TLS: improve support for "delegated_credentials" extension
Client support was added in bd597dc247.

Now add decoding of the messages sent by the server.
See: https://www.ietf.org/archive/id/draft-ietf-tls-subcerts-10.txt
parent
180063997f
commit
ac49b5aff3
@ -1195,7 +1195,7 @@ const value_string tls_hello_extension_types[] = {
|
|||
{ SSL_HND_HELLO_EXT_CACHED_INFO, "cached_info" }, /* RFC 7924 */
|
||||
{ SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
|
||||
{ SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT, "record_size_limit" }, /* RFC 8449 */
|
||||
{ SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS, "delegated_credentials" }, /* draft-ietf-tls-subcerts-09.txt */
|
||||
{ SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
|
||||
{ SSL_HND_HELLO_EXT_SESSION_TICKET_TLS, "session_ticket" }, /* RFC 5077 / RFC 8447 */
|
||||
{ SSL_HND_HELLO_EXT_KEY_SHARE_OLD, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
|
||||
{ SSL_HND_HELLO_EXT_PRE_SHARED_KEY, "pre_shared_key" }, /* RFC 8446 */
|
||||
|
@ -6671,9 +6671,64 @@ ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
|
|||
|
||||
static gint
|
||||
ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
|
||||
proto_tree *tree, packet_info* pinfo, guint32 offset, guint32 offset_end)
|
||||
proto_tree *tree, packet_info* pinfo, guint32 offset, guint32 offset_end, guint8 hnd_type)
|
||||
{
|
||||
return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end);
|
||||
if (hnd_type == SSL_HND_CLIENT_HELLO) {
|
||||
/*
|
||||
* struct {
|
||||
* SignatureScheme supported_signature_algorithm<2..2^16-2>;
|
||||
* } SignatureSchemeList;
|
||||
*/
|
||||
|
||||
return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end);
|
||||
} else {
|
||||
asn1_ctx_t asn1_ctx;
|
||||
guint pubkey_length, sign_length;
|
||||
|
||||
/*
|
||||
* struct {
|
||||
* uint32 valid_time;
|
||||
* SignatureScheme expected_cert_verify_algorithm;
|
||||
* opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
|
||||
* } Credential;
|
||||
*
|
||||
* struct {
|
||||
* Credential cred;
|
||||
* SignatureScheme algorithm;
|
||||
* opaque signature<0..2^16-1>;
|
||||
* } DelegatedCredential;
|
||||
*/
|
||||
|
||||
asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
|
||||
|
||||
proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN);
|
||||
offset += 4;
|
||||
|
||||
tls_dissect_signature_algorithm(hf, tvb, tree, offset);
|
||||
offset += 2;
|
||||
|
||||
if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
|
||||
hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24)) {
|
||||
return offset_end;
|
||||
}
|
||||
offset += 3;
|
||||
dissect_x509af_SubjectPublicKeyInfo(FALSE, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
|
||||
offset += pubkey_length;
|
||||
|
||||
tls_dissect_signature_algorithm(hf, tvb, tree, offset);
|
||||
offset += 2;
|
||||
|
||||
if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
|
||||
hf->hf.hs_cred_signature_len, 1, G_MAXUINT16)) {
|
||||
return offset_end;
|
||||
}
|
||||
offset += 2;
|
||||
proto_tree_add_item(tree, hf->hf.hs_cred_signature,
|
||||
tvb, offset, sign_length, ENC_ASCII|ENC_NA);
|
||||
offset += sign_length;
|
||||
|
||||
return offset;
|
||||
}
|
||||
}
|
||||
|
||||
static gint
|
||||
|
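Review bot: In the DelegatedCredential branch the fixed-size fields are read without checking that they fit inside the extension: `proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN)` and both `tls_dissect_signature_algorithm(hf, tvb, tree, offset)` calls advance `offset` with no comparison against `offset_end`, whereas the two vectors go through `ssl_add_vector` and are bounded. On a truncated extension this dissects the following extension's bytes (or throws at the end of the tvb) instead of flagging this extension as malformed; a guard such as `if (offset_end - offset < 6) return offset_end;` before the valid_time item, ideally paired with the same kind of expert-info item ssl_add_vector raises, would close that. Two smaller mismatches against the struct quoted in the comment: `signature<0..2^16-1>` allows an empty signature but the vector is added with a minimum length of 1, and the SPKI is handed to `dissect_x509af_SubjectPublicKeyInfo` on the full `tvb`, so the BER parser is not confined to `pubkey_length` — passing `tvb_new_subset_length(tvb, offset, pubkey_length)` with offset 0 would bound it to the declared vector. `ENC_ASCII|ENC_NA` on the FT_BYTES signature item is harmless but misleading; `ENC_NA` alone is the conventional encoding for a bytes field.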
@ -9512,7 +9567,7 @@ ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *t
|
|||
offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset);
|
||||
break;
|
||||
case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS:
|
||||
offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset);
|
||||
offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
|
||||
break;
|
||||
case SSL_HND_HELLO_EXT_USE_SRTP:
|
||||
if (is_dtls) {
|
||||
|
|
|
@ -108,7 +108,7 @@ typedef enum {
|
|||
#define SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE 27
|
||||
#define SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT 28
|
||||
/* 26-33 Unassigned*/
|
||||
#define SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS 34 /* draft-ietf-tls-subcerts-09.txt */
|
||||
#define SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS 34 /* draft-ietf-tls-subcerts-10.txt */
|
||||
#define SSL_HND_HELLO_EXT_SESSION_TICKET_TLS 35
|
||||
/* RFC 8446 (TLS 1.3) */
|
||||
#define SSL_HND_HELLO_EXT_KEY_SHARE_OLD 40 /* draft-ietf-tls-tls13-22 (removed in -23) */
|
||||
|
@ -966,6 +966,11 @@ typedef struct ssl_common_dissect {
|
|||
gint hs_ext_oid_filters_oid_length;
|
||||
gint hs_ext_oid_filters_oid;
|
||||
gint hs_ext_oid_filters_values_length;
|
||||
gint hs_cred_valid_time;
|
||||
gint hs_cred_pubkey;
|
||||
gint hs_cred_pubkey_len;
|
||||
gint hs_cred_signature;
|
||||
gint hs_cred_signature_len;
|
||||
|
||||
/* compress_certificate */
|
||||
gint hs_ext_compress_certificate_algorithms_length;
|
||||
|
@ -1269,7 +1274,7 @@ ssl_common_dissect_t name = { \
|
|||
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
|
||||
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
|
||||
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
|
||||
-1, -1, -1, -1 \
|
||||
-1, -1, -1, -1, -1, -1, -1, -1, -1 \
|
||||
}, \
|
||||
/* ett */ { \
|
||||
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
|
||||
|
@ -2070,6 +2075,31 @@ ssl_common_dissect_t name = { \
|
|||
FT_UINT16, BASE_DEC, NULL, 0x00, \
|
||||
NULL, HFILL } \
|
||||
}, \
|
||||
{ & name .hf.hs_cred_valid_time, \
|
||||
{ "Valid Time", prefix ".handshake.cred.valid_time", \
|
||||
FT_UINT16, BASE_DEC, NULL, 0x0, \
|
||||
"Delegated Credentials Valid Time", HFILL } \
|
||||
}, \
|
||||
{ & name .hf.hs_cred_pubkey, \
|
||||
{ "Subject Public Key Info", prefix ".handshake.cred.pubkey", \
|
||||
FT_BYTES, BASE_NONE, NULL, 0x0, \
|
||||
"Delegated Credentials Subject Public Key Info", HFILL } \
|
||||
}, \
|
||||
{ & name .hf.hs_cred_pubkey_len, \
|
||||
{ "Subject Public Key Info Length", prefix ".handshake.cred.pubkey_len", \
|
||||
FT_UINT24, BASE_DEC, NULL, 0x0, \
|
||||
"Delegated Credentials Subject Public Key Info Length", HFILL } \
|
||||
}, \
|
||||
{ & name .hf.hs_cred_signature, \
|
||||
{ "Signature", prefix ".handshake.cred.signature", \
|
||||
FT_BYTES, BASE_NONE, NULL, 0x0, \
|
||||
"Delegated Credentials Signature", HFILL } \
|
||||
}, \
|
||||
{ & name .hf.hs_cred_signature_len, \
|
||||
{ "Signature Length", prefix ".handshake.cred.signature_len", \
|
||||
FT_UINT16, BASE_DEC, NULL, 0x0, \
|
||||
"Delegated Credentials Signature Length", HFILL } \
|
||||
}, \
|
||||
{ & name .hf.hs_ext_compress_certificate_algorithms_length, \
|
||||
{ "Algorithms Length", prefix ".compress_certificate.algorithms_length", \
|
||||
FT_UINT8, BASE_DEC, NULL, 0x00, \
|
||||
|
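Review bot: `hs_cred_valid_time` is registered as `FT_UINT16`, but the dissector adds it with a 4-byte length and the Credential struct quoted in the .c file declares `uint32 valid_time`, so the field type and the wire format disagree; the registration should read `FT_UINT32, BASE_DEC, NULL, 0x0,`. Whether proto.c tolerates a 2-byte field added with length 4 silently or reports it as a type/length mismatch depends on the checks in this Wireshark version, but the registration should match the wire format regardless. The corresponding `proto_tree_add_item` call lives in ssl_dissect_hnd_ext_delegated_credentials in the .c file, outside this hunk.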
|