2 * Routines for ssl dissection
3 * Copyright (c) 2000-2001, Scott Renfro <scott@renfro.org>
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
27 * http://www.mozilla.org/projects/security/pki/nss/ssl/draft02.html
33 * http://www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt
37 * See RFC 2246 for SSL 3.1/TLS 1.0 specs.
39 * See (among other places)
41 * http://www.graphcomp.com/info/specs/ms/pct.htm
43 * for PCT 1 draft specs.
47 * http://research.sun.com/projects/crypto/draft-ietf-tls-ecc-05.txt
49 * for Elliptic Curve Cryptography cipher suites.
53 * http://www.ietf.org/internet-drafts/draft-ietf-tls-camellia-04.txt
55 * for Camellia-based cipher suites.
59 * - Does not support dissection
60 * of frames that would require state maintained between frames
61 * (e.g., single ssl records spread across multiple tcp frames)
63 * - Identifies, but does not fully dissect the following messages:
65 * - SSLv3/TLS (These need more state from previous handshake msgs)
66 * - Server Key Exchange
67 * - Client Key Exchange
68 * - Certificate Verify
70 * - SSLv2 (These don't appear in the clear)
75 * - Request Certificate
76 * - Client Certificate
78 * - Decryption is supported only for session that use RSA key exchange,
79 * if the host private key is provided via preference.
81 * - Decryption needs to be performed 'sequentially', so it's done
82 * at packet reception time. This may cause a significant packet capture
83 * slow down. This also causes dissection of some ssl info that in previous
84 * dissector versions was dissected only when a proto_tree context was
87 * We are at Packet reception if time pinfo->fd->flags.visited == 0
95 #include <epan/packet.h>
96 #include <epan/conversation.h>
97 #include <epan/reassemble.h>
98 #include <epan/prefs.h>
99 #include <epan/emem.h>
100 #include <epan/wmem/wmem.h>
101 #include <epan/dissectors/packet-tcp.h>
102 #include <epan/asn1.h>
103 #include <epan/dissectors/packet-x509af.h>
104 #include <epan/dissectors/packet-ocsp.h>
105 #include <epan/tap.h>
106 #include <wsutil/filesystem.h>
107 #include <epan/expert.h>
108 #include "packet-x509if.h"
109 #include "packet-ssl.h"
110 #include "packet-ssl-utils.h"
111 #include <wsutil/file_util.h>
112 #include <epan/uat.h>
113 #include <epan/exported_pdu.h>
115 void proto_register_ssl(void);
117 static ssldecrypt_assoc_t *sslkeylist_uats = NULL;
118 static guint nssldecrypt = 0;
120 static gboolean ssl_desegment = TRUE;
121 static gboolean ssl_desegment_app_data = TRUE;
123 gboolean ssl_ignore_mac_failed = FALSE;
126 /*********************************************************************
128 * Protocol Constants, Variables, Data Structures
130 *********************************************************************/
132 /* Initialize the protocol and registered fields */
133 static gint ssl_tap = -1;
134 static gint exported_pdu_tap = -1;
135 static gint proto_ssl = -1;
136 static gint hf_ssl_record = -1;
137 static gint hf_ssl_record_content_type = -1;
138 static gint hf_ssl_record_version = -1;
139 static gint hf_ssl_record_length = -1;
140 static gint hf_ssl_record_appdata = -1;
141 static gint hf_ssl2_record = -1;
142 static gint hf_ssl2_record_is_escape = -1;
143 static gint hf_ssl2_record_padding_length = -1;
144 static gint hf_ssl2_msg_type = -1;
145 static gint hf_pct_msg_type = -1;
146 static gint hf_ssl_change_cipher_spec = -1;
147 static gint hf_ssl_alert_message = -1;
148 static gint hf_ssl_alert_message_level = -1;
149 static gint hf_ssl_alert_message_description = -1;
150 static gint hf_ssl_handshake_protocol = -1;
151 static gint hf_ssl_handshake_type = -1;
152 static gint hf_ssl_handshake_length = -1;
153 static gint hf_ssl_handshake_client_version = -1;
154 static gint hf_ssl_handshake_server_version = -1;
155 static gint hf_ssl_handshake_random_time = -1;
156 static gint hf_ssl_handshake_random_bytes = -1;
157 static gint hf_ssl_handshake_cipher_suites_len = -1;
158 static gint hf_ssl_handshake_cipher_suites = -1;
159 static gint hf_ssl_handshake_cipher_suite = -1;
160 static gint hf_ssl_handshake_session_id = -1;
161 static gint hf_ssl_handshake_comp_methods_len = -1;
162 static gint hf_ssl_handshake_comp_methods = -1;
163 static gint hf_ssl_handshake_comp_method = -1;
164 static gint hf_ssl_handshake_extensions_len = -1;
165 static gint hf_ssl_handshake_extension_type = -1;
166 static gint hf_ssl_handshake_extension_len = -1;
167 static gint hf_ssl_handshake_extension_data = -1;
168 static gint hf_ssl_handshake_extension_elliptic_curves_len = -1;
169 static gint hf_ssl_handshake_extension_elliptic_curves = -1;
170 static gint hf_ssl_handshake_extension_elliptic_curve = -1;
171 static gint hf_ssl_handshake_extension_ec_point_formats_len = -1;
172 static gint hf_ssl_handshake_extension_ec_point_format = -1;
173 static gint hf_ssl_handshake_extension_alpn_len = -1;
174 static gint hf_ssl_handshake_extension_alpn_list = -1;
175 static gint hf_ssl_handshake_extension_alpn_str_len = -1;
176 static gint hf_ssl_handshake_extension_alpn_str = -1;
177 static gint hf_ssl_handshake_extension_npn_str_len = -1;
178 static gint hf_ssl_handshake_extension_npn_str = -1;
179 static gint hf_ssl_handshake_extension_reneg_info_len = -1;
180 static gint hf_ssl_handshake_extension_server_name_len = -1;
181 static gint hf_ssl_handshake_extension_server_name_list_len = -1;
182 static gint hf_ssl_handshake_extension_server_name_type = -1;
183 static gint hf_ssl_handshake_extension_server_name = -1;
184 static gint hf_ssl_hs_ext_cert_status_type = -1;
185 static gint hf_ssl_hs_ext_cert_status_request_len = -1;
186 static gint hf_ssl_hs_ext_cert_url_type = -1;
187 static gint hf_ssl_hs_ext_cert_url_url_hash_list_len = -1;
188 static gint hf_ssl_hs_ext_cert_url_item = -1;
189 static gint hf_ssl_hs_ext_cert_url_url_len = -1;
190 static gint hf_ssl_hs_ext_cert_url_url = -1;
191 static gint hf_ssl_hs_ext_cert_url_padding = -1;
192 static gint hf_ssl_hs_ext_cert_url_sha1 = -1;
193 static gint hf_ssl_hs_ext_cert_status_responder_id_list_len = -1;
194 static gint hf_ssl_hs_ext_cert_status_request_extensions_len = -1;
195 static gint hf_ssl_handshake_session_ticket_lifetime_hint = -1;
196 static gint hf_ssl_handshake_session_ticket_len = -1;
197 static gint hf_ssl_handshake_session_ticket = -1;
198 static gint hf_ssl_handshake_certificates_len = -1;
199 static gint hf_ssl_handshake_certificates = -1;
200 static gint hf_ssl_handshake_certificate = -1;
201 static gint hf_ssl_handshake_certificate_len = -1;
202 static gint hf_ssl_handshake_cert_types_count = -1;
203 static gint hf_ssl_handshake_cert_types = -1;
204 static gint hf_ssl_handshake_cert_type = -1;
205 static gint hf_ssl_handshake_server_keyex_p_len = -1;
206 static gint hf_ssl_handshake_server_keyex_g_len = -1;
207 static gint hf_ssl_handshake_server_keyex_ys_len = -1;
208 static gint hf_ssl_handshake_server_keyex_point_len = -1;
209 static gint hf_ssl_handshake_client_keyex_yc_len = -1;
210 static gint hf_ssl_handshake_client_keyex_point_len = -1;
211 static gint hf_ssl_handshake_client_keyex_epms_len = -1;
212 static gint hf_ssl_handshake_server_keyex_modulus_len = -1;
213 static gint hf_ssl_handshake_server_keyex_exponent_len = -1;
214 static gint hf_ssl_handshake_server_keyex_sig_len = -1;
215 static gint hf_ssl_handshake_server_keyex_p = -1;
216 static gint hf_ssl_handshake_server_keyex_g = -1;
217 static gint hf_ssl_handshake_server_keyex_ys = -1;
218 static gint hf_ssl_handshake_client_keyex_yc = -1;
219 static gint hf_ssl_handshake_server_keyex_curve_type = -1;
220 static gint hf_ssl_handshake_server_keyex_named_curve = -1;
221 static gint hf_ssl_handshake_server_keyex_point = -1;
222 static gint hf_ssl_handshake_client_keyex_epms = -1;
223 static gint hf_ssl_handshake_client_keyex_point = -1;
224 static gint hf_ssl_handshake_server_keyex_modulus = -1;
225 static gint hf_ssl_handshake_server_keyex_exponent = -1;
226 static gint hf_ssl_handshake_server_keyex_sig = -1;
227 static gint hf_ssl_handshake_server_keyex_hint_len = -1;
228 static gint hf_ssl_handshake_server_keyex_hint = -1;
229 static gint hf_ssl_handshake_client_keyex_identity_len = -1;
230 static gint hf_ssl_handshake_client_keyex_identity = -1;
231 static gint hf_ssl_handshake_sig_hash_alg_len = -1;
232 static gint hf_ssl_handshake_sig_hash_algs = -1;
233 static gint hf_ssl_handshake_sig_hash_alg = -1;
234 static gint hf_ssl_handshake_sig_hash_hash = -1;
235 static gint hf_ssl_handshake_sig_hash_sig = -1;
236 static gint hf_ssl_handshake_cert_status = -1;
237 static gint hf_ssl_handshake_cert_status_type = -1;
238 static gint hf_ssl_handshake_cert_status_len = -1;
239 static gint hf_ssl_handshake_npn_selected_protocol_len = -1;
240 static gint hf_ssl_handshake_npn_selected_protocol = -1;
241 static gint hf_ssl_handshake_npn_padding_len = -1;
242 static gint hf_ssl_handshake_npn_padding = -1;
243 static gint hf_ssl_handshake_finished = -1;
244 static gint hf_ssl_handshake_md5_hash = -1;
245 static gint hf_ssl_handshake_sha_hash = -1;
246 static gint hf_ssl_handshake_session_id_len = -1;
247 static gint hf_ssl_handshake_dnames_len = -1;
248 static gint hf_ssl_handshake_dnames = -1;
249 static gint hf_ssl_handshake_dname_len = -1;
250 static gint hf_ssl_handshake_dname = -1;
251 static gint hf_ssl2_handshake_cipher_spec_len = -1;
252 static gint hf_ssl2_handshake_session_id_len = -1;
253 static gint hf_ssl2_handshake_challenge_len = -1;
254 static gint hf_ssl2_handshake_cipher_spec = -1;
255 static gint hf_ssl2_handshake_challenge = -1;
256 static gint hf_ssl2_handshake_clear_key_len = -1;
257 static gint hf_ssl2_handshake_enc_key_len = -1;
258 static gint hf_ssl2_handshake_key_arg_len = -1;
259 static gint hf_ssl2_handshake_clear_key = -1;
260 static gint hf_ssl2_handshake_enc_key = -1;
261 static gint hf_ssl2_handshake_key_arg = -1;
262 static gint hf_ssl2_handshake_session_id_hit = -1;
263 static gint hf_ssl2_handshake_cert_type = -1;
264 static gint hf_ssl2_handshake_connection_id_len = -1;
265 static gint hf_ssl2_handshake_connection_id = -1;
266 static gint hf_pct_handshake_cipher_spec = -1;
267 static gint hf_pct_handshake_hash_spec = -1;
268 static gint hf_pct_handshake_cert_spec = -1;
269 static gint hf_pct_handshake_cert = -1;
270 static gint hf_pct_handshake_server_cert = -1;
271 static gint hf_pct_handshake_exch_spec = -1;
272 static gint hf_pct_handshake_hash = -1;
273 static gint hf_pct_handshake_cipher = -1;
274 static gint hf_pct_handshake_exch = -1;
275 static gint hf_pct_handshake_sig = -1;
276 static gint hf_pct_msg_error_type = -1;
277 static int hf_ssl_reassembled_in = -1;
278 static int hf_ssl_reassembled_length = -1;
279 static int hf_ssl_reassembled_data = -1;
280 static int hf_ssl_segments = -1;
281 static int hf_ssl_segment = -1;
282 static int hf_ssl_segment_overlap = -1;
283 static int hf_ssl_segment_overlap_conflict = -1;
284 static int hf_ssl_segment_multiple_tails = -1;
285 static int hf_ssl_segment_too_long_fragment = -1;
286 static int hf_ssl_segment_error = -1;
287 static int hf_ssl_segment_count = -1;
288 static int hf_ssl_segment_data = -1;
290 static gint hf_ssl_heartbeat_extension_mode = -1;
291 static gint hf_ssl_heartbeat_message = -1;
292 static gint hf_ssl_heartbeat_message_type = -1;
293 static gint hf_ssl_heartbeat_message_payload_length = -1;
294 static gint hf_ssl_heartbeat_message_payload = -1;
295 static gint hf_ssl_heartbeat_message_padding = -1;
297 /* Initialize the subtree pointers */
298 static gint ett_ssl = -1;
299 static gint ett_ssl_record = -1;
300 static gint ett_ssl_alert = -1;
301 static gint ett_ssl_handshake = -1;
302 static gint ett_ssl_heartbeat = -1;
303 static gint ett_ssl_cipher_suites = -1;
304 static gint ett_ssl_comp_methods = -1;
305 static gint ett_ssl_extension = -1;
306 static gint ett_ssl_extension_curves = -1;
307 static gint ett_ssl_extension_curves_point_formats = -1;
308 static gint ett_ssl_extension_alpn = -1;
309 static gint ett_ssl_extension_npn = -1;
310 static gint ett_ssl_extension_reneg_info = -1;
311 static gint ett_ssl_extension_server_name = -1;
312 static gint ett_ssl_urlhash = -1;
313 static gint ett_ssl_certs = -1;
314 static gint ett_ssl_cert_types = -1;
315 static gint ett_ssl_sig_hash_algs = -1;
316 static gint ett_ssl_sig_hash_alg = -1;
317 static gint ett_ssl_dnames = -1;
318 static gint ett_ssl_random = -1;
319 static gint ett_ssl_new_ses_ticket = -1;
320 static gint ett_ssl_keyex_params = -1;
321 static gint ett_ssl_cert_status = -1;
322 static gint ett_ssl_ocsp_resp = -1;
323 static gint ett_pct_cipher_suites = -1;
324 static gint ett_pct_hash_suites = -1;
325 static gint ett_pct_cert_suites = -1;
326 static gint ett_pct_exch_suites = -1;
327 static gint ett_ssl_segments = -1;
328 static gint ett_ssl_segment = -1;
330 static expert_field ei_ssl_handshake_cipher_suites_mult2 = EI_INIT;
331 static expert_field ei_ssl_handshake_sig_hash_algs_mult2 = EI_INIT;
332 static expert_field ei_ssl2_handshake_session_id_len_error = EI_INIT;
333 static expert_field ei_ssl_hs_ext_cert_status_undecoded = EI_INIT;
336 /* not all of the hf_fields below make sense for SSL but we have to provide
337 them anyways to comply with the api (which was aimed for ip fragment
339 static const fragment_items ssl_segment_items = {
344 &hf_ssl_segment_overlap,
345 &hf_ssl_segment_overlap_conflict,
346 &hf_ssl_segment_multiple_tails,
347 &hf_ssl_segment_too_long_fragment,
348 &hf_ssl_segment_error,
349 &hf_ssl_segment_count,
350 &hf_ssl_reassembled_in,
351 &hf_ssl_reassembled_length,
352 &hf_ssl_reassembled_data,
356 /* These two "SSL segment data" items are factored out to obey DRY. */
357 #define SSL_SEGMENT_DATA_TEXT "SSL segment data"
360 ssl_proto_tree_add_segment_data(
367 proto_tree_add_bytes_format(
374 "%s" SSL_SEGMENT_DATA_TEXT " (%u %s)",
375 prefix != NULL ? prefix : "",
377 plurality(length, "byte", "bytes"));
381 /* ssl_session_hash is used by "Export SSL Session Keys" */
382 GHashTable *ssl_session_hash = NULL;
384 static GHashTable *ssl_key_hash = NULL;
385 static GTree *ssl_associations = NULL;
386 static dissector_handle_t ssl_handle = NULL;
387 static StringInfo ssl_compressed_data = {NULL, 0};
388 static StringInfo ssl_decrypted_data = {NULL, 0};
389 static gint ssl_decrypted_data_avail = 0;
391 static uat_t *ssldecrypt_uat = NULL;
392 static const gchar *ssl_keys_list = NULL;
393 static const gchar *ssl_psk = NULL;
394 static const gchar *ssl_keylog_filename = NULL;
396 /* List of dissectors to call for SSL data */
397 static heur_dissector_list_t ssl_heur_subdissector_list;
399 #if defined(SSL_DECRYPT_DEBUG) || defined(HAVE_LIBGNUTLS)
400 static const gchar *ssl_debug_file_name = NULL;
404 /* Forward declaration we need below */
405 void proto_reg_handoff_ssl(void);
407 /* Desegmentation of SSL streams */
408 /* table to hold defragmented SSL streams */
409 static reassembly_table ssl_reassembly_table;
411 ssl_fragment_init(void)
413 reassembly_table_init(&ssl_reassembly_table,
414 &addresses_ports_reassembly_table_functions);
417 /* initialize/reset per capture state data (ssl sessions cache) */
421 module_t *ssl_module = prefs_find_module("ssl");
422 pref_t *keys_list_pref;
424 ssl_common_init(&ssl_session_hash, &ssl_decrypted_data, &ssl_compressed_data);
428 /* We should have loaded "keys_list" by now. Mark it obsolete */
430 keys_list_pref = prefs_find_preference(ssl_module, "keys_list");
431 if (! prefs_get_preference_obsolete(keys_list_pref)) {
432 prefs_set_preference_obsolete(keys_list_pref);
437 /* parse ssl related preferences (private keys and ports association strings) */
441 ep_stack_t tmp_stack;
442 SslAssociation *tmp_assoc;
445 ssl_set_debug(ssl_debug_file_name);
449 g_hash_table_foreach(ssl_key_hash, ssl_private_key_free, NULL);
450 g_hash_table_destroy(ssl_key_hash);
453 /* remove only associations created from key list */
454 tmp_stack = ep_stack_new();
455 g_tree_foreach(ssl_associations, ssl_assoc_from_key_list, tmp_stack);
456 while ((tmp_assoc = (SslAssociation *)ep_stack_pop(tmp_stack)) != NULL) {
457 ssl_association_remove(ssl_associations, tmp_assoc);
460 /* parse private keys string, load available keys and put them in key hash*/
461 ssl_key_hash = g_hash_table_new(ssl_private_key_hash,ssl_private_key_equal);
464 if (nssldecrypt > 0) {
465 for (i = 0; i < nssldecrypt; i++) {
466 ssldecrypt_assoc_t *ssl_uat = &(sslkeylist_uats[i]);
467 ssl_parse_key_list(ssl_uat, ssl_key_hash, ssl_associations, ssl_handle, TRUE);
475 ssl_parse_old_keys(void)
477 gchar **old_keys, **parts, *err;
481 /* Import old-style keys */
482 if (ssldecrypt_uat && ssl_keys_list && ssl_keys_list[0]) {
483 old_keys = ep_strsplit(ssl_keys_list, ";", 0);
484 for (i = 0; old_keys[i] != NULL; i++) {
485 parts = ep_strsplit(old_keys[i], ",", 4);
486 if (parts[0] && parts[1] && parts[2] && parts[3]) {
487 uat_entry = ep_strdup_printf("\"%s\",\"%s\",\"%s\",\"%s\",\"\"",
488 parts[0], parts[1], parts[2], parts[3]);
489 if (!uat_load_str(ssldecrypt_uat, uat_entry, &err)) {
490 ssl_debug_printf("ssl_parse_old_keys: Can't load UAT string %s: %s\n",
498 /*********************************************************************
500 * SSL Associations tree
502 *********************************************************************/
504 /** maximum size of ssl_association_info() string */
505 #define SSL_ASSOC_MAX_LEN 8192
508 * callback function used by ssl_association_info() to traverse the SSL associations.
511 ssl_association_info_(gpointer key_ _U_, gpointer value_, gpointer s_)
513 SslAssociation *value = (SslAssociation *)value_;
514 gchar *s = (gchar *)s_;
515 const int l = (const int)strlen(s);
516 g_snprintf(s+l, SSL_ASSOC_MAX_LEN-l, "'%s' %s %i\n", value->info, value->tcp ? "TCP":"UDP", value->ssl_port);
521 * @return an information string on the SSL protocol associations. The string has ephemeral lifetime/scope.
524 ssl_association_info(void)
526 gchar *s = (gchar *)ep_alloc0(SSL_ASSOC_MAX_LEN);
527 g_tree_foreach(ssl_associations, ssl_association_info_, s);
531 /*********************************************************************
533 * Forward Declarations
535 *********************************************************************/
538 * SSL version 3 and TLS dissectors
541 /* record layer dissector */
542 static gint dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
543 proto_tree *tree, guint32 offset,
544 guint *conv_version, guint conv_cipher,
545 gboolean *need_desegmentation,
546 SslDecryptSession *conv_data,
547 const gboolean first_record_in_frame);
549 /* change cipher spec dissector */
550 static void dissect_ssl3_change_cipher_spec(tvbuff_t *tvb,
553 guint *conv_version, const guint8 content_type);
555 /* alert message dissector */
556 static void dissect_ssl3_alert(tvbuff_t *tvb, packet_info *pinfo,
557 proto_tree *tree, guint32 offset,
558 guint *conv_version);
560 /* handshake protocol dissector */
561 static void dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
562 proto_tree *tree, guint32 offset,
563 guint32 record_length,
564 guint *conv_version, guint conv_cipher,
565 SslDecryptSession *conv_data, const guint8 content_type);
567 /* heartbeat message dissector */
568 static void dissect_ssl3_heartbeat(tvbuff_t *tvb, packet_info *pinfo,
569 proto_tree *tree, guint32 offset,
570 guint *conv_version, guint32 record_length);
572 /* hello extension dissector */
573 static gint dissect_ssl3_hnd_hello_ext_status_request(tvbuff_t *tvb, proto_tree *tree,
574 guint32 offset, gboolean has_length);
576 static gint dissect_ssl3_hnd_hello_ext_status_request_v2(tvbuff_t *tvb,
577 proto_tree *tree, guint32 offset);
579 static gint dissect_ssl3_hnd_hello_ext_elliptic_curves(tvbuff_t *tvb,
580 proto_tree *tree, guint32 offset);
582 static gint dissect_ssl3_hnd_hello_ext_ec_point_formats(tvbuff_t *tvb,
583 proto_tree *tree, guint32 offset);
585 static gint dissect_ssl3_hnd_hello_ext_sig_hash_algs(tvbuff_t *tvb,
586 proto_tree *tree, guint32 offset, guint32 ext_len);
588 static gint dissect_ssl3_hnd_hello_ext_alpn(tvbuff_t *tvb,
589 proto_tree *tree, guint32 offset, guint32 ext_len);
591 static gint dissect_ssl3_hnd_hello_ext_npn(tvbuff_t *tvb,
592 proto_tree *tree, guint32 offset, guint32 ext_len);
594 static gint dissect_ssl3_hnd_hello_ext_reneg_info(tvbuff_t *tvb,
595 proto_tree *tree, guint32 offset, guint32 ext_len);
597 static gint dissect_ssl3_hnd_hello_ext_server_name(tvbuff_t *tvb,
598 proto_tree *tree, guint32 offset, guint32 ext_len);
600 static void dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb, packet_info *pinfo,
602 guint32 offset, guint32 length,
603 SslDecryptSession *ssl);
605 static void dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb,
607 guint32 offset, guint32 length,
608 SslDecryptSession *ssl);
610 static void dissect_ssl3_hnd_new_ses_ticket(tvbuff_t *tvb,
612 guint32 offset, guint32 length);
614 static void dissect_ssl3_hnd_cert(tvbuff_t *tvb,
615 proto_tree *tree, guint32 offset, packet_info *pinfo);
617 static void dissect_ssl3_hnd_cert_req(tvbuff_t *tvb,
619 guint32 offset, packet_info *pinfo,
620 const guint *conv_version);
622 static void dissect_ssl3_hnd_srv_keyex_ecdh(tvbuff_t *tvb,
624 guint32 offset, guint32 length,
625 const guint *conv_version);
628 static void dissect_ssl3_hnd_srv_keyex_dh(tvbuff_t *tvb,
630 guint32 offset, guint32 length);
632 static void dissect_ssl3_hnd_srv_keyex_rsa(tvbuff_t *tvb,
634 guint32 offset, guint32 length,
635 const guint *conv_version);
637 static void dissect_ssl3_hnd_srv_keyex_psk(tvbuff_t *tvb,
639 guint32 offset, guint32 length);
641 static void dissect_ssl3_hnd_cli_keyex_ecdh(tvbuff_t *tvb,
643 guint32 offset, guint32 length);
645 static void dissect_ssl3_hnd_cli_keyex_dh(tvbuff_t *tvb,
647 guint32 offset, guint32 length);
649 static void dissect_ssl3_hnd_cli_keyex_rsa(tvbuff_t *tvb,
651 guint32 offset, guint32 length);
653 static void dissect_ssl3_hnd_cli_keyex_psk(tvbuff_t *tvb,
655 guint32 offset, guint32 length);
657 static void dissect_ssl3_hnd_cli_keyex_rsa_psk(tvbuff_t *tvb,
659 guint32 offset, guint32 length);
662 static void dissect_ssl3_hnd_finished(tvbuff_t *tvb,
664 const guint32 offset,
665 const guint *conv_version);
667 static void dissect_ssl3_hnd_cert_url(tvbuff_t *tvb, proto_tree *tree,
670 static void dissect_ssl3_hnd_cert_status(tvbuff_t *tvb,
675 static void dissect_ssl3_hnd_encrypted_exts(tvbuff_t *tvb,
680 * SSL version 2 dissectors
684 /* record layer dissector */
685 static gint dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo,
686 proto_tree *tree, guint32 offset,
688 gboolean *need_desegmentation,
689 SslDecryptSession *ssl, gboolean first_record_in_frame);
691 /* client hello dissector */
692 static void dissect_ssl2_hnd_client_hello(tvbuff_t *tvb, packet_info *pinfo,
695 SslDecryptSession *ssl);
697 static void dissect_pct_msg_client_hello(tvbuff_t *tvb,
701 /* client master key dissector */
702 static void dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb,
705 static void dissect_pct_msg_client_master_key(tvbuff_t *tvb,
709 /* server hello dissector */
710 static void dissect_ssl2_hnd_server_hello(tvbuff_t *tvb,
712 guint32 offset, packet_info *pinfo);
713 static void dissect_pct_msg_server_hello(tvbuff_t *tvb,
715 guint32 offset, packet_info *pinfo);
718 static void dissect_pct_msg_server_verify(tvbuff_t *tvb,
722 static void dissect_pct_msg_error(tvbuff_t *tvb,
730 /*static void ssl_set_conv_version(packet_info *pinfo, guint version);*/
731 static gint ssl_is_valid_handshake_type(const guint8 type);
732 static gint ssl_is_valid_ssl_version(const guint16 version);
733 static gint ssl_is_authoritative_version_message(const guint8 content_type,
734 const guint8 next_byte);
735 static gint ssl_is_v2_client_hello(tvbuff_t *tvb, const guint32 offset);
736 static gint ssl_looks_like_sslv2(tvbuff_t *tvb, const guint32 offset);
737 static gint ssl_looks_like_sslv3(tvbuff_t *tvb, const guint32 offset);
738 static gint ssl_looks_like_valid_v2_handshake(tvbuff_t *tvb,
739 const guint32 offset,
740 const guint32 record_length);
741 static gint ssl_looks_like_valid_pct_handshake(tvbuff_t *tvb,
742 const guint32 offset,
743 const guint32 record_length);
745 static gint dissect_ssl_hash_alg_list(tvbuff_t *tvb, proto_tree *tree,
746 guint32 offset, guint16 len);
748 /*********************************************************************
752 *********************************************************************/
754 * Code to actually dissect the packets
757 dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
760 conversation_t *conversation;
763 proto_tree *ssl_tree;
765 gboolean first_record_in_frame;
766 gboolean need_desegmentation;
767 SslDecryptSession *ssl_session;
774 first_record_in_frame = TRUE;
778 ssl_debug_printf("\ndissect_ssl enter frame #%u (%s)\n", pinfo->fd->num, (pinfo->fd->flags.visited)?"already visited":"first time");
780 /* Track the version using conversations to reduce the
781 * chance that a packet that simply *looks* like a v2 or
782 * v3 packet is dissected improperly. This also allows
783 * us to more frequently set the protocol column properly
784 * for continuation data frames.
786 * Also: We use the copy in conv_version as our cached copy,
787 * so that we don't have to search the conversation
788 * table every time we want the version; when setting
789 * the conv_version, must set the copy in the conversation
790 * in addition to conv_version
792 conversation = find_or_create_conversation(pinfo);
794 conv_data = conversation_get_proto_data(conversation, proto_ssl);
796 /* PAOLO: manage ssl decryption data */
797 /*get a valid ssl session pointer*/
798 if (conv_data != NULL)
799 ssl_session = (SslDecryptSession *)conv_data;
801 ssl_session = (SslDecryptSession *)wmem_alloc0(wmem_file_scope(), sizeof(SslDecryptSession));
802 ssl_session_init(ssl_session);
803 ssl_session->version = SSL_VER_UNKNOWN;
804 conversation_add_proto_data(conversation, proto_ssl, ssl_session);
806 conv_version =& ssl_session->version;
807 conv_cipher = ssl_session->cipher;
809 /* try decryption only the first time we see this packet
810 * (to keep cipher synchronized) */
811 if (pinfo->fd->flags.visited)
814 ssl_debug_printf(" conversation = %p, ssl_session = %p\n", (void *)conversation, (void *)ssl_session);
816 /* Initialize the protocol column; we'll set it later when we
817 * figure out what flavor of SSL it is (assuming we don't
818 * throw an exception before we get the chance to do so). */
819 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SSL");
820 /* clear the the info column */
821 col_clear(pinfo->cinfo, COL_INFO);
823 /* TCP packets and SSL records are orthogonal.
824 * A tcp packet may contain multiple ssl records and an ssl
825 * record may be spread across multiple tcp packets.
827 * This loop accounts for multiple ssl records in a single
828 * frame, but not a single ssl record across multiple tcp
831 * Handling the single ssl record across multiple packets
832 * may be possible using wireshark conversations, but
833 * probably not cleanly. May have to wait for tcp stream
837 /* Create display subtree for SSL as a whole */
840 ti = proto_tree_add_item(tree, proto_ssl, tvb, 0, -1, ENC_NA);
841 ssl_tree = proto_item_add_subtree(ti, ett_ssl);
843 /* iterate through the records in this tvbuff */
844 while (tvb_reported_length_remaining(tvb, offset) > 0)
846 ssl_debug_printf(" record: offset = %d, reported_length_remaining = %d\n", offset, tvb_reported_length_remaining(tvb, offset));
849 * Assume, for now, that this doesn't need desegmentation.
851 need_desegmentation = FALSE;
853 /* first try to dispatch off the cached version
854 * known to be associated with the conversation
856 switch (*conv_version) {
859 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
860 offset, conv_version,
861 &need_desegmentation,
863 first_record_in_frame);
868 /* the version tracking code works too well ;-)
869 * at times, we may visit a v2 client hello after
870 * we already know the version of the connection;
871 * work around that here by detecting and calling
872 * the v2 dissector instead
874 if (ssl_is_v2_client_hello(tvb, offset))
876 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
877 offset, conv_version,
878 &need_desegmentation,
880 first_record_in_frame);
884 offset = dissect_ssl3_record(tvb, pinfo, ssl_tree,
885 offset, conv_version,
887 &need_desegmentation,
889 first_record_in_frame);
893 /* that failed, so apply some heuristics based
894 * on this individual packet
897 if (ssl_looks_like_sslv2(tvb, offset))
899 /* looks like sslv2 or pct client hello */
900 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
901 offset, conv_version,
902 &need_desegmentation,
904 first_record_in_frame);
906 else if (ssl_looks_like_sslv3(tvb, offset))
908 /* looks like sslv3 or tls */
909 offset = dissect_ssl3_record(tvb, pinfo, ssl_tree,
910 offset, conv_version,
912 &need_desegmentation,
914 first_record_in_frame);
918 /* on second and subsequent records per frame
919 * add a delimiter on info column
921 if (!first_record_in_frame) {
922 col_append_str(pinfo->cinfo, COL_INFO, ", ");
925 /* looks like something unknown, so lump into
928 offset = tvb_length(tvb);
929 col_append_str(pinfo->cinfo, COL_INFO,
930 "Continuation Data");
932 /* Set the protocol column */
933 col_set_str(pinfo->cinfo, COL_PROTOCOL,
934 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"));
939 /* Desegmentation return check */
940 if (need_desegmentation) {
941 ssl_debug_printf(" need_desegmentation: offset = %d, reported_length_remaining = %d\n",
942 offset, tvb_reported_length_remaining(tvb, offset));
943 tap_queue_packet(ssl_tap, pinfo, GINT_TO_POINTER(proto_ssl));
947 /* set up for next record in frame, if any */
948 first_record_in_frame = FALSE;
951 col_set_fence(pinfo->cinfo, COL_INFO);
955 tap_queue_packet(ssl_tap, pinfo, GINT_TO_POINTER(proto_ssl));
959 decrypt_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset,
960 guint32 record_length, guint8 content_type, SslDecryptSession *ssl,
961 gboolean save_plaintext)
965 StringInfo *data_for_iv;
966 gint data_for_iv_len;
970 /* if we can decrypt and decryption was a success
971 * add decrypted data to this packet info */
972 ssl_debug_printf("decrypt_ssl3_record: app_data len %d, ssl state 0x%02X\n",
973 record_length, ssl->state);
974 direction = ssl_packet_from_server(ssl, ssl_associations, pinfo);
976 /* retrieve decoder for this packet direction */
977 if (direction != 0) {
978 ssl_debug_printf("decrypt_ssl3_record: using server decoder\n");
979 decoder = ssl->server;
982 ssl_debug_printf("decrypt_ssl3_record: using client decoder\n");
983 decoder = ssl->client;
986 /* save data to update IV if decoder is available or updated later */
987 data_for_iv = (direction != 0) ? &ssl->server_data_for_iv : &ssl->client_data_for_iv;
988 data_for_iv_len = (record_length < 24) ? record_length : 24;
989 ssl_data_set(data_for_iv, (guchar*)tvb_get_ptr(tvb, offset + record_length - data_for_iv_len, data_for_iv_len), data_for_iv_len);
992 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
996 /* run decryption and add decrypted payload to protocol data, if decryption
998 ssl_decrypted_data_avail = ssl_decrypted_data.data_len;
999 if (ssl_decrypt_record(ssl, decoder,
1000 content_type, tvb_get_ptr(tvb, offset, record_length),
1001 record_length, &ssl_compressed_data, &ssl_decrypted_data, &ssl_decrypted_data_avail) == 0)
1005 /* save data to update IV if valid session key is obtained later */
1006 data_for_iv = (direction != 0) ? &ssl->server_data_for_iv : &ssl->client_data_for_iv;
1007 data_for_iv_len = (record_length < 24) ? record_length : 24;
1008 ssl_data_set(data_for_iv, (guchar*)tvb_get_ptr(tvb, offset + record_length - data_for_iv_len, data_for_iv_len), data_for_iv_len);
1010 if (ret && save_plaintext) {
1011 ssl_add_data_info(proto_ssl, pinfo, ssl_decrypted_data.data, ssl_decrypted_data_avail, tvb_raw_offset(tvb)+offset, decoder->flow);
1017 process_ssl_payload(tvbuff_t *tvb, volatile int offset, packet_info *pinfo,
1018 proto_tree *tree, SslAssociation *association);
1021 desegment_ssl(tvbuff_t *tvb, packet_info *pinfo, int offset,
1022 guint32 seq, guint32 nxtseq,
1023 SslAssociation *association,
1024 proto_tree *root_tree, proto_tree *tree,
1027 fragment_head *ipfd_head;
1028 gboolean must_desegment;
1029 gboolean called_dissector;
1030 int another_pdu_follows;
1035 proto_item *frag_tree_item;
1036 proto_item *ssl_tree_item;
1037 struct tcp_multisegment_pdu *msp;
1041 must_desegment = FALSE;
1042 called_dissector = FALSE;
1043 another_pdu_follows = 0;
1047 * Initialize these to assume no desegmentation.
1048 * If that's not the case, these will be set appropriately
1049 * by the subdissector.
1051 pinfo->desegment_offset = 0;
1052 pinfo->desegment_len = 0;
1055 * Initialize this to assume that this segment will just be
1056 * added to the middle of a desegmented chunk of data, so
1057 * that we should show it all as data.
1058 * If that's not the case, it will be set appropriately.
1060 deseg_offset = offset;
1062 /* If we've seen this segment before (e.g., it's a retransmission),
1063 * there's nothing for us to do. Certainly, don't add it to the list
1064 * of multisegment_pdus (that would cause subsequent lookups to find
1065 * the retransmission instead of the original transmission, breaking
1066 * dissection of the desegmented pdu if we'd already seen the end of
1069 if ((msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32(flow->multisegment_pdus, seq))) {
1072 if (msp->first_frame == PINFO_FD_NUM(pinfo)) {
1074 col_set_str(pinfo->cinfo, COL_INFO, "[SSL segment of a reassembled PDU]");
1076 prefix = "Retransmitted ";
1079 nbytes = tvb_reported_length_remaining(tvb, offset);
1080 ssl_proto_tree_add_segment_data(tree, tvb, offset, nbytes, prefix);
1084 /* Else, find the most previous PDU starting before this sequence number */
1085 msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(flow->multisegment_pdus, seq-1);
1086 if (msp && msp->seq <= seq && msp->nxtpdu > seq) {
1089 if (!PINFO_FD_VISITED(pinfo)) {
1090 msp->last_frame = pinfo->fd->num;
1091 msp->last_frame_time = pinfo->fd->abs_ts;
1094 /* OK, this PDU was found, which means the segment continues
1095 * a higher-level PDU and that we must desegment it.
1097 if (msp->flags & MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT) {
1098 /* The dissector asked for the entire segment */
1099 len = MAX(0, tvb_length_remaining(tvb, offset));
1101 len = MIN(nxtseq, msp->nxtpdu) - seq;
1104 ipfd_head = fragment_add(&ssl_reassembly_table, tvb, offset,
1105 pinfo, msp->first_frame, NULL,
1107 len, (LT_SEQ (nxtseq,msp->nxtpdu)));
1109 if (msp->flags & MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT) {
1110 msp->flags &= (~MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT);
1112 /* If we consumed the entire segment there is no
1113 * other pdu starting anywhere inside this segment.
1114 * So update nxtpdu to point at least to the start
1115 * of the next segment.
1116 * (If the subdissector asks for even more data we
1117 * will advance nxtpdu even further later down in
1120 msp->nxtpdu = nxtseq;
1123 if ( (msp->nxtpdu < nxtseq)
1124 && (msp->nxtpdu >= seq)
1126 another_pdu_follows = msp->nxtpdu - seq;
1129 /* This segment was not found in our table, so it doesn't
1130 * contain a continuation of a higher-level PDU.
1131 * Call the normal subdissector.
1133 process_ssl_payload(tvb, offset, pinfo, tree, association);
1134 called_dissector = TRUE;
1136 /* Did the subdissector ask us to desegment some more data
1137 * before it could handle the packet?
1138 * If so we have to create some structures in our table but
1139 * this is something we only do the first time we see this
1142 if (pinfo->desegment_len) {
1143 if (!PINFO_FD_VISITED(pinfo))
1144 must_desegment = TRUE;
1147 * Set "deseg_offset" to the offset in "tvb"
1148 * of the first byte of data that the
1149 * subdissector didn't process.
1151 deseg_offset = offset + pinfo->desegment_offset;
1154 /* Either no desegmentation is necessary, or this is
1155 * segment contains the beginning but not the end of
1156 * a higher-level PDU and thus isn't completely
1163 /* is it completely desegmented? */
1166 * Yes, we think it is.
1167 * We only call subdissector for the last segment.
1168 * Note that the last segment may include more than what
1171 if (ipfd_head->reassembled_in == pinfo->fd->num) {
1173 * OK, this is the last segment.
1174 * Let's call the subdissector with the desegmented
1180 /* create a new TVB structure for desegmented data */
1181 next_tvb = tvb_new_chain(tvb, ipfd_head->tvb_data);
1183 /* add desegmented data to the data source list */
1184 add_new_data_source(pinfo, next_tvb, "Reassembled SSL");
1186 /* call subdissector */
1187 process_ssl_payload(next_tvb, 0, pinfo, tree, association);
1188 called_dissector = TRUE;
1191 * OK, did the subdissector think it was completely
1192 * desegmented, or does it think we need even more
1195 old_len = (int)(tvb_reported_length(next_tvb) - tvb_reported_length_remaining(tvb, offset));
1196 if (pinfo->desegment_len && pinfo->desegment_offset <= old_len) {
1198 * "desegment_len" isn't 0, so it needs more
1199 * data for something - and "desegment_offset"
1200 * is before "old_len", so it needs more data
1201 * to dissect the stuff we thought was
1202 * completely desegmented (as opposed to the
1203 * stuff at the beginning being completely
1204 * desegmented, but the stuff at the end
1205 * being a new higher-level PDU that also
1206 * needs desegmentation).
1208 fragment_set_partial_reassembly(&ssl_reassembly_table,
1209 pinfo, msp->first_frame, NULL);
1210 /* Update msp->nxtpdu to point to the new next
1213 if (pinfo->desegment_len == DESEGMENT_ONE_MORE_SEGMENT) {
1214 /* We want reassembly of at least one
1215 * more segment so set the nxtpdu
1216 * boundary to one byte into the next
1218 * This means that the next segment
1219 * will complete reassembly even if it
1220 * is only one single byte in length.
1222 msp->nxtpdu = seq + tvb_reported_length_remaining(tvb, offset) + 1;
1223 msp->flags |= MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT;
1225 msp->nxtpdu = seq + tvb_reported_length_remaining(tvb, offset) + pinfo->desegment_len;
1227 /* Since we need at least some more data
1228 * there can be no pdu following in the
1229 * tail of this segment.
1231 another_pdu_follows = 0;
1234 * Show the stuff in this TCP segment as
1235 * just raw TCP segment data.
1237 nbytes = tvb_reported_length_remaining(tvb, offset);
1238 ssl_proto_tree_add_segment_data(tree, tvb, offset, nbytes, NULL);
1241 * The subdissector thought it was completely
1242 * desegmented (although the stuff at the
1243 * end may, in turn, require desegmentation),
1244 * so we show a tree with all segments.
1246 show_fragment_tree(ipfd_head, &ssl_segment_items,
1247 root_tree, pinfo, next_tvb, &frag_tree_item);
1249 * The toplevel fragment subtree is now
1250 * behind all desegmented data; move it
1251 * right behind the TCP tree.
1253 ssl_tree_item = proto_tree_get_parent(tree);
1254 if (frag_tree_item && ssl_tree_item) {
1255 proto_tree_move_item(root_tree, ssl_tree_item, frag_tree_item);
1258 /* Did the subdissector ask us to desegment
1259 * some more data? This means that the data
1260 * at the beginning of this segment completed
1261 * a higher-level PDU, but the data at the
1262 * end of this segment started a higher-level
1263 * PDU but didn't complete it.
1265 * If so, we have to create some structures
1266 * in our table, but this is something we
1267 * only do the first time we see this packet.
1269 if (pinfo->desegment_len) {
1270 if (!PINFO_FD_VISITED(pinfo))
1271 must_desegment = TRUE;
1273 /* The stuff we couldn't dissect
1274 * must have come from this segment,
1275 * so it's all in "tvb".
1277 * "pinfo->desegment_offset" is
1278 * relative to the beginning of
1279 * "next_tvb"; we want an offset
1280 * relative to the beginning of "tvb".
1282 * First, compute the offset relative
1283 * to the *end* of "next_tvb" - i.e.,
1284 * the number of bytes before the end
1285 * of "next_tvb" at which the
1286 * subdissector stopped. That's the
1287 * length of "next_tvb" minus the
1288 * offset, relative to the beginning
1289 * of "next_tvb, at which the
1290 * subdissector stopped.
1292 deseg_offset = ipfd_head->datalen - pinfo->desegment_offset;
1294 /* "tvb" and "next_tvb" end at the
1295 * same byte of data, so the offset
1296 * relative to the end of "next_tvb"
1297 * of the byte at which we stopped
1298 * is also the offset relative to
1299 * the end of "tvb" of the byte at
1302 * Convert that back into an offset
1303 * relative to the beginninng of
1304 * "tvb", by taking the length of
1305 * "tvb" and subtracting the offset
1306 * relative to the end.
1308 deseg_offset = tvb_reported_length(tvb) - deseg_offset;
1314 if (must_desegment) {
1315 /* If the dissector requested "reassemble until FIN"
1316 * just set this flag for the flow and let reassembly
1317 * proceed at normal. We will check/pick up these
1318 * reassembled PDUs later down in dissect_tcp() when checking
1321 if (pinfo->desegment_len == DESEGMENT_UNTIL_FIN) {
1322 flow->flags |= TCP_FLOW_REASSEMBLE_UNTIL_FIN;
1325 * The sequence number at which the stuff to be desegmented
1326 * starts is the sequence number of the byte at an offset
1327 * of "deseg_offset" into "tvb".
1329 * The sequence number of the byte at an offset of "offset"
1330 * is "seq", i.e. the starting sequence number of this
1331 * segment, so the sequence number of the byte at
1332 * "deseg_offset" is "seq + (deseg_offset - offset)".
1334 deseg_seq = seq + (deseg_offset - offset);
1336 if (((nxtseq - deseg_seq) <= 1024*1024)
1337 && (!PINFO_FD_VISITED(pinfo))) {
1338 if (pinfo->desegment_len == DESEGMENT_ONE_MORE_SEGMENT) {
1339 /* The subdissector asked to reassemble using the
1340 * entire next segment.
1341 * Just ask reassembly for one more byte
1342 * but set this msp flag so we can pick it up
1345 msp = pdu_store_sequencenumber_of_next_pdu(pinfo,
1346 deseg_seq, nxtseq+1, flow->multisegment_pdus);
1347 msp->flags |= MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT;
1349 msp = pdu_store_sequencenumber_of_next_pdu(pinfo,
1350 deseg_seq, nxtseq+pinfo->desegment_len, flow->multisegment_pdus);
1353 /* add this segment as the first one for this new pdu */
1354 fragment_add(&ssl_reassembly_table, tvb, deseg_offset,
1355 pinfo, msp->first_frame, NULL,
1356 0, nxtseq - deseg_seq,
1357 LT_SEQ(nxtseq, msp->nxtpdu));
1361 if (!called_dissector || pinfo->desegment_len != 0) {
1362 if (ipfd_head != NULL && ipfd_head->reassembled_in != 0 &&
1363 !(ipfd_head->flags & FD_PARTIAL_REASSEMBLY)) {
1365 * We know what frame this PDU is reassembled in;
1366 * let the user know.
1368 item=proto_tree_add_uint(tree, *ssl_segment_items.hf_reassembled_in,
1369 tvb, 0, 0, ipfd_head->reassembled_in);
1370 PROTO_ITEM_SET_GENERATED(item);
1374 * Either we didn't call the subdissector at all (i.e.,
1375 * this is a segment that contains the middle of a
1376 * higher-level PDU, but contains neither the beginning
1377 * nor the end), or the subdissector couldn't dissect it
1378 * all, as some data was missing (i.e., it set
1379 * "pinfo->desegment_len" to the amount of additional
1382 if (pinfo->desegment_offset == 0) {
1384 * It couldn't, in fact, dissect any of it (the
1385 * first byte it couldn't dissect is at an offset
1386 * of "pinfo->desegment_offset" from the beginning
1387 * of the payload, and that's 0).
1388 * Just mark this as SSL.
1390 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SSL");
1391 col_set_str(pinfo->cinfo, COL_INFO, "[SSL segment of a reassembled PDU]");
1395 * Show what's left in the packet as just raw TCP segment
1397 * XXX - remember what protocol the last subdissector
1398 * was, and report it as a continuation of that, instead?
1400 nbytes = tvb_reported_length_remaining(tvb, deseg_offset);
1401 ssl_proto_tree_add_segment_data(tree, tvb, deseg_offset, nbytes, NULL);
1403 pinfo->can_desegment = 0;
1404 pinfo->desegment_offset = 0;
1405 pinfo->desegment_len = 0;
1407 if (another_pdu_follows) {
1408 /* there was another pdu following this one. */
1409 pinfo->can_desegment=2;
1410 /* we also have to prevent the dissector from changing the
1411 * PROTOCOL and INFO colums since what follows may be an
1412 * incomplete PDU and we dont want it be changed back from
1413 * <Protocol> to <TCP>
1414 * XXX There is no good way to block the PROTOCOL column
1415 * from being changed yet so we set the entire row unwritable.
1417 col_set_fence(pinfo->cinfo, COL_INFO);
1418 col_set_writable(pinfo->cinfo, FALSE);
1419 offset += another_pdu_follows;
1420 seq += another_pdu_follows;
1426 process_ssl_payload(tvbuff_t *tvb, volatile int offset, packet_info *pinfo,
1427 proto_tree *tree, SslAssociation *association)
1431 next_tvb = tvb_new_subset_remaining(tvb, offset);
1433 if (association && association->handle) {
1434 ssl_debug_printf("dissect_ssl3_record found association %p\n", (void *)association);
1436 if (dissector_try_heuristic(ssl_heur_subdissector_list, next_tvb,
1437 pinfo, proto_tree_get_root(tree), NULL)) {
1439 if (have_tap_listener(exported_pdu_tap)) {
1440 exp_pdu_data_t *exp_pdu_data;
1442 exp_pdu_data = load_export_pdu_tags(pinfo, dissector_handle_get_dissector_name(association->handle), -1,
1443 (EXP_PDU_TAG_IP_SRC_BIT | EXP_PDU_TAG_IP_DST_BIT | EXP_PDU_TAG_SRC_PORT_BIT |
1444 EXP_PDU_TAG_DST_PORT_BIT | EXP_PDU_TAG_ORIG_FNO_BIT));
1446 exp_pdu_data->tvb_length = tvb_length(next_tvb);
1447 exp_pdu_data->pdu_tvb = next_tvb;
1449 tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
1451 call_dissector(association->handle, next_tvb, pinfo, proto_tree_get_root(tree));
1457 dissect_ssl_payload(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *tree, SslAssociation *association)
1459 gboolean save_fragmented;
1460 guint16 save_can_desegment;
1461 SslDataInfo *appl_data;
1464 /* Preserve current desegmentation ability to prevent the subdissector
1465 * from messing up the ssl desegmentation */
1466 save_can_desegment = pinfo->can_desegment;
1468 /* show decrypted data info, if available */
1469 appl_data = ssl_get_data_info(proto_ssl, pinfo, tvb_raw_offset(tvb)+offset);
1470 if (!appl_data || !appl_data->plain_data.data_len) return;
1472 /* try to dissect decrypted data*/
1473 ssl_debug_printf("dissect_ssl3_record decrypted len %d\n", appl_data->plain_data.data_len);
1474 ssl_print_data("decrypted app data fragment", appl_data->plain_data.data, appl_data->plain_data.data_len);
1476 /* create a new TVB structure for desegmented data */
1477 next_tvb = tvb_new_child_real_data(tvb, appl_data->plain_data.data, appl_data->plain_data.data_len, appl_data->plain_data.data_len);
1479 /* add desegmented data to the data source list */
1480 add_new_data_source(pinfo, next_tvb, "Decrypted SSL data");
1482 /* Can we desegment this segment? */
1483 if (ssl_desegment_app_data) {
1485 pinfo->can_desegment = 2;
1486 desegment_ssl(next_tvb, pinfo, 0, appl_data->seq, appl_data->nxtseq, association, proto_tree_get_root(tree), tree, appl_data->flow);
1487 } else if (association && association->handle) {
1488 /* No - just call the subdissector.
1489 Mark this as fragmented, so if somebody throws an exception,
1490 we don't report it as a malformed frame. */
1491 pinfo->can_desegment = 0;
1492 save_fragmented = pinfo->fragmented;
1493 pinfo->fragmented = TRUE;
1495 process_ssl_payload(next_tvb, 0, pinfo, tree, association);
1496 pinfo->fragmented = save_fragmented;
1499 /* restore desegmentation ability */
1500 pinfo->can_desegment = save_can_desegment;
1504 /*********************************************************************
1506 * SSL version 3 and TLS Dissection Routines
1508 *********************************************************************/
1510 dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
1511 proto_tree *tree, guint32 offset,
1512 guint *conv_version, guint conv_cipher,
1513 gboolean *need_desegmentation,
1514 SslDecryptSession *ssl, const gboolean first_record_in_frame)
1519 * uint8 major, minor;
1520 * } ProtocolVersion;
1524 * change_cipher_spec(20), alert(21), handshake(22),
1525 * application_data(23), (255)
1530 * ProtocolVersion version;
1532 * opaque fragment[TLSPlaintext.length];
1535 guint32 record_length;
1537 guint8 content_type;
1540 proto_tree *ssl_record_tree;
1541 SslAssociation *association;
1542 guint32 available_bytes;
1545 ssl_record_tree = NULL;
1547 available_bytes = tvb_length_remaining(tvb, offset);
1549 /* TLS 1.0/1.1 just ignores unknown records - RFC 2246 chapter 6. The TLS Record Protocol */
1550 if ((*conv_version==SSL_VER_TLS || *conv_version==SSL_VER_TLSv1DOT1 || *conv_version==SSL_VER_TLSv1DOT2) &&
1551 (available_bytes >=1 ) && !ssl_is_valid_content_type(tvb_get_guint8(tvb, offset))) {
1552 proto_tree_add_text(tree, tvb, offset, available_bytes, "Ignored Unknown Record");
1553 /* on second and subsequent records per frame
1554 * add a delimiter on info column
1556 if (!first_record_in_frame) {
1557 col_append_str(pinfo->cinfo, COL_INFO, ", ");
1559 col_append_str(pinfo->cinfo, COL_INFO, "Ignored Unknown Record");
1560 col_set_str(pinfo->cinfo, COL_PROTOCOL, val_to_str_const(*conv_version, ssl_version_short_names, "SSL"));
1561 return offset + available_bytes;
1565 * Is the record header split across segment boundaries?
1567 if (available_bytes < 5) {
1569 * Yes - can we do reassembly?
1571 if (ssl_desegment && pinfo->can_desegment) {
1573 * Yes. Tell the TCP dissector where the data for this
1574 * message starts in the data it handed us, and that we need
1575 * "some more data." Don't tell it exactly how many bytes we
1576 * need because if/when we ask for even more (after the header)
1577 * that will break reassembly.
1579 pinfo->desegment_offset = offset;
1580 pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
1581 *need_desegmentation = TRUE;
1584 /* Not enough bytes available. Stop here. */
1585 return offset + available_bytes;
1590 * Get the record layer fields of interest
1592 content_type = tvb_get_guint8(tvb, offset);
1593 version = tvb_get_ntohs(tvb, offset + 1);
1594 record_length = tvb_get_ntohs(tvb, offset + 3);
1596 if (ssl_is_valid_content_type(content_type)) {
1599 * Is the record split across segment boundaries?
1601 if (available_bytes < record_length + 5) {
1603 * Yes - can we do reassembly?
1605 if (ssl_desegment && pinfo->can_desegment) {
1607 * Yes. Tell the TCP dissector where the data for this
1608 * message starts in the data it handed us, and how many
1609 * more bytes we need, and return.
1611 pinfo->desegment_offset = offset;
1614 * pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
1615 * it avoids some minor display glitches when a frame contains
1616 * the continuation of a previous PDU together with a full new
1617 * PDU, but it completely breaks dissection for jumbo SSL frames
1620 pinfo->desegment_len = (record_length + 5) - available_bytes;
1621 *need_desegmentation = TRUE;
1624 /* Not enough bytes available. Stop here. */
1625 return offset + available_bytes;
1631 /* on second and subsequent records per frame
1632 * add a delimiter on info column
1634 if (!first_record_in_frame) {
1635 col_append_str(pinfo->cinfo, COL_INFO, ", ");
1638 /* if we don't have a valid content_type, there's no sense
1639 * continuing any further
1641 col_append_str(pinfo->cinfo, COL_INFO, "Continuation Data");
1643 /* Set the protocol column */
1644 col_set_str(pinfo->cinfo, COL_PROTOCOL,
1645 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"));
1647 return offset + 5 + record_length;
1650 /* add the record layer subtree header */
1651 ti = proto_tree_add_item(tree, hf_ssl_record, tvb,
1652 offset, 5 + record_length, ENC_NA);
1653 ssl_record_tree = proto_item_add_subtree(ti, ett_ssl_record);
1655 /* show the one-byte content type */
1656 proto_tree_add_item(ssl_record_tree, hf_ssl_record_content_type,
1657 tvb, offset, 1, ENC_BIG_ENDIAN);
1660 /* add the version */
1661 proto_tree_add_item(ssl_record_tree, hf_ssl_record_version, tvb,
1662 offset, 2, ENC_BIG_ENDIAN);
1665 /* add the length */
1666 proto_tree_add_uint(ssl_record_tree, hf_ssl_record_length, tvb,
1667 offset, 2, record_length);
1668 offset += 2; /* move past length field itself */
1671 * if we don't already have a version set for this conversation,
1672 * but this message's version is authoritative (i.e., it's
1673 * not client_hello, then save the version to to conversation
1674 * structure and print the column version
1676 next_byte = tvb_get_guint8(tvb, offset);
1677 if (*conv_version == SSL_VER_UNKNOWN
1678 && ssl_is_authoritative_version_message(content_type, next_byte))
1680 if (version == SSLV3_VERSION)
1682 *conv_version = SSL_VER_SSLv3;
1684 ssl->version_netorder = version;
1685 ssl->state |= SSL_VERSION;
1686 ssl_debug_printf("dissect_ssl3_record found version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state);
1688 /*ssl_set_conv_version(pinfo, ssl->version);*/
1690 else if (version == TLSV1_VERSION)
1693 *conv_version = SSL_VER_TLS;
1695 ssl->version_netorder = version;
1696 ssl->state |= SSL_VERSION;
1697 ssl_debug_printf("dissect_ssl3_record found version 0x%04X(TLS 1.0) -> state 0x%02X\n", ssl->version_netorder, ssl->state);
1699 /*ssl_set_conv_version(pinfo, ssl->version);*/
1701 else if (version == TLSV1DOT1_VERSION)
1704 *conv_version = SSL_VER_TLSv1DOT1;
1706 ssl->version_netorder = version;
1707 ssl->state |= SSL_VERSION;
1708 ssl_debug_printf("dissect_ssl3_record found version 0x%04X(TLS 1.1) -> state 0x%02X\n", ssl->version_netorder, ssl->state);
1710 /*ssl_set_conv_version(pinfo, ssl->version);*/
1712 else if (version == TLSV1DOT2_VERSION)
1715 *conv_version = SSL_VER_TLSv1DOT2;
1717 ssl->version_netorder = version;
1718 ssl->state |= SSL_VERSION;
1719 ssl_debug_printf("dissect_ssl3_record found version 0x%04X(TLS 1.2) -> state 0x%02X\n", ssl->version_netorder, ssl->state);
1721 /*ssl_set_conv_version(pinfo, ssl->version);*/
1725 /* on second and subsequent records per frame
1726 * add a delimiter on info column
1728 if (!first_record_in_frame) {
1729 col_append_str(pinfo->cinfo, COL_INFO, ", ");
1732 col_set_str(pinfo->cinfo, COL_PROTOCOL,
1733 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"));
1736 * now dissect the next layer
1738 ssl_debug_printf("dissect_ssl3_record: content_type %d %s\n",content_type, val_to_str_const(content_type, ssl_31_content_type, "unknown"));
1740 /* PAOLO try to decrypt each record (we must keep ciphers "in sync")
1741 * store plain text only for app data */
1743 switch (content_type) {
1744 case SSL_ID_CHG_CIPHER_SPEC:
1745 ssl_debug_printf("dissect_ssl3_change_cipher_spec\n");
1746 col_append_str(pinfo->cinfo, COL_INFO, "Change Cipher Spec");
1747 dissect_ssl3_change_cipher_spec(tvb, ssl_record_tree,
1748 offset, conv_version, content_type);
1749 if (ssl) ssl_change_cipher(ssl, ssl_packet_from_server(ssl, ssl_associations, pinfo));
1753 tvbuff_t *decrypted;
1755 if (ssl&&decrypt_ssl3_record(tvb, pinfo, offset,
1756 record_length, content_type, ssl, FALSE))
1757 ssl_add_record_info(proto_ssl, pinfo, ssl_decrypted_data.data,
1758 ssl_decrypted_data_avail, offset);
1760 /* try to retrieve and use decrypted alert record, if any. */
1761 decrypted = ssl_get_record_info(tvb, proto_ssl, pinfo, offset);
1763 add_new_data_source(pinfo, decrypted, "Decrypted SSL record");
1764 dissect_ssl3_alert(decrypted, pinfo, ssl_record_tree, 0, conv_version);
1766 dissect_ssl3_alert(tvb, pinfo, ssl_record_tree, offset, conv_version);
1770 case SSL_ID_HANDSHAKE:
1772 tvbuff_t *decrypted;
1774 /* try to decrypt handshake record, if possible. Store decrypted
1775 * record for later usage. The offset is used as 'key' to identify
1776 * this record in the packet (we can have multiple handshake records
1777 * in the same frame) */
1778 if (ssl && decrypt_ssl3_record(tvb, pinfo, offset,
1779 record_length, content_type, ssl, FALSE))
1780 ssl_add_record_info(proto_ssl, pinfo, ssl_decrypted_data.data,
1781 ssl_decrypted_data_avail, offset);
1783 /* try to retrieve and use decrypted handshake record, if any. */
1784 decrypted = ssl_get_record_info(tvb, proto_ssl, pinfo, offset);
1786 /* add desegmented data to the data source list */
1787 add_new_data_source(pinfo, decrypted, "Decrypted SSL record");
1788 dissect_ssl3_handshake(decrypted, pinfo, ssl_record_tree, 0,
1789 tvb_length(decrypted), conv_version, conv_cipher, ssl, content_type);
1791 dissect_ssl3_handshake(tvb, pinfo, ssl_record_tree, offset,
1792 record_length, conv_version, conv_cipher, ssl, content_type);
1796 case SSL_ID_APP_DATA:
1798 decrypt_ssl3_record(tvb, pinfo, offset,
1799 record_length, content_type, ssl, TRUE);
1800 /* if application data desegmentation is allowed and needed */
1801 /* if (ssl_desegment_app_data && *need_desegmentation)
1802 ssl_desegment_ssl_app_data(ssl,pinfo);
1806 /* show on info column what we are decoding */
1807 col_append_str(pinfo->cinfo, COL_INFO, "Application Data");
1809 /* we need dissector information when the selected packet is shown.
1810 * ssl session pointer is NULL at that time, so we can't access
1811 * info cached there*/
1812 association = ssl_association_find(ssl_associations, pinfo->srcport, pinfo->ptype == PT_TCP);
1813 association = association ? association: ssl_association_find(ssl_associations, pinfo->destport, pinfo->ptype == PT_TCP);
1814 association = association ? association: ssl_association_find(ssl_associations, 0, pinfo->ptype == PT_TCP);
1816 proto_item_set_text(ssl_record_tree,
1817 "%s Record Layer: %s Protocol: %s",
1818 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"),
1819 val_to_str_const(content_type, ssl_31_content_type, "unknown"),
1820 association?association->info:"Application Data");
1822 proto_tree_add_item(ssl_record_tree, hf_ssl_record_appdata, tvb,
1823 offset, record_length, ENC_NA);
1825 dissect_ssl_payload(tvb, pinfo, offset, tree, association);
1828 case SSL_ID_HEARTBEAT:
1830 tvbuff_t *decrypted;
1832 if (ssl && decrypt_ssl3_record(tvb, pinfo, offset,
1833 record_length, content_type, ssl, FALSE))
1834 ssl_add_record_info(proto_ssl, pinfo, ssl_decrypted_data.data,
1835 ssl_decrypted_data_avail, offset);
1837 /* try to retrieve and use decrypted handshake record, if any. */
1838 decrypted = ssl_get_record_info(tvb, proto_ssl, pinfo, offset);
1840 add_new_data_source(pinfo, decrypted, "Decrypted SSL record");
1841 dissect_ssl3_heartbeat(decrypted, pinfo, ssl_record_tree, 0, conv_version, record_length);
1843 dissect_ssl3_heartbeat(tvb, pinfo, ssl_record_tree, offset, conv_version, record_length);
1849 /* shouldn't get here since we check above for valid types */
1850 col_append_str(pinfo->cinfo, COL_INFO, "Bad SSLv3 Content Type");
1853 offset += record_length; /* skip to end of record */
1858 /* dissects the change cipher spec procotol, filling in the tree */
1860 dissect_ssl3_change_cipher_spec(tvbuff_t *tvb,
1861 proto_tree *tree, guint32 offset,
1862 guint *conv_version, const guint8 content_type)
1866 * enum { change_cipher_spec(1), (255) } type;
1867 * } ChangeCipherSpec;
1872 proto_item_set_text(tree,
1873 "%s Record Layer: %s Protocol: Change Cipher Spec",
1874 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"),
1875 val_to_str_const(content_type, ssl_31_content_type, "unknown"));
1876 proto_tree_add_item(tree, hf_ssl_change_cipher_spec, tvb,
1877 offset++, 1, ENC_NA);
1881 /* dissects the alert message, filling in the tree */
1883 dissect_ssl3_alert(tvbuff_t *tvb, packet_info *pinfo,
1884 proto_tree *tree, guint32 offset,
1885 guint *conv_version)
1889 * AlertDescription description;
1893 proto_tree *ssl_alert_tree;
1898 ssl_alert_tree = NULL;
1901 ti = proto_tree_add_item(tree, hf_ssl_alert_message, tvb,
1903 ssl_alert_tree = proto_item_add_subtree(ti, ett_ssl_alert);
1907 * set the record layer label
1910 /* first lookup the names for the alert level and description */
1911 byte = tvb_get_guint8(tvb, offset); /* grab the level byte */
1912 level = try_val_to_str(byte, ssl_31_alert_level);
1914 byte = tvb_get_guint8(tvb, offset+1); /* grab the desc byte */
1915 desc = try_val_to_str(byte, ssl_31_alert_description);
1917 /* now set the text in the record layer line */
1920 col_append_fstr(pinfo->cinfo, COL_INFO,
1921 "Alert (Level: %s, Description: %s)",
1926 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted Alert");
1933 proto_item_set_text(tree, "%s Record Layer: Alert "
1934 "(Level: %s, Description: %s)",
1935 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"),
1937 proto_tree_add_item(ssl_alert_tree, hf_ssl_alert_message_level,
1938 tvb, offset++, 1, ENC_BIG_ENDIAN);
1940 proto_tree_add_item(ssl_alert_tree, hf_ssl_alert_message_description,
1941 tvb, offset++, 1, ENC_BIG_ENDIAN);
1945 proto_item_set_text(tree,
1946 "%s Record Layer: Encrypted Alert",
1947 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"));
1948 proto_item_set_text(ssl_alert_tree,
1949 "Alert Message: Encrypted Alert");
1955 /* dissects the handshake protocol, filling the tree */
1957 dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
1958 proto_tree *tree, guint32 offset,
1959 guint32 record_length, guint *conv_version, guint conv_cipher,
1960 SslDecryptSession *ssl, const guint8 content_type)
1963 * HandshakeType msg_type;
1965 * select (HandshakeType) {
1966 * case hello_request: HelloRequest;
1967 * case client_hello: ClientHello;
1968 * case server_hello: ServerHello;
1969 * case certificate: Certificate;
1970 * case server_key_exchange: ServerKeyExchange;
1971 * case certificate_request: CertificateRequest;
1972 * case server_hello_done: ServerHelloDone;
1973 * case certificate_verify: CertificateVerify;
1974 * case client_key_exchange: ClientKeyExchange;
1975 * case finished: Finished;
1976 * case certificate_url: CertificateURL;
1977 * case certificate_status: CertificateStatus;
1978 * case encrypted_extensions:NextProtocolNegotiationEncryptedExtension;
1982 proto_tree *ssl_hand_tree;
1983 const gchar *msg_type_str;
1986 gboolean first_iteration;
1988 ssl_hand_tree = NULL;
1989 first_iteration = TRUE;
1991 /* just as there can be multiple records per packet, there
1992 * can be multiple messages per record as long as they have
1993 * the same content type
1995 * we really only care about this for handshake messages
1998 /* set record_length to the max offset */
1999 record_length += offset;
2000 while (offset < record_length)
2002 msg_type = tvb_get_guint8(tvb, offset);
2003 length = tvb_get_ntoh24(tvb, offset + 1);
2005 /* Check the length in the handshake message. Assume it's an
2006 * encrypted handshake message if the message would pass
2007 * the record_length boundary. This is a workaround for the
2008 * situation where the first octet of the encrypted handshake
2009 * message is actually a known handshake message type.
2011 if (offset + length <= record_length)
2012 msg_type_str = try_val_to_str(msg_type, ssl_31_handshake_type);
2014 msg_type_str = NULL;
2016 ssl_debug_printf("dissect_ssl3_handshake iteration %d type %d offset %d length %d "
2017 "bytes, remaining %d \n", first_iteration, msg_type, offset, length, record_length);
2018 if (!msg_type_str && !first_iteration)
2020 /* only dissect / report messages if they're
2021 * either the first message in this record
2022 * or they're a valid message type
2027 /* on second and later iterations, add comma to info col */
2028 if (!first_iteration)
2030 col_append_str(pinfo->cinfo, COL_INFO, ", ");
2034 * Update our info string
2036 col_append_str(pinfo->cinfo, COL_INFO, (msg_type_str != NULL)
2037 ? msg_type_str : "Encrypted Handshake Message");
2043 /* set the label text on the record layer expanding node */
2044 if (first_iteration)
2046 proto_item_set_text(tree, "%s Record Layer: %s Protocol: %s",
2047 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"),
2048 val_to_str_const(content_type, ssl_31_content_type, "unknown"),
2049 (msg_type_str!=NULL) ? msg_type_str :
2050 "Encrypted Handshake Message");
2054 proto_item_set_text(tree, "%s Record Layer: %s Protocol: %s",
2055 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"),
2056 val_to_str_const(content_type, ssl_31_content_type, "unknown"),
2057 "Multiple Handshake Messages");
2060 /* add a subtree for the handshake protocol */
2061 ti = proto_tree_add_item(tree, hf_ssl_handshake_protocol, tvb,
2062 offset, length + 4, ENC_NA);
2063 ssl_hand_tree = proto_item_add_subtree(ti, ett_ssl_handshake);
2067 /* set the text label on the subtree node */
2068 proto_item_set_text(ssl_hand_tree, "Handshake Protocol: %s",
2069 (msg_type_str != NULL) ? msg_type_str :
2070 "Encrypted Handshake Message");
2074 /* if we don't have a valid handshake type, just quit dissecting */
2078 /* PAOLO: if we are doing ssl decryption we must dissect some requests type */
2079 if (ssl_hand_tree || ssl)
2081 /* add nodes for the message type and message length */
2083 proto_tree_add_uint(ssl_hand_tree, hf_ssl_handshake_type,
2084 tvb, offset, 1, msg_type);
2087 proto_tree_add_uint(ssl_hand_tree, hf_ssl_handshake_length,
2088 tvb, offset, 3, length);
2091 /* now dissect the handshake message, if necessary */
2093 case SSL_HND_HELLO_REQUEST:
2094 /* hello_request has no fields, so nothing to do! */
2097 case SSL_HND_CLIENT_HELLO:
2098 dissect_ssl3_hnd_cli_hello(tvb, pinfo, ssl_hand_tree, offset, length, ssl);
2101 case SSL_HND_SERVER_HELLO:
2102 dissect_ssl3_hnd_srv_hello(tvb, ssl_hand_tree, offset, length, ssl);
2105 case SSL_HND_NEWSESSION_TICKET:
2106 dissect_ssl3_hnd_new_ses_ticket(tvb, ssl_hand_tree, offset, length);
2109 case SSL_HND_CERTIFICATE:
2110 dissect_ssl3_hnd_cert(tvb, ssl_hand_tree, offset, pinfo);
2113 case SSL_HND_SERVER_KEY_EXCHG: {
2114 switch (ssl_get_keyex_alg(conv_cipher)) {
2116 dissect_ssl3_hnd_srv_keyex_dh(tvb, ssl_hand_tree, offset, length);
2119 dissect_ssl3_hnd_srv_keyex_rsa(tvb, ssl_hand_tree, offset, length, conv_version);
2122 dissect_ssl3_hnd_srv_keyex_ecdh(tvb, ssl_hand_tree, offset, length, conv_version);
2126 dissect_ssl3_hnd_srv_keyex_psk(tvb, ssl_hand_tree, offset, length);
2134 case SSL_HND_CERT_REQUEST:
2135 dissect_ssl3_hnd_cert_req(tvb, ssl_hand_tree, offset, pinfo, conv_version);
2138 case SSL_HND_SVR_HELLO_DONE:
2139 /* server_hello_done has no fields, so nothing to do! */
2142 case SSL_HND_CERT_VERIFY:
2146 case SSL_HND_CLIENT_KEY_EXCHG:
2147 switch (ssl_get_keyex_alg(conv_cipher)) {
2149 dissect_ssl3_hnd_cli_keyex_dh(tvb, ssl_hand_tree, offset, length);
2152 dissect_ssl3_hnd_cli_keyex_rsa(tvb, ssl_hand_tree, offset, length);
2155 dissect_ssl3_hnd_cli_keyex_ecdh(tvb, ssl_hand_tree, offset, length);
2158 dissect_ssl3_hnd_cli_keyex_psk(tvb, ssl_hand_tree, offset, length);
2161 dissect_ssl3_hnd_cli_keyex_rsa_psk(tvb, ssl_hand_tree, offset, length);
2166 /* PAOLO: here we can have all the data to build session key*/
2171 if (ssl_generate_pre_master_secret(ssl, length, tvb, offset, ssl_psk, ssl_keylog_filename) < 0) {
2172 ssl_debug_printf("dissect_ssl3_handshake can't generate pre master secret\n");
2176 if (ssl_generate_keyring_material(ssl) < 0) {
2177 ssl_debug_printf("dissect_ssl3_handshake can't generate keyring material\n");
2181 ssl_save_session(ssl, ssl_session_hash);
2182 ssl_debug_printf("dissect_ssl3_handshake session keys successfully generated\n");
2185 case SSL_HND_FINISHED:
2186 dissect_ssl3_hnd_finished(tvb, ssl_hand_tree,
2187 offset, conv_version);
2190 case SSL_HND_CERT_URL:
2191 dissect_ssl3_hnd_cert_url(tvb, ssl_hand_tree, offset);
2194 case SSL_HND_CERT_STATUS:
2195 dissect_ssl3_hnd_cert_status(tvb, ssl_hand_tree, offset, pinfo);
2198 case SSL_HND_ENCRYPTED_EXTS:
2199 dissect_ssl3_hnd_encrypted_exts(tvb, ssl_hand_tree, offset);
2205 offset += 4; /* skip the handshake header when handshake is not processed*/
2208 first_iteration = FALSE; /* set up for next pass, if any */
2212 /* dissects the heartbeat message, filling in the tree */
2214 dissect_ssl3_heartbeat(tvbuff_t *tvb, packet_info *pinfo,
2215 proto_tree *tree, guint32 offset,
2216 guint *conv_version, guint32 record_length)
2219 * HeartbeatMessageType type;
2220 * uint16 payload_length;
2223 * } HeartbeatMessage;
2227 proto_tree *tls_heartbeat_tree;
2230 guint16 payload_length;
2231 guint16 padding_length;
2233 tls_heartbeat_tree = NULL;
2236 ti = proto_tree_add_item(tree, hf_ssl_heartbeat_message, tvb,
2237 offset, record_length - 32, ENC_NA);
2238 tls_heartbeat_tree = proto_item_add_subtree(ti, ett_ssl_heartbeat);
2242 * set the record layer label
2245 /* first lookup the names for the message type and the payload length */
2246 byte = tvb_get_guint8(tvb, offset);
2247 type = try_val_to_str(byte, tls_heartbeat_type);
2249 payload_length = tvb_get_ntohs(tvb, offset + 1);
2250 padding_length = record_length - 3 - payload_length;
2252 /* now set the text in the record layer line */
2253 if (type && (payload_length <= record_length - 16 - 3)) {
2254 col_append_fstr(pinfo->cinfo, COL_INFO, "Heartbeat %s", type);
2256 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted Heartbeat");
2260 if (type && (payload_length <= record_length - 16 - 3)) {
2261 proto_item_set_text(tree, "%s Record Layer: Heartbeat "
2263 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"),
2265 proto_tree_add_item(tls_heartbeat_tree, hf_ssl_heartbeat_message_type,
2266 tvb, offset, 1, ENC_BIG_ENDIAN);
2268 proto_tree_add_uint(tls_heartbeat_tree, hf_ssl_heartbeat_message_payload_length,
2269 tvb, offset, 2, payload_length);
2271 proto_tree_add_bytes_format(tls_heartbeat_tree, hf_ssl_heartbeat_message_payload,
2272 tvb, offset, payload_length,
2273 NULL, "Payload (%u byte%s)",
2275 plurality(payload_length, "", "s"));
2276 offset += payload_length;
2277 proto_tree_add_bytes_format(tls_heartbeat_tree, hf_ssl_heartbeat_message_padding,
2278 tvb, offset, padding_length,
2279 NULL, "Padding and HMAC (%u byte%s)",
2281 plurality(padding_length, "", "s"));
2283 proto_item_set_text(tree,
2284 "%s Record Layer: Encrypted Heartbeat",
2285 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"));
2286 proto_item_set_text(tls_heartbeat_tree,
2287 "Encrypted Heartbeat Message");
2293 dissect_ssl3_hnd_hello_common(tvbuff_t *tvb, proto_tree *tree,
2294 guint32 offset, SslDecryptSession *ssl, gint from_server)
2296 /* show the client's random challenge */
2297 nstime_t gmt_unix_time;
2298 guint8 session_id_length;
2300 proto_tree *ssl_rnd_tree;
2302 session_id_length = 0;
2306 /* PAOLO: get proper peer information*/
2309 rnd = &ssl->server_random;
2311 rnd = &ssl->client_random;
2313 /* get provided random for keyring generation*/
2314 tvb_memcpy(tvb, rnd->data, offset, 32);
2317 ssl->state |= SSL_SERVER_RANDOM;
2319 ssl->state |= SSL_CLIENT_RANDOM;
2320 ssl_debug_printf("dissect_ssl3_hnd_hello_common found %s RANDOM -> state 0x%02X\n",
2321 (from_server)?"SERVER":"CLIENT", ssl->state);
2323 session_id_length = tvb_get_guint8(tvb, offset + 32);
2324 /* check stored session id info */
2325 if (from_server && (session_id_length == ssl->session_id.data_len) &&
2326 (tvb_memeql(tvb, offset+33, ssl->session_id.data, session_id_length) == 0))
2328 /* client/server id match: try to restore a previous cached session*/
2329 if (!ssl_restore_session(ssl, ssl_session_hash)) {
2330 /* If we failed to find the previous session, we may still have
2331 * the master secret in the key log. */
2332 if (ssl_keylog_lookup(ssl, ssl_keylog_filename, NULL)) {
2333 ssl_debug_printf(" cannot find master secret in keylog file either\n");
2335 ssl_debug_printf(" found master secret in keylog file\n");
2339 tvb_memcpy(tvb,ssl->session_id.data, offset+33, session_id_length);
2340 ssl->session_id.data_len = session_id_length;
2346 ti_rnd = proto_tree_add_text(tree, tvb, offset, 32, "Random");
2347 ssl_rnd_tree = proto_item_add_subtree(ti_rnd, ett_ssl_random);
2350 gmt_unix_time.secs = tvb_get_ntohl(tvb, offset);
2351 gmt_unix_time.nsecs = 0;
2352 proto_tree_add_time(ssl_rnd_tree, hf_ssl_handshake_random_time,
2353 tvb, offset, 4, &gmt_unix_time);
2356 /* show the random bytes */
2357 proto_tree_add_item(ssl_rnd_tree, hf_ssl_handshake_random_bytes,
2358 tvb, offset, 28, ENC_NA);
2361 /* show the session id */
2362 session_id_length = tvb_get_guint8(tvb, offset);
2363 proto_tree_add_item(tree, hf_ssl_handshake_session_id_len,
2364 tvb, offset++, 1, ENC_BIG_ENDIAN);
2365 if (session_id_length > 0)
2367 tvb_ensure_bytes_exist(tvb, offset, session_id_length);
2368 proto_tree_add_item(tree, hf_ssl_handshake_session_id,
2369 tvb, offset, session_id_length, ENC_NA);
2375 return session_id_length+33;
2379 dissect_ssl3_hnd_hello_ext(tvbuff_t *tvb, proto_tree *tree, guint32 offset,
2380 guint32 left, gboolean is_client)
2382 guint16 extension_length;
2386 proto_tree *ext_tree;
2391 extension_length = tvb_get_ntohs(tvb, offset);
2392 proto_tree_add_uint(tree, hf_ssl_handshake_extensions_len,
2393 tvb, offset, 2, extension_length);
2399 ext_type = tvb_get_ntohs(tvb, offset);
2400 ext_len = tvb_get_ntohs(tvb, offset + 2);
2402 pi = proto_tree_add_text(tree, tvb, offset, 4 + ext_len,
2404 val_to_str(ext_type,
2405 tls_hello_extension_types,
2407 ext_tree = proto_item_add_subtree(pi, ett_ssl_extension);
2411 proto_tree_add_uint(ext_tree, hf_ssl_handshake_extension_type,
2412 tvb, offset, 2, ext_type);
2415 proto_tree_add_uint(ext_tree, hf_ssl_handshake_extension_len,
2416 tvb, offset, 2, ext_len);
2420 case SSL_HND_HELLO_EXT_STATUS_REQUEST:
2422 offset = dissect_ssl3_hnd_hello_ext_status_request(tvb, ext_tree, offset, FALSE);
2424 offset += ext_len; /* server must return empty extension_data */
2426 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V2:
2428 offset = dissect_ssl3_hnd_hello_ext_status_request_v2(tvb, ext_tree, offset);
2430 offset += ext_len; /* server must return empty extension_data */
2432 case SSL_HND_HELLO_EXT_ELLIPTIC_CURVES:
2433 offset = dissect_ssl3_hnd_hello_ext_elliptic_curves(tvb, ext_tree, offset);
2435 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS:
2436 offset = dissect_ssl3_hnd_hello_ext_ec_point_formats(tvb, ext_tree, offset);
2438 case SSL_HND_HELLO_EXT_SIG_HASH_ALGS:
2439 offset = dissect_ssl3_hnd_hello_ext_sig_hash_algs(tvb, ext_tree, offset, ext_len);
2441 case SSL_HND_HELLO_EXT_ALPN:
2442 offset = dissect_ssl3_hnd_hello_ext_alpn(tvb, ext_tree, offset, ext_len);
2444 case SSL_HND_HELLO_EXT_NPN:
2445 offset = dissect_ssl3_hnd_hello_ext_npn(tvb, ext_tree, offset, ext_len);
2447 case SSL_HND_HELLO_EXT_RENEG_INFO:
2448 offset = dissect_ssl3_hnd_hello_ext_reneg_info(tvb, ext_tree, offset, ext_len);
2450 case SSL_HND_HELLO_EXT_SERVER_NAME:
2451 offset = dissect_ssl3_hnd_hello_ext_server_name(tvb, ext_tree, offset, ext_len);
2453 case SSL_HND_HELLO_EXT_HEARTBEAT:
2454 proto_tree_add_item(ext_tree, hf_ssl_heartbeat_extension_mode,
2455 tvb, offset, 1, ENC_BIG_ENDIAN);
2459 proto_tree_add_bytes_format(ext_tree, hf_ssl_handshake_extension_data,
2460 tvb, offset, ext_len, NULL,
2462 ext_len, plurality(ext_len, "", "s"));
2467 left -= 2 + 2 + ext_len;
2474 dissect_ssl3_hnd_hello_ext_sig_hash_algs(tvbuff_t *tvb,
2475 proto_tree *tree, guint32 offset, guint32 ext_len)
2477 guint16 sh_alg_length;
2480 sh_alg_length = tvb_get_ntohs(tvb, offset);
2481 proto_tree_add_uint(tree, hf_ssl_handshake_sig_hash_alg_len,
2482 tvb, offset, 2, sh_alg_length);
2484 if (ext_len<2 || sh_alg_length!=ext_len-2) {
2485 /* ERROR: sh_alg_length must be 2 less than ext_len */
2489 ret = dissect_ssl_hash_alg_list(tvb, tree, offset, sh_alg_length);
2497 dissect_ssl3_hnd_hello_ext_alpn(tvbuff_t *tvb,
2498 proto_tree *tree, guint32 offset, guint32 ext_len)
2500 guint16 alpn_length;
2502 proto_tree *alpn_tree;
2505 alpn_length = tvb_get_ntohs(tvb, offset);
2506 if (ext_len<2 || alpn_length!=ext_len-2) {
2507 /* ERROR: alpn_length must be 2 less than ext_len */
2510 proto_tree_add_item(tree, hf_ssl_handshake_extension_alpn_len,
2511 tvb, offset, 2, ENC_BIG_ENDIAN);
2514 ti = proto_tree_add_item(tree, hf_ssl_handshake_extension_alpn_list,
2515 tvb, offset, alpn_length, ENC_NA);
2516 alpn_tree = proto_item_add_subtree(ti, ett_ssl_extension_alpn);
2518 while (alpn_length > 0) {
2519 name_length = tvb_get_guint8(tvb, offset);
2520 proto_tree_add_item(alpn_tree, hf_ssl_handshake_extension_alpn_str_len,
2521 tvb, offset, 1, ENC_NA);
2524 proto_tree_add_item(alpn_tree, hf_ssl_handshake_extension_alpn_str,
2525 tvb, offset, name_length, ENC_ASCII|ENC_NA);
2526 offset += name_length;
2527 alpn_length -= name_length;
2534 dissect_ssl3_hnd_hello_ext_npn(tvbuff_t *tvb,
2535 proto_tree *tree, guint32 offset, guint32 ext_len)
2538 proto_tree *npn_tree;
2545 ti = proto_tree_add_text(tree, tvb, offset, ext_len, "Next Protocol Negotiation");
2546 npn_tree = proto_item_add_subtree(ti, ett_ssl_extension_npn);
2548 while (ext_len > 0) {
2549 npn_length = tvb_get_guint8(tvb, offset);
2550 proto_tree_add_item(npn_tree, hf_ssl_handshake_extension_npn_str_len,
2551 tvb, offset, 1, ENC_NA);
2555 if (npn_length > 0) {
2556 tvb_ensure_bytes_exist(tvb, offset, npn_length);
2557 proto_tree_add_item(npn_tree, hf_ssl_handshake_extension_npn_str,
2558 tvb, offset, npn_length, ENC_ASCII|ENC_NA);
2559 offset += npn_length;
2560 ext_len -= npn_length;
2568 dissect_ssl3_hnd_hello_ext_reneg_info(tvbuff_t *tvb,
2569 proto_tree *tree, guint32 offset, guint32 ext_len)
2571 guint8 reneg_info_length;
2572 proto_tree *reneg_info_tree;
2579 ti = proto_tree_add_text(tree, tvb, offset, ext_len, "Renegotiation Info extension");
2580 reneg_info_tree = proto_item_add_subtree(ti, ett_ssl_extension_reneg_info);
2582 reneg_info_length = tvb_get_guint8(tvb, offset);
2583 proto_tree_add_item(reneg_info_tree, hf_ssl_handshake_extension_reneg_info_len,
2584 tvb, offset, 1, ENC_NA);
2587 if (reneg_info_length > 0) {
2588 tvb_ensure_bytes_exist(tvb, offset, reneg_info_length);
2589 proto_tree_add_text(reneg_info_tree, tvb, offset, reneg_info_length, "Renegotiation Info");
2590 offset += reneg_info_length;
2597 dissect_ssl3_hnd_hello_ext_server_name(tvbuff_t *tvb,
2598 proto_tree *tree, guint32 offset, guint32 ext_len)
2600 guint16 server_name_length;
2601 proto_tree *server_name_tree;
2609 ti = proto_tree_add_text(tree, tvb, offset, ext_len, "Server Name Indication extension");
2610 server_name_tree = proto_item_add_subtree(ti, ett_ssl_extension_server_name);
2612 proto_tree_add_item(server_name_tree, hf_ssl_handshake_extension_server_name_list_len,
2613 tvb, offset, 2, ENC_BIG_ENDIAN);
2617 while (ext_len > 0) {
2618 proto_tree_add_item(server_name_tree, hf_ssl_handshake_extension_server_name_type,
2619 tvb, offset, 1, ENC_NA);
2623 server_name_length = tvb_get_ntohs(tvb, offset);
2624 proto_tree_add_item(server_name_tree, hf_ssl_handshake_extension_server_name_len,
2625 tvb, offset, 2, ENC_BIG_ENDIAN);
2629 if (server_name_length > 0) {
2630 tvb_ensure_bytes_exist(tvb, offset, server_name_length);
2631 proto_tree_add_item(server_name_tree, hf_ssl_handshake_extension_server_name,
2632 tvb, offset, server_name_length, ENC_ASCII|ENC_NA);
2633 offset += server_name_length;
2634 ext_len -= server_name_length;
2641 dissect_ssl3_hnd_cert_url(tvbuff_t *tvb, proto_tree *tree, guint32 offset)
2643 guint16 url_hash_len;
2646 * individual_certs(0), pkipath(1), (255)
2650 * CertChainType type;
2651 * URLAndHash url_and_hash_list<1..2^16-1>;
2655 * opaque url<1..2^16-1>;
2657 * opaque SHA1Hash[20];
2661 proto_tree_add_item(tree, hf_ssl_hs_ext_cert_url_type,
2662 tvb, offset, 1, ENC_NA);
2665 url_hash_len = tvb_get_ntohs(tvb, offset);
2666 proto_tree_add_item(tree, hf_ssl_hs_ext_cert_url_url_hash_list_len,
2667 tvb, offset, 2, ENC_BIG_ENDIAN);
2669 while (url_hash_len-- > 0) {
2670 proto_item *urlhash_item;
2671 proto_tree *urlhash_tree;
2674 urlhash_item = proto_tree_add_item(tree, hf_ssl_hs_ext_cert_url_item,
2675 tvb, offset, -1, ENC_NA);
2676 urlhash_tree = proto_item_add_subtree(urlhash_item, ett_ssl_urlhash);
2678 url_len = tvb_get_ntohs(tvb, offset);
2679 proto_tree_add_item(urlhash_tree, hf_ssl_hs_ext_cert_url_url_len,
2680 tvb, offset, 2, ENC_BIG_ENDIAN);
2683 proto_tree_add_item(urlhash_tree, hf_ssl_hs_ext_cert_url_url,
2684 tvb, offset, url_len, ENC_ASCII|ENC_NA);
2687 proto_tree_add_item(urlhash_tree, hf_ssl_hs_ext_cert_url_padding,
2688 tvb, offset, 1, ENC_NA);
2690 /* Note: RFC 6066 says that padding must be 0x01 */
2692 proto_tree_add_item(urlhash_tree, hf_ssl_hs_ext_cert_url_sha1,
2693 tvb, offset, 20, ENC_NA);
2699 dissect_ssl3_hnd_hello_ext_status_request(tvbuff_t *tvb, proto_tree *tree,
2700 guint32 offset, gboolean has_length)
2702 guint cert_status_type;
2704 cert_status_type = tvb_get_guint8(tvb, offset);
2705 proto_tree_add_item(tree, hf_ssl_hs_ext_cert_status_type,
2706 tvb, offset, 1, ENC_NA);
2710 proto_tree_add_item(tree, hf_ssl_hs_ext_cert_status_request_len,
2711 tvb, offset, 2, ENC_BIG_ENDIAN);
2715 switch (cert_status_type) {
2716 case SSL_HND_CERT_STATUS_TYPE_OCSP:
2717 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI:
2719 guint16 responder_id_list_len;
2720 guint16 request_extensions_len;
2721 proto_item *responder_id;
2722 proto_item *request_extensions;
2724 responder_id_list_len = tvb_get_ntohs(tvb, offset);
2726 proto_tree_add_item(tree,
2727 hf_ssl_hs_ext_cert_status_responder_id_list_len,
2728 tvb, offset, 2, ENC_BIG_ENDIAN);
2730 if (responder_id_list_len != 0) {
2731 expert_add_info_format(NULL, responder_id,
2732 &ei_ssl_hs_ext_cert_status_undecoded,
2733 "Responder ID list is not implemented, contact Wireshark"
2734 " developers if you want this to be supported");
2735 /* Non-empty responder ID list would mess with extensions. */
2739 request_extensions_len = tvb_get_ntohs(tvb, offset);
2740 request_extensions =
2741 proto_tree_add_item(tree,
2742 hf_ssl_hs_ext_cert_status_request_extensions_len, tvb, offset,
2745 if (request_extensions_len != 0)
2746 expert_add_info_format(NULL, request_extensions,
2747 &ei_ssl_hs_ext_cert_status_undecoded,
2748 "Request Extensions are not implemented, contact"
2749 " Wireshark developers if you want this to be supported");
2758 dissect_ssl3_hnd_hello_ext_status_request_v2(tvbuff_t *tvb, proto_tree *tree,
2763 list_len = tvb_get_ntoh24(tvb, offset);
2766 while (list_len-- > 0)
2767 offset = dissect_ssl3_hnd_hello_ext_status_request(tvb, tree, offset, TRUE);
2773 dissect_ssl3_hnd_hello_ext_elliptic_curves(tvbuff_t *tvb,
2774 proto_tree *tree, guint32 offset)
2776 guint16 curves_length;
2777 proto_tree *curves_tree;
2780 curves_length = tvb_get_ntohs(tvb, offset);
2781 proto_tree_add_item(tree, hf_ssl_handshake_extension_elliptic_curves_len,
2782 tvb, offset, 2, ENC_BIG_ENDIAN);
2785 tvb_ensure_bytes_exist(tvb, offset, curves_length);
2786 ti = proto_tree_add_none_format(tree,
2787 hf_ssl_handshake_extension_elliptic_curves,
2788 tvb, offset, curves_length,
2789 "Elliptic curves (%d curve%s)",
2791 plurality(curves_length/2, "", "s"));
2793 /* make this a subtree */
2794 curves_tree = proto_item_add_subtree(ti, ett_ssl_extension_curves);
2796 /* loop over all curves */
2797 while (curves_length > 0)
2799 proto_tree_add_item(curves_tree, hf_ssl_handshake_extension_elliptic_curve, tvb, offset, 2, ENC_BIG_ENDIAN);
2808 dissect_ssl3_hnd_hello_ext_ec_point_formats(tvbuff_t *tvb,
2809 proto_tree *tree, guint32 offset)
2812 proto_tree *ecpf_tree;
2815 ecpf_length = tvb_get_guint8(tvb, offset);
2816 proto_tree_add_item(tree, hf_ssl_handshake_extension_ec_point_formats_len,
2817 tvb, offset, 1, ENC_BIG_ENDIAN);
2820 tvb_ensure_bytes_exist(tvb, offset, ecpf_length);
2821 ti = proto_tree_add_none_format(tree,
2822 hf_ssl_handshake_extension_elliptic_curves,
2823 tvb, offset, ecpf_length,
2824 "Elliptic curves point formats (%d)",
2827 /* make this a subtree */
2828 ecpf_tree = proto_item_add_subtree(ti, ett_ssl_extension_curves_point_formats);
2830 /* loop over all point formats */
2831 while (ecpf_length > 0)
2833 proto_tree_add_item(ecpf_tree, hf_ssl_handshake_extension_ec_point_format, tvb, offset, 1, ENC_BIG_ENDIAN);
2842 dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb, packet_info *pinfo,
2843 proto_tree *tree, guint32 offset, guint32 length,
2844 SslDecryptSession*ssl)
2847 * ProtocolVersion client_version;
2849 * SessionID session_id;
2850 * CipherSuite cipher_suites<2..2^16-1>;
2851 * CompressionMethod compression_methods<1..2^8-1>;
2852 * Extension client_hello_extension_list<0..2^16-1>;
2857 proto_tree *cs_tree;
2858 gint cipher_suite_length;
2859 guint8 compression_methods_length;
2860 guint8 compression_method;
2861 guint16 start_offset;
2863 start_offset = offset;
2866 ssl_set_server(ssl, &pinfo->dst, pinfo->ptype, pinfo->destport);
2867 ssl_find_private_key(ssl, ssl_key_hash, ssl_associations, pinfo);
2872 /* show the client version */
2874 proto_tree_add_item(tree, hf_ssl_handshake_client_version, tvb,
2875 offset, 2, ENC_BIG_ENDIAN);
2878 /* show the fields in common with server hello */
2879 offset += dissect_ssl3_hnd_hello_common(tvb, tree, offset, ssl, 0);
2881 /* tell the user how many cipher suites there are */
2882 cipher_suite_length = tvb_get_ntohs(tvb, offset);
2885 proto_tree_add_uint(tree, hf_ssl_handshake_cipher_suites_len,
2886 tvb, offset, 2, cipher_suite_length);
2887 offset += 2; /* skip opaque length */
2889 if (cipher_suite_length > 0)
2891 tvb_ensure_bytes_exist(tvb, offset, cipher_suite_length);
2892 ti = proto_tree_add_none_format(tree,
2893 hf_ssl_handshake_cipher_suites,
2894 tvb, offset, cipher_suite_length,
2895 "Cipher Suites (%d suite%s)",
2896 cipher_suite_length / 2,
2897 plurality(cipher_suite_length/2, "", "s"));
2898 if (cipher_suite_length % 2) {
2899 proto_tree_add_text(tree, tvb, offset, 2,
2900 "Invalid cipher suite length: %d", cipher_suite_length);
2901 expert_add_info_format(pinfo, NULL, &ei_ssl_handshake_cipher_suites_mult2,
2902 "Cipher suite length (%d) must be a multiple of 2",
2903 cipher_suite_length);
2907 /* make this a subtree */
2908 cs_tree = proto_item_add_subtree(ti, ett_ssl_cipher_suites);
2911 cs_tree = tree; /* failsafe */
2914 while (cipher_suite_length > 0)
2916 proto_tree_add_item(cs_tree, hf_ssl_handshake_cipher_suite,
2917 tvb, offset, 2, ENC_BIG_ENDIAN);
2919 cipher_suite_length -= 2;
2923 /* tell the user how many compression methods there are */
2924 compression_methods_length = tvb_get_guint8(tvb, offset);
2925 proto_tree_add_uint(tree, hf_ssl_handshake_comp_methods_len,
2926 tvb, offset, 1, compression_methods_length);
2929 if (compression_methods_length > 0)
2931 tvb_ensure_bytes_exist(tvb, offset, compression_methods_length);
2932 ti = proto_tree_add_none_format(tree,
2933 hf_ssl_handshake_comp_methods,
2934 tvb, offset, compression_methods_length,
2935 "Compression Methods (%u method%s)",
2936 compression_methods_length,
2937 plurality(compression_methods_length,
2940 /* make this a subtree */
2941 cs_tree = proto_item_add_subtree(ti, ett_ssl_comp_methods);
2944 cs_tree = tree; /* failsafe */
2947 while (compression_methods_length > 0)
2949 compression_method = tvb_get_guint8(tvb, offset);
2950 if (compression_method < 64)
2951 proto_tree_add_uint(cs_tree, hf_ssl_handshake_comp_method,
2952 tvb, offset, 1, compression_method);
2953 else if (compression_method > 63 && compression_method < 193)
2954 proto_tree_add_text(cs_tree, tvb, offset, 1,
2955 "Compression Method: Reserved - to be assigned by IANA (%u)",
2956 compression_method);
2958 proto_tree_add_text(cs_tree, tvb, offset, 1,
2959 "Compression Method: Private use range (%u)",
2960 compression_method);
2962 compression_methods_length--;
2966 if (length > offset - start_offset)
2968 dissect_ssl3_hnd_hello_ext(tvb, tree, offset,
2969 length - (offset - start_offset), TRUE);
2975 dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb,
2976 proto_tree *tree, guint32 offset, guint32 length, SslDecryptSession *ssl)
2979 * ProtocolVersion server_version;
2981 * SessionID session_id;
2982 * CipherSuite cipher_suite;
2983 * CompressionMethod compression_method;
2984 * Extension server_hello_extension_list<0..2^16-1>;
2987 guint16 start_offset;
2989 start_offset = offset;
2993 /* show the server version */
2995 proto_tree_add_item(tree, hf_ssl_handshake_server_version, tvb,
2996 offset, 2, ENC_BIG_ENDIAN);
2999 /* first display the elements conveniently in
3000 * common with client hello
3002 offset += dissect_ssl3_hnd_hello_common(tvb, tree, offset, ssl, 1);
3004 /* PAOLO: handle session cipher suite */
3006 /* store selected cipher suite for decryption */
3007 ssl->cipher = tvb_get_ntohs(tvb, offset);
3008 if (ssl_find_cipher(ssl->cipher,&ssl->cipher_suite) < 0) {
3009 ssl_debug_printf("dissect_ssl3_hnd_srv_hello can't find cipher suite 0x%X\n", ssl->cipher);
3013 ssl->state |= SSL_CIPHER;
3014 ssl_debug_printf("dissect_ssl3_hnd_srv_hello found CIPHER 0x%04X -> state 0x%02X\n",
3015 ssl->cipher, ssl->state);
3017 /* if we have restored a session now we can have enough material
3018 * to build session key, check it out*/
3019 ssl_debug_printf("dissect_ssl3_hnd_srv_hello trying to generate keys\n");
3020 if (ssl_generate_keyring_material(ssl)<0) {
3021 ssl_debug_printf("dissect_ssl3_hnd_srv_hello can't generate keyring material\n");
3027 /* now the server-selected cipher suite */
3028 proto_tree_add_item(tree, hf_ssl_handshake_cipher_suite,
3029 tvb, offset, 2, ENC_BIG_ENDIAN);
3033 /* store selected compression method for decryption */
3034 ssl->compression = tvb_get_guint8(tvb, offset);
3036 /* and the server-selected compression method */
3037 proto_tree_add_item(tree, hf_ssl_handshake_comp_method,
3038 tvb, offset, 1, ENC_BIG_ENDIAN);
3041 if (length > offset - start_offset)
3043 dissect_ssl3_hnd_hello_ext(tvb, tree, offset,
3044 length - (offset - start_offset), FALSE);
3050 dissect_ssl3_hnd_new_ses_ticket(tvbuff_t *tvb, proto_tree *tree,
3051 guint32 offset, guint32 length)
3055 proto_tree *subtree;
3058 nst_len = tvb_get_ntohs(tvb, offset+4);
3059 if (6 + nst_len != length) {
3063 ti = proto_tree_add_text(tree, tvb, offset, 6+nst_len, "TLS Session Ticket");
3064 subtree = proto_item_add_subtree(ti, ett_ssl_new_ses_ticket);
3066 proto_tree_add_item(subtree, hf_ssl_handshake_session_ticket_lifetime_hint,
3067 tvb, offset, 4, ENC_BIG_ENDIAN);
3070 proto_tree_add_uint(subtree, hf_ssl_handshake_session_ticket_len,
3071 tvb, offset, 2, nst_len);
3072 /* Content depends on implementation, so just show data! */
3073 proto_tree_add_item(subtree, hf_ssl_handshake_session_ticket,
3074 tvb, offset + 2, nst_len, ENC_NA);
3078 dissect_ssl3_hnd_cert(tvbuff_t *tvb,
3079 proto_tree *tree, guint32 offset, packet_info *pinfo)
3082 /* opaque ASN.1Cert<2^24-1>;
3085 * ASN.1Cert certificate_list<1..2^24-1>;
3088 guint32 certificate_list_length;
3090 proto_tree *subtree;
3091 asn1_ctx_t asn1_ctx;
3093 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
3097 certificate_list_length = tvb_get_ntoh24(tvb, offset);
3098 proto_tree_add_uint(tree, hf_ssl_handshake_certificates_len,
3099 tvb, offset, 3, certificate_list_length);
3100 offset += 3; /* 24-bit length value */
3102 if (certificate_list_length > 0)
3104 tvb_ensure_bytes_exist(tvb, offset, certificate_list_length);
3105 ti = proto_tree_add_none_format(tree,
3106 hf_ssl_handshake_certificates,
3107 tvb, offset, certificate_list_length,
3108 "Certificates (%u byte%s)",
3109 certificate_list_length,
3110 plurality(certificate_list_length, "", "s"));
3112 /* make it a subtree */
3113 subtree = proto_item_add_subtree(ti, ett_ssl_certs);
3116 subtree = tree; /* failsafe */
3119 /* iterate through each certificate */
3120 while (certificate_list_length > 0)
3122 /* get the length of the current certificate */
3123 guint32 cert_length;
3124 cert_length = tvb_get_ntoh24(tvb, offset);
3125 certificate_list_length -= 3 + cert_length;
3127 proto_tree_add_item(subtree, hf_ssl_handshake_certificate_len,
3128 tvb, offset, 3, ENC_BIG_ENDIAN);
3131 (void)dissect_x509af_Certificate(FALSE, tvb, offset, &asn1_ctx, subtree, hf_ssl_handshake_certificate);
3132 offset += cert_length;
3140 dissect_ssl3_hnd_cert_req(tvbuff_t *tvb,
3141 proto_tree *tree, guint32 offset, packet_info *pinfo,
3142 const guint *conv_version)
3146 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
3148 * } ClientCertificateType;
3150 * opaque DistinguishedName<1..2^16-1>;
3153 * ClientCertificateType certificate_types<1..2^8-1>;
3154 * DistinguishedName certificate_authorities<3..2^16-1>;
3155 * } CertificateRequest;
3158 * As per TLSv1.2 (RFC 5246) the format has changed to:
3161 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
3162 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
3163 * fortezza_dms_RESERVED(20), (255)
3164 * } ClientCertificateType;
3167 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
3171 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
3172 * SignatureAlgorithm;
3175 * HashAlgorithm hash;
3176 * SignatureAlgorithm signature;
3177 * } SignatureAndHashAlgorithm;
3179 * SignatureAndHashAlgorithm
3180 * supported_signature_algorithms<2..2^16-2>;
3182 * opaque DistinguishedName<1..2^16-1>;
3185 * ClientCertificateType certificate_types<1..2^8-1>;
3186 * SignatureAndHashAlgorithm
3187 * supported_signature_algorithms<2^16-1>;
3188 * DistinguishedName certificate_authorities<0..2^16-1>;
3189 * } CertificateRequest;
3193 proto_tree *subtree;
3194 guint8 cert_types_count;
3197 asn1_ctx_t asn1_ctx;
3203 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
3205 cert_types_count = tvb_get_guint8(tvb, offset);
3206 proto_tree_add_uint(tree, hf_ssl_handshake_cert_types_count,
3207 tvb, offset, 1, cert_types_count);
3210 if (cert_types_count > 0) {
3211 ti = proto_tree_add_none_format(tree,
3212 hf_ssl_handshake_cert_types,
3213 tvb, offset, cert_types_count,
3214 "Certificate types (%u type%s)",
3216 plurality(cert_types_count, "", "s"));
3217 subtree = proto_item_add_subtree(ti, ett_ssl_cert_types);
3219 while (cert_types_count > 0) {
3220 proto_tree_add_item(subtree, hf_ssl_handshake_cert_type,
3221 tvb, offset, 1, ENC_BIG_ENDIAN);
3227 switch (*conv_version) {
3228 case SSL_VER_TLSv1DOT2:
3229 sh_alg_length = tvb_get_ntohs(tvb, offset);
3230 if (sh_alg_length % 2) {
3231 expert_add_info_format(pinfo, NULL,
3232 &ei_ssl_handshake_sig_hash_algs_mult2,
3233 "Signature Hash Algorithm length (%d) must be a multiple of 2",
3238 proto_tree_add_uint(tree, hf_ssl_handshake_sig_hash_alg_len,
3239 tvb, offset, 2, sh_alg_length);
3242 ret = dissect_ssl_hash_alg_list(tvb, tree, offset, sh_alg_length);
3251 dnames_length = tvb_get_ntohs(tvb, offset);
3252 proto_tree_add_uint(tree, hf_ssl_handshake_dnames_len,
3253 tvb, offset, 2, dnames_length);
3256 if (dnames_length > 0) {
3257 ti = proto_tree_add_none_format(tree,
3258 hf_ssl_handshake_dnames,
3259 tvb, offset, dnames_length,
3260 "Distinguished Names (%d byte%s)",
3262 plurality(dnames_length, "", "s"));
3263 subtree = proto_item_add_subtree(ti, ett_ssl_dnames);
3265 while (dnames_length > 0) {
3266 /* get the length of the current certificate */
3267 guint16 name_length;
3268 name_length = tvb_get_ntohs(tvb, offset);
3269 dnames_length -= 2 + name_length;
3271 proto_tree_add_item(subtree, hf_ssl_handshake_dname_len,
3272 tvb, offset, 2, ENC_BIG_ENDIAN);
3275 (void)dissect_x509if_DistinguishedName(FALSE, tvb, offset,
3276 &asn1_ctx, subtree, hf_ssl_handshake_dname);
3277 offset += name_length;
3283 dissect_ssl3_hnd_srv_keyex_ecdh(tvbuff_t *tvb, proto_tree *tree,
3284 guint32 offset, guint32 length,
3285 const guint *conv_version)
3287 gint curve_type, curve_type_offset;
3288 gint named_curve, named_curve_offset;
3289 gint point_len, point_len_offset;
3290 gint sig_len, sig_len_offset;
3291 gint sig_algo, sig_algo_offset;
3292 proto_item *ti_ecdh;
3293 proto_item *ti_algo;
3294 proto_tree *ssl_ecdh_tree;
3295 proto_tree *ssl_algo_tree;
3296 guint32 orig_offset;
3298 orig_offset = offset;
3300 curve_type_offset = offset;
3301 curve_type = tvb_get_guint8(tvb, offset);
3302 if (curve_type != 3)
3303 return; /* only named_curves are supported */
3305 if ((offset - orig_offset) > length) {
3309 named_curve_offset = offset;
3310 named_curve = tvb_get_ntohs(tvb, offset);
3312 if ((offset - orig_offset) > length) {
3316 point_len_offset = offset;
3317 point_len = tvb_get_guint8(tvb, offset);
3318 if ((offset + point_len - orig_offset) > length) {
3321 offset += 1 + point_len;
3323 switch (*conv_version) {
3324 case SSL_VER_TLSv1DOT2:
3325 sig_algo_offset = offset;
3326 sig_algo = tvb_get_ntohs(tvb, offset);
3328 if ((offset - orig_offset) > length) {
3334 sig_algo_offset = 0;
3339 sig_len_offset = offset;
3340 sig_len = tvb_get_ntohs(tvb, offset);
3341 offset += 2 + sig_len;
3342 if ((offset - orig_offset) != length) {
3343 /* Lengths don't line up (wasn't what we expected?) */
3347 ti_ecdh = proto_tree_add_text(tree, tvb, orig_offset,
3348 (offset - orig_offset), "EC Diffie-Hellman Server Params");
3349 ssl_ecdh_tree = proto_item_add_subtree(ti_ecdh, ett_ssl_keyex_params);
3352 proto_tree_add_uint(ssl_ecdh_tree, hf_ssl_handshake_server_keyex_curve_type,
3353 tvb, curve_type_offset, 1, curve_type);
3356 proto_tree_add_uint(ssl_ecdh_tree, hf_ssl_handshake_server_keyex_named_curve,
3357 tvb, named_curve_offset, 2, named_curve);
3360 proto_tree_add_uint(ssl_ecdh_tree, hf_ssl_handshake_server_keyex_point_len,
3361 tvb, point_len_offset, 1, point_len);
3362 proto_tree_add_item(ssl_ecdh_tree, hf_ssl_handshake_server_keyex_point,
3363 tvb, point_len_offset+1, point_len, ENC_NA);
3365 switch (*conv_version) {
3366 case SSL_VER_TLSv1DOT2:
3367 ti_algo = proto_tree_add_uint(ssl_ecdh_tree, hf_ssl_handshake_sig_hash_alg,
3368 tvb, offset, 2, sig_algo);
3369 ssl_algo_tree = proto_item_add_subtree(ti_algo, ett_ssl_sig_hash_alg);
3371 proto_tree_add_item(ssl_algo_tree, hf_ssl_handshake_sig_hash_hash,
3372 tvb, sig_algo_offset, 1, ENC_BIG_ENDIAN);
3373 proto_tree_add_item(ssl_algo_tree, hf_ssl_handshake_sig_hash_sig,
3374 tvb, sig_algo_offset+1, 1, ENC_BIG_ENDIAN);
3382 proto_tree_add_uint(ssl_ecdh_tree, hf_ssl_handshake_server_keyex_sig_len,
3383 tvb, sig_len_offset, 2, sig_len);
3384 proto_tree_add_item(ssl_ecdh_tree, hf_ssl_handshake_server_keyex_sig,
3385 tvb, sig_len_offset + 2, sig_len, ENC_NA);
3390 dissect_ssl3_hnd_cli_keyex_ecdh(tvbuff_t *tvb, proto_tree *tree,
3391 guint32 offset, guint32 length)
3393 gint point_len, point_len_offset;
3394 proto_item *ti_ecdh;
3395 proto_tree *ssl_ecdh_tree;
3396 guint32 orig_offset;
3398 orig_offset = offset;
3400 point_len_offset = offset;
3401 point_len = tvb_get_guint8(tvb, offset);
3402 if ((offset + point_len - orig_offset) > length) {
3405 offset += 1 + point_len;
3407 ti_ecdh = proto_tree_add_text(tree, tvb, orig_offset,
3408 (offset - orig_offset), "EC Diffie-Hellman Client Params");
3409 ssl_ecdh_tree = proto_item_add_subtree(ti_ecdh, ett_ssl_keyex_params);
3412 proto_tree_add_uint(ssl_ecdh_tree, hf_ssl_handshake_client_keyex_point_len,
3413 tvb, point_len_offset, 1, point_len);
3414 proto_tree_add_item(ssl_ecdh_tree, hf_ssl_handshake_client_keyex_point,
3415 tvb, point_len_offset+1, point_len, ENC_NA);
3420 dissect_ssl3_hnd_srv_keyex_dh(tvbuff_t *tvb, proto_tree *tree,
3421 guint32 offset, guint32 length)
3423 gint p_len, p_len_offset;
3424 gint g_len, g_len_offset;
3425 gint ys_len, ys_len_offset;
3426 gint sig_len, sig_len_offset;
3428 proto_tree *ssl_dh_tree;
3429 guint32 orig_offset;
3431 orig_offset = offset;
3433 p_len_offset = offset;
3434 p_len = tvb_get_ntohs(tvb, offset);
3435 offset += 2 + p_len;
3436 if ((offset - orig_offset) > length) {
3440 g_len_offset = offset;
3441 g_len = tvb_get_ntohs(tvb, offset);
3442 offset += 2 + g_len;
3443 if ((offset - orig_offset) > length) {
3447 ys_len_offset = offset;
3448 ys_len = tvb_get_ntohs(tvb, offset);
3449 offset += 2 + ys_len;
3450 if ((offset - orig_offset) > length) {
3454 sig_len_offset = offset;
3455 sig_len = tvb_get_ntohs(tvb, offset);
3456 offset += 2 + sig_len;
3457 if ((offset - orig_offset) != length) {
3458 /* Lengths don't line up (wasn't what we expected?) */
3462 ti_dh = proto_tree_add_text(tree, tvb, orig_offset,
3463 (offset - orig_offset), "Diffie-Hellman Server Params");
3464 ssl_dh_tree = proto_item_add_subtree(ti_dh, ett_ssl_keyex_params);
3467 proto_tree_add_uint(ssl_dh_tree, hf_ssl_handshake_server_keyex_p_len,
3468 tvb, p_len_offset, 2, p_len);
3469 proto_tree_add_item(ssl_dh_tree, hf_ssl_handshake_server_keyex_p,
3470 tvb, p_len_offset + 2, p_len, ENC_NA);
3473 proto_tree_add_uint(ssl_dh_tree, hf_ssl_handshake_server_keyex_g_len,
3474 tvb, g_len_offset, 2, g_len);
3475 proto_tree_add_item(ssl_dh_tree, hf_ssl_handshake_server_keyex_g,
3476 tvb, g_len_offset + 2, g_len, ENC_NA);
3479 proto_tree_add_uint(ssl_dh_tree, hf_ssl_handshake_server_keyex_ys_len,
3480 tvb, ys_len_offset, 2, ys_len);
3481 proto_tree_add_item(ssl_dh_tree, hf_ssl_handshake_server_keyex_ys,
3482 tvb, ys_len_offset + 2, ys_len, ENC_NA);
3485 proto_tree_add_uint(ssl_dh_tree, hf_ssl_handshake_server_keyex_sig_len,
3486 tvb, sig_len_offset, 2, sig_len);
3487 proto_tree_add_item(ssl_dh_tree, hf_ssl_handshake_server_keyex_sig,
3488 tvb, sig_len_offset + 2, sig_len, ENC_NA);
3492 /* Only used in RSA-EXPORT cipher suites */
3494 dissect_ssl3_hnd_srv_keyex_rsa(tvbuff_t *tvb, proto_tree *tree,
3495 guint32 offset, guint32 length,
3496 const guint *conv_version)
3498 gint modulus_len, modulus_len_offset;
3499 gint exponent_len, exponent_len_offset;
3500 gint sig_len, sig_len_offset;
3501 gint sig_algo, sig_algo_offset;
3503 proto_item *ti_algo;
3504 proto_tree *ssl_rsa_tree;
3505 proto_tree *ssl_algo_tree;
3506 guint32 orig_offset;
3508 orig_offset = offset;
3510 modulus_len_offset = offset;
3511 modulus_len = tvb_get_ntohs(tvb, offset);
3512 offset += 2 + modulus_len;
3513 if ((offset - orig_offset) > length) {
3517 exponent_len_offset = offset;
3518 exponent_len = tvb_get_ntohs(tvb, offset);
3519 offset += 2 + exponent_len;
3520 if ((offset - orig_offset) > length) {
3524 switch (*conv_version) {
3525 case SSL_VER_TLSv1DOT2:
3526 sig_algo_offset = offset;
3527 sig_algo = tvb_get_ntohs(tvb, offset);
3529 if ((offset - orig_offset) > length) {
3535 sig_algo_offset = 0;
3540 sig_len_offset = offset;
3541 sig_len = tvb_get_ntohs(tvb, offset);
3542 offset += 2 + sig_len;
3543 if ((offset - orig_offset) != length) {
3544 /* Lengths don't line up (wasn't what we expected?) */
3548 ti_rsa = proto_tree_add_text(tree, tvb, orig_offset,
3549 (offset - orig_offset), "RSA-EXPORT Server Params");
3550 ssl_rsa_tree = proto_item_add_subtree(ti_rsa, ett_ssl_keyex_params);
3553 proto_tree_add_uint(ssl_rsa_tree, hf_ssl_handshake_server_keyex_modulus_len,
3554 tvb, modulus_len_offset, 2, modulus_len);
3555 proto_tree_add_item(ssl_rsa_tree, hf_ssl_handshake_server_keyex_modulus,
3556 tvb, modulus_len_offset + 2, modulus_len, ENC_NA);
3559 proto_tree_add_uint(ssl_rsa_tree, hf_ssl_handshake_server_keyex_exponent_len,
3560 tvb, exponent_len_offset, 2, exponent_len);
3561 proto_tree_add_item(ssl_rsa_tree, hf_ssl_handshake_server_keyex_exponent,
3562 tvb, exponent_len_offset + 2, exponent_len, ENC_NA);
3564 switch (*conv_version) {
3565 case SSL_VER_TLSv1DOT2:
3566 ti_algo = proto_tree_add_uint(ssl_rsa_tree, hf_ssl_handshake_sig_hash_alg,
3567 tvb, offset, 2, sig_algo);
3568 ssl_algo_tree = proto_item_add_subtree(ti_algo, ett_ssl_sig_hash_alg);
3570 proto_tree_add_item(ssl_algo_tree, hf_ssl_handshake_sig_hash_hash,
3571 tvb, sig_algo_offset, 1, ENC_BIG_ENDIAN);
3572 proto_tree_add_item(ssl_algo_tree, hf_ssl_handshake_sig_hash_sig,
3573 tvb, sig_algo_offset+1, 1, ENC_BIG_ENDIAN);
3581 proto_tree_add_uint(ssl_rsa_tree, hf_ssl_handshake_server_keyex_sig_len,
3582 tvb, sig_len_offset, 2, sig_len);
3583 proto_tree_add_item(ssl_rsa_tree, hf_ssl_handshake_server_keyex_sig,
3584 tvb, sig_len_offset + 2, sig_len, ENC_NA);
3588 /* Used in RSA PSK and PSK cipher suites */
3590 dissect_ssl3_hnd_srv_keyex_psk(tvbuff_t *tvb, proto_tree *tree,
3591 guint32 offset, guint32 length)
3595 proto_tree *ssl_psk_tree;
3597 hint_len = tvb_get_ntohs(tvb, offset);
3598 if ((2 + hint_len) != length) {
3599 /* Lengths don't line up (wasn't what we expected?) */
3603 ti_psk = proto_tree_add_text(tree, tvb, offset,
3604 length, "PSK Server Params");
3605 ssl_psk_tree = proto_item_add_subtree(ti_psk, ett_ssl_keyex_params);
3608 proto_tree_add_item(ssl_psk_tree, hf_ssl_handshake_server_keyex_hint_len,
3609 tvb, offset, 2, ENC_BIG_ENDIAN);
3610 proto_tree_add_item(ssl_psk_tree, hf_ssl_handshake_server_keyex_hint,
3611 tvb, offset + 2, hint_len, ENC_NA);
3616 dissect_ssl3_hnd_cli_keyex_dh(tvbuff_t *tvb, proto_tree *tree,
3617 guint32 offset, guint32 length)
3619 gint yc_len, yc_len_offset;
3621 proto_tree *ssl_dh_tree;
3622 guint32 orig_offset;
3624 orig_offset = offset;
3626 yc_len_offset = offset;
3627 yc_len = tvb_get_ntohs(tvb, offset);
3628 offset += 2 + yc_len;
3629 if ((offset - orig_offset) != length) {
3633 ti_dh = proto_tree_add_text(tree, tvb, orig_offset,
3634 (offset - orig_offset), "Diffie-Hellman Client Params");
3635 ssl_dh_tree = proto_item_add_subtree(ti_dh, ett_ssl_keyex_params);
3637 /* encrypted PreMaster secret */
3638 proto_tree_add_uint(ssl_dh_tree, hf_ssl_handshake_client_keyex_yc_len,
3639 tvb, yc_len_offset, 2, yc_len);
3640 proto_tree_add_item(ssl_dh_tree, hf_ssl_handshake_client_keyex_yc,
3641 tvb, yc_len_offset + 2, yc_len, ENC_NA);
3645 dissect_ssl3_hnd_cli_keyex_rsa(tvbuff_t *tvb, proto_tree *tree,
3646 guint32 offset, guint32 length)
3648 gint epms_len, epms_len_offset;
3650 proto_tree *ssl_rsa_tree;
3651 guint32 orig_offset;
3653 orig_offset = offset;
3655 epms_len_offset = offset;
3656 epms_len = tvb_get_ntohs(tvb, offset);
3657 offset += 2 + epms_len;
3658 if ((offset - orig_offset) != length) {
3662 ti_rsa = proto_tree_add_text(tree, tvb, orig_offset,
3663 (offset - orig_offset), "RSA Encrypted PreMaster Secret");
3664 ssl_rsa_tree = proto_item_add_subtree(ti_rsa, ett_ssl_keyex_params);
3667 proto_tree_add_uint(ssl_rsa_tree, hf_ssl_handshake_client_keyex_epms_len,
3668 tvb, epms_len_offset, 2, epms_len);
3669 proto_tree_add_item(ssl_rsa_tree, hf_ssl_handshake_client_keyex_epms,
3670 tvb, epms_len_offset + 2, epms_len, ENC_NA);
3673 /* Used in PSK cipher suites */
3675 dissect_ssl3_hnd_cli_keyex_psk(tvbuff_t *tvb, proto_tree *tree,
3676 guint32 offset, guint32 length)
3680 proto_tree *ssl_psk_tree;
3682 identity_len = tvb_get_ntohs(tvb, offset);
3683 if ((2 + identity_len) != length) {
3684 /* Lengths don't line up (wasn't what we expected?) */
3688 ti_psk = proto_tree_add_text(tree, tvb, offset,
3689 length, "PSK Client Params");
3690 ssl_psk_tree = proto_item_add_subtree(ti_psk, ett_ssl_keyex_params);
3693 proto_tree_add_item(ssl_psk_tree, hf_ssl_handshake_client_keyex_identity_len,
3694 tvb, offset, 2, ENC_BIG_ENDIAN);
3695 proto_tree_add_item(ssl_psk_tree, hf_ssl_handshake_client_keyex_identity,
3696 tvb, offset + 2, identity_len, ENC_NA);
3699 /* Used in RSA PSK cipher suites */
3701 dissect_ssl3_hnd_cli_keyex_rsa_psk(tvbuff_t *tvb, proto_tree *tree,
3702 guint32 offset, guint32 length)
3704 gint identity_len, identity_len_offset;
3705 gint epms_len, epms_len_offset;
3707 proto_tree *ssl_psk_tree;
3708 guint32 orig_offset;
3710 orig_offset = offset;
3712 identity_len_offset = offset;
3713 identity_len = tvb_get_ntohs(tvb, offset);
3714 offset += 2 + identity_len;
3715 if ((offset - orig_offset) > length) {
3719 epms_len_offset = offset;
3720 epms_len = tvb_get_ntohs(tvb, offset);
3721 offset += 2 + epms_len;
3722 if ((offset - orig_offset) != length) {
3723 /* Lengths don't line up (wasn't what we expected?) */
3727 ti_psk = proto_tree_add_text(tree, tvb, orig_offset,
3728 (offset - orig_offset), "RSA PSK Client Params");
3729 ssl_psk_tree = proto_item_add_subtree(ti_psk, ett_ssl_keyex_params);
3732 proto_tree_add_item(ssl_psk_tree, hf_ssl_handshake_client_keyex_identity_len,
3733 tvb, identity_len_offset, 2, ENC_BIG_ENDIAN);
3734 proto_tree_add_item(ssl_psk_tree, hf_ssl_handshake_client_keyex_identity,
3735 tvb, identity_len_offset + 2, identity_len, ENC_NA);
3738 proto_tree_add_item(ssl_psk_tree, hf_ssl_handshake_client_keyex_epms_len,
3739 tvb, epms_len_offset, 2, ENC_BIG_ENDIAN);
3740 proto_tree_add_item(ssl_psk_tree, hf_ssl_handshake_client_keyex_epms,
3741 tvb, epms_len_offset + 2, epms_len, ENC_NA);
3748 dissect_ssl3_hnd_finished(tvbuff_t *tvb,
3749 proto_tree *tree, const guint32 offset,
3750 const guint *conv_version)
3754 * opaque verify_data[12];
3759 * opaque md5_hash[16];
3760 * opaque sha_hash[20];
3764 /* this all needs a tree, so bail if we don't have one */
3770 switch (*conv_version) {
3772 case SSL_VER_TLSv1DOT1:
3773 case SSL_VER_TLSv1DOT2:
3774 proto_tree_add_item(tree, hf_ssl_handshake_finished,
3775 tvb, offset, 12, ENC_NA);
3779 proto_tree_add_item(tree, hf_ssl_handshake_md5_hash,
3780 tvb, offset, 16, ENC_NA);
3781 proto_tree_add_item(tree, hf_ssl_handshake_sha_hash,
3782 tvb, offset + 16, 20, ENC_NA);
3788 dissect_ssl3_ocsp_response(tvbuff_t *tvb, proto_tree *tree,
3789 guint32 offset, packet_info *pinfo)
3791 guint cert_status_len;
3793 proto_tree *cert_status_tree;
3795 cert_status_len = tvb_get_ntoh24(tvb, offset);
3796 ti = proto_tree_add_item(tree, hf_ssl_handshake_cert_status,
3797 tvb, offset, cert_status_len + 3,
3799 cert_status_tree = proto_item_add_subtree(ti, ett_ssl_cert_status);
3801 proto_tree_add_item(cert_status_tree, hf_ssl_handshake_cert_status_len,
3802 tvb, offset, 3, ENC_BIG_ENDIAN);
3805 if (cert_status_len > 0) {
3806 proto_item *ocsp_resp;
3807 proto_tree *ocsp_resp_tree;
3808 asn1_ctx_t asn1_ctx;
3810 ocsp_resp = proto_tree_add_item(cert_status_tree,
3811 proto_ocsp, tvb, offset,
3812 cert_status_len, ENC_BIG_ENDIAN);
3813 proto_item_set_text(ocsp_resp, "OCSP Response");
3814 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp,
3816 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
3817 dissect_ocsp_OCSPResponse(FALSE, tvb, offset, &asn1_ctx,
3818 ocsp_resp_tree, -1);
3819 offset += cert_status_len;
3826 dissect_ssl3_hnd_cert_status(tvbuff_t *tvb, proto_tree *tree,
3827 guint32 offset, packet_info *pinfo)
3829 guint8 cert_status_type;
3831 cert_status_type = tvb_get_guint8(tvb, offset);
3832 proto_tree_add_item(tree, hf_ssl_handshake_cert_status_type,
3833 tvb, offset, 1, ENC_BIG_ENDIAN);
3836 switch (cert_status_type) {
3837 case SSL_HND_CERT_STATUS_TYPE_OCSP:
3838 dissect_ssl3_ocsp_response(tvb, tree, offset, pinfo);
3840 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI:
3844 list_len = tvb_get_ntoh24(tvb, offset);
3847 while (list_len-- > 0)
3848 offset = dissect_ssl3_ocsp_response(tvb, tree, offset, pinfo);
3855 /* based on https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04 */
3857 dissect_ssl3_hnd_encrypted_exts(tvbuff_t *tvb, proto_tree *tree,
3860 guint8 selected_protocol_len;
3863 selected_protocol_len = tvb_get_guint8(tvb, offset);
3864 proto_tree_add_item(tree, hf_ssl_handshake_npn_selected_protocol_len,
3865 tvb, offset, 1, ENC_NA);
3867 proto_tree_add_item(tree, hf_ssl_handshake_npn_selected_protocol,
3868 tvb, offset, selected_protocol_len, ENC_ASCII|ENC_NA);
3869 offset += selected_protocol_len;
3871 padding_len = tvb_get_guint8(tvb, offset);
3872 proto_tree_add_item(tree, hf_ssl_handshake_npn_padding_len,
3873 tvb, offset, 1, ENC_NA);
3875 proto_tree_add_item(tree, hf_ssl_handshake_npn_padding,
3876 tvb, offset, padding_len, ENC_NA);
3879 /*********************************************************************
3881 * SSL version 2 Dissectors
3883 *********************************************************************/
3886 /* record layer dissector */
3888 dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
3889 guint32 offset, guint *conv_version,
3890 gboolean *need_desegmentation,
3891 SslDecryptSession *ssl, gboolean first_record_in_frame)
3893 guint32 initial_offset;
3895 guint8 record_length_length;
3896 guint32 record_length;
3898 gint16 padding_length;
3900 const gchar *msg_type_str;
3901 guint32 available_bytes;
3903 proto_tree *ssl_record_tree;
3905 initial_offset = offset;
3908 padding_length = -1;
3909 msg_type_str = NULL;
3910 ssl_record_tree = NULL;
3912 /* pull first byte; if high bit is unset, then record
3913 * length is three bytes due to padding; otherwise
3914 * record length is two bytes
3916 byte = tvb_get_guint8(tvb, offset);
3917 record_length_length = (byte & 0x80) ? 2 : 3;
3919 available_bytes = tvb_length_remaining(tvb, offset);
3922 * Is the record header split across segment boundaries?
3924 if (available_bytes < record_length_length) {
3926 * Yes - can we do reassembly?
3928 if (ssl_desegment && pinfo->can_desegment) {
3930 * Yes. Tell the TCP dissector where the data for this
3931 * message starts in the data it handed us, and that we need
3932 * "some more data." Don't tell it exactly how many bytes we
3933 * need because if/when we ask for even more (after the header)
3934 * that will break reassembly.
3936 pinfo->desegment_offset = offset;
3937 pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
3938 *need_desegmentation = TRUE;
3941 /* Not enough bytes available. Stop here. */
3942 return offset + available_bytes;
3946 /* parse out the record length */
3947 switch (record_length_length) {
3948 case 2: /* two-byte record length */
3949 record_length = (byte & 0x7f) << 8;
3950 byte = tvb_get_guint8(tvb, offset + 1);
3951 record_length += byte;
3953 case 3: /* three-byte record length */
3954 is_escape = (byte & 0x40) ? TRUE : FALSE;
3955 record_length = (byte & 0x3f) << 8;
3956 byte = tvb_get_guint8(tvb, offset + 1);
3957 record_length += byte;
3958 byte = tvb_get_guint8(tvb, offset + 2);
3959 padding_length = byte;
3963 * Is the record split across segment boundaries?
3965 if (available_bytes < (record_length_length + record_length)) {
3967 * Yes - Can we do reassembly?
3969 if (ssl_desegment && pinfo->can_desegment) {
3971 * Yes. Tell the TCP dissector where the data for this
3972 * message starts in the data it handed us, and how many
3973 * more bytes we need, and return.
3975 pinfo->desegment_offset = offset;
3976 pinfo->desegment_len = (record_length_length + record_length)
3978 *need_desegmentation = TRUE;
3981 /* Not enough bytes available. Stop here. */
3982 return offset + available_bytes;
3985 offset += record_length_length;
3987 /* on second and subsequent records per frame
3988 * add a delimiter on info column
3990 if (!first_record_in_frame) {
3991 col_append_str(pinfo->cinfo, COL_INFO, ", ");
3994 /* add the record layer subtree header */
3995 ti = proto_tree_add_item(tree, hf_ssl2_record, tvb, initial_offset,
3996 record_length_length + record_length, ENC_NA);
3997 ssl_record_tree = proto_item_add_subtree(ti, ett_ssl_record);
3999 /* pull the msg_type so we can bail if it's unknown */
4000 msg_type = tvb_get_guint8(tvb, initial_offset + record_length_length);
4002 /* if we get a server_hello or later handshake in v2, then set
4005 if (*conv_version == SSL_VER_UNKNOWN)
4007 if (ssl_looks_like_valid_pct_handshake(tvb,
4009 record_length_length),
4011 *conv_version = SSL_VER_PCT;
4012 /*ssl_set_conv_version(pinfo, ssl->version);*/
4014 else if (msg_type >= 2 && msg_type <= 8)
4016 *conv_version = SSL_VER_SSLv2;
4017 /*ssl_set_conv_version(pinfo, ssl->version);*/
4021 /* if we get here, but don't have a version set for the
4022 * conversation, then set a version for just this frame
4023 * (e.g., on a client hello)
4025 col_set_str(pinfo->cinfo, COL_PROTOCOL,
4026 (*conv_version == SSL_VER_PCT) ? "PCT" : "SSLv2");
4028 /* see if the msg_type is valid; if not the payload is
4029 * probably encrypted, so note that fact and bail
4031 msg_type_str = try_val_to_str(msg_type,
4032 (*conv_version == SSL_VER_PCT)
4033 ? pct_msg_types : ssl_20_msg_types);
4035 || ((*conv_version != SSL_VER_PCT) &&
4036 !ssl_looks_like_valid_v2_handshake(tvb, initial_offset
4037 + record_length_length,
4039 || ((*conv_version == SSL_VER_PCT) &&
4040 !ssl_looks_like_valid_pct_handshake(tvb, initial_offset
4041 + record_length_length,
4044 if (ssl_record_tree)
4046 proto_item_set_text(ssl_record_tree, "%s Record Layer: %s",
4047 (*conv_version == SSL_VER_PCT)
4051 /* Unlike SSLv3, the SSLv2 record layer does not have a
4052 * version field. To make it possible to filter on record
4053 * layer version we create a generated field with ssl
4054 * record layer version 0x0002
4056 ti = proto_tree_add_uint(ssl_record_tree,
4057 hf_ssl_record_version, tvb,
4058 initial_offset, 0, 0x0002);
4059 PROTO_ITEM_SET_GENERATED(ti);
4062 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted Data");
4063 return initial_offset + record_length_length + record_length;
4067 col_append_str(pinfo->cinfo, COL_INFO, msg_type_str);
4069 if (ssl_record_tree)
4071 proto_item_set_text(ssl_record_tree, "%s Record Layer: %s",
4072 (*conv_version == SSL_VER_PCT)
4078 /* We have a valid message type, so move foward, filling in the
4079 * tree by adding the length, is_escape boolean and padding_length,
4080 * if present in the original packet
4082 if (ssl_record_tree)
4084 /* Unlike SSLv3, the SSLv2 record layer does not have a
4085 * version field. To make it possible to filter on record
4086 * layer version we create a generated field with ssl
4087 * record layer version 0x0002
4089 ti = proto_tree_add_uint(ssl_record_tree,
4090 hf_ssl_record_version, tvb,
4091 initial_offset, 0, 0x0002);
4092 PROTO_ITEM_SET_GENERATED(ti);
4094 /* add the record length */
4095 tvb_ensure_bytes_exist(tvb, offset, record_length_length);
4096 proto_tree_add_uint (ssl_record_tree,
4097 hf_ssl_record_length, tvb,
4098 initial_offset, record_length_length,
4101 if (ssl_record_tree && is_escape != -1)
4103 proto_tree_add_boolean(ssl_record_tree,
4104 hf_ssl2_record_is_escape, tvb,
4105 initial_offset, 1, is_escape);
4107 if (ssl_record_tree && padding_length != -1)
4109 proto_tree_add_uint(ssl_record_tree,
4110 hf_ssl2_record_padding_length, tvb,
4111 initial_offset + 2, 1, padding_length);
4115 * dissect the record data
4118 /* jump forward to the start of the record data */
4119 offset = initial_offset + record_length_length;
4121 /* add the message type */
4122 if (ssl_record_tree)
4124 proto_tree_add_item(ssl_record_tree,
4125 (*conv_version == SSL_VER_PCT)
4126 ? hf_pct_msg_type : hf_ssl2_msg_type,
4127 tvb, offset, 1, ENC_BIG_ENDIAN);
4129 offset += 1; /* move past msg_type byte */
4131 if (*conv_version != SSL_VER_PCT)
4133 /* dissect the message (only handle client hello right now) */
4135 case SSL2_HND_CLIENT_HELLO:
4136 dissect_ssl2_hnd_client_hello(tvb, pinfo, ssl_record_tree, offset, ssl);
4139 case SSL2_HND_CLIENT_MASTER_KEY:
4140 dissect_ssl2_hnd_client_master_key(tvb, ssl_record_tree, offset);
4143 case SSL2_HND_SERVER_HELLO:
4144 dissect_ssl2_hnd_server_hello(tvb, ssl_record_tree, offset, pinfo);
4147 case SSL2_HND_ERROR:
4148 case SSL2_HND_CLIENT_FINISHED:
4149 case SSL2_HND_SERVER_VERIFY:
4150 case SSL2_HND_SERVER_FINISHED:
4151 case SSL2_HND_REQUEST_CERTIFICATE:
4152 case SSL2_HND_CLIENT_CERTIFICATE:
4156 default: /* unknown */
4162 /* dissect the message */
4164 case PCT_MSG_CLIENT_HELLO:
4165 dissect_pct_msg_client_hello(tvb, ssl_record_tree, offset);
4167 case PCT_MSG_SERVER_HELLO:
4168 dissect_pct_msg_server_hello(tvb, ssl_record_tree, offset, pinfo);
4170 case PCT_MSG_CLIENT_MASTER_KEY:
4171 dissect_pct_msg_client_master_key(tvb, ssl_record_tree, offset);
4173 case PCT_MSG_SERVER_VERIFY:
4174 dissect_pct_msg_server_verify(tvb, ssl_record_tree, offset);
4177 dissect_pct_msg_error(tvb, ssl_record_tree, offset);
4180 default: /* unknown */
4184 return (initial_offset + record_length_length + record_length);
4188 dissect_ssl2_hnd_client_hello(tvbuff_t *tvb, packet_info *pinfo,
4189 proto_tree *tree, guint32 offset,
4190 SslDecryptSession *ssl)
4195 * uint16 cipher_spec_length;
4196 * uint16 session_id_length;
4197 * uint16 challenge_length;
4198 * V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length];
4199 * opaque session_id[V2ClientHello.session_id_length];
4203 * Note: when we get here, offset's already pointing at Version
4207 guint16 cipher_spec_length;
4208 guint16 session_id_length;
4209 guint16 challenge_length;
4212 proto_tree *cs_tree;
4215 version = tvb_get_ntohs(tvb, offset);
4216 if (!ssl_is_valid_ssl_version(version))
4218 /* invalid version; probably encrypted data */
4223 ssl_set_server(ssl, &pinfo->dst, pinfo->ptype, pinfo->destport);
4224 ssl_find_private_key(ssl, ssl_key_hash, ssl_associations, pinfo);
4229 /* show the version */
4231 proto_tree_add_item(tree, hf_ssl_handshake_client_version, tvb,
4232 offset, 2, ENC_BIG_ENDIAN);
4235 cipher_spec_length = tvb_get_ntohs(tvb, offset);
4237 proto_tree_add_item(tree, hf_ssl2_handshake_cipher_spec_len,
4238 tvb, offset, 2, ENC_BIG_ENDIAN);
4241 session_id_length = tvb_get_ntohs(tvb, offset);
4243 proto_tree_add_item(tree, hf_ssl2_handshake_session_id_len,
4244 tvb, offset, 2, ENC_BIG_ENDIAN);
4245 if (session_id_length > SSLV2_MAX_SESSION_ID_LENGTH_IN_BYTES) {
4246 proto_tree_add_text(tree, tvb, offset, 2,
4247 "Invalid session ID length: %d", session_id_length);
4248 expert_add_info_format(pinfo, NULL, &ei_ssl2_handshake_session_id_len_error,
4249 "Session ID length (%u) must be less than %u.",
4250 session_id_length, SSLV2_MAX_SESSION_ID_LENGTH_IN_BYTES);
4255 challenge_length = tvb_get_ntohs(tvb, offset);
4257 proto_tree_add_item(tree, hf_ssl2_handshake_challenge_len,
4258 tvb, offset, 2, ENC_BIG_ENDIAN);
4263 /* tell the user how many cipher specs they've won */
4264 tvb_ensure_bytes_exist(tvb, offset, cipher_spec_length);
4265 ti = proto_tree_add_none_format(tree, hf_ssl_handshake_cipher_suites,
4266 tvb, offset, cipher_spec_length,
4267 "Cipher Specs (%u specs)",
4268 cipher_spec_length/3);
4270 /* make this a subtree and expand the actual specs below */
4271 cs_tree = proto_item_add_subtree(ti, ett_ssl_cipher_suites);
4274 cs_tree = tree; /* failsafe */
4278 /* iterate through the cipher specs, showing them */
4279 while (cipher_spec_length > 0)
4282 proto_tree_add_item(cs_tree, hf_ssl2_handshake_cipher_spec,
4283 tvb, offset, 3, ENC_BIG_ENDIAN);
4284 offset += 3; /* length of one cipher spec */
4285 cipher_spec_length -= 3;
4288 /* if there's a session id, show it */
4289 if (session_id_length > 0)
4293 tvb_ensure_bytes_exist(tvb, offset, session_id_length);
4294 proto_tree_add_bytes_format(tree,
4295 hf_ssl_handshake_session_id,
4296 tvb, offset, session_id_length,
4297 NULL, "Session ID (%u byte%s)",
4299 plurality(session_id_length, "", "s"));
4302 /* PAOLO: get session id and reset session state for key [re]negotiation */
4305 tvb_memcpy(tvb,ssl->session_id.data, offset, session_id_length);
4306 ssl->session_id.data_len = session_id_length;
4307 ssl->state &= ~(SSL_HAVE_SESSION_KEY|SSL_MASTER_SECRET|SSL_PRE_MASTER_SECRET|
4308 SSL_CIPHER|SSL_SERVER_RANDOM);
4310 offset += session_id_length;
4313 /* if there's a challenge, show it */
4314 if (challenge_length > 0)
4316 tvb_ensure_bytes_exist(tvb, offset, challenge_length);
4319 proto_tree_add_item(tree, hf_ssl2_handshake_challenge,
4320 tvb, offset, challenge_length, ENC_NA);
4323 /* PAOLO: get client random data; we get at most 32 bytes from
4326 max = challenge_length > 32? 32: challenge_length;
4328 ssl_debug_printf("client random len: %d padded to 32\n", challenge_length);
4330 /* client random is padded with zero and 'right' aligned */
4331 memset(ssl->client_random.data, 0, 32 - max);
4332 tvb_memcpy(tvb, &ssl->client_random.data[32 - max], offset, max);
4333 ssl->client_random.data_len = 32;
4334 ssl->state |= SSL_CLIENT_RANDOM;
4335 ssl_debug_printf("dissect_ssl2_hnd_client_hello found CLIENT RANDOM -> state 0x%02X\n", ssl->state);
4342 dissect_pct_msg_client_hello(tvbuff_t *tvb,
4343 proto_tree *tree, guint32 offset)
4345 guint16 CH_CLIENT_VERSION, CH_OFFSET, CH_CIPHER_SPECS_LENGTH, CH_HASH_SPECS_LENGTH, CH_CERT_SPECS_LENGTH, CH_EXCH_SPECS_LENGTH, CH_KEY_ARG_LENGTH;
4346 proto_item *CH_CIPHER_SPECS_ti, *CH_HASH_SPECS_ti, *CH_CERT_SPECS_ti, *CH_EXCH_SPECS_ti;
4347 proto_tree *CH_CIPHER_SPECS_tree, *CH_HASH_SPECS_tree, *CH_CERT_SPECS_tree, *CH_EXCH_SPECS_tree;
4350 CH_CLIENT_VERSION = tvb_get_ntohs(tvb, offset);
4351 if (CH_CLIENT_VERSION != PCT_VERSION_1)
4352 proto_tree_add_text(tree, tvb, offset, 2, "Client Version, should be %x in PCT version 1", PCT_VERSION_1);
4354 proto_tree_add_text(tree, tvb, offset, 2, "Client Version (%x)", PCT_VERSION_1);
4357 proto_tree_add_text(tree, tvb, offset, 1, "PAD");
4360 proto_tree_add_text(tree, tvb, offset, 32, "Client Session ID Data (32 bytes)");
4363 proto_tree_add_text(tree, tvb, offset, 32, "Challenge Data(32 bytes)");
4366 CH_OFFSET = tvb_get_ntohs(tvb, offset);
4367 if (CH_OFFSET != PCT_CH_OFFSET_V1)
4368 proto_tree_add_text(tree, tvb, offset, 2, "CH_OFFSET: %d, should be %d in PCT version 1", CH_OFFSET, PCT_CH_OFFSET_V1);
4370 proto_tree_add_text(tree, tvb, offset, 2, "CH_OFFSET: %d", CH_OFFSET);
4373 CH_CIPHER_SPECS_LENGTH = tvb_get_ntohs(tvb, offset);
4374 proto_tree_add_text(tree, tvb, offset, 2, "CIPHER_SPECS Length: %d", CH_CIPHER_SPECS_LENGTH);
4377 CH_HASH_SPECS_LENGTH = tvb_get_ntohs(tvb, offset);
4378 proto_tree_add_text(tree, tvb, offset, 2, "HASH_SPECS Length: %d", CH_HASH_SPECS_LENGTH);
4381 CH_CERT_SPECS_LENGTH = tvb_get_ntohs(tvb, offset);
4382 proto_tree_add_text(tree, tvb, offset, 2, "CERT_SPECS Length: %d", CH_CERT_SPECS_LENGTH);
4385 CH_EXCH_SPECS_LENGTH = tvb_get_ntohs(tvb, offset);
4386 proto_tree_add_text(tree, tvb, offset, 2, "EXCH_SPECS Length: %d", CH_EXCH_SPECS_LENGTH);
4389 CH_KEY_ARG_LENGTH = tvb_get_ntohs(tvb, offset);
4390 proto_tree_add_text(tree, tvb, offset, 2, "IV Length: %d", CH_KEY_ARG_LENGTH);
4393 if (CH_CIPHER_SPECS_LENGTH) {
4394 tvb_ensure_bytes_exist(tvb, offset, CH_CIPHER_SPECS_LENGTH);
4395 CH_CIPHER_SPECS_ti = proto_tree_add_item(tree, hf_pct_handshake_cipher_spec, tvb, offset, CH_CIPHER_SPECS_LENGTH, ENC_NA);
4396 CH_CIPHER_SPECS_tree = proto_item_add_subtree(CH_CIPHER_SPECS_ti, ett_pct_cipher_suites);
4398 for(i=0; i<(CH_CIPHER_SPECS_LENGTH/4); i++) {
4399 proto_tree_add_item(CH_CIPHER_SPECS_tree, hf_pct_handshake_cipher, tvb, offset, 2, ENC_BIG_ENDIAN);
4401 proto_tree_add_text(CH_CIPHER_SPECS_tree, tvb, offset, 1, "Encryption key length: %d", tvb_get_guint8(tvb, offset));
4403 proto_tree_add_text(CH_CIPHER_SPECS_tree, tvb, offset, 1, "MAC key length in bits: %d", tvb_get_guint8(tvb, offset) + 64);
4408 if (CH_HASH_SPECS_LENGTH) {
4409 tvb_ensure_bytes_exist(tvb, offset, CH_HASH_SPECS_LENGTH);
4410 CH_HASH_SPECS_ti = proto_tree_add_item(tree, hf_pct_handshake_hash_spec, tvb, offset, CH_HASH_SPECS_LENGTH, ENC_NA);
4411 CH_HASH_SPECS_tree = proto_item_add_subtree(CH_HASH_SPECS_ti, ett_pct_hash_suites);
4413 for(i=0; i<(CH_HASH_SPECS_LENGTH/2); i++) {
4414 proto_tree_add_item(CH_HASH_SPECS_tree, hf_pct_handshake_hash, tvb, offset, 2, ENC_BIG_ENDIAN);
4419 if (CH_CERT_SPECS_LENGTH) {
4420 tvb_ensure_bytes_exist(tvb, offset, CH_CERT_SPECS_LENGTH);
4421 CH_CERT_SPECS_ti = proto_tree_add_item(tree, hf_pct_handshake_cert_spec, tvb, offset, CH_CERT_SPECS_LENGTH, ENC_NA);
4422 CH_CERT_SPECS_tree = proto_item_add_subtree(CH_CERT_SPECS_ti, ett_pct_cert_suites);
4424 for(i=0; i< (CH_CERT_SPECS_LENGTH/2); i++) {
4425 proto_tree_add_item(CH_CERT_SPECS_tree, hf_pct_handshake_cert, tvb, offset, 2, ENC_BIG_ENDIAN);
4430 if (CH_EXCH_SPECS_LENGTH) {
4431 tvb_ensure_bytes_exist(tvb, offset, CH_EXCH_SPECS_LENGTH);
4432 CH_EXCH_SPECS_ti = proto_tree_add_item(tree, hf_pct_handshake_exch_spec, tvb, offset, CH_EXCH_SPECS_LENGTH, ENC_NA);
4433 CH_EXCH_SPECS_tree = proto_item_add_subtree(CH_EXCH_SPECS_ti, ett_pct_exch_suites);
4435 for(i=0; i<(CH_EXCH_SPECS_LENGTH/2); i++) {
4436 proto_tree_add_item(CH_EXCH_SPECS_tree, hf_pct_handshake_exch, tvb, offset, 2, ENC_BIG_ENDIAN);
4441 if (CH_KEY_ARG_LENGTH) {
4442 tvb_ensure_bytes_exist(tvb, offset, CH_KEY_ARG_LENGTH);
4443 proto_tree_add_text(tree, tvb, offset, CH_KEY_ARG_LENGTH, "IV data (%d bytes)", CH_KEY_ARG_LENGTH);
4448 dissect_pct_msg_server_hello(tvbuff_t *tvb, proto_tree *tree, guint32 offset, packet_info *pinfo)
4451 char SH_MSG_SERVER_HELLO
4453 char SH_SERVER_VERSION_MSB
4454 char SH_SERVER_VERSION_LSB
4455 char SH_RESTART_SESSION_OK
4456 char SH_CLIENT_AUTH_REQ
4457 char SH_CIPHER_SPECS_DATA[4]
4458 char SH_HASH_SPECS_DATA[2]
4459 char SH_CERT_SPECS_DATA[2]
4460 char SH_EXCH_SPECS_DATA[2]
4461 char SH_CONNECTION_ID_DATA[32]
4462 char SH_CERTIFICATE_LENGTH_MSB
4463 char SH_CERTIFICATE_LENGTH_LSB
4464 char SH_CLIENT_CERT_SPECS_LENGTH_MSB
4465 char SH_CLIENT_CERT_SPECS_LENGTH_LSB
4466 char SH_CLIENT_SIG_SPECS_LENGTH_MSB
4467 char SH_CLIENT_SIG_SPECS_LENGTH_LSB
4468 char SH_RESPONSE_LENGTH_MSB
4469 char SH_RESPONSE_LENGTH_LSB
4470 char SH_CERTIFICATE_DATA[MSB<<8|LSB]
4471 char SH_CLIENT_CERT_SPECS_DATA[MSB<<8|LSB]
4472 char SH_CLIENT_SIG_SPECS_DATA[MSB<<8|LSB]
4473 char SH_RESPONSE_DATA[MSB<<8|LSB]
4477 guint16 SH_SERVER_VERSION, SH_CERT_LENGTH, SH_CERT_SPECS_LENGTH, SH_CLIENT_SIG_LENGTH, SH_RESPONSE_LENGTH;
4478 asn1_ctx_t asn1_ctx;
4479 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
4481 proto_tree_add_text(tree, tvb, offset, 1, "PAD");
4484 SH_SERVER_VERSION = tvb_get_ntohs(tvb, offset);
4485 if (SH_SERVER_VERSION != PCT_VERSION_1)
4486 proto_tree_add_text(tree, tvb, offset, 2, "Server Version, should be %x in PCT version 1", PCT_VERSION_1);
4488 proto_tree_add_text(tree, tvb, offset, 2, "Server Version (%x)", PCT_VERSION_1);
4491 proto_tree_add_text(tree, tvb, offset, 1, "SH_RESTART_SESSION_OK flag");
4494 proto_tree_add_text(tree, tvb, offset, 1, "SH_CLIENT_AUTH_REQ flag");
4497 proto_tree_add_item(tree, hf_pct_handshake_cipher, tvb, offset, 2, ENC_BIG_ENDIAN);
4499 proto_tree_add_text(tree, tvb, offset, 1, "Encryption key length: %d", tvb_get_guint8(tvb, offset));
4501 proto_tree_add_text(tree, tvb, offset, 1, "MAC key length in bits: %d", tvb_get_guint8(tvb, offset) + 64);
4504 proto_tree_add_item(tree, hf_pct_handshake_hash, tvb, offset, 2, ENC_BIG_ENDIAN);
4507 proto_tree_add_item(tree, hf_pct_handshake_cert, tvb, offset, 2, ENC_BIG_ENDIAN);
4510 proto_tree_add_item(tree, hf_pct_handshake_exch, tvb, offset, 2, ENC_BIG_ENDIAN);
4513 proto_tree_add_text(tree, tvb, offset, 32, "Connection ID Data (32 bytes)");
4516 SH_CERT_LENGTH = tvb_get_ntohs(tvb, offset);
4517 proto_tree_add_text(tree, tvb, offset, 2, "Server Certificate Length: %d", SH_CERT_LENGTH);
4520 SH_CERT_SPECS_LENGTH = tvb_get_ntohs(tvb, offset);
4521 proto_tree_add_text(tree, tvb, offset, 2, "Client CERT_SPECS Length: %d", SH_CERT_SPECS_LENGTH);
4524 SH_CLIENT_SIG_LENGTH = tvb_get_ntohs(tvb, offset);
4525 proto_tree_add_text(tree, tvb, offset, 2, "Client SIG_SPECS Length: %d", SH_CLIENT_SIG_LENGTH);
4528 SH_RESPONSE_LENGTH = tvb_get_ntohs(tvb, offset);
4529 proto_tree_add_text(tree, tvb, offset, 2, "Response Length: %d", SH_RESPONSE_LENGTH);
4532 if (SH_CERT_LENGTH) {
4533 dissect_x509af_Certificate(FALSE, tvb, offset, &asn1_ctx, tree, hf_pct_handshake_server_cert);
4534 offset += SH_CERT_LENGTH;
4537 if (SH_CERT_SPECS_LENGTH) {
4538 tvb_ensure_bytes_exist(tvb, offset, SH_CERT_SPECS_LENGTH);
4539 proto_tree_add_text(tree, tvb, offset, SH_CERT_SPECS_LENGTH, "Client CERT_SPECS (%d bytes)", SH_CERT_SPECS_LENGTH);
4540 offset += SH_CERT_SPECS_LENGTH;
4543 if (SH_CLIENT_SIG_LENGTH) {
4544 tvb_ensure_bytes_exist(tvb, offset, SH_CLIENT_SIG_LENGTH);
4545 proto_tree_add_text(tree, tvb, offset, SH_CLIENT_SIG_LENGTH, "Client Signature (%d bytes)", SH_CLIENT_SIG_LENGTH);
4546 offset += SH_CLIENT_SIG_LENGTH;
4549 if (SH_RESPONSE_LENGTH) {
4550 tvb_ensure_bytes_exist(tvb, offset, SH_RESPONSE_LENGTH);
4551 proto_tree_add_text(tree, tvb, offset, SH_RESPONSE_LENGTH, "Server Response (%d bytes)", SH_RESPONSE_LENGTH);
4557 dissect_pct_msg_client_master_key(tvbuff_t *tvb, proto_tree *tree, guint32 offset)
4559 guint16 CMK_CLEAR_KEY_LENGTH, CMK_ENCRYPTED_KEY_LENGTH, CMK_KEY_ARG_LENGTH, CMK_VERIFY_PRELUDE, CMK_CLIENT_CERT_LENGTH, CMK_RESPONSE_LENGTH;
4561 proto_tree_add_text(tree, tvb, offset, 1, "PAD");
4564 proto_tree_add_item(tree, hf_pct_handshake_cert, tvb, offset, 2, ENC_BIG_ENDIAN);
4567 proto_tree_add_item(tree, hf_pct_handshake_sig, tvb, offset, 2, ENC_BIG_ENDIAN);
4570 CMK_CLEAR_KEY_LENGTH = tvb_get_ntohs(tvb, offset);
4571 proto_tree_add_text(tree, tvb, offset, 2, "Clear Key Length: %d",CMK_CLEAR_KEY_LENGTH);
4574 CMK_ENCRYPTED_KEY_LENGTH = tvb_get_ntohs(tvb, offset);
4575 proto_tree_add_text(tree, tvb, offset, 2, "Encrypted Key Length: %d",CMK_ENCRYPTED_KEY_LENGTH);
4578 CMK_KEY_ARG_LENGTH= tvb_get_ntohs(tvb, offset);
4579 proto_tree_add_text(tree, tvb, offset, 2, "IV Length: %d",CMK_KEY_ARG_LENGTH);
4582 CMK_VERIFY_PRELUDE = tvb_get_ntohs(tvb, offset);
4583 proto_tree_add_text(tree, tvb, offset, 2, "Verify Prelude Length: %d",CMK_VERIFY_PRELUDE);
4586 CMK_CLIENT_CERT_LENGTH = tvb_get_ntohs(tvb, offset);
4587 proto_tree_add_text(tree, tvb, offset, 2, "Client Cert Length: %d",CMK_CLIENT_CERT_LENGTH);
4590 CMK_RESPONSE_LENGTH = tvb_get_ntohs(tvb, offset);
4591 proto_tree_add_text(tree, tvb, offset, 2, "Response Length: %d",CMK_RESPONSE_LENGTH);
4594 if (CMK_CLEAR_KEY_LENGTH) {
4595 tvb_ensure_bytes_exist(tvb, offset, CMK_CLEAR_KEY_LENGTH);
4596 proto_tree_add_text(tree, tvb, offset, CMK_CLEAR_KEY_LENGTH, "Clear Key data (%d bytes)", CMK_CLEAR_KEY_LENGTH);
4597 offset += CMK_CLEAR_KEY_LENGTH;
4599 if (CMK_ENCRYPTED_KEY_LENGTH) {
4600 tvb_ensure_bytes_exist(tvb, offset, CMK_ENCRYPTED_KEY_LENGTH);
4601 proto_tree_add_text(tree, tvb, offset, CMK_ENCRYPTED_KEY_LENGTH, "Encrypted Key data (%d bytes)", CMK_ENCRYPTED_KEY_LENGTH);
4602 offset += CMK_ENCRYPTED_KEY_LENGTH;
4604 if (CMK_KEY_ARG_LENGTH) {
4605 tvb_ensure_bytes_exist(tvb, offset, CMK_KEY_ARG_LENGTH);
4606 proto_tree_add_text(tree, tvb, offset, CMK_KEY_ARG_LENGTH, "IV data (%d bytes)", CMK_KEY_ARG_LENGTH);
4607 offset += CMK_KEY_ARG_LENGTH;
4609 if (CMK_VERIFY_PRELUDE) {
4610 tvb_ensure_bytes_exist(tvb, offset, CMK_VERIFY_PRELUDE);
4611 proto_tree_add_text(tree, tvb, offset, CMK_VERIFY_PRELUDE, "Verify Prelude data (%d bytes)", CMK_VERIFY_PRELUDE);
4612 offset += CMK_VERIFY_PRELUDE;
4614 if (CMK_CLIENT_CERT_LENGTH) {
4615 tvb_ensure_bytes_exist(tvb, offset, CMK_CLIENT_CERT_LENGTH);
4616 proto_tree_add_text(tree, tvb, offset, CMK_CLIENT_CERT_LENGTH, "Client Certificate data (%d bytes)", CMK_CLIENT_CERT_LENGTH);
4617 offset += CMK_CLIENT_CERT_LENGTH;
4619 if (CMK_RESPONSE_LENGTH) {
4620 tvb_ensure_bytes_exist(tvb, offset, CMK_RESPONSE_LENGTH);
4621 proto_tree_add_text(tree, tvb, offset, CMK_RESPONSE_LENGTH, "Response data (%d bytes)", CMK_RESPONSE_LENGTH);
4626 dissect_pct_msg_server_verify(tvbuff_t *tvb,
4627 proto_tree *tree, guint32 offset)
4629 guint16 SV_RESPONSE_LENGTH;
4631 proto_tree_add_text(tree, tvb, offset, 1, "PAD");
4634 proto_tree_add_text(tree, tvb, offset, 32, "Server Session ID data (32 bytes)");
4637 SV_RESPONSE_LENGTH = tvb_get_ntohs(tvb, offset);
4638 proto_tree_add_text(tree, tvb, offset, 2, "Server Response Length: %d", SV_RESPONSE_LENGTH);
4641 if (SV_RESPONSE_LENGTH) {
4642 tvb_ensure_bytes_exist(tvb, offset, SV_RESPONSE_LENGTH);
4643 proto_tree_add_text(tree, tvb, offset, SV_RESPONSE_LENGTH, "Server Response (%d bytes)", SV_RESPONSE_LENGTH);
4648 dissect_pct_msg_error(tvbuff_t *tvb,
4649 proto_tree *tree, guint32 offset)
4651 guint16 ERROR_CODE, INFO_LEN;
4653 ERROR_CODE = tvb_get_ntohs(tvb, offset);
4654 proto_tree_add_item(tree, hf_pct_msg_error_type, tvb, offset, 2, ENC_BIG_ENDIAN);
4657 INFO_LEN = tvb_get_ntohs(tvb, offset);
4658 proto_tree_add_text(tree, tvb, offset, 2, "Error Information Length: %d", INFO_LEN);
4660 if (ERROR_CODE == PCT_ERR_SPECS_MISMATCH && INFO_LEN == 6)
4662 proto_tree_add_text(tree, tvb, offset, 1, "SPECS_MISMATCH_CIPHER");
4664 proto_tree_add_text(tree, tvb, offset, 1, "SPECS_MISMATCH_HASH");
4666 proto_tree_add_text(tree, tvb, offset, 1, "SPECS_MISMATCH_CERT");
4668 proto_tree_add_text(tree, tvb, offset, 1, "SPECS_MISMATCH_EXCH");
4670 proto_tree_add_text(tree, tvb, offset, 1, "SPECS_MISMATCH_CLIENT_CERT");
4672 proto_tree_add_text(tree, tvb, offset, 1, "SPECS_MISMATCH_CLIENT_SIG");
4674 else if (INFO_LEN) {
4675 proto_tree_add_text(tree, tvb, offset, INFO_LEN, "Error Information data (%d bytes)", INFO_LEN);
4680 dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb,
4681 proto_tree *tree, guint32 offset)
4685 * V2Cipherspec cipher;
4686 * uint16 clear_key_length;
4687 * uint16 encrypted_key_length;
4688 * uint16 key_arg_length;
4689 * opaque clear_key_data[V2ClientMasterKey.clear_key_length];
4690 * opaque encrypted_key_data[V2ClientMasterKey.encrypted_key_length];
4691 * opaque key_arg_data[V2ClientMasterKey.key_arg_length];
4692 * } V2ClientMasterKey;
4694 * Note: when we get here, offset's already pointing at cipher
4696 guint16 clear_key_length;
4697 guint16 encrypted_key_length;
4698 guint16 key_arg_length;
4700 /* at this point, everything we do involves the tree,
4701 * so quit now if we don't have one ;-)
4708 /* show the selected cipher */
4709 proto_tree_add_item(tree, hf_ssl2_handshake_cipher_spec,
4710 tvb, offset, 3, ENC_BIG_ENDIAN);
4713 /* get the fixed fields */
4714 clear_key_length = tvb_get_ntohs(tvb, offset);
4715 proto_tree_add_item(tree, hf_ssl2_handshake_clear_key_len,
4716 tvb, offset, 2, ENC_BIG_ENDIAN);
4719 encrypted_key_length = tvb_get_ntohs(tvb, offset);
4720 proto_tree_add_item(tree, hf_ssl2_handshake_enc_key_len,
4721 tvb, offset, 2, ENC_BIG_ENDIAN);
4724 key_arg_length = tvb_get_ntohs(tvb, offset);
4725 proto_tree_add_item(tree, hf_ssl2_handshake_key_arg_len,
4726 tvb, offset, 2, ENC_BIG_ENDIAN);
4729 /* show the variable length fields */
4730 if (clear_key_length > 0)
4732 tvb_ensure_bytes_exist(tvb, offset, clear_key_length);
4733 proto_tree_add_item(tree, hf_ssl2_handshake_clear_key,
4734 tvb, offset, clear_key_length, ENC_NA);
4735 offset += clear_key_length;
4738 if (encrypted_key_length > 0)
4740 tvb_ensure_bytes_exist(tvb, offset, encrypted_key_length);
4741 proto_tree_add_item(tree, hf_ssl2_handshake_enc_key,
4742 tvb, offset, encrypted_key_length, ENC_NA);
4743 offset += encrypted_key_length;
4746 if (key_arg_length > 0)
4748 tvb_ensure_bytes_exist(tvb, offset, key_arg_length);
4749 proto_tree_add_item(tree, hf_ssl2_handshake_key_arg,
4750 tvb, offset, key_arg_length, ENC_NA);
4756 dissect_ssl2_hnd_server_hello(tvbuff_t *tvb,
4757 proto_tree *tree, guint32 offset, packet_info *pinfo)
4761 * uint8 session_id_hit;
4762 * uint8 certificate_type;
4763 * uint16 server_version;
4764 * uint16 certificate_length;
4765 * uint16 cipher_specs_length;
4766 * uint16 connection_id_length;
4767 * opaque certificate_data[V2ServerHello.certificate_length];
4768 * opaque cipher_specs_data[V2ServerHello.cipher_specs_length];
4769 * opaque connection_id_data[V2ServerHello.connection_id_length];
4772 * Note: when we get here, offset's already pointing at session_id_hit
4774 guint16 certificate_length;
4775 guint16 cipher_spec_length;
4776 guint16 connection_id_length;
4779 proto_tree *subtree;
4780 asn1_ctx_t asn1_ctx;
4782 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
4784 /* everything we do only makes sense with a tree, so
4785 * quit now if we don't have one
4792 version = tvb_get_ntohs(tvb, offset + 2);
4793 if (!ssl_is_valid_ssl_version(version))
4795 /* invalid version; probably encrypted data */
4800 /* is there a hit? */
4801 proto_tree_add_item(tree, hf_ssl2_handshake_session_id_hit,
4802 tvb, offset, 1, ENC_BIG_ENDIAN);
4805 /* what type of certificate is this? */
4806 proto_tree_add_item(tree, hf_ssl2_handshake_cert_type,
4807 tvb, offset, 1, ENC_BIG_ENDIAN);
4810 /* now the server version */
4811 proto_tree_add_item(tree, hf_ssl_handshake_server_version,
4812 tvb, offset, 2, ENC_BIG_ENDIAN);
4815 /* get the fixed fields */
4816 certificate_length = tvb_get_ntohs(tvb, offset);
4817 proto_tree_add_uint(tree, hf_ssl_handshake_certificate_len,
4818 tvb, offset, 2, certificate_length);
4821 cipher_spec_length = tvb_get_ntohs(tvb, offset);
4822 proto_tree_add_uint(tree, hf_ssl2_handshake_cipher_spec_len,
4823 tvb, offset, 2, cipher_spec_length);
4826 connection_id_length = tvb_get_ntohs(tvb, offset);
4827 proto_tree_add_uint(tree, hf_ssl2_handshake_connection_id_len,
4828 tvb, offset, 2, connection_id_length);
4831 /* now the variable length fields */
4832 if (certificate_length > 0)
4834 (void)dissect_x509af_Certificate(FALSE, tvb, offset, &asn1_ctx, tree, hf_ssl_handshake_certificate);
4835 offset += certificate_length;
4838 if (cipher_spec_length > 0)
4840 /* provide a collapsing node for the cipher specs */
4841 tvb_ensure_bytes_exist(tvb, offset, cipher_spec_length);
4842 ti = proto_tree_add_none_format(tree,
4843 hf_ssl_handshake_cipher_suites,
4844 tvb, offset, cipher_spec_length,
4845 "Cipher Specs (%u spec%s)",
4846 cipher_spec_length/3,
4847 plurality(cipher_spec_length/3, "", "s"));
4848 subtree = proto_item_add_subtree(ti, ett_ssl_cipher_suites);
4854 /* iterate through the cipher specs */
4855 while (cipher_spec_length > 0)
4857 proto_tree_add_item(subtree, hf_ssl2_handshake_cipher_spec,
4858 tvb, offset, 3, ENC_BIG_ENDIAN);
4860 cipher_spec_length -= 3;
4864 if (connection_id_length > 0)
4866 tvb_ensure_bytes_exist(tvb, offset, connection_id_length);
4867 proto_tree_add_item(tree, hf_ssl2_handshake_connection_id,
4868 tvb, offset, connection_id_length, ENC_NA);
4874 void ssl_set_master_secret(guint32 frame_num, address *addr_srv, address *addr_cli,
4875 port_type ptype, guint32 port_srv, guint32 port_cli,
4876 guint32 version, gint cipher, const guchar *_master_secret,
4877 const guchar *_client_random, const guchar *_server_random,
4878 guint32 client_seq, guint32 server_seq)
4880 conversation_t *conversation;
4882 SslDecryptSession *ssl;
4885 ssl_debug_printf("\nssl_set_master_secret enter frame #%u\n", frame_num);
4887 conversation = find_conversation(frame_num, addr_srv, addr_cli, ptype, port_srv, port_cli, 0);
4889 if (!conversation) {
4890 /* create a new conversation */
4891 conversation = conversation_new(frame_num, addr_srv, addr_cli, ptype, port_srv, port_cli, 0);
4892 ssl_debug_printf(" new conversation = %p created\n", (void *)conversation);
4894 conv_data = conversation_get_proto_data(conversation, proto_ssl);
4897 ssl = (SslDecryptSession *)conv_data;
4899 ssl = (SslDecryptSession *)wmem_alloc0(wmem_file_scope(), sizeof(SslDecryptSession));
4900 ssl_session_init(ssl);
4901 ssl->version = SSL_VER_UNKNOWN;
4902 conversation_add_proto_data(conversation, proto_ssl, ssl);
4905 ssl_debug_printf(" conversation = %p, ssl_session = %p\n", (void *)conversation, (void *)ssl);
4907 ssl_set_server(ssl, addr_srv, ptype, port_srv);
4910 if ((ssl->version==SSL_VER_UNKNOWN) && (version!=SSL_VER_UNKNOWN)) {
4913 ssl->version = SSL_VER_SSLv3;
4914 ssl->version_netorder = SSLV3_VERSION;
4915 ssl->state |= SSL_VERSION;
4916 ssl_debug_printf("ssl_set_master_secret set version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state);
4920 ssl->version = SSL_VER_TLS;
4921 ssl->version_netorder = TLSV1_VERSION;
4922 ssl->state |= SSL_VERSION;
4923 ssl_debug_printf("ssl_set_master_secret set version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state);
4926 case SSL_VER_TLSv1DOT1:
4927 ssl->version = SSL_VER_TLSv1DOT1;
4928 ssl->version_netorder = TLSV1DOT1_VERSION;
4929 ssl->state |= SSL_VERSION;
4930 ssl_debug_printf("ssl_set_master_secret set version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state);
4933 case SSL_VER_TLSv1DOT2:
4934 ssl->version = SSL_VER_TLSv1DOT2;
4935 ssl->version_netorder = TLSV1DOT2_VERSION;
4936 ssl->state |= SSL_VERSION;
4937 ssl_debug_printf("ssl_set_master_secret set version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state);
4944 ssl->cipher = cipher;
4945 if (ssl_find_cipher(ssl->cipher,&ssl->cipher_suite) < 0) {
4946 ssl_debug_printf("ssl_set_master_secret can't find cipher suite 0x%X\n", ssl->cipher);
4948 ssl->state |= SSL_CIPHER;
4949 ssl_debug_printf("ssl_set_master_secret set CIPHER 0x%04X -> state 0x%02X\n", ssl->cipher, ssl->state);
4954 if (_client_random) {
4955 ssl_data_set(&ssl->client_random, _client_random, 32);
4956 ssl->state |= SSL_CLIENT_RANDOM;
4957 ssl_debug_printf("ssl_set_master_secret set CLIENT RANDOM -> state 0x%02X\n", ssl->state);
4961 if (_server_random) {
4962 ssl_data_set(&ssl->server_random, _server_random, 32);
4963 ssl->state |= SSL_SERVER_RANDOM;
4964 ssl_debug_printf("ssl_set_master_secret set SERVER RANDOM -> state 0x%02X\n", ssl->state);
4968 if (_master_secret) {
4969 ssl_data_set(&ssl->master_secret, _master_secret, 48);
4970 ssl->state |= SSL_MASTER_SECRET;
4971 ssl_debug_printf("ssl_set_master_secret set MASTER SECRET -> state 0x%02X\n", ssl->state);
4974 ssl_debug_printf("ssl_set_master_secret trying to generate keys\n");
4975 if (ssl_generate_keyring_material(ssl)<0) {
4976 ssl_debug_printf("ssl_set_master_secret can't generate keyring material\n");
4980 /* change ciphers immediately */
4981 ssl_change_cipher(ssl, TRUE);
4982 ssl_change_cipher(ssl, FALSE);
4984 /* update seq numbers if available */
4985 if (ssl->client && (client_seq != (guint32)-1)) {
4986 ssl->client->seq = client_seq;
4987 ssl_debug_printf("ssl_set_master_secret client->seq updated to %u\n", ssl->client->seq);
4989 if (ssl->server && (server_seq != (guint32)-1)) {
4990 ssl->server->seq = server_seq;
4991 ssl_debug_printf("ssl_set_master_secret server->seq updated to %u\n", ssl->server->seq);
4994 /* update IV from last data */
4995 iv_len = (ssl->cipher_suite.block>1) ? ssl->cipher_suite.block : 8;
4996 if (ssl->client && ((ssl->client->seq > 0) || (ssl->client_data_for_iv.data_len > iv_len))) {
4997 ssl_cipher_setiv(&ssl->client->evp, ssl->client_data_for_iv.data + ssl->client_data_for_iv.data_len - iv_len, iv_len);
4998 ssl_print_data("ssl_set_master_secret client IV updated",ssl->client_data_for_iv.data + ssl->client_data_for_iv.data_len - iv_len, iv_len);
5000 if (ssl->server && ((ssl->server->seq > 0) || (ssl->server_data_for_iv.data_len > iv_len))) {
5001 ssl_cipher_setiv(&ssl->server->evp, ssl->server_data_for_iv.data + ssl->server_data_for_iv.data_len - iv_len, iv_len);
5002 ssl_print_data("ssl_set_master_secret server IV updated",ssl->server_data_for_iv.data + ssl->server_data_for_iv.data_len - iv_len, iv_len);
5007 /*********************************************************************
5011 *********************************************************************/
5014 ssl_set_conv_version(packet_info *pinfo, guint version)
5016 conversation_t *conversation;
5018 if (pinfo->fd->flags.visited)
5020 /* We've already processed this frame; no need to do any more
5026 conversation = find_or_create_conversation(pinfo);
5028 if (conversation_get_proto_data(conversation, proto_ssl) != NULL)
5030 /* get rid of the current data */
5031 conversation_delete_proto_data(conversation, proto_ssl);
5033 conversation_add_proto_data(conversation, proto_ssl, GINT_TO_POINTER(version));
5038 ssl_is_valid_handshake_type(const guint8 type)
5042 case SSL_HND_HELLO_REQUEST:
5043 case SSL_HND_CLIENT_HELLO:
5044 case SSL_HND_SERVER_HELLO:
5045 case SSL_HND_NEWSESSION_TICKET:
5046 case SSL_HND_CERTIFICATE:
5047 case SSL_HND_SERVER_KEY_EXCHG:
5048 case SSL_HND_CERT_REQUEST:
5049 case SSL_HND_SVR_HELLO_DONE:
5050 case SSL_HND_CERT_VERIFY:
5051 case SSL_HND_CLIENT_KEY_EXCHG:
5052 case SSL_HND_FINISHED:
5059 ssl_is_valid_ssl_version(const guint16 version)
5061 const gchar *version_str;
5063 version_str = try_val_to_str(version, ssl_versions);
5064 return version_str != NULL;
5068 ssl_is_authoritative_version_message(const guint8 content_type,
5069 const guint8 next_byte)
5071 if (content_type == SSL_ID_HANDSHAKE
5072 && ssl_is_valid_handshake_type(next_byte))
5074 return (next_byte != SSL_HND_CLIENT_HELLO);
5076 else if (ssl_is_valid_content_type(content_type)
5077 && content_type != SSL_ID_HANDSHAKE)
5085 ssl_is_v2_client_hello(tvbuff_t *tvb, const guint32 offset)
5089 byte = tvb_get_guint8(tvb, offset);
5090 if (byte != 0x80) /* v2 client hello should start this way */
5095 byte = tvb_get_guint8(tvb, offset+2);
5096 if (byte != 0x01) /* v2 client hello msg type */
5101 /* 1 in 2^16 of being right; improve later if necessary */
5105 /* this applies a heuristic to determine whether
5106 * or not the data beginning at offset looks like a
5107 * valid sslv2 record. this isn't really possible,
5108 * but we'll try to do a reasonable job anyway.
5111 ssl_looks_like_sslv2(tvbuff_t *tvb, const guint32 offset)
5113 /* here's the current approach:
5115 * we only try to catch unencrypted handshake messages, so we can
5116 * assume that there is not padding. This means that the
5117 * first byte must be >= 0x80 and there must be a valid sslv2
5118 * msg_type in the third byte
5121 /* get the first byte; must have high bit set */
5123 byte = tvb_get_guint8(tvb, offset);
5130 /* get the supposed msg_type byte; since we only care about
5131 * unencrypted handshake messages (we can't tell the type for
5132 * encrypted messages), we just check against that list
5134 byte = tvb_get_guint8(tvb, offset + 2);
5136 case SSL2_HND_ERROR:
5137 case SSL2_HND_CLIENT_HELLO:
5138 case SSL2_HND_CLIENT_MASTER_KEY:
5139 case SSL2_HND_SERVER_HELLO:
5140 case PCT_MSG_CLIENT_MASTER_KEY:
5147 /* this applies a heuristic to determine whether
5148 * or not the data beginning at offset looks like a
5149 * valid sslv3 record. this is somewhat more reliable
5150 * than sslv2 due to the structure of the v3 protocol
5153 ssl_looks_like_sslv3(tvbuff_t *tvb, const guint32 offset)
5155 /* have to have a valid content type followed by a valid
5161 /* see if the first byte is a valid content type */
5162 byte = tvb_get_guint8(tvb, offset);
5163 if (!ssl_is_valid_content_type(byte))
5168 /* now check to see if the version byte appears valid */
5169 version = tvb_get_ntohs(tvb, offset + 1);
5173 case TLSV1DOT1_VERSION:
5174 case TLSV1DOT2_VERSION:
5180 /* applies a heuristic to determine whether
5181 * or not the data beginning at offset looks
5182 * like a valid, unencrypted v2 handshake message.
5183 * since it isn't possible to completely tell random
5184 * data apart from a valid message without state,
5185 * we try to help the odds.
5188 ssl_looks_like_valid_v2_handshake(tvbuff_t *tvb, const guint32 offset,
5189 const guint32 record_length)
5191 /* first byte should be a msg_type.
5193 * - we know we only see client_hello, client_master_key,
5194 * and server_hello in the clear, so check to see if
5195 * msg_type is one of those (this gives us a 3 in 2^8
5196 * chance of saying yes with random payload)
5198 * - for those three types that we know about, do some
5199 * further validation to reduce the chance of an error
5206 /* fetch the msg_type */
5207 msg_type = tvb_get_guint8(tvb, offset);
5210 case SSL2_HND_CLIENT_HELLO:
5211 /* version follows msg byte, so verify that this is valid */
5212 version = tvb_get_ntohs(tvb, offset+1);
5213 ret = ssl_is_valid_ssl_version(version);
5216 case SSL2_HND_SERVER_HELLO:
5217 /* version is three bytes after msg_type */
5218 version = tvb_get_ntohs(tvb, offset+3);
5219 ret = ssl_is_valid_ssl_version(version);
5222 case SSL2_HND_CLIENT_MASTER_KEY:
5223 /* sum of clear_key_length, encrypted_key_length, and key_arg_length
5224 * must be less than record length
5226 sum = tvb_get_ntohs(tvb, offset + 4); /* clear_key_length */
5227 sum += tvb_get_ntohs(tvb, offset + 6); /* encrypted_key_length */
5228 sum += tvb_get_ntohs(tvb, offset + 8); /* key_arg_length */
5229 if (sum <= record_length) {
5241 /* applies a heuristic to determine whether
5242 * or not the data beginning at offset looks
5243 * like a valid, unencrypted pct handshake message.
5244 * since it isn't possible to completely tell random
5245 * data apart from a valid message without state,
5246 * we try to help the odds.
5249 ssl_looks_like_valid_pct_handshake(tvbuff_t *tvb, const guint32 offset,
5250 const guint32 record_length)
5252 /* first byte should be a msg_type.
5254 * - we know we only see client_hello, client_master_key,
5255 * and server_hello in the clear, so check to see if
5256 * msg_type is one of those (this gives us a 3 in 2^8
5257 * chance of saying yes with random payload)
5259 * - for those three types that we know about, do some
5260 * further validation to reduce the chance of an error
5267 /* fetch the msg_type */
5268 msg_type = tvb_get_guint8(tvb, offset);
5271 case PCT_MSG_CLIENT_HELLO:
5272 /* version follows msg byte, so verify that this is valid */
5273 version = tvb_get_ntohs(tvb, offset+1);
5274 ret = (version == PCT_VERSION_1);
5277 case PCT_MSG_SERVER_HELLO:
5278 /* version is one byte after msg_type */
5279 version = tvb_get_ntohs(tvb, offset+2);
5280 ret = (version == PCT_VERSION_1);
5283 case PCT_MSG_CLIENT_MASTER_KEY:
5284 /* sum of various length fields must be less than record length */
5285 sum = tvb_get_ntohs(tvb, offset + 6); /* clear_key_length */
5286 sum += tvb_get_ntohs(tvb, offset + 8); /* encrypted_key_length */
5287 sum += tvb_get_ntohs(tvb, offset + 10); /* key_arg_length */
5288 sum += tvb_get_ntohs(tvb, offset + 12); /* verify_prelude_length */
5289 sum += tvb_get_ntohs(tvb, offset + 14); /* client_cert_length */
5290 sum += tvb_get_ntohs(tvb, offset + 16); /* response_length */
5291 if (sum <= record_length) {
5296 case PCT_MSG_SERVER_VERIFY:
5297 /* record is 36 bytes longer than response_length */
5298 sum = tvb_get_ntohs(tvb, offset + 34); /* response_length */
5299 if ((sum + 36) == record_length) {
5312 /* dissect a list of hash algorithms, return the number of bytes dissected
5313 this is used for the signature algorithms extension and for the
5314 TLS1.2 certificate request */
5316 dissect_ssl_hash_alg_list(tvbuff_t *tvb, proto_tree *tree,
5317 guint32 offset, guint16 len)
5319 guint32 offset_start;
5320 proto_tree *subtree, *alg_tree;
5323 offset_start = offset;
5327 ti = proto_tree_add_none_format(tree,
5328 hf_ssl_handshake_sig_hash_algs,
5330 "Signature Hash Algorithms (%u algorithm%s)",
5332 plurality(len/2, "", "s"));
5333 subtree = proto_item_add_subtree(ti, ett_ssl_sig_hash_algs);
5336 proto_tree_add_text(tree, tvb, offset, 2,
5337 "Invalid Signature Hash Algorithm length: %d", len);
5338 return offset-offset_start;
5342 ti = proto_tree_add_item(subtree, hf_ssl_handshake_sig_hash_alg,
5343 tvb, offset, 2, ENC_BIG_ENDIAN);
5344 alg_tree = proto_item_add_subtree(ti, ett_ssl_sig_hash_alg);
5346 proto_tree_add_item(alg_tree, hf_ssl_handshake_sig_hash_hash,
5347 tvb, offset, 1, ENC_BIG_ENDIAN);
5348 proto_tree_add_item(alg_tree, hf_ssl_handshake_sig_hash_sig,
5349 tvb, offset+1, 1, ENC_BIG_ENDIAN);
5354 return offset-offset_start;
5360 #ifdef HAVE_LIBGNUTLS
5362 ssldecrypt_free_cb(void *r)
5364 ssldecrypt_assoc_t *h = (ssldecrypt_assoc_t *)r;
5368 g_free(h->protocol);
5370 g_free(h->password);
5374 ssldecrypt_copy_cb(void *dest, const void *orig, size_t len _U_)
5376 const ssldecrypt_assoc_t *o = (ssldecrypt_assoc_t *)orig;
5377 ssldecrypt_assoc_t *d = (ssldecrypt_assoc_t *)dest;
5379 d->ipaddr = g_strdup(o->ipaddr);
5380 d->port = g_strdup(o->port);
5381 d->protocol = g_strdup(o->protocol);
5382 d->keyfile = g_strdup(o->keyfile);
5383 d->password = g_strdup(o->password);
5388 UAT_CSTRING_CB_DEF(sslkeylist_uats,ipaddr,ssldecrypt_assoc_t)
5389 UAT_CSTRING_CB_DEF(sslkeylist_uats,port,ssldecrypt_assoc_t)
5390 UAT_CSTRING_CB_DEF(sslkeylist_uats,protocol,ssldecrypt_assoc_t)
5391 UAT_FILENAME_CB_DEF(sslkeylist_uats,keyfile,ssldecrypt_assoc_t)
5392 UAT_CSTRING_CB_DEF(sslkeylist_uats,password,ssldecrypt_assoc_t)
5395 /*********************************************************************
5397 * Standard Wireshark Protocol Registration and housekeeping
5399 *********************************************************************/
5401 proto_register_ssl(void)
5404 /* Setup list of header fields See Section 1.6.1 for details*/
5405 static hf_register_info hf[] = {
5407 { "Record Layer", "ssl.record",
5408 FT_NONE, BASE_NONE, NULL, 0x0,
5411 { &hf_ssl_record_content_type,
5412 { "Content Type", "ssl.record.content_type",
5413 FT_UINT8, BASE_DEC, VALS(ssl_31_content_type), 0x0,
5416 { &hf_ssl2_msg_type,
5417 { "Handshake Message Type", "ssl.handshake.type",
5418 FT_UINT8, BASE_DEC, VALS(ssl_20_msg_types), 0x0,
5419 "SSLv2 handshake message type", HFILL}
5422 { "Handshake Message Type", "ssl.pct_handshake.type",
5423 FT_UINT8, BASE_DEC, VALS(pct_msg_types), 0x0,
5424 "PCT handshake message type", HFILL}
5426 { &hf_ssl_record_version,
5427 { "Version", "ssl.record.version",
5428 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
5429 "Record layer version", HFILL }
5431 { &hf_ssl_record_length,
5432 { "Length", "ssl.record.length",
5433 FT_UINT16, BASE_DEC, NULL, 0x0,
5434 "Length of SSL record data", HFILL }
5436 { &hf_ssl_record_appdata,
5437 { "Encrypted Application Data", "ssl.app_data",
5438 FT_BYTES, BASE_NONE, NULL, 0x0,
5439 "Payload is encrypted application data", HFILL }
5443 { "SSLv2/PCT Record Header", "ssl.record",
5444 FT_NONE, BASE_NONE, NULL, 0x0,
5445 "SSLv2/PCT record data", HFILL }
5447 { &hf_ssl2_record_is_escape,
5448 { "Is Escape", "ssl.record.is_escape",
5449 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
5450 "Indicates a security escape", HFILL}
5452 { &hf_ssl2_record_padding_length,
5453 { "Padding Length", "ssl.record.padding_length",
5454 FT_UINT8, BASE_DEC, NULL, 0x0,
5455 "Length of padding at end of record", HFILL }
5457 { &hf_ssl_change_cipher_spec,
5458 { "Change Cipher Spec Message", "ssl.change_cipher_spec",
5459 FT_NONE, BASE_NONE, NULL, 0x0,
5460 "Signals a change in cipher specifications", HFILL }
5462 { &hf_ssl_alert_message,
5463 { "Alert Message", "ssl.alert_message",
5464 FT_NONE, BASE_NONE, NULL, 0x0,
5467 { &hf_ssl_alert_message_level,
5468 { "Level", "ssl.alert_message.level",
5469 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_level), 0x0,
5470 "Alert message level", HFILL }
5472 { &hf_ssl_alert_message_description,
5473 { "Description", "ssl.alert_message.desc",
5474 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_description), 0x0,
5475 "Alert message description", HFILL }
5477 { &hf_ssl_handshake_protocol,
5478 { "Handshake Protocol", "ssl.handshake",
5479 FT_NONE, BASE_NONE, NULL, 0x0,
5480 "Handshake protocol message", HFILL}
5482 { &hf_ssl_handshake_type,
5483 { "Handshake Type", "ssl.handshake.type",
5484 FT_UINT8, BASE_DEC, VALS(ssl_31_handshake_type), 0x0,
5485 "Type of handshake message", HFILL}
5487 { &hf_ssl_handshake_length,
5488 { "Length", "ssl.handshake.length",
5489 FT_UINT24, BASE_DEC, NULL, 0x0,
5490 "Length of handshake message", HFILL }
5492 { &hf_ssl_handshake_client_version,
5493 { "Version", "ssl.handshake.version",
5494 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
5495 "Maximum version supported by client", HFILL }
5497 { &hf_ssl_handshake_server_version,
5498 { "Version", "ssl.handshake.version",
5499 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
5500 "Version selected by server", HFILL }
5502 { &hf_ssl_handshake_random_time,
5503 { "GMT Unix Time", "ssl.handshake.random_time",
5504 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
5505 "Unix time field of random structure", HFILL }
5507 { &hf_ssl_handshake_random_bytes,
5508 { "Random Bytes", "ssl.handshake.random_bytes",
5509 FT_BYTES, BASE_NONE, NULL, 0x0,
5510 "Random challenge used to authenticate server", HFILL }
5512 { &hf_ssl_handshake_cipher_suites_len,
5513 { "Cipher Suites Length", "ssl.handshake.cipher_suites_length",
5514 FT_UINT16, BASE_DEC, NULL, 0x0,
5515 "Length of cipher suites field", HFILL }
5517 { &hf_ssl_handshake_cipher_suites,
5518 { "Cipher Suites", "ssl.handshake.ciphersuites",
5519 FT_NONE, BASE_NONE, NULL, 0x0,
5520 "List of cipher suites supported by client", HFILL }
5522 { &hf_ssl_handshake_cipher_suite,
5523 { "Cipher Suite", "ssl.handshake.ciphersuite",
5524 FT_UINT16, BASE_HEX|BASE_EXT_STRING, &ssl_31_ciphersuite_ext, 0x0,
5527 { &hf_ssl2_handshake_cipher_spec,
5528 { "Cipher Spec", "ssl.handshake.cipherspec",
5529 FT_UINT24, BASE_HEX|BASE_EXT_STRING, &ssl_20_cipher_suites_ext, 0x0,
5530 "Cipher specification", HFILL }
5532 { &hf_ssl_handshake_session_id,
5533 { "Session ID", "ssl.handshake.session_id",
5534 FT_BYTES, BASE_NONE, NULL, 0x0,
5535 "Identifies the SSL session, allowing later resumption", HFILL }
5537 { &hf_ssl_handshake_comp_methods_len,
5538 { "Compression Methods Length", "ssl.handshake.comp_methods_length",
5539 FT_UINT8, BASE_DEC, NULL, 0x0,
5540 "Length of compression methods field", HFILL }
5542 { &hf_ssl_handshake_comp_methods,
5543 { "Compression Methods", "ssl.handshake.comp_methods",
5544 FT_NONE, BASE_NONE, NULL, 0x0,
5545 "List of compression methods supported by client", HFILL }
5547 { &hf_ssl_handshake_comp_method,
5548 { "Compression Method", "ssl.handshake.comp_method",
5549 FT_UINT8, BASE_DEC, VALS(ssl_31_compression_method), 0x0,
5552 { &hf_ssl_handshake_extensions_len,
5553 { "Extensions Length", "ssl.handshake.extensions_length",
5554 FT_UINT16, BASE_DEC, NULL, 0x0,
5555 "Length of hello extensions", HFILL }
5557 { &hf_ssl_handshake_extension_type,
5558 { "Type", "ssl.handshake.extension.type",
5559 FT_UINT16, BASE_HEX, VALS(tls_hello_extension_types), 0x0,
5560 "Hello extension type", HFILL }
5562 { &hf_ssl_handshake_extension_len,
5563 { "Length", "ssl.handshake.extension.len",
5564 FT_UINT16, BASE_DEC, NULL, 0x0,
5565 "Length of a hello extension", HFILL }
5567 { &hf_ssl_handshake_extension_data,
5568 { "Data", "ssl.handshake.extension.data",
5569 FT_BYTES, BASE_NONE, NULL, 0x0,
5570 "Hello Extension data", HFILL }
5572 { &hf_ssl_handshake_extension_elliptic_curves_len,
5573 { "Elliptic Curves Length", "ssl.handshake.extensions_elliptic_curves_length",
5574 FT_UINT16, BASE_DEC, NULL, 0x0,
5575 "Length of elliptic curves field", HFILL }
5577 { &hf_ssl_handshake_extension_elliptic_curves,
5578 { "Elliptic Curves List", "ssl.handshake.extensions_elliptic_curves",
5579 FT_NONE, BASE_NONE, NULL, 0x0,
5580 "List of elliptic curves supported", HFILL }
5582 { &hf_ssl_handshake_extension_elliptic_curve,
5583 { "Elliptic curve", "ssl.handshake.extensions_elliptic_curve",
5584 FT_UINT16, BASE_HEX, VALS(ssl_extension_curves), 0x0,
5587 { &hf_ssl_handshake_extension_ec_point_formats_len,
5588 { "EC point formats Length", "ssl.handshake.extensions_ec_point_formats_length",
5589 FT_UINT8, BASE_DEC, NULL, 0x0,
5590 "Length of elliptic curves point formats field", HFILL }
5592 { &hf_ssl_handshake_extension_ec_point_format,
5593 { "EC point format", "ssl.handshake.extensions_ec_point_format",
5594 FT_UINT8, BASE_DEC, VALS(ssl_extension_ec_point_formats), 0x0,
5595 "Elliptic curves point format", HFILL }
5597 { &hf_ssl_handshake_extension_alpn_len,
5598 { "ALPN Extension Length", "ssl.handshake.extensions_alpn_len",
5599 FT_UINT16, BASE_DEC, NULL, 0x0,
5600 "Length of the ALPN Extension", HFILL }
5602 { &hf_ssl_handshake_extension_alpn_list,
5603 { "ALPN Protocol", "ssl.handshake.extensions_alpn_list",
5604 FT_NONE, BASE_NONE, NULL, 0x0,
5607 { &hf_ssl_handshake_extension_alpn_str_len,
5608 { "ALPN string length", "ssl.handshake.extensions_alpn_str_len",
5609 FT_UINT8, BASE_DEC, NULL, 0x0,
5610 "Length of ALPN string", HFILL }
5612 { &hf_ssl_handshake_extension_alpn_str,
5613 { "ALPN Next Protocol", "ssl.handshake.extensions_alpn_str",
5614 FT_STRING, BASE_NONE, NULL, 0x00,
5617 { &hf_ssl_handshake_extension_npn_str_len,
5618 { "Protocol string length", "ssl.handshake.extensions_npn_str_len",
5619 FT_UINT8, BASE_DEC, NULL, 0x0,
5620 "Length of next protocol string", HFILL }
5622 { &hf_ssl_handshake_extension_npn_str,
5623 { "Next Protocol", "ssl.handshake.extensions_npn",
5624 FT_STRING, BASE_NONE, NULL, 0x0,
5627 { &hf_ssl_handshake_extension_reneg_info_len,
5628 { "Renegotiation info extension length", "ssl.handshake.extensions_reneg_info_len",
5629 FT_UINT8, BASE_DEC, NULL, 0x0,
5632 { &hf_ssl_handshake_extension_server_name_list_len,
5633 { "Server Name list length", "ssl.handshake.extensions_server_name_list_len",
5634 FT_UINT16, BASE_DEC, NULL, 0x0,
5635 "Length of server name list", HFILL }
5637 { &hf_ssl_handshake_extension_server_name_len,
5638 { "Server Name length", "ssl.handshake.extensions_server_name_len",
5639 FT_UINT16, BASE_DEC, NULL, 0x0,
5640 "Length of server name string", HFILL }
5642 { &hf_ssl_handshake_extension_server_name_type,
5643 { "Server Name Type", "ssl.handshake.extensions_server_name_type",
5644 FT_UINT8, BASE_DEC, VALS(tls_hello_ext_server_name_type_vs), 0x0,
5647 { &hf_ssl_handshake_extension_server_name,
5648 { "Server Name", "ssl.handshake.extensions_server_name",
5649 FT_STRING, BASE_NONE, NULL, 0x0,
5652 { &hf_ssl_hs_ext_cert_url_type,
5653 { "Certificate Chain Type", "ssl.handshake.cert_url_type",
5654 FT_UINT8, BASE_DEC, VALS(tls_cert_chain_type), 0x0,
5655 "Certificate Chain Type for Client Certificate URL", HFILL }
5657 { &hf_ssl_hs_ext_cert_url_url_hash_list_len,
5658 { "URL and Hash list Length", "ssl.handshake.cert_url.url_hash_len",
5659 FT_UINT16, BASE_DEC, NULL, 0x0,
5662 { &hf_ssl_hs_ext_cert_url_item,
5663 { "URL and Hash", "ssl.handshake.cert_url.url_hash",
5664 FT_NONE, BASE_NONE, NULL, 0x0,
5667 { &hf_ssl_hs_ext_cert_url_url_len,
5668 { "URL Length", "ssl.handshake.cert_url.url_len",
5669 FT_UINT16, BASE_DEC, NULL, 0x0,
5672 { &hf_ssl_hs_ext_cert_url_url,
5673 { "URL", "ssl.handshake.cert_url.url_hash_len",
5674 FT_STRING, BASE_NONE, NULL, 0x0,
5675 "URL used to fetch the certificate(s)", HFILL }
5677 { &hf_ssl_hs_ext_cert_url_padding,
5678 { "Padding", "ssl.handshake.cert_url.padding",
5679 FT_NONE, BASE_NONE, NULL, 0x0,
5680 "Padding that MUST be 0x01 for backwards compatibility", HFILL }
5682 { &hf_ssl_hs_ext_cert_url_sha1,
5683 { "SHA1 Hash", "ssl.handshake.cert_url.sha1",
5684 FT_BYTES, BASE_NONE, NULL, 0x0,
5685 "SHA1 Hash of the certificate", HFILL }
5687 { &hf_ssl_hs_ext_cert_status_type,
5688 { "Certificate Status Type", "ssl.handshake.extensions_status_request_type",
5689 FT_UINT8, BASE_DEC, VALS(tls_cert_status_type), 0x0,
5692 { &hf_ssl_hs_ext_cert_status_request_len,
5693 { "Certificate Status Length", "ssl.handshake.extensions_status_request_len",
5694 FT_UINT16, BASE_DEC, NULL, 0x0,
5697 { &hf_ssl_hs_ext_cert_status_responder_id_list_len,
5698 { "Responder ID list Length", "ssl.handshake.extensions_status_request_responder_ids_len",
5699 FT_UINT16, BASE_DEC, NULL, 0x0,
5702 { &hf_ssl_hs_ext_cert_status_request_extensions_len,
5703 { "Request Extensions Length", "ssl.handshake.extensions_status_request_exts_len",
5704 FT_UINT16, BASE_DEC, NULL, 0x0,
5707 { &hf_ssl_handshake_session_ticket_lifetime_hint,
5708 { "Session Ticket Lifetime Hint", "ssl.handshake.session_ticket_lifetime_hint",
5709 FT_UINT32, BASE_DEC, NULL, 0x0,
5710 "New TLS Session Ticket Lifetime Hint", HFILL }
5712 { &hf_ssl_handshake_session_ticket_len,
5713 { "Session Ticket Length", "ssl.handshake.session_ticket_length",
5714 FT_UINT16, BASE_DEC, NULL, 0x0,
5715 "New TLS Session Ticket Length", HFILL }
5717 { &hf_ssl_handshake_session_ticket,
5718 { "Session Ticket", "ssl.handshake.session_ticket",
5719 FT_BYTES, BASE_NONE, NULL, 0x0,
5720 "New TLS Session Ticket", HFILL }
5722 { &hf_ssl_handshake_certificates_len,
5723 { "Certificates Length", "ssl.handshake.certificates_length",
5724 FT_UINT24, BASE_DEC, NULL, 0x0,
5725 "Length of certificates field", HFILL }
5727 { &hf_ssl_handshake_certificates,
5728 { "Certificates", "ssl.handshake.certificates",
5729 FT_NONE, BASE_NONE, NULL, 0x0,
5730 "List of certificates", HFILL }
5732 { &hf_ssl_handshake_certificate,
5733 { "Certificate", "ssl.handshake.certificate",
5734 FT_NONE, BASE_NONE, NULL, 0x0,
5737 { &hf_ssl_handshake_certificate_len,
5738 { "Certificate Length", "ssl.handshake.certificate_length",
5739 FT_UINT24, BASE_DEC, NULL, 0x0,
5740 "Length of certificate", HFILL }
5742 { &hf_ssl_handshake_cert_types_count,
5743 { "Certificate types count", "ssl.handshake.cert_types_count",
5744 FT_UINT8, BASE_DEC, NULL, 0x0,
5745 "Count of certificate types", HFILL }
5747 { &hf_ssl_handshake_cert_types,
5748 { "Certificate types", "ssl.handshake.cert_types",
5749 FT_NONE, BASE_NONE, NULL, 0x0,
5750 "List of certificate types", HFILL }
5752 { &hf_ssl_handshake_cert_type,
5753 { "Certificate type", "ssl.handshake.cert_type",
5754 FT_UINT8, BASE_DEC, VALS(ssl_31_client_certificate_type), 0x0,
5757 { &hf_ssl_handshake_server_keyex_p_len,
5758 { "p Length", "ssl.handshake.p_len",
5759 FT_UINT16, BASE_DEC, NULL, 0x0,
5760 "Length of p", HFILL }
5762 { &hf_ssl_handshake_server_keyex_g_len,
5763 { "g Length", "ssl.handshake.g_len",
5764 FT_UINT16, BASE_DEC, NULL, 0x0,
5765 "Length of g", HFILL }
5767 { &hf_ssl_handshake_server_keyex_ys_len,
5768 { "Pubkey Length", "ssl.handshake.ys_len",
5769 FT_UINT16, BASE_DEC, NULL, 0x0,
5770 "Length of server's Diffie-Hellman public key", HFILL }
5772 { &hf_ssl_handshake_client_keyex_yc_len,
5773 { "Pubkey Length", "ssl.handshake.yc_len",
5774 FT_UINT16, BASE_DEC, NULL, 0x0,
5775 "Length of client's Diffie-Hellman public key", HFILL }
5777 { &hf_ssl_handshake_client_keyex_point_len,
5778 { "Pubkey Length", "ssl.handshake.client_point_len",
5779 FT_UINT8, BASE_DEC, NULL, 0x0,
5780 "Length of client's EC Diffie-Hellman public key", HFILL }
5782 { &hf_ssl_handshake_server_keyex_point_len,
5783 { "Pubkey Length", "ssl.handshake.server_point_len",
5784 FT_UINT8, BASE_DEC, NULL, 0x0,
5785 "Length of server's EC Diffie-Hellman public key", HFILL }
5787 { &hf_ssl_handshake_client_keyex_epms_len,
5788 { "Encrypted PreMaster length", "ssl.handshake.epms_len",
5789 FT_UINT16, BASE_DEC, NULL, 0x0,
5790 "Length of encrypted PreMaster secret", HFILL }
5792 { &hf_ssl_handshake_client_keyex_epms,
5793 { "Encrypted PreMaster", "ssl.handshake.epms",
5794 FT_BYTES, BASE_NONE, NULL, 0x0,
5795 "Encrypted PreMaster secret", HFILL }
5797 { &hf_ssl_handshake_server_keyex_modulus_len,
5798 { "modulus Length", "ssl.handshake.modulus_len",
5799 FT_UINT16, BASE_DEC, NULL, 0x0,
5800 "Length of RSA-EXPORT modulus", HFILL }
5802 { &hf_ssl_handshake_server_keyex_exponent_len,
5803 { "exponent Length", "ssl.handshake.exponent_len",
5804 FT_UINT16, BASE_DEC, NULL, 0x0,
5805 "Length of RSA-EXPORT exponent", HFILL }
5807 { &hf_ssl_handshake_server_keyex_sig_len,
5808 { "Signature Length", "ssl.handshake.sig_len",
5809 FT_UINT16, BASE_DEC, NULL, 0x0,
5810 "Length of Signature", HFILL }
5812 { &hf_ssl_handshake_server_keyex_p,
5813 { "p", "ssl.handshake.p",
5814 FT_BYTES, BASE_NONE, NULL, 0x0,
5815 "Diffie-Hellman p", HFILL }
5817 { &hf_ssl_handshake_server_keyex_g,
5818 { "g", "ssl.handshake.g",
5819 FT_BYTES, BASE_NONE, NULL, 0x0,
5820 "Diffie-Hellman g", HFILL }
5822 { &hf_ssl_handshake_server_keyex_curve_type,
5823 { "curve_type", "ssl.handshake.server_curve_type",
5824 FT_UINT8, BASE_HEX, VALS(ssl_curve_types), 0x0,
5825 "Server curve_type", HFILL }
5827 { &hf_ssl_handshake_server_keyex_named_curve,
5828 { "named_curve", "ssl.handshake.server_named_curve",
5829 FT_UINT16, BASE_HEX, VALS(ssl_extension_curves), 0x0,
5830 "Server named_curve", HFILL }
5832 { &hf_ssl_handshake_server_keyex_ys,
5833 { "pubkey", "ssl.handshake.ys",
5834 FT_BYTES, BASE_NONE, NULL, 0x0,
5835 "Diffie-Hellman server pubkey", HFILL }
5837 { &hf_ssl_handshake_client_keyex_yc,
5838 { "pubkey", "ssl.handshake.yc",
5839 FT_BYTES, BASE_NONE, NULL, 0x0,
5840 "Diffie-Hellman client pubkey", HFILL }
5842 { &hf_ssl_handshake_server_keyex_point,
5843 { "pubkey", "ssl.handshake.server_point",
5844 FT_BYTES, BASE_NONE, NULL, 0x0,
5845 "EC Diffie-Hellman server pubkey", HFILL }
5847 { &hf_ssl_handshake_client_keyex_point,
5848 { "pubkey", "ssl.handshake.client_point",
5849 FT_BYTES, BASE_NONE, NULL, 0x0,
5850 "EC Diffie-Hellman client pubkey", HFILL }
5852 { &hf_ssl_handshake_server_keyex_modulus,
5853 { "modulus", "ssl.handshake.modulus",
5854 FT_BYTES, BASE_NONE, NULL, 0x0,
5855 "RSA-EXPORT modulus", HFILL }
5857 { &hf_ssl_handshake_server_keyex_exponent,
5858 { "exponent", "ssl.handshake.exponent",
5859 FT_BYTES, BASE_NONE, NULL, 0x0,
5860 "RSA-EXPORT exponent", HFILL }
5862 { &hf_ssl_handshake_server_keyex_sig,
5863 { "signature", "ssl.handshake.sig",
5864 FT_BYTES, BASE_NONE, NULL, 0x0,
5865 "Diffie-Hellman server signature", HFILL }
5867 { &hf_ssl_handshake_server_keyex_hint_len,
5868 { "Hint Length", "ssl.handshake.hint_len",
5869 FT_UINT16, BASE_DEC, NULL, 0x0,
5870 "Length of PSK Hint", HFILL }
5872 { &hf_ssl_handshake_server_keyex_hint,
5873 { "Hint", "ssl.handshake.hint",
5874 FT_BYTES, BASE_NONE, NULL, 0x0,
5877 { &hf_ssl_handshake_client_keyex_identity_len,
5878 { "Identity Length", "ssl.handshake.identity_len",
5879 FT_UINT16, BASE_DEC, NULL, 0x0,
5880 "Length of PSK Identity", HFILL }
5882 { &hf_ssl_handshake_client_keyex_identity,
5883 { "Identity", "ssl.handshake.identity",
5884 FT_BYTES, BASE_NONE, NULL, 0x0,
5885 "PSK Identity", HFILL }
5887 { &hf_ssl_handshake_sig_hash_alg_len,
5888 { "Signature Hash Algorithms Length", "ssl.handshake.sig_hash_alg_len",
5889 FT_UINT16, BASE_DEC, NULL, 0x0,
5890 "Length of Signature Hash Algorithms", HFILL }
5892 { &hf_ssl_handshake_sig_hash_algs,
5893 { "Signature Hash Algorithms", "ssl.handshake.sig_hash_algs",
5894 FT_NONE, BASE_NONE, NULL, 0x0,
5895 "List of Signature Hash Algorithms", HFILL }
5897 { &hf_ssl_handshake_sig_hash_alg,
5898 { "Signature Hash Algorithm", "ssl.handshake.sig_hash_alg",
5899 FT_UINT16, BASE_HEX, NULL, 0x0,
5902 { &hf_ssl_handshake_sig_hash_hash,
5903 { "Signature Hash Algorithm Hash", "ssl.handshake.sig_hash_hash",
5904 FT_UINT8, BASE_DEC, VALS(tls_hash_algorithm), 0x0,
5907 { &hf_ssl_handshake_sig_hash_sig,
5908 { "Signature Hash Algorithm Signature", "ssl.handshake.sig_hash_sig",
5909 FT_UINT8, BASE_DEC, VALS(tls_signature_algorithm), 0x0,
5912 { &hf_ssl_handshake_cert_status,
5913 { "Certificate Status", "ssl.handshake.cert_status",
5914 FT_NONE, BASE_NONE, NULL, 0x0,
5915 "Certificate Status Data", HFILL }
5917 { &hf_ssl_handshake_cert_status_type,
5918 { "Certificate Status Type", "ssl.handshake.cert_status_type",
5919 FT_UINT8, BASE_DEC, VALS(tls_cert_status_type), 0x0,
5922 { &hf_ssl_handshake_cert_status_len,
5923 { "Certificate Status Length", "ssl.handshake.cert_status_len",
5924 FT_UINT24, BASE_DEC, NULL, 0x0,
5925 "Length of certificate status", HFILL }
5927 { &hf_ssl_handshake_npn_selected_protocol_len,
5928 { "Selected Protocol Length", "ssl.handshake.npn_selected_protocol_len",
5929 FT_UINT8, BASE_DEC, NULL, 0x0,
5932 { &hf_ssl_handshake_npn_selected_protocol,
5933 { "Selected Protocol", "ssl.handshake.npn_selected_protocol",
5934 FT_STRING, BASE_NONE, NULL, 0x0,
5935 "Protocol to be used for connection", HFILL }
5937 { &hf_ssl_handshake_npn_padding_len,
5938 { "Padding Length", "ssl.handshake.npn_padding_len",
5939 FT_UINT8, BASE_DEC, NULL, 0x0,
5942 { &hf_ssl_handshake_npn_padding,
5943 { "Padding", "ssl.handshake.npn_padding",
5944 FT_BYTES, BASE_NONE, NULL, 0x0,
5947 { &hf_ssl_handshake_finished,
5948 { "Verify Data", "ssl.handshake.verify_data",
5949 FT_NONE, BASE_NONE, NULL, 0x0,
5950 "Opaque verification data", HFILL }
5952 { &hf_ssl_handshake_md5_hash,
5953 { "MD5 Hash", "ssl.handshake.md5_hash",
5954 FT_NONE, BASE_NONE, NULL, 0x0,
5955 "Hash of messages, master_secret, etc.", HFILL }
5957 { &hf_ssl_handshake_sha_hash,
5958 { "SHA-1 Hash", "ssl.handshake.sha_hash",
5959 FT_NONE, BASE_NONE, NULL, 0x0,
5960 "Hash of messages, master_secret, etc.", HFILL }
5962 { &hf_ssl_handshake_session_id_len,
5963 { "Session ID Length", "ssl.handshake.session_id_length",
5964 FT_UINT8, BASE_DEC, NULL, 0x0,
5965 "Length of session ID field", HFILL }
5967 { &hf_ssl_handshake_dnames_len,
5968 { "Distinguished Names Length", "ssl.handshake.dnames_len",
5969 FT_UINT16, BASE_DEC, NULL, 0x0,
5970 "Length of list of CAs that server trusts", HFILL }
5972 { &hf_ssl_handshake_dnames,
5973 { "Distinguished Names", "ssl.handshake.dnames",
5974 FT_NONE, BASE_NONE, NULL, 0x0,
5975 "List of CAs that server trusts", HFILL }
5977 { &hf_ssl_handshake_dname_len,
5978 { "Distinguished Name Length", "ssl.handshake.dname_len",
5979 FT_UINT16, BASE_DEC, NULL, 0x0,
5980 "Length of distinguished name", HFILL }
5982 { &hf_ssl_handshake_dname,
5983 { "Distinguished Name", "ssl.handshake.dname",
5984 FT_NONE, BASE_NONE, NULL, 0x0,
5985 "Distinguished name of a CA that server trusts", HFILL }
5987 { &hf_ssl_heartbeat_extension_mode,
5988 { "Mode", "ssl.handshake.extension.heartbeat.mode",
5989 FT_UINT8, BASE_DEC, VALS(tls_heartbeat_mode), 0x0,
5990 "Heartbeat extension mode", HFILL }
5992 { &hf_ssl_heartbeat_message,
5993 { "Heartbeat Message", "ssl.heartbeat_message",
5994 FT_NONE, BASE_NONE, NULL, 0x0,
5997 { &hf_ssl_heartbeat_message_type,
5998 { "Type", "ssl.heartbeat_message.type",
5999 FT_UINT8, BASE_DEC, VALS(tls_heartbeat_type), 0x0,
6000 "Heartbeat message type", HFILL }
6002 { &hf_ssl_heartbeat_message_payload_length,
6003 { "Payload Length", "ssl.heartbeat_message.payload_length",
6004 FT_UINT16, BASE_DEC, NULL, 0x00, NULL, HFILL }
6006 { &hf_ssl_heartbeat_message_payload,
6007 { "Payload Length", "ssl.heartbeat_message.payload",
6008 FT_BYTES, BASE_NONE, NULL, 0x00, NULL, HFILL }
6010 { &hf_ssl_heartbeat_message_padding,
6011 { "Payload Length", "ssl.heartbeat_message.padding",
6012 FT_BYTES, BASE_NONE, NULL, 0x00, NULL, HFILL }
6014 { &hf_ssl2_handshake_challenge,
6015 { "Challenge", "ssl.handshake.challenge",
6016 FT_NONE, BASE_NONE, NULL, 0x0,
6017 "Challenge data used to authenticate server", HFILL }
6019 { &hf_ssl2_handshake_cipher_spec_len,
6020 { "Cipher Spec Length", "ssl.handshake.cipher_spec_len",
6021 FT_UINT16, BASE_DEC, NULL, 0x0,
6022 "Length of cipher specs field", HFILL }
6024 { &hf_ssl2_handshake_session_id_len,
6025 { "Session ID Length", "ssl.handshake.session_id_length",
6026 FT_UINT16, BASE_DEC, NULL, 0x0,
6027 "Length of session ID field", HFILL }
6029 { &hf_ssl2_handshake_challenge_len,
6030 { "Challenge Length", "ssl.handshake.challenge_length",
6031 FT_UINT16, BASE_DEC, NULL, 0x0,
6032 "Length of challenge field", HFILL }
6034 { &hf_ssl2_handshake_clear_key_len,
6035 { "Clear Key Data Length", "ssl.handshake.clear_key_length",
6036 FT_UINT16, BASE_DEC, NULL, 0x0,
6037 "Length of clear key data", HFILL }
6039 { &hf_ssl2_handshake_enc_key_len,
6040 { "Encrypted Key Data Length", "ssl.handshake.encrypted_key_length",
6041 FT_UINT16, BASE_DEC, NULL, 0x0,
6042 "Length of encrypted key data", HFILL }
6044 { &hf_ssl2_handshake_key_arg_len,
6045 { "Key Argument Length", "ssl.handshake.key_arg_length",
6046 FT_UINT16, BASE_DEC, NULL, 0x0,
6047 "Length of key argument", HFILL }
6049 { &hf_ssl2_handshake_clear_key,
6050 { "Clear Key Data", "ssl.handshake.clear_key_data",
6051 FT_NONE, BASE_NONE, NULL, 0x0,
6052 "Clear portion of MASTER-KEY", HFILL }
6054 { &hf_ssl2_handshake_enc_key,
6055 { "Encrypted Key", "ssl.handshake.encrypted_key",
6056 FT_NONE, BASE_NONE, NULL, 0x0,
6057 "Secret portion of MASTER-KEY encrypted to server", HFILL }
6059 { &hf_ssl2_handshake_key_arg,
6060 { "Key Argument", "ssl.handshake.key_arg",
6061 FT_NONE, BASE_NONE, NULL, 0x0,
6062 "Key Argument (e.g., Initialization Vector)", HFILL }
6064 { &hf_ssl2_handshake_session_id_hit,
6065 { "Session ID Hit", "ssl.handshake.session_id_hit",
6066 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
6067 "Did the server find the client's Session ID?", HFILL }
6069 { &hf_ssl2_handshake_cert_type,
6070 { "Certificate Type", "ssl.handshake.cert_type",
6071 FT_UINT8, BASE_DEC, VALS(ssl_20_certificate_type), 0x0,
6074 { &hf_ssl2_handshake_connection_id_len,
6075 { "Connection ID Length", "ssl.handshake.connection_id_length",
6076 FT_UINT16, BASE_DEC, NULL, 0x0,
6077 "Length of connection ID", HFILL }
6079 { &hf_ssl2_handshake_connection_id,
6080 { "Connection ID", "ssl.handshake.connection_id",
6081 FT_NONE, BASE_NONE, NULL, 0x0,
6082 "Server's challenge to client", HFILL }
6084 { &hf_pct_handshake_cipher_spec,
6085 { "Cipher Spec", "pct.handshake.cipherspec",
6086 FT_NONE, BASE_NONE, NULL, 0x0,
6087 "PCT Cipher specification", HFILL }
6089 { &hf_pct_handshake_cipher,
6090 { "Cipher", "pct.handshake.cipher",
6091 FT_UINT16, BASE_HEX, VALS(pct_cipher_type), 0x0,
6092 "PCT Ciper", HFILL }
6094 { &hf_pct_handshake_hash_spec,
6095 { "Hash Spec", "pct.handshake.hashspec",
6096 FT_NONE, BASE_NONE, NULL, 0x0,
6097 "PCT Hash specification", HFILL }
6099 { &hf_pct_handshake_hash,
6100 { "Hash", "pct.handshake.hash",
6101 FT_UINT16, BASE_HEX, VALS(pct_hash_type), 0x0,
6104 { &hf_pct_handshake_cert_spec,
6105 { "Cert Spec", "pct.handshake.certspec",
6106 FT_NONE, BASE_NONE, NULL, 0x0,
6107 "PCT Certificate specification", HFILL }
6109 { &hf_pct_handshake_cert,
6110 { "Cert", "pct.handshake.cert",
6111 FT_UINT16, BASE_HEX, VALS(pct_cert_type), 0x0,
6112 "PCT Certificate", HFILL }
6114 { &hf_pct_handshake_exch_spec,
6115 { "Exchange Spec", "pct.handshake.exchspec",
6116 FT_NONE, BASE_NONE, NULL, 0x0,
6117 "PCT Exchange specification", HFILL }
6119 { &hf_pct_handshake_exch,
6120 { "Exchange", "pct.handshake.exch",
6121 FT_UINT16, BASE_HEX, VALS(pct_exch_type), 0x0,
6122 "PCT Exchange", HFILL }
6124 { &hf_pct_handshake_sig,
6125 { "Sig Spec", "pct.handshake.sig",
6126 FT_UINT16, BASE_HEX, VALS(pct_sig_type), 0x0,
6127 "PCT Signature", HFILL }
6129 { &hf_pct_msg_error_type,
6130 { "PCT Error Code", "pct.msg_error_code",
6131 FT_UINT16, BASE_HEX, VALS(pct_error_code), 0x0,
6134 { &hf_pct_handshake_server_cert,
6135 { "Server Cert", "pct.handshake.server_cert",
6136 FT_NONE, BASE_NONE, NULL , 0x0,
6137 "PCT Server Certificate", HFILL }
6139 { &hf_ssl_segment_overlap,
6140 { "Segment overlap", "ssl.segment.overlap",
6141 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
6142 "Segment overlaps with other segments", HFILL }},
6144 { &hf_ssl_segment_overlap_conflict,
6145 { "Conflicting data in segment overlap", "ssl.segment.overlap.conflict",
6146 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
6147 "Overlapping segments contained conflicting data", HFILL }},
6149 { &hf_ssl_segment_multiple_tails,
6150 { "Multiple tail segments found", "ssl.segment.multipletails",
6151 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
6152 "Several tails were found when reassembling the pdu", HFILL }},
6154 { &hf_ssl_segment_too_long_fragment,
6155 { "Segment too long", "ssl.segment.toolongfragment",
6156 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
6157 "Segment contained data past end of the pdu", HFILL }},
6159 { &hf_ssl_segment_error,
6160 { "Reassembling error", "ssl.segment.error",
6161 FT_FRAMENUM, BASE_NONE, NULL, 0x0,
6162 "Reassembling error due to illegal segments", HFILL }},
6164 { &hf_ssl_segment_count,
6165 { "Segment count", "ssl.segment.count",
6166 FT_UINT32, BASE_DEC, NULL, 0x0,
6170 { "SSL segment", "ssl.segment",
6171 FT_FRAMENUM, BASE_NONE, NULL, 0x0,
6175 { "Reassembled SSL segments", "ssl.segments",
6176 FT_NONE, BASE_NONE, NULL, 0x0,
6177 "SSL Segments", HFILL }},
6179 { &hf_ssl_reassembled_in,
6180 { "Reassembled PDU in frame", "ssl.reassembled_in",
6181 FT_FRAMENUM, BASE_NONE, NULL, 0x0,
6182 "The PDU that doesn't end in this segment is reassembled in this frame", HFILL }},
6184 { &hf_ssl_reassembled_length,
6185 { "Reassembled PDU length", "ssl.reassembled.length",
6186 FT_UINT32, BASE_DEC, NULL, 0x0,
6187 "The total length of the reassembled payload", HFILL }},
6189 { &hf_ssl_reassembled_data,
6190 { "Reassembled PDU data", "ssl.reassembled.data",
6191 FT_BYTES, BASE_NONE, NULL, 0x00,
6192 "The payload of multiple reassembled SSL segments", HFILL }},
6194 { &hf_ssl_segment_data,
6195 { SSL_SEGMENT_DATA_TEXT, "ssl.segment.data",
6196 FT_BYTES, BASE_NONE, NULL, 0x00,
6197 "The payload of a single SSL segment", HFILL }},
6200 /* Setup protocol subtree array */
6201 static gint *ett[] = {
6207 &ett_ssl_cipher_suites,
6208 &ett_ssl_comp_methods,
6210 &ett_ssl_extension_curves,
6211 &ett_ssl_extension_curves_point_formats,
6212 &ett_ssl_extension_alpn,
6213 &ett_ssl_extension_npn,
6214 &ett_ssl_extension_reneg_info,
6215 &ett_ssl_extension_server_name,
6218 &ett_ssl_cert_types,
6219 &ett_ssl_sig_hash_algs,
6220 &ett_ssl_sig_hash_alg,
6223 &ett_ssl_new_ses_ticket,
6224 &ett_ssl_keyex_params,
6225 &ett_ssl_cert_status,
6227 &ett_pct_cipher_suites,
6228 &ett_pct_hash_suites,
6229 &ett_pct_cert_suites,
6230 &ett_pct_exch_suites,
6235 static ei_register_info ei[] = {
6236 { &ei_ssl_handshake_cipher_suites_mult2, { "ssl.handshake.cipher_suites_length.mult2", PI_MALFORMED, PI_ERROR, "Cipher suite length must be a multiple of 2", EXPFILL }},
6237 { &ei_ssl_handshake_sig_hash_algs_mult2, { "ssl.handshake.sig_hash_alg_len.mult2", PI_MALFORMED, PI_ERROR, "Signature Hash Algorithm length must be a multiple of 2", EXPFILL }},
6238 { &ei_ssl2_handshake_session_id_len_error, { "ssl.handshake.session_id_length.error", PI_MALFORMED, PI_ERROR, "Session ID length error", EXPFILL }},
6239 { &ei_ssl_hs_ext_cert_status_undecoded, { "ssl.handshake.status_request.undecoded", PI_UNDECODED, PI_NOTE,
6240 "Responder ID list or Request Extensions are not implemented, contact Wireshark developers if you want this to be supported", EXPFILL }}
6243 expert_module_t* expert_ssl;
6245 /* Register the protocol name and description */
6246 proto_ssl = proto_register_protocol("Secure Sockets Layer",
6249 /* Required function calls to register the header fields and
6251 proto_register_field_array(proto_ssl, hf, array_length(hf));
6252 proto_register_subtree_array(ett, array_length(ett));
6253 expert_ssl = expert_register_protocol(proto_ssl);
6254 expert_register_field_array(expert_ssl, ei, array_length(ei));
6257 module_t *ssl_module = prefs_register_protocol(proto_ssl, proto_reg_handoff_ssl);
6259 #ifdef HAVE_LIBGNUTLS
6261 static uat_field_t sslkeylist_uats_flds[] = {
6262 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, ipaddr, "IP address", ssldecrypt_uat_fld_ip_chk_cb, "IPv4 or IPv6 address"),
6263 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, port, "Port", ssldecrypt_uat_fld_port_chk_cb, "Port Number"),
6264 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, protocol, "Protocol", ssldecrypt_uat_fld_protocol_chk_cb, "Protocol"),
6265 UAT_FLD_FILENAME_OTHER(sslkeylist_uats, keyfile, "Key File", ssldecrypt_uat_fld_fileopen_chk_cb, "Private keyfile."),
6266 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, password,"Password", ssldecrypt_uat_fld_password_chk_cb, "Password (for PCKS#12 keyfile)"),
6270 ssldecrypt_uat = uat_new("SSL Decrypt",
6271 sizeof(ssldecrypt_assoc_t),
6272 "ssl_keys", /* filename */
6273 TRUE, /* from_profile */
6274 (void**) &sslkeylist_uats, /* data_ptr */
6275 &nssldecrypt, /* numitems_ptr */
6276 UAT_AFFECTS_DISSECTION, /* affects dissection of packets, but not set of named fields */
6277 NULL, /* Help section (currently a wiki page) */
6282 sslkeylist_uats_flds);
6284 prefs_register_uat_preference(ssl_module, "key_table",
6286 "A table of RSA keys for SSL decryption",
6289 prefs_register_filename_preference(ssl_module, "debug_file", "SSL debug file",
6290 "Redirect SSL debug to file name; leave empty to disable debugging, "
6291 "or use \"" SSL_DEBUG_USE_STDERR "\" to redirect output to stderr\n",
6292 &ssl_debug_file_name);
6294 prefs_register_string_preference(ssl_module, "keys_list", "RSA keys list (deprecated)",
6295 "Semicolon-separated list of private RSA keys used for SSL decryption. "
6296 "Used by versions of Wireshark prior to 1.6",
6300 prefs_register_bool_preference(ssl_module,
6301 "desegment_ssl_records",
6302 "Reassemble SSL records spanning multiple TCP segments",
6303 "Whether the SSL dissector should reassemble SSL records spanning multiple TCP segments. "
6304 "To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
6306 prefs_register_bool_preference(ssl_module,
6307 "desegment_ssl_application_data",
6308 "Reassemble SSL Application Data spanning multiple SSL records",
6309 "Whether the SSL dissector should reassemble SSL Application Data spanning multiple SSL records. ",
6310 &ssl_desegment_app_data);
6311 prefs_register_bool_preference(ssl_module,
6312 "ignore_ssl_mac_failed",
6313 "Message Authentication Code (MAC), ignore \"mac failed\"",
6314 "For troubleshooting ignore the mac check result and decrypt also if the Message Authentication Code (MAC) fails.",
6315 &ssl_ignore_mac_failed);
6316 #ifdef HAVE_LIBGNUTLS
6317 prefs_register_string_preference(ssl_module, "psk", "Pre-Shared-Key",
6318 "Pre-Shared-Key as HEX string, should be 0 to 16 bytes",
6321 prefs_register_filename_preference(ssl_module, "keylog_file", "(Pre)-Master-Secret log filename",
6322 "The filename of a file which contains a list of \n"
6323 "(pre-)master secrets in one of the following formats:\n"
6325 "RSA <EPMS> <PMS>\n"
6326 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
6329 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
6330 "<PMS> = The Pre-Master-Secret (PMS)\n"
6331 "<SSLID> = The SSL Session ID\n"
6332 "<MS> = The Master-Secret (MS)\n"
6334 "(All fields are in hex notation)",
6335 &ssl_keylog_filename);
6339 /* heuristic dissectors for any premable e.g. CredSSP before RDP */
6340 register_heur_dissector_list("ssl", &ssl_heur_subdissector_list);
6342 register_dissector("ssl", dissect_ssl, proto_ssl);
6343 ssl_handle = find_dissector("ssl");
6345 ssl_associations = g_tree_new(ssl_association_cmp);
6347 register_init_routine(ssl_init);
6349 ssl_tap = register_tap("ssl");
6350 ssl_debug_printf("proto_register_ssl: registered tap %s:%d\n",
6354 /* If this dissector uses sub-dissector registration add a registration
6355 * routine. This format is required because a script is used to find
6356 * these routines and create the code that calls these routines.
6359 proto_reg_handoff_ssl(void)
6362 /* parse key list */
6364 ssl_parse_old_keys();
6365 exported_pdu_tap = find_tap_id(EXPORT_PDU_TAP_NAME_LAYER_7);
6369 ssl_dissector_add(guint port, const gchar *protocol, gboolean tcp)
6371 SslAssociation *assoc;
6373 assoc = ssl_association_find(ssl_associations, port, tcp);
6375 ssl_association_remove(ssl_associations, assoc);
6378 ssl_association_add(ssl_associations, ssl_handle, port, protocol, tcp, FALSE);
6382 ssl_dissector_delete(guint port, const gchar *protocol, gboolean tcp)
6384 SslAssociation *assoc;
6386 assoc = ssl_association_find(ssl_associations, port, tcp);
6387 if (assoc && (assoc->handle == find_dissector(protocol))) {
6388 ssl_association_remove(ssl_associations, assoc);
6393 * Editor modelines - http://www.wireshark.org/tools/modelines.html
6398 * indent-tabs-mode: nil
6401 * vi: set shiftwidth=4 tabstop=8 expandtab:
6402 * :indentSize=4:tabSize=8:noTabs=true: