|
 |
dbc6ab |
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
|
|
|
dbc6ab |
index e97e46e..f70919b 100644
|
|
|
dbc6ab |
--- a/epan/dissectors/packet-ssl.c
|
|
|
dbc6ab |
+++ b/epan/dissectors/packet-ssl.c
|
|
|
dbc6ab |
@@ -202,6 +202,8 @@ static gint hf_ssl_handshake_server_keyex_named_curve = -1;
|
|
|
dbc6ab |
static gint hf_ssl_handshake_server_keyex_point = -1;
|
|
|
dbc6ab |
static gint hf_ssl_handshake_client_keyex_epms = -1;
|
|
|
dbc6ab |
static gint hf_ssl_handshake_client_keyex_point = -1;
|
|
|
dbc6ab |
+static gint hf_ssl_handshake_client_vrfy_sig_len = -1;
|
|
|
dbc6ab |
+static gint hf_ssl_handshake_client_vrfy_sig = -1;
|
|
|
dbc6ab |
static gint hf_ssl_handshake_server_keyex_modulus = -1;
|
|
|
dbc6ab |
static gint hf_ssl_handshake_server_keyex_exponent = -1;
|
|
|
dbc6ab |
static gint hf_ssl_handshake_server_keyex_sig = -1;
|
|
|
dbc6ab |
@@ -682,6 +684,10 @@ static gint ssl_looks_like_valid_pct_handshake(tvbuff_t *tvb,
|
|
|
dbc6ab |
static gint dissect_ssl_hash_alg_list(tvbuff_t *tvb, proto_tree *tree,
|
|
|
dbc6ab |
guint32 offset, guint16 len);
|
|
|
dbc6ab |
|
|
|
dbc6ab |
+static void dissect_ssl3_hnd_cli_cert_verify(tvbuff_t *tvb, proto_tree *tree,
|
|
|
dbc6ab |
+ guint32 offset,
|
|
|
dbc6ab |
+ const SslSession *session);
|
|
|
dbc6ab |
+
|
|
|
dbc6ab |
/*********************************************************************
|
|
|
dbc6ab |
*
|
|
|
dbc6ab |
* Main dissector
|
|
|
dbc6ab |
@@ -2070,7 +2076,7 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
|
|
|
dbc6ab |
break;
|
|
|
dbc6ab |
|
|
|
dbc6ab |
case SSL_HND_CERT_VERIFY:
|
|
|
dbc6ab |
- /* unimplemented */
|
|
|
dbc6ab |
+ dissect_ssl3_hnd_cli_cert_verify(tvb, ssl_hand_tree, offset, session);
|
|
|
dbc6ab |
break;
|
|
|
dbc6ab |
|
|
|
dbc6ab |
case SSL_HND_CLIENT_KEY_EXCHG:
|
|
|
dbc6ab |
@@ -3174,8 +3180,9 @@ dissect_ssl3_hnd_cert_req(tvbuff_t *tvb,
|
|
|
dbc6ab |
}
|
|
|
dbc6ab |
|
|
|
dbc6ab |
static void
|
|
|
dbc6ab |
-dissect_ssl3_hnd_srv_keyex_sig(tvbuff_t *tvb, proto_tree *tree,
|
|
|
dbc6ab |
- guint32 offset, SslSession *session)
|
|
|
dbc6ab |
+dissect_ssl3_digitally_signed(tvbuff_t *tvb, proto_tree *tree, guint32 offset,
|
|
|
dbc6ab |
+ const SslSession *session, gint hf_sig_len,
|
|
|
dbc6ab |
+ gint hf_sig)
|
|
|
dbc6ab |
{
|
|
|
dbc6ab |
gint sig_len;
|
|
|
dbc6ab |
proto_item *ti_algo;
|
|
|
dbc6ab |
@@ -3202,10 +3209,40 @@ dissect_ssl3_hnd_srv_keyex_sig(tvbuff_t *tvb, proto_tree *tree,
|
|
|
dbc6ab |
|
|
|
dbc6ab |
/* Sig */
|
|
|
dbc6ab |
sig_len = tvb_get_ntohs(tvb, offset);
|
|
|
dbc6ab |
- proto_tree_add_item(tree, hf_ssl_handshake_server_keyex_sig_len, tvb,
|
|
|
dbc6ab |
- offset, 2, ENC_BIG_ENDIAN);
|
|
|
dbc6ab |
- proto_tree_add_item(tree, hf_ssl_handshake_server_keyex_sig, tvb,
|
|
|
dbc6ab |
- offset + 2, sig_len, ENC_NA);
|
|
|
dbc6ab |
+ proto_tree_add_item(tree, hf_sig_len, tvb, offset, 2, ENC_BIG_ENDIAN);
|
|
|
dbc6ab |
+ proto_tree_add_item(tree, hf_sig, tvb, offset + 2, sig_len, ENC_NA);
|
|
|
dbc6ab |
+}
|
|
|
dbc6ab |
+
|
|
|
dbc6ab |
+static void
|
|
|
dbc6ab |
+dissect_ssl3_hnd_cli_cert_verify(tvbuff_t *tvb, proto_tree *tree,
|
|
|
dbc6ab |
+ guint32 offset, const SslSession *session)
|
|
|
dbc6ab |
+{
|
|
|
dbc6ab |
+ dissect_ssl3_digitally_signed(tvb, tree, offset, session,
|
|
|
dbc6ab |
+ hf_ssl_handshake_client_vrfy_sig_len,
|
|
|
dbc6ab |
+ hf_ssl_handshake_client_vrfy_sig);
|
|
|
dbc6ab |
+}
|
|
|
dbc6ab |
+
|
|
|
dbc6ab |
+static void
|
|
|
dbc6ab |
+dissect_ssl3_hnd_srv_keyex_sig(tvbuff_t *tvb, proto_tree *tree,
|
|
|
dbc6ab |
+ guint32 offset, SslSession *session)
|
|
|
dbc6ab |
+{
|
|
|
dbc6ab |
+ /*
|
|
|
dbc6ab |
+ * TLSv1.2 (RFC 5246 sec 7.4.8)
|
|
|
dbc6ab |
+ * struct {
|
|
|
dbc6ab |
+ * digitally-signed struct {
|
|
|
dbc6ab |
+ * opaque handshake_messages[handshake_messages_length];
|
|
|
dbc6ab |
+ * }
|
|
|
dbc6ab |
+ * } CertificateVerify;
|
|
|
dbc6ab |
+ *
|
|
|
dbc6ab |
+ * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
|
|
|
dbc6ab |
+ * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
|
|
|
dbc6ab |
+ *
|
|
|
dbc6ab |
+ * SSLv3 (RFC 6101 sec 5.6.8) esseentially works the same as TLSv1.0 but it
|
|
|
dbc6ab |
+ * does more hashing including the master secret and padding.
|
|
|
dbc6ab |
+ */
|
|
|
dbc6ab |
+ dissect_ssl3_digitally_signed(tvb, tree, offset, session,
|
|
|
dbc6ab |
+ hf_ssl_handshake_server_keyex_sig_len,
|
|
|
dbc6ab |
+ hf_ssl_handshake_server_keyex_sig);
|
|
|
dbc6ab |
}
|
|
|
dbc6ab |
|
|
|
dbc6ab |
static void
|
|
|
dbc6ab |
@@ -5410,6 +5447,16 @@ proto_register_ssl(void)
|
|
|
dbc6ab |
FT_BYTES, BASE_NONE, NULL, 0x0,
|
|
|
dbc6ab |
"EC Diffie-Hellman client pubkey", HFILL }
|
|
|
dbc6ab |
},
|
|
|
dbc6ab |
+ { &hf_ssl_handshake_client_vrfy_sig_len,
|
|
|
dbc6ab |
+ { "signature length", "ssl.handshake.client_cert_vrfy.sig_len",
|
|
|
dbc6ab |
+ FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
dbc6ab |
+ "Length of CertificateVerify's signature", HFILL }
|
|
|
dbc6ab |
+ },
|
|
|
dbc6ab |
+ { &hf_ssl_handshake_client_vrfy_sig,
|
|
|
dbc6ab |
+ { "signature", "ssl.handshake.client_cert_vrfy.sig",
|
|
|
dbc6ab |
+ FT_BYTES, BASE_NONE, NULL, 0x0,
|
|
|
dbc6ab |
+ "CertificateVerify's signature", HFILL }
|
|
|
dbc6ab |
+ },
|
|
|
dbc6ab |
{ &hf_ssl_handshake_server_keyex_modulus,
|
|
|
dbc6ab |
{ "modulus", "ssl.handshake.modulus",
|
|
|
dbc6ab |
FT_BYTES, BASE_NONE, NULL, 0x0,
|