2 * Routines for ssl dissection
3 * Copyright (c) 2000-2001, Scott Renfro <scott@renfro.org>
5 * $Id: packet-ssl.c,v 1.22 2002/04/11 09:43:22 guy Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@ethereal.com>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 * - Uses conversations in a no-malloc fashion. Since we just want to
28 * remember the version of the conversation, we store the version
29 * integer directly in the void *data member of the conversation
30 * structure. This means that we don't have to manage any memory,
31 * but will cause problems if anyone assumes that all data pointers
32 * are actually pointers to memory allocated by g_mem_chunk_alloc.
34 * - Does not support decryption of encrypted frames, nor dissection
35 * of frames that would require state maintained between frames
36 * (e.g., single ssl records spread across multiple tcp frames)
38 * - Identifies, but does not fully dissect the following messages:
40 * - SSLv3/TLS (These need more state from previous handshake msgs)
41 * - Server Key Exchange
42 * - Client Key Exchange
43 * - Certificate Verify
45 * - SSLv2 (These don't appear in the clear)
50 * - Request Certificate
51 * - Client Certificate
65 #ifdef NEED_SNPRINTF_H
66 # include "snprintf.h"
69 #include <epan/conversation.h>
72 static gboolean ssl_desegment = TRUE;
75 /*********************************************************************
77 * Protocol Constants, Variables, Data Structures
79 *********************************************************************/
81 /* Initialize the protocol and registered fields */
82 static int proto_ssl = -1;
83 static int hf_ssl_record = -1;
84 static int hf_ssl_record_content_type = -1;
85 static int hf_ssl_record_version = -1;
86 static int hf_ssl_record_length = -1;
87 static int hf_ssl_record_appdata = -1;
88 static int hf_ssl2_record = -1;
89 static int hf_ssl2_record_is_escape = -1;
90 static int hf_ssl2_record_padding_length = -1;
91 static int hf_ssl2_msg_type = -1;
92 static int hf_pct_msg_type = -1;
93 static int hf_ssl_change_cipher_spec = -1;
94 static int hf_ssl_alert_message = -1;
95 static int hf_ssl_alert_message_level = -1;
96 static int hf_ssl_alert_message_description = -1;
97 static int hf_ssl_handshake_protocol = -1;
98 static int hf_ssl_handshake_type = -1;
99 static int hf_ssl_handshake_length = -1;
100 static int hf_ssl_handshake_client_version = -1;
101 static int hf_ssl_handshake_server_version = -1;
102 static int hf_ssl_handshake_random_time = -1;
103 static int hf_ssl_handshake_random_bytes = -1;
104 static int hf_ssl_handshake_cipher_suites_len = -1;
105 static int hf_ssl_handshake_cipher_suites = -1;
106 static int hf_ssl_handshake_cipher_suite = -1;
107 static int hf_ssl_handshake_session_id = -1;
108 static int hf_ssl_handshake_comp_methods_len = -1;
109 static int hf_ssl_handshake_comp_methods = -1;
110 static int hf_ssl_handshake_comp_method = -1;
111 static int hf_ssl_handshake_certificates_len = -1;
112 static int hf_ssl_handshake_certificates = -1;
113 static int hf_ssl_handshake_certificate = -1;
114 static int hf_ssl_handshake_certificate_len = -1;
115 static int hf_ssl_handshake_cert_types_count = -1;
116 static int hf_ssl_handshake_cert_types = -1;
117 static int hf_ssl_handshake_cert_type = -1;
118 static int hf_ssl_handshake_finished = -1;
119 static int hf_ssl_handshake_md5_hash = -1;
120 static int hf_ssl_handshake_sha_hash = -1;
121 static int hf_ssl_handshake_session_id_len = -1;
122 static int hf_ssl_handshake_dnames_len = -1;
123 static int hf_ssl_handshake_dnames = -1;
124 static int hf_ssl_handshake_dname_len = -1;
125 static int hf_ssl_handshake_dname = -1;
126 static int hf_ssl2_handshake_cipher_spec_len = -1;
127 static int hf_ssl2_handshake_session_id_len = -1;
128 static int hf_ssl2_handshake_challenge_len = -1;
129 static int hf_ssl2_handshake_cipher_spec = -1;
130 static int hf_ssl2_handshake_challenge = -1;
131 static int hf_ssl2_handshake_clear_key_len = -1;
132 static int hf_ssl2_handshake_enc_key_len = -1;
133 static int hf_ssl2_handshake_key_arg_len = -1;
134 static int hf_ssl2_handshake_clear_key = -1;
135 static int hf_ssl2_handshake_enc_key = -1;
136 static int hf_ssl2_handshake_key_arg = -1;
137 static int hf_ssl2_handshake_session_id_hit = -1;
138 static int hf_ssl2_handshake_cert_type = -1;
139 static int hf_ssl2_handshake_connection_id_len = -1;
140 static int hf_ssl2_handshake_connection_id = -1;
142 /* Initialize the subtree pointers */
143 static gint ett_ssl = -1;
144 static gint ett_ssl_record = -1;
145 static gint ett_ssl_alert = -1;
146 static gint ett_ssl_handshake = -1;
147 static gint ett_ssl_cipher_suites = -1;
148 static gint ett_ssl_comp_methods = -1;
149 static gint ett_ssl_certs = -1;
150 static gint ett_ssl_cert_types = -1;
151 static gint ett_ssl_dnames = -1;
153 /* The TCP port to associate with by default */
154 #define TCP_PORT_SSL 443
155 #define TCP_PORT_SSL_LDAP 636
156 #define TCP_PORT_SSL_IMAP 993
157 #define TCP_PORT_SSL_POP 995
159 /* version state tables */
160 #define SSL_VER_UNKNOWN 0
161 #define SSL_VER_SSLv2 1
162 #define SSL_VER_SSLv3 2
163 #define SSL_VER_TLS 3
164 #define SSL_VER_PCT 4
166 /* corresponds to the #defines above */
167 static gchar* ssl_version_short_names[] = {
176 #define SSL_ID_CHG_CIPHER_SPEC 0x14
177 #define SSL_ID_ALERT 0x15
178 #define SSL_ID_HANDSHAKE 0x16
179 #define SSL_ID_APP_DATA 0x17
181 #define SSL_HND_HELLO_REQUEST 0x00
182 #define SSL_HND_CLIENT_HELLO 0x01
183 #define SSL_HND_SERVER_HELLO 0x02
184 #define SSL_HND_CERTIFICATE 0x0b
185 #define SSL_HND_SERVER_KEY_EXCHG 0x0c
186 #define SSL_HND_CERT_REQUEST 0x0d
187 #define SSL_HND_SVR_HELLO_DONE 0x0e
188 #define SSL_HND_CERT_VERIFY 0x0f
189 #define SSL_HND_CLIENT_KEY_EXCHG 0x10
190 #define SSL_HND_FINISHED 0x14
192 #define SSL2_HND_ERROR 0x00
193 #define SSL2_HND_CLIENT_HELLO 0x01
194 #define SSL2_HND_CLIENT_MASTER_KEY 0x02
195 #define SSL2_HND_CLIENT_FINISHED 0x03
196 #define SSL2_HND_SERVER_HELLO 0x04
197 #define SSL2_HND_SERVER_VERIFY 0x05
198 #define SSL2_HND_SERVER_FINISHED 0x06
199 #define SSL2_HND_REQUEST_CERTIFICATE 0x07
200 #define SSL2_HND_CLIENT_CERTIFICATE 0x08
202 #define PCT_VERSION_1 0x8001
204 #define PCT_MSG_CLIENT_HELLO 0x01
205 #define PCT_MSG_SERVER_HELLO 0x02
206 #define PCT_MSG_CLIENT_MASTER_KEY 0x03
207 #define PCT_MSG_SERVER_VERIFY 0x04
208 #define PCT_MSG_ERROR 0x05
214 static const value_string ssl_20_msg_types[] = {
215 { SSL2_HND_ERROR, "Error" },
216 { SSL2_HND_CLIENT_HELLO, "Client Hello" },
217 { SSL2_HND_CLIENT_MASTER_KEY, "Client Master Key" },
218 { SSL2_HND_CLIENT_FINISHED, "Client Finished" },
219 { SSL2_HND_SERVER_HELLO, "Server Hello" },
220 { SSL2_HND_SERVER_VERIFY, "Server Verify" },
221 { SSL2_HND_SERVER_FINISHED, "Server Finished" },
222 { SSL2_HND_REQUEST_CERTIFICATE, "Request Certificate" },
223 { SSL2_HND_CLIENT_CERTIFICATE, "Client Certificate" },
227 static const value_string ssl_20_cipher_suites[] = {
228 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
229 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
230 { 0x030080, "SSL2_RC2_CBC_128_CBC_WITH_MD5" },
231 { 0x040080, "SSL2_RC2_CBC_128_CBC_WITH_MD5" },
232 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
233 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
234 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
235 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
236 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
237 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
238 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
239 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
240 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
241 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
242 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
243 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
244 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
245 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
246 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
247 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
248 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
249 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
250 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
251 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
252 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
253 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
254 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
255 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
256 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
257 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
258 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
259 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
260 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
261 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
262 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
263 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
264 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
265 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
266 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
267 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
268 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
269 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
270 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
271 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
272 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
273 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
274 /* these from http://www.mozilla.org/projects/
275 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
276 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
277 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
278 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
279 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
280 /* Microsoft's old PCT protocol. These are from Eric Rescorla's
281 book "SSL and TLS" */
282 { 0x8f8001, "PCT_SSL_COMPAT | PCT_VERSION_1" },
283 { 0x800003, "PCT_SSL_CERT_TYPE | PCT1_CERT_X509_CHAIN" },
284 { 0x800001, "PCT_SSL_CERT_TYPE | PCT1_CERT_X509" },
285 { 0x810001, "PCT_SSL_HASH_TYPE | PCT1_HASH_MD5" },
286 { 0x810003, "PCT_SSL_HASH_TYPE | PCT1_HASH_SHA" },
287 { 0x820001, "PCT_SSL_EXCH_TYPE | PCT1_EXCH_RSA_PKCS1" },
288 { 0x830004, "PCT_SSL_CIPHER_TYPE_1ST_HALF | PCT1_CIPHER_RC4" },
289 { 0x848040, "PCT_SSL_CIPHER_TYPE_2ND_HALF | PCT1_ENC_BITS_128 | PCT1_MAC_BITS_128" },
290 { 0x842840, "PCT_SSL_CIPHER_TYPE_2ND_HALF | PCT1_ENC_BITS_40 | PCT1_MAC_BITS_128" },
291 /* note that ciphersuites of {0x00????} are TLS cipher suites in
292 * a sslv2 client hello message; the ???? above is the two-byte
293 * tls cipher suite id
298 static const value_string ssl_20_certificate_type[] = {
300 { 0x01, "X.509 Certificate" },
304 static const value_string ssl_31_content_type[] = {
305 { 20, "Change Cipher Spec" },
308 { 23, "Application Data" },
312 static const value_string ssl_versions[] = {
313 { 0x0301, "TLS 1.0" },
314 { 0x0300, "SSL 3.0" },
315 { 0x0002, "SSL 2.0" },
319 static const value_string ssl_31_change_cipher_spec[] = {
320 { 1, "Change Cipher Spec" },
324 static const value_string ssl_31_alert_level[] = {
330 static const value_string ssl_31_alert_description[] = {
331 { 0, "Close Notify" },
332 { 10, "Unexpected Message" },
333 { 20, "Bad Record MAC" },
334 { 21, "Decryption Failed" },
335 { 22, "Record Overflow" },
336 { 30, "Decompression Failure" },
337 { 40, "Handshake Failure" },
338 { 42, "Bad Certificate" },
339 { 43, "Unsupported Certificate" },
340 { 44, "Certificate Revoked" },
341 { 45, "Certificate Expired" },
342 { 46, "Certificate Unknown" },
343 { 47, "Illegal Parameter" },
344 { 48, "Unknown CA" },
345 { 49, "Access Denied" },
346 { 50, "Decode Error" },
347 { 51, "Decrypt Error" },
348 { 60, "Export Restriction" },
349 { 70, "Protocol Version" },
350 { 71, "Insufficient Security" },
351 { 80, "Internal Error" },
352 { 90, "User Canceled" },
353 { 100, "No Renegotiation" },
357 static const value_string ssl_31_handshake_type[] = {
358 { SSL_HND_HELLO_REQUEST, "Hello Request" },
359 { SSL_HND_CLIENT_HELLO, "Client Hello" },
360 { SSL_HND_SERVER_HELLO, "Server Hello" },
361 { SSL_HND_CERTIFICATE, "Certificate" },
362 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
363 { SSL_HND_CERT_REQUEST, "Certificate Request" },
364 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
365 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
366 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
367 { SSL_HND_FINISHED, "Finished" },
371 static const value_string ssl_31_compression_method[] = {
376 static const value_string ssl_31_key_exchange_algorithm[] = {
378 { 1, "Diffie Hellman" },
382 static const value_string ssl_31_signature_algorithm[] = {
389 static const value_string ssl_31_client_certificate_type[] = {
392 { 3, "RSA Fixed DH" },
393 { 4, "DSS Fixed DH" },
397 static const value_string ssl_31_public_value_encoding[] = {
403 static const value_string ssl_31_ciphersuite[] = {
404 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
405 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
406 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
407 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
408 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
409 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
410 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
411 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
412 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
413 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
414 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
415 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
416 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
417 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
418 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
419 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
420 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
421 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
422 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
423 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
424 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
425 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
426 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
427 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
428 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
429 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
430 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
431 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
432 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
433 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
434 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
435 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
436 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
437 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
438 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
439 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
440 /* these from http://www.mozilla.org/projects/
441 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
442 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
443 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
444 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
445 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
446 /* note that ciphersuites 0xff00 - 0xffff are private */
450 static const value_string pct_msg_types[] = {
451 { PCT_MSG_CLIENT_HELLO, "Client Hello" },
452 { PCT_MSG_SERVER_HELLO, "Server Hello" },
453 { PCT_MSG_CLIENT_MASTER_KEY, "Client Master Key" },
454 { PCT_MSG_SERVER_VERIFY, "Server Verify" },
455 { PCT_MSG_ERROR, "Error" },
460 /*********************************************************************
462 * Forward Declarations
464 *********************************************************************/
467 * SSL version 3 and TLS dissectors
470 /* record layer dissector */
471 static int dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
472 proto_tree *tree, guint32 offset,
474 gboolean *need_desegmentation);
476 /* change cipher spec dissector */
477 static void dissect_ssl3_change_cipher_spec(tvbuff_t *tvb,
480 guint *conv_version);
482 /* alert message dissector */
483 static void dissect_ssl3_alert(tvbuff_t *tvb, packet_info *pinfo,
484 proto_tree *tree, guint32 offset,
485 guint *conv_version);
487 /* handshake protocol dissector */
488 static void dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
489 proto_tree *tree, guint32 offset,
490 guint32 record_length,
491 guint *conv_version);
494 static void dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb,
498 static void dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb,
502 static void dissect_ssl3_hnd_cert(tvbuff_t *tvb,
503 proto_tree *tree, guint32 offset);
505 static void dissect_ssl3_hnd_cert_req(tvbuff_t *tvb,
509 static void dissect_ssl3_hnd_finished(tvbuff_t *tvb,
512 guint *conv_version);
516 * SSL version 2 dissectors
520 /* record layer dissector */
521 static int dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo,
522 proto_tree *tree, guint32 offset,
524 gboolean *need_desegmentation);
526 /* client hello dissector */
527 static void dissect_ssl2_hnd_client_hello(tvbuff_t *tvb,
531 /* client master key dissector */
532 static void dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb,
536 /* server hello dissector */
537 static void dissect_ssl2_hnd_server_hello(tvbuff_t *tvb,
545 static void ssl_set_conv_version(packet_info *pinfo, guint version);
546 static int ssl_is_valid_handshake_type(guint8 type);
547 static int ssl_is_valid_content_type(guint8 type);
548 static int ssl_is_valid_ssl_version(guint16 version);
549 static int ssl_is_authoritative_version_message(guint8 content_type,
551 static int ssl_is_v2_client_hello(tvbuff_t *tvb, guint32 offset);
552 static int ssl_looks_like_sslv2(tvbuff_t *tvb, guint32 offset);
553 static int ssl_looks_like_sslv3(tvbuff_t *tvb, guint32 offset);
554 static int ssl_looks_like_valid_v2_handshake(tvbuff_t *tvb,
556 guint32 record_length);
557 static int ssl_looks_like_valid_pct_handshake(tvbuff_t *tvb,
559 guint32 record_length);
561 /*********************************************************************
565 *********************************************************************/
567 * Code to actually dissect the packets
570 dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
573 conversation_t *conversation;
575 guint conv_version = SSL_VER_UNKNOWN;
576 proto_item *ti = NULL;
577 proto_tree *ssl_tree = NULL;
579 gboolean first_record_in_frame = TRUE;
580 gboolean need_desegmentation;
582 /* Track the version using conversations to reduce the
583 * chance that a packet that simply *looks* like a v2 or
584 * v3 packet is dissected improperly. This also allows
585 * us to more frequently set the protocol column properly
586 * for continuation data frames.
588 * Also: We use the copy in conv_version as our cached copy,
589 * so that we don't have to search the conversation
590 * table every time we want the version; when setting
591 * the conv_version, must set the copy in the conversation
592 * in addition to conv_version
594 conversation = find_conversation(&pinfo->src, &pinfo->dst, pinfo->ptype,
595 pinfo->srcport, pinfo->destport, 0);
598 /* create a new conversation */
599 conversation = conversation_new(&pinfo->src, &pinfo->dst, pinfo->ptype,
600 pinfo->srcport, pinfo->destport, 0);
602 conv_data = conversation_get_proto_data(conversation, proto_ssl);
603 if (conv_data != NULL)
605 conv_version = (guint)conv_data;
608 /* Initialize the protocol column; we'll set it later when we
609 * figure out what flavor of SSL it is (assuming we don't
610 * throw an exception before we get the chance to do so). */
611 if (check_col(pinfo->cinfo, COL_PROTOCOL))
613 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SSL");
616 /* clear the the info column */
617 if (check_col(pinfo->cinfo, COL_INFO))
618 col_clear(pinfo->cinfo, COL_INFO);
620 /* TCP packets and SSL records are orthogonal.
621 * A tcp packet may contain multiple ssl records and an ssl
622 * record may be spread across multiple tcp packets.
624 * This loop accounts for multiple ssl records in a single
625 * frame, but not a single ssl record across multiple tcp
628 * Handling the single ssl record across multiple packets
629 * may be possible using ethereal conversations, but
630 * probably not cleanly. May have to wait for tcp stream
634 /* Create display subtree for SSL as a whole */
637 ti = proto_tree_add_item(tree, proto_ssl, tvb, 0, -1, FALSE);
638 ssl_tree = proto_item_add_subtree(ti, ett_ssl);
641 /* iterate through the records in this tvbuff */
642 while (tvb_reported_length_remaining(tvb, offset) != 0)
644 /* on second and subsequent records per frame
645 * add a delimiter on info column
647 if (!first_record_in_frame
648 && check_col(pinfo->cinfo, COL_INFO))
650 col_append_str(pinfo->cinfo, COL_INFO, ", ");
654 * Assume, for now, that this doesn't need desegmentation.
656 need_desegmentation = FALSE;
658 /* first try to dispatch off the cached version
659 * known to be associated with the conversation
661 switch(conv_version) {
664 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
665 offset, &conv_version,
666 &need_desegmentation);
671 /* the version tracking code works too well ;-)
672 * at times, we may visit a v2 client hello after
673 * we already know the version of the connection;
674 * work around that here by detecting and calling
675 * the v2 dissector instead
677 if (ssl_is_v2_client_hello(tvb, offset))
679 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
680 offset, &conv_version,
681 &need_desegmentation);
685 offset = dissect_ssl3_record(tvb, pinfo, ssl_tree,
686 offset, &conv_version,
687 &need_desegmentation);
691 /* that failed, so apply some heuristics based
692 * on this individual packet
695 if (ssl_looks_like_sslv2(tvb, offset))
697 /* looks like sslv2 or pct client hello */
698 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
699 offset, &conv_version,
700 &need_desegmentation);
702 else if (ssl_looks_like_sslv3(tvb, offset))
704 /* looks like sslv3 or tls */
705 offset = dissect_ssl3_record(tvb, pinfo, ssl_tree,
706 offset, &conv_version,
707 &need_desegmentation);
711 /* looks like something unknown, so lump into
714 offset = tvb_length(tvb);
715 if (check_col(pinfo->cinfo, COL_INFO))
716 col_append_str(pinfo->cinfo, COL_INFO,
717 "Continuation Data");
719 /* Set the protocol column */
720 if (check_col(pinfo->cinfo, COL_PROTOCOL))
722 col_set_str(pinfo->cinfo, COL_PROTOCOL,
723 ssl_version_short_names[conv_version]);
729 /* Desegmentation return check */
730 if (need_desegmentation)
733 /* If we haven't already set the version information for
734 * this conversation, do so. */
735 if (conv_data == NULL)
737 conv_data = (void *)conv_version;
738 conversation_add_proto_data(conversation, proto_ssl, conv_data);
741 /* set up for next record in frame, if any */
742 first_record_in_frame = FALSE;
748 /*********************************************************************
750 * SSL version 3 and TLS Dissection Routines
752 *********************************************************************/
754 dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
755 proto_tree *tree, guint32 offset,
756 guint *conv_version, gboolean *need_desegmentation)
761 * uint8 major, minor;
766 * change_cipher_spec(20), alert(21), handshake(22),
767 * application_data(23), (255)
772 * ProtocolVersion version;
774 * opaque fragment[TLSPlaintext.length];
777 guint32 record_length;
781 proto_tree *ti = NULL;
782 proto_tree *ssl_record_tree = NULL;
783 guint32 available_bytes = 0;
785 available_bytes = tvb_length_remaining(tvb, offset);
788 * Can we do reassembly?
790 if (ssl_desegment && pinfo->can_desegment) {
792 * Yes - is the record header split across segment boundaries?
794 if (available_bytes < 5) {
796 * Yes. Tell the TCP dissector where the data for this
797 * message starts in the data it handed us, and how many
798 * more bytes we need, and return.
800 pinfo->desegment_offset = offset;
801 pinfo->desegment_len = 5 - available_bytes;
802 *need_desegmentation = TRUE;
808 * Get the record layer fields of interest
810 content_type = tvb_get_guint8(tvb, offset);
811 version = tvb_get_ntohs(tvb, offset + 1);
812 record_length = tvb_get_ntohs(tvb, offset + 3);
814 if (ssl_is_valid_content_type(content_type)) {
817 * Can we do reassembly?
819 if (ssl_desegment && pinfo->can_desegment) {
821 * Yes - is the record split across segment boundaries?
823 if (available_bytes < record_length + 5) {
825 * Yes. Tell the TCP dissector where the data for this
826 * message starts in the data it handed us, and how many
827 * more bytes we need, and return.
829 pinfo->desegment_offset = offset;
830 pinfo->desegment_len = (record_length + 5) - available_bytes;
831 *need_desegmentation = TRUE;
838 /* if we don't have a valid content_type, there's no sense
839 * continuing any further
841 if (check_col(pinfo->cinfo, COL_INFO))
842 col_append_str(pinfo->cinfo, COL_INFO, "Continuation Data");
844 /* Set the protocol column */
845 if (check_col(pinfo->cinfo, COL_PROTOCOL))
847 col_set_str(pinfo->cinfo, COL_PROTOCOL,
848 ssl_version_short_names[*conv_version]);
850 return offset + 5 + record_length;
854 * If GUI, fill in record layer part of tree
859 /* add the record layer subtree header */
860 ti = proto_tree_add_item(tree, hf_ssl_record, tvb,
861 offset, 5 + record_length, 0);
862 ssl_record_tree = proto_item_add_subtree(ti, ett_ssl_record);
867 /* show the one-byte content type */
868 proto_tree_add_item(ssl_record_tree, hf_ssl_record_content_type,
872 /* add the version */
873 proto_tree_add_item(ssl_record_tree, hf_ssl_record_version, tvb,
878 proto_tree_add_uint(ssl_record_tree, hf_ssl_record_length, tvb,
879 offset, 2, record_length);
880 offset += 2; /* move past length field itself */
884 /* if no GUI tree, then just skip over those fields */
890 * if we don't already have a version set for this conversation,
891 * but this message's version is authoritative (i.e., it's
892 * not client_hello, then save the version to to conversation
893 * structure and print the column version
895 next_byte = tvb_get_guint8(tvb, offset);
896 if (*conv_version == SSL_VER_UNKNOWN
897 && ssl_is_authoritative_version_message(content_type, next_byte))
899 if (version == 0x0300)
901 *conv_version = SSL_VER_SSLv3;
902 ssl_set_conv_version(pinfo, *conv_version);
904 else if (version == 0x0301)
906 *conv_version = SSL_VER_TLS;
907 ssl_set_conv_version(pinfo, *conv_version);
910 if (check_col(pinfo->cinfo, COL_PROTOCOL))
912 if (version == 0x0300)
914 col_set_str(pinfo->cinfo, COL_PROTOCOL,
915 ssl_version_short_names[SSL_VER_SSLv3]);
917 else if (version == 0x0301)
919 col_set_str(pinfo->cinfo, COL_PROTOCOL,
920 ssl_version_short_names[SSL_VER_TLS]);
924 col_set_str(pinfo->cinfo, COL_PROTOCOL,
925 ssl_version_short_names[*conv_version]);
930 * now dissect the next layer
932 switch (content_type) {
933 case SSL_ID_CHG_CIPHER_SPEC:
934 if (check_col(pinfo->cinfo, COL_INFO))
935 col_append_str(pinfo->cinfo, COL_INFO, "Change Cipher Spec");
936 dissect_ssl3_change_cipher_spec(tvb, ssl_record_tree,
937 offset, conv_version);
940 dissect_ssl3_alert(tvb, pinfo, ssl_record_tree, offset,
943 case SSL_ID_HANDSHAKE:
944 dissect_ssl3_handshake(tvb, pinfo, ssl_record_tree, offset,
945 record_length, conv_version);
947 case SSL_ID_APP_DATA:
948 if (check_col(pinfo->cinfo, COL_INFO))
949 col_append_str(pinfo->cinfo, COL_INFO, "Application Data");
952 proto_item_set_text(ssl_record_tree,
953 "%s Record Layer: Application Data",
954 ssl_version_short_names[*conv_version]);
955 proto_tree_add_item(ssl_record_tree, hf_ssl_record_appdata, tvb,
956 offset, record_length, 0);
961 /* shouldn't get here since we check above for valid types */
962 if (check_col(pinfo->cinfo, COL_INFO))
963 col_append_str(pinfo->cinfo, COL_INFO, "Bad SSLv3 Content Type");
966 offset += record_length; /* skip to end of record */
971 /* dissects the change cipher spec procotol, filling in the tree */
973 dissect_ssl3_change_cipher_spec(tvbuff_t *tvb,
974 proto_tree *tree, guint32 offset,
979 * enum { change_cipher_spec(1), (255) } type;
980 * } ChangeCipherSpec;
985 proto_item_set_text(tree,
986 "%s Record Layer: Change Cipher Spec",
987 ssl_version_short_names[*conv_version]);
988 proto_tree_add_item(tree, hf_ssl_change_cipher_spec, tvb,
993 /* dissects the alert message, filling in the tree */
995 dissect_ssl3_alert(tvbuff_t *tvb, packet_info *pinfo,
996 proto_tree *tree, guint32 offset,
1001 * AlertDescription description;
1005 proto_tree *ssl_alert_tree = NULL;
1011 ti = proto_tree_add_item(tree, hf_ssl_alert_message, tvb,
1013 ssl_alert_tree = proto_item_add_subtree(ti, ett_ssl_alert);
1017 * set the record layer label
1020 /* first lookup the names for the alert level and description */
1021 byte = tvb_get_guint8(tvb, offset); /* grab the level byte */
1022 level = match_strval(byte, ssl_31_alert_level);
1024 byte = tvb_get_guint8(tvb, offset+1); /* grab the desc byte */
1025 desc = match_strval(byte, ssl_31_alert_description);
1027 /* now set the text in the record layer line */
1030 if (check_col(pinfo->cinfo, COL_INFO))
1031 col_append_fstr(pinfo->cinfo, COL_INFO,
1032 "Alert (Level: %s, Description: %s)",
1037 if (check_col(pinfo->cinfo, COL_INFO))
1038 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted Alert");
1045 proto_item_set_text(tree, "%s Record Layer: Alert "
1046 "(Level: %s, Description: %s)",
1047 ssl_version_short_names[*conv_version],
1049 proto_tree_add_item(ssl_alert_tree, hf_ssl_alert_message_level,
1050 tvb, offset++, 1, FALSE);
1052 proto_tree_add_item(ssl_alert_tree, hf_ssl_alert_message_description,
1053 tvb, offset++, 1, FALSE);
1057 proto_item_set_text(tree,
1058 "%s Record Layer: Encrypted Alert",
1059 ssl_version_short_names[*conv_version]);
1060 proto_item_set_text(ssl_alert_tree,
1061 "Alert Message: Encrypted Alert");
1067 /* dissects the handshake protocol, filling the tree */
1069 dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
1070 proto_tree *tree, guint32 offset,
1071 guint32 record_length, guint *conv_version)
1074 * HandshakeType msg_type;
1076 * select (HandshakeType) {
1077 * case hello_request: HelloRequest;
1078 * case client_hello: ClientHello;
1079 * case server_hello: ServerHello;
1080 * case certificate: Certificate;
1081 * case server_key_exchange: ServerKeyExchange;
1082 * case certificate_request: CertificateRequest;
1083 * case server_hello_done: ServerHelloDone;
1084 * case certificate_verify: CertificateVerify;
1085 * case client_key_exchange: ClientKeyExchange;
1086 * case finished: Finished;
1090 proto_tree *ti = NULL;
1091 proto_tree *ssl_hand_tree = NULL;
1092 gchar *msg_type_str = NULL;
1095 gboolean first_iteration = TRUE;
1098 /* just as there can be multiple records per packet, there
1099 * can be multiple messages per record as long as they have
1100 * the same content type
1102 * we really only care about this for handshake messages
1105 /* set record_length to the max offset */
1106 record_length += offset;
1107 while (offset < record_length)
1109 msg_type = tvb_get_guint8(tvb, offset);
1110 msg_type_str = match_strval(msg_type, ssl_31_handshake_type);
1111 length = tvb_get_ntoh24(tvb, offset + 1);
1113 if (!msg_type_str && !first_iteration)
1115 /* only dissect / report messages if they're
1116 * either the first message in this record
1117 * or they're a valid message type
1122 /* on second and later iterations, add comma to info col */
1123 if (!first_iteration)
1125 if (check_col(pinfo->cinfo, COL_INFO))
1126 col_append_fstr(pinfo->cinfo, COL_INFO, ", ");
1130 * Update our info string
1132 if (check_col(pinfo->cinfo, COL_INFO))
1133 col_append_fstr(pinfo->cinfo, COL_INFO, "%s", (msg_type_str != NULL)
1134 ? msg_type_str : "Encrypted Handshake Message");
1138 /* set the label text on the record layer expanding node */
1139 if (first_iteration)
1141 proto_item_set_text(tree, "%s Record Layer: %s",
1142 ssl_version_short_names[*conv_version],
1143 (msg_type_str!=NULL) ? msg_type_str :
1144 "Encrypted Handshake Message");
1148 proto_item_set_text(tree, "%s Record Layer: %s",
1149 ssl_version_short_names[*conv_version],
1150 "Multiple Handshake Messages");
1153 /* add a subtree for the handshake protocol */
1154 ti = proto_tree_add_item(tree, hf_ssl_handshake_protocol, tvb,
1155 offset, length + 4, 0);
1156 ssl_hand_tree = proto_item_add_subtree(ti, ett_ssl_handshake);
1160 /* set the text label on the subtree node */
1161 proto_item_set_text(ssl_hand_tree, "Handshake Protocol: %s",
1162 (msg_type_str != NULL) ? msg_type_str :
1163 "Encrypted Handshake Message");
1167 /* if we don't have a valid handshake type, just quit dissecting */
1175 /* add nodes for the message type and message length */
1176 proto_tree_add_item(ssl_hand_tree, hf_ssl_handshake_type,
1177 tvb, offset, 1, msg_type);
1179 proto_tree_add_uint(ssl_hand_tree, hf_ssl_handshake_length,
1180 tvb, offset, 3, length);
1183 /* now dissect the handshake message, if necessary */
1185 case SSL_HND_HELLO_REQUEST:
1186 /* hello_request has no fields, so nothing to do! */
1189 case SSL_HND_CLIENT_HELLO:
1190 dissect_ssl3_hnd_cli_hello(tvb, ssl_hand_tree, offset);
1193 case SSL_HND_SERVER_HELLO:
1194 dissect_ssl3_hnd_srv_hello(tvb, ssl_hand_tree, offset);
1197 case SSL_HND_CERTIFICATE:
1198 dissect_ssl3_hnd_cert(tvb, ssl_hand_tree, offset);
1201 case SSL_HND_CERT_REQUEST:
1202 dissect_ssl3_hnd_cert_req(tvb, ssl_hand_tree, offset);
1205 case SSL_HND_SVR_HELLO_DONE:
1206 /* server_hello_done has no fields, so nothing to do! */
1209 case SSL_HND_FINISHED:
1210 dissect_ssl3_hnd_finished(tvb, ssl_hand_tree,
1211 offset, conv_version);
1214 case SSL_HND_SERVER_KEY_EXCHG:
1215 case SSL_HND_CERT_VERIFY:
1216 case SSL_HND_CLIENT_KEY_EXCHG:
1224 offset += 4; /* skip the handshake header */
1227 first_iteration = FALSE; /* set up for next pass, if any */
1232 dissect_ssl3_hnd_hello_common(tvbuff_t *tvb, proto_tree *tree,
1235 /* show the client's random challenge */
1236 guint32 initial_offset = offset;
1237 nstime_t gmt_unix_time;
1238 guint8 session_id_length = 0;
1243 gmt_unix_time.secs = tvb_get_ntohl(tvb, offset);
1244 gmt_unix_time.nsecs = 0;
1245 proto_tree_add_time(tree, hf_ssl_handshake_random_time,
1246 tvb, offset, 4, &gmt_unix_time);
1249 /* show the random bytes */
1250 proto_tree_add_item(tree, hf_ssl_handshake_random_bytes,
1251 tvb, offset, 28, 0);
1254 /* show the session id */
1255 session_id_length = tvb_get_guint8(tvb, offset);
1256 proto_tree_add_item(tree, hf_ssl_handshake_session_id_len,
1257 tvb, offset++, 1, 0);
1258 if (session_id_length > 0)
1260 proto_tree_add_bytes_format(tree, hf_ssl_handshake_session_id,
1261 tvb, offset, session_id_length,
1262 tvb_get_ptr(tvb, offset, session_id_length),
1263 "Session ID (%u byte%s)",
1265 plurality(session_id_length, "", "s"));
1266 offset += session_id_length;
1270 return offset - initial_offset;
1274 dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb,
1275 proto_tree *tree, guint32 offset)
1278 * ProtocolVersion client_version;
1280 * SessionID session_id;
1281 * CipherSuite cipher_suites<2..2^16-1>;
1282 * CompressionMethod compression_methods<1..2^8-1>;
1287 proto_tree *cs_tree;
1288 guint16 cipher_suite_length = 0;
1289 guint8 compression_methods_length = 0;
1293 /* show the client version */
1294 proto_tree_add_item(tree, hf_ssl_handshake_client_version, tvb,
1298 /* show the fields in common with server hello */
1299 offset += dissect_ssl3_hnd_hello_common(tvb, tree, offset);
1301 /* tell the user how many cipher suites there are */
1302 cipher_suite_length = tvb_get_ntohs(tvb, offset);
1303 proto_tree_add_uint(tree, hf_ssl_handshake_cipher_suites_len,
1304 tvb, offset, 2, cipher_suite_length);
1305 offset += 2; /* skip opaque length */
1307 if (cipher_suite_length > 0)
1309 ti = proto_tree_add_none_format(tree,
1310 hf_ssl_handshake_cipher_suites,
1311 tvb, offset, cipher_suite_length,
1312 "Cipher Suites (%u suite%s)",
1313 cipher_suite_length / 2,
1314 plurality(cipher_suite_length/2, "", "s"));
1316 /* make this a subtree */
1317 cs_tree = proto_item_add_subtree(ti, ett_ssl_cipher_suites);
1320 cs_tree = tree; /* failsafe */
1323 while (cipher_suite_length > 0)
1325 proto_tree_add_item(cs_tree, hf_ssl_handshake_cipher_suite,
1326 tvb, offset, 2, FALSE);
1328 cipher_suite_length -= 2;
1332 /* tell the user how man compression methods there are */
1333 compression_methods_length = tvb_get_guint8(tvb, offset);
1334 proto_tree_add_uint(tree, hf_ssl_handshake_comp_methods_len,
1335 tvb, offset, 1, compression_methods_length);
1338 if (compression_methods_length > 0)
1340 ti = proto_tree_add_none_format(tree,
1341 hf_ssl_handshake_comp_methods,
1342 tvb, offset, compression_methods_length,
1343 "Compression Methods (%u method%s)",
1344 compression_methods_length,
1345 plurality(compression_methods_length,
1348 /* make this a subtree */
1349 cs_tree = proto_item_add_subtree(ti, ett_ssl_comp_methods);
1352 cs_tree = tree; /* failsafe */
1355 while (compression_methods_length > 0)
1357 proto_tree_add_item(cs_tree, hf_ssl_handshake_comp_method,
1358 tvb, offset, 1, FALSE);
1360 compression_methods_length--;
1367 dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb,
1368 proto_tree *tree, guint32 offset)
1371 * ProtocolVersion server_version;
1373 * SessionID session_id;
1374 * CipherSuite cipher_suite;
1375 * CompressionMethod compression_method;
1381 /* show the server version */
1382 proto_tree_add_item(tree, hf_ssl_handshake_server_version, tvb,
1386 /* first display the elements conveniently in
1387 * common with client hello
1389 offset += dissect_ssl3_hnd_hello_common(tvb, tree, offset);
1391 /* now the server-selected cipher suite */
1392 proto_tree_add_item(tree, hf_ssl_handshake_cipher_suite,
1393 tvb, offset, 2, FALSE);
1396 /* and the server-selected compression method */
1397 proto_tree_add_item(tree, hf_ssl_handshake_comp_method,
1398 tvb, offset, 1, FALSE);
1403 dissect_ssl3_hnd_cert(tvbuff_t *tvb,
1404 proto_tree *tree, guint32 offset)
1407 /* opaque ASN.1Cert<2^24-1>;
1410 * ASN.1Cert certificate_list<1..2^24-1>;
1413 guint32 certificate_list_length;
1415 proto_tree *subtree;
1419 certificate_list_length = tvb_get_ntoh24(tvb, offset);
1420 proto_tree_add_uint(tree, hf_ssl_handshake_certificates_len,
1421 tvb, offset, 3, certificate_list_length);
1422 offset += 3; /* 24-bit length value */
1424 if (certificate_list_length > 0)
1426 ti = proto_tree_add_none_format(tree,
1427 hf_ssl_handshake_certificates,
1428 tvb, offset, certificate_list_length,
1429 "Certificates (%u byte%s)",
1430 certificate_list_length,
1431 plurality(certificate_list_length,
1434 /* make it a subtree */
1435 subtree = proto_item_add_subtree(ti, ett_ssl_certs);
1438 subtree = tree; /* failsafe */
1441 /* iterate through each certificate */
1442 while (certificate_list_length > 0)
1444 /* get the length of the current certificate */
1445 guint32 cert_length = tvb_get_ntoh24(tvb, offset);
1446 certificate_list_length -= 3 + cert_length;
1448 proto_tree_add_item(subtree, hf_ssl_handshake_certificate_len,
1449 tvb, offset, 3, FALSE);
1452 proto_tree_add_bytes_format(subtree,
1453 hf_ssl_handshake_certificate,
1454 tvb, offset, cert_length,
1455 tvb_get_ptr(tvb, offset, cert_length),
1456 "Certificate (%u byte%s)",
1458 plurality(cert_length, "", "s"));
1459 offset += cert_length;
1467 dissect_ssl3_hnd_cert_req(tvbuff_t *tvb,
1468 proto_tree *tree, guint32 offset)
1472 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
1474 * } ClientCertificateType;
1476 * opaque DistinguishedName<1..2^16-1>;
1479 * ClientCertificateType certificate_types<1..2^8-1>;
1480 * DistinguishedName certificate_authorities<3..2^16-1>;
1481 * } CertificateRequest;
1485 proto_tree *subtree;
1486 guint8 cert_types_count = 0;
1487 int dnames_length = 0;
1491 cert_types_count = tvb_get_guint8(tvb, offset);
1492 proto_tree_add_uint(tree, hf_ssl_handshake_cert_types_count,
1493 tvb, offset, 1, cert_types_count);
1496 if (cert_types_count > 0)
1498 ti = proto_tree_add_none_format(tree,
1499 hf_ssl_handshake_cert_types,
1500 tvb, offset, cert_types_count,
1501 "Certificate types (%u type%s)",
1503 plurality(cert_types_count, "", "s"));
1504 subtree = proto_item_add_subtree(ti, ett_ssl_cert_types);
1510 while (cert_types_count > 0)
1512 proto_tree_add_item(subtree, hf_ssl_handshake_cert_type,
1513 tvb, offset, 1, FALSE);
1519 dnames_length = tvb_get_ntohs(tvb, offset);
1520 proto_tree_add_uint(tree, hf_ssl_handshake_dnames_len,
1521 tvb, offset, 2, dnames_length);
1524 if (dnames_length > 0)
1526 ti = proto_tree_add_none_format(tree,
1527 hf_ssl_handshake_dnames,
1528 tvb, offset, dnames_length,
1529 "Distinguished Names (%d byte%s)",
1531 plurality(dnames_length, "", "s"));
1532 subtree = proto_item_add_subtree(ti, ett_ssl_dnames);
1538 while (dnames_length > 0)
1540 /* get the length of the current certificate */
1541 guint16 name_length = tvb_get_ntohs(tvb, offset);
1542 dnames_length -= 2 + name_length;
1544 proto_tree_add_item(subtree, hf_ssl_handshake_dname_len,
1545 tvb, offset, 2, FALSE);
1548 proto_tree_add_bytes_format(subtree,
1549 hf_ssl_handshake_dname,
1550 tvb, offset, name_length,
1551 tvb_get_ptr(tvb, offset, name_length),
1552 "Distinguished Name (%u byte%s)",
1554 plurality(name_length, "", "s"));
1555 offset += name_length;
1563 dissect_ssl3_hnd_finished(tvbuff_t *tvb,
1564 proto_tree *tree, guint32 offset,
1565 guint *conv_version)
1569 * opaque verify_data[12];
1574 * opaque md5_hash[16];
1575 * opaque sha_hash[20];
1579 /* this all needs a tree, so bail if we don't have one */
1585 switch(*conv_version) {
1587 proto_tree_add_item(tree, hf_ssl_handshake_finished,
1588 tvb, offset, 12, FALSE);
1592 proto_tree_add_item(tree, hf_ssl_handshake_md5_hash,
1593 tvb, offset, 16, FALSE);
1595 proto_tree_add_item(tree, hf_ssl_handshake_sha_hash,
1596 tvb, offset, 20, FALSE);
1602 /*********************************************************************
1604 * SSL version 2 Dissectors
1606 *********************************************************************/
1609 /* record layer dissector */
1611 dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
1612 guint32 offset, guint *conv_version,
1613 gboolean *need_desegmentation)
1615 guint32 initial_offset = offset;
1617 guint8 record_length_length = 0;
1618 guint32 record_length = 0;
1619 gint is_escape = -1;
1620 gint16 padding_length = -1;
1621 guint8 msg_type = 0;
1622 gchar *msg_type_str = NULL;
1623 guint32 available_bytes = 0;
1626 proto_tree *ssl_record_tree = NULL;
1628 /* pull first byte; if high bit is set, then record
1629 * length is three bytes due to padding; otherwise
1630 * record length is two bytes
1632 byte = tvb_get_guint8(tvb, offset);
1633 record_length_length = (byte & 0x80) ? 2 : 3;
1636 * Can we do reassembly?
1638 available_bytes = tvb_length_remaining(tvb, offset);
1640 if (ssl_desegment && pinfo->can_desegment) {
1642 * Yes - is the record header split across segment boundaries?
1644 if (available_bytes < record_length_length) {
1646 * Yes. Tell the TCP dissector where the data for this
1647 * message starts in the data it handed us, and how many
1648 * more bytes we need, and return.
1650 pinfo->desegment_offset = offset;
1651 pinfo->desegment_len = record_length_length - available_bytes;
1652 *need_desegmentation = TRUE;
1657 /* parse out the record length */
1658 switch(record_length_length) {
1659 case 2: /* two-byte record length */
1660 record_length = (byte & 0x7f) << 8;
1661 byte = tvb_get_guint8(tvb, offset + 1);
1662 record_length += byte;
1664 case 3: /* three-byte record length */
1665 is_escape = (byte & 0x40) ? TRUE : FALSE;
1666 record_length = (byte & 0x3f) << 8;
1667 byte = tvb_get_guint8(tvb, offset + 1);
1668 record_length += byte;
1669 byte = tvb_get_guint8(tvb, offset + 2);
1670 padding_length = byte;
1674 * Can we do reassembly?
1676 if (ssl_desegment && pinfo->can_desegment) {
1678 * Yes - is the record split across segment boundaries?
1680 if (available_bytes < (record_length_length + record_length)) {
1682 * Yes. Tell the TCP dissector where the data for this
1683 * message starts in the data it handed us, and how many
1684 * more bytes we need, and return.
1686 pinfo->desegment_offset = offset;
1687 pinfo->desegment_len = (record_length_length + record_length)
1689 *need_desegmentation = TRUE;
1693 offset += record_length_length;
1695 /* add the record layer subtree header */
1696 ti = proto_tree_add_item(tree, hf_ssl2_record, tvb, initial_offset,
1697 record_length_length + record_length, 0);
1698 ssl_record_tree = proto_item_add_subtree(ti, ett_ssl_record);
1700 /* pull the msg_type so we can bail if it's unknown */
1701 msg_type = tvb_get_guint8(tvb, initial_offset + record_length_length);
1703 /* if we get a server_hello or later handshake in v2, then set
1706 if (*conv_version == SSL_VER_UNKNOWN)
1708 if (ssl_looks_like_valid_pct_handshake(tvb,
1710 record_length_length),
1712 *conv_version = SSL_VER_PCT;
1713 ssl_set_conv_version(pinfo, *conv_version);
1715 else if (msg_type >= 2 && msg_type <= 8)
1717 *conv_version = SSL_VER_SSLv2;
1718 ssl_set_conv_version(pinfo, *conv_version);
1722 /* if we get here, but don't have a version set for the
1723 * conversation, then set a version for just this frame
1724 * (e.g., on a client hello)
1726 if (check_col(pinfo->cinfo, COL_PROTOCOL))
1728 col_set_str(pinfo->cinfo, COL_PROTOCOL,
1729 (*conv_version == SSL_VER_PCT) ? "PCT" : "SSLv2");
1732 /* see if the msg_type is valid; if not the payload is
1733 * probably encrypted, so note that fact and bail
1735 msg_type_str = match_strval(msg_type,
1736 (*conv_version == SSL_VER_PCT)
1737 ? pct_msg_types : ssl_20_msg_types);
1739 || ((*conv_version != SSL_VER_PCT) &&
1740 !ssl_looks_like_valid_v2_handshake(tvb, initial_offset
1741 + record_length_length,
1743 || ((*conv_version == SSL_VER_PCT) &&
1744 !ssl_looks_like_valid_pct_handshake(tvb, initial_offset
1745 + record_length_length,
1748 if (ssl_record_tree)
1750 proto_item_set_text(ssl_record_tree, "%s Record Layer: %s",
1751 (*conv_version == SSL_VER_PCT)
1755 if (check_col(pinfo->cinfo, COL_INFO))
1756 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted Data");
1757 return initial_offset + record_length_length + record_length;
1761 if (check_col(pinfo->cinfo, COL_INFO))
1762 col_append_str(pinfo->cinfo, COL_INFO, msg_type_str);
1764 if (ssl_record_tree)
1766 proto_item_set_text(ssl_record_tree, "%s Record Layer: %s",
1767 (*conv_version == SSL_VER_PCT)
1773 /* We have a valid message type, so move foward, filling in the
1774 * tree by adding the length, is_escape boolean and padding_length,
1775 * if present in the original packet
1777 if (ssl_record_tree)
1779 /* add the record length */
1780 ti = proto_tree_add_uint (ssl_record_tree,
1781 hf_ssl_record_length, tvb,
1782 initial_offset, record_length_length,
1785 if (ssl_record_tree && is_escape != -1)
1787 proto_tree_add_boolean(ssl_record_tree,
1788 hf_ssl2_record_is_escape, tvb,
1789 initial_offset, 1, is_escape);
1791 if (ssl_record_tree && padding_length != -1)
1793 proto_tree_add_uint(ssl_record_tree,
1794 hf_ssl2_record_padding_length, tvb,
1795 initial_offset + 2, 1, padding_length);
1799 * dissect the record data
1802 /* jump forward to the start of the record data */
1803 offset = initial_offset + record_length_length;
1805 /* add the message type */
1806 if (ssl_record_tree)
1808 proto_tree_add_item(ssl_record_tree,
1809 (*conv_version == SSL_VER_PCT)
1810 ? hf_pct_msg_type : hf_ssl2_msg_type,
1813 offset++; /* move past msg_type byte */
1815 if (*conv_version != SSL_VER_PCT)
1817 /* dissect the message (only handle client hello right now) */
1819 case SSL2_HND_CLIENT_HELLO:
1820 dissect_ssl2_hnd_client_hello(tvb, ssl_record_tree, offset);
1823 case SSL2_HND_CLIENT_MASTER_KEY:
1824 dissect_ssl2_hnd_client_master_key(tvb, ssl_record_tree, offset);
1827 case SSL2_HND_SERVER_HELLO:
1828 dissect_ssl2_hnd_server_hello(tvb, ssl_record_tree, offset);
1831 case SSL2_HND_ERROR:
1832 case SSL2_HND_CLIENT_FINISHED:
1833 case SSL2_HND_SERVER_VERIFY:
1834 case SSL2_HND_SERVER_FINISHED:
1835 case SSL2_HND_REQUEST_CERTIFICATE:
1836 case SSL2_HND_CLIENT_CERTIFICATE:
1840 default: /* unknown */
1846 /* dissect the message */
1848 case PCT_MSG_CLIENT_HELLO:
1849 case PCT_MSG_SERVER_HELLO:
1850 case PCT_MSG_CLIENT_MASTER_KEY:
1851 case PCT_MSG_SERVER_VERIFY:
1856 default: /* unknown */
1860 return (initial_offset + record_length_length + record_length);
1864 dissect_ssl2_hnd_client_hello(tvbuff_t *tvb,
1865 proto_tree *tree, guint32 offset)
1870 * uint16 cipher_spec_length;
1871 * uint16 session_id_length;
1872 * uint16 challenge_length;
1873 * V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length];
1874 * opaque session_id[V2ClientHello.session_id_length];
1878 * Note: when we get here, offset's already pointing at Version
1882 guint16 cipher_spec_length;
1883 guint16 session_id_length;
1884 guint16 challenge_length;
1887 proto_tree *cs_tree;
1889 version = tvb_get_ntohs(tvb, offset);
1890 if (!ssl_is_valid_ssl_version(version))
1892 /* invalid version; probably encrypted data */
1898 /* show the version */
1899 proto_tree_add_item(tree, hf_ssl_record_version, tvb,
1903 cipher_spec_length = tvb_get_ntohs(tvb, offset);
1904 proto_tree_add_item(tree, hf_ssl2_handshake_cipher_spec_len,
1905 tvb, offset, 2, FALSE);
1908 session_id_length = tvb_get_ntohs(tvb, offset);
1909 proto_tree_add_item(tree, hf_ssl2_handshake_session_id_len,
1910 tvb, offset, 2, FALSE);
1913 challenge_length = tvb_get_ntohs(tvb, offset);
1914 proto_tree_add_item(tree, hf_ssl2_handshake_challenge_len,
1915 tvb, offset, 2, FALSE);
1918 /* tell the user how many cipher specs they've won */
1919 ti = proto_tree_add_none_format(tree, hf_ssl_handshake_cipher_suites,
1920 tvb, offset, cipher_spec_length,
1921 "Cipher Specs (%u specs)",
1922 cipher_spec_length/3);
1924 /* make this a subtree and expand the actual specs below */
1925 cs_tree = proto_item_add_subtree(ti, ett_ssl_cipher_suites);
1928 cs_tree = tree; /* failsafe */
1931 /* iterate through the cipher specs, showing them */
1932 while (cipher_spec_length > 0)
1934 proto_tree_add_item(cs_tree, hf_ssl2_handshake_cipher_spec,
1935 tvb, offset, 3, FALSE);
1936 offset += 3; /* length of one cipher spec */
1937 cipher_spec_length -= 3;
1940 /* if there's a session id, show it */
1941 if (session_id_length > 0)
1943 proto_tree_add_bytes_format(tree,
1944 hf_ssl_handshake_session_id,
1945 tvb, offset, session_id_length,
1946 tvb_get_ptr(tvb, offset, session_id_length),
1947 "Session ID (%u byte%s)",
1949 plurality(session_id_length, "", "s"));
1951 offset += session_id_length;
1954 /* if there's a challenge, show it */
1955 if (challenge_length > 0)
1957 proto_tree_add_item(tree, hf_ssl2_handshake_challenge,
1958 tvb, offset, challenge_length, 0);
1959 offset += challenge_length;
1965 dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb,
1966 proto_tree *tree, guint32 offset)
1970 * V2Cipherspec cipher;
1971 * uint16 clear_key_length;
1972 * uint16 encrypted_key_length;
1973 * uint16 key_arg_length;
1974 * opaque clear_key_data[V2ClientMasterKey.clear_key_length];
1975 * opaque encrypted_key_data[V2ClientMasterKey.encrypted_key_length];
1976 * opaque key_arg_data[V2ClientMasterKey.key_arg_length];
1977 * } V2ClientMasterKey;
1979 * Note: when we get here, offset's already pointing at cipher
1981 guint16 clear_key_length;
1982 guint16 encrypted_key_length;
1983 guint16 key_arg_length;
1985 /* at this point, everything we do involves the tree,
1986 * so quit now if we don't have one ;-)
1993 /* show the selected cipher */
1994 proto_tree_add_item(tree, hf_ssl2_handshake_cipher_spec,
1995 tvb, offset, 3, FALSE);
1998 /* get the fixed fields */
1999 clear_key_length = tvb_get_ntohs(tvb, offset);
2000 proto_tree_add_item(tree, hf_ssl2_handshake_clear_key_len,
2001 tvb, offset, 2, FALSE);
2004 encrypted_key_length = tvb_get_ntohs(tvb, offset);
2005 proto_tree_add_item(tree, hf_ssl2_handshake_enc_key_len,
2006 tvb, offset, 2, FALSE);
2009 key_arg_length = tvb_get_ntohs(tvb, offset);
2010 proto_tree_add_item(tree, hf_ssl2_handshake_key_arg_len,
2011 tvb, offset, 2, FALSE);
2014 /* show the variable length fields */
2015 if (clear_key_length > 0)
2017 proto_tree_add_item(tree, hf_ssl2_handshake_clear_key,
2018 tvb, offset, clear_key_length, FALSE);
2019 offset += clear_key_length;
2022 if (encrypted_key_length > 0)
2024 proto_tree_add_item(tree, hf_ssl2_handshake_enc_key,
2025 tvb, offset, encrypted_key_length, FALSE);
2026 offset += encrypted_key_length;
2029 if (key_arg_length > 0)
2031 proto_tree_add_item(tree, hf_ssl2_handshake_key_arg,
2032 tvb, offset, key_arg_length, FALSE);
2033 offset += key_arg_length;
2039 dissect_ssl2_hnd_server_hello(tvbuff_t *tvb,
2040 proto_tree *tree, guint32 offset)
2044 * uint8 session_id_hit;
2045 * uint8 certificate_type;
2046 * uint16 server_version;
2047 * uint16 certificate_length;
2048 * uint16 cipher_specs_length;
2049 * uint16 connection_id_length;
2050 * opaque certificate_data[V2ServerHello.certificate_length];
2051 * opaque cipher_specs_data[V2ServerHello.cipher_specs_length];
2052 * opaque connection_id_data[V2ServerHello.connection_id_length];
2055 * Note: when we get here, offset's already pointing at session_id_hit
2057 guint16 certificate_length;
2058 guint16 cipher_spec_length;
2059 guint16 connection_id_length;
2062 proto_tree *subtree;
2064 /* everything we do only makes sense with a tree, so
2065 * quit now if we don't have one
2072 version = tvb_get_ntohs(tvb, offset + 2);
2073 if (!ssl_is_valid_ssl_version(version))
2075 /* invalid version; probably encrypted data */
2080 /* is there a hit? */
2081 proto_tree_add_item(tree, hf_ssl2_handshake_session_id_hit,
2082 tvb, offset, 1, FALSE);
2085 /* what type of certificate is this? */
2086 proto_tree_add_item(tree, hf_ssl2_handshake_cert_type,
2087 tvb, offset, 1, FALSE);
2090 /* now the server version */
2091 proto_tree_add_item(tree, hf_ssl_handshake_server_version,
2092 tvb, offset, 2, FALSE);
2095 /* get the fixed fields */
2096 certificate_length = tvb_get_ntohs(tvb, offset);
2097 proto_tree_add_uint(tree, hf_ssl_handshake_certificate_len,
2098 tvb, offset, 2, certificate_length);
2101 cipher_spec_length = tvb_get_ntohs(tvb, offset);
2102 proto_tree_add_uint(tree, hf_ssl2_handshake_cipher_spec_len,
2103 tvb, offset, 2, cipher_spec_length);
2106 connection_id_length = tvb_get_ntohs(tvb, offset);
2107 proto_tree_add_uint(tree, hf_ssl2_handshake_connection_id_len,
2108 tvb, offset, 2, connection_id_length);
2111 /* now the variable length fields */
2112 if (certificate_length > 0)
2114 proto_tree_add_bytes_format(tree, hf_ssl_handshake_certificate,
2115 tvb, offset, certificate_length,
2116 tvb_get_ptr(tvb, offset, certificate_length),
2117 "Certificate (%u byte%s)",
2119 plurality(certificate_length, "", "s"));
2120 offset += certificate_length;
2123 if (cipher_spec_length > 0)
2125 /* provide a collapsing node for the cipher specs */
2126 ti = proto_tree_add_none_format(tree,
2127 hf_ssl_handshake_cipher_suites,
2128 tvb, offset, cipher_spec_length,
2129 "Cipher Specs (%u spec%s)",
2130 cipher_spec_length/3,
2131 plurality(cipher_spec_length/3, "", "s"));
2132 subtree = proto_item_add_subtree(ti, ett_ssl_cipher_suites);
2138 /* iterate through the cipher specs */
2139 while (cipher_spec_length > 0)
2141 proto_tree_add_item(subtree, hf_ssl2_handshake_cipher_spec,
2142 tvb, offset, 3, FALSE);
2144 cipher_spec_length -= 3;
2148 if (connection_id_length > 0)
2150 proto_tree_add_item(tree, hf_ssl2_handshake_connection_id,
2151 tvb, offset, connection_id_length, FALSE);
2152 offset += connection_id_length;
2160 /*********************************************************************
2164 *********************************************************************/
2167 ssl_set_conv_version(packet_info *pinfo, guint version)
2169 conversation_t *conversation;
2171 if (pinfo->fd->flags.visited)
2173 /* We've already processed this frame; no need to do any more
2179 conversation = find_conversation(&pinfo->src, &pinfo->dst, pinfo->ptype,
2180 pinfo->srcport, pinfo->destport, 0);
2182 if (conversation == NULL)
2184 /* create a new conversation */
2185 conversation = conversation_new(&pinfo->src, &pinfo->dst, pinfo->ptype,
2186 pinfo->srcport, pinfo->destport, 0);
2189 if (conversation_get_proto_data(conversation, proto_ssl) != NULL)
2191 /* get rid of the current data */
2192 conversation_delete_proto_data(conversation, proto_ssl);
2194 conversation_add_proto_data(conversation, proto_ssl, (void *)version);
2198 ssl_is_valid_handshake_type(guint8 type)
2202 case SSL_HND_HELLO_REQUEST:
2203 case SSL_HND_CLIENT_HELLO:
2204 case SSL_HND_SERVER_HELLO:
2205 case SSL_HND_CERTIFICATE:
2206 case SSL_HND_SERVER_KEY_EXCHG:
2207 case SSL_HND_CERT_REQUEST:
2208 case SSL_HND_SVR_HELLO_DONE:
2209 case SSL_HND_CERT_VERIFY:
2210 case SSL_HND_CLIENT_KEY_EXCHG:
2211 case SSL_HND_FINISHED:
2218 ssl_is_valid_content_type(guint8 type)
2220 if (type >= 0x14 && type <= 0x17)
2229 ssl_is_valid_ssl_version(guint16 version)
2231 gchar *version_str = match_strval(version, ssl_versions);
2232 return version_str != NULL;
2236 ssl_is_authoritative_version_message(guint8 content_type,
2239 if (content_type == SSL_ID_HANDSHAKE
2240 && ssl_is_valid_handshake_type(next_byte))
2242 return (next_byte != SSL_HND_CLIENT_HELLO);
2244 else if (ssl_is_valid_content_type(content_type)
2245 && content_type != SSL_ID_HANDSHAKE)
2253 ssl_is_v2_client_hello(tvbuff_t *tvb, guint32 offset)
2257 byte = tvb_get_guint8(tvb, offset);
2258 if (byte != 0x80) /* v2 client hello should start this way */
2263 byte = tvb_get_guint8(tvb, offset+2);
2264 if (byte != 0x01) /* v2 client hello msg type */
2269 /* 1 in 2^16 of being right; improve later if necessary */
2273 /* this applies a heuristic to determine whether
2274 * or not the data beginning at offset looks like a
2275 * valid sslv2 record. this isn't really possible,
2276 * but we'll try to do a reasonable job anyway.
2279 ssl_looks_like_sslv2(tvbuff_t *tvb, guint32 offset)
2281 /* here's the current approach:
2283 * we only try to catch unencrypted handshake messages, so we can
2284 * assume that there is not padding. This means that the
2285 * first byte must be >= 0x80 and there must be a valid sslv2
2286 * msg_type in the third byte
2289 /* get the first byte; must have high bit set */
2290 guint8 byte = tvb_get_guint8(tvb, offset);
2296 /* get the supposed msg_type byte; since we only care about
2297 * unencrypted handshake messages (we can't tell the type for
2298 * encrypted messages), we just check against that list
2300 byte = tvb_get_guint8(tvb, offset + 2);
2302 case SSL2_HND_ERROR:
2303 case SSL2_HND_CLIENT_HELLO:
2304 case SSL2_HND_CLIENT_MASTER_KEY:
2305 case SSL2_HND_SERVER_HELLO:
2306 case PCT_MSG_CLIENT_MASTER_KEY:
2313 /* this applies a heuristic to determine whether
2314 * or not the data beginning at offset looks like a
2315 * valid sslv3 record. this is somewhat more reliable
2316 * than sslv2 due to the structure of the v3 protocol
2319 ssl_looks_like_sslv3(tvbuff_t *tvb, guint32 offset)
2321 /* have to have a valid content type followed by a valid
2327 /* see if the first byte is a valid content type */
2328 byte = tvb_get_guint8(tvb, offset);
2329 if (!ssl_is_valid_content_type(byte))
2334 /* now check to see if the version byte appears valid */
2335 version = tvb_get_ntohs(tvb, offset + 1);
2336 if (version != 0x0300 && version != 0x0301)
2344 /* applies a heuristic to determine whether
2345 * or not the data beginning at offset looks
2346 * like a valid, unencrypted v2 handshake message.
2347 * since it isn't possible to completely tell random
2348 * data apart from a valid message without state,
2349 * we try to help the odds.
2352 ssl_looks_like_valid_v2_handshake(tvbuff_t *tvb, guint32 offset,
2353 guint32 record_length)
2355 /* first byte should be a msg_type.
2357 * - we know we only see client_hello, client_master_key,
2358 * and server_hello in the clear, so check to see if
2359 * msg_type is one of those (this gives us a 3 in 2^8
2360 * chance of saying yes with random payload)
2362 * - for those three types that we know about, do some
2363 * further validation to reduce the chance of an error
2369 /* fetch the msg_type */
2370 msg_type = tvb_get_guint8(tvb, offset);
2373 case SSL2_HND_CLIENT_HELLO:
2374 /* version follows msg byte, so verify that this is valid */
2375 version = tvb_get_ntohs(tvb, offset+1);
2376 return ssl_is_valid_ssl_version(version);
2379 case SSL2_HND_SERVER_HELLO:
2380 /* version is three bytes after msg_type */
2381 version = tvb_get_ntohs(tvb, offset+3);
2382 return ssl_is_valid_ssl_version(version);
2385 case SSL2_HND_CLIENT_MASTER_KEY:
2386 /* sum of clear_key_length, encrypted_key_length, and key_arg_length
2387 * must be less than record length
2389 sum = tvb_get_ntohs(tvb, offset + 4); /* clear_key_length */
2390 sum += tvb_get_ntohs(tvb, offset + 6); /* encrypted_key_length */
2391 sum += tvb_get_ntohs(tvb, offset + 8); /* key_arg_length */
2392 if (sum > record_length)
2405 /* applies a heuristic to determine whether
2406 * or not the data beginning at offset looks
2407 * like a valid, unencrypted v2 handshake message.
2408 * since it isn't possible to completely tell random
2409 * data apart from a valid message without state,
2410 * we try to help the odds.
2413 ssl_looks_like_valid_pct_handshake(tvbuff_t *tvb, guint32 offset,
2414 guint32 record_length)
2416 /* first byte should be a msg_type.
2418 * - we know we only see client_hello, client_master_key,
2419 * and server_hello in the clear, so check to see if
2420 * msg_type is one of those (this gives us a 3 in 2^8
2421 * chance of saying yes with random payload)
2423 * - for those three types that we know about, do some
2424 * further validation to reduce the chance of an error
2430 /* fetch the msg_type */
2431 msg_type = tvb_get_guint8(tvb, offset);
2434 case PCT_MSG_CLIENT_HELLO:
2435 /* version follows msg byte, so verify that this is valid */
2436 version = tvb_get_ntohs(tvb, offset+1);
2437 return version == PCT_VERSION_1;
2440 case PCT_MSG_SERVER_HELLO:
2441 /* version is one byte after msg_type */
2442 version = tvb_get_ntohs(tvb, offset+2);
2443 return version == PCT_VERSION_1;
2446 case PCT_MSG_CLIENT_MASTER_KEY:
2447 /* sum of various length fields must be less than record length */
2448 sum = tvb_get_ntohs(tvb, offset + 6); /* clear_key_length */
2449 sum += tvb_get_ntohs(tvb, offset + 8); /* encrypted_key_length */
2450 sum += tvb_get_ntohs(tvb, offset + 10); /* key_arg_length */
2451 sum += tvb_get_ntohs(tvb, offset + 12); /* verify_prelude_length */
2452 sum += tvb_get_ntohs(tvb, offset + 14); /* client_cert_length */
2453 sum += tvb_get_ntohs(tvb, offset + 16); /* response_length */
2454 if (sum > record_length)
2461 case PCT_MSG_SERVER_VERIFY:
2462 /* record is 36 bytes longer than response_length */
2463 sum = tvb_get_ntohs(tvb, offset + 34); /* response_length */
2464 if ((sum + 36) == record_length)
2477 /*********************************************************************
2479 * Standard Ethereal Protocol Registration and housekeeping
2481 *********************************************************************/
2483 proto_register_ssl(void)
2486 /* Setup list of header fields See Section 1.6.1 for details*/
2487 static hf_register_info hf[] = {
2489 { "Record Layer", "ssl.record",
2490 FT_NONE, BASE_NONE, NULL, 0x0,
2491 "Record layer", HFILL }
2493 { &hf_ssl_record_content_type,
2494 { "Content Type", "ssl.record.content_type",
2495 FT_UINT8, BASE_DEC, VALS(ssl_31_content_type), 0x0,
2496 "Content type", HFILL}
2498 { &hf_ssl2_msg_type,
2499 { "Handshake Message Type", "ssl.handshake.type",
2500 FT_UINT8, BASE_DEC, VALS(ssl_20_msg_types), 0x0,
2501 "SSLv2 handshake message type", HFILL}
2504 { "Handshake Message Type", "ssl.pct_handshake.type",
2505 FT_UINT8, BASE_DEC, VALS(pct_msg_types), 0x0,
2506 "PCT handshake message type", HFILL}
2508 { &hf_ssl_record_version,
2509 { "Version", "ssl.record.version",
2510 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2511 "Record layer version.", HFILL }
2513 { &hf_ssl_record_length,
2514 { "Length", "ssl.record.length",
2515 FT_UINT16, BASE_DEC, NULL, 0x0,
2516 "Length of SSL record data", HFILL }
2518 { &hf_ssl_record_appdata,
2519 { "Application Data", "ssl.app_data",
2520 FT_NONE, BASE_NONE, NULL, 0x0,
2521 "Payload is application data", HFILL }
2524 { "SSLv2/PCT Record Header", "ssl.record",
2525 FT_NONE, BASE_DEC, NULL, 0x0,
2526 "SSLv2/PCT record data", HFILL }
2528 { &hf_ssl2_record_is_escape,
2529 { "Is Escape", "ssl.record.is_escape",
2530 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2531 "Indicates a security escape", HFILL}
2533 { &hf_ssl2_record_padding_length,
2534 { "Padding Length", "ssl.record.padding_length",
2535 FT_UINT8, BASE_DEC, NULL, 0x0,
2536 "Length of padding at end of record", HFILL }
2538 { &hf_ssl_change_cipher_spec,
2539 { "Change Cipher Spec Message", "ssl.change_cipher_spec",
2540 FT_NONE, BASE_NONE, NULL, 0x0,
2541 "Signals a change in cipher specifications", HFILL }
2543 { & hf_ssl_alert_message,
2544 { "Alert Message", "ssl.alert_message",
2545 FT_NONE, BASE_NONE, NULL, 0x0,
2546 "Alert message", HFILL }
2548 { & hf_ssl_alert_message_level,
2549 { "Level", "ssl.alert_message.level",
2550 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_level), 0x0,
2551 "Alert message level", HFILL }
2553 { &hf_ssl_alert_message_description,
2554 { "Description", "ssl.alert_message.desc",
2555 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_description), 0x0,
2556 "Alert message description", HFILL }
2558 { &hf_ssl_handshake_protocol,
2559 { "Handshake Protocol", "ssl.handshake",
2560 FT_NONE, BASE_NONE, NULL, 0x0,
2561 "Handshake protocol message", HFILL}
2563 { &hf_ssl_handshake_type,
2564 { "Handshake Type", "ssl.handshake.type",
2565 FT_UINT8, BASE_DEC, VALS(ssl_31_handshake_type), 0x0,
2566 "Type of handshake message", HFILL}
2568 { &hf_ssl_handshake_length,
2569 { "Length", "ssl.handshake.length",
2570 FT_UINT24, BASE_DEC, NULL, 0x0,
2571 "Length of handshake message", HFILL }
2573 { &hf_ssl_handshake_client_version,
2574 { "Version", "ssl.handshake.version",
2575 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2576 "Maximum version supported by client", HFILL }
2578 { &hf_ssl_handshake_server_version,
2579 { "Version", "ssl.handshake.version",
2580 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2581 "Version selected by server", HFILL }
2583 { &hf_ssl_handshake_random_time,
2584 { "Random.gmt_unix_time", "ssl.handshake.random_time",
2585 FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0x0,
2586 "Unix time field of random structure", HFILL }
2588 { &hf_ssl_handshake_random_bytes,
2589 { "Random.bytes", "ssl.handshake.random",
2590 FT_NONE, BASE_NONE, NULL, 0x0,
2591 "Random challenge used to authenticate server", HFILL }
2593 { &hf_ssl_handshake_cipher_suites_len,
2594 { "Cipher Suites Length", "ssl.handshake.cipher_suites_length",
2595 FT_UINT16, BASE_DEC, NULL, 0x0,
2596 "Length of cipher suites field", HFILL }
2598 { &hf_ssl_handshake_cipher_suites,
2599 { "Cipher Suites", "ssl.handshake.ciphersuites",
2600 FT_NONE, BASE_NONE, NULL, 0x0,
2601 "List of cipher suites supported by client", HFILL }
2603 { &hf_ssl_handshake_cipher_suite,
2604 { "Cipher Suite", "ssl.handshake.ciphersuite",
2605 FT_UINT16, BASE_HEX, VALS(ssl_31_ciphersuite), 0x0,
2606 "Cipher suite", HFILL }
2608 { &hf_ssl2_handshake_cipher_spec,
2609 { "Cipher Spec", "ssl.handshake.cipherspec",
2610 FT_UINT24, BASE_HEX, VALS(ssl_20_cipher_suites), 0x0,
2611 "Cipher specification", HFILL }
2613 { &hf_ssl_handshake_session_id,
2614 { "Session ID", "ssl.handshake.session_id",
2615 FT_BYTES, BASE_NONE, NULL, 0x0,
2616 "Identifies the SSL session, allowing later resumption", HFILL }
2618 { &hf_ssl_handshake_comp_methods_len,
2619 { "Compression Methods Length", "ssl.handshake.comp_methods_length",
2620 FT_UINT8, BASE_DEC, NULL, 0x0,
2621 "Length of compression methods field", HFILL }
2623 { &hf_ssl_handshake_comp_methods,
2624 { "Compression Methods", "ssl.handshake.comp_methods",
2625 FT_NONE, BASE_NONE, NULL, 0x0,
2626 "List of compression methods supported by client", HFILL }
2628 { &hf_ssl_handshake_comp_method,
2629 { "Compression Method", "ssl.handshake.comp_method",
2630 FT_UINT8, BASE_DEC, VALS(ssl_31_compression_method), 0x0,
2631 "Compression Method", HFILL }
2633 { &hf_ssl_handshake_certificates_len,
2634 { "Certificates Length", "ssl.handshake.certificates_length",
2635 FT_UINT24, BASE_DEC, NULL, 0x0,
2636 "Length of certificates field", HFILL }
2638 { &hf_ssl_handshake_certificates,
2639 { "Certificates", "ssl.handshake.certificates",
2640 FT_NONE, BASE_NONE, NULL, 0x0,
2641 "List of certificates", HFILL }
2643 { &hf_ssl_handshake_certificate,
2644 { "Certificate", "ssl.handshake.certificate",
2645 FT_BYTES, BASE_NONE, NULL, 0x0,
2646 "Certificate", HFILL }
2648 { &hf_ssl_handshake_certificate_len,
2649 { "Certificate Length", "ssl.handshake.certificate_length",
2650 FT_UINT24, BASE_DEC, NULL, 0x0,
2651 "Length of certificate", HFILL }
2653 { &hf_ssl_handshake_cert_types_count,
2654 { "Certificate types count", "ssl.handshake.cert_types_count",
2655 FT_UINT8, BASE_DEC, NULL, 0x0,
2656 "Count of certificate types", HFILL }
2658 { &hf_ssl_handshake_cert_types,
2659 { "Certificate types", "ssl.handshake.cert_types",
2660 FT_NONE, BASE_NONE, NULL, 0x0,
2661 "List of certificate types", HFILL }
2663 { &hf_ssl_handshake_cert_type,
2664 { "Certificate type", "ssl.handshake.cert_type",
2665 FT_UINT8, BASE_DEC, VALS(ssl_31_client_certificate_type), 0x0,
2666 "Certificate type", HFILL }
2668 { &hf_ssl_handshake_finished,
2669 { "Verify Data", "ssl.handshake.verify_data",
2670 FT_NONE, BASE_NONE, NULL, 0x0,
2671 "Opaque verification data", HFILL }
2673 { &hf_ssl_handshake_md5_hash,
2674 { "MD5 Hash", "ssl.handshake.md5_hash",
2675 FT_NONE, BASE_NONE, NULL, 0x0,
2676 "Hash of messages, master_secret, etc.", HFILL }
2678 { &hf_ssl_handshake_sha_hash,
2679 { "SHA-1 Hash", "ssl.handshake.sha_hash",
2680 FT_NONE, BASE_NONE, NULL, 0x0,
2681 "Hash of messages, master_secret, etc.", HFILL }
2683 { &hf_ssl_handshake_session_id_len,
2684 { "Session ID Length", "ssl.handshake.session_id_length",
2685 FT_UINT8, BASE_DEC, NULL, 0x0,
2686 "Length of session ID field", HFILL }
2688 { &hf_ssl_handshake_dnames_len,
2689 { "Distinguished Names Length", "ssl.handshake.dnames_len",
2690 FT_UINT16, BASE_DEC, NULL, 0x0,
2691 "Length of list of CAs that server trusts", HFILL }
2693 { &hf_ssl_handshake_dnames,
2694 { "Distinguished Names", "ssl.handshake.dnames",
2695 FT_NONE, BASE_NONE, NULL, 0x0,
2696 "List of CAs that server trusts", HFILL }
2698 { &hf_ssl_handshake_dname_len,
2699 { "Distinguished Name Length", "ssl.handshake.dname_len",
2700 FT_UINT16, BASE_DEC, NULL, 0x0,
2701 "Length of distinguished name", HFILL }
2703 { &hf_ssl_handshake_dname,
2704 { "Distinguished Name", "ssl.handshake.dname",
2705 FT_BYTES, BASE_NONE, NULL, 0x0,
2706 "Distinguished name of a CA that server trusts", HFILL }
2708 { &hf_ssl2_handshake_challenge,
2709 { "Challenge", "ssl.handshake.challenge",
2710 FT_NONE, BASE_NONE, NULL, 0x0,
2711 "Challenge data used to authenticate server", HFILL }
2713 { &hf_ssl2_handshake_cipher_spec_len,
2714 { "Cipher Spec Length", "ssl.handshake.cipher_spec_len",
2715 FT_UINT16, BASE_DEC, NULL, 0x0,
2716 "Length of cipher specs field", HFILL }
2718 { &hf_ssl2_handshake_session_id_len,
2719 { "Session ID Length", "ssl.handshake.session_id_length",
2720 FT_UINT16, BASE_DEC, NULL, 0x0,
2721 "Length of session ID field", HFILL }
2723 { &hf_ssl2_handshake_challenge_len,
2724 { "Challenge Length", "ssl.handshake.challenge_length",
2725 FT_UINT16, BASE_DEC, NULL, 0x0,
2726 "Length of challenge field", HFILL }
2728 { &hf_ssl2_handshake_clear_key_len,
2729 { "Clear Key Data Length", "ssl.handshake.clear_key_length",
2730 FT_UINT16, BASE_DEC, NULL, 0x0,
2731 "Length of clear key data", HFILL }
2733 { &hf_ssl2_handshake_enc_key_len,
2734 { "Encrypted Key Data Length", "ssl.handshake.encrypted_key_length",
2735 FT_UINT16, BASE_DEC, NULL, 0x0,
2736 "Length of encrypted key data", HFILL }
2738 { &hf_ssl2_handshake_key_arg_len,
2739 { "Key Argument Length", "ssl.handshake.key_arg_length",
2740 FT_UINT16, BASE_DEC, NULL, 0x0,
2741 "Length of key argument", HFILL }
2743 { &hf_ssl2_handshake_clear_key,
2744 { "Clear Key Data", "ssl.handshake.clear_key_data",
2745 FT_NONE, BASE_NONE, NULL, 0x0,
2746 "Clear portion of MASTER-KEY", HFILL }
2748 { &hf_ssl2_handshake_enc_key,
2749 { "Encrypted Key", "ssl.handshake.encrypted_key",
2750 FT_NONE, BASE_NONE, NULL, 0x0,
2751 "Secret portion of MASTER-KEY encrypted to server", HFILL }
2753 { &hf_ssl2_handshake_key_arg,
2754 { "Key Argument", "ssl.handshake.key_arg",
2755 FT_NONE, BASE_NONE, NULL, 0x0,
2756 "Key Argument (e.g., Initialization Vector)", HFILL }
2758 { &hf_ssl2_handshake_session_id_hit,
2759 { "Session ID Hit", "ssl.handshake.session_id_hit",
2760 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2761 "Did the server find the client's Session ID?", HFILL }
2763 { &hf_ssl2_handshake_cert_type,
2764 { "Certificate Type", "ssl.handshake.cert_type",
2765 FT_UINT8, BASE_DEC, VALS(ssl_20_certificate_type), 0x0,
2766 "Certificate Type", HFILL }
2768 { &hf_ssl2_handshake_connection_id_len,
2769 { "Connection ID Length", "ssl.handshake.connection_id_length",
2770 FT_UINT16, BASE_DEC, NULL, 0x0,
2771 "Length of connection ID", HFILL }
2773 { &hf_ssl2_handshake_connection_id,
2774 { "Connection ID", "ssl.handshake.connection_id",
2775 FT_NONE, BASE_NONE, NULL, 0x0,
2776 "Server's challenge to client", HFILL }
2780 /* Setup protocol subtree array */
2781 static gint *ett[] = {
2786 &ett_ssl_cipher_suites,
2787 &ett_ssl_comp_methods,
2789 &ett_ssl_cert_types,
2793 /* Register the protocol name and description */
2794 proto_ssl = proto_register_protocol("Secure Socket Layer",
2797 /* Required function calls to register the header fields and
2799 proto_register_field_array(proto_ssl, hf, array_length(hf));
2800 proto_register_subtree_array(ett, array_length(ett));
2803 module_t *ssl_module = prefs_register_protocol(proto_ssl, NULL);
2804 prefs_register_bool_preference(ssl_module,
2805 "desegment_ssl_records",
2806 "Desegment SSL records",
2807 "When enabled, SSL records that span multiple TCP segments are desegmented",
2811 register_dissector("ssl", dissect_ssl, proto_ssl);
2815 /* If this dissector uses sub-dissector registration add a registration
2816 * routine. This format is required because a script is used to find
2817 * these routines and create the code that calls these routines.
2820 proto_reg_handoff_ssl(void)
2822 dissector_handle_t ssl_handle;
2824 ssl_handle = find_dissector("ssl");
2825 dissector_add("tcp.port", TCP_PORT_SSL, ssl_handle);
2826 dissector_add("tcp.port", TCP_PORT_SSL_LDAP, ssl_handle);
2827 dissector_add("tcp.port", TCP_PORT_SSL_IMAP, ssl_handle);
2828 dissector_add("tcp.port", TCP_PORT_SSL_POP, ssl_handle);