TLS: allow but warn about 0x0304 in Client Hello legacy version field.

You're Not Supposed To Do That, as per RFC 8446 section 4.1.2 "Client Hello". Also do the equivalent check for DTLS, as RFC 9147 Section 5.3 "Client Hello" says You're Not Supposed To Do The Equivalent. We don't yet handle DTLS 1.3, but if we ever do.... Fixes #18851. While we're at it, improve two comments to clarify what ssl_dissect_hnd_hello_common() does (and to fix one place where the old comment was incorrect).
2023-02-09 01:49:28 -08:00 · 2023-02-09 01:49:28 -08:00 · 2d173ec34c
parent 60b87b55db
commit 2d173ec34c
3 changed files with 32 additions and 5 deletions
--- a/epan/dissectors/packet-tls-utils.c
+++ b/epan/dissectors/packet-tls-utils.c
@ -9001,12 +9001,31 @@ ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
    gchar      *ja3_dash = "";

    /* show the client version */
-    proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, tvb,
-                        offset, 2, ENC_BIG_ENDIAN, &ja3_value);
+    ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, tvb,
+                                      offset, 2, ENC_BIG_ENDIAN, &ja3_value);
    offset += 2;
    wmem_strbuf_append_printf(ja3, "%i,", ja3_value);

-    /* dissect fields that are also present in ClientHello */
+    /*
+     * Is it version 1.3?
+     * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
+     * to be TLS 1.2, and mention 1.3 in an extension.  See RFC 8446
+     * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
+     * Hello".
+     */
+    if (dtls_hfs != NULL) {
+        if (ja3_value == DTLSV1DOT3_VERSION) {
+            /* Don't do that. */
+            expert_add_info(pinfo, ti, &hf->ei.client_version_error);
+        }
+    } else {
+        if (ja3_value == TLSV1DOT3_VERSION) {
+            /* Don't do that. */
+            expert_add_info(pinfo, ti, &hf->ei.client_version_error);
+        }
+    }
+
+    /* dissect fields that are present in both ClientHello and ServerHello */
    offset = ssl_dissect_hnd_hello_common(hf, tvb, tree, offset, session, ssl, FALSE, FALSE);

    /* fields specific for DTLS (cookie_len, cookie) */
@ -9138,7 +9157,7 @@ ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
    offset += 2;
    wmem_strbuf_append_printf(ja3, "%i", ja3_value);

-    /* dissect fields that are also present in ClientHello */
+    /* dissect fields that are present in both ClientHello and ServerHello */
    offset = ssl_dissect_hnd_hello_common(hf, tvb, tree, offset, session, ssl, TRUE, is_hrr);

    if (ssl) {
--- a/epan/dissectors/packet-tls-utils.h
+++ b/epan/dissectors/packet-tls-utils.h
@ -258,6 +258,7 @@ typedef struct _StringInfo {
 #define DTLSV1DOT0_VERSION     0xfeff
 #define DTLSV1DOT0_OPENSSL_VERSION 0x100
 #define DTLSV1DOT2_VERSION     0xfefd
+#define DTLSV1DOT3_VERSION     0xfefc

 /* Returns the TLS 1.3 draft version or 0 if not applicable. */
 static inline guint8 extract_tls13_draft_version(guint32 version) {
@ -1099,6 +1100,7 @@ typedef struct ssl_common_dissect {
    } ett;
    struct {
        /* Generic expert info for malformed packets. */
+        expert_field client_version_error;
        expert_field malformed_vector_length;
        expert_field malformed_buffer_too_small;
        expert_field malformed_trailing_data;
@ -1294,7 +1296,8 @@ ssl_common_dissect_t name = {   \
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1          \
    },                                                                  \
    /* ei */ {                                                          \
-        EI_INIT, EI_INIT, EI_INIT, EI_INIT, EI_INIT, EI_INIT, EI_INIT   \
+        EI_INIT, EI_INIT, EI_INIT, EI_INIT, EI_INIT, EI_INIT, EI_INIT,  \
+        EI_INIT                                                         \
    },                                                                  \
 }
 /* }}} */
@ -2501,6 +2504,10 @@ ssl_common_dissect_t name = {   \

 /* {{{ */
 #define SSL_COMMON_EI_LIST(name, prefix)                       \
+    { & name .ei.client_version_error, \
+        { prefix ".handshake.client_version_error", PI_PROTOCOL, PI_WARN, \
+        "Client Hello legacy version field specifies version 1.3, not version 1.2; some servers may not be able to handle that.", EXPFILL } \
+    }, \
    { & name .ei.malformed_vector_length, \
        { prefix ".malformed.vector_length", PI_PROTOCOL, PI_WARN, \
        "Variable vector length is outside the permitted range", EXPFILL } \
--- a/epan/dissectors/packet-tls.c
+++ b/epan/dissectors/packet-tls.c
@ -3874,6 +3874,7 @@ ssl_looks_like_sslv3(tvbuff_t *tvb, const guint32 offset)
    case TLSV1_VERSION:
    case TLSV1DOT1_VERSION:
    case TLSV1DOT2_VERSION:
+    case TLSV1DOT3_VERSION:
    case TLCPV1_VERSION:
        return 1;
    }