Age | Commit message | Author | Files | Lines |
|
svn path=/trunk/; revision=9735
|
|
handling encrypted request/response PDUs. Instead of having
dissection function pointers which perform both decryption and
dissection, the function pointers now only decrypt the DCERPC fragment
payload. Dissection is handled by the dcerpc_try_handoff() function
(with DCERPC fragment reassembly if necessary).
Details:
- Move the dcerpc_auth_info struct into dcerpc.h as it is now used in
the function prototype for the decryption function handlers.
- decode_encrypted_data() was refactored to take a boolean request
parameter instead of passing the DCERPC PDU packet type.
- A tvbuff_t * data field was added to dcerpc_auth to hold the
verifier. This is passed as an argument to the decryption function
handlers.
- Dissection of verifiers in request and response PDUs was moved to
before the payload.
- The dissect_dcerpc_cn_stub() function was refactored to perform
the decryption process and hand decrypted data to the reassembly
code instead of performing the decryption after reassembly.
- Removed references to decrypted_info_t as it's not necessary
anymore.
Code was tested using encrypted and unencrypted fragmented PDUs.
Before this commit ethereal could not dissect unencrypted (!)
fragmented PDUs correctly.
svn path=/trunk/; revision=8546
|
|
svn path=/trunk/; revision=8326
|
|
svn path=/trunk/; revision=8228
|
|
DCE_C_AUTHN_LEVEL_CONNECT.
svn path=/trunk/; revision=8042
|
|
to the dissector that handles the particular authentication flavour. This
gets rid of a couple of ugly switch statements and allows other authentication
modules to be written easily.
svn path=/trunk/; revision=8026
|
|
packet-smb-common.c so it can be used elsewhere.
Dissect a ntlmv2 response in a session setup SMB if detected.
svn path=/trunk/; revision=7655
|
|
svn path=/trunk/; revision=7648
|
|
svn path=/trunk/; revision=7647
|
|
http://ubiqx.org/cifs/SMB.html#8, para 2.8.5.3
Convert some magic numbers to constants in dissect_ntlmssp_address_list()
svn path=/trunk/; revision=7646
|
|
NULL, convert it to a copy of a null string, otherwise replace it with a
copy of the string, so that we know that the variable for the preference
always points to a string that can be freed.
That also obviates the need to worry about a null-pointer value for a
preference variable when checking to see whether a preference has changed.
When checking for a string preference not being set, check for an empty
string, not a null pointer - the above code turns null pointers into
pointers to empty strings, *and* the GUI code does (and always did!) the
same.
svn path=/trunk/; revision=7342
|
|
than using a fixed-size 1500-byte buffer.
Use memory chunks for ntlmssp_info and ntlmssp_packet_info structures,
and free up the chunks when we re-initialize the dissector.
svn path=/trunk/; revision=7277
|
|
we also call the proper DCERPC subdissector.
With this change ethereal will call the SAMR dissector and dissect the
decrypted SAMR packets in devins capture.
svn path=/trunk/; revision=6855
|
|
using NTLMSSP version 1.
Show stub data as such for all requests and replies where we can't
dissect the stub data as a request or reply for some DCERPC-based
protocol.
svn path=/trunk/; revision=6825
|
|
call to "gssapi_init_oid()" supplies both dissectors for context-level
tokens and GSS_Wrap header information; the latter dissector should
return the number of bytes of header information, so that if the header
information and the message for the protocol that's using GSSAPI are
treated as a single blob of data (as is the case with LDAP, but not with
DCE RPC, for example), the dissector for the protocol using GSSAPI knows
where to start dissecting.
We associate a pointer to the entire data structure for the OID, not the
handle for context-level token dissector for the OID, with conversations
and frames.
Make the dissector for NTLMSSP verifiers be the handler for GSS_Wrap
stuff for NTLMSSP, and add support for GSS_Wrap stuff for Kerberos.
Support SASL GSS-SPNEGO wrapping of LDAP messages. (XXX - this should
really check for GSS-SPNEGO.)
svn path=/trunk/; revision=6692
|
|
SMB" book.
svn path=/trunk/; revision=6598
|
|
message indicates whether the session key or flags are missing in an
AUTH message - and it appears that the session key can be present
without the flags.
For both fields, check whether the offset is after the offset of the
first data chunk and, if so, assume the field is missing.
This means we no longer need to remember the flags for a NEGOTIATE
message, so just remember them for a CHALLENGE message.
svn path=/trunk/; revision=6585
|
|
Fix the name of a field to begin with "ntlmssp".
svn path=/trunk/; revision=6582
|
|
messages, the value in the challenge message is what should be used to
determine how to dissect the auth message.
svn path=/trunk/; revision=6581
|
|
the end, although they're empty in all messages I've seen; put in a
comment noting that.
NTLMSSP_CHALLENGE messages sometimes don't appear to have the address
list; it doesn't seem to be indicated by:
- any flags in the previous NEGOTIATE message other than the
  Negotiation Workstation Supplied, Negotiate Domain Supplied, or
  Negotiate UNICODE, but it doesn't make sense for those to affect
  it, as they affect unrelated things;
- any flags in the CHALLENGE message other than Negotiate OEM or
  Negotiate UNICODE, but those don't make sense.
So we just check whether the address list descriptor would be in the
middle of the domain name string and, if so, assume it's absent.
NTLMSSP_AUTH messages sometimes lack both the session key and the
negotiate flags; that appears to be controlled by the Negotiate Key
Exchange flag in the initial NEGOTIATE message - if not set, those
fields are missing. We therefore remember the NEGOTIATE flags in a
conversation, and attach them to frames containing AUTH messages; we
also need those flags to determine whether the strings in the AUTH
message are Unicode or not.
Make lengths, maximum lengths, and offsets unsigned.
Display entries for empty blobs and address lists.
svn path=/trunk/; revision=6575
|
|
svn path=/trunk/; revision=6504
|
|
the unicode bit.
Also, it seems that the strings in the address list of a
NTLMSSP_CHALLENGE message are always in unicode, regardless of the
negotiated string type. I have a capture of win98 doing NTLM over
HTTP where the domain name is in ASCII but the address list is
unicode.
There is still a bug in the dissection of the NTLMSSP_AUTH message
where the flags value does not specify unicode but the
domain/user/host name is unicode. Perhaps the flags value for this
message aren't NTLMSSP flags?
Guy/Richard/jmayer, if you have any captures that show different
behaviour can you send them my way?
svn path=/trunk/; revision=6329
|
|
HTTP, but NTLMSSP_CHALLENGE appears twice in a session setup response
SPNEGO negTokenTarg, as the NTLMSSP message appears both in the
responseToken and mechListMIC fields.
svn path=/trunk/; revision=6328
|
|
dissect_ntlmssp_strings(). It seems that most versions of IE don't
set the workstation name and domain name in the NTLMSSP_NEGOTIATE
message when doing NTLM over HTTP.
svn path=/trunk/; revision=6327
|
|
svn path=/trunk/; revision=6302
|
|
in a negotiate.
svn path=/trunk/; revision=6276
|
|
NTLMSSP frame.
svn path=/trunk/; revision=6275
|
|
svn path=/trunk/; revision=6266
|
|
- strings are now in a subtree of a command, printing only the
text unless you go into the subtree (to see length, offset)
- generic blobs are the same as strings, only displayed in hex
- NTLMSSP challenge address lists are decoded
- a couple of unknown fields are now known
svn path=/trunk/; revision=6263
|
|
as an argument, and looks up that OID in the GSSAPI OID hash table.
Always use that routine to look up OIDs, so that we never use the result
of "format_oid()" as the key (as that doesn't necessarily work).
Make "gssapi_oids" static, as one should only look up GSSAPI
authentication mechanism OIDs with "gssapi_lookup_oid()".
In the SPNEGO dissector, free up the OID strings when we're done with
them, and don't advance the offset past the OID until after we put the
OID into the protocol tree.
svn path=/trunk/; revision=6228
|
|
svn path=/trunk/; revision=6219
|
|
svn path=/trunk/; revision=6180
|
|
svn path=/trunk/; revision=6172
|
|
registered dissector name; that means you don't have to register a
dissector by name to associate it with a GSS-API security mechanism OID.
svn path=/trunk/; revision=6163
|
|
don't abort dissection of the entire packet if we get a
ReportedBoundsError while dissecting an authentication blob - the
authentication blob might be in the middle of a packet, and if it's too
short, that doesn't mean that the stuff *after* it shouldn't be
dissected.
A length of "-1" when adding items that have variable-length data
(FT_NONE, FT_PROTOCOL, FT_BYTES, and FT_STRING; this includes stuff
added with "proto_tree_add_text()") means "to the end of the tvbuff"; we
don't need to fetch the length of the tvbuff and use that.
svn path=/trunk/; revision=6161
|
|
svn path=/trunk/; revision=6142
|
|
contains.
svn path=/trunk/; revision=6133
|
|
winapi_cleanup tool written by Patrik Stridvall for the wine
project.
svn path=/trunk/; revision=6117
|
|
epan/packet.c
It was cut and pasted into seven other dissectors!
svn path=/trunk/; revision=6052
|
|
Handle the case where "get_unicode_or_ascii_string()" returns a null
pointer (which can be the case if the length supplied is zero, which we
check for as per the above, but can also be the case for a Unicode
string if the length supplied is 1 byte).
Fix a call to "proto_tree_add_uint()" that was presumably supposed to be
a call to "proto_tree_add_item()".
svn path=/trunk/; revision=6015
|
|
svn path=/trunk/; revision=5977
|
|
the flags field in NTLMSSP messages as a 32-bit field.
Make "get_unicode_or_ascii_string()" take a "Unicode or not" flag rather
than a "packet_info *" as an argument, make it not static, and move it
to "packet-smb-common.c", so that it can be used by the SMB dissector
and the NTLMSSP dissector. Also get rid of some _U_'s that are applied
to arguments that are, in fact, used.
svn path=/trunk/; revision=5976
|
|
equivalents for the toplevel directory. The removal of winsock2.h will
hopefully not cause any problems under MSVC++, as those files using
struct timeval still include wtap.h, which still includes winsock2.h.
svn path=/trunk/; revision=5932
|
|
Show an authentication message's contents as "Unknown contents", not as
an "Unrecognized NTLMSSP Message".
svn path=/trunk/; revision=5854
|
|
svn path=/trunk/; revision=5850
|
|
dheitmueller@netilla.com.
svn path=/trunk/; revision=5848
|