author Peter Wu <peter@lekensteyn.nl> 2017-10-03 02:54:28 +0100
committer Anders Broman <a.broman58@gmail.com> 2017-10-04 03:40:16 +0000
commit 3cddb369d57e8ef7b310edea7ba5d7b2be19e777 (patch)
tree 09b892382fdb3db0198576697c6b1e223677f669 /epan/dissectors/packet-dtls.c
parent 064038bb1bf12d992e8083517f37ae2acfa782a8 (diff)
TLS: enable OCSP status dissection for TLS 1.3 and DTLS
In TLS 1.2, the "certificate_status" extension in the CH would result in a response in the CertificateStatus handshake message. In TLS 1.3, the response appears in a SH extension instead. Refactor the code to use ssl_add_vector and hook it up with SH extensions dissection. Do not stop dissection on a non-empty Responder ID list.

Remove misleading "CertificateStatus" tree item, it only covered the "OCSPResponse" vector, now its two children (just OCSP Response Length and the OCSP Response tree) are displayed directly.

Enable DTLS support, the spec does not forbid it and there is a user:
https://mta.openssl.org/pipermail/openssl-users/2016-August/004306.html

Tested with tls-sct.pcap (bug 13372) which now shows one tree item less and tls13-18-cert-sct-ocsp.pcap (bug 12779) which now dissects the OCSP response in the Certificate Extensions.

Change-Id: I2ccde84cb1e3bcb1bc47676eadc5cb542248cd92
Ping-Bug: 12779
Reviewed-on: https://code.wireshark.org/review/23819
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-dtls.c')
-rw-r--r-- epan/dissectors/packet-dtls.c 5
1 files changed, 4 insertions, 1 deletions
diff --git a/epan/dissectors/packet-dtls.c b/epan/dissectors/packet-dtls.c
index ccdf542797..1e2b5a35ff 100644
--- a/epan/dissectors/packet-dtls.c
+++ b/epan/dissectors/packet-dtls.c
@@ -1367,8 +1367,11 @@ dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo,
0, length, session, NULL);
break;
- case SSL_HND_CERT_URL:
case SSL_HND_CERT_STATUS:
+ tls_dissect_hnd_certificate_status(&dissect_dtls_hf, sub_tvb, pinfo, ssl_hand_tree, 0, length);
+ break;
+
+ case SSL_HND_CERT_URL:
case SSL_HND_SUPPLEMENTAL_DATA:
case SSL_HND_KEY_UPDATE:
case SSL_HND_ENCRYPTED_EXTS:
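Review bot: the new `case SSL_HND_CERT_STATUS:` branch is the DTLS-side call into the OCSP dissection, yet the commit message lists only tls-sct.pcap and tls13-18-cert-sct-ocsp.pcap as test captures and does not mention a DTLS one, so this path looks untested; a DTLS capture carrying a CertificateStatus message would be worth adding to the test set. The call passes offset 0 and `length` against `sub_tvb`, in line with the preceding case, which is correct provided `tls_dissect_hnd_certificate_status` bounds the OCSPResponse vector by that `length`, since the response body is peer-controlled input. As a style point, the call sits on one long line while the call just above it wraps its arguments (`0, length, session, NULL);`); wrapping it the same way would keep the switch consistent. Moving `case SSL_HND_CERT_URL:` down to the fall-through group is needed to keep it out of the new branch and reads fine.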