Wireshark  4.3.0
The Wireshark network protocol analyzer
packet-dcerpc.h
1 /* packet-dcerpc.h
2  * Copyright 2001, Todd Sabin <tas@webspan.net>
3  * Copyright 2003, Tim Potter <tpot@samba.org>
4  *
5  * Wireshark - Network traffic analyzer
6  * By Gerald Combs <gerald@wireshark.org>
7  * Copyright 1998 Gerald Combs
8  *
9  * SPDX-License-Identifier: GPL-2.0-or-later
10  */
11 
12 #ifndef __PACKET_DCERPC_H__
13 #define __PACKET_DCERPC_H__
14 
15 #include <epan/conversation.h>
16 #include "ws_symbol_export.h"
17 
18 #ifdef __cplusplus
19 extern "C" {
20 #endif /* __cplusplus */
21 
22 #define DCERPC_TABLE_NAME "dcerpc.uuid"
23 /*
24  * Data representation.
25  */
26 #define DREP_LITTLE_ENDIAN 0x10
27 
28 #define DREP_EBCDIC 0x01
29 
30 /*
31  * Data representation to integer byte order.
32  */
33 #define DREP_ENC_INTEGER(drep) \
34  (((drep)[0] & DREP_LITTLE_ENDIAN) ? ENC_LITTLE_ENDIAN : ENC_BIG_ENDIAN)
35 
36 /*
37  * Data representation to (octet-string) character encoding.
38  */
39 #define DREP_ENC_CHAR(drep) \
40  (((drep)[0] & DREP_EBCDIC) ? ENC_EBCDIC|ENC_NA : ENC_ASCII|ENC_NA)
41 
42 #ifdef PT_R4
43 /* now glib always includes signal.h and on linux PPC
44  * signal.h defines PT_R4
45 */
46 #undef PT_R4
47 #endif
48 
49 #define DCERPC_UUID_NULL { 0,0,0, {0,0,0,0,0,0,0,0} }
50 
51 /* %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x */
52 #define DCERPC_UUID_STR_LEN 36+1
53 
54 typedef struct _e_ctx_hnd {
55  guint32 attributes;
56  e_guid_t uuid;
57 } e_ctx_hnd;
58 
59 typedef struct _e_dce_cn_common_hdr_t {
60  guint8 rpc_ver;
61  guint8 rpc_ver_minor;
62  guint8 ptype;
63  guint8 flags;
64  guint8 drep[4];
65  guint16 frag_len;
66  guint16 auth_len;
67  guint32 call_id;
69 
70 typedef struct _e_dce_dg_common_hdr_t {
71  guint8 rpc_ver;
72  guint8 ptype;
73  guint8 flags1;
74  guint8 flags2;
75  guint8 drep[3];
76  guint8 serial_hi;
77  e_guid_t obj_id;
78  e_guid_t if_id;
79  e_guid_t act_id;
80  guint32 server_boot;
81  guint32 if_ver;
82  guint32 seqnum;
83  guint16 opnum;
84  guint16 ihint;
85  guint16 ahint;
86  guint16 frag_len;
87  guint16 frag_num;
88  guint8 auth_proto;
89  guint8 serial_lo;
91 
93 
94 typedef struct _dcerpc_auth_info {
95  gboolean hdr_signing;
96  guint8 auth_type;
97  guint8 auth_level;
98  guint32 auth_context_id;
99  guint8 auth_pad_len;
100  guint32 auth_size;
101  struct _dcerpc_auth_subdissector_fns *auth_fns;
102  tvbuff_t *auth_hdr_tvb;
103  tvbuff_t *auth_tvb;
104  proto_item *auth_item;
105  proto_tree *auth_tree;
107 
108 typedef struct dcerpcstat_tap_data
109 {
110  const char *prog;
111  e_guid_t uuid;
112  guint16 ver;
113  int num_procedures;
115 
116 /* Private data passed to subdissectors from the main DCERPC dissector.
117  * One unique instance of this structure is created for each
118  * DCERPC request/response transaction when we see the initial request
119  * of the transaction.
120  * These instances are persistent and will remain available until the
121  * capture file is closed and a new one is read.
122  *
123  * For transactions where we never saw the request (missing from the trace)
124  * the dcerpc runtime will create a temporary "fake" such structure to pass
125  * to the response dissector. These fake structures are not persistent
126  * and can not be used to keep data hanging around.
127  */
128 typedef struct _dcerpc_call_value {
129  e_guid_t uuid; /* interface UUID */
130  guint16 ver; /* interface version */
131  e_guid_t object_uuid; /* optional object UUID (or DCERPC_UUID_NULL) */
132  guint16 opnum;
133  guint32 req_frame;
134  nstime_t req_time;
135  guint32 rep_frame;
136  guint32 max_ptr;
137  void *se_data; /* This holds any data with se allocation scope
138  * that we might want to keep
139  * for this request/response transaction.
140  * The pointer is initialized to NULL and must be
141  * checked before being dereferenced.
142  * This is useful for such things as when we
143  * need to pass persistent data from the request
144  * to the reply, such as LSA/OpenPolicy2() that
145  * uses this to pass the domain name from the
146  * request to the reply.
147  */
148  void *private_data; /* XXX This will later be renamed as ep_data */
149  e_ctx_hnd *pol; /* policy handle tracked between request/response*/
150 #define DCERPC_IS_NDR64 0x00000001
151  guint32 flags; /* flags for this transaction */
153 
154 typedef struct _dcerpc_info {
155  conversation_t *conv; /* Which TCP stream we are in */
156  guint32 call_id; /* Call ID for this call */
157  guint64 transport_salt; /* e.g. FID for DCERPC over SMB */
158  guint8 ptype; /* packet type: PDU_REQ, PDU_RESP, ... */
159  gboolean conformant_run;
160  gboolean no_align; /* are data aligned? (default yes) */
161  gint32 conformant_eaten; /* how many bytes did the conformant run eat?*/
162  guint32 array_max_count; /* max_count for conformant arrays */
163  guint32 array_max_count_offset;
164  guint32 array_offset;
165  guint32 array_offset_offset;
166  guint32 array_actual_count;
167  guint32 array_actual_count_offset;
168  int hf_index;
169  dcerpc_call_value *call_data;
170  const char *dcerpc_procedure_name; /* Used by PIDL to store the name of the current dcerpc procedure */
171  void *private_data;
172 
173  /* ndr pointer handling */
174  struct {
175  /* Should we re-read the size of the list ?
176  * Instead of re-calculating the size every time, use the stored value unless this
177  * flag is set which means: re-read the size of the list
178  */
179  gboolean must_check_size;
180  /*
181  * List of pointers encountered so far in the current level. Points to an
182  * element of list_ndr_pointer_list.
183  */
184  GSList *list;
185  GHashTable *hash;
186  /*
187  * List of pointer list, in order to avoid huge performance penalty
188  * when dealing with list bigger than 100 elements due to the way we
189  * try to insert in the list.
190  * We instead maintain a stack of pointer list
191  * To make it easier to manage we just use a list to materialize the stack
192  */
193  GSList *list_list;
194 
195  /* Boolean controlling whether pointers are top-level or embedded */
196  gboolean are_top_level;
197  } pointers;
198 } dcerpc_info;
199 
200 #define PDU_REQ 0
201 #define PDU_PING 1
202 #define PDU_RESP 2
203 #define PDU_FAULT 3
204 #define PDU_WORKING 4
205 #define PDU_NOCALL 5
206 #define PDU_REJECT 6
207 #define PDU_ACK 7
208 #define PDU_CL_CANCEL 8
209 #define PDU_FACK 9
210 #define PDU_CANCEL_ACK 10
211 #define PDU_BIND 11
212 #define PDU_BIND_ACK 12
213 #define PDU_BIND_NAK 13
214 #define PDU_ALTER 14
215 #define PDU_ALTER_ACK 15
216 #define PDU_AUTH3 16
217 #define PDU_SHUTDOWN 17
218 #define PDU_CO_CANCEL 18
219 #define PDU_ORPHANED 19
220 #define PDU_RTS 20
221 
222 /*
223  * helpers for packet-dcerpc.c and packet-dcerpc-ndr.c
224  * If you're writing a subdissector, you almost certainly want the
225  * NDR functions below.
226  */
227 guint16 dcerpc_tvb_get_ntohs (tvbuff_t *tvb, gint offset, guint8 *drep);
228 guint32 dcerpc_tvb_get_ntohl (tvbuff_t *tvb, gint offset, guint8 *drep);
229 void dcerpc_tvb_get_uuid (tvbuff_t *tvb, gint offset, guint8 *drep, e_guid_t *uuid);
230 WS_DLL_PUBLIC
231 int dissect_dcerpc_char (tvbuff_t *tvb, gint offset, packet_info *pinfo,
232  proto_tree *tree, guint8 *drep,
233  int hfindex, guint8 *pdata);
234 WS_DLL_PUBLIC
235 int dissect_dcerpc_uint8 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
236  proto_tree *tree, guint8 *drep,
237  int hfindex, guint8 *pdata);
238 WS_DLL_PUBLIC
239 int dissect_dcerpc_uint16 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
240  proto_tree *tree, guint8 *drep,
241  int hfindex, guint16 *pdata);
242 WS_DLL_PUBLIC
243 int dissect_dcerpc_uint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
244  proto_tree *tree, guint8 *drep,
245  int hfindex, guint32 *pdata);
246 WS_DLL_PUBLIC
247 int dissect_dcerpc_uint64 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
248  proto_tree *tree, dcerpc_info *di, guint8 *drep,
249  int hfindex, guint64 *pdata);
250 int dissect_dcerpc_float (tvbuff_t *tvb, gint offset, packet_info *pinfo,
251  proto_tree *tree, guint8 *drep,
252  int hfindex, gfloat *pdata);
253 int dissect_dcerpc_double (tvbuff_t *tvb, gint offset, packet_info *pinfo,
254  proto_tree *tree, guint8 *drep,
255  int hfindex, gdouble *pdata);
256 int dissect_dcerpc_time_t (tvbuff_t *tvb, gint offset, packet_info *pinfo,
257  proto_tree *tree, guint8 *drep,
258  int hfindex, guint32 *pdata);
259 WS_DLL_PUBLIC
260 int dissect_dcerpc_uuid_t (tvbuff_t *tvb, gint offset, packet_info *pinfo,
261  proto_tree *tree, guint8 *drep,
262  int hfindex, e_guid_t *pdata);
263 
264 /*
265  * NDR routines for subdissectors.
266  */
267 WS_DLL_PUBLIC
268 int dissect_ndr_uint8 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
269  proto_tree *tree, dcerpc_info *di, guint8 *drep,
270  int hfindex, guint8 *pdata);
271 int PIDL_dissect_uint8 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param);
272 int PIDL_dissect_uint8_val (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param, guint8 *pval);
273 WS_DLL_PUBLIC
274 int dissect_ndr_uint16 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
275  proto_tree *tree, dcerpc_info *di, guint8 *drep,
276  int hfindex, guint16 *pdata);
277 int PIDL_dissect_uint16 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param);
278 int PIDL_dissect_uint16_val (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param, guint16 *pval);
279 WS_DLL_PUBLIC
280 int dissect_ndr_uint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
281  proto_tree *tree, dcerpc_info *di, guint8 *drep,
282  int hfindex, guint32 *pdata);
283 int PIDL_dissect_uint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param);
284 int PIDL_dissect_uint32_val (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param, guint32 *rval);
285 WS_DLL_PUBLIC
286 int dissect_ndr_duint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
287  proto_tree *tree, dcerpc_info *di, guint8 *drep,
288  int hfindex, guint64 *pdata);
289 WS_DLL_PUBLIC
290 int dissect_ndr_uint64 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
291  proto_tree *tree, dcerpc_info *di, guint8 *drep,
292  int hfindex, guint64 *pdata);
293 int PIDL_dissect_uint64 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param);
294 int PIDL_dissect_uint64_val (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param, guint64 *pval);
295 WS_DLL_PUBLIC
296 int dissect_ndr_float (tvbuff_t *tvb, gint offset, packet_info *pinfo,
297  proto_tree *tree, dcerpc_info *di, guint8 *drep,
298  int hfindex, gfloat *pdata);
299 WS_DLL_PUBLIC
300 int dissect_ndr_double (tvbuff_t *tvb, gint offset, packet_info *pinfo,
301  proto_tree *tree, dcerpc_info *di, guint8 *drep,
302  int hfindex, gdouble *pdata);
303 
304 WS_DLL_PUBLIC
305 int dissect_ndr_time_t (tvbuff_t *tvb, gint offset, packet_info *pinfo,
306  proto_tree *tree, dcerpc_info *di, guint8 *drep,
307  int hfindex, guint32 *pdata);
308 WS_DLL_PUBLIC
309 int dissect_ndr_uuid_t (tvbuff_t *tvb, gint offset, packet_info *pinfo,
310  proto_tree *tree, dcerpc_info *di, guint8 *drep,
311  int hfindex, e_guid_t *pdata);
312 int dissect_ndr_ctx_hnd (tvbuff_t *tvb, gint offset, packet_info *pinfo,
313  proto_tree *tree, dcerpc_info *di, guint8 *drep,
314  int hfindex, e_ctx_hnd *pdata);
315 
316 #define FT_UINT1632 FT_UINT32
317 typedef guint32 guint1632;
318 
319 WS_DLL_PUBLIC
320 int dissect_ndr_uint1632 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
321  proto_tree *tree, dcerpc_info *di, guint8 *drep,
322  int hfindex, guint1632 *pdata);
323 
324 typedef guint64 guint3264;
325 
326 WS_DLL_PUBLIC
327 int dissect_ndr_uint3264 (tvbuff_t *tvb, gint offset, packet_info *pinfo,
328  proto_tree *tree, dcerpc_info *di, guint8 *drep,
329  int hfindex, guint3264 *pdata);
330 
331 typedef int (dcerpc_dissect_fnct_t)(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep);
332 typedef int (dcerpc_dissect_fnct_blk_t)(tvbuff_t *tvb, int offset, int length, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep);
333 
334 typedef void (dcerpc_callback_fnct_t)(packet_info *pinfo, proto_tree *tree, proto_item *item, dcerpc_info *di, tvbuff_t *tvb, int start_offset, int end_offset, void *callback_args);
335 
336 #define NDR_POINTER_REF 1
337 #define NDR_POINTER_UNIQUE 2
338 #define NDR_POINTER_PTR 3
339 
340 int dissect_ndr_pointer_cb(tvbuff_t *tvb, gint offset, packet_info *pinfo,
341  proto_tree *tree, dcerpc_info *di, guint8 *drep,
342  dcerpc_dissect_fnct_t *fnct, int type, const char *text,
343  int hf_index, dcerpc_callback_fnct_t *callback,
344  void *callback_args);
345 
346 int dissect_ndr_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
347  proto_tree *tree, dcerpc_info *di, guint8 *drep,
348  dcerpc_dissect_fnct_t *fnct, int type, const char *text,
349  int hf_index);
350 int dissect_deferred_pointers(packet_info *pinfo, tvbuff_t *tvb, int offset, dcerpc_info *di, guint8 *drep);
351 int dissect_ndr_embedded_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
352  proto_tree *tree, dcerpc_info *di, guint8 *drep,
353  dcerpc_dissect_fnct_t *fnct, int type, const char *text,
354  int hf_index);
355 int dissect_ndr_toplevel_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
356  proto_tree *tree, dcerpc_info *di, guint8 *drep,
357  dcerpc_dissect_fnct_t *fnct, int type, const char *text,
358  int hf_index);
359 
360 /* dissect a NDR unidimensional conformant array */
361 int dissect_ndr_ucarray(tvbuff_t *tvb, gint offset, packet_info *pinfo,
362  proto_tree *tree, dcerpc_info *di, guint8 *drep,
363  dcerpc_dissect_fnct_t *fnct);
364 
365 int dissect_ndr_ucarray_block(tvbuff_t *tvb, gint offset, packet_info *pinfo,
366  proto_tree *tree, dcerpc_info *di, guint8 *drep,
367  dcerpc_dissect_fnct_blk_t *fnct);
368 
369 /* dissect a NDR unidimensional conformant and varying array
370  * each byte in the array is processed separately
371  */
372 int dissect_ndr_ucvarray(tvbuff_t *tvb, gint offset, packet_info *pinfo,
373  proto_tree *tree, dcerpc_info *di, guint8 *drep,
374  dcerpc_dissect_fnct_t *fnct);
375 
376 int dissect_ndr_ucvarray_block(tvbuff_t *tvb, gint offset, packet_info *pinfo,
377  proto_tree *tree, dcerpc_info *di, guint8 *drep,
378  dcerpc_dissect_fnct_blk_t *fnct);
379 
380 /* dissect a NDR unidimensional varying array */
381 int dissect_ndr_uvarray(tvbuff_t *tvb, gint offset, packet_info *pinfo,
382  proto_tree *tree, dcerpc_info *di, guint8 *drep,
383  dcerpc_dissect_fnct_t *fnct);
384 
385 int dissect_ndr_byte_array(tvbuff_t *tvb, int offset, packet_info *pinfo,
386  proto_tree *tree, dcerpc_info *di, guint8 *drep);
387 
388 int dissect_ndr_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
389  proto_tree *tree, dcerpc_info *di, guint8 *drep, int size_is,
390  int hfinfo, gboolean add_subtree,
391  char **data);
392 int dissect_ndr_char_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
393  proto_tree *tree, dcerpc_info *di, guint8 *drep);
394 int dissect_ndr_wchar_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
395  proto_tree *tree, dcerpc_info *di, guint8 *drep);
396 int PIDL_dissect_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int chsize, int hfindex, guint32 param);
397 
398 int dissect_ndr_cstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
399  proto_tree *tree, dcerpc_info *di, guint8 *drep, int size_is,
400  int hfindex, gboolean add_subtree, char **data);
401 int dissect_ndr_vstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
402  proto_tree *tree, dcerpc_info *di, guint8 *drep, int size_is,
403  int hfinfo, gboolean add_subtree,
404  char **data);
405 int dissect_ndr_char_vstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
406  proto_tree *tree, dcerpc_info *di, guint8 *drep);
407 int dissect_ndr_wchar_vstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
408  proto_tree *tree, dcerpc_info *di, guint8 *drep);
409 
410 typedef struct _dcerpc_sub_dissector {
411  guint16 num;
412  const gchar *name;
413  dcerpc_dissect_fnct_t *dissect_rqst;
414  dcerpc_dissect_fnct_t *dissect_resp;
416 
417 /* registration function for subdissectors */
418 WS_DLL_PUBLIC
419 void dcerpc_init_uuid (int proto, int ett, e_guid_t *uuid, guint16 ver, const dcerpc_sub_dissector *procs, int opnum_hf);
420 WS_DLL_PUBLIC
421 void dcerpc_init_from_handle(int proto, e_guid_t *uuid, guint16 ver, dissector_handle_t guid_handle);
422 WS_DLL_PUBLIC
423 const char *dcerpc_get_proto_name(e_guid_t *uuid, guint16 ver);
424 WS_DLL_PUBLIC
425 int dcerpc_get_proto_hf_opnum(e_guid_t *uuid, guint16 ver);
426 WS_DLL_PUBLIC
427 const dcerpc_sub_dissector *dcerpc_get_proto_sub_dissector(e_guid_t *uuid, guint16 ver);
428 
429 /* Create a opnum, name value_string from a subdissector list */
430 
431 value_string *value_string_from_subdissectors(const dcerpc_sub_dissector *sd);
432 
433 /* Decode As... functionality */
434 /* remove all bindings */
435 WS_DLL_PUBLIC void decode_dcerpc_reset_all(void);
436 typedef void (*decode_add_show_list_func)(gpointer data, gpointer user_data);
437 WS_DLL_PUBLIC void decode_dcerpc_add_show_list(decode_add_show_list_func func, gpointer user_data);
438 
439 
440 /* the registered subdissectors. With MSVC and a
441  * libwireshark.dll, we need a special declaration.
442  */
443 /* Key: guid_key *
444  * Value: dcerpc_uuid_value *
445  */
446 WS_DLL_PUBLIC GHashTable *dcerpc_uuids;
447 
448 typedef struct _dcerpc_uuid_value {
449  protocol_t *proto;
450  int proto_id;
451  int ett;
452  const gchar *name;
453  const dcerpc_sub_dissector *procs;
454  int opnum_hf;
456 
457 /* Authenticated pipe registration functions and miscellanea */
458 
459 typedef tvbuff_t *(dcerpc_decode_data_fnct_t)(tvbuff_t *header_tvb,
460  tvbuff_t *payload_tvb,
461  tvbuff_t *trailer_tvb,
462  tvbuff_t *auth_tvb,
463  packet_info *pinfo,
464  dcerpc_auth_info *auth_info);
465 
467 
468  /* Dissect credentials and verifiers */
469 
470  dcerpc_dissect_fnct_t *bind_fn;
471  dcerpc_dissect_fnct_t *bind_ack_fn;
472  dcerpc_dissect_fnct_t *auth3_fn;
473  dcerpc_dissect_fnct_t *req_verf_fn;
474  dcerpc_dissect_fnct_t *resp_verf_fn;
475 
476  /* Decrypt encrypted requests/response PDUs */
477 
478  dcerpc_decode_data_fnct_t *req_data_fn;
479  dcerpc_decode_data_fnct_t *resp_data_fn;
480 
482 
483 void register_dcerpc_auth_subdissector(guint8 auth_level, guint8 auth_type,
485 
486 /* all values needed to (re-)build a dcerpc binding */
488  /* values of a typical conversation */
489  address addr_a;
490  address addr_b;
491  port_type ptype;
492  guint32 port_a;
493  guint32 port_b;
494  /* dcerpc conversation specific */
495  guint16 ctx_id;
496  guint64 transport_salt;
497  /* corresponding "interface" */
498  GString *ifname;
499  e_guid_t uuid;
500  guint16 ver;
502 
503 WS_DLL_PUBLIC guint64 dcerpc_get_transport_salt(packet_info *pinfo);
504 WS_DLL_PUBLIC void dcerpc_set_transport_salt(guint64 dcetransportsalt, packet_info *pinfo);
505 
506 /* Authentication services */
507 
508 /*
509  * For MS-specific SSPs (Security Service Provider), see
510  *
511  * https://docs.microsoft.com/en-us/windows/win32/rpc/authentication-level-constants
512  */
513 
514 #define DCE_C_RPC_AUTHN_PROTOCOL_NONE 0
515 #define DCE_C_RPC_AUTHN_PROTOCOL_KRB5 1
516 #define DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO 9
517 #define DCE_C_RPC_AUTHN_PROTOCOL_NTLMSSP 10
518 #define DCE_C_RPC_AUTHN_PROTOCOL_GSS_SCHANNEL 14
519 #define DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS 16
520 #define DCE_C_RPC_AUTHN_PROTOCOL_DPA 17
521 #define DCE_C_RPC_AUTHN_PROTOCOL_MSN 18
522 #define DCE_C_RPC_AUTHN_PROTOCOL_DIGEST 21
523 #define DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN 68
524 #define DCE_C_RPC_AUTHN_PROTOCOL_MQ 100
525 
526 /* Protection levels */
527 
528 #define DCE_C_AUTHN_LEVEL_NONE 1
529 #define DCE_C_AUTHN_LEVEL_CONNECT 2
530 #define DCE_C_AUTHN_LEVEL_CALL 3
531 #define DCE_C_AUTHN_LEVEL_PKT 4
532 #define DCE_C_AUTHN_LEVEL_PKT_INTEGRITY 5
533 #define DCE_C_AUTHN_LEVEL_PKT_PRIVACY 6
534 
535 void
536 free_ndr_pointer_list(dcerpc_info *di);
537 void
538 init_ndr_pointer_list(dcerpc_info *di);
539 
540 
541 
542 /* These defines are used in the PIDL conformance files when using
543  * the PARAM_VALUE directive.
544  */
545 /* Policy handle tracking. Describes in which function a handle is
546  * opened/closed. See "winreg.cnf" for example.
547  *
548  * The guint32 param is divided up into multiple fields
549  *
550  * +--------+--------+--------+--------+
551  * | Flags | Type | | |
552  * +--------+--------+--------+--------+
553  */
554 /* Flags : */
555 #define PIDL_POLHND_OPEN 0x80000000
556 #define PIDL_POLHND_CLOSE 0x40000000
557 /* To "save" a pointer to the string in dcv->private_data */
558 #define PIDL_STR_SAVE 0x20000000
559 /* To make this value appear on the summary line for the packet */
560 #define PIDL_SET_COL_INFO 0x10000000
561 
562 /* Type */
563 #define PIDL_POLHND_TYPE_MASK 0x00ff0000
564 #define PIDL_POLHND_TYPE_SAMR_USER 0x00010000
565 #define PIDL_POLHND_TYPE_SAMR_CONNECT 0x00020000
566 #define PIDL_POLHND_TYPE_SAMR_DOMAIN 0x00030000
567 #define PIDL_POLHND_TYPE_SAMR_GROUP 0x00040000
568 #define PIDL_POLHND_TYPE_SAMR_ALIAS 0x00050000
569 
570 #define PIDL_POLHND_TYPE_LSA_POLICY 0x00060000
571 #define PIDL_POLHND_TYPE_LSA_ACCOUNT 0x00070000
572 #define PIDL_POLHND_TYPE_LSA_SECRET 0x00080000
573 #define PIDL_POLHND_TYPE_LSA_DOMAIN 0x00090000
574 
575 /* a structure we store for all policy handles we track */
576 typedef struct pol_value {
577  struct pol_value *next; /* Next entry in hash bucket */
578  guint32 open_frame, close_frame; /* Frame numbers for open/close */
579  guint32 first_frame; /* First frame in which this instance was seen */
580  guint32 last_frame; /* Last frame in which this instance was seen */
581  char *name; /* Name of policy handle */
582  guint32 type; /* policy handle type */
583 } pol_value;
584 
585 
586 extern int hf_dcerpc_drep_byteorder;
587 extern int hf_dcerpc_ndr_padding;
588 
589 #define FAKE_DCERPC_INFO_STRUCTURE \
590  /* Fake dcerpc_info structure */ \
591  dcerpc_info di; \
592  dcerpc_call_value call_data; \
593  \
594  di.conformant_run = FALSE; \
595  di.no_align = TRUE; \
596  \
597  /* we need di->call_data->flags.NDR64 == 0 */ \
598  call_data.flags = 0; \
599  di.call_data = &call_data;
600 
601 #ifdef __cplusplus
602 }
603 #endif /* __cplusplus */
604 
605 #endif /* packet-dcerpc.h */
Definition: address.h:56
Definition: packet-dcerpc.h:94
Definition: packet-dcerpc.h:466
Definition: packet-dcerpc.h:128
Definition: packet-dcerpc.h:154
Definition: packet-dcerpc.h:410
Definition: packet-dcerpc.h:448
Definition: packet-dcerpc.h:54
Definition: packet-dcerpc.h:59
Definition: packet-dcerpc.h:70
Definition: guid-utils.h:22
Definition: packet_info.h:44
Definition: proto.h:904
Definition: proto.c:372
Definition: value_string.h:26
Definition: conversation.h:220
Definition: packet-dcerpc.h:109
Definition: packet-dcerpc.h:487
Definition: packet.c:763
Definition: nstime.h:26
Definition: packet-dcerpc.h:576
Definition: tvbuff-int.h:35