2 * Routines for dtls dissection
3 * Copyright (c) 2006, Authesserre Samuel <sauthess@gmail.com>
4 * Copyright (c) 2007, Mikael Magnusson <mikma@users.sourceforge.net>
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 * DTLS dissection and decryption.
28 * See RFC 4347 for details about DTLS specs.
31 * This dissector is based on TLS one (packet-ssl.c) because of the proximity of DTLS and TLS, decryption works like him with RSA key exchange.
32 * It uses the sames things (file, libraries) that SSL one (gnutls, packet-ssl-utils.h) to make it easily maintenable.
34 * It was developped to dissect and decrypt OpenSSL v 0.9.8f DTLS implementation.
35 * It is limited to this implementation while there is no complete implementation.
39 * - DTLS decryption (openssl one)
42 * - activate correct Mac calculation when openssl will be corrected
43 * (or if an other implementation works),
44 * corrected code is ready and commented in packet-ssl-utils.h file.
45 * - add missings things (desegmentation, reordering... that aren't present in actual OpenSSL implementation)
52 #include <sys/types.h>
53 #ifdef HAVE_SYS_SOCKET_H
54 #include <sys/socket.h>
57 #ifdef HAVE_WINSOCK2_H
65 #include <epan/conversation.h>
66 #include <epan/prefs.h>
67 #include <epan/asn1.h>
68 #include <epan/dissectors/packet-x509af.h>
69 #include <epan/emem.h>
71 #include <epan/reassemble.h>
72 #include "inet_v6defs.h"
73 #include "packet-ssl-utils.h"
75 /* we need to remember the top tree so that subdissectors we call are created
76 * at the root and not deep down inside the DTLS decode
78 static proto_tree *top_tree;
80 /*********************************************************************
82 * Protocol Constants, Variables, Data Structures
84 *********************************************************************/
86 /* Initialize the protocol and registered fields */
87 static gint dtls_tap = -1;
88 static gint proto_dtls = -1;
89 static gint hf_dtls_record = -1;
90 static gint hf_dtls_record_content_type = -1;
91 static gint hf_dtls_record_version = -1;
92 static gint hf_dtls_record_epoch = -1;
93 static gint hf_dtls_record_sequence_number = -1;
94 static gint hf_dtls_record_length = -1;
95 static gint hf_dtls_record_appdata = -1;
96 static gint hf_dtls_change_cipher_spec = -1;
97 static gint hf_dtls_alert_message = -1;
98 static gint hf_dtls_alert_message_level = -1;
99 static gint hf_dtls_alert_message_description = -1;
100 static gint hf_dtls_handshake_protocol = -1;
101 static gint hf_dtls_handshake_type = -1;
102 static gint hf_dtls_handshake_length = -1;
103 static gint hf_dtls_handshake_message_seq = -1;
104 static gint hf_dtls_handshake_fragment_offset = -1;
105 static gint hf_dtls_handshake_fragment_length = -1;
106 static gint hf_dtls_handshake_client_version = -1;
107 static gint hf_dtls_handshake_server_version = -1;
108 static gint hf_dtls_handshake_random_time = -1;
109 static gint hf_dtls_handshake_random_bytes = -1;
110 static gint hf_dtls_handshake_cookie_len = -1;
111 static gint hf_dtls_handshake_cookie = -1;
112 static gint hf_dtls_handshake_cipher_suites_len = -1;
113 static gint hf_dtls_handshake_cipher_suites = -1;
114 static gint hf_dtls_handshake_cipher_suite = -1;
115 static gint hf_dtls_handshake_session_id = -1;
116 static gint hf_dtls_handshake_comp_methods_len = -1;
117 static gint hf_dtls_handshake_comp_methods = -1;
118 static gint hf_dtls_handshake_comp_method = -1;
119 static gint hf_dtls_handshake_extensions_len = -1;
120 static gint hf_dtls_handshake_extension_type = -1;
121 static gint hf_dtls_handshake_extension_len = -1;
122 static gint hf_dtls_handshake_extension_data = -1;
123 static gint hf_dtls_handshake_certificates_len = -1;
124 static gint hf_dtls_handshake_certificates = -1;
125 static gint hf_dtls_handshake_certificate = -1;
126 static gint hf_dtls_handshake_certificate_len = -1;
127 static gint hf_dtls_handshake_cert_types_count = -1;
128 static gint hf_dtls_handshake_cert_types = -1;
129 static gint hf_dtls_handshake_cert_type = -1;
130 static gint hf_dtls_handshake_finished = -1;
131 static gint hf_dtls_handshake_md5_hash = -1;
132 static gint hf_dtls_handshake_sha_hash = -1;
133 static gint hf_dtls_handshake_session_id_len = -1;
134 static gint hf_dtls_handshake_dnames_len = -1;
135 static gint hf_dtls_handshake_dnames = -1;
136 static gint hf_dtls_handshake_dname_len = -1;
137 static gint hf_dtls_handshake_dname = -1;
139 static gint hf_dtls_fragments = -1;
140 static gint hf_dtls_fragment = -1;
141 static gint hf_dtls_fragment_overlap = -1;
142 static gint hf_dtls_fragment_overlap_conflicts = -1;
143 static gint hf_dtls_fragment_multiple_tails = -1;
144 static gint hf_dtls_fragment_too_long_fragment = -1;
145 static gint hf_dtls_fragment_error = -1;
146 static gint hf_dtls_reassembled_in = -1;
148 /* Initialize the subtree pointers */
149 static gint ett_dtls = -1;
150 static gint ett_dtls_record = -1;
151 static gint ett_dtls_alert = -1;
152 static gint ett_dtls_handshake = -1;
153 static gint ett_dtls_cipher_suites = -1;
154 static gint ett_dtls_comp_methods = -1;
155 static gint ett_dtls_extension = -1;
156 static gint ett_dtls_certs = -1;
157 static gint ett_dtls_cert_types = -1;
158 static gint ett_dtls_dnames = -1;
160 static gint ett_dtls_fragment = -1;
161 static gint ett_dtls_fragments = -1;
163 static GHashTable *dtls_session_hash = NULL;
164 static GHashTable *dtls_key_hash = NULL;
165 static GHashTable *dtls_fragment_table = NULL;
166 static GTree* dtls_associations = NULL;
167 static dissector_handle_t dtls_handle = NULL;
168 static StringInfo dtls_compressed_data = {NULL, 0};
169 static StringInfo dtls_decrypted_data = {NULL, 0};
170 static gint dtls_decrypted_data_avail = 0;
172 static gchar* dtls_keys_list = NULL;
173 #ifdef HAVE_LIBGNUTLS
174 static gchar* dtls_debug_file_name = NULL;
177 static const fragment_items dtls_frag_items = {
178 /* Fragment subtrees */
181 /* Fragment fields */
184 &hf_dtls_fragment_overlap,
185 &hf_dtls_fragment_overlap_conflicts,
186 &hf_dtls_fragment_multiple_tails,
187 &hf_dtls_fragment_too_long_fragment,
188 &hf_dtls_fragment_error,
189 /* Reassembled in field */
190 &hf_dtls_reassembled_in,
195 /* initialize/reset per capture state data (dtls sessions cache) */
199 ssl_common_init(&dtls_session_hash, &dtls_decrypted_data, &dtls_compressed_data);
200 fragment_table_init (&dtls_fragment_table);
203 /* parse dtls related preferences (private keys and ports association strings) */
207 ep_stack_t tmp_stack;
208 SslAssociation *tmp_assoc;
212 g_hash_table_foreach(dtls_key_hash, ssl_private_key_free, NULL);
213 g_hash_table_destroy(dtls_key_hash);
216 /* remove only associations created from key list */
217 tmp_stack = ep_stack_new();
218 g_tree_foreach(dtls_associations, ssl_assoc_from_key_list, tmp_stack);
219 while ((tmp_assoc = ep_stack_pop(tmp_stack)) != NULL) {
220 ssl_association_remove(dtls_associations, tmp_assoc);
223 /* parse private keys string, load available keys and put them in key hash*/
224 dtls_key_hash = g_hash_table_new(ssl_private_key_hash, ssl_private_key_equal);
226 if (dtls_keys_list && (dtls_keys_list[0] != 0))
228 ssl_parse_key_list(dtls_keys_list,dtls_key_hash,dtls_associations,dtls_handle,FALSE);
231 ssl_set_debug(dtls_debug_file_name);
233 dissector_add_handle("sctp.port", dtls_handle);
234 dissector_add_handle("udp.port", dtls_handle);
238 * DTLS Dissection Routines
242 /* record layer dissector */
243 static gint dissect_dtls_record(tvbuff_t *tvb, packet_info *pinfo,
244 proto_tree *tree, guint32 offset,
246 SslDecryptSession *conv_data);
248 /* change cipher spec dissector */
249 static void dissect_dtls_change_cipher_spec(tvbuff_t *tvb,
252 guint *conv_version, guint8 content_type);
254 /* alert message dissector */
255 static void dissect_dtls_alert(tvbuff_t *tvb, packet_info *pinfo,
256 proto_tree *tree, guint32 offset,
257 guint *conv_version);
259 /* handshake protocol dissector */
260 static void dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo,
261 proto_tree *tree, guint32 offset,
262 guint32 record_length,
264 SslDecryptSession *conv_data, guint8 content_type);
267 static void dissect_dtls_hnd_cli_hello(tvbuff_t *tvb,
269 guint32 offset, guint32 length,
270 SslDecryptSession* ssl);
272 static void dissect_dtls_hnd_hello_verify_request(tvbuff_t *tvb,
275 SslDecryptSession* ssl);
277 static void dissect_dtls_hnd_srv_hello(tvbuff_t *tvb,
279 guint32 offset, guint32 length,
280 SslDecryptSession* ssl);
282 static void dissect_dtls_hnd_cert(tvbuff_t *tvb,
283 proto_tree *tree, guint32 offset, packet_info *pinfo);
285 static void dissect_dtls_hnd_cert_req(tvbuff_t *tvb,
289 static void dissect_dtls_hnd_finished(tvbuff_t *tvb,
292 guint* conv_version);
298 /*static void ssl_set_conv_version(packet_info *pinfo, guint version);*/
299 static gint dtls_is_valid_handshake_type(guint8 type);
301 static gint dtls_is_authoritative_version_message(guint8 content_type,
303 static gint looks_like_dtls(tvbuff_t *tvb, guint32 offset);
305 /*********************************************************************
309 *********************************************************************/
311 * Code to actually dissect the packets
314 dissect_dtls(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
317 conversation_t *conversation;
320 proto_tree *dtls_tree;
322 gboolean first_record_in_frame;
323 SslDecryptSession* ssl_session;
328 first_record_in_frame = TRUE;
332 /* Track the version using conversations allows
333 * us to more frequently set the protocol column properly
334 * for continuation data frames.
336 * Also: We use the copy in conv_version as our cached copy,
337 * so that we don't have to search the conversation
338 * table every time we want the version; when setting
339 * the conv_version, must set the copy in the conversation
340 * in addition to conv_version
342 conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
343 pinfo->srcport, pinfo->destport, 0);
346 /* create a new conversation */
347 conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
348 pinfo->srcport, pinfo->destport, 0);
350 conv_data = conversation_get_proto_data(conversation, proto_dtls);
352 /* manage dtls decryption data */
353 /*get a valid ssl session pointer*/
354 if (conv_data != NULL)
355 ssl_session = conv_data;
359 ssl_session = se_alloc0(sizeof(SslDecryptSession));
360 ssl_session_init(ssl_session);
361 ssl_session->version = SSL_VER_UNKNOWN;
362 conversation_add_proto_data(conversation, proto_dtls, ssl_session);
364 /* we need to know witch side of conversation is speaking */
365 if (ssl_packet_from_server(ssl_session, dtls_associations, pinfo)) {
366 dummy.addr = pinfo->src;
367 dummy.port = pinfo->srcport;
370 dummy.addr = pinfo->dst;
371 dummy.port = pinfo->destport;
373 ssl_debug_printf("dissect_dtls server %s:%d\n",
374 ep_address_to_str(&dummy.addr),dummy.port);
376 /* try to retrive private key for this service. Do it now 'cause pinfo
377 * is not always available
378 * Note that with HAVE_LIBGNUTLS undefined private_key is allways 0
379 * and thus decryption never engaged*/
380 ssl_session->private_key = g_hash_table_lookup(dtls_key_hash, &dummy);
381 if (!ssl_session->private_key)
382 ssl_debug_printf("dissect_dtls can't find private key for this server!\n");
384 conv_version= & ssl_session->version;
386 /* try decryption only the first time we see this packet
387 * (to keep cipher synchronized)and only if we have
388 * the server private key*/
389 if (!ssl_session->private_key || pinfo->fd->flags.visited)
392 /* Initialize the protocol column; we'll set it later when we
393 * figure out what flavor of DTLS it is (actually only one
395 col_set_str(pinfo->cinfo, COL_PROTOCOL, "DTLS");
397 /* clear the the info column */
398 col_clear(pinfo->cinfo, COL_INFO);
400 /* Create display subtree for SSL as a whole */
403 ti = proto_tree_add_item(tree, proto_dtls, tvb, 0, -1, FALSE);
404 dtls_tree = proto_item_add_subtree(ti, ett_dtls);
407 /* iterate through the records in this tvbuff */
408 while (tvb_reported_length_remaining(tvb, offset) != 0)
410 /* on second and subsequent records per frame
411 * add a delimiter on info column
413 if (!first_record_in_frame
414 && check_col(pinfo->cinfo, COL_INFO))
416 col_append_str(pinfo->cinfo, COL_INFO, ", ");
419 /* first try to dispatch off the cached version
420 * known to be associated with the conversation
422 switch(*conv_version) {
424 offset = dissect_dtls_record(tvb, pinfo, dtls_tree,
425 offset, conv_version,
429 /* that failed, so apply some heuristics based
430 * on this individual packet
433 if (looks_like_dtls(tvb, offset))
435 /* looks like dtls */
436 offset = dissect_dtls_record(tvb, pinfo, dtls_tree,
437 offset, conv_version,
442 /* looks like something unknown, so lump into
445 offset = tvb_length(tvb);
446 col_append_str(pinfo->cinfo, COL_INFO,
447 "Continuation Data");
449 /* Set the protocol column */
450 col_set_str(pinfo->cinfo, COL_PROTOCOL, "DTLS");
455 /* set up for next record in frame, if any */
456 first_record_in_frame = FALSE;
459 tap_queue_packet(dtls_tap, pinfo, NULL);
463 decrypt_dtls_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset,
464 guint32 record_length, guint8 content_type, SslDecryptSession* ssl,
465 gboolean save_plaintext)
472 /* if we can decrypt and decryption have success
473 * add decrypted data to this packet info */
474 ssl_debug_printf("decrypt_dtls_record: app_data len %d ssl state %X\n",
475 record_length, ssl->state);
476 if (!(ssl->state & SSL_HAVE_SESSION_KEY)) {
477 ssl_debug_printf("decrypt_dtls_record: no session key\n");
481 /* retrive decoder for this packet direction */
482 if ((direction = ssl_packet_from_server(ssl, dtls_associations, pinfo)) != 0) {
483 ssl_debug_printf("decrypt_dtls_record: using server decoder\n");
484 decoder = ssl->server;
487 ssl_debug_printf("decrypt_dtls_record: using client decoder\n");
488 decoder = ssl->client;
491 /* ensure we have enough storage space for decrypted data */
492 if (record_length > dtls_decrypted_data.data_len)
494 ssl_debug_printf("decrypt_dtls_record: allocating %d bytes"
495 " for decrypt data (old len %d)\n",
496 record_length + 32, dtls_decrypted_data.data_len);
497 dtls_decrypted_data.data = g_realloc(dtls_decrypted_data.data,
499 dtls_decrypted_data.data_len = record_length + 32;
502 /* run decryption and add decrypted payload to protocol data, if decryption
504 dtls_decrypted_data_avail = dtls_decrypted_data.data_len;
505 if (ssl_decrypt_record(ssl, decoder,
506 content_type, tvb_get_ptr(tvb, offset, record_length),
507 record_length, &dtls_compressed_data, &dtls_decrypted_data, &dtls_decrypted_data_avail) == 0)
510 if (ret && save_plaintext) {
511 ssl_add_data_info(proto_dtls, pinfo, dtls_decrypted_data.data, dtls_decrypted_data_avail, TVB_RAW_OFFSET(tvb)+offset, 0);
521 /*********************************************************************
523 * DTLS Dissection Routines
525 *********************************************************************/
527 dissect_dtls_record(tvbuff_t *tvb, packet_info *pinfo,
528 proto_tree *tree, guint32 offset,
530 SslDecryptSession* ssl)
535 * uint8 major, minor;
540 * change_cipher_spec(20), alert(21), handshake(22),
541 * application_data(23), (255)
546 * ProtocolVersion version;
547 * uint16 epoch; // New field
548 * uint48 sequence_number; // New field
550 * opaque fragment[TLSPlaintext.length];
553 guint32 record_length;
556 gdouble sequence_number;
557 gint64 sequence_number_temp;
561 proto_tree *dtls_record_tree;
562 guint32 available_bytes;
563 SslAssociation* association;
564 SslDataInfo *appl_data;
566 dtls_record_tree = NULL;
567 available_bytes = tvb_length_remaining(tvb, offset);
570 * Get the record layer fields of interest
572 content_type = tvb_get_guint8(tvb, offset);
573 version = tvb_get_ntohs(tvb, offset + 1);
574 epoch = tvb_get_ntohs(tvb, offset + 3);
575 sequence_number = tvb_get_ntohl(tvb, offset + 7);
576 sequence_number_temp=tvb_get_ntohs(tvb, offset + 5);
577 sequence_number_temp=sequence_number_temp<<32;
578 sequence_number+=sequence_number_temp;
579 record_length = tvb_get_ntohs(tvb, offset + 11);
582 if(ssl_packet_from_server(ssl, dtls_associations, pinfo)){
584 ssl->server->seq=(guint32)sequence_number;
585 ssl->server->epoch=epoch;
590 ssl->client->seq=(guint32)sequence_number;
591 ssl->client->epoch=epoch;
595 if (!ssl_is_valid_content_type(content_type)) {
597 /* if we don't have a valid content_type, there's no sense
598 * continuing any further
600 col_append_str(pinfo->cinfo, COL_INFO, "Continuation Data");
602 /* Set the protocol column */
603 col_set_str(pinfo->cinfo, COL_PROTOCOL, "DTLS");
604 return offset + 13 + record_length;
608 * If GUI, fill in record layer part of tree
613 /* add the record layer subtree header */
614 tvb_ensure_bytes_exist(tvb, offset, 13 + record_length);
615 ti = proto_tree_add_item(tree, hf_dtls_record, tvb,
616 offset, 13 + record_length, 0);
617 dtls_record_tree = proto_item_add_subtree(ti, ett_dtls_record);
620 if (dtls_record_tree)
623 /* show the one-byte content type */
624 proto_tree_add_item(dtls_record_tree, hf_dtls_record_content_type,
625 tvb, offset, 1, FALSE);
628 /* add the version */
629 proto_tree_add_item(dtls_record_tree, hf_dtls_record_version, tvb,
634 proto_tree_add_uint(dtls_record_tree, hf_dtls_record_epoch, tvb, offset, 2, epoch);
638 /* add sequence_number */
640 proto_tree_add_double(dtls_record_tree, hf_dtls_record_sequence_number, tvb, offset, 6, sequence_number);
645 proto_tree_add_uint(dtls_record_tree, hf_dtls_record_length, tvb,
646 offset, 2, record_length);
647 offset += 2; /* move past length field itself */
652 /* if no GUI tree, then just skip over those fields */
658 * if we don't already have a version set for this conversation,
659 * but this message's version is authoritative (i.e., it's
660 * not client_hello, then save the version to to conversation
661 * structure and print the column version
663 next_byte = tvb_get_guint8(tvb, offset);
664 if (*conv_version == SSL_VER_UNKNOWN
665 && dtls_is_authoritative_version_message(content_type, next_byte))
667 if (version == DTLSV1DOT0_VERSION ||
668 version == DTLSV1DOT0_VERSION_NOT)
671 *conv_version = SSL_VER_DTLS;
673 ssl->version_netorder = version;
674 ssl->state |= SSL_VERSION;
676 /*ssl_set_conv_version(pinfo, ssl->version);*/
679 if (check_col(pinfo->cinfo, COL_PROTOCOL))
681 if (version == DTLSV1DOT0_VERSION)
683 col_set_str(pinfo->cinfo, COL_PROTOCOL,
684 ssl_version_short_names[SSL_VER_DTLS]);
688 col_set_str(pinfo->cinfo, COL_PROTOCOL,"DTLS");
693 * now dissect the next layer
695 ssl_debug_printf("dissect_dtls_record: content_type %d\n",content_type);
697 /* PAOLO try to decrypt each record (we must keep ciphers "in sync")
698 * store plain text only for app data */
700 switch (content_type) {
701 case SSL_ID_CHG_CIPHER_SPEC:
702 col_append_str(pinfo->cinfo, COL_INFO, "Change Cipher Spec");
703 dissect_dtls_change_cipher_spec(tvb, dtls_record_tree,
704 offset, conv_version, content_type);
710 if (ssl&&decrypt_dtls_record(tvb, pinfo, offset,
711 record_length, content_type, ssl, FALSE))
712 ssl_add_record_info(proto_dtls, pinfo, dtls_decrypted_data.data,
713 dtls_decrypted_data_avail, offset);
715 /* try to retrive and use decrypted alert record, if any. */
716 decrypted = ssl_get_record_info(proto_dtls, pinfo, offset);
718 dissect_dtls_alert(decrypted, pinfo, dtls_record_tree, 0,
721 dissect_dtls_alert(tvb, pinfo, dtls_record_tree, offset,
725 case SSL_ID_HANDSHAKE:
729 /* try to decrypt handshake record, if possible. Store decrypted
730 * record for later usage. The offset is used as 'key' to itentify
731 * this record into the packet (we can have multiple handshake records
732 * in the same frame) */
733 if (ssl && decrypt_dtls_record(tvb, pinfo, offset,
734 record_length, content_type, ssl, FALSE))
735 ssl_add_record_info(proto_dtls, pinfo, dtls_decrypted_data.data,
736 dtls_decrypted_data_avail, offset);
738 /* try to retrive and use decrypted handshake record, if any. */
739 decrypted = ssl_get_record_info(proto_dtls, pinfo, offset);
741 dissect_dtls_handshake(decrypted, pinfo, dtls_record_tree, 0,
742 decrypted->length, conv_version, ssl, content_type);
744 dissect_dtls_handshake(tvb, pinfo, dtls_record_tree, offset,
745 record_length, conv_version, ssl, content_type);
748 case SSL_ID_APP_DATA:
750 decrypt_dtls_record(tvb, pinfo, offset,
751 record_length, content_type, ssl, TRUE);
753 /* show on info colum what we are decoding */
754 col_append_str(pinfo->cinfo, COL_INFO, "Application Data");
756 if (!dtls_record_tree)
759 /* we need dissector information when the selected packet is shown.
760 * ssl session pointer is NULL at that time, so we can't access
761 * info cached there*/
762 association = ssl_association_find(dtls_associations, pinfo->srcport, pinfo->ptype == PT_TCP);
763 association = association ? association: ssl_association_find(dtls_associations, pinfo->destport, pinfo->ptype == PT_TCP);
765 proto_item_set_text(dtls_record_tree,
766 "%s Record Layer: %s Protocol: %s",
767 ssl_version_short_names[*conv_version],
768 val_to_str(content_type, ssl_31_content_type, "unknown"),
769 association?association->info:"Application Data");
771 proto_tree_add_item(dtls_record_tree, hf_dtls_record_appdata, tvb,
772 offset, record_length, 0);
774 /* show decrypted data info, if available */
775 appl_data = ssl_get_data_info(proto_dtls, pinfo, TVB_RAW_OFFSET(tvb)+offset);
776 if (appl_data && (appl_data->plain_data.data_len > 0))
779 /* try to dissect decrypted data*/
780 ssl_debug_printf("dissect_dtls_record decrypted len %d\n",
781 appl_data->plain_data.data_len);
783 /* create a new TVB structure for desegmented data */
784 next_tvb = tvb_new_child_real_data(tvb, appl_data->plain_data.data, appl_data->plain_data.data_len, appl_data->plain_data.data_len);
786 add_new_data_source(pinfo, next_tvb, "Decrypted DTLS data");
788 /* find out a dissector using server port*/
789 if (association && association->handle) {
790 ssl_debug_printf("dissect_dtls_record found association %p\n", (void *)association);
791 ssl_print_text_data("decrypted app data",appl_data->plain_data.data, appl_data->plain_data.data_len);
793 call_dissector(association->handle, next_tvb, pinfo, top_tree);
799 /* shouldn't get here since we check above for valid types */
800 col_append_str(pinfo->cinfo, COL_INFO, "Bad DTLS Content Type");
803 offset += record_length; /* skip to end of record */
808 /* dissects the change cipher spec procotol, filling in the tree */
810 dissect_dtls_change_cipher_spec(tvbuff_t *tvb,
811 proto_tree *tree, guint32 offset,
812 guint* conv_version, guint8 content_type)
816 * enum { change_cipher_spec(1), (255) } type;
817 * } ChangeCipherSpec;
822 proto_item_set_text(tree,
823 "%s Record Layer: %s Protocol: Change Cipher Spec",
824 ssl_version_short_names[*conv_version],
825 val_to_str(content_type, ssl_31_content_type, "unknown"));
826 proto_tree_add_item(tree, hf_dtls_change_cipher_spec, tvb,
831 /* dissects the alert message, filling in the tree */
833 dissect_dtls_alert(tvbuff_t *tvb, packet_info *pinfo,
834 proto_tree *tree, guint32 offset,
839 * AlertDescription description;
843 proto_tree *ssl_alert_tree;
847 ssl_alert_tree = NULL;
851 ti = proto_tree_add_item(tree, hf_dtls_alert_message, tvb,
853 ssl_alert_tree = proto_item_add_subtree(ti, ett_dtls_alert);
857 * set the record layer label
860 /* first lookup the names for the alert level and description */
861 byte = tvb_get_guint8(tvb, offset); /* grab the level byte */
862 level = match_strval(byte, ssl_31_alert_level);
864 byte = tvb_get_guint8(tvb, offset+1); /* grab the desc byte */
865 desc = match_strval(byte, ssl_31_alert_description);
867 /* now set the text in the record layer line */
870 if (check_col(pinfo->cinfo, COL_INFO))
871 col_append_fstr(pinfo->cinfo, COL_INFO,
872 "Alert (Level: %s, Description: %s)",
877 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted Alert");
884 proto_item_set_text(tree, "%s Record Layer: Alert "
885 "(Level: %s, Description: %s)",
886 ssl_version_short_names[*conv_version],
888 proto_tree_add_item(ssl_alert_tree, hf_dtls_alert_message_level,
889 tvb, offset++, 1, FALSE);
891 proto_tree_add_item(ssl_alert_tree, hf_dtls_alert_message_description,
892 tvb, offset++, 1, FALSE);
896 proto_item_set_text(tree,
897 "%s Record Layer: Encrypted Alert",
898 ssl_version_short_names[*conv_version]);
899 proto_item_set_text(ssl_alert_tree,
900 "Alert Message: Encrypted Alert");
906 /* dissects the handshake protocol, filling the tree */
908 dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo,
909 proto_tree *tree, guint32 offset,
910 guint32 record_length, guint *conv_version,
911 SslDecryptSession* ssl, guint8 content_type)
914 * HandshakeType msg_type;
916 * uint16 message_seq; //new field
917 * uint24 fragment_offset; //new field
918 * uint24 fragment_length; //new field
919 * select (HandshakeType) {
920 * case hello_request: HelloRequest;
921 * case client_hello: ClientHello;
922 * case server_hello: ServerHello;
923 * case hello_verify_request: HelloVerifyRequest; //new field
924 * case certificate: Certificate;
925 * case server_key_exchange: ServerKeyExchange;
926 * case certificate_request: CertificateRequest;
927 * case server_hello_done: ServerHelloDone;
928 * case certificate_verify: CertificateVerify;
929 * case client_key_exchange: ClientKeyExchange;
930 * case finished: Finished;
935 proto_tree *ssl_hand_tree;
936 const gchar *msg_type_str;
940 guint32 fragment_offset;
941 guint32 fragment_length;
942 gboolean first_iteration;
944 ssl_hand_tree = NULL;
946 first_iteration = TRUE;
948 /* just as there can be multiple records per packet, there
949 * can be multiple messages per record as long as they have
950 * the same content type
952 * we really only care about this for handshake messages
955 /* set record_length to the max offset */
956 record_length += offset;
957 for (; offset < record_length; offset += fragment_length,
958 first_iteration = FALSE) /* set up for next pass, if any */
960 fragment_data *frag_msg = NULL;
961 tvbuff_t *new_tvb = NULL;
962 const gchar *frag_str = NULL;
965 msg_type = tvb_get_guint8(tvb, offset);
966 msg_type_str = match_strval(msg_type, ssl_31_handshake_type);
967 length = tvb_get_ntoh24(tvb, offset + 1);
968 message_seq = tvb_get_ntohs(tvb,offset + 4);
969 fragment_offset = tvb_get_ntoh24(tvb, offset + 6);
970 fragment_length = tvb_get_ntoh24(tvb, offset + 9);
971 fragmented = fragment_length != length;
973 if (!msg_type_str && !first_iteration)
975 /* only dissect / report messages if they're
976 * either the first message in this record
977 * or they're a valid message type
982 /* on second and later iterations, add comma to info col */
983 if (!first_iteration)
985 col_append_str(pinfo->cinfo, COL_INFO, ", ");
989 * Update our info string
991 if (check_col(pinfo->cinfo, COL_INFO))
992 col_append_str(pinfo->cinfo, COL_INFO, (msg_type_str != NULL)
993 ? msg_type_str : "Encrypted Handshake Message");
995 /* Handle fragments of known message type */
1001 case SSL_HND_HELLO_REQUEST:
1002 case SSL_HND_CLIENT_HELLO:
1003 case SSL_HND_HELLO_VERIFY_REQUEST:
1004 case SSL_HND_SERVER_HELLO:
1005 case SSL_HND_CERTIFICATE:
1006 case SSL_HND_SERVER_KEY_EXCHG:
1007 case SSL_HND_CERT_REQUEST:
1008 case SSL_HND_SVR_HELLO_DONE:
1009 case SSL_HND_CERT_VERIFY:
1010 case SSL_HND_CLIENT_KEY_EXCHG:
1011 case SSL_HND_FINISHED:
1015 /* Ignore encrypted handshake messages */
1021 /* Fragmented handshake message */
1022 pinfo->fragmented = TRUE;
1023 frag_msg = fragment_add(tvb, offset+12, pinfo, message_seq,
1024 dtls_fragment_table,
1025 fragment_offset, fragment_length, TRUE);
1026 fragment_set_tot_len(pinfo, message_seq, dtls_fragment_table,
1029 if (frag_msg && (fragment_length + fragment_offset) == length)
1032 new_tvb = process_reassembled_data(tvb, offset+12, pinfo,
1033 "Reassembled Message",
1037 frag_str = " (Reassembled)";
1041 frag_str = " (Fragment)";
1044 if (check_col(pinfo->cinfo, COL_INFO))
1045 col_append_str(pinfo->cinfo, COL_INFO, frag_str);
1051 /* set the label text on the record layer expanding node */
1052 if (first_iteration)
1054 proto_item_set_text(tree, "%s Record Layer: %s Protocol: %s%s",
1055 ssl_version_short_names[*conv_version],
1056 val_to_str(content_type, ssl_31_content_type, "unknown"),
1057 (msg_type_str!=NULL) ? msg_type_str :
1058 "Encrypted Handshake Message",
1059 (frag_str!=NULL) ? frag_str : "");
1063 proto_item_set_text(tree, "%s Record Layer: %s Protocol: %s%s",
1064 ssl_version_short_names[*conv_version],
1065 val_to_str(content_type, ssl_31_content_type, "unknown"),
1066 "Multiple Handshake Messages",
1067 (frag_str!=NULL) ? frag_str : "");
1070 /* add a subtree for the handshake protocol */
1071 ti = proto_tree_add_item(tree, hf_dtls_handshake_protocol, tvb,
1072 offset, fragment_length + 12, 0);
1073 ssl_hand_tree = proto_item_add_subtree(ti, ett_dtls_handshake);
1077 /* set the text label on the subtree node */
1078 proto_item_set_text(ssl_hand_tree, "Handshake Protocol: %s%s",
1079 (msg_type_str != NULL) ? msg_type_str :
1080 "Encrypted Handshake Message",
1081 (frag_str!=NULL) ? frag_str : "");
1085 /* if we don't have a valid handshake type, just quit dissecting */
1089 /* if we are doing ssl decryption we must dissect some requests type */
1090 if (ssl_hand_tree || ssl)
1092 tvbuff_t *sub_tvb = NULL;
1094 /* add nodes for the message type and message length */
1096 proto_tree_add_item(ssl_hand_tree, hf_dtls_handshake_type,
1097 tvb, offset, 1, msg_type);
1100 proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_length,
1101 tvb, offset, 3, length);
1105 proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_message_seq,
1106 tvb, offset, 2, message_seq);
1109 proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_fragment_offset,
1110 tvb, offset, 3, fragment_offset);
1113 proto_tree_add_uint(ssl_hand_tree, hf_dtls_handshake_fragment_length,
1114 tvb, offset, 3, fragment_length);
1117 if (fragmented && !new_tvb)
1119 /* Skip fragmented messages not reassembled yet */
1129 sub_tvb = tvb_new_subset(tvb, offset, fragment_length,
1133 /* now dissect the handshake message, if necessary */
1135 case SSL_HND_HELLO_REQUEST:
1136 /* hello_request has no fields, so nothing to do! */
1139 case SSL_HND_CLIENT_HELLO:
1140 dissect_dtls_hnd_cli_hello(sub_tvb, ssl_hand_tree, 0, length, ssl);
1143 case SSL_HND_HELLO_VERIFY_REQUEST:
1144 dissect_dtls_hnd_hello_verify_request(sub_tvb, ssl_hand_tree, 0, ssl);
1147 case SSL_HND_SERVER_HELLO:
1148 dissect_dtls_hnd_srv_hello(sub_tvb, ssl_hand_tree, 0, length, ssl);
1151 case SSL_HND_CERTIFICATE:
1152 dissect_dtls_hnd_cert(sub_tvb, ssl_hand_tree, 0, pinfo);
1155 case SSL_HND_SERVER_KEY_EXCHG:
1159 case SSL_HND_CERT_REQUEST:
1160 dissect_dtls_hnd_cert_req(sub_tvb, ssl_hand_tree, 0);
1163 case SSL_HND_SVR_HELLO_DONE:
1164 /* server_hello_done has no fields, so nothing to do! */
1167 case SSL_HND_CERT_VERIFY:
1171 case SSL_HND_CLIENT_KEY_EXCHG:
1173 /* here we can have all the data to build session key */
1174 StringInfo encrypted_pre_master;
1176 guint encrlen = length, skip;
1182 /* check for required session data */
1183 ssl_debug_printf("dissect_dtls_handshake found SSL_HND_CLIENT_KEY_EXCHG state %X\n",
1185 if ((ssl->state & (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION)) !=
1186 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION)) {
1187 ssl_debug_printf("dissect_dtls_handshake not enough data to generate key (required %X)\n",
1188 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION));
1192 encrypted_pre_master.data = se_alloc(encrlen);
1193 encrypted_pre_master.data_len = encrlen;
1194 tvb_memcpy(tvb, encrypted_pre_master.data, offset+skip, encrlen);
1196 if (!ssl->private_key) {
1197 ssl_debug_printf("dissect_dtls_handshake can't find private key\n");
1201 /* go with ssl key processessing; encrypted_pre_master
1202 * will be used for master secret store*/
1203 ret = ssl_decrypt_pre_master_secret(ssl, &encrypted_pre_master, ssl->private_key);
1205 ssl_debug_printf("dissect_dtls_handshake can't decrypt pre master secret\n");
1208 if (ssl_generate_keyring_material(ssl)<0) {
1209 ssl_debug_printf("dissect_dtls_handshake can't generate keyring material\n");
1212 ssl->state |= SSL_HAVE_SESSION_KEY;
1213 ssl_save_session(ssl, dtls_session_hash);
1214 ssl_debug_printf("dissect_dtls_handshake session keys successfully generated\n");
1218 case SSL_HND_FINISHED:
1219 dissect_dtls_hnd_finished(sub_tvb, ssl_hand_tree,
1226 offset += 12; /* skip the handshake header when handshake is not processed*/
1232 dissect_dtls_hnd_hello_common(tvbuff_t *tvb, proto_tree *tree,
1233 guint32 offset, SslDecryptSession* ssl, gint from_server)
1235 /* show the client's random challenge */
1236 nstime_t gmt_unix_time;
1237 guint8 session_id_length;
1238 session_id_length = 0;
1241 /* get proper peer information*/
1244 rnd = &ssl->server_random;
1246 rnd = &ssl->client_random;
1248 /* get provided random for keyring generation*/
1249 tvb_memcpy(tvb, rnd->data, offset, 32);
1252 ssl->state |= SSL_SERVER_RANDOM;
1254 ssl->state |= SSL_CLIENT_RANDOM;
1255 ssl_debug_printf("dissect_dtls_hnd_hello_common found random state %X\n",
1258 session_id_length = tvb_get_guint8(tvb, offset + 32);
1259 /* check stored session id info */
1260 if (from_server && (session_id_length == ssl->session_id.data_len) &&
1261 (tvb_memeql(tvb, offset+33, ssl->session_id.data, session_id_length) == 0))
1263 /* clinet/server id match: try to restore a previous cached session*/
1264 ssl_restore_session(ssl, dtls_session_hash);
1267 tvb_memcpy(tvb,ssl->session_id.data, offset+33, session_id_length);
1268 ssl->session_id.data_len = session_id_length;
1275 gmt_unix_time.secs = tvb_get_ntohl(tvb, offset);
1276 gmt_unix_time.nsecs = 0;
1277 proto_tree_add_time(tree, hf_dtls_handshake_random_time,
1278 tvb, offset, 4, &gmt_unix_time);
1281 /* show the random bytes */
1282 proto_tree_add_item(tree, hf_dtls_handshake_random_bytes,
1283 tvb, offset, 28, 0);
1286 /* show the session id */
1287 session_id_length = tvb_get_guint8(tvb, offset);
1288 proto_tree_add_item(tree, hf_dtls_handshake_session_id_len,
1289 tvb, offset++, 1, 0);
1290 if (session_id_length > 0)
1292 proto_tree_add_bytes_format(tree, hf_dtls_handshake_session_id,
1293 tvb, offset, session_id_length,
1294 tvb_get_ptr(tvb, offset, session_id_length),
1295 "Session ID (%u byte%s)",
1297 plurality(session_id_length, "", "s"));
1298 offset += session_id_length;
1304 return session_id_length+33;
1308 dissect_dtls_hnd_hello_ext(tvbuff_t *tvb,
1309 proto_tree *tree, guint32 offset, guint32 left)
1311 guint16 extension_length;
1315 proto_tree *ext_tree;
1320 extension_length = tvb_get_ntohs(tvb, offset);
1321 proto_tree_add_uint(tree, hf_dtls_handshake_extensions_len,
1322 tvb, offset, 2, extension_length);
1328 ext_type = tvb_get_ntohs(tvb, offset);
1329 ext_len = tvb_get_ntohs(tvb, offset + 2);
1331 pi = proto_tree_add_text(tree, tvb, offset, 4 + ext_len,
1333 val_to_str(ext_type,
1334 tls_hello_extension_types,
1336 ext_tree = proto_item_add_subtree(pi, ett_dtls_extension);
1340 proto_tree_add_uint(ext_tree, hf_dtls_handshake_extension_type,
1341 tvb, offset, 2, ext_type);
1344 proto_tree_add_uint(ext_tree, hf_dtls_handshake_extension_len,
1345 tvb, offset, 2, ext_len);
1348 proto_tree_add_bytes_format(ext_tree, hf_dtls_handshake_extension_data,
1349 tvb, offset, ext_len,
1350 tvb_get_ptr(tvb, offset, ext_len),
1352 ext_len, plurality(ext_len, "", "s"));
1354 left -= 2 + 2 + ext_len;
1361 dissect_dtls_hnd_cli_hello(tvbuff_t *tvb,
1362 proto_tree *tree, guint32 offset, guint32 length,
1363 SslDecryptSession*ssl)
1366 * ProtocolVersion client_version;
1368 * SessionID session_id;
1369 * opaque cookie<0..32>; //new field
1370 * CipherSuite cipher_suites<2..2^16-1>;
1371 * CompressionMethod compression_methods<1..2^8-1>;
1372 * Extension client_hello_extension_list<0..2^16-1>;
1377 proto_tree *cs_tree;
1378 guint16 cipher_suite_length;
1379 guint8 compression_methods_length;
1380 guint8 compression_method;
1381 guint16 start_offset = offset;
1382 guint8 cookie_length;
1383 cipher_suite_length = 0;
1384 compression_methods_length = 0;
1389 /* show the client version */
1391 proto_tree_add_item(tree, hf_dtls_handshake_client_version, tvb,
1395 /* show the fields in common with server hello */
1396 offset += dissect_dtls_hnd_hello_common(tvb, tree, offset, ssl, 0);
1398 /* look for a cookie */
1399 cookie_length = tvb_get_guint8(tvb, offset);
1403 proto_tree_add_uint(tree, hf_dtls_handshake_cookie_len,
1404 tvb, offset, 1, cookie_length);
1405 offset ++; /* skip opaque length */
1407 if (cookie_length > 0)
1409 proto_tree_add_bytes_format(tree, hf_dtls_handshake_cookie,
1410 tvb, offset, cookie_length,
1411 tvb_get_ptr(tvb, offset, cookie_length),
1412 "Cookie (%u byte%s)",
1414 plurality(cookie_length, "", "s"));
1415 offset += cookie_length;
1418 /* tell the user how many cipher suites there are */
1419 cipher_suite_length = tvb_get_ntohs(tvb, offset);
1421 proto_tree_add_uint(tree, hf_dtls_handshake_cipher_suites_len,
1422 tvb, offset, 2, cipher_suite_length);
1423 offset += 2; /* skip opaque length */
1425 if (cipher_suite_length > 0)
1427 tvb_ensure_bytes_exist(tvb, offset, cipher_suite_length);
1428 ti = proto_tree_add_none_format(tree,
1429 hf_dtls_handshake_cipher_suites,
1430 tvb, offset, cipher_suite_length,
1431 "Cipher Suites (%u suite%s)",
1432 cipher_suite_length / 2,
1433 plurality(cipher_suite_length/2, "", "s"));
1435 /* make this a subtree */
1436 cs_tree = proto_item_add_subtree(ti, ett_dtls_cipher_suites);
1439 cs_tree = tree; /* failsafe */
1442 while (cipher_suite_length > 0)
1444 proto_tree_add_item(cs_tree, hf_dtls_handshake_cipher_suite,
1445 tvb, offset, 2, FALSE);
1447 cipher_suite_length -= 2;
1451 /* tell the user how man compression methods there are */
1452 compression_methods_length = tvb_get_guint8(tvb, offset);
1453 proto_tree_add_uint(tree, hf_dtls_handshake_comp_methods_len,
1454 tvb, offset, 1, compression_methods_length);
1457 if (compression_methods_length > 0)
1459 tvb_ensure_bytes_exist(tvb, offset, compression_methods_length);
1460 ti = proto_tree_add_none_format(tree,
1461 hf_dtls_handshake_comp_methods,
1462 tvb, offset, compression_methods_length,
1463 "Compression Methods (%u method%s)",
1464 compression_methods_length,
1465 plurality(compression_methods_length,
1468 /* make this a subtree */
1469 cs_tree = proto_item_add_subtree(ti, ett_dtls_comp_methods);
1472 cs_tree = tree; /* failsafe */
1475 while (compression_methods_length > 0)
1477 compression_method = tvb_get_guint8(tvb, offset);
1478 if (compression_method < 64)
1479 proto_tree_add_uint(cs_tree, hf_dtls_handshake_comp_method,
1480 tvb, offset, 1, compression_method);
1481 else if (compression_method > 63 && compression_method < 193)
1482 proto_tree_add_text(cs_tree, tvb, offset, 1,
1483 "Compression Method: Reserved - to be assigned by IANA (%u)",
1484 compression_method);
1486 proto_tree_add_text(cs_tree, tvb, offset, 1,
1487 "Compression Method: Private use range (%u)",
1488 compression_method);
1490 compression_methods_length--;
1494 if (length > offset - start_offset)
1496 offset = dissect_dtls_hnd_hello_ext(tvb, tree, offset,
1498 (offset - start_offset));
1504 static void dissect_dtls_hnd_hello_verify_request(tvbuff_t *tvb,
1507 SslDecryptSession* ssl)
1511 * ProtocolVersion server_version;
1512 * opaque cookie<0..32>;
1513 * } HelloVerifyRequest;
1516 guint8 cookie_length;
1521 /* show the client version */
1523 proto_tree_add_item(tree, hf_dtls_handshake_server_version, tvb,
1528 /* look for a cookie */
1529 cookie_length = tvb_get_guint8(tvb, offset);
1533 proto_tree_add_uint(tree, hf_dtls_handshake_cookie_len,
1534 tvb, offset, 1, cookie_length);
1535 offset ++; /* skip opaque length */
1537 if (cookie_length > 0)
1539 proto_tree_add_bytes_format(tree, hf_dtls_handshake_cookie,
1540 tvb, offset, cookie_length,
1541 tvb_get_ptr(tvb, offset, cookie_length),
1542 "Cookie (%u byte%s)",
1544 plurality(cookie_length, "", "s"));
1545 offset += cookie_length;
1552 dissect_dtls_hnd_srv_hello(tvbuff_t *tvb,
1553 proto_tree *tree, guint32 offset, guint32 length, SslDecryptSession* ssl)
1556 * ProtocolVersion server_version;
1558 * SessionID session_id;
1559 * CipherSuite cipher_suite;
1560 * CompressionMethod compression_method;
1561 * Extension server_hello_extension_list<0..2^16-1>;
1564 guint16 start_offset;
1565 start_offset = offset;
1569 /* show the server version */
1571 proto_tree_add_item(tree, hf_dtls_handshake_server_version, tvb,
1575 /* first display the elements conveniently in
1576 * common with client hello
1578 offset += dissect_dtls_hnd_hello_common(tvb, tree, offset, ssl, 1);
1580 /* PAOLO: handle session cipher suite */
1582 /* store selected cipher suite for decryption */
1583 ssl->cipher = tvb_get_ntohs(tvb, offset);
1584 if (ssl_find_cipher(ssl->cipher,&ssl->cipher_suite) < 0) {
1585 ssl_debug_printf("dissect_dtls_hnd_srv_hello can't find cipher suite %X\n", ssl->cipher);
1589 ssl->state |= SSL_CIPHER;
1590 ssl_debug_printf("dissect_dtls_hnd_srv_hello found cipher %X, state %X\n",
1591 ssl->cipher, ssl->state);
1593 /* if we have restored a session now we can have enought material
1594 * to build session key, check it out*/
1596 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION|SSL_MASTER_SECRET)) !=
1597 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION|SSL_MASTER_SECRET)) {
1598 ssl_debug_printf("dissect_dtls_hnd_srv_hello not enough data to generate key (required %X)\n",
1599 (SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION|SSL_MASTER_SECRET));
1603 ssl_debug_printf("dissect_dtls_hnd_srv_hello trying to generate keys\n");
1604 if (ssl_generate_keyring_material(ssl)<0) {
1605 ssl_debug_printf("dissect_dtls_hnd_srv_hello can't generate keyring material\n");
1608 ssl->state |= SSL_HAVE_SESSION_KEY;
1614 /* now the server-selected cipher suite */
1615 proto_tree_add_item(tree, hf_dtls_handshake_cipher_suite,
1616 tvb, offset, 2, FALSE);
1619 /* and the server-selected compression method */
1620 proto_tree_add_item(tree, hf_dtls_handshake_comp_method,
1621 tvb, offset, 1, FALSE);
1624 if (length > offset - start_offset)
1626 offset = dissect_dtls_hnd_hello_ext(tvb, tree, offset,
1628 (offset - start_offset));
1634 dissect_dtls_hnd_cert(tvbuff_t *tvb,
1635 proto_tree *tree, guint32 offset, packet_info *pinfo)
1638 /* opaque ASN.1Cert<2^24-1>;
1641 * ASN.1Cert certificate_list<1..2^24-1>;
1644 guint32 certificate_list_length;
1646 proto_tree *subtree;
1647 asn1_ctx_t asn1_ctx;
1648 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
1652 certificate_list_length = tvb_get_ntoh24(tvb, offset);
1653 proto_tree_add_uint(tree, hf_dtls_handshake_certificates_len,
1654 tvb, offset, 3, certificate_list_length);
1655 offset += 3; /* 24-bit length value */
1657 if (certificate_list_length > 0)
1659 tvb_ensure_bytes_exist(tvb, offset, certificate_list_length);
1660 ti = proto_tree_add_none_format(tree,
1661 hf_dtls_handshake_certificates,
1662 tvb, offset, certificate_list_length,
1663 "Certificates (%u byte%s)",
1664 certificate_list_length,
1665 plurality(certificate_list_length,
1668 /* make it a subtree */
1669 subtree = proto_item_add_subtree(ti, ett_dtls_certs);
1672 subtree = tree; /* failsafe */
1675 /* iterate through each certificate */
1676 while (certificate_list_length > 0)
1678 /* get the length of the current certificate */
1679 guint32 cert_length = tvb_get_ntoh24(tvb, offset);
1680 certificate_list_length -= 3 + cert_length;
1682 proto_tree_add_item(subtree, hf_dtls_handshake_certificate_len,
1683 tvb, offset, 3, FALSE);
1686 dissect_x509af_Certificate(FALSE, tvb, offset, &asn1_ctx, subtree, hf_dtls_handshake_certificate);
1687 offset += cert_length;
1695 dissect_dtls_hnd_cert_req(tvbuff_t *tvb,
1696 proto_tree *tree, guint32 offset)
1700 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
1702 * } ClientCertificateType;
1704 * opaque DistinguishedName<1..2^16-1>;
1707 * ClientCertificateType certificate_types<1..2^8-1>;
1708 * DistinguishedName certificate_authorities<3..2^16-1>;
1709 * } CertificateRequest;
1713 proto_tree *subtree;
1714 guint8 cert_types_count;
1716 cert_types_count = 0;
1721 cert_types_count = tvb_get_guint8(tvb, offset);
1722 proto_tree_add_uint(tree, hf_dtls_handshake_cert_types_count,
1723 tvb, offset, 1, cert_types_count);
1726 if (cert_types_count > 0)
1728 ti = proto_tree_add_none_format(tree,
1729 hf_dtls_handshake_cert_types,
1730 tvb, offset, cert_types_count,
1731 "Certificate types (%u type%s)",
1733 plurality(cert_types_count, "", "s"));
1734 subtree = proto_item_add_subtree(ti, ett_dtls_cert_types);
1740 while (cert_types_count > 0)
1742 proto_tree_add_item(subtree, hf_dtls_handshake_cert_type,
1743 tvb, offset, 1, FALSE);
1749 dnames_length = tvb_get_ntohs(tvb, offset);
1750 proto_tree_add_uint(tree, hf_dtls_handshake_dnames_len,
1751 tvb, offset, 2, dnames_length);
1754 if (dnames_length > 0)
1756 tvb_ensure_bytes_exist(tvb, offset, dnames_length);
1757 ti = proto_tree_add_none_format(tree,
1758 hf_dtls_handshake_dnames,
1759 tvb, offset, dnames_length,
1760 "Distinguished Names (%d byte%s)",
1762 plurality(dnames_length, "", "s"));
1763 subtree = proto_item_add_subtree(ti, ett_dtls_dnames);
1769 while (dnames_length > 0)
1771 /* get the length of the current certificate */
1772 guint16 name_length = tvb_get_ntohs(tvb, offset);
1773 dnames_length -= 2 + name_length;
1775 proto_tree_add_item(subtree, hf_dtls_handshake_dname_len,
1776 tvb, offset, 2, FALSE);
1779 proto_tree_add_bytes_format(subtree,
1780 hf_dtls_handshake_dname,
1781 tvb, offset, name_length,
1782 tvb_get_ptr(tvb, offset, name_length),
1783 "Distinguished Name (%u byte%s)",
1785 plurality(name_length, "", "s"));
1786 offset += name_length;
1794 dissect_dtls_hnd_finished(tvbuff_t *tvb,
1795 proto_tree *tree, guint32 offset,
1796 guint* conv_version)
1800 * opaque verify_data[12];
1804 /* this all needs a tree, so bail if we don't have one */
1810 switch(*conv_version) {
1812 proto_tree_add_item(tree, hf_dtls_handshake_finished,
1813 tvb, offset, 12, FALSE);
1818 /*********************************************************************
1822 *********************************************************************/
1825 ssl_set_conv_version(packet_info *pinfo, guint version)
1827 conversation_t *conversation;
1829 if (pinfo->fd->flags.visited)
1831 /* We've already processed this frame; no need to do any more
1837 conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
1838 pinfo->srcport, pinfo->destport, 0);
1840 if (conversation == NULL)
1842 /* create a new conversation */
1843 conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
1844 pinfo->srcport, pinfo->destport, 0);
1847 if (conversation_get_proto_data(conversation, proto_dtls) != NULL)
1849 /* get rid of the current data */
1850 conversation_delete_proto_data(conversation, proto_dtls);
1852 conversation_add_proto_data(conversation, proto_dtls, GINT_TO_POINTER(version));
1857 dtls_is_valid_handshake_type(guint8 type)
1861 case SSL_HND_HELLO_REQUEST:
1862 case SSL_HND_CLIENT_HELLO:
1863 case SSL_HND_SERVER_HELLO:
1864 case SSL_HND_HELLO_VERIFY_REQUEST:
1865 case SSL_HND_CERTIFICATE:
1866 case SSL_HND_SERVER_KEY_EXCHG:
1867 case SSL_HND_CERT_REQUEST:
1868 case SSL_HND_SVR_HELLO_DONE:
1869 case SSL_HND_CERT_VERIFY:
1870 case SSL_HND_CLIENT_KEY_EXCHG:
1871 case SSL_HND_FINISHED:
1878 dtls_is_authoritative_version_message(guint8 content_type,
1881 if (content_type == SSL_ID_HANDSHAKE
1882 && dtls_is_valid_handshake_type(next_byte))
1884 return (next_byte != SSL_HND_CLIENT_HELLO);
1886 else if (ssl_is_valid_content_type(content_type)
1887 && content_type != SSL_ID_HANDSHAKE)
1894 /* this applies a heuristic to determine whether
1895 * or not the data beginning at offset looks like a
1896 * valid dtls record.
1899 looks_like_dtls(tvbuff_t *tvb, guint32 offset)
1901 /* have to have a valid content type followed by a valid
1907 /* see if the first byte is a valid content type */
1908 byte = tvb_get_guint8(tvb, offset);
1909 if (!ssl_is_valid_content_type(byte))
1914 /* now check to see if the version byte appears valid */
1915 version = tvb_get_ntohs(tvb, offset + 1);
1916 if (version != DTLSV1DOT0_VERSION && version != DTLSV1DOT0_VERSION_NOT)
1924 /*********************************************************************
1926 * Standard Wireshark Protocol Registration and housekeeping
1928 *********************************************************************/
1930 proto_register_dtls(void)
1933 /* Setup list of header fields See Section 1.6.1 for details*/
1934 static hf_register_info hf[] = {
1936 { "Record Layer", "dtls.record",
1937 FT_NONE, BASE_NONE, NULL, 0x0,
1938 "Record layer", HFILL }
1940 { &hf_dtls_record_content_type,
1941 { "Content Type", "dtls.record.content_type",
1942 FT_UINT8, BASE_DEC, VALS(ssl_31_content_type), 0x0,
1943 "Content type", HFILL}
1945 { &hf_dtls_record_version,
1946 { "Version", "dtls.record.version",
1947 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
1948 "Record layer version.", HFILL }
1950 { &hf_dtls_record_epoch,
1951 { "Epoch", "dtls.record.epoch",
1952 FT_UINT16, BASE_DEC, NULL, 0x0,
1955 { &hf_dtls_record_sequence_number,
1956 { "Sequence Number", "dtls.record.sequence_number",
1957 FT_DOUBLE, BASE_NONE, NULL, 0x0,
1960 { &hf_dtls_record_length,
1961 { "Length", "dtls.record.length",
1962 FT_UINT16, BASE_DEC, NULL, 0x0,
1963 "Length of DTLS record data", HFILL }
1965 { &hf_dtls_record_appdata,
1966 { "Encrypted Application Data", "dtls.app_data",
1967 FT_BYTES, BASE_NONE, NULL, 0x0,
1968 "Payload is encrypted application data", HFILL }
1970 { &hf_dtls_change_cipher_spec,
1971 { "Change Cipher Spec Message", "dtls.change_cipher_spec",
1972 FT_NONE, BASE_NONE, NULL, 0x0,
1973 "Signals a change in cipher specifications", HFILL }
1975 { & hf_dtls_alert_message,
1976 { "Alert Message", "dtls.alert_message",
1977 FT_NONE, BASE_NONE, NULL, 0x0,
1978 "Alert message", HFILL }
1980 { & hf_dtls_alert_message_level,
1981 { "Level", "dtls.alert_message.level",
1982 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_level), 0x0,
1983 "Alert message level", HFILL }
1985 { &hf_dtls_alert_message_description,
1986 { "Description", "dtls.alert_message.desc",
1987 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_description), 0x0,
1988 "Alert message description", HFILL }
1990 { &hf_dtls_handshake_protocol,
1991 { "Handshake Protocol", "dtls.handshake",
1992 FT_NONE, BASE_NONE, NULL, 0x0,
1993 "Handshake protocol message", HFILL}
1995 { &hf_dtls_handshake_type,
1996 { "Handshake Type", "dtls.handshake.type",
1997 FT_UINT8, BASE_DEC, VALS(ssl_31_handshake_type), 0x0,
1998 "Type of handshake message", HFILL}
2000 { &hf_dtls_handshake_length,
2001 { "Length", "dtls.handshake.length",
2002 FT_UINT24, BASE_DEC, NULL, 0x0,
2003 "Length of handshake message", HFILL }
2005 { &hf_dtls_handshake_message_seq,
2006 { "Message Sequence", "dtls.handshake.message_seq",
2007 FT_UINT16, BASE_DEC, NULL, 0x0,
2008 "Message sequence of handshake message", HFILL }
2010 { &hf_dtls_handshake_fragment_offset,
2011 { "Fragment Offset", "dtls.handshake.fragment_offset",
2012 FT_UINT24, BASE_DEC, NULL, 0x0,
2013 "Fragment offset of handshake message", HFILL }
2015 { &hf_dtls_handshake_fragment_length,
2016 { "Fragment Length", "dtls.handshake.fragment_length",
2017 FT_UINT24, BASE_DEC, NULL, 0x0,
2018 "Fragment length of handshake message", HFILL }
2020 { &hf_dtls_handshake_client_version,
2021 { "Version", "dtls.handshake.version",
2022 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2023 "Maximum version supported by client", HFILL }
2025 { &hf_dtls_handshake_server_version,
2026 { "Version", "dtls.handshake.version",
2027 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2028 "Version selected by server", HFILL }
2030 { &hf_dtls_handshake_random_time,
2031 { "Random.gmt_unix_time", "dtls.handshake.random_time",
2032 FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0x0,
2033 "Unix time field of random structure", HFILL }
2035 { &hf_dtls_handshake_random_bytes,
2036 { "Random.bytes", "dtls.handshake.random",
2037 FT_NONE, BASE_NONE, NULL, 0x0,
2038 "Random challenge used to authenticate server", HFILL }
2040 { &hf_dtls_handshake_cipher_suites_len,
2041 { "Cipher Suites Length", "dtls.handshake.cipher_suites_length",
2042 FT_UINT16, BASE_DEC, NULL, 0x0,
2043 "Length of cipher suites field", HFILL }
2045 { &hf_dtls_handshake_cipher_suites,
2046 { "Cipher Suites", "dtls.handshake.ciphersuites",
2047 FT_NONE, BASE_NONE, NULL, 0x0,
2048 "List of cipher suites supported by client", HFILL }
2050 { &hf_dtls_handshake_cipher_suite,
2051 { "Cipher Suite", "dtls.handshake.ciphersuite",
2052 FT_UINT16, BASE_HEX, VALS(ssl_31_ciphersuite), 0x0,
2053 "Cipher suite", HFILL }
2055 { &hf_dtls_handshake_cookie_len,
2056 { "Cookie Length", "dtls.handshake.cookie_length",
2057 FT_UINT8, BASE_DEC, NULL, 0x0,
2058 "Length of the cookie field", HFILL }
2060 { &hf_dtls_handshake_cookie,
2061 { "Cookie", "dtls.handshake.cookie",
2062 FT_BYTES, BASE_NONE, NULL, 0x0,
2065 { &hf_dtls_handshake_session_id,
2066 { "Session ID", "dtls.handshake.session_id",
2067 FT_BYTES, BASE_NONE, NULL, 0x0,
2068 "Identifies the DTLS session, allowing later resumption", HFILL }
2070 { &hf_dtls_handshake_comp_methods_len,
2071 { "Compression Methods Length", "dtls.handshake.comp_methods_length",
2072 FT_UINT8, BASE_DEC, NULL, 0x0,
2073 "Length of compression methods field", HFILL }
2075 { &hf_dtls_handshake_comp_methods,
2076 { "Compression Methods", "dtls.handshake.comp_methods",
2077 FT_NONE, BASE_NONE, NULL, 0x0,
2078 "List of compression methods supported by client", HFILL }
2080 { &hf_dtls_handshake_comp_method,
2081 { "Compression Method", "dtls.handshake.comp_method",
2082 FT_UINT8, BASE_DEC, VALS(ssl_31_compression_method), 0x0,
2085 { &hf_dtls_handshake_extensions_len,
2086 { "Extensions Length", "dtls.handshake.extensions_length",
2087 FT_UINT16, BASE_DEC, NULL, 0x0,
2088 "Length of hello extensions", HFILL }
2090 { &hf_dtls_handshake_extension_type,
2091 { "Type", "dtls.handshake.extension.type",
2092 FT_UINT16, BASE_HEX, VALS(tls_hello_extension_types), 0x0,
2093 "Hello extension type", HFILL }
2095 { &hf_dtls_handshake_extension_len,
2096 { "Length", "dtls.handshake.extension.len",
2097 FT_UINT16, BASE_DEC, NULL, 0x0,
2098 "Length of a hello extension", HFILL }
2100 { &hf_dtls_handshake_extension_data,
2101 { "Data", "dtls.handshake.extension.data",
2102 FT_BYTES, BASE_NONE, NULL, 0x0,
2103 "Hello Extension data", HFILL }
2105 { &hf_dtls_handshake_certificates_len,
2106 { "Certificates Length", "dtls.handshake.certificates_length",
2107 FT_UINT24, BASE_DEC, NULL, 0x0,
2108 "Length of certificates field", HFILL }
2110 { &hf_dtls_handshake_certificates,
2111 { "Certificates", "dtls.handshake.certificates",
2112 FT_NONE, BASE_NONE, NULL, 0x0,
2113 "List of certificates", HFILL }
2115 { &hf_dtls_handshake_certificate,
2116 { "Certificate", "dtls.handshake.certificate",
2117 FT_BYTES, BASE_NONE, NULL, 0x0,
2120 { &hf_dtls_handshake_certificate_len,
2121 { "Certificate Length", "dtls.handshake.certificate_length",
2122 FT_UINT24, BASE_DEC, NULL, 0x0,
2123 "Length of certificate", HFILL }
2125 { &hf_dtls_handshake_cert_types_count,
2126 { "Certificate types count", "dtls.handshake.cert_types_count",
2127 FT_UINT8, BASE_DEC, NULL, 0x0,
2128 "Count of certificate types", HFILL }
2130 { &hf_dtls_handshake_cert_types,
2131 { "Certificate types", "dtls.handshake.cert_types",
2132 FT_NONE, BASE_NONE, NULL, 0x0,
2133 "List of certificate types", HFILL }
2135 { &hf_dtls_handshake_cert_type,
2136 { "Certificate type", "dtls.handshake.cert_type",
2137 FT_UINT8, BASE_DEC, VALS(ssl_31_client_certificate_type), 0x0,
2140 { &hf_dtls_handshake_finished,
2141 { "Verify Data", "dtls.handshake.verify_data",
2142 FT_NONE, BASE_NONE, NULL, 0x0,
2143 "Opaque verification data", HFILL }
2145 { &hf_dtls_handshake_md5_hash,
2146 { "MD5 Hash", "dtls.handshake.md5_hash",
2147 FT_NONE, BASE_NONE, NULL, 0x0,
2148 "Hash of messages, master_secret, etc.", HFILL }
2150 { &hf_dtls_handshake_sha_hash,
2151 { "SHA-1 Hash", "dtls.handshake.sha_hash",
2152 FT_NONE, BASE_NONE, NULL, 0x0,
2153 "Hash of messages, master_secret, etc.", HFILL }
2155 { &hf_dtls_handshake_session_id_len,
2156 { "Session ID Length", "dtls.handshake.session_id_length",
2157 FT_UINT8, BASE_DEC, NULL, 0x0,
2158 "Length of session ID field", HFILL }
2160 { &hf_dtls_handshake_dnames_len,
2161 { "Distinguished Names Length", "dtls.handshake.dnames_len",
2162 FT_UINT16, BASE_DEC, NULL, 0x0,
2163 "Length of list of CAs that server trusts", HFILL }
2165 { &hf_dtls_handshake_dnames,
2166 { "Distinguished Names", "dtls.handshake.dnames",
2167 FT_NONE, BASE_NONE, NULL, 0x0,
2168 "List of CAs that server trusts", HFILL }
2170 { &hf_dtls_handshake_dname_len,
2171 { "Distinguished Name Length", "dtls.handshake.dname_len",
2172 FT_UINT16, BASE_DEC, NULL, 0x0,
2173 "Length of distinguished name", HFILL }
2175 { &hf_dtls_handshake_dname,
2176 { "Distinguished Name", "dtls.handshake.dname",
2177 FT_BYTES, BASE_NONE, NULL, 0x0,
2178 "Distinguished name of a CA that server trusts", HFILL }
2180 { &hf_dtls_fragments,
2181 { "Message fragments", "dtls.fragments",
2182 FT_NONE, BASE_NONE, NULL, 0x00, NULL, HFILL }
2184 { &hf_dtls_fragment,
2185 { "Message fragment", "dtls.fragment",
2186 FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL }
2188 { &hf_dtls_fragment_overlap,
2189 { "Message fragment overlap", "dtls.fragment.overlap",
2190 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }
2192 { &hf_dtls_fragment_overlap_conflicts,
2193 { "Message fragment overlapping with conflicting data",
2194 "dtls.fragment.overlap.conflicts",
2195 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }
2197 { &hf_dtls_fragment_multiple_tails,
2198 { "Message has multiple tail fragments",
2199 "dtls.fragment.multiple_tails",
2200 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }
2202 { &hf_dtls_fragment_too_long_fragment,
2203 { "Message fragment too long", "dtls.fragment.too_long_fragment",
2204 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }
2206 { &hf_dtls_fragment_error,
2207 { "Message defragmentation error", "dtls.fragment.error",
2208 FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL }
2210 { &hf_dtls_reassembled_in,
2211 { "Reassembled in", "dtls.reassembled.in",
2212 FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL }
2216 /* Setup protocol subtree array */
2217 static gint *ett[] = {
2221 &ett_dtls_handshake,
2222 &ett_dtls_cipher_suites,
2223 &ett_dtls_comp_methods,
2224 &ett_dtls_extension,
2226 &ett_dtls_cert_types,
2229 &ett_dtls_fragments,
2232 /* Register the protocol name and description */
2233 proto_dtls = proto_register_protocol("Datagram Transport Layer Security",
2236 /* Required function calls to register the header fields and
2238 proto_register_field_array(proto_dtls, hf, array_length(hf));
2239 proto_register_subtree_array(ett, array_length(ett));
2241 #ifdef HAVE_LIBGNUTLS
2243 module_t *dtls_module = prefs_register_protocol(proto_dtls, dtls_parse);
2244 prefs_register_string_preference(dtls_module, "keys_list", "RSA keys list",
2245 "semicolon separated list of private RSA keys used for DTLS decryption; "
2246 "each list entry must be in the form of <ip>,<port>,<protocol>,<key_file_name>"
2247 "<key_file_name> is the local file name of the RSA private key used by the specified server\n",
2248 (const gchar **)&dtls_keys_list);
2249 prefs_register_string_preference(dtls_module, "debug_file", "DTLS debug file",
2250 "redirect dtls debug to file name; leave empty to disable debug, "
2251 "use \"" SSL_DEBUG_USE_STDERR "\" to redirect output to stderr\n",
2252 (const gchar **)&dtls_debug_file_name);
2256 register_dissector("dtls", dissect_dtls, proto_dtls);
2257 dtls_handle = find_dissector("dtls");
2259 dtls_associations = g_tree_new(ssl_association_cmp);
2261 register_init_routine(dtls_init);
2263 dtls_tap = register_tap("dtls");
2264 ssl_debug_printf("proto_register_dtls: registered tap %s:%d\n",
2268 /* If this dissector uses sub-dissector registration add a registration
2269 * routine. This format is required because a script is used to find
2270 * these routines and create the code that calls these routines.
2273 proto_reg_handoff_dtls(void)
2276 /* add now dissector to default ports.*/