },
90 { TLSV1DOT3_VERSION0x304, "TLS 1.3" },
91 { 0x7F0E, "TLS 1.3 (draft 14)" },
92 { 0x7F0F, "TLS 1.3 (draft 15)" },
93 { 0x7F10, "TLS 1.3 (draft 16)" },
94 { 0x7F11, "TLS 1.3 (draft 17)" },
95 { 0x7F12, "TLS 1.3 (draft 18)" },
96 { 0x7F13, "TLS 1.3 (draft 19)" },
97 { 0x7F14, "TLS 1.3 (draft 20)" },
98 { 0x7F15, "TLS 1.3 (draft 21)" },
99 { 0x7F16, "TLS 1.3 (draft 22)" },
100 { 0x7F17, "TLS 1.3 (draft 23)" },
101 { 0x7F18, "TLS 1.3 (draft 24)" },
102 { 0x7F19, "TLS 1.3 (draft 25)" },
103 { 0x7F1A, "TLS 1.3 (draft 26)" },
104 { 0x7F1B, "TLS 1.3 (draft 27)" },
105 { 0x7F1C, "TLS 1.3 (draft 28)" },
106 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },
107 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },
108 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
109 { DTLSV1DOT0_VERSION0xfeff, "DTLS 1.0" },
110 { DTLSV1DOT2_VERSION0xfefd, "DTLS 1.2" },
111 { DTLSV1DOT3_VERSION0xfefc, "DTLS 1.3" },
112 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
113 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
114 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
115 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
116 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
117 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
118 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
119 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
120 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
121 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
122 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */
123 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */
124 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */
125 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */
126 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */
127 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */
128 { 0x00, NULL((void*)0) }
129};
130
131static const value_string ssl_version_ja4_names[] = {
132 { 0x0100, "s1" },
133 { SSLV2_VERSION0x0002, "s2" },
134 { SSLV3_VERSION0x300, "s3" },
135 { TLSV1_VERSION0x301, "10" },
136 { TLSV1DOT1_VERSION0x302, "11" },
137 { TLSV1DOT2_VERSION0x303, "12" },
138 { TLSV1DOT3_VERSION0x304, "13" },
139 { DTLSV1DOT0_VERSION0xfeff, "d1" },
140 { DTLSV1DOT2_VERSION0xfefd, "d2" },
141 { DTLSV1DOT3_VERSION0xfefc, "d3" },
142 { 0x00, NULL((void*)0) }
143};
144
145const value_string ssl_20_msg_types[] = {
146 { SSL2_HND_ERROR0x00, "Error" },
147 { SSL2_HND_CLIENT_HELLO0x01, "Client Hello" },
148 { SSL2_HND_CLIENT_MASTER_KEY0x02, "Client Master Key" },
149 { SSL2_HND_CLIENT_FINISHED0x03, "Client Finished" },
150 { SSL2_HND_SERVER_HELLO0x04, "Server Hello" },
151 { SSL2_HND_SERVER_VERIFY0x05, "Server Verify" },
152 { SSL2_HND_SERVER_FINISHED0x06, "Server Finished" },
153 { SSL2_HND_REQUEST_CERTIFICATE0x07, "Request Certificate" },
154 { SSL2_HND_CLIENT_CERTIFICATE0x08, "Client Certificate" },
155 { 0x00, NULL((void*)0) }
156};
157/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
158/* Note: sorted by ascending value so value_string-ext can do a binary search */
159static const value_string ssl_20_cipher_suites[] = {
160 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
161 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
162 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
163 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
164 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
165 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
166 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
167 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
168 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
169 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
170 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
171 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
172 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
173 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
174 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
175 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
176 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
177 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
178 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
179 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
180 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
181 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
182 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
183 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
184 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
185 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
186 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
187 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
188 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
189 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
190#if 0
191 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
192#endif
193 /* RFC 2712 */
194 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
195 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
196 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
197 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
198 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
199 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
200 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
201 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
202 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
203 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
204 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
205 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
206 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
207 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
208 /* RFC 4785 */
209 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
210 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
211 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
212 /* RFC 5246 */
213 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
214 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
215 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
216 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
217 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
218 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
219 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
220 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
221 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
222 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
223 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
224 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
225 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
226 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
227 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
228 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
229 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
230 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
231 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
232 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
233 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
234 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
235 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
236 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
237 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
238 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
239 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
240 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
241 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
242 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
243 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
244 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
245 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
246 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
247 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
248 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
249 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
250 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
251 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
252 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
253 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
254 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
255 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
256 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
257 /* 0x00,0x6E-83 Unassigned */
258 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
259 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
260 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
261 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
262 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
263 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
264 /* RFC 4279 */
265 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
266 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
267 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
268 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
269 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
270 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
271 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
272 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
273 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
274 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
275 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
276 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
277 /* RFC 4162 */
278 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
279 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
280 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
281 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
282 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
283 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
284 /* RFC 5288 */
285 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
286 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
287 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
288 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
289 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
290 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
291 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
292 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
293 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
294 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
295 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
296 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
297 /* RFC 5487 */
298 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
299 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
300 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
301 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
302 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
303 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
304 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
305 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
306 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
307 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
308 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
309 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
310 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
311 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
312 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
313 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
314 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
315 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
316 /* From RFC 5932 */
317 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
318 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
319 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
320 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
321 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
322 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
323 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
324 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
325 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
326 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
327 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
328 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
329 /* 0x00,0xC6-FE Unassigned */
330 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
331 /* 0x01-BF,* Unassigned */
332 /* From RFC 4492 */
333 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
334 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
335 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
336 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
337 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
338 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
339 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
340 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
341 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
342 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
343 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
344 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
345 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
346 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
347 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
348 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
349 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
350 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
351 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
352 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
353 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
354 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
355 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
356 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
357 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
358 /* RFC 5054 */
359 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
360 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
361 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
362 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
363 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
364 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
365 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
366 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
367 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
368 /* RFC 5589 */
369 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
370 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
371 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
372 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
373 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
374 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
375 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
376 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
377 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
378 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
379 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
380 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
381 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
382 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
383 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
384 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
385 /* RFC 5489 */
386 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
387 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
388 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
389 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
390 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
391 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
392 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
393 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
394 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
395 /* 0xC0,0x3C-FF Unassigned
396 0xC1-FD,* Unassigned
397 0xFE,0x00-FD Unassigned
398 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
399 0xFF,0x00-FF Reserved for Private Use [RFC5246]
400 */
401
402 /* old numbers used in the beginning
403 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
404 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
405 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
406 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
407
408 /* https://tools.ietf.org/html/rfc7905 */
409 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
410 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
411 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
412 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
413 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
414 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
415 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
416
417 /* GM/T 0024-2014 */
418 { 0x00e001, "ECDHE_SM1_SM3"},
419 { 0x00e003, "ECC_SM1_SM3"},
420 { 0x00e005, "IBSDH_SM1_SM3"},
421 { 0x00e007, "IBC_SM1_SM3"},
422 { 0x00e009, "RSA_SM1_SM3"},
423 { 0x00e00a, "RSA_SM1_SHA1"},
424 { 0x00e011, "ECDHE_SM4_CBC_SM3"},
425 { 0x00e013, "ECC_SM4_CBC_SM3"},
426 { 0x00e015, "IBSDH_SM4_CBC_SM3"},
427 { 0x00e017, "IBC_SM4_CBC_SM3"},
428 { 0x00e019, "RSA_SM4_CBC_SM3"},
429 { 0x00e01a, "RSA_SM4_CBC_SHA1"},
430 { 0x00e01c, "RSA_SM4_CBC_SHA256"},
431 { 0x00e051, "ECDHE_SM4_GCM_SM3"},
432 { 0x00e053, "ECC_SM4_GCM_SM3"},
433 { 0x00e055, "IBSDH_SM4_GCM_SM3"},
434 { 0x00e057, "IBC_SM4_GCM_SM3"},
435 { 0x00e059, "RSA_SM4_GCM_SM3"},
436 { 0x00e05a, "RSA_SM4_GCM_SHA256"},
437
438 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
439 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
440 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
441 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
442 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
443 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
444 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
445 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
446 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
447 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
448 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
449 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
450 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
451 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
452 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
453 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
454 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
455
456 /* these from http://www.mozilla.org/projects/
457 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
458 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
459 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
460 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
461 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
462 /* note that ciphersuites of {0x00????} are TLS cipher suites in
463 * a sslv2 client hello message; the ???? above is the two-byte
464 * tls cipher suite id
465 */
466
467 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
468 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
469 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
470 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
471 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
472 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
473 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
474 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
475
476 { 0x00, NULL((void*)0) }
477};
478
479value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites){ _try_val_to_str_ext_init, 0, (sizeof (ssl_20_cipher_suites)
/ sizeof ((ssl_20_cipher_suites)[0]))-1, ssl_20_cipher_suites
, "ssl_20_cipher_suites", ((void*)0) };
480
481
482/*
483 * Supported Groups (formerly named "EC Named Curve").
484 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
485 */
486const value_string ssl_extension_curves[] = {
487 { 1, "sect163k1" },
488 { 2, "sect163r1" },
489 { 3, "sect163r2" },
490 { 4, "sect193r1" },
491 { 5, "sect193r2" },
492 { 6, "sect233k1" },
493 { 7, "sect233r1" },
494 { 8, "sect239k1" },
495 { 9, "sect283k1" },
496 { 10, "sect283r1" },
497 { 11, "sect409k1" },
498 { 12, "sect409r1" },
499 { 13, "sect571k1" },
500 { 14, "sect571r1" },
501 { 15, "secp160k1" },
502 { 16, "secp160r1" },
503 { 17, "secp160r2" },
504 { 18, "secp192k1" },
505 { 19, "secp192r1" },
506 { 20, "secp224k1" },
507 { 21, "secp224r1" },
508 { 22, "secp256k1" },
509 { 23, "secp256r1" },
510 { 24, "secp384r1" },
511 { 25, "secp521r1" },
512 { 26, "brainpoolP256r1" }, /* RFC 7027 */
513 { 27, "brainpoolP384r1" }, /* RFC 7027 */
514 { 28, "brainpoolP512r1" }, /* RFC 7027 */
515 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
516 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
517 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
518 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
519 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
520 { 34, "GC256A" }, /* RFC9189 */
521 { 35, "GC256B" }, /* RFC9189 */
522 { 36, "GC256C" }, /* RFC9189 */
523 { 37, "GC256D" }, /* RFC9189 */
524 { 38, "GC512A" }, /* RFC9189 */
525 { 39, "GC512B" }, /* RFC9189 */
526 { 40, "GC512C" }, /* RFC9189 */
527 { 41, "curveSM2" }, /* RFC 8998 */
528 { 256, "ffdhe2048" }, /* RFC 7919 */
529 { 257, "ffdhe3072" }, /* RFC 7919 */
530 { 258, "ffdhe4096" }, /* RFC 7919 */
531 { 259, "ffdhe6144" }, /* RFC 7919 */
532 { 260, "ffdhe8192" }, /* RFC 7919 */
533 { 512, "MLKEM512"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
534 { 513, "MLKEM768"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
535 { 514, "MLKEM1024"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
536 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
537 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
538 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
539 { 4589, "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
540 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
541 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
542 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
543 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
544 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
545 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
546 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
547 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
548 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
549 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
550 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
552 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
553 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
556 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
557 { 0xFF01, "arbitrary_explicit_prime_curves" },
558 { 0xFF02, "arbitrary_explicit_char2_curves" },
559 /* Below are various unofficial values that have been used for testing. */
560 /* PQC key exchange algorithms from OQS-OpenSSL,
561 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
562 These use IANA unassigned values and this list may be incomplete.
563 */
564 { 0x2F00, "p256_frodo640aes" },
565 { 0x2F01, "p256_frodo640shake" },
566 { 0x2F02, "p384_frodo976aes" },
567 { 0x0203, "frodo976shake" },
568 { 0x2F03, "p384_frodo976shake" },
569 { 0x0204, "frodo1344aes" },
570 { 0x2F04, "p521_frodo1344aes" },
571 { 0x0205, "frodo1344shake" },
572 { 0x2F05, "p521_frodo1344shake" },
573 { 0x023A, "kyber512" },
574 { 0x2F3A, "p256_kyber512" },
575 { 0x023C, "kyber768" },
576 { 0x2F3C, "p384_kyber768" },
577 { 0x023D, "kyber1024" },
578 { 0x2F3D, "p521_kyber1024" },
579 { 0x0214, "ntru_hps2048509" },
580 { 0x2F14, "p256_ntru_hps2048509" },
581 { 0x0215, "ntru_hps2048677" },
582 { 0x2F15, "p384_ntru_hps2048677" },
583 { 0x0216, "ntru_hps4096821" },
584 { 0x2F16, "p521_ntru_hps4096821" },
585 { 0x0245, "ntru_hps40961229" },
586 { 0x2F45, "p521_ntru_hps40961229" },
587 { 0x0217, "ntru_hrss701" },
588 { 0x2F17, "p384_ntru_hrss701" },
589 { 0x0246, "ntru_hrss1373" },
590 { 0x2F46, "p521_ntru_hrss1373" },
591 { 0x0218, "lightsaber" },
592 { 0x2F18, "p256_lightsaber" },
593 { 0x0219, "saber" },
594 { 0x2F19, "p384_saber" },
595 { 0x021A, "firesaber" },
596 { 0x2F1A, "p521_firesaber" },
597 { 0x021B, "sidhp434" },
598 { 0x2F1B, "p256_sidhp434" },
599 { 0x021C, "sidhp503" },
600 { 0x2F1C, "p256_sidhp503" },
601 { 0x021D, "sidhp610" },
602 { 0x2F1D, "p384_sidhp610" },
603 { 0x021E, "sidhp751" },
604 { 0x2F1E, "p521_sidhp751" },
605 { 0x021F, "sikep434" },
606 { 0x2F1F, "p256_sikep434" },
607 { 0x0220, "sikep503" },
608 { 0x2F20, "p256_sikep503" },
609 { 0x0221, "sikep610" },
610 { 0x2F21, "p384_sikep610" },
611 { 0x0222, "sikep751" },
612 { 0x2F22, "p521_sikep751" },
613 { 0x0238, "bikel1" },
614 { 0x2F38, "p256_bikel1" },
615 { 0x023B, "bikel3" },
616 { 0x2F3B, "p384_bikel3" },
617 { 0x023E, "kyber90s512" },
618 { 0x2F3E, "p256_kyber90s512" },
619 { 0x023F, "kyber90s768" },
620 { 0x2F3F, "p384_kyber90s768" },
621 { 0x0240, "kyber90s1024" },
622 { 0x2F40, "p521_kyber90s1024" },
623 { 0x022C, "hqc128" },
624 { 0x2F2C, "p256_hqc128" },
625 { 0x022D, "hqc192" },
626 { 0x2F2D, "p384_hqc192" },
627 { 0x022E, "hqc256" },
628 { 0x2F2E, "p521_hqc256" },
629 { 0x022F, "ntrulpr653" },
630 { 0x2F2F, "p256_ntrulpr653" },
631 { 0x0230, "ntrulpr761" },
632 { 0x2F43, "p256_ntrulpr761" },
633 { 0x0231, "ntrulpr857" },
634 { 0x2F31, "p384_ntrulpr857" },
635 { 0x0241, "ntrulpr1277" },
636 { 0x2F41, "p521_ntrulpr1277" },
637 { 0x0232, "sntrup653" },
638 { 0x2F32, "p256_sntrup653" },
639 { 0x0233, "sntrup761" },
640 { 0x2F44, "p256_sntrup761" },
641 { 0x0234, "sntrup857" },
642 { 0x2F34, "p384_sntrup857" },
643 { 0x0242, "sntrup1277" },
644 { 0x2F42, "p521_sntrup1277" },
645 /* Other PQ key exchange algorithms, using Reserved for Private Use values
646 https://blog.cloudflare.com/post-quantum-for-all
647 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
648 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
649 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
650 { 0x00, NULL((void*)0) }
651};
652
653const value_string ssl_curve_types[] = {
654 { 1, "explicit_prime" },
655 { 2, "explicit_char2" },
656 { 3, "named_curve" },
657 { 0x00, NULL((void*)0) }
658};
659
660const value_string ssl_extension_ec_point_formats[] = {
661 { 0, "uncompressed" },
662 { 1, "ansiX962_compressed_prime" },
663 { 2, "ansiX962_compressed_char2" },
664 { 0x00, NULL((void*)0) }
665};
666
667const value_string ssl_20_certificate_type[] = {
668 { 0x00, "N/A" },
669 { 0x01, "X.509 Certificate" },
670 { 0x00, NULL((void*)0) }
671};
672
673const value_string ssl_31_content_type[] = {
674 { 20, "Change Cipher Spec" },
675 { 21, "Alert" },
676 { 22, "Handshake" },
677 { 23, "Application Data" },
678 { 24, "Heartbeat" },
679 { 25, "Connection ID" },
680 { 0x00, NULL((void*)0) }
681};
682
683#if 0
684/* XXX - would be used if we dissected the body of a Change Cipher Spec
685 message. */
686const value_string ssl_31_change_cipher_spec[] = {
687 { 1, "Change Cipher Spec" },
688 { 0x00, NULL((void*)0) }
689};
690#endif
691
692const value_string ssl_31_alert_level[] = {
693 { 1, "Warning" },
694 { 2, "Fatal" },
695 { 0x00, NULL((void*)0) }
696};
697
698const value_string ssl_31_alert_description[] = {
699 { 0, "Close Notify" },
700 { 1, "End of Early Data" },
701 { 10, "Unexpected Message" },
702 { 20, "Bad Record MAC" },
703 { 21, "Decryption Failed" },
704 { 22, "Record Overflow" },
705 { 30, "Decompression Failure" },
706 { 40, "Handshake Failure" },
707 { 41, "No Certificate" },
708 { 42, "Bad Certificate" },
709 { 43, "Unsupported Certificate" },
710 { 44, "Certificate Revoked" },
711 { 45, "Certificate Expired" },
712 { 46, "Certificate Unknown" },
713 { 47, "Illegal Parameter" },
714 { 48, "Unknown CA" },
715 { 49, "Access Denied" },
716 { 50, "Decode Error" },
717 { 51, "Decrypt Error" },
718 { 60, "Export Restriction" },
719 { 70, "Protocol Version" },
720 { 71, "Insufficient Security" },
721 { 80, "Internal Error" },
722 { 86, "Inappropriate Fallback" },
723 { 90, "User Canceled" },
724 { 100, "No Renegotiation" },
725 { 109, "Missing Extension" },
726 { 110, "Unsupported Extension" },
727 { 111, "Certificate Unobtainable" },
728 { 112, "Unrecognized Name" },
729 { 113, "Bad Certificate Status Response" },
730 { 114, "Bad Certificate Hash Value" },
731 { 115, "Unknown PSK Identity" },
732 { 116, "Certificate Required" },
733 { 120, "No application Protocol" },
734 { 121, "ECH Required" },
735 { 0x00, NULL((void*)0) }
736};
737
738const value_string ssl_31_handshake_type[] = {
739 { SSL_HND_HELLO_REQUEST, "Hello Request" },
740 { SSL_HND_CLIENT_HELLO, "Client Hello" },
741 { SSL_HND_SERVER_HELLO, "Server Hello" },
742 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
743 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
744 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
745 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
746 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
747 { SSL_HND_CERTIFICATE, "Certificate" },
748 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
749 { SSL_HND_CERT_REQUEST, "Certificate Request" },
750 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
751 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
752 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
753 { SSL_HND_FINISHED, "Finished" },
754 { SSL_HND_CERT_URL, "Client Certificate URL" },
755 { SSL_HND_CERT_STATUS, "Certificate Status" },
756 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
757 { SSL_HND_KEY_UPDATE, "Key Update" },
758 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
759 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
760 { 0x00, NULL((void*)0) }
761};
762
763const value_string tls_heartbeat_type[] = {
764 { 1, "Request" },
765 { 2, "Response" },
766 { 0x00, NULL((void*)0) }
767};
768
769const value_string tls_heartbeat_mode[] = {
770 { 1, "Peer allowed to send requests" },
771 { 2, "Peer not allowed to send requests" },
772 { 0x00, NULL((void*)0) }
773};
774
775const value_string ssl_31_compression_method[] = {
776 { 0, "null" },
777 { 1, "DEFLATE" },
778 { 64, "LZS" },
779 { 0x00, NULL((void*)0) }
780};
781
782#if 0
783/* XXX - would be used if we dissected a Signature, as would be
784 seen in a server key exchange or certificate verify message. */
785const value_string ssl_31_key_exchange_algorithm[] = {
786 { 0, "RSA" },
787 { 1, "Diffie Hellman" },
788 { 0x00, NULL((void*)0) }
789};
790
791const value_string ssl_31_signature_algorithm[] = {
792 { 0, "Anonymous" },
793 { 1, "RSA" },
794 { 2, "DSA" },
795 { 0x00, NULL((void*)0) }
796};
797#endif
798
799const value_string ssl_31_client_certificate_type[] = {
800 { 1, "RSA Sign" },
801 { 2, "DSS Sign" },
802 { 3, "RSA Fixed DH" },
803 { 4, "DSS Fixed DH" },
804 /* GOST certificate types */
805 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
806 { 21, "GOST R 34.10-94" },
807 { 22, "GOST R 34.10-2001" },
808 /* END GOST certificate types */
809 { 64, "ECDSA Sign" },
810 { 65, "RSA Fixed ECDH" },
811 { 66, "ECDSA Fixed ECDH" },
812 { 80, "IBC Params" },
813 { 0x00, NULL((void*)0) }
814};
815
816#if 0
817/* XXX - would be used if we dissected exchange keys, as would be
818 seen in a client key exchange message. */
819const value_string ssl_31_public_value_encoding[] = {
820 { 0, "Implicit" },
821 { 1, "Explicit" },
822 { 0x00, NULL((void*)0) }
823};
824#endif
825
826/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
827/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
828static const value_string ssl_31_ciphersuite[] = {
829 /* RFC 2246, RFC 4346, RFC 5246 */
830 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
831 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
832 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
833 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
834 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
835 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
836 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
837 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
838 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
839 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
840 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
841 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
842 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
843 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
844 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
845 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
846 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
847 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
848 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
849 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
850 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
851 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
852 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
853 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
854 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
855 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
856 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
857 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
858
859 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
860 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
861#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
862 to remove according to David Hopwood <[email protected]>
863 of the ietf-tls list */
864 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
865#endif
866 /* RFC 2712 */
867 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
868 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
869 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
870 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
871 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
872 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
873 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
874 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
875 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
876 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
877 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
878 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
879 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
880 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
881 /* RFC 4785 */
882 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
883 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
884 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
885 /* RFC 5246 */
886 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
887 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
888 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
889 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
890 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
891 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
892 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
893 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
894 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
895 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
896 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
897 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
898 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
899 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
900 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
901 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
902 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
903 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
904 /* RFC 4132 */
905 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
906 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
907 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
908 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
909 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
910 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
911 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
912 /* --- ??? --- */
913 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
914 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
915 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
916 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
917 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
918 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
919 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
920 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
921 /* --- ??? ---*/
922 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
923 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
924 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
925 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
926 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
927 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
928 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
929 /* draft-chudov-cryptopro-cptls-04.txt */
930 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
931 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
932 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
933 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
934 /* RFC 4132 */
935 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
936 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
937 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
938 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
939 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
940 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
941 /* RFC 4279 */
942 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
943 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
944 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
945 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
946 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
947 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
948 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
949 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
950 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
951 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
952 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
953 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
954 /* RFC 4162 */
955 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
956 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
957 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
958 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
959 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
960 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
961 /* RFC 5288 */
962 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
963 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
964 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
965 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
966 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
967 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
968 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
969 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
970 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
971 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
972 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
973 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
974 /* RFC 5487 */
975 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
976 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
977 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
978 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
979 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
980 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
981 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
982 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
983 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
984 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
985 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
986 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
987 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
988 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
989 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
990 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
991 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
992 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
993 /* From RFC 5932 */
994 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
995 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
996 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
997 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
998 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
999 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
1000 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1001 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1002 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1003 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1004 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1005 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1006 /* RFC 8998 */
1007 { 0x00C6, "TLS_SM4_GCM_SM3" },
1008 { 0x00C7, "TLS_SM4_CCM_SM3" },
1009 /* 0x00,0xC8-FE Unassigned */
1010 /* From RFC 5746 */
1011 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1012 /* RFC 8701 */
1013 { 0x0A0A, "Reserved (GREASE)" },
1014 /* RFC 8446 */
1015 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1016 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1017 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1018 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1019 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1020 /* RFC 8701 */
1021 { 0x1A1A, "Reserved (GREASE)" },
1022 { 0x2A2A, "Reserved (GREASE)" },
1023 { 0x3A3A, "Reserved (GREASE)" },
1024 { 0x4A4A, "Reserved (GREASE)" },
1025 /* From RFC 7507 */
1026 { 0x5600, "TLS_FALLBACK_SCSV" },
1027 /* RFC 8701 */
1028 { 0x5A5A, "Reserved (GREASE)" },
1029 { 0x6A6A, "Reserved (GREASE)" },
1030 { 0x7A7A, "Reserved (GREASE)" },
1031 { 0x8A8A, "Reserved (GREASE)" },
1032 { 0x9A9A, "Reserved (GREASE)" },
1033 { 0xAAAA, "Reserved (GREASE)" },
1034 { 0xBABA, "Reserved (GREASE)" },
1035 /* From RFC 4492 */
1036 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1037 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1038 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1039 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1040 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1041 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1042 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1043 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1044 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1045 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1046 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1047 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1048 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1049 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1050 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1051 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1052 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1053 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1054 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1055 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1056 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1057 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1058 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1059 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1060 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1061 /* RFC 5054 */
1062 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1063 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1064 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1065 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1066 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1067 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1068 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1069 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1070 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1071 /* RFC 5589 */
1072 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1073 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1074 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1075 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1076 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1077 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1078 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1079 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1080 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1081 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1082 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1083 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1084 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1085 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1086 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1087 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1088 /* RFC 5489 */
1089 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1090 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1091 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1092 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1093 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1094 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1095 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1096 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1097 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1098 /* RFC 6209 */
1099 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1100 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1101 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1102 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1103 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1104 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1105 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1106 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1107 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1108 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1109 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1110 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1111 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1112 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1113 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1114 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1115 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1116 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1117 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1118 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1119 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1120 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1121 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1122 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1123 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1124 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1125 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1126 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1127 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1128 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1129 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1130 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1131 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1132 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1133 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1134 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1135 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1136 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1137 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1138 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1139 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1140 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1141 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1142 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1143 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1144 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1145 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1146 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1147 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1148 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1149 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1150 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1151 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1152 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1153 /* RFC 6367 */
1154 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1155 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1156 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1157 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1158 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1159 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1160 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1161 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1162 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1163 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1164 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1165 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1166 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1167 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1168 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1169 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1170 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1171 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1172 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1173 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1174 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1175 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1176 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1177 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1178 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1179 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1180 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1181 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1182 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1183 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1184 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1185 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1186 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1187 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1188 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1189 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1190 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1191 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1192 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1193 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1194 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1195 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1196 /* RFC 6655 */
1197 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1198 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1199 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1200 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1201 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1202 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1203 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1204 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1205 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1206 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1207 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1208 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1209 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1210 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1211 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1212 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1213 /* RFC 7251 */
1214 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1215 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1216 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1217 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1218 /* RFC 8492 */
1219 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1220 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1221 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1222 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1223 /* draft-camwinget-tls-ts13-macciphersuites */
1224 { 0xC0B4, "TLS_SHA256_SHA256" },
1225 { 0xC0B5, "TLS_SHA384_SHA384" },
1226 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1227 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1228 /* draft-smyshlyaev-tls12-gost-suites */
1229 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1230 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1231 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1232 /* draft-smyshlyaev-tls13-gost-suites */
1233 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1234 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1235 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1236 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1237 /* RFC 8701 */
1238 { 0xCACA, "Reserved (GREASE)" },
1239/*
12400xC0,0xAB-FF Unassigned
12410xC1,0x03-FD,* Unassigned
12420xFE,0x00-FD Unassigned
12430xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
12440xFF,0x00-FF Reserved for Private Use [RFC5246]
1245*/
1246 /* old numbers used in the beginning
1247 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
1248 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1249 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1250 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1251 /* RFC 7905 */
1252 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1253 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1254 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1255 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1256 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1257 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1258 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1259 /* RFC 8442 */
1260 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1261 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1262 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1263 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1264 /* RFC 8701 */
1265 { 0xDADA, "Reserved (GREASE)" },
1266 /* GM/T 0024-2014 */
1267 { 0xe001, "ECDHE_SM1_SM3"},
1268 { 0xe003, "ECC_SM1_SM3"},
1269 { 0xe005, "IBSDH_SM1_SM3"},
1270 { 0xe007, "IBC_SM1_SM3"},
1271 { 0xe009, "RSA_SM1_SM3"},
1272 { 0xe00a, "RSA_SM1_SHA1"},
1273 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1274 { 0xe013, "ECC_SM4_CBC_SM3"},
1275 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1276 { 0xe017, "IBC_SM4_CBC_SM3"},
1277 { 0xe019, "RSA_SM4_CBC_SM3"},
1278 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1279 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1280 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1281 { 0xe053, "ECC_SM4_GCM_SM3"},
1282 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1283 { 0xe057, "IBC_SM4_GCM_SM3"},
1284 { 0xe059, "RSA_SM4_GCM_SM3"},
1285 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1286 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1287 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1288 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1289 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1290 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1291 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1292 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1293 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1294 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1295 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1296 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1297 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1298 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1299 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1300 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1301 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1302 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1303 /* RFC 8701 */
1304 { 0xEAEA, "Reserved (GREASE)" },
1305 { 0xFAFA, "Reserved (GREASE)" },
1306 /* these from http://www.mozilla.org/projects/
1307 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
1308 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1309 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1310 /* https://datatracker.ietf.org/doc/html/rfc9189 */
1311 { 0xff85, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"},
1312 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1313 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1314 /* note that ciphersuites 0xff00 - 0xffff are private */
1315 { 0x00, NULL((void*)0) }
1316};
1317
1318value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
, ((void*)0) };
1319
1320/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1321const value_string tls_hello_extension_types[] = {
1322 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1323 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1324 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1325 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1326 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1327 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1328 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1329 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1330 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1331 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1332 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1333 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1334 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1335 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1336 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1337 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1338 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1339 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1340 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1341 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1342 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1343 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1344 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1345 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1346 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1347 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1348 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1349 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1350 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1351 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1352 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1353 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1354 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1355 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1356 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1357 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1358 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1359 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1360 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1363 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1364 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1365 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1366 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1367 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1368 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1369 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1370 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1371 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1372 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1373 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1374 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1375 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03 */
1376 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1377 { SSL_HND_HELLO_EXT_ALPS_OLD17513, "application_settings_old" }, /* draft-vvv-tls-alps-01 */
1378 { SSL_HND_HELLO_EXT_ALPS17613, "application_settings" }, /* draft-vvv-tls-alps-01 */ /* https://chromestatus.com/feature/5149147365900288 */
1379 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1381 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1382 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1383 https://twitter.com/ericlaw/status/274237352531083264 */
1384 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1385 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1386 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1387 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1389 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1390 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1391 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1392 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1393 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1395 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1396 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1397 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1398 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1399 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1400 { 0, NULL((void*)0) }
1401};
1402
1403const value_string tls_hello_ext_server_name_type_vs[] = {
1404 { 0, "host_name" },
1405 { 0, NULL((void*)0) }
1406};
1407
1408/* RFC 6066 Section 4 */
1409const value_string tls_hello_ext_max_fragment_length[] = {
1410 { 1, "512" }, // 2^9
1411 { 2, "1024" }, // 2^10
1412 { 3, "2048" }, // 2^11
1413 { 4, "4096" }, // 2^12
1414 { 0, NULL((void*)0) }
1415};
1416
1417/* RFC 8446 Section 4.2.9 */
1418const value_string tls_hello_ext_psk_ke_mode[] = {
1419 { 0, "PSK-only key establishment (psk_ke)" },
1420 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
1421 { 0, NULL((void*)0) }
1422};
1423
1424/* RFC 6066 Section 6 */
1425const value_string tls_hello_ext_trusted_ca_key_type[] = {
1426 {0, "pre_agreed"},
1427 {1, "key_sha1_hash"},
1428 {2, "x509_name"},
1429 {3, "cert_sha1_hash"},
1430 {0, NULL((void*)0)}
1431};
1432
1433const value_string tls13_key_update_request[] = {
1434 { 0, "update_not_requested" },
1435 { 1, "update_requested" },
1436 { 0, NULL((void*)0) }
1437};
1438
1439/* RFC 5246 7.4.1.4.1 */
1440/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1441/* Note that the TLS 1.3 SignatureScheme registry reserves all values
1442 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1443 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1444 *
1445 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1446 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1447 * and TLS HashAlgorithm registries, but the new values are not compatible
1448 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1449 * cause confusion if used to interpret one of those schemes in a
1450 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1451 */
1452const value_string tls_hash_algorithm[] = {
1453 { 0, "None" },
1454 { 1, "MD5" },
1455 { 2, "SHA1" },
1456 { 3, "SHA224" },
1457 { 4, "SHA256" },
1458 { 5, "SHA384" },
1459 { 6, "SHA512" },
1460#if 0
1461 /* RFC 8422 adds this to the HashAlgorithm registry, but it really
1462 * only applies to 0x0807 and 0x0808, not for other TLS 1.3
1463 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
1464 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
1465 */
1466 { 8, "Intrinsic" },
1467#endif
1468 { 0, NULL((void*)0) }
1469};
1470
1471const value_string tls_signature_algorithm[] = {
1472 { 0, "Anonymous" },
1473 { 1, "RSA" },
1474 { 2, "DSA" },
1475 { 3, "ECDSA" },
1476#if 0
1477 /* As above. */
1478 { 7, "ED25519" },
1479 { 8, "ED448" },
1480 { 64, "GOSTR34102012_256" },
1481 { 65, "GOSTR34102012_512" },
1482#endif
1483 { 0, NULL((void*)0) }
1484};
1485
1486/* RFC 8446 Section 4.2.3 */
1487const value_string tls13_signature_algorithm[] = {
1488 { 0x0201, "rsa_pkcs1_sha1" },
1489 { 0x0203, "ecdsa_sha1" },
1490 { 0x0401, "rsa_pkcs1_sha256" },
1491 { 0x0403, "ecdsa_secp256r1_sha256" },
1492 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1493 { 0x0501, "rsa_pkcs1_sha384" },
1494 { 0x0503, "ecdsa_secp384r1_sha384" },
1495 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1496 { 0x0601, "rsa_pkcs1_sha512" },
1497 { 0x0603, "ecdsa_secp521r1_sha512" },
1498 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1499 { 0x0708, "sm2sig_sm3" },
1500 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
1501 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
1502 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
1503 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
1504 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
1505 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
1506 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
1507 { 0x0804, "rsa_pss_rsae_sha256" },
1508 { 0x0805, "rsa_pss_rsae_sha384" },
1509 { 0x0806, "rsa_pss_rsae_sha512" },
1510 { 0x0807, "ed25519" },
1511 { 0x0808, "ed448" },
1512 { 0x0809, "rsa_pss_pss_sha256" },
1513 { 0x080a, "rsa_pss_pss_sha384" },
1514 { 0x080b, "rsa_pss_pss_sha512" },
1515 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
1516 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
1517 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
1518 /* PQC digital signature algorithms from OQS-OpenSSL,
1519 see https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-sig-info.md */
1520 { 0xfea0, "dilithium2" },
1521 { 0xfea1, "p256_dilithium2" },
1522 { 0xfea2, "rsa3072_dilithium2" },
1523 { 0xfea3, "dilithium3" },
1524 { 0xfea4, "p384_dilithium3" },
1525 { 0xfea5, "dilithium5" },
1526 { 0xfea6, "p521_dilithium5" },
1527 { 0xfea7, "dilithium2_aes" },
1528 { 0xfea8, "p256_dilithium2_aes" },
1529 { 0xfea9, "rsa3072_dilithium2_aes" },
1530 { 0xfeaa, "dilithium3_aes" },
1531 { 0xfeab, "p384_dilithium3_aes" },
1532 { 0xfeac, "dilithium5_aes" },
1533 { 0xfead, "p521_dilithium5_aes" },
1534 { 0xfe0b, "falcon512" },
1535 { 0xfe0c, "p256_falcon512" },
1536 { 0xfe0d, "rsa3072_falcon512" },
1537 { 0xfe0e, "falcon1024" },
1538 { 0xfe0f, "p521_falcon1024" },
1539 { 0xfe96, "picnicl1full" },
1540 { 0xfe97, "p256_picnicl1full" },
1541 { 0xfe98, "rsa3072_picnicl1full" },
1542 { 0xfe1b, "picnic3l1" },
1543 { 0xfe1c, "p256_picnic3l1" },
1544 { 0xfe1d, "rsa3072_picnic3l1" },
1545 { 0xfe27, "rainbowIclassic" },
1546 { 0xfe28, "p256_rainbowIclassic" },
1547 { 0xfe29, "rsa3072_rainbowIclassic" },
1548 { 0xfe3c, "rainbowVclassic" },
1549 { 0xfe3d, "p521_rainbowVclassic" },
1550 { 0xfe42, "sphincsharaka128frobust" },
1551 { 0xfe43, "p256_sphincsharaka128frobust" },
1552 { 0xfe44, "rsa3072_sphincsharaka128frobust" },
1553 { 0xfe5e, "sphincssha256128frobust" },
1554 { 0xfe5f, "p256_sphincssha256128frobust" },
1555 { 0xfe60, "rsa3072_sphincssha256128frobust" },
1556 { 0xfe7a, "sphincsshake256128frobust" },
1557 { 0xfe7b, "p256_sphincsshake256128frobust" },
1558 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
1559 { 0, NULL((void*)0) }
1560};
1561
1562/* RFC 6091 3.1 */
1563const value_string tls_certificate_type[] = {
1564 { 0, "X.509" },
1565 { 1, "OpenPGP" },
1566 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2, "Raw Public Key" }, /* RFC 7250 */
1567 { 0, NULL((void*)0) }
1568};
1569
1570const value_string tls_cert_chain_type[] = {
1571 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT1, "Individual Certificates" },
1572 { SSL_HND_CERT_URL_TYPE_PKIPATH2, "PKI Path" },
1573 { 0, NULL((void*)0) }
1574};
1575
1576const value_string tls_cert_status_type[] = {
1577 { SSL_HND_CERT_STATUS_TYPE_OCSP1, "OCSP" },
1578 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2, "OCSP Multi" },
1579 { 0, NULL((void*)0) }
1580};
1581
1582/* Generated by tools/make-tls-ct-logids.py
1583 * Last-Modified Sat, 13 Sep 2025 15:24:25 GMT, 186 entries. */
1584static const bytes_string ct_logids[] = {
1585 { (const uint8_t[]){
1586 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1587 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1588 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1589 },
1590 32, "Google 'Argon2020' log" },
1591 { (const uint8_t[]){
1592 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1593 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1594 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1595 },
1596 32, "Google 'Argon2021' log" },
1597 { (const uint8_t[]){
1598 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1599 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1600 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1601 },
1602 32, "Google 'Argon2022' log" },
1603 { (const uint8_t[]){
1604 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1605 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1606 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1607 },
1608 32, "Google 'Argon2023' log" },
1609 { (const uint8_t[]){
1610 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1611 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1612 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1613 },
1614 32, "Google 'Argon2024' log" },
1615 { (const uint8_t[]){
1616 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1617 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1618 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1619 },
1620 32, "Google 'Argon2025h1' log" },
1621 { (const uint8_t[]){
1622 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1623 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1624 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1625 },
1626 32, "Google 'Argon2025h2' log" },
1627 { (const uint8_t[]){
1628 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1629 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1630 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1631 },
1632 32, "Google 'Argon2026h1' log" },
1633 { (const uint8_t[]){
1634 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1635 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1636 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1637 },
1638 32, "Google 'Argon2026h2' log" },
1639 { (const uint8_t[]){
1640 0xd6, 0xd5, 0x8d, 0xa9, 0xd0, 0x17, 0x53, 0xf3, 0x6a, 0x4a, 0xa0,
1641 0xc7, 0x57, 0x49, 0x02, 0xaf, 0xeb, 0xc7, 0xdc, 0x2c, 0xd3, 0x8c,
1642 0xd9, 0xf7, 0x64, 0xc8, 0x0c, 0x89, 0x19, 0x1e, 0x9f, 0x02,
1643 },
1644 32, "Google 'Argon2027h1'" },
1645 { (const uint8_t[]){
1646 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1647 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1648 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1649 },
1650 32, "Google 'Xenon2020' log" },
1651 { (const uint8_t[]){
1652 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1653 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1654 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1655 },
1656 32, "Google 'Xenon2021' log" },
1657 { (const uint8_t[]){
1658 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1659 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1660 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1661 },
1662 32, "Google 'Xenon2022' log" },
1663 { (const uint8_t[]){
1664 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1665 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1666 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1667 },
1668 32, "Google 'Xenon2023' log" },
1669 { (const uint8_t[]){
1670 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1671 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1672 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1673 },
1674 32, "Google 'Xenon2024' log" },
1675 { (const uint8_t[]){
1676 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1677 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1678 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1679 },
1680 32, "Google 'Xenon2025h1' log" },
1681 { (const uint8_t[]){
1682 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1683 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1684 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1685 },
1686 32, "Google 'Xenon2025h2' log" },
1687 { (const uint8_t[]){
1688 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1689 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1690 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1691 },
1692 32, "Google 'Xenon2026h1' log" },
1693 { (const uint8_t[]){
1694 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1695 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1696 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1697 },
1698 32, "Google 'Xenon2026h2' log" },
1699 { (const uint8_t[]){
1700 0x44, 0xc2, 0xbd, 0x0c, 0xe9, 0x14, 0x0e, 0x64, 0xa5, 0xc9, 0x4a,
1701 0x01, 0x93, 0x0a, 0x5a, 0xa1, 0xbb, 0x35, 0x97, 0x0e, 0x00, 0xee,
1702 0x11, 0x16, 0x89, 0x68, 0x2a, 0x1c, 0x44, 0xd7, 0xb5, 0x66,
1703 },
1704 32, "Google 'Xenon2027h1'" },
1705 { (const uint8_t[]){
1706 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1707 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1708 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1709 },
1710 32, "Google 'Aviator' log" },
1711 { (const uint8_t[]){
1712 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1713 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1714 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1715 },
1716 32, "Google 'Icarus' log" },
1717 { (const uint8_t[]){
1718 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1719 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1720 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1721 },
1722 32, "Google 'Pilot' log" },
1723 { (const uint8_t[]){
1724 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1725 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1726 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1727 },
1728 32, "Google 'Rocketeer' log" },
1729 { (const uint8_t[]){
1730 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1731 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1732 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1733 },
1734 32, "Google 'Skydiver' log" },
1735 { (const uint8_t[]){
1736 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1737 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1738 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1739 },
1740 32, "Google 'Argon2017' log" },
1741 { (const uint8_t[]){
1742 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1743 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1744 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1745 },
1746 32, "Google 'Argon2018' log" },
1747 { (const uint8_t[]){
1748 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1749 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1750 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1751 },
1752 32, "Google 'Argon2019' log" },
1753 { (const uint8_t[]){
1754 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1755 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1756 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1757 },
1758 32, "Google 'Xenon2018' log" },
1759 { (const uint8_t[]){
1760 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1761 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1762 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1763 },
1764 32, "Google 'Xenon2019' log" },
1765 { (const uint8_t[]){
1766 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1767 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1768 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1769 },
1770 32, "Google 'Submariner' log" },
1771 { (const uint8_t[]){
1772 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1773 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1774 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1775 },
1776 32, "Google 'Daedalus' log" },
1777 { (const uint8_t[]){
1778 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1779 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1780 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1781 },
1782 32, "Google 'Testtube' log" },
1783 { (const uint8_t[]){
1784 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1785 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1786 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1787 },
1788 32, "Google 'Crucible' log" },
1789 { (const uint8_t[]){
1790 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1791 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1792 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1793 },
1794 32, "Google 'Solera2018' log" },
1795 { (const uint8_t[]){
1796 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1797 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1798 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1799 },
1800 32, "Google 'Solera2019' log" },
1801 { (const uint8_t[]){
1802 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1803 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1804 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1805 },
1806 32, "Google 'Solera2020' log" },
1807 { (const uint8_t[]){
1808 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1809 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1810 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1811 },
1812 32, "Google 'Solera2021' log" },
1813 { (const uint8_t[]){
1814 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1815 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1816 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1817 },
1818 32, "Google 'Solera2022' log" },
1819 { (const uint8_t[]){
1820 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1821 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1822 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1823 },
1824 32, "Google 'Solera2023' log" },
1825 { (const uint8_t[]){
1826 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1827 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1828 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1829 },
1830 32, "Google 'Solera2024' log" },
1831 { (const uint8_t[]){
1832 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1833 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1834 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1835 },
1836 32, "Google 'Solera2025h1' log" },
1837 { (const uint8_t[]){
1838 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1839 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1840 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1841 },
1842 32, "Google 'Solera2025h2' log" },
1843 { (const uint8_t[]){
1844 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1845 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1846 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1847 },
1848 32, "Google 'Solera2026h1' log" },
1849 { (const uint8_t[]){
1850 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1851 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1852 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1853 },
1854 32, "Google 'Solera2026h2' log" },
1855 { (const uint8_t[]){
1856 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1857 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1858 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1859 },
1860 32, "Cloudflare 'Nimbus2020' Log" },
1861 { (const uint8_t[]){
1862 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1863 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1864 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1865 },
1866 32, "Cloudflare 'Nimbus2021' Log" },
1867 { (const uint8_t[]){
1868 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1869 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1870 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1871 },
1872 32, "Cloudflare 'Nimbus2022' Log" },
1873 { (const uint8_t[]){
1874 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1875 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1876 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1877 },
1878 32, "Cloudflare 'Nimbus2023' Log" },
1879 { (const uint8_t[]){
1880 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1881 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1882 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1883 },
1884 32, "Cloudflare 'Nimbus2024' Log" },
1885 { (const uint8_t[]){
1886 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1887 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1888 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1889 },
1890 32, "Cloudflare 'Nimbus2025'" },
1891 { (const uint8_t[]){
1892 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1893 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1894 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1895 },
1896 32, "Cloudflare 'Nimbus2026'" },
1897 { (const uint8_t[]){
1898 0x4c, 0x63, 0xdc, 0x98, 0xe5, 0x9c, 0x1d, 0xab, 0x88, 0xf6, 0x1e,
1899 0x8a, 0x3d, 0xde, 0xae, 0x8f, 0xab, 0x44, 0xa3, 0x37, 0x7b, 0x5f,
1900 0x9b, 0x94, 0xc3, 0xfb, 0xa1, 0x9c, 0xfc, 0xc1, 0xbe, 0x26,
1901 },
1902 32, "Cloudflare 'Nimbus2027'" },
1903 { (const uint8_t[]){
1904 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1905 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1906 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1907 },
1908 32, "Cloudflare 'Nimbus2017' Log" },
1909 { (const uint8_t[]){
1910 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1911 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1912 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1913 },
1914 32, "Cloudflare 'Nimbus2018' Log" },
1915 { (const uint8_t[]){
1916 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1917 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1918 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1919 },
1920 32, "Cloudflare 'Nimbus2019' Log" },
1921 { (const uint8_t[]){
1922 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1923 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1924 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1925 },
1926 32, "DigiCert Log Server" },
1927 { (const uint8_t[]){
1928 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1929 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1930 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1931 },
1932 32, "DigiCert Log Server 2" },
1933 { (const uint8_t[]){
1934 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1935 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1936 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1937 },
1938 32, "DigiCert Yeti2020 Log" },
1939 { (const uint8_t[]){
1940 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1941 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1942 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1943 },
1944 32, "DigiCert Yeti2021 Log" },
1945 { (const uint8_t[]){
1946 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1947 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1948 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1949 },
1950 32, "DigiCert Yeti2022 Log" },
1951 { (const uint8_t[]){
1952 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1953 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1954 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1955 },
1956 32, "DigiCert Yeti2023 Log" },
1957 { (const uint8_t[]){
1958 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1959 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1960 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1961 },
1962 32, "DigiCert Yeti2024 Log" },
1963 { (const uint8_t[]){
1964 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1965 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1966 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1967 },
1968 32, "DigiCert Yeti2025 Log" },
1969 { (const uint8_t[]){
1970 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1971 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1972 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1973 },
1974 32, "DigiCert Nessie2020 Log" },
1975 { (const uint8_t[]){
1976 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
1977 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
1978 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
1979 },
1980 32, "DigiCert Nessie2021 Log" },
1981 { (const uint8_t[]){
1982 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
1983 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
1984 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
1985 },
1986 32, "DigiCert Nessie2022 Log" },
1987 { (const uint8_t[]){
1988 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
1989 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
1990 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
1991 },
1992 32, "DigiCert Nessie2023 Log" },
1993 { (const uint8_t[]){
1994 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
1995 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
1996 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
1997 },
1998 32, "DigiCert Nessie2024 Log" },
1999 { (const uint8_t[]){
2000 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
2001 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
2002 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
2003 },
2004 32, "DigiCert Nessie2025 Log" },
2005 { (const uint8_t[]){
2006 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
2007 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
2008 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
2009 },
2010 32, "DigiCert 'Wyvern2024h1' Log" },
2011 { (const uint8_t[]){
2012 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2013 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2014 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2015 },
2016 32, "DigiCert 'Wyvern2024h2' Log" },
2017 { (const uint8_t[]){
2018 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2019 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2020 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2021 },
2022 32, "DigiCert 'Wyvern2025h1' Log" },
2023 { (const uint8_t[]){
2024 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2025 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2026 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2027 },
2028 32, "DigiCert 'Wyvern2025h2' Log" },
2029 { (const uint8_t[]){
2030 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2031 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2032 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2033 },
2034 32, "DigiCert 'Wyvern2026h1'" },
2035 { (const uint8_t[]){
2036 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2037 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2038 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2039 },
2040 32, "DigiCert 'Wyvern2026h2'" },
2041 { (const uint8_t[]){
2042 0x00, 0x1a, 0x5d, 0x1a, 0x1c, 0x2d, 0x93, 0x75, 0xb6, 0x48, 0x55,
2043 0x78, 0xf8, 0x2f, 0x71, 0xa1, 0xae, 0x6e, 0xef, 0x39, 0x7d, 0x29,
2044 0x7c, 0x8a, 0xe3, 0x15, 0x7b, 0xca, 0xde, 0xe1, 0xa0, 0x1e,
2045 },
2046 32, "DigiCert 'Wyvern2027h1'" },
2047 { (const uint8_t[]){
2048 0x37, 0xaa, 0x07, 0xcc, 0x21, 0x6f, 0x2e, 0x6d, 0x91, 0x9c, 0x70,
2049 0x9d, 0x24, 0xd8, 0xf7, 0x31, 0xb0, 0x0f, 0x2b, 0x14, 0x7c, 0x62,
2050 0x1c, 0xc0, 0x91, 0xa5, 0xfa, 0x1a, 0x84, 0xd8, 0x16, 0xdd,
2051 },
2052 32, "DigiCert 'Wyvern2027h2'" },
2053 { (const uint8_t[]){
2054 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2055 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2056 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2057 },
2058 32, "DigiCert 'Sphinx2024h1' Log" },
2059 { (const uint8_t[]){
2060 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2061 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2062 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2063 },
2064 32, "DigiCert 'Sphinx2024h2' Log" },
2065 { (const uint8_t[]){
2066 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2067 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2068 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2069 },
2070 32, "DigiCert 'Sphinx2025h1' Log" },
2071 { (const uint8_t[]){
2072 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2073 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2074 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2075 },
2076 32, "DigiCert 'Sphinx2025h2' Log" },
2077 { (const uint8_t[]){
2078 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2079 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2080 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2081 },
2082 32, "DigiCert 'Sphinx2026h1'" },
2083 { (const uint8_t[]){
2084 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2085 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2086 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2087 },
2088 32, "DigiCert 'Sphinx2026h2'" },
2089 { (const uint8_t[]){
2090 0x46, 0xa2, 0x39, 0x67, 0xc6, 0x0d, 0xb6, 0x46, 0x87, 0xc6, 0x6f,
2091 0x3d, 0xf9, 0x99, 0x94, 0x76, 0x93, 0xa6, 0xa6, 0x11, 0x20, 0x84,
2092 0x57, 0xd5, 0x55, 0xe7, 0xe3, 0xd0, 0xa1, 0xd9, 0xb6, 0x46,
2093 },
2094 32, "DigiCert 'sphinx2027h1'" },
2095 { (const uint8_t[]){
2096 0x1f, 0xb0, 0xf8, 0xa9, 0x2d, 0x8a, 0xdd, 0xa1, 0x21, 0x77, 0x6c,
2097 0x05, 0xe2, 0xaa, 0x2e, 0x15, 0xba, 0xcb, 0xc6, 0x2b, 0x65, 0x39,
2098 0x36, 0x95, 0x57, 0x6a, 0xaa, 0xb5, 0x2e, 0x11, 0xd1, 0x1d,
2099 },
2100 32, "DigiCert 'sphinx2027h2'" },
2101 { (const uint8_t[]){
2102 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2103 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2104 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2105 },
2106 32, "Symantec log" },
2107 { (const uint8_t[]){
2108 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2109 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2110 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2111 },
2112 32, "Symantec 'Vega' log" },
2113 { (const uint8_t[]){
2114 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2115 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2116 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2117 },
2118 32, "Symantec 'Sirius' log" },
2119 { (const uint8_t[]){
2120 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2121 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2122 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2123 },
2124 32, "DigiCert Yeti2022-2 Log" },
2125 { (const uint8_t[]){
2126 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2127 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2128 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2129 },
2130 32, "DigiCert Yeti2018 Log" },
2131 { (const uint8_t[]){
2132 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2133 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2134 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2135 },
2136 32, "DigiCert Yeti2019 Log" },
2137 { (const uint8_t[]){
2138 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2139 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2140 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2141 },
2142 32, "DigiCert Nessie2018 Log" },
2143 { (const uint8_t[]){
2144 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2145 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2146 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2147 },
2148 32, "DigiCert Nessie2019 Log" },
2149 { (const uint8_t[]){
2150 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2151 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2152 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2153 },
2154 32, "Symantec Deneb" },
2155 { (const uint8_t[]){
2156 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2157 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2158 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2159 },
2160 32, "Certly.IO log" },
2161 { (const uint8_t[]){
2162 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2163 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2164 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2165 },
2166 32, "Izenpe log" },
2167 { (const uint8_t[]){
2168 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2169 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2170 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2171 },
2172 32, "Izenpe 'Argi' log" },
2173 { (const uint8_t[]){
2174 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2175 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2176 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2177 },
2178 32, "WoSign log" },
2179 { (const uint8_t[]){
2180 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2181 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2182 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2183 },
2184 32, "WoSign CT log #1" },
2185 { (const uint8_t[]){
2186 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2187 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2188 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2189 },
2190 32, "WoSign log 2" },
2191 { (const uint8_t[]){
2192 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2193 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2194 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2195 },
2196 32, "Venafi log" },
2197 { (const uint8_t[]){
2198 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2199 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2200 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2201 },
2202 32, "Venafi Gen2 CT log" },
2203 { (const uint8_t[]){
2204 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2205 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2206 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2207 },
2208 32, "CNNIC CT log" },
2209 { (const uint8_t[]){
2210 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2211 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2212 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2213 },
2214 32, "StartCom log" },
2215 { (const uint8_t[]){
2216 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2217 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2218 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2219 },
2220 32, "Sectigo 'Sabre' CT log" },
2221 { (const uint8_t[]){
2222 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2223 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2224 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2225 },
2226 32, "Sectigo 'Sabre2024h1'" },
2227 { (const uint8_t[]){
2228 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2229 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2230 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2231 },
2232 32, "Sectigo 'Sabre2024h2'" },
2233 { (const uint8_t[]){
2234 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2235 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2236 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2237 },
2238 32, "Sectigo 'Sabre2025h1'" },
2239 { (const uint8_t[]){
2240 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2241 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2242 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2243 },
2244 32, "Sectigo 'Sabre2025h2'" },
2245 { (const uint8_t[]){
2246 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2247 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2248 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2249 },
2250 32, "Sectigo 'Mammoth' CT log" },
2251 { (const uint8_t[]){
2252 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2253 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2254 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2255 },
2256 32, "Sectigo 'Mammoth2024h1'" },
2257 { (const uint8_t[]){
2258 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2259 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2260 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2261 },
2262 32, "Sectigo 'Mammoth2024h1b'" },
2263 { (const uint8_t[]){
2264 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2265 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2266 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2267 },
2268 32, "Sectigo 'Mammoth2024h2'" },
2269 { (const uint8_t[]){
2270 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2271 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2272 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2273 },
2274 32, "Sectigo 'Mammoth2025h1'" },
2275 { (const uint8_t[]){
2276 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2277 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2278 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2279 },
2280 32, "Sectigo 'Mammoth2025h2'" },
2281 { (const uint8_t[]){
2282 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2283 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2284 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2285 },
2286 32, "Sectigo 'Mammoth2026h1'" },
2287 { (const uint8_t[]){
2288 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2289 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2290 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2291 },
2292 32, "Sectigo 'Mammoth2026h2'" },
2293 { (const uint8_t[]){
2294 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2295 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2296 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2297 },
2298 32, "Sectigo 'Sabre2026h1'" },
2299 { (const uint8_t[]){
2300 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2301 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2302 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2303 },
2304 32, "Sectigo 'Sabre2026h2'" },
2305 { (const uint8_t[]){
2306 0x0d, 0x1d, 0xbc, 0x89, 0x44, 0xe9, 0xf5, 0x00, 0x55, 0x42, 0xd7,
2307 0x2d, 0x3e, 0x14, 0x4c, 0xcc, 0x43, 0x08, 0x2a, 0xb6, 0xea, 0x1e,
2308 0x94, 0xdf, 0xd7, 0x06, 0x65, 0x7d, 0x2e, 0x86, 0xf3, 0x01,
2309 },
2310 32, "Sectigo 'Elephant2025h2'" },
2311 { (const uint8_t[]){
2312 0xd1, 0x6e, 0xa9, 0xa5, 0x68, 0x07, 0x7e, 0x66, 0x35, 0xa0, 0x3f,
2313 0x37, 0xa5, 0xdd, 0xbc, 0x03, 0xa5, 0x3c, 0x41, 0x12, 0x14, 0xd4,
2314 0x88, 0x18, 0xf5, 0xe9, 0x31, 0xb3, 0x23, 0xcb, 0x95, 0x04,
2315 },
2316 32, "Sectigo 'Elephant2026h1'" },
2317 { (const uint8_t[]){
2318 0xaf, 0x67, 0x88, 0x3b, 0x57, 0xb0, 0x4e, 0xdd, 0x8f, 0xa6, 0xd9,
2319 0x7e, 0xf6, 0x2e, 0xa8, 0xeb, 0x81, 0x0a, 0xc7, 0x71, 0x60, 0xf0,
2320 0x24, 0x5e, 0x55, 0xd6, 0x0c, 0x2f, 0xe7, 0x85, 0x87, 0x3a,
2321 },
2322 32, "Sectigo 'Elephant2026h2'" },
2323 { (const uint8_t[]){
2324 0x60, 0x4c, 0x9a, 0xaf, 0x7a, 0x7f, 0x77, 0x5f, 0x01, 0xd4, 0x06,
2325 0xfc, 0x92, 0x0d, 0xc8, 0x99, 0xeb, 0x0b, 0x1c, 0x7d, 0xf8, 0xc9,
2326 0x52, 0x1b, 0xfa, 0xfa, 0x17, 0x77, 0x3b, 0x97, 0x8b, 0xc9,
2327 },
2328 32, "Sectigo 'Elephant2027h1'" },
2329 { (const uint8_t[]){
2330 0xa2, 0x49, 0x0c, 0xdc, 0xdb, 0x8e, 0x33, 0xa4, 0x00, 0x32, 0x17,
2331 0x60, 0xd6, 0xd4, 0xd5, 0x1a, 0x20, 0x36, 0x19, 0x1e, 0xa7, 0x7d,
2332 0x96, 0x8b, 0xe2, 0x6a, 0x8a, 0x00, 0xf6, 0xff, 0xff, 0xf7,
2333 },
2334 32, "Sectigo 'Elephant2027h2'" },
2335 { (const uint8_t[]){
2336 0x5c, 0xa5, 0x77, 0xd2, 0x9b, 0x7f, 0x8b, 0xaf, 0x41, 0x9e, 0xd8,
2337 0xec, 0xab, 0xfb, 0x6d, 0xcb, 0xae, 0xc3, 0x85, 0x37, 0x02, 0xd5,
2338 0x74, 0x6f, 0x17, 0x4d, 0xad, 0x3c, 0x93, 0x4a, 0xa9, 0x6a,
2339 },
2340 32, "Sectigo 'Tiger2025h2'" },
2341 { (const uint8_t[]){
2342 0x16, 0x83, 0x2d, 0xab, 0xf0, 0xa9, 0x25, 0x0f, 0x0f, 0xf0, 0x3a,
2343 0xa5, 0x45, 0xff, 0xc8, 0xbf, 0xc8, 0x23, 0xd0, 0x87, 0x4b, 0xf6,
2344 0x04, 0x29, 0x27, 0xf8, 0xe7, 0x1f, 0x33, 0x13, 0xf5, 0xfa,
2345 },
2346 32, "Sectigo 'Tiger2026h1'" },
2347 { (const uint8_t[]){
2348 0xc8, 0xa3, 0xc4, 0x7f, 0xc7, 0xb3, 0xad, 0xb9, 0x35, 0x6b, 0x01,
2349 0x3f, 0x6a, 0x7a, 0x12, 0x6d, 0xe3, 0x3a, 0x4e, 0x43, 0xa5, 0xc6,
2350 0x46, 0xf9, 0x97, 0xad, 0x39, 0x75, 0x99, 0x1d, 0xcf, 0x9a,
2351 },
2352 32, "Sectigo 'Tiger2026h2'" },
2353 { (const uint8_t[]){
2354 0x1c, 0x9f, 0x68, 0x2c, 0xe9, 0xfa, 0xf0, 0x45, 0x69, 0x50, 0xf8,
2355 0x1b, 0x96, 0x8a, 0x87, 0xdd, 0xdb, 0x32, 0x10, 0xd8, 0x4c, 0xe6,
2356 0xc8, 0xb2, 0xe3, 0x82, 0x52, 0x4a, 0xc4, 0xcf, 0x59, 0x9f,
2357 },
2358 32, "Sectigo 'Tiger2027h1'" },
2359 { (const uint8_t[]){
2360 0x03, 0x80, 0x2a, 0xc2, 0x62, 0xf6, 0xe0, 0x5e, 0x03, 0xf8, 0xbc,
2361 0x6f, 0x7b, 0x98, 0x51, 0x32, 0x4f, 0xd7, 0x6a, 0x3d, 0xf5, 0xb7,
2362 0x59, 0x51, 0x75, 0xe2, 0x22, 0xfb, 0x8e, 0x9b, 0xd5, 0xf6,
2363 },
2364 32, "Sectigo 'Tiger2027h2'" },
2365 { (const uint8_t[]){
2366 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2367 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2368 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2369 },
2370 32, "Sectigo 'Dodo' CT log" },
2371 { (const uint8_t[]){
2372 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2373 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2374 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2375 },
2376 32, "Let's Encrypt 'Oak2020' log" },
2377 { (const uint8_t[]){
2378 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2379 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2380 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2381 },
2382 32, "Let's Encrypt 'Oak2021' log" },
2383 { (const uint8_t[]){
2384 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2385 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2386 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2387 },
2388 32, "Let's Encrypt 'Oak2022' log" },
2389 { (const uint8_t[]){
2390 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2391 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2392 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2393 },
2394 32, "Let's Encrypt 'Oak2023' log" },
2395 { (const uint8_t[]){
2396 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2397 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2398 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2399 },
2400 32, "Let's Encrypt 'Oak2024H1' log" },
2401 { (const uint8_t[]){
2402 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2403 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2404 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2405 },
2406 32, "Let's Encrypt 'Oak2024H2' log" },
2407 { (const uint8_t[]){
2408 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2409 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2410 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2411 },
2412 32, "Let's Encrypt 'Oak2025h1'" },
2413 { (const uint8_t[]){
2414 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2415 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2416 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2417 },
2418 32, "Let's Encrypt 'Oak2025h2'" },
2419 { (const uint8_t[]){
2420 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2421 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2422 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2423 },
2424 32, "Let's Encrypt 'Oak2026h1'" },
2425 { (const uint8_t[]){
2426 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2427 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2428 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2429 },
2430 32, "Let's Encrypt 'Oak2026h2'" },
2431 { (const uint8_t[]){
2432 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2433 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2434 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2435 },
2436 32, "Let's Encrypt 'Oak2019' log" },
2437 { (const uint8_t[]){
2438 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2439 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2440 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2441 },
2442 32, "Let's Encrypt 'Testflume2019' log" },
2443 { (const uint8_t[]){
2444 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2445 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2446 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2447 },
2448 32, "Let's Encrypt 'Sapling 2022h2' log" },
2449 { (const uint8_t[]){
2450 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2451 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2452 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2453 },
2454 32, "Let's Encrypt 'Sapling 2023h1' log" },
2455 { (const uint8_t[]){
2456 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2457 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2458 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2459 },
2460 32, "Let's Encrypt 'Testflume2020' log" },
2461 { (const uint8_t[]){
2462 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2463 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2464 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2465 },
2466 32, "Let's Encrypt 'Testflume2021' log" },
2467 { (const uint8_t[]){
2468 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2469 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2470 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2471 },
2472 32, "Let's Encrypt 'Testflume2022' log" },
2473 { (const uint8_t[]){
2474 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2475 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2476 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2477 },
2478 32, "Let's Encrypt 'Testflume2023' log" },
2479 { (const uint8_t[]){
2480 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2481 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2482 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2483 },
2484 32, "Let's Encrypt 'Clicky' log" },
2485 { (const uint8_t[]){
2486 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2487 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2488 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2489 },
2490 32, "Trust Asia Log2020" },
2491 { (const uint8_t[]){
2492 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2493 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2494 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2495 },
2496 32, "Trust Asia CT2021" },
2497 { (const uint8_t[]){
2498 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2499 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2500 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2501 },
2502 32, "Trust Asia Log2021" },
2503 { (const uint8_t[]){
2504 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2505 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2506 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2507 },
2508 32, "Trust Asia Log2022" },
2509 { (const uint8_t[]){
2510 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2511 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2512 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2513 },
2514 32, "Trust Asia Log2023" },
2515 { (const uint8_t[]){
2516 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2517 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2518 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2519 },
2520 32, "Trust Asia Log2024" },
2521 { (const uint8_t[]){
2522 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2523 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2524 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2525 },
2526 32, "Trust Asia Log2024-2" },
2527 { (const uint8_t[]){
2528 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2529 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2530 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2531 },
2532 32, "TrustAsia Log2025a" },
2533 { (const uint8_t[]){
2534 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2535 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2536 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2537 },
2538 32, "TrustAsia Log2025b" },
2539 { (const uint8_t[]){
2540 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2541 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2542 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2543 },
2544 32, "TrustAsia 'log2026a'" },
2545 { (const uint8_t[]){
2546 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2547 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2548 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2549 },
2550 32, "TrustAsia 'log2026b'" },
2551 { (const uint8_t[]){
2552 0xed, 0xda, 0xeb, 0x81, 0x5c, 0x63, 0x21, 0x34, 0x49, 0xb4, 0x7b,
2553 0xe5, 0x07, 0x79, 0x05, 0xab, 0xd0, 0xd9, 0x31, 0x47, 0xc2, 0x7a,
2554 0xc5, 0x14, 0x6b, 0x3b, 0xc5, 0x8e, 0x43, 0xe9, 0xb6, 0xc7,
2555 },
2556 32, "TrustAsia 'HETU2027'" },
2557 { (const uint8_t[]){
2558 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2559 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2560 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2561 },
2562 32, "Trust Asia Log1" },
2563 { (const uint8_t[]){
2564 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2565 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2566 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2567 },
2568 32, "GDCA CT log #1" },
2569 { (const uint8_t[]){
2570 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2571 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2572 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2573 },
2574 32, "GDCA CT log #2" },
2575 { (const uint8_t[]){
2576 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2577 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2578 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2579 },
2580 32, "GDCA Log 1" },
2581 { (const uint8_t[]){
2582 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2583 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2584 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2585 },
2586 32, "GDCA Log 2" },
2587 { (const uint8_t[]){
2588 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2589 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2590 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2591 },
2592 32, "PuChuangSiDa CT log" },
2593 { (const uint8_t[]){
2594 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2595 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2596 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2597 },
2598 32, "Nordu 'flimsy' log" },
2599 { (const uint8_t[]){
2600 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2601 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2602 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2603 },
2604 32, "Nordu 'plausible' log" },
2605 { (const uint8_t[]){
2606 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2607 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2608 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2609 },
2610 32, "SHECA CT log 1" },
2611 { (const uint8_t[]){
2612 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2613 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2614 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2615 },
2616 32, "SHECA CT log 2" },
2617 { (const uint8_t[]){
2618 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2619 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2620 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2621 },
2622 32, "Akamai CT Log" },
2623 { (const uint8_t[]){
2624 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2625 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2626 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2627 },
2628 32, "Alpha CT Log" },
2629 { (const uint8_t[]){
2630 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2631 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2632 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2633 },
2634 32, "Up In The Air 'Behind the Sofa' log" },
2635 { (const uint8_t[]){
2636 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2637 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2638 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2639 },
2640 32, "Qihoo 360 2020" },
2641 { (const uint8_t[]){
2642 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2643 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2644 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2645 },
2646 32, "Qihoo 360 2021" },
2647 { (const uint8_t[]){
2648 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2649 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2650 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2651 },
2652 32, "Qihoo 360 2022" },
2653 { (const uint8_t[]){
2654 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2655 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2656 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2657 },
2658 32, "Qihoo 360 2023" },
2659 { (const uint8_t[]){
2660 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2661 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2662 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2663 },
2664 32, "Qihoo 360 v1 2020" },
2665 { (const uint8_t[]){
2666 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2667 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2668 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2669 },
2670 32, "Qihoo 360 v1 2021" },
2671 { (const uint8_t[]){
2672 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2673 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2674 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2675 },
2676 32, "Qihoo 360 v1 2022" },
2677 { (const uint8_t[]){
2678 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2679 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2680 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2681 },
2682 32, "Qihoo 360 v1 2023" },
2683 { (const uint8_t[]){
2684 0x2e, 0xd6, 0xa4, 0x4d, 0xeb, 0x8f, 0x0c, 0x86, 0x46, 0x67, 0x76,
2685 0x9c, 0x4e, 0xdd, 0x04, 0x1f, 0x84, 0x23, 0x67, 0x55, 0xfa, 0x3a,
2686 0xac, 0xa6, 0x34, 0xd0, 0x93, 0x5d, 0xfc, 0xd5, 0x9a, 0x70,
2687 },
2688 32, "Bogus placeholder log to unbreak misbehaving CT libraries" },
2689 { (const uint8_t[]){
2690 0x39, 0xb9, 0x87, 0x88, 0x28, 0x19, 0x5f, 0x3b, 0x2d, 0x0d, 0x1b,
2691 0x48, 0x14, 0xa3, 0xae, 0x8c, 0x0d, 0x01, 0xfe, 0x48, 0x62, 0x21,
2692 0xdd, 0x69, 0x39, 0x7d, 0x76, 0xf7, 0x85, 0x74, 0x11, 0xc3,
2693 },
2694 32, "Merklemap 'CompactLog' log" },
2695 { (const uint8_t[]){
2696 0xd2, 0xfc, 0x65, 0x2f, 0xa5, 0xf9, 0xb7, 0x38, 0xb8, 0x37, 0x55,
2697 0xfa, 0x5e, 0xb1, 0x5f, 0x0b, 0x45, 0x25, 0x3f, 0x4e, 0x8f, 0xa3,
2698 0xb9, 0xb6, 0x4f, 0xd4, 0xde, 0x56, 0x62, 0xd1, 0x87, 0x08,
2699 },
2700 32, "Bogus RFC6962 log to avoid breaking misbehaving CT libraries" },
2701 { NULL((void*)0), 0, NULL((void*)0) }
2702};
2703
2704/*
2705 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2706 */
2707static dissector_table_t ssl_alpn_dissector_table;
2708static dissector_table_t dtls_alpn_dissector_table;
2709
2710/*
2711 * Special cases for prefix matching of the ALPN, if the ALPN includes
2712 * a version number for a draft or protocol revision.
2713 */
2714typedef struct ssl_alpn_prefix_match_protocol {
2715 const char *proto_prefix;
2716 const char *dissector_name;
2717} ssl_alpn_prefix_match_protocol_t;
2718
2719static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
2720 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
2721 * already exists 3.1 as of this writing... match the prefix. */
2722 { "spdy/", "spdy" },
2723 /* draft-ietf-httpbis-http2-16 */
2724 { "h2-", "http2" }, /* draft versions */
2725};
2726
2727const value_string compress_certificate_algorithm_vals[] = {
2728 { 1, "zlib" },
2729 { 2, "brotli" },
2730 { 3, "zstd" },
2731 { 0, NULL((void*)0) }
2732};
2733
2734
2735const val64_string quic_transport_parameter_id[] = {
2736 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00, "original_destination_connection_id" },
2737 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01, "max_idle_timeout" },
2738 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02, "stateless_reset_token" },
2739 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03, "max_udp_payload_size" },
2740 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04, "initial_max_data" },
2741 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05, "initial_max_stream_data_bidi_local" },
2742 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06, "initial_max_stream_data_bidi_remote" },
2743 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07, "initial_max_stream_data_uni" },
2744 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09, "initial_max_streams_uni" },
2745 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08, "initial_max_streams_bidi" },
2746 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a, "ack_delay_exponent" },
2747 { SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b, "max_ack_delay" },
2748 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c, "disable_active_migration" },
2749 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d, "preferred_address" },
2750 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e, "active_connection_id_limit" },
2751 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f, "initial_source_connection_id" },
2752 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10, "retry_source_connection_id" },
2753 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20, "max_datagram_frame_size" },
2754 { SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000, "cibir_encoding" },
2755 { SSL_HND_QUIC_TP_LOSS_BITS0x1057, "loss_bits" },
2756 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2, "grease_quic_bit" },
2757 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157, "enable_time_stamp" },
2758 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158, "enable_time_stamp_v2" },
2759 { SSL_HND_QUIC_TP_VERSION_INFORMATION0x11, "version_information" },
2760 { SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db, "version_information_draft" },
2761 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a, "min_ack_delay" },
2762 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129, "google_user_agent" },
2763 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B, "google_key_update_not_yet_supported" },
2764 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752, "google_quic_version" },
2765 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127, "google_initial_rtt" },
2766 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A, "google_support_handshake_done" },
2767 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751, "google_quic_params" },
2768 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128, "google_connection_options" },
2769 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00, "facebook_partial_reliability" },
2770 { SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176, "address_discovery" },
2771 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A, "min_ack_delay (draft-01)" },
2772 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a, "min_ack_delay (draft-05)" },
2773 { SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b, "min_ack_delay" },
2774 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04, "enable_multipath (draft-04)" },
2775 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05, "enable_multipath (draft-05)" },
2776 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06, "enable_multipath (draft-06)" },
2777 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07, "initial_max_paths (draft-07/08)" },
2778 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09, "initial_max_path_id (draft-09/10)" },
2779 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11, "initial_max_path_id (draft-11)" },
2780 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c, "initial_max_path_id (draft-12)" },
2781 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d0d, "initial_max_path_id" },
2782 { 0, NULL((void*)0) }
2783};
2784
2785/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00 */
2786const val64_string quic_address_discovery_vals[] = {
2787 { 0, "The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself" },
2788 { 1, "The node is interested in receiving address observations, but it is not willing to provide address observations" },
2789 { 2, "The node is interested in receiving address observations, and it is willing to provide address observations" },
2790 { 0, NULL((void*)0) }
2791};
2792
2793/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
2794const val64_string quic_enable_time_stamp_v2_vals[] = {
2795 { 1, "I would like to receive TIME_STAMP frames" },
2796 { 2, "I am able to generate TIME_STAMP frames" },
2797 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
2798 { 0, NULL((void*)0) }
2799};
2800
2801/* https://datatracker.ietf.org/doc/draft-ietf-quic-multipath/04/ */
2802const val64_string quic_enable_multipath_vals[] = {
2803 { 0, "don't support multipath" },
2804 { 1, "support multipath as defined in this document" },
2805 { 0, NULL((void*)0) }
2806};
2807
2808/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
2809const value_string tls_hello_ext_ech_clienthello_types[] = {
2810 { 0, "Outer Client Hello" },
2811 { 1, "Inner Client Hello" },
2812 { 0, NULL((void*)0) }
2813};
2814
2815/* RFC 9180 */
2816const value_string kem_id_type_vals[] = {
2817 { 0x0000, "Reserved" },
2818 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
2819 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
2820 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
2821 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
2822 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
2823 { 0, NULL((void*)0) }
2824};
2825const value_string kdf_id_type_vals[] = {
2826 { 0x0000, "Reserved" },
2827 { 0x0001, "HKDF-SHA256" },
2828 { 0x0002, "HKDF-SHA384" },
2829 { 0x0003, "HKDF-SHA512" },
2830 { 0, NULL((void*)0) }
2831};
2832const value_string aead_id_type_vals[] = {
2833 { 0x0000, "Reserved" },
2834 { 0x0001, "AES-128-GCM" },
2835 { 0x0002, "AES-256-GCM" },
2836 { 0x0003, "ChaCha20Poly1305" },
2837 { 0xFFFF, "Export-only" },
2838 { 0, NULL((void*)0) }
2839};
2840
2841const value_string token_binding_key_parameter_vals[] = {
2842 { 0, "rsa2048_pkcs1.5" },
2843 { 1, "rsa2048_pss" },
2844 { 2, "ecdsap256" },
2845 { 0, NULL((void*)0) }
2846};
2847
2848/* Lookup tables }}} */
2849
2850void
2851quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
2852{
2853 const char *label;
2854 if (IS_GREASE_QUIC(parameter_id)((parameter_id) > 27 ? ((((parameter_id) - 27) % 31) == 0)
: 0)) {
2855 label = "GREASE";
2856 } else {
2857 label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");
2858 }
2859 snprintf(result, ITEM_LABEL_LENGTH240, "%s (0x%02" PRIx64"l" "x" ")", label, parameter_id);
2860}
2861
2862/* we keep this internal to packet-tls-utils, as there should be
2863 no need to access it any other way.
2864
2865 This also allows us to hide the dependency on zlib.
2866*/
2867struct _SslDecompress {
2868 int compression;
2869#ifdef USE_ZLIB_OR_ZLIBNG
2870 zlib_stream istream;
2871#endif
2872};
2873
2874/* To assist in parsing client/server key exchange messages
2875 0 indicates unknown */
2876int ssl_get_keyex_alg(int cipher)
2877{
2878 /* Map Cipher suite number to Key Exchange algorithm {{{ */
2879 switch(cipher) {
2880 case 0x0017:
2881 case 0x0018:
2882 case 0x0019:
2883 case 0x001a:
2884 case 0x001b:
2885 case 0x0034:
2886 case 0x003a:
2887 case 0x0046:
2888 case 0x006c:
2889 case 0x006d:
2890 case 0x0089:
2891 case 0x009b:
2892 case 0x00a6:
2893 case 0x00a7:
2894 case 0x00bf:
2895 case 0x00c5:
2896 case 0xc084:
2897 case 0xc085:
2898 return KEX_DH_ANON0x13;
2899 case 0x000b:
2900 case 0x000c:
2901 case 0x000d:
2902 case 0x0030:
2903 case 0x0036:
2904 case 0x003e:
2905 case 0x0042:
2906 case 0x0068:
2907 case 0x0085:
2908 case 0x0097:
2909 case 0x00a4:
2910 case 0x00a5:
2911 case 0x00bb:
2912 case 0x00c1:
2913 case 0xc082:
2914 case 0xc083:
2915 return KEX_DH_DSS0x14;
2916 case 0x000e:
2917 case 0x000f:
2918 case 0x0010:
2919 case 0x0031:
2920 case 0x0037:
2921 case 0x003f:
2922 case 0x0043:
2923 case 0x0069:
2924 case 0x0086:
2925 case 0x0098:
2926 case 0x00a0:
2927 case 0x00a1:
2928 case 0x00bc:
2929 case 0x00c2:
2930 case 0xc07e:
2931 case 0xc07f:
2932 return KEX_DH_RSA0x15;
2933 case 0x0011:
2934 case 0x0012:
2935 case 0x0013:
2936 case 0x0032:
2937 case 0x0038:
2938 case 0x0040:
2939 case 0x0044:
2940 case 0x0063:
2941 case 0x0065:
2942 case 0x0066:
2943 case 0x006a:
2944 case 0x0087:
2945 case 0x0099:
2946 case 0x00a2:
2947 case 0x00a3:
2948 case 0x00bd:
2949 case 0x00c3:
2950 case 0xc080:
2951 case 0xc081:
2952 return KEX_DHE_DSS0x10;
2953 case 0x002d:
2954 case 0x008e:
2955 case 0x008f:
2956 case 0x0090:
2957 case 0x0091:
2958 case 0x00aa:
2959 case 0x00ab:
2960 case 0x00b2:
2961 case 0x00b3:
2962 case 0x00b4:
2963 case 0x00b5:
2964 case 0xc090:
2965 case 0xc091:
2966 case 0xc096:
2967 case 0xc097:
2968 case 0xc0a6:
2969 case 0xc0a7:
2970 case 0xc0aa:
2971 case 0xc0ab:
2972 case 0xccad:
2973 case 0xe41c:
2974 case 0xe41d:
2975 return KEX_DHE_PSK0x11;
2976 case 0x0014:
2977 case 0x0015:
2978 case 0x0016:
2979 case 0x0033:
2980 case 0x0039:
2981 case 0x0045:
2982 case 0x0067:
2983 case 0x006b:
2984 case 0x0088:
2985 case 0x009a:
2986 case 0x009e:
2987 case 0x009f:
2988 case 0x00be:
2989 case 0x00c4:
2990 case 0xc07c:
2991 case 0xc07d:
2992 case 0xc09e:
2993 case 0xc09f:
2994 case 0xc0a2:
2995 case 0xc0a3:
2996 case 0xccaa:
2997 case 0xe41e:
2998 case 0xe41f:
2999 return KEX_DHE_RSA0x12;
3000 case 0xc015:
3001 case 0xc016:
3002 case 0xc017:
3003 case 0xc018:
3004 case 0xc019:
3005 return KEX_ECDH_ANON0x19;
3006 case 0xc001:
3007 case 0xc002:
3008 case 0xc003:
3009 case 0xc004:
3010 case 0xc005:
3011 case 0xc025:
3012 case 0xc026:
3013 case 0xc02d:
3014 case 0xc02e:
3015 case 0xc074:
3016 case 0xc075:
3017 case 0xc088:
3018 case 0xc089:
3019 return KEX_ECDH_ECDSA0x1a;
3020 case 0xc00b:
3021 case 0xc00c:
3022 case 0xc00d:
3023 case 0xc00e:
3024 case 0xc00f:
3025 case 0xc029:
3026 case 0xc02a:
3027 case 0xc031:
3028 case 0xc032:
3029 case 0xc078:
3030 case 0xc079:
3031 case 0xc08c:
3032 case 0xc08d:
3033 return KEX_ECDH_RSA0x1b;
3034 case 0xc006:
3035 case 0xc007:
3036 case 0xc008:
3037 case 0xc009:
3038 case 0xc00a:
3039 case 0xc023:
3040 case 0xc024:
3041 case 0xc02b:
3042 case 0xc02c:
3043 case 0xc072:
3044 case 0xc073:
3045 case 0xc086:
3046 case 0xc087:
3047 case 0xc0ac:
3048 case 0xc0ad:
3049 case 0xc0ae:
3050 case 0xc0af:
3051 case 0xcca9:
3052 case 0xe414:
3053 case 0xe415:
3054 return KEX_ECDHE_ECDSA0x16;
3055 case 0xc033:
3056 case 0xc034:
3057 case 0xc035:
3058 case 0xc036:
3059 case 0xc037:
3060 case 0xc038:
3061 case 0xc039:
3062 case 0xc03a:
3063 case 0xc03b:
3064 case 0xc09a:
3065 case 0xc09b:
3066 case 0xccac:
3067 case 0xe418:
3068 case 0xe419:
3069 case 0xd001:
3070 case 0xd002:
3071 case 0xd003:
3072 case 0xd005:
3073 return KEX_ECDHE_PSK0x17;
3074 case 0xc010:
3075 case 0xc011:
3076 case 0xc012:
3077 case 0xc013:
3078 case 0xc014:
3079 case 0xc027:
3080 case 0xc028:
3081 case 0xc02f:
3082 case 0xc030:
3083 case 0xc076:
3084 case 0xc077:
3085 case 0xc08a:
3086 case 0xc08b:
3087 case 0xcca8:
3088 case 0xe412:
3089 case 0xe413:
3090 return KEX_ECDHE_RSA0x18;
3091 case 0x001e:
3092 case 0x001f:
3093 case 0x0020:
3094 case 0x0021:
3095 case 0x0022:
3096 case 0x0023:
3097 case 0x0024:
3098 case 0x0025:
3099 case 0x0026:
3100 case 0x0027:
3101 case 0x0028:
3102 case 0x0029:
3103 case 0x002a:
3104 case 0x002b:
3105 return KEX_KRB50x1c;
3106 case 0x002c:
3107 case 0x008a:
3108 case 0x008b:
3109 case 0x008c:
3110 case 0x008d:
3111 case 0x00a8:
3112 case 0x00a9:
3113 case 0x00ae:
3114 case 0x00af:
3115 case 0x00b0:
3116 case 0x00b1:
3117 case 0xc064:
3118 case 0xc065:
3119 case 0xc08e:
3120 case 0xc08f:
3121 case 0xc094:
3122 case 0xc095:
3123 case 0xc0a4:
3124 case 0xc0a5:
3125 case 0xc0a8:
3126 case 0xc0a9:
3127 case 0xccab:
3128 case 0xe416:
3129 case 0xe417:
3130 return KEX_PSK0x1d;
3131 case 0x0001:
3132 case 0x0002:
3133 case 0x0003:
3134 case 0x0004:
3135 case 0x0005:
3136 case 0x0006:
3137 case 0x0007:
3138 case 0x0008:
3139 case 0x0009:
3140 case 0x000a:
3141 case 0x002f:
3142 case 0x0035:
3143 case 0x003b:
3144 case 0x003c:
3145 case 0x003d:
3146 case 0x0041:
3147 case 0x0060:
3148 case 0x0061:
3149 case 0x0062:
3150 case 0x0064:
3151 case 0x0084:
3152 case 0x0096:
3153 case 0x009c:
3154 case 0x009d:
3155 case 0x00ba:
3156 case 0x00c0:
3157 case 0xc07a:
3158 case 0xc07b:
3159 case 0xc09c:
3160 case 0xc09d:
3161 case 0xc0a0:
3162 case 0xc0a1:
3163 case 0xe410:
3164 case 0xe411:
3165 case 0xfefe:
3166 case 0xfeff:
3167 case 0xffe0:
3168 case 0xffe1:
3169 return KEX_RSA0x1e;
3170 case 0x002e:
3171 case 0x0092:
3172 case 0x0093:
3173 case 0x0094:
3174 case 0x0095:
3175 case 0x00ac:
3176 case 0x00ad:
3177 case 0x00b6:
3178 case 0x00b7:
3179 case 0x00b8:
3180 case 0x00b9:
3181 case 0xc092:
3182 case 0xc093:
3183 case 0xc098:
3184 case 0xc099:
3185 case 0xccae:
3186 case 0xe41a:
3187 case 0xe41b:
3188 return KEX_RSA_PSK0x1f;
3189 case 0xc01a:
3190 case 0xc01d:
3191 case 0xc020:
3192 return KEX_SRP_SHA0x20;
3193 case 0xc01c:
3194 case 0xc01f:
3195 case 0xc022:
3196 return KEX_SRP_SHA_DSS0x21;
3197 case 0xc01b:
3198 case 0xc01e:
3199 case 0xc021:
3200 return KEX_SRP_SHA_RSA0x22;
3201 case 0xc0ff:
3202 return KEX_ECJPAKE0x24;
3203 case 0xe003:
3204 case 0xe013:
3205 case 0xe053:
3206 return KEX_ECC_SM20x26;
3207 default:
3208 break;
3209 }
3210
3211 return 0;
3212 /* }}} */
3213}
3214
3215static wmem_list_t *connection_id_session_list;
3216
3217void
3218ssl_init_cid_list(void) {
3219 connection_id_session_list = wmem_list_new(wmem_file_scope());
3220}
3221
3222void
3223ssl_cleanup_cid_list(void) {
3224 wmem_destroy_list(connection_id_session_list);
3225}
3226
3227void
3228ssl_add_session_by_cid(SslDecryptSession *session)
3229{
3230 wmem_list_append(connection_id_session_list, session);
3231}
3232
3233SslDecryptSession *
3234ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
3235{
3236 SslDecryptSession * ssl_cid = NULL((void*)0);
3237 wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);
3238
3239 while (it != NULL((void*)0) && ssl_cid == NULL((void*)0)) {
3240 SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);
3241 DISSECTOR_ASSERT(ssl != NULL)((void) ((ssl != ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3241, "ssl != ((void*)0)"))));
3242 SslSession *session = &ssl->session;
3243
3244 if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {
3245 if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
3246 ssl_cid = ssl;
3247 }
3248 }
3249
3250 if (session->server_cid_len > 0) {
3251 if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
3252 ssl_cid = ssl;
3253 }
3254 }
3255
3256 it = wmem_list_frame_next(it);
3257 }
3258
3259 return ssl_cid;
3260}
3261
3262/* StringInfo structure (len + data) functions {{{ */
3263
3264int
3265ssl_data_alloc(StringInfo* str, size_t len)
3266{
3267 str->data = (unsigned char *)g_malloc(len);
22
Memory is allocated
3268 /* the allocator can return a null pointer for a size equal to 0,
3269 * and that must be allowed */
3270 if (len
22.1
'len' is > 0
 > 0 && !str->data)
23
Assuming field 'data' is non-null
24
Taking false branch
3271 return -1;
3272 str->data_len = (unsigned) len;
3273 return 0;
3274}
3275
3276void
3277ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
3278{
3279 DISSECTOR_ASSERT(data)((void) ((data) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 3279, "data"))));
3280 memcpy(str->data, data, len);
3281 str->data_len = len;
3282}
3283
3284static int
3285ssl_data_realloc(StringInfo* str, unsigned len)
3286{
3287 str->data = (unsigned char *)g_realloc(str->data, len);
3288 if (!str->data)
3289 return -1;
3290 str->data_len = len;
3291 return 0;
3292}
3293
3294static StringInfo *
3295ssl_data_clone(StringInfo *str)
3296{
3297 StringInfo *cloned_str;
3298 cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
3299 sizeof(StringInfo) + str->data_len);
3300 cloned_str->data = (unsigned char *) (cloned_str + 1);
3301 ssl_data_set(cloned_str, str->data, str->data_len);
3302 return cloned_str;
3303}
3304
3305static int
3306ssl_data_copy(StringInfo* dst, StringInfo* src)
3307{
3308 if (dst->data_len < src->data_len) {
3309 if (ssl_data_realloc(dst, src->data_len))
3310 return -1;
3311 }
3312 memcpy(dst->data, src->data, src->data_len);
3313 dst->data_len = src->data_len;
3314 return 0;
3315}
3316
3317/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
3318 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
3319 * success. */
3320static bool_Bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
3321 size_t i;
3322
3323 if (hex_len & 1)
3324 return false0;
3325
3326 out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);
3327 for (i = 0; i < hex_len / 2; i++) {
3328 int a = ws_xton(in[i*2]);
3329 int b = ws_xton(in[i*2 + 1]);
3330 if (a == -1 || b == -1)
3331 return false0;
3332 out->data[i] = a << 4 | b;
3333 }
3334 out->data_len = (unsigned)hex_len / 2;
3335 return true1;
3336}
3337/* StringInfo structure (len + data) functions }}} */
3338
3339
3340/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3341/* hmac abstraction layer */
3342#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
3343
3344static inline int
3345ssl_hmac_init(SSL_HMACgcry_md_hd_t* md, int algo)
3346{
3347 gcry_error_t err;
3348 const char *err_str, *err_src;
3349
3350 err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);
3351 if (err != 0) {
3352 err_str = gcry_strerror(err);
3353 err_src = gcry_strsource(err);
3354 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);
3355 return -1;
3356 }
3357 return 0;
3358}
3359
3360static inline int
3361ssl_hmac_setkey(SSL_HMACgcry_md_hd_t* md, const void * key, int len)
3362{
3363 gcry_error_t err;
3364 const char *err_str, *err_src;
3365
3366 err = gcry_md_setkey (*(md), key, len);
3367 if (err != 0) {
3368 err_str = gcry_strerror(err);
3369 err_src = gcry_strsource(err);
3370 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);
3371 return -1;
3372 }
3373 return 0;
3374}
3375
3376static inline int
3377ssl_hmac_reset(SSL_HMACgcry_md_hd_t* md)
3378{
3379 gcry_md_reset(*md);
3380 return 0;
3381}
3382
3383static inline void
3384ssl_hmac_update(SSL_HMACgcry_md_hd_t* md, const void* data, int len)
3385{
3386 gcry_md_write(*(md), data, len);
3387}
3388static inline void
3389ssl_hmac_final(SSL_HMACgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3390{
3391 int algo;
3392 unsigned len;
3393
3394 algo = gcry_md_get_algo (*(md));
3395 len = gcry_md_get_algo_dlen(algo);
3396 DISSECTOR_ASSERT(len <= *datalen)((void) ((len <= *datalen) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3396, "len <= *datalen"))));
3397 memcpy(data, gcry_md_read(*(md), algo), len);
3398 *datalen = len;
3399}
3400static inline void
3401ssl_hmac_cleanup(SSL_HMACgcry_md_hd_t* md)
3402{
3403 gcry_md_close(*(md));
3404}
3405
3406/* message digest abstraction layer*/
3407#define SSL_MDgcry_md_hd_t gcry_md_hd_t
3408
3409static inline int
3410ssl_md_init(SSL_MDgcry_md_hd_t* md, int algo)
3411{
3412 gcry_error_t err;
3413 const char *err_str, *err_src;
3414 err = gcry_md_open(md,algo, 0);
3415 if (err != 0) {
3416 err_str = gcry_strerror(err);
3417 err_src = gcry_strsource(err);
3418 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);
3419 return -1;
3420 }
3421 return 0;
3422}
3423static inline void
3424ssl_md_update(SSL_MDgcry_md_hd_t* md, unsigned char* data, int len)
3425{
3426 gcry_md_write(*(md), data, len);
3427}
3428static inline void
3429ssl_md_final(SSL_MDgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3430{
3431 int algo;
3432 int len;
3433 algo = gcry_md_get_algo (*(md));
3434 len = gcry_md_get_algo_dlen (algo);
3435 memcpy(data, gcry_md_read(*(md), algo), len);
3436 *datalen = len;
3437}
3438static inline void
3439ssl_md_cleanup(SSL_MDgcry_md_hd_t* md)
3440{
3441 gcry_md_close(*(md));
3442}
3443
3444static inline void
3445ssl_md_reset(SSL_MDgcry_md_hd_t* md)
3446{
3447 gcry_md_reset(*md);
3448}
3449
3450/* md5 /sha abstraction layer */
3451#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3452#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
3453
3454static inline int
3455ssl_sha_init(SSL_SHA_CTXgcry_md_hd_t* md)
3456{
3457 gcry_error_t err;
3458 const char *err_str, *err_src;
3459 err = gcry_md_open(md, GCRY_MD_SHA1, 0);
3460 if (err != 0) {
3461 err_str = gcry_strerror(err);
3462 err_src = gcry_strsource(err);
3463 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);
3464 return -1;
3465 }
3466 return 0;
3467}
3468static inline void
3469ssl_sha_update(SSL_SHA_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3470{
3471 gcry_md_write(*(md), data, len);
3472}
3473static inline void
3474ssl_sha_final(unsigned char* buf, SSL_SHA_CTXgcry_md_hd_t* md)
3475{
3476 memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),
3477 gcry_md_get_algo_dlen(GCRY_MD_SHA1));
3478}
3479
3480static inline void
3481ssl_sha_reset(SSL_SHA_CTXgcry_md_hd_t* md)
3482{
3483 gcry_md_reset(*md);
3484}
3485
3486static inline void
3487ssl_sha_cleanup(SSL_SHA_CTXgcry_md_hd_t* md)
3488{
3489 gcry_md_close(*(md));
3490}
3491
3492static inline int
3493ssl_md5_init(SSL_MD5_CTXgcry_md_hd_t* md)
3494{
3495 gcry_error_t err;
3496 const char *err_str, *err_src;
3497 err = gcry_md_open(md,GCRY_MD_MD5, 0);
3498 if (err != 0) {
3499 err_str = gcry_strerror(err);
3500 err_src = gcry_strsource(err);
3501 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);
3502 return -1;
3503 }
3504 return 0;
3505}
3506static inline void
3507ssl_md5_update(SSL_MD5_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3508{
3509 gcry_md_write(*(md), data, len);
3510}
3511static inline void
3512ssl_md5_final(unsigned char* buf, SSL_MD5_CTXgcry_md_hd_t* md)
3513{
3514 memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),
3515 gcry_md_get_algo_dlen(GCRY_MD_MD5));
3516}
3517
3518static inline void
3519ssl_md5_reset(SSL_MD5_CTXgcry_md_hd_t* md)
3520{
3521 gcry_md_reset(*md);
3522}
3523
3524static inline void
3525ssl_md5_cleanup(SSL_MD5_CTXgcry_md_hd_t* md)
3526{
3527 gcry_md_close(*(md));
3528}
3529/* libgcrypt wrappers for HMAC/message digest operations }}} */
3530
3531/* libgcrypt wrappers for Cipher state manipulation {{{ */
3532int
3533ssl_cipher_setiv(SSL_CIPHER_CTXgcry_cipher_hd_t *cipher, unsigned char* iv, int iv_len)
3534{
3535 int ret;
3536#if 0
3537 unsigned char *ivp;
3538 int i;
3539 gcry_cipher_hd_t c;
3540 c=(gcry_cipher_hd_t)*cipher;
3541#endif
3542 ssl_debug_printf("--------------------------------------------------------------------");
3543#if 0
3544 for(ivp=c->iv,i=0; i < iv_len; i++ )
3545 {
3546 ssl_debug_printf("%d ",ivp[i]);
3547 i++;
3548 }
3549#endif
3550 ssl_debug_printf("--------------------------------------------------------------------");
3551 ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
3552#if 0
3553 for(ivp=c->iv,i=0; i < iv_len; i++ )
3554 {
3555 ssl_debug_printf("%d ",ivp[i]);
3556 i++;
3557 }
3558#endif
3559 ssl_debug_printf("--------------------------------------------------------------------");
3560 return ret;
3561}
3562/* stream cipher abstraction layer*/
3563static int
3564ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
3565 unsigned char* iv, int mode)
3566{
3567 int gcry_modes[] = {
3568 GCRY_CIPHER_MODE_STREAM,
3569 GCRY_CIPHER_MODE_CBC,
3570 GCRY_CIPHER_MODE_GCM,
3571 GCRY_CIPHER_MODE_CCM,
3572 GCRY_CIPHER_MODE_CCM,
3573 GCRY_CIPHER_MODE_POLY1305,
3574 GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
3575 };
3576 int err;
3577 if (algo == -1) {
3578 /* NULL mode */
3579 *(cipher) = (gcry_cipher_hd_t)-1;
3580 return 0;
3581 }
3582 err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
3583 if (err !=0)
3584 return -1;
3585 err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
3586 if (err != 0)
3587 return -1;
3588 /* AEAD cipher suites will set the nonce later. */
3589 if (mode == MODE_CBC) {
3590 err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
3591 if (err != 0)
3592 return -1;
3593 }
3594 return 0;
3595}
3596static inline int
3597ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
3598 const unsigned char * in, int inl)
3599{
3600 if ((*cipher) == (gcry_cipher_hd_t)-1)
3601 {
3602 if (in && inl)
3603 memcpy(out, in, outl < inl ? outl : inl);
3604 return 0;
3605 }
3606 return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
3607}
3608static inline int
3609ssl_get_digest_by_name(const char*name)
3610{
3611 return gcry_md_map_name(name);
3612}
3613static inline int
3614ssl_get_cipher_by_name(const char* name)
3615{
3616 return gcry_cipher_map_name(name);
3617}
3618
3619static inline void
3620ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
3621{
3622 if ((*cipher) != (gcry_cipher_hd_t)-1)
3623 gcry_cipher_close(*cipher);
3624 *cipher = NULL((void*)0);
3625}
3626/* }}} */
3627
3628/* Digests, Ciphers and Cipher Suites registry {{{ */
3629static const SslDigestAlgo digests[]={
3630 {"MD5", 16},
3631 {"SHA1", 20},
3632 {"SHA256", 32},
3633 {"SHA384", 48},
3634 {"SM3", 32},
3635 {"Not Applicable", 0},
3636};
3637
3638#define DIGEST_MAX_SIZE48 48
3639
3640/* get index digest index */
3641static const SslDigestAlgo *
3642ssl_cipher_suite_dig(const SslCipherSuite *cs) {
3643 if (!cs || cs->dig < DIG_MD50x40 || cs->dig > DIG_NA0x45) {
3644 return &digests[DIG_NA0x45 - DIG_MD50x40];
3645 }
3646 return &digests[cs->dig - DIG_MD50x40];
3647}
3648
3649static const char *ciphers[]={
3650 "DES",
3651 "3DES",
3652 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
3653 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
3654 "IDEA",
3655 "AES",
3656 "AES256",
3657 "CAMELLIA128",
3658 "CAMELLIA256",
3659 "SEED",
3660 "CHACHA20", /* since Libgcrypt 1.7.0 */
3661 "SM1",
3662 "SM4",
3663 "*UNKNOWN*"
3664};
3665
3666static const SslCipherSuite cipher_suites[]={
3667 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3668 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3669 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3670 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3671 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3672 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3673 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3674 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3675 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3676 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3677 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3678 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3679 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3680 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3681 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3682 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3683 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3684 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3685 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3686 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3687 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3688 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3689 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3690 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3691 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3692 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3693 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3694 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3695 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3696 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3697 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3698 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3699 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3700 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3701 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3702 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3703 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3704 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3705 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3706 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3707 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3708 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3709 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3710 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3711 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3712 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3713 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3714 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3715 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3716 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3717 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3718 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3719 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3720 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3721 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3722 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3723 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3724 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3725 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3726 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3727 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3728 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3729 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3730 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3731 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3732 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3733 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3734 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3735 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3736 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3737 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3738 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3739 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3740 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3741 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3742 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3743 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3744 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3745 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3746 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3747 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3748 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3749 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3750 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3751 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3752 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3753 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3754 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3755 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3756 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3757 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3758 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3759 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3760 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3761 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3762 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3763 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3764 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3765 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3766 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3767 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3768 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3769 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3770 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3771 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3772 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3773 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3774 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3775 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3776 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3777 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3778 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3779 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3780 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3781 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3782 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3783 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3784 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3785 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3786 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3787 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3788 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3789 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3790 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3791 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3792 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3793 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3794 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3795 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3796 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3797 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3798 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3799 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3800 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3801
3802 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3803 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3804 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3805 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3806 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3807 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3808 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3809
3810 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3811 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3812 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3813 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3814 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3815 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3816 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3817 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3818 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3819 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3820 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3821 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3822 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3823 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3824 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3825 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3826 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3827 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3828 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3829 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3830 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3831 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3832 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3833 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3834 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3835 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3836 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3837 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3838 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3839 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3840 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3841 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3842 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3843 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3844 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3845 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3846 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3847 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3848 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3849 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3850 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3851 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3852 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3853 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3854 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3855 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3856 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3857 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3858 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3859 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3860 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3861 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3862 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3863 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3864 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3865 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3866 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3867 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3868 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3869 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3870 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3871 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3872 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3873 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3874 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3875 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3876 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3877 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3878 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3879 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3880 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3881 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3882 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3883 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3884 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3885 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3886 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3887 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3888 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3889 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3890 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3891 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3892 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3893 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3894 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3895 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3896 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3897 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3898 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3899 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3900 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3901 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3902 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3903 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3904 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3905 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3906 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3907 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3908 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3909 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3910 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3911 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3912 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3913 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3914 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3915 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3916 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3917 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3918 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3919 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3920 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3921 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3922 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3923 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3924 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3925 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3926 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3927 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3928 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3929 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3930 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3931 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3932 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3933 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3934 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3935 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3936 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3937 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3938 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3939 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3940 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3941 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3942 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3943 /* GM */
3944 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3945 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3946 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3947 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3948 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3949 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3950 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3951 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3952 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3953 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3954 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3955 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3956 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3957 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3958 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3959 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3960 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3961 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3962 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3963 {-1, 0, 0, 0, MODE_STREAM}
3964};
3965
3966#define MAX_BLOCK_SIZE16 16
3967#define MAX_KEY_SIZE32 32
3968
3969const SslCipherSuite *
3970ssl_find_cipher(int num)
3971{
3972 const SslCipherSuite *c;
3973 for(c=cipher_suites;c->number!=-1;c++){
3974 if(c->number==num){
3975 return c;
3976 }
3977 }
3978
3979 return NULL((void*)0);
3980}
3981
3982int
3983ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
3984{
3985 return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3986}
3987
3988unsigned
3989ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
3990{
3991 int cipher_algo;
3992 if (cipher_suite->mode != MODE_CBC) return 0;
3993 cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3994 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
3995}
3996
3997static unsigned
3998ssl_get_cipher_export_keymat_size(int cipher_suite_num)
3999{
4000 switch (cipher_suite_num) {
4001 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
4002 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
4003 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
4004 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
4005 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
4006 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
4007 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
4008 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
4009 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
4010 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
4011 return 5;
4012
4013 /* not defined in below draft, but "implemented by several vendors",
4014 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
4015 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
4016 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
4017 return 7;
4018
4019 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
4020 * used 7. Until a pcap proves 8, let's use the old value. Link:
4021 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
4022 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
4023 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
4024 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
4025 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
4026 return 7;
4027
4028 default:
4029 return 0;
4030 }
4031}
4032
4033/* Digests, Ciphers and Cipher Suites registry }}} */
4034
4035
4036/* HMAC and the Pseudorandom function {{{ */
4037static int
4038tls_hash(StringInfo *secret, StringInfo *seed, int md,
4039 StringInfo *out, unsigned out_len)
4040{
4041 /* RFC 2246 5. HMAC and the pseudorandom function
4042 * '+' denotes concatenation.
4043 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
4044 * HMAC_hash(secret, A(2) + seed) + ...
4045 * A(0) = seed
4046 * A(i) = HMAC_hash(secret, A(i - 1))
4047 */
4048 uint8_t *ptr;
4049 unsigned left, tocpy;
4050 uint8_t *A;
4051 uint8_t _A[DIGEST_MAX_SIZE48], tmp[DIGEST_MAX_SIZE48];
4052 unsigned A_l, tmp_l;
4053 SSL_HMACgcry_md_hd_t hm;
4054
4055 ptr = out->data;
4056 left = out_len;
4057
4058 ssl_print_string("tls_hash: hash secret", secret);
4059 ssl_print_string("tls_hash: hash seed", seed);
4060 /* A(0) = seed */
4061 A = seed->data;
4062 A_l = seed->data_len;
4063
4064 if (ssl_hmac_init(&hm, md) != 0) {
4065 return -1;
4066 }
4067 while (left) {
4068 /* A(i) = HMAC_hash(secret, A(i-1)) */
4069 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4070 ssl_hmac_update(&hm, A, A_l);
4071 A_l = sizeof(_A); /* upper bound len for hash output */
4072 ssl_hmac_final(&hm, _A, &A_l);
4073 A = _A;
4074
4075 /* HMAC_hash(secret, A(i) + seed) */
4076 ssl_hmac_reset(&hm);
4077 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4078 ssl_hmac_update(&hm, A, A_l);
4079 ssl_hmac_update(&hm, seed->data, seed->data_len);
4080 tmp_l = sizeof(tmp); /* upper bound len for hash output */
4081 ssl_hmac_final(&hm, tmp, &tmp_l);
4082 ssl_hmac_reset(&hm);
4083
4084 /* ssl_hmac_final puts the actual digest output size in tmp_l */
4085 tocpy = MIN(left, tmp_l)(((left) < (tmp_l)) ? (left) : (tmp_l));
4086 memcpy(ptr, tmp, tocpy);
4087 ptr += tocpy;
4088 left -= tocpy;
4089 }
4090 ssl_hmac_cleanup(&hm);
4091 out->data_len = out_len;
4092
4093 ssl_print_string("hash out", out);
4094 return 0;
4095}
4096
4097static bool_Bool
4098tls_prf(StringInfo* secret, const char *usage,
4099 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4100{
4101 StringInfo seed, sha_out, md5_out;
4102 uint8_t *ptr;
4103 StringInfo s1, s2;
4104 unsigned i,s_l;
4105 size_t usage_len, rnd2_len;
4106 bool_Bool success = false0;
4107 usage_len = strlen(usage);
4108 rnd2_len = rnd2 ? rnd2->data_len : 0;
4109
4110 /* initialize buffer for sha, md5 random seed*/
4111 if (ssl_data_alloc(&sha_out, MAX(out_len, 20)(((out_len) > (20)) ? (out_len) : (20))) < 0) {
4112 ssl_debug_printf("tls_prf: can't allocate sha out\n");
4113 return false0;
4114 }
4115 if (ssl_data_alloc(&md5_out, MAX(out_len, 16)(((out_len) > (16)) ? (out_len) : (16))) < 0) {
4116 ssl_debug_printf("tls_prf: can't allocate md5 out\n");
4117 goto free_sha;
4118 }
4119 if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4120 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
4121 (int) (usage_len+rnd1->data_len+rnd2_len));
4122 goto free_md5;
4123 }
4124
4125 ptr=seed.data;
4126 memcpy(ptr,usage,usage_len);
4127 ptr+=usage_len;
4128 memcpy(ptr,rnd1->data,rnd1->data_len);
4129 if (rnd2_len > 0) {
4130 ptr+=rnd1->data_len;
4131 memcpy(ptr,rnd2->data,rnd2->data_len);
4132 /*ptr+=rnd2->data_len;*/
4133 }
4134
4135 /* initialize buffer for client/server seeds*/
4136 s_l=secret->data_len/2 + secret->data_len%2;
4137 if (ssl_data_alloc(&s1, s_l) < 0) {
4138 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);
4139 goto free_seed;
4140 }
4141 if (ssl_data_alloc(&s2, s_l) < 0) {
4142 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);
4143 goto free_s1;
4144 }
4145
4146 memcpy(s1.data,secret->data,s_l);
4147 memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);
4148
4149 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
4150 if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
4151 goto free_s2;
4152 ssl_debug_printf("tls_prf: tls_hash(sha)\n");
4153 if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
4154 goto free_s2;
4155
4156 for (i = 0; i < out_len; i++)
4157 out->data[i] = md5_out.data[i] ^ sha_out.data[i];
4158 /* success, now store the new meaningful data length */
4159 out->data_len = out_len;
4160 success = true1;
4161
4162 ssl_print_string("PRF out",out);
4163free_s2:
4164 g_free(s2.data);
4165free_s1:
4166 g_free(s1.data);
4167free_seed:
4168 g_free(seed.data);
4169free_md5:
4170 g_free(md5_out.data);
4171free_sha:
4172 g_free(sha_out.data);
4173 return success;
4174}
4175
4176static bool_Bool
4177tls12_prf(int md, StringInfo* secret, const char* usage,
4178 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4179{
4180 StringInfo label_seed;
4181 int success;
4182 size_t usage_len, rnd2_len;
4183 rnd2_len = rnd2 ? rnd2->data_len : 0;
4184
4185 usage_len = strlen(usage);
4186 if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4187 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
4188 return false0;
4189 }
4190 memcpy(label_seed.data, usage, usage_len);
4191 memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);
4192 if (rnd2_len > 0)
4193 memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);
4194
4195 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
4196 success = tls_hash(secret, &label_seed, md, out, out_len);
4197 g_free(label_seed.data);
4198 if(success != -1){
4199 ssl_print_string("PRF out", out);
4200 return true1;
4201 }
4202 return false0;
4203}
4204
4205static bool_Bool
4206ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
4207 StringInfo *out, unsigned out_len)
4208{
4209 SSL_MD5_CTXgcry_md_hd_t md5;
4210 uint8_t tmp[16];
4211
4212 if (ssl_md5_init(&md5) != 0) {
4213 return false0;
4214 }
4215 ssl_md5_update(&md5,r1->data,r1->data_len);
4216 ssl_md5_update(&md5,r2->data,r2->data_len);
4217 ssl_md5_final(tmp,&md5);
4218 ssl_md5_cleanup(&md5);
4219
4220 DISSECTOR_ASSERT(out_len <= sizeof(tmp))((void) ((out_len <= sizeof(tmp)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4220, "out_len <= sizeof(tmp)"))));
4221 ssl_data_set(out, tmp, out_len);
4222 ssl_print_string("export iv", out);
4223 return true1;
4224}
4225
4226static bool_Bool
4227ssl3_prf(StringInfo* secret, const char* usage,
4228 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4229{
4230 SSL_MD5_CTXgcry_md_hd_t md5;
4231 SSL_SHA_CTXgcry_md_hd_t sha;
4232 unsigned off;
4233 int i = 0,j;
4234 uint8_t buf[20];
4235
4236 if (ssl_sha_init(&sha) != 0) {
4237 return false0;
4238 }
4239 if (ssl_md5_init(&md5) != 0) {
4240 ssl_sha_cleanup(&sha);
4241 return false0;
4242 }
4243 for (off = 0; off < out_len; off += 16) {
4244 unsigned char outbuf[16];
4245 i++;
4246
4247 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);
4248 /* A, BB, CCC, ... */
4249 for(j=0;j<i;j++){
4250 buf[j]=64+i;
4251 }
4252
4253 ssl_sha_update(&sha,buf,i);
4254 ssl_sha_update(&sha,secret->data,secret->data_len);
4255
4256 if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){
4257 if (rnd2)
4258 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4259 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4260 }
4261 else{
4262 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4263 if (rnd2)
4264 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4265 }
4266
4267 ssl_sha_final(buf,&sha);
4268 ssl_sha_reset(&sha);
4269
4270 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,
4271 secret->data_len);
4272 ssl_md5_update(&md5,secret->data,secret->data_len);
4273 ssl_md5_update(&md5,buf,20);
4274 ssl_md5_final(outbuf,&md5);
4275 ssl_md5_reset(&md5);
4276
4277 memcpy(out->data + off, outbuf, MIN(out_len - off, 16)(((out_len - off) < (16)) ? (out_len - off) : (16)));
4278 }
4279 ssl_sha_cleanup(&sha);
4280 ssl_md5_cleanup(&md5);
4281 out->data_len = out_len;
4282
4283 return true1;
4284}
4285
4286/* out_len is the wanted output length for the pseudorandom function.
4287 * Ensure that ssl->cipher_suite is set. */
4288static bool_Bool
4289prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
4290 StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
4291{
4292 switch (ssl->session.version) {
4293 case SSLV3_VERSION0x300:
4294 return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);
4295
4296 case TLSV1_VERSION0x301:
4297 case TLSV1DOT1_VERSION0x302:
4298 case DTLSV1DOT0_VERSION0xfeff:
4299 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4300 return tls_prf(secret, usage, rnd1, rnd2, out, out_len);
4301
4302 default: /* TLSv1.2 */
4303 switch (ssl->cipher_suite->dig) {
4304 case DIG_SM30x44:
4305#if GCRYPT_VERSION_NUMBER0x010a03 >= 0x010900
4306 return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,
4307 out, out_len);
4308#else
4309 return false0;
4310#endif
4311 case DIG_SHA3840x43:
4312 return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,
4313 out, out_len);
4314 default:
4315 return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,
4316 out, out_len);
4317 }
4318 }
4319}
4320
4321static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
4322{
4323 SSL_MD5_CTXgcry_md_hd_t md5;
4324 SSL_SHA_CTXgcry_md_hd_t sha;
4325
4326 if (ssl_data_alloc(out, 36) < 0)
21
Calling 'ssl_data_alloc'
25
Returned allocated memory
26
Taking false branch
4327 return -1;
4328
4329 if (ssl_md5_init(&md5) != 0)
27
Taking true branch
4330 return -1;
4331 ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);
4332 ssl_md5_final(out->data,&md5);
4333 ssl_md5_cleanup(&md5);
4334
4335 if (ssl_sha_init(&sha) != 0)
4336 return -1;
4337 ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);
4338 ssl_sha_final(out->data+16,&sha);
4339 ssl_sha_cleanup(&sha);
4340 return 0;
4341}
4342
4343static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
4344{
4345 SSL_MDgcry_md_hd_t mc;
4346 uint8_t tmp[48];
4347 unsigned len;
4348
4349 if (ssl_md_init(&mc, md) != 0)
4350 return -1;
4351 ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);
4352 ssl_md_final(&mc, tmp, &len);
4353 ssl_md_cleanup(&mc);
4354
4355 if (ssl_data_alloc(out, len) < 0)
4356 return -1;
4357 memcpy(out->data, tmp, len);
4358 return 0;
4359}
4360
4361/**
4362 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
4363 * inlined and removed once support for draft 19 and before is dropped.
4364 */
4365static inline const char *
4366tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
4367{
4368 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
4369 return "TLS 1.3, ";
4370 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4371 return "dtls13";
4372 } else {
4373 return "tls13 ";
4374 }
4375}
4376
4377/*
4378 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
4379 * custom label prefix. If "context_hash" is NULL, then an empty context is
4380 * used. Otherwise it must have the same length as the hash algorithm output.
4381 */
4382bool_Bool
4383tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
4384 const char *label_prefix, const char *label,
4385 const uint8_t *context_hash, uint8_t context_length,
4386 uint16_t out_len, unsigned char **out)
4387{
4388 /* RFC 8446 Section 7.1:
4389 * HKDF-Expand-Label(Secret, Label, Context, Length) =
4390 * HKDF-Expand(Secret, HkdfLabel, Length)
4391 * struct {
4392 * uint16 length = Length;
4393 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
4394 * opaque context<0..255> = Context;
4395 * } HkdfLabel;
4396 *
4397 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
4398 * HKDF-Expand(PRK, info, L) -> OKM
4399 */
4400 gcry_error_t err;
4401 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
4402 const unsigned label_length = (unsigned) strlen(label);
4403
4404 /* Some sanity checks */
4405 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4405, "label_length > 0 && label_prefix_length + label_length <= 255"
))));
4406
4407 /* info = HkdfLabel { length, label, context } */
4408 GByteArray *info = g_byte_array_new();
4409 const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))));
4410 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));
4411
4412 const uint8_t label_vector_length = label_prefix_length + label_length;
4413 g_byte_array_append(info, &label_vector_length, 1);
4414 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
4415 g_byte_array_append(info, (const uint8_t*)label, label_length);
4416
4417 g_byte_array_append(info, &context_length, 1);
4418 if (context_length) {
4419 g_byte_array_append(info, context_hash, context_length);
4420 }
4421
4422 *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);
4423 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
4424 g_byte_array_free(info, true1);
4425
4426 if (err) {
4427 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));
4428 wmem_free(NULL((void*)0), *out);
4429 *out = NULL((void*)0);
4430 return false0;
4431 }
4432
4433 return true1;
4434}
4435
4436bool_Bool
4437tls13_hkdf_expand_label(int md, const StringInfo *secret,
4438 const char *label_prefix, const char *label,
4439 uint16_t out_len, unsigned char **out)
4440{
4441 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL((void*)0), 0, out_len, out);
4442}
4443/* HMAC and the Pseudorandom function }}} */
4444
4445/* Record Decompression (after decryption) {{{ */
4446#ifdef USE_ZLIB_OR_ZLIBNG
4447/* memory allocation functions for zlib initialization */
4448static void* ssl_zalloc(void* opaque _U___attribute__((unused)), unsigned int no, unsigned int size)
4449{
4450 return g_malloc0(no*size);
4451}
4452static void ssl_zfree(void* opaque _U___attribute__((unused)), void* addr)
4453{
4454 g_free(addr);
4455}
4456#endif /* USE_ZLIB_OR_ZLIBNG */
4457
4458static SslDecompress*
4459ssl_create_decompressor(int compression)
4460{
4461 SslDecompress *decomp;
4462#ifdef USE_ZLIB_OR_ZLIBNG
4463 int err;
4464#endif
4465
4466 if (compression == 0) return NULL((void*)0);
4467 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
4468 decomp = wmem_new(wmem_file_scope(), SslDecompress)((SslDecompress*)wmem_alloc((wmem_file_scope()), sizeof(SslDecompress
)));
4469 decomp->compression = compression;
4470 switch (decomp->compression) {
4471#ifdef USE_ZLIB_OR_ZLIBNG
4472 case 1: /* DEFLATE */
4473 decomp->istream.zalloc = ssl_zalloc;
4474 decomp->istream.zfree = ssl_zfree;
4475 decomp->istream.opaque = Z_NULL0;
4476 decomp->istream.next_in = Z_NULL0;
4477 decomp->istream.next_out = Z_NULL0;
4478 decomp->istream.avail_in = 0;
4479 decomp->istream.avail_out = 0;
4480 err = ZLIB_PREFIX(inflateInit)(&decomp->istream)inflateInit_((&decomp->istream), "1.3", (int)sizeof(z_stream
));
4481 if (err != Z_OK0) {
4482 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
4483 return NULL((void*)0);
4484 }
4485 break;
4486#endif /* USE_ZLIB_OR_ZLIBNG */
4487 default:
4488 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
4489 return NULL((void*)0);
4490 }
4491 return decomp;
4492}
4493
4494#ifdef USE_ZLIB_OR_ZLIBNG
4495static int
4496ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
4497{
4498 int err;
4499
4500 switch (decomp->compression) {
4501 case 1: /* DEFLATE */
4502 err = Z_OK0;
4503 if (out_str->data_len < 16384) { /* maximal plain length */
4504 ssl_data_realloc(out_str, 16384);
4505 }
4506#ifdef z_constconst
4507 decomp->istream.next_in = in;
4508#else
4509DIAG_OFF(cast-qual)clang diagnostic push clang diagnostic ignored "-Wcast-qual"
4510 decomp->istream.next_in = (Bytef *)in;
4511DIAG_ON(cast-qual)clang diagnostic pop
4512#endif
4513 decomp->istream.avail_in = inl;
4514 decomp->istream.next_out = out_str->data;
4515 decomp->istream.avail_out = out_str->data_len;
4516 if (inl > 0)
4517 err = ZLIB_PREFIX(inflate)inflate(&decomp->istream, Z_SYNC_FLUSH2);
4518 if (err != Z_OK0) {
4519 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
4520 return -1;
4521 }
4522 *outl = out_str->data_len - decomp->istream.avail_out;
4523 break;
4524 default:
4525 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4526 return -1;
4527 }
4528 return 0;
4529}
4530#else /* USE_ZLIB_OR_ZLIBNG */
4531int
4532ssl_decompress_record(SslDecompress* decomp _U___attribute__((unused)), const unsigned char* in _U___attribute__((unused)), unsigned inl _U___attribute__((unused)), StringInfo* out_str _U___attribute__((unused)), unsigned* outl _U___attribute__((unused)))
4533{
4534 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4535 return -1;
4536}
4537#endif /* USE_ZLIB_OR_ZLIBNG */
4538/* Record Decompression (after decryption) }}} */
4539
4540/* Create a new structure to store decrypted chunks. {{{ */
4541static SslFlow*
4542ssl_create_flow(void)
4543{
4544 SslFlow *flow;
4545
4546 flow = wmem_new(wmem_file_scope(), SslFlow)((SslFlow*)wmem_alloc((wmem_file_scope()), sizeof(SslFlow)));
4547 flow->byte_seq = 0;
4548 flow->flags = 0;
4549 flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
4550 return flow;
4551}
4552/* }}} */
4553
4554/* Use the negotiated security parameters for decryption. {{{ */
4555void
4556ssl_change_cipher(SslDecryptSession *ssl_session, bool_Bool server)
4557{
4558 SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;
4559 SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;
4560 ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
4561 *new_decoder ? "" : " (No decoder found - retransmission?)");
4562 if (*new_decoder) {
4563 *dest = *new_decoder;
4564 *new_decoder = NULL((void*)0);
4565 }
4566}
4567/* }}} */
4568
4569/* Init cipher state given some security parameters. {{{ */
4570static bool_Bool
4571ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
4572
4573static SslDecoder*
4574ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
4575 int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
4576{
4577 SslDecoder *dec;
4578 ssl_cipher_mode_t mode = cipher_suite->mode;
4579
4580 dec = wmem_new0(wmem_file_scope(), SslDecoder)((SslDecoder*)wmem_alloc0((wmem_file_scope()), sizeof(SslDecoder
)));
4581 /* init mac buffer: mac storage is embedded into decoder struct to save a
4582 memory allocation and waste samo more memory*/
4583 dec->cipher_suite=cipher_suite;
4584 dec->compression = compression;
4585 if ((mode == MODE_STREAM && mk != NULL((void*)0)) || mode == MODE_CBC) {
4586 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
4587 // the special case for NULL ciphers, even if there is insufficiency
4588 // keying material (including MAC key), we will can still create
4589 // decoders since "decryption" is easy for such ciphers.
4590 dec->mac_key.data = dec->_mac_key_or_write_iv;
4591 ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
4592 } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
4593 // Input for the nonce, to be used with AEAD ciphers.
4594 DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv))((void) ((iv_length <= sizeof(dec->_mac_key_or_write_iv
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4594, "iv_length <= sizeof(dec->_mac_key_or_write_iv)"
))));
4595 dec->write_iv.data = dec->_mac_key_or_write_iv;
4596 ssl_data_set(&dec->write_iv, iv, iv_length);
4597 }
4598 dec->seq = 0;
4599 dec->decomp = ssl_create_decompressor(compression);
4600 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);
4601
4602 if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {
4603 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC((const char*) (__func__)),
4604 cipher_algo, cipher_suite->mode);
4605 return NULL((void*)0);
4606 }
4607
4608 if (cipher_suite->enc != ENC_NULL0x3D && sn_key != NULL((void*)0)) {
4609 if (cipher_suite->enc == ENC_AES0x35 || cipher_suite->enc == ENC_AES2560x36) {
4610 mode = MODE_ECB;
4611 } else if (cipher_suite->enc == ENC_CHACHA200x3A) {
4612 mode = MODE_STREAM;
4613 } else {
4614 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
4615 return NULL((void*)0);
4616 }
4617
4618 if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL((void*)0), mode) < 0) {
4619 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC((const char*) (__func__)),
4620 cipher_algo, MODE_ECB);
4621 ssl_cipher_cleanup(&dec->evp);
4622 dec->evp = NULL((void*)0);
4623 return NULL((void*)0);
4624 }
4625 } else {
4626 dec->sn_evp = NULL((void*)0);
4627 }
4628
4629 dec->dtls13_aad.data = NULL((void*)0);
4630 dec->dtls13_aad.data_len = 0;
4631 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
4632 return dec;
4633}
4634
4635static bool_Bool
4636ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U___attribute__((unused)), wmem_cb_event_t event _U___attribute__((unused)), void *user_data)
4637{
4638 SslDecoder *dec = (SslDecoder *) user_data;
4639
4640 if (dec->evp)
4641 ssl_cipher_cleanup(&dec->evp);
4642 if (dec->sn_evp)
4643 ssl_cipher_cleanup(&dec->sn_evp);
4644
4645#ifdef USE_ZLIB_OR_ZLIBNG
4646 if (dec->decomp != NULL((void*)0) && dec->decomp->compression == 1 /* DEFLATE */)
4647 ZLIB_PREFIX(inflateEnd)inflateEnd(&dec->decomp->istream);
4648#endif
4649
4650 return false0;
4651}
4652/* }}} */
4653
4654/* (Pre-)master secrets calculations {{{ */
4655#ifdef HAVE_LIBGNUTLS1
4656static bool_Bool
4657ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4658 StringInfo *encrypted_pre_master,
4659 GHashTable *key_hash);
4660#endif /* HAVE_LIBGNUTLS */
4661
4662static bool_Bool
4663ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
4664 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);
4665
4666bool_Bool
4667ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
4668 uint32_t length, tvbuff_t *tvb, uint32_t offset,
4669 const char *ssl_psk, packet_info *pinfo,
4670#ifdef HAVE_LIBGNUTLS1
4671 GHashTable *key_hash,
4672#endif
4673 const ssl_master_key_map_t *mk_map)
4674{
4675 /* check for required session data */
4676 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
4677 G_STRFUNC((const char*) (__func__)), ssl_session->state);
4678 if ((ssl_session->state & (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) !=
4679 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) {
4680 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC((const char*) (__func__)),
4681 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4)));
4682 return false0;
4683 }
4684
4685 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304) {
4686 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC((const char*) (__func__)));
4687 return false0;
4688 }
4689
4690 /* check to see if the PMS was provided to us*/
4691 if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true1,
4692 mk_map->pms, &ssl_session->client_random)) {
4693 return true1;
4694 }
4695
4696 if (ssl_session->cipher_suite->kex == KEX_PSK0x1d)
4697 {
4698 /* calculate pre master secret*/
4699 StringInfo pre_master_secret;
4700 unsigned psk_len, pre_master_len;
4701
4702 if (!ssl_psk || (ssl_psk[0] == 0)) {
4703 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC((const char*) (__func__)));
4704 return false0;
4705 }
4706
4707 /* convert hex string into char*/
4708 if (!from_hex(&ssl_session->psk, ssl_psk, strlen(ssl_psk))) {
4709 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
4710 G_STRFUNC((const char*) (__func__)));
4711 return false0;
4712 }
4713
4714 psk_len = ssl_session->psk.data_len;
4715 if (psk_len >= (2 << 15)) {
4716 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
4717 G_STRFUNC((const char*) (__func__)));
4718 return false0;
4719 }
4720
4721
4722 pre_master_len = psk_len * 2 + 4;
4723
4724 pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
4725 pre_master_secret.data_len = pre_master_len;
4726 /* 2 bytes psk_len*/
4727 pre_master_secret.data[0] = psk_len >> 8;
4728 pre_master_secret.data[1] = psk_len & 0xFF;
4729 /* psk_len bytes times 0*/
4730 memset(&pre_master_secret.data[2], 0, psk_len);
4731 /* 2 bytes psk_len*/
4732 pre_master_secret.data[psk_len + 2] = psk_len >> 8;
4733 pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
4734 /* psk*/
4735 memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);
4736
4737 ssl_session->pre_master_secret.data = pre_master_secret.data;
4738 ssl_session->pre_master_secret.data_len = pre_master_len;
4739 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/
4740
4741 /* Remove the master secret if it was there.
4742 This forces keying material regeneration in
4743 case we're renegotiating */
4744 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
4745 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
4746 return true1;
4747 }
4748 else
4749 {
4750 unsigned encrlen, skip;
4751 encrlen = length;
4752 skip = 0;
4753
4754 /* get encrypted data, on tls1 we have to skip two bytes
4755 * (it's the encrypted len and should be equal to record len - 2)
4756 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
4757 */
4758 if (ssl_session->cipher_suite->kex == KEX_RSA0x1e &&
4759 (ssl_session->session.version == TLSV1_VERSION0x301 ||
4760 ssl_session->session.version == TLSV1DOT1_VERSION0x302 ||
4761 ssl_session->session.version == TLSV1DOT2_VERSION0x303 ||
4762 ssl_session->session.version == DTLSV1DOT0_VERSION0xfeff ||
4763 ssl_session->session.version == DTLSV1DOT2_VERSION0xfefd ||
4764 ssl_session->session.version == TLCPV1_VERSION0x101 ))
4765 {
4766 encrlen = tvb_get_ntohs(tvb, offset);
4767 skip = 2;
4768 if (encrlen > length - 2)
4769 {
4770 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
4771 G_STRFUNC((const char*) (__func__)), encrlen, length);
4772 return false0;
4773 }
4774 }
4775 /* the valid lower bound is higher than 8, but it is sufficient for the
4776 * ssl keylog file below */
4777 if (encrlen < 8) {
4778 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
4779 G_STRFUNC((const char*) (__func__)), encrlen);
4780 return false0;
4781 }
4782
4783 StringInfo encrypted_pre_master = {
4784 .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
4785 .data_len = encrlen,
4786 };
4787
4788#ifdef HAVE_LIBGNUTLS1
4789 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
4790 if (ssl_session->cert_key_id) {
4791 if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
4792 return true1;
4793
4794 ssl_debug_printf("%s: can't decrypt pre-master secret\n",
4795 G_STRFUNC((const char*) (__func__)));
4796 }
4797#endif /* HAVE_LIBGNUTLS */
4798
4799 /* try to find the pre-master secret from the encrypted one. The
4800 * ssl key logfile stores only the first 8 bytes, so truncate it */
4801 encrypted_pre_master.data_len = 8;
4802 if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
4803 true1, mk_map->pre_master, &encrypted_pre_master))
4804 return true1;
4805 }
4806 return false0;
4807}
4808
4809/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
4810int
4811ssl_generate_keyring_material(SslDecryptSession*ssl_session)
4812{
4813 StringInfo key_block = { NULL((void*)0), 0 };
4814 uint8_t _iv_c[MAX_BLOCK_SIZE16],_iv_s[MAX_BLOCK_SIZE16];
4815 uint8_t _key_c[MAX_KEY_SIZE32],_key_s[MAX_KEY_SIZE32];
4816 int needed;
4817 int cipher_algo = -1; /* special value (-1) for NULL encryption */
4818 unsigned encr_key_len, write_iv_len = 0;
4819 bool_Bool is_export_cipher;
4820 uint8_t *ptr, *c_iv = NULL((void*)0), *s_iv = NULL((void*)0);
4821 uint8_t *c_wk = NULL((void*)0), *s_wk = NULL((void*)0), *c_mk = NULL((void*)0), *s_mk = NULL((void*)0);
4822 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
4823
4824 /* (D)TLS 1.3 is handled directly in tls13_change_key. */
4825 if (ssl_session->session.version
7.1
Field 'version' is not equal to TLSV1DOT3_VERSION
 == TLSV1DOT3_VERSION0x304 || ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
8
Assuming field 'version' is not equal to DTLSV1DOT3_VERSION
9
Taking false branch
4826 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC((const char*) (__func__)));
4827 return -1;
4828 }
4829
4830 /* check for enough info to proceed */
4831 unsigned need_all = SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4);
4832 unsigned need_any = SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
4833 if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
10
Assuming the condition is false
11
Assuming the condition is false
12
Taking false branch
4834 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
4835 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
4836 need_all|SSL_MASTER_SECRET(1<<5), need_all|SSL_PRE_MASTER_SECRET(1<<6));
4837 /* Special case: for NULL encryption, allow dissection of data even if
4838 * the Client Hello is missing (MAC keys are now skipped though). */
4839 need_all = SSL_CIPHER(1<<2)|SSL_VERSION(1<<4);
4840 if ((ssl_session->state & need_all) == need_all &&
4841 cipher_suite->enc == ENC_NULL0x3D) {
4842 ssl_debug_printf("%s NULL cipher found, will create a decoder but "
4843 "skip MAC validation as keys are missing.\n", G_STRFUNC((const char*) (__func__)));
4844 goto create_decoders;
4845 }
4846
4847 return -1;
4848 }
4849
4850 /* if master key is not available, generate is from the pre-master secret */
4851 if (!(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
13
Assuming the condition is true
14
Taking true branch
4852 if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) == SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) {
15
Assuming the condition is true
16
Taking true branch
4853 StringInfo handshake_hashed_data;
4854 int ret;
4855
4856 handshake_hashed_data.data = NULL((void*)0);
4857 handshake_hashed_data.data_len = 0;
4858
4859 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC((const char*) (__func__)));
4860 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4861 DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0)((void) ((ssl_session->handshake_data.data_len > 0) ? (
void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4861, "ssl_session->handshake_data.data_len > 0"
))));
17
Assuming field 'data_len' is > 0
18
'?' condition is true
4862
4863 switch(ssl_session->session.version) {
19
Control jumps to 'case 257:' at line 4868
4864 case TLSV1_VERSION0x301:
4865 case TLSV1DOT1_VERSION0x302:
4866 case DTLSV1DOT0_VERSION0xfeff:
4867 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4868 case TLCPV1_VERSION0x101:
4869 ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
20
Calling 'tls_handshake_hash'
28
Returned allocated memory
4870 break;
4871 default:
4872 switch (cipher_suite->dig) {
4873 case DIG_SHA3840x43:
4874 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
4875 break;
4876 default:
4877 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
4878 break;
4879 }
4880 break;
4881 }
4882 if (ret
29.1
'ret' is -1
) {
29
 Execution continues on line 4882
30
Taking true branch
4883 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC((const char*) (__func__)));
31
Potential leak of memory pointed to by 'handshake_hashed_data.data'
4884 return -1;
4885 }
4886
4887 wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
4888 ssl_session->handshake_data.data = NULL((void*)0);
4889 ssl_session->handshake_data.data_len = 0;
4890
4891 if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
4892 &handshake_hashed_data,
4893 NULL((void*)0), &ssl_session->master_secret,
4894 SSL_MASTER_SECRET_LENGTH48)) {
4895 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4896 g_free(handshake_hashed_data.data);
4897 return -1;
4898 }
4899 g_free(handshake_hashed_data.data);
4900 } else {
4901 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC((const char*) (__func__)));
4902 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4903 ssl_print_string("client random",&ssl_session->client_random);
4904 ssl_print_string("server random",&ssl_session->server_random);
4905 if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
4906 &ssl_session->client_random,
4907 &ssl_session->server_random, &ssl_session->master_secret,
4908 SSL_MASTER_SECRET_LENGTH48)) {
4909 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4910 return -1;
4911 }
4912 }
4913 ssl_print_string("master secret",&ssl_session->master_secret);
4914
4915 /* the pre-master secret has been 'consumed' so we must clear it now */
4916 ssl_session->state &= ~SSL_PRE_MASTER_SECRET(1<<6);
4917 ssl_session->state |= SSL_MASTER_SECRET(1<<5);
4918 }
4919
4920 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4921 if (cipher_suite->enc != ENC_NULL0x3D) {
4922 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
4923 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4924 cipher_algo = ssl_get_cipher_by_name(cipher_name);
4925 if (cipher_algo == 0) {
4926 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4927 return -1;
4928 }
4929 }
4930
4931 /* Export ciphers consume less material from the key block. */
4932 encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
4933 is_export_cipher = encr_key_len > 0;
4934 if (!is_export_cipher && cipher_suite->enc != ENC_NULL0x3D) {
4935 encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
4936 }
4937
4938 if (cipher_suite->mode == MODE_CBC) {
4939 write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4940 } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
4941 /* account for a four-byte salt for client and server side (from
4942 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
4943 write_iv_len = 4;
4944 } else if (cipher_suite->mode == MODE_POLY1305) {
4945 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
4946 write_iv_len = 12;
4947 }
4948
4949 /* Compute the key block. First figure out how much data we need */
4950 needed = ssl_cipher_suite_dig(cipher_suite)->len*2; /* MAC key */
4951 needed += 2 * encr_key_len; /* encryption key */
4952 needed += 2 * write_iv_len; /* write IV */
4953
4954 key_block.data = (unsigned char *)g_malloc(needed);
4955 ssl_debug_printf("%s sess key generation\n", G_STRFUNC((const char*) (__func__)));
4956 if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
4957 &ssl_session->server_random,&ssl_session->client_random,
4958 &key_block, needed)) {
4959 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC((const char*) (__func__)));
4960 goto fail;
4961 }
4962 ssl_print_string("key expansion", &key_block);
4963
4964 ptr=key_block.data;
4965 /* client/server write MAC key (for non-AEAD ciphers) */
4966 if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
4967 c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4968 s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4969 }
4970 /* client/server write encryption key */
4971 c_wk=ptr; ptr += encr_key_len;
4972 s_wk=ptr; ptr += encr_key_len;
4973 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
4974 if (write_iv_len > 0) {
4975 c_iv=ptr; ptr += write_iv_len;
4976 s_iv=ptr; /* ptr += write_iv_len; */
4977 }
4978
4979 /* export ciphers work with a smaller key length */
4980 if (is_export_cipher) {
4981 if (cipher_suite->mode == MODE_CBC) {
4982
4983 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
4984 all we should need. This is a sanity check */
4985 if (write_iv_len > MAX_BLOCK_SIZE16) {
4986 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
4987 G_STRFUNC((const char*) (__func__)), MAX_BLOCK_SIZE16, write_iv_len);
4988 goto fail;
4989 }
4990
4991 if(ssl_session->session.version==SSLV3_VERSION0x300){
4992 /* The length of these fields are ignored by this caller */
4993 StringInfo iv_c, iv_s;
4994 iv_c.data = _iv_c;
4995 iv_s.data = _iv_s;
4996
4997 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC((const char*) (__func__)));
4998 if (!ssl3_generate_export_iv(&ssl_session->client_random,
4999 &ssl_session->server_random, &iv_c, write_iv_len)) {
5000 goto fail;
5001 }
5002 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC((const char*) (__func__)));
5003 if (!ssl3_generate_export_iv(&ssl_session->server_random,
5004 &ssl_session->client_random, &iv_s, write_iv_len)) {
5005 goto fail;
5006 }
5007 }
5008 else{
5009 uint8_t _iv_block[MAX_BLOCK_SIZE16 * 2];
5010 StringInfo iv_block;
5011 StringInfo key_null;
5012 uint8_t _key_null;
5013
5014 key_null.data = &_key_null;
5015 key_null.data_len = 0;
5016
5017 iv_block.data = _iv_block;
5018
5019 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC((const char*) (__func__)));
5020 if (!prf(ssl_session, &key_null, "IV block",
5021 &ssl_session->client_random,
5022 &ssl_session->server_random, &iv_block,
5023 write_iv_len * 2)) {
5024 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC((const char*) (__func__)));
5025 goto fail;
5026 }
5027
5028 memcpy(_iv_c, iv_block.data, write_iv_len);
5029 memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
5030 }
5031
5032 c_iv=_iv_c;
5033 s_iv=_iv_s;
5034 }
5035
5036 if (ssl_session->session.version==SSLV3_VERSION0x300){
5037
5038 SSL_MD5_CTXgcry_md_hd_t md5;
5039 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC((const char*) (__func__)));
5040
5041 if (ssl_md5_init(&md5) != 0)
5042 goto fail;
5043 ssl_md5_update(&md5,c_wk,encr_key_len);
5044 ssl_md5_update(&md5,ssl_session->client_random.data,
5045 ssl_session->client_random.data_len);
5046 ssl_md5_update(&md5,ssl_session->server_random.data,
5047 ssl_session->server_random.data_len);
5048 ssl_md5_final(_key_c,&md5);
5049 ssl_md5_cleanup(&md5);
5050 c_wk=_key_c;
5051
5052 if (ssl_md5_init(&md5) != 0)
5053 goto fail;
5054 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC((const char*) (__func__)));
5055 ssl_md5_update(&md5,s_wk,encr_key_len);
5056 ssl_md5_update(&md5,ssl_session->server_random.data,
5057 ssl_session->server_random.data_len);
5058 ssl_md5_update(&md5,ssl_session->client_random.data,
5059 ssl_session->client_random.data_len);
5060 ssl_md5_final(_key_s,&md5);
5061 ssl_md5_cleanup(&md5);
5062 s_wk=_key_s;
5063 }
5064 else{
5065 StringInfo key_c, key_s, k;
5066 key_c.data = _key_c;
5067 key_s.data = _key_s;
5068
5069 k.data = c_wk;
5070 k.data_len = encr_key_len;
5071 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC((const char*) (__func__)));
5072 if (!prf(ssl_session, &k, "client write key",
5073 &ssl_session->client_random,
5074 &ssl_session->server_random, &key_c, sizeof(_key_c))) {
5075 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC((const char*) (__func__)));
5076 goto fail;
5077 }
5078 c_wk=_key_c;
5079
5080 k.data = s_wk;
5081 k.data_len = encr_key_len;
5082 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC((const char*) (__func__)));
5083 if (!prf(ssl_session, &k, "server write key",
5084 &ssl_session->client_random,
5085 &ssl_session->server_random, &key_s, sizeof(_key_s))) {
5086 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC((const char*) (__func__)));
5087 goto fail;
5088 }
5089 s_wk=_key_s;
5090 }
5091 }
5092
5093 /* show key material info */
5094 if (c_mk != NULL((void*)0)) {
5095 ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5096 ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5097 }
5098 ssl_print_data("Client Write key", c_wk, encr_key_len);
5099 ssl_print_data("Server Write key", s_wk, encr_key_len);
5100 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
5101 if (write_iv_len > 0) {
5102 ssl_print_data("Client Write IV", c_iv, write_iv_len);
5103 ssl_print_data("Server Write IV", s_iv, write_iv_len);
5104 }
5105
5106create_decoders:
5107 /* create both client and server ciphers*/
5108 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC((const char*) (__func__)));
5109 ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL((void*)0), c_iv, write_iv_len);
5110 if (!ssl_session->client_new) {
5111 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC((const char*) (__func__)));
5112 goto fail;
5113 }
5114 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC((const char*) (__func__)));
5115 ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL((void*)0), s_iv, write_iv_len);
5116 if (!ssl_session->server_new) {
5117 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC((const char*) (__func__)));
5118 goto fail;
5119 }
5120
5121 /* Continue the SSL stream after renegotiation with new keys. */
5122 ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5123 ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5124
5125 ssl_debug_printf("%s: client seq %" PRIu64"l" "u" ", server seq %" PRIu64"l" "u" "\n",
5126 G_STRFUNC((const char*) (__func__)), ssl_session->client_new->seq, ssl_session->server_new->seq);
5127 g_free(key_block.data);
5128 ssl_session->state |= SSL_HAVE_SESSION_KEY(1<<3);
5129 return 0;
5130
5131fail:
5132 g_free(key_block.data);
5133 return -1;
5134}
5135
5136/* Generated the key material based on the given secret. */
5137bool_Bool
5138tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool_Bool is_from_server)
5139{
5140 bool_Bool success = false0;
5141 unsigned char *write_key = NULL((void*)0), *write_iv = NULL((void*)0);
5142 unsigned char *sn_key = NULL((void*)0);
5143 SslDecoder *decoder;
5144 unsigned key_length, iv_length;
5145 int hash_algo;
5146 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
5147 int cipher_algo;
5148
5149 if ((ssl_session->session.version != TLSV1DOT3_VERSION0x304) && (ssl_session->session.version != DTLSV1DOT3_VERSION0xfefc)) {
5150 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC((const char*) (__func__)),
5151 ssl_session->session.version);
5152 return false0;
5153 }
5154
5155 if (cipher_suite == NULL((void*)0)) {
5156 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC((const char*) (__func__)));
5157 return false0;
5158 }
5159
5160 if (cipher_suite->kex != KEX_TLS130x23) {
5161 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC((const char*) (__func__)), cipher_suite->number);
5162 return false0;
5163 }
5164
5165 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
5166 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
5167 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5168 cipher_algo = ssl_get_cipher_by_name(cipher_name);
5169 if (cipher_algo == 0) {
5170 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5171 return false0;
5172 }
5173
5174 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
5175 hash_algo = ssl_get_digest_by_name(hash_name);
5176 if (!hash_algo) {
5177 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), hash_name);
5178 return false0;
5179 }
5180
5181 key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
5182 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
5183 iv_length = 12;
5184 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC((const char*) (__func__)), key_length, iv_length);
5185
5186 const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
5187 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
5188 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5189 return false0;
5190 }
5191 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
5192 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC((const char*) (__func__)));
5193 goto end;
5194 }
5195
5196 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5197 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
5198 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5199 goto end;
5200 }
5201 }
5202
5203 ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
5204 ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
5205 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5206 ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
5207 }
5208
5209 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5210 decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL((void*)0), write_key, sn_key, write_iv, iv_length);
5211 if (!decoder) {
5212 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5213 goto end;
5214 }
5215
5216 /* Continue the TLS session with new keys, but reuse old flow to keep things
5217 * like "Follow TLS" working (by linking application data records). */
5218 if (is_from_server) {
5219 decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5220 ssl_session->server = decoder;
5221 } else {
5222 decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5223 ssl_session->client = decoder;
5224 }
5225 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC((const char*) (__func__)),
5226 is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
5227 success = true1;
5228
5229end:
5230 wmem_free(NULL((void*)0), write_key);
5231 wmem_free(NULL((void*)0), write_iv);
5232 if (sn_key)
5233 wmem_free(NULL((void*)0), sn_key);
5234 return success;
5235}
5236/* (Pre-)master secrets calculations }}} */
5237
5238#ifdef HAVE_LIBGNUTLS1
5239/* Decrypt RSA pre-master secret using RSA private key. {{{ */
5240static bool_Bool
5241ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
5242 StringInfo *encrypted_pre_master, GHashTable *key_hash)
5243{
5244 int ret;
5245
5246 if (!encrypted_pre_master)
5247 return false0;
5248
5249 if (KEX_IS_DH(ssl_session->cipher_suite->kex)((ssl_session->cipher_suite->kex) >= 0x10 &&
(ssl_session->cipher_suite->kex) <= 0x1b)) {
5250 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
5251 "(cipher suite 0x%04X %s) and cannot be decrypted "
5252 "using a RSA private key file.\n",
5253 G_STRFUNC((const char*) (__func__)), ssl_session->session.cipher,
5254 val_to_str_ext_const(ssl_session->session.cipher,
5255 &ssl_31_ciphersuite_ext, "unknown"));
5256 return false0;
5257 } else if (ssl_session->cipher_suite->kex != KEX_RSA0x1e) {
5258 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
5259 G_STRFUNC((const char*) (__func__)), ssl_session->cipher_suite->kex, KEX_RSA0x1e);
5260 return false0;
5261 }
5262
5263 gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);
5264
5265 ssl_print_string("pre master encrypted", encrypted_pre_master);
5266 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC((const char*) (__func__)));
5267 const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
5268 gnutls_datum_t pms = { 0 };
5269 if (pk) {
5270 // Try to decrypt using the RSA keys table from (D)TLS preferences.
5271 ret = gnutls_privkey_decrypt_data(pk, 0, &epms, &pms);
5272 } else {
5273 // Try to decrypt using a hardware token.
5274 ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
5275 }
5276 if (ret < 0) {
5277 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC((const char*) (__func__)), ret, gnutls_strerror(ret));
5278 return false0;
5279 }
5280
5281 if (pms.size != 48) {
5282 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
5283 G_STRFUNC((const char*) (__func__)), pms.size, 48);
5284 if (pk) {
5285 gnutls_free(pms.data);
5286 } else {
5287 g_free(pms.data);
5288 }
5289 return false0;
5290 }
5291
5292 ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
5293 ssl_session->pre_master_secret.data_len = 48;
5294 if (pk) {
5295 gnutls_free(pms.data);
5296 } else {
5297 g_free(pms.data);
5298 }
5299 ssl_print_string("pre master secret", &ssl_session->pre_master_secret);
5300
5301 /* Remove the master secret if it was there.
5302 This forces keying material regeneration in
5303 case we're renegotiating */
5304 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
5305 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
5306 return true1;
5307} /* }}} */
5308#endif /* HAVE_LIBGNUTLS */
5309
5310/* Decryption integrity check {{{ */
5311
5312static int
5313tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
5314 uint32_t datalen, uint8_t* mac)
5315{
5316 SSL_HMACgcry_md_hd_t hm;
5317 int md;
5318 uint32_t len;
5319 uint8_t buf[DIGEST_MAX_SIZE48];
5320 int16_t temp;
5321
5322 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5323 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
5324 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5325
5326 if (ssl_hmac_init(&hm,md) != 0)
5327 return -1;
5328 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5329 return -1;
5330
5331 /* hash sequence number */
5332 phtonu64(buf, decoder->seq);
5333
5334 decoder->seq++;
5335
5336 ssl_hmac_update(&hm,buf,8);
5337
5338 /* hash content type */
5339 buf[0]=ct;
5340 ssl_hmac_update(&hm,buf,1);
5341
5342 /* hash version,data length and data*/
5343 /* *((int16_t*)buf) = g_htons(ver); */
5344 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5345 memcpy(buf, &temp, 2);
5346 ssl_hmac_update(&hm,buf,2);
5347
5348 /* *((int16_t*)buf) = g_htons(datalen); */
5349 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5350 memcpy(buf, &temp, 2);
5351 ssl_hmac_update(&hm,buf,2);
5352 ssl_hmac_update(&hm,data,datalen);
5353
5354 /* get digest and digest len*/
5355 len = sizeof(buf);
5356 ssl_hmac_final(&hm,buf,&len);
5357 ssl_hmac_cleanup(&hm);
5358 ssl_print_data("Mac", buf, len);
5359 if(memcmp(mac,buf,len))
5360 return -1;
5361
5362 return 0;
5363}
5364
5365static int
5366ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
5367 uint32_t datalen, uint8_t* mac)
5368{
5369 SSL_MDgcry_md_hd_t mc;
5370 int md;
5371 uint32_t len;
5372 uint8_t buf[64],dgst[20];
5373 int pad_ct;
5374 int16_t temp;
5375
5376 pad_ct=(decoder->cipher_suite->dig==DIG_SHA0x41)?40:48;
5377
5378 /* get cipher used for digest computation */
5379 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5380 if (ssl_md_init(&mc,md) !=0)
5381 return -1;
5382
5383 /* do hash computation on data && padding */
5384 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5385
5386 /* hash padding*/
5387 memset(buf,0x36,pad_ct);
5388 ssl_md_update(&mc,buf,pad_ct);
5389
5390 /* hash sequence number */
5391 phtonu64(buf, decoder->seq);
5392 decoder->seq++;
5393 ssl_md_update(&mc,buf,8);
5394
5395 /* hash content type */
5396 buf[0]=ct;
5397 ssl_md_update(&mc,buf,1);
5398
5399 /* hash data length in network byte order and data*/
5400 /* *((int16_t* )buf) = g_htons(datalen); */
5401 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5402 memcpy(buf, &temp, 2);
5403 ssl_md_update(&mc,buf,2);
5404 ssl_md_update(&mc,data,datalen);
5405
5406 /* get partial digest */
5407 ssl_md_final(&mc,dgst,&len);
5408 ssl_md_reset(&mc);
5409
5410 /* hash mac key */
5411 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5412
5413 /* hash padding and partial digest*/
5414 memset(buf,0x5c,pad_ct);
5415 ssl_md_update(&mc,buf,pad_ct);
5416 ssl_md_update(&mc,dgst,len);
5417
5418 ssl_md_final(&mc,dgst,&len);
5419 ssl_md_cleanup(&mc);
5420
5421 if(memcmp(mac,dgst,len))
5422 return -1;
5423
5424 return 0;
5425}
5426
5427static int
5428dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
5429 uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
5430{
5431 SSL_HMACgcry_md_hd_t hm;
5432 int md;
5433 uint32_t len;
5434 uint8_t buf[DIGEST_MAX_SIZE48];
5435 int16_t temp;
5436
5437 int ver = ssl->session.version;
5438 bool_Bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION0xfefd));
5439
5440 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5441 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
5442 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5443
5444 if (ssl_hmac_init(&hm,md) != 0)
5445 return -1;
5446 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5447 return -1;
5448
5449 ssl_debug_printf("dtls_check_mac seq: %" PRIu64"l" "u" " epoch: %d\n",decoder->seq,decoder->epoch);
5450
5451 if (is_cid && !ssl->session.deprecated_cid) {
5452 /* hash seq num placeholder */
5453 memset(buf,0xFF,8);
5454 ssl_hmac_update(&hm,buf,8);
5455
5456 /* hash content type + cid length + content type */
5457 buf[0]=ct;
5458 buf[1]=cidl;
5459 buf[2]=ct;
5460 ssl_hmac_update(&hm,buf,3);
5461
5462 /* hash version */
5463 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5464 memcpy(buf, &temp, 2);
5465 ssl_hmac_update(&hm,buf,2);
5466
5467 /* hash sequence number */
5468 phtonu64(buf, decoder->seq);
5469 buf[0]=decoder->epoch>>8;
5470 buf[1]=(uint8_t)decoder->epoch;
5471 ssl_hmac_update(&hm,buf,8);
5472
5473 /* hash cid */
5474 ssl_hmac_update(&hm,cid,cidl);
5475 } else {
5476 /* hash sequence number */
5477 phtonu64(buf, decoder->seq);
5478 buf[0]=decoder->epoch>>8;
5479 buf[1]=(uint8_t)decoder->epoch;
5480 ssl_hmac_update(&hm,buf,8);
5481
5482 /* hash content type */
5483 buf[0]=ct;
5484 ssl_hmac_update(&hm,buf,1);
5485
5486 /* hash version */
5487 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5488 memcpy(buf, &temp, 2);
5489 ssl_hmac_update(&hm,buf,2);
5490
5491 if (is_cid && ssl->session.deprecated_cid) {
5492 /* hash cid */
5493 ssl_hmac_update(&hm,cid,cidl);
5494
5495 /* hash cid length */
5496 buf[0] = cidl;
5497 ssl_hmac_update(&hm,buf,1);
5498 }
5499 }
5500
5501 /* data length and data */
5502 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5503 memcpy(buf, &temp, 2);
5504 ssl_hmac_update(&hm,buf,2);
5505 ssl_hmac_update(&hm,data,datalen);
5506
5507 /* get digest and digest len */
5508 len = sizeof(buf);
5509 ssl_hmac_final(&hm,buf,&len);
5510 ssl_hmac_cleanup(&hm);
5511 ssl_print_data("Mac", buf, len);
5512 if(memcmp(mac,buf,len))
5513 return -1;
5514
5515 return 0;
5516}
5517/* Decryption integrity check }}} */
5518
5519
5520static bool_Bool
5521tls_decrypt_aead_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder,
5522 uint8_t ct, uint16_t record_version,
5523 bool_Bool ignore_mac_failed,
5524 const unsigned char *in, uint16_t inl,
5525 const unsigned char *cid, uint8_t cidl,
5526 StringInfo *out_str, unsigned *outl)
5527{
5528 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5529 * GenericAEADCipher: { nonce_explicit, [content] }
5530 * In TLS 1.3 this explicit nonce is gone.
5531 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5532 * ciphertext and authentication tag.
5533 */
5534 const uint16_t version = ssl->session.version;
5535 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
5536 gcry_error_t err;
5537 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
5538 unsigned ciphertext_len, auth_tag_len;
5539 unsigned char nonce[12];
5540 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5541 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
5542 const uint8_t draft_version = ssl->session.tls13_draft_version;
5543 const unsigned char *auth_tag_wire;
5544 unsigned char auth_tag_calc[16];
5545 unsigned char *aad = NULL((void*)0);
5546 unsigned aad_len = 0;
5547
5548 switch (cipher_mode) {
5549 case MODE_GCM:
5550 case MODE_CCM:
5551 case MODE_POLY1305:
5552 auth_tag_len = 16;
5553 break;
5554 case MODE_CCM_8:
5555 auth_tag_len = 8;
5556 break;
5557 default:
5558 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
5559 return false0;
5560 }
5561
5562 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5563 if (is_v12 && cipher_mode != MODE_POLY1305) {
5564 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
5565 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5566 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
5567 return false0;
5568 }
5569 explicit_nonce = in;
5570 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
5571 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
5572 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5573 if (inl < auth_tag_len) {
5574 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
5575 return false0;
5576 }
5577 ciphertext = in;
5578 ciphertext_len = inl - auth_tag_len;
5579 } else {
5580 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
5581 return false0;
5582 }
5583 auth_tag_wire = ciphertext + ciphertext_len;
5584
5585 /*
5586 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5587 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5588 */
5589 if (is_v12 && cipher_mode != MODE_POLY1305) {
5590 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5590, "decoder->write_iv.data_len == 4"))));
5591 /* Implicit (4) and explicit (8) part of nonce. */
5592 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
5593 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
5594
5595 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5596 /*
5597 * Technically the nonce length must be at least 8 bytes, but for
5598 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5599 */
5600 const unsigned nonce_len = 12;
5601 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5601, "decoder->write_iv.data_len == nonce_len"
))));
5602 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5603 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5604 phtonu64(nonce + nonce_len - 8, pntohu64(nonce + nonce_len - 8) ^ decoder->seq);
5605 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
5606 }
5607
5608 /* Set nonce and additional authentication data */
5609 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0);
5610 ssl_print_data("nonce", nonce, 12);
5611 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5612 if (err) {
5613 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5614 return false0;
5615 }
5616
5617 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5618 if (is_cid) { /* if connection ID */
5619 if (ssl->session.deprecated_cid) {
5620 aad_len = 14 + cidl;
5621 aad = wmem_alloc(allocator, aad_len);
5622 phtonu64(aad, decoder->seq); /* record sequence number */
5623 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5624 aad[8] = ct; /* TLSCompressed.type */
5625 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5626 memcpy(aad + 11, cid, cidl); /* cid */
5627 aad[11 + cidl] = cidl; /* cid_length */
5628 phtonu16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5629 } else {
5630 aad_len = 23 + cidl;
5631 aad = wmem_alloc(allocator, aad_len);
5632 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5633 aad[8] = ct; /* TLSCompressed.type */
5634 aad[9] = cidl; /* cid_length */
5635 aad[10] = ct; /* TLSCompressed.type */
5636 phtonu16(aad + 11, record_version); /* TLSCompressed.version */
5637 phtonu64(aad + 13, decoder->seq); /* record sequence number */
5638 phtonu16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5639 memcpy(aad + 21, cid, cidl); /* cid */
5640 phtonu16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5641 }
5642 } else if (is_v12) {
5643 aad_len = 13;
5644 aad = wmem_alloc(allocator, aad_len);
5645 phtonu64(aad, decoder->seq); /* record sequence number */
5646 if (version == DTLSV1DOT2_VERSION0xfefd) {
5647 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5648 }
5649 aad[8] = ct; /* TLSCompressed.type */
5650 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5651 phtonu16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5652 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
5653 aad_len = decoder->dtls13_aad.data_len;
5654 aad = decoder->dtls13_aad.data;
5655 } else if (draft_version >= 25 || draft_version == 0) {
5656 aad_len = 5;
5657 aad = wmem_alloc(allocator, aad_len);
5658 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5659 phtonu16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5660 phtonu16(aad + 3, inl); /* TLSCiphertext.length */
5661 }
5662
5663 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5664 /* size of plaintext, additional authenticated data and auth tag. */
5665 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5666
5667 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5668 }
5669
5670 if (aad && aad_len > 0) {
5671 ssl_print_data("AAD", aad, aad_len);
5672 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5673 if (err) {
5674 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5675 return false0;
5676 }
5677 }
5678
5679 /* Decrypt now that nonce and AAD are set. */
5680 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5681 if (err) {
5682 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5683 return false0;
5684 }
5685
5686 /* Check authentication tag for authenticity (replaces MAC) */
5687 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5688 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5689 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5690 } else {
5691 if (err) {
5692 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5693 } else {
5694 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
5695 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5696 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5697 }
5698 if (ignore_mac_failed) {
5699 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
5700 } else {
5701 return false0;
5702 }
5703 }
5704
5705 /*
5706 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5707 * after successful authentication to ensure that early data is skipped when
5708 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5709 */
5710 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
5711 decoder->seq++;
5712 }
5713
5714 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5715 *outl = ciphertext_len;
5716 return true1;
5717}
5718
5719/* Record decryption glue based on security parameters {{{ */
5720/* Assume that we are called only for a non-NULL decoder which also means that
5721 * we have a non-NULL decoder->cipher_suite. */
5722int
5723ssl_decrypt_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
5724 bool_Bool ignore_mac_failed,
5725 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
5726 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
5727{
5728 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
5729 uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);
5730
5731 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
5732 ssl_print_data("Ciphertext",in, inl);
5733
5734 if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))
5735 != (decoder->cipher_suite->kex == KEX_TLS130x23)) {
5736 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));
5737 return -1;
5738 }
5739
5740 /* ensure we have enough storage space for decrypted data */
5741 if (inl > out_str->data_len)
5742 {
5743 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
5744 inl + 32, out_str->data_len);
5745 ssl_data_realloc(out_str, inl + 32);
5746 }
5747
5748 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
5749 * a separate MAC, so use a different routine for simplicity. */
5750 if (decoder->cipher_suite->mode == MODE_GCM ||
5751 decoder->cipher_suite->mode == MODE_CCM ||
5752 decoder->cipher_suite->mode == MODE_CCM_8 ||
5753 decoder->cipher_suite->mode == MODE_POLY1305 ||
5754 ssl->session.version == TLSV1DOT3_VERSION0x304 ||
5755 ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {
5756
5757 if (!tls_decrypt_aead_record(allocator, ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
5758 /* decryption failed */
5759 return -1;
5760 }
5761
5762 goto skip_mac;
5763 }
5764
5765 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
5766 * (notation: { unencrypted, [ encrypted ] })
5767 * GenericStreamCipher: { [content, mac] }
5768 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
5769 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
5770 * GenericAEADCipher: { nonce_explicit, [content] }
5771 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
5772 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
5773 */
5774
5775 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;
5776
5777 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
5778 if (decoder->cipher_suite->mode == MODE_CBC) {
5779 unsigned blocksize = 0;
5780
5781 switch (ssl->session.version) {
5782 case TLSV1DOT1_VERSION0x302:
5783 case TLSV1DOT2_VERSION0x303:
5784 case DTLSV1DOT0_VERSION0xfeff:
5785 case DTLSV1DOT2_VERSION0xfefd:
5786 case DTLSV1DOT3_VERSION0xfefc:
5787 case DTLSV1DOT0_OPENSSL_VERSION0x100:
5788 case TLCPV1_VERSION0x101:
5789 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
5790 if (inl < blocksize) {
5791 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
5792 inl, blocksize);
5793 return -1;
5794 }
5795 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
5796 if (pad != 0) {
5797 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
5798 gcry_strsource (pad), gcry_strerror (pad));
5799 }
5800
5801 inl -= blocksize;
5802 in += blocksize;
5803 break;
5804 }
5805
5806 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5807 if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {
5808 /*
5809 * MAC is calculated over (IV + ) ENCRYPTED contents:
5810 *
5811 * MAC(MAC_write_key, ... +
5812 * IV + // for TLS 1.1 or greater
5813 * TLSCiphertext.enc_content);
5814 */
5815 if (inl < maclen) {
5816 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5817 G_STRFUNC((const char*) (__func__)), inl, maclen);
5818 return -1;
5819 }
5820 inl -= maclen;
5821 mac = (uint8_t *)in + inl;
5822 mac_frag = (uint8_t *)in - blocksize;
5823 mac_fraglen = blocksize + inl;
5824 }
5825 }
5826
5827 /* First decrypt*/
5828 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
5829 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
5830 gcry_strerror (pad));
5831 return -1;
5832 }
5833
5834 ssl_print_data("Plaintext", out_str->data, inl);
5835 worklen=inl;
5836
5837
5838 /* strip padding for GenericBlockCipher */
5839 if (decoder->cipher_suite->mode == MODE_CBC) {
5840 if (inl < 1) { /* Should this check happen earlier? */
5841 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
5842 return -1;
5843 }
5844 pad=out_str->data[inl-1];
5845 if (worklen <= pad) {
5846 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5847 pad, worklen);
5848 return -1;
5849 }
5850 worklen-=(pad+1);
5851 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5852 pad, worklen);
5853 }
5854
5855 /* MAC for GenericStreamCipher and GenericBlockCipher.
5856 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5857 if (!mac) {
5858 /*
5859 * MAC is calculated over the DECRYPTED contents:
5860 *
5861 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5862 */
5863 if (worklen < maclen) {
5864 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);
5865 return -1;
5866 }
5867 worklen -= maclen;
5868 mac = out_str->data + worklen;
5869 mac_frag = out_str->data;
5870 mac_fraglen = worklen;
5871 }
5872
5873 /* If NULL encryption active and no keys are available, do not bother
5874 * checking the MAC. We do not have keys for that. */
5875 if (decoder->cipher_suite->mode == MODE_STREAM &&
5876 decoder->cipher_suite->enc == ENC_NULL0x3D &&
5877 !(ssl->state & SSL_MASTER_SECRET(1<<5))) {
5878 ssl_debug_printf("MAC check skipped due to missing keys\n");
5879 decoder->seq++; // Increment this for display
5880 goto skip_mac;
5881 }
5882
5883 /* Now check the MAC */
5884 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",
5885 worklen, ssl->session.version, ct, decoder->seq);
5886 if(ssl->session.version==SSLV3_VERSION0x300){
5887 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
5888 if(ignore_mac_failed) {
5889 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5890 }
5891 else{
5892 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5893 return -1;
5894 }
5895 }
5896 else{
5897 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5898 }
5899 }
5900 else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){
5901 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
5902 if(ignore_mac_failed) {
5903 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5904 }
5905 else{
5906 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5907 return -1;
5908 }
5909 }
5910 else{
5911 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5912 }
5913 }
5914 else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||
5915 ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||
5916 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){
5917 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5918 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
5919 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5920 }
5921 else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {
5922 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5923 }
5924 else if(ignore_mac_failed) {
5925 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5926 }
5927 else{
5928 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5929 return -1;
5930 }
5931 }
5932skip_mac:
5933
5934 *outl = worklen;
5935
5936 if (decoder->compression > 0) {
5937 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
5938 ssl_data_copy(comp_str, out_str);
5939 ssl_print_data("Plaintext compressed", comp_str->data, worklen);
5940 if (!decoder->decomp) {
5941 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
5942 return -1;
5943 }
5944 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
5945 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
5946 *outl = uncomplen;
5947 }
5948
5949 return 0;
5950}
5951/* Record decryption glue based on security parameters }}} */
5952
5953
5954
5955#ifdef HAVE_LIBGNUTLS1
5956
5957/* RSA private key file processing {{{ */
5958static void
5959ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
5960 gnutls_datum_t *subjectPublicKeyInfo)
5961{
5962 gnutls_pubkey_t pubkey = NULL((void*)0);
5963 cert_key_id_t key_id;
5964 size_t key_id_len = sizeof(key_id);
5965 int r;
5966
5967 if (!subjectPublicKeyInfo->size) {
5968 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC((const char*) (__func__)));
5969 return;
5970 }
5971
5972 r = gnutls_pubkey_init(&pubkey);
5973 if (r < 0) {
5974 ssl_debug_printf("%s: failed to init pubkey: %s\n",
5975 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5976 return;
5977 }
5978
5979 r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
5980 if (r < 0) {
5981 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
5982 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5983 goto end;
5984 }
5985
5986 if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL((void*)0)) != GNUTLS_PK_RSA) {
5987 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC((const char*) (__func__)));
5988 goto end;
5989 }
5990
5991 /* Generate a 20-byte SHA-1 hash. */
5992 r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
5993 if (r < 0) {
5994 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
5995 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5996 goto end;
5997 }
5998
5999 if (key_id_len != sizeof(key_id)) {
6000 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
6001 G_STRFUNC((const char*) (__func__)), sizeof(key_id), key_id_len);
6002 goto end;
6003 }
6004
6005 ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
6006 ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t)((cert_key_id_t*)wmem_alloc((wmem_file_scope()), sizeof(cert_key_id_t
)));
6007 *ssl->cert_key_id = key_id;
6008
6009end:
6010 gnutls_pubkey_deinit(pubkey);
6011}
6012
6013/* RSA private key file processing }}} */
6014#endif /* HAVE_LIBGNUTLS */
6015
6016/*--- Start of dissector-related code below ---*/
6017
6018/* This is not a "protocol" but ensures that this gets called during
6019 * the handoff stage. */
6020void proto_reg_handoff_tls_utils(void);
6021
6022static dissector_handle_t base_tls_handle;
6023static dissector_handle_t dtls_handle;
6024
6025void
6026proto_reg_handoff_tls_utils(void)
6027{
6028 base_tls_handle = find_dissector("tls");
6029 dtls_handle = find_dissector("dtls");
6030}
6031
6032/* get ssl data for this session. if no ssl data is found allocate a new one*/
6033SslDecryptSession *
6034ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle)
6035{
6036 void *conv_data;
6037 SslDecryptSession *ssl_session;
6038 int proto_ssl;
6039
6040 /* Note proto_ssl is tls for either the main tls_handle or the
6041 * tls13_handshake handle used by QUIC. */
6042 proto_ssl = dissector_handle_get_protocol_index(tls_handle);
6043 conv_data = conversation_get_proto_data(conversation, proto_ssl);
6044 if (conv_data != NULL((void*)0))
6045 return (SslDecryptSession *)conv_data;
6046
6047 /* no previous SSL conversation info, initialize it. */
6048 ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession)((SslDecryptSession*)wmem_alloc0((wmem_file_scope()), sizeof(
SslDecryptSession)));
6049
6050 /* data_len is the part that is meaningful, not the allocated length */
6051 ssl_session->master_secret.data_len = 0;
6052 ssl_session->master_secret.data = ssl_session->_master_secret;
6053 ssl_session->session_id.data_len = 0;
6054 ssl_session->session_id.data = ssl_session->_session_id;
6055 ssl_session->client_random.data_len = 0;
6056 ssl_session->client_random.data = ssl_session->_client_random;
6057 ssl_session->server_random.data_len = 0;
6058 ssl_session->server_random.data = ssl_session->_server_random;
6059 ssl_session->session_ticket.data_len = 0;
6060 ssl_session->session_ticket.data = NULL((void*)0); /* will be re-alloced as needed */
6061 ssl_session->server_data_for_iv.data_len = 0;
6062 ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
6063 ssl_session->client_data_for_iv.data_len = 0;
6064 ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
6065 ssl_session->app_data_segment.data = NULL((void*)0);
6066 ssl_session->app_data_segment.data_len = 0;
6067 ssl_session->handshake_data.data=NULL((void*)0);
6068 ssl_session->handshake_data.data_len=0;
6069 ssl_session->ech_transcript.data=NULL((void*)0);
6070 ssl_session->ech_transcript.data_len=0;
6071
6072 /* Initialize parameters which are not necessary specific to decryption. */
6073 ssl_session->session.version = SSL_VER_UNKNOWN0;
6074 clear_address(&ssl_session->session.srv_addr);
6075 ssl_session->session.srv_ptype = PT_NONE;
6076 ssl_session->session.srv_port = 0;
6077 ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
6078 ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
6079 ssl_session->session.client_random.data_len = 0;
6080 ssl_session->session.client_random.data = ssl_session->session._client_random;
6081 memset(ssl_session->session.ech_confirmation, 0, sizeof(ssl_session->session.ech_confirmation));
6082 memset(ssl_session->session.hrr_ech_confirmation, 0, sizeof(ssl_session->session.hrr_ech_confirmation));
6083 memset(ssl_session->session.first_ech_auth_tag, 0, sizeof(ssl_session->session.first_ech_auth_tag));
6084 ssl_session->session.ech = false0;
6085 ssl_session->session.hrr_ech_declined = false0;
6086 ssl_session->session.first_ch_ech_frame = 0;
6087
6088 /* We want to increment the stream count for the normal tls handle and
6089 * dtls handle, but presumably not for the tls13_handshake handle used
6090 * by QUIC (it has its own Follow Stream handling, and the QUIC stream
6091 * doesn't get sent to the TLS follow tap.)
6092 */
6093 if (tls_handle == base_tls_handle) {
6094 ssl_session->session.stream = tls_increment_stream_count();
6095 } else if (tls_handle == dtls_handle) {
6096 ssl_session->session.stream = dtls_increment_stream_count();
6097 }
6098
6099 conversation_add_proto_data(conversation, proto_ssl, ssl_session);
6100 return ssl_session;
6101}
6102
6103void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool_Bool is_client)
6104{
6105 if (ssl) {
6106 /* Ensure that secrets are not restored using stale identifiers. Split
6107 * between client and server in case the packets somehow got out of order. */
6108 int clear_flags = SSL_HAVE_SESSION_KEY(1<<3) | SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
6109
6110 if (is_client) {
6111 clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
6112 ssl->session_id.data_len = 0;
6113 ssl->session_ticket.data_len = 0;
6114 ssl->master_secret.data_len = 0;
6115 ssl->client_random.data_len = 0;
6116 ssl->has_early_data = false0;
6117 if (ssl->handshake_data.data_len > 0) {
6118 // The EMS handshake hash starts with at the Client Hello,
6119 // ensure that any messages before it are forgotten.
6120 wmem_free(wmem_file_scope(), ssl->handshake_data.data);
6121 ssl->handshake_data.data = NULL((void*)0);
6122 ssl->handshake_data.data_len = 0;
6123 }
6124 } else {
6125 clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8) | SSL_NEW_SESSION_TICKET(1<<10);
6126 ssl->server_random.data_len = 0;
6127 ssl->pre_master_secret.data_len = 0;
6128#ifdef HAVE_LIBGNUTLS1
6129 ssl->cert_key_id = NULL((void*)0);
6130#endif
6131 ssl->psk.data_len = 0;
6132 }
6133
6134 if (ssl->state & clear_flags) {
6135 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
6136 G_STRFUNC((const char*) (__func__)), ssl->state & clear_flags, is_client ? "client" : "server");
6137 ssl->state &= ~clear_flags;
6138 }
6139 }
6140
6141 /* These flags might be used for non-decryption purposes and may affect the
6142 * dissection, so reset them as well. */
6143 if (is_client) {
6144 session->client_cert_type = 0;
6145 } else {
6146 session->compression = 0;
6147 session->server_cert_type = 0;
6148 /* session->is_session_resumed is already handled in the ServerHello dissection. */
6149 }
6150 session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
6151 session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
6152}
6153
6154void
6155tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
6156 dissector_handle_t app_handle)
6157{
6158 conversation_t *conversation;
6159 SslSession *session;
6160
6161 /* Ignore if the TLS or other dissector is disabled. */
6162 if (!tls_handle || !app_handle)
6163 return;
6164
6165 conversation = find_or_create_conversation(pinfo);
6166 session = &ssl_get_session(conversation, tls_handle)->session;
6167 session->app_handle = app_handle;
6168}
6169
6170static uint32_t
6171ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
6172 dissector_handle_t app_handle, uint32_t last_nontls_frame)
6173{
6174 conversation_t *conversation;
6175 SslSession *session;
6176
6177 /* Ignore if the TLS dissector is disabled. */
6178 if (!tls_handle)
6179 return 0;
6180 /* The caller should always pass a valid handle to its own dissector. */
6181 DISSECTOR_ASSERT(app_handle)((void) ((app_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6181, "app_handle"))));
6182
6183 conversation = find_or_create_conversation(pinfo);
6184 session = &ssl_get_session(conversation, tls_handle)->session;
6185
6186 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6187 session->last_nontls_frame,
6188 (void *)session->app_handle,
6189 dissector_handle_get_dissector_name(session->app_handle));
6190 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6191 pinfo->num, (void *)app_handle,
6192 dissector_handle_get_dissector_name(app_handle));
6193
6194 /* Do not switch again if a dissector did it before. */
6195 if (session->last_nontls_frame) {
6196 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC((const char*) (__func__)));
6197 return session->last_nontls_frame;
6198 }
6199
6200 session->app_handle = app_handle;
6201 /* The TLS dissector should be called first for this conversation. */
6202 conversation_set_dissector(conversation, tls_handle);
6203 /* TLS starts after this frame. */
6204 session->last_nontls_frame = last_nontls_frame;
6205 return 0;
6206}
6207
6208/* ssl_starttls_ack: mark future frames as encrypted. */
6209uint32_t
6210ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6211 dissector_handle_t app_handle)
6212{
6213 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);
6214}
6215
6216uint32_t
6217ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6218 dissector_handle_t app_handle)
6219{
6220 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);
6221}
6222
6223dissector_handle_t
6224ssl_find_appdata_dissector(const char *name)
6225{
6226 /* Accept 'http' for backwards compatibility and sanity. */
6227 if (!strcmp(name, "http"))
6228 name = "http-over-tls";
6229 /* XXX - Should this check to see if the dissector is actually added for
6230 * Decode As in the appropriate table?
6231 */
6232 return find_dissector(name);
6233}
6234
6235/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
6236static int
6237ssl_equal (const void *v, const void *v2)
6238{
6239 const StringInfo *val1;
6240 const StringInfo *val2;
6241 val1 = (const StringInfo *)v;
6242 val2 = (const StringInfo *)v2;
6243
6244 if (val1->data_len == val2->data_len &&
6245 !memcmp(val1->data, val2->data, val2->data_len)) {
6246 return 1;
6247 }
6248 return 0;
6249}
6250
6251static unsigned
6252ssl_hash (const void *v)
6253{
6254 unsigned l,hash;
6255 const StringInfo* id;
6256 const unsigned* cur;
6257 hash = 0;
6258 id = (const StringInfo*) v;
6259
6260 /* id and id->data are mallocated in ssl_save_master_key(). As such 'data'
6261 * should be aligned for any kind of access (for example as a unsigned as
6262 * is done below). The intermediate void* cast is to prevent "cast
6263 * increases required alignment of target type" warnings on CPUs (such
6264 * as SPARCs) that do not allow misaligned memory accesses.
6265 */
6266 cur = (const unsigned*)(void*) id->data;
6267
6268 for (l=4; (l < id->data_len); l+=4, cur++)
6269 hash = hash ^ (*cur);
6270
6271 return hash;
6272}
6273/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6274
6275/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6276void
6277ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6278{
6279 DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6279, "main_handle"))));
6280 DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6280, "subdissector_handle"))));
6281 /* Registration is required for Export PDU feature to work properly. */
6282 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6283, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
6283 "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6283, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))));
6284 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);
6285
6286 if (port) {
6287 dissector_add_uint(dissector_table_name, port, subdissector_handle);
6288 if (tcp)
6289 dissector_add_uint("tcp.port", port, main_handle);
6290 else
6291 dissector_add_uint("udp.port", port, main_handle);
6292 dissector_add_uint("sctp.port", port, main_handle);
6293 } else {
6294 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
6295 }
6296}
6297
6298void
6299ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6300{
6301 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
6302 tcp?"TCP":"UDP", port, (void *)subdissector_handle);
6303 if (main_handle) {
6304 dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);
6305 dissector_delete_uint("sctp.port", port, main_handle);
6306 }
6307
6308 if (port) {
6309 dissector_delete_uint(dissector_table_name, port, subdissector_handle);
6310 }
6311}
6312
6313void
6314ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
6315{
6316 copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
6317 session->srv_ptype = ptype;
6318 session->srv_port = port;
6319}
6320
6321int
6322ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
6323{
6324 int ret;
6325 if (session && session->srv_addr.type != AT_NONE) {
6326 ret = (session->srv_ptype == pinfo->ptype) &&
6327 (session->srv_port == pinfo->srcport) &&
6328 addresses_equal(&session->srv_addr, &pinfo->src);
6329 } else {
6330 ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);
6331 }
6332
6333 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");
6334 return ret;
6335}
6336/* Handling of association between tls/dtls ports and clear text protocol. }}} */
6337
6338
6339/* Links SSL records with the real packet data. {{{ */
6340SslPacketInfo *
6341tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
6342{
6343 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6344 if (!pi) {
6345 pi = wmem_new0(wmem_file_scope(), SslPacketInfo)((SslPacketInfo*)wmem_alloc0((wmem_file_scope()), sizeof(SslPacketInfo
)));
6346 pi->srcport = pinfo->srcport;
6347 pi->destport = pinfo->destport;
6348 p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
6349 }
6350
6351 return pi;
6352}
6353
6354/**
6355 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
6356 * avoid the need for a decoder in the second pass. Additionally, it remembers
6357 * sequence numbers (for reassembly and Follow TLS Stream).
6358 *
6359 * @param proto The protocol identifier (proto_ssl or proto_dtls).
6360 * @param pinfo The packet where the record originates from.
6361 * @param plain_data Decrypted plaintext to store in the record.
6362 * @param plain_data_len Total length of the plaintext.
6363 * @param content_len Length of the plaintext section corresponding to the record content.
6364 * @param record_id The identifier for this record within the current packet.
6365 * @param flow Information about sequence numbers, etc.
6366 * @param type TLS Content Type (such as handshake or application_data).
6367 * @param curr_layer_num_ssl The layer identifier for this TLS session.
6368 */
6369void
6370ssl_add_record_info(int proto, packet_info *pinfo,
6371 const unsigned char *plain_data, int plain_data_len, int content_len,
6372 int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl,
6373 uint64_t record_seq)
6374{
6375 SslRecordInfo* rec, **prec;
6376 SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);
6377
6378 ws_assert(content_len <= plain_data_len)do { if ((1) && !(content_len <= plain_data_len)) ws_log_fatal_full
("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c", 6378
, __func__, "assertion failed: %s", "content_len <= plain_data_len"
); } while (0);
6379
6380 rec = wmem_new(wmem_file_scope(), SslRecordInfo)((SslRecordInfo*)wmem_alloc((wmem_file_scope()), sizeof(SslRecordInfo
)));
6381 rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), plain_data, plain_data_len);
6382 rec->plain_data_len = plain_data_len;
6383 rec->content_len = content_len;
6384 rec->id = record_id;
6385 rec->type = type;
6386 rec->next = NULL((void*)0);
6387 rec->record_seq = record_seq;
6388
6389 if (flow && type == SSL_ID_APP_DATA) {
6390 rec->seq = flow->byte_seq;
6391 rec->flow = flow;
6392 flow->byte_seq += content_len;
6393 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
6394 G_STRFUNC((const char*) (__func__)), rec->seq, rec->seq + content_len, (void*)flow);
6395 }
6396
6397 /* Remember decrypted records. */
6398 prec = &pi->records;
6399 while (*prec) prec = &(*prec)->next;
6400 *prec = rec;
6401}
6402
6403/* search in packet data for the specified id; return a newly created tvb for the associated data */
6404tvbuff_t*
6405ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
6406{
6407 SslRecordInfo* rec;
6408 SslPacketInfo* pi;
6409 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6410
6411 if (!pi)
6412 return NULL((void*)0);
6413
6414 for (rec = pi->records; rec; rec = rec->next)
6415 if (rec->id == record_id) {
6416 *matched_record = rec;
6417 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
6418 return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->plain_data_len, rec->plain_data_len);
6419 }
6420
6421 return NULL((void*)0);
6422}
6423/* Links SSL records with the real packet data. }}} */
6424
6425/* initialize/reset per capture state data (ssl sessions cache). {{{ */
6426void
6427ssl_common_init(ssl_master_key_map_t *mk_map,
6428 StringInfo *decrypted_data, StringInfo *compressed_data)
6429{
6430 mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);
6431 mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);
6432 mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);
6433 mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);
6434 mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);
6435 mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);
6436 mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6437 mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6438 mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6439 mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6440 mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6441 mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6442
6443 mk_map->ech_secret = g_hash_table_new(ssl_hash, ssl_equal);
6444 mk_map->ech_config = g_hash_table_new(ssl_hash, ssl_equal);
6445
6446 mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);
6447
6448 ssl_data_alloc(decrypted_data, 32);
6449 ssl_data_alloc(compressed_data, 32);
6450}
6451
6452void
6453ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
6454 StringInfo *decrypted_data, StringInfo *compressed_data)
6455{
6456 g_hash_table_destroy(mk_map->session);
6457 g_hash_table_destroy(mk_map->tickets);
6458 g_hash_table_destroy(mk_map->crandom);
6459 g_hash_table_destroy(mk_map->pre_master);
6460 g_hash_table_destroy(mk_map->pms);
6461 g_hash_table_destroy(mk_map->tls13_client_early);
6462 g_hash_table_destroy(mk_map->tls13_client_handshake);
6463 g_hash_table_destroy(mk_map->tls13_server_handshake);
6464 g_hash_table_destroy(mk_map->tls13_client_appdata);
6465 g_hash_table_destroy(mk_map->tls13_server_appdata);
6466 g_hash_table_destroy(mk_map->tls13_early_exporter);
6467 g_hash_table_destroy(mk_map->tls13_exporter);
6468
6469 g_hash_table_destroy(mk_map->ech_secret);
6470 g_hash_table_destroy(mk_map->ech_config);
6471
6472 g_hash_table_destroy(mk_map->used_crandom);
6473
6474 g_free(decrypted_data->data);
6475 g_free(compressed_data->data);
6476
6477 /* close the previous keylog file now that the cache are cleared, this
6478 * allows the cache to be filled with the full keylog file contents. */
6479 if (*ssl_keylog_file) {
6480 fclose(*ssl_keylog_file);
6481 *ssl_keylog_file = NULL((void*)0);
6482 }
6483}
6484/* }}} */
6485
6486/* parse ssl related preferences (private keys and ports association strings) */
6487#if defined(HAVE_LIBGNUTLS1)
6488/* Load a single RSA key file item from preferences. {{{ */
6489void
6490ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool_Bool tcp)
6491{
6492 gnutls_x509_privkey_t x509_priv_key;
6493 gnutls_privkey_t priv_key = NULL((void*)0);
6494 FILE* fp = NULL((void*)0);
6495 int ret;
6496 size_t key_id_len = 20;
6497 unsigned char *key_id = NULL((void*)0);
6498 char *err = NULL((void*)0);
6499 dissector_handle_t handle;
6500 /* try to load keys file first */
6501 fp = ws_fopenfopen(uats->keyfile, "rb");
6502 if (!fp) {
6503 report_open_failure(uats->keyfile, errno(*__errno_location ()), false0);
6504 return;
6505 }
6506
6507 if ((int)strlen(uats->password) == 0) {
6508 x509_priv_key = rsa_load_pem_key(fp, &err);
6509 } else {
6510 x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
6511 }
6512 fclose(fp);
6513
6514 if (!x509_priv_key) {
6515 if (err) {
6516 report_failure("Can't load private key from %s: %s",
6517 uats->keyfile, err);
6518 g_free(err);
6519 } else
6520 report_failure("Can't load private key from %s: unknown error",
6521 uats->keyfile);
6522 return;
6523 }
6524 if (err) {
6525 report_failure("Load of private key from %s \"succeeded\" with error %s",
6526 uats->keyfile, err);
6527 g_free(err);
6528 }
6529
6530 gnutls_privkey_init(&priv_key);
6531 ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
6532 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
6533 if (ret < 0) {
6534 report_failure("Can't convert private key %s: %s",
6535 uats->keyfile, gnutls_strerror(ret));
6536 goto end;
6537 }
6538
6539 key_id = (unsigned char *) g_malloc0(key_id_len);
6540 ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
6541 if (ret < 0) {
6542 report_failure("Can't calculate public key ID for %s: %s",
6543 uats->keyfile, gnutls_strerror(ret));
6544 goto end;
6545 }
6546 ssl_print_data("KeyID", key_id, key_id_len);
6547 if (key_id_len != 20) {
6548 report_failure("Expected Key ID size %u for %s, got %zu", 20,
6549 uats->keyfile, key_id_len);
6550 goto end;
6551 }
6552
6553 g_hash_table_replace(key_hash, key_id, priv_key);
6554 key_id = NULL((void*)0); /* used in key_hash, do not free. */
6555 priv_key = NULL((void*)0);
6556 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);
6557
6558 handle = ssl_find_appdata_dissector(uats->protocol);
6559 if (handle) {
6560 /* Port to subprotocol mapping */
6561 uint16_t port = 0;
6562 if (ws_strtou16(uats->port, NULL((void*)0), &port)) {
6563 if (port > 0) {
6564 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
6565 port, uats->keyfile, uats->password);
6566
6567 ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
6568 }
6569 } else {
6570 if (strcmp(uats->port, "start_tls"))
6571 ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
6572 }
6573 }
6574
6575end:
6576 gnutls_x509_privkey_deinit(x509_priv_key);
6577 gnutls_privkey_deinit(priv_key);
6578 g_free(key_id);
6579}
6580/* }}} */
6581#endif
6582
6583
6584/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6585/** store a known (pre-)master secret into cache */
6586static void
6587ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
6588 StringInfo *mk)
6589{
6590 StringInfo *ht_key, *master_secret;
6591
6592 if (key->data_len == 0) {
6593 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC((const char*) (__func__)), label);
6594 return;
6595 }
6596
6597 if (mk->data_len == 0) {
6598 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
6599 G_STRFUNC((const char*) (__func__)), label);
6600 return;
6601 }
6602
6603 /* ssl_hash() depends on session_ticket->data being aligned for unsigned access
6604 * so be careful in changing how it is allocated. */
6605 ht_key = ssl_data_clone(key);
6606 master_secret = ssl_data_clone(mk);
6607 g_hash_table_insert(ht, ht_key, master_secret);
6608
6609 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC((const char*) (__func__)), label);
6610 ssl_print_string("stored key", ht_key);
6611 ssl_print_string("stored (pre-)master secret", master_secret);
6612}
6613
6614/** restore a (pre-)master secret given some key in the cache */
6615static bool_Bool
6616ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
6617 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key)
6618{
6619 StringInfo *ms;
6620
6621 if (key->data_len == 0) {
6622 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
6623 G_STRFUNC((const char*) (__func__)), is_pre_master ? "pre-" : "", label);
6624 return false0;
6625 }
6626
6627 ms = (StringInfo *)g_hash_table_lookup(ht, key);
6628 if (!ms) {
6629 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC((const char*) (__func__)),
6630 is_pre_master ? "pre-" : "", label);
6631 return false0;
6632 }
6633
6634 /* (pre)master secret found, clear knowledge of other keys and set it in the
6635 * current conversation */
6636 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) |
6637 SSL_HAVE_SESSION_KEY(1<<3));
6638 if (is_pre_master) {
6639 /* unlike master secret, pre-master secret has a variable size (48 for
6640 * RSA, varying for PSK) and is therefore not statically allocated */
6641 ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
6642 ms->data_len);
6643 ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
6644 ssl->state |= SSL_PRE_MASTER_SECRET(1<<6);
6645 } else {
6646 ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
6647 ssl->state |= SSL_MASTER_SECRET(1<<5);
6648 }
6649 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC((const char*) (__func__)),
6650 is_pre_master ? "pre-" : "", label);
6651 ssl_print_string(label, key);
6652 ssl_print_string("(pre-)master secret", ms);
6653 return true1;
6654}
6655/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6656
6657/* Should be called when all parameters are ready (after ChangeCipherSpec), and
6658 * the decoder should be attempted to be initialized. {{{*/
6659void
6660ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6661{
6662 if (ssl->session.version == TLSV1DOT3_VERSION0x304) {
1
Assuming field 'version' is not equal to TLSV1DOT3_VERSION
2
Taking false branch
6663 /* TLS 1.3 implementations only provide secrets derived from the master
6664 * secret which are loaded in tls13_change_key. No master secrets can be
6665 * loaded here, so just return. */
6666 return;
6667 }
6668 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6669 if (ssl->state & SSL_HAVE_SESSION_KEY(1<<3)) {
3
Assuming the condition is false
4
Taking false branch
6670 ssl_debug_printf(" session key already available, nothing to do.\n");
6671 return;
6672 }
6673 if (!(ssl->state & SSL_CIPHER(1<<2))) {
5
Assuming the condition is false
6674 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
6675 return;
6676 }
6677
6678 /* for decryption, there needs to be a master secret (which can be derived
6679 * from pre-master secret). If missing, try to pick a master key from cache
6680 * (an earlier packet in the capture or key logfile). */
6681 if (!(ssl->state & (SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6))) &&
6
Assuming the condition is false
6682 !ssl_restore_master_key(ssl, "Session ID", false0,
6683 mk_map->session, &ssl->session_id) &&
6684 (!ssl->session.is_session_resumed ||
6685 !ssl_restore_master_key(ssl, "Session Ticket", false0,
6686 mk_map->tickets, &ssl->session_ticket)) &&
6687 !ssl_restore_master_key(ssl, "Client Random", false0,
6688 mk_map->crandom, &ssl->client_random)) {
6689 if (ssl->cipher_suite->enc != ENC_NULL0x3D) {
6690 /* how unfortunate, the master secret could not be found */
6691 ssl_debug_printf(" Cannot find master secret\n");
6692 return;
6693 } else {
6694 ssl_debug_printf(" Cannot find master secret, continuing anyway "
6695 "because of a NULL cipher\n");
6696 }
6697 }
6698
6699 if (ssl_generate_keyring_material(ssl) < 0) {
7
Calling 'ssl_generate_keyring_material'
6700 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC((const char*) (__func__)));
6701 return;
6702 }
6703 /* Save Client Random/ Session ID for "SSL Export Session keys" */
6704 ssl_save_master_key("Client Random", mk_map->crandom,
6705 &ssl->client_random, &ssl->master_secret);
6706 ssl_save_master_key("Session ID", mk_map->session,
6707 &ssl->session_id, &ssl->master_secret);
6708 /* Only save the new secrets if the server sent the ticket. The client
6709 * ticket might have become stale. */
6710 if (ssl->state & SSL_NEW_SESSION_TICKET(1<<10)) {
6711 ssl_save_master_key("Session Ticket", mk_map->tickets,
6712 &ssl->session_ticket, &ssl->master_secret);
6713 }
6714} /* }}} */
6715
6716/* Load the traffic key secret from the keylog file. */
6717StringInfo *
6718tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6719 bool_Bool is_from_server, TLSRecordType type)
6720{
6721 GHashTable *key_map;
6722 const char *label;
6723
6724 if (ssl->session.version != TLSV1DOT3_VERSION0x304 && ssl->session.version != DTLSV1DOT3_VERSION0xfefc) {
6725 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC((const char*) (__func__)), ssl->session.version);
6726 return NULL((void*)0);
6727 }
6728
6729 if (ssl->client_random.data_len == 0) {
6730 /* May happen if Hello message is missing and Finished is found. */
6731 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
6732 return NULL((void*)0);
6733 }
6734
6735 switch (type) {
6736 case TLS_SECRET_0RTT_APP:
6737 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6737, "!is_from_server"))));
6738 label = "CLIENT_EARLY_TRAFFIC_SECRET";
6739 key_map = mk_map->tls13_client_early;
6740 break;
6741 case TLS_SECRET_HANDSHAKE:
6742 if (is_from_server) {
6743 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
6744 key_map = mk_map->tls13_server_handshake;
6745 } else {
6746 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
6747 key_map = mk_map->tls13_client_handshake;
6748 }
6749 break;
6750 case TLS_SECRET_APP:
6751 if (is_from_server) {
6752 label = "SERVER_TRAFFIC_SECRET_0";
6753 key_map = mk_map->tls13_server_appdata;
6754 } else {
6755 label = "CLIENT_TRAFFIC_SECRET_0";
6756 key_map = mk_map->tls13_client_appdata;
6757 }
6758 break;
6759 default:
6760 ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c"
, 6760, __func__, "assertion \"not reached\" failed");
6761 }
6762
6763 /* Transitioning to new keys, mark old ones as unusable. */
6764 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6765 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) | SSL_HAVE_SESSION_KEY(1<<3));
6766
6767 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
6768 if (!secret) {
6769 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC((const char*) (__func__)), label);
6770 /* Disable decryption, the keys are invalid. */
6771 if (is_from_server) {
6772 ssl->server = NULL((void*)0);
6773 } else {
6774 ssl->client = NULL((void*)0);
6775 }
6776 return NULL((void*)0);
6777 }
6778
6779 /* TLS 1.3 secret found, set new keys. */
6780 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC((const char*) (__func__)));
6781 ssl_print_string("Client Random", &ssl->client_random);
6782 ssl_print_string(label, secret);
6783 return secret;
6784}
6785
6786/* Load the new key. */
6787void
6788tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6789 bool_Bool is_from_server, TLSRecordType type)
6790{
6791 if (ssl->state & SSL_QUIC_RECORD_LAYER(1<<13)) {
6792 /*
6793 * QUIC does not use the TLS record layer for message protection.
6794 * The required keys will be extracted later by QUIC.
6795 */
6796 return;
6797 }
6798
6799 StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6800 if (!secret) {
6801 if (type != TLS_SECRET_HANDSHAKE) {
6802 return;
6803 }
6804 /*
6805 * Workaround for when for some reason we don't have the handshake
6806 * secret but do have the application traffic secret. (#20240)
6807 * If we can't find the handshake secret, we'll never decrypt the
6808 * Finished message, so we won't know when to change to the app
6809 * traffic key, so we do so now.
6810 */
6811 type = TLS_SECRET_APP;
6812 secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6813 if (!secret) {
6814 return;
6815 }
6816 }
6817
6818 if (tls13_generate_keys(ssl, secret, is_from_server)) {
6819 /*
6820 * Remember the application traffic secret to support Key Update. The
6821 * other secrets cannot be used for this purpose, so free them.
6822 */
6823 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6824 StringInfo *app_secret = &decoder->app_traffic_secret;
6825 if (type == TLS_SECRET_APP) {
6826 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6827 app_secret->data,
6828 secret->data_len);
6829 ssl_data_set(app_secret, secret->data, secret->data_len);
6830 } else {
6831 wmem_free(wmem_file_scope(), app_secret->data);
6832 app_secret->data = NULL((void*)0);
6833 app_secret->data_len = 0;
6834 }
6835 }
6836}
6837
6838/**
6839 * Update to next application data traffic secret for TLS 1.3. The previous
6840 * secret should have been set by tls13_change_key.
6841 */
6842void
6843tls13_key_update(SslDecryptSession *ssl, bool_Bool is_from_server)
6844{
6845 /* RFC 8446 Section 7.2:
6846 * application_traffic_secret_N+1 =
6847 * HKDF-Expand-Label(application_traffic_secret_N,
6848 * "traffic upd", "", Hash.length)
6849 *
6850 * Both application_traffic_secret_N are of the same length (Hash.length).
6851 */
6852 const SslCipherSuite *cipher_suite = ssl->cipher_suite;
6853 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6854 StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL((void*)0);
6855 uint8_t tls13_draft_version = ssl->session.tls13_draft_version;
6856
6857 if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
6858 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC((const char*) (__func__)));
6859 return;
6860 }
6861
6862 /*
6863 * Previous traffic secret is available, so find the hash function,
6864 * expand the new traffic secret and generate new keys.
6865 */
6866 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
6867 int hash_algo = ssl_get_digest_by_name(hash_name);
6868 const unsigned hash_len = app_secret->data_len;
6869 unsigned char *new_secret;
6870 const char *label = "traffic upd";
6871 if (tls13_draft_version && tls13_draft_version < 20) {
6872 label = "application traffic secret";
6873 }
6874 if (!tls13_hkdf_expand_label(hash_algo, app_secret,
6875 tls13_hkdf_label_prefix(ssl),
6876 label, hash_len, &new_secret)) {
6877 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC((const char*) (__func__)));
6878 return;
6879 }
6880 ssl_data_set(app_secret, new_secret, hash_len);
6881 if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
6882 /*
6883 * Remember the application traffic secret on the new decoder to
6884 * support another Key Update.
6885 */
6886 decoder = is_from_server ? ssl->server : ssl->client;
6887 app_secret = &decoder->app_traffic_secret;
6888 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6889 app_secret->data,
6890 hash_len);
6891 ssl_data_set(app_secret, new_secret, hash_len);
6892 }
6893 wmem_free(NULL((void*)0), new_secret);
6894}
6895
6896void
6897tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6898{
6899 if (ssl && (ssl->state & SSL_CLIENT_RANDOM(1<<0))) {
6900 g_hash_table_add(mk_map->used_crandom, ssl_data_clone(&ssl->client_random));
6901 }
6902}
6903
6904/** SSL keylog file handling. {{{ */
6905
6906static GRegex *
6907ssl_compile_keyfile_regex(void)
6908{
6909#define OCTET "(?:[[:xdigit:]]{2})"
6910 const char *pattern =
6911 "(?:"
6912 /* Matches Client Hellos having this Client Random */
6913 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
6914 /* Matches first part of encrypted RSA pre-master secret */
6915 "|RSA (?<encrypted_pmk>" OCTET "{8}) "
6916 /* Pre-Master-Secret is given, it is 48 bytes for RSA,
6917 but it can be of any length for DHE */
6918 ")(?<pms>" OCTET "+)"
6919 "|(?:"
6920 /* Matches Server Hellos having a Session ID */
6921 "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
6922 /* Matches Client Hellos having this Client Random */
6923 "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
6924 /* Master-Secret is given, its length is fixed */
6925 ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH)"48" "})"
6926 "|(?"
6927 /* TLS 1.3 Client Random to Derived Secrets mapping. */
6928 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
6929 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
6930 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
6931 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
6932 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
6933 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
6934 "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
6935 /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
6936 /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
6937 "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
6938 "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
6939 ") (?<derived_secret>" OCTET "+)";
6940#undef OCTET
6941 static GRegex *regex = NULL((void*)0);
6942 GError *gerr = NULL((void*)0);
6943
6944 if (!regex) {
6945 regex = g_regex_new(pattern,
6946 (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
6947 G_REGEX_MATCH_ANCHORED, &gerr);
6948 if (gerr) {
6949 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC((const char*) (__func__)),
6950 gerr->message);
6951 g_error_free(gerr);
6952 regex = NULL((void*)0);
6953 }
6954 }
6955
6956 return regex;
6957}
6958
6959typedef struct ssl_master_key_match_group {
6960 const char *re_group_name;
6961 GHashTable *master_key_ht;
6962} ssl_master_key_match_group_t;
6963
6964void
6965tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
6966{
6967 ssl_master_key_match_group_t mk_groups[] = {
6968 { "encrypted_pmk", mk_map->pre_master },
6969 { "session_id", mk_map->session },
6970 { "client_random", mk_map->crandom },
6971 { "client_random_pms", mk_map->pms },
6972 /* TLS 1.3 map from Client Random to derived secret. */
6973 { "client_early", mk_map->tls13_client_early },
6974 { "client_handshake", mk_map->tls13_client_handshake },
6975 { "server_handshake", mk_map->tls13_server_handshake },
6976 { "client_appdata", mk_map->tls13_client_appdata },
6977 { "server_appdata", mk_map->tls13_server_appdata },
6978 { "early_exporter", mk_map->tls13_early_exporter },
6979 { "exporter", mk_map->tls13_exporter },
6980 { "ech_secret", mk_map->ech_secret },
6981 { "ech_config", mk_map->ech_config },
6982 };
6983
6984 /* The format of the file is a series of records with one of the following formats:
6985 * - "RSA xxxx yyyy"
6986 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
6987 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6988 * (this is the original format introduced with bug 4349)
6989 *
6990 * - "RSA Session-ID:xxxx Master-Key:yyyy"
6991 * Where xxxx is the SSL session ID (hex-encoded)
6992 * Where yyyy is the cleartext master secret (hex-encoded)
6993 * (added to support openssl s_client Master-Key output)
6994 * This is somewhat is a misnomer because there's nothing RSA specific
6995 * about this.
6996 *
6997 * - "PMS_CLIENT_RANDOM xxxx yyyy"
6998 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6999 * Where yyyy is the cleartext pre-master secret (hex-encoded)
7000 * (This format allows SSL connections to be decrypted, if a user can
7001 * capture the PMS but could not recover the MS for a specific session
7002 * with a SSL Server.)
7003 *
7004 * - "CLIENT_RANDOM xxxx yyyy"
7005 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7006 * Where yyyy is the cleartext master secret (hex-encoded)
7007 * (This format allows non-RSA SSL connections to be decrypted, i.e.
7008 * ECDHE-RSA.)
7009 *
7010 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
7011 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7012 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7013 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
7014 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
7015 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
7016 * - "EXPORTER_SECRET xxxx yyyy"
7017 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7018 * Where yyyy is the secret (hex-encoded) derived from the early,
7019 * handshake or master secrets. (This format is introduced with TLS 1.3
7020 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
7021 */
7022 GRegex *regex = ssl_compile_keyfile_regex();
7023 if (!regex)
7024 return;
7025
7026 const char *next_line = (const char *)data;
7027 const char *line_end = next_line + datalen;
7028 while (next_line && next_line < line_end) {
7029 const char *line = next_line;
7030 next_line = (const char *)memchr(line, '\n', line_end - line);
7031 ssize_t linelen;
7032
7033 if (next_line) {
7034 linelen = next_line - line;
7035 next_line++; /* drop LF */
7036 } else {
7037 linelen = (ssize_t)(line_end - line);
7038 }
7039 if (linelen > 0 && line[linelen - 1] == '\r') {
7040 linelen--; /* drop CR */
7041 }
7042
7043 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
7044 GMatchInfo *mi;
7045 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {
7046 char *hex_key, *hex_pre_ms_or_ms;
7047 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7048 StringInfo *pre_ms_or_ms = NULL((void*)0);
7049 GHashTable *ht = NULL((void*)0);
7050
7051 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
7052 * otherwise we will use the Master Secret
7053 */
7054 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
7055 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7056 g_free(hex_pre_ms_or_ms);
7057 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
7058 }
7059 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7060 g_free(hex_pre_ms_or_ms);
7061 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
7062 }
7063 /* There is always a match, otherwise the regex is wrong. */
7064 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7064, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))));
7065
7066 /* convert from hex to bytes and save to hashtable */
7067 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7068 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
7069 g_free(hex_pre_ms_or_ms);
7070
7071 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
7072 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {
7073 ssl_master_key_match_group_t *g = &mk_groups[i];
7074 hex_key = g_match_info_fetch_named(mi, g->re_group_name);
7075 if (hex_key && *hex_key) {
7076 ssl_debug_printf(" matched %s\n", g->re_group_name);
7077 ht = g->master_key_ht;
7078 from_hex(key, hex_key, strlen(hex_key));
7079 g_free(hex_key);
7080 break;
7081 }
7082 g_free(hex_key);
7083 }
7084 DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7084, "ht")))); /* Cannot be reached, or regex is wrong. */
7085
7086 g_hash_table_insert(ht, key, pre_ms_or_ms);
7087
7088 } else if (linelen > 0 && line[0] != '#') {
7089 ssl_debug_printf(" unrecognized line\n");
7090 }
7091 /* always free match info even if there is no match. */
7092 g_match_info_free(mi);
7093 }
7094}
7095
7096void
7097ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
7098 const ssl_master_key_map_t *mk_map)
7099{
7100 /* no need to try if no key log file is configured. */
7101 if (!tls_keylog_filename || !*tls_keylog_filename) {
7102 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
7103 G_STRFUNC((const char*) (__func__)));
7104 return;
7105 }
7106
7107 /* Validate regexes before even trying to use it. */
7108 if (!ssl_compile_keyfile_regex()) {
7109 return;
7110 }
7111
7112 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);
7113
7114 /* if the keylog file was deleted/overwritten, re-open it */
7115 if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {
7116 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));
7117 fclose(*keylog_file);
7118 *keylog_file = NULL((void*)0);
7119 }
7120
7121 if (*keylog_file == NULL((void*)0)) {
7122 *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");
7123 if (!*keylog_file) {
7124 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));
7125 return;
7126 }
7127 }
7128
7129 for (;;) {
7130 char buf[1110], *line;
7131 line = fgets(buf, sizeof(buf), *keylog_file);
7132 if (!line) {
7133 if (feof(*keylog_file)) {
7134 /* Ensure that newly appended keys can be read in the future. */
7135 clearerr(*keylog_file);
7136 } else if (ferror(*keylog_file)) {
7137 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));
7138 fclose(*keylog_file);
7139 *keylog_file = NULL((void*)0);
7140 }
7141 break;
7142 }
7143 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
7144 }
7145}
7146/** SSL keylog file handling. }}} */
7147
7148#ifdef SSL_DECRYPT_DEBUG /* {{{ */
7149
7150static FILE* ssl_debug_file;
7151
7152void
7153ssl_set_debug(const char* name)
7154{
7155 static int debug_file_must_be_closed;
7156 int use_stderr;
7157
7158 use_stderr = name?(strcmp(name, SSL_DEBUG_USE_STDERR"-") == 0):0;
7159
7160 if (debug_file_must_be_closed)
7161 fclose(ssl_debug_file);
7162
7163 if (use_stderr)
7164 ssl_debug_file = stderrstderr;
7165 else if (!name || (strcmp(name, "") ==0))
7166 ssl_debug_file = NULL((void*)0);
7167 else
7168 ssl_debug_file = ws_fopenfopen(name, "w");
7169
7170 if (!use_stderr && ssl_debug_file)
7171 debug_file_must_be_closed = 1;
7172 else
7173 debug_file_must_be_closed = 0;
7174
7175 ssl_debug_printf("Wireshark SSL debug log \n\n");
7176#ifdef HAVE_LIBGNUTLS1
7177 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL((void*)0)));
7178#endif
7179 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL((void*)0)));
7180 ssl_debug_printf("\n");
7181}
7182
7183void
7184ssl_debug_flush(void)
7185{
7186 if (ssl_debug_file)
7187 fflush(ssl_debug_file);
7188}
7189
7190void
7191ssl_debug_printf(const char* fmt, ...)
7192{
7193 va_list ap;
7194
7195 if (!ssl_debug_file)
7196 return;
7197
7198 va_start(ap, fmt)__builtin_va_start(ap, fmt);
7199 vfprintf(ssl_debug_file, fmt, ap);
7200 va_end(ap)__builtin_va_end(ap);
7201}
7202
7203void
7204ssl_print_data(const char* name, const unsigned char* data, size_t len)
7205{
7206 size_t i, j, k;
7207 if (!ssl_debug_file)
7208 return;
7209 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
7210 for (i=0; i<len; i+=16) {
7211 fprintf(ssl_debug_file,"| ");
7212 for (j=i, k=0; k<16 && j<len; ++j, ++k)
7213 fprintf(ssl_debug_file,"%.2x ",data[j]);
7214 for (; k<16; ++k)
7215 fprintf(ssl_debug_file," ");
7216 fputc('|', ssl_debug_file);
7217 for (j=i, k=0; k<16 && j<len; ++j, ++k) {
7218 unsigned char c = data[j];
7219 if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';
7220 fputc(c, ssl_debug_file);
7221 }
7222 for (; k<16; ++k)
7223 fputc(' ', ssl_debug_file);
7224 fprintf(ssl_debug_file,"|\n");
7225 }
7226}
7227
7228void
7229ssl_print_string(const char* name, const StringInfo* data)
7230{
7231 ssl_print_data(name, data->data, data->data_len);
7232}
7233#endif /* SSL_DECRYPT_DEBUG }}} */
7234
7235/* UAT preferences callbacks. {{{ */
7236/* checks for SSL and DTLS UAT key list fields */
7237
7238bool_Bool
7239ssldecrypt_uat_fld_ip_chk_cb(void* r _U___attribute__((unused)), const char* p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7240{
7241 // This should be removed in favor of Decode As. Make it optional.
7242 *err = NULL((void*)0);
7243 return true1;
7244}
7245
7246bool_Bool
7247ssldecrypt_uat_fld_port_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7248{
7249 if (!p || strlen(p) == 0u) {
7250 // This should be removed in favor of Decode As. Make it optional.
7251 *err = NULL((void*)0);
7252 return true1;
7253 }
7254
7255 if (strcmp(p, "start_tls") != 0){
7256 uint16_t port;
7257 if (!ws_strtou16(p, NULL((void*)0), &port)) {
7258 *err = g_strdup("Invalid port given.")g_strdup_inline ("Invalid port given.");
7259 return false0;
7260 }
7261 }
7262
7263 *err = NULL((void*)0);
7264 return true1;
7265}
7266
7267bool_Bool
7268ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7269{
7270 ws_statb64struct stat st;
7271
7272 if (!p || strlen(p) == 0u) {
7273 *err = g_strdup("No filename given.")g_strdup_inline ("No filename given.");
7274 return false0;
7275 } else {
7276 if (ws_stat64stat(p, &st) != 0) {
7277 *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p)wmem_strdup_printf(((void*)0), "File '%s' does not exist or access is denied."
, p);
7278 return false0;
7279 }
7280 }
7281
7282 *err = NULL((void*)0);
7283 return true1;
7284}
7285
7286bool_Bool
7287ssldecrypt_uat_fld_password_chk_cb(void *r _U___attribute__((unused)), const char *p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void *u1 _U___attribute__((unused)), const void *u2 _U___attribute__((unused)), char **err)
7288{
7289#if defined(HAVE_LIBGNUTLS1)
7290 ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;
7291 FILE *fp = NULL((void*)0);
7292
7293 if (p && (strlen(p) > 0u)) {
7294 fp = ws_fopenfopen(f->keyfile, "rb");
7295 if (fp) {
7296 char *msg = NULL((void*)0);
7297 gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
7298 if (!priv_key) {
7299 fclose(fp);
7300 *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg)wmem_strdup_printf(((void*)0), "Could not load PKCS#12 key file: %s"
, msg);
7301 g_free(msg);
7302 return false0;
7303 }
7304 g_free(msg);
7305 gnutls_x509_privkey_deinit(priv_key);
7306 fclose(fp);
7307 } else {
7308 *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.")wmem_strdup_printf(((void*)0), "Leave this field blank if the keyfile is not PKCS#12."
);
7309 return false0;
7310 }
7311 }
7312
7313 *err = NULL((void*)0);
7314 return true1;
7315#else
7316 *err = g_strdup("Cannot load key files, support is not compiled in.")g_strdup_inline ("Cannot load key files, support is not compiled in."
);
7317 return false0;
7318#endif
7319}
7320/* UAT preferences callbacks. }}} */
7321
7322/** maximum size of ssl_association_info() string */
7323#define SSL_ASSOC_MAX_LEN8192 8192
7324
7325typedef struct ssl_association_info_callback_data
7326{
7327 char *str;
7328 const char *table_protocol;
7329} ssl_association_info_callback_data_t;
7330
7331/**
7332 * callback function used by ssl_association_info() to traverse the SSL associations.
7333 */
7334static void
7335ssl_association_info_(const char *table _U___attribute__((unused)), void *handle, void *user_data)
7336{
7337 ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;
7338 const int l = (const int)strlen(data->str);
7339 snprintf(data->str+l, SSL_ASSOC_MAX_LEN8192-l, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t)handle), dissector_handle_get_description((dissector_handle_t)handle));
7340}
7341
7342/**
7343 * @return an information string on the SSL protocol associations. The string must be freed.
7344 */
7345char*
7346ssl_association_info(const char* dissector_table_name, const char* table_protocol)
7347{
7348 ssl_association_info_callback_data_t data;
7349
7350 data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN8192);
7351 data.table_protocol = table_protocol;
7352 dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
7353 return data.str;
7354}
7355
7356
7357/** Begin of code related to dissection of wire data. */
7358
7359/* Helpers for dissecting Variable-Length Vectors. {{{ */
7360bool_Bool
7361ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7362 unsigned offset, unsigned offset_end, uint32_t *ret_length,
7363 int hf_length, uint32_t min_value, uint32_t max_value)
7364{
7365 unsigned veclen_size;
7366 uint32_t veclen_value;
7367 proto_item *pi;
7368
7369 DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value)((void) ((min_value <= max_value) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "min_value" " " "<=" " " "max_value"
" (" "%" "l" "u" " " "<=" " " "%" "l" "u" ")", "epan/dissectors/packet-tls-utils.c"
, 7369, (uint64_t)min_value, (uint64_t)max_value))));
7370 if (offset > offset_end) {
7371 expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
7372 "Vector offset is past buffer end offset (%u > %u)",
7373 offset, offset_end);
7374 *ret_length = 0;
7375 return false0; /* Cannot read length. */
7376 }
7377
7378 if (max_value > 0xffffff) {
7379 veclen_size = 4;
7380 } else if (max_value > 0xffff) {
7381 veclen_size = 3;
7382 } else if (max_value > 0xff) {
7383 veclen_size = 2;
7384 } else {
7385 veclen_size = 1;
7386 }
7387
7388 if (offset_end - offset < veclen_size) {
7389 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7390 tvb, offset, offset_end - offset,
7391 "No more room for vector of length %u",
7392 veclen_size);
7393 *ret_length = 0;
7394 return false0; /* Cannot read length. */
7395 }
7396
7397 pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN0x00000000, &veclen_value);
7398 offset += veclen_size;
7399
7400 if (veclen_value < min_value) {
7401 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7402 "Vector length %u is smaller than minimum %u",
7403 veclen_value, min_value);
7404 } else if (veclen_value > max_value) {
7405 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7406 "Vector length %u is larger than maximum %u",
7407 veclen_value, max_value);
7408 }
7409
7410 if (offset_end - offset < veclen_value) {
7411 expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
7412 "Vector length %u is too large, truncating it to %u",
7413 veclen_value, offset_end - offset);
7414 *ret_length = offset_end - offset;
7415 return false0; /* Length is truncated to avoid overflow. */
7416 }
7417
7418 *ret_length = veclen_value;
7419 return true1; /* Length is OK. */
7420}
7421
7422bool_Bool
7423ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7424 unsigned offset, unsigned offset_end)
7425{
7426 if (offset < offset_end) {
7427 unsigned trailing = offset_end - offset;
7428 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
7429 tvb, offset, trailing,
7430 "%u trailing byte%s unprocessed",
7431 trailing, plurality(trailing, " was", "s were")((trailing) == 1 ? (" was") : ("s were")));
7432 return false0; /* unprocessed data warning */
7433 } else if (offset > offset_end) {
7434 /*
7435 * Returned offset runs past the end. This should not happen and is
7436 * possibly a dissector bug.
7437 */
7438 unsigned excess = offset - offset_end;
7439 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7440 tvb, offset_end, excess,
7441 "Dissector processed too much data (%u byte%s)",
7442 excess, plurality(excess, "", "s")((excess) == 1 ? ("") : ("s")));
7443 return false0; /* overflow error */
7444 }
7445
7446 return true1; /* OK, offset matches. */
7447}
7448/** }}} */
7449
7450
7451static uint32_t
7452ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7453 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7454 uint16_t version, int hf_sig_len, int hf_sig);
7455
7456/* change_cipher_spec(20) dissection */
7457void
7458ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7459 packet_info *pinfo, proto_tree *tree,
7460 uint32_t offset, SslSession *session,
7461 bool_Bool is_from_server,
7462 const SslDecryptSession *ssl)
7463{
7464 /*
7465 * struct {
7466 * enum { change_cipher_spec(1), (255) } type;
7467 * } ChangeCipherSpec;
7468 */
7469 proto_item *ti;
7470 proto_item_set_text(tree,
7471 "%s Record Layer: %s Protocol: Change Cipher Spec",
7472 val_to_str_const(session->version, ssl_version_short_names, "SSL"),
7473 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
7474 ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA0x00000000);
7475
7476 if (session->version == TLSV1DOT3_VERSION0x304) {
7477 /* CCS is a dummy message in TLS 1.3, do not parse it further. */
7478 return;
7479 }
7480
7481 /* Remember frame number of first CCS */
7482 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
7483 if (*ccs_frame == 0)
7484 *ccs_frame = pinfo->num;
7485
7486 /* Use heuristics to detect an abbreviated handshake, assume that missing
7487 * ServerHelloDone implies reusing previously negotiating keys. Then when
7488 * a Session ID or ticket is present, it must be a resumed session.
7489 * Normally this should be done at the Finished message, but that may be
7490 * encrypted so we do it here, at the last cleartext message. */
7491 if (is_from_server && ssl) {
7492 if (session->is_session_resumed) {
7493 const char *resumed = NULL((void*)0);
7494 if (ssl->session_ticket.data_len) {
7495 resumed = "Session Ticket";
7496 } else if (ssl->session_id.data_len) {
7497 resumed = "Session ID";
7498 }
7499 if (resumed) {
7500 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC((const char*) (__func__)), resumed);
7501 } else {
7502 /* Can happen if the capture somehow starts in the middle */
7503 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC((const char*) (__func__)));
7504 }
7505 } else {
7506 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC((const char*) (__func__)));
7507 }
7508 }
7509 if (is_from_server && session->is_session_resumed)
7510 expert_add_info(pinfo, ti, &hf->ei.resumed);
7511}
7512
7513/** Begin of handshake(22) record dissections */
7514
7515/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
7516 * {{{ */
7517static void
7518tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
7519{
7520 uint32_t sighash, hashalg, sigalg;
7521 proto_item *ti_sigalg;
7522 proto_tree *sigalg_tree;
7523
7524 ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
7525 offset, 2, ENC_BIG_ENDIAN0x00000000, &sighash);
7526 if (ja4_data) {
7527 wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash)((gpointer) (gulong) (sighash)));
7528 }
7529
7530 sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);
7531
7532 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
7533 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,
7534 offset, 1, ENC_BIG_ENDIAN0x00000000, &hashalg);
7535 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,
7536 offset + 1, 1, ENC_BIG_ENDIAN0x00000000, &sigalg);
7537
7538 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
7539 if (!try_val_to_str(sighash, tls13_signature_algorithm)) {
7540 proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",
7541 val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),
7542 val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),
7543 sighash);
7544 }
7545} /* }}} */
7546
7547/* dissect a list of hash algorithms, return the number of bytes dissected
7548 this is used for the signature algorithms extension and for the
7549 TLS1.2 certificate request. {{{ */
7550static int
7551ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
7552 packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7553{
7554 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
7555 * struct {
7556 * HashAlgorithm hash;
7557 * SignatureAlgorithm signature;
7558 * } SignatureAndHashAlgorithm;
7559 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
7560 */
7561 proto_tree *subtree;
7562 proto_item *ti;
7563 unsigned sh_alg_length;
7564 uint32_t next_offset;
7565
7566 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
7567 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
7568 hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX(65535) - 1)) {
7569 return offset_end;
7570 }
7571 offset += 2;
7572 next_offset = offset + sh_alg_length;
7573
7574 ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
7575 "Signature Hash Algorithms (%u algorithm%s)",
7576 sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s")((sh_alg_length / 2) == 1 ? ("") : ("s")));
7577 subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);
7578
7579 while (offset + 2 <= next_offset) {
7580 tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
7581 offset += 2;
7582 }
7583
7584 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
7585 offset = next_offset;
7586 }
7587
7588 return offset;
7589} /* }}} */
7590
7591/* Dissection of DistinguishedName (for CertificateRequest and
7592 * certificate_authorities extension). {{{ */
7593static uint32_t
7594tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7595 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7596{
7597 proto_item *ti;
7598 proto_tree *subtree;
7599 uint32_t dnames_length, next_offset;
7600 asn1_ctx_t asn1_ctx;
7601 int dnames_count = 100; /* the maximum number of DNs to add to the tree */
7602
7603 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
7604 /* DistinguishedName certificate_authorities<0..2^16-1> */
7605 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
7606 hf->hf.hs_dnames_len, 0, UINT16_MAX(65535))) {
7607 return offset_end;
7608 }
7609 offset += 2;
7610 next_offset = offset + dnames_length;
7611
7612 if (dnames_length > 0) {
7613 ti = proto_tree_add_none_format(tree,
7614 hf->hf.hs_dnames,
7615 tvb, offset, dnames_length,
7616 "Distinguished Names (%d byte%s)",
7617 dnames_length,
7618 plurality(dnames_length, "", "s")((dnames_length) == 1 ? ("") : ("s")));
7619 subtree = proto_item_add_subtree(ti, hf->ett.dnames);
7620
7621 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7622
7623 while (offset < next_offset) {
7624 /* get the length of the current certificate */
7625 uint32_t name_length;
7626
7627 if (dnames_count-- == 0) {
7628 /* stop adding to tree when the list is considered too large
7629 * https://gitlab.com/wireshark/wireshark/-/issues/16202
7630 Note: dnames_count must be set low enough not to hit the
7631 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
7632 */
7633 ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
7634 tvb, offset, next_offset - offset, ENC_NA0x00000000);
7635 proto_item_set_generated(ti);
7636 return next_offset;
7637 }
7638
7639 /* opaque DistinguishedName<1..2^16-1> */
7640 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
7641 hf->hf.hs_dname_len, 1, UINT16_MAX(65535))) {
7642 return next_offset;
7643 }
7644 offset += 2;
7645
7646 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
7647 subtree, hf->hf.hs_dname);
7648 offset += name_length;
7649 }
7650 }
7651 return offset;
7652} /* }}} */
7653
7654
7655/** TLS Extensions (in Client Hello and Server Hello). {{{ */
7656static int
7657ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7658 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7659{
7660 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
7661}
7662
7663static int
7664ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7665 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
7666{
7667 if (hnd_type == SSL_HND_CLIENT_HELLO ||
7668 hnd_type == SSL_HND_CERT_REQUEST) {
7669 /*
7670 * struct {
7671 * SignatureScheme supported_signature_algorithm<2..2^16-2>;
7672 * } SignatureSchemeList;
7673 */
7674
7675 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
7676 } else {
7677 asn1_ctx_t asn1_ctx;
7678 unsigned pubkey_length, sign_length;
7679
7680 /*
7681 * struct {
7682 * uint32 valid_time;
7683 * SignatureScheme expected_cert_verify_algorithm;
7684 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
7685 * } Credential;
7686 *
7687 * struct {
7688 * Credential cred;
7689 * SignatureScheme algorithm;
7690 * opaque signature<0..2^16-1>;
7691 * } DelegatedCredential;
7692 */
7693
7694 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7695
7696 proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7697 offset += 4;
7698
7699 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7700 offset += 2;
7701
7702 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
7703 hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24((1U << 24) - 1))) {
7704 return offset_end;
7705 }
7706 offset += 3;
7707 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
7708 offset += pubkey_length;
7709
7710 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7711 offset += 2;
7712
7713 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
7714 hf->hf.hs_cred_signature_len, 1, UINT16_MAX(65535))) {
7715 return offset_end;
7716 }
7717 offset += 2;
7718 proto_tree_add_item(tree, hf->hf.hs_cred_signature,
7719 tvb, offset, sign_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7720 offset += sign_length;
7721
7722 return offset;
7723 }
7724}
7725
7726static int
7727ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7728 packet_info *pinfo, proto_tree *tree,
7729 uint32_t offset, uint32_t offset_end,
7730 uint8_t hnd_type)
7731{
7732
7733 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */
7734
7735 switch (hnd_type) {
7736 case SSL_HND_CLIENT_HELLO: {
7737 proto_tree *alps_tree;
7738 proto_item *ti;
7739 uint32_t next_offset, alps_length, name_length;
7740
7741 /*
7742 * opaque ProtocolName<1..2^8-1>;
7743 * struct {
7744 * ProtocolName supported_protocols<2..2^16-1>
7745 * } ApplicationSettingsSupport;
7746 */
7747
7748 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
7749 hf->hf.hs_ext_alps_len, 2, UINT16_MAX(65535))) {
7750 return offset_end;
7751 }
7752 offset += 2;
7753 next_offset = offset + alps_length;
7754
7755 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
7756 tvb, offset, alps_length, ENC_NA0x00000000);
7757 alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);
7758
7759 /* Parse list (note missing check for end of vector, ssl_add_vector below
7760 * ensures that data is always available.) */
7761 while (offset < next_offset) {
7762 if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
7763 hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX(255))) {
7764 return next_offset;
7765 }
7766 offset++;
7767
7768 proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
7769 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7770 offset += name_length;
7771 }
7772
7773 return offset;
7774 }
7775 case SSL_HND_ENCRYPTED_EXTS:
7776 /* Opaque blob */
7777 proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
7778 tvb, offset, offset_end - offset, ENC_ASCII0x00000000|ENC_NA0x00000000);
7779 break;
7780 }
7781
7782 return offset_end;
7783}
7784
7785static int
7786ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7787 packet_info *pinfo, proto_tree *tree,
7788 uint32_t offset, uint32_t offset_end,
7789 uint8_t hnd_type, SslSession *session,
7790 bool_Bool is_dtls, ja4_data_t *ja4_data)
7791{
7792
7793 /* https://tools.ietf.org/html/rfc7301#section-3.1
7794 * opaque ProtocolName<1..2^8-1>;
7795 * struct {
7796 * ProtocolName protocol_name_list<2..2^16-1>
7797 * } ProtocolNameList;
7798 */
7799 proto_tree *alpn_tree;
7800 proto_item *ti;
7801 uint32_t next_offset, alpn_length, name_length;
7802 uint8_t *proto_name = NULL((void*)0), *client_proto_name = NULL((void*)0);
7803
7804 /* ProtocolName protocol_name_list<2..2^16-1> */
7805 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
7806 hf->hf.hs_ext_alpn_len, 2, UINT16_MAX(65535))) {
7807 return offset_end;
7808 }
7809 offset += 2;
7810 next_offset = offset + alpn_length;
7811
7812 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
7813 tvb, offset, alpn_length, ENC_NA0x00000000);
7814 alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);
7815
7816 /* Parse list (note missing check for end of vector, ssl_add_vector below
7817 * ensures that data is always available.) */
7818 while (offset < next_offset) {
7819 /* opaque ProtocolName<1..2^8-1> */
7820 if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
7821 hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX(255))) {
7822 return next_offset;
7823 }
7824 offset++;
7825
7826 proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
7827 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7828 if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
7829 const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
7830 const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
7831 if ((g_ascii_isprint(alpn_first_char)((g_ascii_table[(guchar) (alpn_first_char)] & G_ASCII_PRINT
) != 0)) && g_ascii_isprint(alpn_last_char)((g_ascii_table[(guchar) (alpn_last_char)] & G_ASCII_PRINT
) != 0)) {
7832 wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
7833 }
7834 else {
7835 wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
7836 alpn_last_char & 0x0F);
7837 }
7838 }
7839 /* Remember first ALPN ProtocolName entry for server. */
7840 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
7841 /* '\0'-terminated string for dissector table match and prefix
7842 * comparison purposes. */
7843 proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7844 name_length, ENC_ASCII0x00000000);
7845 } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
7846 client_proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7847 name_length, ENC_ASCII0x00000000);
7848 }
7849 offset += name_length;
7850 }
7851
7852 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
7853 * exactly one "ProtocolName". */
7854 if (proto_name) {
7855 dissector_handle_t handle;
7856
7857 session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);
7858
7859 if (is_dtls) {
7860 handle = dissector_get_string_handle(dtls_alpn_dissector_table,
7861 proto_name);
7862 } else {
7863 handle = dissector_get_string_handle(ssl_alpn_dissector_table,
7864 proto_name);
7865 if (handle == NULL((void*)0)) {
7866 /* Try prefix matching */
7867 for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols)(sizeof (ssl_alpn_prefix_match_protocols) / sizeof ((ssl_alpn_prefix_match_protocols
)[0])); i++) {
7868 const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];
7869
7870 /* string_string is inappropriate as it compares strings
7871 * while "byte strings MUST NOT be truncated" (RFC 7301) */
7872 if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)(__builtin_constant_p (alpn_proto->proto_prefix)? __extension__
({ const char * const __str = (proto_name); const char * const
__prefix = (alpn_proto->proto_prefix); gboolean __result =
(0); if (__str == ((void*)0) || __prefix == ((void*)0)) __result
= (g_str_has_prefix) (__str, __prefix); else { const size_t __str_len
= strlen (((__str) + !(__str))); const size_t __prefix_len =
strlen (((__prefix) + !(__prefix))); if (__str_len >= __prefix_len
) __result = memcmp (((__str) + !(__str)), ((__prefix) + !(__prefix
)), __prefix_len) == 0; } __result; }) : (g_str_has_prefix) (
proto_name, alpn_proto->proto_prefix) )) {
7873 handle = find_dissector(alpn_proto->dissector_name);
7874 break;
7875 }
7876 }
7877 }
7878 }
7879 if (handle != NULL((void*)0)) {
7880 /* ProtocolName match, so set the App data dissector handle.
7881 * This may override protocols given via the UAT dialog, but
7882 * since the ALPN hint is precise, do it anyway. */
7883 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC((const char*) (__func__)),
7884 (void *)session->app_handle,
7885 (void *)handle,
7886 dissector_handle_get_dissector_name(handle));
7887 session->app_handle = handle;
7888 }
7889 } else if (client_proto_name) {
7890 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
7891 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
7892 session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
7893 }
7894
7895 return offset;
7896}
7897
7898static int
7899ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7900 packet_info *pinfo, proto_tree *tree,
7901 uint32_t offset, uint32_t offset_end)
7902{
7903 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
7904 * The "extension_data" field of a "next_protocol_negotiation" extension
7905 * in a "ServerHello" contains an optional list of protocols advertised
7906 * by the server. Protocols are named by opaque, non-empty byte strings
7907 * and the list of protocols is serialized as a concatenation of 8-bit,
7908 * length prefixed byte strings. Implementations MUST ensure that the
7909 * empty string is not included and that no byte strings are truncated.
7910 */
7911 uint32_t npn_length;
7912 proto_tree *npn_tree;
7913
7914 /* List is optional, do not add tree if there are no entries. */
7915 if (offset == offset_end) {
7916 return offset;
7917 }
7918
7919 npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL((void*)0), "Next Protocol Negotiation");
7920
7921 while (offset < offset_end) {
7922 /* non-empty, 8-bit length prefixed strings means range 1..255 */
7923 if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,
7924 hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX(255))) {
7925 return offset_end;
7926 }
7927 offset++;
7928
7929 proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
7930 tvb, offset, npn_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7931 offset += npn_length;
7932 }
7933
7934 return offset;
7935}
7936
7937static int
7938ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7939 packet_info *pinfo, proto_tree *tree,
7940 uint32_t offset, uint32_t offset_end)
7941{
7942 /* https://tools.ietf.org/html/rfc5746#section-3.2
7943 * struct {
7944 * opaque renegotiated_connection<0..255>;
7945 * } RenegotiationInfo;
7946 *
7947 */
7948 proto_tree *reneg_info_tree;
7949 uint32_t reneg_info_length;
7950
7951 reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL((void*)0), "Renegotiation Info extension");
7952
7953 /* opaque renegotiated_connection<0..255> */
7954 if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,
7955 hf->hf.hs_ext_reneg_info_len, 0, 255)) {
7956 return offset_end;
7957 }
7958 offset++;
7959
7960 if (reneg_info_length > 0) {
7961 proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA0x00000000);
7962 offset += reneg_info_length;
7963 }
7964
7965 return offset;
7966}
7967
7968static int
7969ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7970 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7971 const char **group_name_out)
7972{
7973 /* RFC 8446 Section 4.2.8
7974 * struct {
7975 * NamedGroup group;
7976 * opaque key_exchange<1..2^16-1>;
7977 * } KeyShareEntry;
7978 */
7979 uint32_t key_exchange_length, group;
7980 proto_tree *ks_tree;
7981
7982 ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL((void*)0), "Key Share Entry");
7983
7984 proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
7985 offset += 2;
7986 const char *group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
7987 proto_item_append_text(ks_tree, ": Group: %s", group_name);
7988 if (group_name_out) {
7989 *group_name_out = !IS_GREASE_TLS(group)((((group) & 0x0f0f) == 0x0a0a) && (((group) &
0xff) == (((group)>>8) & 0xff))) ? group_name : NULL((void*)0);
7990 }
7991
7992 /* opaque key_exchange<1..2^16-1> */
7993 if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
7994 hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX(65535))) {
7995 return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
7996 }
7997 offset += 2;
7998 proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
7999 proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);
8000
8001 proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA0x00000000);
8002 offset += key_exchange_length;
8003
8004 return offset;
8005}
8006
8007static int
8008ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8009 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8010 uint8_t hnd_type)
8011{
8012 proto_tree *key_share_tree;
8013 uint32_t next_offset;
8014 uint32_t client_shares_length;
8015 uint32_t group;
8016 const char *group_name = NULL((void*)0);
8017
8018 if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
8019 return offset;
8020 }
8021
8022 key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL((void*)0), "Key Share extension");
8023
8024 switch(hnd_type){
8025 case SSL_HND_CLIENT_HELLO:
8026 /* KeyShareEntry client_shares<0..2^16-1> */
8027 if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
8028 hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX(65535))) {
8029 return offset_end;
8030 }
8031 offset += 2;
8032 next_offset = offset + client_shares_length;
8033 const char *sep = " ";
8034 while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
8035 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
8036 if (group_name) {
8037 proto_item_append_text(tree, "%s%s", sep, group_name);
8038 sep = ", ";
8039 }
8040 }
8041 if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
8042 return next_offset;
8043 }
8044 break;
8045 case SSL_HND_SERVER_HELLO:
8046 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
8047 if (group_name) {
8048 proto_item_append_text(tree, " %s", group_name);
8049 }
8050 break;
8051 case SSL_HND_HELLO_RETRY_REQUEST:
8052 proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
8053 offset += 2;
8054 group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
8055 proto_item_append_text(tree, " %s", group_name);
8056 break;
8057 default: /* no default */
8058 break;
8059 }
8060
8061 return offset;
8062}
8063
8064static int
8065ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8066 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8067 uint8_t hnd_type)
8068{
8069 /* RFC 8446 Section 4.2.11
8070 * struct {
8071 * opaque identity<1..2^16-1>;
8072 * uint32 obfuscated_ticket_age;
8073 * } PskIdentity;
8074 * opaque PskBinderEntry<32..255>;
8075 * struct {
8076 * select (Handshake.msg_type) {
8077 * case client_hello:
8078 * PskIdentity identities<7..2^16-1>;
8079 * PskBinderEntry binders<33..2^16-1>;
8080 * case server_hello:
8081 * uint16 selected_identity;
8082 * };
8083 * } PreSharedKeyExtension;
8084 */
8085
8086 proto_tree *psk_tree;
8087
8088 psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL((void*)0), "Pre-Shared Key extension");
8089
8090 switch (hnd_type){
8091 case SSL_HND_CLIENT_HELLO: {
8092 uint32_t identities_length, identities_end, binders_length;
8093
8094 /* PskIdentity identities<7..2^16-1> */
8095 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
8096 hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX(65535))) {
8097 return offset_end;
8098 }
8099 offset += 2;
8100 identities_end = offset + identities_length;
8101
8102 while (offset < identities_end) {
8103 uint32_t identity_length;
8104 proto_tree *identity_tree;
8105
8106 identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL((void*)0), "PSK Identity (");
8107
8108 /* opaque identity<1..2^16-1> */
8109 if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
8110 hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX(65535))) {
8111 return identities_end;
8112 }
8113 offset += 2;
8114 proto_item_append_text(identity_tree, "length: %u)", identity_length);
8115
8116 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN0x00000000);
8117 offset += identity_length;
8118
8119 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8120 offset += 4;
8121
8122 proto_item_set_len(identity_tree, 2 + identity_length + 4);
8123 }
8124 if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
8125 offset = identities_end;
8126 }
8127
8128 /* PskBinderEntry binders<33..2^16-1> */
8129 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
8130 hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX(65535))) {
8131 return offset_end;
8132 }
8133 offset += 2;
8134
8135 proto_item *binders_item;
8136 proto_tree *binders_tree;
8137 binders_item = proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA0x00000000);
8138 binders_tree = proto_item_add_subtree(binders_item, hf->ett.hs_ext_psk_binders);
8139 uint32_t binders_end = offset + binders_length;
8140 while (offset < binders_end) {
8141 uint32_t binder_length;
8142 proto_item *binder_item;
8143 proto_tree *binder_tree;
8144
8145 binder_item = proto_tree_add_item(binders_tree, hf->hf.hs_ext_psk_binder, tvb, offset, 1, ENC_NA0x00000000);
8146 binder_tree = proto_item_add_subtree(binder_item, hf->ett.hs_ext_psk_binder);
8147
8148 /* opaque PskBinderEntry<32..255>; */
8149 if (!ssl_add_vector(hf, tvb, pinfo, binder_tree, offset, binders_end, &binder_length,
8150 hf->hf.hs_ext_psk_binder_binder_length, 32, 255)) {
8151 return binders_end;
8152 }
8153 offset += 1;
8154 proto_item_append_text(binder_tree, " (length: %u)", binder_length);
8155
8156 proto_tree_add_item(binder_tree, hf->hf.hs_ext_psk_binder_binder, tvb, offset, binder_length, ENC_BIG_ENDIAN0x00000000);
8157 offset += binder_length;
8158
8159 proto_item_set_end(binder_item, tvb, offset);
8160 }
8161 }
8162 break;
8163 case SSL_HND_SERVER_HELLO: {
8164 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8165 offset += 2;
8166 }
8167 break;
8168 default:
8169 break;
8170 }
8171
8172 return offset;
8173}
8174
8175static uint32_t
8176ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
8177 proto_tree *tree, uint32_t offset, uint32_t offset_end _U___attribute__((unused)),
8178 uint8_t hnd_type, SslDecryptSession *ssl)
8179{
8180 /* RFC 8446 Section 4.2.10
8181 * struct {} Empty;
8182 * struct {
8183 * select (Handshake.msg_type) {
8184 * case new_session_ticket: uint32 max_early_data_size;
8185 * case client_hello: Empty;
8186 * case encrypted_extensions: Empty;
8187 * };
8188 * } EarlyDataIndication;
8189 */
8190 switch (hnd_type) {
8191 case SSL_HND_CLIENT_HELLO:
8192 /* Remember that early_data will follow the handshake. */
8193 if (ssl) {
8194 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC((const char*) (__func__)));
8195 ssl->has_early_data = true1;
8196 }
8197 break;
8198 case SSL_HND_NEWSESSION_TICKET:
8199 proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8200 offset += 4;
8201 break;
8202 default:
8203 break;
8204 }
8205 return offset;
8206}
8207
8208static uint16_t
8209tls_try_get_version(bool_Bool is_dtls, uint16_t version, uint8_t *draft_version)
8210{
8211 if (draft_version) {
8212 *draft_version = 0;
8213 }
8214 if (!is_dtls) {
8215 uint8_t tls13_draft = extract_tls13_draft_version(version);
8216 if (tls13_draft != 0) {
8217 /* This is TLS 1.3 (a draft version). */
8218 if (draft_version) {
8219 *draft_version = tls13_draft;
8220 }
8221 version = TLSV1DOT3_VERSION0x304;
8222 }
8223 if (version == 0xfb17 || version == 0xfb1a) {
8224 /* Unofficial TLS 1.3 draft version for Facebook fizz. */
8225 tls13_draft = (uint8_t)version;
8226 if (draft_version) {
8227 *draft_version = tls13_draft;
8228 }
8229 version = TLSV1DOT3_VERSION0x304;
8230 }
8231 }
8232
8233 switch (version) {
8234 case SSLV3_VERSION0x300:
8235 case TLSV1_VERSION0x301:
8236 case TLSV1DOT1_VERSION0x302:
8237 case TLSV1DOT2_VERSION0x303:
8238 case TLSV1DOT3_VERSION0x304:
8239 case TLCPV1_VERSION0x101:
8240 if (is_dtls)
8241 return SSL_VER_UNKNOWN0;
8242 break;
8243
8244 case DTLSV1DOT0_VERSION0xfeff:
8245 case DTLSV1DOT0_OPENSSL_VERSION0x100:
8246 case DTLSV1DOT2_VERSION0xfefd:
8247 case DTLSV1DOT3_VERSION0xfefc:
8248 if (!is_dtls)
8249 return SSL_VER_UNKNOWN0;
8250 break;
8251
8252 default: /* invalid version number */
8253 return SSL_VER_UNKNOWN0;
8254 }
8255
8256 return version;
8257}
8258
8259static int
8260ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8261 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8262 SslSession *session, bool_Bool is_dtls, ja4_data_t *ja4_data)
8263{
8264
8265 /* RFC 8446 Section 4.2.1
8266 * struct {
8267 * ProtocolVersion versions<2..254>; // ClientHello
8268 * } SupportedVersions;
8269 * Note that ServerHello and HelloRetryRequest are handled by the caller.
8270 */
8271 uint32_t versions_length, next_offset;
8272 /* ProtocolVersion versions<2..254> */
8273 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
8274 hf->hf.hs_ext_supported_versions_len, 2, 254)) {
8275 return offset_end;
8276 }
8277 offset++;
8278 next_offset = offset + versions_length;
8279
8280 unsigned version;
8281 unsigned current_version, lowest_version = SSL_VER_UNKNOWN0;
8282 uint8_t draft_version, max_draft_version = 0;
8283 const char *sep = " ";
8284 while (offset + 2 <= next_offset) {
8285 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
8286 offset += 2;
8287
8288 if (!IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8289 proto_item_append_text(tree, "%s%s", sep, val_to_str(pinfo->pool, version, ssl_versions, "Unknown (0x%04x)"));
8290 sep = ", ";
8291 }
8292
8293 current_version = tls_try_get_version(is_dtls, version, &draft_version);
8294 if (session->version == SSL_VER_UNKNOWN0) {
8295 if (lowest_version == SSL_VER_UNKNOWN0) {
8296 lowest_version = current_version;
8297 } else if (current_version != SSL_VER_UNKNOWN0) {
8298 if (!is_dtls) {
8299 lowest_version = MIN(lowest_version, current_version)(((lowest_version) < (current_version)) ? (lowest_version)
: (current_version));
8300 } else {
8301 lowest_version = MAX(lowest_version, current_version)(((lowest_version) > (current_version)) ? (lowest_version)
: (current_version));
8302 }
8303 }
8304 }
8305 max_draft_version = MAX(draft_version, max_draft_version)(((draft_version) > (max_draft_version)) ? (draft_version)
: (max_draft_version));
8306 if (ja4_data && !IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8307 /* The DTLS version numbers get mapped to "00" for unknown per
8308 * JA4 spec, but if JA4 ever does support DTLS we'll probably
8309 * need to take the MIN instead of MAX here for DTLS.
8310 */
8311 ja4_data->max_version = MAX(version, ja4_data->max_version)(((version) > (ja4_data->max_version)) ? (version) : (ja4_data
->max_version));
8312 }
8313 }
8314 if (session->version == SSL_VER_UNKNOWN0 && lowest_version != SSL_VER_UNKNOWN0) {
8315 col_set_str(pinfo->cinfo, COL_PROTOCOL,
8316 val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
8317 }
8318 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
8319 offset = next_offset;
8320 }
8321
8322 /* XXX remove this when draft 19 support is dropped,
8323 * this is only required for early data decryption. */
8324 if (max_draft_version) {
8325 session->tls13_draft_version = max_draft_version;
8326 }
8327
8328 return offset;
8329}
8330
8331static int
8332ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8333 packet_info *pinfo, proto_tree *tree,
8334 uint32_t offset, uint32_t offset_end)
8335{
8336 /* RFC 8446 Section 4.2.2
8337 * struct {
8338 * opaque cookie<1..2^16-1>;
8339 * } Cookie;
8340 */
8341 uint32_t cookie_length;
8342 /* opaque cookie<1..2^16-1> */
8343 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
8344 hf->hf.hs_ext_cookie_len, 1, UINT16_MAX(65535))) {
8345 return offset_end;
8346 }
8347 offset += 2;
8348
8349 proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA0x00000000);
8350 offset += cookie_length;
8351
8352 return offset;
8353}
8354
8355static int
8356ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8357 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8358{
8359 /* RFC 8446 Section 4.2.9
8360 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
8361 *
8362 * struct {
8363 * PskKeyExchangeMode ke_modes<1..255>;
8364 * } PskKeyExchangeModes;
8365 */
8366 uint32_t ke_modes_length, next_offset;
8367
8368 /* PskKeyExchangeMode ke_modes<1..255> */
8369 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
8370 hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
8371 return offset_end;
8372 }
8373 offset++;
8374 next_offset = offset + ke_modes_length;
8375
8376 while (offset < next_offset) {
8377 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA0x00000000);
8378 offset++;
8379 }
8380
8381 return offset;
8382}
8383
8384static uint32_t
8385ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8386 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8387{
8388 /* RFC 8446 Section 4.2.4
8389 * opaque DistinguishedName<1..2^16-1>;
8390 * struct {
8391 * DistinguishedName authorities<3..2^16-1>;
8392 * } CertificateAuthoritiesExtension;
8393 */
8394 return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
8395}
8396
8397static int
8398ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8399 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8400{
8401 /* RFC 8446 Section 4.2.5
8402 * struct {
8403 * opaque certificate_extension_oid<1..2^8-1>;
8404 * opaque certificate_extension_values<0..2^16-1>;
8405 * } OIDFilter;
8406 * struct {
8407 * OIDFilter filters<0..2^16-1>;
8408 * } OIDFilterExtension;
8409 */
8410 proto_tree *subtree;
8411 uint32_t filters_length, oid_length, values_length, value_offset;
8412 asn1_ctx_t asn1_ctx;
8413 const char *oid, *name;
8414
8415 /* OIDFilter filters<0..2^16-1> */
8416 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
8417 hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX(65535))) {
8418 return offset_end;
8419 }
8420 offset += 2;
8421 offset_end = offset + filters_length;
8422
8423 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
8424
8425 while (offset < offset_end) {
8426 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
8427 hf->ett.hs_ext_oid_filter, NULL((void*)0), "OID Filter");
8428
8429 /* opaque certificate_extension_oid<1..2^8-1> */
8430 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
8431 hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX(255))) {
8432 return offset_end;
8433 }
8434 offset++;
8435 dissect_ber_object_identifier_str(false0, &asn1_ctx, subtree, tvb, offset,
8436 hf->hf.hs_ext_oid_filters_oid, &oid);
8437 offset += oid_length;
8438
8439 /* Append OID to tree label */
8440 name = oid_resolved_from_string(pinfo->pool, oid);
8441 proto_item_append_text(subtree, " (%s)", name ? name : oid);
8442
8443 /* opaque certificate_extension_values<0..2^16-1> */
8444 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
8445 hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX(65535))) {
8446 return offset_end;
8447 }
8448 offset += 2;
8449 proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
8450 if (values_length > 0) {
8451 value_offset = offset;
8452 value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0), NULL((void*)0));
8453 value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0));
8454 call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL((void*)0));
8455 }
8456 offset += values_length;
8457 }
8458
8459 return offset;
8460}
8461
8462static int
8463ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8464 packet_info *pinfo, proto_tree *tree,
8465 uint32_t offset, uint32_t offset_end)
8466{
8467 /* https://tools.ietf.org/html/rfc6066#section-3
8468 *
8469 * struct {
8470 * NameType name_type;
8471 * select (name_type) {
8472 * case host_name: HostName;
8473 * } name;
8474 * } ServerName;
8475 *
8476 * enum {
8477 * host_name(0), (255)
8478 * } NameType;
8479 *
8480 * opaque HostName<1..2^16-1>;
8481 *
8482 * struct {
8483 * ServerName server_name_list<1..2^16-1>
8484 * } ServerNameList;
8485 */
8486 proto_tree *server_name_tree;
8487 uint32_t list_length, server_name_length, next_offset;
8488
8489 /* The server SHALL include "server_name" extension with empty data. */
8490 if (offset == offset_end) {
8491 return offset;
8492 }
8493
8494 server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL((void*)0), "Server Name Indication extension");
8495
8496 /* ServerName server_name_list<1..2^16-1> */
8497 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
8498 hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX(65535))) {
8499 return offset_end;
8500 }
8501 offset += 2;
8502 next_offset = offset + list_length;
8503
8504 while (offset < next_offset) {
8505 uint32_t name_type;
8506 const uint8_t *server_name = NULL((void*)0);
8507 proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
8508 tvb, offset, 1, ENC_NA0x00000000, &name_type);
8509 offset++;
8510
8511 /* opaque HostName<1..2^16-1> */
8512 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
8513 hf->hf.hs_ext_server_name_len, 1, UINT16_MAX(65535))) {
8514 return next_offset;
8515 }
8516 offset += 2;
8517
8518 proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
8519 tvb, offset, server_name_length, ENC_ASCII0x00000000|ENC_NA0x00000000,
8520 pinfo->pool, &server_name);
8521 offset += server_name_length;
8522 // Each type must only occur once, so we don't check for duplicates.
8523 if (name_type == 0) {
8524 proto_item_append_text(tree, " name=%s", server_name);
8525 col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);
8526
8527 if (gbl_resolv_flags.handshake_sni_addr_resolution) {
8528 // Client Hello: Client (Src) -> Server (Dst)
8529 switch (pinfo->dst.type) {
8530 case AT_IPv4:
8531 if (pinfo->dst.len == sizeof(uint32_t)) {
8532 add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false0);
8533 }
8534 break;
8535 case AT_IPv6:
8536 if (pinfo->dst.len == sizeof(ws_in6_addr)) {
8537 add_ipv6_name(pinfo->dst.data, server_name, false0);
8538 }
8539 break;
8540 }
8541 }
8542 }
8543 }
8544 return offset;
8545}
8546
8547static int
8548ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8549 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
8550{
8551 unsigned ext_len = offset_end - offset;
8552 if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
8553 tvb_ensure_bytes_exist(tvb, offset, ext_len);
8554 /* Save the Session Ticket such that it can be used as identifier for
8555 * restoring a previous Master Secret (in ChangeCipherSpec) */
8556 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
8557 ssl->session_ticket.data, ext_len);
8558 ssl->session_ticket.data_len = ext_len;
8559 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
8560 }
8561 proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
8562 tvb, offset, ext_len, ENC_NA0x00000000);
8563 return offset + ext_len;
8564}
8565
8566static int
8567ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8568 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8569 uint8_t hnd_type, uint16_t ext_type, SslSession *session)
8570{
8571 uint8_t cert_list_length;
8572 uint8_t cert_type;
8573 proto_tree *cert_list_tree;
8574 proto_item *ti;
8575
8576 switch(hnd_type){
8577 case SSL_HND_CLIENT_HELLO:
8578 cert_list_length = tvb_get_uint8(tvb, offset);
8579 proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
8580 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8581 offset += 1;
8582 if (offset_end - offset != (uint32_t)cert_list_length)
8583 return offset;
8584
8585 ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
8586 cert_list_length, cert_list_length);
8587 proto_item_append_text(ti, " (%d)", cert_list_length);
8588
8589 /* make this a subtree */
8590 cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);
8591
8592 /* loop over all point formats */
8593 while (cert_list_length > 0)
8594 {
8595 proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8596 offset++;
8597 cert_list_length--;
8598 }
8599 break;
8600 case SSL_HND_SERVER_HELLO:
8601 case SSL_HND_ENCRYPTED_EXTENSIONS:
8602 case SSL_HND_CERTIFICATE:
8603 cert_type = tvb_get_uint8(tvb, offset);
8604 proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8605 offset += 1;
8606 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19) {
8607 session->client_cert_type = cert_type;
8608 }
8609 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20) {
8610 session->server_cert_type = cert_type;
8611 }
8612 break;
8613 default: /* no default */
8614 break;
8615 }
8616
8617 return offset;
8618}
8619
8620static uint32_t
8621ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8622 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8623 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8624{
8625 uint32_t compress_certificate_algorithms_length, next_offset;
8626
8627 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
8628 * enum {
8629 * zlib(1),
8630 * brotli(2),
8631 * (65535)
8632 * } CertificateCompressionAlgorithm;
8633 *
8634 * struct {
8635 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;
8636 * } CertificateCompressionAlgorithms;
8637 */
8638 switch (hnd_type) {
8639 case SSL_HND_CLIENT_HELLO:
8640 case SSL_HND_CERT_REQUEST:
8641 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
8642 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
8643 hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX(255)-1)) {
8644 return offset_end;
8645 }
8646 offset += 1;
8647 next_offset = offset + compress_certificate_algorithms_length;
8648
8649 while (offset < next_offset) {
8650 proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
8651 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8652 offset += 2;
8653 }
8654 break;
8655 default:
8656 break;
8657 }
8658
8659 return offset;
8660}
8661
8662static uint32_t
8663ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8664 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8665 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8666{
8667 uint32_t key_parameters_length, next_offset;
8668 proto_item *p_ti;
8669 proto_tree *p_tree;
8670
8671 /* RFC 8472
8672 *
8673 * struct {
8674 * uint8 major;
8675 * uint8 minor;
8676 * } TB_ProtocolVersion;
8677 *
8678 * enum {
8679 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
8680 * } TokenBindingKeyParameters;
8681 *
8682 * struct {
8683 * TB_ProtocolVersion token_binding_version;
8684 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>
8685 * } TokenBindingParameters;
8686 */
8687
8688 switch (hnd_type) {
8689 case SSL_HND_CLIENT_HELLO:
8690 case SSL_HND_SERVER_HELLO:
8691 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8692 offset += 1;
8693 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8694 offset += 1;
8695
8696 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,
8697 hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX(255))) {
8698 return offset_end;
8699 }
8700 offset += 1;
8701 next_offset = offset + key_parameters_length;
8702
8703 p_ti = proto_tree_add_none_format(tree,
8704 hf->hf.hs_ext_token_binding_key_parameters,
8705 tvb, offset, key_parameters_length,
8706 "Key parameters identifiers (%d identifier%s)",
8707 key_parameters_length,
8708 plurality(key_parameters_length, "", "s")((key_parameters_length) == 1 ? ("") : ("s")));
8709 p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);
8710
8711 while (offset < next_offset) {
8712 proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,
8713 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8714 offset += 1;
8715 }
8716
8717 if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {
8718 offset = next_offset;
8719 }
8720
8721 break;
8722 default:
8723 break;
8724 }
8725
8726 return offset;
8727}
8728
8729static uint32_t
8730ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8731 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8732 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8733{
8734 bool_Bool use_varint_encoding = true1; // Whether this is draft -27 or newer.
8735 uint32_t next_offset;
8736
8737 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8738 *
8739 * Note: the following structures are not literally defined in the spec,
8740 * they instead use an ASCII diagram.
8741 *
8742 * struct {
8743 * uint16 id;
8744 * opaque value<0..2^16-1>;
8745 * } TransportParameter; // before draft -27
8746 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8747 *
8748 * struct {
8749 * opaque ipv4Address[4];
8750 * uint16 ipv4Port;
8751 * opaque ipv6Address[16];
8752 * uint16 ipv6Port;
8753 * opaque connectionId<0..18>;
8754 * opaque statelessResetToken[16];
8755 * } PreferredAddress;
8756 */
8757
8758 if (offset_end - offset >= 6 &&
8759 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
8760 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
8761 // Assume encoding of Transport Parameters draft -26 or older with at
8762 // least one transport parameter that has a valid length.
8763 use_varint_encoding = false0;
8764 }
8765
8766 if (use_varint_encoding) {
8767 next_offset = offset_end;
8768 } else {
8769 uint32_t quic_length;
8770 // Assume draft -26 or earlier.
8771 /* TransportParameter TransportParameters<0..2^16-1>; */
8772 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
8773 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {
8774 return offset_end;
8775 }
8776 offset += 2;
8777 next_offset = offset + quic_length;
8778 }
8779
8780 while (offset < next_offset) {
8781 uint64_t parameter_type; /* 62-bit space */
8782 uint32_t parameter_length;
8783 proto_tree *parameter_tree;
8784 uint32_t parameter_end_offset;
8785 uint64_t value;
8786 uint32_t len = 0, i;
8787
8788 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
8789 NULL((void*)0), "Parameter");
8790 /* TransportParameter ID and Length. */
8791 if (use_varint_encoding) {
8792 uint64_t parameter_length64;
8793 uint32_t type_len = 0;
8794
8795 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8796 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);
8797 offset += type_len;
8798
8799 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
8800 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);
8801 parameter_length = (uint32_t)parameter_length64;
8802 offset += len;
8803
8804 proto_item_set_len(parameter_tree, type_len + len + parameter_length);
8805 } else {
8806 parameter_type = tvb_get_ntohs(tvb, offset);
8807 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8808 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8809 offset += 2;
8810
8811 /* opaque value<0..2^16-1> */
8812 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
8813 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {
8814 return next_offset;
8815 }
8816 offset += 2;
8817
8818 proto_item_set_len(parameter_tree, 4 + parameter_length);
8819 }
8820
8821 if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
0) : 0)) {
8822 proto_item_append_text(parameter_tree, ": GREASE");
8823 } else {
8824 proto_item_append_text(parameter_tree, ": %s", val64_to_str_wmem(pinfo->pool, parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
8825 }
8826
8827 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
8828 parameter_end_offset = offset + parameter_length;
8829
8830 /* Omit the value field if the parameter's length is 0. */
8831 if (parameter_length != 0) {
8832 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
8833 tvb, offset, parameter_length, ENC_NA0x00000000);
8834 }
8835
8836 switch (parameter_type) {
8837 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:
8838 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
8839 tvb, offset, parameter_length, ENC_NA0x00000000);
8840 offset += parameter_length;
8841 break;
8842 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:
8843 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
8844 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8845 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);
8846 offset += len;
8847 break;
8848 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:
8849 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
8850 tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);
8851 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));
8852 offset += 16;
8853 break;
8854 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:
8855 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
8856 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8857 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8858 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
8859 offset += len;
8860 break;
8861 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:
8862 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
8863 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8864 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8865 offset += len;
8866 break;
8867 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:
8868 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
8869 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8870 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8871 offset += len;
8872 break;
8873 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:
8874 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
8875 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8876 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8877 offset += len;
8878 break;
8879 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:
8880 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
8881 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8882 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8883 offset += len;
8884 break;
8885 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:
8886 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
8887 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8888 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8889 offset += len;
8890 break;
8891 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:
8892 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
8893 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8894 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8895 offset += len;
8896 break;
8897 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:
8898 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
8899 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
8900 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
8901 offset += len;
8902 break;
8903 case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:
8904 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
8905 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8906 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8907 offset += len;
8908 break;
8909 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:
8910 /* No Payload */
8911 break;
8912 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {
8913 uint32_t connectionid_length;
8914 quic_cid_t cid;
8915
8916 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
8917 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8918 offset += 4;
8919 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
8920 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8921 offset += 2;
8922 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
8923 tvb, offset, 16, ENC_NA0x00000000);
8924 offset += 16;
8925 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
8926 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8927 offset += 2;
8928 /* XXX - Should we add these addresses and ports as addresses that the client
8929 * is allowed / expected to migrate the server address to? Right now we don't
8930 * enforce that (see RFC 9000 Section 9, which implies that while the client
8931 * can migrate to whatever address it wants, it can only migrate the server
8932 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
8933 */
8934
8935 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
8936 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
8937 break;
8938 }
8939 offset += 1;
8940
8941 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
8942 tvb, offset, connectionid_length, ENC_NA0x00000000);
8943 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8944 cid.len = connectionid_length;
8945 // RFC 9000 5.1.1 "If the preferred_address transport
8946 // parameter is sent, the sequence number of the supplied
8947 // connection ID is 1."
8948 cid.seq_num = 1;
8949 // Multipath draft-07 "Also, the Path Identifier for the
8950 // connection ID specified in the "preferred address"
8951 // transport parameter is 0."
8952 cid.path_id = 0;
8953 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
8954 quic_add_connection(pinfo, &cid);
8955 }
8956 offset += connectionid_length;
8957
8958 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
8959 tvb, offset, 16, ENC_NA0x00000000);
8960 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8961 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
8962 }
8963 offset += 16;
8964 }
8965 break;
8966 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:
8967 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
8968 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8969 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8970 offset += len;
8971 break;
8972 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:
8973 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
8974 tvb, offset, parameter_length, ENC_NA0x00000000);
8975 offset += parameter_length;
8976 break;
8977 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:
8978 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
8979 tvb, offset, parameter_length, ENC_NA0x00000000);
8980 offset += parameter_length;
8981 break;
8982 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:
8983 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
8984 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8985 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8986 offset += len;
8987 break;
8988 case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:
8989 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
8990 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8991 proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);
8992 offset += len;
8993 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
8994 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8995 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);
8996 offset += len;
8997 break;
8998 case SSL_HND_QUIC_TP_LOSS_BITS0x1057:
8999 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
9000 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9001 if (len > 0) {
9002 quic_add_loss_bits(pinfo, value);
9003 }
9004 offset += 1;
9005 break;
9006 case SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176:
9007 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_address_discovery,
9008 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
9009 offset += len;
9010 break;
9011 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:
9012 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:
9013 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:
9014 case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:
9015 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
9016 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9017 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9018 offset += len;
9019 break;
9020 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:
9021 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
9022 tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
9023 offset += parameter_length;
9024 break;
9025 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:
9026 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
9027 tvb, offset, parameter_length, ENC_NA0x00000000);
9028 offset += parameter_length;
9029 break;
9030 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:
9031 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
9032 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
9033 offset += 4;
9034 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
9035 uint32_t versions_length;
9036
9037 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
9038 tvb, offset, 1, ENC_NA0x00000000, &versions_length);
9039 offset += 1;
9040 for (i = 0; i < versions_length / 4; i++) {
9041 quic_proto_tree_add_version(tvb, parameter_tree,
9042 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
9043 offset += 4;
9044 }
9045 }
9046 break;
9047 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:
9048 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
9049 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9050 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);
9051 offset += len;
9052 break;
9053 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:
9054 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
9055 tvb, offset, parameter_length, ENC_NA0x00000000);
9056 offset += parameter_length;
9057 break;
9058 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:
9059 /* This field was used for non-standard Google-specific parameters encoded as a
9060 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
9061 * parameters. Report it as a bytes blob... */
9062 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
9063 tvb, offset, parameter_length, ENC_NA0x00000000);
9064 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
9065 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
9066 tvb, offset, 4, ENC_NA0x00000000);
9067 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
9068 offset += parameter_length;
9069 break;
9070 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:
9071 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
9072 tvb, offset, parameter_length, ENC_NA0x00000000);
9073 offset += parameter_length;
9074 break;
9075 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:
9076 /* No Payload */
9077 break;
9078 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:
9079 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
9080 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9081 offset += parameter_length;
9082 break;
9083 case SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db:
9084 case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:
9085 quic_proto_tree_add_version(tvb, parameter_tree,
9086 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
9087 offset += 4;
9088 for (i = 4; i < parameter_length; i += 4) {
9089 quic_proto_tree_add_version(tvb, parameter_tree,
9090 hf->hf.hs_ext_quictp_parameter_other_version, offset);
9091 offset += 4;
9092 }
9093 break;
9094 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:
9095 /* No Payload */
9096 quic_add_grease_quic_bit(pinfo);
9097 break;
9098 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:
9099 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
9100 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9101 offset += parameter_length;
9102 break;
9103 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:
9104 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
9105 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9106 if (value == 1) {
9107 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9108 }
9109 offset += parameter_length;
9110 break;
9111 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:
9112 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:
9113 /* No Payload */
9114 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9115 break;
9116 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:
9117 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
9118 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9119 if (value > 1) {
9120 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9121 }
9122 /* multipath draft-07: "The value of the initial_max_paths
9123 * parameter MUST be at least 2." TODO: Expert Info? */
9124 offset += parameter_length;
9125 break;
9126 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09:
9127 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11:
9128 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c:
9129 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d0d:
9130 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
9131 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9132 /* multipath draft-09 and later: "If an endpoint receives an
9133 * initial_max_path_id transport parameter with value 0, the
9134 * peer aims to enable the multipath extension without allowing
9135 * extra paths immediately."
9136 */
9137 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9138 offset += parameter_length;
9139 break;
9140 default:
9141 offset += parameter_length;
9142 /*TODO display expert info about unknown ? */
9143 break;
9144 }
9145
9146 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
9147 /* Dissection did not end at expected location, fix it. */
9148 offset = parameter_end_offset;
9149 }
9150 }
9151
9152 return offset;
9153}
9154
9155static int
9156ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9157 proto_tree *tree, uint32_t offset,
9158 SslSession *session, SslDecryptSession *ssl,
9159 bool_Bool from_server, bool_Bool is_hrr)
9160{
9161 uint8_t sessid_length;
9162 proto_item *ti;
9163 proto_tree *rnd_tree;
9164 proto_tree *ti_rnd;
9165 proto_tree *ech_confirm_tree;
9166 uint8_t draft_version = session->tls13_draft_version;
9167
9168 if (ssl) {
9169 StringInfo *rnd;
9170 if (from_server)
9171 rnd = &ssl->server_random;
9172 else
9173 rnd = &ssl->client_random;
9174
9175 /* save provided random for later keyring generation */
9176 tvb_memcpy(tvb, rnd->data, offset, 32);
9177 rnd->data_len = 32;
9178 if (from_server)
9179 ssl->state |= SSL_SERVER_RANDOM(1<<1);
9180 else
9181 ssl->state |= SSL_CLIENT_RANDOM(1<<0);
9182 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)),
9183 from_server ? "SERVER" : "CLIENT", ssl->state);
9184 }
9185
9186 if (!from_server && session->client_random.data_len == 0) {
9187 session->client_random.data_len = 32;
9188 tvb_memcpy(tvb, session->client_random.data, offset, 32);
9189 }
9190
9191 ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA0x00000000);
9192
9193 if ((session->version != TLSV1DOT3_VERSION0x304) && (session->version != DTLSV1DOT3_VERSION0xfefc)) { /* No time on first bytes random with TLS 1.3 */
9194
9195 rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9196 /* show the time */
9197 proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
9198 tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_BIG_ENDIAN0x00000000);
9199 offset += 4;
9200
9201 /* show the random bytes */
9202 proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
9203 tvb, offset, 28, ENC_NA0x00000000);
9204 offset += 28;
9205 } else {
9206 if (is_hrr) {
9207 proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
9208 } else if (from_server && session->ech) {
9209 ech_confirm_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9210 proto_tree_add_item(ech_confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA0x00000000);
9211 ti = proto_tree_add_bytes_with_length(ech_confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
9212 session->ech_confirmation, 8);
9213 proto_item_set_generated(ti);
9214 if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8)) {
9215 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
9216 } else {
9217 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
9218 }
9219 }
9220
9221 offset += 32;
9222 }
9223
9224 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
9225 if (from_server == 0 || !(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
9226 /* show the session id (length followed by actual Session ID) */
9227 sessid_length = tvb_get_uint8(tvb, offset);
9228 proto_tree_add_item(tree, hf->hf.hs_session_id_len,
9229 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9230 offset++;
9231
9232 if (ssl) {
9233 /* save the authoritative SID for later use in ChangeCipherSpec.
9234 * (D)TLS restricts the SID to 32 chars, it does not make sense to
9235 * save more, so ignore larger ones. */
9236 if (from_server && sessid_length <= 32) {
9237 tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
9238 ssl->session_id.data_len = sessid_length;
9239 }
9240 }
9241 if (sessid_length > 0) {
9242 proto_tree_add_item(tree, hf->hf.hs_session_id,
9243 tvb, offset, sessid_length, ENC_NA0x00000000);
9244 offset += sessid_length;
9245 }
9246 }
9247
9248 return offset;
9249}
9250
9251static int
9252ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9253 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9254 bool_Bool has_length)
9255{
9256 /* TLS 1.2/1.3 status_request Client Hello Extension.
9257 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
9258 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
9259 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
9260 * struct {
9261 * CertificateStatusType status_type;
9262 * uint16 request_length; // for status_request_v2
9263 * select (status_type) {
9264 * case ocsp: OCSPStatusRequest;
9265 * case ocsp_multi: OCSPStatusRequest;
9266 * } request;
9267 * } CertificateStatusRequest; // CertificateStatusRequestItemV2
9268 *
9269 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
9270 * struct {
9271 * ResponderID responder_id_list<0..2^16-1>;
9272 * Extensions request_extensions;
9273 * } OCSPStatusRequest;
9274 * opaque ResponderID<1..2^16-1>;
9275 * opaque Extensions<0..2^16-1>;
9276 */
9277 unsigned cert_status_type;
9278
9279 cert_status_type = tvb_get_uint8(tvb, offset);
9280 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
9281 tvb, offset, 1, ENC_NA0x00000000);
9282 offset++;
9283
9284 if (has_length) {
9285 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
9286 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9287 offset += 2;
9288 }
9289
9290 switch (cert_status_type) {
9291 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9292 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9293 {
9294 uint32_t responder_id_list_len;
9295 uint32_t request_extensions_len;
9296
9297 /* ResponderID responder_id_list<0..2^16-1> */
9298 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
9299 hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX(65535))) {
9300 return offset_end;
9301 }
9302 offset += 2;
9303 if (responder_id_list_len != 0) {
9304 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9305 tvb, offset, responder_id_list_len,
9306 "Responder ID list is not implemented, contact Wireshark"
9307 " developers if you want this to be supported");
9308 }
9309 offset += responder_id_list_len;
9310
9311 /* opaque Extensions<0..2^16-1> */
9312 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
9313 hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX(65535))) {
9314 return offset_end;
9315 }
9316 offset += 2;
9317 if (request_extensions_len != 0) {
9318 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9319 tvb, offset, request_extensions_len,
9320 "Request Extensions are not implemented, contact"
9321 " Wireshark developers if you want this to be supported");
9322 }
9323 offset += request_extensions_len;
9324 break;
9325 }
9326 }
9327
9328 return offset;
9329}
9330
9331static unsigned
9332ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9333 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9334{
9335 /* https://tools.ietf.org/html/rfc6961#section-2.2
9336 * struct {
9337 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
9338 * } CertificateStatusRequestListV2;
9339 */
9340 uint32_t req_list_length, next_offset;
9341
9342 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
9343 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
9344 hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX(65535))) {
9345 return offset_end;
9346 }
9347 offset += 2;
9348 next_offset = offset + req_list_length;
9349
9350 while (offset < next_offset) {
9351 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true1);
9352 }
9353
9354 return offset;
9355}
9356
9357static uint32_t
9358tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9359 uint32_t offset, uint32_t offset_end)
9360{
9361 uint32_t response_length;
9362 proto_item *ocsp_resp;
9363 proto_tree *ocsp_resp_tree;
9364 asn1_ctx_t asn1_ctx;
9365
9366 /* opaque OCSPResponse<1..2^24-1>; */
9367 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
9368 hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9369 return offset_end;
9370 }
9371 offset += 3;
9372
9373 ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
9374 response_length, ENC_BIG_ENDIAN0x00000000);
9375 proto_item_set_text(ocsp_resp, "OCSP Response");
9376 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
9377 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
9378 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
9379 dissect_ocsp_OCSPResponse(false0, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
9380 }
9381 offset += response_length;
9382
9383 return offset;
9384}
9385
9386uint32_t
9387tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9388 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9389{
9390 /* TLS 1.2 "CertificateStatus" handshake message.
9391 * TLS 1.3 "status_request" Certificate extension.
9392 * struct {
9393 * CertificateStatusType status_type;
9394 * select (status_type) {
9395 * case ocsp: OCSPResponse;
9396 * case ocsp_multi: OCSPResponseList; // status_request_v2
9397 * } response;
9398 * } CertificateStatus;
9399 * opaque OCSPResponse<1..2^24-1>;
9400 * struct {
9401 * OCSPResponse ocsp_response_list<1..2^24-1>;
9402 * } OCSPResponseList; // status_request_v2
9403 */
9404 uint32_t status_type, resp_list_length, next_offset;
9405
9406 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
9407 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &status_type);
9408 offset += 1;
9409
9410 switch (status_type) {
9411 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9412 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
9413 break;
9414
9415 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9416 /* OCSPResponse ocsp_response_list<1..2^24-1> */
9417 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
9418 hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9419 return offset_end;
9420 }
9421 offset += 3;
9422 next_offset = offset + resp_list_length;
9423
9424 while (offset < next_offset) {
9425 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
9426 }
9427 break;
9428 }
9429
9430 return offset;
9431}
9432
9433static unsigned
9434ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9435 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9436 wmem_strbuf_t *ja3)
9437{
9438 /* RFC 8446 Section 4.2.7
9439 * enum { ..., (0xFFFF) } NamedGroup;
9440 * struct {
9441 * NamedGroup named_group_list<2..2^16-1>
9442 * } NamedGroupList;
9443 *
9444 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
9445 * the extension itself from "elliptic_curves" to "supported_groups".
9446 */
9447 uint32_t groups_length, next_offset;
9448 proto_tree *groups_tree;
9449 proto_item *ti;
9450 char *ja3_dash = "";
9451
9452 /* NamedGroup named_group_list<2..2^16-1> */
9453 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
9454 hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX(65535))) {
9455 return offset_end;
9456 }
9457 offset += 2;
9458 next_offset = offset + groups_length;
9459
9460 ti = proto_tree_add_none_format(tree,
9461 hf->hf.hs_ext_supported_groups,
9462 tvb, offset, groups_length,
9463 "Supported Groups (%d group%s)",
9464 groups_length / 2,
9465 plurality(groups_length/2, "", "s")((groups_length/2) == 1 ? ("") : ("s")));
9466
9467 /* make this a subtree */
9468 groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);
9469
9470 if (ja3) {
9471 wmem_strbuf_append_c(ja3, ',');
9472 }
9473 /* loop over all groups */
9474 while (offset + 2 <= offset_end) {
9475 uint32_t ext_supported_group;
9476
9477 proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
9478 ENC_BIG_ENDIAN0x00000000, &ext_supported_group);
9479 offset += 2;
9480 if (ja3 && !IS_GREASE_TLS(ext_supported_group)((((ext_supported_group) & 0x0f0f) == 0x0a0a) && (
((ext_supported_group) & 0xff) == (((ext_supported_group)
>>8) & 0xff)))) {
9481 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
9482 ja3_dash = "-";
9483 }
9484 }
9485 if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
9486 offset = next_offset;
9487 }
9488
9489 return offset;
9490}
9491
9492static int
9493ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9494 proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
9495{
9496 uint8_t ecpf_length;
9497 proto_tree *ecpf_tree;
9498 proto_item *ti;
9499
9500 ecpf_length = tvb_get_uint8(tvb, offset);
9501 proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
9502 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9503
9504 offset += 1;
9505 ti = proto_tree_add_none_format(tree,
9506 hf->hf.hs_ext_ec_point_formats,
9507 tvb, offset, ecpf_length,
9508 "Elliptic curves point formats (%d)",
9509 ecpf_length);
9510
9511 /* make this a subtree */
9512 ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);
9513
9514 if (ja3) {
9515 wmem_strbuf_append_c(ja3, ',');
9516 }
9517
9518 /* loop over all point formats */
9519 while (ecpf_length > 0)
9520 {
9521 uint32_t ext_ec_point_format;
9522
9523 proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
9524 ENC_BIG_ENDIAN0x00000000, &ext_ec_point_format);
9525 offset++;
9526 ecpf_length--;
9527 if (ja3) {
9528 wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
9529 if (ecpf_length > 0) {
9530 wmem_strbuf_append_c(ja3, '-');
9531 }
9532 }
9533 }
9534
9535 return offset;
9536}
9537
9538static int
9539ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9540 packet_info *pinfo, proto_tree *tree,
9541 uint32_t offset, uint32_t next_offset)
9542{
9543 /* https://tools.ietf.org/html/rfc5054#section-2.8.1
9544 * opaque srp_I<1..2^8-1>;
9545 */
9546 uint32_t username_len;
9547
9548 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
9549 hf->hf.hs_ext_srp_len, 1, UINT8_MAX(255))) {
9550 return next_offset;
9551 }
9552 offset++;
9553
9554 proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
9555 tvb, offset, username_len, ENC_UTF_80x00000002|ENC_NA0x00000000);
9556 offset += username_len;
9557
9558 return offset;
9559}
9560
9561static uint32_t
9562tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9563 uint32_t offset, uint32_t offset_end, uint16_t version)
9564{
9565 /* https://tools.ietf.org/html/rfc6962#section-3.2
9566 * enum { v1(0), (255) } Version;
9567 * struct {
9568 * opaque key_id[32];
9569 * } LogID;
9570 * opaque CtExtensions<0..2^16-1>;
9571 * struct {
9572 * Version sct_version;
9573 * LogID id;
9574 * uint64 timestamp;
9575 * CtExtensions extensions;
9576 * digitally-signed struct { ... };
9577 * } SignedCertificateTimestamp;
9578 */
9579 uint32_t sct_version;
9580 uint64_t sct_timestamp_ms;
9581 nstime_t sct_timestamp;
9582 uint32_t exts_len;
9583 const char *log_name;
9584
9585 proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA0x00000000, &sct_version);
9586 offset++;
9587 if (sct_version != 0) {
9588 // TODO expert info about unknown SCT version?
9589 return offset;
9590 }
9591 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN0x00000000);
9592 log_name = bytesval_to_str_wmem(pinfo->pool, tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
9593 proto_item_append_text(tree, " (%s)", log_name);
9594 offset += 32;
9595 sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);
9596 sct_timestamp.secs = (time_t)(sct_timestamp_ms / 1000);
9597 sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);
9598 proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
9599 offset += 8;
9600 /* opaque CtExtensions<0..2^16-1> */
9601 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
9602 hf->hf.sct_sct_extensions_length, 0, UINT16_MAX(65535))) {
9603 return offset_end;
9604 }
9605 offset += 2;
9606 if (exts_len > 0) {
9607 proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN0x00000000);
9608 offset += exts_len;
9609 }
9610 offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
9611 hf->hf.sct_sct_signature_length,
9612 hf->hf.sct_sct_signature);
9613 return offset;
9614}
9615
9616uint32_t
9617tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9618 uint32_t offset, uint32_t offset_end, uint16_t version)
9619{
9620 /* https://tools.ietf.org/html/rfc6962#section-3.3
9621 * opaque SerializedSCT<1..2^16-1>;
9622 * struct {
9623 * SerializedSCT sct_list <1..2^16-1>;
9624 * } SignedCertificateTimestampList;
9625 */
9626 uint32_t list_length, sct_length, next_offset;
9627 proto_tree *subtree;
9628
9629 /* SerializedSCT sct_list <1..2^16-1> */
9630 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
9631 hf->hf.sct_scts_length, 1, UINT16_MAX(65535))) {
9632 return offset_end;
9633 }
9634 offset += 2;
9635
9636 while (offset < offset_end) {
9637 subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL((void*)0), "Signed Certificate Timestamp");
9638
9639 /* opaque SerializedSCT<1..2^16-1> */
9640 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,
9641 hf->hf.sct_sct_length, 1, UINT16_MAX(65535))) {
9642 return offset_end;
9643 }
9644 offset += 2;
9645 next_offset = offset + sct_length;
9646 proto_item_set_len(subtree, 2 + sct_length);
9647 offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
9648 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
9649 offset = next_offset;
9650 }
9651 }
9652
9653 return offset;
9654}
9655
9656static int
9657dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
9658 proto_tree *tree, uint32_t offset)
9659{
9660 uint32_t kdf_id, aead_id;
9661 proto_item *cs_ti;
9662 proto_tree *cs_tree;
9663
9664 cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
9665 tvb, offset, 4, ENC_NA0x00000000);
9666 cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);
9667
9668 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
9669 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &kdf_id);
9670 offset += 2;
9671 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
9672 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &aead_id);
9673 offset += 2;
9674
9675 proto_item_append_text(cs_ti, ": %s/%s",
9676 val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
9677 val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
9678 return offset;
9679}
9680
9681static int
9682dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9683 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9684 uint32_t *config_id)
9685{
9686 uint32_t length, cipher_suite_length;
9687 proto_item *kc_ti, *css_ti;
9688 proto_tree *kc_tree, *css_tree;
9689 uint32_t original_offset = offset, next_offset;
9690
9691 kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
9692 tvb, offset, -1, ENC_NA0x00000000);
9693 kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);
9694
9695 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
9696 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, config_id);
9697 offset += 1;
9698 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
9699 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9700 offset += 2;
9701 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
9702 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9703 offset += 2;
9704 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
9705 tvb, offset, length, ENC_NA0x00000000);
9706 offset += length;
9707
9708 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
9709 if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
9710 hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX(65535) - 3)) {
9711 return offset_end;
9712 }
9713 offset += 2;
9714 next_offset = offset + cipher_suite_length;
9715
9716 css_ti = proto_tree_add_none_format(kc_tree,
9717 hf->hf.ech_hpke_keyconfig_cipher_suites,
9718 tvb, offset, cipher_suite_length,
9719 "Cipher Suites (%d suite%s)",
9720 cipher_suite_length / 4,
9721 plurality(cipher_suite_length / 4, "", "s")((cipher_suite_length / 4) == 1 ? ("") : ("s")));
9722 css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);
9723
9724
9725 while (offset + 4 <= next_offset) {
9726 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
9727 }
9728
9729 if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
9730 offset = next_offset;
9731 }
9732
9733 proto_item_set_len(kc_ti, offset - original_offset);
9734
9735 return offset;
9736}
9737
9738static int
9739dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9740 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9741 const uint8_t **public_name, uint32_t *config_id)
9742{
9743 uint32_t public_name_length, extensions_length, next_offset;
9744
9745 offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
9746 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
9747 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9748 offset += 1;
9749 proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
9750 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &public_name_length);
9751 offset += 1;
9752 proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
9753 tvb, offset, public_name_length, ENC_ASCII0x00000000, pinfo->pool, public_name);
9754 offset += public_name_length;
9755
9756 /* Extension extensions<0..2^16-1>; */
9757 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
9758 hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX(65535))) {
9759 return offset_end;
9760 }
9761 offset += 2;
9762 next_offset = offset + extensions_length;
9763
9764 if (extensions_length > 0) {
9765 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
9766 tvb, offset, extensions_length, ENC_NA0x00000000);
9767 }
9768 offset += extensions_length;
9769
9770 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9771 offset = next_offset;
9772 }
9773
9774 return offset;
9775}
9776
9777static int
9778dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9779 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9780{
9781 uint32_t version, length;
9782 proto_item *ech_ti;
9783 proto_tree *ech_tree;
9784 const uint8_t *public_name = NULL((void*)0);
9785 uint32_t config_id = 0;
9786
9787 ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA0x00000000);
9788 ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);
9789
9790 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
9791 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
9792 offset += 2;
9793 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
9794 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9795 offset += 2;
9796
9797 proto_item_set_len(ech_ti, 4 + length);
9798
9799 switch(version) {
9800 case 0xfe0d:
9801 dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
9802 proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
9803 break;
9804
9805 default:
9806 expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
9807 }
9808
9809 return 4 + length;
9810}
9811
9812uint32_t
9813ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9814 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9815{
9816 uint32_t echconfiglist_length, next_offset;
9817
9818 /* ECHConfig ECHConfigList<1..2^16-1>; */
9819 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
9820 hf->hf.ech_echconfiglist_length, 1, UINT16_MAX(65535))) {
9821 return offset_end;
9822 }
9823 offset += 2;
9824 next_offset = offset + echconfiglist_length;
9825
9826 while (offset < next_offset) {
9827 offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
9828 }
9829
9830 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9831 offset = next_offset;
9832 }
9833
9834 return offset;
9835}
9836
9837static uint32_t
9838ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9839 uint32_t offset, uint32_t offset_end)
9840{
9841 uint32_t ext_length, next_offset;
9842 proto_tree *ext_tree;
9843 proto_item *ti;
9844
9845 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
9846 hf->hf.hs_ext_ech_outer_ext_len, 2, UINT8_MAX(255))) {
9847 return offset_end;
9848 }
9849 offset += 1;
9850 next_offset = offset + ext_length;
9851
9852 ti = proto_tree_add_none_format(tree,
9853 hf->hf.hs_ext_ech_outer_ext,
9854 tvb, offset, ext_length,
9855 "Outer Extensions (%d extension%s)",
9856 ext_length / 2,
9857 plurality(ext_length/2, "", "s")((ext_length/2) == 1 ? ("") : ("s")));
9858
9859 ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);
9860
9861 while (offset + 2 <= offset_end) {
9862 proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9863 offset += 2;
9864 }
9865
9866 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
9867 offset = next_offset;
9868 }
9869
9870 return offset;
9871}
9872
9873static uint32_t
9874// NOLINTNEXTLINE(misc-no-recursion)
9875ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9876 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9877 uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
9878 uint32_t initial_offset, uint32_t hello_length)
9879{
9880 uint32_t ch_type, length;
9881 proto_item *ti, *payload_ti;
9882 proto_tree *retry_tree, *payload_tree;
9883
9884 switch (hnd_type) {
9885 case SSL_HND_CLIENT_HELLO:
9886 /*
9887 * enum { outer(0), inner(1) } ECHClientHelloType;
9888 *
9889 * struct {
9890 * ECHClientHelloType type;
9891 * select (ECHClientHello.type) {
9892 * case outer:
9893 * HpkeSymmetricCipherSuite cipher_suite;
9894 * uint8 config_id;
9895 * opaque enc<0..2^16-1>;
9896 * opaque payload<1..2^16-1>;
9897 * case inner:
9898 * Empty;
9899 * };
9900 * } ECHClientHello;
9901 */
9902
9903 proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &ch_type);
9904 offset += 1;
9905 switch (ch_type) {
9906 case 0: /* outer */
9907 if (ssl && session->first_ch_ech_frame == 0) {
9908 session->first_ch_ech_frame = pinfo->num;
9909 }
9910 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
9911 uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
9912 uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);
9913
9914 proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9915 uint8_t config_id = tvb_get_uint8(tvb, offset);
9916 offset += 1;
9917 proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9918 offset += 2;
9919 proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA0x00000000);
9920 offset += length;
9921 proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9922 offset += 2;
9923 payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA0x00000000);
9924 offset += length;
9925
9926 if (!mk_map) {
9927 break;
9928 }
9929 if (session->client_random.data_len == 0) {
9930 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
9931 break;
9932 }
9933 StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
9934 StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
9935 if (!ech_secret || !ech_config) {
9936 ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
9937 G_STRFUNC((const char*) (__func__)));
9938 break;
9939 }
9940
9941 if (hpke_hkdf_len(kdf_id) == 0) {
9942 ssl_debug_printf("Unsupported KDF\n");
9943 break;
9944 }
9945
9946 if (hpke_aead_key_len(aead_id) == 0) {
9947 ssl_debug_printf("Unsupported AEAD\n");
9948 break;
9949 }
9950
9951 size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);
9952
9953 uint16_t version = GUINT16_FROM_BE(*(uint16_t *)ech_config->data)(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)ech_config
->data) >> 8) | (guint16) ((guint16) (*(uint16_t *)ech_config
->data) << 8))))));
9954 if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
9955 ssl_debug_printf("Unexpected version in ECH Config\n");
9956 break;
9957 }
9958 uint32_t ech_config_offset = 2;
9959 if (GUINT16_FROM_BE(*(uint16_t *)(ech_config->data + ech_config_offset))(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)(ech_config
->data + ech_config_offset)) >> 8) | (guint16) ((guint16
) (*(uint16_t *)(ech_config->data + ech_config_offset)) <<
8)))))) != ech_config->data_len - 4) {
9960 ssl_debug_printf("Malformed ECH Config, invalid length\n");
9961 break;
9962 }
9963 ech_config_offset += 2;
9964 if (*(ech_config->data + ech_config_offset) != config_id) {
9965 ssl_debug_printf("ECH Config version mismatch\n");
9966 break;
9967 }
9968 ech_config_offset += 1;
9969 uint16_t kem_id_be = *(uint16_t *)(ech_config->data + ech_config_offset);
9970 uint16_t kem_id = GUINT16_FROM_BE(kem_id_be)(((((guint16) ( (guint16) ((guint16) (kem_id_be) >> 8) |
(guint16) ((guint16) (kem_id_be) << 8))))));
9971 uint8_t suite_id[HPKE_SUIT_ID_LEN10];
9972 hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
9973 GByteArray *info = g_byte_array_new();
9974 g_byte_array_append(info, "tls ech", 8);
9975 g_byte_array_append(info, ech_config->data, ech_config->data_len);
9976 uint8_t key[AEAD_MAX_KEY_LENGTH32];
9977 uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH12];
9978 if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE0,
9979 key, base_nonce)) {
9980 g_byte_array_free(info, TRUE(!(0)));
9981 break;
9982 }
9983 g_byte_array_free(info, TRUE(!(0)));
9984 gcry_cipher_hd_t cipher;
9985 if (hpke_setup_aead(&cipher, aead_id, key) ||
9986 hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
9987 gcry_cipher_close(cipher);
9988 break;
9989 }
9990 const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
9991 uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL((void*)0), hello_length);
9992 tvb_memcpy(tvb, ech_aad, initial_offset, hello_length);
9993 memset(ech_aad + offset - length - initial_offset, 0, length);
9994 if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
9995 gcry_cipher_close(cipher);
9996 wmem_free(NULL((void*)0), ech_aad);
9997 break;
9998 }
9999 wmem_free(NULL((void*)0), ech_aad);
10000 uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, length - 16);
10001 if (gcry_cipher_decrypt(cipher, ech_decrypted_data, length - 16, payload, length - 16)) {
10002 gcry_cipher_close(cipher);
10003 break;
10004 }
10005 unsigned char ech_auth_tag_calc[16];
10006 if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, 16)) {
10007 gcry_cipher_close(cipher);
10008 break;
10009 }
10010 if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
10011 memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, 16);
10012 gcry_cipher_close(cipher);
10013 if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
10014 payload + length - 16, 16)) {
10015 ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
10016 } else {
10017 payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
10018 tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, length - 16, length - 16);
10019 add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
10020 if (ssl) {
10021 tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
10022 uint32_t len_offset = ssl->ech_transcript.data_len;
10023 if (ssl->ech_transcript.data_len > 0)
10024 ssl->ech_transcript.data = (unsigned char*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
10025 ssl->ech_transcript.data_len + hello_length + 4);
10026 else
10027 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), hello_length + 4);
10028 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
10029 ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
10030 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
10031 ssl->ech_transcript.data_len += 38;
10032 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset + 34,
10033 tvb_get_uint8(tvb, initial_offset + 34) + 1);
10034 ssl->ech_transcript.data_len += tvb_get_uint8(tvb, initial_offset + 34) + 1;
10035 uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
10036 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10037 2 + tvb_get_ntohs(ech_tvb, ech_offset));
10038 ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10039 ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10040 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10041 1 + tvb_get_uint8(ech_tvb, ech_offset));
10042 ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10043 ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10044 uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
10045 ssl->ech_transcript.data_len += 2;
10046 uint16_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
10047 ech_offset += 2;
10048 while (extensions_end - ech_offset >= 4) {
10049 if (tvb_get_ntohs(ech_tvb, ech_offset) != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768) {
10050 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10051 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2));
10052 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
10053 ech_offset += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
10054 } else if (tvb_get_ntohs(ech_tvb, ech_offset + 2) > 0) {
10055 uint8_t outer_extensions_end = tvb_get_uint8(ech_tvb, ech_offset + 4) + ech_offset + 5;
10056 ech_offset += 5;
10057 uint16_t outer_offset = initial_offset + 35 + tvb_get_uint8(tvb, initial_offset + 34);
10058 outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
10059 outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
10060 while (outer_extensions_end - ech_offset >= 2) {
10061 while (hello_length - outer_offset >= 4) {
10062 if (tvb_get_ntohs(tvb, outer_offset) == tvb_get_ntohs(ech_tvb, ech_offset)) {
10063 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
10064 4 + tvb_get_ntohs(tvb, outer_offset + 2));
10065 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10066 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10067 break;
10068 } else {
10069 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10070 }
10071 }
10072 ech_offset += 2;
10073 }
10074 }
10075 }
10076 uint16_t ech_extensions_len_be = GUINT16_TO_BE(ssl->ech_transcript.data_len - ech_extensions_len_offset - 2)((((guint16) ( (guint16) ((guint16) (ssl->ech_transcript.data_len
- ech_extensions_len_offset - 2) >> 8) | (guint16) ((guint16
) (ssl->ech_transcript.data_len - ech_extensions_len_offset
- 2) << 8)))));
10077 *(ssl->ech_transcript.data + ech_extensions_len_offset) = ech_extensions_len_be & 0xff;
10078 *(ssl->ech_transcript.data + ech_extensions_len_offset + 1) = (ech_extensions_len_be >> 8);
10079 *(ssl->ech_transcript.data + len_offset + 2) = ((ssl->ech_transcript.data_len - len_offset - 4) >> 8);
10080 *(ssl->ech_transcript.data + len_offset + 3) = (ssl->ech_transcript.data_len - len_offset - 4) & 0xff;
10081 }
10082 uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, length - 16, session,
10083 ssl, NULL((void*)0), mk_map);
10084 if (ech_padding_begin < length - 16) {
10085 proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, length - 16 - ech_padding_begin,
10086 ENC_NA0x00000000);
10087 }
10088 }
10089
10090 break;
10091 case 1: /* inner */
10092 break;
10093 }
10094 break;
10095
10096 case SSL_HND_ENCRYPTED_EXTENSIONS:
10097 /*
10098 * struct {
10099 * ECHConfigList retry_configs;
10100 * } ECHEncryptedExtensions;
10101 */
10102
10103 ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA0x00000000);
10104 retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
10105 offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
10106 break;
10107
10108 case SSL_HND_HELLO_RETRY_REQUEST:
10109 /*
10110 * struct {
10111 * opaque confirmation[8];
10112 * } ECHHelloRetryRequest;
10113 */
10114
10115 proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA0x00000000);
10116 if (session->ech) {
10117 ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
10118 proto_item_set_generated(ti);
10119 if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
10120 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
10121 } else {
10122 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
10123 }
10124 }
10125 offset += 8;
10126 break;
10127 }
10128
10129 return offset;
10130}
10131
10132static uint32_t
10133ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10134 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10135 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
10136{
10137 uint32_t record_digest_length, encrypted_sni_length;
10138
10139 switch (hnd_type) {
10140 case SSL_HND_CLIENT_HELLO:
10141 /*
10142 * struct {
10143 * CipherSuite suite;
10144 * KeyShareEntry key_share;
10145 * opaque record_digest<0..2^16-1>;
10146 * opaque encrypted_sni<0..2^16-1>;
10147 * } ClientEncryptedSNI;
10148 */
10149 proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
10150 offset += 2;
10151 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL((void*)0));
10152
10153 /* opaque record_digest<0..2^16-1> */
10154 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
10155 hf->hf.esni_record_digest_length, 0, UINT16_MAX(65535))) {
10156 return offset_end;
10157 }
10158 offset += 2;
10159 if (record_digest_length > 0) {
10160 proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA0x00000000);
10161 offset += record_digest_length;
10162 }
10163
10164 /* opaque encrypted_sni<0..2^16-1> */
10165 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
10166 hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX(65535))) {
10167 return offset_end;
10168 }
10169 offset += 2;
10170 if (encrypted_sni_length > 0) {
10171 proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA0x00000000);
10172 offset += encrypted_sni_length;
10173 }
10174 break;
10175
10176 case SSL_HND_ENCRYPTED_EXTENSIONS:
10177 proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA0x00000000);
10178 offset += 16;
10179 break;
10180 }
10181
10182 return offset;
10183}
10184/** TLS Extensions (in Client Hello and Server Hello). }}} */
10185
10186/* Connection ID dissection. {{{ */
10187static uint32_t
10188ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10189 proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
10190 uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
10191{
10192 /* keep track of the decrypt session only for the first pass */
10193 if (cidl > 0 && !PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
10194 tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
10195 *session_cidl = cidl;
10196 *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);
10197 tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
10198 if (ssl) {
10199 ssl_add_session_by_cid(ssl);
10200 }
10201 }
10202
10203 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
10204 tvb, offset, 1, ENC_NA0x00000000);
10205 offset++;
10206
10207 if (cidl > 0) {
10208 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
10209 tvb, offset, cidl, ENC_NA0x00000000);
10210 offset += cidl;
10211 }
10212
10213 return offset;
10214}
10215
10216static uint32_t
10217ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10218 proto_tree *tree, uint32_t offset, uint8_t hnd_type,
10219 SslSession *session, SslDecryptSession *ssl)
10220{
10221 uint8_t cidl = tvb_get_uint8(tvb, offset);
10222
10223 switch (hnd_type) {
10224 case SSL_HND_CLIENT_HELLO:
10225 session->client_cid_len_present = true1;
10226 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10227 cidl, &session->client_cid, &session->client_cid_len);
10228 case SSL_HND_SERVER_HELLO:
10229 session->server_cid_len_present = true1;
10230 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10231 cidl, &session->server_cid, &session->server_cid_len);
10232 default:
10233 return offset;
10234 }
10235} /* }}} */
10236
10237/* Trusted CA dissection. {{{ */
10238static uint32_t
10239ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10240 uint32_t offset, uint32_t offset_end)
10241{
10242 proto_item *ti;
10243 proto_tree *subtree;
10244 uint32_t keys_length, next_offset;
10245
10246 /*
10247 * struct {
10248 * TrustedAuthority trusted_authorities_list<0..2^16-1>;
10249 * } TrustedAuthorities;
10250 *
10251 * struct {
10252 * IdentifierType identifier_type;
10253 * select (identifier_type) {
10254 * case pre_agreed: struct {};
10255 * case key_sha1_hash: SHA1Hash;
10256 * case x509_name: DistinguishedName;
10257 * case cert_sha1_hash: SHA1Hash;
10258 * } identifier;
10259 * } TrustedAuthority;
10260 *
10261 * enum {
10262 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10263 * cert_sha1_hash(3), (255)
10264 * } IdentifierType;
10265 *
10266 * opaque DistinguishedName<1..2^16-1>;
10267 *
10268 */
10269
10270
10271 /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
10272 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
10273 0, UINT16_MAX(65535)))
10274 {
10275 return offset_end;
10276 }
10277 offset += 2;
10278 next_offset = offset + keys_length;
10279
10280 if (keys_length > 0)
10281 {
10282 ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
10283 "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s")((keys_length) == 1 ? ("") : ("s")));
10284 subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);
10285
10286 while (offset < next_offset)
10287 {
10288 uint32_t identifier_type;
10289 proto_tree *trusted_key_tree;
10290 proto_item *trusted_key_item;
10291 asn1_ctx_t asn1_ctx;
10292 uint32_t key_len = 0;
10293
10294 identifier_type = tvb_get_uint8(tvb, offset);
10295
10296 // Use 0 as length for now as we'll only know the size when we decode the identifier
10297 trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
10298 offset, 0, "Trusted CA Key");
10299 trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);
10300
10301 proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
10302 offset, 1, identifier_type);
10303 offset++;
10304
10305 /*
10306 * enum {
10307 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10308 * cert_sha1_hash(3), (255)
10309 * } IdentifierType;
10310 */
10311 switch (identifier_type)
10312 {
10313 case 0:
10314 key_len = 0;
10315 break;
10316 case 2:
10317 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
10318
10319 uint32_t name_length;
10320 /* opaque DistinguishedName<1..2^16-1> */
10321 if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
10322 hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX(65535))) {
10323 return next_offset;
10324 }
10325 offset += 2;
10326
10327 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
10328 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
10329 offset += name_length;
10330 break;
10331 case 1:
10332 case 3:
10333 key_len = 20;
10334 /* opaque SHA1Hash[20]; */
10335 proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
10336 offset, 20, ENC_NA0x00000000);
10337 break;
10338
10339 default:
10340 key_len = 0;
10341 /*TODO display expert info about unknown ? */
10342 break;
10343 }
10344 proto_item_set_len(trusted_key_item, 1 + key_len);
10345 offset += key_len;
10346 }
10347 }
10348
10349 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
10350 {
10351 offset = next_offset;
10352 }
10353
10354 return offset;
10355} /* }}} */
10356
10357
10358/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
10359bool_Bool
10360ssl_is_valid_content_type(uint8_t type)
10361{
10362 switch ((ContentType) type) {
10363 case SSL_ID_CHG_CIPHER_SPEC:
10364 case SSL_ID_ALERT:
10365 case SSL_ID_HANDSHAKE:
10366 case SSL_ID_APP_DATA:
10367 case SSL_ID_HEARTBEAT:
10368 case SSL_ID_TLS12_CID:
10369 case SSL_ID_DTLS13_ACK:
10370 return true1;
10371 }
10372 return false0;
10373}
10374
10375bool_Bool
10376ssl_is_valid_handshake_type(uint8_t hs_type, bool_Bool is_dtls)
10377{
10378 switch ((HandshakeType) hs_type) {
10379 case SSL_HND_HELLO_VERIFY_REQUEST:
10380 /* hello_verify_request is DTLS-only */
10381 return is_dtls;
10382
10383 case SSL_HND_HELLO_REQUEST:
10384 case SSL_HND_CLIENT_HELLO:
10385 case SSL_HND_SERVER_HELLO:
10386 case SSL_HND_NEWSESSION_TICKET:
10387 case SSL_HND_END_OF_EARLY_DATA:
10388 case SSL_HND_HELLO_RETRY_REQUEST:
10389 case SSL_HND_ENCRYPTED_EXTENSIONS:
10390 case SSL_HND_CERTIFICATE:
10391 case SSL_HND_SERVER_KEY_EXCHG:
10392 case SSL_HND_CERT_REQUEST:
10393 case SSL_HND_SVR_HELLO_DONE:
10394 case SSL_HND_CERT_VERIFY:
10395 case SSL_HND_CLIENT_KEY_EXCHG:
10396 case SSL_HND_FINISHED:
10397 case SSL_HND_CERT_URL:
10398 case SSL_HND_CERT_STATUS:
10399 case SSL_HND_SUPPLEMENTAL_DATA:
10400 case SSL_HND_KEY_UPDATE:
10401 case SSL_HND_COMPRESSED_CERTIFICATE:
10402 case SSL_HND_ENCRYPTED_EXTS:
10403 return true1;
10404 case SSL_HND_MESSAGE_HASH:
10405 return false0;
10406 }
10407 return false0;
10408}
10409
10410static bool_Bool
10411ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
10412 bool_Bool is_dtls)
10413{
10414 /* Consider all valid Handshake messages (except for Client Hello) and
10415 * all other valid record types (other than Handshake) */
10416 return (content_type == SSL_ID_HANDSHAKE &&
10417 ssl_is_valid_handshake_type(handshake_type, is_dtls) &&
10418 handshake_type != SSL_HND_CLIENT_HELLO) ||
10419 (content_type != SSL_ID_HANDSHAKE &&
10420 ssl_is_valid_content_type(content_type));
10421}
10422
10423/**
10424 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
10425 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
10426 * Returns true if the supported_versions extension was found, false if not.
10427 */
10428bool_Bool
10429tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
10430 uint16_t *server_version, bool_Bool *is_hrr)
10431{
10432 /* SHA256("HelloRetryRequest") */
10433 static const uint8_t tls13_hrr_random_magic[] = {
10434 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
10435 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
10436 };
10437 uint8_t session_id_length;
10438
10439 *server_version = tvb_get_ntohs(tvb, offset);
10440
10441 /*
10442 * Try to look for supported_versions extension. Minimum length:
10443 * 2 + 32 + 1 = 35 (version, random, session id length)
10444 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10445 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10446 *
10447 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10448 * there's a separate expert info warning for that.
10449 */
10450 if ((*server_version == TLSV1DOT2_VERSION0x303 || *server_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10451 offset += 2;
10452 if (is_hrr) {
10453 *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
10454 }
10455 offset += 32;
10456 session_id_length = tvb_get_uint8(tvb, offset);
10457 offset++;
10458 if (offset_end - offset < session_id_length + 5u) {
10459 return false0;
10460 }
10461 offset += session_id_length + 5;
10462
10463 while (offset_end - offset >= 6) {
10464 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10465 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10466 if (offset_end - offset < 4u + ext_len) {
10467 break; /* not enough data for type, length and data */
10468 }
10469 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10470 if (ext_len == 2) {
10471 *server_version = tvb_get_ntohs(tvb, offset + 4);
10472 }
10473 return true1;
10474 }
10475 offset += 4 + ext_len;
10476 }
10477 } else {
10478 if (is_hrr) {
10479 *is_hrr = false0;
10480 }
10481 }
10482 return false0;
10483}
10484
10485/**
10486 * Scan a Client Hello handshake message to see if the supported_versions
10487 * extension is found, in which case the version field is legacy_version.
10488 */
10489static bool_Bool
10490tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
10491{
10492 uint8_t session_id_length;
10493
10494 uint16_t client_version = tvb_get_ntohs(tvb, offset);
10495
10496 /*
10497 * Try to look for supported_versions extension. Minimum length:
10498 * 2 + 32 + 1 = 35 (version, random, session id length)
10499 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10500 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10501 *
10502 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10503 * there's a separate expert info warning for that.
10504 */
10505 if ((client_version == TLSV1DOT2_VERSION0x303 || client_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10506 offset += 2;
10507 offset += 32;
10508 session_id_length = tvb_get_uint8(tvb, offset);
10509 offset++;
10510 if (offset_end - offset < session_id_length + 2u) {
10511 return false0;
10512 }
10513 offset += session_id_length;
10514 if (client_version == DTLSV1DOT2_VERSION0xfefd) {
10515 uint8_t cookie_length = tvb_get_uint8(tvb, offset);
10516 offset++;
10517 if (offset_end - offset < cookie_length + 2u) {
10518 return false0;
10519 }
10520 }
10521 uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
10522 offset += 2;
10523 if (offset_end - offset < cipher_suites_length + 1u) {
10524 return false0;
10525 }
10526 offset += cipher_suites_length;
10527 uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
10528 offset++;
10529 if (offset_end - offset < compression_methods_length + 2u) {
10530 return false0;
10531 }
10532 offset += compression_methods_length + 2;
10533
10534 while (offset_end - offset >= 6) {
10535 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10536 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10537 if (offset_end - offset < 4u + ext_len) {
10538 break; /* not enough data for type, length and data */
10539 }
10540 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10541 return true1;
10542 }
10543 offset += 4 + ext_len;
10544 }
10545 }
10546 return false0;
10547}
10548void
10549ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
10550 uint8_t content_type, uint8_t handshake_type,
10551 bool_Bool is_dtls, uint16_t version)
10552{
10553 uint8_t tls13_draft = 0;
10554
10555 if (!ssl_is_authoritative_version_message(content_type, handshake_type,
10556 is_dtls))
10557 return;
10558
10559 version = tls_try_get_version(is_dtls, version, &tls13_draft);
10560 if (version == SSL_VER_UNKNOWN0) {
10561 return;
10562 }
10563
10564 session->tls13_draft_version = tls13_draft;
10565 session->version = version;
10566 if (ssl) {
10567 ssl->state |= SSL_VERSION(1<<4);
10568 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), version, ssl->state);
10569 }
10570}
10571
10572void
10573ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
10574 ContentType content_type,
10575 unsigned record_length, proto_item *length_pi,
10576 uint16_t version, tvbuff_t *decrypted_tvb)
10577{
10578 unsigned max_expansion;
10579 if (version == TLSV1DOT3_VERSION0x304) {
10580 /* TLS 1.3: Max length is 2^14 + 256 */
10581 max_expansion = 256;
10582 } else {
10583 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
10584 max_expansion = 2048;
10585 }
10586 /*
10587 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
10588 * and ChangeCipherSpec.
10589 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
10590 * so assume it is permitted.
10591 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
10592 * assume TLS 1.2 requirements.
10593 */
10594 if (record_length == 0 &&
10595 (content_type == SSL_ID_CHG_CIPHER_SPEC ||
10596 content_type == SSL_ID_ALERT ||
10597 content_type == SSL_ID_HANDSHAKE)) {
10598 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10599 "Zero-length %s fragments are not allowed",
10600 val_to_str_const(content_type, ssl_31_content_type, "unknown"));
10601 }
10602 if (record_length > TLS_MAX_RECORD_LENGTH0x4000 + max_expansion) {
10603 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10604 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
10605 }
10606 if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH0x4000) {
10607 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10608 "TLSPlaintext length MUST NOT exceed 2^14");
10609 }
10610}
10611
10612static void
10613ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
10614{
10615 /* store selected cipher suite for decryption */
10616 ssl->session.cipher = cipher;
10617
10618 const SslCipherSuite *cs = ssl_find_cipher(cipher);
10619 if (!cs) {
10620 ssl->cipher_suite = NULL((void*)0);
10621 ssl->state &= ~SSL_CIPHER(1<<2);
10622 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10623 } else if (ssl->session.version == SSLV3_VERSION0x300 && !(cs->dig == DIG_MD50x40 || cs->dig == DIG_SHA0x41)) {
10624 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
10625 * cipher suite that uses for example MACAlgorithm SHA256. Reject that
10626 * to avoid a potential buffer overflow in ssl3_check_mac. */
10627 ssl->cipher_suite = NULL((void*)0);
10628 ssl->state &= ~SSL_CIPHER(1<<2);
10629 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10630 } else {
10631 /* Cipher found, save this for the delayed decoder init */
10632 ssl->cipher_suite = cs;
10633 ssl->state |= SSL_CIPHER(1<<2);
10634 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), cipher,
10635 val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
10636 ssl->state);
10637 }
10638}
10639/* }}} */
10640
10641
10642/* Client Hello and Server Hello dissections. {{{ */
10643static int
10644ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10645 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
10646 SslSession *session, SslDecryptSession *ssl,
10647 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
10648 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length);
10649int
10650// NOLINTNEXTLINE(misc-no-recursion)
10651ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10652 packet_info *pinfo, proto_tree *tree, uint32_t offset,
10653 uint32_t offset_end, SslSession *session,
10654 SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
10655{
10656 /* struct {
10657 * ProtocolVersion client_version;
10658 * Random random;
10659 * SessionID session_id;
10660 * opaque cookie<0..32>; //new field for DTLS
10661 * CipherSuite cipher_suites<2..2^16-1>;
10662 * CompressionMethod compression_methods<1..2^8-1>;
10663 * Extension client_hello_extension_list<0..2^16-1>;
10664 * } ClientHello;
10665 */
10666 proto_item *ti;
10667 proto_tree *cs_tree;
10668 uint32_t client_version;
10669 uint32_t cipher_suite_length;
10670 uint32_t compression_methods_length;
10671 uint8_t compression_method;
10672 uint32_t next_offset;
10673 uint32_t initial_offset = offset;
10674 uint32_t hello_length = offset_end - initial_offset;
10675 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10676 char *ja3_hash;
10677 char *ja3_dash = "";
10678 char *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
10679 ja4_data_t ja4_data;
10680 wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
10681 wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
10682 wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
10683 wmem_list_frame_t *curr_entry;
10684
10685 ja4_data.max_version = 0;
10686 ja4_data.server_name_present = false0;
10687 ja4_data.num_cipher_suites = 0;
10688 ja4_data.num_extensions = 0;
10689 ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
10690 ja4_data.cipher_list = wmem_list_new(pinfo->pool);
10691 ja4_data.extension_list = wmem_list_new(pinfo->pool);
10692 ja4_data.sighash_list = wmem_list_new(pinfo->pool);
10693
10694 /* show the client version */
10695 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, tvb,
10696 offset, 2, ENC_BIG_ENDIAN0x00000000,
10697 &client_version);
10698 if (tls_scan_client_hello(tvb, offset, offset_end)) {
10699 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10700 }
10701 offset += 2;
10702 wmem_strbuf_append_printf(ja3, "%i,", client_version);
10703
10704 /*
10705 * Is it version 1.3?
10706 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
10707 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10708 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
10709 * Hello".
10710 */
10711 if (dtls_hfs != NULL((void*)0)) {
10712 if (client_version == DTLSV1DOT3_VERSION0xfefc) {
10713 /* Don't do that. */
10714 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10715 }
10716 } else {
10717 if (client_version == TLSV1DOT3_VERSION0x304) {
10718 /* Don't do that. */
10719 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10720 }
10721 }
10722
10723 /* dissect fields that are present in both ClientHello and ServerHello */
10724 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, false0, false0);
10725
10726 /* fields specific for DTLS (cookie_len, cookie) */
10727 if (dtls_hfs != NULL((void*)0)) {
10728 uint32_t cookie_length;
10729 /* opaque cookie<0..32> (for DTLS only) */
10730 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
10731 dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
10732 return offset;
10733 }
10734 offset++;
10735 if (cookie_length > 0) {
10736 proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
10737 tvb, offset, cookie_length, ENC_NA0x00000000);
10738 offset += cookie_length;
10739 }
10740 }
10741
10742 /* CipherSuite cipher_suites<2..2^16-1> */
10743 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
10744 hf->hf.hs_cipher_suites_len, 2, UINT16_MAX(65535))) {
10745 return offset;
10746 }
10747 offset += 2;
10748 next_offset = offset + cipher_suite_length;
10749 ti = proto_tree_add_none_format(tree,
10750 hf->hf.hs_cipher_suites,
10751 tvb, offset, cipher_suite_length,
10752 "Cipher Suites (%d suite%s)",
10753 cipher_suite_length / 2,
10754 plurality(cipher_suite_length/2, "", "s")((cipher_suite_length/2) == 1 ? ("") : ("s")));
10755 cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
10756 while (offset + 2 <= next_offset) {
10757 uint32_t cipher_suite;
10758
10759 proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, tvb, offset, 2,
10760 ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10761 offset += 2;
10762 if (!IS_GREASE_TLS(cipher_suite)((((cipher_suite) & 0x0f0f) == 0x0a0a) && (((cipher_suite
) & 0xff) == (((cipher_suite)>>8) & 0xff)))) {
10763 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
10764 ja3_dash = "-";
10765 ja4_data.num_cipher_suites += 1;
10766 wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite)((gpointer) (gulong) (cipher_suite)), wmem_compare_uint);
10767 }
10768 }
10769 wmem_strbuf_append_c(ja3, ',');
10770 if (!ssl_end_vector(hf, tvb, pinfo, cs_tree, offset, next_offset)) {
10771 offset = next_offset;
10772 }
10773
10774 /* CompressionMethod compression_methods<1..2^8-1> */
10775 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
10776 hf->hf.hs_comp_methods_len, 1, UINT8_MAX(255))) {
10777 return offset;
10778 }
10779 offset++;
10780 next_offset = offset + compression_methods_length;
10781 ti = proto_tree_add_none_format(tree,
10782 hf->hf.hs_comp_methods,
10783 tvb, offset, compression_methods_length,
10784 "Compression Methods (%u method%s)",
10785 compression_methods_length,
10786 plurality(compression_methods_length,((compression_methods_length) == 1 ? ("") : ("s"))
10787 "", "s")((compression_methods_length) == 1 ? ("") : ("s")));
10788 cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
10789 while (offset < next_offset) {
10790 compression_method = tvb_get_uint8(tvb, offset);
10791 /* TODO: make reserved/private comp meth. fields selectable */
10792 if (compression_method < 64)
10793 proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
10794 tvb, offset, 1, compression_method);
10795 else if (compression_method > 63 && compression_method < 193)
10796 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10797 compression_method, "Reserved - to be assigned by IANA (%u)",
10798 compression_method);
10799 else
10800 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10801 compression_method, "Private use range (%u)",
10802 compression_method);
10803 offset++;
10804 }
10805
10806 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10807 if (offset < offset_end) {
10808 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10809 offset_end, SSL_HND_CLIENT_HELLO,
10810 session, ssl, dtls_hfs != NULL((void*)0), ja3, &ja4_data, mk_map, initial_offset, hello_length);
10811 if (ja4_data.max_version > 0) {
10812 client_version = ja4_data.max_version;
10813 }
10814 } else {
10815 wmem_strbuf_append_printf(ja3, ",,");
10816 }
10817
10818 if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
10819 wmem_strbuf_append(ja4_a, "t");
10820 } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
10821 wmem_strbuf_append(ja4_a, "q");
10822 } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
10823 wmem_strbuf_append(ja4_a, "d");
10824 }
10825 wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
10826 wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
10827 if (ja4_data.num_cipher_suites > 99) {
10828 wmem_strbuf_append(ja4_a, "99");
10829 } else {
10830 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
10831 }
10832 if (ja4_data.num_extensions > 99) {
10833 wmem_strbuf_append(ja4_a, "99");
10834 } else {
10835 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
10836 }
10837 if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
10838 wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
10839 } else {
10840 wmem_strbuf_append(ja4_a, "00");
10841 }
10842
10843 curr_entry = wmem_list_head(ja4_data.cipher_list);
10844 for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
10845 wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10846 if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
10847 wmem_strbuf_append(ja4_br, ",");
10848 }
10849 curr_entry = wmem_list_frame_next(curr_entry);
10850 }
10851
10852 curr_entry = wmem_list_head(ja4_data.extension_list);
10853 for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
10854 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10855 if (i < wmem_list_count(ja4_data.extension_list) - 1) {
10856 wmem_strbuf_append(ja4_cr, ",");
10857 }
10858 curr_entry = wmem_list_frame_next(curr_entry);
10859 }
10860
10861 if (wmem_list_count(ja4_data.sighash_list) > 0) {
10862 wmem_strbuf_append(ja4_cr, "_");
10863 curr_entry = wmem_list_head(ja4_data.sighash_list);
10864 for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
10865 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10866 if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
10867 wmem_strbuf_append(ja4_cr, ",");
10868 }
10869 curr_entry = wmem_list_frame_next(curr_entry);
10870 }
10871 }
10872 if ( wmem_strbuf_get_len(ja4_br) == 0 ) {
10873 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10874 } else {
10875 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
10876 }
10877 ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);
10878
10879 g_free(ja4_hash);
10880 if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
10881 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10882 } else {
10883 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
10884 }
10885 ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
10886 g_free(ja4_hash);
10887
10888 ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
10889 ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));
10890
10891 ti = proto_tree_add_string(tree, hf->hf.hs_ja4, tvb, offset, 0, ja4);
10892 proto_item_set_generated(ti);
10893 ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, tvb, offset, 0, ja4_r);
10894 proto_item_set_generated(ti);
10895
10896 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
10897 wmem_strbuf_get_len(ja3));
10898 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
10899 proto_item_set_generated(ti);
10900 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, tvb, offset, 0, ja3_hash);
10901 proto_item_set_generated(ti);
10902 g_free(ja3_hash);
10903 return offset;
10904}
10905
10906void
10907ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10908 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10909 SslSession *session, SslDecryptSession *ssl,
10910 bool_Bool is_dtls, bool_Bool is_hrr)
10911{
10912 /* struct {
10913 * ProtocolVersion server_version;
10914 * Random random;
10915 * SessionID session_id; // TLS 1.2 and before
10916 * CipherSuite cipher_suite;
10917 * CompressionMethod compression_method; // TLS 1.2 and before
10918 * Extension server_hello_extension_list<0..2^16-1>;
10919 * } ServerHello;
10920 */
10921 uint8_t draft_version = session->tls13_draft_version;
10922 proto_item *ti;
10923 uint32_t server_version;
10924 uint32_t cipher_suite;
10925 uint32_t initial_offset = offset;
10926 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10927 char *ja3_hash;
10928
10929 col_set_str(pinfo->cinfo, COL_PROTOCOL,
10930 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
10931
10932 /* Initially assume that the session is resumed. If this is not the case, a
10933 * ServerHelloDone will be observed before the ChangeCipherSpec message
10934 * which will reset this flag. */
10935 session->is_session_resumed = true1;
10936
10937 /* show the server version */
10938 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
10939 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);
10940
10941 uint16_t supported_server_version;
10942 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
10943 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10944 }
10945 /*
10946 * Is it version 1.3?
10947 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
10948 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10949 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
10950 * Hello".
10951 */
10952 if (is_dtls) {
10953 if (server_version == DTLSV1DOT3_VERSION0xfefc) {
10954 /* Don't do that. */
10955 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10956 }
10957 } else {
10958 if (server_version == TLSV1DOT3_VERSION0x304) {
10959 /* Don't do that. */
10960 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10961 }
10962 }
10963
10964 offset += 2;
10965 wmem_strbuf_append_printf(ja3, "%i", server_version);
10966
10967 /* dissect fields that are present in both ClientHello and ServerHello */
10968 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);
10969
10970 if (ssl) {
10971 /* store selected cipher suite for decryption */
10972 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
10973 }
10974
10975 /* now the server-selected cipher suite */
10976 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
10977 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10978 offset += 2;
10979 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
10980
10981 /* No compression with TLS 1.3 before draft -22 */
10982 if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
10983 if (ssl) {
10984 /* store selected compression method for decryption */
10985 ssl->session.compression = tvb_get_uint8(tvb, offset);
10986 }
10987 /* and the server-selected compression method */
10988 proto_tree_add_item(tree, hf->hf.hs_comp_method,
10989 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
10990 offset++;
10991 }
10992
10993 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10994 if (offset < offset_end) {
10995 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10996 offset_end,
10997 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
10998 session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0), 0, 0);
10999 }
11000
11001 if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
11002 int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
11003 if (hash_algo) {
11004 SSL_MDgcry_md_hd_t mc;
11005 unsigned char transcript_hash[DIGEST_MAX_SIZE48];
11006 unsigned char prk[DIGEST_MAX_SIZE48];
11007 unsigned char *ech_verify_out = NULL((void*)0);
11008 unsigned int len;
11009 ssl_md_init(&mc, hash_algo);
11010 ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
11011 if (is_hrr) {
11012 ssl_md_final(&mc, transcript_hash, &len);
11013 ssl_md_cleanup(&mc);
11014 wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
11015 ssl->ech_transcript.data_len = 4 + len;
11016 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
11017 ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
11018 ssl->ech_transcript.data[1] = 0;
11019 ssl->ech_transcript.data[2] = 0;
11020 ssl->ech_transcript.data[3] = len;
11021 memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
11022 ssl_md_init(&mc, hash_algo);
11023 ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
11024 } else {
11025 ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
11026 ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
11027 }
11028 if (initial_offset > 4) {
11029 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
11030 4 + offset_end - initial_offset);
11031 if (is_hrr)
11032 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset-4, 38), 38);
11033 else
11034 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset-4, 30), 30);
11035 } else {
11036 uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
11037 prefix[2] = ((offset - initial_offset) >> 8);
11038 prefix[3] = (offset - initial_offset) & 0xff;
11039 memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
11040 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
11041 offset_end - initial_offset);
11042 ssl_md_update(&mc, prefix, 4);
11043 if (is_hrr)
11044 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset, 34), 34);
11045 else
11046 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset, 26), 26);
11047 }
11048 ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
11049 uint8_t zeros[8] = { 0 };
11050 uint32_t confirmation_offset = initial_offset + 26;
11051 if (is_hrr) {
11052 uint32_t hrr_offset = initial_offset + 34;
11053 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset,
11054 tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
11055 hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
11056 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 3), 3);
11057 hrr_offset += 3;
11058 uint16_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
11059 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 2), 2);
11060 hrr_offset += 2;
11061 while (extensions_end - hrr_offset >= 4) {
11062 if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
11063 tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
11064 confirmation_offset = hrr_offset + 4;
11065 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 4), 4);
11066 ssl_md_update(&mc, zeros, 8);
11067 hrr_offset += 12;
11068 } else {
11069 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
11070 tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
11071 hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
11072 }
11073 }
11074 } else {
11075 ssl_md_update(&mc, zeros, 8);
11076 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
11077 offset - initial_offset - 34);
11078 }
11079 ssl_md_final(&mc, transcript_hash, &len);
11080 ssl_md_cleanup(&mc);
11081 hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
11082 StringInfo prk_string = {prk, len};
11083 if (tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
11084 is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
11085 transcript_hash, len, 8, &ech_verify_out)) {
11086 memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
11087 if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
11088 if (is_hrr) {
11089 ssl->session.hrr_ech_declined = true1;
11090 ssl->session.first_ch_ech_frame = 0;
11091 }
11092 memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
11093 ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
11094 }
11095 wmem_free(NULL((void*)0), ech_verify_out);
11096 }
11097 ssl->session.ech = true1;
11098 }
11099 }
11100
11101 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
11102 wmem_strbuf_get_len(ja3));
11103 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
11104 proto_item_set_generated(ti);
11105 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
11106 proto_item_set_generated(ti);
11107 g_free(ja3_hash);
11108}
11109/* Client Hello and Server Hello dissections. }}} */
11110
11111/* New Session Ticket dissection. {{{ */
11112void
11113ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11114 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11115 SslSession *session, SslDecryptSession *ssl,
11116 bool_Bool is_dtls, GHashTable *session_hash)
11117{
11118 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
11119 * struct {
11120 * uint32 ticket_lifetime_hint;
11121 * opaque ticket<0..2^16-1>;
11122 * } NewSessionTicket;
11123 *
11124 * RFC 8446 Section 4.6.1 (TLS 1.3):
11125 * struct {
11126 * uint32 ticket_lifetime;
11127 * uint32 ticket_age_add;
11128 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -22
11129 * opaque ticket<1..2^16-1>;
11130 * Extension extensions<0..2^16-2>;
11131 * } NewSessionTicket;
11132 */
11133 proto_tree *subtree;
11134 proto_item *subitem;
11135 uint32_t ticket_len;
11136 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc;
11137 unsigned char draft_version = session->tls13_draft_version;
11138 uint32_t lifetime_hint;
11139
11140 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11141 hf->ett.session_ticket, NULL((void*)0),
11142 "TLS Session Ticket");
11143
11144 /* ticket lifetime hint */
11145 subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,
11146 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000, &lifetime_hint);
11147 offset += 4;
11148
11149 if (lifetime_hint >= 60) {
11150 char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);
11151 proto_item_append_text(subitem, " (%s)", time_str);
11152 }
11153
11154 if (is_tls13) {
11155
11156 /* for TLS 1.3: ticket_age_add */
11157 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
11158 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
11159 offset += 4;
11160
11161 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
11162 if (draft_version == 0 || draft_version >= 21) {
11163 uint32_t ticket_nonce_len;
11164
11165 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,
11166 hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
11167 return;
11168 }
11169 offset++;
11170
11171 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA0x00000000);
11172 offset += ticket_nonce_len;
11173 }
11174
11175 }
11176
11177 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
11178 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
11179 hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX(65535))) {
11180 return;
11181 }
11182 offset += 2;
11183
11184 /* Content depends on implementation, so just show data! */
11185 proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
11186 tvb, offset, ticket_len, ENC_NA0x00000000);
11187 /* save the session ticket to cache for ssl_finalize_decryption */
11188 if (ssl && !is_tls13) {
11189 if (ssl->session.is_session_resumed) {
11190 /* NewSessionTicket is received in ServerHello before ChangeCipherSpec
11191 * (Abbreviated Handshake Using New Session Ticket).
11192 * Restore the master key for this session ticket before saving
11193 * it to the new session ticket. */
11194 ssl_restore_master_key(ssl, "Session Ticket", false0,
11195 session_hash, &ssl->session_ticket);
11196 }
11197 tvb_ensure_bytes_exist(tvb, offset, ticket_len);
11198 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
11199 ssl->session_ticket.data, ticket_len);
11200 ssl->session_ticket.data_len = ticket_len;
11201 tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
11202 /* NewSessionTicket is received after the first (client)
11203 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
11204 * Since the second CCS has already the session key available it will
11205 * just return. To ensure that the session ticket is mapped to a
11206 * master key (from the first CCS), save the ticket here too. */
11207 ssl_save_master_key("Session Ticket", session_hash,
11208 &ssl->session_ticket, &ssl->master_secret);
11209 ssl->state |= SSL_NEW_SESSION_TICKET(1<<10);
11210 }
11211 offset += ticket_len;
11212
11213 if (is_tls13) {
11214 ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11215 offset_end, SSL_HND_NEWSESSION_TICKET,
11216 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11217 }
11218} /* }}} */
11219
11220void
11221ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11222 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11223 SslSession *session, SslDecryptSession *ssl,
11224 bool_Bool is_dtls)
11225{
11226 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
11227 * struct {
11228 * ProtocolVersion server_version;
11229 * CipherSuite cipher_suite; // not before draft -19
11230 * Extension extensions<2..2^16-1>;
11231 * } HelloRetryRequest;
11232 * Note: no longer used since draft -22
11233 */
11234 uint32_t version;
11235 uint8_t draft_version;
11236
11237 proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11238 offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
11239 draft_version = extract_tls13_draft_version(version);
11240 offset += 2;
11241
11242 if (draft_version == 0 || draft_version >= 19) {
11243 proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
11244 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11245 offset += 2;
11246 }
11247
11248 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11249 offset_end, SSL_HND_HELLO_RETRY_REQUEST,
11250 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11251}
11252
11253void
11254ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11255 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11256 SslSession *session, SslDecryptSession *ssl,
11257 bool_Bool is_dtls)
11258{
11259 /* RFC 8446 Section 4.3.1
11260 * struct {
11261 * Extension extensions<0..2^16-1>;
11262 * } EncryptedExtensions;
11263 */
11264 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11265 offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,
11266 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11267}
11268
11269/* Certificate and Certificate Request dissections. {{{ */
11270void
11271ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11272 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11273 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
11274 bool_Bool is_from_server, bool_Bool is_dtls)
11275{
11276 /* opaque ASN.1Cert<1..2^24-1>;
11277 *
11278 * Before RFC 8446 (TLS <= 1.2):
11279 * struct {
11280 * select(certificate_type) {
11281 *
11282 * // certificate type defined in RFC 7250
11283 * case RawPublicKey:
11284 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
11285 *
11286 * // X.509 certificate defined in RFC 5246
11287 * case X.509:
11288 * ASN.1Cert certificate_list<0..2^24-1>;
11289 * };
11290 * } Certificate;
11291 *
11292 * RFC 8446 (since draft -20):
11293 * struct {
11294 * select(certificate_type){
11295 * case RawPublicKey:
11296 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
11297 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
11298 *
11299 * case X.509:
11300 * opaque cert_data<1..2^24-1>;
11301 * }
11302 * Extension extensions<0..2^16-1>;
11303 * } CertificateEntry;
11304 * struct {
11305 * opaque certificate_request_context<0..2^8-1>;
11306 * CertificateEntry certificate_list<0..2^24-1>;
11307 * } Certificate;
11308 */
11309 enum { CERT_X509, CERT_RPK } cert_type;
11310 asn1_ctx_t asn1_ctx;
11311#if defined(HAVE_LIBGNUTLS1)
11312 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
11313 unsigned certificate_index = 0;
11314#endif
11315 uint32_t next_offset, certificate_list_length, cert_length;
11316 proto_tree *subtree = tree;
11317
11318 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11319
11320 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
11321 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
11322 cert_type = CERT_RPK;
11323 } else {
11324 cert_type = CERT_X509;
11325 }
11326
11327#if defined(HAVE_LIBGNUTLS1)
11328 /* Ask the pkcs1 dissector to return the public key details */
11329 if (ssl)
11330 asn1_ctx.private_data = &subjectPublicKeyInfo;
11331#endif
11332
11333 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
11334 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
11335 uint32_t context_length;
11336 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11337 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11338 return;
11339 }
11340 offset++;
11341 if (context_length > 0) {
11342 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11343 tvb, offset, context_length, ENC_NA0x00000000);
11344 offset += context_length;
11345 }
11346 }
11347
11348 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
11349 /* For RPK before TLS 1.3, the single RPK is stored directly without
11350 * another "certificate_list" field. */
11351 certificate_list_length = offset_end - offset;
11352 next_offset = offset_end;
11353 } else {
11354 /* CertificateEntry certificate_list<0..2^24-1> */
11355 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
11356 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
11357 return;
11358 }
11359 offset += 3; /* 24-bit length value */
11360 next_offset = offset + certificate_list_length;
11361 }
11362
11363 /* RawPublicKey must have one cert, but X.509 can have multiple. */
11364 if (certificate_list_length > 0 && cert_type == CERT_X509) {
11365 proto_item *ti;
11366
11367 ti = proto_tree_add_none_format(tree,
11368 hf->hf.hs_certificates,
11369 tvb, offset, certificate_list_length,
11370 "Certificates (%u bytes)",
11371 certificate_list_length);
11372
11373 /* make it a subtree */
11374 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
11375 }
11376
11377 while (offset < next_offset) {
11378 switch (cert_type) {
11379 case CERT_RPK:
11380 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
11381 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
11382 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11383 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11384 return;
11385 }
11386 offset += 3;
11387
11388 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11389 offset += cert_length;
11390 break;
11391 case CERT_X509:
11392 /* opaque ASN1Cert<1..2^24-1> */
11393 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11394 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11395 return;
11396 }
11397 offset += 3;
11398
11399 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11400#if defined(HAVE_LIBGNUTLS1)
11401 if (is_from_server && ssl && certificate_index == 0) {
11402 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
11403 /* Only attempt to get the RSA modulus for the first cert. */
11404 asn1_ctx.private_data = NULL((void*)0);
11405 }
11406#endif
11407 offset += cert_length;
11408 break;
11409 }
11410
11411 /* TLS 1.3: Extension extensions<0..2^16-1> */
11412 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
11413 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11414 next_offset, SSL_HND_CERTIFICATE,
11415 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11416 }
11417
11418#if defined(HAVE_LIBGNUTLS1)
11419 certificate_index++;
11420#endif
11421 }
11422}
11423
11424void
11425ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11426 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11427 SslSession *session, bool_Bool is_dtls)
11428{
11429 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
11430 * enum {
11431 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11432 * (255)
11433 * } ClientCertificateType;
11434 *
11435 * opaque DistinguishedName<1..2^16-1>;
11436 *
11437 * struct {
11438 * ClientCertificateType certificate_types<1..2^8-1>;
11439 * DistinguishedName certificate_authorities<3..2^16-1>;
11440 * } CertificateRequest;
11441 *
11442 *
11443 * As per TLSv1.2 (RFC 5246) the format has changed to:
11444 *
11445 * enum {
11446 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11447 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
11448 * fortezza_dms_RESERVED(20), (255)
11449 * } ClientCertificateType;
11450 *
11451 * enum {
11452 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
11453 * sha512(6), (255)
11454 * } HashAlgorithm;
11455 *
11456 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
11457 * SignatureAlgorithm;
11458 *
11459 * struct {
11460 * HashAlgorithm hash;
11461 * SignatureAlgorithm signature;
11462 * } SignatureAndHashAlgorithm;
11463 *
11464 * SignatureAndHashAlgorithm
11465 * supported_signature_algorithms<2..2^16-2>;
11466 *
11467 * opaque DistinguishedName<1..2^16-1>;
11468 *
11469 * struct {
11470 * ClientCertificateType certificate_types<1..2^8-1>;
11471 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
11472 * DistinguishedName certificate_authorities<0..2^16-1>;
11473 * } CertificateRequest;
11474 *
11475 * draft-ietf-tls-tls13-18:
11476 * struct {
11477 * opaque certificate_request_context<0..2^8-1>;
11478 * SignatureScheme
11479 * supported_signature_algorithms<2..2^16-2>;
11480 * DistinguishedName certificate_authorities<0..2^16-1>;
11481 * CertificateExtension certificate_extensions<0..2^16-1>;
11482 * } CertificateRequest;
11483 *
11484 * RFC 8446 (since draft-ietf-tls-tls13-19):
11485 *
11486 * struct {
11487 * opaque certificate_request_context<0..2^8-1>;
11488 * Extension extensions<2..2^16-1>;
11489 * } CertificateRequest;
11490 */
11491 proto_item *ti;
11492 proto_tree *subtree;
11493 uint32_t next_offset;
11494 asn1_ctx_t asn1_ctx;
11495 bool_Bool is_tls13 = (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc);
11496 unsigned char draft_version = session->tls13_draft_version;
11497
11498 if (!tree)
11499 return;
11500
11501 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11502
11503 if (is_tls13) {
11504 uint32_t context_length;
11505 /* opaque certificate_request_context<0..2^8-1> */
11506 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11507 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11508 return;
11509 }
11510 offset++;
11511 if (context_length > 0) {
11512 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11513 tvb, offset, context_length, ENC_NA0x00000000);
11514 offset += context_length;
11515 }
11516 } else {
11517 uint32_t cert_types_count;
11518 /* ClientCertificateType certificate_types<1..2^8-1> */
11519 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
11520 hf->hf.hs_cert_types_count, 1, UINT8_MAX(255))) {
11521 return;
11522 }
11523 offset++;
11524 next_offset = offset + cert_types_count;
11525
11526 ti = proto_tree_add_none_format(tree,
11527 hf->hf.hs_cert_types,
11528 tvb, offset, cert_types_count,
11529 "Certificate types (%u type%s)",
11530 cert_types_count,
11531 plurality(cert_types_count, "", "s")((cert_types_count) == 1 ? ("") : ("s")));
11532 subtree = proto_item_add_subtree(ti, hf->ett.cert_types);
11533
11534 while (offset < next_offset) {
11535 proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11536 offset++;
11537 }
11538 }
11539
11540 if (session->version == TLSV1DOT2_VERSION0x303 || session->version == DTLSV1DOT2_VERSION0xfefd ||
11541 (is_tls13 && (draft_version > 0 && draft_version < 19))) {
11542 offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
11543 }
11544
11545 if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
11546 /*
11547 * TLS 1.3 draft 19 and newer: Extensions.
11548 * SslDecryptSession pointer is NULL because Certificate Extensions
11549 * should not influence decryption state.
11550 */
11551 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11552 offset_end, SSL_HND_CERT_REQUEST,
11553 session, NULL((void*)0), is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11554 } else if (is_tls13 && draft_version <= 18) {
11555 /*
11556 * TLS 1.3 draft 18 and older: certificate_authorities and
11557 * certificate_extensions (a vector of OID mappings).
11558 */
11559 offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11560 ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
11561 } else {
11562 /* for TLS 1.2 and older, the certificate_authorities field. */
11563 tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11564 }
11565}
11566/* Certificate and Certificate Request dissections. }}} */
11567
11568void
11569ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11570 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
11571{
11572 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
11573 hf->hf.hs_client_cert_vrfy_sig_len,
11574 hf->hf.hs_client_cert_vrfy_sig);
11575}
11576
11577/* Finished dissection. {{{ */
11578void
11579ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11580 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11581 const SslSession *session, ssl_hfs_t *ssl_hfs)
11582{
11583 /* For SSLv3:
11584 * struct {
11585 * opaque md5_hash[16];
11586 * opaque sha_hash[20];
11587 * } Finished;
11588 *
11589 * For (D)TLS:
11590 * struct {
11591 * opaque verify_data[12];
11592 * } Finished;
11593 *
11594 * For TLS 1.3:
11595 * struct {
11596 * opaque verify_data[Hash.length];
11597 * }
11598 */
11599 if (!tree)
11600 return;
11601
11602 if (session->version == SSLV3_VERSION0x300) {
11603 if (ssl_hfs != NULL((void*)0)) {
11604 proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
11605 tvb, offset, 16, ENC_NA0x00000000);
11606 proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
11607 tvb, offset + 16, 20, ENC_NA0x00000000);
11608 }
11609 } else {
11610 /* Length should be 12 for TLS before 1.3, assume this is the case. */
11611 proto_tree_add_item(tree, hf->hf.hs_finished,
11612 tvb, offset, offset_end - offset, ENC_NA0x00000000);
11613 }
11614} /* }}} */
11615
11616/* RFC 6066 Certificate URL handshake message dissection. {{{ */
11617void
11618ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
11619{
11620 uint16_t url_hash_len;
11621
11622 /* enum {
11623 * individual_certs(0), pkipath(1), (255)
11624 * } CertChainType;
11625 *
11626 * struct {
11627 * CertChainType type;
11628 * URLAndHash url_and_hash_list<1..2^16-1>;
11629 * } CertificateURL;
11630 *
11631 * struct {
11632 * opaque url<1..2^16-1>;
11633 * uint8 padding;
11634 * opaque SHA1Hash[20];
11635 * } URLAndHash;
11636 */
11637
11638 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
11639 tvb, offset, 1, ENC_NA0x00000000);
11640 offset++;
11641
11642 url_hash_len = tvb_get_ntohs(tvb, offset);
11643 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
11644 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11645 offset += 2;
11646 while (url_hash_len-- > 0) {
11647 proto_item *urlhash_item;
11648 proto_tree *urlhash_tree;
11649 uint16_t url_len;
11650
11651 urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
11652 tvb, offset, -1, ENC_NA0x00000000);
11653 urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);
11654
11655 url_len = tvb_get_ntohs(tvb, offset);
11656 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
11657 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11658 offset += 2;
11659
11660 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
11661 tvb, offset, url_len, ENC_ASCII0x00000000|ENC_NA0x00000000);
11662 offset += url_len;
11663
11664 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
11665 tvb, offset, 1, ENC_NA0x00000000);
11666 offset++;
11667 /* Note: RFC 6066 says that padding must be 0x01 */
11668
11669 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
11670 tvb, offset, 20, ENC_NA0x00000000);
11671 offset += 20;
11672 }
11673} /* }}} */
11674
11675void
11676ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11677 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11678 SslSession *session, SslDecryptSession *ssl,
11679 bool_Bool is_from_server, bool_Bool is_dtls)
11680{
11681 uint32_t algorithm, uncompressed_length;
11682 uint32_t compressed_certificate_message_length;
11683 tvbuff_t *uncompressed_tvb = NULL((void*)0);
11684 proto_item *ti;
11685 /*
11686 * enum {
11687 * zlib(1),
11688 * brotli(2),
11689 * zstd(3),
11690 * (65535)
11691 * } CertificateCompressionAlgorithm;
11692 *
11693 * struct {
11694 * CertificateCompressionAlgorithm algorithm;
11695 * uint24 uncompressed_length;
11696 * opaque compressed_certificate_message<1..2^24-1>;
11697 * } CompressedCertificate;
11698 */
11699
11700 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
11701 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &algorithm);
11702 offset += 2;
11703
11704 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
11705 tvb, offset, 3, ENC_BIG_ENDIAN0x00000000, &uncompressed_length);
11706 offset += 3;
11707
11708 /* opaque compressed_certificate_message<1..2^24-1>; */
11709 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,
11710 hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24((1U << 24) - 1))) {
11711 return;
11712 }
11713 offset += 3;
11714
11715 ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
11716 tvb, offset, compressed_certificate_message_length, ENC_NA0x00000000);
11717
11718 /* Certificate decompression following algorithm */
11719 switch (algorithm) {
11720 case 1: /* zlib */
11721 uncompressed_tvb = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_certificate_message_length);
11722 break;
11723 case 2: /* brotli */
11724 uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);
11725 break;
11726 case 3: /* zstd */
11727 uncompressed_tvb = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_certificate_message_length);
11728 break;
11729 }
11730
11731 if (uncompressed_tvb) {
11732 proto_tree *uncompressed_tree;
11733
11734 if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {
11735 proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
11736 tvb, offset, offset_end - offset,
11737 "Invalid uncompressed length %u (expected %u)",
11738 tvb_captured_length(uncompressed_tvb),
11739 uncompressed_length);
11740 } else {
11741 uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
11742 ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
11743 0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
11744 add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
11745 }
11746 }
11747}
11748
11749/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
11750static int
11751// NOLINTNEXTLINE(misc-no-recursion)
11752ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11753 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
11754 SslSession *session, SslDecryptSession *ssl,
11755 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
11756 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length)
11757{
11758 uint32_t exts_len;
11759 uint16_t ext_type;
11760 uint32_t ext_len;
11761 uint32_t next_offset;
11762 proto_item *ext_item;
11763 proto_tree *ext_tree;
11764 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
11765 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
11766 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
11767 char *ja3_dash = "";
11768 unsigned supported_version;
11769
11770 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
11771 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
11772 hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
11773 return offset_end;
11774 }
11775 offset += 2;
11776 offset_end = offset + exts_len;
11777
11778 if (ja4_data) {
11779 ja4_data->num_extensions = 0;
11780 }
11781 while (offset_end - offset >= 4)
11782 {
11783 ext_type = tvb_get_ntohs(tvb, offset);
11784 ext_len = tvb_get_ntohs(tvb, offset + 2);
11785
11786 if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11787 ja4_data->num_extensions += 1;
11788 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
11789 ext_type != SSL_HND_HELLO_EXT_ALPN16) {
11790 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
11791 }
11792 }
11793
11794 ext_item = proto_tree_add_none_format(tree, hf->hf.hs_ext, tvb, offset, 4 + ext_len,
11795 "Extension: %s (len=%u)", val_to_str(pinfo->pool, ext_type,
11796 tls_hello_extension_types,
11797 "Unknown type %u"), ext_len);
11798 ext_tree = proto_item_add_subtree(ext_item, hf->ett.hs_ext);
11799
11800 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
11801 tvb, offset, 2, ext_type);
11802 offset += 2;
11803 if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11804 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
11805 ja3_dash = "-";
11806 }
11807
11808 /* opaque extension_data<0..2^16-1> */
11809 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
11810 hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
11811 return offset_end;
11812 }
11813 offset += 2;
11814 next_offset = offset + ext_len;
11815
11816 switch (ext_type) {
11817 case SSL_HND_HELLO_EXT_SERVER_NAME0:
11818 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11819 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
11820 if (ja4_data) {
11821 ja4_data->server_name_present = true1;
11822 }
11823 }
11824 break;
11825 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
11826 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
11827 offset += 1;
11828 break;
11829 case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
11830 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11831 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
11832 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
11833 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
11834 }
11835 break;
11836 case SSL_HND_HELLO_EXT_CERT_TYPE9:
11837 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11838 offset, next_offset,
11839 hnd_type, ext_type,
11840 session);
11841 break;
11842 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
11843 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11844 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11845 next_offset, ja3_sg);
11846 } else {
11847 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11848 next_offset, NULL((void*)0));
11849 }
11850 break;
11851 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
11852 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11853 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
11854 } else {
11855 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
11856 }
11857 break;
11858 break;
11859 case SSL_HND_HELLO_EXT_SRP12:
11860 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
11861 break;
11862 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
11863 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
11864 break;
11865 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
11866 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
11867 break;
11868 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
11869 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
11870 break;
11871 case SSL_HND_HELLO_EXT_USE_SRTP14:
11872 if (is_dtls) {
11873 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11874 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
11875 } else if (hnd_type == SSL_HND_SERVER_HELLO) {
11876 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
11877 }
11878 } else {
11879 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
11880 }
11881 break;
11882 case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
11883 offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
11884 break;
11885 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
11886 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map, initial_offset, hello_length);
11887 break;
11888 case SSL_HND_HELLO_EXT_HEARTBEAT15:
11889 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
11890 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11891 offset++;
11892 break;
11893 case SSL_HND_HELLO_EXT_ALPN16:
11894 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
11895 break;
11896 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
11897 if (hnd_type == SSL_HND_CLIENT_HELLO)
11898 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
11899 break;
11900 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
11901 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
11902 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
11903 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
11904 break;
11905 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
11906 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
11907 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11908 offset, next_offset,
11909 hnd_type, ext_type,
11910 session);
11911 break;
11912 case SSL_HND_HELLO_EXT_PADDING21:
11913 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
11914 offset += ext_len;
11915 break;
11916 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
11917 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
11918 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
11919 ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
11920 }
11921 break;
11922 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
11923 if (ssl) {
11924 switch (hnd_type) {
11925 case SSL_HND_CLIENT_HELLO:
11926 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
11927 break;
11928 case SSL_HND_SERVER_HELLO:
11929 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
11930 break;
11931 default: /* no default */
11932 break;
11933 }
11934 }
11935 break;
11936 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
11937 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11938 break;
11939 case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
11940 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11941 break;
11942 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
11943 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
11944 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11945 offset += 2;
11946 break;
11947 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
11948 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
11949 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11950 break;
11951 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
11952 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
11953 break;
11954 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
11955 case SSL_HND_HELLO_EXT_KEY_SHARE51:
11956 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11957 break;
11958 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
11959 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11960 break;
11961 case SSL_HND_HELLO_EXT_EARLY_DATA42:
11962 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
11963 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11964 break;
11965 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
11966 switch (hnd_type) {
11967 case SSL_HND_CLIENT_HELLO:
11968 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
11969 break;
11970 case SSL_HND_SERVER_HELLO:
11971 case SSL_HND_HELLO_RETRY_REQUEST:
11972 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
11973 offset += 2;
11974 proto_item_append_text(ext_tree, " %s", val_to_str(pinfo->pool, supported_version, ssl_versions, "Unknown (0x%04x)"));
11975 break;
11976 }
11977 break;
11978 case SSL_HND_HELLO_EXT_COOKIE44:
11979 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
11980 break;
11981 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
11982 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
11983 break;
11984 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
11985 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
11986 break;
11987 case SSL_HND_HELLO_EXT_OID_FILTERS48:
11988 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
11989 break;
11990 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
11991 break;
11992 case SSL_HND_HELLO_EXT_NPN13172:
11993 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
11994 break;
11995 case SSL_HND_HELLO_EXT_ALPS_OLD17513:
11996 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11997 break;
11998 case SSL_HND_HELLO_EXT_ALPS17613:
11999 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12000 break;
12001 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
12002 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
12003 break;
12004 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
12005 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12006 break;
12007 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
12008 session->deprecated_cid = true1;
12009 /* FALLTHRU */
12010 case SSL_HND_HELLO_EXT_CONNECTION_ID54:
12011 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
12012 break;
12013 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
12014 offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
12015 break;
12016 default:
12017 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
12018 tvb, offset, ext_len, ENC_NA0x00000000);
12019 offset += ext_len;
12020 break;
12021 }
12022
12023 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
12024 /* Dissection did not end at expected location, fix it. */
12025 offset = next_offset;
12026 }
12027 }
12028
12029 if (ja3) {
12030 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12031 if(wmem_strbuf_get_len(ja3_sg) > 0) {
12032 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
12033 } else {
12034 wmem_strbuf_append_c(ja3, ',');
12035 }
12036 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
12037 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
12038 } else {
12039 wmem_strbuf_append_c(ja3, ',');
12040 }
12041 }
12042 }
12043
12044 /* Check if Extensions vector is correctly terminated. */
12045 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
12046 offset = offset_end;
12047 }
12048
12049 return offset;
12050} /* }}} */
12051
12052
12053/* ClientKeyExchange algo-specific dissectors. {{{ */
12054
12055static void
12056dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12057 proto_tree *tree, uint32_t offset,
12058 uint32_t length)
12059{
12060 int point_len;
12061 proto_tree *ssl_ecdh_tree;
12062
12063 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12064 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Client Params");
12065
12066 /* point */
12067 point_len = tvb_get_uint8(tvb, offset);
12068 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
12069 offset, 1, ENC_BIG_ENDIAN0x00000000);
12070 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
12071 offset + 1, point_len, ENC_NA0x00000000);
12072}
12073
12074static void
12075dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12076 proto_tree *tree, uint32_t offset, uint32_t length)
12077{
12078 int yc_len;
12079 proto_tree *ssl_dh_tree;
12080
12081 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12082 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Client Params");
12083
12084 /* ClientDiffieHellmanPublic.dh_public (explicit) */
12085 yc_len = tvb_get_ntohs(tvb, offset);
12086 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
12087 offset, 2, ENC_BIG_ENDIAN0x00000000);
12088 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,
12089 offset + 2, yc_len, ENC_NA0x00000000);
12090}
12091
12092static void
12093dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12094 proto_tree *tree, uint32_t offset,
12095 uint32_t length, const SslSession *session)
12096{
12097 int epms_len;
12098 proto_tree *ssl_rsa_tree;
12099
12100 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12101 hf->ett.keyex_params, NULL((void*)0), "RSA Encrypted PreMaster Secret");
12102
12103 /* EncryptedPreMasterSecret.pre_master_secret */
12104 switch (session->version) {
12105 case SSLV2_VERSION0x0002:
12106 case SSLV3_VERSION0x300:
12107 case DTLSV1DOT0_OPENSSL_VERSION0x100:
12108 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
12109 * not present. The handshake contents represents the EPMS, see:
12110 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
12111 epms_len = length;
12112 break;
12113
12114 default:
12115 /* TLS and DTLS include vector length before EPMS */
12116 epms_len = tvb_get_ntohs(tvb, offset);
12117 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12118 offset, 2, ENC_BIG_ENDIAN0x00000000);
12119 offset += 2;
12120 break;
12121 }
12122 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
12123 offset, epms_len, ENC_NA0x00000000);
12124}
12125
12126/* Used in PSK cipher suites */
12127static uint32_t
12128dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12129 proto_tree *tree, uint32_t offset)
12130{
12131 unsigned identity_len;
12132 proto_tree *ssl_psk_tree;
12133
12134 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12135 hf->ett.keyex_params, NULL((void*)0), "PSK Client Params");
12136 /* identity */
12137 identity_len = tvb_get_ntohs(tvb, offset);
12138 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
12139 offset, 2, ENC_BIG_ENDIAN0x00000000);
12140 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,
12141 offset + 2, identity_len, ENC_NA0x00000000);
12142
12143 proto_item_set_len(ssl_psk_tree, 2 + identity_len);
12144 return 2 + identity_len;
12145}
12146
12147/* Used in RSA PSK cipher suites */
12148static void
12149dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12150 proto_tree *tree, uint32_t offset,
12151 uint32_t length)
12152{
12153 int identity_len, epms_len;
12154 proto_tree *ssl_psk_tree;
12155
12156 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12157 hf->ett.keyex_params, NULL((void*)0), "RSA PSK Client Params");
12158
12159 /* identity */
12160 identity_len = tvb_get_ntohs(tvb, offset);
12161 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,
12162 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12163 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,
12164 tvb, offset + 2, identity_len, ENC_NA0x00000000);
12165 offset += 2 + identity_len;
12166
12167 /* Yc */
12168 epms_len = tvb_get_ntohs(tvb, offset);
12169 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12170 offset, 2, ENC_BIG_ENDIAN0x00000000);
12171 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,
12172 offset + 2, epms_len, ENC_NA0x00000000);
12173}
12174
12175/* Used in Diffie-Hellman PSK cipher suites */
12176static void
12177dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12178 proto_tree *tree, uint32_t offset, uint32_t length)
12179{
12180 /*
12181 * struct {
12182 * select (KeyExchangeAlgorithm) {
12183 * case diffie_hellman_psk:
12184 * opaque psk_identity<0..2^16-1>;
12185 * ClientDiffieHellmanPublic public;
12186 * } exchange_keys;
12187 * } ClientKeyExchange;
12188 */
12189
12190 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12191 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);
12192}
12193
12194/* Used in EC Diffie-Hellman PSK cipher suites */
12195static void
12196dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12197 proto_tree *tree, uint32_t offset, uint32_t length)
12198{
12199 /*
12200 * struct {
12201 * select (KeyExchangeAlgorithm) {
12202 * case ec_diffie_hellman_psk:
12203 * opaque psk_identity<0..2^16-1>;
12204 * ClientECDiffieHellmanPublic public;
12205 * } exchange_keys;
12206 * } ClientKeyExchange;
12207 */
12208
12209 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12210 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);
12211}
12212
12213/* Used in EC J-PAKE cipher suites */
12214static void
12215dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12216 proto_tree *tree, uint32_t offset,
12217 uint32_t length)
12218{
12219 /*
12220 * struct {
12221 * ECPoint V;
12222 * opaque r<1..2^8-1>;
12223 * } ECSchnorrZKP;
12224 *
12225 * struct {
12226 * ECPoint X;
12227 * ECSchnorrZKP zkp;
12228 * } ECJPAKEKeyKP;
12229 *
12230 * struct {
12231 * ECJPAKEKeyKP ecjpake_key_kp;
12232 * } ClientECJPAKEParams;
12233 *
12234 * select (KeyExchangeAlgorithm) {
12235 * case ecjpake:
12236 * ClientECJPAKEParams params;
12237 * } ClientKeyExchange;
12238 */
12239
12240 int point_len;
12241 proto_tree *ssl_ecjpake_tree;
12242
12243 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12244 hf->ett.keyex_params, NULL((void*)0),
12245 "EC J-PAKE Client Params");
12246
12247 /* ECJPAKEKeyKP.X */
12248 point_len = tvb_get_uint8(tvb, offset);
12249 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,
12250 offset, 1, ENC_BIG_ENDIAN0x00000000);
12251 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,
12252 offset + 1, point_len, ENC_NA0x00000000);
12253 offset += 1 + point_len;
12254
12255 /* ECJPAKEKeyKP.zkp.V */
12256 point_len = tvb_get_uint8(tvb, offset);
12257 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,
12258 offset, 1, ENC_BIG_ENDIAN0x00000000);
12259 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,
12260 offset + 1, point_len, ENC_NA0x00000000);
12261 offset += 1 + point_len;
12262
12263 /* ECJPAKEKeyKP.zkp.r */
12264 point_len = tvb_get_uint8(tvb, offset);
12265 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,
12266 offset, 1, ENC_BIG_ENDIAN0x00000000);
12267 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,
12268 offset + 1, point_len, ENC_NA0x00000000);
12269}
12270
12271static void
12272dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12273 proto_tree *tree, uint32_t offset,
12274 uint32_t length)
12275{
12276 int epms_len;
12277 proto_tree *ssl_ecc_sm2_tree;
12278
12279 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12280 hf->ett.keyex_params, NULL((void*)0),
12281 "ECC-SM2 Encrypted PreMaster Secret");
12282
12283 epms_len = tvb_get_ntohs(tvb, offset);
12284 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12285 offset, 2, ENC_BIG_ENDIAN0x00000000);
12286 offset += 2;
12287 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
12288 offset, epms_len, ENC_NA0x00000000);
12289}
12290/* ClientKeyExchange algo-specific dissectors. }}} */
12291
12292
12293/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
12294static uint32_t
12295ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12296 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12297 uint16_t version, int hf_sig_len, int hf_sig)
12298{
12299 uint32_t sig_len;
12300
12301 switch (version) {
12302 case TLSV1DOT2_VERSION0x303:
12303 case DTLSV1DOT2_VERSION0xfefd:
12304 case TLSV1DOT3_VERSION0x304:
12305 case DTLSV1DOT3_VERSION0xfefc:
12306 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
12307 offset += 2;
12308 break;
12309
12310 default:
12311 break;
12312 }
12313
12314 /* Sig */
12315 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
12316 hf_sig_len, 0, UINT16_MAX(65535))) {
12317 return offset_end;
12318 }
12319 offset += 2;
12320 proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA0x00000000);
12321 offset += sig_len;
12322 return offset;
12323} /* }}} */
12324
12325/* ServerKeyExchange algo-specific dissectors. {{{ */
12326
12327/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
12328static void
12329dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12330 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12331 uint16_t version)
12332{
12333 /*
12334 * TLSv1.2 (RFC 5246 sec 7.4.8)
12335 * struct {
12336 * digitally-signed struct {
12337 * opaque handshake_messages[handshake_messages_length];
12338 * }
12339 * } CertificateVerify;
12340 *
12341 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
12342 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
12343 *
12344 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
12345 * does more hashing including the master secret and padding.
12346 */
12347 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
12348 hf->hf.hs_server_keyex_sig_len,
12349 hf->hf.hs_server_keyex_sig);
12350}
12351
12352static uint32_t
12353dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
12354{
12355 /*
12356 * RFC 4492 ECC cipher suites for TLS
12357 *
12358 * struct {
12359 * ECCurveType curve_type;
12360 * select (curve_type) {
12361 * case explicit_prime:
12362 * ...
12363 * case explicit_char2:
12364 * ...
12365 * case named_curve:
12366 * NamedCurve namedcurve;
12367 * };
12368 * } ECParameters;
12369 */
12370
12371 int curve_type;
12372
12373 /* ECParameters.curve_type */
12374 curve_type = tvb_get_uint8(tvb, offset);
12375 proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
12376 offset, 1, ENC_BIG_ENDIAN0x00000000);
12377 offset++;
12378
12379 if (curve_type != 3)
12380 return offset_end; /* only named_curves are supported */
12381
12382 /* case curve_type == named_curve; ECParameters.namedcurve */
12383 proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
12384 offset, 2, ENC_BIG_ENDIAN0x00000000);
12385 offset += 2;
12386
12387 return offset;
12388}
12389
12390static void
12391dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12392 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12393 uint16_t version, bool_Bool anon)
12394{
12395 /*
12396 * RFC 4492 ECC cipher suites for TLS
12397 *
12398 * struct {
12399 * opaque point <1..2^8-1>;
12400 * } ECPoint;
12401 *
12402 * struct {
12403 * ECParameters curve_params;
12404 * ECPoint public;
12405 * } ServerECDHParams;
12406 *
12407 * select (KeyExchangeAlgorithm) {
12408 * case ec_diffie_hellman:
12409 * ServerECDHParams params;
12410 * Signature signed_params;
12411 * } ServerKeyExchange;
12412 */
12413
12414 int point_len;
12415 proto_tree *ssl_ecdh_tree;
12416
12417 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12418 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Server Params");
12419
12420 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);
12421 if (offset >= offset_end)
12422 return; /* only named_curves are supported */
12423
12424 /* ECPoint.point */
12425 point_len = tvb_get_uint8(tvb, offset);
12426 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
12427 offset, 1, ENC_BIG_ENDIAN0x00000000);
12428 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
12429 offset + 1, point_len, ENC_NA0x00000000);
12430 offset += 1 + point_len;
12431
12432 /* Signature (if non-anonymous KEX) */
12433 if (!anon) {
12434 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);
12435 }
12436}
12437
12438static void
12439dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12440 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12441 uint16_t version, bool_Bool anon)
12442{
12443 int p_len, g_len, ys_len;
12444 proto_tree *ssl_dh_tree;
12445
12446 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12447 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");
12448
12449 /* p */
12450 p_len = tvb_get_ntohs(tvb, offset);
12451 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
12452 offset, 2, ENC_BIG_ENDIAN0x00000000);
12453 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
12454 offset + 2, p_len, ENC_NA0x00000000);
12455 offset += 2 + p_len;
12456
12457 /* g */
12458 g_len = tvb_get_ntohs(tvb, offset);
12459 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
12460 offset, 2, ENC_BIG_ENDIAN0x00000000);
12461 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
12462 offset + 2, g_len, ENC_NA0x00000000);
12463 offset += 2 + g_len;
12464
12465 /* Ys */
12466 ys_len = tvb_get_ntohs(tvb, offset);
12467 proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
12468 offset, 2, ys_len);
12469 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
12470 offset + 2, ys_len, ENC_NA0x00000000);
12471 offset += 2 + ys_len;
12472
12473 /* Signature (if non-anonymous KEX) */
12474 if (!anon) {
12475 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
12476 }
12477}
12478
12479/* Only used in RSA-EXPORT cipher suites */
12480static void
12481dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12482 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12483 uint16_t version)
12484{
12485 int modulus_len, exponent_len;
12486 proto_tree *ssl_rsa_tree;
12487
12488 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12489 hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");
12490
12491 /* modulus */
12492 modulus_len = tvb_get_ntohs(tvb, offset);
12493 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
12494 offset, 2, ENC_BIG_ENDIAN0x00000000);
12495 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
12496 offset + 2, modulus_len, ENC_NA0x00000000);
12497 offset += 2 + modulus_len;
12498
12499 /* exponent */
12500 exponent_len = tvb_get_ntohs(tvb, offset);
12501 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
12502 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12503 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
12504 tvb, offset + 2, exponent_len, ENC_NA0x00000000);
12505 offset += 2 + exponent_len;
12506
12507 /* Signature */
12508 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
12509}
12510
12511/* Used in RSA PSK and PSK cipher suites */
12512static uint32_t
12513dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12514 proto_tree *tree, uint32_t offset)
12515{
12516 unsigned hint_len;
12517 proto_tree *ssl_psk_tree;
12518
12519 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12520 hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");
12521
12522 /* hint */
12523 hint_len = tvb_get_ntohs(tvb, offset);
12524 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
12525 offset, 2, ENC_BIG_ENDIAN0x00000000);
12526 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
12527 offset + 2, hint_len, ENC_NA0x00000000);
12528
12529 proto_item_set_len(ssl_psk_tree, 2 + hint_len);
12530 return 2 + hint_len;
12531}
12532
12533/* Used in Diffie-Hellman PSK cipher suites */
12534static void
12535dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12536 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12537{
12538 /*
12539 * struct {
12540 * select (KeyExchangeAlgorithm) {
12541 * case diffie_hellman_psk:
12542 * opaque psk_identity_hint<0..2^16-1>;
12543 * ServerDHParams params;
12544 * };
12545 * } ServerKeyExchange;
12546 */
12547
12548 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12549 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12550}
12551
12552/* Used in EC Diffie-Hellman PSK cipher suites */
12553static void
12554dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12555 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12556{
12557 /*
12558 * struct {
12559 * select (KeyExchangeAlgorithm) {
12560 * case ec_diffie_hellman_psk:
12561 * opaque psk_identity_hint<0..2^16-1>;
12562 * ServerECDHParams params;
12563 * };
12564 * } ServerKeyExchange;
12565 */
12566
12567 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12568 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12569}
12570
12571/* Used in EC J-PAKE cipher suites */
12572static void
12573dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12574 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12575{
12576 /*
12577 * struct {
12578 * ECPoint V;
12579 * opaque r<1..2^8-1>;
12580 * } ECSchnorrZKP;
12581 *
12582 * struct {
12583 * ECPoint X;
12584 * ECSchnorrZKP zkp;
12585 * } ECJPAKEKeyKP;
12586 *
12587 * struct {
12588 * ECParameters curve_params;
12589 * ECJPAKEKeyKP ecjpake_key_kp;
12590 * } ServerECJPAKEParams;
12591 *
12592 * select (KeyExchangeAlgorithm) {
12593 * case ecjpake:
12594 * ServerECJPAKEParams params;
12595 * } ServerKeyExchange;
12596 */
12597
12598 int point_len;
12599 proto_tree *ssl_ecjpake_tree;
12600
12601 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12602 hf->ett.keyex_params, NULL((void*)0),
12603 "EC J-PAKE Server Params");
12604
12605 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
12606 if (offset >= offset_end)
12607 return; /* only named_curves are supported */
12608
12609 /* ECJPAKEKeyKP.X */
12610 point_len = tvb_get_uint8(tvb, offset);
12611 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
12612 offset, 1, ENC_BIG_ENDIAN0x00000000);
12613 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
12614 offset + 1, point_len, ENC_NA0x00000000);
12615 offset += 1 + point_len;
12616
12617 /* ECJPAKEKeyKP.zkp.V */
12618 point_len = tvb_get_uint8(tvb, offset);
12619 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
12620 offset, 1, ENC_BIG_ENDIAN0x00000000);
12621 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
12622 offset + 1, point_len, ENC_NA0x00000000);
12623 offset += 1 + point_len;
12624
12625 /* ECJPAKEKeyKP.zkp.r */
12626 point_len = tvb_get_uint8(tvb, offset);
12627 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
12628 offset, 1, ENC_BIG_ENDIAN0x00000000);
12629 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
12630 offset + 1, point_len, ENC_NA0x00000000);
12631}
12632
12633/* Only used in ECC-SM2-EXPORT cipher suites */
12634static void
12635dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12636 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12637 uint16_t version)
12638{
12639 proto_tree *ssl_ecc_sm2_tree;
12640
12641 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12642 hf->ett.keyex_params, NULL((void*)0), "ECC-SM2-EXPORT Server Params");
12643
12644 /* Signature */
12645 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);
12646}
12647/* ServerKeyExchange algo-specific dissectors. }}} */
12648
12649/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12650void
12651ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12652 proto_tree *tree, uint32_t offset, uint32_t length,
12653 const SslSession *session)
12654{
12655 switch (ssl_get_keyex_alg(session->cipher)) {
12656 case KEX_DH_ANON0x13: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
12657 case KEX_DH_DSS0x14:
12658 case KEX_DH_RSA0x15:
12659 case KEX_DHE_DSS0x10:
12660 case KEX_DHE_RSA0x12:
12661 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
12662 break;
12663 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
12664 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
12665 break;
12666 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
12667 case KEX_ECDH_ECDSA0x1a:
12668 case KEX_ECDH_RSA0x1b:
12669 case KEX_ECDHE_ECDSA0x16:
12670 case KEX_ECDHE_RSA0x18:
12671 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
12672 break;
12673 case KEX_ECDHE_PSK0x17: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
12674 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
12675 break;
12676 case KEX_KRB50x1c: /* RFC 2712; krb5: KerberosWrapper */
12677 /* XXX: implement support for KRB5 */
12678 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12679 tvb, offset, length,
12680 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
12681 " developers if you want them to be supported");
12682 break;
12683 case KEX_PSK0x1d: /* RFC 4279; psk: psk_identity */
12684 dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12685 break;
12686 case KEX_RSA0x1e: /* RFC 5246; rsa: EncryptedPreMasterSecret */
12687 dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
12688 break;
12689 case KEX_RSA_PSK0x1f: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
12690 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
12691 break;
12692 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ClientSRPPublic */
12693 case KEX_SRP_SHA_DSS0x21:
12694 case KEX_SRP_SHA_RSA0x22:
12695 /* XXX: implement support for SRP_SHA* */
12696 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12697 tvb, offset, length,
12698 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12699 " developers if you want them to be supported");
12700 break;
12701 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12702 dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
12703 break;
12704 case KEX_ECC_SM20x26: /* GB/T 38636 */
12705 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
12706 break;
12707 default:
12708 if (session->cipher == 0) {
12709 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12710 tvb, offset, length,
12711 "Cipher Suite not found");
12712 } else {
12713 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12714 tvb, offset, length,
12715 "Cipher Suite 0x%04x is not implemented, "
12716 "contact Wireshark developers if you want this to be supported",
12717 session->cipher);
12718 }
12719 break;
12720 }
12721}
12722
12723void
12724ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12725 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12726 const SslSession *session)
12727{
12728 switch (ssl_get_keyex_alg(session->cipher)) {
12729 case KEX_DH_ANON0x13: /* RFC 5246; ServerDHParams */
12730 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12731 break;
12732 case KEX_DH_DSS0x14: /* RFC 5246; not allowed */
12733 case KEX_DH_RSA0x15:
12734 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12735 tvb, offset, offset_end - offset);
12736 break;
12737 case KEX_DHE_DSS0x10: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
12738 case KEX_DHE_RSA0x12:
12739 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12740 break;
12741 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
12742 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
12743 break;
12744 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
12745 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12746 break;
12747 case KEX_ECDHE_PSK0x17: /* RFC 5489; psk_identity_hint, ServerECDHParams */
12748 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
12749 break;
12750 case KEX_ECDH_ECDSA0x1a: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
12751 case KEX_ECDH_RSA0x1b:
12752 case KEX_ECDHE_ECDSA0x16:
12753 case KEX_ECDHE_RSA0x18:
12754 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12755 break;
12756 case KEX_KRB50x1c: /* RFC 2712; not allowed */
12757 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12758 tvb, offset, offset_end - offset);
12759 break;
12760 case KEX_PSK0x1d: /* RFC 4279; psk, rsa: psk_identity */
12761 case KEX_RSA_PSK0x1f:
12762 dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12763 break;
12764 case KEX_RSA0x1e: /* only allowed if the public key in the server certificate is longer than 512 bits */
12765 dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12766 break;
12767 case KEX_ECC_SM20x26: /* GB/T 38636 */
12768 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12769 break;
12770 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ServerSRPParams, Signature */
12771 case KEX_SRP_SHA_DSS0x21:
12772 case KEX_SRP_SHA_RSA0x22:
12773 /* XXX: implement support for SRP_SHA* */
12774 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12775 tvb, offset, offset_end - offset,
12776 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12777 " developers if you want them to be supported");
12778 break;
12779 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12780 dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
12781 break;
12782 default:
12783 if (session->cipher == 0) {
12784 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12785 tvb, offset, offset_end - offset,
12786 "Cipher Suite not found");
12787 } else {
12788 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12789 tvb, offset, offset_end - offset,
12790 "Cipher Suite 0x%04x is not implemented, "
12791 "contact Wireshark developers if you want this to be supported",
12792 session->cipher);
12793 }
12794 break;
12795 }
12796}
12797/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
12798
12799void
12800tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12801 proto_tree *tree, uint32_t offset)
12802{
12803 /* RFC 8446 Section 4.6.3
12804 * enum {
12805 * update_not_requested(0), update_requested(1), (255)
12806 * } KeyUpdateRequest;
12807 *
12808 * struct {
12809 * KeyUpdateRequest request_update;
12810 * } KeyUpdate;
12811 */
12812 proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA0x00000000);
12813}
12814
12815void
12816ssl_common_register_ssl_alpn_dissector_table(const char *name,
12817 const char *ui_name, const int proto)
12818{
12819 ssl_alpn_dissector_table = register_dissector_table(name, ui_name,
12820 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12821 register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");
12822}
12823
12824void
12825ssl_common_register_dtls_alpn_dissector_table(const char *name,
12826 const char *ui_name, const int proto)
12827{
12828 dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
12829 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12830 register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
12831}
12832
12833void
12834ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool_Bool is_dtls)
12835{
12836 prefs_register_string_preference(module, "psk", "Pre-Shared Key",
12837 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
12838 &(options->psk));
12839
12840 if (is_dtls) {
12841 prefs_register_obsolete_preference(module, "keylog_file");
12842 prefs_register_static_text_preference(module, "keylog_file_removed",
12843 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
12844 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
12845 return;
12846 }
12847
12848 prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
12849 "The name of a file which contains a list of \n"
12850 "(pre-)master secrets in one of the following formats:\n"
12851 "\n"
12852 "RSA <EPMS> <PMS>\n"
12853 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
12854 "CLIENT_RANDOM <CRAND> <MS>\n"
12855 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
12856 "\n"
12857 "Where:\n"
12858 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
12859 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
12860 "<SSLID> = The SSL Session ID\n"
12861 "<MS> = The Master-Secret (MS)\n"
12862 "<CRAND> = The Client's random number from the ClientHello message\n"
12863 "\n"
12864 "(All fields are in hex notation)",
12865 &(options->keylog_filename), false0);
12866}
12867
12868void
12869ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length)
12870{
12871 if (ssl_session && ssl_session->session.version != TLSV1DOT3_VERSION0x304 && !(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
12872 uint32_t old_length = ssl_session->handshake_data.data_len;
12873 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
12874 if (tvb) {
12875 if (tvb_bytes_exist(tvb, offset, length)) {
12876 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12877 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
12878 ssl_session->handshake_data.data_len += length;
12879 }
12880 } else {
12881 /* DTLS calculates the hash as if each handshake message had been
12882 * sent as a single fragment (RFC 6347, section 4.2.6) and passes
12883 * in a null tvbuff to add 3 bytes for a zero fragment offset.
12884 */
12885 DISSECTOR_ASSERT_CMPINT(length, <, 4)((void) ((length < 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "length" " " "<" " " "4" " (" "%"
"l" "d" " " "<" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 12885, (int64_t)length, (int64_t)4))));
12886 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12887 memset(ssl_session->handshake_data.data + old_length, 0, length);
12888 ssl_session->handshake_data.data_len += length;
12889 }
12890 }
12891}
12892
12893
12894/*
12895 * Editor modelines - https://www.wireshark.org/tools/modelines.html
12896 *
12897 * Local variables:
12898 * c-basic-offset: 4
12899 * tab-width: 8
12900 * indent-tabs-mode: nil
12901 * End:
12902 *
12903 * vi: set shiftwidth=4 tabstop=8 expandtab:
12904 * :indentSize=4:tabSize=8:noTabs=true:
12905 */