Wireshark-bugs: [Wireshark-bugs] [Bug 3440] Failure to dissect long SASL wrapped LDAP response

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Mon, 6 Jul 2009 06:05:15 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3440





--- Comment #4 from Graeme Lunt <graeme@xxxxxxxxxxx>  2009-07-06 06:05:07 PDT ---
(In reply to comment #3)
> >As I see it, the LDAP dissector currently knows if SASL authentication >was
> >used, but not if SASL integrity or confidentiality services have >negotiated
> >(requested by the client). If it knew a security layer had been >negotiated,
> >then it would know that any PDU was SASL, regardless of the PDU size.
> 
> I guess otherwise their is no reason for the code to be like it is ... at the
> same time is it possible to negotiate SASL auth without SASL
> integrity/confidentiality ... ?

It is perfectly possible to to negotiate SASL auth with SASL
integrity/confidentiality. Certainly it can be done with Kerberos. 

> > Would that be a sensible, solution?
> The simple one (but the most likely to hit a bare sooner or latter ...) to 16MB
> (well I hope not so soon to seen such LDAP message but with MS worser is always
> an option !). As it correspond to 0x00 on the first byte and FF FF FF on the 3
> others.

I think this is a bit cumbersome and the limit will always be hit by someone.
Alot of ADS/LDS services use SASL GSSAPI with integrity. 

> Because the real solution would be to follow this rfc for SSL 
> 
> http://www.ietf.org/rfc/rfc2830.txt

SSL/TLS is something different - it provides network authentication and
confidentiality services. It is something SASL can use to provide application
authentication (using the SASL EXTERNAL mechanism), but I would expect that
additional SASL integrity/confidentiality layers are not negotiated with this
mechanism.

If you are using Kerberos (SASL GSSAPI) as you indicate, then switching to SSL
is probably not what you want to do.

> Which indicate that we should search for an special oid indicating the starttls
> start (I guess this should occur before the bind ...).

It can occur at any point in the LDAP conversation.

> But for differencing LDAP with SASL or without the ldap dissector should
> receive a notification from the authentification dissector (GSSAPI) of which
> attributes (security/integrity/...) have been negociated (have fun ...)
> 
> Third way might be first try a normal dissection, then an ssl and then a sasl
> one (and we stop one we have a valid ldap message).

There is certainly a possibility to try LDAP and SASL.

Graeme


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.