Handle GSS_Wrap header information as well as context-level tokens. A
call to "gssapi_init_oid()" supplies both dissectors for context-level tokens and GSS_Wrap header information; the latter dissector should return the number of bytes of header information, so that if the header information and the message for the protocol that's using GSSAPI are treated as a single blob of data (as is the case with LDAP, but not with DCE RPC, for example), the dissector for the protocol using GSSAPI knows where to start dissecting. We associate a pointer to the entire data structure for the OID, not the handle for context-level token dissector for the OID, with conversations and frames. Make the dissector for NTLMSSP verifiers be the handler for GSS_Wrap stuff for NTLMSSP, and add support for GSS_Wrap stuff for Kerberos. Support SASL GSS-SPNEGO wrapping of LDAP messages. (XXX - this should really check for GSS-SPNEGO.) svn path=/trunk/; revision=6692
This commit is contained in:
parent
094345b492
commit
35eefef60a
111
packet-gssapi.c
111
packet-gssapi.c
|
@ -4,7 +4,7 @@
|
|||
* Copyright 2002, Richard Sharpe <rsharpe@samba.org> Added a few
|
||||
* bits and pieces ...
|
||||
*
|
||||
* $Id: packet-gssapi.c,v 1.24 2002/11/23 06:02:42 guy Exp $
|
||||
* $Id: packet-gssapi.c,v 1.25 2002/11/28 06:48:41 guy Exp $
|
||||
*
|
||||
* Ethereal - Network traffic analyzer
|
||||
* By Gerald Combs <gerald@ethereal.com>
|
||||
|
@ -78,7 +78,7 @@ gssapi_oid_hash(gconstpointer k)
|
|||
|
||||
void
|
||||
gssapi_init_oid(char *oid, int proto, int ett, dissector_handle_t handle,
|
||||
gchar *comment)
|
||||
dissector_handle_t wrap_handle, gchar *comment)
|
||||
{
|
||||
char *key = g_strdup(oid);
|
||||
gssapi_oid_value *value = g_malloc(sizeof(*value));
|
||||
|
@ -86,6 +86,7 @@ gssapi_init_oid(char *oid, int proto, int ett, dissector_handle_t handle,
|
|||
value->proto = proto;
|
||||
value->ett = ett;
|
||||
value->handle = handle;
|
||||
value->wrap_handle = wrap_handle;
|
||||
value->comment = comment;
|
||||
|
||||
g_hash_table_insert(gssapi_oids, key, value);
|
||||
|
@ -142,7 +143,7 @@ dissect_parse_error(tvbuff_t *tvb, int offset, packet_info *pinfo,
|
|||
}
|
||||
}
|
||||
|
||||
static void
|
||||
static int
|
||||
dissect_gssapi_work(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
||||
gboolean is_verifier)
|
||||
{
|
||||
|
@ -150,6 +151,7 @@ dissect_gssapi_work(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
|||
proto_tree *subtree;
|
||||
ASN1_SCK hnd;
|
||||
int ret, offset = 0;
|
||||
volatile int return_offset = 0;
|
||||
gboolean def;
|
||||
guint len1, oid_len, cls, con, tag, nbytes;
|
||||
subid_t *oid;
|
||||
|
@ -158,6 +160,7 @@ dissect_gssapi_work(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
|||
volatile dissector_handle_t handle;
|
||||
conversation_t *volatile conversation;
|
||||
tvbuff_t *oid_tvb;
|
||||
int len;
|
||||
|
||||
/*
|
||||
* We need this later, so lets get it now ...
|
||||
|
@ -194,6 +197,7 @@ dissect_gssapi_work(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
|||
if (ret != ASN1_ERR_NOERROR) {
|
||||
dissect_parse_error(tvb, offset, pinfo, subtree,
|
||||
"GSS-API header", ret);
|
||||
return_offset = tvb_length(tvb);
|
||||
goto done;
|
||||
}
|
||||
|
||||
|
@ -201,24 +205,24 @@ dissect_gssapi_work(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
|||
/*
|
||||
* If we do not recognise an Application class,
|
||||
* then we are probably dealing with an inner context
|
||||
* token, and we should retrieve the dissector from
|
||||
* the per-frame data or, if there is no per-frame data
|
||||
* (as would be the case the first time we dissect this
|
||||
* frame), from the conversation that exists or that we
|
||||
* created from pinfo (and then make it per-frame data).
|
||||
* token or a wrap token, and we should retrieve the
|
||||
* gssapi_oid_value pointer from the per-frame data or,
|
||||
* if there is no per-frame data (as would be the case
|
||||
* the first time we dissect this frame), from the
|
||||
* conversation that exists or that we created from
|
||||
* pinfo (and then make it per-frame data).
|
||||
* We need to make it per-frame data as there can be
|
||||
* more than one GSS-API negotiation in a conversation.
|
||||
*
|
||||
* Note! We "cheat". Since we only need the dissector
|
||||
* handle, we store that as the data. (That's not
|
||||
* really "cheating" - the per-frame data and per-
|
||||
* conversation data code doesn't care what you
|
||||
* supply as a handle; it just treats it as an opaque
|
||||
* pointer, it doesn't dereference it or free what
|
||||
* it points to.)
|
||||
* Note! We "cheat". Since we only need the pointer,
|
||||
* we store that as the data. (That's not really
|
||||
* "cheating" - the per-frame data and per-conversation
|
||||
* data code doesn't care what you supply as a data
|
||||
* pointer; it just treats it as an opaque pointer, it
|
||||
* doesn't dereference it or free what it points to.)
|
||||
*/
|
||||
handle = p_get_proto_data(pinfo->fd, proto_gssapi);
|
||||
if (!handle && !pinfo->fd->flags.visited)
|
||||
value = p_get_proto_data(pinfo->fd, proto_gssapi);
|
||||
if (!value && !pinfo->fd->flags.visited)
|
||||
{
|
||||
/* No handle attached to this frame, but it's the first */
|
||||
/* pass, so it'd be attached to the conversation. */
|
||||
|
@ -226,17 +230,18 @@ dissect_gssapi_work(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
|||
/* and if we get one, attach it to the frame. */
|
||||
if (conversation)
|
||||
{
|
||||
handle = conversation_get_proto_data(conversation,
|
||||
value = conversation_get_proto_data(conversation,
|
||||
proto_gssapi);
|
||||
if (handle)
|
||||
p_add_proto_data(pinfo->fd, proto_gssapi, handle);
|
||||
if (value)
|
||||
p_add_proto_data(pinfo->fd, proto_gssapi, value);
|
||||
}
|
||||
}
|
||||
if (!handle)
|
||||
if (!value)
|
||||
{
|
||||
proto_tree_add_text(subtree, tvb, offset, 0,
|
||||
"Unknown header (cls=%d, con=%d, tag=%d)",
|
||||
cls, con, tag);
|
||||
return_offset = tvb_length(tvb);
|
||||
goto done;
|
||||
}
|
||||
else
|
||||
|
@ -249,7 +254,15 @@ dissect_gssapi_work(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
|||
|
||||
hnd.offset = offset;
|
||||
oid_tvb = tvb_new_subset(tvb, offset, -1, -1);
|
||||
call_dissector(handle, oid_tvb, pinfo, subtree);
|
||||
if (is_verifier)
|
||||
handle = value->wrap_handle;
|
||||
else
|
||||
handle = value->handle;
|
||||
len = call_dissector(handle, oid_tvb, pinfo, subtree);
|
||||
if (len == 0)
|
||||
return_offset = tvb_length(tvb);
|
||||
else
|
||||
return_offset = offset + len;
|
||||
goto done; /* We are finished here */
|
||||
}
|
||||
}
|
||||
|
@ -263,6 +276,7 @@ dissect_gssapi_work(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
|||
if (ret != ASN1_ERR_NOERROR) {
|
||||
dissect_parse_error(tvb, offset, pinfo, subtree,
|
||||
"GSS-API token", ret);
|
||||
return_offset = tvb_length(tvb);
|
||||
goto done;
|
||||
}
|
||||
|
||||
|
@ -288,6 +302,7 @@ dissect_gssapi_work(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
|||
proto_tree_add_text(subtree, tvb, offset, -1,
|
||||
"Token object");
|
||||
|
||||
return_offset = tvb_length(tvb);
|
||||
goto done;
|
||||
}
|
||||
|
||||
|
@ -311,11 +326,9 @@ dissect_gssapi_work(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
|||
oid_subtree = proto_item_add_subtree(sub_item, value->ett);
|
||||
*/
|
||||
|
||||
handle = value->handle;
|
||||
|
||||
/*
|
||||
* Here we should create a conversation if needed and
|
||||
* save the OID and dissector handle in it for the
|
||||
* save a pointer to the data for that OID for the
|
||||
* GSSAPI protocol.
|
||||
*/
|
||||
|
||||
|
@ -335,27 +348,38 @@ dissect_gssapi_work(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
|||
if (!conversation_get_proto_data(conversation,
|
||||
proto_gssapi)) {
|
||||
conversation_add_proto_data(conversation,
|
||||
proto_gssapi, handle);
|
||||
proto_gssapi, value);
|
||||
}
|
||||
|
||||
if (is_verifier) {
|
||||
/*
|
||||
* XXX - these are GSS_Wrap() tokens.
|
||||
* "gssapi_init_oid()" should take an additional
|
||||
* handle for a routine to dissect those tokens.
|
||||
* See, for example, section 1.2.2 of RFC 1964,
|
||||
* which describes what Kerberos GSS_Wrap tokens
|
||||
* look like.
|
||||
*/
|
||||
proto_tree_add_text(subtree, tvb, offset, -1,
|
||||
"Authentication verifier");
|
||||
} else {
|
||||
handle = value->wrap_handle;
|
||||
if (handle != NULL) {
|
||||
oid_tvb = tvb_new_subset(tvb, offset, -1, -1);
|
||||
call_dissector(handle, oid_tvb, pinfo, subtree);
|
||||
len = call_dissector(handle, oid_tvb, pinfo,
|
||||
subtree);
|
||||
if (len == 0)
|
||||
return_offset = tvb_length(tvb);
|
||||
else
|
||||
return_offset = offset + len;
|
||||
} else {
|
||||
proto_tree_add_text(subtree, tvb, offset, -1,
|
||||
"Authentication verifier");
|
||||
return_offset = tvb_length(tvb);
|
||||
}
|
||||
} else {
|
||||
handle = value->handle;
|
||||
if (handle != NULL) {
|
||||
oid_tvb = tvb_new_subset(tvb, offset, -1, -1);
|
||||
len = call_dissector(handle, oid_tvb, pinfo,
|
||||
subtree);
|
||||
if (len == 0)
|
||||
return_offset = tvb_length(tvb);
|
||||
else
|
||||
return_offset = offset + len;
|
||||
} else {
|
||||
proto_tree_add_text(subtree, tvb, offset, -1,
|
||||
"Authentication credentials");
|
||||
return_offset = tvb_length(tvb);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -366,6 +390,9 @@ dissect_gssapi_work(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
|||
} CATCH(ReportedBoundsError) {
|
||||
show_reported_bounds_error(tvb, pinfo, tree);
|
||||
} ENDTRY;
|
||||
|
||||
proto_item_set_len(item, return_offset);
|
||||
return return_offset;
|
||||
}
|
||||
|
||||
static void
|
||||
|
@ -374,10 +401,10 @@ dissect_gssapi(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|||
dissect_gssapi_work(tvb, pinfo, tree, FALSE);
|
||||
}
|
||||
|
||||
static void
|
||||
dissect_gssapi_verf(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
||||
static int
|
||||
dissect_gssapi_wrap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
||||
{
|
||||
dissect_gssapi_work(tvb, pinfo, tree, TRUE);
|
||||
return dissect_gssapi_work(tvb, pinfo, tree, TRUE);
|
||||
}
|
||||
|
||||
void
|
||||
|
@ -401,7 +428,7 @@ proto_register_gssapi(void)
|
|||
proto_register_subtree_array(ett, array_length(ett));
|
||||
|
||||
register_dissector("gssapi", dissect_gssapi, proto_gssapi);
|
||||
register_dissector("gssapi_verf", dissect_gssapi_verf, proto_gssapi);
|
||||
new_register_dissector("gssapi_verf", dissect_gssapi_wrap, proto_gssapi);
|
||||
|
||||
gssapi_oids = g_hash_table_new(gssapi_oid_hash, gssapi_oid_equal);
|
||||
}
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
* Dissector for GSS-API tokens as described in rfc2078, section 3.1
|
||||
* Copyright 2002, Tim Potter <tpot@samba.org>
|
||||
*
|
||||
* $Id: packet-gssapi.h,v 1.7 2002/09/08 01:43:44 guy Exp $
|
||||
* $Id: packet-gssapi.h,v 1.8 2002/11/28 06:48:41 guy Exp $
|
||||
*
|
||||
* Ethereal - Network traffic analyzer
|
||||
* By Gerald Combs <gerald@ethereal.com>
|
||||
|
@ -32,13 +32,15 @@ typedef struct _gssapi_oid_value {
|
|||
int proto;
|
||||
int ett;
|
||||
dissector_handle_t handle;
|
||||
dissector_handle_t wrap_handle;
|
||||
gchar *comment; /* For the comment */
|
||||
} gssapi_oid_value;
|
||||
|
||||
/* Function prototypes */
|
||||
|
||||
void
|
||||
gssapi_init_oid(char *oid, int proto, int ett, dissector_handle_t handle, gchar *comment);
|
||||
gssapi_init_oid(char *oid, int proto, int ett, dissector_handle_t handle,
|
||||
dissector_handle_t wrap_handle, gchar *comment);
|
||||
|
||||
gssapi_oid_value *
|
||||
gssapi_lookup_oid(subid_t *oid, guint oid_len);
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
*
|
||||
* See RFC 1777 (LDAP v2), RFC 2251 (LDAP v3), and RFC 2222 (SASL).
|
||||
*
|
||||
* $Id: packet-ldap.c,v 1.50 2002/11/27 04:59:56 guy Exp $
|
||||
* $Id: packet-ldap.c,v 1.51 2002/11/28 06:48:41 guy Exp $
|
||||
*
|
||||
* Ethereal - Network traffic analyzer
|
||||
* By Gerald Combs <gerald@ethereal.com>
|
||||
|
@ -126,6 +126,7 @@ static gboolean ldap_desegment = TRUE;
|
|||
#define UDP_PORT_CLDAP 389
|
||||
|
||||
static dissector_handle_t gssapi_handle;
|
||||
static dissector_handle_t gssapi_wrap_handle;
|
||||
|
||||
/*
|
||||
* Data structure attached to a conversation, giving authentication
|
||||
|
@ -753,7 +754,7 @@ static int parse_filter(ASN1_SCK *a, char **filter, guint *filter_length,
|
|||
if (a->offset == *end)
|
||||
return -1;
|
||||
else
|
||||
return ret;
|
||||
return ASN1_ERR_NOERROR;
|
||||
}
|
||||
|
||||
static gboolean read_filter(ASN1_SCK *a, proto_tree *tree, int hf_id)
|
||||
|
@ -1596,7 +1597,7 @@ static void
|
|||
dissect_ldap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
||||
{
|
||||
int offset = 0;
|
||||
gboolean first_time = FALSE;
|
||||
gboolean first_time = TRUE;
|
||||
conversation_t *conversation;
|
||||
ldap_auth_info_t *auth_info;
|
||||
gboolean doing_sasl_security = FALSE;
|
||||
|
@ -1604,13 +1605,17 @@ dissect_ldap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|||
guint32 sasl_length;
|
||||
guint32 message_data_len;
|
||||
proto_item *ti;
|
||||
proto_tree *ldap_tree;
|
||||
proto_tree *ldap_tree = NULL;
|
||||
ASN1_SCK a;
|
||||
int ret;
|
||||
guint messageLength;
|
||||
int messageOffset;
|
||||
guint headerLength;
|
||||
guint length;
|
||||
gint available_length, reported_length;
|
||||
int len;
|
||||
proto_item *gitem = NULL;
|
||||
proto_tree *gtree = NULL;
|
||||
tvbuff_t *next_tvb;
|
||||
|
||||
/*
|
||||
|
@ -1760,11 +1765,6 @@ dissect_ldap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|||
col_clear(pinfo->cinfo, COL_INFO);
|
||||
}
|
||||
|
||||
/*
|
||||
* XXX - for now, just show the SASL length and payload; we
|
||||
* eventually should show the GSS-API GSS_Wrap token and
|
||||
* dissect the stuff after it as an LDAP message.
|
||||
*/
|
||||
if (tree)
|
||||
{
|
||||
ti = proto_tree_add_item(tree, proto_ldap, next_tvb, 0, -1, FALSE);
|
||||
|
@ -1772,8 +1772,38 @@ dissect_ldap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|||
|
||||
proto_tree_add_uint(ldap_tree, hf_ldap_sasl_buffer_length, tvb, 0, 4,
|
||||
sasl_length);
|
||||
proto_tree_add_text(ldap_tree, tvb, 4, -1, "SASL buffer");
|
||||
}
|
||||
|
||||
/*
|
||||
* Now dissect the GSS_Wrap() token; it'll return the length of
|
||||
* the token, from which we compute the offset in the tvbuff at
|
||||
* which the plaintext data, i.e. the LDAP message, begins.
|
||||
*/
|
||||
available_length = tvb_length_remaining(tvb, 4);
|
||||
reported_length = tvb_reported_length_remaining(tvb, 4);
|
||||
g_assert(available_length >= 0);
|
||||
g_assert(reported_length >= 0);
|
||||
if (available_length > reported_length)
|
||||
available_length = reported_length;
|
||||
if ((guint)available_length > sasl_length - 4)
|
||||
available_length = sasl_length - 4;
|
||||
if ((guint)reported_length > sasl_length - 4)
|
||||
reported_length = sasl_length - 4;
|
||||
next_tvb = tvb_new_subset(tvb, 4, available_length, reported_length);
|
||||
if (tree)
|
||||
{
|
||||
gitem = proto_tree_add_text(ldap_tree, next_tvb, 0, -1, "GSS-API Token");
|
||||
gtree = proto_item_add_subtree(gitem, ett_ldap_gssapi_token);
|
||||
}
|
||||
len = call_dissector(gssapi_wrap_handle, next_tvb, pinfo, gtree);
|
||||
g_assert(len != 0); /* GSS_Wrap() dissectors can't reject data */
|
||||
if (gitem != NULL)
|
||||
proto_item_set_len(gitem, len);
|
||||
|
||||
/*
|
||||
* Now dissect the LDAP message.
|
||||
*/
|
||||
dissect_ldap_message(tvb, 4 + len, pinfo, ldap_tree, first_time);
|
||||
offset += message_data_len;
|
||||
} else {
|
||||
/*
|
||||
|
@ -2178,4 +2208,5 @@ proto_reg_handoff_ldap(void)
|
|||
dissector_add("udp.port", UDP_PORT_CLDAP, ldap_handle);
|
||||
|
||||
gssapi_handle = find_dissector("gssapi");
|
||||
gssapi_wrap_handle = find_dissector("gssapi_verf");
|
||||
}
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
* Routines for NTLM Secure Service Provider
|
||||
* Devin Heitmueller <dheitmueller@netilla.com>
|
||||
*
|
||||
* $Id: packet-ntlmssp.c,v 1.31 2002/11/10 09:38:22 guy Exp $
|
||||
* $Id: packet-ntlmssp.c,v 1.32 2002/11/28 06:48:42 guy Exp $
|
||||
*
|
||||
* Ethereal - Network traffic analyzer
|
||||
* By Gerald Combs <gerald@ethereal.com>
|
||||
|
@ -770,7 +770,7 @@ dissect_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|||
/*
|
||||
* See page 45 of "DCE/RPC over SMB" by Luke Kenneth Casson Leighton.
|
||||
*/
|
||||
static void
|
||||
static int
|
||||
dissect_ntlmssp_verf(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
||||
{
|
||||
volatile int offset = 0;
|
||||
|
@ -814,6 +814,8 @@ dissect_ntlmssp_verf(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|||
} CATCH(ReportedBoundsError) {
|
||||
show_reported_bounds_error(tvb, pinfo, tree);
|
||||
} ENDTRY;
|
||||
|
||||
return offset;
|
||||
}
|
||||
|
||||
static void
|
||||
|
@ -996,17 +998,19 @@ proto_register_ntlmssp(void)
|
|||
register_init_routine(&ntlmssp_init_protocol);
|
||||
|
||||
register_dissector("ntlmssp", dissect_ntlmssp, proto_ntlmssp);
|
||||
register_dissector("ntlmssp_verf", dissect_ntlmssp_verf, proto_ntlmssp);
|
||||
new_register_dissector("ntlmssp_verf", dissect_ntlmssp_verf, proto_ntlmssp);
|
||||
}
|
||||
|
||||
void
|
||||
proto_reg_handoff_ntlmssp(void)
|
||||
{
|
||||
dissector_handle_t ntlmssp_handle;
|
||||
dissector_handle_t ntlmssp_handle, ntlmssp_wrap_handle;
|
||||
|
||||
/* Register protocol with the GSS-API module */
|
||||
|
||||
ntlmssp_handle = find_dissector("ntlmssp");
|
||||
ntlmssp_wrap_handle = find_dissector("ntlmssp_verf");
|
||||
gssapi_init_oid("1.3.6.1.4.1.311.2.2.10", proto_ntlmssp, ett_ntlmssp,
|
||||
ntlmssp_handle, "NTLMSSP - Microsoft NTLM Security Support Provider");
|
||||
ntlmssp_handle, ntlmssp_wrap_handle,
|
||||
"NTLMSSP - Microsoft NTLM Security Support Provider");
|
||||
}
|
||||
|
|
386
packet-spnego.c
386
packet-spnego.c
|
@ -4,7 +4,7 @@
|
|||
* Copyright 2002, Tim Potter <tpot@samba.org>
|
||||
* Copyright 2002, Richard Sharpe <rsharpe@ns.aus.com>
|
||||
*
|
||||
* $Id: packet-spnego.c,v 1.38 2002/11/07 05:25:37 guy Exp $
|
||||
* $Id: packet-spnego.c,v 1.39 2002/11/28 06:48:42 guy Exp $
|
||||
*
|
||||
* Ethereal - Network traffic analyzer
|
||||
* By Gerald Combs <gerald@ethereal.com>
|
||||
|
@ -67,8 +67,14 @@ static int hf_spnego_negtokentarg_negresult = -1;
|
|||
static int hf_spnego_mechlistmic = -1;
|
||||
static int hf_spnego_responsetoken = -1;
|
||||
static int hf_spnego_reqflags = -1;
|
||||
static int hf_spnego_wraptoken = -1;
|
||||
static int hf_spnego_krb5 = -1;
|
||||
static int hf_spnego_krb5_tok_id = -1;
|
||||
static int hf_spnego_krb5_sgn_alg = -1;
|
||||
static int hf_spnego_krb5_seal_alg = -1;
|
||||
static int hf_spnego_krb5_snd_seq = -1;
|
||||
static int hf_spnego_krb5_sgn_cksum = -1;
|
||||
static int hf_spnego_krb5_confounder = -1;
|
||||
|
||||
static gint ett_spnego = -1;
|
||||
static gint ett_spnego_negtokeninit = -1;
|
||||
|
@ -77,6 +83,7 @@ static gint ett_spnego_mechtype = -1;
|
|||
static gint ett_spnego_mechtoken = -1;
|
||||
static gint ett_spnego_mechlistmic = -1;
|
||||
static gint ett_spnego_responsetoken = -1;
|
||||
static gint ett_spnego_wraptoken = -1;
|
||||
static gint ett_spnego_krb5 = -1;
|
||||
|
||||
static const value_string spnego_negResult_vals[] = {
|
||||
|
@ -112,19 +119,57 @@ dissect_parse_error(tvbuff_t *tvb, int offset, packet_info *pinfo,
|
|||
* by the looks of it.
|
||||
*/
|
||||
|
||||
#define KRB_TOKEN_AP_REQ 0x0001
|
||||
#define KRB_TOKEN_AP_REP 0x0002
|
||||
#define KRB_TOKEN_AP_ERR 0x0003
|
||||
#define KRB_TOKEN_AP_REQ 0x0001
|
||||
#define KRB_TOKEN_AP_REP 0x0002
|
||||
#define KRB_TOKEN_AP_ERR 0x0003
|
||||
#define KRB_TOKEN_AP_ERR 0x0003
|
||||
#define KRB_TOKEN_GETMIC 0x0101
|
||||
#define KRB_TOKEN_WRAP 0x0102
|
||||
#define KRB_TOKEN_DELETE_SEC_CONTEXT 0x0201
|
||||
|
||||
static const value_string spnego_krb5_tok_id_vals[] = {
|
||||
{ KRB_TOKEN_AP_REQ, "KRB5_AP_REQ"},
|
||||
{ KRB_TOKEN_AP_REP, "KRB5_AP_REP"},
|
||||
{ KRB_TOKEN_AP_ERR, "KRB5_ERROR"},
|
||||
{ KRB_TOKEN_AP_REQ, "KRB5_AP_REQ"},
|
||||
{ KRB_TOKEN_AP_REP, "KRB5_AP_REP"},
|
||||
{ KRB_TOKEN_AP_ERR, "KRB5_ERROR"},
|
||||
{ KRB_TOKEN_GETMIC, "KRB5_GSS_GetMIC" },
|
||||
{ KRB_TOKEN_WRAP, "KRB5_GSS_Wrap" },
|
||||
{ KRB_TOKEN_DELETE_SEC_CONTEXT, "KRB5_GSS_Delete_sec_context" },
|
||||
{ 0, NULL}
|
||||
};
|
||||
|
||||
#define KRB_SGN_ALG_DES_MAC_MD5 0x0000
|
||||
#define KRB_SGN_ALG_MD2_5 0x0001
|
||||
#define KRB_SGN_ALG_DES_MAC 0x0002
|
||||
#define KRB_SGN_ALG_HMAC 0x0011
|
||||
|
||||
static const value_string spnego_krb5_sgn_alg_vals[] = {
|
||||
{ KRB_SGN_ALG_DES_MAC_MD5, "DES MAC MD5"},
|
||||
{ KRB_SGN_ALG_MD2_5, "MD2.5"},
|
||||
{ KRB_SGN_ALG_DES_MAC, "DES MAC"},
|
||||
{ KRB_SGN_ALG_HMAC, "HMAC"},
|
||||
{ 0, NULL}
|
||||
};
|
||||
|
||||
#define KRB_SEAL_ALG_DES_CBC 0x0000
|
||||
#define KRB_SEAL_ALG_RC4 0x0010
|
||||
#define KRB_SEAL_ALG_NONE 0xffff
|
||||
|
||||
static const value_string spnego_krb5_seal_alg_vals[] = {
|
||||
{ KRB_SEAL_ALG_DES_CBC, "DES CBC"},
|
||||
{ KRB_SEAL_ALG_RC4, "RC4"},
|
||||
{ KRB_SEAL_ALG_NONE, "None"},
|
||||
{ 0, NULL}
|
||||
};
|
||||
|
||||
/*
|
||||
* XXX - is this for SPNEGO or just GSS-API?
|
||||
* RFC 1964 is "The Kerberos Version 5 GSS-API Mechanism"; presumably one
|
||||
* can directly designate Kerberos V5 as a mechanism in GSS-API, rather
|
||||
* than designating SPNEGO as the mechanism, offering Kerberos V5, and
|
||||
* getting it accepted.
|
||||
*/
|
||||
static void
|
||||
dissect_spnego_krb5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree)
|
||||
dissect_spnego_krb5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
||||
{
|
||||
proto_item *item;
|
||||
proto_tree *subtree;
|
||||
|
@ -263,12 +308,99 @@ dissect_spnego_krb5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree)
|
|||
return;
|
||||
}
|
||||
|
||||
/*
|
||||
* XXX - is this for SPNEGO or just GSS-API?
|
||||
* RFC 1964 is "The Kerberos Version 5 GSS-API Mechanism"; presumably one
|
||||
* can directly designate Kerberos V5 as a mechanism in GSS-API, rather
|
||||
* than designating SPNEGO as the mechanism, offering Kerberos V5, and
|
||||
* getting it accepted.
|
||||
*/
|
||||
static int
|
||||
dissect_spnego_krb5_wrap(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree)
|
||||
{
|
||||
proto_item *item;
|
||||
proto_tree *subtree;
|
||||
int offset = 0;
|
||||
guint16 sgn_alg;
|
||||
|
||||
item = proto_tree_add_item(tree, hf_spnego_krb5, tvb, 0, -1, FALSE);
|
||||
|
||||
subtree = proto_item_add_subtree(item, ett_spnego_krb5);
|
||||
|
||||
/*
|
||||
* The KRB5 blob conforms to RFC1964:
|
||||
* USHORT (0x0102 == GSS_Wrap)
|
||||
* and so on }
|
||||
*/
|
||||
|
||||
/* First, the token ID ... */
|
||||
|
||||
proto_tree_add_item(subtree, hf_spnego_krb5_tok_id, tvb, offset, 2,
|
||||
TRUE);
|
||||
|
||||
offset += 2;
|
||||
|
||||
/* Now, the sign and seal algorithms ... */
|
||||
|
||||
sgn_alg = tvb_get_letohs(tvb, offset);
|
||||
proto_tree_add_uint(subtree, hf_spnego_krb5_sgn_alg, tvb, offset, 2,
|
||||
sgn_alg);
|
||||
|
||||
offset += 2;
|
||||
|
||||
proto_tree_add_item(subtree, hf_spnego_krb5_seal_alg, tvb, offset, 2,
|
||||
TRUE);
|
||||
|
||||
offset += 2;
|
||||
|
||||
/* Skip the filler */
|
||||
|
||||
offset += 2;
|
||||
|
||||
/* Encrypted sequence number */
|
||||
|
||||
proto_tree_add_item(subtree, hf_spnego_krb5_snd_seq, tvb, offset, 8,
|
||||
TRUE);
|
||||
|
||||
offset += 8;
|
||||
|
||||
/* Checksum of plaintext padded data */
|
||||
|
||||
proto_tree_add_item(subtree, hf_spnego_krb5_sgn_cksum, tvb, offset, 8,
|
||||
TRUE);
|
||||
|
||||
offset += 8;
|
||||
|
||||
/*
|
||||
* At least according to draft-brezak-win2k-krb-rc4-hmac-04,
|
||||
* if the signing algorithm is KRB_SGN_ALG_HMAC, there's an
|
||||
* extra 8 bytes of "Random confounder" after the checksum.
|
||||
* It certainly confounds code expecting all Kerberos 5
|
||||
* GSS_Wrap() tokens to look the same....
|
||||
*/
|
||||
if (sgn_alg == KRB_SGN_ALG_HMAC) {
|
||||
proto_tree_add_item(subtree, hf_spnego_krb5_confounder, tvb, offset, 8,
|
||||
TRUE);
|
||||
|
||||
offset += 8;
|
||||
}
|
||||
|
||||
/*
|
||||
* Return the offset past the checksum, so that we know where
|
||||
* the data we're wrapped around starts. Also, set the length
|
||||
* of our top-level item to that offset, so it doesn't cover
|
||||
* the data we're wrapped around.
|
||||
*/
|
||||
proto_item_set_len(item, offset);
|
||||
return offset;
|
||||
}
|
||||
|
||||
/* Spnego stuff from here */
|
||||
|
||||
static int
|
||||
dissect_spnego_mechTypes(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
|
||||
dissect_spnego_mechTypes(tvbuff_t *tvb, int offset, packet_info *pinfo,
|
||||
proto_tree *tree, ASN1_SCK *hnd,
|
||||
dissector_handle_t *next_level_dissector_p)
|
||||
gssapi_oid_value **next_level_value_p)
|
||||
{
|
||||
proto_item *item = NULL;
|
||||
proto_tree *subtree = NULL;
|
||||
|
@ -344,7 +476,7 @@ dissect_spnego_mechTypes(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
|
|||
*/
|
||||
if (!saw_mechanism) {
|
||||
if (value)
|
||||
*next_level_dissector_p = value->handle;
|
||||
*next_level_value_p = value;
|
||||
saw_mechanism = TRUE;
|
||||
}
|
||||
|
||||
|
@ -530,7 +662,7 @@ dissect_spnego_mechListMIC(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
|
|||
static int
|
||||
dissect_spnego_negTokenInit(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
|
||||
proto_tree *tree, ASN1_SCK *hnd,
|
||||
dissector_handle_t *next_level_dissector_p)
|
||||
gssapi_oid_value **next_level_value_p)
|
||||
{
|
||||
proto_item *item;
|
||||
proto_tree *subtree;
|
||||
|
@ -602,7 +734,7 @@ dissect_spnego_negTokenInit(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
|
|||
|
||||
offset = dissect_spnego_mechTypes(tvb, offset, pinfo,
|
||||
subtree, hnd,
|
||||
next_level_dissector_p);
|
||||
next_level_value_p);
|
||||
|
||||
break;
|
||||
|
||||
|
@ -615,13 +747,13 @@ dissect_spnego_negTokenInit(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
|
|||
case SPNEGO_mechToken:
|
||||
|
||||
offset = dissect_spnego_mechToken(tvb, offset, pinfo, subtree,
|
||||
hnd, *next_level_dissector_p);
|
||||
hnd, (*next_level_value_p)->handle);
|
||||
break;
|
||||
|
||||
case SPNEGO_mechListMIC:
|
||||
|
||||
offset = dissect_spnego_mechListMIC(tvb, offset, pinfo, subtree,
|
||||
hnd, *next_level_dissector_p);
|
||||
hnd, (*next_level_value_p)->handle);
|
||||
break;
|
||||
|
||||
default:
|
||||
|
@ -686,7 +818,7 @@ dissect_spnego_negResult(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
|
|||
static int
|
||||
dissect_spnego_supportedMech(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
|
||||
proto_tree *tree, ASN1_SCK *hnd,
|
||||
dissector_handle_t *next_level_dissector_p)
|
||||
gssapi_oid_value **next_level_value_p)
|
||||
{
|
||||
int ret;
|
||||
guint oid_len, nbytes;
|
||||
|
@ -727,7 +859,7 @@ dissect_spnego_supportedMech(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
|
|||
/* Should check for an unrecognized OID ... */
|
||||
|
||||
if (value)
|
||||
*next_level_dissector_p = value->handle;
|
||||
*next_level_value_p = value;
|
||||
|
||||
/*
|
||||
* Now, we need to save this in per proto info in the
|
||||
|
@ -745,7 +877,7 @@ dissect_spnego_supportedMech(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
|
|||
|
||||
|
||||
conversation_add_proto_data(conversation, proto_spnego,
|
||||
*next_level_dissector_p);
|
||||
*next_level_value_p);
|
||||
}
|
||||
else {
|
||||
|
||||
|
@ -807,7 +939,7 @@ dissect_spnego_responseToken(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
|
|||
static int
|
||||
dissect_spnego_negTokenTarg(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
|
||||
proto_tree *tree, ASN1_SCK *hnd,
|
||||
dissector_handle_t *next_level_dissector_p)
|
||||
gssapi_oid_value **next_level_value_p)
|
||||
|
||||
{
|
||||
proto_item *item;
|
||||
|
@ -888,20 +1020,20 @@ dissect_spnego_negTokenTarg(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
|
|||
case SPNEGO_supportedMech:
|
||||
|
||||
offset = dissect_spnego_supportedMech(tvb, offset, pinfo, subtree,
|
||||
hnd, next_level_dissector_p);
|
||||
hnd, next_level_value_p);
|
||||
|
||||
break;
|
||||
|
||||
case SPNEGO_responseToken:
|
||||
|
||||
offset = dissect_spnego_responseToken(tvb, offset, pinfo, subtree,
|
||||
hnd, *next_level_dissector_p);
|
||||
hnd, (*next_level_value_p)->handle);
|
||||
break;
|
||||
|
||||
case SPNEGO_mechListMIC:
|
||||
|
||||
offset = dissect_spnego_mechListMIC(tvb, offset, pinfo, subtree,
|
||||
hnd, *next_level_dissector_p);
|
||||
hnd, (*next_level_value_p)->handle);
|
||||
break;
|
||||
|
||||
default:
|
||||
|
@ -928,7 +1060,7 @@ dissect_spnego(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|||
gboolean def;
|
||||
guint len1, cls, con, tag;
|
||||
conversation_t *conversation;
|
||||
dissector_handle_t next_level_dissector;
|
||||
gssapi_oid_value *next_level_value;
|
||||
|
||||
/*
|
||||
* We need this later, so lets get it now ...
|
||||
|
@ -936,8 +1068,8 @@ dissect_spnego(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|||
* negotiation in a conversation.
|
||||
*/
|
||||
|
||||
next_level_dissector = p_get_proto_data(pinfo->fd, proto_spnego);
|
||||
if (!next_level_dissector && !pinfo->fd->flags.visited) {
|
||||
next_level_value = p_get_proto_data(pinfo->fd, proto_spnego);
|
||||
if (!next_level_value && !pinfo->fd->flags.visited) {
|
||||
/*
|
||||
* No handle attached to this frame, but it's the first
|
||||
* pass, so it'd be attached to the conversation.
|
||||
|
@ -949,10 +1081,10 @@ dissect_spnego(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|||
pinfo->destport, 0);
|
||||
|
||||
if (conversation) {
|
||||
next_level_dissector = conversation_get_proto_data(conversation,
|
||||
proto_spnego);
|
||||
if (next_level_dissector)
|
||||
p_add_proto_data(pinfo->fd, proto_spnego, next_level_dissector);
|
||||
next_level_value = conversation_get_proto_data(conversation,
|
||||
proto_spnego);
|
||||
if (next_level_value)
|
||||
p_add_proto_data(pinfo->fd, proto_spnego, next_level_value);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1023,7 +1155,7 @@ dissect_spnego(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|||
|
||||
offset = dissect_spnego_negTokenInit(tvb, offset, pinfo,
|
||||
subtree, &hnd,
|
||||
&next_level_dissector);
|
||||
&next_level_value);
|
||||
|
||||
break;
|
||||
|
||||
|
@ -1031,7 +1163,7 @@ dissect_spnego(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|||
|
||||
offset = dissect_spnego_negTokenTarg(tvb, offset, pinfo,
|
||||
subtree, &hnd,
|
||||
&next_level_dissector);
|
||||
&next_level_value);
|
||||
break;
|
||||
|
||||
default: /* Broken, what to do? */
|
||||
|
@ -1045,6 +1177,154 @@ dissect_spnego(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|||
|
||||
}
|
||||
|
||||
static int
|
||||
dissect_spnego_wrap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
||||
{
|
||||
proto_item *item;
|
||||
proto_tree *subtree;
|
||||
int ret, offset = 0;
|
||||
int return_offset;
|
||||
ASN1_SCK hnd;
|
||||
gboolean def;
|
||||
guint len1, cls, con, tag, nbytes;
|
||||
guint oid_len;
|
||||
subid_t *oid;
|
||||
gchar *oid_string;
|
||||
conversation_t *conversation;
|
||||
gssapi_oid_value *next_level_value;
|
||||
tvbuff_t *token_tvb;
|
||||
int len;
|
||||
|
||||
/*
|
||||
* We need this later, so lets get it now ...
|
||||
* It has to be per-frame as there can be more than one GSS-API
|
||||
* negotiation in a conversation.
|
||||
*/
|
||||
|
||||
next_level_value = p_get_proto_data(pinfo->fd, proto_spnego);
|
||||
if (!next_level_value && !pinfo->fd->flags.visited) {
|
||||
/*
|
||||
* No handle attached to this frame, but it's the first
|
||||
* pass, so it'd be attached to the conversation.
|
||||
* If we have a conversation, try to get the handle,
|
||||
* and if we get one, attach it to the frame.
|
||||
*/
|
||||
conversation = find_conversation(&pinfo->src, &pinfo->dst,
|
||||
pinfo->ptype, pinfo->srcport,
|
||||
pinfo->destport, 0);
|
||||
|
||||
if (conversation) {
|
||||
next_level_value = conversation_get_proto_data(conversation,
|
||||
proto_spnego);
|
||||
if (next_level_value)
|
||||
p_add_proto_data(pinfo->fd, proto_spnego, next_level_value);
|
||||
}
|
||||
}
|
||||
|
||||
item = proto_tree_add_item(tree, hf_spnego, tvb, offset,
|
||||
-1, FALSE);
|
||||
|
||||
subtree = proto_item_add_subtree(item, ett_spnego);
|
||||
|
||||
/*
|
||||
* The TVB contains a [0] header and a sequence that consists of an
|
||||
* object ID and a blob containing the data ...
|
||||
* XXX - is this RFC 2743's "Mechanism-Independent Token Format",
|
||||
* with the "optional" "use in non-initial tokens" being chosen.
|
||||
*/
|
||||
|
||||
asn1_open(&hnd, tvb, offset);
|
||||
|
||||
/*
|
||||
* Get the first header ...
|
||||
*/
|
||||
|
||||
ret = asn1_header_decode(&hnd, &cls, &con, &tag, &def, &len1);
|
||||
|
||||
if (ret != ASN1_ERR_NOERROR) {
|
||||
dissect_parse_error(tvb, offset, pinfo, subtree,
|
||||
"SPNEGO context header", ret);
|
||||
return_offset = tvb_length(tvb);
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (!(cls == ASN1_APL && con == ASN1_CON && tag == 0)) {
|
||||
proto_tree_add_text(
|
||||
subtree, tvb, offset, 0,
|
||||
"Unknown header (cls=%d, con=%d, tag=%d)",
|
||||
cls, con, tag);
|
||||
return_offset = tvb_length(tvb);
|
||||
goto done;
|
||||
}
|
||||
|
||||
offset = hnd.offset;
|
||||
|
||||
/*
|
||||
* Get the OID, and find the handle, if any
|
||||
*/
|
||||
|
||||
ret = asn1_oid_decode(&hnd, &oid, &oid_len, &nbytes);
|
||||
|
||||
if (ret != ASN1_ERR_NOERROR) {
|
||||
dissect_parse_error(tvb, offset, pinfo, tree,
|
||||
"SPNEGO wrap token", ret);
|
||||
return_offset = tvb_length(tvb);
|
||||
goto done;
|
||||
}
|
||||
|
||||
oid_string = format_oid(oid, oid_len);
|
||||
next_level_value = gssapi_lookup_oid(oid, oid_len);
|
||||
|
||||
/*
|
||||
* XXX - what should we do if this doesn't match the value
|
||||
* attached to the frame or conversation? (That would be
|
||||
* bogus, but that's not impossible - some broken implementation
|
||||
* might negotiate some security mechanism but put the OID
|
||||
* for some other security mechanism in GSS_Wrap tokens.)
|
||||
*/
|
||||
if (next_level_value)
|
||||
proto_tree_add_text(tree, tvb, offset, nbytes,
|
||||
"thisMech: %s (%s)",
|
||||
oid_string, next_level_value->comment);
|
||||
else
|
||||
proto_tree_add_text(tree, tvb, offset, nbytes, "thisMech: %s",
|
||||
oid_string);
|
||||
|
||||
g_free(oid_string);
|
||||
|
||||
offset += nbytes;
|
||||
|
||||
/*
|
||||
* Now dissect the GSS_Wrap token; it's assumed to be in the
|
||||
* rest of the tvbuff.
|
||||
*/
|
||||
item = proto_tree_add_item(tree, hf_spnego_wraptoken, tvb, offset,
|
||||
-1, FALSE);
|
||||
|
||||
subtree = proto_item_add_subtree(item, ett_spnego_wraptoken);
|
||||
|
||||
/*
|
||||
* Now, we should be able to dispatch after creating a new TVB.
|
||||
* The subdissector must return the length of the part of the
|
||||
* token it dissected, so we can return the length of the part
|
||||
* we (and it) dissected.
|
||||
*/
|
||||
|
||||
token_tvb = tvb_new_subset(tvb, offset, -1, -1);
|
||||
if (next_level_value->wrap_handle) {
|
||||
len = call_dissector(next_level_value->wrap_handle, token_tvb, pinfo, subtree);
|
||||
if (len == 0)
|
||||
return_offset = tvb_length(tvb);
|
||||
else
|
||||
return_offset = offset + len;
|
||||
} else
|
||||
return_offset = tvb_length(tvb);
|
||||
done:
|
||||
asn1_close(&hnd, &offset);
|
||||
|
||||
return return_offset;
|
||||
}
|
||||
|
||||
void
|
||||
proto_register_spnego(void)
|
||||
{
|
||||
|
@ -1077,12 +1357,31 @@ proto_register_spnego(void)
|
|||
{ &hf_spnego_reqflags,
|
||||
{ "reqFlags", "spnego.negtokeninit.reqflags", FT_BYTES,
|
||||
BASE_HEX, NULL, 0, "reqFlags", HFILL }},
|
||||
{ &hf_spnego_wraptoken,
|
||||
{ "wrapToken", "spnego.wraptoken",
|
||||
FT_NONE, BASE_NONE, NULL, 0x0, "SPNEGO wrapToken",
|
||||
HFILL}},
|
||||
{ &hf_spnego_krb5,
|
||||
{ "krb5_blob", "spnego.krb5.blob", FT_BYTES,
|
||||
BASE_HEX, NULL, 0, "krb5_blob", HFILL }},
|
||||
BASE_NONE, NULL, 0, "krb5_blob", HFILL }},
|
||||
{ &hf_spnego_krb5_tok_id,
|
||||
{ "krb5_tok_id", "spnego.krb5.tok_id", FT_UINT16, BASE_HEX,
|
||||
VALS(spnego_krb5_tok_id_vals), 0, "KRB5 Token Ids", HFILL}},
|
||||
VALS(spnego_krb5_tok_id_vals), 0, "KRB5 Token Id", HFILL}},
|
||||
{ &hf_spnego_krb5_sgn_alg,
|
||||
{ "krb5_sgn_alg", "spnego.krb5.sgn_alg", FT_UINT16, BASE_HEX,
|
||||
VALS(spnego_krb5_sgn_alg_vals), 0, "KRB5 Signing Algorithm", HFILL}},
|
||||
{ &hf_spnego_krb5_seal_alg,
|
||||
{ "krb5_seal_alg", "spnego.krb5.seal_alg", FT_UINT16, BASE_HEX,
|
||||
VALS(spnego_krb5_seal_alg_vals), 0, "KRB5 Sealing Algorithm", HFILL}},
|
||||
{ &hf_spnego_krb5_snd_seq,
|
||||
{ "krb5_snd_seq", "spnego.krb5.snd_seq", FT_BYTES, BASE_NONE,
|
||||
NULL, 0, "KRB5 Encrypted Sequence Number", HFILL}},
|
||||
{ &hf_spnego_krb5_sgn_cksum,
|
||||
{ "krb5_sgn_cksum", "spnego.krb5.sgn_cksum", FT_BYTES, BASE_NONE,
|
||||
NULL, 0, "KRB5 Data Checksum", HFILL}},
|
||||
{ &hf_spnego_krb5_confounder,
|
||||
{ "krb5_confounder", "spnego.krb5.confounder", FT_BYTES, BASE_NONE,
|
||||
NULL, 0, "KRB5 Confounder", HFILL}},
|
||||
};
|
||||
|
||||
static gint *ett[] = {
|
||||
|
@ -1093,6 +1392,7 @@ proto_register_spnego(void)
|
|||
&ett_spnego_mechtoken,
|
||||
&ett_spnego_mechlistmic,
|
||||
&ett_spnego_responsetoken,
|
||||
&ett_spnego_wraptoken,
|
||||
&ett_spnego_krb5,
|
||||
};
|
||||
|
||||
|
@ -1109,19 +1409,27 @@ proto_register_spnego(void)
|
|||
void
|
||||
proto_reg_handoff_spnego(void)
|
||||
{
|
||||
dissector_handle_t spnego_handle, spnego_krb5_handle;
|
||||
dissector_handle_t spnego_handle, spnego_wrap_handle;
|
||||
dissector_handle_t spnego_krb5_handle, spnego_krb5_wrap_handle;
|
||||
|
||||
/* Register protocol with GSS-API module */
|
||||
|
||||
spnego_handle = create_dissector_handle(dissect_spnego, proto_spnego);
|
||||
spnego_krb5_handle = create_dissector_handle(dissect_spnego_krb5,
|
||||
proto_spnego_krb5);
|
||||
spnego_wrap_handle = new_create_dissector_handle(dissect_spnego_wrap,
|
||||
proto_spnego);
|
||||
gssapi_init_oid("1.3.6.1.5.5.2", proto_spnego, ett_spnego,
|
||||
spnego_handle, "SPNEGO - Simple Protected Negotiation");
|
||||
spnego_handle, spnego_wrap_handle,
|
||||
"SPNEGO - Simple Protected Negotiation");
|
||||
|
||||
/* Register both the one MS created and the real one */
|
||||
spnego_krb5_handle = create_dissector_handle(dissect_spnego_krb5,
|
||||
proto_spnego_krb5);
|
||||
spnego_krb5_wrap_handle = new_create_dissector_handle(dissect_spnego_krb5_wrap,
|
||||
proto_spnego_krb5);
|
||||
gssapi_init_oid("1.2.840.48018.1.2.2", proto_spnego_krb5, ett_spnego_krb5,
|
||||
spnego_krb5_handle, "MS KRB5 - Microsoft Kerberos 5");
|
||||
spnego_krb5_handle, spnego_krb5_wrap_handle,
|
||||
"MS KRB5 - Microsoft Kerberos 5");
|
||||
gssapi_init_oid("1.2.840.113554.1.2.2", proto_spnego_krb5, ett_spnego_krb5,
|
||||
spnego_krb5_handle, "KRB5 - Kerberos 5");
|
||||
spnego_krb5_handle, spnego_krb5_wrap_handle,
|
||||
"KRB5 - Kerberos 5");
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue