authorPeter Wu <peter@lekensteyn.nl>2017-10-03 02:54:28 +0100
committerAnders Broman <a.broman58@gmail.com>2017-10-04 03:40:16 +0000
commit3cddb369d57e8ef7b310edea7ba5d7b2be19e777 (patch)
tree09b892382fdb3db0198576697c6b1e223677f669
parent064038bb1bf12d992e8083517f37ae2acfa782a8 (diff)
TLS: enable OCSP status dissection for TLS 1.3 and DTLS
In TLS 1.2, the "certificate_status" extension in the CH would result in a response in the CertificateStatus handshake message. In TLS 1.3, the response appears in a SH extension instead. Refactor the code to use ssl_add_vector and hook it up with SH extensions dissection. Do not stop dissection on a non-empty Responder ID list. Remove misleading "CertificateStatus" tree item, it only covered the "OCSPResponse" vector, now its two children (just OCSP Response Length and the OCSP Response tree) are displayed directly. Enable DTLS support, the spec does not forbid it and there is a user: https://mta.openssl.org/pipermail/openssl-users/2016-August/004306.html Tested with tls-sct.pcap (bug 13372) which now shows one tree item less and tls13-18-cert-sct-ocsp.pcap (bug 12779) which now dissects the OCSP response in the Certificate Extensions. Change-Id: I2ccde84cb1e3bcb1bc47676eadc5cb542248cd92 Ping-Bug: 12779 Reviewed-on: https://code.wireshark.org/review/23819 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r--epan/dissectors/packet-dtls.c5
-rw-r--r--epan/dissectors/packet-ssl-utils.c182
-rw-r--r--epan/dissectors/packet-ssl-utils.h38
-rw-r--r--epan/dissectors/packet-ssl.c100
4 files changed, 181 insertions, 144 deletions
diff --git a/epan/dissectors/packet-dtls.c b/epan/dissectors/packet-dtls.c
index ccdf542797..1e2b5a35ff 100644
--- a/epan/dissectors/packet-dtls.c
+++ b/epan/dissectors/packet-dtls.c
@@ -1367,8 +1367,11 @@ dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo,
0, length, session, NULL);
break;
- case SSL_HND_CERT_URL:
case SSL_HND_CERT_STATUS:
+ tls_dissect_hnd_certificate_status(&dissect_dtls_hf, sub_tvb, pinfo, ssl_hand_tree, 0, length);
+ break;
+
+ case SSL_HND_CERT_URL:
case SSL_HND_SUPPLEMENTAL_DATA:
case SSL_HND_KEY_UPDATE:
case SSL_HND_ENCRYPTED_EXTS:
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 0fd2695948..7b3683d9cc 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -56,6 +56,7 @@
#include "packet-x509af.h"
#include "packet-x509if.h"
#include "packet-ssl-utils.h"
+#include "packet-ocsp.h"
#include "packet-ssl.h"
#include "packet-dtls.h"
#if defined(HAVE_LIBGNUTLS)
@@ -6601,9 +6602,31 @@ ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb,
}
static gint
-ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
- guint32 offset, gboolean has_length)
+ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
+ proto_tree *tree, guint32 offset, guint32 offset_end,
+ gboolean has_length)
{
+ /* TLS 1.2/1.3 status_request Client Hello Extension.
+ * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
+ * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
+ * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
+ * struct {
+ * CertificateStatusType status_type;
+ * uint16 request_length; // for status_request_v2
+ * select (status_type) {
+ * case ocsp: OCSPStatusRequest;
+ * case ocsp_multi: OCSPStatusRequest;
+ * } request;
+ * } CertificateStatusRequest; // CertificateStatusRequestItemV2
+ *
+ * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
+ * struct {
+ * ResponderID responder_id_list<0..2^16-1>;
+ * Extensions request_extensions;
+ * } OCSPStatusRequest;
+ * opaque ResponderID<1..2^16-1>;
+ * opaque Extensions<0..2^16-1>;
+ */
guint cert_status_type;
cert_status_type = tvb_get_guint8(tvb, offset);
@@ -6621,37 +6644,36 @@ ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb
case SSL_HND_CERT_STATUS_TYPE_OCSP:
case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI:
{
- guint16 responder_id_list_len;
- guint16 request_extensions_len;
- proto_item *responder_id;
- proto_item *request_extensions;
-
- responder_id_list_len = tvb_get_ntohs(tvb, offset);
- responder_id =
- proto_tree_add_item(tree,
- hf->hf.hs_ext_cert_status_responder_id_list_len,
- tvb, offset, 2, ENC_BIG_ENDIAN);
+ guint32 responder_id_list_len;
+ guint32 request_extensions_len;
+
+ /* ResponderID responder_id_list<0..2^16-1> */
+ if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
+ hf->hf.hs_ext_cert_status_responder_id_list_len, 0, G_MAXUINT16)) {
+ return offset_end;
+ }
offset += 2;
if (responder_id_list_len != 0) {
- expert_add_info_format(NULL, responder_id,
- &hf->ei.hs_ext_cert_status_undecoded,
+ proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
+ tvb, offset, responder_id_list_len,
"Responder ID list is not implemented, contact Wireshark"
" developers if you want this to be supported");
- /* Non-empty responder ID list would mess with extensions. */
- break;
}
+ offset += responder_id_list_len;
- request_extensions_len = tvb_get_ntohs(tvb, offset);
- request_extensions =
- proto_tree_add_item(tree,
- hf->hf.hs_ext_cert_status_request_extensions_len, tvb, offset,
- 2, ENC_BIG_ENDIAN);
+ /* opaque Extensions<0..2^16-1> */
+ if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
+ hf->hf.hs_ext_cert_status_request_extensions_len, 0, G_MAXUINT16)) {
+ return offset_end;
+ }
offset += 2;
- if (request_extensions_len != 0)
- expert_add_info_format(NULL, request_extensions,
- &hf->ei.hs_ext_cert_status_undecoded,
+ if (request_extensions_len != 0) {
+ proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
+ tvb, offset, request_extensions_len,
"Request Extensions are not implemented, contact"
" Wireshark developers if you want this to be supported");
+ }
+ offset += request_extensions_len;
break;
}
}
@@ -6659,19 +6681,101 @@ ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb
return offset;
}
-static gint
-ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
- guint32 offset)
+static guint
+ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
+ proto_tree *tree, guint32 offset, guint32 offset_end)
{
- gint32 list_len;
+ /* https://tools.ietf.org/html/rfc6961#section-2.2
+ * struct {
+ * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
+ * } CertificateStatusRequestListV2;
+ */
+ guint32 req_list_length, next_offset;
- list_len = tvb_get_ntohs(tvb, offset);
+ /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
+ if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
+ hf->hf.hs_ext_cert_status_request_list_len, 1, G_MAXUINT16)) {
+ return offset_end;
+ }
offset += 2;
+ next_offset = offset + req_list_length;
+
+ while (offset < next_offset) {
+ offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, TRUE);
+ }
+
+ return offset;
+}
+
+static guint32
+tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
+ guint32 offset, guint32 offset_end)
+{
+ guint32 response_length;
+ proto_item *ocsp_resp;
+ proto_tree *ocsp_resp_tree;
+ asn1_ctx_t asn1_ctx;
- while (list_len > 0) {
- guint32 prev_offset = offset;
- offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, tree, offset, TRUE);
- list_len -= (offset - prev_offset);
+ /* opaque OCSPResponse<1..2^24-1>; */
+ if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
+ hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24)) {
+ return offset_end;
+ }
+ offset += 3;
+
+ ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
+ response_length, ENC_BIG_ENDIAN);
+ proto_item_set_text(ocsp_resp, "OCSP Response");
+ ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
+ asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+ dissect_ocsp_OCSPResponse(FALSE, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
+ offset += response_length;;
+
+ return offset;
+}
+
+guint32
+tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
+ proto_tree *tree, guint32 offset, guint32 offset_end)
+{
+ /* TLS 1.2 "CertificateStatus" handshake message.
+ * TLS 1.3 "status_request" Certificate extension.
+ * struct {
+ * CertificateStatusType status_type;
+ * select (status_type) {
+ * case ocsp: OCSPResponse;
+ * case ocsp_multi: OCSPResponseList; // status_request_v2
+ * } response;
+ * } CertificateStatus;
+ * opaque OCSPResponse<1..2^24-1>;
+ * struct {
+ * OCSPResponse ocsp_response_list<1..2^24-1>;
+ * } OCSPResponseList; // status_request_v2
+ */
+ guint32 status_type, resp_list_length, next_offset;
+
+ proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
+ tvb, offset, 1, ENC_BIG_ENDIAN, &status_type);
+ offset += 1;
+
+ switch (status_type) {
+ case SSL_HND_CERT_STATUS_TYPE_OCSP:
+ offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
+ break;
+
+ case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI:
+ /* OCSPResponse ocsp_response_list<1..2^24-1> */
+ if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
+ hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24)) {
+ return offset_end;
+ }
+ offset += 3;
+ next_offset = offset + resp_list_length;
+
+ while (offset < next_offset) {
+ offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
+ }
+ break;
}
return offset;
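Review bot: `tls_dissect_ocsp_response` hands the whole `tvb` to `dissect_ocsp_OCSPResponse` with only `offset`, so the BER decoder is not bounded by the `response_length` that `ssl_add_vector` has just validated; an OCSPResponse whose encoded length exceeds the vector would be decoded from the bytes of whatever follows instead of being flagged against the vector, and this shared path now also serves DTLS and TLS 1.3. Decoding from a bounded subset keeps the ASN.1 dissector inside the vector and attributes any length error to the OCSP response itself: `tvbuff_t *ocsp_tvb = tvb_new_subset_length(tvb, offset, response_length);` followed by `dissect_ocsp_OCSPResponse(FALSE, ocsp_tvb, 0, &asn1_ctx, ocsp_resp_tree, -1);`. The stray `;;` on `offset += response_length;;` should be a single semicolon. In `tls_dissect_hnd_certificate_status` the switch has no `default:`, so an unknown `status_type` returns with only the type byte consumed and leaves the remainder to the caller; if that is intended, a comment such as `/* unknown status_type: remaining bytes are left for the caller to report */` would make it explicit, and the same applies to the switch tail of `ssl_dissect_hnd_hello_ext_status_request` in the previous hunk.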
@@ -7744,6 +7848,7 @@ ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *t
guint32 ext_len;
guint32 next_offset;
proto_tree *ext_tree;
+ gboolean is_tls13 = session->version == TLSV1DOT3_VERSION;
/* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
@@ -7780,9 +7885,11 @@ ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *t
offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
break;
case SSL_HND_HELLO_EXT_STATUS_REQUEST:
- if (hnd_type == SSL_HND_CLIENT_HELLO)
- offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, ext_tree, offset, FALSE);
- // TODO dissect CertificateStatus for SSL_HND_CERTIFICATE (TLS 1.3)
+ if (hnd_type == SSL_HND_CLIENT_HELLO) {
+ offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, FALSE);
+ } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
+ offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
+ }
break;
case SSL_HND_HELLO_EXT_CERT_TYPE:
offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
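Review bot: The new `else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE)` branch gates Certificate-extension dissection on `session->version`, which is only established once the ServerHello has been seen; in a capture that starts mid-handshake the status_request extension on a CertificateEntry is left undissected and `offset` unchanged, even though a Certificate message carrying extensions can only be TLS 1.3. If extension dissection with `hnd_type == SSL_HND_CERTIFICATE` is reached only from the TLS 1.3 CertificateEntry path (not visible here), the `is_tls13` guard is redundant and `hnd_type == SSL_HND_CERTIFICATE` alone would be more robust; otherwise a one-line comment stating why the version check is needed would help the next reader. ssl_dissect_hnd_extension starts and ends outside this hunk.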
@@ -7816,8 +7923,7 @@ ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *t
break;
case SSL_HND_HELLO_EXT_STATUS_REQUEST_V2:
if (hnd_type == SSL_HND_CLIENT_HELLO)
- offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, ext_tree, offset);
- // TODO dissect CertificateStatus for SSL_HND_CERTIFICATE (TLS 1.3)
+ offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
break;
case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP:
// TLS 1.3 note: SCT only appears in EE in draft -16 and before.
diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h
index 4fb1742b33..4fe57baadd 100644
--- a/epan/dissectors/packet-ssl-utils.h
+++ b/epan/dissectors/packet-ssl-utils.h
@@ -702,10 +702,6 @@ typedef struct ssl_common_dissect {
gint hs_ext_alpn_list;
gint hs_ext_alpn_str;
gint hs_ext_alpn_str_len;
- gint hs_ext_cert_status_request_extensions_len;
- gint hs_ext_cert_status_request_len;
- gint hs_ext_cert_status_responder_id_list_len;
- gint hs_ext_cert_status_type;
gint hs_ext_cert_url_item;
gint hs_ext_cert_url_padding;
gint hs_ext_cert_url_sha1;
@@ -713,6 +709,13 @@ typedef struct ssl_common_dissect {
gint hs_ext_cert_url_url;
gint hs_ext_cert_url_url_hash_list_len;
gint hs_ext_cert_url_url_len;
+ gint hs_ext_cert_status_type;
+ gint hs_ext_cert_status_request_len;
+ gint hs_ext_cert_status_responder_id_list_len;
+ gint hs_ext_cert_status_request_extensions_len;
+ gint hs_ext_cert_status_request_list_len;
+ gint hs_ocsp_response_list_len;
+ gint hs_ocsp_response_len;
gint hs_ext_cert_type;
gint hs_ext_cert_types;
gint hs_ext_cert_types_len;
@@ -884,6 +887,8 @@ typedef struct ssl_common_dissect {
gint comp_methods;
gint session_ticket;
gint sct;
+ gint cert_status;
+ gint ocsp_response;
/* do not forget to update SSL_COMMON_LIST_T and SSL_COMMON_ETT_LIST! */
} ett;
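Review bot: `cert_status` is added to the `ett` struct here, to the ett initializer count in the SSL_COMMON_LIST_T hunk below and to SSL_COMMON_ETT_LIST, but none of the visible .c hunks reference `hf->ett.cert_status`; only `hf->ett.ocsp_response` is used, and the commit description says the CertificateStatus tree item was deliberately removed. Unless a later change is meant to use it, dropping `cert_status` from all three places keeps the subtree list in step with the dissector, as the `/* do not forget to update ... */` reminder asks; if it is kept on purpose, a short comment such as `/* reserved: CertificateStatus subtree, currently unused */` next to `gint cert_status;` would prevent the next cleanup from tripping over it.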
@@ -1019,6 +1024,10 @@ ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
extern void
ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, guint32 offset);
+extern guint32
+tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
+ proto_tree *tree, guint32 offset, guint32 offset_end);
+
extern void
ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
proto_tree *tree, guint32 offset, guint32 length,
@@ -1050,11 +1059,11 @@ ssl_common_dissect_t name = { \
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
}, \
/* ett */ { \
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
}, \
/* ei */ { \
EI_INIT, EI_INIT, EI_INIT, EI_INIT, EI_INIT, EI_INIT, \
@@ -1334,6 +1343,21 @@ ssl_common_dissect_t name = { \
FT_UINT16, BASE_DEC, NULL, 0x0, \
NULL, HFILL } \
}, \
+ { & name .hf.hs_ext_cert_status_request_list_len, \
+ { "Certificate Status List Length", prefix ".handshake.extensions_status_request_list_len", \
+ FT_UINT16, BASE_DEC, NULL, 0x0, \
+ "CertificateStatusRequestItemV2 list length", HFILL } \
+ }, \
+ { & name .hf.hs_ocsp_response_list_len, \
+ { "OCSP Response List Length", prefix ".handshake.ocsp_response_list_len", \
+ FT_UINT24, BASE_DEC, NULL, 0x0, \
+ "OCSPResponseList length", HFILL } \
+ }, \
+ { & name .hf.hs_ocsp_response_len, \
+ { "OCSP Response Length", prefix ".handshake.ocsp_response_len", \
+ FT_UINT24, BASE_DEC, NULL, 0x0, \
+ NULL, HFILL } \
+ }, \
{ & name .hf.hs_sig_hash_alg_len, \
{ "Signature Hash Algorithms Length", prefix ".handshake.sig_hash_alg_len", \
FT_UINT16, BASE_DEC, NULL, 0x0, \
@@ -1866,6 +1890,8 @@ ssl_common_dissect_t name = { \
& name .ett.comp_methods, \
& name .ett.session_ticket, \
& name .ett.sct, \
+ & name .ett.cert_status, \
+ & name .ett.ocsp_response, \
/* }}} */
/* {{{ */
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index 3cf4ab2c9b..c0e4233387 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -100,7 +100,6 @@
#include <wsutil/rsa.h>
#include "packet-tcp.h"
#include "packet-x509af.h"
-#include "packet-ocsp.h"
#include "packet-ssl.h"
#include "packet-ssl-utils.h"
#include "packet-ber.h"
@@ -143,9 +142,6 @@ static gint hf_ssl_alert_message_description = -1;
static gint hf_ssl_handshake_protocol = -1;
static gint hf_ssl_handshake_type = -1;
static gint hf_ssl_handshake_length = -1;
-static gint hf_ssl_handshake_cert_status = -1;
-static gint hf_ssl_handshake_cert_status_type = -1;
-static gint hf_ssl_handshake_cert_status_len = -1;
static gint hf_ssl_handshake_npn_selected_protocol_len = -1;
static gint hf_ssl_handshake_npn_selected_protocol = -1;
static gint hf_ssl_handshake_npn_padding_len = -1;
@@ -250,8 +246,6 @@ static gint ett_ssl_alert = -1;
static gint ett_ssl_handshake = -1;
static gint ett_ssl_heartbeat = -1;
static gint ett_ssl_certs = -1;
-static gint ett_ssl_cert_status = -1;
-static gint ett_ssl_ocsp_resp = -1;
static gint ett_pct_cipher_suites = -1;
static gint ett_pct_hash_suites = -1;
static gint ett_pct_cert_suites = -1;
@@ -570,11 +564,6 @@ static void dissect_ssl3_heartbeat(tvbuff_t *tvb, packet_info *pinfo,
const SslSession *session, guint32 record_length,
gboolean decrypted);
-static void dissect_ssl3_hnd_cert_status(tvbuff_t *tvb,
- proto_tree *tree,
- guint32 offset,
- packet_info *pinfo);
-
static void dissect_ssl3_hnd_encrypted_exts(tvbuff_t *tvb,
proto_tree *tree,
guint32 offset);
@@ -2264,7 +2253,7 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
break;
case SSL_HND_CERT_STATUS:
- dissect_ssl3_hnd_cert_status(tvb, ssl_hand_tree, offset, pinfo);
+ tls_dissect_hnd_certificate_status(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree, offset, offset + length);
break;
case SSL_HND_SUPPLEMENTAL_DATA:
@@ -2383,76 +2372,6 @@ dissect_ssl3_heartbeat(tvbuff_t *tvb, packet_info *pinfo,
}
}
-static guint
-dissect_ssl3_ocsp_response(tvbuff_t *tvb, proto_tree *tree,
- guint32 offset, packet_info *pinfo)
-{
- guint cert_status_len;
- proto_item *ti;
- proto_tree *cert_status_tree;
-
- cert_status_len = tvb_get_ntoh24(tvb, offset);
- ti = proto_tree_add_item(tree, hf_ssl_handshake_cert_status,
- tvb, offset, cert_status_len + 3,
- ENC_NA);
- cert_status_tree = proto_item_add_subtree(ti, ett_ssl_cert_status);
-
- proto_tree_add_item(cert_status_tree, hf_ssl_handshake_cert_status_len,
- tvb, offset, 3, ENC_BIG_ENDIAN);
- offset += 3;
-
- if (cert_status_len > 0) {
- proto_item *ocsp_resp;
- proto_tree *ocsp_resp_tree;
- asn1_ctx_t asn1_ctx;
-
- ocsp_resp = proto_tree_add_item(cert_status_tree,
- proto_ocsp, tvb, offset,
- cert_status_len, ENC_BIG_ENDIAN);
- proto_item_set_text(ocsp_resp, "OCSP Response");
- ocsp_resp_tree = proto_item_add_subtree(ocsp_resp,
- ett_ssl_ocsp_resp);
- asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
- dissect_ocsp_OCSPResponse(FALSE, tvb, offset, &asn1_ctx,
- ocsp_resp_tree, -1);
- offset += cert_status_len;
- }
-
- return offset;
-}
-
-static void
-dissect_ssl3_hnd_cert_status(tvbuff_t *tvb, proto_tree *tree,
- guint32 offset, packet_info *pinfo)
-{
- guint8 cert_status_type;
-
- cert_status_type = tvb_get_guint8(tvb, offset);
- proto_tree_add_item(tree, hf_ssl_handshake_cert_status_type,
- tvb, offset, 1, ENC_BIG_ENDIAN);
- offset += 1;
-
- switch (cert_status_type) {
- case SSL_HND_CERT_STATUS_TYPE_OCSP:
- dissect_ssl3_ocsp_response(tvb, tree, offset, pinfo);
- break;
- case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI:
- {
- gint32 list_len;
-
- list_len = tvb_get_ntoh24(tvb, offset);
- offset += 3;
-
- while (list_len > 0) {
- guint32 prev_offset = offset;
- offset = dissect_ssl3_ocsp_response(tvb, tree, offset, pinfo);
- list_len -= offset - prev_offset;
- }
- break;
- }
- }
-}
-
/* based on https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04 */
static void
dissect_ssl3_hnd_encrypted_exts(tvbuff_t *tvb, proto_tree *tree,
@@ -4011,21 +3930,6 @@ proto_register_ssl(void)
FT_UINT24, BASE_HEX|BASE_EXT_STRING, &ssl_20_cipher_suites_ext, 0x0,
"Cipher specification", HFILL }
},
- { &hf_ssl_handshake_cert_status,
- { "Certificate Status", "ssl.handshake.cert_status",
- FT_NONE, BASE_NONE, NULL, 0x0,
- "Certificate Status Data", HFILL }
- },
- { &hf_ssl_handshake_cert_status_type,
- { "Certificate Status Type", "ssl.handshake.cert_status_type",
- FT_UINT8, BASE_DEC, VALS(tls_cert_status_type), 0x0,
- NULL, HFILL }
- },
- { &hf_ssl_handshake_cert_status_len,
- { "Certificate Status Length", "ssl.handshake.cert_status_len",
- FT_UINT24, BASE_DEC, NULL, 0x0,
- "Length of certificate status", HFILL }
- },
{ &hf_ssl_handshake_npn_selected_protocol_len,
{ "Selected Protocol Length", "ssl.handshake.npn_selected_protocol_len",
FT_UINT8, BASE_DEC, NULL, 0x0,
@@ -4321,8 +4225,6 @@ proto_register_ssl(void)
&ett_ssl_handshake,
&ett_ssl_heartbeat,
&ett_ssl_certs,
- &ett_ssl_cert_status,
- &ett_ssl_ocsp_resp,
&ett_pct_cipher_suites,
&ett_pct_hash_suites,
&ett_pct_cert_suites,