author | Peter Wu <peter@lekensteyn.nl> | 2017-10-03 02:42:19 +0100 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2017-10-03 03:46:00 +0000 |
commit | e670f9c80be87e4b81f4cd4dafc3d3dd9ea183e9 (patch) | |
tree | 3bf83f6d1f8ce964ab152d7e55080dd6b1431c53 | |
parent | 83cb6ff625a403b6d505c3b2f0fc23cebbd479bd (diff) |
TLS13: fix SCT dissection since draft -17
Since draft -17, SCT has moved from EE to Certificate extensions.
Decryption failed for a boringssl test suite capture because it tests
with an unknown version and a small SerializedSCT which resulted in a
malformed packet exception. Ignore the SCT following RFC 6962, sect 3.3.
Change-Id: I894d51447f28ca121ea7f3fcef2b711a0debc1fb
Ping-Bug: 12779
Reviewed-on: https://code.wireshark.org/review/23818
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r-- | epan/dissectors/packet-ssl-utils.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 378d35a9c3..0fd2695948 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -6775,13 +6775,18 @@ tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, pro
 * digitally-signed struct { ... };
 * } SignedCertificateTimestamp;
 */
+ guint32 sct_version;
 guint64 sct_timestamp_ms;
 nstime_t sct_timestamp;
 guint32 exts_len;
 const gchar *log_name;
- proto_tree_add_item(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA);
+ proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA, &sct_version);
 offset++;
+ if (sct_version != 0) {
+ // TODO expert info about unknown SCT version?
+ return offset;
+ }
 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN);
 log_name = bytesval_to_str(tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
 proto_item_append_text(tree, " (%s)", log_name);
@@ -7815,7 +7820,8 @@ ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *t
 // TODO dissect CertificateStatus for SSL_HND_CERTIFICATE (TLS 1.3)
 break;
 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP:
- if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS)
+ // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
+ if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
 break;
 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE: |
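Review bot: The new `if (sct_version != 0)` branch in tls_dissect_sct returns without leaving any trace in the tree, so an SCT with an unrecognised version looks the same as a correctly dissected one apart from the missing fields. Since the hunk already reads the version with `proto_tree_add_item_ret_uint`, I would keep the item it returns and resolve the TODO by attaching an expert info to it, e.g. `expert_add_info(pinfo, ti, &hf->ei.<unknown_sct_version>);`, where the `ei` field name is a placeholder for one that would have to be registered. The early return also hands back an offset just past the version byte, so the rest of the SerializedSCT is only skipped correctly if the caller resynchronises on the length prefix. That caller and the remainder of this function are outside the hunk, so this should be confirmed there.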
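Review bot: The comment added in the SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP case explains only why EncryptedExtensions is still accepted, can be read two ways, and does not say why SSL_HND_CERTIFICATE was added to the condition. I would spell out both halves, e.g. `// TLS 1.3: SCT is carried in EncryptedExtensions up to draft -16 and in Certificate extensions since draft -17.` The condition is also not tied to `session->version`, so all three handshake types are accepted for every version; that looks harmless for a dissector, but a short remark that it is deliberate would help the next reader. The switch statement continues outside the hunk.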