the unicode bit.
Also, it seems that the strings in the address list of a
NTLMSSP_CHALLENGE message are always in unicode, regardless of the
negotiated string type. I have a capture of win98 doing NTLM over
HTTP where the domain name is in ASCII but the address list is
unicode.
There is still a bug in the dissection of the NTLMSSP_AUTH message
where the flags value does not specify unicode but the
domain/user/host name is unicode. Perhaps the flags value for this
message aren't NTLMSSP flags?
Guy/Richard/jmayer, if you have any captures that show different
behaviour can you send them my way?
svn path=/trunk/; revision=6329
HTTP, but NTLMSSP_CHALLENGE appears twice in a session setup response
SPNEGO negTokenTarg, as the NTLMSSP message appears both in the
responseToken and mechListMIC fields.
svn path=/trunk/; revision=6328
dissect_ntlmssp_strings(). It seems that most versions of IE don't
set the workstation name and domain name in the NTLMSSP_NEGOTIATE
message when doing NTLM over HTTP.
svn path=/trunk/; revision=6327
- strings are now in a subtree of a command, printing only the
text unless you go into the subtree (to see length, offset)
- generic blobs are the same as strings, only displayed in hex
- NTLMSSP challenge address lists are decoded
- a couple of unknown fields are now known
svn path=/trunk/; revision=6263
as an argument, and looks up that OID in the GSSAPI OID hash table.
Always use that routine to look up OIDs, so that we never use the result
of "format_oid()" as the key (as that doesn't necessarily work).
Make "gssapi_oids" static, as one should only look up GSSAPI
authentication mechanism OIDs with "gssapi_lookup_oid()".
In the SPNEGO dissector, free up the OID strings when we're done with
them, and don't advance the offset past the OID until after we put the
OID into the protocol tree.
svn path=/trunk/; revision=6228
registered dissector name; that means you don't have to register a
dissector by name to associate it with a GSS-API security mechanism OID.
svn path=/trunk/; revision=6163
don't abort dissection of the entire packet if we get a
ReportedBoundsError while dissecting an authentication blob - the
authentication blob might be in the middle of a packet, and if it's too
short, that doesn't mean that the stuff *after* it shouldn't be
dissected.
A length of "-1" when adding items that have variable-length data
(FT_NONE, FT_PROTOCOL, FT_BYTES, and FT_STRING; this includes stuff
added with "proto_tree_add_text()") means "to the end of the tvbuff"; we
don't need to fetch the length of the tvbuff and use that.
svn path=/trunk/; revision=6161
Handle the case where "get_unicode_or_ascii_string()" returns a null
pointer (which can be the case if the length supplied is zero, which we
check for as per the above, but can also be the case for a Unicode
string if the length supplied is 1 byte).
Fix a call to "proto_tree_add_uint()" that was presumably supposed to be
a call to "proto_tree_add_item()".
svn path=/trunk/; revision=6015
the flags field in NTLMSSP messages as a 32-bit field.
Make "get_unicode_or_ascii_string()" take a "Unicode or not" flag rather
than a "packet_info *" as an argument, make it not static, and move it
to "packet-smb-common.c", so that it can be used by the SMB dissector
and the NTLMSSP dissector. Also get rid of some _U_'s that are applied
to arguments that are, in fact, used.
svn path=/trunk/; revision=5976
equivalents for the toplevel directory. The removal of winsock2.h will
hopefully not cause any problems under MSVC++, as those files using
struct timeval still include wtap.h, which still includes winsock2.h.
svn path=/trunk/; revision=5932