Wireshark · Ethereal-dev: [Ethereal-dev] AUTH

Ethereal-dev: [Ethereal-dev] AUTH_DES cred/verf decoding

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Mike Frisch <mfrisch@xxxxxxxxxxxxxxx>

Date: Fri, 25 May 2001 15:55:55 -0400

I was bored at work this afternoon, so I added support for AUTH_DES
credential and verifier decoding.  Patch enclosed.

Index: packet-rpc.c
===================================================================
RCS file: /cvsroot/ethereal/packet-rpc.c,v
retrieving revision 1.58
diff -u -r1.58 packet-rpc.c
--- packet-rpc.c	2001/05/21 08:52:17	1.58
+++ packet-rpc.c	2001/05/25 19:54:51
@@ -125,6 +125,11 @@
 	{ 0, NULL }
 };
 
+static const value_string rpc_authdes_namekind[] = {
+	{ AUTHDES_NAMEKIND_FULLNAME, "ADN_FULLNAME" },
+	{ AUTHDES_NAMEKIND_NICKNAME, "ADN_NICKNAME" },
+	{ 0, NULL }
+};
 
 /* the protocol number */
 static int proto_rpc = -1;
@@ -158,6 +163,14 @@
 static int hf_rpc_authgss_data_length = -1;
 static int hf_rpc_authgss_data = -1;
 static int hf_rpc_authgss_checksum = -1;
+static int hf_rpc_authdes_namekind = -1;
+static int hf_rpc_authdes_netname = -1;
+static int hf_rpc_authdes_convkey = -1;
+static int hf_rpc_authdes_window = -1;
+static int hf_rpc_authdes_nickname = -1;
+static int hf_rpc_authdes_timestamp = -1;
+static int hf_rpc_authdes_windowverf = -1;
+static int hf_rpc_authdes_timeverf = -1;
 static int hf_rpc_state_accept = -1;
 static int hf_rpc_state_reply = -1;
 static int hf_rpc_state_reject = -1;
@@ -936,7 +949,65 @@
 	return offset;
 }
 
+int
+dissect_rpc_authdes_desblock_tvb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
+int hfindex, int offset)
+{
+	guint32 value_low;
+	guint32 value_high;
+
+	value_high = tvb_get_ntohl(tvb, offset + 0);
+	value_low  = tvb_get_ntohl(tvb, offset + 4);
+
+	if (tree) {
+		proto_tree_add_text(tree, tvb, offset, 8,
+			"%s: 0x%x%08x", proto_registrar_get_name(hfindex), value_high, 
+			value_low);
+	}
+
+	return offset + 8;
+}
+
 static int
+dissect_rpc_authdes_cred(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, int offset)
+{
+	guint adc_namekind;
+	guint window = 0;
+	guint nickname = 0;
+
+	if (!tvb_bytes_exist(tvb,offset,4)) return offset;
+
+	adc_namekind = tvb_get_ntohl(tvb, offset+0);
+	if (tree)
+		proto_tree_add_uint(tree, hf_rpc_authdes_namekind,
+				    tvb, offset+0, 4, adc_namekind);
+	offset += 4;
+
+	switch(adc_namekind)
+	{
+	case AUTHDES_NAMEKIND_FULLNAME:
+		offset = dissect_rpc_string_tvb(tvb, pinfo, tree, 
+			hf_rpc_authdes_netname, offset, NULL);
+		offset = dissect_rpc_authdes_desblock_tvb(tvb, pinfo, tree,
+			hf_rpc_authdes_convkey, offset);
+		window = tvb_get_ntohl(tvb, offset+0);
+		proto_tree_add_uint(tree, hf_rpc_authdes_window, tvb, offset+0, 4,
+			window);
+		offset += 4;
+		break;
+
+	case AUTHDES_NAMEKIND_NICKNAME:
+		nickname = tvb_get_ntohl(tvb, offset+0);
+		proto_tree_add_uint(tree, hf_rpc_authdes_nickname, tvb, offset+0, 4,
+			window);
+		offset += 4;
+		break;
+	}
+
+	return offset;
+}
+
+static int
 dissect_rpc_cred(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, int offset)
 {
 	guint flavor;
@@ -969,13 +1040,10 @@
 
 		break;
 		*/
-		/* I have no tcpdump file with such a packet to verify the
-			info from the RFC 1050 */
-		/*
 		case AUTH_DES:
-
-		break;
-		*/
+			dissect_rpc_authdes_cred(tvb, pinfo, ctree, offset+8);
+			break;
+			
 		case RPCSEC_GSS:
 			dissect_rpc_authgss_cred(tvb, pinfo, ctree, offset+8);
 			break;
@@ -991,8 +1059,11 @@
 	return offset;
 }
 
+/* AUTH_DES verifiers are asymmetrical, so we need to know what type of
+ * verifier we're decoding (CALL or REPLY).
+ */
 static int
-dissect_rpc_verf(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, int offset)
+dissect_rpc_verf(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, int offset, int msg_type)
 {
 	guint flavor;
 	guint length;
@@ -1019,6 +1090,32 @@
 					    offset+4, 4, length);
 			dissect_rpc_authunix_cred(tvb, pinfo, vtree, offset+8);
 			break;
+		case AUTH_DES:
+			proto_tree_add_uint(vtree, hf_rpc_auth_length, tvb,
+				offset+4, 4, length);
+
+			if (msg_type == RPC_CALL)
+			{
+				guint window;
+
+				dissect_rpc_authdes_desblock_tvb(tvb, pinfo, vtree,
+					hf_rpc_authdes_timestamp, offset+8);
+				window = tvb_get_ntohl(tvb, offset+16);
+				proto_tree_add_uint(vtree, hf_rpc_authdes_windowverf, tvb, 
+					offset+16, 4, window);
+			}
+			else
+			{
+				/* must be an RPC_REPLY */
+				guint nickname;
+
+				dissect_rpc_authdes_desblock_tvb(tvb, pinfo, vtree,
+					hf_rpc_authdes_timeverf, offset+8);
+				nickname = tvb_get_ntohl(tvb, offset+16);
+				proto_tree_add_uint(vtree, hf_rpc_authdes_nickname, tvb, 
+				 	offset+16, 4, nickname);
+			}
+			break;
 		case RPCSEC_GSS:
 			dissect_rpc_data_tvb(tvb, pinfo, vtree,
 				hf_rpc_authgss_checksum, offset+4);
@@ -1698,7 +1795,7 @@
 		offset += 16;
 
 		offset = dissect_rpc_cred(tvb, pinfo, rpc_tree, offset);
-		offset = dissect_rpc_verf(tvb, pinfo, rpc_tree, offset);
+		offset = dissect_rpc_verf(tvb, pinfo, rpc_tree, offset, msg_type);
 
 		/* go to the next dissector */
 
@@ -1811,7 +1908,7 @@
 		offset += 4;
 
 		if (reply_state == MSG_ACCEPTED) {
-			offset = dissect_rpc_verf(tvb, pinfo, rpc_tree, offset);
+			offset = dissect_rpc_verf(tvb, pinfo, rpc_tree, offset, msg_type);
 			if (!tvb_bytes_exist(tvb, offset,4))
 				return TRUE;
 			accept_state = tvb_get_ntohl(tvb,offset+0);
@@ -2098,6 +2195,30 @@
 		{ &hf_rpc_authgss_checksum, {
 			"GSS Checksum", "rpc.authgss.checksum", FT_BYTES,
 			BASE_HEX, NULL, 0, "GSS Checksum" }},
+		{ &hf_rpc_authdes_namekind, {
+			"Namekind", "rpc.authdes.namekind", FT_UINT32, BASE_DEC,
+			VALS(rpc_authdes_namekind), 0, "Namekind" }},
+		{ &hf_rpc_authdes_netname, {
+			"Netname", "rpc.authdes.netname", FT_STRING,
+			BASE_DEC, NULL, 0, "Netname" }},
+		{ &hf_rpc_authdes_convkey, {
+			"Conversation Key (encrypted)", "rpc.authdes.convkey", FT_UINT32,
+			BASE_HEX, NULL, 0, "Conversation Key (encrypted)" }},
+		{ &hf_rpc_authdes_window, {
+			"Window (encrypted)", "rpc.authdes.window", FT_UINT32,
+			BASE_HEX, NULL, 0, "Windows (encrypted)" }},
+		{ &hf_rpc_authdes_nickname, {
+			"Nickname", "rpc.authdes.nickname", FT_UINT32, 
+			BASE_HEX, NULL, 0, "Nickname" }},
+		{ &hf_rpc_authdes_timestamp, {
+			"Timestamp (encrypted)", "rpc.authdes.timestamp", FT_UINT32,
+			BASE_HEX, NULL, 0, "Timestamp (encrypted)" }},
+		{ &hf_rpc_authdes_windowverf, {
+			"Window verifier (encrypted)", "rpc.authdes.windowverf", FT_UINT32,
+			BASE_HEX, NULL, 0, "Window verifier (encrypted)" }},
+		{ &hf_rpc_authdes_timeverf, {
+			"Timestamp verifier (encrypted)", "rpc.authdes.timeverf", FT_UINT32,
+			BASE_HEX, NULL, 0, "Timestamp verifier (encrypted)" }},
 		{ &hf_rpc_auth_machinename, {
 			"Machine Name", "rpc.auth.machinename", FT_STRING, 
 			BASE_DEC, NULL, 0, "Machine Name" }},

Follow-Ups:
- Re: [Ethereal-dev] AUTH_DES cred/verf decoding
  - From: Guy Harris

Prev by Date: Re: [Ethereal-dev] Finally, a GIOP Release Date
Next by Date: Re: [Ethereal-dev] AUTH_DES cred/verf decoding
Previous by thread: Re: [Ethereal-dev] ethereal-0.8.18 libtool fails on Solaris
Next by thread: Re: [Ethereal-dev] AUTH_DES cred/verf decoding
Index(es):
- Date
- Thread