1 /* packet-tls.c
2 * Routines for TLS dissection
3 * Copyright (c) 2000-2001, Scott Renfro <scott@renfro.org>
4 * Copyright 2013-2019, Peter Wu <peter@lekensteyn.nl>
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
12
13 /*
14 * Supported protocol versions:
15 *
16 * TLS 1.3, 1.2, 1.0, and SSL 3.0. SSL 2.0 is no longer supported, except for
17 * the SSL 2.0-compatible Client Hello.
18 *
19 * Primary protocol specifications:
20 *
21 * https://tools.ietf.org/html/draft-hickman-netscape-ssl-00 - SSL 2.0
22 * https://tools.ietf.org/html/rfc6101 - SSL 3.0
23 * https://tools.ietf.org/html/rfc2246 - TLS 1.0
24 * https://tools.ietf.org/html/rfc4346 - TLS 1.1
25 * https://tools.ietf.org/html/rfc5246 - TLS 1.2
26 * https://tools.ietf.org/html/rfc8446 - TLS 1.3
27 *
28 * Important IANA registries:
29 *
30 * https://www.iana.org/assignments/tls-parameters/
31 * https://www.iana.org/assignments/tls-extensiontype-values/
32 *
33 * Notes:
34 *
35 * - Decryption needs to be performed 'sequentially', so it's done
36 * at packet reception time. This may cause a significant packet capture
37 * slow down. This also causes dissection of some ssl info that in previous
38 * dissector versions was dissected only when a proto_tree context was
39 * available
40 *
41 * We are at Packet reception if time pinfo->fd->visited == 0
42 *
43 * - Many dissection and decryption operations are implemented in
44 * epan/dissectors/packet-tls-utils.c and
45 * epan/dissectors/packet-tls-utils.h due to an overlap of functionality
46 * with DTLS (epan/dissectors/packet-dtls.c).
47 *
48 */
49
50 #include "config.h"
51
52 #include <epan/packet.h>
53 #include <epan/reassemble.h>
54 #include <epan/asn1.h>
55 #include <epan/tap.h>
56 #include <epan/uat.h>
57 #include <epan/addr_resolv.h>
58 #include <epan/follow.h>
59 #include <epan/exported_pdu.h>
60 #include <epan/proto_data.h>
61 #include <epan/decode_as.h>
62 #include <epan/secrets.h>
63 #include <wiretap/secrets-types.h>
64
65 #include <wsutil/utf8_entities.h>
66 #include <wsutil/str_util.h>
67 #include <wsutil/strtoi.h>
68 #include <wsutil/rsa.h>
69 #include <wsutil/ws_assert.h>
70 #include "packet-tcp.h"
71 #include "packet-x509af.h"
72 #include "packet-tls.h"
73 #include "packet-tls-utils.h"
74 #include "packet-ber.h"
75
76 void proto_register_tls(void);
77
78 #ifdef HAVE_LIBGNUTLS
79 static ssldecrypt_assoc_t *tlskeylist_uats = NULL;
80 static guint ntlsdecrypt = 0;
81 #endif
82
83 static gboolean tls_desegment = TRUE;
84 static gboolean tls_desegment_app_data = TRUE;
85 static gboolean tls_ignore_mac_failed = FALSE;
86
87
88 /*********************************************************************
89 *
90 * Protocol Constants, Variables, Data Structures
91 *
92 *********************************************************************/
93
94 /* Initialize the protocol and registered fields */
95 static gint tls_tap = -1;
96 static gint exported_pdu_tap = -1;
97 static gint proto_tls = -1;
98 static gint hf_tls_record = -1;
99 static gint hf_tls_record_content_type = -1;
100 static gint hf_tls_record_opaque_type = -1;
101 static gint hf_tls_record_version = -1;
102 static gint hf_tls_record_length = -1;
103 static gint hf_tls_record_appdata = -1;
104 static gint hf_tls_record_appdata_proto = -1;
105 static gint hf_ssl2_record = -1;
106 static gint hf_ssl2_record_is_escape = -1;
107 static gint hf_ssl2_record_padding_length = -1;
108 static gint hf_ssl2_msg_type = -1;
109 static gint hf_tls_alert_message = -1;
110 static gint hf_tls_alert_message_level = -1;
111 static gint hf_tls_alert_message_description = -1;
112 static gint hf_tls_handshake_protocol = -1;
113 static gint hf_tls_handshake_type = -1;
114 static gint hf_tls_handshake_length = -1;
115 static gint hf_tls_handshake_npn_selected_protocol_len = -1;
116 static gint hf_tls_handshake_npn_selected_protocol = -1;
117 static gint hf_tls_handshake_npn_padding_len = -1;
118 static gint hf_tls_handshake_npn_padding = -1;
119 static gint hf_ssl2_handshake_cipher_spec_len = -1;
120 static gint hf_ssl2_handshake_session_id_len = -1;
121 static gint hf_ssl2_handshake_challenge_len = -1;
122 static gint hf_ssl2_handshake_cipher_spec = -1;
123 static gint hf_ssl2_handshake_challenge = -1;
124 static gint hf_ssl2_handshake_clear_key_len = -1;
125 static gint hf_ssl2_handshake_enc_key_len = -1;
126 static gint hf_ssl2_handshake_key_arg_len = -1;
127 static gint hf_ssl2_handshake_clear_key = -1;
128 static gint hf_ssl2_handshake_enc_key = -1;
129 static gint hf_ssl2_handshake_key_arg = -1;
130 static gint hf_ssl2_handshake_session_id_hit = -1;
131 static gint hf_ssl2_handshake_cert_type = -1;
132 static gint hf_ssl2_handshake_connection_id_len = -1;
133 static gint hf_ssl2_handshake_connection_id = -1;
134
135 static int hf_tls_reassembled_in = -1;
136 static int hf_tls_reassembled_length = -1;
137 static int hf_tls_reassembled_data = -1;
138 static int hf_tls_segments = -1;
139 static int hf_tls_segment = -1;
140 static int hf_tls_segment_overlap = -1;
141 static int hf_tls_segment_overlap_conflict = -1;
142 static int hf_tls_segment_multiple_tails = -1;
143 static int hf_tls_segment_too_long_fragment = -1;
144 static int hf_tls_segment_error = -1;
145 static int hf_tls_segment_count = -1;
146 static int hf_tls_segment_data = -1;
147
148 static int hf_tls_handshake_reassembled_in = -1;
149 static int hf_tls_handshake_fragments = -1;
150 static int hf_tls_handshake_fragment = -1;
151 static int hf_tls_handshake_fragment_count = -1;
152
153 static gint hf_tls_heartbeat_message = -1;
154 static gint hf_tls_heartbeat_message_type = -1;
155 static gint hf_tls_heartbeat_message_payload_length = -1;
156 static gint hf_tls_heartbeat_message_payload = -1;
157 static gint hf_tls_heartbeat_message_padding = -1;
158
159 static ssl_hfs_t ssl_hfs = { -1, -1 };
160
161 /* Initialize the subtree pointers */
162 static gint ett_tls = -1;
163 static gint ett_tls_record = -1;
164 static gint ett_tls_alert = -1;
165 static gint ett_tls_handshake = -1;
166 static gint ett_tls_heartbeat = -1;
167 static gint ett_tls_certs = -1;
168 static gint ett_tls_segments = -1;
169 static gint ett_tls_segment = -1;
170 static gint ett_tls_hs_fragments = -1;
171 static gint ett_tls_hs_fragment = -1;
172
173 static expert_field ei_ssl2_handshake_session_id_len_error = EI_INIT;
174 static expert_field ei_ssl3_heartbeat_payload_length = EI_INIT;
175 static expert_field ei_tls_unexpected_message = EI_INIT;
176
177 /* Generated from convert_proto_tree_add_text.pl */
178 static expert_field ei_tls_ignored_unknown_record = EI_INIT;
179
180 /* not all of the hf_fields below make sense for TLS but we have to provide
181 them anyways to comply with the api (which was aimed for ip fragment
182 reassembly) */
183 static const fragment_items ssl_segment_items = {
184 &ett_tls_segment,
185 &ett_tls_segments,
186 &hf_tls_segments,
187 &hf_tls_segment,
188 &hf_tls_segment_overlap,
189 &hf_tls_segment_overlap_conflict,
190 &hf_tls_segment_multiple_tails,
191 &hf_tls_segment_too_long_fragment,
192 &hf_tls_segment_error,
193 &hf_tls_segment_count,
194 &hf_tls_reassembled_in,
195 &hf_tls_reassembled_length,
196 &hf_tls_reassembled_data,
197 "Segments"
198 };
199
200 /* Fragmented handshake messages. */
201 static const fragment_items tls_hs_fragment_items = {
202 &ett_tls_hs_fragment,
203 &ett_tls_hs_fragments,
204 &hf_tls_handshake_fragments,
205 &hf_tls_handshake_fragment,
206 &hf_tls_segment_overlap, // Do not care about the errors, should not happen.
207 &hf_tls_segment_overlap_conflict,
208 &hf_tls_segment_multiple_tails,
209 &hf_tls_segment_too_long_fragment,
210 &hf_tls_segment_error,
211 &hf_tls_handshake_fragment_count,
212 NULL, /* unused - &hf_tls_handshake_reassembled_in, */
213 NULL, /* do not display redundant length */
214 NULL, /* do not display redundant data */
215 "Fragments"
216 };
217
218 static SSL_COMMON_LIST_T(dissect_ssl3_hf);
219
220 static void
ssl_proto_tree_add_segment_data(proto_tree * tree,tvbuff_t * tvb,gint offset,gint length,const gchar * prefix)221 ssl_proto_tree_add_segment_data(
222 proto_tree *tree,
223 tvbuff_t *tvb,
224 gint offset,
225 gint length,
226 const gchar *prefix)
227 {
228 proto_tree_add_bytes_format(
229 tree,
230 hf_tls_segment_data,
231 tvb,
232 offset,
233 length,
234 NULL,
235 "%sTLS segment data (%u %s)",
236 prefix != NULL ? prefix : "",
237 length,
238 plurality(length, "byte", "bytes"));
239 }
240
241
242 static ssl_master_key_map_t ssl_master_key_map;
243 /* used by "Export TLS Session Keys" */
244 GHashTable *ssl_session_hash;
245 GHashTable *ssl_crandom_hash;
246
247 #ifdef HAVE_LIBGNUTLS
248 static GHashTable *ssl_key_hash = NULL;
249 static wmem_stack_t *key_list_stack = NULL;
250 static uat_t *ssldecrypt_uat = NULL;
251 static const gchar *ssl_keys_list = NULL;
252 #endif
253 static dissector_table_t ssl_associations = NULL;
254 static dissector_handle_t tls_handle = NULL;
255 static StringInfo ssl_compressed_data = {NULL, 0};
256 static StringInfo ssl_decrypted_data = {NULL, 0};
257 static gint ssl_decrypted_data_avail = 0;
258 static FILE *ssl_keylog_file = NULL;
259 static ssl_common_options_t ssl_options = { NULL, NULL};
260
261 /* List of dissectors to call for TLS data */
262 static heur_dissector_list_t ssl_heur_subdissector_list;
263
264 static const gchar *ssl_debug_file_name = NULL;
265
266
267 /* Forward declaration we need below */
268 void proto_reg_handoff_ssl(void);
269
270 /* Desegmentation of TLS streams */
271 /* table to hold defragmented TLS streams */
272 static reassembly_table ssl_reassembly_table;
273
274 /* Table to hold fragmented TLS handshake records. */
275 static reassembly_table tls_hs_reassembly_table;
276 static guint32 hs_reassembly_id_count;
277
278 /* initialize/reset per capture state data (ssl sessions cache) */
279 static void
ssl_init(void)280 ssl_init(void)
281 {
282 module_t *ssl_module = prefs_find_module("tls");
283 pref_t *keys_list_pref;
284
285 ssl_common_init(&ssl_master_key_map,
286 &ssl_decrypted_data, &ssl_compressed_data);
287 ssl_debug_flush();
288
289 /* for "Export TLS Session Keys" */
290 ssl_session_hash = ssl_master_key_map.session;
291 ssl_crandom_hash = ssl_master_key_map.crandom;
292
293 /* We should have loaded "keys_list" by now. Mark it obsolete */
294 if (ssl_module) {
295 keys_list_pref = prefs_find_preference(ssl_module, "keys_list");
296 if (! prefs_get_preference_obsolete(keys_list_pref)) {
297 prefs_set_preference_obsolete(keys_list_pref);
298 }
299 }
300
301 /* Reset the identifier for a group of handshake fragments. */
302 hs_reassembly_id_count = 0;
303 }
304
305 static void
ssl_cleanup(void)306 ssl_cleanup(void)
307 {
308 #ifdef HAVE_LIBGNUTLS
309 if (key_list_stack != NULL) {
310 wmem_destroy_stack(key_list_stack);
311 key_list_stack = NULL;
312 }
313 #endif
314 ssl_common_cleanup(&ssl_master_key_map, &ssl_keylog_file,
315 &ssl_decrypted_data, &ssl_compressed_data);
316
317 /* should not be needed since the UI code prevents this from being accessed
318 * when no file is open. Clear it anyway just to be sure. */
319 ssl_session_hash = NULL;
320 ssl_crandom_hash = NULL;
321 }
322
323 ssl_master_key_map_t *
tls_get_master_key_map(gboolean load_secrets)324 tls_get_master_key_map(gboolean load_secrets)
325 {
326 // Try to load new keys.
327 if (load_secrets) {
328 ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, &ssl_master_key_map);
329 }
330 return &ssl_master_key_map;
331 }
332
333 #ifdef HAVE_LIBGNUTLS
334 /* parse ssl related preferences (private keys and ports association strings) */
335 static void
ssl_parse_uat(void)336 ssl_parse_uat(void)
337 {
338 guint i;
339 guint16 port;
340 dissector_handle_t handle;
341
342 ssl_set_debug(ssl_debug_file_name);
343
344 if (ssl_key_hash)
345 {
346 g_hash_table_destroy(ssl_key_hash);
347 }
348
349 /* remove only associations created from key list */
350 if (key_list_stack != NULL) {
351 while (wmem_stack_count(key_list_stack) > 0) {
352 port = GPOINTER_TO_UINT(wmem_stack_pop(key_list_stack));
353 handle = dissector_get_uint_handle(ssl_associations, port);
354 if (handle != NULL)
355 ssl_association_remove("tls.port", tls_handle, handle, port, FALSE);
356 }
357 }
358 /* parse private keys string, load available keys and put them in key hash*/
359 ssl_key_hash = privkey_hash_table_new();
360
361
362 if (ntlsdecrypt > 0) {
363 if (key_list_stack == NULL)
364 key_list_stack = wmem_stack_new(NULL);
365 for (i = 0; i < ntlsdecrypt; i++) {
366 ssldecrypt_assoc_t *ssl_uat = &(tlskeylist_uats[i]);
367 ssl_parse_key_list(ssl_uat, ssl_key_hash, "tls.port", tls_handle, TRUE);
368 if (key_list_stack && ws_strtou16(ssl_uat->port, NULL, &port) && port > 0)
369 wmem_stack_push(key_list_stack, GUINT_TO_POINTER(port));
370 }
371 }
372
373 ssl_debug_flush();
374 }
375
376 static void
ssl_reset_uat(void)377 ssl_reset_uat(void)
378 {
379 g_hash_table_destroy(ssl_key_hash);
380 ssl_key_hash = NULL;
381 }
382
383 static void
ssl_parse_old_keys(void)384 ssl_parse_old_keys(void)
385 {
386 gchar **old_keys, **parts, *err;
387 gchar *uat_entry;
388 guint i;
389
390 /* Import old-style keys */
391 if (ssldecrypt_uat && ssl_keys_list && ssl_keys_list[0]) {
392 old_keys = g_strsplit(ssl_keys_list, ";", 0);
393 for (i = 0; old_keys[i] != NULL; i++) {
394 parts = g_strsplit(old_keys[i], ",", 5);
395 if (parts[0] && parts[1] && parts[2] && parts[3]) {
396 gchar *path = uat_esc(parts[3], (guint)strlen(parts[3]));
397 const gchar *password = parts[4] ? parts[4] : "";
398 uat_entry = wmem_strdup_printf(NULL, "\"%s\",\"%s\",\"%s\",\"%s\",\"%s\"",
399 parts[0], parts[1], parts[2], path, password);
400 g_free(path);
401 if (!uat_load_str(ssldecrypt_uat, uat_entry, &err)) {
402 ssl_debug_printf("ssl_parse_old_keys: Can't load UAT string %s: %s\n",
403 uat_entry, err);
404 g_free(err);
405 }
406 wmem_free(NULL, uat_entry);
407 }
408 g_strfreev(parts);
409 }
410 g_strfreev(old_keys);
411 }
412 }
413 #endif /* HAVE_LIBGNUTLS */
414
415
416 static tap_packet_status
ssl_follow_tap_listener(void * tapdata,packet_info * pinfo,epan_dissect_t * edt _U_,const void * ssl)417 ssl_follow_tap_listener(void *tapdata, packet_info *pinfo, epan_dissect_t *edt _U_, const void *ssl)
418 {
419 follow_info_t * follow_info = (follow_info_t*) tapdata;
420 follow_record_t * follow_record = NULL;
421 const SslRecordInfo *appl_data = NULL;
422 const SslPacketInfo *pi = (const SslPacketInfo*)ssl;
423 show_stream_t from = FROM_CLIENT;
424
425 /* Skip packets without decrypted payload data. */
426 if (!pi || !pi->records) return TAP_PACKET_DONT_REDRAW;
427
428 /* Compute the packet's sender. */
429 if (follow_info->client_port == 0) {
430 follow_info->client_port = pinfo->srcport;
431 copy_address(&follow_info->client_ip, &pinfo->src);
432 }
433 if (addresses_equal(&follow_info->client_ip, &pinfo->src) &&
434 follow_info->client_port == pinfo->srcport) {
435 from = FROM_CLIENT;
436 } else {
437 from = FROM_SERVER;
438 }
439
440 for (appl_data = pi->records; appl_data != NULL; appl_data = appl_data->next) {
441
442 /* Include only application data in the record, skipping things like
443 * Handshake messages and alerts. */
444 if (appl_data->type != SSL_ID_APP_DATA) continue;
445
446 /* TCP segments that contain the end of two or more TLS PDUs will be
447 queued to TLS taps for each of those PDUs. Therefore a single
448 packet could be processed by this TLS tap listener multiple times.
449 The following test handles that scenario by treating the
450 follow_info->bytes_written[] values as the next expected
451 appl_data->seq. Any appl_data instances that fall below that have
452 already been processed and must be skipped. */
453 if (appl_data->seq < follow_info->bytes_written[from]) continue;
454
455 /* Allocate a follow_record_t to hold the current appl_data
456 instance's decrypted data. Even though it would be possible to
457 consolidate multiple appl_data instances into a single record, it is
458 beneficial to use a one-to-one mapping. This affords the Follow
459 Stream dialog view modes (ASCII, EBCDIC, Hex Dump, C Arrays, Raw)
460 the opportunity to accurately reflect TLS PDU boundaries. Currently
461 the Hex Dump view does by starting a new line, and the C Arrays
462 view does by starting a new array declaration. */
463 follow_record = g_new(follow_record_t,1);
464
465 follow_record->is_server = (from == FROM_SERVER);
466 follow_record->packet_num = pinfo->num;
467 follow_record->abs_ts = pinfo->abs_ts;
468
469 follow_record->data = g_byte_array_sized_new(appl_data->data_len);
470 follow_record->data = g_byte_array_append(follow_record->data,
471 appl_data->plain_data,
472 appl_data->data_len);
473
474 /* Add the record to the follow_info structure. */
475 follow_info->payload = g_list_prepend(follow_info->payload, follow_record);
476 follow_info->bytes_written[from] += appl_data->data_len;
477 }
478
479 return TAP_PACKET_DONT_REDRAW;
480 }
481
482 /*********************************************************************
483 *
484 * Forward Declarations
485 *
486 *********************************************************************/
487
488 /*
489 * SSL version 3 and TLS dissectors
490 *
491 */
492 /* record layer dissector */
493 static gint dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
494 proto_tree *tree, guint32 offset,
495 SslSession *session, gint is_from_server,
496 gboolean *need_desegmentation,
497 SslDecryptSession *conv_data,
498 guint8 curr_layer_num_ssl);
499
500 /* alert message dissector */
501 static void dissect_ssl3_alert(tvbuff_t *tvb, packet_info *pinfo,
502 proto_tree *tree, guint32 offset,
503 guint32 record_length, const SslSession *session);
504
505 /* handshake protocol dissector */
506 static void dissect_tls_handshake(tvbuff_t *tvb, packet_info *pinfo,
507 proto_tree *tree, guint32 offset,
508 guint32 offset_end, gboolean maybe_encrypted,
509 guint record_id, guint8 curr_layer_num_tls,
510 SslSession *session, gint is_from_server,
511 SslDecryptSession *ssl,
512 const guint16 version);
513
514 static void dissect_tls_handshake_full(tvbuff_t *tvb, packet_info *pinfo,
515 proto_tree *tree, guint32 offset,
516 SslSession *session, gint is_from_server,
517 SslDecryptSession *conv_data,
518 const guint16 version,
519 gboolean is_first_msg);
520
521 /* heartbeat message dissector */
522 static void dissect_ssl3_heartbeat(tvbuff_t *tvb, packet_info *pinfo,
523 proto_tree *tree, guint32 offset,
524 const SslSession *session, guint32 record_length,
525 gboolean decrypted);
526
527 static void dissect_ssl3_hnd_encrypted_exts(tvbuff_t *tvb,
528 proto_tree *tree,
529 guint32 offset);
530
531 /*
532 * SSL version 2 dissectors
533 *
534 */
535
536 /* record layer dissector */
537 static gint dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo,
538 proto_tree *tree, guint32 offset,
539 SslSession *session,
540 gboolean *need_desegmentation,
541 SslDecryptSession *ssl);
542
543 /* client hello dissector */
544 static void dissect_ssl2_hnd_client_hello(tvbuff_t *tvb, packet_info *pinfo,
545 proto_tree *tree,
546 guint32 offset,
547 SslDecryptSession *ssl);
548
549 /* client master key dissector */
550 static void dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb,
551 proto_tree *tree,
552 guint32 offset);
553
554 /* server hello dissector */
555 static void dissect_ssl2_hnd_server_hello(tvbuff_t *tvb,
556 proto_tree *tree,
557 guint32 offset, packet_info *pinfo);
558
559
560 /*
561 * Support Functions
562 *
563 */
564 static gint ssl_is_valid_ssl_version(const guint16 version);
565 static gint ssl_is_v2_client_hello(tvbuff_t *tvb, const guint32 offset);
566 static gint ssl_looks_like_sslv2(tvbuff_t *tvb, const guint32 offset);
567 static gint ssl_looks_like_sslv3(tvbuff_t *tvb, const guint32 offset);
568 static gint ssl_looks_like_valid_v2_handshake(tvbuff_t *tvb,
569 const guint32 offset,
570 const guint32 record_length);
571
572 /*********************************************************************
573 *
574 * Main dissector
575 *
576 *********************************************************************/
577 /*
578 * Code to actually dissect the packets
579 */
580 static int
dissect_ssl(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,void * data _U_)581 dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
582 {
583
584 conversation_t *conversation;
585 proto_item *ti;
586 proto_tree *ssl_tree;
587 guint32 offset;
588 gboolean need_desegmentation;
589 SslDecryptSession *ssl_session;
590 SslSession *session;
591 gint is_from_server;
592 /*
593 * A single packet may contain multiple TLS records. Two possible scenarios:
594 *
595 * - Multiple TLS records belonging to the same TLS session.
596 * - TLS within a different encrypted TLS tunnel.
597 *
598 * To support the second case, 'curr_layer_num_ssl' is used as identifier
599 * for the current TLS layer. It is however not a stable identifier for the
600 * second pass (Bug 16109). If the first decrypted record requests
601 * reassembly for HTTP, then the second pass will skip calling the dissector
602 * for the first record. That means that 'pinfo->curr_layer_num' will
603 * actually be lower the second time.
604 *
605 * Since this cannot be easily fixed, we will just break the (hopefully less
606 * common) case of TLS tunneled within TLS.
607 */
608 guint8 curr_layer_num_ssl = 0; // pinfo->curr_layer_num;
609
610 ti = NULL;
611 ssl_tree = NULL;
612 offset = 0;
613 ssl_session = NULL;
614
615
616 if (tvb_captured_length(tvb) > 4) {
617 const guint8 *tmp = tvb_get_ptr(tvb, 0, 4);
618 if (g_ascii_isprint(tmp[0]) &&
619 g_ascii_isprint(tmp[1]) &&
620 g_ascii_isprint(tmp[2]) &&
621 g_ascii_isprint(tmp[3])) {
622 /* it is extremely unlikely that real TLS traffic starts with four
623 * printable ascii characters; this looks like it's unencrypted
624 * text, so assume it's not ours (SSL does have some unencrypted
625 * text fields in certain packets, but you'd have to get very
626 * unlucky with TCP fragmentation to have one of those fields at the
627 * beginning of a TCP payload at the beginning of the capture where
628 * reassembly hasn't started yet) */
629 return 0;
630 }
631 }
632
633 ssl_debug_printf("\ndissect_ssl enter frame #%u (%s)\n", pinfo->num, (pinfo->fd->visited)?"already visited":"first time");
634
635 /* Track the version using conversations to reduce the
636 * chance that a packet that simply *looks* like a v2 or
637 * v3 packet is dissected improperly. This also allows
638 * us to more frequently set the protocol column properly
639 * for continuation data frames.
640 *
641 * Also: We use the copy in conv_version as our cached copy,
642 * so that we don't have to search the conversation
643 * table every time we want the version; when setting
644 * the conv_version, must set the copy in the conversation
645 * in addition to conv_version
646 */
647 conversation = find_or_create_conversation(pinfo);
648 ssl_session = ssl_get_session(conversation, tls_handle);
649 session = &ssl_session->session;
650 is_from_server = ssl_packet_from_server(session, ssl_associations, pinfo);
651
652 if (session->last_nontls_frame != 0 &&
653 session->last_nontls_frame >= pinfo->num) {
654 /* This conversation started at a different protocol and STARTTLS was
655 * used, but this packet comes too early. */
656 return 0;
657 }
658
659 /* try decryption only the first time we see this packet
660 * (to keep cipher synchronized) */
661 if (pinfo->fd->visited)
662 ssl_session = NULL;
663
664 ssl_debug_printf(" conversation = %p, ssl_session = %p\n", (void *)conversation, (void *)ssl_session);
665
666 /* Initialize the protocol column; we'll override it later when we
667 * detect a different version or flavor of TLS (assuming we don't
668 * throw an exception before we get the chance to do so). */
669 col_set_str(pinfo->cinfo, COL_PROTOCOL,
670 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
671 /* clear the the info column */
672 col_clear(pinfo->cinfo, COL_INFO);
673
674 /* TCP packets and TLS records are orthogonal.
675 * A tcp packet may contain multiple ssl records and an ssl
676 * record may be spread across multiple tcp packets.
677 *
678 * This loop accounts for multiple ssl records in a single
679 * frame, but not a single ssl record across multiple tcp
680 * packets.
681 *
682 * Handling the single ssl record across multiple packets
683 * may be possible using wireshark conversations, but
684 * probably not cleanly. May have to wait for tcp stream
685 * reassembly.
686 */
687
688 /* Create display subtree for TLS as a whole */
689 if (tree)
690 {
691 ti = proto_tree_add_item(tree, proto_tls, tvb, 0, -1, ENC_NA);
692 ssl_tree = proto_item_add_subtree(ti, ett_tls);
693 }
694 /* iterate through the records in this tvbuff */
695 while (tvb_reported_length_remaining(tvb, offset) > 0)
696 {
697 ssl_debug_printf(" record: offset = %d, reported_length_remaining = %d\n", offset, tvb_reported_length_remaining(tvb, offset));
698
699 /*
700 * Assume, for now, that this doesn't need desegmentation.
701 */
702 need_desegmentation = FALSE;
703
704 /* first try to dispatch off the cached version
705 * known to be associated with the conversation
706 */
707 switch (session->version) {
708 case SSLV2_VERSION:
709 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
710 offset, session,
711 &need_desegmentation,
712 ssl_session);
713 break;
714
715 case SSLV3_VERSION:
716 case TLSV1_VERSION:
717 case TLSV1DOT1_VERSION:
718 case TLSV1DOT2_VERSION:
719 case GMTLSV1_VERSION:
720 /* SSLv3/TLS record headers need at least 1+2+2 = 5 bytes. */
721 if (tvb_reported_length_remaining(tvb, offset) < 5) {
722 if (tls_desegment && pinfo->can_desegment) {
723 pinfo->desegment_offset = offset;
724 pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
725 need_desegmentation = TRUE;
726 } else {
727 /* Not enough bytes available. Stop here. */
728 offset = tvb_reported_length(tvb);
729 }
730 break;
731 }
732
733 /* the version tracking code works too well ;-)
734 * at times, we may visit a v2 client hello after
735 * we already know the version of the connection;
736 * work around that here by detecting and calling
737 * the v2 dissector instead
738 */
739 if (ssl_is_v2_client_hello(tvb, offset))
740 {
741 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
742 offset, session,
743 &need_desegmentation,
744 ssl_session);
745 }
746 else
747 {
748 offset = dissect_ssl3_record(tvb, pinfo, ssl_tree,
749 offset, session, is_from_server,
750 &need_desegmentation,
751 ssl_session,
752 curr_layer_num_ssl);
753 }
754 break;
755
756 /* that failed, so apply some heuristics based
757 * on this individual packet
758 */
759 default:
760 /*
761 * If the version is unknown, assume SSLv3/TLS which has a record
762 * size of at least 5 bytes (SSLv2 record header is two or three
763 * bytes, but the data will hopefully be larger than three bytes).
764 */
765 if (tvb_reported_length_remaining(tvb, offset) < 5) {
766 if (tls_desegment && pinfo->can_desegment) {
767 pinfo->desegment_offset = offset;
768 pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
769 need_desegmentation = TRUE;
770 } else {
771 /* Not enough bytes available. Stop here. */
772 offset = tvb_reported_length(tvb);
773 }
774 break;
775 }
776
777 if (ssl_looks_like_sslv2(tvb, offset))
778 {
779 /* looks like sslv2 client hello */
780 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
781 offset, session,
782 &need_desegmentation,
783 ssl_session);
784 }
785 else if (ssl_looks_like_sslv3(tvb, offset))
786 {
787 /* looks like sslv3 or tls */
788 offset = dissect_ssl3_record(tvb, pinfo, ssl_tree,
789 offset, session, is_from_server,
790 &need_desegmentation,
791 ssl_session,
792 curr_layer_num_ssl);
793 }
794 else
795 {
796 /* looks like something unknown, so lump into
797 * continuation data
798 */
799 offset = tvb_reported_length(tvb);
800 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Continuation Data");
801 }
802 break;
803 }
804
805 /* Desegmentation return check */
806 if (need_desegmentation) {
807 ssl_debug_printf(" need_desegmentation: offset = %d, reported_length_remaining = %d\n",
808 offset, tvb_reported_length_remaining(tvb, offset));
809 /* Make data available to ssl_follow_tap_listener */
810 tap_queue_packet(tls_tap, pinfo, p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, curr_layer_num_ssl));
811 return tvb_captured_length(tvb);
812 }
813 }
814
815 col_set_fence(pinfo->cinfo, COL_INFO);
816
817 ssl_debug_flush();
818
819 /* Make data available to ssl_follow_tap_listener */
820 tap_queue_packet(tls_tap, pinfo, p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, curr_layer_num_ssl));
821
822 return tvb_captured_length(tvb);
823 }
824
825 /*
826 * Dissect TLS 1.3 handshake messages (without the record layer).
827 * For use by QUIC (draft -13).
828 */
829 static int
dissect_tls13_handshake(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,void * data)830 dissect_tls13_handshake(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
831 {
832
833 conversation_t *conversation;
834 SslDecryptSession *ssl_session;
835 SslSession *session;
836 gint is_from_server;
837 proto_item *ti;
838 proto_tree *ssl_tree;
839 /**
840 * A value that uniquely identifies this fragment in this frame.
841 */
842 guint record_id = GPOINTER_TO_UINT(data);
843
844 ssl_debug_printf("\n%s enter frame #%u (%s)\n", G_STRFUNC, pinfo->num, (pinfo->fd->visited)?"already visited":"first time");
845
846 conversation = find_or_create_conversation(pinfo);
847 ssl_session = ssl_get_session(conversation, tls_handle);
848 session = &ssl_session->session;
849 is_from_server = ssl_packet_from_server(session, ssl_associations, pinfo);
850 if (session->version == SSL_VER_UNKNOWN) {
851 session->version = TLSV1DOT3_VERSION;
852 ssl_session->state |= SSL_VERSION;
853 ssl_session->state |= SSL_QUIC_RECORD_LAYER;
854 }
855
856 /*
857 * First pass: collect state (including Client Random for key matching).
858 * Second pass: dissection only, no need to collect state.
859 */
860 if (PINFO_FD_VISITED(pinfo)) {
861 ssl_session = NULL;
862 }
863
864 ssl_debug_printf(" conversation = %p, ssl_session = %p, from_server = %d\n",
865 (void *)conversation, (void *)ssl_session, is_from_server);
866
867 /* Add a proto_tls item to allow simple "tls" display filter */
868 ti = proto_tree_add_item(tree, proto_tls, tvb, 0, -1, ENC_NA);
869 ssl_tree = proto_item_add_subtree(ti, ett_tls);
870
871 dissect_tls_handshake(tvb, pinfo, ssl_tree, 0,
872 tvb_reported_length(tvb), FALSE, record_id, pinfo->curr_layer_num, session,
873 is_from_server, ssl_session, TLSV1DOT3_VERSION);
874
875 ssl_debug_flush();
876
877 return tvb_captured_length(tvb);
878 }
879
880 static gboolean
is_sslv3_or_tls(tvbuff_t * tvb)881 is_sslv3_or_tls(tvbuff_t *tvb)
882 {
883 guint8 content_type;
884 guint16 protocol_version, record_length;
885
886 /*
887 * Heuristics should match the TLS record header.
888 * ContentType (1), ProtocolVersion (2), Length (2)
889 *
890 * We do not check for an actual payload, IBM WebSphere is known
891 * to separate the record header and payload over two separate packets.
892 */
893 if (tvb_captured_length(tvb) < 5) {
894 return FALSE;
895 }
896
897 content_type = tvb_get_guint8(tvb, 0);
898 protocol_version = tvb_get_ntohs(tvb, 1);
899 record_length = tvb_get_ntohs(tvb, 3);
900
901 /* These are the common types. */
902 if (content_type != SSL_ID_HANDSHAKE && content_type != SSL_ID_APP_DATA) {
903 return FALSE;
904 }
905
906 /*
907 * Match SSLv3, TLS 1.0/1.1/1.2 (TLS 1.3 uses same value as TLS 1.0). Most
908 * likely you'll see 0x300 (SSLv3) or 0x301 (TLS 1.1) for interoperability
909 * reasons. Per RFC 5246 we should accept any 0x3xx value, but this is just
910 * a heuristic that catches common/likely cases.
911 */
912 if (protocol_version != SSLV3_VERSION &&
913 protocol_version != TLSV1_VERSION &&
914 protocol_version != TLSV1DOT1_VERSION &&
915 protocol_version != TLSV1DOT2_VERSION &&
916 protocol_version != GMTLSV1_VERSION ) {
917 return FALSE;
918 }
919
920 /* Check for sane length, see also ssl_check_record_length in packet-tls-utils.c */
921 if (record_length == 0 || record_length >= TLS_MAX_RECORD_LENGTH + 2048) {
922 return FALSE;
923 }
924
925 return TRUE;
926 }
927
928 static gboolean
is_sslv2_clienthello(tvbuff_t * tvb)929 is_sslv2_clienthello(tvbuff_t *tvb)
930 {
931 /*
932 * Detect SSL 2.0 compatible Client Hello as used in SSLv3 and TLS.
933 *
934 * https://tools.ietf.org/html/rfc5246#appendix-E.2
935 * uint8 V2CipherSpec[3];
936 * struct {
937 * uint16 msg_length; // 0: highest bit must be 1
938 * uint8 msg_type; // 2: 1 for Client Hello
939 * Version version; // 3: equal to ClientHello.client_version
940 * uint16 cipher_spec_length; // 5: cannot be 0, must be multiple of 3
941 * uint16 session_id_length; // 7: zero or 16 (in TLS 1.0)
942 * uint16 challenge_length; // 9: must be 32
943 * // length so far: 2 + 1 + 2 + 2 + 2 + 2 = 11
944 * V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length]; // len: min 3
945 * opaque session_id[V2ClientHello.session_id_length]; // len: zero or 16
946 * opaque challenge[V2ClientHello.challenge_length; // len: 32
947 * // min. length: 11 + 3 + (0 or 16) + 32 = 46 or 62
948 * } V2ClientHello;
949 */
950 if (tvb_captured_length(tvb) < 46) {
951 return FALSE;
952 }
953
954 /* Assume that message length is less than 256 (at most 64 cipherspecs). */
955 if (tvb_get_guint8(tvb, 0) != 0x80) {
956 return FALSE;
957 }
958
959 /* msg_type must be 1 for Client Hello */
960 if (tvb_get_guint8(tvb, 2) != 1) {
961 return FALSE;
962 }
963
964 /* cipher spec length must be a non-zero multiple of 3 */
965 guint16 cipher_spec_length = tvb_get_ntohs(tvb, 5);
966 if (cipher_spec_length == 0 || cipher_spec_length % 3 != 0) {
967 return FALSE;
968 }
969
970 /* session ID length must be 0 or 16 in TLS 1.0 */
971 guint16 session_id_length = tvb_get_ntohs(tvb, 7);
972 if (session_id_length != 0 && session_id_length != 16) {
973 return FALSE;
974 }
975
976 /* Challenge Length must be 32 */
977 if (tvb_get_ntohs(tvb, 9) != 32) {
978 return FALSE;
979 }
980
981 return TRUE;
982 }
983
984 static int
dissect_ssl_heur(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,void * data)985 dissect_ssl_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
986 {
987 conversation_t *conversation;
988
989 if (!is_sslv3_or_tls(tvb) && !is_sslv2_clienthello(tvb)) {
990 return 0;
991 }
992
993 conversation = find_or_create_conversation(pinfo);
994 conversation_set_dissector(conversation, tls_handle);
995 return dissect_ssl(tvb, pinfo, tree, data);
996 }
997
998 static void
tls_save_decrypted_record(packet_info * pinfo,gint record_id,SslDecryptSession * ssl,guint8 content_type,SslDecoder * decoder,gboolean allow_fragments,guint8 curr_layer_num_ssl)999 tls_save_decrypted_record(packet_info *pinfo, gint record_id, SslDecryptSession *ssl, guint8 content_type,
1000 SslDecoder *decoder, gboolean allow_fragments, guint8 curr_layer_num_ssl)
1001 {
1002 const guchar *data = ssl_decrypted_data.data;
1003 guint datalen = ssl_decrypted_data_avail;
1004
1005 if (datalen == 0) {
1006 return;
1007 }
1008
1009 if (ssl->session.version == TLSV1DOT3_VERSION) {
1010 /*
1011 * The actual data is followed by the content type and then zero or
1012 * more padding. Scan backwards for content type, skipping padding.
1013 */
1014 while (datalen > 0 && data[datalen - 1] == 0) {
1015 datalen--;
1016 }
1017 ssl_debug_printf("%s found %d padding bytes\n", G_STRFUNC, ssl_decrypted_data_avail - datalen);
1018 if (datalen == 0) {
1019 ssl_debug_printf("%s there is no room for content type!\n", G_STRFUNC);
1020 return;
1021 }
1022 content_type = data[--datalen];
1023 if (datalen == 0) {
1024 /*
1025 * XXX zero-length Handshake fragments are forbidden by RFC 8446,
1026 * Section 5.1. Empty Application Data fragments are allowed though.
1027 */
1028 return;
1029 }
1030 }
1031
1032 /* In TLS 1.3 only Handshake and Application Data can be fragmented.
1033 * Alert messages MUST NOT be fragmented across records, so do not
1034 * bother maintaining a flow for those. */
1035 ssl_add_record_info(proto_tls, pinfo, data, datalen, record_id,
1036 allow_fragments ? decoder->flow : NULL, (ContentType)content_type, curr_layer_num_ssl);
1037 }
1038
1039 /**
1040 * Try to decrypt the record and update the internal cipher state.
1041 * On success, the decrypted data will be available in "ssl_decrypted_data" of
1042 * length "ssl_decrypted_data_avail".
1043 */
1044 static gboolean
decrypt_ssl3_record(tvbuff_t * tvb,packet_info * pinfo,guint32 offset,SslDecryptSession * ssl,guint8 content_type,guint16 record_version,guint16 record_length,gboolean allow_fragments,guint8 curr_layer_num_ssl)1045 decrypt_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset, SslDecryptSession *ssl,
1046 guint8 content_type, guint16 record_version, guint16 record_length,
1047 gboolean allow_fragments, guint8 curr_layer_num_ssl)
1048 {
1049 gboolean success;
1050 gint direction;
1051 StringInfo *data_for_iv;
1052 gint data_for_iv_len;
1053 SslDecoder *decoder;
1054
1055 /* if we can decrypt and decryption was a success
1056 * add decrypted data to this packet info */
1057 ssl_debug_printf("decrypt_ssl3_record: app_data len %d, ssl state 0x%02X\n",
1058 record_length, ssl->state);
1059 direction = ssl_packet_from_server(&ssl->session, ssl_associations, pinfo);
1060
1061 /* retrieve decoder for this packet direction */
1062 if (direction != 0) {
1063 ssl_debug_printf("decrypt_ssl3_record: using server decoder\n");
1064 decoder = ssl->server;
1065 }
1066 else {
1067 ssl_debug_printf("decrypt_ssl3_record: using client decoder\n");
1068 decoder = ssl->client;
1069 }
1070
1071 /* save data to update IV if decoder is available or updated later */
1072 data_for_iv = (direction != 0) ? &ssl->server_data_for_iv : &ssl->client_data_for_iv;
1073 data_for_iv_len = (record_length < 24) ? record_length : 24;
1074 ssl_data_set(data_for_iv, (const guchar*)tvb_get_ptr(tvb, offset + record_length - data_for_iv_len, data_for_iv_len), data_for_iv_len);
1075
1076 if (!decoder) {
1077 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
1078 return FALSE;
1079 }
1080
1081 /* run decryption and add decrypted payload to protocol data, if decryption
1082 * is successful*/
1083 ssl_decrypted_data_avail = ssl_decrypted_data.data_len;
1084 success = ssl_decrypt_record(ssl, decoder, content_type, record_version, tls_ignore_mac_failed,
1085 tvb_get_ptr(tvb, offset, record_length), record_length, NULL, 0,
1086 &ssl_compressed_data, &ssl_decrypted_data, &ssl_decrypted_data_avail) == 0;
1087 /* */
1088 if (!success) {
1089 /* save data to update IV if valid session key is obtained later */
1090 data_for_iv = (direction != 0) ? &ssl->server_data_for_iv : &ssl->client_data_for_iv;
1091 data_for_iv_len = (record_length < 24) ? record_length : 24;
1092 ssl_data_set(data_for_iv, (const guchar*)tvb_get_ptr(tvb, offset + record_length - data_for_iv_len, data_for_iv_len), data_for_iv_len);
1093 }
1094 if (success) {
1095 tls_save_decrypted_record(pinfo, tvb_raw_offset(tvb)+offset, ssl, content_type, decoder, allow_fragments, curr_layer_num_ssl);
1096 }
1097 return success;
1098 }
1099
1100 #ifdef HAVE_LIBGCRYPT_AEAD
1101 /**
1102 * Try to guess the early data cipher using trial decryption.
1103 * Requires Libgcrypt 1.6 or newer for verifying that decryption is successful.
1104 */
1105 static gboolean
decrypt_tls13_early_data(tvbuff_t * tvb,packet_info * pinfo,guint32 offset,guint16 record_length,SslDecryptSession * ssl,guint8 curr_layer_num_ssl)1106 decrypt_tls13_early_data(tvbuff_t *tvb, packet_info *pinfo, guint32 offset,
1107 guint16 record_length, SslDecryptSession *ssl,
1108 guint8 curr_layer_num_ssl)
1109
1110 {
1111 gboolean success = FALSE;
1112
1113 ssl_debug_printf("Trying early data encryption, first record / trial decryption: %s\n",
1114 !(ssl->state & SSL_SEEN_0RTT_APPDATA) ? "true" : "false");
1115
1116 /* Only try trial decryption for the first record. */
1117 if (ssl->state & SSL_SEEN_0RTT_APPDATA) {
1118 if (!ssl->client) {
1119 return FALSE; // sanity check, should not happen in valid captures.
1120 }
1121
1122 ssl_decrypted_data_avail = ssl_decrypted_data.data_len;
1123 success = ssl_decrypt_record(ssl, ssl->client, SSL_ID_APP_DATA, 0x303, FALSE,
1124 tvb_get_ptr(tvb, offset, record_length), record_length, NULL, 0,
1125 &ssl_compressed_data, &ssl_decrypted_data, &ssl_decrypted_data_avail) == 0;
1126 if (success) {
1127 tls_save_decrypted_record(pinfo, tvb_raw_offset(tvb)+offset, ssl, SSL_ID_APP_DATA, ssl->client, TRUE, curr_layer_num_ssl);
1128 } else {
1129 ssl_debug_printf("early data decryption failed, end of early data?\n");
1130 }
1131 return success;
1132 }
1133 ssl->state |= SSL_SEEN_0RTT_APPDATA;
1134
1135 ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, &ssl_master_key_map);
1136 StringInfo *secret = tls13_load_secret(ssl, &ssl_master_key_map, FALSE, TLS_SECRET_0RTT_APP);
1137 if (!secret) {
1138 ssl_debug_printf("Missing secrets, early data decryption not possible!\n");
1139 return FALSE;
1140 }
1141
1142 const guint16 tls13_ciphers[] = {
1143 0x1301, /* TLS_AES_128_GCM_SHA256 */
1144 0x1302, /* TLS_AES_256_GCM_SHA384 */
1145 0x1303, /* TLS_CHACHA20_POLY1305_SHA256 */
1146 0x1304, /* TLS_AES_128_CCM_SHA256 */
1147 0x1305, /* TLS_AES_128_CCM_8_SHA256 */
1148 };
1149 const guchar *record = tvb_get_ptr(tvb, offset, record_length);
1150 for (guint i = 0; i < G_N_ELEMENTS(tls13_ciphers); i++) {
1151 guint16 cipher = tls13_ciphers[i];
1152
1153 ssl_debug_printf("Performing early data trial decryption, cipher = %#x\n", cipher);
1154 ssl->session.cipher = cipher;
1155 ssl->cipher_suite = ssl_find_cipher(cipher);
1156 if (!tls13_generate_keys(ssl, secret, FALSE)) {
1157 /* Unable to create cipher (old Libgcrypt) */
1158 continue;
1159 }
1160
1161 ssl_decrypted_data_avail = ssl_decrypted_data.data_len;
1162 success = ssl_decrypt_record(ssl, ssl->client, SSL_ID_APP_DATA, 0x303, FALSE, record, record_length, NULL, 0,
1163 &ssl_compressed_data, &ssl_decrypted_data, &ssl_decrypted_data_avail) == 0;
1164 if (success) {
1165 ssl_debug_printf("Early data decryption succeeded, cipher = %#x\n", cipher);
1166 tls_save_decrypted_record(pinfo, tvb_raw_offset(tvb)+offset, ssl, SSL_ID_APP_DATA, ssl->client, TRUE, curr_layer_num_ssl);
1167 break;
1168 }
1169 }
1170 if (!success) {
1171 ssl_debug_printf("Trial decryption of early data failed!\n");
1172 }
1173 return success;
1174 }
1175 #endif
1176
1177 static void
1178 process_ssl_payload(tvbuff_t *tvb, int offset, packet_info *pinfo,
1179 proto_tree *tree, SslSession *session,
1180 dissector_handle_t app_handle_port);
1181
1182 static guint32
tls_msp_fragment_id(struct tcp_multisegment_pdu * msp)1183 tls_msp_fragment_id(struct tcp_multisegment_pdu *msp)
1184 {
1185 /*
1186 * If a frame contains multiple appdata PDUs, then "first_frame" is not
1187 * sufficient to uniquely identify groups of fragments. Therefore include
1188 * seq (the position of the initial fragment in the TLS stream) in the ID.
1189 * As a frame most likely does not have multiple PDUs (except maybe for
1190 * HTTP2), just let 'seq' contibute only a few bits.
1191 */
1192 guint32 id = msp->first_frame;
1193 id ^= (msp->seq & 0xff) << 24;
1194 id ^= (msp->seq & 0xff00) << 16;
1195 return id;
1196 }
1197
1198 static void
desegment_ssl(tvbuff_t * tvb,packet_info * pinfo,int offset,guint32 seq,guint32 nxtseq,SslSession * session,proto_tree * root_tree,proto_tree * tree,SslFlow * flow,dissector_handle_t app_handle_port)1199 desegment_ssl(tvbuff_t *tvb, packet_info *pinfo, int offset,
1200 guint32 seq, guint32 nxtseq,
1201 SslSession *session,
1202 proto_tree *root_tree, proto_tree *tree,
1203 SslFlow *flow, dissector_handle_t app_handle_port)
1204 {
1205 fragment_head *ipfd_head;
1206 gboolean must_desegment;
1207 gboolean called_dissector;
1208 int another_pdu_follows;
1209 gboolean another_segment_in_frame = FALSE;
1210 int deseg_offset;
1211 guint32 deseg_seq;
1212 gint nbytes;
1213 proto_item *item;
1214 proto_item *frag_tree_item;
1215 proto_item *ssl_tree_item;
1216 struct tcp_multisegment_pdu *msp;
1217
1218 again:
1219 ipfd_head = NULL;
1220 must_desegment = FALSE;
1221 called_dissector = FALSE;
1222 another_pdu_follows = 0;
1223 msp = NULL;
1224
1225 /*
1226 * Initialize these to assume no desegmentation.
1227 * If that's not the case, these will be set appropriately
1228 * by the subdissector.
1229 */
1230 pinfo->desegment_offset = 0;
1231 pinfo->desegment_len = 0;
1232
1233 /*
1234 * Initialize this to assume that this segment will just be
1235 * added to the middle of a desegmented chunk of data, so
1236 * that we should show it all as data.
1237 * If that's not the case, it will be set appropriately.
1238 */
1239 deseg_offset = offset;
1240
1241 /* If we've seen this segment before (e.g., it's a retransmission),
1242 * there's nothing for us to do. Certainly, don't add it to the list
1243 * of multisegment_pdus (that would cause subsequent lookups to find
1244 * the retransmission instead of the original transmission, breaking
1245 * dissection of the desegmented pdu if we'd already seen the end of
1246 * the pdu).
1247 */
1248 if ((msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32(flow->multisegment_pdus, seq))) {
1249 const char *prefix;
1250
1251 if (msp->first_frame == pinfo->num) {
1252 prefix = "";
1253 col_set_str(pinfo->cinfo, COL_INFO, "[TLS segment of a reassembled PDU]");
1254 } else {
1255 prefix = "Retransmitted ";
1256 }
1257
1258 nbytes = tvb_reported_length_remaining(tvb, offset);
1259 ssl_proto_tree_add_segment_data(tree, tvb, offset, nbytes, prefix);
1260 return;
1261 }
1262
1263 /* Else, find the most previous PDU starting before this sequence number */
1264 msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(flow->multisegment_pdus, seq-1);
1265 if (msp && msp->seq <= seq && msp->nxtpdu > seq) {
1266 int len;
1267
1268 if (!PINFO_FD_VISITED(pinfo)) {
1269 msp->last_frame = pinfo->num;
1270 msp->last_frame_time = pinfo->abs_ts;
1271 }
1272
1273 /* OK, this PDU was found, which means the segment continues
1274 * a higher-level PDU and that we must desegment it.
1275 */
1276 if (msp->flags & MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT) {
1277 /* The dissector asked for the entire segment */
1278 len = MAX(0, tvb_reported_length_remaining(tvb, offset));
1279 } else {
1280 len = MIN(nxtseq, msp->nxtpdu) - seq;
1281 }
1282
1283 ipfd_head = fragment_add(&ssl_reassembly_table, tvb, offset,
1284 pinfo, tls_msp_fragment_id(msp), NULL,
1285 seq - msp->seq,
1286 len, (LT_SEQ (nxtseq,msp->nxtpdu)));
1287
1288 if (msp->flags & MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT) {
1289 msp->flags &= (~MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT);
1290
1291 /* If we consumed the entire segment there is no
1292 * other pdu starting anywhere inside this segment.
1293 * So update nxtpdu to point at least to the start
1294 * of the next segment.
1295 * (If the subdissector asks for even more data we
1296 * will advance nxtpdu even further later down in
1297 * the code.)
1298 */
1299 msp->nxtpdu = nxtseq;
1300 }
1301
1302 if ( (msp->nxtpdu < nxtseq)
1303 && (msp->nxtpdu >= seq)
1304 && (len > 0)) {
1305 another_pdu_follows = msp->nxtpdu - seq;
1306 }
1307 } else {
1308 /* This segment was not found in our table, so it doesn't
1309 * contain a continuation of a higher-level PDU.
1310 * Call the normal subdissector.
1311 */
1312 process_ssl_payload(tvb, offset, pinfo, tree, session, app_handle_port);
1313 called_dissector = TRUE;
1314
1315 /* Did the subdissector ask us to desegment some more data
1316 * before it could handle the packet?
1317 * If so we have to create some structures in our table but
1318 * this is something we only do the first time we see this
1319 * packet.
1320 */
1321 if (pinfo->desegment_len) {
1322 if (!PINFO_FD_VISITED(pinfo))
1323 must_desegment = TRUE;
1324
1325 /*
1326 * Set "deseg_offset" to the offset in "tvb"
1327 * of the first byte of data that the
1328 * subdissector didn't process.
1329 */
1330 deseg_offset = offset + pinfo->desegment_offset;
1331 }
1332
1333 /* Either no desegmentation is necessary, or this is
1334 * segment contains the beginning but not the end of
1335 * a higher-level PDU and thus isn't completely
1336 * desegmented.
1337 */
1338 ipfd_head = NULL;
1339 }
1340
1341
1342 /* is it completely desegmented? */
1343 if (ipfd_head && ipfd_head->reassembled_in == pinfo->num) {
1344 /*
1345 * Yes, we think it is.
1346 * We only call subdissector for the last segment.
1347 * Note that the last segment may include more than what
1348 * we needed.
1349 */
1350 if (nxtseq < msp->nxtpdu) {
1351 /*
1352 * This is *not* the last segment. It is part of a PDU in the same
1353 * frame, so no another PDU can follow this one.
1354 * Do not reassemble TLS yet, it will be done in the final segment.
1355 * Clear the Info column and avoid displaying [TLS segment of a
1356 * reassembled PDU], the payload dissector will typically set it.
1357 * (This is needed here for the second pass.)
1358 */
1359 another_pdu_follows = 0;
1360 col_clear(pinfo->cinfo, COL_INFO);
1361 another_segment_in_frame = TRUE;
1362 } else {
1363 /*
1364 * OK, this is the last segment of the PDU and also the
1365 * last segment in this frame.
1366 * Let's call the subdissector with the desegmented
1367 * data.
1368 */
1369 tvbuff_t *next_tvb;
1370 int old_len;
1371
1372 /*
1373 * Reset column in case multiple TLS segments form the
1374 * PDU and this last TLS segment is not in the first TCP segment of
1375 * this frame.
1376 * XXX prevent clearing the column if the last layer is not SSL?
1377 */
1378 /* Clear column during the first pass. */
1379 col_clear(pinfo->cinfo, COL_INFO);
1380
1381 /* create a new TVB structure for desegmented data */
1382 next_tvb = tvb_new_chain(tvb, ipfd_head->tvb_data);
1383
1384 /* add desegmented data to the data source list */
1385 add_new_data_source(pinfo, next_tvb, "Reassembled SSL");
1386
1387 /* call subdissector */
1388 process_ssl_payload(next_tvb, 0, pinfo, tree, session, app_handle_port);
1389 called_dissector = TRUE;
1390
1391 /*
1392 * OK, did the subdissector think it was completely
1393 * desegmented, or does it think we need even more
1394 * data?
1395 */
1396 old_len = (int)(tvb_reported_length(next_tvb) - tvb_reported_length_remaining(tvb, offset));
1397 if (pinfo->desegment_len && pinfo->desegment_offset <= old_len) {
1398 /*
1399 * "desegment_len" isn't 0, so it needs more
1400 * data for something - and "desegment_offset"
1401 * is before "old_len", so it needs more data
1402 * to dissect the stuff we thought was
1403 * completely desegmented (as opposed to the
1404 * stuff at the beginning being completely
1405 * desegmented, but the stuff at the end
1406 * being a new higher-level PDU that also
1407 * needs desegmentation).
1408 */
1409 fragment_set_partial_reassembly(&ssl_reassembly_table,
1410 pinfo, tls_msp_fragment_id(msp), NULL);
1411 /* Update msp->nxtpdu to point to the new next
1412 * pdu boundary.
1413 */
1414 if (pinfo->desegment_len == DESEGMENT_ONE_MORE_SEGMENT) {
1415 /* We want reassembly of at least one
1416 * more segment so set the nxtpdu
1417 * boundary to one byte into the next
1418 * segment.
1419 * This means that the next segment
1420 * will complete reassembly even if it
1421 * is only one single byte in length.
1422 */
1423 msp->nxtpdu = seq + tvb_reported_length_remaining(tvb, offset) + 1;
1424 msp->flags |= MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT;
1425 } else {
1426 msp->nxtpdu = seq + tvb_reported_length_remaining(tvb, offset) + pinfo->desegment_len;
1427 }
1428 /* Since we need at least some more data
1429 * there can be no pdu following in the
1430 * tail of this segment.
1431 */
1432 another_pdu_follows = 0;
1433 } else {
1434 /*
1435 * Show the stuff in this TCP segment as
1436 * just raw TCP segment data.
1437 */
1438 nbytes = tvb_reported_length_remaining(tvb, offset);
1439 ssl_proto_tree_add_segment_data(tree, tvb, offset, nbytes, NULL);
1440
1441 /*
1442 * The subdissector thought it was completely
1443 * desegmented (although the stuff at the
1444 * end may, in turn, require desegmentation),
1445 * so we show a tree with all segments.
1446 */
1447 show_fragment_tree(ipfd_head, &ssl_segment_items,
1448 root_tree, pinfo, next_tvb, &frag_tree_item);
1449 /*
1450 * The toplevel fragment subtree is now
1451 * behind all desegmented data; move it
1452 * right behind the TCP tree.
1453 */
1454 ssl_tree_item = proto_tree_get_parent(tree);
1455 if (frag_tree_item && ssl_tree_item) {
1456 proto_tree_move_item(root_tree, ssl_tree_item, frag_tree_item);
1457 }
1458
1459 /* Did the subdissector ask us to desegment
1460 * some more data? This means that the data
1461 * at the beginning of this segment completed
1462 * a higher-level PDU, but the data at the
1463 * end of this segment started a higher-level
1464 * PDU but didn't complete it.
1465 *
1466 * If so, we have to create some structures
1467 * in our table, but this is something we
1468 * only do the first time we see this packet.
1469 */
1470 if (pinfo->desegment_len) {
1471 if (!PINFO_FD_VISITED(pinfo))
1472 must_desegment = TRUE;
1473
1474 /* The stuff we couldn't dissect
1475 * must have come from this segment,
1476 * so it's all in "tvb".
1477 *
1478 * "pinfo->desegment_offset" is
1479 * relative to the beginning of
1480 * "next_tvb"; we want an offset
1481 * relative to the beginning of "tvb".
1482 *
1483 * First, compute the offset relative
1484 * to the *end* of "next_tvb" - i.e.,
1485 * the number of bytes before the end
1486 * of "next_tvb" at which the
1487 * subdissector stopped. That's the
1488 * length of "next_tvb" minus the
1489 * offset, relative to the beginning
1490 * of "next_tvb, at which the
1491 * subdissector stopped.
1492 */
1493 deseg_offset = ipfd_head->datalen - pinfo->desegment_offset;
1494
1495 /* "tvb" and "next_tvb" end at the
1496 * same byte of data, so the offset
1497 * relative to the end of "next_tvb"
1498 * of the byte at which we stopped
1499 * is also the offset relative to
1500 * the end of "tvb" of the byte at
1501 * which we stopped.
1502 *
1503 * Convert that back into an offset
1504 * relative to the beginning of
1505 * "tvb", by taking the length of
1506 * "tvb" and subtracting the offset
1507 * relative to the end.
1508 */
1509 deseg_offset = tvb_reported_length(tvb) - deseg_offset;
1510 }
1511 }
1512 }
1513 }
1514
1515 if (must_desegment) {
1516 /* If the dissector requested "reassemble until FIN"
1517 * just set this flag for the flow and let reassembly
1518 * proceed at normal. We will check/pick up these
1519 * reassembled PDUs later down in dissect_tcp() when checking
1520 * for the FIN flag.
1521 */
1522 if (pinfo->desegment_len == DESEGMENT_UNTIL_FIN) {
1523 flow->flags |= TCP_FLOW_REASSEMBLE_UNTIL_FIN;
1524 }
1525 /*
1526 * The sequence number at which the stuff to be desegmented
1527 * starts is the sequence number of the byte at an offset
1528 * of "deseg_offset" into "tvb".
1529 *
1530 * The sequence number of the byte at an offset of "offset"
1531 * is "seq", i.e. the starting sequence number of this
1532 * segment, so the sequence number of the byte at
1533 * "deseg_offset" is "seq + (deseg_offset - offset)".
1534 */
1535 deseg_seq = seq + (deseg_offset - offset);
1536
1537 if (((nxtseq - deseg_seq) <= 1024*1024)
1538 && (!PINFO_FD_VISITED(pinfo))) {
1539 if (pinfo->desegment_len == DESEGMENT_ONE_MORE_SEGMENT) {
1540 /* The subdissector asked to reassemble using the
1541 * entire next segment.
1542 * Just ask reassembly for one more byte
1543 * but set this msp flag so we can pick it up
1544 * above.
1545 */
1546 msp = pdu_store_sequencenumber_of_next_pdu(pinfo,
1547 deseg_seq, nxtseq+1, flow->multisegment_pdus);
1548 msp->flags |= MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT;
1549 } else {
1550 msp = pdu_store_sequencenumber_of_next_pdu(pinfo,
1551 deseg_seq, nxtseq+pinfo->desegment_len, flow->multisegment_pdus);
1552 }
1553
1554 /* add this segment as the first one for this new pdu */
1555 fragment_add(&ssl_reassembly_table, tvb, deseg_offset,
1556 pinfo, tls_msp_fragment_id(msp), NULL,
1557 0, nxtseq - deseg_seq,
1558 LT_SEQ(nxtseq, msp->nxtpdu));
1559 }
1560 }
1561
1562 if (!called_dissector || pinfo->desegment_len != 0) {
1563 if (ipfd_head != NULL && ipfd_head->reassembled_in != 0 &&
1564 !(ipfd_head->flags & FD_PARTIAL_REASSEMBLY)) {
1565 /*
1566 * We know what frame this PDU is reassembled in;
1567 * let the user know.
1568 */
1569 item=proto_tree_add_uint(tree, *ssl_segment_items.hf_reassembled_in,
1570 tvb, 0, 0, ipfd_head->reassembled_in);
1571 proto_item_set_generated(item);
1572 }
1573
1574 /*
1575 * Either we didn't call the subdissector at all (i.e.,
1576 * this is a segment that contains the middle of a
1577 * higher-level PDU, but contains neither the beginning
1578 * nor the end), or the subdissector couldn't dissect it
1579 * all, as some data was missing (i.e., it set
1580 * "pinfo->desegment_len" to the amount of additional
1581 * data it needs).
1582 */
1583 if (!another_segment_in_frame && pinfo->desegment_offset == 0) {
1584 /*
1585 * It couldn't, in fact, dissect any of it (the
1586 * first byte it couldn't dissect is at an offset
1587 * of "pinfo->desegment_offset" from the beginning
1588 * of the payload, and that's 0).
1589 * Just mark this as SSL.
1590 */
1591 col_set_str(pinfo->cinfo, COL_PROTOCOL,
1592 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
1593 col_set_str(pinfo->cinfo, COL_INFO, "[TLS segment of a reassembled PDU]");
1594 }
1595
1596 /*
1597 * Show what's left in the packet as just raw TCP segment
1598 * data.
1599 * XXX - remember what protocol the last subdissector
1600 * was, and report it as a continuation of that, instead?
1601 */
1602 nbytes = tvb_reported_length_remaining(tvb, deseg_offset);
1603 ssl_proto_tree_add_segment_data(tree, tvb, deseg_offset, nbytes, NULL);
1604 }
1605 pinfo->can_desegment = 0;
1606 pinfo->desegment_offset = 0;
1607 pinfo->desegment_len = 0;
1608
1609 if (another_pdu_follows) {
1610 /* there was another pdu following this one. */
1611 pinfo->can_desegment=2;
1612 /* we also have to prevent the dissector from changing the
1613 * PROTOCOL and INFO colums since what follows may be an
1614 * incomplete PDU and we don't want it be changed back from
1615 * <Protocol> to <TCP>
1616 */
1617 col_set_fence(pinfo->cinfo, COL_INFO);
1618 col_set_writable(pinfo->cinfo, COL_PROTOCOL, FALSE);
1619 offset += another_pdu_follows;
1620 seq += another_pdu_follows;
1621 goto again;
1622 }
1623 }
1624
1625 static void
export_pdu_packet(tvbuff_t * tvb,packet_info * pinfo,guint8 tag,const gchar * name)1626 export_pdu_packet(tvbuff_t *tvb, packet_info *pinfo, guint8 tag, const gchar *name)
1627 {
1628 exp_pdu_data_t *exp_pdu_data = export_pdu_create_common_tags(pinfo, name, tag);
1629
1630 exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb);
1631 exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb);
1632 exp_pdu_data->pdu_tvb = tvb;
1633
1634 tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
1635 }
1636
1637 static void
process_ssl_payload(tvbuff_t * tvb,int offset,packet_info * pinfo,proto_tree * tree,SslSession * session,dissector_handle_t app_handle_port)1638 process_ssl_payload(tvbuff_t *tvb, int offset, packet_info *pinfo,
1639 proto_tree *tree, SslSession *session,
1640 dissector_handle_t app_handle_port)
1641 {
1642 tvbuff_t *next_tvb;
1643 heur_dtbl_entry_t *hdtbl_entry;
1644 guint16 saved_match_port;
1645
1646 next_tvb = tvb_new_subset_remaining(tvb, offset);
1647
1648 /* If the appdata proto is not yet known (no STARTTLS), try heuristics
1649 * first, then ports-based dissectors. Port 443 is too overloaded... */
1650 if (!session->app_handle) {
1651 /* The heuristics dissector should set the app_handle if it wants to be
1652 * called in the future. */
1653 if (dissector_try_heuristic(ssl_heur_subdissector_list, next_tvb,
1654 pinfo, proto_tree_get_root(tree), &hdtbl_entry,
1655 &session->app_handle)) {
1656 ssl_debug_printf("%s: found heuristics dissector %s, app_handle is %p (%s)\n",
1657 G_STRFUNC, hdtbl_entry->short_name,
1658 (void *)session->app_handle,
1659 dissector_handle_get_dissector_name(session->app_handle));
1660 if (have_tap_listener(exported_pdu_tap)) {
1661 export_pdu_packet(next_tvb, pinfo, EXP_PDU_TAG_HEUR_PROTO_NAME, hdtbl_entry->short_name);
1662 }
1663 return;
1664 }
1665 if (app_handle_port) {
1666 /* Heuristics failed, just try the port-based dissector. */
1667 ssl_debug_printf("%s: no heuristics dissector, falling back to "
1668 "handle %p (%s)\n", G_STRFUNC,
1669 (void *)app_handle_port,
1670 dissector_handle_get_dissector_name(app_handle_port));
1671 session->app_handle = app_handle_port;
1672 } else {
1673 /* No heuristics, no port-based proto, unknown protocol. */
1674 ssl_debug_printf("%s: no appdata dissector found\n", G_STRFUNC);
1675 call_data_dissector(next_tvb, pinfo, proto_tree_get_root(tree));
1676 return;
1677 }
1678 }
1679
1680 ssl_debug_printf("%s: found handle %p (%s)\n", G_STRFUNC,
1681 (void *)session->app_handle,
1682 dissector_handle_get_dissector_name(session->app_handle));
1683
1684 if (have_tap_listener(exported_pdu_tap)) {
1685 export_pdu_packet(next_tvb, pinfo, EXP_PDU_TAG_PROTO_NAME,
1686 dissector_handle_get_dissector_name(session->app_handle));
1687 }
1688 saved_match_port = pinfo->match_uint;
1689 if (ssl_packet_from_server(session, ssl_associations, pinfo)) {
1690 pinfo->match_uint = pinfo->srcport;
1691 } else {
1692 pinfo->match_uint = pinfo->destport;
1693 }
1694 call_dissector(session->app_handle, next_tvb, pinfo, proto_tree_get_root(tree));
1695 pinfo->match_uint = saved_match_port;
1696 }
1697
1698 static void
dissect_ssl_payload(tvbuff_t * decrypted,packet_info * pinfo,proto_tree * tree,SslSession * session,SslRecordInfo * record,dissector_handle_t app_handle_port)1699 dissect_ssl_payload(tvbuff_t *decrypted, packet_info *pinfo,
1700 proto_tree *tree, SslSession *session,
1701 SslRecordInfo *record,
1702 dissector_handle_t app_handle_port)
1703 {
1704 gboolean save_fragmented;
1705 guint16 save_can_desegment;
1706
1707 /* Preserve current desegmentation ability to prevent the subdissector
1708 * from messing up the ssl desegmentation */
1709 save_can_desegment = pinfo->can_desegment;
1710
1711 /* try to dissect decrypted data*/
1712 ssl_debug_printf("%s decrypted len %d\n", G_STRFUNC, record->data_len);
1713 ssl_print_data("decrypted app data fragment", record->plain_data, record->data_len);
1714
1715 /* Can we desegment this segment? */
1716 if (tls_desegment_app_data) {
1717 /* Yes. */
1718 pinfo->can_desegment = 2;
1719 desegment_ssl(decrypted, pinfo, 0, record->seq, record->seq + record->data_len,
1720 session, proto_tree_get_root(tree), tree,
1721 record->flow, app_handle_port);
1722 } else if (session->app_handle || app_handle_port) {
1723 /* No - just call the subdissector.
1724 Mark this as fragmented, so if somebody throws an exception,
1725 we don't report it as a malformed frame. */
1726 pinfo->can_desegment = 0;
1727 save_fragmented = pinfo->fragmented;
1728 pinfo->fragmented = TRUE;
1729
1730 process_ssl_payload(decrypted, 0, pinfo, tree, session, app_handle_port);
1731 pinfo->fragmented = save_fragmented;
1732 }
1733
1734 /* restore desegmentation ability */
1735 pinfo->can_desegment = save_can_desegment;
1736 }
1737
1738
1739 /*********************************************************************
1740 *
1741 * SSL version 3 and TLS Dissection Routines
1742 *
1743 *********************************************************************/
1744 static gint
dissect_ssl3_record(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,guint32 offset,SslSession * session,gint is_from_server,gboolean * need_desegmentation,SslDecryptSession * ssl,guint8 curr_layer_num_ssl)1745 dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
1746 proto_tree *tree, guint32 offset,
1747 SslSession *session, gint is_from_server,
1748 gboolean *need_desegmentation,
1749 SslDecryptSession *ssl,
1750 guint8 curr_layer_num_ssl)
1751 {
1752
1753 /*
1754 * struct {
1755 * uint8 major, minor;
1756 * } ProtocolVersion;
1757 *
1758 *
1759 * enum {
1760 * change_cipher_spec(20), alert(21), handshake(22),
1761 * application_data(23), (255)
1762 * } ContentType;
1763 *
1764 * struct {
1765 * ContentType type;
1766 * ProtocolVersion version;
1767 * uint16 length;
1768 * opaque fragment[TLSPlaintext.length];
1769 * } TLSPlaintext;
1770 */
1771 guint32 record_length;
1772 guint16 record_version, version;
1773 guint8 content_type;
1774 guint8 next_byte;
1775 proto_tree *ti;
1776 proto_tree *ssl_record_tree;
1777 proto_item *length_pi, *ct_pi;
1778 guint content_type_offset;
1779 guint32 available_bytes;
1780 tvbuff_t *decrypted;
1781 SslRecordInfo *record = NULL;
1782
1783 ti = NULL;
1784 ssl_record_tree = NULL;
1785
1786 available_bytes = tvb_reported_length_remaining(tvb, offset);
1787
1788 /* TLS 1.0/1.1 just ignores unknown records - RFC 2246 chapter 6. The TLS Record Protocol */
1789 if ((session->version==TLSV1_VERSION ||
1790 session->version==TLSV1DOT1_VERSION ||
1791 session->version==TLSV1DOT2_VERSION ||
1792 session->version==GMTLSV1_VERSION ) &&
1793 (available_bytes >=1 ) && !ssl_is_valid_content_type(tvb_get_guint8(tvb, offset))) {
1794 proto_tree_add_expert(tree, pinfo, &ei_tls_ignored_unknown_record, tvb, offset, available_bytes);
1795 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Ignored Unknown Record");
1796 return offset + available_bytes;
1797 }
1798
1799 /*
1800 * Is the record header split across segment boundaries?
1801 */
1802 if (available_bytes < 5) {
1803 /*
1804 * Yes - can we do reassembly?
1805 */
1806 if (tls_desegment && pinfo->can_desegment) {
1807 /*
1808 * Yes. Tell the TCP dissector where the data for this
1809 * message starts in the data it handed us, and that we need
1810 * "some more data." Don't tell it exactly how many bytes we
1811 * need because if/when we ask for even more (after the header)
1812 * that will break reassembly.
1813 */
1814 pinfo->desegment_offset = offset;
1815 pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
1816 *need_desegmentation = TRUE;
1817 return offset;
1818 } else {
1819 /* Not enough bytes available. Stop here. */
1820 return offset + available_bytes;
1821 }
1822 }
1823
1824 /*
1825 * Get the record layer fields of interest
1826 */
1827 content_type = tvb_get_guint8(tvb, offset);
1828 version = tvb_get_ntohs(tvb, offset + 1);
1829 record_version = version;
1830 record_length = tvb_get_ntohs(tvb, offset + 3);
1831
1832 if (ssl_is_valid_content_type(content_type)) {
1833
1834 /*
1835 * Is the record split across segment boundaries?
1836 */
1837 if (available_bytes < record_length + 5) {
1838 /*
1839 * Yes - can we do reassembly?
1840 */
1841 if (tls_desegment && pinfo->can_desegment) {
1842 /*
1843 * Yes. Tell the TCP dissector where the data for this
1844 * message starts in the data it handed us, and how many
1845 * more bytes we need, and return.
1846 */
1847 pinfo->desegment_offset = offset;
1848
1849 /* Don't use:
1850 * pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
1851 * it avoids some minor display glitches when a frame contains
1852 * the continuation of a previous PDU together with a full new
1853 * PDU, but it completely breaks dissection for jumbo TLS frames
1854 */
1855
1856 pinfo->desegment_len = (record_length + 5) - available_bytes;
1857 *need_desegmentation = TRUE;
1858 return offset;
1859 } else {
1860 /* Not enough bytes available. Stop here. */
1861 return offset + available_bytes;
1862 }
1863 }
1864
1865 } else {
1866 /* if we don't have a valid content_type, there's no sense
1867 * continuing any further
1868 */
1869 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Continuation Data");
1870
1871 return offset + 5 + record_length;
1872 }
1873
1874 /* add the record layer subtree header */
1875 ti = proto_tree_add_item(tree, hf_tls_record, tvb,
1876 offset, 5 + record_length, ENC_NA);
1877 ssl_record_tree = proto_item_add_subtree(ti, ett_tls_record);
1878
1879 /* show the one-byte content type */
1880 if (session->version == TLSV1DOT3_VERSION && content_type == SSL_ID_APP_DATA) {
1881 ct_pi = proto_tree_add_item(ssl_record_tree, hf_tls_record_opaque_type,
1882 tvb, offset, 1, ENC_BIG_ENDIAN);
1883 } else {
1884 ct_pi = proto_tree_add_item(ssl_record_tree, hf_tls_record_content_type,
1885 tvb, offset, 1, ENC_BIG_ENDIAN);
1886 }
1887 content_type_offset = offset;
1888 offset++;
1889
1890 /* add the version */
1891 proto_tree_add_item(ssl_record_tree, hf_tls_record_version, tvb,
1892 offset, 2, ENC_BIG_ENDIAN);
1893 offset += 2;
1894
1895 /* add the length */
1896 length_pi = proto_tree_add_uint(ssl_record_tree, hf_tls_record_length, tvb,
1897 offset, 2, record_length);
1898 offset += 2; /* move past length field itself */
1899
1900 /*
1901 * if we don't already have a version set for this conversation,
1902 * but this message's version is authoritative (i.e., it's
1903 * not client_hello, then save the version to to conversation
1904 * structure and print the column version. If the message is not authorative
1905 * (i.e. it is a Client Hello), then this version will still be used for
1906 * display purposes only (it will not be stored in the conversation).
1907 */
1908 next_byte = tvb_get_guint8(tvb, offset);
1909 if (session->version == SSL_VER_UNKNOWN) {
1910 ssl_try_set_version(session, ssl, content_type, next_byte, FALSE, version);
1911 /* Version has possibly changed, adjust the column accordingly. */
1912 col_set_str(pinfo->cinfo, COL_PROTOCOL,
1913 val_to_str_const(version, ssl_version_short_names, "SSL"));
1914 } else {
1915 version = session->version;
1916 }
1917
1918 /*
1919 * now dissect the next layer
1920 */
1921 ssl_debug_printf("dissect_ssl3_record: content_type %d %s\n",content_type, val_to_str_const(content_type, ssl_31_content_type, "unknown"));
1922
1923 /* try to decrypt record on the first pass, if possible. Store decrypted
1924 * record for later usage (without having to decrypt again). The offset is
1925 * used as 'key' to identify this record in the packet (we can have multiple
1926 * handshake records in the same frame).
1927 * In TLS 1.3, only "Application Data" records are encrypted.
1928 */
1929 if (ssl && record_length && (session->version != TLSV1DOT3_VERSION || content_type == SSL_ID_APP_DATA)) {
1930 gboolean decrypt_ok = FALSE;
1931
1932 /* Try to decrypt TLS 1.3 early data first */
1933 if (session->version == TLSV1DOT3_VERSION && content_type == SSL_ID_APP_DATA &&
1934 ssl->has_early_data && !ssl_packet_from_server(session, ssl_associations, pinfo)) {
1935 #ifdef HAVE_LIBGCRYPT_AEAD
1936 decrypt_ok = decrypt_tls13_early_data(tvb, pinfo, offset, record_length, ssl, curr_layer_num_ssl);
1937 #endif
1938 if (!decrypt_ok) {
1939 /* Either trial decryption failed (e.g. missing key) or end of
1940 * early data is reached. Switch to HS secrets if available. */
1941 if (ssl->state & SSL_SERVER_RANDOM) {
1942 tls13_change_key(ssl, &ssl_master_key_map, FALSE, TLS_SECRET_HANDSHAKE);
1943 }
1944 ssl->has_early_data = FALSE;
1945 }
1946 }
1947
1948 if (!decrypt_ok) {
1949 decrypt_ssl3_record(tvb, pinfo, offset, ssl,
1950 content_type, record_version, record_length,
1951 content_type == SSL_ID_APP_DATA ||
1952 content_type == SSL_ID_HANDSHAKE, curr_layer_num_ssl);
1953 }
1954 }
1955
1956 /* try to retrieve and use decrypted alert/handshake/appdata record, if any. */
1957 decrypted = ssl_get_record_info(tvb, proto_tls, pinfo, tvb_raw_offset(tvb)+offset, curr_layer_num_ssl, &record);
1958 if (decrypted) {
1959 add_new_data_source(pinfo, decrypted, "Decrypted TLS");
1960 if (session->version == TLSV1DOT3_VERSION) {
1961 content_type = record->type;
1962 ti = proto_tree_add_uint(ssl_record_tree, hf_tls_record_content_type,
1963 tvb, content_type_offset, 1, record->type);
1964 proto_item_set_generated(ti);
1965 }
1966 }
1967 ssl_check_record_length(&dissect_ssl3_hf, pinfo, (ContentType)content_type, record_length, length_pi, version, decrypted);
1968
1969 switch ((ContentType) content_type) {
1970 case SSL_ID_CHG_CIPHER_SPEC:
1971 if (version == TLSV1DOT3_VERSION && session->tls13_draft_version > 0 && session->tls13_draft_version < 22) {
1972 /* CCS was reintroduced in TLS 1.3 draft -22 */
1973 expert_add_info_format(pinfo, ct_pi, &ei_tls_unexpected_message,
1974 "Record type is not allowed in TLS 1.3");
1975 break;
1976 }
1977 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Change Cipher Spec");
1978 ssl_dissect_change_cipher_spec(&dissect_ssl3_hf, tvb, pinfo,
1979 ssl_record_tree, offset, session,
1980 is_from_server, ssl);
1981 if (version == TLSV1DOT3_VERSION) {
1982 /* CCS is a dummy message in TLS 1.3, do not try to load keys. */
1983 break;
1984 }
1985 if (ssl) {
1986 ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file,
1987 &ssl_master_key_map);
1988 ssl_finalize_decryption(ssl, &ssl_master_key_map);
1989 ssl_change_cipher(ssl, ssl_packet_from_server(session, ssl_associations, pinfo));
1990 }
1991 /* Heuristic: any later ChangeCipherSpec is not a resumption of this
1992 * session. Set the flag after ssl_finalize_decryption such that it has
1993 * a chance to use resume using Session Tickets. */
1994 if (is_from_server)
1995 session->is_session_resumed = FALSE;
1996 break;
1997 case SSL_ID_ALERT:
1998 if (decrypted) {
1999 dissect_ssl3_alert(decrypted, pinfo, ssl_record_tree, 0, 2, session);
2000 } else {
2001 dissect_ssl3_alert(tvb, pinfo, ssl_record_tree, offset, record_length, session);
2002 }
2003 break;
2004 case SSL_ID_HANDSHAKE:
2005 if (decrypted) {
2006 guint record_id = record->id;
2007 dissect_tls_handshake(decrypted, pinfo, ssl_record_tree, 0,
2008 tvb_reported_length(decrypted), FALSE, record_id, curr_layer_num_ssl, session,
2009 is_from_server, ssl, version);
2010 } else {
2011 // Combine both the offset within this TCP segment and the layer
2012 // number in case a record consists of multiple reassembled TCP
2013 // segments. The exact value does not matter, but it should be
2014 // unique per frame.
2015 guint record_id = tvb_raw_offset(tvb) + offset + curr_layer_num_ssl;
2016 dissect_tls_handshake(tvb, pinfo, ssl_record_tree, offset,
2017 offset + record_length, TRUE, record_id, curr_layer_num_ssl, session,
2018 is_from_server, ssl, version);
2019 }
2020 break;
2021 case SSL_ID_APP_DATA:
2022 {
2023 dissector_handle_t app_handle;
2024
2025 /* show on info column what we are decoding */
2026 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Application Data");
2027
2028 /* app_handle discovery is done here instead of dissect_ssl_payload()
2029 * because the protocol name needs to be displayed below. */
2030 app_handle = session->app_handle;
2031 if (!app_handle) {
2032 /* Unknown protocol handle, ssl_starttls_ack was not called before.
2033 * Try to find a port-based protocol and use it if there is no
2034 * heuristics dissector (see process_ssl_payload). */
2035 app_handle = dissector_get_uint_handle(ssl_associations, pinfo->srcport);
2036 if (!app_handle) app_handle = dissector_get_uint_handle(ssl_associations, pinfo->destport);
2037 }
2038
2039 proto_item_set_text(ssl_record_tree,
2040 "%s Record Layer: %s Protocol: %s",
2041 val_to_str_const(version, ssl_version_short_names, "SSL"),
2042 val_to_str_const(content_type, ssl_31_content_type, "unknown"),
2043 app_handle ? dissector_handle_get_dissector_name(app_handle)
2044 : "Application Data");
2045
2046 proto_tree_add_item(ssl_record_tree, hf_tls_record_appdata, tvb,
2047 offset, record_length, ENC_NA);
2048
2049 if (app_handle) {
2050 ti = proto_tree_add_string(ssl_record_tree, hf_tls_record_appdata_proto, tvb, 0, 0, dissector_handle_get_dissector_name(app_handle));
2051 proto_item_set_generated(ti);
2052 }
2053
2054 if (decrypted) {
2055 dissect_ssl_payload(decrypted, pinfo, tree, session, record, app_handle);
2056 }
2057
2058 /* Set app proto again in case the heuristics found a different proto. */
2059 if (session->app_handle && session->app_handle != app_handle)
2060 proto_item_set_text(ssl_record_tree,
2061 "%s Record Layer: %s Protocol: %s",
2062 val_to_str_const(version, ssl_version_short_names, "SSL"),
2063 val_to_str_const(content_type, ssl_31_content_type, "unknown"),
2064 dissector_handle_get_dissector_name(session->app_handle));
2065
2066 break;
2067 }
2068 case SSL_ID_HEARTBEAT:
2069 if (version == TLSV1DOT3_VERSION) {
2070 expert_add_info_format(pinfo, ct_pi, &ei_tls_unexpected_message,
2071 "Record type is not allowed in TLS 1.3");
2072 break;
2073 }
2074 if (decrypted) {
2075 dissect_ssl3_heartbeat(decrypted, pinfo, ssl_record_tree, 0, session, tvb_reported_length (decrypted), TRUE);
2076 } else {
2077 gboolean plaintext = TRUE;
2078 /* heartbeats before ChangeCipherSpec are unencrypted */
2079 if (ssl) {
2080 if (ssl_packet_from_server(session, ssl_associations, pinfo)) {
2081 plaintext = ssl->server == NULL;
2082 } else {
2083 plaintext = ssl->client == NULL;
2084 }
2085 }
2086 dissect_ssl3_heartbeat(tvb, pinfo, ssl_record_tree, offset, session, record_length, plaintext);
2087 }
2088 break;
2089 case SSL_ID_TLS12_CID:
2090 break;
2091 }
2092 offset += record_length; /* skip to end of record */
2093
2094 return offset;
2095 }
2096
2097 /* dissects the alert message, filling in the tree */
2098 static void
dissect_ssl3_alert(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,guint32 offset,guint32 record_length,const SslSession * session)2099 dissect_ssl3_alert(tvbuff_t *tvb, packet_info *pinfo,
2100 proto_tree *tree, guint32 offset, guint32 record_length,
2101 const SslSession *session)
2102 {
2103 /* struct {
2104 * AlertLevel level;
2105 * AlertDescription description;
2106 * } Alert;
2107 */
2108 proto_tree *ti;
2109 proto_tree *alert_tree = NULL;
2110 const gchar *level;
2111 const gchar *desc;
2112 guint8 level_byte, desc_byte;
2113
2114 if (tree)
2115 {
2116 ti = proto_tree_add_item(tree, hf_tls_alert_message, tvb,
2117 offset, record_length, ENC_NA);
2118 alert_tree = proto_item_add_subtree(ti, ett_tls_alert);
2119 }
2120
2121 /*
2122 * Assume that TLS alert records are not fragmented. Any larger message is
2123 * assumed to be encrypted.
2124 */
2125 if (record_length != 2) {
2126 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Encrypted Alert");
2127 proto_item_set_text(tree,
2128 "%s Record Layer: Encrypted Alert",
2129 val_to_str_const(session->version, ssl_version_short_names, "TLS"));
2130 proto_item_set_text(alert_tree,
2131 "Alert Message: Encrypted Alert");
2132 return;
2133 }
2134
2135 /*
2136 * set the record layer label
2137 */
2138
2139 /* first lookup the names for the alert level and description */
2140 level_byte = tvb_get_guint8(tvb, offset); /* grab the level byte */
2141 level = val_to_str_const(level_byte, ssl_31_alert_level, "Unknown");
2142
2143 desc_byte = tvb_get_guint8(tvb, offset+1); /* grab the desc byte */
2144 desc = val_to_str_const(desc_byte, ssl_31_alert_description, "Unknown");
2145
2146 /* now set the text in the record layer line */
2147 col_append_sep_fstr(pinfo->cinfo, COL_INFO, NULL,
2148 "Alert (Level: %s, Description: %s)",
2149 level, desc);
2150
2151 if (tree)
2152 {
2153 proto_item_set_text(tree, "%s Record Layer: Alert "
2154 "(Level: %s, Description: %s)",
2155 val_to_str_const(session->version, ssl_version_short_names, "TLS"),
2156 level, desc);
2157 proto_tree_add_item(alert_tree, hf_tls_alert_message_level,
2158 tvb, offset++, 1, ENC_BIG_ENDIAN);
2159
2160 proto_tree_add_item(alert_tree, hf_tls_alert_message_description,
2161 tvb, offset++, 1, ENC_BIG_ENDIAN);
2162 }
2163 }
2164
2165
2166 /**
2167 * Checks whether a handshake message seems encrypted and cannot be dissected.
2168 */
2169 static gboolean
is_encrypted_handshake_message(tvbuff_t * tvb,packet_info * pinfo,guint32 offset,guint32 offset_end,gboolean maybe_encrypted,SslSession * session,gboolean is_from_server)2170 is_encrypted_handshake_message(tvbuff_t *tvb, packet_info *pinfo, guint32 offset, guint32 offset_end,
2171 gboolean maybe_encrypted, SslSession *session, gboolean is_from_server)
2172 {
2173 guint record_length = offset_end - offset;
2174
2175 if (record_length < 16) {
2176 /*
2177 * Encrypted data has additional overhead. For TLS 1.0/1.1 with stream
2178 * and block ciphers, there is at least a MAC which is at minimum 16
2179 * bytes for MD5. In TLS 1.2, AEAD adds an explicit nonce and auth tag.
2180 * For AES-GCM/CCM the auth tag is 16 bytes. AES_CCM_8 (RFC 6655) uses 8
2181 * byte auth tags, but the explicit nonce is also 8 (sums up to 16).
2182 *
2183 * So anything smaller than 16 bytes is assumed to be plaintext.
2184 */
2185 return FALSE;
2186 }
2187
2188 /*
2189 * If this is not a decrypted buffer, then perhaps it is still in plaintext.
2190 * Heuristics: if the buffer is too small, it is likely not encrypted.
2191 * Otherwise assume that the Handshake does not contain two successive
2192 * HelloRequest messages (type=0x00 length=0x000000, type=0x00). If this
2193 * occurs, then we have possibly found the explicit nonce preceding the
2194 * encrypted contents for GCM/CCM cipher suites as used in TLS 1.2.
2195 */
2196 if (maybe_encrypted) {
2197 maybe_encrypted = tvb_get_ntoh40(tvb, offset) == 0;
2198 /*
2199 * Everything after the ChangeCipherSpec message is encrypted.
2200 * TODO handle Finished message after CCS in the same frame and remove the
2201 * above nonce-based heuristic.
2202 */
2203 if (!maybe_encrypted) {
2204 guint32 ccs_frame = is_from_server ? session->server_ccs_frame : session->client_ccs_frame;
2205 maybe_encrypted = ccs_frame != 0 && pinfo->num > ccs_frame;
2206 }
2207 }
2208
2209 if (!maybe_encrypted) {
2210 /*
2211 * Assume encrypted if the message type makes no sense. If this still
2212 * leads to false positives (detecting plaintext while it should mark
2213 * stuff as encrypted), some other ideas include:
2214 * - Perform additional validation based on the message type.
2215 * - Disallow handshake fragmentation except for some common cases like
2216 * Certificate messages (due to large certificates).
2217 */
2218 guint8 msg_type = tvb_get_guint8(tvb, offset);
2219 maybe_encrypted = try_val_to_str(msg_type, ssl_31_handshake_type) == NULL;
2220 if (!maybe_encrypted) {
2221 guint msg_length = tvb_get_ntoh24(tvb, offset + 1);
2222 // Assume handshake messages are below 64K.
2223 maybe_encrypted = msg_length >= 0x010000;
2224 }
2225 }
2226 return maybe_encrypted;
2227 }
2228
2229 static TlsHsFragment *
save_tls_handshake_fragment(packet_info * pinfo,guint8 curr_layer_num_tls,guint record_id,guint reassembly_id,tvbuff_t * tvb,guint32 offset,guint frag_len,guint frag_offset,guint8 msg_type,gboolean is_last)2230 save_tls_handshake_fragment(packet_info *pinfo, guint8 curr_layer_num_tls,
2231 guint record_id, guint reassembly_id,
2232 tvbuff_t *tvb, guint32 offset, guint frag_len,
2233 guint frag_offset, guint8 msg_type, gboolean is_last)
2234 {
2235 // Full handshake messages should not be saved.
2236 DISSECTOR_ASSERT(!(frag_offset == 0 && is_last));
2237 // Fragment data must be non-empty.
2238 DISSECTOR_ASSERT(frag_len != 0);
2239 // 0 is a special value indicating no reassembly in progress.
2240 DISSECTOR_ASSERT(reassembly_id != 0);
2241
2242 if (tvb_reported_length(tvb) > tvb_captured_length(tvb)) {
2243 // The reassembly API will refuse to add fragments when not all
2244 // available data has been captured. Since we were given a tvb with at
2245 // least 'frag_len' data, we must always succeed in obtaining a subset.
2246 tvb = tvb_new_subset_length(tvb, 0, offset + frag_len);
2247 }
2248
2249 SslPacketInfo *pi = tls_add_packet_info(proto_tls, pinfo, curr_layer_num_tls);
2250 TlsHsFragment *frag_info = wmem_new0(wmem_file_scope(), TlsHsFragment);
2251 frag_info->record_id = record_id;
2252 frag_info->reassembly_id = reassembly_id;
2253 frag_info->is_last = is_last;
2254 frag_info->offset = frag_offset;
2255 frag_info->type = msg_type;
2256
2257 TlsHsFragment **p = &pi->hs_fragments;
2258 while (*p) p = &(*p)->next;
2259 *p = frag_info;
2260
2261 // Add (subset of) record data.
2262 fragment_add_check(&tls_hs_reassembly_table, tvb, offset,
2263 pinfo, reassembly_id, NULL, frag_offset, frag_len, !is_last);
2264
2265 return frag_info;
2266 }
2267
2268 /**
2269 * Populate the Info column and record layer tree item based on the message type.
2270 *
2271 * @param pinfo Packet info.
2272 * @param record_tree The Record layer tree item.
2273 * @param version Record version.
2274 * @param msg_type The message type (not necessarily the same as the first byte
2275 * of the buffer in case of HRR in TLS 1.3).
2276 * @param is_first_msg TRUE if this is the first message in this record.
2277 * @param complete TRUE if the buffer describes the full (encrypted) message.
2278 * @param tvb Buffer that covers the start of this handshake fragment.
2279 * @param offset Position within the record data.
2280 * @param length Length of the record fragment that is part of the handshake
2281 * message. May be smaller than the record length if this is a fragment.
2282 */
2283 static proto_item *
tls_show_handshake_details(packet_info * pinfo,proto_tree * record_tree,guint version,guint8 msg_type,gboolean is_encrypted,gboolean is_first_msg,gboolean complete,tvbuff_t * tvb,guint32 offset,guint32 length)2284 tls_show_handshake_details(packet_info *pinfo, proto_tree *record_tree, guint version,
2285 guint8 msg_type, gboolean is_encrypted, gboolean is_first_msg, gboolean complete,
2286 tvbuff_t *tvb, guint32 offset, guint32 length)
2287 {
2288 const char *msg_type_str = "Encrypted Handshake Message";
2289 if (!is_encrypted) {
2290 msg_type_str = val_to_str_const(msg_type, ssl_31_handshake_type, msg_type_str);
2291 }
2292
2293 /*
2294 * Update our info string if this is the first message (possibly a fragment
2295 * of a handshake message), or if this is a complete (reassembled) message.
2296 */
2297 if (complete) {
2298 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, msg_type_str);
2299 } else if (is_first_msg) {
2300 /*
2301 * Only mark the first message to avoid an empty Info column. If another
2302 * message came before this one, do not bother mentioning this fragment.
2303 */
2304 col_append_sep_fstr(pinfo->cinfo, COL_INFO, NULL, "[%s Fragment]", msg_type_str);
2305 }
2306
2307 /* set the label text on the record layer expanding node */
2308 if (is_first_msg) {
2309 proto_item_set_text(record_tree, "%s Record Layer: Handshake Protocol: %s",
2310 val_to_str_const(version, ssl_version_short_names, "TLS"),
2311 msg_type_str);
2312 if (!complete && !is_encrypted) {
2313 proto_item_append_text(record_tree, " (fragment)");
2314 }
2315 } else {
2316 proto_item_set_text(record_tree, "%s Record Layer: Handshake Protocol: %s",
2317 val_to_str_const(version, ssl_version_short_names, "TLS"),
2318 "Multiple Handshake Messages");
2319 }
2320
2321 proto_item *ti = proto_tree_add_item(record_tree, hf_tls_handshake_protocol,
2322 tvb, offset, length, ENC_NA);
2323 proto_item_set_text(ti, "Handshake Protocol: %s", msg_type_str);
2324 if (!complete && !is_encrypted) {
2325 proto_item_append_text(ti, " (fragment)");
2326 }
2327 return ti;
2328 }
2329
2330 /* dissects the handshake protocol, filling the tree */
2331 static void
dissect_tls_handshake(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,guint32 offset,guint32 offset_end,gboolean maybe_encrypted,guint record_id,guint8 curr_layer_num_tls,SslSession * session,gint is_from_server,SslDecryptSession * ssl,const guint16 version)2332 dissect_tls_handshake(tvbuff_t *tvb, packet_info *pinfo,
2333 proto_tree *tree, guint32 offset,
2334 guint32 offset_end, gboolean maybe_encrypted,
2335 guint record_id, guint8 curr_layer_num_tls,
2336 SslSession *session, gint is_from_server,
2337 SslDecryptSession *ssl,
2338 const guint16 version)
2339 {
2340 // Handshake fragment processing:
2341 // 1. (First pass:) If a previous handshake message needed reasembly, add
2342 // (a subset of) the new data for reassembly.
2343 // 2. Did this fragment complete reasembly in the previous step?
2344 // - Yes: dissect message and continue.
2345 // - No: show details and stop.
2346 // 3. Not part of a reassembly, so this is a new handshake message. Does it
2347 // look like encrypted data?
2348 // - Yes: show details and stop.
2349 // 4. Loop through remaining handshake messages. Is there sufficient data?
2350 // - Yes: dissect message and continue with next message.
2351 // - No (first pass): Add all data for reassembly, show details and stop.
2352 // - No (second pass): Show details and stop.
2353
2354 fragment_head *fh = NULL;
2355 guint subset_len;
2356 guint32 msg_len = 0;
2357 TlsHsFragment *frag_info = NULL;
2358 gboolean is_first_msg = TRUE;
2359 proto_item *frag_tree_item;
2360 guint *hs_reassembly_id_p = is_from_server ? &session->server_hs_reassembly_id : &session->client_hs_reassembly_id;
2361
2362 if (!PINFO_FD_VISITED(pinfo)) {
2363 // 1. (First pass:) If a previous handshake message needed reasembly.
2364 if (*hs_reassembly_id_p) {
2365 // Continuation, so a previous fragment *must* exist.
2366 fh = fragment_get(&tls_hs_reassembly_table, pinfo, *hs_reassembly_id_p, NULL);
2367 DISSECTOR_ASSERT(fh);
2368 // We expect that reassembly has not completed yet.
2369 DISSECTOR_ASSERT(fh->tvb_data == NULL);
2370
2371 // Combine all previous segments plus data from the current record
2372 // in order to find the length.
2373 tvbuff_t *len_tvb = tvb_new_composite();
2374 guint frags_len = 0;
2375 for (fragment_item *fd = fh->next; fd; fd = fd->next) {
2376 if (frags_len < 4) {
2377 tvb_composite_append(len_tvb, fd->tvb_data);
2378 }
2379 frags_len += tvb_reported_length(fd->tvb_data);
2380 }
2381 if (frags_len < 4) {
2382 tvbuff_t *remaining_tvb = tvb_new_subset_remaining(tvb, offset);
2383 tvb_composite_append(len_tvb, remaining_tvb);
2384 }
2385 tvb_composite_finalize(len_tvb);
2386
2387 // Extract the actual handshake message length (0 means unknown) and
2388 // check whether only a subset of the current record is needed.
2389 subset_len = offset_end - offset;
2390 if (tvb_reported_length(len_tvb) >= 4) {
2391 msg_len = 4 + tvb_get_ntoh24(len_tvb, 1);
2392 if (subset_len > msg_len - frags_len) {
2393 subset_len = msg_len - frags_len;
2394 }
2395 }
2396
2397 if (tvb_captured_length(tvb) < offset + subset_len) {
2398 // Not all data has been captured. As we are missing data, the
2399 // reassembly cannot be completed nor do we know the boundary
2400 // where the next handshake message starts. Stop reassembly.
2401 *hs_reassembly_id_p = 0;
2402 } else {
2403 // Check if the handshake message is complete.
2404 guint8 msg_type = tvb_get_guint8(len_tvb, 0);
2405 gboolean is_last = frags_len + subset_len == msg_len;
2406 frag_info = save_tls_handshake_fragment(pinfo, curr_layer_num_tls, record_id, *hs_reassembly_id_p,
2407 tvb, offset, subset_len, frags_len, msg_type, is_last);
2408 if (is_last) {
2409 // Reassembly finished, next message should not continue this message.
2410 *hs_reassembly_id_p = 0;
2411 }
2412 }
2413 }
2414 } else {
2415 // Lookup the reassembled handshake matching this frame (if any).
2416 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, curr_layer_num_tls);
2417 if (pi) {
2418 for (TlsHsFragment *rec = pi->hs_fragments; rec; rec = rec->next) {
2419 if (rec->record_id == record_id) {
2420 frag_info = rec;
2421 break;
2422 }
2423 }
2424 }
2425 }
2426
2427 // 2. Did this fragment complete reasembly in the previous step?
2428 if (frag_info && frag_info->offset != 0) {
2429 fh = fragment_get_reassembled_id(&tls_hs_reassembly_table, pinfo, frag_info->reassembly_id);
2430 if (frag_info->is_last) {
2431 // This is the last fragment of the handshake message.
2432 // Skip a subset of the bytes of this buffer.
2433 subset_len = tvb_reported_length_remaining(fh->tvb_data, frag_info->offset);
2434
2435 // Add a tree item to mark the handshake fragment.
2436 proto_item *ti = proto_tree_add_item(tree,
2437 hf_tls_handshake_protocol, tvb, offset, subset_len, ENC_NA);
2438 offset += subset_len;
2439 proto_item_set_text(ti, "Handshake Protocol: %s (last fragment)",
2440 val_to_str_const(frag_info->type, ssl_31_handshake_type,
2441 "Encrypted Handshake Message"));
2442
2443 // Now display the full, reassembled handshake message.
2444 tvbuff_t *next_tvb = tvb_new_chain(tvb, fh->tvb_data);
2445 add_new_data_source(pinfo, next_tvb, "Reassembled TLS Handshake");
2446 show_fragment_tree(fh, &tls_hs_fragment_items, tree, pinfo, next_tvb, &frag_tree_item);
2447 dissect_tls_handshake_full(next_tvb, pinfo, tree, 0, session, is_from_server, ssl, version, TRUE);
2448 is_first_msg = FALSE;
2449
2450 // Skip to the next fragment in case this records ends with another
2451 // fragment for which information is presented below.
2452 frag_info = frag_info->next;
2453 if (frag_info && frag_info->record_id != record_id) {
2454 frag_info = NULL;
2455 }
2456 } else if (frag_info->offset != 0) {
2457 // The full TVB is in the middle of a handshake message and needs more data.
2458 tls_show_handshake_details(pinfo, tree, version, frag_info->type, FALSE, FALSE, FALSE,
2459 tvb, offset, offset_end - offset);
2460 if (fh) {
2461 proto_tree_add_uint(tree, hf_tls_handshake_reassembled_in, tvb, 0, 0, fh->reassembled_in);
2462 }
2463 return;
2464 }
2465 } else if (!frag_info) {
2466 // 3. Not part of a reassembly, so this is a new handshake message. Does it
2467 // look like encrypted data?
2468 if (is_encrypted_handshake_message(tvb, pinfo, offset, offset_end, maybe_encrypted, session, is_from_server)) {
2469 // Update Info column and record tree.
2470 tls_show_handshake_details(pinfo, tree, version, 0, TRUE, TRUE, TRUE,
2471 tvb, offset, offset_end - offset);
2472 return;
2473 }
2474 }
2475
2476 // 4. Loop through remaining handshake messages.
2477 // The previous reassembly has been handled, so at this point, offset should
2478 // start a new, valid handshake message.
2479 while (offset < offset_end) {
2480 msg_len = 0;
2481 subset_len = offset_end - offset;
2482 if (subset_len >= 4) {
2483 msg_len = 4 + tvb_get_ntoh24(tvb, offset + 1);
2484 }
2485 if (msg_len == 0 || subset_len < msg_len) {
2486 // Need more data to find the message length or complete it.
2487 if (!PINFO_FD_VISITED(pinfo)) {
2488 guint8 msg_type = tvb_get_guint8(tvb, offset);
2489 *hs_reassembly_id_p = ++hs_reassembly_id_count;
2490 frag_info = save_tls_handshake_fragment(pinfo, curr_layer_num_tls, record_id, *hs_reassembly_id_p,
2491 tvb, offset, subset_len, 0, msg_type, FALSE);
2492 } else {
2493 // The first pass must have created a new fragment.
2494 DISSECTOR_ASSERT(frag_info && frag_info->offset == 0);
2495 }
2496
2497 tls_show_handshake_details(pinfo, tree, version, frag_info->type, FALSE, is_first_msg, FALSE,
2498 tvb, offset, subset_len);
2499 fh = fragment_get_reassembled_id(&tls_hs_reassembly_table, pinfo, frag_info->reassembly_id);
2500 if (fh) {
2501 proto_tree_add_uint(tree, hf_tls_handshake_reassembled_in, tvb, 0, 0, fh->reassembled_in);
2502 }
2503 break;
2504 }
2505
2506 dissect_tls_handshake_full(tvb, pinfo, tree, offset, session, is_from_server, ssl, version, is_first_msg);
2507 offset += msg_len;
2508 is_first_msg = FALSE;
2509 }
2510 }
2511
2512 /* Dissects a single (reassembled) Handshake message. */
2513 static void
dissect_tls_handshake_full(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,guint32 offset,SslSession * session,gint is_from_server,SslDecryptSession * ssl,const guint16 version,gboolean is_first_msg)2514 dissect_tls_handshake_full(tvbuff_t *tvb, packet_info *pinfo,
2515 proto_tree *tree, guint32 offset,
2516 SslSession *session, gint is_from_server,
2517 SslDecryptSession *ssl,
2518 const guint16 version,
2519 gboolean is_first_msg)
2520 {
2521 /* struct {
2522 * HandshakeType msg_type;
2523 * uint24 length;
2524 * select (HandshakeType) {
2525 * case hello_request: HelloRequest;
2526 * case client_hello: ClientHello;
2527 * case server_hello: ServerHello;
2528 * case certificate: Certificate;
2529 * case server_key_exchange: ServerKeyExchange;
2530 * case certificate_request: CertificateRequest;
2531 * case server_hello_done: ServerHelloDone;
2532 * case certificate_verify: CertificateVerify;
2533 * case client_key_exchange: ClientKeyExchange;
2534 * case finished: Finished;
2535 * case certificate_url: CertificateURL;
2536 * case certificate_status: CertificateStatus;
2537 * case encrypted_extensions:NextProtocolNegotiationEncryptedExtension;
2538 * } body;
2539 * } Handshake;
2540 */
2541 proto_tree *ssl_hand_tree = NULL;
2542 const gchar *msg_type_str;
2543 guint8 msg_type;
2544 guint32 length;
2545 proto_item *ti;
2546
2547 {
2548 guint32 hs_offset = offset;
2549 gboolean is_hrr = FALSE;
2550
2551 msg_type = tvb_get_guint8(tvb, offset);
2552 length = tvb_get_ntoh24(tvb, offset + 1);
2553 // The caller should have given us a fully reassembled record.
2554 DISSECTOR_ASSERT((guint)tvb_reported_length_remaining(tvb, offset + 4) >= length);
2555
2556 msg_type_str = try_val_to_str(msg_type, ssl_31_handshake_type);
2557
2558 ssl_debug_printf("dissect_ssl3_handshake iteration %d type %d offset %d length %d "
2559 "bytes\n", is_first_msg, msg_type, offset, length);
2560 if (!msg_type_str && !is_first_msg)
2561 {
2562 /* only dissect / report messages if they're
2563 * either the first message in this record
2564 * or they're a valid message type
2565 */
2566 return;
2567 }
2568
2569 if (is_first_msg && msg_type == SSL_HND_SERVER_HELLO && length > 2) {
2570 guint16 server_version;
2571
2572 tls_scan_server_hello(tvb, offset + 4, offset + 4 + length, &server_version, &is_hrr);
2573 ssl_try_set_version(session, ssl, SSL_ID_HANDSHAKE, SSL_HND_SERVER_HELLO, FALSE, server_version);
2574 if (is_hrr) {
2575 msg_type_str = "Hello Retry Request";
2576 }
2577 }
2578
2579 /* Populate Info column and set record layer text. */
2580 ti = tls_show_handshake_details(pinfo, tree, version,
2581 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : msg_type, FALSE, is_first_msg, TRUE,
2582 tvb, offset, length + 4);
2583
2584 /* if we don't have a valid handshake type, just quit dissecting */
2585 if (!msg_type_str)
2586 return;
2587
2588 /* add a subtree for the handshake protocol */
2589 ssl_hand_tree = proto_item_add_subtree(ti, ett_tls_handshake);
2590
2591 /* add nodes for the message type and message length */
2592 proto_tree_add_uint(ssl_hand_tree, hf_tls_handshake_type,
2593 tvb, offset, 1, msg_type);
2594 offset += 1;
2595 proto_tree_add_uint(ssl_hand_tree, hf_tls_handshake_length,
2596 tvb, offset, 3, length);
2597 offset += 3;
2598
2599 /*
2600 * Add handshake message (including type, length, etc.) to hash (for
2601 * Extended Master Secret).
2602 * Hash ClientHello up to and including ClientKeyExchange. As the
2603 * premaster secret is looked up during ChangeCipherSpec processing (an
2604 * implementation detail), we must skip the CertificateVerify message
2605 * which can appear between CKE and CCS when mutual auth is enabled.
2606 */
2607 if (msg_type != SSL_HND_CERT_VERIFY) {
2608 ssl_calculate_handshake_hash(ssl, tvb, hs_offset, 4 + length);
2609 }
2610
2611 /* now dissect the handshake message, if necessary */
2612 switch ((HandshakeType) msg_type) {
2613 case SSL_HND_HELLO_REQUEST:
2614 /* hello_request has no fields, so nothing to do! */
2615 break;
2616
2617 case SSL_HND_CLIENT_HELLO:
2618 if (ssl) {
2619 /* ClientHello is first packet so set direction */
2620 ssl_set_server(session, &pinfo->dst, pinfo->ptype, pinfo->destport);
2621 }
2622 ssl_dissect_hnd_cli_hello(&dissect_ssl3_hf, tvb, pinfo,
2623 ssl_hand_tree, offset, offset + length, session, ssl,
2624 NULL);
2625 /*
2626 * Cannot call tls13_change_key here with TLS_SECRET_HANDSHAKE
2627 * since the server may not agree on using TLS 1.3. If
2628 * early_data is advertised, it must be TLS 1.3 though.
2629 */
2630 if (ssl && ssl->has_early_data) {
2631 session->version = TLSV1DOT3_VERSION;
2632 ssl->state |= SSL_VERSION;
2633 ssl_debug_printf("%s forcing version 0x%04X -> state 0x%02X\n", G_STRFUNC, version, ssl->state);
2634 }
2635 break;
2636
2637 case SSL_HND_SERVER_HELLO:
2638 ssl_dissect_hnd_srv_hello(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree,
2639 offset, offset + length, session, ssl, FALSE, is_hrr);
2640 if (ssl) {
2641 ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, &ssl_master_key_map);
2642 /* Create client and server decoders for TLS 1.3.
2643 * Create client decoder based on HS secret only if there is
2644 * no early data, or if there is no decryptable early data. */
2645 if (!ssl->has_early_data ||
2646 ((ssl->state & SSL_SEEN_0RTT_APPDATA) && !ssl->client)) {
2647 tls13_change_key(ssl, &ssl_master_key_map, FALSE, TLS_SECRET_HANDSHAKE);
2648 }
2649 tls13_change_key(ssl, &ssl_master_key_map, TRUE, TLS_SECRET_HANDSHAKE);
2650 }
2651 break;
2652
2653 case SSL_HND_HELLO_VERIFY_REQUEST:
2654 /* only valid for DTLS */
2655 break;
2656
2657 case SSL_HND_NEWSESSION_TICKET:
2658 /* no need to load keylog file here as it only links a previous
2659 * master key with this Session Ticket */
2660 ssl_dissect_hnd_new_ses_ticket(&dissect_ssl3_hf, tvb, pinfo,
2661 ssl_hand_tree, offset, offset + length, session, ssl, FALSE,
2662 ssl_master_key_map.tickets);
2663 break;
2664
2665 case SSL_HND_END_OF_EARLY_DATA:
2666 /* RFC 8446 Section 4.5 */
2667 if (!is_from_server && ssl) {
2668 ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, &ssl_master_key_map);
2669 tls13_change_key(ssl, &ssl_master_key_map, FALSE, TLS_SECRET_HANDSHAKE);
2670 ssl->has_early_data = FALSE;
2671 }
2672 break;
2673
2674 case SSL_HND_HELLO_RETRY_REQUEST: /* TLS 1.3 draft -21 and before */
2675 ssl_dissect_hnd_hello_retry_request(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree,
2676 offset, offset + length, session, ssl, FALSE);
2677 break;
2678
2679 case SSL_HND_ENCRYPTED_EXTENSIONS:
2680 /* XXX expert info if used with non-TLS 1.3? */
2681 ssl_dissect_hnd_encrypted_extensions(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree,
2682 offset, offset + length, session, ssl, FALSE);
2683
2684 break;
2685
2686 case SSL_HND_CERTIFICATE:
2687 ssl_dissect_hnd_cert(&dissect_ssl3_hf, tvb, ssl_hand_tree,
2688 offset, offset + length, pinfo, session, ssl, is_from_server, FALSE);
2689 break;
2690
2691 case SSL_HND_SERVER_KEY_EXCHG:
2692 ssl_dissect_hnd_srv_keyex(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, offset, offset + length, session);
2693 break;
2694
2695 case SSL_HND_CERT_REQUEST:
2696 ssl_dissect_hnd_cert_req(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, offset, offset + length, session, FALSE);
2697 break;
2698
2699 case SSL_HND_SVR_HELLO_DONE:
2700 /* This is not an abbreviated handshake, it is certainly not resumed. */
2701 session->is_session_resumed = FALSE;
2702 break;
2703
2704 case SSL_HND_CERT_VERIFY:
2705 ssl_dissect_hnd_cli_cert_verify(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, offset, offset + length, session->version);
2706 break;
2707
2708 case SSL_HND_CLIENT_KEY_EXCHG:
2709 ssl_dissect_hnd_cli_keyex(&dissect_ssl3_hf, tvb, ssl_hand_tree, offset, length, session);
2710
2711 if (!ssl)
2712 break;
2713
2714 ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file,
2715 &ssl_master_key_map);
2716 /* try to find master key from pre-master key */
2717 if (!ssl_generate_pre_master_secret(ssl, length, tvb, offset,
2718 ssl_options.psk,
2719 #ifdef HAVE_LIBGNUTLS
2720 ssl_key_hash,
2721 #endif
2722 &ssl_master_key_map)) {
2723 ssl_debug_printf("dissect_ssl3_handshake can't generate pre master secret\n");
2724 }
2725 break;
2726
2727 case SSL_HND_FINISHED:
2728 ssl_dissect_hnd_finished(&dissect_ssl3_hf, tvb, ssl_hand_tree,
2729 offset, offset + length, session, &ssl_hfs);
2730 if (ssl) {
2731 ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, &ssl_master_key_map);
2732 tls13_change_key(ssl, &ssl_master_key_map, is_from_server, TLS_SECRET_APP);
2733 }
2734 break;
2735
2736 case SSL_HND_CERT_URL:
2737 ssl_dissect_hnd_cert_url(&dissect_ssl3_hf, tvb, ssl_hand_tree, offset);
2738 break;
2739
2740 case SSL_HND_CERT_STATUS:
2741 tls_dissect_hnd_certificate_status(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, offset, offset + length);
2742 break;
2743
2744 case SSL_HND_SUPPLEMENTAL_DATA:
2745 /* TODO: dissect this? */
2746 break;
2747
2748 case SSL_HND_KEY_UPDATE:
2749 tls13_dissect_hnd_key_update(&dissect_ssl3_hf, tvb, tree, offset);
2750 if (ssl) {
2751 tls13_key_update(ssl, is_from_server);
2752 }
2753 break;
2754
2755 case SSL_HND_COMPRESSED_CERTIFICATE:
2756 ssl_dissect_hnd_compress_certificate(&dissect_ssl3_hf, tvb, ssl_hand_tree,
2757 offset, offset + length, pinfo, session,
2758 ssl, is_from_server, FALSE);
2759 break;
2760
2761 case SSL_HND_ENCRYPTED_EXTS:
2762 dissect_ssl3_hnd_encrypted_exts(tvb, ssl_hand_tree, offset);
2763 break;
2764 }
2765 }
2766 }
2767
2768 /* dissects the heartbeat message, filling in the tree */
2769 static void
dissect_ssl3_heartbeat(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,guint32 offset,const SslSession * session,guint32 record_length,gboolean decrypted)2770 dissect_ssl3_heartbeat(tvbuff_t *tvb, packet_info *pinfo,
2771 proto_tree *tree, guint32 offset,
2772 const SslSession *session, guint32 record_length,
2773 gboolean decrypted)
2774 {
2775 /* struct {
2776 * HeartbeatMessageType type;
2777 * uint16 payload_length;
2778 * opaque payload;
2779 * opaque padding;
2780 * } HeartbeatMessage;
2781 */
2782
2783 proto_item *ti;
2784 proto_tree *tls_heartbeat_tree;
2785 const gchar *type;
2786 guint8 byte;
2787 guint16 payload_length;
2788 guint16 padding_length;
2789
2790 tls_heartbeat_tree = NULL;
2791
2792 if (tree) {
2793 ti = proto_tree_add_item(tree, hf_tls_heartbeat_message, tvb,
2794 offset, record_length, ENC_NA);
2795 tls_heartbeat_tree = proto_item_add_subtree(ti, ett_tls_heartbeat);
2796 }
2797
2798 /*
2799 * set the record layer label
2800 */
2801
2802 /* first lookup the names for the message type and the payload length */
2803 byte = tvb_get_guint8(tvb, offset);
2804 type = try_val_to_str(byte, tls_heartbeat_type);
2805
2806 payload_length = tvb_get_ntohs(tvb, offset + 1);
2807 padding_length = record_length - 3 - payload_length;
2808
2809 /* assume plaintext if the (expected) record size is smaller than the type
2810 * (1), length (2)[, payload] and padding (16) fields combined */
2811 if (record_length <= 19u || 3u + payload_length + 16 <= record_length) {
2812 decrypted = TRUE;
2813 }
2814
2815 /* now set the text in the record layer line */
2816 if (type && decrypted) {
2817 col_append_sep_fstr(pinfo->cinfo, COL_INFO, NULL, "Heartbeat %s", type);
2818 } else {
2819 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Encrypted Heartbeat");
2820 }
2821
2822 if (type && decrypted) {
2823 proto_item_set_text(tree, "%s Record Layer: Heartbeat "
2824 "%s",
2825 val_to_str_const(session->version, ssl_version_short_names, "SSL"),
2826 type);
2827 proto_tree_add_item(tls_heartbeat_tree, hf_tls_heartbeat_message_type,
2828 tvb, offset, 1, ENC_BIG_ENDIAN);
2829 offset += 1;
2830 ti = proto_tree_add_uint(tls_heartbeat_tree, hf_tls_heartbeat_message_payload_length,
2831 tvb, offset, 2, payload_length);
2832 offset += 2;
2833 if (3u + payload_length + 16 > record_length) {
2834 expert_add_info_format(pinfo, ti, &ei_ssl3_heartbeat_payload_length,
2835 "Invalid heartbeat payload length (%d)", payload_length);
2836 /* There is no room for padding... truncate the payload such that
2837 * the field can be selected (for the interested). */
2838 payload_length = record_length - 3;
2839 padding_length = 0;
2840 proto_item_append_text (ti, " (invalid, using %u to decode payload)", payload_length);
2841 }
2842 proto_tree_add_bytes_format(tls_heartbeat_tree, hf_tls_heartbeat_message_payload,
2843 tvb, offset, payload_length,
2844 NULL, "Payload (%u byte%s)",
2845 payload_length,
2846 plurality(payload_length, "", "s"));
2847 offset += payload_length;
2848 if (padding_length)
2849 proto_tree_add_bytes_format(tls_heartbeat_tree, hf_tls_heartbeat_message_padding,
2850 tvb, offset, padding_length,
2851 NULL, "Padding and HMAC (%u byte%s)",
2852 padding_length,
2853 plurality(padding_length, "", "s"));
2854 } else {
2855 proto_item_set_text(tree,
2856 "%s Record Layer: Encrypted Heartbeat",
2857 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
2858 proto_item_set_text(tls_heartbeat_tree,
2859 "Encrypted Heartbeat Message");
2860 }
2861 }
2862
2863 /* based on https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04 */
2864 static void
dissect_ssl3_hnd_encrypted_exts(tvbuff_t * tvb,proto_tree * tree,guint32 offset)2865 dissect_ssl3_hnd_encrypted_exts(tvbuff_t *tvb, proto_tree *tree,
2866 guint32 offset)
2867 {
2868 guint8 selected_protocol_len;
2869 guint8 padding_len;
2870
2871 selected_protocol_len = tvb_get_guint8(tvb, offset);
2872 proto_tree_add_item(tree, hf_tls_handshake_npn_selected_protocol_len,
2873 tvb, offset, 1, ENC_BIG_ENDIAN);
2874 offset++;
2875 proto_tree_add_item(tree, hf_tls_handshake_npn_selected_protocol,
2876 tvb, offset, selected_protocol_len, ENC_ASCII|ENC_NA);
2877 offset += selected_protocol_len;
2878
2879 padding_len = tvb_get_guint8(tvb, offset);
2880 proto_tree_add_item(tree, hf_tls_handshake_npn_padding_len,
2881 tvb, offset, 1, ENC_BIG_ENDIAN);
2882 offset++;
2883 proto_tree_add_item(tree, hf_tls_handshake_npn_padding,
2884 tvb, offset, padding_len, ENC_NA);
2885 }
2886
2887 /*********************************************************************
2888 *
2889 * SSL version 2 Dissectors
2890 *
2891 *********************************************************************/
2892
2893
2894 /* record layer dissector */
2895 static gint
dissect_ssl2_record(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,guint32 offset,SslSession * session,gboolean * need_desegmentation,SslDecryptSession * ssl)2896 dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
2897 guint32 offset, SslSession *session,
2898 gboolean *need_desegmentation,
2899 SslDecryptSession *ssl)
2900 {
2901 guint32 initial_offset;
2902 guint8 byte;
2903 guint8 record_length_length;
2904 guint32 record_length;
2905 gint is_escape;
2906 gint16 padding_length;
2907 guint8 msg_type;
2908 const gchar *msg_type_str;
2909 guint32 available_bytes;
2910 proto_item *ti;
2911 proto_tree *ssl_record_tree;
2912
2913 initial_offset = offset;
2914 record_length = 0;
2915 is_escape = -1;
2916 padding_length = -1;
2917 msg_type_str = NULL;
2918 ssl_record_tree = NULL;
2919
2920 /* pull first byte; if high bit is unset, then record
2921 * length is three bytes due to padding; otherwise
2922 * record length is two bytes
2923 */
2924 byte = tvb_get_guint8(tvb, offset);
2925 record_length_length = (byte & 0x80) ? 2 : 3;
2926
2927 available_bytes = tvb_reported_length_remaining(tvb, offset);
2928
2929 /*
2930 * Is the record header split across segment boundaries?
2931 */
2932 if (available_bytes < record_length_length) {
2933 /*
2934 * Yes - can we do reassembly?
2935 */
2936 if (tls_desegment && pinfo->can_desegment) {
2937 /*
2938 * Yes. Tell the TCP dissector where the data for this
2939 * message starts in the data it handed us, and that we need
2940 * "some more data." Don't tell it exactly how many bytes we
2941 * need because if/when we ask for even more (after the header)
2942 * that will break reassembly.
2943 */
2944 pinfo->desegment_offset = offset;
2945 pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
2946 *need_desegmentation = TRUE;
2947 return offset;
2948 } else {
2949 /* Not enough bytes available. Stop here. */
2950 return offset + available_bytes;
2951 }
2952 }
2953
2954 /* parse out the record length */
2955 switch (record_length_length) {
2956 case 2: /* two-byte record length */
2957 record_length = (byte & 0x7f) << 8;
2958 byte = tvb_get_guint8(tvb, offset + 1);
2959 record_length += byte;
2960 break;
2961 case 3: /* three-byte record length */
2962 is_escape = (byte & 0x40) ? TRUE : FALSE;
2963 record_length = (byte & 0x3f) << 8;
2964 byte = tvb_get_guint8(tvb, offset + 1);
2965 record_length += byte;
2966 byte = tvb_get_guint8(tvb, offset + 2);
2967 padding_length = byte;
2968 }
2969
2970 /*
2971 * Is the record split across segment boundaries?
2972 */
2973 if (available_bytes < (record_length_length + record_length)) {
2974 /*
2975 * Yes - Can we do reassembly?
2976 */
2977 if (tls_desegment && pinfo->can_desegment) {
2978 /*
2979 * Yes. Tell the TCP dissector where the data for this
2980 * message starts in the data it handed us, and how many
2981 * more bytes we need, and return.
2982 */
2983 pinfo->desegment_offset = offset;
2984 pinfo->desegment_len = (record_length_length + record_length)
2985 - available_bytes;
2986 *need_desegmentation = TRUE;
2987 return offset;
2988 } else {
2989 /* Not enough bytes available. Stop here. */
2990 return offset + available_bytes;
2991 }
2992 }
2993 offset += record_length_length;
2994
2995 /* add the record layer subtree header */
2996 ti = proto_tree_add_item(tree, hf_ssl2_record, tvb, initial_offset,
2997 record_length_length + record_length, ENC_NA);
2998 ssl_record_tree = proto_item_add_subtree(ti, ett_tls_record);
2999
3000 /* pull the msg_type so we can bail if it's unknown */
3001 msg_type = tvb_get_guint8(tvb, initial_offset + record_length_length);
3002
3003 /* if we get a server_hello or later handshake in v2, then set
3004 * this to sslv2
3005 */
3006 if (session->version == SSL_VER_UNKNOWN)
3007 {
3008 if (msg_type >= 2 && msg_type <= 8)
3009 {
3010 session->version = SSLV2_VERSION;
3011 }
3012 }
3013
3014 /* if we get here, but don't have a version set for the
3015 * conversation, then set a version for just this frame
3016 * (e.g., on a client hello)
3017 */
3018 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SSLv2");
3019
3020 /* see if the msg_type is valid; if not the payload is
3021 * probably encrypted, so note that fact and bail
3022 */
3023 msg_type_str = try_val_to_str(msg_type, ssl_20_msg_types);
3024 if (!msg_type_str
3025 || (!ssl_looks_like_valid_v2_handshake(tvb, initial_offset
3026 + record_length_length,
3027 record_length)))
3028 {
3029 if (ssl_record_tree)
3030 {
3031 proto_item_set_text(ssl_record_tree, "%s Record Layer: %s",
3032 "SSLv2",
3033 "Encrypted Data");
3034
3035 /* Unlike SSLv3, the SSLv2 record layer does not have a
3036 * version field. To make it possible to filter on record
3037 * layer version we create a generated field with ssl
3038 * record layer version 0x0002
3039 */
3040 ti = proto_tree_add_uint(ssl_record_tree,
3041 hf_tls_record_version, tvb,
3042 initial_offset, 0, 0x0002);
3043 proto_item_set_generated(ti);
3044 }
3045
3046 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Encrypted Data");
3047 return initial_offset + record_length_length + record_length;
3048 }
3049 else
3050 {
3051 col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, msg_type_str);
3052
3053 if (ssl_record_tree)
3054 {
3055 proto_item_set_text(ssl_record_tree, "%s Record Layer: %s",
3056 "SSLv2",
3057 msg_type_str);
3058 }
3059 }
3060
3061 /* We have a valid message type, so move forward, filling in the
3062 * tree by adding the length, is_escape boolean and padding_length,
3063 * if present in the original packet
3064 */
3065 if (ssl_record_tree)
3066 {
3067 /* Unlike SSLv3, the SSLv2 record layer does not have a
3068 * version field. To make it possible to filter on record
3069 * layer version we create a generated field with ssl
3070 * record layer version 0x0002
3071 */
3072 ti = proto_tree_add_uint(ssl_record_tree,
3073 hf_tls_record_version, tvb,
3074 initial_offset, 0, 0x0002);
3075 proto_item_set_generated(ti);
3076
3077 /* add the record length */
3078 tvb_ensure_bytes_exist(tvb, offset, record_length_length);
3079 proto_tree_add_uint (ssl_record_tree,
3080 hf_tls_record_length, tvb,
3081 initial_offset, record_length_length,
3082 record_length);
3083 }
3084 if (ssl_record_tree && is_escape != -1)
3085 {
3086 proto_tree_add_boolean(ssl_record_tree,
3087 hf_ssl2_record_is_escape, tvb,
3088 initial_offset, 1, is_escape);
3089 }
3090 if (ssl_record_tree && padding_length != -1)
3091 {
3092 proto_tree_add_uint(ssl_record_tree,
3093 hf_ssl2_record_padding_length, tvb,
3094 initial_offset + 2, 1, padding_length);
3095 }
3096
3097 /*
3098 * dissect the record data
3099 */
3100
3101 /* jump forward to the start of the record data */
3102 offset = initial_offset + record_length_length;
3103
3104 /* add the message type */
3105 if (ssl_record_tree)
3106 {
3107 proto_tree_add_item(ssl_record_tree, hf_ssl2_msg_type,
3108 tvb, offset, 1, ENC_BIG_ENDIAN);
3109 }
3110 offset += 1; /* move past msg_type byte */
3111
3112 {
3113 /* dissect the message (only handle client hello right now) */
3114 switch (msg_type) {
3115 case SSL2_HND_CLIENT_HELLO:
3116 dissect_ssl2_hnd_client_hello(tvb, pinfo, ssl_record_tree, offset, ssl);
3117 break;
3118
3119 case SSL2_HND_CLIENT_MASTER_KEY:
3120 dissect_ssl2_hnd_client_master_key(tvb, ssl_record_tree, offset);
3121 break;
3122
3123 case SSL2_HND_SERVER_HELLO:
3124 dissect_ssl2_hnd_server_hello(tvb, ssl_record_tree, offset, pinfo);
3125 break;
3126
3127 case SSL2_HND_ERROR:
3128 case SSL2_HND_CLIENT_FINISHED:
3129 case SSL2_HND_SERVER_VERIFY:
3130 case SSL2_HND_SERVER_FINISHED:
3131 case SSL2_HND_REQUEST_CERTIFICATE:
3132 case SSL2_HND_CLIENT_CERTIFICATE:
3133 /* unimplemented */
3134 break;
3135
3136 default: /* unknown */
3137 break;
3138 }
3139 }
3140 return (initial_offset + record_length_length + record_length);
3141 }
3142
3143 static void
dissect_ssl2_hnd_client_hello(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,guint32 offset,SslDecryptSession * ssl)3144 dissect_ssl2_hnd_client_hello(tvbuff_t *tvb, packet_info *pinfo,
3145 proto_tree *tree, guint32 offset,
3146 SslDecryptSession *ssl)
3147 {
3148 /* struct {
3149 * uint8 msg_type;
3150 * Version version;
3151 * uint16 cipher_spec_length;
3152 * uint16 session_id_length;
3153 * uint16 challenge_length;
3154 * V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length];
3155 * opaque session_id[V2ClientHello.session_id_length];
3156 * Random challenge;
3157 * } V2ClientHello;
3158 *
3159 * Note: when we get here, offset's already pointing at Version
3160 *
3161 */
3162 guint16 version;
3163 guint16 cipher_spec_length;
3164 guint16 session_id_length;
3165 guint16 challenge_length;
3166
3167 proto_item *ti;
3168 proto_tree *cs_tree;
3169 cs_tree=0;
3170
3171 version = tvb_get_ntohs(tvb, offset);
3172 if (!ssl_is_valid_ssl_version(version))
3173 {
3174 /* invalid version; probably encrypted data */
3175 return;
3176 }
3177
3178 if (ssl) {
3179 ssl_set_server(&ssl->session, &pinfo->dst, pinfo->ptype, pinfo->destport);
3180 }
3181
3182 /* show the version */
3183 proto_tree_add_item(tree, dissect_ssl3_hf.hf.hs_client_version, tvb,
3184 offset, 2, ENC_BIG_ENDIAN);
3185 offset += 2;
3186
3187 cipher_spec_length = tvb_get_ntohs(tvb, offset);
3188 proto_tree_add_item(tree, hf_ssl2_handshake_cipher_spec_len,
3189 tvb, offset, 2, ENC_BIG_ENDIAN);
3190 offset += 2;
3191
3192 session_id_length = tvb_get_ntohs(tvb, offset);
3193 ti = proto_tree_add_item(tree, hf_ssl2_handshake_session_id_len,
3194 tvb, offset, 2, ENC_BIG_ENDIAN);
3195 if (session_id_length > SSLV2_MAX_SESSION_ID_LENGTH_IN_BYTES) {
3196 expert_add_info_format(pinfo, ti, &ei_ssl2_handshake_session_id_len_error,
3197 "Session ID length (%u) must be less than %u.",
3198 session_id_length, SSLV2_MAX_SESSION_ID_LENGTH_IN_BYTES);
3199 return;
3200 }
3201 offset += 2;
3202
3203 challenge_length = tvb_get_ntohs(tvb, offset);
3204 if (tree)
3205 proto_tree_add_item(tree, hf_ssl2_handshake_challenge_len,
3206 tvb, offset, 2, ENC_BIG_ENDIAN);
3207 offset += 2;
3208
3209 if (tree)
3210 {
3211 /* tell the user how many cipher specs they've won */
3212 ti = proto_tree_add_none_format(tree, dissect_ssl3_hf.hf.hs_cipher_suites,
3213 tvb, offset, cipher_spec_length,
3214 "Cipher Specs (%u specs)",
3215 cipher_spec_length/3);
3216
3217 /* make this a subtree and expand the actual specs below */
3218 cs_tree = proto_item_add_subtree(ti, dissect_ssl3_hf.ett.cipher_suites);
3219 if (!cs_tree)
3220 {
3221 cs_tree = tree; /* failsafe */
3222 }
3223 }
3224
3225 /* iterate through the cipher specs, showing them */
3226 while (cipher_spec_length > 0)
3227 {
3228 if (cs_tree)
3229 proto_tree_add_item(cs_tree, hf_ssl2_handshake_cipher_spec,
3230 tvb, offset, 3, ENC_BIG_ENDIAN);
3231 offset += 3; /* length of one cipher spec */
3232 cipher_spec_length -= 3;
3233 }
3234
3235 /* if there's a session id, show it */
3236 if (session_id_length > 0)
3237 {
3238 proto_tree_add_bytes_format(tree,
3239 dissect_ssl3_hf.hf.hs_session_id,
3240 tvb, offset, session_id_length,
3241 NULL, "Session ID (%u byte%s)",
3242 session_id_length,
3243 plurality(session_id_length, "", "s"));
3244
3245 /* PAOLO: get session id and reset session state for key [re]negotiation */
3246 if (ssl)
3247 {
3248 tvb_memcpy(tvb,ssl->session_id.data, offset, session_id_length);
3249 ssl->session_id.data_len = session_id_length;
3250 ssl->state &= ~(SSL_HAVE_SESSION_KEY|SSL_MASTER_SECRET|SSL_PRE_MASTER_SECRET|
3251 SSL_CIPHER|SSL_SERVER_RANDOM);
3252 }
3253 offset += session_id_length;
3254 }
3255
3256 /* if there's a challenge, show it */
3257 if (challenge_length > 0)
3258 {
3259 proto_tree_add_item(tree, hf_ssl2_handshake_challenge,
3260 tvb, offset, challenge_length, ENC_NA);
3261 if (ssl)
3262 {
3263 /* PAOLO: get client random data; we get at most 32 bytes from
3264 challenge */
3265 gint max;
3266 max = challenge_length > 32? 32: challenge_length;
3267
3268 ssl_debug_printf("client random len: %d padded to 32\n", challenge_length);
3269
3270 /* client random is padded with zero and 'right' aligned */
3271 memset(ssl->client_random.data, 0, 32 - max);
3272 tvb_memcpy(tvb, &ssl->client_random.data[32 - max], offset, max);
3273 ssl->client_random.data_len = 32;
3274 ssl->state |= SSL_CLIENT_RANDOM;
3275 ssl_debug_printf("dissect_ssl2_hnd_client_hello found CLIENT RANDOM -> state 0x%02X\n", ssl->state);
3276 }
3277 }
3278 }
3279
3280 static void
dissect_ssl2_hnd_client_master_key(tvbuff_t * tvb,proto_tree * tree,guint32 offset)3281 dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb,
3282 proto_tree *tree, guint32 offset)
3283 {
3284 /* struct {
3285 * uint8 msg_type;
3286 * V2Cipherspec cipher;
3287 * uint16 clear_key_length;
3288 * uint16 encrypted_key_length;
3289 * uint16 key_arg_length;
3290 * opaque clear_key_data[V2ClientMasterKey.clear_key_length];
3291 * opaque encrypted_key_data[V2ClientMasterKey.encrypted_key_length];
3292 * opaque key_arg_data[V2ClientMasterKey.key_arg_length];
3293 * } V2ClientMasterKey;
3294 *
3295 * Note: when we get here, offset's already pointing at cipher
3296 */
3297 guint16 clear_key_length;
3298 guint16 encrypted_key_length;
3299 guint16 key_arg_length;
3300
3301 /* at this point, everything we do involves the tree,
3302 * so quit now if we don't have one ;-)
3303 */
3304 if (!tree)
3305 {
3306 return;
3307 }
3308
3309 /* show the selected cipher */
3310 proto_tree_add_item(tree, hf_ssl2_handshake_cipher_spec,
3311 tvb, offset, 3, ENC_BIG_ENDIAN);
3312 offset += 3;
3313
3314 /* get the fixed fields */
3315 clear_key_length = tvb_get_ntohs(tvb, offset);
3316 proto_tree_add_item(tree, hf_ssl2_handshake_clear_key_len,
3317 tvb, offset, 2, ENC_BIG_ENDIAN);
3318 offset += 2;
3319
3320 encrypted_key_length = tvb_get_ntohs(tvb, offset);
3321 proto_tree_add_item(tree, hf_ssl2_handshake_enc_key_len,
3322 tvb, offset, 2, ENC_BIG_ENDIAN);
3323 offset += 2;
3324
3325 key_arg_length = tvb_get_ntohs(tvb, offset);
3326 proto_tree_add_item(tree, hf_ssl2_handshake_key_arg_len,
3327 tvb, offset, 2, ENC_BIG_ENDIAN);
3328 offset += 2;
3329
3330 /* show the variable length fields */
3331 if (clear_key_length > 0)
3332 {
3333 proto_tree_add_item(tree, hf_ssl2_handshake_clear_key,
3334 tvb, offset, clear_key_length, ENC_NA);
3335 offset += clear_key_length;
3336 }
3337
3338 if (encrypted_key_length > 0)
3339 {
3340 proto_tree_add_item(tree, hf_ssl2_handshake_enc_key,
3341 tvb, offset, encrypted_key_length, ENC_NA);
3342 offset += encrypted_key_length;
3343 }
3344
3345 if (key_arg_length > 0)
3346 {
3347 proto_tree_add_item(tree, hf_ssl2_handshake_key_arg,
3348 tvb, offset, key_arg_length, ENC_NA);
3349 }
3350
3351 }
3352
3353 static void
dissect_ssl2_hnd_server_hello(tvbuff_t * tvb,proto_tree * tree,guint32 offset,packet_info * pinfo)3354 dissect_ssl2_hnd_server_hello(tvbuff_t *tvb,
3355 proto_tree *tree, guint32 offset, packet_info *pinfo)
3356 {
3357 /* struct {
3358 * uint8 msg_type;
3359 * uint8 session_id_hit;
3360 * uint8 certificate_type;
3361 * uint16 server_version;
3362 * uint16 certificate_length;
3363 * uint16 cipher_specs_length;
3364 * uint16 connection_id_length;
3365 * opaque certificate_data[V2ServerHello.certificate_length];
3366 * opaque cipher_specs_data[V2ServerHello.cipher_specs_length];
3367 * opaque connection_id_data[V2ServerHello.connection_id_length];
3368 * } V2ServerHello;
3369 *
3370 * Note: when we get here, offset's already pointing at session_id_hit
3371 */
3372 guint16 certificate_length;
3373 guint16 cipher_spec_length;
3374 guint16 connection_id_length;
3375 guint16 version;
3376 proto_item *ti;
3377 proto_tree *subtree;
3378 asn1_ctx_t asn1_ctx;
3379
3380 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
3381
3382 /* everything we do only makes sense with a tree, so
3383 * quit now if we don't have one
3384 */
3385 if (!tree)
3386 {
3387 return;
3388 }
3389
3390 version = tvb_get_ntohs(tvb, offset + 2);
3391 if (!ssl_is_valid_ssl_version(version))
3392 {
3393 /* invalid version; probably encrypted data */
3394 return;
3395 }
3396
3397
3398 /* is there a hit? */
3399 proto_tree_add_item(tree, hf_ssl2_handshake_session_id_hit,
3400 tvb, offset, 1, ENC_BIG_ENDIAN);
3401 offset += 1;
3402
3403 /* what type of certificate is this? */
3404 proto_tree_add_item(tree, hf_ssl2_handshake_cert_type,
3405 tvb, offset, 1, ENC_BIG_ENDIAN);
3406 offset += 1;
3407
3408 /* now the server version */
3409 proto_tree_add_item(tree, dissect_ssl3_hf.hf.hs_server_version,
3410 tvb, offset, 2, ENC_BIG_ENDIAN);
3411 offset += 2;
3412
3413 /* get the fixed fields */
3414 certificate_length = tvb_get_ntohs(tvb, offset);
3415 proto_tree_add_uint(tree, dissect_ssl3_hf.hf.hs_certificate_len,
3416 tvb, offset, 2, certificate_length);
3417 offset += 2;
3418
3419 cipher_spec_length = tvb_get_ntohs(tvb, offset);
3420 proto_tree_add_uint(tree, hf_ssl2_handshake_cipher_spec_len,
3421 tvb, offset, 2, cipher_spec_length);
3422 offset += 2;
3423
3424 connection_id_length = tvb_get_ntohs(tvb, offset);
3425 proto_tree_add_uint(tree, hf_ssl2_handshake_connection_id_len,
3426 tvb, offset, 2, connection_id_length);
3427 offset += 2;
3428
3429 /* now the variable length fields */
3430 if (certificate_length > 0)
3431 {
3432 (void)dissect_x509af_Certificate(FALSE, tvb, offset, &asn1_ctx, tree, dissect_ssl3_hf.hf.hs_certificate);
3433 offset += certificate_length;
3434 }
3435
3436 if (cipher_spec_length > 0)
3437 {
3438 /* provide a collapsing node for the cipher specs */
3439 ti = proto_tree_add_none_format(tree,
3440 dissect_ssl3_hf.hf.hs_cipher_suites,
3441 tvb, offset, cipher_spec_length,
3442 "Cipher Specs (%u spec%s)",
3443 cipher_spec_length/3,
3444 plurality(cipher_spec_length/3, "", "s"));
3445 subtree = proto_item_add_subtree(ti, dissect_ssl3_hf.ett.cipher_suites);
3446 if (!subtree)
3447 {
3448 subtree = tree;
3449 }
3450
3451 /* iterate through the cipher specs */
3452 while (cipher_spec_length > 0)
3453 {
3454 proto_tree_add_item(subtree, hf_ssl2_handshake_cipher_spec,
3455 tvb, offset, 3, ENC_BIG_ENDIAN);
3456 offset += 3;
3457 cipher_spec_length -= 3;
3458 }
3459 }
3460
3461 if (connection_id_length > 0)
3462 {
3463 proto_tree_add_item(tree, hf_ssl2_handshake_connection_id,
3464 tvb, offset, connection_id_length, ENC_NA);
3465 }
3466
3467 }
3468
3469
ssl_set_master_secret(guint32 frame_num,address * addr_srv,address * addr_cli,port_type ptype,guint32 port_srv,guint32 port_cli,guint32 version,gint cipher,const guchar * _master_secret,const guchar * _client_random,const guchar * _server_random,guint32 client_seq,guint32 server_seq)3470 void ssl_set_master_secret(guint32 frame_num, address *addr_srv, address *addr_cli,
3471 port_type ptype, guint32 port_srv, guint32 port_cli,
3472 guint32 version, gint cipher, const guchar *_master_secret,
3473 const guchar *_client_random, const guchar *_server_random,
3474 guint32 client_seq, guint32 server_seq)
3475 {
3476 conversation_t *conversation;
3477 SslDecryptSession *ssl;
3478 guint iv_len;
3479
3480 ssl_debug_printf("\nssl_set_master_secret enter frame #%u\n", frame_num);
3481
3482 conversation = find_conversation(frame_num, addr_srv, addr_cli, conversation_pt_to_endpoint_type(ptype), port_srv, port_cli, 0);
3483
3484 if (!conversation) {
3485 /* create a new conversation */
3486 conversation = conversation_new(frame_num, addr_srv, addr_cli, conversation_pt_to_endpoint_type(ptype), port_srv, port_cli, 0);
3487 ssl_debug_printf(" new conversation = %p created\n", (void *)conversation);
3488 }
3489 ssl = ssl_get_session(conversation, tls_handle);
3490
3491 ssl_debug_printf(" conversation = %p, ssl_session = %p\n", (void *)conversation, (void *)ssl);
3492
3493 ssl_set_server(&ssl->session, addr_srv, ptype, port_srv);
3494
3495 /* version */
3496 if ((ssl->session.version==SSL_VER_UNKNOWN) && (version!=SSL_VER_UNKNOWN)) {
3497 switch (version) {
3498 case SSLV3_VERSION:
3499 case TLSV1_VERSION:
3500 case TLSV1DOT1_VERSION:
3501 case TLSV1DOT2_VERSION:
3502 case GMTLSV1_VERSION:
3503 ssl->session.version = version;
3504 ssl->state |= SSL_VERSION;
3505 ssl_debug_printf("%s set version 0x%04X -> state 0x%02X\n", G_STRFUNC, ssl->session.version, ssl->state);
3506 break;
3507 default:
3508 /* API change: version number is no longer an internal value
3509 * (SSL_VER_*) but the ProtocolVersion from wire (*_VERSION) */
3510 ssl_debug_printf("%s WARNING must pass ProtocolVersion, not 0x%04x!\n", G_STRFUNC, version);
3511 break;
3512 }
3513 }
3514
3515 /* cipher */
3516 if (cipher > 0) {
3517 ssl->session.cipher = cipher;
3518 if (!(ssl->cipher_suite = ssl_find_cipher(ssl->session.cipher))) {
3519 ssl->state &= ~SSL_CIPHER;
3520 ssl_debug_printf("ssl_set_master_secret can't find cipher suite 0x%X\n", ssl->session.cipher);
3521 } else {
3522 ssl->state |= SSL_CIPHER;
3523 ssl_debug_printf("ssl_set_master_secret set CIPHER 0x%04X -> state 0x%02X\n", ssl->session.cipher, ssl->state);
3524 }
3525 }
3526
3527 /* client random */
3528 if (_client_random) {
3529 ssl_data_set(&ssl->client_random, _client_random, 32);
3530 ssl->state |= SSL_CLIENT_RANDOM;
3531 ssl_debug_printf("ssl_set_master_secret set CLIENT RANDOM -> state 0x%02X\n", ssl->state);
3532 }
3533
3534 /* server random */
3535 if (_server_random) {
3536 ssl_data_set(&ssl->server_random, _server_random, 32);
3537 ssl->state |= SSL_SERVER_RANDOM;
3538 ssl_debug_printf("ssl_set_master_secret set SERVER RANDOM -> state 0x%02X\n", ssl->state);
3539 }
3540
3541 /* master secret */
3542 if (_master_secret) {
3543 ssl_data_set(&ssl->master_secret, _master_secret, 48);
3544 ssl->state |= SSL_MASTER_SECRET;
3545 ssl_debug_printf("ssl_set_master_secret set MASTER SECRET -> state 0x%02X\n", ssl->state);
3546 }
3547
3548 ssl_debug_printf("ssl_set_master_secret trying to generate keys\n");
3549 if (ssl_generate_keyring_material(ssl)<0) {
3550 ssl_debug_printf("ssl_set_master_secret can't generate keyring material\n");
3551 return;
3552 }
3553
3554 /* change ciphers immediately */
3555 ssl_change_cipher(ssl, TRUE);
3556 ssl_change_cipher(ssl, FALSE);
3557
3558 /* update seq numbers if available */
3559 /* TODO change API to accept 64-bit sequence numbers. */
3560 if (ssl->client && (client_seq != (guint32)-1)) {
3561 ssl->client->seq = client_seq;
3562 ssl_debug_printf("ssl_set_master_secret client->seq updated to %" G_GUINT64_FORMAT "\n", ssl->client->seq);
3563 }
3564 if (ssl->server && (server_seq != (guint32)-1)) {
3565 ssl->server->seq = server_seq;
3566 ssl_debug_printf("ssl_set_master_secret server->seq updated to %" G_GUINT64_FORMAT "\n", ssl->server->seq);
3567 }
3568
3569 /* update IV from last data */
3570 iv_len = ssl_get_cipher_blocksize(ssl->cipher_suite);
3571 if (ssl->client && ((ssl->client->seq > 0) || (ssl->client_data_for_iv.data_len > iv_len))) {
3572 ssl_cipher_setiv(&ssl->client->evp, ssl->client_data_for_iv.data + ssl->client_data_for_iv.data_len - iv_len, iv_len);
3573 ssl_print_data("ssl_set_master_secret client IV updated",ssl->client_data_for_iv.data + ssl->client_data_for_iv.data_len - iv_len, iv_len);
3574 }
3575 if (ssl->server && ((ssl->server->seq > 0) || (ssl->server_data_for_iv.data_len > iv_len))) {
3576 ssl_cipher_setiv(&ssl->server->evp, ssl->server_data_for_iv.data + ssl->server_data_for_iv.data_len - iv_len, iv_len);
3577 ssl_print_data("ssl_set_master_secret server IV updated",ssl->server_data_for_iv.data + ssl->server_data_for_iv.data_len - iv_len, iv_len);
3578 }
3579 }
3580
3581
3582 /*********************************************************************
3583 *
3584 * Support Functions
3585 *
3586 *********************************************************************/
3587 static gint
ssl_is_valid_ssl_version(const guint16 version)3588 ssl_is_valid_ssl_version(const guint16 version)
3589 {
3590 const gchar *version_str;
3591
3592 version_str = try_val_to_str(version, ssl_versions);
3593 return version_str != NULL;
3594 }
3595
3596 static gint
ssl_is_v2_client_hello(tvbuff_t * tvb,const guint32 offset)3597 ssl_is_v2_client_hello(tvbuff_t *tvb, const guint32 offset)
3598 {
3599 guint8 byte;
3600
3601 byte = tvb_get_guint8(tvb, offset);
3602 if (byte != 0x80) /* v2 client hello should start this way */
3603 {
3604 return 0;
3605 }
3606
3607 byte = tvb_get_guint8(tvb, offset+2);
3608 if (byte != 0x01) /* v2 client hello msg type */
3609 {
3610 return 0;
3611 }
3612
3613 /* 1 in 2^16 of being right; improve later if necessary */
3614 return 1;
3615 }
3616
3617 /* this applies a heuristic to determine whether
3618 * or not the data beginning at offset looks like a
3619 * valid sslv2 record. this isn't really possible,
3620 * but we'll try to do a reasonable job anyway.
3621 */
3622 static gint
ssl_looks_like_sslv2(tvbuff_t * tvb,const guint32 offset)3623 ssl_looks_like_sslv2(tvbuff_t *tvb, const guint32 offset)
3624 {
3625 /* here's the current approach:
3626 *
3627 * we only try to catch unencrypted handshake messages, so we can
3628 * assume that there is not padding. This means that the
3629 * first byte must be >= 0x80 and there must be a valid sslv2
3630 * msg_type in the third byte
3631 */
3632
3633 /* get the first byte; must have high bit set */
3634 guint8 byte;
3635 byte = tvb_get_guint8(tvb, offset);
3636
3637 if (byte < 0x80)
3638 {
3639 return 0;
3640 }
3641
3642 /* get the supposed msg_type byte; since we only care about
3643 * unencrypted handshake messages (we can't tell the type for
3644 * encrypted messages), we just check against that list
3645 */
3646 byte = tvb_get_guint8(tvb, offset + 2);
3647 switch (byte) {
3648 case SSL2_HND_ERROR:
3649 case SSL2_HND_CLIENT_HELLO:
3650 case SSL2_HND_CLIENT_MASTER_KEY:
3651 case SSL2_HND_SERVER_HELLO:
3652 return 1;
3653 }
3654 return 0;
3655 }
3656
3657 /* this applies a heuristic to determine whether
3658 * or not the data beginning at offset looks like a
3659 * valid sslv3 record. this is somewhat more reliable
3660 * than sslv2 due to the structure of the v3 protocol
3661 */
3662 static gint
ssl_looks_like_sslv3(tvbuff_t * tvb,const guint32 offset)3663 ssl_looks_like_sslv3(tvbuff_t *tvb, const guint32 offset)
3664 {
3665 /* have to have a valid content type followed by a valid
3666 * protocol version
3667 */
3668 guint8 byte;
3669 guint16 version;
3670
3671 /* see if the first byte is a valid content type */
3672 byte = tvb_get_guint8(tvb, offset);
3673 if (!ssl_is_valid_content_type(byte))
3674 {
3675 return 0;
3676 }
3677
3678 /* now check to see if the version byte appears valid */
3679 version = tvb_get_ntohs(tvb, offset + 1);
3680 switch (version) {
3681 case SSLV3_VERSION:
3682 case TLSV1_VERSION:
3683 case TLSV1DOT1_VERSION:
3684 case TLSV1DOT2_VERSION:
3685 case GMTLSV1_VERSION:
3686 return 1;
3687 }
3688 return 0;
3689 }
3690
3691 /* applies a heuristic to determine whether
3692 * or not the data beginning at offset looks
3693 * like a valid, unencrypted v2 handshake message.
3694 * since it isn't possible to completely tell random
3695 * data apart from a valid message without state,
3696 * we try to help the odds.
3697 */
3698 static gint
ssl_looks_like_valid_v2_handshake(tvbuff_t * tvb,const guint32 offset,const guint32 record_length)3699 ssl_looks_like_valid_v2_handshake(tvbuff_t *tvb, const guint32 offset,
3700 const guint32 record_length)
3701 {
3702 /* first byte should be a msg_type.
3703 *
3704 * - we know we only see client_hello, client_master_key,
3705 * and server_hello in the clear, so check to see if
3706 * msg_type is one of those (this gives us a 3 in 2^8
3707 * chance of saying yes with random payload)
3708 *
3709 * - for those three types that we know about, do some
3710 * further validation to reduce the chance of an error
3711 */
3712 guint8 msg_type;
3713 guint16 version;
3714 guint32 sum;
3715 gint ret = 0;
3716
3717 /* fetch the msg_type */
3718 msg_type = tvb_get_guint8(tvb, offset);
3719
3720 switch (msg_type) {
3721 case SSL2_HND_CLIENT_HELLO:
3722 /* version follows msg byte, so verify that this is valid */
3723 version = tvb_get_ntohs(tvb, offset+1);
3724 ret = ssl_is_valid_ssl_version(version);
3725 break;
3726
3727 case SSL2_HND_SERVER_HELLO:
3728 /* version is three bytes after msg_type */
3729 version = tvb_get_ntohs(tvb, offset+3);
3730 ret = ssl_is_valid_ssl_version(version);
3731 break;
3732
3733 case SSL2_HND_CLIENT_MASTER_KEY:
3734 /* sum of clear_key_length, encrypted_key_length, and key_arg_length
3735 * must be less than record length
3736 */
3737 sum = tvb_get_ntohs(tvb, offset + 4); /* clear_key_length */
3738 sum += tvb_get_ntohs(tvb, offset + 6); /* encrypted_key_length */
3739 sum += tvb_get_ntohs(tvb, offset + 8); /* key_arg_length */
3740 if (sum <= record_length) {
3741 ret = 1;
3742 }
3743 break;
3744
3745 default:
3746 break;
3747 }
3748
3749 return ret;
3750 }
3751
3752 gboolean
tls_get_cipher_info(packet_info * pinfo,guint16 cipher_suite,int * cipher_algo,int * cipher_mode,int * hash_algo)3753 tls_get_cipher_info(packet_info *pinfo, guint16 cipher_suite, int *cipher_algo, int *cipher_mode, int *hash_algo)
3754 {
3755 if (cipher_suite == 0) {
3756 conversation_t *conv = find_conversation_pinfo(pinfo, 0);
3757 if (!conv) {
3758 return FALSE;
3759 }
3760
3761 void *conv_data = conversation_get_proto_data(conv, proto_tls);
3762 if (conv_data == NULL) {
3763 return FALSE;
3764 }
3765
3766 SslDecryptSession *ssl_session = (SslDecryptSession *)conv_data;
3767 cipher_suite = ssl_session->session.cipher;
3768 }
3769 const SslCipherSuite *suite = ssl_find_cipher(cipher_suite);
3770 if (!suite) {
3771 return FALSE;
3772 }
3773
3774 /* adapted from ssl_cipher_init in packet-tls-utils.c */
3775 static const gint gcry_modes[] = {
3776 GCRY_CIPHER_MODE_STREAM,
3777 GCRY_CIPHER_MODE_CBC,
3778 #ifdef HAVE_LIBGCRYPT_AEAD
3779 GCRY_CIPHER_MODE_GCM,
3780 GCRY_CIPHER_MODE_CCM,
3781 GCRY_CIPHER_MODE_CCM,
3782 #else
3783 -1, /* Do not bother with fallback support. */
3784 -1,
3785 -1,
3786 #endif
3787 #ifdef HAVE_LIBGCRYPT_CHACHA20_POLY1305
3788 GCRY_CIPHER_MODE_POLY1305,
3789 #else
3790 -1, /* AEAD_CHACHA20_POLY1305 is unsupported. */
3791 #endif
3792 };
3793 static const int gcry_mds[] = {
3794 GCRY_MD_MD5,
3795 GCRY_MD_SHA1,
3796 GCRY_MD_SHA256,
3797 GCRY_MD_SHA384,
3798 -1,
3799 };
3800 int mode = gcry_modes[suite->mode];
3801 int cipher_algo_id = ssl_get_cipher_algo(suite);
3802 int hash_algo_id = gcry_mds[suite->dig-DIG_MD5];
3803 if (mode == -1 || cipher_algo_id == 0 || hash_algo_id == -1) {
3804 /* Identifiers are unusable, fail. */
3805 return FALSE;
3806 }
3807 if (cipher_algo) {
3808 *cipher_algo = cipher_algo_id;
3809 }
3810 if (cipher_mode) {
3811 *cipher_mode = mode;
3812 }
3813 if (hash_algo) {
3814 *hash_algo = hash_algo_id;
3815 }
3816
3817 return TRUE;
3818 }
3819
3820 /**
3821 * Load the QUIC traffic secret from the keylog file.
3822 * Returns the secret length (at most 'secret_max_len') and the secret into
3823 * 'secret' if a secret was found, or zero otherwise.
3824 */
3825 gint
tls13_get_quic_secret(packet_info * pinfo,gboolean is_from_server,int type,guint secret_min_len,guint secret_max_len,guint8 * secret_out)3826 tls13_get_quic_secret(packet_info *pinfo, gboolean is_from_server, int type, guint secret_min_len, guint secret_max_len, guint8 *secret_out)
3827 {
3828 GHashTable *key_map;
3829 const char *label;
3830 conversation_t *conv = find_conversation_pinfo(pinfo, 0);
3831 if (!conv) {
3832 return 0;
3833 }
3834
3835 SslDecryptSession *ssl = (SslDecryptSession *)conversation_get_proto_data(conv, proto_tls);
3836 if (ssl == NULL) {
3837 return 0;
3838 }
3839
3840 gboolean is_quic = !!(ssl->state & SSL_QUIC_RECORD_LAYER);
3841 ssl_debug_printf("%s frame %d is_quic=%d\n", G_STRFUNC, pinfo->num, is_quic);
3842 if (!is_quic) {
3843 return 0;
3844 }
3845
3846 if (ssl->client_random.data_len == 0) {
3847 /* May happen if Hello message is missing and Finished is found. */
3848 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC);
3849 return 0;
3850 }
3851
3852 // Not strictly necessary as QUIC CRYPTO frames have just been processed
3853 // which also calls ssl_load_keyfile for key transitions.
3854 ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, &ssl_master_key_map);
3855
3856 switch ((TLSRecordType)type) {
3857 case TLS_SECRET_0RTT_APP:
3858 DISSECTOR_ASSERT(!is_from_server);
3859 label = "CLIENT_EARLY_TRAFFIC_SECRET";
3860 key_map = ssl_master_key_map.tls13_client_early;
3861 break;
3862 case TLS_SECRET_HANDSHAKE:
3863 if (is_from_server) {
3864 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
3865 key_map = ssl_master_key_map.tls13_server_handshake;
3866 } else {
3867 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
3868 key_map = ssl_master_key_map.tls13_client_handshake;
3869 }
3870 break;
3871 case TLS_SECRET_APP:
3872 if (is_from_server) {
3873 label = "SERVER_TRAFFIC_SECRET_0";
3874 key_map = ssl_master_key_map.tls13_server_appdata;
3875 } else {
3876 label = "CLIENT_TRAFFIC_SECRET_0";
3877 key_map = ssl_master_key_map.tls13_client_appdata;
3878 }
3879 break;
3880 default:
3881 ws_assert_not_reached();
3882 }
3883
3884 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
3885 if (!secret || secret->data_len < secret_min_len || secret->data_len > secret_max_len) {
3886 ssl_debug_printf("%s Cannot find QUIC %s of size %d..%d, found bad size %d!\n",
3887 G_STRFUNC, label, secret_min_len, secret_max_len, secret ? secret->data_len : 0);
3888 return 0;
3889 }
3890
3891 ssl_debug_printf("%s Retrieved QUIC traffic secret.\n", G_STRFUNC);
3892 ssl_print_string("Client Random", &ssl->client_random);
3893 ssl_print_string(label, secret);
3894 memcpy(secret_out, secret->data, secret->data_len);
3895 return secret->data_len;
3896 }
3897
3898 const char *
tls_get_alpn(packet_info * pinfo)3899 tls_get_alpn(packet_info *pinfo)
3900 {
3901 conversation_t *conv = find_conversation_pinfo(pinfo, 0);
3902 if (!conv) {
3903 return NULL;
3904 }
3905
3906 SslDecryptSession *session = (SslDecryptSession *)conversation_get_proto_data(conv, proto_tls);
3907 if (session == NULL) {
3908 return NULL;
3909 }
3910
3911 return session->session.alpn_name;
3912 }
3913
3914 /* TLS Exporters {{{ */
3915 #if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
3916 /**
3917 * Computes the TLS 1.3 Exporter value (RFC 8446 Section 7.5).
3918 *
3919 * "secret" is the [early_]exporter_master_secret. On success, TRUE is returned
3920 * and the key is returned via "out" (free with "wmem_free(NULL, out)").
3921 */
3922 static gboolean
tls13_exporter_common(int algo,const StringInfo * secret,const char * label,guint8 * context,guint context_length,guint key_length,guchar ** out)3923 tls13_exporter_common(int algo, const StringInfo *secret, const char *label, guint8 *context,
3924 guint context_length, guint key_length, guchar **out)
3925 {
3926 /* TLS-Exporter(label, context_value, key_length) =
3927 * HKDF-Expand-Label(Derive-Secret(Secret, label, ""),
3928 * "exporter", Hash(context_value), key_length)
3929 *
3930 * Derive-Secret(Secret, Label, Messages) =
3931 * HKDF-Expand-Label(Secret, Label,
3932 * Transcript-Hash(Messages), Hash.length)
3933 */
3934 gcry_error_t err;
3935 gcry_md_hd_t hd;
3936 const char *hash_value;
3937 StringInfo derived_secret = { NULL, 0 };
3938 // QUIC -09 currently uses draft 23, so no need to support older TLS drafts
3939 const char *label_prefix = "tls13 ";
3940
3941 err = gcry_md_open(&hd, algo, 0);
3942 if (err) {
3943 return FALSE;
3944 }
3945
3946 /* Calculate Derive-Secret(Secret, label, ""). */
3947 hash_value = gcry_md_read(hd, 0); /* Empty Messages */
3948 guint8 hash_len = (guint8) gcry_md_get_algo_dlen(algo);
3949 derived_secret.data_len = hash_len;
3950 if (!tls13_hkdf_expand_label_context(algo, secret, label_prefix, label, hash_value, hash_len, derived_secret.data_len, &derived_secret.data)) {
3951 gcry_md_close(hd);
3952 return FALSE;
3953 }
3954
3955 /* HKDF-Expand-Label(..., "exporter", Hash(context_value), key_length) */
3956 gcry_md_write(hd, context, context_length);
3957 hash_value = gcry_md_read(hd, 0);
3958 tls13_hkdf_expand_label_context(algo, &derived_secret, label_prefix, "exporter", hash_value, hash_len, key_length, out);
3959 wmem_free(NULL, derived_secret.data);
3960 gcry_md_close(hd);
3961
3962 return TRUE;
3963 }
3964
3965 /**
3966 * Exports keying material using "[early_]exporter_master_secret". See
3967 * tls13_exporter_common for more details.
3968 */
3969 gboolean
tls13_exporter(packet_info * pinfo,gboolean is_early,const char * label,guint8 * context,guint context_length,guint key_length,guchar ** out)3970 tls13_exporter(packet_info *pinfo, gboolean is_early,
3971 const char *label, guint8 *context,
3972 guint context_length, guint key_length, guchar **out)
3973 {
3974 int hash_algo = 0;
3975 GHashTable *key_map;
3976 const StringInfo *secret;
3977
3978 if (!tls_get_cipher_info(pinfo, 0, NULL, NULL, &hash_algo)) {
3979 return FALSE;
3980 }
3981
3982 /* Lookup EXPORTER_SECRET based on client_random from conversation */
3983 conversation_t *conv = find_conversation_pinfo(pinfo, 0);
3984 if (!conv) {
3985 return FALSE;
3986 }
3987
3988 void *conv_data = conversation_get_proto_data(conv, proto_tls);
3989 if (conv_data == NULL) {
3990 return FALSE;
3991 }
3992
3993 SslDecryptSession *ssl_session = (SslDecryptSession *)conv_data;
3994 ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, &ssl_master_key_map);
3995 key_map = is_early ? ssl_master_key_map.tls13_early_exporter
3996 : ssl_master_key_map.tls13_exporter;
3997 secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl_session->client_random);
3998 if (!secret) {
3999 return FALSE;
4000 }
4001
4002 return tls13_exporter_common(hash_algo, secret, label, context, context_length, key_length, out);
4003 }
4004 #endif
4005 /* }}} */
4006
4007
4008 /* UAT */
4009
4010 #ifdef HAVE_LIBGNUTLS
4011 static void
ssldecrypt_free_cb(void * r)4012 ssldecrypt_free_cb(void *r)
4013 {
4014 ssldecrypt_assoc_t *h = (ssldecrypt_assoc_t *)r;
4015
4016 g_free(h->ipaddr);
4017 g_free(h->port);
4018 g_free(h->protocol);
4019 g_free(h->keyfile);
4020 g_free(h->password);
4021 }
4022
4023 static void*
ssldecrypt_copy_cb(void * dest,const void * orig,size_t len _U_)4024 ssldecrypt_copy_cb(void *dest, const void *orig, size_t len _U_)
4025 {
4026 const ssldecrypt_assoc_t *o = (const ssldecrypt_assoc_t *)orig;
4027 ssldecrypt_assoc_t *d = (ssldecrypt_assoc_t *)dest;
4028
4029 d->ipaddr = g_strdup(o->ipaddr);
4030 d->port = g_strdup(o->port);
4031 d->protocol = g_strdup(o->protocol);
4032 d->keyfile = g_strdup(o->keyfile);
4033 d->password = g_strdup(o->password);
4034
4035 return d;
4036 }
4037
UAT_CSTRING_CB_DEF(sslkeylist_uats,ipaddr,ssldecrypt_assoc_t)4038 UAT_CSTRING_CB_DEF(sslkeylist_uats,ipaddr,ssldecrypt_assoc_t)
4039 UAT_CSTRING_CB_DEF(sslkeylist_uats,port,ssldecrypt_assoc_t)
4040 UAT_CSTRING_CB_DEF(sslkeylist_uats,protocol,ssldecrypt_assoc_t)
4041 UAT_FILENAME_CB_DEF(sslkeylist_uats,keyfile,ssldecrypt_assoc_t)
4042 UAT_CSTRING_CB_DEF(sslkeylist_uats,password,ssldecrypt_assoc_t)
4043
4044 static gboolean
4045 ssldecrypt_uat_fld_protocol_chk_cb(void* r _U_, const char* p, guint len _U_, const void* u1 _U_, const void* u2 _U_, char** err)
4046 {
4047 if (!p || strlen(p) == 0u) {
4048 // This should be removed in favor of Decode As. Make it optional.
4049 *err = NULL;
4050 return TRUE;
4051 }
4052
4053 if (!ssl_find_appdata_dissector(p)) {
4054 if (proto_get_id_by_filter_name(p) != -1) {
4055 *err = g_strdup_printf("While '%s' is a valid dissector filter name, that dissector is not configured"
4056 " to support TLS decryption.\n\n"
4057 "If you need to decrypt '%s' over TLS, please contact the Wireshark development team.", p, p);
4058 } else {
4059 char* ssl_str = ssl_association_info("tls.port", "TCP");
4060 *err = g_strdup_printf("Could not find dissector for: '%s'\nCommonly used TLS dissectors include:\n%s", p, ssl_str);
4061 g_free(ssl_str);
4062 }
4063 return FALSE;
4064 }
4065
4066 *err = NULL;
4067 return TRUE;
4068 }
4069 #endif /* HAVE_LIBGNUTLS */
4070
4071 static void
ssl_src_prompt(packet_info * pinfo,gchar * result)4072 ssl_src_prompt(packet_info *pinfo, gchar *result)
4073 {
4074 SslPacketInfo* pi;
4075 guint32 srcport = pinfo->srcport;
4076
4077 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, pinfo->curr_layer_num);
4078 if (pi != NULL)
4079 srcport = pi->srcport;
4080
4081 g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "source (%u%s)", srcport, UTF8_RIGHTWARDS_ARROW);
4082 }
4083
4084 static gpointer
ssl_src_value(packet_info * pinfo)4085 ssl_src_value(packet_info *pinfo)
4086 {
4087 SslPacketInfo* pi;
4088
4089 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, pinfo->curr_layer_num);
4090 if (pi == NULL)
4091 return GUINT_TO_POINTER(pinfo->srcport);
4092
4093 return GUINT_TO_POINTER(pi->srcport);
4094 }
4095
4096 static void
ssl_dst_prompt(packet_info * pinfo,gchar * result)4097 ssl_dst_prompt(packet_info *pinfo, gchar *result)
4098 {
4099 SslPacketInfo* pi;
4100 guint32 destport = pinfo->destport;
4101
4102 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, pinfo->curr_layer_num);
4103 if (pi != NULL)
4104 destport = pi->destport;
4105
4106 g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "destination (%s%u)", UTF8_RIGHTWARDS_ARROW, destport);
4107 }
4108
4109 static gpointer
ssl_dst_value(packet_info * pinfo)4110 ssl_dst_value(packet_info *pinfo)
4111 {
4112 SslPacketInfo* pi;
4113
4114 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, pinfo->curr_layer_num);
4115 if (pi == NULL)
4116 return GUINT_TO_POINTER(pinfo->destport);
4117
4118 return GUINT_TO_POINTER(pi->destport);
4119 }
4120
4121 static void
ssl_both_prompt(packet_info * pinfo,gchar * result)4122 ssl_both_prompt(packet_info *pinfo, gchar *result)
4123 {
4124 SslPacketInfo* pi;
4125 guint32 srcport = pinfo->srcport,
4126 destport = pinfo->destport;
4127
4128 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, pinfo->curr_layer_num);
4129 if (pi != NULL)
4130 {
4131 srcport = pi->srcport;
4132 destport = pi->destport;
4133 }
4134
4135 g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "both (%u%s%u)", srcport, UTF8_LEFT_RIGHT_ARROW, destport);
4136 }
4137
4138 static void
tls_secrets_block_callback(const void * secrets,guint size)4139 tls_secrets_block_callback(const void *secrets, guint size)
4140 {
4141 tls_keylog_process_lines(&ssl_master_key_map, (const guint8 *)secrets, size);
4142 }
4143
4144 /*********************************************************************
4145 *
4146 * Standard Wireshark Protocol Registration and housekeeping
4147 *
4148 *********************************************************************/
4149 void
proto_register_tls(void)4150 proto_register_tls(void)
4151 {
4152
4153 /* Setup list of header fields See Section 1.6.1 for details*/
4154 static hf_register_info hf[] = {
4155 { &hf_tls_record,
4156 { "Record Layer", "tls.record",
4157 FT_NONE, BASE_NONE, NULL, 0x0,
4158 NULL, HFILL }
4159 },
4160 { &hf_tls_record_content_type,
4161 { "Content Type", "tls.record.content_type",
4162 FT_UINT8, BASE_DEC, VALS(ssl_31_content_type), 0x0,
4163 NULL, HFILL}
4164 },
4165 { &hf_tls_record_opaque_type,
4166 { "Opaque Type", "tls.record.opaque_type",
4167 FT_UINT8, BASE_DEC, VALS(ssl_31_content_type), 0x0,
4168 "Always set to value 23, actual content type is known after decryption", HFILL}
4169 },
4170 { &hf_ssl2_msg_type,
4171 { "Handshake Message Type", "tls.handshake.type",
4172 FT_UINT8, BASE_DEC, VALS(ssl_20_msg_types), 0x0,
4173 "SSLv2 handshake message type", HFILL}
4174 },
4175 { &hf_tls_record_version,
4176 { "Version", "tls.record.version",
4177 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
4178 "Record layer version", HFILL }
4179 },
4180 { &hf_tls_record_length,
4181 { "Length", "tls.record.length",
4182 FT_UINT16, BASE_DEC, NULL, 0x0,
4183 "Length of TLS record data", HFILL }
4184 },
4185 { &hf_tls_record_appdata,
4186 { "Encrypted Application Data", "tls.app_data",
4187 FT_BYTES, BASE_NONE, NULL, 0x0,
4188 "Payload is encrypted application data", HFILL }
4189 },
4190 { &hf_tls_record_appdata_proto,
4191 { "Application Data Protocol", "tls.app_data_proto",
4192 FT_STRING, BASE_NONE, NULL, 0x0,
4193 NULL, HFILL }
4194 },
4195 { &hf_ssl2_record,
4196 { "SSLv2 Record Header", "tls.record",
4197 FT_NONE, BASE_NONE, NULL, 0x0,
4198 "SSLv2 record data", HFILL }
4199 },
4200 { &hf_ssl2_record_is_escape,
4201 { "Is Escape", "tls.record.is_escape",
4202 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
4203 "Indicates a security escape", HFILL}
4204 },
4205 { &hf_ssl2_record_padding_length,
4206 { "Padding Length", "tls.record.padding_length",
4207 FT_UINT8, BASE_DEC, NULL, 0x0,
4208 "Length of padding at end of record", HFILL }
4209 },
4210 { &hf_tls_alert_message,
4211 { "Alert Message", "tls.alert_message",
4212 FT_NONE, BASE_NONE, NULL, 0x0,
4213 NULL, HFILL }
4214 },
4215 { &hf_tls_alert_message_level,
4216 { "Level", "tls.alert_message.level",
4217 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_level), 0x0,
4218 "Alert message level", HFILL }
4219 },
4220 { &hf_tls_alert_message_description,
4221 { "Description", "tls.alert_message.desc",
4222 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_description), 0x0,
4223 "Alert message description", HFILL }
4224 },
4225 { &hf_tls_handshake_protocol,
4226 { "Handshake Protocol", "tls.handshake",
4227 FT_NONE, BASE_NONE, NULL, 0x0,
4228 "Handshake protocol message", HFILL}
4229 },
4230 { &hf_tls_handshake_type,
4231 { "Handshake Type", "tls.handshake.type",
4232 FT_UINT8, BASE_DEC, VALS(ssl_31_handshake_type), 0x0,
4233 "Type of handshake message", HFILL}
4234 },
4235 { &hf_tls_handshake_length,
4236 { "Length", "tls.handshake.length",
4237 FT_UINT24, BASE_DEC, NULL, 0x0,
4238 "Length of handshake message", HFILL }
4239 },
4240 { &hf_ssl2_handshake_cipher_spec,
4241 { "Cipher Spec", "tls.handshake.cipherspec",
4242 FT_UINT24, BASE_HEX|BASE_EXT_STRING, &ssl_20_cipher_suites_ext, 0x0,
4243 "Cipher specification", HFILL }
4244 },
4245 { &hf_tls_handshake_npn_selected_protocol_len,
4246 { "Selected Protocol Length", "tls.handshake.npn_selected_protocol_len",
4247 FT_UINT8, BASE_DEC, NULL, 0x0,
4248 NULL, HFILL }
4249 },
4250 { &hf_tls_handshake_npn_selected_protocol,
4251 { "Selected Protocol", "tls.handshake.npn_selected_protocol",
4252 FT_STRING, BASE_NONE, NULL, 0x0,
4253 "Protocol to be used for connection", HFILL }
4254 },
4255 { &hf_tls_handshake_npn_padding_len,
4256 { "Padding Length", "tls.handshake.npn_padding_len",
4257 FT_UINT8, BASE_DEC, NULL, 0x0,
4258 NULL, HFILL }
4259 },
4260 { &hf_tls_handshake_npn_padding,
4261 { "Padding", "tls.handshake.npn_padding",
4262 FT_BYTES, BASE_NONE, NULL, 0x0,
4263 NULL, HFILL }
4264 },
4265 { &ssl_hfs.hs_md5_hash,
4266 { "MD5 Hash", "tls.handshake.md5_hash",
4267 FT_NONE, BASE_NONE, NULL, 0x0,
4268 "Hash of messages, master_secret, etc.", HFILL }
4269 },
4270 { &ssl_hfs.hs_sha_hash,
4271 { "SHA-1 Hash", "tls.handshake.sha_hash",
4272 FT_NONE, BASE_NONE, NULL, 0x0,
4273 "Hash of messages, master_secret, etc.", HFILL }
4274 },
4275 { &hf_tls_heartbeat_message,
4276 { "Heartbeat Message", "tls.heartbeat_message",
4277 FT_NONE, BASE_NONE, NULL, 0x0,
4278 NULL, HFILL }
4279 },
4280 { &hf_tls_heartbeat_message_type,
4281 { "Type", "tls.heartbeat_message.type",
4282 FT_UINT8, BASE_DEC, VALS(tls_heartbeat_type), 0x0,
4283 "Heartbeat message type", HFILL }
4284 },
4285 { &hf_tls_heartbeat_message_payload_length,
4286 { "Payload Length", "tls.heartbeat_message.payload_length",
4287 FT_UINT16, BASE_DEC, NULL, 0x00, NULL, HFILL }
4288 },
4289 { &hf_tls_heartbeat_message_payload,
4290 { "Payload Length", "tls.heartbeat_message.payload",
4291 FT_BYTES, BASE_NONE, NULL, 0x00, NULL, HFILL }
4292 },
4293 { &hf_tls_heartbeat_message_padding,
4294 { "Payload Length", "tls.heartbeat_message.padding",
4295 FT_BYTES, BASE_NONE, NULL, 0x00, NULL, HFILL }
4296 },
4297 { &hf_ssl2_handshake_challenge,
4298 { "Challenge", "tls.handshake.challenge",
4299 FT_NONE, BASE_NONE, NULL, 0x0,
4300 "Challenge data used to authenticate server", HFILL }
4301 },
4302 { &hf_ssl2_handshake_cipher_spec_len,
4303 { "Cipher Spec Length", "tls.handshake.cipher_spec_len",
4304 FT_UINT16, BASE_DEC, NULL, 0x0,
4305 "Length of cipher specs field", HFILL }
4306 },
4307 { &hf_ssl2_handshake_session_id_len,
4308 { "Session ID Length", "tls.handshake.session_id_length",
4309 FT_UINT16, BASE_DEC, NULL, 0x0,
4310 "Length of session ID field", HFILL }
4311 },
4312 { &hf_ssl2_handshake_challenge_len,
4313 { "Challenge Length", "tls.handshake.challenge_length",
4314 FT_UINT16, BASE_DEC, NULL, 0x0,
4315 "Length of challenge field", HFILL }
4316 },
4317 { &hf_ssl2_handshake_clear_key_len,
4318 { "Clear Key Data Length", "tls.handshake.clear_key_length",
4319 FT_UINT16, BASE_DEC, NULL, 0x0,
4320 "Length of clear key data", HFILL }
4321 },
4322 { &hf_ssl2_handshake_enc_key_len,
4323 { "Encrypted Key Data Length", "tls.handshake.encrypted_key_length",
4324 FT_UINT16, BASE_DEC, NULL, 0x0,
4325 "Length of encrypted key data", HFILL }
4326 },
4327 { &hf_ssl2_handshake_key_arg_len,
4328 { "Key Argument Length", "tls.handshake.key_arg_length",
4329 FT_UINT16, BASE_DEC, NULL, 0x0,
4330 "Length of key argument", HFILL }
4331 },
4332 { &hf_ssl2_handshake_clear_key,
4333 { "Clear Key Data", "tls.handshake.clear_key_data",
4334 FT_NONE, BASE_NONE, NULL, 0x0,
4335 "Clear portion of MASTER-KEY", HFILL }
4336 },
4337 { &hf_ssl2_handshake_enc_key,
4338 { "Encrypted Key", "tls.handshake.encrypted_key",
4339 FT_NONE, BASE_NONE, NULL, 0x0,
4340 "Secret portion of MASTER-KEY encrypted to server", HFILL }
4341 },
4342 { &hf_ssl2_handshake_key_arg,
4343 { "Key Argument", "tls.handshake.key_arg",
4344 FT_NONE, BASE_NONE, NULL, 0x0,
4345 "Key Argument (e.g., Initialization Vector)", HFILL }
4346 },
4347 { &hf_ssl2_handshake_session_id_hit,
4348 { "Session ID Hit", "tls.handshake.session_id_hit",
4349 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
4350 "Did the server find the client's Session ID?", HFILL }
4351 },
4352 { &hf_ssl2_handshake_cert_type,
4353 { "Certificate Type", "tls.handshake.cert_type",
4354 FT_UINT8, BASE_DEC, VALS(ssl_20_certificate_type), 0x0,
4355 NULL, HFILL }
4356 },
4357 { &hf_ssl2_handshake_connection_id_len,
4358 { "Connection ID Length", "tls.handshake.connection_id_length",
4359 FT_UINT16, BASE_DEC, NULL, 0x0,
4360 "Length of connection ID", HFILL }
4361 },
4362 { &hf_ssl2_handshake_connection_id,
4363 { "Connection ID", "tls.handshake.connection_id",
4364 FT_NONE, BASE_NONE, NULL, 0x0,
4365 "Server's challenge to client", HFILL }
4366 },
4367
4368 { &hf_tls_segment_overlap,
4369 { "Segment overlap", "tls.segment.overlap",
4370 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
4371 "Segment overlaps with other segments", HFILL }},
4372
4373 { &hf_tls_segment_overlap_conflict,
4374 { "Conflicting data in segment overlap", "tls.segment.overlap.conflict",
4375 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
4376 "Overlapping segments contained conflicting data", HFILL }},
4377
4378 { &hf_tls_segment_multiple_tails,
4379 { "Multiple tail segments found", "tls.segment.multipletails",
4380 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
4381 "Several tails were found when reassembling the pdu", HFILL }},
4382
4383 { &hf_tls_segment_too_long_fragment,
4384 { "Segment too long", "tls.segment.toolongfragment",
4385 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
4386 "Segment contained data past end of the pdu", HFILL }},
4387
4388 { &hf_tls_segment_error,
4389 { "Reassembling error", "tls.segment.error",
4390 FT_FRAMENUM, BASE_NONE, NULL, 0x0,
4391 "Reassembling error due to illegal segments", HFILL }},
4392
4393 { &hf_tls_segment_count,
4394 { "Segment count", "tls.segment.count",
4395 FT_UINT32, BASE_DEC, NULL, 0x0,
4396 NULL, HFILL }},
4397
4398 { &hf_tls_segment,
4399 { "TLS segment", "tls.segment",
4400 FT_FRAMENUM, BASE_NONE, NULL, 0x0,
4401 NULL, HFILL }},
4402
4403 { &hf_tls_segments,
4404 { "Reassembled TLS segments", "tls.segments",
4405 FT_NONE, BASE_NONE, NULL, 0x0,
4406 "TLS Segments", HFILL }},
4407
4408 { &hf_tls_reassembled_in,
4409 { "Reassembled PDU in frame", "tls.reassembled_in",
4410 FT_FRAMENUM, BASE_NONE, NULL, 0x0,
4411 "The PDU that doesn't end in this segment is reassembled in this frame", HFILL }},
4412
4413 { &hf_tls_reassembled_length,
4414 { "Reassembled PDU length", "tls.reassembled.length",
4415 FT_UINT32, BASE_DEC, NULL, 0x0,
4416 "The total length of the reassembled payload", HFILL }},
4417
4418 { &hf_tls_reassembled_data,
4419 { "Reassembled PDU data", "tls.reassembled.data",
4420 FT_BYTES, BASE_NONE, NULL, 0x00,
4421 "The payload of multiple reassembled TLS segments", HFILL }},
4422
4423 { &hf_tls_segment_data,
4424 { "TLS segment data", "tls.segment.data",
4425 FT_BYTES, BASE_NONE, NULL, 0x00,
4426 "The payload of a single TLS segment", HFILL }
4427 },
4428
4429 { &hf_tls_handshake_fragment_count,
4430 { "Handshake Fragment count", "tls.handshake.fragment.count",
4431 FT_UINT32, BASE_DEC, NULL, 0x0,
4432 NULL, HFILL }},
4433
4434 { &hf_tls_handshake_fragment,
4435 { "Handshake Fragment", "tls.handshake.fragment",
4436 FT_FRAMENUM, BASE_NONE, NULL, 0x0,
4437 NULL, HFILL }},
4438
4439 { &hf_tls_handshake_fragments,
4440 { "Reassembled Handshake Fragments", "tls.handshake.fragments",
4441 FT_NONE, BASE_NONE, NULL, 0x0,
4442 NULL, HFILL }},
4443
4444 { &hf_tls_handshake_reassembled_in,
4445 { "Reassembled Handshake Message in frame", "tls.handshake.reassembled_in",
4446 FT_FRAMENUM, BASE_NONE, NULL, 0x0,
4447 "The handshake message is fully reassembled in this frame", HFILL }},
4448
4449 SSL_COMMON_HF_LIST(dissect_ssl3_hf, "tls")
4450 };
4451
4452 /* Setup protocol subtree array */
4453 static gint *ett[] = {
4454 &ett_tls,
4455 &ett_tls_record,
4456 &ett_tls_alert,
4457 &ett_tls_handshake,
4458 &ett_tls_heartbeat,
4459 &ett_tls_certs,
4460 &ett_tls_segments,
4461 &ett_tls_segment,
4462 &ett_tls_hs_fragments,
4463 &ett_tls_hs_fragment,
4464 SSL_COMMON_ETT_LIST(dissect_ssl3_hf)
4465 };
4466
4467 static ei_register_info ei[] = {
4468 { &ei_ssl2_handshake_session_id_len_error, { "tls.handshake.session_id_length.error", PI_MALFORMED, PI_ERROR, "Session ID length error", EXPFILL }},
4469 { &ei_ssl3_heartbeat_payload_length, { "tls.heartbeat_message.payload_length.invalid", PI_MALFORMED, PI_ERROR, "Invalid heartbeat payload length", EXPFILL }},
4470 { &ei_tls_unexpected_message, { "tls.unexpected_message", PI_PROTOCOL, PI_ERROR, "Unexpected message", EXPFILL }},
4471
4472 /* Generated from convert_proto_tree_add_text.pl */
4473 { &ei_tls_ignored_unknown_record, { "tls.ignored_unknown_record", PI_PROTOCOL, PI_WARN, "Ignored Unknown Record", EXPFILL }},
4474
4475 SSL_COMMON_EI_LIST(dissect_ssl3_hf, "tls")
4476 };
4477
4478 static build_valid_func ssl_da_src_values[1] = {ssl_src_value};
4479 static build_valid_func ssl_da_dst_values[1] = {ssl_dst_value};
4480 static build_valid_func ssl_da_both_values[2] = {ssl_src_value, ssl_dst_value};
4481 static decode_as_value_t ssl_da_values[3] = {{ssl_src_prompt, 1, ssl_da_src_values}, {ssl_dst_prompt, 1, ssl_da_dst_values}, {ssl_both_prompt, 2, ssl_da_both_values}};
4482 static decode_as_t ssl_da = {"tls", "tls.port", 3, 2, ssl_da_values, "TCP", "port(s) as",
4483 decode_as_default_populate_list, decode_as_default_reset, decode_as_default_change, NULL};
4484
4485 expert_module_t* expert_ssl;
4486
4487 /* Register the protocol name and description */
4488 proto_tls = proto_register_protocol("Transport Layer Security",
4489 "TLS", "tls");
4490
4491 ssl_associations = register_dissector_table("tls.port", "TLS Port", proto_tls, FT_UINT16, BASE_DEC);
4492 register_dissector_table_alias(ssl_associations, "ssl.port");
4493
4494 /* Required function calls to register the header fields and
4495 * subtrees used */
4496 proto_register_field_array(proto_tls, hf, array_length(hf));
4497 proto_register_alias(proto_tls, "ssl");
4498 proto_register_subtree_array(ett, array_length(ett));
4499 expert_ssl = expert_register_protocol(proto_tls);
4500 expert_register_field_array(expert_ssl, ei, array_length(ei));
4501
4502 {
4503 module_t *ssl_module = prefs_register_protocol(proto_tls, proto_reg_handoff_ssl);
4504
4505 #ifdef HAVE_LIBGNUTLS
4506 static uat_field_t sslkeylist_uats_flds[] = {
4507 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, ipaddr, "IP address", ssldecrypt_uat_fld_ip_chk_cb, "IPv4 or IPv6 address (unused)"),
4508 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, port, "Port", ssldecrypt_uat_fld_port_chk_cb, "Port Number (optional)"),
4509 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, protocol, "Protocol", ssldecrypt_uat_fld_protocol_chk_cb, "Application Layer Protocol (optional)"),
4510 UAT_FLD_FILENAME_OTHER(sslkeylist_uats, keyfile, "Key File", ssldecrypt_uat_fld_fileopen_chk_cb, "Private keyfile."),
4511 UAT_FLD_CSTRING_OTHER(sslkeylist_uats, password,"Password", ssldecrypt_uat_fld_password_chk_cb, "Password (for PCKS#12 keyfile)"),
4512 UAT_END_FIELDS
4513 };
4514
4515 ssldecrypt_uat = uat_new("TLS Decrypt",
4516 sizeof(ssldecrypt_assoc_t),
4517 "ssl_keys", /* filename */
4518 TRUE, /* from_profile */
4519 &tlskeylist_uats, /* data_ptr */
4520 &ntlsdecrypt, /* numitems_ptr */
4521 UAT_AFFECTS_DISSECTION, /* affects dissection of packets, but not set of named fields */
4522 NULL, /* Help section (currently a wiki page) */
4523 ssldecrypt_copy_cb,
4524 NULL,
4525 ssldecrypt_free_cb,
4526 ssl_parse_uat,
4527 ssl_reset_uat,
4528 sslkeylist_uats_flds);
4529
4530 prefs_register_uat_preference(ssl_module, "key_table",
4531 "RSA keys list",
4532 "A table of RSA keys for TLS decryption",
4533 ssldecrypt_uat);
4534
4535 prefs_register_string_preference(ssl_module, "keys_list", "RSA keys list (deprecated)",
4536 "Semicolon-separated list of private RSA keys used for TLS decryption. "
4537 "Used by versions of Wireshark prior to 1.6",
4538 &ssl_keys_list);
4539 #endif /* HAVE_LIBGNUTLS */
4540
4541 prefs_register_filename_preference(ssl_module, "debug_file", "TLS debug file",
4542 "Redirect TLS debug to the file specified. Leave empty to disable debugging "
4543 "or use \"" SSL_DEBUG_USE_STDERR "\" to redirect output to stderr.",
4544 &ssl_debug_file_name, TRUE);
4545
4546 prefs_register_bool_preference(ssl_module,
4547 "desegment_ssl_records",
4548 "Reassemble TLS records spanning multiple TCP segments",
4549 "Whether the TLS dissector should reassemble TLS records spanning multiple TCP segments. "
4550 "To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
4551 &tls_desegment);
4552 prefs_register_bool_preference(ssl_module,
4553 "desegment_ssl_application_data",
4554 "Reassemble TLS Application Data spanning multiple TLS records",
4555 "Whether the TLS dissector should reassemble TLS Application Data spanning multiple TLS records. ",
4556 &tls_desegment_app_data);
4557 prefs_register_bool_preference(ssl_module,
4558 "ignore_ssl_mac_failed",
4559 "Message Authentication Code (MAC), ignore \"mac failed\"",
4560 "For troubleshooting ignore the mac check result and decrypt also if the Message Authentication Code (MAC) fails.",
4561 &tls_ignore_mac_failed);
4562 ssl_common_register_options(ssl_module, &ssl_options, FALSE);
4563 }
4564
4565 /* heuristic dissectors for any premable e.g. CredSSP before RDP */
4566 ssl_heur_subdissector_list = register_heur_dissector_list("tls", proto_tls);
4567
4568 ssl_common_register_ssl_alpn_dissector_table("tls.alpn",
4569 "SSL/TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs",
4570 proto_tls);
4571
4572 tls_handle = register_dissector("tls", dissect_ssl, proto_tls);
4573 register_dissector("tls13-handshake", dissect_tls13_handshake, proto_tls);
4574
4575 register_init_routine(ssl_init);
4576 register_cleanup_routine(ssl_cleanup);
4577 reassembly_table_register(&ssl_reassembly_table,
4578 &addresses_ports_reassembly_table_functions);
4579 reassembly_table_register(&tls_hs_reassembly_table,
4580 &addresses_ports_reassembly_table_functions);
4581 register_decode_as(&ssl_da);
4582
4583 /* XXX: this seems unused due to new "Follow TLS" method, remove? */
4584 tls_tap = register_tap("tls");
4585 ssl_debug_printf("proto_register_ssl: registered tap %s:%d\n",
4586 "tls", tls_tap);
4587
4588 register_follow_stream(proto_tls, "tls", tcp_follow_conv_filter, tcp_follow_index_filter, tcp_follow_address_filter,
4589 tcp_port_to_display, ssl_follow_tap_listener);
4590 secrets_register_type(SECRETS_TYPE_TLS, tls_secrets_block_callback);
4591 }
4592
dissect_tls_sct_ber(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,void * data _U_)4593 static int dissect_tls_sct_ber(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
4594 {
4595 guint32 offset = 0;
4596 /* Skip through tag and length for OCTET STRING encoding. */
4597 offset = dissect_ber_identifier(pinfo, tree, tvb, offset, NULL, NULL, NULL);
4598 offset = dissect_ber_length(pinfo, tree, tvb, offset, NULL, NULL);
4599 /*
4600 * RFC 6962 (Certificate Transparency) refers to RFC 5246 (TLS 1.2) for the
4601 * DigitallySigned format, so asssume that version.
4602 */
4603 return tls_dissect_sct_list(&dissect_ssl3_hf, tvb, pinfo, tree, offset, tvb_captured_length(tvb), TLSV1DOT2_VERSION);
4604 }
4605
4606 /* If this dissector uses sub-dissector registration add a registration
4607 * routine. This format is required because a script is used to find
4608 * these routines and create the code that calls these routines.
4609 */
4610 void
proto_reg_handoff_ssl(void)4611 proto_reg_handoff_ssl(void)
4612 {
4613
4614 #ifdef HAVE_LIBGNUTLS
4615 /* parse key list */
4616 ssl_parse_uat();
4617 ssl_parse_old_keys();
4618 #endif
4619
4620 /*
4621 * XXX the port preferences should probably be removed in favor of Decode
4622 * As. Then proto_reg_handoff_ssl can be removed from
4623 * prefs_register_protocol.
4624 */
4625 static gboolean initialized = FALSE;
4626 if (initialized) {
4627 return;
4628 }
4629 initialized = TRUE;
4630
4631 exported_pdu_tap = find_tap_id(EXPORT_PDU_TAP_NAME_LAYER_7);
4632
4633 /* Certificate Transparency extensions: 2 (Certificate), 5 (OCSP Response) */
4634 register_ber_oid_dissector("1.3.6.1.4.1.11129.2.4.2", dissect_tls_sct_ber, proto_tls, "SignedCertificateTimestampList");
4635 register_ber_oid_dissector("1.3.6.1.4.1.11129.2.4.5", dissect_tls_sct_ber, proto_tls, "SignedCertificateTimestampList");
4636
4637 heur_dissector_add("tcp", dissect_ssl_heur, "SSL/TLS over TCP", "tls_tcp", proto_tls, HEURISTIC_ENABLE);
4638 }
4639
4640 void
ssl_dissector_add(guint port,dissector_handle_t handle)4641 ssl_dissector_add(guint port, dissector_handle_t handle)
4642 {
4643 ssl_association_add("tls.port", tls_handle, handle, port, TRUE);
4644 }
4645
4646 void
ssl_dissector_delete(guint port,dissector_handle_t handle)4647 ssl_dissector_delete(guint port, dissector_handle_t handle)
4648 {
4649 ssl_association_remove("tls.port", tls_handle, handle, port, TRUE);
4650 }
4651
4652 /*
4653 * Editor modelines - https://www.wireshark.org/tools/modelines.html
4654 *
4655 * Local variables:
4656 * c-basic-offset: 4
4657 * tab-width: 8
4658 * indent-tabs-mode: nil
4659 * End:
4660 *
4661 * vi: set shiftwidth=4 tabstop=8 expandtab:
4662 * :indentSize=4:tabSize=8:noTabs=true:
4663 */
4664