authorPeter Wu <peter@lekensteyn.nl>2017-03-17 14:44:18 +0100
committerMichael Mann <mmann78@netscape.net>2017-03-19 02:24:28 +0000
commit0e244e01fe608dccf8429fb59d65dc9006f6b9a3 (patch)
treee4d9641bc775250541645423041457186a21c780 /epan/dissectors/packet-ssl-utils.c
parenta5bb470a553cbd4dc90a874760ec17e4bd914f7d (diff)
TLS13: update CertificateRequest dissection for draft -19
Removed supported_signature_algorithms and certificate_authorities dissection for TLS 1.3. In preparation for certificate_authorities, extract the certificate_authorities dissection. Change-Id: I58884b02744ac53f226d3a3e6c491219f58facc0 Ping-Bug: 12779 Reviewed-on: https://code.wireshark.org/review/20588 Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/dissectors/packet-ssl-utils.c')
-rw-r--r--epan/dissectors/packet-ssl-utils.c104
1 files changed, 56 insertions, 48 deletions
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index ebf5e5ba6a..471ba1bc27 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -5879,6 +5879,57 @@ ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *t
return offset;
} /* }}} */
+/* Dissection of DistinguishedName (for CertificateRequest and
+ * certificate_authorities extension). {{{ */
+static guint32
+tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
+ proto_tree *tree, guint32 offset, guint32 offset_end)
+{
+ proto_item *ti;
+ proto_tree *subtree;
+ guint32 dnames_length, next_offset;
+ asn1_ctx_t asn1_ctx;
+
+
+ /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
+ /* DistinguishedName certificate_authorities<0..2^16-1> */
+ if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
+ hf->hf.hs_dnames_len, 0, G_MAXUINT16)) {
+ return offset_end;
+ }
+ offset += 2;
+ next_offset = offset + dnames_length;
+
+ if (dnames_length > 0) {
+ ti = proto_tree_add_none_format(tree,
+ hf->hf.hs_dnames,
+ tvb, offset, dnames_length,
+ "Distinguished Names (%d byte%s)",
+ dnames_length,
+ plurality(dnames_length, "", "s"));
+ subtree = proto_item_add_subtree(ti, hf->ett.dnames);
+
+ asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+
+ while (offset < next_offset) {
+ /* get the length of the current certificate */
+ guint32 name_length;
+ /* opaque DistinguishedName<1..2^16-1> */
+ if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
+ hf->hf.hs_dname_len, 1, G_MAXUINT16)) {
+ return next_offset;
+ }
+ offset += 2;
+
+ dissect_x509if_DistinguishedName(FALSE, tvb, offset, &asn1_ctx,
+ subtree, hf->hf.hs_dname);
+ offset += name_length;
+ }
+ }
+ return offset;
+} /* }}} */
+
+
/** TLS Extensions (in Client Hello and Server Hello). {{{ */
static gint
ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
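Review bot: In the `while (offset < next_offset)` loop the return value of `dissect_x509if_DistinguishedName()` is discarded and the cursor then advances by the declared `name_length`, so a name whose BER encoding disagrees with its TLS length prefix is dissected without any indication; the BER parser is also handed the full `tvb` rather than only the `name_length` bytes of this entry. Consider bounding the call, e.g. `dissect_x509if_DistinguishedName(FALSE, tvb_new_subset_length(tvb, offset, name_length), 0, &asn1_ctx, subtree, hf->hf.hs_dname);`, or comparing the returned offset with `offset + name_length` and flagging a mismatch. Two smaller points: `"Distinguished Names (%d byte%s)"` formats a `guint32` with `%d` where `%u` matches the type, and the comment `/* get the length of the current certificate */` should say "distinguished name".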
@@ -7438,18 +7489,7 @@ ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *p
* DistinguishedName certificate_authorities<0..2^16-1>;
* } CertificateRequest;
*
- * draft-ietf-tls-tls13-18 (soon obsolete!):
- * Note: certificate_extensions is not dissected since it is removed in next
- * draft.
- *
- * struct {
- * opaque certificate_request_context<0..2^8-1>;
- * SignatureScheme supported_signature_algorithms<2..2^16-2>;
- * DistinguishedName certificate_authorities<0..2^16-1>;
- * CertificateExtension certificate_extensions<0..2^16-1>;
- * } CertificateRequest;
- *
- * draft-ietf-tls-tls13 (between -18 and -19, 2017-01-30):
+ * draft-ietf-tls-tls13-19:
*
* struct {
* opaque certificate_request_context<0..2^8-1>;
@@ -7458,7 +7498,7 @@ ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *p
*/
proto_item *ti;
proto_tree *subtree;
- guint32 dnames_length = 0, next_offset;
+ guint32 next_offset;
asn1_ctx_t asn1_ctx;
if (!tree)
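Review bot: `asn1_ctx_t asn1_ctx;` stays declared in `ssl_dissect_hnd_cert_req` although its only use visible in this commit, the `dissect_x509if_DistinguishedName()` call, moves into `tls_dissect_certificate_authorities`, which declares and initialises its own context. If nothing outside these hunks still reads it, drop the declaration (and any `asn1_ctx_init()` call left in this function) the same way `dnames_length` was dropped. The function body starts and ends outside this hunk, so this needs checking against the full file.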
@@ -7506,7 +7546,6 @@ ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *p
switch (session->version) {
case TLSV1DOT2_VERSION:
case DTLSV1DOT2_VERSION:
- case TLSV1DOT3_VERSION: /* XXX draft -18 only, remove for next version */
offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end);
break;
@@ -7514,40 +7553,6 @@ ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *p
break;
}
- /* DistinguishedName certificate_authorities<0..2^16-1> */
- if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
- hf->hf.hs_dnames_len, 0, G_MAXUINT16)) {
- return;
- }
- offset += 2;
- next_offset = offset + dnames_length;
-
- if (dnames_length > 0) {
- ti = proto_tree_add_none_format(tree,
- hf->hf.hs_dnames,
- tvb, offset, dnames_length,
- "Distinguished Names (%d byte%s)",
- dnames_length,
- plurality(dnames_length, "", "s"));
- subtree = proto_item_add_subtree(ti, hf->ett.dnames);
-
- while (offset < next_offset) {
- /* get the length of the current certificate */
- guint32 name_length;
- /* opaque DistinguishedName<1..2^16-1> */
- if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
- hf->hf.hs_dname_len, 1, G_MAXUINT16)) {
- return;
- }
- offset += 2;
-
- dissect_x509if_DistinguishedName(FALSE, tvb, offset, &asn1_ctx,
- subtree, hf->hf.hs_dname);
- offset += name_length;
- }
- }
-
- /* TODO this is not valid for TLS 1.3 draft -18. When draft -19 is released, check if this is still correct. */
if (session->version == TLSV1DOT3_VERSION) {
/*
* SslDecryptSession pointer is NULL because Certificate Extensions
@@ -7556,6 +7561,9 @@ ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *p
ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
offset_end, SSL_HND_CERT_REQUEST,
session, NULL, is_dtls);
+ } else {
+ /* for TLS 1.2 and older, the certificate_authorities field. */
+ tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
}
}
/* Certificate and Certificate Request dissections. }}} */
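Review bot: The offset returned by `tls_dissect_certificate_authorities()` is dropped in the new `else` branch, so any bytes left between the end of certificate_authorities and `offset_end` in a pre-TLS-1.3 CertificateRequest go unreported. Assign it, `offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);`, and flag `offset < offset_end` as trailing data, or mark the discard with a `(void)` cast if it is intended. The comment `/* for TLS 1.2 and older, the certificate_authorities field. */` could also state that, by the visible condition, this branch is taken for every version other than `TLSV1DOT3_VERSION`.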