epan/dissectors/packet-xml.c try to decrypt data, but the data doesn't look correct yet
authorStefan Metzmacher <metze@samba.org>
Thu, 19 Oct 2017 08:42:41 +0000 (10:42 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 17 Oct 2018 14:09:07 +0000 (16:09 +0200)
Change-Id: I84760941f6da2901eb94a9fc12c76144ef392ad6

epan/dissectors/packet-xml.c

index c6310ebe7903ac5b97aa3d42ae60d82778a5ee21..6fc008540d175f95d0b04a6a48d3d25893be8c9b 100644 (file)
@@ -737,7 +737,8 @@ static void after_untag(void *tvbparse_data, const void *wanted_data _U_, tvbpar
             struct decryption_key *key;
 
             key = wmem_new0(wmem_packet_scope(), struct decryption_key);
-            key->id = tvb_format_text(id_frame->value, 0, tvb_reported_length(id_frame->value));
+            key->id = wmem_strdup_printf(wmem_packet_scope(), "#%s",
+                                         tvb_format_text(id_frame->value, 0, tvb_reported_length(id_frame->value)));
            P_SHA1(ek->keyvalue, ek->keylength, seed, seed_length, key->key);
             key->key_length = key_length;
 
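Review bot: The `"#%s"` prefix added to `key->id` has no comment saying why it is there. Judging by the later CipherValue handling, which passes the raw `URI` attribute text to `wmem_map_lookup`, the prefix presumably makes the stored id equal to a same-document fragment reference. I would add `/* Stored with a leading '#' so it matches the fragment URI of a SecurityTokenReference/Reference. */` above the assignment. The lookup appears to be an exact string match, so a reference written in any other form would silently find no key, which is worth stating in the same comment. after_untag's body starts and ends outside this hunk.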
@@ -753,12 +754,80 @@ static void after_untag(void *tvbparse_data, const void *wanted_data _U_, tvbpar
     }
     if (strcmp(current_frame->name_orig_case, "CipherValue") == 0) {
         xml_frame_t *encrypted_frame = current_frame->parent->parent;
+        xml_frame_t *key_info_frame = NULL;
+        xml_frame_t *token_frame = NULL;
+        xml_frame_t *reference_frame = NULL;
+        xml_frame_t *uri_frame = NULL;
+        const struct decryption_key *key = NULL;
+        xml_frame_t *cdata_frame = NULL;
+        tvbuff_t *crypt_tvb = NULL;
+        tvbuff_t *plain_tvb = NULL;
 
         printf("%s:%s:%u: CipherValue->Parent->Parent[%p]\n", __FILE__, G_STRFUNC, __LINE__,
                 encrypted_frame);
         printf("%s:%s:%u: CipherValue->Parent->Parent[%s]\n", __FILE__, G_STRFUNC, __LINE__,
                 encrypted_frame->name_orig_case);
+
+        key_info_frame = xml_get_tag(encrypted_frame, "KeyInfo");
+        if (key_info_frame != NULL) {
+            token_frame = xml_get_tag(key_info_frame, "SecurityTokenReference");
+        }
+        if (token_frame != NULL) {
+            reference_frame = xml_get_tag(token_frame, "Reference");
+        }
+        if (reference_frame != NULL) {
+            uri_frame = xml_get_attrib(reference_frame, "URI");
+        }
+
+        printf("%s:%s:%u: key_info[%p] token[%p] reference[%p] uri[%p]\n", __FILE__, G_STRFUNC, __LINE__,
+               key_info_frame, token_frame, reference_frame, uri_frame);
+    fflush(stdout);
+        if (uri_frame != NULL) {
+            gchar *key_id = tvb_format_text(uri_frame->value, 0,
+                                            tvb_reported_length(uri_frame->value));
+
+
+        printf("%s:%s:%u: URI[%s]\n", __FILE__, G_STRFUNC, __LINE__,
+               key_id);
+    fflush(stdout);
+           key = (const struct decryption_key *)wmem_map_lookup(top_frame->decryption_keys, key_id);
+        }
+        if (key != NULL) {
+    printf("%s:%s:%u: key_id[%s] (%02x%02x%02x%02x...)\n", __FILE__, G_STRFUNC, __LINE__, key->id,
+                                    key->key[0] & 0xFF, key->key[1] & 0xFF,
+                                    key->key[2] & 0xFF, key->key[3] & 0xFF);
     fflush(stdout);
+            cdata_frame = xml_get_cdata(current_frame);
+        }
+        if (cdata_frame != NULL) {
+            gchar *text = tvb_format_text(cdata_frame->value, 0,
+                                          tvb_reported_length(cdata_frame->value));
+            crypt_tvb = base64_to_tvb(cdata_frame->value, text);
+        }
+        if (crypt_tvb != NULL) {
+               gcry_cipher_hd_t cipher_hd = NULL;
+                guint8 *data = NULL;
+                size_t data_length = tvb_reported_length(crypt_tvb);
+
+    printf("%s:%s:%u: data_length[%zu]\n", __FILE__, G_STRFUNC, __LINE__, data_length);
+    fflush(stdout);
+               data = (guint8 *)tvb_memdup(wmem_packet_scope(),
+                                            crypt_tvb, 0, data_length);
+
+               /* Open the cipher. */
+               gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CBC, 0);
+
+               gcry_cipher_setkey(cipher_hd, key->key, key->key_length);
+               //gcry_cipher_setctr(cipher_hd, A_1, NTLMSSP_KEY_LEN);
+               //gcry_cipher_encrypt(cipher_hd, plain_data, sti->size, NULL, 0);
+               //gcry_cipher_decrypt(cipher_hd, data, data_length, NULL, 0);
+               gcry_cipher_encrypt(cipher_hd, data, data_length, NULL, 0);
+               gcry_cipher_close(cipher_hd);
+
+               plain_tvb = tvb_new_child_real_data(crypt_tvb, data,
+                                                    data_length, data_length);
+                add_new_data_source(current_frame->pinfo, plain_tvb, "Decrypted Data");
+        }
     }
 #endif
 #if 0
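Review bot: The libgcrypt calls in the `crypt_tvb != NULL` branch ignore every return value, so a failed `gcry_cipher_open`, a `key->key_length` that AES-128 rejects, or a `data_length` that is not a multiple of the cipher block size still ends with the unmodified buffer being registered as "Decrypted Data". The branch also calls `gcry_cipher_encrypt` rather than `gcry_cipher_decrypt` and never sets an IV, which probably explains the incorrect output mentioned in the commit title. If the payload follows the XML Encryption CBC layout, the IV is the first block of the decoded CipherValue (confirm against a capture). The sketch below checks each step, takes the IV from the first block and adds the data source only on success; it does not strip trailing padding. Separately, the debug `printf` of `key->key[0]`..`key->key[3]` writes derived key material to stdout and should be removed before this leaves work-in-progress state.

```c
        if (crypt_tvb != NULL) {
            /* … unchanged: cipher_hd, data, data_length declarations and tvb_memdup … */
            const size_t blk_len = gcry_cipher_get_algo_blklen(GCRY_CIPHER_AES128);
            gcry_error_t err;

            /* Need one block of IV plus at least one whole block of ciphertext. */
            if (data_length > blk_len && (data_length % blk_len) == 0) {
                err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CBC, 0);
                if (err == 0) {
                    err = gcry_cipher_setkey(cipher_hd, key->key, key->key_length);
                }
                if (err == 0) {
                    /* Assumes the IV is the first block of CipherValue; confirm. */
                    err = gcry_cipher_setiv(cipher_hd, data, blk_len);
                }
                if (err == 0) {
                    err = gcry_cipher_decrypt(cipher_hd, data + blk_len,
                                              data_length - blk_len, NULL, 0);
                }
                if (cipher_hd != NULL) {
                    gcry_cipher_close(cipher_hd);
                }
                if (err == 0) {
                    plain_tvb = tvb_new_child_real_data(crypt_tvb, data + blk_len,
                                                        data_length - blk_len,
                                                        data_length - blk_len);
                    add_new_data_source(current_frame->pinfo, plain_tvb, "Decrypted Data");
                }
            }
        }
```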