TLS: use macros for GREASE checks

The tests in `packet-tls-utils.c` for GREASE values aren't strictly
correct, in that they would falsely ignore a value such as 0x1a2a.

Create a macro to replace this test, which also serves to document the
intent of the test to future developers.

Also create a macro for the reserved values of QUIC transport parameters
which serve a similar function as GREASE.
David Perry 2023-02-21 08:11:46 -05:00 committed by John Thacker
parent 56b97c0fa5
commit 9730610c0b
1 changed files with 16 additions and 7 deletions


@ -53,6 +53,17 @@
#include <gnutls/abstract.h>
#endif
/* JA3/JA3S calculations must ignore GREASE values
* as described in RFC 8701.
*/
#define IS_GREASE_TLS(x) ((((x) & 0x0f0f) == 0x0a0a) && \
(((x) & 0xff) == (((x)>>8) & 0xff)))
/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
* form for a similar purpose as GREASE.
*/
#define IS_GREASE_QUIC(x) ((((x) - 27) % 31) == 0)
/* Lookup tables {{{ */
const value_string ssl_version_short_names[] = {
{ SSLV2_VERSION, "SSLv2" },
@ -2273,8 +2284,7 @@ void
quic_transport_parameter_id_base_custom(gchar *result, guint64 parameter_id)
{
const char *label;
/* GREASE? https://tools.ietf.org/html/draft-ietf-quic-transport-27#section-18.1 */
if (((parameter_id - 27) % 31) == 0) {
if (IS_GREASE_QUIC(parameter_id)) {
label = "GREASE";
} else if (parameter_id > 0xffffffff) {
// There are no 64-bit Parameter IDs at the moment.
@ -7869,8 +7879,7 @@ ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tv
proto_item_set_len(parameter_tree, 4 + parameter_length);
}
/* GREASE? https://tools.ietf.org/html/draft-ietf-quic-transport-27#section-18.1 */
if (((parameter_type - 27) % 31) == 0) {
if (IS_GREASE_QUIC(parameter_type)) {
proto_item_append_text(parameter_tree, ": GREASE");
} else if (parameter_type > G_MAXUINT) {
/* There are currently no known TP larger than 32 bits, therefore
@ -8451,7 +8460,7 @@ ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *t
proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
ENC_BIG_ENDIAN, &ext_supported_group);
offset += 2;
if (ja3 && ((ext_supported_group & 0x0f0f) != 0x0a0a)) {
if (ja3 && !IS_GREASE_TLS(ext_supported_group)) {
wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
ja3_dash = "-";
}
@ -9067,7 +9076,7 @@ ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, tvb, offset, 2,
ENC_BIG_ENDIAN, &cipher_suite);
offset += 2;
if ((cipher_suite & 0x0f0f) != 0x0a0a) {
if (!IS_GREASE_TLS(cipher_suite)) {
wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
ja3_dash = "-";
}
@ -9868,7 +9877,7 @@ ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *t
proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
tvb, offset, 2, ext_type);
offset += 2;
if (ja3 && ((ext_type & 0x0f0f) != 0x0a0a)) {
if (ja3 && !IS_GREASE_TLS(ext_type)) {
wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
ja3_dash = "-";
}
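Review bot: `IS_GREASE_QUIC` in the first hunk subtracts before it tests, so any value below 27 wraps around when the argument is unsigned 64-bit. `parameter_id` is declared `guint64` in `quic_transport_parameter_id_base_custom`, and `parameter_type` is compared against `G_MAXUINT`, so it is presumably 64-bit as well. Because 2^64 ≡ 16 (mod 31), the wrapped result for 11 is a multiple of 31, so transport parameter 0x0b (max_ack_delay in RFC 9000) would be labelled GREASE instead of shown under its real name; the old inline test had the same behaviour and the macro carries it over. A lower-bound guard fixes it: `#define IS_GREASE_QUIC(x) (((x) >= 27) && ((((x) - 27) % 31) == 0))`. Both macros also expand `x` more than once, which is harmless for the plain variables passed here but deserves a comment such as `/* x is evaluated more than once; pass side-effect-free expressions */`; the dissector function bodies continue outside the visible hunks.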