author | Anders Broman <anders.broman@ericsson.com> | 2005-11-16 07:13:12 +0000 |
committer | Anders Broman <anders.broman@ericsson.com> | 2005-11-16 07:13:12 +0000 |
commit | c33182b8982742ece2bbfa298977a5aa09f48377 (patch) | |
tree | 0c7664cef1a075c4ecb3ad5ddc8d364055957829 /asn1/cms | |
parent | 893ad69c74f54fc9bb7ac7b7ffc3c0e28bd4d418 (diff) |
From Graeme Lunt:
Here are a number of small patches for asn1 based dissectors:
acse:
release request/response column information (many X.400/X.500 unbinds are
empty)
"standardised" PNAME to "ISO 8650-1 OSI Association Control Service"
fix for crash when using EXTERNAL dissector
rtse:
column information when attempting a resume
x509if:
generation of LDAP-style DNs from RDNSequences
new function x509if_get_last_dn() to get the last DN generated.
x509af:
DSS parameters
certificate extension naming
subject naming of certificate
x509sat:
Guide syntax (as SET now supported)
PDU exports.
cms:
verification of message digest attribute (SHA-1 and MD5)
ess:
enumerated/restrictive/permissive/informative security categories
x411:
generation of string encoding of X.400 addresses, trace information and message identifiers.
s4406:
separate types for primary and copy precedence to allow better filtering (e.g. primary precedence = flash)
priority-level-qualifier
svn path=/trunk/; revision=16508
Diffstat (limited to 'asn1/cms')
-rw-r--r-- | asn1/cms/Makefile.nmake | 4 | ||||
-rw-r--r-- | asn1/cms/cms.cnf | 42 | ||||
-rw-r--r-- | asn1/cms/packet-cms-template.c | 76 |
3 files changed, 116 insertions, 6 deletions
diff --git a/asn1/cms/Makefile.nmake b/asn1/cms/Makefile.nmake
index 21948a74a3..4bbaef8195 100644
--- a/asn1/cms/Makefile.nmake
+++ b/asn1/cms/Makefile.nmake
@@ -37,6 +37,6 @@ fix_eol: generate_dissector
 	del /f packet-$(PROTOCOL_NAME).c.tmp packet-$(PROTOCOL_NAME).h.tmp
 copy_files: generate_dissector fix_eol
-	xcopy packet-$(PROTOCOL_NAME).c ..\..\epan\dissectors /d
-	xcopy packet-$(PROTOCOL_NAME).h ..\..\epan\dissectors /d
+	xcopy packet-$(PROTOCOL_NAME).c ..\..\epan\dissectors /d /y
+	xcopy packet-$(PROTOCOL_NAME).h ..\..\epan\dissectors /d /y
diff --git a/asn1/cms/cms.cnf b/asn1/cms/cms.cnf
index 2c09a38d58..95e29b91c1 100644
--- a/asn1/cms/cms.cnf
+++ b/asn1/cms/cms.cnf
@@ -46,6 +46,13 @@ Countersignature B "1.2.840.113549.1.9.6" "id-counterSignature"
 #.FIELD_RENAME
 SignerInfo/signature signatureValue
 RecipientEncryptedKey/rid rekRid
+EncryptedContentInfo/contentType encryptedContentType
+
+#.FN_BODY ContentInfo
+  top_tree = tree;
+  %(DEFAULT_BODY)s
+  content_tvb = NULL;
+  top_tree = NULL;
 #.FN_BODY ContentInfo/contentType
   offset = dissect_ber_object_identifier_str(FALSE, pinfo, tree, tvb, offset, 
@@ -64,13 +71,16 @@ RecipientEncryptedKey/rid rekRid
   gint32 tag;
   guint32 len;
   int pdu_offset = offset;
+  int content_offset;
   /* XXX Do we care about printing out the octet string? */
-  offset = dissect_cms_OCTET_STRING(FALSE, tvb, offset, pinfo, tree, hf_cms_eContent);
+  offset = dissect_cms_OCTET_STRING(FALSE, tvb, offset, pinfo, NULL, hf_cms_eContent);
   pdu_offset = get_ber_identifier(tvb, pdu_offset, &class, &pc, &tag);
-  pdu_offset = get_ber_length(tree, tvb, pdu_offset, &len, &ind);
-  pdu_offset = call_ber_oid_callback(object_identifier_id, tvb, pdu_offset, pinfo, tree);
+  content_offset = pdu_offset = get_ber_length(tree, tvb, pdu_offset, &len, &ind);
+  pdu_offset = call_ber_oid_callback(object_identifier_id, tvb, pdu_offset, pinfo, top_tree ? top_tree : tree);
+
+  content_tvb = tvb_new_subset(tvb, content_offset, len, -1);
 #.FN_PARS OtherKeyAttribute/keyAttrId
 FN_VARIANT = _str  HF_INDEX = hf_cms_ci_contentType  VAL_PTR = &object_identifier_id
@@ -78,13 +88,39 @@ RecipientEncryptedKey/rid rekRid
 #.FN_BODY OtherKeyAttribute/keyAttr
   offset=call_ber_oid_callback(object_identifier_id, tvb, offset, pinfo, tree);
+
 #.FN_PARS Attribute/attrType
 FN_VARIANT = _str  HF_INDEX = hf_cms_attrType  VAL_PTR = &object_identifier_id
+#.FN_BODY Attribute/attrType
+  char *name = NULL;
+
+  %(DEFAULT_BODY)s
+
+  if(object_identifier_id) {
+    name = get_ber_oid_name(object_identifier_id);
+    proto_item_append_text(tree, " (%%s)", name ? name : object_identifier_id);
+  }
+
 #.FN_BODY AttributeValue
   offset=call_ber_oid_callback(object_identifier_id, tvb, offset, pinfo, tree);
+#.FN_BODY MessageDigest
+  proto_item *pi;
+  int old_offset = offset;
+
+  %(DEFAULT_BODY)s
+
+  pi = get_ber_last_created_item();
+
+  /* move past TLV */
+  old_offset = get_ber_identifier(tvb, old_offset, NULL, NULL, NULL);
+  old_offset = get_ber_length(tree, tvb, old_offset, NULL, NULL);
+
+  if(content_tvb)
+    cms_verify_msg_digest(pi, content_tvb, x509af_get_last_algorithm_id(), tvb, old_offset);
+
 #.END
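Review bot: `content_tvb = tvb_new_subset(tvb, content_offset, len, -1);` uses the `len` returned by `get_ber_length` even when that call sets `ind` for an indefinite-length encoding, in which case `len` does not describe the content bytes, so the digest computed later from `content_tvb` covers the wrong range and a valid message would be reported as incorrect. Leaving `content_tvb` NULL in that case lets the MessageDigest body fall through to its existing "unable to verify" path: `content_tvb = ind ? NULL : tvb_new_subset(tvb, content_offset, len, -1);`. `len` is a `guint32` handed to a signed length parameter, so a value that does not fit is worth rejecting in the same guard. The eContent body (with the `class`, `pc` and `ind` declarations) begins before this hunk.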
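Review bot: In the new MessageDigest body, `old_offset = get_ber_length(tree, tvb, old_offset, NULL, NULL);` discards the length of the received digest OCTET STRING, so the verifier can only compare the first expected-size bytes at `old_offset` and a digest value longer than the algorithm's output (with a matching prefix) is still reported as matching. Capture it with `guint32 len;` and `old_offset = get_ber_length(tree, tvb, old_offset, &len, NULL);` and pass it to `cms_verify_msg_digest` so it can require the length to equal the algorithm's digest size before comparing; that means widening the function's signature in packet-cms-template.c as well. `x509af_get_last_algorithm_id()` is passed straight to `strcmp` inside the verifier; if it can return NULL when no digestAlgorithm has been seen (not confirmable from this page) the guard should read `if(content_tvb && alg)` with the result stored first.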
diff --git a/asn1/cms/packet-cms-template.c b/asn1/cms/packet-cms-template.c
index c52c79da72..48115551a1 100644
--- a/asn1/cms/packet-cms-template.c
+++ b/asn1/cms/packet-cms-template.c
@@ -39,6 +39,9 @@
 #include "packet-x509af.h"
 #include "packet-x509if.h"
+#include <epan/sha1.h>
+#include <epan/crypt-md5.h>
+
 #define PNAME "Cryptographic Message Syntax"
 #define PSNAME "CMS"
 #define PFNAME "cms"
@@ -55,9 +58,80 @@ static int dissect_cms_OCTET_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb, in
 static const char *object_identifier_id;
+static tvbuff_t *content_tvb = NULL;
-#include "packet-cms-fn.c"
+static proto_tree *top_tree=NULL;
+
+#define HASH_SHA1 "1.3.14.3.2.26"
+#define SHA1_BUFFER_SIZE 20
+
+#define HASH_MD5 "1.2.840.113549.2.5"
+#define MD5_BUFFER_SIZE 16
+
+
+/* SHA-2 variants */
+#define HASH_SHA224 "2.16.840.1.101.3.4.2.4"
+#define SHA224_BUFFER_SIZE 32 /* actually 28 */
+#define HASH_SHA256 "2.16.840.1.101.3.4.2.1"
+#define SHA256_BUFFER_SIZE 32
+
+unsigned char digest_buf[MAX(SHA1_BUFFER_SIZE, MD5_BUFFER_SIZE)];
+
+static void
+cms_verify_msg_digest(proto_item *pi, tvbuff_t *content, char *alg, tvbuff_t *tvb, int offset)
+{
+  sha1_context sha1_ctx;
+  md5_state_t md5_ctx;
+  int i= 0, buffer_size = 0;
+
+  /* we only support two algorithms at the moment - if we do add SHA2
+     we should add a registration process to use a registration process */
+
+  if(strcmp(alg, HASH_SHA1) == 0) {
+
+    sha1_starts(&sha1_ctx);
+
+    sha1_update(&sha1_ctx,
+		(guint8*)tvb_get_ptr(content, 0, tvb_length(content)),
+		tvb_length(content));
+    sha1_finish(&sha1_ctx, digest_buf);
+
+    buffer_size = SHA1_BUFFER_SIZE;
+
+  } else if(strcmp(alg, HASH_MD5) == 0) {
+
+    md5_init(&md5_ctx);
+
+    md5_append(&md5_ctx,
+	       (const guint8*) tvb_get_ptr(content, 0, tvb_length(content)),
+	       tvb_length(content));
+
+    md5_finish(&md5_ctx, digest_buf);
+
+    buffer_size = MD5_BUFFER_SIZE;
+  }
+
+  if(buffer_size) {
+    /* compare our computed hash with what we have received */
+
+    if(tvb_bytes_exist(tvb, offset, buffer_size) &&
+       (memcmp(tvb_get_ptr(tvb, offset, buffer_size), digest_buf, buffer_size) != 0)) {
+      proto_item_append_text(pi, " [incorrect, should be ");
+      for(i = 0; i < buffer_size; i++)
+	proto_item_append_text(pi, "%02X", digest_buf[i]);
+
+      proto_item_append_text(pi, "]");
+    }
+    else
+      proto_item_append_text(pi, " [correct]");
+  } else {
+    proto_item_append_text(pi, " [unable to verify]");
+  }
+
+}
+
+#include "packet-cms-fn.c"
 /*--- proto_register_cms ----------------------------------------------*/
 void proto_register_cms(void) {
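Review bot: In `cms_verify_msg_digest` the `else` after the combined `tvb_bytes_exist(...) && memcmp(...) != 0` test appends ` [correct]` whenever the received digest is too short for `buffer_size` bytes, because a failing `tvb_bytes_exist` short-circuits into the same branch as a matching digest, so a truncated attribute is labelled correct. The three outcomes (truncated, mismatch, match) should be distinct branches, as below. `digest_buf` is a mutable array with external linkage shared by every call; it should at least be `static`, and since each call fills it completely before reading it, it can simply be a local of this function. A comment on the function is also warranted, saying that ` [correct]` means only that the messageDigest attribute matches the encapsulated content and implies nothing about the signature over the signed attributes.
```c
  /* … unchanged: SHA-1 / MD5 digest computation into digest_buf … */
  if(buffer_size) {
    /* compare our computed hash with what we have received */
    if(!tvb_bytes_exist(tvb, offset, buffer_size)) {
      proto_item_append_text(pi, " [unable to verify: digest truncated]");
    } else if(memcmp(tvb_get_ptr(tvb, offset, buffer_size), digest_buf, buffer_size) != 0) {
      proto_item_append_text(pi, " [incorrect, should be ");
      for(i = 0; i < buffer_size; i++)
        proto_item_append_text(pi, "%02X", digest_buf[i]);
      proto_item_append_text(pi, "]");
    } else {
      proto_item_append_text(pi, " [correct]");
    }
  } else {
    proto_item_append_text(pi, " [unable to verify]");
  }
```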