packet-dcerpc-witness: initial implementation based on the idl file from samba

See [MS-SWN], https://msdn.microsoft.com/en-us/library/hh536748.aspx

Change-Id: Ie92dad2c229ec08e7f7e31be9422450305b3908a
Signed-off-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-on: https://code.wireshark.org/review/11366
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>

2 files changed, 355 insertions, 0 deletions

diff --git a/epan/dissectors/pidl/witness.cnf b/epan/dissectors/pidl/witness.cnf
new file mode 100644
index 0000000000..a934e424e7
--- /dev/null
+++ b/epan/dissectors/pidl/witness.cnf
@@ -0,0 +1,203 @@
+MANUAL witness_dissect_element_interfaceInfo_group_name
+NOEMIT witness_dissect_element_interfaceInfo_group_name
+MANUAL witness_dissect_struct_notifyResponse
+MANUAL witness_dissect_element_notifyResponse_messages
+NOEMIT witness_dissect_element_notifyResponse_messages
+MANUAL witness_dissect_struct_IPaddrInfoList
+NOEMIT witness_dissect_struct_IPaddrInfoList
+NOEMIT witness_dissect_element_IPaddrInfoList_addr
+
+HF_FIELD hf_witness_witness_notifyResponse_messages_ "Messages" "witness.witness_notifyResponse.messages_" FT_NONE BASE_NONE NULL 0 "" "" ""
+
+TYPE ipv4address "offset=PIDL_dissect_ipv4address(tvb, offset, pinfo, tree, di, drep, @HF@, PIDL_SET_COL_INFO);" FT_IPv4 BASE_NONE 0 NULL 4
+
+TYPE ipv6address "offset=PIDL_dissect_ipv6address(tvb, offset, pinfo, tree, di, drep, @HF@, PIDL_SET_COL_INFO);" FT_IPv6 BASE_NONE 0 NULL 2
+
+CODE START
+
+ #include "packet-smb-common.h"
+ #include "to_str.h"
+
+static int
+witness_dissect_notifyResponse_message(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_);
+
+static int
+witness_dissect_notifyResponse_message_(tvbuff_t *tvb, int offset, int length _U_, packet_info *pinfo,
+				        proto_tree *tree, dcerpc_info *di, guint8 *drep _U_)
+{
+	guint32 *type = (guint32 *)di->private_data;
+	guint8 le_drep[4] = { DREP_LITTLE_ENDIAN, };
+	return witness_dissect_notifyResponse_message(tvb, offset, pinfo, tree, di, le_drep,
+						      hf_witness_witness_notifyResponse_messages_, *type);
+}
+
+static int
+witness_dissect_element_notifyResponse_messages(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info *di _U_, guint8 *drep _U_)
+{
+	offset = dissect_ndr_ucarray_block(tvb, offset, pinfo, tree, di, drep,
+					   witness_dissect_notifyResponse_message_);
+	return offset;
+}
+
+int
+witness_dissect_struct_notifyResponse(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_)
+{
+	guint32 *type = NULL;
+	proto_item *item = NULL;
+	proto_tree *tree = NULL;
+	int old_offset;
+
+	ALIGN_TO_4_BYTES;
+
+	ALIGN_TO_4_BYTES;
+
+	old_offset = offset;
+
+	if (parent_tree) {
+		item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
+		tree = proto_item_add_subtree(item, ett_witness_witness_notifyResponse);
+	}
+
+	type = wmem_new0(wmem_packet_scope(), guint32);
+
+	offset = witness_dissect_element_notifyResponse_type(tvb, offset, pinfo, tree, di, drep, type);
+
+	offset = witness_dissect_element_notifyResponse_length(tvb, offset, pinfo, tree, di, drep);
+
+	offset = witness_dissect_element_notifyResponse_num(tvb, offset, pinfo, tree, di, drep);
+
+	di->private_data = type;
+	offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep,
+					      witness_dissect_element_notifyResponse_messages,
+					      NDR_POINTER_UNIQUE, "Pointer to Message Buffer (uint8)",
+					      hf_witness_witness_notifyResponse_messages);
+
+	proto_item_set_len(item, offset-old_offset);
+
+	if (di->call_data->flags & DCERPC_IS_NDR64) {
+		ALIGN_TO_4_BYTES;
+	}
+
+	return offset;
+}
+
+static int
+witness_dissect_element_IPaddrInfoList_addr(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+	offset = witness_dissect_struct_IPaddrInfo(tvb,offset,pinfo,tree,di,drep,hf_witness_witness_IPaddrInfoList_addr,0);
+
+	return offset;
+}
+
+int
+witness_dissect_struct_IPaddrInfoList(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_)
+{
+	proto_item *item = NULL;
+	proto_tree *tree = NULL;
+	gboolean oldalign = di->no_align;
+	int old_offset;
+	guint32 i, num;
+
+	di->no_align = TRUE;
+
+	old_offset = offset;
+
+	if (parent_tree) {
+		item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
+		tree = proto_item_add_subtree(item, ett_witness_witness_IPaddrInfoList);
+	}
+
+	offset = witness_dissect_element_IPaddrInfoList_length(tvb, offset, pinfo, tree, di, drep);
+
+	offset = witness_dissect_element_IPaddrInfoList_reserved(tvb, offset, pinfo, tree, di, drep);
+
+	num = tvb_get_letohl(tvb, offset);
+
+	offset = witness_dissect_element_IPaddrInfoList_num(tvb, offset, pinfo, tree, di, drep);
+
+	for (i = 0; i < num; i++) {
+		offset = witness_dissect_element_IPaddrInfoList_addr(tvb, offset, pinfo, tree, di, drep);
+	}
+
+	proto_item_set_len(item, offset-old_offset);
+
+	di->no_align = oldalign;
+
+	return offset;
+}
+
+static int
+witness_dissect_element_interfaceInfo_group_name(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *parent_tree, dcerpc_info *di _U_, guint8 *drep _U_)
+{
+	const gchar *str;
+	int len = 260;
+	guint16 bc = tvb_captured_length_remaining(tvb, offset);
+
+	str = get_unicode_or_ascii_string(tvb, &offset, TRUE, &len, TRUE, TRUE, &bc);
+
+	if (str) {
+		proto_item *pi;
+		pi = proto_tree_add_string(parent_tree, hf_witness_witness_interfaceInfo_group_name, tvb, offset, 2*260, str);
+		proto_item_append_text(pi, " [%d]", len);
+		proto_item_append_text(parent_tree, ": %s", str);
+
+	} else {
+	}
+
+	return offset + 2*260;
+}
+
+static int
+PIDL_dissect_ipv4address(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep _U_, int hfindex, guint32 param)
+{
+	if (di->conformant_run) {
+		/* just a run to handle conformant arrays, no scalars to dissect */
+		return offset;
+	}
+
+
+	if (!di->no_align && (offset % 4)) {
+		offset += 4 - (offset % 4);
+	}
+
+	proto_tree_add_item(tree, hfindex, tvb, offset, 4, ENC_BIG_ENDIAN);
+
+	if (param & PIDL_SET_COL_INFO) {
+		const char *ip = tvb_ip_to_str(tvb, offset);
+		header_field_info *hf_info = proto_registrar_get_nth(hfindex);
+
+		proto_item_append_text(proto_tree_get_parent(tree), " %s:%s", hf_info->name, ip);
+
+		col_append_fstr(pinfo->cinfo, COL_INFO," %s:%s", hf_info->name, ip);
+	}
+	return offset + 4;
+}
+
+static int
+PIDL_dissect_ipv6address(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep _U_, int hfindex, guint32 param)
+{
+	if (di->conformant_run) {
+		/* just a run to handle conformant arrays, no scalars to dissect */
+		return offset;
+	}
+
+
+	if (!di->no_align && (offset % 2)) {
+		offset += 2 - (offset % 2);
+	}
+
+	proto_tree_add_item(tree, hfindex, tvb, offset, 16, ENC_BIG_ENDIAN);
+
+	if (param & PIDL_SET_COL_INFO) {
+		const char *ip = tvb_ip6_to_str(tvb, offset);
+		header_field_info *hf_info = proto_registrar_get_nth(hfindex);
+
+		proto_item_append_text(proto_tree_get_parent(tree), " %s:%s", hf_info->name, ip);
+
+		col_append_fstr(pinfo->cinfo, COL_INFO," %s:%s", hf_info->name, ip);
+	}
+
+	return offset + 16;
+}
+
+CODE END
diff --git a/epan/dissectors/pidl/witness.idl b/epan/dissectors/pidl/witness.idl
new file mode 100644
index 0000000000..febae2524a
--- /dev/null
+++ b/epan/dissectors/pidl/witness.idl
@@ -0,0 +1,152 @@
+#include "idl_types.h"
+
+import "misc.idl";
+
+[
+  uuid("ccd8c074-d0e5-4a40-92b4-d074faa6ba28"),
+  version(1.1),
+  pointer_default(unique),
+  helpstring("SMB Witness Service"),
+  helper("../librpc/ndr/ndr_witness.h"),
+  endpoint("ncacn_ip_tcp:")
+]
+interface witness
+{
+	typedef [v1_enum] enum {
+		WITNESS_V1 = 0x00010001,
+		WITNESS_V2 = 0x00020000,
+		WITNESS_UNSPECIFIED_VERSION = 0xFFFFFFFF
+	} witness_version;
+
+	/*****************/
+	/* Function 0x00 */
+
+	typedef [enum16bit] enum {
+		WITNESS_STATE_UNKNOWN     = 0x00,
+		WITNESS_STATE_AVAILABLE   = 0x01,
+		WITNESS_STATE_UNAVAILABLE = 0xff
+	} witness_interfaceInfo_state;
+
+	typedef [bitmap32bit] bitmap {
+		WITNESS_INFO_IPv4_VALID = 0x01,
+		WITNESS_INFO_IPv6_VALID = 0x02,
+		WITNESS_INFO_WITNESS_IF = 0x04
+	} witness_interfaceInfo_flags;
+
+	typedef struct {
+		[charset(UTF16),to_null] uint16 group_name[260];
+		witness_version version;
+		witness_interfaceInfo_state state;
+		[flag(NDR_BIG_ENDIAN)] ipv4address ipv4;
+		[flag(NDR_BIG_ENDIAN)] ipv6address ipv6;
+		witness_interfaceInfo_flags flags;
+	} witness_interfaceInfo;
+
+	typedef struct {
+		uint32 num_interfaces;
+		[size_is(num_interfaces)] witness_interfaceInfo *interfaces;
+	} witness_interfaceList;
+
+	[public] WERROR witness_GetInterfaceList(
+		[out] witness_interfaceList **interface_list
+		);
+
+	/*****************/
+	/* Function 0x01 */
+
+	[public] WERROR witness_Register(
+		[out,ref] policy_handle *context_handle,
+		[in] witness_version version,
+		[in,unique,string,charset(UTF16)] uint16 *net_name,
+		[in,unique,string,charset(UTF16)] uint16 *ip_address,
+		[in,unique,string,charset(UTF16)] uint16 *client_computer_name
+		);
+
+	/*****************/
+	/* Function 0x02 */
+
+	[public] WERROR witness_UnRegister(
+		[in] policy_handle context_handle
+		);
+
+	/*****************/
+	/* Function 0x03 */
+
+	typedef [v1_enum,public] enum {
+		WITNESS_NOTIFY_RESOURCE_CHANGE = 1,
+		WITNESS_NOTIFY_CLIENT_MOVE     = 2,
+		WITNESS_NOTIFY_SHARE_MOVE      = 3,
+		WITNESS_NOTIFY_IP_CHANGE       = 4
+	} witness_notifyResponse_type;
+
+	typedef [v1_enum] enum {
+		WITNESS_RESOURCE_STATE_UNKNOWN     = 0x00,
+		WITNESS_RESOURCE_STATE_AVAILABLE   = 0x01,
+		WITNESS_RESOURCE_STATE_UNAVAILABLE = 0xff
+	} witness_ResourceChange_type;
+
+	typedef [flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN),gensize,public] struct {
+		[value(ndr_size_witness_ResourceChange(r,ndr->flags))] uint32 length;
+		witness_ResourceChange_type type;
+		nstring name;
+	} witness_ResourceChange;
+
+	typedef [bitmap32bit] bitmap {
+		WITNESS_IPADDR_V4      = 0x01,
+		WITNESS_IPADDR_V6      = 0x02,
+		WITNESS_IPADDR_ONLINE  = 0x08,
+		WITNESS_IPADDR_OFFLINE = 0x10
+	} witness_IPaddrInfo_flags;
+
+	typedef [flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN),gensize] struct {
+		witness_IPaddrInfo_flags flags;
+		ipv4address ipv4;
+		ipv6address ipv6;
+	} witness_IPaddrInfo;
+
+	typedef [flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN)] struct {
+		[value(r->num*ndr_size_witness_IPaddrInfo(r->addr, ndr->flags))] uint32 length;
+		[value(0)] uint32 reserved;
+		uint32 num;
+		witness_IPaddrInfo addr[num];
+	} witness_IPaddrInfoList;
+
+	typedef [public,switch_type(witness_notifyResponse_type),nodiscriminant, flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN)] union {
+		[case(WITNESS_NOTIFY_RESOURCE_CHANGE)] witness_ResourceChange resource_change;
+		[case(WITNESS_NOTIFY_CLIENT_MOVE)]     witness_IPaddrInfoList client_move;
+		[case(WITNESS_NOTIFY_SHARE_MOVE)]      witness_IPaddrInfoList share_move;
+		[case(WITNESS_NOTIFY_IP_CHANGE)]       witness_IPaddrInfoList ip_change;
+		[default,flag(NDR_REMAINING)]          DATA_BLOB data;
+	} witness_notifyResponse_message;
+
+	typedef [flag(NDR_PAHEX),gensize,public,nopush,nopull] struct {
+		witness_notifyResponse_type type;
+		[value(ndr_size_witness_notifyResponse(r, ndr->flags)-20)] uint32 length;
+		uint32 num;
+		[subcontext(4), subcontext_size(length), flag(NDR_REMAINING), switch_is(type)] witness_notifyResponse_message messages[num];
+	} witness_notifyResponse;
+
+	[public] WERROR witness_AsyncNotify(
+		[in] policy_handle context_handle,
+		[out] witness_notifyResponse **response
+		);
+
+	/*****************/
+	/* Function 0x04 */
+
+	typedef [bitmap32bit] bitmap {
+		WITNESS_REGISTER_NONE            = 0x00,
+		WITNESS_REGISTER_IP_NOTIFICATION = 0x01
+	} witness_RegisterEx_flags;
+
+	WERROR witness_RegisterEx(
+		[out,ref] policy_handle *context_handle,
+		[in] witness_version version,
+		[in,unique,string,charset(UTF16)] uint16 *net_name,
+		[in,unique,string,charset(UTF16)] uint16 *share_name,
+		[in,unique,string,charset(UTF16)] uint16 *ip_address,
+		[in,unique,string,charset(UTF16)] uint16 *client_computer_name,
+		[in] witness_RegisterEx_flags flags,
+		[in] uint32 timeout
+		);
+}