1 /* packet-ldap-template.c
2 * Routines for ldap packet dissection
3 *
4 * See RFC 3494 (LDAP v2), RFC 4511 (LDAP v3), and RFC 2222 (SASL).
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
12
13 /*
14 * This is not a complete implementation. It doesn't handle the full version 3, more specifically,
15 * it handles only the commands of version 2, but any additional characteristics of the ver3 command are supported.
16 * It's also missing extensible search filters.
17 *
18 * There should probably be a lot more error checking, I simply assume that if we have a full packet, it will be a complete
19 * and correct packet.
20 *
21 * AFAIK, it will handle all messages used by the OpenLDAP 1.2.9 server and libraries which was my goal. I do plan to add
22 * the remaining commands as time permits but this is not a priority to me. Send me an email if you need it and I'll see what
23 * I can do.
24 *
25 * Doug Nazar
26 * nazard@dragoninc.on.ca
27 */
28
29 /*
30 * 11/11/2002 - Fixed problem when decoding LDAP with desegmentation enabled and the
31 * ASN.1 BER Universal Class Tag: "Sequence Of" header is encapsulated across 2
32 * TCP segments.
33 *
34 * Ronald W. Henderson
35 * ronald.henderson@cognicaseusa.com
36 */
37
38 /*
39 * 20-JAN-2004 - added decoding of MS-CLDAP netlogon RPC
40 * using information from the SNIA 2003 conference paper :
41 * Active Directory Domain Controller Location Service
42 * by Anthony Liguori
43 * ronnie sahlberg
44 */
45
46 /*
47 * 17-DEC-2004 - added basic decoding for LDAP Controls
48 * 20-DEC-2004 - added handling for GSS-API encrypted blobs
49 *
50 * Stefan Metzmacher <metze@samba.org>
51 *
52 * 15-NOV-2005 - Changed to use the asn2wrs compiler
53 * Anders Broman <anders.broman@ericsson.com>
54 */
55
56 /*
57 * 3-AUG-2008 - Extended the cldap support to include all netlogon data types.
58 * Updated cldap_netlogon_flags to include Windows 2008 flags
59 * Expanded the ntver ldap option with bit field
60 *
61 * Gary Reynolds <gazzadownunder@yahoo.co.uk>
62 */
63
64 /*
65 * 09-DEC-2009 - Added support for RFC4533
66 * Content Synchronization Operation (aka syncrepl)
67 * 11-DEC-2009 - Added support for IntermediateResponse (LDAP v3 from RFC 4511)
68 * Mathieu Parent <math.parent@gmail.com>
69 */
70
71 #include "config.h"
72
73 #include <epan/packet.h>
74 #include <epan/exceptions.h>
75 #include <epan/conversation.h>
76 #include <epan/prefs.h>
77 #include <epan/tap.h>
78 #include <epan/srt_table.h>
79 #include <epan/oids.h>
80 #include <epan/strutil.h>
81 #include <epan/show_exception.h>
82 #include <epan/asn1.h>
83 #include <epan/expert.h>
84 #include <epan/uat.h>
85 #include <wsutil/str_util.h>
86 #include "packet-frame.h"
87 #include "packet-tcp.h"
88 #include "packet-windows-common.h"
89 #include "packet-dcerpc.h"
90
91 #include "packet-ldap.h"
92 #include "packet-ntlmssp.h"
93 #include "packet-tls.h"
94 #include "packet-tls-utils.h"
95 #include "packet-gssapi.h"
96 #include "packet-acdr.h"
97
98 #include "packet-ber.h"
99 #include "packet-per.h"
100 #include "packet-dns.h"
101
102 #define PNAME "Lightweight Directory Access Protocol"
103 #define PSNAME "LDAP"
104 #define PFNAME "ldap"
105
106 void proto_register_ldap(void);
107 void proto_reg_handoff_ldap(void);
108
109 /* Initialize the protocol and registered fields */
110 static int ldap_tap = -1;
111 static int proto_ldap = -1;
112 static int proto_cldap = -1;
113
114 static int hf_ldap_sasl_buffer_length = -1;
115 static int hf_ldap_response_in = -1;
116 static int hf_ldap_response_to = -1;
117 static int hf_ldap_time = -1;
118 static int hf_ldap_guid = -1;
119
120 static int hf_mscldap_ntver_flags = -1;
121 static int hf_mscldap_ntver_flags_v1 = -1;
122 static int hf_mscldap_ntver_flags_v5 = -1;
123 static int hf_mscldap_ntver_flags_v5ex = -1;
124 static int hf_mscldap_ntver_flags_v5ep = -1;
125 static int hf_mscldap_ntver_flags_vcs = -1;
126 static int hf_mscldap_ntver_flags_vnt4 = -1;
127 static int hf_mscldap_ntver_flags_vpdc = -1;
128 static int hf_mscldap_ntver_flags_vip = -1;
129 static int hf_mscldap_ntver_flags_vl = -1;
130 static int hf_mscldap_ntver_flags_vgc = -1;
131
132 static int hf_mscldap_netlogon_ipaddress_family = -1;
133 static int hf_mscldap_netlogon_ipaddress_port = -1;
134 static int hf_mscldap_netlogon_ipaddress = -1;
135 static int hf_mscldap_netlogon_ipaddress_ipv4 = -1;
136 static int hf_mscldap_netlogon_opcode = -1;
137 static int hf_mscldap_netlogon_flags = -1;
138 static int hf_mscldap_netlogon_flags_pdc = -1;
139 static int hf_mscldap_netlogon_flags_gc = -1;
140 static int hf_mscldap_netlogon_flags_ldap = -1;
141 static int hf_mscldap_netlogon_flags_ds = -1;
142 static int hf_mscldap_netlogon_flags_kdc = -1;
143 static int hf_mscldap_netlogon_flags_timeserv = -1;
144 static int hf_mscldap_netlogon_flags_closest = -1;
145 static int hf_mscldap_netlogon_flags_writable = -1;
146 static int hf_mscldap_netlogon_flags_good_timeserv = -1;
147 static int hf_mscldap_netlogon_flags_ndnc = -1;
148 static int hf_mscldap_netlogon_flags_fnc = -1;
149 static int hf_mscldap_netlogon_flags_dnc = -1;
150 static int hf_mscldap_netlogon_flags_dns = -1;
151 static int hf_mscldap_netlogon_flags_wdc = -1;
152 static int hf_mscldap_netlogon_flags_rodc = -1;
153 static int hf_mscldap_domain_guid = -1;
154 static int hf_mscldap_forest = -1;
155 static int hf_mscldap_domain = -1;
156 static int hf_mscldap_hostname = -1;
157 static int hf_mscldap_nb_domain_z = -1;
158 static int hf_mscldap_nb_domain = -1;
159 static int hf_mscldap_nb_hostname_z = -1;
160 static int hf_mscldap_nb_hostname = -1;
161 static int hf_mscldap_username_z = -1;
162 static int hf_mscldap_username = -1;
163 static int hf_mscldap_sitename = -1;
164 static int hf_mscldap_clientsitename = -1;
165 static int hf_mscldap_netlogon_lm_token = -1;
166 static int hf_mscldap_netlogon_nt_token = -1;
167 static int hf_ldap_sid = -1;
168 static int hf_ldap_AccessMask_ADS_CREATE_CHILD = -1;
169 static int hf_ldap_AccessMask_ADS_DELETE_CHILD = -1;
170 static int hf_ldap_AccessMask_ADS_LIST = -1;
171 static int hf_ldap_AccessMask_ADS_SELF_WRITE = -1;
172 static int hf_ldap_AccessMask_ADS_READ_PROP = -1;
173 static int hf_ldap_AccessMask_ADS_WRITE_PROP = -1;
174 static int hf_ldap_AccessMask_ADS_DELETE_TREE = -1;
175 static int hf_ldap_AccessMask_ADS_LIST_OBJECT = -1;
176 static int hf_ldap_AccessMask_ADS_CONTROL_ACCESS = -1;
177 static int hf_ldap_LDAPMessage_PDU = -1;
178 static int hf_ldap_object_security_flag = -1;
179 static int hf_ldap_ancestor_first_flag = -1;
180 static int hf_ldap_public_data_only_flag = -1;
181 static int hf_ldap_incremental_value_flag = -1;
182 static int hf_ldap_oid = -1;
183 static int hf_ldap_gssapi_encrypted_payload = -1;
184
185 #include "packet-ldap-hf.c"
186
187 /* Initialize the subtree pointers */
188 static gint ett_ldap = -1;
189 static gint ett_ldap_msg = -1;
190 static gint ett_ldap_sasl_blob = -1;
191 static gint ett_ldap_payload = -1;
192 static gint ett_mscldap_netlogon_flags = -1;
193 static gint ett_mscldap_ntver_flags = -1;
194 static gint ett_mscldap_ipdetails = -1;
195 static gint ett_ldap_DirSyncFlagsSubEntry = -1;
196
197 #include "packet-ldap-ett.c"
198
199 static expert_field ei_ldap_exceeded_filter_length = EI_INIT;
200 static expert_field ei_ldap_too_many_filter_elements = EI_INIT;
201
202 static dissector_table_t ldap_name_dissector_table=NULL;
203 static const char *object_identifier_id = NULL; /* LDAP OID */
204
205 static gboolean do_protocolop = FALSE;
206 static gchar *attr_type = NULL;
207 static gboolean is_binary_attr_type = FALSE;
208 static gboolean ldap_found_in_frame = FALSE;
209
210 #define TCP_PORT_RANGE_LDAP "389,3268" /* 3268 is Windows 2000 Global Catalog */
211 #define TCP_PORT_LDAPS 636
212 #define UDP_PORT_CLDAP 389
213
214 /* desegmentation of LDAP */
215 static gboolean ldap_desegment = TRUE;
216 static guint global_ldaps_tcp_port = TCP_PORT_LDAPS;
217 static guint ssl_port = 0;
218
219 static dissector_handle_t gssapi_handle;
220 static dissector_handle_t gssapi_wrap_handle;
221 static dissector_handle_t ntlmssp_handle;
222 static dissector_handle_t spnego_handle;
223 static dissector_handle_t tls_handle;
224 static dissector_handle_t ldap_handle ;
225
226 static void prefs_register_ldap(void); /* forward declaration for use in preferences registration */
227
228
229 /* different types of rpc calls ontop of ms cldap */
230 #define MSCLDAP_RPC_NETLOGON 1
231
232 /* Message type Choice values */
233 static const value_string ldap_ProtocolOp_choice_vals[] = {
234 { 0, "bindRequest" },
235 { 1, "bindResponse" },
236 { 2, "unbindRequest" },
237 { 3, "searchRequest" },
238 { 4, "searchResEntry" },
239 { 5, "searchResDone" },
240 { 6, "searchResRef" },
241 { 7, "modifyRequest" },
242 { 8, "modifyResponse" },
243 { 9, "addRequest" },
244 { 10, "addResponse" },
245 { 11, "delRequest" },
246 { 12, "delResponse" },
247 { 13, "modDNRequest" },
248 { 14, "modDNResponse" },
249 { 15, "compareRequest" },
250 { 16, "compareResponse" },
251 { 17, "abandonRequest" },
252 { 18, "extendedReq" },
253 { 19, "extendedResp" },
254 { 20, "intermediateResponse" },
255 { 0, NULL }
256 };
257
258 /* Procedure names (used in Service Response Time */
259 const value_string ldap_procedure_names[] = {
260 { 0, "Bind" },
261 { 3, "Search" },
262 { 6, "Modify" },
263 { 8, "Add" },
264 { 10, "Delete" },
265 { 12, "Modrdn" },
266 { 14, "Compare" },
267 { 23, "Extended" },
268 { 0, NULL }
269 };
270
271 #define LOGON_PRIMARY_QUERY 7
272 #define LOGON_PRIMARY_RESPONSE 12
273 #define LOGON_SAM_LOGON_REQUEST 18
274 #define LOGON_SAM_LOGON_RESPONSE 19
275 #define LOGON_SAM_PAUSE_RESPONSE 20
276 #define LOGON_SAM_USER_UNKNOWN 21
277 #define LOGON_SAM_LOGON_RESPONSE_EX 23
278 #define LOGON_SAM_PAUSE_RESPONSE_EX 24
279 #define LOGON_SAM_USER_UNKNOWN_EX 25
280
281 static const value_string netlogon_opcode_vals[] = {
282 { LOGON_PRIMARY_QUERY, "LOGON_PRIMARY_QUERY" },
283 { LOGON_PRIMARY_RESPONSE, "LOGON_PRIMARY_RESPONSE" },
284 { LOGON_SAM_LOGON_REQUEST, "LOGON_SAM_LOGON_REQUEST" },
285 { LOGON_SAM_LOGON_RESPONSE, "LOGON_SAM_LOGON_RESPONSE" },
286 { LOGON_SAM_PAUSE_RESPONSE, "LOGON_SAM_PAUSE_RESPONSE" },
287 { LOGON_SAM_LOGON_RESPONSE_EX, "LOGON_SAM_LOGON_RESPONSE_EX" },
288 { LOGON_SAM_PAUSE_RESPONSE_EX, "LOGON_SAM_PAUSE_RESPONSE_EX" },
289 { LOGON_SAM_USER_UNKNOWN_EX, "LOGON_SAM_USER_UNKNOWN_EX" },
290 { 0, NULL }
291 };
292
293 #define LDAP_NUM_PROCEDURES 24
294
295 static void
ldapstat_init(struct register_srt * srt _U_,GArray * srt_array)296 ldapstat_init(struct register_srt* srt _U_, GArray* srt_array)
297 {
298 srt_stat_table *ldap_srt_table;
299 guint32 i;
300
301 ldap_srt_table = init_srt_table("LDAP Commands", NULL, srt_array, LDAP_NUM_PROCEDURES, NULL, "ldap.protocolOp", NULL);
302 for (i = 0; i < LDAP_NUM_PROCEDURES; i++)
303 {
304 init_srt_table_row(ldap_srt_table, i, val_to_str_const(i, ldap_procedure_names, "<unknown>"));
305 }
306 }
307
308 static tap_packet_status
ldapstat_packet(void * pldap,packet_info * pinfo,epan_dissect_t * edt _U_,const void * psi)309 ldapstat_packet(void *pldap, packet_info *pinfo, epan_dissect_t *edt _U_, const void *psi)
310 {
311 guint i = 0;
312 srt_stat_table *ldap_srt_table;
313 const ldap_call_response_t *ldap=(const ldap_call_response_t *)psi;
314 srt_data_t *data = (srt_data_t *)pldap;
315
316 /* we are only interested in reply packets */
317 if(ldap->is_request){
318 return TAP_PACKET_DONT_REDRAW;
319 }
320 /* if we havnt seen the request, just ignore it */
321 if(!ldap->req_frame){
322 return TAP_PACKET_DONT_REDRAW;
323 }
324
325 /* only use the commands we know how to handle */
326 switch(ldap->protocolOpTag){
327 case LDAP_REQ_BIND:
328 case LDAP_REQ_SEARCH:
329 case LDAP_REQ_MODIFY:
330 case LDAP_REQ_ADD:
331 case LDAP_REQ_DELETE:
332 case LDAP_REQ_MODRDN:
333 case LDAP_REQ_COMPARE:
334 case LDAP_REQ_EXTENDED:
335 break;
336 default:
337 return TAP_PACKET_DONT_REDRAW;
338 }
339
340 ldap_srt_table = g_array_index(data->srt_array, srt_stat_table*, i);
341
342 add_srt_table_data(ldap_srt_table, ldap->protocolOpTag, &ldap->req_time, pinfo);
343 return TAP_PACKET_REDRAW;
344 }
345
346 /*
347 * Data structure attached to a conversation, giving authentication
348 * information from a bind request.
349 */
350 typedef struct ldap_conv_info_t {
351 guint auth_type; /* authentication type */
352 char *auth_mech; /* authentication mechanism */
353 guint32 first_auth_frame; /* first frame that would use a security layer */
354 wmem_map_t *unmatched;
355 wmem_map_t *matched;
356 gboolean is_mscldap;
357 guint32 num_results;
358 gboolean start_tls_pending;
359 guint32 start_tls_frame;
360 } ldap_conv_info_t;
361
362 static guint
ldap_info_hash_matched(gconstpointer k)363 ldap_info_hash_matched(gconstpointer k)
364 {
365 const ldap_call_response_t *key = (const ldap_call_response_t *)k;
366
367 return key->messageId;
368 }
369
370 static gint
ldap_info_equal_matched(gconstpointer k1,gconstpointer k2)371 ldap_info_equal_matched(gconstpointer k1, gconstpointer k2)
372 {
373 const ldap_call_response_t *key1 = (const ldap_call_response_t*)k1;
374 const ldap_call_response_t *key2 = (const ldap_call_response_t*)k2;
375
376 if( key1->req_frame && key2->req_frame && (key1->req_frame!=key2->req_frame) ){
377 return 0;
378 }
379 /* a response may span multiple frames
380 if( key1->rep_frame && key2->rep_frame && (key1->rep_frame!=key2->rep_frame) ){
381 return 0;
382 }
383 */
384
385 return key1->messageId==key2->messageId;
386 }
387
388 static guint
ldap_info_hash_unmatched(gconstpointer k)389 ldap_info_hash_unmatched(gconstpointer k)
390 {
391 const ldap_call_response_t *key = (const ldap_call_response_t*)k;
392
393 return key->messageId;
394 }
395
396 static gint
ldap_info_equal_unmatched(gconstpointer k1,gconstpointer k2)397 ldap_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
398 {
399 const ldap_call_response_t *key1 = (const ldap_call_response_t*)k1;
400 const ldap_call_response_t *key2 = (const ldap_call_response_t*)k2;
401
402 return key1->messageId==key2->messageId;
403 }
404
405
406 /* These are the NtVer flags from MS-ADTS section 6.3.1.1
407 * https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts
408 */
409
410 static const true_false_string tfs_ntver_v1 = {
411 "Client requested version 1 netlogon response",
412 "Version 1 netlogon response not requested"
413 };
414
415 static const true_false_string tfs_ntver_v5 = {
416 "Client requested version 5 netlogon response",
417 "Version 5 netlogon response not requested"
418 };
419 static const true_false_string tfs_ntver_v5ex = {
420 "Client requested version 5 extended netlogon response",
421 "Version 5 extended response not requested"
422 };
423 static const true_false_string tfs_ntver_v5ep = {
424 "Client has requested IP address of the server",
425 "IP address of server not requested"
426 };
427 static const true_false_string tfs_ntver_vcs = {
428 "Client has asked for the closest site information",
429 "Closest site information not requested"
430 };
431 static const true_false_string tfs_ntver_vnt4 = {
432 "Client is requesting server to avoid NT4 emulation",
433 "Only full AD DS requested"
434 };
435 static const true_false_string tfs_ntver_vpdc = {
436 "Client has requested the Primary Domain Controller",
437 "Primary Domain Controller not requested"
438 };
439 static const true_false_string tfs_ntver_vip = {
440 "Client has requested IP details (obsolete)",
441 "IP details not requested (obsolete)"
442 };
443 static const true_false_string tfs_ntver_vl = {
444 "Client indicated that it is the local machine",
445 "Client is not the local machine"
446 };static const true_false_string tfs_ntver_vgc = {
447 "Client has requested a Global Catalog server",
448 "Global Catalog not requested"
449 };
450
451 /* Stuff for generation/handling of fields for custom AttributeValues */
452 typedef struct _attribute_type_t {
453 gchar* attribute_type;
454 gchar* attribute_desc;
455 } attribute_type_t;
456
457 static attribute_type_t* attribute_types;
458 static guint num_attribute_types;
459
460 static GHashTable* attribute_types_hash;
461 static hf_register_info* dynamic_hf;
462 static guint dynamic_hf_size;
463
464 static gboolean
attribute_types_update_cb(void * r,char ** err)465 attribute_types_update_cb(void *r, char **err)
466 {
467 attribute_type_t *rec = (attribute_type_t *)r;
468 char c;
469
470 if (rec->attribute_type == NULL) {
471 *err = g_strdup("Attribute type can't be empty");
472 return FALSE;
473 }
474
475 g_strstrip(rec->attribute_type);
476 if (rec->attribute_type[0] == 0) {
477 *err = g_strdup("Attribute type can't be empty");
478 return FALSE;
479 }
480
481 /* Check for invalid characters (to avoid asserting out when
482 * registering the field).
483 */
484 c = proto_check_field_name(rec->attribute_type);
485 if (c) {
486 *err = g_strdup_printf("Attribute type can't contain '%c'", c);
487 return FALSE;
488 }
489
490 *err = NULL;
491 return TRUE;
492 }
493
494 static void *
attribute_types_copy_cb(void * n,const void * o,size_t siz _U_)495 attribute_types_copy_cb(void* n, const void* o, size_t siz _U_)
496 {
497 attribute_type_t* new_rec = (attribute_type_t*)n;
498 const attribute_type_t* old_rec = (const attribute_type_t*)o;
499
500 new_rec->attribute_type = g_strdup(old_rec->attribute_type);
501 new_rec->attribute_desc = g_strdup(old_rec->attribute_desc);
502
503 return new_rec;
504 }
505
506 static void
attribute_types_free_cb(void * r)507 attribute_types_free_cb(void*r)
508 {
509 attribute_type_t* rec = (attribute_type_t*)r;
510
511 g_free(rec->attribute_type);
512 g_free(rec->attribute_desc);
513 }
514
UAT_CSTRING_CB_DEF(attribute_types,attribute_type,attribute_type_t)515 UAT_CSTRING_CB_DEF(attribute_types, attribute_type, attribute_type_t)
516 UAT_CSTRING_CB_DEF(attribute_types, attribute_desc, attribute_type_t)
517
518 /*
519 *
520 */
521 static gint*
522 get_hf_for_header(char* attribute_type)
523 {
524 gint* hf_id = NULL;
525
526 if (attribute_types_hash) {
527 hf_id = (gint*) g_hash_table_lookup(attribute_types_hash, attribute_type);
528 } else {
529 hf_id = NULL;
530 }
531
532 return hf_id;
533 }
534
535 /*
536 *
537 */
538 static void
deregister_attribute_types(void)539 deregister_attribute_types(void)
540 {
541 if (dynamic_hf) {
542 /* Deregister all fields */
543 for (guint i = 0; i < dynamic_hf_size; i++) {
544 proto_deregister_field (proto_ldap, *(dynamic_hf[i].p_id));
545 g_free (dynamic_hf[i].p_id);
546 }
547
548 proto_add_deregistered_data (dynamic_hf);
549 dynamic_hf = NULL;
550 dynamic_hf_size = 0;
551 }
552
553 if (attribute_types_hash) {
554 g_hash_table_destroy (attribute_types_hash);
555 attribute_types_hash = NULL;
556 }
557 }
558
559 static void
attribute_types_post_update_cb(void)560 attribute_types_post_update_cb(void)
561 {
562 gint* hf_id;
563 gchar* attribute_type;
564
565 deregister_attribute_types();
566
567 if (num_attribute_types) {
568 attribute_types_hash = g_hash_table_new(g_str_hash, g_str_equal);
569 dynamic_hf = g_new0(hf_register_info,num_attribute_types);
570 dynamic_hf_size = num_attribute_types;
571
572 for (guint i = 0; i < dynamic_hf_size; i++) {
573 hf_id = g_new(gint,1);
574 *hf_id = -1;
575 attribute_type = g_strdup(attribute_types[i].attribute_type);
576
577 dynamic_hf[i].p_id = hf_id;
578 dynamic_hf[i].hfinfo.name = attribute_type;
579 dynamic_hf[i].hfinfo.abbrev = g_strdup_printf("ldap.AttributeValue.%s", attribute_type);
580 dynamic_hf[i].hfinfo.type = FT_STRING;
581 dynamic_hf[i].hfinfo.display = BASE_NONE;
582 dynamic_hf[i].hfinfo.strings = NULL;
583 dynamic_hf[i].hfinfo.bitmask = 0;
584 dynamic_hf[i].hfinfo.blurb = g_strdup(attribute_types[i].attribute_desc);
585 HFILL_INIT(dynamic_hf[i]);
586
587 g_hash_table_insert(attribute_types_hash, attribute_type, hf_id);
588 }
589
590 proto_register_field_array(proto_ldap, dynamic_hf, dynamic_hf_size);
591 }
592 }
593
594 static void
attribute_types_reset_cb(void)595 attribute_types_reset_cb(void)
596 {
597 deregister_attribute_types();
598 }
599
600 /* MS-ADTS specification, section 6.3.1.1, NETLOGON_NT_VERSION Options Bits */
dissect_mscldap_ntver_flags(proto_tree * parent_tree,tvbuff_t * tvb,int offset)601 static int dissect_mscldap_ntver_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
602 {
603 static int * const flags[] = {
604 &hf_mscldap_ntver_flags_v1,
605 &hf_mscldap_ntver_flags_v5,
606 &hf_mscldap_ntver_flags_v5ex,
607 &hf_mscldap_ntver_flags_v5ep,
608 &hf_mscldap_ntver_flags_vcs,
609 &hf_mscldap_ntver_flags_vnt4,
610 &hf_mscldap_ntver_flags_vpdc,
611 &hf_mscldap_ntver_flags_vip,
612 &hf_mscldap_ntver_flags_vl,
613 &hf_mscldap_ntver_flags_vgc,
614 NULL
615 };
616
617 proto_tree_add_bitmask_with_flags(parent_tree, tvb, offset, hf_mscldap_ntver_flags,
618 ett_mscldap_ntver_flags, flags, ENC_LITTLE_ENDIAN, BMT_NO_FALSE);
619 offset += 4;
620
621 return offset;
622 }
623
624 /* This string contains the last LDAPString that was decoded */
625 static const char *attributedesc_string=NULL;
626
627 /* This string contains the last AssertionValue that was decoded */
628 static char *ldapvalue_string=NULL;
629
630 /* if the octet string contain all printable ASCII characters, then
631 * display it as a string, othervise just display it in hex.
632 */
633 static int
dissect_ldap_AssertionValue(gboolean implicit_tag,tvbuff_t * tvb,int offset,asn1_ctx_t * actx _U_,proto_tree * tree,int hf_index)634 dissect_ldap_AssertionValue(gboolean implicit_tag, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_, proto_tree *tree, int hf_index)
635 {
636 gint8 ber_class;
637 gboolean pc, ind, is_ascii;
638 gint32 tag;
639 guint32 len;
640
641 if(!implicit_tag){
642 offset=get_ber_identifier(tvb, offset, &ber_class, &pc, &tag);
643 offset=get_ber_length(tvb, offset, &len, &ind);
644 } else {
645 len=tvb_reported_length_remaining(tvb,offset);
646 }
647
648 if(len==0){
649 return offset;
650 }
651
652
653 /*
654 * Some special/wellknown attributes in common LDAP (read AD)
655 * are neither ascii strings nor blobs of hex data.
656 * Special case these attributes and decode them more nicely.
657 *
658 * Add more special cases as required to prettify further
659 * (there can't be that many ones that are truly interesting)
660 */
661 if(attributedesc_string && !strncmp("DomainSid", attributedesc_string, 9)){
662 tvbuff_t *sid_tvb;
663 char *tmpstr;
664
665 /* this octet string contains an NT SID */
666 sid_tvb=tvb_new_subset_length(tvb, offset, len);
667 dissect_nt_sid(sid_tvb, 0, tree, "SID", &tmpstr, hf_index);
668 ldapvalue_string=tmpstr;
669
670 goto finished;
671 } else if ( (len==16) /* GUIDs are always 16 bytes */
672 && (attributedesc_string && !strncmp("DomainGuid", attributedesc_string, 10))) {
673 guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
674 e_guid_t uuid;
675
676 /* This octet string contained a GUID */
677 dissect_dcerpc_uuid_t(tvb, offset, actx->pinfo, tree, drep, hf_ldap_guid, &uuid);
678
679 ldapvalue_string=(char*)wmem_alloc(actx->pinfo->pool, 1024);
680 g_snprintf(ldapvalue_string, 1023, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
681 uuid.data1, uuid.data2, uuid.data3, uuid.data4[0], uuid.data4[1],
682 uuid.data4[2], uuid.data4[3], uuid.data4[4], uuid.data4[5],
683 uuid.data4[6], uuid.data4[7]);
684
685 goto finished;
686 } else if (attributedesc_string && !strncmp("NtVer", attributedesc_string, 5)){
687 guint32 flags;
688
689 len = 0;
690 /* get flag value to populate ldapvalue_string */
691 flags=tvb_get_letohl(tvb, offset);
692
693 ldapvalue_string=(char*)wmem_alloc(actx->pinfo->pool, 1024);
694 g_snprintf(ldapvalue_string, 1023, "0x%08x",flags);
695
696 /* populate bitmask subtree */
697 offset = dissect_mscldap_ntver_flags(tree, tvb, offset);
698
699 goto finished;
700
701
702 }
703
704 /*
705 * It was not one of our "wellknown" attributes so make the best
706 * we can and just try to see if it is an ascii string or if it
707 * is a binary blob.
708 *
709 * XXX - should we support reading RFC 2252-style schemas
710 * for LDAP, and using that to determine how to display
711 * attribute values and assertion values?
712 *
713 * -- I don't think there are full schemas available that describe the
714 * interesting cases i.e. AD -- ronnie
715 */
716 is_ascii=tvb_ascii_isprint(tvb, offset, len);
717
718 /* convert the string into a printable string */
719 if(is_ascii){
720 ldapvalue_string= tvb_get_string_enc(actx->pinfo->pool, tvb, offset, len, ENC_UTF_8|ENC_NA);
721 } else {
722 ldapvalue_string= tvb_bytes_to_str_punct(actx->pinfo->pool, tvb, offset, len, ':');
723 }
724
725 proto_tree_add_string(tree, hf_index, tvb, offset, len, ldapvalue_string);
726
727
728 finished:
729 offset+=len;
730 return offset;
731 }
732
733 /* This string contains the last Filter item that was decoded */
734 static const char *Filter_string=NULL;
735 static const char *and_filter_string=NULL;
736 static const char *or_filter_string=NULL;
737 static const char *substring_value=NULL;
738 static const char *substring_item_init=NULL;
739 static const char *substring_item_any=NULL;
740 static const char *substring_item_final=NULL;
741 static const char *matching_rule_string=NULL;
742 static gboolean matching_rule_dnattr=FALSE;
743
744 #define MAX_FILTER_LEN 4096
745 static gint Filter_length;
746
747 #define MAX_FILTER_ELEMENTS 200
748 static gint Filter_elements;
749
750 /* Global variables */
751 static gint MessageID =-1;
752 static gint ProtocolOp = -1;
753 static gint result = 0;
754 static proto_item *ldm_tree = NULL; /* item to add text to */
755
ldap_do_protocolop(packet_info * pinfo)756 static void ldap_do_protocolop(packet_info *pinfo)
757 {
758 const gchar* valstr;
759
760 if (do_protocolop) {
761
762 valstr = val_to_str(ProtocolOp, ldap_ProtocolOp_choice_vals, "Unknown (%%u)");
763
764 col_append_fstr(pinfo->cinfo, COL_INFO, "%s(%u) ", valstr, MessageID);
765
766 if(ldm_tree)
767 proto_item_append_text(ldm_tree, " %s(%d)", valstr, MessageID);
768
769 do_protocolop = FALSE;
770
771 }
772 }
773
774 static ldap_call_response_t *
ldap_match_call_response(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,guint messageId,guint protocolOpTag,ldap_conv_info_t * ldap_info)775 ldap_match_call_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint messageId, guint protocolOpTag, ldap_conv_info_t *ldap_info)
776 {
777 ldap_call_response_t lcr, *lcrp=NULL;
778
779 /* first see if we have already matched this */
780
781 lcr.messageId=messageId;
782 switch(protocolOpTag){
783 case LDAP_REQ_BIND:
784 case LDAP_REQ_SEARCH:
785 case LDAP_REQ_MODIFY:
786 case LDAP_REQ_ADD:
787 case LDAP_REQ_DELETE:
788 case LDAP_REQ_MODRDN:
789 case LDAP_REQ_COMPARE:
790 case LDAP_REQ_EXTENDED:
791 lcr.is_request=TRUE;
792 lcr.req_frame=pinfo->num;
793 lcr.rep_frame=0;
794 break;
795 case LDAP_RES_BIND:
796 case LDAP_RES_SEARCH_ENTRY:
797 case LDAP_RES_SEARCH_REF:
798 case LDAP_RES_SEARCH_RESULT:
799 case LDAP_RES_MODIFY:
800 case LDAP_RES_ADD:
801 case LDAP_RES_DELETE:
802 case LDAP_RES_MODRDN:
803 case LDAP_RES_COMPARE:
804 case LDAP_RES_EXTENDED:
805 case LDAP_RES_INTERMEDIATE:
806 lcr.is_request=FALSE;
807 lcr.req_frame=0;
808 lcr.rep_frame=pinfo->num;
809 break;
810 default:
811 return NULL;
812 }
813 lcrp=(ldap_call_response_t *)wmem_map_lookup(ldap_info->matched, &lcr);
814
815 if(lcrp){
816
817 lcrp->is_request=lcr.is_request;
818
819 } else {
820
821 /* we haven't found a match - try and match it up */
822
823 switch(protocolOpTag){
824 case LDAP_REQ_BIND:
825 case LDAP_REQ_SEARCH:
826 case LDAP_REQ_MODIFY:
827 case LDAP_REQ_ADD:
828 case LDAP_REQ_DELETE:
829 case LDAP_REQ_MODRDN:
830 case LDAP_REQ_COMPARE:
831 case LDAP_REQ_EXTENDED:
832
833 /* this a a request - add it to the unmatched list */
834
835 /* check that we don't already have one of those in the
836 unmatched list and if so remove it */
837
838 lcr.messageId=messageId;
839 lcrp=(ldap_call_response_t *)wmem_map_lookup(ldap_info->unmatched, &lcr);
840 if(lcrp){
841 wmem_map_remove(ldap_info->unmatched, lcrp);
842 }
843 /* if we can't reuse the old one, grab a new chunk */
844 if(!lcrp){
845 lcrp=wmem_new0(wmem_file_scope(), ldap_call_response_t);
846 }
847 lcrp->messageId=messageId;
848 lcrp->req_frame=pinfo->num;
849 lcrp->req_time=pinfo->abs_ts;
850 lcrp->rep_frame=0;
851 lcrp->protocolOpTag=protocolOpTag;
852 lcrp->is_request=TRUE;
853 wmem_map_insert(ldap_info->unmatched, lcrp, lcrp);
854 return NULL;
855 break;
856 case LDAP_RES_BIND:
857 case LDAP_RES_SEARCH_ENTRY:
858 case LDAP_RES_SEARCH_REF:
859 case LDAP_RES_SEARCH_RESULT:
860 case LDAP_RES_MODIFY:
861 case LDAP_RES_ADD:
862 case LDAP_RES_DELETE:
863 case LDAP_RES_MODRDN:
864 case LDAP_RES_COMPARE:
865 case LDAP_RES_EXTENDED:
866 case LDAP_RES_INTERMEDIATE:
867
868 /* this is a result - it should be in our unmatched list */
869
870 lcr.messageId=messageId;
871 lcrp=(ldap_call_response_t *)wmem_map_lookup(ldap_info->unmatched, &lcr);
872
873 if(lcrp){
874
875 if(!lcrp->rep_frame){
876 wmem_map_remove(ldap_info->unmatched, lcrp);
877 lcrp->rep_frame=pinfo->num;
878 lcrp->is_request=FALSE;
879 wmem_map_insert(ldap_info->matched, lcrp, lcrp);
880 }
881 }
882
883 break;
884 }
885
886 }
887 /* we have found a match */
888
889 if(lcrp){
890 proto_item *it;
891
892 if(lcrp->is_request){
893 it=proto_tree_add_uint(tree, hf_ldap_response_in, tvb, 0, 0, lcrp->rep_frame);
894 proto_item_set_generated(it);
895 } else {
896 nstime_t ns;
897 it=proto_tree_add_uint(tree, hf_ldap_response_to, tvb, 0, 0, lcrp->req_frame);
898 proto_item_set_generated(it);
899 nstime_delta(&ns, &pinfo->abs_ts, &lcrp->req_time);
900 it=proto_tree_add_time(tree, hf_ldap_time, tvb, 0, 0, &ns);
901 proto_item_set_generated(it);
902 }
903 }
904
905 return lcrp;
906 }
907
908 #include "packet-ldap-fn.c"
dissect_LDAPMessage_PDU(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,ldap_conv_info_t * ldap_info)909 static int dissect_LDAPMessage_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, ldap_conv_info_t *ldap_info) {
910
911 int offset = 0;
912 asn1_ctx_t asn1_ctx;
913 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
914
915 asn1_ctx.private_data = ldap_info;
916 offset = dissect_ldap_LDAPMessage(FALSE, tvb, offset, &asn1_ctx, tree, hf_ldap_LDAPMessage_PDU);
917 return offset;
918 }
919
920 static void
dissect_ldap_payload(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,ldap_conv_info_t * ldap_info,gboolean is_mscldap)921 dissect_ldap_payload(tvbuff_t *tvb, packet_info *pinfo,
922 proto_tree *tree, ldap_conv_info_t *ldap_info,
923 gboolean is_mscldap)
924 {
925 int offset = 0;
926 guint length_remaining;
927 guint msg_len = 0;
928 int messageOffset = 0;
929 guint headerLength = 0;
930 guint length = 0;
931 tvbuff_t *msg_tvb = NULL;
932 gint8 ber_class;
933 gboolean pc, ind = 0;
934 gint32 ber_tag;
935
936 attributedesc_string=NULL;
937
938
939 one_more_pdu:
940
941 length_remaining = tvb_ensure_captured_length_remaining(tvb, offset);
942
943 if (length_remaining < 6) return;
944
945 /*
946 * OK, try to read the "Sequence Of" header; this gets the total
947 * length of the LDAP message.
948 */
949 messageOffset = get_ber_identifier(tvb, offset, &ber_class, &pc, &ber_tag);
950 messageOffset = get_ber_length(tvb, messageOffset, &msg_len, &ind);
951
952 /* sanity check */
953 if((msg_len<4) || (msg_len>10000000)) return;
954
955 if ( (ber_class==BER_CLASS_UNI) && (ber_tag==BER_UNI_TAG_SEQUENCE) ) {
956 /*
957 * Add the length of the "Sequence Of" header to the message
958 * length.
959 */
960 headerLength = messageOffset - offset;
961 msg_len += headerLength;
962 if (msg_len < headerLength) {
963 /*
964 * The message length was probably so large that the total length
965 * overflowed.
966 *
967 * Report this as an error.
968 */
969 show_reported_bounds_error(tvb, pinfo, tree);
970 return;
971 }
972 } else {
973 /*
974 * We couldn't parse the header; just make it the amount of data
975 * remaining in the tvbuff, so we'll give up on this segment
976 * after attempting to parse the message - there's nothing more
977 * we can do. "dissect_ldap_message()" will display the error.
978 */
979 msg_len = length_remaining;
980 }
981
982 /*
983 * Construct a tvbuff containing the amount of the payload we have
984 * available. Make its reported length the amount of data in the
985 * LDAP message.
986 *
987 * XXX - if reassembly isn't enabled. the subdissector will throw a
988 * BoundsError exception, rather than a ReportedBoundsError exception.
989 * We really want a tvbuff where the length is "length", the reported
990 * length is "plen", and the "if the snapshot length were infinite"
991 * length is the minimum of the reported length of the tvbuff handed
992 * to us and "plen", with a new type of exception thrown if the offset
993 * is within the reported length but beyond that third length, with
994 * that exception getting the "Unreassembled Packet" error.
995 */
996 length = length_remaining;
997 if (length > msg_len) length = msg_len;
998 msg_tvb = tvb_new_subset_length_caplen(tvb, offset, length, msg_len);
999
1000 /*
1001 * Now dissect the LDAP message.
1002 */
1003 ldap_info->is_mscldap = is_mscldap;
1004 dissect_LDAPMessage_PDU(msg_tvb, pinfo, tree, ldap_info);
1005
1006 offset += msg_len;
1007
1008 /* If this was a sasl blob there might be another PDU following in the
1009 * same blob
1010 */
1011 if(tvb_reported_length_remaining(tvb, offset)>=6){
1012 tvb = tvb_new_subset_remaining(tvb, offset);
1013 offset = 0;
1014
1015 goto one_more_pdu;
1016 }
1017
1018 }
1019
1020 static void
ldap_frame_end(void)1021 ldap_frame_end(void)
1022 {
1023 ldap_found_in_frame = FALSE;
1024 attr_type = NULL;
1025 ldapvalue_string = NULL;
1026 /* ? */
1027 attributedesc_string = NULL;
1028 Filter_string = NULL;
1029 and_filter_string = NULL;
1030 object_identifier_id = NULL;
1031 or_filter_string = NULL;
1032
1033 substring_item_any = NULL;
1034 substring_item_final = NULL;
1035 substring_item_init = NULL;
1036 substring_value = NULL;
1037
1038 ldm_tree = NULL;
1039
1040 Filter_elements = 0;
1041 Filter_length = 0;
1042 do_protocolop = FALSE;
1043 result = 0;
1044
1045 /* seems to be ok, but reset just in case */
1046 matching_rule_string = NULL;
1047 }
1048
1049 static void
dissect_ldap_pdu(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,gboolean is_mscldap)1050 dissect_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean is_mscldap)
1051 {
1052 int offset = 0;
1053 conversation_t *conversation;
1054 gboolean doing_sasl_security = FALSE;
1055 guint length_remaining;
1056 ldap_conv_info_t *ldap_info = NULL;
1057 proto_item *ldap_item = NULL;
1058 proto_tree *ldap_tree = NULL;
1059
1060 ldm_tree = NULL;
1061
1062 conversation = find_or_create_conversation(pinfo);
1063
1064 /*
1065 * Do we already have a type and mechanism?
1066 */
1067 ldap_info = (ldap_conv_info_t *)conversation_get_proto_data(conversation, proto_ldap);
1068 if (ldap_info == NULL) {
1069 /* No. Attach that information to the conversation, and add
1070 * it to the list of information structures.
1071 */
1072 ldap_info = wmem_new0(wmem_file_scope(), ldap_conv_info_t);
1073 ldap_info->matched=wmem_map_new(wmem_file_scope(), ldap_info_hash_matched, ldap_info_equal_matched);
1074 ldap_info->unmatched=wmem_map_new(wmem_file_scope(), ldap_info_hash_unmatched, ldap_info_equal_unmatched);
1075
1076 conversation_add_proto_data(conversation, proto_ldap, ldap_info);
1077 }
1078
1079 switch (ldap_info->auth_type) {
1080 case LDAP_AUTH_SASL:
1081 /*
1082 * It's SASL; are we using a security layer?
1083 */
1084 if (ldap_info->first_auth_frame != 0 &&
1085 pinfo->num >= ldap_info->first_auth_frame) {
1086 doing_sasl_security = TRUE; /* yes */
1087 }
1088 }
1089
1090 length_remaining = tvb_ensure_captured_length_remaining(tvb, offset);
1091
1092 /* It might still be a packet containing a SASL security layer
1093 * but it's just that we never saw the BIND packet.
1094 * check if it looks like it could be a SASL blob here
1095 * and in that case just assume it is GSS-SPNEGO
1096 */
1097 if(!doing_sasl_security && (tvb_bytes_exist(tvb, offset, 5))
1098 &&(tvb_get_ntohl(tvb, offset)<=(guint)(tvb_reported_length_remaining(tvb, offset)-4))
1099 &&(tvb_get_guint8(tvb, offset+4)==0x60) ){
1100 ldap_info->auth_type=LDAP_AUTH_SASL;
1101 ldap_info->first_auth_frame=pinfo->num;
1102 ldap_info->auth_mech=wmem_strdup(wmem_file_scope(), "GSS-SPNEGO");
1103 doing_sasl_security=TRUE;
1104 }
1105
1106 /*
1107 * This is the first PDU, set the Protocol column and clear the
1108 * Info column.
1109 */
1110 col_set_str(pinfo->cinfo, COL_PROTOCOL, pinfo->current_proto);
1111
1112 if(ldap_found_in_frame) {
1113 /* we have already dissected an ldap PDU in this frame - add a separator and set a fence */
1114 col_append_str(pinfo->cinfo, COL_INFO, " | ");
1115 col_set_fence(pinfo->cinfo, COL_INFO);
1116 } else {
1117 col_clear(pinfo->cinfo, COL_INFO);
1118 register_frame_end_routine (pinfo, ldap_frame_end);
1119 ldap_found_in_frame = TRUE;
1120 }
1121
1122 ldap_item = proto_tree_add_item(tree, is_mscldap?proto_cldap:proto_ldap, tvb, 0, -1, ENC_NA);
1123 ldap_tree = proto_item_add_subtree(ldap_item, ett_ldap);
1124
1125 /*
1126 * Might we be doing a SASL security layer and, if so, *are* we doing
1127 * one?
1128 *
1129 * Just because we've seen a bind reply for SASL, that doesn't mean
1130 * that we're using a SASL security layer; I've seen captures in
1131 * which some SASL negotiations lead to a security layer being used
1132 * and other negotiations don't, and it's not obvious what's different
1133 * in the two negotiations. Therefore, we assume that if the first
1134 * byte is 0, it's a length for a SASL security layer (that way, we
1135 * never reassemble more than 16 megabytes, protecting us from
1136 * chewing up *too* much memory), and otherwise that it's an LDAP
1137 * message (actually, if it's an LDAP message it should begin with 0x30,
1138 * but we want to parse garbage as LDAP messages rather than really
1139 * huge lengths).
1140 */
1141
1142 if (doing_sasl_security && tvb_get_guint8(tvb, offset) == 0) {
1143 proto_tree *sasl_tree;
1144 tvbuff_t *sasl_tvb;
1145 guint sasl_len, sasl_msg_len, length;
1146 /*
1147 * Yes. The frame begins with a 4-byte big-endian length.
1148 * And we know we have at least 6 bytes
1149 */
1150
1151 /*
1152 * Get the SASL length, which is the length of data in the buffer
1153 * following the length (i.e., it's 4 less than the total length).
1154 *
1155 * XXX - do we need to reassemble buffers? For now, we
1156 * assume that each LDAP message is entirely contained within
1157 * a buffer.
1158 */
1159 sasl_len = tvb_get_ntohl(tvb, offset);
1160 sasl_msg_len = sasl_len + 4;
1161 if (sasl_msg_len < 4) {
1162 /*
1163 * The message length was probably so large that the total length
1164 * overflowed.
1165 *
1166 * Report this as an error.
1167 */
1168 show_reported_bounds_error(tvb, pinfo, tree);
1169 return;
1170 }
1171
1172 /*
1173 * Construct a tvbuff containing the amount of the payload we have
1174 * available. Make its reported length the amount of data in the PDU.
1175 *
1176 * XXX - if reassembly isn't enabled. the subdissector will throw a
1177 * BoundsError exception, rather than a ReportedBoundsError exception.
1178 * We really want a tvbuff where the length is "length", the reported
1179 * length is "plen", and the "if the snapshot length were infinite"
1180 * length is the minimum of the reported length of the tvbuff handed
1181 * to us and "plen", with a new type of exception thrown if the offset
1182 * is within the reported length but beyond that third length, with
1183 * that exception getting the "Unreassembled Packet" error.
1184 */
1185 length = length_remaining;
1186 if (length > sasl_msg_len) length = sasl_msg_len;
1187 sasl_tvb = tvb_new_subset_length_caplen(tvb, offset, length, sasl_msg_len);
1188
1189 proto_tree_add_uint(ldap_tree, hf_ldap_sasl_buffer_length, sasl_tvb, 0, 4, sasl_len);
1190
1191 sasl_tree = proto_tree_add_subtree(ldap_tree, sasl_tvb, 4, sasl_msg_len - 4, ett_ldap_sasl_blob, NULL, "SASL Buffer");
1192
1193 if (ldap_info->auth_mech != NULL &&
1194 ((strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) ||
1195 /* auth_mech may have been set from the bind */
1196 (strcmp(ldap_info->auth_mech, "GSSAPI") == 0))) {
1197 tvbuff_t *gssapi_tvb = NULL;
1198 int ver_len;
1199 int tmp_length;
1200 gssapi_encrypt_info_t gssapi_encrypt;
1201
1202 /*
1203 * This is GSS-API (using SPNEGO, but we should be done with
1204 * the negotiation by now).
1205 *
1206 * Dissect the GSS_Wrap() token; it'll return the length of
1207 * the token, from which we compute the offset in the tvbuff at
1208 * which the plaintext data, i.e. the LDAP message, begins.
1209 */
1210 tmp_length = tvb_reported_length_remaining(sasl_tvb, 4);
1211 if ((guint)tmp_length > sasl_len)
1212 tmp_length = sasl_len;
1213 gssapi_tvb = tvb_new_subset_length_caplen(sasl_tvb, 4, tmp_length, sasl_len);
1214
1215 /* Attempt decryption of the GSSAPI wrapped data if possible */
1216 memset(&gssapi_encrypt, 0, sizeof(gssapi_encrypt));
1217 gssapi_encrypt.decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL;
1218 ver_len = call_dissector_with_data(gssapi_wrap_handle, gssapi_tvb, pinfo, sasl_tree, &gssapi_encrypt);
1219 /*
1220 * If ver_len is 0, it probably means that we got a PDU that is not
1221 * aligned to the start of the segment.
1222 */
1223 if(ver_len==0){
1224 return;
1225 }
1226 if (gssapi_encrypt.gssapi_decrypted_tvb) {
1227 tvbuff_t *decr_tvb = gssapi_encrypt.gssapi_decrypted_tvb;
1228 proto_tree *enc_tree = NULL;
1229
1230 /*
1231 * The LDAP payload (blob) was encrypted and we were able to decrypt it.
1232 * The data was signed via a MIC token, sealed (encrypted), and "wrapped"
1233 * within the mechanism's "blob." Call dissect_ldap_payload to dissect
1234 * one or more LDAPMessages such as searchRequest messages within this
1235 * payload.
1236 */
1237 col_set_str(pinfo->cinfo, COL_INFO, "SASL GSS-API Privacy (decrypted): ");
1238
1239 if (sasl_tree) {
1240 guint decr_len = tvb_reported_length(decr_tvb);
1241
1242 enc_tree = proto_tree_add_subtree_format(sasl_tree, decr_tvb, 0, -1,
1243 ett_ldap_payload, NULL, "GSS-API Encrypted payload (%d byte%s)",
1244 decr_len, plurality(decr_len, "", "s"));
1245 }
1246
1247 dissect_ldap_payload(decr_tvb, pinfo, enc_tree, ldap_info, is_mscldap);
1248 }
1249 else if (gssapi_encrypt.gssapi_data_encrypted) {
1250 /*
1251 * The LDAP message was encrypted but couldn't be decrypted so just display the
1252 * encrypted data all of which is found in Packet Bytes.
1253 */
1254 col_add_fstr(pinfo->cinfo, COL_INFO, "SASL GSS-API Privacy: payload (%d byte%s)",
1255 sasl_len-ver_len, plurality(sasl_len-ver_len, "", "s"));
1256
1257 proto_tree_add_item(sasl_tree, hf_ldap_gssapi_encrypted_payload, gssapi_tvb, ver_len, -1, ENC_NA);
1258 }
1259 else {
1260 tvbuff_t *plain_tvb = tvb_new_subset_remaining(gssapi_tvb, ver_len);
1261 proto_tree *plain_tree = NULL;
1262
1263 /*
1264 * The payload was not encrypted (sealed) but was signed via a MIC token.
1265 * If krb5_tok_id == KRB_TOKEN_CFX_WRAP, the payload was wrapped within
1266 * the mechanism's blob. Call dissect_ldap_payload to dissect one or more
1267 * LDAPMessages within the payload.
1268 */
1269 col_set_str(pinfo->cinfo, COL_INFO, "SASL GSS-API Integrity: ");
1270
1271 if (sasl_tree) {
1272 guint plain_len = tvb_reported_length(plain_tvb);
1273
1274 plain_tree = proto_tree_add_subtree_format(sasl_tree, plain_tvb, 0, -1,
1275 ett_ldap_payload, NULL, "GSS-API payload (%d byte%s)",
1276 plain_len, plurality(plain_len, "", "s"));
1277 }
1278
1279 dissect_ldap_payload(plain_tvb, pinfo, plain_tree, ldap_info, is_mscldap);
1280 }
1281 }
1282 } else {
1283 /*
1284 * The LDAP packet does not contain a SASL security layer. Such messages are typically sent
1285 * prior to the LDAP "bind" negotiation exchange which establishes the "context" of the session.
1286 * This means the data could neither be "signed" (no data origin auth or data integrity
1287 * check) nor "sealed" (encrypted).
1288 */
1289 dissect_ldap_payload(tvb, pinfo, ldap_tree, ldap_info, is_mscldap);
1290 }
1291 }
1292
1293 /*
1294 * prepend_dot is no longer used, but is being left in place in order to
1295 * maintain ABI compatibility.
1296 */
dissect_mscldap_string(tvbuff_t * tvb,int offset,char * str,int max_len,gboolean prepend_dot _U_)1297 int dissect_mscldap_string(tvbuff_t *tvb, int offset, char *str, int max_len, gboolean prepend_dot _U_)
1298 {
1299 int compr_len;
1300 const gchar *name;
1301 guint name_len;
1302
1303 /* The name data MUST start at offset 0 of the tvb */
1304 compr_len = get_dns_name(tvb, offset, max_len, 0, &name, &name_len);
1305 (void) g_strlcpy(str, name, max_len);
1306 return offset + compr_len;
1307 }
1308
1309
1310 /* These are the cldap DC flags
1311 http://msdn.microsoft.com/en-us/library/cc201036.aspx
1312 */
1313 static const true_false_string tfs_ads_pdc = {
1314 "This is a PDC",
1315 "This is NOT a pdc"
1316 };
1317 static const true_false_string tfs_ads_gc = {
1318 "This is a GLOBAL CATALOGUE of forest",
1319 "This is NOT a global catalog of forest"
1320 };
1321 static const true_false_string tfs_ads_ldap = {
1322 "This is an LDAP server",
1323 "This is NOT an ldap server"
1324 };
1325 static const true_false_string tfs_ads_ds = {
1326 "This dc supports DS",
1327 "This dc does NOT support ds"
1328 };
1329 static const true_false_string tfs_ads_kdc = {
1330 "This is a KDC (kerberos)",
1331 "This is NOT a kdc (kerberos)"
1332 };
1333 static const true_false_string tfs_ads_timeserv = {
1334 "This dc is running TIME SERVICES (ntp)",
1335 "This dc is NOT running time services (ntp)"
1336 };
1337 static const true_false_string tfs_ads_closest = {
1338 "This server is in the same site as the client",
1339 "This server is NOT in the same site as the client"
1340 };
1341 static const true_false_string tfs_ads_writable = {
1342 "This dc is WRITABLE",
1343 "This dc is NOT writable"
1344 };
1345 static const true_false_string tfs_ads_good_timeserv = {
1346 "This dc has a GOOD TIME SERVICE (i.e. hardware clock)",
1347 "This dc does NOT have a good time service (i.e. no hardware clock)"
1348 };
1349 static const true_false_string tfs_ads_ndnc = {
1350 "Domain is NON-DOMAIN NC serviced by ldap server",
1351 "Domain is NOT non-domain nc serviced by ldap server"
1352 };
1353 static const true_false_string tfs_ads_rodc = {
1354 "Domain controller is a Windows 2008 RODC",
1355 "Domain controller is not a Windows 2008 RODC"
1356 };
1357 static const true_false_string tfs_ads_wdc = {
1358 "Domain controller is a Windows 2008 writable NC",
1359 "Domain controller is not a Windows 2008 writable NC"
1360 };
1361 static const true_false_string tfs_ads_dns = {
1362 "Server name is in DNS format (Windows 2008)",
1363 "Server name is not in DNS format (Windows 2008)"
1364 };
1365 static const true_false_string tfs_ads_dnc = {
1366 "The NC is the default NC (Windows 2008)",
1367 "The NC is not the default NC (Windows 2008)"
1368 };
1369 static const true_false_string tfs_ads_fnc = {
1370 "The NC is the default forest NC(Windows 2008)",
1371 "The NC is not the default forest NC (Windows 2008)"
1372 };
dissect_mscldap_netlogon_flags(proto_tree * parent_tree,tvbuff_t * tvb,int offset)1373 static int dissect_mscldap_netlogon_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
1374 {
1375 static int * const flags[] = {
1376 &hf_mscldap_netlogon_flags_fnc,
1377 &hf_mscldap_netlogon_flags_dnc,
1378 &hf_mscldap_netlogon_flags_dns,
1379 &hf_mscldap_netlogon_flags_wdc,
1380 &hf_mscldap_netlogon_flags_rodc,
1381 &hf_mscldap_netlogon_flags_ndnc,
1382 &hf_mscldap_netlogon_flags_good_timeserv,
1383 &hf_mscldap_netlogon_flags_writable,
1384 &hf_mscldap_netlogon_flags_closest,
1385 &hf_mscldap_netlogon_flags_timeserv,
1386 &hf_mscldap_netlogon_flags_kdc,
1387 &hf_mscldap_netlogon_flags_ds,
1388 &hf_mscldap_netlogon_flags_ldap,
1389 &hf_mscldap_netlogon_flags_gc,
1390 &hf_mscldap_netlogon_flags_pdc,
1391 NULL
1392 };
1393
1394 proto_tree_add_bitmask_with_flags(parent_tree, tvb, offset, hf_mscldap_netlogon_flags,
1395 ett_mscldap_netlogon_flags, flags, ENC_LITTLE_ENDIAN, BMT_NO_FALSE);
1396 offset += 4;
1397
1398 return offset;
1399 }
1400
dissect_NetLogon_PDU(tvbuff_t * tvb,packet_info * pinfo _U_,proto_tree * tree,void * data _U_)1401 static int dissect_NetLogon_PDU(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void* data _U_)
1402 {
1403 int old_offset, offset=0;
1404 char str[256];
1405 guint16 itype;
1406 guint16 len;
1407 guint32 version;
1408 int fn_len;
1409 proto_item *item;
1410
1411 ldm_tree = NULL;
1412
1413
1414 /* Get the length of the buffer */
1415 len=tvb_reported_length_remaining(tvb,offset);
1416
1417 /* check the len if it is to small return */
1418 if (len < 10)
1419 return tvb_captured_length(tvb);
1420
1421 /* Type */
1422 proto_tree_add_item(tree, hf_mscldap_netlogon_opcode, tvb, offset, 2, ENC_LITTLE_ENDIAN);
1423 itype = tvb_get_letohs(tvb, offset);
1424 offset += 2;
1425
1426 switch(itype){
1427
1428 case LOGON_SAM_LOGON_RESPONSE:
1429 /* logon server name; must be aligned on a 2-byte boundary */
1430 if ((offset & 1) != 0) {
1431 offset++;
1432 }
1433 proto_tree_add_item_ret_length(tree, hf_mscldap_nb_hostname_z, tvb,offset, -1, ENC_UTF_16|ENC_LITTLE_ENDIAN, &fn_len);
1434 offset +=fn_len;
1435
1436 /* username; must be aligned on a 2-byte boundary */
1437 if ((offset & 1) != 0) {
1438 offset++;
1439 }
1440 proto_tree_add_item_ret_length(tree, hf_mscldap_username_z, tvb,offset, -1, ENC_UTF_16|ENC_LITTLE_ENDIAN, &fn_len);
1441 offset +=fn_len;
1442
1443 /* domain name; must be aligned on a 2-byte boundary */
1444 if ((offset & 1) != 0) {
1445 offset++;
1446 }
1447 proto_tree_add_item_ret_length(tree, hf_mscldap_nb_domain_z, tvb,offset, -1, ENC_UTF_16|ENC_LITTLE_ENDIAN, &fn_len);
1448 offset +=fn_len;
1449
1450 /* get the version number from the end of the buffer, as the
1451 length is variable and the version determines what fields
1452 need to be decoded */
1453 version = tvb_get_letohl(tvb,len-8);
1454
1455 /* include the extra version 5 fields */
1456 if ((version & NETLOGON_NT_VERSION_5) == NETLOGON_NT_VERSION_5){
1457
1458 /* domain guid */
1459 proto_tree_add_item(tree, hf_mscldap_domain_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
1460 offset += 16;
1461
1462 /* domain guid part 2
1463 there is another 16 byte guid but this is alway zero, so we will skip it */
1464 offset += 16;
1465
1466 /* Forest */
1467 old_offset=offset;
1468 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
1469 proto_tree_add_string(tree, hf_mscldap_forest, tvb, old_offset, offset-old_offset, str);
1470
1471 /* Domain */
1472 old_offset=offset;
1473 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
1474 proto_tree_add_string(tree, hf_mscldap_domain, tvb, old_offset, offset-old_offset, str);
1475
1476 /* Hostname */
1477 old_offset=offset;
1478 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
1479 proto_tree_add_string(tree, hf_mscldap_hostname, tvb, old_offset, offset-old_offset, str);
1480
1481 /* DC IP Address */
1482 proto_tree_add_item(tree, hf_mscldap_netlogon_ipaddress, tvb, offset, 4, ENC_BIG_ENDIAN);
1483 offset += 4;
1484
1485 /* Flags */
1486 dissect_mscldap_netlogon_flags(tree, tvb, offset);
1487 }
1488
1489 break;
1490
1491 case LOGON_SAM_LOGON_RESPONSE_EX:
1492 /* MS-ADTS 6.3.1.9 */
1493 offset += 2; /* Skip over "Sbz" field (MUST be set to 0) */
1494
1495 /* Flags */
1496 offset = dissect_mscldap_netlogon_flags(tree, tvb, offset);
1497
1498 /* Domain GUID */
1499 proto_tree_add_item(tree, hf_mscldap_domain_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
1500 offset += 16;
1501
1502 /* Forest */
1503 old_offset=offset;
1504 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
1505 proto_tree_add_string(tree, hf_mscldap_forest, tvb, old_offset, offset-old_offset, str);
1506
1507 /* Domain */
1508 old_offset=offset;
1509 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
1510 proto_tree_add_string(tree, hf_mscldap_domain, tvb, old_offset, offset-old_offset, str);
1511
1512 /* Hostname */
1513 old_offset=offset;
1514 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
1515 proto_tree_add_string(tree, hf_mscldap_hostname, tvb, old_offset, offset-old_offset, str);
1516
1517 /* NetBIOS Domain */
1518 old_offset=offset;
1519 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
1520 proto_tree_add_string(tree, hf_mscldap_nb_domain, tvb, old_offset, offset-old_offset, str);
1521
1522 /* NetBIOS Hostname */
1523 old_offset=offset;
1524 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
1525 proto_tree_add_string(tree, hf_mscldap_nb_hostname, tvb, old_offset, offset-old_offset, str);
1526
1527 /* User */
1528 old_offset=offset;
1529 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
1530 proto_tree_add_string(tree, hf_mscldap_username, tvb, old_offset, offset-old_offset, str);
1531
1532 /* Server Site */
1533 old_offset=offset;
1534 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
1535 proto_tree_add_string(tree, hf_mscldap_sitename, tvb, old_offset, offset-old_offset, str);
1536
1537 /* Client Site */
1538 old_offset=offset;
1539 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
1540 proto_tree_add_string(tree, hf_mscldap_clientsitename, tvb, old_offset, offset-old_offset, str);
1541
1542 /* get the version number from the end of the buffer, as the
1543 length is variable and the version determines what fields
1544 need to be decoded */
1545 version = tvb_get_letohl(tvb,len-8);
1546
1547 /* include the extra fields for version 5 with IP s */
1548 if ((version & NETLOGON_NT_VERSION_5EX_WITH_IP) == NETLOGON_NT_VERSION_5EX_WITH_IP){
1549 /* The ip address is returned as a sockaddr_in structure
1550 *
1551 * This section may need to be updated if the base Windows APIs
1552 * are changed to support ipv6, which currently is not the case.
1553 *
1554 * The desector assumes the length is based on ipv4 and
1555 * ignores the length
1556 */
1557
1558 /* skip the length of the sockaddr_in */
1559
1560 offset +=1;
1561
1562 /* add IP address and desect the sockaddr_in structure */
1563
1564 old_offset = offset + 4;
1565 item = proto_tree_add_item(tree, hf_mscldap_netlogon_ipaddress, tvb, old_offset, 4, ENC_BIG_ENDIAN);
1566
1567 if (tree) {
1568 proto_tree *subtree;
1569
1570 subtree = proto_item_add_subtree(item, ett_mscldap_ipdetails);
1571
1572 /* get sockaddr family */
1573 proto_tree_add_item(subtree, hf_mscldap_netlogon_ipaddress_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
1574 offset +=2;
1575
1576 /* get sockaddr port */
1577 proto_tree_add_item(subtree, hf_mscldap_netlogon_ipaddress_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
1578 offset +=2;
1579
1580 /* get IP address */
1581 proto_tree_add_item(subtree, hf_mscldap_netlogon_ipaddress_ipv4, tvb, offset, 4, ENC_BIG_ENDIAN);
1582 }
1583
1584 }
1585
1586 break;
1587 }
1588
1589
1590 /* complete the decode with the version and token details */
1591
1592 offset = len - 8;
1593
1594 /* NETLOGON_NT_VERISON Options (MS-ADTS 6.3.1.1) */
1595 offset = dissect_mscldap_ntver_flags(tree, tvb, offset);
1596
1597 /* LM Token */
1598 proto_tree_add_item(tree, hf_mscldap_netlogon_lm_token, tvb, offset, 2, ENC_LITTLE_ENDIAN);
1599 offset += 2;
1600
1601 /* NT Token */
1602 proto_tree_add_item(tree, hf_mscldap_netlogon_nt_token, tvb, offset, 2, ENC_LITTLE_ENDIAN);
1603
1604 return tvb_captured_length(tvb);
1605 }
1606
1607
1608 static guint
get_sasl_ldap_pdu_len(packet_info * pinfo _U_,tvbuff_t * tvb,int offset,void * data _U_)1609 get_sasl_ldap_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb,
1610 int offset, void *data _U_)
1611 {
1612 /* sasl encapsulated ldap is 4 bytes plus the length in size */
1613 return tvb_get_ntohl(tvb, offset)+4;
1614 }
1615
1616 static int
dissect_sasl_ldap_pdu(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,void * data _U_)1617 dissect_sasl_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
1618 {
1619 dissect_ldap_pdu(tvb, pinfo, tree, FALSE);
1620 return tvb_captured_length(tvb);
1621 }
1622
1623 static guint
get_normal_ldap_pdu_len(packet_info * pinfo _U_,tvbuff_t * tvb,int offset,void * data _U_)1624 get_normal_ldap_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb,
1625 int offset, void *data _U_)
1626 {
1627 guint32 len;
1628 gboolean ind;
1629 int data_offset;
1630
1631 /* normal ldap is tag+len bytes plus the length
1632 * offset is where the tag is
1633 * offset+1 is where length starts
1634 */
1635 data_offset=get_ber_length(tvb, offset+1, &len, &ind);
1636 return len+data_offset-offset;
1637 }
1638
1639 static int
dissect_normal_ldap_pdu(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,void * data _U_)1640 dissect_normal_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
1641 {
1642 dissect_ldap_pdu(tvb, pinfo, tree, FALSE);
1643 return tvb_captured_length(tvb);
1644 }
1645
1646 static int
dissect_ldap_oid(tvbuff_t * tvb,packet_info * pinfo _U_,proto_tree * tree,void * data _U_)1647 dissect_ldap_oid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void* data _U_)
1648 {
1649 char *oid;
1650 const char *oidname;
1651
1652 /* tvb here contains an ascii string that is really an oid */
1653 /* XXX we should convert the string oid into a real oid so we can use
1654 * proto_tree_add_oid() instead.
1655 */
1656
1657 oid=tvb_get_string_enc(pinfo->pool, tvb, 0, tvb_reported_length(tvb), ENC_UTF_8|ENC_NA);
1658 if(!oid){
1659 return tvb_captured_length(tvb);
1660 }
1661
1662 oidname=oid_resolved_from_string(pinfo->pool, oid);
1663
1664 if(oidname){
1665 proto_tree_add_string_format_value(tree, hf_ldap_oid, tvb, 0, tvb_reported_length(tvb), oid, "%s (%s)",oid,oidname);
1666 } else {
1667 proto_tree_add_string(tree, hf_ldap_oid, tvb, 0, tvb_captured_length(tvb), oid);
1668 }
1669 return tvb_captured_length(tvb);
1670 }
1671
1672 #define LDAP_ACCESSMASK_ADS_CREATE_CHILD 0x00000001
1673 #define LDAP_ACCESSMASK_ADS_DELETE_CHILD 0x00000002
1674 #define LDAP_ACCESSMASK_ADS_LIST 0x00000004
1675 #define LDAP_ACCESSMASK_ADS_SELF_WRITE 0x00000008
1676 #define LDAP_ACCESSMASK_ADS_READ_PROP 0x00000010
1677 #define LDAP_ACCESSMASK_ADS_WRITE_PROP 0x00000020
1678 #define LDAP_ACCESSMASK_ADS_DELETE_TREE 0x00000040
1679 #define LDAP_ACCESSMASK_ADS_LIST_OBJECT 0x00000080
1680 #define LDAP_ACCESSMASK_ADS_CONTROL_ACCESS 0x00000100
1681
1682 static void
ldap_specific_rights(tvbuff_t * tvb,gint offset,proto_tree * tree,guint32 access)1683 ldap_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access)
1684 {
1685 static int * const access_flags[] = {
1686 &hf_ldap_AccessMask_ADS_CONTROL_ACCESS,
1687 &hf_ldap_AccessMask_ADS_LIST_OBJECT,
1688 &hf_ldap_AccessMask_ADS_DELETE_TREE,
1689 &hf_ldap_AccessMask_ADS_WRITE_PROP,
1690 &hf_ldap_AccessMask_ADS_READ_PROP,
1691 &hf_ldap_AccessMask_ADS_SELF_WRITE,
1692 &hf_ldap_AccessMask_ADS_LIST,
1693 &hf_ldap_AccessMask_ADS_DELETE_CHILD,
1694 &hf_ldap_AccessMask_ADS_CREATE_CHILD,
1695 NULL
1696 };
1697
1698 proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access);
1699 }
1700 struct access_mask_info ldap_access_mask_info = {
1701 "LDAP", /* Name of specific rights */
1702 ldap_specific_rights, /* Dissection function */
1703 NULL, /* Generic mapping table */
1704 NULL /* Standard mapping table */
1705 };
1706
1707 static int
dissect_ldap_nt_sec_desc(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,void * data _U_)1708 dissect_ldap_nt_sec_desc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
1709 {
1710 dissect_nt_sec_desc(tvb, 0, pinfo, tree, NULL, TRUE, tvb_reported_length(tvb), &ldap_access_mask_info);
1711 return tvb_captured_length(tvb);
1712 }
1713
1714 static int
dissect_ldap_sid(tvbuff_t * tvb,packet_info * pinfo _U_,proto_tree * tree,void * data _U_)1715 dissect_ldap_sid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void* data _U_)
1716 {
1717 char *tmpstr;
1718
1719 /* this octet string contains an NT SID */
1720 dissect_nt_sid(tvb, 0, tree, "SID", &tmpstr, hf_ldap_sid);
1721 ldapvalue_string=tmpstr;
1722 return tvb_captured_length(tvb);
1723 }
1724
1725 static int
dissect_ldap_guid(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,void * data _U_)1726 dissect_ldap_guid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
1727 {
1728 guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
1729 e_guid_t uuid;
1730
1731 /* This octet string contained a GUID */
1732 dissect_dcerpc_uuid_t(tvb, 0, pinfo, tree, drep, hf_ldap_guid, &uuid);
1733
1734 ldapvalue_string=(char*)wmem_alloc(pinfo->pool, 1024);
1735 g_snprintf(ldapvalue_string, 1023, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1736 uuid.data1, uuid.data2, uuid.data3, uuid.data4[0], uuid.data4[1],
1737 uuid.data4[2], uuid.data4[3], uuid.data4[4], uuid.data4[5],
1738 uuid.data4[6], uuid.data4[7]);
1739 return tvb_captured_length(tvb);
1740 }
1741
1742 static int
dissect_ldap_tcp(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,void * data)1743 dissect_ldap_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
1744 {
1745 guint32 sasl_len;
1746 guint32 ldap_len;
1747 gboolean ind;
1748 conversation_t *conversation;
1749 ldap_conv_info_t *ldap_info = NULL;
1750
1751 /*
1752 * Do we have a conversation for this connection?
1753 */
1754 conversation = find_conversation_pinfo(pinfo, 0);
1755 if(conversation){
1756 ldap_info = (ldap_conv_info_t *)conversation_get_proto_data(conversation, proto_ldap);
1757 }
1758
1759 ldm_tree = NULL;
1760
1761 /* This is a bit tricky. We have to find out whether SASL is used
1762 * so that we know how big a header we are supposed to pass
1763 * to tcp_dissect_pdus()
1764 * We must also cope with the case when a client connects to LDAP
1765 * and performs a few unauthenticated searches of LDAP before
1766 * it performs the bind on the same tcp connection.
1767 */
1768 /* check for a SASL header, i.e. assume it is SASL if
1769 * 1, first four bytes (SASL length) is an integer
1770 * with a value that must be <LDAP_SASL_MAX_BUF and >2
1771 * (>2 to fight false positives, 0x00000000 is a common
1772 * "random" tcp payload)
1773 * (SASL ldap PDUs might be >64k in size, which is why
1774 * LDAP_SASL_MAX_BUF is used - defined in packet-ldap.h)
1775 *
1776 * 2, we must have a conversation and the auth type must
1777 * be LDAP_AUTH_SASL
1778 */
1779 sasl_len=tvb_get_ntohl(tvb, 0);
1780
1781 if( sasl_len<2 ){
1782 goto this_was_not_sasl;
1783 }
1784
1785 if( sasl_len>LDAP_SASL_MAX_BUF ){
1786 goto this_was_not_sasl;
1787 }
1788
1789 if((!ldap_info) || (ldap_info->auth_type!=LDAP_AUTH_SASL) ){
1790 goto this_was_not_sasl;
1791 }
1792
1793 tcp_dissect_pdus(tvb, pinfo, tree, ldap_desegment, 4, get_sasl_ldap_pdu_len, dissect_sasl_ldap_pdu, data);
1794 return tvb_captured_length(tvb);
1795
1796 this_was_not_sasl:
1797 /* check if it is a normal BER encoded LDAP packet
1798 * i.e. first byte is 0x30 followed by a length that is
1799 * <64k
1800 * (no ldap PDUs are ever >64kb? )
1801 */
1802 if(tvb_get_guint8(tvb, 0)!=0x30){
1803 goto this_was_not_normal_ldap;
1804 }
1805
1806 /* check that length makes sense */
1807 get_ber_length(tvb, 1, &ldap_len, &ind);
1808
1809 /* don't check ind since indefinite length is never used for ldap (famous last words)*/
1810 if(ldap_len<2){
1811 goto this_was_not_normal_ldap;
1812 }
1813
1814 /*
1815 * The minimum size of a LDAP pdu is 7 bytes
1816 *
1817 * dumpasn1 -hh ldap-unbind-min.dat
1818 *
1819 * <30 05 02 01 09 42 00>
1820 * 0 5: SEQUENCE {
1821 * <02 01 09>
1822 * 2 1: INTEGER 9
1823 * <42 00>
1824 * 5 0: [APPLICATION 2]
1825 * : Error: Object has zero length.
1826 * : }
1827 *
1828 * dumpasn1 -hh ldap-unbind-windows.dat
1829 *
1830 * <30 84 00 00 00 05 02 01 09 42 00>
1831 * 0 5: SEQUENCE {
1832 * <02 01 09>
1833 * 6 1: INTEGER 9
1834 * <42 00>
1835 * 9 0: [APPLICATION 2]
1836 * : Error: Object has zero length.
1837 * : }
1838 *
1839 * 6 bytes would also be ok to get the full length of
1840 * the pdu, but as the smallest pdu can be 7 bytes
1841 * we can use 7.
1842 */
1843 tcp_dissect_pdus(tvb, pinfo, tree, ldap_desegment, 7, get_normal_ldap_pdu_len, dissect_normal_ldap_pdu, data);
1844
1845 goto end;
1846
1847 this_was_not_normal_ldap:
1848
1849 /* Ok it might be a strange case of SASL still
1850 * It has been seen with Exchange setup to MS AD
1851 * when Exchange pretend that there is SASL but in fact data are still
1852 * in clear*/
1853 if ((sasl_len + 4) == (guint32)tvb_reported_length_remaining(tvb, 0))
1854 tcp_dissect_pdus(tvb, pinfo, tree, ldap_desegment, 4, get_sasl_ldap_pdu_len, dissect_sasl_ldap_pdu, data);
1855 end:
1856 return tvb_captured_length(tvb);
1857 }
1858
1859 static int
dissect_mscldap(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,void * data _U_)1860 dissect_mscldap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
1861 {
1862 dissect_ldap_pdu(tvb, pinfo, tree, TRUE);
1863 return tvb_captured_length(tvb);
1864 }
1865
1866
1867 /*--- proto_register_ldap -------------------------------------------*/
proto_register_ldap(void)1868 void proto_register_ldap(void) {
1869
1870 /* List of fields */
1871
1872 static hf_register_info hf[] = {
1873
1874 { &hf_ldap_sasl_buffer_length,
1875 { "SASL Buffer Length", "ldap.sasl_buffer_length",
1876 FT_UINT32, BASE_DEC, NULL, 0x0,
1877 NULL, HFILL }},
1878 { &hf_ldap_response_in,
1879 { "Response In", "ldap.response_in",
1880 FT_FRAMENUM, BASE_NONE, NULL, 0x0,
1881 "The response to this LDAP request is in this frame", HFILL }},
1882 { &hf_ldap_response_to,
1883 { "Response To", "ldap.response_to",
1884 FT_FRAMENUM, BASE_NONE, NULL, 0x0,
1885 "This is a response to the LDAP request in this frame", HFILL }},
1886 { &hf_ldap_time,
1887 { "Time", "ldap.time",
1888 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
1889 "The time between the Call and the Reply", HFILL }},
1890
1891 { &hf_mscldap_netlogon_opcode,
1892 { "Operation code", "mscldap.netlogon.opcode",
1893 FT_UINT16, BASE_DEC, VALS(netlogon_opcode_vals), 0x0,
1894 "LDAP ping operation code", HFILL }},
1895
1896 { &hf_mscldap_netlogon_ipaddress_family,
1897 { "Family", "mscldap.netlogon.ipaddress.family",
1898 FT_UINT16, BASE_DEC, NULL, 0x0,
1899 NULL, HFILL }},
1900
1901 { &hf_mscldap_netlogon_ipaddress_ipv4,
1902 { "IPv4", "mscldap.netlogon.ipaddress.ipv4",
1903 FT_IPv4, BASE_NONE, NULL, 0x0,
1904 "IP Address", HFILL }},
1905
1906 { &hf_mscldap_netlogon_ipaddress_port,
1907 { "Port", "mscldap.netlogon.ipaddress.port",
1908 FT_UINT16, BASE_DEC, NULL, 0x0,
1909 NULL, HFILL }},
1910
1911 { &hf_mscldap_netlogon_ipaddress,
1912 { "IP Address","mscldap.netlogon.ipaddress",
1913 FT_IPv4, BASE_NONE, NULL, 0x0,
1914 "Domain Controller IP Address", HFILL }},
1915
1916 { &hf_mscldap_netlogon_lm_token,
1917 { "LM Token", "mscldap.netlogon.lm_token",
1918 FT_UINT16, BASE_HEX, NULL, 0x0,
1919 "MUST be set to 0xFFFF", HFILL }},
1920
1921 { &hf_mscldap_netlogon_nt_token,
1922 { "NT Token", "mscldap.netlogon.nt_token",
1923 FT_UINT16, BASE_HEX, NULL, 0x0,
1924 "MUST be set to 0xFFFF", HFILL }},
1925
1926 { &hf_mscldap_netlogon_flags,
1927 { "Flags", "mscldap.netlogon.flags",
1928 FT_UINT32, BASE_HEX, NULL, 0x0,
1929 "Netlogon flags describing the DC properties", HFILL }},
1930
1931 { &hf_mscldap_ntver_flags,
1932 { "Version Flags", "mscldap.ntver.flags",
1933 FT_UINT32, BASE_HEX, NULL, 0x0,
1934 "NETLOGON_NT_VERSION Options Bits", HFILL }},
1935
1936 { &hf_mscldap_domain_guid,
1937 { "Domain GUID", "mscldap.domain.guid",
1938 FT_GUID, BASE_NONE, NULL, 0x0,
1939 "Value of the NC's GUID attribute", HFILL }},
1940
1941 { &hf_mscldap_forest,
1942 { "Forest", "mscldap.forest",
1943 FT_STRING, BASE_NONE, NULL, 0x0,
1944 "DNS name of the forest", HFILL }},
1945
1946 { &hf_mscldap_domain,
1947 { "Domain", "mscldap.domain",
1948 FT_STRING, BASE_NONE, NULL, 0x0,
1949 "DNS name of the NC", HFILL }},
1950
1951 { &hf_mscldap_hostname,
1952 { "Hostname", "mscldap.hostname",
1953 FT_STRING, BASE_NONE, NULL, 0x0,
1954 "DNS name of server", HFILL }},
1955
1956 { &hf_mscldap_nb_domain_z,
1957 { "NetBIOS Domain", "mscldap.nb_domain",
1958 FT_STRINGZ, BASE_NONE, NULL, 0x0,
1959 "NetBIOS name of the NC", HFILL }},
1960
1961 { &hf_mscldap_nb_domain,
1962 { "NetBIOS Domain", "mscldap.nb_domain",
1963 FT_STRING, BASE_NONE, NULL, 0x0,
1964 "NetBIOS name of the NC", HFILL }},
1965
1966 { &hf_mscldap_nb_hostname_z,
1967 { "NetBIOS Hostname", "mscldap.nb_hostname",
1968 FT_STRINGZ, BASE_NONE, NULL, 0x0,
1969 "NetBIOS name of the server", HFILL }},
1970
1971 { &hf_mscldap_nb_hostname,
1972 { "NetBIOS Hostname", "mscldap.nb_hostname",
1973 FT_STRING, BASE_NONE, NULL, 0x0,
1974 "NetBIOS name of the server", HFILL }},
1975
1976 { &hf_mscldap_username_z,
1977 { "Username", "mscldap.username",
1978 FT_STRINGZ, BASE_NONE, NULL, 0x0,
1979 "User specified in client's request", HFILL }},
1980
1981 { &hf_mscldap_username,
1982 { "Username", "mscldap.username",
1983 FT_STRING, BASE_NONE, NULL, 0x0,
1984 "User specified in client's request", HFILL }},
1985
1986 { &hf_mscldap_sitename,
1987 { "Server Site", "mscldap.sitename",
1988 FT_STRING, BASE_NONE, NULL, 0x0,
1989 "Site name of the server", HFILL }},
1990
1991 { &hf_mscldap_clientsitename,
1992 { "Client Site", "mscldap.clientsitename",
1993 FT_STRING, BASE_NONE, NULL, 0x0,
1994 "Site name of the client", HFILL }},
1995
1996 { &hf_ldap_sid,
1997 { "Sid", "ldap.sid",
1998 FT_STRING, BASE_NONE, NULL, 0x0,
1999 NULL, HFILL }},
2000
2001 { &hf_mscldap_ntver_flags_v1,
2002 { "V1", "mscldap.ntver.searchflags.v1", FT_BOOLEAN, 32,
2003 TFS(&tfs_ntver_v1), 0x00000001, "See section 6.3.1.1 of MS-ADTS specification", HFILL }},
2004
2005 { &hf_mscldap_ntver_flags_v5,
2006 { "V5", "mscldap.ntver.searchflags.v5", FT_BOOLEAN, 32,
2007 TFS(&tfs_ntver_v5), 0x00000002, "See section 6.3.1.1 of MS-ADTS specification", HFILL }},
2008
2009 { &hf_mscldap_ntver_flags_v5ex,
2010 { "V5EX", "mscldap.ntver.searchflags.v5ex", FT_BOOLEAN, 32,
2011 TFS(&tfs_ntver_v5ex), 0x00000004, "See section 6.3.1.1 of MS-ADTS specification", HFILL }},
2012
2013 { &hf_mscldap_ntver_flags_v5ep,
2014 { "V5EP", "mscldap.ntver.searchflags.v5ep", FT_BOOLEAN, 32,
2015 TFS(&tfs_ntver_v5ep), 0x00000008, "See section 6.3.1.1 of MS-ADTS specification", HFILL }},
2016
2017 { &hf_mscldap_ntver_flags_vcs,
2018 { "VCS", "mscldap.ntver.searchflags.vcs", FT_BOOLEAN, 32,
2019 TFS(&tfs_ntver_vcs), 0x00000010, "See section 6.3.1.1 of MS-ADTS specification", HFILL }},
2020
2021 { &hf_mscldap_ntver_flags_vnt4,
2022 { "VNT4", "mscldap.ntver.searchflags.vnt4", FT_BOOLEAN, 32,
2023 TFS(&tfs_ntver_vnt4), 0x01000000, "See section 6.3.1.1 of MS-ADTS specification", HFILL }},
2024
2025 { &hf_mscldap_ntver_flags_vpdc,
2026 { "VPDC", "mscldap.ntver.searchflags.vpdc", FT_BOOLEAN, 32,
2027 TFS(&tfs_ntver_vpdc), 0x10000000, "See section 6.3.1.1 of MS-ADTS specification", HFILL }},
2028
2029 { &hf_mscldap_ntver_flags_vip,
2030 { "VIP", "mscldap.ntver.searchflags.vip", FT_BOOLEAN, 32,
2031 TFS(&tfs_ntver_vip), 0x20000000, "See section 6.3.1.1 of MS-ADTS specification", HFILL }},
2032
2033 { &hf_mscldap_ntver_flags_vl,
2034 { "VL", "mscldap.ntver.searchflags.vl", FT_BOOLEAN, 32,
2035 TFS(&tfs_ntver_vl), 0x40000000, "See section 6.3.1.1 of MS-ADTS specification", HFILL }},
2036
2037 { &hf_mscldap_ntver_flags_vgc,
2038 { "VGC", "mscldap.ntver.searchflags.vgc", FT_BOOLEAN, 32,
2039 TFS(&tfs_ntver_vgc), 0x80000000, "See section 6.3.1.1 of MS-ADTS specification", HFILL }},
2040
2041
2042 { &hf_mscldap_netlogon_flags_pdc,
2043 { "PDC", "mscldap.netlogon.flags.pdc", FT_BOOLEAN, 32,
2044 TFS(&tfs_ads_pdc), 0x00000001, "Is this DC a PDC or not?", HFILL }},
2045
2046 { &hf_mscldap_netlogon_flags_gc,
2047 { "GC", "mscldap.netlogon.flags.gc", FT_BOOLEAN, 32,
2048 TFS(&tfs_ads_gc), 0x00000004, "Does this dc service as a GLOBAL CATALOGUE?", HFILL }},
2049
2050 { &hf_mscldap_netlogon_flags_ldap,
2051 { "LDAP", "mscldap.netlogon.flags.ldap", FT_BOOLEAN, 32,
2052 TFS(&tfs_ads_ldap), 0x00000008, "Does this DC act as an LDAP server?", HFILL }},
2053
2054 { &hf_mscldap_netlogon_flags_ds,
2055 { "DS", "mscldap.netlogon.flags.ds", FT_BOOLEAN, 32,
2056 TFS(&tfs_ads_ds), 0x00000010, "Does this dc provide DS services?", HFILL }},
2057
2058 { &hf_mscldap_netlogon_flags_kdc,
2059 { "KDC", "mscldap.netlogon.flags.kdc", FT_BOOLEAN, 32,
2060 TFS(&tfs_ads_kdc), 0x00000020, "Does this dc act as a KDC?", HFILL }},
2061
2062 { &hf_mscldap_netlogon_flags_timeserv,
2063 { "Time Serv", "mscldap.netlogon.flags.timeserv", FT_BOOLEAN, 32,
2064 TFS(&tfs_ads_timeserv), 0x00000040, "Does this dc provide time services (ntp) ?", HFILL }},
2065
2066 { &hf_mscldap_netlogon_flags_closest,
2067 { "Closest", "mscldap.netlogon.flags.closest", FT_BOOLEAN, 32,
2068 TFS(&tfs_ads_closest), 0x00000080, "Is this the closest dc?", HFILL }},
2069
2070 { &hf_mscldap_netlogon_flags_writable,
2071 { "Writable", "mscldap.netlogon.flags.writable", FT_BOOLEAN, 32,
2072 TFS(&tfs_ads_writable), 0x00000100, "Is this dc writable?", HFILL }},
2073
2074 { &hf_mscldap_netlogon_flags_good_timeserv,
2075 { "Good Time Serv", "mscldap.netlogon.flags.good_timeserv", FT_BOOLEAN, 32,
2076 TFS(&tfs_ads_good_timeserv), 0x00000200, "Is this a Good Time Server? (i.e. does it have a hardware clock)", HFILL }},
2077
2078 { &hf_mscldap_netlogon_flags_ndnc,
2079 { "NDNC", "mscldap.netlogon.flags.ndnc", FT_BOOLEAN, 32,
2080 TFS(&tfs_ads_ndnc), 0x00000400, "Is this an NDNC dc?", HFILL }},
2081
2082 { &hf_mscldap_netlogon_flags_rodc,
2083 { "RODC", "mscldap.netlogon.flags.rodc", FT_BOOLEAN, 32,
2084 TFS(&tfs_ads_rodc), 0x00000800, "Is this an read only dc?", HFILL }},
2085
2086 { &hf_mscldap_netlogon_flags_wdc,
2087 { "WDC", "mscldap.netlogon.flags.writabledc", FT_BOOLEAN, 32,
2088 TFS(&tfs_ads_wdc), 0x00001000, "Is this an writable dc (Windows 2008)?", HFILL }},
2089
2090 { &hf_mscldap_netlogon_flags_dns,
2091 { "DNS", "mscldap.netlogon.flags.dnsname", FT_BOOLEAN, 32,
2092 TFS(&tfs_ads_dns), 0x20000000, "Does the server have a dns name (Windows 2008)?", HFILL }},
2093
2094 { &hf_mscldap_netlogon_flags_dnc,
2095 { "DNC", "mscldap.netlogon.flags.defaultnc", FT_BOOLEAN, 32,
2096 TFS(&tfs_ads_dnc), 0x40000000, "Is this the default NC (Windows 2008)?", HFILL }},
2097
2098 { &hf_mscldap_netlogon_flags_fnc,
2099 { "FDC", "mscldap.netlogon.flags.forestnc", FT_BOOLEAN, 32,
2100 TFS(&tfs_ads_fnc), 0x80000000, "Is the the NC the default forest root(Windows 2008)?", HFILL }},
2101
2102 { &hf_ldap_guid,
2103 { "GUID", "ldap.guid", FT_GUID, BASE_NONE,
2104 NULL, 0, NULL, HFILL }},
2105
2106 { &hf_ldap_AccessMask_ADS_CREATE_CHILD,
2107 { "Ads Create Child", "ldap.AccessMask.ADS_CREATE_CHILD", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_CREATE_CHILD, NULL, HFILL }},
2108
2109 { &hf_ldap_AccessMask_ADS_DELETE_CHILD,
2110 { "Ads Delete Child", "ldap.AccessMask.ADS_DELETE_CHILD", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_DELETE_CHILD, NULL, HFILL }},
2111
2112 { &hf_ldap_AccessMask_ADS_LIST,
2113 { "Ads List", "ldap.AccessMask.ADS_LIST", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_LIST, NULL, HFILL }},
2114
2115 { &hf_ldap_AccessMask_ADS_SELF_WRITE,
2116 { "Ads Self Write", "ldap.AccessMask.ADS_SELF_WRITE", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_SELF_WRITE, NULL, HFILL }},
2117
2118 { &hf_ldap_AccessMask_ADS_READ_PROP,
2119 { "Ads Read Prop", "ldap.AccessMask.ADS_READ_PROP", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_READ_PROP, NULL, HFILL }},
2120
2121 { &hf_ldap_AccessMask_ADS_WRITE_PROP,
2122 { "Ads Write Prop", "ldap.AccessMask.ADS_WRITE_PROP", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_WRITE_PROP, NULL, HFILL }},
2123
2124 { &hf_ldap_AccessMask_ADS_DELETE_TREE,
2125 { "Ads Delete Tree", "ldap.AccessMask.ADS_DELETE_TREE", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_DELETE_TREE, NULL, HFILL }},
2126
2127 { &hf_ldap_AccessMask_ADS_LIST_OBJECT,
2128 { "Ads List Object", "ldap.AccessMask.ADS_LIST_OBJECT", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_LIST_OBJECT, NULL, HFILL }},
2129
2130 { &hf_ldap_AccessMask_ADS_CONTROL_ACCESS,
2131 { "Ads Control Access", "ldap.AccessMask.ADS_CONTROL_ACCESS", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_CONTROL_ACCESS, NULL, HFILL }},
2132
2133 { &hf_ldap_LDAPMessage_PDU,
2134 { "LDAPMessage", "ldap.LDAPMessage_element", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
2135
2136 { &hf_ldap_object_security_flag,
2137 { "Flag Object_Security", "ldap.object_security_flag", FT_BOOLEAN, 32, NULL, 0x00000001, NULL, HFILL }},
2138
2139 { &hf_ldap_ancestor_first_flag,
2140 { "Flag Ancestor_First", "ldap.ancestor_first_flag", FT_BOOLEAN, 32, NULL, 0x00000800, NULL, HFILL }},
2141
2142 { &hf_ldap_public_data_only_flag,
2143 { "Flag Public_Data_Only", "ldap.public_data_only_flag", FT_BOOLEAN, 32, NULL, 0x00002000, NULL, HFILL }},
2144
2145 { &hf_ldap_incremental_value_flag,
2146 { "Flag Incremental_Value", "ldap.incremental_value_flag", FT_BOOLEAN, 32, NULL, 0x80000000, NULL, HFILL }},
2147
2148 { &hf_ldap_oid,
2149 { "OID", "ldap.oid", FT_STRING, BASE_NONE,
2150 NULL, 0, NULL, HFILL }},
2151
2152 { &hf_ldap_gssapi_encrypted_payload,
2153 { "GSS-API Encrypted payload", "ldap.gssapi_encrypted_payload", FT_BYTES, BASE_NONE,
2154 NULL, 0, NULL, HFILL }},
2155
2156 #include "packet-ldap-hfarr.c"
2157 };
2158
2159 /* List of subtrees */
2160 static gint *ett[] = {
2161 &ett_ldap,
2162 &ett_ldap_payload,
2163 &ett_ldap_sasl_blob,
2164 &ett_ldap_msg,
2165 &ett_mscldap_netlogon_flags,
2166 &ett_mscldap_ntver_flags,
2167 &ett_mscldap_ipdetails,
2168 &ett_ldap_DirSyncFlagsSubEntry,
2169
2170 #include "packet-ldap-ettarr.c"
2171 };
2172 /* UAT for header fields */
2173 static uat_field_t custom_attribute_types_uat_fields[] = {
2174 UAT_FLD_CSTRING(attribute_types, attribute_type, "Attribute type", "Attribute type"),
2175 UAT_FLD_CSTRING(attribute_types, attribute_desc, "Description", "Description of the value matching type"),
2176 UAT_END_FIELDS
2177 };
2178
2179 static ei_register_info ei[] = {
2180 { &ei_ldap_exceeded_filter_length, { "ldap.exceeded_filter_length", PI_UNDECODED, PI_ERROR, "Filter length exceeds number. Giving up", EXPFILL }},
2181 { &ei_ldap_too_many_filter_elements, { "ldap.too_many_filter_elements", PI_UNDECODED, PI_ERROR, "Found more than %%u filter elements. Giving up.", EXPFILL }},
2182 };
2183
2184 expert_module_t* expert_ldap;
2185 module_t *ldap_module;
2186 uat_t *attributes_uat;
2187
2188 /* Register protocol */
2189 proto_ldap = proto_register_protocol(PNAME, PSNAME, PFNAME);
2190 /* Register fields and subtrees */
2191 proto_register_field_array(proto_ldap, hf, array_length(hf));
2192 proto_register_subtree_array(ett, array_length(ett));
2193 expert_ldap = expert_register_protocol(proto_ldap);
2194 expert_register_field_array(expert_ldap, ei, array_length(ei));
2195
2196 ldap_handle = register_dissector("ldap", dissect_ldap_tcp, proto_ldap);
2197
2198 ldap_module = prefs_register_protocol(proto_ldap, prefs_register_ldap);
2199 prefs_register_bool_preference(ldap_module, "desegment_ldap_messages",
2200 "Reassemble LDAP messages spanning multiple TCP segments",
2201 "Whether the LDAP dissector should reassemble messages spanning multiple TCP segments."
2202 " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
2203 &ldap_desegment);
2204
2205 prefs_register_uint_preference(ldap_module, "tls.port", "LDAPS TCP Port",
2206 "Set the port for LDAP operations over TLS",
2207 10, &global_ldaps_tcp_port);
2208 prefs_register_obsolete_preference(ldap_module, "ssl.port");
2209 /* UAT */
2210 attributes_uat = uat_new("Custom LDAP AttributeValue types",
2211 sizeof(attribute_type_t),
2212 "custom_ldap_attribute_types",
2213 TRUE,
2214 &attribute_types,
2215 &num_attribute_types,
2216 /* specifies named fields, so affects dissection
2217 and the set of named fields */
2218 UAT_AFFECTS_DISSECTION|UAT_AFFECTS_FIELDS,
2219 NULL,
2220 attribute_types_copy_cb,
2221 attribute_types_update_cb,
2222 attribute_types_free_cb,
2223 attribute_types_post_update_cb,
2224 attribute_types_reset_cb,
2225 custom_attribute_types_uat_fields);
2226
2227 prefs_register_uat_preference(ldap_module, "custom_ldap_attribute_types",
2228 "Custom AttributeValue types",
2229 "A table to define custom LDAP attribute type values for which fields can be setup and used for filtering/data extraction etc.",
2230 attributes_uat);
2231
2232 prefs_register_obsolete_preference(ldap_module, "max_pdu");
2233
2234 proto_cldap = proto_register_protocol(
2235 "Connectionless Lightweight Directory Access Protocol",
2236 "CLDAP", "cldap");
2237
2238 ldap_tap=register_tap("ldap");
2239
2240 ldap_name_dissector_table = register_dissector_table("ldap.name", "LDAP Attribute Type Dissectors", proto_cldap, FT_STRING, BASE_NONE);
2241
2242 register_srt_table(proto_ldap, NULL, 1, ldapstat_packet, ldapstat_init, NULL);
2243 }
2244
2245
2246 /*--- proto_reg_handoff_ldap ---------------------------------------*/
2247 void
proto_reg_handoff_ldap(void)2248 proto_reg_handoff_ldap(void)
2249 {
2250 dissector_handle_t cldap_handle;
2251
2252 cldap_handle = create_dissector_handle(dissect_mscldap, proto_cldap);
2253 dissector_add_uint_with_preference("udp.port", UDP_PORT_CLDAP, cldap_handle);
2254
2255 gssapi_handle = find_dissector_add_dependency("gssapi", proto_ldap);
2256 gssapi_wrap_handle = find_dissector_add_dependency("gssapi_verf", proto_ldap);
2257 spnego_handle = find_dissector_add_dependency("spnego", proto_ldap);
2258
2259 ntlmssp_handle = find_dissector_add_dependency("ntlmssp", proto_ldap);
2260
2261 tls_handle = find_dissector_add_dependency("tls", proto_ldap);
2262
2263 prefs_register_ldap();
2264
2265 oid_add_from_string("ISO assigned OIDs, USA", "1.2.840");
2266
2267 /* http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dsml/dsml/ldap_controls_and_session_support.asp */
2268 /* https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3c5e87db-4728-4f29-b164-01dd7d7391ea */
2269 oid_add_from_string("LDAP_PAGED_RESULT_OID_STRING","1.2.840.113556.1.4.319");
2270 oid_add_from_string("LDAP_SERVER_SHOW_DELETED_OID","1.2.840.113556.1.4.417");
2271 oid_add_from_string("LDAP_SERVER_SORT_OID","1.2.840.113556.1.4.473");
2272 oid_add_from_string("LDAP_SERVER_RESP_SORT_OID","1.2.840.113556.1.4.474");
2273 oid_add_from_string("LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID","1.2.840.113556.1.4.521");
2274 oid_add_from_string("LDAP_SERVER_NOTIFICATION_OID","1.2.840.113556.1.4.528");
2275 oid_add_from_string("LDAP_SERVER_EXTENDED_DN_OID","1.2.840.113556.1.4.529");
2276 oid_add_from_string("meetingAdvertiseScope","1.2.840.113556.1.4.582");
2277 oid_add_from_string("LDAP_SERVER_LAZY_COMMIT_OID","1.2.840.113556.1.4.619");
2278 oid_add_from_string("mhsORAddress","1.2.840.113556.1.4.650");
2279 oid_add_from_string("managedObjects","1.2.840.113556.1.4.654");
2280 oid_add_from_string("LDAP_CAP_ACTIVE_DIRECTORY_OID","1.2.840.113556.1.4.800");
2281 oid_add_from_string("LDAP_SERVER_SD_FLAGS_OID","1.2.840.113556.1.4.801");
2282 oid_add_from_string("LDAP_SERVER_RANGE_OPTION_OID","1.2.840.113556.1.4.802");
2283 oid_add_from_string("LDAP_OID_COMPARATOR_OR","1.2.840.113556.1.4.804");
2284 oid_add_from_string("LDAP_SERVER_TREE_DELETE_OID","1.2.840.113556.1.4.805");
2285 oid_add_from_string("LDAP_SERVER_DIRSYNC_OID","1.2.840.113556.1.4.841");
2286 oid_add_from_string("LDAP_SERVER_GET_STATS_OID","1.2.840.113556.1.4.970");
2287 oid_add_from_string("LDAP_SERVER_VERIFY_NAME_OID","1.2.840.113556.1.4.1338");
2288 oid_add_from_string("LDAP_SERVER_DOMAIN_SCOPE_OID","1.2.840.113556.1.4.1339");
2289 oid_add_from_string("LDAP_SERVER_SEARCH_OPTIONS_OID","1.2.840.113556.1.4.1340");
2290 oid_add_from_string("LDAP_SERVER_RODC_DCPROMO_OID","1.2.840.113556.1.4.1341");
2291 oid_add_from_string("LDAP_SERVER_PERMISSIVE_MODIFY_OID","1.2.840.113556.1.4.1413");
2292 oid_add_from_string("LDAP_SERVER_ASQ_OID","1.2.840.113556.1.4.1504");
2293 oid_add_from_string("LDAP_CAP_ACTIVE_DIRECTORY_V51_OID","1.2.840.113556.1.4.1670");
2294 oid_add_from_string("msDS-SDReferenceDomain","1.2.840.113556.1.4.1711");
2295 oid_add_from_string("msDS-AdditionalDnsHostName","1.2.840.113556.1.4.1717");
2296 oid_add_from_string("LDAP_SERVER_FAST_BIND_OID","1.2.840.113556.1.4.1781");
2297 oid_add_from_string("LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID","1.2.840.113556.1.4.1791");
2298 oid_add_from_string("msDS-ObjectReference","1.2.840.113556.1.4.1840");
2299 oid_add_from_string("msDS-QuotaEffective","1.2.840.113556.1.4.1848");
2300 oid_add_from_string("LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID","1.2.840.113556.1.4.1851");
2301 oid_add_from_string("LDAP_SERVER_QUOTA_CONTROL_OID","1.2.840.113556.1.4.1852");
2302 oid_add_from_string("msDS-PortSSL","1.2.840.113556.1.4.1860");
2303 oid_add_from_string("LDAP_SERVER_SHUTDOWN_NOTIFY_OID","1.2.840.113556.1.4.1907");
2304 oid_add_from_string("LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID","1.2.840.113556.1.4.1948");
2305 oid_add_from_string("msDS-isRODC","1.2.840.113556.1.4.1960");
2306 oid_add_from_string("LDAP_SERVER_FORCE_UPDATE_OID","1.2.840.113556.1.4.1974");
2307 oid_add_from_string("LDAP_SERVER_DN_INPUT_OID","1.2.840.113556.1.4.2026");
2308 oid_add_from_string("LDAP_SERVER_SHOW_RECYCLED_OID","1.2.840.113556.1.4.2064");
2309 oid_add_from_string("LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID","1.2.840.113556.1.4.2065");
2310 oid_add_from_string("LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID","1.2.840.113556.1.4.2066");
2311 oid_add_from_string("LDAP_SERVER_DIRSYNC_EX_OID","1.2.840.113556.1.4.2090");
2312 oid_add_from_string("LDAP_SERVER_TREE_DELETE_EX_OID","1.2.840.113556.1.4.2204");
2313 oid_add_from_string("LDAP_SERVER_UPDATE_STATS_OID","1.2.840.113556.1.4.2205");
2314 oid_add_from_string("LDAP_SERVER_SEARCH_HINTS_OID","1.2.840.113556.1.4.2206");
2315 oid_add_from_string("LDAP_SERVER_EXPECTED_ENTRY_COUNT_OID","1.2.840.113556.1.4.2211");
2316 oid_add_from_string("LDAP_SERVER_POLICY_HINTS_OID","1.2.840.113556.1.4.2239");
2317 oid_add_from_string("LDAP_SERVER_SET_OWNER_OID","1.2.840.113556.1.4.2255");
2318 oid_add_from_string("LDAP_SERVER_BYPASS_QUOTA_OID","1.2.840.113556.1.4.2256");
2319 oid_add_from_string("LDAP_SERVER_LINK_TTL_OID","1.2.840.113556.1.4.2309");
2320 oid_add_from_string("LDAP_SERVER_SET_CORRELATION_ID_OID","1.2.840.113556.1.4.2330");
2321 oid_add_from_string("LDAP_SERVER_THREAD_TRACE_OVERRIDE_OID","1.2.840.113556.1.4.2354");
2322 oid_add_from_string("DYNAMIC_REFRESH","1.3.6.1.4.1.1466.101.119.1");
2323 oid_add_from_string("LDAP_START_TLS_OID","1.3.6.1.4.1.1466.20037");
2324
2325 oid_add_from_string("inetOrgPerson", "2.16.840.1.113730.3.2.2");
2326 /* RFC2798 */
2327 oid_add_from_string("US company arc", "2.16.840.1");
2328
2329 /* http://www.alvestrand.no/objectid/2.16.840.1.113730.3.4.html */
2330 oid_add_from_string("Manage DSA IT LDAPv3 control", "2.16.840.1.113730.3.4.2");
2331 oid_add_from_string("Persistent Search LDAPv3 control", "2.16.840.1.113730.3.4.3");
2332 oid_add_from_string("Netscape Password Expired LDAPv3 control", "2.16.840.1.113730.3.4.4");
2333 oid_add_from_string("Netscape Password Expiring LDAPv3 control", "2.16.840.1.113730.3.4.5");
2334 oid_add_from_string("Netscape NT Synchronization Client LDAPv3 control", "2.16.840.1.113730.3.4.6");
2335 oid_add_from_string("Entry Change Notification LDAPv3 control", "2.16.840.1.113730.3.4.7");
2336 oid_add_from_string("Transaction ID Request Control", "2.16.840.1.113730.3.4.8");
2337 oid_add_from_string("VLV Request LDAPv3 control", "2.16.840.1.113730.3.4.9");
2338 oid_add_from_string("VLV Response LDAPv3 control", "2.16.840.1.113730.3.4.10");
2339 oid_add_from_string("Transaction ID Response Control", "2.16.840.1.113730.3.4.11");
2340 oid_add_from_string("Proxied Authorization (version 1) control", "2.16.840.1.113730.3.4.12");
2341 oid_add_from_string("iPlanet Directory Server Replication Update Information Control", "2.16.840.1.113730.3.4.13");
2342 oid_add_from_string("iPlanet Directory Server search on specific backend control", "2.16.840.1.113730.3.4.14");
2343 oid_add_from_string("Authentication Response Control", "2.16.840.1.113730.3.4.15");
2344 oid_add_from_string("Authentication Request Control", "2.16.840.1.113730.3.4.16");
2345 oid_add_from_string("Real Attributes Only Request Control", "2.16.840.1.113730.3.4.17");
2346 oid_add_from_string("Proxied Authorization (version 2) Control", "2.16.840.1.113730.3.4.18");
2347 oid_add_from_string("Chaining loop detection", "2.16.840.1.113730.3.4.19");
2348 oid_add_from_string("iPlanet Replication Modrdn Extra Mods Control", "2.16.840.1.113730.3.4.999");
2349
2350
2351 oid_add_from_string("LDAP_SERVER_QUOTA_CONTROL_OID", "1.2.840.113556.1.4.1852");
2352 oid_add_from_string("LDAP_SERVER_RANGE_OPTION_OID", "1.2.840.113556.1.4.802");
2353 oid_add_from_string("LDAP_SERVER_SHUTDOWN_NOTIFY_OID", "1.2.840.113556.1.4.1907");
2354 oid_add_from_string("LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID", "1.2.840.113556.1.4.1948");
2355
2356
2357 dissector_add_string("ldap.name", "netlogon", create_dissector_handle(dissect_NetLogon_PDU, proto_cldap));
2358 dissector_add_string("ldap.name", "objectGUID", create_dissector_handle(dissect_ldap_guid, proto_ldap));
2359 dissector_add_string("ldap.name", "supportedControl", create_dissector_handle(dissect_ldap_oid, proto_ldap));
2360 dissector_add_string("ldap.name", "supportedCapabilities", create_dissector_handle(dissect_ldap_oid, proto_ldap));
2361 dissector_add_string("ldap.name", "objectSid", create_dissector_handle(dissect_ldap_sid, proto_ldap));
2362 dissector_add_string("ldap.name", "nTSecurityDescriptor", create_dissector_handle(dissect_ldap_nt_sec_desc, proto_ldap));
2363
2364 #include "packet-ldap-dis-tab.c"
2365
2366 dissector_add_uint_range_with_preference("tcp.port", TCP_PORT_RANGE_LDAP, ldap_handle);
2367
2368 dissector_add_uint("acdr.tls_application_port", 636, ldap_handle);
2369 dissector_add_uint("acdr.tls_application", TLS_APP_LDAP, ldap_handle);
2370 }
2371
2372 static void
prefs_register_ldap(void)2373 prefs_register_ldap(void)
2374 {
2375 if(ssl_port != global_ldaps_tcp_port) {
2376 if(ssl_port)
2377 ssl_dissector_delete(ssl_port, ldap_handle);
2378
2379 /* Set our port number for future use */
2380 ssl_port = global_ldaps_tcp_port;
2381
2382 if(ssl_port)
2383 ssl_dissector_add(ssl_port, ldap_handle);
2384 }
2385
2386 }
2387
2388 /*
2389 * Editor modelines - https://www.wireshark.org/tools/modelines.html
2390 *
2391 * Local Variables:
2392 * c-basic-offset: 2
2393 * tab-width: 8
2394 * indent-tabs-mode: nil
2395 * End:
2396 *
2397 * vi: set shiftwidth=2 tabstop=8 expandtab:
2398 * :indentSize=2:tabSize=8:noTabs=true:
2399 */
2400