diff options
| -rw-r--r-- | cmake/modules/FindKERBEROS.cmake | 1 | ||||
| -rw-r--r-- | cmakeconfig.h.in | 3 | ||||
| -rw-r--r-- | epan/dissectors/asn1/kerberos/packet-kerberos-template.c | 25 | ||||
| -rw-r--r-- | epan/dissectors/packet-kerberos.c | 31 |
4 files changed, 43 insertions, 17 deletions
diff --git a/cmake/modules/FindKERBEROS.cmake b/cmake/modules/FindKERBEROS.cmake index 008aad442b..dbdf4d5bc5 100644 --- a/cmake/modules/FindKERBEROS.cmake +++ b/cmake/modules/FindKERBEROS.cmake @@ -87,6 +87,7 @@ if(KERBEROS_FOUND) set(CMAKE_REQUIRED_INCLUDES ${KERBEROS_INCLUDE_DIRS}) set(CMAKE_REQUIRED_LIBRARIES ${KERBEROS_LIBRARIES}) check_symbol_exists("heimdal_version" "krb5.h" HAVE_HEIMDAL_KERBEROS) + check_symbol_exists("krb5_pac_verify" "krb5.h" HAVE_KRB5_PAC_VERIFY) set(CMAKE_REQUIRED_INCLUDES) set(CMAKE_REQUIRED_LIBRARIES) if(NOT HAVE_HEIMDAL_KERBEROS) diff --git a/cmakeconfig.h.in b/cmakeconfig.h.in index f117da675b..0135d1bfdc 100644 --- a/cmakeconfig.h.in +++ b/cmakeconfig.h.in @@ -88,6 +88,9 @@ /* Define to use heimdal kerberos */ #cmakedefine HAVE_HEIMDAL_KERBEROS 1 +/* Define to 1 if you have the `krb5_pac_verify' function. */ +#cmakedefine HAVE_KRB5_PAC_VERIFY 1 + /* Define to 1 if you have the `inflatePrime' function. */ #cmakedefine HAVE_INFLATEPRIME 1 diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c index 55f70c73e0..24498bea34 100644 --- a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c +++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c @@ -296,7 +296,11 @@ static void used_encryption_key(proto_tree *tree, packet_info *pinfo, ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF); } -#ifdef HAVE_MIT_KERBEROS +#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */ + +#if defined(HAVE_MIT_KERBEROS) + +#ifdef HAVE_KRB5_PAC_VERIFY static void used_signing_key(proto_tree *tree, packet_info *pinfo, enc_key_t *ek, tvbuff_t *tvb, krb5_cksumtype checksum, @@ -310,11 +314,7 @@ static void used_signing_key(proto_tree *tree, packet_info *pinfo, ek->keyvalue[0] & 0xFF, ek->keyvalue[1] & 0xFF, ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF); } -#endif /* HAVE_MIT_KERBEROS */ - -#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */ - -#if defined(HAVE_MIT_KERBEROS) +#endif /* HAVE_KRB5_PAC_VERIFY */ static krb5_context krb5_ctx; @@ -460,6 +460,16 @@ decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo, } USES_APPLE_RST +#ifdef HAVE_KRB5_PAC_VERIFY +/* + * macOS up to 10.14.5 only has a MIT shim layer on top + * of heimdal. It means that krb5_pac_verify() is not available + * in /usr/lib/libkrb5.dylib + * + * https://opensource.apple.com/tarballs/Heimdal/Heimdal-520.260.1.tar.gz + * https://opensource.apple.com/tarballs/MITKerberosShim/MITKerberosShim-71.200.1.tar.gz + */ + extern krb5_error_code krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *); @@ -554,6 +564,7 @@ verify_krb5_pac(proto_tree *tree _U_, asn1_ctx_t *actx, tvbuff_t *pactvb) krb5_pac_free(krb5_ctx, pac); } +#endif /* HAVE_KRB5_PAC_VERIFY */ #elif defined(HAVE_HEIMDAL_KERBEROS) static krb5_context krb5_ctx; @@ -2009,7 +2020,7 @@ dissect_krb5_AD_WIN2K_PAC(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, guint32 version; guint32 i; -#ifdef HAVE_MIT_KERBEROS +#if defined(HAVE_MIT_KERBEROS) && defined(HAVE_KRB5_PAC_VERIFY) verify_krb5_pac(tree, actx, tvb); #endif diff --git a/epan/dissectors/packet-kerberos.c b/epan/dissectors/packet-kerberos.c index 2107f8b0a5..230d3f6c77 100644 --- a/epan/dissectors/packet-kerberos.c +++ b/epan/dissectors/packet-kerberos.c @@ -604,7 +604,11 @@ static void used_encryption_key(proto_tree *tree, packet_info *pinfo, ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF); } -#ifdef HAVE_MIT_KERBEROS +#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */ + +#if defined(HAVE_MIT_KERBEROS) + +#ifdef HAVE_KRB5_PAC_VERIFY static void used_signing_key(proto_tree *tree, packet_info *pinfo, enc_key_t *ek, tvbuff_t *tvb, krb5_cksumtype checksum, @@ -618,11 +622,7 @@ static void used_signing_key(proto_tree *tree, packet_info *pinfo, ek->keyvalue[0] & 0xFF, ek->keyvalue[1] & 0xFF, ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF); } -#endif /* HAVE_MIT_KERBEROS */ - -#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */ - -#if defined(HAVE_MIT_KERBEROS) +#endif /* HAVE_KRB5_PAC_VERIFY */ static krb5_context krb5_ctx; @@ -768,6 +768,16 @@ decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo, } USES_APPLE_RST +#ifdef HAVE_KRB5_PAC_VERIFY +/* + * macOS up to 10.14.5 only has a MIT shim layer on top + * of heimdal. It means that krb5_pac_verify() is not available + * in /usr/lib/libkrb5.dylib + * + * https://opensource.apple.com/tarballs/Heimdal/Heimdal-520.260.1.tar.gz + * https://opensource.apple.com/tarballs/MITKerberosShim/MITKerberosShim-71.200.1.tar.gz + */ + extern krb5_error_code krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *); @@ -862,6 +872,7 @@ verify_krb5_pac(proto_tree *tree _U_, asn1_ctx_t *actx, tvbuff_t *pactvb) krb5_pac_free(krb5_ctx, pac); } +#endif /* HAVE_KRB5_PAC_VERIFY */ #elif defined(HAVE_HEIMDAL_KERBEROS) static krb5_context krb5_ctx; @@ -2317,7 +2328,7 @@ dissect_krb5_AD_WIN2K_PAC(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, guint32 version; guint32 i; -#ifdef HAVE_MIT_KERBEROS +#if defined(HAVE_MIT_KERBEROS) && defined(HAVE_KRB5_PAC_VERIFY) verify_krb5_pac(tree, actx, tvb); #endif @@ -4773,7 +4784,7 @@ dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_ /*--- End of included file: packet-kerberos-fn.c ---*/ -#line 2034 "./asn1/kerberos/packet-kerberos-template.c" +#line 2045 "./asn1/kerberos/packet-kerberos-template.c" /* Make wrappers around exported functions for now */ int @@ -5981,7 +5992,7 @@ void proto_register_kerberos(void) { NULL, HFILL }}, /*--- End of included file: packet-kerberos-hfarr.c ---*/ -#line 2421 "./asn1/kerberos/packet-kerberos-template.c" +#line 2432 "./asn1/kerberos/packet-kerberos-template.c" }; /* List of subtrees */ @@ -6071,7 +6082,7 @@ void proto_register_kerberos(void) { &ett_kerberos_KrbFastArmoredRep, /*--- End of included file: packet-kerberos-ettarr.c ---*/ -#line 2437 "./asn1/kerberos/packet-kerberos-template.c" +#line 2448 "./asn1/kerberos/packet-kerberos-template.c" }; static ei_register_info ei[] = { |