summaryrefslogtreecommitdiffstats
path: root/epan/dissectors/asn1/credssp
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:34:10 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:34:10 +0000
commite4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc (patch)
tree68cb5ef9081156392f1dd62a00c6ccc1451b93df /epan/dissectors/asn1/credssp
parentInitial commit. (diff)
downloadwireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.tar.xz
wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.zip
Adding upstream version 4.2.2.upstream/4.2.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'epan/dissectors/asn1/credssp')
-rw-r--r--epan/dissectors/asn1/credssp/CMakeLists.txt39
-rw-r--r--epan/dissectors/asn1/credssp/CredSSP.asn56
-rw-r--r--epan/dissectors/asn1/credssp/credssp.cnf130
-rw-r--r--epan/dissectors/asn1/credssp/packet-credssp-template.c200
-rw-r--r--epan/dissectors/asn1/credssp/packet-credssp-template.h20
5 files changed, 445 insertions, 0 deletions
diff --git a/epan/dissectors/asn1/credssp/CMakeLists.txt b/epan/dissectors/asn1/credssp/CMakeLists.txt
new file mode 100644
index 00000000..59c80321
--- /dev/null
+++ b/epan/dissectors/asn1/credssp/CMakeLists.txt
@@ -0,0 +1,39 @@
+# CMakeLists.txt
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+
+set( PROTOCOL_NAME credssp )
+
+set( PROTO_OPT )
+
+set( EXPORT_FILES
+ ${PROTOCOL_NAME}-exp.cnf
+)
+
+set( EXT_ASN_FILE_LIST
+)
+
+set( ASN_FILE_LIST
+ CredSSP.asn
+)
+
+set( EXTRA_DIST
+ ${ASN_FILE_LIST}
+ packet-${PROTOCOL_NAME}-template.c
+ packet-${PROTOCOL_NAME}-template.h
+ ${PROTOCOL_NAME}.cnf
+)
+
+set( SRC_FILES
+ ${EXTRA_DIST}
+ ${EXT_ASN_FILE_LIST}
+)
+
+set( A2W_FLAGS -b -C )
+
+ASN2WRS()
diff --git a/epan/dissectors/asn1/credssp/CredSSP.asn b/epan/dissectors/asn1/credssp/CredSSP.asn
new file mode 100644
index 00000000..07298526
--- /dev/null
+++ b/epan/dissectors/asn1/credssp/CredSSP.asn
@@ -0,0 +1,56 @@
+-- Derived from http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-CSSP%5D.pdf
+
+CredSSP DEFINITIONS EXPLICIT TAGS ::=
+
+BEGIN
+
+NegoData ::= SEQUENCE OF SEQUENCE {
+ negoToken [0] OCTET STRING
+}
+
+TSPasswordCreds ::= SEQUENCE {
+ domainName [0] OCTET STRING,
+ userName [1] OCTET STRING,
+ password [2] OCTET STRING
+}
+
+TSCspDataDetail ::= SEQUENCE {
+ keySpec [0] INTEGER,
+ cardName [1] OCTET STRING OPTIONAL,
+ readerName [2] OCTET STRING OPTIONAL,
+ containerName [3] OCTET STRING OPTIONAL,
+ cspName [4] OCTET STRING OPTIONAL
+}
+
+TSSmartCardCreds ::= SEQUENCE {
+ pin [0] OCTET STRING,
+ cspData [1] TSCspDataDetail,
+ userHint [2] OCTET STRING OPTIONAL,
+ domainHint [3] OCTET STRING OPTIONAL
+}
+
+TSRemoteGuardPackageCred ::= SEQUENCE {
+ packageName [0] OCTET STRING,
+ credBuffer [1] OCTET STRING
+}
+
+TSRemoteGuardCreds ::= SEQUENCE {
+ logonCred [0] TSRemoteGuardPackageCred,
+ supplementalCreds [1] SEQUENCE OF TSRemoteGuardPackageCred OPTIONAL
+}
+
+TSCredentials ::= SEQUENCE {
+ credType [0] INTEGER,
+ credentials [1] OCTET STRING
+}
+
+TSRequest ::= SEQUENCE {
+ version [0] INTEGER,
+ negoTokens [1] NegoData OPTIONAL,
+ authInfo [2] OCTET STRING OPTIONAL,
+ pubKeyAuth [3] OCTET STRING OPTIONAL,
+ errorCode [4] INTEGER OPTIONAL,
+ clientNonce [5] OCTET STRING OPTIONAL
+}
+
+END
diff --git a/epan/dissectors/asn1/credssp/credssp.cnf b/epan/dissectors/asn1/credssp/credssp.cnf
new file mode 100644
index 00000000..a55b1507
--- /dev/null
+++ b/epan/dissectors/asn1/credssp/credssp.cnf
@@ -0,0 +1,130 @@
+# credssp.cnf
+# Credential Security Support Provider (CredSSP) conformance file
+
+#.PDU
+TSRequest
+
+#.FN_PARS TSRequest/version VAL_PTR = &credssp_ver
+
+#.FN_BODY TSRequest/authInfo VAL_PTR = &auth_tvb
+ tvbuff_t *auth_tvb = NULL;
+ tvbuff_t *decr_tvb = NULL;
+ gssapi_encrypt_info_t gssapi_encrypt;
+
+ %(DEFAULT_BODY)s
+
+ memset(&gssapi_encrypt, 0, sizeof(gssapi_encrypt));
+ gssapi_encrypt.decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL;
+ call_dissector_with_data(gssapi_wrap_handle, auth_tvb, actx->pinfo, tree, &gssapi_encrypt);
+ decr_tvb = gssapi_encrypt.gssapi_decrypted_tvb;
+
+ if(decr_tvb != NULL)
+ dissect_credssp_TSCredentials(FALSE, decr_tvb, 0, actx, tree, hf_credssp_TSCredentials);
+
+#.FN_BODY TSRequest/pubKeyAuth VAL_PTR = &auth_tvb
+ tvbuff_t *auth_tvb = NULL;
+ tvbuff_t *decr_tvb = NULL;
+ gssapi_encrypt_info_t gssapi_encrypt;
+
+ %(DEFAULT_BODY)s
+
+ memset(&gssapi_encrypt, 0, sizeof(gssapi_encrypt));
+ gssapi_encrypt.decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL;
+ call_dissector_with_data(gssapi_wrap_handle, auth_tvb, actx->pinfo, tree, &gssapi_encrypt);
+ decr_tvb = gssapi_encrypt.gssapi_decrypted_tvb;
+
+ if(decr_tvb != NULL)
+ proto_tree_add_item(tree, hf_credssp_decr_PublicKeyAuth, decr_tvb, 0, -1, ENC_NA);
+
+#.FN_BODY TSRequest/errorCode
+
+ if (credssp_ver < 3) {
+ return 0;
+ }
+
+ %(DEFAULT_BODY)s
+
+
+#.FN_BODY TSRequest/clientNonce
+
+ if (credssp_ver < 5) {
+ return 0;
+ }
+
+ %(DEFAULT_BODY)s
+
+
+#.FN_PARS TSCredentials/credType VAL_PTR = &creds_type
+#.FN_PARS TSCredentials/credentials VAL_PTR = &creds_tvb
+
+#.FN_BODY TSCredentials/credentials
+ tvbuff_t *creds_tvb = NULL;
+
+ %(DEFAULT_BODY)s
+
+ switch(creds_type) {
+ case TS_PASSWORD_CREDS:
+ dissect_credssp_TSPasswordCreds(FALSE, creds_tvb, 0, actx, tree, hf_credssp_TSPasswordCreds);
+ break;
+ case TS_SMARTCARD_CREDS:
+ dissect_credssp_TSSmartCardCreds(FALSE, creds_tvb, 0, actx, tree, hf_credssp_TSSmartCardCreds);
+ break;
+ case TS_REMOTEGUARD_CREDS:
+ dissect_credssp_TSRemoteGuardCreds(FALSE, creds_tvb, 0, actx, tree, hf_credssp_TSRemoteGuardCreds);
+ break;
+ }
+
+
+#.FN_PARS NegoData/_item/negoToken VAL_PTR = &token_tvb
+
+#.FN_BODY NegoData/_item/negoToken
+ tvbuff_t *token_tvb = NULL;
+
+ %(DEFAULT_BODY)s
+
+ if(token_tvb != NULL)
+ call_dissector(gssapi_handle, token_tvb, actx->pinfo, tree);
+
+
+#.TYPE_ATTR
+TSRemoteGuardPackageCred/packageName TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
+
+#.FN_BODY TSRemoteGuardPackageCred/packageName VAL_PTR = &pname
+ tvbuff_t *pname = NULL;
+
+ offset = dissect_ber_octet_string(implicit_tag, actx, NULL, tvb, offset, hf_index, &pname);
+
+ if(pname != NULL) {
+ gint nlen = tvb_captured_length(pname);
+
+ if (nlen == sizeof(kerberos_pname) && memcmp(tvb_get_ptr(pname, 0, nlen), kerberos_pname, nlen) == 0) {
+ credssp_TS_RGC_package = TS_RGC_KERBEROS;
+ } else if (nlen == sizeof(ntlm_pname) && memcmp(tvb_get_ptr(pname, 0, nlen), ntlm_pname, nlen) == 0) {
+ credssp_TS_RGC_package = TS_RGC_NTLM;
+ }
+ proto_tree_add_item(tree, hf_index, pname, 0, -1, ENC_UTF_16|ENC_LITTLE_ENDIAN);
+ }
+
+#.FN_BODY TSRemoteGuardPackageCred/credBuffer VAL_PTR = &creds
+ tvbuff_t *creds= NULL;
+ proto_tree *subtree;
+
+ %(DEFAULT_BODY)s
+
+ if (!creds)
+ return offset;
+
+ switch(credssp_TS_RGC_package) {
+ case TS_RGC_KERBEROS:
+ subtree = proto_item_add_subtree(actx->created_item, ett_credssp_RGC_CredBuffer);
+ dissect_kerberos_KERB_TICKET_LOGON(creds, 0, actx, subtree);
+ break;
+ case TS_RGC_NTLM:
+ subtree = proto_item_add_subtree(actx->created_item, ett_credssp_RGC_CredBuffer);
+ dissect_ntlmssp_NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL(creds, 0, subtree);
+ break;
+ }
+
+#.END
+
+
diff --git a/epan/dissectors/asn1/credssp/packet-credssp-template.c b/epan/dissectors/asn1/credssp/packet-credssp-template.c
new file mode 100644
index 00000000..5eef5741
--- /dev/null
+++ b/epan/dissectors/asn1/credssp/packet-credssp-template.c
@@ -0,0 +1,200 @@
+/* packet-credssp.c
+ * Routines for CredSSP (Credential Security Support Provider) packet dissection
+ * Graeme Lunt 2011
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "config.h"
+
+#include <epan/packet.h>
+#include <epan/asn1.h>
+#include <epan/tap.h>
+#include <epan/exported_pdu.h>
+
+#include "packet-ber.h"
+#include "packet-gssapi.h"
+#include "packet-kerberos.h"
+#include "packet-ntlmssp.h"
+#include "packet-credssp.h"
+
+#define PNAME "Credential Security Support Provider"
+#define PSNAME "CredSSP"
+#define PFNAME "credssp"
+
+#define TS_PASSWORD_CREDS 1
+#define TS_SMARTCARD_CREDS 2
+#define TS_REMOTEGUARD_CREDS 6
+
+static gint creds_type;
+static gint credssp_ver;
+
+static char kerberos_pname[] = "K\0e\0r\0b\0e\0r\0o\0s";
+static char ntlm_pname[] = "N\0T\0L\0M";
+
+#define TS_RGC_UNKNOWN 0
+#define TS_RGC_KERBEROS 1
+#define TS_RGC_NTLM 2
+
+static gint credssp_TS_RGC_package;
+
+static gint exported_pdu_tap = -1;
+
+/* Initialize the protocol and registered fields */
+static int proto_credssp = -1;
+
+/* List of dissectors to call for negoToken data */
+static heur_dissector_list_t credssp_heur_subdissector_list;
+
+static dissector_handle_t gssapi_handle;
+static dissector_handle_t gssapi_wrap_handle;
+
+static int hf_credssp_TSPasswordCreds = -1; /* TSPasswordCreds */
+static int hf_credssp_TSSmartCardCreds = -1; /* TSSmartCardCreds */
+static int hf_credssp_TSRemoteGuardCreds = -1;/* TSRemoteGuardCreds */
+static int hf_credssp_TSCredentials = -1; /* TSCredentials */
+static int hf_credssp_decr_PublicKeyAuth = -1;/* decr_PublicKeyAuth */
+#include "packet-credssp-hf.c"
+
+/* Initialize the subtree pointers */
+static gint ett_credssp = -1;
+static gint ett_credssp_RGC_CredBuffer = -1;
+
+#include "packet-credssp-ett.c"
+
+#include "packet-credssp-fn.c"
+
+/*
+* Dissect CredSSP PDUs
+*/
+static int
+dissect_credssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data)
+{
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+
+ if(parent_tree){
+ item = proto_tree_add_item(parent_tree, proto_credssp, tvb, 0, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_credssp);
+ }
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "CredSSP");
+ col_clear(pinfo->cinfo, COL_INFO);
+
+ creds_type = -1;
+ credssp_ver = -1;
+
+ return dissect_TSRequest_PDU(tvb, pinfo, tree, data);
+}
+
+static gboolean
+dissect_credssp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
+{
+ asn1_ctx_t asn1_ctx;
+ int offset = 0;
+ gint8 ber_class;
+ bool pc;
+ gint32 tag;
+ guint32 length;
+ gint8 ver;
+
+ asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+
+ /* Look for SEQUENCE, CONTEXT 0, and INTEGER 2 */
+ if(tvb_captured_length(tvb) > 7) {
+ offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag);
+ if((ber_class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_SEQUENCE) && (pc == TRUE)) {
+ offset = get_ber_length(tvb, offset, NULL, NULL);
+ offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag);
+ if((ber_class == BER_CLASS_CON) && (tag == 0)) {
+ offset = get_ber_length(tvb, offset, NULL, NULL);
+ offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag);
+ if((ber_class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_INTEGER)) {
+ offset = get_ber_length(tvb, offset, &length, NULL);
+ ver = tvb_get_guint8(tvb, offset);
+ if((length == 1) && (ver > 1) && (ver < 99)) {
+ if (have_tap_listener(exported_pdu_tap)) {
+ exp_pdu_data_t *exp_pdu_data = export_pdu_create_common_tags(pinfo, "credssp", EXP_PDU_TAG_DISSECTOR_NAME);
+
+ exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb);
+ exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb);
+ exp_pdu_data->pdu_tvb = tvb;
+
+ tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
+ }
+ dissect_credssp(tvb, pinfo, parent_tree, NULL);
+ return TRUE;
+ }
+ }
+ }
+ }
+ }
+ return FALSE;
+}
+
+
+/*--- proto_register_credssp -------------------------------------------*/
+void proto_register_credssp(void) {
+
+ /* List of fields */
+ static hf_register_info hf[] =
+ {
+ { &hf_credssp_TSPasswordCreds,
+ { "TSPasswordCreds", "credssp.TSPasswordCreds",
+ FT_NONE, BASE_NONE, NULL, 0,
+ NULL, HFILL }},
+ { &hf_credssp_TSSmartCardCreds,
+ { "TSSmartCardCreds", "credssp.TSSmartCardCreds",
+ FT_NONE, BASE_NONE, NULL, 0,
+ NULL, HFILL }},
+ { &hf_credssp_TSRemoteGuardCreds,
+ { "TSRemoteGuardCreds", "credssp.TSRemoteGuardCreds",
+ FT_NONE, BASE_NONE, NULL, 0,
+ NULL, HFILL }},
+ { &hf_credssp_TSCredentials,
+ { "TSCredentials", "credssp.TSCredentials",
+ FT_NONE, BASE_NONE, NULL, 0,
+ NULL, HFILL }},
+ { &hf_credssp_decr_PublicKeyAuth,
+ { "Decrypted PublicKeyAuth (sha256)", "credssp.decr_PublicKeyAuth",
+ FT_BYTES, BASE_NONE, NULL, 0,
+ NULL, HFILL }},
+#include "packet-credssp-hfarr.c"
+ };
+
+ /* List of subtrees */
+ static gint *ett[] = {
+ &ett_credssp,
+ &ett_credssp_RGC_CredBuffer,
+#include "packet-credssp-ettarr.c"
+ };
+
+
+ /* Register protocol */
+ proto_credssp = proto_register_protocol(PNAME, PSNAME, PFNAME);
+ register_dissector("credssp", dissect_credssp, proto_credssp);
+
+ /* Register fields and subtrees */
+ proto_register_field_array(proto_credssp, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+
+ /* heuristic dissectors for any premable e.g. CredSSP before RDP */
+ credssp_heur_subdissector_list = register_heur_dissector_list("credssp", proto_credssp);
+
+}
+
+
+/*--- proto_reg_handoff_credssp --- */
+void proto_reg_handoff_credssp(void) {
+
+ gssapi_handle = find_dissector_add_dependency("gssapi", proto_credssp);
+ gssapi_wrap_handle = find_dissector_add_dependency("gssapi_verf", proto_credssp);
+
+ heur_dissector_add("tls", dissect_credssp_heur, "CredSSP over TLS", "credssp_tls", proto_credssp, HEURISTIC_ENABLE);
+ heur_dissector_add("rdp", dissect_credssp_heur, "CredSSP in TPKT", "credssp_tpkt", proto_credssp, HEURISTIC_ENABLE);
+ exported_pdu_tap = find_tap_id(EXPORT_PDU_TAP_NAME_LAYER_7);
+}
+
diff --git a/epan/dissectors/asn1/credssp/packet-credssp-template.h b/epan/dissectors/asn1/credssp/packet-credssp-template.h
new file mode 100644
index 00000000..fda51f3b
--- /dev/null
+++ b/epan/dissectors/asn1/credssp/packet-credssp-template.h
@@ -0,0 +1,20 @@
+/* packet-credssp.h
+ * Routines for CredSSP (Credential Security Support Provider) packet dissection
+ * Graeme Lunt 2011
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef PACKET_CREDSSP_H
+#define PACKET_CREDSSP_H
+
+#include "packet-credssp-val.h"
+
+void proto_reg_handoff_credssp(void);
+void proto_register_credssp(void);
+
+#endif /* PACKET_CREDSSP_H */