epan/dissectors/packet-dcerpc.h

   1 /* packet-dcerpc.h
   2  * Copyright 2001, Todd Sabin <tas@webspan.net>
   3  * Copyright 2003, Tim Potter <tpot@samba.org>
   4  *
   5  * $Id$
   6  *
   7  * Ethereal - Network traffic analyzer
   8  * By Gerald Combs <gerald@ethereal.com>
   9  * Copyright 1998 Gerald Combs
  10  *
  11  * This program is free software; you can redistribute it and/or
  12  * modify it under the terms of the GNU General Public License
  13  * as published by the Free Software Foundation; either version 2
  14  * of the License, or (at your option) any later version.
  15  *
  16  * This program is distributed in the hope that it will be useful,
  17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19  * GNU General Public License for more details.
  20  *
  21  * You should have received a copy of the GNU General Public License
  22  * along with this program; if not, write to the Free Software
  23  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
  24  */
  25
  26 #ifndef __PACKET_DCERPC_H__
  27 #define __PACKET_DCERPC_H__
  28
  29 #include <epan/conversation.h>
  30
  31 typedef struct _e_uuid_t {
  32     guint32 Data1;
  33     guint16 Data2;
  34     guint16 Data3;
  35     guint8 Data4[8];
  36 } e_uuid_t;
  37
  38 /* %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x */
  39 #define DCERPC_UUID_STR_LEN 36+1
  40
  41 typedef struct _e_ctx_hnd {
  42     guint32 attributes;
  43     e_uuid_t uuid;
  44 } e_ctx_hnd;
  45
  46 typedef struct _e_dce_cn_common_hdr_t {
  47     guint8 rpc_ver;
  48     guint8 rpc_ver_minor;
  49     guint8 ptype;
  50     guint8 flags;
  51     guint8 drep[4];
  52     guint16 frag_len;
  53     guint16 auth_len;
  54     guint32 call_id;
  55 } e_dce_cn_common_hdr_t;
  56
  57 typedef struct _e_dce_dg_common_hdr_t {
  58     guint8 rpc_ver;
  59     guint8 ptype;
  60     guint8 flags1;
  61     guint8 flags2;
  62     guint8 drep[3];
  63     guint8 serial_hi;
  64     e_uuid_t obj_id;
  65     e_uuid_t if_id;
  66     e_uuid_t act_id;
  67     guint32 server_boot;
  68     guint32 if_ver;
  69     guint32 seqnum;
  70     guint16 opnum;
  71     guint16 ihint;
  72     guint16 ahint;
  73     guint16 frag_len;
  74     guint16 frag_num;
  75     guint8 auth_proto;
  76     guint8 serial_lo;
  77 } e_dce_dg_common_hdr_t;
  78
  79 typedef struct _dcerpc_auth_info {
  80   guint8 auth_pad_len;
  81   guint8 auth_level;
  82   guint8 auth_type;
  83   guint32 auth_size;
  84   tvbuff_t *auth_data;
  85 } dcerpc_auth_info;
  86
  87 #define PDU_REQ         0
  88 #define PDU_PING        1
  89 #define PDU_RESP        2
  90 #define PDU_FAULT       3
  91 #define PDU_WORKING     4
  92 #define PDU_NOCALL      5
  93 #define PDU_REJECT      6
  94 #define PDU_ACK         7
  95 #define PDU_CL_CANCEL   8
  96 #define PDU_FACK        9
  97 #define PDU_CANCEL_ACK 10
  98 #define PDU_BIND       11
  99 #define PDU_BIND_ACK   12
 100 #define PDU_BIND_NAK   13
 101 #define PDU_ALTER      14
 102 #define PDU_ALTER_ACK  15
 103 #define PDU_AUTH3      16
 104 #define PDU_SHUTDOWN   17
 105 #define PDU_CO_CANCEL  18
 106 #define PDU_ORPHANED   19
 107
 108
 109 /*
 110  * helpers for packet-dcerpc.c and packet-dcerpc-ndr.c
 111  * If you're writing a subdissector, you almost certainly want the
 112  * NDR functions below.
 113  */
 114 guint16 dcerpc_tvb_get_ntohs (tvbuff_t *tvb, gint offset, guint8 *drep);
 115 guint32 dcerpc_tvb_get_ntohl (tvbuff_t *tvb, gint offset, guint8 *drep);
 116 void dcerpc_tvb_get_uuid (tvbuff_t *tvb, gint offset, guint8 *drep, e_uuid_t *uuid);
 117 int dissect_dcerpc_uint8 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 118                           proto_tree *tree, guint8 *drep,
 119                           int hfindex, guint8 *pdata);
 120 int dissect_dcerpc_uint16 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 121                            proto_tree *tree, guint8 *drep,
 122                            int hfindex, guint16 *pdata);
 123 int dissect_dcerpc_uint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 124                            proto_tree *tree, guint8 *drep,
 125                            int hfindex, guint32 *pdata);
 126 int dissect_dcerpc_uint64 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 127                            proto_tree *tree, guint8 *drep,
 128                            int hfindex, guint64 *pdata);
 129 int dissect_dcerpc_float  (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 130                            proto_tree *tree, guint8 *drep,
 131                            int hfindex, gfloat *pdata);
 132 int dissect_dcerpc_double (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 133                            proto_tree *tree, guint8 *drep,
 134                            int hfindex, gdouble *pdata);
 135 int dissect_dcerpc_time_t (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 136                            proto_tree *tree, guint8 *drep,
 137                            int hfindex, guint32 *pdata);
 138 int dissect_dcerpc_uuid_t (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 139                            proto_tree *tree, char *drep,
 140                            int hfindex, e_uuid_t *pdata);
 141
 142 /*
 143  * NDR routines for subdissectors.
 144  */
 145 int dissect_ndr_uint8 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 146                        proto_tree *tree, guint8 *drep,
 147                        int hfindex, guint8 *pdata);
 148 int dissect_ndr_uint16 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 149                         proto_tree *tree, guint8 *drep,
 150                         int hfindex, guint16 *pdata);
 151 int dissect_ndr_uint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 152                         proto_tree *tree, guint8 *drep,
 153                         int hfindex, guint32 *pdata);
 154 int dissect_ndr_duint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 155                         proto_tree *tree, guint8 *drep,
 156                         int hfindex, guint64 *pdata);
 157 int dissect_ndr_uint64 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 158                         proto_tree *tree, guint8 *drep,
 159                         int hfindex, guint64 *pdata);
 160 int dissect_ndr_float (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 161                         proto_tree *tree, guint8 *drep,
 162                         int hfindex, gfloat *pdata);
 163 int dissect_ndr_double (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 164                         proto_tree *tree, guint8 *drep,
 165                         int hfindex, gdouble *pdata);
 166 int dissect_ndr_time_t (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 167                         proto_tree *tree, guint8 *drep,
 168                         int hfindex, guint32 *pdata);
 169 int dissect_ndr_uuid_t (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 170                         proto_tree *tree, guint8 *drep,
 171                         int hfindex, e_uuid_t *pdata);
 172 int dissect_ndr_ctx_hnd (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 173                          proto_tree *tree, guint8 *drep,
 174                          int hfindex, e_ctx_hnd *pdata);
 175
 176 typedef int (dcerpc_dissect_fnct_t)(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep);
 177
 178 typedef void (dcerpc_callback_fnct_t)(packet_info *pinfo, proto_tree *tree, proto_item *item, tvbuff_t *tvb, int start_offset, int end_offset, void *callback_args);
 179
 180 #define NDR_POINTER_REF         1
 181 #define NDR_POINTER_UNIQUE      2
 182 #define NDR_POINTER_PTR         3
 183
 184 int dissect_ndr_pointer_cb(tvbuff_t *tvb, gint offset, packet_info *pinfo,
 185                            proto_tree *tree, guint8 *drep,
 186                            dcerpc_dissect_fnct_t *fnct, int type, char *text,
 187                            int hf_index, dcerpc_callback_fnct_t *callback,
 188                            void *callback_args);
 189
 190 int dissect_ndr_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
 191                         proto_tree *tree, guint8 *drep,
 192                         dcerpc_dissect_fnct_t *fnct, int type, char *text,
 193                         int hf_index);
 194 int dissect_deferred_pointers(packet_info *pinfo, tvbuff_t *tvb, int offset, guint8 *drep);
 195 int dissect_ndr_embedded_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
 196                         proto_tree *tree, guint8 *drep,
 197                         dcerpc_dissect_fnct_t *fnct, int type, char *text,
 198                         int hf_index);
 199 int dissect_ndr_toplevel_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
 200                         proto_tree *tree, guint8 *drep,
 201                         dcerpc_dissect_fnct_t *fnct, int type, char *text,
 202                         int hf_index);
 203
 204 /* dissect a NDR unidimensional conformant array */
 205 int dissect_ndr_ucarray(tvbuff_t *tvb, gint offset, packet_info *pinfo,
 206                         proto_tree *tree, guint8 *drep,
 207                         dcerpc_dissect_fnct_t *fnct);
 208
 209 /* dissect a NDR unidimensional conformant and varying array */
 210 int dissect_ndr_ucvarray(tvbuff_t *tvb, gint offset, packet_info *pinfo,
 211                         proto_tree *tree, guint8 *drep,
 212                         dcerpc_dissect_fnct_t *fnct);
 213
 214 /* dissect a NDR unidimensional varying array */
 215 int dissect_ndr_uvarray(tvbuff_t *tvb, gint offset, packet_info *pinfo,
 216                         proto_tree *tree, guint8 *drep,
 217                         dcerpc_dissect_fnct_t *fnct);
 218
 219 int dissect_ndr_byte_array(tvbuff_t *tvb, int offset, packet_info *pinfo,
 220                            proto_tree *tree, guint8 *drep);
 221
 222 int dissect_ndr_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
 223                          proto_tree *tree, guint8 *drep, int size_is,
 224                          int hfinfo, gboolean add_subtree,
 225                          char **data);
 226 int dissect_ndr_char_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
 227                            proto_tree *tree, guint8 *drep);
 228 int dissect_ndr_wchar_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
 229                             proto_tree *tree, guint8 *drep);
 230 int dissect_ndr_vstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
 231                          proto_tree *tree, guint8 *drep, int size_is,
 232                          int hfinfo, gboolean add_subtree,
 233                          char **data);
 234 int dissect_ndr_char_vstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
 235                            proto_tree *tree, guint8 *drep);
 236 int dissect_ndr_wchar_vstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
 237                             proto_tree *tree, guint8 *drep);
 238
 239 typedef struct _dcerpc_sub_dissector {
 240     guint16 num;
 241     gchar   *name;
 242     dcerpc_dissect_fnct_t *dissect_rqst;
 243     dcerpc_dissect_fnct_t *dissect_resp;
 244 } dcerpc_sub_dissector;
 245
 246 /* registration function for subdissectors */
 247 void dcerpc_init_uuid (int proto, int ett, e_uuid_t *uuid, guint16 ver, dcerpc_sub_dissector *procs, int opnum_hf);
 248 char *dcerpc_get_proto_name(e_uuid_t *uuid, guint16 ver);
 249 int dcerpc_get_proto_hf_opnum(e_uuid_t *uuid, guint16 ver);
 250 dcerpc_sub_dissector *dcerpc_get_proto_sub_dissector(e_uuid_t *uuid, guint16 ver);
 251
 252 /* Create a opnum, name value_string from a subdissector list */
 253
 254 value_string *value_string_from_subdissectors(dcerpc_sub_dissector *sd);
 255
 256 /* try to get protocol name registered for this uuid */
 257 gchar *dcerpc_get_uuid_name(e_uuid_t *uuid, guint16 ver);
 258
 259 /* Private data passed to subdissectors from the main DCERPC dissector. */
 260 typedef struct _dcerpc_call_value {
 261     e_uuid_t uuid;
 262     guint16 ver;
 263     guint16 opnum;
 264     guint32 req_frame;
 265     nstime_t req_time;
 266     guint32 rep_frame;
 267     guint32 max_ptr;
 268     void *private_data;
 269 } dcerpc_call_value;
 270
 271 typedef struct _dcerpc_info {
 272         conversation_t *conv;   /* Which TCP stream we are in */
 273         guint32 call_id;        /* Context id for this call */
 274         guint16 smb_fid;        /* FID for DCERPC over SMB */
 275     guint8 ptype;       /* packet type: PDU_REQ, PDU_RESP, ... */
 276         gboolean conformant_run;
 277         gint32 conformant_eaten; /* how many bytes did the conformant run eat?*/
 278         guint32 array_max_count;        /* max_count for conformant arrays */
 279         guint32 array_max_count_offset;
 280         guint32 array_offset;
 281         guint32 array_offset_offset;
 282         guint32 array_actual_count;
 283         guint32 array_actual_count_offset;
 284         int hf_index;
 285         dcerpc_call_value *call_data;
 286         void *private_data;
 287 } dcerpc_info;
 288
 289
 290 /* the init_protocol hooks. With MSVC and a
 291  * libethereal.dll, we need a special declaration.
 292  */
 293 ETH_VAR_IMPORT GHookList dcerpc_hooks_init_protos;
 294
 295 /* the registered subdissectors. With MSVC and a
 296  * libethereal.dll, we need a special declaration.
 297  */
 298 ETH_VAR_IMPORT GHashTable *dcerpc_uuids;
 299
 300 typedef struct _dcerpc_uuid_key {
 301     e_uuid_t uuid;
 302     guint16 ver;
 303 } dcerpc_uuid_key;
 304
 305 typedef struct _dcerpc_uuid_value {
 306     protocol_t *proto;
 307     int proto_id;
 308     int ett;
 309     gchar *name;
 310     dcerpc_sub_dissector *procs;
 311     int opnum_hf;
 312 } dcerpc_uuid_value;
 313
 314 /* Authenticated pipe registration functions and miscellanea */
 315
 316 typedef tvbuff_t *(dcerpc_decode_data_fnct_t)(tvbuff_t *data_tvb,
 317                                               tvbuff_t *auth_tvb,
 318                                               int offset,
 319                                               packet_info *pinfo,
 320                                               dcerpc_auth_info *auth_info);
 321
 322 typedef struct _dcerpc_auth_subdissector_fns {
 323
 324         /* Dissect credentials and verifiers */
 325
 326         dcerpc_dissect_fnct_t *bind_fn;
 327         dcerpc_dissect_fnct_t *bind_ack_fn;
 328         dcerpc_dissect_fnct_t *auth3_fn;
 329         dcerpc_dissect_fnct_t *req_verf_fn;
 330         dcerpc_dissect_fnct_t *resp_verf_fn;
 331
 332         /* Decrypt encrypted requests/response PDUs */
 333
 334         dcerpc_decode_data_fnct_t *req_data_fn;
 335         dcerpc_decode_data_fnct_t *resp_data_fn;
 336
 337 } dcerpc_auth_subdissector_fns;
 338
 339 void register_dcerpc_auth_subdissector(guint8 auth_level, guint8 auth_type,
 340                                        dcerpc_auth_subdissector_fns *fns);
 341
 342 /* all values needed to (re-)build a dcerpc binding */
 343 typedef struct decode_dcerpc_bind_values_s {
 344     /* values of a typical conversation */
 345     address addr_a;
 346     address addr_b;
 347     port_type ptype;
 348     guint32 port_a;
 349     guint32 port_b;
 350     /* dcerpc conversation specific */
 351     guint16 ctx_id;
 352     guint16 smb_fid;
 353     /* corresponding "interface" */
 354     GString *ifname;
 355     e_uuid_t uuid;
 356     guint16 ver;
 357 } decode_dcerpc_bind_values_t;
 358
 359 /* Helper for "decode as" dialog to set up a UUID/conversation binding. */
 360 struct _dcerpc_bind_value *
 361 dcerpc_add_conv_to_bind_table(decode_dcerpc_bind_values_t *binding);
 362
 363 guint16
 364 dcerpc_get_transport_salt (packet_info *pinfo);
 365
 366 /* Authentication services */
 367
 368 /*
 369  * For MS-specific SSPs (Security Service Provider), see
 370  *
 371  * http://msdn.microsoft.com/library/en-us/rpc/rpc/authentication_level_constants.asp
 372  */
 373
 374 #define DCE_C_RPC_AUTHN_PROTOCOL_NONE           0
 375 #define DCE_C_RPC_AUTHN_PROTOCOL_KRB5           1
 376 #define DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO         9
 377 #define DCE_C_RPC_AUTHN_PROTOCOL_NTLMSSP        10
 378 #define DCE_C_RPC_AUTHN_PROTOCOL_GSS_SCHANNEL   14
 379 #define DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS   16
 380 #define DCE_C_RPC_AUTHN_PROTOCOL_DPA            17
 381 #define DCE_C_RPC_AUTHN_PROTOCOL_MSN            18
 382 #define DCE_C_RPC_AUTHN_PROTOCOL_DIGEST         21
 383 #define DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN       68
 384 #define DCE_C_RPC_AUTHN_PROTOCOL_MQ             100
 385
 386 /* Protection levels */
 387
 388 #define DCE_C_AUTHN_LEVEL_NONE          1
 389 #define DCE_C_AUTHN_LEVEL_CONNECT       2
 390 #define DCE_C_AUTHN_LEVEL_CALL          3
 391 #define DCE_C_AUTHN_LEVEL_PKT           4
 392 #define DCE_C_AUTHN_LEVEL_PKT_INTEGRITY 5
 393 #define DCE_C_AUTHN_LEVEL_PKT_PRIVACY   6
 394
 395 void
 396 init_ndr_pointer_list(packet_info *pinfo);
 397
 398 #endif /* packet-dcerpc.h */