Have GSS-API subdissectors supply a "data is encrypted" flag to their

callers, so that they can tell "no decrypted tvbuff because I couldn't decrypt it" from "no decrypted tvbuff because it's not encrypted in the first place". Set that based on the Kerberos seal algorithm field in the SPNEGO Kerberos 5 wrap dissector code. Use that to determine whether the GSS-API encapsulated data in LDAP is encrypted or not., rather than using a heuristic. Set the length of the SASL blob tvbuff based on the SASL length and the length of the tvbuff from which it's consstructed, rather than setting it to the SASL length. svn path=/trunk/; revision=13780
author: Guy Harris <guy@alum.mit.edu> 2005-03-16 21:59:25 +0000
committer: Guy Harris <guy@alum.mit.edu> 2005-03-16 21:59:25 +0000
commit: 90f8224360facc9d3b7e9bac2e704e4e75726e90 (patch)
tree: b602a200a76719f9907e241553cb802aeb6c8de4 /epan/dissectors/packet-ldap.c
parent: c664c29958a6f9cfb08c13959ae73dd46de8cebe (diff)
1 files changed, 20 insertions, 18 deletions
diff --git a/epan/dissectors/packet-ldap.c b/epan/dissectors/packet-ldap.c
index 47c1e8007d..4b323cc7bc 100644
--- a/epan/dissectors/packet-ldap.c
+++ b/epan/dissectors/packet-ldap.c
@@ -2677,6 +2677,8 @@ dissect_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean i
           strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) {
 	  tvbuff_t *gssapi_tvb, *plain_tvb = NULL, *decr_tvb= NULL;
 	  int ver_len;
+	  int length;
+
           /*
            * This is GSS-API (using SPNEGO, but we should be done with
            * the negotiation by now).
@@ -2685,7 +2687,10 @@ dissect_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean i
            * the token, from which we compute the offset in the tvbuff at
            * which the plaintext data, i.e. the LDAP message, begins.
            */
-	  gssapi_tvb = tvb_new_subset(sasl_tvb, 4, sasl_len, sasl_len);
+          length = tvb_length_remaining(sasl_tvb, 4);
+          if ((guint)length > sasl_len)
+              length = sasl_len;
+	  gssapi_tvb = tvb_new_subset(sasl_tvb, 4, length, sasl_len);
 
 	  /* Attempt decryption of the GSSAPI wrapped data if possible */
 	  pinfo->decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL;
@@ -2713,31 +2718,22 @@ dissect_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean i
 
 	  /*
 	   * if we don't have unwrapped data,
-	   * see if the data we already have is maybe
-	   * plain LDAP
+	   * see if the wrapping involved encryption of the
+	   * data; if not, just use the plaintext data.
 	   */
 	  if (!decr_tvb) {
-	    ASN1_SCK a;
-	    int ret;
-	    guint messageLength;
-	    int messageOffset;
-	    /*
-	     * OK, try to read the "Sequence Of" header;
-	     * if it gives no error create the dcer_tvb
-	     */
-	    asn1_open(&a, gssapi_tvb, ver_len);
-	    ret = read_sequence(&a, &messageLength);
-	    asn1_close(&a, &messageOffset);
-	    if (ret == ASN1_ERR_NOERROR) {
-		plain_tvb = tvb_new_subset(gssapi_tvb,  ver_len, -1, -1);
+	    if(!pinfo->gssapi_data_encrypted){
+	      plain_tvb = tvb_new_subset(gssapi_tvb,  ver_len, -1, -1);
 	    }
 	  }
 
           if (decr_tvb) {
 	    proto_item *enc_item = NULL;
 	    proto_tree *enc_tree = NULL;
+
             /*
-             * Now dissect the decrypted LDAP message.
+             * The LDAP message was encrypted in the packet, and has
+             * been decrypted; dissect the decrypted LDAP message.
              */
             if (sasl_tree) {
 	      enc_item = proto_tree_add_text(sasl_tree, gssapi_tvb, ver_len, -1,
@@ -2750,8 +2746,10 @@ dissect_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean i
           } else if (plain_tvb) {
 	    proto_item *plain_item = NULL;
 	    proto_tree *plain_tree = NULL;
+
 	    /*
-             * Now dissect the plain LDAP message.
+	     * The LDAP message wasn't encrypted in the packet;
+	     * dissect the plain LDAP message.
              */
 	    if (sasl_tree) {
               plain_item = proto_tree_add_text(sasl_tree, gssapi_tvb, ver_len, -1,
@@ -2762,6 +2760,10 @@ dissect_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean i
             }
             dissect_ldap_payload(plain_tvb, pinfo, plain_tree, ldap_info, TRUE, is_mscldap);
 	  } else {
+            /*
+             * The LDAP message was encrypted in the packet, and was
+             * not decrypted; just show it as encrypted data.
+             */
             if (check_col(pinfo->cinfo, COL_INFO)) {
         	    col_add_fstr(pinfo->cinfo, COL_INFO, "LDAP GSS-API Encrypted payload (%d byte%s)",
                                  sasl_len - ver_len,
author	Guy Harris <guy@alum.mit.edu>	2005-03-16 21:59:25 +0000
committer	Guy Harris <guy@alum.mit.edu>	2005-03-16 21:59:25 +0000
commit	90f8224360facc9d3b7e9bac2e704e4e75726e90 (patch)
tree	b602a200a76719f9907e241553cb802aeb6c8de4 /epan/dissectors/packet-ldap.c
parent	c664c29958a6f9cfb08c13959ae73dd46de8cebe (diff)