diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
commit | e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc (patch) | |
tree | 68cb5ef9081156392f1dd62a00c6ccc1451b93df /epan/dissectors/asn1/snmp | |
parent | Initial commit. (diff) | |
download | wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.tar.xz wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.zip |
Adding upstream version 4.2.2.upstream/4.2.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'epan/dissectors/asn1/snmp')
-rw-r--r-- | epan/dissectors/asn1/snmp/CMakeLists.txt | 35 | ||||
-rw-r--r-- | epan/dissectors/asn1/snmp/packet-snmp-template.c | 2732 | ||||
-rw-r--r-- | epan/dissectors/asn1/snmp/packet-snmp-template.h | 107 | ||||
-rw-r--r-- | epan/dissectors/asn1/snmp/snmp.asn | 338 | ||||
-rw-r--r-- | epan/dissectors/asn1/snmp/snmp.cnf | 266 |
5 files changed, 3478 insertions, 0 deletions
diff --git a/epan/dissectors/asn1/snmp/CMakeLists.txt b/epan/dissectors/asn1/snmp/CMakeLists.txt new file mode 100644 index 00000000..dc6a1c97 --- /dev/null +++ b/epan/dissectors/asn1/snmp/CMakeLists.txt @@ -0,0 +1,35 @@ +# CMakeLists.txt +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# SPDX-License-Identifier: GPL-2.0-or-later +# + +set( PROTOCOL_NAME snmp ) + +set( PROTO_OPT ) + +set( EXT_ASN_FILE_LIST +) + +set( ASN_FILE_LIST + ${PROTOCOL_NAME}.asn +) + +set( EXTRA_DIST + ${ASN_FILE_LIST} + packet-${PROTOCOL_NAME}-template.c + packet-${PROTOCOL_NAME}-template.h + ${PROTOCOL_NAME}.cnf +) + +set( SRC_FILES + ${EXTRA_DIST} + ${EXT_ASN_FILE_LIST} +) + +set( A2W_FLAGS -b ) + +ASN2WRS() diff --git a/epan/dissectors/asn1/snmp/packet-snmp-template.c b/epan/dissectors/asn1/snmp/packet-snmp-template.c new file mode 100644 index 00000000..e8e606e1 --- /dev/null +++ b/epan/dissectors/asn1/snmp/packet-snmp-template.c @@ -0,0 +1,2732 @@ +/* packet-snmp.c + * Routines for SNMP (simple network management protocol) + * Copyright (C) 1998 Didier Jorand + * + * See RFC 1157 for SNMPv1. + * + * See RFCs 1901, 1905, and 1906 for SNMPv2c. + * + * See RFCs 1905, 1906, 1909, and 1910 for SNMPv2u [historic]. + * + * See RFCs 2570-2576 for SNMPv3 + * Updated to use the asn2wrs compiler made by Tomas Kukosa + * Copyright (C) 2005 - 2006 Anders Broman [AT] ericsson.com + * + * See RFC 3414 for User-based Security Model for SNMPv3 + * See RFC 3826 for (AES) Cipher Algorithm in the SNMP USM + * See RFC 2578 for Structure of Management Information Version 2 (SMIv2) + * Copyright (C) 2007 Luis E. Garcia Ontanon <luis@ontanon.org> + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * Some stuff from: + * + * GXSNMP -- An snmp mangament application + * Copyright (C) 1998 Gregory McLean & Jochen Friedrich + * Beholder RMON ethernet network monitor,Copyright (C) 1993 DNPAP group + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#if 0 +#include <stdio.h> +#define D(args) do {printf args; fflush(stdout); } while(0) +#endif + +#include "config.h" + +#include <epan/packet.h> +#include <epan/strutil.h> +#include <epan/conversation.h> +#include <epan/etypes.h> +#include <epan/prefs.h> +#include <epan/addr_resolv.h> +#include <epan/next_tvb.h> +#include <epan/uat.h> +#include <epan/asn1.h> +#include <epan/expert.h> +#include <epan/oids.h> +#include <epan/srt_table.h> +#include <epan/tap.h> +#include "packet-ipx.h" +#include "packet-hpext.h" +#include "packet-ber.h" +#include "packet-snmp.h" +#include <wsutil/wsgcrypt.h> + +#define PNAME "Simple Network Management Protocol" +#define PSNAME "SNMP" +#define PFNAME "snmp" + +#define UDP_PORT_SNMP 161 +#define UDP_PORT_SNMP_TRAP 162 +#define TCP_PORT_SNMP 161 +#define TCP_PORT_SNMP_TRAP 162 +#define TCP_PORT_SMUX 199 +#define UDP_PORT_SNMP_PATROL 8161 +#define SNMP_NUM_PROCEDURES 8 + +/* Initialize the protocol and registered fields */ +static int snmp_tap = -1; +static int proto_snmp = -1; +static int proto_smux = -1; + +static gboolean display_oid = TRUE; +static gboolean snmp_var_in_tree = TRUE; + +void proto_register_snmp(void); +void proto_reg_handoff_snmp(void); +void proto_register_smux(void); +void proto_reg_handoff_smux(void); + +static void snmp_usm_password_to_key(const snmp_usm_auth_model_t model, const guint8 *password, guint passwordlen, + const guint8 *engineID, guint engineLength, guint8 *key); + +static tvbuff_t* snmp_usm_priv_des(snmp_usm_params_t*, tvbuff_t*, packet_info *pinfo, gchar const**); +static tvbuff_t* snmp_usm_priv_aes128(snmp_usm_params_t*, tvbuff_t*, packet_info *pinfo, gchar const**); +static tvbuff_t* snmp_usm_priv_aes192(snmp_usm_params_t*, tvbuff_t*, packet_info *pinfo, gchar const**); +static tvbuff_t* snmp_usm_priv_aes256(snmp_usm_params_t*, tvbuff_t*, packet_info *pinfo, gchar const**); + +static bool snmp_usm_auth(const packet_info *pinfo, const snmp_usm_auth_model_t model, snmp_usm_params_t* p, guint8**, guint*, gchar const**); + +static const value_string auth_types[] = { + {SNMP_USM_AUTH_MD5,"MD5"}, + {SNMP_USM_AUTH_SHA1,"SHA1"}, + {SNMP_USM_AUTH_SHA2_224,"SHA2-224"}, + {SNMP_USM_AUTH_SHA2_256,"SHA2-256"}, + {SNMP_USM_AUTH_SHA2_384,"SHA2-384"}, + {SNMP_USM_AUTH_SHA2_512,"SHA2-512"}, + {0,NULL} +}; + +static const guint auth_hash_len[] = { + HASH_MD5_LENGTH, + HASH_SHA1_LENGTH, + HASH_SHA2_224_LENGTH, + HASH_SHA2_256_LENGTH, + HASH_SHA2_384_LENGTH, + HASH_SHA2_512_LENGTH +}; + +static const guint auth_tag_len[] = { + 12, + 12, + 16, + 24, + 32, + 48 +}; + +static const enum gcry_md_algos auth_hash_algo[] = { + GCRY_MD_MD5, + GCRY_MD_SHA1, + GCRY_MD_SHA224, + GCRY_MD_SHA256, + GCRY_MD_SHA384, + GCRY_MD_SHA512 +}; + +#define PRIV_DES 0 +#define PRIV_AES128 1 +#define PRIV_AES192 2 +#define PRIV_AES256 3 + +static const value_string priv_types[] = { + { PRIV_DES, "DES" }, + { PRIV_AES128, "AES" }, + { PRIV_AES192, "AES192" }, + { PRIV_AES256, "AES256" }, + { 0, NULL} +}; +static snmp_usm_decoder_t priv_protos[] = { + snmp_usm_priv_des, + snmp_usm_priv_aes128, + snmp_usm_priv_aes192, + snmp_usm_priv_aes256 +}; + +static snmp_ue_assoc_t* ueas = NULL; +static guint num_ueas = 0; +static snmp_ue_assoc_t* localized_ues = NULL; +static snmp_ue_assoc_t* unlocalized_ues = NULL; +/****/ + +/* Variables used for handling enterprise specific trap types */ +typedef struct _snmp_st_assoc_t { + char *enterprise; + guint trap; + char *desc; +} snmp_st_assoc_t; +static guint num_specific_traps = 0; +static snmp_st_assoc_t *specific_traps = NULL; +static const char *enterprise_oid = NULL; +static guint generic_trap = 0; +static guint32 snmp_version = 0; +static guint32 RequestID = -1; + +static snmp_usm_params_t usm_p = {FALSE,FALSE,0,0,0,0,NULL,NULL,NULL,NULL,NULL,NULL,NULL,FALSE}; + +#define TH_AUTH 0x01 +#define TH_CRYPT 0x02 +#define TH_REPORT 0x04 + +/* desegmentation of SNMP-over-TCP */ +static gboolean snmp_desegment = TRUE; + +/* Global variables */ + +guint32 MsgSecurityModel; +tvbuff_t *oid_tvb=NULL; +tvbuff_t *value_tvb=NULL; + +static dissector_handle_t snmp_handle; +static dissector_handle_t snmp_tcp_handle; +static dissector_handle_t data_handle; +static dissector_handle_t smux_handle; + +static next_tvb_list_t *var_list; + +static int hf_snmp_response_in = -1; +static int hf_snmp_response_to = -1; +static int hf_snmp_time = -1; + +static int hf_snmp_v3_flags_auth = -1; +static int hf_snmp_v3_flags_crypt = -1; +static int hf_snmp_v3_flags_report = -1; + +static int hf_snmp_engineid_conform = -1; +static int hf_snmp_engineid_enterprise = -1; +static int hf_snmp_engineid_format = -1; +static int hf_snmp_engineid_ipv4 = -1; +static int hf_snmp_engineid_ipv6 = -1; +static int hf_snmp_engineid_cisco_type = -1; +static int hf_snmp_engineid_mac = -1; +static int hf_snmp_engineid_text = -1; +static int hf_snmp_engineid_time = -1; +static int hf_snmp_engineid_data = -1; +static int hf_snmp_decryptedPDU = -1; +static int hf_snmp_msgAuthentication = -1; + +static int hf_snmp_noSuchObject = -1; +static int hf_snmp_noSuchInstance = -1; +static int hf_snmp_endOfMibView = -1; +static int hf_snmp_unSpecified = -1; + +static int hf_snmp_integer32_value = -1; +static int hf_snmp_octetstring_value = -1; +static int hf_snmp_oid_value = -1; +static int hf_snmp_null_value = -1; +static int hf_snmp_ipv4_value = -1; +static int hf_snmp_ipv6_value = -1; +static int hf_snmp_anyaddress_value = -1; +static int hf_snmp_unsigned32_value = -1; +static int hf_snmp_unknown_value = -1; +static int hf_snmp_opaque_value = -1; +static int hf_snmp_nsap_value = -1; +static int hf_snmp_counter_value = -1; +static int hf_snmp_timeticks_value = -1; +static int hf_snmp_big_counter_value = -1; +static int hf_snmp_gauge32_value = -1; + +static int hf_snmp_objectname = -1; +static int hf_snmp_scalar_instance_index = -1; + +static int hf_snmp_var_bind_str = -1; +static int hf_snmp_agentid_trailer = -1; + +#include "packet-snmp-hf.c" + +/* Initialize the subtree pointers */ +static gint ett_smux = -1; +static gint ett_snmp = -1; +static gint ett_engineid = -1; +static gint ett_msgFlags = -1; +static gint ett_encryptedPDU = -1; +static gint ett_decrypted = -1; +static gint ett_authParameters = -1; +static gint ett_internet = -1; +static gint ett_varbind = -1; +static gint ett_name = -1; +static gint ett_value = -1; +static gint ett_decoding_error = -1; + +#include "packet-snmp-ett.c" + +static expert_field ei_snmp_failed_decrypted_data_pdu = EI_INIT; +static expert_field ei_snmp_decrypted_data_bad_formatted = EI_INIT; +static expert_field ei_snmp_verify_authentication_error = EI_INIT; +static expert_field ei_snmp_authentication_ok = EI_INIT; +static expert_field ei_snmp_authentication_error = EI_INIT; +static expert_field ei_snmp_varbind_not_uni_class_seq = EI_INIT; +static expert_field ei_snmp_varbind_has_indicator = EI_INIT; +static expert_field ei_snmp_objectname_not_oid = EI_INIT; +static expert_field ei_snmp_objectname_has_indicator = EI_INIT; +static expert_field ei_snmp_value_not_primitive_encoding = EI_INIT; +static expert_field ei_snmp_invalid_oid = EI_INIT; +static expert_field ei_snmp_varbind_wrong_tag = EI_INIT; +static expert_field ei_snmp_varbind_response = EI_INIT; +static expert_field ei_snmp_no_instance_subid = EI_INIT; +static expert_field ei_snmp_wrong_num_of_subids = EI_INIT; +static expert_field ei_snmp_index_suboid_too_short = EI_INIT; +static expert_field ei_snmp_unimplemented_instance_index = EI_INIT; +static expert_field ei_snmp_index_suboid_len0 = EI_INIT; +static expert_field ei_snmp_index_suboid_too_long = EI_INIT; +static expert_field ei_snmp_index_string_too_long = EI_INIT; +static expert_field ei_snmp_column_parent_not_row = EI_INIT; +static expert_field ei_snmp_uint_too_large = EI_INIT; +static expert_field ei_snmp_int_too_large = EI_INIT; +static expert_field ei_snmp_integral_value0 = EI_INIT; +static expert_field ei_snmp_missing_mib = EI_INIT; +static expert_field ei_snmp_varbind_wrong_length_value = EI_INIT; +static expert_field ei_snmp_varbind_wrong_class_tag = EI_INIT; +static expert_field ei_snmp_rfc1910_non_conformant = EI_INIT; +static expert_field ei_snmp_rfc3411_non_conformant = EI_INIT; +static expert_field ei_snmp_version_unknown = EI_INIT; +static expert_field ei_snmp_trap_pdu_obsolete = EI_INIT; + +static const true_false_string auth_flags = { + "OK", + "Failed" +}; + +/* Security Models */ + +#define SNMP_SEC_ANY 0 +#define SNMP_SEC_V1 1 +#define SNMP_SEC_V2C 2 +#define SNMP_SEC_USM 3 + +static const value_string sec_models[] = { + { SNMP_SEC_ANY, "Any" }, + { SNMP_SEC_V1, "V1" }, + { SNMP_SEC_V2C, "V2C" }, + { SNMP_SEC_USM, "USM" }, + { 0, NULL } +}; + +#if 0 +/* SMUX PDU types */ +#define SMUX_MSG_OPEN 0 +#define SMUX_MSG_CLOSE 1 +#define SMUX_MSG_RREQ 2 +#define SMUX_MSG_RRSP 3 +#define SMUX_MSG_SOUT 4 + +static const value_string smux_types[] = { + { SMUX_MSG_OPEN, "Open" }, + { SMUX_MSG_CLOSE, "Close" }, + { SMUX_MSG_RREQ, "Registration Request" }, + { SMUX_MSG_RRSP, "Registration Response" }, + { SMUX_MSG_SOUT, "Commit Or Rollback" }, + { 0, NULL } +}; +#endif + +/* Procedure names (used in Service Response Time) */ +const value_string snmp_procedure_names[] = { + { 0, "Get" }, + { 1, "GetNext" }, + { 3, "Set" }, + { 4, "Register" }, + { 5, "Bulk" }, + { 6, "Inform" }, + { 0, NULL } +}; + +#define SNMP_IPA 0 /* IP Address */ +#define SNMP_CNT 1 /* Counter (Counter32) */ +#define SNMP_GGE 2 /* Gauge (Gauge32) */ +#define SNMP_TIT 3 /* TimeTicks */ +#define SNMP_OPQ 4 /* Opaque */ +#define SNMP_NSP 5 /* NsapAddress */ +#define SNMP_C64 6 /* Counter64 */ +#define SNMP_U32 7 /* Uinteger32 */ + +#define SERR_NSO 0 +#define SERR_NSI 1 +#define SERR_EOM 2 + + +dissector_table_t value_sub_dissectors_table; + +/* + * Data structure attached to a conversation, request/response information + */ +typedef struct snmp_conv_info_t { + wmem_map_t *request_response; +} snmp_conv_info_t; + +static snmp_conv_info_t* +snmp_find_conversation_and_get_conv_data(packet_info *pinfo); + +static snmp_request_response_t * +snmp_get_request_response_pointer(wmem_map_t *map, guint32 requestId) +{ + snmp_request_response_t *srrp=(snmp_request_response_t *)wmem_map_lookup(map, &requestId); + if (!srrp) { + srrp=wmem_new0(wmem_file_scope(), snmp_request_response_t); + srrp->requestId=requestId; + wmem_map_insert(map, &(srrp->requestId), (void *)srrp); + } + + return srrp; +} + +static snmp_request_response_t* +snmp_match_request_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint requestId, guint procedure_id, snmp_conv_info_t *snmp_info) +{ + snmp_request_response_t *srrp=NULL; + + DISSECTOR_ASSERT_HINT(snmp_info, "No SNMP info from ASN1 context"); + + /* get or create request/response pointer based on request id */ + srrp=(snmp_request_response_t *)snmp_get_request_response_pointer(snmp_info->request_response, requestId); + + // if not visited fill the request/response data + if (!PINFO_FD_VISITED(pinfo)) { + switch(procedure_id) + { + case SNMP_REQ_GET: + case SNMP_REQ_GETNEXT: + case SNMP_REQ_SET: + case SNMP_REQ_GETBULK: + case SNMP_REQ_INFORM: + srrp->request_frame_id=pinfo->fd->num; + srrp->response_frame_id=0; + srrp->request_time=pinfo->abs_ts; + srrp->request_procedure_id=procedure_id; + break; + case SNMP_RES_GET: + srrp->response_frame_id=pinfo->fd->num; + break; + default: + return NULL; + } + } + + /* if request and response was matched */ + if (srrp->request_frame_id!=0 && srrp->response_frame_id!=0) + { + proto_item *it; + + // if it is a request + if (srrp->request_frame_id == pinfo->fd->num) + { + it=proto_tree_add_uint(tree, hf_snmp_response_in, tvb, 0, 0, srrp->response_frame_id); + proto_item_set_generated(it); + } else { + nstime_t ns; + it=proto_tree_add_uint(tree, hf_snmp_response_to, tvb, 0, 0, srrp->request_frame_id); + proto_item_set_generated(it); + nstime_delta(&ns, &pinfo->abs_ts, &srrp->request_time); + it=proto_tree_add_time(tree, hf_snmp_time, tvb, 0, 0, &ns); + proto_item_set_generated(it); + + return srrp; + } + } + + return NULL; +} + +static void +snmpstat_init(struct register_srt* srt _U_, GArray* srt_array) +{ + srt_stat_table *snmp_srt_table; + guint32 i; + + snmp_srt_table = init_srt_table("SNMP Commands", NULL, srt_array, SNMP_NUM_PROCEDURES, NULL, "snmp.data", NULL); + for (i = 0; i < SNMP_NUM_PROCEDURES; i++) + { + init_srt_table_row(snmp_srt_table, i, val_to_str_const(i, snmp_procedure_names, "<unknown>")); + } +} + +/* This is called only if request and response was matched -> no need to return anything than TAP_PACKET_REDRAW */ +static tap_packet_status +snmpstat_packet(void *psnmp, packet_info *pinfo, epan_dissect_t *edt _U_, const void *psi, tap_flags_t flags _U_) +{ + guint i = 0; + srt_stat_table *snmp_srt_table; + const snmp_request_response_t *snmp=(const snmp_request_response_t *)psi; + srt_data_t *data = (srt_data_t *)psnmp; + + snmp_srt_table = g_array_index(data->srt_array, srt_stat_table*, i); + + add_srt_table_data(snmp_srt_table, snmp->request_procedure_id, &snmp->request_time, pinfo); + return TAP_PACKET_REDRAW; +} + +static const gchar * +snmp_lookup_specific_trap (guint specific_trap) +{ + guint i; + + for (i = 0; i < num_specific_traps; i++) { + snmp_st_assoc_t *u = &(specific_traps[i]); + + if ((u->trap == specific_trap) && + (strcmp (u->enterprise, enterprise_oid) == 0)) + { + return u->desc; + } + } + + return NULL; +} + +static int +dissect_snmp_variable_string(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void *data _U_) +{ + + proto_tree_add_item(tree, hf_snmp_var_bind_str, tvb, 0, -1, ENC_ASCII); + + return tvb_captured_length(tvb); +} + +/* +DateAndTime ::= TEXTUAL-CONVENTION + DISPLAY-HINT "2d-1d-1d,1d:1d:1d.1d,1a1d:1d" + STATUS current + DESCRIPTION + "A date-time specification. + + field octets contents range + ----- ------ -------- ----- + 1 1-2 year* 0..65536 + 2 3 month 1..12 + 3 4 day 1..31 + 4 5 hour 0..23 + 5 6 minutes 0..59 + 6 7 seconds 0..60 + (use 60 for leap-second) + 7 8 deci-seconds 0..9 + 8 9 direction from UTC '+' / '-' + 9 10 hours from UTC* 0..13 + 10 11 minutes from UTC 0..59 + + * Notes: + - the value of year is in network-byte order + - daylight saving time in New Zealand is +13 + + For example, Tuesday May 26, 1992 at 1:30:15 PM EDT would be + displayed as: + + 1992-5-26,13:30:15.0,-4:0 + + Note that if only local time is known, then timezone + information (fields 8-10) is not present." + SYNTAX OCTET STRING (SIZE (8 | 11)) +*/ +static proto_item * +dissect_snmp_variable_date_and_time(proto_tree *tree, packet_info *pinfo, int hfid, tvbuff_t *tvb, int offset, int length) +{ + guint16 year; + guint8 month; + guint8 day; + guint8 hour; + guint8 minutes; + guint8 seconds; + guint8 deci_seconds; + guint8 hour_from_utc; + guint8 min_from_utc; + gchar *str; + + year = tvb_get_ntohs(tvb,offset); + month = tvb_get_guint8(tvb,offset+2); + day = tvb_get_guint8(tvb,offset+3); + hour = tvb_get_guint8(tvb,offset+4); + minutes = tvb_get_guint8(tvb,offset+5); + seconds = tvb_get_guint8(tvb,offset+6); + deci_seconds = tvb_get_guint8(tvb,offset+7); + if(length > 8){ + hour_from_utc = tvb_get_guint8(tvb,offset+9); + min_from_utc = tvb_get_guint8(tvb,offset+10); + + str = wmem_strdup_printf(pinfo->pool, + "%u-%u-%u, %u:%u:%u.%u UTC %s%u:%u", + year, + month, + day, + hour, + minutes, + seconds, + deci_seconds, + tvb_get_string_enc(pinfo->pool,tvb,offset+8,1,ENC_ASCII|ENC_NA), + hour_from_utc, + min_from_utc); + }else{ + str = wmem_strdup_printf(pinfo->pool, + "%u-%u-%u, %u:%u:%u.%u", + year, + month, + day, + hour, + minutes, + seconds, + deci_seconds); + } + + return proto_tree_add_string(tree, hfid, tvb, offset, length, str); + +} + +/* + * dissect_snmp_VarBind + * this routine dissects variable bindings, looking for the oid information in our oid reporsitory + * to format and add the value adequatelly. + * + * The choice to handwrite this code instead of using the asn compiler is to avoid having tons + * of uses of global variables distributed in very different parts of the code. + * Other than that there's a cosmetic thing: the tree from ASN generated code would be so + * convoluted due to the nesting of CHOICEs in the definition of VarBind/value. + * + * XXX: the length of this function (~400 lines) is an aberration! + * oid_key_t:key_type could become a series of callbacks instead of an enum + * the (! oid_info_is_ok) switch could be made into an array (would be slower) + * + + NetworkAddress ::= CHOICE { internet IpAddress } + IpAddress ::= [APPLICATION 0] IMPLICIT OCTET STRING (SIZE (4)) + TimeTicks ::= [APPLICATION 3] IMPLICIT INTEGER (0..4294967295) + Integer32 ::= INTEGER (-2147483648..2147483647) + ObjectName ::= OBJECT IDENTIFIER + Counter32 ::= [APPLICATION 1] IMPLICIT INTEGER (0..4294967295) + Gauge32 ::= [APPLICATION 2] IMPLICIT INTEGER (0..4294967295) + Unsigned32 ::= [APPLICATION 2] IMPLICIT INTEGER (0..4294967295) + Integer-value ::= INTEGER (-2147483648..2147483647) + Integer32 ::= INTEGER (-2147483648..2147483647) + ObjectID-value ::= OBJECT IDENTIFIER + Empty ::= NULL + TimeTicks ::= [APPLICATION 3] IMPLICIT INTEGER (0..4294967295) + Opaque ::= [APPLICATION 4] IMPLICIT OCTET STRING + Counter64 ::= [APPLICATION 6] IMPLICIT INTEGER (0..18446744073709551615) + + ObjectSyntax ::= CHOICE { + simple SimpleSyntax, + application-wide ApplicationSyntax + } + + SimpleSyntax ::= CHOICE { + integer-value Integer-value, + string-value String-value, + objectID-value ObjectID-value, + empty Empty + } + + ApplicationSyntax ::= CHOICE { + ipAddress-value IpAddress, + counter-value Counter32, + timeticks-value TimeTicks, + arbitrary-value Opaque, + big-counter-value Counter64, + unsigned-integer-value Unsigned32 + } + + ValueType ::= CHOICE { + value ObjectSyntax, + unSpecified NULL, + noSuchObject[0] IMPLICIT NULL, + noSuchInstance[1] IMPLICIT NULL, + endOfMibView[2] IMPLICIT NULL + } + + VarBind ::= SEQUENCE { + name ObjectName, + valueType ValueType + } + + */ + +static int +dissect_snmp_VarBind(bool implicit_tag _U_, tvbuff_t *tvb, int offset, + asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) +{ + int seq_offset, name_offset, value_offset, value_start; + guint32 seq_len, name_len, value_len; + gint8 ber_class; + bool pc; + gint32 tag; + bool ind; + guint32* subids; + guint8* oid_bytes; + oid_info_t* oid_info = NULL; + guint oid_matched, oid_left; + proto_item *pi_name, *pi_varbind, *pi_value = NULL; + proto_tree *pt, *pt_varbind, *pt_name, *pt_value; + char label[ITEM_LABEL_LENGTH]; + const char* repr = NULL; + const char* info_oid = NULL; + char* valstr; + int hfid = -1; + int min_len = 0, max_len = 0; + bool oid_info_is_ok; + const char* oid_string = NULL; + enum {BER_NO_ERROR, BER_WRONG_LENGTH, BER_WRONG_TAG} format_error = BER_NO_ERROR; + + seq_offset = offset; + + /* first have the VarBind's sequence header */ + offset = dissect_ber_identifier(actx->pinfo, tree, tvb, offset, &ber_class, &pc, &tag); + offset = dissect_ber_length(actx->pinfo, tree, tvb, offset, &seq_len, &ind); + + if (!pc && ber_class==BER_CLASS_UNI && tag==BER_UNI_TAG_SEQUENCE) { + proto_item* pi; + pt = proto_tree_add_subtree(tree, tvb, seq_offset, seq_len + (offset - seq_offset), + ett_decoding_error, &pi, "VarBind must be an universal class sequence"); + expert_add_info(actx->pinfo, pi, &ei_snmp_varbind_not_uni_class_seq); + return dissect_unknown_ber(actx->pinfo, tvb, seq_offset, pt); + } + + if (ind) { + proto_item* pi; + pt = proto_tree_add_subtree(tree, tvb, seq_offset, seq_len + (offset - seq_offset), + ett_decoding_error, &pi, "Indicator must be clear in VarBind"); + expert_add_info(actx->pinfo, pi, &ei_snmp_varbind_has_indicator); + return dissect_unknown_ber(actx->pinfo, tvb, seq_offset, pt); + } + + /* we add the varbind tree root with a dummy label we'll fill later on */ + pt_varbind = proto_tree_add_subtree(tree,tvb,offset,seq_len,ett_varbind,&pi_varbind,"VarBind"); + *label = '\0'; + + seq_len += offset - seq_offset; + + /* then we have the ObjectName's header */ + + offset = dissect_ber_identifier(actx->pinfo, pt_varbind, tvb, offset, &ber_class, &pc, &tag); + name_offset = offset = dissect_ber_length(actx->pinfo, pt_varbind, tvb, offset, &name_len, &ind); + + if (! ( !pc && ber_class==BER_CLASS_UNI && tag==BER_UNI_TAG_OID) ) { + proto_item* pi; + pt = proto_tree_add_subtree(tree, tvb, seq_offset, seq_len, + ett_decoding_error, &pi, "ObjectName must be an OID in primitive encoding"); + expert_add_info(actx->pinfo, pi, &ei_snmp_objectname_not_oid); + return dissect_unknown_ber(actx->pinfo, tvb, seq_offset, pt); + } + + if (ind) { + proto_item* pi; + pt = proto_tree_add_subtree(tree, tvb, seq_offset, seq_len, + ett_decoding_error, &pi, "Indicator must be clear in ObjectName"); + expert_add_info(actx->pinfo, pi, &ei_snmp_objectname_has_indicator); + return dissect_unknown_ber(actx->pinfo, tvb, seq_offset, pt); + } + + pi_name = proto_tree_add_item(pt_varbind,hf_snmp_objectname,tvb,name_offset,name_len,ENC_NA); + pt_name = proto_item_add_subtree(pi_name,ett_name); + + offset += name_len; + value_start = offset; + /* then we have the value's header */ + offset = dissect_ber_identifier(actx->pinfo, pt_varbind, tvb, offset, &ber_class, &pc, &tag); + value_offset = dissect_ber_length(actx->pinfo, pt_varbind, tvb, offset, &value_len, &ind); + + if (! (!pc) ) { + proto_item* pi; + pt = proto_tree_add_subtree(pt_varbind, tvb, value_start, value_len, + ett_decoding_error, &pi, "the value must be in primitive encoding"); + expert_add_info(actx->pinfo, pi, &ei_snmp_value_not_primitive_encoding); + return dissect_unknown_ber(actx->pinfo, tvb, value_start, pt); + } + + /* Now, we know where everithing is */ + + /* fetch ObjectName and its relative oid_info */ + oid_bytes = (guint8*)tvb_memdup(actx->pinfo->pool, tvb, name_offset, name_len); + oid_info = oid_get_from_encoded(actx->pinfo->pool, oid_bytes, name_len, &subids, &oid_matched, &oid_left); + + add_oid_debug_subtree(oid_info,pt_name); + + if (!subids) { + proto_item* pi; + + repr = oid_encoded2string(actx->pinfo->pool, oid_bytes, name_len); + pt = proto_tree_add_subtree_format(pt_name,tvb, 0, 0, ett_decoding_error, &pi, "invalid oid: %s", repr); + expert_add_info_format(actx->pinfo, pi, &ei_snmp_invalid_oid, "invalid oid: %s", repr); + return dissect_unknown_ber(actx->pinfo, tvb, name_offset, pt); + } + + if (oid_matched+oid_left) { + oid_string = oid_subid2string(actx->pinfo->pool, subids,oid_matched+oid_left); + } + + if (ber_class == BER_CLASS_CON) { + /* if we have an error value just add it and get out the way ASAP */ + proto_item* pi; + const char* note; + + if (value_len != 0) { + min_len = max_len = 0; + format_error = BER_WRONG_LENGTH; + } + + switch (tag) { + case SERR_NSO: + hfid = hf_snmp_noSuchObject; + note = "noSuchObject"; + break; + case SERR_NSI: + hfid = hf_snmp_noSuchInstance; + note = "noSuchInstance"; + break; + case SERR_EOM: + hfid = hf_snmp_endOfMibView; + note = "endOfMibView"; + break; + default: { + pt = proto_tree_add_subtree_format(pt_varbind,tvb,0,0,ett_decoding_error,&pi, + "Wrong tag for Error Value: expected 0, 1, or 2 but got: %d",tag); + expert_add_info(actx->pinfo, pi, &ei_snmp_varbind_wrong_tag); + return dissect_unknown_ber(actx->pinfo, tvb, value_start, pt); + } + } + + pi = proto_tree_add_item(pt_varbind,hfid,tvb,value_offset,value_len,ENC_BIG_ENDIAN); + expert_add_info_format(actx->pinfo, pi, &ei_snmp_varbind_response, "%s",note); + (void) g_strlcpy (label, note, ITEM_LABEL_LENGTH); + goto set_label; + } + + /* now we'll try to figure out which are the indexing sub-oids and whether the oid we know about is the one oid we have to use */ + switch (oid_info->kind) { + case OID_KIND_SCALAR: + if (oid_left == 1) { + /* OK: we got the instance sub-id */ + proto_tree_add_uint64(pt_name,hf_snmp_scalar_instance_index,tvb,name_offset,name_len,subids[oid_matched]); + oid_info_is_ok = TRUE; + goto indexing_done; + } else if (oid_left == 0) { + if (ber_class == BER_CLASS_UNI && tag == BER_UNI_TAG_NULL) { + /* unSpecified does not require an instance sub-id add the new value and get off the way! */ + pi_value = proto_tree_add_item(pt_varbind,hf_snmp_unSpecified,tvb,value_offset,value_len,ENC_NA); + goto set_label; + } else { + proto_tree_add_expert(pt_name,actx->pinfo,&ei_snmp_no_instance_subid,tvb,0,0); + oid_info_is_ok = FALSE; + goto indexing_done; + } + } else { + proto_tree_add_expert_format(pt_name,actx->pinfo,&ei_snmp_wrong_num_of_subids,tvb,0,0,"A scalar should have only one instance sub-id this has: %d",oid_left); + oid_info_is_ok = FALSE; + goto indexing_done; + } + break; + case OID_KIND_COLUMN: + if ( oid_info->parent->kind == OID_KIND_ROW) { + oid_key_t* k = oid_info->parent->key; + guint key_start = oid_matched; + guint key_len = oid_left; + oid_info_is_ok = TRUE; + + if ( key_len == 0 && ber_class == BER_CLASS_UNI && tag == BER_UNI_TAG_NULL) { + /* unSpecified does not require an instance sub-id add the new value and get off the way! */ + pi_value = proto_tree_add_item(pt_varbind,hf_snmp_unSpecified,tvb,value_offset,value_len,ENC_NA); + goto set_label; + } + + if (k) { + for (;k;k = k->next) { + guint suboid_len; + + if (key_start >= oid_matched+oid_left) { + proto_tree_add_expert(pt_name,actx->pinfo,&ei_snmp_index_suboid_too_short,tvb,0,0); + oid_info_is_ok = FALSE; + goto indexing_done; + } + + switch(k->key_type) { + case OID_KEY_TYPE_WRONG: { + proto_tree_add_expert(pt_name,actx->pinfo,&ei_snmp_unimplemented_instance_index,tvb,0,0); + oid_info_is_ok = FALSE; + goto indexing_done; + } + case OID_KEY_TYPE_INTEGER: { + if (FT_IS_INT(k->ft_type)) { + proto_tree_add_int(pt_name,k->hfid,tvb,name_offset,name_len,(guint)subids[key_start]); + } else { /* if it's not an unsigned int let proto_tree_add_uint throw a warning */ + proto_tree_add_uint64(pt_name,k->hfid,tvb,name_offset,name_len,(guint)subids[key_start]); + } + key_start++; + key_len--; + continue; /* k->next */ + } + case OID_KEY_TYPE_IMPLIED_OID: + suboid_len = key_len; + + goto show_oid_index; + + case OID_KEY_TYPE_OID: { + guint8* suboid_buf; + guint suboid_buf_len; + guint32* suboid; + + suboid_len = subids[key_start++]; + key_len--; + +show_oid_index: + suboid = &(subids[key_start]); + + if( suboid_len == 0 ) { + proto_tree_add_expert(pt_name,actx->pinfo,&ei_snmp_index_suboid_len0,tvb,0,0); + oid_info_is_ok = FALSE; + goto indexing_done; + } + + if( key_len < suboid_len ) { + proto_tree_add_expert(pt_name,actx->pinfo,&ei_snmp_index_suboid_too_long,tvb,0,0); + oid_info_is_ok = FALSE; + goto indexing_done; + } + + suboid_buf_len = oid_subid2encoded(actx->pinfo->pool, suboid_len, suboid, &suboid_buf); + + DISSECTOR_ASSERT(suboid_buf_len); + + proto_tree_add_oid(pt_name,k->hfid,tvb,name_offset, suboid_buf_len, suboid_buf); + + key_start += suboid_len; + key_len -= suboid_len + 1; + continue; /* k->next */ + } + default: { + guint8* buf; + guint buf_len; + guint32* suboid; + guint i; + + + switch (k->key_type) { + case OID_KEY_TYPE_IPADDR: + suboid = &(subids[key_start]); + buf_len = 4; + break; + case OID_KEY_TYPE_IMPLIED_STRING: + case OID_KEY_TYPE_IMPLIED_BYTES: + case OID_KEY_TYPE_ETHER: + suboid = &(subids[key_start]); + buf_len = key_len; + break; + default: + buf_len = k->num_subids; + suboid = &(subids[key_start]); + + if(!buf_len) { + buf_len = *suboid++; + key_len--; + key_start++; + } + break; + } + + if( key_len < buf_len ) { + proto_tree_add_expert(pt_name,actx->pinfo,&ei_snmp_index_string_too_long,tvb,0,0); + oid_info_is_ok = FALSE; + goto indexing_done; + } + + buf = (guint8*)wmem_alloc(actx->pinfo->pool, buf_len+1); + for (i = 0; i < buf_len; i++) + buf[i] = (guint8)suboid[i]; + buf[i] = '\0'; + + switch(k->key_type) { + case OID_KEY_TYPE_STRING: + case OID_KEY_TYPE_IMPLIED_STRING: + proto_tree_add_string(pt_name,k->hfid,tvb,name_offset,buf_len, buf); + break; + case OID_KEY_TYPE_BYTES: + case OID_KEY_TYPE_NSAP: + case OID_KEY_TYPE_IMPLIED_BYTES: + proto_tree_add_bytes(pt_name,k->hfid,tvb,name_offset,buf_len, buf); + break; + case OID_KEY_TYPE_ETHER: + proto_tree_add_ether(pt_name,k->hfid,tvb,name_offset,buf_len, buf); + break; + case OID_KEY_TYPE_IPADDR: { + guint32* ipv4_p = (guint32*)buf; + proto_tree_add_ipv4(pt_name,k->hfid,tvb,name_offset,buf_len, *ipv4_p); + } + break; + default: + DISSECTOR_ASSERT_NOT_REACHED(); + break; + } + + key_start += buf_len; + key_len -= buf_len; + continue; /* k->next*/ + } + } + } + goto indexing_done; + } else { + proto_tree_add_expert(pt_name,actx->pinfo,&ei_snmp_unimplemented_instance_index,tvb,0,0); + oid_info_is_ok = FALSE; + goto indexing_done; + } + } else { + proto_tree_add_expert(pt_name,actx->pinfo,&ei_snmp_column_parent_not_row,tvb,0,0); + oid_info_is_ok = FALSE; + goto indexing_done; + } + default: { +/* proto_tree_add_expert (pt_name,actx->pinfo,PI_MALFORMED, PI_WARN,tvb,0,0,"This kind OID should have no value"); */ + oid_info_is_ok = FALSE; + goto indexing_done; + } + } +indexing_done: + + if (oid_info_is_ok && oid_info->value_type) { + if (ber_class == BER_CLASS_UNI && tag == BER_UNI_TAG_NULL) { + pi_value = proto_tree_add_item(pt_varbind,hf_snmp_unSpecified,tvb,value_offset,value_len,ENC_NA); + } else { + /* Provide a tree_item to attach errors to, if needed. */ + pi_value = pi_name; + + if ((oid_info->value_type->ber_class != BER_CLASS_ANY) && + (ber_class != oid_info->value_type->ber_class)) + format_error = BER_WRONG_TAG; + else if ((oid_info->value_type->ber_tag != BER_TAG_ANY) && + (tag != oid_info->value_type->ber_tag)) + format_error = BER_WRONG_TAG; + else { + max_len = oid_info->value_type->max_len == -1 ? 0xffffff : oid_info->value_type->max_len; + min_len = oid_info->value_type->min_len; + + if ((int)value_len < min_len || (int)value_len > max_len) + format_error = BER_WRONG_LENGTH; + } + + if (format_error == BER_NO_ERROR) { + /* Special case DATE AND TIME */ + if((oid_info->value_type)&&(oid_info->value_type->keytype == OID_KEY_TYPE_DATE_AND_TIME)&&(value_len > 7)){ + pi_value = dissect_snmp_variable_date_and_time(pt_varbind, actx->pinfo, oid_info->value_hfid, tvb, value_offset, value_len); + } else { + pi_value = proto_tree_add_item(pt_varbind,oid_info->value_hfid,tvb,value_offset,value_len,ENC_BIG_ENDIAN); + } + } + } + } else { + switch(ber_class|(tag<<4)) { + case BER_CLASS_UNI|(BER_UNI_TAG_INTEGER<<4): + { + gint64 val=0; + unsigned int int_val_offset = value_offset; + unsigned int i; + + max_len = 4; min_len = 1; + if (value_len > (guint)max_len || value_len < (guint)min_len) { + hfid = hf_snmp_integer32_value; + format_error = BER_WRONG_LENGTH; + break; + } + + if(value_len > 0) { + /* extend sign bit */ + if(tvb_get_guint8(tvb, int_val_offset)&0x80) { + val=-1; + } + for(i=0;i<value_len;i++) { + val=(val<<8)|tvb_get_guint8(tvb, int_val_offset); + int_val_offset++; + } + } + pi_value = proto_tree_add_int64(pt_varbind, hf_snmp_integer32_value, tvb,value_offset,value_len, val); + + goto already_added; + } + case BER_CLASS_UNI|(BER_UNI_TAG_OCTETSTRING<<4): + if(oid_info->value_hfid> -1){ + hfid = oid_info->value_hfid; + }else{ + hfid = hf_snmp_octetstring_value; + } + break; + case BER_CLASS_UNI|(BER_UNI_TAG_OID<<4): + max_len = -1; min_len = 1; + if (value_len < (guint)min_len) format_error = BER_WRONG_LENGTH; + hfid = hf_snmp_oid_value; + break; + case BER_CLASS_UNI|(BER_UNI_TAG_NULL<<4): + max_len = 0; min_len = 0; + if (value_len != 0) format_error = BER_WRONG_LENGTH; + hfid = hf_snmp_null_value; + break; + case BER_CLASS_APP: /* | (SNMP_IPA<<4)*/ + switch(value_len) { + case 4: hfid = hf_snmp_ipv4_value; break; + case 16: hfid = hf_snmp_ipv6_value; break; + default: hfid = hf_snmp_anyaddress_value; break; + } + break; + case BER_CLASS_APP|(SNMP_U32<<4): + hfid = hf_snmp_unsigned32_value; + break; + case BER_CLASS_APP|(SNMP_GGE<<4): + hfid = hf_snmp_gauge32_value; + break; + case BER_CLASS_APP|(SNMP_CNT<<4): + hfid = hf_snmp_counter_value; + break; + case BER_CLASS_APP|(SNMP_TIT<<4): + hfid = hf_snmp_timeticks_value; + break; + case BER_CLASS_APP|(SNMP_OPQ<<4): + hfid = hf_snmp_opaque_value; + break; + case BER_CLASS_APP|(SNMP_NSP<<4): + hfid = hf_snmp_nsap_value; + break; + case BER_CLASS_APP|(SNMP_C64<<4): + hfid = hf_snmp_big_counter_value; + break; + default: + hfid = hf_snmp_unknown_value; + break; + } + if (value_len > 8) { + /* + * Too long for an FT_UINT64 or an FT_INT64. + */ + header_field_info *hfinfo = proto_registrar_get_nth(hfid); + if (hfinfo->type == FT_UINT64) { + /* + * Check if this is an unsigned int64 with + * a big value. + */ + if (value_len > 9 || tvb_get_guint8(tvb, value_offset) != 0) { + /* It is. Fail. */ + proto_tree_add_expert_format(pt_varbind,actx->pinfo,&ei_snmp_uint_too_large,tvb,value_offset,value_len,"Integral value too large"); + goto already_added; + } + /* Cheat and skip the leading 0 byte */ + value_len--; + value_offset++; + } else if (hfinfo->type == FT_INT64) { + /* + * For now, just reject these. + */ + proto_tree_add_expert_format(pt_varbind,actx->pinfo,&ei_snmp_int_too_large,tvb,value_offset,value_len,"Integral value too large or too small"); + goto already_added; + } + } else if (value_len == 0) { + /* + * X.690 section 8.3.1 "Encoding of an integer value": + * "The encoding of an integer value shall be + * primitive. The contents octets shall consist of + * one or more octets." + * + * Zero is not "one or more". + */ + header_field_info *hfinfo = proto_registrar_get_nth(hfid); + if (hfinfo->type == FT_UINT64 || hfinfo->type == FT_INT64) { + proto_tree_add_expert_format(pt_varbind,actx->pinfo,&ei_snmp_integral_value0,tvb,value_offset,value_len,"Integral value is zero-length"); + goto already_added; + } + } + /* Special case DATE AND TIME */ + if((oid_info->value_type)&&(oid_info->value_type->keytype == OID_KEY_TYPE_DATE_AND_TIME)&&(value_len > 7)){ + pi_value = dissect_snmp_variable_date_and_time(pt_varbind, actx->pinfo, hfid, tvb, value_offset, value_len); + }else{ + pi_value = proto_tree_add_item(pt_varbind,hfid,tvb,value_offset,value_len,ENC_BIG_ENDIAN); + } + if (format_error != BER_NO_ERROR) { + expert_add_info(actx->pinfo, pi_value, &ei_snmp_missing_mib); + } + + } +already_added: + pt_value = proto_item_add_subtree(pi_value,ett_value); + + if (value_len > 0 && oid_string) { + tvbuff_t* sub_tvb = tvb_new_subset_length(tvb, value_offset, value_len); + + next_tvb_add_string(var_list, sub_tvb, (snmp_var_in_tree) ? pt_value : NULL, value_sub_dissectors_table, oid_string); + } + + +set_label: + if (pi_value) proto_item_fill_label(PITEM_FINFO(pi_value), label); + + if (oid_info && oid_info->name) { + if (oid_left >= 1) { + repr = wmem_strdup_printf(actx->pinfo->pool, "%s.%s (%s)", oid_info->name, + oid_subid2string(actx->pinfo->pool, &(subids[oid_matched]),oid_left), + oid_subid2string(actx->pinfo->pool, subids,oid_matched+oid_left)); + info_oid = wmem_strdup_printf(actx->pinfo->pool, "%s.%s", oid_info->name, + oid_subid2string(actx->pinfo->pool, &(subids[oid_matched]),oid_left)); + } else { + repr = wmem_strdup_printf(actx->pinfo->pool, "%s (%s)", oid_info->name, + oid_subid2string(actx->pinfo->pool, subids,oid_matched)); + info_oid = oid_info->name; + } + } else if (oid_string) { + repr = wmem_strdup(actx->pinfo->pool, oid_string); + info_oid = oid_string; + } else { + repr = wmem_strdup(actx->pinfo->pool, "[Bad OID]"); + } + + valstr = strstr(label,": "); + valstr = valstr ? valstr+2 : label; + + proto_item_set_text(pi_varbind,"%s: %s",repr,valstr); + + if (display_oid && info_oid) { + col_append_fstr (actx->pinfo->cinfo, COL_INFO, " %s", info_oid); + } + + switch (format_error) { + case BER_WRONG_LENGTH: { + proto_item* pi; + proto_tree* p_tree = proto_item_add_subtree(pi_value,ett_decoding_error); + pt = proto_tree_add_subtree_format(p_tree,tvb,0,0,ett_decoding_error,&pi, + "Wrong value length: %u expecting: %u <= len <= %u", + value_len, min_len, max_len == -1 ? 0xFFFFFF : max_len); + expert_add_info(actx->pinfo, pi, &ei_snmp_varbind_wrong_length_value); + return dissect_unknown_ber(actx->pinfo, tvb, value_start, pt); + } + case BER_WRONG_TAG: { + proto_item* pi; + proto_tree* p_tree = proto_item_add_subtree(pi_value,ett_decoding_error); + pt = proto_tree_add_subtree_format(p_tree,tvb,0,0,ett_decoding_error,&pi, + "Wrong class/tag for Value expected: %d,%d got: %d,%d", + oid_info->value_type->ber_class, oid_info->value_type->ber_tag, + ber_class, tag); + expert_add_info(actx->pinfo, pi, &ei_snmp_varbind_wrong_class_tag); + return dissect_unknown_ber(actx->pinfo, tvb, value_start, pt); + } + default: + break; + } + + return seq_offset + seq_len; +} + + +#define F_SNMP_ENGINEID_CONFORM 0x80 +#define SNMP_ENGINEID_RFC1910 0x00 +#define SNMP_ENGINEID_RFC3411 0x01 + +static const true_false_string tfs_snmp_engineid_conform = { + "RFC3411 (SNMPv3)", + "RFC1910 (Non-SNMPv3)" +}; + +#define SNMP_ENGINEID_FORMAT_IPV4 0x01 +#define SNMP_ENGINEID_FORMAT_IPV6 0x02 +#define SNMP_ENGINEID_FORMAT_MACADDRESS 0x03 +#define SNMP_ENGINEID_FORMAT_TEXT 0x04 +#define SNMP_ENGINEID_FORMAT_OCTETS 0x05 + +static const value_string snmp_engineid_format_vals[] = { + { SNMP_ENGINEID_FORMAT_IPV4, "IPv4 address" }, + { SNMP_ENGINEID_FORMAT_IPV6, "IPv6 address" }, + { SNMP_ENGINEID_FORMAT_MACADDRESS, "MAC address" }, + { SNMP_ENGINEID_FORMAT_TEXT, "Text, administratively assigned" }, + { SNMP_ENGINEID_FORMAT_OCTETS, "Octets, administratively assigned" }, + { 0, NULL } +}; + +#define SNMP_ENGINEID_CISCO_AGENT 0x00 +#define SNMP_ENGINEID_CISCO_MANAGER 0x01 + +static const value_string snmp_engineid_cisco_type_vals[] = { + { SNMP_ENGINEID_CISCO_AGENT, "Agent" }, + { SNMP_ENGINEID_CISCO_MANAGER, "Manager" }, + { 0, NULL } +}; + +/* + * SNMP Engine ID dissection according to RFC 3411 (SnmpEngineID TC) + * or historic RFC 1910 (AgentID) + */ +int +dissect_snmp_engineid(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, int offset, int len) +{ + proto_item *item = NULL; + guint8 conformance, format; + guint32 enterpriseid; + time_t seconds; + nstime_t ts; + int len_remain = len; + + /* first bit: engine id conformance */ + if (len_remain<1) return offset; + conformance = ((tvb_get_guint8(tvb, offset)>>7) & 0x01); + proto_tree_add_item(tree, hf_snmp_engineid_conform, tvb, offset, 1, ENC_BIG_ENDIAN); + + /* 4-byte enterprise number/name */ + if (len_remain<4) return offset; + enterpriseid = tvb_get_ntohl(tvb, offset); + if (conformance) + enterpriseid -= 0x80000000; /* ignore first bit */ + proto_tree_add_uint(tree, hf_snmp_engineid_enterprise, tvb, offset, 4, enterpriseid); + offset+=4; + len_remain-=4; + + switch(conformance) { + + case SNMP_ENGINEID_RFC1910: + /* 12-byte AgentID w/ 8-byte trailer */ + if (len_remain==8) { + proto_tree_add_item(tree, hf_snmp_agentid_trailer, tvb, offset, 8, ENC_NA); + offset+=8; + len_remain-=8; + } else { + proto_tree_add_expert(tree, pinfo, &ei_snmp_rfc1910_non_conformant, tvb, offset, len_remain); + return offset; + } + break; + + case SNMP_ENGINEID_RFC3411: /* variable length: 5..32 */ + + /* 1-byte format specifier */ + if (len_remain<1) return offset; + format = tvb_get_guint8(tvb, offset); + item = proto_tree_add_uint_format(tree, hf_snmp_engineid_format, tvb, offset, 1, format, "Engine ID Format: %s (%d)", + val_to_str_const(format, snmp_engineid_format_vals, "Reserved/Enterprise-specific"), + format); + offset+=1; + len_remain-=1; + + switch(format) { + case SNMP_ENGINEID_FORMAT_IPV4: + /* 4-byte IPv4 address */ + if (len_remain==4) { + proto_tree_add_item(tree, hf_snmp_engineid_ipv4, tvb, offset, 4, ENC_BIG_ENDIAN); + offset+=4; + len_remain=0; + } + break; + case SNMP_ENGINEID_FORMAT_IPV6: + /* 16-byte IPv6 address */ + if (len_remain==16) { + proto_tree_add_item(tree, hf_snmp_engineid_ipv6, tvb, offset, 16, ENC_NA); + offset+=16; + len_remain=0; + } + break; + case SNMP_ENGINEID_FORMAT_MACADDRESS: + /* See: https://supportforums.cisco.com/message/3010617#3010617 for details. */ + if ((enterpriseid==9)&&(len_remain==7)) { + proto_tree_add_item(tree, hf_snmp_engineid_cisco_type, tvb, offset, 1, ENC_BIG_ENDIAN); + offset++; + len_remain--; + } + /* 6-byte MAC address */ + if (len_remain==6) { + proto_tree_add_item(tree, hf_snmp_engineid_mac, tvb, offset, 6, ENC_NA); + offset+=6; + len_remain=0; + } + break; + case SNMP_ENGINEID_FORMAT_TEXT: + /* max. 27-byte string, administratively assigned */ + if (len_remain<=27) { + proto_tree_add_item(tree, hf_snmp_engineid_text, tvb, offset, len_remain, ENC_ASCII); + offset+=len_remain; + len_remain=0; + } + break; + case 128: + /* most common enterprise-specific format: (ucd|net)-snmp random */ + if ((enterpriseid==2021)||(enterpriseid==8072)) { + proto_item_append_text(item, (enterpriseid==2021) ? ": UCD-SNMP Random" : ": Net-SNMP Random"); + /* demystify: 4B random, 4B/8B epoch seconds */ + if ((len_remain==8) || (len_remain==12)) { + proto_tree_add_item(tree, hf_snmp_engineid_data, tvb, offset, 4, ENC_NA); + if (len_remain==8) { + seconds = (time_t)tvb_get_letohl(tvb, offset + 4); + } else { + seconds = (time_t)tvb_get_letohi64(tvb, offset + 4); + } + ts.secs = seconds; + ts.nsecs = 0; + proto_tree_add_time_format_value(tree, hf_snmp_engineid_time, tvb, offset + 4, len_remain - 4, + &ts, "%s", + abs_time_secs_to_str(pinfo->pool, seconds, ABSOLUTE_TIME_LOCAL, TRUE)); + offset+=len_remain; + len_remain=0; + } + break; + } + /* fall through */ + case SNMP_ENGINEID_FORMAT_OCTETS: + default: + /* max. 27 bytes, administratively assigned or unknown format */ + if (len_remain<=27) { + proto_tree_add_item(tree, hf_snmp_engineid_data, tvb, offset, len_remain, ENC_NA); + offset+=len_remain; + len_remain=0; + } + break; + } + } + + if (len_remain>0) { + proto_tree_add_expert(tree, pinfo, &ei_snmp_rfc3411_non_conformant, tvb, offset, len_remain); + offset+=len_remain; + } + return offset; +} + + +static void set_ue_keys(snmp_ue_assoc_t* n ) { + guint key_size = auth_hash_len[n->user.authModel]; + + n->user.authKey.data = (guint8 *)g_malloc(key_size); + n->user.authKey.len = key_size; + snmp_usm_password_to_key(n->user.authModel, + n->user.authPassword.data, + n->user.authPassword.len, + n->engine.data, + n->engine.len, + n->user.authKey.data); + + if (n->priv_proto == PRIV_AES128 || n->priv_proto == PRIV_AES192 || n->priv_proto == PRIV_AES256) { + guint need_key_len = + (n->priv_proto == PRIV_AES128) ? 16 : + (n->priv_proto == PRIV_AES192) ? 24 : + (n->priv_proto == PRIV_AES256) ? 32 : + 0; + + guint key_len = key_size; + + while (key_len < need_key_len) + key_len += key_size; + + n->user.privKey.data = (guint8 *)g_malloc(key_len); + n->user.privKey.len = need_key_len; + + snmp_usm_password_to_key(n->user.authModel, + n->user.privPassword.data, + n->user.privPassword.len, + n->engine.data, + n->engine.len, + n->user.privKey.data); + + key_len = key_size; + + /* extend key if needed */ + while (key_len < need_key_len) { + snmp_usm_password_to_key(n->user.authModel, + n->user.privKey.data, + key_len, + n->engine.data, + n->engine.len, + n->user.privKey.data + key_len); + + key_len += key_size; + } + + } else { + n->user.privKey.data = (guint8 *)g_malloc(key_size); + n->user.privKey.len = key_size; + snmp_usm_password_to_key(n->user.authModel, + n->user.privPassword.data, + n->user.privPassword.len, + n->engine.data, + n->engine.len, + n->user.privKey.data); + } +} + +static snmp_ue_assoc_t* +ue_dup(snmp_ue_assoc_t* o) +{ + snmp_ue_assoc_t* d = (snmp_ue_assoc_t*)g_memdup2(o,sizeof(snmp_ue_assoc_t)); + + d->user.authModel = o->user.authModel; + + d->user.privProtocol = o->user.privProtocol; + + d->user.userName.data = (guint8 *)g_memdup2(o->user.userName.data,o->user.userName.len); + d->user.userName.len = o->user.userName.len; + + d->user.authPassword.data = o->user.authPassword.data ? (guint8 *)g_memdup2(o->user.authPassword.data,o->user.authPassword.len) : NULL; + d->user.authPassword.len = o->user.authPassword.len; + + d->user.privPassword.data = o->user.privPassword.data ? (guint8 *)g_memdup2(o->user.privPassword.data,o->user.privPassword.len) : NULL; + d->user.privPassword.len = o->user.privPassword.len; + + d->engine.len = o->engine.len; + + if (d->engine.len) { + d->engine.data = (guint8 *)g_memdup2(o->engine.data,o->engine.len); + set_ue_keys(d); + } + + return d; + +} + +static void* +snmp_users_copy_cb(void* dest, const void* orig, size_t len _U_) +{ + const snmp_ue_assoc_t* o = (const snmp_ue_assoc_t*)orig; + snmp_ue_assoc_t* d = (snmp_ue_assoc_t*)dest; + + d->auth_model = o->auth_model; + d->user.authModel = (snmp_usm_auth_model_t) o->auth_model; + + d->priv_proto = o->priv_proto; + d->user.privProtocol = priv_protos[o->priv_proto]; + + d->user.userName.data = (guint8*)g_memdup2(o->user.userName.data,o->user.userName.len); + d->user.userName.len = o->user.userName.len; + + d->user.authPassword.data = o->user.authPassword.data ? (guint8*)g_memdup2(o->user.authPassword.data,o->user.authPassword.len) : NULL; + d->user.authPassword.len = o->user.authPassword.len; + + d->user.privPassword.data = o->user.privPassword.data ? (guint8*)g_memdup2(o->user.privPassword.data,o->user.privPassword.len) : NULL; + d->user.privPassword.len = o->user.privPassword.len; + + d->engine.len = o->engine.len; + if (o->engine.data) { + d->engine.data = (guint8*)g_memdup2(o->engine.data,o->engine.len); + } + + d->user.authKey.data = o->user.authKey.data ? (guint8*)g_memdup2(o->user.authKey.data,o->user.authKey.len) : NULL; + d->user.authKey.len = o->user.authKey.len; + + d->user.privKey.data = o->user.privKey.data ? (guint8*)g_memdup2(o->user.privKey.data,o->user.privKey.len) : NULL; + d->user.privKey.len = o->user.privKey.len; + + return d; +} + +static void +snmp_users_free_cb(void* p) +{ + snmp_ue_assoc_t* ue = (snmp_ue_assoc_t*)p; + g_free(ue->user.userName.data); + g_free(ue->user.authPassword.data); + g_free(ue->user.privPassword.data); + g_free(ue->user.authKey.data); + g_free(ue->user.privKey.data); + g_free(ue->engine.data); +} + +static bool +snmp_users_update_cb(void* p _U_, char** err) +{ + snmp_ue_assoc_t* ue = (snmp_ue_assoc_t*)p; + GString* es = g_string_new(""); + unsigned int i; + + *err = NULL; + + if (! ue->user.userName.len) { + g_string_append_printf(es,"no userName\n"); + } else if ((ue->engine.len > 0) && (ue->engine.len < 5 || ue->engine.len > 32)) { + /* RFC 3411 section 5 */ + g_string_append_printf(es, "Invalid engineId length (%u). Must be between 5 and 32 (10 and 64 hex digits)\n", ue->engine.len); + } else if (num_ueas) { + for (i=0; i<num_ueas-1; i++) { + snmp_ue_assoc_t* u = &(ueas[i]); + + if ( u->user.userName.len == ue->user.userName.len + && u->engine.len == ue->engine.len && (u != ue)) { + + if (u->engine.len > 0 && memcmp( u->engine.data, ue->engine.data, u->engine.len ) == 0) { + if ( memcmp( u->user.userName.data, ue->user.userName.data, ue->user.userName.len ) == 0 ) { + /* XXX: make a string for the engineId */ + g_string_append_printf(es,"Duplicate key (userName='%s')\n",ue->user.userName.data); + break; + } + } + + if (u->engine.len == 0) { + if ( memcmp( u->user.userName.data, ue->user.userName.data, ue->user.userName.len ) == 0 ) { + g_string_append_printf(es,"Duplicate key (userName='%s' engineId=NONE)\n",ue->user.userName.data); + break; + } + } + } + } + } + + if (es->len) { + es = g_string_truncate(es,es->len-1); + *err = g_string_free(es, FALSE); + return FALSE; + } + + return TRUE; +} + +static void +free_ue_cache(snmp_ue_assoc_t **cache) +{ + static snmp_ue_assoc_t *a, *nxt; + + for (a = *cache; a; a = nxt) { + nxt = a->next; + snmp_users_free_cb(a); + g_free(a); + } + + *cache = NULL; +} + +#define CACHE_INSERT(c,a) if (c) { snmp_ue_assoc_t* t = c; c = a; c->next = t; } else { c = a; a->next = NULL; } + +static void +init_ue_cache(void) +{ + guint i; + + for (i = 0; i < num_ueas; i++) { + snmp_ue_assoc_t* a = ue_dup(&(ueas[i])); + + if (a->engine.len) { + CACHE_INSERT(localized_ues,a); + + } else { + CACHE_INSERT(unlocalized_ues,a); + } + + } +} + +static void +cleanup_ue_cache(void) +{ + free_ue_cache(&localized_ues); + free_ue_cache(&unlocalized_ues); +} + +/* Called when the user applies changes to UAT preferences. */ +static void +renew_ue_cache(void) +{ + cleanup_ue_cache(); + init_ue_cache(); +} + + +static snmp_ue_assoc_t* +localize_ue( snmp_ue_assoc_t* o, const guint8* engine, guint engine_len ) +{ + snmp_ue_assoc_t* n = (snmp_ue_assoc_t*)g_memdup2(o,sizeof(snmp_ue_assoc_t)); + + n->user.userName.data = (guint8*)g_memdup2(o->user.userName.data,o->user.userName.len); + n->user.authModel = o->user.authModel; + n->user.authPassword.data = (guint8*)g_memdup2(o->user.authPassword.data,o->user.authPassword.len); + n->user.authPassword.len = o->user.authPassword.len; + n->user.privPassword.data = (guint8*)g_memdup2(o->user.privPassword.data,o->user.privPassword.len); + n->user.privPassword.len = o->user.privPassword.len; + n->user.authKey.data = (guint8*)g_memdup2(o->user.authKey.data,o->user.authKey.len); + n->user.privKey.data = (guint8*)g_memdup2(o->user.privKey.data,o->user.privKey.len); + n->engine.data = (guint8*)g_memdup2(engine,engine_len); + n->engine.len = engine_len; + n->priv_proto = o->priv_proto; + + set_ue_keys(n); + + return n; +} + + +#define localized_match(a,u,ul,e,el) \ + ( a->user.userName.len == ul \ + && a->engine.len == el \ + && memcmp( a->user.userName.data, u, ul ) == 0 \ + && memcmp( a->engine.data, e, el ) == 0 ) + +#define unlocalized_match(a,u,l) \ + ( a->user.userName.len == l && memcmp( a->user.userName.data, u, l) == 0 ) + +static snmp_ue_assoc_t* +get_user_assoc(tvbuff_t* engine_tvb, tvbuff_t* user_tvb, packet_info *pinfo) +{ + static snmp_ue_assoc_t* a; + guint given_username_len; + guint8* given_username; + guint given_engine_len = 0; + guint8* given_engine = NULL; + + if ( ! (localized_ues || unlocalized_ues ) ) return NULL; + + if (! ( user_tvb && engine_tvb ) ) return NULL; + + given_username_len = tvb_captured_length(user_tvb); + given_engine_len = tvb_captured_length(engine_tvb); + if (! ( given_engine_len && given_username_len ) ) return NULL; + given_username = (guint8*)tvb_memdup(pinfo->pool,user_tvb,0,-1); + given_engine = (guint8*)tvb_memdup(pinfo->pool,engine_tvb,0,-1); + + for (a = localized_ues; a; a = a->next) { + if ( localized_match(a, given_username, given_username_len, given_engine, given_engine_len) ) { + return a; + } + } + + for (a = unlocalized_ues; a; a = a->next) { + if ( unlocalized_match(a, given_username, given_username_len) ) { + snmp_ue_assoc_t* n = localize_ue( a, given_engine, given_engine_len ); + CACHE_INSERT(localized_ues,n); + return n; + } + } + + return NULL; +} + +static bool +snmp_usm_auth(const packet_info *pinfo, const snmp_usm_auth_model_t model, snmp_usm_params_t* p, guint8** calc_auth_p, + guint* calc_auth_len_p, gchar const** error) +{ + gint msg_len; + guint8* msg; + guint auth_len; + guint8* auth; + guint8* key; + guint key_len; + guint8 *calc_auth; + guint start; + guint end; + guint i; + + if (!p->auth_tvb) { + *error = "No Authenticator"; + return FALSE; + } + + key = p->user_assoc->user.authKey.data; + key_len = p->user_assoc->user.authKey.len; + + if (! key ) { + *error = "User has no authKey"; + return FALSE; + } + + auth_len = tvb_captured_length(p->auth_tvb); + + if (auth_len != auth_tag_len[model]) { + *error = "Authenticator length wrong"; + return FALSE; + } + + msg_len = tvb_captured_length(p->msg_tvb); + if (msg_len <= 0) { + *error = "Not enough data remaining"; + return FALSE; + } + msg = (guint8*)tvb_memdup(pinfo->pool,p->msg_tvb,0,msg_len); + + auth = (guint8*)tvb_memdup(pinfo->pool,p->auth_tvb,0,auth_len); + + start = p->auth_offset - p->start_offset; + end = start + auth_len; + + /* fill the authenticator with zeros */ + for ( i = start ; i < end ; i++ ) { + msg[i] = '\0'; + } + + calc_auth = (guint8*)wmem_alloc(pinfo->pool, auth_hash_len[model]); + + if (ws_hmac_buffer(auth_hash_algo[model], calc_auth, msg, msg_len, key, key_len)) { + return FALSE; + } + + if (calc_auth_p) *calc_auth_p = calc_auth; + if (calc_auth_len_p) *calc_auth_len_p = auth_len; + + return ( memcmp(auth,calc_auth,auth_len) != 0 ) ? FALSE : TRUE; +} + +static tvbuff_t* +snmp_usm_priv_des(snmp_usm_params_t* p, tvbuff_t* encryptedData, packet_info *pinfo, gchar const** error) +{ + gcry_error_t err; + gcry_cipher_hd_t hd = NULL; + + guint8* cleartext; + guint8* des_key = p->user_assoc->user.privKey.data; /* first 8 bytes */ + guint8* pre_iv = &(p->user_assoc->user.privKey.data[8]); /* last 8 bytes */ + guint8* salt; + gint salt_len; + gint cryptgrm_len; + guint8* cryptgrm; + tvbuff_t* clear_tvb; + guint8 iv[8]; + guint i; + + + salt_len = tvb_captured_length(p->priv_tvb); + + if (salt_len != 8) { + *error = "decryptionError: msgPrivacyParameters length != 8"; + return NULL; + } + + salt = (guint8*)tvb_memdup(pinfo->pool,p->priv_tvb,0,salt_len); + + /* + The resulting "salt" is XOR-ed with the pre-IV to obtain the IV. + */ + for (i=0; i<8; i++) { + iv[i] = pre_iv[i] ^ salt[i]; + } + + cryptgrm_len = tvb_captured_length(encryptedData); + + if ((cryptgrm_len <= 0) || (cryptgrm_len % 8)) { + *error = "decryptionError: the length of the encrypted data is not a multiple of 8 octets"; + return NULL; + } + + cryptgrm = (guint8*)tvb_memdup(pinfo->pool,encryptedData,0,-1); + + cleartext = (guint8*)wmem_alloc(pinfo->pool, cryptgrm_len); + + err = gcry_cipher_open(&hd, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_CBC, 0); + if (err != GPG_ERR_NO_ERROR) goto on_gcry_error; + + err = gcry_cipher_setiv(hd, iv, 8); + if (err != GPG_ERR_NO_ERROR) goto on_gcry_error; + + err = gcry_cipher_setkey(hd,des_key,8); + if (err != GPG_ERR_NO_ERROR) goto on_gcry_error; + + err = gcry_cipher_decrypt(hd, cleartext, cryptgrm_len, cryptgrm, cryptgrm_len); + if (err != GPG_ERR_NO_ERROR) goto on_gcry_error; + + gcry_cipher_close(hd); + + clear_tvb = tvb_new_child_real_data(encryptedData, cleartext, cryptgrm_len, cryptgrm_len); + + return clear_tvb; + +on_gcry_error: + *error = (const gchar *)gcry_strerror(err); + if (hd) gcry_cipher_close(hd); + return NULL; +} + +static tvbuff_t* +snmp_usm_priv_aes_common(snmp_usm_params_t* p, tvbuff_t* encryptedData, packet_info *pinfo, gchar const** error, int algo) +{ + gcry_error_t err; + gcry_cipher_hd_t hd = NULL; + + guint8* cleartext; + guint8* aes_key = p->user_assoc->user.privKey.data; + int aes_key_len = p->user_assoc->user.privKey.len; + guint8 iv[16]; + gint priv_len; + gint cryptgrm_len; + guint8* cryptgrm; + tvbuff_t* clear_tvb; + + priv_len = tvb_captured_length(p->priv_tvb); + + if (priv_len != 8) { + *error = "decryptionError: msgPrivacyParameters length != 8"; + return NULL; + } + + iv[0] = (p->boots & 0xff000000) >> 24; + iv[1] = (p->boots & 0x00ff0000) >> 16; + iv[2] = (p->boots & 0x0000ff00) >> 8; + iv[3] = (p->boots & 0x000000ff); + iv[4] = (p->snmp_time & 0xff000000) >> 24; + iv[5] = (p->snmp_time & 0x00ff0000) >> 16; + iv[6] = (p->snmp_time & 0x0000ff00) >> 8; + iv[7] = (p->snmp_time & 0x000000ff); + tvb_memcpy(p->priv_tvb,&(iv[8]),0,8); + + cryptgrm_len = tvb_captured_length(encryptedData); + if (cryptgrm_len <= 0) { + *error = "Not enough data remaining"; + return NULL; + } + cryptgrm = (guint8*)tvb_memdup(pinfo->pool,encryptedData,0,-1); + + cleartext = (guint8*)wmem_alloc(pinfo->pool, cryptgrm_len); + + err = gcry_cipher_open(&hd, algo, GCRY_CIPHER_MODE_CFB, 0); + if (err != GPG_ERR_NO_ERROR) goto on_gcry_error; + + err = gcry_cipher_setiv(hd, iv, 16); + if (err != GPG_ERR_NO_ERROR) goto on_gcry_error; + + err = gcry_cipher_setkey(hd,aes_key,aes_key_len); + if (err != GPG_ERR_NO_ERROR) goto on_gcry_error; + + err = gcry_cipher_decrypt(hd, cleartext, cryptgrm_len, cryptgrm, cryptgrm_len); + if (err != GPG_ERR_NO_ERROR) goto on_gcry_error; + + gcry_cipher_close(hd); + + clear_tvb = tvb_new_child_real_data(encryptedData, cleartext, cryptgrm_len, cryptgrm_len); + + return clear_tvb; + +on_gcry_error: + *error = (const gchar *)gcry_strerror(err); + if (hd) gcry_cipher_close(hd); + return NULL; +} + +static tvbuff_t* +snmp_usm_priv_aes128(snmp_usm_params_t* p, tvbuff_t* encryptedData, packet_info *pinfo, gchar const** error) +{ + return snmp_usm_priv_aes_common(p, encryptedData, pinfo, error, GCRY_CIPHER_AES); +} + +static tvbuff_t* +snmp_usm_priv_aes192(snmp_usm_params_t* p, tvbuff_t* encryptedData, packet_info *pinfo, gchar const** error) +{ + return snmp_usm_priv_aes_common(p, encryptedData, pinfo, error, GCRY_CIPHER_AES192); +} + +static tvbuff_t* +snmp_usm_priv_aes256(snmp_usm_params_t* p, tvbuff_t* encryptedData, packet_info *pinfo, gchar const** error) +{ + return snmp_usm_priv_aes_common(p, encryptedData, pinfo, error, GCRY_CIPHER_AES256); +} + +static gboolean +check_ScopedPdu(tvbuff_t* tvb) +{ + int offset; + gint8 ber_class; + bool pc; + gint32 tag; + int hoffset, eoffset; + guint32 len; + + offset = get_ber_identifier(tvb, 0, &ber_class, &pc, &tag); + offset = get_ber_length(tvb, offset, NULL, NULL); + + if ( ! (((ber_class!=BER_CLASS_APP) && (ber_class!=BER_CLASS_PRI) ) + && ( (!pc) || (ber_class!=BER_CLASS_UNI) || (tag!=BER_UNI_TAG_ENUMERATED) ) + )) return FALSE; + + if((tvb_get_guint8(tvb, offset)==0)&&(tvb_get_guint8(tvb, offset+1)==0)) + return TRUE; + + hoffset = offset; + + offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag); + offset = get_ber_length(tvb, offset, &len, NULL); + eoffset = offset + len; + + if (eoffset <= hoffset) return FALSE; + + if ((ber_class!=BER_CLASS_APP)&&(ber_class!=BER_CLASS_PRI)) + if( (ber_class!=BER_CLASS_UNI) + ||((tag<BER_UNI_TAG_NumericString)&&(tag!=BER_UNI_TAG_OCTETSTRING)&&(tag!=BER_UNI_TAG_UTF8String)) ) + return FALSE; + + return TRUE; + +} + +#include "packet-snmp-fn.c" + +static snmp_conv_info_t* +snmp_find_conversation_and_get_conv_data(packet_info *pinfo) { + + conversation_t *conversation = NULL; + snmp_conv_info_t *snmp_info = NULL; + + /* Get the conversation with the wildcarded port, if it exists + * and is associated with SNMP, so that requests and responses + * can be matched even if the response comes from a different, + * ephemeral, source port, as originally done in OS/400. + * On UDP, we do not automatically call conversation_set_port2() + * and we do not want to do so. Possibly this should eventually + * use find_conversation_full and separate the "SNMP conversation" + * from "the transport layer conversation that carries SNMP." + */ + if (pinfo->destport == UDP_PORT_SNMP) { + conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, conversation_pt_to_conversation_type(pinfo->ptype), + pinfo->srcport, 0, NO_PORT_B); + } else if (pinfo->srcport == UDP_PORT_SNMP) { + conversation = find_conversation(pinfo->fd->num, &pinfo->dst, &pinfo->src, conversation_pt_to_conversation_type(pinfo->ptype), + pinfo->destport, 0, NO_PORT_B); + } + if ((conversation == NULL) || (conversation_get_dissector(conversation, pinfo->num) != snmp_handle)) { + conversation = find_or_create_conversation(pinfo); + } + + snmp_info = (snmp_conv_info_t *)conversation_get_proto_data(conversation, proto_snmp); + if (snmp_info == NULL) { + snmp_info = wmem_new0(wmem_file_scope(), snmp_conv_info_t); + snmp_info->request_response=wmem_map_new(wmem_file_scope(), g_int_hash, g_int_equal); + + conversation_add_proto_data(conversation, proto_snmp, snmp_info); + } + return snmp_info; +} + +guint +dissect_snmp_pdu(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree, int proto, gint ett, gboolean is_tcp) +{ + + guint length_remaining; + gint8 ber_class; + bool pc, ind = 0; + gint32 tag; + guint32 len; + guint message_length; + int start_offset = offset; + guint32 version = 0; + tvbuff_t *next_tvb; + + proto_tree *snmp_tree = NULL; + proto_item *item = NULL; + + snmp_conv_info_t *snmp_info = snmp_find_conversation_and_get_conv_data(pinfo); + + asn1_ctx_t asn1_ctx; + asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo); + + asn1_ctx.private_data = snmp_info; + + usm_p.msg_tvb = tvb; + usm_p.start_offset = tvb_offset_from_real_beginning(tvb); + usm_p.engine_tvb = NULL; + usm_p.user_tvb = NULL; + usm_p.auth_item = NULL; + usm_p.auth_tvb = NULL; + usm_p.auth_offset = 0; + usm_p.priv_tvb = NULL; + usm_p.user_assoc = NULL; + usm_p.authenticated = FALSE; + usm_p.encrypted = FALSE; + usm_p.boots = 0; + usm_p.snmp_time = 0; + usm_p.authOK = FALSE; + + /* + * This will throw an exception if we don't have any data left. + * That's what we want. (See "tcp_dissect_pdus()", which is + * similar, but doesn't have to deal with ASN.1. + * XXX - can we make "tcp_dissect_pdus()" provide enough + * information to the "get_pdu_len" routine so that we could + * have that routine deal with ASN.1, and just use + * "tcp_dissect_pdus()"?) + */ + length_remaining = tvb_ensure_captured_length_remaining(tvb, offset); + + /* NOTE: we have to parse the message piece by piece, since the + * capture length may be less than the message length: a 'global' + * parsing is likely to fail. + */ + + /* + * If this is SNMP-over-TCP, we might have to do reassembly + * in order to read the "Sequence Of" header. + */ + if (is_tcp && snmp_desegment && pinfo->can_desegment) { + /* + * This is TCP, and we should, and can, do reassembly. + * + * Is the "Sequence Of" header split across segment + * boundaries? We require at least 6 bytes for the + * header, which allows for a 4-byte length (ASN.1 + * BER). + */ + if (length_remaining < 6) { + /* + * Yes. Tell the TCP dissector where the data + * for this message starts in the data it handed + * us and that we need "some more data." Don't tell + * it exactly how many bytes we need because if/when + * we ask for even more (after the header) that will + * break reassembly. + */ + pinfo->desegment_offset = offset; + pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; + return 0; + } + } + + /* + * OK, try to read the "Sequence Of" header; this gets the total + * length of the SNMP message. + */ + offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag); + /*Get the total octet length of the SNMP data*/ + offset = get_ber_length(tvb, offset, &len, &ind); + message_length = len + offset; + + /*Get the SNMP version data*/ + /*offset =*/ dissect_ber_integer(FALSE, &asn1_ctx, 0, tvb, offset, -1, &version); + + + /* + * If this is SNMP-over-TCP, we might have to do reassembly + * to get all of this message. + */ + if (is_tcp && snmp_desegment && pinfo->can_desegment) { + /* + * Yes - is the message split across segment boundaries? + */ + if (length_remaining < message_length) { + /* + * Yes. Tell the TCP dissector where the data + * for this message starts in the data it handed + * us, and how many more bytes we need, and + * return. + */ + pinfo->desegment_offset = start_offset; + pinfo->desegment_len = + message_length - length_remaining; + + /* + * Return 0, which means "I didn't dissect anything + * because I don't have enough data - we need + * to desegment". + */ + return 0; + } + } + + var_list = next_tvb_list_new(pinfo->pool); + + col_set_str(pinfo->cinfo, COL_PROTOCOL, proto_get_protocol_short_name(find_protocol_by_id(proto))); + + item = proto_tree_add_item(tree, proto, tvb, start_offset, message_length, ENC_BIG_ENDIAN); + snmp_tree = proto_item_add_subtree(item, ett); + + switch (version) { + case 0: /* v1 */ + case 1: /* v2c */ + offset = dissect_snmp_Message(FALSE , tvb, start_offset, &asn1_ctx, snmp_tree, -1); + break; + case 2: /* v2u */ + offset = dissect_snmp_Messagev2u(FALSE , tvb, start_offset, &asn1_ctx, snmp_tree, -1); + break; + /* v3 */ + case 3: + offset = dissect_snmp_SNMPv3Message(FALSE , tvb, start_offset, &asn1_ctx, snmp_tree, -1); + break; + default: + /* + * Return the length remaining in the tvbuff, so + * if this is SNMP-over-TCP, our caller thinks there's + * nothing left to dissect. + */ + expert_add_info(pinfo, item, &ei_snmp_version_unknown); + return length_remaining; + break; + } + + /* There may be appended data after the SNMP data, so treat as raw + * data which needs to be dissected in case of UDP as UDP is PDU oriented. + */ + if((!is_tcp) && (length_remaining > (guint)offset)) { + next_tvb = tvb_new_subset_remaining(tvb, offset); + call_dissector(data_handle, next_tvb, pinfo, tree); + } else { + next_tvb_call(var_list, pinfo, tree, NULL, data_handle); + } + + return offset; +} + +static gint +dissect_snmp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + int offset; + gint8 tmp_class; + bool tmp_pc; + gint32 tmp_tag; + guint32 tmp_length; + bool tmp_ind; + + /* + * See if this looks like SNMP or not. if not, return 0 so + * wireshark can try some other dissector instead. + */ + /* All SNMP packets are BER encoded and consist of a SEQUENCE + * that spans the entire PDU. The first item is an INTEGER that + * has the values 0-2 (version 1-3). + * if not it is not snmp. + */ + /* SNMP starts with a SEQUENCE */ + offset = get_ber_identifier(tvb, 0, &tmp_class, &tmp_pc, &tmp_tag); + if((tmp_class!=BER_CLASS_UNI)||(tmp_tag!=BER_UNI_TAG_SEQUENCE)) { + return 0; + } + /* then comes a length which spans the rest of the tvb */ + offset = get_ber_length(tvb, offset, &tmp_length, &tmp_ind); + /* Loosen the heuristic a bit to handle the case where data has intentionally + * been added after the snmp PDU ( UDP case) (#3684) + * If this is fragmented or carried in ICMP, we don't expect the tvb to + * have the full legnth, so don't check. + */ + if (!pinfo->fragmented && !pinfo->flags.in_error_pkt) { + if ( pinfo->ptype == PT_UDP ) { + if(tmp_length>(guint32)tvb_reported_length_remaining(tvb, offset)) { + return 0; + } + }else{ + if(tmp_length!=(guint32)tvb_reported_length_remaining(tvb, offset)) { + return 0; + } + } + } + /* then comes an INTEGER (version)*/ + get_ber_identifier(tvb, offset, &tmp_class, &tmp_pc, &tmp_tag); + if((tmp_class!=BER_CLASS_UNI)||(tmp_tag!=BER_UNI_TAG_INTEGER)) { + return 0; + } + /* do we need to test that version is 0 - 2 (version1-3) ? */ + + + /* + * The IBM i (OS/400) SNMP agent, at least originally, would + * send responses back from some *other* UDP port, an ephemeral + * port above 5000, going back to the same IP address and port + * from which the request came, similar to TFTP. This only happens + * with the agent port, 161, not with the trap port, etc. As of + * 2015 with the latest fixes applied, it no longer does this: + * https://www.ibm.com/support/pages/ptf/SI55487 + * https://www.ibm.com/support/pages/ptf/SI55537 + * + * The SNMP RFCs are silent on this (cf. L2TP RFC 2661, which + * supports using either the well-known port or an ephemeral + * port as the source port for responses, while noting that + * the latter can cause issues with firewalls and NATs.) so + * possibly some other implementations could do this. + * + * If this packet went to the SNMP port, we check to see if + * there's already a conversation with one address/port pair + * matching the source IP address and port of this packet, + * the other address matching the destination IP address of this + * packet, and any destination port. + * + * If not, we create one, with its address 1/port 1 pair being + * the source address/port of this packet, its address 2 being + * the destination address of this packet, and its port 2 being + * wildcarded, and give it the SNMP dissector as a dissector. + */ + + if (pinfo->destport == UDP_PORT_SNMP) { + conversation_t *conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, conversation_pt_to_conversation_type(pinfo->ptype), + pinfo->srcport, 0, NO_PORT_B); + + if( (conversation == NULL) || (conversation_get_dissector(conversation, pinfo->num)!=snmp_handle) ) { + conversation = conversation_new(pinfo->num, &pinfo->src, &pinfo->dst, conversation_pt_to_conversation_type(pinfo->ptype), + pinfo->srcport, 0, NO_PORT2); + conversation_set_dissector(conversation, snmp_handle); + } + } + + return dissect_snmp_pdu(tvb, 0, pinfo, tree, proto_snmp, ett_snmp, FALSE); +} + +static int +dissect_snmp_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) +{ + int offset = 0; + guint message_len; + + while (tvb_reported_length_remaining(tvb, offset) > 0) { + message_len = dissect_snmp_pdu(tvb, offset, pinfo, tree, proto_snmp, ett_snmp, TRUE); + if (message_len == 0) { + /* + * We don't have all the data for that message, + * so we need to do desegmentation; + * "dissect_snmp_pdu()" has set that up. + */ + break; + } + offset += message_len; + } + return tvb_captured_length(tvb); +} + +static int +dissect_smux(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) +{ + proto_tree *smux_tree = NULL; + proto_item *item = NULL; + + var_list = next_tvb_list_new(pinfo->pool); + + col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMUX"); + + item = proto_tree_add_item(tree, proto_smux, tvb, 0, -1, ENC_NA); + smux_tree = proto_item_add_subtree(item, ett_smux); + + return dissect_SMUX_PDUs_PDU(tvb, pinfo, smux_tree, data); +} + +/* + MD5 Password to Key Algorithm from RFC 3414 A.2.1 + SHA1 Password to Key Algorithm from RFC 3414 A.2.2 + SHA2 Password to Key Algorithm from RFC 7860 9.3 +*/ +static void +snmp_usm_password_to_key(const snmp_usm_auth_model_t model, const guint8 *password, + guint passwordlen, const guint8 *engineID, guint engineLength, guint8 *key) +{ + gcry_md_hd_t hash_handle; + guint8 *cp, password_buf[64]; + guint32 password_index = 0; + guint32 count = 0, i; + guint hash_len; + + if (gcry_md_open(&hash_handle, auth_hash_algo[model], 0)) { + return; + } + + hash_len = auth_hash_len[model]; + + /**********************************************/ + /* Use while loop until we've done 1 Megabyte */ + /**********************************************/ + while (count < 1048576) { + cp = password_buf; + if (passwordlen != 0) { + for (i = 0; i < 64; i++) { + /*************************************************/ + /* Take the next octet of the password, wrapping */ + /* to the beginning of the password as necessary.*/ + /*************************************************/ + *cp++ = password[password_index++ % passwordlen]; + } + } else { + *cp = 0; + } + gcry_md_write(hash_handle, password_buf, 64); + count += 64; + } + memcpy(key, gcry_md_read(hash_handle, 0), hash_len); + gcry_md_close(hash_handle); + + /*****************************************************/ + /* Now localise the key with the engineID and pass */ + /* through hash function to produce final key */ + /* We ignore invalid engineLengths here. More strict */ + /* checking is done in snmp_users_update_cb. */ + /*****************************************************/ + if (gcry_md_open(&hash_handle, auth_hash_algo[model], 0)) { + return; + } + gcry_md_write(hash_handle, key, hash_len); + gcry_md_write(hash_handle, engineID, engineLength); + gcry_md_write(hash_handle, key, hash_len); + memcpy(key, gcry_md_read(hash_handle, 0), hash_len); + gcry_md_close(hash_handle); + return; +} + +static void +process_prefs(void) +{ +} + +UAT_LSTRING_CB_DEF(snmp_users,userName,snmp_ue_assoc_t,user.userName.data,user.userName.len) +UAT_LSTRING_CB_DEF(snmp_users,authPassword,snmp_ue_assoc_t,user.authPassword.data,user.authPassword.len) +UAT_LSTRING_CB_DEF(snmp_users,privPassword,snmp_ue_assoc_t,user.privPassword.data,user.privPassword.len) +UAT_BUFFER_CB_DEF(snmp_users,engine_id,snmp_ue_assoc_t,engine.data,engine.len) +UAT_VS_DEF(snmp_users,auth_model,snmp_ue_assoc_t,guint,0,"MD5") +UAT_VS_DEF(snmp_users,priv_proto,snmp_ue_assoc_t,guint,0,"DES") + +static void * +snmp_specific_trap_copy_cb(void *dest, const void *orig, size_t len _U_) +{ + snmp_st_assoc_t *u = (snmp_st_assoc_t *)dest; + const snmp_st_assoc_t *o = (const snmp_st_assoc_t *)orig; + + u->enterprise = g_strdup(o->enterprise); + u->trap = o->trap; + u->desc = g_strdup(o->desc); + + return dest; +} + +static void +snmp_specific_trap_free_cb(void *r) +{ + snmp_st_assoc_t *u = (snmp_st_assoc_t *)r; + + g_free(u->enterprise); + g_free(u->desc); +} + +UAT_CSTRING_CB_DEF(specific_traps, enterprise, snmp_st_assoc_t) +UAT_DEC_CB_DEF(specific_traps, trap, snmp_st_assoc_t) +UAT_CSTRING_CB_DEF(specific_traps, desc, snmp_st_assoc_t) + + /*--- proto_register_snmp -------------------------------------------*/ +void proto_register_snmp(void) { + /* List of fields */ + static hf_register_info hf[] = { + { &hf_snmp_response_in, + { "Response In", "snmp.response_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0, + "The response to this SNMP request is in this frame", HFILL }}, + { &hf_snmp_response_to, + { "Response To", "snmp.response_to", FT_FRAMENUM, BASE_NONE, NULL, 0x0, + "This is a response to the SNMP request in this frame", HFILL }}, + { &hf_snmp_time, + { "Time", "snmp.time", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0, + "The time between the Request and the Response", HFILL }}, + { &hf_snmp_v3_flags_auth, + { "Authenticated", "snmp.v3.flags.auth", FT_BOOLEAN, 8, + TFS(&tfs_set_notset), TH_AUTH, NULL, HFILL }}, + { &hf_snmp_v3_flags_crypt, + { "Encrypted", "snmp.v3.flags.crypt", FT_BOOLEAN, 8, + TFS(&tfs_set_notset), TH_CRYPT, NULL, HFILL }}, + { &hf_snmp_v3_flags_report, + { "Reportable", "snmp.v3.flags.report", FT_BOOLEAN, 8, + TFS(&tfs_set_notset), TH_REPORT, NULL, HFILL }}, + { &hf_snmp_engineid_conform, { + "Engine ID Conformance", "snmp.engineid.conform", FT_BOOLEAN, 8, + TFS(&tfs_snmp_engineid_conform), F_SNMP_ENGINEID_CONFORM, "Engine ID RFC3411 Conformance", HFILL }}, + { &hf_snmp_engineid_enterprise, { + "Engine Enterprise ID", "snmp.engineid.enterprise", FT_UINT32, BASE_ENTERPRISES, + STRINGS_ENTERPRISES, 0, NULL, HFILL }}, + { &hf_snmp_engineid_format, { + "Engine ID Format", "snmp.engineid.format", FT_UINT8, BASE_DEC, + VALS(snmp_engineid_format_vals), 0, NULL, HFILL }}, + { &hf_snmp_engineid_ipv4, { + "Engine ID Data: IPv4 address", "snmp.engineid.ipv4", FT_IPv4, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_engineid_ipv6, { + "Engine ID Data: IPv6 address", "snmp.engineid.ipv6", FT_IPv6, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_engineid_cisco_type, { + "Engine ID Data: Cisco type", "snmp.engineid.cisco.type", FT_UINT8, BASE_HEX, + VALS(snmp_engineid_cisco_type_vals), 0, NULL, HFILL }}, + { &hf_snmp_engineid_mac, { + "Engine ID Data: MAC address", "snmp.engineid.mac", FT_ETHER, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_engineid_text, { + "Engine ID Data: Text", "snmp.engineid.text", FT_STRING, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_engineid_time, { + "Engine ID Data: Creation Time", "snmp.engineid.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_engineid_data, { + "Engine ID Data", "snmp.engineid.data", FT_BYTES, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_msgAuthentication, { + "Authentication", "snmp.v3.auth", FT_BOOLEAN, BASE_NONE, + TFS(&auth_flags), 0, NULL, HFILL }}, + { &hf_snmp_decryptedPDU, { + "Decrypted ScopedPDU", "snmp.decrypted_pdu", FT_BYTES, BASE_NONE, + NULL, 0, "Decrypted PDU", HFILL }}, + { &hf_snmp_noSuchObject, { + "noSuchObject", "snmp.noSuchObject", FT_NONE, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_noSuchInstance, { + "noSuchInstance", "snmp.noSuchInstance", FT_NONE, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_endOfMibView, { + "endOfMibView", "snmp.endOfMibView", FT_NONE, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_unSpecified, { + "unSpecified", "snmp.unSpecified", FT_NONE, BASE_NONE, + NULL, 0, NULL, HFILL }}, + + { &hf_snmp_integer32_value, { + "Value (Integer32)", "snmp.value.int", FT_INT64, BASE_DEC, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_octetstring_value, { + "Value (OctetString)", "snmp.value.octets", FT_BYTES, BASE_SHOW_ASCII_PRINTABLE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_oid_value, { + "Value (OID)", "snmp.value.oid", FT_OID, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_null_value, { + "Value (Null)", "snmp.value.null", FT_NONE, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_ipv4_value, { + "Value (IpAddress)", "snmp.value.ipv4", FT_IPv4, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_ipv6_value, { + "Value (IpAddress)", "snmp.value.ipv6", FT_IPv6, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_anyaddress_value, { + "Value (IpAddress)", "snmp.value.addr", FT_BYTES, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_unsigned32_value, { + "Value (Unsigned32)", "snmp.value.u32", FT_INT64, BASE_DEC, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_gauge32_value, { + "Value (Gauge32)", "snmp.value.g32", FT_INT64, BASE_DEC, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_unknown_value, { + "Value (Unknown)", "snmp.value.unk", FT_BYTES, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_counter_value, { + "Value (Counter32)", "snmp.value.counter", FT_UINT64, BASE_DEC, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_big_counter_value, { + "Value (Counter64)", "snmp.value.counter", FT_UINT64, BASE_DEC, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_nsap_value, { + "Value (NSAP)", "snmp.value.nsap", FT_UINT64, BASE_DEC, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_timeticks_value, { + "Value (Timeticks)", "snmp.value.timeticks", FT_UINT64, BASE_DEC, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_opaque_value, { + "Value (Opaque)", "snmp.value.opaque", FT_BYTES, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_objectname, { + "Object Name", "snmp.name", FT_OID, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_scalar_instance_index, { + "Scalar Instance Index", "snmp.name.index", FT_UINT64, BASE_DEC, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_var_bind_str, { + "Variable-binding-string", "snmp.var-bind_str", FT_STRING, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_snmp_agentid_trailer, { + "AgentID Trailer", "snmp.agentid_trailer", FT_BYTES, BASE_NONE, + NULL, 0, NULL, HFILL }}, + + +#include "packet-snmp-hfarr.c" + }; + + /* List of subtrees */ + static gint *ett[] = { + &ett_snmp, + &ett_engineid, + &ett_msgFlags, + &ett_encryptedPDU, + &ett_decrypted, + &ett_authParameters, + &ett_internet, + &ett_varbind, + &ett_name, + &ett_value, + &ett_decoding_error, +#include "packet-snmp-ettarr.c" + }; + static ei_register_info ei[] = { + { &ei_snmp_failed_decrypted_data_pdu, { "snmp.failed_decrypted_data_pdu", PI_MALFORMED, PI_WARN, "Failed to decrypt encryptedPDU", EXPFILL }}, + { &ei_snmp_decrypted_data_bad_formatted, { "snmp.decrypted_data_bad_formatted", PI_MALFORMED, PI_WARN, "Decrypted data not formatted as expected, wrong key?", EXPFILL }}, + { &ei_snmp_verify_authentication_error, { "snmp.verify_authentication_error", PI_MALFORMED, PI_ERROR, "Error while verifying Message authenticity", EXPFILL }}, + { &ei_snmp_authentication_ok, { "snmp.authentication_ok", PI_CHECKSUM, PI_CHAT, "SNMP Authentication OK", EXPFILL }}, + { &ei_snmp_authentication_error, { "snmp.authentication_error", PI_CHECKSUM, PI_WARN, "SNMP Authentication Error", EXPFILL }}, + { &ei_snmp_varbind_not_uni_class_seq, { "snmp.varbind.not_uni_class_seq", PI_MALFORMED, PI_WARN, "VarBind is not an universal class sequence", EXPFILL }}, + { &ei_snmp_varbind_has_indicator, { "snmp.varbind.has_indicator", PI_MALFORMED, PI_WARN, "VarBind has indicator set", EXPFILL }}, + { &ei_snmp_objectname_not_oid, { "snmp.objectname_not_oid", PI_MALFORMED, PI_WARN, "ObjectName not an OID", EXPFILL }}, + { &ei_snmp_objectname_has_indicator, { "snmp.objectname_has_indicator", PI_MALFORMED, PI_WARN, "ObjectName has indicator set", EXPFILL }}, + { &ei_snmp_value_not_primitive_encoding, { "snmp.value_not_primitive_encoding", PI_MALFORMED, PI_WARN, "value not in primitive encoding", EXPFILL }}, + { &ei_snmp_invalid_oid, { "snmp.invalid_oid", PI_MALFORMED, PI_WARN, "invalid oid", EXPFILL }}, + { &ei_snmp_varbind_wrong_tag, { "snmp.varbind.wrong_tag", PI_MALFORMED, PI_WARN, "Wrong tag for SNMP VarBind error value", EXPFILL }}, + { &ei_snmp_varbind_response, { "snmp.varbind.response", PI_RESPONSE_CODE, PI_NOTE, "Response", EXPFILL }}, + { &ei_snmp_no_instance_subid, { "snmp.no_instance_subid", PI_MALFORMED, PI_WARN, "No instance sub-id in scalar value", EXPFILL }}, + { &ei_snmp_wrong_num_of_subids, { "snmp.wrong_num_of_subids", PI_MALFORMED, PI_WARN, "Wrong number of instance sub-ids in scalar value", EXPFILL }}, + { &ei_snmp_index_suboid_too_short, { "snmp.index_suboid_too_short", PI_MALFORMED, PI_WARN, "index sub-oid shorter than expected", EXPFILL }}, + { &ei_snmp_unimplemented_instance_index, { "snmp.unimplemented_instance_index", PI_UNDECODED, PI_WARN, "OID instaces not handled, if you want this implemented please contact the wireshark developers", EXPFILL }}, + { &ei_snmp_index_suboid_len0, { "snmp.ndex_suboid_len0", PI_MALFORMED, PI_WARN, "an index sub-oid OID cannot be 0 bytes long!", EXPFILL }}, + { &ei_snmp_index_suboid_too_long, { "snmp.index_suboid_too_long", PI_MALFORMED, PI_WARN, "index sub-oid should not be longer than remaining oid size", EXPFILL }}, + { &ei_snmp_index_string_too_long, { "snmp.index_string_too_long", PI_MALFORMED, PI_WARN, "index string should not be longer than remaining oid size", EXPFILL }}, + { &ei_snmp_column_parent_not_row, { "snmp.column_parent_not_row", PI_MALFORMED, PI_ERROR, "COLUMNS's parent is not a ROW", EXPFILL }}, + { &ei_snmp_uint_too_large, { "snmp.uint_too_large", PI_UNDECODED, PI_NOTE, "Unsigned integer value > 2^64 - 1", EXPFILL }}, + { &ei_snmp_int_too_large, { "snmp.int_too_large", PI_UNDECODED, PI_NOTE, "Signed integer value > 2^63 - 1 or <= -2^63", EXPFILL }}, + { &ei_snmp_integral_value0, { "snmp.integral_value0", PI_UNDECODED, PI_NOTE, "Integral value is zero-length", EXPFILL }}, + { &ei_snmp_missing_mib, { "snmp.missing_mib", PI_UNDECODED, PI_NOTE, "Unresolved value, Missing MIB", EXPFILL }}, + { &ei_snmp_varbind_wrong_length_value, { "snmp.varbind.wrong_length_value", PI_MALFORMED, PI_WARN, "Wrong length for SNMP VarBind/value", EXPFILL }}, + { &ei_snmp_varbind_wrong_class_tag, { "snmp.varbind.wrong_class_tag", PI_MALFORMED, PI_WARN, "Wrong class/tag for SNMP VarBind/value", EXPFILL }}, + { &ei_snmp_rfc1910_non_conformant, { "snmp.rfc1910_non_conformant", PI_PROTOCOL, PI_WARN, "Data not conforming to RFC1910", EXPFILL }}, + { &ei_snmp_rfc3411_non_conformant, { "snmp.rfc3411_non_conformant", PI_PROTOCOL, PI_WARN, "Data not conforming to RFC3411", EXPFILL }}, + { &ei_snmp_version_unknown, { "snmp.version.unknown", PI_PROTOCOL, PI_WARN, "Unknown version", EXPFILL }}, + { &ei_snmp_trap_pdu_obsolete, { "snmp.trap_pdu_obsolete", PI_PROTOCOL, PI_WARN, "Trap-PDU is obsolete in this SNMP version", EXPFILL }}, + + }; + + expert_module_t* expert_snmp; + module_t *snmp_module; + + static uat_field_t users_fields[] = { + UAT_FLD_BUFFER(snmp_users,engine_id,"Engine ID","Engine-id for this entry (empty = any)"), + UAT_FLD_LSTRING(snmp_users,userName,"Username","The username"), + UAT_FLD_VS(snmp_users,auth_model,"Authentication model",auth_types,"Algorithm to be used for authentication."), + UAT_FLD_LSTRING(snmp_users,authPassword,"Password","The password used for authenticating packets for this entry"), + UAT_FLD_VS(snmp_users,priv_proto,"Privacy protocol",priv_types,"Algorithm to be used for privacy."), + UAT_FLD_LSTRING(snmp_users,privPassword,"Privacy password","The password used for encrypting packets for this entry"), + UAT_END_FIELDS + }; + + uat_t *assocs_uat = uat_new("SNMP Users", + sizeof(snmp_ue_assoc_t), + "snmp_users", + TRUE, + &ueas, + &num_ueas, + UAT_AFFECTS_DISSECTION, /* affects dissection of packets, but not set of named fields */ + "ChSNMPUsersSection", + snmp_users_copy_cb, + snmp_users_update_cb, + snmp_users_free_cb, + renew_ue_cache, + NULL, + users_fields); + + static uat_field_t specific_traps_flds[] = { + UAT_FLD_CSTRING(specific_traps,enterprise,"Enterprise OID","Enterprise Object Identifier"), + UAT_FLD_DEC(specific_traps,trap,"Trap Id","The specific-trap value"), + UAT_FLD_CSTRING(specific_traps,desc,"Description","Trap type description"), + UAT_END_FIELDS + }; + + uat_t* specific_traps_uat = uat_new("SNMP Enterprise Specific Trap Types", + sizeof(snmp_st_assoc_t), + "snmp_specific_traps", + TRUE, + &specific_traps, + &num_specific_traps, + UAT_AFFECTS_DISSECTION, /* affects dissection of packets, but not set of named fields */ + "ChSNMPEnterpriseSpecificTrapTypes", + snmp_specific_trap_copy_cb, + NULL, + snmp_specific_trap_free_cb, + NULL, + NULL, + specific_traps_flds); + + /* Register protocol */ + proto_snmp = proto_register_protocol(PNAME, PSNAME, PFNAME); + snmp_handle = register_dissector("snmp", dissect_snmp, proto_snmp); + + /* Register fields and subtrees */ + proto_register_field_array(proto_snmp, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + expert_snmp = expert_register_protocol(proto_snmp); + expert_register_field_array(expert_snmp, ei, array_length(ei)); + + /* Register dissector */ + snmp_tcp_handle = register_dissector("snmp.tcp", dissect_snmp_tcp, proto_snmp); + + /* Register configuration preferences */ + snmp_module = prefs_register_protocol(proto_snmp, process_prefs); + prefs_register_bool_preference(snmp_module, "display_oid", + "Show SNMP OID in info column", + "Whether the SNMP OID should be shown in the info column", + &display_oid); + + prefs_register_obsolete_preference(snmp_module, "mib_modules"); + prefs_register_obsolete_preference(snmp_module, "users_file"); + + prefs_register_bool_preference(snmp_module, "desegment", + "Reassemble SNMP-over-TCP messages spanning multiple TCP segments", + "Whether the SNMP dissector should reassemble messages spanning multiple TCP segments." + " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.", + &snmp_desegment); + + prefs_register_bool_preference(snmp_module, "var_in_tree", + "Display dissected variables inside SNMP tree", + "ON - display dissected variables inside SNMP tree, OFF - display dissected variables in root tree after SNMP", + &snmp_var_in_tree); + + prefs_register_uat_preference(snmp_module, "users_table", + "Users Table", + "Table of engine-user associations used for authentication and decryption", + assocs_uat); + + prefs_register_uat_preference(snmp_module, "specific_traps_table", + "Enterprise Specific Trap Types", + "Table of enterprise specific-trap type descriptions", + specific_traps_uat); + +#ifdef HAVE_LIBSMI + prefs_register_static_text_preference(snmp_module, "info_mibs", + "MIB settings can be changed in the Name Resolution preferences", + "MIB settings can be changed in the Name Resolution preferences"); +#endif + + value_sub_dissectors_table = register_dissector_table("snmp.variable_oid","SNMP Variable OID", proto_snmp, FT_STRING, STRING_CASE_SENSITIVE); + + register_init_routine(init_ue_cache); + register_cleanup_routine(cleanup_ue_cache); + + register_ber_syntax_dissector("SNMP", proto_snmp, dissect_snmp_tcp); + + snmp_tap=register_tap("snmp"); + + register_srt_table(proto_snmp, NULL, 1, snmpstat_packet, snmpstat_init, NULL); +} + + +/*--- proto_reg_handoff_snmp ---------------------------------------*/ +void proto_reg_handoff_snmp(void) { + + dissector_add_uint_with_preference("udp.port", UDP_PORT_SNMP, snmp_handle); + dissector_add_uint("ethertype", ETHERTYPE_SNMP, snmp_handle); + dissector_add_uint("ipx.socket", IPX_SOCKET_SNMP_AGENT, snmp_handle); + dissector_add_uint("ipx.socket", IPX_SOCKET_SNMP_SINK, snmp_handle); + dissector_add_uint("hpext.dxsap", HPEXT_SNMP, snmp_handle); + + dissector_add_uint_with_preference("tcp.port", TCP_PORT_SNMP, snmp_tcp_handle); + /* Since "regular" SNMP port and "trap" SNMP port use the same handler, + the "trap" port doesn't really need a separate preference. Just register + normally */ + dissector_add_uint("tcp.port", TCP_PORT_SNMP_TRAP, snmp_tcp_handle); + dissector_add_uint("udp.port", UDP_PORT_SNMP_TRAP, snmp_handle); + dissector_add_uint("udp.port", UDP_PORT_SNMP_PATROL, snmp_handle); + + data_handle = find_dissector("data"); + + /* SNMPv2-MIB sysDescr "1.3.6.1.2.1.1.1.0" */ + dissector_add_string("snmp.variable_oid", "1.3.6.1.2.1.1.1.0", + create_dissector_handle(dissect_snmp_variable_string, proto_snmp)); + /* SNMPv2-MIB::sysName.0 (1.3.6.1.2.1.1.5.0) */ + dissector_add_string("snmp.variable_oid", "1.3.6.1.2.1.1.5.0", + create_dissector_handle(dissect_snmp_variable_string, proto_snmp)); + + /* + * Process preference settings. + * + * We can't do this in the register routine, as preferences aren't + * read until all dissector register routines have been called (so + * that all dissector preferences have been registered). + */ + process_prefs(); + +} + +void +proto_register_smux(void) +{ + static gint *ett[] = { + &ett_smux, + }; + + proto_smux = proto_register_protocol("SNMP Multiplex Protocol", + "SMUX", "smux"); + + proto_register_subtree_array(ett, array_length(ett)); + + smux_handle = register_dissector("smux", dissect_smux, proto_smux); +} + +void +proto_reg_handoff_smux(void) +{ + dissector_add_uint_with_preference("tcp.port", TCP_PORT_SMUX, smux_handle); +} + +/* + * Editor modelines - https://www.wireshark.org/tools/modelines.html + * + * Local variables: + * c-basic-offset: 8 + * tab-width: 8 + * indent-tabs-mode: t + * End: + * + * vi: set shiftwidth=8 tabstop=8 noexpandtab: + * :indentSize=8:tabSize=8:noTabs=false: + */ diff --git a/epan/dissectors/asn1/snmp/packet-snmp-template.h b/epan/dissectors/asn1/snmp/packet-snmp-template.h new file mode 100644 index 00000000..362114d5 --- /dev/null +++ b/epan/dissectors/asn1/snmp/packet-snmp-template.h @@ -0,0 +1,107 @@ +/* packet-snmp.h + * Routines for snmp packet dissection + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef PACKET_SNMP_H +#define PACKET_SNMP_H + +#define SNMP_REQ_GET 0 +#define SNMP_REQ_GETNEXT 1 +#define SNMP_REQ_SET 3 +#define SNMP_REQ_GETBULK 5 +#define SNMP_REQ_INFORM 6 + +#define SNMP_RES_GET 2 + +#define SNMP_TRAP 4 +#define SNMP_TRAPV2 7 +#define SNMP_REPORT 8 + +typedef struct _snmp_usm_key { + guint8* data; + guint len; +} snmp_usm_key_t; + +typedef struct _snmp_ue_assoc_t snmp_ue_assoc_t; +typedef struct _snmp_usm_params_t snmp_usm_params_t; + +typedef tvbuff_t* (*snmp_usm_decoder_t)(snmp_usm_params_t*, tvbuff_t* encryptedData, packet_info *pinfo, gchar const** error); + +typedef enum _snmp_usm_auth_model_t { + SNMP_USM_AUTH_MD5 = 0, + SNMP_USM_AUTH_SHA1, + SNMP_USM_AUTH_SHA2_224, + SNMP_USM_AUTH_SHA2_256, + SNMP_USM_AUTH_SHA2_384, + SNMP_USM_AUTH_SHA2_512 +} snmp_usm_auth_model_t; + +typedef struct _snmp_user_t { + snmp_usm_key_t userName; + + snmp_usm_auth_model_t authModel; + snmp_usm_key_t authPassword; + snmp_usm_key_t authKey; + + snmp_usm_decoder_t privProtocol; + snmp_usm_key_t privPassword; + snmp_usm_key_t privKey; +} snmp_user_t; + +typedef struct { + guint8* data; + guint len; +} snmp_engine_id_t; + +struct _snmp_ue_assoc_t { + snmp_user_t user; + snmp_engine_id_t engine; + guint auth_model; + guint priv_proto; + struct _snmp_ue_assoc_t* next; +}; + +struct _snmp_usm_params_t { + gboolean authenticated; + gboolean encrypted; + guint start_offset; + guint auth_offset; + + guint32 boots; + guint32 snmp_time; + tvbuff_t* engine_tvb; + tvbuff_t* user_tvb; + proto_item* auth_item; + tvbuff_t* auth_tvb; + tvbuff_t* priv_tvb; + tvbuff_t* msg_tvb; + snmp_ue_assoc_t* user_assoc; + + gboolean authOK; +}; + +typedef struct snmp_request_response { + guint32 request_frame_id; + guint32 response_frame_id; + nstime_t request_time; + guint requestId; + guint request_procedure_id; +} snmp_request_response_t; + +/* + * Guts of the SNMP dissector - exported for use by protocols such as + * ILMI. + */ +extern guint dissect_snmp_pdu(tvbuff_t *, int, packet_info *, proto_tree *tree, + int, gint, gboolean); +extern int dissect_snmp_engineid(proto_tree *, packet_info *, tvbuff_t *, int, int); + +/*#include "packet-snmp-exp.h"*/ + +#endif /* PACKET_SNMP_H */ diff --git a/epan/dissectors/asn1/snmp/snmp.asn b/epan/dissectors/asn1/snmp/snmp.asn new file mode 100644 index 00000000..9b214472 --- /dev/null +++ b/epan/dissectors/asn1/snmp/snmp.asn @@ -0,0 +1,338 @@ +RFC1157-SNMP DEFINITIONS ::= BEGIN + +-- IMPORTS +-- ObjectName, ObjectSyntax, NetworkAddress, IpAddress, TimeTicks +-- FROM RFC1155-SMI; +-- +-- Local imports +-- IMPORTS +-- ObjectName, ObjectSyntax, NetworkAddress, IpAddress, TimeTicks +-- FROM RFC1155-SMI; +-- +-- names of objects +-- (Note that these definitions of ObjectName and NotificationName +-- are not to be IMPORTed by MIB modules.) +-- + +--ObjectSyntax ::= CHOICE { +-- simple SimpleSyntax, +-- application-wide ApplicationSyntax +--} + +--SimpleSyntax ::= CHOICE { +-- integer-value Integer-value, +-- string-value String-value, +-- objectID-value ObjectID-value, +-- empty Empty +--} + +--String-value ::= OCTET STRING (SIZE (0..65535)) + + -- includes Integer32 +--Integer-value ::= INTEGER (-2147483648..2147483647) + +--Integer32 ::= INTEGER (-2147483648..2147483647) + +--ObjectID-value ::= OBJECT IDENTIFIER + +--Empty ::= NULL + + -- hundredths of seconds since an event, usualy the last restart +--TimeTicks ::= [APPLICATION 3] IMPLICIT INTEGER (0..4294967295) + +--Opaque ::= [APPLICATION 4] IMPLICIT OCTET STRING + +--Counter64 ::= [APPLICATION 6] IMPLICIT INTEGER (0..18446744073709551615) + +--ApplicationSyntax ::= CHOICE { +-- ipAddress-value IpAddress, +-- counter-value Counter32, +-- timeticks-value TimeTicks, +-- arbitrary-value Opaque, +-- big-counter-value Counter64, +-- unsigned-integer-value Unsigned32 + -- includes Gauge32 +--} +--NetworkAddress ::= CHOICE { internet IpAddress } +--IpAddress ::= [APPLICATION 0] IMPLICIT OCTET STRING (SIZE (4)) + +NotificationName ::= OBJECT IDENTIFIER +EnterpriseOID ::= OBJECT IDENTIFIER +NetworkAddress ::= [APPLICATION 0] IMPLICIT OCTET STRING (SIZE (4)) +TimeTicks ::= [APPLICATION 3] IMPLICIT INTEGER (0..4294967295) +Integer32 ::= INTEGER (-2147483648..2147483647) +ObjectName ::= OBJECT IDENTIFIER +--Counter32 ::= [APPLICATION 1] IMPLICIT INTEGER (0..4294967295) +--Gauge32 ::= [APPLICATION 2] IMPLICIT INTEGER (0..4294967295) +--Unsigned32 ::= [APPLICATION 2] IMPLICIT INTEGER (0..4294967295) + +-- End Import + +Message ::= SEQUENCE { + version Version, + community OCTET STRING, + data PDUs +} + +Version ::= INTEGER { version-1(0), v2c(1), v2u (2), snmpv3(3) } + + +Messagev2u ::= + SEQUENCE { + version Version, + parameters OCTET STRING, + -- <model=1> + -- <qoS><agentID><agentBoots><agentTime><maxSize> + -- <userLen><userName><authLen><authDigest> + -- <contextSelector> + + datav2u CHOICE { + plaintext PDUs, + encrypted OCTET STRING + } +} + +-- USMSecurityParametersSyntax DEFINITIONS IMPLICIT TAGS ::= BEGIN + +UsmSecurityParameters ::= SEQUENCE { + -- global User-based security parameters + msgAuthoritativeEngineID SnmpEngineID, + msgAuthoritativeEngineBoots INTEGER (0..2147483647), + msgAuthoritativeEngineTime INTEGER (0..2147483647), + msgUserName OCTET STRING (SIZE(1..32)), + -- authentication protocol specific parameters + msgAuthenticationParameters OCTET STRING, + -- privacy protocol specific parameters + msgPrivacyParameters OCTET STRING +} + -- END USMSecurityParametersSyntax + +SnmpEngineID ::= OCTET STRING + +-- SNMPv3MessageSyntax DEFINITIONS IMPLICIT TAGS ::= BEGIN + +SNMPv3Message ::= SEQUENCE { + -- identify the layout of the SNMPv3Message + -- this element is in same position as in SNMPv1 + -- and SNMPv2c, allowing recognition + -- the value 3 is used for snmpv3 + msgVersion Version, + -- INTEGER ( 0 .. 2147483647 ), + -- administrative parameters + msgGlobalData HeaderData, + -- security model-specific parameters + -- format defined by Security Model + msgSecurityParameters OCTET STRING, + msgData ScopedPduData +} + +HeaderData ::= SEQUENCE { + msgID INTEGER (0..2147483647), + msgMaxSize INTEGER (484..2147483647), + + msgFlags OCTET STRING (SIZE(1)), + -- .... ...1 authFlag + -- .... ..1. privFlag + -- .... .1.. reportableFlag + -- Please observe: + -- .... ..00 is OK, means noAuthNoPriv + -- .... ..01 is OK, means authNoPriv + -- .... ..10 reserved, must NOT be used. + -- .... ..11 is OK, means authPriv + + msgSecurityModel INTEGER (1..2147483647) +} + + +ScopedPduData ::= CHOICE { + plaintext ScopedPDU, + encryptedPDU OCTET STRING -- encrypted scopedPDU value +} + +ScopedPDU ::= SEQUENCE { + contextEngineID SnmpEngineID, + contextName OCTET STRING, + data PDUs + -- ANY + -- e.g., PDUs as defined in RFC 1905 +} + +-- END SNMPv3MessageSyntax + -- protocol data units + +PDUs ::= CHOICE { + get-request GetRequest-PDU, + get-next-request GetNextRequest-PDU, + get-response GetResponse-PDU, + set-request SetRequest-PDU, + trap Trap-PDU, + getBulkRequest GetBulkRequest-PDU, + informRequest InformRequest-PDU, + snmpV2-trap SNMPv2-Trap-PDU, + report Report-PDU +} + +-- PDUs + +GetRequest-PDU ::= [0] IMPLICIT PDU +GetNextRequest-PDU ::= [1] IMPLICIT PDU +GetResponse-PDU ::= [2] IMPLICIT PDU + +SetRequest-PDU ::= [3] IMPLICIT PDU + +-- v2 added +-- [4] is obsolete +GetBulkRequest-PDU ::= [5] IMPLICIT BulkPDU +InformRequest-PDU ::= [6] IMPLICIT PDU +SNMPv2-Trap-PDU ::= [7] IMPLICIT PDU + + -- Usage and precise semantics of Report-PDU are not presently + -- defined. Any SNMP administrative framework making use of + -- this PDU must define its usage and semantics. +Report-PDU ::= [8] IMPLICIT PDU + + +PDU ::= SEQUENCE { + request-id INTEGER, + error-status INTEGER { + noError(0), + tooBig(1), + noSuchName(2), -- for proxy compatibility + badValue(3), -- for proxy compatibility + readOnly(4), -- for proxy compatibility + genErr(5), + noAccess(6), + wrongType(7), + wrongLength(8), + wrongEncoding(9), + wrongValue(10), + noCreation(11), + inconsistentValue(12), + resourceUnavailable(13), + commitFailed(14), + undoFailed(15), + authorizationError(16), + notWritable(17), + inconsistentName(18) + }, + error-index INTEGER, + variable-bindings VarBindList +} + +-- v2 +BulkPDU ::= SEQUENCE { -- MUST be identical in structure to PDU + request-id Integer32, + non-repeaters INTEGER (0..2147483647), + max-repetitions INTEGER (0..2147483647), + variable-bindings VarBindList +} + +-- end v2 +Trap-PDU ::= [4] IMPLICIT SEQUENCE { + enterprise EnterpriseOID, -- type of object generating trap, see sysObjectID in [5] + agent-addr NetworkAddress, -- address of object generating trap + generic-trap INTEGER { -- generic trap type + coldStart(0), + warmStart(1), + linkDown(2), + linkUp(3), + authenticationFailure(4), + egpNeighborLoss(5), + enterpriseSpecific(6) + }, + specific-trap INTEGER, -- specific code, present even if generic-trap is not enterpriseSpecific + time-stamp TimeTicks, -- time elapsed between the last (re)initialization of the network entity and the generation of the trap + variable-bindings VarBindList -- "interesting" information +} + + +-- variable bindings + +VarBind ::= SEQUENCE { name ObjectName, valueType ValueType } +-- SEQUENCE { +-- name ObjectName, +-- valueType ValueType +-- } + +--ValueType ::= CHOICE { +-- value ObjectSyntax, +-- unSpecified NULL, + -- in retrieval requests + -- exceptions in responses +-- noSuchObject[0] IMPLICIT NULL, +-- noSuchInstance[1] IMPLICIT NULL, +-- endOfMibView[2] IMPLICIT NULL +--} + +VarBindList ::= SEQUENCE OF VarBind + +-- SMUX DEFINITIONS ::= BEGIN RFC 1227 + +SMUX-PDUs ::= CHOICE { + open OpenPDU,-- SMUX peer uses immediately after TCP open + close ClosePDU, -- either uses immediately before TCP close + registerRequest RReqPDU, -- SMUX peer uses + +-- registerResponse .. SNMP agent uses +-- RRspPDU, +-- +-- PDUs, +-- Rewritten + registerResponse RegisterResponse, + -- note that roles are reversed: + -- SNMP agent does get/get-next/set + -- SMUX peer does get-response/trap + + commitOrRollback -- SNMP agent uses + SOutPDU +} + +RegisterResponse ::= CHOICE { + rRspPDU RRspPDU, + pDUs PDUs +} + + -- open PDU + -- currently only simple authentication + +OpenPDU ::= CHOICE { + smux-simple SimpleOpen +} + +SimpleOpen ::= [APPLICATION 0] IMPLICIT SEQUENCE { + smux-version INTEGER { version-1(0) }, -- of SMUX protocol + identity OBJECT IDENTIFIER, -- of SMUX peer, authoritative + description DisplayString, -- of SMUX peer, implementation-specific + password OCTET STRING -- zero length indicates no authentication +} + +DisplayString ::= OCTET STRING + +ClosePDU ::= [APPLICATION 1] IMPLICIT INTEGER { + goingDown(0), + unsupportedVersion(1), + packetFormat(2), + protocolError(3), + internalError(4), + authenticationFailure(5) +} + + + -- insert PDU +RReqPDU ::= [APPLICATION 2] IMPLICIT SEQUENCE { + subtree ObjectName, + priority INTEGER (-1..2147483647), -- the lower the better, "-1" means default + + operation INTEGER { + delete(0), -- remove registration + readOnly(1), -- add registration, objects are RO + readWrite(2) -- .., objects are RW + } +} + +RRspPDU ::= [APPLICATION 3] IMPLICIT INTEGER { failure(-1) } -- on success the non-negative priority is returned +SOutPDU ::= [APPLICATION 4] IMPLICIT INTEGER { commit(0), rollback(1) } + +END + + diff --git a/epan/dissectors/asn1/snmp/snmp.cnf b/epan/dissectors/asn1/snmp/snmp.cnf new file mode 100644 index 00000000..9c9547aa --- /dev/null +++ b/epan/dissectors/asn1/snmp/snmp.cnf @@ -0,0 +1,266 @@ +# snmp.cnf +# snmp conformation file + + +#.PDU +SMUX-PDUs + +#.NO_EMIT +NotificationName +VarBind + +#.TYPE_RENAME +Message/community Community +Trap-PDU/_untag/generic-trap GenericTrap +Trap-PDU/_untag/specific-trap SpecificTrap + +#.FIELD_RENAME +Messagev2u/datav2u/plaintext v2u_plaintext +BulkPDU/request-id bulkPDU_request-id + +#.FN_HDR SMUX-PDUs + + snmp_conv_info_t *snmp_info = snmp_find_conversation_and_get_conv_data(actx->pinfo); + + actx->private_data = snmp_info; + +#.FN_PARS Version VAL_PTR = &snmp_version + +#.FN_PARS PDUs + + VAL_PTR = &pdu_type + +#.FN_BODY PDUs + gint pdu_type=-1; + + snmp_request_response_t *srrp; + snmp_conv_info_t *snmp_info = (snmp_conv_info_t *)actx->private_data; + + col_clear(actx->pinfo->cinfo, COL_INFO); + +%(DEFAULT_BODY)s + if( (pdu_type!=-1) && snmp_PDUs_vals[pdu_type].strptr ){ + col_prepend_fstr(actx->pinfo->cinfo, COL_INFO, "%%s", snmp_PDUs_vals[pdu_type].strptr); + + /* pdu_type is the index, not the tag so convert it to the tag value */ + pdu_type = snmp_PDUs_vals[pdu_type].value; + + srrp=snmp_match_request_response(tvb, actx->pinfo, tree, RequestID, pdu_type, snmp_info); + if (srrp) { + tap_queue_packet(snmp_tap, actx->pinfo, srrp); + } + } + + +#.END + +#.FN_BODY PDU/request-id VAL_PTR = &RequestID + +%(DEFAULT_BODY)s + +#.FN_BODY Integer32 VAL_PTR = &RequestID + +%(DEFAULT_BODY)s + +#.FN_BODY Trap-PDU/_untag + generic_trap = 0; + enterprise_oid = NULL; + +%(DEFAULT_BODY)s + + if (snmp_version != 0) { + expert_add_info(actx->pinfo, tree, &ei_snmp_trap_pdu_obsolete); + } + +#.FN_PARS Trap-PDU/_untag/generic-trap VAL_PTR = &generic_trap + +#.FN_BODY Trap-PDU/_untag/specific-trap VAL_PTR = &specific_trap + guint specific_trap; + +%(DEFAULT_BODY)s + + if (generic_trap == 6) { /* enterprise specific */ + const gchar *specific_str = snmp_lookup_specific_trap (specific_trap); + if (specific_str) { + proto_item_append_text(actx->created_item, " (%%s)", specific_str); + } + } +#.END + + +#.FN_PARS EnterpriseOID FN_VARIANT = _str VAL_PTR = &enterprise_oid + +#.FN_BODY EnterpriseOID + const gchar* name; + +%(DEFAULT_BODY)s + + if (display_oid && enterprise_oid) { + name = oid_resolved_from_string(actx->pinfo->pool, enterprise_oid); + if (name) { + col_append_fstr (actx->pinfo->cinfo, COL_INFO, " %%s", name); + } + } + +#.END + +#.FN_PARS HeaderData/msgSecurityModel + + VAL_PTR = &MsgSecurityModel + +#.FN_PARS UsmSecurityParameters/msgAuthoritativeEngineBoots + + VAL_PTR = &usm_p.boots + +#.FN_PARS UsmSecurityParameters/msgAuthoritativeEngineTime + + VAL_PTR = &usm_p.snmp_time + +#.FN_BODY UsmSecurityParameters/msgAuthoritativeEngineID + + offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, &usm_p.engine_tvb); + if (usm_p.engine_tvb) { + proto_tree* engine_tree = proto_item_add_subtree(%(ACTX)s->created_item,ett_engineid); + dissect_snmp_engineid(engine_tree, actx->pinfo, usm_p.engine_tvb, 0, tvb_reported_length_remaining(usm_p.engine_tvb,0)); + } + +#.FN_BODY SnmpEngineID + tvbuff_t* param_tvb = NULL; + + offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, ¶m_tvb); + if (param_tvb) { + proto_tree* engine_tree = proto_item_add_subtree(%(ACTX)s->created_item,ett_engineid); + dissect_snmp_engineid(engine_tree, actx->pinfo, param_tvb, 0, tvb_reported_length_remaining(param_tvb,0)); + } + +#.FN_PARS UsmSecurityParameters/msgUserName + VAL_PTR = &usm_p.user_tvb + +#.FN_BODY UsmSecurityParameters/msgAuthenticationParameters + offset = dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &usm_p.auth_tvb); + if (usm_p.auth_tvb) { + usm_p.auth_item = %(ACTX)s->created_item; + usm_p.auth_offset = tvb_offset_from_real_beginning(usm_p.auth_tvb); + } +#.FN_PARS UsmSecurityParameters/msgPrivacyParameters + VAL_PTR = &usm_p.priv_tvb + +#.FN_BODY ScopedPduData/encryptedPDU + tvbuff_t* crypt_tvb; + offset = dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_snmp_encryptedPDU, &crypt_tvb); + + if( usm_p.encrypted && crypt_tvb + && usm_p.user_assoc + && usm_p.user_assoc->user.privProtocol ) { + + const gchar* error = NULL; + proto_tree* encryptedpdu_tree = proto_item_add_subtree(%(ACTX)s->created_item,ett_encryptedPDU); + tvbuff_t* cleartext_tvb = usm_p.user_assoc->user.privProtocol(&usm_p, crypt_tvb, actx->pinfo, &error ); + + if (! cleartext_tvb) { + proto_tree_add_expert_format(encryptedpdu_tree, actx->pinfo, &ei_snmp_failed_decrypted_data_pdu, + crypt_tvb, 0, -1, "Failed to decrypt encryptedPDU: %%s", error); + + col_set_str(actx->pinfo->cinfo, COL_INFO, "encryptedPDU: Failed to decrypt"); + + return offset; + } else { + proto_item* decrypted_item; + proto_tree* decrypted_tree; + + if (! check_ScopedPdu(cleartext_tvb)) { + proto_tree_add_expert(encryptedpdu_tree, actx->pinfo, &ei_snmp_decrypted_data_bad_formatted, cleartext_tvb, 0, -1); + + col_set_str(actx->pinfo->cinfo, COL_INFO, "encryptedPDU: Decrypted data not formatted as expected"); + + return offset; + } + + + add_new_data_source(actx->pinfo, cleartext_tvb, "Decrypted ScopedPDU"); + + decrypted_item = proto_tree_add_item(encryptedpdu_tree, hf_snmp_decryptedPDU,cleartext_tvb,0,-1,ENC_NA); + decrypted_tree = proto_item_add_subtree(decrypted_item,ett_decrypted); + dissect_snmp_ScopedPDU(FALSE, cleartext_tvb, 0, actx, decrypted_tree, -1); + } + } else { + col_set_str(actx->pinfo->cinfo, COL_INFO, "encryptedPDU: privKey Unknown"); + } + +#.FN_BODY SNMPv3Message/msgSecurityParameters + + switch(MsgSecurityModel){ + case SNMP_SEC_USM: /* 3 */ + offset = get_ber_identifier(tvb, offset, NULL, NULL, NULL); + offset = get_ber_length(tvb, offset, NULL, NULL); + offset = dissect_snmp_UsmSecurityParameters(FALSE, tvb, offset, actx, tree, -1); + usm_p.user_assoc = get_user_assoc(usm_p.engine_tvb, usm_p.user_tvb, actx->pinfo); + break; + case SNMP_SEC_ANY: /* 0 */ + case SNMP_SEC_V1: /* 1 */ + case SNMP_SEC_V2C: /* 2 */ + default: + %(DEFAULT_BODY)s + break; + } + +#.FN_FTR SNMPv3Message + + if( usm_p.authenticated + && usm_p.user_assoc ) { + const gchar* error = NULL; + proto_item* authen_item; + proto_tree* authen_tree = proto_item_add_subtree(usm_p.auth_item,ett_authParameters); + guint8* calc_auth = NULL; + guint calc_auth_len = 0; + + usm_p.authOK = snmp_usm_auth(actx->pinfo, usm_p.user_assoc->user.authModel, &usm_p, &calc_auth, &calc_auth_len, &error ); + + if (error) { + expert_add_info_format( actx->pinfo, usm_p.auth_item, &ei_snmp_verify_authentication_error, "Error while verifying Message authenticity: %s", error ); + } else { + expert_field* expert; + + authen_item = proto_tree_add_boolean(authen_tree, hf_snmp_msgAuthentication, tvb, 0, 0, usm_p.authOK); + proto_item_set_generated(authen_item); + + if (usm_p.authOK) { + expert = &ei_snmp_authentication_ok; + } else { + const gchar* calc_auth_str = bytes_to_str_punct(actx->pinfo->pool, calc_auth,calc_auth_len,' '); + proto_item_append_text(authen_item, " calculated = %s", calc_auth_str); + expert = &ei_snmp_authentication_error; + } + + expert_add_info( actx->pinfo, authen_item, expert); + } + } + +#.END + + + +#.FN_BODY HeaderData/msgFlags VAL_PTR = ¶meter_tvb + tvbuff_t *parameter_tvb = NULL; + + %(DEFAULT_BODY)s + if (parameter_tvb){ + guint8 v3_flags = tvb_get_guint8(parameter_tvb, 0); + proto_tree* flags_tree = proto_item_add_subtree(%(ACTX)s->created_item,ett_msgFlags); + + proto_tree_add_item(flags_tree, hf_snmp_v3_flags_report, parameter_tvb, 0, 1, ENC_BIG_ENDIAN); + proto_tree_add_item(flags_tree, hf_snmp_v3_flags_crypt, parameter_tvb, 0, 1, ENC_BIG_ENDIAN); + proto_tree_add_item(flags_tree, hf_snmp_v3_flags_auth, parameter_tvb, 0, 1, ENC_BIG_ENDIAN); + + usm_p.encrypted = v3_flags & TH_CRYPT ? TRUE : FALSE; + usm_p.authenticated = v3_flags & TH_AUTH ? TRUE : FALSE; + } + + +#.TYPE_ATTR +NetworkAddress TYPE = FT_IPv4 DISPLAY = BASE_NONE STRINGS = NULL +Message/community TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL +HeaderData/msgSecurityModel TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(sec_models) +UsmSecurityParameters/msgUserName TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL +ScopedPDU/contextName TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL +#.END |