2 * Routines for dtls dissection
3 * Copyright (c) 2006, Authesserre Samuel <sauthess@gmail.com>
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
26 * DTLS dissection and decryption.
27 * See RFC 4347 for details about DTLS specs.
30 * This dissector is based on TLS one (packet-ssl.c) because of the proximity of DTLS and TLS, decryption works like him with RSA key exchange.
31 * It uses the sames things (file, libraries) that SSL one (gnutls, packet-ssl-utils.h) to make it easily maintenable.
33 * It was developped to dissect and decrypt OpenSSL v 0.9.8b DTLS implementation.
34 * It is limited to this implementation while there is no complete implementation.
38 * - DTLS decryption (openssl one)
41 * - activate correct Mac calculation when openssl will be corrected
42 * (or if an other implementation works),
43 * corrected code is ready and commented in packet-ssl-utils.h file.
44 * - add missings things (desegmentation, reordering... that aren't present in actual OpenSSL implementation)
55 #include <sys/types.h>
56 #ifdef HAVE_SYS_SOCKET_H
57 #include <sys/socket.h>
62 #include <epan/conversation.h>
63 #include <epan/prefs.h>
64 #include <epan/inet_v6defs.h>
65 #include <epan/asn1.h>
66 #include <epan/dissectors/packet-x509af.h>
67 #include <epan/emem.h>
69 #include "packet-ssl-utils.h"
71 extern const gchar *ssl_version_short_names[];
73 /* we need to remember the top tree so that subdissectors we call are created
74 * at the root and not deep down inside the DTLS decode
76 static proto_tree *top_tree;
78 /*********************************************************************
80 * Protocol Constants, Variables, Data Structures
82 *********************************************************************/
84 /* Initialize the protocol and registered fields */
85 static gint dtls_tap = -1;
86 static gint proto_dtls = -1;
87 static gint hf_dtls_record = -1;
88 static gint hf_dtls_record_content_type = -1;
89 static gint hf_dtls_record_version = -1;
90 static gint hf_dtls_record_epoch = -1;
91 static gint hf_dtls_record_sequence_number = -1;
92 static gint hf_dtls_record_length = -1;
93 static gint hf_dtls_record_appdata = -1;
94 static gint hf_dtls_change_cipher_spec = -1;
95 static gint hf_dtls_alert_message = -1;
96 static gint hf_dtls_alert_message_level = -1;
97 static gint hf_dtls_alert_message_description = -1;
98 static gint hf_dtls_handshake_protocol = -1;
99 static gint hf_dtls_handshake_type = -1;
100 static gint hf_dtls_handshake_length = -1;
101 static gint hf_dtls_handshake_message_seq = -1;
102 static gint hf_dtls_handshake_fragment_offset = -1;
103 static gint hf_dtls_handshake_fragment_length = -1;
104 static gint hf_dtls_handshake_client_version = -1;
105 static gint hf_dtls_handshake_server_version = -1;
106 static gint hf_dtls_handshake_random_time = -1;
107 static gint hf_dtls_handshake_random_bytes = -1;
108 static gint hf_dtls_handshake_cookie_len = -1;
109 static gint hf_dtls_handshake_cookie = -1;
110 static gint hf_dtls_handshake_cipher_suites_len = -1;
111 static gint hf_dtls_handshake_cipher_suites = -1;
112 static gint hf_dtls_handshake_cipher_suite = -1;
113 static gint hf_dtls_handshake_session_id = -1;
114 static gint hf_dtls_handshake_comp_methods_len = -1;
115 static gint hf_dtls_handshake_comp_methods = -1;
116 static gint hf_dtls_handshake_comp_method = -1;
117 static gint hf_dtls_handshake_extensions_len = -1;
118 static gint hf_dtls_handshake_extension_type = -1;
119 static gint hf_dtls_handshake_extension_len = -1;
120 static gint hf_dtls_handshake_extension_data = -1;
121 static gint hf_dtls_handshake_certificates_len = -1;
122 static gint hf_dtls_handshake_certificates = -1;
123 static gint hf_dtls_handshake_certificate = -1;
124 static gint hf_dtls_handshake_certificate_len = -1;
125 static gint hf_dtls_handshake_cert_types_count = -1;
126 static gint hf_dtls_handshake_cert_types = -1;
127 static gint hf_dtls_handshake_cert_type = -1;
128 static gint hf_dtls_handshake_finished = -1;
129 static gint hf_dtls_handshake_md5_hash = -1;
130 static gint hf_dtls_handshake_sha_hash = -1;
131 static gint hf_dtls_handshake_session_id_len = -1;
132 static gint hf_dtls_handshake_dnames_len = -1;
133 static gint hf_dtls_handshake_dnames = -1;
134 static gint hf_dtls_handshake_dname_len = -1;
135 static gint hf_dtls_handshake_dname = -1;
137 /* Initialize the subtree pointers */
138 static gint ett_dtls = -1;
139 static gint ett_dtls_record = -1;
140 static gint ett_dtls_alert = -1;
141 static gint ett_dtls_handshake = -1;
142 static gint ett_dtls_cipher_suites = -1;
143 static gint ett_dtls_comp_methods = -1;
144 static gint ett_dtls_extension = -1;
145 static gint ett_dtls_certs = -1;
146 static gint ett_dtls_cert_types = -1;
147 static gint ett_dtls_dnames = -1;
149 static GHashTable *dtls_session_hash = NULL;
150 static GHashTable *dtls_key_hash = NULL;
151 static GTree* dtls_associations = NULL;
152 static dissector_handle_t dtls_handle = NULL;
153 static StringInfo dtls_compressed_data = {NULL, 0};
154 static StringInfo dtls_decrypted_data = {NULL, 0};
155 static gint dtls_decrypted_data_avail = 0;
157 static gchar* dtls_keys_list = NULL;
158 #ifdef HAVE_LIBGNUTLS
159 static gchar* dtls_debug_file_name = NULL;
162 /* initialize/reset per capture state data (dtls sessions cache) */
166 ssl_common_init(&dtls_session_hash, &dtls_decrypted_data, &dtls_compressed_data);
169 /* parse dtls related preferences (private keys and ports association strings) */
173 ep_stack_t tmp_stack;
174 SslAssociation *tmp_assoc;
178 g_hash_table_foreach(dtls_key_hash, ssl_private_key_free, NULL);
179 g_hash_table_destroy(dtls_key_hash);
182 /* remove only associations created from key list */
183 tmp_stack = ep_stack_new();
184 g_tree_traverse(dtls_associations, ssl_assoc_from_key_list, G_IN_ORDER, tmp_stack);
185 while ((tmp_assoc = ep_stack_pop(tmp_stack)) != NULL) {
186 ssl_association_remove(dtls_associations, tmp_assoc);
189 /* parse private keys string, load available keys and put them in key hash*/
190 dtls_key_hash = g_hash_table_new(ssl_private_key_hash, ssl_private_key_equal);
192 if (dtls_keys_list && (dtls_keys_list[0] != 0))
194 ssl_parse_key_list(dtls_keys_list,dtls_key_hash,dtls_associations,dtls_handle,FALSE);
197 ssl_set_debug(dtls_debug_file_name);
199 /* [re] add dtls dissection to default port in openssl 0.9.8b implementation */
200 ssl_association_add(dtls_associations, dtls_handle, 4433, "http", FALSE,FALSE);
204 * DTLS Dissection Routines
208 /* record layer dissector */
209 static gint dissect_dtls_record(tvbuff_t *tvb, packet_info *pinfo,
210 proto_tree *tree, guint32 offset,
212 SslDecryptSession *conv_data);
214 /* change cipher spec dissector */
215 static void dissect_dtls_change_cipher_spec(tvbuff_t *tvb,
218 guint *conv_version, guint8 content_type);
220 /* alert message dissector */
221 static void dissect_dtls_alert(tvbuff_t *tvb, packet_info *pinfo,
222 proto_tree *tree, guint32 offset,
223 guint *conv_version);
225 /* handshake protocol dissector */
226 static void dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo,
227 proto_tree *tree, guint32 offset,
228 guint32 record_length,
230 SslDecryptSession *conv_data, guint8 content_type);
233 static void dissect_dtls_hnd_cli_hello(tvbuff_t *tvb,
235 guint32 offset, guint32 length,
236 SslDecryptSession* ssl);
238 static void dissect_dtls_hnd_hello_verify_request(tvbuff_t *tvb,
241 SslDecryptSession* ssl);
243 static void dissect_dtls_hnd_srv_hello(tvbuff_t *tvb,
245 guint32 offset, guint32 length,
246 SslDecryptSession* ssl);
248 static void dissect_dtls_hnd_cert(tvbuff_t *tvb,
249 proto_tree *tree, guint32 offset, packet_info *pinfo);
251 static void dissect_dtls_hnd_cert_req(tvbuff_t *tvb,
255 static void dissect_dtls_hnd_finished(tvbuff_t *tvb,
258 guint* conv_version);
264 /*static void ssl_set_conv_version(packet_info *pinfo, guint version);*/
265 static gint dtls_is_valid_handshake_type(guint8 type);
267 static gint dtls_is_authoritative_version_message(guint8 content_type,
269 static gint looks_like_dtls(tvbuff_t *tvb, guint32 offset);
271 /*********************************************************************
275 *********************************************************************/
277 * Code to actually dissect the packets
280 dissect_dtls(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
283 conversation_t *conversation;
286 proto_tree *dtls_tree;
288 gboolean first_record_in_frame;
289 SslDecryptSession* ssl_session;
294 first_record_in_frame = TRUE;
298 /* Track the version using conversations allows
299 * us to more frequently set the protocol column properly
300 * for continuation data frames.
302 * Also: We use the copy in conv_version as our cached copy,
303 * so that we don't have to search the conversation
304 * table every time we want the version; when setting
305 * the conv_version, must set the copy in the conversation
306 * in addition to conv_version
308 conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
309 pinfo->srcport, pinfo->destport, 0);
312 /* create a new conversation */
313 conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
314 pinfo->srcport, pinfo->destport, 0);
316 conv_data = conversation_get_proto_data(conversation, proto_dtls);
318 /* manage dtls decryption data */
319 /*get a valid ssl session pointer*/
320 if (conv_data != NULL)
321 ssl_session = conv_data;
325 ssl_session = se_alloc0(sizeof(SslDecryptSession));
326 ssl_session_init(ssl_session);
327 ssl_session->version = SSL_VER_UNKNOWN;
328 conversation_add_proto_data(conversation, proto_dtls, ssl_session);
330 /* we need to know witch side of conversation is speaking */
331 if (ssl_packet_from_server(dtls_associations, pinfo->srcport, pinfo->ptype == PT_TCP)) {
332 dummy.addr = pinfo->src;
333 dummy.port = pinfo->srcport;
336 dummy.addr = pinfo->dst;
337 dummy.port = pinfo->destport;
339 ssl_debug_printf("dissect_dtls server %s:%d\n",
340 address_to_str(&dummy.addr),dummy.port);
342 /* try to retrive private key for this service. Do it now 'cause pinfo
343 * is not always available
344 * Note that with HAVE_LIBGNUTLS undefined private_key is allways 0
345 * and thus decryption never engaged*/
346 ssl_session->private_key = g_hash_table_lookup(dtls_key_hash, &dummy);
347 if (!ssl_session->private_key)
348 ssl_debug_printf("dissect_dtls can't find private key for this server!\n");
350 conv_version= & ssl_session->version;
352 /* try decryption only the first time we see this packet
353 * (to keep cipher syncronized)and only if we have
354 * the server private key*/
355 if (!ssl_session->private_key || pinfo->fd->flags.visited)
358 /* Initialize the protocol column; we'll set it later when we
359 * figure out what flavor of DTLS it is (actually only one
361 if (check_col(pinfo->cinfo, COL_PROTOCOL))
363 col_set_str(pinfo->cinfo, COL_PROTOCOL, "DTLS");
366 /* clear the the info column */
367 if (check_col(pinfo->cinfo, COL_INFO))
368 col_clear(pinfo->cinfo, COL_INFO);
370 /* Create display subtree for SSL as a whole */
373 ti = proto_tree_add_item(tree, proto_dtls, tvb, 0, -1, FALSE);
374 dtls_tree = proto_item_add_subtree(ti, ett_dtls);
377 /* iterate through the records in this tvbuff */
378 while (tvb_reported_length_remaining(tvb, offset) != 0)
380 /* on second and subsequent records per frame
381 * add a delimiter on info column
383 if (!first_record_in_frame
384 && check_col(pinfo->cinfo, COL_INFO))
386 col_append_str(pinfo->cinfo, COL_INFO, ", ");
389 /* first try to dispatch off the cached version
390 * known to be associated with the conversation
392 switch(*conv_version) {
394 offset = dissect_dtls_record(tvb, pinfo, dtls_tree,
395 offset, conv_version,
399 /* that failed, so apply some heuristics based
400 * on this individual packet
403 if (looks_like_dtls(tvb, offset))
405 /* looks like dtls */
406 offset = dissect_dtls_record(tvb, pinfo, dtls_tree,
407 offset, conv_version,
412 /* looks like something unknown, so lump into
415 offset = tvb_length(tvb);
416 if (check_col(pinfo->cinfo, COL_INFO))
417 col_append_str(pinfo->cinfo, COL_INFO,
418 "Continuation Data");
420 /* Set the protocol column */
421 if (check_col(pinfo->cinfo, COL_PROTOCOL))
423 col_set_str(pinfo->cinfo, COL_PROTOCOL,"DTLS");
429 /* set up for next record in frame, if any */
430 first_record_in_frame = FALSE;
433 tap_queue_packet(dtls_tap, pinfo, NULL);
437 decrypt_dtls_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset,
438 guint32 record_length, guint8 content_type, SslDecryptSession* ssl,
439 gboolean save_plaintext)
446 /* if we can decrypt and decryption have success
447 * add decrypted data to this packet info */
448 ssl_debug_printf("decrypt_dtls_record: app_data len %d ssl state %X\n",
449 record_length, ssl->state);
450 if (!(ssl->state & SSL_HAVE_SESSION_KEY)) {
451 ssl_debug_printf("decrypt_dtls_record: no session key\n");
455 /* retrive decoder for this packet direction */
456 if ((direction = ssl_packet_from_server(dtls_associations, pinfo->srcport, pinfo->ptype == PT_TCP)) != 0) {
457 ssl_debug_printf("decrypt_dtls_record: using server decoder\n");
458 decoder = ssl->server;
461 ssl_debug_printf("decrypt_dtls_record: using client decoder\n");
462 decoder = ssl->client;
465 /* ensure we have enough storage space for decrypted data */
466 if (record_length > dtls_decrypted_data.data_len)
468 ssl_debug_printf("decrypt_dtls_record: allocating %d bytes"
469 " for decrypt data (old len %d)\n",
470 record_length + 32, dtls_decrypted_data.data_len);
471 dtls_decrypted_data.data = g_realloc(dtls_decrypted_data.data,
473 dtls_decrypted_data.data_len = record_length + 32;
476 /* run decryption and add decrypted payload to protocol data, if decryption
478 dtls_decrypted_data_avail = dtls_decrypted_data.data_len;
479 if (ssl_decrypt_record(ssl, decoder,
480 content_type, tvb_get_ptr(tvb, offset, record_length),
481 record_length, &dtls_compressed_data, &dtls_decrypted_data, &dtls_decrypted_data_avail) == 0)
484 if (ret && save_plaintext) {
485 ssl_add_data_info(proto_dtls, pinfo, dtls_decrypted_data.data, dtls_decrypted_data_avail, TVB_RAW_OFFSET(tvb)+offset, 0);
495 /*********************************************************************
497 * DTLS Dissection Routines
499 *********************************************************************/
501 dissect_dtls_record(tvbuff_t *tvb, packet_info *pinfo,
502 proto_tree *tree, guint32 offset,
504 SslDecryptSession* ssl)
509 * uint8 major, minor;
514 * change_cipher_spec(20), alert(21), handshake(22),
515 * application_data(23), (255)
520 * ProtocolVersion version;
521 * uint16 epoch; // New field
522 * uint48 sequence_number; // New field
524 * opaque fragment[TLSPlaintext.length];
527 guint32 record_length;
530 gdouble sequence_number;
531 gint64 sequence_number_temp;
535 proto_tree *dtls_record_tree;
536 guint32 available_bytes;
537 SslAssociation* association;
538 SslDataInfo *appl_data;
540 dtls_record_tree = NULL;
541 available_bytes = tvb_length_remaining(tvb, offset);
544 * Get the record layer fields of interest
546 content_type = tvb_get_guint8(tvb, offset);
547 version = tvb_get_ntohs(tvb, offset + 1);
548 epoch = tvb_get_ntohs(tvb, offset + 3);
549 sequence_number = tvb_get_ntohl(tvb, offset + 7);
550 sequence_number_temp=tvb_get_ntohs(tvb, offset + 5);
551 sequence_number_temp=sequence_number_temp<<32;
552 sequence_number+=sequence_number_temp;
553 record_length = tvb_get_ntohs(tvb, offset + 11);
556 if(ssl_packet_from_server(dtls_associations, pinfo->srcport, pinfo->ptype == PT_TCP)){
558 ssl->server->seq=(guint32)sequence_number;
559 ssl->server->epoch=epoch;
564 ssl->client->seq=(guint32)sequence_number;
565 ssl->client->epoch=epoch;
569 if (!ssl_is_valid_content_type(content_type)) {
571 /* if we don't have a valid content_type, there's no sense
572 * continuing any further
574 if (check_col(pinfo->cinfo, COL_INFO))
575 col_append_str(pinfo->cinfo, COL_INFO, "Continuation Data");
577 /* Set the protocol column */
578 if (check_col(pinfo->cinfo, COL_PROTOCOL))
580 col_set_str(pinfo->cinfo, COL_PROTOCOL,"DTLS");
582 return offset + 13 + record_length;
586 * If GUI, fill in record layer part of tree
591 /* add the record layer subtree header */
592 tvb_ensure_bytes_exist(tvb, offset, 13 + record_length);
593 ti = proto_tree_add_item(tree, hf_dtls_record, tvb,
594 offset, 13 + record_length, 0);
595 dtls_record_tree = proto_item_add_subtree(ti, ett_dtls_record);
598 if (dtls_record_tree)
601 /* show the one-byte content type */
602 proto_tree_add_item(dtls_record_tree, hf_dtls_record_content_type,
603 tvb, offset, 1, FALSE);
606 /* add the version */
607 proto_tree_add_item(dtls_record_tree, hf_dtls_record_version, tvb,
612 proto_tree_add_uint(dtls_record_tree, hf_dtls_record_epoch, tvb, offset, 2, epoch);
616 /* add sequence_number */
618 proto_tree_add_double(dtls_record_tree, hf_dtls_record_sequence_number, tvb, offset, 6, sequence_number);
623 proto_tree_add_uint(dtls_record_tree, hf_dtls_record_length, tvb,
624 offset, 2, record_length);
625 offset += 2; /* move past length field itself */
630 /* if no GUI tree, then just skip over those fields */
636 * if we don't already have a version set for this conversation,
637 * but this message's version is authoritative (i.e., it's
638 * not client_hello, then save the version to to conversation
639 * structure and print the column version
641 next_byte = tvb_get_guint8(tvb, offset);
642 if (*conv_version == SSL_VER_UNKNOWN
643 && dtls_is_authoritative_version_message(content_type, next_byte))
645 if (version == DTLSV1DOT0_VERSION)
648 *conv_version = SSL_VER_DTLS;
650 ssl->version_netorder = version;
651 ssl->state |= SSL_VERSION;
653 /*ssl_set_conv_version(pinfo, ssl->version);*/
656 if (check_col(pinfo->cinfo, COL_PROTOCOL))
658 if (version == DTLSV1DOT0_VERSION)
660 col_set_str(pinfo->cinfo, COL_PROTOCOL,
661 ssl_version_short_names[SSL_VER_DTLS]);
665 col_set_str(pinfo->cinfo, COL_PROTOCOL,"DTLS");
670 * now dissect the next layer
672 ssl_debug_printf("dissect_dtls_record: content_type %d\n",content_type);
674 /* PAOLO try to decrypt each record (we must keep ciphers "in sync")
675 * store plain text only for app data */
677 switch (content_type) {
678 case SSL_ID_CHG_CIPHER_SPEC:
679 if (check_col(pinfo->cinfo, COL_INFO))
680 col_append_str(pinfo->cinfo, COL_INFO, "Change Cipher Spec");
681 dissect_dtls_change_cipher_spec(tvb, dtls_record_tree,
682 offset, conv_version, content_type);
688 if (ssl&&decrypt_dtls_record(tvb, pinfo, offset,
689 record_length, content_type, ssl, FALSE))
690 ssl_add_record_info(proto_dtls, pinfo, dtls_decrypted_data.data,
691 dtls_decrypted_data_avail, offset);
693 /* try to retrive and use decrypted alert record, if any. */
694 decrypted = ssl_get_record_info(proto_dtls, pinfo, offset);
696 dissect_dtls_alert(decrypted, pinfo, dtls_record_tree, 0,
699 dissect_dtls_alert(tvb, pinfo, dtls_record_tree, offset,
703 case SSL_ID_HANDSHAKE:
707 /* try to decrypt handshake record, if possible. Store decrypted
708 * record for later usage. The offset is used as 'key' to itentify
709 * this record into the packet (we can have multiple handshake records
710 * in the same frame) */
711 if (ssl && decrypt_dtls_record(tvb, pinfo, offset,
712 record_length, content_type, ssl, FALSE))
713 ssl_add_record_info(proto_dtls, pinfo, dtls_decrypted_data.data,
714 dtls_decrypted_data_avail, offset);
716 /* try to retrive and use decrypted handshake record, if any. */
717 decrypted = ssl_get_record_info(proto_dtls, pinfo, offset);
719 dissect_dtls_handshake(decrypted, pinfo, dtls_record_tree, 0,
720 decrypted->length, conv_version, ssl, content_type);
722 dissect_dtls_handshake(tvb, pinfo, dtls_record_tree, offset,
723 record_length, conv_version, ssl, content_type);
726 case SSL_ID_APP_DATA:
728 decrypt_dtls_record(tvb, pinfo, offset,
729 record_length, content_type, ssl, TRUE);
731 /* show on info colum what we are decoding */
732 if (check_col(pinfo->cinfo, COL_INFO))
733 col_append_str(pinfo->cinfo, COL_INFO, "Application Data");
735 if (!dtls_record_tree)
738 /* we need dissector information when the selected packet is shown.
739 * ssl session pointer is NULL at that time, so we can't access
740 * info cached there*/
741 association = ssl_association_find(dtls_associations, pinfo->srcport, pinfo->ptype == PT_TCP);
742 association = association ? association: ssl_association_find(dtls_associations, pinfo->destport, pinfo->ptype == PT_TCP);
744 proto_item_set_text(dtls_record_tree,
745 "%s Record Layer: %s Protocol: %s",
746 ssl_version_short_names[*conv_version],
747 val_to_str(content_type, ssl_31_content_type, "unknown"),
748 association?association->info:"Application Data");
750 proto_tree_add_item(dtls_record_tree, hf_dtls_record_appdata, tvb,
751 offset, record_length, 0);
753 /* show decrypted data info, if available */
754 appl_data = ssl_get_data_info(proto_dtls, pinfo, TVB_RAW_OFFSET(tvb)+offset);
755 if (appl_data && (appl_data->plain_data.data_len > 0))
758 /* try to dissect decrypted data*/
759 ssl_debug_printf("dissect_dtls_record decrypted len %d\n",
760 appl_data->plain_data.data_len);
762 /* create a new TVB structure for desegmented data */
763 next_tvb = tvb_new_real_data(appl_data->plain_data.data, appl_data->plain_data.data_len, appl_data->plain_data.data_len);
765 /* add this tvb as a child to the original one */
766 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
768 add_new_data_source(pinfo, next_tvb, "Decrypted DTLS data");
770 /* find out a dissector using server port*/
771 if (association && association->handle) {
772 ssl_debug_printf("dissect_dtls_record found association %p\n", association);
773 ssl_print_text_data("decrypted app data",appl_data->plain_data.data, appl_data->plain_data.data_len);
775 call_dissector(association->handle, next_tvb, pinfo, top_tree);
781 /* shouldn't get here since we check above for valid types */
782 if (check_col(pinfo->cinfo, COL_INFO))
783 col_append_str(pinfo->cinfo, COL_INFO, "Bad DTLS Content Type");
786 offset += record_length; /* skip to end of record */
791 /* dissects the change cipher spec procotol, filling in the tree */
793 dissect_dtls_change_cipher_spec(tvbuff_t *tvb,
794 proto_tree *tree, guint32 offset,
795 guint* conv_version, guint8 content_type)
799 * enum { change_cipher_spec(1), (255) } type;
800 * } ChangeCipherSpec;
805 proto_item_set_text(tree,
806 "%s Record Layer: %s Protocol: Change Cipher Spec",
807 ssl_version_short_names[*conv_version],
808 val_to_str(content_type, ssl_31_content_type, "unknown"));
809 proto_tree_add_item(tree, hf_dtls_change_cipher_spec, tvb,
814 /* dissects the alert message, filling in the tree */
816 dissect_dtls_alert(tvbuff_t *tvb, packet_info *pinfo,
817 proto_tree *tree, guint32 offset,
822 * AlertDescription description;
826 proto_tree *ssl_alert_tree;
830 ssl_alert_tree = NULL;
834 ti = proto_tree_add_item(tree, hf_dtls_alert_message, tvb,
836 ssl_alert_tree = proto_item_add_subtree(ti, ett_dtls_alert);
840 * set the record layer label
843 /* first lookup the names for the alert level and description */
844 byte = tvb_get_guint8(tvb, offset); /* grab the level byte */
845 level = match_strval(byte, ssl_31_alert_level);
847 byte = tvb_get_guint8(tvb, offset+1); /* grab the desc byte */
848 desc = match_strval(byte, ssl_31_alert_description);
850 /* now set the text in the record layer line */
853 if (check_col(pinfo->cinfo, COL_INFO))
854 col_append_fstr(pinfo->cinfo, COL_INFO,
855 "Alert (Level: %s, Description: %s)",
860 if (check_col(pinfo->cinfo, COL_INFO))
861 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted Alert");
868 proto_item_set_text(tree, "%s Record Layer: Alert "
869 "(Level: %s, Description: %s)",
870 ssl_version_short_names[*conv_version],
872 proto_tree_add_item(ssl_alert_tree, hf_dtls_alert_message_level,
873 tvb, offset++, 1, FALSE);
875 proto_tree_add_item(ssl_alert_tree, hf_dtls_alert_message_description,
876 tvb, offset++, 1, FALSE);
880 proto_item_set_text(tree,
881 "%s Record Layer: Encrypted Alert",
882 ssl_version_short_names[*conv_version]);
883 proto_item_set_text(ssl_alert_tree,
884 "Alert Message: Encrypted Alert");
890 /* dissects the handshake protocol, filling the tree */
892 dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo,
893 proto_tree *tree, guint32 offset,
894 guint32 record_length, guint *conv_version,
895 SslDecryptSession* ssl, guint8 content_type)
898 * HandshakeType msg_type;
900 * uint16 message_seq; //new field
901 * uint24 fragment_offset; //new field
902 * uint24 fragment_length; //new field
903 * select (HandshakeType) {
904 * case hello_request: HelloRequest;
905 * case client_hello: ClientHello;
906 * case server_hello: ServerHello;
907 * case hello_verify_request: HelloVerifyRequest; //new field
908 * case certificate: Certificate;
909 * case server_key_exchange: ServerKeyExchange;
910 * case certificate_request: CertificateRequest;
911 * case server_hello_done: ServerHelloDone;
912 * case certificate_verify: CertificateVerify;
913 * case client_key_exchange: ClientKeyExchange;
914 * case finished: Finished;
919 proto_tree *ssl_hand_tree;
920 const gchar *msg_type_str;
924 guint32 fragment_offset;
925 guint32 fragment_length;
926 gboolean first_iteration;
928 ssl_hand_tree = NULL;
930 first_iteration = TRUE;
932 /* just as there can be multiple records per packet, there
933 * can be multiple messages per record as long as they have
934 * the same content type
936 * we really only care about this for handshake messages
939 /* set record_length to the max offset */
940 record_length += offset;
941 while (offset < record_length)
943 msg_type = tvb_get_guint8(tvb, offset);
944 msg_type_str = match_strval(msg_type, ssl_31_handshake_type);
945 length = tvb_get_ntoh24(tvb, offset + 1);
946 message_seq = tvb_get_ntohs(tvb,offset + 4);
947 fragment_offset = tvb_get_ntoh24(tvb, offset + 6);
948 fragment_length = tvb_get_ntoh24(tvb, offset + 9);
950 if (!msg_type_str && !first_iteration)
952 /* only dissect / report messages if they're
953 * either the first message in this record
954 * or they're a valid message type
959 /* on second and later iterations, add comma to info col */
960 if (!first_iteration)
962 if (check_col(pinfo->cinfo, COL_INFO))
963 col_append_fstr(pinfo->cinfo, COL_INFO, ", ");
967 * Update our info string
969 if (check_col(pinfo->cinfo, COL_INFO))
970 col_append_fstr(pinfo->cinfo, COL_INFO, "%s", (msg_type_str != NULL)
971 ? msg_type_str : "Encrypted Handshake Message");
975 /* set the label text on the record layer expanding node */
978 proto_item_set_text(tree, "%s Record Layer: %s Protocol: %s",
979 ssl_version_short_names[*conv_version],
980 val_to_str(content_type, ssl_31_content_type, "unknown"),
981 (msg_type_str!=NULL) ? msg_type_str :
982 "Encrypted Handshake Message");
986 proto_item_set_text(tree, "%s Record Layer: %s Protocol: %s",
987 ssl_version_short_names[*conv_version],
988 val_to_str(content_type, ssl_31_content_type, "unknown"),
989 "Multiple Handshake Messages");
992 /* add a subtree for the handshake protocol */
993 ti = proto_tree_add_item(tree, hf_dtls_handshake_protocol, tvb,
994 offset, length + 12, 0);
995 ssl_hand_tree = proto_item_add_subtree(ti, ett_dtls_handshake);
999 /* set the text label on the subtree node */
1000 proto_item_set_text(ssl_hand_tree, "Handshake Protocol: %s",
1001 (msg_type_str != NULL) ? msg_type_str :
1002 "Encrypted Handshake Message");
1006 /* if we don't have a valid handshake type, just quit dissecting */
1010 /* if we are doing ssl decryption we must dissect some requests type */
1011 if (ssl_hand_tree || ssl)
1013 /* add nodes for the message type and message length */
1015 proto_tree_add_item(ssl_hand_tree, hf_dtls_handshake_type,
1016 tvb, offset, 1, msg_type);
1019 proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_length,
1020 tvb, offset, 3, length);
1024 proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_message_seq,
1025 tvb, offset, 2, message_seq);
1028 proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_fragment_offset,
1029 tvb, offset, 3, fragment_offset);
1032 proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_fragment_length,
1033 tvb, offset, 3, fragment_length);
1036 /* now dissect the handshake message, if necessary */
1038 case SSL_HND_HELLO_REQUEST:
1039 /* hello_request has no fields, so nothing to do! */
1042 case SSL_HND_CLIENT_HELLO:
1043 dissect_dtls_hnd_cli_hello(tvb, ssl_hand_tree, offset, length, ssl);
1046 case SSL_HND_HELLO_VERIFY_REQUEST:
1047 dissect_dtls_hnd_hello_verify_request(tvb, ssl_hand_tree, offset, ssl);
1050 case SSL_HND_SERVER_HELLO:
1051 dissect_dtls_hnd_srv_hello(tvb, ssl_hand_tree, offset, length, ssl);
1054 case SSL_HND_CERTIFICATE:
1055 dissect_dtls_hnd_cert(tvb, ssl_hand_tree, offset, pinfo);
1058 case SSL_HND_SERVER_KEY_EXCHG:
1062 case SSL_HND_CERT_REQUEST:
1063 dissect_dtls_hnd_cert_req(tvb, ssl_hand_tree, offset);
1066 case SSL_HND_SVR_HELLO_DONE:
1067 /* server_hello_done has no fields, so nothing to do! */
1070 case SSL_HND_CERT_VERIFY:
1074 case SSL_HND_CLIENT_KEY_EXCHG:
1076 /* here we can have all the data to build session key */
1077 StringInfo encrypted_pre_master;
1079 guint encrlen = length, skip;
1085 /* check for required session data */
1086 ssl_debug_printf("dissect_dtls_handshake found SSL_HND_CLIENT_KEY_EXCHG state %X\n",
1088 if ((ssl->state & (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION)) !=
1089 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION)) {
1090 ssl_debug_printf("dissect_dtls_handshake not enough data to generate key (required %X)\n",
1091 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION));
1095 encrypted_pre_master.data = se_alloc(encrlen);
1096 encrypted_pre_master.data_len = encrlen;
1097 tvb_memcpy(tvb, encrypted_pre_master.data, offset+skip, encrlen);
1099 if (!ssl->private_key) {
1100 ssl_debug_printf("dissect_dtls_handshake can't find private key\n");
1104 /* go with ssl key processessing; encrypted_pre_master
1105 * will be used for master secret store*/
1106 ret = ssl_decrypt_pre_master_secret(ssl, &encrypted_pre_master, ssl->private_key);
1108 ssl_debug_printf("dissect_dtls_handshake can't decrypt pre master secret\n");
1111 if (ssl_generate_keyring_material(ssl)<0) {
1112 ssl_debug_printf("dissect_dtls_handshake can't generate keyring material\n");
1115 ssl->state |= SSL_HAVE_SESSION_KEY;
1116 ssl_save_session(ssl, dtls_session_hash);
1117 ssl_debug_printf("dissect_dtls_handshake session keys succesfully generated\n");
1121 case SSL_HND_FINISHED:
1122 dissect_dtls_hnd_finished(tvb, ssl_hand_tree,
1123 offset, conv_version);
1129 offset += 12; /* skip the handshake header when handshake is not processed*/
1132 first_iteration = FALSE; /* set up for next pass, if any */
1137 dissect_dtls_hnd_hello_common(tvbuff_t *tvb, proto_tree *tree,
1138 guint32 offset, SslDecryptSession* ssl, gint from_server)
1140 /* show the client's random challenge */
1141 nstime_t gmt_unix_time;
1142 guint8 session_id_length;
1143 session_id_length = 0;
1146 /* get proper peer information*/
1149 rnd = &ssl->server_random;
1151 rnd = &ssl->client_random;
1153 /* get provided random for keyring generation*/
1154 tvb_memcpy(tvb, rnd->data, offset, 32);
1157 ssl->state |= SSL_SERVER_RANDOM;
1159 ssl->state |= SSL_CLIENT_RANDOM;
1160 ssl_debug_printf("dissect_dtls_hnd_hello_common found random state %X\n",
1163 session_id_length = tvb_get_guint8(tvb, offset + 32);
1164 /* check stored session id info */
1165 if (from_server && (session_id_length == ssl->session_id.data_len) &&
1166 (tvb_memeql(tvb, offset+33, ssl->session_id.data, session_id_length) == 0))
1168 /* clinet/server id match: try to restore a previous cached session*/
1169 ssl_restore_session(ssl, dtls_session_hash);
1172 tvb_memcpy(tvb,ssl->session_id.data, offset+33, session_id_length);
1173 ssl->session_id.data_len = session_id_length;
1180 gmt_unix_time.secs = tvb_get_ntohl(tvb, offset);
1181 gmt_unix_time.nsecs = 0;
1182 proto_tree_add_time(tree, hf_dtls_handshake_random_time,
1183 tvb, offset, 4, &gmt_unix_time);
1186 /* show the random bytes */
1187 proto_tree_add_item(tree, hf_dtls_handshake_random_bytes,
1188 tvb, offset, 28, 0);
1191 /* show the session id */
1192 session_id_length = tvb_get_guint8(tvb, offset);
1193 proto_tree_add_item(tree, hf_dtls_handshake_session_id_len,
1194 tvb, offset++, 1, 0);
1195 if (session_id_length > 0)
1197 tvb_ensure_bytes_exist(tvb, offset, session_id_length);
1198 proto_tree_add_bytes_format(tree, hf_dtls_handshake_session_id,
1199 tvb, offset, session_id_length,
1200 tvb_get_ptr(tvb, offset, session_id_length),
1201 "Session ID (%u byte%s)",
1203 plurality(session_id_length, "", "s"));
1204 offset += session_id_length;
1210 return session_id_length+33;
1214 dissect_dtls_hnd_hello_ext(tvbuff_t *tvb,
1215 proto_tree *tree, guint32 offset, guint32 left)
1217 guint16 extension_length;
1221 proto_tree *ext_tree;
1226 extension_length = tvb_get_ntohs(tvb, offset);
1227 proto_tree_add_uint(tree, hf_dtls_handshake_extensions_len,
1228 tvb, offset, 2, extension_length);
1234 ext_type = tvb_get_ntohs(tvb, offset);
1235 ext_len = tvb_get_ntohs(tvb, offset + 2);
1237 pi = proto_tree_add_text(tree, tvb, offset, 4 + ext_len,
1239 val_to_str(ext_type,
1240 tls_hello_extension_types,
1242 ext_tree = proto_item_add_subtree(pi, ett_dtls_extension);
1246 proto_tree_add_uint(ext_tree, hf_dtls_handshake_extension_type,
1247 tvb, offset, 2, ext_type);
1250 proto_tree_add_uint(ext_tree, hf_dtls_handshake_extension_len,
1251 tvb, offset, 2, ext_len);
1254 proto_tree_add_bytes_format(ext_tree, hf_dtls_handshake_extension_data,
1255 tvb, offset, ext_len,
1256 tvb_get_ptr(tvb, offset, ext_len),
1258 ext_len, plurality(ext_len, "", "s"));
1260 left -= 2 + 2 + ext_len;
1267 dissect_dtls_hnd_cli_hello(tvbuff_t *tvb,
1268 proto_tree *tree, guint32 offset, guint32 length,
1269 SslDecryptSession*ssl)
1272 * ProtocolVersion client_version;
1274 * SessionID session_id;
1275 * opaque cookie<0..32>; //new field
1276 * CipherSuite cipher_suites<2..2^16-1>;
1277 * CompressionMethod compression_methods<1..2^8-1>;
1278 * Extension client_hello_extension_list<0..2^16-1>;
1283 proto_tree *cs_tree;
1284 guint16 cipher_suite_length;
1285 guint8 compression_methods_length;
1286 guint8 compression_method;
1287 guint16 start_offset = offset;
1288 guint8 cookie_length;
1289 cipher_suite_length = 0;
1290 compression_methods_length = 0;
1295 /* show the client version */
1297 proto_tree_add_item(tree, hf_dtls_handshake_client_version, tvb,
1301 /* show the fields in common with server hello */
1302 offset += dissect_dtls_hnd_hello_common(tvb, tree, offset, ssl, 0);
1304 /* look for a cookie */
1305 cookie_length = tvb_get_guint8(tvb, offset);
1309 proto_tree_add_uint(tree, hf_dtls_handshake_cookie_len,
1310 tvb, offset, 1, cookie_length);
1311 offset ++; /* skip opaque length */
1313 if (cookie_length > 0)
1315 tvb_ensure_bytes_exist(tvb, offset, cookie_length);
1316 proto_tree_add_bytes_format(tree, hf_dtls_handshake_cookie,
1317 tvb, offset, cookie_length,
1318 tvb_get_ptr(tvb, offset, cookie_length),
1319 "Cookie (%u byte%s)",
1321 plurality(cookie_length, "", "s"));
1322 offset += cookie_length;
1325 /* tell the user how many cipher suites there are */
1326 cipher_suite_length = tvb_get_ntohs(tvb, offset);
1328 proto_tree_add_uint(tree, hf_dtls_handshake_cipher_suites_len,
1329 tvb, offset, 2, cipher_suite_length);
1330 offset += 2; /* skip opaque length */
1332 if (cipher_suite_length > 0)
1334 tvb_ensure_bytes_exist(tvb, offset, cipher_suite_length);
1335 ti = proto_tree_add_none_format(tree,
1336 hf_dtls_handshake_cipher_suites,
1337 tvb, offset, cipher_suite_length,
1338 "Cipher Suites (%u suite%s)",
1339 cipher_suite_length / 2,
1340 plurality(cipher_suite_length/2, "", "s"));
1342 /* make this a subtree */
1343 cs_tree = proto_item_add_subtree(ti, ett_dtls_cipher_suites);
1346 cs_tree = tree; /* failsafe */
1349 while (cipher_suite_length > 0)
1351 proto_tree_add_item(cs_tree, hf_dtls_handshake_cipher_suite,
1352 tvb, offset, 2, FALSE);
1354 cipher_suite_length -= 2;
1358 /* tell the user how man compression methods there are */
1359 compression_methods_length = tvb_get_guint8(tvb, offset);
1360 proto_tree_add_uint(tree, hf_dtls_handshake_comp_methods_len,
1361 tvb, offset, 1, compression_methods_length);
1364 if (compression_methods_length > 0)
1366 tvb_ensure_bytes_exist(tvb, offset, compression_methods_length);
1367 ti = proto_tree_add_none_format(tree,
1368 hf_dtls_handshake_comp_methods,
1369 tvb, offset, compression_methods_length,
1370 "Compression Methods (%u method%s)",
1371 compression_methods_length,
1372 plurality(compression_methods_length,
1375 /* make this a subtree */
1376 cs_tree = proto_item_add_subtree(ti, ett_dtls_comp_methods);
1379 cs_tree = tree; /* failsafe */
1382 while (compression_methods_length > 0)
1384 compression_method = tvb_get_guint8(tvb, offset);
1385 if (compression_method < 64)
1386 proto_tree_add_uint(cs_tree, hf_dtls_handshake_comp_method,
1387 tvb, offset, 1, compression_method);
1388 else if (compression_method > 63 && compression_method < 193)
1389 proto_tree_add_text(cs_tree, tvb, offset, 1,
1390 "Compression Method: Reserved - to be assigned by IANA (%u)",
1391 compression_method);
1393 proto_tree_add_text(cs_tree, tvb, offset, 1,
1394 "Compression Method: Private use range (%u)",
1395 compression_method);
1397 compression_methods_length--;
1401 if (length > offset - start_offset)
1403 offset = dissect_dtls_hnd_hello_ext(tvb, tree, offset,
1405 (offset - start_offset));
1411 static void dissect_dtls_hnd_hello_verify_request(tvbuff_t *tvb,
1414 SslDecryptSession* ssl)
1418 * ProtocolVersion server_version;
1419 * opaque cookie<0..32>;
1420 * } HelloVerifyRequest;
1423 guint8 cookie_length;
1428 /* show the client version */
1430 proto_tree_add_item(tree, hf_dtls_handshake_server_version, tvb,
1435 /* look for a cookie */
1436 cookie_length = tvb_get_guint8(tvb, offset);
1440 proto_tree_add_uint(tree, hf_dtls_handshake_cookie_len,
1441 tvb, offset, 1, cookie_length);
1442 offset ++; /* skip opaque length */
1444 if (cookie_length > 0)
1446 tvb_ensure_bytes_exist(tvb, offset, cookie_length);
1447 proto_tree_add_bytes_format(tree, hf_dtls_handshake_cookie,
1448 tvb, offset, cookie_length,
1449 tvb_get_ptr(tvb, offset, cookie_length),
1450 "Cookie (%u byte%s)",
1452 plurality(cookie_length, "", "s"));
1453 offset += cookie_length;
1460 dissect_dtls_hnd_srv_hello(tvbuff_t *tvb,
1461 proto_tree *tree, guint32 offset, guint32 length, SslDecryptSession* ssl)
1464 * ProtocolVersion server_version;
1466 * SessionID session_id;
1467 * CipherSuite cipher_suite;
1468 * CompressionMethod compression_method;
1469 * Extension server_hello_extension_list<0..2^16-1>;
1472 guint16 start_offset;
1473 start_offset = offset;
1477 /* show the server version */
1479 proto_tree_add_item(tree, hf_dtls_handshake_server_version, tvb,
1483 /* first display the elements conveniently in
1484 * common with client hello
1486 offset += dissect_dtls_hnd_hello_common(tvb, tree, offset, ssl, 1);
1488 /* PAOLO: handle session cipher suite */
1490 /* store selected cipher suite for decryption */
1491 ssl->cipher = tvb_get_ntohs(tvb, offset);
1492 if (ssl_find_cipher(ssl->cipher,&ssl->cipher_suite) < 0) {
1493 ssl_debug_printf("dissect_dtls_hnd_srv_hello can't find cipher suite %X\n", ssl->cipher);
1497 ssl->state |= SSL_CIPHER;
1498 ssl_debug_printf("dissect_dtls_hnd_srv_hello found cipher %X, state %X\n",
1499 ssl->cipher, ssl->state);
1501 /* if we have restored a session now we can have enought material
1502 * to build session key, check it out*/
1504 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION|SSL_MASTER_SECRET)) !=
1505 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION|SSL_MASTER_SECRET)) {
1506 ssl_debug_printf("dissect_dtls_hnd_srv_hello not enough data to generate key (required %X)\n",
1507 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION|SSL_MASTER_SECRET));
1511 ssl_debug_printf("dissect_dtls_hnd_srv_hello trying to generate keys\n");
1512 if (ssl_generate_keyring_material(ssl)<0) {
1513 ssl_debug_printf("dissect_dtls_hnd_srv_hello can't generate keyring material\n");
1516 ssl->state |= SSL_HAVE_SESSION_KEY;
1522 /* now the server-selected cipher suite */
1523 proto_tree_add_item(tree, hf_dtls_handshake_cipher_suite,
1524 tvb, offset, 2, FALSE);
1527 /* and the server-selected compression method */
1528 proto_tree_add_item(tree, hf_dtls_handshake_comp_method,
1529 tvb, offset, 1, FALSE);
1532 if (length > offset - start_offset)
1534 offset = dissect_dtls_hnd_hello_ext(tvb, tree, offset,
1536 (offset - start_offset));
1542 dissect_dtls_hnd_cert(tvbuff_t *tvb,
1543 proto_tree *tree, guint32 offset, packet_info *pinfo)
1546 /* opaque ASN.1Cert<2^24-1>;
1549 * ASN.1Cert certificate_list<1..2^24-1>;
1552 guint32 certificate_list_length;
1554 proto_tree *subtree;
1555 asn1_ctx_t asn1_ctx;
1556 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
1560 certificate_list_length = tvb_get_ntoh24(tvb, offset);
1561 proto_tree_add_uint(tree, hf_dtls_handshake_certificates_len,
1562 tvb, offset, 3, certificate_list_length);
1563 offset += 3; /* 24-bit length value */
1565 if (certificate_list_length > 0)
1567 tvb_ensure_bytes_exist(tvb, offset, certificate_list_length);
1568 ti = proto_tree_add_none_format(tree,
1569 hf_dtls_handshake_certificates,
1570 tvb, offset, certificate_list_length,
1571 "Certificates (%u byte%s)",
1572 certificate_list_length,
1573 plurality(certificate_list_length,
1576 /* make it a subtree */
1577 subtree = proto_item_add_subtree(ti, ett_dtls_certs);
1580 subtree = tree; /* failsafe */
1583 /* iterate through each certificate */
1584 while (certificate_list_length > 0)
1586 /* get the length of the current certificate */
1587 guint32 cert_length = tvb_get_ntoh24(tvb, offset);
1588 certificate_list_length -= 3 + cert_length;
1590 proto_tree_add_item(subtree, hf_dtls_handshake_certificate_len,
1591 tvb, offset, 3, FALSE);
1594 dissect_x509af_Certificate(FALSE, tvb, offset, &asn1_ctx, subtree, hf_dtls_handshake_certificate);
1595 offset += cert_length;
1603 dissect_dtls_hnd_cert_req(tvbuff_t *tvb,
1604 proto_tree *tree, guint32 offset)
1608 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
1610 * } ClientCertificateType;
1612 * opaque DistinguishedName<1..2^16-1>;
1615 * ClientCertificateType certificate_types<1..2^8-1>;
1616 * DistinguishedName certificate_authorities<3..2^16-1>;
1617 * } CertificateRequest;
1621 proto_tree *subtree;
1622 guint8 cert_types_count;
1624 cert_types_count = 0;
1629 cert_types_count = tvb_get_guint8(tvb, offset);
1630 proto_tree_add_uint(tree, hf_dtls_handshake_cert_types_count,
1631 tvb, offset, 1, cert_types_count);
1634 if (cert_types_count > 0)
1636 ti = proto_tree_add_none_format(tree,
1637 hf_dtls_handshake_cert_types,
1638 tvb, offset, cert_types_count,
1639 "Certificate types (%u type%s)",
1641 plurality(cert_types_count, "", "s"));
1642 subtree = proto_item_add_subtree(ti, ett_dtls_cert_types);
1648 while (cert_types_count > 0)
1650 proto_tree_add_item(subtree, hf_dtls_handshake_cert_type,
1651 tvb, offset, 1, FALSE);
1657 dnames_length = tvb_get_ntohs(tvb, offset);
1658 proto_tree_add_uint(tree, hf_dtls_handshake_dnames_len,
1659 tvb, offset, 2, dnames_length);
1662 if (dnames_length > 0)
1664 tvb_ensure_bytes_exist(tvb, offset, dnames_length);
1665 ti = proto_tree_add_none_format(tree,
1666 hf_dtls_handshake_dnames,
1667 tvb, offset, dnames_length,
1668 "Distinguished Names (%d byte%s)",
1670 plurality(dnames_length, "", "s"));
1671 subtree = proto_item_add_subtree(ti, ett_dtls_dnames);
1677 while (dnames_length > 0)
1679 /* get the length of the current certificate */
1680 guint16 name_length = tvb_get_ntohs(tvb, offset);
1681 dnames_length -= 2 + name_length;
1683 proto_tree_add_item(subtree, hf_dtls_handshake_dname_len,
1684 tvb, offset, 2, FALSE);
1687 tvb_ensure_bytes_exist(tvb, offset, name_length);
1688 proto_tree_add_bytes_format(subtree,
1689 hf_dtls_handshake_dname,
1690 tvb, offset, name_length,
1691 tvb_get_ptr(tvb, offset, name_length),
1692 "Distinguished Name (%u byte%s)",
1694 plurality(name_length, "", "s"));
1695 offset += name_length;
1703 dissect_dtls_hnd_finished(tvbuff_t *tvb,
1704 proto_tree *tree, guint32 offset,
1705 guint* conv_version)
1709 * opaque verify_data[12];
1713 /* this all needs a tree, so bail if we don't have one */
1719 switch(*conv_version) {
1721 proto_tree_add_item(tree, hf_dtls_handshake_finished,
1722 tvb, offset, 12, FALSE);
1727 /*********************************************************************
1731 *********************************************************************/
1734 ssl_set_conv_version(packet_info *pinfo, guint version)
1736 conversation_t *conversation;
1738 if (pinfo->fd->flags.visited)
1740 /* We've already processed this frame; no need to do any more
1746 conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
1747 pinfo->srcport, pinfo->destport, 0);
1749 if (conversation == NULL)
1751 /* create a new conversation */
1752 conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
1753 pinfo->srcport, pinfo->destport, 0);
1756 if (conversation_get_proto_data(conversation, proto_dtls) != NULL)
1758 /* get rid of the current data */
1759 conversation_delete_proto_data(conversation, proto_dtls);
1761 conversation_add_proto_data(conversation, proto_dtls, GINT_TO_POINTER(version));
1766 dtls_is_valid_handshake_type(guint8 type)
1770 case SSL_HND_HELLO_REQUEST:
1771 case SSL_HND_CLIENT_HELLO:
1772 case SSL_HND_SERVER_HELLO:
1773 case SSL_HND_HELLO_VERIFY_REQUEST:
1774 case SSL_HND_CERTIFICATE:
1775 case SSL_HND_SERVER_KEY_EXCHG:
1776 case SSL_HND_CERT_REQUEST:
1777 case SSL_HND_SVR_HELLO_DONE:
1778 case SSL_HND_CERT_VERIFY:
1779 case SSL_HND_CLIENT_KEY_EXCHG:
1780 case SSL_HND_FINISHED:
1787 dtls_is_authoritative_version_message(guint8 content_type,
1790 if (content_type == SSL_ID_HANDSHAKE
1791 && dtls_is_valid_handshake_type(next_byte))
1793 return (next_byte != SSL_HND_CLIENT_HELLO);
1795 else if (ssl_is_valid_content_type(content_type)
1796 && content_type != SSL_ID_HANDSHAKE)
1803 /* this applies a heuristic to determine whether
1804 * or not the data beginning at offset looks like a
1805 * valid dtls record.
1808 looks_like_dtls(tvbuff_t *tvb, guint32 offset)
1810 /* have to have a valid content type followed by a valid
1816 /* see if the first byte is a valid content type */
1817 byte = tvb_get_guint8(tvb, offset);
1818 if (!ssl_is_valid_content_type(byte))
1823 /* now check to see if the version byte appears valid */
1824 version = tvb_get_ntohs(tvb, offset + 1);
1825 if (version != DTLSV1DOT0_VERSION)
1833 /*********************************************************************
1835 * Standard Wireshark Protocol Registration and housekeeping
1837 *********************************************************************/
1839 proto_register_dtls(void)
1842 /* Setup list of header fields See Section 1.6.1 for details*/
1843 static hf_register_info hf[] = {
1845 { "Record Layer", "dtls.record",
1846 FT_NONE, BASE_NONE, NULL, 0x0,
1847 "Record layer", HFILL }
1849 { &hf_dtls_record_content_type,
1850 { "Content Type", "dtls.record.content_type",
1851 FT_UINT8, BASE_DEC, VALS(ssl_31_content_type), 0x0,
1852 "Content type", HFILL}
1854 { &hf_dtls_record_version,
1855 { "Version", "dtls.record.version",
1856 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
1857 "Record layer version.", HFILL }
1859 { &hf_dtls_record_epoch,
1860 { "Epoch", "dtls.record.epoch",
1861 FT_UINT16, BASE_DEC, NULL, 0x0,
1864 { &hf_dtls_record_sequence_number,
1865 { "Sequence Number", "dtls.record.sequence_number",
1866 FT_DOUBLE, BASE_DEC, NULL, 0x0,
1867 "Sequence Number", HFILL }
1869 { &hf_dtls_record_length,
1870 { "Length", "dtls.record.length",
1871 FT_UINT16, BASE_DEC, NULL, 0x0,
1872 "Length of DTLS record data", HFILL }
1874 { &hf_dtls_record_appdata,
1875 { "Encrypted Application Data", "dtls.app_data",
1876 FT_BYTES, BASE_HEX, NULL, 0x0,
1877 "Payload is encrypted application data", HFILL }
1879 { &hf_dtls_change_cipher_spec,
1880 { "Change Cipher Spec Message", "dtls.change_cipher_spec",
1881 FT_NONE, BASE_NONE, NULL, 0x0,
1882 "Signals a change in cipher specifications", HFILL }
1884 { & hf_dtls_alert_message,
1885 { "Alert Message", "dtls.alert_message",
1886 FT_NONE, BASE_NONE, NULL, 0x0,
1887 "Alert message", HFILL }
1889 { & hf_dtls_alert_message_level,
1890 { "Level", "dtls.alert_message.level",
1891 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_level), 0x0,
1892 "Alert message level", HFILL }
1894 { &hf_dtls_alert_message_description,
1895 { "Description", "dtls.alert_message.desc",
1896 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_description), 0x0,
1897 "Alert message description", HFILL }
1899 { &hf_dtls_handshake_protocol,
1900 { "Handshake Protocol", "dtls.handshake",
1901 FT_NONE, BASE_NONE, NULL, 0x0,
1902 "Handshake protocol message", HFILL}
1904 { &hf_dtls_handshake_type,
1905 { "Handshake Type", "dtls.handshake.type",
1906 FT_UINT8, BASE_DEC, VALS(ssl_31_handshake_type), 0x0,
1907 "Type of handshake message", HFILL}
1909 { &hf_dtls_handshake_length,
1910 { "Length", "dtls.handshake.length",
1911 FT_UINT24, BASE_DEC, NULL, 0x0,
1912 "Length of handshake message", HFILL }
1914 { &hf_dtls_handshake_message_seq,
1915 { "Message Sequence", "dtls.handshake.message_seq",
1916 FT_UINT16, BASE_DEC, NULL, 0x0,
1917 "Message sequence of handshake message", HFILL }
1919 { &hf_dtls_handshake_fragment_offset,
1920 { "Fragment Offset", "dtls.handshake.fragment_offset",
1921 FT_UINT24, BASE_DEC, NULL, 0x0,
1922 "Fragment offset of handshake message", HFILL }
1924 { &hf_dtls_handshake_fragment_length,
1925 { "Fragment Length", "dtls.handshake.fragment_length",
1926 FT_UINT24, BASE_DEC, NULL, 0x0,
1927 "Fragment length of handshake message", HFILL }
1929 { &hf_dtls_handshake_client_version,
1930 { "Version", "dtls.handshake.version",
1931 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
1932 "Maximum version supported by client", HFILL }
1934 { &hf_dtls_handshake_server_version,
1935 { "Version", "dtls.handshake.version",
1936 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
1937 "Version selected by server", HFILL }
1939 { &hf_dtls_handshake_random_time,
1940 { "Random.gmt_unix_time", "dtls.handshake.random_time",
1941 FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0x0,
1942 "Unix time field of random structure", HFILL }
1944 { &hf_dtls_handshake_random_bytes,
1945 { "Random.bytes", "dtls.handshake.random",
1946 FT_NONE, BASE_NONE, NULL, 0x0,
1947 "Random challenge used to authenticate server", HFILL }
1949 { &hf_dtls_handshake_cipher_suites_len,
1950 { "Cipher Suites Length", "dtls.handshake.cipher_suites_length",
1951 FT_UINT16, BASE_DEC, NULL, 0x0,
1952 "Length of cipher suites field", HFILL }
1954 { &hf_dtls_handshake_cipher_suites,
1955 { "Cipher Suites", "dtls.handshake.ciphersuites",
1956 FT_NONE, BASE_NONE, NULL, 0x0,
1957 "List of cipher suites supported by client", HFILL }
1959 { &hf_dtls_handshake_cipher_suite,
1960 { "Cipher Suite", "dtls.handshake.ciphersuite",
1961 FT_UINT16, BASE_HEX, VALS(ssl_31_ciphersuite), 0x0,
1962 "Cipher suite", HFILL }
1964 { &hf_dtls_handshake_cookie_len,
1965 { "Cookie Length", "dtls.handshake.cookie_length",
1966 FT_UINT8, BASE_DEC, NULL, 0x0,
1967 "Length of the cookie field", HFILL }
1969 { &hf_dtls_handshake_cookie,
1970 { "Cookie", "dtls.handshake.cookie",
1971 FT_NONE, BASE_NONE, NULL, 0x0,
1974 { &hf_dtls_handshake_session_id,
1975 { "Session ID", "dtls.handshake.session_id",
1976 FT_BYTES, BASE_NONE, NULL, 0x0,
1977 "Identifies the DTLS session, allowing later resumption", HFILL }
1979 { &hf_dtls_handshake_comp_methods_len,
1980 { "Compression Methods Length", "dtls.handshake.comp_methods_length",
1981 FT_UINT8, BASE_DEC, NULL, 0x0,
1982 "Length of compression methods field", HFILL }
1984 { &hf_dtls_handshake_comp_methods,
1985 { "Compression Methods", "dtls.handshake.comp_methods",
1986 FT_NONE, BASE_NONE, NULL, 0x0,
1987 "List of compression methods supported by client", HFILL }
1989 { &hf_dtls_handshake_comp_method,
1990 { "Compression Method", "dtls.handshake.comp_method",
1991 FT_UINT8, BASE_DEC, VALS(ssl_31_compression_method), 0x0,
1992 "Compression Method", HFILL }
1994 { &hf_dtls_handshake_extensions_len,
1995 { "Extensions Length", "dtls.handshake.extensions_length",
1996 FT_UINT16, BASE_DEC, NULL, 0x0,
1997 "Length of hello extensions", HFILL }
1999 { &hf_dtls_handshake_extension_type,
2000 { "Type", "dtls.handshake.extension.type",
2001 FT_UINT16, BASE_HEX, VALS(tls_hello_extension_types), 0x0,
2002 "Hello extension type", HFILL }
2004 { &hf_dtls_handshake_extension_len,
2005 { "Length", "dtls.handshake.extension.len",
2006 FT_UINT16, BASE_DEC, NULL, 0x0,
2007 "Length of a hello extension", HFILL }
2009 { &hf_dtls_handshake_extension_data,
2010 { "Data", "dtls.handshake.extension.data",
2011 FT_BYTES, BASE_NONE, NULL, 0x0,
2012 "Hello Extension data", HFILL }
2014 { &hf_dtls_handshake_certificates_len,
2015 { "Certificates Length", "dtls.handshake.certificates_length",
2016 FT_UINT24, BASE_DEC, NULL, 0x0,
2017 "Length of certificates field", HFILL }
2019 { &hf_dtls_handshake_certificates,
2020 { "Certificates", "dtls.handshake.certificates",
2021 FT_NONE, BASE_NONE, NULL, 0x0,
2022 "List of certificates", HFILL }
2024 { &hf_dtls_handshake_certificate,
2025 { "Certificate", "dtls.handshake.certificate",
2026 FT_BYTES, BASE_NONE, NULL, 0x0,
2027 "Certificate", HFILL }
2029 { &hf_dtls_handshake_certificate_len,
2030 { "Certificate Length", "dtls.handshake.certificate_length",
2031 FT_UINT24, BASE_DEC, NULL, 0x0,
2032 "Length of certificate", HFILL }
2034 { &hf_dtls_handshake_cert_types_count,
2035 { "Certificate types count", "dtls.handshake.cert_types_count",
2036 FT_UINT8, BASE_DEC, NULL, 0x0,
2037 "Count of certificate types", HFILL }
2039 { &hf_dtls_handshake_cert_types,
2040 { "Certificate types", "dtls.handshake.cert_types",
2041 FT_NONE, BASE_NONE, NULL, 0x0,
2042 "List of certificate types", HFILL }
2044 { &hf_dtls_handshake_cert_type,
2045 { "Certificate type", "dtls.handshake.cert_type",
2046 FT_UINT8, BASE_DEC, VALS(ssl_31_client_certificate_type), 0x0,
2047 "Certificate type", HFILL }
2049 { &hf_dtls_handshake_finished,
2050 { "Verify Data", "dtls.handshake.verify_data",
2051 FT_NONE, BASE_NONE, NULL, 0x0,
2052 "Opaque verification data", HFILL }
2054 { &hf_dtls_handshake_md5_hash,
2055 { "MD5 Hash", "dtls.handshake.md5_hash",
2056 FT_NONE, BASE_NONE, NULL, 0x0,
2057 "Hash of messages, master_secret, etc.", HFILL }
2059 { &hf_dtls_handshake_sha_hash,
2060 { "SHA-1 Hash", "dtls.handshake.sha_hash",
2061 FT_NONE, BASE_NONE, NULL, 0x0,
2062 "Hash of messages, master_secret, etc.", HFILL }
2064 { &hf_dtls_handshake_session_id_len,
2065 { "Session ID Length", "dtls.handshake.session_id_length",
2066 FT_UINT8, BASE_DEC, NULL, 0x0,
2067 "Length of session ID field", HFILL }
2069 { &hf_dtls_handshake_dnames_len,
2070 { "Distinguished Names Length", "dtls.handshake.dnames_len",
2071 FT_UINT16, BASE_DEC, NULL, 0x0,
2072 "Length of list of CAs that server trusts", HFILL }
2074 { &hf_dtls_handshake_dnames,
2075 { "Distinguished Names", "dtls.handshake.dnames",
2076 FT_NONE, BASE_NONE, NULL, 0x0,
2077 "List of CAs that server trusts", HFILL }
2079 { &hf_dtls_handshake_dname_len,
2080 { "Distinguished Name Length", "dtls.handshake.dname_len",
2081 FT_UINT16, BASE_DEC, NULL, 0x0,
2082 "Length of distinguished name", HFILL }
2084 { &hf_dtls_handshake_dname,
2085 { "Distinguished Name", "dtls.handshake.dname",
2086 FT_BYTES, BASE_NONE, NULL, 0x0,
2087 "Distinguished name of a CA that server trusts", HFILL }
2091 /* Setup protocol subtree array */
2092 static gint *ett[] = {
2096 &ett_dtls_handshake,
2097 &ett_dtls_cipher_suites,
2098 &ett_dtls_comp_methods,
2099 &ett_dtls_extension,
2101 &ett_dtls_cert_types,
2105 /* Register the protocol name and description */
2106 proto_dtls = proto_register_protocol("Datagram Transport Layer Security",
2109 /* Required function calls to register the header fields and
2111 proto_register_field_array(proto_dtls, hf, array_length(hf));
2112 proto_register_subtree_array(ett, array_length(ett));
2114 #ifdef HAVE_LIBGNUTLS
2116 module_t *dtls_module = prefs_register_protocol(proto_dtls, dtls_parse);
2117 prefs_register_string_preference(dtls_module, "keys_list", "RSA keys list",
2118 "semicolon separated list of private RSA keys used for DTLS decryption; "
2119 "each list entry must be in the form of <ip>,<port>,<protocol>,<key_file_name>"
2120 "<key_file_name> is the local file name of the RSA private key used by the specified server\n",
2121 (const gchar **)&dtls_keys_list);
2122 prefs_register_string_preference(dtls_module, "debug_file", "DTLS debug file",
2123 "redirect dtls debug to file name; leave empty to disable debug, "
2124 "use \"" SSL_DEBUG_USE_STDERR "\" to redirect output to stderr\n",
2125 (const gchar **)&dtls_debug_file_name);
2129 register_dissector("dtls", dissect_dtls, proto_dtls);
2130 dtls_handle = find_dissector("dtls");
2132 dtls_associations = g_tree_new(ssl_association_cmp);
2134 register_init_routine(dtls_init);
2136 dtls_tap = register_tap("dtls");
2137 ssl_debug_printf("proto_register_dtls: registered tap %s:%d\n",
2141 /* If this dissector uses sub-dissector registration add a registration
2142 * routine. This format is required because a script is used to find
2143 * these routines and create the code that calls these routines.
2146 proto_reg_handoff_dtls(void)
2149 /* add now dissector to default ports.*/