diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
commit | e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc (patch) | |
tree | 68cb5ef9081156392f1dd62a00c6ccc1451b93df /epan/dissectors/packet-tls.c | |
parent | Initial commit. (diff) | |
download | wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.tar.xz wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.zip |
Adding upstream version 4.2.2.upstream/4.2.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'epan/dissectors/packet-tls.c')
-rw-r--r-- | epan/dissectors/packet-tls.c | 4914 |
1 files changed, 4914 insertions, 0 deletions
diff --git a/epan/dissectors/packet-tls.c b/epan/dissectors/packet-tls.c new file mode 100644 index 00000000..6d80182c --- /dev/null +++ b/epan/dissectors/packet-tls.c @@ -0,0 +1,4914 @@ +/* packet-tls.c + * Routines for TLS dissection + * Copyright (c) 2000-2001, Scott Renfro <scott@renfro.org> + * Copyright 2013-2019, Peter Wu <peter@lekensteyn.nl> + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +/* + * Supported protocol versions: + * + * TLS 1.3, 1.2, 1.0, and SSL 3.0. SSL 2.0 is no longer supported, except for + * the SSL 2.0-compatible Client Hello. + * + * Primary protocol specifications: + * + * https://tools.ietf.org/html/draft-hickman-netscape-ssl-00 - SSL 2.0 + * https://tools.ietf.org/html/rfc6101 - SSL 3.0 + * https://tools.ietf.org/html/rfc2246 - TLS 1.0 + * https://tools.ietf.org/html/rfc4346 - TLS 1.1 + * https://tools.ietf.org/html/rfc5246 - TLS 1.2 + * https://tools.ietf.org/html/rfc8446 - TLS 1.3 + * + * Important IANA registries: + * + * https://www.iana.org/assignments/tls-parameters/ + * https://www.iana.org/assignments/tls-extensiontype-values/ + * + * Notes: + * + * - Decryption needs to be performed 'sequentially', so it's done + * at packet reception time. This may cause a significant packet capture + * slow down. This also causes dissection of some ssl info that in previous + * dissector versions was dissected only when a proto_tree context was + * available + * + * We are at Packet reception if time pinfo->fd->visited == 0 + * + * - Many dissection and decryption operations are implemented in + * epan/dissectors/packet-tls-utils.c and + * epan/dissectors/packet-tls-utils.h due to an overlap of functionality + * with DTLS (epan/dissectors/packet-dtls.c). + * + */ + +#include "config.h" + +#include <epan/packet.h> +#include <epan/reassemble.h> +#include <epan/asn1.h> +#include <epan/tap.h> +#include <epan/uat.h> +#include <epan/addr_resolv.h> +#include <epan/follow.h> +#include <epan/exported_pdu.h> +#include <epan/proto_data.h> +#include <epan/decode_as.h> +#include <epan/secrets.h> +#include <wiretap/secrets-types.h> + +#include <wsutil/utf8_entities.h> +#include <wsutil/str_util.h> +#include <wsutil/strtoi.h> +#include <wsutil/rsa.h> +#include <wsutil/ws_assert.h> +#include "packet-tcp.h" +#include "packet-x509af.h" +#include "packet-tls.h" +#include "packet-tls-utils.h" +#include "packet-ber.h" + +void proto_register_tls(void); + +#ifdef HAVE_LIBGNUTLS +static ssldecrypt_assoc_t *tlskeylist_uats = NULL; +static guint ntlsdecrypt = 0; +#endif + +static gboolean tls_desegment = TRUE; +static gboolean tls_desegment_app_data = TRUE; +static gboolean tls_ignore_mac_failed = FALSE; + + +/********************************************************************* + * + * Protocol Constants, Variables, Data Structures + * + *********************************************************************/ + +/* Initialize the protocol and registered fields */ +static gint tls_tap = -1; +static gint exported_pdu_tap = -1; +static gint proto_tls = -1; +static gint hf_tls_record = -1; +static gint hf_tls_record_content_type = -1; +static gint hf_tls_record_opaque_type = -1; +static gint hf_tls_record_version = -1; +static gint hf_tls_record_length = -1; +static gint hf_tls_record_appdata = -1; +static gint hf_tls_record_appdata_proto = -1; +static gint hf_ssl2_record = -1; +static gint hf_ssl2_record_is_escape = -1; +static gint hf_ssl2_record_padding_length = -1; +static gint hf_ssl2_msg_type = -1; +static gint hf_tls_alert_message = -1; +static gint hf_tls_alert_message_level = -1; +static gint hf_tls_alert_message_description = -1; +static gint hf_tls_handshake_protocol = -1; +static gint hf_tls_handshake_type = -1; +static gint hf_tls_handshake_length = -1; +static gint hf_tls_handshake_npn_selected_protocol_len = -1; +static gint hf_tls_handshake_npn_selected_protocol = -1; +static gint hf_tls_handshake_npn_padding_len = -1; +static gint hf_tls_handshake_npn_padding = -1; +static gint hf_ssl2_handshake_cipher_spec_len = -1; +static gint hf_ssl2_handshake_session_id_len = -1; +static gint hf_ssl2_handshake_challenge_len = -1; +static gint hf_ssl2_handshake_cipher_spec = -1; +static gint hf_ssl2_handshake_challenge = -1; +static gint hf_ssl2_handshake_clear_key_len = -1; +static gint hf_ssl2_handshake_enc_key_len = -1; +static gint hf_ssl2_handshake_key_arg_len = -1; +static gint hf_ssl2_handshake_clear_key = -1; +static gint hf_ssl2_handshake_enc_key = -1; +static gint hf_ssl2_handshake_key_arg = -1; +static gint hf_ssl2_handshake_session_id_hit = -1; +static gint hf_ssl2_handshake_cert_type = -1; +static gint hf_ssl2_handshake_connection_id_len = -1; +static gint hf_ssl2_handshake_connection_id = -1; + +static int hf_tls_reassembled_in = -1; +static int hf_tls_reassembled_length = -1; +static int hf_tls_reassembled_data = -1; +static int hf_tls_segments = -1; +static int hf_tls_segment = -1; +static int hf_tls_segment_overlap = -1; +static int hf_tls_segment_overlap_conflict = -1; +static int hf_tls_segment_multiple_tails = -1; +static int hf_tls_segment_too_long_fragment = -1; +static int hf_tls_segment_error = -1; +static int hf_tls_segment_count = -1; +static int hf_tls_segment_data = -1; + +static int hf_tls_handshake_reassembled_in = -1; +static int hf_tls_handshake_fragments = -1; +static int hf_tls_handshake_fragment = -1; +static int hf_tls_handshake_fragment_count = -1; + +static gint hf_tls_heartbeat_message = -1; +static gint hf_tls_heartbeat_message_type = -1; +static gint hf_tls_heartbeat_message_payload_length = -1; +static gint hf_tls_heartbeat_message_payload = -1; +static gint hf_tls_heartbeat_message_padding = -1; + +static ssl_hfs_t ssl_hfs = { -1, -1 }; + +/* Initialize the subtree pointers */ +static gint ett_tls = -1; +static gint ett_tls_record = -1; +static gint ett_tls_alert = -1; +static gint ett_tls_handshake = -1; +static gint ett_tls_heartbeat = -1; +static gint ett_tls_certs = -1; +static gint ett_tls_segments = -1; +static gint ett_tls_segment = -1; +static gint ett_tls_hs_fragments = -1; +static gint ett_tls_hs_fragment = -1; + +static expert_field ei_ssl2_handshake_session_id_len_error = EI_INIT; +static expert_field ei_ssl3_heartbeat_payload_length = EI_INIT; +static expert_field ei_tls_unexpected_message = EI_INIT; + +/* Generated from convert_proto_tree_add_text.pl */ +static expert_field ei_tls_ignored_unknown_record = EI_INIT; + +/* not all of the hf_fields below make sense for TLS but we have to provide + them anyways to comply with the api (which was aimed for ip fragment + reassembly) */ +static const fragment_items ssl_segment_items = { + &ett_tls_segment, + &ett_tls_segments, + &hf_tls_segments, + &hf_tls_segment, + &hf_tls_segment_overlap, + &hf_tls_segment_overlap_conflict, + &hf_tls_segment_multiple_tails, + &hf_tls_segment_too_long_fragment, + &hf_tls_segment_error, + &hf_tls_segment_count, + &hf_tls_reassembled_in, + &hf_tls_reassembled_length, + &hf_tls_reassembled_data, + "Segments" +}; + +/* Fragmented handshake messages. */ +static const fragment_items tls_hs_fragment_items = { + &ett_tls_hs_fragment, + &ett_tls_hs_fragments, + &hf_tls_handshake_fragments, + &hf_tls_handshake_fragment, + &hf_tls_segment_overlap, // Do not care about the errors, should not happen. + &hf_tls_segment_overlap_conflict, + &hf_tls_segment_multiple_tails, + &hf_tls_segment_too_long_fragment, + &hf_tls_segment_error, + &hf_tls_handshake_fragment_count, + NULL, /* unused - &hf_tls_handshake_reassembled_in, */ + NULL, /* do not display redundant length */ + NULL, /* do not display redundant data */ + "Fragments" +}; + +static SSL_COMMON_LIST_T(dissect_ssl3_hf); + +static void +ssl_proto_tree_add_segment_data( + proto_tree *tree, + tvbuff_t *tvb, + gint offset, + gint length, + const gchar *prefix) +{ + proto_tree_add_bytes_format( + tree, + hf_tls_segment_data, + tvb, + offset, + length, + NULL, + "%sTLS segment data (%u %s)", + prefix != NULL ? prefix : "", + length == -1 ? tvb_reported_length_remaining(tvb, offset) : length, + plurality(length, "byte", "bytes")); +} + + +static ssl_master_key_map_t ssl_master_key_map; + +#ifdef HAVE_LIBGNUTLS +static GHashTable *ssl_key_hash = NULL; +static wmem_stack_t *key_list_stack = NULL; +static uat_t *ssldecrypt_uat = NULL; +static const gchar *ssl_keys_list = NULL; +#endif +static dissector_table_t ssl_associations = NULL; +static dissector_handle_t tls_handle = NULL; +static StringInfo ssl_compressed_data = {NULL, 0}; +static StringInfo ssl_decrypted_data = {NULL, 0}; +static gint ssl_decrypted_data_avail = 0; +static FILE *ssl_keylog_file = NULL; +static ssl_common_options_t ssl_options = { NULL, NULL}; + +/* List of dissectors to call for TLS data */ +static heur_dissector_list_t ssl_heur_subdissector_list; + +static const gchar *ssl_debug_file_name = NULL; + + +/* Forward declaration we need below */ +void proto_reg_handoff_ssl(void); + +/* Desegmentation of TLS streams */ +/* table to hold defragmented TLS streams */ +static reassembly_table ssl_reassembly_table; + +/* Table to hold fragmented TLS handshake records. */ +static reassembly_table tls_hs_reassembly_table; +static guint32 hs_reassembly_id_count; + +/* initialize/reset per capture state data (ssl sessions cache) */ +static void +ssl_init(void) +{ + module_t *ssl_module = prefs_find_module("tls"); + pref_t *keys_list_pref; + + ssl_common_init(&ssl_master_key_map, + &ssl_decrypted_data, &ssl_compressed_data); + ssl_debug_flush(); + + /* We should have loaded "keys_list" by now. Mark it obsolete */ + if (ssl_module) { + keys_list_pref = prefs_find_preference(ssl_module, "keys_list"); + if (! prefs_get_preference_obsolete(keys_list_pref)) { + prefs_set_preference_obsolete(keys_list_pref); + } + } + + /* Reset the identifier for a group of handshake fragments. */ + hs_reassembly_id_count = 0; +} + +static void +ssl_cleanup(void) +{ +#ifdef HAVE_LIBGNUTLS + if (key_list_stack != NULL) { + wmem_destroy_stack(key_list_stack); + key_list_stack = NULL; + } +#endif + ssl_common_cleanup(&ssl_master_key_map, &ssl_keylog_file, + &ssl_decrypted_data, &ssl_compressed_data); +} + +ssl_master_key_map_t * +tls_get_master_key_map(gboolean load_secrets) +{ + // Try to load new keys. + if (load_secrets) { + ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, &ssl_master_key_map); + } + return &ssl_master_key_map; +} + +#ifdef HAVE_LIBGNUTLS +/* parse ssl related preferences (private keys and ports association strings) */ +static void +ssl_parse_uat(void) +{ + guint i; + guint16 port; + dissector_handle_t handle; + + ssl_set_debug(ssl_debug_file_name); + + if (ssl_key_hash) + { + g_hash_table_destroy(ssl_key_hash); + } + + /* remove only associations created from key list */ + if (key_list_stack != NULL) { + while (wmem_stack_count(key_list_stack) > 0) { + port = GPOINTER_TO_UINT(wmem_stack_pop(key_list_stack)); + handle = dissector_get_uint_handle(ssl_associations, port); + if (handle != NULL) + ssl_association_remove("tls.port", tls_handle, handle, port, FALSE); + } + } + /* parse private keys string, load available keys and put them in key hash*/ + ssl_key_hash = privkey_hash_table_new(); + + + if (ntlsdecrypt > 0) { + if (key_list_stack == NULL) + key_list_stack = wmem_stack_new(NULL); + for (i = 0; i < ntlsdecrypt; i++) { + ssldecrypt_assoc_t *ssl_uat = &(tlskeylist_uats[i]); + ssl_parse_key_list(ssl_uat, ssl_key_hash, "tls.port", tls_handle, TRUE); + if (key_list_stack && ws_strtou16(ssl_uat->port, NULL, &port) && port > 0) + wmem_stack_push(key_list_stack, GUINT_TO_POINTER(port)); + } + } + + ssl_debug_flush(); +} + +static void +ssl_reset_uat(void) +{ + g_hash_table_destroy(ssl_key_hash); + ssl_key_hash = NULL; +} + +static void +ssl_parse_old_keys(void) +{ + gchar **old_keys, **parts, *err; + gchar *uat_entry; + guint i; + + /* Import old-style keys */ + if (ssldecrypt_uat && ssl_keys_list && ssl_keys_list[0]) { + old_keys = g_strsplit(ssl_keys_list, ";", 0); + for (i = 0; old_keys[i] != NULL; i++) { + parts = g_strsplit(old_keys[i], ",", 5); + if (parts[0] && parts[1] && parts[2] && parts[3]) { + gchar *path = uat_esc(parts[3], (guint)strlen(parts[3])); + const gchar *password = parts[4] ? parts[4] : ""; + uat_entry = wmem_strdup_printf(NULL, "\"%s\",\"%s\",\"%s\",\"%s\",\"%s\"", + parts[0], parts[1], parts[2], path, password); + g_free(path); + if (!uat_load_str(ssldecrypt_uat, uat_entry, &err)) { + ssl_debug_printf("ssl_parse_old_keys: Can't load UAT string %s: %s\n", + uat_entry, err); + g_free(err); + } + wmem_free(NULL, uat_entry); + } + g_strfreev(parts); + } + g_strfreev(old_keys); + } +} +#endif /* HAVE_LIBGNUTLS */ + + +static tap_packet_status +ssl_follow_tap_listener(void *tapdata, packet_info *pinfo, epan_dissect_t *edt _U_, const void *ssl, tap_flags_t flags _U_) +{ + follow_info_t * follow_info = (follow_info_t*) tapdata; + follow_record_t * follow_record = NULL; + const SslRecordInfo *appl_data = NULL; + const SslPacketInfo *pi = (const SslPacketInfo*)ssl; + show_stream_t from = FROM_CLIENT; + + /* Skip packets without decrypted payload data. */ + if (!pi || !pi->records) return TAP_PACKET_DONT_REDRAW; + + /* Compute the packet's sender. */ + if (follow_info->client_port == 0) { + follow_info->client_port = pinfo->srcport; + copy_address(&follow_info->client_ip, &pinfo->src); + follow_info->server_port = pinfo->destport; + copy_address(&follow_info->server_ip, &pinfo->dst); + } + if (addresses_equal(&follow_info->client_ip, &pinfo->src) && + follow_info->client_port == pinfo->srcport) { + from = FROM_CLIENT; + } else { + from = FROM_SERVER; + } + + for (appl_data = pi->records; appl_data != NULL; appl_data = appl_data->next) { + + /* Include only application data in the record, skipping things like + * Handshake messages and alerts. */ + if (appl_data->type != SSL_ID_APP_DATA) continue; + + /* TCP segments that contain the end of two or more TLS PDUs will be + queued to TLS taps for each of those PDUs. Therefore a single + packet could be processed by this TLS tap listener multiple times. + The following test handles that scenario by treating the + follow_info->bytes_written[] values as the next expected + appl_data->seq. Any appl_data instances that fall below that have + already been processed and must be skipped. */ + if (appl_data->seq < follow_info->bytes_written[from]) continue; + + /* Allocate a follow_record_t to hold the current appl_data + instance's decrypted data. Even though it would be possible to + consolidate multiple appl_data instances into a single record, it is + beneficial to use a one-to-one mapping. This affords the Follow + Stream dialog view modes (ASCII, EBCDIC, Hex Dump, C Arrays, Raw) + the opportunity to accurately reflect TLS PDU boundaries. Currently + the Hex Dump view does by starting a new line, and the C Arrays + view does by starting a new array declaration. */ + follow_record = g_new(follow_record_t,1); + + follow_record->is_server = (from == FROM_SERVER); + follow_record->packet_num = pinfo->num; + follow_record->abs_ts = pinfo->abs_ts; + + follow_record->data = g_byte_array_sized_new(appl_data->data_len); + follow_record->data = g_byte_array_append(follow_record->data, + appl_data->plain_data, + appl_data->data_len); + + /* Add the record to the follow_info structure. */ + follow_info->payload = g_list_prepend(follow_info->payload, follow_record); + follow_info->bytes_written[from] += appl_data->data_len; + } + + return TAP_PACKET_DONT_REDRAW; +} + +/********************************************************************* + * + * Forward Declarations + * + *********************************************************************/ + +/* + * SSL version 3 and TLS dissectors + * + */ +/* record layer dissector */ +static gint dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, guint32 offset, + SslSession *session, gint is_from_server, + gboolean *need_desegmentation, + SslDecryptSession *conv_data, + guint8 curr_layer_num_ssl, + struct tlsinfo *tlsinfo); + +/* alert message dissector */ +static void dissect_ssl3_alert(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, guint32 offset, + guint32 record_length, const SslSession *session, + struct tlsinfo *tlsinfo); + +/* handshake protocol dissector */ +static void dissect_tls_handshake(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, guint32 offset, + guint32 offset_end, gboolean maybe_encrypted, + guint record_id, guint8 curr_layer_num_tls, + SslSession *session, gint is_from_server, + SslDecryptSession *ssl, + const guint16 version); + +static void dissect_tls_handshake_full(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, guint32 offset, + SslSession *session, gint is_from_server, + SslDecryptSession *conv_data, + const guint16 version, + gboolean is_first_msg, guint8 curr_layer_num_tls); + +/* heartbeat message dissector */ +static void dissect_ssl3_heartbeat(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, guint32 offset, + const SslSession *session, guint32 record_length, + gboolean decrypted); + +static void dissect_ssl3_hnd_encrypted_exts(tvbuff_t *tvb, + proto_tree *tree, + guint32 offset); + +/* + * SSL version 2 dissectors + * + */ + +/* record layer dissector */ +static gint dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, guint32 offset, + SslSession *session, + gboolean *need_desegmentation, + SslDecryptSession *ssl); + +/* client hello dissector */ +static void dissect_ssl2_hnd_client_hello(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, + guint32 offset, + SslDecryptSession *ssl); + +/* client master key dissector */ +static void dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb, + proto_tree *tree, + guint32 offset); + +/* server hello dissector */ +static void dissect_ssl2_hnd_server_hello(tvbuff_t *tvb, + proto_tree *tree, + guint32 offset, packet_info *pinfo); + + +/* + * Support Functions + * + */ +static gint ssl_is_valid_ssl_version(const guint16 version); +static gint ssl_is_v2_client_hello(tvbuff_t *tvb, const guint32 offset); +static gint ssl_looks_like_sslv2(tvbuff_t *tvb, const guint32 offset); +static gint ssl_looks_like_sslv3(tvbuff_t *tvb, const guint32 offset); +static gint ssl_looks_like_valid_v2_handshake(tvbuff_t *tvb, + const guint32 offset, + const guint32 record_length); + +static void +process_ssl_payload(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree, SslSession *session, + dissector_handle_t app_handle_port, + struct tlsinfo *tlsinfo); +static guint32 +tls_msp_fragment_id(struct tcp_multisegment_pdu *msp); + +static void +print_tls_fragment_tree(fragment_head *ipfd_head, proto_tree *tree, proto_tree *tls_tree, packet_info *pinfo, tvbuff_t *next_tvb); + +/********************************************************************* + * + * Main dissector + * + *********************************************************************/ +/* + * Code to actually dissect the packets + */ +static int +dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + + conversation_t *conversation; + proto_item *ti; + proto_tree *ssl_tree; + guint32 offset; + gboolean need_desegmentation; + SslDecryptSession *ssl_session, *ssl_session_save; + SslSession *session; + gint is_from_server; + struct tcpinfo *tcpinfo; + struct tlsinfo tlsinfo; + /* + * A single packet may contain multiple TLS records. Two possible scenarios: + * + * - Multiple TLS records belonging to the same TLS session. + * - TLS within a different encrypted TLS tunnel. + * + * To support the second case, 'curr_layer_num_ssl' is used as identifier + * for the current TLS layer. + */ + guint8 curr_layer_num_ssl = pinfo->curr_proto_layer_num; + + ti = NULL; + ssl_tree = NULL; + offset = 0; + ssl_session = NULL; + + memset(&tlsinfo, 0, sizeof(tlsinfo)); + tcpinfo = (struct tcpinfo*)data; + + if (tvb_captured_length(tvb) > 4) { + const guint8 *tmp = tvb_get_ptr(tvb, 0, 4); + if (g_ascii_isprint(tmp[0]) && + g_ascii_isprint(tmp[1]) && + g_ascii_isprint(tmp[2]) && + g_ascii_isprint(tmp[3])) { + /* it is extremely unlikely that real TLS traffic starts with four + * printable ascii characters; this looks like it's unencrypted + * text, so assume it's not ours (SSL does have some unencrypted + * text fields in certain packets, but you'd have to get very + * unlucky with TCP fragmentation to have one of those fields at the + * beginning of a TCP payload at the beginning of the capture where + * reassembly hasn't started yet) */ + return 0; + } + } + + ssl_debug_printf("\ndissect_ssl enter frame #%u (%s)\n", pinfo->num, (pinfo->fd->visited)?"already visited":"first time"); + + /* Track the version using conversations to reduce the + * chance that a packet that simply *looks* like a v2 or + * v3 packet is dissected improperly. This also allows + * us to more frequently set the protocol column properly + * for continuation data frames. + * + * Also: We use the copy in conv_version as our cached copy, + * so that we don't have to search the conversation + * table every time we want the version; when setting + * the conv_version, must set the copy in the conversation + * in addition to conv_version + */ + conversation = find_or_create_conversation(pinfo); + ssl_session_save = ssl_session = ssl_get_session(conversation, tls_handle); + session = &ssl_session->session; + is_from_server = ssl_packet_from_server(session, ssl_associations, pinfo); + + if (session->last_nontls_frame != 0 && + session->last_nontls_frame >= pinfo->num) { + /* This conversation started at a different protocol and STARTTLS was + * used, but this packet comes too early. */ + return 0; + } + + /* try decryption only the first time we see this packet + * (to keep cipher synchronized) */ + if (pinfo->fd->visited) + ssl_session = NULL; + + ssl_debug_printf(" conversation = %p, ssl_session = %p\n", (void *)conversation, (void *)ssl_session); + + /* Initialize the protocol column; we'll override it later when we + * detect a different version or flavor of TLS (assuming we don't + * throw an exception before we get the chance to do so). */ + col_set_str(pinfo->cinfo, COL_PROTOCOL, + val_to_str_const(session->version, ssl_version_short_names, "SSL")); + /* clear the info column */ + col_clear(pinfo->cinfo, COL_INFO); + + /* TCP packets and TLS records are orthogonal. + * A tcp packet may contain multiple ssl records and an ssl + * record may be spread across multiple tcp packets. + * + * This loop accounts for multiple ssl records in a single + * frame, but not a single ssl record across multiple tcp + * packets. + * + * Handling the single ssl record across multiple packets + * may be possible using wireshark conversations, but + * probably not cleanly. May have to wait for tcp stream + * reassembly. + */ + + /* Create display subtree for TLS as a whole */ + if (tree) + { + ti = proto_tree_add_item(tree, proto_tls, tvb, 0, -1, ENC_NA); + ssl_tree = proto_item_add_subtree(ti, ett_tls); + } + /* iterate through the records in this tvbuff */ + while (tvb_reported_length_remaining(tvb, offset) > 0) + { + ssl_debug_printf(" record: offset = %d, reported_length_remaining = %d\n", offset, tvb_reported_length_remaining(tvb, offset)); + + /* + * Assume, for now, that this doesn't need desegmentation. + */ + need_desegmentation = FALSE; + + /* first try to dispatch off the cached version + * known to be associated with the conversation + */ + switch (session->version) { + case SSLV2_VERSION: + offset = dissect_ssl2_record(tvb, pinfo, ssl_tree, + offset, session, + &need_desegmentation, + ssl_session); + break; + + case SSLV3_VERSION: + case TLSV1_VERSION: + case TLSV1DOT1_VERSION: + case TLSV1DOT2_VERSION: + case TLCPV1_VERSION: + /* SSLv3/TLS record headers need at least 1+2+2 = 5 bytes. */ + if (tvb_reported_length_remaining(tvb, offset) < 5) { + if (tls_desegment && pinfo->can_desegment) { + pinfo->desegment_offset = offset; + pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; + need_desegmentation = TRUE; + } else { + /* Not enough bytes available. Stop here. */ + offset = tvb_reported_length(tvb); + } + break; + } + + /* the version tracking code works too well ;-) + * at times, we may visit a v2 client hello after + * we already know the version of the connection; + * work around that here by detecting and calling + * the v2 dissector instead + */ + if (ssl_is_v2_client_hello(tvb, offset)) + { + offset = dissect_ssl2_record(tvb, pinfo, ssl_tree, + offset, session, + &need_desegmentation, + ssl_session); + } + else + { + offset = dissect_ssl3_record(tvb, pinfo, ssl_tree, + offset, session, is_from_server, + &need_desegmentation, + ssl_session, + curr_layer_num_ssl, &tlsinfo); + } + break; + + /* that failed, so apply some heuristics based + * on this individual packet + */ + default: + /* + * If the version is unknown, assume SSLv3/TLS which has a record + * size of at least 5 bytes (SSLv2 record header is two or three + * bytes, but the data will hopefully be larger than three bytes). + */ + if (tvb_reported_length_remaining(tvb, offset) < 5) { + if (tls_desegment && pinfo->can_desegment) { + pinfo->desegment_offset = offset; + pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; + need_desegmentation = TRUE; + } else { + /* Not enough bytes available. Stop here. */ + offset = tvb_reported_length(tvb); + } + break; + } + + if (ssl_looks_like_sslv2(tvb, offset)) + { + /* looks like sslv2 client hello */ + offset = dissect_ssl2_record(tvb, pinfo, ssl_tree, + offset, session, + &need_desegmentation, + ssl_session); + } + else if (ssl_looks_like_sslv3(tvb, offset)) + { + /* looks like sslv3 or tls */ + offset = dissect_ssl3_record(tvb, pinfo, ssl_tree, + offset, session, is_from_server, + &need_desegmentation, + ssl_session, + curr_layer_num_ssl, &tlsinfo); + } + else + { + /* looks like something unknown, so lump into + * continuation data + */ + offset = tvb_reported_length(tvb); + col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Continuation Data"); + } + break; + } + + /* Desegmentation return check */ + if (need_desegmentation) { + ssl_debug_printf(" need_desegmentation: offset = %d, reported_length_remaining = %d\n", + offset, tvb_reported_length_remaining(tvb, offset)); + /* Make data available to ssl_follow_tap_listener */ + tap_queue_packet(tls_tap, pinfo, p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, curr_layer_num_ssl)); + return tvb_captured_length(tvb); + } + } + + guint ret = tvb_captured_length(tvb); + + /* Check for needing to reassemble at end of stream */ + ssl_session = ssl_session_save; + if (ssl_session) { + SslDecoder *decoder; + /* retrieve decoder for this packet direction. Retrieve it + * here because the decoder could have been created while + * processing the records (e.g., an Early Data HTTP request + * and response, with no Content-Length.) */ + if (is_from_server != 0) { + decoder = ssl_session->server; + } + else { + decoder = ssl_session->client; + } + + if (decoder && decoder->flow && decoder->flow->flags & TCP_FLOW_REASSEMBLE_UNTIL_FIN) { + /* We want to reassemble at the end of the stream. Are we + * there? */ + /* There might be more than one record, and we don't want to tell + * the application dissector that we got a TCP FIN if there are + * more app data records to come. We add the FIN here. + * XXX: We could have some logic to do so in dissect_ssl3_record() + * when we're on the last record. Note that the last record could + * be an alert, or this could be a FIN with no data, so we'd still + * have to check here anyway.) + */ + if (tcpinfo) { + tlsinfo.end_of_stream |= (tcpinfo->flags & TH_FIN); + } + if (!tlsinfo.end_of_stream) { + /* No. Tell the TCP dissector that we want to desegment + * at FIN, so that it will call the TLS dissector at FIN + * even if there is no TCP payload. + * + * However, tell it that we've already dissected all the + * the data in the packet, so that we avoid getting it + * later and trying to decrypt the records again. + * (XXX: An alternative would be checking for already decrypted + * records before trying to decrypt on the first pass.) + */ + pinfo->desegment_offset = tvb_captured_length(tvb); + pinfo->desegment_len = DESEGMENT_UNTIL_FIN; + } else { + ssl_debug_printf(" desegmenting at end of stream (FIN)\n"); + struct tcp_multisegment_pdu *msp; + msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(decoder->flow->multisegment_pdus, decoder->flow->byte_seq); + if (msp) { + fragment_head *ipfd_head; + ipfd_head = fragment_add(&ssl_reassembly_table, tvb, offset, + pinfo, tls_msp_fragment_id(msp), msp, + decoder->flow->byte_seq - msp->seq, + 0, FALSE); + if (ipfd_head && ipfd_head->reassembled_in == pinfo->num) { + tvbuff_t *next_tvb; + + /* create a new TVB structure for desegmented data */ + next_tvb = tvb_new_chain(tvb, ipfd_head->tvb_data); + + /* add desegmented data to the data source list */ + add_new_data_source(pinfo, next_tvb, "Reassembled TLS"); + + /* Show details of the reassembly */ + print_tls_fragment_tree(ipfd_head, tree, ssl_tree, pinfo, next_tvb); + + /* + * Supply the sequence number of the first of the + * reassembled bytes. + */ + tlsinfo.seq = msp->seq; + + /* indicate that this is reassembled data */ + tlsinfo.is_reassembled = TRUE; + + /* call subdissector */ + process_ssl_payload(next_tvb, 0, pinfo, tree, session, session->app_handle, &tlsinfo); + + if (ret == 0) { + /* XXX: Workaround for #15159. Ordinarily we + * return the number of bytes dissected, but zero + * indicates the dissector rejecting the data. If + * we are dissecting at FIN, but there were no new + * records added, we want to indicate that the + * dissector accepted the zero length payload so + * that the TLS (and, e.g. HTTP) layers don't get + * removed. So artificially return 1 instead. + * (The TCP dissector will ignore the number.) + */ + ret = 1; + } + } + } + } + } + } + + + col_set_fence(pinfo->cinfo, COL_INFO); + + ssl_debug_flush(); + + /* Make data available to ssl_follow_tap_listener */ + tap_queue_packet(tls_tap, pinfo, p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, curr_layer_num_ssl)); + + return ret; +} + + +/* + * Dissect ECHConfigList structure, for use by the DNS dissector. + */ +static int +dissect_tls_echconfig(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + return ssl_dissect_ext_ech_echconfiglist(&dissect_ssl3_hf, tvb, pinfo, + tree, 0, tvb_reported_length(tvb)); +} + +/* + * Dissect TLS 1.3 handshake messages (without the record layer). + * For use by QUIC (draft -13). + */ +static int +dissect_tls13_handshake(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) +{ + + conversation_t *conversation; + SslDecryptSession *ssl_session; + SslSession *session; + gint is_from_server; + proto_item *ti; + proto_tree *ssl_tree; + /** + * A value that uniquely identifies this fragment in this frame. + */ + guint record_id = GPOINTER_TO_UINT(data); + + ssl_debug_printf("\n%s enter frame #%u (%s)\n", G_STRFUNC, pinfo->num, (pinfo->fd->visited)?"already visited":"first time"); + + conversation = find_or_create_conversation(pinfo); + ssl_session = ssl_get_session(conversation, tls_handle); + session = &ssl_session->session; + is_from_server = ssl_packet_from_server(session, ssl_associations, pinfo); + if (session->version == SSL_VER_UNKNOWN) { + session->version = TLSV1DOT3_VERSION; + ssl_session->state |= SSL_VERSION; + ssl_session->state |= SSL_QUIC_RECORD_LAYER; + } + + /* + * First pass: collect state (including Client Random for key matching). + * Second pass: dissection only, no need to collect state. + */ + if (PINFO_FD_VISITED(pinfo)) { + ssl_session = NULL; + } + + ssl_debug_printf(" conversation = %p, ssl_session = %p, from_server = %d\n", + (void *)conversation, (void *)ssl_session, is_from_server); + + /* Add a proto_tls item to allow simple "tls" display filter */ + ti = proto_tree_add_item(tree, proto_tls, tvb, 0, -1, ENC_NA); + ssl_tree = proto_item_add_subtree(ti, ett_tls); + + dissect_tls_handshake(tvb, pinfo, ssl_tree, 0, + tvb_reported_length(tvb), FALSE, record_id, pinfo->curr_layer_num, session, + is_from_server, ssl_session, TLSV1DOT3_VERSION); + + ssl_debug_flush(); + + return tvb_captured_length(tvb); +} + +static gboolean +is_sslv3_or_tls(tvbuff_t *tvb) +{ + guint8 content_type; + guint16 protocol_version, record_length; + + /* + * Heuristics should match the TLS record header. + * ContentType (1), ProtocolVersion (2), Length (2) + * + * We do not check for an actual payload, IBM WebSphere is known + * to separate the record header and payload over two separate packets. + */ + if (tvb_captured_length(tvb) < 5) { + return FALSE; + } + + content_type = tvb_get_guint8(tvb, 0); + protocol_version = tvb_get_ntohs(tvb, 1); + record_length = tvb_get_ntohs(tvb, 3); + + /* These are the common types. */ + if (content_type != SSL_ID_HANDSHAKE && content_type != SSL_ID_APP_DATA) { + return FALSE; + } + + /* + * Match SSLv3, TLS 1.0/1.1/1.2 (TLS 1.3 uses same value as TLS 1.0). Most + * likely you'll see 0x300 (SSLv3) or 0x301 (TLS 1.1) for interoperability + * reasons. Per RFC 5246 we should accept any 0x3xx value, but this is just + * a heuristic that catches common/likely cases. + */ + if (protocol_version != SSLV3_VERSION && + protocol_version != TLSV1_VERSION && + protocol_version != TLSV1DOT1_VERSION && + protocol_version != TLSV1DOT2_VERSION && + protocol_version != TLCPV1_VERSION ) { + return FALSE; + } + + /* Check for sane length, see also ssl_check_record_length in packet-tls-utils.c */ + if (record_length == 0 || record_length >= TLS_MAX_RECORD_LENGTH + 2048) { + return FALSE; + } + + return TRUE; +} + +static gboolean +is_sslv2_clienthello(tvbuff_t *tvb) +{ + /* + * Detect SSL 2.0 compatible Client Hello as used in SSLv3 and TLS. + * + * https://tools.ietf.org/html/rfc5246#appendix-E.2 + * uint8 V2CipherSpec[3]; + * struct { + * uint16 msg_length; // 0: highest bit must be 1 + * uint8 msg_type; // 2: 1 for Client Hello + * Version version; // 3: equal to ClientHello.client_version + * uint16 cipher_spec_length; // 5: cannot be 0, must be multiple of 3 + * uint16 session_id_length; // 7: zero or 16 (in TLS 1.0) + * uint16 challenge_length; // 9: must be 32 + * // length so far: 2 + 1 + 2 + 2 + 2 + 2 = 11 + * V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length]; // len: min 3 + * opaque session_id[V2ClientHello.session_id_length]; // len: zero or 16 + * opaque challenge[V2ClientHello.challenge_length; // len: 32 + * // min. length: 11 + 3 + (0 or 16) + 32 = 46 or 62 + * } V2ClientHello; + */ + if (tvb_captured_length(tvb) < 46) { + return FALSE; + } + + /* Assume that message length is less than 256 (at most 64 cipherspecs). */ + if (tvb_get_guint8(tvb, 0) != 0x80) { + return FALSE; + } + + /* msg_type must be 1 for Client Hello */ + if (tvb_get_guint8(tvb, 2) != 1) { + return FALSE; + } + + /* cipher spec length must be a non-zero multiple of 3 */ + guint16 cipher_spec_length = tvb_get_ntohs(tvb, 5); + if (cipher_spec_length == 0 || cipher_spec_length % 3 != 0) { + return FALSE; + } + + /* session ID length must be 0 or 16 in TLS 1.0 */ + guint16 session_id_length = tvb_get_ntohs(tvb, 7); + if (session_id_length != 0 && session_id_length != 16) { + return FALSE; + } + + /* Challenge Length must be 32 */ + if (tvb_get_ntohs(tvb, 9) != 32) { + return FALSE; + } + + return TRUE; +} + +static int +dissect_ssl_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) +{ + conversation_t *conversation; + + if (!is_sslv3_or_tls(tvb) && !is_sslv2_clienthello(tvb)) { + return 0; + } + + conversation = find_or_create_conversation(pinfo); + conversation_set_dissector_from_frame_number(conversation, pinfo->num, tls_handle); + return dissect_ssl(tvb, pinfo, tree, data); +} + +static void +tls_save_decrypted_record(packet_info *pinfo, gint record_id, SslDecryptSession *ssl, guint8 content_type, + SslDecoder *decoder, gboolean allow_fragments, guint8 curr_layer_num_ssl) +{ + const guchar *data = ssl_decrypted_data.data; + guint datalen = ssl_decrypted_data_avail; + + if (datalen == 0) { + return; + } + + if (ssl->session.version == TLSV1DOT3_VERSION) { + /* + * The actual data is followed by the content type and then zero or + * more padding. Scan backwards for content type, skipping padding. + */ + while (datalen > 0 && data[datalen - 1] == 0) { + datalen--; + } + ssl_debug_printf("%s found %d padding bytes\n", G_STRFUNC, ssl_decrypted_data_avail - datalen); + if (datalen == 0) { + ssl_debug_printf("%s there is no room for content type!\n", G_STRFUNC); + return; + } + content_type = data[--datalen]; + if (datalen == 0) { + /* + * XXX zero-length Handshake fragments are forbidden by RFC 8446, + * Section 5.1. Empty Application Data fragments are allowed though. + */ + return; + } + } + + /* In TLS 1.3 only Handshake and Application Data can be fragmented. + * Alert messages MUST NOT be fragmented across records, so do not + * bother maintaining a flow for those. */ + ssl_add_record_info(proto_tls, pinfo, data, datalen, record_id, + allow_fragments ? decoder->flow : NULL, (ContentType)content_type, curr_layer_num_ssl); +} + +/** + * Try to decrypt the record and update the internal cipher state. + * On success, the decrypted data will be available in "ssl_decrypted_data" of + * length "ssl_decrypted_data_avail". + */ +static gboolean +decrypt_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset, SslDecryptSession *ssl, + guint8 content_type, guint16 record_version, guint16 record_length, + gboolean allow_fragments, guint8 curr_layer_num_ssl) +{ + gboolean success; + gint direction; + StringInfo *data_for_iv; + gint data_for_iv_len, data_for_iv_offset; + SslDecoder *decoder; + + /* if we can decrypt and decryption was a success + * add decrypted data to this packet info */ + ssl_debug_printf("decrypt_ssl3_record: app_data len %d, ssl state 0x%02X\n", + record_length, ssl->state); + direction = ssl_packet_from_server(&ssl->session, ssl_associations, pinfo); + + /* retrieve decoder for this packet direction */ + if (direction != 0) { + ssl_debug_printf("decrypt_ssl3_record: using server decoder\n"); + decoder = ssl->server; + } + else { + ssl_debug_printf("decrypt_ssl3_record: using client decoder\n"); + decoder = ssl->client; + } + + /* save data to update IV if decoder is available or updated later */ + data_for_iv = (direction != 0) ? &ssl->server_data_for_iv : &ssl->client_data_for_iv; + data_for_iv_len = (record_length < 24) ? record_length : 24; + data_for_iv_offset = offset + record_length - data_for_iv_len; + if (!tvb_bytes_exist(tvb, data_for_iv_offset, data_for_iv_len)) { + ssl_debug_printf("decrypt_ssl3_record: record truncated\n"); + return FALSE; + } + ssl_data_set(data_for_iv, (const guchar*)tvb_get_ptr(tvb, data_for_iv_offset, data_for_iv_len), data_for_iv_len); + + if (!decoder) { + ssl_debug_printf("decrypt_ssl3_record: no decoder available\n"); + return FALSE; + } + + /* run decryption and add decrypted payload to protocol data, if decryption + * is successful*/ + ssl_decrypted_data_avail = ssl_decrypted_data.data_len; + success = ssl_decrypt_record(ssl, decoder, content_type, record_version, tls_ignore_mac_failed, + tvb_get_ptr(tvb, offset, record_length), record_length, NULL, 0, + &ssl_compressed_data, &ssl_decrypted_data, &ssl_decrypted_data_avail) == 0; + /* */ + if (!success) { + /* save data to update IV if valid session key is obtained later */ + data_for_iv = (direction != 0) ? &ssl->server_data_for_iv : &ssl->client_data_for_iv; + data_for_iv_len = (record_length < 24) ? record_length : 24; + ssl_data_set(data_for_iv, (const guchar*)tvb_get_ptr(tvb, offset + record_length - data_for_iv_len, data_for_iv_len), data_for_iv_len); + } + if (success) { + tls_save_decrypted_record(pinfo, tvb_raw_offset(tvb)+offset, ssl, content_type, decoder, allow_fragments, curr_layer_num_ssl); + } + return success; +} + +/** + * Try to guess the early data cipher using trial decryption. + * Requires Libgcrypt 1.6 or newer for verifying that decryption is successful. + */ +static gboolean +decrypt_tls13_early_data(tvbuff_t *tvb, packet_info *pinfo, guint32 offset, + guint16 record_length, SslDecryptSession *ssl, + guint8 curr_layer_num_ssl) + +{ + gboolean success = FALSE; + + ssl_debug_printf("Trying early data encryption, first record / trial decryption: %s\n", + !(ssl->state & SSL_SEEN_0RTT_APPDATA) ? "true" : "false"); + + /* Only try trial decryption for the first record. */ + if (ssl->state & SSL_SEEN_0RTT_APPDATA) { + if (!ssl->client) { + return FALSE; // sanity check, should not happen in valid captures. + } + + ssl_decrypted_data_avail = ssl_decrypted_data.data_len; + success = ssl_decrypt_record(ssl, ssl->client, SSL_ID_APP_DATA, 0x303, FALSE, + tvb_get_ptr(tvb, offset, record_length), record_length, NULL, 0, + &ssl_compressed_data, &ssl_decrypted_data, &ssl_decrypted_data_avail) == 0; + if (success) { + tls_save_decrypted_record(pinfo, tvb_raw_offset(tvb)+offset, ssl, SSL_ID_APP_DATA, ssl->client, TRUE, curr_layer_num_ssl); + } else { + ssl_debug_printf("early data decryption failed, end of early data?\n"); + } + return success; + } + ssl->state |= SSL_SEEN_0RTT_APPDATA; + + ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, &ssl_master_key_map); + StringInfo *secret = tls13_load_secret(ssl, &ssl_master_key_map, FALSE, TLS_SECRET_0RTT_APP); + if (!secret) { + ssl_debug_printf("Missing secrets, early data decryption not possible!\n"); + return FALSE; + } + + const guint16 tls13_ciphers[] = { + 0x1301, /* TLS_AES_128_GCM_SHA256 */ + 0x1302, /* TLS_AES_256_GCM_SHA384 */ + 0x1303, /* TLS_CHACHA20_POLY1305_SHA256 */ + 0x1304, /* TLS_AES_128_CCM_SHA256 */ + 0x1305, /* TLS_AES_128_CCM_8_SHA256 */ + 0x00c6, /* TLS_SM4_GCM_SM3 */ + }; + const guchar *record = tvb_get_ptr(tvb, offset, record_length); + for (guint i = 0; i < G_N_ELEMENTS(tls13_ciphers); i++) { + guint16 cipher = tls13_ciphers[i]; + + ssl_debug_printf("Performing early data trial decryption, cipher = %#x\n", cipher); + ssl->session.cipher = cipher; + ssl->cipher_suite = ssl_find_cipher(cipher); + if (!tls13_generate_keys(ssl, secret, FALSE)) { + /* Unable to create cipher (old Libgcrypt) */ + continue; + } + + ssl_decrypted_data_avail = ssl_decrypted_data.data_len; + success = ssl_decrypt_record(ssl, ssl->client, SSL_ID_APP_DATA, 0x303, FALSE, record, record_length, NULL, 0, + &ssl_compressed_data, &ssl_decrypted_data, &ssl_decrypted_data_avail) == 0; + if (success) { + ssl_debug_printf("Early data decryption succeeded, cipher = %#x\n", cipher); + tls_save_decrypted_record(pinfo, tvb_raw_offset(tvb)+offset, ssl, SSL_ID_APP_DATA, ssl->client, TRUE, curr_layer_num_ssl); + break; + } + } + if (!success) { + ssl_debug_printf("Trial decryption of early data failed!\n"); + } + return success; +} + +static void +print_tls_fragment_tree(fragment_head *ipfd_head, proto_tree *tree, proto_tree *tls_tree, packet_info *pinfo, tvbuff_t *next_tvb) +{ + proto_item *tls_tree_item, *frag_tree_item; + + /* + * The subdissector thought it was completely + * desegmented (although the stuff at the + * end may, in turn, require desegmentation), + * so we show a tree with all segments. + */ + show_fragment_tree(ipfd_head, &ssl_segment_items, + tree, pinfo, next_tvb, &frag_tree_item); + /* + * The toplevel fragment subtree is now + * behind all desegmented data; move it + * right behind the TLS tree. + */ + tls_tree_item = proto_tree_get_parent(tls_tree); + if (frag_tree_item && tls_tree_item) { + proto_tree_move_item(tree, tls_tree_item, frag_tree_item); + } +} + +static guint32 +tls_msp_fragment_id(struct tcp_multisegment_pdu *msp) +{ + /* + * If a frame contains multiple appdata PDUs, then "first_frame" is not + * sufficient to uniquely identify groups of fragments. Therefore we use + * the tcp reassembly functions that also test msp->seq (the position of + * the initial fragment in the TLS stream). + * As a frame most likely does not have multiple PDUs (except maybe for + * HTTP2), just check 'seq' at the end instead of using it in the hash. + */ + guint32 id = msp->first_frame; +#if 0 + id ^= (msp->seq & 0xff) << 24; + id ^= (msp->seq & 0xff00) << 16; +#endif + return id; +} + +static void +desegment_ssl(tvbuff_t *tvb, packet_info *pinfo, int offset, + guint32 seq, guint32 nxtseq, + SslSession *session, + proto_tree *root_tree, proto_tree *tree, + SslFlow *flow, dissector_handle_t app_handle_port, + struct tlsinfo *tlsinfo) +{ + fragment_head *ipfd_head; + gboolean must_desegment; + gboolean called_dissector; + int another_pdu_follows; + gboolean another_segment_in_frame = FALSE; + int deseg_offset; + guint32 deseg_seq; + gint nbytes; + proto_item *item; + struct tcp_multisegment_pdu *msp; + +again: + ipfd_head = NULL; + must_desegment = FALSE; + called_dissector = FALSE; + another_pdu_follows = 0; + msp = NULL; + + /* + * Initialize these to assume no desegmentation. + * If that's not the case, these will be set appropriately + * by the subdissector. + */ + pinfo->desegment_offset = 0; + pinfo->desegment_len = 0; + + /* + * Initialize this to assume that this segment will just be + * added to the middle of a desegmented chunk of data, so + * that we should show it all as data. + * If that's not the case, it will be set appropriately. + */ + deseg_offset = offset; + + /* If we've seen this segment before (e.g., it's a retransmission), + * there's nothing for us to do. Certainly, don't add it to the list + * of multisegment_pdus (that would cause subsequent lookups to find + * the retransmission instead of the original transmission, breaking + * dissection of the desegmented pdu if we'd already seen the end of + * the pdu). + */ + if ((msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32(flow->multisegment_pdus, seq))) { + const char *prefix; + gboolean is_retransmission = FALSE; + + if (msp->first_frame == pinfo->num) { + /* This must be after the first pass. */ + prefix = ""; + if (msp->last_frame == pinfo->num) { + col_clear(pinfo->cinfo, COL_INFO); + } else { + col_set_str(pinfo->cinfo, COL_INFO, "[TLS segment of a reassembled PDU]"); + } + } else { + prefix = "Retransmitted "; + is_retransmission = TRUE; + } + + if (!is_retransmission) { + ipfd_head = fragment_get(&ssl_reassembly_table, pinfo, msp->first_frame, msp); + if (ipfd_head != NULL && ipfd_head->reassembled_in !=0 && + ipfd_head->reassembled_in != pinfo->num) { + /* Show what frame this was reassembled in if not this one. */ + item=proto_tree_add_uint(tree, *ssl_segment_items.hf_reassembled_in, + tvb, 0, 0, ipfd_head->reassembled_in); + proto_item_set_generated(item); + } + } + nbytes = tvb_reported_length_remaining(tvb, offset); + ssl_proto_tree_add_segment_data(tree, tvb, offset, nbytes, prefix); + return; + } + + /* Else, find the most previous PDU starting before this sequence number */ + msp = (struct tcp_multisegment_pdu *)wmem_tree_lookup32_le(flow->multisegment_pdus, seq-1); + if (msp && msp->seq <= seq && msp->nxtpdu > seq) { + int len; + + if (!PINFO_FD_VISITED(pinfo)) { + msp->last_frame = pinfo->num; + msp->last_frame_time = pinfo->abs_ts; + } + + /* OK, this PDU was found, which means the segment continues + * a higher-level PDU and that we must desegment it. + */ + if (msp->flags & MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT) { + /* The dissector asked for the entire segment */ + len = MAX(0, tvb_reported_length_remaining(tvb, offset)); + } else { + len = MIN(nxtseq, msp->nxtpdu) - seq; + } + + ipfd_head = fragment_add(&ssl_reassembly_table, tvb, offset, + pinfo, tls_msp_fragment_id(msp), msp, + seq - msp->seq, + len, (LT_SEQ (nxtseq,msp->nxtpdu))); + + if (!PINFO_FD_VISITED(pinfo) + && msp->flags & MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT) { + msp->flags &= (~MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT); + + /* If we consumed the entire segment there is no + * other pdu starting anywhere inside this segment. + * So update nxtpdu to point at least to the start + * of the next segment. + * (If the subdissector asks for even more data we + * will advance nxtpdu even further later down in + * the code.) + */ + msp->nxtpdu = nxtseq; + } + + if ( (msp->nxtpdu < nxtseq) + && (msp->nxtpdu >= seq) + && (len > 0)) { + another_pdu_follows = msp->nxtpdu - seq; + } + } else { + /* This segment was not found in our table, so it doesn't + * contain a continuation of a higher-level PDU. + * Call the normal subdissector. + */ + + /* + * Supply the sequence number of this segment. We set this here + * because this segment could be after another in the same packet, + * in which case seq was incremented at the end of the loop. + */ + tlsinfo->seq = seq; + + process_ssl_payload(tvb, offset, pinfo, tree, session, app_handle_port, tlsinfo); + called_dissector = TRUE; + + /* Did the subdissector ask us to desegment some more data + * before it could handle the packet? + * If so we have to create some structures in our table but + * this is something we only do the first time we see this + * packet. + */ + if (pinfo->desegment_len) { + if (!PINFO_FD_VISITED(pinfo)) + must_desegment = TRUE; + + /* + * Set "deseg_offset" to the offset in "tvb" + * of the first byte of data that the + * subdissector didn't process. + */ + deseg_offset = offset + pinfo->desegment_offset; + } + + /* Either no desegmentation is necessary, or this is + * segment contains the beginning but not the end of + * a higher-level PDU and thus isn't completely + * desegmented. + */ + ipfd_head = NULL; + } + + + /* is it completely desegmented? */ + if (ipfd_head && ipfd_head->reassembled_in == pinfo->num) { + /* + * Yes, we think it is. + * We only call subdissector for the last segment. + * Note that the last segment may include more than what + * we needed. + */ + if (nxtseq < msp->nxtpdu) { + /* + * This is *not* the last segment. It is part of a PDU in the same + * frame, so no another PDU can follow this one. + * Do not reassemble TLS yet, it will be done in the final segment. + * (If we are reassembling at FIN, we will do that in dissect_ssl() + * after iterating through all the records.) + * Clear the Info column and avoid displaying [TLS segment of a + * reassembled PDU], the payload dissector will typically set it. + * (This is needed here for the second pass.) + */ + another_pdu_follows = 0; + col_clear(pinfo->cinfo, COL_INFO); + another_segment_in_frame = TRUE; + } else { + /* + * OK, this is the last segment of the PDU and also the + * last segment in this frame. + * Let's call the subdissector with the desegmented + * data. + */ + tvbuff_t *next_tvb; + int old_len; + + /* + * Reset column in case multiple TLS segments form the + * PDU and this last TLS segment is not in the first TCP segment of + * this frame. + * XXX prevent clearing the column if the last layer is not SSL? + */ + /* Clear column during the first pass. */ + col_clear(pinfo->cinfo, COL_INFO); + + /* create a new TVB structure for desegmented data */ + next_tvb = tvb_new_chain(tvb, ipfd_head->tvb_data); + + /* add desegmented data to the data source list */ + add_new_data_source(pinfo, next_tvb, "Reassembled TLS"); + + /* + * Supply the sequence number of the first of the + * reassembled bytes. + */ + tlsinfo->seq = msp->seq; + + /* indicate that this is reassembled data */ + tlsinfo->is_reassembled = TRUE; + + /* call subdissector */ + process_ssl_payload(next_tvb, 0, pinfo, tree, session, app_handle_port, tlsinfo); + called_dissector = TRUE; + + /* + * OK, did the subdissector think it was completely + * desegmented, or does it think we need even more + * data? + */ + old_len = (int)(tvb_reported_length(next_tvb) - tvb_reported_length_remaining(tvb, offset)); + if (pinfo->desegment_len && pinfo->desegment_offset <= old_len) { + /* + * "desegment_len" isn't 0, so it needs more + * data for something - and "desegment_offset" + * is before "old_len", so it needs more data + * to dissect the stuff we thought was + * completely desegmented (as opposed to the + * stuff at the beginning being completely + * desegmented, but the stuff at the end + * being a new higher-level PDU that also + * needs desegmentation). + */ + fragment_set_partial_reassembly(&ssl_reassembly_table, + pinfo, tls_msp_fragment_id(msp), msp); + /* Update msp->nxtpdu to point to the new next + * pdu boundary. + */ + if (pinfo->desegment_len == DESEGMENT_ONE_MORE_SEGMENT) { + /* We want reassembly of at least one + * more segment so set the nxtpdu + * boundary to one byte into the next + * segment. + * This means that the next segment + * will complete reassembly even if it + * is only one single byte in length. + */ + msp->nxtpdu = seq + tvb_reported_length_remaining(tvb, offset) + 1; + msp->flags |= MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT; + } else if (pinfo->desegment_len == DESEGMENT_UNTIL_FIN) { + /* This is not the first segment, and we thought reassembly + * would be done now, but now we know we desegment at FIN. + * E.g., a HTTP response where the headers were split + * across segments (so previous ONE_MORE_SEGMENT) and + * also no Content-Length (so now DESEGMENT_UNTIL_FIN). + */ + flow->flags |= TCP_FLOW_REASSEMBLE_UNTIL_FIN; + msp->nxtpdu = nxtseq + 0x40000000; + } else { + msp->nxtpdu = seq + tvb_reported_length_remaining(tvb, offset) + pinfo->desegment_len; + } + /* Since we need at least some more data + * there can be no pdu following in the + * tail of this segment. + */ + another_pdu_follows = 0; + } else { + /* + * Show the stuff in this TCP segment as + * just raw TCP segment data. + */ + nbytes = tvb_reported_length_remaining(tvb, offset); + ssl_proto_tree_add_segment_data(tree, tvb, offset, nbytes, NULL); + + /* Show details of the reassembly */ + print_tls_fragment_tree(ipfd_head, root_tree, tree, pinfo, next_tvb); + + /* Did the subdissector ask us to desegment + * some more data? This means that the data + * at the beginning of this segment completed + * a higher-level PDU, but the data at the + * end of this segment started a higher-level + * PDU but didn't complete it. + * + * If so, we have to create some structures + * in our table, but this is something we + * only do the first time we see this packet. + */ + if (pinfo->desegment_len) { + if (!PINFO_FD_VISITED(pinfo)) + must_desegment = TRUE; + + /* The stuff we couldn't dissect + * must have come from this segment, + * so it's all in "tvb". + * + * "pinfo->desegment_offset" is + * relative to the beginning of + * "next_tvb"; we want an offset + * relative to the beginning of "tvb". + * + * First, compute the offset relative + * to the *end* of "next_tvb" - i.e., + * the number of bytes before the end + * of "next_tvb" at which the + * subdissector stopped. That's the + * length of "next_tvb" minus the + * offset, relative to the beginning + * of "next_tvb, at which the + * subdissector stopped. + */ + deseg_offset = ipfd_head->datalen - pinfo->desegment_offset; + + /* "tvb" and "next_tvb" end at the + * same byte of data, so the offset + * relative to the end of "next_tvb" + * of the byte at which we stopped + * is also the offset relative to + * the end of "tvb" of the byte at + * which we stopped. + * + * Convert that back into an offset + * relative to the beginning of + * "tvb", by taking the length of + * "tvb" and subtracting the offset + * relative to the end. + */ + deseg_offset = tvb_reported_length(tvb) - deseg_offset; + } + } + } + } + + if (must_desegment) { + /* If the dissector requested "reassemble until FIN" + * just set this flag for the flow and let reassembly + * proceed at normal. We will check/pick up these + * reassembled PDUs later down in dissect_tcp() when checking + * for the FIN flag. + */ + if (pinfo->desegment_len == DESEGMENT_UNTIL_FIN) { + flow->flags |= TCP_FLOW_REASSEMBLE_UNTIL_FIN; + } + /* + * The sequence number at which the stuff to be desegmented + * starts is the sequence number of the byte at an offset + * of "deseg_offset" into "tvb". + * + * The sequence number of the byte at an offset of "offset" + * is "seq", i.e. the starting sequence number of this + * segment, so the sequence number of the byte at + * "deseg_offset" is "seq + (deseg_offset - offset)". + */ + deseg_seq = seq + (deseg_offset - offset); + + if (((nxtseq - deseg_seq) <= 1024*1024) + && (!PINFO_FD_VISITED(pinfo))) { + if (pinfo->desegment_len == DESEGMENT_ONE_MORE_SEGMENT) { + /* The subdissector asked to reassemble using the + * entire next segment. + * Just ask reassembly for one more byte + * but set this msp flag so we can pick it up + * above. + */ + msp = pdu_store_sequencenumber_of_next_pdu(pinfo, + deseg_seq, nxtseq+1, flow->multisegment_pdus); + msp->flags |= MSP_FLAGS_REASSEMBLE_ENTIRE_SEGMENT; + } else if (pinfo->desegment_len == DESEGMENT_UNTIL_FIN) { + /* Set nxtseq very large so that reassembly won't happen + * until we force it at the end of the stream in dissect_ssl() + * outside this function. + */ + msp = pdu_store_sequencenumber_of_next_pdu(pinfo, + deseg_seq, nxtseq+0x40000000, flow->multisegment_pdus); + } else { + msp = pdu_store_sequencenumber_of_next_pdu(pinfo, + deseg_seq, nxtseq+pinfo->desegment_len, flow->multisegment_pdus); + } + + /* add this segment as the first one for this new pdu */ + fragment_add(&ssl_reassembly_table, tvb, deseg_offset, + pinfo, tls_msp_fragment_id(msp), msp, + 0, nxtseq - deseg_seq, + LT_SEQ(nxtseq, msp->nxtpdu)); + } + } + + if (!called_dissector || pinfo->desegment_len != 0) { + if (ipfd_head != NULL && ipfd_head->reassembled_in != 0 && + ipfd_head->reassembled_in != pinfo->num && + !(ipfd_head->flags & FD_PARTIAL_REASSEMBLY)) { + /* + * We know what other frame this PDU is reassembled in; + * let the user know. + */ + item=proto_tree_add_uint(tree, *ssl_segment_items.hf_reassembled_in, + tvb, 0, 0, ipfd_head->reassembled_in); + proto_item_set_generated(item); + } + + /* + * Either we didn't call the subdissector at all (i.e., + * this is a segment that contains the middle of a + * higher-level PDU, but contains neither the beginning + * nor the end), or the subdissector couldn't dissect it + * all, as some data was missing (i.e., it set + * "pinfo->desegment_len" to the amount of additional + * data it needs). + */ + if (!another_segment_in_frame && pinfo->desegment_offset == 0) { + /* + * It couldn't, in fact, dissect any of it (the + * first byte it couldn't dissect is at an offset + * of "pinfo->desegment_offset" from the beginning + * of the payload, and that's 0). + * Just mark this as SSL. + */ + col_set_str(pinfo->cinfo, COL_PROTOCOL, + val_to_str_const(session->version, ssl_version_short_names, "SSL")); + col_set_str(pinfo->cinfo, COL_INFO, "[TLS segment of a reassembled PDU]"); + } + + /* + * Show what's left in the packet as just raw TCP segment + * data. + * XXX - remember what protocol the last subdissector + * was, and report it as a continuation of that, instead? + */ + nbytes = tvb_reported_length_remaining(tvb, deseg_offset); + ssl_proto_tree_add_segment_data(tree, tvb, deseg_offset, nbytes, NULL); + } + pinfo->can_desegment = 0; + pinfo->desegment_offset = 0; + pinfo->desegment_len = 0; + + if (another_pdu_follows) { + /* there was another pdu following this one. */ + pinfo->can_desegment=2; + /* we also have to prevent the dissector from changing the + * PROTOCOL and INFO colums since what follows may be an + * incomplete PDU and we don't want it be changed back from + * <Protocol> to <TCP> + */ + col_set_fence(pinfo->cinfo, COL_INFO); + col_set_writable(pinfo->cinfo, COL_PROTOCOL, FALSE); + offset += another_pdu_follows; + seq += another_pdu_follows; + goto again; + } +} + +static void +export_pdu_packet(tvbuff_t *tvb, packet_info *pinfo, guint8 tag, const gchar *name) +{ + exp_pdu_data_t *exp_pdu_data = export_pdu_create_common_tags(pinfo, name, tag); + + exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb); + exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb); + exp_pdu_data->pdu_tvb = tvb; + + tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data); +} + +static void +process_ssl_payload(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree, SslSession *session, + dissector_handle_t app_handle_port, + struct tlsinfo *tlsinfo) +{ + tvbuff_t *next_tvb; + heur_dtbl_entry_t *hdtbl_entry; + guint16 saved_match_port; + + tlsinfo->app_handle = &session->app_handle; + + next_tvb = tvb_new_subset_remaining(tvb, offset); + + /* If the appdata proto is not yet known (no STARTTLS), try heuristics + * first, then ports-based dissectors. Port 443 is too overloaded... */ + if (!session->app_handle) { + /* The heuristics dissector should set the app_handle via tlsinfo + * if it wants to be called in the future. */ + if (dissector_try_heuristic(ssl_heur_subdissector_list, next_tvb, + pinfo, proto_tree_get_root(tree), &hdtbl_entry, + tlsinfo)) { + ssl_debug_printf("%s: found heuristics dissector %s, app_handle is %p (%s)\n", + G_STRFUNC, hdtbl_entry->short_name, + (void *)session->app_handle, + dissector_handle_get_dissector_name(session->app_handle)); + if (have_tap_listener(exported_pdu_tap)) { + export_pdu_packet(next_tvb, pinfo, EXP_PDU_TAG_HEUR_DISSECTOR_NAME, hdtbl_entry->short_name); + } + return; + } + if (app_handle_port) { + /* Heuristics failed, just try the port-based dissector. */ + ssl_debug_printf("%s: no heuristics dissector, falling back to " + "handle %p (%s)\n", G_STRFUNC, + (void *)app_handle_port, + dissector_handle_get_dissector_name(app_handle_port)); + session->app_handle = app_handle_port; + } else { + /* No heuristics, no port-based proto, unknown protocol. */ + ssl_debug_printf("%s: no appdata dissector found\n", G_STRFUNC); + call_data_dissector(next_tvb, pinfo, proto_tree_get_root(tree)); + return; + } + } + + ssl_debug_printf("%s: found handle %p (%s)\n", G_STRFUNC, + (void *)session->app_handle, + dissector_handle_get_dissector_name(session->app_handle)); + + if (have_tap_listener(exported_pdu_tap)) { + export_pdu_packet(next_tvb, pinfo, EXP_PDU_TAG_DISSECTOR_NAME, + dissector_handle_get_dissector_name(session->app_handle)); + } + saved_match_port = pinfo->match_uint; + if (ssl_packet_from_server(session, ssl_associations, pinfo)) { + pinfo->match_uint = pinfo->srcport; + } else { + pinfo->match_uint = pinfo->destport; + } + call_dissector_with_data(session->app_handle, next_tvb, pinfo, proto_tree_get_root(tree), tlsinfo); + pinfo->match_uint = saved_match_port; +} + +static void +dissect_ssl_payload(tvbuff_t *decrypted, packet_info *pinfo, + proto_tree *tree, SslSession *session, + SslRecordInfo *record, + dissector_handle_t app_handle_port, + struct tlsinfo *tlsinfo) +{ + gboolean save_fragmented; + guint16 save_can_desegment; + + tlsinfo->seq = record->seq; + + /* Preserve current desegmentation ability to prevent the subdissector + * from messing up the ssl desegmentation */ + save_can_desegment = pinfo->can_desegment; + + /* try to dissect decrypted data*/ + ssl_debug_printf("%s decrypted len %d\n", G_STRFUNC, record->data_len); + ssl_print_data("decrypted app data fragment", record->plain_data, record->data_len); + + /* Can we desegment this segment? */ + if (tls_desegment_app_data) { + /* Yes. */ + pinfo->can_desegment = 2; + desegment_ssl(decrypted, pinfo, 0, record->seq, record->seq + record->data_len, + session, proto_tree_get_root(tree), tree, + record->flow, app_handle_port, tlsinfo); + } else if (session->app_handle || app_handle_port) { + /* No - just call the subdissector. + Mark this as fragmented, so if somebody throws an exception, + we don't report it as a malformed frame. */ + pinfo->can_desegment = 0; + save_fragmented = pinfo->fragmented; + pinfo->fragmented = TRUE; + + process_ssl_payload(decrypted, 0, pinfo, tree, session, app_handle_port, tlsinfo); + pinfo->fragmented = save_fragmented; + } + + /* restore desegmentation ability */ + pinfo->can_desegment = save_can_desegment; +} + + +/********************************************************************* + * + * SSL version 3 and TLS Dissection Routines + * + *********************************************************************/ +static gint +dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, guint32 offset, + SslSession *session, gint is_from_server, + gboolean *need_desegmentation, + SslDecryptSession *ssl, + guint8 curr_layer_num_ssl, struct tlsinfo *tlsinfo) +{ + + /* + * struct { + * uint8 major, minor; + * } ProtocolVersion; + * + * + * enum { + * change_cipher_spec(20), alert(21), handshake(22), + * application_data(23), (255) + * } ContentType; + * + * struct { + * ContentType type; + * ProtocolVersion version; + * uint16 length; + * opaque fragment[TLSPlaintext.length]; + * } TLSPlaintext; + */ + guint32 record_length; + guint16 record_version, version; + guint8 content_type; + guint8 next_byte; + proto_tree *ti; + proto_tree *ssl_record_tree; + proto_item *length_pi, *ct_pi; + guint content_type_offset; + guint32 available_bytes; + tvbuff_t *decrypted; + SslRecordInfo *record = NULL; + + ti = NULL; + ssl_record_tree = NULL; + + available_bytes = tvb_reported_length_remaining(tvb, offset); + + /* TLS 1.0/1.1 just ignores unknown records - RFC 2246 chapter 6. The TLS Record Protocol */ + if ((session->version==TLSV1_VERSION || + session->version==TLSV1DOT1_VERSION || + session->version==TLSV1DOT2_VERSION || + session->version==TLCPV1_VERSION ) && + (available_bytes >=1 ) && !ssl_is_valid_content_type(tvb_get_guint8(tvb, offset))) { + proto_tree_add_expert(tree, pinfo, &ei_tls_ignored_unknown_record, tvb, offset, available_bytes); + col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Ignored Unknown Record"); + return offset + available_bytes; + } + + /* + * Is the record header split across segment boundaries? + */ + if (available_bytes < 5) { + /* + * Yes - can we do reassembly? + */ + ssl_proto_tree_add_segment_data(tree, tvb, offset, -1, NULL); + if (tls_desegment && pinfo->can_desegment) { + /* + * Yes. Tell the TCP dissector where the data for this + * message starts in the data it handed us, and that we need + * "some more data." Don't tell it exactly how many bytes we + * need because if/when we ask for even more (after the header) + * that will break reassembly. + */ + pinfo->desegment_offset = offset; + pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; + *need_desegmentation = TRUE; + return offset; + } else { + /* Not enough bytes available. Stop here. */ + return offset + available_bytes; + } + } + + /* + * Get the record layer fields of interest + */ + content_type = tvb_get_guint8(tvb, offset); + version = tvb_get_ntohs(tvb, offset + 1); + record_version = version; + record_length = tvb_get_ntohs(tvb, offset + 3); + + if (ssl_is_valid_content_type(content_type)) { + + /* + * Is the record split across segment boundaries? + */ + if (available_bytes < record_length + 5) { + /* + * Yes - can we do reassembly? + */ + ssl_proto_tree_add_segment_data(tree, tvb, offset, -1, NULL); + if (tls_desegment && pinfo->can_desegment) { + /* + * Yes. Tell the TCP dissector where the data for this + * message starts in the data it handed us, and how many + * more bytes we need, and return. + */ + pinfo->desegment_offset = offset; + + /* Don't use: + * pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; + * it avoids some minor display glitches when a frame contains + * the continuation of a previous PDU together with a full new + * PDU, but it completely breaks dissection for jumbo TLS frames + */ + + pinfo->desegment_len = (record_length + 5) - available_bytes; + *need_desegmentation = TRUE; + return offset; + } else { + /* Not enough bytes available. Stop here. */ + return offset + available_bytes; + } + } + + } else { + /* if we don't have a valid content_type, there's no sense + * continuing any further + */ + col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Continuation Data"); + + return offset + 5 + record_length; + } + + /* add the record layer subtree header */ + ti = proto_tree_add_item(tree, hf_tls_record, tvb, + offset, 5 + record_length, ENC_NA); + ssl_record_tree = proto_item_add_subtree(ti, ett_tls_record); + + /* show the one-byte content type */ + if (session->version == TLSV1DOT3_VERSION && content_type == SSL_ID_APP_DATA) { + ct_pi = proto_tree_add_item(ssl_record_tree, hf_tls_record_opaque_type, + tvb, offset, 1, ENC_BIG_ENDIAN); + } else { + ct_pi = proto_tree_add_item(ssl_record_tree, hf_tls_record_content_type, + tvb, offset, 1, ENC_BIG_ENDIAN); + } + content_type_offset = offset; + offset++; + + /* add the version */ + proto_tree_add_item(ssl_record_tree, hf_tls_record_version, tvb, + offset, 2, ENC_BIG_ENDIAN); + offset += 2; + + /* add the length */ + length_pi = proto_tree_add_uint(ssl_record_tree, hf_tls_record_length, tvb, + offset, 2, record_length); + offset += 2; /* move past length field itself */ + + /* + * if we don't already have a version set for this conversation, + * but this message's version is authoritative (i.e., it's + * not client_hello, then save the version to the conversation + * structure and print the column version. If the message is not authorative + * (i.e. it is a Client Hello), then this version will still be used for + * display purposes only (it will not be stored in the conversation). + */ + next_byte = tvb_get_guint8(tvb, offset); + if (session->version == SSL_VER_UNKNOWN) { + ssl_try_set_version(session, ssl, content_type, next_byte, FALSE, version); + /* Version has possibly changed, adjust the column accordingly. */ + col_set_str(pinfo->cinfo, COL_PROTOCOL, + val_to_str_const(version, ssl_version_short_names, "SSL")); + } else { + version = session->version; + } + + /* + * now dissect the next layer + */ + ssl_debug_printf("dissect_ssl3_record: content_type %d %s\n",content_type, val_to_str_const(content_type, ssl_31_content_type, "unknown")); + + /* try to decrypt record on the first pass, if possible. Store decrypted + * record for later usage (without having to decrypt again). The offset is + * used as 'key' to identify this record in the packet (we can have multiple + * handshake records in the same frame). + * In TLS 1.3, an encrypted record always has (outer) opaque_type of + * "Application Data". The actual content type of the record is found + * after decryption. + */ + if (ssl && record_length && (session->version != TLSV1DOT3_VERSION || content_type == SSL_ID_APP_DATA)) { + gboolean decrypt_ok = FALSE; + + /* Try to decrypt TLS 1.3 early data first */ + if (session->version == TLSV1DOT3_VERSION && content_type == SSL_ID_APP_DATA && + ssl->has_early_data && !ssl_packet_from_server(session, ssl_associations, pinfo)) { + decrypt_ok = decrypt_tls13_early_data(tvb, pinfo, offset, record_length, ssl, curr_layer_num_ssl); + if (!decrypt_ok) { + /* Either trial decryption failed (e.g. missing key) or end of + * early data is reached. Switch to HS secrets if available. */ + if (ssl->state & SSL_SERVER_RANDOM) { + tls13_change_key(ssl, &ssl_master_key_map, FALSE, TLS_SECRET_HANDSHAKE); + } + ssl->has_early_data = FALSE; + } + } + + if (!decrypt_ok) { + decrypt_ssl3_record(tvb, pinfo, offset, ssl, + content_type, record_version, record_length, + content_type == SSL_ID_APP_DATA || + content_type == SSL_ID_HANDSHAKE, curr_layer_num_ssl); + } + } + + /* try to retrieve and use decrypted alert/handshake/appdata record, if any. */ + decrypted = ssl_get_record_info(tvb, proto_tls, pinfo, tvb_raw_offset(tvb)+offset, curr_layer_num_ssl, &record); + if (decrypted) { + add_new_data_source(pinfo, decrypted, "Decrypted TLS"); + if (session->version == TLSV1DOT3_VERSION) { + content_type = record->type; + ti = proto_tree_add_uint(ssl_record_tree, hf_tls_record_content_type, + tvb, content_type_offset, 1, record->type); + proto_item_set_generated(ti); + } + } + ssl_check_record_length(&dissect_ssl3_hf, pinfo, (ContentType)content_type, record_length, length_pi, version, decrypted); + + switch ((ContentType) content_type) { + case SSL_ID_CHG_CIPHER_SPEC: + if (version == TLSV1DOT3_VERSION && session->tls13_draft_version > 0 && session->tls13_draft_version < 22) { + /* CCS was reintroduced in TLS 1.3 draft -22 */ + expert_add_info_format(pinfo, ct_pi, &ei_tls_unexpected_message, + "Record type is not allowed in TLS 1.3"); + break; + } + col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Change Cipher Spec"); + ssl_dissect_change_cipher_spec(&dissect_ssl3_hf, tvb, pinfo, + ssl_record_tree, offset, session, + is_from_server, ssl); + if (version == TLSV1DOT3_VERSION) { + /* CCS is a dummy message in TLS 1.3, do not try to load keys. */ + break; + } + if (ssl) { + ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, + &ssl_master_key_map); + ssl_finalize_decryption(ssl, &ssl_master_key_map); + ssl_change_cipher(ssl, ssl_packet_from_server(session, ssl_associations, pinfo)); + } + /* Heuristic: any later ChangeCipherSpec is not a resumption of this + * session. Set the flag after ssl_finalize_decryption such that it has + * a chance to use resume using Session Tickets. */ + if (is_from_server) + session->is_session_resumed = FALSE; + break; + case SSL_ID_ALERT: + if (decrypted) { + dissect_ssl3_alert(decrypted, pinfo, ssl_record_tree, 0, 2, session, tlsinfo); + } else { + dissect_ssl3_alert(tvb, pinfo, ssl_record_tree, offset, record_length, session, tlsinfo); + } + break; + case SSL_ID_HANDSHAKE: + if (decrypted) { + guint record_id = record->id; + dissect_tls_handshake(decrypted, pinfo, ssl_record_tree, 0, + tvb_reported_length(decrypted), FALSE, record_id, curr_layer_num_ssl, session, + is_from_server, ssl, version); + } else { + // Combine both the offset within this TCP segment and the layer + // number in case a record consists of multiple reassembled TCP + // segments. The exact value does not matter, but it should be + // unique per frame. + guint record_id = tvb_raw_offset(tvb) + offset + curr_layer_num_ssl; + dissect_tls_handshake(tvb, pinfo, ssl_record_tree, offset, + offset + record_length, TRUE, record_id, curr_layer_num_ssl, session, + is_from_server, ssl, version); + } + break; + case SSL_ID_APP_DATA: + { + dissector_handle_t app_handle; + + /* show on info column what we are decoding */ + col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Application Data"); + + /* app_handle discovery is done here instead of dissect_ssl_payload() + * because the protocol name needs to be displayed below. */ + app_handle = session->app_handle; + if (!app_handle) { + /* Unknown protocol handle, ssl_starttls_ack was not called before. + * Try to find a port-based protocol and use it if there is no + * heuristics dissector (see process_ssl_payload). */ + app_handle = dissector_get_uint_handle(ssl_associations, pinfo->srcport); + if (!app_handle) app_handle = dissector_get_uint_handle(ssl_associations, pinfo->destport); + } + + proto_item_set_text(ssl_record_tree, + "%s Record Layer: %s Protocol: %s", + val_to_str_const(version, ssl_version_short_names, "SSL"), + val_to_str_const(content_type, ssl_31_content_type, "unknown"), + app_handle ? dissector_handle_get_protocol_long_name(app_handle) + : "Application Data"); + + proto_tree_add_item(ssl_record_tree, hf_tls_record_appdata, tvb, + offset, record_length, ENC_NA); + + if (app_handle) { + ti = proto_tree_add_string(ssl_record_tree, hf_tls_record_appdata_proto, tvb, 0, 0, dissector_handle_get_protocol_long_name(app_handle)); + proto_item_set_generated(ti); + } + + if (decrypted) { + dissect_ssl_payload(decrypted, pinfo, tree, session, record, app_handle, tlsinfo); + } + + /* Set app proto again in case the heuristics found a different proto. */ + if (session->app_handle && session->app_handle != app_handle) + proto_item_set_text(ssl_record_tree, + "%s Record Layer: %s Protocol: %s", + val_to_str_const(version, ssl_version_short_names, "SSL"), + val_to_str_const(content_type, ssl_31_content_type, "unknown"), + dissector_handle_get_protocol_long_name(session->app_handle)); + + break; + } + case SSL_ID_HEARTBEAT: + if (version == TLSV1DOT3_VERSION) { + expert_add_info_format(pinfo, ct_pi, &ei_tls_unexpected_message, + "Record type is not allowed in TLS 1.3"); + break; + } + if (decrypted) { + dissect_ssl3_heartbeat(decrypted, pinfo, ssl_record_tree, 0, session, tvb_reported_length (decrypted), TRUE); + } else { + gboolean plaintext = TRUE; + /* heartbeats before ChangeCipherSpec are unencrypted */ + if (ssl) { + if (ssl_packet_from_server(session, ssl_associations, pinfo)) { + plaintext = ssl->server == NULL; + } else { + plaintext = ssl->client == NULL; + } + } + dissect_ssl3_heartbeat(tvb, pinfo, ssl_record_tree, offset, session, record_length, plaintext); + } + break; + case SSL_ID_TLS12_CID: + break; + } + offset += record_length; /* skip to end of record */ + + return offset; +} + +/* dissects the alert message, filling in the tree */ +static void +dissect_ssl3_alert(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, guint32 offset, guint32 record_length, + const SslSession *session, struct tlsinfo *tlsinfo) +{ + /* struct { + * AlertLevel level; + * AlertDescription description; + * } Alert; + */ + proto_tree *ti; + proto_tree *alert_tree = NULL; + const gchar *level; + const gchar *desc; + guint8 level_byte, desc_byte; + + if (tree) + { + ti = proto_tree_add_item(tree, hf_tls_alert_message, tvb, + offset, record_length, ENC_NA); + alert_tree = proto_item_add_subtree(ti, ett_tls_alert); + } + + /* + * Assume that TLS alert records are not fragmented. Any larger message is + * assumed to be encrypted. + */ + if (record_length != 2) { + col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Encrypted Alert"); + proto_item_set_text(tree, + "%s Record Layer: Encrypted Alert", + val_to_str_const(session->version, ssl_version_short_names, "TLS")); + proto_item_set_text(alert_tree, + "Alert Message: Encrypted Alert"); + return; + } + + /* + * set the record layer label + */ + + /* first lookup the names for the alert level and description */ + level_byte = tvb_get_guint8(tvb, offset); /* grab the level byte */ + level = val_to_str_const(level_byte, ssl_31_alert_level, "Unknown"); + + desc_byte = tvb_get_guint8(tvb, offset+1); /* grab the desc byte */ + desc = val_to_str_const(desc_byte, ssl_31_alert_description, "Unknown"); + if (desc_byte == 0) { + /* If this is a close_notify, mark it as the end of the stream. + * (XXX: Maybe we should do this for other alerts, and maybe + * reassembling at FIN should also try reassembling at RST as well?) + */ + tlsinfo->end_of_stream = TRUE; + } + + /* now set the text in the record layer line */ + col_append_sep_fstr(pinfo->cinfo, COL_INFO, NULL, + "Alert (Level: %s, Description: %s)", + level, desc); + + if (tree) + { + proto_item_set_text(tree, "%s Record Layer: Alert " + "(Level: %s, Description: %s)", + val_to_str_const(session->version, ssl_version_short_names, "TLS"), + level, desc); + proto_tree_add_item(alert_tree, hf_tls_alert_message_level, + tvb, offset++, 1, ENC_BIG_ENDIAN); + + proto_tree_add_item(alert_tree, hf_tls_alert_message_description, + tvb, offset++, 1, ENC_BIG_ENDIAN); + } +} + + +/** + * Checks whether a handshake message seems encrypted and cannot be dissected. + */ +static gboolean +is_encrypted_handshake_message(tvbuff_t *tvb, packet_info *pinfo, guint32 offset, guint32 offset_end, + gboolean maybe_encrypted, SslSession *session, gboolean is_from_server) +{ + guint record_length = offset_end - offset; + guint msg_length; + guint8 msg_type; + guint16 version; + + if (record_length < 16) { + /* + * Encrypted data has additional overhead. For TLS 1.0/1.1 with stream + * and block ciphers, there is at least a MAC which is at minimum 16 + * bytes for MD5. In TLS 1.2, AEAD adds an explicit nonce and auth tag. + * For AES-GCM/CCM the auth tag is 16 bytes. AES_CCM_8 (RFC 6655) uses 8 + * byte auth tags, but the explicit nonce is also 8 (sums up to 16). + * + * So anything smaller than 16 bytes is assumed to be plaintext. + */ + return FALSE; + } + + /* + * If this is not a decrypted buffer, then perhaps it is still in plaintext. + * Heuristics: if the buffer is too small, it is likely not encrypted. + * Otherwise assume that the Handshake does not contain two successive + * HelloRequest messages (type=0x00 length=0x000000, type=0x00). If this + * occurs, then we have possibly found the explicit nonce preceding the + * encrypted contents for GCM/CCM cipher suites as used in TLS 1.2. + */ + if (maybe_encrypted) { + maybe_encrypted = tvb_get_ntoh40(tvb, offset) == 0; + /* + * TODO handle Finished message after CCS in the same frame and remove the + * above nonce-based heuristic. + */ + } + + if (!maybe_encrypted) { + /* + * Assume encrypted if the message type makes no sense. If this still + * leads to false positives (detecting plaintext while it should mark + * stuff as encrypted), some other ideas include: + * - Perform additional validation based on the message type. + * - Disallow handshake fragmentation except for some common cases like + * Certificate messages (due to large certificates). + */ + msg_type = tvb_get_guint8(tvb, offset); + maybe_encrypted = try_val_to_str(msg_type, ssl_31_handshake_type) == NULL; + if (!maybe_encrypted) { + msg_length = tvb_get_ntoh24(tvb, offset + 1); + // Assume handshake messages are below 64K. + maybe_encrypted = msg_length >= 0x010000; + } + } + + if (!maybe_encrypted) { + + /* + * Everything after the ChangeCipherSpec message should be encrypted. + * At least some buggy clients send a new handshake in the clear + * when renegotiating, though. (#18867). + */ + guint32 *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame; + if (*ccs_frame != 0 && pinfo->num > *ccs_frame) { + switch (msg_type) { + + case SSL_HND_CLIENT_HELLO: + case SSL_HND_SERVER_HELLO: + version = tvb_get_ntohs(tvb, offset + 4); + maybe_encrypted = !ssl_is_valid_ssl_version(version); + + if (!maybe_encrypted) { + // Assume ClientHello and ServerHello are < 1024. + maybe_encrypted = msg_length >= 0x400; + } + + if (!maybe_encrypted) { + /* + * This is after the CCS, but looks like an unencrypted + * ClientHello or ServerHello. This is a new handshake; + * it's a buggy renegotiation or possibly retransmissions. + */ + *ccs_frame = 0; + /* XXX: Resetting the CCS frame state will allow us to + * detect the new handshake, but can mean false positives + * on earlier frames on later passes (reporting as + * cleartext handshake messages that were encrypted and + * we failed to decrypt on the first pass.) Maybe we + * should store some additional state, either per packet + * in SslPacketInfo or more complicated information about + * encrypted handshake state changes. (E.g., in a wmem_tree + * store the frames where we get a CCS and the frames + * where this happens.) + */ + } + break; + default: + maybe_encrypted = TRUE; + } + } + } + return maybe_encrypted; +} + +static TlsHsFragment * +save_tls_handshake_fragment(packet_info *pinfo, guint8 curr_layer_num_tls, + guint record_id, guint reassembly_id, + tvbuff_t *tvb, guint32 offset, guint frag_len, + guint frag_offset, guint8 msg_type, gboolean is_last) +{ + // Full handshake messages should not be saved. + DISSECTOR_ASSERT(!(frag_offset == 0 && is_last)); + // 0 is a special value indicating no reassembly in progress. + DISSECTOR_ASSERT(reassembly_id != 0); + + if (tvb_reported_length(tvb) > tvb_captured_length(tvb)) { + // The reassembly API will refuse to add fragments when not all + // available data has been captured. Since we were given a tvb with at + // least 'frag_len' data, we must always succeed in obtaining a subset. + tvb = tvb_new_subset_length(tvb, 0, offset + frag_len); + } + + SslPacketInfo *pi = tls_add_packet_info(proto_tls, pinfo, curr_layer_num_tls); + TlsHsFragment *frag_info = wmem_new0(wmem_file_scope(), TlsHsFragment); + frag_info->record_id = record_id; + frag_info->reassembly_id = reassembly_id; + frag_info->is_last = is_last; + frag_info->offset = frag_offset; + frag_info->type = msg_type; + + TlsHsFragment **p = &pi->hs_fragments; + while (*p) p = &(*p)->next; + *p = frag_info; + + // Add (subset of) record data. + fragment_add_check(&tls_hs_reassembly_table, tvb, offset, + pinfo, reassembly_id, NULL, frag_offset, frag_len, !is_last); + + return frag_info; +} + +/** + * Populate the Info column and record layer tree item based on the message type. + * + * @param pinfo Packet info. + * @param record_tree The Record layer tree item. + * @param version Record version. + * @param msg_type The message type (not necessarily the same as the first byte + * of the buffer in case of HRR in TLS 1.3). + * @param is_first_msg TRUE if this is the first message in this record. + * @param complete TRUE if the buffer describes the full (encrypted) message. + * @param tvb Buffer that covers the start of this handshake fragment. + * @param offset Position within the record data. + * @param length Length of the record fragment that is part of the handshake + * message. May be smaller than the record length if this is a fragment. + */ +static proto_item * +tls_show_handshake_details(packet_info *pinfo, proto_tree *record_tree, guint version, + guint8 msg_type, gboolean is_encrypted, gboolean is_first_msg, gboolean complete, + tvbuff_t *tvb, guint32 offset, guint32 length) +{ + const char *msg_type_str = "Encrypted Handshake Message"; + if (!is_encrypted) { + msg_type_str = val_to_str_const(msg_type, ssl_31_handshake_type, msg_type_str); + } + + /* + * Update our info string if this is the first message (possibly a fragment + * of a handshake message), or if this is a complete (reassembled) message. + */ + if (complete) { + col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, msg_type_str); + } else if (is_first_msg) { + /* + * Only mark the first message to avoid an empty Info column. If another + * message came before this one, do not bother mentioning this fragment. + */ + col_append_sep_fstr(pinfo->cinfo, COL_INFO, NULL, "[%s Fragment]", msg_type_str); + } + + /* set the label text on the record layer expanding node */ + if (is_first_msg) { + proto_item_set_text(record_tree, "%s Record Layer: Handshake Protocol: %s", + val_to_str_const(version, ssl_version_short_names, "TLS"), + msg_type_str); + if (!complete && !is_encrypted) { + proto_item_append_text(record_tree, " (fragment)"); + } + } else { + proto_item_set_text(record_tree, "%s Record Layer: Handshake Protocol: %s", + val_to_str_const(version, ssl_version_short_names, "TLS"), + "Multiple Handshake Messages"); + } + + proto_item *ti = proto_tree_add_item(record_tree, hf_tls_handshake_protocol, + tvb, offset, length, ENC_NA); + proto_item_set_text(ti, "Handshake Protocol: %s", msg_type_str); + if (!complete && !is_encrypted) { + proto_item_append_text(ti, " (fragment)"); + } + return ti; +} + +/* dissects the handshake protocol, filling the tree */ +static void +dissect_tls_handshake(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, guint32 offset, + guint32 offset_end, gboolean maybe_encrypted, + guint record_id, guint8 curr_layer_num_tls, + SslSession *session, gint is_from_server, + SslDecryptSession *ssl, + const guint16 version) +{ + // Handshake fragment processing: + // 1. (First pass:) If a previous handshake message needed reasembly, add + // (a subset of) the new data for reassembly. + // 2. Did this fragment complete reasembly in the previous step? + // - Yes: dissect message and continue. + // - No: show details and stop. + // 3. Not part of a reassembly, so this is a new handshake message. Does it + // look like encrypted data? + // - Yes: show details and stop. + // 4. Loop through remaining handshake messages. Is there sufficient data? + // - Yes: dissect message and continue with next message. + // - No (first pass): Add all data for reassembly, show details and stop. + // - No (second pass): Show details and stop. + + fragment_head *fh = NULL; + guint subset_len; + guint32 msg_len = 0; + TlsHsFragment *frag_info = NULL; + gboolean is_first_msg = TRUE; + proto_item *frag_tree_item; + guint *hs_reassembly_id_p = is_from_server ? &session->server_hs_reassembly_id : &session->client_hs_reassembly_id; + + if (!PINFO_FD_VISITED(pinfo)) { + // 1. (First pass:) If a previous handshake message needed reasembly. + if (*hs_reassembly_id_p) { + // Continuation, so a previous fragment *must* exist. + fh = fragment_get(&tls_hs_reassembly_table, pinfo, *hs_reassembly_id_p, NULL); + DISSECTOR_ASSERT(fh); + // We expect that reassembly has not completed yet. + DISSECTOR_ASSERT(fh->tvb_data == NULL); + + // Combine all previous segments plus data from the current record + // in order to find the length. + tvbuff_t *len_tvb = tvb_new_composite(); + guint frags_len = 0; + for (fragment_item *fd = fh->next; fd; fd = fd->next) { + if (frags_len < 4) { + tvb_composite_append(len_tvb, fd->tvb_data); + } + frags_len += tvb_reported_length(fd->tvb_data); + } + if (frags_len < 4) { + tvbuff_t *remaining_tvb = tvb_new_subset_remaining(tvb, offset); + tvb_composite_append(len_tvb, remaining_tvb); + } + tvb_composite_finalize(len_tvb); + + // Extract the actual handshake message length (0 means unknown) and + // check whether only a subset of the current record is needed. + subset_len = offset_end - offset; + if (tvb_reported_length(len_tvb) >= 4) { + msg_len = 4 + tvb_get_ntoh24(len_tvb, 1); + if (subset_len > msg_len - frags_len) { + subset_len = msg_len - frags_len; + } + } + + if (tvb_captured_length(tvb) < offset + subset_len) { + // Not all data has been captured. As we are missing data, the + // reassembly cannot be completed nor do we know the boundary + // where the next handshake message starts. Stop reassembly. + *hs_reassembly_id_p = 0; + } else { + // Check if the handshake message is complete. + guint8 msg_type = tvb_get_guint8(len_tvb, 0); + gboolean is_last = frags_len + subset_len == msg_len; + frag_info = save_tls_handshake_fragment(pinfo, curr_layer_num_tls, record_id, *hs_reassembly_id_p, + tvb, offset, subset_len, frags_len, msg_type, is_last); + if (is_last) { + // Reassembly finished, next message should not continue this message. + *hs_reassembly_id_p = 0; + } + } + } + } else { + // Lookup the reassembled handshake matching this frame (if any). + SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, curr_layer_num_tls); + if (pi) { + for (TlsHsFragment *rec = pi->hs_fragments; rec; rec = rec->next) { + if (rec->record_id == record_id) { + frag_info = rec; + break; + } + } + } + } + + // 2. Did this fragment complete reasembly in the previous step? + if (frag_info && frag_info->offset != 0) { + fh = fragment_get_reassembled_id(&tls_hs_reassembly_table, pinfo, frag_info->reassembly_id); + if (frag_info->is_last) { + // This is the last fragment of the handshake message. + // Skip a subset of the bytes of this buffer. + subset_len = tvb_reported_length_remaining(fh->tvb_data, frag_info->offset); + + // Add a tree item to mark the handshake fragment. + proto_item *ti = proto_tree_add_item(tree, + hf_tls_handshake_protocol, tvb, offset, subset_len, ENC_NA); + offset += subset_len; + proto_item_set_text(ti, "Handshake Protocol: %s (last fragment)", + val_to_str_const(frag_info->type, ssl_31_handshake_type, + "Encrypted Handshake Message")); + + // Now display the full, reassembled handshake message. + tvbuff_t *next_tvb = tvb_new_chain(tvb, fh->tvb_data); + add_new_data_source(pinfo, next_tvb, "Reassembled TLS Handshake"); + show_fragment_tree(fh, &tls_hs_fragment_items, tree, pinfo, next_tvb, &frag_tree_item); + dissect_tls_handshake_full(next_tvb, pinfo, tree, 0, session, is_from_server, ssl, version, TRUE, curr_layer_num_tls); + is_first_msg = FALSE; + + // Skip to the next fragment in case this records ends with another + // fragment for which information is presented below. + frag_info = frag_info->next; + if (frag_info && frag_info->record_id != record_id) { + frag_info = NULL; + } + } else if (frag_info->offset != 0) { + // The full TVB is in the middle of a handshake message and needs more data. + tls_show_handshake_details(pinfo, tree, version, frag_info->type, FALSE, FALSE, FALSE, + tvb, offset, offset_end - offset); + if (fh) { + proto_tree_add_uint(tree, hf_tls_handshake_reassembled_in, tvb, 0, 0, fh->reassembled_in); + } + return; + } + } else if (!frag_info) { + // 3. Not part of a reassembly, so this is a new handshake message. Does it + // look like encrypted data? + if (is_encrypted_handshake_message(tvb, pinfo, offset, offset_end, maybe_encrypted, session, is_from_server)) { + // Update Info column and record tree. + tls_show_handshake_details(pinfo, tree, version, 0, TRUE, TRUE, TRUE, + tvb, offset, offset_end - offset); + return; + } + } + + // 4. Loop through remaining handshake messages. + // The previous reassembly has been handled, so at this point, offset should + // start a new, valid handshake message. + while (offset < offset_end) { + msg_len = 0; + subset_len = offset_end - offset; + if (subset_len >= 4) { + msg_len = 4 + tvb_get_ntoh24(tvb, offset + 1); + } + if (msg_len == 0 || subset_len < msg_len) { + // Need more data to find the message length or complete it. + if (!PINFO_FD_VISITED(pinfo)) { + guint8 msg_type = tvb_get_guint8(tvb, offset); + *hs_reassembly_id_p = ++hs_reassembly_id_count; + frag_info = save_tls_handshake_fragment(pinfo, curr_layer_num_tls, record_id, *hs_reassembly_id_p, + tvb, offset, subset_len, 0, msg_type, FALSE); + } else { + // The first pass must have created a new fragment. + DISSECTOR_ASSERT(frag_info && frag_info->offset == 0); + } + + tls_show_handshake_details(pinfo, tree, version, frag_info->type, FALSE, is_first_msg, FALSE, + tvb, offset, subset_len); + fh = fragment_get_reassembled_id(&tls_hs_reassembly_table, pinfo, frag_info->reassembly_id); + if (fh) { + proto_tree_add_uint(tree, hf_tls_handshake_reassembled_in, tvb, 0, 0, fh->reassembled_in); + } + break; + } + + dissect_tls_handshake_full(tvb, pinfo, tree, offset, session, is_from_server, ssl, version, is_first_msg, curr_layer_num_tls); + offset += msg_len; + is_first_msg = FALSE; + } +} + +/* Dissects a single (reassembled) Handshake message. */ +static void +dissect_tls_handshake_full(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, guint32 offset, + SslSession *session, gint is_from_server, + SslDecryptSession *ssl, + const guint16 version, + gboolean is_first_msg, guint8 curr_layer_num_tls) +{ + /* struct { + * HandshakeType msg_type; + * uint24 length; + * select (HandshakeType) { + * case hello_request: HelloRequest; + * case client_hello: ClientHello; + * case server_hello: ServerHello; + * case certificate: Certificate; + * case server_key_exchange: ServerKeyExchange; + * case certificate_request: CertificateRequest; + * case server_hello_done: ServerHelloDone; + * case certificate_verify: CertificateVerify; + * case client_key_exchange: ClientKeyExchange; + * case finished: Finished; + * case certificate_url: CertificateURL; + * case certificate_status: CertificateStatus; + * case encrypted_extensions:NextProtocolNegotiationEncryptedExtension; + * } body; + * } Handshake; + */ + proto_tree *ssl_hand_tree = NULL; + const gchar *msg_type_str; + guint8 msg_type; + guint32 length; + proto_item *ti; + SslPacketInfo *pi; + + { + guint32 hs_offset = offset; + gboolean is_hrr = FALSE; + + msg_type = tvb_get_guint8(tvb, offset); + length = tvb_get_ntoh24(tvb, offset + 1); + // The caller should have given us a fully reassembled record. + DISSECTOR_ASSERT((guint)tvb_reported_length_remaining(tvb, offset + 4) >= length); + + msg_type_str = try_val_to_str(msg_type, ssl_31_handshake_type); + + ssl_debug_printf("dissect_ssl3_handshake iteration %d type %d offset %d length %d " + "bytes\n", is_first_msg, msg_type, offset, length); + if (!msg_type_str && !is_first_msg) + { + /* only dissect / report messages if they're + * either the first message in this record + * or they're a valid message type + */ + return; + } + + if (is_first_msg && msg_type == SSL_HND_SERVER_HELLO && length > 2) { + guint16 server_version; + + tls_scan_server_hello(tvb, offset + 4, offset + 4 + length, &server_version, &is_hrr); + ssl_try_set_version(session, ssl, SSL_ID_HANDSHAKE, SSL_HND_SERVER_HELLO, FALSE, server_version); + if (is_hrr) { + msg_type_str = "Hello Retry Request"; + } + } + + /* Populate Info column and set record layer text. */ + ti = tls_show_handshake_details(pinfo, tree, version, + is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : msg_type, FALSE, is_first_msg, TRUE, + tvb, offset, length + 4); + + /* if we don't have a valid handshake type, just quit dissecting */ + if (!msg_type_str) + return; + + /* add a subtree for the handshake protocol */ + ssl_hand_tree = proto_item_add_subtree(ti, ett_tls_handshake); + + /* add nodes for the message type and message length */ + proto_tree_add_uint(ssl_hand_tree, hf_tls_handshake_type, + tvb, offset, 1, msg_type); + offset += 1; + proto_tree_add_uint(ssl_hand_tree, hf_tls_handshake_length, + tvb, offset, 3, length); + offset += 3; + + if ((msg_type == SSL_HND_CLIENT_HELLO || msg_type == SSL_HND_SERVER_HELLO)) { + /* Prepare for renegotiation by resetting the state. */ + ssl_reset_session(session, ssl, msg_type == SSL_HND_CLIENT_HELLO); + } + + /* + * Add handshake message (including type, length, etc.) to hash (for + * Extended Master Secret). + * Hash ClientHello up to and including ClientKeyExchange. As the + * premaster secret is looked up during ChangeCipherSpec processing (an + * implementation detail), we must skip the CertificateVerify message + * which can appear between CKE and CCS when mutual auth is enabled. + */ + if (msg_type != SSL_HND_CERT_VERIFY) { + ssl_calculate_handshake_hash(ssl, tvb, hs_offset, 4 + length); + } + + /* now dissect the handshake message, if necessary */ + switch ((HandshakeType) msg_type) { + case SSL_HND_HELLO_REQUEST: + /* hello_request has no fields, so nothing to do! */ + break; + + case SSL_HND_CLIENT_HELLO: + if (ssl) { + /* ClientHello is first packet so set direction */ + ssl_set_server(session, &pinfo->dst, pinfo->ptype, pinfo->destport); + } + ssl_dissect_hnd_cli_hello(&dissect_ssl3_hf, tvb, pinfo, + ssl_hand_tree, offset, offset + length, session, ssl, + NULL); + /* + * Cannot call tls13_change_key here with TLS_SECRET_HANDSHAKE + * since the server may not agree on using TLS 1.3. If + * early_data is advertised, it must be TLS 1.3 though. + */ + if (ssl) { + tls_save_crandom(ssl, &ssl_master_key_map); + if (ssl->has_early_data) { + session->version = TLSV1DOT3_VERSION; + ssl->state |= SSL_VERSION; + ssl_debug_printf("%s forcing version 0x%04X -> state 0x%02X\n", G_STRFUNC, version, ssl->state); + } + } + break; + + case SSL_HND_SERVER_HELLO: + ssl_dissect_hnd_srv_hello(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, + offset, offset + length, session, ssl, FALSE, is_hrr); + if (ssl) { + ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, &ssl_master_key_map); + /* Create client and server decoders for TLS 1.3. + * Create client decoder based on HS secret only if there is + * no early data, or if there is no decryptable early data. */ + if (!ssl->has_early_data || + ((ssl->state & SSL_SEEN_0RTT_APPDATA) && !ssl->client)) { + tls13_change_key(ssl, &ssl_master_key_map, FALSE, TLS_SECRET_HANDSHAKE); + } + tls13_change_key(ssl, &ssl_master_key_map, TRUE, TLS_SECRET_HANDSHAKE); + } + break; + + case SSL_HND_HELLO_VERIFY_REQUEST: + /* only valid for DTLS */ + break; + + case SSL_HND_NEWSESSION_TICKET: + /* no need to load keylog file here as it only links a previous + * master key with this Session Ticket */ + ssl_dissect_hnd_new_ses_ticket(&dissect_ssl3_hf, tvb, pinfo, + ssl_hand_tree, offset, offset + length, session, ssl, FALSE, + ssl_master_key_map.tickets); + break; + + case SSL_HND_END_OF_EARLY_DATA: + /* RFC 8446 Section 4.5 */ + if (!is_from_server && ssl) { + ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, &ssl_master_key_map); + tls13_change_key(ssl, &ssl_master_key_map, FALSE, TLS_SECRET_HANDSHAKE); + ssl->has_early_data = FALSE; + } + break; + + case SSL_HND_HELLO_RETRY_REQUEST: /* TLS 1.3 draft -21 and before */ + ssl_dissect_hnd_hello_retry_request(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, + offset, offset + length, session, ssl, FALSE); + break; + + case SSL_HND_ENCRYPTED_EXTENSIONS: + /* XXX expert info if used with non-TLS 1.3? */ + ssl_dissect_hnd_encrypted_extensions(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, + offset, offset + length, session, ssl, FALSE); + + break; + + case SSL_HND_CERTIFICATE: + ssl_dissect_hnd_cert(&dissect_ssl3_hf, tvb, ssl_hand_tree, + offset, offset + length, pinfo, session, ssl, is_from_server, FALSE); + break; + + case SSL_HND_SERVER_KEY_EXCHG: + if (!PINFO_FD_VISITED(pinfo)) { + pi = tls_add_packet_info(proto_tls, pinfo, curr_layer_num_tls); + pi->cipher = session->cipher; + } else { + pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, curr_layer_num_tls); + if (pi) { + session->cipher = pi->cipher; + } + } + ssl_dissect_hnd_srv_keyex(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, offset, offset + length, session); + break; + + case SSL_HND_CERT_REQUEST: + ssl_dissect_hnd_cert_req(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, offset, offset + length, session, FALSE); + break; + + case SSL_HND_SVR_HELLO_DONE: + /* This is not an abbreviated handshake, it is certainly not resumed. */ + session->is_session_resumed = FALSE; + break; + + case SSL_HND_CERT_VERIFY: + ssl_dissect_hnd_cli_cert_verify(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, offset, offset + length, session->version); + break; + + case SSL_HND_CLIENT_KEY_EXCHG: + if (!PINFO_FD_VISITED(pinfo)) { + pi = tls_add_packet_info(proto_tls, pinfo, curr_layer_num_tls); + pi->cipher = session->cipher; + } else { + pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, curr_layer_num_tls); + if (pi) { + session->cipher = pi->cipher; + } + } + ssl_dissect_hnd_cli_keyex(&dissect_ssl3_hf, tvb, ssl_hand_tree, offset, length, session); + + if (!ssl) + break; + + ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, + &ssl_master_key_map); + /* try to find master key from pre-master key */ + if (!ssl_generate_pre_master_secret(ssl, length, tvb, offset, + ssl_options.psk, pinfo, +#ifdef HAVE_LIBGNUTLS + ssl_key_hash, +#endif + &ssl_master_key_map)) { + ssl_debug_printf("dissect_ssl3_handshake can't generate pre master secret\n"); + } + break; + + case SSL_HND_FINISHED: + ssl_dissect_hnd_finished(&dissect_ssl3_hf, tvb, ssl_hand_tree, + offset, offset + length, session, &ssl_hfs); + if (ssl) { + ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, &ssl_master_key_map); + tls13_change_key(ssl, &ssl_master_key_map, is_from_server, TLS_SECRET_APP); + } + break; + + case SSL_HND_CERT_URL: + ssl_dissect_hnd_cert_url(&dissect_ssl3_hf, tvb, ssl_hand_tree, offset); + break; + + case SSL_HND_CERT_STATUS: + tls_dissect_hnd_certificate_status(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, offset, offset + length); + break; + + case SSL_HND_SUPPLEMENTAL_DATA: + /* TODO: dissect this? */ + break; + + case SSL_HND_KEY_UPDATE: + tls13_dissect_hnd_key_update(&dissect_ssl3_hf, tvb, tree, offset); + if (ssl) { + tls13_key_update(ssl, is_from_server); + } + break; + + case SSL_HND_COMPRESSED_CERTIFICATE: + ssl_dissect_hnd_compress_certificate(&dissect_ssl3_hf, tvb, ssl_hand_tree, + offset, offset + length, pinfo, session, + ssl, is_from_server, FALSE); + break; + + case SSL_HND_ENCRYPTED_EXTS: + dissect_ssl3_hnd_encrypted_exts(tvb, ssl_hand_tree, offset); + break; + } + } +} + +/* dissects the heartbeat message, filling in the tree */ +static void +dissect_ssl3_heartbeat(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, guint32 offset, + const SslSession *session, guint32 record_length, + gboolean decrypted) +{ + /* struct { + * HeartbeatMessageType type; + * uint16 payload_length; + * opaque payload; + * opaque padding; + * } HeartbeatMessage; + */ + + proto_item *ti; + proto_tree *tls_heartbeat_tree; + const gchar *type; + guint8 byte; + guint16 payload_length; + guint16 padding_length; + + tls_heartbeat_tree = NULL; + + if (tree) { + ti = proto_tree_add_item(tree, hf_tls_heartbeat_message, tvb, + offset, record_length, ENC_NA); + tls_heartbeat_tree = proto_item_add_subtree(ti, ett_tls_heartbeat); + } + + /* + * set the record layer label + */ + + /* first lookup the names for the message type and the payload length */ + byte = tvb_get_guint8(tvb, offset); + type = try_val_to_str(byte, tls_heartbeat_type); + + payload_length = tvb_get_ntohs(tvb, offset + 1); + padding_length = record_length - 3 - payload_length; + + /* assume plaintext if the (expected) record size is smaller than the type + * (1), length (2)[, payload] and padding (16) fields combined */ + if (record_length <= 19u || 3u + payload_length + 16 <= record_length) { + decrypted = TRUE; + } + + /* now set the text in the record layer line */ + if (type && decrypted) { + col_append_sep_fstr(pinfo->cinfo, COL_INFO, NULL, "Heartbeat %s", type); + } else { + col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Encrypted Heartbeat"); + } + + if (type && decrypted) { + proto_item_set_text(tree, "%s Record Layer: Heartbeat " + "%s", + val_to_str_const(session->version, ssl_version_short_names, "SSL"), + type); + proto_tree_add_item(tls_heartbeat_tree, hf_tls_heartbeat_message_type, + tvb, offset, 1, ENC_BIG_ENDIAN); + offset += 1; + ti = proto_tree_add_uint(tls_heartbeat_tree, hf_tls_heartbeat_message_payload_length, + tvb, offset, 2, payload_length); + offset += 2; + if (3u + payload_length + 16 > record_length) { + expert_add_info_format(pinfo, ti, &ei_ssl3_heartbeat_payload_length, + "Invalid heartbeat payload length (%d)", payload_length); + /* There is no room for padding... truncate the payload such that + * the field can be selected (for the interested). */ + payload_length = record_length - 3; + padding_length = 0; + proto_item_append_text (ti, " (invalid, using %u to decode payload)", payload_length); + } + proto_tree_add_bytes_format(tls_heartbeat_tree, hf_tls_heartbeat_message_payload, + tvb, offset, payload_length, + NULL, "Payload (%u byte%s)", + payload_length, + plurality(payload_length, "", "s")); + offset += payload_length; + if (padding_length) + proto_tree_add_bytes_format(tls_heartbeat_tree, hf_tls_heartbeat_message_padding, + tvb, offset, padding_length, + NULL, "Padding and HMAC (%u byte%s)", + padding_length, + plurality(padding_length, "", "s")); + } else { + proto_item_set_text(tree, + "%s Record Layer: Encrypted Heartbeat", + val_to_str_const(session->version, ssl_version_short_names, "SSL")); + proto_item_set_text(tls_heartbeat_tree, + "Encrypted Heartbeat Message"); + } +} + +/* based on https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04 */ +static void +dissect_ssl3_hnd_encrypted_exts(tvbuff_t *tvb, proto_tree *tree, + guint32 offset) +{ + guint8 selected_protocol_len; + guint8 padding_len; + + selected_protocol_len = tvb_get_guint8(tvb, offset); + proto_tree_add_item(tree, hf_tls_handshake_npn_selected_protocol_len, + tvb, offset, 1, ENC_BIG_ENDIAN); + offset++; + proto_tree_add_item(tree, hf_tls_handshake_npn_selected_protocol, + tvb, offset, selected_protocol_len, ENC_ASCII); + offset += selected_protocol_len; + + padding_len = tvb_get_guint8(tvb, offset); + proto_tree_add_item(tree, hf_tls_handshake_npn_padding_len, + tvb, offset, 1, ENC_BIG_ENDIAN); + offset++; + proto_tree_add_item(tree, hf_tls_handshake_npn_padding, + tvb, offset, padding_len, ENC_NA); +} + +/********************************************************************* + * + * SSL version 2 Dissectors + * + *********************************************************************/ + + +/* record layer dissector */ +static gint +dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, + guint32 offset, SslSession *session, + gboolean *need_desegmentation, + SslDecryptSession *ssl) +{ + guint32 initial_offset; + guint8 byte; + guint8 record_length_length; + guint32 record_length; + gint is_escape; + gint16 padding_length; + guint8 msg_type; + const gchar *msg_type_str; + guint32 available_bytes; + proto_item *ti; + proto_tree *ssl_record_tree; + + initial_offset = offset; + record_length = 0; + is_escape = -1; + padding_length = -1; + msg_type_str = NULL; + ssl_record_tree = NULL; + + /* pull first byte; if high bit is unset, then record + * length is three bytes due to padding; otherwise + * record length is two bytes + */ + byte = tvb_get_guint8(tvb, offset); + record_length_length = (byte & 0x80) ? 2 : 3; + + available_bytes = tvb_reported_length_remaining(tvb, offset); + + /* + * Is the record header split across segment boundaries? + */ + if (available_bytes < record_length_length) { + /* + * Yes - can we do reassembly? + */ + ssl_proto_tree_add_segment_data(tree, tvb, offset, -1, NULL); + if (tls_desegment && pinfo->can_desegment) { + /* + * Yes. Tell the TCP dissector where the data for this + * message starts in the data it handed us, and that we need + * "some more data." Don't tell it exactly how many bytes we + * need because if/when we ask for even more (after the header) + * that will break reassembly. + */ + pinfo->desegment_offset = offset; + pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; + *need_desegmentation = TRUE; + return offset; + } else { + /* Not enough bytes available. Stop here. */ + return offset + available_bytes; + } + } + + /* parse out the record length */ + switch (record_length_length) { + case 2: /* two-byte record length */ + record_length = (byte & 0x7f) << 8; + byte = tvb_get_guint8(tvb, offset + 1); + record_length += byte; + break; + case 3: /* three-byte record length */ + is_escape = (byte & 0x40) ? TRUE : FALSE; + record_length = (byte & 0x3f) << 8; + byte = tvb_get_guint8(tvb, offset + 1); + record_length += byte; + byte = tvb_get_guint8(tvb, offset + 2); + padding_length = byte; + } + + /* + * Is the record split across segment boundaries? + */ + if (available_bytes < (record_length_length + record_length)) { + /* + * Yes - Can we do reassembly? + */ + ssl_proto_tree_add_segment_data(tree, tvb, offset, -1, NULL); + if (tls_desegment && pinfo->can_desegment) { + /* + * Yes. Tell the TCP dissector where the data for this + * message starts in the data it handed us, and how many + * more bytes we need, and return. + */ + pinfo->desegment_offset = offset; + pinfo->desegment_len = (record_length_length + record_length) + - available_bytes; + *need_desegmentation = TRUE; + return offset; + } else { + /* Not enough bytes available. Stop here. */ + return offset + available_bytes; + } + } + offset += record_length_length; + + /* add the record layer subtree header */ + ti = proto_tree_add_item(tree, hf_ssl2_record, tvb, initial_offset, + record_length_length + record_length, ENC_NA); + ssl_record_tree = proto_item_add_subtree(ti, ett_tls_record); + + /* pull the msg_type so we can bail if it's unknown */ + msg_type = tvb_get_guint8(tvb, initial_offset + record_length_length); + + /* if we get a server_hello or later handshake in v2, then set + * this to sslv2 + */ + if (session->version == SSL_VER_UNKNOWN) + { + if (msg_type >= 2 && msg_type <= 8) + { + session->version = SSLV2_VERSION; + } + } + + /* if we get here, but don't have a version set for the + * conversation, then set a version for just this frame + * (e.g., on a client hello) + */ + col_set_str(pinfo->cinfo, COL_PROTOCOL, "SSLv2"); + + /* see if the msg_type is valid; if not the payload is + * probably encrypted, so note that fact and bail + */ + msg_type_str = try_val_to_str(msg_type, ssl_20_msg_types); + if (!msg_type_str + || (!ssl_looks_like_valid_v2_handshake(tvb, initial_offset + + record_length_length, + record_length))) + { + if (ssl_record_tree) + { + proto_item_set_text(ssl_record_tree, "%s Record Layer: %s", + "SSLv2", + "Encrypted Data"); + + /* Unlike SSLv3, the SSLv2 record layer does not have a + * version field. To make it possible to filter on record + * layer version we create a generated field with ssl + * record layer version 0x0002 + */ + ti = proto_tree_add_uint(ssl_record_tree, + hf_tls_record_version, tvb, + initial_offset, 0, 0x0002); + proto_item_set_generated(ti); + } + + col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "Encrypted Data"); + return initial_offset + record_length_length + record_length; + } + else + { + col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, msg_type_str); + + if (ssl_record_tree) + { + proto_item_set_text(ssl_record_tree, "%s Record Layer: %s", + "SSLv2", + msg_type_str); + } + } + + /* We have a valid message type, so move forward, filling in the + * tree by adding the length, is_escape boolean and padding_length, + * if present in the original packet + */ + if (ssl_record_tree) + { + /* Unlike SSLv3, the SSLv2 record layer does not have a + * version field. To make it possible to filter on record + * layer version we create a generated field with ssl + * record layer version 0x0002 + */ + ti = proto_tree_add_uint(ssl_record_tree, + hf_tls_record_version, tvb, + initial_offset, 0, 0x0002); + proto_item_set_generated(ti); + + /* add the record length */ + tvb_ensure_bytes_exist(tvb, offset, record_length_length); + proto_tree_add_uint (ssl_record_tree, + hf_tls_record_length, tvb, + initial_offset, record_length_length, + record_length); + } + if (ssl_record_tree && is_escape != -1) + { + proto_tree_add_boolean(ssl_record_tree, + hf_ssl2_record_is_escape, tvb, + initial_offset, 1, is_escape); + } + if (ssl_record_tree && padding_length != -1) + { + proto_tree_add_uint(ssl_record_tree, + hf_ssl2_record_padding_length, tvb, + initial_offset + 2, 1, padding_length); + } + + /* + * dissect the record data + */ + + /* jump forward to the start of the record data */ + offset = initial_offset + record_length_length; + + /* add the message type */ + if (ssl_record_tree) + { + proto_tree_add_item(ssl_record_tree, hf_ssl2_msg_type, + tvb, offset, 1, ENC_BIG_ENDIAN); + } + offset += 1; /* move past msg_type byte */ + + { + /* dissect the message (only handle client hello right now) */ + switch (msg_type) { + case SSL2_HND_CLIENT_HELLO: + dissect_ssl2_hnd_client_hello(tvb, pinfo, ssl_record_tree, offset, ssl); + break; + + case SSL2_HND_CLIENT_MASTER_KEY: + dissect_ssl2_hnd_client_master_key(tvb, ssl_record_tree, offset); + break; + + case SSL2_HND_SERVER_HELLO: + dissect_ssl2_hnd_server_hello(tvb, ssl_record_tree, offset, pinfo); + break; + + case SSL2_HND_ERROR: + case SSL2_HND_CLIENT_FINISHED: + case SSL2_HND_SERVER_VERIFY: + case SSL2_HND_SERVER_FINISHED: + case SSL2_HND_REQUEST_CERTIFICATE: + case SSL2_HND_CLIENT_CERTIFICATE: + /* unimplemented */ + break; + + default: /* unknown */ + break; + } + } + return (initial_offset + record_length_length + record_length); +} + +static void +dissect_ssl2_hnd_client_hello(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, guint32 offset, + SslDecryptSession *ssl) +{ + /* struct { + * uint8 msg_type; + * Version version; + * uint16 cipher_spec_length; + * uint16 session_id_length; + * uint16 challenge_length; + * V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length]; + * opaque session_id[V2ClientHello.session_id_length]; + * Random challenge; + * } V2ClientHello; + * + * Note: when we get here, offset's already pointing at Version + * + */ + guint16 version; + guint16 cipher_spec_length; + guint16 session_id_length; + guint16 challenge_length; + + proto_item *ti; + proto_tree *cs_tree; + cs_tree=0; + + version = tvb_get_ntohs(tvb, offset); + if (!ssl_is_valid_ssl_version(version)) + { + /* invalid version; probably encrypted data */ + return; + } + + if (ssl) { + ssl_set_server(&ssl->session, &pinfo->dst, pinfo->ptype, pinfo->destport); + } + + /* show the version */ + proto_tree_add_item(tree, dissect_ssl3_hf.hf.hs_client_version, tvb, + offset, 2, ENC_BIG_ENDIAN); + offset += 2; + + cipher_spec_length = tvb_get_ntohs(tvb, offset); + proto_tree_add_item(tree, hf_ssl2_handshake_cipher_spec_len, + tvb, offset, 2, ENC_BIG_ENDIAN); + offset += 2; + + session_id_length = tvb_get_ntohs(tvb, offset); + ti = proto_tree_add_item(tree, hf_ssl2_handshake_session_id_len, + tvb, offset, 2, ENC_BIG_ENDIAN); + if (session_id_length > SSLV2_MAX_SESSION_ID_LENGTH_IN_BYTES) { + expert_add_info_format(pinfo, ti, &ei_ssl2_handshake_session_id_len_error, + "Session ID length (%u) must be less than %u.", + session_id_length, SSLV2_MAX_SESSION_ID_LENGTH_IN_BYTES); + return; + } + offset += 2; + + challenge_length = tvb_get_ntohs(tvb, offset); + if (tree) + proto_tree_add_item(tree, hf_ssl2_handshake_challenge_len, + tvb, offset, 2, ENC_BIG_ENDIAN); + offset += 2; + + if (tree) + { + /* tell the user how many cipher specs they've won */ + ti = proto_tree_add_none_format(tree, dissect_ssl3_hf.hf.hs_cipher_suites, + tvb, offset, cipher_spec_length, + "Cipher Specs (%u specs)", + cipher_spec_length/3); + + /* make this a subtree and expand the actual specs below */ + cs_tree = proto_item_add_subtree(ti, dissect_ssl3_hf.ett.cipher_suites); + if (!cs_tree) + { + cs_tree = tree; /* failsafe */ + } + } + + /* iterate through the cipher specs, showing them */ + while (cipher_spec_length > 0) + { + if (cs_tree) + proto_tree_add_item(cs_tree, hf_ssl2_handshake_cipher_spec, + tvb, offset, 3, ENC_BIG_ENDIAN); + offset += 3; /* length of one cipher spec */ + cipher_spec_length -= 3; + } + + /* if there's a session id, show it */ + if (session_id_length > 0) + { + proto_tree_add_bytes_format(tree, + dissect_ssl3_hf.hf.hs_session_id, + tvb, offset, session_id_length, + NULL, "Session ID (%u byte%s)", + session_id_length, + plurality(session_id_length, "", "s")); + + /* PAOLO: get session id and reset session state for key [re]negotiation */ + if (ssl) + { + tvb_memcpy(tvb,ssl->session_id.data, offset, session_id_length); + ssl->session_id.data_len = session_id_length; + ssl->state &= ~(SSL_HAVE_SESSION_KEY|SSL_MASTER_SECRET|SSL_PRE_MASTER_SECRET| + SSL_CIPHER|SSL_SERVER_RANDOM); + } + offset += session_id_length; + } + + /* if there's a challenge, show it */ + if (challenge_length > 0) + { + proto_tree_add_item(tree, hf_ssl2_handshake_challenge, + tvb, offset, challenge_length, ENC_NA); + if (ssl) + { + /* PAOLO: get client random data; we get at most 32 bytes from + challenge */ + gint max; + max = challenge_length > 32? 32: challenge_length; + + ssl_debug_printf("client random len: %d padded to 32\n", challenge_length); + + /* client random is padded with zero and 'right' aligned */ + memset(ssl->client_random.data, 0, 32 - max); + tvb_memcpy(tvb, &ssl->client_random.data[32 - max], offset, max); + ssl->client_random.data_len = 32; + ssl->state |= SSL_CLIENT_RANDOM; + ssl_debug_printf("dissect_ssl2_hnd_client_hello found CLIENT RANDOM -> state 0x%02X\n", ssl->state); + } + } +} + +static void +dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb, + proto_tree *tree, guint32 offset) +{ + /* struct { + * uint8 msg_type; + * V2Cipherspec cipher; + * uint16 clear_key_length; + * uint16 encrypted_key_length; + * uint16 key_arg_length; + * opaque clear_key_data[V2ClientMasterKey.clear_key_length]; + * opaque encrypted_key_data[V2ClientMasterKey.encrypted_key_length]; + * opaque key_arg_data[V2ClientMasterKey.key_arg_length]; + * } V2ClientMasterKey; + * + * Note: when we get here, offset's already pointing at cipher + */ + guint16 clear_key_length; + guint16 encrypted_key_length; + guint16 key_arg_length; + + /* at this point, everything we do involves the tree, + * so quit now if we don't have one ;-) + */ + if (!tree) + { + return; + } + + /* show the selected cipher */ + proto_tree_add_item(tree, hf_ssl2_handshake_cipher_spec, + tvb, offset, 3, ENC_BIG_ENDIAN); + offset += 3; + + /* get the fixed fields */ + clear_key_length = tvb_get_ntohs(tvb, offset); + proto_tree_add_item(tree, hf_ssl2_handshake_clear_key_len, + tvb, offset, 2, ENC_BIG_ENDIAN); + offset += 2; + + encrypted_key_length = tvb_get_ntohs(tvb, offset); + proto_tree_add_item(tree, hf_ssl2_handshake_enc_key_len, + tvb, offset, 2, ENC_BIG_ENDIAN); + offset += 2; + + key_arg_length = tvb_get_ntohs(tvb, offset); + proto_tree_add_item(tree, hf_ssl2_handshake_key_arg_len, + tvb, offset, 2, ENC_BIG_ENDIAN); + offset += 2; + + /* show the variable length fields */ + if (clear_key_length > 0) + { + proto_tree_add_item(tree, hf_ssl2_handshake_clear_key, + tvb, offset, clear_key_length, ENC_NA); + offset += clear_key_length; + } + + if (encrypted_key_length > 0) + { + proto_tree_add_item(tree, hf_ssl2_handshake_enc_key, + tvb, offset, encrypted_key_length, ENC_NA); + offset += encrypted_key_length; + } + + if (key_arg_length > 0) + { + proto_tree_add_item(tree, hf_ssl2_handshake_key_arg, + tvb, offset, key_arg_length, ENC_NA); + } + +} + +static void +dissect_ssl2_hnd_server_hello(tvbuff_t *tvb, + proto_tree *tree, guint32 offset, packet_info *pinfo) +{ + /* struct { + * uint8 msg_type; + * uint8 session_id_hit; + * uint8 certificate_type; + * uint16 server_version; + * uint16 certificate_length; + * uint16 cipher_specs_length; + * uint16 connection_id_length; + * opaque certificate_data[V2ServerHello.certificate_length]; + * opaque cipher_specs_data[V2ServerHello.cipher_specs_length]; + * opaque connection_id_data[V2ServerHello.connection_id_length]; + * } V2ServerHello; + * + * Note: when we get here, offset's already pointing at session_id_hit + */ + guint16 certificate_length; + guint16 cipher_spec_length; + guint16 connection_id_length; + guint16 version; + proto_item *ti; + proto_tree *subtree; + asn1_ctx_t asn1_ctx; + + asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo); + + /* everything we do only makes sense with a tree, so + * quit now if we don't have one + */ + if (!tree) + { + return; + } + + version = tvb_get_ntohs(tvb, offset + 2); + if (!ssl_is_valid_ssl_version(version)) + { + /* invalid version; probably encrypted data */ + return; + } + + + /* is there a hit? */ + proto_tree_add_item(tree, hf_ssl2_handshake_session_id_hit, + tvb, offset, 1, ENC_BIG_ENDIAN); + offset += 1; + + /* what type of certificate is this? */ + proto_tree_add_item(tree, hf_ssl2_handshake_cert_type, + tvb, offset, 1, ENC_BIG_ENDIAN); + offset += 1; + + /* now the server version */ + proto_tree_add_item(tree, dissect_ssl3_hf.hf.hs_server_version, + tvb, offset, 2, ENC_BIG_ENDIAN); + offset += 2; + + /* get the fixed fields */ + certificate_length = tvb_get_ntohs(tvb, offset); + proto_tree_add_uint(tree, dissect_ssl3_hf.hf.hs_certificate_len, + tvb, offset, 2, certificate_length); + offset += 2; + + cipher_spec_length = tvb_get_ntohs(tvb, offset); + proto_tree_add_uint(tree, hf_ssl2_handshake_cipher_spec_len, + tvb, offset, 2, cipher_spec_length); + offset += 2; + + connection_id_length = tvb_get_ntohs(tvb, offset); + proto_tree_add_uint(tree, hf_ssl2_handshake_connection_id_len, + tvb, offset, 2, connection_id_length); + offset += 2; + + /* now the variable length fields */ + if (certificate_length > 0) + { + (void)dissect_x509af_Certificate(FALSE, tvb, offset, &asn1_ctx, tree, dissect_ssl3_hf.hf.hs_certificate); + offset += certificate_length; + } + + if (cipher_spec_length > 0) + { + /* provide a collapsing node for the cipher specs */ + ti = proto_tree_add_none_format(tree, + dissect_ssl3_hf.hf.hs_cipher_suites, + tvb, offset, cipher_spec_length, + "Cipher Specs (%u spec%s)", + cipher_spec_length/3, + plurality(cipher_spec_length/3, "", "s")); + subtree = proto_item_add_subtree(ti, dissect_ssl3_hf.ett.cipher_suites); + if (!subtree) + { + subtree = tree; + } + + /* iterate through the cipher specs */ + while (cipher_spec_length > 0) + { + proto_tree_add_item(subtree, hf_ssl2_handshake_cipher_spec, + tvb, offset, 3, ENC_BIG_ENDIAN); + offset += 3; + cipher_spec_length -= 3; + } + } + + if (connection_id_length > 0) + { + proto_tree_add_item(tree, hf_ssl2_handshake_connection_id, + tvb, offset, connection_id_length, ENC_NA); + } + +} + + +void ssl_set_master_secret(guint32 frame_num, address *addr_srv, address *addr_cli, + port_type ptype, guint32 port_srv, guint32 port_cli, + guint32 version, gint cipher, const guchar *_master_secret, + const guchar *_client_random, const guchar *_server_random, + guint32 client_seq, guint32 server_seq) +{ + conversation_t *conversation; + SslDecryptSession *ssl; + guint iv_len; + + ssl_debug_printf("\nssl_set_master_secret enter frame #%u\n", frame_num); + + conversation = find_conversation(frame_num, addr_srv, addr_cli, conversation_pt_to_conversation_type(ptype), port_srv, port_cli, 0); + + if (!conversation) { + /* create a new conversation */ + conversation = conversation_new(frame_num, addr_srv, addr_cli, conversation_pt_to_conversation_type(ptype), port_srv, port_cli, 0); + ssl_debug_printf(" new conversation = %p created\n", (void *)conversation); + } + ssl = ssl_get_session(conversation, tls_handle); + + ssl_debug_printf(" conversation = %p, ssl_session = %p\n", (void *)conversation, (void *)ssl); + + ssl_set_server(&ssl->session, addr_srv, ptype, port_srv); + + /* version */ + if ((ssl->session.version==SSL_VER_UNKNOWN) && (version!=SSL_VER_UNKNOWN)) { + switch (version) { + case SSLV3_VERSION: + case TLSV1_VERSION: + case TLSV1DOT1_VERSION: + case TLSV1DOT2_VERSION: + case TLCPV1_VERSION: + ssl->session.version = version; + ssl->state |= SSL_VERSION; + ssl_debug_printf("%s set version 0x%04X -> state 0x%02X\n", G_STRFUNC, ssl->session.version, ssl->state); + break; + default: + /* API change: version number is no longer an internal value + * (SSL_VER_*) but the ProtocolVersion from wire (*_VERSION) */ + ssl_debug_printf("%s WARNING must pass ProtocolVersion, not 0x%04x!\n", G_STRFUNC, version); + break; + } + } + + /* cipher */ + if (cipher > 0) { + ssl->session.cipher = cipher; + if (!(ssl->cipher_suite = ssl_find_cipher(ssl->session.cipher))) { + ssl->state &= ~SSL_CIPHER; + ssl_debug_printf("ssl_set_master_secret can't find cipher suite 0x%X\n", ssl->session.cipher); + } else { + ssl->state |= SSL_CIPHER; + ssl_debug_printf("ssl_set_master_secret set CIPHER 0x%04X -> state 0x%02X\n", ssl->session.cipher, ssl->state); + } + } + + /* client random */ + if (_client_random) { + ssl_data_set(&ssl->client_random, _client_random, 32); + ssl->state |= SSL_CLIENT_RANDOM; + ssl_debug_printf("ssl_set_master_secret set CLIENT RANDOM -> state 0x%02X\n", ssl->state); + } + + /* server random */ + if (_server_random) { + ssl_data_set(&ssl->server_random, _server_random, 32); + ssl->state |= SSL_SERVER_RANDOM; + ssl_debug_printf("ssl_set_master_secret set SERVER RANDOM -> state 0x%02X\n", ssl->state); + } + + /* master secret */ + if (_master_secret) { + ssl_data_set(&ssl->master_secret, _master_secret, 48); + ssl->state |= SSL_MASTER_SECRET; + ssl_debug_printf("ssl_set_master_secret set MASTER SECRET -> state 0x%02X\n", ssl->state); + } + + ssl_debug_printf("ssl_set_master_secret trying to generate keys\n"); + if (ssl_generate_keyring_material(ssl)<0) { + ssl_debug_printf("ssl_set_master_secret can't generate keyring material\n"); + return; + } + + /* change ciphers immediately */ + ssl_change_cipher(ssl, TRUE); + ssl_change_cipher(ssl, FALSE); + + /* update seq numbers if available */ + /* TODO change API to accept 64-bit sequence numbers. */ + if (ssl->client && (client_seq != (guint32)-1)) { + ssl->client->seq = client_seq; + ssl_debug_printf("ssl_set_master_secret client->seq updated to %" PRIu64 "\n", ssl->client->seq); + } + if (ssl->server && (server_seq != (guint32)-1)) { + ssl->server->seq = server_seq; + ssl_debug_printf("ssl_set_master_secret server->seq updated to %" PRIu64 "\n", ssl->server->seq); + } + + /* update IV from last data */ + iv_len = ssl_get_cipher_blocksize(ssl->cipher_suite); + if (ssl->client && ((ssl->client->seq > 0) || (ssl->client_data_for_iv.data_len > iv_len))) { + ssl_cipher_setiv(&ssl->client->evp, ssl->client_data_for_iv.data + ssl->client_data_for_iv.data_len - iv_len, iv_len); + ssl_print_data("ssl_set_master_secret client IV updated",ssl->client_data_for_iv.data + ssl->client_data_for_iv.data_len - iv_len, iv_len); + } + if (ssl->server && ((ssl->server->seq > 0) || (ssl->server_data_for_iv.data_len > iv_len))) { + ssl_cipher_setiv(&ssl->server->evp, ssl->server_data_for_iv.data + ssl->server_data_for_iv.data_len - iv_len, iv_len); + ssl_print_data("ssl_set_master_secret server IV updated",ssl->server_data_for_iv.data + ssl->server_data_for_iv.data_len - iv_len, iv_len); + } +} + + +/********************************************************************* + * + * Support Functions + * + *********************************************************************/ +static gint +ssl_is_valid_ssl_version(const guint16 version) +{ + const gchar *version_str; + + version_str = try_val_to_str(version, ssl_versions); + return version_str != NULL; +} + +static gint +ssl_is_v2_client_hello(tvbuff_t *tvb, const guint32 offset) +{ + guint8 byte; + + byte = tvb_get_guint8(tvb, offset); + if (byte != 0x80) /* v2 client hello should start this way */ + { + return 0; + } + + byte = tvb_get_guint8(tvb, offset+2); + if (byte != 0x01) /* v2 client hello msg type */ + { + return 0; + } + + /* 1 in 2^16 of being right; improve later if necessary */ + return 1; +} + +/* this applies a heuristic to determine whether + * or not the data beginning at offset looks like a + * valid sslv2 record. this isn't really possible, + * but we'll try to do a reasonable job anyway. + */ +static gint +ssl_looks_like_sslv2(tvbuff_t *tvb, const guint32 offset) +{ + /* here's the current approach: + * + * we only try to catch unencrypted handshake messages, so we can + * assume that there is not padding. This means that the + * first byte must be >= 0x80 and there must be a valid sslv2 + * msg_type in the third byte + */ + + /* get the first byte; must have high bit set */ + guint8 byte; + byte = tvb_get_guint8(tvb, offset); + + if (byte < 0x80) + { + return 0; + } + + /* get the supposed msg_type byte; since we only care about + * unencrypted handshake messages (we can't tell the type for + * encrypted messages), we just check against that list + */ + byte = tvb_get_guint8(tvb, offset + 2); + switch (byte) { + case SSL2_HND_ERROR: + case SSL2_HND_CLIENT_HELLO: + case SSL2_HND_CLIENT_MASTER_KEY: + case SSL2_HND_SERVER_HELLO: + return 1; + } + return 0; +} + +/* this applies a heuristic to determine whether + * or not the data beginning at offset looks like a + * valid sslv3 record. this is somewhat more reliable + * than sslv2 due to the structure of the v3 protocol + */ +static gint +ssl_looks_like_sslv3(tvbuff_t *tvb, const guint32 offset) +{ + /* have to have a valid content type followed by a valid + * protocol version + */ + guint8 byte; + guint16 version; + + /* see if the first byte is a valid content type */ + byte = tvb_get_guint8(tvb, offset); + if (!ssl_is_valid_content_type(byte)) + { + return 0; + } + + /* now check to see if the version byte appears valid */ + version = tvb_get_ntohs(tvb, offset + 1); + switch (version) { + case SSLV3_VERSION: + case TLSV1_VERSION: + case TLSV1DOT1_VERSION: + case TLSV1DOT2_VERSION: + case TLSV1DOT3_VERSION: + case TLCPV1_VERSION: + return 1; + } + return 0; +} + +/* applies a heuristic to determine whether + * or not the data beginning at offset looks + * like a valid, unencrypted v2 handshake message. + * since it isn't possible to completely tell random + * data apart from a valid message without state, + * we try to help the odds. + */ +static gint +ssl_looks_like_valid_v2_handshake(tvbuff_t *tvb, const guint32 offset, + const guint32 record_length) +{ + /* first byte should be a msg_type. + * + * - we know we only see client_hello, client_master_key, + * and server_hello in the clear, so check to see if + * msg_type is one of those (this gives us a 3 in 2^8 + * chance of saying yes with random payload) + * + * - for those three types that we know about, do some + * further validation to reduce the chance of an error + */ + guint8 msg_type; + guint16 version; + guint32 sum; + gint ret = 0; + + /* fetch the msg_type */ + msg_type = tvb_get_guint8(tvb, offset); + + switch (msg_type) { + case SSL2_HND_CLIENT_HELLO: + /* version follows msg byte, so verify that this is valid */ + version = tvb_get_ntohs(tvb, offset+1); + ret = ssl_is_valid_ssl_version(version); + break; + + case SSL2_HND_SERVER_HELLO: + /* version is three bytes after msg_type */ + version = tvb_get_ntohs(tvb, offset+3); + ret = ssl_is_valid_ssl_version(version); + break; + + case SSL2_HND_CLIENT_MASTER_KEY: + /* sum of clear_key_length, encrypted_key_length, and key_arg_length + * must be less than record length + */ + sum = tvb_get_ntohs(tvb, offset + 4); /* clear_key_length */ + sum += tvb_get_ntohs(tvb, offset + 6); /* encrypted_key_length */ + sum += tvb_get_ntohs(tvb, offset + 8); /* key_arg_length */ + if (sum <= record_length) { + ret = 1; + } + break; + + default: + break; + } + + return ret; +} + +gboolean +tls_get_cipher_info(packet_info *pinfo, guint16 cipher_suite, int *cipher_algo, int *cipher_mode, int *hash_algo) +{ + if (cipher_suite == 0) { + conversation_t *conv = find_conversation_pinfo(pinfo, 0); + if (!conv) { + return FALSE; + } + + void *conv_data = conversation_get_proto_data(conv, proto_tls); + if (conv_data == NULL) { + return FALSE; + } + + SslDecryptSession *ssl_session = (SslDecryptSession *)conv_data; + cipher_suite = ssl_session->session.cipher; + } + const SslCipherSuite *suite = ssl_find_cipher(cipher_suite); + if (!suite) { + return FALSE; + } + + /* adapted from ssl_cipher_init in packet-tls-utils.c */ + static const gint gcry_modes[] = { + GCRY_CIPHER_MODE_STREAM, + GCRY_CIPHER_MODE_CBC, + GCRY_CIPHER_MODE_GCM, + GCRY_CIPHER_MODE_CCM, + GCRY_CIPHER_MODE_CCM, + GCRY_CIPHER_MODE_POLY1305, + }; + static const int gcry_mds[] = { + GCRY_MD_MD5, + GCRY_MD_SHA1, + GCRY_MD_SHA256, + GCRY_MD_SHA384, + -1, + }; + int mode = gcry_modes[suite->mode]; + int cipher_algo_id = ssl_get_cipher_algo(suite); + int hash_algo_id = gcry_mds[suite->dig-DIG_MD5]; + if (mode == -1 || cipher_algo_id == 0 || hash_algo_id == -1) { + /* Identifiers are unusable, fail. */ + return FALSE; + } + if (cipher_algo) { + *cipher_algo = cipher_algo_id; + } + if (cipher_mode) { + *cipher_mode = mode; + } + if (hash_algo) { + *hash_algo = hash_algo_id; + } + + return TRUE; +} + +/** + * Load the QUIC traffic secret from the keylog file. + * Returns the secret length (at most 'secret_max_len') and the secret into + * 'secret' if a secret was found, or zero otherwise. + */ +gint +tls13_get_quic_secret(packet_info *pinfo, gboolean is_from_server, int type, guint secret_min_len, guint secret_max_len, guint8 *secret_out) +{ + GHashTable *key_map; + const char *label; + conversation_t *conv = find_conversation_pinfo(pinfo, 0); + if (!conv) { + return 0; + } + + SslDecryptSession *ssl = (SslDecryptSession *)conversation_get_proto_data(conv, proto_tls); + if (ssl == NULL) { + return 0; + } + + gboolean is_quic = !!(ssl->state & SSL_QUIC_RECORD_LAYER); + ssl_debug_printf("%s frame %d is_quic=%d\n", G_STRFUNC, pinfo->num, is_quic); + if (!is_quic) { + return 0; + } + + if (ssl->client_random.data_len == 0) { + /* May happen if Hello message is missing and Finished is found. */ + ssl_debug_printf("%s missing Client Random\n", G_STRFUNC); + return 0; + } + + // Not strictly necessary as QUIC CRYPTO frames have just been processed + // which also calls ssl_load_keyfile for key transitions. + ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, &ssl_master_key_map); + + switch ((TLSRecordType)type) { + case TLS_SECRET_0RTT_APP: + DISSECTOR_ASSERT(!is_from_server); + label = "CLIENT_EARLY_TRAFFIC_SECRET"; + key_map = ssl_master_key_map.tls13_client_early; + break; + case TLS_SECRET_HANDSHAKE: + if (is_from_server) { + label = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; + key_map = ssl_master_key_map.tls13_server_handshake; + } else { + label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; + key_map = ssl_master_key_map.tls13_client_handshake; + } + break; + case TLS_SECRET_APP: + if (is_from_server) { + label = "SERVER_TRAFFIC_SECRET_0"; + key_map = ssl_master_key_map.tls13_server_appdata; + } else { + label = "CLIENT_TRAFFIC_SECRET_0"; + key_map = ssl_master_key_map.tls13_client_appdata; + } + break; + default: + ws_assert_not_reached(); + } + + StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random); + if (!secret || secret->data_len < secret_min_len || secret->data_len > secret_max_len) { + ssl_debug_printf("%s Cannot find QUIC %s of size %d..%d, found bad size %d!\n", + G_STRFUNC, label, secret_min_len, secret_max_len, secret ? secret->data_len : 0); + return 0; + } + + ssl_debug_printf("%s Retrieved QUIC traffic secret.\n", G_STRFUNC); + ssl_print_string("Client Random", &ssl->client_random); + ssl_print_string(label, secret); + memcpy(secret_out, secret->data, secret->data_len); + return secret->data_len; +} + +const char * +tls_get_alpn(packet_info *pinfo) +{ + conversation_t *conv = find_conversation_pinfo(pinfo, 0); + if (!conv) { + return NULL; + } + + SslDecryptSession *session = (SslDecryptSession *)conversation_get_proto_data(conv, proto_tls); + if (session == NULL) { + return NULL; + } + + return session->session.alpn_name; +} + +/* TLS Exporters {{{ */ +/** + * Computes the TLS 1.3 Exporter value (RFC 8446 Section 7.5). + * + * "secret" is the [early_]exporter_master_secret. On success, TRUE is returned + * and the key is returned via "out" (free with "wmem_free(NULL, out)"). + */ +static gboolean +tls13_exporter_common(int algo, const StringInfo *secret, const char *label, guint8 *context, + guint context_length, guint key_length, guchar **out) +{ + /* TLS-Exporter(label, context_value, key_length) = + * HKDF-Expand-Label(Derive-Secret(Secret, label, ""), + * "exporter", Hash(context_value), key_length) + * + * Derive-Secret(Secret, Label, Messages) = + * HKDF-Expand-Label(Secret, Label, + * Transcript-Hash(Messages), Hash.length) + */ + gcry_error_t err; + gcry_md_hd_t hd; + const char *hash_value; + StringInfo derived_secret = { NULL, 0 }; + // QUIC -09 currently uses draft 23, so no need to support older TLS drafts + const char *label_prefix = "tls13 "; + + err = gcry_md_open(&hd, algo, 0); + if (err) { + return FALSE; + } + + /* Calculate Derive-Secret(Secret, label, ""). */ + hash_value = gcry_md_read(hd, 0); /* Empty Messages */ + guint8 hash_len = (guint8) gcry_md_get_algo_dlen(algo); + derived_secret.data_len = hash_len; + if (!tls13_hkdf_expand_label_context(algo, secret, label_prefix, label, hash_value, hash_len, derived_secret.data_len, &derived_secret.data)) { + gcry_md_close(hd); + return FALSE; + } + + /* HKDF-Expand-Label(..., "exporter", Hash(context_value), key_length) */ + gcry_md_write(hd, context, context_length); + hash_value = gcry_md_read(hd, 0); + tls13_hkdf_expand_label_context(algo, &derived_secret, label_prefix, "exporter", hash_value, hash_len, key_length, out); + wmem_free(NULL, derived_secret.data); + gcry_md_close(hd); + + return TRUE; +} + +/** + * Exports keying material using "[early_]exporter_master_secret". See + * tls13_exporter_common for more details. + */ +gboolean +tls13_exporter(packet_info *pinfo, gboolean is_early, + const char *label, guint8 *context, + guint context_length, guint key_length, guchar **out) +{ + int hash_algo = 0; + GHashTable *key_map; + const StringInfo *secret; + + if (!tls_get_cipher_info(pinfo, 0, NULL, NULL, &hash_algo)) { + return FALSE; + } + + /* Lookup EXPORTER_SECRET based on client_random from conversation */ + conversation_t *conv = find_conversation_pinfo(pinfo, 0); + if (!conv) { + return FALSE; + } + + void *conv_data = conversation_get_proto_data(conv, proto_tls); + if (conv_data == NULL) { + return FALSE; + } + + SslDecryptSession *ssl_session = (SslDecryptSession *)conv_data; + ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, &ssl_master_key_map); + key_map = is_early ? ssl_master_key_map.tls13_early_exporter + : ssl_master_key_map.tls13_exporter; + secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl_session->client_random); + if (!secret) { + return FALSE; + } + + return tls13_exporter_common(hash_algo, secret, label, context, context_length, key_length, out); +} +/* }}} */ + + +/* UAT */ + +#ifdef HAVE_LIBGNUTLS +static void +ssldecrypt_free_cb(void *r) +{ + ssldecrypt_assoc_t *h = (ssldecrypt_assoc_t *)r; + + g_free(h->ipaddr); + g_free(h->port); + g_free(h->protocol); + g_free(h->keyfile); + g_free(h->password); +} + +static void* +ssldecrypt_copy_cb(void *dest, const void *orig, size_t len _U_) +{ + const ssldecrypt_assoc_t *o = (const ssldecrypt_assoc_t *)orig; + ssldecrypt_assoc_t *d = (ssldecrypt_assoc_t *)dest; + + d->ipaddr = g_strdup(o->ipaddr); + d->port = g_strdup(o->port); + d->protocol = g_strdup(o->protocol); + d->keyfile = g_strdup(o->keyfile); + d->password = g_strdup(o->password); + + return d; +} + +UAT_CSTRING_CB_DEF(sslkeylist_uats,ipaddr,ssldecrypt_assoc_t) +UAT_CSTRING_CB_DEF(sslkeylist_uats,port,ssldecrypt_assoc_t) +UAT_CSTRING_CB_DEF(sslkeylist_uats,protocol,ssldecrypt_assoc_t) +UAT_FILENAME_CB_DEF(sslkeylist_uats,keyfile,ssldecrypt_assoc_t) +UAT_CSTRING_CB_DEF(sslkeylist_uats,password,ssldecrypt_assoc_t) + +static bool +ssldecrypt_uat_fld_protocol_chk_cb(void* r _U_, const char* p, guint len _U_, const void* u1 _U_, const void* u2 _U_, char** err) +{ + if (!p || strlen(p) == 0u) { + // This should be removed in favor of Decode As. Make it optional. + *err = NULL; + return TRUE; + } + + if (!ssl_find_appdata_dissector(p)) { + if (proto_get_id_by_filter_name(p) != -1) { + *err = ws_strdup_printf("While '%s' is a valid dissector filter name, that dissector is not configured" + " to support TLS decryption.\n\n" + "If you need to decrypt '%s' over TLS, please contact the Wireshark development team.", p, p); + } else { + char* ssl_str = ssl_association_info("tls.port", "TCP"); + *err = ws_strdup_printf("Could not find dissector for: '%s'\nCommonly used TLS dissectors include:\n%s", p, ssl_str); + g_free(ssl_str); + } + return FALSE; + } + + *err = NULL; + return TRUE; +} +#endif /* HAVE_LIBGNUTLS */ + +static void +ssl_src_prompt(packet_info *pinfo, gchar *result) +{ + SslPacketInfo* pi; + guint32 srcport = pinfo->srcport; + + pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, pinfo->curr_layer_num); + if (pi != NULL) + srcport = pi->srcport; + + snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "source (%u%s)", srcport, UTF8_RIGHTWARDS_ARROW); +} + +static gpointer +ssl_src_value(packet_info *pinfo) +{ + SslPacketInfo* pi; + + pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, pinfo->curr_layer_num); + if (pi == NULL) + return GUINT_TO_POINTER(pinfo->srcport); + + return GUINT_TO_POINTER(pi->srcport); +} + +static void +ssl_dst_prompt(packet_info *pinfo, gchar *result) +{ + SslPacketInfo* pi; + guint32 destport = pinfo->destport; + + pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, pinfo->curr_layer_num); + if (pi != NULL) + destport = pi->destport; + + snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "destination (%s%u)", UTF8_RIGHTWARDS_ARROW, destport); +} + +static gpointer +ssl_dst_value(packet_info *pinfo) +{ + SslPacketInfo* pi; + + pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, pinfo->curr_layer_num); + if (pi == NULL) + return GUINT_TO_POINTER(pinfo->destport); + + return GUINT_TO_POINTER(pi->destport); +} + +static void +ssl_both_prompt(packet_info *pinfo, gchar *result) +{ + SslPacketInfo* pi; + guint32 srcport = pinfo->srcport, + destport = pinfo->destport; + + pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto_tls, pinfo->curr_layer_num); + if (pi != NULL) + { + srcport = pi->srcport; + destport = pi->destport; + } + + snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "both (%u%s%u)", srcport, UTF8_LEFT_RIGHT_ARROW, destport); +} + +static void +tls_secrets_block_callback(const void *secrets, guint size) +{ + tls_keylog_process_lines(&ssl_master_key_map, (const guint8 *)secrets, size); +} + +/********************************************************************* + * + * Standard Wireshark Protocol Registration and housekeeping + * + *********************************************************************/ +void +proto_register_tls(void) +{ + + /* Setup list of header fields See Section 1.6.1 for details*/ + static hf_register_info hf[] = { + { &hf_tls_record, + { "Record Layer", "tls.record", + FT_NONE, BASE_NONE, NULL, 0x0, + NULL, HFILL } + }, + { &hf_tls_record_content_type, + { "Content Type", "tls.record.content_type", + FT_UINT8, BASE_DEC, VALS(ssl_31_content_type), 0x0, + NULL, HFILL} + }, + { &hf_tls_record_opaque_type, + { "Opaque Type", "tls.record.opaque_type", + FT_UINT8, BASE_DEC, VALS(ssl_31_content_type), 0x0, + "Always set to value 23, actual content type is known after decryption", HFILL} + }, + { &hf_ssl2_msg_type, + { "Handshake Message Type", "tls.ssl2.handshake.type", + FT_UINT8, BASE_DEC, VALS(ssl_20_msg_types), 0x0, + "SSLv2 handshake message type", HFILL} + }, + { &hf_tls_record_version, + { "Version", "tls.record.version", + FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0, + "Record layer version", HFILL } + }, + { &hf_tls_record_length, + { "Length", "tls.record.length", + FT_UINT16, BASE_DEC, NULL, 0x0, + "Length of TLS record data", HFILL } + }, + { &hf_tls_record_appdata, + { "Encrypted Application Data", "tls.app_data", + FT_BYTES, BASE_NONE, NULL, 0x0, + "Payload is encrypted application data", HFILL } + }, + { &hf_tls_record_appdata_proto, + { "Application Data Protocol", "tls.app_data_proto", + FT_STRING, BASE_NONE, NULL, 0x0, + NULL, HFILL } + }, + { &hf_ssl2_record, + { "SSLv2 Record Header", "tls.record", + FT_NONE, BASE_NONE, NULL, 0x0, + "SSLv2 record data", HFILL } + }, + { &hf_ssl2_record_is_escape, + { "Is Escape", "tls.record.is_escape", + FT_BOOLEAN, BASE_NONE, NULL, 0x0, + "Indicates a security escape", HFILL} + }, + { &hf_ssl2_record_padding_length, + { "Padding Length", "tls.record.padding_length", + FT_UINT8, BASE_DEC, NULL, 0x0, + "Length of padding at end of record", HFILL } + }, + { &hf_tls_alert_message, + { "Alert Message", "tls.alert_message", + FT_NONE, BASE_NONE, NULL, 0x0, + NULL, HFILL } + }, + { &hf_tls_alert_message_level, + { "Level", "tls.alert_message.level", + FT_UINT8, BASE_DEC, VALS(ssl_31_alert_level), 0x0, + "Alert message level", HFILL } + }, + { &hf_tls_alert_message_description, + { "Description", "tls.alert_message.desc", + FT_UINT8, BASE_DEC, VALS(ssl_31_alert_description), 0x0, + "Alert message description", HFILL } + }, + { &hf_tls_handshake_protocol, + { "Handshake Protocol", "tls.handshake", + FT_NONE, BASE_NONE, NULL, 0x0, + "Handshake protocol message", HFILL} + }, + { &hf_tls_handshake_type, + { "Handshake Type", "tls.handshake.type", + FT_UINT8, BASE_DEC, VALS(ssl_31_handshake_type), 0x0, + "Type of handshake message", HFILL} + }, + { &hf_tls_handshake_length, + { "Length", "tls.handshake.length", + FT_UINT24, BASE_DEC, NULL, 0x0, + "Length of handshake message", HFILL } + }, + { &hf_ssl2_handshake_cipher_spec, + { "Cipher Spec", "tls.ssl2.handshake.cipherspec", + FT_UINT24, BASE_HEX|BASE_EXT_STRING, &ssl_20_cipher_suites_ext, 0x0, + "Cipher specification", HFILL } + }, + { &hf_tls_handshake_npn_selected_protocol_len, + { "Selected Protocol Length", "tls.handshake.npn_selected_protocol_len", + FT_UINT8, BASE_DEC, NULL, 0x0, + NULL, HFILL } + }, + { &hf_tls_handshake_npn_selected_protocol, + { "Selected Protocol", "tls.handshake.npn_selected_protocol", + FT_STRING, BASE_NONE, NULL, 0x0, + "Protocol to be used for connection", HFILL } + }, + { &hf_tls_handshake_npn_padding_len, + { "Padding Length", "tls.handshake.npn_padding_len", + FT_UINT8, BASE_DEC, NULL, 0x0, + NULL, HFILL } + }, + { &hf_tls_handshake_npn_padding, + { "Padding", "tls.handshake.npn_padding", + FT_BYTES, BASE_NONE, NULL, 0x0, + NULL, HFILL } + }, + { &ssl_hfs.hs_md5_hash, + { "MD5 Hash", "tls.handshake.md5_hash", + FT_NONE, BASE_NONE, NULL, 0x0, + "Hash of messages, master_secret, etc.", HFILL } + }, + { &ssl_hfs.hs_sha_hash, + { "SHA-1 Hash", "tls.handshake.sha_hash", + FT_NONE, BASE_NONE, NULL, 0x0, + "Hash of messages, master_secret, etc.", HFILL } + }, + { &hf_tls_heartbeat_message, + { "Heartbeat Message", "tls.heartbeat_message", + FT_NONE, BASE_NONE, NULL, 0x0, + NULL, HFILL } + }, + { &hf_tls_heartbeat_message_type, + { "Type", "tls.heartbeat_message.type", + FT_UINT8, BASE_DEC, VALS(tls_heartbeat_type), 0x0, + "Heartbeat message type", HFILL } + }, + { &hf_tls_heartbeat_message_payload_length, + { "Payload Length", "tls.heartbeat_message.payload_length", + FT_UINT16, BASE_DEC, NULL, 0x00, NULL, HFILL } + }, + { &hf_tls_heartbeat_message_payload, + { "Payload Length", "tls.heartbeat_message.payload", + FT_BYTES, BASE_NONE, NULL, 0x00, NULL, HFILL } + }, + { &hf_tls_heartbeat_message_padding, + { "Payload Length", "tls.heartbeat_message.padding", + FT_BYTES, BASE_NONE, NULL, 0x00, NULL, HFILL } + }, + { &hf_ssl2_handshake_challenge, + { "Challenge", "tls.handshake.challenge", + FT_NONE, BASE_NONE, NULL, 0x0, + "Challenge data used to authenticate server", HFILL } + }, + { &hf_ssl2_handshake_cipher_spec_len, + { "Cipher Spec Length", "tls.handshake.cipher_spec_len", + FT_UINT16, BASE_DEC, NULL, 0x0, + "Length of cipher specs field", HFILL } + }, + { &hf_ssl2_handshake_session_id_len, + { "Session ID Length", "tls.handshake.session_id_length", + FT_UINT16, BASE_DEC, NULL, 0x0, + "Length of session ID field", HFILL } + }, + { &hf_ssl2_handshake_challenge_len, + { "Challenge Length", "tls.handshake.challenge_length", + FT_UINT16, BASE_DEC, NULL, 0x0, + "Length of challenge field", HFILL } + }, + { &hf_ssl2_handshake_clear_key_len, + { "Clear Key Data Length", "tls.handshake.clear_key_length", + FT_UINT16, BASE_DEC, NULL, 0x0, + "Length of clear key data", HFILL } + }, + { &hf_ssl2_handshake_enc_key_len, + { "Encrypted Key Data Length", "tls.handshake.encrypted_key_length", + FT_UINT16, BASE_DEC, NULL, 0x0, + "Length of encrypted key data", HFILL } + }, + { &hf_ssl2_handshake_key_arg_len, + { "Key Argument Length", "tls.handshake.key_arg_length", + FT_UINT16, BASE_DEC, NULL, 0x0, + "Length of key argument", HFILL } + }, + { &hf_ssl2_handshake_clear_key, + { "Clear Key Data", "tls.handshake.clear_key_data", + FT_NONE, BASE_NONE, NULL, 0x0, + "Clear portion of MASTER-KEY", HFILL } + }, + { &hf_ssl2_handshake_enc_key, + { "Encrypted Key", "tls.handshake.encrypted_key", + FT_NONE, BASE_NONE, NULL, 0x0, + "Secret portion of MASTER-KEY encrypted to server", HFILL } + }, + { &hf_ssl2_handshake_key_arg, + { "Key Argument", "tls.handshake.key_arg", + FT_NONE, BASE_NONE, NULL, 0x0, + "Key Argument (e.g., Initialization Vector)", HFILL } + }, + { &hf_ssl2_handshake_session_id_hit, + { "Session ID Hit", "tls.handshake.session_id_hit", + FT_BOOLEAN, BASE_NONE, NULL, 0x0, + "Did the server find the client's Session ID?", HFILL } + }, + { &hf_ssl2_handshake_cert_type, + { "Certificate Type", "tls.ssl2.handshake.cert_type", + FT_UINT8, BASE_DEC, VALS(ssl_20_certificate_type), 0x0, + NULL, HFILL } + }, + { &hf_ssl2_handshake_connection_id_len, + { "Connection ID Length", "tls.handshake.connection_id_length", + FT_UINT16, BASE_DEC, NULL, 0x0, + "Length of connection ID", HFILL } + }, + { &hf_ssl2_handshake_connection_id, + { "Connection ID", "tls.handshake.connection_id", + FT_NONE, BASE_NONE, NULL, 0x0, + "Server's challenge to client", HFILL } + }, + + { &hf_tls_segment_overlap, + { "Segment overlap", "tls.segment.overlap", + FT_BOOLEAN, BASE_NONE, NULL, 0x0, + "Segment overlaps with other segments", HFILL }}, + + { &hf_tls_segment_overlap_conflict, + { "Conflicting data in segment overlap", "tls.segment.overlap.conflict", + FT_BOOLEAN, BASE_NONE, NULL, 0x0, + "Overlapping segments contained conflicting data", HFILL }}, + + { &hf_tls_segment_multiple_tails, + { "Multiple tail segments found", "tls.segment.multipletails", + FT_BOOLEAN, BASE_NONE, NULL, 0x0, + "Several tails were found when reassembling the pdu", HFILL }}, + + { &hf_tls_segment_too_long_fragment, + { "Segment too long", "tls.segment.toolongfragment", + FT_BOOLEAN, BASE_NONE, NULL, 0x0, + "Segment contained data past end of the pdu", HFILL }}, + + { &hf_tls_segment_error, + { "Reassembling error", "tls.segment.error", + FT_FRAMENUM, BASE_NONE, NULL, 0x0, + "Reassembling error due to illegal segments", HFILL }}, + + { &hf_tls_segment_count, + { "Segment count", "tls.segment.count", + FT_UINT32, BASE_DEC, NULL, 0x0, + NULL, HFILL }}, + + { &hf_tls_segment, + { "TLS segment", "tls.segment", + FT_FRAMENUM, BASE_NONE, NULL, 0x0, + NULL, HFILL }}, + + { &hf_tls_segments, + { "Reassembled TLS segments", "tls.segments", + FT_NONE, BASE_NONE, NULL, 0x0, + "TLS Segments", HFILL }}, + + { &hf_tls_reassembled_in, + { "Reassembled PDU in frame", "tls.reassembled_in", + FT_FRAMENUM, BASE_NONE, NULL, 0x0, + "The PDU that doesn't end in this segment is reassembled in this frame", HFILL }}, + + { &hf_tls_reassembled_length, + { "Reassembled PDU length", "tls.reassembled.length", + FT_UINT32, BASE_DEC, NULL, 0x0, + "The total length of the reassembled payload", HFILL }}, + + { &hf_tls_reassembled_data, + { "Reassembled PDU data", "tls.reassembled.data", + FT_BYTES, BASE_NONE, NULL, 0x00, + "The payload of multiple reassembled TLS segments", HFILL }}, + + { &hf_tls_segment_data, + { "TLS segment data", "tls.segment.data", + FT_BYTES, BASE_NONE, NULL, 0x00, + "The payload of a single TLS segment", HFILL } + }, + + { &hf_tls_handshake_fragment_count, + { "Handshake Fragment count", "tls.handshake.fragment.count", + FT_UINT32, BASE_DEC, NULL, 0x0, + NULL, HFILL }}, + + { &hf_tls_handshake_fragment, + { "Handshake Fragment", "tls.handshake.fragment", + FT_FRAMENUM, BASE_NONE, NULL, 0x0, + NULL, HFILL }}, + + { &hf_tls_handshake_fragments, + { "Reassembled Handshake Fragments", "tls.handshake.fragments", + FT_NONE, BASE_NONE, NULL, 0x0, + NULL, HFILL }}, + + { &hf_tls_handshake_reassembled_in, + { "Reassembled Handshake Message in frame", "tls.handshake.reassembled_in", + FT_FRAMENUM, BASE_NONE, NULL, 0x0, + "The handshake message is fully reassembled in this frame", HFILL }}, + + SSL_COMMON_HF_LIST(dissect_ssl3_hf, "tls") + }; + + /* Setup protocol subtree array */ + static gint *ett[] = { + &ett_tls, + &ett_tls_record, + &ett_tls_alert, + &ett_tls_handshake, + &ett_tls_heartbeat, + &ett_tls_certs, + &ett_tls_segments, + &ett_tls_segment, + &ett_tls_hs_fragments, + &ett_tls_hs_fragment, + SSL_COMMON_ETT_LIST(dissect_ssl3_hf) + }; + + static ei_register_info ei[] = { + { &ei_ssl2_handshake_session_id_len_error, { "tls.handshake.session_id_length.error", PI_MALFORMED, PI_ERROR, "Session ID length error", EXPFILL }}, + { &ei_ssl3_heartbeat_payload_length, { "tls.heartbeat_message.payload_length.invalid", PI_MALFORMED, PI_ERROR, "Invalid heartbeat payload length", EXPFILL }}, + { &ei_tls_unexpected_message, { "tls.unexpected_message", PI_PROTOCOL, PI_ERROR, "Unexpected message", EXPFILL }}, + + /* Generated from convert_proto_tree_add_text.pl */ + { &ei_tls_ignored_unknown_record, { "tls.ignored_unknown_record", PI_PROTOCOL, PI_WARN, "Ignored Unknown Record", EXPFILL }}, + + SSL_COMMON_EI_LIST(dissect_ssl3_hf, "tls") + }; + + static build_valid_func ssl_da_src_values[1] = {ssl_src_value}; + static build_valid_func ssl_da_dst_values[1] = {ssl_dst_value}; + static build_valid_func ssl_da_both_values[2] = {ssl_src_value, ssl_dst_value}; + static decode_as_value_t ssl_da_values[3] = {{ssl_src_prompt, 1, ssl_da_src_values}, {ssl_dst_prompt, 1, ssl_da_dst_values}, {ssl_both_prompt, 2, ssl_da_both_values}}; + static decode_as_t ssl_da = {"tls", "tls.port", 3, 2, ssl_da_values, "TCP", "port(s) as", + decode_as_default_populate_list, decode_as_default_reset, decode_as_default_change, NULL}; + + expert_module_t* expert_ssl; + + /* Register the protocol name and description */ + proto_tls = proto_register_protocol("Transport Layer Security", + "TLS", "tls"); + + ssl_associations = register_dissector_table("tls.port", "TLS Port", proto_tls, FT_UINT16, BASE_DEC); + register_dissector_table_alias(ssl_associations, "ssl.port"); + + /* Required function calls to register the header fields and + * subtrees used */ + proto_register_field_array(proto_tls, hf, array_length(hf)); + proto_register_alias(proto_tls, "ssl"); + proto_register_subtree_array(ett, array_length(ett)); + expert_ssl = expert_register_protocol(proto_tls); + expert_register_field_array(expert_ssl, ei, array_length(ei)); + + { + module_t *ssl_module = prefs_register_protocol(proto_tls, proto_reg_handoff_ssl); + +#ifdef HAVE_LIBGNUTLS + static uat_field_t sslkeylist_uats_flds[] = { + UAT_FLD_CSTRING_OTHER(sslkeylist_uats, ipaddr, "IP address", ssldecrypt_uat_fld_ip_chk_cb, "IPv4 or IPv6 address (unused)"), + UAT_FLD_CSTRING_OTHER(sslkeylist_uats, port, "Port", ssldecrypt_uat_fld_port_chk_cb, "Port Number (optional)"), + UAT_FLD_CSTRING_OTHER(sslkeylist_uats, protocol, "Protocol", ssldecrypt_uat_fld_protocol_chk_cb, "Application Layer Protocol (optional)"), + UAT_FLD_FILENAME_OTHER(sslkeylist_uats, keyfile, "Key File", ssldecrypt_uat_fld_fileopen_chk_cb, "Private keyfile."), + UAT_FLD_CSTRING_OTHER(sslkeylist_uats, password,"Password", ssldecrypt_uat_fld_password_chk_cb, "Password (for PCKS#12 keyfile)"), + UAT_END_FIELDS + }; + + ssldecrypt_uat = uat_new("TLS Decrypt", + sizeof(ssldecrypt_assoc_t), + "ssl_keys", /* filename */ + TRUE, /* from_profile */ + &tlskeylist_uats, /* data_ptr */ + &ntlsdecrypt, /* numitems_ptr */ + UAT_AFFECTS_DISSECTION, /* affects dissection of packets, but not set of named fields */ + NULL, /* Help section (currently a wiki page) */ + ssldecrypt_copy_cb, + NULL, + ssldecrypt_free_cb, + ssl_parse_uat, + ssl_reset_uat, + sslkeylist_uats_flds); + + prefs_register_uat_preference(ssl_module, "key_table", + "RSA keys list", + "A table of RSA keys for TLS decryption", + ssldecrypt_uat); + + prefs_register_string_preference(ssl_module, "keys_list", "RSA keys list (deprecated)", + "Semicolon-separated list of private RSA keys used for TLS decryption. " + "Used by versions of Wireshark prior to 1.6", + &ssl_keys_list); +#endif /* HAVE_LIBGNUTLS */ + + prefs_register_filename_preference(ssl_module, "debug_file", "TLS debug file", + "Redirect TLS debug to the file specified. Leave empty to disable debugging " + "or use \"" SSL_DEBUG_USE_STDERR "\" to redirect output to stderr.", + &ssl_debug_file_name, TRUE); + + prefs_register_bool_preference(ssl_module, + "desegment_ssl_records", + "Reassemble TLS records spanning multiple TCP segments", + "Whether the TLS dissector should reassemble TLS records spanning multiple TCP segments. " + "To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.", + &tls_desegment); + prefs_register_bool_preference(ssl_module, + "desegment_ssl_application_data", + "Reassemble TLS Application Data spanning multiple TLS records", + "Whether the TLS dissector should reassemble TLS Application Data spanning multiple TLS records. ", + &tls_desegment_app_data); + prefs_register_bool_preference(ssl_module, + "ignore_ssl_mac_failed", + "Message Authentication Code (MAC), ignore \"mac failed\"", + "For troubleshooting ignore the mac check result and decrypt also if the Message Authentication Code (MAC) fails.", + &tls_ignore_mac_failed); + ssl_common_register_options(ssl_module, &ssl_options, FALSE); + } + + /* heuristic dissectors for any premable e.g. CredSSP before RDP */ + ssl_heur_subdissector_list = register_heur_dissector_list("tls", proto_tls); + + ssl_common_register_ssl_alpn_dissector_table("tls.alpn", + "SSL/TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs", + proto_tls); + + tls_handle = register_dissector("tls", dissect_ssl, proto_tls); + register_dissector("tls13-handshake", dissect_tls13_handshake, proto_tls); + register_dissector("tls-echconfig", dissect_tls_echconfig, proto_tls); + + register_init_routine(ssl_init); + register_cleanup_routine(ssl_cleanup); + reassembly_table_register(&ssl_reassembly_table, + &tcp_reassembly_table_functions); + reassembly_table_register(&tls_hs_reassembly_table, + &addresses_ports_reassembly_table_functions); + register_decode_as(&ssl_da); + + /* XXX: this seems unused due to new "Follow TLS" method, remove? */ + tls_tap = register_tap("tls"); + ssl_debug_printf("proto_register_ssl: registered tap %s:%d\n", + "tls", tls_tap); + + register_follow_stream(proto_tls, "tls", tcp_follow_conv_filter, tcp_follow_index_filter, tcp_follow_address_filter, + tcp_port_to_display, ssl_follow_tap_listener, get_tcp_stream_count, NULL); + secrets_register_type(SECRETS_TYPE_TLS, tls_secrets_block_callback); +} + +static int dissect_tls_sct_ber(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + guint32 offset = 0; + /* Skip through tag and length for OCTET STRING encoding. */ + offset = dissect_ber_identifier(pinfo, tree, tvb, offset, NULL, NULL, NULL); + offset = dissect_ber_length(pinfo, tree, tvb, offset, NULL, NULL); + /* + * RFC 6962 (Certificate Transparency) refers to RFC 5246 (TLS 1.2) for the + * DigitallySigned format, so asssume that version. + */ + return tls_dissect_sct_list(&dissect_ssl3_hf, tvb, pinfo, tree, offset, tvb_captured_length(tvb), TLSV1DOT2_VERSION); +} + +/* If this dissector uses sub-dissector registration add a registration + * routine. This format is required because a script is used to find + * these routines and create the code that calls these routines. + */ +void +proto_reg_handoff_ssl(void) +{ + +#ifdef HAVE_LIBGNUTLS + /* parse key list */ + ssl_parse_uat(); + ssl_parse_old_keys(); +#endif + + /* + * XXX the port preferences should probably be removed in favor of Decode + * As. Then proto_reg_handoff_ssl can be removed from + * prefs_register_protocol. + */ + static gboolean initialized = FALSE; + if (initialized) { + return; + } + initialized = TRUE; + + exported_pdu_tap = find_tap_id(EXPORT_PDU_TAP_NAME_LAYER_7); + + /* Certificate Transparency extensions: 2 (Certificate), 5 (OCSP Response) */ + register_ber_oid_dissector("1.3.6.1.4.1.11129.2.4.2", dissect_tls_sct_ber, proto_tls, "SignedCertificateTimestampList"); + register_ber_oid_dissector("1.3.6.1.4.1.11129.2.4.5", dissect_tls_sct_ber, proto_tls, "SignedCertificateTimestampList"); + + heur_dissector_add("tcp", dissect_ssl_heur, "SSL/TLS over TCP", "tls_tcp", proto_tls, HEURISTIC_ENABLE); + dissector_add_string("http.upgrade", "tls", tls_handle); +} + +void +ssl_dissector_add(guint port, dissector_handle_t handle) +{ + ssl_association_add("tls.port", tls_handle, handle, port, TRUE); +} + +void +ssl_dissector_delete(guint port, dissector_handle_t handle) +{ + ssl_association_remove("tls.port", tls_handle, handle, port, TRUE); +} + +/* + * Editor modelines - https://www.wireshark.org/tools/modelines.html + * + * Local variables: + * c-basic-offset: 4 + * tab-width: 8 + * indent-tabs-mode: nil + * End: + * + * vi: set shiftwidth=4 tabstop=8 expandtab: + * :indentSize=4:tabSize=8:noTabs=true: + */ |