From 262744d2b26733d7d788321999cdecf0de866bad Mon Sep 17 00:00:00 2001
From: Guy Harris
Date: Sun, 10 Nov 2002 09:38:22 +0000
Subject: [PATCH] Dissect NTLMSSP authentication verifiers, as per lkcl's "DCE/RPC over SMB" book.

svn path=/trunk/; revision=6598
---
 packet-dcerpc.c | 21 +++++++++++++----
 packet-ntlmssp.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 76 insertions(+), 6 deletions(-)

diff --git a/packet-dcerpc.c b/packet-dcerpc.c
index 1a61592c00..2549b59f9c 100644
--- a/packet-dcerpc.c
+++ b/packet-dcerpc.c
@@ -2,7 +2,7 @@
 * Routines for DCERPC packet disassembly
 * Copyright 2001, Todd Sabin
 *
- * $Id: packet-dcerpc.c,v 1.86 2002/11/05 21:41:26 guy Exp $
+ * $Id: packet-dcerpc.c,v 1.87 2002/11/10 09:38:22 guy Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs
@@ -404,9 +404,8 @@ static gint ett_dcerpc_fragments = -1;
 static gint ett_dcerpc_fragment = -1;
 static gint ett_decrpc_krb5_auth_verf = -1;
-static dissector_handle_t ntlmssp_handle;
-static dissector_handle_t gssapi_handle;
-static dissector_handle_t gssapi_verf_handle;
+static dissector_handle_t ntlmssp_handle, ntlmssp_verf_handle;
+static dissector_handle_t gssapi_handle, gssapi_verf_handle;
 static const fragment_items dcerpc_frag_items = {
 &ett_dcerpc_fragments,
@@ -1517,6 +1516,19 @@ dissect_dcerpc_cn_auth (tvbuff_t *tvb, packet_info *pinfo, proto_tree *dcerpc_tr
 */
 switch (auth_type) {
+ case DCE_C_RPC_AUTHN_PROTOCOL_NTLMSSP: {
+ /* NTLMSSP */
+ tvbuff_t *ntlmssp_tvb;
+
+ ntlmssp_tvb = tvb_new_subset(tvb, offset, hdr->auth_len,
+ hdr->auth_len);
+
+ call_dissector(ntlmssp_verf_handle, ntlmssp_tvb, pinfo,
+ dcerpc_tree);
+
+ break;
+ }
+
 case DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO: {
 /* SPNEGO (rfc2478) */
 tvbuff_t *gssapi_tvb;
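Review bot: In the new `DCE_C_RPC_AUTHN_PROTOCOL_NTLMSSP` case, `hdr->auth_len` is a length field taken from the PDU and is passed unchecked as both the length and the reported length to `tvb_new_subset`. That call sits outside the TRY block that dissect_ntlmssp_verf sets up, so an auth_len larger than the data that follows would presumably raise here rather than be reported by the callee, ending dissection of the PDU, unless code outside the hunk already validates it. The one-word comment could record this, for example `/* NTLMSSP verifier; auth_len comes from the wire and is not validated here */`. `ntlmssp_verf_handle` is also used without a NULL check although it is filled by `find_dissector` in proto_reg_handoff_dcerpc; the existing gssapi handles appear to follow the same pattern. The body of dissect_dcerpc_cn_auth starts and ends outside the hunk.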
@@ -3806,6 +3818,7 @@ proto_reg_handoff_dcerpc (void)
 heur_dissector_add ("udp", dissect_dcerpc_dg, proto_dcerpc);
 heur_dissector_add ("smb_transact", dissect_dcerpc_cn_bs, proto_dcerpc);
 ntlmssp_handle = find_dissector("ntlmssp");
+ ntlmssp_verf_handle = find_dissector("ntlmssp_verf");
 gssapi_handle = find_dissector("gssapi");
 gssapi_verf_handle = find_dissector("gssapi_verf");
 }
diff --git a/packet-ntlmssp.c b/packet-ntlmssp.c
index d01c28f087..8ce8a1ce83 100644
--- a/packet-ntlmssp.c
+++ b/packet-ntlmssp.c
@@ -2,7 +2,7 @@
 * Routines for NTLM Secure Service Provider
 * Devin Heitmueller
 *
- * $Id: packet-ntlmssp.c,v 1.30 2002/11/08 06:02:18 guy Exp $
+ * $Id: packet-ntlmssp.c,v 1.31 2002/11/10 09:38:22 guy Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs
@@ -156,6 +156,8 @@ static int hf_ntlmssp_address_list_server_nb = -1;
 static int hf_ntlmssp_address_list_domain_nb = -1;
 static int hf_ntlmssp_address_list_server_dns = -1;
 static int hf_ntlmssp_address_list_domain_dns = -1;
+static int hf_ntlmssp_verf_vers = -1;
+static int hf_ntlmssp_verf_body = -1;
 static gint ett_ntlmssp = -1;
 static gint ett_ntlmssp_negotiate_flags = -1;
@@ -765,6 +767,55 @@ dissect_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 } ENDTRY;
 }
+/*
+ * See page 45 of "DCE/RPC over SMB" by Luke Kenneth Casson Leighton.
+ */
+static void
+dissect_ntlmssp_verf(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+ volatile int offset = 0;
+ proto_tree *volatile ntlmssp_tree = NULL;
+ proto_item *tf = NULL;
+
+ /* Setup a new tree for the NTLMSSP payload */
+ if (tree) {
+ tf = proto_tree_add_item (tree,
+ hf_ntlmssp,
+ tvb, offset, -1, FALSE);
+
+ ntlmssp_tree = proto_item_add_subtree (tf,
+ ett_ntlmssp);
+ }
+
+ /*
+ * Catch the ReportedBoundsError exception; the stuff we've been
+ * handed doesn't necessarily run to the end of the packet, it's
+ * an item inside a packet, so if it happens to be malformed (or
+ * we, or a dissector we call, has a bug), so that an exception
+ * is thrown, we want to report the error, but return and let
+ * our caller dissect the rest of the packet.
+ *
+ * If it gets a BoundsError, we can stop, as there's nothing more
+ * in the packet after our blob to see, so we just re-throw the
+ * exception.
+ */
+ TRY {
+ /* Version number */
+ proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_verf_vers,
+ tvb, offset, 4, TRUE);
+ offset += 4;
+
+ /* Encrypted body */
+ proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_verf_body,
+ tvb, offset, 12, TRUE);
+ offset += 12;
+ } CATCH(BoundsError) {
+ RETHROW;
+ } CATCH(ReportedBoundsError) {
+ show_reported_bounds_error(tvb, pinfo, tree);
+ } ENDTRY;
+}
+
 static void
 ntlmssp_init_protocol(void)
 {
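Review bot: dissect_ntlmssp_verf reads exactly 16 bytes (a 4-byte version and a 12-byte body) but never checks whether the tvbuff it was handed is longer, so bytes past offset 16 get no field of their own even though the top-level item, added with length -1, still spans them. The caller sizes that tvbuff from the packet's auth_len, so a verifier of unexpected length is worth surfacing to whoever reads the capture. After the final `offset += 12;` inside the TRY, something like `if (tvb_length_remaining(tvb, offset) > 0)` followed by `proto_tree_add_text(ntlmssp_tree, tvb, offset, -1, "Unexpected trailing data");` would do it. The block comment above the TRY also mentions "a dissector we call", but this function calls none, so it could be trimmed to say only why ReportedBoundsError is caught and BoundsError is re-thrown.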
@@ -917,7 +968,12 @@ proto_register_ntlmssp(void)
 { &hf_ntlmssp_address_list_server_dns,
 { "Server DNS Name", "ntlmssp.challenge.addresslist.serverdns", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
 { &hf_ntlmssp_address_list_domain_dns,
- { "Domain DNS Name", "ntlmssp.challenge.addresslist.domaindns", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}
+ { "Domain DNS Name", "ntlmssp.challenge.addresslist.domaindns", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
+
+ { &hf_ntlmssp_verf_vers,
+ { "Version Number", "ntlmssp.verf.vers", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }},
+ { &hf_ntlmssp_verf_body,
+ { "Verifier Body", "ntlmssp.verf.body", FT_BYTES, BASE_NONE, NULL, 0x0, "", HFILL }}
 };
@@ -940,6 +996,7 @@ proto_register_ntlmssp(void)
 register_init_routine(&ntlmssp_init_protocol);
 register_dissector("ntlmssp", dissect_ntlmssp, proto_ntlmssp);
+ register_dissector("ntlmssp_verf", dissect_ntlmssp_verf, proto_ntlmssp);
 }
 void
--
2.34.1