/src/wireshark/epan/dissectors/packet-smtp.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* packet-smtp.c |
2 | | * Routines for SMTP packet disassembly |
3 | | * |
4 | | * Copyright (c) 2000 by Richard Sharpe <rsharpe@ns.aus.com> |
5 | | * |
6 | | * Added RFC 4954 SMTP Authentication |
7 | | * Michael Mann * Copyright 2012 |
8 | | * Added RFC 2920 Pipelining and RFC 3030 BDAT Pipelining |
9 | | * John Thacker <johnthacker@gmail.com> |
10 | | * |
11 | | * Wireshark - Network traffic analyzer |
12 | | * By Gerald Combs <gerald@wireshark.org> |
13 | | * Copyright 1999 Gerald Combs |
14 | | * |
15 | | * SPDX-License-Identifier: GPL-2.0-or-later |
16 | | */ |
17 | | |
18 | | #include "config.h" |
19 | | |
20 | | #include <stdlib.h> |
21 | | |
22 | | #include <epan/packet.h> |
23 | | #include <epan/conversation.h> |
24 | | #include <epan/prefs.h> |
25 | | #include <epan/strutil.h> |
26 | | #include <epan/reassemble.h> |
27 | | #include <epan/proto_data.h> |
28 | | |
29 | | #include <ui/tap-credentials.h> |
30 | | #include <tap.h> |
31 | | |
32 | | #include <wsutil/str_util.h> |
33 | | #include "packet-tls.h" |
34 | | #include "packet-tls-utils.h" |
35 | | |
36 | | /* RFC 2821 */ |
37 | 14 | #define TCP_PORT_SMTP "25" |
38 | 14 | #define TCP_PORT_SSL_SMTP 465 |
39 | | |
40 | | /* RFC 4409 */ |
41 | 14 | #define TCP_PORT_SUBMISSION 587 |
42 | | |
43 | | void proto_register_smtp(void); |
44 | | void proto_reg_handoff_smtp(void); |
45 | | |
46 | | static int proto_smtp; |
47 | | |
48 | | static int credentials_tap; |
49 | | |
50 | | static int hf_smtp_req; |
51 | | static int hf_smtp_rsp; |
52 | | static int hf_smtp_message; |
53 | | static int hf_smtp_command_line; |
54 | | static int hf_smtp_req_command; |
55 | | static int hf_smtp_req_parameter; |
56 | | static int hf_smtp_response; |
57 | | static int hf_smtp_rsp_code; |
58 | | static int hf_smtp_rsp_parameter; |
59 | | static int hf_smtp_username; |
60 | | static int hf_smtp_password; |
61 | | static int hf_smtp_username_password; |
62 | | static int hf_smtp_eom; |
63 | | |
64 | | static int hf_smtp_data_fragments; |
65 | | static int hf_smtp_data_fragment; |
66 | | static int hf_smtp_data_fragment_overlap; |
67 | | static int hf_smtp_data_fragment_overlap_conflicts; |
68 | | static int hf_smtp_data_fragment_multiple_tails; |
69 | | static int hf_smtp_data_fragment_too_long_fragment; |
70 | | static int hf_smtp_data_fragment_error; |
71 | | static int hf_smtp_data_fragment_count; |
72 | | static int hf_smtp_data_reassembled_in; |
73 | | static int hf_smtp_data_reassembled_length; |
74 | | |
75 | | static int ett_smtp; |
76 | | static int ett_smtp_cmdresp; |
77 | | |
78 | | static int ett_smtp_data_fragment; |
79 | | static int ett_smtp_data_fragments; |
80 | | |
81 | | static expert_field ei_smtp_base64_decode; |
82 | | static expert_field ei_smtp_rsp_code; |
83 | | |
84 | | static bool smtp_auth_parameter_decoding_enabled; |
85 | | /* desegmentation of SMTP command and response lines */ |
86 | | static bool smtp_desegment = true; |
87 | | static bool smtp_data_desegment = true; |
88 | | |
89 | | static reassembly_table smtp_data_reassembly_table; |
90 | | |
91 | | static const fragment_items smtp_data_frag_items = { |
92 | | /* Fragment subtrees */ |
93 | | &ett_smtp_data_fragment, |
94 | | &ett_smtp_data_fragments, |
95 | | /* Fragment fields */ |
96 | | &hf_smtp_data_fragments, |
97 | | &hf_smtp_data_fragment, |
98 | | &hf_smtp_data_fragment_overlap, |
99 | | &hf_smtp_data_fragment_overlap_conflicts, |
100 | | &hf_smtp_data_fragment_multiple_tails, |
101 | | &hf_smtp_data_fragment_too_long_fragment, |
102 | | &hf_smtp_data_fragment_error, |
103 | | &hf_smtp_data_fragment_count, |
104 | | /* Reassembled in field */ |
105 | | &hf_smtp_data_reassembled_in, |
106 | | /* Reassembled length field */ |
107 | | &hf_smtp_data_reassembled_length, |
108 | | /* Reassembled data field */ |
109 | | NULL, |
110 | | /* Tag */ |
111 | | "DATA fragments" |
112 | | }; |
113 | | |
114 | | static dissector_handle_t smtp_handle; |
115 | | static dissector_handle_t tls_handle; |
116 | | static dissector_handle_t imf_handle; |
117 | | static dissector_handle_t ntlmssp_handle; |
118 | | static dissector_handle_t data_text_lines_handle; |
119 | | |
120 | | /* |
121 | | * A CMD is an SMTP command, MESSAGE is the message portion, and EOM is the |
122 | | * last part of a message |
123 | | */ |
124 | 887 | #define SMTP_PDU_CMD 0 |
125 | 976 | #define SMTP_PDU_MESSAGE 1 |
126 | 0 | #define SMTP_PDU_EOM 2 |
127 | | |
128 | | struct smtp_proto_data { |
129 | | uint16_t pdu_type; |
130 | | uint16_t conversation_id; |
131 | | bool more_frags; |
132 | | int end_offset; |
133 | | struct smtp_proto_data *next; |
134 | | }; |
135 | | |
136 | | /* |
137 | | * State information stored with a conversation. |
138 | | */ |
139 | | typedef enum { |
140 | | SMTP_STATE_START, /* Start of SMTP conversion */ |
141 | | SMTP_STATE_READING_CMDS, /* reading commands */ |
142 | | SMTP_STATE_READING_DATA, /* reading message data */ |
143 | | SMTP_STATE_AWAITING_STARTTLS_RESPONSE /* sent STARTTLS, awaiting response */ |
144 | | } smtp_state_t; |
145 | | |
146 | | typedef enum { |
147 | | SMTP_AUTH_STATE_NONE, /* No authentication seen or used */ |
148 | | SMTP_AUTH_STATE_START, /* Authentication started, waiting for username */ |
149 | | SMTP_AUTH_STATE_USERNAME_REQ, /* Received username request from server */ |
150 | | SMTP_AUTH_STATE_USERNAME_RSP, /* Received username response from client */ |
151 | | SMTP_AUTH_STATE_PASSWORD_REQ, /* Received password request from server */ |
152 | | SMTP_AUTH_STATE_PASSWORD_RSP, /* Received password request from server */ |
153 | | SMTP_AUTH_STATE_PLAIN_START_REQ, /* Received AUTH PLAIN command from client*/ |
154 | | SMTP_AUTH_STATE_PLAIN_CRED_REQ, /* Received AUTH PLAIN command including creds from client*/ |
155 | | SMTP_AUTH_STATE_PLAIN_REQ, /* Received AUTH PLAIN request from server */ |
156 | | SMTP_AUTH_STATE_PLAIN_RSP, /* Received AUTH PLAIN response from client */ |
157 | | SMTP_AUTH_STATE_NTLM_REQ, /* Received ntlm negotiate request from client */ |
158 | | SMTP_AUTH_STATE_NTLM_CHALLANGE, /* Received ntlm challenge request from server */ |
159 | | SMTP_AUTH_STATE_NTLM_RSP, /* Received ntlm auth request from client */ |
160 | | SMTP_AUTH_STATE_SUCCESS, /* Password received, authentication successful, start decoding */ |
161 | | SMTP_AUTH_STATE_FAILED /* authentication failed, no decoding */ |
162 | | } smtp_auth_state_t; |
163 | | |
164 | | typedef enum { |
165 | | SMTP_MULTILINE_NONE, |
166 | | SMTP_MULTILINE_START, |
167 | | SMTP_MULTILINE_CONTINUE, |
168 | | SMTP_MULTILINE_END |
169 | | |
170 | | } smtp_multiline_state_t; |
171 | | |
172 | | struct smtp_session_state { |
173 | | smtp_state_t smtp_state; /* Current state */ |
174 | | smtp_auth_state_t auth_state; /* Current authentication state */ |
175 | | /* Values that need to be saved because state machine can't be used during tree dissection */ |
176 | | uint32_t first_auth_frame; /* First frame involving authentication. */ |
177 | | uint32_t username_frame; /* Frame containing client username */ |
178 | | uint32_t password_frame; /* Frame containing client password */ |
179 | | uint32_t last_auth_frame; /* Last frame involving authentication. */ |
180 | | uint8_t* username; /* The username in the authentication. */ |
181 | | bool crlf_seen; /* Have we seen a CRLF on the end of a packet */ |
182 | | bool data_seen; /* Have we seen a DATA command yet */ |
183 | | uint32_t msg_read_len; /* Length of BDAT message read so far */ |
184 | | uint32_t msg_tot_len; /* Total length of BDAT message */ |
185 | | bool msg_last; /* Is this the last BDAT chunk */ |
186 | | uint32_t username_cmd_frame; /* AUTH command contains username */ |
187 | | uint32_t user_pass_cmd_frame; /* AUTH command contains username and password */ |
188 | | uint32_t user_pass_frame; /* Frame contains username and password */ |
189 | | uint32_t ntlm_req_frame; /* Frame containing NTLM request */ |
190 | | uint32_t ntlm_cha_frame; /* Frame containing NTLM challenge. */ |
191 | | uint32_t ntlm_rsp_frame; /* Frame containing NTLM response. */ |
192 | | }; |
193 | | |
194 | | /* |
195 | | * See |
196 | | * |
197 | | * http://support.microsoft.com/default.aspx?scid=kb;[LN];812455 |
198 | | * |
199 | | * for the Exchange extensions. |
200 | | */ |
201 | | static const struct { |
202 | | const char *command; |
203 | | int len; |
204 | | } commands[] = { |
205 | | { "STARTTLS", 8 }, /* RFC 2487 */ |
206 | | { "X-EXPS", 6 }, /* Microsoft Exchange */ |
207 | | { "X-LINK2STATE", 12 }, /* Microsoft Exchange */ |
208 | | { "XEXCH50", 7 } /* Microsoft Exchange */ |
209 | | }; |
210 | | |
211 | 4.36k | #define NCOMMANDS array_length(commands) |
212 | | |
213 | | /* The following were copied from RFC 2821 */ |
214 | | static const value_string response_codes_vs[] = { |
215 | | { 211, "System status, or system help reply" }, |
216 | | { 214, "Help message" }, |
217 | | { 220, "<domain> Service ready" }, |
218 | | { 221, "<domain> Service closing transmission channel" }, |
219 | | { 235, "Authentication successful" }, |
220 | | { 250, "Requested mail action okay, completed" }, |
221 | | { 251, "User not local; will forward to <forward-path>" }, |
222 | | { 252, "Cannot VRFY user, but will accept message and attempt delivery" }, |
223 | | { 334, "AUTH input" }, |
224 | | { 354, "Start mail input; end with <CRLF>.<CRLF>" }, |
225 | | { 421, "<domain> Service not available, closing transmission channel" }, |
226 | | { 432, "A password transition is needed" }, |
227 | | { 450, "Requested mail action not taken: mailbox unavailable" }, |
228 | | { 451, "Requested action aborted: local error in processing" }, |
229 | | { 452, "Requested action not taken: insufficient system storage" }, |
230 | | { 454, "Temporary authentication failed" }, |
231 | | { 500, "Syntax error, command unrecognized" }, |
232 | | { 501, "Syntax error in parameters or arguments" }, |
233 | | { 502, "Command not implemented" }, |
234 | | { 503, "Bad sequence of commands" }, |
235 | | { 504, "Command parameter not implemented" }, |
236 | | { 530, "Authentication required" }, |
237 | | { 534, "Authentication mechanism is too weak" }, |
238 | | { 535, "Authentication credentials invalid" }, |
239 | | { 538, "Encryption required for requested authentication mechanism" }, |
240 | | { 550, "Requested action not taken: mailbox unavailable" }, |
241 | | { 551, "User not local; please try <forward-path>" }, |
242 | | { 552, "Requested mail action aborted: exceeded storage allocation" }, |
243 | | { 553, "Requested action not taken: mailbox name not allowed" }, |
244 | | { 554, "Transaction failed" }, |
245 | | { 0, NULL } |
246 | | }; |
247 | | static value_string_ext response_codes_vs_ext = VALUE_STRING_EXT_INIT(response_codes_vs); |
248 | | |
249 | | static struct smtp_proto_data* |
250 | | append_pdu(struct smtp_proto_data *spd_frame_data) |
251 | 0 | { |
252 | 0 | DISSECTOR_ASSERT(spd_frame_data && spd_frame_data->next == NULL); |
253 | 0 | struct smtp_proto_data *new_pdu = wmem_new0(wmem_file_scope(), struct smtp_proto_data); |
254 | 0 | new_pdu->conversation_id = spd_frame_data->conversation_id; |
255 | 0 | new_pdu->more_frags = true; |
256 | 0 | spd_frame_data->next = new_pdu; |
257 | |
|
258 | 0 | return new_pdu; |
259 | 0 | } |
260 | | |
261 | | static bool |
262 | | line_is_smtp_command(const unsigned char *command, int commandlen) |
263 | 883 | { |
264 | 883 | size_t i; |
265 | | |
266 | | /* |
267 | | * To quote RFC 821, "Command codes are four alphabetic |
268 | | * characters". |
269 | | * |
270 | | * However, there are some SMTP extensions that involve commands |
271 | | * longer than 4 characters and/or that contain non-alphabetic |
272 | | * characters; we treat them specially. |
273 | | * |
274 | | * XXX - should we just have a table of known commands? Or would |
275 | | * that fail to catch some extensions we don't know about? |
276 | | */ |
277 | 883 | if (commandlen == 4 && g_ascii_isalpha(command[0]) && |
278 | 883 | g_ascii_isalpha(command[1]) && g_ascii_isalpha(command[2]) && |
279 | 883 | g_ascii_isalpha(command[3])) { |
280 | | /* standard 4-alphabetic command */ |
281 | 11 | return true; |
282 | 11 | } |
283 | | |
284 | | /* |
285 | | * Check the list of non-4-alphabetic commands. |
286 | | */ |
287 | 4.36k | for (i = 0; i < NCOMMANDS; i++) { |
288 | 3.48k | if (commandlen == commands[i].len && |
289 | 3.48k | g_ascii_strncasecmp(command, commands[i].command, commands[i].len) == 0) |
290 | 0 | return true; |
291 | 3.48k | } |
292 | 872 | return false; |
293 | 872 | } |
294 | | |
295 | | static void |
296 | | dissect_smtp_data(tvbuff_t *tvb, int offset, proto_tree *smtp_tree) |
297 | 0 | { |
298 | 0 | int next_offset; |
299 | |
|
300 | 0 | if (smtp_tree) { |
301 | 0 | while (tvb_offset_exists(tvb, offset)) { |
302 | | /* |
303 | | * Find the end of the line. |
304 | | */ |
305 | 0 | tvb_find_line_end(tvb, offset, -1, &next_offset, false); |
306 | | |
307 | | /* |
308 | | * Put this line. |
309 | | */ |
310 | 0 | proto_tree_add_item(smtp_tree, hf_smtp_message, tvb, |
311 | 0 | offset, next_offset - offset, ENC_ASCII); |
312 | | |
313 | | /* |
314 | | * Step to the next line. |
315 | | */ |
316 | 0 | offset = next_offset; |
317 | 0 | } |
318 | 0 | } |
319 | 0 | } |
320 | | |
321 | | static void |
322 | | dissect_ntlm_auth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, |
323 | | const char *line) |
324 | 0 | { |
325 | 0 | tvbuff_t *ntlm_tvb; |
326 | |
|
327 | 0 | ntlm_tvb = base64_to_tvb(tvb, line); |
328 | 0 | if(tvb_strneql(ntlm_tvb, 0, "NTLMSSP", 7) == 0) { |
329 | 0 | add_new_data_source(pinfo, ntlm_tvb, "NTLMSSP Data"); |
330 | 0 | call_dissector(ntlmssp_handle, ntlm_tvb, pinfo, tree); |
331 | 0 | } |
332 | 0 | } |
333 | | |
334 | | static void |
335 | | decode_plain_auth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, |
336 | | int a_offset, int a_linelen) |
337 | 0 | { |
338 | 0 | int returncode; |
339 | 0 | int length_user1; |
340 | 0 | int length_user2; |
341 | 0 | int length_pass; |
342 | 0 | uint8_t *decrypt = NULL; |
343 | 0 | proto_item *ti; |
344 | 0 | size_t len = 0; |
345 | |
|
346 | 0 | decrypt = tvb_get_string_enc(pinfo->pool, tvb, a_offset, a_linelen, ENC_ASCII); |
347 | 0 | if (smtp_auth_parameter_decoding_enabled) { |
348 | 0 | if (strlen(decrypt) > 1) { |
349 | 0 | g_base64_decode_inplace(decrypt, &len); |
350 | 0 | decrypt[len] = 0; |
351 | 0 | } |
352 | 0 | returncode = (int)len; |
353 | 0 | if (returncode) { |
354 | 0 | char* username; |
355 | 0 | length_user1 = (int)strlen(decrypt); |
356 | 0 | if (returncode >= (length_user1 + 1)) { |
357 | 0 | length_user2 = (int)strlen(decrypt + length_user1 + 1); |
358 | 0 | proto_tree_add_string(tree, hf_smtp_username, tvb, |
359 | 0 | a_offset, a_linelen, decrypt + length_user1 + 1); |
360 | 0 | username = format_text(pinfo->pool, decrypt + length_user1 + 1, length_user2); |
361 | 0 | col_append_fstr(pinfo->cinfo, COL_INFO, "User: %s", username); |
362 | |
|
363 | 0 | if (returncode >= (length_user1 + 1 + length_user2 + 1)) { |
364 | 0 | length_pass = (int)strlen(decrypt + length_user1 + length_user2 + 2); |
365 | 0 | proto_tree_add_string(tree, hf_smtp_password, tvb, |
366 | 0 | a_offset, length_pass, decrypt + length_user1 + length_user2 + 2); |
367 | 0 | col_append_str(pinfo->cinfo, COL_INFO, " "); |
368 | 0 | col_append_fstr(pinfo->cinfo, COL_INFO, " Pass: %s", |
369 | 0 | format_text(pinfo->pool, decrypt + length_user1 + length_user2 + 2, length_pass)); |
370 | |
|
371 | 0 | tap_credential_t* auth = wmem_new0(pinfo->pool, tap_credential_t); |
372 | 0 | auth->num = pinfo->num; |
373 | 0 | auth->username_num = pinfo->num; |
374 | 0 | auth->password_hf_id = hf_smtp_password; |
375 | 0 | auth->username = username; |
376 | 0 | auth->proto = "SMTP"; |
377 | 0 | tap_queue_packet(credentials_tap, pinfo, auth); |
378 | 0 | } |
379 | 0 | } |
380 | 0 | } |
381 | 0 | } |
382 | 0 | else { |
383 | 0 | ti = proto_tree_add_item(tree, hf_smtp_username_password, tvb, |
384 | 0 | a_offset, a_linelen, ENC_ASCII); |
385 | 0 | expert_add_info(pinfo, ti, &ei_smtp_base64_decode); |
386 | 0 | col_append_str(pinfo->cinfo, COL_INFO, format_text(pinfo->pool, decrypt, a_linelen)); |
387 | 0 | } |
388 | 0 | } |
389 | | |
390 | | static int |
391 | | dissect_smtp_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *smtp_tree, struct smtp_session_state *session_state, struct smtp_proto_data *spd_frame_data, bool first_pdu) |
392 | 36 | { |
393 | 36 | proto_item *ti, *hidden_item; |
394 | 36 | proto_tree *cmdresp_tree = NULL; |
395 | 36 | int offset = 0; |
396 | 36 | int next_offset; |
397 | 36 | int linelen = 0; |
398 | 36 | int length_remaining; |
399 | 36 | int cmdlen; |
400 | 36 | fragment_head *frag_msg = NULL; |
401 | 36 | tvbuff_t *next_tvb; |
402 | 36 | uint8_t *decrypt = NULL; |
403 | 36 | size_t decrypt_len = 0; |
404 | 36 | uint8_t *base64_string = NULL; |
405 | | |
406 | 36 | switch (spd_frame_data->pdu_type) { |
407 | | |
408 | 32 | case SMTP_PDU_MESSAGE: |
409 | | /* Column Info */ |
410 | 32 | length_remaining = tvb_reported_length_remaining(tvb, offset); |
411 | 32 | if (first_pdu) |
412 | 32 | col_append_str(pinfo->cinfo, COL_INFO, "C: "); |
413 | 0 | else |
414 | 0 | col_append_str(pinfo->cinfo, COL_INFO, " | "); |
415 | 32 | col_append_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "DATA fragment" : "Message Body"); |
416 | 32 | col_append_fstr(pinfo->cinfo, COL_INFO, ", %d byte%s", length_remaining, |
417 | 32 | plurality (length_remaining, "", "s")); |
418 | | |
419 | 32 | if (smtp_data_desegment) { |
420 | 32 | frag_msg = fragment_add_seq_next(&smtp_data_reassembly_table, tvb, 0, |
421 | 32 | pinfo, spd_frame_data->conversation_id, NULL, |
422 | 32 | tvb_reported_length(tvb), |
423 | 32 | spd_frame_data->more_frags); |
424 | 32 | if (spd_frame_data->more_frags) { |
425 | | /* Show the text lines within this PDU fragment |
426 | | * Calling this on the last fragment would interfere with |
427 | | * process reassembled data below, by changing the layer number. |
428 | | * (We'll display the data anyway as part of the reassembly.) |
429 | | */ |
430 | 32 | call_dissector(data_text_lines_handle, tvb, pinfo, smtp_tree); |
431 | 32 | } |
432 | 32 | } else { |
433 | | /* |
434 | | * Message body. |
435 | | * Put its lines into the protocol tree, a line at a time. |
436 | | */ |
437 | 0 | dissect_smtp_data(tvb, offset, smtp_tree); |
438 | 0 | } |
439 | 32 | break; |
440 | | |
441 | 0 | case SMTP_PDU_EOM: |
442 | | /* |
443 | | * End-of-message-body indicator. |
444 | | */ |
445 | 0 | if (first_pdu) |
446 | 0 | col_append_str(pinfo->cinfo, COL_INFO, "C: "); |
447 | 0 | else |
448 | 0 | col_append_str(pinfo->cinfo, COL_INFO, " | "); |
449 | 0 | col_append_str(pinfo->cinfo, COL_INFO, "."); |
450 | |
|
451 | 0 | proto_tree_add_none_format(smtp_tree, hf_smtp_eom, tvb, offset, 3, "C: ."); |
452 | |
|
453 | 0 | break; |
454 | | |
455 | 4 | case SMTP_PDU_CMD: |
456 | | /* |
457 | | * Command. |
458 | | */ |
459 | | |
460 | 55 | while (tvb_offset_exists(tvb, offset)) { |
461 | | /* |
462 | | * Find the end of the line. |
463 | | */ |
464 | 51 | linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, false); |
465 | | |
466 | | /* Column Info */ |
467 | 51 | if (first_pdu && offset == 0) |
468 | 4 | col_append_str(pinfo->cinfo, COL_INFO, "C: "); |
469 | 47 | else |
470 | 47 | col_append_str(pinfo->cinfo, COL_INFO, " | "); |
471 | | |
472 | 51 | hidden_item = proto_tree_add_boolean(smtp_tree, hf_smtp_req, tvb, |
473 | 51 | 0, 0, true); |
474 | 51 | proto_item_set_hidden(hidden_item); |
475 | | |
476 | 51 | if (session_state->username_frame == pinfo->num) { |
477 | 0 | if (decrypt == NULL) { |
478 | | /* This line wasn't already decrypted through the state machine */ |
479 | 0 | decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset, linelen, ENC_ASCII); |
480 | 0 | decrypt_len = linelen; |
481 | 0 | if (smtp_auth_parameter_decoding_enabled) { |
482 | 0 | if (strlen(decrypt) > 1) { |
483 | 0 | g_base64_decode_inplace(decrypt, &decrypt_len); |
484 | 0 | decrypt[decrypt_len] = 0; |
485 | 0 | } else { |
486 | 0 | decrypt_len = 0; |
487 | 0 | } |
488 | 0 | if (decrypt_len == 0) { |
489 | | /* Go back to the original string */ |
490 | 0 | decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset, linelen, ENC_ASCII); |
491 | 0 | decrypt_len = linelen; |
492 | 0 | } |
493 | 0 | } |
494 | 0 | } |
495 | |
|
496 | 0 | if (!session_state->username) |
497 | 0 | session_state->username = wmem_strdup(wmem_file_scope(), decrypt); |
498 | 0 | proto_tree_add_string(smtp_tree, hf_smtp_username, tvb, |
499 | 0 | offset, linelen, decrypt); |
500 | 0 | col_append_fstr(pinfo->cinfo, COL_INFO, "User: %s", format_text(pinfo->pool, decrypt, decrypt_len)); |
501 | 51 | } else if (session_state->password_frame == pinfo->num) { |
502 | 0 | if (decrypt == NULL) { |
503 | | /* This line wasn't already decrypted through the state machine */ |
504 | 0 | decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset, linelen, ENC_ASCII); |
505 | 0 | decrypt_len = linelen; |
506 | 0 | if (smtp_auth_parameter_decoding_enabled) { |
507 | 0 | if (strlen(decrypt) > 1) { |
508 | 0 | g_base64_decode_inplace(decrypt, &decrypt_len); |
509 | 0 | decrypt[decrypt_len] = 0; |
510 | 0 | } else { |
511 | 0 | decrypt_len = 0; |
512 | 0 | } |
513 | 0 | if (decrypt_len == 0) { |
514 | | /* Go back to the original string */ |
515 | 0 | decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset, linelen, ENC_ASCII); |
516 | 0 | decrypt_len = linelen; |
517 | 0 | } |
518 | 0 | } |
519 | 0 | } |
520 | 0 | proto_tree_add_string(smtp_tree, hf_smtp_password, tvb, |
521 | 0 | offset, linelen, decrypt); |
522 | 0 | col_append_fstr(pinfo->cinfo, COL_INFO, "Pass: %s", format_text(pinfo->pool, decrypt, decrypt_len)); |
523 | |
|
524 | 0 | tap_credential_t* auth = wmem_new0(pinfo->pool, tap_credential_t); |
525 | 0 | auth->num = pinfo->num; |
526 | 0 | auth->username_num = session_state->username_frame; |
527 | 0 | auth->password_hf_id = hf_smtp_password; |
528 | 0 | auth->username = session_state->username; |
529 | 0 | auth->proto = "SMTP"; |
530 | 0 | auth->info = wmem_strdup_printf(pinfo->pool, "Username in packet %u", auth->username_num); |
531 | 0 | tap_queue_packet(credentials_tap, pinfo, auth); |
532 | 51 | } else if (session_state->ntlm_rsp_frame == pinfo->num) { |
533 | 0 | decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset, linelen, ENC_ASCII); |
534 | 0 | decrypt_len = linelen; |
535 | 0 | if (smtp_auth_parameter_decoding_enabled) { |
536 | 0 | if (strlen(decrypt) > 1) { |
537 | 0 | g_base64_decode_inplace(decrypt, &decrypt_len); |
538 | 0 | decrypt[decrypt_len] = 0; |
539 | 0 | } else { |
540 | 0 | decrypt_len = 0; |
541 | 0 | } |
542 | 0 | if (decrypt_len == 0) { |
543 | | /* Go back to the original string */ |
544 | 0 | decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset, linelen, ENC_ASCII); |
545 | 0 | decrypt_len = linelen; |
546 | 0 | col_append_str(pinfo->cinfo, COL_INFO, format_text(pinfo->pool, decrypt, linelen)); |
547 | 0 | proto_tree_add_item(smtp_tree, hf_smtp_command_line, tvb, |
548 | 0 | offset, linelen, ENC_ASCII); |
549 | 0 | } |
550 | 0 | else { |
551 | 0 | base64_string = tvb_get_string_enc(pinfo->pool, tvb, offset, linelen, ENC_ASCII); |
552 | 0 | dissect_ntlm_auth(tvb, pinfo, smtp_tree, base64_string); |
553 | 0 | } |
554 | 0 | } |
555 | 0 | else { |
556 | 0 | col_append_str(pinfo->cinfo, COL_INFO, format_text(pinfo->pool, decrypt, linelen)); |
557 | 0 | proto_tree_add_item(smtp_tree, hf_smtp_command_line, tvb, |
558 | 0 | offset, linelen, ENC_ASCII); |
559 | 0 | } |
560 | 51 | } else if (session_state->user_pass_frame == pinfo->num) { |
561 | 0 | decode_plain_auth(tvb, pinfo, smtp_tree, offset, linelen); |
562 | 51 | } else { |
563 | | |
564 | 51 | if (linelen >= 4) |
565 | 36 | cmdlen = 4; |
566 | 15 | else |
567 | 15 | cmdlen = linelen; |
568 | | |
569 | | /* |
570 | | * Put the command line into the protocol tree. |
571 | | */ |
572 | 51 | ti = proto_tree_add_item(smtp_tree, hf_smtp_command_line, tvb, |
573 | 51 | offset, next_offset - offset, ENC_ASCII); |
574 | 51 | cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp); |
575 | | |
576 | 51 | proto_tree_add_item(cmdresp_tree, hf_smtp_req_command, tvb, |
577 | 51 | offset, cmdlen, ENC_ASCII); |
578 | | |
579 | 51 | if ((linelen > 5) && (session_state->username_cmd_frame == pinfo->num) ) { |
580 | 0 | proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb, |
581 | 0 | offset + 5, linelen - 5, ENC_ASCII); |
582 | |
|
583 | 0 | if (linelen >= 11) { |
584 | 0 | if (decrypt == NULL) { |
585 | | /* This line wasn't already decrypted through the state machine */ |
586 | 0 | decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset + 11, linelen - 11, ENC_ASCII); |
587 | 0 | decrypt_len = linelen - 11; |
588 | 0 | if (smtp_auth_parameter_decoding_enabled) { |
589 | 0 | if (strlen(decrypt) > 1) { |
590 | 0 | g_base64_decode_inplace(decrypt, &decrypt_len); |
591 | 0 | decrypt[decrypt_len] = 0; |
592 | 0 | } else { |
593 | 0 | decrypt_len = 0; |
594 | 0 | } |
595 | 0 | if (decrypt_len == 0) { |
596 | | /* Go back to the original string */ |
597 | 0 | decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset + 11, linelen - 11, ENC_ASCII); |
598 | 0 | decrypt_len = linelen - 11; |
599 | 0 | } |
600 | 0 | } |
601 | 0 | } |
602 | 0 | proto_tree_add_string(cmdresp_tree, hf_smtp_username, tvb, offset + 11, linelen - 11, decrypt); |
603 | 0 | col_append_str(pinfo->cinfo, COL_INFO, |
604 | 0 | tvb_format_text(pinfo->pool, tvb, offset, 11)); |
605 | 0 | col_append_fstr(pinfo->cinfo, COL_INFO, "User: %s", format_text(pinfo->pool, decrypt, decrypt_len)); |
606 | 0 | } |
607 | 0 | } |
608 | 51 | else if ((linelen > 5) && (session_state->ntlm_req_frame == pinfo->num) ) { |
609 | 0 | proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb, |
610 | 0 | offset + 5, linelen - 5, ENC_ASCII); |
611 | 0 | if (linelen >= 10) { |
612 | 0 | decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset + 10, linelen - 10, ENC_ASCII); |
613 | 0 | decrypt_len = linelen - 10; |
614 | 0 | if (smtp_auth_parameter_decoding_enabled) { |
615 | 0 | if (strlen(decrypt) > 1) { |
616 | 0 | g_base64_decode_inplace(decrypt, &decrypt_len); |
617 | 0 | decrypt[decrypt_len] = 0; |
618 | 0 | } else { |
619 | 0 | decrypt_len = 0; |
620 | 0 | } |
621 | 0 | if (decrypt_len == 0) { |
622 | | /* Go back to the original string */ |
623 | 0 | decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset + 10, linelen - 10, ENC_ASCII); |
624 | 0 | decrypt_len = linelen - 10; |
625 | 0 | col_append_str(pinfo->cinfo, COL_INFO, |
626 | 0 | tvb_format_text(pinfo->pool, tvb, offset, 10)); |
627 | 0 | col_append_str(pinfo->cinfo, COL_INFO, format_text(pinfo->pool, decrypt, linelen - 10)); |
628 | 0 | } |
629 | 0 | else { |
630 | 0 | base64_string = tvb_get_string_enc(pinfo->pool, tvb, offset + 10, linelen - 10, ENC_ASCII); |
631 | 0 | col_append_str(pinfo->cinfo, COL_INFO, |
632 | 0 | tvb_format_text(pinfo->pool, tvb, offset, 10)); |
633 | 0 | dissect_ntlm_auth(tvb, pinfo, cmdresp_tree, format_text(pinfo->pool, base64_string, linelen - 10)); |
634 | 0 | } |
635 | 0 | } |
636 | 0 | else { |
637 | 0 | col_append_str(pinfo->cinfo, COL_INFO, |
638 | 0 | tvb_format_text(pinfo->pool, tvb, offset, 10)); |
639 | 0 | col_append_str(pinfo->cinfo, COL_INFO, format_text(pinfo->pool, decrypt, linelen - 10)); |
640 | 0 | } |
641 | 0 | } |
642 | 0 | } |
643 | 51 | else if ((linelen > 5) && (session_state->user_pass_cmd_frame == pinfo->num) ) { |
644 | 0 | proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb, |
645 | 0 | offset + 5, linelen - 5, ENC_ASCII); |
646 | 0 | col_append_str(pinfo->cinfo, COL_INFO, |
647 | 0 | tvb_format_text(pinfo->pool, tvb, offset, 11)); |
648 | 0 | decode_plain_auth(tvb, pinfo, cmdresp_tree, offset + 11, linelen - 11); |
649 | 0 | } |
650 | 51 | else if (linelen > 5) { |
651 | 22 | proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb, |
652 | 22 | offset + 5, linelen - 5, ENC_ASCII); |
653 | 22 | col_append_str(pinfo->cinfo, COL_INFO, |
654 | 22 | tvb_format_text(pinfo->pool, tvb, offset, linelen)); |
655 | 22 | } |
656 | 29 | else { |
657 | 29 | col_append_str(pinfo->cinfo, COL_INFO, |
658 | 29 | tvb_format_text(pinfo->pool, tvb, offset, linelen)); |
659 | 29 | } |
660 | | |
661 | 51 | if (smtp_data_desegment && !spd_frame_data->more_frags) { |
662 | | /* terminate the desegmentation */ |
663 | 0 | frag_msg = fragment_end_seq_next(&smtp_data_reassembly_table, |
664 | 0 | pinfo, spd_frame_data->conversation_id, NULL); |
665 | 0 | } |
666 | 51 | } |
667 | | /* |
668 | | * Step past this line. |
669 | | */ |
670 | 51 | offset = next_offset; |
671 | 51 | } |
672 | 36 | } |
673 | | |
674 | 36 | if (smtp_data_desegment && (spd_frame_data->pdu_type == SMTP_PDU_MESSAGE || spd_frame_data->more_frags == false) ) { |
675 | | /* XXX: fragment_add_seq_next() only supports one PDU with a given ID |
676 | | * being completed in a frame. |
677 | | * |
678 | | * RFCs 2920 and 3030 imply that even with pipelining, a frame only |
679 | | * contains one message that ends, as the client needs to handle |
680 | | * responses. If it does happen, we need to track message numbers within |
681 | | * the conversation and use those as part of the frag ID. |
682 | | */ |
683 | 32 | next_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled SMTP", |
684 | 32 | frag_msg, &smtp_data_frag_items, NULL, smtp_tree); |
685 | 32 | if (next_tvb) { |
686 | | /* XXX: this is presumptuous - we may have negotiated something else */ |
687 | 0 | if (imf_handle) { |
688 | 0 | call_dissector(imf_handle, next_tvb, pinfo, tree); |
689 | 0 | } else { |
690 | | /* |
691 | | * Message body. |
692 | | * Put its lines into the protocol tree, a line at a time. |
693 | | */ |
694 | 0 | dissect_smtp_data(tvb, offset, smtp_tree); |
695 | 0 | } |
696 | |
|
697 | 0 | pinfo->fragmented = false; |
698 | 32 | } else { |
699 | 32 | pinfo->fragmented = true; |
700 | 32 | } |
701 | 32 | } |
702 | 36 | return tvb_captured_length(tvb); |
703 | 36 | } |
704 | | |
705 | | static int |
706 | | dissect_smtp_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *smtp_tree, struct smtp_session_state *session_state) |
707 | 17 | { |
708 | 17 | proto_item *ti, *hidden_item; |
709 | 17 | proto_tree *cmdresp_tree = NULL; |
710 | 17 | int offset = 0; |
711 | 17 | int next_offset; |
712 | 17 | int linelen = 0; |
713 | 17 | uint32_t code; |
714 | 17 | uint8_t line_code[3]; |
715 | 17 | uint8_t *decrypt = NULL; |
716 | 17 | size_t decrypt_len = 0; |
717 | 17 | uint8_t *base64_string = NULL; |
718 | | |
719 | | /* |
720 | | * Process the response, a line at a time, until we hit a line |
721 | | * that doesn't have a continuation indication on it. |
722 | | */ |
723 | 17 | hidden_item = proto_tree_add_boolean(smtp_tree, hf_smtp_rsp, tvb, 0, 0, true); |
724 | 17 | proto_item_set_hidden(hidden_item); |
725 | | |
726 | | //Multiline information |
727 | 17 | smtp_multiline_state_t multiline_state = SMTP_MULTILINE_NONE; |
728 | 17 | uint32_t multiline_code = 0; |
729 | 17 | proto_item* code_item = NULL; |
730 | | |
731 | 386 | while (tvb_offset_exists(tvb, offset)) { |
732 | | /* |
733 | | * Find the end of the line. |
734 | | */ |
735 | 369 | linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, false); |
736 | | |
737 | 369 | if (offset == 0) |
738 | 17 | col_append_str(pinfo->cinfo, COL_INFO, "S: "); |
739 | 352 | else |
740 | 352 | col_append_str(pinfo->cinfo, COL_INFO, " | "); |
741 | | |
742 | 369 | if (linelen >= 3) { |
743 | 64 | line_code[0] = tvb_get_uint8(tvb, offset); |
744 | 64 | line_code[1] = tvb_get_uint8(tvb, offset+1); |
745 | 64 | line_code[2] = tvb_get_uint8(tvb, offset+2); |
746 | 64 | if (g_ascii_isdigit(line_code[0]) && g_ascii_isdigit(line_code[1]) |
747 | 64 | && g_ascii_isdigit(line_code[2])) { |
748 | | /* |
749 | | * We have a 3-digit response code. |
750 | | */ |
751 | 12 | code = (line_code[0] - '0')*100 + (line_code[1] - '0')*10 + (line_code[2] - '0'); |
752 | 12 | if ((linelen > 3) && (tvb_get_uint8(tvb, offset + 3) == '-')) { |
753 | 0 | if (multiline_state == SMTP_MULTILINE_NONE) { |
754 | 0 | multiline_state = SMTP_MULTILINE_START; |
755 | 0 | multiline_code = code; |
756 | 0 | } else { |
757 | 0 | multiline_state = SMTP_MULTILINE_CONTINUE; |
758 | 0 | } |
759 | 12 | } else if ((multiline_state == SMTP_MULTILINE_START) || (multiline_state == SMTP_MULTILINE_CONTINUE)) { |
760 | 0 | multiline_state = SMTP_MULTILINE_END; |
761 | 0 | } |
762 | | |
763 | | /* |
764 | | * If we're awaiting the response to a STARTTLS code, this |
765 | | * is it - if it's 220, all subsequent traffic will |
766 | | * be TLS, otherwise we're back to boring old SMTP. |
767 | | */ |
768 | 12 | if (session_state->smtp_state == SMTP_STATE_AWAITING_STARTTLS_RESPONSE) { |
769 | 0 | if (code == 220) { |
770 | | /* This is the last non-TLS frame. */ |
771 | 0 | ssl_starttls_ack(tls_handle, pinfo, smtp_handle); |
772 | 0 | } |
773 | 0 | session_state->smtp_state = SMTP_STATE_READING_CMDS; |
774 | 0 | } |
775 | | |
776 | 12 | if (code == 334) { |
777 | 0 | switch(session_state->auth_state) |
778 | 0 | { |
779 | 0 | case SMTP_AUTH_STATE_START: |
780 | 0 | session_state->auth_state = SMTP_AUTH_STATE_USERNAME_REQ; |
781 | 0 | break; |
782 | 0 | case SMTP_AUTH_STATE_USERNAME_RSP: |
783 | 0 | session_state->auth_state = SMTP_AUTH_STATE_PASSWORD_REQ; |
784 | 0 | break; |
785 | 0 | case SMTP_AUTH_STATE_PLAIN_REQ: |
786 | 0 | session_state->auth_state = SMTP_AUTH_STATE_PLAIN_RSP; |
787 | 0 | break; |
788 | 0 | case SMTP_AUTH_STATE_PLAIN_START_REQ: |
789 | 0 | session_state->auth_state = SMTP_AUTH_STATE_PLAIN_REQ; |
790 | 0 | break; |
791 | 0 | case SMTP_AUTH_STATE_NTLM_REQ: |
792 | 0 | session_state->auth_state = SMTP_AUTH_STATE_NTLM_CHALLANGE; |
793 | 0 | break; |
794 | 0 | case SMTP_AUTH_STATE_NONE: |
795 | 0 | case SMTP_AUTH_STATE_USERNAME_REQ: |
796 | 0 | case SMTP_AUTH_STATE_PASSWORD_REQ: |
797 | 0 | case SMTP_AUTH_STATE_PASSWORD_RSP: |
798 | 0 | case SMTP_AUTH_STATE_PLAIN_RSP: |
799 | 0 | case SMTP_AUTH_STATE_PLAIN_CRED_REQ: |
800 | 0 | case SMTP_AUTH_STATE_NTLM_RSP: |
801 | 0 | case SMTP_AUTH_STATE_NTLM_CHALLANGE: |
802 | 0 | case SMTP_AUTH_STATE_SUCCESS: |
803 | 0 | case SMTP_AUTH_STATE_FAILED: |
804 | | /* ignore */ |
805 | 0 | break; |
806 | 0 | } |
807 | 12 | } else if ((session_state->auth_state == SMTP_AUTH_STATE_PASSWORD_RSP) || |
808 | 12 | ( session_state->auth_state == SMTP_AUTH_STATE_PLAIN_RSP) || |
809 | 12 | ( session_state->auth_state == SMTP_AUTH_STATE_NTLM_RSP) || |
810 | 12 | ( session_state->auth_state == SMTP_AUTH_STATE_PLAIN_CRED_REQ) ) { |
811 | 0 | if (code == 235) { |
812 | 0 | session_state->auth_state = SMTP_AUTH_STATE_SUCCESS; |
813 | 0 | } else { |
814 | 0 | session_state->auth_state = SMTP_AUTH_STATE_FAILED; |
815 | 0 | } |
816 | 0 | session_state->last_auth_frame = pinfo->num; |
817 | 0 | } |
818 | | |
819 | | /* |
820 | | * Put the response code and parameters into the protocol tree. |
821 | | * Only create a new response tree when not in the middle of multiline response. |
822 | | */ |
823 | 12 | if ((multiline_state != SMTP_MULTILINE_CONTINUE) && |
824 | 12 | (multiline_state != SMTP_MULTILINE_END)) |
825 | 12 | { |
826 | 12 | ti = proto_tree_add_item(smtp_tree, hf_smtp_response, tvb, |
827 | 12 | offset, next_offset - offset, ENC_ASCII | ENC_NA); |
828 | 12 | cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp); |
829 | | |
830 | 12 | code_item = proto_tree_add_uint(cmdresp_tree, hf_smtp_rsp_code, tvb, offset, 3, code); |
831 | 12 | } else if (multiline_code != code) { |
832 | 0 | expert_add_info_format(pinfo, code_item, &ei_smtp_rsp_code, "Unexpected response code %u in multiline response. Expected %u", code, multiline_code); |
833 | 0 | } |
834 | | |
835 | 12 | decrypt = NULL; |
836 | 12 | if (linelen >= 4) { |
837 | 11 | if ((smtp_auth_parameter_decoding_enabled) && (code == 334)) { |
838 | 0 | decrypt = tvb_get_string_enc(pinfo->pool, tvb, offset + 4, linelen - 4, ENC_ASCII); |
839 | 0 | if (strlen(decrypt) > 1 && (g_base64_decode_inplace(decrypt, &decrypt_len)) && decrypt_len > 0) { |
840 | 0 | decrypt[decrypt_len] = 0; |
841 | 0 | if (g_ascii_strncasecmp(decrypt, "NTLMSSP", 7) == 0) { |
842 | 0 | base64_string = tvb_get_string_enc(pinfo->pool, tvb, offset + 4, linelen - 4, ENC_ASCII); |
843 | 0 | col_append_fstr(pinfo->cinfo, COL_INFO, "%d ", code); |
844 | 0 | proto_tree_add_string(cmdresp_tree, hf_smtp_rsp_parameter, tvb, |
845 | 0 | offset + 4, linelen - 4, (const char*)base64_string); |
846 | 0 | dissect_ntlm_auth(tvb, pinfo, cmdresp_tree, base64_string); |
847 | 0 | } |
848 | 0 | else { |
849 | 0 | proto_tree_add_string(cmdresp_tree, hf_smtp_rsp_parameter, tvb, |
850 | 0 | offset + 4, linelen - 4, (const char*)decrypt); |
851 | |
|
852 | 0 | col_append_fstr(pinfo->cinfo, COL_INFO, "%d %s", code, format_text(pinfo->pool, decrypt, decrypt_len)); |
853 | 0 | } |
854 | 0 | } else { |
855 | 0 | decrypt = NULL; |
856 | 0 | } |
857 | 0 | } |
858 | | |
859 | 11 | if (decrypt == NULL) { |
860 | 11 | proto_tree_add_item(cmdresp_tree, hf_smtp_rsp_parameter, tvb, |
861 | 11 | offset + 4, linelen - 4, ENC_ASCII); |
862 | | |
863 | 11 | if ((multiline_state != SMTP_MULTILINE_CONTINUE) && |
864 | 11 | (multiline_state != SMTP_MULTILINE_END)) { |
865 | 11 | col_append_str(pinfo->cinfo, COL_INFO, |
866 | 11 | tvb_format_text(pinfo->pool, tvb, offset, linelen)); |
867 | 11 | } else { |
868 | 0 | col_append_str(pinfo->cinfo, COL_INFO, |
869 | 0 | tvb_format_text(pinfo->pool, tvb, offset+4, linelen-4)); |
870 | 0 | } |
871 | 11 | } |
872 | 11 | } else { |
873 | 1 | col_append_str(pinfo->cinfo, COL_INFO, |
874 | 1 | tvb_format_text(pinfo->pool, tvb, offset, linelen)); |
875 | 1 | } |
876 | 12 | } |
877 | | |
878 | | //Clear multiline state if this is the last line |
879 | 64 | if (multiline_state == SMTP_MULTILINE_END) |
880 | 0 | multiline_state = SMTP_MULTILINE_NONE; |
881 | 64 | } |
882 | | /* |
883 | | * Step past this line. |
884 | | */ |
885 | 369 | offset = next_offset; |
886 | | |
887 | 369 | } |
888 | 17 | return offset; |
889 | 17 | } |
890 | | |
891 | | static int |
892 | | dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) |
893 | 53 | { |
894 | 53 | struct smtp_proto_data *spd_frame_data; |
895 | 53 | proto_tree *smtp_tree = NULL; |
896 | 53 | proto_item *ti; |
897 | 53 | int offset = 0; |
898 | 53 | int request = 0; |
899 | 53 | conversation_t *conversation; |
900 | 53 | struct smtp_session_state *session_state; |
901 | 53 | const unsigned char *line, *linep, *lineend; |
902 | 53 | int linelen = 0; |
903 | 53 | bool eom_seen = false; |
904 | 53 | int next_offset; |
905 | 53 | int loffset = 0; |
906 | 53 | int cmdlen; |
907 | 53 | uint8_t *decrypt = NULL; |
908 | 53 | size_t decrypt_len = 0; |
909 | | |
910 | | /* As there is no guarantee that we will only see frames in the |
911 | | * the SMTP conversation once, and that we will see them in |
912 | | * order - in Wireshark, the user could randomly click on frames |
913 | | * in the conversation in any order in which they choose - we |
914 | | * have to store information with each frame indicating whether |
915 | | * it contains commands or data or an EOM indication. |
916 | | * |
917 | | * XXX - what about frames that contain *both*? TCP is a |
918 | | * byte-stream protocol, and there are no guarantees that |
919 | | * TCP segment boundaries will correspond to SMTP commands |
920 | | * or EOM indications. |
921 | | * |
922 | | * We only need that for the client->server stream; responses |
923 | | * are easy to manage. |
924 | | * |
925 | | * If we have per frame data, use that, else, we must be on the first |
926 | | * pass, so we figure it out on the first pass. |
927 | | */ |
928 | | |
929 | | /* |
930 | | * Find or create the conversation for this. |
931 | | */ |
932 | 53 | conversation = find_or_create_conversation(pinfo); |
933 | | |
934 | | /* |
935 | | * Is there a request structure attached to this conversation? |
936 | | */ |
937 | 53 | session_state = (struct smtp_session_state *)conversation_get_proto_data(conversation, proto_smtp); |
938 | 53 | if (!session_state) { |
939 | | /* |
940 | | * No - create one and attach it. |
941 | | */ |
942 | 30 | session_state = wmem_new0(wmem_file_scope(), struct smtp_session_state); |
943 | 30 | session_state->smtp_state = SMTP_STATE_START; |
944 | 30 | session_state->auth_state = SMTP_AUTH_STATE_NONE; |
945 | 30 | session_state->msg_last = true; |
946 | | |
947 | 30 | conversation_add_proto_data(conversation, proto_smtp, session_state); |
948 | 30 | } |
949 | | |
950 | | /* Is this a request or a response? */ |
951 | 53 | request = pinfo->destport == pinfo->match_uint; |
952 | | |
953 | | /* |
954 | | * Is there any data attached to this frame? |
955 | | */ |
956 | 53 | spd_frame_data = (struct smtp_proto_data *)p_get_proto_data(wmem_file_scope(), pinfo, proto_smtp, 0); |
957 | | |
958 | 53 | if (!spd_frame_data) { |
959 | | |
960 | | /* |
961 | | * No frame data. |
962 | | */ |
963 | 53 | if (request) { |
964 | | |
965 | | /* |
966 | | * Create a frame data structure and attach it to the packet. |
967 | | */ |
968 | 36 | spd_frame_data = wmem_new0(wmem_file_scope(), struct smtp_proto_data); |
969 | | |
970 | 36 | spd_frame_data->conversation_id = conversation->conv_index; |
971 | 36 | spd_frame_data->more_frags = true; |
972 | 36 | spd_frame_data->end_offset = tvb_reported_length(tvb); |
973 | | |
974 | 36 | p_add_proto_data(wmem_file_scope(), pinfo, proto_smtp, 0, spd_frame_data); |
975 | | |
976 | 36 | } |
977 | | |
978 | | /* |
979 | | * Get the first line from the buffer. |
980 | | * |
981 | | * Note that "tvb_find_line_end()" will, if it doesn't return |
982 | | * -1, return a value that is not longer than what's in the buffer, |
983 | | * and "tvb_find_line_end()" will always return a value that is not |
984 | | * longer than what's in the buffer, so the "tvb_get_ptr()" call |
985 | | * won't throw an exception. |
986 | | */ |
987 | 53 | loffset = offset; |
988 | 1.30k | while (tvb_offset_exists(tvb, loffset)) { |
989 | 1.25k | linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, |
990 | 1.25k | smtp_desegment && pinfo->can_desegment); |
991 | 1.25k | if (linelen == -1) { |
992 | 0 | if (offset == loffset) { |
993 | | /* |
994 | | * We didn't find a line ending, and we're doing desegmentation; |
995 | | * tell the TCP dissector where the data for this message starts |
996 | | * in the data it handed us, and tell it we need more bytes |
997 | | */ |
998 | 0 | pinfo->desegment_offset = loffset; |
999 | 0 | pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; |
1000 | 0 | return tvb_captured_length(tvb); |
1001 | 0 | } else { |
1002 | 0 | linelen = tvb_reported_length_remaining(tvb, loffset); |
1003 | 0 | next_offset = loffset + linelen; |
1004 | 0 | } |
1005 | 0 | } |
1006 | | |
1007 | | /* |
1008 | | * Check whether or not this packet is an end of message packet |
1009 | | * We should look for CRLF.CRLF and they may be split. |
1010 | | * We have to keep in mind that we may see what we want on |
1011 | | * two passes through here ... |
1012 | | */ |
1013 | 1.25k | if (request) { |
1014 | | /* |
1015 | | * The order of these is important ... We want to avoid |
1016 | | * cases where there is a CRLF at the end of a packet and a |
1017 | | * .CRLF at the beginning of the same packet. |
1018 | | */ |
1019 | 883 | if (session_state->crlf_seen && tvb_strneql(tvb, loffset, ".\r\n", 3) == 0) |
1020 | 0 | eom_seen = true; |
1021 | | |
1022 | 883 | if (tvb_strneql(tvb, next_offset-2, "\r\n", 2) == 0) { |
1023 | 45 | session_state->crlf_seen = true; |
1024 | 838 | } else { |
1025 | 838 | session_state->crlf_seen = false; |
1026 | 838 | } |
1027 | 883 | } |
1028 | | |
1029 | | /* |
1030 | | * OK, Check if we have seen a DATA request. We do it here for |
1031 | | * simplicity, but we have to be careful below. |
1032 | | */ |
1033 | 1.25k | if (request) { |
1034 | 883 | if (session_state->smtp_state == SMTP_STATE_READING_DATA) { |
1035 | | /* |
1036 | | * This is message data. |
1037 | | */ |
1038 | 0 | if (eom_seen) { /* Seen the EOM */ |
1039 | | /* |
1040 | | * EOM. |
1041 | | * Everything that comes before it is a message. |
1042 | | * Everything that comes after it is commands. |
1043 | | */ |
1044 | 0 | spd_frame_data->pdu_type = SMTP_PDU_MESSAGE; |
1045 | 0 | spd_frame_data->more_frags = false; |
1046 | 0 | spd_frame_data->end_offset = loffset; |
1047 | |
|
1048 | 0 | spd_frame_data = append_pdu(spd_frame_data); |
1049 | 0 | spd_frame_data->pdu_type = SMTP_PDU_EOM; |
1050 | 0 | spd_frame_data->end_offset = next_offset; |
1051 | |
|
1052 | 0 | spd_frame_data = append_pdu(spd_frame_data); |
1053 | 0 | spd_frame_data->end_offset = tvb_reported_length(tvb); |
1054 | |
|
1055 | 0 | session_state->smtp_state = SMTP_STATE_READING_CMDS; |
1056 | 0 | } else { |
1057 | | /* |
1058 | | * Message data with no EOM. |
1059 | | */ |
1060 | 0 | spd_frame_data->pdu_type = SMTP_PDU_MESSAGE; |
1061 | |
|
1062 | 0 | if (session_state->msg_tot_len > 0) { |
1063 | | /* |
1064 | | * We are handling a BDAT message. |
1065 | | * Check if we have reached end of the data chunk. |
1066 | | */ |
1067 | |
|
1068 | 0 | uint32_t msg_len = MIN((uint32_t)tvb_reported_length_remaining(tvb, loffset), (session_state->msg_tot_len - session_state->msg_read_len)); |
1069 | 0 | session_state->msg_read_len += msg_len; |
1070 | | /* |
1071 | | * Since we're grabbing the rest of the packet or the data chunk, |
1072 | | * update the offset accordingly. |
1073 | | */ |
1074 | 0 | next_offset = loffset + msg_len; |
1075 | 0 | spd_frame_data->end_offset = next_offset; |
1076 | |
|
1077 | 0 | if (session_state->msg_read_len == session_state->msg_tot_len) { |
1078 | | /* |
1079 | | * We have reached end of BDAT data chunk. |
1080 | | * Everything that comes after this is commands. |
1081 | | */ |
1082 | |
|
1083 | 0 | if (session_state->msg_last) { |
1084 | | /* |
1085 | | * We have found the LAST data chunk. |
1086 | | * The message can now be reassembled. |
1087 | | */ |
1088 | 0 | spd_frame_data->more_frags = false; |
1089 | 0 | } |
1090 | |
|
1091 | 0 | spd_frame_data = append_pdu(spd_frame_data); |
1092 | 0 | spd_frame_data->end_offset = tvb_reported_length(tvb); |
1093 | |
|
1094 | 0 | session_state->smtp_state = SMTP_STATE_READING_CMDS; |
1095 | 0 | } |
1096 | 0 | } |
1097 | 0 | } |
1098 | 883 | } else { |
1099 | | /* |
1100 | | * This is commands - unless the capture started in the |
1101 | | * middle of a session, and we're in the middle of data. |
1102 | | * |
1103 | | * Commands are not necessarily 4 characters; look |
1104 | | * for a space or the end of the line to see where |
1105 | | * the putative command ends. |
1106 | | */ |
1107 | 883 | if ((session_state->auth_state != SMTP_AUTH_STATE_NONE) && |
1108 | 883 | (pinfo->num >= session_state->first_auth_frame) && |
1109 | 883 | ((session_state->last_auth_frame == 0) || (pinfo->num <= session_state->last_auth_frame))) { |
1110 | 0 | decrypt = tvb_get_string_enc(pinfo->pool, tvb, loffset, linelen, ENC_ASCII); |
1111 | 0 | if ((smtp_auth_parameter_decoding_enabled) && |
1112 | 0 | (strlen(decrypt) > 1) && |
1113 | 0 | (g_base64_decode_inplace(decrypt, &decrypt_len)) && |
1114 | 0 | (decrypt_len > 0)) { |
1115 | 0 | decrypt[decrypt_len] = 0; |
1116 | 0 | line = decrypt; |
1117 | 0 | linelen = (int)decrypt_len; |
1118 | 0 | } else { |
1119 | 0 | line = tvb_get_ptr(tvb, loffset, linelen); |
1120 | 0 | decrypt_len = linelen; |
1121 | 0 | } |
1122 | 883 | } else { |
1123 | 883 | line = tvb_get_ptr(tvb, loffset, linelen); |
1124 | 883 | } |
1125 | | |
1126 | 883 | linep = line; |
1127 | 883 | lineend = line + linelen; |
1128 | 7.69k | while (linep < lineend && *linep != ' ') |
1129 | 6.80k | linep++; |
1130 | 883 | cmdlen = (int)(linep - line); |
1131 | 883 | if (line_is_smtp_command(line, cmdlen) && |
1132 | 883 | ( session_state->auth_state != SMTP_AUTH_STATE_PASSWORD_REQ )) { |
1133 | 11 | if (g_ascii_strncasecmp(line, "DATA", 4) == 0) { |
1134 | | /* |
1135 | | * DATA command. |
1136 | | * This is a command, but everything that comes after it, |
1137 | | * until an EOM, is data. |
1138 | | */ |
1139 | 0 | spd_frame_data->pdu_type = SMTP_PDU_CMD; |
1140 | 0 | session_state->smtp_state = SMTP_STATE_READING_DATA; |
1141 | 0 | session_state->data_seen = true; |
1142 | 11 | } else if (g_ascii_strncasecmp(line, "BDAT", 4) == 0) { |
1143 | | /* |
1144 | | * BDAT command. |
1145 | | * This is a command, but everything that comes after it, |
1146 | | * until given length is received, is data. |
1147 | | */ |
1148 | 0 | uint32_t msg_len; |
1149 | |
|
1150 | 0 | msg_len = (uint32_t)strtoul (line+5, NULL, 10); |
1151 | |
|
1152 | 0 | spd_frame_data->pdu_type = SMTP_PDU_CMD; |
1153 | |
|
1154 | 0 | session_state->data_seen = true; |
1155 | 0 | session_state->msg_tot_len += msg_len; |
1156 | |
|
1157 | 0 | if (g_ascii_strncasecmp(line+linelen-4, "LAST", 4) == 0) { |
1158 | | /* |
1159 | | * This is the last data chunk. |
1160 | | */ |
1161 | 0 | session_state->msg_last = true; |
1162 | |
|
1163 | 0 | if (msg_len == 0) { |
1164 | | /* |
1165 | | * No more data to expect. |
1166 | | * The message can now be reassembled. |
1167 | | */ |
1168 | 0 | spd_frame_data->more_frags = false; |
1169 | 0 | } |
1170 | 0 | } else { |
1171 | 0 | session_state->msg_last = false; |
1172 | 0 | } |
1173 | |
|
1174 | 0 | if (msg_len == 0) { |
1175 | | /* No data to read, next will be another command */ |
1176 | 0 | session_state->smtp_state = SMTP_STATE_READING_CMDS; |
1177 | 0 | } else { |
1178 | 0 | session_state->smtp_state = SMTP_STATE_READING_DATA; |
1179 | 0 | spd_frame_data->end_offset = next_offset; |
1180 | |
|
1181 | 0 | spd_frame_data = append_pdu(spd_frame_data); |
1182 | 0 | spd_frame_data->end_offset = tvb_reported_length(tvb); |
1183 | 0 | } |
1184 | 11 | } else if (g_ascii_strncasecmp(line, "RSET", 4) == 0) { |
1185 | | /* |
1186 | | * RSET command. |
1187 | | * According to RFC 3030, the RSET command clears all BDAT |
1188 | | * segments and resets the transaction. It is possible to |
1189 | | * use DATA and BDAT in the same session, so long as they |
1190 | | * are not mixed in the same transaction. |
1191 | | */ |
1192 | 0 | spd_frame_data->pdu_type = SMTP_PDU_CMD; |
1193 | 0 | session_state->msg_last = true; |
1194 | 0 | session_state->msg_tot_len = 0; |
1195 | 0 | session_state->msg_read_len = 0; |
1196 | 11 | } else if ((g_ascii_strncasecmp(line, "AUTH LOGIN", 10) == 0) && (linelen <= 11)) { |
1197 | | /* |
1198 | | * AUTH LOGIN command. |
1199 | | * Username is in a separate frame |
1200 | | */ |
1201 | 0 | spd_frame_data->pdu_type = SMTP_PDU_CMD; |
1202 | 0 | session_state->smtp_state = SMTP_STATE_READING_CMDS; |
1203 | 0 | session_state->auth_state = SMTP_AUTH_STATE_START; |
1204 | 0 | session_state->first_auth_frame = pinfo->num; |
1205 | 11 | } else if ((g_ascii_strncasecmp(line, "AUTH LOGIN", 10) == 0) && (linelen > 11)) { |
1206 | | /* |
1207 | | * AUTH LOGIN command. |
1208 | | * Username follows the 'AUTH LOGIN' string |
1209 | | */ |
1210 | 0 | spd_frame_data->pdu_type = SMTP_PDU_CMD; |
1211 | 0 | session_state->smtp_state = SMTP_STATE_READING_CMDS; |
1212 | 0 | session_state->auth_state = SMTP_AUTH_STATE_USERNAME_RSP; |
1213 | 0 | session_state->first_auth_frame = pinfo->num; |
1214 | 0 | session_state->username_cmd_frame = pinfo->num; |
1215 | 11 | } else if ((g_ascii_strncasecmp(line, "AUTH PLAIN", 10) == 0) && (linelen <= 11)) { |
1216 | | /* |
1217 | | * AUTH PLAIN command. |
1218 | | * Username and Password is in one separate frame |
1219 | | */ |
1220 | 0 | spd_frame_data->pdu_type = SMTP_PDU_CMD; |
1221 | 0 | session_state->smtp_state = SMTP_STATE_READING_CMDS; |
1222 | 0 | session_state->auth_state = SMTP_AUTH_STATE_PLAIN_START_REQ; |
1223 | 0 | session_state->first_auth_frame = pinfo->num; |
1224 | 11 | } else if ((g_ascii_strncasecmp(line, "AUTH PLAIN", 10) == 0) && (linelen > 11)) { |
1225 | | /* |
1226 | | * AUTH PLAIN command. |
1227 | | * Username and Password follows the 'AUTH PLAIN' string |
1228 | | */ |
1229 | 0 | spd_frame_data->pdu_type = SMTP_PDU_CMD; |
1230 | 0 | session_state->smtp_state = SMTP_STATE_READING_CMDS; |
1231 | 0 | session_state->auth_state = SMTP_AUTH_STATE_PLAIN_CRED_REQ; |
1232 | 0 | session_state->first_auth_frame = pinfo->num; |
1233 | 0 | session_state->user_pass_cmd_frame = pinfo->num; |
1234 | 11 | } else if ((g_ascii_strncasecmp(line, "AUTH NTLM", 9) == 0) && (linelen > 10)) { |
1235 | | /* |
1236 | | * AUTH NTLM command with nlmssp request |
1237 | | */ |
1238 | 0 | spd_frame_data->pdu_type = SMTP_PDU_CMD; |
1239 | 0 | session_state->smtp_state = SMTP_STATE_READING_CMDS; |
1240 | 0 | session_state->auth_state = SMTP_AUTH_STATE_NTLM_REQ; |
1241 | 0 | session_state->ntlm_req_frame = pinfo->num; |
1242 | 11 | } else if (g_ascii_strncasecmp(line, "STARTTLS", 8) == 0) { |
1243 | | /* |
1244 | | * STARTTLS command. |
1245 | | * This is a command, but if the response is 220, |
1246 | | * everything after the response is TLS. |
1247 | | */ |
1248 | 0 | session_state->smtp_state = SMTP_STATE_AWAITING_STARTTLS_RESPONSE; |
1249 | 0 | spd_frame_data->pdu_type = SMTP_PDU_CMD; |
1250 | 11 | } else { |
1251 | | /* |
1252 | | * Regular command. |
1253 | | */ |
1254 | 11 | spd_frame_data->pdu_type = SMTP_PDU_CMD; |
1255 | 11 | } |
1256 | 872 | } else if (session_state->auth_state == SMTP_AUTH_STATE_USERNAME_REQ) { |
1257 | 0 | session_state->auth_state = SMTP_AUTH_STATE_USERNAME_RSP; |
1258 | 0 | session_state->username_frame = pinfo->num; |
1259 | 872 | } else if (session_state->auth_state == SMTP_AUTH_STATE_PASSWORD_REQ) { |
1260 | 0 | session_state->auth_state = SMTP_AUTH_STATE_PASSWORD_RSP; |
1261 | 0 | session_state->password_frame = pinfo->num; |
1262 | 872 | } else if (session_state->auth_state == SMTP_AUTH_STATE_PLAIN_REQ) { |
1263 | 0 | session_state->auth_state = SMTP_AUTH_STATE_PLAIN_RSP; |
1264 | 0 | session_state->user_pass_frame = pinfo->num; |
1265 | 872 | } else if (session_state->auth_state == SMTP_AUTH_STATE_NTLM_CHALLANGE) { |
1266 | 0 | session_state->auth_state = SMTP_AUTH_STATE_NTLM_RSP; |
1267 | 0 | session_state->ntlm_rsp_frame = pinfo->num; |
1268 | 0 | } |
1269 | 872 | else { |
1270 | | |
1271 | | /* |
1272 | | * Assume it's message data. |
1273 | | */ |
1274 | 872 | spd_frame_data->pdu_type = (session_state->data_seen || (session_state->smtp_state == SMTP_STATE_START)) ? SMTP_PDU_MESSAGE : SMTP_PDU_CMD; |
1275 | 872 | } |
1276 | 883 | } |
1277 | 883 | } |
1278 | | |
1279 | | /* |
1280 | | * Step past this line. |
1281 | | */ |
1282 | 1.25k | loffset = next_offset; |
1283 | 1.25k | } |
1284 | 53 | } |
1285 | | |
1286 | | |
1287 | | /* |
1288 | | * From here, we simply add items to the tree and info to the info |
1289 | | * fields ... |
1290 | | */ |
1291 | | |
1292 | 53 | col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMTP"); |
1293 | 53 | col_clear(pinfo->cinfo, COL_INFO); |
1294 | | |
1295 | 53 | ti = proto_tree_add_item(tree, proto_smtp, tvb, offset, -1, ENC_NA); |
1296 | 53 | smtp_tree = proto_item_add_subtree(ti, ett_smtp); |
1297 | | |
1298 | 53 | if (request) { |
1299 | | /* |
1300 | | * Check out whether or not we can see a command in there ... |
1301 | | * What we are looking for is not data_seen and the word DATA |
1302 | | * and not eom_seen. |
1303 | | * |
1304 | | * We will see DATA and session_state->data_seen when we process the |
1305 | | * tree view after we have seen a DATA packet when processing |
1306 | | * the packet list pane. |
1307 | | * |
1308 | | * On the first pass, we will not have any info on the packets |
1309 | | * On second and subsequent passes, we will. |
1310 | | */ |
1311 | 36 | spd_frame_data = (struct smtp_proto_data *)p_get_proto_data(wmem_file_scope(), pinfo, proto_smtp, 0); |
1312 | 36 | offset = 0; |
1313 | 72 | while (spd_frame_data != NULL && tvb_reported_length_remaining(tvb, offset)) { |
1314 | 36 | DISSECTOR_ASSERT_CMPINT(offset, <=, spd_frame_data->end_offset); |
1315 | 36 | dissect_smtp_request(tvb_new_subset_length(tvb, offset, spd_frame_data->end_offset - offset), pinfo, tree, smtp_tree, session_state, spd_frame_data, (offset == 0)); |
1316 | 36 | offset = spd_frame_data->end_offset; |
1317 | 36 | spd_frame_data = spd_frame_data->next; |
1318 | 36 | } |
1319 | 36 | } else { |
1320 | 17 | dissect_smtp_response(tvb, pinfo, smtp_tree, session_state); |
1321 | 17 | } |
1322 | | |
1323 | 53 | return tvb_captured_length(tvb); |
1324 | 53 | } |
1325 | | |
1326 | | |
1327 | | /* Register all the bits needed by the filtering engine */ |
1328 | | |
1329 | | void |
1330 | | proto_register_smtp(void) |
1331 | 14 | { |
1332 | 14 | static hf_register_info hf[] = { |
1333 | 14 | { &hf_smtp_req, |
1334 | 14 | { "Request", "smtp.req", |
1335 | 14 | FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }}, |
1336 | | |
1337 | 14 | { &hf_smtp_rsp, |
1338 | 14 | { "Response", "smtp.rsp", |
1339 | 14 | FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }}, |
1340 | | |
1341 | 14 | { &hf_smtp_message, |
1342 | 14 | { "Message", "smtp.message", |
1343 | 14 | FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, |
1344 | | |
1345 | 14 | { &hf_smtp_command_line, |
1346 | 14 | { "Command Line", "smtp.command_line", |
1347 | 14 | FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, |
1348 | | |
1349 | 14 | { &hf_smtp_req_command, |
1350 | 14 | { "Command", "smtp.req.command", |
1351 | 14 | FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, |
1352 | | |
1353 | 14 | { &hf_smtp_req_parameter, |
1354 | 14 | { "Request parameter", "smtp.req.parameter", |
1355 | 14 | FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, |
1356 | | |
1357 | 14 | { &hf_smtp_response, |
1358 | 14 | { "Response", "smtp.response", |
1359 | 14 | FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, |
1360 | | |
1361 | 14 | { &hf_smtp_rsp_code, |
1362 | 14 | { "Response code", "smtp.response.code", |
1363 | 14 | FT_UINT32, BASE_DEC|BASE_EXT_STRING, &response_codes_vs_ext, 0x0, NULL, HFILL }}, |
1364 | | |
1365 | 14 | { &hf_smtp_rsp_parameter, |
1366 | 14 | { "Response parameter", "smtp.rsp.parameter", |
1367 | 14 | FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, |
1368 | | |
1369 | 14 | { &hf_smtp_username, |
1370 | 14 | { "Username", "smtp.auth.username", |
1371 | 14 | FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, |
1372 | | |
1373 | 14 | { &hf_smtp_password, |
1374 | 14 | { "Password", "smtp.auth.password", |
1375 | 14 | FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, |
1376 | | |
1377 | 14 | { &hf_smtp_username_password, |
1378 | 14 | { "Username/Password", "smtp.auth.username_password", |
1379 | 14 | FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, |
1380 | | |
1381 | 14 | { &hf_smtp_eom, |
1382 | 14 | { "EOM", "smtp.eom", |
1383 | 14 | FT_NONE, BASE_NONE, NULL, 0x00, NULL, HFILL } }, |
1384 | | |
1385 | | /* Fragment entries */ |
1386 | 14 | { &hf_smtp_data_fragments, |
1387 | 14 | { "DATA fragments", "smtp.data.fragments", |
1388 | 14 | FT_NONE, BASE_NONE, NULL, 0x00, "Message fragments", HFILL } }, |
1389 | | |
1390 | 14 | { &hf_smtp_data_fragment, |
1391 | 14 | { "DATA fragment", "smtp.data.fragment", |
1392 | 14 | FT_FRAMENUM, BASE_NONE, NULL, 0x00, "Message fragment", HFILL } }, |
1393 | | |
1394 | 14 | { &hf_smtp_data_fragment_overlap, |
1395 | 14 | { "DATA fragment overlap", "smtp.data.fragment.overlap", FT_BOOLEAN, |
1396 | 14 | BASE_NONE, NULL, 0x0, "Message fragment overlap", HFILL } }, |
1397 | | |
1398 | 14 | { &hf_smtp_data_fragment_overlap_conflicts, |
1399 | 14 | { "DATA fragment overlapping with conflicting data", |
1400 | 14 | "smtp.data.fragment.overlap.conflicts", FT_BOOLEAN, BASE_NONE, NULL, |
1401 | 14 | 0x0, "Message fragment overlapping with conflicting data", HFILL } }, |
1402 | | |
1403 | 14 | { &hf_smtp_data_fragment_multiple_tails, |
1404 | 14 | { "DATA has multiple tail fragments", "smtp.data.fragment.multiple_tails", |
1405 | 14 | FT_BOOLEAN, BASE_NONE, NULL, 0x0, "Message has multiple tail fragments", HFILL } }, |
1406 | | |
1407 | 14 | { &hf_smtp_data_fragment_too_long_fragment, |
1408 | 14 | { "DATA fragment too long", "smtp.data.fragment.too_long_fragment", |
1409 | 14 | FT_BOOLEAN, BASE_NONE, NULL, 0x0, "Message fragment too long", HFILL } }, |
1410 | | |
1411 | 14 | { &hf_smtp_data_fragment_error, |
1412 | 14 | { "DATA defragmentation error", "smtp.data.fragment.error", |
1413 | 14 | FT_FRAMENUM, BASE_NONE, NULL, 0x00, "Message defragmentation error", HFILL } }, |
1414 | | |
1415 | 14 | { &hf_smtp_data_fragment_count, |
1416 | 14 | { "DATA fragment count", "smtp.data.fragment.count", |
1417 | 14 | FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL } }, |
1418 | | |
1419 | 14 | { &hf_smtp_data_reassembled_in, |
1420 | 14 | { "Reassembled DATA in frame", "smtp.data.reassembled.in", |
1421 | 14 | FT_FRAMENUM, BASE_NONE, NULL, 0x00, "This DATA fragment is reassembled in this frame", HFILL } }, |
1422 | | |
1423 | 14 | { &hf_smtp_data_reassembled_length, |
1424 | 14 | { "Reassembled DATA length", "smtp.data.reassembled.length", |
1425 | 14 | FT_UINT32, BASE_DEC, NULL, 0x00, "The total length of the reassembled payload", HFILL } }, |
1426 | 14 | }; |
1427 | 14 | static int *ett[] = { |
1428 | 14 | &ett_smtp, |
1429 | 14 | &ett_smtp_cmdresp, |
1430 | 14 | &ett_smtp_data_fragment, |
1431 | 14 | &ett_smtp_data_fragments, |
1432 | | |
1433 | 14 | }; |
1434 | | |
1435 | 14 | static ei_register_info ei[] = { |
1436 | 14 | { &ei_smtp_base64_decode, { "smtp.base64_decode", PI_PROTOCOL, PI_WARN, "base64 decode failed or is not enabled (check SMTP preferences)", EXPFILL }}, |
1437 | 14 | { &ei_smtp_rsp_code,{ "smtp.response.code.unexpected", PI_PROTOCOL, PI_WARN, "Unexpected response code in multiline response", EXPFILL } }, |
1438 | 14 | }; |
1439 | | |
1440 | 14 | module_t *smtp_module; |
1441 | 14 | expert_module_t* expert_smtp; |
1442 | | |
1443 | 14 | proto_smtp = proto_register_protocol("Simple Mail Transfer Protocol", |
1444 | 14 | "SMTP", "smtp"); |
1445 | | |
1446 | 14 | proto_register_field_array(proto_smtp, hf, array_length(hf)); |
1447 | 14 | proto_register_subtree_array(ett, array_length(ett)); |
1448 | 14 | expert_smtp = expert_register_protocol(proto_smtp); |
1449 | 14 | expert_register_field_array(expert_smtp, ei, array_length(ei)); |
1450 | 14 | reassembly_table_register(&smtp_data_reassembly_table, |
1451 | 14 | &addresses_ports_reassembly_table_functions); |
1452 | | |
1453 | | /* Allow dissector to find be found by name. */ |
1454 | 14 | smtp_handle = register_dissector("smtp", dissect_smtp, proto_smtp); |
1455 | | |
1456 | | /* Preferences */ |
1457 | 14 | smtp_module = prefs_register_protocol(proto_smtp, NULL); |
1458 | 14 | prefs_register_bool_preference(smtp_module, "desegment_lines", |
1459 | 14 | "Reassemble SMTP command and response lines spanning multiple TCP segments", |
1460 | 14 | "Whether the SMTP dissector should reassemble command and response lines" |
1461 | 14 | " spanning multiple TCP segments. To use this option, you must also enable " |
1462 | 14 | "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.", |
1463 | 14 | &smtp_desegment); |
1464 | | |
1465 | 14 | prefs_register_bool_preference(smtp_module, "desegment_data", |
1466 | 14 | "Reassemble SMTP DATA commands spanning multiple TCP segments", |
1467 | 14 | "Whether the SMTP dissector should reassemble DATA command and lines" |
1468 | 14 | " spanning multiple TCP segments. To use this option, you must also enable " |
1469 | 14 | "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.", |
1470 | 14 | &smtp_data_desegment); |
1471 | | |
1472 | 14 | prefs_register_bool_preference(smtp_module, "decryption", |
1473 | 14 | "Decode Base64 encoded AUTH parameters", |
1474 | 14 | "Whether the SMTP dissector should decode Base64 encoded AUTH parameters", |
1475 | 14 | &smtp_auth_parameter_decoding_enabled); |
1476 | | |
1477 | 14 | credentials_tap = register_tap("credentials"); /* credentials tap */ |
1478 | 14 | } |
1479 | | |
1480 | | /* The registration hand-off routine */ |
1481 | | void |
1482 | | proto_reg_handoff_smtp(void) |
1483 | 14 | { |
1484 | 14 | dissector_add_uint_range_with_preference("tcp.port", TCP_PORT_SMTP, smtp_handle); |
1485 | 14 | ssl_dissector_add(TCP_PORT_SSL_SMTP, smtp_handle); |
1486 | | /* No "auto" preference since handle is shared with SMTP */ |
1487 | 14 | dissector_add_uint("tcp.port", TCP_PORT_SUBMISSION, smtp_handle); |
1488 | | |
1489 | | /* find the IMF dissector */ |
1490 | 14 | imf_handle = find_dissector_add_dependency("imf", proto_smtp); |
1491 | | |
1492 | | /* find the TLS dissector */ |
1493 | 14 | tls_handle = find_dissector_add_dependency("tls", proto_smtp); |
1494 | | |
1495 | | /* find the NTLM dissector */ |
1496 | 14 | ntlmssp_handle = find_dissector_add_dependency("ntlmssp", proto_smtp); |
1497 | | |
1498 | | /* find the data-text-lines dissector */ |
1499 | 14 | data_text_lines_handle = find_dissector_add_dependency("data-text-lines", proto_smtp); |
1500 | 14 | } |
1501 | | |
1502 | | /* |
1503 | | * Editor modelines - https://www.wireshark.org/tools/modelines.html |
1504 | | * |
1505 | | * Local variables: |
1506 | | * c-basic-offset: 2 |
1507 | | * tab-width: 8 |
1508 | | * indent-tabs-mode: nil |
1509 | | * End: |
1510 | | * |
1511 | | * vi: set shiftwidth=2 tabstop=8 expandtab: |
1512 | | * :indentSize=2:tabSize=8:noTabs=true |
1513 | | */ |