author | Alexis La Goutte <alexis.lagoutte@gmail.com> | 2013-11-18 20:27:04 +0000 |
committer | Alexis La Goutte <alexis.lagoutte@gmail.com> | 2013-11-18 20:27:04 +0000 |
commit | e069d1c9eaa22f1995d9a24a1dd44503809a79aa (patch) | |
tree | 65a5efef98a171fc8ee81e73d563b9b37b0e0dea | |
parent | 123e3d92039770c0a36c4be97ae34c1ef27c4f8e (diff) | |
From Peter Wu
Add RFC6066 CertificateUrl TLS extension
This is not supported by OpenSSL or NSS, and the extension itself seems
unsafe, but some implementations seem to support it[1].
Untested, no capture available.
[1]: http://www.ietf.org/mail-archive/web/tls/current/msg02535.html
svn path=/trunk/; revision=53417
-rw-r--r-- | epan/dissectors/packet-ssl-utils.c | 6 | ||||
-rw-r--r-- | epan/dissectors/packet-ssl-utils.h | 4 | ||||
-rw-r--r-- | epan/dissectors/packet-ssl.c | 110 |
3 files changed, 120 insertions, 0 deletions
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 020f0105dc..19e9d85de7 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -484,6 +484,7 @@ const value_string ssl_31_handshake_type[] = {
     { SSL_HND_CERT_VERIFY, "Certificate Verify" },
     { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
     { SSL_HND_FINISHED, "Finished" },
+    { SSL_HND_CERT_URL, "Client Certificate URL" },
     { SSL_HND_CERT_STATUS, "Certificate Status" },
     { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
     { 0x00, NULL }
@@ -1075,6 +1076,11 @@ const value_string tls_certificate_type[] = {
     { 0, NULL }
 };
 
+const value_string tls_cert_chain_type[] = {
+    { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT, "Individual Certificates" },
+    { SSL_HND_CERT_URL_TYPE_PKIPATH, "PKI Path" },
+};
+
 const value_string tls_cert_status_type[] = {
     { SSL_HND_CERT_STATUS_TYPE_OCSP, "OCSP" },
     { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI, "OCSP Multi" },
diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h
index e2d3bb911c..9697398fe2 100644
--- a/epan/dissectors/packet-ssl-utils.h
+++ b/epan/dissectors/packet-ssl-utils.h
@@ -87,6 +87,7 @@
 #define SSL_HND_CERT_VERIFY 15
 #define SSL_HND_CLIENT_KEY_EXCHG 16
 #define SSL_HND_FINISHED 20
+#define SSL_HND_CERT_URL 21
 #define SSL_HND_CERT_STATUS 22
 /* Encrypted Extensions was NextProtocol in draft-agl-tls-nextprotoneg-03 and
  * changed in draft 04 */
@@ -161,6 +162,8 @@
 #define SSL_HND_HELLO_EXT_STATUS_REQUEST_V2 0x0011
 #define SSL_HND_HELLO_EXT_RENEG_INFO 0xff01
 #define SSL_HND_HELLO_EXT_NPN 0x3374
+#define SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT 1
+#define SSL_HND_CERT_URL_TYPE_PKIPATH 2
 #define SSL_HND_CERT_STATUS_TYPE_OCSP 1
 #define SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI 2
 
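Review bot: The new `tls_cert_chain_type[]` table has no terminating `{ 0, NULL }` entry, unlike `tls_cert_status_type[]` directly below it and the other value_string tables in this file; value_string lookups walk the array until they meet a NULL string pointer, so a chain-type byte matching neither entry reads past the end of the table. Add `{ 0, NULL }` after the `"PKI Path"` line.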
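Review bot: The two CertChainType constants added to packet-ssl-utils.h do not match RFC 6066 section 6, which numbers the enum `individual_certs(0), pkipath(1)` — the comment this same commit adds to `dissect_ssl3_hnd_cert_url` in packet-ssl.c states exactly that — so a type byte of 0 will display as unknown and a byte of 1 will be labelled "PKI Path". Change the lines to `#define SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT 0` and `#define SSL_HND_CERT_URL_TYPE_PKIPATH 1`. A real entry with value 0 is still fine alongside a `{ 0, NULL }` sentinel, since the lookup stops on the NULL string, not on the value.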
@@ -196,6 +199,7 @@ extern const value_string tls_hello_extension_types[];
 extern const value_string tls_hash_algorithm[];
 extern const value_string tls_signature_algorithm[];
 extern const value_string tls_certificate_type[];
+extern const value_string tls_cert_chain_type[];
 extern const value_string tls_cert_status_type[];
 extern const value_string ssl_extension_curves[];
 extern const value_string ssl_extension_ec_point_formats[];
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index af5f8c5186..18193c4e16 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -181,6 +181,13 @@ static gint hf_ssl_handshake_extension_server_name_type = -1;
 static gint hf_ssl_handshake_extension_server_name = -1;
 static gint hf_ssl_hs_ext_cert_status_type = -1;
 static gint hf_ssl_hs_ext_cert_status_request_len = -1;
+static gint hf_ssl_hs_ext_cert_url_type = -1;
+static gint hf_ssl_hs_ext_cert_url_url_hash_list_len = -1;
+static gint hf_ssl_hs_ext_cert_url_item = -1;
+static gint hf_ssl_hs_ext_cert_url_url_len = -1;
+static gint hf_ssl_hs_ext_cert_url_url = -1;
+static gint hf_ssl_hs_ext_cert_url_padding = -1;
+static gint hf_ssl_hs_ext_cert_url_sha1 = -1;
 static gint hf_ssl_hs_ext_cert_status_responder_id_list_len = -1;
 static gint hf_ssl_hs_ext_cert_status_request_extensions_len = -1;
 static gint hf_ssl_handshake_session_ticket_lifetime_hint = -1;
@@ -300,6 +307,7 @@ static gint ett_ssl_extension_alpn = -1;
 static gint ett_ssl_extension_npn = -1;
 static gint ett_ssl_extension_reneg_info = -1;
 static gint ett_ssl_extension_server_name = -1;
+static gint ett_ssl_urlhash = -1;
 static gint ett_ssl_certs = -1;
 static gint ett_ssl_cert_types = -1;
 static gint ett_ssl_sig_hash_algs = -1;
@@ -654,6 +662,9 @@ static void dissect_ssl3_hnd_finished(tvbuff_t *tvb,
                                       const guint32 offset,
                                       const guint *conv_version);
 
+static void dissect_ssl3_hnd_cert_url(tvbuff_t *tvb, proto_tree *tree,
+                                      guint32 offset);
+
 static void dissect_ssl3_hnd_cert_status(tvbuff_t *tvb,
                                          proto_tree *tree,
                                          guint32 offset,
@@ -1960,6 +1971,7 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
      *     case certificate_verify:  CertificateVerify;
      *     case client_key_exchange: ClientKeyExchange;
      *     case finished:            Finished;
+     *     case certificate_url:     CertificateURL;
      *     case certificate_status:  CertificateStatus;
      *     case encrypted_extensions:NextProtocolNegotiationEncryptedExtension;
      * } body;
@@ -2278,6 +2290,10 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
                                       offset, conv_version);
             break;
 
+        case SSL_HND_CERT_URL:
+            dissect_ssl3_hnd_cert_url(tvb, ssl_hand_tree, offset);
+            break;
+
         case SSL_HND_CERT_STATUS:
             dissect_ssl3_hnd_cert_status(tvb, ssl_hand_tree, offset, pinfo);
             break;
@@ -2724,6 +2740,64 @@ dissect_ssl3_hnd_hello_ext_server_name(tvbuff_t *tvb,
     return offset;
 }
 
+static void
+dissect_ssl3_hnd_cert_url(tvbuff_t *tvb, proto_tree *tree, guint32 offset)
+{
+    guint16 url_hash_len;
+
+    /* enum {
+     *     individual_certs(0), pkipath(1), (255)
+     * } CertChainType;
+     *
+     * struct {
+     *     CertChainType type;
+     *     URLAndHash url_and_hash_list<1..2^16-1>;
+     * } CertificateURL;
+     *
+     * struct {
+     *     opaque url<1..2^16-1>;
+     *     unint8 padding;
+     *     opaque SHA1Hash[20];
+     * } URLAndHash;
+     */
+
+    proto_tree_add_item(tree, hf_ssl_hs_ext_cert_url_type,
+                        tvb, offset, 1, ENC_NA);
+    offset++;
+
+    url_hash_len = tvb_get_ntohs(tvb, offset);
+    proto_tree_add_item(tree, hf_ssl_hs_ext_cert_url_url_hash_list_len,
+                        tvb, offset, 2, ENC_BIG_ENDIAN);
+    offset += 2;
+    while (url_hash_len-- > 0) {
+        proto_item *urlhash_item;
+        proto_tree *urlhash_tree;
+        guint16 url_len;
+
+        urlhash_item = proto_tree_add_item(tree, hf_ssl_hs_ext_cert_url_item,
+                                           tvb, offset, -1, ENC_NA);
+        urlhash_tree = proto_item_add_subtree(urlhash_item, ett_ssl_urlhash);
+
+        url_len = tvb_get_ntohs(tvb, offset);
+        proto_tree_add_item(urlhash_tree, hf_ssl_hs_ext_cert_url_url_len,
+                            tvb, offset, 2, ENC_BIG_ENDIAN);
+        offset += 2;
+
+        proto_tree_add_item(urlhash_tree, hf_ssl_hs_ext_cert_url_url,
+                            tvb, offset, url_len, ENC_ASCII);
+        offset += url_len;
+
+        proto_tree_add_item(urlhash_tree, hf_ssl_hs_ext_cert_url_padding,
+                            tvb, offset, 1, ENC_NA);
+        offset++;
+        /* Note: RFC 6066 says that padding must be 0x01 */
+
+        proto_tree_add_item(urlhash_tree, hf_ssl_hs_ext_cert_url_sha1,
+                            tvb, offset, 20, ENC_NA);
+        offset += 20;
+    }
+}
+
 static gint
 dissect_ssl3_hnd_hello_ext_status_request(tvbuff_t *tvb, proto_tree *tree,
                                           guint32 offset, gboolean has_length)
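Review bot: `url_hash_len` is consumed as an item count in `while (url_hash_len-- > 0)`, but the two bytes it was read from are the byte length of `url_and_hash_list<1..2^16-1>` — the `<1..2^16-1>` vector notation in the comment just above means a length in bytes, not a number of entries — so the loop tries to parse up to 65535 URLAndHash entries and only stops on a tvb bounds exception or after walking into whatever follows the list. Bound the loop by the list end instead, and fix the length of each "URL and Hash" item, which is added with `-1` (to end of buffer) and never trimmed with `proto_item_set_len`, so every entry's tree item spans the rest of the packet. Nothing checks that an entry stays inside the declared list; truncation past the packet is presumably caught by the tvb accessors as elsewhere in this dissector, but a `url_len` that runs past the list end is not, which is why the rewrite below compares against `list_end` before adding each field. The caller passes only `offset` and no handshake length, so a list length larger than the handshake message cannot be detected here; consider passing the handshake `length` through as `dissect_ssl3_hnd_cert_status` and the other handlers do where they have it.
```c
static void
dissect_ssl3_hnd_cert_url(tvbuff_t *tvb, proto_tree *tree, guint32 offset)
{
    guint16 url_hash_len;
    guint32 list_end;
    /* … unchanged: RFC 6066 structure comment, type byte … */

    url_hash_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(tree, hf_ssl_hs_ext_cert_url_url_hash_list_len,
                        tvb, offset, 2, ENC_BIG_ENDIAN);
    offset += 2;
    /* url_and_hash_list<1..2^16-1> is a byte-length vector of URLAndHash
     * entries, so iterate until the list's end offset, not a count. */
    list_end = offset + url_hash_len;
    while (offset < list_end) {
        proto_item *urlhash_item;
        proto_tree *urlhash_tree;
        guint16     url_len;
        guint32     item_start = offset;

        urlhash_item = proto_tree_add_item(tree, hf_ssl_hs_ext_cert_url_item,
                                           tvb, offset, -1, ENC_NA);
        urlhash_tree = proto_item_add_subtree(urlhash_item, ett_ssl_urlhash);

        url_len = tvb_get_ntohs(tvb, offset);
        proto_tree_add_item(urlhash_tree, hf_ssl_hs_ext_cert_url_url_len,
                            tvb, offset, 2, ENC_BIG_ENDIAN);
        offset += 2;
        /* An entry whose url/padding/hash would cross the declared list end
         * is malformed; stop rather than dissect the bytes that follow. */
        if (offset + url_len + 1 + 20 > list_end) {
            break;
        }
        /* … unchanged: url, padding, sha1 fields … */
        offset += 20;
        proto_item_set_len(urlhash_item, offset - item_start);
    }
}
```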
@@ -5678,6 +5752,41 @@ proto_register_ssl(void)
             FT_STRING, BASE_NONE, NULL, 0x0,
             NULL, HFILL }
         },
+        { &hf_ssl_hs_ext_cert_url_type,
+          { "Certificate Chain Type", "ssl.handshake.cert_url_type",
+            FT_UINT8, BASE_DEC, VALS(tls_cert_chain_type), 0x0,
+            "Certificate Chain Type for Client Certificate URL", HFILL }
+        },
+        { &hf_ssl_hs_ext_cert_url_url_hash_list_len,
+          { "URL and Hash list Length", "ssl.handshake.cert_url.url_hash_len",
+            FT_UINT16, BASE_DEC, NULL, 0x0,
+            NULL, HFILL }
+        },
+        { &hf_ssl_hs_ext_cert_url_item,
+          { "URL and Hash", "ssl.handshake.cert_url.url_hash",
+            FT_NONE, BASE_NONE, NULL, 0x0,
+            NULL, HFILL }
+        },
+        { &hf_ssl_hs_ext_cert_url_url_len,
+          { "URL Length", "ssl.handshake.cert_url.url_len",
+            FT_UINT16, BASE_DEC, NULL, 0x0,
+            NULL, HFILL }
+        },
+        { &hf_ssl_hs_ext_cert_url_url,
+          { "URL", "ssl.handshake.cert_url.url_hash_len",
+            FT_STRING, BASE_NONE, NULL, 0x0,
+            "URL used to fetch the certificate(s)", HFILL }
+        },
+        { &hf_ssl_hs_ext_cert_url_padding,
+          { "Padding", "ssl.handshake.cert_url.padding",
+            FT_NONE, BASE_NONE, NULL, 0x0,
+            "Padding that MUST be 0x01 for backwards compatibility", HFILL }
+        },
+        { &hf_ssl_hs_ext_cert_url_sha1,
+          { "SHA1 Hash", "ssl.handshake.cert_url.sha1",
+            FT_BYTES, BASE_NONE, NULL, 0x0,
+            "SHA1 Hash of the certificate", HFILL }
+        },
         { &hf_ssl_hs_ext_cert_status_type,
           { "Certificate Status Type", "ssl.handshake.extensions_status_request_type",
             FT_UINT8, BASE_DEC, VALS(tls_cert_status_type), 0x0,
@@ -6207,6 +6316,7 @@ proto_register_ssl(void)
         &ett_ssl_extension_npn,
         &ett_ssl_extension_reneg_info,
         &ett_ssl_extension_server_name,
+        &ett_ssl_urlhash,
         &ett_ssl_certs,
         &ett_ssl_cert_types,
         &ett_ssl_sig_hash_algs,
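Review bot: The URL field `hf_ssl_hs_ext_cert_url_url` is registered with the filter name `"ssl.handshake.cert_url.url_hash_len"`, the same abbreviation used three entries above for the list length, so the two fields collide in display filters and in the field registry; the line should read `{ "URL", "ssl.handshake.cert_url.url",`. The chain type entry uses `"ssl.handshake.cert_url_type"` while every other new field is under the `ssl.handshake.cert_url.` prefix, so `"ssl.handshake.cert_url.type"` would keep the naming consistent. Registering the padding byte as `FT_UINT8, BASE_HEX` instead of `FT_NONE, BASE_NONE` would display its value, which the blurb says must be 0x01, so an analyst can see a non-conforming sender without opening the bytes pane.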