1# ldap.cnf 2# LDAP conformation file 3# Copyright 2005 Anders Broman 4 5#.OMIT_ASSIGNMENT 6DirSyncFlagsSubEntry 7PasswdModifyResponseValue 8 9#.PDU 10 11#.TYPE_RENAME 12 13BindResponse/_untag/resultCode BindResponse_resultCode 14ExtendedResponse/_untag/resultCode ExtendedResponse_resultCode 15ModifyRequest/_untag/modification ModifyRequest_modification 16 17#.FIELD_RENAME 18BindResponse/_untag/resultCode bindResponse_resultCode 19ExtendedResponse/_untag/resultCode extendedResponse_resultCode 20SearchRequest/_untag/attributes searchRequest_attributes 21SearchResultEntry/_untag/attributes searchResultEntry_attributes 22ModifyRequest/_untag/modification modifyRequest_modification 23SubstringFilter/substrings substringFilter_substrings 24BindResponse/_untag/matchedDN bindResponse_matchedDN 25IntermediateResponse/_untag/responseValue intermediateResponse_responseValue 26 27#.TYPE_ATTR 28LDAPString TYPE = FT_STRING DISPLAY = STR_UNICODE STRINGS = NULL 29LDAPURL TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL 30LDAPOID TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL 31Mechanism TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL 32AssertionValue TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL 33DirSyncFlags TYPE = FT_UINT32 DISPLAY = BASE_HEX STRINGS = NULL 34Simple TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL 35 36#.REGISTER 37SearchControlValue B "1.2.840.113556.1.4.319" "pagedResultsControl" 38SortKeyList B "1.2.840.113556.1.4.473" "sortKeyList" 39SortResult B "1.2.840.113556.1.4.474" "sortResult" 40DirSyncControlValue B "1.2.840.113556.1.4.841" "dirsync" 41#RFC 3062 42PasswdModifyRequestValue B "1.3.6.1.4.1.4203.1.11.1" "passwdModifyOID" 43#RFC 3909 44CancelRequestValue B "1.3.6.1.1.8" "cancelRequestOID" 45#RFC 4533 46SyncRequestValue B "1.3.6.1.4.1.4203.1.9.1.1" "syncRequestOID" 47SyncStateValue B "1.3.6.1.4.1.4203.1.9.1.2" "syncStateOID" 48SyncDoneValue B "1.3.6.1.4.1.4203.1.9.1.3" "syncDoneOID" 49SyncInfoValue B "1.3.6.1.4.1.4203.1.9.1.4" "syncInfoOID" 50# Draft RFC - Password Policy for LDAP Directories 51PasswordPolicyResponseValue B "1.3.6.1.4.1.42.2.27.8.5.1" "passwordPolicy" 52 53#.FN_FTR LDAPURL 54 proto_item_set_url(actx->created_item); 55 56#.FN_HDR LDAPOID 57 58 tvbuff_t *parameter_tvb; 59 const gchar *name; 60 ldap_conv_info_t *ldap_info = (ldap_conv_info_t *)actx->private_data; 61 62#.FN_PARS LDAPOID VAL_PTR = ¶meter_tvb 63 64#.FN_FTR LDAPOID 65 66 object_identifier_id = NULL; 67 68 if (!parameter_tvb) 69 return offset; 70 71 object_identifier_id = tvb_get_string_enc(actx->pinfo->pool, parameter_tvb, 0, tvb_reported_length_remaining(parameter_tvb,0), ENC_UTF_8|ENC_NA); 72 name = oid_resolved_from_string(actx->pinfo->pool, object_identifier_id); 73 74 if(name){ 75 proto_item_append_text(actx->created_item, " (%s)", name); 76 77 if((hf_index == hf_ldap_requestName) || (hf_index == hf_ldap_responseName)) { 78 ldap_do_protocolop(actx->pinfo); 79 col_append_fstr(actx->pinfo->cinfo, COL_INFO, "%s ", name); 80 } 81 } 82 83 /* Has the client requested the Start TLS operation? */ 84 if (ldap_info && hf_index == hf_ldap_requestName && 85 !strcmp(object_identifier_id, "1.3.6.1.4.1.1466.20037")) { 86 /* remember we have asked to start_tls */ 87 ldap_info->start_tls_pending = TRUE; 88 } 89 90#.FN_BODY MessageID VAL_PTR = &MessageID 91 92%(DEFAULT_BODY)s 93 94 ldm_tree = tree; 95 96#.FN_PARS ProtocolOp VAL_PTR = &ProtocolOp 97 98#.FN_HDR ProtocolOp 99 100 ldap_call_response_t *lcrp; 101 ldap_conv_info_t *ldap_info = (ldap_conv_info_t *)actx->private_data; 102 do_protocolop = TRUE; 103 104#.FN_FTR ProtocolOp 105 106 if (ProtocolOp == -1) { 107 return offset; 108 } 109 110 /* ProtocolOp is the index, not the tag so convert it to the tag value */ 111 ProtocolOp = ldap_ProtocolOp_vals[ProtocolOp].value; 112 113 lcrp=ldap_match_call_response(tvb, actx->pinfo, tree, MessageID, ProtocolOp, ldap_info); 114 if(lcrp){ 115 tap_queue_packet(ldap_tap, actx->pinfo, lcrp); 116 } 117 118 /* XXX: the count will not work if the results span multiple TCP packets */ 119 120 if(ldap_info) { /* only count once */ 121 switch(ProtocolOp) { 122 123 case LDAP_RES_SEARCH_ENTRY: 124 if (!actx->pinfo->fd->visited) 125 ldap_info->num_results++; 126 127 proto_item_append_text(tree, " [%d result%s]", 128 ldap_info->num_results, ldap_info->num_results == 1 ? "" : "s"); 129 130 break; 131 132 case LDAP_RES_SEARCH_RESULT: 133 134 col_append_fstr(actx->pinfo->cinfo, COL_INFO, " [%d result%s]", 135 ldap_info->num_results, ldap_info->num_results == 1 ? "" : "s"); 136 137 proto_item_append_text(tree, " [%d result%s]", 138 ldap_info->num_results, ldap_info->num_results == 1 ? "" : "s"); 139 140 break; 141 default: 142 break; 143 } 144 } 145 146 147#.FN_BODY Simple 148ldap_conv_info_t *ldap_info; 149 150%(DEFAULT_BODY)s 151 152 ldap_info = (ldap_conv_info_t *)actx->private_data; 153 ldap_info->auth_type = LDAP_AUTH_SIMPLE; 154 155#.FN_BODY Mechanism VAL_PTR = ¶meter_tvb 156 157ldap_conv_info_t *ldap_info; 158tvbuff_t *parameter_tvb; 159char *mechanism = NULL; 160%(DEFAULT_BODY)s 161 ldap_info = (ldap_conv_info_t *)actx->private_data; 162 ldap_info->auth_type = LDAP_AUTH_SASL; 163 164 if (!parameter_tvb) 165 return offset; 166 167 /* 168 * We need to remember the authentication type and mechanism for this 169 * conversation. 170 * 171 * XXX - actually, we might need to remember more than one 172 * type and mechanism, if you can unbind and rebind with a 173 * different type and/or mechanism. 174 */ 175 if(!actx->pinfo->fd->visited) { 176 mechanism = tvb_get_string_enc(wmem_file_scope(), parameter_tvb, 0, tvb_reported_length_remaining(parameter_tvb,0), ENC_UTF_8|ENC_NA); 177 ldap_info->first_auth_frame = 0; /* not known until we see the bind reply */ 178 /* 179 * If the mechanism in this request is an empty string (which is 180 * returned as a null pointer), use the saved mechanism instead. 181 * Otherwise, if the saved mechanism is an empty string (null), 182 * save this mechanism. 183 */ 184 if (mechanism != NULL) { 185 wmem_free(wmem_file_scope(), ldap_info->auth_mech); 186 ldap_info->auth_mech = mechanism; 187 } 188 } 189#.FN_BODY Credentials VAL_PTR = ¶meter_tvb 190 191tvbuff_t *parameter_tvb; 192ldap_conv_info_t *ldap_info; 193gint8 ber_class; 194gboolean pc; 195gint32 tag; 196 197%(DEFAULT_BODY)s 198 199 if (!parameter_tvb) 200 return offset; 201 202 ldap_info = (ldap_conv_info_t *)actx->private_data; 203 get_ber_identifier(parameter_tvb, 0, &ber_class, &pc, &tag); 204 205 /*if ((ldap_info->auth_mech != NULL) && (strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) && (ber_class==BER_CLASS_CON)) {*/ 206 if ((ldap_info->auth_mech != NULL) && (ber_class==BER_CLASS_CON)) { 207 /* 208 * This is a GSS-API token ancapsulated within GSS-SPNEGO. 209 * We need to check the first byte to check whether the blob 210 * contains SPNEGO or GSSAPI. 211 * All SPNEGO PDUs are of class CONSTRUCTED while 212 * GSS PDUs are class APPLICATION 213 */ 214 if (parameter_tvb && (tvb_reported_length(parameter_tvb) > 0)) 215 call_dissector(spnego_handle, parameter_tvb, actx->pinfo, tree); 216 } 217 /*if ((ldap_info->auth_mech != NULL) && ((strcmp(ldap_info->auth_mech, "GSSAPI") == 0) || (ber_class==BER_CLASS_APP))) {*/ 218 if ((ldap_info->auth_mech != NULL) && (ber_class==BER_CLASS_APP)) { 219 /* 220 * This is a raw GSS-API token. 221 */ 222 if (parameter_tvb && (tvb_reported_length(parameter_tvb) > 0)) { 223 call_dissector(gssapi_handle, parameter_tvb, actx->pinfo, tree); 224 } 225 } 226 /* Restore private data */ 227 actx->private_data = ldap_info; 228 229 230#.FN_BODY ServerSaslCreds VAL_PTR = ¶meter_tvb 231 232tvbuff_t *parameter_tvb = NULL; 233ldap_conv_info_t *ldap_info; 234 235%(DEFAULT_BODY)s 236 if (!parameter_tvb) 237 return offset; 238 ldap_info = (ldap_conv_info_t *)actx->private_data; 239 switch (ldap_info->auth_type) { 240 241 /* For Kerberos V4, dissect it as a ticket. */ 242 /* XXX - what about LDAP_AUTH_SIMPLE? */ 243 244 case LDAP_AUTH_SASL: 245 /* 246 * All frames after this are assumed to use a security layer. 247 * 248 * XXX - won't work if there's another reply, with the security 249 * layer, starting in the same TCP segment that ends this 250 * reply, but as LDAP is a request/response protocol, and 251 * as the client probably can't start using authentication until 252 * it gets the bind reply and the server won't send a reply until 253 * it gets a request, that probably won't happen. 254 * 255 * XXX - that assumption is invalid; it's not clear where the 256 * hell you find out whether there's any security layer. In 257 * one capture, we have two GSS-SPNEGO negotiations, both of 258 * which select MS KRB5, and the only differences in the tokens 259 * is in the RC4-HMAC ciphertext. The various 260 * draft-ietf--cat-sasl-gssapi-NN.txt drafts seem to imply 261 * that the RFC 2222 spoo with the bitmask and maximum 262 * output message size stuff is done - but where does that 263 * stuff show up? Is it in the ciphertext, which means it's 264 * presumably encrypted? 265 * 266 * Grrr. We have to do a gross heuristic, checking whether the 267 * putative LDAP message begins with 0x00 or not, making the 268 * assumption that we won't have more than 2^24 bytes of 269 * encapsulated stuff. 270 */ 271 ldap_info->first_auth_frame = actx->pinfo->num + 1; 272 if (ldap_info->auth_mech != NULL && 273 strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) { 274 /* It could be the second leg of GSS-SPNEGO wrapping NTLMSSP 275 * which might not be wrapped in GSS-SPNEGO but be a raw 276 * NTLMSSP blob 277 */ 278 if ( (tvb_reported_length(parameter_tvb)>=7) 279 && (!tvb_memeql(parameter_tvb, 0, "NTLMSSP", 7))){ 280 call_dissector(ntlmssp_handle, parameter_tvb, actx->pinfo, tree); 281 break; 282 } 283 /* 284 * This is a GSS-API token. 285 */ 286 if(parameter_tvb && (tvb_reported_length(parameter_tvb) > 0)) 287 call_dissector(spnego_handle, parameter_tvb, actx->pinfo, tree); 288 } else if (ldap_info->auth_mech != NULL && 289 strcmp(ldap_info->auth_mech, "GSSAPI") == 0) { 290 /* 291 * This is a GSS-API token. 292 */ 293 if(parameter_tvb && (tvb_reported_length(parameter_tvb) > 0)) 294 call_dissector(gssapi_handle, parameter_tvb, actx->pinfo, tree); 295 } 296 break; 297 } 298 actx->private_data = ldap_info; 299 300#.FN_BODY LDAPString VAL_PTR = ¶meter_tvb 301 tvbuff_t *parameter_tvb = NULL; 302 const char *ldapstring = NULL; 303 gchar *sc = NULL; /* semi-colon pointer */ 304 305 offset = dissect_ber_octet_string_with_encoding(implicit_tag, actx, tree, tvb, offset, hf_index, 306 ¶meter_tvb, ENC_UTF_8|ENC_NA); 307 308 if (parameter_tvb || (hf_index == hf_ldap_baseObject)) { 309 310 ldap_do_protocolop(actx->pinfo); 311 312 if(parameter_tvb) 313 ldapstring = tvb_get_string_enc(actx->pinfo->pool, parameter_tvb, 0, tvb_reported_length_remaining(parameter_tvb, 0), ENC_UTF_8|ENC_NA); 314 315 if(hf_index == hf_ldap_baseObject) { 316 /* this is search - put it on the scanline */ 317 if(!ldapstring || !*ldapstring) 318 ldapstring = "<ROOT>"; 319 320 col_append_fstr(actx->pinfo->cinfo, COL_INFO, "\"%%s\" ", format_text(actx->pinfo->pool, ldapstring, strlen(ldapstring))); 321 322 if(ldm_tree) 323 proto_item_append_text(ldm_tree, " \"%%s\"", ldapstring); 324 325 326 if(!parameter_tvb) { 327 328 proto_item_append_text(actx->created_item, " (%%s)", ldapstring); 329 } 330 331 } else if ((hf_index == hf_ldap_errorMessage) && ldapstring && *ldapstring) { /* only show message if not success */ 332 col_append_fstr(actx->pinfo->cinfo, COL_INFO, "(%%s) ", format_text(actx->pinfo->pool, ldapstring, strlen(ldapstring))); 333 334 if(ldm_tree) 335 proto_item_append_text(ldm_tree, " (%%s)", ldapstring); 336 337 } else if ((hf_index == hf_ldap_objectName) || 338 (hf_index == hf_ldap_name) || 339 (hf_index == hf_ldap_entry) || 340 (hf_index == hf_ldap_object) || 341 (hf_index == hf_ldap_delRequest) ) { 342 343 if(!ldapstring || !*ldapstring) 344 ldapstring = "<ROOT>"; 345 346 col_append_fstr(actx->pinfo->cinfo, COL_INFO, "\"%%s\" ", format_text(actx->pinfo->pool, ldapstring, strlen(ldapstring))); 347 348 if(ldm_tree) 349 proto_item_append_text(ldm_tree, " \"%%s\"", ldapstring); 350 } else if (hf_index == hf_ldap_attributeDesc){ 351 /* remember the attribute description */ 352 attributedesc_string=ldapstring; 353 } else if (hf_index == hf_ldap_initial){ 354 /* remember the substring item */ 355 substring_item_init=ldapstring; 356 } else if (hf_index == hf_ldap_any){ 357 /* remember the substring item */ 358 substring_item_any=ldapstring; 359 } else if (hf_index == hf_ldap_final){ 360 /* remember the substring item */ 361 substring_item_final=ldapstring; 362 } else if (hf_index == hf_ldap_matchingRule){ 363 /* remember the matching rule */ 364 matching_rule_string=ldapstring; 365 } else if (hf_index == hf_ldap_present){ 366 /* remember the present name */ 367 Filter_string=ldapstring; 368 } else if (hf_index == hf_ldap_type) { 369 /* remember attribute type name */ 370 attr_type = wmem_strdup(actx->pinfo->pool, ldapstring); 371 372 /* append it to the parent entry */ 373 proto_item_append_text(tree, " %%s", attr_type); 374 375 /* remove the ";binary" component if present */ 376 if((sc = strchr(attr_type, ';')) != NULL) { 377 if(!strcmp(sc, ";binary")) { 378 *sc = '\0'; /* terminate the string */ 379 is_binary_attr_type = TRUE; 380 } 381 } else { 382 is_binary_attr_type = FALSE; 383 } 384 } 385 386 } 387 388#.FN_BODY SearchRequest/_untag/scope VAL_PTR = &scope 389 390 guint32 scope = 0xffff; 391 const gchar *valstr; 392 393%(DEFAULT_BODY)s 394 395 ldap_do_protocolop(actx->pinfo); 396 397 valstr = val_to_str(scope, ldap_T_scope_vals, "Unknown scope(%%u)"); 398 399 col_append_fstr(actx->pinfo->cinfo, COL_INFO, "%%s ", valstr); 400 401 if(ldm_tree) 402 proto_item_append_text(ldm_tree, " %%s", valstr); 403 404#.FN_BODY LDAPResult/resultCode VAL_PTR = &result 405 406 const gchar *valstr; 407 408%(DEFAULT_BODY)s 409 410 ldap_do_protocolop(actx->pinfo); 411 412 valstr = val_to_str(result, ldap_T_resultCode_vals, "Unknown result(%%u)"); 413 414 col_append_fstr(actx->pinfo->cinfo, COL_INFO, "%%s ", valstr); 415 416 if(ldm_tree) 417 proto_item_append_text(ldm_tree, " %%s", valstr); 418 419 420#.FN_BODY BindResponse/_untag/resultCode VAL_PTR = &result 421 422 const gchar *valstr; 423 424%(DEFAULT_BODY)s 425 426 ldap_do_protocolop(actx->pinfo); 427 428 valstr = val_to_str(result, ldap_BindResponse_resultCode_vals, "Unknown result(%%u)"); 429 430 col_append_fstr(actx->pinfo->cinfo, COL_INFO, "%%s ", valstr); 431 432 if(ldm_tree) 433 proto_item_append_text(ldm_tree, " %%s", valstr); 434 435#.FN_BODY ExtendedResponse/_untag/resultCode 436 guint32 resultCode; 437 ldap_conv_info_t *ldap_info = (ldap_conv_info_t *)actx->private_data; 438 439 offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, 440 &resultCode); 441 /* If Start TLS request was sent and resultCode is success... */ 442 if (ldap_info && ldap_info->start_tls_pending && 443 hf_index == hf_ldap_extendedResponse_resultCode && resultCode == 0) { 444 /* The conversation will continue using SSL */ 445 ssl_starttls_ack(find_dissector("tls"), actx->pinfo, ldap_handle); 446 ldap_info->start_tls_pending = FALSE; 447 } 448 449 450#.FN_BODY AttributeValue 451 452 tvbuff_t *next_tvb = NULL; 453 gchar *string; 454 int old_offset = offset; 455 gint *hf_id; 456 457 /* attr_type, should be set before calling this function */ 458 459 /* extract the value of the octetstring */ 460 offset = dissect_ber_octet_string(FALSE, actx, NULL, tvb, offset, hf_index, &next_tvb); 461 462 /* first check if we have a custom attribute type configured */ 463 if ((hf_id = get_hf_for_header (attr_type)) != NULL) 464 proto_tree_add_item (tree, *hf_id, next_tvb, 0, tvb_reported_length_remaining(next_tvb, 0), ENC_UTF_8|ENC_NA); 465 466 /* if we have an attribute type that isn't binary see if there is a better dissector */ 467 else if(!attr_type || !next_tvb || !dissector_try_string_new(ldap_name_dissector_table, attr_type, next_tvb, actx->pinfo, tree, FALSE, NULL)) { 468 offset = old_offset; 469 470 /* do the default thing */ 471 %(DEFAULT_BODY)s 472 473 if(tvb_ascii_isprint(next_tvb, 0, tvb_reported_length(next_tvb))) { 474 string = tvb_get_string_enc(actx->pinfo->pool, next_tvb, 0, tvb_reported_length_remaining(next_tvb, 0), ENC_UTF_8|ENC_NA); 475 proto_item_set_text(actx->created_item, "AttributeValue: %%s", string); 476 } 477 } 478 479#.FN_BODY AuthenticationChoice VAL_PTR = &branch 480 gint branch = -1; 481 gint auth = -1; 482 const gchar *valstr; 483 484%(DEFAULT_BODY)s 485 486 ldap_do_protocolop(actx->pinfo); 487 488 if((branch > -1) && (branch < (gint)(sizeof AuthenticationChoice_choice/sizeof AuthenticationChoice_choice[0]))) 489 auth = AuthenticationChoice_choice[branch].value; 490 491 valstr = val_to_str(auth, ldap_AuthenticationChoice_vals, "Unknown auth(%%u)"); 492 493 /* If auth is NTLM (10 or 11) don't add to column as the NTLM dissection will do this */ 494 if ((auth != 10) && (auth != 11)) 495 col_append_fstr(actx->pinfo->cinfo, COL_INFO, "%%s ", valstr); 496 497 if(ldm_tree) 498 proto_item_append_text(ldm_tree, " %%s", valstr); 499 500 501#.FN_BODY UnbindRequest 502 503 implicit_tag = TRUE; /* correct problem with asn2wrs */ 504 505%(DEFAULT_BODY)s 506 507 ldap_do_protocolop(actx->pinfo); 508 509 510 511 512 513#.FN_HDR SearchRequest/_untag/filter 514 Filter_string=NULL; 515 Filter_elements = 0; 516 Filter_length = 0; 517 518#.FN_FTR SearchRequest/_untag/filter 519 Filter_string=NULL; 520 and_filter_string=NULL; 521 Filter_elements = 0; 522 Filter_length = 0; 523 524#.FN_FTR Filter/equalityMatch 525 Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(%s=%s)", 526 string_or_null(attributedesc_string), 527 string_or_null(ldapvalue_string)); 528 529 530#.FN_FTR Filter/greaterOrEqual 531 Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(%s>=%s)", 532 string_or_null(attributedesc_string), 533 string_or_null(ldapvalue_string)); 534 535 536#.FN_FTR Filter/lessOrEqual 537 Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(%s<=%s)", 538 string_or_null(attributedesc_string), 539 string_or_null(ldapvalue_string)); 540 541 542#.FN_FTR Filter/approxMatch 543 Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(%s~=%s)", 544 string_or_null(attributedesc_string), 545 string_or_null(ldapvalue_string)); 546 547#.FN_FTR Filter/and/_item 548 if(and_filter_string){ 549 and_filter_string=wmem_strdup_printf(actx->pinfo->pool, "(&%s%s)",and_filter_string,Filter_string); 550 } else { 551 and_filter_string=Filter_string; 552 } 553 554#.FN_BODY Filter/and 555 proto_tree *tr=NULL; 556 proto_item *it=NULL; 557 const char *old_and_filter_string=and_filter_string; 558 559 and_filter_string=NULL; 560 561 tr=proto_tree_add_subtree(tree, tvb, offset, -1, ett_ldap_T_and, &it, "and: "); 562 tree = tr; 563 564%(DEFAULT_BODY)s 565 566 if(and_filter_string) { 567 proto_item_append_text(it, "%%s", and_filter_string); 568 Filter_string=wmem_strdup(actx->pinfo->pool, and_filter_string); 569 } 570 and_filter_string=old_and_filter_string; 571 572#.FN_FTR Filter/or/_item 573 if(or_filter_string){ 574 or_filter_string=wmem_strdup_printf(actx->pinfo->pool, "(|%s%s)",or_filter_string,Filter_string); 575 } else { 576 or_filter_string=Filter_string; 577 } 578 579 580#.FN_BODY Filter/or 581 proto_tree *tr; 582 proto_item *it; 583 const char *old_or_filter_string=or_filter_string; 584 585 or_filter_string=NULL; 586 tr=proto_tree_add_subtree(tree, tvb, offset, -1, ett_ldap_T_or, &it, "or: "); 587 tree = tr; 588 589%(DEFAULT_BODY)s 590 if(or_filter_string) { 591 proto_item_append_text(it, "%%s", or_filter_string); 592 Filter_string=wmem_strdup(actx->pinfo->pool, or_filter_string); 593 } 594 or_filter_string=old_or_filter_string; 595 596#.FN_FTR Filter/present 597 Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(%s=*)",string_or_null(Filter_string)); 598 599#.FN_FTR Filter/not 600 Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(!%s)",string_or_null(Filter_string)); 601 602#.FN_BODY MatchingRuleAssertion/dnAttributes 603 gboolean val; 604 605 offset = dissect_ber_boolean(implicit_tag, actx, tree, tvb, offset, hf_index, &val); 606 607 608 matching_rule_dnattr = val; 609 610 611#.FN_HDR Filter/extensibleMatch 612 attr_type=NULL; 613 matching_rule_string=NULL; 614 ldapvalue_string=NULL; 615 matching_rule_dnattr=FALSE; 616 617#.FN_FTR Filter/extensibleMatch 618 Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(%s:%s%s%s=%s)", 619 (attr_type?attr_type:""), 620 (matching_rule_dnattr?"dn:":""), 621 (matching_rule_string?matching_rule_string:""), 622 (matching_rule_string?":":""), 623 string_or_null(ldapvalue_string)); 624 625#.FN_FTR SubstringFilter/substrings/_item 626 if (substring_item_final) { 627 substring_value=wmem_strdup_printf(actx->pinfo->pool, "%s%s", 628 (substring_value?substring_value:"*"), 629 substring_item_final); 630 } else if (substring_item_any) { 631 substring_value=wmem_strdup_printf(actx->pinfo->pool, "%s%s*", 632 (substring_value?substring_value:"*"), 633 substring_item_any); 634 } else if (substring_item_init) { 635 substring_value=wmem_strdup_printf(actx->pinfo->pool, "%s*", 636 substring_item_init); 637 } 638 639#.FN_BODY SubstringFilter 640 proto_tree *tr; 641 proto_item *it; 642 const char *old_substring_value=substring_value; 643 644 attr_type=NULL; 645 substring_value=NULL; 646 substring_item_init=NULL; 647 substring_item_any=NULL; 648 substring_item_final=NULL; 649 650 tr=proto_tree_add_subtree(tree, tvb, offset, -1, ett_ldap_SubstringFilter, &it, "substring: "); 651 tree = tr; 652 653%(DEFAULT_BODY)s 654 Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(%%s=%%s)", 655 string_or_null(attr_type), 656 string_or_null(substring_value)); 657 proto_item_append_text(it, "%%s", Filter_string); 658 substring_value=old_substring_value; 659 660#.FN_BODY Filter 661 proto_tree *tr; 662 proto_item *it; 663 attributedesc_string=NULL; 664 665 if (Filter_length++ > MAX_FILTER_LEN) { 666 expert_add_info_format(actx->pinfo, tree, &ei_ldap_exceeded_filter_length, "Filter length exceeds %%u. Giving up.", MAX_FILTER_LEN); 667 THROW(ReportedBoundsError); 668 } 669 670 if (Filter_elements++ > MAX_FILTER_ELEMENTS) { 671 expert_add_info_format(actx->pinfo, tree, &ei_ldap_too_many_filter_elements, "Found more than %%u filter elements. Giving up.", MAX_FILTER_ELEMENTS); 672 THROW(ReportedBoundsError); 673 } 674 675 tr=proto_tree_add_subtree(tree, tvb, offset, -1, ett_ldap_Filter, &it, "Filter: "); 676 tree = tr; 677 678%(DEFAULT_BODY)s 679 if(Filter_string) 680 proto_item_append_text(it, "%%s", string_or_null(Filter_string)); 681 682#.FN_BODY AuthenticationChoice/ntlmsspNegotiate 683 /* make sure the protocol op comes first */ 684 ldap_do_protocolop(actx->pinfo); 685 686 call_dissector(ntlmssp_handle, tvb, actx->pinfo, tree); 687 offset+=tvb_reported_length_remaining(tvb, offset); 688 689#.FN_BODY AuthenticationChoice/ntlmsspAuth 690 /* make sure the protocol op comes first */ 691 ldap_do_protocolop(actx->pinfo); 692 693 call_dissector(ntlmssp_handle, tvb, actx->pinfo, tree); 694 offset+=tvb_reported_length_remaining(tvb, offset); 695 696#.FN_BODY BindResponse/_untag/matchedDN 697 tvbuff_t *new_tvb=NULL; 698 699 offset = dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_ldap_matchedDN, &new_tvb); 700 701 if( new_tvb 702 && (tvb_reported_length(new_tvb)>=7) 703 && (!tvb_memeql(new_tvb, 0, "NTLMSSP", 7))){ 704 705 /* make sure the protocol op comes first */ 706 ldap_do_protocolop(actx->pinfo); 707 708 call_dissector(ntlmssp_handle, new_tvb, actx->pinfo, tree); 709 } 710 711#.FN_BODY Control/controlValue 712 gint8 ber_class; 713 gboolean pc, ind; 714 gint32 tag; 715 guint32 len; 716 717 if((object_identifier_id != NULL) && oid_has_dissector(object_identifier_id)) { 718 /* remove the OCTET STRING encoding */ 719 offset=dissect_ber_identifier(actx->pinfo, NULL, tvb, offset, &ber_class, &pc, &tag); 720 offset=dissect_ber_length(actx->pinfo, NULL, tvb, offset, &len, &ind); 721 722 call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); 723 724 offset += len; 725 } else { 726 %(DEFAULT_BODY)s 727 } 728 729 730#.FN_BODY ExtendedRequest/_untag/requestValue 731 732 if((object_identifier_id != NULL) && oid_has_dissector(object_identifier_id)) { 733 offset = call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); 734 } else { 735 %(DEFAULT_BODY)s 736 } 737 738#.FN_HDR IntermediateResponse/_untag/responseValue 739 740 const gchar *name; 741 742#.FN_BODY IntermediateResponse/_untag/responseValue 743 if(ldm_tree && object_identifier_id) { 744 proto_item_set_text(ldm_tree, "%%s %%s", "IntermediateResponse", object_identifier_id); 745 name = oid_resolved_from_string(actx->pinfo->pool, object_identifier_id); 746 if(name) 747 proto_item_append_text(ldm_tree, " (%%s)", name); 748 } 749 if((object_identifier_id != NULL) && oid_has_dissector(object_identifier_id)) { 750 offset = call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); 751 } else { 752 %(DEFAULT_BODY)s 753 } 754 755#.FN_BODY DirSyncFlags 756 gint8 ber_class; 757 gboolean pc; 758 gint32 tag; 759 guint32 len; 760 gint32 val; 761 762 int otheroffset = offset; 763 if(!implicit_tag){ 764 dissect_ber_identifier(actx->pinfo, tree, tvb, otheroffset, &ber_class, &pc, &tag); 765 otheroffset=dissect_ber_length(actx->pinfo, tree, tvb, offset, &len, NULL); 766 } else { 767 gint32 remaining=tvb_reported_length_remaining(tvb, offset); 768 len=remaining>0 ? remaining : 0; 769 } 770 771 offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, -1, &val); 772 773 if (val >0) { 774 static int * const flags[] = { 775 &hf_ldap_object_security_flag, 776 &hf_ldap_ancestor_first_flag, 777 &hf_ldap_public_data_only_flag, 778 &hf_ldap_incremental_value_flag, 779 NULL 780 }; 781 782 proto_tree_add_bitmask_value_with_flags(tree, tvb, otheroffset+1, hf_index, 783 ett_ldap_DirSyncFlagsSubEntry, flags, val, BMT_NO_APPEND); 784 } else { 785 proto_tree_add_uint(tree, hf_index, tvb, otheroffset+len, len, 0); 786 } 787 788#.FN_BODY SearchResultReference 789 790%(DEFAULT_BODY)s 791 792 ldap_do_protocolop(actx->pinfo); 793 794 795#.FN_BODY AbandonRequest 796 797%(DEFAULT_BODY)s 798 799 ldap_do_protocolop(actx->pinfo); 800 801#.NO_EMIT 802AttributeType 803Attribute 804AssertionValue 805 806# 807# Editor modelines - https://www.wireshark.org/tools/modelines.html 808# 809# Local variables: 810# c-basic-offset: 2 811# tab-width: 8 812# indent-tabs-mode: nil 813# End: 814# 815# vi: set shiftwidth=2 tabstop=8 expandtab: 816# :indentSize=2:tabSize=8:noTabs=true: 817# 818