2 * Routines for ssl dissection
3 * Copyright (c) 2000-2001, Scott Renfro <scott@renfro.org>
5 * $Id: packet-ssl.c,v 1.27 2003/07/19 07:06:01 guy Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@ethereal.com>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 * http://www.netscape.com/eng/security/SSL_2.html
33 * http://www.netscape.com/eng/ssl3/
37 * See RFC 2246 for SSL 3.1/TLS 1.0 specs.
41 * - Uses conversations in a no-malloc fashion. Since we just want to
42 * remember the version of the conversation, we store the version
43 * integer directly in the void *data member of the conversation
44 * structure. This means that we don't have to manage any memory,
45 * but will cause problems if anyone assumes that all data pointers
46 * are actually pointers to memory allocated by g_mem_chunk_alloc.
48 * - Does not support decryption of encrypted frames, nor dissection
49 * of frames that would require state maintained between frames
50 * (e.g., single ssl records spread across multiple tcp frames)
52 * - Identifies, but does not fully dissect the following messages:
54 * - SSLv3/TLS (These need more state from previous handshake msgs)
55 * - Server Key Exchange
56 * - Client Key Exchange
57 * - Certificate Verify
59 * - SSLv2 (These don't appear in the clear)
64 * - Request Certificate
65 * - Client Certificate
79 #include <epan/conversation.h>
82 static gboolean ssl_desegment = TRUE;
85 /*********************************************************************
87 * Protocol Constants, Variables, Data Structures
89 *********************************************************************/
91 /* Initialize the protocol and registered fields */
92 static int proto_ssl = -1;
93 static int hf_ssl_record = -1;
94 static int hf_ssl_record_content_type = -1;
95 static int hf_ssl_record_version = -1;
96 static int hf_ssl_record_length = -1;
97 static int hf_ssl_record_appdata = -1;
98 static int hf_ssl2_record = -1;
99 static int hf_ssl2_record_is_escape = -1;
100 static int hf_ssl2_record_padding_length = -1;
101 static int hf_ssl2_msg_type = -1;
102 static int hf_pct_msg_type = -1;
103 static int hf_ssl_change_cipher_spec = -1;
104 static int hf_ssl_alert_message = -1;
105 static int hf_ssl_alert_message_level = -1;
106 static int hf_ssl_alert_message_description = -1;
107 static int hf_ssl_handshake_protocol = -1;
108 static int hf_ssl_handshake_type = -1;
109 static int hf_ssl_handshake_length = -1;
110 static int hf_ssl_handshake_client_version = -1;
111 static int hf_ssl_handshake_server_version = -1;
112 static int hf_ssl_handshake_random_time = -1;
113 static int hf_ssl_handshake_random_bytes = -1;
114 static int hf_ssl_handshake_cipher_suites_len = -1;
115 static int hf_ssl_handshake_cipher_suites = -1;
116 static int hf_ssl_handshake_cipher_suite = -1;
117 static int hf_ssl_handshake_session_id = -1;
118 static int hf_ssl_handshake_comp_methods_len = -1;
119 static int hf_ssl_handshake_comp_methods = -1;
120 static int hf_ssl_handshake_comp_method = -1;
121 static int hf_ssl_handshake_certificates_len = -1;
122 static int hf_ssl_handshake_certificates = -1;
123 static int hf_ssl_handshake_certificate = -1;
124 static int hf_ssl_handshake_certificate_len = -1;
125 static int hf_ssl_handshake_cert_types_count = -1;
126 static int hf_ssl_handshake_cert_types = -1;
127 static int hf_ssl_handshake_cert_type = -1;
128 static int hf_ssl_handshake_finished = -1;
129 static int hf_ssl_handshake_md5_hash = -1;
130 static int hf_ssl_handshake_sha_hash = -1;
131 static int hf_ssl_handshake_session_id_len = -1;
132 static int hf_ssl_handshake_dnames_len = -1;
133 static int hf_ssl_handshake_dnames = -1;
134 static int hf_ssl_handshake_dname_len = -1;
135 static int hf_ssl_handshake_dname = -1;
136 static int hf_ssl2_handshake_cipher_spec_len = -1;
137 static int hf_ssl2_handshake_session_id_len = -1;
138 static int hf_ssl2_handshake_challenge_len = -1;
139 static int hf_ssl2_handshake_cipher_spec = -1;
140 static int hf_ssl2_handshake_challenge = -1;
141 static int hf_ssl2_handshake_clear_key_len = -1;
142 static int hf_ssl2_handshake_enc_key_len = -1;
143 static int hf_ssl2_handshake_key_arg_len = -1;
144 static int hf_ssl2_handshake_clear_key = -1;
145 static int hf_ssl2_handshake_enc_key = -1;
146 static int hf_ssl2_handshake_key_arg = -1;
147 static int hf_ssl2_handshake_session_id_hit = -1;
148 static int hf_ssl2_handshake_cert_type = -1;
149 static int hf_ssl2_handshake_connection_id_len = -1;
150 static int hf_ssl2_handshake_connection_id = -1;
152 /* Initialize the subtree pointers */
153 static gint ett_ssl = -1;
154 static gint ett_ssl_record = -1;
155 static gint ett_ssl_alert = -1;
156 static gint ett_ssl_handshake = -1;
157 static gint ett_ssl_cipher_suites = -1;
158 static gint ett_ssl_comp_methods = -1;
159 static gint ett_ssl_certs = -1;
160 static gint ett_ssl_cert_types = -1;
161 static gint ett_ssl_dnames = -1;
163 /* The TCP port to associate with by default */
164 #define TCP_PORT_SSL 443
165 #define TCP_PORT_SSL_LDAP 636
166 #define TCP_PORT_SSL_IMAP 993
167 #define TCP_PORT_SSL_POP 995
169 /* version state tables */
170 #define SSL_VER_UNKNOWN 0
171 #define SSL_VER_SSLv2 1
172 #define SSL_VER_SSLv3 2
173 #define SSL_VER_TLS 3
174 #define SSL_VER_PCT 4
176 /* corresponds to the #defines above */
177 static gchar* ssl_version_short_names[] = {
186 #define SSL_ID_CHG_CIPHER_SPEC 0x14
187 #define SSL_ID_ALERT 0x15
188 #define SSL_ID_HANDSHAKE 0x16
189 #define SSL_ID_APP_DATA 0x17
191 #define SSL_HND_HELLO_REQUEST 0
192 #define SSL_HND_CLIENT_HELLO 1
193 #define SSL_HND_SERVER_HELLO 2
194 #define SSL_HND_CERTIFICATE 11
195 #define SSL_HND_SERVER_KEY_EXCHG 12
196 #define SSL_HND_CERT_REQUEST 13
197 #define SSL_HND_SVR_HELLO_DONE 14
198 #define SSL_HND_CERT_VERIFY 15
199 #define SSL_HND_CLIENT_KEY_EXCHG 16
200 #define SSL_HND_FINISHED 20
202 #define SSL2_HND_ERROR 0x00
203 #define SSL2_HND_CLIENT_HELLO 0x01
204 #define SSL2_HND_CLIENT_MASTER_KEY 0x02
205 #define SSL2_HND_CLIENT_FINISHED 0x03
206 #define SSL2_HND_SERVER_HELLO 0x04
207 #define SSL2_HND_SERVER_VERIFY 0x05
208 #define SSL2_HND_SERVER_FINISHED 0x06
209 #define SSL2_HND_REQUEST_CERTIFICATE 0x07
210 #define SSL2_HND_CLIENT_CERTIFICATE 0x08
212 #define PCT_VERSION_1 0x8001
214 #define PCT_MSG_CLIENT_HELLO 0x01
215 #define PCT_MSG_SERVER_HELLO 0x02
216 #define PCT_MSG_CLIENT_MASTER_KEY 0x03
217 #define PCT_MSG_SERVER_VERIFY 0x04
218 #define PCT_MSG_ERROR 0x05
224 static const value_string ssl_20_msg_types[] = {
225 { SSL2_HND_ERROR, "Error" },
226 { SSL2_HND_CLIENT_HELLO, "Client Hello" },
227 { SSL2_HND_CLIENT_MASTER_KEY, "Client Master Key" },
228 { SSL2_HND_CLIENT_FINISHED, "Client Finished" },
229 { SSL2_HND_SERVER_HELLO, "Server Hello" },
230 { SSL2_HND_SERVER_VERIFY, "Server Verify" },
231 { SSL2_HND_SERVER_FINISHED, "Server Finished" },
232 { SSL2_HND_REQUEST_CERTIFICATE, "Request Certificate" },
233 { SSL2_HND_CLIENT_CERTIFICATE, "Client Certificate" },
237 static const value_string ssl_20_cipher_suites[] = {
238 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
239 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
240 { 0x030080, "SSL2_RC2_CBC_128_CBC_WITH_MD5" },
241 { 0x040080, "SSL2_RC2_CBC_128_CBC_WITH_MD5" },
242 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
243 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
244 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
245 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
246 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
247 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
248 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
249 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
250 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
251 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
252 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
253 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
254 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
255 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
256 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
257 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
258 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
259 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
260 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
261 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
262 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
263 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
264 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
265 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
266 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
267 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
268 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
269 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
270 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
271 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
272 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
273 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
274 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
275 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
276 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
277 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
278 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
279 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
280 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
281 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
282 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
283 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
284 /* these from http://www.mozilla.org/projects/
285 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
286 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
287 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
288 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
289 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
290 /* Microsoft's old PCT protocol. These are from Eric Rescorla's
291 book "SSL and TLS" */
292 { 0x8f8001, "PCT_SSL_COMPAT | PCT_VERSION_1" },
293 { 0x800003, "PCT_SSL_CERT_TYPE | PCT1_CERT_X509_CHAIN" },
294 { 0x800001, "PCT_SSL_CERT_TYPE | PCT1_CERT_X509" },
295 { 0x810001, "PCT_SSL_HASH_TYPE | PCT1_HASH_MD5" },
296 { 0x810003, "PCT_SSL_HASH_TYPE | PCT1_HASH_SHA" },
297 { 0x820001, "PCT_SSL_EXCH_TYPE | PCT1_EXCH_RSA_PKCS1" },
298 { 0x830004, "PCT_SSL_CIPHER_TYPE_1ST_HALF | PCT1_CIPHER_RC4" },
299 { 0x848040, "PCT_SSL_CIPHER_TYPE_2ND_HALF | PCT1_ENC_BITS_128 | PCT1_MAC_BITS_128" },
300 { 0x842840, "PCT_SSL_CIPHER_TYPE_2ND_HALF | PCT1_ENC_BITS_40 | PCT1_MAC_BITS_128" },
301 /* note that ciphersuites of {0x00????} are TLS cipher suites in
302 * a sslv2 client hello message; the ???? above is the two-byte
303 * tls cipher suite id
308 static const value_string ssl_20_certificate_type[] = {
310 { 0x01, "X.509 Certificate" },
314 static const value_string ssl_31_content_type[] = {
315 { 20, "Change Cipher Spec" },
318 { 23, "Application Data" },
322 static const value_string ssl_versions[] = {
323 { 0x0301, "TLS 1.0" },
324 { 0x0300, "SSL 3.0" },
325 { 0x0002, "SSL 2.0" },
330 /* XXX - would be used if we dissected the body of a Change Cipher Spec
332 static const value_string ssl_31_change_cipher_spec[] = {
333 { 1, "Change Cipher Spec" },
338 static const value_string ssl_31_alert_level[] = {
344 static const value_string ssl_31_alert_description[] = {
345 { 0, "Close Notify" },
346 { 10, "Unexpected Message" },
347 { 20, "Bad Record MAC" },
348 { 21, "Decryption Failed" },
349 { 22, "Record Overflow" },
350 { 30, "Decompression Failure" },
351 { 40, "Handshake Failure" },
352 { 42, "Bad Certificate" },
353 { 43, "Unsupported Certificate" },
354 { 44, "Certificate Revoked" },
355 { 45, "Certificate Expired" },
356 { 46, "Certificate Unknown" },
357 { 47, "Illegal Parameter" },
358 { 48, "Unknown CA" },
359 { 49, "Access Denied" },
360 { 50, "Decode Error" },
361 { 51, "Decrypt Error" },
362 { 60, "Export Restriction" },
363 { 70, "Protocol Version" },
364 { 71, "Insufficient Security" },
365 { 80, "Internal Error" },
366 { 90, "User Canceled" },
367 { 100, "No Renegotiation" },
371 static const value_string ssl_31_handshake_type[] = {
372 { SSL_HND_HELLO_REQUEST, "Hello Request" },
373 { SSL_HND_CLIENT_HELLO, "Client Hello" },
374 { SSL_HND_SERVER_HELLO, "Server Hello" },
375 { SSL_HND_CERTIFICATE, "Certificate" },
376 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
377 { SSL_HND_CERT_REQUEST, "Certificate Request" },
378 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
379 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
380 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
381 { SSL_HND_FINISHED, "Finished" },
385 static const value_string ssl_31_compression_method[] = {
392 /* XXX - would be used if we dissected a Signature, as would be
393 seen in a server key exchange or certificate verify message. */
394 static const value_string ssl_31_key_exchange_algorithm[] = {
396 { 1, "Diffie Hellman" },
400 static const value_string ssl_31_signature_algorithm[] = {
408 static const value_string ssl_31_client_certificate_type[] = {
411 { 3, "RSA Fixed DH" },
412 { 4, "DSS Fixed DH" },
417 /* XXX - would be used if we dissected exchnage keys, as would be
418 seen in a client key exchange message. */
419 static const value_string ssl_31_public_value_encoding[] = {
426 static const value_string ssl_31_ciphersuite[] = {
427 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
428 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
429 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
430 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
431 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
432 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
433 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
434 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
435 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
436 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
437 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
438 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
439 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
440 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
441 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
442 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
443 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
444 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
445 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
446 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
447 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
448 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
449 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
450 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
451 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
452 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
453 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
454 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
455 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
456 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
457 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
458 { 0x002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
459 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
460 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
461 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
462 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
463 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
464 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
465 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
466 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
467 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
468 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
469 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
470 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
471 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
472 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
473 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
474 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
475 /* these from http://www.mozilla.org/projects/
476 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
477 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
478 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
479 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
480 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
481 /* note that ciphersuites 0xff00 - 0xffff are private */
485 static const value_string pct_msg_types[] = {
486 { PCT_MSG_CLIENT_HELLO, "Client Hello" },
487 { PCT_MSG_SERVER_HELLO, "Server Hello" },
488 { PCT_MSG_CLIENT_MASTER_KEY, "Client Master Key" },
489 { PCT_MSG_SERVER_VERIFY, "Server Verify" },
490 { PCT_MSG_ERROR, "Error" },
495 /*********************************************************************
497 * Forward Declarations
499 *********************************************************************/
502 * SSL version 3 and TLS dissectors
505 /* record layer dissector */
506 static int dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
507 proto_tree *tree, guint32 offset,
509 gboolean *need_desegmentation);
511 /* change cipher spec dissector */
512 static void dissect_ssl3_change_cipher_spec(tvbuff_t *tvb,
515 guint *conv_version);
517 /* alert message dissector */
518 static void dissect_ssl3_alert(tvbuff_t *tvb, packet_info *pinfo,
519 proto_tree *tree, guint32 offset,
520 guint *conv_version);
522 /* handshake protocol dissector */
523 static void dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
524 proto_tree *tree, guint32 offset,
525 guint32 record_length,
526 guint *conv_version);
529 static void dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb,
533 static void dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb,
537 static void dissect_ssl3_hnd_cert(tvbuff_t *tvb,
538 proto_tree *tree, guint32 offset);
540 static void dissect_ssl3_hnd_cert_req(tvbuff_t *tvb,
544 static void dissect_ssl3_hnd_finished(tvbuff_t *tvb,
547 guint *conv_version);
551 * SSL version 2 dissectors
555 /* record layer dissector */
556 static int dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo,
557 proto_tree *tree, guint32 offset,
559 gboolean *need_desegmentation);
561 /* client hello dissector */
562 static void dissect_ssl2_hnd_client_hello(tvbuff_t *tvb,
566 /* client master key dissector */
567 static void dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb,
571 /* server hello dissector */
572 static void dissect_ssl2_hnd_server_hello(tvbuff_t *tvb,
580 static void ssl_set_conv_version(packet_info *pinfo, guint version);
581 static int ssl_is_valid_handshake_type(guint8 type);
582 static int ssl_is_valid_content_type(guint8 type);
583 static int ssl_is_valid_ssl_version(guint16 version);
584 static int ssl_is_authoritative_version_message(guint8 content_type,
586 static int ssl_is_v2_client_hello(tvbuff_t *tvb, guint32 offset);
587 static int ssl_looks_like_sslv2(tvbuff_t *tvb, guint32 offset);
588 static int ssl_looks_like_sslv3(tvbuff_t *tvb, guint32 offset);
589 static int ssl_looks_like_valid_v2_handshake(tvbuff_t *tvb,
591 guint32 record_length);
592 static int ssl_looks_like_valid_pct_handshake(tvbuff_t *tvb,
594 guint32 record_length);
596 /*********************************************************************
600 *********************************************************************/
602 * Code to actually dissect the packets
605 dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
608 conversation_t *conversation;
610 guint conv_version = SSL_VER_UNKNOWN;
611 proto_item *ti = NULL;
612 proto_tree *ssl_tree = NULL;
614 gboolean first_record_in_frame = TRUE;
615 gboolean need_desegmentation;
617 /* Track the version using conversations to reduce the
618 * chance that a packet that simply *looks* like a v2 or
619 * v3 packet is dissected improperly. This also allows
620 * us to more frequently set the protocol column properly
621 * for continuation data frames.
623 * Also: We use the copy in conv_version as our cached copy,
624 * so that we don't have to search the conversation
625 * table every time we want the version; when setting
626 * the conv_version, must set the copy in the conversation
627 * in addition to conv_version
629 conversation = find_conversation(&pinfo->src, &pinfo->dst, pinfo->ptype,
630 pinfo->srcport, pinfo->destport, 0);
633 /* create a new conversation */
634 conversation = conversation_new(&pinfo->src, &pinfo->dst, pinfo->ptype,
635 pinfo->srcport, pinfo->destport, 0);
637 conv_data = conversation_get_proto_data(conversation, proto_ssl);
638 if (conv_data != NULL)
640 conv_version = GPOINTER_TO_UINT(conv_data);
643 /* Initialize the protocol column; we'll set it later when we
644 * figure out what flavor of SSL it is (assuming we don't
645 * throw an exception before we get the chance to do so). */
646 if (check_col(pinfo->cinfo, COL_PROTOCOL))
648 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SSL");
651 /* clear the the info column */
652 if (check_col(pinfo->cinfo, COL_INFO))
653 col_clear(pinfo->cinfo, COL_INFO);
655 /* TCP packets and SSL records are orthogonal.
656 * A tcp packet may contain multiple ssl records and an ssl
657 * record may be spread across multiple tcp packets.
659 * This loop accounts for multiple ssl records in a single
660 * frame, but not a single ssl record across multiple tcp
663 * Handling the single ssl record across multiple packets
664 * may be possible using ethereal conversations, but
665 * probably not cleanly. May have to wait for tcp stream
669 /* Create display subtree for SSL as a whole */
672 ti = proto_tree_add_item(tree, proto_ssl, tvb, 0, -1, FALSE);
673 ssl_tree = proto_item_add_subtree(ti, ett_ssl);
676 /* iterate through the records in this tvbuff */
677 while (tvb_reported_length_remaining(tvb, offset) != 0)
679 /* on second and subsequent records per frame
680 * add a delimiter on info column
682 if (!first_record_in_frame
683 && check_col(pinfo->cinfo, COL_INFO))
685 col_append_str(pinfo->cinfo, COL_INFO, ", ");
689 * Assume, for now, that this doesn't need desegmentation.
691 need_desegmentation = FALSE;
693 /* first try to dispatch off the cached version
694 * known to be associated with the conversation
696 switch(conv_version) {
699 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
700 offset, &conv_version,
701 &need_desegmentation);
706 /* the version tracking code works too well ;-)
707 * at times, we may visit a v2 client hello after
708 * we already know the version of the connection;
709 * work around that here by detecting and calling
710 * the v2 dissector instead
712 if (ssl_is_v2_client_hello(tvb, offset))
714 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
715 offset, &conv_version,
716 &need_desegmentation);
720 offset = dissect_ssl3_record(tvb, pinfo, ssl_tree,
721 offset, &conv_version,
722 &need_desegmentation);
726 /* that failed, so apply some heuristics based
727 * on this individual packet
730 if (ssl_looks_like_sslv2(tvb, offset))
732 /* looks like sslv2 or pct client hello */
733 offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
734 offset, &conv_version,
735 &need_desegmentation);
737 else if (ssl_looks_like_sslv3(tvb, offset))
739 /* looks like sslv3 or tls */
740 offset = dissect_ssl3_record(tvb, pinfo, ssl_tree,
741 offset, &conv_version,
742 &need_desegmentation);
746 /* looks like something unknown, so lump into
749 offset = tvb_length(tvb);
750 if (check_col(pinfo->cinfo, COL_INFO))
751 col_append_str(pinfo->cinfo, COL_INFO,
752 "Continuation Data");
754 /* Set the protocol column */
755 if (check_col(pinfo->cinfo, COL_PROTOCOL))
757 col_set_str(pinfo->cinfo, COL_PROTOCOL,
758 ssl_version_short_names[conv_version]);
764 /* Desegmentation return check */
765 if (need_desegmentation)
768 /* If we haven't already set the version information for
769 * this conversation, do so. */
770 if (conv_data == NULL)
772 conv_data = GINT_TO_POINTER(conv_version);
773 conversation_add_proto_data(conversation, proto_ssl, conv_data);
776 /* set up for next record in frame, if any */
777 first_record_in_frame = FALSE;
783 /*********************************************************************
785 * SSL version 3 and TLS Dissection Routines
787 *********************************************************************/
789 dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
790 proto_tree *tree, guint32 offset,
791 guint *conv_version, gboolean *need_desegmentation)
796 * uint8 major, minor;
801 * change_cipher_spec(20), alert(21), handshake(22),
802 * application_data(23), (255)
807 * ProtocolVersion version;
809 * opaque fragment[TLSPlaintext.length];
812 guint32 record_length;
816 proto_tree *ti = NULL;
817 proto_tree *ssl_record_tree = NULL;
818 guint32 available_bytes = 0;
820 available_bytes = tvb_length_remaining(tvb, offset);
823 * Can we do reassembly?
825 if (ssl_desegment && pinfo->can_desegment) {
827 * Yes - is the record header split across segment boundaries?
829 if (available_bytes < 5) {
831 * Yes. Tell the TCP dissector where the data for this
832 * message starts in the data it handed us, and how many
833 * more bytes we need, and return.
835 pinfo->desegment_offset = offset;
836 pinfo->desegment_len = 5 - available_bytes;
837 *need_desegmentation = TRUE;
843 * Get the record layer fields of interest
845 content_type = tvb_get_guint8(tvb, offset);
846 version = tvb_get_ntohs(tvb, offset + 1);
847 record_length = tvb_get_ntohs(tvb, offset + 3);
849 if (ssl_is_valid_content_type(content_type)) {
852 * Can we do reassembly?
854 if (ssl_desegment && pinfo->can_desegment) {
856 * Yes - is the record split across segment boundaries?
858 if (available_bytes < record_length + 5) {
860 * Yes. Tell the TCP dissector where the data for this
861 * message starts in the data it handed us, and how many
862 * more bytes we need, and return.
864 pinfo->desegment_offset = offset;
865 pinfo->desegment_len = (record_length + 5) - available_bytes;
866 *need_desegmentation = TRUE;
873 /* if we don't have a valid content_type, there's no sense
874 * continuing any further
876 if (check_col(pinfo->cinfo, COL_INFO))
877 col_append_str(pinfo->cinfo, COL_INFO, "Continuation Data");
879 /* Set the protocol column */
880 if (check_col(pinfo->cinfo, COL_PROTOCOL))
882 col_set_str(pinfo->cinfo, COL_PROTOCOL,
883 ssl_version_short_names[*conv_version]);
885 return offset + 5 + record_length;
889 * If GUI, fill in record layer part of tree
894 /* add the record layer subtree header */
895 ti = proto_tree_add_item(tree, hf_ssl_record, tvb,
896 offset, 5 + record_length, 0);
897 ssl_record_tree = proto_item_add_subtree(ti, ett_ssl_record);
902 /* show the one-byte content type */
903 proto_tree_add_item(ssl_record_tree, hf_ssl_record_content_type,
907 /* add the version */
908 proto_tree_add_item(ssl_record_tree, hf_ssl_record_version, tvb,
913 proto_tree_add_uint(ssl_record_tree, hf_ssl_record_length, tvb,
914 offset, 2, record_length);
915 offset += 2; /* move past length field itself */
919 /* if no GUI tree, then just skip over those fields */
925 * if we don't already have a version set for this conversation,
926 * but this message's version is authoritative (i.e., it's
927 * not client_hello, then save the version to to conversation
928 * structure and print the column version
930 next_byte = tvb_get_guint8(tvb, offset);
931 if (*conv_version == SSL_VER_UNKNOWN
932 && ssl_is_authoritative_version_message(content_type, next_byte))
934 if (version == 0x0300)
936 *conv_version = SSL_VER_SSLv3;
937 ssl_set_conv_version(pinfo, *conv_version);
939 else if (version == 0x0301)
941 *conv_version = SSL_VER_TLS;
942 ssl_set_conv_version(pinfo, *conv_version);
945 if (check_col(pinfo->cinfo, COL_PROTOCOL))
947 if (version == 0x0300)
949 col_set_str(pinfo->cinfo, COL_PROTOCOL,
950 ssl_version_short_names[SSL_VER_SSLv3]);
952 else if (version == 0x0301)
954 col_set_str(pinfo->cinfo, COL_PROTOCOL,
955 ssl_version_short_names[SSL_VER_TLS]);
959 col_set_str(pinfo->cinfo, COL_PROTOCOL,
960 ssl_version_short_names[*conv_version]);
965 * now dissect the next layer
967 switch (content_type) {
968 case SSL_ID_CHG_CIPHER_SPEC:
969 if (check_col(pinfo->cinfo, COL_INFO))
970 col_append_str(pinfo->cinfo, COL_INFO, "Change Cipher Spec");
971 dissect_ssl3_change_cipher_spec(tvb, ssl_record_tree,
972 offset, conv_version);
975 dissect_ssl3_alert(tvb, pinfo, ssl_record_tree, offset,
978 case SSL_ID_HANDSHAKE:
979 dissect_ssl3_handshake(tvb, pinfo, ssl_record_tree, offset,
980 record_length, conv_version);
982 case SSL_ID_APP_DATA:
983 if (check_col(pinfo->cinfo, COL_INFO))
984 col_append_str(pinfo->cinfo, COL_INFO, "Application Data");
987 proto_item_set_text(ssl_record_tree,
988 "%s Record Layer: Application Data",
989 ssl_version_short_names[*conv_version]);
990 proto_tree_add_item(ssl_record_tree, hf_ssl_record_appdata, tvb,
991 offset, record_length, 0);
996 /* shouldn't get here since we check above for valid types */
997 if (check_col(pinfo->cinfo, COL_INFO))
998 col_append_str(pinfo->cinfo, COL_INFO, "Bad SSLv3 Content Type");
1001 offset += record_length; /* skip to end of record */
1006 /* dissects the change cipher spec procotol, filling in the tree */
1008 dissect_ssl3_change_cipher_spec(tvbuff_t *tvb,
1009 proto_tree *tree, guint32 offset,
1010 guint *conv_version)
1014 * enum { change_cipher_spec(1), (255) } type;
1015 * } ChangeCipherSpec;
1020 proto_item_set_text(tree,
1021 "%s Record Layer: Change Cipher Spec",
1022 ssl_version_short_names[*conv_version]);
1023 proto_tree_add_item(tree, hf_ssl_change_cipher_spec, tvb,
1024 offset++, 1, FALSE);
1028 /* dissects the alert message, filling in the tree */
1030 dissect_ssl3_alert(tvbuff_t *tvb, packet_info *pinfo,
1031 proto_tree *tree, guint32 offset,
1032 guint *conv_version)
1036 * AlertDescription description;
1040 proto_tree *ssl_alert_tree = NULL;
1046 ti = proto_tree_add_item(tree, hf_ssl_alert_message, tvb,
1048 ssl_alert_tree = proto_item_add_subtree(ti, ett_ssl_alert);
1052 * set the record layer label
1055 /* first lookup the names for the alert level and description */
1056 byte = tvb_get_guint8(tvb, offset); /* grab the level byte */
1057 level = match_strval(byte, ssl_31_alert_level);
1059 byte = tvb_get_guint8(tvb, offset+1); /* grab the desc byte */
1060 desc = match_strval(byte, ssl_31_alert_description);
1062 /* now set the text in the record layer line */
1065 if (check_col(pinfo->cinfo, COL_INFO))
1066 col_append_fstr(pinfo->cinfo, COL_INFO,
1067 "Alert (Level: %s, Description: %s)",
1072 if (check_col(pinfo->cinfo, COL_INFO))
1073 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted Alert");
1080 proto_item_set_text(tree, "%s Record Layer: Alert "
1081 "(Level: %s, Description: %s)",
1082 ssl_version_short_names[*conv_version],
1084 proto_tree_add_item(ssl_alert_tree, hf_ssl_alert_message_level,
1085 tvb, offset++, 1, FALSE);
1087 proto_tree_add_item(ssl_alert_tree, hf_ssl_alert_message_description,
1088 tvb, offset++, 1, FALSE);
1092 proto_item_set_text(tree,
1093 "%s Record Layer: Encrypted Alert",
1094 ssl_version_short_names[*conv_version]);
1095 proto_item_set_text(ssl_alert_tree,
1096 "Alert Message: Encrypted Alert");
1102 /* dissects the handshake protocol, filling the tree */
1104 dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
1105 proto_tree *tree, guint32 offset,
1106 guint32 record_length, guint *conv_version)
1109 * HandshakeType msg_type;
1111 * select (HandshakeType) {
1112 * case hello_request: HelloRequest;
1113 * case client_hello: ClientHello;
1114 * case server_hello: ServerHello;
1115 * case certificate: Certificate;
1116 * case server_key_exchange: ServerKeyExchange;
1117 * case certificate_request: CertificateRequest;
1118 * case server_hello_done: ServerHelloDone;
1119 * case certificate_verify: CertificateVerify;
1120 * case client_key_exchange: ClientKeyExchange;
1121 * case finished: Finished;
1125 proto_tree *ti = NULL;
1126 proto_tree *ssl_hand_tree = NULL;
1127 gchar *msg_type_str = NULL;
1130 gboolean first_iteration = TRUE;
1133 /* just as there can be multiple records per packet, there
1134 * can be multiple messages per record as long as they have
1135 * the same content type
1137 * we really only care about this for handshake messages
1140 /* set record_length to the max offset */
1141 record_length += offset;
1142 while (offset < record_length)
1144 msg_type = tvb_get_guint8(tvb, offset);
1145 msg_type_str = match_strval(msg_type, ssl_31_handshake_type);
1146 length = tvb_get_ntoh24(tvb, offset + 1);
1148 if (!msg_type_str && !first_iteration)
1150 /* only dissect / report messages if they're
1151 * either the first message in this record
1152 * or they're a valid message type
1157 /* on second and later iterations, add comma to info col */
1158 if (!first_iteration)
1160 if (check_col(pinfo->cinfo, COL_INFO))
1161 col_append_fstr(pinfo->cinfo, COL_INFO, ", ");
1165 * Update our info string
1167 if (check_col(pinfo->cinfo, COL_INFO))
1168 col_append_fstr(pinfo->cinfo, COL_INFO, "%s", (msg_type_str != NULL)
1169 ? msg_type_str : "Encrypted Handshake Message");
1173 /* set the label text on the record layer expanding node */
1174 if (first_iteration)
1176 proto_item_set_text(tree, "%s Record Layer: %s",
1177 ssl_version_short_names[*conv_version],
1178 (msg_type_str!=NULL) ? msg_type_str :
1179 "Encrypted Handshake Message");
1183 proto_item_set_text(tree, "%s Record Layer: %s",
1184 ssl_version_short_names[*conv_version],
1185 "Multiple Handshake Messages");
1188 /* add a subtree for the handshake protocol */
1189 ti = proto_tree_add_item(tree, hf_ssl_handshake_protocol, tvb,
1190 offset, length + 4, 0);
1191 ssl_hand_tree = proto_item_add_subtree(ti, ett_ssl_handshake);
1195 /* set the text label on the subtree node */
1196 proto_item_set_text(ssl_hand_tree, "Handshake Protocol: %s",
1197 (msg_type_str != NULL) ? msg_type_str :
1198 "Encrypted Handshake Message");
1202 /* if we don't have a valid handshake type, just quit dissecting */
1210 /* add nodes for the message type and message length */
1211 proto_tree_add_item(ssl_hand_tree, hf_ssl_handshake_type,
1212 tvb, offset, 1, msg_type);
1214 proto_tree_add_uint(ssl_hand_tree, hf_ssl_handshake_length,
1215 tvb, offset, 3, length);
1218 /* now dissect the handshake message, if necessary */
1220 case SSL_HND_HELLO_REQUEST:
1221 /* hello_request has no fields, so nothing to do! */
1224 case SSL_HND_CLIENT_HELLO:
1225 dissect_ssl3_hnd_cli_hello(tvb, ssl_hand_tree, offset);
1228 case SSL_HND_SERVER_HELLO:
1229 dissect_ssl3_hnd_srv_hello(tvb, ssl_hand_tree, offset);
1232 case SSL_HND_CERTIFICATE:
1233 dissect_ssl3_hnd_cert(tvb, ssl_hand_tree, offset);
1236 case SSL_HND_SERVER_KEY_EXCHG:
1240 case SSL_HND_CERT_REQUEST:
1241 dissect_ssl3_hnd_cert_req(tvb, ssl_hand_tree, offset);
1244 case SSL_HND_SVR_HELLO_DONE:
1245 /* server_hello_done has no fields, so nothing to do! */
1248 case SSL_HND_CERT_VERIFY:
1252 case SSL_HND_CLIENT_KEY_EXCHG:
1256 case SSL_HND_FINISHED:
1257 dissect_ssl3_hnd_finished(tvb, ssl_hand_tree,
1258 offset, conv_version);
1265 offset += 4; /* skip the handshake header */
1268 first_iteration = FALSE; /* set up for next pass, if any */
1273 dissect_ssl3_hnd_hello_common(tvbuff_t *tvb, proto_tree *tree,
1276 /* show the client's random challenge */
1277 guint32 initial_offset = offset;
1278 nstime_t gmt_unix_time;
1279 guint8 session_id_length = 0;
1284 gmt_unix_time.secs = tvb_get_ntohl(tvb, offset);
1285 gmt_unix_time.nsecs = 0;
1286 proto_tree_add_time(tree, hf_ssl_handshake_random_time,
1287 tvb, offset, 4, &gmt_unix_time);
1290 /* show the random bytes */
1291 proto_tree_add_item(tree, hf_ssl_handshake_random_bytes,
1292 tvb, offset, 28, 0);
1295 /* show the session id */
1296 session_id_length = tvb_get_guint8(tvb, offset);
1297 proto_tree_add_item(tree, hf_ssl_handshake_session_id_len,
1298 tvb, offset++, 1, 0);
1299 if (session_id_length > 0)
1301 proto_tree_add_bytes_format(tree, hf_ssl_handshake_session_id,
1302 tvb, offset, session_id_length,
1303 tvb_get_ptr(tvb, offset, session_id_length),
1304 "Session ID (%u byte%s)",
1306 plurality(session_id_length, "", "s"));
1307 offset += session_id_length;
1311 return offset - initial_offset;
1315 dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb,
1316 proto_tree *tree, guint32 offset)
1319 * ProtocolVersion client_version;
1321 * SessionID session_id;
1322 * CipherSuite cipher_suites<2..2^16-1>;
1323 * CompressionMethod compression_methods<1..2^8-1>;
1328 proto_tree *cs_tree;
1329 guint16 cipher_suite_length = 0;
1330 guint8 compression_methods_length = 0;
1331 guint8 compression_method;
1335 /* show the client version */
1336 proto_tree_add_item(tree, hf_ssl_handshake_client_version, tvb,
1340 /* show the fields in common with server hello */
1341 offset += dissect_ssl3_hnd_hello_common(tvb, tree, offset);
1343 /* tell the user how many cipher suites there are */
1344 cipher_suite_length = tvb_get_ntohs(tvb, offset);
1345 proto_tree_add_uint(tree, hf_ssl_handshake_cipher_suites_len,
1346 tvb, offset, 2, cipher_suite_length);
1347 offset += 2; /* skip opaque length */
1349 if (cipher_suite_length > 0)
1351 ti = proto_tree_add_none_format(tree,
1352 hf_ssl_handshake_cipher_suites,
1353 tvb, offset, cipher_suite_length,
1354 "Cipher Suites (%u suite%s)",
1355 cipher_suite_length / 2,
1356 plurality(cipher_suite_length/2, "", "s"));
1358 /* make this a subtree */
1359 cs_tree = proto_item_add_subtree(ti, ett_ssl_cipher_suites);
1362 cs_tree = tree; /* failsafe */
1365 while (cipher_suite_length > 0)
1367 proto_tree_add_item(cs_tree, hf_ssl_handshake_cipher_suite,
1368 tvb, offset, 2, FALSE);
1370 cipher_suite_length -= 2;
1374 /* tell the user how man compression methods there are */
1375 compression_methods_length = tvb_get_guint8(tvb, offset);
1376 proto_tree_add_uint(tree, hf_ssl_handshake_comp_methods_len,
1377 tvb, offset, 1, compression_methods_length);
1380 if (compression_methods_length > 0)
1382 ti = proto_tree_add_none_format(tree,
1383 hf_ssl_handshake_comp_methods,
1384 tvb, offset, compression_methods_length,
1385 "Compression Methods (%u method%s)",
1386 compression_methods_length,
1387 plurality(compression_methods_length,
1390 /* make this a subtree */
1391 cs_tree = proto_item_add_subtree(ti, ett_ssl_comp_methods);
1394 cs_tree = tree; /* failsafe */
1397 while (compression_methods_length > 0)
1399 compression_method = tvb_get_guint8(tvb, offset);
1400 if (compression_method < 64)
1401 proto_tree_add_uint(cs_tree, hf_ssl_handshake_comp_method,
1402 tvb, offset, 1, compression_method);
1403 else if (compression_method > 63 && compression_method < 193)
1404 proto_tree_add_text(cs_tree, tvb, offset, 1,
1405 "Compression Method: Reserved - to be assigned by IANA (%u)",
1406 compression_method);
1408 proto_tree_add_text(cs_tree, tvb, offset, 1,
1409 "Compression Method: Private use range (%u)",
1410 compression_method);
1412 compression_methods_length--;
1419 dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb,
1420 proto_tree *tree, guint32 offset)
1423 * ProtocolVersion server_version;
1425 * SessionID session_id;
1426 * CipherSuite cipher_suite;
1427 * CompressionMethod compression_method;
1433 /* show the server version */
1434 proto_tree_add_item(tree, hf_ssl_handshake_server_version, tvb,
1438 /* first display the elements conveniently in
1439 * common with client hello
1441 offset += dissect_ssl3_hnd_hello_common(tvb, tree, offset);
1443 /* now the server-selected cipher suite */
1444 proto_tree_add_item(tree, hf_ssl_handshake_cipher_suite,
1445 tvb, offset, 2, FALSE);
1448 /* and the server-selected compression method */
1449 proto_tree_add_item(tree, hf_ssl_handshake_comp_method,
1450 tvb, offset, 1, FALSE);
1455 dissect_ssl3_hnd_cert(tvbuff_t *tvb,
1456 proto_tree *tree, guint32 offset)
1459 /* opaque ASN.1Cert<2^24-1>;
1462 * ASN.1Cert certificate_list<1..2^24-1>;
1465 guint32 certificate_list_length;
1467 proto_tree *subtree;
1471 certificate_list_length = tvb_get_ntoh24(tvb, offset);
1472 proto_tree_add_uint(tree, hf_ssl_handshake_certificates_len,
1473 tvb, offset, 3, certificate_list_length);
1474 offset += 3; /* 24-bit length value */
1476 if (certificate_list_length > 0)
1478 ti = proto_tree_add_none_format(tree,
1479 hf_ssl_handshake_certificates,
1480 tvb, offset, certificate_list_length,
1481 "Certificates (%u byte%s)",
1482 certificate_list_length,
1483 plurality(certificate_list_length,
1486 /* make it a subtree */
1487 subtree = proto_item_add_subtree(ti, ett_ssl_certs);
1490 subtree = tree; /* failsafe */
1493 /* iterate through each certificate */
1494 while (certificate_list_length > 0)
1496 /* get the length of the current certificate */
1497 guint32 cert_length = tvb_get_ntoh24(tvb, offset);
1498 certificate_list_length -= 3 + cert_length;
1500 proto_tree_add_item(subtree, hf_ssl_handshake_certificate_len,
1501 tvb, offset, 3, FALSE);
1504 proto_tree_add_bytes_format(subtree,
1505 hf_ssl_handshake_certificate,
1506 tvb, offset, cert_length,
1507 tvb_get_ptr(tvb, offset, cert_length),
1508 "Certificate (%u byte%s)",
1510 plurality(cert_length, "", "s"));
1511 offset += cert_length;
1519 dissect_ssl3_hnd_cert_req(tvbuff_t *tvb,
1520 proto_tree *tree, guint32 offset)
1524 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
1526 * } ClientCertificateType;
1528 * opaque DistinguishedName<1..2^16-1>;
1531 * ClientCertificateType certificate_types<1..2^8-1>;
1532 * DistinguishedName certificate_authorities<3..2^16-1>;
1533 * } CertificateRequest;
1537 proto_tree *subtree;
1538 guint8 cert_types_count = 0;
1539 int dnames_length = 0;
1543 cert_types_count = tvb_get_guint8(tvb, offset);
1544 proto_tree_add_uint(tree, hf_ssl_handshake_cert_types_count,
1545 tvb, offset, 1, cert_types_count);
1548 if (cert_types_count > 0)
1550 ti = proto_tree_add_none_format(tree,
1551 hf_ssl_handshake_cert_types,
1552 tvb, offset, cert_types_count,
1553 "Certificate types (%u type%s)",
1555 plurality(cert_types_count, "", "s"));
1556 subtree = proto_item_add_subtree(ti, ett_ssl_cert_types);
1562 while (cert_types_count > 0)
1564 proto_tree_add_item(subtree, hf_ssl_handshake_cert_type,
1565 tvb, offset, 1, FALSE);
1571 dnames_length = tvb_get_ntohs(tvb, offset);
1572 proto_tree_add_uint(tree, hf_ssl_handshake_dnames_len,
1573 tvb, offset, 2, dnames_length);
1576 if (dnames_length > 0)
1578 ti = proto_tree_add_none_format(tree,
1579 hf_ssl_handshake_dnames,
1580 tvb, offset, dnames_length,
1581 "Distinguished Names (%d byte%s)",
1583 plurality(dnames_length, "", "s"));
1584 subtree = proto_item_add_subtree(ti, ett_ssl_dnames);
1590 while (dnames_length > 0)
1592 /* get the length of the current certificate */
1593 guint16 name_length = tvb_get_ntohs(tvb, offset);
1594 dnames_length -= 2 + name_length;
1596 proto_tree_add_item(subtree, hf_ssl_handshake_dname_len,
1597 tvb, offset, 2, FALSE);
1600 proto_tree_add_bytes_format(subtree,
1601 hf_ssl_handshake_dname,
1602 tvb, offset, name_length,
1603 tvb_get_ptr(tvb, offset, name_length),
1604 "Distinguished Name (%u byte%s)",
1606 plurality(name_length, "", "s"));
1607 offset += name_length;
1615 dissect_ssl3_hnd_finished(tvbuff_t *tvb,
1616 proto_tree *tree, guint32 offset,
1617 guint *conv_version)
1621 * opaque verify_data[12];
1626 * opaque md5_hash[16];
1627 * opaque sha_hash[20];
1631 /* this all needs a tree, so bail if we don't have one */
1637 switch(*conv_version) {
1639 proto_tree_add_item(tree, hf_ssl_handshake_finished,
1640 tvb, offset, 12, FALSE);
1644 proto_tree_add_item(tree, hf_ssl_handshake_md5_hash,
1645 tvb, offset, 16, FALSE);
1647 proto_tree_add_item(tree, hf_ssl_handshake_sha_hash,
1648 tvb, offset, 20, FALSE);
1654 /*********************************************************************
1656 * SSL version 2 Dissectors
1658 *********************************************************************/
1661 /* record layer dissector */
1663 dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
1664 guint32 offset, guint *conv_version,
1665 gboolean *need_desegmentation)
1667 guint32 initial_offset = offset;
1669 guint8 record_length_length = 0;
1670 guint32 record_length = 0;
1671 gint is_escape = -1;
1672 gint16 padding_length = -1;
1673 guint8 msg_type = 0;
1674 gchar *msg_type_str = NULL;
1675 guint32 available_bytes = 0;
1678 proto_tree *ssl_record_tree = NULL;
1680 /* pull first byte; if high bit is set, then record
1681 * length is three bytes due to padding; otherwise
1682 * record length is two bytes
1684 byte = tvb_get_guint8(tvb, offset);
1685 record_length_length = (byte & 0x80) ? 2 : 3;
1688 * Can we do reassembly?
1690 available_bytes = tvb_length_remaining(tvb, offset);
1692 if (ssl_desegment && pinfo->can_desegment) {
1694 * Yes - is the record header split across segment boundaries?
1696 if (available_bytes < record_length_length) {
1698 * Yes. Tell the TCP dissector where the data for this
1699 * message starts in the data it handed us, and how many
1700 * more bytes we need, and return.
1702 pinfo->desegment_offset = offset;
1703 pinfo->desegment_len = record_length_length - available_bytes;
1704 *need_desegmentation = TRUE;
1709 /* parse out the record length */
1710 switch(record_length_length) {
1711 case 2: /* two-byte record length */
1712 record_length = (byte & 0x7f) << 8;
1713 byte = tvb_get_guint8(tvb, offset + 1);
1714 record_length += byte;
1716 case 3: /* three-byte record length */
1717 is_escape = (byte & 0x40) ? TRUE : FALSE;
1718 record_length = (byte & 0x3f) << 8;
1719 byte = tvb_get_guint8(tvb, offset + 1);
1720 record_length += byte;
1721 byte = tvb_get_guint8(tvb, offset + 2);
1722 padding_length = byte;
1726 * Can we do reassembly?
1728 if (ssl_desegment && pinfo->can_desegment) {
1730 * Yes - is the record split across segment boundaries?
1732 if (available_bytes < (record_length_length + record_length)) {
1734 * Yes. Tell the TCP dissector where the data for this
1735 * message starts in the data it handed us, and how many
1736 * more bytes we need, and return.
1738 pinfo->desegment_offset = offset;
1739 pinfo->desegment_len = (record_length_length + record_length)
1741 *need_desegmentation = TRUE;
1745 offset += record_length_length;
1747 /* add the record layer subtree header */
1748 ti = proto_tree_add_item(tree, hf_ssl2_record, tvb, initial_offset,
1749 record_length_length + record_length, 0);
1750 ssl_record_tree = proto_item_add_subtree(ti, ett_ssl_record);
1752 /* pull the msg_type so we can bail if it's unknown */
1753 msg_type = tvb_get_guint8(tvb, initial_offset + record_length_length);
1755 /* if we get a server_hello or later handshake in v2, then set
1758 if (*conv_version == SSL_VER_UNKNOWN)
1760 if (ssl_looks_like_valid_pct_handshake(tvb,
1762 record_length_length),
1764 *conv_version = SSL_VER_PCT;
1765 ssl_set_conv_version(pinfo, *conv_version);
1767 else if (msg_type >= 2 && msg_type <= 8)
1769 *conv_version = SSL_VER_SSLv2;
1770 ssl_set_conv_version(pinfo, *conv_version);
1774 /* if we get here, but don't have a version set for the
1775 * conversation, then set a version for just this frame
1776 * (e.g., on a client hello)
1778 if (check_col(pinfo->cinfo, COL_PROTOCOL))
1780 col_set_str(pinfo->cinfo, COL_PROTOCOL,
1781 (*conv_version == SSL_VER_PCT) ? "PCT" : "SSLv2");
1784 /* see if the msg_type is valid; if not the payload is
1785 * probably encrypted, so note that fact and bail
1787 msg_type_str = match_strval(msg_type,
1788 (*conv_version == SSL_VER_PCT)
1789 ? pct_msg_types : ssl_20_msg_types);
1791 || ((*conv_version != SSL_VER_PCT) &&
1792 !ssl_looks_like_valid_v2_handshake(tvb, initial_offset
1793 + record_length_length,
1795 || ((*conv_version == SSL_VER_PCT) &&
1796 !ssl_looks_like_valid_pct_handshake(tvb, initial_offset
1797 + record_length_length,
1800 if (ssl_record_tree)
1802 proto_item_set_text(ssl_record_tree, "%s Record Layer: %s",
1803 (*conv_version == SSL_VER_PCT)
1807 if (check_col(pinfo->cinfo, COL_INFO))
1808 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted Data");
1809 return initial_offset + record_length_length + record_length;
1813 if (check_col(pinfo->cinfo, COL_INFO))
1814 col_append_str(pinfo->cinfo, COL_INFO, msg_type_str);
1816 if (ssl_record_tree)
1818 proto_item_set_text(ssl_record_tree, "%s Record Layer: %s",
1819 (*conv_version == SSL_VER_PCT)
1825 /* We have a valid message type, so move foward, filling in the
1826 * tree by adding the length, is_escape boolean and padding_length,
1827 * if present in the original packet
1829 if (ssl_record_tree)
1831 /* add the record length */
1832 ti = proto_tree_add_uint (ssl_record_tree,
1833 hf_ssl_record_length, tvb,
1834 initial_offset, record_length_length,
1837 if (ssl_record_tree && is_escape != -1)
1839 proto_tree_add_boolean(ssl_record_tree,
1840 hf_ssl2_record_is_escape, tvb,
1841 initial_offset, 1, is_escape);
1843 if (ssl_record_tree && padding_length != -1)
1845 proto_tree_add_uint(ssl_record_tree,
1846 hf_ssl2_record_padding_length, tvb,
1847 initial_offset + 2, 1, padding_length);
1851 * dissect the record data
1854 /* jump forward to the start of the record data */
1855 offset = initial_offset + record_length_length;
1857 /* add the message type */
1858 if (ssl_record_tree)
1860 proto_tree_add_item(ssl_record_tree,
1861 (*conv_version == SSL_VER_PCT)
1862 ? hf_pct_msg_type : hf_ssl2_msg_type,
1865 offset++; /* move past msg_type byte */
1867 if (*conv_version != SSL_VER_PCT)
1869 /* dissect the message (only handle client hello right now) */
1871 case SSL2_HND_CLIENT_HELLO:
1872 dissect_ssl2_hnd_client_hello(tvb, ssl_record_tree, offset);
1875 case SSL2_HND_CLIENT_MASTER_KEY:
1876 dissect_ssl2_hnd_client_master_key(tvb, ssl_record_tree, offset);
1879 case SSL2_HND_SERVER_HELLO:
1880 dissect_ssl2_hnd_server_hello(tvb, ssl_record_tree, offset);
1883 case SSL2_HND_ERROR:
1884 case SSL2_HND_CLIENT_FINISHED:
1885 case SSL2_HND_SERVER_VERIFY:
1886 case SSL2_HND_SERVER_FINISHED:
1887 case SSL2_HND_REQUEST_CERTIFICATE:
1888 case SSL2_HND_CLIENT_CERTIFICATE:
1892 default: /* unknown */
1898 /* dissect the message */
1900 case PCT_MSG_CLIENT_HELLO:
1901 case PCT_MSG_SERVER_HELLO:
1902 case PCT_MSG_CLIENT_MASTER_KEY:
1903 case PCT_MSG_SERVER_VERIFY:
1908 default: /* unknown */
1912 return (initial_offset + record_length_length + record_length);
1916 dissect_ssl2_hnd_client_hello(tvbuff_t *tvb,
1917 proto_tree *tree, guint32 offset)
1922 * uint16 cipher_spec_length;
1923 * uint16 session_id_length;
1924 * uint16 challenge_length;
1925 * V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length];
1926 * opaque session_id[V2ClientHello.session_id_length];
1930 * Note: when we get here, offset's already pointing at Version
1934 guint16 cipher_spec_length;
1935 guint16 session_id_length;
1936 guint16 challenge_length;
1939 proto_tree *cs_tree;
1941 version = tvb_get_ntohs(tvb, offset);
1942 if (!ssl_is_valid_ssl_version(version))
1944 /* invalid version; probably encrypted data */
1950 /* show the version */
1951 proto_tree_add_item(tree, hf_ssl_record_version, tvb,
1955 cipher_spec_length = tvb_get_ntohs(tvb, offset);
1956 proto_tree_add_item(tree, hf_ssl2_handshake_cipher_spec_len,
1957 tvb, offset, 2, FALSE);
1960 session_id_length = tvb_get_ntohs(tvb, offset);
1961 proto_tree_add_item(tree, hf_ssl2_handshake_session_id_len,
1962 tvb, offset, 2, FALSE);
1965 challenge_length = tvb_get_ntohs(tvb, offset);
1966 proto_tree_add_item(tree, hf_ssl2_handshake_challenge_len,
1967 tvb, offset, 2, FALSE);
1970 /* tell the user how many cipher specs they've won */
1971 ti = proto_tree_add_none_format(tree, hf_ssl_handshake_cipher_suites,
1972 tvb, offset, cipher_spec_length,
1973 "Cipher Specs (%u specs)",
1974 cipher_spec_length/3);
1976 /* make this a subtree and expand the actual specs below */
1977 cs_tree = proto_item_add_subtree(ti, ett_ssl_cipher_suites);
1980 cs_tree = tree; /* failsafe */
1983 /* iterate through the cipher specs, showing them */
1984 while (cipher_spec_length > 0)
1986 proto_tree_add_item(cs_tree, hf_ssl2_handshake_cipher_spec,
1987 tvb, offset, 3, FALSE);
1988 offset += 3; /* length of one cipher spec */
1989 cipher_spec_length -= 3;
1992 /* if there's a session id, show it */
1993 if (session_id_length > 0)
1995 proto_tree_add_bytes_format(tree,
1996 hf_ssl_handshake_session_id,
1997 tvb, offset, session_id_length,
1998 tvb_get_ptr(tvb, offset, session_id_length),
1999 "Session ID (%u byte%s)",
2001 plurality(session_id_length, "", "s"));
2003 offset += session_id_length;
2006 /* if there's a challenge, show it */
2007 if (challenge_length > 0)
2009 proto_tree_add_item(tree, hf_ssl2_handshake_challenge,
2010 tvb, offset, challenge_length, 0);
2011 offset += challenge_length;
2017 dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb,
2018 proto_tree *tree, guint32 offset)
2022 * V2Cipherspec cipher;
2023 * uint16 clear_key_length;
2024 * uint16 encrypted_key_length;
2025 * uint16 key_arg_length;
2026 * opaque clear_key_data[V2ClientMasterKey.clear_key_length];
2027 * opaque encrypted_key_data[V2ClientMasterKey.encrypted_key_length];
2028 * opaque key_arg_data[V2ClientMasterKey.key_arg_length];
2029 * } V2ClientMasterKey;
2031 * Note: when we get here, offset's already pointing at cipher
2033 guint16 clear_key_length;
2034 guint16 encrypted_key_length;
2035 guint16 key_arg_length;
2037 /* at this point, everything we do involves the tree,
2038 * so quit now if we don't have one ;-)
2045 /* show the selected cipher */
2046 proto_tree_add_item(tree, hf_ssl2_handshake_cipher_spec,
2047 tvb, offset, 3, FALSE);
2050 /* get the fixed fields */
2051 clear_key_length = tvb_get_ntohs(tvb, offset);
2052 proto_tree_add_item(tree, hf_ssl2_handshake_clear_key_len,
2053 tvb, offset, 2, FALSE);
2056 encrypted_key_length = tvb_get_ntohs(tvb, offset);
2057 proto_tree_add_item(tree, hf_ssl2_handshake_enc_key_len,
2058 tvb, offset, 2, FALSE);
2061 key_arg_length = tvb_get_ntohs(tvb, offset);
2062 proto_tree_add_item(tree, hf_ssl2_handshake_key_arg_len,
2063 tvb, offset, 2, FALSE);
2066 /* show the variable length fields */
2067 if (clear_key_length > 0)
2069 proto_tree_add_item(tree, hf_ssl2_handshake_clear_key,
2070 tvb, offset, clear_key_length, FALSE);
2071 offset += clear_key_length;
2074 if (encrypted_key_length > 0)
2076 proto_tree_add_item(tree, hf_ssl2_handshake_enc_key,
2077 tvb, offset, encrypted_key_length, FALSE);
2078 offset += encrypted_key_length;
2081 if (key_arg_length > 0)
2083 proto_tree_add_item(tree, hf_ssl2_handshake_key_arg,
2084 tvb, offset, key_arg_length, FALSE);
2085 offset += key_arg_length;
2091 dissect_ssl2_hnd_server_hello(tvbuff_t *tvb,
2092 proto_tree *tree, guint32 offset)
2096 * uint8 session_id_hit;
2097 * uint8 certificate_type;
2098 * uint16 server_version;
2099 * uint16 certificate_length;
2100 * uint16 cipher_specs_length;
2101 * uint16 connection_id_length;
2102 * opaque certificate_data[V2ServerHello.certificate_length];
2103 * opaque cipher_specs_data[V2ServerHello.cipher_specs_length];
2104 * opaque connection_id_data[V2ServerHello.connection_id_length];
2107 * Note: when we get here, offset's already pointing at session_id_hit
2109 guint16 certificate_length;
2110 guint16 cipher_spec_length;
2111 guint16 connection_id_length;
2114 proto_tree *subtree;
2116 /* everything we do only makes sense with a tree, so
2117 * quit now if we don't have one
2124 version = tvb_get_ntohs(tvb, offset + 2);
2125 if (!ssl_is_valid_ssl_version(version))
2127 /* invalid version; probably encrypted data */
2132 /* is there a hit? */
2133 proto_tree_add_item(tree, hf_ssl2_handshake_session_id_hit,
2134 tvb, offset, 1, FALSE);
2137 /* what type of certificate is this? */
2138 proto_tree_add_item(tree, hf_ssl2_handshake_cert_type,
2139 tvb, offset, 1, FALSE);
2142 /* now the server version */
2143 proto_tree_add_item(tree, hf_ssl_handshake_server_version,
2144 tvb, offset, 2, FALSE);
2147 /* get the fixed fields */
2148 certificate_length = tvb_get_ntohs(tvb, offset);
2149 proto_tree_add_uint(tree, hf_ssl_handshake_certificate_len,
2150 tvb, offset, 2, certificate_length);
2153 cipher_spec_length = tvb_get_ntohs(tvb, offset);
2154 proto_tree_add_uint(tree, hf_ssl2_handshake_cipher_spec_len,
2155 tvb, offset, 2, cipher_spec_length);
2158 connection_id_length = tvb_get_ntohs(tvb, offset);
2159 proto_tree_add_uint(tree, hf_ssl2_handshake_connection_id_len,
2160 tvb, offset, 2, connection_id_length);
2163 /* now the variable length fields */
2164 if (certificate_length > 0)
2166 proto_tree_add_bytes_format(tree, hf_ssl_handshake_certificate,
2167 tvb, offset, certificate_length,
2168 tvb_get_ptr(tvb, offset, certificate_length),
2169 "Certificate (%u byte%s)",
2171 plurality(certificate_length, "", "s"));
2172 offset += certificate_length;
2175 if (cipher_spec_length > 0)
2177 /* provide a collapsing node for the cipher specs */
2178 ti = proto_tree_add_none_format(tree,
2179 hf_ssl_handshake_cipher_suites,
2180 tvb, offset, cipher_spec_length,
2181 "Cipher Specs (%u spec%s)",
2182 cipher_spec_length/3,
2183 plurality(cipher_spec_length/3, "", "s"));
2184 subtree = proto_item_add_subtree(ti, ett_ssl_cipher_suites);
2190 /* iterate through the cipher specs */
2191 while (cipher_spec_length > 0)
2193 proto_tree_add_item(subtree, hf_ssl2_handshake_cipher_spec,
2194 tvb, offset, 3, FALSE);
2196 cipher_spec_length -= 3;
2200 if (connection_id_length > 0)
2202 proto_tree_add_item(tree, hf_ssl2_handshake_connection_id,
2203 tvb, offset, connection_id_length, FALSE);
2204 offset += connection_id_length;
2212 /*********************************************************************
2216 *********************************************************************/
2219 ssl_set_conv_version(packet_info *pinfo, guint version)
2221 conversation_t *conversation;
2223 if (pinfo->fd->flags.visited)
2225 /* We've already processed this frame; no need to do any more
2231 conversation = find_conversation(&pinfo->src, &pinfo->dst, pinfo->ptype,
2232 pinfo->srcport, pinfo->destport, 0);
2234 if (conversation == NULL)
2236 /* create a new conversation */
2237 conversation = conversation_new(&pinfo->src, &pinfo->dst, pinfo->ptype,
2238 pinfo->srcport, pinfo->destport, 0);
2241 if (conversation_get_proto_data(conversation, proto_ssl) != NULL)
2243 /* get rid of the current data */
2244 conversation_delete_proto_data(conversation, proto_ssl);
2246 conversation_add_proto_data(conversation, proto_ssl, GINT_TO_POINTER(version));
2250 ssl_is_valid_handshake_type(guint8 type)
2254 case SSL_HND_HELLO_REQUEST:
2255 case SSL_HND_CLIENT_HELLO:
2256 case SSL_HND_SERVER_HELLO:
2257 case SSL_HND_CERTIFICATE:
2258 case SSL_HND_SERVER_KEY_EXCHG:
2259 case SSL_HND_CERT_REQUEST:
2260 case SSL_HND_SVR_HELLO_DONE:
2261 case SSL_HND_CERT_VERIFY:
2262 case SSL_HND_CLIENT_KEY_EXCHG:
2263 case SSL_HND_FINISHED:
2270 ssl_is_valid_content_type(guint8 type)
2272 if (type >= 0x14 && type <= 0x17)
2281 ssl_is_valid_ssl_version(guint16 version)
2283 gchar *version_str = match_strval(version, ssl_versions);
2284 return version_str != NULL;
2288 ssl_is_authoritative_version_message(guint8 content_type,
2291 if (content_type == SSL_ID_HANDSHAKE
2292 && ssl_is_valid_handshake_type(next_byte))
2294 return (next_byte != SSL_HND_CLIENT_HELLO);
2296 else if (ssl_is_valid_content_type(content_type)
2297 && content_type != SSL_ID_HANDSHAKE)
2305 ssl_is_v2_client_hello(tvbuff_t *tvb, guint32 offset)
2309 byte = tvb_get_guint8(tvb, offset);
2310 if (byte != 0x80) /* v2 client hello should start this way */
2315 byte = tvb_get_guint8(tvb, offset+2);
2316 if (byte != 0x01) /* v2 client hello msg type */
2321 /* 1 in 2^16 of being right; improve later if necessary */
2325 /* this applies a heuristic to determine whether
2326 * or not the data beginning at offset looks like a
2327 * valid sslv2 record. this isn't really possible,
2328 * but we'll try to do a reasonable job anyway.
2331 ssl_looks_like_sslv2(tvbuff_t *tvb, guint32 offset)
2333 /* here's the current approach:
2335 * we only try to catch unencrypted handshake messages, so we can
2336 * assume that there is not padding. This means that the
2337 * first byte must be >= 0x80 and there must be a valid sslv2
2338 * msg_type in the third byte
2341 /* get the first byte; must have high bit set */
2342 guint8 byte = tvb_get_guint8(tvb, offset);
2348 /* get the supposed msg_type byte; since we only care about
2349 * unencrypted handshake messages (we can't tell the type for
2350 * encrypted messages), we just check against that list
2352 byte = tvb_get_guint8(tvb, offset + 2);
2354 case SSL2_HND_ERROR:
2355 case SSL2_HND_CLIENT_HELLO:
2356 case SSL2_HND_CLIENT_MASTER_KEY:
2357 case SSL2_HND_SERVER_HELLO:
2358 case PCT_MSG_CLIENT_MASTER_KEY:
2365 /* this applies a heuristic to determine whether
2366 * or not the data beginning at offset looks like a
2367 * valid sslv3 record. this is somewhat more reliable
2368 * than sslv2 due to the structure of the v3 protocol
2371 ssl_looks_like_sslv3(tvbuff_t *tvb, guint32 offset)
2373 /* have to have a valid content type followed by a valid
2379 /* see if the first byte is a valid content type */
2380 byte = tvb_get_guint8(tvb, offset);
2381 if (!ssl_is_valid_content_type(byte))
2386 /* now check to see if the version byte appears valid */
2387 version = tvb_get_ntohs(tvb, offset + 1);
2388 if (version != 0x0300 && version != 0x0301)
2396 /* applies a heuristic to determine whether
2397 * or not the data beginning at offset looks
2398 * like a valid, unencrypted v2 handshake message.
2399 * since it isn't possible to completely tell random
2400 * data apart from a valid message without state,
2401 * we try to help the odds.
2404 ssl_looks_like_valid_v2_handshake(tvbuff_t *tvb, guint32 offset,
2405 guint32 record_length)
2407 /* first byte should be a msg_type.
2409 * - we know we only see client_hello, client_master_key,
2410 * and server_hello in the clear, so check to see if
2411 * msg_type is one of those (this gives us a 3 in 2^8
2412 * chance of saying yes with random payload)
2414 * - for those three types that we know about, do some
2415 * further validation to reduce the chance of an error
2421 /* fetch the msg_type */
2422 msg_type = tvb_get_guint8(tvb, offset);
2425 case SSL2_HND_CLIENT_HELLO:
2426 /* version follows msg byte, so verify that this is valid */
2427 version = tvb_get_ntohs(tvb, offset+1);
2428 return ssl_is_valid_ssl_version(version);
2431 case SSL2_HND_SERVER_HELLO:
2432 /* version is three bytes after msg_type */
2433 version = tvb_get_ntohs(tvb, offset+3);
2434 return ssl_is_valid_ssl_version(version);
2437 case SSL2_HND_CLIENT_MASTER_KEY:
2438 /* sum of clear_key_length, encrypted_key_length, and key_arg_length
2439 * must be less than record length
2441 sum = tvb_get_ntohs(tvb, offset + 4); /* clear_key_length */
2442 sum += tvb_get_ntohs(tvb, offset + 6); /* encrypted_key_length */
2443 sum += tvb_get_ntohs(tvb, offset + 8); /* key_arg_length */
2444 if (sum > record_length)
2457 /* applies a heuristic to determine whether
2458 * or not the data beginning at offset looks
2459 * like a valid, unencrypted v2 handshake message.
2460 * since it isn't possible to completely tell random
2461 * data apart from a valid message without state,
2462 * we try to help the odds.
2465 ssl_looks_like_valid_pct_handshake(tvbuff_t *tvb, guint32 offset,
2466 guint32 record_length)
2468 /* first byte should be a msg_type.
2470 * - we know we only see client_hello, client_master_key,
2471 * and server_hello in the clear, so check to see if
2472 * msg_type is one of those (this gives us a 3 in 2^8
2473 * chance of saying yes with random payload)
2475 * - for those three types that we know about, do some
2476 * further validation to reduce the chance of an error
2482 /* fetch the msg_type */
2483 msg_type = tvb_get_guint8(tvb, offset);
2486 case PCT_MSG_CLIENT_HELLO:
2487 /* version follows msg byte, so verify that this is valid */
2488 version = tvb_get_ntohs(tvb, offset+1);
2489 return version == PCT_VERSION_1;
2492 case PCT_MSG_SERVER_HELLO:
2493 /* version is one byte after msg_type */
2494 version = tvb_get_ntohs(tvb, offset+2);
2495 return version == PCT_VERSION_1;
2498 case PCT_MSG_CLIENT_MASTER_KEY:
2499 /* sum of various length fields must be less than record length */
2500 sum = tvb_get_ntohs(tvb, offset + 6); /* clear_key_length */
2501 sum += tvb_get_ntohs(tvb, offset + 8); /* encrypted_key_length */
2502 sum += tvb_get_ntohs(tvb, offset + 10); /* key_arg_length */
2503 sum += tvb_get_ntohs(tvb, offset + 12); /* verify_prelude_length */
2504 sum += tvb_get_ntohs(tvb, offset + 14); /* client_cert_length */
2505 sum += tvb_get_ntohs(tvb, offset + 16); /* response_length */
2506 if (sum > record_length)
2513 case PCT_MSG_SERVER_VERIFY:
2514 /* record is 36 bytes longer than response_length */
2515 sum = tvb_get_ntohs(tvb, offset + 34); /* response_length */
2516 if ((sum + 36) == record_length)
2529 /*********************************************************************
2531 * Standard Ethereal Protocol Registration and housekeeping
2533 *********************************************************************/
2535 proto_register_ssl(void)
2538 /* Setup list of header fields See Section 1.6.1 for details*/
2539 static hf_register_info hf[] = {
2541 { "Record Layer", "ssl.record",
2542 FT_NONE, BASE_NONE, NULL, 0x0,
2543 "Record layer", HFILL }
2545 { &hf_ssl_record_content_type,
2546 { "Content Type", "ssl.record.content_type",
2547 FT_UINT8, BASE_DEC, VALS(ssl_31_content_type), 0x0,
2548 "Content type", HFILL}
2550 { &hf_ssl2_msg_type,
2551 { "Handshake Message Type", "ssl.handshake.type",
2552 FT_UINT8, BASE_DEC, VALS(ssl_20_msg_types), 0x0,
2553 "SSLv2 handshake message type", HFILL}
2556 { "Handshake Message Type", "ssl.pct_handshake.type",
2557 FT_UINT8, BASE_DEC, VALS(pct_msg_types), 0x0,
2558 "PCT handshake message type", HFILL}
2560 { &hf_ssl_record_version,
2561 { "Version", "ssl.record.version",
2562 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2563 "Record layer version.", HFILL }
2565 { &hf_ssl_record_length,
2566 { "Length", "ssl.record.length",
2567 FT_UINT16, BASE_DEC, NULL, 0x0,
2568 "Length of SSL record data", HFILL }
2570 { &hf_ssl_record_appdata,
2571 { "Application Data", "ssl.app_data",
2572 FT_NONE, BASE_NONE, NULL, 0x0,
2573 "Payload is application data", HFILL }
2576 { "SSLv2/PCT Record Header", "ssl.record",
2577 FT_NONE, BASE_DEC, NULL, 0x0,
2578 "SSLv2/PCT record data", HFILL }
2580 { &hf_ssl2_record_is_escape,
2581 { "Is Escape", "ssl.record.is_escape",
2582 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2583 "Indicates a security escape", HFILL}
2585 { &hf_ssl2_record_padding_length,
2586 { "Padding Length", "ssl.record.padding_length",
2587 FT_UINT8, BASE_DEC, NULL, 0x0,
2588 "Length of padding at end of record", HFILL }
2590 { &hf_ssl_change_cipher_spec,
2591 { "Change Cipher Spec Message", "ssl.change_cipher_spec",
2592 FT_NONE, BASE_NONE, NULL, 0x0,
2593 "Signals a change in cipher specifications", HFILL }
2595 { & hf_ssl_alert_message,
2596 { "Alert Message", "ssl.alert_message",
2597 FT_NONE, BASE_NONE, NULL, 0x0,
2598 "Alert message", HFILL }
2600 { & hf_ssl_alert_message_level,
2601 { "Level", "ssl.alert_message.level",
2602 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_level), 0x0,
2603 "Alert message level", HFILL }
2605 { &hf_ssl_alert_message_description,
2606 { "Description", "ssl.alert_message.desc",
2607 FT_UINT8, BASE_DEC, VALS(ssl_31_alert_description), 0x0,
2608 "Alert message description", HFILL }
2610 { &hf_ssl_handshake_protocol,
2611 { "Handshake Protocol", "ssl.handshake",
2612 FT_NONE, BASE_NONE, NULL, 0x0,
2613 "Handshake protocol message", HFILL}
2615 { &hf_ssl_handshake_type,
2616 { "Handshake Type", "ssl.handshake.type",
2617 FT_UINT8, BASE_DEC, VALS(ssl_31_handshake_type), 0x0,
2618 "Type of handshake message", HFILL}
2620 { &hf_ssl_handshake_length,
2621 { "Length", "ssl.handshake.length",
2622 FT_UINT24, BASE_DEC, NULL, 0x0,
2623 "Length of handshake message", HFILL }
2625 { &hf_ssl_handshake_client_version,
2626 { "Version", "ssl.handshake.version",
2627 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2628 "Maximum version supported by client", HFILL }
2630 { &hf_ssl_handshake_server_version,
2631 { "Version", "ssl.handshake.version",
2632 FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
2633 "Version selected by server", HFILL }
2635 { &hf_ssl_handshake_random_time,
2636 { "Random.gmt_unix_time", "ssl.handshake.random_time",
2637 FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0x0,
2638 "Unix time field of random structure", HFILL }
2640 { &hf_ssl_handshake_random_bytes,
2641 { "Random.bytes", "ssl.handshake.random",
2642 FT_NONE, BASE_NONE, NULL, 0x0,
2643 "Random challenge used to authenticate server", HFILL }
2645 { &hf_ssl_handshake_cipher_suites_len,
2646 { "Cipher Suites Length", "ssl.handshake.cipher_suites_length",
2647 FT_UINT16, BASE_DEC, NULL, 0x0,
2648 "Length of cipher suites field", HFILL }
2650 { &hf_ssl_handshake_cipher_suites,
2651 { "Cipher Suites", "ssl.handshake.ciphersuites",
2652 FT_NONE, BASE_NONE, NULL, 0x0,
2653 "List of cipher suites supported by client", HFILL }
2655 { &hf_ssl_handshake_cipher_suite,
2656 { "Cipher Suite", "ssl.handshake.ciphersuite",
2657 FT_UINT16, BASE_HEX, VALS(ssl_31_ciphersuite), 0x0,
2658 "Cipher suite", HFILL }
2660 { &hf_ssl2_handshake_cipher_spec,
2661 { "Cipher Spec", "ssl.handshake.cipherspec",
2662 FT_UINT24, BASE_HEX, VALS(ssl_20_cipher_suites), 0x0,
2663 "Cipher specification", HFILL }
2665 { &hf_ssl_handshake_session_id,
2666 { "Session ID", "ssl.handshake.session_id",
2667 FT_BYTES, BASE_NONE, NULL, 0x0,
2668 "Identifies the SSL session, allowing later resumption", HFILL }
2670 { &hf_ssl_handshake_comp_methods_len,
2671 { "Compression Methods Length", "ssl.handshake.comp_methods_length",
2672 FT_UINT8, BASE_DEC, NULL, 0x0,
2673 "Length of compression methods field", HFILL }
2675 { &hf_ssl_handshake_comp_methods,
2676 { "Compression Methods", "ssl.handshake.comp_methods",
2677 FT_NONE, BASE_NONE, NULL, 0x0,
2678 "List of compression methods supported by client", HFILL }
2680 { &hf_ssl_handshake_comp_method,
2681 { "Compression Method", "ssl.handshake.comp_method",
2682 FT_UINT8, BASE_DEC, VALS(ssl_31_compression_method), 0x0,
2683 "Compression Method", HFILL }
2685 { &hf_ssl_handshake_certificates_len,
2686 { "Certificates Length", "ssl.handshake.certificates_length",
2687 FT_UINT24, BASE_DEC, NULL, 0x0,
2688 "Length of certificates field", HFILL }
2690 { &hf_ssl_handshake_certificates,
2691 { "Certificates", "ssl.handshake.certificates",
2692 FT_NONE, BASE_NONE, NULL, 0x0,
2693 "List of certificates", HFILL }
2695 { &hf_ssl_handshake_certificate,
2696 { "Certificate", "ssl.handshake.certificate",
2697 FT_BYTES, BASE_NONE, NULL, 0x0,
2698 "Certificate", HFILL }
2700 { &hf_ssl_handshake_certificate_len,
2701 { "Certificate Length", "ssl.handshake.certificate_length",
2702 FT_UINT24, BASE_DEC, NULL, 0x0,
2703 "Length of certificate", HFILL }
2705 { &hf_ssl_handshake_cert_types_count,
2706 { "Certificate types count", "ssl.handshake.cert_types_count",
2707 FT_UINT8, BASE_DEC, NULL, 0x0,
2708 "Count of certificate types", HFILL }
2710 { &hf_ssl_handshake_cert_types,
2711 { "Certificate types", "ssl.handshake.cert_types",
2712 FT_NONE, BASE_NONE, NULL, 0x0,
2713 "List of certificate types", HFILL }
2715 { &hf_ssl_handshake_cert_type,
2716 { "Certificate type", "ssl.handshake.cert_type",
2717 FT_UINT8, BASE_DEC, VALS(ssl_31_client_certificate_type), 0x0,
2718 "Certificate type", HFILL }
2720 { &hf_ssl_handshake_finished,
2721 { "Verify Data", "ssl.handshake.verify_data",
2722 FT_NONE, BASE_NONE, NULL, 0x0,
2723 "Opaque verification data", HFILL }
2725 { &hf_ssl_handshake_md5_hash,
2726 { "MD5 Hash", "ssl.handshake.md5_hash",
2727 FT_NONE, BASE_NONE, NULL, 0x0,
2728 "Hash of messages, master_secret, etc.", HFILL }
2730 { &hf_ssl_handshake_sha_hash,
2731 { "SHA-1 Hash", "ssl.handshake.sha_hash",
2732 FT_NONE, BASE_NONE, NULL, 0x0,
2733 "Hash of messages, master_secret, etc.", HFILL }
2735 { &hf_ssl_handshake_session_id_len,
2736 { "Session ID Length", "ssl.handshake.session_id_length",
2737 FT_UINT8, BASE_DEC, NULL, 0x0,
2738 "Length of session ID field", HFILL }
2740 { &hf_ssl_handshake_dnames_len,
2741 { "Distinguished Names Length", "ssl.handshake.dnames_len",
2742 FT_UINT16, BASE_DEC, NULL, 0x0,
2743 "Length of list of CAs that server trusts", HFILL }
2745 { &hf_ssl_handshake_dnames,
2746 { "Distinguished Names", "ssl.handshake.dnames",
2747 FT_NONE, BASE_NONE, NULL, 0x0,
2748 "List of CAs that server trusts", HFILL }
2750 { &hf_ssl_handshake_dname_len,
2751 { "Distinguished Name Length", "ssl.handshake.dname_len",
2752 FT_UINT16, BASE_DEC, NULL, 0x0,
2753 "Length of distinguished name", HFILL }
2755 { &hf_ssl_handshake_dname,
2756 { "Distinguished Name", "ssl.handshake.dname",
2757 FT_BYTES, BASE_NONE, NULL, 0x0,
2758 "Distinguished name of a CA that server trusts", HFILL }
2760 { &hf_ssl2_handshake_challenge,
2761 { "Challenge", "ssl.handshake.challenge",
2762 FT_NONE, BASE_NONE, NULL, 0x0,
2763 "Challenge data used to authenticate server", HFILL }
2765 { &hf_ssl2_handshake_cipher_spec_len,
2766 { "Cipher Spec Length", "ssl.handshake.cipher_spec_len",
2767 FT_UINT16, BASE_DEC, NULL, 0x0,
2768 "Length of cipher specs field", HFILL }
2770 { &hf_ssl2_handshake_session_id_len,
2771 { "Session ID Length", "ssl.handshake.session_id_length",
2772 FT_UINT16, BASE_DEC, NULL, 0x0,
2773 "Length of session ID field", HFILL }
2775 { &hf_ssl2_handshake_challenge_len,
2776 { "Challenge Length", "ssl.handshake.challenge_length",
2777 FT_UINT16, BASE_DEC, NULL, 0x0,
2778 "Length of challenge field", HFILL }
2780 { &hf_ssl2_handshake_clear_key_len,
2781 { "Clear Key Data Length", "ssl.handshake.clear_key_length",
2782 FT_UINT16, BASE_DEC, NULL, 0x0,
2783 "Length of clear key data", HFILL }
2785 { &hf_ssl2_handshake_enc_key_len,
2786 { "Encrypted Key Data Length", "ssl.handshake.encrypted_key_length",
2787 FT_UINT16, BASE_DEC, NULL, 0x0,
2788 "Length of encrypted key data", HFILL }
2790 { &hf_ssl2_handshake_key_arg_len,
2791 { "Key Argument Length", "ssl.handshake.key_arg_length",
2792 FT_UINT16, BASE_DEC, NULL, 0x0,
2793 "Length of key argument", HFILL }
2795 { &hf_ssl2_handshake_clear_key,
2796 { "Clear Key Data", "ssl.handshake.clear_key_data",
2797 FT_NONE, BASE_NONE, NULL, 0x0,
2798 "Clear portion of MASTER-KEY", HFILL }
2800 { &hf_ssl2_handshake_enc_key,
2801 { "Encrypted Key", "ssl.handshake.encrypted_key",
2802 FT_NONE, BASE_NONE, NULL, 0x0,
2803 "Secret portion of MASTER-KEY encrypted to server", HFILL }
2805 { &hf_ssl2_handshake_key_arg,
2806 { "Key Argument", "ssl.handshake.key_arg",
2807 FT_NONE, BASE_NONE, NULL, 0x0,
2808 "Key Argument (e.g., Initialization Vector)", HFILL }
2810 { &hf_ssl2_handshake_session_id_hit,
2811 { "Session ID Hit", "ssl.handshake.session_id_hit",
2812 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2813 "Did the server find the client's Session ID?", HFILL }
2815 { &hf_ssl2_handshake_cert_type,
2816 { "Certificate Type", "ssl.handshake.cert_type",
2817 FT_UINT8, BASE_DEC, VALS(ssl_20_certificate_type), 0x0,
2818 "Certificate Type", HFILL }
2820 { &hf_ssl2_handshake_connection_id_len,
2821 { "Connection ID Length", "ssl.handshake.connection_id_length",
2822 FT_UINT16, BASE_DEC, NULL, 0x0,
2823 "Length of connection ID", HFILL }
2825 { &hf_ssl2_handshake_connection_id,
2826 { "Connection ID", "ssl.handshake.connection_id",
2827 FT_NONE, BASE_NONE, NULL, 0x0,
2828 "Server's challenge to client", HFILL }
2832 /* Setup protocol subtree array */
2833 static gint *ett[] = {
2838 &ett_ssl_cipher_suites,
2839 &ett_ssl_comp_methods,
2841 &ett_ssl_cert_types,
2845 /* Register the protocol name and description */
2846 proto_ssl = proto_register_protocol("Secure Socket Layer",
2849 /* Required function calls to register the header fields and
2851 proto_register_field_array(proto_ssl, hf, array_length(hf));
2852 proto_register_subtree_array(ett, array_length(ett));
2855 module_t *ssl_module = prefs_register_protocol(proto_ssl, NULL);
2856 prefs_register_bool_preference(ssl_module,
2857 "desegment_ssl_records",
2858 "Desegment SSL records",
2859 "When enabled, SSL records that span multiple TCP segments are desegmented",
2863 register_dissector("ssl", dissect_ssl, proto_ssl);
2867 /* If this dissector uses sub-dissector registration add a registration
2868 * routine. This format is required because a script is used to find
2869 * these routines and create the code that calls these routines.
2872 proto_reg_handoff_ssl(void)
2874 dissector_handle_t ssl_handle;
2876 ssl_handle = find_dissector("ssl");
2877 dissector_add("tcp.port", TCP_PORT_SSL, ssl_handle);
2878 dissector_add("tcp.port", TCP_PORT_SSL_LDAP, ssl_handle);
2879 dissector_add("tcp.port", TCP_PORT_SSL_IMAP, ssl_handle);
2880 dissector_add("tcp.port", TCP_PORT_SSL_POP, ssl_handle);