search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
epan/dissectors/pidl/samr/samr.cnf cnf_dissect_lsa_BinaryString => lsarpc_dissect_str...
[wireshark-sm.git] / epan / dissectors / packet-smtp.c
blob8d7fe6e856d9d592a2ac4fa51561cff454a952c7
1 /* packet-smtp.c
2 * Routines for SMTP packet disassembly
3 *
4 * Copyright (c) 2000 by Richard Sharpe <rsharpe@ns.aus.com>
5 *
6 * Added RFC 4954 SMTP Authentication
7 * Michael Mann * Copyright 2012
8 * Added RFC 2920 Pipelining and RFC 3030 BDAT Pipelining
9 * John Thacker <johnthacker@gmail.com>
10 *
11 * Wireshark - Network traffic analyzer
12 * By Gerald Combs <gerald@wireshark.org>
13 * Copyright 1999 Gerald Combs
14 *
15 * SPDX-License-Identifier: GPL-2.0-or-later
16 */
17
18 #include "config.h"
19
20 #include <stdlib.h>
21
22 #include <epan/packet.h>
23 #include <epan/conversation.h>
24 #include <epan/prefs.h>
25 #include <epan/strutil.h>
26 #include <epan/reassemble.h>
27 #include <epan/proto_data.h>
28
29 #include <ui/tap-credentials.h>
30 #include <tap.h>
31
32 #include <wsutil/str_util.h>
33 #include "packet-tls.h"
34 #include "packet-tls-utils.h"
35
36 /* RFC 2821 */
37 #define TCP_PORT_SMTP "25"
38 #define TCP_PORT_SSL_SMTP 465
39
40 /* RFC 4409 */
41 #define TCP_PORT_SUBMISSION 587
42
43 void proto_register_smtp(void);
44 void proto_reg_handoff_smtp(void);
45
46 static int proto_smtp;
47
48 static int credentials_tap;
49
50 static int hf_smtp_req;
51 static int hf_smtp_rsp;
52 static int hf_smtp_message;
53 static int hf_smtp_command_line;
54 static int hf_smtp_req_command;
55 static int hf_smtp_req_parameter;
56 static int hf_smtp_response;
57 static int hf_smtp_rsp_code;
58 static int hf_smtp_rsp_parameter;
59 static int hf_smtp_username;
60 static int hf_smtp_password;
61 static int hf_smtp_username_password;
62 static int hf_smtp_eom;
63
64 static int hf_smtp_data_fragments;
65 static int hf_smtp_data_fragment;
66 static int hf_smtp_data_fragment_overlap;
67 static int hf_smtp_data_fragment_overlap_conflicts;
68 static int hf_smtp_data_fragment_multiple_tails;
69 static int hf_smtp_data_fragment_too_long_fragment;
70 static int hf_smtp_data_fragment_error;
71 static int hf_smtp_data_fragment_count;
72 static int hf_smtp_data_reassembled_in;
73 static int hf_smtp_data_reassembled_length;
74
75 static int ett_smtp;
76 static int ett_smtp_cmdresp;
77
78 static int ett_smtp_data_fragment;
79 static int ett_smtp_data_fragments;
80
81 static expert_field ei_smtp_base64_decode;
82 static expert_field ei_smtp_rsp_code;
83
84 static bool smtp_auth_parameter_decoding_enabled;
85 /* desegmentation of SMTP command and response lines */
86 static bool smtp_desegment = true;
87 static bool smtp_data_desegment = true;
88
89 static reassembly_table smtp_data_reassembly_table;
90
91 static const fragment_items smtp_data_frag_items = {
92 /* Fragment subtrees */
93 &ett_smtp_data_fragment,
94 &ett_smtp_data_fragments,
95 /* Fragment fields */
96 &hf_smtp_data_fragments,
97 &hf_smtp_data_fragment,
98 &hf_smtp_data_fragment_overlap,
99 &hf_smtp_data_fragment_overlap_conflicts,
100 &hf_smtp_data_fragment_multiple_tails,
101 &hf_smtp_data_fragment_too_long_fragment,
102 &hf_smtp_data_fragment_error,
103 &hf_smtp_data_fragment_count,
104 /* Reassembled in field */
105 &hf_smtp_data_reassembled_in,
106 /* Reassembled length field */
107 &hf_smtp_data_reassembled_length,
108 /* Reassembled data field */
109 NULL,
110 /* Tag */
111 "DATA fragments"
112 };
113
114 static dissector_handle_t smtp_handle;
115 static dissector_handle_t tls_handle;
116 static dissector_handle_t imf_handle;
117 static dissector_handle_t ntlmssp_handle;
118 static dissector_handle_t data_text_lines_handle;
119
120 /*
121 * A CMD is an SMTP command, MESSAGE is the message portion, and EOM is the
122 * last part of a message
123 */
124 #define SMTP_PDU_CMD 0
125 #define SMTP_PDU_MESSAGE 1
126 #define SMTP_PDU_EOM 2
127
128 struct smtp_proto_data {
129 uint16_t pdu_type;
130 uint16_t conversation_id;
131 bool more_frags;
132 int end_offset;
133 struct smtp_proto_data *next;
134 };
135
136 /*
137 * State information stored with a conversation.
138 */
139 typedef enum {
140 SMTP_STATE_START, /* Start of SMTP conversion */
141 SMTP_STATE_READING_CMDS, /* reading commands */
142 SMTP_STATE_READING_DATA, /* reading message data */
143 SMTP_STATE_AWAITING_STARTTLS_RESPONSE /* sent STARTTLS, awaiting response */
144 } smtp_state_t;
145
146 typedef enum {
147 SMTP_AUTH_STATE_NONE, /* No authentication seen or used */
148 SMTP_AUTH_STATE_START, /* Authentication started, waiting for username */
149 SMTP_AUTH_STATE_USERNAME_REQ, /* Received username request from server */
150 SMTP_AUTH_STATE_USERNAME_RSP, /* Received username response from client */
151 SMTP_AUTH_STATE_PASSWORD_REQ, /* Received password request from server */
152 SMTP_AUTH_STATE_PASSWORD_RSP, /* Received password request from server */
153 SMTP_AUTH_STATE_PLAIN_START_REQ, /* Received AUTH PLAIN command from client*/
154 SMTP_AUTH_STATE_PLAIN_CRED_REQ, /* Received AUTH PLAIN command including creds from client*/
155 SMTP_AUTH_STATE_PLAIN_REQ, /* Received AUTH PLAIN request from server */
156 SMTP_AUTH_STATE_PLAIN_RSP, /* Received AUTH PLAIN response from client */
157 SMTP_AUTH_STATE_NTLM_REQ, /* Received ntlm negotiate request from client */
158 SMTP_AUTH_STATE_NTLM_CHALLANGE, /* Received ntlm challenge request from server */
159 SMTP_AUTH_STATE_NTLM_RSP, /* Received ntlm auth request from client */
160 SMTP_AUTH_STATE_SUCCESS, /* Password received, authentication successful, start decoding */
161 SMTP_AUTH_STATE_FAILED /* authentication failed, no decoding */
162 } smtp_auth_state_t;
163
164 typedef enum {
165 SMTP_MULTILINE_NONE,
166 SMTP_MULTILINE_START,
167 SMTP_MULTILINE_CONTINUE,
168 SMTP_MULTILINE_END
169
170 } smtp_multiline_state_t;
171
172 struct smtp_session_state {
173 smtp_state_t smtp_state; /* Current state */
174 smtp_auth_state_t auth_state; /* Current authentication state */
175 /* Values that need to be saved because state machine can't be used during tree dissection */
176 uint32_t first_auth_frame; /* First frame involving authentication. */
177 uint32_t username_frame; /* Frame containing client username */
178 uint32_t password_frame; /* Frame containing client password */
179 uint32_t last_auth_frame; /* Last frame involving authentication. */
180 uint8_t* username; /* The username in the authentication. */
181 bool crlf_seen; /* Have we seen a CRLF on the end of a packet */
182 bool data_seen; /* Have we seen a DATA command yet */
183 uint32_t msg_read_len; /* Length of BDAT message read so far */
184 uint32_t msg_tot_len; /* Total length of BDAT message */
185 bool msg_last; /* Is this the last BDAT chunk */
186 uint32_t username_cmd_frame; /* AUTH command contains username */
187 uint32_t user_pass_cmd_frame; /* AUTH command contains username and password */
188 uint32_t user_pass_frame; /* Frame contains username and password */
189 uint32_t ntlm_req_frame; /* Frame containing NTLM request */
190 uint32_t ntlm_cha_frame; /* Frame containing NTLM challenge. */
191 uint32_t ntlm_rsp_frame; /* Frame containing NTLM response. */
192 };
193
194 /*
195 * See
196 *
197 * http://support.microsoft.com/default.aspx?scid=kb;[LN];812455
198 *
199 * for the Exchange extensions.
200 */
201 static const struct {
202 const char *command;
203 int len;
204 } commands[] = {
205 { "STARTTLS", 8 }, /* RFC 2487 */
206 { "X-EXPS", 6 }, /* Microsoft Exchange */
207 { "X-LINK2STATE", 12 }, /* Microsoft Exchange */
208 { "XEXCH50", 7 } /* Microsoft Exchange */
209 };
210
211 #define NCOMMANDS array_length(commands)
212
213 /* The following were copied from RFC 2821 */
214 static const value_string response_codes_vs[] = {
215 { 211, "System status, or system help reply" },
216 { 214, "Help message" },
217 { 220, "<domain> Service ready" },
218 { 221, "<domain> Service closing transmission channel" },
219 { 235, "Authentication successful" },
220 { 250, "Requested mail action okay, completed" },
221 { 251, "User not local; will forward to <forward-path>" },
222 { 252, "Cannot VRFY user, but will accept message and attempt delivery" },
223 { 334, "AUTH input" },
224 { 354, "Start mail input; end with <CRLF>.<CRLF>" },
225 { 421, "<domain> Service not available, closing transmission channel" },
226 { 432, "A password transition is needed" },
227 { 450, "Requested mail action not taken: mailbox unavailable" },
228 { 451, "Requested action aborted: local error in processing" },
229 { 452, "Requested action not taken: insufficient system storage" },
230 { 454, "Temporary authentication failed" },
231 { 500, "Syntax error, command unrecognized" },
232 { 501, "Syntax error in parameters or arguments" },
233 { 502, "Command not implemented" },
234 { 503, "Bad sequence of commands" },
235 { 504, "Command parameter not implemented" },
236 { 530, "Authentication required" },
237 { 534, "Authentication mechanism is too weak" },
238 { 535, "Authentication credentials invalid" },
239 { 538, "Encryption required for requested authentication mechanism" },
240 { 550, "Requested action not taken: mailbox unavailable" },
241 { 551, "User not local; please try <forward-path>" },
242 { 552, "Requested mail action aborted: exceeded storage allocation" },
243 { 553, "Requested action not taken: mailbox name not allowed" },
244 { 554, "Transaction failed" },
245 { 0, NULL }
246 };
247 static value_string_ext response_codes_vs_ext = VALUE_STRING_EXT_INIT(response_codes_vs);
248
249 static struct smtp_proto_data*
250 append_pdu(struct smtp_proto_data *spd_frame_data)
251 {
252 DISSECTOR_ASSERT(spd_frame_data && spd_frame_data->next == NULL);
253 struct smtp_proto_data *new_pdu = wmem_new0(wmem_file_scope(), struct smtp_proto_data);
254 new_pdu->conversation_id = spd_frame_data->conversation_id;
255 new_pdu->more_frags = true;
256 spd_frame_data->next = new_pdu;
257
258 return new_pdu;
259 }
260
261 static bool
262 line_is_smtp_command(const unsigned char *command, int commandlen)
263 {
264 size_t i;
265
266 /*
267 * To quote RFC 821, "Command codes are four alphabetic
268 * characters".
269 *
270 * However, there are some SMTP extensions that involve commands
271 * longer than 4 characters and/or that contain non-alphabetic
272 * characters; we treat them specially.
273 *
274 * XXX - should we just have a table of known commands? Or would
275 * that fail to catch some extensions we don't know about?
276 */
277 if (commandlen == 4 && g_ascii_isalpha(command[0]) &&
278 g_ascii_isalpha(command[1]) && g_ascii_isalpha(command[2]) &&
279 g_ascii_isalpha(command[3])) {
280 /* standard 4-alphabetic command */
281 return true;
282 }
283
284 /*
285 * Check the list of non-4-alphabetic commands.
286 */
287 for (i = 0; i < NCOMMANDS; i++) {
288 if (commandlen == commands[i].len &&
289 g_ascii_strncasecmp(command, commands[i].command, commands[i].len) == 0)
290 return true;
291 }
292 return false;
293 }
294
295 static void
296 dissect_smtp_data(tvbuff_t *tvb, int offset, proto_tree *smtp_tree)
297 {
298 int next_offset;
299
300 if (smtp_tree) {
301 while (tvb_offset_exists(tvb, offset)) {
302 /*
303 * Find the end of the line.
304 */
305 tvb_find_line_end(tvb, offset, -1, &next_offset, false);
306
307 /*
308 * Put this line.
309 */
310 proto_tree_add_item(smtp_tree, hf_smtp_message, tvb,
311 offset, next_offset - offset, ENC_ASCII);
312
313 /*
314 * Step to the next line.
315 */
316 offset = next_offset;
317 }
318 }
319 }
320
321 static void
322 dissect_ntlm_auth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
323 const char *line)
324 {
325 tvbuff_t *ntlm_tvb;
326
327 ntlm_tvb = base64_to_tvb(tvb, line);
328 if(tvb_strneql(ntlm_tvb, 0, "NTLMSSP", 7) == 0) {
329 add_new_data_source(pinfo, ntlm_tvb, "NTLMSSP Data");
330 call_dissector(ntlmssp_handle, ntlm_tvb, pinfo, tree);
331 }
332 }
333
334 static void
335 decode_plain_auth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
336 int a_offset, int a_linelen)
337 {
338 int returncode;
339 int length_user1;
340 int length_user2;
341 int length_pass;
342 uint8_t *decrypt = NULL;
343 proto_item *ti;
344 size_t len = 0;
345
346 decrypt = tvb_get_string_enc(pinfo->pool, tvb, a_offset, a_linelen, ENC_ASCII);
347 if (smtp_auth_parameter_decoding_enabled) {
348 if (strlen(decrypt) > 1) {
349 g_base64_decode_inplace(decrypt, &len);
350 decrypt[len] = 0;
351 }
352 returncode = (int)len;
353 if (returncode) {
354 char* username;
355 length_user1 = (int)strlen(decrypt);
356 if (returncode >= (length_user1 + 1)) {
357 length_user2 = (int)strlen(decrypt + length_user1 + 1);
358 proto_tree_add_string(tree, hf_smtp_username, tvb,
359 a_offset, a_linelen, decrypt + length_user1 + 1);
360 username = format_text(pinfo->pool, decrypt + length_user1 + 1, length_user2);
361 col_append_fstr(pinfo->cinfo, COL_INFO, "User: %s", username);
362
363 if (returncode >= (length_user1 + 1 + length_user2 + 1)) {
364 length_pass = (int)strlen(decrypt + length_user1 + length_user2 + 2);
365 proto_tree_add_string(tree, hf_smtp_password, tvb,
366 a_offset, length_pass, decrypt + length_user1 + length_user2 + 2);
367 col_append_str(pinfo->cinfo, COL_INFO, " ");
368 col_append_fstr(pinfo->cinfo, COL_INFO, " Pass: %s",
369 format_text(pinfo->pool, decrypt + length_user1 + length_user2 + 2, length_pass));
370
371 tap_credential_t* auth = wmem_new0(pinfo->pool, tap_credential_t);
372 auth->num = pinfo->num;
373 auth->username_num = pinfo->num;
374 auth->password_hf_id = hf_smtp_password;
375 auth->username = username;
376 auth->proto = "SMTP";
377 tap_queue_packet(credentials_tap, pinfo, auth);
378 }
379 }
380 }
381 }
382 else {
383 ti = proto_tree_add_item(tree, hf_smtp_username_password, tvb,
384 a_offset, a_linelen, ENC_ASCII);
385 expert_add_info(pinfo, ti, &ei_smtp_base64_decode);
386 col_append_str(pinfo->cinfo, COL_INFO, format_text(pinfo->pool, decrypt, a_linelen));
387 }
388 }
389
390 static int
391 dissect_smtp_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *smtp_tree, struct smtp_session_state *session_state, struct smtp_proto_data *spd_frame_data, bool first_pdu)
392 {
393 proto_item *ti, *hidden_item;
394 proto_tree *cmdresp_tree = NULL;
395 int offset = 0;
396 int next_offset;
397 int linelen = 0;
398 int length_remaining;
399 int cmdlen;
400 fragment_head *frag_msg = NULL;
401 tvbuff_t *next_tvb;
402 uint8_t *decrypt = NULL;
403 size_t decrypt_len = 0;
404 uint8_t *base64_string = NULL;
405
406 switch (spd_frame_data->pdu_type) {
407
408 case SMTP_PDU_MESSAGE:
409 /* Column Info */
410 length_remaining = tvb_reported_length_remaining(tvb, offset);
411 if (first_pdu)
412 col_append_str(pinfo->cinfo, COL_INFO, "C: ");
413 else
414 col_append_str(pinfo->cinfo, COL_INFO, " | ");
415 col_append_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "DATA fragment" : "Message Body");
416 col_append_fstr(pinfo->cinfo, COL_INFO, ", %d byte%s", length_remaining,
417 plurality (length_remaining, "", "s"));
418
419 if (smtp_data_desegment) {
420 frag_msg = fragment_add_seq_next(&smtp_data_reassembly_table, tvb, 0,
421 pinfo, spd_frame_data->conversation_id, NULL,
422 tvb_reported_length(tvb),
423 spd_frame_data->more_frags);
424 if (spd_frame_data->more_frags) {
425 /* Show the text lines within this PDU fragment
426 * Calling this on the last fragment would interfere with
427 * process reassembled data below, by changing the layer number.
428 * (We'll display the data anyway as part of the reassembly.)
429 */
430 call_dissector(data_text_lines_handle, tvb, pinfo, smtp_tree);
431 }
432 } else {
433 /*
434 * Message body.
435 * Put its lines into the protocol tree, a line at a time.
436 */
437 dissect_smtp_data(tvb, offset, smtp_tree);
438 }
439 break;
440
441 case SMTP_PDU_EOM:
442 /*
443 * End-of-message-body indicator.
444 */
445 if (first_pdu)
446 col_append_str(pinfo->cinfo, COL_INFO, "C: ");
447 else
448 col_append_str(pinfo->cinfo, COL_INFO, " | ");
449 col_append_str(pinfo->cinfo, COL_INFO, ".");
450
451 proto_tree_add_none_format(smtp_tree, hf_smtp_eom, tvb, offset, 3, "C: .");
452
453 break;
454
455 case SMTP_PDU_CMD:
456 /*
457 * Command.
458 */
459
460 while (tvb_offset_exists(tvb, offset)) {
461 /*
462 * Find the end of the line.
463 */
464 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, false);
465
466 /* Column Info */
467 if (first_pdu && offset == 0)
468 col_append_str(pinfo->cinfo, COL_INFO, "C: ");
469 else
470 col_append_str(pinfo->cinfo, COL_INFO, " | ");
471
472 hidden_item = proto_tree_add_boolean(smtp_tree, hf_smtp_req, tvb,
473 0, 0, true);
474 proto_item_set_hidden(hidden_item);
475
476 if (session_state->username_frame == pinfo->num) {
477 if (decrypt == NULL) {
478 /* This line wasn't already decrypted through the state machine */
479 decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset, linelen, ENC_ASCII);
480 decrypt_len = linelen;
481 if (smtp_auth_parameter_decoding_enabled) {
482 if (strlen(decrypt) > 1) {
483 g_base64_decode_inplace(decrypt, &decrypt_len);
484 decrypt[decrypt_len] = 0;
485 } else {
486 decrypt_len = 0;
487 }
488 if (decrypt_len == 0) {
489 /* Go back to the original string */
490 decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset, linelen, ENC_ASCII);
491 decrypt_len = linelen;
492 }
493 }
494 }
495
496 if (!session_state->username)
497 session_state->username = wmem_strdup(wmem_file_scope(), decrypt);
498 proto_tree_add_string(smtp_tree, hf_smtp_username, tvb,
499 offset, linelen, decrypt);
500 col_append_fstr(pinfo->cinfo, COL_INFO, "User: %s", format_text(pinfo->pool, decrypt, decrypt_len));
501 } else if (session_state->password_frame == pinfo->num) {
502 if (decrypt == NULL) {
503 /* This line wasn't already decrypted through the state machine */
504 decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset, linelen, ENC_ASCII);
505 decrypt_len = linelen;
506 if (smtp_auth_parameter_decoding_enabled) {
507 if (strlen(decrypt) > 1) {
508 g_base64_decode_inplace(decrypt, &decrypt_len);
509 decrypt[decrypt_len] = 0;
510 } else {
511 decrypt_len = 0;
512 }
513 if (decrypt_len == 0) {
514 /* Go back to the original string */
515 decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset, linelen, ENC_ASCII);
516 decrypt_len = linelen;
517 }
518 }
519 }
520 proto_tree_add_string(smtp_tree, hf_smtp_password, tvb,
521 offset, linelen, decrypt);
522 col_append_fstr(pinfo->cinfo, COL_INFO, "Pass: %s", format_text(pinfo->pool, decrypt, decrypt_len));
523
524 tap_credential_t* auth = wmem_new0(pinfo->pool, tap_credential_t);
525 auth->num = pinfo->num;
526 auth->username_num = session_state->username_frame;
527 auth->password_hf_id = hf_smtp_password;
528 auth->username = session_state->username;
529 auth->proto = "SMTP";
530 auth->info = wmem_strdup_printf(pinfo->pool, "Username in packet %u", auth->username_num);
531 tap_queue_packet(credentials_tap, pinfo, auth);
532 } else if (session_state->ntlm_rsp_frame == pinfo->num) {
533 decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset, linelen, ENC_ASCII);
534 decrypt_len = linelen;
535 if (smtp_auth_parameter_decoding_enabled) {
536 if (strlen(decrypt) > 1) {
537 g_base64_decode_inplace(decrypt, &decrypt_len);
538 decrypt[decrypt_len] = 0;
539 } else {
540 decrypt_len = 0;
541 }
542 if (decrypt_len == 0) {
543 /* Go back to the original string */
544 decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset, linelen, ENC_ASCII);
545 decrypt_len = linelen;
546 col_append_str(pinfo->cinfo, COL_INFO, format_text(pinfo->pool, decrypt, linelen));
547 proto_tree_add_item(smtp_tree, hf_smtp_command_line, tvb,
548 offset, linelen, ENC_ASCII);
549 }
550 else {
551 base64_string = tvb_get_string_enc(pinfo->pool, tvb, offset, linelen, ENC_ASCII);
552 dissect_ntlm_auth(tvb, pinfo, smtp_tree, base64_string);
553 }
554 }
555 else {
556 col_append_str(pinfo->cinfo, COL_INFO, format_text(pinfo->pool, decrypt, linelen));
557 proto_tree_add_item(smtp_tree, hf_smtp_command_line, tvb,
558 offset, linelen, ENC_ASCII);
559 }
560 } else if (session_state->user_pass_frame == pinfo->num) {
561 decode_plain_auth(tvb, pinfo, smtp_tree, offset, linelen);
562 } else {
563
564 if (linelen >= 4)
565 cmdlen = 4;
566 else
567 cmdlen = linelen;
568
569 /*
570 * Put the command line into the protocol tree.
571 */
572 ti = proto_tree_add_item(smtp_tree, hf_smtp_command_line, tvb,
573 offset, next_offset - offset, ENC_ASCII);
574 cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp);
575
576 proto_tree_add_item(cmdresp_tree, hf_smtp_req_command, tvb,
577 offset, cmdlen, ENC_ASCII);
578
579 if ((linelen > 5) && (session_state->username_cmd_frame == pinfo->num) ) {
580 proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb,
581 offset + 5, linelen - 5, ENC_ASCII);
582
583 if (linelen >= 11) {
584 if (decrypt == NULL) {
585 /* This line wasn't already decrypted through the state machine */
586 decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset + 11, linelen - 11, ENC_ASCII);
587 decrypt_len = linelen - 11;
588 if (smtp_auth_parameter_decoding_enabled) {
589 if (strlen(decrypt) > 1) {
590 g_base64_decode_inplace(decrypt, &decrypt_len);
591 decrypt[decrypt_len] = 0;
592 } else {
593 decrypt_len = 0;
594 }
595 if (decrypt_len == 0) {
596 /* Go back to the original string */
597 decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset + 11, linelen - 11, ENC_ASCII);
598 decrypt_len = linelen - 11;
599 }
600 }
601 }
602 proto_tree_add_string(cmdresp_tree, hf_smtp_username, tvb, offset + 11, linelen - 11, decrypt);
603 col_append_str(pinfo->cinfo, COL_INFO,
604 tvb_format_text(pinfo->pool, tvb, offset, 11));
605 col_append_fstr(pinfo->cinfo, COL_INFO, "User: %s", format_text(pinfo->pool, decrypt, decrypt_len));
606 }
607 }
608 else if ((linelen > 5) && (session_state->ntlm_req_frame == pinfo->num) ) {
609 proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb,
610 offset + 5, linelen - 5, ENC_ASCII);
611 if (linelen >= 10) {
612 decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset + 10, linelen - 10, ENC_ASCII);
613 decrypt_len = linelen - 10;
614 if (smtp_auth_parameter_decoding_enabled) {
615 if (strlen(decrypt) > 1) {
616 g_base64_decode_inplace(decrypt, &decrypt_len);
617 decrypt[decrypt_len] = 0;
618 } else {
619 decrypt_len = 0;
620 }
621 if (decrypt_len == 0) {
622 /* Go back to the original string */
623 decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset + 10, linelen - 10, ENC_ASCII);
624 decrypt_len = linelen - 10;
625 col_append_str(pinfo->cinfo, COL_INFO,
626 tvb_format_text(pinfo->pool, tvb, offset, 10));
627 col_append_str(pinfo->cinfo, COL_INFO, format_text(pinfo->pool, decrypt, linelen - 10));
628 }
629 else {
630 base64_string = tvb_get_string_enc(pinfo->pool, tvb, offset + 10, linelen - 10, ENC_ASCII);
631 col_append_str(pinfo->cinfo, COL_INFO,
632 tvb_format_text(pinfo->pool, tvb, offset, 10));
633 dissect_ntlm_auth(tvb, pinfo, cmdresp_tree, format_text(pinfo->pool, base64_string, linelen - 10));
634 }
635 }
636 else {
637 col_append_str(pinfo->cinfo, COL_INFO,
638 tvb_format_text(pinfo->pool, tvb, offset, 10));
639 col_append_str(pinfo->cinfo, COL_INFO, format_text(pinfo->pool, decrypt, linelen - 10));
640 }
641 }
642 }
643 else if ((linelen > 5) && (session_state->user_pass_cmd_frame == pinfo->num) ) {
644 proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb,
645 offset + 5, linelen - 5, ENC_ASCII);
646 col_append_str(pinfo->cinfo, COL_INFO,
647 tvb_format_text(pinfo->pool, tvb, offset, 11));
648 decode_plain_auth(tvb, pinfo, cmdresp_tree, offset + 11, linelen - 11);
649 }
650 else if (linelen > 5) {
651 proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb,
652 offset + 5, linelen - 5, ENC_ASCII);
653 col_append_str(pinfo->cinfo, COL_INFO,
654 tvb_format_text(pinfo->pool, tvb, offset, linelen));
655 }
656 else {
657 col_append_str(pinfo->cinfo, COL_INFO,
658 tvb_format_text(pinfo->pool, tvb, offset, linelen));
659 }
660
661 if (smtp_data_desegment && !spd_frame_data->more_frags) {
662 /* terminate the desegmentation */
663 frag_msg = fragment_end_seq_next(&smtp_data_reassembly_table,
664 pinfo, spd_frame_data->conversation_id, NULL);
665 }
666 }
667 /*
668 * Step past this line.
669 */
670 offset = next_offset;
671 }
672 }
673
674 if (smtp_data_desegment && (spd_frame_data->pdu_type == SMTP_PDU_MESSAGE || spd_frame_data->more_frags == false) ) {
675 /* XXX: fragment_add_seq_next() only supports one PDU with a given ID
676 * being completed in a frame.
677 *
678 * RFCs 2920 and 3030 imply that even with pipelining, a frame only
679 * contains one message that ends, as the client needs to handle
680 * responses. If it does happen, we need to track message numbers within
681 * the conversation and use those as part of the frag ID.
682 */
683 next_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled SMTP",
684 frag_msg, &smtp_data_frag_items, NULL, smtp_tree);
685 if (next_tvb) {
686 /* XXX: this is presumptuous - we may have negotiated something else */
687 if (imf_handle) {
688 call_dissector(imf_handle, next_tvb, pinfo, tree);
689 } else {
690 /*
691 * Message body.
692 * Put its lines into the protocol tree, a line at a time.
693 */
694 dissect_smtp_data(tvb, offset, smtp_tree);
695 }
696
697 pinfo->fragmented = false;
698 } else {
699 pinfo->fragmented = true;
700 }
701 }
702 return tvb_captured_length(tvb);
703 }
704
705 static int
706 dissect_smtp_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *smtp_tree, struct smtp_session_state *session_state)
707 {
708 proto_item *ti, *hidden_item;
709 proto_tree *cmdresp_tree = NULL;
710 int offset = 0;
711 int next_offset;
712 int linelen = 0;
713 uint32_t code;
714 uint8_t line_code[3];
715 uint8_t *decrypt = NULL;
716 size_t decrypt_len = 0;
717 uint8_t *base64_string = NULL;
718
719 /*
720 * Process the response, a line at a time, until we hit a line
721 * that doesn't have a continuation indication on it.
722 */
723 hidden_item = proto_tree_add_boolean(smtp_tree, hf_smtp_rsp, tvb, 0, 0, true);
724 proto_item_set_hidden(hidden_item);
725
726 //Multiline information
727 smtp_multiline_state_t multiline_state = SMTP_MULTILINE_NONE;
728 uint32_t multiline_code = 0;
729 proto_item* code_item = NULL;
730
731 while (tvb_offset_exists(tvb, offset)) {
732 /*
733 * Find the end of the line.
734 */
735 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, false);
736
737 if (offset == 0)
738 col_append_str(pinfo->cinfo, COL_INFO, "S: ");
739 else
740 col_append_str(pinfo->cinfo, COL_INFO, " | ");
741
742 if (linelen >= 3) {
743 line_code[0] = tvb_get_uint8(tvb, offset);
744 line_code[1] = tvb_get_uint8(tvb, offset+1);
745 line_code[2] = tvb_get_uint8(tvb, offset+2);
746 if (g_ascii_isdigit(line_code[0]) && g_ascii_isdigit(line_code[1])
747 && g_ascii_isdigit(line_code[2])) {
748 /*
749 * We have a 3-digit response code.
750 */
751 code = (line_code[0] - '0')*100 + (line_code[1] - '0')*10 + (line_code[2] - '0');
752 if ((linelen > 3) && (tvb_get_uint8(tvb, offset + 3) == '-')) {
753 if (multiline_state == SMTP_MULTILINE_NONE) {
754 multiline_state = SMTP_MULTILINE_START;
755 multiline_code = code;
756 } else {
757 multiline_state = SMTP_MULTILINE_CONTINUE;
758 }
759 } else if ((multiline_state == SMTP_MULTILINE_START) || (multiline_state == SMTP_MULTILINE_CONTINUE)) {
760 multiline_state = SMTP_MULTILINE_END;
761 }
762
763 /*
764 * If we're awaiting the response to a STARTTLS code, this
765 * is it - if it's 220, all subsequent traffic will
766 * be TLS, otherwise we're back to boring old SMTP.
767 */
768 if (session_state->smtp_state == SMTP_STATE_AWAITING_STARTTLS_RESPONSE) {
769 if (code == 220) {
770 /* This is the last non-TLS frame. */
771 ssl_starttls_ack(tls_handle, pinfo, smtp_handle);
772 }
773 session_state->smtp_state = SMTP_STATE_READING_CMDS;
774 }
775
776 if (code == 334) {
777 switch(session_state->auth_state)
778 {
779 case SMTP_AUTH_STATE_START:
780 session_state->auth_state = SMTP_AUTH_STATE_USERNAME_REQ;
781 break;
782 case SMTP_AUTH_STATE_USERNAME_RSP:
783 session_state->auth_state = SMTP_AUTH_STATE_PASSWORD_REQ;
784 break;
785 case SMTP_AUTH_STATE_PLAIN_REQ:
786 session_state->auth_state = SMTP_AUTH_STATE_PLAIN_RSP;
787 break;
788 case SMTP_AUTH_STATE_PLAIN_START_REQ:
789 session_state->auth_state = SMTP_AUTH_STATE_PLAIN_REQ;
790 break;
791 case SMTP_AUTH_STATE_NTLM_REQ:
792 session_state->auth_state = SMTP_AUTH_STATE_NTLM_CHALLANGE;
793 break;
794 case SMTP_AUTH_STATE_NONE:
795 case SMTP_AUTH_STATE_USERNAME_REQ:
796 case SMTP_AUTH_STATE_PASSWORD_REQ:
797 case SMTP_AUTH_STATE_PASSWORD_RSP:
798 case SMTP_AUTH_STATE_PLAIN_RSP:
799 case SMTP_AUTH_STATE_PLAIN_CRED_REQ:
800 case SMTP_AUTH_STATE_NTLM_RSP:
801 case SMTP_AUTH_STATE_NTLM_CHALLANGE:
802 case SMTP_AUTH_STATE_SUCCESS:
803 case SMTP_AUTH_STATE_FAILED:
804 /* ignore */
805 break;
806 }
807 } else if ((session_state->auth_state == SMTP_AUTH_STATE_PASSWORD_RSP) ||
808 ( session_state->auth_state == SMTP_AUTH_STATE_PLAIN_RSP) ||
809 ( session_state->auth_state == SMTP_AUTH_STATE_NTLM_RSP) ||
810 ( session_state->auth_state == SMTP_AUTH_STATE_PLAIN_CRED_REQ) ) {
811 if (code == 235) {
812 session_state->auth_state = SMTP_AUTH_STATE_SUCCESS;
813 } else {
814 session_state->auth_state = SMTP_AUTH_STATE_FAILED;
815 }
816 session_state->last_auth_frame = pinfo->num;
817 }
818
819 /*
820 * Put the response code and parameters into the protocol tree.
821 * Only create a new response tree when not in the middle of multiline response.
822 */
823 if ((multiline_state != SMTP_MULTILINE_CONTINUE) &&
824 (multiline_state != SMTP_MULTILINE_END))
825 {
826 ti = proto_tree_add_item(smtp_tree, hf_smtp_response, tvb,
827 offset, next_offset - offset, ENC_ASCII | ENC_NA);
828 cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp);
829
830 code_item = proto_tree_add_uint(cmdresp_tree, hf_smtp_rsp_code, tvb, offset, 3, code);
831 } else if (multiline_code != code) {
832 expert_add_info_format(pinfo, code_item, &ei_smtp_rsp_code, "Unexpected response code %u in multiline response. Expected %u", code, multiline_code);
833 }
834
835 decrypt = NULL;
836 if (linelen >= 4) {
837 if ((smtp_auth_parameter_decoding_enabled) && (code == 334)) {
838 decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset + 4, linelen - 4, ENC_ASCII);
839 if (strlen(decrypt) > 1 && (g_base64_decode_inplace(decrypt, &decrypt_len)) && decrypt_len > 0) {
840 decrypt[decrypt_len] = 0;
841 if (g_ascii_strncasecmp(decrypt, "NTLMSSP", 7) == 0) {
842 base64_string = tvb_get_string_enc(pinfo->pool, tvb, offset + 4, linelen - 4, ENC_ASCII);
843 col_append_fstr(pinfo->cinfo, COL_INFO, "%d ", code);
844 proto_tree_add_string(cmdresp_tree, hf_smtp_rsp_parameter, tvb,
845 offset + 4, linelen - 4, (const char*)base64_string);
846 dissect_ntlm_auth(tvb, pinfo, cmdresp_tree, base64_string);
847 }
848 else {
849 proto_tree_add_string(cmdresp_tree, hf_smtp_rsp_parameter, tvb,
850 offset + 4, linelen - 4, (const char*)decrypt);
851
852 col_append_fstr(pinfo->cinfo, COL_INFO, "%d %s", code, format_text(pinfo->pool, decrypt, decrypt_len));
853 }
854 } else {
855 decrypt = NULL;
856 }
857 }
858
859 if (decrypt == NULL) {
860 proto_tree_add_item(cmdresp_tree, hf_smtp_rsp_parameter, tvb,
861 offset + 4, linelen - 4, ENC_ASCII);
862
863 if ((multiline_state != SMTP_MULTILINE_CONTINUE) &&
864 (multiline_state != SMTP_MULTILINE_END)) {
865 col_append_str(pinfo->cinfo, COL_INFO,
866 tvb_format_text(pinfo->pool, tvb, offset, linelen));
867 } else {
868 col_append_str(pinfo->cinfo, COL_INFO,
869 tvb_format_text(pinfo->pool, tvb, offset+4, linelen-4));
870 }
871 }
872 } else {
873 col_append_str(pinfo->cinfo, COL_INFO,
874 tvb_format_text(pinfo->pool, tvb, offset, linelen));
875 }
876 }
877
878 //Clear multiline state if this is the last line
879 if (multiline_state == SMTP_MULTILINE_END)
880 multiline_state = SMTP_MULTILINE_NONE;
881 }
882 /*
883 * Step past this line.
884 */
885 offset = next_offset;
886
887 }
888 return offset;
889 }
890
891 static int
892 dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
893 {
894 struct smtp_proto_data *spd_frame_data;
895 proto_tree *smtp_tree = NULL;
896 proto_item *ti;
897 int offset = 0;
898 int request = 0;
899 conversation_t *conversation;
900 struct smtp_session_state *session_state;
901 const unsigned char *line, *linep, *lineend;
902 int linelen = 0;
903 bool eom_seen = false;
904 int next_offset;
905 int loffset = 0;
906 int cmdlen;
907 uint8_t *decrypt = NULL;
908 size_t decrypt_len = 0;
909
910 /* As there is no guarantee that we will only see frames in the
911 * the SMTP conversation once, and that we will see them in
912 * order - in Wireshark, the user could randomly click on frames
913 * in the conversation in any order in which they choose - we
914 * have to store information with each frame indicating whether
915 * it contains commands or data or an EOM indication.
916 *
917 * XXX - what about frames that contain *both*? TCP is a
918 * byte-stream protocol, and there are no guarantees that
919 * TCP segment boundaries will correspond to SMTP commands
920 * or EOM indications.
921 *
922 * We only need that for the client->server stream; responses
923 * are easy to manage.
924 *
925 * If we have per frame data, use that, else, we must be on the first
926 * pass, so we figure it out on the first pass.
927 */
928
929 /*
930 * Find or create the conversation for this.
931 */
932 conversation = find_or_create_conversation(pinfo);
933
934 /*
935 * Is there a request structure attached to this conversation?
936 */
937 session_state = (struct smtp_session_state *)conversation_get_proto_data(conversation, proto_smtp);
938 if (!session_state) {
939 /*
940 * No - create one and attach it.
941 */
942 session_state = wmem_new0(wmem_file_scope(), struct smtp_session_state);
943 session_state->smtp_state = SMTP_STATE_START;
944 session_state->auth_state = SMTP_AUTH_STATE_NONE;
945 session_state->msg_last = true;
946
947 conversation_add_proto_data(conversation, proto_smtp, session_state);
948 }
949
950 /* Is this a request or a response? */
951 request = pinfo->destport == pinfo->match_uint;
952
953 /*
954 * Is there any data attached to this frame?
955 */
956 spd_frame_data = (struct smtp_proto_data *)p_get_proto_data(wmem_file_scope(), pinfo, proto_smtp, 0);
957
958 if (!spd_frame_data) {
959
960 /*
961 * No frame data.
962 */
963 if (request) {
964
965 /*
966 * Create a frame data structure and attach it to the packet.
967 */
968 spd_frame_data = wmem_new0(wmem_file_scope(), struct smtp_proto_data);
969
970 spd_frame_data->conversation_id = conversation->conv_index;
971 spd_frame_data->more_frags = true;
972 spd_frame_data->end_offset = tvb_reported_length(tvb);
973
974 p_add_proto_data(wmem_file_scope(), pinfo, proto_smtp, 0, spd_frame_data);
975
976 }
977
978 /*
979 * Get the first line from the buffer.
980 *
981 * Note that "tvb_find_line_end()" will, if it doesn't return
982 * -1, return a value that is not longer than what's in the buffer,
983 * and "tvb_find_line_end()" will always return a value that is not
984 * longer than what's in the buffer, so the "tvb_get_ptr()" call
985 * won't throw an exception.
986 */
987 loffset = offset;
988 while (tvb_offset_exists(tvb, loffset)) {
989 linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset,
990 smtp_desegment && pinfo->can_desegment);
991 if (linelen == -1) {
992 if (offset == loffset) {
993 /*
994 * We didn't find a line ending, and we're doing desegmentation;
995 * tell the TCP dissector where the data for this message starts
996 * in the data it handed us, and tell it we need more bytes
997 */
998 pinfo->desegment_offset = loffset;
999 pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
1000 return tvb_captured_length(tvb);
1001 } else {
1002 linelen = tvb_reported_length_remaining(tvb, loffset);
1003 next_offset = loffset + linelen;
1004 }
1005 }
1006
1007 /*
1008 * Check whether or not this packet is an end of message packet
1009 * We should look for CRLF.CRLF and they may be split.
1010 * We have to keep in mind that we may see what we want on
1011 * two passes through here ...
1012 */
1013 if (request) {
1014 /*
1015 * The order of these is important ... We want to avoid
1016 * cases where there is a CRLF at the end of a packet and a
1017 * .CRLF at the beginning of the same packet.
1018 */
1019 if (session_state->crlf_seen && tvb_strneql(tvb, loffset, ".\r\n", 3) == 0)
1020 eom_seen = true;
1021
1022 if (tvb_strneql(tvb, next_offset-2, "\r\n", 2) == 0) {
1023 session_state->crlf_seen = true;
1024 } else {
1025 session_state->crlf_seen = false;
1026 }
1027 }
1028
1029 /*
1030 * OK, Check if we have seen a DATA request. We do it here for
1031 * simplicity, but we have to be careful below.
1032 */
1033 if (request) {
1034 if (session_state->smtp_state == SMTP_STATE_READING_DATA) {
1035 /*
1036 * This is message data.
1037 */
1038 if (eom_seen) { /* Seen the EOM */
1039 /*
1040 * EOM.
1041 * Everything that comes before it is a message.
1042 * Everything that comes after it is commands.
1043 */
1044 spd_frame_data->pdu_type = SMTP_PDU_MESSAGE;
1045 spd_frame_data->more_frags = false;
1046 spd_frame_data->end_offset = loffset;
1047
1048 spd_frame_data = append_pdu(spd_frame_data);
1049 spd_frame_data->pdu_type = SMTP_PDU_EOM;
1050 spd_frame_data->end_offset = next_offset;
1051
1052 spd_frame_data = append_pdu(spd_frame_data);
1053 spd_frame_data->end_offset = tvb_reported_length(tvb);
1054
1055 session_state->smtp_state = SMTP_STATE_READING_CMDS;
1056 } else {
1057 /*
1058 * Message data with no EOM.
1059 */
1060 spd_frame_data->pdu_type = SMTP_PDU_MESSAGE;
1061
1062 if (session_state->msg_tot_len > 0) {
1063 /*
1064 * We are handling a BDAT message.
1065 * Check if we have reached end of the data chunk.
1066 */
1067
1068 uint32_t msg_len = MIN((uint32_t)tvb_reported_length_remaining(tvb, loffset), (session_state->msg_tot_len - session_state->msg_read_len));
1069 session_state->msg_read_len += msg_len;
1070 /*
1071 * Since we're grabbing the rest of the packet or the data chunk,
1072 * update the offset accordingly.
1073 */
1074 next_offset = loffset + msg_len;
1075 spd_frame_data->end_offset = next_offset;
1076
1077 if (session_state->msg_read_len == session_state->msg_tot_len) {
1078 /*
1079 * We have reached end of BDAT data chunk.
1080 * Everything that comes after this is commands.
1081 */
1082
1083 if (session_state->msg_last) {
1084 /*
1085 * We have found the LAST data chunk.
1086 * The message can now be reassembled.
1087 */
1088 spd_frame_data->more_frags = false;
1089 }
1090
1091 spd_frame_data = append_pdu(spd_frame_data);
1092 spd_frame_data->end_offset = tvb_reported_length(tvb);
1093
1094 session_state->smtp_state = SMTP_STATE_READING_CMDS;
1095 }
1096 }
1097 }
1098 } else {
1099 /*
1100 * This is commands - unless the capture started in the
1101 * middle of a session, and we're in the middle of data.
1102 *
1103 * Commands are not necessarily 4 characters; look
1104 * for a space or the end of the line to see where
1105 * the putative command ends.
1106 */
1107 if ((session_state->auth_state != SMTP_AUTH_STATE_NONE) &&
1108 (pinfo->num >= session_state->first_auth_frame) &&
1109 ((session_state->last_auth_frame == 0) || (pinfo->num <= session_state->last_auth_frame))) {
1110 decrypt = tvb_get_string_enc(pinfo->pool, tvb, loffset, linelen, ENC_ASCII);
1111 if ((smtp_auth_parameter_decoding_enabled) &&
1112 (strlen(decrypt) > 1) &&
1113 (g_base64_decode_inplace(decrypt, &decrypt_len)) &&
1114 (decrypt_len > 0)) {
1115 decrypt[decrypt_len] = 0;
1116 line = decrypt;
1117 linelen = (int)decrypt_len;
1118 } else {
1119 line = tvb_get_ptr(tvb, loffset, linelen);
1120 decrypt_len = linelen;
1121 }
1122 } else {
1123 line = tvb_get_ptr(tvb, loffset, linelen);
1124 }
1125
1126 linep = line;
1127 lineend = line + linelen;
1128 while (linep < lineend && *linep != ' ')
1129 linep++;
1130 cmdlen = (int)(linep - line);
1131 if (line_is_smtp_command(line, cmdlen) &&
1132 ( session_state->auth_state != SMTP_AUTH_STATE_PASSWORD_REQ )) {
1133 if (g_ascii_strncasecmp(line, "DATA", 4) == 0) {
1134 /*
1135 * DATA command.
1136 * This is a command, but everything that comes after it,
1137 * until an EOM, is data.
1138 */
1139 spd_frame_data->pdu_type = SMTP_PDU_CMD;
1140 session_state->smtp_state = SMTP_STATE_READING_DATA;
1141 session_state->data_seen = true;
1142 } else if (g_ascii_strncasecmp(line, "BDAT", 4) == 0) {
1143 /*
1144 * BDAT command.
1145 * This is a command, but everything that comes after it,
1146 * until given length is received, is data.
1147 */
1148 uint32_t msg_len;
1149
1150 msg_len = (uint32_t)strtoul (line+5, NULL, 10);
1151
1152 spd_frame_data->pdu_type = SMTP_PDU_CMD;
1153
1154 session_state->data_seen = true;
1155 session_state->msg_tot_len += msg_len;
1156
1157 if (g_ascii_strncasecmp(line+linelen-4, "LAST", 4) == 0) {
1158 /*
1159 * This is the last data chunk.
1160 */
1161 session_state->msg_last = true;
1162
1163 if (msg_len == 0) {
1164 /*
1165 * No more data to expect.
1166 * The message can now be reassembled.
1167 */
1168 spd_frame_data->more_frags = false;
1169 }
1170 } else {
1171 session_state->msg_last = false;
1172 }
1173
1174 if (msg_len == 0) {
1175 /* No data to read, next will be another command */
1176 session_state->smtp_state = SMTP_STATE_READING_CMDS;
1177 } else {
1178 session_state->smtp_state = SMTP_STATE_READING_DATA;
1179 spd_frame_data->end_offset = next_offset;
1180
1181 spd_frame_data = append_pdu(spd_frame_data);
1182 spd_frame_data->end_offset = tvb_reported_length(tvb);
1183 }
1184 } else if (g_ascii_strncasecmp(line, "RSET", 4) == 0) {
1185 /*
1186 * RSET command.
1187 * According to RFC 3030, the RSET command clears all BDAT
1188 * segments and resets the transaction. It is possible to
1189 * use DATA and BDAT in the same session, so long as they
1190 * are not mixed in the same transaction.
1191 */
1192 spd_frame_data->pdu_type = SMTP_PDU_CMD;
1193 session_state->msg_last = true;
1194 session_state->msg_tot_len = 0;
1195 session_state->msg_read_len = 0;
1196 } else if ((g_ascii_strncasecmp(line, "AUTH LOGIN", 10) == 0) && (linelen <= 11)) {
1197 /*
1198 * AUTH LOGIN command.
1199 * Username is in a separate frame
1200 */
1201 spd_frame_data->pdu_type = SMTP_PDU_CMD;
1202 session_state->smtp_state = SMTP_STATE_READING_CMDS;
1203 session_state->auth_state = SMTP_AUTH_STATE_START;
1204 session_state->first_auth_frame = pinfo->num;
1205 } else if ((g_ascii_strncasecmp(line, "AUTH LOGIN", 10) == 0) && (linelen > 11)) {
1206 /*
1207 * AUTH LOGIN command.
1208 * Username follows the 'AUTH LOGIN' string
1209 */
1210 spd_frame_data->pdu_type = SMTP_PDU_CMD;
1211 session_state->smtp_state = SMTP_STATE_READING_CMDS;
1212 session_state->auth_state = SMTP_AUTH_STATE_USERNAME_RSP;
1213 session_state->first_auth_frame = pinfo->num;
1214 session_state->username_cmd_frame = pinfo->num;
1215 } else if ((g_ascii_strncasecmp(line, "AUTH PLAIN", 10) == 0) && (linelen <= 11)) {
1216 /*
1217 * AUTH PLAIN command.
1218 * Username and Password is in one separate frame
1219 */
1220 spd_frame_data->pdu_type = SMTP_PDU_CMD;
1221 session_state->smtp_state = SMTP_STATE_READING_CMDS;
1222 session_state->auth_state = SMTP_AUTH_STATE_PLAIN_START_REQ;
1223 session_state->first_auth_frame = pinfo->num;
1224 } else if ((g_ascii_strncasecmp(line, "AUTH PLAIN", 10) == 0) && (linelen > 11)) {
1225 /*
1226 * AUTH PLAIN command.
1227 * Username and Password follows the 'AUTH PLAIN' string
1228 */
1229 spd_frame_data->pdu_type = SMTP_PDU_CMD;
1230 session_state->smtp_state = SMTP_STATE_READING_CMDS;
1231 session_state->auth_state = SMTP_AUTH_STATE_PLAIN_CRED_REQ;
1232 session_state->first_auth_frame = pinfo->num;
1233 session_state->user_pass_cmd_frame = pinfo->num;
1234 } else if ((g_ascii_strncasecmp(line, "AUTH NTLM", 9) == 0) && (linelen > 10)) {
1235 /*
1236 * AUTH NTLM command with nlmssp request
1237 */
1238 spd_frame_data->pdu_type = SMTP_PDU_CMD;
1239 session_state->smtp_state = SMTP_STATE_READING_CMDS;
1240 session_state->auth_state = SMTP_AUTH_STATE_NTLM_REQ;
1241 session_state->ntlm_req_frame = pinfo->num;
1242 } else if (g_ascii_strncasecmp(line, "STARTTLS", 8) == 0) {
1243 /*
1244 * STARTTLS command.
1245 * This is a command, but if the response is 220,
1246 * everything after the response is TLS.
1247 */
1248 session_state->smtp_state = SMTP_STATE_AWAITING_STARTTLS_RESPONSE;
1249 spd_frame_data->pdu_type = SMTP_PDU_CMD;
1250 } else {
1251 /*
1252 * Regular command.
1253 */
1254 spd_frame_data->pdu_type = SMTP_PDU_CMD;
1255 }
1256 } else if (session_state->auth_state == SMTP_AUTH_STATE_USERNAME_REQ) {
1257 session_state->auth_state = SMTP_AUTH_STATE_USERNAME_RSP;
1258 session_state->username_frame = pinfo->num;
1259 } else if (session_state->auth_state == SMTP_AUTH_STATE_PASSWORD_REQ) {
1260 session_state->auth_state = SMTP_AUTH_STATE_PASSWORD_RSP;
1261 session_state->password_frame = pinfo->num;
1262 } else if (session_state->auth_state == SMTP_AUTH_STATE_PLAIN_REQ) {
1263 session_state->auth_state = SMTP_AUTH_STATE_PLAIN_RSP;
1264 session_state->user_pass_frame = pinfo->num;
1265 } else if (session_state->auth_state == SMTP_AUTH_STATE_NTLM_CHALLANGE) {
1266 session_state->auth_state = SMTP_AUTH_STATE_NTLM_RSP;
1267 session_state->ntlm_rsp_frame = pinfo->num;
1268 }
1269 else {
1270
1271 /*
1272 * Assume it's message data.
1273 */
1274 spd_frame_data->pdu_type = (session_state->data_seen || (session_state->smtp_state == SMTP_STATE_START)) ? SMTP_PDU_MESSAGE : SMTP_PDU_CMD;
1275 }
1276 }
1277 }
1278
1279 /*
1280 * Step past this line.
1281 */
1282 loffset = next_offset;
1283 }
1284 }
1285
1286
1287 /*
1288 * From here, we simply add items to the tree and info to the info
1289 * fields ...
1290 */
1291
1292 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMTP");
1293 col_clear(pinfo->cinfo, COL_INFO);
1294
1295 ti = proto_tree_add_item(tree, proto_smtp, tvb, offset, -1, ENC_NA);
1296 smtp_tree = proto_item_add_subtree(ti, ett_smtp);
1297
1298 if (request) {
1299 /*
1300 * Check out whether or not we can see a command in there ...
1301 * What we are looking for is not data_seen and the word DATA
1302 * and not eom_seen.
1303 *
1304 * We will see DATA and session_state->data_seen when we process the
1305 * tree view after we have seen a DATA packet when processing
1306 * the packet list pane.
1307 *
1308 * On the first pass, we will not have any info on the packets
1309 * On second and subsequent passes, we will.
1310 */
1311 spd_frame_data = (struct smtp_proto_data *)p_get_proto_data(wmem_file_scope(), pinfo, proto_smtp, 0);
1312 offset = 0;
1313 while (spd_frame_data != NULL && tvb_reported_length_remaining(tvb, offset)) {
1314 DISSECTOR_ASSERT_CMPINT(offset, <=, spd_frame_data->end_offset);
1315 dissect_smtp_request(tvb_new_subset_length(tvb, offset, spd_frame_data->end_offset - offset), pinfo, tree, smtp_tree, session_state, spd_frame_data, (offset == 0));
1316 offset = spd_frame_data->end_offset;
1317 spd_frame_data = spd_frame_data->next;
1318 }
1319 } else {
1320 dissect_smtp_response(tvb, pinfo, smtp_tree, session_state);
1321 }
1322
1323 return tvb_captured_length(tvb);
1324 }
1325
1326
1327 /* Register all the bits needed by the filtering engine */
1328
1329 void
1330 proto_register_smtp(void)
1331 {
1332 static hf_register_info hf[] = {
1333 { &hf_smtp_req,
1334 { "Request", "smtp.req",
1335 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1336
1337 { &hf_smtp_rsp,
1338 { "Response", "smtp.rsp",
1339 FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1340
1341 { &hf_smtp_message,
1342 { "Message", "smtp.message",
1343 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1344
1345 { &hf_smtp_command_line,
1346 { "Command Line", "smtp.command_line",
1347 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1348
1349 { &hf_smtp_req_command,
1350 { "Command", "smtp.req.command",
1351 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1352
1353 { &hf_smtp_req_parameter,
1354 { "Request parameter", "smtp.req.parameter",
1355 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1356
1357 { &hf_smtp_response,
1358 { "Response", "smtp.response",
1359 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1360
1361 { &hf_smtp_rsp_code,
1362 { "Response code", "smtp.response.code",
1363 FT_UINT32, BASE_DEC|BASE_EXT_STRING, &response_codes_vs_ext, 0x0, NULL, HFILL }},
1364
1365 { &hf_smtp_rsp_parameter,
1366 { "Response parameter", "smtp.rsp.parameter",
1367 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1368
1369 { &hf_smtp_username,
1370 { "Username", "smtp.auth.username",
1371 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1372
1373 { &hf_smtp_password,
1374 { "Password", "smtp.auth.password",
1375 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1376
1377 { &hf_smtp_username_password,
1378 { "Username/Password", "smtp.auth.username_password",
1379 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
1380
1381 { &hf_smtp_eom,
1382 { "EOM", "smtp.eom",
1383 FT_NONE, BASE_NONE, NULL, 0x00, NULL, HFILL } },
1384
1385 /* Fragment entries */
1386 { &hf_smtp_data_fragments,
1387 { "DATA fragments", "smtp.data.fragments",
1388 FT_NONE, BASE_NONE, NULL, 0x00, "Message fragments", HFILL } },
1389
1390 { &hf_smtp_data_fragment,
1391 { "DATA fragment", "smtp.data.fragment",
1392 FT_FRAMENUM, BASE_NONE, NULL, 0x00, "Message fragment", HFILL } },
1393
1394 { &hf_smtp_data_fragment_overlap,
1395 { "DATA fragment overlap", "smtp.data.fragment.overlap", FT_BOOLEAN,
1396 BASE_NONE, NULL, 0x0, "Message fragment overlap", HFILL } },
1397
1398 { &hf_smtp_data_fragment_overlap_conflicts,
1399 { "DATA fragment overlapping with conflicting data",
1400 "smtp.data.fragment.overlap.conflicts", FT_BOOLEAN, BASE_NONE, NULL,
1401 0x0, "Message fragment overlapping with conflicting data", HFILL } },
1402
1403 { &hf_smtp_data_fragment_multiple_tails,
1404 { "DATA has multiple tail fragments", "smtp.data.fragment.multiple_tails",
1405 FT_BOOLEAN, BASE_NONE, NULL, 0x0, "Message has multiple tail fragments", HFILL } },
1406
1407 { &hf_smtp_data_fragment_too_long_fragment,
1408 { "DATA fragment too long", "smtp.data.fragment.too_long_fragment",
1409 FT_BOOLEAN, BASE_NONE, NULL, 0x0, "Message fragment too long", HFILL } },
1410
1411 { &hf_smtp_data_fragment_error,
1412 { "DATA defragmentation error", "smtp.data.fragment.error",
1413 FT_FRAMENUM, BASE_NONE, NULL, 0x00, "Message defragmentation error", HFILL } },
1414
1415 { &hf_smtp_data_fragment_count,
1416 { "DATA fragment count", "smtp.data.fragment.count",
1417 FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL } },
1418
1419 { &hf_smtp_data_reassembled_in,
1420 { "Reassembled DATA in frame", "smtp.data.reassembled.in",
1421 FT_FRAMENUM, BASE_NONE, NULL, 0x00, "This DATA fragment is reassembled in this frame", HFILL } },
1422
1423 { &hf_smtp_data_reassembled_length,
1424 { "Reassembled DATA length", "smtp.data.reassembled.length",
1425 FT_UINT32, BASE_DEC, NULL, 0x00, "The total length of the reassembled payload", HFILL } },
1426 };
1427 static int *ett[] = {
1428 &ett_smtp,
1429 &ett_smtp_cmdresp,
1430 &ett_smtp_data_fragment,
1431 &ett_smtp_data_fragments,
1432
1433 };
1434
1435 static ei_register_info ei[] = {
1436 { &ei_smtp_base64_decode, { "smtp.base64_decode", PI_PROTOCOL, PI_WARN, "base64 decode failed or is not enabled (check SMTP preferences)", EXPFILL }},
1437 { &ei_smtp_rsp_code,{ "smtp.response.code.unexpected", PI_PROTOCOL, PI_WARN, "Unexpected response code in multiline response", EXPFILL } },
1438 };
1439
1440 module_t *smtp_module;
1441 expert_module_t* expert_smtp;
1442
1443 proto_smtp = proto_register_protocol("Simple Mail Transfer Protocol",
1444 "SMTP", "smtp");
1445
1446 proto_register_field_array(proto_smtp, hf, array_length(hf));
1447 proto_register_subtree_array(ett, array_length(ett));
1448 expert_smtp = expert_register_protocol(proto_smtp);
1449 expert_register_field_array(expert_smtp, ei, array_length(ei));
1450 reassembly_table_register(&smtp_data_reassembly_table,
1451 &addresses_ports_reassembly_table_functions);
1452
1453 /* Allow dissector to find be found by name. */
1454 smtp_handle = register_dissector("smtp", dissect_smtp, proto_smtp);
1455
1456 /* Preferences */
1457 smtp_module = prefs_register_protocol(proto_smtp, NULL);
1458 prefs_register_bool_preference(smtp_module, "desegment_lines",
1459 "Reassemble SMTP command and response lines spanning multiple TCP segments",
1460 "Whether the SMTP dissector should reassemble command and response lines"
1461 " spanning multiple TCP segments. To use this option, you must also enable "
1462 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
1463 &smtp_desegment);
1464
1465 prefs_register_bool_preference(smtp_module, "desegment_data",
1466 "Reassemble SMTP DATA commands spanning multiple TCP segments",
1467 "Whether the SMTP dissector should reassemble DATA command and lines"
1468 " spanning multiple TCP segments. To use this option, you must also enable "
1469 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
1470 &smtp_data_desegment);
1471
1472 prefs_register_bool_preference(smtp_module, "decryption",
1473 "Decode Base64 encoded AUTH parameters",
1474 "Whether the SMTP dissector should decode Base64 encoded AUTH parameters",
1475 &smtp_auth_parameter_decoding_enabled);
1476
1477 credentials_tap = register_tap("credentials"); /* credentials tap */
1478 }
1479
1480 /* The registration hand-off routine */
1481 void
1482 proto_reg_handoff_smtp(void)
1483 {
1484 dissector_add_uint_range_with_preference("tcp.port", TCP_PORT_SMTP, smtp_handle);
1485 ssl_dissector_add(TCP_PORT_SSL_SMTP, smtp_handle);
1486 /* No "auto" preference since handle is shared with SMTP */
1487 dissector_add_uint("tcp.port", TCP_PORT_SUBMISSION, smtp_handle);
1488
1489 /* find the IMF dissector */
1490 imf_handle = find_dissector_add_dependency("imf", proto_smtp);
1491
1492 /* find the TLS dissector */
1493 tls_handle = find_dissector_add_dependency("tls", proto_smtp);
1494
1495 /* find the NTLM dissector */
1496 ntlmssp_handle = find_dissector_add_dependency("ntlmssp", proto_smtp);
1497
1498 /* find the data-text-lines dissector */
1499 data_text_lines_handle = find_dissector_add_dependency("data-text-lines", proto_smtp);
1500 }
1501
1502 /*
1503 * Editor modelines - https://www.wireshark.org/tools/modelines.html
1504 *
1505 * Local variables:
1506 * c-basic-offset: 2
1507 * tab-width: 8
1508 * indent-tabs-mode: nil
1509 * End:
1510 *
1511 * vi: set shiftwidth=2 tabstop=8 expandtab:
1512 * :indentSize=2:tabSize=8:noTabs=true
1513 */
Metzes wireshark repo