authorRonnie Sahlberg <ronnie_sahlberg@ozemail.com.au>2005-03-10 10:16:49 +0000
committerRonnie Sahlberg <ronnie_sahlberg@ozemail.com.au>2005-03-10 10:16:49 +0000
commit8700645d5465babe0d0d095ff90c3d417690f080 (patch)
treed120c869b9fa43aa543636d8690c614632a937f6 /epan/dissectors
parent1564a2d2d33750ce7a3268d8b6134201a53a3946 (diff)
add support to decrypt and dissect sign-and-sealed traffic.
(cifs: dc's talking to eachother and when longhorn comes out: anyone wanting to talk dce to a dc!) ((this is an incredibly advanced feature well worthy of mentioning in NEWS)) svn path=/trunk/; revision=13690
Diffstat (limited to 'epan/dissectors')
-rw-r--r--epan/dissectors/packet-dcerpc.c17
-rw-r--r--epan/dissectors/packet-gssapi.c32
-rw-r--r--epan/dissectors/packet-gssapi.h6
-rw-r--r--epan/dissectors/packet-kerberos.c4
-rw-r--r--epan/dissectors/packet-ldap.c2
-rw-r--r--epan/dissectors/packet-ntlmssp.c2
-rw-r--r--epan/dissectors/packet-spnego.c37
7 files changed, 81 insertions, 19 deletions
diff --git a/epan/dissectors/packet-dcerpc.c b/epan/dissectors/packet-dcerpc.c
index e7498aa825..f600b0cf4e 100644
--- a/epan/dissectors/packet-dcerpc.c
+++ b/epan/dissectors/packet-dcerpc.c
@@ -2854,7 +2854,7 @@ dissect_dcerpc_cn_stub (tvbuff_t *tvb, int offset, packet_info *pinfo,
gboolean save_fragmented;
fragment_data *fd_head=NULL;
guint32 tot_len;
- tvbuff_t *payload_tvb, *decrypted_tvb;
+ tvbuff_t *auth_tvb, *payload_tvb, *decrypted_tvb;
proto_item *pi;
save_fragmented = pinfo->fragmented;
@@ -2872,6 +2872,17 @@ dissect_dcerpc_cn_stub (tvbuff_t *tvb, int offset, packet_info *pinfo,
length = reported_length;
payload_tvb = tvb_new_subset(tvb, offset, length, reported_length);
+ auth_tvb=NULL;
+ /*dont bother if we dont have the entire tvb */
+ /*XXX we should really make sure we calculate auth_info->auth_data
+ and use that one instead of this auth_tvb hack
+ */
+ if(tvb_length(tvb)==tvb_reported_length(tvb)){
+ if(tvb_length_remaining(tvb, offset+length)>8){
+ auth_tvb = tvb_new_subset(tvb, offset+length+8, -1, -1);
+ }
+ }
+
/* Decrypt the PDU if it is encrypted */
if (auth_info->auth_type &&
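Review bot: The `8` in `offset+length+8` and in the `>8` test is an unexplained constant, and the new auth_tvb runs from there to the end of the buffer instead of being sized from the auth length in the PDU header. If the 8 bytes are the fixed auth verifier header, say so with a comment or a named constant, for example `/* skip the 8-byte auth verifier header that follows the stub data */`. The XXX comment already calls this a hack; until auth_info carries the auth data, bounding the subset by the header's auth length (not visible in this hunk) would keep trailing bytes of a crafted PDU out of the token handed to the decryptor. auth_tvb is also built before the `auth_info->auth_type` test, so it is created for unauthenticated PDUs too. dissect_dcerpc_cn_stub starts and ends outside the hunk.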
@@ -2889,9 +2900,9 @@ dissect_dcerpc_cn_stub (tvbuff_t *tvb, int offset, packet_info *pinfo,
if ((auth_fns = get_auth_subdissector_fns(
auth_info->auth_level, auth_info->auth_type))) {
tvbuff_t *result;
-
+
result = decode_encrypted_data(
- payload_tvb, NULL, pinfo, auth_fns,
+ payload_tvb, auth_tvb, pinfo, auth_fns,
hdr->ptype == PDU_REQ, auth_info);
if (result) {
diff --git a/epan/dissectors/packet-gssapi.c b/epan/dissectors/packet-gssapi.c
index 85d456edb3..38df659cb8 100644
--- a/epan/dissectors/packet-gssapi.c
+++ b/epan/dissectors/packet-gssapi.c
@@ -202,6 +202,7 @@ dissect_gssapi_work(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
goto done;
}
+
if (!(cls == ASN1_APL && con == ASN1_CON && tag == 0)) {
/*
* If we do not recognise an Application class,
@@ -458,6 +459,37 @@ int wrap_dissect_gssapi_verf(tvbuff_t *tvb, int offset,
return dissect_gssapi_verf(auth_tvb, pinfo, tree);
}
+tvbuff_t *
+wrap_dissect_gssapi_payload(tvbuff_t *data_tvb,
+ tvbuff_t *auth_tvb,
+ int offset,
+ packet_info *pinfo,
+ dcerpc_auth_info *auth_info)
+{
+ tvbuff_t *result;
+
+ /* we need a full auth and a full data tvb or else we cant
+ decrypt anything
+ */
+ if((!auth_tvb)||(!data_tvb)){
+ return NULL;
+ }
+
+ pinfo->decrypt_gssapi_tvb=DECRYPT_GSSAPI_DCE;
+ pinfo->gssapi_wrap_tvb=NULL;
+ pinfo->gssapi_encrypted_tvb=data_tvb;
+ pinfo->gssapi_decrypted_tvb=NULL;
+ dissect_gssapi_verf(auth_tvb, pinfo, NULL);
+ result=pinfo->gssapi_decrypted_tvb;
+
+ pinfo->decrypt_gssapi_tvb=0;
+ pinfo->gssapi_wrap_tvb=NULL;
+ pinfo->gssapi_encrypted_tvb=NULL;
+ pinfo->gssapi_decrypted_tvb=NULL;
+
+ return result;
+}
+
static dcerpc_auth_subdissector_fns gssapi_auth_fns = {
wrap_dissect_gssapi, /* Bind */
wrap_dissect_gssapi, /* Bind ACK */
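Review bot: The decrypt state written to pinfo before `dissect_gssapi_verf(auth_tvb, pinfo, NULL)` is cleared only on the normal return path of wrap_dissect_gssapi_payload. If that call can raise a bounds exception on a short or malformed verifier, as the tvb accessors in this code base generally do, `decrypt_gssapi_tvb` stays at DECRYPT_GSSAPI_DCE and `gssapi_encrypted_tvb` keeps pointing at data_tvb for the rest of the frame. Catching around the call and always running the reset would keep one bad token from influencing later GSS-API dissection; the dissect_ldap_pdu hunks use the same set-then-clear sequence around call_dissector and may need the same treatment. Separately, `offset` and `auth_info` are unused and deserve a one-line comment saying they exist only to match the subdissector callback signature.

```c
	/* … unchanged: NULL checks and the four pinfo assignments … */
	TRY {
		dissect_gssapi_verf(auth_tvb, pinfo, NULL);
		result=pinfo->gssapi_decrypted_tvb;
	}
	CATCH_ALL {
		/* a truncated or malformed verifier means "could not
		   decrypt"; fall through so the state below is still reset */
		result=NULL;
	}
	ENDTRY;
	/* … unchanged: reset of the four pinfo fields, return result … */
```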
diff --git a/epan/dissectors/packet-gssapi.h b/epan/dissectors/packet-gssapi.h
index 761b8b4c1d..7bf2ced0f9 100644
--- a/epan/dissectors/packet-gssapi.h
+++ b/epan/dissectors/packet-gssapi.h
@@ -49,4 +49,10 @@ int wrap_dissect_gssapi_verf(tvbuff_t *tvb, int offset,
packet_info *pinfo,
proto_tree *tree, guint8 *drep);
+tvbuff_t *wrap_dissect_gssapi_payload(tvbuff_t *data_tvb,
+ tvbuff_t *auth_tvb,
+ int offset,
+ packet_info *pinfo,
+ dcerpc_auth_info *auth_info);
+
#endif /* __PACKET_GSSAPI_H */
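Review bot: The new prototype names `dcerpc_auth_info`, a type this header does not appear to declare or include (the top of the file is outside the hunk), so packet-gssapi.h now compiles only when packet-dcerpc.h has been included first. The packet-ntlmssp.c and packet-spnego.c hunks in this commit work around that by reordering or adding includes. Adding `#include "packet-dcerpc.h"` inside the include guard would make the header self-contained and remove the ordering dependency.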
diff --git a/epan/dissectors/packet-kerberos.c b/epan/dissectors/packet-kerberos.c
index f5d2ee38ac..11d29cd68a 100644
--- a/epan/dissectors/packet-kerberos.c
+++ b/epan/dissectors/packet-kerberos.c
@@ -4373,8 +4373,8 @@ static dcerpc_auth_subdissector_fns gss_kerb_auth_fns = {
NULL, /* AUTH3 */
wrap_dissect_gssapi_verf, /* Request verifier */
wrap_dissect_gssapi_verf, /* Response verifier */
- NULL, /* Request data */
- NULL /* Response data */
+ wrap_dissect_gssapi_payload, /* Request data */
+ wrap_dissect_gssapi_payload /* Response data */
};
diff --git a/epan/dissectors/packet-ldap.c b/epan/dissectors/packet-ldap.c
index a998acff2f..dfafa85e7e 100644
--- a/epan/dissectors/packet-ldap.c
+++ b/epan/dissectors/packet-ldap.c
@@ -2572,6 +2572,7 @@ dissect_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean i
/* Attempt decryption of the GSSAPI wrapped data if possible */
pinfo->decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL;
+ pinfo->gssapi_wrap_tvb=NULL;
pinfo->gssapi_encrypted_tvb=NULL;
pinfo->gssapi_decrypted_tvb=NULL;
len = call_dissector(gssapi_wrap_handle, next_tvb, pinfo, gtree);
@@ -2583,6 +2584,7 @@ dissect_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean i
}
/* tidy up */
pinfo->decrypt_gssapi_tvb=0;
+ pinfo->gssapi_wrap_tvb=NULL;
pinfo->gssapi_encrypted_tvb=NULL;
pinfo->gssapi_decrypted_tvb=NULL;
diff --git a/epan/dissectors/packet-ntlmssp.c b/epan/dissectors/packet-ntlmssp.c
index 6a595a94b1..0774db0ac3 100644
--- a/epan/dissectors/packet-ntlmssp.c
+++ b/epan/dissectors/packet-ntlmssp.c
@@ -37,13 +37,13 @@
#include "packet-windows-common.h"
#include "packet-smb-common.h"
#include <epan/asn1.h> /* XXX - needed for subid_t */
-#include "packet-gssapi.h"
#include "packet-frame.h"
#include <epan/prefs.h>
#include <epan/crypt-rc4.h>
#include <epan/crypt-md4.h>
#include <epan/crypt-des.h>
#include "packet-dcerpc.h"
+#include "packet-gssapi.h"
#include "packet-ntlmssp.h"
diff --git a/epan/dissectors/packet-spnego.c b/epan/dissectors/packet-spnego.c
index 54f51f1cba..e0f7907274 100644
--- a/epan/dissectors/packet-spnego.c
+++ b/epan/dissectors/packet-spnego.c
@@ -42,6 +42,7 @@
#include <epan/asn1.h>
#include "format-oid.h"
+#include "packet-dcerpc.h"
#include "packet-gssapi.h"
#include "packet-kerberos.h"
#include <epan/crypt-rc4.h>
@@ -532,7 +533,6 @@ gssapi_verify_pad(unsigned char *wrapped_data, int wrapped_length,
return 0;
}
-#ifdef HAVE_HEIMDAL_KERBEROS
static int
decrypt_arcfour(packet_info *pinfo,
char *input_message_buffer,
@@ -625,34 +625,45 @@ decrypt_arcfour(packet_info *pinfo,
}
memset(k6_data, 0, sizeof(k6_data));
- ret = gssapi_verify_pad(output_message_buffer,datalen,datalen, &padlen);
- if (ret) {
- return 9;
+ /* only normal (i.e. non DCE style wrapping use padding ? */
+ if(pinfo->decrypt_gssapi_tvb==DECRYPT_GSSAPI_NORMAL){
+ ret = gssapi_verify_pad(output_message_buffer,datalen,datalen, &padlen);
+ if (ret) {
+ return 9;
+ }
+ } else {
+ padlen=0;
}
datalen -= padlen;
- ret = arcfour_mic_cksum(key_value, key_size,
+ /* dont know what the checksum looks like for dce style gssapi */
+ if(pinfo->decrypt_gssapi_tvb==DECRYPT_GSSAPI_NORMAL){
+ ret = arcfour_mic_cksum(key_value, key_size,
KRB5_KU_USAGE_SEAL,
cksum_data,
tvb_get_ptr(pinfo->gssapi_wrap_tvb, 0, 8), 8,
Confounder, sizeof(Confounder),
output_message_buffer,
datalen + padlen);
- if (ret) {
- return 10;
- }
+ if (ret) {
+ return 10;
+ }
- cmp = memcmp(cksum_data,
- tvb_get_ptr(pinfo->gssapi_wrap_tvb, 16, 8),
- 8); /* SGN_CKSUM */
- if (cmp) {
- return 11;
+ cmp = memcmp(cksum_data,
+ tvb_get_ptr(pinfo->gssapi_wrap_tvb, 16, 8),
+ 8); /* SGN_CKSUM */
+ if (cmp) {
+ return 11;
+ }
}
return 0;
}
+
+
+#ifdef HAVE_HEIMDAL_KERBEROS
#include <krb5.h>
static void
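Review bot: For DCE-style wrapping the new branches skip both `gssapi_verify_pad` and the `arcfour_mic_cksum`/`memcmp` comparison, so decrypt_arcfour reaches `return 0` without checking that the key produced valid plaintext. If the caller (outside this hunk) treats 0 as "decrypted with the right key", a wrong key yields RC4 garbage that is passed on for dissection as if it were cleartext. Until the DCE checksum layout is known, state that at the return, for example `/* DCE style: SGN_CKSUM not verified, 0 does not prove the key was right */`, or return a distinct value for the unverified case. The comment `/* only normal (i.e. non DCE style wrapping use padding ? */` has an unbalanced parenthesis and would read better as `/* XXX only normal (non-DCE) wrapping appears to use padding */`. decrypt_arcfour starts above this hunk.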