2 * Routines for ssl dissection
3 * Copyright (c) 2000-2001, Scott Renfro <scott@renfro.org>
5 * $Id: packet-ssl.c,v 1.29 2004/02/05 19:08:59 obiot Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@ethereal.com>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 * http://www.netscape.com/eng/security/SSL_2.html
33 * http://www.netscape.com/eng/ssl3/
37 * See RFC 2246 for SSL 3.1/TLS 1.0 specs.
41 * - Uses conversations in a no-malloc fashion. Since we just want to
42 * remember the version of the conversation, we store the version
43 * integer directly in the void *data member of the conversation
44 * structure. This means that we don't have to manage any memory,
45 * but will cause problems if anyone assumes that all data pointers
46 * are actually pointers to memory allocated by g_mem_chunk_alloc.
48 * - Does not support decryption of encrypted frames, nor dissection
49 * of frames that would require state maintained between frames
50 * (e.g., single ssl records spread across multiple tcp frames)
52 * - Identifies, but does not fully dissect the following messages:
54 * - SSLv3/TLS (These need more state from previous handshake msgs)
55 * - Server Key Exchange
56 * - Client Key Exchange
57 * - Certificate Verify
59 * - SSLv2 (These don't appear in the clear)
64 * - Request Certificate
65 * - Client Certificate
79 #include <epan/conversation.h>
82 static gboolean ssl_desegment = TRUE;
85 /*********************************************************************
87 * Protocol Constants, Variables, Data Structures
89 *********************************************************************/
91 /* Initialize the protocol and registered fields */
92 static int proto_ssl = -1;
93 static int hf_ssl_record = -1;
94 static int hf_ssl_record_content_type = -1;
95 static int hf_ssl_record_version = -1;
96 static int hf_ssl_record_length = -1;
97 static int hf_ssl_record_appdata = -1;
98 static int hf_ssl2_record = -1;
99 static int hf_ssl2_record_is_escape = -1;
100 static int hf_ssl2_record_padding_length = -1;
101 static int hf_ssl2_msg_type = -1;
102 static int hf_pct_msg_type = -1;
103 static int hf_ssl_change_cipher_spec = -1;
104 static int hf_ssl_alert_message = -1;
105 static int hf_ssl_alert_message_level = -1;
106 static int hf_ssl_alert_message_description = -1;
107 static int hf_ssl_handshake_protocol = -1;
108 static int hf_ssl_handshake_type = -1;
109 static int hf_ssl_handshake_length = -1;
110 static int hf_ssl_handshake_client_version = -1;
111 static int hf_ssl_handshake_server_version = -1;
112 static int hf_ssl_handshake_random_time = -1;
113 static int hf_ssl_handshake_random_bytes = -1;
114 static int hf_ssl_handshake_cipher_suites_len = -1;
115 static int hf_ssl_handshake_cipher_suites = -1;
116 static int hf_ssl_handshake_cipher_suite = -1;
117 static int hf_ssl_handshake_session_id = -1;
118 static int hf_ssl_handshake_comp_methods_len = -1;
119 static int hf_ssl_handshake_comp_methods = -1;
120 static int hf_ssl_handshake_comp_method = -1;
121 static int hf_ssl_handshake_certificates_len = -1;
122 static int hf_ssl_handshake_certificates = -1;
123 static int hf_ssl_handshake_certificate = -1;
124 static int hf_ssl_handshake_certificate_len = -1;
125 static int hf_ssl_handshake_cert_types_count = -1;
126 static int hf_ssl_handshake_cert_types = -1;
127 static int hf_ssl_handshake_cert_type = -1;
128 static int hf_ssl_handshake_finished = -1;
129 static int hf_ssl_handshake_md5_hash = -1;
130 static int hf_ssl_handshake_sha_hash = -1;
131 static int hf_ssl_handshake_session_id_len = -1;
132 static int hf_ssl_handshake_dnames_len = -1;
133 static int hf_ssl_handshake_dnames = -1;
134 static int hf_ssl_handshake_dname_len = -1;
135 static int hf_ssl_handshake_dname = -1;
136 static int hf_ssl2_handshake_cipher_spec_len = -1;
137 static int hf_ssl2_handshake_session_id_len = -1;
138 static int hf_ssl2_handshake_challenge_len = -1;
139 static int hf_ssl2_handshake_cipher_spec = -1;
140 static int hf_ssl2_handshake_challenge = -1;
141 static int hf_ssl2_handshake_clear_key_len = -1;
142 static int hf_ssl2_handshake_enc_key_len = -1;
143 static int hf_ssl2_handshake_key_arg_len = -1;
144 static int hf_ssl2_handshake_clear_key = -1;
145 static int hf_ssl2_handshake_enc_key = -1;
146 static int hf_ssl2_handshake_key_arg = -1;
147 static int hf_ssl2_handshake_session_id_hit = -1;
148 static int hf_ssl2_handshake_cert_type = -1;
149 static int hf_ssl2_handshake_connection_id_len = -1;
150 static int hf_ssl2_handshake_connection_id = -1;
152 /* Initialize the subtree pointers */
153 static gint ett_ssl = -1;
154 static gint ett_ssl_record = -1;
155 static gint ett_ssl_alert = -1;
156 static gint ett_ssl_handshake = -1;
157 static gint ett_ssl_cipher_suites = -1;
158 static gint ett_ssl_comp_methods = -1;
159 static gint ett_ssl_certs = -1;
160 static gint ett_ssl_cert_types = -1;
161 static gint ett_ssl_dnames = -1;
163 /* The TCP port to associate with by default */
164 #define TCP_PORT_SSL 443
165 #define TCP_PORT_SSL_LDAP 636
166 #define TCP_PORT_SSL_IMAP 993
167 #define TCP_PORT_SSL_POP 995
169 /* version state tables */
170 #define SSL_VER_UNKNOWN 0
171 #define SSL_VER_SSLv2 1
172 #define SSL_VER_SSLv3 2
173 #define SSL_VER_TLS 3
174 #define SSL_VER_PCT 4
176 /* corresponds to the #defines above */
177 static gchar* ssl_version_short_names[] = {
186 #define SSL_ID_CHG_CIPHER_SPEC 0x14
187 #define SSL_ID_ALERT 0x15
188 #define SSL_ID_HANDSHAKE 0x16
189 #define SSL_ID_APP_DATA 0x17
191 #define SSL_HND_HELLO_REQUEST 0
192 #define SSL_HND_CLIENT_HELLO 1
193 #define SSL_HND_SERVER_HELLO 2
194 #define SSL_HND_CERTIFICATE 11
195 #define SSL_HND_SERVER_KEY_EXCHG 12
196 #define SSL_HND_CERT_REQUEST 13
197 #define SSL_HND_SVR_HELLO_DONE 14
198 #define SSL_HND_CERT_VERIFY 15
199 #define SSL_HND_CLIENT_KEY_EXCHG 16
200 #define SSL_HND_FINISHED 20
202 #define SSL2_HND_ERROR 0x00
203 #define SSL2_HND_CLIENT_HELLO 0x01
204 #define SSL2_HND_CLIENT_MASTER_KEY 0x02
205 #define SSL2_HND_CLIENT_FINISHED 0x03
206 #define SSL2_HND_SERVER_HELLO 0x04
207 #define SSL2_HND_SERVER_VERIFY 0x05
208 #define SSL2_HND_SERVER_FINISHED 0x06
209 #define SSL2_HND_REQUEST_CERTIFICATE 0x07
210 #define SSL2_HND_CLIENT_CERTIFICATE 0x08
212 #define PCT_VERSION_1 0x8001
214 #define PCT_MSG_CLIENT_HELLO 0x01
215 #define PCT_MSG_SERVER_HELLO 0x02
216 #define PCT_MSG_CLIENT_MASTER_KEY 0x03
217 #define PCT_MSG_SERVER_VERIFY 0x04
218 #define PCT_MSG_ERROR 0x05
224 static const value_string ssl_20_msg_types[] = {
225 { SSL2_HND_ERROR, "Error" },
226 { SSL2_HND_CLIENT_HELLO, "Client Hello" },
227 { SSL2_HND_CLIENT_MASTER_KEY, "Client Master Key" },
228 { SSL2_HND_CLIENT_FINISHED, "Client Finished" },
229 { SSL2_HND_SERVER_HELLO, "Server Hello" },
230 { SSL2_HND_SERVER_VERIFY, "Server Verify" },
231 { SSL2_HND_SERVER_FINISHED, "Server Finished" },
232 { SSL2_HND_REQUEST_CERTIFICATE, "Request Certificate" },
233 { SSL2_HND_CLIENT_CERTIFICATE, "Client Certificate" },
237 static const value_string ssl_20_cipher_suites[] = {
238 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
239 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
240 { 0x030080, "SSL2_RC2_CBC_128_CBC_WITH_MD5" },
241 { 0x040080, "SSL2_RC2_CBC_128_CBC_WITH_MD5" },
242 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
243 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
244 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
245 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
246 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
247 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
248 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
249 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
250 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
251 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
252 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
253 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
254 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
255 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
256 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
257 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
258 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
259 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
260 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
261 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
262 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
263 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
264 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
265 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
266 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
267 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
268 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
269 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
270 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
271 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
272 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
273 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
274 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
275 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
276 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
277 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
278 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
279 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
280 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
281 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
282 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
283 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
284 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
285 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
286 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
287 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
288 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
289 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
290 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
291 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
292 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
293 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
294 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
295 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
296 /* these from http://www.mozilla.org/projects/
297 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
298 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
299 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
300 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
301 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
302 /* Microsoft's old PCT protocol. These are from Eric Rescorla's
303 book "SSL and TLS" */
304 { 0x8f8001, "PCT_SSL_COMPAT | PCT_VERSION_1" },
305 { 0x800003, "PCT_SSL_CERT_TYPE | PCT1_CERT_X509_CHAIN" },
306 { 0x800001, "PCT_SSL_CERT_TYPE | PCT1_CERT_X509" },
307 { 0x810001, "PCT_SSL_HASH_TYPE | PCT1_HASH_MD5" },
308 { 0x810003, "PCT_SSL_HASH_TYPE | PCT1_HASH_SHA" },
309 { 0x820001, "PCT_SSL_EXCH_TYPE | PCT1_EXCH_RSA_PKCS1" },
310 { 0x830004, "PCT_SSL_CIPHER_TYPE_1ST_HALF | PCT1_CIPHER_RC4" },
311 { 0x848040, "PCT_SSL_CIPHER_TYPE_2ND_HALF | PCT1_ENC_BITS_128 | PCT1_MAC_BITS_128" },
312 { 0x842840, "PCT_SSL_CIPHER_TYPE_2ND_HALF | PCT1_ENC_BITS_40 | PCT1_MAC_BITS_128" },
313 /* note that ciphersuites of {0x00????} are TLS cipher suites in
314 * a sslv2 client hello message; the ???? above is the two-byte
315 * tls cipher suite id
320 static const value_string ssl_20_certificate_type[] = {
322 { 0x01, "X.509 Certificate" },
326 static const value_string ssl_31_content_type[] = {
327 { 20, "Change Cipher Spec" },
330 { 23, "Application Data" },
334 static const value_string ssl_versions[] = {
335 { 0x0301, "TLS 1.0" },
336 { 0x0300, "SSL 3.0" },
337 { 0x0002, "SSL 2.0" },
342 /* XXX - would be used if we dissected the body of a Change Cipher Spec
344 static const value_string ssl_31_change_cipher_spec[] = {
345 { 1, "Change Cipher Spec" },
350 static const value_string ssl_31_alert_level[] = {
356 static const value_string ssl_31_alert_description[] = {
357 { 0, "Close Notify" },
358 { 10, "Unexpected Message" },
359 { 20, "Bad Record MAC" },
360 { 21, "Decryption Failed" },
361 { 22, "Record Overflow" },
362 { 30, "Decompression Failure" },
363 { 40, "Handshake Failure" },
364 { 42, "Bad Certificate" },
365 { 43, "Unsupported Certificate" },
366 { 44, "Certificate Revoked" },
367 { 45, "Certificate Expired" },
368 { 46, "Certificate Unknown" },
369 { 47, "Illegal Parameter" },
370 { 48, "Unknown CA" },
371 { 49, "Access Denied" },
372 { 50, "Decode Error" },
373 { 51, "Decrypt Error" },
374 { 60, "Export Restriction" },
375 { 70, "Protocol Version" },
376 { 71, "Insufficient Security" },
377 { 80, "Internal Error" },
378 { 90, "User Canceled" },
379 { 100, "No Renegotiation" },
383 static const value_string ssl_31_handshake_type[] = {
384 { SSL_HND_HELLO_REQUEST, "Hello Request" },
385 { SSL_HND_CLIENT_HELLO, "Client Hello" },
386 { SSL_HND_SERVER_HELLO, "Server Hello" },
387 { SSL_HND_CERTIFICATE, "Certificate" },
388 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
389 { SSL_HND_CERT_REQUEST, "Certificate Request" },
390 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
391 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
392 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
393 { SSL_HND_FINISHED, "Finished" },
397 static const value_string ssl_31_compression_method[] = {
404 /* XXX - would be used if we dissected a Signature, as would be
405 seen in a server key exchange or certificate verify message. */
406 static const value_string ssl_31_key_exchange_algorithm[] = {
408 { 1, "Diffie Hellman" },
412 static const value_string ssl_31_signature_algorithm[] = {
420 static const value_string ssl_31_client_certificate_type[] = {
423 { 3, "RSA Fixed DH" },
424 { 4, "DSS Fixed DH" },
429 /* XXX - would be used if we dissected exchnage keys, as would be
430 seen in a client key exchange message. */
431 static const value_string ssl_31_public_value_encoding[] = {
438 static const value_string ssl_31_ciphersuite[] = {
439 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
440 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
441 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
442 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
443 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
444 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
445 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
446 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
447 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
448 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
449 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
450 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
451 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
452 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
453 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
454 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
455 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
456 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
457 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
458 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
459 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
460 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
461 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
462 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
463 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
464 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
465 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
466 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
467 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
468 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
469 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
470 { 0x002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
471 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
472 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
473 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
474 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
475 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
476 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
477 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
478 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
479 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
480 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
481 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
482 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
483 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
484 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
485 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
486 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
487 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
488 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
489 /* these from http://www.mozilla.org/projects/
490 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
491 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
492 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
493 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
494 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
495 /* note that ciphersuites 0xff00 - 0xffff are private */
499 static const value_string pct_msg_types[] = {
500 { PCT_MSG_CLIENT_HELLO, "Client Hello" },
501 { PCT_MSG_SERVER_HELLO, "Server Hello" },
502 { PCT_MSG_CLIENT_MASTER_KEY, "Client Master Key" },
503 { PCT_MSG_SERVER_VERIFY, "Server Verify" },
504 { PCT_MSG_ERROR, "Error" },
509 /*********************************************************************
511 * Forward Declarations
513 *********************************************************************/
516 * SSL version 3 and TLS dissectors
519 /* record layer dissector */
520 static int dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
521 proto_tree *tree, guint32 offset,
523 gboolean *need_desegmentation);
525 /* change cipher spec dissector */
526 static void dissect_ssl3_change_cipher_spec(tvbuff_t *tvb,
529 guint *conv_version);
531 /* alert message dissector */
532 static void dissect_ssl3_alert(tvbuff_t *tvb, packet_info *pinfo,
533 proto_tree *tree, guint32 offset,
534 guint *conv_version);
536 /* handshake protocol dissector */
537 static void dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
538 proto_tree *tree, guint32 offset,
539 guint32 record_length,
540 guint *conv_version);
543 static void dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb,
547 static void dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb,
551 static void dissect_ssl3_hnd_cert(tvbuff_t *tvb,
552 proto_tree *tree, guint32 offset);
554 static void dissect_ssl3_hnd_cert_req(tvbuff_t *tvb,
558 static void dissect_ssl3_hnd_finished(tvbuff_t *tvb,
561 guint *conv_version);
565 * SSL version 2 dissectors
569 /* record layer dissector */
570 static int dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo,
571 proto_tree *tree, guint32 offset,
573 gboolean *need_desegmentation);
575 /* client hello dissector */
576 static void dissect_ssl2_hnd_client_hello(tvbuff_t *tvb,
580 /* client master key dissector */
581 static void dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb,
585 /* server hello dissector */
586 static void dissect_ssl2_hnd_server_hello(tvbuff_t *tvb,
594 static void ssl_set_conv_version(packet_info *pinfo, guint version);
595 static int ssl_is_valid_handshake_type(guint8 type);
596 static int ssl_is_valid_content_type(guint8 type);
597 static int ssl_is_valid_ssl_version(guint16 version);
598 static int ssl_is_authoritative_version_message(guint8 content_type,
600 static int ssl_is_v2_client_hello(tvbuff_t *tvb, guint32 offset);
601 static int ssl_looks_like_sslv2(tvbuff_t *tvb, guint32 offset);
602 static int ssl_looks_like_sslv3(tvbuff_t *tvb, guint32 offset);
603 static int ssl_looks_like_valid_v2_handshake(tvbuff_t *tvb,
605 guint32 record_length);
606 static int ssl_looks_like_valid_pct_handshake(tvbuff_t *tvb,
608 guint32 record_length);
610 /*********************************************************************
614 *********************************************************************/
616 * Code to actually dissect the packets
619 dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
622 conversation_t *conversation;
624 guint conv_version = SSL_VER_UNKNOWN;
625 proto_item *ti = NULL;
626 proto_tree *ssl_tree = NULL;
628 gboolean first_record_in_frame = TRUE;
629 gboolean need_desegmentation;
631 /* Track the version using conversations to reduce the
632 * chance that a packet that simply *looks* like a v2 or
633 * v3 packet is dissected improperly. This also allows
634 * us to more frequently set the protocol column properly
635 * for continuation data frames.
637 * Also: We use the copy in conv_version as our cached copy,
638 * so that we don't have to search the conversation
639 * table every time we want the version; when setting
640 * the conv_version, must set the copy in the conversation
641 * in addition to conv_version
643 conversation = find_conversation(&pinfo->src, &pinfo->dst, pinfo->ptype,
644 pinfo->srcport, pinfo->destport, 0);
647 /* create a new conversation */
648 conversation = conversation_new(&pinfo->src, &pinfo->dst, pinfo->ptype,
649 pinfo->srcport, pinfo->destport, 0);
651 conv_data = conversation_get_proto_data(conversation, proto_ssl);
652 if (conv_data != NULL)
654 conv_version = GPOINTER_TO_UINT(conv_data);
657 /* Initialize the protocol column; we'll set it later when we
658 * figure out what flavor of SSL it is (assuming we don't
659 * throw an exception before we get the chance to do so). */
660 if (check_col(pinfo->cinfo, COL_PROTOCOL))
662 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SSL");
665 /* clear the the info column */
666 if (check_col(pinfo->cinfo, COL_INFO))
667 col_clear(pinfo->cinfo, COL_INFO);
669 /* TCP packets and SSL records are orthogonal.
670 * A tcp packet may contain multiple ssl records and an ssl
671 * record may be spread across multiple tcp packets.
673 * This loop accounts for multiple ssl records in a single
674 * frame, but not a single ssl record across multiple tcp
677 * Handling the single ssl record across multiple packets
678 * may be possible using ethereal conversations, but
679 * probably not cleanly. May have to wait for tcp stream
683 /* Create display subtree for SSL as a whole */
686 ti = proto_tree_add_item(tree, proto_ssl, tvb, 0, -1, FALSE);
687 ssl_tree = proto_item_add_subtree(ti, ett_ssl);
690 /* iterate through the records in this tvbuff */
691 while (tvb_reported_length_remaining(tvb, offset) != 0)
693 /* on second and subsequent records per frame
694 * add a delimiter on info column
696 if (!first_record_in_frame
697 && check_col(pinfo->cinfo, COL_INFO))
699 col_append_str(pinfo->cinfo, COL_INFO, ", ");
703 * Assume, for now, that this doesn't need desegmentation.
705 need_desegmentation = FALSE;
707 /* first try to dispatch off the cached version
708 * known to be associated with the conversation
710 switch(conv_version) {
713 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
714 offset, &conv_version,
715 &need_desegmentation);
720 /* the version tracking code works too well ;-)
721 * at times, we may visit a v2 client hello after
722 * we already know the version of the connection;
723 * work around that here by detecting and calling
724 * the v2 dissector instead
726 if (ssl_is_v2_client_hello(tvb, offset))
728 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
729 offset, &conv_version,
730 &need_desegmentation);
734 offset = dissect_ssl3_record(tvb, pinfo, ssl_tree,
735 offset, &conv_version,
736 &need_desegmentation);
740 /* that failed, so apply some heuristics based
741 * on this individual packet
744 if (ssl_looks_like_sslv2(tvb, offset))
746 /* looks like sslv2 or pct client hello */
747 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
748 offset, &conv_version,
749 &need_desegmentation);
751 else if (ssl_looks_like_sslv3(tvb, offset))
753 /* looks like sslv3 or tls */
754 offset = dissect_ssl3_record(tvb, pinfo, ssl_tree,
755 offset, &conv_version,
756 &need_desegmentation);
760 /* looks like something unknown, so lump into
763 offset = tvb_length(tvb);
764 if (check_col(pinfo->cinfo, COL_INFO))
765 col_append_str(pinfo->cinfo, COL_INFO,
766 "Continuation Data");
768 /* Set the protocol column */
769 if (check_col(pinfo->cinfo, COL_PROTOCOL))
771 col_set_str(pinfo->cinfo, COL_PROTOCOL,
772 ssl_version_short_names[conv_version]);
778 /* Desegmentation return check */
779 if (need_desegmentation)
782 /* If we haven't already set the version information for
783 * this conversation, do so. */
784 if (conv_data == NULL)
786 conv_data = GINT_TO_POINTER(conv_version);
787 conversation_add_proto_data(conversation, proto_ssl, conv_data);
790 /* set up for next record in frame, if any */
791 first_record_in_frame = FALSE;
797 /*********************************************************************
799 * SSL version 3 and TLS Dissection Routines
801 *********************************************************************/
803 dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
804 proto_tree *tree, guint32 offset,
805 guint *conv_version, gboolean *need_desegmentation)
810 * uint8 major, minor;
815 * change_cipher_spec(20), alert(21), handshake(22),
816 * application_data(23), (255)
821 * ProtocolVersion version;
823 * opaque fragment[TLSPlaintext.length];
826 guint32 record_length;
830 proto_tree *ti = NULL;
831 proto_tree *ssl_record_tree = NULL;
832 guint32 available_bytes = 0;
834 available_bytes = tvb_length_remaining(tvb, offset);
837 * Can we do reassembly?
839 if (ssl_desegment && pinfo->can_desegment) {
841 * Yes - is the record header split across segment boundaries?
843 if (available_bytes < 5) {
845 * Yes. Tell the TCP dissector where the data for this
846 * message starts in the data it handed us, and how many
847 * more bytes we need, and return.
849 pinfo->desegment_offset = offset;
850 pinfo->desegment_len = 5 - available_bytes;
851 *need_desegmentation = TRUE;
857 * Get the record layer fields of interest
859 content_type = tvb_get_guint8(tvb, offset);
860 version = tvb_get_ntohs(tvb, offset + 1);
861 record_length = tvb_get_ntohs(tvb, offset + 3);
863 if (ssl_is_valid_content_type(content_type)) {
866 * Can we do reassembly?
868 if (ssl_desegment && pinfo->can_desegment) {
870 * Yes - is the record split across segment boundaries?
872 if (available_bytes < record_length + 5) {
874 * Yes. Tell the TCP dissector where the data for this
875 * message starts in the data it handed us, and how many
876 * more bytes we need, and return.
878 pinfo->desegment_offset = offset;
879 pinfo->desegment_len = (record_length + 5) - available_bytes;
880 *need_desegmentation = TRUE;
887 /* if we don't have a valid content_type, there's no sense
888 * continuing any further
890 if (check_col(pinfo->cinfo, COL_INFO))
891 col_append_str(pinfo->cinfo, COL_INFO, "Continuation Data");
893 /* Set the protocol column */
894 if (check_col(pinfo->cinfo, COL_PROTOCOL))
896 col_set_str(pinfo->cinfo, COL_PROTOCOL,
897 ssl_version_short_names[*conv_version]);
899 return offset + 5 + record_length;
903 * If GUI, fill in record layer part of tree
908 /* add the record layer subtree header */
909 ti = proto_tree_add_item(tree, hf_ssl_record, tvb,
910 offset, 5 + record_length, 0);
911 ssl_record_tree = proto_item_add_subtree(ti, ett_ssl_record);
916 /* show the one-byte content type */
917 proto_tree_add_item(ssl_record_tree, hf_ssl_record_content_type,
921 /* add the version */
922 proto_tree_add_item(ssl_record_tree, hf_ssl_record_version, tvb,
927 proto_tree_add_uint(ssl_record_tree, hf_ssl_record_length, tvb,
928 offset, 2, record_length);
929 offset += 2; /* move past length field itself */
933 /* if no GUI tree, then just skip over those fields */
939 * if we don't already have a version set for this conversation,
940 * but this message's version is authoritative (i.e., it's
941 * not client_hello, then save the version to to conversation
942 * structure and print the column version
944 next_byte = tvb_get_guint8(tvb, offset);
945 if (*conv_version == SSL_VER_UNKNOWN
946 && ssl_is_authoritative_version_message(content_type, next_byte))
948 if (version == 0x0300)
950 *conv_version = SSL_VER_SSLv3;
951 ssl_set_conv_version(pinfo, *conv_version);
953 else if (version == 0x0301)
955 *conv_version = SSL_VER_TLS;
956 ssl_set_conv_version(pinfo, *conv_version);
959 if (check_col(pinfo->cinfo, COL_PROTOCOL))
961 if (version == 0x0300)
963 col_set_str(pinfo->cinfo, COL_PROTOCOL,
964 ssl_version_short_names[SSL_VER_SSLv3]);
966 else if (version == 0x0301)
968 col_set_str(pinfo->cinfo, COL_PROTOCOL,
969 ssl_version_short_names[SSL_VER_TLS]);
973 col_set_str(pinfo->cinfo, COL_PROTOCOL,
974 ssl_version_short_names[*conv_version]);
979 * now dissect the next layer
981 switch (content_type) {
982 case SSL_ID_CHG_CIPHER_SPEC:
983 if (check_col(pinfo->cinfo, COL_INFO))
984 col_append_str(pinfo->cinfo, COL_INFO, "Change Cipher Spec");
985 dissect_ssl3_change_cipher_spec(tvb, ssl_record_tree,
986 offset, conv_version);
989 dissect_ssl3_alert(tvb, pinfo, ssl_record_tree, offset,
992 case SSL_ID_HANDSHAKE:
993 dissect_ssl3_handshake(tvb, pinfo, ssl_record_tree, offset,
994 record_length, conv_version);
996 case SSL_ID_APP_DATA:
997 if (check_col(pinfo->cinfo, COL_INFO))
998 col_append_str(pinfo->cinfo, COL_INFO, "Application Data");
1001 proto_item_set_text(ssl_record_tree,
1002 "%s Record Layer: Application Data",
1003 ssl_version_short_names[*conv_version]);
1004 proto_tree_add_item(ssl_record_tree, hf_ssl_record_appdata, tvb,
1005 offset, record_length, 0);
1010 /* shouldn't get here since we check above for valid types */
1011 if (check_col(pinfo->cinfo, COL_INFO))
1012 col_append_str(pinfo->cinfo, COL_INFO, "Bad SSLv3 Content Type");
1015 offset += record_length; /* skip to end of record */
1020 /* dissects the change cipher spec procotol, filling in the tree */
1022 dissect_ssl3_change_cipher_spec(tvbuff_t *tvb,
1023 proto_tree *tree, guint32 offset,
1024 guint *conv_version)
1028 * enum { change_cipher_spec(1), (255) } type;
1029 * } ChangeCipherSpec;
1034 proto_item_set_text(tree,
1035 "%s Record Layer: Change Cipher Spec",
1036 ssl_version_short_names[*conv_version]);
1037 proto_tree_add_item(tree, hf_ssl_change_cipher_spec, tvb,
1038 offset++, 1, FALSE);
1042 /* dissects the alert message, filling in the tree */
1044 dissect_ssl3_alert(tvbuff_t *tvb, packet_info *pinfo,
1045 proto_tree *tree, guint32 offset,
1046 guint *conv_version)
1050 * AlertDescription description;
1054 proto_tree *ssl_alert_tree = NULL;
1060 ti = proto_tree_add_item(tree, hf_ssl_alert_message, tvb,
1062 ssl_alert_tree = proto_item_add_subtree(ti, ett_ssl_alert);
1066 * set the record layer label
1069 /* first lookup the names for the alert level and description */
1070 byte = tvb_get_guint8(tvb, offset); /* grab the level byte */
1071 level = match_strval(byte, ssl_31_alert_level);
1073 byte = tvb_get_guint8(tvb, offset+1); /* grab the desc byte */
1074 desc = match_strval(byte, ssl_31_alert_description);
1076 /* now set the text in the record layer line */
1079 if (check_col(pinfo->cinfo, COL_INFO))
1080 col_append_fstr(pinfo->cinfo, COL_INFO,
1081 "Alert (Level: %s, Description: %s)",
1086 if (check_col(pinfo->cinfo, COL_INFO))
1087 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted Alert");
1094 proto_item_set_text(tree, "%s Record Layer: Alert "
1095 "(Level: %s, Description: %s)",
1096 ssl_version_short_names[*conv_version],
1098 proto_tree_add_item(ssl_alert_tree, hf_ssl_alert_message_level,
1099 tvb, offset++, 1, FALSE);
1101 proto_tree_add_item(ssl_alert_tree, hf_ssl_alert_message_description,
1102 tvb, offset++, 1, FALSE);
1106 proto_item_set_text(tree,
1107 "%s Record Layer: Encrypted Alert",
1108 ssl_version_short_names[*conv_version]);
1109 proto_item_set_text(ssl_alert_tree,
1110 "Alert Message: Encrypted Alert");
1116 /* dissects the handshake protocol, filling the tree */
1118 dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
1119 proto_tree *tree, guint32 offset,
1120 guint32 record_length, guint *conv_version)
1123 * HandshakeType msg_type;
1125 * select (HandshakeType) {
1126 * case hello_request: HelloRequest;
1127 * case client_hello: ClientHello;
1128 * case server_hello: ServerHello;
1129 * case certificate: Certificate;
1130 * case server_key_exchange: ServerKeyExchange;
1131 * case certificate_request: CertificateRequest;
1132 * case server_hello_done: ServerHelloDone;
1133 * case certificate_verify: CertificateVerify;
1134 * case client_key_exchange: ClientKeyExchange;
1135 * case finished: Finished;
1139 proto_tree *ti = NULL;
1140 proto_tree *ssl_hand_tree = NULL;
1141 gchar *msg_type_str = NULL;
1144 gboolean first_iteration = TRUE;
1147 /* just as there can be multiple records per packet, there
1148 * can be multiple messages per record as long as they have
1149 * the same content type
1151 * we really only care about this for handshake messages
1154 /* set record_length to the max offset */
1155 record_length += offset;
1156 while (offset < record_length)
1158 msg_type = tvb_get_guint8(tvb, offset);
1159 msg_type_str = match_strval(msg_type, ssl_31_handshake_type);
1160 length = tvb_get_ntoh24(tvb, offset + 1);
1162 if (!msg_type_str && !first_iteration)
1164 /* only dissect / report messages if they're
1165 * either the first message in this record
1166 * or they're a valid message type
1171 /* on second and later iterations, add comma to info col */
1172 if (!first_iteration)
1174 if (check_col(pinfo->cinfo, COL_INFO))
1175 col_append_fstr(pinfo->cinfo, COL_INFO, ", ");
1179 * Update our info string
1181 if (check_col(pinfo->cinfo, COL_INFO))
1182 col_append_fstr(pinfo->cinfo, COL_INFO, "%s", (msg_type_str != NULL)
1183 ? msg_type_str : "Encrypted Handshake Message");
1187 /* set the label text on the record layer expanding node */
1188 if (first_iteration)
1190 proto_item_set_text(tree, "%s Record Layer: %s",
1191 ssl_version_short_names[*conv_version],
1192 (msg_type_str!=NULL) ? msg_type_str :
1193 "Encrypted Handshake Message");
1197 proto_item_set_text(tree, "%s Record Layer: %s",
1198 ssl_version_short_names[*conv_version],
1199 "Multiple Handshake Messages");
1202 /* add a subtree for the handshake protocol */
1203 ti = proto_tree_add_item(tree, hf_ssl_handshake_protocol, tvb,
1204 offset, length + 4, 0);
1205 ssl_hand_tree = proto_item_add_subtree(ti, ett_ssl_handshake);
1209 /* set the text label on the subtree node */
1210 proto_item_set_text(ssl_hand_tree, "Handshake Protocol: %s",
1211 (msg_type_str != NULL) ? msg_type_str :
1212 "Encrypted Handshake Message");
1216 /* if we don't have a valid handshake type, just quit dissecting */
1224 /* add nodes for the message type and message length */
1225 proto_tree_add_item(ssl_hand_tree, hf_ssl_handshake_type,
1226 tvb, offset, 1, msg_type);
1228 proto_tree_add_uint(ssl_hand_tree, hf_ssl_handshake_length,
1229 tvb, offset, 3, length);
1232 /* now dissect the handshake message, if necessary */
1234 case SSL_HND_HELLO_REQUEST:
1235 /* hello_request has no fields, so nothing to do! */
1238 case SSL_HND_CLIENT_HELLO:
1239 dissect_ssl3_hnd_cli_hello(tvb, ssl_hand_tree, offset);
1242 case SSL_HND_SERVER_HELLO:
1243 dissect_ssl3_hnd_srv_hello(tvb, ssl_hand_tree, offset);
1246 case SSL_HND_CERTIFICATE:
1247 dissect_ssl3_hnd_cert(tvb, ssl_hand_tree, offset);
1250 case SSL_HND_SERVER_KEY_EXCHG:
1254 case SSL_HND_CERT_REQUEST:
1255 dissect_ssl3_hnd_cert_req(tvb, ssl_hand_tree, offset);
1258 case SSL_HND_SVR_HELLO_DONE:
1259 /* server_hello_done has no fields, so nothing to do! */
1262 case SSL_HND_CERT_VERIFY:
1266 case SSL_HND_CLIENT_KEY_EXCHG:
1270 case SSL_HND_FINISHED:
1271 dissect_ssl3_hnd_finished(tvb, ssl_hand_tree,
1272 offset, conv_version);
1279 offset += 4; /* skip the handshake header */
1282 first_iteration = FALSE; /* set up for next pass, if any */
1287 dissect_ssl3_hnd_hello_common(tvbuff_t *tvb, proto_tree *tree,
1290 /* show the client's random challenge */
1291 guint32 initial_offset = offset;
1292 nstime_t gmt_unix_time;
1293 guint8 session_id_length = 0;
1298 gmt_unix_time.secs = tvb_get_ntohl(tvb, offset);
1299 gmt_unix_time.nsecs = 0;
1300 proto_tree_add_time(tree, hf_ssl_handshake_random_time,
1301 tvb, offset, 4, &gmt_unix_time);
1304 /* show the random bytes */
1305 proto_tree_add_item(tree, hf_ssl_handshake_random_bytes,
1306 tvb, offset, 28, 0);
1309 /* show the session id */
1310 session_id_length = tvb_get_guint8(tvb, offset);
1311 proto_tree_add_item(tree, hf_ssl_handshake_session_id_len,
1312 tvb, offset++, 1, 0);
1313 if (session_id_length > 0)
1315 proto_tree_add_bytes_format(tree, hf_ssl_handshake_session_id,
1316 tvb, offset, session_id_length,
1317 tvb_get_ptr(tvb, offset, session_id_length),
1318 "Session ID (%u byte%s)",
1320 plurality(session_id_length, "", "s"));
1321 offset += session_id_length;
1325 return offset - initial_offset;
1329 dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb,
1330 proto_tree *tree, guint32 offset)
1333 * ProtocolVersion client_version;
1335 * SessionID session_id;
1336 * CipherSuite cipher_suites<2..2^16-1>;
1337 * CompressionMethod compression_methods<1..2^8-1>;
1342 proto_tree *cs_tree;
1343 guint16 cipher_suite_length = 0;
1344 guint8 compression_methods_length = 0;
1345 guint8 compression_method;
1349 /* show the client version */
1350 proto_tree_add_item(tree, hf_ssl_handshake_client_version, tvb,
1354 /* show the fields in common with server hello */
1355 offset += dissect_ssl3_hnd_hello_common(tvb, tree, offset);
1357 /* tell the user how many cipher suites there are */
1358 cipher_suite_length = tvb_get_ntohs(tvb, offset);
1359 proto_tree_add_uint(tree, hf_ssl_handshake_cipher_suites_len,
1360 tvb, offset, 2, cipher_suite_length);
1361 offset += 2; /* skip opaque length */
1363 if (cipher_suite_length > 0)
1365 ti = proto_tree_add_none_format(tree,
1366 hf_ssl_handshake_cipher_suites,
1367 tvb, offset, cipher_suite_length,
1368 "Cipher Suites (%u suite%s)",
1369 cipher_suite_length / 2,
1370 plurality(cipher_suite_length/2, "", "s"));
1372 /* make this a subtree */
1373 cs_tree = proto_item_add_subtree(ti, ett_ssl_cipher_suites);
1376 cs_tree = tree; /* failsafe */
1379 while (cipher_suite_length > 0)
1381 proto_tree_add_item(cs_tree, hf_ssl_handshake_cipher_suite,
1382 tvb, offset, 2, FALSE);
1384 cipher_suite_length -= 2;
1388 /* tell the user how man compression methods there are */
1389 compression_methods_length = tvb_get_guint8(tvb, offset);
1390 proto_tree_add_uint(tree, hf_ssl_handshake_comp_methods_len,
1391 tvb, offset, 1, compression_methods_length);
1394 if (compression_methods_length > 0)
1396 ti = proto_tree_add_none_format(tree,
1397 hf_ssl_handshake_comp_methods,
1398 tvb, offset, compression_methods_length,
1399 "Compression Methods (%u method%s)",
1400 compression_methods_length,
1401 plurality(compression_methods_length,
1404 /* make this a subtree */
1405 cs_tree = proto_item_add_subtree(ti, ett_ssl_comp_methods);
1408 cs_tree = tree; /* failsafe */
1411 while (compression_methods_length > 0)
1413 compression_method = tvb_get_guint8(tvb, offset);
1414 if (compression_method < 64)
1415 proto_tree_add_uint(cs_tree, hf_ssl_handshake_comp_method,
1416 tvb, offset, 1, compression_method);
1417 else if (compression_method > 63 && compression_method < 193)
1418 proto_tree_add_text(cs_tree, tvb, offset, 1,
1419 "Compression Method: Reserved - to be assigned by IANA (%u)",
1420 compression_method);
1422 proto_tree_add_text(cs_tree, tvb, offset, 1,
1423 "Compression Method: Private use range (%u)",
1424 compression_method);
1426 compression_methods_length--;
1433 dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb,
1434 proto_tree *tree, guint32 offset)
1437 * ProtocolVersion server_version;
1439 * SessionID session_id;
1440 * CipherSuite cipher_suite;
1441 * CompressionMethod compression_method;
1447 /* show the server version */
1448 proto_tree_add_item(tree, hf_ssl_handshake_server_version, tvb,
1452 /* first display the elements conveniently in
1453 * common with client hello
1455 offset += dissect_ssl3_hnd_hello_common(tvb, tree, offset);
1457 /* now the server-selected cipher suite */
1458 proto_tree_add_item(tree, hf_ssl_handshake_cipher_suite,
1459 tvb, offset, 2, FALSE);
1462 /* and the server-selected compression method */
1463 proto_tree_add_item(tree, hf_ssl_handshake_comp_method,
1464 tvb, offset, 1, FALSE);
1469 dissect_ssl3_hnd_cert(tvbuff_t *tvb,
1470 proto_tree *tree, guint32 offset)
1473 /* opaque ASN.1Cert<2^24-1>;
1476 * ASN.1Cert certificate_list<1..2^24-1>;
1479 guint32 certificate_list_length;
1481 proto_tree *subtree;
1485 certificate_list_length = tvb_get_ntoh24(tvb, offset);
1486 proto_tree_add_uint(tree, hf_ssl_handshake_certificates_len,
1487 tvb, offset, 3, certificate_list_length);
1488 offset += 3; /* 24-bit length value */
1490 if (certificate_list_length > 0)
1492 ti = proto_tree_add_none_format(tree,
1493 hf_ssl_handshake_certificates,
1494 tvb, offset, certificate_list_length,
1495 "Certificates (%u byte%s)",
1496 certificate_list_length,
1497 plurality(certificate_list_length,
1500 /* make it a subtree */
1501 subtree = proto_item_add_subtree(ti, ett_ssl_certs);
1504 subtree = tree; /* failsafe */
1507 /* iterate through each certificate */
1508 while (certificate_list_length > 0)
1510 /* get the length of the current certificate */
1511 guint32 cert_length = tvb_get_ntoh24(tvb, offset);
1512 certificate_list_length -= 3 + cert_length;
1514 proto_tree_add_item(subtree, hf_ssl_handshake_certificate_len,
1515 tvb, offset, 3, FALSE);
1518 proto_tree_add_bytes_format(subtree,
1519 hf_ssl_handshake_certificate,
1520 tvb, offset, cert_length,
1521 tvb_get_ptr(tvb, offset, cert_length),
1522 "Certificate (%u byte%s)",
1524 plurality(cert_length, "", "s"));
1525 offset += cert_length;
1533 dissect_ssl3_hnd_cert_req(tvbuff_t *tvb,
1534 proto_tree *tree, guint32 offset)
1538 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
1540 * } ClientCertificateType;
1542 * opaque DistinguishedName<1..2^16-1>;
1545 * ClientCertificateType certificate_types<1..2^8-1>;
1546 * DistinguishedName certificate_authorities<3..2^16-1>;
1547 * } CertificateRequest;
1551 proto_tree *subtree;
1552 guint8 cert_types_count = 0;
1553 int dnames_length = 0;
1557 cert_types_count = tvb_get_guint8(tvb, offset);
1558 proto_tree_add_uint(tree, hf_ssl_handshake_cert_types_count,
1559 tvb, offset, 1, cert_types_count);
1562 if (cert_types_count > 0)
1564 ti = proto_tree_add_none_format(tree,
1565 hf_ssl_handshake_cert_types,
1566 tvb, offset, cert_types_count,
1567 "Certificate types (%u type%s)",
1569 plurality(cert_types_count, "", "s"));
1570 subtree = proto_item_add_subtree(ti, ett_ssl_cert_types);
1576 while (cert_types_count > 0)
1578 proto_tree_add_item(subtree, hf_ssl_handshake_cert_type,
1579 tvb, offset, 1, FALSE);
1585 dnames_length = tvb_get_ntohs(tvb, offset);
1586 proto_tree_add_uint(tree, hf_ssl_handshake_dnames_len,
1587 tvb, offset, 2, dnames_length);
1590 if (dnames_length > 0)
1592 ti = proto_tree_add_none_format(tree,
1593 hf_ssl_handshake_dnames,
1594 tvb, offset, dnames_length,
1595 "Distinguished Names (%d byte%s)",
1597 plurality(dnames_length, "", "s"));
1598 subtree = proto_item_add_subtree(ti, ett_ssl_dnames);
1604 while (dnames_length > 0)
1606 /* get the length of the current certificate */
1607 guint16 name_length = tvb_get_ntohs(tvb, offset);
1608 dnames_length -= 2 + name_length;
1610 proto_tree_add_item(subtree, hf_ssl_handshake_dname_len,
1611 tvb, offset, 2, FALSE);
1614 proto_tree_add_bytes_format(subtree,
1615 hf_ssl_handshake_dname,
1616 tvb, offset, name_length,
1617 tvb_get_ptr(tvb, offset, name_length),
1618 "Distinguished Name (%u byte%s)",
1620 plurality(name_length, "", "s"));
1621 offset += name_length;
1629 dissect_ssl3_hnd_finished(tvbuff_t *tvb,
1630 proto_tree *tree, guint32 offset,
1631 guint *conv_version)
1635 * opaque verify_data[12];
1640 * opaque md5_hash[16];
1641 * opaque sha_hash[20];
1645 /* this all needs a tree, so bail if we don't have one */
1651 switch(*conv_version) {
1653 proto_tree_add_item(tree, hf_ssl_handshake_finished,
1654 tvb, offset, 12, FALSE);
1658 proto_tree_add_item(tree, hf_ssl_handshake_md5_hash,
1659 tvb, offset, 16, FALSE);
1661 proto_tree_add_item(tree, hf_ssl_handshake_sha_hash,
1662 tvb, offset, 20, FALSE);
1668 /*********************************************************************
1670 * SSL version 2 Dissectors
1672 *********************************************************************/
1675 /* record layer dissector */
1677 dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
1678 guint32 offset, guint *conv_version,
1679 gboolean *need_desegmentation)
1681 guint32 initial_offset = offset;
1683 guint8 record_length_length = 0;
1684 guint32 record_length = 0;
1685 gint is_escape = -1;
1686 gint16 padding_length = -1;
1687 guint8 msg_type = 0;
1688 gchar *msg_type_str = NULL;
1689 guint32 available_bytes = 0;
1692 proto_tree *ssl_record_tree = NULL;
1694 /* pull first byte; if high bit is set, then record
1695 * length is three bytes due to padding; otherwise
1696 * record length is two bytes
1698 byte = tvb_get_guint8(tvb, offset);
1699 record_length_length = (byte & 0x80) ? 2 : 3;
1702 * Can we do reassembly?
1704 available_bytes = tvb_length_remaining(tvb, offset);
1706 if (ssl_desegment && pinfo->can_desegment) {
1708 * Yes - is the record header split across segment boundaries?
1710 if (available_bytes < record_length_length) {
1712 * Yes. Tell the TCP dissector where the data for this
1713 * message starts in the data it handed us, and how many
1714 * more bytes we need, and return.
1716 pinfo->desegment_offset = offset;
1717 pinfo->desegment_len = record_length_length - available_bytes;
1718 *need_desegmentation = TRUE;
1723 /* parse out the record length */
1724 switch(record_length_length) {
1725 case 2: /* two-byte record length */
1726 record_length = (byte & 0x7f) << 8;
1727 byte = tvb_get_guint8(tvb, offset + 1);
1728 record_length += byte;
1730 case 3: /* three-byte record length */
1731 is_escape = (byte & 0x40) ? TRUE : FALSE;
1732 record_length = (byte & 0x3f) << 8;
1733 byte = tvb_get_guint8(tvb, offset + 1);
1734 record_length += byte;
1735 byte = tvb_get_guint8(tvb, offset + 2);
1736 padding_length = byte;
1740 * Can we do reassembly?
1742 if (ssl_desegment && pinfo->can_desegment) {
1744 * Yes - is the record split across segment boundaries?
1746 if (available_bytes < (record_length_length + record_length)) {
1748 * Yes. Tell the TCP dissector where the data for this
1749 * message starts in the data it handed us, and how many
1750 * more bytes we need, and return.
1752 pinfo->desegment_offset = offset;
1753 pinfo->desegment_len = (record_length_length + record_length)
1755 *need_desegmentation = TRUE;
1759 offset += record_length_length;
1761 /* add the record layer subtree header */
1762 ti = proto_tree_add_item(tree, hf_ssl2_record, tvb, initial_offset,
1763 record_length_length + record_length, 0);
1764 ssl_record_tree = proto_item_add_subtree(ti, ett_ssl_record);
1766 /* pull the msg_type so we can bail if it's unknown */
1767 msg_type = tvb_get_guint8(tvb, initial_offset + record_length_length);
1769 /* if we get a server_hello or later handshake in v2, then set
1772 if (*conv_version == SSL_VER_UNKNOWN)
1774 if (ssl_looks_like_valid_pct_handshake(tvb,
1776 record_length_length),
1778 *conv_version = SSL_VER_PCT;
1779 ssl_set_conv_version(pinfo, *conv_version);
1781 else if (msg_type >= 2 && msg_type <= 8)
1783 *conv_version = SSL_VER_SSLv2;
1784 ssl_set_conv_version(pinfo, *conv_version);
1788 /* if we get here, but don't have a version set for the
1789 * conversation, then set a version for just this frame
1790 * (e.g., on a client hello)
1792 if (check_col(pinfo->cinfo, COL_PROTOCOL))
1794 col_set_str(pinfo->cinfo, COL_PROTOCOL,
1795 (*conv_version == SSL_VER_PCT) ? "PCT" : "SSLv2");
1798 /* see if the msg_type is valid; if not the payload is
1799 * probably encrypted, so note that fact and bail
1801 msg_type_str = match_strval(msg_type,
1802 (*conv_version == SSL_VER_PCT)
1803 ? pct_msg_types : ssl_20_msg_types);
1805 || ((*conv_version != SSL_VER_PCT) &&
1806 !ssl_looks_like_valid_v2_handshake(tvb, initial_offset
1807 + record_length_length,
1809 || ((*conv_version == SSL_VER_PCT) &&
1810 !ssl_looks_like_valid_pct_handshake(tvb, initial_offset
1811 + record_length_length,
1814 if (ssl_record_tree)
1816 proto_item_set_text(ssl_record_tree, "%s Record Layer: %s",
1817 (*conv_version == SSL_VER_PCT)
1821 if (check_col(pinfo->cinfo, COL_INFO))
1822 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted Data");
1823 return initial_offset + record_length_length + record_length;
1827 if (check_col(pinfo->cinfo, COL_INFO))
1828 col_append_str(pinfo->cinfo, COL_INFO, msg_type_str);
1830 if (ssl_record_tree)
1832 proto_item_set_text(ssl_record_tree, "%s Record Layer: %s",
1833 (*conv_version == SSL_VER_PCT)
1839 /* We have a valid message type, so move foward, filling in the
1840 * tree by adding the length, is_escape boolean and padding_length,
1841 * if present in the original packet
1843 if (ssl_record_tree)
1845 /* add the record length */
1846 ti = proto_tree_add_uint (ssl_record_tree,
1847 hf_ssl_record_length, tvb,
1848 initial_offset, record_length_length,
1851 if (ssl_record_tree && is_escape != -1)
1853 proto_tree_add_boolean(ssl_record_tree,
1854 hf_ssl2_record_is_escape, tvb,
1855 initial_offset, 1, is_escape);
1857 if (ssl_record_tree && padding_length != -1)
1859 proto_tree_add_uint(ssl_record_tree,
1860 hf_ssl2_record_padding_length, tvb,
1861 initial_offset + 2, 1, padding_length);
1865 * dissect the record data
1868 /* jump forward to the start of the record data */
1869 offset = initial_offset + record_length_length;
1871 /* add the message type */
1872 if (ssl_record_tree)
1874 proto_tree_add_item(ssl_record_tree,
1875 (*conv_version == SSL_VER_PCT)
1876 ? hf_pct_msg_type : hf_ssl2_msg_type,
1879 offset++; /* move past msg_type byte */
1881 if (*conv_version != SSL_VER_PCT)
1883 /* dissect the message (only handle client hello right now) */
1885 case SSL2_HND_CLIENT_HELLO:
1886 dissect_ssl2_hnd_client_hello(tvb, ssl_record_tree, offset);
1889 case SSL2_HND_CLIENT_MASTER_KEY:
1890 dissect_ssl2_hnd_client_master_key(tvb, ssl_record_tree, offset);
1893 case SSL2_HND_SERVER_HELLO:
1894 dissect_ssl2_hnd_server_hello(tvb, ssl_record_tree, offset);
1897 case SSL2_HND_ERROR:
1898 case SSL2_HND_CLIENT_FINISHED:
1899 case SSL2_HND_SERVER_VERIFY:
1900 case SSL2_HND_SERVER_FINISHED:
1901 case SSL2_HND_REQUEST_CERTIFICATE:
1902 case SSL2_HND_CLIENT_CERTIFICATE:
1906 default: /* unknown */
1912 /* dissect the message */
1914 case PCT_MSG_CLIENT_HELLO:
1915 case PCT_MSG_SERVER_HELLO:
1916 case PCT_MSG_CLIENT_MASTER_KEY:
1917 case PCT_MSG_SERVER_VERIFY:
1922 default: /* unknown */
1926 return (initial_offset + record_length_length + record_length);
1930 dissect_ssl2_hnd_client_hello(tvbuff_t *tvb,
1931 proto_tree *tree, guint32 offset)
1936 * uint16 cipher_spec_length;
1937 * uint16 session_id_length;
1938 * uint16 challenge_length;
1939 * V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length];
1940 * opaque session_id[V2ClientHello.session_id_length];
1944 * Note: when we get here, offset's already pointing at Version
1948 guint16 cipher_spec_length;
1949 guint16 session_id_length;
1950 guint16 challenge_length;
1953 proto_tree *cs_tree;
1955 version = tvb_get_ntohs(tvb, offset);
1956 if (!ssl_is_valid_ssl_version(version))
1958 /* invalid version; probably encrypted data */
1964 /* show the version */
1965 proto_tree_add_item(tree, hf_ssl_record_version, tvb,
1969 cipher_spec_length = tvb_get_ntohs(tvb, offset);
1970 proto_tree_add_item(tree, hf_ssl2_handshake_cipher_spec_len,
1971 tvb, offset, 2, FALSE);
1974 session_id_length = tvb_get_ntohs(tvb, offset);
1975 proto_tree_add_item(tree, hf_ssl2_handshake_session_id_len,
1976 tvb, offset, 2, FALSE);
1979 challenge_length = tvb_get_ntohs(tvb, offset);
1980 proto_tree_add_item(tree, hf_ssl2_handshake_challenge_len,
1981 tvb, offset, 2, FALSE);
1984 /* tell the user how many cipher specs they've won */
1985 ti = proto_tree_add_none_format(tree, hf_ssl_handshake_cipher_suites,
1986 tvb, offset, cipher_spec_length,
1987 "Cipher Specs (%u specs)",
1988 cipher_spec_length/3);
1990 /* make this a subtree and expand the actual specs below */
1991 cs_tree = proto_item_add_subtree(ti, ett_ssl_cipher_suites);
1994 cs_tree = tree; /* failsafe */
1997 /* iterate through the cipher specs, showing them */
1998 while (cipher_spec_length > 0)
2000 proto_tree_add_item(cs_tree, hf_ssl2_handshake_cipher_spec,
2001 tvb, offset, 3, FALSE);
2002 offset += 3; /* length of one cipher spec */
2003 cipher_spec_length -= 3;
2006 /* if there's a session id, show it */
2007 if (session_id_length > 0)
2009 proto_tree_add_bytes_format(tree,
2010 hf_ssl_handshake_session_id,
2011 tvb, offset, session_id_length,
2012 tvb_get_ptr(tvb, offset, session_id_length),
2013 "Session ID (%u byte%s)",
2015 plurality(session_id_length, "", "s"));
2017 offset += session_id_length;
2020 /* if there's a challenge, show it */
2021 if (challenge_length > 0)
2023 proto_tree_add_item(tree, hf_ssl2_handshake_challenge,
2024 tvb, offset, challenge_length, 0);
2025 offset += challenge_length;
2031 dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb,
2032 proto_tree *tree, guint32 offset)
2036 * V2Cipherspec cipher;
2037 * uint16 clear_key_length;
2038 * uint16 encrypted_key_length;
2039 * uint16 key_arg_length;
2040 * opaque clear_key_data[V2ClientMasterKey.clear_key_length];
2041 * opaque encrypted_key_data[V2ClientMasterKey.encrypted_key_length];
2042 * opaque key_arg_data[V2ClientMasterKey.key_arg_length];
2043 * } V2ClientMasterKey;
2045 * Note: when we get here, offset's already pointing at cipher
2047 guint16 clear_key_length;
2048 guint16 encrypted_key_length;
2049 guint16 key_arg_length;
2051 /* at this point, everything we do involves the tree,
2052 * so quit now if we don't have one ;-)
2059 /* show the selected cipher */
2060 proto_tree_add_item(tree, hf_ssl2_handshake_cipher_spec,
2061 tvb, offset, 3, FALSE);
2064 /* get the fixed fields */
2065 clear_key_length = tvb_get_ntohs(tvb, offset);
2066 proto_tree_add_item(tree, hf_ssl2_handshake_clear_key_len,
2067 tvb, offset, 2, FALSE);
2070 encrypted_key_length = tvb_get_ntohs(tvb, offset);
2071 proto_tree_add_item(tree, hf_ssl2_handshake_enc_key_len,
2072 tvb, offset, 2, FALSE);
2075 key_arg_length = tvb_get_ntohs(tvb, offset);
2076 proto_tree_add_item(tree, hf_ssl2_handshake_key_arg_len,
2077 tvb, offset, 2, FALSE);
2080 /* show the variable length fields */
2081 if (clear_key_length > 0)
2083 proto_tree_add_item(tree, hf_ssl2_handshake_clear_key,
2084 tvb, offset, clear_key_length, FALSE);
2085 offset += clear_key_length;
2088 if (encrypted_key_length > 0)
2090 proto_tree_add_item(tree, hf_ssl2_handshake_enc_key,
2091 tvb, offset, encrypted_key_length, FALSE);
2092 offset += encrypted_key_length;
2095 if (key_arg_length > 0)
2097 proto_tree_add_item(tree, hf_ssl2_handshake_key_arg,
2098 tvb, offset, key_arg_length, FALSE);
2099 offset += key_arg_length;
2105 dissect_ssl2_hnd_server_hello(tvbuff_t *tvb,
2106 proto_tree *tree, guint32 offset)
2110 * uint8 session_id_hit;
2111 * uint8 certificate_type;
2112 * uint16 server_version;
2113 * uint16 certificate_length;
2114 * uint16 cipher_specs_length;
2115 * uint16 connection_id_length;
2116 * opaque certificate_data[V2ServerHello.certificate_length];
2117 * opaque cipher_specs_data[V2ServerHello.cipher_specs_length];
2118 * opaque connection_id_data[V2ServerHello.connection_id_length];
2121 * Note: when we get here, offset's already pointing at session_id_hit
2123 guint16 certificate_length;
2124 guint16 cipher_spec_length;
2125 guint16 connection_id_length;
2128 proto_tree *subtree;
2130 /* everything we do only makes sense with a tree, so
2131 * quit now if we don't have one
2138 version = tvb_get_ntohs(tvb, offset + 2);
2139 if (!ssl_is_valid_ssl_version(version))
2141 /* invalid version; probably encrypted data */
2146 /* is there a hit? */
2147 proto_tree_add_item(tree, hf_ssl2_handshake_session_id_hit,
2148 tvb, offset, 1, FALSE);
2151 /* what type of certificate is this? */
2152 proto_tree_add_item(tree, hf_ssl2_handshake_cert_type,
2153 tvb, offset, 1, FALSE);
2156 /* now the server version */
2157 proto_tree_add_item(tree, hf_ssl_handshake_server_version,
2158 tvb, offset, 2, FALSE);
2161 /* get the fixed fields */
2162 certificate_length = tvb_get_ntohs(tvb, offset);
2163 proto_tree_add_uint(tree, hf_ssl_handshake_certificate_len,
2164 tvb, offset, 2, certificate_length);
2167 cipher_spec_length = tvb_get_ntohs(tvb, offset);
2168 proto_tree_add_uint(tree, hf_ssl2_handshake_cipher_spec_len,
2169 tvb, offset, 2, cipher_spec_length);
2172 connection_id_length = tvb_get_ntohs(tvb, offset);
2173 proto_tree_add_uint(tree, hf_ssl2_handshake_connection_id_len,
2174 tvb, offset, 2, connection_id_length);
2177 /* now the variable length fields */
2178 if (certificate_length > 0)
2180 proto_tree_add_bytes_format(tree, hf_ssl_handshake_certificate,
2181 tvb, offset, certificate_length,
2182 tvb_get_ptr(tvb, offset, certificate_length),
2183 "Certificate (%u byte%s)",
2185 plurality(certificate_length, "", "s"));
2186 offset += certificate_length;
2189 if (cipher_spec_length > 0)
2191 /* provide a collapsing node for the cipher specs */
2192 ti = proto_tree_add_none_format(tree,
2193 hf_ssl_handshake_cipher_suites,
2194 tvb, offset, cipher_spec_length,
2195 "Cipher Specs (%u spec%s)",
2196 cipher_spec_length/3,
2197 plurality(cipher_spec_length/3, "", "s"));
2198 subtree = proto_item_add_subtree(ti, ett_ssl_cipher_suites);
2204 /* iterate through the cipher specs */
2205 while (cipher_spec_length > 0)
2207 proto_tree_add_item(subtree, hf_ssl2_handshake_cipher_spec,
2208 tvb, offset, 3, FALSE);
2210 cipher_spec_length -= 3;
2214 if (connection_id_length > 0)
2216 proto_tree_add_item(tree, hf_ssl2_handshake_connection_id,
2217 tvb, offset, connection_id_length, FALSE);
2218 offset += connection_id_length;
2226 /*********************************************************************
2230 *********************************************************************/
2233 ssl_set_conv_version(packet_info *pinfo, guint version)
2235 conversation_t *conversation;
2237 if (pinfo->fd->flags.visited)
2239 /* We've already processed this frame; no need to do any more
2245 conversation = find_conversation(&pinfo->src, &pinfo->dst, pinfo->ptype,
2246 pinfo->srcport, pinfo->destport, 0);
2248 if (conversation == NULL)
2250 /* create a new conversation */
2251 conversation = conversation_new(&pinfo->src, &pinfo->dst, pinfo->ptype,
2252 pinfo->srcport, pinfo->destport, 0);
2255 if (conversation_get_proto_data(conversation, proto_ssl) != NULL)
2257 /* get rid of the current data */
2258 conversation_delete_proto_data(conversation, proto_ssl);
2260 conversation_add_proto_data(conversation, proto_ssl, GINT_TO_POINTER(version));
2264 ssl_is_valid_handshake_type(guint8 type)
2268 case SSL_HND_HELLO_REQUEST:
2269 case SSL_HND_CLIENT_HELLO:
2270 case SSL_HND_SERVER_HELLO:
2271 case SSL_HND_CERTIFICATE:
2272 case SSL_HND_SERVER_KEY_EXCHG:
2273 case SSL_HND_CERT_REQUEST:
2274 case SSL_HND_SVR_HELLO_DONE:
2275 case SSL_HND_CERT_VERIFY:
2276 case SSL_HND_CLIENT_KEY_EXCHG:
2277 case SSL_HND_FINISHED:
2284 ssl_is_valid_content_type(guint8 type)
2286 if (type >= 0x14 && type <= 0x17)
2295 ssl_is_valid_ssl_version(guint16 version)
2297 gchar *version_str = match_strval(version, ssl_versions);
2298 return version_str != NULL;
2302 ssl_is_authoritative_version_message(guint8 content_type,
2305 if (content_type == SSL_ID_HANDSHAKE
2306 && ssl_is_valid_handshake_type(next_byte))
2308 return (next_byte != SSL_HND_CLIENT_HELLO);
2310 else if (ssl_is_valid_content_type(content_type)
2311 && content_type != SSL_ID_HANDSHAKE)
2319 ssl_is_v2_client_hello(tvbuff_t *tvb, guint32 offset)
2323 byte = tvb_get_guint8(tvb, offset);
2324 if (byte != 0x80) /* v2 client hello should start this way */
2329 byte = tvb_get_guint8(tvb, offset+2);
2330 if (byte != 0x01) /* v2 client hello msg type */
2335 /* 1 in 2^16 of being right; improve later if necessary */
2339 /* this applies a heuristic to determine whether
2340 * or not the data beginning at offset looks like a
2341 * valid sslv2 record. this isn't really possible,
2342 * but we'll try to do a reasonable job anyway.
2345 ssl_looks_like_sslv2(tvbuff_t *tvb, guint32 offset)
2347 /* here's the current approach:
2349 * we only try to catch unencrypted handshake messages, so we can
2350 * assume that there is not padding. This means that the
2351 * first byte must be >= 0x80 and there must be a valid sslv2
2352 * msg_type in the third byte
2355 /* get the first byte; must have high bit set */
2356 guint8 byte = tvb_get_guint8(tvb, offset);
2362 /* get the supposed msg_type byte; since we only care about
2363 * unencrypted handshake messages (we can't tell the type for
2364 * encrypted messages), we just check against that list
2366 byte = tvb_get_guint8(tvb, offset + 2);
2368 case SSL2_HND_ERROR:
2369 case SSL2_HND_CLIENT_HELLO:
2370 case SSL2_HND_CLIENT_MASTER_KEY:
2371 case SSL2_HND_SERVER_HELLO:
2372 case PCT_MSG_CLIENT_MASTER_KEY:
2379 /* this applies a heuristic to determine whether
2380 * or not the data beginning at offset looks like a
2381 * valid sslv3 record. this is somewhat more reliable
2382 * than sslv2 due to the structure of the v3 protocol
2385 ssl_looks_like_sslv3(tvbuff_t *tvb, guint32 offset)
2387 /* have to have a valid content type followed by a valid
2393 /* see if the first byte is a valid content type */
2394 byte = tvb_get_guint8(tvb, offset);
2395 if (!ssl_is_valid_content_type(byte))
2400 /* now check to see if the version byte appears valid */
2401 version = tvb_get_ntohs(tvb, offset + 1);
2402 if (version != 0x0300 && version != 0x0301)
2410 /* applies a heuristic to determine whether
2411 * or not the data beginning at offset looks
2412 * like a valid, unencrypted v2 handshake message.
2413 * since it isn't possible to completely tell random
2414 * data apart from a valid message without state,
2415 * we try to help the odds.
2418 ssl_looks_like_valid_v2_handshake(tvbuff_t *tvb, guint32 offset,
2419 guint32 record_length)
2421 /* first byte should be a msg_type.
2423 * - we know we only see client_hello, client_master_key,
2424 * and server_hello in the clear, so check to see if
2425 * msg_type is one of those (this gives us a 3 in 2^8
2426 * chance of saying yes with random payload)
2428 * - for those three types that we know about, do some
2429 * further validation to reduce the chance of an error
2435 /* fetch the msg_type */
2436 msg_type = tvb_get_guint8(tvb, offset);
2439 case SSL2_HND_CLIENT_HELLO:
2440 /* version follows msg byte, so verify that this is valid */
2441 version = tvb_get_ntohs(tvb, offset+1);
2442 return ssl_is_valid_ssl_version(version);
2445 case SSL2_HND_SERVER_HELLO:
2446 /* version is three bytes after msg_type */
2447 version = tvb_get_ntohs(tvb, offset+3);
2448 return ssl_is_valid_ssl_version(version);
2451 case SSL2_HND_CLIENT_MASTER_KEY:
2452 /* sum of clear_key_length, encrypted_key_length, and key_arg_length
2453 * must be less than record length
2455 sum = tvb_get_ntohs(tvb, offset + 4); /* clear_key_length */
2456 sum += tvb_get_ntohs(tvb, offset + 6); /* encrypted_key_length */
2457 sum += tvb_get_ntohs(tvb, offset + 8); /* key_arg_length */
2458 if (sum > record_length)
2471 /* applies a heuristic to determine whether
2472 * or not the data beginning at offset looks
2473 * like a valid, unencrypted v2 handshake message.
2474 * since it isn't possible to completely tell random
2475 * data apart from a valid message without state,
2476 * we try to help the odds.
2479 ssl_looks_like_valid_pct_handshake(tvbuff_t *tvb, guint32 offset,
2480 guint32 record_length)
2482 /* first byte should be a msg_type.
2484 * - we know we only see client_hello, client_master_key,
2485 * and server_hello in the clear, so check to see if
2486 * msg_type is one of those (this gives us a 3 in 2^8
2487 * chance of saying yes with random payload)
2489 * - for those three types that we know about, do some
2490 * further validation to reduce the chance of an error
2496 /* fetch the msg_type */
2497 msg_type = tvb_get_guint8(tvb, offset);
2500 case PCT_MSG_CLIENT_HELLO:
2501 /* version follows msg byte, so verify that this is valid */
2502 version = tvb_get_ntohs(tvb, offset+1);
2503 return version == PCT_VERSION_1;
2506 case PCT_MSG_SERVER_HELLO:
2507 /* version is one byte after msg_type */
2508 version = tvb_get_ntohs(tvb, offset+2);
2509 return version == PCT_VERSION_1;
2512 case PCT_MSG_CLIENT_MASTER_KEY:
2513 /* sum of various length fields must be less than record length */
2514 sum = tvb_get_ntohs(tvb, offset + 6); /* clear_key_length */
2515 sum += tvb_get_ntohs(tvb, offset + 8); /* encrypted_key_length */
2516 sum += tvb_get_ntohs(tvb, offset + 10); /* key_arg_length */
2517 sum += tvb_get_ntohs(tvb, offset + 12); /* verify_prelude_length */
2518 sum += tvb_get_ntohs(tvb, offset + 14); /* client_cert_length */
2519 sum += tvb_get_ntohs(tvb, offset + 16); /* response_length */
2520 if (sum > record_length)
2527 case PCT_MSG_SERVER_VERIFY:
2528 /* record is 36 bytes longer than response_length */
2529 sum = tvb_get_ntohs(tvb, offset + 34); /* response_length */
2530 if ((sum + 36) == record_length)
2543 /*********************************************************************
2545 * Standard Ethereal Protocol Registration and housekeeping
2547 *********************************************************************/
2549 proto_register_ssl(void)
2552 /* Setup list of header fields See Section 1.6.1 for details*/
2553 static hf_register_info hf[] = {
2555 { "Record Layer", "ssl.record",
2556 FT_NONE, BASE_NONE, NULL, 0x0,
2557 "Record layer", HFILL }
2559 { &hf_ssl_record_content_type,
2560 { "Content Type", "ssl.record.content_type",
2561 FT_UINT8, BASE_DEC, VALS(ssl_31_content_type), 0x0,
2562 "Content type", HFILL}
2564 { &hf_ssl2_msg_type,
2565 { "Handshake Message Type", "ssl.handshake.type",
2566 FT_UINT8, BASE_DEC, VALS(ssl_20_msg_types), 0x0,
2567 "SSLv2 handshake message type", HFILL}
2570 { "Handshake Message Type", "ssl.pct_handshake.type",
2571 FT_UINT8, BASE_DEC, VALS(pct_msg_types), 0x0,
2572 "PCT handshake message type", HFILL}
2574 { &hf_ssl_record_version,
2575 { "Version", "ssl.record.version",
2576 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2577 "Record layer version.", HFILL }
2579 { &hf_ssl_record_length,
2580 { "Length", "ssl.record.length",
2581 FT_UINT16, BASE_DEC, NULL, 0x0,
2582 "Length of SSL record data", HFILL }
2584 { &hf_ssl_record_appdata,
2585 { "Application Data", "ssl.app_data",
2586 FT_NONE, BASE_NONE, NULL, 0x0,
2587 "Payload is application data", HFILL }
2590 { "SSLv2/PCT Record Header", "ssl.record",
2591 FT_NONE, BASE_DEC, NULL, 0x0,
2592 "SSLv2/PCT record data", HFILL }
2594 { &hf_ssl2_record_is_escape,
2595 { "Is Escape", "ssl.record.is_escape",
2596 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2597 "Indicates a security escape", HFILL}
2599 { &hf_ssl2_record_padding_length,
2600 { "Padding Length", "ssl.record.padding_length",
2601 FT_UINT8, BASE_DEC, NULL, 0x0,
2602 "Length of padding at end of record", HFILL }
2604 { &hf_ssl_change_cipher_spec,
2605 { "Change Cipher Spec Message", "ssl.change_cipher_spec",
2606 FT_NONE, BASE_NONE, NULL, 0x0,
2607 "Signals a change in cipher specifications", HFILL }
2609 { & hf_ssl_alert_message,
2610 { "Alert Message", "ssl.alert_message",
2611 FT_NONE, BASE_NONE, NULL, 0x0,
2612 "Alert message", HFILL }
2614 { & hf_ssl_alert_message_level,
2615 { "Level", "ssl.alert_message.level",
2616 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_level), 0x0,
2617 "Alert message level", HFILL }
2619 { &hf_ssl_alert_message_description,
2620 { "Description", "ssl.alert_message.desc",
2621 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_description), 0x0,
2622 "Alert message description", HFILL }
2624 { &hf_ssl_handshake_protocol,
2625 { "Handshake Protocol", "ssl.handshake",
2626 FT_NONE, BASE_NONE, NULL, 0x0,
2627 "Handshake protocol message", HFILL}
2629 { &hf_ssl_handshake_type,
2630 { "Handshake Type", "ssl.handshake.type",
2631 FT_UINT8, BASE_DEC, VALS(ssl_31_handshake_type), 0x0,
2632 "Type of handshake message", HFILL}
2634 { &hf_ssl_handshake_length,
2635 { "Length", "ssl.handshake.length",
2636 FT_UINT24, BASE_DEC, NULL, 0x0,
2637 "Length of handshake message", HFILL }
2639 { &hf_ssl_handshake_client_version,
2640 { "Version", "ssl.handshake.version",
2641 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2642 "Maximum version supported by client", HFILL }
2644 { &hf_ssl_handshake_server_version,
2645 { "Version", "ssl.handshake.version",
2646 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2647 "Version selected by server", HFILL }
2649 { &hf_ssl_handshake_random_time,
2650 { "Random.gmt_unix_time", "ssl.handshake.random_time",
2651 FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0x0,
2652 "Unix time field of random structure", HFILL }
2654 { &hf_ssl_handshake_random_bytes,
2655 { "Random.bytes", "ssl.handshake.random",
2656 FT_NONE, BASE_NONE, NULL, 0x0,
2657 "Random challenge used to authenticate server", HFILL }
2659 { &hf_ssl_handshake_cipher_suites_len,
2660 { "Cipher Suites Length", "ssl.handshake.cipher_suites_length",
2661 FT_UINT16, BASE_DEC, NULL, 0x0,
2662 "Length of cipher suites field", HFILL }
2664 { &hf_ssl_handshake_cipher_suites,
2665 { "Cipher Suites", "ssl.handshake.ciphersuites",
2666 FT_NONE, BASE_NONE, NULL, 0x0,
2667 "List of cipher suites supported by client", HFILL }
2669 { &hf_ssl_handshake_cipher_suite,
2670 { "Cipher Suite", "ssl.handshake.ciphersuite",
2671 FT_UINT16, BASE_HEX, VALS(ssl_31_ciphersuite), 0x0,
2672 "Cipher suite", HFILL }
2674 { &hf_ssl2_handshake_cipher_spec,
2675 { "Cipher Spec", "ssl.handshake.cipherspec",
2676 FT_UINT24, BASE_HEX, VALS(ssl_20_cipher_suites), 0x0,
2677 "Cipher specification", HFILL }
2679 { &hf_ssl_handshake_session_id,
2680 { "Session ID", "ssl.handshake.session_id",
2681 FT_BYTES, BASE_NONE, NULL, 0x0,
2682 "Identifies the SSL session, allowing later resumption", HFILL }
2684 { &hf_ssl_handshake_comp_methods_len,
2685 { "Compression Methods Length", "ssl.handshake.comp_methods_length",
2686 FT_UINT8, BASE_DEC, NULL, 0x0,
2687 "Length of compression methods field", HFILL }
2689 { &hf_ssl_handshake_comp_methods,
2690 { "Compression Methods", "ssl.handshake.comp_methods",
2691 FT_NONE, BASE_NONE, NULL, 0x0,
2692 "List of compression methods supported by client", HFILL }
2694 { &hf_ssl_handshake_comp_method,
2695 { "Compression Method", "ssl.handshake.comp_method",
2696 FT_UINT8, BASE_DEC, VALS(ssl_31_compression_method), 0x0,
2697 "Compression Method", HFILL }
2699 { &hf_ssl_handshake_certificates_len,
2700 { "Certificates Length", "ssl.handshake.certificates_length",
2701 FT_UINT24, BASE_DEC, NULL, 0x0,
2702 "Length of certificates field", HFILL }
2704 { &hf_ssl_handshake_certificates,
2705 { "Certificates", "ssl.handshake.certificates",
2706 FT_NONE, BASE_NONE, NULL, 0x0,
2707 "List of certificates", HFILL }
2709 { &hf_ssl_handshake_certificate,
2710 { "Certificate", "ssl.handshake.certificate",
2711 FT_BYTES, BASE_NONE, NULL, 0x0,
2712 "Certificate", HFILL }
2714 { &hf_ssl_handshake_certificate_len,
2715 { "Certificate Length", "ssl.handshake.certificate_length",
2716 FT_UINT24, BASE_DEC, NULL, 0x0,
2717 "Length of certificate", HFILL }
2719 { &hf_ssl_handshake_cert_types_count,
2720 { "Certificate types count", "ssl.handshake.cert_types_count",
2721 FT_UINT8, BASE_DEC, NULL, 0x0,
2722 "Count of certificate types", HFILL }
2724 { &hf_ssl_handshake_cert_types,
2725 { "Certificate types", "ssl.handshake.cert_types",
2726 FT_NONE, BASE_NONE, NULL, 0x0,
2727 "List of certificate types", HFILL }
2729 { &hf_ssl_handshake_cert_type,
2730 { "Certificate type", "ssl.handshake.cert_type",
2731 FT_UINT8, BASE_DEC, VALS(ssl_31_client_certificate_type), 0x0,
2732 "Certificate type", HFILL }
2734 { &hf_ssl_handshake_finished,
2735 { "Verify Data", "ssl.handshake.verify_data",
2736 FT_NONE, BASE_NONE, NULL, 0x0,
2737 "Opaque verification data", HFILL }
2739 { &hf_ssl_handshake_md5_hash,
2740 { "MD5 Hash", "ssl.handshake.md5_hash",
2741 FT_NONE, BASE_NONE, NULL, 0x0,
2742 "Hash of messages, master_secret, etc.", HFILL }
2744 { &hf_ssl_handshake_sha_hash,
2745 { "SHA-1 Hash", "ssl.handshake.sha_hash",
2746 FT_NONE, BASE_NONE, NULL, 0x0,
2747 "Hash of messages, master_secret, etc.", HFILL }
2749 { &hf_ssl_handshake_session_id_len,
2750 { "Session ID Length", "ssl.handshake.session_id_length",
2751 FT_UINT8, BASE_DEC, NULL, 0x0,
2752 "Length of session ID field", HFILL }
2754 { &hf_ssl_handshake_dnames_len,
2755 { "Distinguished Names Length", "ssl.handshake.dnames_len",
2756 FT_UINT16, BASE_DEC, NULL, 0x0,
2757 "Length of list of CAs that server trusts", HFILL }
2759 { &hf_ssl_handshake_dnames,
2760 { "Distinguished Names", "ssl.handshake.dnames",
2761 FT_NONE, BASE_NONE, NULL, 0x0,
2762 "List of CAs that server trusts", HFILL }
2764 { &hf_ssl_handshake_dname_len,
2765 { "Distinguished Name Length", "ssl.handshake.dname_len",
2766 FT_UINT16, BASE_DEC, NULL, 0x0,
2767 "Length of distinguished name", HFILL }
2769 { &hf_ssl_handshake_dname,
2770 { "Distinguished Name", "ssl.handshake.dname",
2771 FT_BYTES, BASE_NONE, NULL, 0x0,
2772 "Distinguished name of a CA that server trusts", HFILL }
2774 { &hf_ssl2_handshake_challenge,
2775 { "Challenge", "ssl.handshake.challenge",
2776 FT_NONE, BASE_NONE, NULL, 0x0,
2777 "Challenge data used to authenticate server", HFILL }
2779 { &hf_ssl2_handshake_cipher_spec_len,
2780 { "Cipher Spec Length", "ssl.handshake.cipher_spec_len",
2781 FT_UINT16, BASE_DEC, NULL, 0x0,
2782 "Length of cipher specs field", HFILL }
2784 { &hf_ssl2_handshake_session_id_len,
2785 { "Session ID Length", "ssl.handshake.session_id_length",
2786 FT_UINT16, BASE_DEC, NULL, 0x0,
2787 "Length of session ID field", HFILL }
2789 { &hf_ssl2_handshake_challenge_len,
2790 { "Challenge Length", "ssl.handshake.challenge_length",
2791 FT_UINT16, BASE_DEC, NULL, 0x0,
2792 "Length of challenge field", HFILL }
2794 { &hf_ssl2_handshake_clear_key_len,
2795 { "Clear Key Data Length", "ssl.handshake.clear_key_length",
2796 FT_UINT16, BASE_DEC, NULL, 0x0,
2797 "Length of clear key data", HFILL }
2799 { &hf_ssl2_handshake_enc_key_len,
2800 { "Encrypted Key Data Length", "ssl.handshake.encrypted_key_length",
2801 FT_UINT16, BASE_DEC, NULL, 0x0,
2802 "Length of encrypted key data", HFILL }
2804 { &hf_ssl2_handshake_key_arg_len,
2805 { "Key Argument Length", "ssl.handshake.key_arg_length",
2806 FT_UINT16, BASE_DEC, NULL, 0x0,
2807 "Length of key argument", HFILL }
2809 { &hf_ssl2_handshake_clear_key,
2810 { "Clear Key Data", "ssl.handshake.clear_key_data",
2811 FT_NONE, BASE_NONE, NULL, 0x0,
2812 "Clear portion of MASTER-KEY", HFILL }
2814 { &hf_ssl2_handshake_enc_key,
2815 { "Encrypted Key", "ssl.handshake.encrypted_key",
2816 FT_NONE, BASE_NONE, NULL, 0x0,
2817 "Secret portion of MASTER-KEY encrypted to server", HFILL }
2819 { &hf_ssl2_handshake_key_arg,
2820 { "Key Argument", "ssl.handshake.key_arg",
2821 FT_NONE, BASE_NONE, NULL, 0x0,
2822 "Key Argument (e.g., Initialization Vector)", HFILL }
2824 { &hf_ssl2_handshake_session_id_hit,
2825 { "Session ID Hit", "ssl.handshake.session_id_hit",
2826 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2827 "Did the server find the client's Session ID?", HFILL }
2829 { &hf_ssl2_handshake_cert_type,
2830 { "Certificate Type", "ssl.handshake.cert_type",
2831 FT_UINT8, BASE_DEC, VALS(ssl_20_certificate_type), 0x0,
2832 "Certificate Type", HFILL }
2834 { &hf_ssl2_handshake_connection_id_len,
2835 { "Connection ID Length", "ssl.handshake.connection_id_length",
2836 FT_UINT16, BASE_DEC, NULL, 0x0,
2837 "Length of connection ID", HFILL }
2839 { &hf_ssl2_handshake_connection_id,
2840 { "Connection ID", "ssl.handshake.connection_id",
2841 FT_NONE, BASE_NONE, NULL, 0x0,
2842 "Server's challenge to client", HFILL }
2846 /* Setup protocol subtree array */
2847 static gint *ett[] = {
2852 &ett_ssl_cipher_suites,
2853 &ett_ssl_comp_methods,
2855 &ett_ssl_cert_types,
2859 /* Register the protocol name and description */
2860 proto_ssl = proto_register_protocol("Secure Socket Layer",
2863 /* Required function calls to register the header fields and
2865 proto_register_field_array(proto_ssl, hf, array_length(hf));
2866 proto_register_subtree_array(ett, array_length(ett));
2869 module_t *ssl_module = prefs_register_protocol(proto_ssl, NULL);
2870 prefs_register_bool_preference(ssl_module,
2871 "desegment_ssl_records",
2872 "Desegment SSL records",
2873 "When enabled, SSL records that span multiple TCP segments are desegmented",
2877 register_dissector("ssl", dissect_ssl, proto_ssl);
2881 /* If this dissector uses sub-dissector registration add a registration
2882 * routine. This format is required because a script is used to find
2883 * these routines and create the code that calls these routines.
2886 proto_reg_handoff_ssl(void)
2888 dissector_handle_t ssl_handle;
2890 ssl_handle = find_dissector("ssl");
2891 dissector_add("tcp.port", TCP_PORT_SSL, ssl_handle);
2892 dissector_add("tcp.port", TCP_PORT_SSL_LDAP, ssl_handle);
2893 dissector_add("tcp.port", TCP_PORT_SSL_IMAP, ssl_handle);
2894 dissector_add("tcp.port", TCP_PORT_SSL_POP, ssl_handle);