authorMichael Mann <mmann78@netscape.net>2016-09-24 08:29:07 -0400
committerAnders Broman <a.broman58@gmail.com>2017-11-14 20:20:22 +0000
commit5d1328c5285e1cd3f4e1620dd33babda47bafe92 (patch)
tree31ebc8bf6e36849df2d101c04d4266c9c6e2c7e0 /epan/dissectors/asn1
parent27011d312343a0dac06736087d1a94ffd7ab763e (diff)
Kerberos - Add support for RFC 6113
Bug: 8974 Change-Id: I43998a64fc34dfeb1c0a8d702d5bdc5aa74d57de Reviewed-on: https://code.wireshark.org/review/17879 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/dissectors/asn1')
-rw-r--r--epan/dissectors/asn1/kerberos/CMakeLists.txt1
-rw-r--r--epan/dissectors/asn1/kerberos/Makefile.am3
-rw-r--r--epan/dissectors/asn1/kerberos/RFC6113.asn124
-rw-r--r--epan/dissectors/asn1/kerberos/k5.asn58
-rw-r--r--epan/dissectors/asn1/kerberos/kerberos.cnf50
-rw-r--r--epan/dissectors/asn1/kerberos/packet-kerberos-template.c26
6 files changed, 238 insertions, 24 deletions
diff --git a/epan/dissectors/asn1/kerberos/CMakeLists.txt b/epan/dissectors/asn1/kerberos/CMakeLists.txt
index 3e1bd82309..dd862ee356 100644
--- a/epan/dissectors/asn1/kerberos/CMakeLists.txt
+++ b/epan/dissectors/asn1/kerberos/CMakeLists.txt
@@ -34,6 +34,7 @@ set( ASN_FILE_LIST
KerberosV5Spec2.asn
k5.asn
RFC3244.asn
+ RFC6113.asn
)
set( EXTRA_DIST
diff --git a/epan/dissectors/asn1/kerberos/Makefile.am b/epan/dissectors/asn1/kerberos/Makefile.am
index ff7b2558e0..3c0db504a0 100644
--- a/epan/dissectors/asn1/kerberos/Makefile.am
+++ b/epan/dissectors/asn1/kerberos/Makefile.am
@@ -28,7 +28,8 @@ EXT_ASN_FILE_LIST =
ASN_FILE_LIST = \
KerberosV5Spec2.asn \
k5.asn \
- RFC3244.asn
+ RFC3244.asn \
+ RFC6113.asn
EXTRA_DIST = \
$(EXTRA_DIST_COMMON) \
diff --git a/epan/dissectors/asn1/kerberos/RFC6113.asn b/epan/dissectors/asn1/kerberos/RFC6113.asn
new file mode 100644
index 0000000000..10a3d7ddc6
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/RFC6113.asn
@@ -0,0 +1,124 @@
+-- Extracted from RFC 6113
+
+KerberosPreauthFramework {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2) modules(4) preauth-framework(3)
+} DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+IMPORTS
+ KerberosTime, PrincipalName, Realm, EncryptionKey, Checksum,
+ Int32, EncryptedData, PA-ENC-TS-ENC, PA-DATA, KDC-REQ-BODY,
+ Microseconds, KerberosFlags, UInt32
+ FROM KerberosV5Spec2 { iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) kerberosV5(2)
+ modules(4) krb5spec2(2) };
+ -- as defined in RFC 4120.
+
+PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM
+
+PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE {
+ pa-type [0] Int32,
+ -- same as padata-type.
+ pa-hint [1] OCTET STRING OPTIONAL,
+ pa-value [2] OCTET STRING OPTIONAL,
+ ...
+}
+
+KrbFastArmor ::= SEQUENCE {
+ armor-type [0] Int32,
+ -- Type of the armor.
+ armor-value [1] OCTET STRING,
+ -- Value of the armor.
+ ...
+}
+
+PA-FX-FAST-REQUEST ::= CHOICE {
+ armored-data [0] KrbFastArmoredReq,
+ ...
+}
+
+KrbFastArmoredReq ::= SEQUENCE {
+ armor [0] KrbFastArmor OPTIONAL,
+ -- Contains the armor that identifies the armor key.
+ -- MUST be present in AS-REQ.
+ req-checksum [1] Checksum,
+ -- For AS, contains the checksum performed over the type
+ -- KDC-REQ-BODY for the req-body field of the KDC-REQ
+ -- structure;
+ -- For TGS, contains the checksum performed over the type
+ -- AP-REQ in the PA-TGS-REQ padata.
+ -- The checksum key is the armor key, the checksum
+ -- type is the required checksum type for the enctype of
+ -- the armor key, and the key usage number is
+ -- KEY_USAGE_FAST_REQ_CHKSUM.
+ enc-fast-req [2] EncryptedData, -- KrbFastReq --
+ -- The encryption key is the armor key, and the key usage
+ -- number is KEY_USAGE_FAST_ENC.
+ ...
+}
+
+KrbFastReq ::= SEQUENCE {
+ fast-options [0] FastOptions,
+ -- Additional options.
+ padata [1] SEQUENCE OF PA-DATA,
+ -- padata typed holes.
+ req-body [2] KDC-REQ-BODY,
+ -- Contains the KDC request body as defined in Section
+ -- 5.4.1 of [RFC4120].
+ -- This req-body field is preferred over the outer field
+ -- in the KDC request.
+ ...
+}
+
+FastOptions ::= KerberosFlags
+ -- reserved(0),
+ -- hide-client-names(1),
+ -- kdc-follow-referrals(16)
+
+PA-FX-FAST-REPLY ::= CHOICE {
+ armored-data [0] KrbFastArmoredRep,
+ ...
+}
+
+KrbFastArmoredRep ::= SEQUENCE {
+ enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
+ -- The encryption key is the armor key in the request, and
+ -- the key usage number is KEY_USAGE_FAST_REP.
+ ...
+}
+
+KrbFastResponse ::= SEQUENCE {
+ padata [0] SEQUENCE OF PA-DATA,
+ -- padata typed holes.
+ strengthen-key [1] EncryptionKey OPTIONAL,
+ -- This, if present, strengthens the reply key for AS and
+ -- TGS. MUST be present for TGS
+ -- MUST be absent in KRB-ERROR.
+ finished [2] KrbFastFinished OPTIONAL,
+ -- Present in AS or TGS reply; absent otherwise.
+ nonce [3] UInt32,
+ -- Nonce from the client request.
+ ...
+}
+
+KrbFastFinished ::= SEQUENCE {
+ timestamp [0] KerberosTime,
+ usec [1] Microseconds,
+ -- timestamp and usec represent the time on the KDC when
+ -- the reply was generated.
+ crealm [2] Realm,
+ cname [3] PrincipalName,
+ -- Contains the client realm and the client name.
+ ticket-checksum [4] Checksum,
+ -- checksum of the ticket in the KDC-REP using the armor
+ -- and the key usage is KEY_USAGE_FAST_FINISH.
+ -- The checksum type is the required checksum type
+ -- of the armor key.
+ ...
+}
+
+EncryptedChallenge ::= EncryptedData
+ -- Encrypted PA-ENC-TS-ENC, encrypted in the challenge key
+ -- using key usage KEY_USAGE_ENC_CHALLENGE_CLIENT for the
+ -- client and KEY_USAGE_ENC_CHALLENGE_KDC for the KDC.
+END
diff --git a/epan/dissectors/asn1/kerberos/k5.asn b/epan/dissectors/asn1/kerberos/k5.asn
index ea4e47a371..a74bc62884 100644
--- a/epan/dissectors/asn1/kerberos/k5.asn
+++ b/epan/dissectors/asn1/kerberos/k5.asn
@@ -14,9 +14,16 @@ NAME-TYPE ::= INTEGER {
kRB5-NT-X500-PRINCIPAL(6), -- PKINIT
kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name
kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN
+ kRB5-NT-WELLKNOWN(11), -- Wellknown
+ kRB5-NT-SRV-HST-DOMAIN(12), -- Domain based service with host name as instance (RFC5179)
kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID
kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name
- kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID
+ kRB5-NT-MS-PRINCIPAL-AND-ID(-129), -- NT style name and SID
+ kRB5-NT-NTLM(-1200), -- NTLM name, realm is domain
+ kRB5-NT-X509-GENERAL-NAME(-1201), -- x509 general name (base64 encoded)
+ kRB5-NT-GSS-HOSTBASED-SERVICE(-1202), -- not used; remove
+ kRB5-NT-CACHE-UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache
+ kRB5-NT-SRV-HST-NEEDS-CANON (-195894762) -- Internal: indicates that name canonicalization is needed
}
-- message types
@@ -37,10 +44,11 @@ MESSAGE-TYPE ::= INTEGER {
-- pa-data types
+
PADATA-TYPE ::= INTEGER {
kRB5-PADATA-NONE(0),
kRB5-PADATA-TGS-REQ(1),
--- kRB5-PADATA-AP-REQ(1),
+ kRB5-PADATA-AP-REQ(1),
kRB5-PADATA-ENC-TIMESTAMP(2),
kRB5-PADATA-PW-SALT(3),
kRB5-PADATA-ENC-UNIX-TIME(5),
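Review bot: Un-commenting `kRB5-PADATA-AP-REQ(1)` directly under `kRB5-PADATA-TGS-REQ(1)` gives PADATA-TYPE two names for the value 1. ASN.1 named-number lists are expected to use distinct values, and a value-to-name table generated from this list can only ever display one of the two, so the second name is presumably dead. The same pattern appears in a later hunk of this file, where `kRB5-PADATA-AS-CHECKSUM(132)` is added next to `kRB5-PADATA-PK-AS-09-BINDING(132)`. I would keep the aliases as comments, e.g. `-- kRB5-PADATA-AP-REQ(1), alias of TGS-REQ`. The PADATA-TYPE list continues outside this hunk.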
@@ -54,17 +62,22 @@ PADATA-TYPE ::= INTEGER {
kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
--- kRB5-PADATA-PK-AS-REQ-WIN(15), (PKINIT - old number)
+-- kRB5-PADATA-PK-AS-REQ-WIN(15), - (PKINIT - old number)
kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
kRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
kRB5-PADATA-ETYPE-INFO2(19),
kRB5-PADATA-USE-SPECIFIED-KVNO(20),
--- kRB5-PADATA-SVR-REFERRAL-INFO(20), old ms referral number
+-- kRB5-PADATA-SVR-REFERRAL-INFO(20), - old ms referral number
kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
kRB5-PADATA-GET-FROM-TYPED-DATA(22),
kRB5-PADATA-SAM-ETYPE-INFO(23),
kRB5-PADATA-SERVER-REFERRAL(25),
+ kRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
+ kRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
+ kRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
+ kRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
+ kRB5-PADATA-FX-FAST-ARMOR(71), -- fast armor
kRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
@@ -72,14 +85,31 @@ PADATA-TYPE ::= INTEGER {
kRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
kRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
kRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
- kRB5-PADATA-S4U2SELF(129),
- kRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
- -- tell KDC that is supports
+ kRB5-PADATA-FOR-USER(129), -- MS-KILE
+ kRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
+ kRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
+ kRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
+ kRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
+ -- tell KDC that is supports
-- the asCheckSum in the
-- PK-AS-REP
- kRB5-PADATA-CLIENT-CANONICALIZED(133) --
+ kRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
+ kRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
+ kRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
+ kRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
+ kRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
+ kRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
+ kRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
+ kRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
+ kBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
+ kRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
+ kRB5-PADATA-EPAK-AS-REQ(145),
+ kRB5-PADATA-EPAK-AS-REP(146),
+ kRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
+ kRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
+ kRB5-PADATA-REQ-ENC-PA-REP(149), --
+ kRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE
}
-
AUTHDATA-TYPE ::= INTEGER {
kRB5-AUTHDATA-IF-RELEVANT(1),
kRB5-AUTHDATA-INTENDED-FOR-SERVER(2),
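Review bot: `kBB5-PADATA-OTP-CONFIRM(143)` is misspelled; every other identifier in PADATA-TYPE starts with `kRB5-`. Any name or constant generated from this entry will carry the typo and will not be found by a search for the usual prefix. The line should read `kRB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)`. The list starts outside this hunk.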
@@ -95,7 +125,9 @@ AUTHDATA-TYPE ::= INTEGER {
kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
kRB5-AUTHDATA-WIN2K-PAC(128),
kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
- kRB5-AUTHDATA-SIGNTICKET(-17)
+ kRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
+ kRB5-AUTHDATA-SIGNTICKET-OLD(142),
+ kRB5-AUTHDATA-SIGNTICKET(512)
}
-- checksumtypes
@@ -119,6 +151,8 @@ CKSUMTYPE ::= INTEGER {
cKSUMTYPE-HMAC-SHA1-96-AES-256(16),
cKSUMTYPE-CMAC-CAMELLIA128(17),
cKSUMTYPE-CMAC-CAMELLIA256(18),
+ cKSUMTYPE-HMAC-SHA256-128-AES128(19),
+ cKSUMTYPE-HMAC-SHA384-192-AES256(20),
cKSUMTYPE-GSSAPI(--0x8003--32771),
cKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number
cKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial
@@ -320,7 +354,9 @@ TicketFlags ::= BIT STRING {
hw-authent(11),
transited-policy-checked(12),
ok-as-delegate(13),
- anonymous(14)
+ anonymous-14(14),
+ enc-pa-rep(15),
+ anonymous(16)
}
KDCOptions ::= BIT STRING {
diff --git a/epan/dissectors/asn1/kerberos/kerberos.cnf b/epan/dissectors/asn1/kerberos/kerberos.cnf
index dc04d58abf..f04b6639f8 100644
--- a/epan/dissectors/asn1/kerberos/kerberos.cnf
+++ b/epan/dissectors/asn1/kerberos/kerberos.cnf
@@ -31,9 +31,7 @@ AD-LoginAlias
AD-MANDATORY-FOR-KDC
AUTHDATA-TYPE
ChangePasswdDataMS
-EncryptedData
EtypeList
-KerberosFlags
KRB5SignedPath
KRB5SignedPathData
KRB5SignedPathPrincipals
@@ -56,6 +54,11 @@ Principal
PROV-SRV-LOCATION
SAMFlags
TYPED-DATA
+KrbFastReq
+KrbFastResponse
+KrbFastFinished
+FastOptions
+KerberosFlags
#.NO_EMIT ONLY_VALS
Applications
@@ -138,34 +141,47 @@ guint32 msgtype;
switch(private_data->padata_type){
case KRB5_PA_TGS_REQ:
offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications);
- break;
+ break;
case KRB5_PA_PK_AS_REQ:
offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsReq);
- break;
+ break;
case KRB5_PA_PK_AS_REP:
offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsRep);
- break;
+ break;
case KRB5_PA_PAC_REQUEST:
offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_KERB_PA_PAC_REQUEST);
break;
case KRB5_PA_S4U2SELF:
offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U2Self);
- break;
+ break;
case KRB5_PA_PROV_SRV_LOCATION:
offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PA_PROV_SRV_LOCATION);
- break;
+ break;
case KRB5_PA_ENC_TIMESTAMP:
offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_ENC_TIMESTAMP);
- break;
+ break;
case KRB5_PA_ENCTYPE_INFO:
offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO);
- break;
+ break;
case KRB5_PA_ENCTYPE_INFO2:
offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO2);
- break;
+ break;
case KRB5_PA_PW_SALT:
offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PW_SALT);
- break;
+ break;
+ case KRB5_PA_AUTHENTICATION_SET:
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_AUTHENTICATION_SET);
+ break;
+ case KRB5_PADATA_FX_FAST:
+ if(private_data->is_request){
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REQUEST);
+ }else{
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REPLY);
+ }
+ break;
+ case KRB5_PADATA_ENCRYPTED_CHALLENGE:
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_EncryptedChallenge);
+ break;
default:
offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL);
}
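Review bot: `private_data->is_request`, which the new `KRB5_PADATA_FX_FAST` case reads to choose between PA-FX-FAST-REQUEST and PA-FX-FAST-REPLY, is only assigned in the `#.FN_HDR` sections this commit adds for AS-REQ, AS-REP and KRB-ERROR at the end of this file. The comments in RFC6113.asn describe FAST for TGS exchanges as well, so a TGS-REQ carrying padata type 136 would be decoded with whatever value the flag already holds. The initialisation in `kerberos_get_private_data` is not visible here; if it is zero, a TGS request is parsed as a reply and the capture shows a malformed or misleading tree. I would add `#.FN_HDR TGS-REQ` and `#.FN_HDR TGS-REP` sections that set `private_data->is_request = TRUE;` and `private_data->is_request = FALSE;` respectively. The switch sits in a function body that starts outside this hunk.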
@@ -388,3 +404,15 @@ AuthorizationData/_item/ad-type STRINGS=VALS(krb5_ad_types)
if (new_tvb) {
call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_PRIV_USER_DATA, (kerberos_callbacks*)actx->private_data);
}
+
+#.FN_HDR AS-REQ
+ kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
+ private_data->is_request = TRUE;
+
+#.FN_HDR AS-REP
+ kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
+ private_data->is_request = FALSE;
+
+#.FN_HDR KRB-ERROR
+ kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
+ private_data->is_request = FALSE;
diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
index 4412fb1440..7ca1c98496 100644
--- a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
+++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
@@ -98,6 +98,7 @@ typedef struct kerberos_key {
} kerberos_key_t;
typedef struct {
+ gboolean is_request;
guint32 etype;
guint32 padata_type;
guint32 enctype;
@@ -117,7 +118,10 @@ static int dissect_kerberos_PA_S4U2Self(gboolean implicit_tag _U_, tvbuff_t *tvb
static int dissect_kerberos_ETYPE_INFO(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
static int dissect_kerberos_ETYPE_INFO2(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
static int dissect_kerberos_AD_IF_RELEVANT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
-
+static int dissect_kerberos_PA_AUTHENTICATION_SET(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_FX_FAST_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_FX_FAST_REPLY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
/* Desegment Kerberos over TCP messages */
static gboolean krb_desegment = TRUE;
@@ -834,6 +838,7 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
#define KRB5_PA_PK_AS_REQ 14
#define KRB5_PA_PK_AS_REP 15
#define KRB5_PA_DASS 16
+#define KRB5_PA_PK_AS_REP_17 17
#define KRB5_PA_ENCTYPE_INFO2 19
#define KRB5_PA_USE_SPECIFIED_KVNO 20
#define KRB5_PA_SAM_REDIRECT 21
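Review bot: The name `KRB5_PA_PK_AS_REP_17` reads like a variant, yet k5.asn as shown in this commit lists 17 as `kRB5-PADATA-PK-AS-REP` (PKINIT-25) and 15 as the `-19` draft number, so the template and the ASN.1 list disagree on which value is the current PK-AS-REP. The padata switch in kerberos.cnf, as far as this commit shows it, still hands only `KRB5_PA_PK_AS_REP` (15) to `dissect_pkinit_PaPkAsRep`, so type 17 falls through to the default case and is shown as an opaque octet string. A comment on the define would make the relationship clear, e.g. `/* PA-PK-AS-REP per PKINIT-25; 15 above is the draft-19 number */`. The same applies to the `"PA-PK-AS-REP-17"` label added to `krb5_preauthentication_types` in a later hunk of this file.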
@@ -857,6 +862,15 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
#define KRB5_PA_PAC_REQUEST 128 /* (Microsoft extension) */
#define KRB5_PA_FOR_USER 129 /* Impersonation (Microsoft extension) See [MS-SFU]. XXX - replaced by KRB5_PA_S4U2SELF */
#define KRB5_PA_S4U2SELF 129
+#define KRB5_PADATA_S4U_X509_USER 130 /* certificate protocol transition request */
+#define KRB5_PADATA_FX_COOKIE 133
+#define KRB5_PA_AUTHENTICATION_SET 134
+#define KRB5_PADATA_FX_FAST 136
+#define KRB5_PADATA_FX_ERROR 137
+#define KRB5_PADATA_ENCRYPTED_CHALLENGE 138
+#define KRB5_PADATA_PKINIT_KX 147
+#define KRB5_ENCPADATA_REQ_ENC_PA_REP 149
+
#define KRB5_PA_PROV_SRV_LOCATION 0xffffffff /* (gint32)0xFF) packetcable stuff */
/* Principal name-type */
@@ -1083,6 +1097,7 @@ static const value_string krb5_preauthentication_types[] = {
{ KRB5_PA_PK_AS_REQ , "PA-PK-AS-REQ" },
{ KRB5_PA_PK_AS_REP , "PA-PK-AS-REP" },
{ KRB5_PA_DASS , "PA-DASS" },
+ { KRB5_PA_PK_AS_REP_17 , "PA-PK-AS-REP-17" },
{ KRB5_PA_USE_SPECIFIED_KVNO , "PA-USE-SPECIFIED-KVNO" },
{ KRB5_PA_SAM_REDIRECT , "PA-SAM-REDIRECT" },
{ KRB5_PA_GET_FROM_TYPED_DATA , "PA-GET-FROM-TYPED-DATA" },
@@ -1100,6 +1115,15 @@ static const value_string krb5_preauthentication_types[] = {
{ KRB5_TD_REQ_SEQ , "TD-REQ-SEQ" },
{ KRB5_PA_PAC_REQUEST , "PA-PAC-REQUEST" },
{ KRB5_PA_FOR_USER , "PA-FOR-USER" },
+ { KRB5_PADATA_S4U_X509_USER , "PA-S4U-X509-USER" },
+ { KRB5_PADATA_FX_COOKIE , "PA-FX-COOKIE" },
+ { KRB5_PA_AUTHENTICATION_SET , "KRB5-PA-AUTHENTICATION-SET" },
+
+ { KRB5_PADATA_FX_FAST , "PA-FX-FAST" },
+ { KRB5_PADATA_FX_ERROR , "PA-FX-ERROR" },
+ { KRB5_PADATA_ENCRYPTED_CHALLENGE , "PA-ENCRYPTED-CHALLENGE" },
+ { KRB5_PADATA_PKINIT_KX , "PA-PKINIT-KX" },
+ { KRB5_ENCPADATA_REQ_ENC_PA_REP , "PA-REQ-ENC-PA-REP" },
{ KRB5_PA_PROV_SRV_LOCATION , "PA-PROV-SRV-LOCATION" },
{ 0 , NULL },
};
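Review bot: The label `"KRB5-PA-AUTHENTICATION-SET"` is the only string among the entries shown here that carries a `KRB5-` prefix; its neighbours all start with `PA-` or `TD-`. This is the text a user sees in the packet tree, so it should match: `{ KRB5_PA_AUTHENTICATION_SET , "PA-AUTHENTICATION-SET" },`. The blank line added after that entry also splits the initializer for no visible reason. The array starts outside this hunk.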