credssp: add support for gss-api and krb5 dissection

Since the gssapi handler can cope fine with ntlm blobs, remove the
heuristic in ntlmssp and call the gssapi dissector directly. In turn
we get kerberos support, including decryption with keytab etc.
Isaac Boukris 2021-05-22 15:14:14 +03:00 committed by Wireshark GitLab Utility
parent 6f528e6cd7
commit fa1204c02c
4 changed files with 15 additions and 25 deletions


@ -62,13 +62,11 @@ TSRequest
#.FN_BODY NegoData/_item/negoToken
tvbuff_t *token_tvb = NULL;
heur_dtbl_entry_t *hdtbl_entry;
%(DEFAULT_BODY)s
if(token_tvb != NULL)
dissector_try_heuristic(credssp_heur_subdissector_list,
token_tvb, actx->pinfo, proto_tree_get_root(tree), &hdtbl_entry, NULL);
call_dissector(gssapi_handle, token_tvb, actx->pinfo, tree);
#.END
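Review bot: In the negoToken body the `if(token_tvb != NULL)` guard now leads to an unconditional `call_dissector(gssapi_handle, token_tvb, actx->pinfo, tree);`, so every negoToken taken from the capture reaches the GSS-API dissector, whereas the only heuristic shown registered for the old path (removed from ntlmssp on this page) accepted just blobs that begin with the NTLMSSP signature. The token is untrusted input, so the body should state what it relies on, for example `/* negoToken is untrusted: gssapi is expected to recognise raw NTLMSSP, SPNEGO and Kerberos and to reject anything else */`. The tree argument also changed from `proto_tree_get_root(tree)` to `tree`, which presumably nests the token under the negoToken item; a short comment would confirm that this is intended. Bracing the single-statement `if` would keep a later second statement from escaping the NULL guard.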


@ -37,6 +37,8 @@ static int proto_credssp = -1;
/* List of dissectors to call for negoToken data */
static heur_dissector_list_t credssp_heur_subdissector_list;
static dissector_handle_t gssapi_handle;
static int hf_credssp_TSPasswordCreds = -1; /* TSPasswordCreds */
static int hf_credssp_TSSmartCardCreds = -1; /* TSSmartCardCreds */
static int hf_credssp_TSCredentials = -1; /* TSCredentials */
@ -161,6 +163,8 @@ void proto_register_credssp(void) {
/*--- proto_reg_handoff_credssp --- */
void proto_reg_handoff_credssp(void) {
gssapi_handle = find_dissector_add_dependency("gssapi", proto_credssp);
heur_dissector_add("tls", dissect_credssp_heur, "CredSSP over TLS", "credssp_tls", proto_credssp, HEURISTIC_ENABLE);
heur_dissector_add("rdp", dissect_credssp_heur, "CredSSP in TPKT", "credssp_tpkt", proto_credssp, HEURISTIC_ENABLE);
exported_pdu_tap = find_tap_id(EXPORT_PDU_TAP_NAME_LAYER_7);
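Review bot: The comment `/* List of dissectors to call for negoToken data */` above `credssp_heur_subdissector_list` is stale after this change, because the negoToken body no longer consults that list, and the new `gssapi_handle` declared next to it has no comment of its own. I would add `/* GSS-API dissector, called directly for every negoToken */` above the handle and reword the list comment to name whatever still uses the list; if nothing does (not visible in these hunks), the list and its registration can be dropped. In `proto_reg_handoff_credssp`, whose body continues outside the hunk, the result of `find_dissector_add_dependency("gssapi", proto_credssp)` is stored unchecked. gssapi is presumably always registered, but that assumption deserves a one-line comment, since the handle is later passed to `call_dissector` without a test.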


@ -45,6 +45,8 @@ static int proto_credssp = -1;
/* List of dissectors to call for negoToken data */
static heur_dissector_list_t credssp_heur_subdissector_list;
static dissector_handle_t gssapi_handle;
static int hf_credssp_TSPasswordCreds = -1; /* TSPasswordCreds */
static int hf_credssp_TSSmartCardCreds = -1; /* TSSmartCardCreds */
static int hf_credssp_TSCredentials = -1; /* TSCredentials */
@ -76,7 +78,7 @@ static int hf_credssp_errorCode = -1; /* T_errorCode */
static int hf_credssp_clientNonce = -1; /* T_clientNonce */
/*--- End of included file: packet-credssp-hf.c ---*/
#line 44 "./asn1/credssp/packet-credssp-template.c"
#line 46 "./asn1/credssp/packet-credssp-template.c"
/* Initialize the subtree pointers */
static gint ett_credssp = -1;
@ -92,7 +94,7 @@ static gint ett_credssp_TSCredentials = -1;
static gint ett_credssp_TSRequest = -1;
/*--- End of included file: packet-credssp-ett.c ---*/
#line 48 "./asn1/credssp/packet-credssp-template.c"
#line 50 "./asn1/credssp/packet-credssp-template.c"
/*--- Included file: packet-credssp-fn.c ---*/
@ -103,15 +105,13 @@ static int
dissect_credssp_T_negoToken(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 64 "./asn1/credssp/credssp.cnf"
tvbuff_t *token_tvb = NULL;
heur_dtbl_entry_t *hdtbl_entry;
offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
&token_tvb);
if(token_tvb != NULL)
dissector_try_heuristic(credssp_heur_subdissector_list,
token_tvb, actx->pinfo, proto_tree_get_root(tree), &hdtbl_entry, NULL);
call_dissector(gssapi_handle, token_tvb, actx->pinfo, tree);
@ -375,7 +375,7 @@ static int dissect_TSRequest_PDU(tvbuff_t *tvb _U_, packet_info *pinfo _U_, prot
/*--- End of included file: packet-credssp-fn.c ---*/
#line 50 "./asn1/credssp/packet-credssp-template.c"
#line 52 "./asn1/credssp/packet-credssp-template.c"
/*
* Dissect CredSSP PDUs
@ -560,7 +560,7 @@ void proto_register_credssp(void) {
NULL, HFILL }},
/*--- End of included file: packet-credssp-hfarr.c ---*/
#line 138 "./asn1/credssp/packet-credssp-template.c"
#line 140 "./asn1/credssp/packet-credssp-template.c"
};
/* List of subtrees */
@ -578,7 +578,7 @@ void proto_register_credssp(void) {
&ett_credssp_TSRequest,
/*--- End of included file: packet-credssp-ettarr.c ---*/
#line 144 "./asn1/credssp/packet-credssp-template.c"
#line 146 "./asn1/credssp/packet-credssp-template.c"
};
@ -599,6 +599,8 @@ void proto_register_credssp(void) {
/*--- proto_reg_handoff_credssp --- */
void proto_reg_handoff_credssp(void) {
gssapi_handle = find_dissector_add_dependency("gssapi", proto_credssp);
heur_dissector_add("tls", dissect_credssp_heur, "CredSSP over TLS", "credssp_tls", proto_credssp, HEURISTIC_ENABLE);
heur_dissector_add("rdp", dissect_credssp_heur, "CredSSP in TPKT", "credssp_tpkt", proto_credssp, HEURISTIC_ENABLE);
exported_pdu_tap = find_tap_id(EXPORT_PDU_TAP_NAME_LAYER_7);


@ -2432,18 +2432,6 @@ dissect_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data
return tvb_captured_length(tvb);
}
static gboolean
dissect_ntlmssp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
{
if (tvb_memeql(tvb, 0, "NTLMSSP", 8) == 0) {
dissect_ntlmssp(tvb, pinfo, parent_tree, data);
return TRUE;
}
return FALSE;
}
/*
* See page 45 of "DCE/RPC over SMB" by Luke Kenneth Casson Leighton.
*/
@ -3505,8 +3493,6 @@ proto_reg_handoff_ntlmssp(void)
&ntlmssp_seal_fns);
ntlmssp_tap = register_tap("ntlmssp");
heur_dissector_add("credssp", dissect_ntlmssp_heur, "NTLMSSP over CredSSP", "ntlmssp_credssp", proto_ntlmssp, HEURISTIC_ENABLE);
}
/*