* Routines for ssl dissection
* Copyright (c) 2000-2001, Scott Renfro <scott@renfro.org>
*
- * $Id: packet-ssl.c,v 1.12 2002/01/04 07:01:54 guy Exp $
+ * $Id: packet-ssl.c,v 1.22 2002/04/11 09:43:22 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
# include "snprintf.h"
#endif
-#include "conversation.h"
+#include <epan/conversation.h>
#include "prefs.h"
static gboolean ssl_desegment = TRUE;
static int hf_ssl2_record_is_escape = -1;
static int hf_ssl2_record_padding_length = -1;
static int hf_ssl2_msg_type = -1;
+static int hf_pct_msg_type = -1;
static int hf_ssl_change_cipher_spec = -1;
static int hf_ssl_alert_message = -1;
static int hf_ssl_alert_message_level = -1;
/* The TCP port to associate with by default */
#define TCP_PORT_SSL 443
+#define TCP_PORT_SSL_LDAP 636
+#define TCP_PORT_SSL_IMAP 993
+#define TCP_PORT_SSL_POP 995
/* version state tables */
#define SSL_VER_UNKNOWN 0
#define SSL_VER_SSLv2 1
#define SSL_VER_SSLv3 2
#define SSL_VER_TLS 3
+#define SSL_VER_PCT 4
/* corresponds to the #defines above */
static gchar* ssl_version_short_names[] = {
"SSLv2",
"SSLv3",
"TLS",
+ "PCT"
};
/* other defines */
#define SSL2_HND_REQUEST_CERTIFICATE 0x07
#define SSL2_HND_CLIENT_CERTIFICATE 0x08
+#define PCT_VERSION_1 0x8001
+
+#define PCT_MSG_CLIENT_HELLO 0x01
+#define PCT_MSG_SERVER_HELLO 0x02
+#define PCT_MSG_CLIENT_MASTER_KEY 0x03
+#define PCT_MSG_SERVER_VERIFY 0x04
+#define PCT_MSG_ERROR 0x05
+
/*
* Lookup tables
*
{ 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
{ 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
{ 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
+ { 0x080080, "SSL2_RC4_64_WITH_MD5" },
{ 0x000000, "TLS_NULL_WITH_NULL_NULL" },
{ 0x000001, "TLS_RSA_WITH_NULL_MD5" },
{ 0x000002, "TLS_RSA_WITH_NULL_SHA" },
{ 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
{ 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
{ 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
+ { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
+ { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
{ 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
{ 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
{ 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
{ 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
{ 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
{ 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
+ /* Microsoft's old PCT protocol. These are from Eric Rescorla's
+ book "SSL and TLS" */
+ { 0x8f8001, "PCT_SSL_COMPAT | PCT_VERSION_1" },
+ { 0x800003, "PCT_SSL_CERT_TYPE | PCT1_CERT_X509_CHAIN" },
+ { 0x800001, "PCT_SSL_CERT_TYPE | PCT1_CERT_X509" },
+ { 0x810001, "PCT_SSL_HASH_TYPE | PCT1_HASH_MD5" },
+ { 0x810003, "PCT_SSL_HASH_TYPE | PCT1_HASH_SHA" },
+ { 0x820001, "PCT_SSL_EXCH_TYPE | PCT1_EXCH_RSA_PKCS1" },
+ { 0x830004, "PCT_SSL_CIPHER_TYPE_1ST_HALF | PCT1_CIPHER_RC4" },
+ { 0x848040, "PCT_SSL_CIPHER_TYPE_2ND_HALF | PCT1_ENC_BITS_128 | PCT1_MAC_BITS_128" },
+ { 0x842840, "PCT_SSL_CIPHER_TYPE_2ND_HALF | PCT1_ENC_BITS_40 | PCT1_MAC_BITS_128" },
/* note that ciphersuites of {0x00????} are TLS cipher suites in
* a sslv2 client hello message; the ???? above is the two-byte
* tls cipher suite id
{ 0x00, NULL }
};
+static const value_string pct_msg_types[] = {
+ { PCT_MSG_CLIENT_HELLO, "Client Hello" },
+ { PCT_MSG_SERVER_HELLO, "Server Hello" },
+ { PCT_MSG_CLIENT_MASTER_KEY, "Client Master Key" },
+ { PCT_MSG_SERVER_VERIFY, "Server Verify" },
+ { PCT_MSG_ERROR, "Error" },
+ { 0x00, NULL },
+};
+
+
/*********************************************************************
*
* Forward Declarations
/* record layer dissector */
static int dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
proto_tree *tree, guint32 offset,
- guint *conv_version);
+ guint *conv_version,
+ gboolean *need_desegmentation);
/* change cipher spec dissector */
-static void dissect_ssl3_change_cipher_spec(tvbuff_t *tvb, packet_info *pinfo,
+static void dissect_ssl3_change_cipher_spec(tvbuff_t *tvb,
proto_tree *tree,
guint32 offset,
guint *conv_version);
guint *conv_version);
-static void dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb, packet_info *pinfo,
+static void dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb,
proto_tree *tree,
guint32 offset);
-static void dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb, packet_info *pinfo,
+static void dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb,
proto_tree *tree,
guint32 offset);
-static void dissect_ssl3_hnd_cert(tvbuff_t *tvb, packet_info *pinfo,
+static void dissect_ssl3_hnd_cert(tvbuff_t *tvb,
proto_tree *tree, guint32 offset);
-static void dissect_ssl3_hnd_cert_req(tvbuff_t *tvb, packet_info *pinfo,
+static void dissect_ssl3_hnd_cert_req(tvbuff_t *tvb,
proto_tree *tree,
guint32 offset);
-static void dissect_ssl3_hnd_finished(tvbuff_t *tvb, packet_info *pinfo,
+static void dissect_ssl3_hnd_finished(tvbuff_t *tvb,
proto_tree *tree,
guint32 offset,
guint *conv_version);
/* record layer dissector */
static int dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo,
proto_tree *tree, guint32 offset,
- guint *conv_version);
+ guint *conv_version,
+ gboolean *need_desegmentation);
/* client hello dissector */
-static void dissect_ssl2_hnd_client_hello(tvbuff_t *tvb, packet_info *pinfo,
+static void dissect_ssl2_hnd_client_hello(tvbuff_t *tvb,
proto_tree *tree,
guint32 offset);
/* client master key dissector */
static void dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb,
- packet_info *pinfo,
proto_tree *tree,
guint32 offset);
/* server hello dissector */
static void dissect_ssl2_hnd_server_hello(tvbuff_t *tvb,
- packet_info *pinfo,
proto_tree *tree,
guint32 offset);
static int ssl_looks_like_valid_v2_handshake(tvbuff_t *tvb,
guint32 offset,
guint32 record_length);
+static int ssl_looks_like_valid_pct_handshake(tvbuff_t *tvb,
+ guint32 offset,
+ guint32 record_length);
/*********************************************************************
*
proto_tree *ssl_tree = NULL;
guint32 offset = 0;
gboolean first_record_in_frame = TRUE;
+ gboolean need_desegmentation;
/* Track the version using conversations to reduce the
* chance that a packet that simply *looks* like a v2 or
/* Create display subtree for SSL as a whole */
if (tree)
{
- ti = proto_tree_add_item(tree, proto_ssl, tvb,
- 0, tvb_length(tvb), FALSE);
+ ti = proto_tree_add_item(tree, proto_ssl, tvb, 0, -1, FALSE);
ssl_tree = proto_item_add_subtree(ti, ett_ssl);
}
- /* iterate through the records in this frame */
- while (offset < tvb_length(tvb)-1)
+ /* iterate through the records in this tvbuff */
+ while (tvb_reported_length_remaining(tvb, offset) != 0)
{
/* on second and subsequent records per frame
* add a delimiter on info column
col_append_str(pinfo->cinfo, COL_INFO, ", ");
}
+ /*
+ * Assume, for now, that this doesn't need desegmentation.
+ */
+ need_desegmentation = FALSE;
+
/* first try to dispatch off the cached version
* known to be associated with the conversation
*/
switch(conv_version) {
case SSL_VER_SSLv2:
+ case SSL_VER_PCT:
offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
- offset, &conv_version);
+ offset, &conv_version,
+ &need_desegmentation);
break;
case SSL_VER_SSLv3:
if (ssl_is_v2_client_hello(tvb, offset))
{
offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
- offset, &conv_version);
+ offset, &conv_version,
+ &need_desegmentation);
}
else
{
offset = dissect_ssl3_record(tvb, pinfo, ssl_tree,
- offset, &conv_version);
+ offset, &conv_version,
+ &need_desegmentation);
}
break;
default:
if (ssl_looks_like_sslv2(tvb, offset))
{
- /* looks like sslv2 client hello */
+ /* looks like sslv2 or pct client hello */
offset = dissect_ssl2_record(tvb, pinfo, ssl_tree,
- offset, &conv_version);
+ offset, &conv_version,
+ &need_desegmentation);
}
else if (ssl_looks_like_sslv3(tvb, offset))
{
/* looks like sslv3 or tls */
offset = dissect_ssl3_record(tvb, pinfo, ssl_tree,
- offset, &conv_version);
+ offset, &conv_version,
+ &need_desegmentation);
}
else
{
}
/* Desegmentation return check */
- if (pinfo->desegment_len > 0)
+ if (need_desegmentation)
return;
/* If we haven't already set the version information for
static int
dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
proto_tree *tree, guint32 offset,
- guint *conv_version)
+ guint *conv_version, gboolean *need_desegmentation)
{
/*
proto_tree *ssl_record_tree = NULL;
guint32 available_bytes = 0;
+ available_bytes = tvb_length_remaining(tvb, offset);
+
+ /*
+ * Can we do reassembly?
+ */
+ if (ssl_desegment && pinfo->can_desegment) {
+ /*
+ * Yes - is the record header split across segment boundaries?
+ */
+ if (available_bytes < 5) {
+ /*
+ * Yes. Tell the TCP dissector where the data for this
+ * message starts in the data it handed us, and how many
+ * more bytes we need, and return.
+ */
+ pinfo->desegment_offset = offset;
+ pinfo->desegment_len = 5 - available_bytes;
+ *need_desegmentation = TRUE;
+ return offset;
+ }
+ }
+
/*
* Get the record layer fields of interest
*/
if (ssl_is_valid_content_type(content_type)) {
/*
- * Desegmentation test
+ * Can we do reassembly?
*/
- available_bytes = tvb_length_remaining(tvb, offset + 5);
- if (ssl_desegment
- && pinfo->can_desegment
- && available_bytes < record_length) {
-
- pinfo->desegment_offset = offset;
- pinfo->desegment_len = record_length - available_bytes;
- return offset;
+ if (ssl_desegment && pinfo->can_desegment) {
+ /*
+ * Yes - is the record split across segment boundaries?
+ */
+ if (available_bytes < record_length + 5) {
+ /*
+ * Yes. Tell the TCP dissector where the data for this
+ * message starts in the data it handed us, and how many
+ * more bytes we need, and return.
+ */
+ pinfo->desegment_offset = offset;
+ pinfo->desegment_len = (record_length + 5) - available_bytes;
+ *need_desegmentation = TRUE;
+ return offset;
+ }
}
} else {
return offset + 5 + record_length;
}
-
/*
* If GUI, fill in record layer part of tree
*/
case SSL_ID_CHG_CIPHER_SPEC:
if (check_col(pinfo->cinfo, COL_INFO))
col_append_str(pinfo->cinfo, COL_INFO, "Change Cipher Spec");
- dissect_ssl3_change_cipher_spec(tvb, pinfo, ssl_record_tree,
+ dissect_ssl3_change_cipher_spec(tvb, ssl_record_tree,
offset, conv_version);
break;
case SSL_ID_ALERT:
/* dissects the change cipher spec procotol, filling in the tree */
static void
-dissect_ssl3_change_cipher_spec(tvbuff_t *tvb, packet_info *pinfo,
+dissect_ssl3_change_cipher_spec(tvbuff_t *tvb,
proto_tree *tree, guint32 offset,
guint *conv_version)
{
break;
case SSL_HND_CLIENT_HELLO:
- dissect_ssl3_hnd_cli_hello(tvb, pinfo, ssl_hand_tree, offset);
+ dissect_ssl3_hnd_cli_hello(tvb, ssl_hand_tree, offset);
break;
case SSL_HND_SERVER_HELLO:
- dissect_ssl3_hnd_srv_hello(tvb, pinfo, ssl_hand_tree, offset);
+ dissect_ssl3_hnd_srv_hello(tvb, ssl_hand_tree, offset);
break;
case SSL_HND_CERTIFICATE:
- dissect_ssl3_hnd_cert(tvb, pinfo, ssl_hand_tree, offset);
+ dissect_ssl3_hnd_cert(tvb, ssl_hand_tree, offset);
break;
case SSL_HND_CERT_REQUEST:
- dissect_ssl3_hnd_cert_req(tvb, pinfo, ssl_hand_tree, offset);
+ dissect_ssl3_hnd_cert_req(tvb, ssl_hand_tree, offset);
break;
case SSL_HND_SVR_HELLO_DONE:
break;
case SSL_HND_FINISHED:
- dissect_ssl3_hnd_finished(tvb, pinfo, ssl_hand_tree,
+ dissect_ssl3_hnd_finished(tvb, ssl_hand_tree,
offset, conv_version);
break;
}
static void
-dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb, packet_info *pinfo,
+dissect_ssl3_hnd_cli_hello(tvbuff_t *tvb,
proto_tree *tree, guint32 offset)
{
/* struct {
}
static void
-dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb, packet_info *pinfo,
+dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb,
proto_tree *tree, guint32 offset)
{
/* struct {
}
static void
-dissect_ssl3_hnd_cert(tvbuff_t *tvb, packet_info *pinfo,
+dissect_ssl3_hnd_cert(tvbuff_t *tvb,
proto_tree *tree, guint32 offset)
{
}
static void
-dissect_ssl3_hnd_cert_req(tvbuff_t *tvb, packet_info *pinfo,
+dissect_ssl3_hnd_cert_req(tvbuff_t *tvb,
proto_tree *tree, guint32 offset)
{
/*
}
static void
-dissect_ssl3_hnd_finished(tvbuff_t *tvb, packet_info *pinfo,
+dissect_ssl3_hnd_finished(tvbuff_t *tvb,
proto_tree *tree, guint32 offset,
guint *conv_version)
{
/* record layer dissector */
static int
-dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree
- *tree, guint32 offset, guint *conv_version)
+dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
+ guint32 offset, guint *conv_version,
+ gboolean *need_desegmentation)
{
guint32 initial_offset = offset;
guint8 byte = 0;
proto_tree *ti;
proto_tree *ssl_record_tree = NULL;
- /* if we get here, but don't have a version set for the
- * conversation, then set a version for just this frame
- * (e.g., on a client hello)
- */
- if (check_col(pinfo->cinfo, COL_PROTOCOL))
- {
- col_set_str(pinfo->cinfo, COL_PROTOCOL, "SSLv2");
- }
-
/* pull first byte; if high bit is set, then record
* length is three bytes due to padding; otherwise
* record length is two bytes
*/
- byte = tvb_get_guint8(tvb, offset++);
+ byte = tvb_get_guint8(tvb, offset);
record_length_length = (byte & 0x80) ? 2 : 3;
+ /*
+ * Can we do reassembly?
+ */
+ available_bytes = tvb_length_remaining(tvb, offset);
+
+ if (ssl_desegment && pinfo->can_desegment) {
+ /*
+ * Yes - is the record header split across segment boundaries?
+ */
+ if (available_bytes < record_length_length) {
+ /*
+ * Yes. Tell the TCP dissector where the data for this
+ * message starts in the data it handed us, and how many
+ * more bytes we need, and return.
+ */
+ pinfo->desegment_offset = offset;
+ pinfo->desegment_len = record_length_length - available_bytes;
+ *need_desegmentation = TRUE;
+ return offset;
+ }
+ }
+
/* parse out the record length */
switch(record_length_length) {
case 2: /* two-byte record length */
record_length = (byte & 0x7f) << 8;
- byte = tvb_get_guint8(tvb, offset++);
+ byte = tvb_get_guint8(tvb, offset + 1);
record_length += byte;
break;
case 3: /* three-byte record length */
is_escape = (byte & 0x40) ? TRUE : FALSE;
record_length = (byte & 0x3f) << 8;
- byte = tvb_get_guint8(tvb, offset++);
+ byte = tvb_get_guint8(tvb, offset + 1);
record_length += byte;
- byte = tvb_get_guint8(tvb, offset++);
+ byte = tvb_get_guint8(tvb, offset + 2);
padding_length = byte;
}
/*
- * Desegmentation test
+ * Can we do reassembly?
*/
- available_bytes = tvb_length_remaining(tvb, offset);
- if (ssl_desegment
- && pinfo->can_desegment
- && available_bytes < record_length) {
-
- pinfo->desegment_offset = offset;
- pinfo->desegment_len = record_length - available_bytes;
- return offset;
+ if (ssl_desegment && pinfo->can_desegment) {
+ /*
+ * Yes - is the record split across segment boundaries?
+ */
+ if (available_bytes < (record_length_length + record_length)) {
+ /*
+ * Yes. Tell the TCP dissector where the data for this
+ * message starts in the data it handed us, and how many
+ * more bytes we need, and return.
+ */
+ pinfo->desegment_offset = offset;
+ pinfo->desegment_len = (record_length_length + record_length)
+ - available_bytes;
+ *need_desegmentation = TRUE;
+ return offset;
+ }
}
+ offset += record_length_length;
/* add the record layer subtree header */
ti = proto_tree_add_item(tree, hf_ssl2_record, tvb, initial_offset,
/* if we get a server_hello or later handshake in v2, then set
* this to sslv2
*/
- if (*conv_version == SSL_VER_UNKNOWN
- && msg_type >= 2 && msg_type <= 8)
+ if (*conv_version == SSL_VER_UNKNOWN)
+ {
+ if (ssl_looks_like_valid_pct_handshake(tvb,
+ (initial_offset +
+ record_length_length),
+ record_length)) {
+ *conv_version = SSL_VER_PCT;
+ ssl_set_conv_version(pinfo, *conv_version);
+ }
+ else if (msg_type >= 2 && msg_type <= 8)
+ {
+ *conv_version = SSL_VER_SSLv2;
+ ssl_set_conv_version(pinfo, *conv_version);
+ }
+ }
+
+ /* if we get here, but don't have a version set for the
+ * conversation, then set a version for just this frame
+ * (e.g., on a client hello)
+ */
+ if (check_col(pinfo->cinfo, COL_PROTOCOL))
{
- *conv_version = SSL_VER_SSLv2;
- ssl_set_conv_version(pinfo, *conv_version);
+ col_set_str(pinfo->cinfo, COL_PROTOCOL,
+ (*conv_version == SSL_VER_PCT) ? "PCT" : "SSLv2");
}
/* see if the msg_type is valid; if not the payload is
* probably encrypted, so note that fact and bail
*/
- msg_type_str = match_strval(msg_type, ssl_20_msg_types);
+ msg_type_str = match_strval(msg_type,
+ (*conv_version == SSL_VER_PCT)
+ ? pct_msg_types : ssl_20_msg_types);
if (!msg_type_str
- || !ssl_looks_like_valid_v2_handshake(tvb, initial_offset
- + record_length_length,
- record_length))
+ || ((*conv_version != SSL_VER_PCT) &&
+ !ssl_looks_like_valid_v2_handshake(tvb, initial_offset
+ + record_length_length,
+ record_length))
+ || ((*conv_version == SSL_VER_PCT) &&
+ !ssl_looks_like_valid_pct_handshake(tvb, initial_offset
+ + record_length_length,
+ record_length)))
{
if (ssl_record_tree)
{
- proto_item_set_text(ssl_record_tree, "SSLv2 Record Layer: %s",
+ proto_item_set_text(ssl_record_tree, "%s Record Layer: %s",
+ (*conv_version == SSL_VER_PCT)
+ ? "PCT" : "SSLv2",
"Encrypted Data");
}
if (check_col(pinfo->cinfo, COL_INFO))
if (ssl_record_tree)
{
- proto_item_set_text(ssl_record_tree, "SSLv2 Record Layer: %s",
+ proto_item_set_text(ssl_record_tree, "%s Record Layer: %s",
+ (*conv_version == SSL_VER_PCT)
+ ? "PCT" : "SSLv2",
msg_type_str);
}
}
/* add the message type */
if (ssl_record_tree)
{
- proto_tree_add_item(ssl_record_tree, hf_ssl2_msg_type, tvb,
- offset, 1, 0);
+ proto_tree_add_item(ssl_record_tree,
+ (*conv_version == SSL_VER_PCT)
+ ? hf_pct_msg_type : hf_ssl2_msg_type,
+ tvb, offset, 1, 0);
}
offset++; /* move past msg_type byte */
+ if (*conv_version != SSL_VER_PCT)
+ {
+ /* dissect the message (only handle client hello right now) */
+ switch (msg_type) {
+ case SSL2_HND_CLIENT_HELLO:
+ dissect_ssl2_hnd_client_hello(tvb, ssl_record_tree, offset);
+ break;
- /* dissect the message (only handle client hello right now) */
- switch (msg_type) {
- case SSL2_HND_CLIENT_HELLO:
- dissect_ssl2_hnd_client_hello(tvb, pinfo, ssl_record_tree, offset);
- break;
-
- case SSL2_HND_CLIENT_MASTER_KEY:
- dissect_ssl2_hnd_client_master_key(tvb, pinfo, ssl_record_tree, offset);
- break;
+ case SSL2_HND_CLIENT_MASTER_KEY:
+ dissect_ssl2_hnd_client_master_key(tvb, ssl_record_tree, offset);
+ break;
- case SSL2_HND_SERVER_HELLO:
- dissect_ssl2_hnd_server_hello(tvb, pinfo, ssl_record_tree, offset);
- break;
+ case SSL2_HND_SERVER_HELLO:
+ dissect_ssl2_hnd_server_hello(tvb, ssl_record_tree, offset);
+ break;
- case SSL2_HND_ERROR:
- case SSL2_HND_CLIENT_FINISHED:
- case SSL2_HND_SERVER_VERIFY:
- case SSL2_HND_SERVER_FINISHED:
- case SSL2_HND_REQUEST_CERTIFICATE:
- case SSL2_HND_CLIENT_CERTIFICATE:
- /* unimplemented */
- break;
+ case SSL2_HND_ERROR:
+ case SSL2_HND_CLIENT_FINISHED:
+ case SSL2_HND_SERVER_VERIFY:
+ case SSL2_HND_SERVER_FINISHED:
+ case SSL2_HND_REQUEST_CERTIFICATE:
+ case SSL2_HND_CLIENT_CERTIFICATE:
+ /* unimplemented */
+ break;
- default: /* unknown */
- break;
+ default: /* unknown */
+ break;
+ }
}
+ else
+ {
+ /* dissect the message */
+ switch (msg_type) {
+ case PCT_MSG_CLIENT_HELLO:
+ case PCT_MSG_SERVER_HELLO:
+ case PCT_MSG_CLIENT_MASTER_KEY:
+ case PCT_MSG_SERVER_VERIFY:
+ case PCT_MSG_ERROR:
+ /* unimplemented */
+ break;
-
+ default: /* unknown */
+ break;
+ }
+ }
return (initial_offset + record_length_length + record_length);
}
static void
-dissect_ssl2_hnd_client_hello(tvbuff_t *tvb, packet_info *pinfo,
+dissect_ssl2_hnd_client_hello(tvbuff_t *tvb,
proto_tree *tree, guint32 offset)
{
/* struct {
}
static void
-dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb, packet_info *pinfo,
+dissect_ssl2_hnd_client_master_key(tvbuff_t *tvb,
proto_tree *tree, guint32 offset)
{
/* struct {
}
static void
-dissect_ssl2_hnd_server_hello(tvbuff_t *tvb, packet_info *pinfo,
+dissect_ssl2_hnd_server_hello(tvbuff_t *tvb,
proto_tree *tree, guint32 offset)
{
/* struct {
case SSL2_HND_CLIENT_HELLO:
case SSL2_HND_CLIENT_MASTER_KEY:
case SSL2_HND_SERVER_HELLO:
+ case PCT_MSG_CLIENT_MASTER_KEY:
+ case PCT_MSG_ERROR:
return 1;
}
return 0;
return 0;
}
+/* applies a heuristic to determine whether
+ * or not the data beginning at offset looks
+ * like a valid, unencrypted v2 handshake message.
+ * since it isn't possible to completely tell random
+ * data apart from a valid message without state,
+ * we try to help the odds.
+ */
+static int
+ssl_looks_like_valid_pct_handshake(tvbuff_t *tvb, guint32 offset,
+ guint32 record_length)
+{
+ /* first byte should be a msg_type.
+ *
+ * - we know we only see client_hello, client_master_key,
+ * and server_hello in the clear, so check to see if
+ * msg_type is one of those (this gives us a 3 in 2^8
+ * chance of saying yes with random payload)
+ *
+ * - for those three types that we know about, do some
+ * further validation to reduce the chance of an error
+ */
+ guint8 msg_type;
+ guint16 version;
+ guint32 sum;
+
+ /* fetch the msg_type */
+ msg_type = tvb_get_guint8(tvb, offset);
+
+ switch (msg_type) {
+ case PCT_MSG_CLIENT_HELLO:
+ /* version follows msg byte, so verify that this is valid */
+ version = tvb_get_ntohs(tvb, offset+1);
+ return version == PCT_VERSION_1;
+ break;
+
+ case PCT_MSG_SERVER_HELLO:
+ /* version is one byte after msg_type */
+ version = tvb_get_ntohs(tvb, offset+2);
+ return version == PCT_VERSION_1;
+ break;
+
+ case PCT_MSG_CLIENT_MASTER_KEY:
+ /* sum of various length fields must be less than record length */
+ sum = tvb_get_ntohs(tvb, offset + 6); /* clear_key_length */
+ sum += tvb_get_ntohs(tvb, offset + 8); /* encrypted_key_length */
+ sum += tvb_get_ntohs(tvb, offset + 10); /* key_arg_length */
+ sum += tvb_get_ntohs(tvb, offset + 12); /* verify_prelude_length */
+ sum += tvb_get_ntohs(tvb, offset + 14); /* client_cert_length */
+ sum += tvb_get_ntohs(tvb, offset + 16); /* response_length */
+ if (sum > record_length)
+ {
+ return 0;
+ }
+ return 1;
+ break;
+
+ case PCT_MSG_SERVER_VERIFY:
+ /* record is 36 bytes longer than response_length */
+ sum = tvb_get_ntohs(tvb, offset + 34); /* response_length */
+ if ((sum + 36) == record_length)
+ return 1;
+ else
+ return 0;
+ break;
+
+ default:
+ return 0;
+ }
+ return 0;
+}
+
+
/*********************************************************************
*
* Standard Ethereal Protocol Registration and housekeeping
FT_UINT8, BASE_DEC, VALS(ssl_20_msg_types), 0x0,
"SSLv2 handshake message type", HFILL}
},
+ { &hf_pct_msg_type,
+ { "Handshake Message Type", "ssl.pct_handshake.type",
+ FT_UINT8, BASE_DEC, VALS(pct_msg_types), 0x0,
+ "PCT handshake message type", HFILL}
+ },
{ &hf_ssl_record_version,
{ "Version", "ssl.record.version",
FT_UINT16, BASE_HEX, VALS(ssl_versions), 0x0,
"Payload is application data", HFILL }
},
{ & hf_ssl2_record,
- { "SSLv2 Record Header", "ssl.record",
+ { "SSLv2/PCT Record Header", "ssl.record",
FT_NONE, BASE_DEC, NULL, 0x0,
- "SSLv2 record data", HFILL }
+ "SSLv2/PCT record data", HFILL }
},
{ &hf_ssl2_record_is_escape,
{ "Is Escape", "ssl.record.is_escape",
"When enabled, SSL records that span multiple TCP segments are desegmented",
&ssl_desegment);
}
+
+ register_dissector("ssl", dissect_ssl, proto_ssl);
+
}
/* If this dissector uses sub-dissector registration add a registration
{
dissector_handle_t ssl_handle;
- ssl_handle = create_dissector_handle(dissect_ssl, proto_ssl);
+ ssl_handle = find_dissector("ssl");
dissector_add("tcp.port", TCP_PORT_SSL, ssl_handle);
+ dissector_add("tcp.port", TCP_PORT_SSL_LDAP, ssl_handle);
+ dissector_add("tcp.port", TCP_PORT_SSL_IMAP, ssl_handle);
+ dissector_add("tcp.port", TCP_PORT_SSL_POP, ssl_handle);
}