forked from osmocom/wireshark
338 lines
12 KiB
C
338 lines
12 KiB
C
/* packet-dcerpc.h
|
|
* Copyright 2001, Todd Sabin <tas@webspan.net>
|
|
* Copyright 2003, Tim Potter <tpot@samba.org>
|
|
*
|
|
* $Id: packet-dcerpc.h,v 1.40 2004/03/05 23:09:32 sahlberg Exp $
|
|
*
|
|
* Ethereal - Network traffic analyzer
|
|
* By Gerald Combs <gerald@ethereal.com>
|
|
* Copyright 1998 Gerald Combs
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version 2
|
|
* of the License, or (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
*/
|
|
|
|
#ifndef __PACKET_DCERPC_H__
|
|
#define __PACKET_DCERPC_H__
|
|
|
|
#include <epan/conversation.h>
|
|
|
|
typedef struct _e_uuid_t {
|
|
guint32 Data1;
|
|
guint16 Data2;
|
|
guint16 Data3;
|
|
guint8 Data4[8];
|
|
} e_uuid_t;
|
|
|
|
/* %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x */
|
|
#define DCERPC_UUID_STR_LEN 36+1
|
|
|
|
typedef struct _e_ctx_hnd {
|
|
guint32 attributes;
|
|
e_uuid_t uuid;
|
|
} e_ctx_hnd;
|
|
|
|
typedef struct _e_dce_cn_common_hdr_t {
|
|
guint8 rpc_ver;
|
|
guint8 rpc_ver_minor;
|
|
guint8 ptype;
|
|
guint8 flags;
|
|
guint8 drep[4];
|
|
guint16 frag_len;
|
|
guint16 auth_len;
|
|
guint32 call_id;
|
|
} e_dce_cn_common_hdr_t;
|
|
|
|
typedef struct _e_dce_dg_common_hdr_t {
|
|
guint8 rpc_ver;
|
|
guint8 ptype;
|
|
guint8 flags1;
|
|
guint8 flags2;
|
|
guint8 drep[3];
|
|
guint8 serial_hi;
|
|
e_uuid_t obj_id;
|
|
e_uuid_t if_id;
|
|
e_uuid_t act_id;
|
|
guint32 server_boot;
|
|
guint32 if_ver;
|
|
guint32 seqnum;
|
|
guint16 opnum;
|
|
guint16 ihint;
|
|
guint16 ahint;
|
|
guint16 frag_len;
|
|
guint16 frag_num;
|
|
guint8 auth_proto;
|
|
guint8 serial_lo;
|
|
} e_dce_dg_common_hdr_t;
|
|
|
|
typedef struct _dcerpc_auth_info {
|
|
guint8 auth_pad_len;
|
|
guint8 auth_level;
|
|
guint8 auth_type;
|
|
guint32 auth_size;
|
|
tvbuff_t *auth_data;
|
|
} dcerpc_auth_info;
|
|
|
|
#define PDU_REQ 0
|
|
#define PDU_PING 1
|
|
#define PDU_RESP 2
|
|
#define PDU_FAULT 3
|
|
#define PDU_WORKING 4
|
|
#define PDU_NOCALL 5
|
|
#define PDU_REJECT 6
|
|
#define PDU_ACK 7
|
|
#define PDU_CL_CANCEL 8
|
|
#define PDU_FACK 9
|
|
#define PDU_CANCEL_ACK 10
|
|
#define PDU_BIND 11
|
|
#define PDU_BIND_ACK 12
|
|
#define PDU_BIND_NAK 13
|
|
#define PDU_ALTER 14
|
|
#define PDU_ALTER_ACK 15
|
|
#define PDU_AUTH3 16
|
|
#define PDU_SHUTDOWN 17
|
|
#define PDU_CO_CANCEL 18
|
|
#define PDU_ORPHANED 19
|
|
|
|
|
|
/*
|
|
* helpers for packet-dcerpc.c and packet-dcerpc-ndr.c
|
|
* If you're writing a subdissector, you almost certainly want the
|
|
* NDR functions below.
|
|
*/
|
|
guint16 dcerpc_tvb_get_ntohs (tvbuff_t *tvb, gint offset, guint8 *drep);
|
|
guint32 dcerpc_tvb_get_ntohl (tvbuff_t *tvb, gint offset, guint8 *drep);
|
|
void dcerpc_tvb_get_uuid (tvbuff_t *tvb, gint offset, guint8 *drep, e_uuid_t *uuid);
|
|
int dissect_dcerpc_uint8 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, guint8 *pdata);
|
|
int dissect_dcerpc_uint16 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, guint16 *pdata);
|
|
int dissect_dcerpc_uint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, guint32 *pdata);
|
|
int dissect_dcerpc_uint64 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, unsigned char *pdata);
|
|
int dissect_dcerpc_float (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, gfloat *pdata);
|
|
int dissect_dcerpc_double (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, gdouble *pdata);
|
|
int dissect_dcerpc_time_t (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, guint32 *pdata);
|
|
/*
|
|
* NDR routines for subdissectors.
|
|
*/
|
|
int dissect_ndr_uint8 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, guint8 *pdata);
|
|
int dissect_ndr_uint16 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, guint16 *pdata);
|
|
int dissect_ndr_uint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, guint32 *pdata);
|
|
int dissect_ndr_uint64 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, unsigned char *pdata);
|
|
int dissect_ndr_float (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, gfloat *pdata);
|
|
int dissect_ndr_double (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, gdouble *pdata);
|
|
int dissect_ndr_time_t (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, guint32 *pdata);
|
|
int dissect_ndr_uuid_t (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, e_uuid_t *pdata);
|
|
int dissect_ndr_ctx_hnd (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
int hfindex, e_ctx_hnd *pdata);
|
|
|
|
typedef int (dcerpc_dissect_fnct_t)(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep);
|
|
|
|
typedef void (dcerpc_callback_fnct_t)(packet_info *pinfo, proto_tree *tree, proto_item *item, tvbuff_t *tvb, int start_offset, int end_offset, void *callback_args);
|
|
|
|
#define NDR_POINTER_REF 1
|
|
#define NDR_POINTER_UNIQUE 2
|
|
#define NDR_POINTER_PTR 3
|
|
|
|
int dissect_ndr_pointer_cb(tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
dcerpc_dissect_fnct_t *fnct, int type, char *text,
|
|
int hf_index, dcerpc_callback_fnct_t *callback,
|
|
void *callback_args);
|
|
|
|
int dissect_ndr_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
dcerpc_dissect_fnct_t *fnct, int type, char *text,
|
|
int hf_index);
|
|
|
|
/* dissect a NDR unidimensional conformant array */
|
|
int dissect_ndr_ucarray(tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
dcerpc_dissect_fnct_t *fnct);
|
|
|
|
/* dissect a NDR unidimensional conformant and varying array */
|
|
int dissect_ndr_ucvarray(tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep,
|
|
dcerpc_dissect_fnct_t *fnct);
|
|
|
|
int dissect_ndr_byte_array(tvbuff_t *tvb, int offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep);
|
|
|
|
int dissect_ndr_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep, int size_is,
|
|
int hfinfo, gboolean add_subtree,
|
|
char **data);
|
|
int dissect_ndr_char_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep);
|
|
int dissect_ndr_wchar_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
|
|
proto_tree *tree, guint8 *drep);
|
|
|
|
typedef struct _dcerpc_sub_dissector {
|
|
guint16 num;
|
|
gchar *name;
|
|
dcerpc_dissect_fnct_t *dissect_rqst;
|
|
dcerpc_dissect_fnct_t *dissect_resp;
|
|
} dcerpc_sub_dissector;
|
|
|
|
/* registration function for subdissectors */
|
|
void dcerpc_init_uuid (int proto, int ett, e_uuid_t *uuid, guint16 ver, dcerpc_sub_dissector *procs, int opnum_hf);
|
|
char *dcerpc_get_proto_name(e_uuid_t *uuid, guint16 ver);
|
|
int dcerpc_get_proto_hf_opnum(e_uuid_t *uuid, guint16 ver);
|
|
dcerpc_sub_dissector *dcerpc_get_proto_sub_dissector(e_uuid_t *uuid, guint16 ver);
|
|
|
|
/* Create a opnum, name value_string from a subdissector list */
|
|
|
|
value_string *value_string_from_subdissectors(dcerpc_sub_dissector *sd);
|
|
|
|
/* Private data structure to pass to DCERPC dissector. This is used to
|
|
pass transport specific information down to the dissector from the
|
|
dissector that parsed this encapsulated calls. */
|
|
|
|
#define DCERPC_TRANSPORT_SMB 1
|
|
|
|
typedef struct _dcerpc_private_info {
|
|
int transport_type; /* Tag */
|
|
|
|
union {
|
|
struct { /* DCERPC_TRANSPORT_SMB */
|
|
guint16 fid;
|
|
} smb;
|
|
} data;
|
|
} dcerpc_private_info;
|
|
|
|
/* Private data passed to subdissectors from the main DCERPC dissector. */
|
|
typedef struct _dcerpc_call_value {
|
|
e_uuid_t uuid;
|
|
guint16 ver;
|
|
guint16 opnum;
|
|
guint32 req_frame;
|
|
nstime_t req_time;
|
|
guint32 rep_frame;
|
|
guint32 max_ptr;
|
|
void *private_data;
|
|
} dcerpc_call_value;
|
|
|
|
typedef struct _dcerpc_info {
|
|
conversation_t *conv; /* Which TCP stream we are in */
|
|
guint32 call_id; /* Context id for this call */
|
|
guint16 smb_fid; /* FID for DCERPC over SMB */
|
|
gboolean request;
|
|
gboolean conformant_run;
|
|
gint32 conformant_eaten; /* how many bytes did the conformant run eat?*/
|
|
guint32 array_max_count; /* max_count for conformant arrays */
|
|
guint32 array_max_count_offset;
|
|
guint32 array_offset;
|
|
guint32 array_offset_offset;
|
|
guint32 array_actual_count;
|
|
guint32 array_actual_count_offset;
|
|
int hf_index;
|
|
dcerpc_call_value *call_data;
|
|
void *private_data;
|
|
} dcerpc_info;
|
|
|
|
|
|
/* the registered subdissectors */
|
|
extern GHashTable *dcerpc_uuids;
|
|
|
|
typedef struct _dcerpc_uuid_key {
|
|
e_uuid_t uuid;
|
|
guint16 ver;
|
|
} dcerpc_uuid_key;
|
|
|
|
typedef struct _dcerpc_uuid_value {
|
|
protocol_t *proto;
|
|
int proto_id;
|
|
int ett;
|
|
gchar *name;
|
|
dcerpc_sub_dissector *procs;
|
|
int opnum_hf;
|
|
} dcerpc_uuid_value;
|
|
|
|
/* Authenticated pipe registration functions and miscellanea */
|
|
|
|
typedef tvbuff_t *(dcerpc_decode_data_fnct_t)(tvbuff_t *tvb, int offset,
|
|
packet_info *pinfo,
|
|
dcerpc_auth_info *auth_info);
|
|
|
|
typedef struct _dcerpc_auth_subdissector_fns {
|
|
|
|
/* Dissect credentials and verifiers */
|
|
|
|
dcerpc_dissect_fnct_t *bind_fn;
|
|
dcerpc_dissect_fnct_t *bind_ack_fn;
|
|
dcerpc_dissect_fnct_t *auth3_fn;
|
|
dcerpc_dissect_fnct_t *req_verf_fn;
|
|
dcerpc_dissect_fnct_t *resp_verf_fn;
|
|
|
|
/* Decrypt encrypted requests/response PDUs */
|
|
|
|
dcerpc_decode_data_fnct_t *req_data_fn;
|
|
dcerpc_decode_data_fnct_t *resp_data_fn;
|
|
|
|
} dcerpc_auth_subdissector_fns;
|
|
|
|
void register_dcerpc_auth_subdissector(guint8 auth_level, guint8 auth_type,
|
|
dcerpc_auth_subdissector_fns *fns);
|
|
|
|
/* Authentication services */
|
|
|
|
#define DCE_C_RPC_AUTHN_PROTOCOL_NONE 0
|
|
#define DCE_C_RPC_AUTHN_PROTOCOL_KRB5 1
|
|
#define DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO 9
|
|
#define DCE_C_RPC_AUTHN_PROTOCOL_NTLMSSP 10
|
|
#define DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN 68
|
|
|
|
/* Protection levels */
|
|
|
|
#define DCE_C_AUTHN_LEVEL_NONE 1
|
|
#define DCE_C_AUTHN_LEVEL_CONNECT 2
|
|
#define DCE_C_AUTHN_LEVEL_CALL 3
|
|
#define DCE_C_AUTHN_LEVEL_PKT 4
|
|
#define DCE_C_AUTHN_LEVEL_PKT_INTEGRITY 5
|
|
#define DCE_C_AUTHN_LEVEL_PKT_PRIVACY 6
|
|
|
|
void
|
|
init_ndr_pointer_list(packet_info *pinfo);
|
|
|
|
#endif /* packet-dcerpc.h */
|