Wireshark-dev: Re: [Wireshark-dev] How do I call the next dissector ...
From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Sat, 31 May 2014 15:26:16 -0700
On Thu, May 29, 2014 at 10:24 PM, Richard Sharpe
<realrichardsharpe@xxxxxxxxx> wrote:
> Hi folks,
>
> to fix the LDAP SASL integrity only stuff, I think I have to do
> something like the following:
>
> --- a/asn1/spnego/packet-spnego-template.c
> +++ b/asn1/spnego/packet-spnego-template.c
> @@ -1026,13 +1026,30 @@ dissect_spnego_krb5_cfx_wrap_base(tvbuff_t *tvb, int off
>
>         if (pinfo->gssapi_data_encrypted) {
>                 checksum_size = 44 + ec;
> +
> +               proto_tree_add_item(tree, hf_spnego_krb5_sgn_cksum, tvb, offset,
> +                                   checksum_size, ENC_NA);
> +               offset += checksum_size;
> +
>         } else {
> -               checksum_size = 12;
> -       }
> +               tvbuff_t *inner_token;
> +               int inner_token_len = 0;
> +               heur_dtbl_entry_t *hdtbl_entry;
>
> -       proto_tree_add_item(tree, hf_spnego_krb5_sgn_cksum, tvb, offset,
> -                           checksum_size, ENC_NA);
> -       offset += checksum_size;
> +               checksum_size = ec;
> +
> +               inner_token_len = tvb_reported_length_remaining(tvb, offset) -
> +                                       ec;
> +               inner_token = tvb_new_subset(tvb, offset, inner_token_len,
> +                               tvb_reported_length(tvb));
> +
> +               call_some_dissector(inner_token, pinfo, tree, FALSE);
> +
> +               offset += inner_token_len;
> +
> +               proto_tree_add_item(tree, hf_spnego_krb5_sgn_cksum, tvb, offset,
> +                                   checksum_size, ENC_NA);
> +       }
>
>         if(pinfo->decrypt_gssapi_tvb){
>                 /* if the caller did not provide a tvb, then we just use
>
> So, how do I call the next dissector?
>
> The only clue I have so far is that the inner token looks like it is
> ASN.1 encoded because it starts with 0x3073...
>
> Any clues out there?

OK, I found a way to deal with it, but it needs cleaning up and it
does not associate the correct bytes with the LDAP query (although it
at least dissects the LDAP query now):

diff --git a/asn1/spnego/packet-spnego-template.c b/asn1/spnego/packet-spnego-te
index ac2d9b1..aaac8a2 100644
--- a/asn1/spnego/packet-spnego-template.c
+++ b/asn1/spnego/packet-spnego-template.c
@@ -1026,13 +1026,29 @@ dissect_spnego_krb5_cfx_wrap_base(tvbuff_t *tvb, int off

        if (pinfo->gssapi_data_encrypted) {
                checksum_size = 44 + ec;
+
+               proto_tree_add_item(tree, hf_spnego_krb5_sgn_cksum, tvb, offset,
+                                   checksum_size, ENC_NA);
+               offset += checksum_size;
+
        } else {
-               checksum_size = 12;
-       }
+               int inner_token_len = 0;

-       proto_tree_add_item(tree, hf_spnego_krb5_sgn_cksum, tvb, offset,
-                           checksum_size, ENC_NA);
-       offset += checksum_size;
+               checksum_size = ec;
+
+               inner_token_len = tvb_reported_length_remaining(tvb, offset) -
+                                       ec;
+
+               pinfo->gssapi_wrap_tvb = tvb_new_subset(tvb, offset,
+                                               inner_token_len, inner_token_len
+
+               offset += inner_token_len;
+
+               proto_tree_add_item(tree, hf_spnego_krb5_sgn_cksum, tvb, offset,
+                                   checksum_size, ENC_NA);
+
+               return offset;
+       }

        if(pinfo->decrypt_gssapi_tvb){
                /* if the caller did not provide a tvb, then we just use
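Review bot: In the new non-encrypted branch, `inner_token_len = tvb_reported_length_remaining(tvb, offset) - ec` is not range-checked before it is passed to `tvb_new_subset()` and added to `offset`. `ec` is assigned outside this hunk, but if it is read from the token header (as it appears to be), a packet whose `ec` exceeds the remaining data makes `inner_token_len` negative, so the subset length is invalid (or, at -1, may be taken as "to the end of the buffer") and `offset` moves backwards before the checksum item is added. A guard such as `if (inner_token_len < 0) return offset;` ahead of the `tvb_new_subset()` call, ideally with an expert-info item marking the token as malformed, would stop a crafted capture from steering these offsets. The earlier draft quoted at the top of this message has the same computation, and the function body continues outside the hunk.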
diff --git a/epan/dissectors/packet-ldap.c b/epan/dissectors/packet-ldap.c
index 9ee6054..536e52d 100644
--- a/epan/dissectors/packet-ldap.c
+++ b/epan/dissectors/packet-ldap.c
@@ -4129,7 +4129,10 @@ static void
                                /* if we could unwrap, do a tvb shuffle */
                                if(pinfo->gssapi_decrypted_tvb){
                                        decr_tvb=pinfo->gssapi_decrypted_tvb;
+                               } else if (pinfo->gssapi_wrap_tvb) {
+                                       plain_tvb=pinfo->gssapi_wrap_tvb;
                                }
+
                                /* tidy up */
                                pinfo->decrypt_gssapi_tvb=0;
                                pinfo->gssapi_wrap_tvb=NULL;
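Review bot: The added `else if (pinfo->gssapi_wrap_tvb)` branch accepts whatever is left in `gssapi_wrap_tvb` as plaintext without checking that the token was integrity-only. The field is reused here as a return channel while the tidy-up lines just below treat it as scratch state; if any other unwrap path (not visible here) also leaves it set, for instance when decryption of a sealed token fails, still-encrypted bytes would be handed to the LDAP parser as `plain_tvb`. Gating the branch on the flag already tested in the next hunk, `} else if (!pinfo->gssapi_data_encrypted && pinfo->gssapi_wrap_tvb) {`, or carrying the payload in a dedicated pinfo field, would keep the two meanings apart. The enclosing function starts and ends outside the hunk.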
@@ -4149,7 +4152,7 @@ static void
                                * see if the wrapping involved encryption of the
                                * data; if not, just use the plaintext data.
                                */
-                               if (!decr_tvb) {
+                               if (!decr_tvb && !plain_tvb) {
                                        if(!pinfo->gssapi_data_encrypted){
                                                plain_tvb = tvb_new_subset_remai
                                        }


-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)