search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / epan / dissectors / packet-gpef.c
blob7f789f903197f68e5b7907a6d32c8d8a26a44857
1 /* packet-gpef.c
2 * Routines for dissection of Group Policy : Encrypted File System Extension
3 * Described in Microsoft document MS-GPEF.pdf
4 * Copyright 2008, Ronnie Sahlberg
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
12
13 #include "config.h"
14
15 #include <epan/packet.h>
16 #include "packet-windows-common.h"
17 #include <epan/asn1.h>
18 #include "packet-x509af.h"
19
20 void proto_register_gpef(void);
21
22 static int proto_gpef;
23 static int hf_gpef_keycount;
24 static int hf_gpef_efskey;
25 static int hf_gpef_efskey_length1;
26 static int hf_gpef_efskey_length2;
27 static int hf_gpef_efskey_sid_offset;
28 static int hf_gpef_efskey_cert_offset;
29 static int hf_gpef_efskey_cert_length;
30 static int hf_gpef_efskey_certificate;
31
32 static int ett_gpef;
33 static int ett_gpef_efskey;
34
35
36 /* MS-GPEF section 2.2.1.2.2 EfsKey*/
37 static int
38 dissect_gpef_efskey(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree)
39 {
40 proto_item *item = NULL;
41 proto_tree *tree = NULL;
42 int old_offset = offset;
43 uint32_t length1, sid_offset;
44 uint32_t cert_length, cert_offset;
45 tvbuff_t *next_tvb;
46 asn1_ctx_t asn1_ctx;
47 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);
48
49 if (parent_tree) {
50 item = proto_tree_add_item(parent_tree, hf_gpef_efskey, tvb, -1, -1, ENC_NA);
51 tree = proto_item_add_subtree(item, ett_gpef_efskey);
52 }
53
54 /* length 1 */
55 length1 = tvb_get_letohl(tvb, offset);
56 proto_tree_add_item(tree, hf_gpef_efskey_length1, tvb, offset, 4, ENC_LITTLE_ENDIAN);
57 offset += 4;
58
59 /* length 2 */
60 proto_tree_add_item(tree, hf_gpef_efskey_length2, tvb, offset, 4, ENC_LITTLE_ENDIAN);
61 offset += 4;
62
63 /* sid offset */
64 sid_offset = tvb_get_letohl(tvb, offset);
65 proto_tree_add_item(tree, hf_gpef_efskey_sid_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
66 offset += 4;
67
68 /* reserved */
69 offset += 4;
70
71 /* cert length */
72 cert_length = tvb_get_letohl(tvb, offset);
73 proto_tree_add_item(tree, hf_gpef_efskey_cert_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
74 offset += 4;
75
76 /* cert offset */
77 cert_offset = tvb_get_letohl(tvb, offset);
78 proto_tree_add_item(tree, hf_gpef_efskey_cert_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
79 /*offset += 4;*/
80
81 /* reserved, must be 0x20 0x00 0x00 0x00 */
82 /*offset += 4;*/
83
84 /* sid */
85 dissect_nt_sid(tvb, old_offset+4+sid_offset, tree, "sid", NULL, -1);
86
87 /* certificate */
88 next_tvb = tvb_new_subset_length(tvb, old_offset+4+cert_offset, cert_length);
89 (void)dissect_x509af_Certificate(false, next_tvb, 0, &asn1_ctx, tree, hf_gpef_efskey_certificate);
90
91
92 offset = old_offset + length1;
93 proto_item_set_len(item, offset-old_offset);
94 return offset;
95 }
96
97 /* MS-GPEF section 2.2.1.2.1 */
98 static int
99 dissect_gpef_efsblob(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
100 {
101 int offset = 0;
102 proto_tree *tree;
103 proto_item *item;
104 uint32_t count;
105
106 item = proto_tree_add_item(parent_tree, proto_gpef, tvb, 0, -1, ENC_NA);
107 tree = proto_item_add_subtree(item, ett_gpef);
108
109 /* reserved, must be 0x01 0x00 0x01 0x00 */
110 offset += 4;
111
112 /* key count */
113 count = tvb_get_letohl(tvb, offset);
114 proto_tree_add_item(tree, hf_gpef_keycount, tvb, offset, 4, ENC_LITTLE_ENDIAN);
115 offset += 4;
116
117 while (count--) {
118 offset = dissect_gpef_efskey(tvb, offset, pinfo, tree);
119 }
120
121 return offset;
122 }
123
124 void
125 proto_register_gpef(void)
126 {
127 static hf_register_info hf[] = {
128 { &hf_gpef_keycount,
129 { "Key Count", "gpef.key_count", FT_UINT32, BASE_DEC, NULL,
130 0x0, NULL, HFILL }},
131
132 { &hf_gpef_efskey_length1,
133 { "Length1", "gpef.efskey.length1", FT_UINT32, BASE_DEC, NULL,
134 0x0, NULL, HFILL }},
135
136 { &hf_gpef_efskey_length2,
137 { "Length2", "gpef.efskey.length2", FT_UINT32, BASE_DEC, NULL,
138 0x0, NULL, HFILL }},
139
140 { &hf_gpef_efskey_sid_offset,
141 { "SID Offset", "gpef.efskey.sid_offset", FT_UINT32, BASE_DEC, NULL,
142 0x0, NULL, HFILL }},
143
144 { &hf_gpef_efskey_cert_offset,
145 { "Cert Offset", "gpef.efskey.cert_offset", FT_UINT32, BASE_DEC, NULL,
146 0x0, NULL, HFILL }},
147
148 { &hf_gpef_efskey_cert_length,
149 { "Cert Length", "gpef.efskey.cert_length", FT_UINT32, BASE_DEC, NULL,
150 0x0, NULL, HFILL }},
151
152 { &hf_gpef_efskey,
153 { "EfsKey", "gpef.efskey", FT_NONE, BASE_NONE, NULL,
154 0x0, NULL, HFILL }},
155
156 { &hf_gpef_efskey_certificate,
157 { "Certificate", "gpef.efskey.certificate", FT_NONE, BASE_NONE, NULL,
158 0x0, NULL, HFILL }},
159
160 };
161
162 static int *ett[] = {
163 &ett_gpef,
164 &ett_gpef_efskey,
165 };
166
167 proto_gpef = proto_register_protocol("GPEF", "GPEF", "gpef");
168 proto_register_field_array(proto_gpef, hf, array_length(hf));
169 proto_register_subtree_array(ett, array_length(ett));
170
171 register_dissector("efsblob", dissect_gpef_efsblob, proto_gpef);
172 }
173
174 /*
175 * Editor modelines - https://www.wireshark.org/tools/modelines.html
176 *
177 * Local variables:
178 * c-basic-offset: 8
179 * tab-width: 8
180 * indent-tabs-mode: t
181 * End:
182 *
183 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
184 * :indentSize=8:tabSize=8:noTabs=false:
185 */
Metzes wireshark repo