epan/dissectors/packet-gpef.c

   1 /* packet-gpef.c
   2  * Routines for dissection of Group Policy : Encrypted File System Extension
   3  * Described in Microsoft document MS-GPEF.pdf
   4  * Copyright 2008, Ronnie Sahlberg
   5  *
   6  * $Id$
   7  *
   8  * Wireshark - Network traffic analyzer
   9  * By Gerald Combs <gerald@wireshark.org>
  10  * Copyright 1998 Gerald Combs
  11  *
  12  * This program is free software; you can redistribute it and/or
  13  * modify it under the terms of the GNU General Public License
  14  * as published by the Free Software Foundation; either version 2
  15  * of the License, or (at your option) any later version.
  16  *
  17  * This program is distributed in the hope that it will be useful,
  18  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  20  * GNU General Public License for more details.
  21  *
  22  * You should have received a copy of the GNU General Public License
  23  * along with this program; if not, write to the Free Software
  24  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  25  */
  26
  27 #include "config.h"
  28
  29 #include <glib.h>
  30 #include <epan/packet.h>
  31 #include "packet-windows-common.h"
  32 #include <epan/asn1.h>
  33 #include "packet-x509af.h"
  34 #include "packet-x509if.h"
  35
  36 static int proto_gpef = -1;
  37 static int hf_gpef_keycount = -1;
  38 static int hf_gpef_efskey = -1;
  39 static int hf_gpef_efskey_length1 = -1;
  40 static int hf_gpef_efskey_length2 = -1;
  41 static int hf_gpef_efskey_sid_offset = -1;
  42 static int hf_gpef_efskey_cert_offset = -1;
  43 static int hf_gpef_efskey_cert_length = -1;
  44 static int hf_gpef_efskey_certificate = -1;
  45
  46 static gint ett_gpef = -1;
  47 static gint ett_gpef_efskey = -1;
  48
  49
  50 /* MS-GPEF section 2.2.1.2.2 EfsKey*/
  51 static int
  52 dissect_gpef_efskey(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree)
  53 {
  54         proto_item *item = NULL;
  55         proto_tree *tree = NULL;
  56         int old_offset = offset;
  57         guint32 length1, sid_offset;
  58         guint32 cert_length, cert_offset;
  59         tvbuff_t *next_tvb;
  60         asn1_ctx_t asn1_ctx;
  61         asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
  62
  63         if (parent_tree) {
  64                 item = proto_tree_add_item(parent_tree, hf_gpef_efskey, tvb, -1, -1, ENC_NA);
  65                 tree = proto_item_add_subtree(item, ett_gpef_efskey);
  66         }
  67
  68         /* length 1 */
  69         length1 = tvb_get_letohl(tvb, offset);
  70         proto_tree_add_item(tree, hf_gpef_efskey_length1, tvb, offset, 4, ENC_LITTLE_ENDIAN);
  71         offset += 4;
  72
  73         /* length 2 */
  74         proto_tree_add_item(tree, hf_gpef_efskey_length2, tvb, offset, 4, ENC_LITTLE_ENDIAN);
  75         offset += 4;
  76
  77         /* sid offset */
  78         sid_offset = tvb_get_letohl(tvb, offset);
  79         proto_tree_add_item(tree, hf_gpef_efskey_sid_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
  80         offset += 4;
  81
  82         /* reserved */
  83         offset += 4;
  84
  85         /* cert length */
  86         cert_length = tvb_get_letohl(tvb, offset);
  87         proto_tree_add_item(tree, hf_gpef_efskey_cert_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
  88         offset += 4;
  89
  90         /* cert offset */
  91         cert_offset = tvb_get_letohl(tvb, offset);
  92         proto_tree_add_item(tree, hf_gpef_efskey_cert_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
  93         /*offset += 4;*/
  94
  95         /* reserved, must be 0x20 0x00 0x00 0x00 */
  96         /*offset += 4;*/
  97
  98         /* sid */
  99         dissect_nt_sid(tvb, old_offset+4+sid_offset, tree, "sid", NULL, -1);
 100
 101         /* certificate */
 102         next_tvb = tvb_new_subset(tvb, old_offset+4+cert_offset, cert_length, cert_length);
 103         (void)dissect_x509af_Certificate(FALSE, next_tvb, 0, &asn1_ctx, tree, hf_gpef_efskey_certificate);
 104
 105
 106         offset = old_offset + length1;
 107         proto_item_set_len(item, offset-old_offset);
 108         return offset;
 109 }
 110
 111 /* MS-GPEF section 2.2.1.2.1 */
 112 static int
 113 dissect_gpef_efsblob(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, void *data _U_)
 114 {
 115         int offset = 0;
 116         proto_tree *tree = NULL;
 117         proto_item *item = NULL;
 118         guint32 count;
 119
 120         if (parent_tree) {
 121                 item = proto_tree_add_item(parent_tree, proto_gpef, tvb, 0, -1, ENC_NA);
 122                 tree = proto_item_add_subtree(item, ett_gpef);
 123         }
 124
 125         /* reserved, must be 0x01 0x00 0x01 0x00 */
 126         offset += 4;
 127
 128         /* key count */
 129         count = tvb_get_letohl(tvb, offset);
 130         proto_tree_add_item(tree, hf_gpef_keycount, tvb, offset, 4, ENC_LITTLE_ENDIAN);
 131         offset += 4;
 132
 133         while (count--) {
 134               offset = dissect_gpef_efskey(tvb, offset, pinfo, tree);
 135         }
 136
 137         return offset;
 138 }
 139
 140 void
 141 proto_register_gpef(void)
 142 {
 143         static hf_register_info hf[] = {
 144         { &hf_gpef_keycount,
 145         { "Key Count",   "gpef.key_count", FT_UINT32, BASE_DEC, NULL,
 146                 0x0, NULL, HFILL }},
 147
 148         { &hf_gpef_efskey_length1,
 149         { "Length1",   "gpef.efskey.length1", FT_UINT32, BASE_DEC, NULL,
 150                 0x0, NULL, HFILL }},
 151
 152         { &hf_gpef_efskey_length2,
 153         { "Length2",   "gpef.efskey.length2", FT_UINT32, BASE_DEC, NULL,
 154                 0x0, NULL, HFILL }},
 155
 156         { &hf_gpef_efskey_sid_offset,
 157         { "SID Offset",   "gpef.efskey.sid_offset", FT_UINT32, BASE_DEC, NULL,
 158                 0x0, NULL, HFILL }},
 159
 160         { &hf_gpef_efskey_cert_offset,
 161         { "Cert Offset",   "gpef.efskey.cert_offset", FT_UINT32, BASE_DEC, NULL,
 162                 0x0, NULL, HFILL }},
 163
 164         { &hf_gpef_efskey_cert_length,
 165         { "Cert Length",   "gpef.efskey.cert_length", FT_UINT32, BASE_DEC, NULL,
 166                 0x0, NULL, HFILL }},
 167
 168         { &hf_gpef_efskey,
 169         { "EfsKey",   "gpef.efskey", FT_NONE, BASE_NONE, NULL,
 170                 0x0, NULL, HFILL }},
 171
 172         { &hf_gpef_efskey_certificate,
 173         { "Certificate", "gpef.efskey.certificate", FT_NONE, BASE_NONE, NULL,
 174                 0x0, NULL, HFILL }},
 175
 176         };
 177
 178         static gint *ett[] = {
 179                 &ett_gpef,
 180                 &ett_gpef_efskey,
 181         };
 182
 183         proto_gpef = proto_register_protocol("GPEF", "GPEF", "gpef");
 184         proto_register_field_array(proto_gpef, hf, array_length(hf));
 185         proto_register_subtree_array(ett, array_length(ett));
 186
 187         new_register_dissector("efsblob", dissect_gpef_efsblob, proto_gpef);
 188 }
 189
 190 void
 191 proto_reg_handoff_gpef(void)
 192 {
 193 }