diff options
Diffstat (limited to 'epan/dissectors/packet-dcerpc-netlogon.c')
-rw-r--r-- | epan/dissectors/packet-dcerpc-netlogon.c | 104 |
1 files changed, 34 insertions, 70 deletions
diff --git a/epan/dissectors/packet-dcerpc-netlogon.c b/epan/dissectors/packet-dcerpc-netlogon.c index 1b05041d1c..ea695d6290 100644 --- a/epan/dissectors/packet-dcerpc-netlogon.c +++ b/epan/dissectors/packet-dcerpc-netlogon.c @@ -557,11 +557,23 @@ static const true_false_string user_account_control_account_disabled= { }; typedef struct _netlogon_auth_key { - address src; - address dst; - guint32 srcport; - guint32 dstport; - char * name; + /* + * For now we only match the client and server ip + * addresses, as keys can be used across tcp connections. + * + * Also note that ServerChallenge and ServerAuthenticate + * can be on different tcp connections! + * + * TODO: + * * We could have a challenge table indexed by client, server + * and computer name + * * A good ServerAuthenticate could fill a session key table + * indexed by computer name. + * * A DCERPC bind/alter context could lookup the session key table + * and copy the session key to the DCERPC connection/auth_context. + */ + address client; + address server; } netlogon_auth_key; static gint @@ -569,33 +581,18 @@ netlogon_auth_equal (gconstpointer k1, gconstpointer k2) { const netlogon_auth_key *key1 = (const netlogon_auth_key *)k1; const netlogon_auth_key *key2 = (const netlogon_auth_key *)k2; - if(key1->name == NULL || key2->name ==NULL) - return ((key1->srcport == key2->srcport) && (key1->dstport == key2->dstport) && addresses_equal(&key1->src,&key2->src) && - addresses_equal(&key1->dst,&key2->dst)); - else - return ((strcmp(key1->name,key2->name)==0) && addresses_equal(&key1->src,&key2->src) && - addresses_equal(&key1->dst,&key2->dst)); + + return (addresses_equal(&key1->client,&key2->client) && addresses_equal(&key1->server,&key2->server)); } static guint netlogon_auth_hash (gconstpointer k) { const netlogon_auth_key *key1 = (const netlogon_auth_key *)k; - guint hash_val1; - if(key1->name == NULL) { - hash_val1 = key1->dstport; - hash_val1 += key1->srcport; - } - else { - unsigned int i = 0; - hash_val1 = 0; - for(i=0; key1->name[i]; i++) { - hash_val1 += key1->name[i]; - } - } + guint hash_val1 = 0; - hash_val1 = add_address_to_hash(hash_val1, &key1->src); - hash_val1 = add_address_to_hash(hash_val1, &key1->dst); + hash_val1 = add_address_to_hash(hash_val1, &key1->client); + hash_val1 = add_address_to_hash(hash_val1, &key1->server); return hash_val1; } static int @@ -2372,23 +2369,15 @@ netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset, return offset; } -static void generate_hash_key(packet_info *pinfo,unsigned char is_server,netlogon_auth_key *key,char* name) +static void generate_hash_key(packet_info *pinfo,unsigned char is_server,netlogon_auth_key *key) { if(is_server) { - key->dstport = pinfo->srcport; - key->srcport = pinfo->destport; - copy_address_shallow(&key->dst,&pinfo->src); - copy_address_shallow(&key->src,&pinfo->dst); - /* name has been durably allocated */ - key->name = name; + copy_address_shallow(&key->server,&pinfo->src); + copy_address_shallow(&key->client,&pinfo->dst); } else { - copy_address_shallow(&key->dst,&pinfo->dst); - copy_address_shallow(&key->src,&pinfo->src); - key->dstport = pinfo->destport; - key->srcport = pinfo->srcport; - /* name has been durably allocated */ - key->name = name; + copy_address_shallow(&key->server,&pinfo->dst); + copy_address_shallow(&key->client,&pinfo->src); } } @@ -2433,12 +2422,12 @@ netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset, vars->next_start = -1; vars->next = NULL; - generate_hash_key(pinfo,0,&key,NULL); + generate_hash_key(pinfo,0,&key); existing_vars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &key); if (!existing_vars) { netlogon_auth_key *k = (netlogon_auth_key *)wmem_memdup(wmem_file_scope(), &key, sizeof(netlogon_auth_key)); - copy_address_wmem(wmem_file_scope(), &k->src, &key.src); - copy_address_wmem(wmem_file_scope(), &k->dst, &key.dst); + copy_address_wmem(wmem_file_scope(), &k->client, &key.client); + copy_address_wmem(wmem_file_scope(), &k->server, &key.server); debugprintf("Adding initial vars with this start packet = %d\n",vars->start); wmem_map_insert(netlogon_auths, k, vars); } @@ -2457,31 +2446,6 @@ netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset, existing_vars->next = vars; } } - /* used by other rpc that use schannel ie lsa */ -#if 0 - generate_hash_key(pinfo,0,&key,vars->client_name); - existing_vars = NULL; - existing_vars = wmem_map_lookup(schannel_auths, key); - if (!existing_vars) - { - netlogon_auth_key *k = (netlogon_auth_key *)wmem_memdup(wmem_file_scope(), &key, sizeof(netlogon_auth_key)); - copy_address_wmem(wmem_file_scope(), &k->src, &key.src); - copy_address_wmem(wmem_file_scope(), &k->dst, &key.dst); - wmem_map_insert(schannel_auths, k, vars); - } - else - { - while(existing_vars->next != NULL && existing_vars->start <= vars->start) { - existing_vars = existing_vars->next; - } - if(existing_vars->next != NULL || existing_vars == vars) { - debugprintf("It seems that I already record this vars (schannel hash)%d\n",vars->start); - } - else { - existing_vars->next_start = pinfo->num; - existing_vars->next = vars; - } -#endif return offset; } @@ -2493,7 +2457,7 @@ netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t *tvb, int offset, netlogon_auth_key key; guint64 server_challenge; - generate_hash_key(pinfo,1,&key,NULL); + generate_hash_key(pinfo,1,&key); vars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths,(gconstpointer*) &key); offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep, @@ -6622,7 +6586,7 @@ netlogon_dissect_netrserverauthenticate23_reply(tvbuff_t *tvb, int offset, offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep, hf_netlogon_rc, NULL); - generate_hash_key(pinfo, 1 , &key, NULL); + generate_hash_key(pinfo, 1 , &key); vars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &key); if(vars != NULL) { @@ -7909,7 +7873,7 @@ dissect_packet_data(tvbuff_t *tvb ,tvbuff_t *auth_tvb _U_, netlogon_auth_key key; /*debugprintf("Dissection of request data offset %d len=%d on packet %d\n",offset,tvb_length_remaining(tvb,offset),pinfo->num);*/ - generate_hash_key(pinfo,is_server,&key,NULL); + generate_hash_key(pinfo,is_server,&key); vars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &key); if(vars != NULL ) { @@ -7984,7 +7948,7 @@ dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo, guint64 confounder = 0; int update_vars = 0; - generate_hash_key(pinfo,is_server,&key,NULL); + generate_hash_key(pinfo,is_server,&key); vars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths,(gconstpointer*) &key); if( ! (seen.isseen && seen.num == pinfo->num) ) { /* |