From Kaspar Brand:

SSL/TLS dissector: add support for "Certificate Status" messages (aka OCSP stapling) https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5503 svn path=/trunk/; revision=35655
2011-01-26 08:49:06 +00:00 · 2011-01-26 08:49:06 +00:00 · c4fe9a28ca
parent cf1bb44105
commit c4fe9a28ca
6 changed files with 101 additions and 3 deletions
--- a/asn1/ocsp/ocsp.cnf
+++ b/asn1/ocsp/ocsp.cnf
@ -13,6 +13,7 @@ PKIX1Explicit88 pkix1explicit
 #.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf

 #.EXPORTS
+OCSPResponse

 #.PDU

--- a/epan/dissectors/packet-ocsp.c
+++ b/epan/dissectors/packet-ocsp.c
@ -52,7 +52,7 @@
 #define PFNAME "ocsp"

 /* Initialize the protocol and registered fields */
-static int proto_ocsp = -1;
+proto_ocsp = -1;
 static int hf_ocsp_responseType_id = -1;

 /*--- Included file: packet-ocsp-hf.c ---*/
@ -321,7 +321,7 @@ dissect_ocsp_T_responseType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int of

 static int
 dissect_ocsp_T_response(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 37 "ocsp.cnf"
+#line 38 "ocsp.cnf"
  gint8 class;
  gboolean pc, ind;
  gint32 tag;
@ -358,7 +358,7 @@ static const ber_sequence_t OCSPResponse_sequence[] = {
  { NULL, 0, 0, 0, NULL }
 };

-static int
+int
 dissect_ocsp_OCSPResponse(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
                                   OCSPResponse_sequence, hf_index, ett_ocsp_OCSPResponse);
--- a/epan/dissectors/packet-ocsp.h
+++ b/epan/dissectors/packet-ocsp.h
@ -36,5 +36,8 @@

 /*#include "packet-ocsp-exp.h"*/

+extern int proto_ocsp;
+int dissect_ocsp_OCSPResponse(gboolean implicit_tag, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index);
+
 #endif  /* PACKET_OCSP_H */

--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@ -472,6 +472,7 @@ const value_string ssl_31_handshake_type[] = {
    { SSL_HND_CERT_VERIFY,       "Certificate Verify" },
    { SSL_HND_CLIENT_KEY_EXCHG,  "Client Key Exchange" },
    { SSL_HND_FINISHED,          "Finished" },
+    { SSL_HND_CERT_STATUS,       "Certificate Status" },
    { 0x00, NULL }
 };

@ -905,6 +906,11 @@ const value_string tls_signature_algorithm[] = {
    { 0, NULL }
 };

+const value_string tls_cert_status_type[] = {
+    { SSL_HND_CERT_STATUS_TYPE_OCSP, "OCSP" },
+    { 0, NULL }
+};
+
 /* we keep this internal to packet-ssl-utils, as there should be
   no need to access it any other way.

--- a/epan/dissectors/packet-ssl-utils.h
+++ b/epan/dissectors/packet-ssl-utils.h
@ -84,6 +84,7 @@
 #define SSL_HND_CERT_VERIFY            15
 #define SSL_HND_CLIENT_KEY_EXCHG       16
 #define SSL_HND_FINISHED               20
+#define SSL_HND_CERT_STATUS            22

 #define SSL2_HND_ERROR                 0x00
 #define SSL2_HND_CLIENT_HELLO          0x01
@ -147,6 +148,8 @@
 #define SSL_HND_HELLO_EXT_ELLIPTIC_CURVES    0x000a
 #define SSL_HND_HELLO_EXT_EC_POINT_FORMATS   0x000b

+#define SSL_HND_CERT_STATUS_TYPE_OCSP  1
+
 /*
 * Lookup tables
 */
@ -176,6 +179,7 @@ extern const value_string pct_error_code[];
 extern const value_string tls_hello_extension_types[];
 extern const value_string tls_hash_algorithm[];
 extern const value_string tls_signature_algorithm[];
+extern const value_string tls_cert_status_type[];
 extern const value_string ssl_extension_curves[];
 extern const value_string ssl_extension_ec_point_formats[];

--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@ -117,6 +117,7 @@
 #include <epan/dissectors/packet-tcp.h>
 #include <epan/asn1.h>
 #include <epan/dissectors/packet-x509af.h>
+#include <epan/dissectors/packet-ocsp.h>
 #include <epan/tap.h>
 #include <epan/filesystem.h>
 #include <epan/report_err.h>
@ -192,6 +193,9 @@ static gint hf_ssl_handshake_sig_hash_algs    = -1;
 static gint hf_ssl_handshake_sig_hash_alg     = -1;
 static gint hf_ssl_handshake_sig_hash_hash    = -1;
 static gint hf_ssl_handshake_sig_hash_sig     = -1;
+static gint hf_ssl_handshake_cert_status      = -1;
+static gint hf_ssl_handshake_cert_status_type = -1;
+static gint hf_ssl_handshake_cert_status_len  = -1;
 static gint hf_ssl_handshake_finished         = -1;
 static gint hf_ssl_handshake_md5_hash         = -1;
 static gint hf_ssl_handshake_sha_hash         = -1;
@ -252,6 +256,8 @@ static gint ett_ssl_sig_hash_algs     = -1;
 static gint ett_ssl_sig_hash_alg      = -1;
 static gint ett_ssl_dnames            = -1;
 static gint ett_ssl_random            = -1;
+static gint ett_ssl_cert_status       = -1;
+static gint ett_ssl_ocsp_resp         = -1;
 static gint ett_pct_cipher_suites     = -1;
 static gint ett_pct_hash_suites       = -1;
 static gint ett_pct_cert_suites       = -1;
@ -439,6 +445,10 @@ static void dissect_ssl3_hnd_finished(tvbuff_t *tvb,
                                      const guint32 offset,
                                      const guint* conv_version);

+static void dissect_ssl3_hnd_cert_status(tvbuff_t *tvb,
+                                         proto_tree *tree,
+                                         guint32 offset,
+                                         packet_info *pinfo);

 /*
 * SSL version 2 dissectors
@ -1958,6 +1968,10 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
                dissect_ssl3_hnd_finished(tvb, ssl_hand_tree,
                                          offset, conv_version);
                break;
+
+            case SSL_HND_CERT_STATUS:
+                dissect_ssl3_hnd_cert_status(tvb, ssl_hand_tree, offset, pinfo);
+                break;
            }

        }
@ -2685,6 +2699,59 @@ dissect_ssl3_hnd_finished(tvbuff_t *tvb,
    }
 }

+static void
+dissect_ssl3_hnd_cert_status(tvbuff_t *tvb, proto_tree *tree,
+                             guint32 offset, packet_info *pinfo)
+{
+    guint8 cert_status_type;
+    guint cert_status_len;
+    proto_tree *ti;
+    proto_tree *cert_status_tree;
+
+    if (tree)
+    {
+        cert_status_type = tvb_get_guint8(tvb, offset);
+        cert_status_len  = tvb_get_ntoh24(tvb, offset+1);
+        tvb_ensure_bytes_exist(tvb, offset, cert_status_len+4);
+        ti = proto_tree_add_none_format(tree, hf_ssl_handshake_cert_status,
+                                        tvb, offset, cert_status_len+4,
+                                        "Certificate Status (%u byte%s)",
+                                        cert_status_len+4,
+                                        plurality(cert_status_len+4, "", "s"));
+        cert_status_tree = proto_item_add_subtree(ti, ett_ssl_cert_status);
+        proto_tree_add_item(cert_status_tree, hf_ssl_handshake_cert_status_type,
+                            tvb, offset, 1, FALSE);
+        offset++;
+        proto_tree_add_uint(cert_status_tree, hf_ssl_handshake_cert_status_len,
+                            tvb, offset, 3, cert_status_len);
+        offset += 3;
+        if (cert_status_len > 0)
+        {
+            switch (cert_status_type) {
+            case SSL_HND_CERT_STATUS_TYPE_OCSP:
+                {
+                    proto_item *ocsp_resp;
+                    proto_tree *ocsp_resp_tree;
+                    asn1_ctx_t asn1_ctx;
+
+                    ocsp_resp = proto_tree_add_item(cert_status_tree,
+                                                    proto_ocsp, tvb, offset,
+                                                    cert_status_len, FALSE);
+                    proto_item_set_text(ocsp_resp, "OCSP Response");
+                    ocsp_resp_tree = proto_item_add_subtree(ocsp_resp,
+                                                            ett_ssl_ocsp_resp);
+                    asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+                    dissect_ocsp_OCSPResponse(FALSE, tvb, offset, &asn1_ctx,
+                                              ocsp_resp_tree, -1);
+                    break;
+                }
+            default:
+                break;
+            }
+        }
+    }
+}
+
 /*********************************************************************
 *
 * SSL version 2 Dissectors
@ -4368,6 +4435,21 @@ proto_register_ssl(void)
            FT_UINT8, BASE_DEC, VALS(tls_signature_algorithm), 0x0,
            NULL, HFILL }
        },
+        { &hf_ssl_handshake_cert_status,
+          { "Certificate Status", "ssl.handshake.cert_status",
+            FT_NONE, BASE_NONE, NULL, 0x0,
+            "Certificate Status Data", HFILL }
+        },
+        { &hf_ssl_handshake_cert_status_type,
+          { "Certificate Status Type", "ssl.handshake.cert_status_type",
+            FT_UINT8, BASE_DEC, VALS(tls_cert_status_type), 0x0,
+            NULL, HFILL }
+        },
+        { &hf_ssl_handshake_cert_status_len,
+          { "Certificate Status Length", "ssl.handshake.cert_status_len",
+            FT_UINT24, BASE_DEC, NULL, 0x0,
+            "Length of certificate status", HFILL }
+        },
        { &hf_ssl_handshake_finished,
          { "Verify Data", "ssl.handshake.verify_data",
            FT_NONE, BASE_NONE, NULL, 0x0,
@ -4596,6 +4678,8 @@ proto_register_ssl(void)
        &ett_ssl_sig_hash_alg,
        &ett_ssl_dnames,
        &ett_ssl_random,
+        &ett_ssl_cert_status,
+        &ett_ssl_ocsp_resp,
        &ett_pct_cipher_suites,
        &ett_pct_hash_suites,
        &ett_pct_cert_suites,