Diffstat (limited to 'epan/dissectors/asn1/credssp')
-rw-r--r--epan/dissectors/asn1/credssp/CMakeLists.txt39
-rw-r--r--epan/dissectors/asn1/credssp/CredSSP.asn56
-rw-r--r--epan/dissectors/asn1/credssp/credssp.cnf130
-rw-r--r--epan/dissectors/asn1/credssp/packet-credssp-template.c200
-rw-r--r--epan/dissectors/asn1/credssp/packet-credssp-template.h20
5 files changed, 445 insertions, 0 deletions
diff --git a/epan/dissectors/asn1/credssp/CMakeLists.txt b/epan/dissectors/asn1/credssp/CMakeLists.txt
new file mode 100644
index 00000000..59c80321
--- /dev/null
+++ b/epan/dissectors/asn1/credssp/CMakeLists.txt
@@ -0,0 +1,39 @@
+# CMakeLists.txt
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+
+set( PROTOCOL_NAME credssp )
+
+set( PROTO_OPT )
+
+set( EXPORT_FILES
+ ${PROTOCOL_NAME}-exp.cnf
+)
+
+set( EXT_ASN_FILE_LIST
+)
+
+set( ASN_FILE_LIST
+ CredSSP.asn
+)
+
+set( EXTRA_DIST
+ ${ASN_FILE_LIST}
+ packet-${PROTOCOL_NAME}-template.c
+ packet-${PROTOCOL_NAME}-template.h
+ ${PROTOCOL_NAME}.cnf
+)
+
+set( SRC_FILES
+ ${EXTRA_DIST}
+ ${EXT_ASN_FILE_LIST}
+)
+
+set( A2W_FLAGS -b -C )
+
+ASN2WRS()
diff --git a/epan/dissectors/asn1/credssp/CredSSP.asn b/epan/dissectors/asn1/credssp/CredSSP.asn
new file mode 100644
index 00000000..07298526
--- /dev/null
+++ b/epan/dissectors/asn1/credssp/CredSSP.asn
@@ -0,0 +1,56 @@
+-- Derived from http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-CSSP%5D.pdf
+
+CredSSP DEFINITIONS EXPLICIT TAGS ::=
+
+BEGIN
+
+NegoData ::= SEQUENCE OF SEQUENCE {
+ negoToken [0] OCTET STRING
+}
+
+TSPasswordCreds ::= SEQUENCE {
+ domainName [0] OCTET STRING,
+ userName [1] OCTET STRING,
+ password [2] OCTET STRING
+}
+
+TSCspDataDetail ::= SEQUENCE {
+ keySpec [0] INTEGER,
+ cardName [1] OCTET STRING OPTIONAL,
+ readerName [2] OCTET STRING OPTIONAL,
+ containerName [3] OCTET STRING OPTIONAL,
+ cspName [4] OCTET STRING OPTIONAL
+}
+
+TSSmartCardCreds ::= SEQUENCE {
+ pin [0] OCTET STRING,
+ cspData [1] TSCspDataDetail,
+ userHint [2] OCTET STRING OPTIONAL,
+ domainHint [3] OCTET STRING OPTIONAL
+}
+
+TSRemoteGuardPackageCred ::= SEQUENCE {
+ packageName [0] OCTET STRING,
+ credBuffer [1] OCTET STRING
+}
+
+TSRemoteGuardCreds ::= SEQUENCE {
+ logonCred [0] TSRemoteGuardPackageCred,
+ supplementalCreds [1] SEQUENCE OF TSRemoteGuardPackageCred OPTIONAL
+}
+
+TSCredentials ::= SEQUENCE {
+ credType [0] INTEGER,
+ credentials [1] OCTET STRING
+}
+
+TSRequest ::= SEQUENCE {
+ version [0] INTEGER,
+ negoTokens [1] NegoData OPTIONAL,
+ authInfo [2] OCTET STRING OPTIONAL,
+ pubKeyAuth [3] OCTET STRING OPTIONAL,
+ errorCode [4] INTEGER OPTIONAL,
+ clientNonce [5] OCTET STRING OPTIONAL
+}
+
+END
diff --git a/epan/dissectors/asn1/credssp/credssp.cnf b/epan/dissectors/asn1/credssp/credssp.cnf
new file mode 100644
index 00000000..a55b1507
--- /dev/null
+++ b/epan/dissectors/asn1/credssp/credssp.cnf
@@ -0,0 +1,130 @@
+# credssp.cnf
+# Credential Security Support Provider (CredSSP) conformance file
+
+#.PDU
+TSRequest
+
+#.FN_PARS TSRequest/version VAL_PTR = &credssp_ver
+
+#.FN_BODY TSRequest/authInfo VAL_PTR = &auth_tvb
+ tvbuff_t *auth_tvb = NULL;
+ tvbuff_t *decr_tvb = NULL;
+ gssapi_encrypt_info_t gssapi_encrypt;
+
+ %(DEFAULT_BODY)s
+
+ memset(&gssapi_encrypt, 0, sizeof(gssapi_encrypt));
+ gssapi_encrypt.decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL;
+ call_dissector_with_data(gssapi_wrap_handle, auth_tvb, actx->pinfo, tree, &gssapi_encrypt);
+ decr_tvb = gssapi_encrypt.gssapi_decrypted_tvb;
+
+ if(decr_tvb != NULL)
+ dissect_credssp_TSCredentials(FALSE, decr_tvb, 0, actx, tree, hf_credssp_TSCredentials);
+
+#.FN_BODY TSRequest/pubKeyAuth VAL_PTR = &auth_tvb
+ tvbuff_t *auth_tvb = NULL;
+ tvbuff_t *decr_tvb = NULL;
+ gssapi_encrypt_info_t gssapi_encrypt;
+
+ %(DEFAULT_BODY)s
+
+ memset(&gssapi_encrypt, 0, sizeof(gssapi_encrypt));
+ gssapi_encrypt.decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL;
+ call_dissector_with_data(gssapi_wrap_handle, auth_tvb, actx->pinfo, tree, &gssapi_encrypt);
+ decr_tvb = gssapi_encrypt.gssapi_decrypted_tvb;
+
+ if(decr_tvb != NULL)
+ proto_tree_add_item(tree, hf_credssp_decr_PublicKeyAuth, decr_tvb, 0, -1, ENC_NA);
+
+#.FN_BODY TSRequest/errorCode
+
+ if (credssp_ver < 3) {
+ return 0;
+ }
+
+ %(DEFAULT_BODY)s
+
+
+#.FN_BODY TSRequest/clientNonce
+
+ if (credssp_ver < 5) {
+ return 0;
+ }
+
+ %(DEFAULT_BODY)s
+
+
+#.FN_PARS TSCredentials/credType VAL_PTR = &creds_type
+#.FN_PARS TSCredentials/credentials VAL_PTR = &creds_tvb
+
+#.FN_BODY TSCredentials/credentials
+ tvbuff_t *creds_tvb = NULL;
+
+ %(DEFAULT_BODY)s
+
+ switch(creds_type) {
+ case TS_PASSWORD_CREDS:
+ dissect_credssp_TSPasswordCreds(FALSE, creds_tvb, 0, actx, tree, hf_credssp_TSPasswordCreds);
+ break;
+ case TS_SMARTCARD_CREDS:
+ dissect_credssp_TSSmartCardCreds(FALSE, creds_tvb, 0, actx, tree, hf_credssp_TSSmartCardCreds);
+ break;
+ case TS_REMOTEGUARD_CREDS:
+ dissect_credssp_TSRemoteGuardCreds(FALSE, creds_tvb, 0, actx, tree, hf_credssp_TSRemoteGuardCreds);
+ break;
+ }
+
+
+#.FN_PARS NegoData/_item/negoToken VAL_PTR = &token_tvb
+
+#.FN_BODY NegoData/_item/negoToken
+ tvbuff_t *token_tvb = NULL;
+
+ %(DEFAULT_BODY)s
+
+ if(token_tvb != NULL)
+ call_dissector(gssapi_handle, token_tvb, actx->pinfo, tree);
+
+
+#.TYPE_ATTR
+TSRemoteGuardPackageCred/packageName TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
+
+#.FN_BODY TSRemoteGuardPackageCred/packageName VAL_PTR = &pname
+ tvbuff_t *pname = NULL;
+
+ offset = dissect_ber_octet_string(implicit_tag, actx, NULL, tvb, offset, hf_index, &pname);
+
+ if(pname != NULL) {
+ gint nlen = tvb_captured_length(pname);
+
+ if (nlen == sizeof(kerberos_pname) && memcmp(tvb_get_ptr(pname, 0, nlen), kerberos_pname, nlen) == 0) {
+ credssp_TS_RGC_package = TS_RGC_KERBEROS;
+ } else if (nlen == sizeof(ntlm_pname) && memcmp(tvb_get_ptr(pname, 0, nlen), ntlm_pname, nlen) == 0) {
+ credssp_TS_RGC_package = TS_RGC_NTLM;
+ }
+ proto_tree_add_item(tree, hf_index, pname, 0, -1, ENC_UTF_16|ENC_LITTLE_ENDIAN);
+ }
+
+#.FN_BODY TSRemoteGuardPackageCred/credBuffer VAL_PTR = &creds
+ tvbuff_t *creds= NULL;
+ proto_tree *subtree;
+
+ %(DEFAULT_BODY)s
+
+ if (!creds)
+ return offset;
+
+ switch(credssp_TS_RGC_package) {
+ case TS_RGC_KERBEROS:
+ subtree = proto_item_add_subtree(actx->created_item, ett_credssp_RGC_CredBuffer);
+ dissect_kerberos_KERB_TICKET_LOGON(creds, 0, actx, subtree);
+ break;
+ case TS_RGC_NTLM:
+ subtree = proto_item_add_subtree(actx->created_item, ett_credssp_RGC_CredBuffer);
+ dissect_ntlmssp_NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL(creds, 0, subtree);
+ break;
+ }
+
+#.END
+
+
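Review bot: The `TSRequest/authInfo` and `TSRequest/pubKeyAuth` bodies hand `auth_tvb` straight to `call_dissector_with_data()` without the NULL check that the sibling `NegoData/_item/negoToken` (`if(token_tvb != NULL)`) and `credBuffer` (`if (!creds) return offset;`) bodies apply to their own VAL_PTR tvbs; as far as I can tell the BER octet-string helper leaves the out-tvb NULL for an empty string, so an empty `authInfo` or `pubKeyAuth` would pass a NULL tvb to the gssapi_verf dissector. Adding `if (auth_tvb == NULL) return offset;` directly after `%(DEFAULT_BODY)s` in both bodies makes them consistent with the other two. The `TSCredentials/credentials` switch has the same gap for `creds_tvb` and also lacks a `default:` branch, so an unknown `credType` is silently ignored rather than, say, flagged with an expert info; a one-line comment such as `/* creds_type is read from TSCredentials/credType earlier in the same SEQUENCE */` above the switch would also help, since the coupling through the file-scope variable is not visible here.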
diff --git a/epan/dissectors/asn1/credssp/packet-credssp-template.c b/epan/dissectors/asn1/credssp/packet-credssp-template.c
new file mode 100644
index 00000000..5eef5741
--- /dev/null
+++ b/epan/dissectors/asn1/credssp/packet-credssp-template.c
@@ -0,0 +1,200 @@
+/* packet-credssp.c
+ * Routines for CredSSP (Credential Security Support Provider) packet dissection
+ * Graeme Lunt 2011
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "config.h"
+
+#include <epan/packet.h>
+#include <epan/asn1.h>
+#include <epan/tap.h>
+#include <epan/exported_pdu.h>
+
+#include "packet-ber.h"
+#include "packet-gssapi.h"
+#include "packet-kerberos.h"
+#include "packet-ntlmssp.h"
+#include "packet-credssp.h"
+
+#define PNAME "Credential Security Support Provider"
+#define PSNAME "CredSSP"
+#define PFNAME "credssp"
+
+#define TS_PASSWORD_CREDS 1
+#define TS_SMARTCARD_CREDS 2
+#define TS_REMOTEGUARD_CREDS 6
+
+static gint creds_type;
+static gint credssp_ver;
+
+static char kerberos_pname[] = "K\0e\0r\0b\0e\0r\0o\0s";
+static char ntlm_pname[] = "N\0T\0L\0M";
+
+#define TS_RGC_UNKNOWN 0
+#define TS_RGC_KERBEROS 1
+#define TS_RGC_NTLM 2
+
+static gint credssp_TS_RGC_package;
+
+static gint exported_pdu_tap = -1;
+
+/* Initialize the protocol and registered fields */
+static int proto_credssp = -1;
+
+/* List of dissectors to call for negoToken data */
+static heur_dissector_list_t credssp_heur_subdissector_list;
+
+static dissector_handle_t gssapi_handle;
+static dissector_handle_t gssapi_wrap_handle;
+
+static int hf_credssp_TSPasswordCreds = -1; /* TSPasswordCreds */
+static int hf_credssp_TSSmartCardCreds = -1; /* TSSmartCardCreds */
+static int hf_credssp_TSRemoteGuardCreds = -1;/* TSRemoteGuardCreds */
+static int hf_credssp_TSCredentials = -1; /* TSCredentials */
+static int hf_credssp_decr_PublicKeyAuth = -1;/* decr_PublicKeyAuth */
+#include "packet-credssp-hf.c"
+
+/* Initialize the subtree pointers */
+static gint ett_credssp = -1;
+static gint ett_credssp_RGC_CredBuffer = -1;
+
+#include "packet-credssp-ett.c"
+
+#include "packet-credssp-fn.c"
+
+/*
+* Dissect CredSSP PDUs
+*/
+static int
+dissect_credssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data)
+{
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+
+ if(parent_tree){
+ item = proto_tree_add_item(parent_tree, proto_credssp, tvb, 0, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_credssp);
+ }
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "CredSSP");
+ col_clear(pinfo->cinfo, COL_INFO);
+
+ creds_type = -1;
+ credssp_ver = -1;
+
+ return dissect_TSRequest_PDU(tvb, pinfo, tree, data);
+}
+
+static gboolean
+dissect_credssp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
+{
+ asn1_ctx_t asn1_ctx;
+ int offset = 0;
+ gint8 ber_class;
+ bool pc;
+ gint32 tag;
+ guint32 length;
+ gint8 ver;
+
+ asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+
+ /* Look for SEQUENCE, CONTEXT 0, and INTEGER 2 */
+ if(tvb_captured_length(tvb) > 7) {
+ offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag);
+ if((ber_class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_SEQUENCE) && (pc == TRUE)) {
+ offset = get_ber_length(tvb, offset, NULL, NULL);
+ offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag);
+ if((ber_class == BER_CLASS_CON) && (tag == 0)) {
+ offset = get_ber_length(tvb, offset, NULL, NULL);
+ offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag);
+ if((ber_class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_INTEGER)) {
+ offset = get_ber_length(tvb, offset, &length, NULL);
+ ver = tvb_get_guint8(tvb, offset);
+ if((length == 1) && (ver > 1) && (ver < 99)) {
+ if (have_tap_listener(exported_pdu_tap)) {
+ exp_pdu_data_t *exp_pdu_data = export_pdu_create_common_tags(pinfo, "credssp", EXP_PDU_TAG_DISSECTOR_NAME);
+
+ exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb);
+ exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb);
+ exp_pdu_data->pdu_tvb = tvb;
+
+ tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
+ }
+ dissect_credssp(tvb, pinfo, parent_tree, NULL);
+ return TRUE;
+ }
+ }
+ }
+ }
+ }
+ return FALSE;
+}
+
+
+/*--- proto_register_credssp -------------------------------------------*/
+void proto_register_credssp(void) {
+
+ /* List of fields */
+ static hf_register_info hf[] =
+ {
+ { &hf_credssp_TSPasswordCreds,
+ { "TSPasswordCreds", "credssp.TSPasswordCreds",
+ FT_NONE, BASE_NONE, NULL, 0,
+ NULL, HFILL }},
+ { &hf_credssp_TSSmartCardCreds,
+ { "TSSmartCardCreds", "credssp.TSSmartCardCreds",
+ FT_NONE, BASE_NONE, NULL, 0,
+ NULL, HFILL }},
+ { &hf_credssp_TSRemoteGuardCreds,
+ { "TSRemoteGuardCreds", "credssp.TSRemoteGuardCreds",
+ FT_NONE, BASE_NONE, NULL, 0,
+ NULL, HFILL }},
+ { &hf_credssp_TSCredentials,
+ { "TSCredentials", "credssp.TSCredentials",
+ FT_NONE, BASE_NONE, NULL, 0,
+ NULL, HFILL }},
+ { &hf_credssp_decr_PublicKeyAuth,
+ { "Decrypted PublicKeyAuth (sha256)", "credssp.decr_PublicKeyAuth",
+ FT_BYTES, BASE_NONE, NULL, 0,
+ NULL, HFILL }},
+#include "packet-credssp-hfarr.c"
+ };
+
+ /* List of subtrees */
+ static gint *ett[] = {
+ &ett_credssp,
+ &ett_credssp_RGC_CredBuffer,
+#include "packet-credssp-ettarr.c"
+ };
+
+
+ /* Register protocol */
+ proto_credssp = proto_register_protocol(PNAME, PSNAME, PFNAME);
+ register_dissector("credssp", dissect_credssp, proto_credssp);
+
+ /* Register fields and subtrees */
+ proto_register_field_array(proto_credssp, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+
+ /* heuristic dissectors for any premable e.g. CredSSP before RDP */
+ credssp_heur_subdissector_list = register_heur_dissector_list("credssp", proto_credssp);
+
+}
+
+
+/*--- proto_reg_handoff_credssp --- */
+void proto_reg_handoff_credssp(void) {
+
+ gssapi_handle = find_dissector_add_dependency("gssapi", proto_credssp);
+ gssapi_wrap_handle = find_dissector_add_dependency("gssapi_verf", proto_credssp);
+
+ heur_dissector_add("tls", dissect_credssp_heur, "CredSSP over TLS", "credssp_tls", proto_credssp, HEURISTIC_ENABLE);
+ heur_dissector_add("rdp", dissect_credssp_heur, "CredSSP in TPKT", "credssp_tpkt", proto_credssp, HEURISTIC_ENABLE);
+ exported_pdu_tap = find_tap_id(EXPORT_PDU_TAP_NAME_LAYER_7);
+}
+
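Review bot: `dissect_credssp()` resets `creds_type` and `credssp_ver` before dissecting the PDU but not `credssp_TS_RGC_package`, which the conformance file sets from `TSRemoteGuardPackageCred/packageName` only when the name matches Kerberos or NTLM and then reads in `credBuffer`; a packet whose packageName is absent or unrecognised therefore dissects its credBuffer with the package type left over from an earlier packet (or an earlier supplementalCreds item). Add `credssp_TS_RGC_package = TS_RGC_UNKNOWN;` next to the other two resets at the top of `dissect_credssp()`, and consider resetting it again at the start of each TSRemoteGuardPackageCred so items within one packet do not inherit each other's value. In `dissect_credssp_heur()` the only size check is `tvb_captured_length(tvb) > 7` before three identifier/length walks, so a truncated or malformed prefix reaches `tvb_get_guint8(tvb, offset)` past the captured end and, as far as I can tell, relies on the bounds exception instead of returning FALSE; a `tvb_bytes_exist(tvb, offset, 1)` guard before the read would keep the heuristic side-effect free. Minor: the comment above `register_heur_dissector_list` reads "premable" for "preamble", and the list it registers is not referenced anywhere in this file.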
diff --git a/epan/dissectors/asn1/credssp/packet-credssp-template.h b/epan/dissectors/asn1/credssp/packet-credssp-template.h
new file mode 100644
index 00000000..fda51f3b
--- /dev/null
+++ b/epan/dissectors/asn1/credssp/packet-credssp-template.h
@@ -0,0 +1,20 @@
+/* packet-credssp.h
+ * Routines for CredSSP (Credential Security Support Provider) packet dissection
+ * Graeme Lunt 2011
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef PACKET_CREDSSP_H
+#define PACKET_CREDSSP_H
+
+#include "packet-credssp-val.h"
+
+void proto_reg_handoff_credssp(void);
+void proto_register_credssp(void);
+
+#endif /* PACKET_CREDSSP_H */