diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
commit | e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc (patch) | |
tree | 68cb5ef9081156392f1dd62a00c6ccc1451b93df /epan/dissectors/packet-pop.c | |
parent | Initial commit. (diff) | |
download | wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.tar.xz wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.zip |
Adding upstream version 4.2.2.upstream/4.2.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'epan/dissectors/packet-pop.c')
-rw-r--r-- | epan/dissectors/packet-pop.c | 526 |
1 files changed, 526 insertions, 0 deletions
diff --git a/epan/dissectors/packet-pop.c b/epan/dissectors/packet-pop.c new file mode 100644 index 00000000..f7af76c1 --- /dev/null +++ b/epan/dissectors/packet-pop.c @@ -0,0 +1,526 @@ +/* packet-pop.c + * Routines for pop packet dissection + * RFC 1939 + * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com> + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * Copied from packet-tftp.c + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "config.h" + +#include <stdlib.h> + +#include <epan/packet.h> +#include <epan/strutil.h> +#include <epan/conversation.h> +#include <epan/prefs.h> +#include <epan/reassemble.h> +#include <epan/proto_data.h> +#include <epan/expert.h> + +#include <wsutil/str_util.h> +#include <wsutil/strtoi.h> + +#include <ui/tap-credentials.h> +#include <tap.h> + +#include "packet-tls.h" +#include "packet-tls-utils.h" + +void proto_register_pop(void); +void proto_reg_handoff_pop(void); + +static int proto_pop = -1; + +static int credentials_tap = -1; + +static int hf_pop_response = -1; +static int hf_pop_response_indicator = -1; +static int hf_pop_response_description = -1; +static int hf_pop_response_data = -1; + +static int hf_pop_request = -1; +static int hf_pop_request_command = -1; +static int hf_pop_request_parameter = -1; +static int hf_pop_request_data = -1; + +static int hf_pop_data_fragments = -1; +static int hf_pop_data_fragment = -1; +static int hf_pop_data_fragment_overlap = -1; +static int hf_pop_data_fragment_overlap_conflicts = -1; +static int hf_pop_data_fragment_multiple_tails = -1; +static int hf_pop_data_fragment_too_long_fragment = -1; +static int hf_pop_data_fragment_error = -1; +static int hf_pop_data_fragment_count = -1; +static int hf_pop_data_reassembled_in = -1; +static int hf_pop_data_reassembled_length = -1; + +static expert_field ei_pop_resp_tot_len_invalid = EI_INIT; + +static gint ett_pop = -1; +static gint ett_pop_reqresp = -1; + +static gint ett_pop_data_fragment = -1; +static gint ett_pop_data_fragments = -1; + +static dissector_handle_t pop_handle; +static dissector_handle_t imf_handle; +static dissector_handle_t tls_handle; + +#define TCP_PORT_POP 110 +#define TCP_PORT_SSL_POP 995 + +/* desegmentation of POP command and response lines */ +static gboolean pop_data_desegment = TRUE; + +static reassembly_table pop_data_reassembly_table; + +static const fragment_items pop_data_frag_items = { + /* Fragment subtrees */ + &ett_pop_data_fragment, + &ett_pop_data_fragments, + /* Fragment fields */ + &hf_pop_data_fragments, + &hf_pop_data_fragment, + &hf_pop_data_fragment_overlap, + &hf_pop_data_fragment_overlap_conflicts, + &hf_pop_data_fragment_multiple_tails, + &hf_pop_data_fragment_too_long_fragment, + &hf_pop_data_fragment_error, + &hf_pop_data_fragment_count, + /* Reassembled in field */ + &hf_pop_data_reassembled_in, + /* Reassembled length field */ + &hf_pop_data_reassembled_length, + /* Reassembled data field */ + NULL, + /* Tag */ + "DATA fragments" +}; + +struct pop_proto_data { + guint16 conversation_id; + gboolean more_frags; +}; + +struct pop_data_val { + gboolean msg_request; + guint32 msg_read_len; /* Length of RETR message read so far */ + guint32 msg_tot_len; /* Total length of RETR message */ + gboolean stls_request; /* Received STLS request */ + gchar* username; + guint username_num; +}; + +typedef enum { + pop_arg_type_unknown, + pop_arg_type_username, + pop_arg_type_password +} pop_arg_type_t; + +static gboolean response_is_continuation(const guchar *data); + +static int +dissect_pop(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) +{ + struct pop_proto_data *frame_data_p; + gboolean is_request; + gboolean is_continuation; + proto_tree *pop_tree, *reqresp_tree; + proto_item *ti; + gint offset = 0; + guchar *line; + gint next_offset; + int linelen; + int tokenlen; + const guchar *next_token; + fragment_head *frag_msg = NULL; + tvbuff_t *next_tvb = NULL; + conversation_t *conversation = NULL; + struct pop_data_val *data_val = NULL; + gint length_remaining; + pop_arg_type_t pop_arg_type = pop_arg_type_unknown; + + col_set_str(pinfo->cinfo, COL_PROTOCOL, "POP"); + + frame_data_p = (struct pop_proto_data *)p_get_proto_data(wmem_file_scope(), pinfo, proto_pop, 0); + + conversation = find_or_create_conversation(pinfo); + data_val = (struct pop_data_val *)conversation_get_proto_data(conversation, proto_pop); + if (!data_val) { + + /* + * No conversation - create one and attach it. + */ + data_val = wmem_new0(wmem_file_scope(), struct pop_data_val); + + conversation_add_proto_data(conversation, proto_pop, data_val); + } + + /* + * Find the end of the first line. + */ + linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); + line = (guchar*)wmem_alloc(pinfo->pool, linelen+1); + tvb_memcpy(tvb, line, offset, linelen); + line[linelen] = '\0'; + + if (pinfo->match_uint == pinfo->destport) { + is_request = TRUE; + is_continuation = FALSE; + } else { + is_request = FALSE; + is_continuation = response_is_continuation(line); + } + + /* + * Put the first line from the buffer into the summary + * if it's a POP request or reply (but leave out the + * line terminator). + * Otherwise, just call it a continuation. + */ + if (is_continuation) { + length_remaining = tvb_reported_length_remaining(tvb, offset); + col_add_fstr(pinfo->cinfo, COL_INFO, "S: DATA fragment, %d byte%s", + length_remaining, plurality (length_remaining, "", "s")); + } + else + col_add_fstr(pinfo->cinfo, COL_INFO, "%s: %s", is_request ? "C" : "S", + format_text(pinfo->pool, line, linelen)); + + ti = proto_tree_add_item(tree, proto_pop, tvb, offset, -1, ENC_NA); + pop_tree = proto_item_add_subtree(ti, ett_pop); + + if (is_continuation) { + + if (pop_data_desegment) { + + if (!frame_data_p) { + + data_val->msg_read_len += tvb_reported_length(tvb); + + frame_data_p = wmem_new(wmem_file_scope(), struct pop_proto_data); + + frame_data_p->conversation_id = conversation->conv_index; + frame_data_p->more_frags = data_val->msg_read_len < data_val->msg_tot_len; + + p_add_proto_data(wmem_file_scope(), pinfo, proto_pop, 0, frame_data_p); + } + + frag_msg = fragment_add_seq_next(&pop_data_reassembly_table, tvb, 0, + pinfo, + frame_data_p->conversation_id, + NULL, + tvb_reported_length(tvb), + frame_data_p->more_frags); + + next_tvb = process_reassembled_data(tvb, offset, pinfo, + "Reassembled DATA", + frag_msg, &pop_data_frag_items, + NULL, pop_tree); + + if (next_tvb) { + + if (imf_handle) + call_dissector(imf_handle, next_tvb, pinfo, tree); + + if (data_val) { + /* we have read everything - reset */ + + data_val->msg_read_len = 0; + data_val->msg_tot_len = 0; + } + pinfo->fragmented = FALSE; + } else { + pinfo->fragmented = TRUE; + } + + } else { + + /* + * Put the whole packet into the tree as data. + */ + call_data_dissector(tvb, pinfo, pop_tree); + + } + return tvb_captured_length(tvb); + } + + /* + * Put the line into the protocol tree. + */ + ti = proto_tree_add_string_format(pop_tree, + (is_request) ? + hf_pop_request : + hf_pop_response, + tvb, offset, + next_offset - offset, + "", "%s", + tvb_format_text(pinfo->pool, tvb, offset, next_offset - offset)); + reqresp_tree = proto_item_add_subtree(ti, ett_pop_reqresp); + + /* + * Extract the first token, and, if there is a first + * token, add it as the request or reply code. + */ + tokenlen = get_token_len(line, line + linelen, &next_token); + if (tokenlen != 0) { + proto_tree_add_item(reqresp_tree, + (is_request) ? + hf_pop_request_command : + hf_pop_response_indicator, + tvb, offset, tokenlen, ENC_ASCII|ENC_NA); + + if (data_val) { + if (is_request) { + /* see if this is RETR or TOP command */ + if (g_ascii_strncasecmp(line, "RETR", 4) == 0 || + g_ascii_strncasecmp(line, "TOP", 3) == 0) + /* the next response will tell us how many bytes */ + data_val->msg_request = TRUE; + + if (g_ascii_strncasecmp(line, "STLS", 4) == 0) { + data_val->stls_request = TRUE; + } + + if (g_ascii_strncasecmp(line, "USER", 4) == 0) { + pop_arg_type = pop_arg_type_username; + } + + if (g_ascii_strncasecmp(line, "PASS", 4) == 0) { + pop_arg_type = pop_arg_type_password; + } + } else { + if (data_val->msg_request) { + /* this is a response to a RETR or TOP command */ + + if (g_ascii_strncasecmp(line, "+OK ", 4) == 0 && linelen > 4) { + /* the message will be sent - work out how many bytes */ + data_val->msg_read_len = 0; + data_val->msg_tot_len = 0; + if (sscanf(line, "%*s %u %*s", &data_val->msg_tot_len) != 1) + expert_add_info(pinfo, ti, &ei_pop_resp_tot_len_invalid); + } + data_val->msg_request = FALSE; + } + + if (data_val->stls_request) { + if (g_ascii_strncasecmp(line, "+OK ", 4) == 0) { + /* This is the last non-TLS frame. */ + ssl_starttls_ack(tls_handle, pinfo, pop_handle); + } + data_val->stls_request = FALSE; + } + } + } + + offset += (gint) (next_token - line); + linelen -= (int) (next_token - line); + } + + + /* + * Add the rest of the first line as request or + * reply param/description. + */ + if (linelen != 0) { + tap_credential_t* auth; + proto_tree_add_item(reqresp_tree, + (is_request) ? + hf_pop_request_parameter : + hf_pop_response_description, + tvb, offset, linelen, ENC_ASCII|ENC_NA); + switch (pop_arg_type) { + case pop_arg_type_username: + if (!data_val->username && linelen > 0) { + data_val->username = tvb_get_string_enc(wmem_file_scope(), tvb, offset, linelen, ENC_NA|ENC_ASCII);; + data_val->username_num = pinfo->num; + } + break; + case pop_arg_type_password: + auth = wmem_new0(pinfo->pool, tap_credential_t); + auth->num = pinfo->num; + auth->username_num = data_val->username_num; + auth->password_hf_id = hf_pop_request_parameter; + auth->username = data_val->username; + auth->proto = "POP3"; + auth->info = wmem_strdup_printf(pinfo->pool, "Username in packet %u", data_val->username_num); + tap_queue_packet(credentials_tap, pinfo, auth); + break; + default: + break; + } + } + offset = next_offset; + + /* + * Show the rest of the request or response as text, + * a line at a time. + */ + while (tvb_offset_exists(tvb, offset)) { + /* + * Find the end of the line. + */ + tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); + + /* + * Put this line. + */ + proto_tree_add_string_format(pop_tree, + (is_request) ? + hf_pop_request_data : + hf_pop_response_data, + tvb, offset, + next_offset - offset, + "", "%s", + tvb_format_text(pinfo->pool, tvb, offset, next_offset - offset)); + offset = next_offset; + } + return tvb_captured_length(tvb); +} + +static gboolean response_is_continuation(const guchar *data) +{ + if (strncmp(data, "+OK", strlen("+OK")) == 0) + return FALSE; + + if (strncmp(data, "-ERR", strlen("-ERR")) == 0) + return FALSE; + + return TRUE; +} + +void +proto_register_pop(void) +{ + expert_module_t* expert_pop; + + static hf_register_info hf[] = { + { &hf_pop_response, + { "Response", "pop.response", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, + { &hf_pop_response_indicator, + { "Response indicator", "pop.response.indicator", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, + { &hf_pop_response_description, + { "Response description", "pop.response.description", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, + { &hf_pop_response_data, + { "Data", "pop.response.data", + FT_STRING, BASE_NONE, NULL, 0x0, "Response Data", HFILL }}, + { &hf_pop_request, + { "Request", "pop.request", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, + { &hf_pop_request_command, + { "Request command", "pop.request.command", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, + { &hf_pop_request_parameter, + { "Request parameter", "pop.request.parameter", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, + { &hf_pop_request_data, + { "Data", "pop.request.data", + FT_STRING, BASE_NONE, NULL, 0x0, "Request data", HFILL }}, + /* Fragment entries */ + { &hf_pop_data_fragments, + { "DATA fragments", "pop.data.fragments", FT_NONE, BASE_NONE, + NULL, 0x00, "Message fragments", HFILL } }, + { &hf_pop_data_fragment, + { "DATA fragment", "pop.data.fragment", FT_FRAMENUM, BASE_NONE, + NULL, 0x00, "Message fragment", HFILL } }, + { &hf_pop_data_fragment_overlap, + { "DATA fragment overlap", "pop.data.fragment.overlap", FT_BOOLEAN, + BASE_NONE, NULL, 0x0, "Message fragment overlap", HFILL } }, + { &hf_pop_data_fragment_overlap_conflicts, + { "DATA fragment overlapping with conflicting data", + "pop.data.fragment.overlap.conflicts", FT_BOOLEAN, BASE_NONE, NULL, + 0x0, "Message fragment overlapping with conflicting data", HFILL } }, + { &hf_pop_data_fragment_multiple_tails, + { "DATA has multiple tail fragments", + "pop.data.fragment.multiple_tails", FT_BOOLEAN, BASE_NONE, + NULL, 0x0, "Message has multiple tail fragments", HFILL } }, + { &hf_pop_data_fragment_too_long_fragment, + { "DATA fragment too long", "pop.data.fragment.too_long_fragment", + FT_BOOLEAN, BASE_NONE, NULL, 0x0, "Message fragment too long", + HFILL } }, + { &hf_pop_data_fragment_error, + { "DATA defragmentation error", "pop.data.fragment.error", FT_FRAMENUM, + BASE_NONE, NULL, 0x00, "Message defragmentation error", HFILL } }, + { &hf_pop_data_fragment_count, + { "DATA fragment count", "pop.data.fragment.count", FT_UINT32, BASE_DEC, + NULL, 0x00, NULL, HFILL } }, + { &hf_pop_data_reassembled_in, + { "Reassembled DATA in frame", "pop.data.reassembled.in", FT_FRAMENUM, BASE_NONE, + NULL, 0x00, "This DATA fragment is reassembled in this frame", HFILL } }, + { &hf_pop_data_reassembled_length, + { "Reassembled DATA length", "pop.data.reassembled.length", FT_UINT32, BASE_DEC, + NULL, 0x00, "The total length of the reassembled payload", HFILL } }, + }; + + static ei_register_info ei[] = { + { &ei_pop_resp_tot_len_invalid, { "pop.response.tot_len.invalid", PI_MALFORMED, PI_ERROR, + "Length must be a string containing an integer", EXPFILL }} + }; + + static gint *ett[] = { + &ett_pop, + &ett_pop_reqresp, + &ett_pop_data_fragment, + &ett_pop_data_fragments + }; + module_t *pop_module; + + + proto_pop = proto_register_protocol("Post Office Protocol", "POP", "pop"); + pop_handle = register_dissector("pop", dissect_pop, proto_pop); + proto_register_field_array(proto_pop, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + + reassembly_table_register (&pop_data_reassembly_table, + &addresses_ports_reassembly_table_functions); + + /* Preferences */ + pop_module = prefs_register_protocol(proto_pop, NULL); + + prefs_register_bool_preference(pop_module, "desegment_data", + "Reassemble POP RETR and TOP responses spanning multiple TCP segments", + "Whether the POP dissector should reassemble RETR and TOP responses and spanning multiple TCP segments." + " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.", + &pop_data_desegment); + + expert_pop = expert_register_protocol(proto_pop); + expert_register_field_array(expert_pop, ei, array_length(ei)); + + credentials_tap = register_tap("credentials"); +} + +void +proto_reg_handoff_pop(void) +{ + dissector_add_uint_with_preference("tcp.port", TCP_PORT_POP, pop_handle); + ssl_dissector_add(TCP_PORT_SSL_POP, pop_handle); + + /* find the IMF dissector */ + imf_handle = find_dissector_add_dependency("imf", proto_pop); + + /* find the TLS dissector */ + tls_handle = find_dissector_add_dependency("tls", proto_pop); +} + +/* + * Editor modelines - https://www.wireshark.org/tools/modelines.html + * + * Local Variables: + * c-basic-offset: 2 + * tab-width: 8 + * indent-tabs-mode: nil + * End: + * + * ex: set shiftwidth=2 tabstop=8 expandtab: + * :indentSize=2:tabSize=8:noTabs=true: + */ |