Wireshark-dev: [Wireshark-dev] A much better version of packet-negoex.c ...

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Sun, 1 Jul 2012 15:53:30 -0700
Hi Folks,

Here a version of the NEGOEX dissector that is pretty functional ...
and reveals that I need to add a GSS-API EAP dissector :-)

When I get permission to post the capture, I will create a bug and add
the capture to the bug.

Index: epan/CMakeLists.txt
===================================================================
--- epan/CMakeLists.txt	(revision 43186)
+++ epan/CMakeLists.txt	(working copy)
@@ -893,6 +893,7 @@
 	dissectors/packet-ndmp.c
 	dissectors/packet-ndp.c
 	dissectors/packet-ndps.c
+	dissectors/packet-negoex.c
 	dissectors/packet-netanalyzer.c
 	dissectors/packet-netbios.c
 	dissectors/packet-netdump.c
Index: epan/dissectors/Makefile.common
===================================================================
--- epan/dissectors/Makefile.common	(revision 43186)
+++ epan/dissectors/Makefile.common	(working copy)
@@ -814,6 +814,7 @@
 	packet-ndmp.c		\
 	packet-ndp.c		\
 	packet-ndps.c		\
+	packet-negoex.c		\
 	packet-netanalyzer.c	\
 	packet-netbios.c	\
 	packet-netdump.c	\


-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
/* packet-negoex.c
 * Dissect the NEGOEX security protocol
 * Copyright 2012 Richard Sharpe <realrichardsharpe@xxxxxxxxx>
 * Routines for The Extended GSS-API Negotiation Mechanism
 *
 * $Id: packet-negoex.c 42904 2012-05-29 21:51:52Z rsharpe $
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <gerald@xxxxxxxxxxxxx>
 * Copyright 1998 Gerald Combs
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 */
/* Just set me to activate debug #define DEBUG_NEGOEX */
#ifdef HAVE_CONFIG_H
# include "config.h"
#endif
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#include <glib.h>
#include <epan/packet.h>

#include "packet-windows-common.h"
#include "packet-smb-common.h"
#include "packet-frame.h"
#include <epan/asn1.h>
#include "packet-kerberos.h"
#include <epan/prefs.h>
#include <epan/emem.h>
#include <epan/tap.h>
#include <epan/expert.h>
#include "packet-dcerpc.h"
#include "packet-gssapi.h"
#include <wsutil/crc32.h>

static int proto_negoex = -1;
static int hf_negoex_sig = -1;
static int hf_negoex_message_type = -1;
static int hf_negoex_sequence_num = -1;
static int hf_negoex_header_len = -1;
static int hf_negoex_message_len = -1;
static int hf_negoex_conversation_id = -1;
static int hf_negoex_random = -1;
static int hf_negoex_proto_version = -1;
static int hf_negoex_authscheme = -1;
static int hf_negoex_authscheme_vector_offset = -1;
static int hf_negoex_authscheme_vector_count = -1;
static int hf_negoex_authscheme_vector_pad = -1;
static int hf_negoex_extension = -1;
static int hf_negoex_extension_vector_offset = -1;
static int hf_negoex_extension_vector_count = -1;
static int hf_negoex_extension_vector_pad = -1;
static int hf_negoex_exchange_vector_offset = -1;
static int hf_negoex_exchange_vector_count = -1;
static int hf_negoex_exchange_vector_pad = -1;
static int hf_negoex_exchange = -1;

static gint ett_negoex = -1;
static gint ett_negoex_msg = -1;
static gint ett_negoex_hdr = -1;
static gint ett_negoex_authscheme_vector = -1;
static gint ett_negoex_extension_vector = -1;
static gint ett_negoex_exchange = -1;

/* If you add more message types, add them in sequence and update MAX_MSG */
#define MESSAGE_TYPE_INITIATOR_NEGO      0
#define MESSAGE_TYPE_ACCEPTOR_NEGO       1
#define MESSAGE_TYPE_INITIATOR_META_DATA 2
#define MESSAGE_TYPE_ACCEPTOR_META_DATA  3
#define MESSAGE_TYPE_CHALLENGE           4
#define MESSAGE_TYPE_AP_REQUEST          5
#define MESSAGE_TYPE_VERIFY              6
#define MESSAGE_TYPE_ALERT               7
#define MESSAGE_TYPE_MAX_MSG             MESSAGE_TYPE_ALERT

static const value_string negoex_message_types[] = {
  {MESSAGE_TYPE_INITIATOR_NEGO,      "INITATOR_NEGO"},
  {MESSAGE_TYPE_ACCEPTOR_NEGO,       "ACCEPTOR_NEGO"},
  {MESSAGE_TYPE_INITIATOR_META_DATA, "INITIATOR_META_DATA"},
  {MESSAGE_TYPE_ACCEPTOR_META_DATA,  "ACCEPTOR_META_DATA"},
  {MESSAGE_TYPE_CHALLENGE,           "CHALLENGE"},
  {MESSAGE_TYPE_AP_REQUEST,          "AP_REQUEST"},
  {MESSAGE_TYPE_VERIFY,              "VERIFY"},
  {MESSAGE_TYPE_ALERT,               "ALERT"},
  {0, NULL}
};

static void
dissect_negoex_exchange_message(tvbuff_t *tvb,
                                packet_info *pinfo __attribute__((unused)),
                                proto_tree *tree,
                                guint32 start_off)
{
  volatile guint32 offset;
  guint32 exchange_vector_offset;
  guint32 exchange_vector_count;
  proto_item *pi;
  proto_tree *exchange_vector;

  offset = start_off;

  /* AuthScheme */
  proto_tree_add_item(tree, hf_negoex_authscheme, tvb, offset, 16, ENC_NA);
  offset += 16;

  /* Exchange Byte Vector */
  exchange_vector_offset = tvb_get_letohl(tvb, offset);
  exchange_vector_count = tvb_get_letohs(tvb, offset + 4);

  pi = proto_tree_add_text(tree, tvb, offset, 8, "Exchange: %u bytes at %u",
                           exchange_vector_count, exchange_vector_offset);
  exchange_vector = proto_item_add_subtree(pi, ett_negoex_exchange);

  proto_tree_add_item(exchange_vector, hf_negoex_exchange_vector_offset, tvb, 
                      offset, 4, ENC_LITTLE_ENDIAN);
  offset += 4;

  proto_tree_add_item(exchange_vector, hf_negoex_exchange_vector_count, tvb,
                      offset, 2, ENC_LITTLE_ENDIAN);
  offset +=  2;

  proto_tree_add_item(exchange_vector, hf_negoex_exchange_vector_pad, tvb,
                      offset, 2, ENC_NA);
  offset += 2;

  proto_tree_add_item(exchange_vector, hf_negoex_exchange, tvb,
                      offset, exchange_vector_count, ENC_NA);
}

/*
 * In each of the subdissectors we are handed the whole message, but the 
 * header is already dissected. The offset tells us where in buffer the
 * actual data starts. This is a bit redundant, but it allows for changes
 * to the header structure ...
 *
 * Eventually we want to treat the header and body differently perhaps.
 */
static void
dissect_negoex_nego_message(tvbuff_t *tvb, 
                            packet_info *pinfo __attribute__((unused)),
                            proto_tree *tree,
                            guint32 start_off)
{
  volatile guint32 offset;
  guint32 authscheme_vector_offset;
  guint16 authscheme_vector_count;
  guint32 extension_vector_offset;
  guint32 extension_vector_count;
  proto_item *pi, *ext_pi;
  proto_tree *authscheme_vector;
  proto_tree *extension_vector;
  guint32 i;

  offset = start_off;

  TRY {
    /* The Random field */
    proto_tree_add_item(tree, hf_negoex_random, tvb, offset, 32, ENC_ASCII);
    offset += 32;

    /* Protocol version */
    proto_tree_add_item(tree, hf_negoex_proto_version, tvb, offset, 8, ENC_LITTLE_ENDIAN);
    offset += 8;

    /* AuthScheme offset and count */
    authscheme_vector_offset = tvb_get_letohl(tvb, offset);
    authscheme_vector_count = tvb_get_letohs(tvb, offset + 4);

    pi = proto_tree_add_text(tree, tvb, offset, 8, "AuthSchemes: %u at %u",
                             authscheme_vector_count, authscheme_vector_offset);
    authscheme_vector = proto_item_add_subtree(pi, ett_negoex_authscheme_vector);
    proto_tree_add_item(authscheme_vector, hf_negoex_authscheme_vector_offset,
                        tvb, offset, 4, ENC_LITTLE_ENDIAN);
    offset += 4;

    proto_tree_add_item(authscheme_vector, hf_negoex_authscheme_vector_count,
                        tvb, offset, 2, ENC_LITTLE_ENDIAN);
    offset += 2;

    proto_tree_add_item(authscheme_vector, hf_negoex_authscheme_vector_pad,
                        tvb, offset, 2, ENC_NA);
    offset += 2;

    /* Now, add the various items */
    for (i = 0; i < authscheme_vector_count; i++) {
      proto_tree_add_item(authscheme_vector, hf_negoex_authscheme, tvb,
        authscheme_vector_offset + i * 16, 16, ENC_NA);
    }

    extension_vector_offset = tvb_get_letohl(tvb, offset);
    extension_vector_count = tvb_get_letohs(tvb, offset + 4);

    ext_pi = proto_tree_add_text(tree, tvb, offset, 8, "Extensions: %u at %u",
                                 extension_vector_count, extension_vector_count);
    extension_vector = proto_item_add_subtree(ext_pi, ett_negoex_extension_vector);


    for (i = 0; i < extension_vector_count; i++) {
      /* Dissect these things ... */
    }


  } ENDTRY;

}

static void
dissect_negoex(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
  volatile guint32 offset;
  proto_tree *volatile negoex_tree;
  proto_item *tf;
  gboolean done;
  guint32 payload_len;
  guint32 message_len;
  guint32 message_type;
  guint32 header_len;

  offset = 0;
  negoex_tree = NULL;
  tf = NULL;
  done = FALSE;
  payload_len = tvb_length(tvb); 
  message_len = 0;
  message_type = 0;  /* This is a MESSAGE_TYPE_INITIATOR_NEGO ... */
  header_len = 0;

  /* Set up the initial NEGOEX payload */
  if (tree) {
    tf = proto_tree_add_item(tree, proto_negoex, tvb, offset, -1, ENC_NA);
    negoex_tree = proto_item_add_subtree(tf, ett_negoex);
  }

  /*
   * There can me multiple negoex messages, each with a header with a length.
   * However, the payload might not have been reassembled ... 
   */

  while (offset < payload_len && !done) {
    proto_tree *volatile negoex_msg_tree;
    proto_tree *volatile negoex_hdr_tree;
    proto_item *msg;
    proto_item *hdr;
    tvbuff_t *msg_tvb;
    guint32 start_offset;

    start_offset = offset;

    TRY {
     /* Message type, it is after the signature */
      message_type = tvb_get_letohl(tvb, offset + 8);

      /* Add the message type tree ... set its lenght below */
      msg = proto_tree_add_text(negoex_tree, tvb, offset, -1,
                                "NEGEOX %s",
                                val_to_str(message_type,
                                           negoex_message_types,
                                           "Unknown NEGOEX message type"));

      /* Add a subtree for the message */
      negoex_msg_tree = proto_item_add_subtree(msg, ett_negoex_msg);

      /* Add a subtree for the header */
      hdr = proto_tree_add_text(negoex_msg_tree, tvb, offset, 40, "Header");
      negoex_hdr_tree = proto_item_add_subtree(hdr, ett_negoex_hdr);

      /* Signature, NEGOEXTS */
      proto_tree_add_item(negoex_hdr_tree, hf_negoex_sig,
                          tvb, offset, 8, ENC_ASCII | ENC_NA);
      offset += 8;

      col_append_sep_fstr(pinfo->cinfo, COL_INFO, ", ", "%s",
                          val_to_str(message_type, 
                                     negoex_message_types,
                                     "Unknown NEGOEX message type"));
      proto_tree_add_uint(negoex_hdr_tree, hf_negoex_message_type,
                          tvb, offset, 4, message_type);

      /* 
       * If this is an unknown message type, we have to punt because anything
       * following cannot be handled
       */
      if (message_type > MESSAGE_TYPE_MAX_MSG) {
        offset = payload_len; /* Can't do any more */
        goto bad_message;
      } else {
        offset += 4;
      }

      /* Sequence Number */
      proto_tree_add_item(negoex_hdr_tree, hf_negoex_sequence_num,
                          tvb, offset, 4, ENC_LITTLE_ENDIAN);
      offset += 4;

      /* Header Length */
      header_len = tvb_get_letohl(tvb, offset);
      proto_tree_add_uint(negoex_hdr_tree, hf_negoex_header_len,
                          tvb, offset, 4, header_len);
      offset += 4;

      /* Message Length */
      message_len = tvb_get_letohl(tvb, offset);
      proto_tree_add_uint(negoex_hdr_tree, hf_negoex_message_len,
                          tvb, offset, 4, message_len);
      offset += 4;

      /* Set the message len so the tree item has correct len */
      proto_item_set_len(msg, message_len);

      /* Conversation ID */
      proto_tree_add_item(negoex_hdr_tree, hf_negoex_conversation_id,
                          tvb, offset, 16, ENC_NA);
      offset += 16;

      /*
       * Construct a new TVB covering just this message and pass to the 
       * sub-dissector
       */
      msg_tvb = tvb_new_subset(tvb, 
                               start_offset,
                               MIN(message_len, tvb_length(tvb)),
                               message_len);

      switch (message_type) {
      case MESSAGE_TYPE_INITIATOR_NEGO:
      case MESSAGE_TYPE_ACCEPTOR_NEGO:
        dissect_negoex_nego_message(msg_tvb, 
                                    pinfo, 
                                    negoex_msg_tree, 
                                    offset - start_offset);
        break;

      case MESSAGE_TYPE_INITIATOR_META_DATA:
      case MESSAGE_TYPE_ACCEPTOR_META_DATA:
      case MESSAGE_TYPE_CHALLENGE:
      case MESSAGE_TYPE_AP_REQUEST:
        dissect_negoex_exchange_message(msg_tvb, 
                                        pinfo,
                                        negoex_msg_tree,
                                        offset - start_offset);
        break;

      default:
        proto_tree_add_text(negoex_msg_tree, tvb, offset, message_len - 40,
                            "The rest of the message");
      }

      offset = start_offset + message_len;

      /* We cannot branch out of the TRY block, but we can branch here */
    bad_message:
        ;

    } CATCH(BoundsError) {
      RETHROW;
    } CATCH(ReportedBoundsError) {
      done = TRUE;
      show_reported_bounds_error(tvb, pinfo, tree);
    } ENDTRY;
  }

}

static void
negoex_init_protocol(void)
{
}

void
proto_register_negoex(void)
{

  static hf_register_info hf[] = {
    { &hf_negoex_sig,
      { "Signature", "negoex.message.sig", FT_STRING, BASE_NONE,
        NULL, 0x0, NULL, HFILL }},
    { &hf_negoex_message_type,
      { "MessageType", "negoex.message.type", FT_UINT32, BASE_HEX, 
         VALS(negoex_message_types), 0x00, NULL, HFILL }},
    { &hf_negoex_sequence_num, 
      { "SequencNum", "negoex.message.seq_num", FT_UINT32, BASE_DEC,
        NULL, 0x0, NULL, HFILL }},
    { &hf_negoex_header_len,
      { "cbHeaderLength", "negoex.header.len", FT_UINT32, BASE_DEC,
        NULL, 0x0, NULL, HFILL }},
    { &hf_negoex_message_len,
      { "cbMessageLength", "negoex.message.len", FT_UINT32, BASE_DEC,
        NULL, 0x0, NULL, HFILL }},
    { &hf_negoex_conversation_id,
      { "ConversationID", "negoex.message.conv_id", FT_GUID, BASE_NONE,
        NULL, 0x0, NULL, HFILL}},
    { &hf_negoex_random,
      { "Random", "negoex.message.random", FT_BYTES, BASE_NONE, 
        NULL, 0x0, "Random data", HFILL }},
    { &hf_negoex_proto_version,
      { "ProtocolVersion", "negoex.proto_version", FT_UINT64, BASE_DEC,
        NULL, 0x0, NULL, HFILL}},
    { &hf_negoex_authscheme,
      { "AuthScheme", "negoex.auth_scheme", FT_GUID, BASE_NONE,
        NULL, 0x0, NULL, HFILL}},
    { &hf_negoex_authscheme_vector_offset,
      { "AuthSchemeArrayOffset", "negoex.auth_scheme_array_offset", FT_UINT32,
        BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_negoex_authscheme_vector_count,
      { "AuthSchemeCount", "negoex.auth_scheme_array_count", FT_UINT16,
        BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_negoex_authscheme_vector_pad,
      { "AuthSchemePad", "negoex.auth_scheme_array_pad", FT_BYTES,
        BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_negoex_extension,
      { "Extension", "negoex.extension", FT_BYTES, BASE_NONE,
        NULL, 0x0, "Extension data", HFILL }},
    { &hf_negoex_extension_vector_offset,
      { "ExtensionArrayOffset", "negoex.extension_array_offset", FT_UINT32,
        BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_negoex_extension_vector_count,
      { "ExtensionCount", "negoex.extension_array_count", FT_UINT32,
        BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_negoex_extension_vector_pad,
      { "ExtensionPad", "negoex.extension_pad", FT_UINT32,
        BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_negoex_exchange_vector_offset,
      { "ExchangeOffset", "negoex.exchange_vec_offset", FT_UINT32, BASE_DEC,
        NULL, 0x0, NULL, HFILL}},
    { &hf_negoex_exchange_vector_count,
      { "ExchangeByteCount", "negoex.exchange_vec_byte_count", FT_UINT32, 
        BASE_DEC, NULL, 0x0, NULL, HFILL}},
    { &hf_negoex_exchange_vector_pad,
      { "ExchangePad", "negoex.exchange_vec_pad", FT_BYTES, BASE_NONE,
        NULL, 0x0, NULL, HFILL}},
    { &hf_negoex_exchange,
      { "Exchange Bytes", "negoex.exchange", FT_BYTES, BASE_NONE,
        NULL, 0x0, NULL, HFILL}},
  };

  static gint *ett[] = {
    &ett_negoex,
    &ett_negoex_msg,
    &ett_negoex_hdr,
    &ett_negoex_authscheme_vector,
    &ett_negoex_extension_vector,
    &ett_negoex_exchange,
  };
  /*module_t *negoex_module = NULL; */

  proto_negoex = proto_register_protocol (
    "The Extended GSS-API Negotiation Mechanism", /* name */
    "NEGOEX",  /* short name */
    "negoex"   /* abbrev */
    );
  proto_register_field_array(proto_negoex, hf, array_length(hf));
  proto_register_subtree_array(ett, array_length(ett));
  register_init_routine(&negoex_init_protocol);

  /* negoex_module = prefs_register_protocol(proto_negoex, NULL);*/

  register_dissector("negoex", dissect_negoex, proto_negoex);
}

void
proto_reg_handoff_negoex(void)
{
  dissector_handle_t negoex_handle;

  /* Register protocol with the GSS-API module */

  negoex_handle = find_dissector("negoex");
  gssapi_init_oid("1.3.6.1.4.1.311.2.2.30", proto_negoex, ett_negoex,
                  negoex_handle, NULL,
                  "NEGOEX - The Extended GSS-API Negotiation Mechanism");

}

/*
 * Editor modelines  -  http://www.wireshark.org/tools/modelines.html
 *
 * Local variables:
 * c-basic-offset: 2
 * tab-width: 8
 * indent-tabs-mode: nil
 * End:
 *
 * vi: set shiftwidth=2 tabstop=8 expandtab:
 * :indentSize=2:tabSize=8:noTabs=true:
 */