From 3874621667caf3de55d28b564458a42053c8f130 Mon Sep 17 00:00:00 2001
From: David Fort <contact@hardening-consulting.com>
Date: Wed, 30 Jun 2021 16:18:27 +0200
Subject: [PATCH] spnego: also interpret the mechList field

In NegTokenTarg the mechListMIC field can be dissected using the gss_wrap dissector.
---
 .../asn1/spnego/packet-spnego-template.c      |  2 +-
 epan/dissectors/asn1/spnego/spnego.cnf        | 23 ++++++++++
 epan/dissectors/packet-spnego.c               | 43 ++++++++++++++++++-
 3 files changed, 65 insertions(+), 3 deletions(-)

diff --git a/epan/dissectors/asn1/spnego/packet-spnego-template.c b/epan/dissectors/asn1/spnego/packet-spnego-template.c
index a4f9a50009..ce46efdb58 100644
--- a/epan/dissectors/asn1/spnego/packet-spnego-template.c
+++ b/epan/dissectors/asn1/spnego/packet-spnego-template.c
@@ -84,7 +84,7 @@ static dissector_handle_t spnego_krb5_handle;
 static dissector_handle_t spnego_krb5_wrap_handle;
 
 /*
- * Unfortunately, we have to have forward declarations of thess,
+ * Unfortunately, we have to have forward declarations of these,
  * as the code generated by asn2wrs includes a call before the
  * definition.
  */
diff --git a/epan/dissectors/asn1/spnego/spnego.cnf b/epan/dissectors/asn1/spnego/spnego.cnf
index 9974795e67..518165eac9 100644
--- a/epan/dissectors/asn1/spnego/spnego.cnf
+++ b/epan/dissectors/asn1/spnego/spnego.cnf
@@ -176,6 +176,29 @@ NegotiationToken
     }
   }
 
+
+#.FN_BODY NegTokenTarg/mechListMIC VAL_PTR = &mechListMIC_tvb
+
+  tvbuff_t *mechListMIC_tvb;
+
+
+%(DEFAULT_BODY)s
+
+
+  /*
+   * Now, we should be able to dispatch, if we've gotten a tvbuff for
+   * the token and we have information on how to dissect its contents.
+   * However, we should make sure that there is something in the
+   * response token ...
+   */
+  if (mechListMIC_tvb && (tvb_reported_length(mechListMIC_tvb) > 0) ){
+    gssapi_oid_value *value=next_level_value;
+
+    if(value){
+      call_dissector(value->handle, mechListMIC_tvb, actx->pinfo, tree);
+    }
+  }
+
 #.END
 
 #
diff --git a/epan/dissectors/packet-spnego.c b/epan/dissectors/packet-spnego.c
index 1cb06cc9b7..475ec6dc7e 100644
--- a/epan/dissectors/packet-spnego.c
+++ b/epan/dissectors/packet-spnego.c
@@ -85,6 +85,7 @@ static int hf_spnego_negHints = -1;               /* NegHints */
 static int hf_spnego_negResult = -1;              /* T_negResult */
 static int hf_spnego_supportedMech = -1;          /* T_supportedMech */
 static int hf_spnego_responseToken = -1;          /* T_responseToken */
+static int hf_spnego_mechListMIC_01 = -1;         /* T_mechListMIC */
 static int hf_spnego_thisMech = -1;               /* MechType */
 static int hf_spnego_innerContextToken = -1;      /* InnerContextToken */
 /* named bits */
@@ -134,7 +135,7 @@ static dissector_handle_t spnego_krb5_handle;
 static dissector_handle_t spnego_krb5_wrap_handle;
 
 /*
- * Unfortunately, we have to have forward declarations of thess,
+ * Unfortunately, we have to have forward declarations of these,
  * as the code generated by asn2wrs includes a call before the
  * definition.
  */
@@ -388,6 +389,40 @@ dissect_spnego_T_responseToken(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int
 
 
 
+
+  return offset;
+}
+
+
+
+static int
+dissect_spnego_T_mechListMIC(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+#line 181 "./asn1/spnego/spnego.cnf"
+
+  tvbuff_t *mechListMIC_tvb;
+
+
+  offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
+                                       &mechListMIC_tvb);
+
+
+
+  /*
+   * Now, we should be able to dispatch, if we've gotten a tvbuff for
+   * the token and we have information on how to dissect its contents.
+   * However, we should make sure that there is something in the
+   * response token ...
+   */
+  if (mechListMIC_tvb && (tvb_reported_length(mechListMIC_tvb) > 0) ){
+    gssapi_oid_value *value=next_level_value;
+
+    if(value){
+      call_dissector(value->handle, mechListMIC_tvb, actx->pinfo, tree);
+    }
+  }
+
+
+
   return offset;
 }
 
@@ -396,7 +431,7 @@ static const ber_sequence_t NegTokenTarg_sequence[] = {
   { &hf_spnego_negResult    , BER_CLASS_CON, 0, BER_FLAGS_OPTIONAL, dissect_spnego_T_negResult },
   { &hf_spnego_supportedMech, BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_spnego_T_supportedMech },
   { &hf_spnego_responseToken, BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_spnego_T_responseToken },
-  { &hf_spnego_mechListMIC  , BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_spnego_OCTET_STRING },
+  { &hf_spnego_mechListMIC_01, BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_spnego_T_mechListMIC },
   { NULL, 0, 0, 0, NULL }
 };
 
@@ -1901,6 +1936,10 @@ void proto_register_spnego(void) {
       { "responseToken", "spnego.responseToken",
         FT_BYTES, BASE_NONE, NULL, 0,
         NULL, HFILL }},
+    { &hf_spnego_mechListMIC_01,
+      { "mechListMIC", "spnego.mechListMIC",
+        FT_BYTES, BASE_NONE, NULL, 0,
+        NULL, HFILL }},
     { &hf_spnego_thisMech,
       { "thisMech", "spnego.thisMech",
         FT_OID, BASE_NONE, NULL, 0,