45 Commits

Author SHA1 Message Date
Tim Potter 2d33b62811 This commit refactors the dcerpc authentication subdissectors for
handling encrypted request/response PDUs.  Instead of having
dissection function pointers which perform both decryption and
dissection, the function pointers now only decrypt the DCERPC fragment
payload.  Dissection is handled by the dcerpc_try_handoff() function
(with DCERPC fragment reassembly if necessary).

Details:

 - Move the dcerpc_auth_info struct into dcerpc.h as it is now used in
   the function prototype for the decryption function handlers.

 - decode_encrypted_data() was refactored to take a boolean request
   parameter instead of passing the DCERPC PDU packet type.

 - A tvbuff_t * data field was added to dcerpc_auth to hold the
   verifier.  This is passed as an argument to the decryption function
   handlers.

 - Dissection of verifiers in request and response PDUs was moved to
   before the payload.

 - The dissect_dcerpc_cn_stub() function was refactored to perform
   the decryption process and hand decrypted data to the reassembly
   code instead of performing the decryption after reassembly.

 - Removed references to decrypted_info_t as it's not necessary
   anymore.

Code was tested using encrypted and unencrypted fragmented PDUs.
Before this commit ethereal could not dissect unencrypted (!)
fragmented PDUs correctly.

svn path=/trunk/; revision=8546
2003-09-26 06:30:13 +00:00
Guy Harris 9f62e50a7d From Devin Heitmueller: make offsets into tvbuffs 32-bit.
svn path=/trunk/; revision=8326
2003-09-01 00:01:39 +00:00
Ronnie Sahlberg 7b06f1814f From Devin H, update to NTLMSSP to better handle address lists
svn path=/trunk/; revision=8228
2003-08-24 01:29:50 +00:00
Guy Harris a9a326cec8 I've seen NTLMSSP DCE RPC packets with a protection level of
DCE_C_AUTHN_LEVEL_CONNECT.

svn path=/trunk/; revision=8042
2003-07-18 05:51:21 +00:00
Tim Potter 8b89bd76ee Move all DCERPC authentication/encryption dissection code from packet-dcerpc.c
to the dissector that handles the particular authentication flavour.  This
gets rid of a couple of ugly switch statements and allows other authentication
modules to be written easily.

svn path=/trunk/; revision=8026
2003-07-16 04:20:33 +00:00
Tim Potter 2b39831b5b Move the ntlmv2 response dissection out of packet-ntlmssp.c and into
packet-smb-common.c so it can be used elsewhere.

Dissect a ntlmv2 response in a session setup SMB if detected.

svn path=/trunk/; revision=7655
2003-05-09 01:41:28 +00:00
Tim Potter 04c95838a0 Whoops - had that test reversed.
svn path=/trunk/; revision=7648
2003-05-07 07:12:50 +00:00
Tim Potter f7c07ddbae Don't try and dissect a zero length NTLM response as a NTLMv2 response.
svn path=/trunk/; revision=7647
2003-05-07 04:32:59 +00:00
Tim Potter c7cf9a4207 Parse a NTLMv2 response blob as documented in
http://ubiqx.org/cifs/SMB.html#8, para 2.8.5.3

Convert some magic numbers to constants in dissect_ntlmssp_address_list()

svn path=/trunk/; revision=7646
2003-05-07 04:07:45 +00:00
Guy Harris 569e74a1f3 When registering a string preference, if the value of the preference is
NULL, convert it to a copy of a null string, otherwise replace it with a
copy of the string, so that we know that the variable for the preference
always points to a string that can be freed.

That also obviates the need to worry about a null-pointer value for a
preference variable when checking to see whether a preference has changed.

When checking for a string preference not being set, check for an empty
string, not a null pointer - the above code turns null pointers into
pointers to empty strings, *and* the GUI code does (and always did!) the
same.

svn path=/trunk/; revision=7342
2003-03-11 22:51:52 +00:00
Guy Harris 53f465a984 From Todd Sabin: allocate the buffer for the decrypted payload, rather
than using a fixed-size 1500-byte buffer.

Use memory chunks for ntlmssp_info and ntlmssp_packet_info structures,
and free up the chunks when we re-initialize the dissector.

svn path=/trunk/; revision=7277
2003-03-04 20:52:33 +00:00
Ronnie Sahlberg a80ddab6fd Update DCERPC so that for (NTLMSSP) PDUs that have been decrypted
we also call the proper DCERPC subdissector.

With this change ethereal will call the SAMR dissector and dissect the
decrypted SAMR packets in Devin's capture.

svn path=/trunk/; revision=6855
2003-01-06 11:27:03 +00:00
Guy Harris 3a92530a52 From Devin Heitmueller: support for decrypting DCERPC conversations
using NTLMSSP version 1.

Show stub data as such for all requests and replies where we can't
dissect the stub data as a request or reply for some DCERPC-based
protocol.

svn path=/trunk/; revision=6825
2002-12-31 08:05:29 +00:00
Guy Harris 35eefef60a Handle GSS_Wrap header information as well as context-level tokens. A
call to "gssapi_init_oid()" supplies both dissectors for context-level
tokens and GSS_Wrap header information; the latter dissector should
return the number of bytes of header information, so that if the header
information and the message for the protocol that's using GSSAPI are
treated as a single blob of data (as is the case with LDAP, but not with
DCE RPC, for example), the dissector for the protocol using GSSAPI knows
where to start dissecting.

We associate a pointer to the entire data structure for the OID, not the
handle for context-level token dissector for the OID, with conversations
and frames.

Make the dissector for NTLMSSP verifiers be the handler for GSS_Wrap
stuff for NTLMSSP, and add support for GSS_Wrap stuff for Kerberos.

Support SASL GSS-SPNEGO wrapping of LDAP messages.  (XXX - this should
really check for GSS-SPNEGO.)

svn path=/trunk/; revision=6692
2002-11-28 06:48:42 +00:00
Guy Harris 262744d2b2 Dissect NTLMSSP authentication verifiers, as per lkcl's "DCE/RPC over
SMB" book.

svn path=/trunk/; revision=6598
2002-11-10 09:38:22 +00:00
Guy Harris 9f9e93fe79 It doesn't appear as if any flag in the preceding NEGOTIATE or CHALLENGE
message indicates whether the session key or flags are missing in an
AUTH message - and it appears that the session key can be present
without the flags.

For both fields, check whether the offset is after the offset of the
first data chunk and, if so, assume the field is missing.

This means we no longer need to remember the flags for a NEGOTIATE
message, so just remember them for a CHALLENGE message.

svn path=/trunk/; revision=6585
2002-11-08 06:02:18 +00:00
Guy Harris 3adaa6fc1e Get rid of an unused variable.
Fix the name of a field to begin with "ntlmssp".

svn path=/trunk/; revision=6582
2002-11-08 04:25:00 +00:00
Guy Harris 643ea3debf If NTLMSSP_NEGOTIATE_UNICODE is different in the negotiate and challenge
messages, the value in the challenge message is what should be used to
determine how to dissect the auth message.

svn path=/trunk/; revision=6581
2002-11-08 01:45:37 +00:00
Guy Harris 3f8f3c6119 NTLMSSP_NEGOTIATE messages sometimes appear to have two other blobs at
the end, although they're empty in all messages I've seen; put in a
comment noting that.

NTLMSSP_CHALLENGE messages sometimes don't appear to have the address
list; it doesn't seem to be indicated by:

	any flags in the previous NEGOTIATE message other than the
	Negotiation Workstation Supplied, Negotiate Domain Supplied, or
	Negotiate UNICODE, but it doesn't make sense for those to affect
	it, as they affect unrelated things;

	any flags in the CHALLENGE message other than Negotiate OEM or
	Negotiate UNICODE, but those don't make sense.

So we just check whether the address list descriptor would be in the
middle of the domain name string and, if so, assume it's absent.

NTLMSSP_AUTH messages sometimes lack both the session key and the
negotiate flags; that appears to be controlled by the Negotiate Key
Exchange flag in the initial NEGOTIATE message - if not set, those
fields are missing.  We therefore remember the NEGOTIATE flags in a
conversation, and attach them to frames containing AUTH messages; we
also need those flags to determine whether the strings in the AUTH
message are Unicode or not.

Make lengths, maximum lengths, and offsets unsigned.

Display entries for empty blobs and address lists.

svn path=/trunk/; revision=6575
2002-11-07 08:01:19 +00:00
Guy Harris 9b2845f8ea Fix the offset for the flags in an NTLMSSP_AUTH message.
svn path=/trunk/; revision=6504
2002-10-25 03:40:13 +00:00
Tim Potter 6a789856ad Fixed a bitwise vs logical AND bug when checking the ntlmssp flags for
the unicode bit.

Also, it seems that the strings in the address list of a
NTLMSSP_CHALLENGE message are always in unicode, regardless of the
negotiated string type.  I have a capture of win98 doing NTLM over
HTTP where the domain name is in ASCII but the address list is
unicode.

There is still a bug in the dissection of the NTLMSSP_AUTH message
where the flags value does not specify unicode but the
domain/user/host name is unicode.  Perhaps the flags value for this
message aren't NTLMSSP flags?

Guy/Richard/jmayer, if you have any captures that show different
behaviour can you send them my way?

svn path=/trunk/; revision=6329
2002-09-24 00:40:42 +00:00
Tim Potter 081a11b3d6 Add NTLMSSP message type to COL_INFO. This looks nice for NTLM over
HTTP, but NTLMSSP_CHALLENGE appears twice in a session setup response
SPNEGO negTokenTarg, as the NTLMSSP message appears both in the
responseToken and mechListMIC fields.

svn path=/trunk/; revision=6328
2002-09-24 00:14:46 +00:00
Tim Potter abf520e1cc Add an entry to the protocol tree for NULL strings in
dissect_ntlmssp_strings().  It seems that most versions of IE don't
set the workstation name and domain name in the NTLMSSP_NEGOTIATE
message when doing NTLM over HTTP.

svn path=/trunk/; revision=6327
2002-09-23 22:55:32 +00:00
Tim Potter d0a0a41eaf Got rid of some nested parentheses in the gssapi oid registrations.
svn path=/trunk/; revision=6302
2002-09-18 08:36:25 +00:00
Richard Sharpe 2ee9444112 Small fix from Jim McDonough to fix the order of domain and workstation name
in a negotiate.

svn path=/trunk/; revision=6276
2002-09-11 17:47:32 +00:00
Richard Sharpe 356cc5009e Small patch from Jim McDonough from IBM for problems with the Negotiate NTLMSSP frame.
svn path=/trunk/; revision=6275
2002-09-11 16:45:07 +00:00
Richard Sharpe 48a5798890 A small fix to avoid a crash. Needs more work, though ...
svn path=/trunk/; revision=6266
2002-09-11 02:23:14 +00:00
Guy Harris 2c4b766dc1 From Jim McDonough: update NTLMSSP decoding to do:
	- strings are now in a subtree of a command, printing only the
	  text unless you go into the subtree (to see length, offset)

	- generic blobs are the same as strings, only displayed in hex

	- NTLMSSP challenge address lists are decoded

	- a couple of unknown fields are now known

svn path=/trunk/; revision=6263
2002-09-10 23:44:17 +00:00
Guy Harris 849e1c6866 Add a "gssapi_lookup_oid()" that takes a binary OID (pointer and length)
as an argument, and looks up that OID in the GSSAPI OID hash table.

Always use that routine to look up OIDs, so that we never use the result
of "format_oid()" as the key (as that doesn't necessarily work).

Make "gssapi_oids" static, as one should only look up GSSAPI
authentication mechanism OIDs with "gssapi_lookup_oid()".

In the SPNEGO dissector, free up the OID strings when we're done with
them, and don't advance the offset past the OID until after we put the
OID into the protocol tree.

svn path=/trunk/; revision=6228
2002-09-08 01:43:44 +00:00
Richard Sharpe 428c514ba6 Fix a spelling mistake.
svn path=/trunk/; revision=6219
2002-09-07 15:45:28 +00:00
Richard Sharpe 174fb49854 Add some level of OID naming etc ...
svn path=/trunk/; revision=6180
2002-09-04 21:34:38 +00:00
Richard Sharpe a842eb9d8e Who was that fscking idiot who put a \n into the mechListMIC format specifier!
svn path=/trunk/; revision=6172
2002-09-03 16:45:31 +00:00
Guy Harris 4e4000a12d Make "gssapi_init_oid()" take a dissector handle rather than a
registered dissector name; that means you don't have to register a
dissector by name to associate it with a GSS-API security mechanism OID.

svn path=/trunk/; revision=6163
2002-08-31 22:22:29 +00:00
Guy Harris 8fbf4e59af Catch exceptions thrown while dissecting the NTLMSSP stuff, so that we
don't abort dissection of the entire packet if we get a
ReportedBoundsError while dissecting an authentication blob - the
authentication blob might be in the middle of a packet, and if it's too
short, that doesn't mean that the stuff *after* it shouldn't be
dissected.

A length of "-1" when adding items that have variable-length data
(FT_NONE, FT_PROTOCOL, FT_BYTES, and FT_STRING; this includes stuff
added with "proto_tree_add_text()") means "to the end of the tvbuff"; we
don't need to fetch the length of the tvbuff and use that.

svn path=/trunk/; revision=6161
2002-08-31 20:25:43 +00:00
Guy Harris d2143a880e Include "packet-gssapi.h" to declare routines we call.
svn path=/trunk/; revision=6142
2002-08-30 10:05:26 +00:00
Richard Sharpe 1a46e38d20 More SPNEGO, now can get down to NTLMSSP if that is what the negTokenTarg
contains.

svn path=/trunk/; revision=6133
2002-08-30 00:32:11 +00:00
Jörg Mayer 7c4176d868 Removed trailing whitespaces from .h and .c files using the
winapi_cleanup tool written by Patrik Stridvall for the wine
project.

svn path=/trunk/; revision=6117
2002-08-28 21:04:11 +00:00
Tim Potter 60e4ca9c4f Moved the generic true_false_string saying "Set", "Not set" into
epan/packet.c

It was cut and pasted into seven other dissectors!

svn path=/trunk/; revision=6052
2002-08-21 21:25:23 +00:00
Guy Harris 868c88686f If the length of a string is zero, don't put it into the protocol tree.
Handle the case where "get_unicode_or_ascii_string()" returns a null
pointer (which can be the case if the length supplied is zero, which we
check for as per the above, but can also be the case for a Unicode
string if the length supplied is 1 byte).

Fix a call to "proto_tree_add_uint()" that was presumably supposed to be
a call to "proto_tree_add_item()".

svn path=/trunk/; revision=6015
2002-08-18 20:33:47 +00:00
Guy Harris 5c4e8e546d Add a terminator to the ntlmssp_message_types list.
svn path=/trunk/; revision=5977
2002-08-10 23:16:37 +00:00
Guy Harris 2cfb231081 From Devin Heitmueller: dissect NTLMSSP authentication messages, and handle
the flags field in NTLMSSP messages as a 32-bit field.

Make "get_unicode_or_ascii_string()" take a "Unicode or not" flag rather
than a "packet_info *" as an argument, make it not static, and move it
to "packet-smb-common.c", so that it can be used by the SMB dissector
and the NTLMSSP dissector.  Also get rid of some _U_'s that are applied
to arguments that are, in fact, used.

svn path=/trunk/; revision=5976
2002-08-10 21:15:37 +00:00
Jörg Mayer 173fe5aef4 Replace the types from sys/types.h and netinet/in.h by their glib.h
equivalents for the toplevel directory. The removal of winsock2.h will
hopefully not cause any problems under MSVC++, as those files using
struct timeval still include wtap.h, which still includes winsock2.h.

svn path=/trunk/; revision=5932
2002-08-02 23:36:07 +00:00
Guy Harris 4d1afddfab Show lengths as decimal, not hex.
Show an authentication message's contents as "Unknown contents", not as
an "Unrecognized NTLMSSP Message".

svn path=/trunk/; revision=5854
2002-07-10 06:17:55 +00:00
Tim Potter 7ad8ddcc46 Reordered some boolean fields to be consistent with the rest of ethereal.
svn path=/trunk/; revision=5850
2002-07-10 02:59:38 +00:00
Tim Potter 8d4650823d Dissector for DCERPC auth type == 10 (NTLMSSP) from
dheitmueller@netilla.com.

svn path=/trunk/; revision=5848
2002-07-09 20:49:27 +00:00