authorAnders Broman <anders.broman@ericsson.com>2011-01-26 08:49:06 +0000
committerAnders Broman <anders.broman@ericsson.com>2011-01-26 08:49:06 +0000
commitc4fe9a28ca8281d11facbcdf908aa9391309891e (patch)
tree5bdbf9af38cec945f8fb5c03073f89cb6dce5fff
parentcf1bb441058aa286e0223de976ef99592722e925 (diff)
From Kaspar Brand:
SSL/TLS dissector: add support for "Certificate Status" messages (aka OCSP stapling) https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5503 svn path=/trunk/; revision=35655
-rw-r--r--asn1/ocsp/ocsp.cnf1
-rw-r--r--epan/dissectors/packet-ocsp.c6
-rw-r--r--epan/dissectors/packet-ocsp.h3
-rw-r--r--epan/dissectors/packet-ssl-utils.c6
-rw-r--r--epan/dissectors/packet-ssl-utils.h4
-rw-r--r--epan/dissectors/packet-ssl.c84
6 files changed, 101 insertions, 3 deletions
diff --git a/asn1/ocsp/ocsp.cnf b/asn1/ocsp/ocsp.cnf
index e72a072e6b..537880d372 100644
--- a/asn1/ocsp/ocsp.cnf
+++ b/asn1/ocsp/ocsp.cnf
@@ -13,6 +13,7 @@ PKIX1Explicit88 pkix1explicit
#.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf
#.EXPORTS
+OCSPResponse
#.PDU
diff --git a/epan/dissectors/packet-ocsp.c b/epan/dissectors/packet-ocsp.c
index 7e77306691..02f6c0683d 100644
--- a/epan/dissectors/packet-ocsp.c
+++ b/epan/dissectors/packet-ocsp.c
@@ -52,7 +52,7 @@
#define PFNAME "ocsp"
/* Initialize the protocol and registered fields */
-static int proto_ocsp = -1;
+proto_ocsp = -1;
static int hf_ocsp_responseType_id = -1;
/*--- Included file: packet-ocsp-hf.c ---*/
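Review bot: The replacement line `+proto_ocsp = -1;` drops the type together with the `static`, leaving a file-scope data definition with no type specifier — an implicit-int definition that C99 rejects and gnu89 only warns about — and it matches the `extern int proto_ocsp;` declaration this commit adds to packet-ocsp.h only by accident. It should read `int proto_ocsp = -1;`. The `#line 38 "ocsp.cnf"` directive in the next hunk indicates this file is generated from the asn1 directory, so the same edit presumably belongs in the template that produces it; otherwise the next regeneration will restore the static definition and break the new reference from packet-ssl.c.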
@@ -321,7 +321,7 @@ dissect_ocsp_T_responseType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int of
static int
dissect_ocsp_T_response(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 37 "ocsp.cnf"
+#line 38 "ocsp.cnf"
gint8 class;
gboolean pc, ind;
gint32 tag;
@@ -358,7 +358,7 @@ static const ber_sequence_t OCSPResponse_sequence[] = {
{ NULL, 0, 0, 0, NULL }
};
-static int
+int
dissect_ocsp_OCSPResponse(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
OCSPResponse_sequence, hf_index, ett_ocsp_OCSPResponse);
diff --git a/epan/dissectors/packet-ocsp.h b/epan/dissectors/packet-ocsp.h
index 90031e153d..a002c9b2d1 100644
--- a/epan/dissectors/packet-ocsp.h
+++ b/epan/dissectors/packet-ocsp.h
@@ -36,5 +36,8 @@
/*#include "packet-ocsp-exp.h"*/
+extern int proto_ocsp;
+int dissect_ocsp_OCSPResponse(gboolean implicit_tag, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index);
+
#endif /* PACKET_OCSP_H */
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 0fa08b54a1..131c12657d 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -472,6 +472,7 @@ const value_string ssl_31_handshake_type[] = {
{ SSL_HND_CERT_VERIFY, "Certificate Verify" },
{ SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
{ SSL_HND_FINISHED, "Finished" },
+ { SSL_HND_CERT_STATUS, "Certificate Status" },
{ 0x00, NULL }
};
@@ -905,6 +906,11 @@ const value_string tls_signature_algorithm[] = {
{ 0, NULL }
};
+const value_string tls_cert_status_type[] = {
+ { SSL_HND_CERT_STATUS_TYPE_OCSP, "OCSP" },
+ { 0, NULL }
+};
+
/* we keep this internal to packet-ssl-utils, as there should be
no need to access it any other way.
diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h
index 4acafaf799..ea0b5eb70d 100644
--- a/epan/dissectors/packet-ssl-utils.h
+++ b/epan/dissectors/packet-ssl-utils.h
@@ -84,6 +84,7 @@
#define SSL_HND_CERT_VERIFY 15
#define SSL_HND_CLIENT_KEY_EXCHG 16
#define SSL_HND_FINISHED 20
+#define SSL_HND_CERT_STATUS 22
#define SSL2_HND_ERROR 0x00
#define SSL2_HND_CLIENT_HELLO 0x01
@@ -147,6 +148,8 @@
#define SSL_HND_HELLO_EXT_ELLIPTIC_CURVES 0x000a
#define SSL_HND_HELLO_EXT_EC_POINT_FORMATS 0x000b
+#define SSL_HND_CERT_STATUS_TYPE_OCSP 1
+
/*
* Lookup tables
*/
@@ -176,6 +179,7 @@ extern const value_string pct_error_code[];
extern const value_string tls_hello_extension_types[];
extern const value_string tls_hash_algorithm[];
extern const value_string tls_signature_algorithm[];
+extern const value_string tls_cert_status_type[];
extern const value_string ssl_extension_curves[];
extern const value_string ssl_extension_ec_point_formats[];
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index 6c25167b24..82c1615555 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -117,6 +117,7 @@
#include <epan/dissectors/packet-tcp.h>
#include <epan/asn1.h>
#include <epan/dissectors/packet-x509af.h>
+#include <epan/dissectors/packet-ocsp.h>
#include <epan/tap.h>
#include <epan/filesystem.h>
#include <epan/report_err.h>
@@ -192,6 +193,9 @@ static gint hf_ssl_handshake_sig_hash_algs = -1;
static gint hf_ssl_handshake_sig_hash_alg = -1;
static gint hf_ssl_handshake_sig_hash_hash = -1;
static gint hf_ssl_handshake_sig_hash_sig = -1;
+static gint hf_ssl_handshake_cert_status = -1;
+static gint hf_ssl_handshake_cert_status_type = -1;
+static gint hf_ssl_handshake_cert_status_len = -1;
static gint hf_ssl_handshake_finished = -1;
static gint hf_ssl_handshake_md5_hash = -1;
static gint hf_ssl_handshake_sha_hash = -1;
@@ -252,6 +256,8 @@ static gint ett_ssl_sig_hash_algs = -1;
static gint ett_ssl_sig_hash_alg = -1;
static gint ett_ssl_dnames = -1;
static gint ett_ssl_random = -1;
+static gint ett_ssl_cert_status = -1;
+static gint ett_ssl_ocsp_resp = -1;
static gint ett_pct_cipher_suites = -1;
static gint ett_pct_hash_suites = -1;
static gint ett_pct_cert_suites = -1;
@@ -439,6 +445,10 @@ static void dissect_ssl3_hnd_finished(tvbuff_t *tvb,
const guint32 offset,
const guint* conv_version);
+static void dissect_ssl3_hnd_cert_status(tvbuff_t *tvb,
+ proto_tree *tree,
+ guint32 offset,
+ packet_info *pinfo);
/*
* SSL version 2 dissectors
@@ -1958,6 +1968,10 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
dissect_ssl3_hnd_finished(tvb, ssl_hand_tree,
offset, conv_version);
break;
+
+ case SSL_HND_CERT_STATUS:
+ dissect_ssl3_hnd_cert_status(tvb, ssl_hand_tree, offset, pinfo);
+ break;
}
}
@@ -2685,6 +2699,59 @@ dissect_ssl3_hnd_finished(tvbuff_t *tvb,
}
}
+static void
+dissect_ssl3_hnd_cert_status(tvbuff_t *tvb, proto_tree *tree,
+ guint32 offset, packet_info *pinfo)
+{
+ guint8 cert_status_type;
+ guint cert_status_len;
+ proto_tree *ti;
+ proto_tree *cert_status_tree;
+
+ if (tree)
+ {
+ cert_status_type = tvb_get_guint8(tvb, offset);
+ cert_status_len = tvb_get_ntoh24(tvb, offset+1);
+ tvb_ensure_bytes_exist(tvb, offset, cert_status_len+4);
+ ti = proto_tree_add_none_format(tree, hf_ssl_handshake_cert_status,
+ tvb, offset, cert_status_len+4,
+ "Certificate Status (%u byte%s)",
+ cert_status_len+4,
+ plurality(cert_status_len+4, "", "s"));
+ cert_status_tree = proto_item_add_subtree(ti, ett_ssl_cert_status);
+ proto_tree_add_item(cert_status_tree, hf_ssl_handshake_cert_status_type,
+ tvb, offset, 1, FALSE);
+ offset++;
+ proto_tree_add_uint(cert_status_tree, hf_ssl_handshake_cert_status_len,
+ tvb, offset, 3, cert_status_len);
+ offset += 3;
+ if (cert_status_len > 0)
+ {
+ switch (cert_status_type) {
+ case SSL_HND_CERT_STATUS_TYPE_OCSP:
+ {
+ proto_item *ocsp_resp;
+ proto_tree *ocsp_resp_tree;
+ asn1_ctx_t asn1_ctx;
+
+ ocsp_resp = proto_tree_add_item(cert_status_tree,
+ proto_ocsp, tvb, offset,
+ cert_status_len, FALSE);
+ proto_item_set_text(ocsp_resp, "OCSP Response");
+ ocsp_resp_tree = proto_item_add_subtree(ocsp_resp,
+ ett_ssl_ocsp_resp);
+ asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+ dissect_ocsp_OCSPResponse(FALSE, tvb, offset, &asn1_ctx,
+ ocsp_resp_tree, -1);
+ break;
+ }
+ default:
+ break;
+ }
+ }
+ }
+}
+
/*********************************************************************
*
* SSL version 2 Dissectors
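Review bot: In dissect_ssl3_hnd_cert_status the OCSP response is decoded from the whole handshake tvb at `offset`, so the BER decoder is bounded only by the tvb and not by the 24-bit `cert_status_len` the message declares; a stapled response whose own ASN.1 lengths exceed `cert_status_len` would be dissected out of the bytes that follow the status body, and one shorter than `cert_status_len` leaves trailing bytes unreported. Wrapping the body in a subset tvb keeps the decoder inside the declared range: `tvbuff_t *ocsp_tvb = tvb_new_subset(tvb, offset, cert_status_len, cert_status_len);` followed by `dissect_ocsp_OCSPResponse(FALSE, ocsp_tvb, 0, &asn1_ctx, ocsp_resp_tree, -1);`. The return value of dissect_ocsp_OCSPResponse is discarded; comparing the returned offset with `cert_status_len` would let a truncated or padded status message be flagged instead of silently accepted. The `tvb_ensure_bytes_exist` call covering `cert_status_len+4` comes after the two reads it guards, which is harmless because those accessors throw on short data, but nothing relates the status body to the enclosing handshake message length, which this function is not passed.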
@@ -4368,6 +4435,21 @@ proto_register_ssl(void)
FT_UINT8, BASE_DEC, VALS(tls_signature_algorithm), 0x0,
NULL, HFILL }
},
+ { &hf_ssl_handshake_cert_status,
+ { "Certificate Status", "ssl.handshake.cert_status",
+ FT_NONE, BASE_NONE, NULL, 0x0,
+ "Certificate Status Data", HFILL }
+ },
+ { &hf_ssl_handshake_cert_status_type,
+ { "Certificate Status Type", "ssl.handshake.cert_status_type",
+ FT_UINT8, BASE_DEC, VALS(tls_cert_status_type), 0x0,
+ NULL, HFILL }
+ },
+ { &hf_ssl_handshake_cert_status_len,
+ { "Certificate Status Length", "ssl.handshake.cert_status_len",
+ FT_UINT24, BASE_DEC, NULL, 0x0,
+ "Length of certificate status", HFILL }
+ },
{ &hf_ssl_handshake_finished,
{ "Verify Data", "ssl.handshake.verify_data",
FT_NONE, BASE_NONE, NULL, 0x0,
@@ -4596,6 +4678,8 @@ proto_register_ssl(void)
&ett_ssl_sig_hash_alg,
&ett_ssl_dnames,
&ett_ssl_random,
+ &ett_ssl_cert_status,
+ &ett_ssl_ocsp_resp,
&ett_pct_cipher_suites,
&ett_pct_hash_suites,
&ett_pct_cert_suites,