Put in some of the old functionality.
svn path=/trunk/; revision=17360
parent
48f6c25460
commit
3d728fcf08
|
@ -1,6 +1,7 @@
|
|||
-- Module Lightweight-Directory-Access-Protocol-V3 (RFC 2251:12/1997)
|
||||
Lightweight-Directory-Access-Protocol-V3
|
||||
--
|
||||
-- $Id:$
|
||||
-- Copyright (C) The Internet Society (1997). This version of
|
||||
-- this ASN.1 module is part of RFC 2251;
|
||||
-- see the RFC itself for full legal notices.
|
||||
|
@ -9,9 +10,15 @@ DEFINITIONS IMPLICIT TAGS ::=
|
|||
BEGIN
|
||||
|
||||
LDAPMessage ::= SEQUENCE {
|
||||
messageID MessageID,
|
||||
protocolOp
|
||||
CHOICE {bindRequest BindRequest,
|
||||
messageID MessageID,
|
||||
protocolOp ProtocolOp,
|
||||
controls [0] Controls OPTIONAL
|
||||
}
|
||||
|
||||
MessageID ::= INTEGER(0..maxInt)
|
||||
|
||||
ProtocolOp ::= CHOICE {
|
||||
bindRequest BindRequest,
|
||||
bindResponse BindResponse,
|
||||
unbindRequest UnbindRequest,
|
||||
searchRequest SearchRequest,
|
||||
|
@ -30,11 +37,9 @@ LDAPMessage ::= SEQUENCE {
|
|||
compareResponse CompareResponse,
|
||||
abandonRequest AbandonRequest,
|
||||
extendedReq ExtendedRequest,
|
||||
extendedResp ExtendedResponse},
|
||||
controls [0] Controls OPTIONAL
|
||||
}
|
||||
extendedResp ExtendedResponse
|
||||
}
|
||||
|
||||
MessageID ::= INTEGER(0..maxInt)
|
||||
|
||||
maxInt INTEGER ::= 2147483647 -- (2^^31 - 1)
|
||||
|
||||
|
@ -127,17 +132,33 @@ BindRequest ::= [APPLICATION 0] SEQUENCE {
|
|||
}
|
||||
|
||||
AuthenticationChoice ::= CHOICE {
|
||||
simple [0] OCTET STRING,
|
||||
simple [0] Simple,
|
||||
-- 1 and 2 reserved
|
||||
sasl [3] SaslCredentials
|
||||
}
|
||||
|
||||
Simple ::= OCTET STRING
|
||||
|
||||
SaslCredentials ::= SEQUENCE {
|
||||
mechanism Mechanism,
|
||||
credentials OCTET STRING OPTIONAL
|
||||
credentials Credentials OPTIONAL
|
||||
}
|
||||
|
||||
Mechanism ::= LDAPString
|
||||
--4.1.2. String Types
|
||||
--
|
||||
-- The LDAPString is a notational convenience to indicate that, although
|
||||
-- strings of LDAPString type encode as OCTET STRING types, the ISO
|
||||
-- 10646 [13] character set (a superset of Unicode) is used, encoded
|
||||
-- following the UTF-8 algorithm [14]. Note that in the UTF-8 algorithm
|
||||
-- characters which are the same as ASCII (0x0000 through 0x007F) are
|
||||
-- represented as that same ASCII character in a single byte. The other
|
||||
-- byte values are used to form a variable-length encoding of an
|
||||
-- arbitrary character.
|
||||
|
||||
-- Mechanism ::= LDAPString
|
||||
Mechanism ::= OCTET STRING
|
||||
|
||||
Credentials ::= OCTET STRING
|
||||
|
||||
BindResponse ::= [APPLICATION 1] SEQUENCE {
|
||||
-- COMPONENTS OF LDAPResult,
|
||||
|
@ -179,9 +200,11 @@ BindResponse ::= [APPLICATION 1] SEQUENCE {
|
|||
referral [3] Referral OPTIONAL,
|
||||
|
||||
-- end of components
|
||||
serverSaslCreds [7] OCTET STRING OPTIONAL
|
||||
serverSaslCreds [7] ServerSaslCreds OPTIONAL
|
||||
}
|
||||
|
||||
ServerSaslCreds ::= OCTET STRING
|
||||
|
||||
ErrorMessage ::= LDAPString
|
||||
|
||||
UnbindRequest ::= [APPLICATION 2] NULL
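Review bot: The hunk at `@ -127,17 +132,33 @@` shows both `Mechanism ::= LDAPString` and `Mechanism ::= OCTET STRING` next to a commented-out `-- Mechanism ::= LDAPString`; assuming the OCTET STRING form is the new definition, the module now silently deviates from the RFC 2251 text its header claims to reproduce, with no note saying why. Since `Simple`, `Credentials` and `ServerSaslCreds` are introduced in the same hunk, presumably so that ldap.cnf can attach VAL_PTR hooks to the raw values, a one-line comment would spare the next maintainer the search: `-- Mechanism is OCTET STRING here rather than the RFC's LDAPString so that ldap.cnf can capture the raw value (see #.FN_BODY Mechanism)`. The dead `-- Mechanism ::= LDAPString` line should then either be folded into that comment or dropped, since a stray alternative definition in an otherwise verbatim RFC module leaves it unclear which one is authoritative.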
|
||||
|
|
|
@ -22,17 +22,179 @@ ModifyRequest/modification modifyRequest_modification
|
|||
SubstringFilter/substrings substringFilter_substrings
|
||||
|
||||
#.TYPE_ATTR
|
||||
LDAPDN TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
|
||||
RelativeLDAPDN TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
|
||||
AttributeType TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
|
||||
AttributeDescription TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
|
||||
MatchingRuleId TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
|
||||
ErrorMessage TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
|
||||
LDAPString TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
|
||||
LDAPURL TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
|
||||
LDAPOID TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
|
||||
Mechanism TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
|
||||
ControlType TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
|
||||
ResponseName TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
|
||||
|
||||
#.FN_PARS LDAPOID VAL_PTR = ¶meter_tvb
|
||||
#.FN_HDR LDAPOID
|
||||
|
||||
tvbuff_t *parameter_tvb;
|
||||
const gchar *name;
|
||||
proto_item *item = NULL;
|
||||
|
||||
|
||||
#.FN_FTR LDAPOID
|
||||
if (!parameter_tvb)
|
||||
return offset;
|
||||
item = get_ber_last_created_item();
|
||||
name = get_oid_str_name(tvb_get_string(parameter_tvb, 0, tvb_length_remaining(parameter_tvb,0)));
|
||||
if(name){
|
||||
proto_item_append_text(item, " (%s)", name);
|
||||
}
|
||||
|
||||
|
||||
#.FN_PARS MessageID VAL_PTR = &MessageID
|
||||
#.FN_PARS AuthenticationChoice VAL_PTR = &AuthenticationChoice
|
||||
#.FN_BODY MessageID
|
||||
gint MessageID;
|
||||
|
||||
%(DEFAULT_BODY)s
|
||||
|
||||
if (check_col(pinfo->cinfo, COL_INFO))
|
||||
col_append_fstr(pinfo->cinfo, COL_INFO, "MsgId=%%u, ",MessageID);
|
||||
|
||||
#.FN_PARS ProtocolOp VAL_PTR = &ProtocolOp
|
||||
|
||||
#.FN_BODY ProtocolOp
|
||||
|
||||
gint ProtocolOp;
|
||||
|
||||
%(DEFAULT_BODY)s
|
||||
if (check_col(pinfo->cinfo, COL_INFO))
|
||||
col_append_fstr(pinfo->cinfo, COL_INFO, val_to_str(ProtocolOp, ldap_ProtocolOp_choice_vals, "Unknown (%%u)"));
|
||||
|
||||
#.FN_BODY Simple
|
||||
ldap_conv_info_t *ldap_info;
|
||||
|
||||
%(DEFAULT_BODY)s
|
||||
|
||||
ldap_info = pinfo->private_data;
|
||||
ldap_info->auth_type = LDAP_AUTH_SIMPLE;
|
||||
|
||||
pinfo->private_data = ldap_info;
|
||||
|
||||
#.FN_PARS Mechanism VAL_PTR = ¶meter_tvb
|
||||
#.FN_BODY Mechanism
|
||||
|
||||
ldap_conv_info_t *ldap_info;
|
||||
tvbuff_t *parameter_tvb;
|
||||
char *mechanism = NULL;
|
||||
%(DEFAULT_BODY)s
|
||||
ldap_info = pinfo->private_data;
|
||||
ldap_info->auth_type = LDAP_AUTH_SASL;
|
||||
|
||||
if (!parameter_tvb)
|
||||
return offset;
|
||||
|
||||
/*
|
||||
* We need to remember the authentication type and mechanism for this
|
||||
* conversation.
|
||||
*
|
||||
* XXX - actually, we might need to remember more than one
|
||||
* type and mechanism, if you can unbind and rebind with a
|
||||
* different type and/or mechanism.
|
||||
*/
|
||||
mechanism = tvb_get_string(parameter_tvb, 0, tvb_length_remaining(parameter_tvb,0));
|
||||
ldap_info->first_auth_frame = 0; /* not known until we see the bind reply */
|
||||
/*
|
||||
* If the mechanism in this request is an empty string (which is
|
||||
* returned as a null pointer), use the saved mechanism instead.
|
||||
* Otherwise, if the saved mechanism is an empty string (null),
|
||||
* save this mechanism.
|
||||
*/
|
||||
if (mechanism == NULL)
|
||||
mechanism = ldap_info->auth_mech;
|
||||
else {
|
||||
if (ldap_info->auth_mech == NULL) {
|
||||
g_free(ldap_info->auth_mech);
|
||||
}
|
||||
ldap_info->auth_mech = mechanism;
|
||||
}
|
||||
pinfo->private_data = ldap_info;
|
||||
|
||||
#.FN_PARS Credentials VAL_PTR = ¶meter_tvb
|
||||
#.FN_BODY Credentials
|
||||
|
||||
tvbuff_t *parameter_tvb;
|
||||
ldap_conv_info_t *ldap_info;
|
||||
|
||||
%(DEFAULT_BODY)s
|
||||
if (!parameter_tvb)
|
||||
return offset;
|
||||
|
||||
ldap_info = pinfo->private_data;
|
||||
if (ldap_info->auth_mech != NULL && strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) {
|
||||
/*
|
||||
* This is a GSS-API token ancapsulated within GSS-SPNEGO.
|
||||
*/
|
||||
if (parameter_tvb)
|
||||
call_dissector(gssapi_handle, parameter_tvb, pinfo, tree);
|
||||
} else if (ldap_info->auth_mech != NULL && strcmp(ldap_info->auth_mech, "GSSAPI") == 0) {
|
||||
/*
|
||||
* This is a raw GSS-API token.
|
||||
*/
|
||||
if (parameter_tvb)
|
||||
call_dissector(gssapi_handle, parameter_tvb, pinfo, tree);
|
||||
}
|
||||
pinfo->private_data = ldap_info;
|
||||
|
||||
#.FN_PARS ServerSaslCreds VAL_PTR = ¶meter_tvb
|
||||
#.FN_BODY ServerSaslCreds
|
||||
|
||||
tvbuff_t *parameter_tvb;
|
||||
ldap_conv_info_t *ldap_info;
|
||||
|
||||
%(DEFAULT_BODY)s
|
||||
if (!parameter_tvb)
|
||||
return offset;
|
||||
ldap_info = pinfo->private_data;
|
||||
switch (ldap_info->auth_type) {
|
||||
|
||||
/* For Kerberos V4, dissect it as a ticket. */
|
||||
/* XXX - what about LDAP_AUTH_SIMPLE? */
|
||||
|
||||
case LDAP_AUTH_SASL:
|
||||
/*
|
||||
* All frames after this are assumed to use a security layer.
|
||||
*
|
||||
* XXX - won't work if there's another reply, with the security
|
||||
* layer, starting in the same TCP segment that ends this
|
||||
* reply, but as LDAP is a request/response protocol, and
|
||||
* as the client probably can't start using authentication until
|
||||
* it gets the bind reply and the server won't send a reply until
|
||||
* it gets a request, that probably won't happen.
|
||||
*
|
||||
* XXX - that assumption is invalid; it's not clear where the
|
||||
* hell you find out whether there's any security layer. In
|
||||
* one capture, we have two GSS-SPNEGO negotiations, both of
|
||||
* which select MS KRB5, and the only differences in the tokens
|
||||
* is in the RC4-HMAC ciphertext. The various
|
||||
* draft-ietf--cat-sasl-gssapi-NN.txt drafts seem to imply
|
||||
* that the RFC 2222 spoo with the bitmask and maximum
|
||||
* output message size stuff is done - but where does that
|
||||
* stuff show up? Is it in the ciphertext, which means it's
|
||||
* presumably encrypted?
|
||||
*
|
||||
* Grrr. We have to do a gross heuristic, checking whether the
|
||||
* putative LDAP message begins with 0x00 or not, making the
|
||||
* assumption that we won't have more than 2^24 bytes of
|
||||
* encapsulated stuff.
|
||||
*/
|
||||
ldap_info->first_auth_frame = pinfo->fd->num + 1;
|
||||
if (ldap_info->auth_mech != NULL &&
|
||||
strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) {
|
||||
/*
|
||||
* This is a GSS-API token.
|
||||
*/
|
||||
call_dissector(gssapi_handle, parameter_tvb, pinfo, tree);
|
||||
} else if (ldap_info->auth_mech != NULL &&
|
||||
strcmp(ldap_info->auth_mech, "GSSAPI") == 0) {
|
||||
/*
|
||||
* This is a GSS-API token.
|
||||
*/
|
||||
call_dissector(gssapi_handle, parameter_tvb, pinfo, tree);
|
||||
}
|
||||
break;
|
||||
}
|
||||
pinfo->private_data = ldap_info;
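Review bot: In `#.FN_BODY Mechanism` the guard in front of `g_free(ldap_info->auth_mech)` is inverted: `if (ldap_info->auth_mech == NULL)` frees only a null pointer (a no-op) and never releases a previously saved mechanism before `ldap_info->auth_mech = mechanism;` overwrites it, so every rebind with a new mechanism leaks the old string; the comment above it also says a new mechanism is stored only when none is saved yet, which the code does not implement either. The test should read `if (ldap_info->auth_mech != NULL) g_free(ldap_info->auth_mech);` (or the branch can go entirely, since `g_free(NULL)` is harmless), and whether the new mechanism should replace or defer to the saved one needs to be decided and the comment made to match. Separately, `#.FN_BODY ProtocolOp` passes the return value of `val_to_str()` as the format argument of `col_append_fstr()`; the table strings are constant today, but a non-literal format string is a pattern worth avoiding, and `col_append_str(pinfo->cinfo, COL_INFO, val_to_str(ProtocolOp, ldap_ProtocolOp_choice_vals, "Unknown (%%u)"));` does the same job. Each of these bodies is spliced into a generated function by asn2wrs, so the enclosing functions are not visible in the hunk.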
|
||||
|
|
|
@ -82,6 +82,7 @@
|
|||
#include <epan/conversation.h>
|
||||
#include <epan/tap.h>
|
||||
#include <epan/emem.h>
|
||||
#include <epan/oid_resolv.h>
|
||||
|
||||
#include "packet-frame.h"
|
||||
#include "packet-ldap.h"
|
||||
|
@ -128,7 +129,30 @@ static dissector_handle_t gssapi_wrap_handle;
|
|||
/* different types of rpc calls ontop of ms cldap */
|
||||
#define MSCLDAP_RPC_NETLOGON 1
|
||||
|
||||
|
||||
/* Message type Choice values */
|
||||
static const value_string ldap_ProtocolOp_choice_vals[] = {
|
||||
{ 0, "bindRequest" },
|
||||
{ 1, "bindResponse" },
|
||||
{ 2, "unbindRequest" },
|
||||
{ 3, "searchRequest" },
|
||||
{ 4, "searchResEntry" },
|
||||
{ 5, "searchResDone" },
|
||||
{ 6, "searchResRef" },
|
||||
{ 7, "modifyRequest" },
|
||||
{ 8, "modifyResponse" },
|
||||
{ 9, "addRequest" },
|
||||
{ 10, "addResponse" },
|
||||
{ 11, "delRequest" },
|
||||
{ 12, "delResponse" },
|
||||
{ 13, "modDNRequest" },
|
||||
{ 14, "modDNResponse" },
|
||||
{ 15, "compareRequest" },
|
||||
{ 16, "compareResponse" },
|
||||
{ 17, "abandonRequest" },
|
||||
{ 18, "extendedReq" },
|
||||
{ 19, "extendedResp" },
|
||||
{ 0, NULL }
|
||||
};
|
||||
/*
|
||||
* Data structure attached to a conversation, giving authentication
|
||||
* information from a bind request.
|
||||
|
@ -189,8 +213,7 @@ ldap_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
|
|||
}
|
||||
|
||||
/* Global variables */
|
||||
guint32 MessageID;
|
||||
guint32 AuthenticationChoice;
|
||||
char *mechanism = NULL;
|
||||
|
||||
#include "packet-ldap-fn.c"
|
||||
|
||||
|
@ -763,6 +786,27 @@ proto_reg_handoff_ldap(void)
|
|||
gssapi_handle = find_dissector("gssapi");
|
||||
gssapi_wrap_handle = find_dissector("gssapi_verf");
|
||||
|
||||
/* http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dsml/dsml/ldap_controls_and_session_support.asp */
|
||||
register_ber_oid_name("1.2.840.113556.1.4.319","LDAP_PAGED_RESULT_OID_STRING");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.417","LDAP_SERVER_SHOW_DELETED_OID");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.473","LDAP_SERVER_SORT_OID");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.521","LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.528","LDAP_SERVER_NOTIFICATION_OID");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.529","LDAP_SERVER_EXTENDED_DN_OID");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.619","LDAP_SERVER_LAZY_COMMIT_OID");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.801","LDAP_SERVER_SD_FLAGS_OID");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.805","LDAP_SERVER_TREE_DELETE_OID");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.841","LDAP_SERVER_DIRSYNC_OID");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.970 ","None");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.1338","LDAP_SERVER_VERIFY_NAME_OID");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.1339","LDAP_SERVER_DOMAIN_SCOPE_OID");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.1340","LDAP_SERVER_SEARCH_OPTIONS_OID");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.1413","LDAP_SERVER_PERMISSIVE_MODIFY_OID");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.1504","LDAP_SERVER_ASQ_OID");
|
||||
register_ber_oid_name("1.2.840.113556.1.4.1781","LDAP_SERVER_FAST_BIND_OID");
|
||||
register_ber_oid_name("1.3.6.1.4.1.1466.101.119.1","None");
|
||||
register_ber_oid_name("1.3.6.1.4.1.1466.20037","LDAP_START_TLS_OID");
|
||||
register_ber_oid_name("2.16.840.1.113730.3.4.9","LDAP_CONTROL_VLVREQUEST VLV");
|
||||
|
||||
|
||||
}
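Review bot: In `proto_reg_handoff_ldap()` the OID passed in `register_ber_oid_name("1.2.840.113556.1.4.970 ","None")` carries a trailing space, so it can never match a decoded OID string and the entry is dead; it should be `register_ber_oid_name("1.2.840.113556.1.4.970","None");` or, better, be dropped together with the `1.3.6.1.4.1.1466.101.119.1` entry until a real name is known, since displaying "None" as the resolved name tells the analyst nothing. The new file-scope globals `guint32 MessageID;`, `guint32 AuthenticationChoice;` and `char *mechanism = NULL;` are non-static and so export unprefixed symbols, and the same names are declared again as locals (`gint MessageID;`, `char *mechanism = NULL;`) inside the ldap.cnf bodies that are included via `packet-ldap-fn.c`, so whichever copy is meant to carry the state should be kept and the other removed, and at minimum the globals should be `static`. The hand-written `ldap_ProtocolOp_choice_vals` table mirrors the CHOICE now defined in the ASN.1 module; if asn2wrs already emits a value_string for `ProtocolOp` (it usually does), this copy will drift from it without any compiler complaint, so a comment tying it to the module or a switch to the generated table is worth considering.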
|
||||
|
|