Bug Summary

File:epan/dissectors/packet-tls-utils.c
Warning:line 4889, column 17
Potential leak of memory pointed to by 'handshake_hashed_data.data'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-21/lib/clang/21 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-21/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2025-12-13-100343-3573-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <[email protected]>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <[email protected]>
6 * Copyright (c) 2014, Peter Wu <[email protected]>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <[email protected]>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15#include "config.h"
16
17#include <stdlib.h>
18#include <errno(*__errno_location ()).h>
19
20#include <epan/packet.h>
21#include <epan/strutil.h>
22#include <epan/addr_resolv.h>
23#include <epan/expert.h>
24#include <epan/asn1.h>
25#include <epan/proto_data.h>
26#include <epan/oids.h>
27#include <epan/secrets.h>
28
29#include <wsutil/inet_cidr.h>
30#include <wsutil/filesystem.h>
31#include <wsutil/file_util.h>
32#include <wsutil/str_util.h>
33#include <wsutil/report_message.h>
34#include <wsutil/pint.h>
35#include <wsutil/strtoi.h>
36#include <wsutil/wsgcrypt.h>
37#include <wsutil/rsa.h>
38#include <wsutil/ws_assert.h>
39#include <wsutil/zlib_compat.h>
40#include "packet-ber.h"
41#include "packet-x509af.h"
42#include "packet-x509if.h"
43#include "packet-tls-utils.h"
44#include "packet-ocsp.h"
45#include "packet-tls.h"
46#include "packet-dtls.h"
47#include "packet-quic.h"
48#if defined(HAVE_LIBGNUTLS1)
49#include <gnutls/abstract.h>
50#include <gnutls/x509.h>
51#include <gnutls/pkcs12.h>
52#endif
53
54/* JA3/JA3S calculations must ignore GREASE values
55 * as described in RFC 8701.
56 */
57#define IS_GREASE_TLS(x)((((x) & 0x0f0f) == 0x0a0a) && (((x) & 0xff) ==
(((x)>>8) & 0xff))) ((((x) & 0x0f0f) == 0x0a0a) && \
58 (((x) & 0xff) == (((x)>>8) & 0xff)))
59
60/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
61 * form for a similar purpose as GREASE.
62 */
63#define IS_GREASE_QUIC(x)((x) > 27 ? ((((x) - 27) % 31) == 0) : 0) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)
64
65#define DTLS13_MAX_EPOCH10 10
66
67/* Lookup tables {{{ */
68const value_string ssl_version_short_names[] = {
69 { SSLV2_VERSION0x0002, "SSLv2" },
70 { SSLV3_VERSION0x300, "SSLv3" },
71 { TLSV1_VERSION0x301, "TLSv1" },
72 { TLCPV1_VERSION0x101, "TLCP" },
73 { TLSV1DOT1_VERSION0x302, "TLSv1.1" },
74 { TLSV1DOT2_VERSION0x303, "TLSv1.2" },
75 { TLSV1DOT3_VERSION0x304, "TLSv1.3" },
76 { DTLSV1DOT0_VERSION0xfeff, "DTLSv1.0" },
77 { DTLSV1DOT2_VERSION0xfefd, "DTLSv1.2" },
78 { DTLSV1DOT3_VERSION0xfefc, "DTLSv1.3" },
79 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
80 { 0x00, NULL((void*)0) }
81};
82
83const value_string ssl_versions[] = {
84 { SSLV2_VERSION0x0002, "SSL 2.0" },
85 { SSLV3_VERSION0x300, "SSL 3.0" },
86 { TLSV1_VERSION0x301, "TLS 1.0" },
87 { TLCPV1_VERSION0x101, "TLCP" },
88 { TLSV1DOT1_VERSION0x302, "TLS 1.1" },
89 { TLSV1DOT2_VERSION0x303, "TLS 1.2" },
90 { TLSV1DOT3_VERSION0x304, "TLS 1.3" },
91 { 0x7F0E, "TLS 1.3 (draft 14)" },
92 { 0x7F0F, "TLS 1.3 (draft 15)" },
93 { 0x7F10, "TLS 1.3 (draft 16)" },
94 { 0x7F11, "TLS 1.3 (draft 17)" },
95 { 0x7F12, "TLS 1.3 (draft 18)" },
96 { 0x7F13, "TLS 1.3 (draft 19)" },
97 { 0x7F14, "TLS 1.3 (draft 20)" },
98 { 0x7F15, "TLS 1.3 (draft 21)" },
99 { 0x7F16, "TLS 1.3 (draft 22)" },
100 { 0x7F17, "TLS 1.3 (draft 23)" },
101 { 0x7F18, "TLS 1.3 (draft 24)" },
102 { 0x7F19, "TLS 1.3 (draft 25)" },
103 { 0x7F1A, "TLS 1.3 (draft 26)" },
104 { 0x7F1B, "TLS 1.3 (draft 27)" },
105 { 0x7F1C, "TLS 1.3 (draft 28)" },
106 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },
107 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },
108 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
109 { DTLSV1DOT0_VERSION0xfeff, "DTLS 1.0" },
110 { DTLSV1DOT2_VERSION0xfefd, "DTLS 1.2" },
111 { DTLSV1DOT3_VERSION0xfefc, "DTLS 1.3" },
112 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
113 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
114 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
115 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
116 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
117 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
118 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
119 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
120 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
121 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
122 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */
123 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */
124 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */
125 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */
126 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */
127 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */
128 { 0x00, NULL((void*)0) }
129};
130
131static const value_string ssl_version_ja4_names[] = {
132 { 0x0100, "s1" },
133 { SSLV2_VERSION0x0002, "s2" },
134 { SSLV3_VERSION0x300, "s3" },
135 { TLSV1_VERSION0x301, "10" },
136 { TLSV1DOT1_VERSION0x302, "11" },
137 { TLSV1DOT2_VERSION0x303, "12" },
138 { TLSV1DOT3_VERSION0x304, "13" },
139 { DTLSV1DOT0_VERSION0xfeff, "d1" },
140 { DTLSV1DOT2_VERSION0xfefd, "d2" },
141 { DTLSV1DOT3_VERSION0xfefc, "d3" },
142 { 0x00, NULL((void*)0) }
143};
144
145const value_string ssl_20_msg_types[] = {
146 { SSL2_HND_ERROR0x00, "Error" },
147 { SSL2_HND_CLIENT_HELLO0x01, "Client Hello" },
148 { SSL2_HND_CLIENT_MASTER_KEY0x02, "Client Master Key" },
149 { SSL2_HND_CLIENT_FINISHED0x03, "Client Finished" },
150 { SSL2_HND_SERVER_HELLO0x04, "Server Hello" },
151 { SSL2_HND_SERVER_VERIFY0x05, "Server Verify" },
152 { SSL2_HND_SERVER_FINISHED0x06, "Server Finished" },
153 { SSL2_HND_REQUEST_CERTIFICATE0x07, "Request Certificate" },
154 { SSL2_HND_CLIENT_CERTIFICATE0x08, "Client Certificate" },
155 { 0x00, NULL((void*)0) }
156};
157/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
158/* Note: sorted by ascending value so value_string-ext can do a binary search */
159static const value_string ssl_20_cipher_suites[] = {
160 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
161 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
162 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
163 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
164 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
165 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
166 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
167 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
168 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
169 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
170 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
171 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
172 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
173 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
174 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
175 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
176 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
177 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
178 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
179 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
180 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
181 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
182 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
183 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
184 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
185 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
186 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
187 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
188 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
189 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
190#if 0
191 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
192#endif
193 /* RFC 2712 */
194 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
195 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
196 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
197 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
198 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
199 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
200 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
201 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
202 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
203 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
204 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
205 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
206 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
207 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
208 /* RFC 4785 */
209 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
210 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
211 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
212 /* RFC 5246 */
213 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
214 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
215 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
216 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
217 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
218 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
219 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
220 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
221 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
222 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
223 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
224 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
225 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
226 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
227 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
228 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
229 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
230 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
231 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
232 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
233 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
234 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
235 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
236 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
237 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
238 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
239 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
240 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
241 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
242 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
243 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
244 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
245 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
246 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
247 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
248 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
249 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
250 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
251 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
252 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
253 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
254 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
255 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
256 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
257 /* 0x00,0x6E-83 Unassigned */
258 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
259 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
260 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
261 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
262 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
263 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
264 /* RFC 4279 */
265 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
266 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
267 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
268 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
269 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
270 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
271 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
272 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
273 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
274 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
275 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
276 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
277 /* RFC 4162 */
278 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
279 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
280 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
281 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
282 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
283 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
284 /* RFC 5288 */
285 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
286 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
287 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
288 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
289 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
290 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
291 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
292 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
293 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
294 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
295 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
296 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
297 /* RFC 5487 */
298 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
299 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
300 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
301 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
302 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
303 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
304 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
305 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
306 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
307 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
308 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
309 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
310 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
311 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
312 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
313 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
314 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
315 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
316 /* From RFC 5932 */
317 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
318 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
319 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
320 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
321 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
322 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
323 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
324 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
325 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
326 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
327 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
328 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
329 /* 0x00,0xC6-FE Unassigned */
330 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
331 /* 0x01-BF,* Unassigned */
332 /* From RFC 4492 */
333 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
334 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
335 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
336 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
337 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
338 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
339 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
340 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
341 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
342 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
343 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
344 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
345 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
346 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
347 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
348 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
349 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
350 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
351 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
352 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
353 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
354 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
355 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
356 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
357 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
358 /* RFC 5054 */
359 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
360 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
361 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
362 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
363 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
364 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
365 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
366 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
367 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
368 /* RFC 5589 */
369 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
370 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
371 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
372 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
373 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
374 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
375 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
376 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
377 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
378 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
379 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
380 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
381 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
382 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
383 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
384 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
385 /* RFC 5489 */
386 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
387 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
388 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
389 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
390 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
391 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
392 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
393 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
394 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
395 /* 0xC0,0x3C-FF Unassigned
396 0xC1-FD,* Unassigned
397 0xFE,0x00-FD Unassigned
398 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
399 0xFF,0x00-FF Reserved for Private Use [RFC5246]
400 */
401
402 /* old numbers used in the beginning
403 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
404 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
405 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
406 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
407
408 /* https://tools.ietf.org/html/rfc7905 */
409 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
410 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
411 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
412 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
413 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
414 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
415 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
416
417 /* GM/T 0024-2014 */
418 { 0x00e001, "ECDHE_SM1_SM3"},
419 { 0x00e003, "ECC_SM1_SM3"},
420 { 0x00e005, "IBSDH_SM1_SM3"},
421 { 0x00e007, "IBC_SM1_SM3"},
422 { 0x00e009, "RSA_SM1_SM3"},
423 { 0x00e00a, "RSA_SM1_SHA1"},
424 { 0x00e011, "ECDHE_SM4_CBC_SM3"},
425 { 0x00e013, "ECC_SM4_CBC_SM3"},
426 { 0x00e015, "IBSDH_SM4_CBC_SM3"},
427 { 0x00e017, "IBC_SM4_CBC_SM3"},
428 { 0x00e019, "RSA_SM4_CBC_SM3"},
429 { 0x00e01a, "RSA_SM4_CBC_SHA1"},
430 { 0x00e01c, "RSA_SM4_CBC_SHA256"},
431 { 0x00e051, "ECDHE_SM4_GCM_SM3"},
432 { 0x00e053, "ECC_SM4_GCM_SM3"},
433 { 0x00e055, "IBSDH_SM4_GCM_SM3"},
434 { 0x00e057, "IBC_SM4_GCM_SM3"},
435 { 0x00e059, "RSA_SM4_GCM_SM3"},
436 { 0x00e05a, "RSA_SM4_GCM_SHA256"},
437
438 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
439 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
440 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
441 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
442 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
443 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
444 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
445 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
446 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
447 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
448 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
449 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
450 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
451 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
452 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
453 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
454 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
455
456 /* these from http://www.mozilla.org/projects/
457 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
458 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
459 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
460 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
461 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
462 /* note that ciphersuites of {0x00????} are TLS cipher suites in
463 * a sslv2 client hello message; the ???? above is the two-byte
464 * tls cipher suite id
465 */
466
467 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
468 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
469 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
470 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
471 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
472 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
473 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
474 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
475
476 { 0x00, NULL((void*)0) }
477};
478
479value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites){ _try_val_to_str_ext_init, 0, (sizeof (ssl_20_cipher_suites)
/ sizeof ((ssl_20_cipher_suites)[0]))-1, ssl_20_cipher_suites
, "ssl_20_cipher_suites", ((void*)0) };
480
481
482/*
483 * Supported Groups (formerly named "EC Named Curve").
484 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
485 */
486const value_string ssl_extension_curves[] = {
487 { 1, "sect163k1" },
488 { 2, "sect163r1" },
489 { 3, "sect163r2" },
490 { 4, "sect193r1" },
491 { 5, "sect193r2" },
492 { 6, "sect233k1" },
493 { 7, "sect233r1" },
494 { 8, "sect239k1" },
495 { 9, "sect283k1" },
496 { 10, "sect283r1" },
497 { 11, "sect409k1" },
498 { 12, "sect409r1" },
499 { 13, "sect571k1" },
500 { 14, "sect571r1" },
501 { 15, "secp160k1" },
502 { 16, "secp160r1" },
503 { 17, "secp160r2" },
504 { 18, "secp192k1" },
505 { 19, "secp192r1" },
506 { 20, "secp224k1" },
507 { 21, "secp224r1" },
508 { 22, "secp256k1" },
509 { 23, "secp256r1" },
510 { 24, "secp384r1" },
511 { 25, "secp521r1" },
512 { 26, "brainpoolP256r1" }, /* RFC 7027 */
513 { 27, "brainpoolP384r1" }, /* RFC 7027 */
514 { 28, "brainpoolP512r1" }, /* RFC 7027 */
515 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
516 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
517 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
518 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
519 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
520 { 34, "GC256A" }, /* RFC9189 */
521 { 35, "GC256B" }, /* RFC9189 */
522 { 36, "GC256C" }, /* RFC9189 */
523 { 37, "GC256D" }, /* RFC9189 */
524 { 38, "GC512A" }, /* RFC9189 */
525 { 39, "GC512B" }, /* RFC9189 */
526 { 40, "GC512C" }, /* RFC9189 */
527 { 41, "curveSM2" }, /* RFC 8998 */
528 { 256, "ffdhe2048" }, /* RFC 7919 */
529 { 257, "ffdhe3072" }, /* RFC 7919 */
530 { 258, "ffdhe4096" }, /* RFC 7919 */
531 { 259, "ffdhe6144" }, /* RFC 7919 */
532 { 260, "ffdhe8192" }, /* RFC 7919 */
533 { 512, "MLKEM512"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
534 { 513, "MLKEM768"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
535 { 514, "MLKEM1024"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
536 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
537 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
538 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
539 { 4589, "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
540 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
541 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
542 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
543 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
544 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
545 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
546 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
547 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
548 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
549 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
550 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
552 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
553 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
556 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
557 { 0xFF01, "arbitrary_explicit_prime_curves" },
558 { 0xFF02, "arbitrary_explicit_char2_curves" },
559 /* Below are various unofficial values that have been used for testing. */
560 /* PQC key exchange algorithms from OQS-OpenSSL,
561 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
562 These use IANA unassigned values and this list may be incomplete.
563 */
564 { 0x2F00, "p256_frodo640aes" },
565 { 0x2F01, "p256_frodo640shake" },
566 { 0x2F02, "p384_frodo976aes" },
567 { 0x0203, "frodo976shake" },
568 { 0x2F03, "p384_frodo976shake" },
569 { 0x0204, "frodo1344aes" },
570 { 0x2F04, "p521_frodo1344aes" },
571 { 0x0205, "frodo1344shake" },
572 { 0x2F05, "p521_frodo1344shake" },
573 { 0x023A, "kyber512" },
574 { 0x2F3A, "p256_kyber512" },
575 { 0x023C, "kyber768" },
576 { 0x2F3C, "p384_kyber768" },
577 { 0x023D, "kyber1024" },
578 { 0x2F3D, "p521_kyber1024" },
579 { 0x0214, "ntru_hps2048509" },
580 { 0x2F14, "p256_ntru_hps2048509" },
581 { 0x0215, "ntru_hps2048677" },
582 { 0x2F15, "p384_ntru_hps2048677" },
583 { 0x0216, "ntru_hps4096821" },
584 { 0x2F16, "p521_ntru_hps4096821" },
585 { 0x0245, "ntru_hps40961229" },
586 { 0x2F45, "p521_ntru_hps40961229" },
587 { 0x0217, "ntru_hrss701" },
588 { 0x2F17, "p384_ntru_hrss701" },
589 { 0x0246, "ntru_hrss1373" },
590 { 0x2F46, "p521_ntru_hrss1373" },
591 { 0x0218, "lightsaber" },
592 { 0x2F18, "p256_lightsaber" },
593 { 0x0219, "saber" },
594 { 0x2F19, "p384_saber" },
595 { 0x021A, "firesaber" },
596 { 0x2F1A, "p521_firesaber" },
597 { 0x021B, "sidhp434" },
598 { 0x2F1B, "p256_sidhp434" },
599 { 0x021C, "sidhp503" },
600 { 0x2F1C, "p256_sidhp503" },
601 { 0x021D, "sidhp610" },
602 { 0x2F1D, "p384_sidhp610" },
603 { 0x021E, "sidhp751" },
604 { 0x2F1E, "p521_sidhp751" },
605 { 0x021F, "sikep434" },
606 { 0x2F1F, "p256_sikep434" },
607 { 0x0220, "sikep503" },
608 { 0x2F20, "p256_sikep503" },
609 { 0x0221, "sikep610" },
610 { 0x2F21, "p384_sikep610" },
611 { 0x0222, "sikep751" },
612 { 0x2F22, "p521_sikep751" },
613 { 0x0238, "bikel1" },
614 { 0x2F38, "p256_bikel1" },
615 { 0x023B, "bikel3" },
616 { 0x2F3B, "p384_bikel3" },
617 { 0x023E, "kyber90s512" },
618 { 0x2F3E, "p256_kyber90s512" },
619 { 0x023F, "kyber90s768" },
620 { 0x2F3F, "p384_kyber90s768" },
621 { 0x0240, "kyber90s1024" },
622 { 0x2F40, "p521_kyber90s1024" },
623 { 0x022C, "hqc128" },
624 { 0x2F2C, "p256_hqc128" },
625 { 0x022D, "hqc192" },
626 { 0x2F2D, "p384_hqc192" },
627 { 0x022E, "hqc256" },
628 { 0x2F2E, "p521_hqc256" },
629 { 0x022F, "ntrulpr653" },
630 { 0x2F2F, "p256_ntrulpr653" },
631 { 0x0230, "ntrulpr761" },
632 { 0x2F43, "p256_ntrulpr761" },
633 { 0x0231, "ntrulpr857" },
634 { 0x2F31, "p384_ntrulpr857" },
635 { 0x0241, "ntrulpr1277" },
636 { 0x2F41, "p521_ntrulpr1277" },
637 { 0x0232, "sntrup653" },
638 { 0x2F32, "p256_sntrup653" },
639 { 0x0233, "sntrup761" },
640 { 0x2F44, "p256_sntrup761" },
641 { 0x0234, "sntrup857" },
642 { 0x2F34, "p384_sntrup857" },
643 { 0x0242, "sntrup1277" },
644 { 0x2F42, "p521_sntrup1277" },
645 /* Other PQ key exchange algorithms, using Reserved for Private Use values
646 https://blog.cloudflare.com/post-quantum-for-all
647 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
648 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
649 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
650 { 0x00, NULL((void*)0) }
651};
652
653const value_string ssl_curve_types[] = {
654 { 1, "explicit_prime" },
655 { 2, "explicit_char2" },
656 { 3, "named_curve" },
657 { 0x00, NULL((void*)0) }
658};
659
660const value_string ssl_extension_ec_point_formats[] = {
661 { 0, "uncompressed" },
662 { 1, "ansiX962_compressed_prime" },
663 { 2, "ansiX962_compressed_char2" },
664 { 0x00, NULL((void*)0) }
665};
666
667const value_string ssl_20_certificate_type[] = {
668 { 0x00, "N/A" },
669 { 0x01, "X.509 Certificate" },
670 { 0x00, NULL((void*)0) }
671};
672
673const value_string ssl_31_content_type[] = {
674 { 20, "Change Cipher Spec" },
675 { 21, "Alert" },
676 { 22, "Handshake" },
677 { 23, "Application Data" },
678 { 24, "Heartbeat" },
679 { 25, "Connection ID" },
680 { 0x00, NULL((void*)0) }
681};
682
683#if 0
684/* XXX - would be used if we dissected the body of a Change Cipher Spec
685 message. */
686const value_string ssl_31_change_cipher_spec[] = {
687 { 1, "Change Cipher Spec" },
688 { 0x00, NULL((void*)0) }
689};
690#endif
691
692const value_string ssl_31_alert_level[] = {
693 { 1, "Warning" },
694 { 2, "Fatal" },
695 { 0x00, NULL((void*)0) }
696};
697
698const value_string ssl_31_alert_description[] = {
699 { 0, "Close Notify" },
700 { 1, "End of Early Data" },
701 { 10, "Unexpected Message" },
702 { 20, "Bad Record MAC" },
703 { 21, "Decryption Failed" },
704 { 22, "Record Overflow" },
705 { 30, "Decompression Failure" },
706 { 40, "Handshake Failure" },
707 { 41, "No Certificate" },
708 { 42, "Bad Certificate" },
709 { 43, "Unsupported Certificate" },
710 { 44, "Certificate Revoked" },
711 { 45, "Certificate Expired" },
712 { 46, "Certificate Unknown" },
713 { 47, "Illegal Parameter" },
714 { 48, "Unknown CA" },
715 { 49, "Access Denied" },
716 { 50, "Decode Error" },
717 { 51, "Decrypt Error" },
718 { 60, "Export Restriction" },
719 { 70, "Protocol Version" },
720 { 71, "Insufficient Security" },
721 { 80, "Internal Error" },
722 { 86, "Inappropriate Fallback" },
723 { 90, "User Canceled" },
724 { 100, "No Renegotiation" },
725 { 109, "Missing Extension" },
726 { 110, "Unsupported Extension" },
727 { 111, "Certificate Unobtainable" },
728 { 112, "Unrecognized Name" },
729 { 113, "Bad Certificate Status Response" },
730 { 114, "Bad Certificate Hash Value" },
731 { 115, "Unknown PSK Identity" },
732 { 116, "Certificate Required" },
733 { 120, "No application Protocol" },
734 { 121, "ECH Required" },
735 { 0x00, NULL((void*)0) }
736};
737
738const value_string ssl_31_handshake_type[] = {
739 { SSL_HND_HELLO_REQUEST, "Hello Request" },
740 { SSL_HND_CLIENT_HELLO, "Client Hello" },
741 { SSL_HND_SERVER_HELLO, "Server Hello" },
742 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
743 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
744 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
745 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
746 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
747 { SSL_HND_CERTIFICATE, "Certificate" },
748 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
749 { SSL_HND_CERT_REQUEST, "Certificate Request" },
750 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
751 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
752 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
753 { SSL_HND_FINISHED, "Finished" },
754 { SSL_HND_CERT_URL, "Client Certificate URL" },
755 { SSL_HND_CERT_STATUS, "Certificate Status" },
756 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
757 { SSL_HND_KEY_UPDATE, "Key Update" },
758 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
759 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
760 { 0x00, NULL((void*)0) }
761};
762
763const value_string tls_heartbeat_type[] = {
764 { 1, "Request" },
765 { 2, "Response" },
766 { 0x00, NULL((void*)0) }
767};
768
769const value_string tls_heartbeat_mode[] = {
770 { 1, "Peer allowed to send requests" },
771 { 2, "Peer not allowed to send requests" },
772 { 0x00, NULL((void*)0) }
773};
774
775const value_string ssl_31_compression_method[] = {
776 { 0, "null" },
777 { 1, "DEFLATE" },
778 { 64, "LZS" },
779 { 0x00, NULL((void*)0) }
780};
781
782#if 0
783/* XXX - would be used if we dissected a Signature, as would be
784 seen in a server key exchange or certificate verify message. */
785const value_string ssl_31_key_exchange_algorithm[] = {
786 { 0, "RSA" },
787 { 1, "Diffie Hellman" },
788 { 0x00, NULL((void*)0) }
789};
790
791const value_string ssl_31_signature_algorithm[] = {
792 { 0, "Anonymous" },
793 { 1, "RSA" },
794 { 2, "DSA" },
795 { 0x00, NULL((void*)0) }
796};
797#endif
798
799const value_string ssl_31_client_certificate_type[] = {
800 { 1, "RSA Sign" },
801 { 2, "DSS Sign" },
802 { 3, "RSA Fixed DH" },
803 { 4, "DSS Fixed DH" },
804 /* GOST certificate types */
805 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
806 { 21, "GOST R 34.10-94" },
807 { 22, "GOST R 34.10-2001" },
808 /* END GOST certificate types */
809 { 64, "ECDSA Sign" },
810 { 65, "RSA Fixed ECDH" },
811 { 66, "ECDSA Fixed ECDH" },
812 { 80, "IBC Params" },
813 { 0x00, NULL((void*)0) }
814};
815
816#if 0
817/* XXX - would be used if we dissected exchange keys, as would be
818 seen in a client key exchange message. */
819const value_string ssl_31_public_value_encoding[] = {
820 { 0, "Implicit" },
821 { 1, "Explicit" },
822 { 0x00, NULL((void*)0) }
823};
824#endif
825
826/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
827/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
828static const value_string ssl_31_ciphersuite[] = {
829 /* RFC 2246, RFC 4346, RFC 5246 */
830 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
831 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
832 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
833 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
834 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
835 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
836 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
837 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
838 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
839 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
840 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
841 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
842 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
843 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
844 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
845 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
846 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
847 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
848 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
849 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
850 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
851 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
852 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
853 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
854 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
855 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
856 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
857 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
858
859 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
860 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
861#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
862 to remove according to David Hopwood <[email protected]>
863 of the ietf-tls list */
864 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
865#endif
866 /* RFC 2712 */
867 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
868 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
869 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
870 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
871 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
872 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
873 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
874 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
875 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
876 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
877 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
878 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
879 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
880 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
881 /* RFC 4785 */
882 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
883 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
884 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
885 /* RFC 5246 */
886 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
887 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
888 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
889 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
890 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
891 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
892 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
893 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
894 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
895 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
896 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
897 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
898 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
899 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
900 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
901 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
902 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
903 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
904 /* RFC 4132 */
905 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
906 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
907 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
908 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
909 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
910 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
911 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
912 /* --- ??? --- */
913 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
914 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
915 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
916 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
917 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
918 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
919 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
920 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
921 /* --- ??? ---*/
922 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
923 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
924 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
925 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
926 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
927 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
928 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
929 /* draft-chudov-cryptopro-cptls-04.txt */
930 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
931 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
932 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
933 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
934 /* RFC 4132 */
935 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
936 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
937 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
938 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
939 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
940 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
941 /* RFC 4279 */
942 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
943 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
944 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
945 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
946 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
947 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
948 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
949 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
950 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
951 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
952 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
953 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
954 /* RFC 4162 */
955 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
956 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
957 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
958 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
959 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
960 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
961 /* RFC 5288 */
962 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
963 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
964 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
965 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
966 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
967 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
968 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
969 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
970 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
971 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
972 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
973 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
974 /* RFC 5487 */
975 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
976 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
977 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
978 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
979 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
980 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
981 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
982 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
983 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
984 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
985 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
986 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
987 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
988 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
989 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
990 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
991 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
992 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
993 /* From RFC 5932 */
994 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
995 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
996 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
997 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
998 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
999 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
1000 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1001 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1002 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1003 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1004 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1005 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1006 /* RFC 8998 */
1007 { 0x00C6, "TLS_SM4_GCM_SM3" },
1008 { 0x00C7, "TLS_SM4_CCM_SM3" },
1009 /* 0x00,0xC8-FE Unassigned */
1010 /* From RFC 5746 */
1011 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1012 /* RFC 8701 */
1013 { 0x0A0A, "Reserved (GREASE)" },
1014 /* RFC 8446 */
1015 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1016 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1017 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1018 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1019 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1020 /* RFC 8701 */
1021 { 0x1A1A, "Reserved (GREASE)" },
1022 { 0x2A2A, "Reserved (GREASE)" },
1023 { 0x3A3A, "Reserved (GREASE)" },
1024 { 0x4A4A, "Reserved (GREASE)" },
1025 /* From RFC 7507 */
1026 { 0x5600, "TLS_FALLBACK_SCSV" },
1027 /* RFC 8701 */
1028 { 0x5A5A, "Reserved (GREASE)" },
1029 { 0x6A6A, "Reserved (GREASE)" },
1030 { 0x7A7A, "Reserved (GREASE)" },
1031 { 0x8A8A, "Reserved (GREASE)" },
1032 { 0x9A9A, "Reserved (GREASE)" },
1033 { 0xAAAA, "Reserved (GREASE)" },
1034 { 0xBABA, "Reserved (GREASE)" },
1035 /* From RFC 4492 */
1036 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1037 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1038 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1039 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1040 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1041 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1042 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1043 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1044 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1045 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1046 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1047 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1048 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1049 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1050 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1051 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1052 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1053 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1054 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1055 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1056 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1057 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1058 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1059 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1060 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1061 /* RFC 5054 */
1062 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1063 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1064 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1065 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1066 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1067 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1068 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1069 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1070 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1071 /* RFC 5589 */
1072 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1073 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1074 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1075 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1076 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1077 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1078 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1079 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1080 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1081 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1082 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1083 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1084 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1085 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1086 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1087 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1088 /* RFC 5489 */
1089 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1090 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1091 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1092 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1093 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1094 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1095 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1096 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1097 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1098 /* RFC 6209 */
1099 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1100 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1101 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1102 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1103 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1104 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1105 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1106 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1107 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1108 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1109 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1110 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1111 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1112 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1113 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1114 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1115 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1116 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1117 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1118 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1119 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1120 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1121 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1122 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1123 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1124 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1125 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1126 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1127 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1128 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1129 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1130 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1131 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1132 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1133 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1134 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1135 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1136 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1137 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1138 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1139 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1140 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1141 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1142 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1143 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1144 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1145 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1146 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1147 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1148 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1149 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1150 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1151 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1152 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1153 /* RFC 6367 */
1154 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1155 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1156 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1157 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1158 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1159 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1160 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1161 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1162 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1163 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1164 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1165 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1166 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1167 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1168 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1169 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1170 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1171 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1172 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1173 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1174 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1175 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1176 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1177 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1178 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1179 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1180 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1181 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1182 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1183 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1184 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1185 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1186 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1187 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1188 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1189 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1190 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1191 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1192 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1193 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1194 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1195 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1196 /* RFC 6655 */
1197 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1198 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1199 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1200 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1201 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1202 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1203 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1204 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1205 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1206 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1207 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1208 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1209 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1210 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1211 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1212 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1213 /* RFC 7251 */
1214 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1215 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1216 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1217 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1218 /* RFC 8492 */
1219 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1220 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1221 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1222 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1223 /* draft-camwinget-tls-ts13-macciphersuites */
1224 { 0xC0B4, "TLS_SHA256_SHA256" },
1225 { 0xC0B5, "TLS_SHA384_SHA384" },
1226 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1227 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1228 /* draft-smyshlyaev-tls12-gost-suites */
1229 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1230 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1231 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1232 /* draft-smyshlyaev-tls13-gost-suites */
1233 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1234 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1235 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1236 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1237 /* RFC 8701 */
1238 { 0xCACA, "Reserved (GREASE)" },
1239/*
12400xC0,0xAB-FF Unassigned
12410xC1,0x03-FD,* Unassigned
12420xFE,0x00-FD Unassigned
12430xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
12440xFF,0x00-FF Reserved for Private Use [RFC5246]
1245*/
1246 /* old numbers used in the beginning
1247 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
1248 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1249 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1250 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1251 /* RFC 7905 */
1252 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1253 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1254 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1255 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1256 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1257 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1258 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1259 /* RFC 8442 */
1260 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1261 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1262 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1263 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1264 /* RFC 8701 */
1265 { 0xDADA, "Reserved (GREASE)" },
1266 /* GM/T 0024-2014 */
1267 { 0xe001, "ECDHE_SM1_SM3"},
1268 { 0xe003, "ECC_SM1_SM3"},
1269 { 0xe005, "IBSDH_SM1_SM3"},
1270 { 0xe007, "IBC_SM1_SM3"},
1271 { 0xe009, "RSA_SM1_SM3"},
1272 { 0xe00a, "RSA_SM1_SHA1"},
1273 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1274 { 0xe013, "ECC_SM4_CBC_SM3"},
1275 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1276 { 0xe017, "IBC_SM4_CBC_SM3"},
1277 { 0xe019, "RSA_SM4_CBC_SM3"},
1278 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1279 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1280 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1281 { 0xe053, "ECC_SM4_GCM_SM3"},
1282 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1283 { 0xe057, "IBC_SM4_GCM_SM3"},
1284 { 0xe059, "RSA_SM4_GCM_SM3"},
1285 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1286 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1287 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1288 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1289 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1290 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1291 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1292 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1293 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1294 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1295 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1296 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1297 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1298 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1299 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1300 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1301 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1302 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1303 /* RFC 8701 */
1304 { 0xEAEA, "Reserved (GREASE)" },
1305 { 0xFAFA, "Reserved (GREASE)" },
1306 /* these from http://www.mozilla.org/projects/
1307 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
1308 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1309 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1310 /* https://datatracker.ietf.org/doc/html/rfc9189 */
1311 { 0xff85, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"},
1312 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1313 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1314 /* note that ciphersuites 0xff00 - 0xffff are private */
1315 { 0x00, NULL((void*)0) }
1316};
1317
1318value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
, ((void*)0) };
1319
1320/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1321const value_string tls_hello_extension_types[] = {
1322 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1323 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1324 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1325 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1326 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1327 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1328 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1329 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1330 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1331 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1332 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1333 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1334 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1335 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1336 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1337 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1338 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1339 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1340 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1341 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1342 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1343 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1344 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1345 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1346 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1347 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1348 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1349 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1350 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1351 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1352 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1353 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1354 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1355 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1356 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1357 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1358 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1359 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1360 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1363 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1364 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1365 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1366 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1367 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1368 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1369 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1370 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1371 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1372 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1373 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1374 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1375 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03 */
1376 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1377 { SSL_HND_HELLO_EXT_ALPS_OLD17513, "application_settings_old" }, /* draft-vvv-tls-alps-01 */
1378 { SSL_HND_HELLO_EXT_ALPS17613, "application_settings" }, /* draft-vvv-tls-alps-01 */ /* https://chromestatus.com/feature/5149147365900288 */
1379 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1381 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1382 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1383 https://twitter.com/ericlaw/status/274237352531083264 */
1384 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1385 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1386 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1387 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1389 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1390 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1391 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1392 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1393 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1395 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1396 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1397 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1398 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1399 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1400 { 0, NULL((void*)0) }
1401};
1402
1403const value_string tls_hello_ext_server_name_type_vs[] = {
1404 { 0, "host_name" },
1405 { 0, NULL((void*)0) }
1406};
1407
1408/* RFC 6066 Section 4 */
1409const value_string tls_hello_ext_max_fragment_length[] = {
1410 { 1, "512" }, // 2^9
1411 { 2, "1024" }, // 2^10
1412 { 3, "2048" }, // 2^11
1413 { 4, "4096" }, // 2^12
1414 { 0, NULL((void*)0) }
1415};
1416
1417/* RFC 8446 Section 4.2.9 */
1418const value_string tls_hello_ext_psk_ke_mode[] = {
1419 { 0, "PSK-only key establishment (psk_ke)" },
1420 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
1421 { 0, NULL((void*)0) }
1422};
1423
1424/* RFC 6066 Section 6 */
1425const value_string tls_hello_ext_trusted_ca_key_type[] = {
1426 {0, "pre_agreed"},
1427 {1, "key_sha1_hash"},
1428 {2, "x509_name"},
1429 {3, "cert_sha1_hash"},
1430 {0, NULL((void*)0)}
1431};
1432
1433const value_string tls13_key_update_request[] = {
1434 { 0, "update_not_requested" },
1435 { 1, "update_requested" },
1436 { 0, NULL((void*)0) }
1437};
1438
1439/* RFC 5246 7.4.1.4.1 */
1440/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1441/* Note that the TLS 1.3 SignatureScheme registry reserves all values
1442 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1443 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1444 *
1445 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1446 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1447 * and TLS HashAlgorithm registries, but the new values are not compatible
1448 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1449 * cause confusion if used to interpret one of those schemes in a
1450 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1451 */
1452const value_string tls_hash_algorithm[] = {
1453 { 0, "None" },
1454 { 1, "MD5" },
1455 { 2, "SHA1" },
1456 { 3, "SHA224" },
1457 { 4, "SHA256" },
1458 { 5, "SHA384" },
1459 { 6, "SHA512" },
1460#if 0
1461 /* RFC 8422 adds this to the HashAlgorithm registry, but it really
1462 * only applies to 0x0807 and 0x0808, not for other TLS 1.3
1463 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
1464 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
1465 */
1466 { 8, "Intrinsic" },
1467#endif
1468 { 0, NULL((void*)0) }
1469};
1470
1471const value_string tls_signature_algorithm[] = {
1472 { 0, "Anonymous" },
1473 { 1, "RSA" },
1474 { 2, "DSA" },
1475 { 3, "ECDSA" },
1476#if 0
1477 /* As above. */
1478 { 7, "ED25519" },
1479 { 8, "ED448" },
1480 { 64, "GOSTR34102012_256" },
1481 { 65, "GOSTR34102012_512" },
1482#endif
1483 { 0, NULL((void*)0) }
1484};
1485
1486/* RFC 8446 Section 4.2.3 */
1487const value_string tls13_signature_algorithm[] = {
1488 { 0x0201, "rsa_pkcs1_sha1" },
1489 { 0x0203, "ecdsa_sha1" },
1490 { 0x0401, "rsa_pkcs1_sha256" },
1491 { 0x0403, "ecdsa_secp256r1_sha256" },
1492 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1493 { 0x0501, "rsa_pkcs1_sha384" },
1494 { 0x0503, "ecdsa_secp384r1_sha384" },
1495 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1496 { 0x0601, "rsa_pkcs1_sha512" },
1497 { 0x0603, "ecdsa_secp521r1_sha512" },
1498 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1499 { 0x0708, "sm2sig_sm3" },
1500 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
1501 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
1502 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
1503 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
1504 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
1505 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
1506 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
1507 { 0x0804, "rsa_pss_rsae_sha256" },
1508 { 0x0805, "rsa_pss_rsae_sha384" },
1509 { 0x0806, "rsa_pss_rsae_sha512" },
1510 { 0x0807, "ed25519" },
1511 { 0x0808, "ed448" },
1512 { 0x0809, "rsa_pss_pss_sha256" },
1513 { 0x080a, "rsa_pss_pss_sha384" },
1514 { 0x080b, "rsa_pss_pss_sha512" },
1515 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
1516 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
1517 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
1518 /* PQC digital signature algorithms from OQS-OpenSSL,
1519 see https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-sig-info.md */
1520 { 0xfea0, "dilithium2" },
1521 { 0xfea1, "p256_dilithium2" },
1522 { 0xfea2, "rsa3072_dilithium2" },
1523 { 0xfea3, "dilithium3" },
1524 { 0xfea4, "p384_dilithium3" },
1525 { 0xfea5, "dilithium5" },
1526 { 0xfea6, "p521_dilithium5" },
1527 { 0xfea7, "dilithium2_aes" },
1528 { 0xfea8, "p256_dilithium2_aes" },
1529 { 0xfea9, "rsa3072_dilithium2_aes" },
1530 { 0xfeaa, "dilithium3_aes" },
1531 { 0xfeab, "p384_dilithium3_aes" },
1532 { 0xfeac, "dilithium5_aes" },
1533 { 0xfead, "p521_dilithium5_aes" },
1534 { 0xfe0b, "falcon512" },
1535 { 0xfe0c, "p256_falcon512" },
1536 { 0xfe0d, "rsa3072_falcon512" },
1537 { 0xfe0e, "falcon1024" },
1538 { 0xfe0f, "p521_falcon1024" },
1539 { 0xfe96, "picnicl1full" },
1540 { 0xfe97, "p256_picnicl1full" },
1541 { 0xfe98, "rsa3072_picnicl1full" },
1542 { 0xfe1b, "picnic3l1" },
1543 { 0xfe1c, "p256_picnic3l1" },
1544 { 0xfe1d, "rsa3072_picnic3l1" },
1545 { 0xfe27, "rainbowIclassic" },
1546 { 0xfe28, "p256_rainbowIclassic" },
1547 { 0xfe29, "rsa3072_rainbowIclassic" },
1548 { 0xfe3c, "rainbowVclassic" },
1549 { 0xfe3d, "p521_rainbowVclassic" },
1550 { 0xfe42, "sphincsharaka128frobust" },
1551 { 0xfe43, "p256_sphincsharaka128frobust" },
1552 { 0xfe44, "rsa3072_sphincsharaka128frobust" },
1553 { 0xfe5e, "sphincssha256128frobust" },
1554 { 0xfe5f, "p256_sphincssha256128frobust" },
1555 { 0xfe60, "rsa3072_sphincssha256128frobust" },
1556 { 0xfe7a, "sphincsshake256128frobust" },
1557 { 0xfe7b, "p256_sphincsshake256128frobust" },
1558 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
1559 { 0, NULL((void*)0) }
1560};
1561
1562/* RFC 6091 3.1 */
1563const value_string tls_certificate_type[] = {
1564 { 0, "X.509" },
1565 { 1, "OpenPGP" },
1566 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2, "Raw Public Key" }, /* RFC 7250 */
1567 { 0, NULL((void*)0) }
1568};
1569
1570const value_string tls_cert_chain_type[] = {
1571 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT1, "Individual Certificates" },
1572 { SSL_HND_CERT_URL_TYPE_PKIPATH2, "PKI Path" },
1573 { 0, NULL((void*)0) }
1574};
1575
1576const value_string tls_cert_status_type[] = {
1577 { SSL_HND_CERT_STATUS_TYPE_OCSP1, "OCSP" },
1578 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2, "OCSP Multi" },
1579 { 0, NULL((void*)0) }
1580};
1581
1582/* Generated by tools/make-tls-ct-logids.py
1583 * Last-Modified Sat, 15 Nov 2025 14:27:28 GMT, 187 entries. */
1584static const bytes_string ct_logids[] = {
1585 { (const uint8_t[]){
1586 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1587 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1588 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1589 },
1590 32, "Google 'Argon2020' log" },
1591 { (const uint8_t[]){
1592 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1593 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1594 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1595 },
1596 32, "Google 'Argon2021' log" },
1597 { (const uint8_t[]){
1598 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1599 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1600 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1601 },
1602 32, "Google 'Argon2022' log" },
1603 { (const uint8_t[]){
1604 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1605 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1606 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1607 },
1608 32, "Google 'Argon2023' log" },
1609 { (const uint8_t[]){
1610 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1611 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1612 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1613 },
1614 32, "Google 'Argon2024' log" },
1615 { (const uint8_t[]){
1616 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1617 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1618 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1619 },
1620 32, "Google 'Argon2025h1' log" },
1621 { (const uint8_t[]){
1622 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1623 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1624 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1625 },
1626 32, "Google 'Argon2025h2' log" },
1627 { (const uint8_t[]){
1628 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1629 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1630 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1631 },
1632 32, "Google 'Argon2026h1' log" },
1633 { (const uint8_t[]){
1634 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1635 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1636 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1637 },
1638 32, "Google 'Argon2026h2' log" },
1639 { (const uint8_t[]){
1640 0xd6, 0xd5, 0x8d, 0xa9, 0xd0, 0x17, 0x53, 0xf3, 0x6a, 0x4a, 0xa0,
1641 0xc7, 0x57, 0x49, 0x02, 0xaf, 0xeb, 0xc7, 0xdc, 0x2c, 0xd3, 0x8c,
1642 0xd9, 0xf7, 0x64, 0xc8, 0x0c, 0x89, 0x19, 0x1e, 0x9f, 0x02,
1643 },
1644 32, "Google 'Argon2027h1'" },
1645 { (const uint8_t[]){
1646 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1647 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1648 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1649 },
1650 32, "Google 'Xenon2020' log" },
1651 { (const uint8_t[]){
1652 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1653 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1654 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1655 },
1656 32, "Google 'Xenon2021' log" },
1657 { (const uint8_t[]){
1658 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1659 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1660 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1661 },
1662 32, "Google 'Xenon2022' log" },
1663 { (const uint8_t[]){
1664 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1665 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1666 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1667 },
1668 32, "Google 'Xenon2023' log" },
1669 { (const uint8_t[]){
1670 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1671 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1672 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1673 },
1674 32, "Google 'Xenon2024' log" },
1675 { (const uint8_t[]){
1676 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1677 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1678 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1679 },
1680 32, "Google 'Xenon2025h1' log" },
1681 { (const uint8_t[]){
1682 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1683 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1684 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1685 },
1686 32, "Google 'Xenon2025h2' log" },
1687 { (const uint8_t[]){
1688 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1689 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1690 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1691 },
1692 32, "Google 'Xenon2026h1' log" },
1693 { (const uint8_t[]){
1694 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1695 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1696 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1697 },
1698 32, "Google 'Xenon2026h2' log" },
1699 { (const uint8_t[]){
1700 0x44, 0xc2, 0xbd, 0x0c, 0xe9, 0x14, 0x0e, 0x64, 0xa5, 0xc9, 0x4a,
1701 0x01, 0x93, 0x0a, 0x5a, 0xa1, 0xbb, 0x35, 0x97, 0x0e, 0x00, 0xee,
1702 0x11, 0x16, 0x89, 0x68, 0x2a, 0x1c, 0x44, 0xd7, 0xb5, 0x66,
1703 },
1704 32, "Google 'Xenon2027h1'" },
1705 { (const uint8_t[]){
1706 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1707 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1708 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1709 },
1710 32, "Google 'Aviator' log" },
1711 { (const uint8_t[]){
1712 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1713 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1714 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1715 },
1716 32, "Google 'Icarus' log" },
1717 { (const uint8_t[]){
1718 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1719 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1720 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1721 },
1722 32, "Google 'Pilot' log" },
1723 { (const uint8_t[]){
1724 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1725 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1726 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1727 },
1728 32, "Google 'Rocketeer' log" },
1729 { (const uint8_t[]){
1730 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1731 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1732 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1733 },
1734 32, "Google 'Skydiver' log" },
1735 { (const uint8_t[]){
1736 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1737 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1738 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1739 },
1740 32, "Google 'Argon2017' log" },
1741 { (const uint8_t[]){
1742 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1743 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1744 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1745 },
1746 32, "Google 'Argon2018' log" },
1747 { (const uint8_t[]){
1748 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1749 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1750 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1751 },
1752 32, "Google 'Argon2019' log" },
1753 { (const uint8_t[]){
1754 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1755 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1756 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1757 },
1758 32, "Google 'Xenon2018' log" },
1759 { (const uint8_t[]){
1760 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1761 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1762 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1763 },
1764 32, "Google 'Xenon2019' log" },
1765 { (const uint8_t[]){
1766 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1767 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1768 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1769 },
1770 32, "Google 'Submariner' log" },
1771 { (const uint8_t[]){
1772 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1773 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1774 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1775 },
1776 32, "Google 'Daedalus' log" },
1777 { (const uint8_t[]){
1778 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1779 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1780 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1781 },
1782 32, "Google 'Testtube' log" },
1783 { (const uint8_t[]){
1784 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1785 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1786 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1787 },
1788 32, "Google 'Crucible' log" },
1789 { (const uint8_t[]){
1790 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1791 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1792 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1793 },
1794 32, "Google 'Solera2018' log" },
1795 { (const uint8_t[]){
1796 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1797 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1798 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1799 },
1800 32, "Google 'Solera2019' log" },
1801 { (const uint8_t[]){
1802 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1803 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1804 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1805 },
1806 32, "Google 'Solera2020' log" },
1807 { (const uint8_t[]){
1808 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1809 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1810 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1811 },
1812 32, "Google 'Solera2021' log" },
1813 { (const uint8_t[]){
1814 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1815 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1816 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1817 },
1818 32, "Google 'Solera2022' log" },
1819 { (const uint8_t[]){
1820 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1821 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1822 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1823 },
1824 32, "Google 'Solera2023' log" },
1825 { (const uint8_t[]){
1826 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1827 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1828 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1829 },
1830 32, "Google 'Solera2024' log" },
1831 { (const uint8_t[]){
1832 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1833 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1834 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1835 },
1836 32, "Google 'Solera2025h1' log" },
1837 { (const uint8_t[]){
1838 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1839 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1840 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1841 },
1842 32, "Google 'Solera2025h2' log" },
1843 { (const uint8_t[]){
1844 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1845 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1846 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1847 },
1848 32, "Google 'Solera2026h1' log" },
1849 { (const uint8_t[]){
1850 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1851 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1852 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1853 },
1854 32, "Google 'Solera2026h2' log" },
1855 { (const uint8_t[]){
1856 0x3d, 0xe4, 0x92, 0xa8, 0x98, 0x93, 0xad, 0x70, 0x5e, 0x78, 0x46,
1857 0xed, 0x21, 0xd4, 0x8d, 0xca, 0xfb, 0xad, 0x13, 0x9e, 0xa6, 0x4e,
1858 0xd1, 0xe3, 0x49, 0xf9, 0x00, 0xb0, 0xa2, 0xcd, 0xa5, 0xe2,
1859 },
1860 32, "Google 'Solera2027h1' log" },
1861 { (const uint8_t[]){
1862 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1863 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1864 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1865 },
1866 32, "Cloudflare 'Nimbus2020' Log" },
1867 { (const uint8_t[]){
1868 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1869 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1870 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1871 },
1872 32, "Cloudflare 'Nimbus2021' Log" },
1873 { (const uint8_t[]){
1874 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1875 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1876 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1877 },
1878 32, "Cloudflare 'Nimbus2022' Log" },
1879 { (const uint8_t[]){
1880 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1881 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1882 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1883 },
1884 32, "Cloudflare 'Nimbus2023' Log" },
1885 { (const uint8_t[]){
1886 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1887 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1888 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1889 },
1890 32, "Cloudflare 'Nimbus2024' Log" },
1891 { (const uint8_t[]){
1892 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1893 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1894 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1895 },
1896 32, "Cloudflare 'Nimbus2025'" },
1897 { (const uint8_t[]){
1898 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1899 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1900 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1901 },
1902 32, "Cloudflare 'Nimbus2026'" },
1903 { (const uint8_t[]){
1904 0x4c, 0x63, 0xdc, 0x98, 0xe5, 0x9c, 0x1d, 0xab, 0x88, 0xf6, 0x1e,
1905 0x8a, 0x3d, 0xde, 0xae, 0x8f, 0xab, 0x44, 0xa3, 0x37, 0x7b, 0x5f,
1906 0x9b, 0x94, 0xc3, 0xfb, 0xa1, 0x9c, 0xfc, 0xc1, 0xbe, 0x26,
1907 },
1908 32, "Cloudflare 'Nimbus2027'" },
1909 { (const uint8_t[]){
1910 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1911 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1912 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1913 },
1914 32, "Cloudflare 'Nimbus2017' Log" },
1915 { (const uint8_t[]){
1916 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1917 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1918 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1919 },
1920 32, "Cloudflare 'Nimbus2018' Log" },
1921 { (const uint8_t[]){
1922 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1923 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1924 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1925 },
1926 32, "Cloudflare 'Nimbus2019' Log" },
1927 { (const uint8_t[]){
1928 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1929 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1930 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1931 },
1932 32, "DigiCert Log Server" },
1933 { (const uint8_t[]){
1934 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1935 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1936 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1937 },
1938 32, "DigiCert Log Server 2" },
1939 { (const uint8_t[]){
1940 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1941 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1942 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1943 },
1944 32, "DigiCert Yeti2020 Log" },
1945 { (const uint8_t[]){
1946 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1947 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1948 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1949 },
1950 32, "DigiCert Yeti2021 Log" },
1951 { (const uint8_t[]){
1952 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1953 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1954 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1955 },
1956 32, "DigiCert Yeti2022 Log" },
1957 { (const uint8_t[]){
1958 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1959 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1960 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1961 },
1962 32, "DigiCert Yeti2023 Log" },
1963 { (const uint8_t[]){
1964 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1965 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1966 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1967 },
1968 32, "DigiCert Yeti2024 Log" },
1969 { (const uint8_t[]){
1970 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1971 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1972 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1973 },
1974 32, "DigiCert Yeti2025 Log" },
1975 { (const uint8_t[]){
1976 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1977 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1978 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1979 },
1980 32, "DigiCert Nessie2020 Log" },
1981 { (const uint8_t[]){
1982 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
1983 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
1984 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
1985 },
1986 32, "DigiCert Nessie2021 Log" },
1987 { (const uint8_t[]){
1988 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
1989 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
1990 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
1991 },
1992 32, "DigiCert Nessie2022 Log" },
1993 { (const uint8_t[]){
1994 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
1995 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
1996 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
1997 },
1998 32, "DigiCert Nessie2023 Log" },
1999 { (const uint8_t[]){
2000 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
2001 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
2002 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
2003 },
2004 32, "DigiCert Nessie2024 Log" },
2005 { (const uint8_t[]){
2006 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
2007 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
2008 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
2009 },
2010 32, "DigiCert Nessie2025 Log" },
2011 { (const uint8_t[]){
2012 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
2013 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
2014 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
2015 },
2016 32, "DigiCert 'Wyvern2024h1' Log" },
2017 { (const uint8_t[]){
2018 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2019 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2020 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2021 },
2022 32, "DigiCert 'Wyvern2024h2' Log" },
2023 { (const uint8_t[]){
2024 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2025 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2026 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2027 },
2028 32, "DigiCert 'Wyvern2025h1' Log" },
2029 { (const uint8_t[]){
2030 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2031 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2032 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2033 },
2034 32, "DigiCert 'Wyvern2025h2' Log" },
2035 { (const uint8_t[]){
2036 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2037 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2038 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2039 },
2040 32, "DigiCert 'Wyvern2026h1'" },
2041 { (const uint8_t[]){
2042 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2043 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2044 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2045 },
2046 32, "DigiCert 'Wyvern2026h2'" },
2047 { (const uint8_t[]){
2048 0x00, 0x1a, 0x5d, 0x1a, 0x1c, 0x2d, 0x93, 0x75, 0xb6, 0x48, 0x55,
2049 0x78, 0xf8, 0x2f, 0x71, 0xa1, 0xae, 0x6e, 0xef, 0x39, 0x7d, 0x29,
2050 0x7c, 0x8a, 0xe3, 0x15, 0x7b, 0xca, 0xde, 0xe1, 0xa0, 0x1e,
2051 },
2052 32, "DigiCert 'Wyvern2027h1'" },
2053 { (const uint8_t[]){
2054 0x37, 0xaa, 0x07, 0xcc, 0x21, 0x6f, 0x2e, 0x6d, 0x91, 0x9c, 0x70,
2055 0x9d, 0x24, 0xd8, 0xf7, 0x31, 0xb0, 0x0f, 0x2b, 0x14, 0x7c, 0x62,
2056 0x1c, 0xc0, 0x91, 0xa5, 0xfa, 0x1a, 0x84, 0xd8, 0x16, 0xdd,
2057 },
2058 32, "DigiCert 'Wyvern2027h2'" },
2059 { (const uint8_t[]){
2060 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2061 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2062 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2063 },
2064 32, "DigiCert 'Sphinx2024h1' Log" },
2065 { (const uint8_t[]){
2066 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2067 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2068 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2069 },
2070 32, "DigiCert 'Sphinx2024h2' Log" },
2071 { (const uint8_t[]){
2072 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2073 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2074 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2075 },
2076 32, "DigiCert 'Sphinx2025h1' Log" },
2077 { (const uint8_t[]){
2078 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2079 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2080 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2081 },
2082 32, "DigiCert 'Sphinx2025h2' Log" },
2083 { (const uint8_t[]){
2084 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2085 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2086 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2087 },
2088 32, "DigiCert 'Sphinx2026h1'" },
2089 { (const uint8_t[]){
2090 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2091 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2092 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2093 },
2094 32, "DigiCert 'Sphinx2026h2'" },
2095 { (const uint8_t[]){
2096 0x46, 0xa2, 0x39, 0x67, 0xc6, 0x0d, 0xb6, 0x46, 0x87, 0xc6, 0x6f,
2097 0x3d, 0xf9, 0x99, 0x94, 0x76, 0x93, 0xa6, 0xa6, 0x11, 0x20, 0x84,
2098 0x57, 0xd5, 0x55, 0xe7, 0xe3, 0xd0, 0xa1, 0xd9, 0xb6, 0x46,
2099 },
2100 32, "DigiCert 'sphinx2027h1'" },
2101 { (const uint8_t[]){
2102 0x1f, 0xb0, 0xf8, 0xa9, 0x2d, 0x8a, 0xdd, 0xa1, 0x21, 0x77, 0x6c,
2103 0x05, 0xe2, 0xaa, 0x2e, 0x15, 0xba, 0xcb, 0xc6, 0x2b, 0x65, 0x39,
2104 0x36, 0x95, 0x57, 0x6a, 0xaa, 0xb5, 0x2e, 0x11, 0xd1, 0x1d,
2105 },
2106 32, "DigiCert 'sphinx2027h2'" },
2107 { (const uint8_t[]){
2108 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2109 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2110 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2111 },
2112 32, "Symantec log" },
2113 { (const uint8_t[]){
2114 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2115 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2116 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2117 },
2118 32, "Symantec 'Vega' log" },
2119 { (const uint8_t[]){
2120 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2121 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2122 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2123 },
2124 32, "Symantec 'Sirius' log" },
2125 { (const uint8_t[]){
2126 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2127 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2128 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2129 },
2130 32, "DigiCert Yeti2022-2 Log" },
2131 { (const uint8_t[]){
2132 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2133 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2134 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2135 },
2136 32, "DigiCert Yeti2018 Log" },
2137 { (const uint8_t[]){
2138 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2139 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2140 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2141 },
2142 32, "DigiCert Yeti2019 Log" },
2143 { (const uint8_t[]){
2144 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2145 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2146 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2147 },
2148 32, "DigiCert Nessie2018 Log" },
2149 { (const uint8_t[]){
2150 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2151 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2152 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2153 },
2154 32, "DigiCert Nessie2019 Log" },
2155 { (const uint8_t[]){
2156 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2157 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2158 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2159 },
2160 32, "Symantec Deneb" },
2161 { (const uint8_t[]){
2162 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2163 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2164 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2165 },
2166 32, "Certly.IO log" },
2167 { (const uint8_t[]){
2168 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2169 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2170 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2171 },
2172 32, "Izenpe log" },
2173 { (const uint8_t[]){
2174 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2175 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2176 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2177 },
2178 32, "Izenpe 'Argi' log" },
2179 { (const uint8_t[]){
2180 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2181 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2182 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2183 },
2184 32, "WoSign log" },
2185 { (const uint8_t[]){
2186 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2187 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2188 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2189 },
2190 32, "WoSign CT log #1" },
2191 { (const uint8_t[]){
2192 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2193 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2194 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2195 },
2196 32, "WoSign log 2" },
2197 { (const uint8_t[]){
2198 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2199 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2200 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2201 },
2202 32, "Venafi log" },
2203 { (const uint8_t[]){
2204 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2205 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2206 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2207 },
2208 32, "Venafi Gen2 CT log" },
2209 { (const uint8_t[]){
2210 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2211 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2212 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2213 },
2214 32, "CNNIC CT log" },
2215 { (const uint8_t[]){
2216 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2217 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2218 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2219 },
2220 32, "StartCom log" },
2221 { (const uint8_t[]){
2222 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2223 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2224 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2225 },
2226 32, "Sectigo 'Sabre' CT log" },
2227 { (const uint8_t[]){
2228 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2229 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2230 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2231 },
2232 32, "Sectigo 'Sabre2024h1'" },
2233 { (const uint8_t[]){
2234 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2235 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2236 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2237 },
2238 32, "Sectigo 'Sabre2024h2'" },
2239 { (const uint8_t[]){
2240 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2241 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2242 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2243 },
2244 32, "Sectigo 'Sabre2025h1'" },
2245 { (const uint8_t[]){
2246 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2247 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2248 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2249 },
2250 32, "Sectigo 'Sabre2025h2'" },
2251 { (const uint8_t[]){
2252 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2253 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2254 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2255 },
2256 32, "Sectigo 'Mammoth' CT log" },
2257 { (const uint8_t[]){
2258 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2259 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2260 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2261 },
2262 32, "Sectigo 'Mammoth2024h1'" },
2263 { (const uint8_t[]){
2264 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2265 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2266 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2267 },
2268 32, "Sectigo 'Mammoth2024h1b'" },
2269 { (const uint8_t[]){
2270 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2271 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2272 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2273 },
2274 32, "Sectigo 'Mammoth2024h2'" },
2275 { (const uint8_t[]){
2276 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2277 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2278 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2279 },
2280 32, "Sectigo 'Mammoth2025h1'" },
2281 { (const uint8_t[]){
2282 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2283 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2284 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2285 },
2286 32, "Sectigo 'Mammoth2025h2'" },
2287 { (const uint8_t[]){
2288 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2289 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2290 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2291 },
2292 32, "Sectigo 'Mammoth2026h1'" },
2293 { (const uint8_t[]){
2294 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2295 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2296 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2297 },
2298 32, "Sectigo 'Mammoth2026h2'" },
2299 { (const uint8_t[]){
2300 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2301 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2302 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2303 },
2304 32, "Sectigo 'Sabre2026h1'" },
2305 { (const uint8_t[]){
2306 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2307 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2308 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2309 },
2310 32, "Sectigo 'Sabre2026h2'" },
2311 { (const uint8_t[]){
2312 0x0d, 0x1d, 0xbc, 0x89, 0x44, 0xe9, 0xf5, 0x00, 0x55, 0x42, 0xd7,
2313 0x2d, 0x3e, 0x14, 0x4c, 0xcc, 0x43, 0x08, 0x2a, 0xb6, 0xea, 0x1e,
2314 0x94, 0xdf, 0xd7, 0x06, 0x65, 0x7d, 0x2e, 0x86, 0xf3, 0x01,
2315 },
2316 32, "Sectigo 'Elephant2025h2'" },
2317 { (const uint8_t[]){
2318 0xd1, 0x6e, 0xa9, 0xa5, 0x68, 0x07, 0x7e, 0x66, 0x35, 0xa0, 0x3f,
2319 0x37, 0xa5, 0xdd, 0xbc, 0x03, 0xa5, 0x3c, 0x41, 0x12, 0x14, 0xd4,
2320 0x88, 0x18, 0xf5, 0xe9, 0x31, 0xb3, 0x23, 0xcb, 0x95, 0x04,
2321 },
2322 32, "Sectigo 'Elephant2026h1'" },
2323 { (const uint8_t[]){
2324 0xaf, 0x67, 0x88, 0x3b, 0x57, 0xb0, 0x4e, 0xdd, 0x8f, 0xa6, 0xd9,
2325 0x7e, 0xf6, 0x2e, 0xa8, 0xeb, 0x81, 0x0a, 0xc7, 0x71, 0x60, 0xf0,
2326 0x24, 0x5e, 0x55, 0xd6, 0x0c, 0x2f, 0xe7, 0x85, 0x87, 0x3a,
2327 },
2328 32, "Sectigo 'Elephant2026h2'" },
2329 { (const uint8_t[]){
2330 0x60, 0x4c, 0x9a, 0xaf, 0x7a, 0x7f, 0x77, 0x5f, 0x01, 0xd4, 0x06,
2331 0xfc, 0x92, 0x0d, 0xc8, 0x99, 0xeb, 0x0b, 0x1c, 0x7d, 0xf8, 0xc9,
2332 0x52, 0x1b, 0xfa, 0xfa, 0x17, 0x77, 0x3b, 0x97, 0x8b, 0xc9,
2333 },
2334 32, "Sectigo 'Elephant2027h1'" },
2335 { (const uint8_t[]){
2336 0xa2, 0x49, 0x0c, 0xdc, 0xdb, 0x8e, 0x33, 0xa4, 0x00, 0x32, 0x17,
2337 0x60, 0xd6, 0xd4, 0xd5, 0x1a, 0x20, 0x36, 0x19, 0x1e, 0xa7, 0x7d,
2338 0x96, 0x8b, 0xe2, 0x6a, 0x8a, 0x00, 0xf6, 0xff, 0xff, 0xf7,
2339 },
2340 32, "Sectigo 'Elephant2027h2'" },
2341 { (const uint8_t[]){
2342 0x5c, 0xa5, 0x77, 0xd2, 0x9b, 0x7f, 0x8b, 0xaf, 0x41, 0x9e, 0xd8,
2343 0xec, 0xab, 0xfb, 0x6d, 0xcb, 0xae, 0xc3, 0x85, 0x37, 0x02, 0xd5,
2344 0x74, 0x6f, 0x17, 0x4d, 0xad, 0x3c, 0x93, 0x4a, 0xa9, 0x6a,
2345 },
2346 32, "Sectigo 'Tiger2025h2'" },
2347 { (const uint8_t[]){
2348 0x16, 0x83, 0x2d, 0xab, 0xf0, 0xa9, 0x25, 0x0f, 0x0f, 0xf0, 0x3a,
2349 0xa5, 0x45, 0xff, 0xc8, 0xbf, 0xc8, 0x23, 0xd0, 0x87, 0x4b, 0xf6,
2350 0x04, 0x29, 0x27, 0xf8, 0xe7, 0x1f, 0x33, 0x13, 0xf5, 0xfa,
2351 },
2352 32, "Sectigo 'Tiger2026h1'" },
2353 { (const uint8_t[]){
2354 0xc8, 0xa3, 0xc4, 0x7f, 0xc7, 0xb3, 0xad, 0xb9, 0x35, 0x6b, 0x01,
2355 0x3f, 0x6a, 0x7a, 0x12, 0x6d, 0xe3, 0x3a, 0x4e, 0x43, 0xa5, 0xc6,
2356 0x46, 0xf9, 0x97, 0xad, 0x39, 0x75, 0x99, 0x1d, 0xcf, 0x9a,
2357 },
2358 32, "Sectigo 'Tiger2026h2'" },
2359 { (const uint8_t[]){
2360 0x1c, 0x9f, 0x68, 0x2c, 0xe9, 0xfa, 0xf0, 0x45, 0x69, 0x50, 0xf8,
2361 0x1b, 0x96, 0x8a, 0x87, 0xdd, 0xdb, 0x32, 0x10, 0xd8, 0x4c, 0xe6,
2362 0xc8, 0xb2, 0xe3, 0x82, 0x52, 0x4a, 0xc4, 0xcf, 0x59, 0x9f,
2363 },
2364 32, "Sectigo 'Tiger2027h1'" },
2365 { (const uint8_t[]){
2366 0x03, 0x80, 0x2a, 0xc2, 0x62, 0xf6, 0xe0, 0x5e, 0x03, 0xf8, 0xbc,
2367 0x6f, 0x7b, 0x98, 0x51, 0x32, 0x4f, 0xd7, 0x6a, 0x3d, 0xf5, 0xb7,
2368 0x59, 0x51, 0x75, 0xe2, 0x22, 0xfb, 0x8e, 0x9b, 0xd5, 0xf6,
2369 },
2370 32, "Sectigo 'Tiger2027h2'" },
2371 { (const uint8_t[]){
2372 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2373 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2374 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2375 },
2376 32, "Sectigo 'Dodo' CT log" },
2377 { (const uint8_t[]){
2378 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2379 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2380 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2381 },
2382 32, "Let's Encrypt 'Oak2020' log" },
2383 { (const uint8_t[]){
2384 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2385 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2386 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2387 },
2388 32, "Let's Encrypt 'Oak2021' log" },
2389 { (const uint8_t[]){
2390 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2391 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2392 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2393 },
2394 32, "Let's Encrypt 'Oak2022' log" },
2395 { (const uint8_t[]){
2396 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2397 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2398 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2399 },
2400 32, "Let's Encrypt 'Oak2023' log" },
2401 { (const uint8_t[]){
2402 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2403 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2404 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2405 },
2406 32, "Let's Encrypt 'Oak2024H1' log" },
2407 { (const uint8_t[]){
2408 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2409 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2410 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2411 },
2412 32, "Let's Encrypt 'Oak2024H2' log" },
2413 { (const uint8_t[]){
2414 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2415 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2416 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2417 },
2418 32, "Let's Encrypt 'Oak2025h1'" },
2419 { (const uint8_t[]){
2420 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2421 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2422 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2423 },
2424 32, "Let's Encrypt 'Oak2025h2'" },
2425 { (const uint8_t[]){
2426 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2427 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2428 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2429 },
2430 32, "Let's Encrypt 'Oak2026h1'" },
2431 { (const uint8_t[]){
2432 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2433 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2434 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2435 },
2436 32, "Let's Encrypt 'Oak2026h2'" },
2437 { (const uint8_t[]){
2438 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2439 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2440 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2441 },
2442 32, "Let's Encrypt 'Oak2019' log" },
2443 { (const uint8_t[]){
2444 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2445 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2446 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2447 },
2448 32, "Let's Encrypt 'Testflume2019' log" },
2449 { (const uint8_t[]){
2450 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2451 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2452 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2453 },
2454 32, "Let's Encrypt 'Sapling 2022h2' log" },
2455 { (const uint8_t[]){
2456 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2457 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2458 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2459 },
2460 32, "Let's Encrypt 'Sapling 2023h1' log" },
2461 { (const uint8_t[]){
2462 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2463 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2464 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2465 },
2466 32, "Let's Encrypt 'Testflume2020' log" },
2467 { (const uint8_t[]){
2468 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2469 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2470 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2471 },
2472 32, "Let's Encrypt 'Testflume2021' log" },
2473 { (const uint8_t[]){
2474 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2475 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2476 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2477 },
2478 32, "Let's Encrypt 'Testflume2022' log" },
2479 { (const uint8_t[]){
2480 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2481 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2482 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2483 },
2484 32, "Let's Encrypt 'Testflume2023' log" },
2485 { (const uint8_t[]){
2486 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2487 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2488 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2489 },
2490 32, "Let's Encrypt 'Clicky' log" },
2491 { (const uint8_t[]){
2492 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2493 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2494 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2495 },
2496 32, "Trust Asia Log2020" },
2497 { (const uint8_t[]){
2498 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2499 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2500 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2501 },
2502 32, "Trust Asia CT2021" },
2503 { (const uint8_t[]){
2504 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2505 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2506 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2507 },
2508 32, "Trust Asia Log2021" },
2509 { (const uint8_t[]){
2510 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2511 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2512 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2513 },
2514 32, "Trust Asia Log2022" },
2515 { (const uint8_t[]){
2516 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2517 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2518 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2519 },
2520 32, "Trust Asia Log2023" },
2521 { (const uint8_t[]){
2522 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2523 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2524 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2525 },
2526 32, "Trust Asia Log2024" },
2527 { (const uint8_t[]){
2528 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2529 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2530 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2531 },
2532 32, "Trust Asia Log2024-2" },
2533 { (const uint8_t[]){
2534 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2535 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2536 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2537 },
2538 32, "TrustAsia Log2025a" },
2539 { (const uint8_t[]){
2540 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2541 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2542 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2543 },
2544 32, "TrustAsia Log2025b" },
2545 { (const uint8_t[]){
2546 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2547 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2548 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2549 },
2550 32, "TrustAsia 'log2026a'" },
2551 { (const uint8_t[]){
2552 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2553 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2554 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2555 },
2556 32, "TrustAsia 'log2026b'" },
2557 { (const uint8_t[]){
2558 0xed, 0xda, 0xeb, 0x81, 0x5c, 0x63, 0x21, 0x34, 0x49, 0xb4, 0x7b,
2559 0xe5, 0x07, 0x79, 0x05, 0xab, 0xd0, 0xd9, 0x31, 0x47, 0xc2, 0x7a,
2560 0xc5, 0x14, 0x6b, 0x3b, 0xc5, 0x8e, 0x43, 0xe9, 0xb6, 0xc7,
2561 },
2562 32, "TrustAsia 'HETU2027'" },
2563 { (const uint8_t[]){
2564 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2565 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2566 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2567 },
2568 32, "Trust Asia Log1" },
2569 { (const uint8_t[]){
2570 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2571 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2572 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2573 },
2574 32, "GDCA CT log #1" },
2575 { (const uint8_t[]){
2576 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2577 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2578 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2579 },
2580 32, "GDCA CT log #2" },
2581 { (const uint8_t[]){
2582 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2583 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2584 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2585 },
2586 32, "GDCA Log 1" },
2587 { (const uint8_t[]){
2588 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2589 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2590 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2591 },
2592 32, "GDCA Log 2" },
2593 { (const uint8_t[]){
2594 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2595 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2596 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2597 },
2598 32, "PuChuangSiDa CT log" },
2599 { (const uint8_t[]){
2600 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2601 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2602 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2603 },
2604 32, "Nordu 'flimsy' log" },
2605 { (const uint8_t[]){
2606 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2607 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2608 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2609 },
2610 32, "Nordu 'plausible' log" },
2611 { (const uint8_t[]){
2612 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2613 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2614 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2615 },
2616 32, "SHECA CT log 1" },
2617 { (const uint8_t[]){
2618 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2619 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2620 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2621 },
2622 32, "SHECA CT log 2" },
2623 { (const uint8_t[]){
2624 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2625 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2626 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2627 },
2628 32, "Akamai CT Log" },
2629 { (const uint8_t[]){
2630 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2631 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2632 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2633 },
2634 32, "Alpha CT Log" },
2635 { (const uint8_t[]){
2636 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2637 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2638 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2639 },
2640 32, "Up In The Air 'Behind the Sofa' log" },
2641 { (const uint8_t[]){
2642 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2643 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2644 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2645 },
2646 32, "Qihoo 360 2020" },
2647 { (const uint8_t[]){
2648 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2649 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2650 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2651 },
2652 32, "Qihoo 360 2021" },
2653 { (const uint8_t[]){
2654 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2655 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2656 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2657 },
2658 32, "Qihoo 360 2022" },
2659 { (const uint8_t[]){
2660 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2661 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2662 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2663 },
2664 32, "Qihoo 360 2023" },
2665 { (const uint8_t[]){
2666 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2667 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2668 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2669 },
2670 32, "Qihoo 360 v1 2020" },
2671 { (const uint8_t[]){
2672 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2673 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2674 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2675 },
2676 32, "Qihoo 360 v1 2021" },
2677 { (const uint8_t[]){
2678 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2679 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2680 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2681 },
2682 32, "Qihoo 360 v1 2022" },
2683 { (const uint8_t[]){
2684 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2685 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2686 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2687 },
2688 32, "Qihoo 360 v1 2023" },
2689 { (const uint8_t[]){
2690 0x2e, 0xd6, 0xa4, 0x4d, 0xeb, 0x8f, 0x0c, 0x86, 0x46, 0x67, 0x76,
2691 0x9c, 0x4e, 0xdd, 0x04, 0x1f, 0x84, 0x23, 0x67, 0x55, 0xfa, 0x3a,
2692 0xac, 0xa6, 0x34, 0xd0, 0x93, 0x5d, 0xfc, 0xd5, 0x9a, 0x70,
2693 },
2694 32, "Bogus placeholder log to unbreak misbehaving CT libraries" },
2695 { (const uint8_t[]){
2696 0x39, 0xb9, 0x87, 0x88, 0x28, 0x19, 0x5f, 0x3b, 0x2d, 0x0d, 0x1b,
2697 0x48, 0x14, 0xa3, 0xae, 0x8c, 0x0d, 0x01, 0xfe, 0x48, 0x62, 0x21,
2698 0xdd, 0x69, 0x39, 0x7d, 0x76, 0xf7, 0x85, 0x74, 0x11, 0xc3,
2699 },
2700 32, "Merklemap 'CompactLog' log" },
2701 { (const uint8_t[]){
2702 0xd2, 0xfc, 0x65, 0x2f, 0xa5, 0xf9, 0xb7, 0x38, 0xb8, 0x37, 0x55,
2703 0xfa, 0x5e, 0xb1, 0x5f, 0x0b, 0x45, 0x25, 0x3f, 0x4e, 0x8f, 0xa3,
2704 0xb9, 0xb6, 0x4f, 0xd4, 0xde, 0x56, 0x62, 0xd1, 0x87, 0x08,
2705 },
2706 32, "Bogus RFC6962 log to avoid breaking misbehaving CT libraries" },
2707 { NULL((void*)0), 0, NULL((void*)0) }
2708};
2709
2710/*
2711 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2712 */
2713static dissector_table_t ssl_alpn_dissector_table;
2714static dissector_table_t dtls_alpn_dissector_table;
2715
2716/*
2717 * Special cases for prefix matching of the ALPN, if the ALPN includes
2718 * a version number for a draft or protocol revision.
2719 */
2720typedef struct ssl_alpn_prefix_match_protocol {
2721 const char *proto_prefix;
2722 const char *dissector_name;
2723} ssl_alpn_prefix_match_protocol_t;
2724
2725static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
2726 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
2727 * already exists 3.1 as of this writing... match the prefix. */
2728 { "spdy/", "spdy" },
2729 /* draft-ietf-httpbis-http2-16 */
2730 { "h2-", "http2" }, /* draft versions */
2731};
2732
2733const value_string compress_certificate_algorithm_vals[] = {
2734 { 1, "zlib" },
2735 { 2, "brotli" },
2736 { 3, "zstd" },
2737 { 0, NULL((void*)0) }
2738};
2739
2740
2741const val64_string quic_transport_parameter_id[] = {
2742 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00, "original_destination_connection_id" },
2743 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01, "max_idle_timeout" },
2744 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02, "stateless_reset_token" },
2745 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03, "max_udp_payload_size" },
2746 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04, "initial_max_data" },
2747 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05, "initial_max_stream_data_bidi_local" },
2748 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06, "initial_max_stream_data_bidi_remote" },
2749 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07, "initial_max_stream_data_uni" },
2750 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09, "initial_max_streams_uni" },
2751 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08, "initial_max_streams_bidi" },
2752 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a, "ack_delay_exponent" },
2753 { SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b, "max_ack_delay" },
2754 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c, "disable_active_migration" },
2755 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d, "preferred_address" },
2756 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e, "active_connection_id_limit" },
2757 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f, "initial_source_connection_id" },
2758 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10, "retry_source_connection_id" },
2759 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20, "max_datagram_frame_size" },
2760 { SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000, "cibir_encoding" },
2761 { SSL_HND_QUIC_TP_LOSS_BITS0x1057, "loss_bits" },
2762 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2, "grease_quic_bit" },
2763 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157, "enable_time_stamp" },
2764 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158, "enable_time_stamp_v2" },
2765 { SSL_HND_QUIC_TP_VERSION_INFORMATION0x11, "version_information" },
2766 { SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db, "version_information_draft" },
2767 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a, "min_ack_delay" },
2768 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129, "google_user_agent" },
2769 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B, "google_key_update_not_yet_supported" },
2770 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752, "google_quic_version" },
2771 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127, "google_initial_rtt" },
2772 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A, "google_support_handshake_done" },
2773 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751, "google_quic_params" },
2774 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128, "google_connection_options" },
2775 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00, "facebook_partial_reliability" },
2776 { SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176, "address_discovery" },
2777 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A, "min_ack_delay (draft-01)" },
2778 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a, "min_ack_delay (draft-05)" },
2779 { SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b, "min_ack_delay" },
2780 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04, "enable_multipath (draft-04)" },
2781 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05, "enable_multipath (draft-05)" },
2782 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06, "enable_multipath (draft-06)" },
2783 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07, "initial_max_paths (draft-07/08)" },
2784 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09, "initial_max_path_id (draft-09/10)" },
2785 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11, "initial_max_path_id (draft-11)" },
2786 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c, "initial_max_path_id (draft-12)" },
2787 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d0d, "initial_max_path_id" },
2788 { 0, NULL((void*)0) }
2789};
2790
2791/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00 */
2792const val64_string quic_address_discovery_vals[] = {
2793 { 0, "The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself" },
2794 { 1, "The node is interested in receiving address observations, but it is not willing to provide address observations" },
2795 { 2, "The node is interested in receiving address observations, and it is willing to provide address observations" },
2796 { 0, NULL((void*)0) }
2797};
2798
2799/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
2800const val64_string quic_enable_time_stamp_v2_vals[] = {
2801 { 1, "I would like to receive TIME_STAMP frames" },
2802 { 2, "I am able to generate TIME_STAMP frames" },
2803 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
2804 { 0, NULL((void*)0) }
2805};
2806
2807/* https://datatracker.ietf.org/doc/draft-ietf-quic-multipath/04/ */
2808const val64_string quic_enable_multipath_vals[] = {
2809 { 0, "don't support multipath" },
2810 { 1, "support multipath as defined in this document" },
2811 { 0, NULL((void*)0) }
2812};
2813
2814/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
2815const value_string tls_hello_ext_ech_clienthello_types[] = {
2816 { 0, "Outer Client Hello" },
2817 { 1, "Inner Client Hello" },
2818 { 0, NULL((void*)0) }
2819};
2820
2821/* RFC 9180 */
2822const value_string kem_id_type_vals[] = {
2823 { 0x0000, "Reserved" },
2824 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
2825 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
2826 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
2827 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
2828 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
2829 { 0, NULL((void*)0) }
2830};
2831const value_string kdf_id_type_vals[] = {
2832 { 0x0000, "Reserved" },
2833 { 0x0001, "HKDF-SHA256" },
2834 { 0x0002, "HKDF-SHA384" },
2835 { 0x0003, "HKDF-SHA512" },
2836 { 0, NULL((void*)0) }
2837};
2838const value_string aead_id_type_vals[] = {
2839 { 0x0000, "Reserved" },
2840 { 0x0001, "AES-128-GCM" },
2841 { 0x0002, "AES-256-GCM" },
2842 { 0x0003, "ChaCha20Poly1305" },
2843 { 0xFFFF, "Export-only" },
2844 { 0, NULL((void*)0) }
2845};
2846
2847const value_string token_binding_key_parameter_vals[] = {
2848 { 0, "rsa2048_pkcs1.5" },
2849 { 1, "rsa2048_pss" },
2850 { 2, "ecdsap256" },
2851 { 0, NULL((void*)0) }
2852};
2853
2854/* Lookup tables }}} */
2855
2856void
2857quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
2858{
2859 const char *label;
2860 if (IS_GREASE_QUIC(parameter_id)((parameter_id) > 27 ? ((((parameter_id) - 27) % 31) == 0)
: 0)) {
2861 label = "GREASE";
2862 } else {
2863 label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");
2864 }
2865 snprintf(result, ITEM_LABEL_LENGTH240, "%s (0x%02" PRIx64"l" "x" ")", label, parameter_id);
2866}
2867
2868/* we keep this internal to packet-tls-utils, as there should be
2869 no need to access it any other way.
2870
2871 This also allows us to hide the dependency on zlib.
2872*/
2873struct _SslDecompress {
2874 int compression;
2875#ifdef USE_ZLIB_OR_ZLIBNG
2876 zlib_stream istream;
2877#endif
2878};
2879
2880/* To assist in parsing client/server key exchange messages
2881 0 indicates unknown */
2882int ssl_get_keyex_alg(int cipher)
2883{
2884 /* Map Cipher suite number to Key Exchange algorithm {{{ */
2885 switch(cipher) {
2886 case 0x0017:
2887 case 0x0018:
2888 case 0x0019:
2889 case 0x001a:
2890 case 0x001b:
2891 case 0x0034:
2892 case 0x003a:
2893 case 0x0046:
2894 case 0x006c:
2895 case 0x006d:
2896 case 0x0089:
2897 case 0x009b:
2898 case 0x00a6:
2899 case 0x00a7:
2900 case 0x00bf:
2901 case 0x00c5:
2902 case 0xc084:
2903 case 0xc085:
2904 return KEX_DH_ANON0x13;
2905 case 0x000b:
2906 case 0x000c:
2907 case 0x000d:
2908 case 0x0030:
2909 case 0x0036:
2910 case 0x003e:
2911 case 0x0042:
2912 case 0x0068:
2913 case 0x0085:
2914 case 0x0097:
2915 case 0x00a4:
2916 case 0x00a5:
2917 case 0x00bb:
2918 case 0x00c1:
2919 case 0xc082:
2920 case 0xc083:
2921 return KEX_DH_DSS0x14;
2922 case 0x000e:
2923 case 0x000f:
2924 case 0x0010:
2925 case 0x0031:
2926 case 0x0037:
2927 case 0x003f:
2928 case 0x0043:
2929 case 0x0069:
2930 case 0x0086:
2931 case 0x0098:
2932 case 0x00a0:
2933 case 0x00a1:
2934 case 0x00bc:
2935 case 0x00c2:
2936 case 0xc07e:
2937 case 0xc07f:
2938 return KEX_DH_RSA0x15;
2939 case 0x0011:
2940 case 0x0012:
2941 case 0x0013:
2942 case 0x0032:
2943 case 0x0038:
2944 case 0x0040:
2945 case 0x0044:
2946 case 0x0063:
2947 case 0x0065:
2948 case 0x0066:
2949 case 0x006a:
2950 case 0x0087:
2951 case 0x0099:
2952 case 0x00a2:
2953 case 0x00a3:
2954 case 0x00bd:
2955 case 0x00c3:
2956 case 0xc080:
2957 case 0xc081:
2958 return KEX_DHE_DSS0x10;
2959 case 0x002d:
2960 case 0x008e:
2961 case 0x008f:
2962 case 0x0090:
2963 case 0x0091:
2964 case 0x00aa:
2965 case 0x00ab:
2966 case 0x00b2:
2967 case 0x00b3:
2968 case 0x00b4:
2969 case 0x00b5:
2970 case 0xc090:
2971 case 0xc091:
2972 case 0xc096:
2973 case 0xc097:
2974 case 0xc0a6:
2975 case 0xc0a7:
2976 case 0xc0aa:
2977 case 0xc0ab:
2978 case 0xccad:
2979 case 0xe41c:
2980 case 0xe41d:
2981 return KEX_DHE_PSK0x11;
2982 case 0x0014:
2983 case 0x0015:
2984 case 0x0016:
2985 case 0x0033:
2986 case 0x0039:
2987 case 0x0045:
2988 case 0x0067:
2989 case 0x006b:
2990 case 0x0088:
2991 case 0x009a:
2992 case 0x009e:
2993 case 0x009f:
2994 case 0x00be:
2995 case 0x00c4:
2996 case 0xc07c:
2997 case 0xc07d:
2998 case 0xc09e:
2999 case 0xc09f:
3000 case 0xc0a2:
3001 case 0xc0a3:
3002 case 0xccaa:
3003 case 0xe41e:
3004 case 0xe41f:
3005 return KEX_DHE_RSA0x12;
3006 case 0xc015:
3007 case 0xc016:
3008 case 0xc017:
3009 case 0xc018:
3010 case 0xc019:
3011 return KEX_ECDH_ANON0x19;
3012 case 0xc001:
3013 case 0xc002:
3014 case 0xc003:
3015 case 0xc004:
3016 case 0xc005:
3017 case 0xc025:
3018 case 0xc026:
3019 case 0xc02d:
3020 case 0xc02e:
3021 case 0xc074:
3022 case 0xc075:
3023 case 0xc088:
3024 case 0xc089:
3025 return KEX_ECDH_ECDSA0x1a;
3026 case 0xc00b:
3027 case 0xc00c:
3028 case 0xc00d:
3029 case 0xc00e:
3030 case 0xc00f:
3031 case 0xc029:
3032 case 0xc02a:
3033 case 0xc031:
3034 case 0xc032:
3035 case 0xc078:
3036 case 0xc079:
3037 case 0xc08c:
3038 case 0xc08d:
3039 return KEX_ECDH_RSA0x1b;
3040 case 0xc006:
3041 case 0xc007:
3042 case 0xc008:
3043 case 0xc009:
3044 case 0xc00a:
3045 case 0xc023:
3046 case 0xc024:
3047 case 0xc02b:
3048 case 0xc02c:
3049 case 0xc072:
3050 case 0xc073:
3051 case 0xc086:
3052 case 0xc087:
3053 case 0xc0ac:
3054 case 0xc0ad:
3055 case 0xc0ae:
3056 case 0xc0af:
3057 case 0xcca9:
3058 case 0xe414:
3059 case 0xe415:
3060 return KEX_ECDHE_ECDSA0x16;
3061 case 0xc033:
3062 case 0xc034:
3063 case 0xc035:
3064 case 0xc036:
3065 case 0xc037:
3066 case 0xc038:
3067 case 0xc039:
3068 case 0xc03a:
3069 case 0xc03b:
3070 case 0xc09a:
3071 case 0xc09b:
3072 case 0xccac:
3073 case 0xe418:
3074 case 0xe419:
3075 case 0xd001:
3076 case 0xd002:
3077 case 0xd003:
3078 case 0xd005:
3079 return KEX_ECDHE_PSK0x17;
3080 case 0xc010:
3081 case 0xc011:
3082 case 0xc012:
3083 case 0xc013:
3084 case 0xc014:
3085 case 0xc027:
3086 case 0xc028:
3087 case 0xc02f:
3088 case 0xc030:
3089 case 0xc076:
3090 case 0xc077:
3091 case 0xc08a:
3092 case 0xc08b:
3093 case 0xcca8:
3094 case 0xe412:
3095 case 0xe413:
3096 return KEX_ECDHE_RSA0x18;
3097 case 0x001e:
3098 case 0x001f:
3099 case 0x0020:
3100 case 0x0021:
3101 case 0x0022:
3102 case 0x0023:
3103 case 0x0024:
3104 case 0x0025:
3105 case 0x0026:
3106 case 0x0027:
3107 case 0x0028:
3108 case 0x0029:
3109 case 0x002a:
3110 case 0x002b:
3111 return KEX_KRB50x1c;
3112 case 0x002c:
3113 case 0x008a:
3114 case 0x008b:
3115 case 0x008c:
3116 case 0x008d:
3117 case 0x00a8:
3118 case 0x00a9:
3119 case 0x00ae:
3120 case 0x00af:
3121 case 0x00b0:
3122 case 0x00b1:
3123 case 0xc064:
3124 case 0xc065:
3125 case 0xc08e:
3126 case 0xc08f:
3127 case 0xc094:
3128 case 0xc095:
3129 case 0xc0a4:
3130 case 0xc0a5:
3131 case 0xc0a8:
3132 case 0xc0a9:
3133 case 0xccab:
3134 case 0xe416:
3135 case 0xe417:
3136 return KEX_PSK0x1d;
3137 case 0x0001:
3138 case 0x0002:
3139 case 0x0003:
3140 case 0x0004:
3141 case 0x0005:
3142 case 0x0006:
3143 case 0x0007:
3144 case 0x0008:
3145 case 0x0009:
3146 case 0x000a:
3147 case 0x002f:
3148 case 0x0035:
3149 case 0x003b:
3150 case 0x003c:
3151 case 0x003d:
3152 case 0x0041:
3153 case 0x0060:
3154 case 0x0061:
3155 case 0x0062:
3156 case 0x0064:
3157 case 0x0084:
3158 case 0x0096:
3159 case 0x009c:
3160 case 0x009d:
3161 case 0x00ba:
3162 case 0x00c0:
3163 case 0xc07a:
3164 case 0xc07b:
3165 case 0xc09c:
3166 case 0xc09d:
3167 case 0xc0a0:
3168 case 0xc0a1:
3169 case 0xe410:
3170 case 0xe411:
3171 case 0xfefe:
3172 case 0xfeff:
3173 case 0xffe0:
3174 case 0xffe1:
3175 return KEX_RSA0x1e;
3176 case 0x002e:
3177 case 0x0092:
3178 case 0x0093:
3179 case 0x0094:
3180 case 0x0095:
3181 case 0x00ac:
3182 case 0x00ad:
3183 case 0x00b6:
3184 case 0x00b7:
3185 case 0x00b8:
3186 case 0x00b9:
3187 case 0xc092:
3188 case 0xc093:
3189 case 0xc098:
3190 case 0xc099:
3191 case 0xccae:
3192 case 0xe41a:
3193 case 0xe41b:
3194 return KEX_RSA_PSK0x1f;
3195 case 0xc01a:
3196 case 0xc01d:
3197 case 0xc020:
3198 return KEX_SRP_SHA0x20;
3199 case 0xc01c:
3200 case 0xc01f:
3201 case 0xc022:
3202 return KEX_SRP_SHA_DSS0x21;
3203 case 0xc01b:
3204 case 0xc01e:
3205 case 0xc021:
3206 return KEX_SRP_SHA_RSA0x22;
3207 case 0xc0ff:
3208 return KEX_ECJPAKE0x24;
3209 case 0xe003:
3210 case 0xe013:
3211 case 0xe053:
3212 return KEX_ECC_SM20x26;
3213 default:
3214 break;
3215 }
3216
3217 return 0;
3218 /* }}} */
3219}
3220
3221static wmem_list_t *connection_id_session_list;
3222
3223void
3224ssl_init_cid_list(void) {
3225 connection_id_session_list = wmem_list_new(wmem_file_scope());
3226}
3227
3228void
3229ssl_cleanup_cid_list(void) {
3230 wmem_destroy_list(connection_id_session_list);
3231}
3232
3233void
3234ssl_add_session_by_cid(SslDecryptSession *session)
3235{
3236 wmem_list_append(connection_id_session_list, session);
3237}
3238
3239SslDecryptSession *
3240ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
3241{
3242 SslDecryptSession * ssl_cid = NULL((void*)0);
3243 wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);
3244
3245 while (it != NULL((void*)0) && ssl_cid == NULL((void*)0)) {
3246 SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);
3247 DISSECTOR_ASSERT(ssl != NULL)((void) ((ssl != ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3247, "ssl != ((void*)0)"))));
3248 SslSession *session = &ssl->session;
3249
3250 if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {
3251 if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
3252 ssl_cid = ssl;
3253 }
3254 }
3255
3256 if (session->server_cid_len > 0) {
3257 if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
3258 ssl_cid = ssl;
3259 }
3260 }
3261
3262 it = wmem_list_frame_next(it);
3263 }
3264
3265 return ssl_cid;
3266}
3267
3268/* StringInfo structure (len + data) functions {{{ */
3269
3270int
3271ssl_data_alloc(StringInfo* str, size_t len)
3272{
3273 str->data = (unsigned char *)g_malloc(len);
22
Memory is allocated
3274 /* the allocator can return a null pointer for a size equal to 0,
3275 * and that must be allowed */
3276 if (len
22.1
'len' is > 0
 > 0 && !str->data)
23
Assuming field 'data' is non-null
24
Taking false branch
3277 return -1;
3278 str->data_len = (unsigned) len;
3279 return 0;
3280}
3281
3282void
3283ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
3284{
3285 DISSECTOR_ASSERT(data)((void) ((data) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 3285, "data"))));
3286 memcpy(str->data, data, len);
3287 str->data_len = len;
3288}
3289
3290static int
3291ssl_data_realloc(StringInfo* str, unsigned len)
3292{
3293 str->data = (unsigned char *)g_realloc(str->data, len);
3294 if (!str->data)
3295 return -1;
3296 str->data_len = len;
3297 return 0;
3298}
3299
3300static StringInfo *
3301ssl_data_clone(StringInfo *str)
3302{
3303 StringInfo *cloned_str;
3304 cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
3305 sizeof(StringInfo) + str->data_len);
3306 cloned_str->data = (unsigned char *) (cloned_str + 1);
3307 ssl_data_set(cloned_str, str->data, str->data_len);
3308 return cloned_str;
3309}
3310
3311static int
3312ssl_data_copy(StringInfo* dst, StringInfo* src)
3313{
3314 if (dst->data_len < src->data_len) {
3315 if (ssl_data_realloc(dst, src->data_len))
3316 return -1;
3317 }
3318 memcpy(dst->data, src->data, src->data_len);
3319 dst->data_len = src->data_len;
3320 return 0;
3321}
3322
3323/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
3324 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
3325 * success. */
3326static bool_Bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
3327 size_t i;
3328
3329 if (hex_len & 1)
3330 return false0;
3331
3332 out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);
3333 for (i = 0; i < hex_len / 2; i++) {
3334 int a = ws_xton(in[i*2]);
3335 int b = ws_xton(in[i*2 + 1]);
3336 if (a == -1 || b == -1)
3337 return false0;
3338 out->data[i] = a << 4 | b;
3339 }
3340 out->data_len = (unsigned)hex_len / 2;
3341 return true1;
3342}
3343/* StringInfo structure (len + data) functions }}} */
3344
3345
3346/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3347/* hmac abstraction layer */
3348#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
3349
3350static inline int
3351ssl_hmac_init(SSL_HMACgcry_md_hd_t* md, int algo)
3352{
3353 gcry_error_t err;
3354 const char *err_str, *err_src;
3355
3356 err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);
3357 if (err != 0) {
3358 err_str = gcry_strerror(err);
3359 err_src = gcry_strsource(err);
3360 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);
3361 return -1;
3362 }
3363 return 0;
3364}
3365
3366static inline int
3367ssl_hmac_setkey(SSL_HMACgcry_md_hd_t* md, const void * key, int len)
3368{
3369 gcry_error_t err;
3370 const char *err_str, *err_src;
3371
3372 err = gcry_md_setkey (*(md), key, len);
3373 if (err != 0) {
3374 err_str = gcry_strerror(err);
3375 err_src = gcry_strsource(err);
3376 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);
3377 return -1;
3378 }
3379 return 0;
3380}
3381
3382static inline int
3383ssl_hmac_reset(SSL_HMACgcry_md_hd_t* md)
3384{
3385 gcry_md_reset(*md);
3386 return 0;
3387}
3388
3389static inline void
3390ssl_hmac_update(SSL_HMACgcry_md_hd_t* md, const void* data, int len)
3391{
3392 gcry_md_write(*(md), data, len);
3393}
3394static inline void
3395ssl_hmac_final(SSL_HMACgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3396{
3397 int algo;
3398 unsigned len;
3399
3400 algo = gcry_md_get_algo (*(md));
3401 len = gcry_md_get_algo_dlen(algo);
3402 DISSECTOR_ASSERT(len <= *datalen)((void) ((len <= *datalen) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3402, "len <= *datalen"))));
3403 memcpy(data, gcry_md_read(*(md), algo), len);
3404 *datalen = len;
3405}
3406static inline void
3407ssl_hmac_cleanup(SSL_HMACgcry_md_hd_t* md)
3408{
3409 gcry_md_close(*(md));
3410}
3411
3412/* message digest abstraction layer*/
3413#define SSL_MDgcry_md_hd_t gcry_md_hd_t
3414
3415static inline int
3416ssl_md_init(SSL_MDgcry_md_hd_t* md, int algo)
3417{
3418 gcry_error_t err;
3419 const char *err_str, *err_src;
3420 err = gcry_md_open(md,algo, 0);
3421 if (err != 0) {
3422 err_str = gcry_strerror(err);
3423 err_src = gcry_strsource(err);
3424 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);
3425 return -1;
3426 }
3427 return 0;
3428}
3429static inline void
3430ssl_md_update(SSL_MDgcry_md_hd_t* md, unsigned char* data, int len)
3431{
3432 gcry_md_write(*(md), data, len);
3433}
3434static inline void
3435ssl_md_final(SSL_MDgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3436{
3437 int algo;
3438 int len;
3439 algo = gcry_md_get_algo (*(md));
3440 len = gcry_md_get_algo_dlen (algo);
3441 memcpy(data, gcry_md_read(*(md), algo), len);
3442 *datalen = len;
3443}
3444static inline void
3445ssl_md_cleanup(SSL_MDgcry_md_hd_t* md)
3446{
3447 gcry_md_close(*(md));
3448}
3449
3450static inline void
3451ssl_md_reset(SSL_MDgcry_md_hd_t* md)
3452{
3453 gcry_md_reset(*md);
3454}
3455
3456/* md5 /sha abstraction layer */
3457#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3458#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
3459
3460static inline int
3461ssl_sha_init(SSL_SHA_CTXgcry_md_hd_t* md)
3462{
3463 gcry_error_t err;
3464 const char *err_str, *err_src;
3465 err = gcry_md_open(md, GCRY_MD_SHA1, 0);
3466 if (err != 0) {
3467 err_str = gcry_strerror(err);
3468 err_src = gcry_strsource(err);
3469 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);
3470 return -1;
3471 }
3472 return 0;
3473}
3474static inline void
3475ssl_sha_update(SSL_SHA_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3476{
3477 gcry_md_write(*(md), data, len);
3478}
3479static inline void
3480ssl_sha_final(unsigned char* buf, SSL_SHA_CTXgcry_md_hd_t* md)
3481{
3482 memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),
3483 gcry_md_get_algo_dlen(GCRY_MD_SHA1));
3484}
3485
3486static inline void
3487ssl_sha_reset(SSL_SHA_CTXgcry_md_hd_t* md)
3488{
3489 gcry_md_reset(*md);
3490}
3491
3492static inline void
3493ssl_sha_cleanup(SSL_SHA_CTXgcry_md_hd_t* md)
3494{
3495 gcry_md_close(*(md));
3496}
3497
3498static inline int
3499ssl_md5_init(SSL_MD5_CTXgcry_md_hd_t* md)
3500{
3501 gcry_error_t err;
3502 const char *err_str, *err_src;
3503 err = gcry_md_open(md,GCRY_MD_MD5, 0);
3504 if (err != 0) {
3505 err_str = gcry_strerror(err);
3506 err_src = gcry_strsource(err);
3507 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);
3508 return -1;
3509 }
3510 return 0;
3511}
3512static inline void
3513ssl_md5_update(SSL_MD5_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3514{
3515 gcry_md_write(*(md), data, len);
3516}
3517static inline void
3518ssl_md5_final(unsigned char* buf, SSL_MD5_CTXgcry_md_hd_t* md)
3519{
3520 memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),
3521 gcry_md_get_algo_dlen(GCRY_MD_MD5));
3522}
3523
3524static inline void
3525ssl_md5_reset(SSL_MD5_CTXgcry_md_hd_t* md)
3526{
3527 gcry_md_reset(*md);
3528}
3529
3530static inline void
3531ssl_md5_cleanup(SSL_MD5_CTXgcry_md_hd_t* md)
3532{
3533 gcry_md_close(*(md));
3534}
3535/* libgcrypt wrappers for HMAC/message digest operations }}} */
3536
3537/* libgcrypt wrappers for Cipher state manipulation {{{ */
3538int
3539ssl_cipher_setiv(SSL_CIPHER_CTXgcry_cipher_hd_t *cipher, unsigned char* iv, int iv_len)
3540{
3541 int ret;
3542#if 0
3543 unsigned char *ivp;
3544 int i;
3545 gcry_cipher_hd_t c;
3546 c=(gcry_cipher_hd_t)*cipher;
3547#endif
3548 ssl_debug_printf("--------------------------------------------------------------------");
3549#if 0
3550 for(ivp=c->iv,i=0; i < iv_len; i++ )
3551 {
3552 ssl_debug_printf("%d ",ivp[i]);
3553 i++;
3554 }
3555#endif
3556 ssl_debug_printf("--------------------------------------------------------------------");
3557 ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
3558#if 0
3559 for(ivp=c->iv,i=0; i < iv_len; i++ )
3560 {
3561 ssl_debug_printf("%d ",ivp[i]);
3562 i++;
3563 }
3564#endif
3565 ssl_debug_printf("--------------------------------------------------------------------");
3566 return ret;
3567}
3568/* stream cipher abstraction layer*/
3569static int
3570ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
3571 unsigned char* iv, int mode)
3572{
3573 int gcry_modes[] = {
3574 GCRY_CIPHER_MODE_STREAM,
3575 GCRY_CIPHER_MODE_CBC,
3576 GCRY_CIPHER_MODE_GCM,
3577 GCRY_CIPHER_MODE_CCM,
3578 GCRY_CIPHER_MODE_CCM,
3579 GCRY_CIPHER_MODE_POLY1305,
3580 GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
3581 };
3582 int err;
3583 if (algo == -1) {
3584 /* NULL mode */
3585 *(cipher) = (gcry_cipher_hd_t)-1;
3586 return 0;
3587 }
3588 err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
3589 if (err !=0)
3590 return -1;
3591 err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
3592 if (err != 0)
3593 return -1;
3594 /* AEAD cipher suites will set the nonce later. */
3595 if (mode == MODE_CBC) {
3596 err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
3597 if (err != 0)
3598 return -1;
3599 }
3600 return 0;
3601}
3602static inline int
3603ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
3604 const unsigned char * in, int inl)
3605{
3606 if ((*cipher) == (gcry_cipher_hd_t)-1)
3607 {
3608 if (in && inl)
3609 memcpy(out, in, outl < inl ? outl : inl);
3610 return 0;
3611 }
3612 return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
3613}
3614static inline int
3615ssl_get_digest_by_name(const char*name)
3616{
3617 return gcry_md_map_name(name);
3618}
3619static inline int
3620ssl_get_cipher_by_name(const char* name)
3621{
3622 return gcry_cipher_map_name(name);
3623}
3624
3625static inline void
3626ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
3627{
3628 if ((*cipher) != (gcry_cipher_hd_t)-1)
3629 gcry_cipher_close(*cipher);
3630 *cipher = NULL((void*)0);
3631}
3632/* }}} */
3633
3634/* Digests, Ciphers and Cipher Suites registry {{{ */
3635static const SslDigestAlgo digests[]={
3636 {"MD5", 16},
3637 {"SHA1", 20},
3638 {"SHA256", 32},
3639 {"SHA384", 48},
3640 {"SM3", 32},
3641 {"Not Applicable", 0},
3642};
3643
3644#define DIGEST_MAX_SIZE48 48
3645
3646/* get index digest index */
3647static const SslDigestAlgo *
3648ssl_cipher_suite_dig(const SslCipherSuite *cs) {
3649 if (!cs || cs->dig < DIG_MD50x40 || cs->dig > DIG_NA0x45) {
3650 return &digests[DIG_NA0x45 - DIG_MD50x40];
3651 }
3652 return &digests[cs->dig - DIG_MD50x40];
3653}
3654
3655static const char *ciphers[]={
3656 "DES",
3657 "3DES",
3658 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
3659 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
3660 "IDEA",
3661 "AES",
3662 "AES256",
3663 "CAMELLIA128",
3664 "CAMELLIA256",
3665 "SEED",
3666 "CHACHA20", /* since Libgcrypt 1.7.0 */
3667 "SM1",
3668 "SM4",
3669 "*UNKNOWN*"
3670};
3671
3672static const SslCipherSuite cipher_suites[]={
3673 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3674 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3675 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3676 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3677 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3678 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3679 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3680 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3681 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3682 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3683 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3684 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3685 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3686 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3687 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3688 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3689 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3690 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3691 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3692 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3693 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3694 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3695 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3696 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3697 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3698 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3699 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3700 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3701 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3702 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3703 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3704 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3705 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3706 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3707 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3708 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3709 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3710 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3711 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3712 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3713 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3714 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3715 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3716 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3717 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3718 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3719 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3720 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3721 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3722 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3723 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3724 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3725 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3726 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3727 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3728 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3729 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3730 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3731 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3732 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3733 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3734 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3735 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3736 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3737 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3738 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3739 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3740 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3741 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3742 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3743 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3744 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3745 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3746 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3747 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3748 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3749 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3750 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3751 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3752 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3753 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3754 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3755 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3756 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3757 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3758 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3759 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3760 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3761 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3762 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3763 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3764 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3765 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3766 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3767 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3768 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3769 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3770 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3771 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3772 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3773 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3774 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3775 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3776 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3777 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3778 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3779 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3780 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3781 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3782 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3783 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3784 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3785 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3786 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3787 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3788 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3789 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3790 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3791 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3792 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3793 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3794 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3795 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3796 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3797 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3798 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3799 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3800 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3801 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3802 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3803 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3804 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3805 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3806 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3807
3808 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3809 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3810 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3811 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3812 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3813 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3814 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3815
3816 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3817 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3818 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3819 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3820 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3821 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3822 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3823 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3824 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3825 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3826 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3827 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3828 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3829 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3830 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3831 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3832 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3833 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3834 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3835 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3836 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3837 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3838 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3839 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3840 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3841 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3842 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3843 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3844 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3845 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3846 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3847 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3848 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3849 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3850 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3851 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3852 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3853 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3854 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3855 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3856 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3857 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3858 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3859 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3860 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3861 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3862 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3863 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3864 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3865 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3866 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3867 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3868 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3869 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3870 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3871 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3872 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3873 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3874 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3875 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3876 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3877 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3878 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3879 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3880 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3881 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3882 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3883 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3884 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3885 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3886 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3887 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3888 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3889 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3890 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3891 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3892 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3893 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3894 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3895 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3896 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3897 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3898 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3899 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3900 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3901 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3902 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3903 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3904 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3905 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3906 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3907 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3908 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3909 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3910 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3911 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3912 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3913 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3914 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3915 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3916 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3917 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3918 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3919 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3920 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3921 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3922 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3923 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3924 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3925 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3926 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3927 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3928 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3929 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3930 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3931 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3932 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3933 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3934 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3935 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3936 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3937 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3938 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3939 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3940 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3941 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3942 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3943 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3944 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3945 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3946 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3947 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3948 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3949 /* GM */
3950 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3951 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3952 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3953 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3954 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3955 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3956 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3957 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3958 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3959 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3960 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3961 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3962 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3963 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3964 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3965 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3966 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3967 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3968 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3969 {-1, 0, 0, 0, MODE_STREAM}
3970};
3971
3972#define MAX_BLOCK_SIZE16 16
3973#define MAX_KEY_SIZE32 32
3974
3975const SslCipherSuite *
3976ssl_find_cipher(int num)
3977{
3978 const SslCipherSuite *c;
3979 for(c=cipher_suites;c->number!=-1;c++){
3980 if(c->number==num){
3981 return c;
3982 }
3983 }
3984
3985 return NULL((void*)0);
3986}
3987
3988int
3989ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
3990{
3991 return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3992}
3993
3994unsigned
3995ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
3996{
3997 int cipher_algo;
3998 if (cipher_suite->mode != MODE_CBC) return 0;
3999 cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START0x30]);
4000 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4001}
4002
4003static unsigned
4004ssl_get_cipher_export_keymat_size(int cipher_suite_num)
4005{
4006 switch (cipher_suite_num) {
4007 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
4008 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
4009 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
4010 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
4011 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
4012 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
4013 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
4014 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
4015 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
4016 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
4017 return 5;
4018
4019 /* not defined in below draft, but "implemented by several vendors",
4020 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
4021 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
4022 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
4023 return 7;
4024
4025 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
4026 * used 7. Until a pcap proves 8, let's use the old value. Link:
4027 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
4028 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
4029 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
4030 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
4031 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
4032 return 7;
4033
4034 default:
4035 return 0;
4036 }
4037}
4038
4039/* Digests, Ciphers and Cipher Suites registry }}} */
4040
4041
4042/* HMAC and the Pseudorandom function {{{ */
4043static int
4044tls_hash(StringInfo *secret, StringInfo *seed, int md,
4045 StringInfo *out, unsigned out_len)
4046{
4047 /* RFC 2246 5. HMAC and the pseudorandom function
4048 * '+' denotes concatenation.
4049 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
4050 * HMAC_hash(secret, A(2) + seed) + ...
4051 * A(0) = seed
4052 * A(i) = HMAC_hash(secret, A(i - 1))
4053 */
4054 uint8_t *ptr;
4055 unsigned left, tocpy;
4056 uint8_t *A;
4057 uint8_t _A[DIGEST_MAX_SIZE48], tmp[DIGEST_MAX_SIZE48];
4058 unsigned A_l, tmp_l;
4059 SSL_HMACgcry_md_hd_t hm;
4060
4061 ptr = out->data;
4062 left = out_len;
4063
4064 ssl_print_string("tls_hash: hash secret", secret);
4065 ssl_print_string("tls_hash: hash seed", seed);
4066 /* A(0) = seed */
4067 A = seed->data;
4068 A_l = seed->data_len;
4069
4070 if (ssl_hmac_init(&hm, md) != 0) {
4071 return -1;
4072 }
4073 while (left) {
4074 /* A(i) = HMAC_hash(secret, A(i-1)) */
4075 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4076 ssl_hmac_update(&hm, A, A_l);
4077 A_l = sizeof(_A); /* upper bound len for hash output */
4078 ssl_hmac_final(&hm, _A, &A_l);
4079 A = _A;
4080
4081 /* HMAC_hash(secret, A(i) + seed) */
4082 ssl_hmac_reset(&hm);
4083 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4084 ssl_hmac_update(&hm, A, A_l);
4085 ssl_hmac_update(&hm, seed->data, seed->data_len);
4086 tmp_l = sizeof(tmp); /* upper bound len for hash output */
4087 ssl_hmac_final(&hm, tmp, &tmp_l);
4088 ssl_hmac_reset(&hm);
4089
4090 /* ssl_hmac_final puts the actual digest output size in tmp_l */
4091 tocpy = MIN(left, tmp_l)(((left) < (tmp_l)) ? (left) : (tmp_l));
4092 memcpy(ptr, tmp, tocpy);
4093 ptr += tocpy;
4094 left -= tocpy;
4095 }
4096 ssl_hmac_cleanup(&hm);
4097 out->data_len = out_len;
4098
4099 ssl_print_string("hash out", out);
4100 return 0;
4101}
4102
4103static bool_Bool
4104tls_prf(StringInfo* secret, const char *usage,
4105 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4106{
4107 StringInfo seed, sha_out, md5_out;
4108 uint8_t *ptr;
4109 StringInfo s1, s2;
4110 unsigned i,s_l;
4111 size_t usage_len, rnd2_len;
4112 bool_Bool success = false0;
4113 usage_len = strlen(usage);
4114 rnd2_len = rnd2 ? rnd2->data_len : 0;
4115
4116 /* initialize buffer for sha, md5 random seed*/
4117 if (ssl_data_alloc(&sha_out, MAX(out_len, 20)(((out_len) > (20)) ? (out_len) : (20))) < 0) {
4118 ssl_debug_printf("tls_prf: can't allocate sha out\n");
4119 return false0;
4120 }
4121 if (ssl_data_alloc(&md5_out, MAX(out_len, 16)(((out_len) > (16)) ? (out_len) : (16))) < 0) {
4122 ssl_debug_printf("tls_prf: can't allocate md5 out\n");
4123 goto free_sha;
4124 }
4125 if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4126 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
4127 (int) (usage_len+rnd1->data_len+rnd2_len));
4128 goto free_md5;
4129 }
4130
4131 ptr=seed.data;
4132 memcpy(ptr,usage,usage_len);
4133 ptr+=usage_len;
4134 memcpy(ptr,rnd1->data,rnd1->data_len);
4135 if (rnd2_len > 0) {
4136 ptr+=rnd1->data_len;
4137 memcpy(ptr,rnd2->data,rnd2->data_len);
4138 /*ptr+=rnd2->data_len;*/
4139 }
4140
4141 /* initialize buffer for client/server seeds*/
4142 s_l=secret->data_len/2 + secret->data_len%2;
4143 if (ssl_data_alloc(&s1, s_l) < 0) {
4144 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);
4145 goto free_seed;
4146 }
4147 if (ssl_data_alloc(&s2, s_l) < 0) {
4148 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);
4149 goto free_s1;
4150 }
4151
4152 memcpy(s1.data,secret->data,s_l);
4153 memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);
4154
4155 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
4156 if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
4157 goto free_s2;
4158 ssl_debug_printf("tls_prf: tls_hash(sha)\n");
4159 if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
4160 goto free_s2;
4161
4162 for (i = 0; i < out_len; i++)
4163 out->data[i] = md5_out.data[i] ^ sha_out.data[i];
4164 /* success, now store the new meaningful data length */
4165 out->data_len = out_len;
4166 success = true1;
4167
4168 ssl_print_string("PRF out",out);
4169free_s2:
4170 g_free(s2.data);
4171free_s1:
4172 g_free(s1.data);
4173free_seed:
4174 g_free(seed.data);
4175free_md5:
4176 g_free(md5_out.data);
4177free_sha:
4178 g_free(sha_out.data);
4179 return success;
4180}
4181
4182static bool_Bool
4183tls12_prf(int md, StringInfo* secret, const char* usage,
4184 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4185{
4186 StringInfo label_seed;
4187 int success;
4188 size_t usage_len, rnd2_len;
4189 rnd2_len = rnd2 ? rnd2->data_len : 0;
4190
4191 usage_len = strlen(usage);
4192 if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4193 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
4194 return false0;
4195 }
4196 memcpy(label_seed.data, usage, usage_len);
4197 memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);
4198 if (rnd2_len > 0)
4199 memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);
4200
4201 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
4202 success = tls_hash(secret, &label_seed, md, out, out_len);
4203 g_free(label_seed.data);
4204 if(success != -1){
4205 ssl_print_string("PRF out", out);
4206 return true1;
4207 }
4208 return false0;
4209}
4210
4211static bool_Bool
4212ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
4213 StringInfo *out, unsigned out_len)
4214{
4215 SSL_MD5_CTXgcry_md_hd_t md5;
4216 uint8_t tmp[16];
4217
4218 if (ssl_md5_init(&md5) != 0) {
4219 return false0;
4220 }
4221 ssl_md5_update(&md5,r1->data,r1->data_len);
4222 ssl_md5_update(&md5,r2->data,r2->data_len);
4223 ssl_md5_final(tmp,&md5);
4224 ssl_md5_cleanup(&md5);
4225
4226 DISSECTOR_ASSERT(out_len <= sizeof(tmp))((void) ((out_len <= sizeof(tmp)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4226, "out_len <= sizeof(tmp)"))));
4227 ssl_data_set(out, tmp, out_len);
4228 ssl_print_string("export iv", out);
4229 return true1;
4230}
4231
4232static bool_Bool
4233ssl3_prf(StringInfo* secret, const char* usage,
4234 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4235{
4236 SSL_MD5_CTXgcry_md_hd_t md5;
4237 SSL_SHA_CTXgcry_md_hd_t sha;
4238 unsigned off;
4239 int i = 0,j;
4240 uint8_t buf[20];
4241
4242 if (ssl_sha_init(&sha) != 0) {
4243 return false0;
4244 }
4245 if (ssl_md5_init(&md5) != 0) {
4246 ssl_sha_cleanup(&sha);
4247 return false0;
4248 }
4249 for (off = 0; off < out_len; off += 16) {
4250 unsigned char outbuf[16];
4251 i++;
4252
4253 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);
4254 /* A, BB, CCC, ... */
4255 for(j=0;j<i;j++){
4256 buf[j]=64+i;
4257 }
4258
4259 ssl_sha_update(&sha,buf,i);
4260 ssl_sha_update(&sha,secret->data,secret->data_len);
4261
4262 if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){
4263 if (rnd2)
4264 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4265 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4266 }
4267 else{
4268 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4269 if (rnd2)
4270 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4271 }
4272
4273 ssl_sha_final(buf,&sha);
4274 ssl_sha_reset(&sha);
4275
4276 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,
4277 secret->data_len);
4278 ssl_md5_update(&md5,secret->data,secret->data_len);
4279 ssl_md5_update(&md5,buf,20);
4280 ssl_md5_final(outbuf,&md5);
4281 ssl_md5_reset(&md5);
4282
4283 memcpy(out->data + off, outbuf, MIN(out_len - off, 16)(((out_len - off) < (16)) ? (out_len - off) : (16)));
4284 }
4285 ssl_sha_cleanup(&sha);
4286 ssl_md5_cleanup(&md5);
4287 out->data_len = out_len;
4288
4289 return true1;
4290}
4291
4292/* out_len is the wanted output length for the pseudorandom function.
4293 * Ensure that ssl->cipher_suite is set. */
4294static bool_Bool
4295prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
4296 StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
4297{
4298 switch (ssl->session.version) {
4299 case SSLV3_VERSION0x300:
4300 return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);
4301
4302 case TLSV1_VERSION0x301:
4303 case TLSV1DOT1_VERSION0x302:
4304 case DTLSV1DOT0_VERSION0xfeff:
4305 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4306 return tls_prf(secret, usage, rnd1, rnd2, out, out_len);
4307
4308 default: /* TLSv1.2 */
4309 switch (ssl->cipher_suite->dig) {
4310 case DIG_SM30x44:
4311#if GCRYPT_VERSION_NUMBER0x010a03 >= 0x010900
4312 return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,
4313 out, out_len);
4314#else
4315 return false0;
4316#endif
4317 case DIG_SHA3840x43:
4318 return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,
4319 out, out_len);
4320 default:
4321 return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,
4322 out, out_len);
4323 }
4324 }
4325}
4326
4327static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
4328{
4329 SSL_MD5_CTXgcry_md_hd_t md5;
4330 SSL_SHA_CTXgcry_md_hd_t sha;
4331
4332 if (ssl_data_alloc(out, 36) < 0)
21
Calling 'ssl_data_alloc'
25
Returned allocated memory
26
Taking false branch
4333 return -1;
4334
4335 if (ssl_md5_init(&md5) != 0)
27
Taking true branch
4336 return -1;
4337 ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);
4338 ssl_md5_final(out->data,&md5);
4339 ssl_md5_cleanup(&md5);
4340
4341 if (ssl_sha_init(&sha) != 0)
4342 return -1;
4343 ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);
4344 ssl_sha_final(out->data+16,&sha);
4345 ssl_sha_cleanup(&sha);
4346 return 0;
4347}
4348
4349static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
4350{
4351 SSL_MDgcry_md_hd_t mc;
4352 uint8_t tmp[48];
4353 unsigned len;
4354
4355 if (ssl_md_init(&mc, md) != 0)
4356 return -1;
4357 ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);
4358 ssl_md_final(&mc, tmp, &len);
4359 ssl_md_cleanup(&mc);
4360
4361 if (ssl_data_alloc(out, len) < 0)
4362 return -1;
4363 memcpy(out->data, tmp, len);
4364 return 0;
4365}
4366
4367/**
4368 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
4369 * inlined and removed once support for draft 19 and before is dropped.
4370 */
4371static inline const char *
4372tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
4373{
4374 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
4375 return "TLS 1.3, ";
4376 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4377 return "dtls13";
4378 } else {
4379 return "tls13 ";
4380 }
4381}
4382
4383/*
4384 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
4385 * custom label prefix. If "context_hash" is NULL, then an empty context is
4386 * used. Otherwise it must have the same length as the hash algorithm output.
4387 */
4388bool_Bool
4389tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
4390 const char *label_prefix, const char *label,
4391 const uint8_t *context_hash, uint8_t context_length,
4392 uint16_t out_len, unsigned char **out)
4393{
4394 /* RFC 8446 Section 7.1:
4395 * HKDF-Expand-Label(Secret, Label, Context, Length) =
4396 * HKDF-Expand(Secret, HkdfLabel, Length)
4397 * struct {
4398 * uint16 length = Length;
4399 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
4400 * opaque context<0..255> = Context;
4401 * } HkdfLabel;
4402 *
4403 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
4404 * HKDF-Expand(PRK, info, L) -> OKM
4405 */
4406 gcry_error_t err;
4407 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
4408 const unsigned label_length = (unsigned) strlen(label);
4409
4410 /* Some sanity checks */
4411 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4411, "label_length > 0 && label_prefix_length + label_length <= 255"
))));
4412
4413 /* info = HkdfLabel { length, label, context } */
4414 GByteArray *info = g_byte_array_new();
4415 const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))));
4416 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));
4417
4418 const uint8_t label_vector_length = label_prefix_length + label_length;
4419 g_byte_array_append(info, &label_vector_length, 1);
4420 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
4421 g_byte_array_append(info, (const uint8_t*)label, label_length);
4422
4423 g_byte_array_append(info, &context_length, 1);
4424 if (context_length) {
4425 g_byte_array_append(info, context_hash, context_length);
4426 }
4427
4428 *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);
4429 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
4430 g_byte_array_free(info, true1);
4431
4432 if (err) {
4433 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));
4434 wmem_free(NULL((void*)0), *out);
4435 *out = NULL((void*)0);
4436 return false0;
4437 }
4438
4439 return true1;
4440}
4441
4442bool_Bool
4443tls13_hkdf_expand_label(int md, const StringInfo *secret,
4444 const char *label_prefix, const char *label,
4445 uint16_t out_len, unsigned char **out)
4446{
4447 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL((void*)0), 0, out_len, out);
4448}
4449/* HMAC and the Pseudorandom function }}} */
4450
4451/* Record Decompression (after decryption) {{{ */
4452#ifdef USE_ZLIB_OR_ZLIBNG
4453/* memory allocation functions for zlib initialization */
4454static void* ssl_zalloc(void* opaque _U___attribute__((unused)), unsigned int no, unsigned int size)
4455{
4456 return g_malloc0(no*size);
4457}
4458static void ssl_zfree(void* opaque _U___attribute__((unused)), void* addr)
4459{
4460 g_free(addr);
4461}
4462#endif /* USE_ZLIB_OR_ZLIBNG */
4463
4464static SslDecompress*
4465ssl_create_decompressor(int compression)
4466{
4467 SslDecompress *decomp;
4468#ifdef USE_ZLIB_OR_ZLIBNG
4469 int err;
4470#endif
4471
4472 if (compression == 0) return NULL((void*)0);
4473 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
4474 decomp = wmem_new(wmem_file_scope(), SslDecompress)((SslDecompress*)wmem_alloc((wmem_file_scope()), sizeof(SslDecompress
)));
4475 decomp->compression = compression;
4476 switch (decomp->compression) {
4477#ifdef USE_ZLIB_OR_ZLIBNG
4478 case 1: /* DEFLATE */
4479 decomp->istream.zalloc = ssl_zalloc;
4480 decomp->istream.zfree = ssl_zfree;
4481 decomp->istream.opaque = Z_NULL0;
4482 decomp->istream.next_in = Z_NULL0;
4483 decomp->istream.next_out = Z_NULL0;
4484 decomp->istream.avail_in = 0;
4485 decomp->istream.avail_out = 0;
4486 err = ZLIB_PREFIX(inflateInit)(&decomp->istream)inflateInit_((&decomp->istream), "1.3", (int)sizeof(z_stream
));
4487 if (err != Z_OK0) {
4488 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
4489 return NULL((void*)0);
4490 }
4491 break;
4492#endif /* USE_ZLIB_OR_ZLIBNG */
4493 default:
4494 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
4495 return NULL((void*)0);
4496 }
4497 return decomp;
4498}
4499
4500#ifdef USE_ZLIB_OR_ZLIBNG
4501static int
4502ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
4503{
4504 int err;
4505
4506 switch (decomp->compression) {
4507 case 1: /* DEFLATE */
4508 err = Z_OK0;
4509 if (out_str->data_len < 16384) { /* maximal plain length */
4510 ssl_data_realloc(out_str, 16384);
4511 }
4512#ifdef z_constconst
4513 decomp->istream.next_in = in;
4514#else
4515DIAG_OFF(cast-qual)clang diagnostic push clang diagnostic ignored "-Wcast-qual"
4516 decomp->istream.next_in = (Bytef *)in;
4517DIAG_ON(cast-qual)clang diagnostic pop
4518#endif
4519 decomp->istream.avail_in = inl;
4520 decomp->istream.next_out = out_str->data;
4521 decomp->istream.avail_out = out_str->data_len;
4522 if (inl > 0)
4523 err = ZLIB_PREFIX(inflate)inflate(&decomp->istream, Z_SYNC_FLUSH2);
4524 if (err != Z_OK0) {
4525 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
4526 return -1;
4527 }
4528 *outl = out_str->data_len - decomp->istream.avail_out;
4529 break;
4530 default:
4531 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4532 return -1;
4533 }
4534 return 0;
4535}
4536#else /* USE_ZLIB_OR_ZLIBNG */
4537int
4538ssl_decompress_record(SslDecompress* decomp _U___attribute__((unused)), const unsigned char* in _U___attribute__((unused)), unsigned inl _U___attribute__((unused)), StringInfo* out_str _U___attribute__((unused)), unsigned* outl _U___attribute__((unused)))
4539{
4540 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4541 return -1;
4542}
4543#endif /* USE_ZLIB_OR_ZLIBNG */
4544/* Record Decompression (after decryption) }}} */
4545
4546/* Create a new structure to store decrypted chunks. {{{ */
4547static SslFlow*
4548ssl_create_flow(void)
4549{
4550 SslFlow *flow;
4551
4552 flow = wmem_new(wmem_file_scope(), SslFlow)((SslFlow*)wmem_alloc((wmem_file_scope()), sizeof(SslFlow)));
4553 flow->byte_seq = 0;
4554 flow->flags = 0;
4555 flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
4556 return flow;
4557}
4558/* }}} */
4559
4560/* Use the negotiated security parameters for decryption. {{{ */
4561void
4562ssl_change_cipher(SslDecryptSession *ssl_session, bool_Bool server)
4563{
4564 SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;
4565 SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;
4566 ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
4567 *new_decoder ? "" : " (No decoder found - retransmission?)");
4568 if (*new_decoder) {
4569 *dest = *new_decoder;
4570 *new_decoder = NULL((void*)0);
4571 }
4572}
4573/* }}} */
4574
4575/* Init cipher state given some security parameters. {{{ */
4576static bool_Bool
4577ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
4578
4579static SslDecoder*
4580ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
4581 int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
4582{
4583 SslDecoder *dec;
4584 ssl_cipher_mode_t mode = cipher_suite->mode;
4585
4586 dec = wmem_new0(wmem_file_scope(), SslDecoder)((SslDecoder*)wmem_alloc0((wmem_file_scope()), sizeof(SslDecoder
)));
4587 /* init mac buffer: mac storage is embedded into decoder struct to save a
4588 memory allocation and waste samo more memory*/
4589 dec->cipher_suite=cipher_suite;
4590 dec->compression = compression;
4591 if ((mode == MODE_STREAM && mk != NULL((void*)0)) || mode == MODE_CBC) {
4592 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
4593 // the special case for NULL ciphers, even if there is insufficiency
4594 // keying material (including MAC key), we will can still create
4595 // decoders since "decryption" is easy for such ciphers.
4596 dec->mac_key.data = dec->_mac_key_or_write_iv;
4597 ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
4598 } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
4599 // Input for the nonce, to be used with AEAD ciphers.
4600 DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv))((void) ((iv_length <= sizeof(dec->_mac_key_or_write_iv
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4600, "iv_length <= sizeof(dec->_mac_key_or_write_iv)"
))));
4601 dec->write_iv.data = dec->_mac_key_or_write_iv;
4602 ssl_data_set(&dec->write_iv, iv, iv_length);
4603 }
4604 dec->seq = 0;
4605 dec->decomp = ssl_create_decompressor(compression);
4606 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);
4607
4608 if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {
4609 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC((const char*) (__func__)),
4610 cipher_algo, cipher_suite->mode);
4611 return NULL((void*)0);
4612 }
4613
4614 if (cipher_suite->enc != ENC_NULL0x3D && sn_key != NULL((void*)0)) {
4615 if (cipher_suite->enc == ENC_AES0x35 || cipher_suite->enc == ENC_AES2560x36) {
4616 mode = MODE_ECB;
4617 } else if (cipher_suite->enc == ENC_CHACHA200x3A) {
4618 mode = MODE_STREAM;
4619 } else {
4620 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
4621 return NULL((void*)0);
4622 }
4623
4624 if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL((void*)0), mode) < 0) {
4625 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC((const char*) (__func__)),
4626 cipher_algo, MODE_ECB);
4627 ssl_cipher_cleanup(&dec->evp);
4628 dec->evp = NULL((void*)0);
4629 return NULL((void*)0);
4630 }
4631 } else {
4632 dec->sn_evp = NULL((void*)0);
4633 }
4634
4635 dec->dtls13_aad.data = NULL((void*)0);
4636 dec->dtls13_aad.data_len = 0;
4637 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
4638 return dec;
4639}
4640
4641static bool_Bool
4642ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U___attribute__((unused)), wmem_cb_event_t event _U___attribute__((unused)), void *user_data)
4643{
4644 SslDecoder *dec = (SslDecoder *) user_data;
4645
4646 if (dec->evp)
4647 ssl_cipher_cleanup(&dec->evp);
4648 if (dec->sn_evp)
4649 ssl_cipher_cleanup(&dec->sn_evp);
4650
4651#ifdef USE_ZLIB_OR_ZLIBNG
4652 if (dec->decomp != NULL((void*)0) && dec->decomp->compression == 1 /* DEFLATE */)
4653 ZLIB_PREFIX(inflateEnd)inflateEnd(&dec->decomp->istream);
4654#endif
4655
4656 return false0;
4657}
4658/* }}} */
4659
4660/* (Pre-)master secrets calculations {{{ */
4661#ifdef HAVE_LIBGNUTLS1
4662static bool_Bool
4663ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4664 StringInfo *encrypted_pre_master,
4665 GHashTable *key_hash);
4666#endif /* HAVE_LIBGNUTLS */
4667
4668static bool_Bool
4669ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
4670 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);
4671
4672bool_Bool
4673ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
4674 uint32_t length, tvbuff_t *tvb, uint32_t offset,
4675 const char *ssl_psk, packet_info *pinfo,
4676#ifdef HAVE_LIBGNUTLS1
4677 GHashTable *key_hash,
4678#endif
4679 const ssl_master_key_map_t *mk_map)
4680{
4681 /* check for required session data */
4682 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
4683 G_STRFUNC((const char*) (__func__)), ssl_session->state);
4684 if ((ssl_session->state & (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) !=
4685 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) {
4686 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC((const char*) (__func__)),
4687 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4)));
4688 return false0;
4689 }
4690
4691 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304) {
4692 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC((const char*) (__func__)));
4693 return false0;
4694 }
4695
4696 /* check to see if the PMS was provided to us*/
4697 if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true1,
4698 mk_map->pms, &ssl_session->client_random)) {
4699 return true1;
4700 }
4701
4702 if (ssl_session->cipher_suite->kex == KEX_PSK0x1d)
4703 {
4704 /* calculate pre master secret*/
4705 StringInfo pre_master_secret;
4706 unsigned psk_len, pre_master_len;
4707
4708 if (!ssl_psk || (ssl_psk[0] == 0)) {
4709 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC((const char*) (__func__)));
4710 return false0;
4711 }
4712
4713 /* convert hex string into char*/
4714 if (!from_hex(&ssl_session->psk, ssl_psk, strlen(ssl_psk))) {
4715 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
4716 G_STRFUNC((const char*) (__func__)));
4717 return false0;
4718 }
4719
4720 psk_len = ssl_session->psk.data_len;
4721 if (psk_len >= (2 << 15)) {
4722 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
4723 G_STRFUNC((const char*) (__func__)));
4724 return false0;
4725 }
4726
4727
4728 pre_master_len = psk_len * 2 + 4;
4729
4730 pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
4731 pre_master_secret.data_len = pre_master_len;
4732 /* 2 bytes psk_len*/
4733 pre_master_secret.data[0] = psk_len >> 8;
4734 pre_master_secret.data[1] = psk_len & 0xFF;
4735 /* psk_len bytes times 0*/
4736 memset(&pre_master_secret.data[2], 0, psk_len);
4737 /* 2 bytes psk_len*/
4738 pre_master_secret.data[psk_len + 2] = psk_len >> 8;
4739 pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
4740 /* psk*/
4741 memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);
4742
4743 ssl_session->pre_master_secret.data = pre_master_secret.data;
4744 ssl_session->pre_master_secret.data_len = pre_master_len;
4745 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/
4746
4747 /* Remove the master secret if it was there.
4748 This forces keying material regeneration in
4749 case we're renegotiating */
4750 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
4751 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
4752 return true1;
4753 }
4754 else
4755 {
4756 unsigned encrlen, skip;
4757 encrlen = length;
4758 skip = 0;
4759
4760 /* get encrypted data, on tls1 we have to skip two bytes
4761 * (it's the encrypted len and should be equal to record len - 2)
4762 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
4763 */
4764 if (ssl_session->cipher_suite->kex == KEX_RSA0x1e &&
4765 (ssl_session->session.version == TLSV1_VERSION0x301 ||
4766 ssl_session->session.version == TLSV1DOT1_VERSION0x302 ||
4767 ssl_session->session.version == TLSV1DOT2_VERSION0x303 ||
4768 ssl_session->session.version == DTLSV1DOT0_VERSION0xfeff ||
4769 ssl_session->session.version == DTLSV1DOT2_VERSION0xfefd ||
4770 ssl_session->session.version == TLCPV1_VERSION0x101 ))
4771 {
4772 encrlen = tvb_get_ntohs(tvb, offset);
4773 skip = 2;
4774 if (encrlen > length - 2)
4775 {
4776 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
4777 G_STRFUNC((const char*) (__func__)), encrlen, length);
4778 return false0;
4779 }
4780 }
4781 /* the valid lower bound is higher than 8, but it is sufficient for the
4782 * ssl keylog file below */
4783 if (encrlen < 8) {
4784 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
4785 G_STRFUNC((const char*) (__func__)), encrlen);
4786 return false0;
4787 }
4788
4789 StringInfo encrypted_pre_master = {
4790 .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
4791 .data_len = encrlen,
4792 };
4793
4794#ifdef HAVE_LIBGNUTLS1
4795 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
4796 if (ssl_session->cert_key_id) {
4797 if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
4798 return true1;
4799
4800 ssl_debug_printf("%s: can't decrypt pre-master secret\n",
4801 G_STRFUNC((const char*) (__func__)));
4802 }
4803#endif /* HAVE_LIBGNUTLS */
4804
4805 /* try to find the pre-master secret from the encrypted one. The
4806 * ssl key logfile stores only the first 8 bytes, so truncate it */
4807 encrypted_pre_master.data_len = 8;
4808 if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
4809 true1, mk_map->pre_master, &encrypted_pre_master))
4810 return true1;
4811 }
4812 return false0;
4813}
4814
4815/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
4816int
4817ssl_generate_keyring_material(SslDecryptSession*ssl_session)
4818{
4819 StringInfo key_block = { NULL((void*)0), 0 };
4820 uint8_t _iv_c[MAX_BLOCK_SIZE16],_iv_s[MAX_BLOCK_SIZE16];
4821 uint8_t _key_c[MAX_KEY_SIZE32],_key_s[MAX_KEY_SIZE32];
4822 int needed;
4823 int cipher_algo = -1; /* special value (-1) for NULL encryption */
4824 unsigned encr_key_len, write_iv_len = 0;
4825 bool_Bool is_export_cipher;
4826 uint8_t *ptr, *c_iv = NULL((void*)0), *s_iv = NULL((void*)0);
4827 uint8_t *c_wk = NULL((void*)0), *s_wk = NULL((void*)0), *c_mk = NULL((void*)0), *s_mk = NULL((void*)0);
4828 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
4829
4830 /* (D)TLS 1.3 is handled directly in tls13_change_key. */
4831 if (ssl_session->session.version
7.1
Field 'version' is not equal to TLSV1DOT3_VERSION
 == TLSV1DOT3_VERSION0x304 || ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
8
Assuming field 'version' is not equal to DTLSV1DOT3_VERSION
9
Taking false branch
4832 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC((const char*) (__func__)));
4833 return -1;
4834 }
4835
4836 /* check for enough info to proceed */
4837 unsigned need_all = SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4);
4838 unsigned need_any = SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
4839 if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
10
Assuming the condition is false
11
Assuming the condition is false
12
Taking false branch
4840 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
4841 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
4842 need_all|SSL_MASTER_SECRET(1<<5), need_all|SSL_PRE_MASTER_SECRET(1<<6));
4843 /* Special case: for NULL encryption, allow dissection of data even if
4844 * the Client Hello is missing (MAC keys are now skipped though). */
4845 need_all = SSL_CIPHER(1<<2)|SSL_VERSION(1<<4);
4846 if ((ssl_session->state & need_all) == need_all &&
4847 cipher_suite->enc == ENC_NULL0x3D) {
4848 ssl_debug_printf("%s NULL cipher found, will create a decoder but "
4849 "skip MAC validation as keys are missing.\n", G_STRFUNC((const char*) (__func__)));
4850 goto create_decoders;
4851 }
4852
4853 return -1;
4854 }
4855
4856 /* if master key is not available, generate is from the pre-master secret */
4857 if (!(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
13
Assuming the condition is true
14
Taking true branch
4858 if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) == SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) {
15
Assuming the condition is true
16
Taking true branch
4859 StringInfo handshake_hashed_data;
4860 int ret;
4861
4862 handshake_hashed_data.data = NULL((void*)0);
4863 handshake_hashed_data.data_len = 0;
4864
4865 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC((const char*) (__func__)));
4866 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4867 DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0)((void) ((ssl_session->handshake_data.data_len > 0) ? (
void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4867, "ssl_session->handshake_data.data_len > 0"
))));
17
Assuming field 'data_len' is > 0
18
'?' condition is true
4868
4869 switch(ssl_session->session.version) {
19
Control jumps to 'case 257:' at line 4874
4870 case TLSV1_VERSION0x301:
4871 case TLSV1DOT1_VERSION0x302:
4872 case DTLSV1DOT0_VERSION0xfeff:
4873 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4874 case TLCPV1_VERSION0x101:
4875 ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
20
Calling 'tls_handshake_hash'
28
Returned allocated memory
4876 break;
4877 default:
4878 switch (cipher_suite->dig) {
4879 case DIG_SHA3840x43:
4880 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
4881 break;
4882 default:
4883 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
4884 break;
4885 }
4886 break;
4887 }
4888 if (ret
29.1
'ret' is -1
) {
29
 Execution continues on line 4888
30
Taking true branch
4889 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC((const char*) (__func__)));
31
Potential leak of memory pointed to by 'handshake_hashed_data.data'
4890 return -1;
4891 }
4892
4893 wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
4894 ssl_session->handshake_data.data = NULL((void*)0);
4895 ssl_session->handshake_data.data_len = 0;
4896
4897 if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
4898 &handshake_hashed_data,
4899 NULL((void*)0), &ssl_session->master_secret,
4900 SSL_MASTER_SECRET_LENGTH48)) {
4901 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4902 g_free(handshake_hashed_data.data);
4903 return -1;
4904 }
4905 g_free(handshake_hashed_data.data);
4906 } else {
4907 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC((const char*) (__func__)));
4908 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4909 ssl_print_string("client random",&ssl_session->client_random);
4910 ssl_print_string("server random",&ssl_session->server_random);
4911 if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
4912 &ssl_session->client_random,
4913 &ssl_session->server_random, &ssl_session->master_secret,
4914 SSL_MASTER_SECRET_LENGTH48)) {
4915 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4916 return -1;
4917 }
4918 }
4919 ssl_print_string("master secret",&ssl_session->master_secret);
4920
4921 /* the pre-master secret has been 'consumed' so we must clear it now */
4922 ssl_session->state &= ~SSL_PRE_MASTER_SECRET(1<<6);
4923 ssl_session->state |= SSL_MASTER_SECRET(1<<5);
4924 }
4925
4926 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4927 if (cipher_suite->enc != ENC_NULL0x3D) {
4928 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
4929 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4930 cipher_algo = ssl_get_cipher_by_name(cipher_name);
4931 if (cipher_algo == 0) {
4932 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4933 return -1;
4934 }
4935 }
4936
4937 /* Export ciphers consume less material from the key block. */
4938 encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
4939 is_export_cipher = encr_key_len > 0;
4940 if (!is_export_cipher && cipher_suite->enc != ENC_NULL0x3D) {
4941 encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
4942 }
4943
4944 if (cipher_suite->mode == MODE_CBC) {
4945 write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4946 } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
4947 /* account for a four-byte salt for client and server side (from
4948 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
4949 write_iv_len = 4;
4950 } else if (cipher_suite->mode == MODE_POLY1305) {
4951 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
4952 write_iv_len = 12;
4953 }
4954
4955 /* Compute the key block. First figure out how much data we need */
4956 needed = ssl_cipher_suite_dig(cipher_suite)->len*2; /* MAC key */
4957 needed += 2 * encr_key_len; /* encryption key */
4958 needed += 2 * write_iv_len; /* write IV */
4959
4960 key_block.data = (unsigned char *)g_malloc(needed);
4961 ssl_debug_printf("%s sess key generation\n", G_STRFUNC((const char*) (__func__)));
4962 if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
4963 &ssl_session->server_random,&ssl_session->client_random,
4964 &key_block, needed)) {
4965 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC((const char*) (__func__)));
4966 goto fail;
4967 }
4968 ssl_print_string("key expansion", &key_block);
4969
4970 ptr=key_block.data;
4971 /* client/server write MAC key (for non-AEAD ciphers) */
4972 if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
4973 c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4974 s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4975 }
4976 /* client/server write encryption key */
4977 c_wk=ptr; ptr += encr_key_len;
4978 s_wk=ptr; ptr += encr_key_len;
4979 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
4980 if (write_iv_len > 0) {
4981 c_iv=ptr; ptr += write_iv_len;
4982 s_iv=ptr; /* ptr += write_iv_len; */
4983 }
4984
4985 /* export ciphers work with a smaller key length */
4986 if (is_export_cipher) {
4987 if (cipher_suite->mode == MODE_CBC) {
4988
4989 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
4990 all we should need. This is a sanity check */
4991 if (write_iv_len > MAX_BLOCK_SIZE16) {
4992 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
4993 G_STRFUNC((const char*) (__func__)), MAX_BLOCK_SIZE16, write_iv_len);
4994 goto fail;
4995 }
4996
4997 if(ssl_session->session.version==SSLV3_VERSION0x300){
4998 /* The length of these fields are ignored by this caller */
4999 StringInfo iv_c, iv_s;
5000 iv_c.data = _iv_c;
5001 iv_s.data = _iv_s;
5002
5003 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC((const char*) (__func__)));
5004 if (!ssl3_generate_export_iv(&ssl_session->client_random,
5005 &ssl_session->server_random, &iv_c, write_iv_len)) {
5006 goto fail;
5007 }
5008 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC((const char*) (__func__)));
5009 if (!ssl3_generate_export_iv(&ssl_session->server_random,
5010 &ssl_session->client_random, &iv_s, write_iv_len)) {
5011 goto fail;
5012 }
5013 }
5014 else{
5015 uint8_t _iv_block[MAX_BLOCK_SIZE16 * 2];
5016 StringInfo iv_block;
5017 StringInfo key_null;
5018 uint8_t _key_null;
5019
5020 key_null.data = &_key_null;
5021 key_null.data_len = 0;
5022
5023 iv_block.data = _iv_block;
5024
5025 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC((const char*) (__func__)));
5026 if (!prf(ssl_session, &key_null, "IV block",
5027 &ssl_session->client_random,
5028 &ssl_session->server_random, &iv_block,
5029 write_iv_len * 2)) {
5030 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC((const char*) (__func__)));
5031 goto fail;
5032 }
5033
5034 memcpy(_iv_c, iv_block.data, write_iv_len);
5035 memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
5036 }
5037
5038 c_iv=_iv_c;
5039 s_iv=_iv_s;
5040 }
5041
5042 if (ssl_session->session.version==SSLV3_VERSION0x300){
5043
5044 SSL_MD5_CTXgcry_md_hd_t md5;
5045 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC((const char*) (__func__)));
5046
5047 if (ssl_md5_init(&md5) != 0)
5048 goto fail;
5049 ssl_md5_update(&md5,c_wk,encr_key_len);
5050 ssl_md5_update(&md5,ssl_session->client_random.data,
5051 ssl_session->client_random.data_len);
5052 ssl_md5_update(&md5,ssl_session->server_random.data,
5053 ssl_session->server_random.data_len);
5054 ssl_md5_final(_key_c,&md5);
5055 ssl_md5_cleanup(&md5);
5056 c_wk=_key_c;
5057
5058 if (ssl_md5_init(&md5) != 0)
5059 goto fail;
5060 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC((const char*) (__func__)));
5061 ssl_md5_update(&md5,s_wk,encr_key_len);
5062 ssl_md5_update(&md5,ssl_session->server_random.data,
5063 ssl_session->server_random.data_len);
5064 ssl_md5_update(&md5,ssl_session->client_random.data,
5065 ssl_session->client_random.data_len);
5066 ssl_md5_final(_key_s,&md5);
5067 ssl_md5_cleanup(&md5);
5068 s_wk=_key_s;
5069 }
5070 else{
5071 StringInfo key_c, key_s, k;
5072 key_c.data = _key_c;
5073 key_s.data = _key_s;
5074
5075 k.data = c_wk;
5076 k.data_len = encr_key_len;
5077 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC((const char*) (__func__)));
5078 if (!prf(ssl_session, &k, "client write key",
5079 &ssl_session->client_random,
5080 &ssl_session->server_random, &key_c, sizeof(_key_c))) {
5081 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC((const char*) (__func__)));
5082 goto fail;
5083 }
5084 c_wk=_key_c;
5085
5086 k.data = s_wk;
5087 k.data_len = encr_key_len;
5088 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC((const char*) (__func__)));
5089 if (!prf(ssl_session, &k, "server write key",
5090 &ssl_session->client_random,
5091 &ssl_session->server_random, &key_s, sizeof(_key_s))) {
5092 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC((const char*) (__func__)));
5093 goto fail;
5094 }
5095 s_wk=_key_s;
5096 }
5097 }
5098
5099 /* show key material info */
5100 if (c_mk != NULL((void*)0)) {
5101 ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5102 ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5103 }
5104 ssl_print_data("Client Write key", c_wk, encr_key_len);
5105 ssl_print_data("Server Write key", s_wk, encr_key_len);
5106 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
5107 if (write_iv_len > 0) {
5108 ssl_print_data("Client Write IV", c_iv, write_iv_len);
5109 ssl_print_data("Server Write IV", s_iv, write_iv_len);
5110 }
5111
5112create_decoders:
5113 /* create both client and server ciphers*/
5114 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC((const char*) (__func__)));
5115 ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL((void*)0), c_iv, write_iv_len);
5116 if (!ssl_session->client_new) {
5117 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC((const char*) (__func__)));
5118 goto fail;
5119 }
5120 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC((const char*) (__func__)));
5121 ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL((void*)0), s_iv, write_iv_len);
5122 if (!ssl_session->server_new) {
5123 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC((const char*) (__func__)));
5124 goto fail;
5125 }
5126
5127 /* Continue the SSL stream after renegotiation with new keys. */
5128 ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5129 ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5130
5131 ssl_debug_printf("%s: client seq %" PRIu64"l" "u" ", server seq %" PRIu64"l" "u" "\n",
5132 G_STRFUNC((const char*) (__func__)), ssl_session->client_new->seq, ssl_session->server_new->seq);
5133 g_free(key_block.data);
5134 ssl_session->state |= SSL_HAVE_SESSION_KEY(1<<3);
5135 return 0;
5136
5137fail:
5138 g_free(key_block.data);
5139 return -1;
5140}
5141
5142/* Generated the key material based on the given secret. */
5143bool_Bool
5144tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool_Bool is_from_server)
5145{
5146 bool_Bool success = false0;
5147 unsigned char *write_key = NULL((void*)0), *write_iv = NULL((void*)0);
5148 unsigned char *sn_key = NULL((void*)0);
5149 SslDecoder *decoder;
5150 unsigned key_length, iv_length;
5151 int hash_algo;
5152 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
5153 int cipher_algo;
5154
5155 if ((ssl_session->session.version != TLSV1DOT3_VERSION0x304) && (ssl_session->session.version != DTLSV1DOT3_VERSION0xfefc)) {
5156 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC((const char*) (__func__)),
5157 ssl_session->session.version);
5158 return false0;
5159 }
5160
5161 if (cipher_suite == NULL((void*)0)) {
5162 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC((const char*) (__func__)));
5163 return false0;
5164 }
5165
5166 if (cipher_suite->kex != KEX_TLS130x23) {
5167 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC((const char*) (__func__)), cipher_suite->number);
5168 return false0;
5169 }
5170
5171 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
5172 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
5173 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5174 cipher_algo = ssl_get_cipher_by_name(cipher_name);
5175 if (cipher_algo == 0) {
5176 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5177 return false0;
5178 }
5179
5180 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
5181 hash_algo = ssl_get_digest_by_name(hash_name);
5182 if (!hash_algo) {
5183 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), hash_name);
5184 return false0;
5185 }
5186
5187 key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
5188 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
5189 iv_length = 12;
5190 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC((const char*) (__func__)), key_length, iv_length);
5191
5192 const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
5193 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
5194 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5195 return false0;
5196 }
5197 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
5198 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC((const char*) (__func__)));
5199 goto end;
5200 }
5201
5202 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5203 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
5204 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5205 goto end;
5206 }
5207 }
5208
5209 ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
5210 ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
5211 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5212 ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
5213 }
5214
5215 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5216 decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL((void*)0), write_key, sn_key, write_iv, iv_length);
5217 if (!decoder) {
5218 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5219 goto end;
5220 }
5221
5222 /* Continue the TLS session with new keys, but reuse old flow to keep things
5223 * like "Follow TLS" working (by linking application data records). */
5224 if (is_from_server) {
5225 decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5226 ssl_session->server = decoder;
5227 } else {
5228 decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5229 ssl_session->client = decoder;
5230 }
5231 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC((const char*) (__func__)),
5232 is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
5233 success = true1;
5234
5235end:
5236 wmem_free(NULL((void*)0), write_key);
5237 wmem_free(NULL((void*)0), write_iv);
5238 if (sn_key)
5239 wmem_free(NULL((void*)0), sn_key);
5240 return success;
5241}
5242/* (Pre-)master secrets calculations }}} */
5243
5244#ifdef HAVE_LIBGNUTLS1
5245/* Decrypt RSA pre-master secret using RSA private key. {{{ */
5246static bool_Bool
5247ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
5248 StringInfo *encrypted_pre_master, GHashTable *key_hash)
5249{
5250 int ret;
5251
5252 if (!encrypted_pre_master)
5253 return false0;
5254
5255 if (KEX_IS_DH(ssl_session->cipher_suite->kex)((ssl_session->cipher_suite->kex) >= 0x10 &&
(ssl_session->cipher_suite->kex) <= 0x1b)) {
5256 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
5257 "(cipher suite 0x%04X %s) and cannot be decrypted "
5258 "using a RSA private key file.\n",
5259 G_STRFUNC((const char*) (__func__)), ssl_session->session.cipher,
5260 val_to_str_ext_const(ssl_session->session.cipher,
5261 &ssl_31_ciphersuite_ext, "unknown"));
5262 return false0;
5263 } else if (ssl_session->cipher_suite->kex != KEX_RSA0x1e) {
5264 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
5265 G_STRFUNC((const char*) (__func__)), ssl_session->cipher_suite->kex, KEX_RSA0x1e);
5266 return false0;
5267 }
5268
5269 gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);
5270
5271 ssl_print_string("pre master encrypted", encrypted_pre_master);
5272 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC((const char*) (__func__)));
5273 const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
5274 gnutls_datum_t pms = { 0 };
5275 if (pk) {
5276 // Try to decrypt using the RSA keys table from (D)TLS preferences.
5277 ret = gnutls_privkey_decrypt_data(pk, 0, &epms, &pms);
5278 } else {
5279 // Try to decrypt using a hardware token.
5280 ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
5281 }
5282 if (ret < 0) {
5283 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC((const char*) (__func__)), ret, gnutls_strerror(ret));
5284 return false0;
5285 }
5286
5287 if (pms.size != 48) {
5288 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
5289 G_STRFUNC((const char*) (__func__)), pms.size, 48);
5290 if (pk) {
5291 gnutls_free(pms.data);
5292 } else {
5293 g_free(pms.data);
5294 }
5295 return false0;
5296 }
5297
5298 ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
5299 ssl_session->pre_master_secret.data_len = 48;
5300 if (pk) {
5301 gnutls_free(pms.data);
5302 } else {
5303 g_free(pms.data);
5304 }
5305 ssl_print_string("pre master secret", &ssl_session->pre_master_secret);
5306
5307 /* Remove the master secret if it was there.
5308 This forces keying material regeneration in
5309 case we're renegotiating */
5310 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
5311 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
5312 return true1;
5313} /* }}} */
5314#endif /* HAVE_LIBGNUTLS */
5315
5316/* Decryption integrity check {{{ */
5317
5318static int
5319tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
5320 uint32_t datalen, uint8_t* mac)
5321{
5322 SSL_HMACgcry_md_hd_t hm;
5323 int md;
5324 uint32_t len;
5325 uint8_t buf[DIGEST_MAX_SIZE48];
5326 int16_t temp;
5327
5328 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5329 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
5330 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5331
5332 if (ssl_hmac_init(&hm,md) != 0)
5333 return -1;
5334 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5335 return -1;
5336
5337 /* hash sequence number */
5338 phtonu64(buf, decoder->seq);
5339
5340 decoder->seq++;
5341
5342 ssl_hmac_update(&hm,buf,8);
5343
5344 /* hash content type */
5345 buf[0]=ct;
5346 ssl_hmac_update(&hm,buf,1);
5347
5348 /* hash version,data length and data*/
5349 /* *((int16_t*)buf) = g_htons(ver); */
5350 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5351 memcpy(buf, &temp, 2);
5352 ssl_hmac_update(&hm,buf,2);
5353
5354 /* *((int16_t*)buf) = g_htons(datalen); */
5355 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5356 memcpy(buf, &temp, 2);
5357 ssl_hmac_update(&hm,buf,2);
5358 ssl_hmac_update(&hm,data,datalen);
5359
5360 /* get digest and digest len*/
5361 len = sizeof(buf);
5362 ssl_hmac_final(&hm,buf,&len);
5363 ssl_hmac_cleanup(&hm);
5364 ssl_print_data("Mac", buf, len);
5365 if(memcmp(mac,buf,len))
5366 return -1;
5367
5368 return 0;
5369}
5370
5371static int
5372ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
5373 uint32_t datalen, uint8_t* mac)
5374{
5375 SSL_MDgcry_md_hd_t mc;
5376 int md;
5377 uint32_t len;
5378 uint8_t buf[64],dgst[20];
5379 int pad_ct;
5380 int16_t temp;
5381
5382 pad_ct=(decoder->cipher_suite->dig==DIG_SHA0x41)?40:48;
5383
5384 /* get cipher used for digest computation */
5385 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5386 if (ssl_md_init(&mc,md) !=0)
5387 return -1;
5388
5389 /* do hash computation on data && padding */
5390 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5391
5392 /* hash padding*/
5393 memset(buf,0x36,pad_ct);
5394 ssl_md_update(&mc,buf,pad_ct);
5395
5396 /* hash sequence number */
5397 phtonu64(buf, decoder->seq);
5398 decoder->seq++;
5399 ssl_md_update(&mc,buf,8);
5400
5401 /* hash content type */
5402 buf[0]=ct;
5403 ssl_md_update(&mc,buf,1);
5404
5405 /* hash data length in network byte order and data*/
5406 /* *((int16_t* )buf) = g_htons(datalen); */
5407 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5408 memcpy(buf, &temp, 2);
5409 ssl_md_update(&mc,buf,2);
5410 ssl_md_update(&mc,data,datalen);
5411
5412 /* get partial digest */
5413 ssl_md_final(&mc,dgst,&len);
5414 ssl_md_reset(&mc);
5415
5416 /* hash mac key */
5417 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5418
5419 /* hash padding and partial digest*/
5420 memset(buf,0x5c,pad_ct);
5421 ssl_md_update(&mc,buf,pad_ct);
5422 ssl_md_update(&mc,dgst,len);
5423
5424 ssl_md_final(&mc,dgst,&len);
5425 ssl_md_cleanup(&mc);
5426
5427 if(memcmp(mac,dgst,len))
5428 return -1;
5429
5430 return 0;
5431}
5432
5433static int
5434dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
5435 uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
5436{
5437 SSL_HMACgcry_md_hd_t hm;
5438 int md;
5439 uint32_t len;
5440 uint8_t buf[DIGEST_MAX_SIZE48];
5441 int16_t temp;
5442
5443 int ver = ssl->session.version;
5444 bool_Bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION0xfefd));
5445
5446 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5447 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
5448 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5449
5450 if (ssl_hmac_init(&hm,md) != 0)
5451 return -1;
5452 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5453 return -1;
5454
5455 ssl_debug_printf("dtls_check_mac seq: %" PRIu64"l" "u" " epoch: %d\n",decoder->seq,decoder->epoch);
5456
5457 if (is_cid && !ssl->session.deprecated_cid) {
5458 /* hash seq num placeholder */
5459 memset(buf,0xFF,8);
5460 ssl_hmac_update(&hm,buf,8);
5461
5462 /* hash content type + cid length + content type */
5463 buf[0]=ct;
5464 buf[1]=cidl;
5465 buf[2]=ct;
5466 ssl_hmac_update(&hm,buf,3);
5467
5468 /* hash version */
5469 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5470 memcpy(buf, &temp, 2);
5471 ssl_hmac_update(&hm,buf,2);
5472
5473 /* hash sequence number */
5474 phtonu64(buf, decoder->seq);
5475 buf[0]=decoder->epoch>>8;
5476 buf[1]=(uint8_t)decoder->epoch;
5477 ssl_hmac_update(&hm,buf,8);
5478
5479 /* hash cid */
5480 ssl_hmac_update(&hm,cid,cidl);
5481 } else {
5482 /* hash sequence number */
5483 phtonu64(buf, decoder->seq);
5484 buf[0]=decoder->epoch>>8;
5485 buf[1]=(uint8_t)decoder->epoch;
5486 ssl_hmac_update(&hm,buf,8);
5487
5488 /* hash content type */
5489 buf[0]=ct;
5490 ssl_hmac_update(&hm,buf,1);
5491
5492 /* hash version */
5493 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5494 memcpy(buf, &temp, 2);
5495 ssl_hmac_update(&hm,buf,2);
5496
5497 if (is_cid && ssl->session.deprecated_cid) {
5498 /* hash cid */
5499 ssl_hmac_update(&hm,cid,cidl);
5500
5501 /* hash cid length */
5502 buf[0] = cidl;
5503 ssl_hmac_update(&hm,buf,1);
5504 }
5505 }
5506
5507 /* data length and data */
5508 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5509 memcpy(buf, &temp, 2);
5510 ssl_hmac_update(&hm,buf,2);
5511 ssl_hmac_update(&hm,data,datalen);
5512
5513 /* get digest and digest len */
5514 len = sizeof(buf);
5515 ssl_hmac_final(&hm,buf,&len);
5516 ssl_hmac_cleanup(&hm);
5517 ssl_print_data("Mac", buf, len);
5518 if(memcmp(mac,buf,len))
5519 return -1;
5520
5521 return 0;
5522}
5523/* Decryption integrity check }}} */
5524
5525
5526static bool_Bool
5527tls_decrypt_aead_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder,
5528 uint8_t ct, uint16_t record_version,
5529 bool_Bool ignore_mac_failed,
5530 const unsigned char *in, uint16_t inl,
5531 const unsigned char *cid, uint8_t cidl,
5532 StringInfo *out_str, unsigned *outl)
5533{
5534 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5535 * GenericAEADCipher: { nonce_explicit, [content] }
5536 * In TLS 1.3 this explicit nonce is gone.
5537 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5538 * ciphertext and authentication tag.
5539 */
5540 const uint16_t version = ssl->session.version;
5541 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
5542 gcry_error_t err;
5543 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
5544 unsigned ciphertext_len, auth_tag_len;
5545 unsigned char nonce[12];
5546 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5547 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
5548 const uint8_t draft_version = ssl->session.tls13_draft_version;
5549 const unsigned char *auth_tag_wire;
5550 unsigned char auth_tag_calc[16];
5551 unsigned char *aad = NULL((void*)0);
5552 unsigned aad_len = 0;
5553
5554 switch (cipher_mode) {
5555 case MODE_GCM:
5556 case MODE_CCM:
5557 case MODE_POLY1305:
5558 auth_tag_len = 16;
5559 break;
5560 case MODE_CCM_8:
5561 auth_tag_len = 8;
5562 break;
5563 default:
5564 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
5565 return false0;
5566 }
5567
5568 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5569 if (is_v12 && cipher_mode != MODE_POLY1305) {
5570 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
5571 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5572 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
5573 return false0;
5574 }
5575 explicit_nonce = in;
5576 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
5577 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
5578 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5579 if (inl < auth_tag_len) {
5580 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
5581 return false0;
5582 }
5583 ciphertext = in;
5584 ciphertext_len = inl - auth_tag_len;
5585 } else {
5586 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
5587 return false0;
5588 }
5589 auth_tag_wire = ciphertext + ciphertext_len;
5590
5591 /*
5592 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5593 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5594 */
5595 if (is_v12 && cipher_mode != MODE_POLY1305) {
5596 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5596, "decoder->write_iv.data_len == 4"))));
5597 /* Implicit (4) and explicit (8) part of nonce. */
5598 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
5599 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
5600
5601 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5602 /*
5603 * Technically the nonce length must be at least 8 bytes, but for
5604 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5605 */
5606 const unsigned nonce_len = 12;
5607 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5607, "decoder->write_iv.data_len == nonce_len"
))));
5608 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5609 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5610 phtonu64(nonce + nonce_len - 8, pntohu64(nonce + nonce_len - 8) ^ decoder->seq);
5611 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
5612 }
5613
5614 /* Set nonce and additional authentication data */
5615 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0);
5616 ssl_print_data("nonce", nonce, 12);
5617 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5618 if (err) {
5619 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5620 return false0;
5621 }
5622
5623 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5624 if (is_cid) { /* if connection ID */
5625 if (ssl->session.deprecated_cid) {
5626 aad_len = 14 + cidl;
5627 aad = wmem_alloc(allocator, aad_len);
5628 phtonu64(aad, decoder->seq); /* record sequence number */
5629 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5630 aad[8] = ct; /* TLSCompressed.type */
5631 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5632 memcpy(aad + 11, cid, cidl); /* cid */
5633 aad[11 + cidl] = cidl; /* cid_length */
5634 phtonu16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5635 } else {
5636 aad_len = 23 + cidl;
5637 aad = wmem_alloc(allocator, aad_len);
5638 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5639 aad[8] = ct; /* TLSCompressed.type */
5640 aad[9] = cidl; /* cid_length */
5641 aad[10] = ct; /* TLSCompressed.type */
5642 phtonu16(aad + 11, record_version); /* TLSCompressed.version */
5643 phtonu64(aad + 13, decoder->seq); /* record sequence number */
5644 phtonu16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5645 memcpy(aad + 21, cid, cidl); /* cid */
5646 phtonu16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5647 }
5648 } else if (is_v12) {
5649 aad_len = 13;
5650 aad = wmem_alloc(allocator, aad_len);
5651 phtonu64(aad, decoder->seq); /* record sequence number */
5652 if (version == DTLSV1DOT2_VERSION0xfefd) {
5653 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5654 }
5655 aad[8] = ct; /* TLSCompressed.type */
5656 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5657 phtonu16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5658 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
5659 aad_len = decoder->dtls13_aad.data_len;
5660 aad = decoder->dtls13_aad.data;
5661 } else if (draft_version >= 25 || draft_version == 0) {
5662 aad_len = 5;
5663 aad = wmem_alloc(allocator, aad_len);
5664 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5665 phtonu16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5666 phtonu16(aad + 3, inl); /* TLSCiphertext.length */
5667 }
5668
5669 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5670 /* size of plaintext, additional authenticated data and auth tag. */
5671 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5672
5673 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5674 }
5675
5676 if (aad && aad_len > 0) {
5677 ssl_print_data("AAD", aad, aad_len);
5678 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5679 if (err) {
5680 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5681 return false0;
5682 }
5683 }
5684
5685 /* Decrypt now that nonce and AAD are set. */
5686 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5687 if (err) {
5688 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5689 return false0;
5690 }
5691
5692 /* Check authentication tag for authenticity (replaces MAC) */
5693 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5694 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5695 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5696 } else {
5697 if (err) {
5698 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5699 } else {
5700 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
5701 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5702 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5703 }
5704 if (ignore_mac_failed) {
5705 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
5706 } else {
5707 return false0;
5708 }
5709 }
5710
5711 /*
5712 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5713 * after successful authentication to ensure that early data is skipped when
5714 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5715 */
5716 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
5717 decoder->seq++;
5718 }
5719
5720 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5721 *outl = ciphertext_len;
5722 return true1;
5723}
5724
5725/* Record decryption glue based on security parameters {{{ */
5726/* Assume that we are called only for a non-NULL decoder which also means that
5727 * we have a non-NULL decoder->cipher_suite. */
5728int
5729ssl_decrypt_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
5730 bool_Bool ignore_mac_failed,
5731 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
5732 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
5733{
5734 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
5735 uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);
5736
5737 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
5738 ssl_print_data("Ciphertext",in, inl);
5739
5740 if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))
5741 != (decoder->cipher_suite->kex == KEX_TLS130x23)) {
5742 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));
5743 return -1;
5744 }
5745
5746 /* ensure we have enough storage space for decrypted data */
5747 if (inl > out_str->data_len)
5748 {
5749 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
5750 inl + 32, out_str->data_len);
5751 ssl_data_realloc(out_str, inl + 32);
5752 }
5753
5754 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
5755 * a separate MAC, so use a different routine for simplicity. */
5756 if (decoder->cipher_suite->mode == MODE_GCM ||
5757 decoder->cipher_suite->mode == MODE_CCM ||
5758 decoder->cipher_suite->mode == MODE_CCM_8 ||
5759 decoder->cipher_suite->mode == MODE_POLY1305 ||
5760 ssl->session.version == TLSV1DOT3_VERSION0x304 ||
5761 ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {
5762
5763 if (!tls_decrypt_aead_record(allocator, ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
5764 /* decryption failed */
5765 return -1;
5766 }
5767
5768 goto skip_mac;
5769 }
5770
5771 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
5772 * (notation: { unencrypted, [ encrypted ] })
5773 * GenericStreamCipher: { [content, mac] }
5774 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
5775 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
5776 * GenericAEADCipher: { nonce_explicit, [content] }
5777 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
5778 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
5779 */
5780
5781 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;
5782
5783 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
5784 if (decoder->cipher_suite->mode == MODE_CBC) {
5785 unsigned blocksize = 0;
5786
5787 switch (ssl->session.version) {
5788 case TLSV1DOT1_VERSION0x302:
5789 case TLSV1DOT2_VERSION0x303:
5790 case DTLSV1DOT0_VERSION0xfeff:
5791 case DTLSV1DOT2_VERSION0xfefd:
5792 case DTLSV1DOT3_VERSION0xfefc:
5793 case DTLSV1DOT0_OPENSSL_VERSION0x100:
5794 case TLCPV1_VERSION0x101:
5795 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
5796 if (inl < blocksize) {
5797 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
5798 inl, blocksize);
5799 return -1;
5800 }
5801 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
5802 if (pad != 0) {
5803 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
5804 gcry_strsource (pad), gcry_strerror (pad));
5805 }
5806
5807 inl -= blocksize;
5808 in += blocksize;
5809 break;
5810 }
5811
5812 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5813 if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {
5814 /*
5815 * MAC is calculated over (IV + ) ENCRYPTED contents:
5816 *
5817 * MAC(MAC_write_key, ... +
5818 * IV + // for TLS 1.1 or greater
5819 * TLSCiphertext.enc_content);
5820 */
5821 if (inl < maclen) {
5822 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5823 G_STRFUNC((const char*) (__func__)), inl, maclen);
5824 return -1;
5825 }
5826 inl -= maclen;
5827 mac = (uint8_t *)in + inl;
5828 mac_frag = (uint8_t *)in - blocksize;
5829 mac_fraglen = blocksize + inl;
5830 }
5831 }
5832
5833 /* First decrypt*/
5834 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
5835 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
5836 gcry_strerror (pad));
5837 return -1;
5838 }
5839
5840 ssl_print_data("Plaintext", out_str->data, inl);
5841 worklen=inl;
5842
5843
5844 /* strip padding for GenericBlockCipher */
5845 if (decoder->cipher_suite->mode == MODE_CBC) {
5846 if (inl < 1) { /* Should this check happen earlier? */
5847 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
5848 return -1;
5849 }
5850 pad=out_str->data[inl-1];
5851 if (worklen <= pad) {
5852 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5853 pad, worklen);
5854 return -1;
5855 }
5856 worklen-=(pad+1);
5857 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5858 pad, worklen);
5859 }
5860
5861 /* MAC for GenericStreamCipher and GenericBlockCipher.
5862 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5863 if (!mac) {
5864 /*
5865 * MAC is calculated over the DECRYPTED contents:
5866 *
5867 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5868 */
5869 if (worklen < maclen) {
5870 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);
5871 return -1;
5872 }
5873 worklen -= maclen;
5874 mac = out_str->data + worklen;
5875 mac_frag = out_str->data;
5876 mac_fraglen = worklen;
5877 }
5878
5879 /* If NULL encryption active and no keys are available, do not bother
5880 * checking the MAC. We do not have keys for that. */
5881 if (decoder->cipher_suite->mode == MODE_STREAM &&
5882 decoder->cipher_suite->enc == ENC_NULL0x3D &&
5883 !(ssl->state & SSL_MASTER_SECRET(1<<5))) {
5884 ssl_debug_printf("MAC check skipped due to missing keys\n");
5885 decoder->seq++; // Increment this for display
5886 goto skip_mac;
5887 }
5888
5889 /* Now check the MAC */
5890 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",
5891 worklen, ssl->session.version, ct, decoder->seq);
5892 if(ssl->session.version==SSLV3_VERSION0x300){
5893 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
5894 if(ignore_mac_failed) {
5895 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5896 }
5897 else{
5898 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5899 return -1;
5900 }
5901 }
5902 else{
5903 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5904 }
5905 }
5906 else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){
5907 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
5908 if(ignore_mac_failed) {
5909 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5910 }
5911 else{
5912 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5913 return -1;
5914 }
5915 }
5916 else{
5917 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5918 }
5919 }
5920 else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||
5921 ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||
5922 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){
5923 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5924 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
5925 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5926 }
5927 else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {
5928 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5929 }
5930 else if(ignore_mac_failed) {
5931 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5932 }
5933 else{
5934 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5935 return -1;
5936 }
5937 }
5938skip_mac:
5939
5940 *outl = worklen;
5941
5942 if (decoder->compression > 0) {
5943 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
5944 ssl_data_copy(comp_str, out_str);
5945 ssl_print_data("Plaintext compressed", comp_str->data, worklen);
5946 if (!decoder->decomp) {
5947 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
5948 return -1;
5949 }
5950 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
5951 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
5952 *outl = uncomplen;
5953 }
5954
5955 return 0;
5956}
5957/* Record decryption glue based on security parameters }}} */
5958
5959
5960
5961#ifdef HAVE_LIBGNUTLS1
5962
5963/* RSA private key file processing {{{ */
5964static void
5965ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
5966 gnutls_datum_t *subjectPublicKeyInfo)
5967{
5968 gnutls_pubkey_t pubkey = NULL((void*)0);
5969 cert_key_id_t key_id;
5970 size_t key_id_len = sizeof(key_id);
5971 int r;
5972
5973 if (!subjectPublicKeyInfo->size) {
5974 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC((const char*) (__func__)));
5975 return;
5976 }
5977
5978 r = gnutls_pubkey_init(&pubkey);
5979 if (r < 0) {
5980 ssl_debug_printf("%s: failed to init pubkey: %s\n",
5981 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5982 return;
5983 }
5984
5985 r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
5986 if (r < 0) {
5987 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
5988 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5989 goto end;
5990 }
5991
5992 if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL((void*)0)) != GNUTLS_PK_RSA) {
5993 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC((const char*) (__func__)));
5994 goto end;
5995 }
5996
5997 /* Generate a 20-byte SHA-1 hash. */
5998 r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
5999 if (r < 0) {
6000 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
6001 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
6002 goto end;
6003 }
6004
6005 if (key_id_len != sizeof(key_id)) {
6006 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
6007 G_STRFUNC((const char*) (__func__)), sizeof(key_id), key_id_len);
6008 goto end;
6009 }
6010
6011 ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
6012 ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t)((cert_key_id_t*)wmem_alloc((wmem_file_scope()), sizeof(cert_key_id_t
)));
6013 *ssl->cert_key_id = key_id;
6014
6015end:
6016 gnutls_pubkey_deinit(pubkey);
6017}
6018
6019/* RSA private key file processing }}} */
6020#endif /* HAVE_LIBGNUTLS */
6021
6022/*--- Start of dissector-related code below ---*/
6023
6024/* This is not a "protocol" but ensures that this gets called during
6025 * the handoff stage. */
6026void proto_reg_handoff_tls_utils(void);
6027
6028static dissector_handle_t base_tls_handle;
6029static dissector_handle_t dtls_handle;
6030
6031void
6032proto_reg_handoff_tls_utils(void)
6033{
6034 base_tls_handle = find_dissector("tls");
6035 dtls_handle = find_dissector("dtls");
6036}
6037
6038/* get ssl data for this session. if no ssl data is found allocate a new one*/
6039SslDecryptSession *
6040ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle)
6041{
6042 void *conv_data;
6043 SslDecryptSession *ssl_session;
6044 int proto_ssl;
6045
6046 /* Note proto_ssl is tls for either the main tls_handle or the
6047 * tls13_handshake handle used by QUIC. */
6048 proto_ssl = dissector_handle_get_protocol_index(tls_handle);
6049 conv_data = conversation_get_proto_data(conversation, proto_ssl);
6050 if (conv_data != NULL((void*)0))
6051 return (SslDecryptSession *)conv_data;
6052
6053 /* no previous SSL conversation info, initialize it. */
6054 ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession)((SslDecryptSession*)wmem_alloc0((wmem_file_scope()), sizeof(
SslDecryptSession)));
6055
6056 /* data_len is the part that is meaningful, not the allocated length */
6057 ssl_session->master_secret.data_len = 0;
6058 ssl_session->master_secret.data = ssl_session->_master_secret;
6059 ssl_session->session_id.data_len = 0;
6060 ssl_session->session_id.data = ssl_session->_session_id;
6061 ssl_session->client_random.data_len = 0;
6062 ssl_session->client_random.data = ssl_session->_client_random;
6063 ssl_session->server_random.data_len = 0;
6064 ssl_session->server_random.data = ssl_session->_server_random;
6065 ssl_session->session_ticket.data_len = 0;
6066 ssl_session->session_ticket.data = NULL((void*)0); /* will be re-alloced as needed */
6067 ssl_session->server_data_for_iv.data_len = 0;
6068 ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
6069 ssl_session->client_data_for_iv.data_len = 0;
6070 ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
6071 ssl_session->app_data_segment.data = NULL((void*)0);
6072 ssl_session->app_data_segment.data_len = 0;
6073 ssl_session->handshake_data.data=NULL((void*)0);
6074 ssl_session->handshake_data.data_len=0;
6075 ssl_session->ech_transcript.data=NULL((void*)0);
6076 ssl_session->ech_transcript.data_len=0;
6077
6078 /* Initialize parameters which are not necessary specific to decryption. */
6079 ssl_session->session.version = SSL_VER_UNKNOWN0;
6080 clear_address(&ssl_session->session.srv_addr);
6081 ssl_session->session.srv_ptype = PT_NONE;
6082 ssl_session->session.srv_port = 0;
6083 ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
6084 ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
6085 ssl_session->session.client_random.data_len = 0;
6086 ssl_session->session.client_random.data = ssl_session->session._client_random;
6087 memset(ssl_session->session.ech_confirmation, 0, sizeof(ssl_session->session.ech_confirmation));
6088 memset(ssl_session->session.hrr_ech_confirmation, 0, sizeof(ssl_session->session.hrr_ech_confirmation));
6089 memset(ssl_session->session.first_ech_auth_tag, 0, sizeof(ssl_session->session.first_ech_auth_tag));
6090 ssl_session->session.ech = false0;
6091 ssl_session->session.hrr_ech_declined = false0;
6092 ssl_session->session.first_ch_ech_frame = 0;
6093
6094 /* We want to increment the stream count for the normal tls handle and
6095 * dtls handle, but presumably not for the tls13_handshake handle used
6096 * by QUIC (it has its own Follow Stream handling, and the QUIC stream
6097 * doesn't get sent to the TLS follow tap.)
6098 */
6099 if (tls_handle == base_tls_handle) {
6100 ssl_session->session.stream = tls_increment_stream_count();
6101 } else if (tls_handle == dtls_handle) {
6102 ssl_session->session.stream = dtls_increment_stream_count();
6103 }
6104
6105 conversation_add_proto_data(conversation, proto_ssl, ssl_session);
6106 return ssl_session;
6107}
6108
6109void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool_Bool is_client)
6110{
6111 if (ssl) {
6112 /* Ensure that secrets are not restored using stale identifiers. Split
6113 * between client and server in case the packets somehow got out of order. */
6114 int clear_flags = SSL_HAVE_SESSION_KEY(1<<3) | SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
6115
6116 if (is_client) {
6117 clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
6118 ssl->session_id.data_len = 0;
6119 ssl->session_ticket.data_len = 0;
6120 ssl->master_secret.data_len = 0;
6121 ssl->client_random.data_len = 0;
6122 ssl->has_early_data = false0;
6123 if (ssl->handshake_data.data_len > 0) {
6124 // The EMS handshake hash starts with at the Client Hello,
6125 // ensure that any messages before it are forgotten.
6126 wmem_free(wmem_file_scope(), ssl->handshake_data.data);
6127 ssl->handshake_data.data = NULL((void*)0);
6128 ssl->handshake_data.data_len = 0;
6129 }
6130 } else {
6131 clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8) | SSL_NEW_SESSION_TICKET(1<<10);
6132 ssl->server_random.data_len = 0;
6133 ssl->pre_master_secret.data_len = 0;
6134#ifdef HAVE_LIBGNUTLS1
6135 ssl->cert_key_id = NULL((void*)0);
6136#endif
6137 ssl->psk.data_len = 0;
6138 }
6139
6140 if (ssl->state & clear_flags) {
6141 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
6142 G_STRFUNC((const char*) (__func__)), ssl->state & clear_flags, is_client ? "client" : "server");
6143 ssl->state &= ~clear_flags;
6144 }
6145 }
6146
6147 /* These flags might be used for non-decryption purposes and may affect the
6148 * dissection, so reset them as well. */
6149 if (is_client) {
6150 session->client_cert_type = 0;
6151 } else {
6152 session->compression = 0;
6153 session->server_cert_type = 0;
6154 /* session->is_session_resumed is already handled in the ServerHello dissection. */
6155 }
6156 session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
6157 session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
6158}
6159
6160void
6161tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
6162 dissector_handle_t app_handle)
6163{
6164 conversation_t *conversation;
6165 SslSession *session;
6166
6167 /* Ignore if the TLS or other dissector is disabled. */
6168 if (!tls_handle || !app_handle)
6169 return;
6170
6171 conversation = find_or_create_conversation(pinfo);
6172 session = &ssl_get_session(conversation, tls_handle)->session;
6173 session->app_handle = app_handle;
6174}
6175
6176static uint32_t
6177ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
6178 dissector_handle_t app_handle, uint32_t last_nontls_frame)
6179{
6180 conversation_t *conversation;
6181 SslSession *session;
6182
6183 /* Ignore if the TLS dissector is disabled. */
6184 if (!tls_handle)
6185 return 0;
6186 /* The caller should always pass a valid handle to its own dissector. */
6187 DISSECTOR_ASSERT(app_handle)((void) ((app_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6187, "app_handle"))));
6188
6189 conversation = find_or_create_conversation(pinfo);
6190 session = &ssl_get_session(conversation, tls_handle)->session;
6191
6192 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6193 session->last_nontls_frame,
6194 (void *)session->app_handle,
6195 dissector_handle_get_dissector_name(session->app_handle));
6196 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6197 pinfo->num, (void *)app_handle,
6198 dissector_handle_get_dissector_name(app_handle));
6199
6200 /* Do not switch again if a dissector did it before. */
6201 if (session->last_nontls_frame) {
6202 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC((const char*) (__func__)));
6203 return session->last_nontls_frame;
6204 }
6205
6206 session->app_handle = app_handle;
6207 /* The TLS dissector should be called first for this conversation. */
6208 conversation_set_dissector(conversation, tls_handle);
6209 /* TLS starts after this frame. */
6210 session->last_nontls_frame = last_nontls_frame;
6211 return 0;
6212}
6213
6214/* ssl_starttls_ack: mark future frames as encrypted. */
6215uint32_t
6216ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6217 dissector_handle_t app_handle)
6218{
6219 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);
6220}
6221
6222uint32_t
6223ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6224 dissector_handle_t app_handle)
6225{
6226 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);
6227}
6228
6229dissector_handle_t
6230ssl_find_appdata_dissector(const char *name)
6231{
6232 /* Accept 'http' for backwards compatibility and sanity. */
6233 if (!strcmp(name, "http"))
6234 name = "http-over-tls";
6235 /* XXX - Should this check to see if the dissector is actually added for
6236 * Decode As in the appropriate table?
6237 */
6238 return find_dissector(name);
6239}
6240
6241/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
6242static int
6243ssl_equal (const void *v, const void *v2)
6244{
6245 const StringInfo *val1;
6246 const StringInfo *val2;
6247 val1 = (const StringInfo *)v;
6248 val2 = (const StringInfo *)v2;
6249
6250 if (val1->data_len == val2->data_len &&
6251 !memcmp(val1->data, val2->data, val2->data_len)) {
6252 return 1;
6253 }
6254 return 0;
6255}
6256
6257static unsigned
6258ssl_hash (const void *v)
6259{
6260 unsigned l,hash;
6261 const StringInfo* id;
6262 const unsigned* cur;
6263 hash = 0;
6264 id = (const StringInfo*) v;
6265
6266 /* id and id->data are mallocated in ssl_save_master_key(). As such 'data'
6267 * should be aligned for any kind of access (for example as a unsigned as
6268 * is done below). The intermediate void* cast is to prevent "cast
6269 * increases required alignment of target type" warnings on CPUs (such
6270 * as SPARCs) that do not allow misaligned memory accesses.
6271 */
6272 cur = (const unsigned*)(void*) id->data;
6273
6274 for (l=4; (l < id->data_len); l+=4, cur++)
6275 hash = hash ^ (*cur);
6276
6277 return hash;
6278}
6279/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6280
6281/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6282void
6283ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6284{
6285 DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6285, "main_handle"))));
6286 DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6286, "subdissector_handle"))));
6287 /* Registration is required for Export PDU feature to work properly. */
6288 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6289, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
6289 "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6289, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))));
6290 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);
6291
6292 if (port) {
6293 dissector_add_uint(dissector_table_name, port, subdissector_handle);
6294 if (tcp)
6295 dissector_add_uint("tcp.port", port, main_handle);
6296 else
6297 dissector_add_uint("udp.port", port, main_handle);
6298 dissector_add_uint("sctp.port", port, main_handle);
6299 } else {
6300 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
6301 }
6302}
6303
6304void
6305ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6306{
6307 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
6308 tcp?"TCP":"UDP", port, (void *)subdissector_handle);
6309 if (main_handle) {
6310 dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);
6311 dissector_delete_uint("sctp.port", port, main_handle);
6312 }
6313
6314 if (port) {
6315 dissector_delete_uint(dissector_table_name, port, subdissector_handle);
6316 }
6317}
6318
6319void
6320ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
6321{
6322 copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
6323 session->srv_ptype = ptype;
6324 session->srv_port = port;
6325}
6326
6327int
6328ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
6329{
6330 int ret;
6331 if (session && session->srv_addr.type != AT_NONE) {
6332 ret = (session->srv_ptype == pinfo->ptype) &&
6333 (session->srv_port == pinfo->srcport) &&
6334 addresses_equal(&session->srv_addr, &pinfo->src);
6335 } else {
6336 ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);
6337 }
6338
6339 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");
6340 return ret;
6341}
6342/* Handling of association between tls/dtls ports and clear text protocol. }}} */
6343
6344
6345/* Links SSL records with the real packet data. {{{ */
6346SslPacketInfo *
6347tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
6348{
6349 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6350 if (!pi) {
6351 pi = wmem_new0(wmem_file_scope(), SslPacketInfo)((SslPacketInfo*)wmem_alloc0((wmem_file_scope()), sizeof(SslPacketInfo
)));
6352 pi->srcport = pinfo->srcport;
6353 pi->destport = pinfo->destport;
6354 p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
6355 }
6356
6357 return pi;
6358}
6359
6360/**
6361 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
6362 * avoid the need for a decoder in the second pass. Additionally, it remembers
6363 * sequence numbers (for reassembly and Follow TLS Stream).
6364 *
6365 * @param proto The protocol identifier (proto_ssl or proto_dtls).
6366 * @param pinfo The packet where the record originates from.
6367 * @param plain_data Decrypted plaintext to store in the record.
6368 * @param plain_data_len Total length of the plaintext.
6369 * @param content_len Length of the plaintext section corresponding to the record content.
6370 * @param record_id The identifier for this record within the current packet.
6371 * @param flow Information about sequence numbers, etc.
6372 * @param type TLS Content Type (such as handshake or application_data).
6373 * @param curr_layer_num_ssl The layer identifier for this TLS session.
6374 */
6375void
6376ssl_add_record_info(int proto, packet_info *pinfo,
6377 const unsigned char *plain_data, int plain_data_len, int content_len,
6378 int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl,
6379 uint64_t record_seq)
6380{
6381 SslRecordInfo* rec, **prec;
6382 SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);
6383
6384 ws_assert(content_len <= plain_data_len)do { if ((1) && !(content_len <= plain_data_len)) ws_log_fatal_full
("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c", 6384
, __func__, "assertion failed: %s", "content_len <= plain_data_len"
); } while (0);
6385
6386 rec = wmem_new(wmem_file_scope(), SslRecordInfo)((SslRecordInfo*)wmem_alloc((wmem_file_scope()), sizeof(SslRecordInfo
)));
6387 rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), plain_data, plain_data_len);
6388 rec->plain_data_len = plain_data_len;
6389 rec->content_len = content_len;
6390 rec->id = record_id;
6391 rec->type = type;
6392 rec->next = NULL((void*)0);
6393 rec->record_seq = record_seq;
6394
6395 if (flow && type == SSL_ID_APP_DATA) {
6396 rec->seq = flow->byte_seq;
6397 rec->flow = flow;
6398 flow->byte_seq += content_len;
6399 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
6400 G_STRFUNC((const char*) (__func__)), rec->seq, rec->seq + content_len, (void*)flow);
6401 }
6402
6403 /* Remember decrypted records. */
6404 prec = &pi->records;
6405 while (*prec) prec = &(*prec)->next;
6406 *prec = rec;
6407}
6408
6409/* search in packet data for the specified id; return a newly created tvb for the associated data */
6410tvbuff_t*
6411ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
6412{
6413 SslRecordInfo* rec;
6414 SslPacketInfo* pi;
6415 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6416
6417 if (!pi)
6418 return NULL((void*)0);
6419
6420 for (rec = pi->records; rec; rec = rec->next)
6421 if (rec->id == record_id) {
6422 *matched_record = rec;
6423 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
6424 return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->plain_data_len, rec->plain_data_len);
6425 }
6426
6427 return NULL((void*)0);
6428}
6429/* Links SSL records with the real packet data. }}} */
6430
6431/* initialize/reset per capture state data (ssl sessions cache). {{{ */
6432void
6433ssl_common_init(ssl_master_key_map_t *mk_map,
6434 StringInfo *decrypted_data, StringInfo *compressed_data)
6435{
6436 mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);
6437 mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);
6438 mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);
6439 mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);
6440 mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);
6441 mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);
6442 mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6443 mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6444 mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6445 mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6446 mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6447 mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6448
6449 mk_map->ech_secret = g_hash_table_new(ssl_hash, ssl_equal);
6450 mk_map->ech_config = g_hash_table_new(ssl_hash, ssl_equal);
6451
6452 mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);
6453
6454 ssl_data_alloc(decrypted_data, 32);
6455 ssl_data_alloc(compressed_data, 32);
6456}
6457
6458void
6459ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
6460 StringInfo *decrypted_data, StringInfo *compressed_data)
6461{
6462 g_hash_table_destroy(mk_map->session);
6463 g_hash_table_destroy(mk_map->tickets);
6464 g_hash_table_destroy(mk_map->crandom);
6465 g_hash_table_destroy(mk_map->pre_master);
6466 g_hash_table_destroy(mk_map->pms);
6467 g_hash_table_destroy(mk_map->tls13_client_early);
6468 g_hash_table_destroy(mk_map->tls13_client_handshake);
6469 g_hash_table_destroy(mk_map->tls13_server_handshake);
6470 g_hash_table_destroy(mk_map->tls13_client_appdata);
6471 g_hash_table_destroy(mk_map->tls13_server_appdata);
6472 g_hash_table_destroy(mk_map->tls13_early_exporter);
6473 g_hash_table_destroy(mk_map->tls13_exporter);
6474
6475 g_hash_table_destroy(mk_map->ech_secret);
6476 g_hash_table_destroy(mk_map->ech_config);
6477
6478 g_hash_table_destroy(mk_map->used_crandom);
6479
6480 g_free(decrypted_data->data);
6481 g_free(compressed_data->data);
6482
6483 /* close the previous keylog file now that the cache are cleared, this
6484 * allows the cache to be filled with the full keylog file contents. */
6485 if (*ssl_keylog_file) {
6486 fclose(*ssl_keylog_file);
6487 *ssl_keylog_file = NULL((void*)0);
6488 }
6489}
6490/* }}} */
6491
6492/* parse ssl related preferences (private keys and ports association strings) */
6493#if defined(HAVE_LIBGNUTLS1)
6494/* Load a single RSA key file item from preferences. {{{ */
6495void
6496ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool_Bool tcp)
6497{
6498 gnutls_x509_privkey_t x509_priv_key;
6499 gnutls_privkey_t priv_key = NULL((void*)0);
6500 FILE* fp = NULL((void*)0);
6501 int ret;
6502 size_t key_id_len = 20;
6503 unsigned char *key_id = NULL((void*)0);
6504 char *err = NULL((void*)0);
6505 dissector_handle_t handle;
6506 /* try to load keys file first */
6507 fp = ws_fopenfopen(uats->keyfile, "rb");
6508 if (!fp) {
6509 report_open_failure(uats->keyfile, errno(*__errno_location ()), false0);
6510 return;
6511 }
6512
6513 if ((int)strlen(uats->password) == 0) {
6514 x509_priv_key = rsa_load_pem_key(fp, &err);
6515 } else {
6516 x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
6517 }
6518 fclose(fp);
6519
6520 if (!x509_priv_key) {
6521 if (err) {
6522 report_failure("Can't load private key from %s: %s",
6523 uats->keyfile, err);
6524 g_free(err);
6525 } else
6526 report_failure("Can't load private key from %s: unknown error",
6527 uats->keyfile);
6528 return;
6529 }
6530 if (err) {
6531 report_failure("Load of private key from %s \"succeeded\" with error %s",
6532 uats->keyfile, err);
6533 g_free(err);
6534 }
6535
6536 gnutls_privkey_init(&priv_key);
6537 ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
6538 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
6539 if (ret < 0) {
6540 report_failure("Can't convert private key %s: %s",
6541 uats->keyfile, gnutls_strerror(ret));
6542 goto end;
6543 }
6544
6545 key_id = (unsigned char *) g_malloc0(key_id_len);
6546 ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
6547 if (ret < 0) {
6548 report_failure("Can't calculate public key ID for %s: %s",
6549 uats->keyfile, gnutls_strerror(ret));
6550 goto end;
6551 }
6552 ssl_print_data("KeyID", key_id, key_id_len);
6553 if (key_id_len != 20) {
6554 report_failure("Expected Key ID size %u for %s, got %zu", 20,
6555 uats->keyfile, key_id_len);
6556 goto end;
6557 }
6558
6559 g_hash_table_replace(key_hash, key_id, priv_key);
6560 key_id = NULL((void*)0); /* used in key_hash, do not free. */
6561 priv_key = NULL((void*)0);
6562 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);
6563
6564 handle = ssl_find_appdata_dissector(uats->protocol);
6565 if (handle) {
6566 /* Port to subprotocol mapping */
6567 uint16_t port = 0;
6568 if (ws_strtou16(uats->port, NULL((void*)0), &port)) {
6569 if (port > 0) {
6570 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
6571 port, uats->keyfile, uats->password);
6572
6573 ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
6574 }
6575 } else {
6576 if (strcmp(uats->port, "start_tls"))
6577 ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
6578 }
6579 }
6580
6581end:
6582 gnutls_x509_privkey_deinit(x509_priv_key);
6583 gnutls_privkey_deinit(priv_key);
6584 g_free(key_id);
6585}
6586/* }}} */
6587#endif
6588
6589
6590/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6591/** store a known (pre-)master secret into cache */
6592static void
6593ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
6594 StringInfo *mk)
6595{
6596 StringInfo *ht_key, *master_secret;
6597
6598 if (key->data_len == 0) {
6599 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC((const char*) (__func__)), label);
6600 return;
6601 }
6602
6603 if (mk->data_len == 0) {
6604 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
6605 G_STRFUNC((const char*) (__func__)), label);
6606 return;
6607 }
6608
6609 /* ssl_hash() depends on session_ticket->data being aligned for unsigned access
6610 * so be careful in changing how it is allocated. */
6611 ht_key = ssl_data_clone(key);
6612 master_secret = ssl_data_clone(mk);
6613 g_hash_table_insert(ht, ht_key, master_secret);
6614
6615 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC((const char*) (__func__)), label);
6616 ssl_print_string("stored key", ht_key);
6617 ssl_print_string("stored (pre-)master secret", master_secret);
6618}
6619
6620/** restore a (pre-)master secret given some key in the cache */
6621static bool_Bool
6622ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
6623 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key)
6624{
6625 StringInfo *ms;
6626
6627 if (key->data_len == 0) {
6628 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
6629 G_STRFUNC((const char*) (__func__)), is_pre_master ? "pre-" : "", label);
6630 return false0;
6631 }
6632
6633 ms = (StringInfo *)g_hash_table_lookup(ht, key);
6634 if (!ms) {
6635 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC((const char*) (__func__)),
6636 is_pre_master ? "pre-" : "", label);
6637 return false0;
6638 }
6639
6640 /* (pre)master secret found, clear knowledge of other keys and set it in the
6641 * current conversation */
6642 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) |
6643 SSL_HAVE_SESSION_KEY(1<<3));
6644 if (is_pre_master) {
6645 /* unlike master secret, pre-master secret has a variable size (48 for
6646 * RSA, varying for PSK) and is therefore not statically allocated */
6647 ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
6648 ms->data_len);
6649 ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
6650 ssl->state |= SSL_PRE_MASTER_SECRET(1<<6);
6651 } else {
6652 ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
6653 ssl->state |= SSL_MASTER_SECRET(1<<5);
6654 }
6655 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC((const char*) (__func__)),
6656 is_pre_master ? "pre-" : "", label);
6657 ssl_print_string(label, key);
6658 ssl_print_string("(pre-)master secret", ms);
6659 return true1;
6660}
6661/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6662
6663/* Should be called when all parameters are ready (after ChangeCipherSpec), and
6664 * the decoder should be attempted to be initialized. {{{*/
6665void
6666ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6667{
6668 if (ssl->session.version == TLSV1DOT3_VERSION0x304) {
1
Assuming field 'version' is not equal to TLSV1DOT3_VERSION
2
Taking false branch
6669 /* TLS 1.3 implementations only provide secrets derived from the master
6670 * secret which are loaded in tls13_change_key. No master secrets can be
6671 * loaded here, so just return. */
6672 return;
6673 }
6674 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6675 if (ssl->state & SSL_HAVE_SESSION_KEY(1<<3)) {
3
Assuming the condition is false
4
Taking false branch
6676 ssl_debug_printf(" session key already available, nothing to do.\n");
6677 return;
6678 }
6679 if (!(ssl->state & SSL_CIPHER(1<<2))) {
5
Assuming the condition is false
6680 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
6681 return;
6682 }
6683
6684 /* for decryption, there needs to be a master secret (which can be derived
6685 * from pre-master secret). If missing, try to pick a master key from cache
6686 * (an earlier packet in the capture or key logfile). */
6687 if (!(ssl->state & (SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6))) &&
6
Assuming the condition is false
6688 !ssl_restore_master_key(ssl, "Session ID", false0,
6689 mk_map->session, &ssl->session_id) &&
6690 (!ssl->session.is_session_resumed ||
6691 !ssl_restore_master_key(ssl, "Session Ticket", false0,
6692 mk_map->tickets, &ssl->session_ticket)) &&
6693 !ssl_restore_master_key(ssl, "Client Random", false0,
6694 mk_map->crandom, &ssl->client_random)) {
6695 if (ssl->cipher_suite->enc != ENC_NULL0x3D) {
6696 /* how unfortunate, the master secret could not be found */
6697 ssl_debug_printf(" Cannot find master secret\n");
6698 return;
6699 } else {
6700 ssl_debug_printf(" Cannot find master secret, continuing anyway "
6701 "because of a NULL cipher\n");
6702 }
6703 }
6704
6705 if (ssl_generate_keyring_material(ssl) < 0) {
7
Calling 'ssl_generate_keyring_material'
6706 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC((const char*) (__func__)));
6707 return;
6708 }
6709 /* Save Client Random/ Session ID for "SSL Export Session keys" */
6710 ssl_save_master_key("Client Random", mk_map->crandom,
6711 &ssl->client_random, &ssl->master_secret);
6712 ssl_save_master_key("Session ID", mk_map->session,
6713 &ssl->session_id, &ssl->master_secret);
6714 /* Only save the new secrets if the server sent the ticket. The client
6715 * ticket might have become stale. */
6716 if (ssl->state & SSL_NEW_SESSION_TICKET(1<<10)) {
6717 ssl_save_master_key("Session Ticket", mk_map->tickets,
6718 &ssl->session_ticket, &ssl->master_secret);
6719 }
6720} /* }}} */
6721
6722/* Load the traffic key secret from the keylog file. */
6723StringInfo *
6724tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6725 bool_Bool is_from_server, TLSRecordType type)
6726{
6727 GHashTable *key_map;
6728 const char *label;
6729
6730 if (ssl->session.version != TLSV1DOT3_VERSION0x304 && ssl->session.version != DTLSV1DOT3_VERSION0xfefc) {
6731 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC((const char*) (__func__)), ssl->session.version);
6732 return NULL((void*)0);
6733 }
6734
6735 if (ssl->client_random.data_len == 0) {
6736 /* May happen if Hello message is missing and Finished is found. */
6737 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
6738 return NULL((void*)0);
6739 }
6740
6741 switch (type) {
6742 case TLS_SECRET_0RTT_APP:
6743 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6743, "!is_from_server"))));
6744 label = "CLIENT_EARLY_TRAFFIC_SECRET";
6745 key_map = mk_map->tls13_client_early;
6746 break;
6747 case TLS_SECRET_HANDSHAKE:
6748 if (is_from_server) {
6749 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
6750 key_map = mk_map->tls13_server_handshake;
6751 } else {
6752 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
6753 key_map = mk_map->tls13_client_handshake;
6754 }
6755 break;
6756 case TLS_SECRET_APP:
6757 if (is_from_server) {
6758 label = "SERVER_TRAFFIC_SECRET_0";
6759 key_map = mk_map->tls13_server_appdata;
6760 } else {
6761 label = "CLIENT_TRAFFIC_SECRET_0";
6762 key_map = mk_map->tls13_client_appdata;
6763 }
6764 break;
6765 default:
6766 ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c"
, 6766, __func__, "assertion \"not reached\" failed");
6767 }
6768
6769 /* Transitioning to new keys, mark old ones as unusable. */
6770 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6771 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) | SSL_HAVE_SESSION_KEY(1<<3));
6772
6773 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
6774 if (!secret) {
6775 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC((const char*) (__func__)), label);
6776 /* Disable decryption, the keys are invalid. */
6777 if (is_from_server) {
6778 ssl->server = NULL((void*)0);
6779 } else {
6780 ssl->client = NULL((void*)0);
6781 }
6782 return NULL((void*)0);
6783 }
6784
6785 /* TLS 1.3 secret found, set new keys. */
6786 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC((const char*) (__func__)));
6787 ssl_print_string("Client Random", &ssl->client_random);
6788 ssl_print_string(label, secret);
6789 return secret;
6790}
6791
6792/* Load the new key. */
6793void
6794tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6795 bool_Bool is_from_server, TLSRecordType type)
6796{
6797 if (ssl->state & SSL_QUIC_RECORD_LAYER(1<<13)) {
6798 /*
6799 * QUIC does not use the TLS record layer for message protection.
6800 * The required keys will be extracted later by QUIC.
6801 */
6802 return;
6803 }
6804
6805 StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6806 if (!secret) {
6807 if (type != TLS_SECRET_HANDSHAKE) {
6808 return;
6809 }
6810 /*
6811 * Workaround for when for some reason we don't have the handshake
6812 * secret but do have the application traffic secret. (#20240)
6813 * If we can't find the handshake secret, we'll never decrypt the
6814 * Finished message, so we won't know when to change to the app
6815 * traffic key, so we do so now.
6816 */
6817 type = TLS_SECRET_APP;
6818 secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6819 if (!secret) {
6820 return;
6821 }
6822 }
6823
6824 if (tls13_generate_keys(ssl, secret, is_from_server)) {
6825 /*
6826 * Remember the application traffic secret to support Key Update. The
6827 * other secrets cannot be used for this purpose, so free them.
6828 */
6829 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6830 StringInfo *app_secret = &decoder->app_traffic_secret;
6831 if (type == TLS_SECRET_APP) {
6832 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6833 app_secret->data,
6834 secret->data_len);
6835 ssl_data_set(app_secret, secret->data, secret->data_len);
6836 } else {
6837 wmem_free(wmem_file_scope(), app_secret->data);
6838 app_secret->data = NULL((void*)0);
6839 app_secret->data_len = 0;
6840 }
6841 }
6842}
6843
6844/**
6845 * Update to next application data traffic secret for TLS 1.3. The previous
6846 * secret should have been set by tls13_change_key.
6847 */
6848void
6849tls13_key_update(SslDecryptSession *ssl, bool_Bool is_from_server)
6850{
6851 /* RFC 8446 Section 7.2:
6852 * application_traffic_secret_N+1 =
6853 * HKDF-Expand-Label(application_traffic_secret_N,
6854 * "traffic upd", "", Hash.length)
6855 *
6856 * Both application_traffic_secret_N are of the same length (Hash.length).
6857 */
6858 const SslCipherSuite *cipher_suite = ssl->cipher_suite;
6859 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6860 StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL((void*)0);
6861 uint8_t tls13_draft_version = ssl->session.tls13_draft_version;
6862
6863 if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
6864 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC((const char*) (__func__)));
6865 return;
6866 }
6867
6868 /*
6869 * Previous traffic secret is available, so find the hash function,
6870 * expand the new traffic secret and generate new keys.
6871 */
6872 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
6873 int hash_algo = ssl_get_digest_by_name(hash_name);
6874 const unsigned hash_len = app_secret->data_len;
6875 unsigned char *new_secret;
6876 const char *label = "traffic upd";
6877 if (tls13_draft_version && tls13_draft_version < 20) {
6878 label = "application traffic secret";
6879 }
6880 if (!tls13_hkdf_expand_label(hash_algo, app_secret,
6881 tls13_hkdf_label_prefix(ssl),
6882 label, hash_len, &new_secret)) {
6883 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC((const char*) (__func__)));
6884 return;
6885 }
6886 ssl_data_set(app_secret, new_secret, hash_len);
6887 if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
6888 /*
6889 * Remember the application traffic secret on the new decoder to
6890 * support another Key Update.
6891 */
6892 decoder = is_from_server ? ssl->server : ssl->client;
6893 app_secret = &decoder->app_traffic_secret;
6894 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6895 app_secret->data,
6896 hash_len);
6897 ssl_data_set(app_secret, new_secret, hash_len);
6898 }
6899 wmem_free(NULL((void*)0), new_secret);
6900}
6901
6902void
6903tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6904{
6905 if (ssl && (ssl->state & SSL_CLIENT_RANDOM(1<<0))) {
6906 g_hash_table_add(mk_map->used_crandom, ssl_data_clone(&ssl->client_random));
6907 }
6908}
6909
6910/** SSL keylog file handling. {{{ */
6911
6912static GRegex *
6913ssl_compile_keyfile_regex(void)
6914{
6915#define OCTET "(?:[[:xdigit:]]{2})"
6916 const char *pattern =
6917 "(?:"
6918 /* Matches Client Hellos having this Client Random */
6919 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
6920 /* Matches first part of encrypted RSA pre-master secret */
6921 "|RSA (?<encrypted_pmk>" OCTET "{8}) "
6922 /* Pre-Master-Secret is given, it is 48 bytes for RSA,
6923 but it can be of any length for DHE */
6924 ")(?<pms>" OCTET "+)"
6925 "|(?:"
6926 /* Matches Server Hellos having a Session ID */
6927 "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
6928 /* Matches Client Hellos having this Client Random */
6929 "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
6930 /* Master-Secret is given, its length is fixed */
6931 ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH)"48" "})"
6932 "|(?"
6933 /* TLS 1.3 Client Random to Derived Secrets mapping. */
6934 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
6935 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
6936 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
6937 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
6938 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
6939 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
6940 "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
6941 /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
6942 /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
6943 "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
6944 "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
6945 ") (?<derived_secret>" OCTET "+)";
6946#undef OCTET
6947 static GRegex *regex = NULL((void*)0);
6948 GError *gerr = NULL((void*)0);
6949
6950 if (!regex) {
6951 regex = g_regex_new(pattern,
6952 (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
6953 G_REGEX_MATCH_ANCHORED, &gerr);
6954 if (gerr) {
6955 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC((const char*) (__func__)),
6956 gerr->message);
6957 g_error_free(gerr);
6958 regex = NULL((void*)0);
6959 }
6960 }
6961
6962 return regex;
6963}
6964
6965typedef struct ssl_master_key_match_group {
6966 const char *re_group_name;
6967 GHashTable *master_key_ht;
6968} ssl_master_key_match_group_t;
6969
6970void
6971tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
6972{
6973 ssl_master_key_match_group_t mk_groups[] = {
6974 { "encrypted_pmk", mk_map->pre_master },
6975 { "session_id", mk_map->session },
6976 { "client_random", mk_map->crandom },
6977 { "client_random_pms", mk_map->pms },
6978 /* TLS 1.3 map from Client Random to derived secret. */
6979 { "client_early", mk_map->tls13_client_early },
6980 { "client_handshake", mk_map->tls13_client_handshake },
6981 { "server_handshake", mk_map->tls13_server_handshake },
6982 { "client_appdata", mk_map->tls13_client_appdata },
6983 { "server_appdata", mk_map->tls13_server_appdata },
6984 { "early_exporter", mk_map->tls13_early_exporter },
6985 { "exporter", mk_map->tls13_exporter },
6986 { "ech_secret", mk_map->ech_secret },
6987 { "ech_config", mk_map->ech_config },
6988 };
6989
6990 /* The format of the file is a series of records with one of the following formats:
6991 * - "RSA xxxx yyyy"
6992 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
6993 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6994 * (this is the original format introduced with bug 4349)
6995 *
6996 * - "RSA Session-ID:xxxx Master-Key:yyyy"
6997 * Where xxxx is the SSL session ID (hex-encoded)
6998 * Where yyyy is the cleartext master secret (hex-encoded)
6999 * (added to support openssl s_client Master-Key output)
7000 * This is somewhat is a misnomer because there's nothing RSA specific
7001 * about this.
7002 *
7003 * - "PMS_CLIENT_RANDOM xxxx yyyy"
7004 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7005 * Where yyyy is the cleartext pre-master secret (hex-encoded)
7006 * (This format allows SSL connections to be decrypted, if a user can
7007 * capture the PMS but could not recover the MS for a specific session
7008 * with a SSL Server.)
7009 *
7010 * - "CLIENT_RANDOM xxxx yyyy"
7011 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7012 * Where yyyy is the cleartext master secret (hex-encoded)
7013 * (This format allows non-RSA SSL connections to be decrypted, i.e.
7014 * ECDHE-RSA.)
7015 *
7016 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
7017 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7018 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7019 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
7020 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
7021 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
7022 * - "EXPORTER_SECRET xxxx yyyy"
7023 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7024 * Where yyyy is the secret (hex-encoded) derived from the early,
7025 * handshake or master secrets. (This format is introduced with TLS 1.3
7026 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
7027 */
7028 GRegex *regex = ssl_compile_keyfile_regex();
7029 if (!regex)
7030 return;
7031
7032 const char *next_line = (const char *)data;
7033 const char *line_end = next_line + datalen;
7034 while (next_line && next_line < line_end) {
7035 const char *line = next_line;
7036 next_line = (const char *)memchr(line, '\n', line_end - line);
7037 ssize_t linelen;
7038
7039 if (next_line) {
7040 linelen = next_line - line;
7041 next_line++; /* drop LF */
7042 } else {
7043 linelen = (ssize_t)(line_end - line);
7044 }
7045 if (linelen > 0 && line[linelen - 1] == '\r') {
7046 linelen--; /* drop CR */
7047 }
7048
7049 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
7050 GMatchInfo *mi;
7051 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {
7052 char *hex_key, *hex_pre_ms_or_ms;
7053 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7054 StringInfo *pre_ms_or_ms = NULL((void*)0);
7055 GHashTable *ht = NULL((void*)0);
7056
7057 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
7058 * otherwise we will use the Master Secret
7059 */
7060 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
7061 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7062 g_free(hex_pre_ms_or_ms);
7063 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
7064 }
7065 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7066 g_free(hex_pre_ms_or_ms);
7067 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
7068 }
7069 /* There is always a match, otherwise the regex is wrong. */
7070 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7070, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))));
7071
7072 /* convert from hex to bytes and save to hashtable */
7073 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7074 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
7075 g_free(hex_pre_ms_or_ms);
7076
7077 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
7078 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {
7079 ssl_master_key_match_group_t *g = &mk_groups[i];
7080 hex_key = g_match_info_fetch_named(mi, g->re_group_name);
7081 if (hex_key && *hex_key) {
7082 ssl_debug_printf(" matched %s\n", g->re_group_name);
7083 ht = g->master_key_ht;
7084 from_hex(key, hex_key, strlen(hex_key));
7085 g_free(hex_key);
7086 break;
7087 }
7088 g_free(hex_key);
7089 }
7090 DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7090, "ht")))); /* Cannot be reached, or regex is wrong. */
7091
7092 g_hash_table_insert(ht, key, pre_ms_or_ms);
7093
7094 } else if (linelen > 0 && line[0] != '#') {
7095 ssl_debug_printf(" unrecognized line\n");
7096 }
7097 /* always free match info even if there is no match. */
7098 g_match_info_free(mi);
7099 }
7100}
7101
7102void
7103ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
7104 const ssl_master_key_map_t *mk_map)
7105{
7106 /* no need to try if no key log file is configured. */
7107 if (!tls_keylog_filename || !*tls_keylog_filename) {
7108 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
7109 G_STRFUNC((const char*) (__func__)));
7110 return;
7111 }
7112
7113 /* Validate regexes before even trying to use it. */
7114 if (!ssl_compile_keyfile_regex()) {
7115 return;
7116 }
7117
7118 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);
7119
7120 /* if the keylog file was deleted/overwritten, re-open it */
7121 if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {
7122 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));
7123 fclose(*keylog_file);
7124 *keylog_file = NULL((void*)0);
7125 }
7126
7127 if (*keylog_file == NULL((void*)0)) {
7128 *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");
7129 if (!*keylog_file) {
7130 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));
7131 return;
7132 }
7133 }
7134
7135 for (;;) {
7136 char buf[1110], *line;
7137 line = fgets(buf, sizeof(buf), *keylog_file);
7138 if (!line) {
7139 if (feof(*keylog_file)) {
7140 /* Ensure that newly appended keys can be read in the future. */
7141 clearerr(*keylog_file);
7142 } else if (ferror(*keylog_file)) {
7143 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));
7144 fclose(*keylog_file);
7145 *keylog_file = NULL((void*)0);
7146 }
7147 break;
7148 }
7149 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
7150 }
7151}
7152/** SSL keylog file handling. }}} */
7153
7154#ifdef SSL_DECRYPT_DEBUG /* {{{ */
7155
7156static FILE* ssl_debug_file;
7157
7158void
7159ssl_set_debug(const char* name)
7160{
7161 static int debug_file_must_be_closed;
7162 int use_stderr;
7163
7164 use_stderr = name?(strcmp(name, SSL_DEBUG_USE_STDERR"-") == 0):0;
7165
7166 if (debug_file_must_be_closed)
7167 fclose(ssl_debug_file);
7168
7169 if (use_stderr)
7170 ssl_debug_file = stderrstderr;
7171 else if (!name || (strcmp(name, "") ==0))
7172 ssl_debug_file = NULL((void*)0);
7173 else
7174 ssl_debug_file = ws_fopenfopen(name, "w");
7175
7176 if (!use_stderr && ssl_debug_file)
7177 debug_file_must_be_closed = 1;
7178 else
7179 debug_file_must_be_closed = 0;
7180
7181 ssl_debug_printf("Wireshark SSL debug log \n\n");
7182#ifdef HAVE_LIBGNUTLS1
7183 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL((void*)0)));
7184#endif
7185 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL((void*)0)));
7186 ssl_debug_printf("\n");
7187}
7188
7189void
7190ssl_debug_flush(void)
7191{
7192 if (ssl_debug_file)
7193 fflush(ssl_debug_file);
7194}
7195
7196void
7197ssl_debug_printf(const char* fmt, ...)
7198{
7199 va_list ap;
7200
7201 if (!ssl_debug_file)
7202 return;
7203
7204 va_start(ap, fmt)__builtin_va_start(ap, fmt);
7205 vfprintf(ssl_debug_file, fmt, ap);
7206 va_end(ap)__builtin_va_end(ap);
7207}
7208
7209void
7210ssl_print_data(const char* name, const unsigned char* data, size_t len)
7211{
7212 size_t i, j, k;
7213 if (!ssl_debug_file)
7214 return;
7215 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
7216 for (i=0; i<len; i+=16) {
7217 fprintf(ssl_debug_file,"| ");
7218 for (j=i, k=0; k<16 && j<len; ++j, ++k)
7219 fprintf(ssl_debug_file,"%.2x ",data[j]);
7220 for (; k<16; ++k)
7221 fprintf(ssl_debug_file," ");
7222 fputc('|', ssl_debug_file);
7223 for (j=i, k=0; k<16 && j<len; ++j, ++k) {
7224 unsigned char c = data[j];
7225 if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';
7226 fputc(c, ssl_debug_file);
7227 }
7228 for (; k<16; ++k)
7229 fputc(' ', ssl_debug_file);
7230 fprintf(ssl_debug_file,"|\n");
7231 }
7232}
7233
7234void
7235ssl_print_string(const char* name, const StringInfo* data)
7236{
7237 ssl_print_data(name, data->data, data->data_len);
7238}
7239#endif /* SSL_DECRYPT_DEBUG }}} */
7240
7241/* UAT preferences callbacks. {{{ */
7242/* checks for SSL and DTLS UAT key list fields */
7243
7244bool_Bool
7245ssldecrypt_uat_fld_ip_chk_cb(void* r _U___attribute__((unused)), const char* p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7246{
7247 // This should be removed in favor of Decode As. Make it optional.
7248 *err = NULL((void*)0);
7249 return true1;
7250}
7251
7252bool_Bool
7253ssldecrypt_uat_fld_port_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7254{
7255 if (!p || strlen(p) == 0u) {
7256 // This should be removed in favor of Decode As. Make it optional.
7257 *err = NULL((void*)0);
7258 return true1;
7259 }
7260
7261 if (strcmp(p, "start_tls") != 0){
7262 uint16_t port;
7263 if (!ws_strtou16(p, NULL((void*)0), &port)) {
7264 *err = g_strdup("Invalid port given.")g_strdup_inline ("Invalid port given.");
7265 return false0;
7266 }
7267 }
7268
7269 *err = NULL((void*)0);
7270 return true1;
7271}
7272
7273bool_Bool
7274ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7275{
7276 ws_statb64struct stat st;
7277
7278 if (!p || strlen(p) == 0u) {
7279 *err = g_strdup("No filename given.")g_strdup_inline ("No filename given.");
7280 return false0;
7281 } else {
7282 if (ws_stat64stat(p, &st) != 0) {
7283 *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p)wmem_strdup_printf(((void*)0), "File '%s' does not exist or access is denied."
, p);
7284 return false0;
7285 }
7286 }
7287
7288 *err = NULL((void*)0);
7289 return true1;
7290}
7291
7292bool_Bool
7293ssldecrypt_uat_fld_password_chk_cb(void *r _U___attribute__((unused)), const char *p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void *u1 _U___attribute__((unused)), const void *u2 _U___attribute__((unused)), char **err)
7294{
7295#if defined(HAVE_LIBGNUTLS1)
7296 ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;
7297 FILE *fp = NULL((void*)0);
7298
7299 if (p && (strlen(p) > 0u)) {
7300 fp = ws_fopenfopen(f->keyfile, "rb");
7301 if (fp) {
7302 char *msg = NULL((void*)0);
7303 gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
7304 if (!priv_key) {
7305 fclose(fp);
7306 *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg)wmem_strdup_printf(((void*)0), "Could not load PKCS#12 key file: %s"
, msg);
7307 g_free(msg);
7308 return false0;
7309 }
7310 g_free(msg);
7311 gnutls_x509_privkey_deinit(priv_key);
7312 fclose(fp);
7313 } else {
7314 *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.")wmem_strdup_printf(((void*)0), "Leave this field blank if the keyfile is not PKCS#12."
);
7315 return false0;
7316 }
7317 }
7318
7319 *err = NULL((void*)0);
7320 return true1;
7321#else
7322 *err = g_strdup("Cannot load key files, support is not compiled in.")g_strdup_inline ("Cannot load key files, support is not compiled in."
);
7323 return false0;
7324#endif
7325}
7326/* UAT preferences callbacks. }}} */
7327
7328/** maximum size of ssl_association_info() string */
7329#define SSL_ASSOC_MAX_LEN8192 8192
7330
7331typedef struct ssl_association_info_callback_data
7332{
7333 char *str;
7334 const char *table_protocol;
7335} ssl_association_info_callback_data_t;
7336
7337/**
7338 * callback function used by ssl_association_info() to traverse the SSL associations.
7339 */
7340static void
7341ssl_association_info_(const char *table _U___attribute__((unused)), void *handle, void *user_data)
7342{
7343 ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;
7344 const int l = (const int)strlen(data->str);
7345 snprintf(data->str+l, SSL_ASSOC_MAX_LEN8192-l, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t)handle), dissector_handle_get_description((dissector_handle_t)handle));
7346}
7347
7348/**
7349 * @return an information string on the SSL protocol associations. The string must be freed.
7350 */
7351char*
7352ssl_association_info(const char* dissector_table_name, const char* table_protocol)
7353{
7354 ssl_association_info_callback_data_t data;
7355
7356 data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN8192);
7357 data.table_protocol = table_protocol;
7358 dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
7359 return data.str;
7360}
7361
7362
7363/** Begin of code related to dissection of wire data. */
7364
7365/* Helpers for dissecting Variable-Length Vectors. {{{ */
7366bool_Bool
7367ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7368 unsigned offset, unsigned offset_end, uint32_t *ret_length,
7369 int hf_length, uint32_t min_value, uint32_t max_value)
7370{
7371 unsigned veclen_size;
7372 uint32_t veclen_value;
7373 proto_item *pi;
7374
7375 DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value)((void) ((min_value <= max_value) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "min_value" " " "<=" " " "max_value"
" (" "%" "l" "u" " " "<=" " " "%" "l" "u" ")", "epan/dissectors/packet-tls-utils.c"
, 7375, (uint64_t)min_value, (uint64_t)max_value))));
7376 if (offset > offset_end) {
7377 expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
7378 "Vector offset is past buffer end offset (%u > %u)",
7379 offset, offset_end);
7380 *ret_length = 0;
7381 return false0; /* Cannot read length. */
7382 }
7383
7384 if (max_value > 0xffffff) {
7385 veclen_size = 4;
7386 } else if (max_value > 0xffff) {
7387 veclen_size = 3;
7388 } else if (max_value > 0xff) {
7389 veclen_size = 2;
7390 } else {
7391 veclen_size = 1;
7392 }
7393
7394 if (offset_end - offset < veclen_size) {
7395 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7396 tvb, offset, offset_end - offset,
7397 "No more room for vector of length %u",
7398 veclen_size);
7399 *ret_length = 0;
7400 return false0; /* Cannot read length. */
7401 }
7402
7403 pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN0x00000000, &veclen_value);
7404 offset += veclen_size;
7405
7406 if (veclen_value < min_value) {
7407 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7408 "Vector length %u is smaller than minimum %u",
7409 veclen_value, min_value);
7410 } else if (veclen_value > max_value) {
7411 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7412 "Vector length %u is larger than maximum %u",
7413 veclen_value, max_value);
7414 }
7415
7416 if (offset_end - offset < veclen_value) {
7417 expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
7418 "Vector length %u is too large, truncating it to %u",
7419 veclen_value, offset_end - offset);
7420 *ret_length = offset_end - offset;
7421 return false0; /* Length is truncated to avoid overflow. */
7422 }
7423
7424 *ret_length = veclen_value;
7425 return true1; /* Length is OK. */
7426}
7427
7428bool_Bool
7429ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7430 unsigned offset, unsigned offset_end)
7431{
7432 if (offset < offset_end) {
7433 unsigned trailing = offset_end - offset;
7434 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
7435 tvb, offset, trailing,
7436 "%u trailing byte%s unprocessed",
7437 trailing, plurality(trailing, " was", "s were")((trailing) == 1 ? (" was") : ("s were")));
7438 return false0; /* unprocessed data warning */
7439 } else if (offset > offset_end) {
7440 /*
7441 * Returned offset runs past the end. This should not happen and is
7442 * possibly a dissector bug.
7443 */
7444 unsigned excess = offset - offset_end;
7445 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7446 tvb, offset_end, excess,
7447 "Dissector processed too much data (%u byte%s)",
7448 excess, plurality(excess, "", "s")((excess) == 1 ? ("") : ("s")));
7449 return false0; /* overflow error */
7450 }
7451
7452 return true1; /* OK, offset matches. */
7453}
7454/** }}} */
7455
7456
7457static uint32_t
7458ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7459 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7460 uint16_t version, int hf_sig_len, int hf_sig);
7461
7462/* change_cipher_spec(20) dissection */
7463void
7464ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7465 packet_info *pinfo, proto_tree *tree,
7466 uint32_t offset, SslSession *session,
7467 bool_Bool is_from_server,
7468 const SslDecryptSession *ssl)
7469{
7470 /*
7471 * struct {
7472 * enum { change_cipher_spec(1), (255) } type;
7473 * } ChangeCipherSpec;
7474 */
7475 proto_item *ti;
7476 proto_item_set_text(tree,
7477 "%s Record Layer: %s Protocol: Change Cipher Spec",
7478 val_to_str_const(session->version, ssl_version_short_names, "SSL"),
7479 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
7480 ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA0x00000000);
7481
7482 if (session->version == TLSV1DOT3_VERSION0x304) {
7483 /* CCS is a dummy message in TLS 1.3, do not parse it further. */
7484 return;
7485 }
7486
7487 /* Remember frame number of first CCS */
7488 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
7489 if (*ccs_frame == 0)
7490 *ccs_frame = pinfo->num;
7491
7492 /* Use heuristics to detect an abbreviated handshake, assume that missing
7493 * ServerHelloDone implies reusing previously negotiating keys. Then when
7494 * a Session ID or ticket is present, it must be a resumed session.
7495 * Normally this should be done at the Finished message, but that may be
7496 * encrypted so we do it here, at the last cleartext message. */
7497 if (is_from_server && ssl) {
7498 if (session->is_session_resumed) {
7499 const char *resumed = NULL((void*)0);
7500 if (ssl->session_ticket.data_len) {
7501 resumed = "Session Ticket";
7502 } else if (ssl->session_id.data_len) {
7503 resumed = "Session ID";
7504 }
7505 if (resumed) {
7506 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC((const char*) (__func__)), resumed);
7507 } else {
7508 /* Can happen if the capture somehow starts in the middle */
7509 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC((const char*) (__func__)));
7510 }
7511 } else {
7512 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC((const char*) (__func__)));
7513 }
7514 }
7515 if (is_from_server && session->is_session_resumed)
7516 expert_add_info(pinfo, ti, &hf->ei.resumed);
7517}
7518
7519/** Begin of handshake(22) record dissections */
7520
7521/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
7522 * {{{ */
7523static void
7524tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
7525{
7526 uint32_t sighash, hashalg, sigalg;
7527 proto_item *ti_sigalg;
7528 proto_tree *sigalg_tree;
7529
7530 ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
7531 offset, 2, ENC_BIG_ENDIAN0x00000000, &sighash);
7532 if (ja4_data) {
7533 wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash)((gpointer) (gulong) (sighash)));
7534 }
7535
7536 sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);
7537
7538 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
7539 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,
7540 offset, 1, ENC_BIG_ENDIAN0x00000000, &hashalg);
7541 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,
7542 offset + 1, 1, ENC_BIG_ENDIAN0x00000000, &sigalg);
7543
7544 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
7545 if (!try_val_to_str(sighash, tls13_signature_algorithm)) {
7546 proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",
7547 val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),
7548 val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),
7549 sighash);
7550 }
7551} /* }}} */
7552
7553/* dissect a list of hash algorithms, return the number of bytes dissected
7554 this is used for the signature algorithms extension and for the
7555 TLS1.2 certificate request. {{{ */
7556static int
7557ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
7558 packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7559{
7560 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
7561 * struct {
7562 * HashAlgorithm hash;
7563 * SignatureAlgorithm signature;
7564 * } SignatureAndHashAlgorithm;
7565 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
7566 */
7567 proto_tree *subtree;
7568 proto_item *ti;
7569 unsigned sh_alg_length;
7570 uint32_t next_offset;
7571
7572 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
7573 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
7574 hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX(65535) - 1)) {
7575 return offset_end;
7576 }
7577 offset += 2;
7578 next_offset = offset + sh_alg_length;
7579
7580 ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
7581 "Signature Hash Algorithms (%u algorithm%s)",
7582 sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s")((sh_alg_length / 2) == 1 ? ("") : ("s")));
7583 subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);
7584
7585 while (offset + 2 <= next_offset) {
7586 tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
7587 offset += 2;
7588 }
7589
7590 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
7591 offset = next_offset;
7592 }
7593
7594 return offset;
7595} /* }}} */
7596
7597/* Dissection of DistinguishedName (for CertificateRequest and
7598 * certificate_authorities extension). {{{ */
7599static uint32_t
7600tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7601 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7602{
7603 proto_item *ti;
7604 proto_tree *subtree;
7605 uint32_t dnames_length, next_offset;
7606 asn1_ctx_t asn1_ctx;
7607 int dnames_count = 100; /* the maximum number of DNs to add to the tree */
7608
7609 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
7610 /* DistinguishedName certificate_authorities<0..2^16-1> */
7611 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
7612 hf->hf.hs_dnames_len, 0, UINT16_MAX(65535))) {
7613 return offset_end;
7614 }
7615 offset += 2;
7616 next_offset = offset + dnames_length;
7617
7618 if (dnames_length > 0) {
7619 ti = proto_tree_add_none_format(tree,
7620 hf->hf.hs_dnames,
7621 tvb, offset, dnames_length,
7622 "Distinguished Names (%d byte%s)",
7623 dnames_length,
7624 plurality(dnames_length, "", "s")((dnames_length) == 1 ? ("") : ("s")));
7625 subtree = proto_item_add_subtree(ti, hf->ett.dnames);
7626
7627 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7628
7629 while (offset < next_offset) {
7630 /* get the length of the current certificate */
7631 uint32_t name_length;
7632
7633 if (dnames_count-- == 0) {
7634 /* stop adding to tree when the list is considered too large
7635 * https://gitlab.com/wireshark/wireshark/-/issues/16202
7636 Note: dnames_count must be set low enough not to hit the
7637 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
7638 */
7639 ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
7640 tvb, offset, next_offset - offset, ENC_NA0x00000000);
7641 proto_item_set_generated(ti);
7642 return next_offset;
7643 }
7644
7645 /* opaque DistinguishedName<1..2^16-1> */
7646 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
7647 hf->hf.hs_dname_len, 1, UINT16_MAX(65535))) {
7648 return next_offset;
7649 }
7650 offset += 2;
7651
7652 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
7653 subtree, hf->hf.hs_dname);
7654 offset += name_length;
7655 }
7656 }
7657 return offset;
7658} /* }}} */
7659
7660
7661/** TLS Extensions (in Client Hello and Server Hello). {{{ */
7662static int
7663ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7664 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7665{
7666 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
7667}
7668
7669static int
7670ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7671 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
7672{
7673 if (hnd_type == SSL_HND_CLIENT_HELLO ||
7674 hnd_type == SSL_HND_CERT_REQUEST) {
7675 /*
7676 * struct {
7677 * SignatureScheme supported_signature_algorithm<2..2^16-2>;
7678 * } SignatureSchemeList;
7679 */
7680
7681 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
7682 } else {
7683 asn1_ctx_t asn1_ctx;
7684 unsigned pubkey_length, sign_length;
7685
7686 /*
7687 * struct {
7688 * uint32 valid_time;
7689 * SignatureScheme expected_cert_verify_algorithm;
7690 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
7691 * } Credential;
7692 *
7693 * struct {
7694 * Credential cred;
7695 * SignatureScheme algorithm;
7696 * opaque signature<0..2^16-1>;
7697 * } DelegatedCredential;
7698 */
7699
7700 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7701
7702 proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7703 offset += 4;
7704
7705 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7706 offset += 2;
7707
7708 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
7709 hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24((1U << 24) - 1))) {
7710 return offset_end;
7711 }
7712 offset += 3;
7713 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
7714 offset += pubkey_length;
7715
7716 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7717 offset += 2;
7718
7719 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
7720 hf->hf.hs_cred_signature_len, 1, UINT16_MAX(65535))) {
7721 return offset_end;
7722 }
7723 offset += 2;
7724 proto_tree_add_item(tree, hf->hf.hs_cred_signature,
7725 tvb, offset, sign_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7726 offset += sign_length;
7727
7728 return offset;
7729 }
7730}
7731
7732static int
7733ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7734 packet_info *pinfo, proto_tree *tree,
7735 uint32_t offset, uint32_t offset_end,
7736 uint8_t hnd_type)
7737{
7738
7739 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */
7740
7741 switch (hnd_type) {
7742 case SSL_HND_CLIENT_HELLO: {
7743 proto_tree *alps_tree;
7744 proto_item *ti;
7745 uint32_t next_offset, alps_length, name_length;
7746
7747 /*
7748 * opaque ProtocolName<1..2^8-1>;
7749 * struct {
7750 * ProtocolName supported_protocols<2..2^16-1>
7751 * } ApplicationSettingsSupport;
7752 */
7753
7754 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
7755 hf->hf.hs_ext_alps_len, 2, UINT16_MAX(65535))) {
7756 return offset_end;
7757 }
7758 offset += 2;
7759 next_offset = offset + alps_length;
7760
7761 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
7762 tvb, offset, alps_length, ENC_NA0x00000000);
7763 alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);
7764
7765 /* Parse list (note missing check for end of vector, ssl_add_vector below
7766 * ensures that data is always available.) */
7767 while (offset < next_offset) {
7768 if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
7769 hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX(255))) {
7770 return next_offset;
7771 }
7772 offset++;
7773
7774 proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
7775 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7776 offset += name_length;
7777 }
7778
7779 return offset;
7780 }
7781 case SSL_HND_ENCRYPTED_EXTS:
7782 /* Opaque blob */
7783 proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
7784 tvb, offset, offset_end - offset, ENC_ASCII0x00000000|ENC_NA0x00000000);
7785 break;
7786 }
7787
7788 return offset_end;
7789}
7790
7791static int
7792ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7793 packet_info *pinfo, proto_tree *tree,
7794 uint32_t offset, uint32_t offset_end,
7795 uint8_t hnd_type, SslSession *session,
7796 bool_Bool is_dtls, ja4_data_t *ja4_data)
7797{
7798
7799 /* https://tools.ietf.org/html/rfc7301#section-3.1
7800 * opaque ProtocolName<1..2^8-1>;
7801 * struct {
7802 * ProtocolName protocol_name_list<2..2^16-1>
7803 * } ProtocolNameList;
7804 */
7805 proto_tree *alpn_tree;
7806 proto_item *ti;
7807 uint32_t next_offset, alpn_length, name_length;
7808 const char *proto_name = NULL((void*)0), *client_proto_name = NULL((void*)0);
7809
7810 /* ProtocolName protocol_name_list<2..2^16-1> */
7811 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
7812 hf->hf.hs_ext_alpn_len, 2, UINT16_MAX(65535))) {
7813 return offset_end;
7814 }
7815 offset += 2;
7816 next_offset = offset + alpn_length;
7817
7818 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
7819 tvb, offset, alpn_length, ENC_NA0x00000000);
7820 alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);
7821
7822 /* Parse list (note missing check for end of vector, ssl_add_vector below
7823 * ensures that data is always available.) */
7824 while (offset < next_offset) {
7825 /* opaque ProtocolName<1..2^8-1> */
7826 if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
7827 hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX(255))) {
7828 return next_offset;
7829 }
7830 offset++;
7831
7832 proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
7833 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7834 if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
7835 const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
7836 const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
7837 if ((g_ascii_isprint(alpn_first_char)((g_ascii_table[(guchar) (alpn_first_char)] & G_ASCII_PRINT
) != 0)) && g_ascii_isprint(alpn_last_char)((g_ascii_table[(guchar) (alpn_last_char)] & G_ASCII_PRINT
) != 0)) {
7838 wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
7839 }
7840 else {
7841 wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
7842 alpn_last_char & 0x0F);
7843 }
7844 }
7845 /* Remember first ALPN ProtocolName entry for server. */
7846 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
7847 /* '\0'-terminated string for dissector table match and prefix
7848 * comparison purposes. */
7849 proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
7850 name_length, ENC_ASCII0x00000000);
7851 } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
7852 client_proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
7853 name_length, ENC_ASCII0x00000000);
7854 }
7855 offset += name_length;
7856 }
7857
7858 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
7859 * exactly one "ProtocolName". */
7860 if (proto_name) {
7861 dissector_handle_t handle;
7862
7863 session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);
7864
7865 if (is_dtls) {
7866 handle = dissector_get_string_handle(dtls_alpn_dissector_table,
7867 proto_name);
7868 } else {
7869 handle = dissector_get_string_handle(ssl_alpn_dissector_table,
7870 proto_name);
7871 if (handle == NULL((void*)0)) {
7872 /* Try prefix matching */
7873 for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols)(sizeof (ssl_alpn_prefix_match_protocols) / sizeof ((ssl_alpn_prefix_match_protocols
)[0])); i++) {
7874 const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];
7875
7876 /* string_string is inappropriate as it compares strings
7877 * while "byte strings MUST NOT be truncated" (RFC 7301) */
7878 if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)(__builtin_constant_p (alpn_proto->proto_prefix)? __extension__
({ const char * const __str = (proto_name); const char * const
__prefix = (alpn_proto->proto_prefix); gboolean __result =
(0); if (__str == ((void*)0) || __prefix == ((void*)0)) __result
= (g_str_has_prefix) (__str, __prefix); else { const size_t __str_len
= strlen (((__str) + !(__str))); const size_t __prefix_len =
strlen (((__prefix) + !(__prefix))); if (__str_len >= __prefix_len
) __result = memcmp (((__str) + !(__str)), ((__prefix) + !(__prefix
)), __prefix_len) == 0; } __result; }) : (g_str_has_prefix) (
proto_name, alpn_proto->proto_prefix) )) {
7879 handle = find_dissector(alpn_proto->dissector_name);
7880 break;
7881 }
7882 }
7883 }
7884 }
7885 if (handle != NULL((void*)0)) {
7886 /* ProtocolName match, so set the App data dissector handle.
7887 * This may override protocols given via the UAT dialog, but
7888 * since the ALPN hint is precise, do it anyway. */
7889 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC((const char*) (__func__)),
7890 (void *)session->app_handle,
7891 (void *)handle,
7892 dissector_handle_get_dissector_name(handle));
7893 session->app_handle = handle;
7894 }
7895 } else if (client_proto_name) {
7896 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
7897 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
7898 session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
7899 }
7900
7901 return offset;
7902}
7903
7904static int
7905ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7906 packet_info *pinfo, proto_tree *tree,
7907 uint32_t offset, uint32_t offset_end)
7908{
7909 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
7910 * The "extension_data" field of a "next_protocol_negotiation" extension
7911 * in a "ServerHello" contains an optional list of protocols advertised
7912 * by the server. Protocols are named by opaque, non-empty byte strings
7913 * and the list of protocols is serialized as a concatenation of 8-bit,
7914 * length prefixed byte strings. Implementations MUST ensure that the
7915 * empty string is not included and that no byte strings are truncated.
7916 */
7917 uint32_t npn_length;
7918 proto_tree *npn_tree;
7919
7920 /* List is optional, do not add tree if there are no entries. */
7921 if (offset == offset_end) {
7922 return offset;
7923 }
7924
7925 npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL((void*)0), "Next Protocol Negotiation");
7926
7927 while (offset < offset_end) {
7928 /* non-empty, 8-bit length prefixed strings means range 1..255 */
7929 if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,
7930 hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX(255))) {
7931 return offset_end;
7932 }
7933 offset++;
7934
7935 proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
7936 tvb, offset, npn_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7937 offset += npn_length;
7938 }
7939
7940 return offset;
7941}
7942
7943static int
7944ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7945 packet_info *pinfo, proto_tree *tree,
7946 uint32_t offset, uint32_t offset_end)
7947{
7948 /* https://tools.ietf.org/html/rfc5746#section-3.2
7949 * struct {
7950 * opaque renegotiated_connection<0..255>;
7951 * } RenegotiationInfo;
7952 *
7953 */
7954 proto_tree *reneg_info_tree;
7955 uint32_t reneg_info_length;
7956
7957 reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL((void*)0), "Renegotiation Info extension");
7958
7959 /* opaque renegotiated_connection<0..255> */
7960 if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,
7961 hf->hf.hs_ext_reneg_info_len, 0, 255)) {
7962 return offset_end;
7963 }
7964 offset++;
7965
7966 if (reneg_info_length > 0) {
7967 proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA0x00000000);
7968 offset += reneg_info_length;
7969 }
7970
7971 return offset;
7972}
7973
7974static int
7975ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7976 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7977 const char **group_name_out)
7978{
7979 /* RFC 8446 Section 4.2.8
7980 * struct {
7981 * NamedGroup group;
7982 * opaque key_exchange<1..2^16-1>;
7983 * } KeyShareEntry;
7984 */
7985 uint32_t key_exchange_length, group;
7986 proto_tree *ks_tree;
7987
7988 ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL((void*)0), "Key Share Entry");
7989
7990 proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
7991 offset += 2;
7992 const char *group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
7993 proto_item_append_text(ks_tree, ": Group: %s", group_name);
7994 if (group_name_out) {
7995 *group_name_out = !IS_GREASE_TLS(group)((((group) & 0x0f0f) == 0x0a0a) && (((group) &
0xff) == (((group)>>8) & 0xff))) ? group_name : NULL((void*)0);
7996 }
7997
7998 /* opaque key_exchange<1..2^16-1> */
7999 if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
8000 hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX(65535))) {
8001 return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
8002 }
8003 offset += 2;
8004 proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
8005 proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);
8006
8007 proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA0x00000000);
8008 offset += key_exchange_length;
8009
8010 return offset;
8011}
8012
8013static int
8014ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8015 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8016 uint8_t hnd_type)
8017{
8018 proto_tree *key_share_tree;
8019 uint32_t next_offset;
8020 uint32_t client_shares_length;
8021 uint32_t group;
8022 const char *group_name = NULL((void*)0);
8023
8024 if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
8025 return offset;
8026 }
8027
8028 key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL((void*)0), "Key Share extension");
8029
8030 switch(hnd_type){
8031 case SSL_HND_CLIENT_HELLO:
8032 /* KeyShareEntry client_shares<0..2^16-1> */
8033 if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
8034 hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX(65535))) {
8035 return offset_end;
8036 }
8037 offset += 2;
8038 next_offset = offset + client_shares_length;
8039 const char *sep = " ";
8040 while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
8041 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
8042 if (group_name) {
8043 proto_item_append_text(tree, "%s%s", sep, group_name);
8044 sep = ", ";
8045 }
8046 }
8047 if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
8048 return next_offset;
8049 }
8050 break;
8051 case SSL_HND_SERVER_HELLO:
8052 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
8053 if (group_name) {
8054 proto_item_append_text(tree, " %s", group_name);
8055 }
8056 break;
8057 case SSL_HND_HELLO_RETRY_REQUEST:
8058 proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
8059 offset += 2;
8060 group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
8061 proto_item_append_text(tree, " %s", group_name);
8062 break;
8063 default: /* no default */
8064 break;
8065 }
8066
8067 return offset;
8068}
8069
8070static int
8071ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8072 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8073 uint8_t hnd_type)
8074{
8075 /* RFC 8446 Section 4.2.11
8076 * struct {
8077 * opaque identity<1..2^16-1>;
8078 * uint32 obfuscated_ticket_age;
8079 * } PskIdentity;
8080 * opaque PskBinderEntry<32..255>;
8081 * struct {
8082 * select (Handshake.msg_type) {
8083 * case client_hello:
8084 * PskIdentity identities<7..2^16-1>;
8085 * PskBinderEntry binders<33..2^16-1>;
8086 * case server_hello:
8087 * uint16 selected_identity;
8088 * };
8089 * } PreSharedKeyExtension;
8090 */
8091
8092 proto_tree *psk_tree;
8093
8094 psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL((void*)0), "Pre-Shared Key extension");
8095
8096 switch (hnd_type){
8097 case SSL_HND_CLIENT_HELLO: {
8098 uint32_t identities_length, identities_end, binders_length;
8099
8100 /* PskIdentity identities<7..2^16-1> */
8101 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
8102 hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX(65535))) {
8103 return offset_end;
8104 }
8105 offset += 2;
8106 identities_end = offset + identities_length;
8107
8108 while (offset < identities_end) {
8109 uint32_t identity_length;
8110 proto_tree *identity_tree;
8111
8112 identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL((void*)0), "PSK Identity (");
8113
8114 /* opaque identity<1..2^16-1> */
8115 if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
8116 hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX(65535))) {
8117 return identities_end;
8118 }
8119 offset += 2;
8120 proto_item_append_text(identity_tree, "length: %u)", identity_length);
8121
8122 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN0x00000000);
8123 offset += identity_length;
8124
8125 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8126 offset += 4;
8127
8128 proto_item_set_len(identity_tree, 2 + identity_length + 4);
8129 }
8130 if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
8131 offset = identities_end;
8132 }
8133
8134 /* PskBinderEntry binders<33..2^16-1> */
8135 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
8136 hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX(65535))) {
8137 return offset_end;
8138 }
8139 offset += 2;
8140
8141 proto_item *binders_item;
8142 proto_tree *binders_tree;
8143 binders_item = proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA0x00000000);
8144 binders_tree = proto_item_add_subtree(binders_item, hf->ett.hs_ext_psk_binders);
8145 uint32_t binders_end = offset + binders_length;
8146 while (offset < binders_end) {
8147 uint32_t binder_length;
8148 proto_item *binder_item;
8149 proto_tree *binder_tree;
8150
8151 binder_item = proto_tree_add_item(binders_tree, hf->hf.hs_ext_psk_binder, tvb, offset, 1, ENC_NA0x00000000);
8152 binder_tree = proto_item_add_subtree(binder_item, hf->ett.hs_ext_psk_binder);
8153
8154 /* opaque PskBinderEntry<32..255>; */
8155 if (!ssl_add_vector(hf, tvb, pinfo, binder_tree, offset, binders_end, &binder_length,
8156 hf->hf.hs_ext_psk_binder_binder_length, 32, 255)) {
8157 return binders_end;
8158 }
8159 offset += 1;
8160 proto_item_append_text(binder_tree, " (length: %u)", binder_length);
8161
8162 proto_tree_add_item(binder_tree, hf->hf.hs_ext_psk_binder_binder, tvb, offset, binder_length, ENC_BIG_ENDIAN0x00000000);
8163 offset += binder_length;
8164
8165 proto_item_set_end(binder_item, tvb, offset);
8166 }
8167 }
8168 break;
8169 case SSL_HND_SERVER_HELLO: {
8170 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8171 offset += 2;
8172 }
8173 break;
8174 default:
8175 break;
8176 }
8177
8178 return offset;
8179}
8180
8181static uint32_t
8182ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
8183 proto_tree *tree, uint32_t offset, uint32_t offset_end _U___attribute__((unused)),
8184 uint8_t hnd_type, SslDecryptSession *ssl)
8185{
8186 /* RFC 8446 Section 4.2.10
8187 * struct {} Empty;
8188 * struct {
8189 * select (Handshake.msg_type) {
8190 * case new_session_ticket: uint32 max_early_data_size;
8191 * case client_hello: Empty;
8192 * case encrypted_extensions: Empty;
8193 * };
8194 * } EarlyDataIndication;
8195 */
8196 switch (hnd_type) {
8197 case SSL_HND_CLIENT_HELLO:
8198 /* Remember that early_data will follow the handshake. */
8199 if (ssl) {
8200 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC((const char*) (__func__)));
8201 ssl->has_early_data = true1;
8202 }
8203 break;
8204 case SSL_HND_NEWSESSION_TICKET:
8205 proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8206 offset += 4;
8207 break;
8208 default:
8209 break;
8210 }
8211 return offset;
8212}
8213
8214static uint16_t
8215tls_try_get_version(bool_Bool is_dtls, uint16_t version, uint8_t *draft_version)
8216{
8217 if (draft_version) {
8218 *draft_version = 0;
8219 }
8220 if (!is_dtls) {
8221 uint8_t tls13_draft = extract_tls13_draft_version(version);
8222 if (tls13_draft != 0) {
8223 /* This is TLS 1.3 (a draft version). */
8224 if (draft_version) {
8225 *draft_version = tls13_draft;
8226 }
8227 version = TLSV1DOT3_VERSION0x304;
8228 }
8229 if (version == 0xfb17 || version == 0xfb1a) {
8230 /* Unofficial TLS 1.3 draft version for Facebook fizz. */
8231 tls13_draft = (uint8_t)version;
8232 if (draft_version) {
8233 *draft_version = tls13_draft;
8234 }
8235 version = TLSV1DOT3_VERSION0x304;
8236 }
8237 }
8238
8239 switch (version) {
8240 case SSLV3_VERSION0x300:
8241 case TLSV1_VERSION0x301:
8242 case TLSV1DOT1_VERSION0x302:
8243 case TLSV1DOT2_VERSION0x303:
8244 case TLSV1DOT3_VERSION0x304:
8245 case TLCPV1_VERSION0x101:
8246 if (is_dtls)
8247 return SSL_VER_UNKNOWN0;
8248 break;
8249
8250 case DTLSV1DOT0_VERSION0xfeff:
8251 case DTLSV1DOT0_OPENSSL_VERSION0x100:
8252 case DTLSV1DOT2_VERSION0xfefd:
8253 case DTLSV1DOT3_VERSION0xfefc:
8254 if (!is_dtls)
8255 return SSL_VER_UNKNOWN0;
8256 break;
8257
8258 default: /* invalid version number */
8259 return SSL_VER_UNKNOWN0;
8260 }
8261
8262 return version;
8263}
8264
8265static int
8266ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8267 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8268 SslSession *session, bool_Bool is_dtls, ja4_data_t *ja4_data)
8269{
8270
8271 /* RFC 8446 Section 4.2.1
8272 * struct {
8273 * ProtocolVersion versions<2..254>; // ClientHello
8274 * } SupportedVersions;
8275 * Note that ServerHello and HelloRetryRequest are handled by the caller.
8276 */
8277 uint32_t versions_length, next_offset;
8278 /* ProtocolVersion versions<2..254> */
8279 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
8280 hf->hf.hs_ext_supported_versions_len, 2, 254)) {
8281 return offset_end;
8282 }
8283 offset++;
8284 next_offset = offset + versions_length;
8285
8286 unsigned version;
8287 unsigned current_version, lowest_version = SSL_VER_UNKNOWN0;
8288 uint8_t draft_version, max_draft_version = 0;
8289 const char *sep = " ";
8290 while (offset + 2 <= next_offset) {
8291 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
8292 offset += 2;
8293
8294 if (!IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8295 proto_item_append_text(tree, "%s%s", sep, val_to_str(pinfo->pool, version, ssl_versions, "Unknown (0x%04x)"));
8296 sep = ", ";
8297 }
8298
8299 current_version = tls_try_get_version(is_dtls, version, &draft_version);
8300 if (session->version == SSL_VER_UNKNOWN0) {
8301 if (lowest_version == SSL_VER_UNKNOWN0) {
8302 lowest_version = current_version;
8303 } else if (current_version != SSL_VER_UNKNOWN0) {
8304 if (!is_dtls) {
8305 lowest_version = MIN(lowest_version, current_version)(((lowest_version) < (current_version)) ? (lowest_version)
: (current_version));
8306 } else {
8307 lowest_version = MAX(lowest_version, current_version)(((lowest_version) > (current_version)) ? (lowest_version)
: (current_version));
8308 }
8309 }
8310 }
8311 max_draft_version = MAX(draft_version, max_draft_version)(((draft_version) > (max_draft_version)) ? (draft_version)
: (max_draft_version));
8312 if (ja4_data && !IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8313 /* The DTLS version numbers get mapped to "00" for unknown per
8314 * JA4 spec, but if JA4 ever does support DTLS we'll probably
8315 * need to take the MIN instead of MAX here for DTLS.
8316 */
8317 ja4_data->max_version = MAX(version, ja4_data->max_version)(((version) > (ja4_data->max_version)) ? (version) : (ja4_data
->max_version));
8318 }
8319 }
8320 if (session->version == SSL_VER_UNKNOWN0 && lowest_version != SSL_VER_UNKNOWN0) {
8321 col_set_str(pinfo->cinfo, COL_PROTOCOL,
8322 val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
8323 }
8324 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
8325 offset = next_offset;
8326 }
8327
8328 /* XXX remove this when draft 19 support is dropped,
8329 * this is only required for early data decryption. */
8330 if (max_draft_version) {
8331 session->tls13_draft_version = max_draft_version;
8332 }
8333
8334 return offset;
8335}
8336
8337static int
8338ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8339 packet_info *pinfo, proto_tree *tree,
8340 uint32_t offset, uint32_t offset_end)
8341{
8342 /* RFC 8446 Section 4.2.2
8343 * struct {
8344 * opaque cookie<1..2^16-1>;
8345 * } Cookie;
8346 */
8347 uint32_t cookie_length;
8348 /* opaque cookie<1..2^16-1> */
8349 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
8350 hf->hf.hs_ext_cookie_len, 1, UINT16_MAX(65535))) {
8351 return offset_end;
8352 }
8353 offset += 2;
8354
8355 proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA0x00000000);
8356 offset += cookie_length;
8357
8358 return offset;
8359}
8360
8361static int
8362ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8363 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8364{
8365 /* RFC 8446 Section 4.2.9
8366 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
8367 *
8368 * struct {
8369 * PskKeyExchangeMode ke_modes<1..255>;
8370 * } PskKeyExchangeModes;
8371 */
8372 uint32_t ke_modes_length, next_offset;
8373
8374 /* PskKeyExchangeMode ke_modes<1..255> */
8375 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
8376 hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
8377 return offset_end;
8378 }
8379 offset++;
8380 next_offset = offset + ke_modes_length;
8381
8382 while (offset < next_offset) {
8383 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA0x00000000);
8384 offset++;
8385 }
8386
8387 return offset;
8388}
8389
8390static uint32_t
8391ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8392 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8393{
8394 /* RFC 8446 Section 4.2.4
8395 * opaque DistinguishedName<1..2^16-1>;
8396 * struct {
8397 * DistinguishedName authorities<3..2^16-1>;
8398 * } CertificateAuthoritiesExtension;
8399 */
8400 return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
8401}
8402
8403static int
8404ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8405 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8406{
8407 /* RFC 8446 Section 4.2.5
8408 * struct {
8409 * opaque certificate_extension_oid<1..2^8-1>;
8410 * opaque certificate_extension_values<0..2^16-1>;
8411 * } OIDFilter;
8412 * struct {
8413 * OIDFilter filters<0..2^16-1>;
8414 * } OIDFilterExtension;
8415 */
8416 proto_tree *subtree;
8417 uint32_t filters_length, oid_length, values_length, value_offset;
8418 asn1_ctx_t asn1_ctx;
8419 const char *oid, *name;
8420
8421 /* OIDFilter filters<0..2^16-1> */
8422 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
8423 hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX(65535))) {
8424 return offset_end;
8425 }
8426 offset += 2;
8427 offset_end = offset + filters_length;
8428
8429 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
8430
8431 while (offset < offset_end) {
8432 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
8433 hf->ett.hs_ext_oid_filter, NULL((void*)0), "OID Filter");
8434
8435 /* opaque certificate_extension_oid<1..2^8-1> */
8436 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
8437 hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX(255))) {
8438 return offset_end;
8439 }
8440 offset++;
8441 dissect_ber_object_identifier_str(false0, &asn1_ctx, subtree, tvb, offset,
8442 hf->hf.hs_ext_oid_filters_oid, &oid);
8443 offset += oid_length;
8444
8445 /* Append OID to tree label */
8446 name = oid_resolved_from_string(pinfo->pool, oid);
8447 proto_item_append_text(subtree, " (%s)", name ? name : oid);
8448
8449 /* opaque certificate_extension_values<0..2^16-1> */
8450 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
8451 hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX(65535))) {
8452 return offset_end;
8453 }
8454 offset += 2;
8455 proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
8456 if (values_length > 0) {
8457 value_offset = offset;
8458 value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0), NULL((void*)0));
8459 value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0));
8460 call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL((void*)0));
8461 }
8462 offset += values_length;
8463 }
8464
8465 return offset;
8466}
8467
8468static int
8469ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8470 packet_info *pinfo, proto_tree *tree,
8471 uint32_t offset, uint32_t offset_end)
8472{
8473 /* https://tools.ietf.org/html/rfc6066#section-3
8474 *
8475 * struct {
8476 * NameType name_type;
8477 * select (name_type) {
8478 * case host_name: HostName;
8479 * } name;
8480 * } ServerName;
8481 *
8482 * enum {
8483 * host_name(0), (255)
8484 * } NameType;
8485 *
8486 * opaque HostName<1..2^16-1>;
8487 *
8488 * struct {
8489 * ServerName server_name_list<1..2^16-1>
8490 * } ServerNameList;
8491 */
8492 proto_tree *server_name_tree;
8493 uint32_t list_length, server_name_length, next_offset;
8494
8495 /* The server SHALL include "server_name" extension with empty data. */
8496 if (offset == offset_end) {
8497 return offset;
8498 }
8499
8500 server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL((void*)0), "Server Name Indication extension");
8501
8502 /* ServerName server_name_list<1..2^16-1> */
8503 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
8504 hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX(65535))) {
8505 return offset_end;
8506 }
8507 offset += 2;
8508 next_offset = offset + list_length;
8509
8510 while (offset < next_offset) {
8511 uint32_t name_type;
8512 const char *server_name = NULL((void*)0);
8513 proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
8514 tvb, offset, 1, ENC_NA0x00000000, &name_type);
8515 offset++;
8516
8517 /* opaque HostName<1..2^16-1> */
8518 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
8519 hf->hf.hs_ext_server_name_len, 1, UINT16_MAX(65535))) {
8520 return next_offset;
8521 }
8522 offset += 2;
8523
8524 proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
8525 tvb, offset, server_name_length, ENC_ASCII0x00000000|ENC_NA0x00000000,
8526 pinfo->pool, (const uint8_t**)&server_name);
8527 offset += server_name_length;
8528 // Each type must only occur once, so we don't check for duplicates.
8529 if (name_type == 0) {
8530 proto_item_append_text(tree, " name=%s", server_name);
8531 col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);
8532
8533 if (gbl_resolv_flags.handshake_sni_addr_resolution) {
8534 // Client Hello: Client (Src) -> Server (Dst)
8535 switch (pinfo->dst.type) {
8536 case AT_IPv4:
8537 if (pinfo->dst.len == sizeof(uint32_t)) {
8538 add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false0);
8539 }
8540 break;
8541 case AT_IPv6:
8542 if (pinfo->dst.len == sizeof(ws_in6_addr)) {
8543 add_ipv6_name(pinfo->dst.data, server_name, false0);
8544 }
8545 break;
8546 }
8547 }
8548 }
8549 }
8550 return offset;
8551}
8552
8553static int
8554ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8555 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
8556{
8557 unsigned ext_len = offset_end - offset;
8558 if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
8559 tvb_ensure_bytes_exist(tvb, offset, ext_len);
8560 /* Save the Session Ticket such that it can be used as identifier for
8561 * restoring a previous Master Secret (in ChangeCipherSpec) */
8562 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
8563 ssl->session_ticket.data, ext_len);
8564 ssl->session_ticket.data_len = ext_len;
8565 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
8566 }
8567 proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
8568 tvb, offset, ext_len, ENC_NA0x00000000);
8569 return offset + ext_len;
8570}
8571
8572static int
8573ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8574 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8575 uint8_t hnd_type, uint16_t ext_type, SslSession *session)
8576{
8577 uint8_t cert_list_length;
8578 uint8_t cert_type;
8579 proto_tree *cert_list_tree;
8580 proto_item *ti;
8581
8582 switch(hnd_type){
8583 case SSL_HND_CLIENT_HELLO:
8584 cert_list_length = tvb_get_uint8(tvb, offset);
8585 proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
8586 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8587 offset += 1;
8588 if (offset_end - offset != (uint32_t)cert_list_length)
8589 return offset;
8590
8591 ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
8592 cert_list_length, cert_list_length);
8593 proto_item_append_text(ti, " (%d)", cert_list_length);
8594
8595 /* make this a subtree */
8596 cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);
8597
8598 /* loop over all point formats */
8599 while (cert_list_length > 0)
8600 {
8601 proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8602 offset++;
8603 cert_list_length--;
8604 }
8605 break;
8606 case SSL_HND_SERVER_HELLO:
8607 case SSL_HND_ENCRYPTED_EXTENSIONS:
8608 case SSL_HND_CERTIFICATE:
8609 cert_type = tvb_get_uint8(tvb, offset);
8610 proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8611 offset += 1;
8612 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19) {
8613 session->client_cert_type = cert_type;
8614 }
8615 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20) {
8616 session->server_cert_type = cert_type;
8617 }
8618 break;
8619 default: /* no default */
8620 break;
8621 }
8622
8623 return offset;
8624}
8625
8626static uint32_t
8627ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8628 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8629 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8630{
8631 uint32_t compress_certificate_algorithms_length, next_offset;
8632
8633 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
8634 * enum {
8635 * zlib(1),
8636 * brotli(2),
8637 * (65535)
8638 * } CertificateCompressionAlgorithm;
8639 *
8640 * struct {
8641 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;
8642 * } CertificateCompressionAlgorithms;
8643 */
8644 switch (hnd_type) {
8645 case SSL_HND_CLIENT_HELLO:
8646 case SSL_HND_CERT_REQUEST:
8647 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
8648 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
8649 hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX(255)-1)) {
8650 return offset_end;
8651 }
8652 offset += 1;
8653 next_offset = offset + compress_certificate_algorithms_length;
8654
8655 while (offset < next_offset) {
8656 proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
8657 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8658 offset += 2;
8659 }
8660 break;
8661 default:
8662 break;
8663 }
8664
8665 return offset;
8666}
8667
8668static uint32_t
8669ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8670 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8671 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8672{
8673 uint32_t key_parameters_length, next_offset;
8674 proto_item *p_ti;
8675 proto_tree *p_tree;
8676
8677 /* RFC 8472
8678 *
8679 * struct {
8680 * uint8 major;
8681 * uint8 minor;
8682 * } TB_ProtocolVersion;
8683 *
8684 * enum {
8685 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
8686 * } TokenBindingKeyParameters;
8687 *
8688 * struct {
8689 * TB_ProtocolVersion token_binding_version;
8690 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>
8691 * } TokenBindingParameters;
8692 */
8693
8694 switch (hnd_type) {
8695 case SSL_HND_CLIENT_HELLO:
8696 case SSL_HND_SERVER_HELLO:
8697 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8698 offset += 1;
8699 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8700 offset += 1;
8701
8702 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,
8703 hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX(255))) {
8704 return offset_end;
8705 }
8706 offset += 1;
8707 next_offset = offset + key_parameters_length;
8708
8709 p_ti = proto_tree_add_none_format(tree,
8710 hf->hf.hs_ext_token_binding_key_parameters,
8711 tvb, offset, key_parameters_length,
8712 "Key parameters identifiers (%d identifier%s)",
8713 key_parameters_length,
8714 plurality(key_parameters_length, "", "s")((key_parameters_length) == 1 ? ("") : ("s")));
8715 p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);
8716
8717 while (offset < next_offset) {
8718 proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,
8719 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8720 offset += 1;
8721 }
8722
8723 if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {
8724 offset = next_offset;
8725 }
8726
8727 break;
8728 default:
8729 break;
8730 }
8731
8732 return offset;
8733}
8734
8735static uint32_t
8736ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8737 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8738 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8739{
8740 bool_Bool use_varint_encoding = true1; // Whether this is draft -27 or newer.
8741 uint32_t next_offset;
8742
8743 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8744 *
8745 * Note: the following structures are not literally defined in the spec,
8746 * they instead use an ASCII diagram.
8747 *
8748 * struct {
8749 * uint16 id;
8750 * opaque value<0..2^16-1>;
8751 * } TransportParameter; // before draft -27
8752 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8753 *
8754 * struct {
8755 * opaque ipv4Address[4];
8756 * uint16 ipv4Port;
8757 * opaque ipv6Address[16];
8758 * uint16 ipv6Port;
8759 * opaque connectionId<0..18>;
8760 * opaque statelessResetToken[16];
8761 * } PreferredAddress;
8762 */
8763
8764 if (offset_end - offset >= 6 &&
8765 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
8766 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
8767 // Assume encoding of Transport Parameters draft -26 or older with at
8768 // least one transport parameter that has a valid length.
8769 use_varint_encoding = false0;
8770 }
8771
8772 if (use_varint_encoding) {
8773 next_offset = offset_end;
8774 } else {
8775 uint32_t quic_length;
8776 // Assume draft -26 or earlier.
8777 /* TransportParameter TransportParameters<0..2^16-1>; */
8778 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
8779 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {
8780 return offset_end;
8781 }
8782 offset += 2;
8783 next_offset = offset + quic_length;
8784 }
8785
8786 while (offset < next_offset) {
8787 uint64_t parameter_type; /* 62-bit space */
8788 uint32_t parameter_length;
8789 proto_tree *parameter_tree;
8790 uint32_t parameter_end_offset;
8791 uint64_t value;
8792 uint32_t i;
8793 int len = 0;
8794
8795 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
8796 NULL((void*)0), "Parameter");
8797 /* TransportParameter ID and Length. */
8798 if (use_varint_encoding) {
8799 uint64_t parameter_length64;
8800 int type_len = 0;
8801
8802 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8803 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);
8804 offset += type_len;
8805
8806 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
8807 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);
8808 parameter_length = (uint32_t)parameter_length64;
8809 offset += len;
8810
8811 proto_item_set_len(parameter_tree, type_len + len + parameter_length);
8812 } else {
8813 parameter_type = tvb_get_ntohs(tvb, offset);
8814 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8815 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8816 offset += 2;
8817
8818 /* opaque value<0..2^16-1> */
8819 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
8820 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {
8821 return next_offset;
8822 }
8823 offset += 2;
8824
8825 proto_item_set_len(parameter_tree, 4 + parameter_length);
8826 }
8827
8828 if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
0) : 0)) {
8829 proto_item_append_text(parameter_tree, ": GREASE");
8830 } else {
8831 proto_item_append_text(parameter_tree, ": %s", val64_to_str_wmem(pinfo->pool, parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
8832 }
8833
8834 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
8835 parameter_end_offset = offset + parameter_length;
8836
8837 /* Omit the value field if the parameter's length is 0. */
8838 if (parameter_length != 0) {
8839 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
8840 tvb, offset, parameter_length, ENC_NA0x00000000);
8841 }
8842
8843 switch (parameter_type) {
8844 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:
8845 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
8846 tvb, offset, parameter_length, ENC_NA0x00000000);
8847 offset += parameter_length;
8848 break;
8849 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:
8850 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
8851 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8852 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);
8853 offset += len;
8854 break;
8855 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:
8856 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
8857 tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);
8858 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));
8859 offset += 16;
8860 break;
8861 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:
8862 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
8863 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8864 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8865 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
8866 offset += len;
8867 break;
8868 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:
8869 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
8870 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8871 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8872 offset += len;
8873 break;
8874 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:
8875 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
8876 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8877 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8878 offset += len;
8879 break;
8880 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:
8881 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
8882 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8883 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8884 offset += len;
8885 break;
8886 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:
8887 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
8888 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8889 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8890 offset += len;
8891 break;
8892 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:
8893 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
8894 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8895 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8896 offset += len;
8897 break;
8898 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:
8899 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
8900 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8901 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8902 offset += len;
8903 break;
8904 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:
8905 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
8906 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
8907 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
8908 offset += len;
8909 break;
8910 case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:
8911 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
8912 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8913 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8914 offset += len;
8915 break;
8916 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:
8917 /* No Payload */
8918 break;
8919 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {
8920 uint32_t connectionid_length;
8921 quic_cid_t cid;
8922
8923 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
8924 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8925 offset += 4;
8926 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
8927 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8928 offset += 2;
8929 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
8930 tvb, offset, 16, ENC_NA0x00000000);
8931 offset += 16;
8932 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
8933 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8934 offset += 2;
8935 /* XXX - Should we add these addresses and ports as addresses that the client
8936 * is allowed / expected to migrate the server address to? Right now we don't
8937 * enforce that (see RFC 9000 Section 9, which implies that while the client
8938 * can migrate to whatever address it wants, it can only migrate the server
8939 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
8940 */
8941
8942 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
8943 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
8944 break;
8945 }
8946 offset += 1;
8947
8948 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
8949 tvb, offset, connectionid_length, ENC_NA0x00000000);
8950 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8951 cid.len = connectionid_length;
8952 // RFC 9000 5.1.1 "If the preferred_address transport
8953 // parameter is sent, the sequence number of the supplied
8954 // connection ID is 1."
8955 cid.seq_num = 1;
8956 // Multipath draft-07 "Also, the Path Identifier for the
8957 // connection ID specified in the "preferred address"
8958 // transport parameter is 0."
8959 cid.path_id = 0;
8960 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
8961 quic_add_connection(pinfo, &cid);
8962 }
8963 offset += connectionid_length;
8964
8965 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
8966 tvb, offset, 16, ENC_NA0x00000000);
8967 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8968 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
8969 }
8970 offset += 16;
8971 }
8972 break;
8973 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:
8974 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
8975 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8976 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8977 offset += len;
8978 break;
8979 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:
8980 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
8981 tvb, offset, parameter_length, ENC_NA0x00000000);
8982 offset += parameter_length;
8983 break;
8984 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:
8985 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
8986 tvb, offset, parameter_length, ENC_NA0x00000000);
8987 offset += parameter_length;
8988 break;
8989 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:
8990 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
8991 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8992 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8993 offset += len;
8994 break;
8995 case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:
8996 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
8997 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8998 proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);
8999 offset += len;
9000 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
9001 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9002 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);
9003 offset += len;
9004 break;
9005 case SSL_HND_QUIC_TP_LOSS_BITS0x1057:
9006 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
9007 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9008 if (len > 0) {
9009 quic_add_loss_bits(pinfo, value);
9010 }
9011 offset += 1;
9012 break;
9013 case SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176:
9014 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_address_discovery,
9015 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
9016 offset += len;
9017 break;
9018 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:
9019 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:
9020 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:
9021 case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:
9022 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
9023 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9024 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9025 offset += len;
9026 break;
9027 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:
9028 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
9029 tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
9030 offset += parameter_length;
9031 break;
9032 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:
9033 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
9034 tvb, offset, parameter_length, ENC_NA0x00000000);
9035 offset += parameter_length;
9036 break;
9037 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:
9038 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
9039 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
9040 offset += 4;
9041 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
9042 uint32_t versions_length;
9043
9044 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
9045 tvb, offset, 1, ENC_NA0x00000000, &versions_length);
9046 offset += 1;
9047 for (i = 0; i < versions_length / 4; i++) {
9048 quic_proto_tree_add_version(tvb, parameter_tree,
9049 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
9050 offset += 4;
9051 }
9052 }
9053 break;
9054 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:
9055 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
9056 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9057 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);
9058 offset += len;
9059 break;
9060 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:
9061 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
9062 tvb, offset, parameter_length, ENC_NA0x00000000);
9063 offset += parameter_length;
9064 break;
9065 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:
9066 /* This field was used for non-standard Google-specific parameters encoded as a
9067 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
9068 * parameters. Report it as a bytes blob... */
9069 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
9070 tvb, offset, parameter_length, ENC_NA0x00000000);
9071 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
9072 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
9073 tvb, offset, 4, ENC_NA0x00000000);
9074 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
9075 offset += parameter_length;
9076 break;
9077 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:
9078 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
9079 tvb, offset, parameter_length, ENC_NA0x00000000);
9080 offset += parameter_length;
9081 break;
9082 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:
9083 /* No Payload */
9084 break;
9085 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:
9086 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
9087 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9088 offset += parameter_length;
9089 break;
9090 case SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db:
9091 case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:
9092 quic_proto_tree_add_version(tvb, parameter_tree,
9093 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
9094 offset += 4;
9095 for (i = 4; i < parameter_length; i += 4) {
9096 quic_proto_tree_add_version(tvb, parameter_tree,
9097 hf->hf.hs_ext_quictp_parameter_other_version, offset);
9098 offset += 4;
9099 }
9100 break;
9101 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:
9102 /* No Payload */
9103 quic_add_grease_quic_bit(pinfo);
9104 break;
9105 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:
9106 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
9107 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9108 offset += parameter_length;
9109 break;
9110 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:
9111 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
9112 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9113 if (value == 1) {
9114 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9115 }
9116 offset += parameter_length;
9117 break;
9118 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:
9119 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:
9120 /* No Payload */
9121 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9122 break;
9123 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:
9124 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
9125 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9126 if (value > 1) {
9127 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9128 }
9129 /* multipath draft-07: "The value of the initial_max_paths
9130 * parameter MUST be at least 2." TODO: Expert Info? */
9131 offset += parameter_length;
9132 break;
9133 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09:
9134 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11:
9135 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c:
9136 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d0d:
9137 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
9138 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9139 /* multipath draft-09 and later: "If an endpoint receives an
9140 * initial_max_path_id transport parameter with value 0, the
9141 * peer aims to enable the multipath extension without allowing
9142 * extra paths immediately."
9143 */
9144 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9145 offset += parameter_length;
9146 break;
9147 default:
9148 offset += parameter_length;
9149 /*TODO display expert info about unknown ? */
9150 break;
9151 }
9152
9153 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
9154 /* Dissection did not end at expected location, fix it. */
9155 offset = parameter_end_offset;
9156 }
9157 }
9158
9159 return offset;
9160}
9161
9162static int
9163ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9164 proto_tree *tree, uint32_t offset,
9165 SslSession *session, SslDecryptSession *ssl,
9166 bool_Bool from_server, bool_Bool is_hrr)
9167{
9168 uint8_t sessid_length;
9169 proto_item *ti;
9170 proto_tree *rnd_tree;
9171 proto_tree *ti_rnd;
9172 proto_tree *ech_confirm_tree;
9173 uint8_t draft_version = session->tls13_draft_version;
9174
9175 if (ssl) {
9176 StringInfo *rnd;
9177 if (from_server)
9178 rnd = &ssl->server_random;
9179 else
9180 rnd = &ssl->client_random;
9181
9182 /* save provided random for later keyring generation */
9183 tvb_memcpy(tvb, rnd->data, offset, 32);
9184 rnd->data_len = 32;
9185 if (from_server)
9186 ssl->state |= SSL_SERVER_RANDOM(1<<1);
9187 else
9188 ssl->state |= SSL_CLIENT_RANDOM(1<<0);
9189 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)),
9190 from_server ? "SERVER" : "CLIENT", ssl->state);
9191 }
9192
9193 if (!from_server && session->client_random.data_len == 0) {
9194 session->client_random.data_len = 32;
9195 tvb_memcpy(tvb, session->client_random.data, offset, 32);
9196 }
9197
9198 ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA0x00000000);
9199
9200 if ((session->version != TLSV1DOT3_VERSION0x304) && (session->version != DTLSV1DOT3_VERSION0xfefc)) { /* No time on first bytes random with TLS 1.3 */
9201
9202 rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9203 /* show the time */
9204 proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
9205 tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_BIG_ENDIAN0x00000000);
9206 offset += 4;
9207
9208 /* show the random bytes */
9209 proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
9210 tvb, offset, 28, ENC_NA0x00000000);
9211 offset += 28;
9212 } else {
9213 if (is_hrr) {
9214 proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
9215 } else if (from_server && session->ech) {
9216 ech_confirm_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9217 proto_tree_add_item(ech_confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA0x00000000);
9218 ti = proto_tree_add_bytes_with_length(ech_confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
9219 session->ech_confirmation, 8);
9220 proto_item_set_generated(ti);
9221 if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8)) {
9222 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
9223 } else {
9224 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
9225 }
9226 }
9227
9228 offset += 32;
9229 }
9230
9231 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
9232 if (from_server == 0 || !(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
9233 /* show the session id (length followed by actual Session ID) */
9234 sessid_length = tvb_get_uint8(tvb, offset);
9235 proto_tree_add_item(tree, hf->hf.hs_session_id_len,
9236 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9237 offset++;
9238
9239 if (ssl) {
9240 /* save the authoritative SID for later use in ChangeCipherSpec.
9241 * (D)TLS restricts the SID to 32 chars, it does not make sense to
9242 * save more, so ignore larger ones. */
9243 if (from_server && sessid_length <= 32) {
9244 tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
9245 ssl->session_id.data_len = sessid_length;
9246 }
9247 }
9248 if (sessid_length > 0) {
9249 proto_tree_add_item(tree, hf->hf.hs_session_id,
9250 tvb, offset, sessid_length, ENC_NA0x00000000);
9251 offset += sessid_length;
9252 }
9253 }
9254
9255 return offset;
9256}
9257
9258static int
9259ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9260 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9261 bool_Bool has_length)
9262{
9263 /* TLS 1.2/1.3 status_request Client Hello Extension.
9264 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
9265 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
9266 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
9267 * struct {
9268 * CertificateStatusType status_type;
9269 * uint16 request_length; // for status_request_v2
9270 * select (status_type) {
9271 * case ocsp: OCSPStatusRequest;
9272 * case ocsp_multi: OCSPStatusRequest;
9273 * } request;
9274 * } CertificateStatusRequest; // CertificateStatusRequestItemV2
9275 *
9276 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
9277 * struct {
9278 * ResponderID responder_id_list<0..2^16-1>;
9279 * Extensions request_extensions;
9280 * } OCSPStatusRequest;
9281 * opaque ResponderID<1..2^16-1>;
9282 * opaque Extensions<0..2^16-1>;
9283 */
9284 unsigned cert_status_type;
9285
9286 cert_status_type = tvb_get_uint8(tvb, offset);
9287 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
9288 tvb, offset, 1, ENC_NA0x00000000);
9289 offset++;
9290
9291 if (has_length) {
9292 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
9293 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9294 offset += 2;
9295 }
9296
9297 switch (cert_status_type) {
9298 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9299 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9300 {
9301 uint32_t responder_id_list_len;
9302 uint32_t request_extensions_len;
9303
9304 /* ResponderID responder_id_list<0..2^16-1> */
9305 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
9306 hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX(65535))) {
9307 return offset_end;
9308 }
9309 offset += 2;
9310 if (responder_id_list_len != 0) {
9311 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9312 tvb, offset, responder_id_list_len,
9313 "Responder ID list is not implemented, contact Wireshark"
9314 " developers if you want this to be supported");
9315 }
9316 offset += responder_id_list_len;
9317
9318 /* opaque Extensions<0..2^16-1> */
9319 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
9320 hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX(65535))) {
9321 return offset_end;
9322 }
9323 offset += 2;
9324 if (request_extensions_len != 0) {
9325 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9326 tvb, offset, request_extensions_len,
9327 "Request Extensions are not implemented, contact"
9328 " Wireshark developers if you want this to be supported");
9329 }
9330 offset += request_extensions_len;
9331 break;
9332 }
9333 }
9334
9335 return offset;
9336}
9337
9338static unsigned
9339ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9340 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9341{
9342 /* https://tools.ietf.org/html/rfc6961#section-2.2
9343 * struct {
9344 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
9345 * } CertificateStatusRequestListV2;
9346 */
9347 uint32_t req_list_length, next_offset;
9348
9349 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
9350 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
9351 hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX(65535))) {
9352 return offset_end;
9353 }
9354 offset += 2;
9355 next_offset = offset + req_list_length;
9356
9357 while (offset < next_offset) {
9358 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true1);
9359 }
9360
9361 return offset;
9362}
9363
9364static uint32_t
9365tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9366 uint32_t offset, uint32_t offset_end)
9367{
9368 uint32_t response_length;
9369 proto_item *ocsp_resp;
9370 proto_tree *ocsp_resp_tree;
9371 asn1_ctx_t asn1_ctx;
9372
9373 /* opaque OCSPResponse<1..2^24-1>; */
9374 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
9375 hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9376 return offset_end;
9377 }
9378 offset += 3;
9379
9380 ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
9381 response_length, ENC_BIG_ENDIAN0x00000000);
9382 proto_item_set_text(ocsp_resp, "OCSP Response");
9383 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
9384 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
9385 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
9386 dissect_ocsp_OCSPResponse(false0, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
9387 }
9388 offset += response_length;
9389
9390 return offset;
9391}
9392
9393uint32_t
9394tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9395 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9396{
9397 /* TLS 1.2 "CertificateStatus" handshake message.
9398 * TLS 1.3 "status_request" Certificate extension.
9399 * struct {
9400 * CertificateStatusType status_type;
9401 * select (status_type) {
9402 * case ocsp: OCSPResponse;
9403 * case ocsp_multi: OCSPResponseList; // status_request_v2
9404 * } response;
9405 * } CertificateStatus;
9406 * opaque OCSPResponse<1..2^24-1>;
9407 * struct {
9408 * OCSPResponse ocsp_response_list<1..2^24-1>;
9409 * } OCSPResponseList; // status_request_v2
9410 */
9411 uint32_t status_type, resp_list_length, next_offset;
9412
9413 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
9414 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &status_type);
9415 offset += 1;
9416
9417 switch (status_type) {
9418 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9419 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
9420 break;
9421
9422 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9423 /* OCSPResponse ocsp_response_list<1..2^24-1> */
9424 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
9425 hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9426 return offset_end;
9427 }
9428 offset += 3;
9429 next_offset = offset + resp_list_length;
9430
9431 while (offset < next_offset) {
9432 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
9433 }
9434 break;
9435 }
9436
9437 return offset;
9438}
9439
9440static unsigned
9441ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9442 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9443 wmem_strbuf_t *ja3)
9444{
9445 /* RFC 8446 Section 4.2.7
9446 * enum { ..., (0xFFFF) } NamedGroup;
9447 * struct {
9448 * NamedGroup named_group_list<2..2^16-1>
9449 * } NamedGroupList;
9450 *
9451 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
9452 * the extension itself from "elliptic_curves" to "supported_groups".
9453 */
9454 uint32_t groups_length, next_offset;
9455 proto_tree *groups_tree;
9456 proto_item *ti;
9457 char *ja3_dash = "";
9458
9459 /* NamedGroup named_group_list<2..2^16-1> */
9460 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
9461 hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX(65535))) {
9462 return offset_end;
9463 }
9464 offset += 2;
9465 next_offset = offset + groups_length;
9466
9467 ti = proto_tree_add_none_format(tree,
9468 hf->hf.hs_ext_supported_groups,
9469 tvb, offset, groups_length,
9470 "Supported Groups (%d group%s)",
9471 groups_length / 2,
9472 plurality(groups_length/2, "", "s")((groups_length/2) == 1 ? ("") : ("s")));
9473
9474 /* make this a subtree */
9475 groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);
9476
9477 if (ja3) {
9478 wmem_strbuf_append_c(ja3, ',');
9479 }
9480 /* loop over all groups */
9481 while (offset + 2 <= offset_end) {
9482 uint32_t ext_supported_group;
9483
9484 proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
9485 ENC_BIG_ENDIAN0x00000000, &ext_supported_group);
9486 offset += 2;
9487 if (ja3 && !IS_GREASE_TLS(ext_supported_group)((((ext_supported_group) & 0x0f0f) == 0x0a0a) && (
((ext_supported_group) & 0xff) == (((ext_supported_group)
>>8) & 0xff)))) {
9488 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
9489 ja3_dash = "-";
9490 }
9491 }
9492 if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
9493 offset = next_offset;
9494 }
9495
9496 return offset;
9497}
9498
9499static int
9500ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9501 proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
9502{
9503 uint8_t ecpf_length;
9504 proto_tree *ecpf_tree;
9505 proto_item *ti;
9506
9507 ecpf_length = tvb_get_uint8(tvb, offset);
9508 proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
9509 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9510
9511 offset += 1;
9512 ti = proto_tree_add_none_format(tree,
9513 hf->hf.hs_ext_ec_point_formats,
9514 tvb, offset, ecpf_length,
9515 "Elliptic curves point formats (%d)",
9516 ecpf_length);
9517
9518 /* make this a subtree */
9519 ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);
9520
9521 if (ja3) {
9522 wmem_strbuf_append_c(ja3, ',');
9523 }
9524
9525 /* loop over all point formats */
9526 while (ecpf_length > 0)
9527 {
9528 uint32_t ext_ec_point_format;
9529
9530 proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
9531 ENC_BIG_ENDIAN0x00000000, &ext_ec_point_format);
9532 offset++;
9533 ecpf_length--;
9534 if (ja3) {
9535 wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
9536 if (ecpf_length > 0) {
9537 wmem_strbuf_append_c(ja3, '-');
9538 }
9539 }
9540 }
9541
9542 return offset;
9543}
9544
9545static int
9546ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9547 packet_info *pinfo, proto_tree *tree,
9548 uint32_t offset, uint32_t next_offset)
9549{
9550 /* https://tools.ietf.org/html/rfc5054#section-2.8.1
9551 * opaque srp_I<1..2^8-1>;
9552 */
9553 uint32_t username_len;
9554
9555 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
9556 hf->hf.hs_ext_srp_len, 1, UINT8_MAX(255))) {
9557 return next_offset;
9558 }
9559 offset++;
9560
9561 proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
9562 tvb, offset, username_len, ENC_UTF_80x00000002|ENC_NA0x00000000);
9563 offset += username_len;
9564
9565 return offset;
9566}
9567
9568static uint32_t
9569tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9570 uint32_t offset, uint32_t offset_end, uint16_t version)
9571{
9572 /* https://tools.ietf.org/html/rfc6962#section-3.2
9573 * enum { v1(0), (255) } Version;
9574 * struct {
9575 * opaque key_id[32];
9576 * } LogID;
9577 * opaque CtExtensions<0..2^16-1>;
9578 * struct {
9579 * Version sct_version;
9580 * LogID id;
9581 * uint64 timestamp;
9582 * CtExtensions extensions;
9583 * digitally-signed struct { ... };
9584 * } SignedCertificateTimestamp;
9585 */
9586 uint32_t sct_version;
9587 uint64_t sct_timestamp_ms;
9588 nstime_t sct_timestamp;
9589 uint32_t exts_len;
9590 const char *log_name;
9591
9592 proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA0x00000000, &sct_version);
9593 offset++;
9594 if (sct_version != 0) {
9595 // TODO expert info about unknown SCT version?
9596 return offset;
9597 }
9598 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN0x00000000);
9599 log_name = bytesval_to_str_wmem(pinfo->pool, tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
9600 proto_item_append_text(tree, " (%s)", log_name);
9601 offset += 32;
9602 sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);
9603 sct_timestamp.secs = (time_t)(sct_timestamp_ms / 1000);
9604 sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);
9605 proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
9606 offset += 8;
9607 /* opaque CtExtensions<0..2^16-1> */
9608 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
9609 hf->hf.sct_sct_extensions_length, 0, UINT16_MAX(65535))) {
9610 return offset_end;
9611 }
9612 offset += 2;
9613 if (exts_len > 0) {
9614 proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN0x00000000);
9615 offset += exts_len;
9616 }
9617 offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
9618 hf->hf.sct_sct_signature_length,
9619 hf->hf.sct_sct_signature);
9620 return offset;
9621}
9622
9623uint32_t
9624tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9625 uint32_t offset, uint32_t offset_end, uint16_t version)
9626{
9627 /* https://tools.ietf.org/html/rfc6962#section-3.3
9628 * opaque SerializedSCT<1..2^16-1>;
9629 * struct {
9630 * SerializedSCT sct_list <1..2^16-1>;
9631 * } SignedCertificateTimestampList;
9632 */
9633 uint32_t list_length, sct_length, next_offset;
9634 proto_tree *subtree;
9635
9636 /* SerializedSCT sct_list <1..2^16-1> */
9637 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
9638 hf->hf.sct_scts_length, 1, UINT16_MAX(65535))) {
9639 return offset_end;
9640 }
9641 offset += 2;
9642
9643 while (offset < offset_end) {
9644 subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL((void*)0), "Signed Certificate Timestamp");
9645
9646 /* opaque SerializedSCT<1..2^16-1> */
9647 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,
9648 hf->hf.sct_sct_length, 1, UINT16_MAX(65535))) {
9649 return offset_end;
9650 }
9651 offset += 2;
9652 next_offset = offset + sct_length;
9653 proto_item_set_len(subtree, 2 + sct_length);
9654 offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
9655 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
9656 offset = next_offset;
9657 }
9658 }
9659
9660 return offset;
9661}
9662
9663static int
9664dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
9665 proto_tree *tree, uint32_t offset)
9666{
9667 uint32_t kdf_id, aead_id;
9668 proto_item *cs_ti;
9669 proto_tree *cs_tree;
9670
9671 cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
9672 tvb, offset, 4, ENC_NA0x00000000);
9673 cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);
9674
9675 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
9676 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &kdf_id);
9677 offset += 2;
9678 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
9679 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &aead_id);
9680 offset += 2;
9681
9682 proto_item_append_text(cs_ti, ": %s/%s",
9683 val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
9684 val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
9685 return offset;
9686}
9687
9688static int
9689dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9690 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9691 uint32_t *config_id)
9692{
9693 uint32_t length, cipher_suite_length;
9694 proto_item *kc_ti, *css_ti;
9695 proto_tree *kc_tree, *css_tree;
9696 uint32_t original_offset = offset, next_offset;
9697
9698 kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
9699 tvb, offset, -1, ENC_NA0x00000000);
9700 kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);
9701
9702 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
9703 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, config_id);
9704 offset += 1;
9705 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
9706 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9707 offset += 2;
9708 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
9709 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9710 offset += 2;
9711 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
9712 tvb, offset, length, ENC_NA0x00000000);
9713 offset += length;
9714
9715 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
9716 if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
9717 hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX(65535) - 3)) {
9718 return offset_end;
9719 }
9720 offset += 2;
9721 next_offset = offset + cipher_suite_length;
9722
9723 css_ti = proto_tree_add_none_format(kc_tree,
9724 hf->hf.ech_hpke_keyconfig_cipher_suites,
9725 tvb, offset, cipher_suite_length,
9726 "Cipher Suites (%d suite%s)",
9727 cipher_suite_length / 4,
9728 plurality(cipher_suite_length / 4, "", "s")((cipher_suite_length / 4) == 1 ? ("") : ("s")));
9729 css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);
9730
9731
9732 while (offset + 4 <= next_offset) {
9733 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
9734 }
9735
9736 if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
9737 offset = next_offset;
9738 }
9739
9740 proto_item_set_len(kc_ti, offset - original_offset);
9741
9742 return offset;
9743}
9744
9745static int
9746dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9747 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9748 const uint8_t **public_name, uint32_t *config_id)
9749{
9750 uint32_t public_name_length, extensions_length, next_offset;
9751
9752 offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
9753 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
9754 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9755 offset += 1;
9756 proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
9757 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &public_name_length);
9758 offset += 1;
9759 proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
9760 tvb, offset, public_name_length, ENC_ASCII0x00000000, pinfo->pool, public_name);
9761 offset += public_name_length;
9762
9763 /* Extension extensions<0..2^16-1>; */
9764 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
9765 hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX(65535))) {
9766 return offset_end;
9767 }
9768 offset += 2;
9769 next_offset = offset + extensions_length;
9770
9771 if (extensions_length > 0) {
9772 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
9773 tvb, offset, extensions_length, ENC_NA0x00000000);
9774 }
9775 offset += extensions_length;
9776
9777 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9778 offset = next_offset;
9779 }
9780
9781 return offset;
9782}
9783
9784static int
9785dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9786 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9787{
9788 uint32_t version, length;
9789 proto_item *ech_ti;
9790 proto_tree *ech_tree;
9791 const uint8_t *public_name = NULL((void*)0);
9792 uint32_t config_id = 0;
9793
9794 ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA0x00000000);
9795 ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);
9796
9797 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
9798 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
9799 offset += 2;
9800 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
9801 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9802 offset += 2;
9803
9804 proto_item_set_len(ech_ti, 4 + length);
9805
9806 switch(version) {
9807 case 0xfe0d:
9808 dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
9809 proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
9810 break;
9811
9812 default:
9813 expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
9814 }
9815
9816 return 4 + length;
9817}
9818
9819uint32_t
9820ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9821 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9822{
9823 uint32_t echconfiglist_length, next_offset;
9824
9825 /* ECHConfig ECHConfigList<1..2^16-1>; */
9826 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
9827 hf->hf.ech_echconfiglist_length, 1, UINT16_MAX(65535))) {
9828 return offset_end;
9829 }
9830 offset += 2;
9831 next_offset = offset + echconfiglist_length;
9832
9833 while (offset < next_offset) {
9834 offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
9835 }
9836
9837 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9838 offset = next_offset;
9839 }
9840
9841 return offset;
9842}
9843
9844static uint32_t
9845ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9846 uint32_t offset, uint32_t offset_end)
9847{
9848 uint32_t ext_length, next_offset;
9849 proto_tree *ext_tree;
9850 proto_item *ti;
9851
9852 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
9853 hf->hf.hs_ext_ech_outer_ext_len, 2, UINT8_MAX(255))) {
9854 return offset_end;
9855 }
9856 offset += 1;
9857 next_offset = offset + ext_length;
9858
9859 ti = proto_tree_add_none_format(tree,
9860 hf->hf.hs_ext_ech_outer_ext,
9861 tvb, offset, ext_length,
9862 "Outer Extensions (%d extension%s)",
9863 ext_length / 2,
9864 plurality(ext_length/2, "", "s")((ext_length/2) == 1 ? ("") : ("s")));
9865
9866 ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);
9867
9868 while (offset + 2 <= offset_end) {
9869 proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9870 offset += 2;
9871 }
9872
9873 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
9874 offset = next_offset;
9875 }
9876
9877 return offset;
9878}
9879
9880static uint32_t
9881// NOLINTNEXTLINE(misc-no-recursion)
9882ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9883 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9884 uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
9885 uint32_t initial_offset, uint32_t hello_length)
9886{
9887 uint32_t ch_type, length;
9888 proto_item *ti, *payload_ti;
9889 proto_tree *retry_tree, *payload_tree;
9890
9891 switch (hnd_type) {
9892 case SSL_HND_CLIENT_HELLO:
9893 /*
9894 * enum { outer(0), inner(1) } ECHClientHelloType;
9895 *
9896 * struct {
9897 * ECHClientHelloType type;
9898 * select (ECHClientHello.type) {
9899 * case outer:
9900 * HpkeSymmetricCipherSuite cipher_suite;
9901 * uint8 config_id;
9902 * opaque enc<0..2^16-1>;
9903 * opaque payload<1..2^16-1>;
9904 * case inner:
9905 * Empty;
9906 * };
9907 * } ECHClientHello;
9908 */
9909
9910 proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &ch_type);
9911 offset += 1;
9912 switch (ch_type) {
9913 case 0: /* outer */
9914 if (ssl && session->first_ch_ech_frame == 0) {
9915 session->first_ch_ech_frame = pinfo->num;
9916 }
9917 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
9918 uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
9919 uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);
9920
9921 proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9922 uint8_t config_id = tvb_get_uint8(tvb, offset);
9923 offset += 1;
9924 proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9925 offset += 2;
9926 proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA0x00000000);
9927 offset += length;
9928 proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9929 offset += 2;
9930 payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA0x00000000);
9931 offset += length;
9932
9933 if (!mk_map) {
9934 break;
9935 }
9936 if (session->client_random.data_len == 0) {
9937 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
9938 break;
9939 }
9940 StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
9941 StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
9942 if (!ech_secret || !ech_config) {
9943 ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
9944 G_STRFUNC((const char*) (__func__)));
9945 break;
9946 }
9947
9948 if (hpke_hkdf_len(kdf_id) == 0) {
9949 ssl_debug_printf("Unsupported KDF\n");
9950 break;
9951 }
9952
9953 if (hpke_aead_key_len(aead_id) == 0) {
9954 ssl_debug_printf("Unsupported AEAD\n");
9955 break;
9956 }
9957
9958 size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);
9959
9960 uint16_t version = GUINT16_FROM_BE(*(uint16_t *)ech_config->data)(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)ech_config
->data) >> 8) | (guint16) ((guint16) (*(uint16_t *)ech_config
->data) << 8))))));
9961 if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
9962 ssl_debug_printf("Unexpected version in ECH Config\n");
9963 break;
9964 }
9965 uint32_t ech_config_offset = 2;
9966 if (GUINT16_FROM_BE(*(uint16_t *)(ech_config->data + ech_config_offset))(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)(ech_config
->data + ech_config_offset)) >> 8) | (guint16) ((guint16
) (*(uint16_t *)(ech_config->data + ech_config_offset)) <<
8)))))) != ech_config->data_len - 4) {
9967 ssl_debug_printf("Malformed ECH Config, invalid length\n");
9968 break;
9969 }
9970 ech_config_offset += 2;
9971 if (*(ech_config->data + ech_config_offset) != config_id) {
9972 ssl_debug_printf("ECH Config version mismatch\n");
9973 break;
9974 }
9975 ech_config_offset += 1;
9976 uint16_t kem_id_be = *(uint16_t *)(ech_config->data + ech_config_offset);
9977 uint16_t kem_id = GUINT16_FROM_BE(kem_id_be)(((((guint16) ( (guint16) ((guint16) (kem_id_be) >> 8) |
(guint16) ((guint16) (kem_id_be) << 8))))));
9978 uint8_t suite_id[HPKE_SUIT_ID_LEN10];
9979 hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
9980 GByteArray *info = g_byte_array_new();
9981 g_byte_array_append(info, (const uint8_t*)"tls ech", 8);
9982 g_byte_array_append(info, ech_config->data, ech_config->data_len);
9983 uint8_t key[AEAD_MAX_KEY_LENGTH32];
9984 uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH12];
9985 if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE0,
9986 key, base_nonce)) {
9987 g_byte_array_free(info, TRUE(!(0)));
9988 break;
9989 }
9990 g_byte_array_free(info, TRUE(!(0)));
9991 gcry_cipher_hd_t cipher;
9992 if (hpke_setup_aead(&cipher, aead_id, key) ||
9993 hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
9994 gcry_cipher_close(cipher);
9995 break;
9996 }
9997 const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
9998 uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL((void*)0), hello_length);
9999 tvb_memcpy(tvb, ech_aad, initial_offset, hello_length);
10000 memset(ech_aad + offset - length - initial_offset, 0, length);
10001 if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
10002 gcry_cipher_close(cipher);
10003 wmem_free(NULL((void*)0), ech_aad);
10004 break;
10005 }
10006 wmem_free(NULL((void*)0), ech_aad);
10007 uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, length - 16);
10008 if (gcry_cipher_decrypt(cipher, ech_decrypted_data, length - 16, payload, length - 16)) {
10009 gcry_cipher_close(cipher);
10010 break;
10011 }
10012 unsigned char ech_auth_tag_calc[16];
10013 if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, 16)) {
10014 gcry_cipher_close(cipher);
10015 break;
10016 }
10017 if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
10018 memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, 16);
10019 gcry_cipher_close(cipher);
10020 if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
10021 payload + length - 16, 16)) {
10022 ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
10023 } else {
10024 payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
10025 tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, length - 16, length - 16);
10026 add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
10027 if (ssl) {
10028 tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
10029 uint32_t len_offset = ssl->ech_transcript.data_len;
10030 if (ssl->ech_transcript.data_len > 0)
10031 ssl->ech_transcript.data = (unsigned char*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
10032 ssl->ech_transcript.data_len + hello_length + 4);
10033 else
10034 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), hello_length + 4);
10035 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
10036 ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
10037 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
10038 ssl->ech_transcript.data_len += 38;
10039 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset + 34,
10040 tvb_get_uint8(tvb, initial_offset + 34) + 1);
10041 ssl->ech_transcript.data_len += tvb_get_uint8(tvb, initial_offset + 34) + 1;
10042 uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
10043 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10044 2 + tvb_get_ntohs(ech_tvb, ech_offset));
10045 ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10046 ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10047 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10048 1 + tvb_get_uint8(ech_tvb, ech_offset));
10049 ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10050 ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10051 uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
10052 ssl->ech_transcript.data_len += 2;
10053 uint16_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
10054 ech_offset += 2;
10055 while (extensions_end - ech_offset >= 4) {
10056 if (tvb_get_ntohs(ech_tvb, ech_offset) != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768) {
10057 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10058 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2));
10059 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
10060 ech_offset += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
10061 } else if (tvb_get_ntohs(ech_tvb, ech_offset + 2) > 0) {
10062 uint8_t outer_extensions_end = tvb_get_uint8(ech_tvb, ech_offset + 4) + ech_offset + 5;
10063 ech_offset += 5;
10064 uint16_t outer_offset = initial_offset + 35 + tvb_get_uint8(tvb, initial_offset + 34);
10065 outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
10066 outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
10067 while (outer_extensions_end - ech_offset >= 2) {
10068 while (hello_length - outer_offset >= 4) {
10069 if (tvb_get_ntohs(tvb, outer_offset) == tvb_get_ntohs(ech_tvb, ech_offset)) {
10070 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
10071 4 + tvb_get_ntohs(tvb, outer_offset + 2));
10072 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10073 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10074 break;
10075 } else {
10076 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10077 }
10078 }
10079 ech_offset += 2;
10080 }
10081 }
10082 }
10083 uint16_t ech_extensions_len_be = GUINT16_TO_BE(ssl->ech_transcript.data_len - ech_extensions_len_offset - 2)((((guint16) ( (guint16) ((guint16) (ssl->ech_transcript.data_len
- ech_extensions_len_offset - 2) >> 8) | (guint16) ((guint16
) (ssl->ech_transcript.data_len - ech_extensions_len_offset
- 2) << 8)))));
10084 *(ssl->ech_transcript.data + ech_extensions_len_offset) = ech_extensions_len_be & 0xff;
10085 *(ssl->ech_transcript.data + ech_extensions_len_offset + 1) = (ech_extensions_len_be >> 8);
10086 *(ssl->ech_transcript.data + len_offset + 2) = ((ssl->ech_transcript.data_len - len_offset - 4) >> 8);
10087 *(ssl->ech_transcript.data + len_offset + 3) = (ssl->ech_transcript.data_len - len_offset - 4) & 0xff;
10088 }
10089 uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, length - 16, session,
10090 ssl, NULL((void*)0), mk_map);
10091 if (ech_padding_begin < length - 16) {
10092 proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, length - 16 - ech_padding_begin,
10093 ENC_NA0x00000000);
10094 }
10095 }
10096
10097 break;
10098 case 1: /* inner */
10099 break;
10100 }
10101 break;
10102
10103 case SSL_HND_ENCRYPTED_EXTENSIONS:
10104 /*
10105 * struct {
10106 * ECHConfigList retry_configs;
10107 * } ECHEncryptedExtensions;
10108 */
10109
10110 ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA0x00000000);
10111 retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
10112 offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
10113 break;
10114
10115 case SSL_HND_HELLO_RETRY_REQUEST:
10116 /*
10117 * struct {
10118 * opaque confirmation[8];
10119 * } ECHHelloRetryRequest;
10120 */
10121
10122 proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA0x00000000);
10123 if (session->ech) {
10124 ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
10125 proto_item_set_generated(ti);
10126 if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
10127 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
10128 } else {
10129 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
10130 }
10131 }
10132 offset += 8;
10133 break;
10134 }
10135
10136 return offset;
10137}
10138
10139static uint32_t
10140ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10141 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10142 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
10143{
10144 uint32_t record_digest_length, encrypted_sni_length;
10145
10146 switch (hnd_type) {
10147 case SSL_HND_CLIENT_HELLO:
10148 /*
10149 * struct {
10150 * CipherSuite suite;
10151 * KeyShareEntry key_share;
10152 * opaque record_digest<0..2^16-1>;
10153 * opaque encrypted_sni<0..2^16-1>;
10154 * } ClientEncryptedSNI;
10155 */
10156 proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
10157 offset += 2;
10158 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL((void*)0));
10159
10160 /* opaque record_digest<0..2^16-1> */
10161 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
10162 hf->hf.esni_record_digest_length, 0, UINT16_MAX(65535))) {
10163 return offset_end;
10164 }
10165 offset += 2;
10166 if (record_digest_length > 0) {
10167 proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA0x00000000);
10168 offset += record_digest_length;
10169 }
10170
10171 /* opaque encrypted_sni<0..2^16-1> */
10172 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
10173 hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX(65535))) {
10174 return offset_end;
10175 }
10176 offset += 2;
10177 if (encrypted_sni_length > 0) {
10178 proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA0x00000000);
10179 offset += encrypted_sni_length;
10180 }
10181 break;
10182
10183 case SSL_HND_ENCRYPTED_EXTENSIONS:
10184 proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA0x00000000);
10185 offset += 16;
10186 break;
10187 }
10188
10189 return offset;
10190}
10191/** TLS Extensions (in Client Hello and Server Hello). }}} */
10192
10193/* Connection ID dissection. {{{ */
10194static uint32_t
10195ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10196 proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
10197 uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
10198{
10199 /* keep track of the decrypt session only for the first pass */
10200 if (cidl > 0 && !PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
10201 tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
10202 *session_cidl = cidl;
10203 *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);
10204 tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
10205 if (ssl) {
10206 ssl_add_session_by_cid(ssl);
10207 }
10208 }
10209
10210 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
10211 tvb, offset, 1, ENC_NA0x00000000);
10212 offset++;
10213
10214 if (cidl > 0) {
10215 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
10216 tvb, offset, cidl, ENC_NA0x00000000);
10217 offset += cidl;
10218 }
10219
10220 return offset;
10221}
10222
10223static uint32_t
10224ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10225 proto_tree *tree, uint32_t offset, uint8_t hnd_type,
10226 SslSession *session, SslDecryptSession *ssl)
10227{
10228 uint8_t cidl = tvb_get_uint8(tvb, offset);
10229
10230 switch (hnd_type) {
10231 case SSL_HND_CLIENT_HELLO:
10232 session->client_cid_len_present = true1;
10233 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10234 cidl, &session->client_cid, &session->client_cid_len);
10235 case SSL_HND_SERVER_HELLO:
10236 session->server_cid_len_present = true1;
10237 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10238 cidl, &session->server_cid, &session->server_cid_len);
10239 default:
10240 return offset;
10241 }
10242} /* }}} */
10243
10244/* Trusted CA dissection. {{{ */
10245static uint32_t
10246ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10247 uint32_t offset, uint32_t offset_end)
10248{
10249 proto_item *ti;
10250 proto_tree *subtree;
10251 uint32_t keys_length, next_offset;
10252
10253 /*
10254 * struct {
10255 * TrustedAuthority trusted_authorities_list<0..2^16-1>;
10256 * } TrustedAuthorities;
10257 *
10258 * struct {
10259 * IdentifierType identifier_type;
10260 * select (identifier_type) {
10261 * case pre_agreed: struct {};
10262 * case key_sha1_hash: SHA1Hash;
10263 * case x509_name: DistinguishedName;
10264 * case cert_sha1_hash: SHA1Hash;
10265 * } identifier;
10266 * } TrustedAuthority;
10267 *
10268 * enum {
10269 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10270 * cert_sha1_hash(3), (255)
10271 * } IdentifierType;
10272 *
10273 * opaque DistinguishedName<1..2^16-1>;
10274 *
10275 */
10276
10277
10278 /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
10279 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
10280 0, UINT16_MAX(65535)))
10281 {
10282 return offset_end;
10283 }
10284 offset += 2;
10285 next_offset = offset + keys_length;
10286
10287 if (keys_length > 0)
10288 {
10289 ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
10290 "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s")((keys_length) == 1 ? ("") : ("s")));
10291 subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);
10292
10293 while (offset < next_offset)
10294 {
10295 uint32_t identifier_type;
10296 proto_tree *trusted_key_tree;
10297 proto_item *trusted_key_item;
10298 asn1_ctx_t asn1_ctx;
10299 uint32_t key_len = 0;
10300
10301 identifier_type = tvb_get_uint8(tvb, offset);
10302
10303 // Use 0 as length for now as we'll only know the size when we decode the identifier
10304 trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
10305 offset, 0, "Trusted CA Key");
10306 trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);
10307
10308 proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
10309 offset, 1, identifier_type);
10310 offset++;
10311
10312 /*
10313 * enum {
10314 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10315 * cert_sha1_hash(3), (255)
10316 * } IdentifierType;
10317 */
10318 switch (identifier_type)
10319 {
10320 case 0:
10321 key_len = 0;
10322 break;
10323 case 2:
10324 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
10325
10326 uint32_t name_length;
10327 /* opaque DistinguishedName<1..2^16-1> */
10328 if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
10329 hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX(65535))) {
10330 return next_offset;
10331 }
10332 offset += 2;
10333
10334 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
10335 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
10336 offset += name_length;
10337 break;
10338 case 1:
10339 case 3:
10340 key_len = 20;
10341 /* opaque SHA1Hash[20]; */
10342 proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
10343 offset, 20, ENC_NA0x00000000);
10344 break;
10345
10346 default:
10347 key_len = 0;
10348 /*TODO display expert info about unknown ? */
10349 break;
10350 }
10351 proto_item_set_len(trusted_key_item, 1 + key_len);
10352 offset += key_len;
10353 }
10354 }
10355
10356 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
10357 {
10358 offset = next_offset;
10359 }
10360
10361 return offset;
10362} /* }}} */
10363
10364
10365/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
10366bool_Bool
10367ssl_is_valid_content_type(uint8_t type)
10368{
10369 switch ((ContentType) type) {
10370 case SSL_ID_CHG_CIPHER_SPEC:
10371 case SSL_ID_ALERT:
10372 case SSL_ID_HANDSHAKE:
10373 case SSL_ID_APP_DATA:
10374 case SSL_ID_HEARTBEAT:
10375 case SSL_ID_TLS12_CID:
10376 case SSL_ID_DTLS13_ACK:
10377 return true1;
10378 }
10379 return false0;
10380}
10381
10382bool_Bool
10383ssl_is_valid_handshake_type(uint8_t hs_type, bool_Bool is_dtls)
10384{
10385 switch ((HandshakeType) hs_type) {
10386 case SSL_HND_HELLO_VERIFY_REQUEST:
10387 /* hello_verify_request is DTLS-only */
10388 return is_dtls;
10389
10390 case SSL_HND_HELLO_REQUEST:
10391 case SSL_HND_CLIENT_HELLO:
10392 case SSL_HND_SERVER_HELLO:
10393 case SSL_HND_NEWSESSION_TICKET:
10394 case SSL_HND_END_OF_EARLY_DATA:
10395 case SSL_HND_HELLO_RETRY_REQUEST:
10396 case SSL_HND_ENCRYPTED_EXTENSIONS:
10397 case SSL_HND_CERTIFICATE:
10398 case SSL_HND_SERVER_KEY_EXCHG:
10399 case SSL_HND_CERT_REQUEST:
10400 case SSL_HND_SVR_HELLO_DONE:
10401 case SSL_HND_CERT_VERIFY:
10402 case SSL_HND_CLIENT_KEY_EXCHG:
10403 case SSL_HND_FINISHED:
10404 case SSL_HND_CERT_URL:
10405 case SSL_HND_CERT_STATUS:
10406 case SSL_HND_SUPPLEMENTAL_DATA:
10407 case SSL_HND_KEY_UPDATE:
10408 case SSL_HND_COMPRESSED_CERTIFICATE:
10409 case SSL_HND_ENCRYPTED_EXTS:
10410 return true1;
10411 case SSL_HND_MESSAGE_HASH:
10412 return false0;
10413 }
10414 return false0;
10415}
10416
10417static bool_Bool
10418ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
10419 bool_Bool is_dtls)
10420{
10421 /* Consider all valid Handshake messages (except for Client Hello) and
10422 * all other valid record types (other than Handshake) */
10423 return (content_type == SSL_ID_HANDSHAKE &&
10424 ssl_is_valid_handshake_type(handshake_type, is_dtls) &&
10425 handshake_type != SSL_HND_CLIENT_HELLO) ||
10426 (content_type != SSL_ID_HANDSHAKE &&
10427 ssl_is_valid_content_type(content_type));
10428}
10429
10430/**
10431 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
10432 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
10433 * Returns true if the supported_versions extension was found, false if not.
10434 */
10435bool_Bool
10436tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
10437 uint16_t *server_version, bool_Bool *is_hrr)
10438{
10439 /* SHA256("HelloRetryRequest") */
10440 static const uint8_t tls13_hrr_random_magic[] = {
10441 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
10442 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
10443 };
10444 uint8_t session_id_length;
10445
10446 *server_version = tvb_get_ntohs(tvb, offset);
10447
10448 /*
10449 * Try to look for supported_versions extension. Minimum length:
10450 * 2 + 32 + 1 = 35 (version, random, session id length)
10451 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10452 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10453 *
10454 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10455 * there's a separate expert info warning for that.
10456 */
10457 if ((*server_version == TLSV1DOT2_VERSION0x303 || *server_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10458 offset += 2;
10459 if (is_hrr) {
10460 *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
10461 }
10462 offset += 32;
10463 session_id_length = tvb_get_uint8(tvb, offset);
10464 offset++;
10465 if (offset_end - offset < session_id_length + 5u) {
10466 return false0;
10467 }
10468 offset += session_id_length + 5;
10469
10470 while (offset_end - offset >= 6) {
10471 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10472 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10473 if (offset_end - offset < 4u + ext_len) {
10474 break; /* not enough data for type, length and data */
10475 }
10476 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10477 if (ext_len == 2) {
10478 *server_version = tvb_get_ntohs(tvb, offset + 4);
10479 }
10480 return true1;
10481 }
10482 offset += 4 + ext_len;
10483 }
10484 } else {
10485 if (is_hrr) {
10486 *is_hrr = false0;
10487 }
10488 }
10489 return false0;
10490}
10491
10492/**
10493 * Scan a Client Hello handshake message to see if the supported_versions
10494 * extension is found, in which case the version field is legacy_version.
10495 */
10496static bool_Bool
10497tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
10498{
10499 uint8_t session_id_length;
10500
10501 uint16_t client_version = tvb_get_ntohs(tvb, offset);
10502
10503 /*
10504 * Try to look for supported_versions extension. Minimum length:
10505 * 2 + 32 + 1 = 35 (version, random, session id length)
10506 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10507 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10508 *
10509 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10510 * there's a separate expert info warning for that.
10511 */
10512 if ((client_version == TLSV1DOT2_VERSION0x303 || client_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10513 offset += 2;
10514 offset += 32;
10515 session_id_length = tvb_get_uint8(tvb, offset);
10516 offset++;
10517 if (offset_end - offset < session_id_length + 2u) {
10518 return false0;
10519 }
10520 offset += session_id_length;
10521 if (client_version == DTLSV1DOT2_VERSION0xfefd) {
10522 uint8_t cookie_length = tvb_get_uint8(tvb, offset);
10523 offset++;
10524 if (offset_end - offset < cookie_length + 2u) {
10525 return false0;
10526 }
10527 }
10528 uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
10529 offset += 2;
10530 if (offset_end - offset < cipher_suites_length + 1u) {
10531 return false0;
10532 }
10533 offset += cipher_suites_length;
10534 uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
10535 offset++;
10536 if (offset_end - offset < compression_methods_length + 2u) {
10537 return false0;
10538 }
10539 offset += compression_methods_length + 2;
10540
10541 while (offset_end - offset >= 6) {
10542 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10543 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10544 if (offset_end - offset < 4u + ext_len) {
10545 break; /* not enough data for type, length and data */
10546 }
10547 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10548 return true1;
10549 }
10550 offset += 4 + ext_len;
10551 }
10552 }
10553 return false0;
10554}
10555void
10556ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
10557 uint8_t content_type, uint8_t handshake_type,
10558 bool_Bool is_dtls, uint16_t version)
10559{
10560 uint8_t tls13_draft = 0;
10561
10562 if (!ssl_is_authoritative_version_message(content_type, handshake_type,
10563 is_dtls))
10564 return;
10565
10566 version = tls_try_get_version(is_dtls, version, &tls13_draft);
10567 if (version == SSL_VER_UNKNOWN0) {
10568 return;
10569 }
10570
10571 session->tls13_draft_version = tls13_draft;
10572 session->version = version;
10573 if (ssl) {
10574 ssl->state |= SSL_VERSION(1<<4);
10575 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), version, ssl->state);
10576 }
10577}
10578
10579void
10580ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
10581 ContentType content_type,
10582 unsigned record_length, proto_item *length_pi,
10583 uint16_t version, tvbuff_t *decrypted_tvb)
10584{
10585 unsigned max_expansion;
10586 if (version == TLSV1DOT3_VERSION0x304) {
10587 /* TLS 1.3: Max length is 2^14 + 256 */
10588 max_expansion = 256;
10589 } else {
10590 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
10591 max_expansion = 2048;
10592 }
10593 /*
10594 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
10595 * and ChangeCipherSpec.
10596 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
10597 * so assume it is permitted.
10598 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
10599 * assume TLS 1.2 requirements.
10600 */
10601 if (record_length == 0 &&
10602 (content_type == SSL_ID_CHG_CIPHER_SPEC ||
10603 content_type == SSL_ID_ALERT ||
10604 content_type == SSL_ID_HANDSHAKE)) {
10605 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10606 "Zero-length %s fragments are not allowed",
10607 val_to_str_const(content_type, ssl_31_content_type, "unknown"));
10608 }
10609 if (record_length > TLS_MAX_RECORD_LENGTH0x4000 + max_expansion) {
10610 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10611 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
10612 }
10613 if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH0x4000) {
10614 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10615 "TLSPlaintext length MUST NOT exceed 2^14");
10616 }
10617}
10618
10619static void
10620ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
10621{
10622 /* store selected cipher suite for decryption */
10623 ssl->session.cipher = cipher;
10624
10625 const SslCipherSuite *cs = ssl_find_cipher(cipher);
10626 if (!cs) {
10627 ssl->cipher_suite = NULL((void*)0);
10628 ssl->state &= ~SSL_CIPHER(1<<2);
10629 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10630 } else if (ssl->session.version == SSLV3_VERSION0x300 && !(cs->dig == DIG_MD50x40 || cs->dig == DIG_SHA0x41)) {
10631 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
10632 * cipher suite that uses for example MACAlgorithm SHA256. Reject that
10633 * to avoid a potential buffer overflow in ssl3_check_mac. */
10634 ssl->cipher_suite = NULL((void*)0);
10635 ssl->state &= ~SSL_CIPHER(1<<2);
10636 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10637 } else {
10638 /* Cipher found, save this for the delayed decoder init */
10639 ssl->cipher_suite = cs;
10640 ssl->state |= SSL_CIPHER(1<<2);
10641 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), cipher,
10642 val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
10643 ssl->state);
10644 }
10645}
10646/* }}} */
10647
10648
10649/* Client Hello and Server Hello dissections. {{{ */
10650static int
10651ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10652 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
10653 SslSession *session, SslDecryptSession *ssl,
10654 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
10655 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length);
10656int
10657// NOLINTNEXTLINE(misc-no-recursion)
10658ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10659 packet_info *pinfo, proto_tree *tree, uint32_t offset,
10660 uint32_t offset_end, SslSession *session,
10661 SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
10662{
10663 /* struct {
10664 * ProtocolVersion client_version;
10665 * Random random;
10666 * SessionID session_id;
10667 * opaque cookie<0..32>; //new field for DTLS
10668 * CipherSuite cipher_suites<2..2^16-1>;
10669 * CompressionMethod compression_methods<1..2^8-1>;
10670 * Extension client_hello_extension_list<0..2^16-1>;
10671 * } ClientHello;
10672 */
10673 proto_item *ti;
10674 proto_tree *cs_tree;
10675 uint32_t client_version;
10676 uint32_t cipher_suite_length;
10677 uint32_t compression_methods_length;
10678 uint8_t compression_method;
10679 uint32_t next_offset;
10680 uint32_t initial_offset = offset;
10681 uint32_t hello_length = offset_end - initial_offset;
10682 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10683 char *ja3_hash;
10684 char *ja3_dash = "";
10685 char *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
10686 ja4_data_t ja4_data;
10687 wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
10688 wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
10689 wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
10690 wmem_list_frame_t *curr_entry;
10691
10692 ja4_data.max_version = 0;
10693 ja4_data.server_name_present = false0;
10694 ja4_data.num_cipher_suites = 0;
10695 ja4_data.num_extensions = 0;
10696 ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
10697 ja4_data.cipher_list = wmem_list_new(pinfo->pool);
10698 ja4_data.extension_list = wmem_list_new(pinfo->pool);
10699 ja4_data.sighash_list = wmem_list_new(pinfo->pool);
10700
10701 /* show the client version */
10702 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, tvb,
10703 offset, 2, ENC_BIG_ENDIAN0x00000000,
10704 &client_version);
10705 if (tls_scan_client_hello(tvb, offset, offset_end)) {
10706 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10707 }
10708 offset += 2;
10709 wmem_strbuf_append_printf(ja3, "%i,", client_version);
10710
10711 /*
10712 * Is it version 1.3?
10713 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
10714 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10715 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
10716 * Hello".
10717 */
10718 if (dtls_hfs != NULL((void*)0)) {
10719 if (client_version == DTLSV1DOT3_VERSION0xfefc) {
10720 /* Don't do that. */
10721 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10722 }
10723 } else {
10724 if (client_version == TLSV1DOT3_VERSION0x304) {
10725 /* Don't do that. */
10726 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10727 }
10728 }
10729
10730 /* dissect fields that are present in both ClientHello and ServerHello */
10731 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, false0, false0);
10732
10733 /* fields specific for DTLS (cookie_len, cookie) */
10734 if (dtls_hfs != NULL((void*)0)) {
10735 uint32_t cookie_length;
10736 /* opaque cookie<0..32> (for DTLS only) */
10737 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
10738 dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
10739 return offset;
10740 }
10741 offset++;
10742 if (cookie_length > 0) {
10743 proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
10744 tvb, offset, cookie_length, ENC_NA0x00000000);
10745 offset += cookie_length;
10746 }
10747 }
10748
10749 /* CipherSuite cipher_suites<2..2^16-1> */
10750 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
10751 hf->hf.hs_cipher_suites_len, 2, UINT16_MAX(65535))) {
10752 return offset;
10753 }
10754 offset += 2;
10755 next_offset = offset + cipher_suite_length;
10756 ti = proto_tree_add_none_format(tree,
10757 hf->hf.hs_cipher_suites,
10758 tvb, offset, cipher_suite_length,
10759 "Cipher Suites (%d suite%s)",
10760 cipher_suite_length / 2,
10761 plurality(cipher_suite_length/2, "", "s")((cipher_suite_length/2) == 1 ? ("") : ("s")));
10762 cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
10763 while (offset + 2 <= next_offset) {
10764 uint32_t cipher_suite;
10765
10766 proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, tvb, offset, 2,
10767 ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10768 offset += 2;
10769 if (!IS_GREASE_TLS(cipher_suite)((((cipher_suite) & 0x0f0f) == 0x0a0a) && (((cipher_suite
) & 0xff) == (((cipher_suite)>>8) & 0xff)))) {
10770 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
10771 ja3_dash = "-";
10772 ja4_data.num_cipher_suites += 1;
10773 wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite)((gpointer) (gulong) (cipher_suite)), wmem_compare_uint);
10774 }
10775 }
10776 wmem_strbuf_append_c(ja3, ',');
10777 if (!ssl_end_vector(hf, tvb, pinfo, cs_tree, offset, next_offset)) {
10778 offset = next_offset;
10779 }
10780
10781 /* CompressionMethod compression_methods<1..2^8-1> */
10782 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
10783 hf->hf.hs_comp_methods_len, 1, UINT8_MAX(255))) {
10784 return offset;
10785 }
10786 offset++;
10787 next_offset = offset + compression_methods_length;
10788 ti = proto_tree_add_none_format(tree,
10789 hf->hf.hs_comp_methods,
10790 tvb, offset, compression_methods_length,
10791 "Compression Methods (%u method%s)",
10792 compression_methods_length,
10793 plurality(compression_methods_length,((compression_methods_length) == 1 ? ("") : ("s"))
10794 "", "s")((compression_methods_length) == 1 ? ("") : ("s")));
10795 cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
10796 while (offset < next_offset) {
10797 compression_method = tvb_get_uint8(tvb, offset);
10798 /* TODO: make reserved/private comp meth. fields selectable */
10799 if (compression_method < 64)
10800 proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
10801 tvb, offset, 1, compression_method);
10802 else if (compression_method > 63 && compression_method < 193)
10803 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10804 compression_method, "Reserved - to be assigned by IANA (%u)",
10805 compression_method);
10806 else
10807 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10808 compression_method, "Private use range (%u)",
10809 compression_method);
10810 offset++;
10811 }
10812
10813 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10814 if (offset < offset_end) {
10815 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10816 offset_end, SSL_HND_CLIENT_HELLO,
10817 session, ssl, dtls_hfs != NULL((void*)0), ja3, &ja4_data, mk_map, initial_offset, hello_length);
10818 if (ja4_data.max_version > 0) {
10819 client_version = ja4_data.max_version;
10820 }
10821 } else {
10822 wmem_strbuf_append_printf(ja3, ",,");
10823 }
10824
10825 if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
10826 wmem_strbuf_append(ja4_a, "t");
10827 } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
10828 wmem_strbuf_append(ja4_a, "q");
10829 } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
10830 wmem_strbuf_append(ja4_a, "d");
10831 }
10832 wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
10833 wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
10834 if (ja4_data.num_cipher_suites > 99) {
10835 wmem_strbuf_append(ja4_a, "99");
10836 } else {
10837 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
10838 }
10839 if (ja4_data.num_extensions > 99) {
10840 wmem_strbuf_append(ja4_a, "99");
10841 } else {
10842 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
10843 }
10844 if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
10845 wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
10846 } else {
10847 wmem_strbuf_append(ja4_a, "00");
10848 }
10849
10850 curr_entry = wmem_list_head(ja4_data.cipher_list);
10851 for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
10852 wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10853 if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
10854 wmem_strbuf_append(ja4_br, ",");
10855 }
10856 curr_entry = wmem_list_frame_next(curr_entry);
10857 }
10858
10859 curr_entry = wmem_list_head(ja4_data.extension_list);
10860 for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
10861 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10862 if (i < wmem_list_count(ja4_data.extension_list) - 1) {
10863 wmem_strbuf_append(ja4_cr, ",");
10864 }
10865 curr_entry = wmem_list_frame_next(curr_entry);
10866 }
10867
10868 if (wmem_list_count(ja4_data.sighash_list) > 0) {
10869 wmem_strbuf_append(ja4_cr, "_");
10870 curr_entry = wmem_list_head(ja4_data.sighash_list);
10871 for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
10872 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10873 if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
10874 wmem_strbuf_append(ja4_cr, ",");
10875 }
10876 curr_entry = wmem_list_frame_next(curr_entry);
10877 }
10878 }
10879 if ( wmem_strbuf_get_len(ja4_br) == 0 ) {
10880 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10881 } else {
10882 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
10883 }
10884 ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);
10885
10886 g_free(ja4_hash);
10887 if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
10888 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10889 } else {
10890 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
10891 }
10892 ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
10893 g_free(ja4_hash);
10894
10895 ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
10896 ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));
10897
10898 ti = proto_tree_add_string(tree, hf->hf.hs_ja4, tvb, offset, 0, ja4);
10899 proto_item_set_generated(ti);
10900 ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, tvb, offset, 0, ja4_r);
10901 proto_item_set_generated(ti);
10902
10903 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
10904 wmem_strbuf_get_len(ja3));
10905 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
10906 proto_item_set_generated(ti);
10907 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, tvb, offset, 0, ja3_hash);
10908 proto_item_set_generated(ti);
10909 g_free(ja3_hash);
10910 return offset;
10911}
10912
10913void
10914ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10915 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10916 SslSession *session, SslDecryptSession *ssl,
10917 bool_Bool is_dtls, bool_Bool is_hrr)
10918{
10919 /* struct {
10920 * ProtocolVersion server_version;
10921 * Random random;
10922 * SessionID session_id; // TLS 1.2 and before
10923 * CipherSuite cipher_suite;
10924 * CompressionMethod compression_method; // TLS 1.2 and before
10925 * Extension server_hello_extension_list<0..2^16-1>;
10926 * } ServerHello;
10927 */
10928 uint8_t draft_version = session->tls13_draft_version;
10929 proto_item *ti;
10930 uint32_t server_version;
10931 uint32_t cipher_suite;
10932 uint32_t initial_offset = offset;
10933 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10934 char *ja3_hash;
10935
10936 col_set_str(pinfo->cinfo, COL_PROTOCOL,
10937 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
10938
10939 /* Initially assume that the session is resumed. If this is not the case, a
10940 * ServerHelloDone will be observed before the ChangeCipherSpec message
10941 * which will reset this flag. */
10942 session->is_session_resumed = true1;
10943
10944 /* show the server version */
10945 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
10946 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);
10947
10948 uint16_t supported_server_version;
10949 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
10950 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10951 }
10952 /*
10953 * Is it version 1.3?
10954 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
10955 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10956 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
10957 * Hello".
10958 */
10959 if (is_dtls) {
10960 if (server_version == DTLSV1DOT3_VERSION0xfefc) {
10961 /* Don't do that. */
10962 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10963 }
10964 } else {
10965 if (server_version == TLSV1DOT3_VERSION0x304) {
10966 /* Don't do that. */
10967 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10968 }
10969 }
10970
10971 offset += 2;
10972 wmem_strbuf_append_printf(ja3, "%i", server_version);
10973
10974 /* dissect fields that are present in both ClientHello and ServerHello */
10975 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);
10976
10977 if (ssl) {
10978 /* store selected cipher suite for decryption */
10979 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
10980 }
10981
10982 /* now the server-selected cipher suite */
10983 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
10984 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10985 offset += 2;
10986 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
10987
10988 /* No compression with TLS 1.3 before draft -22 */
10989 if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
10990 if (ssl) {
10991 /* store selected compression method for decryption */
10992 ssl->session.compression = tvb_get_uint8(tvb, offset);
10993 }
10994 /* and the server-selected compression method */
10995 proto_tree_add_item(tree, hf->hf.hs_comp_method,
10996 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
10997 offset++;
10998 }
10999
11000 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
11001 if (offset < offset_end) {
11002 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11003 offset_end,
11004 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
11005 session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0), 0, 0);
11006 }
11007
11008 if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
11009 int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
11010 if (hash_algo) {
11011 SSL_MDgcry_md_hd_t mc;
11012 unsigned char transcript_hash[DIGEST_MAX_SIZE48];
11013 unsigned char prk[DIGEST_MAX_SIZE48];
11014 unsigned char *ech_verify_out = NULL((void*)0);
11015 unsigned int len;
11016 ssl_md_init(&mc, hash_algo);
11017 ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
11018 if (is_hrr) {
11019 ssl_md_final(&mc, transcript_hash, &len);
11020 ssl_md_cleanup(&mc);
11021 wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
11022 ssl->ech_transcript.data_len = 4 + len;
11023 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
11024 ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
11025 ssl->ech_transcript.data[1] = 0;
11026 ssl->ech_transcript.data[2] = 0;
11027 ssl->ech_transcript.data[3] = len;
11028 memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
11029 ssl_md_init(&mc, hash_algo);
11030 ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
11031 } else {
11032 ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
11033 ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
11034 }
11035 if (initial_offset > 4) {
11036 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
11037 4 + offset_end - initial_offset);
11038 if (is_hrr)
11039 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset-4, 38), 38);
11040 else
11041 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset-4, 30), 30);
11042 } else {
11043 uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
11044 prefix[2] = ((offset - initial_offset) >> 8);
11045 prefix[3] = (offset - initial_offset) & 0xff;
11046 memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
11047 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
11048 offset_end - initial_offset);
11049 ssl_md_update(&mc, prefix, 4);
11050 if (is_hrr)
11051 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset, 34), 34);
11052 else
11053 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset, 26), 26);
11054 }
11055 ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
11056 uint8_t zeros[8] = { 0 };
11057 uint32_t confirmation_offset = initial_offset + 26;
11058 if (is_hrr) {
11059 uint32_t hrr_offset = initial_offset + 34;
11060 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset,
11061 tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
11062 hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
11063 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 3), 3);
11064 hrr_offset += 3;
11065 uint16_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
11066 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 2), 2);
11067 hrr_offset += 2;
11068 while (extensions_end - hrr_offset >= 4) {
11069 if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
11070 tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
11071 confirmation_offset = hrr_offset + 4;
11072 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 4), 4);
11073 ssl_md_update(&mc, zeros, 8);
11074 hrr_offset += 12;
11075 } else {
11076 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
11077 tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
11078 hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
11079 }
11080 }
11081 } else {
11082 ssl_md_update(&mc, zeros, 8);
11083 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
11084 offset - initial_offset - 34);
11085 }
11086 ssl_md_final(&mc, transcript_hash, &len);
11087 ssl_md_cleanup(&mc);
11088 hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
11089 StringInfo prk_string = {prk, len};
11090 if (tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
11091 is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
11092 transcript_hash, len, 8, &ech_verify_out)) {
11093 memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
11094 if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
11095 if (is_hrr) {
11096 ssl->session.hrr_ech_declined = true1;
11097 ssl->session.first_ch_ech_frame = 0;
11098 }
11099 memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
11100 ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
11101 }
11102 wmem_free(NULL((void*)0), ech_verify_out);
11103 }
11104 ssl->session.ech = true1;
11105 }
11106 }
11107
11108 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
11109 wmem_strbuf_get_len(ja3));
11110 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
11111 proto_item_set_generated(ti);
11112 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
11113 proto_item_set_generated(ti);
11114 g_free(ja3_hash);
11115}
11116/* Client Hello and Server Hello dissections. }}} */
11117
11118/* New Session Ticket dissection. {{{ */
11119void
11120ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11121 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11122 SslSession *session, SslDecryptSession *ssl,
11123 bool_Bool is_dtls, GHashTable *session_hash)
11124{
11125 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
11126 * struct {
11127 * uint32 ticket_lifetime_hint;
11128 * opaque ticket<0..2^16-1>;
11129 * } NewSessionTicket;
11130 *
11131 * RFC 8446 Section 4.6.1 (TLS 1.3):
11132 * struct {
11133 * uint32 ticket_lifetime;
11134 * uint32 ticket_age_add;
11135 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -22
11136 * opaque ticket<1..2^16-1>;
11137 * Extension extensions<0..2^16-2>;
11138 * } NewSessionTicket;
11139 */
11140 proto_tree *subtree;
11141 proto_item *subitem;
11142 uint32_t ticket_len;
11143 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc;
11144 unsigned char draft_version = session->tls13_draft_version;
11145 uint32_t lifetime_hint;
11146
11147 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11148 hf->ett.session_ticket, NULL((void*)0),
11149 "TLS Session Ticket");
11150
11151 /* ticket lifetime hint */
11152 subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,
11153 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000, &lifetime_hint);
11154 offset += 4;
11155
11156 if (lifetime_hint >= 60) {
11157 char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);
11158 proto_item_append_text(subitem, " (%s)", time_str);
11159 }
11160
11161 if (is_tls13) {
11162
11163 /* for TLS 1.3: ticket_age_add */
11164 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
11165 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
11166 offset += 4;
11167
11168 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
11169 if (draft_version == 0 || draft_version >= 21) {
11170 uint32_t ticket_nonce_len;
11171
11172 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,
11173 hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
11174 return;
11175 }
11176 offset++;
11177
11178 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA0x00000000);
11179 offset += ticket_nonce_len;
11180 }
11181
11182 }
11183
11184 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
11185 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
11186 hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX(65535))) {
11187 return;
11188 }
11189 offset += 2;
11190
11191 /* Content depends on implementation, so just show data! */
11192 proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
11193 tvb, offset, ticket_len, ENC_NA0x00000000);
11194 /* save the session ticket to cache for ssl_finalize_decryption */
11195 if (ssl && !is_tls13) {
11196 if (ssl->session.is_session_resumed) {
11197 /* NewSessionTicket is received in ServerHello before ChangeCipherSpec
11198 * (Abbreviated Handshake Using New Session Ticket).
11199 * Restore the master key for this session ticket before saving
11200 * it to the new session ticket. */
11201 ssl_restore_master_key(ssl, "Session Ticket", false0,
11202 session_hash, &ssl->session_ticket);
11203 }
11204 tvb_ensure_bytes_exist(tvb, offset, ticket_len);
11205 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
11206 ssl->session_ticket.data, ticket_len);
11207 ssl->session_ticket.data_len = ticket_len;
11208 tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
11209 /* NewSessionTicket is received after the first (client)
11210 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
11211 * Since the second CCS has already the session key available it will
11212 * just return. To ensure that the session ticket is mapped to a
11213 * master key (from the first CCS), save the ticket here too. */
11214 ssl_save_master_key("Session Ticket", session_hash,
11215 &ssl->session_ticket, &ssl->master_secret);
11216 ssl->state |= SSL_NEW_SESSION_TICKET(1<<10);
11217 }
11218 offset += ticket_len;
11219
11220 if (is_tls13) {
11221 ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11222 offset_end, SSL_HND_NEWSESSION_TICKET,
11223 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11224 }
11225} /* }}} */
11226
11227void
11228ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11229 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11230 SslSession *session, SslDecryptSession *ssl,
11231 bool_Bool is_dtls)
11232{
11233 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
11234 * struct {
11235 * ProtocolVersion server_version;
11236 * CipherSuite cipher_suite; // not before draft -19
11237 * Extension extensions<2..2^16-1>;
11238 * } HelloRetryRequest;
11239 * Note: no longer used since draft -22
11240 */
11241 uint32_t version;
11242 uint8_t draft_version;
11243
11244 proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11245 offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
11246 draft_version = extract_tls13_draft_version(version);
11247 offset += 2;
11248
11249 if (draft_version == 0 || draft_version >= 19) {
11250 proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
11251 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11252 offset += 2;
11253 }
11254
11255 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11256 offset_end, SSL_HND_HELLO_RETRY_REQUEST,
11257 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11258}
11259
11260void
11261ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11262 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11263 SslSession *session, SslDecryptSession *ssl,
11264 bool_Bool is_dtls)
11265{
11266 /* RFC 8446 Section 4.3.1
11267 * struct {
11268 * Extension extensions<0..2^16-1>;
11269 * } EncryptedExtensions;
11270 */
11271 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11272 offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,
11273 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11274}
11275
11276/* Certificate and Certificate Request dissections. {{{ */
11277void
11278ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11279 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11280 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
11281 bool_Bool is_from_server, bool_Bool is_dtls)
11282{
11283 /* opaque ASN.1Cert<1..2^24-1>;
11284 *
11285 * Before RFC 8446 (TLS <= 1.2):
11286 * struct {
11287 * select(certificate_type) {
11288 *
11289 * // certificate type defined in RFC 7250
11290 * case RawPublicKey:
11291 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
11292 *
11293 * // X.509 certificate defined in RFC 5246
11294 * case X.509:
11295 * ASN.1Cert certificate_list<0..2^24-1>;
11296 * };
11297 * } Certificate;
11298 *
11299 * RFC 8446 (since draft -20):
11300 * struct {
11301 * select(certificate_type){
11302 * case RawPublicKey:
11303 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
11304 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
11305 *
11306 * case X.509:
11307 * opaque cert_data<1..2^24-1>;
11308 * }
11309 * Extension extensions<0..2^16-1>;
11310 * } CertificateEntry;
11311 * struct {
11312 * opaque certificate_request_context<0..2^8-1>;
11313 * CertificateEntry certificate_list<0..2^24-1>;
11314 * } Certificate;
11315 */
11316 enum { CERT_X509, CERT_RPK } cert_type;
11317 asn1_ctx_t asn1_ctx;
11318#if defined(HAVE_LIBGNUTLS1)
11319 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
11320 unsigned certificate_index = 0;
11321#endif
11322 uint32_t next_offset, certificate_list_length, cert_length;
11323 proto_tree *subtree = tree;
11324
11325 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11326
11327 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
11328 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
11329 cert_type = CERT_RPK;
11330 } else {
11331 cert_type = CERT_X509;
11332 }
11333
11334#if defined(HAVE_LIBGNUTLS1)
11335 /* Ask the pkcs1 dissector to return the public key details */
11336 if (ssl)
11337 asn1_ctx.private_data = &subjectPublicKeyInfo;
11338#endif
11339
11340 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
11341 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
11342 uint32_t context_length;
11343 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11344 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11345 return;
11346 }
11347 offset++;
11348 if (context_length > 0) {
11349 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11350 tvb, offset, context_length, ENC_NA0x00000000);
11351 offset += context_length;
11352 }
11353 }
11354
11355 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
11356 /* For RPK before TLS 1.3, the single RPK is stored directly without
11357 * another "certificate_list" field. */
11358 certificate_list_length = offset_end - offset;
11359 next_offset = offset_end;
11360 } else {
11361 /* CertificateEntry certificate_list<0..2^24-1> */
11362 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
11363 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
11364 return;
11365 }
11366 offset += 3; /* 24-bit length value */
11367 next_offset = offset + certificate_list_length;
11368 }
11369
11370 /* RawPublicKey must have one cert, but X.509 can have multiple. */
11371 if (certificate_list_length > 0 && cert_type == CERT_X509) {
11372 proto_item *ti;
11373
11374 ti = proto_tree_add_none_format(tree,
11375 hf->hf.hs_certificates,
11376 tvb, offset, certificate_list_length,
11377 "Certificates (%u bytes)",
11378 certificate_list_length);
11379
11380 /* make it a subtree */
11381 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
11382 }
11383
11384 while (offset < next_offset) {
11385 switch (cert_type) {
11386 case CERT_RPK:
11387 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
11388 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
11389 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11390 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11391 return;
11392 }
11393 offset += 3;
11394
11395 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11396 offset += cert_length;
11397 break;
11398 case CERT_X509:
11399 /* opaque ASN1Cert<1..2^24-1> */
11400 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11401 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11402 return;
11403 }
11404 offset += 3;
11405
11406 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11407#if defined(HAVE_LIBGNUTLS1)
11408 if (is_from_server && ssl && certificate_index == 0) {
11409 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
11410 /* Only attempt to get the RSA modulus for the first cert. */
11411 asn1_ctx.private_data = NULL((void*)0);
11412 }
11413#endif
11414 offset += cert_length;
11415 break;
11416 }
11417
11418 /* TLS 1.3: Extension extensions<0..2^16-1> */
11419 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
11420 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11421 next_offset, SSL_HND_CERTIFICATE,
11422 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11423 }
11424
11425#if defined(HAVE_LIBGNUTLS1)
11426 certificate_index++;
11427#endif
11428 }
11429}
11430
11431void
11432ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11433 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11434 SslSession *session, bool_Bool is_dtls)
11435{
11436 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
11437 * enum {
11438 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11439 * (255)
11440 * } ClientCertificateType;
11441 *
11442 * opaque DistinguishedName<1..2^16-1>;
11443 *
11444 * struct {
11445 * ClientCertificateType certificate_types<1..2^8-1>;
11446 * DistinguishedName certificate_authorities<3..2^16-1>;
11447 * } CertificateRequest;
11448 *
11449 *
11450 * As per TLSv1.2 (RFC 5246) the format has changed to:
11451 *
11452 * enum {
11453 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11454 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
11455 * fortezza_dms_RESERVED(20), (255)
11456 * } ClientCertificateType;
11457 *
11458 * enum {
11459 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
11460 * sha512(6), (255)
11461 * } HashAlgorithm;
11462 *
11463 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
11464 * SignatureAlgorithm;
11465 *
11466 * struct {
11467 * HashAlgorithm hash;
11468 * SignatureAlgorithm signature;
11469 * } SignatureAndHashAlgorithm;
11470 *
11471 * SignatureAndHashAlgorithm
11472 * supported_signature_algorithms<2..2^16-2>;
11473 *
11474 * opaque DistinguishedName<1..2^16-1>;
11475 *
11476 * struct {
11477 * ClientCertificateType certificate_types<1..2^8-1>;
11478 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
11479 * DistinguishedName certificate_authorities<0..2^16-1>;
11480 * } CertificateRequest;
11481 *
11482 * draft-ietf-tls-tls13-18:
11483 * struct {
11484 * opaque certificate_request_context<0..2^8-1>;
11485 * SignatureScheme
11486 * supported_signature_algorithms<2..2^16-2>;
11487 * DistinguishedName certificate_authorities<0..2^16-1>;
11488 * CertificateExtension certificate_extensions<0..2^16-1>;
11489 * } CertificateRequest;
11490 *
11491 * RFC 8446 (since draft-ietf-tls-tls13-19):
11492 *
11493 * struct {
11494 * opaque certificate_request_context<0..2^8-1>;
11495 * Extension extensions<2..2^16-1>;
11496 * } CertificateRequest;
11497 */
11498 proto_item *ti;
11499 proto_tree *subtree;
11500 uint32_t next_offset;
11501 asn1_ctx_t asn1_ctx;
11502 bool_Bool is_tls13 = (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc);
11503 unsigned char draft_version = session->tls13_draft_version;
11504
11505 if (!tree)
11506 return;
11507
11508 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11509
11510 if (is_tls13) {
11511 uint32_t context_length;
11512 /* opaque certificate_request_context<0..2^8-1> */
11513 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11514 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11515 return;
11516 }
11517 offset++;
11518 if (context_length > 0) {
11519 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11520 tvb, offset, context_length, ENC_NA0x00000000);
11521 offset += context_length;
11522 }
11523 } else {
11524 uint32_t cert_types_count;
11525 /* ClientCertificateType certificate_types<1..2^8-1> */
11526 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
11527 hf->hf.hs_cert_types_count, 1, UINT8_MAX(255))) {
11528 return;
11529 }
11530 offset++;
11531 next_offset = offset + cert_types_count;
11532
11533 ti = proto_tree_add_none_format(tree,
11534 hf->hf.hs_cert_types,
11535 tvb, offset, cert_types_count,
11536 "Certificate types (%u type%s)",
11537 cert_types_count,
11538 plurality(cert_types_count, "", "s")((cert_types_count) == 1 ? ("") : ("s")));
11539 subtree = proto_item_add_subtree(ti, hf->ett.cert_types);
11540
11541 while (offset < next_offset) {
11542 proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11543 offset++;
11544 }
11545 }
11546
11547 if (session->version == TLSV1DOT2_VERSION0x303 || session->version == DTLSV1DOT2_VERSION0xfefd ||
11548 (is_tls13 && (draft_version > 0 && draft_version < 19))) {
11549 offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
11550 }
11551
11552 if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
11553 /*
11554 * TLS 1.3 draft 19 and newer: Extensions.
11555 * SslDecryptSession pointer is NULL because Certificate Extensions
11556 * should not influence decryption state.
11557 */
11558 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11559 offset_end, SSL_HND_CERT_REQUEST,
11560 session, NULL((void*)0), is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11561 } else if (is_tls13 && draft_version <= 18) {
11562 /*
11563 * TLS 1.3 draft 18 and older: certificate_authorities and
11564 * certificate_extensions (a vector of OID mappings).
11565 */
11566 offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11567 ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
11568 } else {
11569 /* for TLS 1.2 and older, the certificate_authorities field. */
11570 tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11571 }
11572}
11573/* Certificate and Certificate Request dissections. }}} */
11574
11575void
11576ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11577 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
11578{
11579 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
11580 hf->hf.hs_client_cert_vrfy_sig_len,
11581 hf->hf.hs_client_cert_vrfy_sig);
11582}
11583
11584/* Finished dissection. {{{ */
11585void
11586ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11587 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11588 const SslSession *session, ssl_hfs_t *ssl_hfs)
11589{
11590 /* For SSLv3:
11591 * struct {
11592 * opaque md5_hash[16];
11593 * opaque sha_hash[20];
11594 * } Finished;
11595 *
11596 * For (D)TLS:
11597 * struct {
11598 * opaque verify_data[12];
11599 * } Finished;
11600 *
11601 * For TLS 1.3:
11602 * struct {
11603 * opaque verify_data[Hash.length];
11604 * }
11605 */
11606 if (!tree)
11607 return;
11608
11609 if (session->version == SSLV3_VERSION0x300) {
11610 if (ssl_hfs != NULL((void*)0)) {
11611 proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
11612 tvb, offset, 16, ENC_NA0x00000000);
11613 proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
11614 tvb, offset + 16, 20, ENC_NA0x00000000);
11615 }
11616 } else {
11617 /* Length should be 12 for TLS before 1.3, assume this is the case. */
11618 proto_tree_add_item(tree, hf->hf.hs_finished,
11619 tvb, offset, offset_end - offset, ENC_NA0x00000000);
11620 }
11621} /* }}} */
11622
11623/* RFC 6066 Certificate URL handshake message dissection. {{{ */
11624void
11625ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
11626{
11627 uint16_t url_hash_len;
11628
11629 /* enum {
11630 * individual_certs(0), pkipath(1), (255)
11631 * } CertChainType;
11632 *
11633 * struct {
11634 * CertChainType type;
11635 * URLAndHash url_and_hash_list<1..2^16-1>;
11636 * } CertificateURL;
11637 *
11638 * struct {
11639 * opaque url<1..2^16-1>;
11640 * uint8 padding;
11641 * opaque SHA1Hash[20];
11642 * } URLAndHash;
11643 */
11644
11645 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
11646 tvb, offset, 1, ENC_NA0x00000000);
11647 offset++;
11648
11649 url_hash_len = tvb_get_ntohs(tvb, offset);
11650 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
11651 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11652 offset += 2;
11653 while (url_hash_len-- > 0) {
11654 proto_item *urlhash_item;
11655 proto_tree *urlhash_tree;
11656 uint16_t url_len;
11657
11658 urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
11659 tvb, offset, -1, ENC_NA0x00000000);
11660 urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);
11661
11662 url_len = tvb_get_ntohs(tvb, offset);
11663 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
11664 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11665 offset += 2;
11666
11667 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
11668 tvb, offset, url_len, ENC_ASCII0x00000000|ENC_NA0x00000000);
11669 offset += url_len;
11670
11671 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
11672 tvb, offset, 1, ENC_NA0x00000000);
11673 offset++;
11674 /* Note: RFC 6066 says that padding must be 0x01 */
11675
11676 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
11677 tvb, offset, 20, ENC_NA0x00000000);
11678 offset += 20;
11679 }
11680} /* }}} */
11681
11682void
11683ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11684 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11685 SslSession *session, SslDecryptSession *ssl,
11686 bool_Bool is_from_server, bool_Bool is_dtls)
11687{
11688 uint32_t algorithm, uncompressed_length;
11689 uint32_t compressed_certificate_message_length;
11690 tvbuff_t *uncompressed_tvb = NULL((void*)0);
11691 proto_item *ti;
11692 /*
11693 * enum {
11694 * zlib(1),
11695 * brotli(2),
11696 * zstd(3),
11697 * (65535)
11698 * } CertificateCompressionAlgorithm;
11699 *
11700 * struct {
11701 * CertificateCompressionAlgorithm algorithm;
11702 * uint24 uncompressed_length;
11703 * opaque compressed_certificate_message<1..2^24-1>;
11704 * } CompressedCertificate;
11705 */
11706
11707 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
11708 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &algorithm);
11709 offset += 2;
11710
11711 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
11712 tvb, offset, 3, ENC_BIG_ENDIAN0x00000000, &uncompressed_length);
11713 offset += 3;
11714
11715 /* opaque compressed_certificate_message<1..2^24-1>; */
11716 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,
11717 hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24((1U << 24) - 1))) {
11718 return;
11719 }
11720 offset += 3;
11721
11722 ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
11723 tvb, offset, compressed_certificate_message_length, ENC_NA0x00000000);
11724
11725 /* Certificate decompression following algorithm */
11726 switch (algorithm) {
11727 case 1: /* zlib */
11728 uncompressed_tvb = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_certificate_message_length);
11729 break;
11730 case 2: /* brotli */
11731 uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);
11732 break;
11733 case 3: /* zstd */
11734 uncompressed_tvb = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_certificate_message_length);
11735 break;
11736 }
11737
11738 if (uncompressed_tvb) {
11739 proto_tree *uncompressed_tree;
11740
11741 if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {
11742 proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
11743 tvb, offset, offset_end - offset,
11744 "Invalid uncompressed length %u (expected %u)",
11745 tvb_captured_length(uncompressed_tvb),
11746 uncompressed_length);
11747 } else {
11748 uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
11749 ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
11750 0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
11751 add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
11752 }
11753 }
11754}
11755
11756/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
11757static int
11758// NOLINTNEXTLINE(misc-no-recursion)
11759ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11760 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
11761 SslSession *session, SslDecryptSession *ssl,
11762 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
11763 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length)
11764{
11765 uint32_t exts_len;
11766 uint16_t ext_type;
11767 uint32_t ext_len;
11768 uint32_t next_offset;
11769 proto_item *ext_item;
11770 proto_tree *ext_tree;
11771 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
11772 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
11773 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
11774 char *ja3_dash = "";
11775 unsigned supported_version;
11776
11777 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
11778 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
11779 hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
11780 return offset_end;
11781 }
11782 offset += 2;
11783 offset_end = offset + exts_len;
11784
11785 if (ja4_data) {
11786 ja4_data->num_extensions = 0;
11787 }
11788 while (offset_end - offset >= 4)
11789 {
11790 ext_type = tvb_get_ntohs(tvb, offset);
11791 ext_len = tvb_get_ntohs(tvb, offset + 2);
11792
11793 if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11794 ja4_data->num_extensions += 1;
11795 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
11796 ext_type != SSL_HND_HELLO_EXT_ALPN16) {
11797 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
11798 }
11799 }
11800
11801 ext_item = proto_tree_add_none_format(tree, hf->hf.hs_ext, tvb, offset, 4 + ext_len,
11802 "Extension: %s (len=%u)", val_to_str(pinfo->pool, ext_type,
11803 tls_hello_extension_types,
11804 "Unknown type %u"), ext_len);
11805 ext_tree = proto_item_add_subtree(ext_item, hf->ett.hs_ext);
11806
11807 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
11808 tvb, offset, 2, ext_type);
11809 offset += 2;
11810 if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11811 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
11812 ja3_dash = "-";
11813 }
11814
11815 /* opaque extension_data<0..2^16-1> */
11816 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
11817 hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
11818 return offset_end;
11819 }
11820 offset += 2;
11821 next_offset = offset + ext_len;
11822
11823 switch (ext_type) {
11824 case SSL_HND_HELLO_EXT_SERVER_NAME0:
11825 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11826 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
11827 if (ja4_data) {
11828 ja4_data->server_name_present = true1;
11829 }
11830 }
11831 break;
11832 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
11833 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
11834 offset += 1;
11835 break;
11836 case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
11837 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11838 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
11839 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
11840 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
11841 }
11842 break;
11843 case SSL_HND_HELLO_EXT_CERT_TYPE9:
11844 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11845 offset, next_offset,
11846 hnd_type, ext_type,
11847 session);
11848 break;
11849 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
11850 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11851 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11852 next_offset, ja3_sg);
11853 } else {
11854 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11855 next_offset, NULL((void*)0));
11856 }
11857 break;
11858 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
11859 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11860 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
11861 } else {
11862 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
11863 }
11864 break;
11865 break;
11866 case SSL_HND_HELLO_EXT_SRP12:
11867 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
11868 break;
11869 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
11870 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
11871 break;
11872 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
11873 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
11874 break;
11875 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
11876 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
11877 break;
11878 case SSL_HND_HELLO_EXT_USE_SRTP14:
11879 if (is_dtls) {
11880 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11881 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
11882 } else if (hnd_type == SSL_HND_SERVER_HELLO) {
11883 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
11884 }
11885 } else {
11886 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
11887 }
11888 break;
11889 case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
11890 offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
11891 break;
11892 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
11893 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map, initial_offset, hello_length);
11894 break;
11895 case SSL_HND_HELLO_EXT_HEARTBEAT15:
11896 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
11897 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11898 offset++;
11899 break;
11900 case SSL_HND_HELLO_EXT_ALPN16:
11901 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
11902 break;
11903 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
11904 if (hnd_type == SSL_HND_CLIENT_HELLO)
11905 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
11906 break;
11907 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
11908 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
11909 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
11910 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
11911 break;
11912 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
11913 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
11914 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11915 offset, next_offset,
11916 hnd_type, ext_type,
11917 session);
11918 break;
11919 case SSL_HND_HELLO_EXT_PADDING21:
11920 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
11921 offset += ext_len;
11922 break;
11923 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
11924 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
11925 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
11926 ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
11927 }
11928 break;
11929 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
11930 if (ssl) {
11931 switch (hnd_type) {
11932 case SSL_HND_CLIENT_HELLO:
11933 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
11934 break;
11935 case SSL_HND_SERVER_HELLO:
11936 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
11937 break;
11938 default: /* no default */
11939 break;
11940 }
11941 }
11942 break;
11943 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
11944 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11945 break;
11946 case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
11947 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11948 break;
11949 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
11950 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
11951 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11952 offset += 2;
11953 break;
11954 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
11955 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
11956 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11957 break;
11958 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
11959 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
11960 break;
11961 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
11962 case SSL_HND_HELLO_EXT_KEY_SHARE51:
11963 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11964 break;
11965 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
11966 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11967 break;
11968 case SSL_HND_HELLO_EXT_EARLY_DATA42:
11969 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
11970 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11971 break;
11972 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
11973 switch (hnd_type) {
11974 case SSL_HND_CLIENT_HELLO:
11975 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
11976 break;
11977 case SSL_HND_SERVER_HELLO:
11978 case SSL_HND_HELLO_RETRY_REQUEST:
11979 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
11980 offset += 2;
11981 proto_item_append_text(ext_tree, " %s", val_to_str(pinfo->pool, supported_version, ssl_versions, "Unknown (0x%04x)"));
11982 break;
11983 }
11984 break;
11985 case SSL_HND_HELLO_EXT_COOKIE44:
11986 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
11987 break;
11988 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
11989 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
11990 break;
11991 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
11992 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
11993 break;
11994 case SSL_HND_HELLO_EXT_OID_FILTERS48:
11995 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
11996 break;
11997 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
11998 break;
11999 case SSL_HND_HELLO_EXT_NPN13172:
12000 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
12001 break;
12002 case SSL_HND_HELLO_EXT_ALPS_OLD17513:
12003 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12004 break;
12005 case SSL_HND_HELLO_EXT_ALPS17613:
12006 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12007 break;
12008 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
12009 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
12010 break;
12011 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
12012 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12013 break;
12014 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
12015 session->deprecated_cid = true1;
12016 /* FALLTHRU */
12017 case SSL_HND_HELLO_EXT_CONNECTION_ID54:
12018 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
12019 break;
12020 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
12021 offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
12022 break;
12023 default:
12024 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
12025 tvb, offset, ext_len, ENC_NA0x00000000);
12026 offset += ext_len;
12027 break;
12028 }
12029
12030 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
12031 /* Dissection did not end at expected location, fix it. */
12032 offset = next_offset;
12033 }
12034 }
12035
12036 if (ja3) {
12037 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12038 if(wmem_strbuf_get_len(ja3_sg) > 0) {
12039 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
12040 } else {
12041 wmem_strbuf_append_c(ja3, ',');
12042 }
12043 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
12044 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
12045 } else {
12046 wmem_strbuf_append_c(ja3, ',');
12047 }
12048 }
12049 }
12050
12051 /* Check if Extensions vector is correctly terminated. */
12052 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
12053 offset = offset_end;
12054 }
12055
12056 return offset;
12057} /* }}} */
12058
12059
12060/* ClientKeyExchange algo-specific dissectors. {{{ */
12061
12062static void
12063dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12064 proto_tree *tree, uint32_t offset,
12065 uint32_t length)
12066{
12067 int point_len;
12068 proto_tree *ssl_ecdh_tree;
12069
12070 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12071 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Client Params");
12072
12073 /* point */
12074 point_len = tvb_get_uint8(tvb, offset);
12075 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
12076 offset, 1, ENC_BIG_ENDIAN0x00000000);
12077 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
12078 offset + 1, point_len, ENC_NA0x00000000);
12079}
12080
12081static void
12082dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12083 proto_tree *tree, uint32_t offset, uint32_t length)
12084{
12085 int yc_len;
12086 proto_tree *ssl_dh_tree;
12087
12088 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12089 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Client Params");
12090
12091 /* ClientDiffieHellmanPublic.dh_public (explicit) */
12092 yc_len = tvb_get_ntohs(tvb, offset);
12093 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
12094 offset, 2, ENC_BIG_ENDIAN0x00000000);
12095 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,
12096 offset + 2, yc_len, ENC_NA0x00000000);
12097}
12098
12099static void
12100dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12101 proto_tree *tree, uint32_t offset,
12102 uint32_t length, const SslSession *session)
12103{
12104 int epms_len;
12105 proto_tree *ssl_rsa_tree;
12106
12107 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12108 hf->ett.keyex_params, NULL((void*)0), "RSA Encrypted PreMaster Secret");
12109
12110 /* EncryptedPreMasterSecret.pre_master_secret */
12111 switch (session->version) {
12112 case SSLV2_VERSION0x0002:
12113 case SSLV3_VERSION0x300:
12114 case DTLSV1DOT0_OPENSSL_VERSION0x100:
12115 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
12116 * not present. The handshake contents represents the EPMS, see:
12117 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
12118 epms_len = length;
12119 break;
12120
12121 default:
12122 /* TLS and DTLS include vector length before EPMS */
12123 epms_len = tvb_get_ntohs(tvb, offset);
12124 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12125 offset, 2, ENC_BIG_ENDIAN0x00000000);
12126 offset += 2;
12127 break;
12128 }
12129 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
12130 offset, epms_len, ENC_NA0x00000000);
12131}
12132
12133/* Used in PSK cipher suites */
12134static uint32_t
12135dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12136 proto_tree *tree, uint32_t offset)
12137{
12138 unsigned identity_len;
12139 proto_tree *ssl_psk_tree;
12140
12141 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12142 hf->ett.keyex_params, NULL((void*)0), "PSK Client Params");
12143 /* identity */
12144 identity_len = tvb_get_ntohs(tvb, offset);
12145 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
12146 offset, 2, ENC_BIG_ENDIAN0x00000000);
12147 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,
12148 offset + 2, identity_len, ENC_NA0x00000000);
12149
12150 proto_item_set_len(ssl_psk_tree, 2 + identity_len);
12151 return 2 + identity_len;
12152}
12153
12154/* Used in RSA PSK cipher suites */
12155static void
12156dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12157 proto_tree *tree, uint32_t offset,
12158 uint32_t length)
12159{
12160 int identity_len, epms_len;
12161 proto_tree *ssl_psk_tree;
12162
12163 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12164 hf->ett.keyex_params, NULL((void*)0), "RSA PSK Client Params");
12165
12166 /* identity */
12167 identity_len = tvb_get_ntohs(tvb, offset);
12168 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,
12169 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12170 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,
12171 tvb, offset + 2, identity_len, ENC_NA0x00000000);
12172 offset += 2 + identity_len;
12173
12174 /* Yc */
12175 epms_len = tvb_get_ntohs(tvb, offset);
12176 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12177 offset, 2, ENC_BIG_ENDIAN0x00000000);
12178 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,
12179 offset + 2, epms_len, ENC_NA0x00000000);
12180}
12181
12182/* Used in Diffie-Hellman PSK cipher suites */
12183static void
12184dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12185 proto_tree *tree, uint32_t offset, uint32_t length)
12186{
12187 /*
12188 * struct {
12189 * select (KeyExchangeAlgorithm) {
12190 * case diffie_hellman_psk:
12191 * opaque psk_identity<0..2^16-1>;
12192 * ClientDiffieHellmanPublic public;
12193 * } exchange_keys;
12194 * } ClientKeyExchange;
12195 */
12196
12197 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12198 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);
12199}
12200
12201/* Used in EC Diffie-Hellman PSK cipher suites */
12202static void
12203dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12204 proto_tree *tree, uint32_t offset, uint32_t length)
12205{
12206 /*
12207 * struct {
12208 * select (KeyExchangeAlgorithm) {
12209 * case ec_diffie_hellman_psk:
12210 * opaque psk_identity<0..2^16-1>;
12211 * ClientECDiffieHellmanPublic public;
12212 * } exchange_keys;
12213 * } ClientKeyExchange;
12214 */
12215
12216 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12217 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);
12218}
12219
12220/* Used in EC J-PAKE cipher suites */
12221static void
12222dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12223 proto_tree *tree, uint32_t offset,
12224 uint32_t length)
12225{
12226 /*
12227 * struct {
12228 * ECPoint V;
12229 * opaque r<1..2^8-1>;
12230 * } ECSchnorrZKP;
12231 *
12232 * struct {
12233 * ECPoint X;
12234 * ECSchnorrZKP zkp;
12235 * } ECJPAKEKeyKP;
12236 *
12237 * struct {
12238 * ECJPAKEKeyKP ecjpake_key_kp;
12239 * } ClientECJPAKEParams;
12240 *
12241 * select (KeyExchangeAlgorithm) {
12242 * case ecjpake:
12243 * ClientECJPAKEParams params;
12244 * } ClientKeyExchange;
12245 */
12246
12247 int point_len;
12248 proto_tree *ssl_ecjpake_tree;
12249
12250 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12251 hf->ett.keyex_params, NULL((void*)0),
12252 "EC J-PAKE Client Params");
12253
12254 /* ECJPAKEKeyKP.X */
12255 point_len = tvb_get_uint8(tvb, offset);
12256 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,
12257 offset, 1, ENC_BIG_ENDIAN0x00000000);
12258 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,
12259 offset + 1, point_len, ENC_NA0x00000000);
12260 offset += 1 + point_len;
12261
12262 /* ECJPAKEKeyKP.zkp.V */
12263 point_len = tvb_get_uint8(tvb, offset);
12264 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,
12265 offset, 1, ENC_BIG_ENDIAN0x00000000);
12266 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,
12267 offset + 1, point_len, ENC_NA0x00000000);
12268 offset += 1 + point_len;
12269
12270 /* ECJPAKEKeyKP.zkp.r */
12271 point_len = tvb_get_uint8(tvb, offset);
12272 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,
12273 offset, 1, ENC_BIG_ENDIAN0x00000000);
12274 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,
12275 offset + 1, point_len, ENC_NA0x00000000);
12276}
12277
12278static void
12279dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12280 proto_tree *tree, uint32_t offset,
12281 uint32_t length)
12282{
12283 int epms_len;
12284 proto_tree *ssl_ecc_sm2_tree;
12285
12286 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12287 hf->ett.keyex_params, NULL((void*)0),
12288 "ECC-SM2 Encrypted PreMaster Secret");
12289
12290 epms_len = tvb_get_ntohs(tvb, offset);
12291 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12292 offset, 2, ENC_BIG_ENDIAN0x00000000);
12293 offset += 2;
12294 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
12295 offset, epms_len, ENC_NA0x00000000);
12296}
12297/* ClientKeyExchange algo-specific dissectors. }}} */
12298
12299
12300/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
12301static uint32_t
12302ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12303 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12304 uint16_t version, int hf_sig_len, int hf_sig)
12305{
12306 uint32_t sig_len;
12307
12308 switch (version) {
12309 case TLSV1DOT2_VERSION0x303:
12310 case DTLSV1DOT2_VERSION0xfefd:
12311 case TLSV1DOT3_VERSION0x304:
12312 case DTLSV1DOT3_VERSION0xfefc:
12313 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
12314 offset += 2;
12315 break;
12316
12317 default:
12318 break;
12319 }
12320
12321 /* Sig */
12322 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
12323 hf_sig_len, 0, UINT16_MAX(65535))) {
12324 return offset_end;
12325 }
12326 offset += 2;
12327 proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA0x00000000);
12328 offset += sig_len;
12329 return offset;
12330} /* }}} */
12331
12332/* ServerKeyExchange algo-specific dissectors. {{{ */
12333
12334/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
12335static void
12336dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12337 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12338 uint16_t version)
12339{
12340 /*
12341 * TLSv1.2 (RFC 5246 sec 7.4.8)
12342 * struct {
12343 * digitally-signed struct {
12344 * opaque handshake_messages[handshake_messages_length];
12345 * }
12346 * } CertificateVerify;
12347 *
12348 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
12349 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
12350 *
12351 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
12352 * does more hashing including the master secret and padding.
12353 */
12354 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
12355 hf->hf.hs_server_keyex_sig_len,
12356 hf->hf.hs_server_keyex_sig);
12357}
12358
12359static uint32_t
12360dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
12361{
12362 /*
12363 * RFC 4492 ECC cipher suites for TLS
12364 *
12365 * struct {
12366 * ECCurveType curve_type;
12367 * select (curve_type) {
12368 * case explicit_prime:
12369 * ...
12370 * case explicit_char2:
12371 * ...
12372 * case named_curve:
12373 * NamedCurve namedcurve;
12374 * };
12375 * } ECParameters;
12376 */
12377
12378 int curve_type;
12379
12380 /* ECParameters.curve_type */
12381 curve_type = tvb_get_uint8(tvb, offset);
12382 proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
12383 offset, 1, ENC_BIG_ENDIAN0x00000000);
12384 offset++;
12385
12386 if (curve_type != 3)
12387 return offset_end; /* only named_curves are supported */
12388
12389 /* case curve_type == named_curve; ECParameters.namedcurve */
12390 proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
12391 offset, 2, ENC_BIG_ENDIAN0x00000000);
12392 offset += 2;
12393
12394 return offset;
12395}
12396
12397static void
12398dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12399 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12400 uint16_t version, bool_Bool anon)
12401{
12402 /*
12403 * RFC 4492 ECC cipher suites for TLS
12404 *
12405 * struct {
12406 * opaque point <1..2^8-1>;
12407 * } ECPoint;
12408 *
12409 * struct {
12410 * ECParameters curve_params;
12411 * ECPoint public;
12412 * } ServerECDHParams;
12413 *
12414 * select (KeyExchangeAlgorithm) {
12415 * case ec_diffie_hellman:
12416 * ServerECDHParams params;
12417 * Signature signed_params;
12418 * } ServerKeyExchange;
12419 */
12420
12421 int point_len;
12422 proto_tree *ssl_ecdh_tree;
12423
12424 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12425 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Server Params");
12426
12427 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);
12428 if (offset >= offset_end)
12429 return; /* only named_curves are supported */
12430
12431 /* ECPoint.point */
12432 point_len = tvb_get_uint8(tvb, offset);
12433 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
12434 offset, 1, ENC_BIG_ENDIAN0x00000000);
12435 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
12436 offset + 1, point_len, ENC_NA0x00000000);
12437 offset += 1 + point_len;
12438
12439 /* Signature (if non-anonymous KEX) */
12440 if (!anon) {
12441 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);
12442 }
12443}
12444
12445static void
12446dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12447 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12448 uint16_t version, bool_Bool anon)
12449{
12450 int p_len, g_len, ys_len;
12451 proto_tree *ssl_dh_tree;
12452
12453 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12454 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");
12455
12456 /* p */
12457 p_len = tvb_get_ntohs(tvb, offset);
12458 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
12459 offset, 2, ENC_BIG_ENDIAN0x00000000);
12460 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
12461 offset + 2, p_len, ENC_NA0x00000000);
12462 offset += 2 + p_len;
12463
12464 /* g */
12465 g_len = tvb_get_ntohs(tvb, offset);
12466 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
12467 offset, 2, ENC_BIG_ENDIAN0x00000000);
12468 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
12469 offset + 2, g_len, ENC_NA0x00000000);
12470 offset += 2 + g_len;
12471
12472 /* Ys */
12473 ys_len = tvb_get_ntohs(tvb, offset);
12474 proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
12475 offset, 2, ys_len);
12476 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
12477 offset + 2, ys_len, ENC_NA0x00000000);
12478 offset += 2 + ys_len;
12479
12480 /* Signature (if non-anonymous KEX) */
12481 if (!anon) {
12482 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
12483 }
12484}
12485
12486/* Only used in RSA-EXPORT cipher suites */
12487static void
12488dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12489 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12490 uint16_t version)
12491{
12492 int modulus_len, exponent_len;
12493 proto_tree *ssl_rsa_tree;
12494
12495 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12496 hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");
12497
12498 /* modulus */
12499 modulus_len = tvb_get_ntohs(tvb, offset);
12500 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
12501 offset, 2, ENC_BIG_ENDIAN0x00000000);
12502 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
12503 offset + 2, modulus_len, ENC_NA0x00000000);
12504 offset += 2 + modulus_len;
12505
12506 /* exponent */
12507 exponent_len = tvb_get_ntohs(tvb, offset);
12508 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
12509 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12510 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
12511 tvb, offset + 2, exponent_len, ENC_NA0x00000000);
12512 offset += 2 + exponent_len;
12513
12514 /* Signature */
12515 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
12516}
12517
12518/* Used in RSA PSK and PSK cipher suites */
12519static uint32_t
12520dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12521 proto_tree *tree, uint32_t offset)
12522{
12523 unsigned hint_len;
12524 proto_tree *ssl_psk_tree;
12525
12526 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12527 hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");
12528
12529 /* hint */
12530 hint_len = tvb_get_ntohs(tvb, offset);
12531 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
12532 offset, 2, ENC_BIG_ENDIAN0x00000000);
12533 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
12534 offset + 2, hint_len, ENC_NA0x00000000);
12535
12536 proto_item_set_len(ssl_psk_tree, 2 + hint_len);
12537 return 2 + hint_len;
12538}
12539
12540/* Used in Diffie-Hellman PSK cipher suites */
12541static void
12542dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12543 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12544{
12545 /*
12546 * struct {
12547 * select (KeyExchangeAlgorithm) {
12548 * case diffie_hellman_psk:
12549 * opaque psk_identity_hint<0..2^16-1>;
12550 * ServerDHParams params;
12551 * };
12552 * } ServerKeyExchange;
12553 */
12554
12555 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12556 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12557}
12558
12559/* Used in EC Diffie-Hellman PSK cipher suites */
12560static void
12561dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12562 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12563{
12564 /*
12565 * struct {
12566 * select (KeyExchangeAlgorithm) {
12567 * case ec_diffie_hellman_psk:
12568 * opaque psk_identity_hint<0..2^16-1>;
12569 * ServerECDHParams params;
12570 * };
12571 * } ServerKeyExchange;
12572 */
12573
12574 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12575 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12576}
12577
12578/* Used in EC J-PAKE cipher suites */
12579static void
12580dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12581 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12582{
12583 /*
12584 * struct {
12585 * ECPoint V;
12586 * opaque r<1..2^8-1>;
12587 * } ECSchnorrZKP;
12588 *
12589 * struct {
12590 * ECPoint X;
12591 * ECSchnorrZKP zkp;
12592 * } ECJPAKEKeyKP;
12593 *
12594 * struct {
12595 * ECParameters curve_params;
12596 * ECJPAKEKeyKP ecjpake_key_kp;
12597 * } ServerECJPAKEParams;
12598 *
12599 * select (KeyExchangeAlgorithm) {
12600 * case ecjpake:
12601 * ServerECJPAKEParams params;
12602 * } ServerKeyExchange;
12603 */
12604
12605 int point_len;
12606 proto_tree *ssl_ecjpake_tree;
12607
12608 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12609 hf->ett.keyex_params, NULL((void*)0),
12610 "EC J-PAKE Server Params");
12611
12612 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
12613 if (offset >= offset_end)
12614 return; /* only named_curves are supported */
12615
12616 /* ECJPAKEKeyKP.X */
12617 point_len = tvb_get_uint8(tvb, offset);
12618 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
12619 offset, 1, ENC_BIG_ENDIAN0x00000000);
12620 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
12621 offset + 1, point_len, ENC_NA0x00000000);
12622 offset += 1 + point_len;
12623
12624 /* ECJPAKEKeyKP.zkp.V */
12625 point_len = tvb_get_uint8(tvb, offset);
12626 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
12627 offset, 1, ENC_BIG_ENDIAN0x00000000);
12628 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
12629 offset + 1, point_len, ENC_NA0x00000000);
12630 offset += 1 + point_len;
12631
12632 /* ECJPAKEKeyKP.zkp.r */
12633 point_len = tvb_get_uint8(tvb, offset);
12634 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
12635 offset, 1, ENC_BIG_ENDIAN0x00000000);
12636 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
12637 offset + 1, point_len, ENC_NA0x00000000);
12638}
12639
12640/* Only used in ECC-SM2-EXPORT cipher suites */
12641static void
12642dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12643 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12644 uint16_t version)
12645{
12646 proto_tree *ssl_ecc_sm2_tree;
12647
12648 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12649 hf->ett.keyex_params, NULL((void*)0), "ECC-SM2-EXPORT Server Params");
12650
12651 /* Signature */
12652 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);
12653}
12654/* ServerKeyExchange algo-specific dissectors. }}} */
12655
12656/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12657void
12658ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12659 proto_tree *tree, uint32_t offset, uint32_t length,
12660 const SslSession *session)
12661{
12662 switch (ssl_get_keyex_alg(session->cipher)) {
12663 case KEX_DH_ANON0x13: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
12664 case KEX_DH_DSS0x14:
12665 case KEX_DH_RSA0x15:
12666 case KEX_DHE_DSS0x10:
12667 case KEX_DHE_RSA0x12:
12668 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
12669 break;
12670 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
12671 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
12672 break;
12673 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
12674 case KEX_ECDH_ECDSA0x1a:
12675 case KEX_ECDH_RSA0x1b:
12676 case KEX_ECDHE_ECDSA0x16:
12677 case KEX_ECDHE_RSA0x18:
12678 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
12679 break;
12680 case KEX_ECDHE_PSK0x17: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
12681 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
12682 break;
12683 case KEX_KRB50x1c: /* RFC 2712; krb5: KerberosWrapper */
12684 /* XXX: implement support for KRB5 */
12685 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12686 tvb, offset, length,
12687 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
12688 " developers if you want them to be supported");
12689 break;
12690 case KEX_PSK0x1d: /* RFC 4279; psk: psk_identity */
12691 dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12692 break;
12693 case KEX_RSA0x1e: /* RFC 5246; rsa: EncryptedPreMasterSecret */
12694 dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
12695 break;
12696 case KEX_RSA_PSK0x1f: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
12697 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
12698 break;
12699 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ClientSRPPublic */
12700 case KEX_SRP_SHA_DSS0x21:
12701 case KEX_SRP_SHA_RSA0x22:
12702 /* XXX: implement support for SRP_SHA* */
12703 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12704 tvb, offset, length,
12705 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12706 " developers if you want them to be supported");
12707 break;
12708 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12709 dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
12710 break;
12711 case KEX_ECC_SM20x26: /* GB/T 38636 */
12712 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
12713 break;
12714 default:
12715 if (session->cipher == 0) {
12716 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12717 tvb, offset, length,
12718 "Cipher Suite not found");
12719 } else {
12720 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12721 tvb, offset, length,
12722 "Cipher Suite 0x%04x is not implemented, "
12723 "contact Wireshark developers if you want this to be supported",
12724 session->cipher);
12725 }
12726 break;
12727 }
12728}
12729
12730void
12731ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12732 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12733 const SslSession *session)
12734{
12735 switch (ssl_get_keyex_alg(session->cipher)) {
12736 case KEX_DH_ANON0x13: /* RFC 5246; ServerDHParams */
12737 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12738 break;
12739 case KEX_DH_DSS0x14: /* RFC 5246; not allowed */
12740 case KEX_DH_RSA0x15:
12741 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12742 tvb, offset, offset_end - offset);
12743 break;
12744 case KEX_DHE_DSS0x10: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
12745 case KEX_DHE_RSA0x12:
12746 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12747 break;
12748 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
12749 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
12750 break;
12751 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
12752 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12753 break;
12754 case KEX_ECDHE_PSK0x17: /* RFC 5489; psk_identity_hint, ServerECDHParams */
12755 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
12756 break;
12757 case KEX_ECDH_ECDSA0x1a: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
12758 case KEX_ECDH_RSA0x1b:
12759 case KEX_ECDHE_ECDSA0x16:
12760 case KEX_ECDHE_RSA0x18:
12761 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12762 break;
12763 case KEX_KRB50x1c: /* RFC 2712; not allowed */
12764 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12765 tvb, offset, offset_end - offset);
12766 break;
12767 case KEX_PSK0x1d: /* RFC 4279; psk, rsa: psk_identity */
12768 case KEX_RSA_PSK0x1f:
12769 dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12770 break;
12771 case KEX_RSA0x1e: /* only allowed if the public key in the server certificate is longer than 512 bits */
12772 dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12773 break;
12774 case KEX_ECC_SM20x26: /* GB/T 38636 */
12775 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12776 break;
12777 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ServerSRPParams, Signature */
12778 case KEX_SRP_SHA_DSS0x21:
12779 case KEX_SRP_SHA_RSA0x22:
12780 /* XXX: implement support for SRP_SHA* */
12781 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12782 tvb, offset, offset_end - offset,
12783 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12784 " developers if you want them to be supported");
12785 break;
12786 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12787 dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
12788 break;
12789 default:
12790 if (session->cipher == 0) {
12791 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12792 tvb, offset, offset_end - offset,
12793 "Cipher Suite not found");
12794 } else {
12795 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12796 tvb, offset, offset_end - offset,
12797 "Cipher Suite 0x%04x is not implemented, "
12798 "contact Wireshark developers if you want this to be supported",
12799 session->cipher);
12800 }
12801 break;
12802 }
12803}
12804/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
12805
12806void
12807tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12808 proto_tree *tree, uint32_t offset)
12809{
12810 /* RFC 8446 Section 4.6.3
12811 * enum {
12812 * update_not_requested(0), update_requested(1), (255)
12813 * } KeyUpdateRequest;
12814 *
12815 * struct {
12816 * KeyUpdateRequest request_update;
12817 * } KeyUpdate;
12818 */
12819 proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA0x00000000);
12820}
12821
12822void
12823ssl_common_register_ssl_alpn_dissector_table(const char *name,
12824 const char *ui_name, const int proto)
12825{
12826 ssl_alpn_dissector_table = register_dissector_table(name, ui_name,
12827 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12828 register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");
12829}
12830
12831void
12832ssl_common_register_dtls_alpn_dissector_table(const char *name,
12833 const char *ui_name, const int proto)
12834{
12835 dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
12836 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12837 register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
12838}
12839
12840void
12841ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool_Bool is_dtls)
12842{
12843 prefs_register_string_preference(module, "psk", "Pre-Shared Key",
12844 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
12845 &(options->psk));
12846
12847 if (is_dtls) {
12848 prefs_register_obsolete_preference(module, "keylog_file");
12849 prefs_register_static_text_preference(module, "keylog_file_removed",
12850 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
12851 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
12852 return;
12853 }
12854
12855 prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
12856 "The name of a file which contains a list of \n"
12857 "(pre-)master secrets in one of the following formats:\n"
12858 "\n"
12859 "RSA <EPMS> <PMS>\n"
12860 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
12861 "CLIENT_RANDOM <CRAND> <MS>\n"
12862 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
12863 "\n"
12864 "Where:\n"
12865 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
12866 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
12867 "<SSLID> = The SSL Session ID\n"
12868 "<MS> = The Master-Secret (MS)\n"
12869 "<CRAND> = The Client's random number from the ClientHello message\n"
12870 "\n"
12871 "(All fields are in hex notation)",
12872 &(options->keylog_filename), false0);
12873}
12874
12875void
12876ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length)
12877{
12878 if (ssl_session && ssl_session->session.version != TLSV1DOT3_VERSION0x304 && !(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
12879 uint32_t old_length = ssl_session->handshake_data.data_len;
12880 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
12881 if (tvb) {
12882 if (tvb_bytes_exist(tvb, offset, length)) {
12883 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12884 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
12885 ssl_session->handshake_data.data_len += length;
12886 }
12887 } else {
12888 /* DTLS calculates the hash as if each handshake message had been
12889 * sent as a single fragment (RFC 6347, section 4.2.6) and passes
12890 * in a null tvbuff to add 3 bytes for a zero fragment offset.
12891 */
12892 DISSECTOR_ASSERT_CMPINT(length, <, 4)((void) ((length < 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "length" " " "<" " " "4" " (" "%"
"l" "d" " " "<" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 12892, (int64_t)length, (int64_t)4))));
12893 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12894 memset(ssl_session->handshake_data.data + old_length, 0, length);
12895 ssl_session->handshake_data.data_len += length;
12896 }
12897 }
12898}
12899
12900
12901/*
12902 * Editor modelines - https://www.wireshark.org/tools/modelines.html
12903 *
12904 * Local variables:
12905 * c-basic-offset: 4
12906 * tab-width: 8
12907 * indent-tabs-mode: nil
12908 * End:
12909 *
12910 * vi: set shiftwidth=4 tabstop=8 expandtab:
12911 * :indentSize=4:tabSize=8:noTabs=true:
12912 */