author | John Thacker <johnthacker@gmail.com> | 2024-02-25 08:41:08 -0500 |
---|---|---|
committer | John Thacker <johnthacker@gmail.com> | 2024-02-26 16:58:09 +0000 |
commit | 3540bbc9690957cfec7bd0eeac5fa2badae3e8a2 (patch) | |
tree | c5e2938f8994113f55bbd7cd62a96b4d69bf9983 /epan/dissectors/packet-pgsql.c | |
parent | 09f6a3aaa6abeb7c396449335e4792761fff1578 (diff) |
GSSAPI: Avoid dissecting checksum in signed-only KRB_TOKEN_CFX_WRAP
In KRB_TOKEN_CFX_WRAP (RFC 4121), for signed-only Wrap tokens
("Wrap tokens without confidentiality"), the plaintext is followed
by the checksum, unlike in other implementations where all
the GSSAPI bits, including the checksum, precede the plaintext.
For those cases, the calling dissector cannot simply dissect
the entire original tvb after the returned offset, as it's not
all plaintext. Instead, place the plaintext without checksum
subset in gssapi_decrypted_tvb and return it to the caller.
In these cases, gssapi_data_encrypted will be set to FALSE, to
allow dissectors that wish to distinguish signed-and-sealed
from signed-only. For dissectors that do not care to distinguish
the cases, this requires no change.
Update the documentation in the GSSAPI header to describe this.
Fix #9398.
Diffstat (limited to 'epan/dissectors/packet-pgsql.c')
-rw-r--r-- | epan/dissectors/packet-pgsql.c | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/epan/dissectors/packet-pgsql.c b/epan/dissectors/packet-pgsql.c index e0ddacc818..a7be66afaf 100644 --- a/epan/dissectors/packet-pgsql.c +++ b/epan/dissectors/packet-pgsql.c @@ -872,18 +872,26 @@ dissect_pgsql_gssapi_wrap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, v /* GSS-API couldn't do anything with it. */ return tvb_captured_length(tvb); } - if (encrypt.gssapi_decrypted_tvb) { - tvbuff_t *decr_tvb = encrypt.gssapi_decrypted_tvb; - add_new_data_source(pinfo, encrypt.gssapi_decrypted_tvb, "Decrypted GSS-API"); - dissect_pgsql_msg(decr_tvb, pinfo, ptree, data); - } else if (encrypt.gssapi_data_encrypted) { - /* Encrypted but couldn't be decrypted. */ - proto_tree_add_item(ptree, hf_gssapi_encrypted_payload, gssapi_tvb, ver_len, -1, ENC_NA); + if (encrypt.gssapi_data_encrypted) { + if (encrypt.gssapi_decrypted_tvb) { + tvbuff_t *decr_tvb = encrypt.gssapi_decrypted_tvb; + add_new_data_source(pinfo, encrypt.gssapi_decrypted_tvb, "Decrypted GSS-API"); + dissect_pgsql_msg(decr_tvb, pinfo, ptree, data); + } else { + /* Encrypted but couldn't be decrypted. */ + proto_tree_add_item(ptree, hf_gssapi_encrypted_payload, gssapi_tvb, ver_len, -1, ENC_NA); + } } else { /* No encrypted (sealed) payload. If any bytes are left, that is * signed-only payload. */ - if (tvb_reported_length_remaining(gssapi_tvb, ver_len)) { - dissect_pgsql_msg(tvb_new_subset_remaining(gssapi_tvb, ver_len), pinfo, ptree, data); + tvbuff_t *plain_tvb; + if (encrypt.gssapi_decrypted_tvb) { + plain_tvb = encrypt.gssapi_decrypted_tvb; + } else { + plain_tvb = tvb_new_subset_remaining(gssapi_tvb, ver_len); + } + if (tvb_reported_length(plain_tvb)) { + dissect_pgsql_msg(plain_tvb, pinfo, ptree, data); } } return tvb_captured_length(tvb); |
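Review bot: In the new signed-only `else` branch, the fallback `plain_tvb = tvb_new_subset_remaining(gssapi_tvb, ver_len);` now runs before any length test, whereas the removed code guarded the subset call with `if (tvb_reported_length_remaining(gssapi_tvb, ver_len))`. It is worth confirming that `ver_len` can never exceed the length of `gssapi_tvb` on a malformed or truncated packet, or else keeping the remaining-length test around the fallback so the old ordering is preserved. Separately, the comment at the top of that branch still reads only "If any bytes are left, that is signed-only payload", which does not explain why `encrypt.gssapi_decrypted_tvb` can be set while `encrypt.gssapi_data_encrypted` is false; a line saying that for signed-only KRB_TOKEN_CFX_WRAP the GSS-API dissector returns the plaintext without the trailing checksum in that field would make the branch readable without the commit message.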