2 * Routines for ssl dissection
3 * Copyright (c) 2000-2001, Scott Renfro <scott@renfro.org>
5 * $Id: packet-ssl.c,v 1.25 2003/01/27 19:50:05 guy Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@ethereal.com>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 * - Uses conversations in a no-malloc fashion. Since we just want to
28 * remember the version of the conversation, we store the version
29 * integer directly in the void *data member of the conversation
30 * structure. This means that we don't have to manage any memory,
31 * but will cause problems if anyone assumes that all data pointers
32 * are actually pointers to memory allocated by g_mem_chunk_alloc.
34 * - Does not support decryption of encrypted frames, nor dissection
35 * of frames that would require state maintained between frames
36 * (e.g., single ssl records spread across multiple tcp frames)
38 * - Identifies, but does not fully dissect the following messages:
40 * - SSLv3/TLS (These need more state from previous handshake msgs)
41 * - Server Key Exchange
42 * - Client Key Exchange
43 * - Certificate Verify
45 * - SSLv2 (These don't appear in the clear)
50 * - Request Certificate
51 * - Client Certificate
65 #include <epan/conversation.h>
68 static gboolean ssl_desegment = TRUE;
71 /*********************************************************************
73 * Protocol Constants, Variables, Data Structures
75 *********************************************************************/
77 /* Initialize the protocol and registered fields */
78 static int proto_ssl = -1;
79 static int hf_ssl_record = -1;
80 static int hf_ssl_record_content_type = -1;
81 static int hf_ssl_record_version = -1;
82 static int hf_ssl_record_length = -1;
83 static int hf_ssl_record_appdata = -1;
84 static int hf_ssl2_record = -1;
85 static int hf_ssl2_record_is_escape = -1;
86 static int hf_ssl2_record_padding_length = -1;
87 static int hf_ssl2_msg_type = -1;
88 static int hf_pct_msg_type = -1;
89 static int hf_ssl_change_cipher_spec = -1;
90 static int hf_ssl_alert_message = -1;
91 static int hf_ssl_alert_message_level = -1;
92 static int hf_ssl_alert_message_description = -1;
93 static int hf_ssl_handshake_protocol = -1;
94 static int hf_ssl_handshake_type = -1;
95 static int hf_ssl_handshake_length = -1;
96 static int hf_ssl_handshake_client_version = -1;
97 static int hf_ssl_handshake_server_version = -1;
98 static int hf_ssl_handshake_random_time = -1;
99 static int hf_ssl_handshake_random_bytes = -1;
100 static int hf_ssl_handshake_cipher_suites_len = -1;
101 static int hf_ssl_handshake_cipher_suites = -1;
102 static int hf_ssl_handshake_cipher_suite = -1;
103 static int hf_ssl_handshake_session_id = -1;
104 static int hf_ssl_handshake_comp_methods_len = -1;
105 static int hf_ssl_handshake_comp_methods = -1;
106 static int hf_ssl_handshake_comp_method = -1;
107 static int hf_ssl_handshake_certificates_len = -1;
108 static int hf_ssl_handshake_certificates = -1;
109 static int hf_ssl_handshake_certificate = -1;
110 static int hf_ssl_handshake_certificate_len = -1;
111 static int hf_ssl_handshake_cert_types_count = -1;
112 static int hf_ssl_handshake_cert_types = -1;
113 static int hf_ssl_handshake_cert_type = -1;
114 static int hf_ssl_handshake_finished = -1;
115 static int hf_ssl_handshake_md5_hash = -1;
116 static int hf_ssl_handshake_sha_hash = -1;
117 static int hf_ssl_handshake_session_id_len = -1;
118 static int hf_ssl_handshake_dnames_len = -1;
119 static int hf_ssl_handshake_dnames = -1;
120 static int hf_ssl_handshake_dname_len = -1;
121 static int hf_ssl_handshake_dname = -1;
122 static int hf_ssl2_handshake_cipher_spec_len = -1;
123 static int hf_ssl2_handshake_session_id_len = -1;
124 static int hf_ssl2_handshake_challenge_len = -1;
125 static int hf_ssl2_handshake_cipher_spec = -1;
126 static int hf_ssl2_handshake_challenge = -1;
127 static int hf_ssl2_handshake_clear_key_len = -1;
128 static int hf_ssl2_handshake_enc_key_len = -1;
129 static int hf_ssl2_handshake_key_arg_len = -1;
130 static int hf_ssl2_handshake_clear_key = -1;
131 static int hf_ssl2_handshake_enc_key = -1;
132 static int hf_ssl2_handshake_key_arg = -1;
133 static int hf_ssl2_handshake_session_id_hit = -1;
134 static int hf_ssl2_handshake_cert_type = -1;
135 static int hf_ssl2_handshake_connection_id_len = -1;
136 static int hf_ssl2_handshake_connection_id = -1;
138 /* Initialize the subtree pointers */
139 static gint ett_ssl = -1;
140 static gint ett_ssl_record = -1;
141 static gint ett_ssl_alert = -1;
142 static gint ett_ssl_handshake = -1;
143 static gint ett_ssl_cipher_suites = -1;
144 static gint ett_ssl_comp_methods = -1;
145 static gint ett_ssl_certs = -1;
146 static gint ett_ssl_cert_types = -1;
147 static gint ett_ssl_dnames = -1;
149 /* The TCP port to associate with by default */
150 #define TCP_PORT_SSL 443
151 #define TCP_PORT_SSL_LDAP 636
152 #define TCP_PORT_SSL_IMAP 993
153 #define TCP_PORT_SSL_POP 995
155 /* version state tables */
156 #define SSL_VER_UNKNOWN 0
157 #define SSL_VER_SSLv2 1
158 #define SSL_VER_SSLv3 2
159 #define SSL_VER_TLS 3
160 #define SSL_VER_PCT 4
162 /* corresponds to the #defines above */
163 static gchar* ssl_version_short_names[] = {
172 #define SSL_ID_CHG_CIPHER_SPEC 0x14
173 #define SSL_ID_ALERT 0x15
174 #define SSL_ID_HANDSHAKE 0x16
175 #define SSL_ID_APP_DATA 0x17
177 #define SSL_HND_HELLO_REQUEST 0x00
178 #define SSL_HND_CLIENT_HELLO 0x01
179 #define SSL_HND_SERVER_HELLO 0x02
180 #define SSL_HND_CERTIFICATE 0x0b
181 #define SSL_HND_SERVER_KEY_EXCHG 0x0c
182 #define SSL_HND_CERT_REQUEST 0x0d
183 #define SSL_HND_SVR_HELLO_DONE 0x0e
184 #define SSL_HND_CERT_VERIFY 0x0f
185 #define SSL_HND_CLIENT_KEY_EXCHG 0x10
186 #define SSL_HND_FINISHED 0x14
188 #define SSL2_HND_ERROR 0x00
189 #define SSL2_HND_CLIENT_HELLO 0x01
190 #define SSL2_HND_CLIENT_MASTER_KEY 0x02
191 #define SSL2_HND_CLIENT_FINISHED 0x03
192 #define SSL2_HND_SERVER_HELLO 0x04
193 #define SSL2_HND_SERVER_VERIFY 0x05
194 #define SSL2_HND_SERVER_FINISHED 0x06
195 #define SSL2_HND_REQUEST_CERTIFICATE 0x07
196 #define SSL2_HND_CLIENT_CERTIFICATE 0x08
198 #define PCT_VERSION_1 0x8001
200 #define PCT_MSG_CLIENT_HELLO 0x01
201 #define PCT_MSG_SERVER_HELLO 0x02
202 #define PCT_MSG_CLIENT_MASTER_KEY 0x03
203 #define PCT_MSG_SERVER_VERIFY 0x04
204 #define PCT_MSG_ERROR 0x05
210 static const value_string ssl_20_msg_types[] = {
211 { SSL2_HND_ERROR, "Error" },
212 { SSL2_HND_CLIENT_HELLO, "Client Hello" },
213 { SSL2_HND_CLIENT_MASTER_KEY, "Client Master Key" },
214 { SSL2_HND_CLIENT_FINISHED, "Client Finished" },
215 { SSL2_HND_SERVER_HELLO, "Server Hello" },
216 { SSL2_HND_SERVER_VERIFY, "Server Verify" },
217 { SSL2_HND_SERVER_FINISHED, "Server Finished" },
218 { SSL2_HND_REQUEST_CERTIFICATE, "Request Certificate" },
219 { SSL2_HND_CLIENT_CERTIFICATE, "Client Certificate" },
223 static const value_string ssl_20_cipher_suites[] = {
224 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
225 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
226 { 0x030080, "SSL2_RC2_CBC_128_CBC_WITH_MD5" },
227 { 0x040080, "SSL2_RC2_CBC_128_CBC_WITH_MD5" },
228 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
229 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
230 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
231 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
232 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
233 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
234 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
235 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
236 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
237 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
238 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
239 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
240 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
241 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
242 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
243 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
244 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
245 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
246 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
247 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
248 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
249 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
250 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
251 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
252 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
253 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
254 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
255 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
256 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
257 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
258 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
259 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
260 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
261 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
262 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
263 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
264 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
265 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
266 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
267 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
268 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
269 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
270 /* these from http://www.mozilla.org/projects/
271 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
272 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
273 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
274 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
275 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
276 /* Microsoft's old PCT protocol. These are from Eric Rescorla's
277 book "SSL and TLS" */
278 { 0x8f8001, "PCT_SSL_COMPAT | PCT_VERSION_1" },
279 { 0x800003, "PCT_SSL_CERT_TYPE | PCT1_CERT_X509_CHAIN" },
280 { 0x800001, "PCT_SSL_CERT_TYPE | PCT1_CERT_X509" },
281 { 0x810001, "PCT_SSL_HASH_TYPE | PCT1_HASH_MD5" },
282 { 0x810003, "PCT_SSL_HASH_TYPE | PCT1_HASH_SHA" },
283 { 0x820001, "PCT_SSL_EXCH_TYPE | PCT1_EXCH_RSA_PKCS1" },
284 { 0x830004, "PCT_SSL_CIPHER_TYPE_1ST_HALF | PCT1_CIPHER_RC4" },
285 { 0x848040, "PCT_SSL_CIPHER_TYPE_2ND_HALF | PCT1_ENC_BITS_128 | PCT1_MAC_BITS_128" },
286 { 0x842840, "PCT_SSL_CIPHER_TYPE_2ND_HALF | PCT1_ENC_BITS_40 | PCT1_MAC_BITS_128" },
287 /* note that ciphersuites of {0x00????} are TLS cipher suites in
288 * a sslv2 client hello message; the ???? above is the two-byte
289 * tls cipher suite id
294 static const value_string ssl_20_certificate_type[] = {
296 { 0x01, "X.509 Certificate" },
300 static const value_string ssl_31_content_type[] = {
301 { 20, "Change Cipher Spec" },
304 { 23, "Application Data" },
308 static const value_string ssl_versions[] = {
309 { 0x0301, "TLS 1.0" },
310 { 0x0300, "SSL 3.0" },
311 { 0x0002, "SSL 2.0" },
315 static const value_string ssl_31_change_cipher_spec[] = {
316 { 1, "Change Cipher Spec" },
320 static const value_string ssl_31_alert_level[] = {
326 static const value_string ssl_31_alert_description[] = {
327 { 0, "Close Notify" },
328 { 10, "Unexpected Message" },
329 { 20, "Bad Record MAC" },
330 { 21, "Decryption Failed" },
331 { 22, "Record Overflow" },
332 { 30, "Decompression Failure" },
333 { 40, "Handshake Failure" },
334 { 42, "Bad Certificate" },
335 { 43, "Unsupported Certificate" },
336 { 44, "Certificate Revoked" },
337 { 45, "Certificate Expired" },
338 { 46, "Certificate Unknown" },
339 { 47, "Illegal Parameter" },
340 { 48, "Unknown CA" },
341 { 49, "Access Denied" },
342 { 50, "Decode Error" },
343 { 51, "Decrypt Error" },
344 { 60, "Export Restriction" },
345 { 70, "Protocol Version" },
346 { 71, "Insufficient Security" },
347 { 80, "Internal Error" },
348 { 90, "User Canceled" },
349 { 100, "No Renegotiation" },
353 static const value_string ssl_31_handshake_type[] = {
354 { SSL_HND_HELLO_REQUEST, "Hello Request" },
355 { SSL_HND_CLIENT_HELLO, "Client Hello" },
356 { SSL_HND_SERVER_HELLO, "Server Hello" },
357 { SSL_HND_CERTIFICATE, "Certificate" },
358 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
359 { SSL_HND_CERT_REQUEST, "Certificate Request" },
360 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
361 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
362 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
363 { SSL_HND_FINISHED, "Finished" },
367 static const value_string ssl_31_compression_method[] = {
373 static const value_string ssl_31_key_exchange_algorithm[] = {
375 { 1, "Diffie Hellman" },
379 static const value_string ssl_31_signature_algorithm[] = {
386 static const value_string ssl_31_client_certificate_type[] = {
389 { 3, "RSA Fixed DH" },
390 { 4, "DSS Fixed DH" },
394 static const value_string ssl_31_public_value_encoding[] = {
400 static const value_string ssl_31_ciphersuite[] = {
401 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
402 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
403 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
404 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
405 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
406 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
407 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
408 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
409 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
410 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
411 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
412 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
413 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
414 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
415 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
416 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
417 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
418 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
419 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
420 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
421 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
422 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
423 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
424 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
425 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
426 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
427 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
428 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
429 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
430 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
431 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
432 { 0x002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
433 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
434 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
435 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
436 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
437 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
438 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
439 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
440 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
441 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
442 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
443 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
444 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
445 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
446 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
447 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
448 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
449 /* these from http://www.mozilla.org/projects/
450 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
451 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
452 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
453 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
454 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
455 /* note that ciphersuites 0xff00 - 0xffff are private */
459 static const value_string pct_msg_types[] = {
460 { PCT_MSG_CLIENT_HELLO, "Client Hello" },
461 { PCT_MSG_SERVER_HELLO, "Server Hello" },
462 { PCT_MSG_CLIENT_MASTER_KEY, "Client Master Key" },
463 { PCT_MSG_SERVER_VERIFY, "Server Verify" },
464 { PCT_MSG_ERROR, "Error" },
469 /*********************************************************************
471 * Forward Declarations
473 *********************************************************************/
476 * SSL version 3 and TLS dissectors
479 /* record layer dissector */
480 static int dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
481 proto_tree *tree, guint32 offset,
483 gboolean *need_desegmentation);
485 /* change cipher spec dissector */
486 static void dissect_ssl3_change_cipher_spec(tvbuff_t *tvb,
489 guint *conv_version);
491 /* alert message dissector */
492 static void dissect_ssl3_alert(tvbuff_t *tvb, packet_info *pinfo,
493 proto_tree *tree, guint32 offset,
494 guint *conv_version);
496 /* handshake protocol dissector */
497 static void dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
498 proto_tree *tree, guint32 offset,
499 guint32 record_length,
500 guint *conv_version);
503 static void dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb,
507 static void dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb,
511 static void dissect_ssl3_hnd_cert(tvbuff_t *tvb,
512 proto_tree *tree, guint32 offset);
514 static void dissect_ssl3_hnd_cert_req(tvbuff_t *tvb,
518 static void dissect_ssl3_hnd_finished(tvbuff_t *tvb,
521 guint *conv_version);
525 * SSL version 2 dissectors
529 /* record layer dissector */
530 static int dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo,
531 proto_tree *tree, guint32 offset,
533 gboolean *need_desegmentation);
535 /* client hello dissector */
536 static void dissect_ssl2_hnd_client_hello(tvbuff_t *tvb,
540 /* client master key dissector */
541 static void dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb,
545 /* server hello dissector */
546 static void dissect_ssl2_hnd_server_hello(tvbuff_t *tvb,
554 static void ssl_set_conv_version(packet_info *pinfo, guint version);
555 static int ssl_is_valid_handshake_type(guint8 type);
556 static int ssl_is_valid_content_type(guint8 type);
557 static int ssl_is_valid_ssl_version(guint16 version);
558 static int ssl_is_authoritative_version_message(guint8 content_type,
560 static int ssl_is_v2_client_hello(tvbuff_t *tvb, guint32 offset);
561 static int ssl_looks_like_sslv2(tvbuff_t *tvb, guint32 offset);
562 static int ssl_looks_like_sslv3(tvbuff_t *tvb, guint32 offset);
563 static int ssl_looks_like_valid_v2_handshake(tvbuff_t *tvb,
565 guint32 record_length);
566 static int ssl_looks_like_valid_pct_handshake(tvbuff_t *tvb,
568 guint32 record_length);
570 /*********************************************************************
574 *********************************************************************/
576 * Code to actually dissect the packets
579 dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
582 conversation_t *conversation;
584 guint conv_version = SSL_VER_UNKNOWN;
585 proto_item *ti = NULL;
586 proto_tree *ssl_tree = NULL;
588 gboolean first_record_in_frame = TRUE;
589 gboolean need_desegmentation;
591 /* Track the version using conversations to reduce the
592 * chance that a packet that simply *looks* like a v2 or
593 * v3 packet is dissected improperly. This also allows
594 * us to more frequently set the protocol column properly
595 * for continuation data frames.
597 * Also: We use the copy in conv_version as our cached copy,
598 * so that we don't have to search the conversation
599 * table every time we want the version; when setting
600 * the conv_version, must set the copy in the conversation
601 * in addition to conv_version
603 conversation = find_conversation(&pinfo->src, &pinfo->dst, pinfo->ptype,
604 pinfo->srcport, pinfo->destport, 0);
607 /* create a new conversation */
608 conversation = conversation_new(&pinfo->src, &pinfo->dst, pinfo->ptype,
609 pinfo->srcport, pinfo->destport, 0);
611 conv_data = conversation_get_proto_data(conversation, proto_ssl);
612 if (conv_data != NULL)
614 conv_version = (guint)conv_data;
617 /* Initialize the protocol column; we'll set it later when we
618 * figure out what flavor of SSL it is (assuming we don't
619 * throw an exception before we get the chance to do so). */
620 if (check_col(pinfo->cinfo, COL_PROTOCOL))
622 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SSL");
625 /* clear the the info column */
626 if (check_col(pinfo->cinfo, COL_INFO))
627 col_clear(pinfo->cinfo, COL_INFO);
629 /* TCP packets and SSL records are orthogonal.
630 * A tcp packet may contain multiple ssl records and an ssl
631 * record may be spread across multiple tcp packets.
633 * This loop accounts for multiple ssl records in a single
634 * frame, but not a single ssl record across multiple tcp
637 * Handling the single ssl record across multiple packets
638 * may be possible using ethereal conversations, but
639 * probably not cleanly. May have to wait for tcp stream
643 /* Create display subtree for SSL as a whole */
646 ti = proto_tree_add_item(tree, proto_ssl, tvb, 0, -1, FALSE);
647 ssl_tree = proto_item_add_subtree(ti, ett_ssl);
650 /* iterate through the records in this tvbuff */
651 while (tvb_reported_length_remaining(tvb, offset) != 0)
653 /* on second and subsequent records per frame
654 * add a delimiter on info column
656 if (!first_record_in_frame
657 && check_col(pinfo->cinfo, COL_INFO))
659 col_append_str(pinfo->cinfo, COL_INFO, ", ");
663 * Assume, for now, that this doesn't need desegmentation.
665 need_desegmentation = FALSE;
667 /* first try to dispatch off the cached version
668 * known to be associated with the conversation
670 switch(conv_version) {
673 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
674 offset, &conv_version,
675 &need_desegmentation);
680 /* the version tracking code works too well ;-)
681 * at times, we may visit a v2 client hello after
682 * we already know the version of the connection;
683 * work around that here by detecting and calling
684 * the v2 dissector instead
686 if (ssl_is_v2_client_hello(tvb, offset))
688 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
689 offset, &conv_version,
690 &need_desegmentation);
694 offset = dissect_ssl3_record(tvb, pinfo, ssl_tree,
695 offset, &conv_version,
696 &need_desegmentation);
700 /* that failed, so apply some heuristics based
701 * on this individual packet
704 if (ssl_looks_like_sslv2(tvb, offset))
706 /* looks like sslv2 or pct client hello */
707 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
708 offset, &conv_version,
709 &need_desegmentation);
711 else if (ssl_looks_like_sslv3(tvb, offset))
713 /* looks like sslv3 or tls */
714 offset = dissect_ssl3_record(tvb, pinfo, ssl_tree,
715 offset, &conv_version,
716 &need_desegmentation);
720 /* looks like something unknown, so lump into
723 offset = tvb_length(tvb);
724 if (check_col(pinfo->cinfo, COL_INFO))
725 col_append_str(pinfo->cinfo, COL_INFO,
726 "Continuation Data");
728 /* Set the protocol column */
729 if (check_col(pinfo->cinfo, COL_PROTOCOL))
731 col_set_str(pinfo->cinfo, COL_PROTOCOL,
732 ssl_version_short_names[conv_version]);
738 /* Desegmentation return check */
739 if (need_desegmentation)
742 /* If we haven't already set the version information for
743 * this conversation, do so. */
744 if (conv_data == NULL)
746 conv_data = (void *)conv_version;
747 conversation_add_proto_data(conversation, proto_ssl, conv_data);
750 /* set up for next record in frame, if any */
751 first_record_in_frame = FALSE;
757 /*********************************************************************
759 * SSL version 3 and TLS Dissection Routines
761 *********************************************************************/
763 dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
764 proto_tree *tree, guint32 offset,
765 guint *conv_version, gboolean *need_desegmentation)
770 * uint8 major, minor;
775 * change_cipher_spec(20), alert(21), handshake(22),
776 * application_data(23), (255)
781 * ProtocolVersion version;
783 * opaque fragment[TLSPlaintext.length];
786 guint32 record_length;
790 proto_tree *ti = NULL;
791 proto_tree *ssl_record_tree = NULL;
792 guint32 available_bytes = 0;
794 available_bytes = tvb_length_remaining(tvb, offset);
797 * Can we do reassembly?
799 if (ssl_desegment && pinfo->can_desegment) {
801 * Yes - is the record header split across segment boundaries?
803 if (available_bytes < 5) {
805 * Yes. Tell the TCP dissector where the data for this
806 * message starts in the data it handed us, and how many
807 * more bytes we need, and return.
809 pinfo->desegment_offset = offset;
810 pinfo->desegment_len = 5 - available_bytes;
811 *need_desegmentation = TRUE;
817 * Get the record layer fields of interest
819 content_type = tvb_get_guint8(tvb, offset);
820 version = tvb_get_ntohs(tvb, offset + 1);
821 record_length = tvb_get_ntohs(tvb, offset + 3);
823 if (ssl_is_valid_content_type(content_type)) {
826 * Can we do reassembly?
828 if (ssl_desegment && pinfo->can_desegment) {
830 * Yes - is the record split across segment boundaries?
832 if (available_bytes < record_length + 5) {
834 * Yes. Tell the TCP dissector where the data for this
835 * message starts in the data it handed us, and how many
836 * more bytes we need, and return.
838 pinfo->desegment_offset = offset;
839 pinfo->desegment_len = (record_length + 5) - available_bytes;
840 *need_desegmentation = TRUE;
847 /* if we don't have a valid content_type, there's no sense
848 * continuing any further
850 if (check_col(pinfo->cinfo, COL_INFO))
851 col_append_str(pinfo->cinfo, COL_INFO, "Continuation Data");
853 /* Set the protocol column */
854 if (check_col(pinfo->cinfo, COL_PROTOCOL))
856 col_set_str(pinfo->cinfo, COL_PROTOCOL,
857 ssl_version_short_names[*conv_version]);
859 return offset + 5 + record_length;
863 * If GUI, fill in record layer part of tree
868 /* add the record layer subtree header */
869 ti = proto_tree_add_item(tree, hf_ssl_record, tvb,
870 offset, 5 + record_length, 0);
871 ssl_record_tree = proto_item_add_subtree(ti, ett_ssl_record);
876 /* show the one-byte content type */
877 proto_tree_add_item(ssl_record_tree, hf_ssl_record_content_type,
881 /* add the version */
882 proto_tree_add_item(ssl_record_tree, hf_ssl_record_version, tvb,
887 proto_tree_add_uint(ssl_record_tree, hf_ssl_record_length, tvb,
888 offset, 2, record_length);
889 offset += 2; /* move past length field itself */
893 /* if no GUI tree, then just skip over those fields */
899 * if we don't already have a version set for this conversation,
900 * but this message's version is authoritative (i.e., it's
901 * not client_hello, then save the version to to conversation
902 * structure and print the column version
904 next_byte = tvb_get_guint8(tvb, offset);
905 if (*conv_version == SSL_VER_UNKNOWN
906 && ssl_is_authoritative_version_message(content_type, next_byte))
908 if (version == 0x0300)
910 *conv_version = SSL_VER_SSLv3;
911 ssl_set_conv_version(pinfo, *conv_version);
913 else if (version == 0x0301)
915 *conv_version = SSL_VER_TLS;
916 ssl_set_conv_version(pinfo, *conv_version);
919 if (check_col(pinfo->cinfo, COL_PROTOCOL))
921 if (version == 0x0300)
923 col_set_str(pinfo->cinfo, COL_PROTOCOL,
924 ssl_version_short_names[SSL_VER_SSLv3]);
926 else if (version == 0x0301)
928 col_set_str(pinfo->cinfo, COL_PROTOCOL,
929 ssl_version_short_names[SSL_VER_TLS]);
933 col_set_str(pinfo->cinfo, COL_PROTOCOL,
934 ssl_version_short_names[*conv_version]);
939 * now dissect the next layer
941 switch (content_type) {
942 case SSL_ID_CHG_CIPHER_SPEC:
943 if (check_col(pinfo->cinfo, COL_INFO))
944 col_append_str(pinfo->cinfo, COL_INFO, "Change Cipher Spec");
945 dissect_ssl3_change_cipher_spec(tvb, ssl_record_tree,
946 offset, conv_version);
949 dissect_ssl3_alert(tvb, pinfo, ssl_record_tree, offset,
952 case SSL_ID_HANDSHAKE:
953 dissect_ssl3_handshake(tvb, pinfo, ssl_record_tree, offset,
954 record_length, conv_version);
956 case SSL_ID_APP_DATA:
957 if (check_col(pinfo->cinfo, COL_INFO))
958 col_append_str(pinfo->cinfo, COL_INFO, "Application Data");
961 proto_item_set_text(ssl_record_tree,
962 "%s Record Layer: Application Data",
963 ssl_version_short_names[*conv_version]);
964 proto_tree_add_item(ssl_record_tree, hf_ssl_record_appdata, tvb,
965 offset, record_length, 0);
970 /* shouldn't get here since we check above for valid types */
971 if (check_col(pinfo->cinfo, COL_INFO))
972 col_append_str(pinfo->cinfo, COL_INFO, "Bad SSLv3 Content Type");
975 offset += record_length; /* skip to end of record */
980 /* dissects the change cipher spec procotol, filling in the tree */
982 dissect_ssl3_change_cipher_spec(tvbuff_t *tvb,
983 proto_tree *tree, guint32 offset,
988 * enum { change_cipher_spec(1), (255) } type;
989 * } ChangeCipherSpec;
994 proto_item_set_text(tree,
995 "%s Record Layer: Change Cipher Spec",
996 ssl_version_short_names[*conv_version]);
997 proto_tree_add_item(tree, hf_ssl_change_cipher_spec, tvb,
1002 /* dissects the alert message, filling in the tree */
1004 dissect_ssl3_alert(tvbuff_t *tvb, packet_info *pinfo,
1005 proto_tree *tree, guint32 offset,
1006 guint *conv_version)
1010 * AlertDescription description;
1014 proto_tree *ssl_alert_tree = NULL;
1020 ti = proto_tree_add_item(tree, hf_ssl_alert_message, tvb,
1022 ssl_alert_tree = proto_item_add_subtree(ti, ett_ssl_alert);
1026 * set the record layer label
1029 /* first lookup the names for the alert level and description */
1030 byte = tvb_get_guint8(tvb, offset); /* grab the level byte */
1031 level = match_strval(byte, ssl_31_alert_level);
1033 byte = tvb_get_guint8(tvb, offset+1); /* grab the desc byte */
1034 desc = match_strval(byte, ssl_31_alert_description);
1036 /* now set the text in the record layer line */
1039 if (check_col(pinfo->cinfo, COL_INFO))
1040 col_append_fstr(pinfo->cinfo, COL_INFO,
1041 "Alert (Level: %s, Description: %s)",
1046 if (check_col(pinfo->cinfo, COL_INFO))
1047 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted Alert");
1054 proto_item_set_text(tree, "%s Record Layer: Alert "
1055 "(Level: %s, Description: %s)",
1056 ssl_version_short_names[*conv_version],
1058 proto_tree_add_item(ssl_alert_tree, hf_ssl_alert_message_level,
1059 tvb, offset++, 1, FALSE);
1061 proto_tree_add_item(ssl_alert_tree, hf_ssl_alert_message_description,
1062 tvb, offset++, 1, FALSE);
1066 proto_item_set_text(tree,
1067 "%s Record Layer: Encrypted Alert",
1068 ssl_version_short_names[*conv_version]);
1069 proto_item_set_text(ssl_alert_tree,
1070 "Alert Message: Encrypted Alert");
1076 /* dissects the handshake protocol, filling the tree */
1078 dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
1079 proto_tree *tree, guint32 offset,
1080 guint32 record_length, guint *conv_version)
1083 * HandshakeType msg_type;
1085 * select (HandshakeType) {
1086 * case hello_request: HelloRequest;
1087 * case client_hello: ClientHello;
1088 * case server_hello: ServerHello;
1089 * case certificate: Certificate;
1090 * case server_key_exchange: ServerKeyExchange;
1091 * case certificate_request: CertificateRequest;
1092 * case server_hello_done: ServerHelloDone;
1093 * case certificate_verify: CertificateVerify;
1094 * case client_key_exchange: ClientKeyExchange;
1095 * case finished: Finished;
1099 proto_tree *ti = NULL;
1100 proto_tree *ssl_hand_tree = NULL;
1101 gchar *msg_type_str = NULL;
1104 gboolean first_iteration = TRUE;
1107 /* just as there can be multiple records per packet, there
1108 * can be multiple messages per record as long as they have
1109 * the same content type
1111 * we really only care about this for handshake messages
1114 /* set record_length to the max offset */
1115 record_length += offset;
1116 while (offset < record_length)
1118 msg_type = tvb_get_guint8(tvb, offset);
1119 msg_type_str = match_strval(msg_type, ssl_31_handshake_type);
1120 length = tvb_get_ntoh24(tvb, offset + 1);
1122 if (!msg_type_str && !first_iteration)
1124 /* only dissect / report messages if they're
1125 * either the first message in this record
1126 * or they're a valid message type
1131 /* on second and later iterations, add comma to info col */
1132 if (!first_iteration)
1134 if (check_col(pinfo->cinfo, COL_INFO))
1135 col_append_fstr(pinfo->cinfo, COL_INFO, ", ");
1139 * Update our info string
1141 if (check_col(pinfo->cinfo, COL_INFO))
1142 col_append_fstr(pinfo->cinfo, COL_INFO, "%s", (msg_type_str != NULL)
1143 ? msg_type_str : "Encrypted Handshake Message");
1147 /* set the label text on the record layer expanding node */
1148 if (first_iteration)
1150 proto_item_set_text(tree, "%s Record Layer: %s",
1151 ssl_version_short_names[*conv_version],
1152 (msg_type_str!=NULL) ? msg_type_str :
1153 "Encrypted Handshake Message");
1157 proto_item_set_text(tree, "%s Record Layer: %s",
1158 ssl_version_short_names[*conv_version],
1159 "Multiple Handshake Messages");
1162 /* add a subtree for the handshake protocol */
1163 ti = proto_tree_add_item(tree, hf_ssl_handshake_protocol, tvb,
1164 offset, length + 4, 0);
1165 ssl_hand_tree = proto_item_add_subtree(ti, ett_ssl_handshake);
1169 /* set the text label on the subtree node */
1170 proto_item_set_text(ssl_hand_tree, "Handshake Protocol: %s",
1171 (msg_type_str != NULL) ? msg_type_str :
1172 "Encrypted Handshake Message");
1176 /* if we don't have a valid handshake type, just quit dissecting */
1184 /* add nodes for the message type and message length */
1185 proto_tree_add_item(ssl_hand_tree, hf_ssl_handshake_type,
1186 tvb, offset, 1, msg_type);
1188 proto_tree_add_uint(ssl_hand_tree, hf_ssl_handshake_length,
1189 tvb, offset, 3, length);
1192 /* now dissect the handshake message, if necessary */
1194 case SSL_HND_HELLO_REQUEST:
1195 /* hello_request has no fields, so nothing to do! */
1198 case SSL_HND_CLIENT_HELLO:
1199 dissect_ssl3_hnd_cli_hello(tvb, ssl_hand_tree, offset);
1202 case SSL_HND_SERVER_HELLO:
1203 dissect_ssl3_hnd_srv_hello(tvb, ssl_hand_tree, offset);
1206 case SSL_HND_CERTIFICATE:
1207 dissect_ssl3_hnd_cert(tvb, ssl_hand_tree, offset);
1210 case SSL_HND_CERT_REQUEST:
1211 dissect_ssl3_hnd_cert_req(tvb, ssl_hand_tree, offset);
1214 case SSL_HND_SVR_HELLO_DONE:
1215 /* server_hello_done has no fields, so nothing to do! */
1218 case SSL_HND_FINISHED:
1219 dissect_ssl3_hnd_finished(tvb, ssl_hand_tree,
1220 offset, conv_version);
1223 case SSL_HND_SERVER_KEY_EXCHG:
1224 case SSL_HND_CERT_VERIFY:
1225 case SSL_HND_CLIENT_KEY_EXCHG:
1233 offset += 4; /* skip the handshake header */
1236 first_iteration = FALSE; /* set up for next pass, if any */
1241 dissect_ssl3_hnd_hello_common(tvbuff_t *tvb, proto_tree *tree,
1244 /* show the client's random challenge */
1245 guint32 initial_offset = offset;
1246 nstime_t gmt_unix_time;
1247 guint8 session_id_length = 0;
1252 gmt_unix_time.secs = tvb_get_ntohl(tvb, offset);
1253 gmt_unix_time.nsecs = 0;
1254 proto_tree_add_time(tree, hf_ssl_handshake_random_time,
1255 tvb, offset, 4, &gmt_unix_time);
1258 /* show the random bytes */
1259 proto_tree_add_item(tree, hf_ssl_handshake_random_bytes,
1260 tvb, offset, 28, 0);
1263 /* show the session id */
1264 session_id_length = tvb_get_guint8(tvb, offset);
1265 proto_tree_add_item(tree, hf_ssl_handshake_session_id_len,
1266 tvb, offset++, 1, 0);
1267 if (session_id_length > 0)
1269 proto_tree_add_bytes_format(tree, hf_ssl_handshake_session_id,
1270 tvb, offset, session_id_length,
1271 tvb_get_ptr(tvb, offset, session_id_length),
1272 "Session ID (%u byte%s)",
1274 plurality(session_id_length, "", "s"));
1275 offset += session_id_length;
1279 return offset - initial_offset;
1283 dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb,
1284 proto_tree *tree, guint32 offset)
1287 * ProtocolVersion client_version;
1289 * SessionID session_id;
1290 * CipherSuite cipher_suites<2..2^16-1>;
1291 * CompressionMethod compression_methods<1..2^8-1>;
1296 proto_tree *cs_tree;
1297 guint16 cipher_suite_length = 0;
1298 guint8 compression_methods_length = 0;
1299 guint8 compression_method;
1303 /* show the client version */
1304 proto_tree_add_item(tree, hf_ssl_handshake_client_version, tvb,
1308 /* show the fields in common with server hello */
1309 offset += dissect_ssl3_hnd_hello_common(tvb, tree, offset);
1311 /* tell the user how many cipher suites there are */
1312 cipher_suite_length = tvb_get_ntohs(tvb, offset);
1313 proto_tree_add_uint(tree, hf_ssl_handshake_cipher_suites_len,
1314 tvb, offset, 2, cipher_suite_length);
1315 offset += 2; /* skip opaque length */
1317 if (cipher_suite_length > 0)
1319 ti = proto_tree_add_none_format(tree,
1320 hf_ssl_handshake_cipher_suites,
1321 tvb, offset, cipher_suite_length,
1322 "Cipher Suites (%u suite%s)",
1323 cipher_suite_length / 2,
1324 plurality(cipher_suite_length/2, "", "s"));
1326 /* make this a subtree */
1327 cs_tree = proto_item_add_subtree(ti, ett_ssl_cipher_suites);
1330 cs_tree = tree; /* failsafe */
1333 while (cipher_suite_length > 0)
1335 proto_tree_add_item(cs_tree, hf_ssl_handshake_cipher_suite,
1336 tvb, offset, 2, FALSE);
1338 cipher_suite_length -= 2;
1342 /* tell the user how man compression methods there are */
1343 compression_methods_length = tvb_get_guint8(tvb, offset);
1344 proto_tree_add_uint(tree, hf_ssl_handshake_comp_methods_len,
1345 tvb, offset, 1, compression_methods_length);
1348 if (compression_methods_length > 0)
1350 ti = proto_tree_add_none_format(tree,
1351 hf_ssl_handshake_comp_methods,
1352 tvb, offset, compression_methods_length,
1353 "Compression Methods (%u method%s)",
1354 compression_methods_length,
1355 plurality(compression_methods_length,
1358 /* make this a subtree */
1359 cs_tree = proto_item_add_subtree(ti, ett_ssl_comp_methods);
1362 cs_tree = tree; /* failsafe */
1365 while (compression_methods_length > 0)
1367 compression_method = tvb_get_guint8(tvb, offset);
1368 if (compression_method < 64)
1369 proto_tree_add_uint(cs_tree, hf_ssl_handshake_comp_method,
1370 tvb, offset, 1, compression_method);
1371 else if (compression_method > 63 && compression_method < 193)
1372 proto_tree_add_text(cs_tree, tvb, offset, 1,
1373 "Compression Method: Reserved - to be assigned by IANA (%u)",
1374 compression_method);
1376 proto_tree_add_text(cs_tree, tvb, offset, 1,
1377 "Compression Method: Private use range (%u)",
1378 compression_method);
1380 compression_methods_length--;
1387 dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb,
1388 proto_tree *tree, guint32 offset)
1391 * ProtocolVersion server_version;
1393 * SessionID session_id;
1394 * CipherSuite cipher_suite;
1395 * CompressionMethod compression_method;
1401 /* show the server version */
1402 proto_tree_add_item(tree, hf_ssl_handshake_server_version, tvb,
1406 /* first display the elements conveniently in
1407 * common with client hello
1409 offset += dissect_ssl3_hnd_hello_common(tvb, tree, offset);
1411 /* now the server-selected cipher suite */
1412 proto_tree_add_item(tree, hf_ssl_handshake_cipher_suite,
1413 tvb, offset, 2, FALSE);
1416 /* and the server-selected compression method */
1417 proto_tree_add_item(tree, hf_ssl_handshake_comp_method,
1418 tvb, offset, 1, FALSE);
1423 dissect_ssl3_hnd_cert(tvbuff_t *tvb,
1424 proto_tree *tree, guint32 offset)
1427 /* opaque ASN.1Cert<2^24-1>;
1430 * ASN.1Cert certificate_list<1..2^24-1>;
1433 guint32 certificate_list_length;
1435 proto_tree *subtree;
1439 certificate_list_length = tvb_get_ntoh24(tvb, offset);
1440 proto_tree_add_uint(tree, hf_ssl_handshake_certificates_len,
1441 tvb, offset, 3, certificate_list_length);
1442 offset += 3; /* 24-bit length value */
1444 if (certificate_list_length > 0)
1446 ti = proto_tree_add_none_format(tree,
1447 hf_ssl_handshake_certificates,
1448 tvb, offset, certificate_list_length,
1449 "Certificates (%u byte%s)",
1450 certificate_list_length,
1451 plurality(certificate_list_length,
1454 /* make it a subtree */
1455 subtree = proto_item_add_subtree(ti, ett_ssl_certs);
1458 subtree = tree; /* failsafe */
1461 /* iterate through each certificate */
1462 while (certificate_list_length > 0)
1464 /* get the length of the current certificate */
1465 guint32 cert_length = tvb_get_ntoh24(tvb, offset);
1466 certificate_list_length -= 3 + cert_length;
1468 proto_tree_add_item(subtree, hf_ssl_handshake_certificate_len,
1469 tvb, offset, 3, FALSE);
1472 proto_tree_add_bytes_format(subtree,
1473 hf_ssl_handshake_certificate,
1474 tvb, offset, cert_length,
1475 tvb_get_ptr(tvb, offset, cert_length),
1476 "Certificate (%u byte%s)",
1478 plurality(cert_length, "", "s"));
1479 offset += cert_length;
1487 dissect_ssl3_hnd_cert_req(tvbuff_t *tvb,
1488 proto_tree *tree, guint32 offset)
1492 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
1494 * } ClientCertificateType;
1496 * opaque DistinguishedName<1..2^16-1>;
1499 * ClientCertificateType certificate_types<1..2^8-1>;
1500 * DistinguishedName certificate_authorities<3..2^16-1>;
1501 * } CertificateRequest;
1505 proto_tree *subtree;
1506 guint8 cert_types_count = 0;
1507 int dnames_length = 0;
1511 cert_types_count = tvb_get_guint8(tvb, offset);
1512 proto_tree_add_uint(tree, hf_ssl_handshake_cert_types_count,
1513 tvb, offset, 1, cert_types_count);
1516 if (cert_types_count > 0)
1518 ti = proto_tree_add_none_format(tree,
1519 hf_ssl_handshake_cert_types,
1520 tvb, offset, cert_types_count,
1521 "Certificate types (%u type%s)",
1523 plurality(cert_types_count, "", "s"));
1524 subtree = proto_item_add_subtree(ti, ett_ssl_cert_types);
1530 while (cert_types_count > 0)
1532 proto_tree_add_item(subtree, hf_ssl_handshake_cert_type,
1533 tvb, offset, 1, FALSE);
1539 dnames_length = tvb_get_ntohs(tvb, offset);
1540 proto_tree_add_uint(tree, hf_ssl_handshake_dnames_len,
1541 tvb, offset, 2, dnames_length);
1544 if (dnames_length > 0)
1546 ti = proto_tree_add_none_format(tree,
1547 hf_ssl_handshake_dnames,
1548 tvb, offset, dnames_length,
1549 "Distinguished Names (%d byte%s)",
1551 plurality(dnames_length, "", "s"));
1552 subtree = proto_item_add_subtree(ti, ett_ssl_dnames);
1558 while (dnames_length > 0)
1560 /* get the length of the current certificate */
1561 guint16 name_length = tvb_get_ntohs(tvb, offset);
1562 dnames_length -= 2 + name_length;
1564 proto_tree_add_item(subtree, hf_ssl_handshake_dname_len,
1565 tvb, offset, 2, FALSE);
1568 proto_tree_add_bytes_format(subtree,
1569 hf_ssl_handshake_dname,
1570 tvb, offset, name_length,
1571 tvb_get_ptr(tvb, offset, name_length),
1572 "Distinguished Name (%u byte%s)",
1574 plurality(name_length, "", "s"));
1575 offset += name_length;
1583 dissect_ssl3_hnd_finished(tvbuff_t *tvb,
1584 proto_tree *tree, guint32 offset,
1585 guint *conv_version)
1589 * opaque verify_data[12];
1594 * opaque md5_hash[16];
1595 * opaque sha_hash[20];
1599 /* this all needs a tree, so bail if we don't have one */
1605 switch(*conv_version) {
1607 proto_tree_add_item(tree, hf_ssl_handshake_finished,
1608 tvb, offset, 12, FALSE);
1612 proto_tree_add_item(tree, hf_ssl_handshake_md5_hash,
1613 tvb, offset, 16, FALSE);
1615 proto_tree_add_item(tree, hf_ssl_handshake_sha_hash,
1616 tvb, offset, 20, FALSE);
1622 /*********************************************************************
1624 * SSL version 2 Dissectors
1626 *********************************************************************/
1629 /* record layer dissector */
1631 dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
1632 guint32 offset, guint *conv_version,
1633 gboolean *need_desegmentation)
1635 guint32 initial_offset = offset;
1637 guint8 record_length_length = 0;
1638 guint32 record_length = 0;
1639 gint is_escape = -1;
1640 gint16 padding_length = -1;
1641 guint8 msg_type = 0;
1642 gchar *msg_type_str = NULL;
1643 guint32 available_bytes = 0;
1646 proto_tree *ssl_record_tree = NULL;
1648 /* pull first byte; if high bit is set, then record
1649 * length is three bytes due to padding; otherwise
1650 * record length is two bytes
1652 byte = tvb_get_guint8(tvb, offset);
1653 record_length_length = (byte & 0x80) ? 2 : 3;
1656 * Can we do reassembly?
1658 available_bytes = tvb_length_remaining(tvb, offset);
1660 if (ssl_desegment && pinfo->can_desegment) {
1662 * Yes - is the record header split across segment boundaries?
1664 if (available_bytes < record_length_length) {
1666 * Yes. Tell the TCP dissector where the data for this
1667 * message starts in the data it handed us, and how many
1668 * more bytes we need, and return.
1670 pinfo->desegment_offset = offset;
1671 pinfo->desegment_len = record_length_length - available_bytes;
1672 *need_desegmentation = TRUE;
1677 /* parse out the record length */
1678 switch(record_length_length) {
1679 case 2: /* two-byte record length */
1680 record_length = (byte & 0x7f) << 8;
1681 byte = tvb_get_guint8(tvb, offset + 1);
1682 record_length += byte;
1684 case 3: /* three-byte record length */
1685 is_escape = (byte & 0x40) ? TRUE : FALSE;
1686 record_length = (byte & 0x3f) << 8;
1687 byte = tvb_get_guint8(tvb, offset + 1);
1688 record_length += byte;
1689 byte = tvb_get_guint8(tvb, offset + 2);
1690 padding_length = byte;
1694 * Can we do reassembly?
1696 if (ssl_desegment && pinfo->can_desegment) {
1698 * Yes - is the record split across segment boundaries?
1700 if (available_bytes < (record_length_length + record_length)) {
1702 * Yes. Tell the TCP dissector where the data for this
1703 * message starts in the data it handed us, and how many
1704 * more bytes we need, and return.
1706 pinfo->desegment_offset = offset;
1707 pinfo->desegment_len = (record_length_length + record_length)
1709 *need_desegmentation = TRUE;
1713 offset += record_length_length;
1715 /* add the record layer subtree header */
1716 ti = proto_tree_add_item(tree, hf_ssl2_record, tvb, initial_offset,
1717 record_length_length + record_length, 0);
1718 ssl_record_tree = proto_item_add_subtree(ti, ett_ssl_record);
1720 /* pull the msg_type so we can bail if it's unknown */
1721 msg_type = tvb_get_guint8(tvb, initial_offset + record_length_length);
1723 /* if we get a server_hello or later handshake in v2, then set
1726 if (*conv_version == SSL_VER_UNKNOWN)
1728 if (ssl_looks_like_valid_pct_handshake(tvb,
1730 record_length_length),
1732 *conv_version = SSL_VER_PCT;
1733 ssl_set_conv_version(pinfo, *conv_version);
1735 else if (msg_type >= 2 && msg_type <= 8)
1737 *conv_version = SSL_VER_SSLv2;
1738 ssl_set_conv_version(pinfo, *conv_version);
1742 /* if we get here, but don't have a version set for the
1743 * conversation, then set a version for just this frame
1744 * (e.g., on a client hello)
1746 if (check_col(pinfo->cinfo, COL_PROTOCOL))
1748 col_set_str(pinfo->cinfo, COL_PROTOCOL,
1749 (*conv_version == SSL_VER_PCT) ? "PCT" : "SSLv2");
1752 /* see if the msg_type is valid; if not the payload is
1753 * probably encrypted, so note that fact and bail
1755 msg_type_str = match_strval(msg_type,
1756 (*conv_version == SSL_VER_PCT)
1757 ? pct_msg_types : ssl_20_msg_types);
1759 || ((*conv_version != SSL_VER_PCT) &&
1760 !ssl_looks_like_valid_v2_handshake(tvb, initial_offset
1761 + record_length_length,
1763 || ((*conv_version == SSL_VER_PCT) &&
1764 !ssl_looks_like_valid_pct_handshake(tvb, initial_offset
1765 + record_length_length,
1768 if (ssl_record_tree)
1770 proto_item_set_text(ssl_record_tree, "%s Record Layer: %s",
1771 (*conv_version == SSL_VER_PCT)
1775 if (check_col(pinfo->cinfo, COL_INFO))
1776 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted Data");
1777 return initial_offset + record_length_length + record_length;
1781 if (check_col(pinfo->cinfo, COL_INFO))
1782 col_append_str(pinfo->cinfo, COL_INFO, msg_type_str);
1784 if (ssl_record_tree)
1786 proto_item_set_text(ssl_record_tree, "%s Record Layer: %s",
1787 (*conv_version == SSL_VER_PCT)
1793 /* We have a valid message type, so move foward, filling in the
1794 * tree by adding the length, is_escape boolean and padding_length,
1795 * if present in the original packet
1797 if (ssl_record_tree)
1799 /* add the record length */
1800 ti = proto_tree_add_uint (ssl_record_tree,
1801 hf_ssl_record_length, tvb,
1802 initial_offset, record_length_length,
1805 if (ssl_record_tree && is_escape != -1)
1807 proto_tree_add_boolean(ssl_record_tree,
1808 hf_ssl2_record_is_escape, tvb,
1809 initial_offset, 1, is_escape);
1811 if (ssl_record_tree && padding_length != -1)
1813 proto_tree_add_uint(ssl_record_tree,
1814 hf_ssl2_record_padding_length, tvb,
1815 initial_offset + 2, 1, padding_length);
1819 * dissect the record data
1822 /* jump forward to the start of the record data */
1823 offset = initial_offset + record_length_length;
1825 /* add the message type */
1826 if (ssl_record_tree)
1828 proto_tree_add_item(ssl_record_tree,
1829 (*conv_version == SSL_VER_PCT)
1830 ? hf_pct_msg_type : hf_ssl2_msg_type,
1833 offset++; /* move past msg_type byte */
1835 if (*conv_version != SSL_VER_PCT)
1837 /* dissect the message (only handle client hello right now) */
1839 case SSL2_HND_CLIENT_HELLO:
1840 dissect_ssl2_hnd_client_hello(tvb, ssl_record_tree, offset);
1843 case SSL2_HND_CLIENT_MASTER_KEY:
1844 dissect_ssl2_hnd_client_master_key(tvb, ssl_record_tree, offset);
1847 case SSL2_HND_SERVER_HELLO:
1848 dissect_ssl2_hnd_server_hello(tvb, ssl_record_tree, offset);
1851 case SSL2_HND_ERROR:
1852 case SSL2_HND_CLIENT_FINISHED:
1853 case SSL2_HND_SERVER_VERIFY:
1854 case SSL2_HND_SERVER_FINISHED:
1855 case SSL2_HND_REQUEST_CERTIFICATE:
1856 case SSL2_HND_CLIENT_CERTIFICATE:
1860 default: /* unknown */
1866 /* dissect the message */
1868 case PCT_MSG_CLIENT_HELLO:
1869 case PCT_MSG_SERVER_HELLO:
1870 case PCT_MSG_CLIENT_MASTER_KEY:
1871 case PCT_MSG_SERVER_VERIFY:
1876 default: /* unknown */
1880 return (initial_offset + record_length_length + record_length);
1884 dissect_ssl2_hnd_client_hello(tvbuff_t *tvb,
1885 proto_tree *tree, guint32 offset)
1890 * uint16 cipher_spec_length;
1891 * uint16 session_id_length;
1892 * uint16 challenge_length;
1893 * V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length];
1894 * opaque session_id[V2ClientHello.session_id_length];
1898 * Note: when we get here, offset's already pointing at Version
1902 guint16 cipher_spec_length;
1903 guint16 session_id_length;
1904 guint16 challenge_length;
1907 proto_tree *cs_tree;
1909 version = tvb_get_ntohs(tvb, offset);
1910 if (!ssl_is_valid_ssl_version(version))
1912 /* invalid version; probably encrypted data */
1918 /* show the version */
1919 proto_tree_add_item(tree, hf_ssl_record_version, tvb,
1923 cipher_spec_length = tvb_get_ntohs(tvb, offset);
1924 proto_tree_add_item(tree, hf_ssl2_handshake_cipher_spec_len,
1925 tvb, offset, 2, FALSE);
1928 session_id_length = tvb_get_ntohs(tvb, offset);
1929 proto_tree_add_item(tree, hf_ssl2_handshake_session_id_len,
1930 tvb, offset, 2, FALSE);
1933 challenge_length = tvb_get_ntohs(tvb, offset);
1934 proto_tree_add_item(tree, hf_ssl2_handshake_challenge_len,
1935 tvb, offset, 2, FALSE);
1938 /* tell the user how many cipher specs they've won */
1939 ti = proto_tree_add_none_format(tree, hf_ssl_handshake_cipher_suites,
1940 tvb, offset, cipher_spec_length,
1941 "Cipher Specs (%u specs)",
1942 cipher_spec_length/3);
1944 /* make this a subtree and expand the actual specs below */
1945 cs_tree = proto_item_add_subtree(ti, ett_ssl_cipher_suites);
1948 cs_tree = tree; /* failsafe */
1951 /* iterate through the cipher specs, showing them */
1952 while (cipher_spec_length > 0)
1954 proto_tree_add_item(cs_tree, hf_ssl2_handshake_cipher_spec,
1955 tvb, offset, 3, FALSE);
1956 offset += 3; /* length of one cipher spec */
1957 cipher_spec_length -= 3;
1960 /* if there's a session id, show it */
1961 if (session_id_length > 0)
1963 proto_tree_add_bytes_format(tree,
1964 hf_ssl_handshake_session_id,
1965 tvb, offset, session_id_length,
1966 tvb_get_ptr(tvb, offset, session_id_length),
1967 "Session ID (%u byte%s)",
1969 plurality(session_id_length, "", "s"));
1971 offset += session_id_length;
1974 /* if there's a challenge, show it */
1975 if (challenge_length > 0)
1977 proto_tree_add_item(tree, hf_ssl2_handshake_challenge,
1978 tvb, offset, challenge_length, 0);
1979 offset += challenge_length;
1985 dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb,
1986 proto_tree *tree, guint32 offset)
1990 * V2Cipherspec cipher;
1991 * uint16 clear_key_length;
1992 * uint16 encrypted_key_length;
1993 * uint16 key_arg_length;
1994 * opaque clear_key_data[V2ClientMasterKey.clear_key_length];
1995 * opaque encrypted_key_data[V2ClientMasterKey.encrypted_key_length];
1996 * opaque key_arg_data[V2ClientMasterKey.key_arg_length];
1997 * } V2ClientMasterKey;
1999 * Note: when we get here, offset's already pointing at cipher
2001 guint16 clear_key_length;
2002 guint16 encrypted_key_length;
2003 guint16 key_arg_length;
2005 /* at this point, everything we do involves the tree,
2006 * so quit now if we don't have one ;-)
2013 /* show the selected cipher */
2014 proto_tree_add_item(tree, hf_ssl2_handshake_cipher_spec,
2015 tvb, offset, 3, FALSE);
2018 /* get the fixed fields */
2019 clear_key_length = tvb_get_ntohs(tvb, offset);
2020 proto_tree_add_item(tree, hf_ssl2_handshake_clear_key_len,
2021 tvb, offset, 2, FALSE);
2024 encrypted_key_length = tvb_get_ntohs(tvb, offset);
2025 proto_tree_add_item(tree, hf_ssl2_handshake_enc_key_len,
2026 tvb, offset, 2, FALSE);
2029 key_arg_length = tvb_get_ntohs(tvb, offset);
2030 proto_tree_add_item(tree, hf_ssl2_handshake_key_arg_len,
2031 tvb, offset, 2, FALSE);
2034 /* show the variable length fields */
2035 if (clear_key_length > 0)
2037 proto_tree_add_item(tree, hf_ssl2_handshake_clear_key,
2038 tvb, offset, clear_key_length, FALSE);
2039 offset += clear_key_length;
2042 if (encrypted_key_length > 0)
2044 proto_tree_add_item(tree, hf_ssl2_handshake_enc_key,
2045 tvb, offset, encrypted_key_length, FALSE);
2046 offset += encrypted_key_length;
2049 if (key_arg_length > 0)
2051 proto_tree_add_item(tree, hf_ssl2_handshake_key_arg,
2052 tvb, offset, key_arg_length, FALSE);
2053 offset += key_arg_length;
2059 dissect_ssl2_hnd_server_hello(tvbuff_t *tvb,
2060 proto_tree *tree, guint32 offset)
2064 * uint8 session_id_hit;
2065 * uint8 certificate_type;
2066 * uint16 server_version;
2067 * uint16 certificate_length;
2068 * uint16 cipher_specs_length;
2069 * uint16 connection_id_length;
2070 * opaque certificate_data[V2ServerHello.certificate_length];
2071 * opaque cipher_specs_data[V2ServerHello.cipher_specs_length];
2072 * opaque connection_id_data[V2ServerHello.connection_id_length];
2075 * Note: when we get here, offset's already pointing at session_id_hit
2077 guint16 certificate_length;
2078 guint16 cipher_spec_length;
2079 guint16 connection_id_length;
2082 proto_tree *subtree;
2084 /* everything we do only makes sense with a tree, so
2085 * quit now if we don't have one
2092 version = tvb_get_ntohs(tvb, offset + 2);
2093 if (!ssl_is_valid_ssl_version(version))
2095 /* invalid version; probably encrypted data */
2100 /* is there a hit? */
2101 proto_tree_add_item(tree, hf_ssl2_handshake_session_id_hit,
2102 tvb, offset, 1, FALSE);
2105 /* what type of certificate is this? */
2106 proto_tree_add_item(tree, hf_ssl2_handshake_cert_type,
2107 tvb, offset, 1, FALSE);
2110 /* now the server version */
2111 proto_tree_add_item(tree, hf_ssl_handshake_server_version,
2112 tvb, offset, 2, FALSE);
2115 /* get the fixed fields */
2116 certificate_length = tvb_get_ntohs(tvb, offset);
2117 proto_tree_add_uint(tree, hf_ssl_handshake_certificate_len,
2118 tvb, offset, 2, certificate_length);
2121 cipher_spec_length = tvb_get_ntohs(tvb, offset);
2122 proto_tree_add_uint(tree, hf_ssl2_handshake_cipher_spec_len,
2123 tvb, offset, 2, cipher_spec_length);
2126 connection_id_length = tvb_get_ntohs(tvb, offset);
2127 proto_tree_add_uint(tree, hf_ssl2_handshake_connection_id_len,
2128 tvb, offset, 2, connection_id_length);
2131 /* now the variable length fields */
2132 if (certificate_length > 0)
2134 proto_tree_add_bytes_format(tree, hf_ssl_handshake_certificate,
2135 tvb, offset, certificate_length,
2136 tvb_get_ptr(tvb, offset, certificate_length),
2137 "Certificate (%u byte%s)",
2139 plurality(certificate_length, "", "s"));
2140 offset += certificate_length;
2143 if (cipher_spec_length > 0)
2145 /* provide a collapsing node for the cipher specs */
2146 ti = proto_tree_add_none_format(tree,
2147 hf_ssl_handshake_cipher_suites,
2148 tvb, offset, cipher_spec_length,
2149 "Cipher Specs (%u spec%s)",
2150 cipher_spec_length/3,
2151 plurality(cipher_spec_length/3, "", "s"));
2152 subtree = proto_item_add_subtree(ti, ett_ssl_cipher_suites);
2158 /* iterate through the cipher specs */
2159 while (cipher_spec_length > 0)
2161 proto_tree_add_item(subtree, hf_ssl2_handshake_cipher_spec,
2162 tvb, offset, 3, FALSE);
2164 cipher_spec_length -= 3;
2168 if (connection_id_length > 0)
2170 proto_tree_add_item(tree, hf_ssl2_handshake_connection_id,
2171 tvb, offset, connection_id_length, FALSE);
2172 offset += connection_id_length;
2180 /*********************************************************************
2184 *********************************************************************/
2187 ssl_set_conv_version(packet_info *pinfo, guint version)
2189 conversation_t *conversation;
2191 if (pinfo->fd->flags.visited)
2193 /* We've already processed this frame; no need to do any more
2199 conversation = find_conversation(&pinfo->src, &pinfo->dst, pinfo->ptype,
2200 pinfo->srcport, pinfo->destport, 0);
2202 if (conversation == NULL)
2204 /* create a new conversation */
2205 conversation = conversation_new(&pinfo->src, &pinfo->dst, pinfo->ptype,
2206 pinfo->srcport, pinfo->destport, 0);
2209 if (conversation_get_proto_data(conversation, proto_ssl) != NULL)
2211 /* get rid of the current data */
2212 conversation_delete_proto_data(conversation, proto_ssl);
2214 conversation_add_proto_data(conversation, proto_ssl, (void *)version);
2218 ssl_is_valid_handshake_type(guint8 type)
2222 case SSL_HND_HELLO_REQUEST:
2223 case SSL_HND_CLIENT_HELLO:
2224 case SSL_HND_SERVER_HELLO:
2225 case SSL_HND_CERTIFICATE:
2226 case SSL_HND_SERVER_KEY_EXCHG:
2227 case SSL_HND_CERT_REQUEST:
2228 case SSL_HND_SVR_HELLO_DONE:
2229 case SSL_HND_CERT_VERIFY:
2230 case SSL_HND_CLIENT_KEY_EXCHG:
2231 case SSL_HND_FINISHED:
2238 ssl_is_valid_content_type(guint8 type)
2240 if (type >= 0x14 && type <= 0x17)
2249 ssl_is_valid_ssl_version(guint16 version)
2251 gchar *version_str = match_strval(version, ssl_versions);
2252 return version_str != NULL;
2256 ssl_is_authoritative_version_message(guint8 content_type,
2259 if (content_type == SSL_ID_HANDSHAKE
2260 && ssl_is_valid_handshake_type(next_byte))
2262 return (next_byte != SSL_HND_CLIENT_HELLO);
2264 else if (ssl_is_valid_content_type(content_type)
2265 && content_type != SSL_ID_HANDSHAKE)
2273 ssl_is_v2_client_hello(tvbuff_t *tvb, guint32 offset)
2277 byte = tvb_get_guint8(tvb, offset);
2278 if (byte != 0x80) /* v2 client hello should start this way */
2283 byte = tvb_get_guint8(tvb, offset+2);
2284 if (byte != 0x01) /* v2 client hello msg type */
2289 /* 1 in 2^16 of being right; improve later if necessary */
2293 /* this applies a heuristic to determine whether
2294 * or not the data beginning at offset looks like a
2295 * valid sslv2 record. this isn't really possible,
2296 * but we'll try to do a reasonable job anyway.
2299 ssl_looks_like_sslv2(tvbuff_t *tvb, guint32 offset)
2301 /* here's the current approach:
2303 * we only try to catch unencrypted handshake messages, so we can
2304 * assume that there is not padding. This means that the
2305 * first byte must be >= 0x80 and there must be a valid sslv2
2306 * msg_type in the third byte
2309 /* get the first byte; must have high bit set */
2310 guint8 byte = tvb_get_guint8(tvb, offset);
2316 /* get the supposed msg_type byte; since we only care about
2317 * unencrypted handshake messages (we can't tell the type for
2318 * encrypted messages), we just check against that list
2320 byte = tvb_get_guint8(tvb, offset + 2);
2322 case SSL2_HND_ERROR:
2323 case SSL2_HND_CLIENT_HELLO:
2324 case SSL2_HND_CLIENT_MASTER_KEY:
2325 case SSL2_HND_SERVER_HELLO:
2326 case PCT_MSG_CLIENT_MASTER_KEY:
2333 /* this applies a heuristic to determine whether
2334 * or not the data beginning at offset looks like a
2335 * valid sslv3 record. this is somewhat more reliable
2336 * than sslv2 due to the structure of the v3 protocol
2339 ssl_looks_like_sslv3(tvbuff_t *tvb, guint32 offset)
2341 /* have to have a valid content type followed by a valid
2347 /* see if the first byte is a valid content type */
2348 byte = tvb_get_guint8(tvb, offset);
2349 if (!ssl_is_valid_content_type(byte))
2354 /* now check to see if the version byte appears valid */
2355 version = tvb_get_ntohs(tvb, offset + 1);
2356 if (version != 0x0300 && version != 0x0301)
2364 /* applies a heuristic to determine whether
2365 * or not the data beginning at offset looks
2366 * like a valid, unencrypted v2 handshake message.
2367 * since it isn't possible to completely tell random
2368 * data apart from a valid message without state,
2369 * we try to help the odds.
2372 ssl_looks_like_valid_v2_handshake(tvbuff_t *tvb, guint32 offset,
2373 guint32 record_length)
2375 /* first byte should be a msg_type.
2377 * - we know we only see client_hello, client_master_key,
2378 * and server_hello in the clear, so check to see if
2379 * msg_type is one of those (this gives us a 3 in 2^8
2380 * chance of saying yes with random payload)
2382 * - for those three types that we know about, do some
2383 * further validation to reduce the chance of an error
2389 /* fetch the msg_type */
2390 msg_type = tvb_get_guint8(tvb, offset);
2393 case SSL2_HND_CLIENT_HELLO:
2394 /* version follows msg byte, so verify that this is valid */
2395 version = tvb_get_ntohs(tvb, offset+1);
2396 return ssl_is_valid_ssl_version(version);
2399 case SSL2_HND_SERVER_HELLO:
2400 /* version is three bytes after msg_type */
2401 version = tvb_get_ntohs(tvb, offset+3);
2402 return ssl_is_valid_ssl_version(version);
2405 case SSL2_HND_CLIENT_MASTER_KEY:
2406 /* sum of clear_key_length, encrypted_key_length, and key_arg_length
2407 * must be less than record length
2409 sum = tvb_get_ntohs(tvb, offset + 4); /* clear_key_length */
2410 sum += tvb_get_ntohs(tvb, offset + 6); /* encrypted_key_length */
2411 sum += tvb_get_ntohs(tvb, offset + 8); /* key_arg_length */
2412 if (sum > record_length)
2425 /* applies a heuristic to determine whether
2426 * or not the data beginning at offset looks
2427 * like a valid, unencrypted v2 handshake message.
2428 * since it isn't possible to completely tell random
2429 * data apart from a valid message without state,
2430 * we try to help the odds.
2433 ssl_looks_like_valid_pct_handshake(tvbuff_t *tvb, guint32 offset,
2434 guint32 record_length)
2436 /* first byte should be a msg_type.
2438 * - we know we only see client_hello, client_master_key,
2439 * and server_hello in the clear, so check to see if
2440 * msg_type is one of those (this gives us a 3 in 2^8
2441 * chance of saying yes with random payload)
2443 * - for those three types that we know about, do some
2444 * further validation to reduce the chance of an error
2450 /* fetch the msg_type */
2451 msg_type = tvb_get_guint8(tvb, offset);
2454 case PCT_MSG_CLIENT_HELLO:
2455 /* version follows msg byte, so verify that this is valid */
2456 version = tvb_get_ntohs(tvb, offset+1);
2457 return version == PCT_VERSION_1;
2460 case PCT_MSG_SERVER_HELLO:
2461 /* version is one byte after msg_type */
2462 version = tvb_get_ntohs(tvb, offset+2);
2463 return version == PCT_VERSION_1;
2466 case PCT_MSG_CLIENT_MASTER_KEY:
2467 /* sum of various length fields must be less than record length */
2468 sum = tvb_get_ntohs(tvb, offset + 6); /* clear_key_length */
2469 sum += tvb_get_ntohs(tvb, offset + 8); /* encrypted_key_length */
2470 sum += tvb_get_ntohs(tvb, offset + 10); /* key_arg_length */
2471 sum += tvb_get_ntohs(tvb, offset + 12); /* verify_prelude_length */
2472 sum += tvb_get_ntohs(tvb, offset + 14); /* client_cert_length */
2473 sum += tvb_get_ntohs(tvb, offset + 16); /* response_length */
2474 if (sum > record_length)
2481 case PCT_MSG_SERVER_VERIFY:
2482 /* record is 36 bytes longer than response_length */
2483 sum = tvb_get_ntohs(tvb, offset + 34); /* response_length */
2484 if ((sum + 36) == record_length)
2497 /*********************************************************************
2499 * Standard Ethereal Protocol Registration and housekeeping
2501 *********************************************************************/
2503 proto_register_ssl(void)
2506 /* Setup list of header fields See Section 1.6.1 for details*/
2507 static hf_register_info hf[] = {
2509 { "Record Layer", "ssl.record",
2510 FT_NONE, BASE_NONE, NULL, 0x0,
2511 "Record layer", HFILL }
2513 { &hf_ssl_record_content_type,
2514 { "Content Type", "ssl.record.content_type",
2515 FT_UINT8, BASE_DEC, VALS(ssl_31_content_type), 0x0,
2516 "Content type", HFILL}
2518 { &hf_ssl2_msg_type,
2519 { "Handshake Message Type", "ssl.handshake.type",
2520 FT_UINT8, BASE_DEC, VALS(ssl_20_msg_types), 0x0,
2521 "SSLv2 handshake message type", HFILL}
2524 { "Handshake Message Type", "ssl.pct_handshake.type",
2525 FT_UINT8, BASE_DEC, VALS(pct_msg_types), 0x0,
2526 "PCT handshake message type", HFILL}
2528 { &hf_ssl_record_version,
2529 { "Version", "ssl.record.version",
2530 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2531 "Record layer version.", HFILL }
2533 { &hf_ssl_record_length,
2534 { "Length", "ssl.record.length",
2535 FT_UINT16, BASE_DEC, NULL, 0x0,
2536 "Length of SSL record data", HFILL }
2538 { &hf_ssl_record_appdata,
2539 { "Application Data", "ssl.app_data",
2540 FT_NONE, BASE_NONE, NULL, 0x0,
2541 "Payload is application data", HFILL }
2544 { "SSLv2/PCT Record Header", "ssl.record",
2545 FT_NONE, BASE_DEC, NULL, 0x0,
2546 "SSLv2/PCT record data", HFILL }
2548 { &hf_ssl2_record_is_escape,
2549 { "Is Escape", "ssl.record.is_escape",
2550 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2551 "Indicates a security escape", HFILL}
2553 { &hf_ssl2_record_padding_length,
2554 { "Padding Length", "ssl.record.padding_length",
2555 FT_UINT8, BASE_DEC, NULL, 0x0,
2556 "Length of padding at end of record", HFILL }
2558 { &hf_ssl_change_cipher_spec,
2559 { "Change Cipher Spec Message", "ssl.change_cipher_spec",
2560 FT_NONE, BASE_NONE, NULL, 0x0,
2561 "Signals a change in cipher specifications", HFILL }
2563 { & hf_ssl_alert_message,
2564 { "Alert Message", "ssl.alert_message",
2565 FT_NONE, BASE_NONE, NULL, 0x0,
2566 "Alert message", HFILL }
2568 { & hf_ssl_alert_message_level,
2569 { "Level", "ssl.alert_message.level",
2570 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_level), 0x0,
2571 "Alert message level", HFILL }
2573 { &hf_ssl_alert_message_description,
2574 { "Description", "ssl.alert_message.desc",
2575 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_description), 0x0,
2576 "Alert message description", HFILL }
2578 { &hf_ssl_handshake_protocol,
2579 { "Handshake Protocol", "ssl.handshake",
2580 FT_NONE, BASE_NONE, NULL, 0x0,
2581 "Handshake protocol message", HFILL}
2583 { &hf_ssl_handshake_type,
2584 { "Handshake Type", "ssl.handshake.type",
2585 FT_UINT8, BASE_DEC, VALS(ssl_31_handshake_type), 0x0,
2586 "Type of handshake message", HFILL}
2588 { &hf_ssl_handshake_length,
2589 { "Length", "ssl.handshake.length",
2590 FT_UINT24, BASE_DEC, NULL, 0x0,
2591 "Length of handshake message", HFILL }
2593 { &hf_ssl_handshake_client_version,
2594 { "Version", "ssl.handshake.version",
2595 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2596 "Maximum version supported by client", HFILL }
2598 { &hf_ssl_handshake_server_version,
2599 { "Version", "ssl.handshake.version",
2600 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2601 "Version selected by server", HFILL }
2603 { &hf_ssl_handshake_random_time,
2604 { "Random.gmt_unix_time", "ssl.handshake.random_time",
2605 FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0x0,
2606 "Unix time field of random structure", HFILL }
2608 { &hf_ssl_handshake_random_bytes,
2609 { "Random.bytes", "ssl.handshake.random",
2610 FT_NONE, BASE_NONE, NULL, 0x0,
2611 "Random challenge used to authenticate server", HFILL }
2613 { &hf_ssl_handshake_cipher_suites_len,
2614 { "Cipher Suites Length", "ssl.handshake.cipher_suites_length",
2615 FT_UINT16, BASE_DEC, NULL, 0x0,
2616 "Length of cipher suites field", HFILL }
2618 { &hf_ssl_handshake_cipher_suites,
2619 { "Cipher Suites", "ssl.handshake.ciphersuites",
2620 FT_NONE, BASE_NONE, NULL, 0x0,
2621 "List of cipher suites supported by client", HFILL }
2623 { &hf_ssl_handshake_cipher_suite,
2624 { "Cipher Suite", "ssl.handshake.ciphersuite",
2625 FT_UINT16, BASE_HEX, VALS(ssl_31_ciphersuite), 0x0,
2626 "Cipher suite", HFILL }
2628 { &hf_ssl2_handshake_cipher_spec,
2629 { "Cipher Spec", "ssl.handshake.cipherspec",
2630 FT_UINT24, BASE_HEX, VALS(ssl_20_cipher_suites), 0x0,
2631 "Cipher specification", HFILL }
2633 { &hf_ssl_handshake_session_id,
2634 { "Session ID", "ssl.handshake.session_id",
2635 FT_BYTES, BASE_NONE, NULL, 0x0,
2636 "Identifies the SSL session, allowing later resumption", HFILL }
2638 { &hf_ssl_handshake_comp_methods_len,
2639 { "Compression Methods Length", "ssl.handshake.comp_methods_length",
2640 FT_UINT8, BASE_DEC, NULL, 0x0,
2641 "Length of compression methods field", HFILL }
2643 { &hf_ssl_handshake_comp_methods,
2644 { "Compression Methods", "ssl.handshake.comp_methods",
2645 FT_NONE, BASE_NONE, NULL, 0x0,
2646 "List of compression methods supported by client", HFILL }
2648 { &hf_ssl_handshake_comp_method,
2649 { "Compression Method", "ssl.handshake.comp_method",
2650 FT_UINT8, BASE_DEC, VALS(ssl_31_compression_method), 0x0,
2651 "Compression Method", HFILL }
2653 { &hf_ssl_handshake_certificates_len,
2654 { "Certificates Length", "ssl.handshake.certificates_length",
2655 FT_UINT24, BASE_DEC, NULL, 0x0,
2656 "Length of certificates field", HFILL }
2658 { &hf_ssl_handshake_certificates,
2659 { "Certificates", "ssl.handshake.certificates",
2660 FT_NONE, BASE_NONE, NULL, 0x0,
2661 "List of certificates", HFILL }
2663 { &hf_ssl_handshake_certificate,
2664 { "Certificate", "ssl.handshake.certificate",
2665 FT_BYTES, BASE_NONE, NULL, 0x0,
2666 "Certificate", HFILL }
2668 { &hf_ssl_handshake_certificate_len,
2669 { "Certificate Length", "ssl.handshake.certificate_length",
2670 FT_UINT24, BASE_DEC, NULL, 0x0,
2671 "Length of certificate", HFILL }
2673 { &hf_ssl_handshake_cert_types_count,
2674 { "Certificate types count", "ssl.handshake.cert_types_count",
2675 FT_UINT8, BASE_DEC, NULL, 0x0,
2676 "Count of certificate types", HFILL }
2678 { &hf_ssl_handshake_cert_types,
2679 { "Certificate types", "ssl.handshake.cert_types",
2680 FT_NONE, BASE_NONE, NULL, 0x0,
2681 "List of certificate types", HFILL }
2683 { &hf_ssl_handshake_cert_type,
2684 { "Certificate type", "ssl.handshake.cert_type",
2685 FT_UINT8, BASE_DEC, VALS(ssl_31_client_certificate_type), 0x0,
2686 "Certificate type", HFILL }
2688 { &hf_ssl_handshake_finished,
2689 { "Verify Data", "ssl.handshake.verify_data",
2690 FT_NONE, BASE_NONE, NULL, 0x0,
2691 "Opaque verification data", HFILL }
2693 { &hf_ssl_handshake_md5_hash,
2694 { "MD5 Hash", "ssl.handshake.md5_hash",
2695 FT_NONE, BASE_NONE, NULL, 0x0,
2696 "Hash of messages, master_secret, etc.", HFILL }
2698 { &hf_ssl_handshake_sha_hash,
2699 { "SHA-1 Hash", "ssl.handshake.sha_hash",
2700 FT_NONE, BASE_NONE, NULL, 0x0,
2701 "Hash of messages, master_secret, etc.", HFILL }
2703 { &hf_ssl_handshake_session_id_len,
2704 { "Session ID Length", "ssl.handshake.session_id_length",
2705 FT_UINT8, BASE_DEC, NULL, 0x0,
2706 "Length of session ID field", HFILL }
2708 { &hf_ssl_handshake_dnames_len,
2709 { "Distinguished Names Length", "ssl.handshake.dnames_len",
2710 FT_UINT16, BASE_DEC, NULL, 0x0,
2711 "Length of list of CAs that server trusts", HFILL }
2713 { &hf_ssl_handshake_dnames,
2714 { "Distinguished Names", "ssl.handshake.dnames",
2715 FT_NONE, BASE_NONE, NULL, 0x0,
2716 "List of CAs that server trusts", HFILL }
2718 { &hf_ssl_handshake_dname_len,
2719 { "Distinguished Name Length", "ssl.handshake.dname_len",
2720 FT_UINT16, BASE_DEC, NULL, 0x0,
2721 "Length of distinguished name", HFILL }
2723 { &hf_ssl_handshake_dname,
2724 { "Distinguished Name", "ssl.handshake.dname",
2725 FT_BYTES, BASE_NONE, NULL, 0x0,
2726 "Distinguished name of a CA that server trusts", HFILL }
2728 { &hf_ssl2_handshake_challenge,
2729 { "Challenge", "ssl.handshake.challenge",
2730 FT_NONE, BASE_NONE, NULL, 0x0,
2731 "Challenge data used to authenticate server", HFILL }
2733 { &hf_ssl2_handshake_cipher_spec_len,
2734 { "Cipher Spec Length", "ssl.handshake.cipher_spec_len",
2735 FT_UINT16, BASE_DEC, NULL, 0x0,
2736 "Length of cipher specs field", HFILL }
2738 { &hf_ssl2_handshake_session_id_len,
2739 { "Session ID Length", "ssl.handshake.session_id_length",
2740 FT_UINT16, BASE_DEC, NULL, 0x0,
2741 "Length of session ID field", HFILL }
2743 { &hf_ssl2_handshake_challenge_len,
2744 { "Challenge Length", "ssl.handshake.challenge_length",
2745 FT_UINT16, BASE_DEC, NULL, 0x0,
2746 "Length of challenge field", HFILL }
2748 { &hf_ssl2_handshake_clear_key_len,
2749 { "Clear Key Data Length", "ssl.handshake.clear_key_length",
2750 FT_UINT16, BASE_DEC, NULL, 0x0,
2751 "Length of clear key data", HFILL }
2753 { &hf_ssl2_handshake_enc_key_len,
2754 { "Encrypted Key Data Length", "ssl.handshake.encrypted_key_length",
2755 FT_UINT16, BASE_DEC, NULL, 0x0,
2756 "Length of encrypted key data", HFILL }
2758 { &hf_ssl2_handshake_key_arg_len,
2759 { "Key Argument Length", "ssl.handshake.key_arg_length",
2760 FT_UINT16, BASE_DEC, NULL, 0x0,
2761 "Length of key argument", HFILL }
2763 { &hf_ssl2_handshake_clear_key,
2764 { "Clear Key Data", "ssl.handshake.clear_key_data",
2765 FT_NONE, BASE_NONE, NULL, 0x0,
2766 "Clear portion of MASTER-KEY", HFILL }
2768 { &hf_ssl2_handshake_enc_key,
2769 { "Encrypted Key", "ssl.handshake.encrypted_key",
2770 FT_NONE, BASE_NONE, NULL, 0x0,
2771 "Secret portion of MASTER-KEY encrypted to server", HFILL }
2773 { &hf_ssl2_handshake_key_arg,
2774 { "Key Argument", "ssl.handshake.key_arg",
2775 FT_NONE, BASE_NONE, NULL, 0x0,
2776 "Key Argument (e.g., Initialization Vector)", HFILL }
2778 { &hf_ssl2_handshake_session_id_hit,
2779 { "Session ID Hit", "ssl.handshake.session_id_hit",
2780 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2781 "Did the server find the client's Session ID?", HFILL }
2783 { &hf_ssl2_handshake_cert_type,
2784 { "Certificate Type", "ssl.handshake.cert_type",
2785 FT_UINT8, BASE_DEC, VALS(ssl_20_certificate_type), 0x0,
2786 "Certificate Type", HFILL }
2788 { &hf_ssl2_handshake_connection_id_len,
2789 { "Connection ID Length", "ssl.handshake.connection_id_length",
2790 FT_UINT16, BASE_DEC, NULL, 0x0,
2791 "Length of connection ID", HFILL }
2793 { &hf_ssl2_handshake_connection_id,
2794 { "Connection ID", "ssl.handshake.connection_id",
2795 FT_NONE, BASE_NONE, NULL, 0x0,
2796 "Server's challenge to client", HFILL }
2800 /* Setup protocol subtree array */
2801 static gint *ett[] = {
2806 &ett_ssl_cipher_suites,
2807 &ett_ssl_comp_methods,
2809 &ett_ssl_cert_types,
2813 /* Register the protocol name and description */
2814 proto_ssl = proto_register_protocol("Secure Socket Layer",
2817 /* Required function calls to register the header fields and
2819 proto_register_field_array(proto_ssl, hf, array_length(hf));
2820 proto_register_subtree_array(ett, array_length(ett));
2823 module_t *ssl_module = prefs_register_protocol(proto_ssl, NULL);
2824 prefs_register_bool_preference(ssl_module,
2825 "desegment_ssl_records",
2826 "Desegment SSL records",
2827 "When enabled, SSL records that span multiple TCP segments are desegmented",
2831 register_dissector("ssl", dissect_ssl, proto_ssl);
2835 /* If this dissector uses sub-dissector registration add a registration
2836 * routine. This format is required because a script is used to find
2837 * these routines and create the code that calls these routines.
2840 proto_reg_handoff_ssl(void)
2842 dissector_handle_t ssl_handle;
2844 ssl_handle = find_dissector("ssl");
2845 dissector_add("tcp.port", TCP_PORT_SSL, ssl_handle);
2846 dissector_add("tcp.port", TCP_PORT_SSL_LDAP, ssl_handle);
2847 dissector_add("tcp.port", TCP_PORT_SSL_IMAP, ssl_handle);
2848 dissector_add("tcp.port", TCP_PORT_SSL_POP, ssl_handle);