# ldap.cnf
# ldap conformance file
# Copyright 2005 Anders Broman 
# $Id$


#.PDU 
LDAPMessage

#.TYPE_RENAME

BindResponse/resultCode BindResponse_resultCode
ExtendedResponse/resultCode ExtendedResponse_resultCode
ModifyRequest/modification ModifyRequest_modification

#.FIELD_RENAME
BindResponse/resultCode bindResponse_resultCode
ExtendedResponse/resultCode extendedResponse_resultCode
SearchRequest/attributes searchRequest_attributes
SearchResultEntry/attributes searchResultEntry_attributes
ModifyRequest/modification modifyRequest_modification
SubstringFilter/substrings substringFilter_substrings

#.TYPE_ATTR
LDAPString TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL
LDAPURL TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL
LDAPOID  TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL
Mechanism  TYPE = FT_STRING  DISPLAY = BASE_NONE  STRINGS = NULL

#.FN_PARS LDAPOID VAL_PTR = &parameter_tvb
#.FN_HDR LDAPOID

	/* Filled in by the generated LDAPOID decoder through VAL_PTR (see the FN_PARS line above); the footer checks it for NULL. */
	tvbuff_t	*parameter_tvb;
	/* Registered name of the decoded OID, if the footer can resolve one. */
	const gchar *name;
	/* The item the generated decoder created for this OID; set in the footer. */
	proto_item	*item = NULL;


#.FN_FTR LDAPOID
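	/*
	 * Footer of the LDAPOID decoder: append the registered name of the
	 * OID, when it is a known one, to the item that was just created.
	 */
	if (!parameter_tvb)
		return offset;
	item = get_ber_last_created_item();
	{
		/*
		 * tvb_get_string() returns a g_malloc()ed copy of the OID text.
		 * The original never freed it, leaking one allocation per decoded
		 * OID; since the input is untrusted packet data, that is also a
		 * slow memory exhaustion risk on long captures.  The name looked
		 * up from the registry is used before the copy is released.
		 */
		gchar *oid_str = tvb_get_string(parameter_tvb, 0, tvb_length_remaining(parameter_tvb,0));
		name = get_oid_str_name(oid_str);
		if(name){
			proto_item_append_text(item, " (%s)", name);
		}
		g_free(oid_str);
	}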


#.FN_PARS MessageID VAL_PTR = &MessageID
#.FN_BODY MessageID
/* Receives the decoded INTEGER through VAL_PTR (see the FN_PARS line above). */
gint MessageID;

%(DEFAULT_BODY)s

	/*
	 * Show the message id in the Info column, e.g. "MsgId=1, ".
	 * NOTE(review): MessageID is a signed gint but is printed with an
	 * unsigned conversion, so a negative value would appear wrapped.
	 */
	if (check_col(pinfo->cinfo, COL_INFO))
		col_append_fstr(pinfo->cinfo, COL_INFO, "MsgId=%%u, ",MessageID);

#.FN_PARS ProtocolOp VAL_PTR = &ProtocolOp

#.FN_BODY ProtocolOp

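/* Receives the selected CHOICE alternative through VAL_PTR (see the FN_PARS line above). */
gint ProtocolOp;

%(DEFAULT_BODY)s
	/*
	 * Name the operation in the Info column.  The value string is passed
	 * as data rather than as the format: the original handed the result
	 * of val_to_str() to col_append_fstr() as its format string, so any
	 * conversion character in the value-string table would have been
	 * interpreted (non-literal format string, CERT FIO30-C).
	 */
	if (check_col(pinfo->cinfo, COL_INFO))
		col_append_str(pinfo->cinfo, COL_INFO, val_to_str(ProtocolOp, ldap_ProtocolOp_choice_vals, "Unknown (%%u)"));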

#.FN_BODY Simple
/* Per-conversation LDAP state, carried in pinfo->private_data (presumably set by the LDAP entry dissector - not visible here). */
ldap_conv_info_t *ldap_info;

%(DEFAULT_BODY)s
	
	/* A simple bind: remember the authentication type for the later credentials handling. */
	ldap_info = pinfo->private_data;	/* NOTE(review): assumed non-NULL; no check before the dereference below - confirm */
	ldap_info->auth_type = LDAP_AUTH_SIMPLE;

	pinfo->private_data = ldap_info;

#.FN_PARS Mechanism VAL_PTR = &parameter_tvb
#.FN_BODY Mechanism

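/* Per-conversation LDAP state, read from and written back to pinfo->private_data. */
ldap_conv_info_t *ldap_info;
/* Receives the SASL mechanism name through VAL_PTR (see the FN_PARS line above). */
tvbuff_t	*parameter_tvb;
/* g_malloc()ed copy of the mechanism name; ownership moves to ldap_info below. */
char *mechanism = NULL;
%(DEFAULT_BODY)s
	ldap_info = pinfo->private_data;
	ldap_info->auth_type = LDAP_AUTH_SASL;

	if (!parameter_tvb)
		return offset;

    /*
     * We need to remember the authentication type and mechanism for this
     * conversation.
     *
     * XXX - actually, we might need to remember more than one
     * type and mechanism, if you can unbind and rebind with a
     * different type and/or mechanism.
     */
    mechanism = tvb_get_string(parameter_tvb, 0, tvb_length_remaining(parameter_tvb,0));
    ldap_info->first_auth_frame = 0;	/* not known until we see the bind reply */
    /*
     * If the mechanism in this request is an empty string (which is
     * returned as a null pointer), use the saved mechanism instead.
     * Otherwise, if the saved mechanism is an empty string (null),
     * save this mechanism.
     *
     * NOTE(review): tvb_get_string() allocates even for a zero-length
     * string, so the NULL case may never be taken here and an empty
     * mechanism would be saved as "" - confirm against the generated
     * decoder.
     */
    if (mechanism == NULL)
        mechanism = ldap_info->auth_mech;
    else {
      /*
       * Release the previously saved mechanism before replacing it.
       * The original only called g_free() when auth_mech was NULL (a
       * no-op), so every rebind with a new mechanism leaked the old
       * string.  g_free(NULL) is harmless, so no guard is needed.
       */
      g_free(ldap_info->auth_mech);
      ldap_info->auth_mech = mechanism;
    }
	pinfo->private_data = ldap_info;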

#.FN_PARS Credentials VAL_PTR = &parameter_tvb
#.FN_BODY Credentials

/* Receives the credentials octets through VAL_PTR (see the FN_PARS line above). */
tvbuff_t	*parameter_tvb;
/* Per-conversation LDAP state, carried in pinfo->private_data. */
ldap_conv_info_t *ldap_info;

%(DEFAULT_BODY)s
	if (!parameter_tvb)
		return offset;

	ldap_info = pinfo->private_data;
	/*
	 * Only the GSS-API based mechanisms carry a token we can hand on:
	 * either a raw GSS-API token ("GSSAPI") or one encapsulated within
	 * GSS-SPNEGO.  Any other mechanism is left undissected.  The early
	 * return above guarantees parameter_tvb is non-NULL here.
	 */
	if (ldap_info->auth_mech != NULL) {
		const char *mech = ldap_info->auth_mech;
		if (strcmp(mech, "GSS-SPNEGO") == 0 || strcmp(mech, "GSSAPI") == 0)
			call_dissector(gssapi_handle, parameter_tvb, pinfo, tree);
	}
	pinfo->private_data = ldap_info;

#.FN_PARS ServerSaslCreds VAL_PTR = &parameter_tvb
#.FN_BODY ServerSaslCreds

/* Receives the server's SASL credentials octets through VAL_PTR (see the FN_PARS line above). */
tvbuff_t	*parameter_tvb;
/* Per-conversation LDAP state, carried in pinfo->private_data. */
ldap_conv_info_t *ldap_info;

%(DEFAULT_BODY)s
	if (!parameter_tvb)
		return offset;
	ldap_info = pinfo->private_data;
    /*
     * NOTE(review): there is no default label, so any auth_type other
     * than LDAP_AUTH_SASL falls out of the switch with the credentials
     * left undissected - presumably intended, but worth confirming.  The
     * Kerberos V4 remark below has no matching case in this switch.
     */
    switch (ldap_info->auth_type) {

      /* For Kerberos V4, dissect it as a ticket. */
      /* XXX - what about LDAP_AUTH_SIMPLE? */

    case LDAP_AUTH_SASL:
      /*
       * All frames after this are assumed to use a security layer.
       *
       * XXX - won't work if there's another reply, with the security
       * layer, starting in the same TCP segment that ends this
       * reply, but as LDAP is a request/response protocol, and
       * as the client probably can't start using authentication until
       * it gets the bind reply and the server won't send a reply until
       * it gets a request, that probably won't happen.
       *
       * XXX - that assumption is invalid; it's not clear where the
       * hell you find out whether there's any security layer.  In
       * one capture, we have two GSS-SPNEGO negotiations, both of
       * which select MS KRB5, and the only differences in the tokens
       * is in the RC4-HMAC ciphertext.  The various
       * draft-ietf--cat-sasl-gssapi-NN.txt drafts seem to imply
       * that the RFC 2222 spoo with the bitmask and maximum
       * output message size stuff is done - but where does that
       * stuff show up?  Is it in the ciphertext, which means it's
       * presumably encrypted?
       *
       * Grrr.  We have to do a gross heuristic, checking whether the
       * putative LDAP message begins with 0x00 or not, making the
       * assumption that we won't have more than 2^24 bytes of
       * encapsulated stuff.
       */
      /* Frames from the next one on are treated as carrying the security layer. */
      ldap_info->first_auth_frame = pinfo->fd->num + 1;
      /* Both GSS-API based mechanisms hand the token to the same dissector. */
      if (ldap_info->auth_mech != NULL &&
          strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) {
        /*
         * This is a GSS-API token.
         */
        call_dissector(gssapi_handle, parameter_tvb, pinfo, tree);
      } else if (ldap_info->auth_mech != NULL &&
          strcmp(ldap_info->auth_mech, "GSSAPI") == 0) {
        /*
         * This is a GSS-API token.
         */
        call_dissector(gssapi_handle, parameter_tvb, pinfo, tree);
		}
	break;
	}
	pinfo->private_data = ldap_info;