From 30a69454dbbf8adebd66b815ed203e09f896ed4c Mon Sep 17 00:00:00 2001 From: Ronnie Sahlberg Date: Fri, 2 Dec 2005 10:41:46 +0000 Subject: add work in progress asn2eth generated ldap dissector from AndersB's email of Nov 15 it is checked in but not copied to epan/dissectors so that those interested can work on it until it gets ready to replace the old one. svn path=/trunk/; revision=16649 --- .../Lightweight-Directory-Access-Protocol-V3.asn | 346 +++++++++ ...ghtweight-Directory-Access-Protocol-V3.asn.orig | 346 +++++++++ asn1/ldap/Makefile.nmake | 42 ++ asn1/ldap/README | 7 + asn1/ldap/ldap.cnf | 38 + asn1/ldap/packet-ldap-template.c | 770 +++++++++++++++++++++ asn1/ldap/packet-ldap-template.h | 94 +++ 7 files changed, 1643 insertions(+) create mode 100755 asn1/ldap/Lightweight-Directory-Access-Protocol-V3.asn create mode 100755 asn1/ldap/Lightweight-Directory-Access-Protocol-V3.asn.orig create mode 100755 asn1/ldap/Makefile.nmake create mode 100644 asn1/ldap/README create mode 100755 asn1/ldap/ldap.cnf create mode 100755 asn1/ldap/packet-ldap-template.c create mode 100755 asn1/ldap/packet-ldap-template.h (limited to 'asn1/ldap') diff --git a/asn1/ldap/Lightweight-Directory-Access-Protocol-V3.asn b/asn1/ldap/Lightweight-Directory-Access-Protocol-V3.asn new file mode 100755 index 0000000000..e85cb4fe5e --- /dev/null +++ b/asn1/ldap/Lightweight-Directory-Access-Protocol-V3.asn @@ -0,0 +1,346 @@ +-- Module Lightweight-Directory-Access-Protocol-V3 (RFC 2251:12/1997) +Lightweight-Directory-Access-Protocol-V3 +-- +-- Copyright (C) The Internet Society (1997). This version of +-- this ASN.1 module is part of RFC 2251; +-- see the RFC itself for full legal notices. +-- +DEFINITIONS IMPLICIT TAGS ::= +BEGIN + +LDAPMessage ::= SEQUENCE { + messageID MessageID, + protocolOp + CHOICE {bindRequest BindRequest, + bindResponse BindResponse, + unbindRequest UnbindRequest, + searchRequest SearchRequest, + searchResEntry SearchResultEntry, + searchResDone SearchResultDone, + searchResRef SearchResultReference, + modifyRequest ModifyRequest, + modifyResponse ModifyResponse, + addRequest AddRequest, + addResponse AddResponse, + delRequest DelRequest, + delResponse DelResponse, + modDNRequest ModifyDNRequest, + modDNResponse ModifyDNResponse, + compareRequest CompareRequest, + compareResponse CompareResponse, + abandonRequest AbandonRequest, + extendedReq ExtendedRequest, + extendedResp ExtendedResponse}, + controls [0] Controls OPTIONAL +} + +MessageID ::= INTEGER(0..maxInt) + +maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) + +LDAPString ::= OCTET STRING + +LDAPOID ::= OCTET STRING + +LDAPDN ::= LDAPString + +RelativeLDAPDN ::= LDAPString + +AttributeType ::= LDAPString + +AttributeDescription ::= LDAPString + +AttributeDescriptionList ::= SEQUENCE OF AttributeDescription + +AttributeValue ::= OCTET STRING + +AttributeValueAssertion ::= SEQUENCE { + attributeDesc AttributeDescription, + assertionValue AssertionValue +} + +AssertionValue ::= OCTET STRING + +Attribute ::= SEQUENCE {type AttributeDescription, + vals SET OF AttributeValue +} + +MatchingRuleId ::= LDAPString + +LDAPResult ::= SEQUENCE { + resultCode + ENUMERATED {success(0), operationsError(1), protocolError(2), + timeLimitExceeded(3), sizeLimitExceeded(4), compareFalse(5), + compareTrue(6), authMethodNotSupported(7), + strongAuthRequired(8), + -- 9 reserved + referral(10),-- new-- adminLimitExceeded(11),-- new-- + unavailableCriticalExtension(12),-- new-- + confidentialityRequired(13),-- new-- + saslBindInProgress(14),-- new-- noSuchAttribute(16), + undefinedAttributeType(17), inappropriateMatching(18), + constraintViolation(19), attributeOrValueExists(20), + invalidAttributeSyntax(21), + -- 22-31 unused + noSuchObject(32), aliasProblem(33), + invalidDNSyntax(34), + -- 35 reserved for undefined isLeaf + aliasDereferencingProblem(36), + -- 37-47 unused + inappropriateAuthentication(48), invalidCredentials(49), + insufficientAccessRights(50), busy(51), unavailable(52), + unwillingToPerform(53), + loopDetect(54), + -- 55-63 unused + namingViolation(64), objectClassViolation(65), + notAllowedOnNonLeaf(66), notAllowedOnRDN(67), + entryAlreadyExists(68), + objectClassModsProhibited(69), + -- 70 reserved for CLDAP + affectsMultipleDSAs(71),-- new-- + -- 72-79 unused + other(80)}, + -- 81-90 reserved for APIs + matchedDN LDAPDN, + errorMessage ErrorMessage, + referral [3] Referral OPTIONAL +} + +Referral ::= SEQUENCE OF LDAPURL + +LDAPURL ::= LDAPString -- limited to characters permitted in URLs + +Controls ::= SEQUENCE OF Control + +Control ::= SEQUENCE { + controlType ControlType, + criticality BOOLEAN DEFAULT FALSE, + controlValue OCTET STRING OPTIONAL +} + +ControlType ::= LDAPOID + +BindRequest ::= [APPLICATION 0] SEQUENCE { + version INTEGER(1..127), + name LDAPDN, + authentication AuthenticationChoice +} + +AuthenticationChoice ::= CHOICE { + simple [0] OCTET STRING, + -- 1 and 2 reserved + sasl [3] SaslCredentials +} + +SaslCredentials ::= SEQUENCE { + mechanism Mechanism, + credentials OCTET STRING OPTIONAL +} + +Mechanism ::= LDAPString + +BindResponse ::= [APPLICATION 1] SEQUENCE { +-- COMPONENTS OF LDAPResult, + resultCode + ENUMERATED {success(0), operationsError(1), protocolError(2), + timeLimitExceeded(3), sizeLimitExceeded(4), compareFalse(5), + compareTrue(6), authMethodNotSupported(7), + strongAuthRequired(8), + -- 9 reserved + referral(10),-- new-- adminLimitExceeded(11),-- new-- + unavailableCriticalExtension(12),-- new-- + confidentialityRequired(13),-- new-- + saslBindInProgress(14),-- new-- noSuchAttribute(16), + undefinedAttributeType(17), inappropriateMatching(18), + constraintViolation(19), attributeOrValueExists(20), + invalidAttributeSyntax(21), + -- 22-31 unused + noSuchObject(32), aliasProblem(33), + invalidDNSyntax(34), + -- 35 reserved for undefined isLeaf + aliasDereferencingProblem(36), + -- 37-47 unused + inappropriateAuthentication(48), invalidCredentials(49), + insufficientAccessRights(50), busy(51), unavailable(52), + unwillingToPerform(53), + loopDetect(54), + -- 55-63 unused + namingViolation(64), objectClassViolation(65), + notAllowedOnNonLeaf(66), notAllowedOnRDN(67), + entryAlreadyExists(68), + objectClassModsProhibited(69), + -- 70 reserved for CLDAP + affectsMultipleDSAs(71),-- new-- + -- 72-79 unused + other(80)}, + -- 81-90 reserved for APIs + matchedDN LDAPDN, + errorMessage ErrorMessage, + referral [3] Referral OPTIONAL, + +-- end of components + serverSaslCreds [7] OCTET STRING OPTIONAL +} + +ErrorMessage ::= LDAPString + +UnbindRequest ::= [APPLICATION 2] NULL + +SearchRequest ::= [APPLICATION 3] SEQUENCE { + baseObject LDAPDN, + scope ENUMERATED {baseObject(0), singleLevel(1), wholeSubtree(2)}, + derefAliases + ENUMERATED {neverDerefAliases(0), derefInSearching(1), + derefFindingBaseObj(2), derefAlways(3)}, + sizeLimit INTEGER(0..maxInt), + timeLimit INTEGER(0..maxInt), + typesOnly BOOLEAN, + filter Filter, + attributes AttributeDescriptionList +} + +Filter ::= CHOICE { + and [0] SET OF Filter, + or [1] SET OF Filter, + not [2] Filter, + equalityMatch [3] AttributeValueAssertion, + substrings [4] SubstringFilter, + greaterOrEqual [5] AttributeValueAssertion, + lessOrEqual [6] AttributeValueAssertion, + present [7] AttributeDescription, + approxMatch [8] AttributeValueAssertion, + extensibleMatch [9] MatchingRuleAssertion +} + +SubstringFilter ::= SEQUENCE { + type AttributeDescription, + -- at least one must be present + substrings + SEQUENCE OF + CHOICE {initial [0] LDAPString, + any [1] LDAPString, + final [2] LDAPString} +} + +MatchingRuleAssertion ::= SEQUENCE { + matchingRule [1] MatchingRuleId OPTIONAL, + type [2] AttributeDescription OPTIONAL, + matchValue [3] AssertionValue, + dnAttributes [4] BOOLEAN DEFAULT FALSE +} + +SearchResultEntry ::= [APPLICATION 4] SEQUENCE { + objectName LDAPDN, + attributes PartialAttributeList +} + +PartialAttributeList ::= + SEQUENCE OF SEQUENCE {type AttributeDescription, + vals SET OF AttributeValue} + +SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL + +SearchResultDone ::= [APPLICATION 5] LDAPResult + +ModifyRequest ::= [APPLICATION 6] SEQUENCE { + object LDAPDN, + modification + SEQUENCE OF + SEQUENCE {operation ENUMERATED {add(0), delete(1), replace(2)}, + modification AttributeTypeAndValues} +} + +AttributeTypeAndValues ::= SEQUENCE { + type AttributeDescription, + vals SET OF AttributeValue +} + +ModifyResponse ::= [APPLICATION 7] LDAPResult + +AddRequest ::= [APPLICATION 8] SEQUENCE { + entry LDAPDN, + attributes AttributeList +} + +AttributeList ::= + SEQUENCE OF SEQUENCE {type AttributeDescription, + vals SET OF AttributeValue} + +AddResponse ::= [APPLICATION 9] LDAPResult + +DelRequest ::= [APPLICATION 10] LDAPDN + +DelResponse ::= [APPLICATION 11] LDAPResult + +ModifyDNRequest ::= [APPLICATION 12] SEQUENCE { + entry LDAPDN, + newrdn RelativeLDAPDN, + deleteoldrdn BOOLEAN, + newSuperior [0] LDAPDN OPTIONAL +} + +ModifyDNResponse ::= [APPLICATION 13] LDAPResult + +CompareRequest ::= [APPLICATION 14] SEQUENCE { + entry LDAPDN, + ava AttributeValueAssertion +} + +CompareResponse ::= [APPLICATION 15] LDAPResult + +AbandonRequest ::= [APPLICATION 16] MessageID + +ExtendedRequest ::= [APPLICATION 23] SEQUENCE { + requestName [0] LDAPOID, + requestValue [1] OCTET STRING OPTIONAL +} + +ExtendedResponse ::= [APPLICATION 24] SEQUENCE { +-- COMPONENTS OF LDAPResult, + resultCode + ENUMERATED {success(0), operationsError(1), protocolError(2), + timeLimitExceeded(3), sizeLimitExceeded(4), compareFalse(5), + compareTrue(6), authMethodNotSupported(7), + strongAuthRequired(8), + -- 9 reserved + referral(10),-- new-- adminLimitExceeded(11),-- new-- + unavailableCriticalExtension(12),-- new-- + confidentialityRequired(13),-- new-- + saslBindInProgress(14),-- new-- noSuchAttribute(16), + undefinedAttributeType(17), inappropriateMatching(18), + constraintViolation(19), attributeOrValueExists(20), + invalidAttributeSyntax(21), + -- 22-31 unused + noSuchObject(32), aliasProblem(33), + invalidDNSyntax(34), + -- 35 reserved for undefined isLeaf + aliasDereferencingProblem(36), + -- 37-47 unused + inappropriateAuthentication(48), invalidCredentials(49), + insufficientAccessRights(50), busy(51), unavailable(52), + unwillingToPerform(53), + loopDetect(54), + -- 55-63 unused + namingViolation(64), objectClassViolation(65), + notAllowedOnNonLeaf(66), notAllowedOnRDN(67), + entryAlreadyExists(68), + objectClassModsProhibited(69), + -- 70 reserved for CLDAP + affectsMultipleDSAs(71),-- new-- + -- 72-79 unused + other(80)}, + -- 81-90 reserved for APIs + matchedDN LDAPDN, + errorMessage ErrorMessage, + referral [3] Referral OPTIONAL, +-- end of COMPONENTS + responseName [10] ResponseName OPTIONAL, + response [11] OCTET STRING OPTIONAL +} + +ResponseName ::= LDAPOID + +END + +-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D + diff --git a/asn1/ldap/Lightweight-Directory-Access-Protocol-V3.asn.orig b/asn1/ldap/Lightweight-Directory-Access-Protocol-V3.asn.orig new file mode 100755 index 0000000000..e85cb4fe5e --- /dev/null +++ b/asn1/ldap/Lightweight-Directory-Access-Protocol-V3.asn.orig @@ -0,0 +1,346 @@ +-- Module Lightweight-Directory-Access-Protocol-V3 (RFC 2251:12/1997) +Lightweight-Directory-Access-Protocol-V3 +-- +-- Copyright (C) The Internet Society (1997). This version of +-- this ASN.1 module is part of RFC 2251; +-- see the RFC itself for full legal notices. +-- +DEFINITIONS IMPLICIT TAGS ::= +BEGIN + +LDAPMessage ::= SEQUENCE { + messageID MessageID, + protocolOp + CHOICE {bindRequest BindRequest, + bindResponse BindResponse, + unbindRequest UnbindRequest, + searchRequest SearchRequest, + searchResEntry SearchResultEntry, + searchResDone SearchResultDone, + searchResRef SearchResultReference, + modifyRequest ModifyRequest, + modifyResponse ModifyResponse, + addRequest AddRequest, + addResponse AddResponse, + delRequest DelRequest, + delResponse DelResponse, + modDNRequest ModifyDNRequest, + modDNResponse ModifyDNResponse, + compareRequest CompareRequest, + compareResponse CompareResponse, + abandonRequest AbandonRequest, + extendedReq ExtendedRequest, + extendedResp ExtendedResponse}, + controls [0] Controls OPTIONAL +} + +MessageID ::= INTEGER(0..maxInt) + +maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) + +LDAPString ::= OCTET STRING + +LDAPOID ::= OCTET STRING + +LDAPDN ::= LDAPString + +RelativeLDAPDN ::= LDAPString + +AttributeType ::= LDAPString + +AttributeDescription ::= LDAPString + +AttributeDescriptionList ::= SEQUENCE OF AttributeDescription + +AttributeValue ::= OCTET STRING + +AttributeValueAssertion ::= SEQUENCE { + attributeDesc AttributeDescription, + assertionValue AssertionValue +} + +AssertionValue ::= OCTET STRING + +Attribute ::= SEQUENCE {type AttributeDescription, + vals SET OF AttributeValue +} + +MatchingRuleId ::= LDAPString + +LDAPResult ::= SEQUENCE { + resultCode + ENUMERATED {success(0), operationsError(1), protocolError(2), + timeLimitExceeded(3), sizeLimitExceeded(4), compareFalse(5), + compareTrue(6), authMethodNotSupported(7), + strongAuthRequired(8), + -- 9 reserved + referral(10),-- new-- adminLimitExceeded(11),-- new-- + unavailableCriticalExtension(12),-- new-- + confidentialityRequired(13),-- new-- + saslBindInProgress(14),-- new-- noSuchAttribute(16), + undefinedAttributeType(17), inappropriateMatching(18), + constraintViolation(19), attributeOrValueExists(20), + invalidAttributeSyntax(21), + -- 22-31 unused + noSuchObject(32), aliasProblem(33), + invalidDNSyntax(34), + -- 35 reserved for undefined isLeaf + aliasDereferencingProblem(36), + -- 37-47 unused + inappropriateAuthentication(48), invalidCredentials(49), + insufficientAccessRights(50), busy(51), unavailable(52), + unwillingToPerform(53), + loopDetect(54), + -- 55-63 unused + namingViolation(64), objectClassViolation(65), + notAllowedOnNonLeaf(66), notAllowedOnRDN(67), + entryAlreadyExists(68), + objectClassModsProhibited(69), + -- 70 reserved for CLDAP + affectsMultipleDSAs(71),-- new-- + -- 72-79 unused + other(80)}, + -- 81-90 reserved for APIs + matchedDN LDAPDN, + errorMessage ErrorMessage, + referral [3] Referral OPTIONAL +} + +Referral ::= SEQUENCE OF LDAPURL + +LDAPURL ::= LDAPString -- limited to characters permitted in URLs + +Controls ::= SEQUENCE OF Control + +Control ::= SEQUENCE { + controlType ControlType, + criticality BOOLEAN DEFAULT FALSE, + controlValue OCTET STRING OPTIONAL +} + +ControlType ::= LDAPOID + +BindRequest ::= [APPLICATION 0] SEQUENCE { + version INTEGER(1..127), + name LDAPDN, + authentication AuthenticationChoice +} + +AuthenticationChoice ::= CHOICE { + simple [0] OCTET STRING, + -- 1 and 2 reserved + sasl [3] SaslCredentials +} + +SaslCredentials ::= SEQUENCE { + mechanism Mechanism, + credentials OCTET STRING OPTIONAL +} + +Mechanism ::= LDAPString + +BindResponse ::= [APPLICATION 1] SEQUENCE { +-- COMPONENTS OF LDAPResult, + resultCode + ENUMERATED {success(0), operationsError(1), protocolError(2), + timeLimitExceeded(3), sizeLimitExceeded(4), compareFalse(5), + compareTrue(6), authMethodNotSupported(7), + strongAuthRequired(8), + -- 9 reserved + referral(10),-- new-- adminLimitExceeded(11),-- new-- + unavailableCriticalExtension(12),-- new-- + confidentialityRequired(13),-- new-- + saslBindInProgress(14),-- new-- noSuchAttribute(16), + undefinedAttributeType(17), inappropriateMatching(18), + constraintViolation(19), attributeOrValueExists(20), + invalidAttributeSyntax(21), + -- 22-31 unused + noSuchObject(32), aliasProblem(33), + invalidDNSyntax(34), + -- 35 reserved for undefined isLeaf + aliasDereferencingProblem(36), + -- 37-47 unused + inappropriateAuthentication(48), invalidCredentials(49), + insufficientAccessRights(50), busy(51), unavailable(52), + unwillingToPerform(53), + loopDetect(54), + -- 55-63 unused + namingViolation(64), objectClassViolation(65), + notAllowedOnNonLeaf(66), notAllowedOnRDN(67), + entryAlreadyExists(68), + objectClassModsProhibited(69), + -- 70 reserved for CLDAP + affectsMultipleDSAs(71),-- new-- + -- 72-79 unused + other(80)}, + -- 81-90 reserved for APIs + matchedDN LDAPDN, + errorMessage ErrorMessage, + referral [3] Referral OPTIONAL, + +-- end of components + serverSaslCreds [7] OCTET STRING OPTIONAL +} + +ErrorMessage ::= LDAPString + +UnbindRequest ::= [APPLICATION 2] NULL + +SearchRequest ::= [APPLICATION 3] SEQUENCE { + baseObject LDAPDN, + scope ENUMERATED {baseObject(0), singleLevel(1), wholeSubtree(2)}, + derefAliases + ENUMERATED {neverDerefAliases(0), derefInSearching(1), + derefFindingBaseObj(2), derefAlways(3)}, + sizeLimit INTEGER(0..maxInt), + timeLimit INTEGER(0..maxInt), + typesOnly BOOLEAN, + filter Filter, + attributes AttributeDescriptionList +} + +Filter ::= CHOICE { + and [0] SET OF Filter, + or [1] SET OF Filter, + not [2] Filter, + equalityMatch [3] AttributeValueAssertion, + substrings [4] SubstringFilter, + greaterOrEqual [5] AttributeValueAssertion, + lessOrEqual [6] AttributeValueAssertion, + present [7] AttributeDescription, + approxMatch [8] AttributeValueAssertion, + extensibleMatch [9] MatchingRuleAssertion +} + +SubstringFilter ::= SEQUENCE { + type AttributeDescription, + -- at least one must be present + substrings + SEQUENCE OF + CHOICE {initial [0] LDAPString, + any [1] LDAPString, + final [2] LDAPString} +} + +MatchingRuleAssertion ::= SEQUENCE { + matchingRule [1] MatchingRuleId OPTIONAL, + type [2] AttributeDescription OPTIONAL, + matchValue [3] AssertionValue, + dnAttributes [4] BOOLEAN DEFAULT FALSE +} + +SearchResultEntry ::= [APPLICATION 4] SEQUENCE { + objectName LDAPDN, + attributes PartialAttributeList +} + +PartialAttributeList ::= + SEQUENCE OF SEQUENCE {type AttributeDescription, + vals SET OF AttributeValue} + +SearchResultReference ::= [APPLICATION 19] SEQUENCE OF LDAPURL + +SearchResultDone ::= [APPLICATION 5] LDAPResult + +ModifyRequest ::= [APPLICATION 6] SEQUENCE { + object LDAPDN, + modification + SEQUENCE OF + SEQUENCE {operation ENUMERATED {add(0), delete(1), replace(2)}, + modification AttributeTypeAndValues} +} + +AttributeTypeAndValues ::= SEQUENCE { + type AttributeDescription, + vals SET OF AttributeValue +} + +ModifyResponse ::= [APPLICATION 7] LDAPResult + +AddRequest ::= [APPLICATION 8] SEQUENCE { + entry LDAPDN, + attributes AttributeList +} + +AttributeList ::= + SEQUENCE OF SEQUENCE {type AttributeDescription, + vals SET OF AttributeValue} + +AddResponse ::= [APPLICATION 9] LDAPResult + +DelRequest ::= [APPLICATION 10] LDAPDN + +DelResponse ::= [APPLICATION 11] LDAPResult + +ModifyDNRequest ::= [APPLICATION 12] SEQUENCE { + entry LDAPDN, + newrdn RelativeLDAPDN, + deleteoldrdn BOOLEAN, + newSuperior [0] LDAPDN OPTIONAL +} + +ModifyDNResponse ::= [APPLICATION 13] LDAPResult + +CompareRequest ::= [APPLICATION 14] SEQUENCE { + entry LDAPDN, + ava AttributeValueAssertion +} + +CompareResponse ::= [APPLICATION 15] LDAPResult + +AbandonRequest ::= [APPLICATION 16] MessageID + +ExtendedRequest ::= [APPLICATION 23] SEQUENCE { + requestName [0] LDAPOID, + requestValue [1] OCTET STRING OPTIONAL +} + +ExtendedResponse ::= [APPLICATION 24] SEQUENCE { +-- COMPONENTS OF LDAPResult, + resultCode + ENUMERATED {success(0), operationsError(1), protocolError(2), + timeLimitExceeded(3), sizeLimitExceeded(4), compareFalse(5), + compareTrue(6), authMethodNotSupported(7), + strongAuthRequired(8), + -- 9 reserved + referral(10),-- new-- adminLimitExceeded(11),-- new-- + unavailableCriticalExtension(12),-- new-- + confidentialityRequired(13),-- new-- + saslBindInProgress(14),-- new-- noSuchAttribute(16), + undefinedAttributeType(17), inappropriateMatching(18), + constraintViolation(19), attributeOrValueExists(20), + invalidAttributeSyntax(21), + -- 22-31 unused + noSuchObject(32), aliasProblem(33), + invalidDNSyntax(34), + -- 35 reserved for undefined isLeaf + aliasDereferencingProblem(36), + -- 37-47 unused + inappropriateAuthentication(48), invalidCredentials(49), + insufficientAccessRights(50), busy(51), unavailable(52), + unwillingToPerform(53), + loopDetect(54), + -- 55-63 unused + namingViolation(64), objectClassViolation(65), + notAllowedOnNonLeaf(66), notAllowedOnRDN(67), + entryAlreadyExists(68), + objectClassModsProhibited(69), + -- 70 reserved for CLDAP + affectsMultipleDSAs(71),-- new-- + -- 72-79 unused + other(80)}, + -- 81-90 reserved for APIs + matchedDN LDAPDN, + errorMessage ErrorMessage, + referral [3] Referral OPTIONAL, +-- end of COMPONENTS + responseName [10] ResponseName OPTIONAL, + response [11] OCTET STRING OPTIONAL +} + +ResponseName ::= LDAPOID + +END + +-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D + diff --git a/asn1/ldap/Makefile.nmake b/asn1/ldap/Makefile.nmake new file mode 100755 index 0000000000..b61dd6378e --- /dev/null +++ b/asn1/ldap/Makefile.nmake @@ -0,0 +1,42 @@ +## Use: $(MAKE) /$(MAKEFLAGS) -f makefile.nmake +# +# $Id: Makefile.nmake 13077 2005-01-16 23:26:02Z lroland $ + +include ../../config.nmake + +UNIX2DOS=$(PERL) ../../tools/unix2dos.pl + +PROTOCOL_NAME=ldap +DISSECTOR_FILES=packet-$(PROTOCOL_NAME).c packet-$(PROTOCOL_NAME).h + +all: generate_dissector + +generate_dissector: $(DISSECTOR_FILES) + +$(DISSECTOR_FILES): ../../tools/asn2eth.py Lightweight-Directory-Access-Protocol-V3.asn packet-ldap-template.c packet-ldap-template.h ldap.cnf +!IFDEF PYTHON + $(PYTHON) ../../tools/asn2eth.py -X -b -e -p $(PROTOCOL_NAME) -c ldap.cnf -s packet-ldap-template Lightweight-Directory-Access-Protocol-V3.asn +!ELSE + @echo Error: You need Python to use asn2eth.py + @exit 1 +!ENDIF + +clean: + rm -f parsetab.py $(DISSECTOR_FILES) + +# Fix EOL in generated dissectors. Cygwin's python generates files with +# mixed EOL styles, which can't be commited to the SVN repository. +# Stuff included from template and "cnf" files has "\r\n" on windows, while +# the generated stuff has "\n". + +fix_eol: generate_dissector + move packet-$(PROTOCOL_NAME).c packet-$(PROTOCOL_NAME).c.tmp + move packet-$(PROTOCOL_NAME).h packet-$(PROTOCOL_NAME).h.tmp + $(UNIX2DOS) < packet-$(PROTOCOL_NAME).c.tmp > packet-$(PROTOCOL_NAME).c + $(UNIX2DOS) < packet-$(PROTOCOL_NAME).h.tmp > packet-$(PROTOCOL_NAME).h + del /f packet-$(PROTOCOL_NAME).c.tmp packet-$(PROTOCOL_NAME).h.tmp + +copy_files: generate_dissector fix_eol + xcopy packet-$(PROTOCOL_NAME).c ..\..\epan\dissectors /d /y + xcopy packet-$(PROTOCOL_NAME).h ..\..\epan\dissectors /d /y + diff --git a/asn1/ldap/README b/asn1/ldap/README new file mode 100644 index 0000000000..f8acf6032f --- /dev/null +++ b/asn1/ldap/README @@ -0,0 +1,7 @@ +This is a work in progress to enhance and replace the existing ldap dissector with an asn2eth generated one. + +To test/use this work in progress dissector you will have to compile it with asn2eth and copy the resulting .c and .h files over to epan/dissectors. + +This dissector is not yet ready for public consumption and lacks many vital features of the existing ldap dissector such as CLDAP support. + + diff --git a/asn1/ldap/ldap.cnf b/asn1/ldap/ldap.cnf new file mode 100755 index 0000000000..3be33f9f85 --- /dev/null +++ b/asn1/ldap/ldap.cnf @@ -0,0 +1,38 @@ +# ros.cnf +# ros conformation file +# Copyright 2005 Anders Broman +# $Id:$ + + +#.PDU +LDAPMessage + +#.TYPE_RENAME + +BindResponse/resultCode BindResponse_resultCode +ExtendedResponse/resultCode ExtendedResponse_resultCode +ModifyRequest/modification ModifyRequest_modification + +#.FIELD_RENAME +BindResponse/resultCode bindResponse_resultCode +ExtendedResponse/resultCode extendedResponse_resultCode +SearchRequest/attributes searchRequest_attributes +SearchResultEntry/attributes searchResultEntry_attributes +ModifyRequest/modification modifyRequest_modification +SubstringFilter/substrings substringFilter_substrings + +#.TYPE_ATTR +LDAPDN TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL +RelativeLDAPDN TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL +AttributeType TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL +AttributeDescription TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL +MatchingRuleId TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL +ErrorMessage TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL +LDAPURL TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL +Mechanism TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL +ControlType TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL +ResponseName TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL + +#.FN_PARS MessageID VAL_PTR = &MessageID +#.FN_PARS AuthenticationChoice VAL_PTR = &AuthenticationChoice + diff --git a/asn1/ldap/packet-ldap-template.c b/asn1/ldap/packet-ldap-template.c new file mode 100755 index 0000000000..da73727748 --- /dev/null +++ b/asn1/ldap/packet-ldap-template.c @@ -0,0 +1,770 @@ +/* packet-ldap.c + * Routines for ldap packet dissection + * + * See RFC 1777 (LDAP v2), RFC 2251 (LDAP v3), and RFC 2222 (SASL). + * + * $Id: packet-ldap.c 16332 2005-10-27 08:50:42Z sahlberg $ + * + * Ethereal - Network traffic analyzer + * By Gerald Combs + * Copyright 1998 Gerald Combs + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/* + * This is not a complete implementation. It doesn't handle the full version 3, more specifically, + * it handles only the commands of version 2, but any additional characteristics of the ver3 command are supported. + * It's also missing extensible search filters. + * + * There should probably be alot more error checking, I simply assume that if we have a full packet, it will be a complete + * and correct packet. + * + * AFAIK, it will handle all messages used by the OpenLDAP 1.2.9 server and libraries which was my goal. I do plan to add + * the remaining commands as time permits but this is not a priority to me. Send me an email if you need it and I'll see what + * I can do. + * + * Doug Nazar + * nazard@dragoninc.on.ca + */ + +/* + * 11/11/2002 - Fixed problem when decoding LDAP with desegmentation enabled and the + * ASN.1 BER Universal Class Tag: "Sequence Of" header is encapsulated across 2 + * TCP segments. + * + * Ronald W. Henderson + * ronald.henderson@cognicaseusa.com + */ + +/* + * 20-JAN-2004 - added decoding of MS-CLDAP netlogon RPC + * using information from the SNIA 2003 conference paper : + * Active Directory Domain Controller Location Service + * by Anthony Liguori + * ronnie sahlberg + */ + +/* + * 17-DEC-2004 - added basic decoding for LDAP Controls + * 20-DEC-2004 - added handling for GSS-API encrypted blobs + * + * Stefan Metzmacher + * + * 15-NOV-2005 - Changed to use the asn2eth compiler + * Anders Broman + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include + +#include +#include +#include +#include +#include +#include + +#include "packet-frame.h" +#include "packet-ldap.h" + +#include "packet-ber.h" +#include "packet-per.h" + +#define PNAME "Lightweight-Directory-Access-Protocol" +#define PSNAME "LDAP" +#define PFNAME "ldap" + + + +static dissector_handle_t ldap_handle=NULL; + +/* Initialize the protocol and registered fields */ +static int ldap_tap = -1; +static int proto_ldap = -1; +static int proto_cldap = -1; + +static int hf_ldap_sasl_buffer_length = -1; + +#include "packet-ldap-hf.c" + +/* Initialize the subtree pointers */ +static gint ett_ldap = -1; +static gint ett_ldap_msg = -1; +static gint ett_ldap_sasl_blob = -1; +static guint ett_ldap_payload = -1; + +#include "packet-ldap-ett.c" + +/* desegmentation of LDAP */ +static gboolean ldap_desegment = TRUE; + +#define TCP_PORT_LDAP 389 +#define UDP_PORT_CLDAP 389 +#define TCP_PORT_GLOBALCAT_LDAP 3268 /* Windows 2000 Global Catalog */ + +static dissector_handle_t gssapi_handle; +static dissector_handle_t gssapi_wrap_handle; + + +/* different types of rpc calls ontop of ms cldap */ +#define MSCLDAP_RPC_NETLOGON 1 + + +/* + * Data structure attached to a conversation, giving authentication + * information from a bind request. + * We keep a linked list of them, so that we can free up all the + * authentication mechanism strings. + */ +typedef struct ldap_conv_info_t { + struct ldap_conv_info_t *next; + guint auth_type; /* authentication type */ + char *auth_mech; /* authentication mechanism */ + guint32 first_auth_frame; /* first frame that would use a security layer */ + GHashTable *unmatched; + GHashTable *matched; + gboolean is_mscldap; + gboolean first_time; +} ldap_conv_info_t; +static ldap_conv_info_t *ldap_info_items; + +static guint +ldap_info_hash_matched(gconstpointer k) +{ + const ldap_call_response_t *key = k; + + return key->messageId; +} + +static gint +ldap_info_equal_matched(gconstpointer k1, gconstpointer k2) +{ + const ldap_call_response_t *key1 = k1; + const ldap_call_response_t *key2 = k2; + + if( key1->req_frame && key2->req_frame && (key1->req_frame!=key2->req_frame) ){ + return 0; + } + if( key1->rep_frame && key2->rep_frame && (key1->rep_frame!=key2->rep_frame) ){ + return 0; + } + + return key1->messageId==key2->messageId; +} + +static guint +ldap_info_hash_unmatched(gconstpointer k) +{ + const ldap_call_response_t *key = k; + + return key->messageId; +} + +static gint +ldap_info_equal_unmatched(gconstpointer k1, gconstpointer k2) +{ + const ldap_call_response_t *key1 = k1; + const ldap_call_response_t *key2 = k2; + + return key1->messageId==key2->messageId; +} + +/* Global variables */ +guint32 MessageID; +guint32 AuthenticationChoice; + +#include "packet-ldap-fn.c" + +static void +dissect_ldap_payload(tvbuff_t *tvb, packet_info *pinfo, + proto_tree *tree, ldap_conv_info_t *ldap_info, + gboolean rest_is_pad, gboolean is_mscldap) +{ + int offset = 0; + gboolean first_time = TRUE; + guint length_remaining; + guint msg_len = 0; + int messageOffset = 0; + guint headerLength = 0; + guint length = 0; + tvbuff_t *msg_tvb = NULL; + proto_item *msg_item = NULL; + proto_tree *msg_tree = NULL; + gint8 class; + gboolean pc, ind = 0; + gint32 ber_tag; + + while (tvb_reported_length_remaining(tvb, offset) > 0) { + /* + * This will throw an exception if we don't have any data left. + * That's what we want. (See "tcp_dissect_pdus()", which is + * similar) + */ + length_remaining = tvb_ensure_length_remaining(tvb, offset); + + if (rest_is_pad && length_remaining < 6) return; + + /* + * The frame begins + * with a "Sequence Of" header. + * Can we do reassembly? + */ + if (ldap_desegment && pinfo->can_desegment) { + /* + * Yes - is the "Sequence Of" header split across segment + * boundaries? We require at least 6 bytes for the header + * which allows for a 4 byte length (ASN.1 BER). + */ + if (length_remaining < 6) { + /* stop if the caller says that we are given all data and the rest is padding + * this is for the SASL GSSAPI case when the data is only signed and not sealed + */ + pinfo->desegment_offset = offset; + pinfo->desegment_len = 6 - length_remaining; + return; + } + } + + /* + * OK, try to read the "Sequence Of" header; this gets the total + * length of the LDAP message. + */ + messageOffset = get_ber_identifier(tvb, offset, &class, &pc, &ber_tag); + messageOffset = get_ber_length(tree, tvb, messageOffset, &msg_len, &ind); + + if (ber_tag == BER_UNI_TAG_SEQUENCE) { + /* + * Add the length of the "Sequence Of" header to the message + * length. + */ + headerLength = messageOffset - offset; + msg_len += headerLength; + if (msg_len < headerLength) { + /* + * The message length was probably so large that the total length + * overflowed. + * + * Report this as an error. + */ + show_reported_bounds_error(tvb, pinfo, tree); + return; + } + } else { + /* + * We couldn't parse the header; just make it the amount of data + * remaining in the tvbuff, so we'll give up on this segment + * after attempting to parse the message - there's nothing more + * we can do. "dissect_ldap_message()" will display the error. + */ + msg_len = length_remaining; + } + + /* + * Is the message split across segment boundaries? + */ + if (length_remaining < msg_len) { + /* provide a hint to TCP where the next PDU starts */ + pinfo->want_pdu_tracking=2; + pinfo->bytes_until_next_pdu= msg_len - length_remaining; + /* + * Can we do reassembly? + */ + if (ldap_desegment && pinfo->can_desegment) { + /* + * Yes. Tell the TCP dissector where the data for this message + * starts in the data it handed us, and how many more bytes + * we need, and return. + */ + pinfo->desegment_offset = offset; + pinfo->desegment_len = msg_len - length_remaining; + return; + } + } + + /* + * Construct a tvbuff containing the amount of the payload we have + * available. Make its reported length the amount of data in the + * LDAP message. + * + * XXX - if reassembly isn't enabled. the subdissector will throw a + * BoundsError exception, rather than a ReportedBoundsError exception. + * We really want a tvbuff where the length is "length", the reported + * length is "plen", and the "if the snapshot length were infinite" + * length is the minimum of the reported length of the tvbuff handed + * to us and "plen", with a new type of exception thrown if the offset + * is within the reported length but beyond that third length, with + * that exception getting the "Unreassembled Packet" error. + */ + length = length_remaining; + if (length > msg_len) length = msg_len; + msg_tvb = tvb_new_subset(tvb, offset, length, msg_len); + + /* + * Now dissect the LDAP message. + */ + if (tree) { + msg_item = proto_tree_add_text(tree, msg_tvb, 0, msg_len, "LDAP Message"); + msg_tree = proto_item_add_subtree(msg_item, ett_ldap_msg); + } + + /*dissect_ldap_message(msg_tvb, 0, pinfo, msg_tree, msg_item, first_time, ldap_info, is_mscldap);*/ + ldap_info->first_time= first_time; + ldap_info->is_mscldap = is_mscldap; + pinfo->private_data = ldap_info; + dissect_LDAPMessage_PDU(msg_tvb, pinfo, msg_tree); + + + offset += msg_len; + + first_time = FALSE; + } +} + +static void +dissect_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean is_mscldap) +{ + int offset = 0; + conversation_t *conversation; + gboolean doing_sasl_security = FALSE; + guint length_remaining; + ldap_conv_info_t *ldap_info = NULL; + proto_item *ldap_item = NULL; + proto_tree *ldap_tree = NULL; + + /* + * Do we have a conversation for this connection? + */ + conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, + pinfo->ptype, pinfo->srcport, + pinfo->destport, 0); + if (conversation == NULL) { + /* We don't yet have a conversation, so create one. */ + conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, + pinfo->ptype, pinfo->srcport, + pinfo->destport, 0); + } + + /* + * Do we already have a type and mechanism? + */ + ldap_info = conversation_get_proto_data(conversation, proto_ldap); + if (ldap_info == NULL) { + /* No. Attach that information to the conversation, and add + * it to the list of information structures. + */ + ldap_info = se_alloc(sizeof(ldap_conv_info_t)); + ldap_info->auth_type = 0; + ldap_info->auth_mech = 0; + ldap_info->first_auth_frame = 0; + ldap_info->matched=g_hash_table_new(ldap_info_hash_matched, ldap_info_equal_matched); + ldap_info->unmatched=g_hash_table_new(ldap_info_hash_unmatched, ldap_info_equal_unmatched); + conversation_add_proto_data(conversation, proto_ldap, ldap_info); + ldap_info->next = ldap_info_items; + ldap_info_items = ldap_info; + } + + switch (ldap_info->auth_type) { + case LDAP_AUTH_SASL: + /* + * It's SASL; are we using a security layer? + */ + if (ldap_info->first_auth_frame != 0 && + pinfo->fd->num >= ldap_info->first_auth_frame) { + doing_sasl_security = TRUE; /* yes */ + } + } + + while (tvb_reported_length_remaining(tvb, offset) > 0) { + + /* + * This will throw an exception if we don't have any data left. + * That's what we want. (See "tcp_dissect_pdus()", which is + * similar, but doesn't have to deal with the SASL issues. + * XXX - can we make "tcp_dissect_pdus()" provide enough information + * to the "get_pdu_len" routine so that we could have one dealing + * with the SASL issues, have that routine deal with SASL and + * ASN.1, and just use "tcp_dissect_pdus()"?) + */ + length_remaining = tvb_ensure_length_remaining(tvb, offset); + + /* + * Try to find out if we have a plain LDAP buffer + * with a "Sequence Of" header or a SASL buffer with + * Can we do reassembly? + */ + if (ldap_desegment && pinfo->can_desegment) { + /* + * Yes - is the "Sequence Of" header split across segment + * boundaries? We require at least 6 bytes for the header + * which allows for a 4 byte length (ASN.1 BER). + * For the SASL case we need at least 4 bytes, so this is + * no problem here because we check for 6 bytes ans sasl buffers + * with less than 2 bytes should not exist... + */ + if (length_remaining < 6) { + pinfo->desegment_offset = offset; + pinfo->desegment_len = 6 - length_remaining; + return; + } + } + + /* It might still be a packet containing a SASL security layer + * but its just that we never saw the BIND packet. + * check if it looks like it could be a SASL blob here + * and in that case just assume it is GSS-SPNEGO + */ + if(!doing_sasl_security && (tvb_bytes_exist(tvb, offset, 5)) + &&(tvb_get_ntohl(tvb, offset)<=(guint)(tvb_reported_length_remaining(tvb, offset)-4)) + &&(tvb_get_guint8(tvb, offset+4)==0x60) ){ + ldap_info->auth_type=LDAP_AUTH_SASL; + ldap_info->first_auth_frame=pinfo->fd->num; + ldap_info->auth_mech=g_strdup("GSS-SPNEGO"); + doing_sasl_security=TRUE; + } + + /* + * This is the first PDU, set the Protocol column and clear the + * Info column. + */ + if (check_col(pinfo->cinfo, COL_PROTOCOL)) col_set_str(pinfo->cinfo, COL_PROTOCOL, pinfo->current_proto); + if (check_col(pinfo->cinfo, COL_INFO)) col_clear(pinfo->cinfo, COL_INFO); + + ldap_item = proto_tree_add_item(tree, proto_ldap, tvb, 0, -1, FALSE); + ldap_tree = proto_item_add_subtree(ldap_item, ett_ldap); + + /* + * Might we be doing a SASL security layer and, if so, *are* we doing + * one? + * + * Just because we've seen a bind reply for SASL, that doesn't mean + * that we're using a SASL security layer; I've seen captures in + * which some SASL negotiations lead to a security layer being used + * and other negotiations don't, and it's not obvious what's different + * in the two negotiations. Therefore, we assume that if the first + * byte is 0, it's a length for a SASL security layer (that way, we + * never reassemble more than 16 megabytes, protecting us from + * chewing up *too* much memory), and otherwise that it's an LDAP + * message (actually, if it's an LDAP message it should begin with 0x30, + * but we want to parse garbage as LDAP messages rather than really + * huge lengths). + */ + + if (doing_sasl_security && tvb_get_guint8(tvb, offset) == 0) { + proto_item *sasl_item = NULL; + proto_tree *sasl_tree = NULL; + tvbuff_t *sasl_tvb; + guint sasl_len, sasl_msg_len, length; + /* + * Yes. The frame begins with a 4-byte big-endian length. + * And we know we have at least 6 bytes + */ + + /* + * Get the SASL length, which is the length of data in the buffer + * following the length (i.e., it's 4 less than the total length). + * + * XXX - do we need to reassemble buffers? For now, we + * assume that each LDAP message is entirely contained within + * a buffer. + */ + sasl_len = tvb_get_ntohl(tvb, offset); + sasl_msg_len = sasl_len + 4; + if (sasl_msg_len < 4) { + /* + * The message length was probably so large that the total length + * overflowed. + * + * Report this as an error. + */ + show_reported_bounds_error(tvb, pinfo, tree); + return; + } + + /* + * Is the buffer split across segment boundaries? + */ + if (length_remaining < sasl_msg_len) { + /* provide a hint to TCP where the next PDU starts */ + pinfo->want_pdu_tracking = 2; + pinfo->bytes_until_next_pdu= sasl_msg_len - length_remaining; + /* + * Can we do reassembly? + */ + if (ldap_desegment && pinfo->can_desegment) { + /* + * Yes. Tell the TCP dissector where the data for this message + * starts in the data it handed us, and how many more bytes we + * need, and return. + */ + pinfo->desegment_offset = offset; + pinfo->desegment_len = sasl_msg_len - length_remaining; + return; + } + } + + /* + * Construct a tvbuff containing the amount of the payload we have + * available. Make its reported length the amount of data in the PDU. + * + * XXX - if reassembly isn't enabled. the subdissector will throw a + * BoundsError exception, rather than a ReportedBoundsError exception. + * We really want a tvbuff where the length is "length", the reported + * length is "plen", and the "if the snapshot length were infinite" + * length is the minimum of the reported length of the tvbuff handed + * to us and "plen", with a new type of exception thrown if the offset + * is within the reported length but beyond that third length, with + * that exception getting the "Unreassembled Packet" error. + */ + length = length_remaining; + if (length > sasl_msg_len) length = sasl_msg_len; + sasl_tvb = tvb_new_subset(tvb, offset, length, sasl_msg_len); + + if (ldap_tree) { + proto_tree_add_uint(ldap_tree, hf_ldap_sasl_buffer_length, sasl_tvb, 0, 4, + sasl_len); + + sasl_item = proto_tree_add_text(ldap_tree, sasl_tvb, 0, sasl_msg_len, "SASL buffer"); + sasl_tree = proto_item_add_subtree(sasl_item, ett_ldap_sasl_blob); + } + + if (ldap_info->auth_mech != NULL && + strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) { + tvbuff_t *gssapi_tvb, *plain_tvb = NULL, *decr_tvb= NULL; + int ver_len; + int length; + + /* + * This is GSS-API (using SPNEGO, but we should be done with + * the negotiation by now). + * + * Dissect the GSS_Wrap() token; it'll return the length of + * the token, from which we compute the offset in the tvbuff at + * which the plaintext data, i.e. the LDAP message, begins. + */ + length = tvb_length_remaining(sasl_tvb, 4); + if ((guint)length > sasl_len) + length = sasl_len; + gssapi_tvb = tvb_new_subset(sasl_tvb, 4, length, sasl_len); + + /* Attempt decryption of the GSSAPI wrapped data if possible */ + pinfo->decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL; + pinfo->gssapi_wrap_tvb=NULL; + pinfo->gssapi_encrypted_tvb=NULL; + pinfo->gssapi_decrypted_tvb=NULL; + ver_len = call_dissector(gssapi_wrap_handle, gssapi_tvb, pinfo, sasl_tree); + /* if we could unwrap, do a tvb shuffle */ + if(pinfo->gssapi_decrypted_tvb){ + decr_tvb=pinfo->gssapi_decrypted_tvb; + } + /* tidy up */ + pinfo->decrypt_gssapi_tvb=0; + pinfo->gssapi_wrap_tvb=NULL; + pinfo->gssapi_encrypted_tvb=NULL; + pinfo->gssapi_decrypted_tvb=NULL; + + /* + * if len is 0 it probably mean that we got a PDU that is not + * aligned to the start of the segment. + */ + if(ver_len==0){ + return; + } + + /* + * if we don't have unwrapped data, + * see if the wrapping involved encryption of the + * data; if not, just use the plaintext data. + */ + if (!decr_tvb) { + if(!pinfo->gssapi_data_encrypted){ + plain_tvb = tvb_new_subset(gssapi_tvb, ver_len, -1, -1); + } + } + + if (decr_tvb) { + proto_item *enc_item = NULL; + proto_tree *enc_tree = NULL; + + /* + * The LDAP message was encrypted in the packet, and has + * been decrypted; dissect the decrypted LDAP message. + */ + if (sasl_tree) { + enc_item = proto_tree_add_text(sasl_tree, gssapi_tvb, ver_len, -1, + "GSS-API Encrypted payload (%d byte%s)", + sasl_len - ver_len, + plurality(sasl_len - ver_len, "", "s")); + enc_tree = proto_item_add_subtree(enc_item, ett_ldap_payload); + } + dissect_ldap_payload(decr_tvb, pinfo, enc_tree, ldap_info, TRUE, is_mscldap); + } else if (plain_tvb) { + proto_item *plain_item = NULL; + proto_tree *plain_tree = NULL; + + /* + * The LDAP message wasn't encrypted in the packet; + * dissect the plain LDAP message. + */ + if (sasl_tree) { + plain_item = proto_tree_add_text(sasl_tree, gssapi_tvb, ver_len, -1, + "GSS-API payload (%d byte%s)", + sasl_len - ver_len, + plurality(sasl_len - ver_len, "", "s")); + plain_tree = proto_item_add_subtree(plain_item, ett_ldap_payload); + } + + dissect_ldap_payload(plain_tvb, pinfo, plain_tree, ldap_info, TRUE, is_mscldap); + } else { + /* + * The LDAP message was encrypted in the packet, and was + * not decrypted; just show it as encrypted data. + */ + if (check_col(pinfo->cinfo, COL_INFO)) { + col_add_fstr(pinfo->cinfo, COL_INFO, "LDAP GSS-API Encrypted payload (%d byte%s)", + sasl_len - ver_len, + plurality(sasl_len - ver_len, "", "s")); + } + if (sasl_tree) { + proto_tree_add_text(sasl_tree, gssapi_tvb, ver_len, -1, + "GSS-API Encrypted payload (%d byte%s)", + sasl_len - ver_len, + plurality(sasl_len - ver_len, "", "s")); + } + } + } + offset += sasl_msg_len; + } else { + /* plain LDAP, so dissect the payload */ + dissect_ldap_payload(tvb, pinfo, ldap_tree, ldap_info, FALSE, is_mscldap); + /* dissect_ldap_payload() has it's own loop so go out here */ + break; + } + } +} +static void +dissect_ldap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) +{ + dissect_ldap_pdu(tvb, pinfo, tree, FALSE); + return; +} + +static void +dissect_mscldap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) +{ + dissect_ldap_pdu(tvb, pinfo, tree, TRUE); + return; +} + + +static void +ldap_reinit(void) +{ + ldap_conv_info_t *ldap_info; + + /* Free up state attached to the ldap_info structures */ + for (ldap_info = ldap_info_items; ldap_info != NULL; ldap_info = ldap_info->next) { + if (ldap_info->auth_mech != NULL) { + g_free(ldap_info->auth_mech); + ldap_info->auth_mech=NULL; + } + g_hash_table_destroy(ldap_info->matched); + ldap_info->matched=NULL; + g_hash_table_destroy(ldap_info->unmatched); + ldap_info->unmatched=NULL; + } + + ldap_info_items = NULL; + +} +/*--- proto_register_ldap -------------------------------------------*/ +void proto_register_ldap(void) { + + /* List of fields */ + + static hf_register_info hf[] = { + + { &hf_ldap_sasl_buffer_length, + { "SASL Buffer Length", "ldap.sasl_buffer_length", + FT_UINT32, BASE_DEC, NULL, 0x0, + "SASL Buffer Length", HFILL }}, + +#include "packet-ldap-hfarr.c" + }; + + /* List of subtrees */ + static gint *ett[] = { + &ett_ldap, + &ett_ldap_payload, + &ett_ldap_sasl_blob, + &ett_ldap_msg, + +#include "packet-ldap-ettarr.c" + }; + + module_t *ldap_module; + + /* Register protocol */ + proto_ldap = proto_register_protocol(PNAME, PSNAME, PFNAME); + /* Register fields and subtrees */ + proto_register_field_array(proto_ldap, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + + + register_dissector("ldap", dissect_ldap, proto_ldap); + + ldap_module = prefs_register_protocol(proto_ldap, NULL); + prefs_register_bool_preference(ldap_module, "desegment_ldap_messages", + "Reassemble LDAP messages spanning multiple TCP segments", + "Whether the LDAP dissector should reassemble messages spanning multiple TCP segments." + " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.", + &ldap_desegment); + + proto_cldap = proto_register_protocol( + "Connectionless Lightweight Directory Access Protocol", + "CLDAP", "cldap"); + + register_init_routine(ldap_reinit); + ldap_tap=register_tap("ldap"); + +} + + +/*--- proto_reg_handoff_ldap ---------------------------------------*/ +void +proto_reg_handoff_ldap(void) +{ + dissector_handle_t ldap_handle, cldap_handle; + ldap_handle = create_dissector_handle(dissect_ldap, proto_ldap); + dissector_add("tcp.port", TCP_PORT_LDAP, ldap_handle); + dissector_add("tcp.port", TCP_PORT_GLOBALCAT_LDAP, ldap_handle); + + cldap_handle = create_dissector_handle(dissect_mscldap, proto_cldap); + dissector_add("udp.port", UDP_PORT_CLDAP, cldap_handle); + + gssapi_handle = find_dissector("gssapi"); + gssapi_wrap_handle = find_dissector("gssapi_verf"); + + + +} + + diff --git a/asn1/ldap/packet-ldap-template.h b/asn1/ldap/packet-ldap-template.h new file mode 100755 index 0000000000..79becfafd1 --- /dev/null +++ b/asn1/ldap/packet-ldap-template.h @@ -0,0 +1,94 @@ +/* packet-ldap.h + * Routines for ros packet dissection + * Copyright 2005, Anders Broman + * + * $Id: packet-ros-template.h 12203 2004-10-05 09:18:55Z guy $ + * + * Ethereal - Network traffic analyzer + * By Gerald Combs + * Copyright 1998 Gerald Combs + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +#ifndef __PACKET_LDAP_H__ +#define __PACKET_LDAP_H__ + +/* + * These are all APPLICATION types; the value is the type tag. + */ +#define LDAP_REQ_BIND 0 +#define LDAP_REQ_UNBIND 2 +#define LDAP_REQ_SEARCH 3 +#define LDAP_REQ_MODIFY 6 +#define LDAP_REQ_ADD 8 +#define LDAP_REQ_DELETE 10 +#define LDAP_REQ_MODRDN 12 +#define LDAP_REQ_COMPARE 14 +#define LDAP_REQ_ABANDON 16 +#define LDAP_REQ_EXTENDED 23 /* LDAP V3 only */ + +#define LDAP_RES_BIND 1 +#define LDAP_RES_SEARCH_ENTRY 4 +#define LDAP_RES_SEARCH_REF 19 /* LDAP V3 only */ +#define LDAP_RES_SEARCH_RESULT 5 +#define LDAP_RES_MODIFY 7 +#define LDAP_RES_ADD 9 +#define LDAP_RES_DELETE 11 +#define LDAP_RES_MODRDN 13 +#define LDAP_RES_COMPARE 15 +#define LDAP_RES_EXTENDED 24 /* LDAP V3 only */ + +/* + * These are all CONTEXT types; the value is the type tag. + */ + +/* authentication type tags */ +#define LDAP_AUTH_SIMPLE 0 +#define LDAP_AUTH_KRBV4LDAP 1 /* LDAP V2 only */ +#define LDAP_AUTH_KRBV4DSA 2 /* LDAP V2 only */ +#define LDAP_AUTH_SASL 3 /* LDAP V3 only */ + +/* filter type tags */ +#define LDAP_FILTER_AND 0 +#define LDAP_FILTER_OR 1 +#define LDAP_FILTER_NOT 2 +#define LDAP_FILTER_EQUALITY 3 +#define LDAP_FILTER_SUBSTRINGS 4 +#define LDAP_FILTER_GE 5 +#define LDAP_FILTER_LE 6 +#define LDAP_FILTER_PRESENT 7 +#define LDAP_FILTER_APPROX 8 +#define LDAP_FILTER_EXTENSIBLE 9 /* LDAP V3 only */ + +#define LDAP_MOD_ADD 0 +#define LDAP_MOD_DELETE 1 +#define LDAP_MOD_REPLACE 2 + +typedef struct ldap_call_response { + gboolean is_request; + guint32 req_frame; + nstime_t req_time; + guint32 rep_frame; + guint messageId; + guint protocolOpTag; +} ldap_call_response_t; + + +/*#include "packet-ldap-exp.h" */ + +#endif /* PACKET_LDAP_H */ + + -- cgit v1.2.3