Put in some of the old functionallity.

svn path=/trunk/; revision=17360
2006-02-21 18:56:25 +00:00 · 2006-02-21 18:56:25 +00:00 · 3d728fcf08
parent 48f6c25460
commit 3d728fcf08
3 changed files with 252 additions and 23 deletions
--- a/asn1/ldap/Lightweight-Directory-Access-Protocol-V3.asn
+++ b/asn1/ldap/Lightweight-Directory-Access-Protocol-V3.asn
@ -1,6 +1,7 @@
 -- Module Lightweight-Directory-Access-Protocol-V3 (RFC 2251:12/1997)
 Lightweight-Directory-Access-Protocol-V3
 --
+-- $Id:$
 -- Copyright (C) The Internet Society (1997). This version of
 -- this ASN.1 module is part of RFC 2251;
 -- see the RFC itself for full legal notices.
@ -9,9 +10,15 @@ DEFINITIONS IMPLICIT TAGS ::=
 BEGIN

 LDAPMessage ::= SEQUENCE {
-  messageID   MessageID,
-  protocolOp
-    CHOICE {bindRequest      BindRequest,
+  messageID		MessageID,
+  protocolOp	ProtocolOp,
+  controls		[0]  Controls OPTIONAL
+}
+
+MessageID ::= INTEGER(0..maxInt)
+
+ProtocolOp ::=     CHOICE { 
+			bindRequest      BindRequest,
            bindResponse     BindResponse,
            unbindRequest    UnbindRequest,
            searchRequest    SearchRequest,
@ -30,11 +37,9 @@ LDAPMessage ::= SEQUENCE {
            compareResponse  CompareResponse,
            abandonRequest   AbandonRequest,
            extendedReq      ExtendedRequest,
-            extendedResp     ExtendedResponse},
-  controls    [0]  Controls OPTIONAL
-}
+            extendedResp     ExtendedResponse
+			}

-MessageID ::= INTEGER(0..maxInt)

 maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) 

@ -127,17 +132,33 @@ BindRequest ::= [APPLICATION 0]  SEQUENCE {
 }

 AuthenticationChoice ::= CHOICE {
-  simple  [0]  OCTET STRING,
+  simple  [0]  Simple,
  -- 1 and 2 reserved
  sasl    [3]  SaslCredentials
 }

+Simple ::= OCTET STRING
+
 SaslCredentials ::= SEQUENCE {
  mechanism    Mechanism,
-  credentials  OCTET STRING OPTIONAL
+  credentials  Credentials OPTIONAL
 }

-Mechanism ::=  LDAPString
+--4.1.2. String Types
+--
+-- The LDAPString is a notational convenience to indicate that, although
+-- strings of LDAPString type encode as OCTET STRING types, the ISO
+-- 10646 [13] character set (a superset of Unicode) is used, encoded
+-- following the UTF-8 algorithm [14]. Note that in the UTF-8 algorithm
+-- characters which are the same as ASCII (0x0000 through 0x007F) are
+-- represented as that same ASCII character in a single byte.  The other
+-- byte values are used to form a variable-length encoding of an
+-- arbitrary character.
+
+-- Mechanism ::= LDAPString
+Mechanism ::= OCTET STRING
+
+Credentials ::= OCTET STRING

 BindResponse ::= [APPLICATION 1]  SEQUENCE {
 --  COMPONENTS OF LDAPResult,
@ -179,9 +200,11 @@ BindResponse ::= [APPLICATION 1]  SEQUENCE {
  referral      [3]  Referral OPTIONAL,

 -- end of components
-  serverSaslCreds  [7]  OCTET STRING OPTIONAL
+  serverSaslCreds  [7] ServerSaslCreds  OPTIONAL
 }

+ServerSaslCreds ::= OCTET STRING
+
 ErrorMessage ::= LDAPString

 UnbindRequest ::= [APPLICATION 2]  NULL
--- a/asn1/ldap/ldap.cnf
+++ b/asn1/ldap/ldap.cnf
@ -22,17 +22,179 @@ ModifyRequest/modification modifyRequest_modification
 SubstringFilter/substrings substringFilter_substrings

 #.TYPE_ATTR
-LDAPDN TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL
-RelativeLDAPDN TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL
-AttributeType TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL
-AttributeDescription TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL
-MatchingRuleId TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL
-ErrorMessage TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL
+LDAPString TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL
 LDAPURL TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL
+LDAPOID  TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL
 Mechanism  TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL
-ControlType  TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL
-ResponseName  TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL
+
+#.FN_PARS LDAPOID VAL_PTR = &parameter_tvb
+#.FN_HDR LDAPOID
+
+	tvbuff_t	*parameter_tvb;
+	const gchar *name;
+	proto_item	*item = NULL;
+
+
+#.FN_FTR LDAPOID
+	if (!parameter_tvb)
+		return offset;
+	item = get_ber_last_created_item();
+	name = get_oid_str_name(tvb_get_string(parameter_tvb, 0, tvb_length_remaining(parameter_tvb,0)));
+	if(name){
+		proto_item_append_text(item, " (%s)", name);
+	}
+

 #.FN_PARS MessageID VAL_PTR = &MessageID
-#.FN_PARS AuthenticationChoice VAL_PTR = &AuthenticationChoice
+#.FN_BODY MessageID
+gint MessageID;

+%(DEFAULT_BODY)s
+
+	if (check_col(pinfo->cinfo, COL_INFO))
+		col_append_fstr(pinfo->cinfo, COL_INFO, "MsgId=%%u, ",MessageID);
+
+#.FN_PARS ProtocolOp VAL_PTR = &ProtocolOp
+
+#.FN_BODY ProtocolOp
+
+gint ProtocolOp;
+
+%(DEFAULT_BODY)s
+	if (check_col(pinfo->cinfo, COL_INFO))
+		col_append_fstr(pinfo->cinfo, COL_INFO, val_to_str(ProtocolOp, ldap_ProtocolOp_choice_vals, "Unknown (%%u)"));
+
+#.FN_BODY Simple
+ldap_conv_info_t *ldap_info;
+
+%(DEFAULT_BODY)s
+	
+	ldap_info = pinfo->private_data;
+	ldap_info->auth_type = LDAP_AUTH_SIMPLE;
+
+	pinfo->private_data = ldap_info;
+
+#.FN_PARS Mechanism VAL_PTR = &parameter_tvb
+#.FN_BODY Mechanism
+
+ldap_conv_info_t *ldap_info;
+tvbuff_t	*parameter_tvb;
+char *mechanism = NULL;
+%(DEFAULT_BODY)s
+	ldap_info = pinfo->private_data;
+	ldap_info->auth_type = LDAP_AUTH_SASL;
+
+	if (!parameter_tvb)
+		return offset;
+
+    /*
+     * We need to remember the authentication type and mechanism for this
+     * conversation.
+     *
+     * XXX - actually, we might need to remember more than one
+     * type and mechanism, if you can unbind and rebind with a
+     * different type and/or mechanism.
+     */
+    mechanism = tvb_get_string(parameter_tvb, 0, tvb_length_remaining(parameter_tvb,0));
+    ldap_info->first_auth_frame = 0;	/* not known until we see the bind reply */
+    /*
+     * If the mechanism in this request is an empty string (which is
+     * returned as a null pointer), use the saved mechanism instead.
+     * Otherwise, if the saved mechanism is an empty string (null),
+     * save this mechanism.
+     */
+    if (mechanism == NULL)
+        mechanism = ldap_info->auth_mech;
+    else {
+      if (ldap_info->auth_mech == NULL) {
+        g_free(ldap_info->auth_mech);
+      }
+      ldap_info->auth_mech = mechanism;
+    }
+	pinfo->private_data = ldap_info;
+
+#.FN_PARS Credentials VAL_PTR = &parameter_tvb
+#.FN_BODY Credentials
+
+tvbuff_t	*parameter_tvb;
+ldap_conv_info_t *ldap_info;
+
+%(DEFAULT_BODY)s
+	if (!parameter_tvb)
+		return offset;
+
+	ldap_info = pinfo->private_data;
+	if (ldap_info->auth_mech != NULL && strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) {
+		/*
+         * This is a GSS-API token ancapsulated within GSS-SPNEGO.
+		 */
+		 if (parameter_tvb)
+			call_dissector(gssapi_handle, parameter_tvb, pinfo, tree);
+	} else if (ldap_info->auth_mech != NULL && strcmp(ldap_info->auth_mech, "GSSAPI") == 0) {
+        /*
+         * This is a raw GSS-API token.
+         */
+		 if (parameter_tvb)
+			call_dissector(gssapi_handle, parameter_tvb, pinfo, tree);
+	}
+	pinfo->private_data = ldap_info;
+
+#.FN_PARS ServerSaslCreds VAL_PTR = &parameter_tvb
+#.FN_BODY ServerSaslCreds
+
+tvbuff_t	*parameter_tvb;
+ldap_conv_info_t *ldap_info;
+
+%(DEFAULT_BODY)s
+	if (!parameter_tvb)
+		return offset;
+	ldap_info = pinfo->private_data;
+    switch (ldap_info->auth_type) {
+
+      /* For Kerberos V4, dissect it as a ticket. */
+      /* XXX - what about LDAP_AUTH_SIMPLE? */
+
+    case LDAP_AUTH_SASL:
+      /*
+       * All frames after this are assumed to use a security layer.
+       *
+       * XXX - won't work if there's another reply, with the security
+       * layer, starting in the same TCP segment that ends this
+       * reply, but as LDAP is a request/response protocol, and
+       * as the client probably can't start using authentication until
+       * it gets the bind reply and the server won't send a reply until
+       * it gets a request, that probably won't happen.
+       *
+       * XXX - that assumption is invalid; it's not clear where the
+       * hell you find out whether there's any security layer.  In
+       * one capture, we have two GSS-SPNEGO negotiations, both of
+       * which select MS KRB5, and the only differences in the tokens
+       * is in the RC4-HMAC ciphertext.  The various
+       * draft-ietf--cat-sasl-gssapi-NN.txt drafts seem to imply
+       * that the RFC 2222 spoo with the bitmask and maximum
+       * output message size stuff is done - but where does that
+       * stuff show up?  Is it in the ciphertext, which means it's
+       * presumably encrypted?
+       *
+       * Grrr.  We have to do a gross heuristic, checking whether the
+       * putative LDAP message begins with 0x00 or not, making the
+       * assumption that we won't have more than 2^24 bytes of
+       * encapsulated stuff.
+       */
+      ldap_info->first_auth_frame = pinfo->fd->num + 1;
+      if (ldap_info->auth_mech != NULL &&
+          strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) {
+        /*
+         * This is a GSS-API token.
+         */
+        call_dissector(gssapi_handle, parameter_tvb, pinfo, tree);
+      } else if (ldap_info->auth_mech != NULL &&
+          strcmp(ldap_info->auth_mech, "GSSAPI") == 0) {
+        /*
+         * This is a GSS-API token.
+         */
+        call_dissector(gssapi_handle, parameter_tvb, pinfo, tree);
+		}
+	break;
+	}
+	pinfo->private_data = ldap_info;
--- a/asn1/ldap/packet-ldap-template.c
+++ b/asn1/ldap/packet-ldap-template.c
@ -82,6 +82,7 @@
 #include <epan/conversation.h>
 #include <epan/tap.h>
 #include <epan/emem.h>
+#include <epan/oid_resolv.h>

 #include "packet-frame.h"
 #include "packet-ldap.h"
@ -128,7 +129,30 @@ static dissector_handle_t gssapi_wrap_handle;
 /* different types of rpc calls ontop of ms cldap */
 #define	MSCLDAP_RPC_NETLOGON 	1

-
+/* Message type Choice values */
+static const value_string ldap_ProtocolOp_choice_vals[] = {
+  {   0, "bindRequest" },
+  {   1, "bindResponse" },
+  {   2, "unbindRequest" },
+  {   3, "searchRequest" },
+  {   4, "searchResEntry" },
+  {   5, "searchResDone" },
+  {	  6, "searchResRef" },
+  {   7, "modifyRequest" },
+  {   8, "modifyResponse" },
+  {   9, "addRequest" },
+  {  10, "addResponse" },
+  {  11, "delRequest" },
+  {  12, "delResponse" },
+  {  13, "modDNRequest" },
+  {  14, "modDNResponse" },
+  {  15, "compareRequest" },
+  {  16, "compareResponse" },
+  {  17, "abandonRequest" },
+  {  18, "extendedReq" },
+  {  19, "extendedResp" },
+  { 0, NULL }
+};
 /*
 * Data structure attached to a conversation, giving authentication
 * information from a bind request.
@ -189,8 +213,7 @@ ldap_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
 }

 /* Global variables */
-guint32 MessageID;
-guint32 AuthenticationChoice;
+char *mechanism = NULL;

 #include "packet-ldap-fn.c"

@ -763,6 +786,27 @@ proto_reg_handoff_ldap(void)
 	gssapi_handle = find_dissector("gssapi");
 	gssapi_wrap_handle = find_dissector("gssapi_verf");

+/*  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dsml/dsml/ldap_controls_and_session_support.asp */
+	register_ber_oid_name("1.2.840.113556.1.4.319","LDAP_PAGED_RESULT_OID_STRING"); 
+	register_ber_oid_name("1.2.840.113556.1.4.417","LDAP_SERVER_SHOW_DELETED_OID"); 
+	register_ber_oid_name("1.2.840.113556.1.4.473","LDAP_SERVER_SORT_OID"); 
+	register_ber_oid_name("1.2.840.113556.1.4.521","LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID"); 
+	register_ber_oid_name("1.2.840.113556.1.4.528","LDAP_SERVER_NOTIFICATION_OID"); 
+	register_ber_oid_name("1.2.840.113556.1.4.529","LDAP_SERVER_EXTENDED_DN_OID"); 
+	register_ber_oid_name("1.2.840.113556.1.4.619","LDAP_SERVER_LAZY_COMMIT_OID"); 
+	register_ber_oid_name("1.2.840.113556.1.4.801","LDAP_SERVER_SD_FLAGS_OID"); 
+	register_ber_oid_name("1.2.840.113556.1.4.805","LDAP_SERVER_TREE_DELETE_OID"); 
+	register_ber_oid_name("1.2.840.113556.1.4.841","LDAP_SERVER_DIRSYNC_OID"); 
+	register_ber_oid_name("1.2.840.113556.1.4.970 ","None"); 
+	register_ber_oid_name("1.2.840.113556.1.4.1338","LDAP_SERVER_VERIFY_NAME_OID"); 
+	register_ber_oid_name("1.2.840.113556.1.4.1339","LDAP_SERVER_DOMAIN_SCOPE_OID"); 
+	register_ber_oid_name("1.2.840.113556.1.4.1340","LDAP_SERVER_SEARCH_OPTIONS_OID"); 
+	register_ber_oid_name("1.2.840.113556.1.4.1413","LDAP_SERVER_PERMISSIVE_MODIFY_OID"); 
+	register_ber_oid_name("1.2.840.113556.1.4.1504","LDAP_SERVER_ASQ_OID"); 
+	register_ber_oid_name("1.2.840.113556.1.4.1781","LDAP_SERVER_FAST_BIND_OID"); 
+	register_ber_oid_name("1.3.6.1.4.1.1466.101.119.1","None"); 
+	register_ber_oid_name("1.3.6.1.4.1.1466.20037","LDAP_START_TLS_OID"); 
+	register_ber_oid_name("2.16.840.1.113730.3.4.9","LDAP_CONTROL_VLVREQUEST VLV");


 }