diff options
| author | Michael Mann <mmann78@netscape.net> | 2016-09-24 08:29:07 -0400 |
|---|---|---|
| committer | Anders Broman <a.broman58@gmail.com> | 2017-11-14 20:20:22 +0000 |
| commit | 5d1328c5285e1cd3f4e1620dd33babda47bafe92 (patch) | |
| tree | 31ebc8bf6e36849df2d101c04d4266c9c6e2c7e0 | |
| parent | 27011d312343a0dac06736087d1a94ffd7ab763e (diff) | |
Kerberos - Add support for RFC 6113
Bug: 8974
Change-Id: I43998a64fc34dfeb1c0a8d702d5bdc5aa74d57de
Reviewed-on: https://code.wireshark.org/review/17879
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
| -rw-r--r-- | epan/dissectors/asn1/kerberos/CMakeLists.txt | 1 | ||||
| -rw-r--r-- | epan/dissectors/asn1/kerberos/Makefile.am | 3 | ||||
| -rw-r--r-- | epan/dissectors/asn1/kerberos/RFC6113.asn | 124 | ||||
| -rw-r--r-- | epan/dissectors/asn1/kerberos/k5.asn | 58 | ||||
| -rw-r--r-- | epan/dissectors/asn1/kerberos/kerberos.cnf | 50 | ||||
| -rw-r--r-- | epan/dissectors/asn1/kerberos/packet-kerberos-template.c | 26 | ||||
| -rw-r--r-- | epan/dissectors/packet-kerberos.c | 435 | ||||
| -rw-r--r-- | epan/dissectors/packet-kerberos.h | 2 |
8 files changed, 615 insertions, 84 deletions
diff --git a/epan/dissectors/asn1/kerberos/CMakeLists.txt b/epan/dissectors/asn1/kerberos/CMakeLists.txt index 3e1bd82309..dd862ee356 100644 --- a/epan/dissectors/asn1/kerberos/CMakeLists.txt +++ b/epan/dissectors/asn1/kerberos/CMakeLists.txt @@ -34,6 +34,7 @@ set( ASN_FILE_LIST KerberosV5Spec2.asn k5.asn RFC3244.asn + RFC6113.asn ) set( EXTRA_DIST diff --git a/epan/dissectors/asn1/kerberos/Makefile.am b/epan/dissectors/asn1/kerberos/Makefile.am index ff7b2558e0..3c0db504a0 100644 --- a/epan/dissectors/asn1/kerberos/Makefile.am +++ b/epan/dissectors/asn1/kerberos/Makefile.am @@ -28,7 +28,8 @@ EXT_ASN_FILE_LIST = ASN_FILE_LIST = \ KerberosV5Spec2.asn \ k5.asn \ - RFC3244.asn + RFC3244.asn \ + RFC6113.asn EXTRA_DIST = \ $(EXTRA_DIST_COMMON) \ diff --git a/epan/dissectors/asn1/kerberos/RFC6113.asn b/epan/dissectors/asn1/kerberos/RFC6113.asn new file mode 100644 index 0000000000..10a3d7ddc6 --- /dev/null +++ b/epan/dissectors/asn1/kerberos/RFC6113.asn @@ -0,0 +1,124 @@ +-- Extracted from RFC 6113 + +KerberosPreauthFramework { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) modules(4) preauth-framework(3) +} DEFINITIONS EXPLICIT TAGS ::= BEGIN + +IMPORTS + KerberosTime, PrincipalName, Realm, EncryptionKey, Checksum, + Int32, EncryptedData, PA-ENC-TS-ENC, PA-DATA, KDC-REQ-BODY, + Microseconds, KerberosFlags, UInt32 + FROM KerberosV5Spec2 { iso(1) identified-organization(3) + dod(6) internet(1) security(5) kerberosV5(2) + modules(4) krb5spec2(2) }; + -- as defined in RFC 4120. + +PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM + +PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE { + pa-type [0] Int32, + -- same as padata-type. + pa-hint [1] OCTET STRING OPTIONAL, + pa-value [2] OCTET STRING OPTIONAL, + ... +} + +KrbFastArmor ::= SEQUENCE { + armor-type [0] Int32, + -- Type of the armor. + armor-value [1] OCTET STRING, + -- Value of the armor. + ... +} + +PA-FX-FAST-REQUEST ::= CHOICE { + armored-data [0] KrbFastArmoredReq, + ... +} + +KrbFastArmoredReq ::= SEQUENCE { + armor [0] KrbFastArmor OPTIONAL, + -- Contains the armor that identifies the armor key. + -- MUST be present in AS-REQ. + req-checksum [1] Checksum, + -- For AS, contains the checksum performed over the type + -- KDC-REQ-BODY for the req-body field of the KDC-REQ + -- structure; + -- For TGS, contains the checksum performed over the type + -- AP-REQ in the PA-TGS-REQ padata. + -- The checksum key is the armor key, the checksum + -- type is the required checksum type for the enctype of + -- the armor key, and the key usage number is + -- KEY_USAGE_FAST_REQ_CHKSUM. + enc-fast-req [2] EncryptedData, -- KrbFastReq -- + -- The encryption key is the armor key, and the key usage + -- number is KEY_USAGE_FAST_ENC. + ... +} + +KrbFastReq ::= SEQUENCE { + fast-options [0] FastOptions, + -- Additional options. + padata [1] SEQUENCE OF PA-DATA, + -- padata typed holes. + req-body [2] KDC-REQ-BODY, + -- Contains the KDC request body as defined in Section + -- 5.4.1 of [RFC4120]. + -- This req-body field is preferred over the outer field + -- in the KDC request. + ... +} + +FastOptions ::= KerberosFlags + -- reserved(0), + -- hide-client-names(1), + -- kdc-follow-referrals(16) + +PA-FX-FAST-REPLY ::= CHOICE { + armored-data [0] KrbFastArmoredRep, + ... +} + +KrbFastArmoredRep ::= SEQUENCE { + enc-fast-rep [0] EncryptedData, -- KrbFastResponse -- + -- The encryption key is the armor key in the request, and + -- the key usage number is KEY_USAGE_FAST_REP. + ... +} + +KrbFastResponse ::= SEQUENCE { + padata [0] SEQUENCE OF PA-DATA, + -- padata typed holes. + strengthen-key [1] EncryptionKey OPTIONAL, + -- This, if present, strengthens the reply key for AS and + -- TGS. MUST be present for TGS + -- MUST be absent in KRB-ERROR. + finished [2] KrbFastFinished OPTIONAL, + -- Present in AS or TGS reply; absent otherwise. + nonce [3] UInt32, + -- Nonce from the client request. + ... +} + +KrbFastFinished ::= SEQUENCE { + timestamp [0] KerberosTime, + usec [1] Microseconds, + -- timestamp and usec represent the time on the KDC when + -- the reply was generated. + crealm [2] Realm, + cname [3] PrincipalName, + -- Contains the client realm and the client name. + ticket-checksum [4] Checksum, + -- checksum of the ticket in the KDC-REP using the armor + -- and the key usage is KEY_USAGE_FAST_FINISH. + -- The checksum type is the required checksum type + -- of the armor key. + ... +} + +EncryptedChallenge ::= EncryptedData + -- Encrypted PA-ENC-TS-ENC, encrypted in the challenge key + -- using key usage KEY_USAGE_ENC_CHALLENGE_CLIENT for the + -- client and KEY_USAGE_ENC_CHALLENGE_KDC for the KDC. +END diff --git a/epan/dissectors/asn1/kerberos/k5.asn b/epan/dissectors/asn1/kerberos/k5.asn index ea4e47a371..a74bc62884 100644 --- a/epan/dissectors/asn1/kerberos/k5.asn +++ b/epan/dissectors/asn1/kerberos/k5.asn @@ -14,9 +14,16 @@ NAME-TYPE ::= INTEGER { kRB5-NT-X500-PRINCIPAL(6), -- PKINIT kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN + kRB5-NT-WELLKNOWN(11), -- Wellknown + kRB5-NT-SRV-HST-DOMAIN(12), -- Domain based service with host name as instance (RFC5179) kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name - kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID + kRB5-NT-MS-PRINCIPAL-AND-ID(-129), -- NT style name and SID + kRB5-NT-NTLM(-1200), -- NTLM name, realm is domain + kRB5-NT-X509-GENERAL-NAME(-1201), -- x509 general name (base64 encoded) + kRB5-NT-GSS-HOSTBASED-SERVICE(-1202), -- not used; remove + kRB5-NT-CACHE-UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache + kRB5-NT-SRV-HST-NEEDS-CANON (-195894762) -- Internal: indicates that name canonicalization is needed } -- message types @@ -37,10 +44,11 @@ MESSAGE-TYPE ::= INTEGER { -- pa-data types + PADATA-TYPE ::= INTEGER { kRB5-PADATA-NONE(0), kRB5-PADATA-TGS-REQ(1), --- kRB5-PADATA-AP-REQ(1), + kRB5-PADATA-AP-REQ(1), kRB5-PADATA-ENC-TIMESTAMP(2), kRB5-PADATA-PW-SALT(3), kRB5-PADATA-ENC-UNIX-TIME(5), @@ -54,17 +62,22 @@ PADATA-TYPE ::= INTEGER { kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp) kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19) kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19) --- kRB5-PADATA-PK-AS-REQ-WIN(15), (PKINIT - old number) +-- kRB5-PADATA-PK-AS-REQ-WIN(15), - (PKINIT - old number) kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25) kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25) kRB5-PADATA-PA-PK-OCSP-RESPONSE(18), kRB5-PADATA-ETYPE-INFO2(19), kRB5-PADATA-USE-SPECIFIED-KVNO(20), --- kRB5-PADATA-SVR-REFERRAL-INFO(20), old ms referral number +-- kRB5-PADATA-SVR-REFERRAL-INFO(20), - old ms referral number kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp) kRB5-PADATA-GET-FROM-TYPED-DATA(22), kRB5-PADATA-SAM-ETYPE-INFO(23), kRB5-PADATA-SERVER-REFERRAL(25), + kRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov) + kRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com) + kRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com) + kRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT + kRB5-PADATA-FX-FAST-ARMOR(71), -- fast armor kRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT @@ -72,14 +85,31 @@ PADATA-TYPE ::= INTEGER { kRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER kRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER kRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com - kRB5-PADATA-S4U2SELF(129), - kRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to - -- tell KDC that is supports + kRB5-PADATA-FOR-USER(129), -- MS-KILE + kRB5-PADATA-FOR-X509-USER(130), -- MS-KILE + kRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE + kRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE + kRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to + -- tell KDC that is supports -- the asCheckSum in the -- PK-AS-REP - kRB5-PADATA-CLIENT-CANONICALIZED(133) -- + kRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework + kRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework + kRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework + kRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework + kRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework + kRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework + kRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com) + kRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com) + kBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com) + kRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com) + kRB5-PADATA-EPAK-AS-REQ(145), + kRB5-PADATA-EPAK-AS-REP(146), + kRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon + kRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u + kRB5-PADATA-REQ-ENC-PA-REP(149), -- + kRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE } - AUTHDATA-TYPE ::= INTEGER { kRB5-AUTHDATA-IF-RELEVANT(1), kRB5-AUTHDATA-INTENDED-FOR-SERVER(2), @@ -95,7 +125,9 @@ AUTHDATA-TYPE ::= INTEGER { kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66), kRB5-AUTHDATA-WIN2K-PAC(128), kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only - kRB5-AUTHDATA-SIGNTICKET(-17) + kRB5-AUTHDATA-SIGNTICKET-OLDER(-17), + kRB5-AUTHDATA-SIGNTICKET-OLD(142), + kRB5-AUTHDATA-SIGNTICKET(512) } -- checksumtypes @@ -119,6 +151,8 @@ CKSUMTYPE ::= INTEGER { cKSUMTYPE-HMAC-SHA1-96-AES-256(16), cKSUMTYPE-CMAC-CAMELLIA128(17), cKSUMTYPE-CMAC-CAMELLIA256(18), + cKSUMTYPE-HMAC-SHA256-128-AES128(19), + cKSUMTYPE-HMAC-SHA384-192-AES256(20), cKSUMTYPE-GSSAPI(--0x8003--32771), cKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number cKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial @@ -320,7 +354,9 @@ TicketFlags ::= BIT STRING { hw-authent(11), transited-policy-checked(12), ok-as-delegate(13), - anonymous(14) + anonymous-14(14), + enc-pa-rep(15), + anonymous(16) } KDCOptions ::= BIT STRING { diff --git a/epan/dissectors/asn1/kerberos/kerberos.cnf b/epan/dissectors/asn1/kerberos/kerberos.cnf index dc04d58abf..f04b6639f8 100644 --- a/epan/dissectors/asn1/kerberos/kerberos.cnf +++ b/epan/dissectors/asn1/kerberos/kerberos.cnf @@ -31,9 +31,7 @@ AD-LoginAlias AD-MANDATORY-FOR-KDC AUTHDATA-TYPE ChangePasswdDataMS -EncryptedData EtypeList -KerberosFlags KRB5SignedPath KRB5SignedPathData KRB5SignedPathPrincipals @@ -56,6 +54,11 @@ Principal PROV-SRV-LOCATION SAMFlags TYPED-DATA +KrbFastReq +KrbFastResponse +KrbFastFinished +FastOptions +KerberosFlags #.NO_EMIT ONLY_VALS Applications @@ -138,34 +141,47 @@ guint32 msgtype; switch(private_data->padata_type){ case KRB5_PA_TGS_REQ: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications); - break; + break; case KRB5_PA_PK_AS_REQ: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsReq); - break; + break; case KRB5_PA_PK_AS_REP: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsRep); - break; + break; case KRB5_PA_PAC_REQUEST: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_KERB_PA_PAC_REQUEST); break; case KRB5_PA_S4U2SELF: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U2Self); - break; + break; case KRB5_PA_PROV_SRV_LOCATION: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PA_PROV_SRV_LOCATION); - break; + break; case KRB5_PA_ENC_TIMESTAMP: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_ENC_TIMESTAMP); - break; + break; case KRB5_PA_ENCTYPE_INFO: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO); - break; + break; case KRB5_PA_ENCTYPE_INFO2: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO2); - break; + break; case KRB5_PA_PW_SALT: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PW_SALT); - break; + break; + case KRB5_PA_AUTHENTICATION_SET: + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_AUTHENTICATION_SET); + break; + case KRB5_PADATA_FX_FAST: + if(private_data->is_request){ + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REQUEST); + }else{ + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REPLY); + } + break; + case KRB5_PADATA_ENCRYPTED_CHALLENGE: + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_EncryptedChallenge); + break; default: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL); } @@ -388,3 +404,15 @@ AuthorizationData/_item/ad-type STRINGS=VALS(krb5_ad_types) if (new_tvb) { call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_PRIV_USER_DATA, (kerberos_callbacks*)actx->private_data); } + +#.FN_HDR AS-REQ + kerberos_private_data_t* private_data = kerberos_get_private_data(actx); + private_data->is_request = TRUE; + +#.FN_HDR AS-REP + kerberos_private_data_t* private_data = kerberos_get_private_data(actx); + private_data->is_request = FALSE; + +#.FN_HDR KRB-ERROR + kerberos_private_data_t* private_data = kerberos_get_private_data(actx); + private_data->is_request = FALSE; diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c index 4412fb1440..7ca1c98496 100644 --- a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c +++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c @@ -98,6 +98,7 @@ typedef struct kerberos_key { } kerberos_key_t; typedef struct { + gboolean is_request; guint32 etype; guint32 padata_type; guint32 enctype; @@ -117,7 +118,10 @@ static int dissect_kerberos_PA_S4U2Self(gboolean implicit_tag _U_, tvbuff_t *tvb static int dissect_kerberos_ETYPE_INFO(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); static int dissect_kerberos_ETYPE_INFO2(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); static int dissect_kerberos_AD_IF_RELEVANT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); - +static int dissect_kerberos_PA_AUTHENTICATION_SET(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_PA_FX_FAST_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_PA_FX_FAST_REPLY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); /* Desegment Kerberos over TCP messages */ static gboolean krb_desegment = TRUE; @@ -834,6 +838,7 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo, #define KRB5_PA_PK_AS_REQ 14 #define KRB5_PA_PK_AS_REP 15 #define KRB5_PA_DASS 16 +#define KRB5_PA_PK_AS_REP_17 17 #define KRB5_PA_ENCTYPE_INFO2 19 #define KRB5_PA_USE_SPECIFIED_KVNO 20 #define KRB5_PA_SAM_REDIRECT 21 @@ -857,6 +862,15 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo, #define KRB5_PA_PAC_REQUEST 128 /* (Microsoft extension) */ #define KRB5_PA_FOR_USER 129 /* Impersonation (Microsoft extension) See [MS-SFU]. XXX - replaced by KRB5_PA_S4U2SELF */ #define KRB5_PA_S4U2SELF 129 +#define KRB5_PADATA_S4U_X509_USER 130 /* certificate protocol transition request */ +#define KRB5_PADATA_FX_COOKIE 133 +#define KRB5_PA_AUTHENTICATION_SET 134 +#define KRB5_PADATA_FX_FAST 136 +#define KRB5_PADATA_FX_ERROR 137 +#define KRB5_PADATA_ENCRYPTED_CHALLENGE 138 +#define KRB5_PADATA_PKINIT_KX 147 +#define KRB5_ENCPADATA_REQ_ENC_PA_REP 149 + #define KRB5_PA_PROV_SRV_LOCATION 0xffffffff /* (gint32)0xFF) packetcable stuff */ /* Principal name-type */ @@ -1083,6 +1097,7 @@ static const value_string krb5_preauthentication_types[] = { { KRB5_PA_PK_AS_REQ , "PA-PK-AS-REQ" }, { KRB5_PA_PK_AS_REP , "PA-PK-AS-REP" }, { KRB5_PA_DASS , "PA-DASS" }, + { KRB5_PA_PK_AS_REP_17 , "PA-PK-AS-REP-17" }, { KRB5_PA_USE_SPECIFIED_KVNO , "PA-USE-SPECIFIED-KVNO" }, { KRB5_PA_SAM_REDIRECT , "PA-SAM-REDIRECT" }, { KRB5_PA_GET_FROM_TYPED_DATA , "PA-GET-FROM-TYPED-DATA" }, @@ -1100,6 +1115,15 @@ static const value_string krb5_preauthentication_types[] = { { KRB5_TD_REQ_SEQ , "TD-REQ-SEQ" }, { KRB5_PA_PAC_REQUEST , "PA-PAC-REQUEST" }, { KRB5_PA_FOR_USER , "PA-FOR-USER" }, + { KRB5_PADATA_S4U_X509_USER , "PA-S4U-X509-USER" }, + { KRB5_PADATA_FX_COOKIE , "PA-FX-COOKIE" }, + { KRB5_PA_AUTHENTICATION_SET , "KRB5-PA-AUTHENTICATION-SET" }, + + { KRB5_PADATA_FX_FAST , "PA-FX-FAST" }, + { KRB5_PADATA_FX_ERROR , "PA-FX-ERROR" }, + { KRB5_PADATA_ENCRYPTED_CHALLENGE , "PA-ENCRYPTED-CHALLENGE" }, + { KRB5_PADATA_PKINIT_KX , "PA-PKINIT-KX" }, + { KRB5_ENCPADATA_REQ_ENC_PA_REP , "PA-REQ-ENC-PA-REP" }, { KRB5_PA_PROV_SRV_LOCATION , "PA-PROV-SRV-LOCATION" }, { 0 , NULL }, }; diff --git a/epan/dissectors/packet-kerberos.c b/epan/dissectors/packet-kerberos.c index 1f9da76709..07dee0105e 100644 --- a/epan/dissectors/packet-kerberos.c +++ b/epan/dissectors/packet-kerberos.c @@ -1,7 +1,7 @@ /* Do not modify this file. Changes will be overwritten. */ /* Generated automatically by the ASN.1 to Wireshark dissector compiler */ /* packet-kerberos.c */ -/* asn2wrs.py -b -p kerberos -c ./kerberos.cnf -s ./packet-kerberos-template -D . -O ../.. KerberosV5Spec2.asn k5.asn RFC3244.asn */ +/* asn2wrs.py -b -p kerberos -c ./kerberos.cnf -s ./packet-kerberos-template -D . -O ../.. KerberosV5Spec2.asn k5.asn RFC3244.asn RFC6113.asn */ /* Input file: packet-kerberos-template.c */ @@ -106,6 +106,7 @@ typedef struct kerberos_key { } kerberos_key_t; typedef struct { + gboolean is_request; guint32 etype; guint32 padata_type; guint32 enctype; @@ -125,7 +126,10 @@ static int dissect_kerberos_PA_S4U2Self(gboolean implicit_tag _U_, tvbuff_t *tvb static int dissect_kerberos_ETYPE_INFO(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); static int dissect_kerberos_ETYPE_INFO2(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); static int dissect_kerberos_AD_IF_RELEVANT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); - +static int dissect_kerberos_PA_AUTHENTICATION_SET(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_PA_FX_FAST_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_PA_FX_FAST_REPLY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); /* Desegment Kerberos over TCP messages */ static gboolean krb_desegment = TRUE; @@ -215,12 +219,13 @@ static int hf_kerberos_ad_type = -1; /* T_ad_type */ static int hf_kerberos_ad_data = -1; /* T_ad_data */ static int hf_kerberos_padata_type = -1; /* PADATA_TYPE */ static int hf_kerberos_padata_value = -1; /* T_padata_value */ +static int hf_kerberos_etype = -1; /* ENCTYPE */ +static int hf_kerberos_kvno = -1; /* UInt32 */ +static int hf_kerberos_cipher = -1; /* OCTET_STRING */ static int hf_kerberos_keytype = -1; /* T_keytype */ static int hf_kerberos_keyvalue = -1; /* T_keyvalue */ static int hf_kerberos_cksumtype = -1; /* CKSUMTYPE */ static int hf_kerberos_checksum = -1; /* T_checksum */ -static int hf_kerberos_etype = -1; /* ENCTYPE */ -static int hf_kerberos_kvno = -1; /* UInt32 */ static int hf_kerberos_encryptedTicketData_cipher = -1; /* T_encryptedTicketData_cipher */ static int hf_kerberos_encryptedAuthorizationData_cipher = -1; /* T_encryptedAuthorizationData_cipher */ static int hf_kerberos_encryptedKDCREPData_cipher = -1; /* T_encryptedKDCREPData_cipher */ @@ -311,6 +316,18 @@ static int hf_kerberos_include_pac = -1; /* BOOLEAN */ static int hf_kerberos_newpasswd = -1; /* OCTET_STRING */ static int hf_kerberos_targname = -1; /* PrincipalName */ static int hf_kerberos_targrealm = -1; /* Realm */ +static int hf_kerberos_PA_AUTHENTICATION_SET_item = -1; /* PA_AUTHENTICATION_SET_ELEM */ +static int hf_kerberos_pa_type = -1; /* Int32 */ +static int hf_kerberos_pa_hint = -1; /* OCTET_STRING */ +static int hf_kerberos_pa_value = -1; /* OCTET_STRING */ +static int hf_kerberos_armor_type = -1; /* Int32 */ +static int hf_kerberos_armor_value = -1; /* OCTET_STRING */ +static int hf_kerberos_armored_data = -1; /* KrbFastArmoredReq */ +static int hf_kerberos_armor = -1; /* KrbFastArmor */ +static int hf_kerberos_req_checksum = -1; /* Checksum */ +static int hf_kerberos_enc_fast_req = -1; /* EncryptedData */ +static int hf_kerberos_armored_data_01 = -1; /* KrbFastArmoredRep */ +static int hf_kerberos_enc_fast_rep = -1; /* EncryptedData */ /* named bits */ static int hf_kerberos_APOptions_reserved = -1; static int hf_kerberos_APOptions_use_session_key = -1; @@ -329,6 +346,8 @@ static int hf_kerberos_TicketFlags_pre_authent = -1; static int hf_kerberos_TicketFlags_hw_authent = -1; static int hf_kerberos_TicketFlags_transited_policy_checked = -1; static int hf_kerberos_TicketFlags_ok_as_delegate = -1; +static int hf_kerberos_TicketFlags_anonymous_14 = -1; +static int hf_kerberos_TicketFlags_enc_pa_rep = -1; static int hf_kerberos_TicketFlags_anonymous = -1; static int hf_kerberos_KDCOptions_reserved = -1; static int hf_kerberos_KDCOptions_forwardable = -1; @@ -352,7 +371,7 @@ static int hf_kerberos_KDCOptions_renew = -1; static int hf_kerberos_KDCOptions_validate = -1; /*--- End of included file: packet-kerberos-hf.c ---*/ -#line 175 "./asn1/kerberos/packet-kerberos-template.c" +#line 179 "./asn1/kerberos/packet-kerberos-template.c" /* Initialize the subtree pointers */ static gint ett_kerberos = -1; @@ -381,6 +400,7 @@ static gint ett_kerberos_HostAddresses = -1; static gint ett_kerberos_AuthorizationData = -1; static gint ett_kerberos_AuthorizationData_item = -1; static gint ett_kerberos_PA_DATA = -1; +static gint ett_kerberos_EncryptedData = -1; static gint ett_kerberos_EncryptionKey = -1; static gint ett_kerberos_Checksum = -1; static gint ett_kerberos_EncryptedTicketData = -1; @@ -426,9 +446,16 @@ static gint ett_kerberos_KDCOptions = -1; static gint ett_kerberos_PA_S4U2Self = -1; static gint ett_kerberos_KERB_PA_PAC_REQUEST = -1; static gint ett_kerberos_ChangePasswdData = -1; +static gint ett_kerberos_PA_AUTHENTICATION_SET = -1; +static gint ett_kerberos_PA_AUTHENTICATION_SET_ELEM = -1; +static gint ett_kerberos_KrbFastArmor = -1; +static gint ett_kerberos_PA_FX_FAST_REQUEST = -1; +static gint ett_kerberos_KrbFastArmoredReq = -1; +static gint ett_kerberos_PA_FX_FAST_REPLY = -1; +static gint ett_kerberos_KrbFastArmoredRep = -1; /*--- End of included file: packet-kerberos-ett.c ---*/ -#line 189 "./asn1/kerberos/packet-kerberos-template.c" +#line 193 "./asn1/kerberos/packet-kerberos-template.c" static expert_field ei_kerberos_decrypted_keytype = EI_INIT; static expert_field ei_kerberos_address = EI_INIT; @@ -457,7 +484,7 @@ static gboolean gbl_do_col_info; #define KERBEROS_ADDR_TYPE_IPV6 24 /*--- End of included file: packet-kerberos-val.h ---*/ -#line 202 "./asn1/kerberos/packet-kerberos-template.c" +#line 206 "./asn1/kerberos/packet-kerberos-template.c" static void call_kerberos_callbacks(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int tag, kerberos_callbacks *cb) @@ -1093,6 +1120,7 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo, #define KRB5_PA_PK_AS_REQ 14 #define KRB5_PA_PK_AS_REP 15 #define KRB5_PA_DASS 16 +#define KRB5_PA_PK_AS_REP_17 17 #define KRB5_PA_ENCTYPE_INFO2 19 #define KRB5_PA_USE_SPECIFIED_KVNO 20 #define KRB5_PA_SAM_REDIRECT 21 @@ -1116,6 +1144,15 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo, #define KRB5_PA_PAC_REQUEST 128 /* (Microsoft extension) */ #define KRB5_PA_FOR_USER 129 /* Impersonation (Microsoft extension) See [MS-SFU]. XXX - replaced by KRB5_PA_S4U2SELF */ #define KRB5_PA_S4U2SELF 129 +#define KRB5_PADATA_S4U_X509_USER 130 /* certificate protocol transition request */ +#define KRB5_PADATA_FX_COOKIE 133 +#define KRB5_PA_AUTHENTICATION_SET 134 +#define KRB5_PADATA_FX_FAST 136 +#define KRB5_PADATA_FX_ERROR 137 +#define KRB5_PADATA_ENCRYPTED_CHALLENGE 138 +#define KRB5_PADATA_PKINIT_KX 147 +#define KRB5_ENCPADATA_REQ_ENC_PA_REP 149 + #define KRB5_PA_PROV_SRV_LOCATION 0xffffffff /* (gint32)0xFF) packetcable stuff */ /* Principal name-type */ @@ -1342,6 +1379,7 @@ static const value_string krb5_preauthentication_types[] = { { KRB5_PA_PK_AS_REQ , "PA-PK-AS-REQ" }, { KRB5_PA_PK_AS_REP , "PA-PK-AS-REP" }, { KRB5_PA_DASS , "PA-DASS" }, + { KRB5_PA_PK_AS_REP_17 , "PA-PK-AS-REP-17" }, { KRB5_PA_USE_SPECIFIED_KVNO , "PA-USE-SPECIFIED-KVNO" }, { KRB5_PA_SAM_REDIRECT , "PA-SAM-REDIRECT" }, { KRB5_PA_GET_FROM_TYPED_DATA , "PA-GET-FROM-TYPED-DATA" }, @@ -1359,6 +1397,15 @@ static const value_string krb5_preauthentication_types[] = { { KRB5_TD_REQ_SEQ , "TD-REQ-SEQ" }, { KRB5_PA_PAC_REQUEST , "PA-PAC-REQUEST" }, { KRB5_PA_FOR_USER , "PA-FOR-USER" }, + { KRB5_PADATA_S4U_X509_USER , "PA-S4U-X509-USER" }, + { KRB5_PADATA_FX_COOKIE , "PA-FX-COOKIE" }, + { KRB5_PA_AUTHENTICATION_SET , "KRB5-PA-AUTHENTICATION-SET" }, + + { KRB5_PADATA_FX_FAST , "PA-FX-FAST" }, + { KRB5_PADATA_FX_ERROR , "PA-FX-ERROR" }, + { KRB5_PADATA_ENCRYPTED_CHALLENGE , "PA-ENCRYPTED-CHALLENGE" }, + { KRB5_PADATA_PKINIT_KX , "PA-PKINIT-KX" }, + { KRB5_ENCPADATA_REQ_ENC_PA_REP , "PA-REQ-ENC-PA-REP" }, { KRB5_PA_PROV_SRV_LOCATION , "PA-PROV-SRV-LOCATION" }, { 0 , NULL }, }; @@ -2152,9 +2199,16 @@ static const value_string kerberos_NAME_TYPE_vals[] = { { 6, "kRB5-NT-X500-PRINCIPAL" }, { 7, "kRB5-NT-SMTP-NAME" }, { 10, "kRB5-NT-ENTERPRISE-PRINCIPAL" }, + { 11, "kRB5-NT-WELLKNOWN" }, + { 12, "kRB5-NT-SRV-HST-DOMAIN" }, { -130, "kRB5-NT-ENT-PRINCIPAL-AND-ID" }, { -128, "kRB5-NT-MS-PRINCIPAL" }, { -129, "kRB5-NT-MS-PRINCIPAL-AND-ID" }, + { -1200, "kRB5-NT-NTLM" }, + { -1201, "kRB5-NT-X509-GENERAL-NAME" }, + { -1202, "kRB5-NT-GSS-HOSTBASED-SERVICE" }, + { -1203, "kRB5-NT-CACHE-UUID" }, + { -195894762, "kRB5-NT-SRV-HST-NEEDS-CANON" }, { 0, NULL } }; @@ -2247,7 +2301,7 @@ static const value_string kerberos_ENCTYPE_vals[] = { static int dissect_kerberos_ENCTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 225 "./asn1/kerberos/kerberos.cnf" +#line 241 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t *private_data = kerberos_get_private_data(actx); offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, &(private_data->etype)); @@ -2272,7 +2326,7 @@ dissect_kerberos_UInt32(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset static int dissect_kerberos_T_encryptedTicketData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 229 "./asn1/kerberos/kerberos.cnf" +#line 245 "./asn1/kerberos/kerberos.cnf" #ifdef HAVE_KERBEROS offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_ticket_data); #else @@ -2389,6 +2443,8 @@ static const value_string kerberos_CKSUMTYPE_vals[] = { { 16, "cKSUMTYPE-HMAC-SHA1-96-AES-256" }, { 17, "cKSUMTYPE-CMAC-CAMELLIA128" }, { 18, "cKSUMTYPE-CMAC-CAMELLIA256" }, + { 19, "cKSUMTYPE-HMAC-SHA256-128-AES128" }, + { 20, "cKSUMTYPE-HMAC-SHA384-192-AES256" }, { 32771, "cKSUMTYPE-GSSAPI" }, { -138, "cKSUMTYPE-HMAC-MD5" }, { -1138, "cKSUMTYPE-HMAC-MD5-ENC" }, @@ -2398,7 +2454,7 @@ static const value_string kerberos_CKSUMTYPE_vals[] = { static int dissect_kerberos_CKSUMTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 286 "./asn1/kerberos/kerberos.cnf" +#line 302 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t *private_data = kerberos_get_private_data(actx); offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, &(private_data->checksum_type)); @@ -2413,7 +2469,7 @@ dissect_kerberos_CKSUMTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off static int dissect_kerberos_T_checksum(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 290 "./asn1/kerberos/kerberos.cnf" +#line 306 "./asn1/kerberos/kerberos.cnf" tvbuff_t *next_tvb; kerberos_private_data_t *private_data = kerberos_get_private_data(actx); @@ -2480,7 +2536,7 @@ dissect_kerberos_Int32(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset static int dissect_kerberos_T_keytype(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 304 "./asn1/kerberos/kerberos.cnf" +#line 320 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t *private_data = kerberos_get_private_data(actx); offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, @@ -2496,7 +2552,7 @@ dissect_kerberos_T_keytype(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off static int dissect_kerberos_T_keyvalue(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 311 "./asn1/kerberos/kerberos.cnf" +#line 327 "./asn1/kerberos/kerberos.cnf" tvbuff_t *out_tvb; kerberos_private_data_t *private_data = kerberos_get_private_data(actx); @@ -2521,7 +2577,7 @@ static const ber_sequence_t EncryptionKey_sequence[] = { static int dissect_kerberos_EncryptionKey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 320 "./asn1/kerberos/kerberos.cnf" +#line 336 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t *private_data = kerberos_get_private_data(actx); offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset, @@ -2543,7 +2599,7 @@ dissect_kerberos_EncryptionKey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int static int dissect_kerberos_T_ad_type(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 331 "./asn1/kerberos/kerberos.cnf" +#line 347 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t *private_data = kerberos_get_private_data(actx); offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, &(private_data->ad_type)); @@ -2556,7 +2612,7 @@ dissect_kerberos_T_ad_type(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off static int dissect_kerberos_T_ad_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 338 "./asn1/kerberos/kerberos.cnf" +#line 354 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t *private_data = kerberos_get_private_data(actx); switch(private_data->ad_type){ @@ -2651,7 +2707,9 @@ static const asn_namedbit TicketFlags_bits[] = { { 11, &hf_kerberos_TicketFlags_hw_authent, -1, -1, "hw-authent", NULL }, { 12, &hf_kerberos_TicketFlags_transited_policy_checked, -1, -1, "transited-policy-checked", NULL }, { 13, &hf_kerberos_TicketFlags_ok_as_delegate, -1, -1, "ok-as-delegate", NULL }, - { 14, &hf_kerberos_TicketFlags_anonymous, -1, -1, "anonymous", NULL }, + { 14, &hf_kerberos_TicketFlags_anonymous_14, -1, -1, "anonymous-14", NULL }, + { 15, &hf_kerberos_TicketFlags_enc_pa_rep, -1, -1, "enc-pa-rep", NULL }, + { 16, &hf_kerberos_TicketFlags_anonymous, -1, -1, "anonymous", NULL }, { 0, NULL, 0, 0, NULL, NULL } }; @@ -2705,7 +2763,7 @@ static const value_string kerberos_ADDR_TYPE_vals[] = { static int dissect_kerberos_ADDR_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 352 "./asn1/kerberos/kerberos.cnf" +#line 368 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t *private_data = kerberos_get_private_data(actx); offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, &(private_data->addr_type)); @@ -2720,7 +2778,7 @@ dissect_kerberos_ADDR_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off static int dissect_kerberos_T_address(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 174 "./asn1/kerberos/kerberos.cnf" +#line 190 "./asn1/kerberos/kerberos.cnf" gint8 appclass; gboolean pc; gint32 tag; @@ -2853,7 +2911,7 @@ static const value_string kerberos_MESSAGE_TYPE_vals[] = { static int dissect_kerberos_MESSAGE_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 68 "./asn1/kerberos/kerberos.cnf" +#line 71 "./asn1/kerberos/kerberos.cnf" guint32 msgtype; offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, @@ -2862,7 +2920,7 @@ guint32 msgtype; -#line 73 "./asn1/kerberos/kerberos.cnf" +#line 76 "./asn1/kerberos/kerberos.cnf" if (gbl_do_col_info) { col_add_str(actx->pinfo->cinfo, COL_INFO, val_to_str(msgtype, krb5_msg_types, @@ -2883,6 +2941,7 @@ guint32 msgtype; static const value_string kerberos_PADATA_TYPE_vals[] = { { 0, "kRB5-PADATA-NONE" }, { 1, "kRB5-PADATA-TGS-REQ" }, + { 1, "kRB5-PADATA-AP-REQ" }, { 2, "kRB5-PADATA-ENC-TIMESTAMP" }, { 3, "kRB5-PADATA-PW-SALT" }, { 5, "kRB5-PADATA-ENC-UNIX-TIME" }, @@ -2905,6 +2964,11 @@ static const value_string kerberos_PADATA_TYPE_vals[] = { { 22, "kRB5-PADATA-GET-FROM-TYPED-DATA" }, { 23, "kRB5-PADATA-SAM-ETYPE-INFO" }, { 25, "kRB5-PADATA-SERVER-REFERRAL" }, + { 24, "kRB5-PADATA-ALT-PRINC" }, + { 30, "kRB5-PADATA-SAM-CHALLENGE2" }, + { 31, "kRB5-PADATA-SAM-RESPONSE2" }, + { 41, "kRB5-PA-EXTRA-TGT" }, + { 71, "kRB5-PADATA-FX-FAST-ARMOR" }, { 102, "kRB5-PADATA-TD-KRB-PRINCIPAL" }, { 104, "kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS" }, { 105, "kRB5-PADATA-PK-TD-CERTIFICATE-INDEX" }, @@ -2912,23 +2976,41 @@ static const value_string kerberos_PADATA_TYPE_vals[] = { { 107, "kRB5-PADATA-TD-REQ-NONCE" }, { 108, "kRB5-PADATA-TD-REQ-SEQ" }, { 128, "kRB5-PADATA-PA-PAC-REQUEST" }, - { 129, "kRB5-PADATA-S4U2SELF" }, + { 129, "kRB5-PADATA-FOR-USER" }, + { 130, "kRB5-PADATA-FOR-X509-USER" }, + { 131, "kRB5-PADATA-FOR-CHECK-DUPS" }, + { 132, "kRB5-PADATA-AS-CHECKSUM" }, { 132, "kRB5-PADATA-PK-AS-09-BINDING" }, - { 133, "kRB5-PADATA-CLIENT-CANONICALIZED" }, + { 133, "kRB5-PADATA-FX-COOKIE" }, + { 134, "kRB5-PADATA-AUTHENTICATION-SET" }, + { 135, "kRB5-PADATA-AUTH-SET-SELECTED" }, + { 136, "kRB5-PADATA-FX-FAST" }, + { 137, "kRB5-PADATA-FX-ERROR" }, + { 138, "kRB5-PADATA-ENCRYPTED-CHALLENGE" }, + { 141, "kRB5-PADATA-OTP-CHALLENGE" }, + { 142, "kRB5-PADATA-OTP-REQUEST" }, + { 143, "kBB5-PADATA-OTP-CONFIRM" }, + { 144, "kRB5-PADATA-OTP-PIN-CHANGE" }, + { 145, "kRB5-PADATA-EPAK-AS-REQ" }, + { 146, "kRB5-PADATA-EPAK-AS-REP" }, + { 147, "kRB5-PADATA-PKINIT-KX" }, + { 148, "kRB5-PADATA-PKU2U-NAME" }, + { 149, "kRB5-PADATA-REQ-ENC-PA-REP" }, + { 165, "kRB5-PADATA-SUPPORTED-ETYPES" }, { 0, NULL } }; static int dissect_kerberos_PADATA_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 121 "./asn1/kerberos/kerberos.cnf" +#line 124 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t* private_data = kerberos_get_private_data(actx); offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, &(private_data->padata_type)); -#line 124 "./asn1/kerberos/kerberos.cnf" +#line 127 "./asn1/kerberos/kerberos.cnf" if(tree){ proto_item_append_text(tree, " %s", val_to_str(private_data->padata_type, krb5_preauthentication_types, @@ -2943,7 +3025,7 @@ dissect_kerberos_PADATA_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int o static int dissect_kerberos_T_padata_value(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 131 "./asn1/kerberos/kerberos.cnf" +#line 134 "./asn1/kerberos/kerberos.cnf" proto_tree *sub_tree=tree; kerberos_private_data_t* private_data = kerberos_get_private_data(actx); @@ -2954,34 +3036,47 @@ dissect_kerberos_T_padata_value(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, in switch(private_data->padata_type){ case KRB5_PA_TGS_REQ: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications); - break; + break; case KRB5_PA_PK_AS_REQ: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsReq); - break; + break; case KRB5_PA_PK_AS_REP: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsRep); - break; + break; case KRB5_PA_PAC_REQUEST: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_KERB_PA_PAC_REQUEST); break; case KRB5_PA_S4U2SELF: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U2Self); - break; + break; case KRB5_PA_PROV_SRV_LOCATION: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PA_PROV_SRV_LOCATION); - break; + break; case KRB5_PA_ENC_TIMESTAMP: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_ENC_TIMESTAMP); - break; + break; case KRB5_PA_ENCTYPE_INFO: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO); - break; + break; case KRB5_PA_ENCTYPE_INFO2: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO2); - break; + break; case KRB5_PA_PW_SALT: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PW_SALT); - break; + break; + case KRB5_PA_AUTHENTICATION_SET: + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_AUTHENTICATION_SET); + break; + case KRB5_PADATA_FX_FAST: + if(private_data->is_request){ + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REQUEST); + }else{ + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REPLY); + } + break; + case KRB5_PADATA_ENCRYPTED_CHALLENGE: + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_EncryptedChallenge); + break; default: offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL); } @@ -3070,7 +3165,7 @@ dissect_kerberos_SEQUENCE_OF_ENCTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U static int dissect_kerberos_T_encryptedAuthorizationData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 237 "./asn1/kerberos/kerberos.cnf" +#line 253 "./asn1/kerberos/kerberos.cnf" #ifdef HAVE_KERBEROS offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_authenticator_data); #else @@ -3133,7 +3228,7 @@ static const ber_sequence_t KDC_REQ_BODY_sequence[] = { static int dissect_kerberos_KDC_REQ_BODY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 356 "./asn1/kerberos/kerberos.cnf" +#line 372 "./asn1/kerberos/kerberos.cnf" conversation_t *conversation; /* @@ -3184,6 +3279,11 @@ dissect_kerberos_KDC_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offse static int dissect_kerberos_AS_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +#line 409 "./asn1/kerberos/kerberos.cnf" + kerberos_private_data_t* private_data = kerberos_get_private_data(actx); + private_data->is_request = TRUE; + + offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset, hf_index, BER_CLASS_APP, 10, FALSE, dissect_kerberos_KDC_REQ); @@ -3194,7 +3294,7 @@ dissect_kerberos_AS_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset static int dissect_kerberos_T_encryptedKDCREPData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 245 "./asn1/kerberos/kerberos.cnf" +#line 261 "./asn1/kerberos/kerberos.cnf" #ifdef HAVE_KERBEROS offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KDC_REP_data); #else @@ -3249,6 +3349,11 @@ dissect_kerberos_KDC_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offse static int dissect_kerberos_AS_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +#line 413 "./asn1/kerberos/kerberos.cnf" + kerberos_private_data_t* private_data = kerberos_get_private_data(actx); + private_data->is_request = FALSE; + + offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset, hf_index, BER_CLASS_APP, 11, FALSE, dissect_kerberos_KDC_REP); @@ -3324,7 +3429,7 @@ dissect_kerberos_AP_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset static int dissect_kerberos_T_encryptedAPREPData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 261 "./asn1/kerberos/kerberos.cnf" +#line 277 "./asn1/kerberos/kerberos.cnf" #ifdef HAVE_KERBEROS offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_AP_REP_data); #else @@ -3385,7 +3490,7 @@ dissect_kerberos_AP_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset static int dissect_kerberos_T_kRB_SAFE_BODY_user_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 379 "./asn1/kerberos/kerberos.cnf" +#line 395 "./asn1/kerberos/kerberos.cnf" tvbuff_t *new_tvb; offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb); if (new_tvb) { @@ -3447,7 +3552,7 @@ dissect_kerberos_KRB_SAFE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offs static int dissect_kerberos_T_encryptedKrbPrivData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 269 "./asn1/kerberos/kerberos.cnf" +#line 285 "./asn1/kerberos/kerberos.cnf" #ifdef HAVE_KERBEROS offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PRIV_data); #else @@ -3508,7 +3613,7 @@ dissect_kerberos_KRB_PRIV(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offs static int dissect_kerberos_T_encryptedKrbCredData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 277 "./asn1/kerberos/kerberos.cnf" +#line 293 "./asn1/kerberos/kerberos.cnf" #ifdef HAVE_KERBEROS offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_CRED_data); #else @@ -3707,7 +3812,7 @@ dissect_kerberos_EncAPRepPart(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int static int dissect_kerberos_T_encKrbPrivPart_user_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 386 "./asn1/kerberos/kerberos.cnf" +#line 402 "./asn1/kerberos/kerberos.cnf" tvbuff_t *new_tvb; offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb); if (new_tvb) { @@ -3715,6 +3820,7 @@ dissect_kerberos_T_encKrbPrivPart_user_data(gboolean implicit_tag _U_, tvbuff_t } + return offset; } @@ -3918,14 +4024,14 @@ static const value_string kerberos_ERROR_CODE_vals[] = { static int dissect_kerberos_ERROR_CODE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 86 "./asn1/kerberos/kerberos.cnf" +#line 89 "./asn1/kerberos/kerberos.cnf" offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, &krb5_errorcode); -#line 89 "./asn1/kerberos/kerberos.cnf" +#line 92 "./asn1/kerberos/kerberos.cnf" if(krb5_errorcode) { col_add_fstr(actx->pinfo->cinfo, COL_INFO, "KRB Error: %s", @@ -3942,7 +4048,7 @@ dissect_kerberos_ERROR_CODE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int of static int dissect_kerberos_T_e_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 99 "./asn1/kerberos/kerberos.cnf" +#line 102 "./asn1/kerberos/kerberos.cnf" switch(krb5_errorcode){ case KRB5_ET_KRB5KDC_ERR_BADOPTION: case KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED: @@ -4000,6 +4106,10 @@ dissect_kerberos_KRB_ERROR_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int o static int dissect_kerberos_KRB_ERROR(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +#line 417 "./asn1/kerberos/kerberos.cnf" + kerberos_private_data_t* private_data = kerberos_get_private_data(actx); + private_data->is_request = FALSE; + offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset, hf_index, BER_CLASS_APP, 30, FALSE, dissect_kerberos_KRB_ERROR_U); @@ -4039,10 +4149,26 @@ dissect_kerberos_Applications(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int } +static const ber_sequence_t EncryptedData_sequence[] = { + { &hf_kerberos_etype , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE }, + { &hf_kerberos_kvno , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 }, + { &hf_kerberos_cipher , BER_CLASS_CON, 2, 0, dissect_kerberos_OCTET_STRING }, + { NULL, 0, 0, 0, NULL } +}; + +static int +dissect_kerberos_EncryptedData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { + offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset, + EncryptedData_sequence, hf_index, ett_kerberos_EncryptedData); + + return offset; +} + + static int dissect_kerberos_T_pA_ENC_TIMESTAMP_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 253 "./asn1/kerberos/kerberos.cnf" +#line 269 "./asn1/kerberos/kerberos.cnf" #ifdef HAVE_KERBEROS offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PA_ENC_TIMESTAMP); #else @@ -4207,8 +4333,131 @@ dissect_kerberos_ChangePasswdData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, } +static const ber_sequence_t PA_AUTHENTICATION_SET_ELEM_sequence[] = { + { &hf_kerberos_pa_type , BER_CLASS_CON, 0, 0, dissect_kerberos_Int32 }, + { &hf_kerberos_pa_hint , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_OCTET_STRING }, + { &hf_kerberos_pa_value , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_OCTET_STRING }, + { NULL, 0, 0, 0, NULL } +}; + +static int +dissect_kerberos_PA_AUTHENTICATION_SET_ELEM(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { + offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset, + PA_AUTHENTICATION_SET_ELEM_sequence, hf_index, ett_kerberos_PA_AUTHENTICATION_SET_ELEM); + + return offset; +} + + +static const ber_sequence_t PA_AUTHENTICATION_SET_sequence_of[1] = { + { &hf_kerberos_PA_AUTHENTICATION_SET_item, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_kerberos_PA_AUTHENTICATION_SET_ELEM }, +}; + +static int +dissect_kerberos_PA_AUTHENTICATION_SET(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { + offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset, + PA_AUTHENTICATION_SET_sequence_of, hf_index, ett_kerberos_PA_AUTHENTICATION_SET); + + return offset; +} + + +static const ber_sequence_t KrbFastArmor_sequence[] = { + { &hf_kerberos_armor_type , BER_CLASS_CON, 0, 0, dissect_kerberos_Int32 }, + { &hf_kerberos_armor_value, BER_CLASS_CON, 1, 0, dissect_kerberos_OCTET_STRING }, + { NULL, 0, 0, 0, NULL } +}; + +static int +dissect_kerberos_KrbFastArmor(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { + offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset, + KrbFastArmor_sequence, hf_index, ett_kerberos_KrbFastArmor); + + return offset; +} + + +static const ber_sequence_t KrbFastArmoredReq_sequence[] = { + { &hf_kerberos_armor , BER_CLASS_CON, 0, BER_FLAGS_OPTIONAL, dissect_kerberos_KrbFastArmor }, + { &hf_kerberos_req_checksum, BER_CLASS_CON, 1, 0, dissect_kerberos_Checksum }, + { &hf_kerberos_enc_fast_req, BER_CLASS_CON, 2, 0, dissect_kerberos_EncryptedData }, + { NULL, 0, 0, 0, NULL } +}; + +static int +dissect_kerberos_KrbFastArmoredReq(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { + offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset, + KrbFastArmoredReq_sequence, hf_index, ett_kerberos_KrbFastArmoredReq); + + return offset; +} + + +static const value_string kerberos_PA_FX_FAST_REQUEST_vals[] = { + { 0, "armored-data" }, + { 0, NULL } +}; + +static const ber_choice_t PA_FX_FAST_REQUEST_choice[] = { + { 0, &hf_kerberos_armored_data, BER_CLASS_CON, 0, 0, dissect_kerberos_KrbFastArmoredReq }, + { 0, NULL, 0, 0, 0, NULL } +}; + +static int +dissect_kerberos_PA_FX_FAST_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { + offset = dissect_ber_choice(actx, tree, tvb, offset, + PA_FX_FAST_REQUEST_choice, hf_index, ett_kerberos_PA_FX_FAST_REQUEST, + NULL); + + return offset; +} + + +static const ber_sequence_t KrbFastArmoredRep_sequence[] = { + { &hf_kerberos_enc_fast_rep, BER_CLASS_CON, 0, 0, dissect_kerberos_EncryptedData }, + { NULL, 0, 0, 0, NULL } +}; + +static int +dissect_kerberos_KrbFastArmoredRep(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { + offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset, + KrbFastArmoredRep_sequence, hf_index, ett_kerberos_KrbFastArmoredRep); + + return offset; +} + + +static const value_string kerberos_PA_FX_FAST_REPLY_vals[] = { + { 0, "armored-data" }, + { 0, NULL } +}; + +static const ber_choice_t PA_FX_FAST_REPLY_choice[] = { + { 0, &hf_kerberos_armored_data_01, BER_CLASS_CON, 0, 0, dissect_kerberos_KrbFastArmoredRep }, + { 0, NULL, 0, 0, 0, NULL } +}; + +static int +dissect_kerberos_PA_FX_FAST_REPLY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { + offset = dissect_ber_choice(actx, tree, tvb, offset, + PA_FX_FAST_REPLY_choice, hf_index, ett_kerberos_PA_FX_FAST_REPLY, + NULL); + + return offset; +} + + + +static int +dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { + offset = dissect_kerberos_EncryptedData(implicit_tag, tvb, offset, actx, tree, hf_index); + + return offset; +} + + /*--- End of included file: packet-kerberos-fn.c ---*/ -#line 1853 "./asn1/kerberos/packet-kerberos-template.c" +#line 1877 "./asn1/kerberos/packet-kerberos-template.c" /* Make wrappers around exported functions for now */ int @@ -4724,6 +4973,18 @@ void proto_register_kerberos(void) { { "padata-value", "kerberos.padata_value", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, + { &hf_kerberos_etype, + { "etype", "kerberos.etype", + FT_INT32, BASE_DEC, VALS(kerberos_ENCTYPE_vals), 0, + "ENCTYPE", HFILL }}, + { &hf_kerberos_kvno, + { "kvno", "kerberos.kvno", + FT_UINT32, BASE_DEC, NULL, 0, + "UInt32", HFILL }}, + { &hf_kerberos_cipher, + { "cipher", "kerberos.cipher", + FT_BYTES, BASE_NONE, NULL, 0, + "OCTET_STRING", HFILL }}, { &hf_kerberos_keytype, { "keytype", "kerberos.keytype", FT_INT32, BASE_DEC, NULL, 0, @@ -4740,14 +5001,6 @@ void proto_register_kerberos(void) { { "checksum", "kerberos.checksum", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, - { &hf_kerberos_etype, - { "etype", "kerberos.etype", - FT_INT32, BASE_DEC, VALS(kerberos_ENCTYPE_vals), 0, - "ENCTYPE", HFILL }}, - { &hf_kerberos_kvno, - { "kvno", "kerberos.kvno", - FT_UINT32, BASE_DEC, NULL, 0, - "UInt32", HFILL }}, { &hf_kerberos_encryptedTicketData_cipher, { "cipher", "kerberos.cipher", FT_BYTES, BASE_NONE, NULL, 0, @@ -5108,6 +5361,54 @@ void proto_register_kerberos(void) { { "targrealm", "kerberos.targrealm", FT_STRING, BASE_NONE, NULL, 0, "Realm", HFILL }}, + { &hf_kerberos_PA_AUTHENTICATION_SET_item, + { "PA-AUTHENTICATION-SET-ELEM", "kerberos.PA_AUTHENTICATION_SET_ELEM_element", + FT_NONE, BASE_NONE, NULL, 0, + NULL, HFILL }}, + { &hf_kerberos_pa_type, + { "pa-type", "kerberos.pa_type", + FT_INT32, BASE_DEC, NULL, 0, + "Int32", HFILL }}, + { &hf_kerberos_pa_hint, + { "pa-hint", "kerberos.pa_hint", + FT_BYTES, BASE_NONE, NULL, 0, + "OCTET_STRING", HFILL }}, + { &hf_kerberos_pa_value, + { "pa-value", "kerberos.pa_value", + FT_BYTES, BASE_NONE, NULL, 0, + "OCTET_STRING", HFILL }}, + { &hf_kerberos_armor_type, + { "armor-type", "kerberos.armor_type", + FT_INT32, BASE_DEC, NULL, 0, + "Int32", HFILL }}, + { &hf_kerberos_armor_value, + { "armor-value", "kerberos.armor_value", + FT_BYTES, BASE_NONE, NULL, 0, + "OCTET_STRING", HFILL }}, + { &hf_kerberos_armored_data, + { "armored-data", "kerberos.armored_data_element", + FT_NONE, BASE_NONE, NULL, 0, + "KrbFastArmoredReq", HFILL }}, + { &hf_kerberos_armor, + { "armor", "kerberos.armor_element", + FT_NONE, BASE_NONE, NULL, 0, + "KrbFastArmor", HFILL }}, + { &hf_kerberos_req_checksum, + { "req-checksum", "kerberos.req_checksum_element", + FT_NONE, BASE_NONE, NULL, 0, + "Checksum", HFILL }}, + { &hf_kerberos_enc_fast_req, + { "enc-fast-req", "kerberos.enc_fast_req_element", + FT_NONE, BASE_NONE, NULL, 0, + "EncryptedData", HFILL }}, + { &hf_kerberos_armored_data_01, + { "armored-data", "kerberos.armored_data_element", + FT_NONE, BASE_NONE, NULL, 0, + "KrbFastArmoredRep", HFILL }}, + { &hf_kerberos_enc_fast_rep, + { "enc-fast-rep", "kerberos.enc_fast_rep_element", + FT_NONE, BASE_NONE, NULL, 0, + "EncryptedData", HFILL }}, { &hf_kerberos_APOptions_reserved, { "reserved", "kerberos.reserved", FT_BOOLEAN, 8, NULL, 0x80, @@ -5176,9 +5477,17 @@ void proto_register_kerberos(void) { { "ok-as-delegate", "kerberos.ok-as-delegate", FT_BOOLEAN, 8, NULL, 0x04, NULL, HFILL }}, + { &hf_kerberos_TicketFlags_anonymous_14, + { "anonymous-14", "kerberos.anonymous-14", + FT_BOOLEAN, 8, NULL, 0x02, + NULL, HFILL }}, + { &hf_kerberos_TicketFlags_enc_pa_rep, + { "enc-pa-rep", "kerberos.enc-pa-rep", + FT_BOOLEAN, 8, NULL, 0x01, + NULL, HFILL }}, { &hf_kerberos_TicketFlags_anonymous, { "anonymous", "kerberos.anonymous", - FT_BOOLEAN, 8, NULL, 0x02, + FT_BOOLEAN, 8, NULL, 0x80, NULL, HFILL }}, { &hf_kerberos_KDCOptions_reserved, { "reserved", "kerberos.reserved", @@ -5262,7 +5571,7 @@ void proto_register_kerberos(void) { NULL, HFILL }}, /*--- End of included file: packet-kerberos-hfarr.c ---*/ -#line 2234 "./asn1/kerberos/packet-kerberos-template.c" +#line 2258 "./asn1/kerberos/packet-kerberos-template.c" }; /* List of subtrees */ @@ -5293,6 +5602,7 @@ void proto_register_kerberos(void) { &ett_kerberos_AuthorizationData, &ett_kerberos_AuthorizationData_item, &ett_kerberos_PA_DATA, + &ett_kerberos_EncryptedData, &ett_kerberos_EncryptionKey, &ett_kerberos_Checksum, &ett_kerberos_EncryptedTicketData, @@ -5338,9 +5648,16 @@ void proto_register_kerberos(void) { &ett_kerberos_PA_S4U2Self, &ett_kerberos_KERB_PA_PAC_REQUEST, &ett_kerberos_ChangePasswdData, + &ett_kerberos_PA_AUTHENTICATION_SET, + &ett_kerberos_PA_AUTHENTICATION_SET_ELEM, + &ett_kerberos_KrbFastArmor, + &ett_kerberos_PA_FX_FAST_REQUEST, + &ett_kerberos_KrbFastArmoredReq, + &ett_kerberos_PA_FX_FAST_REPLY, + &ett_kerberos_KrbFastArmoredRep, /*--- End of included file: packet-kerberos-ettarr.c ---*/ -#line 2250 "./asn1/kerberos/packet-kerberos-template.c" +#line 2274 "./asn1/kerberos/packet-kerberos-template.c" }; static ei_register_info ei[] = { diff --git a/epan/dissectors/packet-kerberos.h b/epan/dissectors/packet-kerberos.h index 901567ac50..4617601bb3 100644 --- a/epan/dissectors/packet-kerberos.h +++ b/epan/dissectors/packet-kerberos.h @@ -1,7 +1,7 @@ /* Do not modify this file. Changes will be overwritten. */ /* Generated automatically by the ASN.1 to Wireshark dissector compiler */ /* packet-kerberos.h */ -/* asn2wrs.py -b -p kerberos -c ./kerberos.cnf -s ./packet-kerberos-template -D . -O ../.. KerberosV5Spec2.asn k5.asn RFC3244.asn */ +/* asn2wrs.py -b -p kerberos -c ./kerberos.cnf -s ./packet-kerberos-template -D . -O ../.. KerberosV5Spec2.asn k5.asn RFC3244.asn RFC6113.asn */ /* Input file: packet-kerberos-template.h */ |