A conversation in Wireshark might have two endpoints or might have no
endpoints; few if any have one endpoint. Distinguish between
conversations and endpoints.
Using a similar strategy to ce087027ef we
group conversation and pdata use by the layer depth we are decoding.
This now decodes EAP-TLS within TEAP (and should work for TTLS and PEAP).
The existing PEAP support does not decode the inner attributes; this
commit adds that support by introducing packet-peap.c which recreates
a 'pseudo' EAP header before looping the TVB back into the EAP dissector.
Decode TEAP's O-flag.
We also update the diagram and references as PEAPv0 has a different view
of how the flags are used compared to the RFCs and drafts.
The function to dissect CSuite Sel returns offset not number of
dissected bytes so calling function must assign new offset rather
than incrementing. For consistency also update the CSuite List
function to return offset.
Fix issues found by running ./tools/check_typed_item_calls.py
epan/dissectors/packet-eap.c:1475 proto_tree_add_item called for hf_eap_gpsk_failure_code - item type is FT_UINT16 but call has len 4
epan/dissectors/packet-eap.c:1479 proto_tree_add_item called for hf_eap_gpsk_failure_code - item type is FT_UINT16 but call has len 4
tokens[] contains two tokens - the part of the identity before @ and the
part of the identity after @.
realm_tokens[] contain five tokens - the "."-separated parts of the part
of the identity after @.
The latter include "mncNNN" and "mncNNN".
This fixes a crash.
Change-Id: I4b13dd90977a626a823cb53958412301abf8addb
Reviewed-on: https://code.wireshark.org/review/38158
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
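
An added example (not Wireshark's code) of the check the commit message above implies: count the tokens before indexing into them. The realm layout `wlan.mncNNN.mccNNN.3gppnetwork.org` and all function and type names are assumptions made for this illustration.

```c
#include <ctype.h>
#include <string.h>

struct nai_realm { char mnc[4]; char mcc[4]; };   /* hypothetical result type */

/* Split s in place on delim. Stores at most max pointers in out but returns
 * the real number of parts, so the caller can compare it with max. */
static int split(char *s, char delim, char **out, int max)
{
    int n = 0;
    for (;;) {
        if (n < max)
            out[n] = s;
        n++;
        s = strchr(s, delim);
        if (s == NULL)
            return n;
        *s++ = '\0';
    }
}

/* Accept a label only if it is prefix + exactly three digits; copy the digits. */
static int take_code(const char *label, const char *prefix, char dst[4])
{
    if (strlen(label) != 6 || strncmp(label, prefix, 3) != 0)
        return -1;
    for (int i = 3; i < 6; i++)
        if (!isdigit((unsigned char)label[i]))
            return -1;
    memcpy(dst, label + 3, 4);               /* three digits plus the NUL */
    return 0;
}

/* Returns 0 and fills r, or -1 if the identity does not have the assumed shape. */
int parse_3gpp_identity(const char *identity, struct nai_realm *r)
{
    char buf[256];
    char *tokens[2], *realm_tokens[5];

    if (strlen(identity) >= sizeof buf)
        return -1;
    strcpy(buf, identity);
    if (split(buf, '@', tokens, 2) != 2)              /* user part and realm */
        return -1;
    if (split(tokens[1], '.', realm_tokens, 5) != 5)  /* check before using [1], [2] */
        return -1;
    if (take_code(realm_tokens[1], "mnc", r->mnc) != 0)
        return -1;
    return take_code(realm_tokens[2], "mcc", r->mcc);
}
```
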
Removed WLAN from the EAP identity fields because
it is additional and unnecessary. Added fields for
the full identity string and the identity type.
Removed the pseudo and reauth identity types by
collapsing all identity values into one field
(eap.identity) so the values may be filtered easier
by users in tshark and the GUI. Omitting
encrypted IMSI code until this patch and Change
37250 get merged since the encrypted IMSI logic
depends on these two patches.
Bug: 16537
Change-Id: If359756c1949aff2510b822b70e0e79df85213d0
Reviewed-on: https://code.wireshark.org/review/37257
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Fixing EAP WLAN identity dissection to account for
identities that contain periods. Also fixed an issue
with the identity unknown data field where it would
incorrectly calculate the number of remaining bytes
in identity messages. In that same vein, renamed the
field from hf_eap_identity_unknown_data to
hf_eap_identity_padding as it is only null bytes appended
to the end of identity strings. Lastly, I corrected
the EAP WLAN identity MCC and MNC lookup logic. It
wrongly assumed that NAI Realm MCC and MNCs should only
exist or dissect with permanent EAP identities which
is not the case. The algorithm used to perform lookups
would also not resolve all MCC/MNC pairs for the MNC value.
Bug: 16524
Change-Id: I1d9955618dab0c70de9fcd88088a4390989653c7
Reviewed-on: https://code.wireshark.org/review/37250
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Added two fields for EAP-SIM/AKA Notification Type.
Added value_string array for AT_NOTIFICATION types & external ref.
Updated else if statements to a switch for EAP-SIM and EAP-AKA
Updated eap_sim_aka_attribute_vals[] and added Client Error Codes
Bug: 16539
Change-Id: Iaf9949d713d700330536e805d9ceb9328d183744
Reviewed-on: https://code.wireshark.org/review/36999
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Added unknown data field at end of EAP Identity
dissection to ensure clean offsets to CRC/Checksum.
Bug: 16529
Change-Id: I09bc945bb89a91231bb82ced011ca3d1075a7788
Reviewed-on: https://code.wireshark.org/review/37094
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
check_dissector_urls.py was written and used to
find URLs within epan/dissectors/*.c and try to
fetch them using 'requests'. Will be committed
separately.
Most of the changes were to adapt to reorganisation
of IETF or 3gpp2 links, but many of the broken links
are for websites or companies that no longer exist.
Change-Id: Ie9afdb95099218402a61626a0cd5193c6f781b96
Reviewed-on: https://code.wireshark.org/review/36769
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Initial support for TEAP (Tunnel Extensible Authentication Protocol)
defined in RFC7170.
Only partial support implemented. Mainly the parts needed to discover
the carried EAP payload when establishing IEEE802.11 EAP-TEAP
connections.
Bug: 16379
Change-Id: Ic2b31d0b871b430792a371cd09926811e350c32b
Reviewed-on: https://code.wireshark.org/review/36104
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
From RFC7170
Bug: 16379
Change-Id: I1698e87c78ce3cdc3e322cfb112fd99e8d23e3ec
Reviewed-on: https://code.wireshark.org/review/36056
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Passing the appdata dissector via the data parameter caused crashes due
to type confusion, use an alternative, indirect method instead.
Change-Id: I1de3de4e7daf4504c176a6ad8947037606aa20bb
Depends-On: I4770d03f912dd75f92878dd74ad830ebb7eb1431
Reviewed-on: https://code.wireshark.org/review/34312
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Tested with the three captures from the linked bug: eap-peap-gtc.pcapng,
eap-peap-md5.pcapng, eap-peap-mschapv2.pcapng.
Bug: 15597
Change-Id: Idb1fb2809d05648a3b961af8dbdd9b35c3284c13
Reviewed-on: https://code.wireshark.org/review/34294
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add support for dissecting the decrypted TLS payload as Diameter.
Add support for dissecting the EAP-Message attribute as EAP.
Disable retransmission detection when EAP-Message is detected (EAP in
TLS in EAP) since this results in false positives.
Tested with captures from Bug 15603:
* eap-ttls-pap.pcapng - ok, User-Name and User-Password AVPs.
* eap-ttls-eap-gtc.pcapng, eap-ttls-eap-md5.pcapng - EAP-Message AVP.
* eap-ttls-mschapv2.pcapng - partially supported, does not conform to
  Diameter AVP requirements as it is not padded. Microsoft vendor types
  are also not yet supported. To be fixed later.
* eapttls-diameter-avp.pcapng (Bug 12880) - EAP-Message AVP.
Bug: 12880
Bug: 15603
Change-Id: Ie7ea282d05c1d3ff8463c34bf259107562714440
Reviewed-on: https://code.wireshark.org/review/34281
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The EAP length field must cover at least Code (1 byte), ID (1 byte),
Length (1 byte) and not have missing data afterwards.
Bug: 14406
Change-Id: I829e2aa33e5f286d55d2e8249457e118e7c3ebcc
Reviewed-on: https://code.wireshark.org/review/34292
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Remember the most recently seen Identifier field for the authenticator
and peer. Flag packets that mismatch and skip further processing if it
could modify the state as is the case for EAP-TTLS.
Bug: 5056
Change-Id: If439d5ef2ae390208f678ff271d3036efaf9fa7f
Reviewed-on: https://code.wireshark.org/review/34261
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
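
An added sketch of the Identifier tracking described in the commit message above; it is not Wireshark's implementation. It applies two RFC 3748 rules (a Response carries the Identifier of the Request it answers, and a retransmission reuses the Identifier). The type and function names and the sample trace are constructed for the illustration.

```c
#include <stdint.h>

enum { EAP_REQUEST = 1, EAP_RESPONSE = 2 };      /* RFC 3748 Code values */
enum verdict { PROCESS, DUPLICATE, MISMATCH };

/* Most recently seen Identifier per direction; -1 means none seen yet. */
struct eap_ids { int last_req; int last_resp; };

void eap_ids_init(struct eap_ids *s) { s->last_req = s->last_resp = -1; }

/* Decide whether a packet may be handed to stateful inner processing
 * (for example TLS reassembly inside EAP-TTLS) or must only be flagged. */
enum verdict eap_track(struct eap_ids *s, uint8_t code, uint8_t id)
{
    if (code == EAP_REQUEST) {
        if (s->last_req == id)
            return DUPLICATE;                    /* retransmitted Request */
        s->last_req = id;
        return PROCESS;
    }
    if (code == EAP_RESPONSE) {
        if (s->last_req != id)
            return MISMATCH;                     /* answers no outstanding Request */
        if (s->last_resp == id)
            return DUPLICATE;                    /* retransmitted Response */
        s->last_resp = id;
        return PROCESS;
    }
    return PROCESS;                              /* Success/Failure: not tracked here */
}

/* Constructed trace of {Code, Identifier} pairs, not taken from a capture. */
static const uint8_t sample[][2] = {
    {EAP_REQUEST, 1}, {EAP_RESPONSE, 1},
    {EAP_REQUEST, 1}, {EAP_RESPONSE, 1},         /* both retransmitted */
    {EAP_REQUEST, 2}, {EAP_RESPONSE, 9},         /* Response with wrong Identifier */
    {EAP_RESPONSE, 2},
};

/* Number of packets in the trace that would be flagged instead of processed. */
int flagged_in_sample(void)
{
    struct eap_ids s;
    int flagged = 0;
    eap_ids_init(&s);
    for (unsigned i = 0; i < sizeof sample / sizeof sample[0]; i++)
        if (eap_track(&s, sample[i][0], sample[i][1]) != PROCESS)
            flagged++;
    return flagged;
}
```
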
TLS requires unique conversations for every TLS session. With EAP-TTLS
over EAPOL, only a single conversation was created, breaking TLS.
Force a new conversation at the start of the EAP protocol to fix this.
This alone was not sufficient, the right conversation was not always
matched. This happened due to wildcard matching in EAP (NO_PORT_B) while
TLS does not use NO_PORT_B. TLS ended up setting a dummy port via
"conversation_set_port2" because PT_NONE is considered connection-less.
Even after treating PT_NONE as *not* connection-less in conversation.c,
the EAP Success message was not correctly matched against a conversation
and resulted in creation of another conversation.
To avoid all of that mess, just use the same conversation matching logic
as TLS, without NO_PORT_B. The original conversation tracking logic in
EAP was presumably added to avoid multiple conversations for EAP over
RADIUS (UDP), but that requirement does not seem necessary.
Verified with `tshark -2r eap-tls-bug-cert.pcap -otls.log_file:out.txt`,
two different `conversation =` values exist for the two sessions.
Bug: 15983
Change-Id: I3376624ee3ea627eaa6233d39ae3c1d19bdc98bb
Reviewed-on: https://code.wireshark.org/review/34247
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This avoids multiple dissections on the second pass which could
potentially break decryption and TLS handshake reassembly.
Bug: 15982
Change-Id: I9f83fbd51c732140b831f7d5f29f46e9694e405c
Reviewed-on: https://code.wireshark.org/review/34237
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Currently an extended vendor parser only gets the vendor_type directly and
the vendor_id indirectly. For some cases (eap fragmentation et al.) it is
important to have access to the eap_code and the eap_identifier as well.
This patch is adding this.
Change-Id: I848cbe58dc4f8e4034382a9c9ca43d350a61bb18
Signed-off-by: Dr. Lars Voelker <lars-github@larsvoelker.de>
Reviewed-on: https://code.wireshark.org/review/32944
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
The current EAP dissector assumes that all vendor-defined extended types are
WPS. This does not allow for adding new vendor-defined payloads. This code
cleans up the limitation. The Vendor-ID can be registered using a dissector
table, while the Vendor-Type is passed as data.
Change-Id: Idc75108fd42b9b2153089db503b137c6eeefe274
Signed-off-by: Dr. Lars Voelker <lars-github@larsvoelker.de>
Reviewed-on: https://code.wireshark.org/review/32888
Petri-Dish: Graham Bloice <graham.bloice@trihedral.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Make the time stamp precision a 4-bit bitfield, so, when combined with
the other bitfields, we have 32 bits. That means we put the flags at
the same structure level as the time stamp precision, so they can be
combined; that gets rid of an extra "flags." for references to the flags.
Put the two pointers next to each other, and after a multiple of 8 bytes
worth of other fields, so that there's no padding before or between them.
It's still not down to 64 bytes, which is the next lower power of 2, so
there's more work to do.
Change-Id: I6f3e9d9f6f48137bbee8f100c152d2c42adb8fbe
Reviewed-on: https://code.wireshark.org/review/31213
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>