# credssp.cnf # Credential Security Support Provider (CredSSP) conformance file #.PDU TSRequest #.FN_PARS TSRequest/version VAL_PTR = &credssp_ver #.FN_BODY TSRequest/authInfo VAL_PTR = &auth_tvb tvbuff_t *auth_tvb = NULL; tvbuff_t *decr_tvb = NULL; gssapi_encrypt_info_t gssapi_encrypt; %(DEFAULT_BODY)s memset(&gssapi_encrypt, 0, sizeof(gssapi_encrypt)); gssapi_encrypt.decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL; call_dissector_with_data(gssapi_wrap_handle, auth_tvb, actx->pinfo, tree, &gssapi_encrypt); decr_tvb = gssapi_encrypt.gssapi_decrypted_tvb; if(decr_tvb != NULL) dissect_credssp_TSCredentials(false, decr_tvb, 0, actx, tree, hf_credssp_TSCredentials); #.FN_BODY TSRequest/pubKeyAuth VAL_PTR = &auth_tvb tvbuff_t *auth_tvb = NULL; tvbuff_t *decr_tvb = NULL; gssapi_encrypt_info_t gssapi_encrypt; %(DEFAULT_BODY)s memset(&gssapi_encrypt, 0, sizeof(gssapi_encrypt)); gssapi_encrypt.decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL; call_dissector_with_data(gssapi_wrap_handle, auth_tvb, actx->pinfo, tree, &gssapi_encrypt); decr_tvb = gssapi_encrypt.gssapi_decrypted_tvb; if(decr_tvb != NULL) proto_tree_add_item(tree, hf_credssp_decr_PublicKeyAuth, decr_tvb, 0, -1, ENC_NA); #.FN_BODY TSRequest/errorCode if (credssp_ver < 3) { return 0; } %(DEFAULT_BODY)s #.FN_BODY TSRequest/clientNonce if (credssp_ver < 5) { return 0; } %(DEFAULT_BODY)s #.FN_PARS TSCredentials/credType VAL_PTR = &creds_type #.FN_PARS TSCredentials/credentials VAL_PTR = &creds_tvb #.FN_BODY TSCredentials/credentials tvbuff_t *creds_tvb = NULL; %(DEFAULT_BODY)s switch(creds_type) { case TS_PASSWORD_CREDS: dissect_credssp_TSPasswordCreds(false, creds_tvb, 0, actx, tree, hf_credssp_TSPasswordCreds); break; case TS_SMARTCARD_CREDS: dissect_credssp_TSSmartCardCreds(false, creds_tvb, 0, actx, tree, hf_credssp_TSSmartCardCreds); break; case TS_REMOTEGUARD_CREDS: dissect_credssp_TSRemoteGuardCreds(false, creds_tvb, 0, actx, tree, hf_credssp_TSRemoteGuardCreds); break; } #.FN_PARS NegoData/_item/negoToken VAL_PTR = &token_tvb #.FN_BODY NegoData/_item/negoToken tvbuff_t *token_tvb = NULL; %(DEFAULT_BODY)s if(token_tvb != NULL) call_dissector(gssapi_handle, token_tvb, actx->pinfo, tree); #.TYPE_ATTR TSRemoteGuardPackageCred/packageName TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL #.FN_BODY TSRemoteGuardPackageCred/packageName VAL_PTR = &pname tvbuff_t *pname = NULL; offset = dissect_ber_octet_string(implicit_tag, actx, NULL, tvb, offset, hf_index, &pname); if(pname != NULL) { int nlen = tvb_captured_length(pname); if (nlen == sizeof(kerberos_pname) && memcmp(tvb_get_ptr(pname, 0, nlen), kerberos_pname, nlen) == 0) { credssp_TS_RGC_package = TS_RGC_KERBEROS; } else if (nlen == sizeof(ntlm_pname) && memcmp(tvb_get_ptr(pname, 0, nlen), ntlm_pname, nlen) == 0) { credssp_TS_RGC_package = TS_RGC_NTLM; } proto_tree_add_item(tree, hf_index, pname, 0, -1, ENC_UTF_16|ENC_LITTLE_ENDIAN); } #.FN_BODY TSRemoteGuardPackageCred/credBuffer VAL_PTR = &creds tvbuff_t *creds= NULL; proto_tree *subtree; %(DEFAULT_BODY)s if (!creds) return offset; switch(credssp_TS_RGC_package) { case TS_RGC_KERBEROS: subtree = proto_item_add_subtree(actx->created_item, ett_credssp_RGC_CredBuffer); dissect_kerberos_KERB_TICKET_LOGON(creds, 0, actx, subtree); break; case TS_RGC_NTLM: subtree = proto_item_add_subtree(actx->created_item, ett_credssp_RGC_CredBuffer); dissect_ntlmssp_NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL(creds, 0, subtree); break; } #.END