SAPSNC: Added SAP SNC as main dissector

This commit is contained in:
Martin Gallo 2022-11-29 13:34:38 +00:00 committed by A Wireshark GitLab Utility
parent 9a19d48736
commit 129ed6d4c4
5 changed files with 361 additions and 3 deletions

View File

@ -78,6 +78,7 @@ SAP Internet Graphic Server (SAP IGS)
SAP Message Server (SAPMS)
SAP Network Interface (SAPNI)
SAP Router (SAPROUTER)
SAP Secure Network Connection (SNC)
World of Warcraft World (WOWW) display filters have been changed to be more internally consistent.
Support for almost all WoW 1.12 messages has been added.
Management Component Transport Protocol (MCTP)

View File

@ -1777,6 +1777,7 @@ set(DISSECTOR_SRC
${CMAKE_CURRENT_SOURCE_DIR}/packet-sapms.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-sapni.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-saprouter.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-sapsnc.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-sasp.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-sbus.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-sbc.c

View File

@ -26,6 +26,7 @@
#include <epan/conversation.h>
#include "packet-sapni.h"
#include "packet-sapsnc.h"
/* Define default ports */
@ -401,12 +402,10 @@ dissect_errorstring(tvbuff_t *tvb, proto_tree *tree, guint32 offset)
static tvbuff_t*
dissect_saprouter_snc_frame(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint32 offset _U_){
/* Call the SNC dissector
* TODO: This will be enabled when the SNC dissector is added
/* Call the SNC dissector */
if (global_saprouter_snc_dissection == TRUE){
return dissect_sapsnc_frame(tvb, pinfo, tree, offset);
}
*/
return NULL;
}

View File

@ -0,0 +1,331 @@
/* packet-sapsnc.c
* Routines for SAP SNC (Secure Network Connection) dissection
* Copyright 2022, Martin Gallo <martin.gallo [AT] gmail.com>
* Code contributed by SecureAuth Corp.
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998 Gerald Combs
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
/*
* This is a basic dissector for the SAP Secure Network Connection protocol. It dissects the basic
* SNC frame fields, and if the QoP (quality of protection) is only set to wrap/seal but not encrypt,
* it can be used to extract the content and further dissect it on an upper layer.
*
* Some details and example requests can be found in pysap's documentation: https://pysap.readthedocs.io/en/latest/protocols/SAPSNC.html.
*/
#include <config.h>
#include <epan/packet.h>
#include <epan/expert.h>
#include "packet-sapsnc.h"
/* SAP SNC Frame Type */
static const value_string sapsnc_frame_type_vals[] = {
{ 0x00, "REVERSE_REQ" },
{ 0x01, "INIT_REQ" },
{ 0x02, "INIT" },
{ 0x03, "INIT_ACK" },
{ 0x04, "ACCEPT" },
{ 0x05, "ACCEPT_ACK" },
{ 0x06, "ACCEPT_FAILED" },
{ 0x07, "DATA_OPEN" },
{ 0x08, "DATA_MIC/DATA_SIGNED" },
{ 0x09, "DATA_WRAP/DATA_SEALED" },
{ 0x0a, "SHUTDOWN" },
{ 0x0b, "SHUTDOWN_MSG" },
{ 0x0c, "REJECTED" },
{ 0x0d, "ERROR" },
{ 0x0e, "UNKNOWN" },
{ 0, NULL }
};
/* SNC Mech ID values */
static const value_string sapsnc_mech_id_vals[] = {
{ 0x00, "No security" },
{ 0x01, "Generic GSS-API v2 Mechanism" },
{ 0x02, "Kerberos 5/GSS-API v2" },
{ 0x03, "Secude 5 GSS-API v2" },
{ 0x04, "SAP's GSS-API v2 over NTLM(SSPI)" },
{ 0x05, "SPKM1 GSS-API v2 library" },
{ 0x06, "SPKM2 GSS-API v2 library" },
{ 0x07, "reserved ID" },
{ 0x08, "itsec" },
{ 0x09, "SDTI Connect Agent" },
{ 0x0a, "AccessMaster DCE" },
{ 0, NULL }
};
/* SNC Quality of protection values */
static const value_string sapsnc_qop_vals[] = {
{ 0x00, "INVALID" },
{ 0x01, "OPEN" },
{ 0x02, "INTEGRITY/SIGNED" },
{ 0x03, "PRIVACY/SEALED" },
{ 0x07, "MIN" },
{ 0x08, "DEFAULT" },
{ 0x09, "MAX" },
{ 0, NULL }
};
static int proto_sapsnc = -1;
/* SNC Frame */
static int hf_sapsnc_frame = -1;
static int hf_sapsnc_eye_catcher = -1;
static int hf_sapsnc_frame_type = -1;
static int hf_sapsnc_protocol_version = -1;
static int hf_sapsnc_header_length = -1;
static int hf_sapsnc_token_length = -1;
static int hf_sapsnc_data_length = -1;
static int hf_sapsnc_mech_id = -1;
static int hf_sapsnc_flags = -1;
static int hf_sapsnc_qop_min = -1;
static int hf_sapsnc_qop_max = -1;
static int hf_sapsnc_qop_use = -1;
static int hf_sapsnc_ext_flags = -1;
static int hf_sapsnc_ext_field_length = -1;
static int hf_sapsnc_ext_field = -1;
static int hf_sapsnc_token = -1;
static int hf_sapsnc_data = -1;
static gint ett_sapsnc = -1;
/* Expert info */
static expert_field ei_sapsnc_invalid_header_length = EI_INIT;
void proto_reg_handoff_sapsnc(void);
void proto_register_sapsnc(void);
/**
* Dissect an SNC Frame. If data it's found for wrapped/signed frames, it
* returns a new TVB buffer with the content. This function can be called
* from any dissector that wants SNC frames to be decoded.
*/
tvbuff_t*
dissect_sapsnc_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset)
{
tvbuff_t *next_tvb = NULL;
guint8 frame_type;
guint32 header_length, ext_field_length, token_length = 0, data_length = 0;
proto_item *sapsnc_frame = NULL, *sapsnc_flags = NULL, *sapsnc_header_length = NULL;
proto_tree *sapsnc_frame_tree = NULL, *sapsnc_flags_tree = NULL;
/* Add the SNC Frame subtree */
sapsnc_frame = proto_tree_add_item(tree, hf_sapsnc_frame, tvb, offset, -1, ENC_NA);
sapsnc_frame_tree = proto_item_add_subtree(sapsnc_frame, ett_sapsnc);
/* Eye catcher */
proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_eye_catcher, tvb, offset, 8, ENC_ASCII|ENC_NA);
offset+=8;
/* Frame type */
frame_type = tvb_get_guint8(tvb, offset);
proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_frame_type, tvb, offset, 1, ENC_BIG_ENDIAN);
offset+=1;
/* Protocol version */
proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_protocol_version, tvb, offset, 1, ENC_BIG_ENDIAN);
offset+=1;
/* Header length */
sapsnc_header_length = proto_tree_add_item_ret_uint(sapsnc_frame_tree, hf_sapsnc_header_length, tvb, offset, 2, ENC_BIG_ENDIAN, &header_length);
/* We subtracts the 10 bytes of the header already processed */
header_length -= 10;
/* Check the header length, it should be at least 24 bytes */
if (header_length < 14){
expert_add_info_format(pinfo, sapsnc_header_length, &ei_sapsnc_invalid_header_length, "Invalid header length %u", header_length);
header_length = 14;
} else if ((guint32)tvb_reported_length_remaining(tvb, offset) < header_length) {
expert_add_info_format(pinfo, sapsnc_header_length, &ei_sapsnc_invalid_header_length, "Invalid captured length %d (reported %u)", tvb_reported_length_remaining(tvb, offset), header_length);
header_length = tvb_reported_length_remaining(tvb, offset);
}
offset+=2;
header_length-=2;
/* Token length */
proto_tree_add_item_ret_uint(sapsnc_frame_tree, hf_sapsnc_token_length, tvb, offset, 4, ENC_BIG_ENDIAN, &token_length);
offset+=4;
header_length-=4;
/* Data length */
proto_tree_add_item_ret_uint(sapsnc_frame_tree, hf_sapsnc_data_length, tvb, offset, 4, ENC_BIG_ENDIAN, &data_length);
offset+=4;
header_length-=4;
/* Mech ID */
proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_mech_id, tvb, offset, 2, ENC_BIG_ENDIAN);
offset+=2;
header_length-=2;
/* Build a tree for the flags */
sapsnc_flags = proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_flags, tvb, offset, 2, ENC_NA);
sapsnc_flags_tree = proto_item_add_subtree(sapsnc_flags, ett_sapsnc);
offset+=1;
header_length-=1; /* Unknown flags (1 byte) */
/* Unknown flag (1 bit) */
proto_tree_add_bits_item(sapsnc_flags_tree, hf_sapsnc_qop_min, tvb, offset*8 + 1, 2, ENC_BIG_ENDIAN);
proto_tree_add_bits_item(sapsnc_flags_tree, hf_sapsnc_qop_max, tvb, offset*8 + 3, 2, ENC_BIG_ENDIAN);
proto_tree_add_bits_item(sapsnc_flags_tree, hf_sapsnc_qop_use, tvb, offset*8 + 5, 2, ENC_BIG_ENDIAN);
/* Unknown flag (1 bit) */
offset+=1;
header_length-=1;
/* If there's header remaining, we add the extra flags, length and fields */
if (header_length >= 6 && tvb_offset_exists(tvb, offset + 6)) {
/* Get the extra flags */
proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_ext_flags, tvb, offset, 4, ENC_NA);
offset+=4;
/* Get the extra field length */
proto_tree_add_item_ret_uint(sapsnc_frame_tree, hf_sapsnc_ext_field_length, tvb, offset, 2, ENC_BIG_ENDIAN, &ext_field_length);
offset+=2;
/* If the extra field length is valid extract those */
if (ext_field_length > 0 && tvb_offset_exists(tvb, offset + ext_field_length)) {
proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_ext_field, tvb, offset, ext_field_length, ENC_NA);
offset+=ext_field_length;
}
}
/* Token */
if (token_length > 0 && tvb_offset_exists(tvb, offset + token_length)) {
proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_token, tvb, offset, token_length, ENC_NA);
offset+=token_length;
}
/* Data */
if (data_length > 0 && tvb_offset_exists(tvb, offset + data_length)) {
proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_data, tvb, offset, data_length, ENC_NA);
/* If the frame contain data being wrapped or sealed, put it into a new tvb for
further dissection of the upper layer */
if ((frame_type == 0x07) || (frame_type == 0x08)) {
next_tvb = tvb_new_subset_remaining(tvb, offset);
}
}
return next_tvb;
}
/**
* Dissects SNC packets
*/
static int
dissect_sapsnc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
/* Add the protocol to the column */
col_add_str(pinfo->cinfo, COL_PROTOCOL, ", SAPSNC");
/* Clear out stuff in the info column */
col_clear(pinfo->cinfo,COL_INFO);
/* Call the SNC frame dissection function */
dissect_sapsnc_frame(tvb, pinfo, tree, 0);
return tvb_reported_length(tvb);
}
void
proto_register_sapsnc(void)
{
static hf_register_info hf[] = {
/* SNC Frame */
{ &hf_sapsnc_frame,
{ "SNC Frame", "sapsnc.frame", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_sapsnc_eye_catcher,
{ "SNC Eye Catcher", "sapsnc.eyecatcher", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_sapsnc_frame_type,
{ "SNC Frame Type", "sapsnc.frame.type", FT_UINT8, BASE_HEX, VALS(sapsnc_frame_type_vals), 0x0, NULL, HFILL }},
{ &hf_sapsnc_protocol_version,
{ "SNC Protocol Version", "sapsnc.frame.protocolversion", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_sapsnc_header_length,
{ "SNC Header length", "sapsnc.frame.header_length", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_sapsnc_token_length,
{ "SNC Token length", "sapsnc.frame.tokenlength", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_sapsnc_data_length,
{ "SNC Data length", "sapsnc.frame.datalength", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_sapsnc_mech_id,
{ "SNC Mech ID", "sapsnc.frame.mech_id", FT_UINT16, BASE_HEX, VALS(sapsnc_mech_id_vals), 0x0, NULL, HFILL }},
{ &hf_sapsnc_flags,
{ "SNC Flags", "sapsnc.frame.flags", FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }},
{ &hf_sapsnc_qop_min,
{ "SNC QOP Min", "sapsnc.frame.qop_min", FT_UINT8, BASE_HEX, VALS(sapsnc_qop_vals), 0x0, NULL, HFILL }},
{ &hf_sapsnc_qop_max,
{ "SNC QOP Max", "sapsnc.frame.qop_max", FT_UINT8, BASE_HEX, VALS(sapsnc_qop_vals), 0x0, NULL, HFILL }},
{ &hf_sapsnc_qop_use,
{ "SNC QOP Use", "sapsnc.frame.qop_use", FT_UINT8, BASE_HEX, VALS(sapsnc_qop_vals), 0x0, NULL, HFILL }},
{ &hf_sapsnc_ext_flags,
{ "SNC Extensions Flags", "sapsnc.frame.ext_flags", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
{ &hf_sapsnc_ext_field_length,
{ "SNC Extensions Field length", "sapsnc.frame.ext_field_length", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_sapsnc_ext_field,
{ "SNC Extensions Field", "sapsnc.frame.ext_field", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_sapsnc_token,
{ "SNC Token", "sapsnc.frame.token", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_sapsnc_data,
{ "SNC Data", "sapsnc.frame.data", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
};
/* Setup protocol subtree array */
static gint *ett[] = {
&ett_sapsnc
};
/* Register the expert info */
static ei_register_info ei[] = {
{ &ei_sapsnc_invalid_header_length, { "sapsnc.frame.header_length_invalid", PI_MALFORMED, PI_WARN, "Invalid header length", EXPFILL }},
};
expert_module_t* sapsnc_expert;
/* Register the protocol */
proto_sapsnc = proto_register_protocol("SAP SNC Protocol", "SAPSNC", "sapsnc");
proto_register_field_array(proto_sapsnc, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
sapsnc_expert = expert_register_protocol(proto_sapsnc);
expert_register_field_array(sapsnc_expert, ei, array_length(ei));
register_dissector("sapsnc", dissect_sapsnc, proto_sapsnc);
}
/**
* Register Hand off for the SAP SNC Protocol
*/
void
proto_reg_handoff_sapsnc(void)
{
static gboolean initialized = FALSE;
if (!initialized) {
create_dissector_handle(dissect_sapsnc, proto_sapsnc);
initialized = TRUE;
}
}
/*
* Editor modelines - https://www.wireshark.org/tools/modelines.html
*
* Local variables:
* c-basic-offset: 8
* tab-width: 8
* indent-tabs-mode: t
* End:
*
* vi: set shiftwidth=8 tabstop=8 noexpandtab:
* :indentSize=8:tabSize=8:noTabs=false:
*/

View File

@ -0,0 +1,26 @@
/* packet-sapsnc.h
* Routines for SAP SNC (Secure Network Connectoin) dissection
* Copyright 2022, Martin Gallo <martin.gallo [AT] gmail.com>
* Code contributed by SecureAuth Corp.
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998 Gerald Combs
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef __PACKET_SAPPSNC_H__
#define __PACKET_SAPPSNC_H__
#include <epan/packet.h>
extern /**
* Dissect an SNC Frame. If data it's found for wrapped/signed frames, it
* returns a new TVB buffer with the content. This function can be called
* from any dissector that wants SNC frames to be decoded.
*/
tvbuff_t*
dissect_sapsnc_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset);
#endif /* __PACKET_SAPPSNC_H__ */