author | Peter Wu <peter@lekensteyn.nl> | 2014-07-11 00:58:35 +0200 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2014-07-11 04:36:51 +0000 |
commit | 71ebdb67ad3ea594ec4bbd889f5517f787519378 (patch) | |
tree | 326d10dfbdd7ce8f1aab9880023b000916e61a3a | |
parent | ba6d2e7cc8d8d06e9b879813d3e11dc7855a9e99 (diff) |
ssl: move CertificateRequest to ssl-utils
Except for field/expert_info names, a redundant subtree assignment,
a different !tree check, a type confusion in DTLS (proto_tree *ti),
a check against a different DTLS/TLS version and a (void) retval cast,
the functions are exactly the same. Extract them to ssl-utils.
Change-Id: I2ca7089fe2cd23212ef78656506cb53768f55927
Reviewed-on: https://code.wireshark.org/review/2986
Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r-- | epan/dissectors/packet-dtls.c | 211 | ||||
-rw-r--r-- | epan/dissectors/packet-ssl-utils.c | 146 | ||||
-rw-r--r-- | epan/dissectors/packet-ssl-utils.h | 68 | ||||
-rw-r--r-- | epan/dissectors/packet-ssl.c | 199 |
4 files changed, 211 insertions, 413 deletions
diff --git a/epan/dissectors/packet-dtls.c b/epan/dissectors/packet-dtls.c index 1792e3a6b9..f1704c192b 100644 --- a/epan/dissectors/packet-dtls.c +++ b/epan/dissectors/packet-dtls.c @@ -60,7 +60,6 @@ #include <epan/wmem/wmem.h> #include <epan/tap.h> #include <epan/reassemble.h> -#include "packet-x509if.h" #include "packet-ssl-utils.h" #include <wsutil/file_util.h> #include <epan/uat.h> @@ -121,17 +120,10 @@ static gint hf_dtls_handshake_comp_method = -1; static gint hf_dtls_handshake_session_ticket_lifetime_hint = -1; static gint hf_dtls_handshake_session_ticket_len = -1; static gint hf_dtls_handshake_session_ticket = -1; -static gint hf_dtls_handshake_cert_types_count = -1; -static gint hf_dtls_handshake_cert_types = -1; -static gint hf_dtls_handshake_cert_type = -1; static gint hf_dtls_handshake_finished = -1; /* static gint hf_dtls_handshake_md5_hash = -1; */ /* static gint hf_dtls_handshake_sha_hash = -1; */ static gint hf_dtls_handshake_session_id_len = -1; -static gint hf_dtls_handshake_dnames_len = -1; -static gint hf_dtls_handshake_dnames = -1; -static gint hf_dtls_handshake_dname_len = -1; -static gint hf_dtls_handshake_dname = -1; static gint hf_dtls_heartbeat_message = -1; static gint hf_dtls_heartbeat_message_type = -1; @@ -161,8 +153,6 @@ static gint ett_dtls_comp_methods = -1; static gint ett_dtls_random = -1; static gint ett_dtls_new_ses_ticket = -1; static gint ett_dtls_certs = -1; -static gint ett_dtls_cert_types = -1; -static gint ett_dtls_dnames = -1; static gint ett_dtls_fragment = -1; static gint ett_dtls_fragments = -1; 
@@ -170,7 +160,6 @@ static gint ett_dtls_fragments = -1; static expert_field ei_dtls_handshake_fragment_length_too_long = EI_INIT; static expert_field ei_dtls_handshake_fragment_past_end_msg = EI_INIT; static expert_field ei_dtls_msg_len_diff_fragment = EI_INIT; -static expert_field ei_dtls_handshake_sig_hash_alg_len_bad = EI_INIT; static expert_field ei_dtls_heartbeat_payload_length = EI_INIT; static GHashTable *dtls_session_hash = NULL; @@ -356,13 +345,6 @@ static void dissect_dtls_hnd_new_ses_ticket(tvbuff_t *tvb, proto_tree *tree, guint32 offset, guint32 length); -static void dissect_dtls_hnd_cert_req(tvbuff_t *tvb, - proto_tree *tree, - guint32 offset, - packet_info *pinfo, - const SslSession *session); - - static void dissect_dtls_hnd_finished(tvbuff_t *tvb, proto_tree *tree, guint32 offset, @@ -1396,7 +1378,7 @@ dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo, break; case SSL_HND_CERT_REQUEST: - dissect_dtls_hnd_cert_req(sub_tvb, ssl_hand_tree, 0, pinfo, session); + ssl_dissect_hnd_cert_req(&dissect_dtls_hf, sub_tvb, ssl_hand_tree, 0, pinfo, session); break; case SSL_HND_SVR_HELLO_DONE: 
@@ -1893,159 +1875,6 @@ dissect_dtls_hnd_new_ses_ticket(tvbuff_t *tvb, tvb, offset + 2, nst_len, ENC_NA); } -static void -dissect_dtls_hnd_cert_req(tvbuff_t *tvb, - proto_tree *tree, guint32 offset, packet_info *pinfo, - const SslSession *session) -{ - /* - * enum { - * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), - * (255) - * } ClientCertificateType; - * - * opaque DistinguishedName<1..2^16-1>; - * - * struct { - * ClientCertificateType certificate_types<1..2^8-1>; - * DistinguishedName certificate_authorities<3..2^16-1>; - * } CertificateRequest; - * - * - * As per TLSv1.2 (RFC 5246) the format has changed to: - * - * enum { - * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), - * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6), - * fortezza_dms_RESERVED(20), (255) - * } ClientCertificateType; - * - * enum { - * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), - * sha512(6), (255) - * } HashAlgorithm; - * - * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } - * SignatureAlgorithm; - * - * struct { - * HashAlgorithm hash; - * SignatureAlgorithm signature; - * } SignatureAndHashAlgorithm; - * - * SignatureAndHashAlgorithm - * supported_signature_algorithms<2..2^16-2>; - * - * opaque DistinguishedName<1..2^16-1>; - * - * struct { - * ClientCertificateType certificate_types<1..2^8-1>; - * SignatureAndHashAlgorithm - * supported_signature_algorithms<2^16-1>; - * DistinguishedName certificate_authorities<0..2^16-1>; - * } CertificateRequest; - * - */ - - proto_tree *ti; - proto_tree *subtree; - guint8 cert_types_count; - gint sh_alg_length; - gint dnames_length; - asn1_ctx_t asn1_ctx; - gint ret; - - asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo); - - if (tree) - { - cert_types_count = tvb_get_guint8(tvb, offset); - proto_tree_add_uint(tree, hf_dtls_handshake_cert_types_count, - tvb, offset, 1, cert_types_count); - offset++; - - if (cert_types_count > 0) - { - ti = proto_tree_add_none_format(tree, - 
hf_dtls_handshake_cert_types, - tvb, offset, cert_types_count, - "Certificate types (%u type%s)", - cert_types_count, - plurality(cert_types_count, "", "s")); - subtree = proto_item_add_subtree(ti, ett_dtls_cert_types); - if (!subtree) - { - subtree = tree; - } - - while (cert_types_count > 0) - { - proto_tree_add_item(subtree, hf_dtls_handshake_cert_type, - tvb, offset, 1, ENC_BIG_ENDIAN); - offset++; - cert_types_count--; - } - } - - switch (session->version) { - case SSL_VER_DTLS1DOT2: - sh_alg_length = tvb_get_ntohs(tvb, offset); - if (sh_alg_length % 2) { - expert_add_info_format(pinfo, NULL, - &ei_dtls_handshake_sig_hash_alg_len_bad, - "Signature Hash Algorithm length (%d) must be a multiple of 2", - sh_alg_length); - return; - } - - proto_tree_add_uint(tree, dissect_dtls_hf.hf.hs_sig_hash_alg_len, - tvb, offset, 2, sh_alg_length); - offset += 2; - - ret = ssl_dissect_hash_alg_list(&dissect_dtls_hf, tvb, tree, offset, sh_alg_length); - if (ret>=0) - offset += ret; - break; - - default: - break; - } - - dnames_length = tvb_get_ntohs(tvb, offset); - proto_tree_add_uint(tree, hf_dtls_handshake_dnames_len, - tvb, offset, 2, dnames_length); - offset += 2; - - if (dnames_length > 0) - { - ti = proto_tree_add_none_format(tree, - hf_dtls_handshake_dnames, - tvb, offset, dnames_length, - "Distinguished Names (%d byte%s)", - dnames_length, - plurality(dnames_length, "", "s")); - subtree = proto_item_add_subtree(ti, ett_dtls_dnames); - - while (dnames_length > 0) - { - /* get the length of the current certificate */ - guint16 name_length; - name_length = tvb_get_ntohs(tvb, offset); - dnames_length -= 2 + name_length; - - proto_tree_add_item(subtree, hf_dtls_handshake_dname_len, - tvb, offset, 2, ENC_BIG_ENDIAN); - offset += 2; - - dissect_x509if_DistinguishedName(FALSE, tvb, offset, &asn1_ctx, subtree, hf_dtls_handshake_dname); - - offset += name_length; - } - } - } - -} - static void dissect_dtls_hnd_finished(tvbuff_t *tvb, proto_tree *tree, guint32 offset, 
@@ -2372,21 +2201,6 @@ proto_register_dtls(void) FT_BYTES, BASE_NONE, NULL, 0x0, "New DTLS Session Ticket", HFILL } }, - { &hf_dtls_handshake_cert_types_count, - { "Certificate types count", "dtls.handshake.cert_types_count", - FT_UINT8, BASE_DEC, NULL, 0x0, - "Count of certificate types", HFILL } - }, - { &hf_dtls_handshake_cert_types, - { "Certificate types", "dtls.handshake.cert_types", - FT_NONE, BASE_NONE, NULL, 0x0, - "List of certificate types", HFILL } - }, - { &hf_dtls_handshake_cert_type, - { "Certificate type", "dtls.handshake.cert_type", - FT_UINT8, BASE_DEC, VALS(ssl_31_client_certificate_type), 0x0, - NULL, HFILL } - }, { &hf_dtls_handshake_finished, { "Verify Data", "dtls.handshake.verify_data", FT_NONE, BASE_NONE, NULL, 0x0, @@ -2409,26 +2223,6 @@ proto_register_dtls(void) FT_UINT8, BASE_DEC, NULL, 0x0, "Length of session ID field", HFILL } }, - { &hf_dtls_handshake_dnames_len, - { "Distinguished Names Length", "dtls.handshake.dnames_len", - FT_UINT16, BASE_DEC, NULL, 0x0, - "Length of list of CAs that server trusts", HFILL } - }, - { &hf_dtls_handshake_dnames, - { "Distinguished Names", "dtls.handshake.dnames", - FT_NONE, BASE_NONE, NULL, 0x0, - "List of CAs that server trusts", HFILL } - }, - { &hf_dtls_handshake_dname_len, - { "Distinguished Name Length", "dtls.handshake.dname_len", - FT_UINT16, BASE_DEC, NULL, 0x0, - "Length of distinguished name", HFILL } - }, - { &hf_dtls_handshake_dname, - { "Distinguished Name", "dtls.handshake.dname", - FT_BYTES, BASE_NONE, NULL, 0x0, - "Distinguished name of a CA that server trusts", HFILL } - }, { &hf_dtls_heartbeat_message, { "Heartbeat Message", "dtls.heartbeat_message", FT_NONE, BASE_NONE, NULL, 0x0, @@ -2508,8 +2302,6 @@ proto_register_dtls(void) &ett_dtls_random, &ett_dtls_new_ses_ticket, &ett_dtls_certs, - &ett_dtls_cert_types, - &ett_dtls_dnames, &ett_dtls_fragment, &ett_dtls_fragments, SSL_COMMON_ETT_LIST(dissect_dtls_hf) 
@@ -2519,7 +2311,6 @@ proto_register_dtls(void) { &ei_dtls_handshake_fragment_length_too_long, { "dtls.handshake.fragment_length.too_long", PI_PROTOCOL, PI_ERROR, "Fragment length is larger than message length", EXPFILL }}, { &ei_dtls_handshake_fragment_past_end_msg, { "dtls.handshake.fragment_past_end_msg", PI_PROTOCOL, PI_ERROR, "Fragment runs past the end of the message", EXPFILL }}, { &ei_dtls_msg_len_diff_fragment, { "dtls.msg_len_diff_fragment", PI_PROTOCOL, PI_ERROR, "Message length differs from value in earlier fragment", EXPFILL }}, - { &ei_dtls_handshake_sig_hash_alg_len_bad, { "dtls.handshake.sig_hash_alg_len.bad", PI_MALFORMED, PI_ERROR, "Signature Hash Algorithm length must be a multiple of 2", EXPFILL }}, { &ei_dtls_heartbeat_payload_length, {"dtls.heartbeat_message.payload_length.invalid", PI_MALFORMED, PI_ERROR, "Invalid heartbeat payload length", EXPFILL }}, SSL_COMMON_EI_LIST(dissect_dtls_hf, "dtls") diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c index ca4b823b0c..578b8a9800 100644 --- a/epan/dissectors/packet-ssl-utils.c +++ b/epan/dissectors/packet-ssl-utils.c @@ -41,6 +41,7 @@ #include <epan/expert.h> #include <epan/asn1.h> #include <epan/dissectors/packet-x509af.h> +#include "packet-x509if.h" #include <wsutil/file_util.h> #include <wsutil/str_util.h> 
@@ -5170,6 +5171,151 @@ ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, } void +ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, + proto_tree *tree, guint32 offset, packet_info *pinfo, + const SslSession *session) +{ + /* + * enum { + * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), + * (255) + * } ClientCertificateType; + * + * opaque DistinguishedName<1..2^16-1>; + * + * struct { + * ClientCertificateType certificate_types<1..2^8-1>; + * DistinguishedName certificate_authorities<3..2^16-1>; + * } CertificateRequest; + * + * + * As per TLSv1.2 (RFC 5246) the format has changed to: + * + * enum { + * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), + * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6), + * fortezza_dms_RESERVED(20), (255) + * } ClientCertificateType; + * + * enum { + * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), + * sha512(6), (255) + * } HashAlgorithm; + * + * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } + * SignatureAlgorithm; + * + * struct { + * HashAlgorithm hash; + * SignatureAlgorithm signature; + * } SignatureAndHashAlgorithm; + * + * SignatureAndHashAlgorithm + * supported_signature_algorithms<2..2^16-2>; + * + * opaque DistinguishedName<1..2^16-1>; + * + * struct { + * ClientCertificateType certificate_types<1..2^8-1>; + * SignatureAndHashAlgorithm + * supported_signature_algorithms<2^16-1>; + * DistinguishedName certificate_authorities<0..2^16-1>; + * } CertificateRequest; + * + */ + proto_item *ti; + proto_tree *subtree; + guint8 cert_types_count; + gint sh_alg_length; + gint dnames_length; + asn1_ctx_t asn1_ctx; + gint ret; + + if (!tree) + return; + + asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo); + + cert_types_count = tvb_get_guint8(tvb, offset); + proto_tree_add_uint(tree, hf->hf.hs_cert_types_count, + tvb, offset, 1, cert_types_count); + offset++; + + if (cert_types_count > 0) { + ti = proto_tree_add_none_format(tree, + 
hf->hf.hs_cert_types, + tvb, offset, cert_types_count, + "Certificate types (%u type%s)", + cert_types_count, + plurality(cert_types_count, "", "s")); + subtree = proto_item_add_subtree(ti, hf->ett.cert_types); + + while (cert_types_count > 0) { + proto_tree_add_item(subtree, hf->hf.hs_cert_type, + tvb, offset, 1, ENC_BIG_ENDIAN); + offset++; + cert_types_count--; + } + } + + switch (session->version) { + case SSL_VER_TLSv1DOT2: + case SSL_VER_DTLS1DOT2: + sh_alg_length = tvb_get_ntohs(tvb, offset); + if (sh_alg_length % 2) { + expert_add_info_format(pinfo, NULL, + &hf->ei.hs_sig_hash_alg_len_bad, + "Signature Hash Algorithm length (%d) must be a multiple of 2", + sh_alg_length); + return; + } + + proto_tree_add_uint(tree, hf->hf.hs_sig_hash_alg_len, + tvb, offset, 2, sh_alg_length); + offset += 2; + + ret = ssl_dissect_hash_alg_list(hf, tvb, tree, offset, sh_alg_length); + if (ret >= 0) + offset += ret; + break; + + default: + break; + } + + dnames_length = tvb_get_ntohs(tvb, offset); + proto_tree_add_uint(tree, hf->hf.hs_dnames_len, + tvb, offset, 2, dnames_length); + offset += 2; + + if (dnames_length > 0) { + ti = proto_tree_add_none_format(tree, + hf->hf.hs_dnames, + tvb, offset, dnames_length, + "Distinguished Names (%d byte%s)", + dnames_length, + plurality(dnames_length, "", "s")); + subtree = proto_item_add_subtree(ti, hf->ett.dnames); + + while (dnames_length > 0) { + /* get the length of the current certificate */ + guint16 name_length; + name_length = tvb_get_ntohs(tvb, offset); + dnames_length -= 2 + name_length; + + proto_tree_add_item(subtree, hf->hf.hs_dname_len, + tvb, offset, 2, ENC_BIG_ENDIAN); + offset += 2; + + dissect_x509if_DistinguishedName(FALSE, tvb, offset, &asn1_ctx, + subtree, hf->hf.hs_dname); + offset += name_length; + } + } +} + + +void ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, guint32 offset) { guint16 url_hash_len; 
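Review bot: The odd-length check in the `SSL_VER_TLSv1DOT2`/`SSL_VER_DTLS1DOT2` case of the new `ssl_dissect_hnd_cert_req` raises `hs_sig_hash_alg_len_bad` with a `NULL` item and returns before the length field has been added, so the malformed indication is attached to no field and the offending length never appears in the tree; adding the `hs_sig_hash_alg_len` item first and hanging the expert info on it fixes both. The distinguished-names loop has a similar gap: `dnames_length -= 2 + name_length;` lets a `name_length` larger than what remains in the list push `dnames_length` negative and end the loop silently, so an inconsistent or truncated CA list is never reported (tvb bounds checks still catch reads past the buffer, but not a list whose inner lengths disagree with the outer one). A comparison before the subtraction, reported through a new `ei` entry (proposed name `hs_dname_len_bad`, to be registered in `SSL_COMMON_EI_LIST`), makes that visible to the user. Separately, when `ssl_dissect_hash_alg_list` returns a negative value the offset is left at the start of the algorithm list and the names are then parsed from the wrong position — its return contract is not visible in this diff, but if negative means error the function should probably stop there rather than continue.

```c
    case SSL_VER_TLSv1DOT2:
    case SSL_VER_DTLS1DOT2:
        sh_alg_length = tvb_get_ntohs(tvb, offset);
        /* add the length first so the malformed indication has a field to hang on */
        ti = proto_tree_add_uint(tree, hf->hf.hs_sig_hash_alg_len,
                                 tvb, offset, 2, sh_alg_length);
        if (sh_alg_length % 2) {
            expert_add_info_format(pinfo, ti, &hf->ei.hs_sig_hash_alg_len_bad,
                                   "Signature Hash Algorithm length (%d) must be a multiple of 2",
                                   sh_alg_length);
            return;
        }
        offset += 2;
        /* … unchanged: ssl_dissect_hash_alg_list call and offset advance … */

    /* … unchanged: dnames_length item, "Distinguished Names" item (ti) and subtree … */
        while (dnames_length > 0) {
            guint16 name_length;
            name_length = tvb_get_ntohs(tvb, offset);
            /* a name claiming more than what is left in the list is malformed;
             * report it on the list item and stop (hs_dname_len_bad: proposed new ei) */
            if (2 + name_length > dnames_length) {
                expert_add_info_format(pinfo, ti, &hf->ei.hs_dname_len_bad,
                                       "Distinguished Name length (%u) exceeds remaining list length (%d)",
                                       (guint)name_length, dnames_length);
                return;
            }
            dnames_length -= 2 + name_length;
            /* … unchanged: dname_len item, DistinguishedName dissection, offset += name_length … */
```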
diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h index c11c01ddfe..482fd94f6b 100644 --- a/epan/dissectors/packet-ssl-utils.h +++ b/epan/dissectors/packet-ssl-utils.h @@ -677,6 +677,13 @@ typedef struct ssl_common_dissect { gint hs_certificates; gint hs_certificate_len; gint hs_certificate; + gint hs_cert_types_count; + gint hs_cert_types; + gint hs_cert_type; + gint hs_dnames_len; + gint hs_dnames; + gint hs_dname_len; + gint hs_dname; /* do not forget to update SSL_COMMON_LIST_T and SSL_COMMON_HF_LIST! */ } hf; @@ -695,11 +702,14 @@ typedef struct ssl_common_dissect { gint urlhash; gint keyex_params; gint certificates; + gint cert_types; + gint dnames; /* do not forget to update SSL_COMMON_LIST_T and SSL_COMMON_ETT_LIST! */ } ett; struct { expert_field hs_ext_cert_status_undecoded; + expert_field hs_sig_hash_alg_len_bad; /* do not forget to update SSL_COMMON_LIST_T and SSL_COMMON_EI_LIST! */ } ei; @@ -720,6 +730,11 @@ ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, const SslSession *session, gint is_from_server); extern void +ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, + proto_tree *tree, guint32 offset, packet_info *pinfo, + const SslSession *session); + +extern void ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, guint32 offset); extern void @@ -740,13 +755,13 @@ ssl_common_dissect_t name = { \ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \ - -1, -1, -1, -1, -1, -1, -1, -1, -1, \ + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \ }, \ /* ett */ { \ - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \ + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \ }, \ /* ei */ { \ - EI_INIT, \ + EI_INIT, EI_INIT, \ }, \ } /* }}} */ 
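Review bot: The new `ssl_dissect_hnd_cert_req` prototype in the `@@ -720` hunk is exported without a doc comment, while it is now the shared entry point for both dissectors; a short block above it should say that it dissects a CertificateRequest body starting at `offset`, that `session->version` decides whether the TLS 1.2 / DTLS 1.2 signature-algorithm list is parsed, that it does nothing when `tree` is NULL, and that it returns early after raising `hs_sig_hash_alg_len_bad` when that list length is odd. In the `@@ -740` hunk the `SSL_COMMON_LIST_T` initializer grows the hf row by seven `-1` entries and the ett row by two, which does match the seven new `hf` and two new `ett` members, but these counted rows are fragile: a row that is one entry short is accepted silently and the tail is zero-initialised rather than `-1`. A designated initializer or a compile-time count check would make the next addition harder to get wrong.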
@@ -1117,6 +1132,41 @@ ssl_common_dissect_t name = { \ { "Certificate Length", prefix ".handshake.certificate_length", \ FT_UINT24, BASE_DEC, NULL, 0x0, \ "Length of certificate", HFILL } \ + }, \ + { & name .hf.hs_cert_types_count, \ + { "Certificate types count", prefix ".handshake.cert_types_count",\ + FT_UINT8, BASE_DEC, NULL, 0x0, \ + "Count of certificate types", HFILL } \ + }, \ + { & name .hf.hs_cert_types, \ + { "Certificate types", prefix ".handshake.cert_types", \ + FT_NONE, BASE_NONE, NULL, 0x0, \ + "List of certificate types", HFILL } \ + }, \ + { & name .hf.hs_cert_type, \ + { "Certificate type", prefix ".handshake.cert_type", \ + FT_UINT8, BASE_DEC, VALS(ssl_31_client_certificate_type), 0x0, \ + NULL, HFILL } \ + }, \ + { & name .hf.hs_dnames_len, \ + { "Distinguished Names Length", prefix ".handshake.dnames_len", \ + FT_UINT16, BASE_DEC, NULL, 0x0, \ + "Length of list of CAs that server trusts", HFILL } \ + }, \ + { & name .hf.hs_dnames, \ + { "Distinguished Names", prefix ".handshake.dnames", \ + FT_NONE, BASE_NONE, NULL, 0x0, \ + "List of CAs that server trusts", HFILL } \ + }, \ + { & name .hf.hs_dname_len, \ + { "Distinguished Name Length", prefix ".handshake.dname_len", \ + FT_UINT16, BASE_DEC, NULL, 0x0, \ + "Length of distinguished name", HFILL } \ + }, \ + { & name .hf.hs_dname, \ + { "Distinguished Name", prefix ".handshake.dname", \ + FT_NONE, BASE_NONE, NULL, 0x0, \ + "Distinguished name of a CA that server trusts", HFILL } \ } /* }}} */ 
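Review bot: `hs_dname` is registered here with `FT_NONE`, which is what packet-ssl.c used, but the DTLS definition it replaces (`hf_dtls_handshake_dname`, removed in the packet-dtls.c section) was `FT_BYTES`, so the type of `dtls.handshake.dname` changes with this commit and the commit message, which lists the other differences between the two originals, does not mention it. If `FT_NONE` is the intended type for both — it is the item `dissect_x509if_DistinguishedName` is handed as `hf->hf.hs_dname` — a line in the message saying so would spare the next reader the comparison; display filters that relied on the bytes value of the DTLS field are affected either way.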
@@ -1136,12 +1186,20 @@ ssl_common_dissect_t name = { \ & name .ett.urlhash, \ & name .ett.keyex_params, \ & name .ett.certificates, \ + & name .ett.cert_types, \ + & name .ett.dnames, \ /* }}} */ /* {{{ */ #define SSL_COMMON_EI_LIST(name, prefix) \ - { & name .ei.hs_ext_cert_status_undecoded, { prefix ".handshake.status_request.undecoded", PI_UNDECODED, PI_NOTE, \ - "Responder ID list or Request Extensions are not implemented, contact Wireshark developers if you want this to be supported", EXPFILL }} + { & name .ei.hs_ext_cert_status_undecoded, \ + { prefix ".handshake.status_request.undecoded", PI_UNDECODED, PI_NOTE, \ + "Responder ID list or Request Extensions are not implemented, contact Wireshark developers if you want this to be supported", EXPFILL } \ + }, \ + { & name .ei.hs_sig_hash_alg_len_bad, \ + { prefix ".handshake.sig_hash_alg_len.mult2", PI_MALFORMED, PI_ERROR, \ + "Signature Hash Algorithm length must be a multiple of 2", EXPFILL } \ + }, \ /* }}} */ typedef struct ssl_common_options { diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c index 72d5b2922d..cf7f176926 100644 --- a/epan/dissectors/packet-ssl.c +++ b/epan/dissectors/packet-ssl.c @@ -103,7 +103,6 @@ #include <epan/tap.h> #include <wsutil/filesystem.h> #include <epan/expert.h> -#include "packet-x509if.h" #include "packet-ssl.h" #include "packet-ssl-utils.h" #include <wsutil/file_util.h> @@ -162,9 +161,6 @@ static gint hf_ssl_handshake_comp_method = -1; static gint hf_ssl_handshake_session_ticket_lifetime_hint = -1; static gint hf_ssl_handshake_session_ticket_len = -1; static gint hf_ssl_handshake_session_ticket = -1; -static gint hf_ssl_handshake_cert_types_count = -1; -static gint hf_ssl_handshake_cert_types = -1; -static gint hf_ssl_handshake_cert_type = -1; static gint hf_ssl_handshake_client_cert_vrfy_sig_len = -1; static gint hf_ssl_handshake_client_cert_vrfy_sig = -1; static gint hf_ssl_handshake_cert_status = -1; 
@@ -178,10 +174,6 @@ static gint hf_ssl_handshake_finished = -1; static gint hf_ssl_handshake_md5_hash = -1; static gint hf_ssl_handshake_sha_hash = -1; static gint hf_ssl_handshake_session_id_len = -1; -static gint hf_ssl_handshake_dnames_len = -1; -static gint hf_ssl_handshake_dnames = -1; -static gint hf_ssl_handshake_dname_len = -1; -static gint hf_ssl_handshake_dname = -1; static gint hf_ssl2_handshake_cipher_spec_len = -1; static gint hf_ssl2_handshake_session_id_len = -1; static gint hf_ssl2_handshake_challenge_len = -1; @@ -236,8 +228,6 @@ static gint ett_ssl_heartbeat = -1; static gint ett_ssl_cipher_suites = -1; static gint ett_ssl_comp_methods = -1; static gint ett_ssl_certs = -1; -static gint ett_ssl_cert_types = -1; -static gint ett_ssl_dnames = -1; static gint ett_ssl_random = -1; static gint ett_ssl_new_ses_ticket = -1; static gint ett_ssl_cli_sig = -1; @@ -251,7 +241,6 @@ static gint ett_ssl_segments = -1; static gint ett_ssl_segment = -1; static expert_field ei_ssl_handshake_cipher_suites_mult2 = EI_INIT; -static expert_field ei_ssl_handshake_sig_hash_algs_mult2 = EI_INIT; static expert_field ei_ssl2_handshake_session_id_len_error = EI_INIT; static expert_field ei_ssl3_heartbeat_payload_length = EI_INIT; @@ -507,11 +496,6 @@ static void dissect_ssl3_hnd_new_ses_ticket(tvbuff_t *tvb, guint32 offset, guint32 length, SslDecryptSession *ssl); -static void dissect_ssl3_hnd_cert_req(tvbuff_t *tvb, - proto_tree *tree, - guint32 offset, packet_info *pinfo, - const SslSession *session); - static void dissect_ssl3_hnd_cli_cert_verify(tvbuff_t *tvb, proto_tree *tree, guint32 offset, guint32 length); @@ -1996,7 +1980,7 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo, break; case SSL_HND_CERT_REQUEST: - dissect_ssl3_hnd_cert_req(tvb, ssl_hand_tree, offset, pinfo, session); + ssl_dissect_hnd_cert_req(&dissect_ssl3_hf, tvb, ssl_hand_tree, offset, pinfo, session); break; case SSL_HND_SVR_HELLO_DONE: 
@@ -2482,149 +2466,6 @@ dissect_ssl3_hnd_new_ses_ticket(tvbuff_t *tvb, proto_tree *tree, tvb, offset, nst_len, ENC_NA); } -static void -dissect_ssl3_hnd_cert_req(tvbuff_t *tvb, - proto_tree *tree, guint32 offset, packet_info *pinfo, - const SslSession *session) -{ - /* - * enum { - * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), - * (255) - * } ClientCertificateType; - * - * opaque DistinguishedName<1..2^16-1>; - * - * struct { - * ClientCertificateType certificate_types<1..2^8-1>; - * DistinguishedName certificate_authorities<3..2^16-1>; - * } CertificateRequest; - * - * - * As per TLSv1.2 (RFC 5246) the format has changed to: - * - * enum { - * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), - * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6), - * fortezza_dms_RESERVED(20), (255) - * } ClientCertificateType; - * - * enum { - * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), - * sha512(6), (255) - * } HashAlgorithm; - * - * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } - * SignatureAlgorithm; - * - * struct { - * HashAlgorithm hash; - * SignatureAlgorithm signature; - * } SignatureAndHashAlgorithm; - * - * SignatureAndHashAlgorithm - * supported_signature_algorithms<2..2^16-2>; - * - * opaque DistinguishedName<1..2^16-1>; - * - * struct { - * ClientCertificateType certificate_types<1..2^8-1>; - * SignatureAndHashAlgorithm - * supported_signature_algorithms<2^16-1>; - * DistinguishedName certificate_authorities<0..2^16-1>; - * } CertificateRequest; - * - */ - proto_item *ti; - proto_tree *subtree; - guint8 cert_types_count; - gint sh_alg_length; - gint dnames_length; - asn1_ctx_t asn1_ctx; - gint ret; - - if (!tree) - return; - - asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo); - - cert_types_count = tvb_get_guint8(tvb, offset); - proto_tree_add_uint(tree, hf_ssl_handshake_cert_types_count, - tvb, offset, 1, cert_types_count); - offset++; - - if (cert_types_count > 0) { - ti = 
proto_tree_add_none_format(tree, - hf_ssl_handshake_cert_types, - tvb, offset, cert_types_count, - "Certificate types (%u type%s)", - cert_types_count, - plurality(cert_types_count, "", "s")); - subtree = proto_item_add_subtree(ti, ett_ssl_cert_types); - - while (cert_types_count > 0) { - proto_tree_add_item(subtree, hf_ssl_handshake_cert_type, - tvb, offset, 1, ENC_BIG_ENDIAN); - offset++; - cert_types_count--; - } - } - - switch (session->version) { - case SSL_VER_TLSv1DOT2: - sh_alg_length = tvb_get_ntohs(tvb, offset); - if (sh_alg_length % 2) { - expert_add_info_format(pinfo, NULL, - &ei_ssl_handshake_sig_hash_algs_mult2, - "Signature Hash Algorithm length (%d) must be a multiple of 2", - sh_alg_length); - return; - } - - proto_tree_add_uint(tree, dissect_ssl3_hf.hf.hs_sig_hash_alg_len, - tvb, offset, 2, sh_alg_length); - offset += 2; - - ret = ssl_dissect_hash_alg_list(&dissect_ssl3_hf, tvb, tree, offset, sh_alg_length); - if (ret>=0) - offset += ret; - break; - - default: - break; - } - - dnames_length = tvb_get_ntohs(tvb, offset); - proto_tree_add_uint(tree, hf_ssl_handshake_dnames_len, - tvb, offset, 2, dnames_length); - offset += 2; - - if (dnames_length > 0) { - ti = proto_tree_add_none_format(tree, - hf_ssl_handshake_dnames, - tvb, offset, dnames_length, - "Distinguished Names (%d byte%s)", - dnames_length, - plurality(dnames_length, "", "s")); - subtree = proto_item_add_subtree(ti, ett_ssl_dnames); - - while (dnames_length > 0) { - /* get the length of the current certificate */ - guint16 name_length; - name_length = tvb_get_ntohs(tvb, offset); - dnames_length -= 2 + name_length; - - proto_tree_add_item(subtree, hf_ssl_handshake_dname_len, - tvb, offset, 2, ENC_BIG_ENDIAN); - offset += 2; - - (void)dissect_x509if_DistinguishedName(FALSE, tvb, offset, - &asn1_ctx, subtree, hf_ssl_handshake_dname); - offset += name_length; - } - } -} - static void dissect_ssl3_hnd_cli_cert_verify(tvbuff_t *tvb, proto_tree *tree, 
@@ -4415,21 +4256,6 @@ proto_register_ssl(void) FT_BYTES, BASE_NONE, NULL, 0x0, "New TLS Session Ticket", HFILL } }, - { &hf_ssl_handshake_cert_types_count, - { "Certificate types count", "ssl.handshake.cert_types_count", - FT_UINT8, BASE_DEC, NULL, 0x0, - "Count of certificate types", HFILL } - }, - { &hf_ssl_handshake_cert_types, - { "Certificate types", "ssl.handshake.cert_types", - FT_NONE, BASE_NONE, NULL, 0x0, - "List of certificate types", HFILL } - }, - { &hf_ssl_handshake_cert_type, - { "Certificate type", "ssl.handshake.cert_type", - FT_UINT8, BASE_DEC, VALS(ssl_31_client_certificate_type), 0x0, - NULL, HFILL } - }, { &hf_ssl_handshake_client_cert_vrfy_sig_len, { "Signature length", "ssl.handshake.client_cert_vrfy.sig_len", FT_UINT16, BASE_DEC, NULL, 0x0, @@ -4495,26 +4321,6 @@ proto_register_ssl(void) FT_UINT8, BASE_DEC, NULL, 0x0, "Length of session ID field", HFILL } }, - { &hf_ssl_handshake_dnames_len, - { "Distinguished Names Length", "ssl.handshake.dnames_len", - FT_UINT16, BASE_DEC, NULL, 0x0, - "Length of list of CAs that server trusts", HFILL } - }, - { &hf_ssl_handshake_dnames, - { "Distinguished Names", "ssl.handshake.dnames", - FT_NONE, BASE_NONE, NULL, 0x0, - "List of CAs that server trusts", HFILL } - }, - { &hf_ssl_handshake_dname_len, - { "Distinguished Name Length", "ssl.handshake.dname_len", - FT_UINT16, BASE_DEC, NULL, 0x0, - "Length of distinguished name", HFILL } - }, - { &hf_ssl_handshake_dname, - { "Distinguished Name", "ssl.handshake.dname", - FT_NONE, BASE_NONE, NULL, 0x0, - "Distinguished name of a CA that server trusts", HFILL } - }, { &hf_ssl_heartbeat_message, { "Heartbeat Message", "ssl.heartbeat_message", FT_NONE, BASE_NONE, NULL, 0x0, @@ -4735,8 +4541,6 @@ proto_register_ssl(void) &ett_ssl_cipher_suites, &ett_ssl_comp_methods, &ett_ssl_certs, - &ett_ssl_cert_types, - &ett_ssl_dnames, &ett_ssl_random, &ett_ssl_new_ses_ticket, &ett_ssl_cli_sig, 
@@ -4753,7 +4557,6 @@ proto_register_ssl(void) static ei_register_info ei[] = { { &ei_ssl_handshake_cipher_suites_mult2, { "ssl.handshake.cipher_suites_length.mult2", PI_MALFORMED, PI_ERROR, "Cipher suite length must be a multiple of 2", EXPFILL }}, - { &ei_ssl_handshake_sig_hash_algs_mult2, { "ssl.handshake.sig_hash_alg_len.mult2", PI_MALFORMED, PI_ERROR, "Signature Hash Algorithm length must be a multiple of 2", EXPFILL }}, { &ei_ssl2_handshake_session_id_len_error, { "ssl.handshake.session_id_length.error", PI_MALFORMED, PI_ERROR, "Session ID length error", EXPFILL }}, { &ei_ssl3_heartbeat_payload_length, {"ssl.heartbeat_message.payload_length.invalid", PI_MALFORMED, PI_ERROR, "Invalid heartbeat payload length", EXPFILL }}, SSL_COMMON_EI_LIST(dissect_ssl3_hf, "ssl") |