author | Anders Broman <anders.broman@ericsson.com> | 2011-01-26 08:49:06 +0000 |
committer | Anders Broman <anders.broman@ericsson.com> | 2011-01-26 08:49:06 +0000 |
commit | c4fe9a28ca8281d11facbcdf908aa9391309891e (patch) | |
tree | 5bdbf9af38cec945f8fb5c03073f89cb6dce5fff | |
parent | cf1bb441058aa286e0223de976ef99592722e925 (diff) |
From Kaspar Brand:
SSL/TLS dissector: add support for "Certificate Status" messages (aka OCSP stapling)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5503
svn path=/trunk/; revision=35655
-rw-r--r-- | asn1/ocsp/ocsp.cnf | 1 | ||||
-rw-r--r-- | epan/dissectors/packet-ocsp.c | 6 | ||||
-rw-r--r-- | epan/dissectors/packet-ocsp.h | 3 | ||||
-rw-r--r-- | epan/dissectors/packet-ssl-utils.c | 6 | ||||
-rw-r--r-- | epan/dissectors/packet-ssl-utils.h | 4 | ||||
-rw-r--r-- | epan/dissectors/packet-ssl.c | 84 |
6 files changed, 101 insertions, 3 deletions
diff --git a/asn1/ocsp/ocsp.cnf b/asn1/ocsp/ocsp.cnf
index e72a072e6b..537880d372 100644
--- a/asn1/ocsp/ocsp.cnf
+++ b/asn1/ocsp/ocsp.cnf
@@ -13,6 +13,7 @@ PKIX1Explicit88 pkix1explicit
 #.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf
 #.EXPORTS
+OCSPResponse
 #.PDU
diff --git a/epan/dissectors/packet-ocsp.c b/epan/dissectors/packet-ocsp.c
index 7e77306691..02f6c0683d 100644
--- a/epan/dissectors/packet-ocsp.c
+++ b/epan/dissectors/packet-ocsp.c
@@ -52,7 +52,7 @@
 #define PFNAME "ocsp"
 /* Initialize the protocol and registered fields */
-static int proto_ocsp = -1;
+proto_ocsp = -1;
 static int hf_ocsp_responseType_id = -1;
 /*--- Included file: packet-ocsp-hf.c ---*/
@@ -321,7 +321,7 @@ dissect_ocsp_T_responseType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int of
 static int
 dissect_ocsp_T_response(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 37 "ocsp.cnf"
+#line 38 "ocsp.cnf"
 gint8 class;
 gboolean pc, ind;
 gint32 tag;
@@ -358,7 +358,7 @@ static const ber_sequence_t OCSPResponse_sequence[] = {
 { NULL, 0, 0, 0, NULL }
 };
-static int
+int
 dissect_ocsp_OCSPResponse(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
 offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset, OCSPResponse_sequence, hf_index, ett_ocsp_OCSPResponse);
diff --git a/epan/dissectors/packet-ocsp.h b/epan/dissectors/packet-ocsp.h
index 90031e153d..a002c9b2d1 100644
--- a/epan/dissectors/packet-ocsp.h
+++ b/epan/dissectors/packet-ocsp.h
@@ -36,5 +36,8 @@
 /*#include "packet-ocsp-exp.h"*/
+extern int proto_ocsp;
+int dissect_ocsp_OCSPResponse(gboolean implicit_tag, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index);
+
 #endif /* PACKET_OCSP_H */
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 0fa08b54a1..131c12657d 100644
--- a/epan/dissectors/packet-ssl-utils.c
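Review bot: `+proto_ocsp = -1;` in the packet-ocsp.c @@ -52 hunk leaves the definition with no type specifier, which C99 no longer permits (implicit int) and GCC reports as a data definition with no type or storage class; the intended line is `int proto_ocsp = -1;`, matching the `extern int proto_ocsp;` added to packet-ocsp.h. The `#line 38 "ocsp.cnf"` hunk shows packet-ocsp.c is asn2wrs output, so unless the same edit is made to the template the file is generated from (not part of this diff), the next regeneration will presumably restore the `static` and break the new caller in packet-ssl.c at link time.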
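Review bot: The newly exported `dissect_ocsp_OCSPResponse` declaration in packet-ocsp.h carries no comment, and it is now called from another dissector that passes `-1` as `hf_index`. A one-line comment above it, e.g. `/* Dissect a BER-encoded OCSPResponse starting at offset; returns the offset following it. */`, would record the contract; the @@ -358 hunk's `offset = dissect_ber_sequence(...)` suggests the return is the advanced offset, but the function's `return` lies outside the hunk, so confirm before documenting it.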
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -472,6 +472,7 @@ const value_string ssl_31_handshake_type[] = {
 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
 { SSL_HND_FINISHED, "Finished" },
+ { SSL_HND_CERT_STATUS, "Certificate Status" },
 { 0x00, NULL }
 };
@@ -905,6 +906,11 @@ const value_string tls_signature_algorithm[] = {
 { 0, NULL }
 };
+const value_string tls_cert_status_type[] = {
+ { SSL_HND_CERT_STATUS_TYPE_OCSP, "OCSP" },
+ { 0, NULL }
+};
+
 /* we keep this internal to packet-ssl-utils, as there should be no need to access it any other way.
diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h
index 4acafaf799..ea0b5eb70d 100644
--- a/epan/dissectors/packet-ssl-utils.h
+++ b/epan/dissectors/packet-ssl-utils.h
@@ -84,6 +84,7 @@
 #define SSL_HND_CERT_VERIFY 15
 #define SSL_HND_CLIENT_KEY_EXCHG 16
 #define SSL_HND_FINISHED 20
+#define SSL_HND_CERT_STATUS 22
 #define SSL2_HND_ERROR 0x00
 #define SSL2_HND_CLIENT_HELLO 0x01
@@ -147,6 +148,8 @@
 #define SSL_HND_HELLO_EXT_ELLIPTIC_CURVES 0x000a
 #define SSL_HND_HELLO_EXT_EC_POINT_FORMATS 0x000b
+#define SSL_HND_CERT_STATUS_TYPE_OCSP 1
+
 /*
 * Lookup tables
 */
@@ -176,6 +179,7 @@ extern const value_string pct_error_code[];
 extern const value_string tls_hello_extension_types[];
 extern const value_string tls_hash_algorithm[];
 extern const value_string tls_signature_algorithm[];
+extern const value_string tls_cert_status_type[];
 extern const value_string ssl_extension_curves[];
 extern const value_string ssl_extension_ec_point_formats[];
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index 6c25167b24..82c1615555 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -117,6 +117,7 @@
 #include <epan/dissectors/packet-tcp.h>
 #include <epan/asn1.h>
 #include <epan/dissectors/packet-x509af.h>
+#include <epan/dissectors/packet-ocsp.h>
 #include <epan/tap.h>
 #include <epan/filesystem.h>
 #include <epan/report_err.h>
@@ -192,6 +193,9 @@ static gint hf_ssl_handshake_sig_hash_algs = -1;
 static gint hf_ssl_handshake_sig_hash_alg = -1;
 static gint hf_ssl_handshake_sig_hash_hash = -1;
 static gint hf_ssl_handshake_sig_hash_sig = -1;
+static gint hf_ssl_handshake_cert_status = -1;
+static gint hf_ssl_handshake_cert_status_type = -1;
+static gint hf_ssl_handshake_cert_status_len = -1;
 static gint hf_ssl_handshake_finished = -1;
 static gint hf_ssl_handshake_md5_hash = -1;
 static gint hf_ssl_handshake_sha_hash = -1;
@@ -252,6 +256,8 @@ static gint ett_ssl_sig_hash_algs = -1;
 static gint ett_ssl_sig_hash_alg = -1;
 static gint ett_ssl_dnames = -1;
 static gint ett_ssl_random = -1;
+static gint ett_ssl_cert_status = -1;
+static gint ett_ssl_ocsp_resp = -1;
 static gint ett_pct_cipher_suites = -1;
 static gint ett_pct_hash_suites = -1;
 static gint ett_pct_cert_suites = -1;
@@ -439,6 +445,10 @@ static void dissect_ssl3_hnd_finished(tvbuff_t *tvb,
 const guint32 offset,
 const guint* conv_version);
+static void dissect_ssl3_hnd_cert_status(tvbuff_t *tvb,
+ proto_tree *tree,
+ guint32 offset,
+ packet_info *pinfo);
 /*
 * SSL version 2 dissectors
@@ -1958,6 +1968,10 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
 dissect_ssl3_hnd_finished(tvb, ssl_hand_tree, offset, conv_version);
 break;
+
+ case SSL_HND_CERT_STATUS:
+ dissect_ssl3_hnd_cert_status(tvb, ssl_hand_tree, offset, pinfo);
+ break;
 }
 }
@@ -2685,6 +2699,59 @@ dissect_ssl3_hnd_finished(tvbuff_t *tvb,
 }
 }
+static void
+dissect_ssl3_hnd_cert_status(tvbuff_t *tvb, proto_tree *tree,
+ guint32 offset, packet_info *pinfo)
+{
+ guint8 cert_status_type;
+ guint cert_status_len;
+ proto_tree *ti;
+ proto_tree *cert_status_tree;
+
+ if (tree)
+ {
+ cert_status_type = tvb_get_guint8(tvb, offset);
+ cert_status_len = tvb_get_ntoh24(tvb, offset+1);
+ tvb_ensure_bytes_exist(tvb, offset, cert_status_len+4);
+ ti = proto_tree_add_none_format(tree, hf_ssl_handshake_cert_status,
+ tvb, offset, cert_status_len+4,
+ "Certificate Status (%u byte%s)",
+ cert_status_len+4,
+ plurality(cert_status_len+4, "", "s"));
+ cert_status_tree = proto_item_add_subtree(ti, ett_ssl_cert_status);
+ proto_tree_add_item(cert_status_tree, hf_ssl_handshake_cert_status_type,
+ tvb, offset, 1, FALSE);
+ offset++;
+ proto_tree_add_uint(cert_status_tree, hf_ssl_handshake_cert_status_len,
+ tvb, offset, 3, cert_status_len);
+ offset += 3;
+ if (cert_status_len > 0)
+ {
+ switch (cert_status_type) {
+ case SSL_HND_CERT_STATUS_TYPE_OCSP:
+ {
+ proto_item *ocsp_resp;
+ proto_tree *ocsp_resp_tree;
+ asn1_ctx_t asn1_ctx;
+
+ ocsp_resp = proto_tree_add_item(cert_status_tree,
+ proto_ocsp, tvb, offset,
+ cert_status_len, FALSE);
+ proto_item_set_text(ocsp_resp, "OCSP Response");
+ ocsp_resp_tree = proto_item_add_subtree(ocsp_resp,
+ ett_ssl_ocsp_resp);
+ asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+ dissect_ocsp_OCSPResponse(FALSE, tvb, offset, &asn1_ctx,
+ ocsp_resp_tree, -1);
+ break;
+ }
+ default:
+ break;
+ }
+ }
+ }
+}
+
 /*********************************************************************
 *
 * SSL version 2 Dissectors
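Review bot: The offset returned by `dissect_ocsp_OCSPResponse` is discarded, so a CertificateStatus whose BER content is shorter or longer than `cert_status_len` is decoded with no indication that the two lengths disagree; capturing it as `int end = dissect_ocsp_OCSPResponse(FALSE, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);` and comparing `end` with `(int)(offset + cert_status_len)`, marking a mismatch on `ocsp_resp`, would make truncated or padded responses visible. `cert_status_len` is also never checked against the enclosing handshake message length, which this function is not handed (its parameters are `tvb`, `tree`, `offset`, `pinfo`); `tvb_ensure_bytes_exist` only guards the captured buffer, so a length that overruns the handshake message would silently pull the following handshake data into the OCSP item, which deserves at least a comment if the caller's length cannot be passed down. The function has no header comment; something like `/* CertificateStatus handshake message (RFC 4366): 1-byte status_type, 3-byte length, then the status body; only OCSP (type 1) is decoded. */` would describe it. Wrapping the whole body in `if (tree)` could also become an early `if (!tree) return;` to cut one nesting level.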
@@ -4368,6 +4435,21 @@ proto_register_ssl(void)
 FT_UINT8, BASE_DEC, VALS(tls_signature_algorithm), 0x0,
 NULL, HFILL }
 },
+ { &hf_ssl_handshake_cert_status,
+ { "Certificate Status", "ssl.handshake.cert_status",
+ FT_NONE, BASE_NONE, NULL, 0x0,
+ "Certificate Status Data", HFILL }
+ },
+ { &hf_ssl_handshake_cert_status_type,
+ { "Certificate Status Type", "ssl.handshake.cert_status_type",
+ FT_UINT8, BASE_DEC, VALS(tls_cert_status_type), 0x0,
+ NULL, HFILL }
+ },
+ { &hf_ssl_handshake_cert_status_len,
+ { "Certificate Status Length", "ssl.handshake.cert_status_len",
+ FT_UINT24, BASE_DEC, NULL, 0x0,
+ "Length of certificate status", HFILL }
+ },
 { &hf_ssl_handshake_finished,
 { "Verify Data", "ssl.handshake.verify_data",
 FT_NONE, BASE_NONE, NULL, 0x0,
@@ -4596,6 +4678,8 @@ proto_register_ssl(void)
 &ett_ssl_sig_hash_alg,
 &ett_ssl_dnames,
 &ett_ssl_random,
+ &ett_ssl_cert_status,
+ &ett_ssl_ocsp_resp,
 &ett_pct_cipher_suites,
 &ett_pct_hash_suites,
 &ett_pct_cert_suites,