1 /* packet-sapsnc.c
2 * Routines for SAP SNC (Secure Network Connection) dissection
3 * Copyright 2022, Martin Gallo <martin.gallo [AT] gmail.com>
4 * Code contributed by SecureAuth Corp.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * SPDX-License-Identifier: GPL-2.0-or-later
14 * This is a basic dissector for the SAP Secure Network Connection protocol. It dissects the basic
15 * SNC frame fields, and if the QoP (quality of protection) is only set to wrap/seal but not encrypt,
16 * it can be used to extract the content and further dissect it on an upper layer.
18 * Some details and example requests can be found in pysap's documentation: https://pysap.readthedocs.io/en/latest/protocols/SAPSNC.html.
21 #include <config.h>
23 #include <epan/packet.h>
24 #include <epan/expert.h>
26 #include "packet-sapsnc.h"
/*
 * Names for the one-byte SNC frame type. The table is attached to
 * hf_sapsnc_frame_type through VALS(); a value without an entry is shown
 * without a name. dissect_sapsnc_frame() only hands frame data back to the
 * caller for 0x07 (DATA_OPEN) and 0x08 (DATA_MIC/DATA_SIGNED).
 */
static const value_string sapsnc_frame_type_vals[] = {
	{ 0x00, "REVERSE_REQ" },
	{ 0x01, "INIT_REQ" },
	{ 0x02, "INIT" },
	{ 0x03, "INIT_ACK" },
	{ 0x04, "ACCEPT" },
	{ 0x05, "ACCEPT_ACK" },
	{ 0x06, "ACCEPT_FAILED" },
	{ 0x07, "DATA_OPEN" },
	{ 0x08, "DATA_MIC/DATA_SIGNED" },
	{ 0x09, "DATA_WRAP/DATA_SEALED" },
	{ 0x0a, "SHUTDOWN" },
	{ 0x0b, "SHUTDOWN_MSG" },
	{ 0x0c, "REJECTED" },
	{ 0x0d, "ERROR" },
	{ 0x0e, "UNKNOWN" },
	/* End-of-table marker */
	{ 0, NULL }
};
/*
 * Names for the two-byte SNC mechanism identifier, i.e. the security
 * mechanism the frame says it was produced with. Attached to
 * hf_sapsnc_mech_id through VALS(). The dissector only displays this value;
 * it does not interpret the token or data according to the mechanism.
 */
static const value_string sapsnc_mech_id_vals[] = {
	{ 0x00, "No security" },
	{ 0x01, "Generic GSS-API v2 Mechanism" },
	{ 0x02, "Kerberos 5/GSS-API v2" },
	{ 0x03, "Secude 5 GSS-API v2" },
	{ 0x04, "SAP's GSS-API v2 over NTLM(SSPI)" },
	{ 0x05, "SPKM1 GSS-API v2 library" },
	{ 0x06, "SPKM2 GSS-API v2 library" },
	{ 0x07, "reserved ID" },
	{ 0x08, "itsec" },
	{ 0x09, "SDTI Connect Agent" },
	{ 0x0a, "AccessMaster DCE" },
	/* End-of-table marker */
	{ 0, NULL }
};
/*
 * Names for the SNC quality-of-protection (QoP) values, shared by the
 * qop_min, qop_max and qop_use fields. Values 0x04-0x06 have no entry.
 *
 * NOTE(review): dissect_sapsnc_frame() adds the three QoP fields as 2-bit
 * items, so only 0x00-0x03 can be produced there; the 0x07-0x09 entries are
 * not reachable from that code path.
 */
static const value_string sapsnc_qop_vals[] = {
	{ 0x00, "INVALID" },
	{ 0x01, "OPEN" },
	{ 0x02, "INTEGRITY/SIGNED" },
	{ 0x03, "PRIVACY/SEALED" },
	{ 0x07, "MIN" },
	{ 0x08, "DEFAULT" },
	{ 0x09, "MAX" },
	/* End-of-table marker */
	{ 0, NULL }
};
/* Protocol handle, assigned by proto_register_protocol() in proto_register_sapsnc() */
static int proto_sapsnc;

/*
 * Header field handles for the SNC frame. Each one is bound to its display
 * name, filter name and type in the hf[] array of proto_register_sapsnc().
 */
static int hf_sapsnc_frame;             /* whole frame (subtree root) */
static int hf_sapsnc_eye_catcher;       /* 8-byte string at the start of the frame */
static int hf_sapsnc_frame_type;        /* see sapsnc_frame_type_vals */
static int hf_sapsnc_protocol_version;
static int hf_sapsnc_header_length;     /* length taken from the wire, validated before use */
static int hf_sapsnc_token_length;      /* 32-bit length taken from the wire */
static int hf_sapsnc_data_length;       /* 32-bit length taken from the wire */
static int hf_sapsnc_mech_id;           /* see sapsnc_mech_id_vals */
static int hf_sapsnc_flags;
static int hf_sapsnc_qop_min;           /* see sapsnc_qop_vals */
static int hf_sapsnc_qop_max;           /* see sapsnc_qop_vals */
static int hf_sapsnc_qop_use;           /* see sapsnc_qop_vals */
static int hf_sapsnc_ext_flags;
static int hf_sapsnc_ext_field_length;  /* 16-bit length taken from the wire */
static int hf_sapsnc_ext_field;
static int hf_sapsnc_token;
static int hf_sapsnc_data;

/* Subtree handle, used for both the frame subtree and the flags subtree */
static int ett_sapsnc;

/* Expert info raised when the header length field fails validation */
static expert_field ei_sapsnc_invalid_header_length;

/* Registration entry points */
void proto_reg_handoff_sapsnc(void);
void proto_register_sapsnc(void);
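/*
 * Report whether `length` bytes starting at `offset` are present in the
 * captured data of `tvb`. The length is compared against the bytes that
 * remain instead of testing `offset + length`, so a 32-bit length taken from
 * the wire cannot wrap the sum around to a small, valid-looking offset, and
 * a field that ends exactly at the end of the buffer is accepted.
 */
static bool
sapsnc_bytes_captured(tvbuff_t *tvb, uint32_t offset, uint32_t length)
{
	return length <= (uint32_t)tvb_captured_length_remaining(tvb, offset);
}

/**
 * Dissect an SNC frame that starts at `offset` in `tvb` and add its fields
 * to `tree`. This function can be called from any dissector that wants SNC
 * frames to be decoded.
 *
 * All length fields (header, extension field, token, data) come from the
 * wire and are treated as untrusted: each one is checked against the bytes
 * actually available before it is used as a length or added to `offset`.
 *
 * @param tvb    buffer holding the frame
 * @param pinfo  packet info, used for expert info
 * @param tree   tree the "SNC Frame" subtree is added to
 * @param offset offset of the eye catcher inside `tvb`
 * @return a new tvb that starts at the frame's data when the data is present
 *         and the frame type is 0x07 (DATA_OPEN) or 0x08
 *         (DATA_MIC/DATA_SIGNED); NULL in every other case.
 */
tvbuff_t*
dissect_sapsnc_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, uint32_t offset)
{
	/* Bytes consumed before the header length field, and the smallest
	 * header the fixed fields below fit in. */
	enum { SNC_PREFIX_LENGTH = 10, SNC_MIN_HEADER_LENGTH = 24 };

	tvbuff_t *next_tvb = NULL;
	uint8_t frame_type;
	int reported_remaining;
	uint32_t header_length, ext_field_length, token_length = 0, data_length = 0;
	proto_item *sapsnc_frame = NULL, *sapsnc_flags = NULL, *sapsnc_header_length = NULL;
	proto_tree *sapsnc_frame_tree = NULL, *sapsnc_flags_tree = NULL;

	/* Add the SNC Frame subtree */
	sapsnc_frame = proto_tree_add_item(tree, hf_sapsnc_frame, tvb, offset, -1, ENC_NA);
	sapsnc_frame_tree = proto_item_add_subtree(sapsnc_frame, ett_sapsnc);

	/* Eye catcher */
	proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_eye_catcher, tvb, offset, 8, ENC_ASCII|ENC_NA);
	offset+=8;

	/* Frame type */
	frame_type = tvb_get_uint8(tvb, offset);
	proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_frame_type, tvb, offset, 1, ENC_BIG_ENDIAN);
	offset+=1;

	/* Protocol version */
	proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_protocol_version, tvb, offset, 1, ENC_BIG_ENDIAN);
	offset+=1;

	/* Header length */
	sapsnc_header_length = proto_tree_add_item_ret_uint(sapsnc_frame_tree, hf_sapsnc_header_length, tvb, offset, 2, ENC_BIG_ENDIAN, &header_length);
	reported_remaining = tvb_reported_length_remaining(tvb, offset);

	/* Validate the wire value BEFORE subtracting from it: header_length is
	 * unsigned, so a value below 10 would otherwise wrap to a huge number
	 * and slip past the minimum-length check. */
	if (header_length < SNC_MIN_HEADER_LENGTH) {
		expert_add_info_format(pinfo, sapsnc_header_length, &ei_sapsnc_invalid_header_length, "Invalid header length %u", header_length);
		header_length = SNC_MIN_HEADER_LENGTH - SNC_PREFIX_LENGTH;
	} else {
		/* Drop the 10 bytes of the header already processed */
		header_length -= SNC_PREFIX_LENGTH;
		if ((uint32_t)reported_remaining < header_length) {
			expert_add_info_format(pinfo, sapsnc_header_length, &ei_sapsnc_invalid_header_length, "Invalid captured length %d (reported %u)", reported_remaining, header_length);
			header_length = (uint32_t)reported_remaining;
		}
	}
	offset+=2;
	header_length-=2;

	/* Token length */
	proto_tree_add_item_ret_uint(sapsnc_frame_tree, hf_sapsnc_token_length, tvb, offset, 4, ENC_BIG_ENDIAN, &token_length);
	offset+=4;
	header_length-=4;

	/* Data length */
	proto_tree_add_item_ret_uint(sapsnc_frame_tree, hf_sapsnc_data_length, tvb, offset, 4, ENC_BIG_ENDIAN, &data_length);
	offset+=4;
	header_length-=4;

	/* Mech ID */
	proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_mech_id, tvb, offset, 2, ENC_BIG_ENDIAN);
	offset+=2;
	header_length-=2;

	/* Build a tree for the flags (registered as FT_UINT16, hence an
	 * explicit byte order instead of ENC_NA) */
	sapsnc_flags = proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_flags, tvb, offset, 2, ENC_BIG_ENDIAN);
	sapsnc_flags_tree = proto_item_add_subtree(sapsnc_flags, ett_sapsnc);

	offset+=1;
	header_length-=1; /* Unknown flags (1 byte) */
	/* Second flags byte: unknown bit, then three 2-bit QoP values, then
	 * another unknown bit */
	proto_tree_add_bits_item(sapsnc_flags_tree, hf_sapsnc_qop_use, tvb, offset*8 + 1, 2, ENC_BIG_ENDIAN);
	proto_tree_add_bits_item(sapsnc_flags_tree, hf_sapsnc_qop_max, tvb, offset*8 + 3, 2, ENC_BIG_ENDIAN);
	proto_tree_add_bits_item(sapsnc_flags_tree, hf_sapsnc_qop_min, tvb, offset*8 + 5, 2, ENC_BIG_ENDIAN);

	offset+=1;
	header_length-=1;

	/* If there's header remaining, we add the extra flags, length and fields */
	if (header_length >= 6 && sapsnc_bytes_captured(tvb, offset, 6)) {
		/* Get the extra flags (registered as FT_UINT32) */
		proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_ext_flags, tvb, offset, 4, ENC_BIG_ENDIAN);
		offset+=4;

		/* Get the extra field length */
		proto_tree_add_item_ret_uint(sapsnc_frame_tree, hf_sapsnc_ext_field_length, tvb, offset, 2, ENC_BIG_ENDIAN, &ext_field_length);
		offset+=2;

		/* If the extra field length is valid extract those.
		 * NOTE(review): the length is checked against the buffer only, not
		 * against the header bytes that remain - confirm whether the
		 * extension field is meant to fit inside the declared header. */
		if (ext_field_length > 0 && sapsnc_bytes_captured(tvb, offset, ext_field_length)) {
			proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_ext_field, tvb, offset, ext_field_length, ENC_NA);
			offset+=ext_field_length;
		}
	}

	/* Token */
	if (token_length > 0 && sapsnc_bytes_captured(tvb, offset, token_length)) {
		proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_token, tvb, offset, token_length, ENC_NA);
		offset+=token_length;
	}

	/* Data */
	if (data_length > 0 && sapsnc_bytes_captured(tvb, offset, data_length)) {
		proto_tree_add_item(sapsnc_frame_tree, hf_sapsnc_data, tvb, offset, data_length, ENC_NA);

		/* Only DATA_OPEN (0x07) and DATA_MIC/DATA_SIGNED (0x08) frames are
		 * handed to the upper layer; DATA_WRAP/DATA_SEALED (0x09) is not.
		 * NOTE(review): the new tvb runs to the end of tvb rather than for
		 * data_length bytes, so any trailing bytes reach the caller too. */
		if ((frame_type == 0x07) || (frame_type == 0x08)) {
			next_tvb = tvb_new_subset_remaining(tvb, offset);
		}
	}

	return next_tvb;
}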
/**
 * Entry point registered under the name "sapsnc": dissects one SNC frame
 * that starts at offset 0 of `tvb`. The tvb that dissect_sapsnc_frame() may
 * return for open/signed data is not used here.
 *
 * @return the reported length of `tvb`.
 */
static int
dissect_sapsnc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
	int frame_bytes;

	/* Protocol column. TODO: append instead? As written this replaces the
	 * column content with the ", SAPSNC" suffix. */
	col_set_str(pinfo->cinfo, COL_PROTOCOL, ", SAPSNC");

	/* Start from an empty info column */
	col_clear(pinfo->cinfo, COL_INFO);

	/* Decode the frame; the payload tvb it may return is discarded */
	(void)dissect_sapsnc_frame(tvb, pinfo, tree, 0);

	frame_bytes = tvb_reported_length(tvb);
	return frame_bytes;
}
/**
 * Register the SAP SNC protocol: its header fields, subtree, expert info
 * and the "sapsnc" dissector name.
 */
void
proto_register_sapsnc(void)
{
	/* Header fields of the SNC frame */
	static hf_register_info hf[] = {
		{ &hf_sapsnc_frame, {
			"SNC Frame", "sapsnc.frame",
			FT_NONE, BASE_NONE, NULL, 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_eye_catcher, {
			"SNC Eye Catcher", "sapsnc.eyecatcher",
			FT_STRING, BASE_NONE, NULL, 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_frame_type, {
			"SNC Frame Type", "sapsnc.frame.type",
			FT_UINT8, BASE_HEX, VALS(sapsnc_frame_type_vals), 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_protocol_version, {
			"SNC Protocol Version", "sapsnc.frame.protocolversion",
			FT_UINT8, BASE_DEC, NULL, 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_header_length, {
			"SNC Header length", "sapsnc.frame.header_length",
			FT_UINT16, BASE_DEC, NULL, 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_token_length, {
			"SNC Token length", "sapsnc.frame.tokenlength",
			FT_UINT32, BASE_DEC, NULL, 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_data_length, {
			"SNC Data length", "sapsnc.frame.datalength",
			FT_UINT32, BASE_DEC, NULL, 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_mech_id, {
			"SNC Mech ID", "sapsnc.frame.mech_id",
			FT_UINT16, BASE_HEX, VALS(sapsnc_mech_id_vals), 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_flags, {
			"SNC Flags", "sapsnc.frame.flags",
			FT_UINT16, BASE_HEX, NULL, 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_qop_min, {
			"SNC QOP Min", "sapsnc.frame.qop_min",
			FT_UINT8, BASE_HEX, VALS(sapsnc_qop_vals), 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_qop_max, {
			"SNC QOP Max", "sapsnc.frame.qop_max",
			FT_UINT8, BASE_HEX, VALS(sapsnc_qop_vals), 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_qop_use, {
			"SNC QOP Use", "sapsnc.frame.qop_use",
			FT_UINT8, BASE_HEX, VALS(sapsnc_qop_vals), 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_ext_flags, {
			"SNC Extensions Flags", "sapsnc.frame.ext_flags",
			FT_UINT32, BASE_HEX, NULL, 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_ext_field_length, {
			"SNC Extensions Field length", "sapsnc.frame.ext_field_length",
			FT_UINT16, BASE_DEC, NULL, 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_ext_field, {
			"SNC Extensions Field", "sapsnc.frame.ext_field",
			FT_NONE, BASE_NONE, NULL, 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_token, {
			"SNC Token", "sapsnc.frame.token",
			FT_NONE, BASE_NONE, NULL, 0x0,
			NULL, HFILL }},
		{ &hf_sapsnc_data, {
			"SNC Data", "sapsnc.frame.data",
			FT_NONE, BASE_NONE, NULL, 0x0,
			NULL, HFILL }},
	};

	/* Subtree handles */
	static int *ett[] = {
		&ett_sapsnc
	};

	/* Expert info: malformed-packet warning for a bad header length */
	static ei_register_info ei[] = {
		{ &ei_sapsnc_invalid_header_length, {
			"sapsnc.frame.header_length_invalid", PI_MALFORMED, PI_WARN,
			"Invalid header length", EXPFILL }},
	};

	expert_module_t *expert_module;

	/* Protocol first: the handle is needed by every later registration */
	proto_sapsnc = proto_register_protocol("SAP SNC Protocol", "SAPSNC", "sapsnc");

	proto_register_field_array(proto_sapsnc, hf, array_length(hf));
	proto_register_subtree_array(ett, array_length(ett));

	expert_module = expert_register_protocol(proto_sapsnc);
	expert_register_field_array(expert_module, ei, array_length(ei));

	/* Make the dissector reachable by name for other dissectors */
	register_dissector("sapsnc", dissect_sapsnc, proto_sapsnc);
}
/**
 * Hand-off registration for the SAP SNC protocol. The static flag makes the
 * body run only on the first call.
 *
 * NOTE(review): the handle returned by create_dissector_handle() is not
 * stored or attached to any dissector table here - confirm it is needed,
 * given that proto_register_sapsnc() already registers the dissector by name.
 */
void
proto_reg_handoff_sapsnc(void)
{
	static bool initialized = false;

	if (initialized) {
		return;
	}

	create_dissector_handle(dissect_sapsnc, proto_sapsnc);
	initialized = true;
}
321 * Editor modelines - https://www.wireshark.org/tools/modelines.html
323 * Local variables:
324 * c-basic-offset: 8
325 * tab-width: 8
326 * indent-tabs-mode: t
327 * End:
329 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
330 * :indentSize=8:tabSize=8:noTabs=false: