search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
epan/dissectors/pidl/samr/samr.cnf cnf_dissect_lsa_BinaryString => lsarpc_dissect_str...
[wireshark-sm.git] / epan / dissectors / packet-credssp.c
blob3377e7ba8dff96da0c773e18521a49840e75f4bd
1 /* Do not modify this file. Changes will be overwritten. */
2 /* Generated automatically by the ASN.1 to Wireshark dissector compiler */
3 /* packet-credssp.c */
4 /* asn2wrs.py -b -C -q -L -p credssp -c ./credssp.cnf -s ./packet-credssp-template -D . -O ../.. CredSSP.asn */
5
6 /* packet-credssp.c
7 * Routines for CredSSP (Credential Security Support Provider) packet dissection
8 * Graeme Lunt 2011
9 *
10 * Wireshark - Network traffic analyzer
11 * By Gerald Combs <gerald@wireshark.org>
12 * Copyright 1998 Gerald Combs
13 *
14 * SPDX-License-Identifier: GPL-2.0-or-later
15 */
16
17 #include "config.h"
18
19 #include <epan/packet.h>
20 #include <epan/asn1.h>
21 #include <epan/tap.h>
22 #include <epan/exported_pdu.h>
23 #include <wsutil/array.h>
24
25 #include "packet-ber.h"
26 #include "packet-gssapi.h"
27 #include "packet-kerberos.h"
28 #include "packet-ntlmssp.h"
29 #include "packet-credssp.h"
30
31 #define PNAME "Credential Security Support Provider"
32 #define PSNAME "CredSSP"
33 #define PFNAME "credssp"
34
35 #define TS_PASSWORD_CREDS 1
36 #define TS_SMARTCARD_CREDS 2
37 #define TS_REMOTEGUARD_CREDS 6
38
39 static int creds_type;
40 static int credssp_ver;
41
42 static char kerberos_pname[] = "K\0e\0r\0b\0e\0r\0o\0s";
43 static char ntlm_pname[] = "N\0T\0L\0M";
44
45 #define TS_RGC_UNKNOWN 0
46 #define TS_RGC_KERBEROS 1
47 #define TS_RGC_NTLM 2
48
49 static int credssp_TS_RGC_package;
50
51 static int exported_pdu_tap = -1;
52
53 /* Initialize the protocol and registered fields */
54 static int proto_credssp;
55
56 /* List of dissectors to call for negoToken data */
57 static heur_dissector_list_t credssp_heur_subdissector_list;
58
59 static dissector_handle_t gssapi_handle;
60 static dissector_handle_t gssapi_wrap_handle;
61
62 static int hf_credssp_TSPasswordCreds; /* TSPasswordCreds */
63 static int hf_credssp_TSSmartCardCreds; /* TSSmartCardCreds */
64 static int hf_credssp_TSRemoteGuardCreds;/* TSRemoteGuardCreds */
65 static int hf_credssp_TSCredentials; /* TSCredentials */
66 static int hf_credssp_decr_PublicKeyAuth;/* decr_PublicKeyAuth */
67 static int hf_credssp_TSRequest_PDU; /* TSRequest */
68 static int hf_credssp_NegoData_item; /* NegoData_item */
69 static int hf_credssp_negoToken; /* T_negoToken */
70 static int hf_credssp_domainName; /* OCTET_STRING */
71 static int hf_credssp_userName; /* OCTET_STRING */
72 static int hf_credssp_password; /* OCTET_STRING */
73 static int hf_credssp_keySpec; /* INTEGER */
74 static int hf_credssp_cardName; /* OCTET_STRING */
75 static int hf_credssp_readerName; /* OCTET_STRING */
76 static int hf_credssp_containerName; /* OCTET_STRING */
77 static int hf_credssp_cspName; /* OCTET_STRING */
78 static int hf_credssp_pin; /* OCTET_STRING */
79 static int hf_credssp_cspData; /* TSCspDataDetail */
80 static int hf_credssp_userHint; /* OCTET_STRING */
81 static int hf_credssp_domainHint; /* OCTET_STRING */
82 static int hf_credssp_packageName; /* T_packageName */
83 static int hf_credssp_credBuffer; /* T_credBuffer */
84 static int hf_credssp_logonCred; /* TSRemoteGuardPackageCred */
85 static int hf_credssp_supplementalCreds; /* SEQUENCE_OF_TSRemoteGuardPackageCred */
86 static int hf_credssp_supplementalCreds_item; /* TSRemoteGuardPackageCred */
87 static int hf_credssp_credType; /* T_credType */
88 static int hf_credssp_credentials; /* T_credentials */
89 static int hf_credssp_version; /* T_version */
90 static int hf_credssp_negoTokens; /* NegoData */
91 static int hf_credssp_authInfo; /* T_authInfo */
92 static int hf_credssp_pubKeyAuth; /* T_pubKeyAuth */
93 static int hf_credssp_errorCode; /* T_errorCode */
94 static int hf_credssp_clientNonce; /* T_clientNonce */
95
96 /* Initialize the subtree pointers */
97 static int ett_credssp;
98 static int ett_credssp_RGC_CredBuffer;
99
100 static int ett_credssp_NegoData;
101 static int ett_credssp_NegoData_item;
102 static int ett_credssp_TSPasswordCreds;
103 static int ett_credssp_TSCspDataDetail;
104 static int ett_credssp_TSSmartCardCreds;
105 static int ett_credssp_TSRemoteGuardPackageCred;
106 static int ett_credssp_TSRemoteGuardCreds;
107 static int ett_credssp_SEQUENCE_OF_TSRemoteGuardPackageCred;
108 static int ett_credssp_TSCredentials;
109 static int ett_credssp_TSRequest;
110
111
112
113 static int
114 dissect_credssp_T_negoToken(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
115 tvbuff_t *token_tvb = NULL;
116
117 offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
118 &token_tvb);
119
120
121 if(token_tvb != NULL)
122 call_dissector(gssapi_handle, token_tvb, actx->pinfo, tree);
123
124
125
126 return offset;
127 }
128
129
130 static const ber_sequence_t NegoData_item_sequence[] = {
131 { &hf_credssp_negoToken , BER_CLASS_CON, 0, 0, dissect_credssp_T_negoToken },
132 { NULL, 0, 0, 0, NULL }
133 };
134
135 static int
136 dissect_credssp_NegoData_item(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
137 offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
138 NegoData_item_sequence, hf_index, ett_credssp_NegoData_item);
139
140 return offset;
141 }
142
143
144 static const ber_sequence_t NegoData_sequence_of[1] = {
145 { &hf_credssp_NegoData_item, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_credssp_NegoData_item },
146 };
147
148 static int
149 dissect_credssp_NegoData(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
150 offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
151 NegoData_sequence_of, hf_index, ett_credssp_NegoData);
152
153 return offset;
154 }
155
156
157
158 static int
159 dissect_credssp_OCTET_STRING(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
160 offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
161 NULL);
162
163 return offset;
164 }
165
166
167 static const ber_sequence_t TSPasswordCreds_sequence[] = {
168 { &hf_credssp_domainName , BER_CLASS_CON, 0, 0, dissect_credssp_OCTET_STRING },
169 { &hf_credssp_userName , BER_CLASS_CON, 1, 0, dissect_credssp_OCTET_STRING },
170 { &hf_credssp_password , BER_CLASS_CON, 2, 0, dissect_credssp_OCTET_STRING },
171 { NULL, 0, 0, 0, NULL }
172 };
173
174 static int
175 dissect_credssp_TSPasswordCreds(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
176 offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
177 TSPasswordCreds_sequence, hf_index, ett_credssp_TSPasswordCreds);
178
179 return offset;
180 }
181
182
183
184 static int
185 dissect_credssp_INTEGER(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
186 offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
187 NULL);
188
189 return offset;
190 }
191
192
193 static const ber_sequence_t TSCspDataDetail_sequence[] = {
194 { &hf_credssp_keySpec , BER_CLASS_CON, 0, 0, dissect_credssp_INTEGER },
195 { &hf_credssp_cardName , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_credssp_OCTET_STRING },
196 { &hf_credssp_readerName , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_credssp_OCTET_STRING },
197 { &hf_credssp_containerName, BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_credssp_OCTET_STRING },
198 { &hf_credssp_cspName , BER_CLASS_CON, 4, BER_FLAGS_OPTIONAL, dissect_credssp_OCTET_STRING },
199 { NULL, 0, 0, 0, NULL }
200 };
201
202 static int
203 dissect_credssp_TSCspDataDetail(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
204 offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
205 TSCspDataDetail_sequence, hf_index, ett_credssp_TSCspDataDetail);
206
207 return offset;
208 }
209
210
211 static const ber_sequence_t TSSmartCardCreds_sequence[] = {
212 { &hf_credssp_pin , BER_CLASS_CON, 0, 0, dissect_credssp_OCTET_STRING },
213 { &hf_credssp_cspData , BER_CLASS_CON, 1, 0, dissect_credssp_TSCspDataDetail },
214 { &hf_credssp_userHint , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_credssp_OCTET_STRING },
215 { &hf_credssp_domainHint , BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_credssp_OCTET_STRING },
216 { NULL, 0, 0, 0, NULL }
217 };
218
219 static int
220 dissect_credssp_TSSmartCardCreds(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
221 offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
222 TSSmartCardCreds_sequence, hf_index, ett_credssp_TSSmartCardCreds);
223
224 return offset;
225 }
226
227
228
229 static int
230 dissect_credssp_T_packageName(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
231 tvbuff_t *pname = NULL;
232
233 offset = dissect_ber_octet_string(implicit_tag, actx, NULL, tvb, offset, hf_index, &pname);
234
235 if(pname != NULL) {
236 int nlen = tvb_captured_length(pname);
237
238 if (nlen == sizeof(kerberos_pname) && memcmp(tvb_get_ptr(pname, 0, nlen), kerberos_pname, nlen) == 0) {
239 credssp_TS_RGC_package = TS_RGC_KERBEROS;
240 } else if (nlen == sizeof(ntlm_pname) && memcmp(tvb_get_ptr(pname, 0, nlen), ntlm_pname, nlen) == 0) {
241 credssp_TS_RGC_package = TS_RGC_NTLM;
242 }
243 proto_tree_add_item(tree, hf_index, pname, 0, -1, ENC_UTF_16|ENC_LITTLE_ENDIAN);
244 }
245
246
247 return offset;
248 }
249
250
251
252 static int
253 dissect_credssp_T_credBuffer(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
254 tvbuff_t *creds= NULL;
255 proto_tree *subtree;
256
257 offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
258 &creds);
259
260
261 if (!creds)
262 return offset;
263
264 switch(credssp_TS_RGC_package) {
265 case TS_RGC_KERBEROS:
266 subtree = proto_item_add_subtree(actx->created_item, ett_credssp_RGC_CredBuffer);
267 dissect_kerberos_KERB_TICKET_LOGON(creds, 0, actx, subtree);
268 break;
269 case TS_RGC_NTLM:
270 subtree = proto_item_add_subtree(actx->created_item, ett_credssp_RGC_CredBuffer);
271 dissect_ntlmssp_NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL(creds, 0, subtree);
272 break;
273 }
274
275
276 return offset;
277 }
278
279
280 static const ber_sequence_t TSRemoteGuardPackageCred_sequence[] = {
281 { &hf_credssp_packageName , BER_CLASS_CON, 0, 0, dissect_credssp_T_packageName },
282 { &hf_credssp_credBuffer , BER_CLASS_CON, 1, 0, dissect_credssp_T_credBuffer },
283 { NULL, 0, 0, 0, NULL }
284 };
285
286 static int
287 dissect_credssp_TSRemoteGuardPackageCred(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
288 offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
289 TSRemoteGuardPackageCred_sequence, hf_index, ett_credssp_TSRemoteGuardPackageCred);
290
291 return offset;
292 }
293
294
295 static const ber_sequence_t SEQUENCE_OF_TSRemoteGuardPackageCred_sequence_of[1] = {
296 { &hf_credssp_supplementalCreds_item, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_credssp_TSRemoteGuardPackageCred },
297 };
298
299 static int
300 dissect_credssp_SEQUENCE_OF_TSRemoteGuardPackageCred(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
301 offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
302 SEQUENCE_OF_TSRemoteGuardPackageCred_sequence_of, hf_index, ett_credssp_SEQUENCE_OF_TSRemoteGuardPackageCred);
303
304 return offset;
305 }
306
307
308 static const ber_sequence_t TSRemoteGuardCreds_sequence[] = {
309 { &hf_credssp_logonCred , BER_CLASS_CON, 0, 0, dissect_credssp_TSRemoteGuardPackageCred },
310 { &hf_credssp_supplementalCreds, BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_credssp_SEQUENCE_OF_TSRemoteGuardPackageCred },
311 { NULL, 0, 0, 0, NULL }
312 };
313
314 static int
315 dissect_credssp_TSRemoteGuardCreds(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
316 offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
317 TSRemoteGuardCreds_sequence, hf_index, ett_credssp_TSRemoteGuardCreds);
318
319 return offset;
320 }
321
322
323
324 static int
325 dissect_credssp_T_credType(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
326 offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
327 &creds_type);
328
329 return offset;
330 }
331
332
333
334 static int
335 dissect_credssp_T_credentials(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
336 tvbuff_t *creds_tvb = NULL;
337
338 offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
339 &creds_tvb);
340
341
342 switch(creds_type) {
343 case TS_PASSWORD_CREDS:
344 dissect_credssp_TSPasswordCreds(false, creds_tvb, 0, actx, tree, hf_credssp_TSPasswordCreds);
345 break;
346 case TS_SMARTCARD_CREDS:
347 dissect_credssp_TSSmartCardCreds(false, creds_tvb, 0, actx, tree, hf_credssp_TSSmartCardCreds);
348 break;
349 case TS_REMOTEGUARD_CREDS:
350 dissect_credssp_TSRemoteGuardCreds(false, creds_tvb, 0, actx, tree, hf_credssp_TSRemoteGuardCreds);
351 break;
352 }
353
354
355
356 return offset;
357 }
358
359
360 static const ber_sequence_t TSCredentials_sequence[] = {
361 { &hf_credssp_credType , BER_CLASS_CON, 0, 0, dissect_credssp_T_credType },
362 { &hf_credssp_credentials , BER_CLASS_CON, 1, 0, dissect_credssp_T_credentials },
363 { NULL, 0, 0, 0, NULL }
364 };
365
366 static int
367 dissect_credssp_TSCredentials(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
368 offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
369 TSCredentials_sequence, hf_index, ett_credssp_TSCredentials);
370
371 return offset;
372 }
373
374
375
376 static int
377 dissect_credssp_T_version(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
378 offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
379 &credssp_ver);
380
381 return offset;
382 }
383
384
385
386 static int
387 dissect_credssp_T_authInfo(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
388 tvbuff_t *auth_tvb = NULL;
389 tvbuff_t *decr_tvb = NULL;
390 gssapi_encrypt_info_t gssapi_encrypt;
391
392 offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
393 &auth_tvb);
394
395
396 memset(&gssapi_encrypt, 0, sizeof(gssapi_encrypt));
397 gssapi_encrypt.decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL;
398 call_dissector_with_data(gssapi_wrap_handle, auth_tvb, actx->pinfo, tree, &gssapi_encrypt);
399 decr_tvb = gssapi_encrypt.gssapi_decrypted_tvb;
400
401 if(decr_tvb != NULL)
402 dissect_credssp_TSCredentials(false, decr_tvb, 0, actx, tree, hf_credssp_TSCredentials);
403
404
405 return offset;
406 }
407
408
409
410 static int
411 dissect_credssp_T_pubKeyAuth(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
412 tvbuff_t *auth_tvb = NULL;
413 tvbuff_t *decr_tvb = NULL;
414 gssapi_encrypt_info_t gssapi_encrypt;
415
416 offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
417 &auth_tvb);
418
419
420 memset(&gssapi_encrypt, 0, sizeof(gssapi_encrypt));
421 gssapi_encrypt.decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL;
422 call_dissector_with_data(gssapi_wrap_handle, auth_tvb, actx->pinfo, tree, &gssapi_encrypt);
423 decr_tvb = gssapi_encrypt.gssapi_decrypted_tvb;
424
425 if(decr_tvb != NULL)
426 proto_tree_add_item(tree, hf_credssp_decr_PublicKeyAuth, decr_tvb, 0, -1, ENC_NA);
427
428
429 return offset;
430 }
431
432
433
434 static int
435 dissect_credssp_T_errorCode(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
436
437 if (credssp_ver < 3) {
438 return 0;
439 }
440
441 offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
442 NULL);
443
444
445
446
447 return offset;
448 }
449
450
451
452 static int
453 dissect_credssp_T_clientNonce(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
454
455 if (credssp_ver < 5) {
456 return 0;
457 }
458
459 offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
460 NULL);
461
462
463
464
465 return offset;
466 }
467
468
469 static const ber_sequence_t TSRequest_sequence[] = {
470 { &hf_credssp_version , BER_CLASS_CON, 0, 0, dissect_credssp_T_version },
471 { &hf_credssp_negoTokens , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_credssp_NegoData },
472 { &hf_credssp_authInfo , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_credssp_T_authInfo },
473 { &hf_credssp_pubKeyAuth , BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_credssp_T_pubKeyAuth },
474 { &hf_credssp_errorCode , BER_CLASS_CON, 4, BER_FLAGS_OPTIONAL, dissect_credssp_T_errorCode },
475 { &hf_credssp_clientNonce , BER_CLASS_CON, 5, BER_FLAGS_OPTIONAL, dissect_credssp_T_clientNonce },
476 { NULL, 0, 0, 0, NULL }
477 };
478
479 static int
480 dissect_credssp_TSRequest(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
481 offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
482 TSRequest_sequence, hf_index, ett_credssp_TSRequest);
483
484 return offset;
485 }
486
487 /*--- PDUs ---*/
488
489 static int dissect_TSRequest_PDU(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, void *data _U_) {
490 int offset = 0;
491 asn1_ctx_t asn1_ctx;
492 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);
493 offset = dissect_credssp_TSRequest(false, tvb, offset, &asn1_ctx, tree, hf_credssp_TSRequest_PDU);
494 return offset;
495 }
496
497
498 /*
499 * Dissect CredSSP PDUs
500 */
501 static int
502 dissect_credssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data)
503 {
504 proto_item *item=NULL;
505 proto_tree *tree=NULL;
506
507 if(parent_tree){
508 item = proto_tree_add_item(parent_tree, proto_credssp, tvb, 0, -1, ENC_NA);
509 tree = proto_item_add_subtree(item, ett_credssp);
510 }
511 col_set_str(pinfo->cinfo, COL_PROTOCOL, "CredSSP");
512 col_clear(pinfo->cinfo, COL_INFO);
513
514 creds_type = -1;
515 credssp_ver = -1;
516
517 return dissect_TSRequest_PDU(tvb, pinfo, tree, data);
518 }
519
520 static bool
521 dissect_credssp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data)
522 {
523 asn1_ctx_t asn1_ctx;
524 int offset = 0;
525 int8_t ber_class;
526 bool pc;
527 int32_t tag;
528 uint32_t length;
529 int8_t ver;
530
531 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);
532
533 /* Look for SEQUENCE, CONTEXT 0, and INTEGER 2 */
534 if(tvb_captured_length(tvb) > 7) {
535 offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag);
536 if((ber_class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_SEQUENCE) && (pc == true)) {
537 offset = get_ber_length(tvb, offset, NULL, NULL);
538 offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag);
539 if((ber_class == BER_CLASS_CON) && (tag == 0)) {
540 offset = get_ber_length(tvb, offset, NULL, NULL);
541 offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag);
542 if((ber_class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_INTEGER)) {
543 offset = get_ber_length(tvb, offset, &length, NULL);
544 ver = tvb_get_uint8(tvb, offset);
545 if((length == 1) && (ver > 1) && (ver < 99)) {
546 if (have_tap_listener(exported_pdu_tap)) {
547 exp_pdu_data_t *exp_pdu_data = export_pdu_create_common_tags(pinfo, "credssp", EXP_PDU_TAG_DISSECTOR_NAME);
548
549 exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb);
550 exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb);
551 exp_pdu_data->pdu_tvb = tvb;
552
553 tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
554 }
555 dissect_credssp(tvb, pinfo, parent_tree, data);
556 return true;
557 }
558 }
559 }
560 }
561 }
562 return false;
563 }
564
565
566 /*--- proto_register_credssp -------------------------------------------*/
567 void proto_register_credssp(void) {
568
569 /* List of fields */
570 static hf_register_info hf[] =
571 {
572 { &hf_credssp_TSPasswordCreds,
573 { "TSPasswordCreds", "credssp.TSPasswordCreds",
574 FT_NONE, BASE_NONE, NULL, 0,
575 NULL, HFILL }},
576 { &hf_credssp_TSSmartCardCreds,
577 { "TSSmartCardCreds", "credssp.TSSmartCardCreds",
578 FT_NONE, BASE_NONE, NULL, 0,
579 NULL, HFILL }},
580 { &hf_credssp_TSRemoteGuardCreds,
581 { "TSRemoteGuardCreds", "credssp.TSRemoteGuardCreds",
582 FT_NONE, BASE_NONE, NULL, 0,
583 NULL, HFILL }},
584 { &hf_credssp_TSCredentials,
585 { "TSCredentials", "credssp.TSCredentials",
586 FT_NONE, BASE_NONE, NULL, 0,
587 NULL, HFILL }},
588 { &hf_credssp_decr_PublicKeyAuth,
589 { "Decrypted PublicKeyAuth (sha256)", "credssp.decr_PublicKeyAuth",
590 FT_BYTES, BASE_NONE, NULL, 0,
591 NULL, HFILL }},
592 { &hf_credssp_TSRequest_PDU,
593 { "TSRequest", "credssp.TSRequest_element",
594 FT_NONE, BASE_NONE, NULL, 0,
595 NULL, HFILL }},
596 { &hf_credssp_NegoData_item,
597 { "NegoData item", "credssp.NegoData_item_element",
598 FT_NONE, BASE_NONE, NULL, 0,
599 NULL, HFILL }},
600 { &hf_credssp_negoToken,
601 { "negoToken", "credssp.negoToken",
602 FT_BYTES, BASE_NONE, NULL, 0,
603 NULL, HFILL }},
604 { &hf_credssp_domainName,
605 { "domainName", "credssp.domainName",
606 FT_BYTES, BASE_NONE, NULL, 0,
607 "OCTET_STRING", HFILL }},
608 { &hf_credssp_userName,
609 { "userName", "credssp.userName",
610 FT_BYTES, BASE_NONE, NULL, 0,
611 "OCTET_STRING", HFILL }},
612 { &hf_credssp_password,
613 { "password", "credssp.password",
614 FT_BYTES, BASE_NONE, NULL, 0,
615 "OCTET_STRING", HFILL }},
616 { &hf_credssp_keySpec,
617 { "keySpec", "credssp.keySpec",
618 FT_INT32, BASE_DEC, NULL, 0,
619 "INTEGER", HFILL }},
620 { &hf_credssp_cardName,
621 { "cardName", "credssp.cardName",
622 FT_BYTES, BASE_NONE, NULL, 0,
623 "OCTET_STRING", HFILL }},
624 { &hf_credssp_readerName,
625 { "readerName", "credssp.readerName",
626 FT_BYTES, BASE_NONE, NULL, 0,
627 "OCTET_STRING", HFILL }},
628 { &hf_credssp_containerName,
629 { "containerName", "credssp.containerName",
630 FT_BYTES, BASE_NONE, NULL, 0,
631 "OCTET_STRING", HFILL }},
632 { &hf_credssp_cspName,
633 { "cspName", "credssp.cspName",
634 FT_BYTES, BASE_NONE, NULL, 0,
635 "OCTET_STRING", HFILL }},
636 { &hf_credssp_pin,
637 { "pin", "credssp.pin",
638 FT_BYTES, BASE_NONE, NULL, 0,
639 "OCTET_STRING", HFILL }},
640 { &hf_credssp_cspData,
641 { "cspData", "credssp.cspData_element",
642 FT_NONE, BASE_NONE, NULL, 0,
643 "TSCspDataDetail", HFILL }},
644 { &hf_credssp_userHint,
645 { "userHint", "credssp.userHint",
646 FT_BYTES, BASE_NONE, NULL, 0,
647 "OCTET_STRING", HFILL }},
648 { &hf_credssp_domainHint,
649 { "domainHint", "credssp.domainHint",
650 FT_BYTES, BASE_NONE, NULL, 0,
651 "OCTET_STRING", HFILL }},
652 { &hf_credssp_packageName,
653 { "packageName", "credssp.packageName",
654 FT_STRING, BASE_NONE, NULL, 0,
655 NULL, HFILL }},
656 { &hf_credssp_credBuffer,
657 { "credBuffer", "credssp.credBuffer",
658 FT_BYTES, BASE_NONE, NULL, 0,
659 NULL, HFILL }},
660 { &hf_credssp_logonCred,
661 { "logonCred", "credssp.logonCred_element",
662 FT_NONE, BASE_NONE, NULL, 0,
663 "TSRemoteGuardPackageCred", HFILL }},
664 { &hf_credssp_supplementalCreds,
665 { "supplementalCreds", "credssp.supplementalCreds",
666 FT_UINT32, BASE_DEC, NULL, 0,
667 "SEQUENCE_OF_TSRemoteGuardPackageCred", HFILL }},
668 { &hf_credssp_supplementalCreds_item,
669 { "TSRemoteGuardPackageCred", "credssp.TSRemoteGuardPackageCred_element",
670 FT_NONE, BASE_NONE, NULL, 0,
671 NULL, HFILL }},
672 { &hf_credssp_credType,
673 { "credType", "credssp.credType",
674 FT_INT32, BASE_DEC, NULL, 0,
675 NULL, HFILL }},
676 { &hf_credssp_credentials,
677 { "credentials", "credssp.credentials",
678 FT_BYTES, BASE_NONE, NULL, 0,
679 NULL, HFILL }},
680 { &hf_credssp_version,
681 { "version", "credssp.version",
682 FT_INT32, BASE_DEC, NULL, 0,
683 NULL, HFILL }},
684 { &hf_credssp_negoTokens,
685 { "negoTokens", "credssp.negoTokens",
686 FT_UINT32, BASE_DEC, NULL, 0,
687 "NegoData", HFILL }},
688 { &hf_credssp_authInfo,
689 { "authInfo", "credssp.authInfo",
690 FT_BYTES, BASE_NONE, NULL, 0,
691 NULL, HFILL }},
692 { &hf_credssp_pubKeyAuth,
693 { "pubKeyAuth", "credssp.pubKeyAuth",
694 FT_BYTES, BASE_NONE, NULL, 0,
695 NULL, HFILL }},
696 { &hf_credssp_errorCode,
697 { "errorCode", "credssp.errorCode",
698 FT_INT32, BASE_DEC, NULL, 0,
699 NULL, HFILL }},
700 { &hf_credssp_clientNonce,
701 { "clientNonce", "credssp.clientNonce",
702 FT_BYTES, BASE_NONE, NULL, 0,
703 NULL, HFILL }},
704 };
705
706 /* List of subtrees */
707 static int *ett[] = {
708 &ett_credssp,
709 &ett_credssp_RGC_CredBuffer,
710 &ett_credssp_NegoData,
711 &ett_credssp_NegoData_item,
712 &ett_credssp_TSPasswordCreds,
713 &ett_credssp_TSCspDataDetail,
714 &ett_credssp_TSSmartCardCreds,
715 &ett_credssp_TSRemoteGuardPackageCred,
716 &ett_credssp_TSRemoteGuardCreds,
717 &ett_credssp_SEQUENCE_OF_TSRemoteGuardPackageCred,
718 &ett_credssp_TSCredentials,
719 &ett_credssp_TSRequest,
720 };
721
722
723 /* Register protocol */
724 proto_credssp = proto_register_protocol(PNAME, PSNAME, PFNAME);
725 register_dissector("credssp", dissect_credssp, proto_credssp);
726
727 /* Register fields and subtrees */
728 proto_register_field_array(proto_credssp, hf, array_length(hf));
729 proto_register_subtree_array(ett, array_length(ett));
730
731 /* heuristic dissectors for any preamble e.g. CredSSP before RDP */
732 credssp_heur_subdissector_list = register_heur_dissector_list_with_description("credssp", "Unused", proto_credssp);
733
734 }
735
736
737 /*--- proto_reg_handoff_credssp --- */
738 void proto_reg_handoff_credssp(void) {
739
740 gssapi_handle = find_dissector_add_dependency("gssapi", proto_credssp);
741 gssapi_wrap_handle = find_dissector_add_dependency("gssapi_verf", proto_credssp);
742
743 heur_dissector_add("tls", dissect_credssp_heur, "CredSSP over TLS", "credssp_tls", proto_credssp, HEURISTIC_ENABLE);
744 heur_dissector_add("rdp", dissect_credssp_heur, "CredSSP in TPKT", "credssp_tpkt", proto_credssp, HEURISTIC_ENABLE);
745 exported_pdu_tap = find_tap_id(EXPORT_PDU_TAP_NAME_LAYER_7);
746 }
747
Metzes wireshark repo