2 * Routines for dtls dissection
3 * Copyright (c) 2006, Authesserre Samuel <sauthess@gmail.com>
4 * Copyright (c) 2007, Mikael Magnusson <mikma@users.sourceforge.net>
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 * DTLS dissection and decryption.
28 * See RFC 4347 for details about DTLS specs.
31 * This dissector is based on TLS one (packet-ssl.c) because of the proximity of DTLS and TLS, decryption works like him with RSA key exchange.
32 * It uses the sames things (file, libraries) that SSL one (gnutls, packet-ssl-utils.h) to make it easily maintenable.
34 * It was developped to dissect and decrypt OpenSSL v 0.9.8f DTLS implementation.
35 * It is limited to this implementation while there is no complete implementation.
39 * - DTLS decryption (openssl one)
42 * - activate correct Mac calculation when openssl will be corrected
43 * (or if an other implementation works),
44 * corrected code is ready and commented in packet-ssl-utils.h file.
45 * - add missings things (desegmentation, reordering... that aren't present in actual OpenSSL implementation)
52 #ifdef HAVE_SYS_TYPES_H
53 #include <sys/types.h>
56 #ifdef HAVE_SYS_SOCKET_H
57 #include <sys/socket.h>
60 #ifdef HAVE_WINSOCK2_H
66 #include <epan/conversation.h>
67 #include <epan/prefs.h>
68 #include <epan/asn1.h>
69 #include <epan/dissectors/packet-x509af.h>
70 #include <epan/emem.h>
72 #include <epan/reassemble.h>
73 #ifdef NEED_INET_V6DEFS_H
74 #include "wsutil/inet_v6defs.h"
76 #include "packet-ssl-utils.h"
78 /* we need to remember the top tree so that subdissectors we call are created
79 * at the root and not deep down inside the DTLS decode
81 static proto_tree *top_tree;
83 /*********************************************************************
85 * Protocol Constants, Variables, Data Structures
87 *********************************************************************/
89 /* Initialize the protocol and registered fields */
90 static gint dtls_tap = -1;
91 static gint proto_dtls = -1;
92 static gint hf_dtls_record = -1;
93 static gint hf_dtls_record_content_type = -1;
94 static gint hf_dtls_record_version = -1;
95 static gint hf_dtls_record_epoch = -1;
96 static gint hf_dtls_record_sequence_number = -1;
97 static gint hf_dtls_record_length = -1;
98 static gint hf_dtls_record_appdata = -1;
99 static gint hf_dtls_change_cipher_spec = -1;
100 static gint hf_dtls_alert_message = -1;
101 static gint hf_dtls_alert_message_level = -1;
102 static gint hf_dtls_alert_message_description = -1;
103 static gint hf_dtls_handshake_protocol = -1;
104 static gint hf_dtls_handshake_type = -1;
105 static gint hf_dtls_handshake_length = -1;
106 static gint hf_dtls_handshake_message_seq = -1;
107 static gint hf_dtls_handshake_fragment_offset = -1;
108 static gint hf_dtls_handshake_fragment_length = -1;
109 static gint hf_dtls_handshake_client_version = -1;
110 static gint hf_dtls_handshake_server_version = -1;
111 static gint hf_dtls_handshake_random_time = -1;
112 static gint hf_dtls_handshake_random_bytes = -1;
113 static gint hf_dtls_handshake_cookie_len = -1;
114 static gint hf_dtls_handshake_cookie = -1;
115 static gint hf_dtls_handshake_cipher_suites_len = -1;
116 static gint hf_dtls_handshake_cipher_suites = -1;
117 static gint hf_dtls_handshake_cipher_suite = -1;
118 static gint hf_dtls_handshake_session_id = -1;
119 static gint hf_dtls_handshake_comp_methods_len = -1;
120 static gint hf_dtls_handshake_comp_methods = -1;
121 static gint hf_dtls_handshake_comp_method = -1;
122 static gint hf_dtls_handshake_extensions_len = -1;
123 static gint hf_dtls_handshake_extension_type = -1;
124 static gint hf_dtls_handshake_extension_len = -1;
125 static gint hf_dtls_handshake_extension_data = -1;
126 static gint hf_dtls_handshake_certificates_len = -1;
127 static gint hf_dtls_handshake_certificates = -1;
128 static gint hf_dtls_handshake_certificate = -1;
129 static gint hf_dtls_handshake_certificate_len = -1;
130 static gint hf_dtls_handshake_cert_types_count = -1;
131 static gint hf_dtls_handshake_cert_types = -1;
132 static gint hf_dtls_handshake_cert_type = -1;
133 static gint hf_dtls_handshake_finished = -1;
134 static gint hf_dtls_handshake_md5_hash = -1;
135 static gint hf_dtls_handshake_sha_hash = -1;
136 static gint hf_dtls_handshake_session_id_len = -1;
137 static gint hf_dtls_handshake_dnames_len = -1;
138 static gint hf_dtls_handshake_dnames = -1;
139 static gint hf_dtls_handshake_dname_len = -1;
140 static gint hf_dtls_handshake_dname = -1;
142 static gint hf_dtls_fragments = -1;
143 static gint hf_dtls_fragment = -1;
144 static gint hf_dtls_fragment_overlap = -1;
145 static gint hf_dtls_fragment_overlap_conflicts = -1;
146 static gint hf_dtls_fragment_multiple_tails = -1;
147 static gint hf_dtls_fragment_too_long_fragment = -1;
148 static gint hf_dtls_fragment_error = -1;
149 static gint hf_dtls_reassembled_in = -1;
150 static gint hf_dtls_reassembled_length = -1;
152 /* Initialize the subtree pointers */
153 static gint ett_dtls = -1;
154 static gint ett_dtls_record = -1;
155 static gint ett_dtls_alert = -1;
156 static gint ett_dtls_handshake = -1;
157 static gint ett_dtls_cipher_suites = -1;
158 static gint ett_dtls_comp_methods = -1;
159 static gint ett_dtls_extension = -1;
160 static gint ett_dtls_certs = -1;
161 static gint ett_dtls_cert_types = -1;
162 static gint ett_dtls_dnames = -1;
164 static gint ett_dtls_fragment = -1;
165 static gint ett_dtls_fragments = -1;
167 static GHashTable *dtls_session_hash = NULL;
168 static GHashTable *dtls_key_hash = NULL;
169 static GHashTable *dtls_fragment_table = NULL;
170 static GTree* dtls_associations = NULL;
171 static dissector_handle_t dtls_handle = NULL;
172 static StringInfo dtls_compressed_data = {NULL, 0};
173 static StringInfo dtls_decrypted_data = {NULL, 0};
174 static gint dtls_decrypted_data_avail = 0;
176 static gchar* dtls_keys_list = NULL;
177 #ifdef HAVE_LIBGNUTLS
178 static gchar* dtls_debug_file_name = NULL;
181 static const fragment_items dtls_frag_items = {
182 /* Fragment subtrees */
185 /* Fragment fields */
188 &hf_dtls_fragment_overlap,
189 &hf_dtls_fragment_overlap_conflicts,
190 &hf_dtls_fragment_multiple_tails,
191 &hf_dtls_fragment_too_long_fragment,
192 &hf_dtls_fragment_error,
193 /* Reassembled in field */
194 &hf_dtls_reassembled_in,
195 /* Reassembled length field */
196 &hf_dtls_reassembled_length,
201 /* initialize/reset per capture state data (dtls sessions cache) */
205 ssl_common_init(&dtls_session_hash, &dtls_decrypted_data, &dtls_compressed_data);
206 fragment_table_init (&dtls_fragment_table);
209 /* parse dtls related preferences (private keys and ports association strings) */
213 ep_stack_t tmp_stack;
214 SslAssociation *tmp_assoc;
218 g_hash_table_foreach(dtls_key_hash, ssl_private_key_free, NULL);
219 g_hash_table_destroy(dtls_key_hash);
222 /* remove only associations created from key list */
223 tmp_stack = ep_stack_new();
224 g_tree_foreach(dtls_associations, ssl_assoc_from_key_list, tmp_stack);
225 while ((tmp_assoc = ep_stack_pop(tmp_stack)) != NULL) {
226 ssl_association_remove(dtls_associations, tmp_assoc);
229 /* parse private keys string, load available keys and put them in key hash*/
230 dtls_key_hash = g_hash_table_new(ssl_private_key_hash, ssl_private_key_equal);
232 if (dtls_keys_list && (dtls_keys_list[0] != 0))
234 ssl_parse_key_list(dtls_keys_list,dtls_key_hash,dtls_associations,dtls_handle,FALSE);
237 ssl_set_debug(dtls_debug_file_name);
239 dissector_add_handle("sctp.port", dtls_handle);
240 dissector_add_handle("udp.port", dtls_handle);
244 * DTLS Dissection Routines
248 /* record layer dissector */
249 static gint dissect_dtls_record(tvbuff_t *tvb, packet_info *pinfo,
250 proto_tree *tree, guint32 offset,
252 SslDecryptSession *conv_data);
254 /* change cipher spec dissector */
255 static void dissect_dtls_change_cipher_spec(tvbuff_t *tvb,
258 guint *conv_version, guint8 content_type);
260 /* alert message dissector */
261 static void dissect_dtls_alert(tvbuff_t *tvb, packet_info *pinfo,
262 proto_tree *tree, guint32 offset,
263 guint *conv_version);
265 /* handshake protocol dissector */
266 static void dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo,
267 proto_tree *tree, guint32 offset,
268 guint32 record_length,
270 SslDecryptSession *conv_data, guint8 content_type);
273 static void dissect_dtls_hnd_cli_hello(tvbuff_t *tvb,
275 guint32 offset, guint32 length,
276 SslDecryptSession* ssl);
278 static void dissect_dtls_hnd_hello_verify_request(tvbuff_t *tvb,
281 SslDecryptSession* ssl);
283 static void dissect_dtls_hnd_srv_hello(tvbuff_t *tvb,
285 guint32 offset, guint32 length,
286 SslDecryptSession* ssl);
288 static void dissect_dtls_hnd_cert(tvbuff_t *tvb,
289 proto_tree *tree, guint32 offset, packet_info *pinfo);
291 static void dissect_dtls_hnd_cert_req(tvbuff_t *tvb,
295 static void dissect_dtls_hnd_finished(tvbuff_t *tvb,
298 guint* conv_version);
304 /*static void ssl_set_conv_version(packet_info *pinfo, guint version);*/
305 static gint dtls_is_valid_handshake_type(guint8 type);
307 static gint dtls_is_authoritative_version_message(guint8 content_type,
309 static gint looks_like_dtls(tvbuff_t *tvb, guint32 offset);
311 /*********************************************************************
315 *********************************************************************/
317 * Code to actually dissect the packets
320 dissect_dtls(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
323 conversation_t *conversation;
326 proto_tree *dtls_tree;
328 gboolean first_record_in_frame;
329 SslDecryptSession* ssl_session;
334 first_record_in_frame = TRUE;
338 /* Track the version using conversations allows
339 * us to more frequently set the protocol column properly
340 * for continuation data frames.
342 * Also: We use the copy in conv_version as our cached copy,
343 * so that we don't have to search the conversation
344 * table every time we want the version; when setting
345 * the conv_version, must set the copy in the conversation
346 * in addition to conv_version
348 conversation = find_or_create_conversation(pinfo);
349 conv_data = conversation_get_proto_data(conversation, proto_dtls);
351 /* manage dtls decryption data */
352 /*get a valid ssl session pointer*/
353 if (conv_data != NULL)
354 ssl_session = conv_data;
358 ssl_session = se_alloc0(sizeof(SslDecryptSession));
359 ssl_session_init(ssl_session);
360 ssl_session->version = SSL_VER_UNKNOWN;
361 conversation_add_proto_data(conversation, proto_dtls, ssl_session);
363 /* we need to know witch side of conversation is speaking */
364 if (ssl_packet_from_server(ssl_session, dtls_associations, pinfo)) {
365 dummy.addr = pinfo->src;
366 dummy.port = pinfo->srcport;
369 dummy.addr = pinfo->dst;
370 dummy.port = pinfo->destport;
372 ssl_debug_printf("dissect_dtls server %s:%d\n",
373 ep_address_to_str(&dummy.addr),dummy.port);
375 /* try to retrive private key for this service. Do it now 'cause pinfo
376 * is not always available
377 * Note that with HAVE_LIBGNUTLS undefined private_key is allways 0
378 * and thus decryption never engaged*/
379 ssl_session->private_key = g_hash_table_lookup(dtls_key_hash, &dummy);
380 if (!ssl_session->private_key)
381 ssl_debug_printf("dissect_dtls can't find private key for this server!\n");
383 conv_version= & ssl_session->version;
385 /* try decryption only the first time we see this packet
386 * (to keep cipher synchronized)and only if we have
387 * the server private key*/
388 if (!ssl_session->private_key || pinfo->fd->flags.visited)
391 /* Initialize the protocol column; we'll set it later when we
392 * figure out what flavor of DTLS it is (actually only one
394 col_set_str(pinfo->cinfo, COL_PROTOCOL, "DTLS");
396 /* clear the the info column */
397 col_clear(pinfo->cinfo, COL_INFO);
399 /* Create display subtree for SSL as a whole */
402 ti = proto_tree_add_item(tree, proto_dtls, tvb, 0, -1, FALSE);
403 dtls_tree = proto_item_add_subtree(ti, ett_dtls);
406 /* iterate through the records in this tvbuff */
407 while (tvb_reported_length_remaining(tvb, offset) != 0)
409 /* on second and subsequent records per frame
410 * add a delimiter on info column
412 if (!first_record_in_frame)
414 col_append_str(pinfo->cinfo, COL_INFO, ", ");
417 /* first try to dispatch off the cached version
418 * known to be associated with the conversation
420 switch(*conv_version) {
422 offset = dissect_dtls_record(tvb, pinfo, dtls_tree,
423 offset, conv_version,
427 /* that failed, so apply some heuristics based
428 * on this individual packet
431 if (looks_like_dtls(tvb, offset))
433 /* looks like dtls */
434 offset = dissect_dtls_record(tvb, pinfo, dtls_tree,
435 offset, conv_version,
440 /* looks like something unknown, so lump into
443 offset = tvb_length(tvb);
444 col_append_str(pinfo->cinfo, COL_INFO,
445 "Continuation Data");
447 /* Set the protocol column */
448 col_set_str(pinfo->cinfo, COL_PROTOCOL, "DTLS");
453 /* set up for next record in frame, if any */
454 first_record_in_frame = FALSE;
457 tap_queue_packet(dtls_tap, pinfo, NULL);
461 decrypt_dtls_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset,
462 guint32 record_length, guint8 content_type, SslDecryptSession* ssl,
463 gboolean save_plaintext)
470 /* if we can decrypt and decryption have success
471 * add decrypted data to this packet info */
472 ssl_debug_printf("decrypt_dtls_record: app_data len %d, ssl state %X\n",
473 record_length, ssl->state);
474 if (!(ssl->state & SSL_HAVE_SESSION_KEY)) {
475 ssl_debug_printf("decrypt_dtls_record: no session key\n");
479 /* retrive decoder for this packet direction */
480 if ((direction = ssl_packet_from_server(ssl, dtls_associations, pinfo)) != 0) {
481 ssl_debug_printf("decrypt_dtls_record: using server decoder\n");
482 decoder = ssl->server;
485 ssl_debug_printf("decrypt_dtls_record: using client decoder\n");
486 decoder = ssl->client;
489 /* ensure we have enough storage space for decrypted data */
490 if (record_length > dtls_decrypted_data.data_len)
492 ssl_debug_printf("decrypt_dtls_record: allocating %d bytes"
493 " for decrypt data (old len %d)\n",
494 record_length + 32, dtls_decrypted_data.data_len);
495 dtls_decrypted_data.data = g_realloc(dtls_decrypted_data.data,
497 dtls_decrypted_data.data_len = record_length + 32;
500 /* run decryption and add decrypted payload to protocol data, if decryption
502 dtls_decrypted_data_avail = dtls_decrypted_data.data_len;
503 if (ssl_decrypt_record(ssl, decoder,
504 content_type, tvb_get_ptr(tvb, offset, record_length),
505 record_length, &dtls_compressed_data, &dtls_decrypted_data, &dtls_decrypted_data_avail) == 0)
508 if (ret && save_plaintext) {
509 ssl_add_data_info(proto_dtls, pinfo, dtls_decrypted_data.data, dtls_decrypted_data_avail, TVB_RAW_OFFSET(tvb)+offset, 0);
519 /*********************************************************************
521 * DTLS Dissection Routines
523 *********************************************************************/
525 dissect_dtls_record(tvbuff_t *tvb, packet_info *pinfo,
526 proto_tree *tree, guint32 offset,
528 SslDecryptSession* ssl)
533 * uint8 major, minor;
538 * change_cipher_spec(20), alert(21), handshake(22),
539 * application_data(23), (255)
544 * ProtocolVersion version;
545 * uint16 epoch; // New field
546 * uint48 sequence_number; // New field
548 * opaque fragment[TLSPlaintext.length];
551 guint32 record_length;
554 gdouble sequence_number;
555 gint64 sequence_number_temp;
559 proto_tree *dtls_record_tree;
560 guint32 available_bytes;
561 SslAssociation* association;
562 SslDataInfo *appl_data;
564 dtls_record_tree = NULL;
565 available_bytes = tvb_length_remaining(tvb, offset);
568 * Get the record layer fields of interest
570 content_type = tvb_get_guint8(tvb, offset);
571 version = tvb_get_ntohs(tvb, offset + 1);
572 epoch = tvb_get_ntohs(tvb, offset + 3);
573 sequence_number = tvb_get_ntohl(tvb, offset + 7);
574 sequence_number_temp=tvb_get_ntohs(tvb, offset + 5);
575 sequence_number_temp=sequence_number_temp<<32;
576 sequence_number+=sequence_number_temp;
577 record_length = tvb_get_ntohs(tvb, offset + 11);
580 if(ssl_packet_from_server(ssl, dtls_associations, pinfo)){
582 ssl->server->seq=(guint32)sequence_number;
583 ssl->server->epoch=epoch;
588 ssl->client->seq=(guint32)sequence_number;
589 ssl->client->epoch=epoch;
593 if (!ssl_is_valid_content_type(content_type)) {
595 /* if we don't have a valid content_type, there's no sense
596 * continuing any further
598 col_append_str(pinfo->cinfo, COL_INFO, "Continuation Data");
600 /* Set the protocol column */
601 col_set_str(pinfo->cinfo, COL_PROTOCOL, "DTLS");
602 return offset + 13 + record_length;
606 * If GUI, fill in record layer part of tree
611 /* add the record layer subtree header */
612 tvb_ensure_bytes_exist(tvb, offset, 13 + record_length);
613 ti = proto_tree_add_item(tree, hf_dtls_record, tvb,
614 offset, 13 + record_length, 0);
615 dtls_record_tree = proto_item_add_subtree(ti, ett_dtls_record);
618 if (dtls_record_tree)
621 /* show the one-byte content type */
622 proto_tree_add_item(dtls_record_tree, hf_dtls_record_content_type,
623 tvb, offset, 1, FALSE);
626 /* add the version */
627 proto_tree_add_item(dtls_record_tree, hf_dtls_record_version, tvb,
632 proto_tree_add_uint(dtls_record_tree, hf_dtls_record_epoch, tvb, offset, 2, epoch);
636 /* add sequence_number */
638 proto_tree_add_double(dtls_record_tree, hf_dtls_record_sequence_number, tvb, offset, 6, sequence_number);
643 proto_tree_add_uint(dtls_record_tree, hf_dtls_record_length, tvb,
644 offset, 2, record_length);
645 offset += 2; /* move past length field itself */
650 /* if no GUI tree, then just skip over those fields */
656 * if we don't already have a version set for this conversation,
657 * but this message's version is authoritative (i.e., it's
658 * not client_hello, then save the version to to conversation
659 * structure and print the column version
661 next_byte = tvb_get_guint8(tvb, offset);
662 if (*conv_version == SSL_VER_UNKNOWN
663 && dtls_is_authoritative_version_message(content_type, next_byte))
665 if (version == DTLSV1DOT0_VERSION ||
666 version == DTLSV1DOT0_VERSION_NOT)
669 *conv_version = SSL_VER_DTLS;
671 ssl->version_netorder = version;
672 ssl->state |= SSL_VERSION;
674 /*ssl_set_conv_version(pinfo, ssl->version);*/
677 if (check_col(pinfo->cinfo, COL_PROTOCOL))
679 if (version == DTLSV1DOT0_VERSION)
681 col_set_str(pinfo->cinfo, COL_PROTOCOL,
682 val_to_str_const(SSL_VER_DTLS, ssl_version_short_names, "SSL"));
686 col_set_str(pinfo->cinfo, COL_PROTOCOL,"DTLS");
691 * now dissect the next layer
693 ssl_debug_printf("dissect_dtls_record: content_type %d\n",content_type);
695 /* PAOLO try to decrypt each record (we must keep ciphers "in sync")
696 * store plain text only for app data */
698 switch (content_type) {
699 case SSL_ID_CHG_CIPHER_SPEC:
700 col_append_str(pinfo->cinfo, COL_INFO, "Change Cipher Spec");
701 dissect_dtls_change_cipher_spec(tvb, dtls_record_tree,
702 offset, conv_version, content_type);
708 if (ssl&&decrypt_dtls_record(tvb, pinfo, offset,
709 record_length, content_type, ssl, FALSE))
710 ssl_add_record_info(proto_dtls, pinfo, dtls_decrypted_data.data,
711 dtls_decrypted_data_avail, offset);
713 /* try to retrive and use decrypted alert record, if any. */
714 decrypted = ssl_get_record_info(proto_dtls, pinfo, offset);
716 dissect_dtls_alert(decrypted, pinfo, dtls_record_tree, 0,
719 dissect_dtls_alert(tvb, pinfo, dtls_record_tree, offset,
723 case SSL_ID_HANDSHAKE:
727 /* try to decrypt handshake record, if possible. Store decrypted
728 * record for later usage. The offset is used as 'key' to itentify
729 * this record into the packet (we can have multiple handshake records
730 * in the same frame) */
731 if (ssl && decrypt_dtls_record(tvb, pinfo, offset,
732 record_length, content_type, ssl, FALSE))
733 ssl_add_record_info(proto_dtls, pinfo, dtls_decrypted_data.data,
734 dtls_decrypted_data_avail, offset);
736 /* try to retrive and use decrypted handshake record, if any. */
737 decrypted = ssl_get_record_info(proto_dtls, pinfo, offset);
739 dissect_dtls_handshake(decrypted, pinfo, dtls_record_tree, 0,
740 decrypted->length, conv_version, ssl, content_type);
742 dissect_dtls_handshake(tvb, pinfo, dtls_record_tree, offset,
743 record_length, conv_version, ssl, content_type);
746 case SSL_ID_APP_DATA:
748 decrypt_dtls_record(tvb, pinfo, offset,
749 record_length, content_type, ssl, TRUE);
751 /* show on info colum what we are decoding */
752 col_append_str(pinfo->cinfo, COL_INFO, "Application Data");
754 if (!dtls_record_tree)
757 /* we need dissector information when the selected packet is shown.
758 * ssl session pointer is NULL at that time, so we can't access
759 * info cached there*/
760 association = ssl_association_find(dtls_associations, pinfo->srcport, pinfo->ptype == PT_TCP);
761 association = association ? association: ssl_association_find(dtls_associations, pinfo->destport, pinfo->ptype == PT_TCP);
763 proto_item_set_text(dtls_record_tree,
764 "%s Record Layer: %s Protocol: %s",
765 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"),
766 val_to_str(content_type, ssl_31_content_type, "unknown"),
767 association?association->info:"Application Data");
769 proto_tree_add_item(dtls_record_tree, hf_dtls_record_appdata, tvb,
770 offset, record_length, 0);
772 /* show decrypted data info, if available */
773 appl_data = ssl_get_data_info(proto_dtls, pinfo, TVB_RAW_OFFSET(tvb)+offset);
774 if (appl_data && (appl_data->plain_data.data_len > 0))
777 /* try to dissect decrypted data*/
778 ssl_debug_printf("dissect_dtls_record decrypted len %d\n",
779 appl_data->plain_data.data_len);
781 /* create a new TVB structure for desegmented data */
782 next_tvb = tvb_new_child_real_data(tvb, appl_data->plain_data.data, appl_data->plain_data.data_len, appl_data->plain_data.data_len);
784 add_new_data_source(pinfo, next_tvb, "Decrypted DTLS data");
786 /* find out a dissector using server port*/
787 if (association && association->handle) {
788 ssl_debug_printf("dissect_dtls_record found association %p\n", (void *)association);
789 ssl_print_text_data("decrypted app data",appl_data->plain_data.data, appl_data->plain_data.data_len);
791 call_dissector(association->handle, next_tvb, pinfo, top_tree);
797 /* shouldn't get here since we check above for valid types */
798 col_append_str(pinfo->cinfo, COL_INFO, "Bad DTLS Content Type");
801 offset += record_length; /* skip to end of record */
806 /* dissects the change cipher spec procotol, filling in the tree */
808 dissect_dtls_change_cipher_spec(tvbuff_t *tvb,
809 proto_tree *tree, guint32 offset,
810 guint* conv_version, guint8 content_type)
814 * enum { change_cipher_spec(1), (255) } type;
815 * } ChangeCipherSpec;
820 proto_item_set_text(tree,
821 "%s Record Layer: %s Protocol: Change Cipher Spec",
822 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"),
823 val_to_str(content_type, ssl_31_content_type, "unknown"));
824 proto_tree_add_item(tree, hf_dtls_change_cipher_spec, tvb,
829 /* dissects the alert message, filling in the tree */
831 dissect_dtls_alert(tvbuff_t *tvb, packet_info *pinfo,
832 proto_tree *tree, guint32 offset,
837 * AlertDescription description;
841 proto_tree *ssl_alert_tree;
845 ssl_alert_tree = NULL;
849 ti = proto_tree_add_item(tree, hf_dtls_alert_message, tvb,
851 ssl_alert_tree = proto_item_add_subtree(ti, ett_dtls_alert);
855 * set the record layer label
858 /* first lookup the names for the alert level and description */
859 byte = tvb_get_guint8(tvb, offset); /* grab the level byte */
860 level = match_strval(byte, ssl_31_alert_level);
862 byte = tvb_get_guint8(tvb, offset+1); /* grab the desc byte */
863 desc = match_strval(byte, ssl_31_alert_description);
865 /* now set the text in the record layer line */
868 if (check_col(pinfo->cinfo, COL_INFO))
869 col_append_fstr(pinfo->cinfo, COL_INFO,
870 "Alert (Level: %s, Description: %s)",
875 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted Alert");
882 proto_item_set_text(tree, "%s Record Layer: Alert "
883 "(Level: %s, Description: %s)",
884 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"),
886 proto_tree_add_item(ssl_alert_tree, hf_dtls_alert_message_level,
887 tvb, offset++, 1, FALSE);
889 proto_tree_add_item(ssl_alert_tree, hf_dtls_alert_message_description,
890 tvb, offset++, 1, FALSE);
894 proto_item_set_text(tree,
895 "%s Record Layer: Encrypted Alert",
896 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"));
897 proto_item_set_text(ssl_alert_tree,
898 "Alert Message: Encrypted Alert");
904 /* dissects the handshake protocol, filling the tree */
906 dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo,
907 proto_tree *tree, guint32 offset,
908 guint32 record_length, guint *conv_version,
909 SslDecryptSession* ssl, guint8 content_type)
912 * HandshakeType msg_type;
914 * uint16 message_seq; //new field
915 * uint24 fragment_offset; //new field
916 * uint24 fragment_length; //new field
917 * select (HandshakeType) {
918 * case hello_request: HelloRequest;
919 * case client_hello: ClientHello;
920 * case server_hello: ServerHello;
921 * case hello_verify_request: HelloVerifyRequest; //new field
922 * case certificate: Certificate;
923 * case server_key_exchange: ServerKeyExchange;
924 * case certificate_request: CertificateRequest;
925 * case server_hello_done: ServerHelloDone;
926 * case certificate_verify: CertificateVerify;
927 * case client_key_exchange: ClientKeyExchange;
928 * case finished: Finished;
933 proto_tree *ssl_hand_tree;
934 const gchar *msg_type_str;
938 guint32 fragment_offset;
939 guint32 fragment_length;
940 gboolean first_iteration;
942 ssl_hand_tree = NULL;
944 first_iteration = TRUE;
946 /* just as there can be multiple records per packet, there
947 * can be multiple messages per record as long as they have
948 * the same content type
950 * we really only care about this for handshake messages
953 /* set record_length to the max offset */
954 record_length += offset;
955 for (; offset < record_length; offset += fragment_length,
956 first_iteration = FALSE) /* set up for next pass, if any */
958 fragment_data *frag_msg = NULL;
959 tvbuff_t *new_tvb = NULL;
960 const gchar *frag_str = NULL;
963 msg_type = tvb_get_guint8(tvb, offset);
964 msg_type_str = match_strval(msg_type, ssl_31_handshake_type);
965 length = tvb_get_ntoh24(tvb, offset + 1);
966 message_seq = tvb_get_ntohs(tvb,offset + 4);
967 fragment_offset = tvb_get_ntoh24(tvb, offset + 6);
968 fragment_length = tvb_get_ntoh24(tvb, offset + 9);
969 fragmented = fragment_length != length;
971 if (!msg_type_str && !first_iteration)
973 /* only dissect / report messages if they're
974 * either the first message in this record
975 * or they're a valid message type
980 /* on second and later iterations, add comma to info col */
981 if (!first_iteration)
983 col_append_str(pinfo->cinfo, COL_INFO, ", ");
987 * Update our info string
989 if (check_col(pinfo->cinfo, COL_INFO))
990 col_append_str(pinfo->cinfo, COL_INFO, (msg_type_str != NULL)
991 ? msg_type_str : "Encrypted Handshake Message");
993 /* Handle fragments of known message type */
999 case SSL_HND_HELLO_REQUEST:
1000 case SSL_HND_CLIENT_HELLO:
1001 case SSL_HND_HELLO_VERIFY_REQUEST:
1002 case SSL_HND_SERVER_HELLO:
1003 case SSL_HND_CERTIFICATE:
1004 case SSL_HND_SERVER_KEY_EXCHG:
1005 case SSL_HND_CERT_REQUEST:
1006 case SSL_HND_SVR_HELLO_DONE:
1007 case SSL_HND_CERT_VERIFY:
1008 case SSL_HND_CLIENT_KEY_EXCHG:
1009 case SSL_HND_FINISHED:
1013 /* Ignore encrypted handshake messages */
1019 /* Fragmented handshake message */
1020 pinfo->fragmented = TRUE;
1021 frag_msg = fragment_add(tvb, offset+12, pinfo, message_seq,
1022 dtls_fragment_table,
1023 fragment_offset, fragment_length, TRUE);
1024 fragment_set_tot_len(pinfo, message_seq, dtls_fragment_table,
1027 if (frag_msg && (fragment_length + fragment_offset) == length)
1030 new_tvb = process_reassembled_data(tvb, offset+12, pinfo,
1035 frag_str = " (Reassembled)";
1039 frag_str = " (Fragment)";
1042 if (check_col(pinfo->cinfo, COL_INFO))
1043 col_append_str(pinfo->cinfo, COL_INFO, frag_str);
1049 /* set the label text on the record layer expanding node */
1050 if (first_iteration)
1052 proto_item_set_text(tree, "%s Record Layer: %s Protocol: %s%s",
1053 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"),
1054 val_to_str(content_type, ssl_31_content_type, "unknown"),
1055 (msg_type_str!=NULL) ? msg_type_str :
1056 "Encrypted Handshake Message",
1057 (frag_str!=NULL) ? frag_str : "");
1061 proto_item_set_text(tree, "%s Record Layer: %s Protocol: %s%s",
1062 val_to_str_const(*conv_version, ssl_version_short_names, "SSL"),
1063 val_to_str(content_type, ssl_31_content_type, "unknown"),
1064 "Multiple Handshake Messages",
1065 (frag_str!=NULL) ? frag_str : "");
1068 /* add a subtree for the handshake protocol */
1069 ti = proto_tree_add_item(tree, hf_dtls_handshake_protocol, tvb,
1070 offset, fragment_length + 12, 0);
1071 ssl_hand_tree = proto_item_add_subtree(ti, ett_dtls_handshake);
1075 /* set the text label on the subtree node */
1076 proto_item_set_text(ssl_hand_tree, "Handshake Protocol: %s%s",
1077 (msg_type_str != NULL) ? msg_type_str :
1078 "Encrypted Handshake Message",
1079 (frag_str!=NULL) ? frag_str : "");
1083 /* if we don't have a valid handshake type, just quit dissecting */
1087 /* if we are doing ssl decryption we must dissect some requests type */
1088 if (ssl_hand_tree || ssl)
1090 tvbuff_t *sub_tvb = NULL;
1092 /* add nodes for the message type and message length */
1094 proto_tree_add_item(ssl_hand_tree, hf_dtls_handshake_type,
1095 tvb, offset, 1, msg_type);
1098 proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_length,
1099 tvb, offset, 3, length);
1103 proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_message_seq,
1104 tvb, offset, 2, message_seq);
1107 proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_fragment_offset,
1108 tvb, offset, 3, fragment_offset);
1111 proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_fragment_length,
1112 tvb, offset, 3, fragment_length);
1115 if (fragmented && !new_tvb)
1117 /* Skip fragmented messages not reassembled yet */
1127 sub_tvb = tvb_new_subset(tvb, offset, fragment_length,
1131 /* now dissect the handshake message, if necessary */
1133 case SSL_HND_HELLO_REQUEST:
1134 /* hello_request has no fields, so nothing to do! */
1137 case SSL_HND_CLIENT_HELLO:
1138 dissect_dtls_hnd_cli_hello(sub_tvb, ssl_hand_tree, 0, length, ssl);
1141 case SSL_HND_HELLO_VERIFY_REQUEST:
1142 dissect_dtls_hnd_hello_verify_request(sub_tvb, ssl_hand_tree, 0, ssl);
1145 case SSL_HND_SERVER_HELLO:
1146 dissect_dtls_hnd_srv_hello(sub_tvb, ssl_hand_tree, 0, length, ssl);
1149 case SSL_HND_CERTIFICATE:
1150 dissect_dtls_hnd_cert(sub_tvb, ssl_hand_tree, 0, pinfo);
1153 case SSL_HND_SERVER_KEY_EXCHG:
1157 case SSL_HND_CERT_REQUEST:
1158 dissect_dtls_hnd_cert_req(sub_tvb, ssl_hand_tree, 0);
1161 case SSL_HND_SVR_HELLO_DONE:
1162 /* server_hello_done has no fields, so nothing to do! */
1165 case SSL_HND_CERT_VERIFY:
1169 case SSL_HND_CLIENT_KEY_EXCHG:
1171 /* here we can have all the data to build session key */
1172 StringInfo encrypted_pre_master;
1174 guint encrlen = length, skip;
1180 /* check for required session data */
1181 ssl_debug_printf("dissect_dtls_handshake found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
1183 if ((ssl->state & (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION)) !=
1184 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION)) {
1185 ssl_debug_printf("dissect_dtls_handshake not enough data to generate key (required state %X)\n",
1186 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION));
1190 encrypted_pre_master.data = se_alloc(encrlen);
1191 encrypted_pre_master.data_len = encrlen;
1192 tvb_memcpy(tvb, encrypted_pre_master.data, offset+skip, encrlen);
1194 if (!ssl->private_key) {
1195 ssl_debug_printf("dissect_dtls_handshake can't find private key\n");
1199 /* go with ssl key processessing; encrypted_pre_master
1200 * will be used for master secret store*/
1201 ret = ssl_decrypt_pre_master_secret(ssl, &encrypted_pre_master, ssl->private_key);
1203 ssl_debug_printf("dissect_dtls_handshake can't decrypt pre master secret\n");
1206 if (ssl_generate_keyring_material(ssl)<0) {
1207 ssl_debug_printf("dissect_dtls_handshake can't generate keyring material\n");
1210 ssl->state |= SSL_HAVE_SESSION_KEY;
1211 ssl_save_session(ssl, dtls_session_hash);
1212 ssl_debug_printf("dissect_dtls_handshake session keys successfully generated\n");
1216 case SSL_HND_FINISHED:
1217 dissect_dtls_hnd_finished(sub_tvb, ssl_hand_tree,
1224 offset += 12; /* skip the handshake header when handshake is not processed*/
1230 dissect_dtls_hnd_hello_common(tvbuff_t *tvb, proto_tree *tree,
1231 guint32 offset, SslDecryptSession* ssl, gint from_server)
1233 /* show the client's random challenge */
1234 nstime_t gmt_unix_time;
1235 guint8 session_id_length;
1236 session_id_length = 0;
1239 /* get proper peer information*/
1242 rnd = &ssl->server_random;
1244 rnd = &ssl->client_random;
1246 /* get provided random for keyring generation*/
1247 tvb_memcpy(tvb, rnd->data, offset, 32);
1250 ssl->state |= SSL_SERVER_RANDOM;
1252 ssl->state |= SSL_CLIENT_RANDOM;
1253 ssl_debug_printf("dissect_dtls_hnd_hello_common found random state %X\n",
1256 session_id_length = tvb_get_guint8(tvb, offset + 32);
1257 /* check stored session id info */
1258 if (from_server && (session_id_length == ssl->session_id.data_len) &&
1259 (tvb_memeql(tvb, offset+33, ssl->session_id.data, session_id_length) == 0))
1261 /* clinet/server id match: try to restore a previous cached session*/
1262 ssl_restore_session(ssl, dtls_session_hash);
1265 tvb_memcpy(tvb,ssl->session_id.data, offset+33, session_id_length);
1266 ssl->session_id.data_len = session_id_length;
1273 gmt_unix_time.secs = tvb_get_ntohl(tvb, offset);
1274 gmt_unix_time.nsecs = 0;
1275 proto_tree_add_time(tree, hf_dtls_handshake_random_time,
1276 tvb, offset, 4, &gmt_unix_time);
1279 /* show the random bytes */
1280 proto_tree_add_item(tree, hf_dtls_handshake_random_bytes,
1281 tvb, offset, 28, 0);
1284 /* show the session id */
1285 session_id_length = tvb_get_guint8(tvb, offset);
1286 proto_tree_add_item(tree, hf_dtls_handshake_session_id_len,
1287 tvb, offset++, 1, 0);
1288 if (session_id_length > 0)
1290 proto_tree_add_bytes_format(tree, hf_dtls_handshake_session_id,
1291 tvb, offset, session_id_length,
1292 tvb_get_ptr(tvb, offset, session_id_length),
1293 "Session ID (%u byte%s)",
1295 plurality(session_id_length, "", "s"));
1296 offset += session_id_length;
1302 return session_id_length+33;
1306 dissect_dtls_hnd_hello_ext(tvbuff_t *tvb,
1307 proto_tree *tree, guint32 offset, guint32 left)
1309 guint16 extension_length;
1313 proto_tree *ext_tree;
1318 extension_length = tvb_get_ntohs(tvb, offset);
1319 proto_tree_add_uint(tree, hf_dtls_handshake_extensions_len,
1320 tvb, offset, 2, extension_length);
1326 ext_type = tvb_get_ntohs(tvb, offset);
1327 ext_len = tvb_get_ntohs(tvb, offset + 2);
1329 pi = proto_tree_add_text(tree, tvb, offset, 4 + ext_len,
1331 val_to_str(ext_type,
1332 tls_hello_extension_types,
1334 ext_tree = proto_item_add_subtree(pi, ett_dtls_extension);
1338 proto_tree_add_uint(ext_tree, hf_dtls_handshake_extension_type,
1339 tvb, offset, 2, ext_type);
1342 proto_tree_add_uint(ext_tree, hf_dtls_handshake_extension_len,
1343 tvb, offset, 2, ext_len);
1346 proto_tree_add_bytes_format(ext_tree, hf_dtls_handshake_extension_data,
1347 tvb, offset, ext_len,
1348 tvb_get_ptr(tvb, offset, ext_len),
1350 ext_len, plurality(ext_len, "", "s"));
1352 left -= 2 + 2 + ext_len;
1359 dissect_dtls_hnd_cli_hello(tvbuff_t *tvb,
1360 proto_tree *tree, guint32 offset, guint32 length,
1361 SslDecryptSession*ssl)
1364 * ProtocolVersion client_version;
1366 * SessionID session_id;
1367 * opaque cookie<0..32>; //new field
1368 * CipherSuite cipher_suites<2..2^16-1>;
1369 * CompressionMethod compression_methods<1..2^8-1>;
1370 * Extension client_hello_extension_list<0..2^16-1>;
1375 proto_tree *cs_tree;
1376 guint16 cipher_suite_length;
1377 guint8 compression_methods_length;
1378 guint8 compression_method;
1379 guint16 start_offset = offset;
1380 guint8 cookie_length;
1381 cipher_suite_length = 0;
1382 compression_methods_length = 0;
1387 /* show the client version */
1389 proto_tree_add_item(tree, hf_dtls_handshake_client_version, tvb,
1393 /* show the fields in common with server hello */
1394 offset += dissect_dtls_hnd_hello_common(tvb, tree, offset, ssl, 0);
1396 /* look for a cookie */
1397 cookie_length = tvb_get_guint8(tvb, offset);
1401 proto_tree_add_uint(tree, hf_dtls_handshake_cookie_len,
1402 tvb, offset, 1, cookie_length);
1403 offset ++; /* skip opaque length */
1405 if (cookie_length > 0)
1407 proto_tree_add_bytes_format(tree, hf_dtls_handshake_cookie,
1408 tvb, offset, cookie_length,
1409 tvb_get_ptr(tvb, offset, cookie_length),
1410 "Cookie (%u byte%s)",
1412 plurality(cookie_length, "", "s"));
1413 offset += cookie_length;
1416 /* tell the user how many cipher suites there are */
1417 cipher_suite_length = tvb_get_ntohs(tvb, offset);
1419 proto_tree_add_uint(tree, hf_dtls_handshake_cipher_suites_len,
1420 tvb, offset, 2, cipher_suite_length);
1421 offset += 2; /* skip opaque length */
1423 if (cipher_suite_length > 0)
1425 tvb_ensure_bytes_exist(tvb, offset, cipher_suite_length);
1426 ti = proto_tree_add_none_format(tree,
1427 hf_dtls_handshake_cipher_suites,
1428 tvb, offset, cipher_suite_length,
1429 "Cipher Suites (%u suite%s)",
1430 cipher_suite_length / 2,
1431 plurality(cipher_suite_length/2, "", "s"));
1433 /* make this a subtree */
1434 cs_tree = proto_item_add_subtree(ti, ett_dtls_cipher_suites);
1437 cs_tree = tree; /* failsafe */
1440 while (cipher_suite_length > 0)
1442 proto_tree_add_item(cs_tree, hf_dtls_handshake_cipher_suite,
1443 tvb, offset, 2, FALSE);
1445 cipher_suite_length -= 2;
1449 /* tell the user how man compression methods there are */
1450 compression_methods_length = tvb_get_guint8(tvb, offset);
1451 proto_tree_add_uint(tree, hf_dtls_handshake_comp_methods_len,
1452 tvb, offset, 1, compression_methods_length);
1455 if (compression_methods_length > 0)
1457 tvb_ensure_bytes_exist(tvb, offset, compression_methods_length);
1458 ti = proto_tree_add_none_format(tree,
1459 hf_dtls_handshake_comp_methods,
1460 tvb, offset, compression_methods_length,
1461 "Compression Methods (%u method%s)",
1462 compression_methods_length,
1463 plurality(compression_methods_length,
1466 /* make this a subtree */
1467 cs_tree = proto_item_add_subtree(ti, ett_dtls_comp_methods);
1470 cs_tree = tree; /* failsafe */
1473 while (compression_methods_length > 0)
1475 compression_method = tvb_get_guint8(tvb, offset);
1476 if (compression_method < 64)
1477 proto_tree_add_uint(cs_tree, hf_dtls_handshake_comp_method,
1478 tvb, offset, 1, compression_method);
1479 else if (compression_method > 63 && compression_method < 193)
1480 proto_tree_add_text(cs_tree, tvb, offset, 1,
1481 "Compression Method: Reserved - to be assigned by IANA (%u)",
1482 compression_method);
1484 proto_tree_add_text(cs_tree, tvb, offset, 1,
1485 "Compression Method: Private use range (%u)",
1486 compression_method);
1488 compression_methods_length--;
1492 if (length > offset - start_offset)
1494 offset = dissect_dtls_hnd_hello_ext(tvb, tree, offset,
1496 (offset - start_offset));
1502 static void dissect_dtls_hnd_hello_verify_request(tvbuff_t *tvb,
1505 SslDecryptSession* ssl)
1509 * ProtocolVersion server_version;
1510 * opaque cookie<0..32>;
1511 * } HelloVerifyRequest;
1514 guint8 cookie_length;
1519 /* show the client version */
1521 proto_tree_add_item(tree, hf_dtls_handshake_server_version, tvb,
1526 /* look for a cookie */
1527 cookie_length = tvb_get_guint8(tvb, offset);
1531 proto_tree_add_uint(tree, hf_dtls_handshake_cookie_len,
1532 tvb, offset, 1, cookie_length);
1533 offset ++; /* skip opaque length */
1535 if (cookie_length > 0)
1537 proto_tree_add_bytes_format(tree, hf_dtls_handshake_cookie,
1538 tvb, offset, cookie_length,
1539 tvb_get_ptr(tvb, offset, cookie_length),
1540 "Cookie (%u byte%s)",
1542 plurality(cookie_length, "", "s"));
1543 offset += cookie_length;
1550 dissect_dtls_hnd_srv_hello(tvbuff_t *tvb,
1551 proto_tree *tree, guint32 offset, guint32 length, SslDecryptSession* ssl)
1554 * ProtocolVersion server_version;
1556 * SessionID session_id;
1557 * CipherSuite cipher_suite;
1558 * CompressionMethod compression_method;
1559 * Extension server_hello_extension_list<0..2^16-1>;
1562 guint16 start_offset;
1563 start_offset = offset;
1567 /* show the server version */
1569 proto_tree_add_item(tree, hf_dtls_handshake_server_version, tvb,
1573 /* first display the elements conveniently in
1574 * common with client hello
1576 offset += dissect_dtls_hnd_hello_common(tvb, tree, offset, ssl, 1);
1578 /* PAOLO: handle session cipher suite */
1580 /* store selected cipher suite for decryption */
1581 ssl->cipher = tvb_get_ntohs(tvb, offset);
1582 if (ssl_find_cipher(ssl->cipher,&ssl->cipher_suite) < 0) {
1583 ssl_debug_printf("dissect_dtls_hnd_srv_hello can't find cipher suite %X\n", ssl->cipher);
1587 ssl->state |= SSL_CIPHER;
1588 ssl_debug_printf("dissect_dtls_hnd_srv_hello found cipher %X, state %X\n",
1589 ssl->cipher, ssl->state);
1591 /* if we have restored a session now we can have enought material
1592 * to build session key, check it out*/
1594 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION|SSL_MASTER_SECRET)) !=
1595 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION|SSL_MASTER_SECRET)) {
1596 ssl_debug_printf("dissect_dtls_hnd_srv_hello not enough data to generate key (required state %X)\n",
1597 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION|SSL_MASTER_SECRET));
1601 ssl_debug_printf("dissect_dtls_hnd_srv_hello trying to generate keys\n");
1602 if (ssl_generate_keyring_material(ssl)<0) {
1603 ssl_debug_printf("dissect_dtls_hnd_srv_hello can't generate keyring material\n");
1606 ssl->state |= SSL_HAVE_SESSION_KEY;
1612 /* now the server-selected cipher suite */
1613 proto_tree_add_item(tree, hf_dtls_handshake_cipher_suite,
1614 tvb, offset, 2, FALSE);
1617 /* and the server-selected compression method */
1618 proto_tree_add_item(tree, hf_dtls_handshake_comp_method,
1619 tvb, offset, 1, FALSE);
1622 if (length > offset - start_offset)
1624 offset = dissect_dtls_hnd_hello_ext(tvb, tree, offset,
1626 (offset - start_offset));
1632 dissect_dtls_hnd_cert(tvbuff_t *tvb,
1633 proto_tree *tree, guint32 offset, packet_info *pinfo)
1636 /* opaque ASN.1Cert<2^24-1>;
1639 * ASN.1Cert certificate_list<1..2^24-1>;
1642 guint32 certificate_list_length;
1644 proto_tree *subtree;
1645 asn1_ctx_t asn1_ctx;
1646 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
1650 certificate_list_length = tvb_get_ntoh24(tvb, offset);
1651 proto_tree_add_uint(tree, hf_dtls_handshake_certificates_len,
1652 tvb, offset, 3, certificate_list_length);
1653 offset += 3; /* 24-bit length value */
1655 if (certificate_list_length > 0)
1657 tvb_ensure_bytes_exist(tvb, offset, certificate_list_length);
1658 ti = proto_tree_add_none_format(tree,
1659 hf_dtls_handshake_certificates,
1660 tvb, offset, certificate_list_length,
1661 "Certificates (%u byte%s)",
1662 certificate_list_length,
1663 plurality(certificate_list_length,
1666 /* make it a subtree */
1667 subtree = proto_item_add_subtree(ti, ett_dtls_certs);
1670 subtree = tree; /* failsafe */
1673 /* iterate through each certificate */
1674 while (certificate_list_length > 0)
1676 /* get the length of the current certificate */
1677 guint32 cert_length = tvb_get_ntoh24(tvb, offset);
1678 certificate_list_length -= 3 + cert_length;
1680 proto_tree_add_item(subtree, hf_dtls_handshake_certificate_len,
1681 tvb, offset, 3, FALSE);
1684 dissect_x509af_Certificate(FALSE, tvb, offset, &asn1_ctx, subtree, hf_dtls_handshake_certificate);
1685 offset += cert_length;
1693 dissect_dtls_hnd_cert_req(tvbuff_t *tvb,
1694 proto_tree *tree, guint32 offset)
1698 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
1700 * } ClientCertificateType;
1702 * opaque DistinguishedName<1..2^16-1>;
1705 * ClientCertificateType certificate_types<1..2^8-1>;
1706 * DistinguishedName certificate_authorities<3..2^16-1>;
1707 * } CertificateRequest;
1711 proto_tree *subtree;
1712 guint8 cert_types_count;
1714 cert_types_count = 0;
1719 cert_types_count = tvb_get_guint8(tvb, offset);
1720 proto_tree_add_uint(tree, hf_dtls_handshake_cert_types_count,
1721 tvb, offset, 1, cert_types_count);
1724 if (cert_types_count > 0)
1726 ti = proto_tree_add_none_format(tree,
1727 hf_dtls_handshake_cert_types,
1728 tvb, offset, cert_types_count,
1729 "Certificate types (%u type%s)",
1731 plurality(cert_types_count, "", "s"));
1732 subtree = proto_item_add_subtree(ti, ett_dtls_cert_types);
1738 while (cert_types_count > 0)
1740 proto_tree_add_item(subtree, hf_dtls_handshake_cert_type,
1741 tvb, offset, 1, FALSE);
1747 dnames_length = tvb_get_ntohs(tvb, offset);
1748 proto_tree_add_uint(tree, hf_dtls_handshake_dnames_len,
1749 tvb, offset, 2, dnames_length);
1752 if (dnames_length > 0)
1754 tvb_ensure_bytes_exist(tvb, offset, dnames_length);
1755 ti = proto_tree_add_none_format(tree,
1756 hf_dtls_handshake_dnames,
1757 tvb, offset, dnames_length,
1758 "Distinguished Names (%d byte%s)",
1760 plurality(dnames_length, "", "s"));
1761 subtree = proto_item_add_subtree(ti, ett_dtls_dnames);
1767 while (dnames_length > 0)
1769 /* get the length of the current certificate */
1770 guint16 name_length = tvb_get_ntohs(tvb, offset);
1771 dnames_length -= 2 + name_length;
1773 proto_tree_add_item(subtree, hf_dtls_handshake_dname_len,
1774 tvb, offset, 2, FALSE);
1777 proto_tree_add_bytes_format(subtree,
1778 hf_dtls_handshake_dname,
1779 tvb, offset, name_length,
1780 tvb_get_ptr(tvb, offset, name_length),
1781 "Distinguished Name (%u byte%s)",
1783 plurality(name_length, "", "s"));
1784 offset += name_length;
1792 dissect_dtls_hnd_finished(tvbuff_t *tvb,
1793 proto_tree *tree, guint32 offset,
1794 guint* conv_version)
1798 * opaque verify_data[12];
1802 /* this all needs a tree, so bail if we don't have one */
1808 switch(*conv_version) {
1810 proto_tree_add_item(tree, hf_dtls_handshake_finished,
1811 tvb, offset, 12, FALSE);
1816 /*********************************************************************
1820 *********************************************************************/
1823 ssl_set_conv_version(packet_info *pinfo, guint version)
1825 conversation_t *conversation;
1827 if (pinfo->fd->flags.visited)
1829 /* We've already processed this frame; no need to do any more
1835 conversation = find_or_create_conversation(pinfo);
1837 if (conversation_get_proto_data(conversation, proto_dtls) != NULL)
1839 /* get rid of the current data */
1840 conversation_delete_proto_data(conversation, proto_dtls);
1842 conversation_add_proto_data(conversation, proto_dtls, GINT_TO_POINTER(version));
1847 dtls_is_valid_handshake_type(guint8 type)
1851 case SSL_HND_HELLO_REQUEST:
1852 case SSL_HND_CLIENT_HELLO:
1853 case SSL_HND_SERVER_HELLO:
1854 case SSL_HND_HELLO_VERIFY_REQUEST:
1855 case SSL_HND_CERTIFICATE:
1856 case SSL_HND_SERVER_KEY_EXCHG:
1857 case SSL_HND_CERT_REQUEST:
1858 case SSL_HND_SVR_HELLO_DONE:
1859 case SSL_HND_CERT_VERIFY:
1860 case SSL_HND_CLIENT_KEY_EXCHG:
1861 case SSL_HND_FINISHED:
1868 dtls_is_authoritative_version_message(guint8 content_type,
1871 if (content_type == SSL_ID_HANDSHAKE
1872 && dtls_is_valid_handshake_type(next_byte))
1874 return (next_byte != SSL_HND_CLIENT_HELLO);
1876 else if (ssl_is_valid_content_type(content_type)
1877 && content_type != SSL_ID_HANDSHAKE)
1884 /* this applies a heuristic to determine whether
1885 * or not the data beginning at offset looks like a
1886 * valid dtls record.
1889 looks_like_dtls(tvbuff_t *tvb, guint32 offset)
1891 /* have to have a valid content type followed by a valid
1897 /* see if the first byte is a valid content type */
1898 byte = tvb_get_guint8(tvb, offset);
1899 if (!ssl_is_valid_content_type(byte))
1904 /* now check to see if the version byte appears valid */
1905 version = tvb_get_ntohs(tvb, offset + 1);
1906 if (version != DTLSV1DOT0_VERSION && version != DTLSV1DOT0_VERSION_NOT)
1914 /*********************************************************************
1916 * Standard Wireshark Protocol Registration and housekeeping
1918 *********************************************************************/
1920 proto_register_dtls(void)
1923 /* Setup list of header fields See Section 1.6.1 for details*/
1924 static hf_register_info hf[] = {
1926 { "Record Layer", "dtls.record",
1927 FT_NONE, BASE_NONE, NULL, 0x0,
1930 { &hf_dtls_record_content_type,
1931 { "Content Type", "dtls.record.content_type",
1932 FT_UINT8, BASE_DEC, VALS(ssl_31_content_type), 0x0,
1935 { &hf_dtls_record_version,
1936 { "Version", "dtls.record.version",
1937 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
1938 "Record layer version.", HFILL }
1940 { &hf_dtls_record_epoch,
1941 { "Epoch", "dtls.record.epoch",
1942 FT_UINT16, BASE_DEC, NULL, 0x0,
1945 { &hf_dtls_record_sequence_number,
1946 { "Sequence Number", "dtls.record.sequence_number",
1947 FT_DOUBLE, BASE_NONE, NULL, 0x0,
1950 { &hf_dtls_record_length,
1951 { "Length", "dtls.record.length",
1952 FT_UINT16, BASE_DEC, NULL, 0x0,
1953 "Length of DTLS record data", HFILL }
1955 { &hf_dtls_record_appdata,
1956 { "Encrypted Application Data", "dtls.app_data",
1957 FT_BYTES, BASE_NONE, NULL, 0x0,
1958 "Payload is encrypted application data", HFILL }
1960 { &hf_dtls_change_cipher_spec,
1961 { "Change Cipher Spec Message", "dtls.change_cipher_spec",
1962 FT_NONE, BASE_NONE, NULL, 0x0,
1963 "Signals a change in cipher specifications", HFILL }
1965 { & hf_dtls_alert_message,
1966 { "Alert Message", "dtls.alert_message",
1967 FT_NONE, BASE_NONE, NULL, 0x0,
1968 "Alert message", HFILL }
1970 { & hf_dtls_alert_message_level,
1971 { "Level", "dtls.alert_message.level",
1972 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_level), 0x0,
1973 "Alert message level", HFILL }
1975 { &hf_dtls_alert_message_description,
1976 { "Description", "dtls.alert_message.desc",
1977 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_description), 0x0,
1978 "Alert message description", HFILL }
1980 { &hf_dtls_handshake_protocol,
1981 { "Handshake Protocol", "dtls.handshake",
1982 FT_NONE, BASE_NONE, NULL, 0x0,
1983 "Handshake protocol message", HFILL}
1985 { &hf_dtls_handshake_type,
1986 { "Handshake Type", "dtls.handshake.type",
1987 FT_UINT8, BASE_DEC, VALS(ssl_31_handshake_type), 0x0,
1988 "Type of handshake message", HFILL}
1990 { &hf_dtls_handshake_length,
1991 { "Length", "dtls.handshake.length",
1992 FT_UINT24, BASE_DEC, NULL, 0x0,
1993 "Length of handshake message", HFILL }
1995 { &hf_dtls_handshake_message_seq,
1996 { "Message Sequence", "dtls.handshake.message_seq",
1997 FT_UINT16, BASE_DEC, NULL, 0x0,
1998 "Message sequence of handshake message", HFILL }
2000 { &hf_dtls_handshake_fragment_offset,
2001 { "Fragment Offset", "dtls.handshake.fragment_offset",
2002 FT_UINT24, BASE_DEC, NULL, 0x0,
2003 "Fragment offset of handshake message", HFILL }
2005 { &hf_dtls_handshake_fragment_length,
2006 { "Fragment Length", "dtls.handshake.fragment_length",
2007 FT_UINT24, BASE_DEC, NULL, 0x0,
2008 "Fragment length of handshake message", HFILL }
2010 { &hf_dtls_handshake_client_version,
2011 { "Version", "dtls.handshake.version",
2012 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2013 "Maximum version supported by client", HFILL }
2015 { &hf_dtls_handshake_server_version,
2016 { "Version", "dtls.handshake.version",
2017 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2018 "Version selected by server", HFILL }
2020 { &hf_dtls_handshake_random_time,
2021 { "Random.gmt_unix_time", "dtls.handshake.random_time",
2022 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
2023 "Unix time field of random structure", HFILL }
2025 { &hf_dtls_handshake_random_bytes,
2026 { "Random.bytes", "dtls.handshake.random",
2027 FT_NONE, BASE_NONE, NULL, 0x0,
2028 "Random challenge used to authenticate server", HFILL }
2030 { &hf_dtls_handshake_cipher_suites_len,
2031 { "Cipher Suites Length", "dtls.handshake.cipher_suites_length",
2032 FT_UINT16, BASE_DEC, NULL, 0x0,
2033 "Length of cipher suites field", HFILL }
2035 { &hf_dtls_handshake_cipher_suites,
2036 { "Cipher Suites", "dtls.handshake.ciphersuites",
2037 FT_NONE, BASE_NONE, NULL, 0x0,
2038 "List of cipher suites supported by client", HFILL }
2040 { &hf_dtls_handshake_cipher_suite,
2041 { "Cipher Suite", "dtls.handshake.ciphersuite",
2042 FT_UINT16, BASE_HEX, VALS(ssl_31_ciphersuite), 0x0,
2045 { &hf_dtls_handshake_cookie_len,
2046 { "Cookie Length", "dtls.handshake.cookie_length",
2047 FT_UINT8, BASE_DEC, NULL, 0x0,
2048 "Length of the cookie field", HFILL }
2050 { &hf_dtls_handshake_cookie,
2051 { "Cookie", "dtls.handshake.cookie",
2052 FT_BYTES, BASE_NONE, NULL, 0x0,
2055 { &hf_dtls_handshake_session_id,
2056 { "Session ID", "dtls.handshake.session_id",
2057 FT_BYTES, BASE_NONE, NULL, 0x0,
2058 "Identifies the DTLS session, allowing later resumption", HFILL }
2060 { &hf_dtls_handshake_comp_methods_len,
2061 { "Compression Methods Length", "dtls.handshake.comp_methods_length",
2062 FT_UINT8, BASE_DEC, NULL, 0x0,
2063 "Length of compression methods field", HFILL }
2065 { &hf_dtls_handshake_comp_methods,
2066 { "Compression Methods", "dtls.handshake.comp_methods",
2067 FT_NONE, BASE_NONE, NULL, 0x0,
2068 "List of compression methods supported by client", HFILL }
2070 { &hf_dtls_handshake_comp_method,
2071 { "Compression Method", "dtls.handshake.comp_method",
2072 FT_UINT8, BASE_DEC, VALS(ssl_31_compression_method), 0x0,
2075 { &hf_dtls_handshake_extensions_len,
2076 { "Extensions Length", "dtls.handshake.extensions_length",
2077 FT_UINT16, BASE_DEC, NULL, 0x0,
2078 "Length of hello extensions", HFILL }
2080 { &hf_dtls_handshake_extension_type,
2081 { "Type", "dtls.handshake.extension.type",
2082 FT_UINT16, BASE_HEX, VALS(tls_hello_extension_types), 0x0,
2083 "Hello extension type", HFILL }
2085 { &hf_dtls_handshake_extension_len,
2086 { "Length", "dtls.handshake.extension.len",
2087 FT_UINT16, BASE_DEC, NULL, 0x0,
2088 "Length of a hello extension", HFILL }
2090 { &hf_dtls_handshake_extension_data,
2091 { "Data", "dtls.handshake.extension.data",
2092 FT_BYTES, BASE_NONE, NULL, 0x0,
2093 "Hello Extension data", HFILL }
2095 { &hf_dtls_handshake_certificates_len,
2096 { "Certificates Length", "dtls.handshake.certificates_length",
2097 FT_UINT24, BASE_DEC, NULL, 0x0,
2098 "Length of certificates field", HFILL }
2100 { &hf_dtls_handshake_certificates,
2101 { "Certificates", "dtls.handshake.certificates",
2102 FT_NONE, BASE_NONE, NULL, 0x0,
2103 "List of certificates", HFILL }
2105 { &hf_dtls_handshake_certificate,
2106 { "Certificate", "dtls.handshake.certificate",
2107 FT_BYTES, BASE_NONE, NULL, 0x0,
2110 { &hf_dtls_handshake_certificate_len,
2111 { "Certificate Length", "dtls.handshake.certificate_length",
2112 FT_UINT24, BASE_DEC, NULL, 0x0,
2113 "Length of certificate", HFILL }
2115 { &hf_dtls_handshake_cert_types_count,
2116 { "Certificate types count", "dtls.handshake.cert_types_count",
2117 FT_UINT8, BASE_DEC, NULL, 0x0,
2118 "Count of certificate types", HFILL }
2120 { &hf_dtls_handshake_cert_types,
2121 { "Certificate types", "dtls.handshake.cert_types",
2122 FT_NONE, BASE_NONE, NULL, 0x0,
2123 "List of certificate types", HFILL }
2125 { &hf_dtls_handshake_cert_type,
2126 { "Certificate type", "dtls.handshake.cert_type",
2127 FT_UINT8, BASE_DEC, VALS(ssl_31_client_certificate_type), 0x0,
2130 { &hf_dtls_handshake_finished,
2131 { "Verify Data", "dtls.handshake.verify_data",
2132 FT_NONE, BASE_NONE, NULL, 0x0,
2133 "Opaque verification data", HFILL }
2135 { &hf_dtls_handshake_md5_hash,
2136 { "MD5 Hash", "dtls.handshake.md5_hash",
2137 FT_NONE, BASE_NONE, NULL, 0x0,
2138 "Hash of messages, master_secret, etc.", HFILL }
2140 { &hf_dtls_handshake_sha_hash,
2141 { "SHA-1 Hash", "dtls.handshake.sha_hash",
2142 FT_NONE, BASE_NONE, NULL, 0x0,
2143 "Hash of messages, master_secret, etc.", HFILL }
2145 { &hf_dtls_handshake_session_id_len,
2146 { "Session ID Length", "dtls.handshake.session_id_length",
2147 FT_UINT8, BASE_DEC, NULL, 0x0,
2148 "Length of session ID field", HFILL }
2150 { &hf_dtls_handshake_dnames_len,
2151 { "Distinguished Names Length", "dtls.handshake.dnames_len",
2152 FT_UINT16, BASE_DEC, NULL, 0x0,
2153 "Length of list of CAs that server trusts", HFILL }
2155 { &hf_dtls_handshake_dnames,
2156 { "Distinguished Names", "dtls.handshake.dnames",
2157 FT_NONE, BASE_NONE, NULL, 0x0,
2158 "List of CAs that server trusts", HFILL }
2160 { &hf_dtls_handshake_dname_len,
2161 { "Distinguished Name Length", "dtls.handshake.dname_len",
2162 FT_UINT16, BASE_DEC, NULL, 0x0,
2163 "Length of distinguished name", HFILL }
2165 { &hf_dtls_handshake_dname,
2166 { "Distinguished Name", "dtls.handshake.dname",
2167 FT_BYTES, BASE_NONE, NULL, 0x0,
2168 "Distinguished name of a CA that server trusts", HFILL }
2170 { &hf_dtls_fragments,
2171 { "Message fragments", "dtls.fragments",
2172 FT_NONE, BASE_NONE, NULL, 0x00, NULL, HFILL }
2174 { &hf_dtls_fragment,
2175 { "Message fragment", "dtls.fragment",
2176 FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL }
2178 { &hf_dtls_fragment_overlap,
2179 { "Message fragment overlap", "dtls.fragment.overlap",
2180 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }
2182 { &hf_dtls_fragment_overlap_conflicts,
2183 { "Message fragment overlapping with conflicting data",
2184 "dtls.fragment.overlap.conflicts",
2185 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }
2187 { &hf_dtls_fragment_multiple_tails,
2188 { "Message has multiple tail fragments",
2189 "dtls.fragment.multiple_tails",
2190 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }
2192 { &hf_dtls_fragment_too_long_fragment,
2193 { "Message fragment too long", "dtls.fragment.too_long_fragment",
2194 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }
2196 { &hf_dtls_fragment_error,
2197 { "Message defragmentation error", "dtls.fragment.error",
2198 FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL }
2200 { &hf_dtls_reassembled_in,
2201 { "Reassembled in", "dtls.reassembled.in",
2202 FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL }
2204 { &hf_dtls_reassembled_length,
2205 { "Reassembled DTLS length", "dtls.reassembled.length",
2206 FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL }
2210 /* Setup protocol subtree array */
2211 static gint *ett[] = {
2215 &ett_dtls_handshake,
2216 &ett_dtls_cipher_suites,
2217 &ett_dtls_comp_methods,
2218 &ett_dtls_extension,
2220 &ett_dtls_cert_types,
2223 &ett_dtls_fragments,
2226 /* Register the protocol name and description */
2227 proto_dtls = proto_register_protocol("Datagram Transport Layer Security",
2230 /* Required function calls to register the header fields and
2232 proto_register_field_array(proto_dtls, hf, array_length(hf));
2233 proto_register_subtree_array(ett, array_length(ett));
2235 #ifdef HAVE_LIBGNUTLS
2237 module_t *dtls_module = prefs_register_protocol(proto_dtls, dtls_parse);
2238 prefs_register_string_preference(dtls_module, "keys_list", "RSA keys list",
2239 "semicolon separated list of private RSA keys used for DTLS decryption; "
2240 "each list entry must be in the form of <ip>,<port>,<protocol>,<key_file_name>"
2241 "<key_file_name> is the local file name of the RSA private key used by the specified server\n",
2242 (const gchar **)&dtls_keys_list);
2243 prefs_register_string_preference(dtls_module, "debug_file", "DTLS debug file",
2244 "redirect dtls debug to file name; leave empty to disable debug, "
2245 "use \"" SSL_DEBUG_USE_STDERR "\" to redirect output to stderr\n",
2246 (const gchar **)&dtls_debug_file_name);
2250 register_dissector("dtls", dissect_dtls, proto_dtls);
2251 dtls_handle = find_dissector("dtls");
2253 dtls_associations = g_tree_new(ssl_association_cmp);
2255 register_init_routine(dtls_init);
2257 dtls_tap = register_tap("dtls");
2258 ssl_debug_printf("proto_register_dtls: registered tap %s:%d\n",
2262 /* If this dissector uses sub-dissector registration add a registration
2263 * routine. This format is required because a script is used to find
2264 * these routines and create the code that calls these routines.
2267 proto_reg_handoff_dtls(void)
2270 /* add now dissector to default ports.*/