diff options
author | Nardi Ivan <nardi.ivan@gmail.com> | 2021-06-30 20:53:15 +0200 |
---|---|---|
committer | Wireshark GitLab Utility <gerald+gitlab-utility@wireshark.org> | 2021-07-02 06:29:17 +0000 |
commit | ac49b5aff36bc0c4fbee8f013f4d65ad84685039 (patch) | |
tree | a43466c378ba96f8227c18150227d3543f74b1cf /epan/dissectors | |
parent | 180063997f6b6943355c756cd292a7b278321eca (diff) |
TLS: improve support for "delegated_credentials" extension
Client support was added in bd597dc247.
Now, add decoding of the messages sent by the server.
See: https://www.ietf.org/archive/id/draft-ietf-tls-subcerts-10.txt
Diffstat (limited to 'epan/dissectors')
-rw-r--r-- | epan/dissectors/packet-tls-utils.c | 63 | ||||
-rw-r--r-- | epan/dissectors/packet-tls-utils.h | 34 |
2 files changed, 91 insertions, 6 deletions
diff --git a/epan/dissectors/packet-tls-utils.c b/epan/dissectors/packet-tls-utils.c index c34c67b613..e1ee76e54d 100644 --- a/epan/dissectors/packet-tls-utils.c +++ b/epan/dissectors/packet-tls-utils.c @@ -1195,7 +1195,7 @@ const value_string tls_hello_extension_types[] = { { SSL_HND_HELLO_EXT_CACHED_INFO, "cached_info" }, /* RFC 7924 */ { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */ { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT, "record_size_limit" }, /* RFC 8449 */ - { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS, "delegated_credentials" }, /* draft-ietf-tls-subcerts-09.txt */ + { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */ { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS, "session_ticket" }, /* RFC 5077 / RFC 8447 */ { SSL_HND_HELLO_EXT_KEY_SHARE_OLD, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */ { SSL_HND_HELLO_EXT_PRE_SHARED_KEY, "pre_shared_key" }, /* RFC 8446 */ @@ -6671,9 +6671,64 @@ ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb, static gint ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb, - proto_tree *tree, packet_info* pinfo, guint32 offset, guint32 offset_end) + proto_tree *tree, packet_info* pinfo, guint32 offset, guint32 offset_end, guint8 hnd_type) { - return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end); + if (hnd_type == SSL_HND_CLIENT_HELLO) { + /* + * struct { + * SignatureScheme supported_signature_algorithm<2..2^16-2>; + * } SignatureSchemeList; + */ + + return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end); + } else { + asn1_ctx_t asn1_ctx; + guint pubkey_length, sign_length; + + /* + * struct { + * uint32 valid_time; + * SignatureScheme expected_cert_verify_algorithm; + * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>; + * } Credential; + * + * struct { + * Credential cred; + * SignatureScheme algorithm; + * opaque signature<0..2^16-1>; + * } DelegatedCredential; + */ + + asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo); + + proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + + tls_dissect_signature_algorithm(hf, tvb, tree, offset); + offset += 2; + + if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length, + hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24)) { + return offset_end; + } + offset += 3; + dissect_x509af_SubjectPublicKeyInfo(FALSE, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey); + offset += pubkey_length; + + tls_dissect_signature_algorithm(hf, tvb, tree, offset); + offset += 2; + + if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length, + hf->hf.hs_cred_signature_len, 1, G_MAXUINT16)) { + return offset_end; + } + offset += 2; + proto_tree_add_item(tree, hf->hf.hs_cred_signature, + tvb, offset, sign_length, ENC_ASCII|ENC_NA); + offset += sign_length; + + return offset; + } } static gint @@ -9512,7 +9567,7 @@ ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *t offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset); break; case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS: - offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset); + offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type); break; case SSL_HND_HELLO_EXT_USE_SRTP: if (is_dtls) { diff --git a/epan/dissectors/packet-tls-utils.h b/epan/dissectors/packet-tls-utils.h index 799632020b..699658245b 100644 --- a/epan/dissectors/packet-tls-utils.h +++ b/epan/dissectors/packet-tls-utils.h @@ -108,7 +108,7 @@ typedef enum { #define SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE 27 #define SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT 28 /* 26-33 Unassigned*/ -#define SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS 34 /* draft-ietf-tls-subcerts-09.txt */ +#define SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS 34 /* draft-ietf-tls-subcerts-10.txt */ #define SSL_HND_HELLO_EXT_SESSION_TICKET_TLS 35 /* RFC 8446 (TLS 1.3) */ #define SSL_HND_HELLO_EXT_KEY_SHARE_OLD 40 /* draft-ietf-tls-tls13-22 (removed in -23) */ @@ -966,6 +966,11 @@ typedef struct ssl_common_dissect { gint hs_ext_oid_filters_oid_length; gint hs_ext_oid_filters_oid; gint hs_ext_oid_filters_values_length; + gint hs_cred_valid_time; + gint hs_cred_pubkey; + gint hs_cred_pubkey_len; + gint hs_cred_signature; + gint hs_cred_signature_len; /* compress_certificate */ gint hs_ext_compress_certificate_algorithms_length; @@ -1269,7 +1274,7 @@ ssl_common_dissect_t name = { \ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \ - -1, -1, -1, -1 \ + -1, -1, -1, -1, -1, -1, -1, -1, -1 \ }, \ /* ett */ { \ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \ @@ -2070,6 +2075,31 @@ ssl_common_dissect_t name = { \ FT_UINT16, BASE_DEC, NULL, 0x00, \ NULL, HFILL } \ }, \ + { & name .hf.hs_cred_valid_time, \ + { "Valid Time", prefix ".handshake.cred.valid_time", \ + FT_UINT16, BASE_DEC, NULL, 0x0, \ + "Delegated Credentials Valid Time", HFILL } \ + }, \ + { & name .hf.hs_cred_pubkey, \ + { "Subject Public Key Info", prefix ".handshake.cred.pubkey", \ + FT_BYTES, BASE_NONE, NULL, 0x0, \ + "Delegated Credentials Subject Public Key Info", HFILL } \ + }, \ + { & name .hf.hs_cred_pubkey_len, \ + { "Subject Public Key Info Length", prefix ".handshake.cred.pubkey_len", \ + FT_UINT24, BASE_DEC, NULL, 0x0, \ + "Delegated Credentials Subject Public Key Info Length", HFILL } \ + }, \ + { & name .hf.hs_cred_signature, \ + { "Signature", prefix ".handshake.cred.signature", \ + FT_BYTES, BASE_NONE, NULL, 0x0, \ + "Delegated Credentials Signature", HFILL } \ + }, \ + { & name .hf.hs_cred_signature_len, \ + { "Signature Length", prefix ".handshake.cred.signature_len", \ + FT_UINT16, BASE_DEC, NULL, 0x0, \ + "Delegated Credentials Signature Length", HFILL } \ + }, \ { & name .hf.hs_ext_compress_certificate_algorithms_length, \ { "Algorithms Length", prefix ".compress_certificate.algorithms_length", \ FT_UINT8, BASE_DEC, NULL, 0x00, \ |