author | Graeme Lunt <graeme.lunt@smhs.co.uk> | 2007-02-17 11:06:25 +0000 |
---|---|---|
committer | Graeme Lunt <graeme.lunt@smhs.co.uk> | 2007-02-17 11:06:25 +0000 |
commit | c55b75426468bc4ac7ab6d44452b51649e2389b0 (patch) | |
tree | 1f6d29c6364c53d6a9fdbef152cd315a88a7e7e4 /asn1 | |
parent | 2172e293d6877ba412209185d0dc2a01bfd35619 (diff) |
Tidy ups for SASL/GSSAPI support:
1) Handle empty (zero length) saslCredentials
2) Handle "GSSAPI" auth_mech when identified from the bind
3) Annotate column info to show SASL service applied to LDAP operation
svn path=/trunk/; revision=20830
Diffstat (limited to 'asn1')
-rw-r--r-- | asn1/ldap/ldap.cnf | 18 | ||||
-rw-r--r-- | asn1/ldap/packet-ldap-template.c | 20 |
2 files changed, 26 insertions, 12 deletions
diff --git a/asn1/ldap/ldap.cnf b/asn1/ldap/ldap.cnf index 29a366718b..41535a4230 100644 --- a/asn1/ldap/ldap.cnf +++ b/asn1/ldap/ldap.cnf @@ -175,17 +175,17 @@ ldap_conv_info_t *ldap_info; ldap_info = pinfo->private_data; if (ldap_info->auth_mech != NULL && strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) { - /* + /* * This is a GSS-API token ancapsulated within GSS-SPNEGO. - */ - if (parameter_tvb) - call_dissector(gssapi_handle, parameter_tvb, pinfo, tree); + */ + if (parameter_tvb && (tvb_length(parameter_tvb) > 0)) + call_dissector(spnego_handle, parameter_tvb, pinfo, tree); } else if (ldap_info->auth_mech != NULL && strcmp(ldap_info->auth_mech, "GSSAPI") == 0) { /* * This is a raw GSS-API token. */ - if (parameter_tvb) - call_dissector(gssapi_handle, parameter_tvb, pinfo, tree); + if (parameter_tvb && (tvb_length(parameter_tvb) > 0)) + call_dissector(gssapi_handle, parameter_tvb, pinfo, tree); } pinfo->private_data = ldap_info; @@ -237,13 +237,15 @@ ldap_conv_info_t *ldap_info; /* * This is a GSS-API token. */ - call_dissector(gssapi_handle, parameter_tvb, pinfo, tree); + if(parameter_tvb && (tvb_length(parameter_tvb) > 0)) + call_dissector(spnego_handle, parameter_tvb, pinfo, tree); } else if (ldap_info->auth_mech != NULL && strcmp(ldap_info->auth_mech, "GSSAPI") == 0) { /* * This is a GSS-API token. */ - call_dissector(gssapi_handle, parameter_tvb, pinfo, tree); + if(parameter_tvb && (tvb_length(parameter_tvb) > 0)) + call_dissector(gssapi_handle, parameter_tvb, pinfo, tree); } break; } diff --git a/asn1/ldap/packet-ldap-template.c b/asn1/ldap/packet-ldap-template.c index fe301370dd..e0542c91a7 100644 --- a/asn1/ldap/packet-ldap-template.c +++ b/asn1/ldap/packet-ldap-template.c 
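Review bot: In the second ldap.cnf hunk (-237,13) the comment above the first branch still reads `This is a GSS-API token.` although that branch now passes the buffer to `spnego_handle`, so comment and dispatch disagree. A comment such as `/* This is a GSS-API token encapsulated within GSS-SPNEGO. */` would match the code. The corresponding comment in the first hunk (-175,17) was re-indented but keeps the typo "ancapsulated". The new guards are also spelled `if (` in the first hunk and `if(` in the second. Both enclosing blocks begin and end outside the hunks, and the first branch's condition in the second hunk is not visible, so that it tests for "GSS-SPNEGO" is inferred from the parallel code in the first hunk.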
@@ -174,7 +174,7 @@ static gboolean is_binary_attr_type = FALSE; static dissector_handle_t gssapi_handle; static dissector_handle_t gssapi_wrap_handle; static dissector_handle_t ntlmssp_handle = NULL; - +static dissector_handle_t spnego_handle; /* different types of rpc calls ontop of ms cldap */ #define MSCLDAP_RPC_NETLOGON 1 @@ -781,12 +781,14 @@ dissect_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean i proto_tree_add_uint(ldap_tree, hf_ldap_sasl_buffer_length, sasl_tvb, 0, 4, sasl_len); - sasl_item = proto_tree_add_text(ldap_tree, sasl_tvb, 0, sasl_msg_len, "SASL buffer"); + sasl_item = proto_tree_add_text(ldap_tree, sasl_tvb, 0, sasl_msg_len, "SASL Buffer"); sasl_tree = proto_item_add_subtree(sasl_item, ett_ldap_sasl_blob); } if (ldap_info->auth_mech != NULL && - strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) { + ((strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) || + /* auth_mech may have been set from the bind */ + (strcmp(ldap_info->auth_mech, "GSSAPI") == 0))) { tvbuff_t *gssapi_tvb, *plain_tvb = NULL, *decr_tvb= NULL; int ver_len; int length; @@ -847,6 +849,11 @@ dissect_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean i * The LDAP message was encrypted in the packet, and has * been decrypted; dissect the decrypted LDAP message. */ + if (check_col(pinfo->cinfo, COL_INFO)) { + col_add_str(pinfo->cinfo, COL_INFO, "SASL GSS-API Privacy (decrypted): "); + + } + if (sasl_tree) { enc_item = proto_tree_add_text(sasl_tree, gssapi_tvb, ver_len, -1, "GSS-API Encrypted payload (%d byte%s)", @@ -863,6 +870,10 @@ dissect_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean i * The LDAP message wasn't encrypted in the packet; * dissect the plain LDAP message. */ + if (check_col(pinfo->cinfo, COL_INFO)) { + col_add_str(pinfo->cinfo, COL_INFO, "SASL GSS-API Integrity: "); + } + if (sasl_tree) { plain_item = proto_tree_add_text(sasl_tree, gssapi_tvb, ver_len, -1, "GSS-API payload (%d byte%s)", 
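Review bot: The new comment in the -781,12 hunk, `/* auth_mech may have been set from the bind */`, does not say why a "GSSAPI" mechanism should take the same branch as "GSS-SPNEGO". The branch body lies mostly outside the hunk, so whether its `ver_len`/`length` handling suits raw GSS-API wrapped buffers cannot be confirmed from here. Since `auth_mech` comes from the captured bind, a reader needs to know the branch is selected by packet content. A fuller comment would help, for example `/* the bind dissection stores "GSSAPI" in auth_mech for raw GSS-API binds; their SASL-wrapped buffers are unwrapped the same way as GSS-SPNEGO */`, adjusted to what the bind code actually does.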
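Review bot: The prefix written by `col_add_str(pinfo->cinfo, COL_INFO, "SASL GSS-API Privacy (decrypted): ");` in the -847,6 hunk only survives if later code appends to COL_INFO rather than replacing it. The -863,6 hunk has the same dependency for `"SASL GSS-API Integrity: "`. The inner LDAP dissection is not visible here; if it clears or re-adds the column, the protection-level label is silently lost, and placing `col_set_fence(pinfo->cinfo, COL_INFO);` after each prefix would probably prevent that. `col_add_str` also replaces whatever an earlier PDU in the same frame wrote, which is worth a one-line comment if intended. The first of the two new blocks leaves a stray blank line before its closing brace.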
@@ -878,7 +889,7 @@ dissect_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean i * not decrypted; just show it as encrypted data. */ if (check_col(pinfo->cinfo, COL_INFO)) { - col_add_fstr(pinfo->cinfo, COL_INFO, "LDAP GSS-API Encrypted payload (%d byte%s)", + col_add_fstr(pinfo->cinfo, COL_INFO, "SASL GSS-API Privacy: payload (%d byte%s)", sasl_len - ver_len, plurality(sasl_len - ver_len, "", "s")); } @@ -1658,6 +1669,7 @@ proto_reg_handoff_ldap(void) gssapi_handle = find_dissector("gssapi"); gssapi_wrap_handle = find_dissector("gssapi_verf"); + spnego_handle = find_dissector("spnego"); ntlmssp_handle = find_dissector("ntlmssp"); |
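Review bot: The reworded column text `"SASL GSS-API Privacy: payload (%d byte%s)"` no longer tells the analyst that this payload was not decrypted. The old text said "Encrypted payload", and the surrounding comment describes this branch as showing data that was "not decrypted". The decrypted branch is labelled `Privacy (decrypted)`, so a matching `"SASL GSS-API Privacy (not decrypted): payload (%d byte%s)"` would keep the two cases distinguishable in the packet list. The enclosing branch starts outside the hunk.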
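Review bot: `spnego_handle = find_dissector("spnego");` in the -1658,6 hunk stores the result unchecked, and `find_dissector` returns NULL when no dissector of that name is registered. The new call sites in ldap.cnf test only `parameter_tvb` before `call_dissector(spnego_handle, ...)`. If the SPNEGO dissector can be absent, a capture whose bind names GSS-SPNEGO would reach that call with a NULL handle; the call sites could guard with `if (spnego_handle && parameter_tvb && (tvb_length(parameter_tvb) > 0))`. The neighbouring `gssapi_handle` lookups follow the same unchecked pattern, so this may be an accepted convention in the file, but the new handle is the one driven by a mechanism string taken from the packet. `proto_reg_handoff_ldap` continues outside the hunk.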