aboutsummaryrefslogtreecommitdiffstats
path: root/asn1
diff options
context:
space:
mode:
authorAnders Broman <anders.broman@ericsson.com>2008-10-15 06:14:24 +0000
committerAnders Broman <anders.broman@ericsson.com>2008-10-15 06:14:24 +0000
commit18a701918b4ff383114d2d8282ccb4ce4f69d79d (patch)
tree9bdec51f589e72a4ffbb8b87dfd99d16720b32f5 /asn1
parentc99312dae0587939b3aae92bbb7bd4fc7a009800 (diff)
Start of an asn2wrs generated kerberos dissector. Most of the hand crafted stuff is in the template file but it's not yet accessed from the asn2wrs generated code.
- Work in progress. svn path=/trunk/; revision=26460
Diffstat (limited to 'asn1')
-rw-r--r--asn1/kerberos/KerberosV5Spec2.asn418
-rw-r--r--asn1/kerberos/Makefile.am26
-rw-r--r--asn1/kerberos/Makefile.common52
-rw-r--r--asn1/kerberos/Makefile.nmake29
-rw-r--r--asn1/kerberos/kerberos.asn417
-rw-r--r--asn1/kerberos/kerberos.cnf12
-rw-r--r--asn1/kerberos/packet-kerberos-template.c1313
-rw-r--r--asn1/kerberos/packet-kerberos-template.h35
8 files changed, 2302 insertions, 0 deletions
diff --git a/asn1/kerberos/KerberosV5Spec2.asn b/asn1/kerberos/KerberosV5Spec2.asn
new file mode 100644
index 0000000000..0c5e593c84
--- /dev/null
+++ b/asn1/kerberos/KerberosV5Spec2.asn
@@ -0,0 +1,418 @@
+--http://www.ietf.org/rfc/rfc4120.txt?number=4120
+KerberosV5Spec2 {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2) modules(4) krb5spec2(2)
+} DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+-- OID arc for KerberosV5
+--
+-- This OID may be used to identify Kerberos protocol messages
+-- encapsulated in other protocols.
+--
+-- This OID also designates the OID arc for KerberosV5-related OIDs.
+--
+-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
+-- My stuff
+Applications ::= CHOICE {
+ ticket Ticket, -- 1 --
+ authenticator Authenticator, -- 2 --
+ encTicketPart EncTicketPart, -- 3 --
+ as-req AS-REQ, -- 10 --
+ as-rep AS-REP, -- 11 --
+ tgs-req TGS-REQ, -- 12 --
+ tgs-rep TGS-REP, -- 13 --
+ ap-req AP-REQ, -- 14 --
+ ap-rep AP-REP, -- 15 --
+ krb-safe KRB-SAFE, -- 20 --
+ krb-priv KRB-PRIV, -- 21 --
+ krb-cred KRB-CRED, -- 22 --
+ encASRepPart EncASRepPart, -- 25 --
+ encTGSRepPart EncTGSRepPart, -- 26 --
+ encAPRepPart EncAPRepPart, -- 27 --
+ encKrbPrivPart EncKrbPrivPart, -- 28 --
+ encKrbCredPart EncKrbCredPart, -- 29 --
+ krb-error KRB-ERROR -- 30 --
+ }
+-- end my stuff
+id-krb5 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2)
+}
+
+Int32 ::= INTEGER (-2147483648..2147483647)
+ -- signed values representable in 32 bits
+
+UInt32 ::= INTEGER (0..4294967295)
+ -- unsigned 32 bit values
+
+Microseconds ::= INTEGER (0..999999)
+ -- microseconds
+
+KerberosString ::= GeneralString (IA5String)
+
+Realm ::= KerberosString
+
+PrincipalName ::= SEQUENCE {
+ name-type [0] Int32,
+ name-string [1] SEQUENCE OF KerberosString
+}
+
+KerberosTime ::= GeneralizedTime -- with no fractional seconds
+
+HostAddress ::= SEQUENCE {
+ addr-type [0] Int32,
+ address [1] OCTET STRING
+}
+
+-- NOTE: HostAddresses is always used as an OPTIONAL field and
+-- should not be empty.
+HostAddresses -- NOTE: subtly different from rfc1510,
+ -- but has a value mapping and encodes the same
+ ::= SEQUENCE OF HostAddress
+
+-- NOTE: AuthorizationData is always used as an OPTIONAL field and
+-- should not be empty.
+AuthorizationData ::= SEQUENCE OF SEQUENCE {
+ ad-type [0] Int32,
+ ad-data [1] OCTET STRING
+}
+
+PA-DATA ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+ padata-type [1] Int32,
+ padata-value [2] OCTET STRING -- might be encoded AP-REQ
+}
+
+KerberosFlags ::= BIT STRING (SIZE (32..MAX))
+ -- minimum number of bits shall be sent,
+ -- but no fewer than 32
+
+EncryptedData ::= SEQUENCE {
+ etype [0] Int32 -- EncryptionType --,
+ kvno [1] UInt32 OPTIONAL,
+ cipher [2] OCTET STRING -- ciphertext
+}
+
+EncryptionKey ::= SEQUENCE {
+ keytype [0] Int32 -- actually encryption type --,
+ keyvalue [1] OCTET STRING
+}
+
+Checksum ::= SEQUENCE {
+ cksumtype [0] Int32,
+ checksum [1] OCTET STRING
+}
+
+Ticket ::= [APPLICATION 1] SEQUENCE {
+ tkt-vno [0] INTEGER (5),
+ realm [1] Realm,
+ sname [2] PrincipalName,
+ enc-part [3] EncryptedData -- EncTicketPart
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+ flags [0] TicketFlags,
+ key [1] EncryptionKey,
+ crealm [2] Realm,
+ cname [3] PrincipalName,
+ transited [4] TransitedEncoding,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ caddr [9] HostAddresses OPTIONAL,
+ authorization-data [10] AuthorizationData OPTIONAL
+}
+
+-- encoded Transited field
+TransitedEncoding ::= SEQUENCE {
+ tr-type [0] Int32 -- must be registered --,
+ contents [1] OCTET STRING
+}
+
+TicketFlags ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+ -- may-postdate(5),
+ -- postdated(6),
+ -- invalid(7),
+ -- renewable(8),
+ -- initial(9),
+ -- pre-authent(10),
+ -- hw-authent(11),
+-- the following are new since 1510
+ -- transited-policy-checked(12),
+ -- ok-as-delegate(13)
+
+AS-REQ ::= [APPLICATION 10] KDC-REQ
+
+TGS-REQ ::= [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+ pvno [1] INTEGER (5) ,
+-- msg-type [2] INTEGER (10 - - AS - - | 12 - - TGS - -),
+ msg-type [2] INTEGER,
+ padata [3] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ req-body [4] KDC-REQ-BODY
+}
+
+KDC-REQ-BODY ::= SEQUENCE {
+ kdc-options [0] KDCOptions,
+ cname [1] PrincipalName OPTIONAL
+ -- Used only in AS-REQ --,
+ realm [2] Realm
+ -- Server's realm
+ -- Also client's in AS-REQ --,
+ sname [3] PrincipalName OPTIONAL,
+ from [4] KerberosTime OPTIONAL,
+ till [5] KerberosTime,
+ rtime [6] KerberosTime OPTIONAL,
+ nonce [7] UInt32,
+ etype [8] SEQUENCE OF Int32 -- EncryptionType
+ -- in preference order --,
+ addresses [9] HostAddresses OPTIONAL,
+ enc-authorization-data [10] EncryptedData OPTIONAL
+ -- AuthorizationData --,
+ additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
+ -- NOTE: not empty
+}
+
+KDCOptions ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+ -- allow-postdate(5),
+ -- postdated(6),
+ -- unused7(7),
+ -- renewable(8),
+ -- unused9(9),
+ -- unused10(10),
+ -- opt-hardware-auth(11),
+ -- unused12(12),
+ -- unused13(13),
+-- 15 is reserved for canonicalize
+ -- unused15(15),
+-- 26 was unused in 1510
+ -- disable-transited-check(26),
+--
+ -- renewable-ok(27),
+ -- enc-tkt-in-skey(28),
+ -- renew(30),
+ -- validate(31)
+
+AS-REP ::= [APPLICATION 11] KDC-REP
+
+TGS-REP ::= [APPLICATION 13] KDC-REP
+
+
+KDC-REP ::= SEQUENCE {
+ pvno [0] INTEGER (5),
+-- msg-type [1] INTEGER (11 - - AS - - | 13 - - TGS - -),
+ msg-type [1] INTEGER,
+ padata [2] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ crealm [3] Realm,
+ cname [4] PrincipalName,
+ ticket [5] Ticket,
+ enc-part [6] EncryptedData
+ -- EncASRepPart or EncTGSRepPart,
+ -- as appropriate
+}
+
+EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
+
+EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::= SEQUENCE {
+ key [0] EncryptionKey,
+ last-req [1] LastReq,
+ nonce [2] UInt32,
+ key-expiration [3] KerberosTime OPTIONAL,
+ flags [4] TicketFlags,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ srealm [9] Realm,
+ sname [10] PrincipalName,
+ caddr [11] HostAddresses OPTIONAL
+}
+
+LastReq ::= SEQUENCE OF SEQUENCE {
+ lr-type [0] Int32,
+ lr-value [1] KerberosTime
+}
+
+AP-REQ ::= [APPLICATION 14] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (14),
+ ap-options [2] APOptions,
+ ticket [3] Ticket,
+ authenticator [4] EncryptedData -- Authenticator
+}
+
+APOptions ::= KerberosFlags
+ -- reserved(0),
+ -- use-session-key(1),
+ -- mutual-required(2)
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE {
+ authenticator-vno [0] INTEGER (5),
+ crealm [1] Realm,
+ cname [2] PrincipalName,
+ cksum [3] Checksum OPTIONAL,
+ cusec [4] Microseconds,
+ ctime [5] KerberosTime,
+ subkey [6] EncryptionKey OPTIONAL,
+ seq-number [7] UInt32 OPTIONAL,
+ authorization-data [8] AuthorizationData OPTIONAL
+}
+
+AP-REP ::= [APPLICATION 15] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (15),
+ enc-part [2] EncryptedData -- EncAPRepPart
+}
+
+EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
+ ctime [0] KerberosTime,
+ cusec [1] Microseconds,
+ subkey [2] EncryptionKey OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL
+}
+
+KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (20),
+ safe-body [2] KRB-SAFE-BODY,
+ cksum [3] Checksum
+}
+
+KRB-SAFE-BODY ::= SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress,
+ r-address [5] HostAddress OPTIONAL
+}
+
+KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (21),
+ -- NOTE: there is no [2] tag
+ enc-part [3] EncryptedData -- EncKrbPrivPart
+}
+
+EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress -- sender's addr --,
+ r-address [5] HostAddress OPTIONAL -- recip's addr
+}
+
+KRB-CRED ::= [APPLICATION 22] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (22),
+ tickets [2] SEQUENCE OF Ticket,
+ enc-part [3] EncryptedData -- EncKrbCredPart
+}
+
+EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
+ ticket-info [0] SEQUENCE OF KrbCredInfo,
+ nonce [1] UInt32 OPTIONAL,
+ timestamp [2] KerberosTime OPTIONAL,
+ usec [3] Microseconds OPTIONAL,
+ s-address [4] HostAddress OPTIONAL,
+ r-address [5] HostAddress OPTIONAL
+}
+
+KrbCredInfo ::= SEQUENCE {
+ key [0] EncryptionKey,
+ prealm [1] Realm OPTIONAL,
+ pname [2] PrincipalName OPTIONAL,
+ flags [3] TicketFlags OPTIONAL,
+ authtime [4] KerberosTime OPTIONAL,
+ starttime [5] KerberosTime OPTIONAL,
+ endtime [6] KerberosTime OPTIONAL,
+ renew-till [7] KerberosTime OPTIONAL,
+ srealm [8] Realm OPTIONAL,
+ sname [9] PrincipalName OPTIONAL,
+ caddr [10] HostAddresses OPTIONAL
+}
+
+KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (30),
+ ctime [2] KerberosTime OPTIONAL,
+ cusec [3] Microseconds OPTIONAL,
+ stime [4] KerberosTime,
+ susec [5] Microseconds,
+ error-code [6] Int32,
+ crealm [7] Realm OPTIONAL,
+ cname [8] PrincipalName OPTIONAL,
+ realm [9] Realm -- service realm --,
+ sname [10] PrincipalName -- service name --,
+ e-text [11] KerberosString OPTIONAL,
+ e-data [12] OCTET STRING OPTIONAL
+}
+
+METHOD-DATA ::= SEQUENCE OF PA-DATA
+
+TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ data-type [0] Int32,
+ data-value [1] OCTET STRING OPTIONAL
+}
+
+-- preauth stuff follows
+
+PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
+
+PA-ENC-TS-ENC ::= SEQUENCE {
+ patimestamp [0] KerberosTime -- client's time --,
+ pausec [1] Microseconds OPTIONAL
+}
+
+ETYPE-INFO-ENTRY ::= SEQUENCE {
+ etype [0] Int32,
+ salt [1] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+ETYPE-INFO2-ENTRY ::= SEQUENCE {
+ etype [0] Int32,
+ salt [1] KerberosString OPTIONAL,
+ s2kparams [2] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
+AD-IF-RELEVANT ::= AuthorizationData
+
+AD-KDCIssued ::= SEQUENCE {
+ ad-checksum [0] Checksum,
+ i-realm [1] Realm OPTIONAL,
+ i-sname [2] PrincipalName OPTIONAL,
+ elements [3] AuthorizationData
+}
+
+AD-AND-OR ::= SEQUENCE {
+ condition-count [0] Int32,
+ elements [1] AuthorizationData
+}
+
+AD-MANDATORY-FOR-KDC ::= AuthorizationData
+
+END
diff --git a/asn1/kerberos/Makefile.am b/asn1/kerberos/Makefile.am
new file mode 100644
index 0000000000..462af31e88
--- /dev/null
+++ b/asn1/kerberos/Makefile.am
@@ -0,0 +1,26 @@
+# $Id$
+#
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+
+include ../Makefile.preinc
+include Makefile.common
+include ../Makefile.inc
+
diff --git a/asn1/kerberos/Makefile.common b/asn1/kerberos/Makefile.common
new file mode 100644
index 0000000000..658df0627b
--- /dev/null
+++ b/asn1/kerberos/Makefile.common
@@ -0,0 +1,52 @@
+# $Id$
+#
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+
+PROTOCOL_NAME=kerberos
+
+DISSECTOR_FILES=packet-$(PROTOCOL_NAME).c \
+ packet-$(PROTOCOL_NAME).h
+
+NEED_PACKET_PROTO_H = 1
+
+EXPORT_FILES = \
+ $(PROTOCOL_NAME)-exp.cnf
+
+EXT_ASN_FILE_LIST =
+
+ASN_FILE_LIST = KerberosV5Spec2.asn
+
+# The packet-$(PROTOCOL_NAME)-template.h and $(PROTOCOL_NAME).asn
+# files do not exist # for all protocols: Please add/remove as required.
+EXTRA_DIST = \
+ $(ASN_FILE_LIST) \
+ packet-$(PROTOCOL_NAME)-template.c \
+ packet-$(PROTOCOL_NAME)-template.h \
+ $(PROTOCOL_NAME).cnf
+
+SRC_FILES = \
+ $(EXTRA_DIST) \
+ $(EXT_ASN_FILE_LIST)
+
+A2W_FLAGS= -b -X -T -e
+
+EXTRA_CNF=
+
diff --git a/asn1/kerberos/Makefile.nmake b/asn1/kerberos/Makefile.nmake
new file mode 100644
index 0000000000..5a32997c60
--- /dev/null
+++ b/asn1/kerberos/Makefile.nmake
@@ -0,0 +1,29 @@
+## Use: $(MAKE) /$(MAKEFLAGS) -f makefile.nmake
+#
+# $Id$
+#
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+
+include ../../config.nmake
+include ../Makefile.preinc.nmake
+include Makefile.common
+include ../Makefile.inc.nmake
+
diff --git a/asn1/kerberos/kerberos.asn b/asn1/kerberos/kerberos.asn
new file mode 100644
index 0000000000..621f30c2f5
--- /dev/null
+++ b/asn1/kerberos/kerberos.asn
@@ -0,0 +1,417 @@
+ KerberosV5Spec2 {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2) modules(4) krb5spec2(2)
+} DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+-- OID arc for KerberosV5
+--
+-- This OID may be used to identify Kerberos protocol messages
+-- encapsulated in other protocols.
+--
+-- This OID also designates the OID arc for KerberosV5-related OIDs.
+--
+-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
+id-krb5 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2)
+}
+
+-- WS construct
+Application ::= CHOICE {
+ ticket Ticket,
+ authenticator Authenticator,
+ encTicketPart EncTicketPart,
+ as-req AS-REQ,
+ as-rep AS-REP,
+ tgs-req TGS-REQ,
+ tgs-rep TGS-REP,
+ ap-req AP-REQ,
+ ap-rep AP-REP,
+ krb-safe KRB-SAFE,
+ krb-priv KRB-PRIV,
+ krb-cred KRB-CRED,
+ encASRepPart EncASRepPart,
+ encTGSRepPart EncTGSRepPart,
+ encAPRepPart EncAPRepPart,
+ encKrbPrivPart EncKrbPrivPart,
+ encKrbCredPart EncKrbCredPart,
+ krb-error KRB-ERROR
+}
+
+Int32 ::= INTEGER (-2147483648..2147483647)
+ -- signed values representable in 32 bits
+
+UInt32 ::= INTEGER (0..4294967295)
+ -- unsigned 32 bit values
+
+Microseconds ::= INTEGER (0..999999)
+ -- microseconds
+
+KerberosString ::= GeneralString (IA5String)
+
+Realm ::= KerberosString
+
+PrincipalName ::= SEQUENCE {
+ name-type [0] Int32,
+ name-string [1] SEQUENCE OF KerberosString
+}
+
+KerberosTime ::= GeneralizedTime -- with no fractional seconds
+
+HostAddress ::= SEQUENCE {
+ addr-type [0] Int32,
+ address [1] OCTET STRING
+}
+
+-- NOTE: HostAddresses is always used as an OPTIONAL field and
+-- should not be empty.
+HostAddresses -- NOTE: subtly different from rfc1510,
+ -- but has a value mapping and encodes the same
+ ::= SEQUENCE OF HostAddress
+
+-- NOTE: AuthorizationData is always used as an OPTIONAL field and
+-- should not be empty.
+AuthorizationData ::= SEQUENCE OF SEQUENCE {
+ ad-type [0] Int32,
+ ad-data [1] OCTET STRING
+}
+
+PA-DATA ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+ padata-type [1] Int32,
+ padata-value [2] OCTET STRING -- might be encoded AP-REQ
+}
+
+KerberosFlags ::= BIT STRING (SIZE (32..MAX))
+ -- minimum number of bits shall be sent,
+ -- but no fewer than 32
+
+EncryptedData ::= SEQUENCE {
+ etype [0] Int32 -- EncryptionType --,
+ kvno [1] UInt32 OPTIONAL,
+ cipher [2] OCTET STRING -- ciphertext
+}
+
+EncryptionKey ::= SEQUENCE {
+ keytype [0] Int32 -- actually encryption type --,
+ keyvalue [1] OCTET STRING
+}
+
+Checksum ::= SEQUENCE {
+ cksumtype [0] Int32,
+ checksum [1] OCTET STRING
+}
+
+Ticket ::= [APPLICATION 1] SEQUENCE {
+ tkt-vno [0] INTEGER (5),
+ realm [1] Realm,
+ sname [2] PrincipalName,
+ enc-part [3] EncryptedData -- EncTicketPart
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+ flags [0] TicketFlags,
+ key [1] EncryptionKey,
+ crealm [2] Realm,
+ cname [3] PrincipalName,
+ transited [4] TransitedEncoding,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ caddr [9] HostAddresses OPTIONAL,
+ authorization-data [10] AuthorizationData OPTIONAL
+}
+
+-- encoded Transited field
+TransitedEncoding ::= SEQUENCE {
+ tr-type [0] Int32 -- must be registered --,
+ contents [1] OCTET STRING
+}
+
+TicketFlags ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+ -- may-postdate(5),
+ -- postdated(6),
+ -- invalid(7),
+ -- renewable(8),
+ -- initial(9),
+ -- pre-authent(10),
+ -- hw-authent(11),
+-- the following are new since 1510
+ -- transited-policy-checked(12),
+ -- ok-as-delegate(13)
+
+AS-REQ ::= [APPLICATION 10] KDC-REQ
+
+TGS-REQ ::= [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+ pvno [1] INTEGER (5) ,
+-- msg-type [2] INTEGER (10 - - AS - - | 12 - - TGS - -),
+ msg-type [2] INTEGER,
+ padata [3] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ req-body [4] KDC-REQ-BODY
+}
+
+KDC-REQ-BODY ::= SEQUENCE {
+ kdc-options [0] KDCOptions,
+ cname [1] PrincipalName OPTIONAL
+ -- Used only in AS-REQ --,
+ realm [2] Realm
+ -- Server's realm
+ -- Also client's in AS-REQ --,
+ sname [3] PrincipalName OPTIONAL,
+ from [4] KerberosTime OPTIONAL,
+ till [5] KerberosTime,
+ rtime [6] KerberosTime OPTIONAL,
+ nonce [7] UInt32,
+ etype [8] SEQUENCE OF Int32 -- EncryptionType
+ -- in preference order --,
+ addresses [9] HostAddresses OPTIONAL,
+ enc-authorization-data [10] EncryptedData OPTIONAL
+ -- AuthorizationData --,
+ additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
+ -- NOTE: not empty
+}
+
+KDCOptions ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+ -- allow-postdate(5),
+ -- postdated(6),
+ -- unused7(7),
+ -- renewable(8),
+ -- unused9(9),
+ -- unused10(10),
+ -- opt-hardware-auth(11),
+ -- unused12(12),
+ -- unused13(13),
+-- 15 is reserved for canonicalize
+ -- unused15(15),
+-- 26 was unused in 1510
+ -- disable-transited-check(26),
+--
+ -- renewable-ok(27),
+ -- enc-tkt-in-skey(28),
+ -- renew(30),
+ -- validate(31)
+
+AS-REP ::= [APPLICATION 11] KDC-REP
+
+TGS-REP ::= [APPLICATION 13] KDC-REP
+
+
+KDC-REP ::= SEQUENCE {
+ pvno [0] INTEGER (5),
+-- msg-type [1] INTEGER (11 - - AS - - | 13 - - TGS - -),
+ msg-type [1] INTEGER,
+ padata [2] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ crealm [3] Realm,
+ cname [4] PrincipalName,
+ ticket [5] Ticket,
+ enc-part [6] EncryptedData
+ -- EncASRepPart or EncTGSRepPart,
+ -- as appropriate
+}
+
+EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
+
+EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::= SEQUENCE {
+ key [0] EncryptionKey,
+ last-req [1] LastReq,
+ nonce [2] UInt32,
+ key-expiration [3] KerberosTime OPTIONAL,
+ flags [4] TicketFlags,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ srealm [9] Realm,
+ sname [10] PrincipalName,
+ caddr [11] HostAddresses OPTIONAL
+}
+
+LastReq ::= SEQUENCE OF SEQUENCE {
+ lr-type [0] Int32,
+ lr-value [1] KerberosTime
+}
+
+AP-REQ ::= [APPLICATION 14] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (14),
+ ap-options [2] APOptions,
+ ticket [3] Ticket,
+ authenticator [4] EncryptedData -- Authenticator
+}
+
+APOptions ::= KerberosFlags
+ -- reserved(0),
+ -- use-session-key(1),
+ -- mutual-required(2)
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE {
+ authenticator-vno [0] INTEGER (5),
+ crealm [1] Realm,
+ cname [2] PrincipalName,
+ cksum [3] Checksum OPTIONAL,
+ cusec [4] Microseconds,
+ ctime [5] KerberosTime,
+ subkey [6] EncryptionKey OPTIONAL,
+ seq-number [7] UInt32 OPTIONAL,
+ authorization-data [8] AuthorizationData OPTIONAL
+}
+
+AP-REP ::= [APPLICATION 15] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (15),
+ enc-part [2] EncryptedData -- EncAPRepPart
+}
+
+EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
+ ctime [0] KerberosTime,
+ cusec [1] Microseconds,
+ subkey [2] EncryptionKey OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL
+}
+
+KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (20),
+ safe-body [2] KRB-SAFE-BODY,
+ cksum [3] Checksum
+}
+
+KRB-SAFE-BODY ::= SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress,
+ r-address [5] HostAddress OPTIONAL
+}
+
+KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (21),
+ -- NOTE: there is no [2] tag
+ enc-part [3] EncryptedData -- EncKrbPrivPart
+}
+
+EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress -- sender's addr --,
+ r-address [5] HostAddress OPTIONAL -- recip's addr
+}
+
+KRB-CRED ::= [APPLICATION 22] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (22),
+ tickets [2] SEQUENCE OF Ticket,
+ enc-part [3] EncryptedData -- EncKrbCredPart
+}
+
+EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
+ ticket-info [0] SEQUENCE OF KrbCredInfo,
+ nonce [1] UInt32 OPTIONAL,
+ timestamp [2] KerberosTime OPTIONAL,
+ usec [3] Microseconds OPTIONAL,
+ s-address [4] HostAddress OPTIONAL,
+ r-address [5] HostAddress OPTIONAL
+}
+
+KrbCredInfo ::= SEQUENCE {
+ key [0] EncryptionKey,
+ prealm [1] Realm OPTIONAL,
+ pname [2] PrincipalName OPTIONAL,
+ flags [3] TicketFlags OPTIONAL,
+ authtime [4] KerberosTime OPTIONAL,
+ starttime [5] KerberosTime OPTIONAL,
+ endtime [6] KerberosTime OPTIONAL,
+ renew-till [7] KerberosTime OPTIONAL,
+ srealm [8] Realm OPTIONAL,
+ sname [9] PrincipalName OPTIONAL,
+ caddr [10] HostAddresses OPTIONAL
+}
+
+KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (30),
+ ctime [2] KerberosTime OPTIONAL,
+ cusec [3] Microseconds OPTIONAL,
+ stime [4] KerberosTime,
+ susec [5] Microseconds,
+ error-code [6] Int32,
+ crealm [7] Realm OPTIONAL,
+ cname [8] PrincipalName OPTIONAL,
+ realm [9] Realm -- service realm --,
+ sname [10] PrincipalName -- service name --,
+ e-text [11] KerberosString OPTIONAL,
+ e-data [12] OCTET STRING OPTIONAL
+}
+
+METHOD-DATA ::= SEQUENCE OF PA-DATA
+
+TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ data-type [0] Int32,
+ data-value [1] OCTET STRING OPTIONAL
+}
+
+-- preauth stuff follows
+
+PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
+
+PA-ENC-TS-ENC ::= SEQUENCE {
+ patimestamp [0] KerberosTime -- client's time --,
+ pausec [1] Microseconds OPTIONAL
+}
+
+ETYPE-INFO-ENTRY ::= SEQUENCE {
+ etype [0] Int32,
+ salt [1] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+ETYPE-INFO2-ENTRY ::= SEQUENCE {
+ etype [0] Int32,
+ salt [1] KerberosString OPTIONAL,
+ s2kparams [2] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
+AD-IF-RELEVANT ::= AuthorizationData
+
+AD-KDCIssued ::= SEQUENCE {
+ ad-checksum [0] Checksum,
+ i-realm [1] Realm OPTIONAL,
+ i-sname [2] PrincipalName OPTIONAL,
+ elements [3] AuthorizationData
+}
+
+AD-AND-OR ::= SEQUENCE {
+ condition-count [0] Int32,
+ elements [1] AuthorizationData
+}
+
+AD-MANDATORY-FOR-KDC ::= AuthorizationData
+
+END
diff --git a/asn1/kerberos/kerberos.cnf b/asn1/kerberos/kerberos.cnf
new file mode 100644
index 0000000000..1b99705bcc
--- /dev/null
+++ b/asn1/kerberos/kerberos.cnf
@@ -0,0 +1,12 @@
+# kerberos.cnf
+# kerberos conformation file
+# Copyright 2007 Anders Broman
+# $Id$
+
+#.FIELD_RENAME
+
+#.FN_PARS
+Int32 VAL_PTR = etype
+
+
+
diff --git a/asn1/kerberos/packet-kerberos-template.c b/asn1/kerberos/packet-kerberos-template.c
new file mode 100644
index 0000000000..bd13cea8e1
--- /dev/null
+++ b/asn1/kerberos/packet-kerberos-template.c
@@ -0,0 +1,1313 @@
+/* packet-kerberos.c
+ * Routines for Kerberos
+ * Wes Hardaker (c) 2000
+ * wjhardaker@ucdavis.edu
+ * Richard Sharpe (C) 2002, rsharpe@samba.org, modularized a bit more and
+ * added AP-REQ and AP-REP dissection
+ *
+ * Ronnie Sahlberg (C) 2004, major rewrite for new ASN.1/BER API.
+ * decryption of kerberos blobs if keytab is provided
+ *
+ * See RFC 1510, and various I-Ds and other documents showing additions,
+ * e.g. ones listed under
+ *
+ * http://www.isi.edu/people/bcn/krb-revisions/
+ *
+ * and
+ *
+ * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt
+ *
+ * and
+ *
+ * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-05.txt
+ *
+ * Some structures from RFC2630
+ *
+ * $Id$
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+/*
+ * Some of the development of the Kerberos protocol decoder was sponsored by
+ * Cable Television Laboratories, Inc. ("CableLabs") based upon proprietary
+ * CableLabs' specifications. Your license and use of this protocol decoder
+ * does not mean that you are licensed to use the CableLabs'
+ * specifications. If you have questions about this protocol, contact
+ * jf.mule [AT] cablelabs.com or c.stuart [AT] cablelabs.com for additional
+ * information.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <glib.h>
+#include <ctype.h>
+
+#ifdef HAVE_LIBNETTLE
+#define HAVE_KERBEROS
+#ifdef _WIN32
+#include <des.h>
+#include <cbc.h>
+#else
+#include <nettle/des.h>
+#include <nettle/cbc.h>
+#endif
+#include <epan/crypt/crypt-md5.h>
+#include <sys/stat.h> /* For keyfile manipulation */
+#endif
+
+#include <epan/packet.h>
+
+#include <epan/strutil.h>
+
+#include <epan/conversation.h>
+#include <epan/emem.h>
+#include <epan/dissectors/packet-kerberos.h>
+#include <epan/dissectors/packet-netbios.h>
+#include <epan/dissectors/packet-tcp.h>
+#include <epan/prefs.h>
+#include <epan/dissectors/packet-ber.h>
+#include <epan/dissectors/packet-per.h>
+#include <epan/dissectors/packet-pkinit.h>
+#include <epan/dissectors/packet-cms.h>
+#include <epan/dissectors/packet-windows-common.h>
+
+#include <epan/dissectors/packet-dcerpc-netlogon.h>
+#include <epan/dissectors/packet-dcerpc.h>
+
+#include <epan/dissectors/packet-gssapi.h>
+
+#include <wiretap/file_util.h>
+
+#define PNAME "Kerberos"
+#define PSNAME "KRB5"
+#define PFNAME "kerberos"
+
+static kerberos_packet_info kerberos_pi;
+
+#define UDP_PORT_KERBEROS 88
+#define TCP_PORT_KERBEROS 88
+
+static dissector_handle_t kerberos_handle_udp=NULL;
+
+/* Desegment Kerberos over TCP messages */
+static gboolean krb_desegment = TRUE;
+
+static gint proto_kerberos = -1;
+
+
+#include "packet-kerberos-hf.c"
+
+/* Initialize the subtree pointers */
+static gint ett_kerberos = -1;
+#include "packet-kerberos-ett.c"
+
+guint32 krb5_errorcode;
+
+
+static dissector_handle_t krb4_handle=NULL;
+
+static gboolean do_col_info;
+
+
+static void
+call_kerberos_callbacks(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int tag)
+{
+ kerberos_callbacks *cb=(kerberos_callbacks *)pinfo->private_data;
+
+ if(!cb){
+ return;
+ }
+
+ while(cb->tag){
+ if(cb->tag==tag){
+ cb->callback(pinfo, tvb, tree);
+ return;
+ }
+ cb++;
+ }
+ return;
+}
+
+
+
+#ifdef HAVE_KERBEROS
+
+/* Decrypt Kerberos blobs */
+static gboolean krb_decrypt = FALSE;
+
+/* keytab filename */
+static const char *keytab_filename = "insert filename here";
+
+#endif
+
+#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
+#ifdef _WIN32
+/* prevent redefinition warnings in kfw-2.5\inc\win_mac.h */
+#undef HAVE_STDARG_H
+#undef HAVE_SYS_TYPES_H
+#endif
+#include <krb5.h>
+enc_key_t *enc_key_list=NULL;
+
+static void
+add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin)
+{
+ enc_key_t *new_key;
+
+ if(pinfo->fd->flags.visited){
+ return;
+ }
+printf("added key in %u\n",pinfo->fd->num);
+
+ new_key=g_malloc(sizeof(enc_key_t));
+ g_snprintf(new_key->key_origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u",origin,pinfo->fd->num);
+ new_key->next=enc_key_list;
+ enc_key_list=new_key;
+ new_key->keytype=keytype;
+ new_key->keylength=keylength;
+ /*XXX this needs to be freed later */
+ new_key->keyvalue=g_memdup(keyvalue, keylength);
+}
+#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
+
+
+#ifdef HAVE_MIT_KERBEROS
+
+static void
+read_keytab_file(const char *filename, krb5_context *context)
+{
+ krb5_keytab keytab;
+ krb5_keytab_entry key;
+ krb5_error_code ret;
+ krb5_kt_cursor cursor;
+ enc_key_t *new_key;
+
+ /* should use a file in the wireshark users dir */
+ ret = krb5_kt_resolve(*context, filename, &keytab);
+ if(ret){
+ fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename);
+
+ return;
+ }
+
+ ret = krb5_kt_start_seq_get(*context, keytab, &cursor);
+ if(ret){
+ fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename);
+ return;
+ }
+
+ do{
+ new_key=g_malloc(sizeof(enc_key_t));
+ new_key->next=enc_key_list;
+ ret = krb5_kt_next_entry(*context, keytab, &key, &cursor);
+ if(ret==0){
+ int i;
+ char *pos;
+
+ /* generate origin string, describing where this key came from */
+ pos=new_key->key_origin;
+ pos+=MIN(KRB_MAX_ORIG_LEN,
+ g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal "));
+ for(i=0;i<key.principal->length;i++){
+ pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+ g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),(key.principal->data[i]).data));
+ }
+ pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+ g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm.data));
+ *pos=0;
+/*printf("added key for principal :%s\n", new_key->key_origin);*/
+ new_key->keytype=key.key.enctype;
+ new_key->keylength=key.key.length;
+ new_key->keyvalue=g_memdup(key.key.contents, key.key.length);
+ enc_key_list=new_key;
+ }
+ }while(ret==0);
+
+ ret = krb5_kt_end_seq_get(*context, keytab, &cursor);
+ if(ret){
+ krb5_kt_close(*context, keytab);
+ }
+
+}
+
+
+guint8 *
+decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
+ int usage,
+ int length,
+ const guint8 *cryptotext,
+ int keytype)
+{
+ static int first_time=1;
+ static krb5_context context;
+ krb5_error_code ret;
+ enc_key_t *ek;
+ static krb5_data data = {0,0,NULL};
+ krb5_keytab_entry key;
+
+ /* dont do anything if we are not attempting to decrypt data */
+ if(!krb_decrypt){
+ return NULL;
+ }
+
+ /* XXX we should only do this for first time, then store somewhere */
+ /* XXX We also need to re-read the keytab when the preference changes */
+
+ /* should this have a destroy context ? MIT people would know */
+ if(first_time){
+ first_time=0;
+ ret = krb5_init_context(&context);
+ if(ret){
+ return NULL;
+ }
+ read_keytab_file(keytab_filename, &context);
+ }
+
+ for(ek=enc_key_list;ek;ek=ek->next){
+ krb5_enc_data input;
+
+ /* shortcircuit and bail out if enctypes are not matching */
+ if(ek->keytype!=keytype){
+ continue;
+ }
+
+ input.enctype = ek->keytype;
+ input.ciphertext.length = length;
+ input.ciphertext.data = (guint8 *)cryptotext;
+
+ data.length = length;
+ if(data.data){
+ g_free(data.data);
+ }
+ data.data = g_malloc(length);
+
+ key.key.enctype=ek->keytype;
+ key.key.length=ek->keylength;
+ key.key.contents=ek->keyvalue;
+ ret = krb5_c_decrypt(context, &(key.key), usage, 0, &input, &data);
+ if((ret == 0) && (length>0)){
+ char *user_data;
+
+printf("woohoo decrypted keytype:%d in frame:%u\n", keytype, pinfo->fd->num);
+ proto_tree_add_text(tree, NULL, 0, 0, "[Decrypted using: %s]", ek->key_origin);
+ /* return a private g_malloced blob to the caller */
+ user_data=g_malloc(data.length);
+ memcpy(user_data, data.data, data.length);
+ return user_data;
+ }
+ }
+
+ return NULL;
+}
+
+#elif defined(HAVE_HEIMDAL_KERBEROS)
+static void
+read_keytab_file(const char *filename, krb5_context *context)
+{
+ krb5_keytab keytab;
+ krb5_keytab_entry key;
+ krb5_error_code ret;
+ krb5_kt_cursor cursor;
+ enc_key_t *new_key;
+
+ /* should use a file in the wireshark users dir */
+ ret = krb5_kt_resolve(*context, filename, &keytab);
+ if(ret){
+ fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename);
+
+ return;
+ }
+
+ ret = krb5_kt_start_seq_get(*context, keytab, &cursor);
+ if(ret){
+ fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename);
+ return;
+ }
+
+ do{
+ new_key=g_malloc(sizeof(enc_key_t));
+ new_key->next=enc_key_list;
+ ret = krb5_kt_next_entry(*context, keytab, &key, &cursor);
+ if(ret==0){
+ unsigned int i;
+ char *pos;
+
+ /* generate origin string, describing where this key came from */
+ pos=new_key->key_origin;
+ pos+=MIN(KRB_MAX_ORIG_LEN,
+ g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal "));
+ for(i=0;i<key.principal->name.name_string.len;i++){
+ pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+ g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),key.principal->name.name_string.val[i]));
+ }
+ pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+ g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm));
+ *pos=0;
+ new_key->keytype=key.keyblock.keytype;
+ new_key->keylength=key.keyblock.keyvalue.length;
+ new_key->keyvalue=g_memdup(key.keyblock.keyvalue.data, key.keyblock.keyvalue.length);
+ enc_key_list=new_key;
+ }
+ }while(ret==0);
+
+ ret = krb5_kt_end_seq_get(*context, keytab, &cursor);
+ if(ret){
+ krb5_kt_close(*context, keytab);
+ }
+
+}
+
+
+guint8 *
+decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
+ int usage,
+ int length,
+ const guint8 *cryptotext,
+ int keytype)
+{
+ static int first_time=1;
+ static krb5_context context;
+ krb5_error_code ret;
+ krb5_data data;
+ enc_key_t *ek;
+
+ /* dont do anything if we are not attempting to decrypt data */
+ if(!krb_decrypt){
+ return NULL;
+ }
+
+ /* XXX we should only do this for first time, then store somewhere */
+ /* XXX We also need to re-read the keytab when the preference changes */
+
+ /* should this have a destroy context ? Heimdal people would know */
+ if(first_time){
+ first_time=0;
+ ret = krb5_init_context(&context);
+ if(ret){
+ return NULL;
+ }
+ read_keytab_file(keytab_filename, &context);
+ }
+
+ for(ek=enc_key_list;ek;ek=ek->next){
+ krb5_keytab_entry key;
+ krb5_crypto crypto;
+ guint8 *cryptocopy; /* workaround for pre-0.6.1 heimdal bug */
+
+ /* shortcircuit and bail out if enctypes are not matching */
+ if(ek->keytype!=keytype){
+ continue;
+ }
+
+ key.keyblock.keytype=ek->keytype;
+ key.keyblock.keyvalue.length=ek->keylength;
+ key.keyblock.keyvalue.data=ek->keyvalue;
+ ret = krb5_crypto_init(context, &(key.keyblock), 0, &crypto);
+ if(ret){
+ return NULL;
+ }
+
+ /* pre-0.6.1 versions of Heimdal would sometimes change
+ the cryptotext data even when the decryption failed.
+ This would obviously not work since we iterate over the
+ keys. So just give it a copy of the crypto data instead.
+ This has been seen for RC4-HMAC blobs.
+ */
+ cryptocopy=g_malloc(length);
+ memcpy(cryptocopy, cryptotext, length);
+ ret = krb5_decrypt_ivec(context, crypto, usage,
+ cryptocopy, length,
+ &data,
+ NULL);
+ g_free(cryptocopy);
+ if((ret == 0) && (length>0)){
+ char *user_data;
+
+printf("woohoo decrypted keytype:%d in frame:%u\n", keytype, pinfo->fd->num);
+ proto_tree_add_text(tree, NULL, 0, 0, "[Decrypted using: %s]", ek->key_origin);
+ krb5_crypto_destroy(context, crypto);
+ /* return a private g_malloced blob to the caller */
+ user_data=g_malloc(data.length);
+ memcpy(user_data, data.data, data.length);
+ return user_data;
+ }
+ krb5_crypto_destroy(context, crypto);
+ }
+ return NULL;
+}
+
+#elif defined (HAVE_LIBNETTLE)
+
+#define SERVICE_KEY_SIZE (DES3_KEY_SIZE + 2)
+#define KEYTYPE_DES3_CBC_MD5 5 /* Currently the only one supported */
+
+typedef struct _service_key_t {
+ guint16 kvno;
+ int keytype;
+ int length;
+ guint8 *contents;
+ char origin[KRB_MAX_ORIG_LEN+1];
+} service_key_t;
+GSList *service_key_list = NULL;
+
+
+static void
+add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin)
+{
+ service_key_t *new_key;
+
+ if(pinfo->fd->flags.visited){
+ return;
+ }
+printf("added key in %u\n",pinfo->fd->num);
+
+ new_key = g_malloc(sizeof(service_key_t));
+ new_key->kvno = 0;
+ new_key->keytype = keytype;
+ new_key->length = keylength;
+ new_key->contents = g_malloc(keylength);
+ memcpy(new_key->contents, keyvalue, keylength);
+ g_snprintf(new_key->origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u", origin, pinfo->fd->num);
+ service_key_list = g_slist_append(service_key_list, (gpointer) new_key);
+}
+
+static void
+clear_keytab(void) {
+ GSList *ske;
+ service_key_t *sk;
+
+ for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
+ sk = (service_key_t *) ske->data;
+ if (sk && sk->contents) g_free(sk->contents);
+ if (sk) g_free(sk);
+ }
+ g_slist_free(service_key_list);
+ service_key_list = NULL;
+}
+
+static void
+read_keytab_file(const char *service_key_file)
+{
+ FILE *skf;
+ struct stat st;
+ service_key_t *sk;
+ unsigned char buf[SERVICE_KEY_SIZE];
+ int newline_skip = 0, count = 0;
+
+ if (service_key_file != NULL && stat (service_key_file, &st) == 0) {
+
+ /* The service key file contains raw 192-bit (24 byte) 3DES keys.
+ * There can be zero, one (\n), or two (\r\n) characters between
+ * keys. Trailing characters are ignored.
+ */
+
+ /* XXX We should support the standard keytab format instead */
+ if (st.st_size > SERVICE_KEY_SIZE) {
+ if ( (st.st_size % (SERVICE_KEY_SIZE + 1) == 0) ||
+ (st.st_size % (SERVICE_KEY_SIZE + 1) == SERVICE_KEY_SIZE) ) {
+ newline_skip = 1;
+ } else if ( (st.st_size % (SERVICE_KEY_SIZE + 2) == 0) ||
+ (st.st_size % (SERVICE_KEY_SIZE + 2) == SERVICE_KEY_SIZE) ) {
+ newline_skip = 2;
+ }
+ }
+
+ skf = eth_fopen(service_key_file, "rb");
+ if (! skf) return;
+
+ while (fread(buf, SERVICE_KEY_SIZE, 1, skf) == 1) {
+ sk = g_malloc(sizeof(service_key_t));
+ sk->kvno = buf[0] << 8 | buf[1];
+ sk->keytype = KEYTYPE_DES3_CBC_MD5;
+ sk->length = DES3_KEY_SIZE;
+ sk->contents = g_malloc(DES3_KEY_SIZE);
+ memcpy(sk->contents, buf + 2, DES3_KEY_SIZE);
+ g_snprintf(sk->origin, KRB_MAX_ORIG_LEN, "3DES service key file, key #%d, offset %ld", count, ftell(skf));
+ service_key_list = g_slist_append(service_key_list, (gpointer) sk);
+ fseek(skf, newline_skip, SEEK_CUR);
+ count++;
+g_warning("added key: %s", sk->origin);
+ }
+ fclose(skf);
+ }
+}
+
+#define CONFOUNDER_PLUS_CHECKSUM 24
+
+guint8 *
+decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
+ int _U_ usage,
+ int length,
+ const guint8 *cryptotext,
+ int keytype)
+{
+ tvbuff_t *encr_tvb;
+ guint8 *decrypted_data = NULL, *plaintext = NULL;
+ int res;
+ guint8 cls;
+ gboolean pc;
+ guint32 tag, item_len, data_len;
+ int id_offset, offset;
+ guint8 key[DES3_KEY_SIZE];
+ guint8 initial_vector[DES_BLOCK_SIZE];
+ md5_state_t md5s;
+ md5_byte_t digest[16];
+ md5_byte_t zero_fill[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+ md5_byte_t confounder[8];
+ gboolean ind;
+ GSList *ske;
+ service_key_t *sk;
+ struct des3_ctx ctx;
+
+
+ /* dont do anything if we are not attempting to decrypt data */
+ if(!krb_decrypt){
+ return NULL;
+ }
+
+ if (keytype != KEYTYPE_DES3_CBC_MD5 || service_key_list == NULL) {
+ return NULL;
+ }
+
+ decrypted_data = g_malloc(length);
+ for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
+ gboolean do_continue = FALSE;
+ sk = (service_key_t *) ske->data;
+
+ des_fix_parity(DES3_KEY_SIZE, key, sk->contents);
+
+ md5_init(&md5s);
+ memset(initial_vector, 0, DES_BLOCK_SIZE);
+ res = des3_set_key(&ctx, key);
+ cbc_decrypt(&ctx, des3_decrypt, DES_BLOCK_SIZE, initial_vector,
+ length, decrypted_data, cryptotext);
+ encr_tvb = tvb_new_real_data(decrypted_data, length, length);
+
+ tvb_memcpy(encr_tvb, confounder, 0, 8);
+
+ /* We have to pull the decrypted data length from the decrypted
+ * content. If the key doesn't match or we otherwise get garbage,
+ * an exception may get thrown while decoding the ASN.1 header.
+ * Catch it, just in case.
+ */
+ TRY {
+ id_offset = get_ber_identifier(encr_tvb, CONFOUNDER_PLUS_CHECKSUM, &cls, &pc, &tag);
+ offset = get_ber_length(tree, encr_tvb, id_offset, &item_len, &ind);
+ }
+ CATCH (BoundsError) {
+ tvb_free(encr_tvb);
+ do_continue = TRUE;
+ }
+ ENDTRY;
+
+ if (do_continue) continue;
+
+ data_len = item_len + offset - CONFOUNDER_PLUS_CHECKSUM;
+ if ((int) item_len + offset > length) {
+ tvb_free(encr_tvb);
+ continue;
+ }
+
+ md5_append(&md5s, confounder, 8);
+ md5_append(&md5s, zero_fill, 16);
+ md5_append(&md5s, decrypted_data + CONFOUNDER_PLUS_CHECKSUM, data_len);
+ md5_finish(&md5s, digest);
+
+ if (tvb_memeql (encr_tvb, 8, digest, 16) == 0) {
+g_warning("woohoo decrypted keytype:%d in frame:%u\n", keytype, pinfo->fd->num);
+ plaintext = g_malloc(data_len);
+ tvb_memcpy(encr_tvb, plaintext, CONFOUNDER_PLUS_CHECKSUM, data_len);
+ tvb_free(encr_tvb);
+
+ g_free(decrypted_data);
+ return(plaintext);
+ }
+ }
+
+ g_free(decrypted_data);
+ return NULL;
+}
+
+
+#endif /* HAVE_MIT_KERBEROS / HAVE_HEIMDAL_KERBEROS / HAVE_LIBNETTLE */
+
+
+
+/* TCP Record Mark */
+#define KRB_RM_RESERVED 0x80000000L
+#define KRB_RM_RECLEN 0x7fffffffL
+
+#define KRB5_MSG_TICKET 1 /* Ticket */
+#define KRB5_MSG_AUTHENTICATOR 2 /* Authenticator */
+#define KRB5_MSG_ENC_TICKET_PART 3 /* EncTicketPart */
+#define KRB5_MSG_AS_REQ 10 /* AS-REQ type */
+#define KRB5_MSG_AS_REP 11 /* AS-REP type */
+#define KRB5_MSG_TGS_REQ 12 /* TGS-REQ type */
+#define KRB5_MSG_TGS_REP 13 /* TGS-REP type */
+#define KRB5_MSG_AP_REQ 14 /* AP-REQ type */
+#define KRB5_MSG_AP_REP 15 /* AP-REP type */
+
+#define KRB5_MSG_SAFE 20 /* KRB-SAFE type */
+#define KRB5_MSG_PRIV 21 /* KRB-PRIV type */
+#define KRB5_MSG_CRED 22 /* KRB-CRED type */
+#define KRB5_MSG_ENC_AS_REP_PART 25 /* EncASRepPart */
+#define KRB5_MSG_ENC_TGS_REP_PART 26 /* EncTGSRepPart */
+#define KRB5_MSG_ENC_AP_REP_PART 27 /* EncAPRepPart */
+#define KRB5_MSG_ENC_KRB_PRIV_PART 28 /* EncKrbPrivPart */
+#define KRB5_MSG_ENC_KRB_CRED_PART 29 /* EncKrbCredPart */
+#define KRB5_MSG_ERROR 30 /* KRB-ERROR type */
+
+/* address type constants */
+#define KRB5_ADDR_IPv4 0x02
+#define KRB5_ADDR_CHAOS 0x05
+#define KRB5_ADDR_XEROX 0x06
+#define KRB5_ADDR_ISO 0x07
+#define KRB5_ADDR_DECNET 0x0c
+#define KRB5_ADDR_APPLETALK 0x10
+#define KRB5_ADDR_NETBIOS 0x14
+#define KRB5_ADDR_IPv6 0x18
+
+/* encryption type constants */
+#define KRB5_ENCTYPE_NULL 0
+#define KRB5_ENCTYPE_DES_CBC_CRC 1
+#define KRB5_ENCTYPE_DES_CBC_MD4 2
+#define KRB5_ENCTYPE_DES_CBC_MD5 3
+#define KRB5_ENCTYPE_DES_CBC_RAW 4
+#define KRB5_ENCTYPE_DES3_CBC_SHA 5
+#define KRB5_ENCTYPE_DES3_CBC_RAW 6
+#define KRB5_ENCTYPE_DES_HMAC_SHA1 8
+#define KRB5_ENCTYPE_DSA_SHA1_CMS 9
+#define KRB5_ENCTYPE_RSA_MD5_CMS 10
+#define KRB5_ENCTYPE_RSA_SHA1_CMS 11
+#define KRB5_ENCTYPE_RC2_CBC_ENV 12
+#define KRB5_ENCTYPE_RSA_ENV 13
+#define KRB5_ENCTYPE_RSA_ES_OEAP_ENV 14
+#define KRB5_ENCTYPE_DES_EDE3_CBC_ENV 15
+#define KRB5_ENCTYPE_DES3_CBC_SHA1 16
+#define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 17
+#define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 18
+#define KRB5_ENCTYPE_DES_CBC_MD5_NT 20
+#define KERB_ENCTYPE_RC4_HMAC 23
+#define KERB_ENCTYPE_RC4_HMAC_EXP 24
+#define KRB5_ENCTYPE_UNKNOWN 0x1ff
+#define KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 0x7007
+#define KRB5_ENCTYPE_RC4_PLAIN_EXP 0xffffff73
+#define KRB5_ENCTYPE_RC4_PLAIN 0xffffff74
+#define KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP 0xffffff78
+#define KRB5_ENCTYPE_RC4_HMAC_OLD_EXP 0xffffff79
+#define KRB5_ENCTYPE_RC4_PLAIN_OLD 0xffffff7a
+#define KRB5_ENCTYPE_RC4_HMAC_OLD 0xffffff7b
+#define KRB5_ENCTYPE_DES_PLAIN 0xffffff7c
+#define KRB5_ENCTYPE_RC4_SHA 0xffffff7d
+#define KRB5_ENCTYPE_RC4_LM 0xffffff7e
+#define KRB5_ENCTYPE_RC4_PLAIN2 0xffffff7f
+#define KRB5_ENCTYPE_RC4_MD4 0xffffff80
+
+/* checksum types */
+#define KRB5_CHKSUM_NONE 0
+#define KRB5_CHKSUM_CRC32 1
+#define KRB5_CHKSUM_MD4 2
+#define KRB5_CHKSUM_KRB_DES_MAC 4
+#define KRB5_CHKSUM_KRB_DES_MAC_K 5
+#define KRB5_CHKSUM_MD5 7
+#define KRB5_CHKSUM_MD5_DES 8
+/* the following four comes from packetcable */
+#define KRB5_CHKSUM_MD5_DES3 9
+#define KRB5_CHKSUM_HMAC_SHA1_DES3_KD 12
+#define KRB5_CHKSUM_HMAC_SHA1_DES3 13
+#define KRB5_CHKSUM_SHA1_UNKEYED 14
+#define KRB5_CHKSUM_HMAC_MD5 0xffffff76
+#define KRB5_CHKSUM_MD5_HMAC 0xffffff77
+#define KRB5_CHKSUM_RC4_MD5 0xffffff78
+#define KRB5_CHKSUM_MD25 0xffffff79
+#define KRB5_CHKSUM_DES_MAC_MD5 0xffffff7a
+#define KRB5_CHKSUM_DES_MAC 0xffffff7b
+#define KRB5_CHKSUM_REAL_CRC32 0xffffff7c
+#define KRB5_CHKSUM_SHA1 0xffffff7d
+#define KRB5_CHKSUM_LM 0xffffff7e
+#define KRB5_CHKSUM_GSSAPI 0x8003
+
+/*
+ * For KERB_ENCTYPE_RC4_HMAC and KERB_ENCTYPE_RC4_HMAC_EXP, see
+ *
+ * http://www.ietf.org/internet-drafts/draft-brezak-win2k-krb-rc4-hmac-04.txt
+ *
+ * unless it's expired.
+ */
+
+/* pre-authentication type constants */
+#define KRB5_PA_TGS_REQ 1
+#define KRB5_PA_ENC_TIMESTAMP 2
+#define KRB5_PA_PW_SALT 3
+#define KRB5_PA_ENC_ENCKEY 4
+#define KRB5_PA_ENC_UNIX_TIME 5
+#define KRB5_PA_ENC_SANDIA_SECURID 6
+#define KRB5_PA_SESAME 7
+#define KRB5_PA_OSF_DCE 8
+#define KRB5_PA_CYBERSAFE_SECUREID 9
+#define KRB5_PA_AFS3_SALT 10
+#define KRB5_PA_ENCTYPE_INFO 11
+#define KRB5_PA_SAM_CHALLENGE 12
+#define KRB5_PA_SAM_RESPONSE 13
+#define KRB5_PA_PK_AS_REQ 14
+#define KRB5_PA_PK_AS_REP 15
+#define KRB5_PA_DASS 16
+#define KRB5_PA_ENCTYPE_INFO2 19
+#define KRB5_PA_USE_SPECIFIED_KVNO 20
+#define KRB5_PA_SAM_REDIRECT 21
+#define KRB5_PA_GET_FROM_TYPED_DATA 22
+#define KRB5_PA_SAM_ETYPE_INFO 23
+#define KRB5_PA_ALT_PRINC 24
+#define KRB5_PA_SAM_CHALLENGE2 30
+#define KRB5_PA_SAM_RESPONSE2 31
+#define KRB5_TD_PKINIT_CMS_CERTIFICATES 101
+#define KRB5_TD_KRB_PRINCIPAL 102
+#define KRB5_TD_KRB_REALM 103
+#define KRB5_TD_TRUSTED_CERTIFIERS 104
+#define KRB5_TD_CERTIFICATE_INDEX 105
+#define KRB5_TD_APP_DEFINED_ERROR 106
+#define KRB5_TD_REQ_NONCE 107
+#define KRB5_TD_REQ_SEQ 108
+/* preauthentication types >127 (i.e. negative ones) are app specific.
+ hopefully there will be no collissions here or we will have to
+ come up with something better
+*/
+#define KRB5_PA_PAC_REQUEST 128 /* MS extension */
+#define KRB5_PA_PROV_SRV_LOCATION 255 /* packetcable stuff */
+
+/* Principal name-type */
+#define KRB5_NT_UNKNOWN 0
+#define KRB5_NT_PRINCIPAL 1
+#define KRB5_NT_SRV_INST 2
+#define KRB5_NT_SRV_HST 3
+#define KRB5_NT_SRV_XHST 4
+#define KRB5_NT_UID 5
+#define KRB5_NT_X500_PRINCIPAL 6
+#define KRB5_NT_SMTP_NAME 7
+#define KRB5_NT_ENTERPRISE 10
+
+/*
+ * MS specific name types, from
+ *
+ * http://msdn.microsoft.com/library/en-us/security/security/kerb_external_name.asp
+ */
+#define KRB5_NT_MS_PRINCIPAL -128
+#define KRB5_NT_MS_PRINCIPAL_AND_SID -129
+#define KRB5_NT_ENT_PRINCIPAL_AND_SID -130
+#define KRB5_NT_PRINCIPAL_AND_SID -131
+#define KRB5_NT_SRV_INST_AND_SID -132
+
+/* error table constants */
+/* I prefixed the krb5_err.et constant names with KRB5_ET_ for these */
+#define KRB5_ET_KRB5KDC_ERR_NONE 0
+#define KRB5_ET_KRB5KDC_ERR_NAME_EXP 1
+#define KRB5_ET_KRB5KDC_ERR_SERVICE_EXP 2
+#define KRB5_ET_KRB5KDC_ERR_BAD_PVNO 3
+#define KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO 4
+#define KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO 5
+#define KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN 6
+#define KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN 7
+#define KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE 8
+#define KRB5_ET_KRB5KDC_ERR_NULL_KEY 9
+#define KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE 10
+#define KRB5_ET_KRB5KDC_ERR_NEVER_VALID 11
+#define KRB5_ET_KRB5KDC_ERR_POLICY 12
+#define KRB5_ET_KRB5KDC_ERR_BADOPTION 13
+#define KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP 14
+#define KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP 15
+#define KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP 16
+#define KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP 17
+#define KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED 18
+#define KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED 19
+#define KRB5_ET_KRB5KDC_ERR_TGT_REVOKED 20
+#define KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET 21
+#define KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET 22
+#define KRB5_ET_KRB5KDC_ERR_KEY_EXP 23
+#define KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED 24
+#define KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED 25
+#define KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH 26
+#define KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER 27
+#define KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED 28
+#define KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE 29
+#define KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY 31
+#define KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED 32
+#define KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV 33
+#define KRB5_ET_KRB5KRB_AP_ERR_REPEAT 34
+#define KRB5_ET_KRB5KRB_AP_ERR_NOT_US 35
+#define KRB5_ET_KRB5KRB_AP_ERR_BADMATCH 36
+#define KRB5_ET_KRB5KRB_AP_ERR_SKEW 37
+#define KRB5_ET_KRB5KRB_AP_ERR_BADADDR 38
+#define KRB5_ET_KRB5KRB_AP_ERR_BADVERSION 39
+#define KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE 40
+#define KRB5_ET_KRB5KRB_AP_ERR_MODIFIED 41
+#define KRB5_ET_KRB5KRB_AP_ERR_BADORDER 42
+#define KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT 43
+#define KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER 44
+#define KRB5_ET_KRB5KRB_AP_ERR_NOKEY 45
+#define KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL 46
+#define KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION 47
+#define KRB5_ET_KRB5KRB_AP_ERR_METHOD 48
+#define KRB5_ET_KRB5KRB_AP_ERR_BADSEQ 49
+#define KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM 50
+#define KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED 51
+#define KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG 52
+#define KRB5_ET_KRB5KRB_ERR_GENERIC 60
+#define KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG 61
+#define KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED 62
+#define KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED 63
+#define KRB5_ET_KDC_ERROR_INVALID_SIG 64
+#define KRB5_ET_KDC_ERR_KEY_TOO_WEAK 65
+#define KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH 66
+#define KRB5_ET_KRB_AP_ERR_NO_TGT 67
+#define KRB5_ET_KDC_ERR_WRONG_REALM 68
+#define KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED 69
+#define KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE 70
+#define KRB5_ET_KDC_ERR_INVALID_CERTIFICATE 71
+#define KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE 72
+#define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN 73
+#define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74
+#define KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH 75
+#define KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH 76
+
+static const value_string krb5_error_codes[] = {
+ { KRB5_ET_KRB5KDC_ERR_NONE, "KRB5KDC_ERR_NONE" },
+ { KRB5_ET_KRB5KDC_ERR_NAME_EXP, "KRB5KDC_ERR_NAME_EXP" },
+ { KRB5_ET_KRB5KDC_ERR_SERVICE_EXP, "KRB5KDC_ERR_SERVICE_EXP" },
+ { KRB5_ET_KRB5KDC_ERR_BAD_PVNO, "KRB5KDC_ERR_BAD_PVNO" },
+ { KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO, "KRB5KDC_ERR_C_OLD_MAST_KVNO" },
+ { KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO, "KRB5KDC_ERR_S_OLD_MAST_KVNO" },
+ { KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" },
+ { KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" },
+ { KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, "KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE" },
+ { KRB5_ET_KRB5KDC_ERR_NULL_KEY, "KRB5KDC_ERR_NULL_KEY" },
+ { KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE, "KRB5KDC_ERR_CANNOT_POSTDATE" },
+ { KRB5_ET_KRB5KDC_ERR_NEVER_VALID, "KRB5KDC_ERR_NEVER_VALID" },
+ { KRB5_ET_KRB5KDC_ERR_POLICY, "KRB5KDC_ERR_POLICY" },
+ { KRB5_ET_KRB5KDC_ERR_BADOPTION, "KRB5KDC_ERR_BADOPTION" },
+ { KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP, "KRB5KDC_ERR_ETYPE_NOSUPP" },
+ { KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP, "KRB5KDC_ERR_SUMTYPE_NOSUPP" },
+ { KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP, "KRB5KDC_ERR_PADATA_TYPE_NOSUPP" },
+ { KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP, "KRB5KDC_ERR_TRTYPE_NOSUPP" },
+ { KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED, "KRB5KDC_ERR_CLIENT_REVOKED" },
+ { KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED, "KRB5KDC_ERR_SERVICE_REVOKED" },
+ { KRB5_ET_KRB5KDC_ERR_TGT_REVOKED, "KRB5KDC_ERR_TGT_REVOKED" },
+ { KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET, "KRB5KDC_ERR_CLIENT_NOTYET" },
+ { KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET, "KRB5KDC_ERR_SERVICE_NOTYET" },
+ { KRB5_ET_KRB5KDC_ERR_KEY_EXP, "KRB5KDC_ERR_KEY_EXP" },
+ { KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED, "KRB5KDC_ERR_PREAUTH_FAILED" },
+ { KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED, "KRB5KDC_ERR_PREAUTH_REQUIRED" },
+ { KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH, "KRB5KDC_ERR_SERVER_NOMATCH" },
+ { KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER, "KRB5KDC_ERR_MUST_USE_USER2USER" },
+ { KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED, "KRB5KDC_ERR_PATH_NOT_ACCEPTED" },
+ { KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE, "KRB5KDC_ERR_SVC_UNAVAILABLE" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY, "KRB5KRB_AP_ERR_BAD_INTEGRITY" },
+ { KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED, "KRB5KRB_AP_ERR_TKT_EXPIRED" },
+ { KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV, "KRB5KRB_AP_ERR_TKT_NYV" },
+ { KRB5_ET_KRB5KRB_AP_ERR_REPEAT, "KRB5KRB_AP_ERR_REPEAT" },
+ { KRB5_ET_KRB5KRB_AP_ERR_NOT_US, "KRB5KRB_AP_ERR_NOT_US" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADMATCH, "KRB5KRB_AP_ERR_BADMATCH" },
+ { KRB5_ET_KRB5KRB_AP_ERR_SKEW, "KRB5KRB_AP_ERR_SKEW" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADADDR, "KRB5KRB_AP_ERR_BADADDR" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADVERSION, "KRB5KRB_AP_ERR_BADVERSION" },
+ { KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE, "KRB5KRB_AP_ERR_MSG_TYPE" },
+ { KRB5_ET_KRB5KRB_AP_ERR_MODIFIED, "KRB5KRB_AP_ERR_MODIFIED" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADORDER, "KRB5KRB_AP_ERR_BADORDER" },
+ { KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT, "KRB5KRB_AP_ERR_ILL_CR_TKT" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER, "KRB5KRB_AP_ERR_BADKEYVER" },
+ { KRB5_ET_KRB5KRB_AP_ERR_NOKEY, "KRB5KRB_AP_ERR_NOKEY" },
+ { KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL, "KRB5KRB_AP_ERR_MUT_FAIL" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION, "KRB5KRB_AP_ERR_BADDIRECTION" },
+ { KRB5_ET_KRB5KRB_AP_ERR_METHOD, "KRB5KRB_AP_ERR_METHOD" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADSEQ, "KRB5KRB_AP_ERR_BADSEQ" },
+ { KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM, "KRB5KRB_AP_ERR_INAPP_CKSUM" },
+ { KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED, "KRB5KDC_AP_PATH_NOT_ACCEPTED" },
+ { KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG, "KRB5KRB_ERR_RESPONSE_TOO_BIG"},
+ { KRB5_ET_KRB5KRB_ERR_GENERIC, "KRB5KRB_ERR_GENERIC" },
+ { KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG, "KRB5KRB_ERR_FIELD_TOOLONG" },
+ { KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED, "KDC_ERROR_CLIENT_NOT_TRUSTED" },
+ { KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED, "KDC_ERROR_KDC_NOT_TRUSTED" },
+ { KRB5_ET_KDC_ERROR_INVALID_SIG, "KDC_ERROR_INVALID_SIG" },
+ { KRB5_ET_KDC_ERR_KEY_TOO_WEAK, "KDC_ERR_KEY_TOO_WEAK" },
+ { KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH, "KDC_ERR_CERTIFICATE_MISMATCH" },
+ { KRB5_ET_KRB_AP_ERR_NO_TGT, "KRB_AP_ERR_NO_TGT" },
+ { KRB5_ET_KDC_ERR_WRONG_REALM, "KDC_ERR_WRONG_REALM" },
+ { KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED, "KRB_AP_ERR_USER_TO_USER_REQUIRED" },
+ { KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE, "KDC_ERR_CANT_VERIFY_CERTIFICATE" },
+ { KRB5_ET_KDC_ERR_INVALID_CERTIFICATE, "KDC_ERR_INVALID_CERTIFICATE" },
+ { KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE, "KDC_ERR_REVOKED_CERTIFICATE" },
+ { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN, "KDC_ERR_REVOCATION_STATUS_UNKNOWN" },
+ { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE, "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE" },
+ { KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH, "KDC_ERR_CLIENT_NAME_MISMATCH" },
+ { KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH, "KDC_ERR_KDC_NAME_MISMATCH" },
+ { 0, NULL }
+};
+
+
+#define PAC_LOGON_INFO 1
+#define PAC_CREDENTIAL_TYPE 2
+#define PAC_SERVER_CHECKSUM 6
+#define PAC_PRIVSVR_CHECKSUM 7
+#define PAC_CLIENT_INFO_TYPE 10
+#define PAC_CONSTRAINED_DELEGATION 11
+static const value_string w2k_pac_types[] = {
+ { PAC_LOGON_INFO , "Logon Info" },
+ { PAC_CREDENTIAL_TYPE , "Credential Type" },
+ { PAC_SERVER_CHECKSUM , "Server Checksum" },
+ { PAC_PRIVSVR_CHECKSUM , "Privsvr Checksum" },
+ { PAC_CLIENT_INFO_TYPE , "Client Info Type" },
+ { PAC_CONSTRAINED_DELEGATION, "Constrained Delegation" },
+ { 0, NULL },
+};
+
+
+
+static const value_string krb5_princ_types[] = {
+ { KRB5_NT_UNKNOWN , "Unknown" },
+ { KRB5_NT_PRINCIPAL , "Principal" },
+ { KRB5_NT_SRV_INST , "Service and Instance" },
+ { KRB5_NT_SRV_HST , "Service and Host" },
+ { KRB5_NT_SRV_XHST , "Service and Host Components" },
+ { KRB5_NT_UID , "Unique ID" },
+ { KRB5_NT_X500_PRINCIPAL , "Encoded X.509 Distinguished Name" },
+ { KRB5_NT_SMTP_NAME , "SMTP Name" },
+ { KRB5_NT_ENTERPRISE , "Enterprise Name" },
+ { KRB5_NT_MS_PRINCIPAL , "NT 4.0 style name (MS specific)" },
+ { KRB5_NT_MS_PRINCIPAL_AND_SID , "NT 4.0 style name with SID (MS specific)"},
+ { KRB5_NT_ENT_PRINCIPAL_AND_SID, "UPN and SID (MS specific)"},
+ { KRB5_NT_PRINCIPAL_AND_SID , "Principal name and SID (MS specific)"},
+ { KRB5_NT_SRV_INST_AND_SID , "SPN and SID (MS specific)"},
+ { 0 , NULL },
+};
+
+static const value_string krb5_preauthentication_types[] = {
+ { KRB5_PA_TGS_REQ , "PA-TGS-REQ" },
+ { KRB5_PA_ENC_TIMESTAMP , "PA-ENC-TIMESTAMP" },
+ { KRB5_PA_PW_SALT , "PA-PW-SALT" },
+ { KRB5_PA_ENC_ENCKEY , "PA-ENC-ENCKEY" },
+ { KRB5_PA_ENC_UNIX_TIME , "PA-ENC-UNIX-TIME" },
+ { KRB5_PA_ENC_SANDIA_SECURID , "PA-PW-SALT" },
+ { KRB5_PA_SESAME , "PA-SESAME" },
+ { KRB5_PA_OSF_DCE , "PA-OSF-DCE" },
+ { KRB5_PA_CYBERSAFE_SECUREID , "PA-CYBERSAFE-SECURID" },
+ { KRB5_PA_AFS3_SALT , "PA-AFS3-SALT" },
+ { KRB5_PA_ENCTYPE_INFO , "PA-ENCTYPE-INFO" },
+ { KRB5_PA_ENCTYPE_INFO2 , "PA-ENCTYPE-INFO2" },
+ { KRB5_PA_SAM_CHALLENGE , "PA-SAM-CHALLENGE" },
+ { KRB5_PA_SAM_RESPONSE , "PA-SAM-RESPONSE" },
+ { KRB5_PA_PK_AS_REQ , "PA-PK-AS-REQ" },
+ { KRB5_PA_PK_AS_REP , "PA-PK-AS-REP" },
+ { KRB5_PA_DASS , "PA-DASS" },
+ { KRB5_PA_USE_SPECIFIED_KVNO , "PA-USE-SPECIFIED-KVNO" },
+ { KRB5_PA_SAM_REDIRECT , "PA-SAM-REDIRECT" },
+ { KRB5_PA_GET_FROM_TYPED_DATA , "PA-GET-FROM-TYPED-DATA" },
+ { KRB5_PA_SAM_ETYPE_INFO , "PA-SAM-ETYPE-INFO" },
+ { KRB5_PA_ALT_PRINC , "PA-ALT-PRINC" },
+ { KRB5_PA_SAM_CHALLENGE2 , "PA-SAM-CHALLENGE2" },
+ { KRB5_PA_SAM_RESPONSE2 , "PA-SAM-RESPONSE2" },
+ { KRB5_TD_PKINIT_CMS_CERTIFICATES, "TD-PKINIT-CMS-CERTIFICATES" },
+ { KRB5_TD_KRB_PRINCIPAL , "TD-KRB-PRINCIPAL" },
+ { KRB5_TD_KRB_REALM , "TD-KRB-REALM" },
+ { KRB5_TD_TRUSTED_CERTIFIERS , "TD-TRUSTED-CERTIFIERS" },
+ { KRB5_TD_CERTIFICATE_INDEX , "TD-CERTIFICATE-INDEX" },
+ { KRB5_TD_APP_DEFINED_ERROR , "TD-APP-DEFINED-ERROR" },
+ { KRB5_TD_REQ_NONCE , "TD-REQ-NONCE" },
+ { KRB5_TD_REQ_SEQ , "TD-REQ-SEQ" },
+ { KRB5_PA_PAC_REQUEST , "PA-PAC-REQUEST" },
+ { KRB5_PA_PROV_SRV_LOCATION , "PA-PROV-SRV-LOCATION" },
+ { 0 , NULL },
+};
+
+static const value_string krb5_encryption_types[] = {
+ { KRB5_ENCTYPE_NULL , "NULL" },
+ { KRB5_ENCTYPE_DES_CBC_CRC , "des-cbc-crc" },
+ { KRB5_ENCTYPE_DES_CBC_MD4 , "des-cbc-md4" },
+ { KRB5_ENCTYPE_DES_CBC_MD5 , "des-cbc-md5" },
+ { KRB5_ENCTYPE_DES_CBC_RAW , "des-cbc-raw" },
+ { KRB5_ENCTYPE_DES3_CBC_SHA , "des3-cbc-sha" },
+ { KRB5_ENCTYPE_DES3_CBC_RAW , "des3-cbc-raw" },
+ { KRB5_ENCTYPE_DES_HMAC_SHA1 , "des-hmac-sha1" },
+ { KRB5_ENCTYPE_DSA_SHA1_CMS , "dsa-sha1-cms" },
+ { KRB5_ENCTYPE_RSA_MD5_CMS , "rsa-md5-cms" },
+ { KRB5_ENCTYPE_RSA_SHA1_CMS , "rsa-sha1-cms" },
+ { KRB5_ENCTYPE_RC2_CBC_ENV , "rc2-cbc-env" },
+ { KRB5_ENCTYPE_RSA_ENV , "rsa-env" },
+ { KRB5_ENCTYPE_RSA_ES_OEAP_ENV, "rsa-es-oeap-env" },
+ { KRB5_ENCTYPE_DES_EDE3_CBC_ENV, "des-ede3-cbc-env" },
+ { KRB5_ENCTYPE_DES3_CBC_SHA1 , "des3-cbc-sha1" },
+ { KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 , "aes128-cts-hmac-sha1-96" },
+ { KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 , "aes256-cts-hmac-sha1-96" },
+ { KRB5_ENCTYPE_DES_CBC_MD5_NT , "des-cbc-md5-nt" },
+ { KERB_ENCTYPE_RC4_HMAC , "rc4-hmac" },
+ { KERB_ENCTYPE_RC4_HMAC_EXP , "rc4-hmac-exp" },
+ { KRB5_ENCTYPE_UNKNOWN , "unknown" },
+ { KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 , "local-des3-hmac-sha1" },
+ { KRB5_ENCTYPE_RC4_PLAIN_EXP , "rc4-plain-exp" },
+ { KRB5_ENCTYPE_RC4_PLAIN , "rc4-plain" },
+ { KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP, "rc4-plain-old-exp" },
+ { KRB5_ENCTYPE_RC4_HMAC_OLD_EXP, "rc4-hmac-old-exp" },
+ { KRB5_ENCTYPE_RC4_PLAIN_OLD , "rc4-plain-old" },
+ { KRB5_ENCTYPE_RC4_HMAC_OLD , "rc4-hmac-old" },
+ { KRB5_ENCTYPE_DES_PLAIN , "des-plain" },
+ { KRB5_ENCTYPE_RC4_SHA , "rc4-sha" },
+ { KRB5_ENCTYPE_RC4_LM , "rc4-lm" },
+ { KRB5_ENCTYPE_RC4_PLAIN2 , "rc4-plain2" },
+ { KRB5_ENCTYPE_RC4_MD4 , "rc4-md4" },
+ { 0 , NULL },
+};
+
+static const value_string krb5_checksum_types[] = {
+ { KRB5_CHKSUM_NONE , "none" },
+ { KRB5_CHKSUM_CRC32 , "crc32" },
+ { KRB5_CHKSUM_MD4 , "md4" },
+ { KRB5_CHKSUM_KRB_DES_MAC , "krb-des-mac" },
+ { KRB5_CHKSUM_KRB_DES_MAC_K , "krb-des-mac-k" },
+ { KRB5_CHKSUM_MD5 , "md5" },
+ { KRB5_CHKSUM_MD5_DES , "md5-des" },
+ { KRB5_CHKSUM_MD5_DES3 , "md5-des3" },
+ { KRB5_CHKSUM_HMAC_SHA1_DES3_KD, "hmac-sha1-des3-kd" },
+ { KRB5_CHKSUM_HMAC_SHA1_DES3 , "hmac-sha1-des3" },
+ { KRB5_CHKSUM_SHA1_UNKEYED , "sha1 (unkeyed)" },
+ { KRB5_CHKSUM_HMAC_MD5 , "hmac-md5" },
+ { KRB5_CHKSUM_MD5_HMAC , "md5-hmac" },
+ { KRB5_CHKSUM_RC4_MD5 , "rc5-md5" },
+ { KRB5_CHKSUM_MD25 , "md25" },
+ { KRB5_CHKSUM_DES_MAC_MD5 , "des-mac-md5" },
+ { KRB5_CHKSUM_DES_MAC , "des-mac" },
+ { KRB5_CHKSUM_REAL_CRC32 , "real-crc32" },
+ { KRB5_CHKSUM_SHA1 , "sha1" },
+ { KRB5_CHKSUM_LM , "lm" },
+ { KRB5_CHKSUM_GSSAPI , "gssapi-8003" },
+ { 0 , NULL },
+};
+
+#define KRB5_AD_IF_RELEVANT 1
+#define KRB5_AD_INTENDED_FOR_SERVER 2
+#define KRB5_AD_INTENDED_FOR_APPLICATION_CLASS 3
+#define KRB5_AD_KDC_ISSUED 4
+#define KRB5_AD_OR 5
+#define KRB5_AD_MANDATORY_TICKET_EXTENSIONS 6
+#define KRB5_AD_IN_TICKET_EXTENSIONS 7
+#define KRB5_AD_MANDATORY_FOR_KDC 8
+#define KRB5_AD_OSF_DCE 64
+#define KRB5_AD_SESAME 65
+#define KRB5_AD_OSF_DCE_PKI_CERTID 66
+#define KRB5_AD_WIN2K_PAC 128
+static const value_string krb5_ad_types[] = {
+ { KRB5_AD_IF_RELEVANT , "AD-IF-RELEVANT" },
+ { KRB5_AD_INTENDED_FOR_SERVER , "AD-Intended-For-Server" },
+ { KRB5_AD_INTENDED_FOR_APPLICATION_CLASS , "AD-Intended-For-Application-Class" },
+ { KRB5_AD_KDC_ISSUED , "AD-KDCIssued" },
+ { KRB5_AD_OR , "AD-AND-OR" },
+ { KRB5_AD_MANDATORY_TICKET_EXTENSIONS , "AD-Mandatory-Ticket-Extensions" },
+ { KRB5_AD_IN_TICKET_EXTENSIONS , "AD-IN-Ticket-Extensions" },
+ { KRB5_AD_MANDATORY_FOR_KDC , "AD-MANDATORY-FOR-KDC" },
+ { KRB5_AD_OSF_DCE , "AD-OSF-DCE" },
+ { KRB5_AD_SESAME , "AD-SESAME" },
+ { KRB5_AD_OSF_DCE_PKI_CERTID , "AD-OSF-DCE-PKI-CertID" },
+ { KRB5_AD_WIN2K_PAC , "AD-Win2k-PAC" },
+ { 0 , NULL },
+};
+
+static const value_string krb5_transited_types[] = {
+ { 1 , "DOMAIN-X500-COMPRESS" },
+ { 0 , NULL }
+};
+
+static const value_string krb5_address_types[] = {
+ { KRB5_ADDR_IPv4, "IPv4"},
+ { KRB5_ADDR_CHAOS, "CHAOS"},
+ { KRB5_ADDR_XEROX, "XEROX"},
+ { KRB5_ADDR_ISO, "ISO"},
+ { KRB5_ADDR_DECNET, "DECNET"},
+ { KRB5_ADDR_APPLETALK, "APPLETALK"},
+ { KRB5_ADDR_NETBIOS, "NETBIOS"},
+ { KRB5_ADDR_IPv6, "IPv6"},
+ { 0, NULL },
+};
+
+static const value_string krb5_msg_types[] = {
+ { KRB5_MSG_TICKET, "Ticket" },
+ { KRB5_MSG_AUTHENTICATOR, "Authenticator" },
+ { KRB5_MSG_ENC_TICKET_PART, "EncTicketPart" },
+ { KRB5_MSG_TGS_REQ, "TGS-REQ" },
+ { KRB5_MSG_TGS_REP, "TGS-REP" },
+ { KRB5_MSG_AS_REQ, "AS-REQ" },
+ { KRB5_MSG_AS_REP, "AS-REP" },
+ { KRB5_MSG_AP_REQ, "AP-REQ" },
+ { KRB5_MSG_AP_REP, "AP-REP" },
+ { KRB5_MSG_SAFE, "KRB-SAFE" },
+ { KRB5_MSG_PRIV, "KRB-PRIV" },
+ { KRB5_MSG_CRED, "KRB-CRED" },
+ { KRB5_MSG_ENC_AS_REP_PART, "EncASRepPart" },
+ { KRB5_MSG_ENC_TGS_REP_PART, "EncTGSRepPart" },
+ { KRB5_MSG_ENC_AP_REP_PART, "EncAPRepPart" },
+ { KRB5_MSG_ENC_KRB_PRIV_PART, "EncKrbPrivPart" },
+ { KRB5_MSG_ENC_KRB_CRED_PART, "EncKrbCredPart" },
+ { KRB5_MSG_ERROR, "KRB-ERROR" },
+ { 0, NULL },
+};
+
+#ifdef HAVE_KERBEROS
+static int
+dissect_krb5_decrypt_authenticator_data (proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+ guint8 *plaintext=NULL;
+ int length;
+
+ length=tvb_length_remaining(tvb, offset);
+
+ /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
+ * 7.5.1
+ * Authenticators are encrypted with usage
+ * == 7 or
+ * == 11
+ */
+ if(!plaintext){
+ plaintext=decrypt_krb5_data(tree, actx->pinfo, 7, length, tvb_get_ptr(tvb, offset, length), authenticator_etype);
+ }
+ if(!plaintext){
+ plaintext=decrypt_krb5_data(tree, actx->pinfo, 11, length, tvb_get_ptr(tvb, offset, length), authenticator_etype);
+ }
+
+ if(plaintext){
+ tvbuff_t *next_tvb;
+ next_tvb = tvb_new_real_data (plaintext,
+ length,
+ length);
+ tvb_set_free_cb(next_tvb, g_free);
+ tvb_set_child_real_data_tvbuff(tvb, next_tvb);
+
+ /* Add the decrypted data to the data source list. */
+ add_new_data_source(actx->pinfo, next_tvb, "Decrypted Krb5");
+
+ dissect_kerberos_Applications(FALSE, next_tvb, 0, actx, tree, -1)
+ }
+ return offset;
+}
+#endif
+
+#include "packet-kerberos-fn.c"
+
+
+
+}
+/*--- proto_register_kerberos -------------------------------------------*/
+void proto_register_kerberos(void) {
+
+ /* List of fields */
+
+
+#include "packet-kerberos-hfarr.c"
+ };
+
+ /* List of subtrees */
+ static gint *ett[] = {
+ &ett_kerberos,
+#include "packet-kerberos-ettarr.c"
+ };
+
+
+ /* Register protocol */
+ proto_kerberos = proto_register_protocol(PNAME, PSNAME, PFNAME);
+ /* Register fields and subtrees */
+ proto_register_field_array(proto_kerberos, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+
+
+ register_dissector("kerberos", dissect_kerberos, proto_kerberos);
+ /* Register preferences */
+ krb_module = prefs_register_protocol(proto_kerberos, kerberos_prefs_apply_cb);
+ prefs_register_bool_preference(krb_module, "desegment",
+ "Reassemble Kerberos over TCP messages spanning multiple TCP segments",
+ "Whether the Kerberos dissector should reassemble messages spanning multiple TCP segments."
+ " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
+ &krb_desegment);
+#ifdef HAVE_KERBEROS
+ prefs_register_bool_preference(krb_module, "decrypt",
+ "Try to decrypt Kerberos blobs",
+ "Whether the dissector should try to decrypt "
+ "encrypted Kerberos blobs. This requires that the proper "
+ "keytab file is installed as well.", &krb_decrypt);
+
+ prefs_register_string_preference(krb_module, "file",
+ "Kerberos keytab file",
+ "The keytab file containing all the secrets",
+ &keytab_filename);
+#endif
+
+}
+static int wrap_dissect_gss_kerb(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep _U_)
+{
+ tvbuff_t *auth_tvb;
+
+ auth_tvb = tvb_new_subset(
+ tvb, offset, tvb_length_remaining(tvb, offset),
+ tvb_reported_length_remaining(tvb, offset));
+
+ dissect_kerberos_main(auth_tvb, pinfo, tree, FALSE, NULL);
+
+ return tvb_length_remaining(tvb, offset);
+}
+
+
+static dcerpc_auth_subdissector_fns gss_kerb_auth_fns = {
+ wrap_dissect_gss_kerb, /* Bind */
+ wrap_dissect_gss_kerb, /* Bind ACK */
+ NULL, /* AUTH3 */
+ wrap_dissect_gssapi_verf, /* Request verifier */
+ wrap_dissect_gssapi_verf, /* Response verifier */
+ wrap_dissect_gssapi_payload, /* Request data */
+ wrap_dissect_gssapi_payload /* Response data */
+};
+
+
+
+/*--- proto_reg_handoff_kerberos ---------------------------------------*/
+void
+proto_reg_handoff_kerberos(void)
+{
+
+ dissector_handle_t kerberos_handle_tcp;
+
+ krb4_handle = find_dissector("krb4");
+
+ kerberos_handle_udp = new_create_dissector_handle(dissect_kerberos_udp,
+ proto_kerberos);
+ kerberos_handle_tcp = create_dissector_handle(dissect_kerberos_tcp,
+ proto_kerberos);
+ dissector_add("udp.port", UDP_PORT_KERBEROS, kerberos_handle_udp);
+ dissector_add("tcp.port", TCP_PORT_KERBEROS, kerberos_handle_tcp);
+
+ register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
+ DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
+ &gss_kerb_auth_fns);
+
+ register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
+ DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
+ &gss_kerb_auth_fns);
+
+}
+
+
diff --git a/asn1/kerberos/packet-kerberos-template.h b/asn1/kerberos/packet-kerberos-template.h
new file mode 100644
index 0000000000..d9397696a8
--- /dev/null
+++ b/asn1/kerberos/packet-kerberos-template.h
@@ -0,0 +1,35 @@
+/* packet-kerberos.h
+ * Routines for kerberos packet dissection
+ * Copyright 2007, Anders Broman <anders.broman@ericsson.com>
+ *
+ * $Id$
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs <gerald@ethereal.com>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifndef PACKET_KERBEROS_H
+#define PACKET_ROS_H
+
+
+
+#include "packet-kerberos-exp.h"
+
+#endif /* PACKET_KERBEROS_H */
+
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-24 03:03:18 +0000