diff options
author | João Valverde <joao.valverde@tecnico.ulisboa.pt> | 2016-03-09 03:17:51 +0000 |
---|---|---|
committer | João Valverde <j@v6e.pt> | 2016-03-13 21:30:24 +0000 |
commit | 54a520d4a1151c68d0b4e5f09a8d82466fa499f3 (patch) | |
tree | 7aacae160382098ce651ac862a5dfd5de4beff94 /epan/dissectors/asn1/kerberos | |
parent | c1f3c935bdd33090c87f0d2f84842ce9729b747a (diff) |
Move /asn1 to /epan/dissectors
Change-Id: I1208fe3c2ba428995526f561e8f792b8d871e9a9
Reviewed-on: https://code.wireshark.org/review/14388
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: João Valverde <j@v6e.pt>
Diffstat (limited to 'epan/dissectors/asn1/kerberos')
-rw-r--r-- | epan/dissectors/asn1/kerberos/CMakeLists.txt | 54 | ||||
-rw-r--r-- | epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn | 497 | ||||
-rw-r--r-- | epan/dissectors/asn1/kerberos/Makefile.am | 23 | ||||
-rw-r--r-- | epan/dissectors/asn1/kerberos/Makefile.common | 46 | ||||
-rw-r--r-- | epan/dissectors/asn1/kerberos/Makefile.nmake | 26 | ||||
-rw-r--r-- | epan/dissectors/asn1/kerberos/RFC3244.asn | 12 | ||||
-rw-r--r-- | epan/dissectors/asn1/kerberos/k5.asn | 775 | ||||
-rw-r--r-- | epan/dissectors/asn1/kerberos/kerberos.cnf | 388 | ||||
-rw-r--r-- | epan/dissectors/asn1/kerberos/packet-kerberos-template.c | 2506 | ||||
-rw-r--r-- | epan/dissectors/asn1/kerberos/packet-kerberos-template.h | 145 |
10 files changed, 4472 insertions, 0 deletions
diff --git a/epan/dissectors/asn1/kerberos/CMakeLists.txt b/epan/dissectors/asn1/kerberos/CMakeLists.txt new file mode 100644 index 0000000000..0de5b69e0e --- /dev/null +++ b/epan/dissectors/asn1/kerberos/CMakeLists.txt @@ -0,0 +1,54 @@ +# CMakeLists.txt +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# + +set( PROTOCOL_NAME kerberos ) + +set( PROTO_OPT ) + +set( EXPORT_FILES + ${PROTOCOL_NAME}-exp.cnf +) + +set( EXT_ASN_FILE_LIST +) + +set( ASN_FILE_LIST + KerberosV5Spec2.asn + k5.asn + RFC3244.asn +) + +set( EXTRA_DIST + ${ASN_FILE_LIST} + packet-${PROTOCOL_NAME}-template.c + packet-${PROTOCOL_NAME}-template.h + ${PROTOCOL_NAME}.cnf +) + +set( SRC_FILES + ${EXTRA_DIST} + ${EXT_ASN_FILE_LIST} +) + +set( A2W_FLAGS -b ) + +ASN2WRS() + diff --git a/epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn b/epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn new file mode 100644 index 0000000000..fb3f4e8b56 --- /dev/null +++ b/epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn @@ -0,0 +1,497 @@ +--http://www.ietf.org/rfc/rfc4120.txt?number=4120 +KerberosV5Spec2 { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) modules(4) krb5spec2(2) +} DEFINITIONS EXPLICIT TAGS ::= BEGIN + +-- OID arc for KerberosV5 +-- +-- This OID may be used to identify Kerberos protocol messages +-- encapsulated in other protocols. +-- +-- This OID also designates the OID arc for KerberosV5-related OIDs. +-- +-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID. +-- WS construct +Applications ::= CHOICE { + ticket Ticket, -- 1 -- + authenticator Authenticator, -- 2 -- + encTicketPart EncTicketPart, -- 3 -- + as-req AS-REQ, -- 10 -- + as-rep AS-REP, -- 11 -- + tgs-req TGS-REQ, -- 12 -- + tgs-rep TGS-REP, -- 13 -- + ap-req AP-REQ, -- 14 -- + ap-rep AP-REP, -- 15 -- + krb-safe KRB-SAFE, -- 20 -- + krb-priv KRB-PRIV, -- 21 -- + krb-cred KRB-CRED, -- 22 -- + encASRepPart EncASRepPart, -- 25 -- + encTGSRepPart EncTGSRepPart, -- 26 -- + encAPRepPart EncAPRepPart, -- 27 -- + encKrbPrivPart ENC-KRB-PRIV-PART, -- 28 -- + encKrbCredPart EncKrbCredPart, -- 29 -- + krb-error KRB-ERROR -- 30 -- + } +-- end WS construct +id-krb5 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) +} + +Int32 ::= INTEGER (-2147483648..2147483647) + -- signed values representable in 32 bits + +UInt32 ::= INTEGER (0..4294967295) + -- unsigned 32 bit values + +Microseconds ::= INTEGER (0..999999) + -- microseconds + +KerberosString ::= GeneralString (IA5String) +CNameString ::= GeneralString (IA5String) +SNameString ::= GeneralString (IA5String) + +Realm ::= KerberosString + +PrincipalName ::= SEQUENCE { +-- name-type [0] Int32, Use the translationj from krb5.asn (Heimdahl) + name-type [0] NAME-TYPE, + name-string [1] SEQUENCE OF KerberosString +} + +CName ::= SEQUENCE { + name-type [0] NAME-TYPE, + cname-string [1] SEQUENCE OF CNameString +} + +SName ::= SEQUENCE { + name-type [0] NAME-TYPE, + sname-string [1] SEQUENCE OF SNameString +} + +KerberosTime ::= GeneralizedTime -- with no fractional seconds + +HostAddress ::= SEQUENCE { +-- addr-type [0] Int32, + addr-type [0] ADDR-TYPE, --use k5.asn + address [1] OCTET STRING +} + +-- NOTE: HostAddresses is always used as an OPTIONAL field and +-- should not be empty. +HostAddresses -- NOTE: subtly different from rfc1510, + -- but has a value mapping and encodes the same + ::= SEQUENCE OF HostAddress + +-- NOTE: AuthorizationData is always used as an OPTIONAL field and +-- should not be empty. +AuthorizationData ::= SEQUENCE OF SEQUENCE { + ad-type [0] Int32, + ad-data [1] OCTET STRING +} + +PA-DATA ::= SEQUENCE { + -- NOTE: first tag is [1], not [0] +-- padata-type [1] Int32, use k5.asn + padata-type [1] PADATA-TYPE, + padata-value [2] OCTET STRING -- might be encoded AP-REQ +} + +KerberosFlags ::= BIT STRING (SIZE (32..MAX)) + -- minimum number of bits shall be sent, + -- but no fewer than 32 + +EncryptedData ::= SEQUENCE { +-- etype [0] Int32 - - EncryptionType - -, Use k5.asn + etype [0] ENCTYPE -- EncryptionType --, + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptionKey ::= SEQUENCE { + keytype [0] Int32 -- actually encryption type --, + keyvalue [1] OCTET STRING +} + +Checksum ::= SEQUENCE { +-- cksumtype [0] Int32, Use k5.asn + cksumtype [0] CKSUMTYPE, + checksum [1] OCTET STRING +} + +EncryptedTicketData ::= SEQUENCE { + etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptedAuthorizationData ::= SEQUENCE { + etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptedKDCREPData ::= SEQUENCE { + etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptedAPREPData ::= SEQUENCE { + etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptedKrbPrivData ::= SEQUENCE { + etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptedKrbCredData ::= SEQUENCE { + etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +Ticket ::= [APPLICATION 1] SEQUENCE { + tkt-vno [0] INTEGER (5), + realm [1] Realm, + sname [2] SName, + enc-part [3] EncryptedTicketData +} + +-- Encrypted part of ticket +EncTicketPart ::= [APPLICATION 3] SEQUENCE { + flags [0] TicketFlags, + key [1] EncryptionKey, + crealm [2] Realm, + cname [3] CName, + transited [4] TransitedEncoding, + authtime [5] KerberosTime, + starttime [6] KerberosTime OPTIONAL, + endtime [7] KerberosTime, + renew-till [8] KerberosTime OPTIONAL, + caddr [9] HostAddresses OPTIONAL, + authorization-data [10] AuthorizationData OPTIONAL +} + +-- encoded Transited field +TransitedEncoding ::= SEQUENCE { + tr-type [0] Int32 -- must be registered --, + contents [1] OCTET STRING +} +-- Use the k5.asn def +-- TicketFlags ::= KerberosFlags + -- reserved(0), + -- forwardable(1), + -- forwarded(2), + -- proxiable(3), + -- proxy(4), + -- may-postdate(5), + -- postdated(6), + -- invalid(7), + -- renewable(8), + -- initial(9), + -- pre-authent(10), + -- hw-authent(11), +-- the following are new since 1510 + -- transited-policy-checked(12), + -- ok-as-delegate(13) + +AS-REQ ::= [APPLICATION 10] KDC-REQ + +TGS-REQ ::= [APPLICATION 12] KDC-REQ + +KDC-REQ ::= SEQUENCE { + -- NOTE: first tag is [1], not [0] + pvno [1] INTEGER (5) , +-- msg-type [2] INTEGER (10 - - AS - - | 12 - - TGS - -), +-- msg-type [2] INTEGER, use k5.asn + msg-type [2] MESSAGE-TYPE, + padata [3] SEQUENCE OF PA-DATA OPTIONAL + -- NOTE: not empty --, + req-body [4] KDC-REQ-BODY +} + +KDC-REQ-BODY ::= SEQUENCE { + kdc-options [0] KDCOptions, + cname [1] CName OPTIONAL + -- Used only in AS-REQ --, + realm [2] Realm + -- Server's realm + -- Also client's in AS-REQ --, + sname [3] SName OPTIONAL, + from [4] KerberosTime OPTIONAL, + +-- this field is not optional in the kerberos spec, however, in the packetcable spec it is optional +-- make it optional here since normal kerberos will still decode the pdu correctly. + till [5] KerberosTime OPTIONAL, + + rtime [6] KerberosTime OPTIONAL, + nonce [7] UInt32, +-- etype [8] SEQUENCE OF Int32 - - EncryptionType Use k5.asn + etype [8] SEQUENCE OF ENCTYPE -- EncryptionType + -- in preference order --, + addresses [9] HostAddresses OPTIONAL, + enc-authorization-data [10] EncryptedAuthorizationData OPTIONAL + -- AuthorizationData --, + additional-tickets [11] SEQUENCE OF Ticket OPTIONAL + -- NOTE: not empty +} + +-- Use th k5.asn def +--KDCOptions ::= KerberosFlags + -- reserved(0), + -- forwardable(1), + -- forwarded(2), + -- proxiable(3), + -- proxy(4), + -- allow-postdate(5), + -- postdated(6), + -- unused7(7), + -- renewable(8), + -- unused9(9), + -- unused10(10), + -- opt-hardware-auth(11), + -- unused12(12), + -- unused13(13), +-- 15 is reserved for canonicalize + -- unused15(15), +-- 26 was unused in 1510 + -- disable-transited-check(26), +-- + -- renewable-ok(27), + -- enc-tkt-in-skey(28), + -- renew(30), + -- validate(31) + +AS-REP ::= [APPLICATION 11] KDC-REP + +TGS-REP ::= [APPLICATION 13] KDC-REP + + +KDC-REP ::= SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (11 - - AS - - | 13 - - TGS - -), +-- msg-type [1] INTEGER, use k5.asn + msg-type [1] MESSAGE-TYPE, + padata [2] SEQUENCE OF PA-DATA OPTIONAL + -- NOTE: not empty --, + crealm [3] Realm, + cname [4] CName, + ticket [5] Ticket, + enc-part [6] EncryptedKDCREPData + -- EncASRepPart or EncTGSRepPart, + -- as appropriate +} + +EncASRepPart ::= [APPLICATION 25] EncKDCRepPart + +EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart + +EncKDCRepPart ::= SEQUENCE { + key [0] EncryptionKey, + last-req [1] LastReq, + nonce [2] UInt32, + key-expiration [3] KerberosTime OPTIONAL, + flags [4] TicketFlags, + authtime [5] KerberosTime, + starttime [6] KerberosTime OPTIONAL, + endtime [7] KerberosTime, + renew-till [8] KerberosTime OPTIONAL, + srealm [9] Realm, + sname [10] SName, + caddr [11] HostAddresses OPTIONAL, + encrypted-pa-data[12] METHOD-DATA OPTIONAL -- from k5.asn +} + +LastReq ::= SEQUENCE OF SEQUENCE { +-- lr-type [0] Int32, Use k5.asn + lr-type [0] LR-TYPE, + lr-value [1] KerberosTime +} + +AP-REQ ::= [APPLICATION 14] SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (14), use k5.asn + msg-type [1] MESSAGE-TYPE, + ap-options [2] APOptions, + ticket [3] Ticket, + authenticator [4] EncryptedAuthorizationData -- Authenticator +} +-- Use the krb5.asn def. +--APOptions ::= KerberosFlags + -- reserved(0), + -- use-session-key(1), + -- mutual-required(2) + +-- Unencrypted authenticator +Authenticator ::= [APPLICATION 2] SEQUENCE { + authenticator-vno [0] INTEGER (5), + crealm [1] Realm, + cname [2] CName, + cksum [3] Checksum OPTIONAL, + cusec [4] Microseconds, + ctime [5] KerberosTime, + subkey [6] EncryptionKey OPTIONAL, + seq-number [7] UInt32 OPTIONAL, + authorization-data [8] AuthorizationData OPTIONAL +} + +AP-REP ::= [APPLICATION 15] SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (15), Use k5.asn + msg-type [1] MESSAGE-TYPE, + enc-part [2] EncryptedAPREPData -- EncAPRepPart +} + +EncAPRepPart ::= [APPLICATION 27] SEQUENCE { + ctime [0] KerberosTime, + cusec [1] Microseconds, + subkey [2] EncryptionKey OPTIONAL, + seq-number [3] UInt32 OPTIONAL +} + +KRB-SAFE ::= [APPLICATION 20] SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (20), use k5.asn + msg-type [1] MESSAGE-TYPE, + safe-body [2] KRB-SAFE-BODY, + cksum [3] Checksum +} + +KRB-SAFE-BODY ::= SEQUENCE { + user-data [0] OCTET STRING, + timestamp [1] KerberosTime OPTIONAL, + usec [2] Microseconds OPTIONAL, + seq-number [3] UInt32 OPTIONAL, + s-address [4] HostAddress OPTIONAL, -- XXX this one is OPTIONAL in packetcable? but mandatory in kerberos + r-address [5] HostAddress OPTIONAL +} + +KRB-PRIV ::= [APPLICATION 21] SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (21), Use k5.asn + msg-type [1] MESSAGE-TYPE, + -- NOTE: there is no [2] tag + enc-part [3] EncryptedKrbPrivData -- EncKrbPrivPart +} + +ENC-KRB-PRIV-PART ::= [APPLICATION 28] EncKrbPrivPart + +EncKrbPrivPart ::= SEQUENCE { + user-data [0] OCTET STRING, + timestamp [1] KerberosTime OPTIONAL, + usec [2] Microseconds OPTIONAL, + seq-number [3] UInt32 OPTIONAL, + s-address [4] HostAddress -- sender's addr --, + r-address [5] HostAddress OPTIONAL -- recip's addr +} + +KRB-CRED ::= [APPLICATION 22] SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (22), use k5.asn + msg-type [1] MESSAGE-TYPE, + tickets [2] SEQUENCE OF Ticket, + enc-part [3] EncryptedKrbCredData -- EncKrbCredPart +} + +EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { + ticket-info [0] SEQUENCE OF KrbCredInfo, + nonce [1] UInt32 OPTIONAL, + timestamp [2] KerberosTime OPTIONAL, + usec [3] Microseconds OPTIONAL, + s-address [4] HostAddress OPTIONAL, + r-address [5] HostAddress OPTIONAL +} + +KrbCredInfo ::= SEQUENCE { + key [0] EncryptionKey, + prealm [1] Realm OPTIONAL, + pname [2] PrincipalName OPTIONAL, + flags [3] TicketFlags OPTIONAL, + authtime [4] KerberosTime OPTIONAL, + starttime [5] KerberosTime OPTIONAL, + endtime [6] KerberosTime OPTIONAL, + renew-till [7] KerberosTime OPTIONAL, + srealm [8] Realm OPTIONAL, + sname [9] SName OPTIONAL, + caddr [10] HostAddresses OPTIONAL +} + +KRB-ERROR ::= [APPLICATION 30] SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (30), use k5.asn + msg-type [1] MESSAGE-TYPE, + ctime [2] KerberosTime OPTIONAL, + cusec [3] Microseconds OPTIONAL, + stime [4] KerberosTime, + susec [5] Microseconds, +-- error-code [6] Int32, + error-code [6] ERROR-CODE, -- Use k5.asn + crealm [7] Realm OPTIONAL, + cname [8] CName OPTIONAL, + realm [9] Realm -- service realm --, + sname [10] SName -- service name --, + e-text [11] KerberosString OPTIONAL, + e-data [12] OCTET STRING OPTIONAL, + e-checksum [13] Checksum OPTIONAL -- used by PacketCable +} + +METHOD-DATA ::= SEQUENCE OF PA-DATA + +TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + data-type [0] Int32, + data-value [1] OCTET STRING OPTIONAL +} + +-- preauth stuff follows + +PA-ENC-TIMESTAMP ::= SEQUENCE { + etype [0] ENCTYPE -- EncryptionType --, + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +PA-ENC-TS-ENC ::= SEQUENCE { + patimestamp [0] KerberosTime -- client's time --, + pausec [1] Microseconds OPTIONAL +} + +ETYPE-INFO-ENTRY ::= SEQUENCE { +-- etype [0] Int32, use k5.asn + etype [0] ENCTYPE, + salt [1] OCTET STRING OPTIONAL +} + +ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY + +ETYPE-INFO2-ENTRY ::= SEQUENCE { +-- etype [0] Int32, use k5.asn + etype [0] ENCTYPE, + salt [1] KerberosString OPTIONAL, + s2kparams [2] OCTET STRING OPTIONAL +} + +ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY + +AD-IF-RELEVANT ::= AuthorizationData + +AD-KDCIssued ::= SEQUENCE { + ad-checksum [0] Checksum, + i-realm [1] Realm OPTIONAL, + i-sname [2] SName OPTIONAL, + elements [3] AuthorizationData +} + +AD-AND-OR ::= SEQUENCE { + condition-count [0] Int32, + elements [1] AuthorizationData +} + +AD-MANDATORY-FOR-KDC ::= AuthorizationData + +END diff --git a/epan/dissectors/asn1/kerberos/Makefile.am b/epan/dissectors/asn1/kerberos/Makefile.am new file mode 100644 index 0000000000..72d28e600b --- /dev/null +++ b/epan/dissectors/asn1/kerberos/Makefile.am @@ -0,0 +1,23 @@ +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + + +include ../Makefile.preinc +include Makefile.common +include ../Makefile.inc + diff --git a/epan/dissectors/asn1/kerberos/Makefile.common b/epan/dissectors/asn1/kerberos/Makefile.common new file mode 100644 index 0000000000..1871c27ca4 --- /dev/null +++ b/epan/dissectors/asn1/kerberos/Makefile.common @@ -0,0 +1,46 @@ +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + + +PROTOCOL_NAME=kerberos + +EXPORT_FILES = \ + $(PROTOCOL_NAME)-exp.cnf + +EXT_ASN_FILE_LIST = + +ASN_FILE_LIST = \ + KerberosV5Spec2.asn \ + k5.asn \ + RFC3244.asn + +EXTRA_DIST = \ + $(EXTRA_DIST_COMMON) \ + $(ASN_FILE_LIST) \ + packet-$(PROTOCOL_NAME)-template.c \ + packet-$(PROTOCOL_NAME)-template.h \ + $(PROTOCOL_NAME).cnf + +SRC_FILES = \ + $(EXTRA_DIST) \ + $(EXT_ASN_FILE_LIST) + +A2W_FLAGS= -b + +EXTRA_CNF= + diff --git a/epan/dissectors/asn1/kerberos/Makefile.nmake b/epan/dissectors/asn1/kerberos/Makefile.nmake new file mode 100644 index 0000000000..d296638ddd --- /dev/null +++ b/epan/dissectors/asn1/kerberos/Makefile.nmake @@ -0,0 +1,26 @@ +## Use: $(MAKE) /$(MAKEFLAGS) -f makefile.nmake +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + + +include ../../../../config.nmake +include ../Makefile.preinc.nmake +include Makefile.common +include ../Makefile.inc.nmake + diff --git a/epan/dissectors/asn1/kerberos/RFC3244.asn b/epan/dissectors/asn1/kerberos/RFC3244.asn new file mode 100644 index 0000000000..4dcd06e1ec --- /dev/null +++ b/epan/dissectors/asn1/kerberos/RFC3244.asn @@ -0,0 +1,12 @@ +-- Extracted from RFC 3244 + +RFC3244 DEFINITIONS ::= +BEGIN + +ChangePasswdData ::= SEQUENCE { + newpasswd[0] OCTET STRING, + targname[1] PrincipalName OPTIONAL, + targrealm[2] Realm OPTIONAL +} + +END diff --git a/epan/dissectors/asn1/kerberos/k5.asn b/epan/dissectors/asn1/kerberos/k5.asn new file mode 100644 index 0000000000..dde61ec87f --- /dev/null +++ b/epan/dissectors/asn1/kerberos/k5.asn @@ -0,0 +1,775 @@ +-- Extracted from http://www.h5l.org/dist/src/heimdal-1.2.tar.gz +-- Id: k5.asn1 22745 2008-03-24 12:07:54Z lha $ +-- Commented out stuff already in KerberosV5Spec2.asn +KERBEROS5 DEFINITIONS ::= +BEGIN + +NAME-TYPE ::= INTEGER { + kRB5-NT-UNKNOWN(0), -- Name type not known + kRB5-NT-PRINCIPAL(1), -- Just the name of the principal as in + kRB5-NT-SRV-INST(2), -- Service and other unique instance (krbtgt) + kRB5-NT-SRV-HST(3), -- Service with host name as instance + kRB5-NT-SRV-XHST(4), -- Service with host as remaining components + kRB5-NT-UID(5), -- Unique ID + kRB5-NT-X500-PRINCIPAL(6), -- PKINIT + kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name + kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN + kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID + kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name + kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID +} + +-- message types + +MESSAGE-TYPE ::= INTEGER { + krb-as-req(10), -- Request for initial authentication + krb-as-rep(11), -- Response to KRB_AS_REQ request + krb-tgs-req(12), -- Request for authentication based on TGT + krb-tgs-rep(13), -- Response to KRB_TGS_REQ request + krb-ap-req(14), -- application request to server + krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL + krb-safe(20), -- Safe (checksummed) application message + krb-priv(21), -- Private (encrypted) application message + krb-cred(22), -- Private (encrypted) message to forward credentials + krb-error(30) -- Error response +} + + +-- pa-data types + +PADATA-TYPE ::= INTEGER { + kRB5-PADATA-NONE(0), + kRB5-PADATA-TGS-REQ(1), + kRB5-PADATA-AP-REQ(1), + kRB5-PADATA-ENC-TIMESTAMP(2), + kRB5-PADATA-PW-SALT(3), + kRB5-PADATA-ENC-UNIX-TIME(5), + kRB5-PADATA-SANDIA-SECUREID(6), + kRB5-PADATA-SESAME(7), + kRB5-PADATA-OSF-DCE(8), + kRB5-PADATA-CYBERSAFE-SECUREID(9), + kRB5-PADATA-AFS3-SALT(10), + kRB5-PADATA-ETYPE-INFO(11), + kRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp) + kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp) + kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19) + kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19) + kRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number) + kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25) + kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25) + kRB5-PADATA-PA-PK-OCSP-RESPONSE(18), + kRB5-PADATA-ETYPE-INFO2(19), + kRB5-PADATA-USE-SPECIFIED-KVNO(20), + kRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number + kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp) + kRB5-PADATA-GET-FROM-TYPED-DATA(22), + kRB5-PADATA-SAM-ETYPE-INFO(23), + kRB5-PADATA-SERVER-REFERRAL(25), + kRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName + kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT + kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT + kRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific + kRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER + kRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER + kRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com + kRB5-PADATA-S4U2SELF(129), + kRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to + -- tell KDC that is supports + -- the asCheckSum in the + -- PK-AS-REP + kRB5-PADATA-CLIENT-CANONICALIZED(133) -- +} + +AUTHDATA-TYPE ::= INTEGER { + kRB5-AUTHDATA-IF-RELEVANT(1), + kRB5-AUTHDATA-INTENDED-FOR-SERVER(2), + kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3), + kRB5-AUTHDATA-KDC-ISSUED(4), + kRB5-AUTHDATA-AND-OR(5), + kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6), + kRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7), + kRB5-AUTHDATA-MANDATORY-FOR-KDC(8), + kRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9), + kRB5-AUTHDATA-OSF-DCE(64), + kRB5-AUTHDATA-SESAME(65), + kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66), + kRB5-AUTHDATA-WIN2K-PAC(128), + kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only + kRB5-AUTHDATA-SIGNTICKET(-17) +} + +-- checksumtypes + +CKSUMTYPE ::= INTEGER { + cKSUMTYPE-NONE(0), + cKSUMTYPE-CRC32(1), + cKSUMTYPE-RSA-MD4(2), + cKSUMTYPE-RSA-MD4-DES(3), + cKSUMTYPE-DES-MAC(4), + cKSUMTYPE-DES-MAC-K(5), + cKSUMTYPE-RSA-MD4-DES-K(6), + cKSUMTYPE-RSA-MD5(7), + cKSUMTYPE-RSA-MD5-DES(8), + cKSUMTYPE-RSA-MD5-DES3(9), + cKSUMTYPE-SHA1-OTHER(10), + cKSUMTYPE-HMAC-SHA1-DES3-KD(12), + cKSUMTYPE-HMAC-SHA1-DES3(13), + cKSUMTYPE-SHA1(14), + cKSUMTYPE-HMAC-SHA1-96-AES-128(15), + cKSUMTYPE-HMAC-SHA1-96-AES-256(16), + cKSUMTYPE-CMAC-CAMELLIA128(17), + cKSUMTYPE-CMAC-CAMELLIA256(18), + cKSUMTYPE-GSSAPI(--0x8003--32771), + cKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number + cKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial +} + +--enctypes +ENCTYPE ::= INTEGER { + eTYPE-NULL(0), + eTYPE-DES-CBC-CRC(1), + eTYPE-DES-CBC-MD4(2), + eTYPE-DES-CBC-MD5(3), + eTYPE-DES3-CBC-MD5(5), + eTYPE-OLD-DES3-CBC-SHA1(7), + eTYPE-SIGN-DSA-GENERATE(8), + eTYPE-DSA-SHA1(9), + eTYPE-RSA-MD5(10), + eTYPE-RSA-SHA1(11), + eTYPE-RC2-CBC(12), + eTYPE-RSA(13), + eTYPE-RSAES-OAEP(14), + eTYPE-DES-EDE3-CBC(15), + eTYPE-DES3-CBC-SHA1(16), -- with key derivation + eTYPE-AES128-CTS-HMAC-SHA1-96(17), + eTYPE-AES256-CTS-HMAC-SHA1-96(18), + eTYPE-ARCFOUR-HMAC-MD5(23), + eTYPE-ARCFOUR-HMAC-MD5-56(24), + eTYPE-CAMELLIA128-CTS-CMAC(25), + eTYPE-CAMELLIA256-CTS-CMAC(26), + eTYPE-ENCTYPE-PK-CROSS(48), +-- some "old" windows types + eTYPE-ARCFOUR-MD4(-128), + eTYPE-ARCFOUR-HMAC-OLD(-133), + eTYPE-ARCFOUR-HMAC-OLD-EXP(-135), +-- these are for Heimdal internal use +-- eTYPE-DES-CBC-NONE(-0x1000), + eTYPE-DES-CBC-NONE( -4096), +-- eTYPE-DES3-CBC-NONE(-0x1001), + eTYPE-DES3-CBC-NONE(-4097), +-- eTYPE-DES-CFB64-NONE(-0x1002), + eTYPE-DES-CFB64-NONE(-4098), +-- eTYPE-DES-PCBC-NONE(-0x1003), + eTYPE-DES-PCBC-NONE(-4099), +-- eTYPE-DIGEST-MD5-NONE(-0x1004), - - private use, lukeh@padl.com + eTYPE-DIGEST-MD5-NONE(-4100), -- private use, lukeh@padl.com +-- eTYPE-CRAM-MD5-NONE(-0x1005) - - private use, lukeh@padl.com + eTYPE-CRAM-MD5-NONE(-4101) -- private use, lukeh@padl.com +} + +-- addr-types (WS extension ) +ADDR-TYPE ::= INTEGER { + iPv4(2), + cHAOS(5), + xEROX(6), + iSO(7), + dECNET(12), + aPPLETALK(16), + nETBIOS(20), + iPv6(24) +} + +-- error-codes (WS extension) +ERROR-CODE ::= INTEGER { +--error table constants + eRR-NONE(0), + eRR-NAME-EXP(1), + eRR-SERVICE-EXP(2), + eRR-BAD-PVNO(3), + eRR-C-OLD-MAST-KVNO(4), + eRR-S-OLD-MAST-KVNO(5), + eRR-C-PRINCIPAL-UNKNOWN(6), + eRR-S-PRINCIPAL-UNKNOWN(7), + eRR-PRINCIPAL-NOT-UNIQUE(8), + eRR-NULL-KEY(9), + eRR-CANNOT-POSTDATE(10), + eRR-NEVER-VALID(11), + eRR-POLICY(12), + eRR-BADOPTION(13), + eRR-ETYPE-NOSUPP(14), + eRR-SUMTYPE-NOSUPP(15), + eRR-PADATA-TYPE-NOSUPP(16), + eRR-TRTYPE-NOSUPP(17), + eRR-CLIENT-REVOKED(18), + eRR-SERVICE-REVOKED(19), + eRR-TGT-REVOKED(20), + eRR-CLIENT-NOTYET(21), + eRR-SERVICE-NOTYET(22), + eRR-KEY-EXP(23), + eRR-PREAUTH-FAILED(24), + eRR-PREAUTH-REQUIRED(25), + eRR-SERVER-NOMATCH(26), + eRR-MUST-USE-USER2USER(27), + eRR-PATH-NOT-ACCEPTED(28), + eRR-SVC-UNAVAILABLE(29), + eRR-BAD-INTEGRITY(31), + eRR-TKT-EXPIRED(32), + eRR-TKT-NYV(33), + eRR-REPEAT(34), + eRR-NOT-US(35), + eRR-BADMATCH(36), + eRR-SKEW(37), + eRR-BADADDR(38), + eRR-BADVERSION(39), + eRR-MSG-TYPE(40), + eRR-MODIFIED(41), + eRR-BADORDER(42), + eRR-ILL-CR-TKT(43), + eRR-BADKEYVER(44), + eRR-NOKEY(45), + eRR-MUT-FAIL(46), + eRR-BADDIRECTION(47), + eRR-METHOD(48), + eRR-BADSEQ(49), + eRR-INAPP-CKSUM(50), + pATH-NOT-ACCEPTED(51), + eRR-RESPONSE-TOO-BIG(52), + eRR-GENERIC(60), + eRR-FIELD-TOOLONG(61), + eRROR-CLIENT-NOT-TRUSTED(62), + eRROR-KDC-NOT-TRUSTED(63), + eRROR-INVALID-SIG(64), + eRR-KEY-TOO-WEAK(65), + eRR-CERTIFICATE-MISMATCH(66), + eRR-NO-TGT(67), + eRR-WRONG-REALM(68), + eRR-USER-TO-USER-REQUIRED(69), + eRR-CANT-VERIFY-CERTIFICATE(70), + eRR-INVALID-CERTIFICATE(71), + eRR-REVOKED-CERTIFICATE(72), + eRR-REVOCATION-STATUS-UNKNOWN(73), + eRR-REVOCATION-STATUS-UNAVAILABLE(74), + eRR-CLIENT-NAME-MISMATCH(75), + eRR-KDC-NAME-MISMATCH(76) +} + +-- this is sugar to make something ASN1 does not have: unsigned + +Krb5uint32 ::= INTEGER (0..4294967295) +Krb5int32 ::= INTEGER (-2147483648..2147483647) + +--KerberosString ::= GeneralString + +--Realm ::= GeneralString +--PrincipalName ::= SEQUENCE { +-- name-type[0] NAME-TYPE, +-- name-string[1] SEQUENCE OF GeneralString +--} + +-- this is not part of RFC1510 +Principal ::= SEQUENCE { + name[0] PrincipalName, + realm[1] Realm +} + +--HostAddress ::= SEQUENCE { +-- addr-type [0] Krb5int32, +-- address [1] OCTET STRING +--} + +-- This is from RFC1510. +-- +-- HostAddresses ::= SEQUENCE OF SEQUENCE { +-- addr-type[0] Krb5int32, +-- address[1] OCTET STRING +-- } + +-- This seems much better. +--HostAddresses ::= SEQUENCE OF HostAddress + + +--KerberosTime ::= GeneralizedTime - - Specifying UTC time zone (Z) + +--AuthorizationDataElement ::= SEQUENCE { +-- ad-type[0] Krb5int32, +-- ad-data[1] OCTET STRING +--} + +--AuthorizationData ::= SEQUENCE OF AuthorizationDataElement + +APOptions ::= BIT STRING { + reserved(0), + use-session-key(1), + mutual-required(2) +} + +TicketFlags ::= BIT STRING { + reserved(0), + forwardable(1), + forwarded(2), + proxiable(3), + proxy(4), + may-postdate(5), + postdated(6), + invalid(7), + renewable(8), + initial(9), + pre-authent(10), + hw-authent(11), + transited-policy-checked(12), + ok-as-delegate(13), + anonymous(14) +} + +KDCOptions ::= BIT STRING { + reserved(0), + forwardable(1), + forwarded(2), + proxiable(3), + proxy(4), + allow-postdate(5), + postdated(6), + unused7(7), + renewable(8), + unused9(9), + unused10(10), + opt-hardware-auth(11), -- taken from KerberosV5Spec2.asn + request-anonymous(14), + canonicalize(15), + constrained-delegation(16), -- ms extension + disable-transited-check(26), + renewable-ok(27), + enc-tkt-in-skey(28), + renew(30), + validate(31) +} + +LR-TYPE ::= INTEGER { + lR-NONE(0), -- no information + lR-INITIAL-TGT(1), -- last initial TGT request + lR-INITIAL(2), -- last initial request + lR-ISSUE-USE-TGT(3), -- time of newest TGT used + lR-RENEWAL(4), -- time of last renewal + lR-REQUEST(5), -- time of last request (of any type) + lR-PW-EXPTIME(6), -- expiration time of password + lR-ACCT-EXPTIME(7) -- expiration time of account +} + +--LastReq ::= SEQUENCE OF SEQUENCE { +-- lr-type[0] LR-TYPE, +-- lr-value[1] KerberosTime +--} + + +--EncryptedData ::= SEQUENCE { +-- etype[0] ENCTYPE, - - EncryptionType +-- kvno[1] Krb5int32 OPTIONAL, +-- cipher[2] OCTET STRING - - ciphertext +--} + +--EncryptionKey ::= SEQUENCE { +-- keytype[0] Krb5int32, +-- keyvalue[1] OCTET STRING +--} + +-- encoded Transited field +--TransitedEncoding ::= SEQUENCE { +-- tr-type[0] Krb5int32, - - must be registered +-- contents[1] OCTET STRING +--} + +--Ticket ::= [APPLICATION 1] SEQUENCE { +-- tkt-vno[0] Krb5int32, +-- realm[1] Realm, +-- sname[2] PrincipalName, +-- enc-part[3] EncryptedData +--} +-- Encrypted part of ticket +--EncTicketPart ::= [APPLICATION 3] SEQUENCE { +-- flags[0] TicketFlags, +-- key[1] EncryptionKey, +-- crealm[2] Realm, +-- cname[3] PrincipalName, +-- transited[4] TransitedEncoding, +-- authtime[5] KerberosTime, +-- starttime[6] KerberosTime OPTIONAL, +-- endtime[7] KerberosTime, +-- renew-till[8] KerberosTime OPTIONAL, +-- caddr[9] HostAddresses OPTIONAL, +-- authorization-data[10] AuthorizationData OPTIONAL +--} + +--Checksum ::= SEQUENCE { +-- cksumtype[0] CKSUMTYPE, +-- checksum[1] OCTET STRING +--} + +--Authenticator ::= [APPLICATION 2] SEQUENCE { +-- authenticator-vno[0] Krb5int32, +-- crealm[1] Realm, +-- cname[2] PrincipalName, +-- cksum[3] Checksum OPTIONAL, +-- cusec[4] Krb5int32, +-- ctime[5] KerberosTime, +-- subkey[6] EncryptionKey OPTIONAL, +-- seq-number[7] Krb5uint32 OPTIONAL, +-- authorization-data[8] AuthorizationData OPTIONAL +--} + +--PA-DATA ::= SEQUENCE { + -- might be encoded AP-REQ +-- padata-type[1] PADATA-TYPE, +-- padata-value[2] OCTET STRING +--} + +--ETYPE-INFO-ENTRY ::= SEQUENCE { +-- etype[0] ENCTYPE, +-- salt[1] OCTET STRING OPTIONAL, +-- salttype[2] Krb5int32 OPTIONAL +--} + +--ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY + +--ETYPE-INFO2-ENTRY ::= SEQUENCE { +-- etype[0] ENCTYPE, +-- salt[1] KerberosString OPTIONAL, +-- s2kparams[2] OCTET STRING OPTIONAL +--} + +--ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY + +-- METHOD-DATA ::= SEQUENCE OF PA-DATA + +--TypedData ::= SEQUENCE { +-- data-type[0] Krb5int32, +-- data-value[1] OCTET STRING OPTIONAL +--} + +--TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData + +--KDC-REQ-BODY ::= SEQUENCE { +-- kdc-options[0] KDCOptions, +-- cname[1] PrincipalName OPTIONAL, - - Used only in AS-REQ +-- realm[2] Realm, - - Server's realm + -- Also client's in AS-REQ +-- sname[3] PrincipalName OPTIONAL, +-- from[4] KerberosTime OPTIONAL, +-- till[5] KerberosTime OPTIONAL, +-- rtime[6] KerberosTime OPTIONAL, +-- nonce[7] Krb5int32, +-- etype[8] SEQUENCE OF ENCTYPE, - - EncryptionType, + -- in preference order +-- addresses[9] HostAddresses OPTIONAL, +-- enc-authorization-data[10] EncryptedData OPTIONAL, + -- Encrypted AuthorizationData encoding +-- additional-tickets[11] SEQUENCE OF Ticket OPTIONAL +--} + +--KDC-REQ ::= SEQUENCE { +-- pvno[1] Krb5int32, +-- msg-type[2] MESSAGE-TYPE, +-- padata[3] METHOD-DATA OPTIONAL, +-- req-body[4] KDC-REQ-BODY +--} + +--AS-REQ ::= [APPLICATION 10] KDC-REQ +--TGS-REQ ::= [APPLICATION 12] KDC-REQ + +-- padata-type ::= PA-ENC-TIMESTAMP +-- padata-value ::= EncryptedData - PA-ENC-TS-ENC + +--PA-ENC-TS-ENC ::= SEQUENCE { +-- patimestamp[0] KerberosTime, - - client's time +-- pausec[1] Krb5int32 OPTIONAL +--} + +-- draft-brezak-win2k-krb-authz-01 +PA-PAC-REQUEST ::= SEQUENCE { + include-pac[0] BOOLEAN -- Indicates whether a PAC + -- should be included or not +} + +-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf +PROV-SRV-LOCATION ::= GeneralString + +--KDC-REP ::= SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- padata[2] METHOD-DATA OPTIONAL, +-- crealm[3] Realm, +-- cname[4] PrincipalName, +-- ticket[5] Ticket, +-- enc-part[6] EncryptedData +--} + +--AS-REP ::= [APPLICATION 11] KDC-REP +--TGS-REP ::= [APPLICATION 13] KDC-REP + +--EncKDCRepPart ::= SEQUENCE { +-- key[0] EncryptionKey, +-- last-req[1] LastReq, +-- nonce[2] Krb5int32, +-- key-expiration[3] KerberosTime OPTIONAL, +-- flags[4] TicketFlags, +-- authtime[5] KerberosTime, +-- starttime[6] KerberosTime OPTIONAL, +-- endtime[7] KerberosTime, +-- renew-till[8] KerberosTime OPTIONAL, +-- srealm[9] Realm, +-- sname[10] PrincipalName, +-- caddr[11] HostAddresses OPTIONAL, +-- encrypted-pa-data[12] METHOD-DATA OPTIONAL +--} + +--EncASRepPart ::= [APPLICATION 25] EncKDCRepPart +--EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart + +--AP-REQ ::= [APPLICATION 14] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- ap-options[2] APOptions, +-- ticket[3] Ticket, +-- authenticator[4] EncryptedData +--} + +--AP-REP ::= [APPLICATION 15] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- enc-part[2] EncryptedData +--} + +--EncAPRepPart ::= [APPLICATION 27] SEQUENCE { +-- ctime[0] KerberosTime, +-- cusec[1] Krb5int32, +-- subkey[2] EncryptionKey OPTIONAL, +-- seq-number[3] Krb5uint32 OPTIONAL +--} + +--KRB-SAFE-BODY ::= SEQUENCE { +-- user-data[0] OCTET STRING, +-- timestamp[1] KerberosTime OPTIONAL, +-- usec[2] Krb5int32 OPTIONAL, +-- seq-number[3] Krb5uint32 OPTIONAL, +-- s-address[4] HostAddress OPTIONAL, +-- r-address[5] HostAddress OPTIONAL +--} + +--KRB-SAFE ::= [APPLICATION 20] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- safe-body[2] KRB-SAFE-BODY, +-- cksum[3] Checksum +--} + +--KRB-PRIV ::= [APPLICATION 21] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- enc-part[3] EncryptedData +--} +--EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { +-- user-data[0] OCTET STRING, +-- timestamp[1] KerberosTime OPTIONAL, +-- usec[2] Krb5int32 OPTIONAL, +-- seq-number[3] Krb5uint32 OPTIONAL, +-- s-address[4] HostAddress OPTIONAL, - - sender's addr +-- r-address[5] HostAddress OPTIONAL - - recip's addr +--} + +--KRB-CRED ::= [APPLICATION 22] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, - - KRB_CRED +-- tickets[2] SEQUENCE OF Ticket, +-- enc-part[3] EncryptedData +--} + +--KrbCredInfo ::= SEQUENCE { +-- key[0] EncryptionKey, +-- prealm[1] Realm OPTIONAL, +-- pname[2] PrincipalName OPTIONAL, +-- flags[3] TicketFlags OPTIONAL, +-- authtime[4] KerberosTime OPTIONAL, +-- starttime[5] KerberosTime OPTIONAL, +-- endtime[6] KerberosTime OPTIONAL, +-- renew-till[7] KerberosTime OPTIONAL, +-- srealm[8] Realm OPTIONAL, +-- sname[9] PrincipalName OPTIONAL, +-- caddr[10] HostAddresses OPTIONAL +--} + +--EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { +-- ticket-info[0] SEQUENCE OF KrbCredInfo, +-- nonce[1] Krb5int32 OPTIONAL, +-- timestamp[2] KerberosTime OPTIONAL, +-- usec[3] Krb5int32 OPTIONAL, +-- s-address[4] HostAddress OPTIONAL, +-- r-address[5] HostAddress OPTIONAL +--} + +--KRB-ERROR ::= [APPLICATION 30] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- ctime[2] KerberosTime OPTIONAL, +-- cusec[3] Krb5int32 OPTIONAL, +-- stime[4] KerberosTime, +-- susec[5] Krb5int32, +-- error-code[6] Krb5int32, +-- crealm[7] Realm OPTIONAL, +-- cname[8] PrincipalName OPTIONAL, +-- realm[9] Realm, - - Correct realm +-- sname[10] PrincipalName, - - Correct name +-- e-text[11] GeneralString OPTIONAL, +-- e-data[12] OCTET STRING OPTIONAL +--} + +ChangePasswdDataMS ::= SEQUENCE { + newpasswd[0] OCTET STRING, + targname[1] PrincipalName OPTIONAL, + targrealm[2] Realm OPTIONAL +} + +EtypeList ::= SEQUENCE OF Krb5int32 + -- the client's proposed enctype list in + -- decreasing preference order, favorite choice first + +--krb5-pvno Krb5int32 ::= 5 - - current Kerberos protocol version number + +-- transited encodings + +--DOMAIN-X500-COMPRESS Krb5int32 ::= 1 + +-- authorization data primitives + +--AD-IF-RELEVANT ::= AuthorizationData + +--AD-KDCIssued ::= SEQUENCE { +-- ad-checksum[0] Checksum, +-- i-realm[1] Realm OPTIONAL, +-- i-sname[2] PrincipalName OPTIONAL, +-- elements[3] AuthorizationData +--} + +--AD-AND-OR ::= SEQUENCE { +-- condition-count[0] INTEGER, +-- elements[1] AuthorizationData +--} + +--AD-MANDATORY-FOR-KDC ::= AuthorizationData + +-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2 + +PA-SAM-TYPE ::= INTEGER { + pA-SAM-TYPE-ENIGMA(1), -- Enigma Logic + pA-SAM-TYPE-DIGI-PATH(2), -- Digital Pathways + pA-SAM-TYPE-SKEY-K0(3), -- S/key where KDC has key 0 + pA-SAM-TYPE-SKEY(4), -- Traditional S/Key + pA-SAM-TYPE-SECURID(5), -- Security Dynamics + pA-SAM-TYPE-CRYPTOCARD(6) -- CRYPTOCard +} + +PA-SAM-REDIRECT ::= HostAddresses + +SAMFlags ::= BIT STRING { + use-sad-as-key(0), + send-encrypted-sad(1), + must-pk-encrypt-sad(2) +} + +PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE { + sam-type[0] Krb5int32, + sam-flags[1] SAMFlags, + sam-type-name[2] GeneralString OPTIONAL, + sam-track-id[3] GeneralString OPTIONAL, + sam-challenge-label[4] GeneralString OPTIONAL, + sam-challenge[5] GeneralString OPTIONAL, + sam-response-prompt[6] GeneralString OPTIONAL, + sam-pk-for-sad[7] EncryptionKey OPTIONAL, + sam-nonce[8] Krb5int32, + sam-etype[9] Krb5int32, + ... +} + +PA-SAM-CHALLENGE-2 ::= SEQUENCE { + sam-body[0] PA-SAM-CHALLENGE-2-BODY, + sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX) + ... +} + +PA-SAM-RESPONSE-2 ::= SEQUENCE { + sam-type[0] Krb5int32, + sam-flags[1] SAMFlags, + sam-track-id[2] GeneralString OPTIONAL, + sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC + sam-nonce[4] Krb5int32, + ... +} + +PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE { + sam-nonce[0] Krb5int32, + sam-sad[1] GeneralString OPTIONAL, + ... +} + +PA-S4U2Self ::= SEQUENCE { + name[0] PrincipalName, + realm[1] Realm, + cksum[2] Checksum, + auth[3] GeneralString +} + +KRB5SignedPathPrincipals ::= SEQUENCE OF Principal + +-- never encoded on the wire, just used to checksum over +KRB5SignedPathData ::= SEQUENCE { + encticket[0] EncTicketPart, + delegated[1] KRB5SignedPathPrincipals OPTIONAL +} + +KRB5SignedPath ::= SEQUENCE { + -- DERcoded KRB5SignedPathData + -- krbtgt key (etype), KeyUsage = XXX + etype[0] ENCTYPE, + cksum[1] Checksum, + -- srvs delegated though + delegated[2] KRB5SignedPathPrincipals OPTIONAL +} + +PA-ClientCanonicalizedNames ::= SEQUENCE{ + requested-name [0] PrincipalName, + mapped-name [1] PrincipalName +} + +PA-ClientCanonicalized ::= SEQUENCE { + names [0] PA-ClientCanonicalizedNames, + canon-checksum [1] Checksum +} + +AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD -- + login-alias [0] PrincipalName, + checksum [1] Checksum +} + +-- old ms referral +PA-SvrReferralData ::= SEQUENCE { + referred-name [1] PrincipalName OPTIONAL, + referred-realm [0] Realm +} + +PA-SERVER-REFERRAL-DATA ::= EncryptedData + +PA-ServerReferralData ::= SEQUENCE { + referred-realm [0] Realm OPTIONAL, + true-principal-name [1] PrincipalName OPTIONAL, + requested-principal-name [2] PrincipalName OPTIONAL, + referral-valid-until [3] KerberosTime OPTIONAL, + ... +} +-- WS put extensions found elsewere here +-- http://msdn.microsoft.com/en-us/library/cc206948.aspx +-- +KERB-PA-PAC-REQUEST ::= SEQUENCE { +include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC. + --If FALSE, and PAC present, remove PAC +} +END + +-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1 diff --git a/epan/dissectors/asn1/kerberos/kerberos.cnf b/epan/dissectors/asn1/kerberos/kerberos.cnf new file mode 100644 index 0000000000..ff73d2b44b --- /dev/null +++ b/epan/dissectors/asn1/kerberos/kerberos.cnf @@ -0,0 +1,388 @@ +# kerberos.cnf +# kerberos conformation file +# Copyright 2008 Anders Broman + +#.EXPORTS +ChangePasswdData + +#.FIELD_RENAME +#EncryptedData/etype encryptedData_etype +KDC-REQ-BODY/etype kDC-REQ-BODY_etype +KRB-SAFE-BODY/user-data kRB-SAFE-BODY_user_data +EncKrbPrivPart/user-data encKrbPrivPart_user_data +EncryptedTicketData/cipher encryptedTicketData_cipher +EncryptedAuthorizationData/cipher encryptedAuthorizationData_cipher +EncryptedKDCREPData/cipher encryptedKDCREPData_cipher +PA-ENC-TIMESTAMP/cipher pA-ENC-TIMESTAMP_cipher +EncryptedAPREPData/cipher encryptedAPREPData_cipher +EncryptedKrbPrivData/cipher encryptedKrbPrivData_cipher +EncryptedKrbCredData/cipher encryptedKrbCredData_cipher +KRB-CRED/_untag/enc-part kRB_CRED_enc_part +KRB-PRIV/_untag/enc-part kRB_PRIV_enc_part +AP-REP/_untag/enc-part aP_REP_enc_part +KDC-REP/enc-part kDC_REP_enc_part +Ticket/_untag/enc-part ticket_enc_part + +#.OMIT_ASSIGNMENT +AD-AND-OR +AD-KDCIssued +AD-LoginAlias +AD-MANDATORY-FOR-KDC +AUTHDATA-TYPE +ChangePasswdDataMS +EncryptedData +EtypeList +KerberosFlags +KRB5SignedPath +KRB5SignedPathData +KRB5SignedPathPrincipals +Krb5int32 +Krb5uint32 +PA-ClientCanonicalized +PA-ClientCanonicalizedNames +PA-ENC-TS-ENC +PA-ENC-SAM-RESPONSE-ENC +PA-PAC-REQUEST +PA-SAM-CHALLENGE-2 +PA-SAM-CHALLENGE-2-BODY +PA-SAM-REDIRECT +PA-SAM-RESPONSE-2 +PA-SAM-TYPE +PA-SERVER-REFERRAL-DATA +PA-ServerReferralData +PA-SvrReferralData +Principal +PROV-SRV-LOCATION +SAMFlags +TYPED-DATA + +#.NO_EMIT ONLY_VALS +Applications + +#.MAKE_DEFINES +ADDR-TYPE TYPE_PREFIX + +#.FN_BODY MESSAGE-TYPE VAL_PTR = &msgtype +guint32 msgtype; + +%(DEFAULT_BODY)s + +#.FN_FTR MESSAGE-TYPE + if (gbl_do_col_info) { + col_add_str(actx->pinfo->cinfo, COL_INFO, + val_to_str(msgtype, krb5_msg_types, + "Unknown msg type %#x")); + } + gbl_do_col_info=FALSE; + +##if 0 + /* append the application type to the tree */ + proto_item_append_text(tree, " %s", val_to_str(msgtype, krb5_msg_types, "Unknown:0x%x")); +##endif + +#.FN_BODY ERROR-CODE VAL_PTR = &krb5_errorcode +%(DEFAULT_BODY)s + +#.FN_FTR ERROR-CODE + if(krb5_errorcode) { + col_add_fstr(actx->pinfo->cinfo, COL_INFO, + "KRB Error: %s", + val_to_str(krb5_errorcode, krb5_error_codes, + "Unknown error code %#x")); + } + + return offset; +#.END +#.FN_BODY KRB-ERROR/_untag/e-data + switch(krb5_errorcode){ + case KRB5_ET_KRB5KDC_ERR_BADOPTION: + case KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED: + case KRB5_ET_KRB5KDC_ERR_KEY_EXP: + case KRB5_ET_KRB5KDC_ERR_POLICY: + /* ms windows kdc sends e-data of this type containing a "salt" + * that contains the nt_status code for these error codes. + */ + offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, dissect_kerberos_PA_DATA); + break; + case KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED: + case KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED: + case KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP: + offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, dissect_kerberos_SEQUENCE_OF_PA_DATA); + + break; + default: + offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, NULL); + } + + +#.FN_BODY PADATA-TYPE VAL_PTR=&(private_data->padata_type) + kerberos_private_data_t* private_data = kerberos_get_private_data(actx); +%(DEFAULT_BODY)s +#.FN_FTR PADATA-TYPE + if(tree){ + proto_item_append_text(tree, " %s", + val_to_str(private_data->padata_type, krb5_preauthentication_types, + "Unknown:%d")); + } + +#.FN_BODY PA-DATA/padata-value + proto_tree *sub_tree=tree; + kerberos_private_data_t* private_data = kerberos_get_private_data(actx); + + if(actx->created_item){ + sub_tree=proto_item_add_subtree(actx->created_item, ett_kerberos_PA_DATA); + } + + switch(private_data->padata_type){ + case KRB5_PA_TGS_REQ: + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications); + break; + case KRB5_PA_PK_AS_REQ: + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsReq); + break; + case KRB5_PA_PK_AS_REP: + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsRep); + break; + case KRB5_PA_PAC_REQUEST: + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_KERB_PA_PAC_REQUEST); + break; + case KRB5_PA_S4U2SELF: + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U2Self); + break; + case KRB5_PA_PROV_SRV_LOCATION: + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PA_PROV_SRV_LOCATION); + break; + case KRB5_PA_ENC_TIMESTAMP: + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_ENC_TIMESTAMP); + break; + case KRB5_PA_ENCTYPE_INFO: + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO); + break; + case KRB5_PA_ENCTYPE_INFO2: + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO2); + break; + case KRB5_PA_PW_SALT: + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PW_SALT); + break; + default: + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL); + } + +#.FN_BODY HostAddress/address + gint8 appclass; + gboolean pc; + gint32 tag; + guint32 len; + const char *address_str; + proto_item *it=NULL; + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + + /* read header and len for the octet string */ + offset=dissect_ber_identifier(actx->pinfo, tree, tvb, offset, &appclass, &pc, &tag); + offset=dissect_ber_length(actx->pinfo, tree, tvb, offset, &len, NULL); + + switch(private_data->addr_type){ + case KERBEROS_ADDR_TYPE_IPV4: + it=proto_tree_add_item(tree, hf_krb_address_ip, tvb, offset, 4, ENC_BIG_ENDIAN); + address_str = tvb_ip_to_str(tvb, offset); + break; + case KERBEROS_ADDR_TYPE_NETBIOS: + { + char netbios_name[(NETBIOS_NAME_LEN - 1)*4 + 1]; + int netbios_name_type; + int netbios_name_len = (NETBIOS_NAME_LEN - 1)*4 + 1; + + netbios_name_type = process_netbios_name(tvb_get_ptr(tvb, offset, 16), netbios_name, netbios_name_len); + address_str = wmem_strdup_printf(wmem_packet_scope(), "%s<%02x>", netbios_name, netbios_name_type); + it=proto_tree_add_string_format(tree, hf_krb_address_netbios, tvb, offset, 16, netbios_name, "NetBIOS Name: %s (%s)", address_str, netbios_name_type_descr(netbios_name_type)); + } + break; + case KERBEROS_ADDR_TYPE_IPV6: + it=proto_tree_add_item(tree, hf_krb_address_ipv6, tvb, offset, INET6_ADDRLEN, ENC_NA); + address_str = tvb_ip6_to_str(tvb, offset); + break; + default: + proto_tree_add_expert(tree, actx->pinfo, &ei_kerberos_address, tvb, offset, len); + address_str = NULL; + } + + /* push it up two levels in the decode pane */ + if(it && address_str){ + proto_item_append_text(proto_item_get_parent(it), " %s",address_str); + proto_item_append_text(proto_item_get_parent_nth(it, 2), " %s",address_str); + } + + offset+=len; + return offset; + + +#.TYPE_ATTR +#xxx TYPE = FT_UINT16 DISPLAY = BASE_DEC STRINGS = VALS(xx_vals) + +#.FN_BODY ENCTYPE VAL_PTR=&(private_data->etype) + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); +%(DEFAULT_BODY)s + +#.FN_BODY EncryptedTicketData/cipher +##ifdef HAVE_KERBEROS + offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_ticket_data); +##else +%(DEFAULT_BODY)s +##endif + return offset; + +#.FN_BODY EncryptedAuthorizationData/cipher +##ifdef HAVE_KERBEROS + offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_authenticator_data); +##else +%(DEFAULT_BODY)s +##endif + return offset; + +#.FN_BODY EncryptedKDCREPData/cipher +##ifdef HAVE_KERBEROS + offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KDC_REP_data); +##else +%(DEFAULT_BODY)s +##endif + return offset; + +#.FN_BODY PA-ENC-TIMESTAMP/cipher +##ifdef HAVE_KERBEROS + offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PA_ENC_TIMESTAMP); +##else +%(DEFAULT_BODY)s +##endif + return offset; + +#.FN_BODY EncryptedAPREPData/cipher +##ifdef HAVE_KERBEROS + offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_AP_REP_data); +##else +%(DEFAULT_BODY)s +##endif + return offset; + +#.FN_BODY EncryptedKrbPrivData/cipher +##ifdef HAVE_KERBEROS + offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PRIV_data); +##else +%(DEFAULT_BODY)s +##endif + return offset; + +#.FN_BODY EncryptedKrbCredData/cipher +##ifdef HAVE_KERBEROS + offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_CRED_data); +##else +%(DEFAULT_BODY)s +##endif + return offset; + + +#.FN_BODY CKSUMTYPE VAL_PTR=&(private_data->checksum_type) + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); +%(DEFAULT_BODY)s + +#.FN_BODY Checksum/checksum + tvbuff_t *next_tvb; + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + + switch(private_data->checksum_type){ + case KRB5_CHKSUM_GSSAPI: + offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &next_tvb); + dissect_krb5_rfc1964_checksum(actx, tree, next_tvb); + break; + default: + offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, NULL); + } + return offset; + +#.FN_BODY EncryptionKey/keytype VAL_PTR=&gbl_keytype + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + + offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, + &gbl_keytype); + private_data->key.keytype = gbl_keytype; + +#.FN_BODY EncryptionKey/keyvalue VAL_PTR=&out_tvb + tvbuff_t *out_tvb; + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + +%(DEFAULT_BODY)s + + private_data->key.keylength = tvb_reported_length(out_tvb); + private_data->key.keyvalue = tvb_get_ptr(out_tvb, 0, private_data->key.keylength); + +#.FN_BODY EncryptionKey + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + + %(DEFAULT_BODY)s + + if (private_data->key.keytype != 0) { +##ifdef HAVE_KERBEROS + add_encryption_key(actx->pinfo, private_data->key.keytype, private_data->key.keylength, private_data->key.keyvalue, "key"); +##endif + } + +#.FN_BODY AuthorizationData/_item/ad-type + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, + &(private_data->ad_type)); +#.TYPE_ATTR +AuthorizationData/_item/ad-type STRINGS=VALS(krb5_ad_types) + +#.FN_BODY AuthorizationData/_item/ad-data + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + + switch(private_data->ad_type){ + case KRB5_AD_WIN2K_PAC: + offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_krb5_AD_WIN2K_PAC); + break; + case KRB5_AD_IF_RELEVANT: + offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_AD_IF_RELEVANT); + break; + default: + offset=dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, NULL); + } + +#.FN_BODY ADDR-TYPE VAL_PTR=&(private_data->addr_type) + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); +%(DEFAULT_BODY)s + +#.FN_BODY KDC-REQ-BODY + conversation_t *conversation; + + /* + * UDP replies to KDC_REQs are sent from the server back to the client's + * source port, similar to the way TFTP works. Set up a conversation + * accordingly. + * + * Ref: Section 7.2.1 of + * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt + */ + if (actx->pinfo->destport == UDP_PORT_KERBEROS && actx->pinfo->ptype == PT_UDP) { + conversation = find_conversation(actx->pinfo->num, &actx->pinfo->src, &actx->pinfo->dst, PT_UDP, + actx->pinfo->srcport, 0, NO_PORT_B); + if (conversation == NULL) { + conversation = conversation_new(actx->pinfo->num, &actx->pinfo->src, &actx->pinfo->dst, PT_UDP, + actx->pinfo->srcport, 0, NO_PORT2); + conversation_set_dissector(conversation, kerberos_handle_udp); + } + } + + %(DEFAULT_BODY)s + +#.FN_BODY KRB-SAFE-BODY/user-data + tvbuff_t *new_tvb; + offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb); + if (new_tvb) { + call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_SAFE_USER_DATA, (kerberos_callbacks*)actx->private_data); + } + +#.FN_BODY EncKrbPrivPart/user-data + tvbuff_t *new_tvb; + offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb); + if (new_tvb) { + call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_PRIV_USER_DATA, (kerberos_callbacks*)actx->private_data); + } diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c new file mode 100644 index 0000000000..631e403098 --- /dev/null +++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c @@ -0,0 +1,2506 @@ +/* packet-kerberos.c + * Routines for Kerberos + * Wes Hardaker (c) 2000 + * wjhardaker@ucdavis.edu + * Richard Sharpe (C) 2002, rsharpe@samba.org, modularized a bit more and + * added AP-REQ and AP-REP dissection + * + * Ronnie Sahlberg (C) 2004, major rewrite for new ASN.1/BER API. + * decryption of kerberos blobs if keytab is provided + * + * See RFC 1510, and various I-Ds and other documents showing additions, + * e.g. ones listed under + * + * http://www.isi.edu/people/bcn/krb-revisions/ + * + * and + * + * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt + * + * and + * + * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-05.txt + * + * Some structures from RFC2630 + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +/* + * Some of the development of the Kerberos protocol decoder was sponsored by + * Cable Television Laboratories, Inc. ("CableLabs") based upon proprietary + * CableLabs' specifications. Your license and use of this protocol decoder + * does not mean that you are licensed to use the CableLabs' + * specifications. If you have questions about this protocol, contact + * jf.mule [AT] cablelabs.com or c.stuart [AT] cablelabs.com for additional + * information. + */ + +#include "config.h" + +#include <stdio.h> + +#include <epan/packet.h> +#include <epan/exceptions.h> +#include <epan/strutil.h> +#include <epan/conversation.h> +#include <epan/asn1.h> +#include <epan/expert.h> +#include <epan/prefs.h> +#include <wsutil/file_util.h> +#include <wsutil/ws_diag_control.h> +#include <wsutil/str_util.h> +#include "packet-kerberos.h" +#include "packet-netbios.h" +#include "packet-tcp.h" +#include "packet-ber.h" +#include "packet-pkinit.h" +#include "packet-cms.h" +#include "packet-windows-common.h" + +#include "packet-dcerpc-netlogon.h" +#include "packet-dcerpc.h" + +#include "packet-gssapi.h" +#include "packet-smb-common.h" + + +void proto_register_kerberos(void); +void proto_reg_handoff_kerberos(void); + +#define UDP_PORT_KERBEROS 88 +#define TCP_PORT_KERBEROS 88 + +#define ADDRESS_STR_BUFSIZ 256 + +typedef struct kerberos_key { + guint32 keytype; + int keylength; + const guint8 *keyvalue; +} kerberos_key_t; + +typedef struct { + guint32 etype; + guint32 padata_type; + guint32 enctype; + kerberos_key_t key; + guint32 ad_type; + guint32 addr_type; + guint32 checksum_type; +} kerberos_private_data_t; + +static dissector_handle_t kerberos_handle_udp; + +/* Forward declarations */ +static int dissect_kerberos_Applications(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_PA_ENC_TIMESTAMP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_KERB_PA_PAC_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_PA_S4U2Self(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_ETYPE_INFO(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_ETYPE_INFO2(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_AD_IF_RELEVANT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); + + +/* Desegment Kerberos over TCP messages */ +static gboolean krb_desegment = TRUE; + +static gint proto_kerberos = -1; + +static gint hf_krb_rm_reserved = -1; +static gint hf_krb_rm_reclen = -1; +static gint hf_krb_provsrv_location = -1; +static gint hf_krb_smb_nt_status = -1; +static gint hf_krb_smb_unknown = -1; +static gint hf_krb_address_ip = -1; +static gint hf_krb_address_netbios = -1; +static gint hf_krb_address_ipv6 = -1; +static gint hf_krb_gssapi_len = -1; +static gint hf_krb_gssapi_bnd = -1; +static gint hf_krb_gssapi_dlgopt = -1; +static gint hf_krb_gssapi_dlglen = -1; +static gint hf_krb_gssapi_c_flag_deleg = -1; +static gint hf_krb_gssapi_c_flag_mutual = -1; +static gint hf_krb_gssapi_c_flag_replay = -1; +static gint hf_krb_gssapi_c_flag_sequence = -1; +static gint hf_krb_gssapi_c_flag_conf = -1; +static gint hf_krb_gssapi_c_flag_integ = -1; +static gint hf_krb_gssapi_c_flag_dce_style = -1; +static gint hf_krb_midl_version = -1; +static gint hf_krb_midl_hdr_len = -1; +static gint hf_krb_midl_fill_bytes = -1; +static gint hf_krb_midl_blob_len = -1; +static gint hf_krb_pac_signature_type = -1; +static gint hf_krb_pac_signature_signature = -1; +static gint hf_krb_w2k_pac_entries = -1; +static gint hf_krb_w2k_pac_version = -1; +static gint hf_krb_w2k_pac_type = -1; +static gint hf_krb_w2k_pac_size = -1; +static gint hf_krb_w2k_pac_offset = -1; +static gint hf_krb_pac_clientid = -1; +static gint hf_krb_pac_namelen = -1; +static gint hf_krb_pac_clientname = -1; +static gint hf_krb_pac_logon_info = -1; +static gint hf_krb_pac_credential_type = -1; +static gint hf_krb_pac_s4u_delegation_info = -1; +static gint hf_krb_pac_upn_dns_info = -1; +static gint hf_krb_pac_upn_flags = -1; +static gint hf_krb_pac_upn_dns_offset = -1; +static gint hf_krb_pac_upn_dns_len = -1; +static gint hf_krb_pac_upn_upn_offset = -1; +static gint hf_krb_pac_upn_upn_len = -1; +static gint hf_krb_pac_upn_upn_name = -1; +static gint hf_krb_pac_upn_dns_name = -1; +static gint hf_krb_pac_server_checksum = -1; +static gint hf_krb_pac_privsvr_checksum = -1; +static gint hf_krb_pac_client_info_type = -1; +#include "packet-kerberos-hf.c" + +/* Initialize the subtree pointers */ +static gint ett_kerberos = -1; +static gint ett_krb_recordmark = -1; +static gint ett_krb_pac = -1; +static gint ett_krb_pac_drep = -1; +static gint ett_krb_pac_midl_blob = -1; +static gint ett_krb_pac_logon_info = -1; +static gint ett_krb_pac_s4u_delegation_info = -1; +static gint ett_krb_pac_upn_dns_info = -1; +static gint ett_krb_pac_server_checksum = -1; +static gint ett_krb_pac_privsvr_checksum = -1; +static gint ett_krb_pac_client_info_type = -1; +#include "packet-kerberos-ett.c" + +static expert_field ei_kerberos_decrypted_keytype = EI_INIT; +static expert_field ei_kerberos_address = EI_INIT; +static expert_field ei_krb_gssapi_dlglen = EI_INIT; + +static dissector_handle_t krb4_handle=NULL; + +/* Global variables */ +static guint32 krb5_errorcode; +static guint32 gbl_keytype; +static gboolean gbl_do_col_info; + +#include "packet-kerberos-val.h" + +static void +call_kerberos_callbacks(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int tag, kerberos_callbacks *cb) +{ + if(!cb){ + return; + } + + while(cb->tag){ + if(cb->tag==tag){ + cb->callback(pinfo, tvb, tree); + return; + } + cb++; + } + return; +} + +static kerberos_private_data_t* +kerberos_get_private_data(asn1_ctx_t *actx) +{ + if (!actx->private_data) { + actx->private_data = wmem_new0(wmem_packet_scope(), kerberos_private_data_t); + } + return (kerberos_private_data_t *)(actx->private_data); +} + +#ifdef HAVE_KERBEROS + +/* Decrypt Kerberos blobs */ +gboolean krb_decrypt = FALSE; + +/* keytab filename */ +static const char *keytab_filename = ""; + +void +read_keytab_file_from_preferences(void) +{ + static char *last_keytab = NULL; + + if (!krb_decrypt) { + return; + } + + if (keytab_filename == NULL) { + return; + } + + if (last_keytab && !strcmp(last_keytab, keytab_filename)) { + return; + } + + if (last_keytab != NULL) { + g_free(last_keytab); + last_keytab = NULL; + } + last_keytab = g_strdup(keytab_filename); + + read_keytab_file(last_keytab); +} +#endif /* HAVE_KERBEROS */ + +#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS) +#ifdef _WIN32 +/* prevent redefinition warnings in kfw-2.5\inc\win_mac.h */ +#undef HAVE_GETADDRINFO +#undef HAVE_SYS_TYPES_H +#endif /* _WIN32 */ +#include <krb5.h> +enc_key_t *enc_key_list=NULL; + +static void +add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin) +{ + enc_key_t *new_key; + + if(pinfo->fd->flags.visited){ + return; + } + + new_key=(enc_key_t *)g_malloc(sizeof(enc_key_t)); + g_snprintf(new_key->key_origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u",origin,pinfo->num); + new_key->fd_num = pinfo->num; + new_key->next=enc_key_list; + enc_key_list=new_key; + new_key->keytype=keytype; + new_key->keylength=keylength; + /*XXX this needs to be freed later */ + new_key->keyvalue=(char *)g_memdup(keyvalue, keylength); +} +#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */ + +#if defined(HAVE_MIT_KERBEROS) + +static krb5_context krb5_ctx; + +USES_APPLE_DEPRECATED_API +void +read_keytab_file(const char *filename) +{ + krb5_keytab keytab; + krb5_error_code ret; + krb5_keytab_entry key; + krb5_kt_cursor cursor; + enc_key_t *new_key; + static gboolean first_time=TRUE; + + if (filename == NULL || filename[0] == 0) { + return; + } + + if(first_time){ + first_time=FALSE; + ret = krb5_init_context(&krb5_ctx); + if(ret && ret != KRB5_CONFIG_CANTOPEN){ + return; + } + } + + /* should use a file in the wireshark users dir */ + ret = krb5_kt_resolve(krb5_ctx, filename, &keytab); + if(ret){ + fprintf(stderr, "KERBEROS ERROR: Badly formatted keytab filename :%s\n",filename); + + return; + } + + ret = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor); + if(ret){ + fprintf(stderr, "KERBEROS ERROR: Could not open or could not read from keytab file :%s\n",filename); + return; + } + + do{ + new_key=(enc_key_t *)g_malloc(sizeof(enc_key_t)); + new_key->fd_num = -1; + new_key->next=enc_key_list; + ret = krb5_kt_next_entry(krb5_ctx, keytab, &key, &cursor); + if(ret==0){ + int i; + char *pos; + + /* generate origin string, describing where this key came from */ + pos=new_key->key_origin; + pos+=MIN(KRB_MAX_ORIG_LEN, + g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal ")); + for(i=0;i<key.principal->length;i++){ + pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), + g_snprintf(pos, (gulong)(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin)), "%s%s",(i?"/":""),(key.principal->data[i]).data)); + } + pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), + g_snprintf(pos, (gulong)(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin)), "@%s",key.principal->realm.data)); + *pos=0; + new_key->keytype=key.key.enctype; + new_key->keylength=key.key.length; + new_key->keyvalue=(char *)g_memdup(key.key.contents, key.key.length); + enc_key_list=new_key; + } + }while(ret==0); + + ret = krb5_kt_end_seq_get(krb5_ctx, keytab, &cursor); + if(ret){ + krb5_kt_close(krb5_ctx, keytab); + } +} + + +guint8 * +decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo, + int usage, + tvbuff_t *cryptotvb, + int keytype, + int *datalen) +{ + krb5_error_code ret; + enc_key_t *ek; + krb5_data data = {0,0,NULL}; + krb5_keytab_entry key; + int length = tvb_captured_length(cryptotvb); + const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length); + + /* don't do anything if we are not attempting to decrypt data */ + if(!krb_decrypt || length < 1){ + return NULL; + } + + /* make sure we have all the data we need */ + if (tvb_captured_length(cryptotvb) < tvb_reported_length(cryptotvb)) { + return NULL; + } + + read_keytab_file_from_preferences(); + data.data = (char *)g_malloc(length); + data.length = length; + + for(ek=enc_key_list;ek;ek=ek->next){ + krb5_enc_data input; + + /* shortcircuit and bail out if enctypes are not matching */ + if((keytype != -1) && (ek->keytype != keytype)) { + continue; + } + + input.enctype = ek->keytype; + input.ciphertext.length = length; + input.ciphertext.data = (guint8 *)cryptotext; + + key.key.enctype=ek->keytype; + key.key.length=ek->keylength; + key.key.contents=ek->keyvalue; + ret = krb5_c_decrypt(krb5_ctx, &(key.key), usage, 0, &input, &data); + if(ret == 0){ + char *user_data; + + expert_add_info_format(pinfo, NULL, &ei_kerberos_decrypted_keytype, + "Decrypted keytype %d in frame %u using %s", + ek->keytype, pinfo->num, ek->key_origin); + + /* return a private g_malloced blob to the caller */ + user_data=data.data; + if (datalen) { + *datalen = data.length; + } + return user_data; + } + } + g_free(data.data); + + return NULL; +} +USES_APPLE_RST + +#elif defined(HAVE_HEIMDAL_KERBEROS) +static krb5_context krb5_ctx; + +USES_APPLE_DEPRECATED_API +void +read_keytab_file(const char *filename) +{ + krb5_keytab keytab; + krb5_error_code ret; + krb5_keytab_entry key; + krb5_kt_cursor cursor; + enc_key_t *new_key; + static gboolean first_time=TRUE; + + if (filename == NULL || filename[0] == 0) { + return; + } + + if(first_time){ + first_time=FALSE; + ret = krb5_init_context(&krb5_ctx); + if(ret){ + return; + } + } + + /* should use a file in the wireshark users dir */ + ret = krb5_kt_resolve(krb5_ctx, filename, &keytab); + if(ret){ + fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename); + + return; + } + + ret = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor); + if(ret){ + fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename); + return; + } + + do{ + new_key = (enc_key_t *)g_malloc(sizeof(enc_key_t)); + new_key->fd_num = -1; + new_key->next=enc_key_list; + ret = krb5_kt_next_entry(krb5_ctx, keytab, &key, &cursor); + if(ret==0){ + unsigned int i; + char *pos; + + /* generate origin string, describing where this key came from */ + pos=new_key->key_origin; + pos+=MIN(KRB_MAX_ORIG_LEN, + g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal ")); + for(i=0;i<key.principal->name.name_string.len;i++){ + pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), + g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),key.principal->name.name_string.val[i])); + } + pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), + g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm)); + *pos=0; + new_key->keytype=key.keyblock.keytype; + new_key->keylength=(int)key.keyblock.keyvalue.length; + new_key->keyvalue = (guint8 *)g_memdup(key.keyblock.keyvalue.data, (guint)key.keyblock.keyvalue.length); + enc_key_list=new_key; + } + }while(ret==0); + + ret = krb5_kt_end_seq_get(krb5_ctx, keytab, &cursor); + if(ret){ + krb5_kt_close(krb5_ctx, keytab); + } + +} +USES_APPLE_RST + + +guint8 * +decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo, + int usage, + tvbuff_t *cryptotvb, + int keytype, + int *datalen) +{ + krb5_error_code ret; + krb5_data data; + enc_key_t *ek; + int length = tvb_captured_length(cryptotvb); + const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length); + + /* don't do anything if we are not attempting to decrypt data */ + if(!krb_decrypt){ + return NULL; + } + + /* make sure we have all the data we need */ + if (tvb_captured_length(cryptotvb) < tvb_reported_length(cryptotvb)) { + return NULL; + } + + read_keytab_file_from_preferences(); + + for(ek=enc_key_list;ek;ek=ek->next){ + krb5_keytab_entry key; + krb5_crypto crypto; + guint8 *cryptocopy; /* workaround for pre-0.6.1 heimdal bug */ + + /* shortcircuit and bail out if enctypes are not matching */ + if((keytype != -1) && (ek->keytype != keytype)) { + continue; + } + + key.keyblock.keytype=ek->keytype; + key.keyblock.keyvalue.length=ek->keylength; + key.keyblock.keyvalue.data=ek->keyvalue; + ret = krb5_crypto_init(krb5_ctx, &(key.keyblock), (krb5_enctype)ENCTYPE_NULL, &crypto); + if(ret){ + return NULL; + } + + /* pre-0.6.1 versions of Heimdal would sometimes change + the cryptotext data even when the decryption failed. + This would obviously not work since we iterate over the + keys. So just give it a copy of the crypto data instead. + This has been seen for RC4-HMAC blobs. + */ + cryptocopy = (guint8 *)g_memdup(cryptotext, length); + ret = krb5_decrypt_ivec(krb5_ctx, crypto, usage, + cryptocopy, length, + &data, + NULL); + g_free(cryptocopy); + if((ret == 0) && (length>0)){ + char *user_data; + + expert_add_info_format(pinfo, NULL, &ei_kerberos_decrypted_keytype, + "Decrypted keytype %d in frame %u using %s", + ek->keytype, pinfo->num, ek->key_origin); + + krb5_crypto_destroy(krb5_ctx, crypto); + /* return a private g_malloced blob to the caller */ + user_data = (char *)g_memdup(data.data, (guint)data.length); + if (datalen) { + *datalen = (int)data.length; + } + return user_data; + } + krb5_crypto_destroy(krb5_ctx, crypto); + } + return NULL; +} + +#elif defined (HAVE_LIBNETTLE) + +#define SERVICE_KEY_SIZE (DES3_KEY_SIZE + 2) +#define KEYTYPE_DES3_CBC_MD5 5 /* Currently the only one supported */ + +typedef struct _service_key_t { + guint16 kvno; + int keytype; + int length; + guint8 *contents; + char origin[KRB_MAX_ORIG_LEN+1]; +} service_key_t; +GSList *service_key_list = NULL; + + +static void +add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin) +{ + service_key_t *new_key; + + if(pinfo->fd->flags.visited){ + return; + } + + new_key = g_malloc(sizeof(service_key_t)); + new_key->kvno = 0; + new_key->keytype = keytype; + new_key->length = keylength; + new_key->contents = g_memdup(keyvalue, keylength); + g_snprintf(new_key->origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u", origin, pinfo->num); + service_key_list = g_slist_append(service_key_list, (gpointer) new_key); +} + +static void +clear_keytab(void) { + GSList *ske; + service_key_t *sk; + + for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){ + sk = (service_key_t *) ske->data; + if (sk) { + g_free(sk->contents); + g_free(sk); + } + } + g_slist_free(service_key_list); + service_key_list = NULL; +} + +static void +read_keytab_file(const char *service_key_file) +{ + FILE *skf; + ws_statb64 st; + service_key_t *sk; + unsigned char buf[SERVICE_KEY_SIZE]; + int newline_skip = 0, count = 0; + + if (service_key_file != NULL && ws_stat64 (service_key_file, &st) == 0) { + + /* The service key file contains raw 192-bit (24 byte) 3DES keys. + * There can be zero, one (\n), or two (\r\n) characters between + * keys. Trailing characters are ignored. + */ + + /* XXX We should support the standard keytab format instead */ + if (st.st_size > SERVICE_KEY_SIZE) { + if ( (st.st_size % (SERVICE_KEY_SIZE + 1) == 0) || + (st.st_size % (SERVICE_KEY_SIZE + 1) == SERVICE_KEY_SIZE) ) { + newline_skip = 1; + } else if ( (st.st_size % (SERVICE_KEY_SIZE + 2) == 0) || + (st.st_size % (SERVICE_KEY_SIZE + 2) == SERVICE_KEY_SIZE) ) { + newline_skip = 2; + } + } + + skf = ws_fopen(service_key_file, "rb"); + if (! skf) return; + + while (fread(buf, SERVICE_KEY_SIZE, 1, skf) == 1) { + sk = g_malloc(sizeof(service_key_t)); + sk->kvno = buf[0] << 8 | buf[1]; + sk->keytype = KEYTYPE_DES3_CBC_MD5; + sk->length = DES3_KEY_SIZE; + sk->contents = g_memdup(buf + 2, DES3_KEY_SIZE); + g_snprintf(sk->origin, KRB_MAX_ORIG_LEN, "3DES service key file, key #%d, offset %ld", count, ftell(skf)); + service_key_list = g_slist_append(service_key_list, (gpointer) sk); + if (fseek(skf, newline_skip, SEEK_CUR) < 0) { + fprintf(stderr, "unable to seek...\n"); + return; + } + count++; + } + fclose(skf); + } +} + +#define CONFOUNDER_PLUS_CHECKSUM 24 + +guint8 * +decrypt_krb5_data(proto_tree *tree, packet_info *pinfo, + int _U_ usage, + tvbuff_t *cryptotvb, + int keytype, + int *datalen) +{ + tvbuff_t *encr_tvb; + guint8 *decrypted_data = NULL, *plaintext = NULL; + guint8 cls; + gboolean pc; + guint32 tag, item_len, data_len; + int id_offset, offset; + guint8 key[DES3_KEY_SIZE]; + guint8 initial_vector[DES_BLOCK_SIZE]; + md5_state_t md5s; + md5_byte_t digest[16]; + md5_byte_t zero_fill[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; + md5_byte_t confounder[8]; + gboolean ind; + GSList *ske; + service_key_t *sk; + struct des3_ctx ctx; + int length = tvb_captured_length(cryptotvb); + const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length); + + + /* don't do anything if we are not attempting to decrypt data */ + if(!krb_decrypt){ + return NULL; + } + + /* make sure we have all the data we need */ + if (tvb_captured_length(cryptotvb) < tvb_reported_length(cryptotvb)) { + return NULL; + } + + if (keytype != KEYTYPE_DES3_CBC_MD5 || service_key_list == NULL) { + return NULL; + } + + decrypted_data = g_malloc(length); + for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){ + gboolean do_continue = FALSE; + sk = (service_key_t *) ske->data; + + des_fix_parity(DES3_KEY_SIZE, key, sk->contents); + + md5_init(&md5s); + memset(initial_vector, 0, DES_BLOCK_SIZE); + des3_set_key(&ctx, key); + cbc_decrypt(&ctx, des3_decrypt, DES_BLOCK_SIZE, initial_vector, + length, decrypted_data, cryptotext); + encr_tvb = tvb_new_real_data(decrypted_data, length, length); + + tvb_memcpy(encr_tvb, confounder, 0, 8); + + /* We have to pull the decrypted data length from the decrypted + * content. If the key doesn't match or we otherwise get garbage, + * an exception may get thrown while decoding the ASN.1 header. + * Catch it, just in case. + */ + TRY { + id_offset = get_ber_identifier(encr_tvb, CONFOUNDER_PLUS_CHECKSUM, &cls, &pc, &tag); + offset = get_ber_length(encr_tvb, id_offset, &item_len, &ind); + } + CATCH_BOUNDS_ERRORS { + tvb_free(encr_tvb); + do_continue = TRUE; + } + ENDTRY; + + if (do_continue) continue; + + data_len = item_len + offset - CONFOUNDER_PLUS_CHECKSUM; + if ((int) item_len + offset > length) { + tvb_free(encr_tvb); + continue; + } + + md5_append(&md5s, confounder, 8); + md5_append(&md5s, zero_fill, 16); + md5_append(&md5s, decrypted_data + CONFOUNDER_PLUS_CHECKSUM, data_len); + md5_finish(&md5s, digest); + + if (tvb_memeql (encr_tvb, 8, digest, 16) == 0) { + plaintext = g_malloc(data_len); + tvb_memcpy(encr_tvb, plaintext, CONFOUNDER_PLUS_CHECKSUM, data_len); + tvb_free(encr_tvb); + + if (datalen) { + *datalen = data_len; + } + g_free(decrypted_data); + return(plaintext); + } + tvb_free(encr_tvb); + } + + g_free(decrypted_data); + return NULL; +} + +#endif /* HAVE_MIT_KERBEROS / HAVE_HEIMDAL_KERBEROS / HAVE_LIBNETTLE */ + +#define INET6_ADDRLEN 16 + +/* TCP Record Mark */ +#define KRB_RM_RESERVED 0x80000000U +#define KRB_RM_RECLEN 0x7fffffffU + +#define KRB5_MSG_TICKET 1 /* Ticket */ +#define KRB5_MSG_AUTHENTICATOR 2 /* Authenticator */ +#define KRB5_MSG_ENC_TICKET_PART 3 /* EncTicketPart */ +#define KRB5_MSG_AS_REQ 10 /* AS-REQ type */ +#define KRB5_MSG_AS_REP 11 /* AS-REP type */ +#define KRB5_MSG_TGS_REQ 12 /* TGS-REQ type */ +#define KRB5_MSG_TGS_REP 13 /* TGS-REP type */ +#define KRB5_MSG_AP_REQ 14 /* AP-REQ type */ +#define KRB5_MSG_AP_REP 15 /* AP-REP type */ + +#define KRB5_MSG_SAFE 20 /* KRB-SAFE type */ +#define KRB5_MSG_PRIV 21 /* KRB-PRIV type */ +#define KRB5_MSG_CRED 22 /* KRB-CRED type */ +#define KRB5_MSG_ENC_AS_REP_PART 25 /* EncASRepPart */ +#define KRB5_MSG_ENC_TGS_REP_PART 26 /* EncTGSRepPart */ +#define KRB5_MSG_ENC_AP_REP_PART 27 /* EncAPRepPart */ +#define KRB5_MSG_ENC_KRB_PRIV_PART 28 /* EncKrbPrivPart */ +#define KRB5_MSG_ENC_KRB_CRED_PART 29 /* EncKrbCredPart */ +#define KRB5_MSG_ERROR 30 /* KRB-ERROR type */ + +/* encryption type constants */ +#define KRB5_ENCTYPE_NULL 0 +#define KRB5_ENCTYPE_DES_CBC_CRC 1 +#define KRB5_ENCTYPE_DES_CBC_MD4 2 +#define KRB5_ENCTYPE_DES_CBC_MD5 3 +#define KRB5_ENCTYPE_DES_CBC_RAW 4 +#define KRB5_ENCTYPE_DES3_CBC_SHA 5 +#define KRB5_ENCTYPE_DES3_CBC_RAW 6 +#define KRB5_ENCTYPE_DES_HMAC_SHA1 8 +#define KRB5_ENCTYPE_DSA_SHA1_CMS 9 +#define KRB5_ENCTYPE_RSA_MD5_CMS 10 +#define KRB5_ENCTYPE_RSA_SHA1_CMS 11 +#define KRB5_ENCTYPE_RC2_CBC_ENV 12 +#define KRB5_ENCTYPE_RSA_ENV 13 +#define KRB5_ENCTYPE_RSA_ES_OEAP_ENV 14 +#define KRB5_ENCTYPE_DES_EDE3_CBC_ENV 15 +#define KRB5_ENCTYPE_DES3_CBC_SHA1 16 +#define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 17 +#define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 18 +#define KRB5_ENCTYPE_DES_CBC_MD5_NT 20 +#define KERB_ENCTYPE_RC4_HMAC 23 +#define KERB_ENCTYPE_RC4_HMAC_EXP 24 +#define KRB5_ENCTYPE_UNKNOWN 0x1ff +#define KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 0x7007 +#define KRB5_ENCTYPE_RC4_PLAIN_EXP 0xffffff73 +#define KRB5_ENCTYPE_RC4_PLAIN 0xffffff74 +#define KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP 0xffffff78 +#define KRB5_ENCTYPE_RC4_HMAC_OLD_EXP 0xffffff79 +#define KRB5_ENCTYPE_RC4_PLAIN_OLD 0xffffff7a +#define KRB5_ENCTYPE_RC4_HMAC_OLD 0xffffff7b +#define KRB5_ENCTYPE_DES_PLAIN 0xffffff7c +#define KRB5_ENCTYPE_RC4_SHA 0xffffff7d +#define KRB5_ENCTYPE_RC4_LM 0xffffff7e +#define KRB5_ENCTYPE_RC4_PLAIN2 0xffffff7f +#define KRB5_ENCTYPE_RC4_MD4 0xffffff80 + +/* checksum types */ +#define KRB5_CHKSUM_NONE 0 +#define KRB5_CHKSUM_CRC32 1 +#define KRB5_CHKSUM_MD4 2 +#define KRB5_CHKSUM_KRB_DES_MAC 4 +#define KRB5_CHKSUM_KRB_DES_MAC_K 5 +#define KRB5_CHKSUM_MD5 7 +#define KRB5_CHKSUM_MD5_DES 8 +/* the following four come from packetcable */ +#define KRB5_CHKSUM_MD5_DES3 9 +#define KRB5_CHKSUM_HMAC_SHA1_DES3_KD 12 +#define KRB5_CHKSUM_HMAC_SHA1_DES3 13 +#define KRB5_CHKSUM_SHA1_UNKEYED 14 +#define KRB5_CHKSUM_HMAC_MD5 0xffffff76 +#define KRB5_CHKSUM_MD5_HMAC 0xffffff77 +#define KRB5_CHKSUM_RC4_MD5 0xffffff78 +#define KRB5_CHKSUM_MD25 0xffffff79 +#define KRB5_CHKSUM_DES_MAC_MD5 0xffffff7a +#define KRB5_CHKSUM_DES_MAC 0xffffff7b +#define KRB5_CHKSUM_REAL_CRC32 0xffffff7c +#define KRB5_CHKSUM_SHA1 0xffffff7d +#define KRB5_CHKSUM_LM 0xffffff7e +#define KRB5_CHKSUM_GSSAPI 0x8003 + +/* + * For KERB_ENCTYPE_RC4_HMAC and KERB_ENCTYPE_RC4_HMAC_EXP, see + * + * http://www.ietf.org/internet-drafts/draft-brezak-win2k-krb-rc4-hmac-04.txt + * + * unless it's expired. + */ + +/* pre-authentication type constants */ +#define KRB5_PA_TGS_REQ 1 +#define KRB5_PA_ENC_TIMESTAMP 2 +#define KRB5_PA_PW_SALT 3 +#define KRB5_PA_ENC_ENCKEY 4 +#define KRB5_PA_ENC_UNIX_TIME 5 +#define KRB5_PA_ENC_SANDIA_SECURID 6 +#define KRB5_PA_SESAME 7 +#define KRB5_PA_OSF_DCE 8 +#define KRB5_PA_CYBERSAFE_SECUREID 9 +#define KRB5_PA_AFS3_SALT 10 +#define KRB5_PA_ENCTYPE_INFO 11 +#define KRB5_PA_SAM_CHALLENGE 12 +#define KRB5_PA_SAM_RESPONSE 13 +#define KRB5_PA_PK_AS_REQ 14 +#define KRB5_PA_PK_AS_REP 15 +#define KRB5_PA_DASS 16 +#define KRB5_PA_ENCTYPE_INFO2 19 +#define KRB5_PA_USE_SPECIFIED_KVNO 20 +#define KRB5_PA_SAM_REDIRECT 21 +#define KRB5_PA_GET_FROM_TYPED_DATA 22 +#define KRB5_PA_SAM_ETYPE_INFO 23 +#define KRB5_PA_ALT_PRINC 24 +#define KRB5_PA_SAM_CHALLENGE2 30 +#define KRB5_PA_SAM_RESPONSE2 31 +#define KRB5_TD_PKINIT_CMS_CERTIFICATES 101 +#define KRB5_TD_KRB_PRINCIPAL 102 +#define KRB5_TD_KRB_REALM 103 +#define KRB5_TD_TRUSTED_CERTIFIERS 104 +#define KRB5_TD_CERTIFICATE_INDEX 105 +#define KRB5_TD_APP_DEFINED_ERROR 106 +#define KRB5_TD_REQ_NONCE 107 +#define KRB5_TD_REQ_SEQ 108 +/* preauthentication types >127 (i.e. negative ones) are app specific. + however since Microsoft is the dominant(only?) user of types in this range + we also treat the type as unsigned. +*/ +#define KRB5_PA_PAC_REQUEST 128 /* (Microsoft extension) */ +#define KRB5_PA_FOR_USER 129 /* Impersonation (Microsoft extension) See [MS-SFU]. XXX - replaced by KRB5_PA_S4U2SELF */ +#define KRB5_PA_S4U2SELF 129 + +#define KRB5_PA_PROV_SRV_LOCATION 0xffffffff /* (gint32)0xFF) packetcable stuff */ +/* Principal name-type */ +#define KRB5_NT_UNKNOWN 0 +#define KRB5_NT_PRINCIPAL 1 +#define KRB5_NT_SRV_INST 2 +#define KRB5_NT_SRV_HST 3 +#define KRB5_NT_SRV_XHST 4 +#define KRB5_NT_UID 5 +#define KRB5_NT_X500_PRINCIPAL 6 +#define KRB5_NT_SMTP_NAME 7 +#define KRB5_NT_ENTERPRISE 10 + +/* + * MS specific name types, from + * + * http://msdn.microsoft.com/library/en-us/security/security/kerb_external_name.asp + */ +#define KRB5_NT_MS_PRINCIPAL -128 +#define KRB5_NT_MS_PRINCIPAL_AND_SID -129 +#define KRB5_NT_ENT_PRINCIPAL_AND_SID -130 +#define KRB5_NT_PRINCIPAL_AND_SID -131 +#define KRB5_NT_SRV_INST_AND_SID -132 + +/* error table constants */ +/* I prefixed the krb5_err.et constant names with KRB5_ET_ for these */ +#define KRB5_ET_KRB5KDC_ERR_NONE 0 +#define KRB5_ET_KRB5KDC_ERR_NAME_EXP 1 +#define KRB5_ET_KRB5KDC_ERR_SERVICE_EXP 2 +#define KRB5_ET_KRB5KDC_ERR_BAD_PVNO 3 +#define KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO 4 +#define KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO 5 +#define KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN 6 +#define KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN 7 +#define KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 +#define KRB5_ET_KRB5KDC_ERR_NULL_KEY 9 +#define KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE 10 +#define KRB5_ET_KRB5KDC_ERR_NEVER_VALID 11 +#define KRB5_ET_KRB5KDC_ERR_POLICY 12 +#define KRB5_ET_KRB5KDC_ERR_BADOPTION 13 +#define KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP 14 +#define KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP 15 +#define KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP 16 +#define KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP 17 +#define KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED 18 +#define KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED 19 +#define KRB5_ET_KRB5KDC_ERR_TGT_REVOKED 20 +#define KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET 21 +#define KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET 22 +#define KRB5_ET_KRB5KDC_ERR_KEY_EXP 23 +#define KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED 24 +#define KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED 25 +#define KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH 26 +#define KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER 27 +#define KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED 28 +#define KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE 29 +#define KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY 31 +#define KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED 32 +#define KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV 33 +#define KRB5_ET_KRB5KRB_AP_ERR_REPEAT 34 +#define KRB5_ET_KRB5KRB_AP_ERR_NOT_US 35 +#define KRB5_ET_KRB5KRB_AP_ERR_BADMATCH 36 +#define KRB5_ET_KRB5KRB_AP_ERR_SKEW 37 +#define KRB5_ET_KRB5KRB_AP_ERR_BADADDR 38 +#define KRB5_ET_KRB5KRB_AP_ERR_BADVERSION 39 +#define KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE 40 +#define KRB5_ET_KRB5KRB_AP_ERR_MODIFIED 41 +#define KRB5_ET_KRB5KRB_AP_ERR_BADORDER 42 +#define KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT 43 +#define KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER 44 +#define KRB5_ET_KRB5KRB_AP_ERR_NOKEY 45 +#define KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL 46 +#define KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION 47 +#define KRB5_ET_KRB5KRB_AP_ERR_METHOD 48 +#define KRB5_ET_KRB5KRB_AP_ERR_BADSEQ 49 +#define KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM 50 +#define KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED 51 +#define KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG 52 +#define KRB5_ET_KRB5KRB_ERR_GENERIC 60 +#define KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG 61 +#define KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED 62 +#define KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED 63 +#define KRB5_ET_KDC_ERROR_INVALID_SIG 64 +#define KRB5_ET_KDC_ERR_KEY_TOO_WEAK 65 +#define KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH 66 +#define KRB5_ET_KRB_AP_ERR_NO_TGT 67 +#define KRB5_ET_KDC_ERR_WRONG_REALM 68 +#define KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED 69 +#define KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE 70 +#define KRB5_ET_KDC_ERR_INVALID_CERTIFICATE 71 +#define KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE 72 +#define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 +#define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74 +#define KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH 75 +#define KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH 76 + +static const value_string krb5_error_codes[] = { + { KRB5_ET_KRB5KDC_ERR_NONE, "KRB5KDC_ERR_NONE" }, + { KRB5_ET_KRB5KDC_ERR_NAME_EXP, "KRB5KDC_ERR_NAME_EXP" }, + { KRB5_ET_KRB5KDC_ERR_SERVICE_EXP, "KRB5KDC_ERR_SERVICE_EXP" }, + { KRB5_ET_KRB5KDC_ERR_BAD_PVNO, "KRB5KDC_ERR_BAD_PVNO" }, + { KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO, "KRB5KDC_ERR_C_OLD_MAST_KVNO" }, + { KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO, "KRB5KDC_ERR_S_OLD_MAST_KVNO" }, + { KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" }, + { KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" }, + { KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, "KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE" }, + { KRB5_ET_KRB5KDC_ERR_NULL_KEY, "KRB5KDC_ERR_NULL_KEY" }, + { KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE, "KRB5KDC_ERR_CANNOT_POSTDATE" }, + { KRB5_ET_KRB5KDC_ERR_NEVER_VALID, "KRB5KDC_ERR_NEVER_VALID" }, + { KRB5_ET_KRB5KDC_ERR_POLICY, "KRB5KDC_ERR_POLICY" }, + { KRB5_ET_KRB5KDC_ERR_BADOPTION, "KRB5KDC_ERR_BADOPTION" }, + { KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP, "KRB5KDC_ERR_ETYPE_NOSUPP" }, + { KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP, "KRB5KDC_ERR_SUMTYPE_NOSUPP" }, + { KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP, "KRB5KDC_ERR_PADATA_TYPE_NOSUPP" }, + { KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP, "KRB5KDC_ERR_TRTYPE_NOSUPP" }, + { KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED, "KRB5KDC_ERR_CLIENT_REVOKED" }, + { KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED, "KRB5KDC_ERR_SERVICE_REVOKED" }, + { KRB5_ET_KRB5KDC_ERR_TGT_REVOKED, "KRB5KDC_ERR_TGT_REVOKED" }, + { KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET, "KRB5KDC_ERR_CLIENT_NOTYET" }, + { KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET, "KRB5KDC_ERR_SERVICE_NOTYET" }, + { KRB5_ET_KRB5KDC_ERR_KEY_EXP, "KRB5KDC_ERR_KEY_EXP" }, + { KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED, "KRB5KDC_ERR_PREAUTH_FAILED" }, + { KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED, "KRB5KDC_ERR_PREAUTH_REQUIRED" }, + { KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH, "KRB5KDC_ERR_SERVER_NOMATCH" }, + { KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER, "KRB5KDC_ERR_MUST_USE_USER2USER" }, + { KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED, "KRB5KDC_ERR_PATH_NOT_ACCEPTED" }, + { KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE, "KRB5KDC_ERR_SVC_UNAVAILABLE" }, + { KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY, "KRB5KRB_AP_ERR_BAD_INTEGRITY" }, + { KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED, "KRB5KRB_AP_ERR_TKT_EXPIRED" }, + { KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV, "KRB5KRB_AP_ERR_TKT_NYV" }, + { KRB5_ET_KRB5KRB_AP_ERR_REPEAT, "KRB5KRB_AP_ERR_REPEAT" }, + { KRB5_ET_KRB5KRB_AP_ERR_NOT_US, "KRB5KRB_AP_ERR_NOT_US" }, + { KRB5_ET_KRB5KRB_AP_ERR_BADMATCH, "KRB5KRB_AP_ERR_BADMATCH" }, + { KRB5_ET_KRB5KRB_AP_ERR_SKEW, "KRB5KRB_AP_ERR_SKEW" }, + { KRB5_ET_KRB5KRB_AP_ERR_BADADDR, "KRB5KRB_AP_ERR_BADADDR" }, + { KRB5_ET_KRB5KRB_AP_ERR_BADVERSION, "KRB5KRB_AP_ERR_BADVERSION" }, + { KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE, "KRB5KRB_AP_ERR_MSG_TYPE" }, + { KRB5_ET_KRB5KRB_AP_ERR_MODIFIED, "KRB5KRB_AP_ERR_MODIFIED" }, + { KRB5_ET_KRB5KRB_AP_ERR_BADORDER, "KRB5KRB_AP_ERR_BADORDER" }, + { KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT, "KRB5KRB_AP_ERR_ILL_CR_TKT" }, + { KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER, "KRB5KRB_AP_ERR_BADKEYVER" }, + { KRB5_ET_KRB5KRB_AP_ERR_NOKEY, "KRB5KRB_AP_ERR_NOKEY" }, + { KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL, "KRB5KRB_AP_ERR_MUT_FAIL" }, + { KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION, "KRB5KRB_AP_ERR_BADDIRECTION" }, + { KRB5_ET_KRB5KRB_AP_ERR_METHOD, "KRB5KRB_AP_ERR_METHOD" }, + { KRB5_ET_KRB5KRB_AP_ERR_BADSEQ, "KRB5KRB_AP_ERR_BADSEQ" }, + { KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM, "KRB5KRB_AP_ERR_INAPP_CKSUM" }, + { KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED, "KRB5KDC_AP_PATH_NOT_ACCEPTED" }, + { KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG, "KRB5KRB_ERR_RESPONSE_TOO_BIG"}, + { KRB5_ET_KRB5KRB_ERR_GENERIC, "KRB5KRB_ERR_GENERIC" }, + { KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG, "KRB5KRB_ERR_FIELD_TOOLONG" }, + { KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED, "KDC_ERROR_CLIENT_NOT_TRUSTED" }, + { KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED, "KDC_ERROR_KDC_NOT_TRUSTED" }, + { KRB5_ET_KDC_ERROR_INVALID_SIG, "KDC_ERROR_INVALID_SIG" }, + { KRB5_ET_KDC_ERR_KEY_TOO_WEAK, "KDC_ERR_KEY_TOO_WEAK" }, + { KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH, "KDC_ERR_CERTIFICATE_MISMATCH" }, + { KRB5_ET_KRB_AP_ERR_NO_TGT, "KRB_AP_ERR_NO_TGT" }, + { KRB5_ET_KDC_ERR_WRONG_REALM, "KDC_ERR_WRONG_REALM" }, + { KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED, "KRB_AP_ERR_USER_TO_USER_REQUIRED" }, + { KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE, "KDC_ERR_CANT_VERIFY_CERTIFICATE" }, + { KRB5_ET_KDC_ERR_INVALID_CERTIFICATE, "KDC_ERR_INVALID_CERTIFICATE" }, + { KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE, "KDC_ERR_REVOKED_CERTIFICATE" }, + { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN, "KDC_ERR_REVOCATION_STATUS_UNKNOWN" }, + { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE, "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE" }, + { KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH, "KDC_ERR_CLIENT_NAME_MISMATCH" }, + { KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH, "KDC_ERR_KDC_NAME_MISMATCH" }, + { 0, NULL } +}; + + +#define PAC_LOGON_INFO 1 +#define PAC_CREDENTIAL_TYPE 2 +#define PAC_SERVER_CHECKSUM 6 +#define PAC_PRIVSVR_CHECKSUM 7 +#define PAC_CLIENT_INFO_TYPE 10 +#define PAC_S4U_DELEGATION_INFO 11 +#define PAC_UPN_DNS_INFO 12 +static const value_string w2k_pac_types[] = { + { PAC_LOGON_INFO , "Logon Info" }, + { PAC_CREDENTIAL_TYPE , "Credential Type" }, + { PAC_SERVER_CHECKSUM , "Server Checksum" }, + { PAC_PRIVSVR_CHECKSUM , "Privsvr Checksum" }, + { PAC_CLIENT_INFO_TYPE , "Client Info Type" }, + { PAC_S4U_DELEGATION_INFO, "S4U Delegation Info" }, + { PAC_UPN_DNS_INFO , "UPN DNS Info" }, + { 0, NULL }, +}; + +#if 0 +static const value_string krb5_princ_types[] = { + { KRB5_NT_UNKNOWN , "Unknown" }, + { KRB5_NT_PRINCIPAL , "Principal" }, + { KRB5_NT_SRV_INST , "Service and Instance" }, + { KRB5_NT_SRV_HST , "Service and Host" }, + { KRB5_NT_SRV_XHST , "Service and Host Components" }, + { KRB5_NT_UID , "Unique ID" }, + { KRB5_NT_X500_PRINCIPAL , "Encoded X.509 Distinguished Name" }, + { KRB5_NT_SMTP_NAME , "SMTP Name" }, + { KRB5_NT_ENTERPRISE , "Enterprise Name" }, + { KRB5_NT_MS_PRINCIPAL , "NT 4.0 style name (MS specific)" }, + { KRB5_NT_MS_PRINCIPAL_AND_SID , "NT 4.0 style name with SID (MS specific)"}, + { KRB5_NT_ENT_PRINCIPAL_AND_SID, "UPN and SID (MS specific)"}, + { KRB5_NT_PRINCIPAL_AND_SID , "Principal name and SID (MS specific)"}, + { KRB5_NT_SRV_INST_AND_SID , "SPN and SID (MS specific)"}, + { 0 , NULL }, +}; +#endif + +static const value_string krb5_preauthentication_types[] = { + { KRB5_PA_TGS_REQ , "PA-TGS-REQ" }, + { KRB5_PA_ENC_TIMESTAMP , "PA-ENC-TIMESTAMP" }, + { KRB5_PA_PW_SALT , "PA-PW-SALT" }, + { KRB5_PA_ENC_ENCKEY , "PA-ENC-ENCKEY" }, + { KRB5_PA_ENC_UNIX_TIME , "PA-ENC-UNIX-TIME" }, + { KRB5_PA_ENC_SANDIA_SECURID , "PA-PW-SALT" }, + { KRB5_PA_SESAME , "PA-SESAME" }, + { KRB5_PA_OSF_DCE , "PA-OSF-DCE" }, + { KRB5_PA_CYBERSAFE_SECUREID , "PA-CYBERSAFE-SECURID" }, + { KRB5_PA_AFS3_SALT , "PA-AFS3-SALT" }, + { KRB5_PA_ENCTYPE_INFO , "PA-ENCTYPE-INFO" }, + { KRB5_PA_ENCTYPE_INFO2 , "PA-ENCTYPE-INFO2" }, + { KRB5_PA_SAM_CHALLENGE , "PA-SAM-CHALLENGE" }, + { KRB5_PA_SAM_RESPONSE , "PA-SAM-RESPONSE" }, + { KRB5_PA_PK_AS_REQ , "PA-PK-AS-REQ" }, + { KRB5_PA_PK_AS_REP , "PA-PK-AS-REP" }, + { KRB5_PA_DASS , "PA-DASS" }, + { KRB5_PA_USE_SPECIFIED_KVNO , "PA-USE-SPECIFIED-KVNO" }, + { KRB5_PA_SAM_REDIRECT , "PA-SAM-REDIRECT" }, + { KRB5_PA_GET_FROM_TYPED_DATA , "PA-GET-FROM-TYPED-DATA" }, + { KRB5_PA_SAM_ETYPE_INFO , "PA-SAM-ETYPE-INFO" }, + { KRB5_PA_ALT_PRINC , "PA-ALT-PRINC" }, + { KRB5_PA_SAM_CHALLENGE2 , "PA-SAM-CHALLENGE2" }, + { KRB5_PA_SAM_RESPONSE2 , "PA-SAM-RESPONSE2" }, + { KRB5_TD_PKINIT_CMS_CERTIFICATES, "TD-PKINIT-CMS-CERTIFICATES" }, + { KRB5_TD_KRB_PRINCIPAL , "TD-KRB-PRINCIPAL" }, + { KRB5_TD_KRB_REALM , "TD-KRB-REALM" }, + { KRB5_TD_TRUSTED_CERTIFIERS , "TD-TRUSTED-CERTIFIERS" }, + { KRB5_TD_CERTIFICATE_INDEX , "TD-CERTIFICATE-INDEX" }, + { KRB5_TD_APP_DEFINED_ERROR , "TD-APP-DEFINED-ERROR" }, + { KRB5_TD_REQ_NONCE , "TD-REQ-NONCE" }, + { KRB5_TD_REQ_SEQ , "TD-REQ-SEQ" }, + { KRB5_PA_PAC_REQUEST , "PA-PAC-REQUEST" }, + { KRB5_PA_FOR_USER , "PA-FOR-USER" }, + { KRB5_PA_PROV_SRV_LOCATION , "PA-PROV-SRV-LOCATION" }, + { 0 , NULL }, +}; + +#if 0 +static const value_string krb5_encryption_types[] = { + { KRB5_ENCTYPE_NULL , "NULL" }, + { KRB5_ENCTYPE_DES_CBC_CRC , "des-cbc-crc" }, + { KRB5_ENCTYPE_DES_CBC_MD4 , "des-cbc-md4" }, + { KRB5_ENCTYPE_DES_CBC_MD5 , "des-cbc-md5" }, + { KRB5_ENCTYPE_DES_CBC_RAW , "des-cbc-raw" }, + { KRB5_ENCTYPE_DES3_CBC_SHA , "des3-cbc-sha" }, + { KRB5_ENCTYPE_DES3_CBC_RAW , "des3-cbc-raw" }, + { KRB5_ENCTYPE_DES_HMAC_SHA1 , "des-hmac-sha1" }, + { KRB5_ENCTYPE_DSA_SHA1_CMS , "dsa-sha1-cms" }, + { KRB5_ENCTYPE_RSA_MD5_CMS , "rsa-md5-cms" }, + { KRB5_ENCTYPE_RSA_SHA1_CMS , "rsa-sha1-cms" }, + { KRB5_ENCTYPE_RC2_CBC_ENV , "rc2-cbc-env" }, + { KRB5_ENCTYPE_RSA_ENV , "rsa-env" }, + { KRB5_ENCTYPE_RSA_ES_OEAP_ENV, "rsa-es-oeap-env" }, + { KRB5_ENCTYPE_DES_EDE3_CBC_ENV, "des-ede3-cbc-env" }, + { KRB5_ENCTYPE_DES3_CBC_SHA1 , "des3-cbc-sha1" }, + { KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 , "aes128-cts-hmac-sha1-96" }, + { KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 , "aes256-cts-hmac-sha1-96" }, + { KRB5_ENCTYPE_DES_CBC_MD5_NT , "des-cbc-md5-nt" }, + { KERB_ENCTYPE_RC4_HMAC , "rc4-hmac" }, + { KERB_ENCTYPE_RC4_HMAC_EXP , "rc4-hmac-exp" }, + { KRB5_ENCTYPE_UNKNOWN , "unknown" }, + { KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 , "local-des3-hmac-sha1" }, + { KRB5_ENCTYPE_RC4_PLAIN_EXP , "rc4-plain-exp" }, + { KRB5_ENCTYPE_RC4_PLAIN , "rc4-plain" }, + { KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP, "rc4-plain-old-exp" }, + { KRB5_ENCTYPE_RC4_HMAC_OLD_EXP, "rc4-hmac-old-exp" }, + { KRB5_ENCTYPE_RC4_PLAIN_OLD , "rc4-plain-old" }, + { KRB5_ENCTYPE_RC4_HMAC_OLD , "rc4-hmac-old" }, + { KRB5_ENCTYPE_DES_PLAIN , "des-plain" }, + { KRB5_ENCTYPE_RC4_SHA , "rc4-sha" }, + { KRB5_ENCTYPE_RC4_LM , "rc4-lm" }, + { KRB5_ENCTYPE_RC4_PLAIN2 , "rc4-plain2" }, + { KRB5_ENCTYPE_RC4_MD4 , "rc4-md4" }, + { 0 , NULL }, +}; + +static const value_string krb5_checksum_types[] = { + { KRB5_CHKSUM_NONE , "none" }, + { KRB5_CHKSUM_CRC32 , "crc32" }, + { KRB5_CHKSUM_MD4 , "md4" }, + { KRB5_CHKSUM_KRB_DES_MAC , "krb-des-mac" }, + { KRB5_CHKSUM_KRB_DES_MAC_K , "krb-des-mac-k" }, + { KRB5_CHKSUM_MD5 , "md5" }, + { KRB5_CHKSUM_MD5_DES , "md5-des" }, + { KRB5_CHKSUM_MD5_DES3 , "md5-des3" }, + { KRB5_CHKSUM_HMAC_SHA1_DES3_KD, "hmac-sha1-des3-kd" }, + { KRB5_CHKSUM_HMAC_SHA1_DES3 , "hmac-sha1-des3" }, + { KRB5_CHKSUM_SHA1_UNKEYED , "sha1 (unkeyed)" }, + { KRB5_CHKSUM_HMAC_MD5 , "hmac-md5" }, + { KRB5_CHKSUM_MD5_HMAC , "md5-hmac" }, + { KRB5_CHKSUM_RC4_MD5 , "rc5-md5" }, + { KRB5_CHKSUM_MD25 , "md25" }, + { KRB5_CHKSUM_DES_MAC_MD5 , "des-mac-md5" }, + { KRB5_CHKSUM_DES_MAC , "des-mac" }, + { KRB5_CHKSUM_REAL_CRC32 , "real-crc32" }, + { KRB5_CHKSUM_SHA1 , "sha1" }, + { KRB5_CHKSUM_LM , "lm" }, + { KRB5_CHKSUM_GSSAPI , "gssapi-8003" }, + { 0 , NULL }, +}; +#endif + +#define KRB5_AD_IF_RELEVANT 1 +#define KRB5_AD_INTENDED_FOR_SERVER 2 +#define KRB5_AD_INTENDED_FOR_APPLICATION_CLASS 3 +#define KRB5_AD_KDC_ISSUED 4 +#define KRB5_AD_OR 5 +#define KRB5_AD_MANDATORY_TICKET_EXTENSIONS 6 +#define KRB5_AD_IN_TICKET_EXTENSIONS 7 +#define KRB5_AD_MANDATORY_FOR_KDC 8 +#define KRB5_AD_OSF_DCE 64 +#define KRB5_AD_SESAME 65 +#define KRB5_AD_OSF_DCE_PKI_CERTID 66 +#define KRB5_AD_WIN2K_PAC 128 +#define KRB5_AD_SIGNTICKET 0xffffffef + +static const value_string krb5_ad_types[] = { + { KRB5_AD_IF_RELEVANT , "AD-IF-RELEVANT" }, + { KRB5_AD_INTENDED_FOR_SERVER , "AD-Intended-For-Server" }, + { KRB5_AD_INTENDED_FOR_APPLICATION_CLASS , "AD-Intended-For-Application-Class" }, + { KRB5_AD_KDC_ISSUED , "AD-KDCIssued" }, + { KRB5_AD_OR , "AD-AND-OR" }, + { KRB5_AD_MANDATORY_TICKET_EXTENSIONS , "AD-Mandatory-Ticket-Extensions" }, + { KRB5_AD_IN_TICKET_EXTENSIONS , "AD-IN-Ticket-Extensions" }, + { KRB5_AD_MANDATORY_FOR_KDC , "AD-MANDATORY-FOR-KDC" }, + { KRB5_AD_OSF_DCE , "AD-OSF-DCE" }, + { KRB5_AD_SESAME , "AD-SESAME" }, + { KRB5_AD_OSF_DCE_PKI_CERTID , "AD-OSF-DCE-PKI-CertID" }, + { KRB5_AD_WIN2K_PAC , "AD-Win2k-PAC" }, + { KRB5_AD_SIGNTICKET , "AD-SignTicket" }, + { 0 , NULL }, +}; +#if 0 +static const value_string krb5_transited_types[] = { + { 1 , "DOMAIN-X500-COMPRESS" }, + { 0 , NULL } +}; +#endif + +static const value_string krb5_msg_types[] = { + { KRB5_MSG_TICKET, "Ticket" }, + { KRB5_MSG_AUTHENTICATOR, "Authenticator" }, + { KRB5_MSG_ENC_TICKET_PART, "EncTicketPart" }, + { KRB5_MSG_TGS_REQ, "TGS-REQ" }, + { KRB5_MSG_TGS_REP, "TGS-REP" }, + { KRB5_MSG_AS_REQ, "AS-REQ" }, + { KRB5_MSG_AS_REP, "AS-REP" }, + { KRB5_MSG_AP_REQ, "AP-REQ" }, + { KRB5_MSG_AP_REP, "AP-REP" }, + { KRB5_MSG_SAFE, "KRB-SAFE" }, + { KRB5_MSG_PRIV, "KRB-PRIV" }, + { KRB5_MSG_CRED, "KRB-CRED" }, + { KRB5_MSG_ENC_AS_REP_PART, "EncASRepPart" }, + { KRB5_MSG_ENC_TGS_REP_PART, "EncTGSRepPart" }, + { KRB5_MSG_ENC_AP_REP_PART, "EncAPRepPart" }, + { KRB5_MSG_ENC_KRB_PRIV_PART, "EncKrbPrivPart" }, + { KRB5_MSG_ENC_KRB_CRED_PART, "EncKrbCredPart" }, + { KRB5_MSG_ERROR, "KRB-ERROR" }, + { 0, NULL }, +}; + +#define KRB5_GSS_C_DELEG_FLAG 0x01 +#define KRB5_GSS_C_MUTUAL_FLAG 0x02 +#define KRB5_GSS_C_REPLAY_FLAG 0x04 +#define KRB5_GSS_C_SEQUENCE_FLAG 0x08 +#define KRB5_GSS_C_CONF_FLAG 0x10 +#define KRB5_GSS_C_INTEG_FLAG 0x20 +#define KRB5_GSS_C_DCE_STYLE 0x1000 + +static const true_false_string tfs_gss_flags_deleg = { + "Delegate credentials to remote peer", + "Do NOT delegate" +}; +static const true_false_string tfs_gss_flags_mutual = { + "Request that remote peer authenticates itself", + "Mutual authentication NOT required" +}; +static const true_false_string tfs_gss_flags_replay = { + "Enable replay protection for signed or sealed messages", + "Do NOT enable replay protection" +}; +static const true_false_string tfs_gss_flags_sequence = { + "Enable Out-of-sequence detection for sign or sealed messages", + "Do NOT enable out-of-sequence detection" +}; +static const true_false_string tfs_gss_flags_conf = { + "Confidentiality (sealing) may be invoked", + "Do NOT use Confidentiality (sealing)" +}; +static const true_false_string tfs_gss_flags_integ = { + "Integrity protection (signing) may be invoked", + "Do NOT use integrity protection" +}; + +static const true_false_string tfs_gss_flags_dce_style = { + "DCE-STYLE", + "Not using DCE-STYLE" +}; + +#ifdef HAVE_KERBEROS +static int +dissect_krb5_decrypt_ticket_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, + proto_tree *tree, int hf_index _U_) +{ + guint8 *plaintext; + int length; + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + tvbuff_t *next_tvb; + + next_tvb=tvb_new_subset_remaining(tvb, offset); + length=tvb_captured_length_remaining(tvb, offset); + + /* draft-ietf-krb-wg-kerberos-clarifications-05.txt : + * 7.5.1 + * All Ticket encrypted parts use usage == 2 + */ + plaintext=decrypt_krb5_data(tree, actx->pinfo, 2, next_tvb, private_data->etype, NULL); + + if(plaintext){ + tvbuff_t *child_tvb; + child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length); + tvb_set_free_cb(child_tvb, g_free); + + /* Add the decrypted data to the data source list. */ + add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5"); + + offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1); + } + return offset; +} + +static int +dissect_krb5_decrypt_authenticator_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, + proto_tree *tree, int hf_index _U_) +{ + guint8 *plaintext; + int length; + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + tvbuff_t *next_tvb; + + next_tvb=tvb_new_subset_remaining(tvb, offset); + length=tvb_captured_length_remaining(tvb, offset); + + /* draft-ietf-krb-wg-kerberos-clarifications-05.txt : + * 7.5.1 + * Authenticators are encrypted with usage + * == 7 or + * == 11 + */ + plaintext=decrypt_krb5_data(tree, actx->pinfo, 7, next_tvb, private_data->etype, NULL); + + if(!plaintext){ + plaintext=decrypt_krb5_data(tree, actx->pinfo, 11, next_tvb, private_data->etype, NULL); + } + + if(plaintext){ + tvbuff_t *child_tvb; + child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length); + tvb_set_free_cb(child_tvb, g_free); + + /* Add the decrypted data to the data source list. */ + add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5"); + + offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1); + } + return offset; +} + +static int +dissect_krb5_decrypt_KDC_REP_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, + proto_tree *tree, int hf_index _U_) +{ + guint8 *plaintext; + int length; + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + tvbuff_t *next_tvb; + + next_tvb=tvb_new_subset_remaining(tvb, offset); + length=tvb_captured_length_remaining(tvb, offset); + + /* draft-ietf-krb-wg-kerberos-clarifications-05.txt : + * 7.5.1 + * ASREP/TGSREP encryptedparts are encrypted with usage + * == 3 or + * == 8 or + * == 9 + */ + plaintext=decrypt_krb5_data(tree, actx->pinfo, 3, next_tvb, private_data->etype, NULL); + + if(!plaintext){ + plaintext=decrypt_krb5_data(tree, actx->pinfo, 8, next_tvb, private_data->etype, NULL); + } + + if(!plaintext){ + plaintext=decrypt_krb5_data(tree, actx->pinfo, 9, next_tvb, private_data->etype, NULL); + } + + if(plaintext){ + tvbuff_t *child_tvb; + child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length); + tvb_set_free_cb(child_tvb, g_free); + + /* Add the decrypted data to the data source list. */ + add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5"); + + offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1); + } + return offset; +} + +static int +dissect_krb5_decrypt_PA_ENC_TIMESTAMP (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, + proto_tree *tree, int hf_index _U_) +{ + guint8 *plaintext; + int length; + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + tvbuff_t *next_tvb; + + next_tvb=tvb_new_subset_remaining(tvb, offset); + length=tvb_captured_length_remaining(tvb, offset); + + /* draft-ietf-krb-wg-kerberos-clarifications-05.txt : + * 7.5.1 + * AS-REQ PA_ENC_TIMESTAMP are encrypted with usage + * == 1 + */ + plaintext=decrypt_krb5_data(tree, actx->pinfo, 1, next_tvb, private_data->etype, NULL); + + if(plaintext){ + tvbuff_t *child_tvb; + child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length); + tvb_set_free_cb(child_tvb, g_free); + + /* Add the decrypted data to the data source list. */ + add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5"); + + offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1); + } + return offset; +} + +static int +dissect_krb5_decrypt_AP_REP_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, + proto_tree *tree, int hf_index _U_) +{ + guint8 *plaintext; + int length; + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + tvbuff_t *next_tvb; + + next_tvb=tvb_new_subset_remaining(tvb, offset); + length=tvb_captured_length_remaining(tvb, offset); + + /* draft-ietf-krb-wg-kerberos-clarifications-05.txt : + * 7.5.1 + * AP-REP are encrypted with usage == 12 + */ + plaintext=decrypt_krb5_data(tree, actx->pinfo, 12, next_tvb, private_data->etype, NULL); + + if(plaintext){ + tvbuff_t *child_tvb; + child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length); + tvb_set_free_cb(child_tvb, g_free); + + /* Add the decrypted data to the data source list. */ + add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5"); + + offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1); + } + return offset; +} + +static int +dissect_krb5_decrypt_PRIV_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, + proto_tree *tree, int hf_index _U_) +{ + guint8 *plaintext; + int length; + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + tvbuff_t *next_tvb; + + next_tvb=tvb_new_subset_remaining(tvb, offset); + length=tvb_captured_length_remaining(tvb, offset); + + /* RFC4120 : + * EncKrbPrivPart encrypted with usage + * == 13 + */ + plaintext=decrypt_krb5_data(tree, actx->pinfo, 13, next_tvb, private_data->etype, NULL); + + if(plaintext){ + tvbuff_t *child_tvb; + child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length); + tvb_set_free_cb(child_tvb, g_free); + + /* Add the decrypted data to the data source list. */ + add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5"); + + offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1); + } + return offset; +} + +static int +dissect_krb5_decrypt_CRED_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, + proto_tree *tree, int hf_index _U_) +{ + guint8 *plaintext; + int length; + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + tvbuff_t *next_tvb; + + next_tvb=tvb_new_subset_remaining(tvb, offset); + length=tvb_captured_length_remaining(tvb, offset); + + /* RFC4120 : + * EncKrbCredPart encrypted with usage + * == 14 + */ + plaintext=decrypt_krb5_data(tree, actx->pinfo, 14, next_tvb, private_data->etype, NULL); + + if(plaintext){ + tvbuff_t *child_tvb; + child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length); + tvb_set_free_cb(child_tvb, g_free); + + /* Add the decrypted data to the data source list. */ + add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5"); + + offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1); + } + return offset; +} +#endif + +/* Dissect a GSSAPI checksum as per RFC1964. This is NOT ASN.1 encoded. + */ +static int +dissect_krb5_rfc1964_checksum(asn1_ctx_t *actx _U_, proto_tree *tree, tvbuff_t *tvb) +{ + int offset=0; + guint32 len; + guint16 dlglen; + + /* Length of Bnd field */ + len=tvb_get_letohl(tvb, offset); + proto_tree_add_item(tree, hf_krb_gssapi_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + + /* Bnd field */ + proto_tree_add_item(tree, hf_krb_gssapi_bnd, tvb, offset, len, ENC_NA); + offset += len; + + + /* flags */ + proto_tree_add_item(tree, hf_krb_gssapi_c_flag_dce_style, tvb, offset, 4, ENC_LITTLE_ENDIAN); + proto_tree_add_item(tree, hf_krb_gssapi_c_flag_integ, tvb, offset, 4, ENC_LITTLE_ENDIAN); + proto_tree_add_item(tree, hf_krb_gssapi_c_flag_conf, tvb, offset, 4, ENC_LITTLE_ENDIAN); + proto_tree_add_item(tree, hf_krb_gssapi_c_flag_sequence, tvb, offset, 4, ENC_LITTLE_ENDIAN); + proto_tree_add_item(tree, hf_krb_gssapi_c_flag_replay, tvb, offset, 4, ENC_LITTLE_ENDIAN); + proto_tree_add_item(tree, hf_krb_gssapi_c_flag_mutual, tvb, offset, 4, ENC_LITTLE_ENDIAN); + proto_tree_add_item(tree, hf_krb_gssapi_c_flag_deleg, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + + /* the next fields are optional so we have to check that we have + * more data in our buffers */ + if(tvb_reported_length_remaining(tvb, offset)<2){ + return offset; + } + /* dlgopt identifier */ + proto_tree_add_item(tree, hf_krb_gssapi_dlgopt, tvb, offset, 2, ENC_LITTLE_ENDIAN); + offset += 2; + + if(tvb_reported_length_remaining(tvb, offset)<2){ + return offset; + } + /* dlglen identifier */ + dlglen=tvb_get_letohs(tvb, offset); + proto_tree_add_item(tree, hf_krb_gssapi_dlglen, tvb, offset, 2, ENC_LITTLE_ENDIAN); + offset += 2; + + if(dlglen!=tvb_reported_length_remaining(tvb, offset)){ + proto_tree_add_expert_format(tree, actx->pinfo, &ei_krb_gssapi_dlglen, tvb, 0, 0, + "Error: DlgLen:%d is not the same as number of bytes remaining:%d", dlglen, tvb_captured_length_remaining(tvb, offset)); + return offset; + } + + /* this should now be a KRB_CRED message */ + offset=dissect_kerberos_Applications(FALSE, tvb, offset, actx, tree, /* hf_index */ -1); + + return offset; +} + +static int +dissect_krb5_PA_PROV_SRV_LOCATION(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) +{ + offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_provsrv_location, NULL, 0); + + return offset; +} + +static int +dissect_krb5_PW_SALT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) +{ + guint32 nt_status; + + /* Microsoft stores a special 12 byte blob here + * guint32 NT_status + * guint32 unknown + * guint32 unknown + * decode everything as this blob for now until we see if anyone + * else ever uses it or we learn how to tell whether this + * is such an MS blob or not. + */ + proto_tree_add_item(tree, hf_krb_smb_nt_status, tvb, offset, 4, + ENC_LITTLE_ENDIAN); + nt_status=tvb_get_letohl(tvb, offset); + if(nt_status) { + col_append_fstr(actx->pinfo->cinfo, COL_INFO, + " NT Status: %s", + val_to_str(nt_status, NT_errors, + "Unknown error code %#x")); + } + offset += 4; + + proto_tree_add_item(tree, hf_krb_smb_unknown, tvb, offset, 4, + ENC_LITTLE_ENDIAN); + offset += 4; + + proto_tree_add_item(tree, hf_krb_smb_unknown, tvb, offset, 4, + ENC_LITTLE_ENDIAN); + offset += 4; + + return offset; +} + +static int +dissect_krb5_PAC_DREP(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint8 *drep) +{ + proto_tree *tree; + guint8 val; + + tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16, ett_krb_pac_drep, NULL, "DREP"); + + val = tvb_get_guint8(tvb, offset); + proto_tree_add_uint(tree, hf_dcerpc_drep_byteorder, tvb, offset, 1, val>>4); + + offset++; + + if (drep) { + *drep = val; + } + + return offset; +} + +/* This might be some sort of header that MIDL generates when creating + * marshalling/unmarshalling code for blobs that are not to be transported + * ontop of DCERPC and where the DREP fields specifying things such as + * endianess and similar are not available. + */ +static int +dissect_krb5_PAC_NDRHEADERBLOB(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint8 *drep, asn1_ctx_t *actx _U_) +{ + proto_tree *tree; + + tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16, ett_krb_pac_midl_blob, NULL, "MES header"); + + /* modified DREP field that is used for stuff that is transporetd ontop + of non dcerpc + */ + proto_tree_add_item(tree, hf_krb_midl_version, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset++; + + offset = dissect_krb5_PAC_DREP(tree, tvb, offset, drep); + + + proto_tree_add_item(tree, hf_krb_midl_hdr_len, tvb, offset, 2, ENC_LITTLE_ENDIAN); + offset+=2; + + proto_tree_add_item(tree, hf_krb_midl_fill_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + + /* length of blob that follows */ + proto_tree_add_item(tree, hf_krb_midl_blob_len, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + + return offset; +} + +static int +dissect_krb5_PAC_LOGON_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_) +{ + proto_item *item; + proto_tree *tree; + guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */ + static dcerpc_info di; /* fake dcerpc_info struct */ + static dcerpc_call_value call_data; + + item = proto_tree_add_item(parent_tree, hf_krb_pac_logon_info, tvb, offset, -1, ENC_NA); + tree = proto_item_add_subtree(item, ett_krb_pac_logon_info); + + /* skip the first 16 bytes, they are some magic created by the idl + * compiler the first 4 bytes might be flags? + */ + offset = dissect_krb5_PAC_NDRHEADERBLOB(tree, tvb, offset, &drep[0], actx); + + /* the PAC_LOGON_INFO blob */ + /* fake whatever state the dcerpc runtime support needs */ + di.conformant_run=0; + /* we need di->call_data->flags.NDR64 == 0 */ + di.call_data=&call_data; + init_ndr_pointer_list(&di); + offset = dissect_ndr_pointer(tvb, offset, actx->pinfo, tree, &di, drep, + netlogon_dissect_PAC_LOGON_INFO, NDR_POINTER_UNIQUE, + "PAC_LOGON_INFO:", -1); + + return offset; +} + +static int +dissect_krb5_PAC_S4U_DELEGATION_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx) +{ + proto_item *item; + proto_tree *tree; + guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */ + static dcerpc_info di; /* fake dcerpc_info struct */ + static dcerpc_call_value call_data; + + item = proto_tree_add_item(parent_tree, hf_krb_pac_s4u_delegation_info, tvb, offset, -1, ENC_NA); + tree = proto_item_add_subtree(item, ett_krb_pac_s4u_delegation_info); + + /* skip the first 16 bytes, they are some magic created by the idl + * compiler the first 4 bytes might be flags? + */ + offset = dissect_krb5_PAC_NDRHEADERBLOB(tree, tvb, offset, &drep[0], actx); + + + /* the S4U_DELEGATION_INFO blob. See [MS-PAC] */ + /* fake whatever state the dcerpc runtime support needs */ + di.conformant_run=0; + /* we need di->call_data->flags.NDR64 == 0 */ + di.call_data=&call_data; + init_ndr_pointer_list(&di); + offset = dissect_ndr_pointer(tvb, offset, actx->pinfo, tree, &di, drep, + netlogon_dissect_PAC_S4U_DELEGATION_INFO, NDR_POINTER_UNIQUE, + "PAC_S4U_DELEGATION_INFO:", -1); + + return offset; +} + +static int +dissect_krb5_PAC_UPN_DNS_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_) +{ + proto_item *item; + proto_tree *tree; + guint16 dns_offset, dns_len; + guint16 upn_offset, upn_len; + const char *dn; + int dn_len; + guint16 bc; + + item = proto_tree_add_item(parent_tree, hf_krb_pac_upn_dns_info, tvb, offset, -1, ENC_NA); + tree = proto_item_add_subtree(item, ett_krb_pac_upn_dns_info); + + /* upn */ + upn_len = tvb_get_letohs(tvb, offset); + proto_tree_add_item(tree, hf_krb_pac_upn_upn_len, tvb, offset, 2, ENC_LITTLE_ENDIAN); + offset+=2; + upn_offset = tvb_get_letohs(tvb, offset); + proto_tree_add_item(tree, hf_krb_pac_upn_upn_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN); + offset+=2; + + /* dns */ + dns_len = tvb_get_letohs(tvb, offset); + proto_tree_add_item(tree, hf_krb_pac_upn_dns_len, tvb, offset, 2, ENC_LITTLE_ENDIAN); + offset+=2; + dns_offset = tvb_get_letohs(tvb, offset); + proto_tree_add_item(tree, hf_krb_pac_upn_dns_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN); + offset+=2; + + /* flags */ + proto_tree_add_item(tree, hf_krb_pac_upn_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN); + + /* upn */ + offset = upn_offset; + dn_len = upn_len; + bc = tvb_reported_length_remaining(tvb, offset); + dn = get_unicode_or_ascii_string(tvb, &offset, TRUE, &dn_len, TRUE, TRUE, &bc); + proto_tree_add_string(tree, hf_krb_pac_upn_upn_name, tvb, upn_offset, upn_len, dn); + + /* dns */ + offset = dns_offset; + dn_len = dns_len; + bc = tvb_reported_length_remaining(tvb, offset); + dn = get_unicode_or_ascii_string(tvb, &offset, TRUE, &dn_len, TRUE, TRUE, &bc); + proto_tree_add_string(tree, hf_krb_pac_upn_dns_name, tvb, dns_offset, dns_len, dn); + + return offset; +} + +static int +dissect_krb5_PAC_CREDENTIAL_TYPE(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_) +{ + proto_tree_add_item(parent_tree, hf_krb_pac_credential_type, tvb, offset, -1, ENC_NA); + + return offset; +} + +static int +dissect_krb5_PAC_SERVER_CHECKSUM(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_) +{ + proto_item *item; + proto_tree *tree; + + item = proto_tree_add_item(parent_tree, hf_krb_pac_server_checksum, tvb, offset, -1, ENC_NA); + tree = proto_item_add_subtree(item, ett_krb_pac_server_checksum); + + /* signature type */ + proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset+=4; + + /* signature data */ + proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, -1, ENC_NA); + + return offset; +} + +static int +dissect_krb5_PAC_PRIVSVR_CHECKSUM(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_) +{ + proto_item *item; + proto_tree *tree; + + item = proto_tree_add_item(parent_tree, hf_krb_pac_privsvr_checksum, tvb, offset, -1, ENC_NA); + tree = proto_item_add_subtree(item, ett_krb_pac_privsvr_checksum); + + /* signature type */ + proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset+=4; + + /* signature data */ + proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, -1, ENC_NA); + + return offset; +} + +static int +dissect_krb5_PAC_CLIENT_INFO_TYPE(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_) +{ + proto_item *item; + proto_tree *tree; + guint16 namelen; + + item = proto_tree_add_item(parent_tree, hf_krb_pac_client_info_type, tvb, offset, -1, ENC_NA); + tree = proto_item_add_subtree(item, ett_krb_pac_client_info_type); + + /* clientid */ + offset = dissect_nt_64bit_time(tvb, tree, offset, hf_krb_pac_clientid); + + /* name length */ + namelen=tvb_get_letohs(tvb, offset); + proto_tree_add_uint(tree, hf_krb_pac_namelen, tvb, offset, 2, namelen); + offset+=2; + + /* client name */ + proto_tree_add_item(tree, hf_krb_pac_clientname, tvb, offset, namelen, ENC_UTF_16|ENC_LITTLE_ENDIAN); + offset+=namelen; + + return offset; +} + +static int +dissect_krb5_AD_WIN2K_PAC_struct(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx) +{ + guint32 pac_type; + guint32 pac_size; + guint32 pac_offset; + proto_item *it=NULL; + proto_tree *tr=NULL; + tvbuff_t *next_tvb; + + /* type of pac data */ + pac_type=tvb_get_letohl(tvb, offset); + it=proto_tree_add_uint(tree, hf_krb_w2k_pac_type, tvb, offset, 4, pac_type); + tr=proto_item_add_subtree(it, ett_krb_pac); + + offset += 4; + + /* size of pac data */ + pac_size=tvb_get_letohl(tvb, offset); + proto_tree_add_uint(tr, hf_krb_w2k_pac_size, tvb, offset, 4, pac_size); + offset += 4; + + /* offset to pac data */ + pac_offset=tvb_get_letohl(tvb, offset); + proto_tree_add_uint(tr, hf_krb_w2k_pac_offset, tvb, offset, 4, pac_offset); + offset += 8; + + next_tvb=tvb_new_subset(tvb, pac_offset, pac_size, pac_size); + switch(pac_type){ + case PAC_LOGON_INFO: + dissect_krb5_PAC_LOGON_INFO(tr, next_tvb, 0, actx); + break; + case PAC_CREDENTIAL_TYPE: + dissect_krb5_PAC_CREDENTIAL_TYPE(tr, next_tvb, 0, actx); + break; + case PAC_SERVER_CHECKSUM: + dissect_krb5_PAC_SERVER_CHECKSUM(tr, next_tvb, 0, actx); + break; + case PAC_PRIVSVR_CHECKSUM: + dissect_krb5_PAC_PRIVSVR_CHECKSUM(tr, next_tvb, 0, actx); + break; + case PAC_CLIENT_INFO_TYPE: + dissect_krb5_PAC_CLIENT_INFO_TYPE(tr, next_tvb, 0, actx); + break; + case PAC_S4U_DELEGATION_INFO: + dissect_krb5_PAC_S4U_DELEGATION_INFO(tr, next_tvb, 0, actx); + break; + case PAC_UPN_DNS_INFO: + dissect_krb5_PAC_UPN_DNS_INFO(tr, next_tvb, 0, actx); + break; + + default: + break; + } + return offset; +} + +static int +dissect_krb5_AD_WIN2K_PAC(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) +{ + guint32 entries; + guint32 version; + guint32 i; + + /* first in the PAC structure comes the number of entries */ + entries=tvb_get_letohl(tvb, offset); + proto_tree_add_uint(tree, hf_krb_w2k_pac_entries, tvb, offset, 4, entries); + offset += 4; + + /* second comes the version */ + version=tvb_get_letohl(tvb, offset); + proto_tree_add_uint(tree, hf_krb_w2k_pac_version, tvb, offset, 4, version); + offset += 4; + + for(i=0;i<entries;i++){ + offset=dissect_krb5_AD_WIN2K_PAC_struct(tree, tvb, offset, actx); + } + + return offset; +} + +#include "packet-kerberos-fn.c" + +/* Make wrappers around exported functions for now */ +int +dissect_krb5_Checksum(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_) +{ + return dissect_kerberos_Checksum(FALSE, tvb, offset, actx, tree, hf_kerberos_cksum); + +} + +int +dissect_krb5_ctime(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_) +{ + return dissect_kerberos_KerberosTime(FALSE, tvb, offset, actx, tree, hf_kerberos_ctime); +} + + +int +dissect_krb5_cname(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_) +{ + return dissect_kerberos_PrincipalName(FALSE, tvb, offset, actx, tree, hf_kerberos_cname); +} +int +dissect_krb5_realm(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_) +{ + return dissect_kerberos_Realm(FALSE, tvb, offset, actx, tree, hf_kerberos_realm); +} + + +static gint +dissect_kerberos_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, + gboolean dci, gboolean do_col_protocol, gboolean have_rm, + kerberos_callbacks *cb) +{ + volatile int offset = 0; + proto_tree *volatile kerberos_tree = NULL; + proto_item *volatile item = NULL; + asn1_ctx_t asn1_ctx; + + /* TCP record mark and length */ + guint32 krb_rm = 0; + gint krb_reclen = 0; + + gbl_do_col_info=dci; + + if (have_rm) { + krb_rm = tvb_get_ntohl(tvb, offset); + krb_reclen = kerberos_rm_to_reclen(krb_rm); + /* + * What is a reasonable size limit? + */ + if (krb_reclen > 10 * 1024 * 1024) { + return (-1); + } + + if (do_col_protocol) { + col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5"); + } + + if (tree) { + item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, ENC_NA); + kerberos_tree = proto_item_add_subtree(item, ett_kerberos); + } + + show_krb_recordmark(kerberos_tree, tvb, offset, krb_rm); + offset += 4; + } else { + /* Do some sanity checking here, + * All krb5 packets start with a TAG class that is BER_CLASS_APP + * and a tag value that is either of the values below: + * If it doesn't look like kerberos, return 0 and let someone else have + * a go at it. + */ + gint8 tmp_class; + gboolean tmp_pc; + gint32 tmp_tag; + + get_ber_identifier(tvb, offset, &tmp_class, &tmp_pc, &tmp_tag); + if(tmp_class!=BER_CLASS_APP){ + return 0; + } + switch(tmp_tag){ + case KRB5_MSG_TICKET: + case KRB5_MSG_AUTHENTICATOR: + case KRB5_MSG_ENC_TICKET_PART: + case KRB5_MSG_AS_REQ: + case KRB5_MSG_AS_REP: + case KRB5_MSG_TGS_REQ: + case KRB5_MSG_TGS_REP: + case KRB5_MSG_AP_REQ: + case KRB5_MSG_AP_REP: + case KRB5_MSG_ENC_AS_REP_PART: + case KRB5_MSG_ENC_TGS_REP_PART: + case KRB5_MSG_ENC_AP_REP_PART: + case KRB5_MSG_ENC_KRB_PRIV_PART: + case KRB5_MSG_ENC_KRB_CRED_PART: + case KRB5_MSG_SAFE: + case KRB5_MSG_PRIV: + case KRB5_MSG_ERROR: + break; + default: + return 0; + } + if (do_col_protocol) { + col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5"); + } + if (gbl_do_col_info) { + col_clear(pinfo->cinfo, COL_INFO); + } + if (tree) { + item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, ENC_NA); + kerberos_tree = proto_item_add_subtree(item, ett_kerberos); + } + } + asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo); + asn1_ctx.private_data = cb; + + TRY { + offset=dissect_kerberos_Applications(FALSE, tvb, offset, &asn1_ctx , kerberos_tree, /* hf_index */ -1); + } CATCH_BOUNDS_ERRORS { + RETHROW; + } ENDTRY; + + proto_item_set_len(item, offset); + return offset; +} + +/* + * Display the TCP record mark. + */ +void +show_krb_recordmark(proto_tree *tree, tvbuff_t *tvb, gint start, guint32 krb_rm) +{ + gint rec_len; + proto_tree *rm_tree; + + if (tree == NULL) + return; + + rec_len = kerberos_rm_to_reclen(krb_rm); + rm_tree = proto_tree_add_subtree_format(tree, tvb, start, 4, ett_krb_recordmark, NULL, + "Record Mark: %u %s", rec_len, plurality(rec_len, "byte", "bytes")); + proto_tree_add_boolean(rm_tree, hf_krb_rm_reserved, tvb, start, 4, krb_rm); + proto_tree_add_uint(rm_tree, hf_krb_rm_reclen, tvb, start, 4, krb_rm); +} + +gint +dissect_kerberos_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int do_col_info, kerberos_callbacks *cb) +{ + return (dissect_kerberos_common(tvb, pinfo, tree, do_col_info, FALSE, FALSE, cb)); +} + +guint32 +kerberos_output_keytype(void) +{ + return gbl_keytype; +} + +static gint +dissect_kerberos_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +{ + /* Some weird kerberos implementation apparently do krb4 on the krb5 port. + Since all (except weirdo transarc krb4 stuff) use + an opcode <=16 in the first byte, use this to see if it might + be krb4. + All krb5 commands start with an APPL tag and thus is >=0x60 + so if first byte is <=16 just blindly assume it is krb4 then + */ + if(tvb_captured_length(tvb) >= 1 && tvb_get_guint8(tvb, 0)<=0x10){ + if(krb4_handle){ + gboolean res; + + res=call_dissector_only(krb4_handle, tvb, pinfo, tree, NULL); + return res; + }else{ + return 0; + } + } + + + return dissect_kerberos_common(tvb, pinfo, tree, TRUE, TRUE, FALSE, NULL); +} + +gint +kerberos_rm_to_reclen(guint krb_rm) +{ + return (krb_rm & KRB_RM_RECLEN); +} + +guint +get_krb_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data _U_) +{ + guint krb_rm; + gint pdulen; + + krb_rm = tvb_get_ntohl(tvb, offset); + pdulen = kerberos_rm_to_reclen(krb_rm); + return (pdulen + 4); +} +static void +kerberos_prefs_apply_cb(void) { +#ifdef HAVE_LIBNETTLE + clear_keytab(); + read_keytab_file(keytab_filename); +#endif +} + +static int +dissect_kerberos_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) +{ + pinfo->fragmented = TRUE; + if (dissect_kerberos_common(tvb, pinfo, tree, TRUE, TRUE, TRUE, NULL) < 0) { + /* + * The dissector failed to recognize this as a valid + * Kerberos message. Mark it as a continuation packet. + */ + col_set_str(pinfo->cinfo, COL_INFO, "Continuation"); + } + + return tvb_captured_length(tvb); +} + +static int +dissect_kerberos_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data) +{ + col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5"); + col_clear(pinfo->cinfo, COL_INFO); + + tcp_dissect_pdus(tvb, pinfo, tree, krb_desegment, 4, get_krb_pdu_len, + dissect_kerberos_tcp_pdu, data); + return tvb_captured_length(tvb); +} + +/*--- proto_register_kerberos -------------------------------------------*/ +void proto_register_kerberos(void) { + + /* List of fields */ + + static hf_register_info hf[] = { + { &hf_krb_rm_reserved, { + "Reserved", "kerberos.rm.reserved", FT_BOOLEAN, 32, + TFS(&tfs_set_notset), KRB_RM_RESERVED, "Record mark reserved bit", HFILL }}, + { &hf_krb_rm_reclen, { + "Record Length", "kerberos.rm.length", FT_UINT32, BASE_DEC, + NULL, KRB_RM_RECLEN, NULL, HFILL }}, + { &hf_krb_provsrv_location, { + "PROVSRV Location", "kerberos.provsrv_location", FT_STRING, BASE_NONE, + NULL, 0, "PacketCable PROV SRV Location", HFILL }}, + { &hf_krb_smb_nt_status, + { "NT Status", "kerberos.smb.nt_status", FT_UINT32, BASE_HEX, + VALS(NT_errors), 0, "NT Status code", HFILL }}, + { &hf_krb_smb_unknown, + { "Unknown", "kerberos.smb.unknown", FT_UINT32, BASE_HEX, + NULL, 0, NULL, HFILL }}, + { &hf_krb_address_ip, { + "IP Address", "kerberos.addr_ip", FT_IPv4, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_krb_address_ipv6, { + "IPv6 Address", "kerberos.addr_ipv6", FT_IPv6, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_krb_address_netbios, { + "NetBIOS Address", "kerberos.addr_nb", FT_STRING, BASE_NONE, + NULL, 0, "NetBIOS Address and type", HFILL }}, + { &hf_krb_gssapi_len, { + "Length", "kerberos.gssapi.len", FT_UINT32, BASE_DEC, + NULL, 0, "Length of GSSAPI Bnd field", HFILL }}, + { &hf_krb_gssapi_bnd, { + "Bnd", "kerberos.gssapi.bdn", FT_BYTES, BASE_NONE, + NULL, 0, "GSSAPI Bnd field", HFILL }}, + { &hf_krb_gssapi_c_flag_deleg, { + "Deleg", "kerberos.gssapi.checksum.flags.deleg", FT_BOOLEAN, 32, + TFS(&tfs_gss_flags_deleg), KRB5_GSS_C_DELEG_FLAG, NULL, HFILL }}, + { &hf_krb_gssapi_c_flag_mutual, { + "Mutual", "kerberos.gssapi.checksum.flags.mutual", FT_BOOLEAN, 32, + TFS(&tfs_gss_flags_mutual), KRB5_GSS_C_MUTUAL_FLAG, NULL, HFILL }}, + { &hf_krb_gssapi_c_flag_replay, { + "Replay", "kerberos.gssapi.checksum.flags.replay", FT_BOOLEAN, 32, + TFS(&tfs_gss_flags_replay), KRB5_GSS_C_REPLAY_FLAG, NULL, HFILL }}, + { &hf_krb_gssapi_c_flag_sequence, { + "Sequence", "kerberos.gssapi.checksum.flags.sequence", FT_BOOLEAN, 32, + TFS(&tfs_gss_flags_sequence), KRB5_GSS_C_SEQUENCE_FLAG, NULL, HFILL }}, + { &hf_krb_gssapi_c_flag_conf, { + "Conf", "kerberos.gssapi.checksum.flags.conf", FT_BOOLEAN, 32, + TFS(&tfs_gss_flags_conf), KRB5_GSS_C_CONF_FLAG, NULL, HFILL }}, + { &hf_krb_gssapi_c_flag_integ, { + "Integ", "kerberos.gssapi.checksum.flags.integ", FT_BOOLEAN, 32, + TFS(&tfs_gss_flags_integ), KRB5_GSS_C_INTEG_FLAG, NULL, HFILL }}, + { &hf_krb_gssapi_c_flag_dce_style, { + "DCE-style", "kerberos.gssapi.checksum.flags.dce-style", FT_BOOLEAN, 32, + TFS(&tfs_gss_flags_dce_style), KRB5_GSS_C_DCE_STYLE, NULL, HFILL }}, + { &hf_krb_gssapi_dlgopt, { + "DlgOpt", "kerberos.gssapi.dlgopt", FT_UINT16, BASE_DEC, + NULL, 0, "GSSAPI DlgOpt", HFILL }}, + { &hf_krb_gssapi_dlglen, { + "DlgLen", "kerberos.gssapi.dlglen", FT_UINT16, BASE_DEC, + NULL, 0, "GSSAPI DlgLen", HFILL }}, + { &hf_krb_midl_blob_len, { + "Blob Length", "kerberos.midl_blob_len", FT_UINT64, BASE_DEC, + NULL, 0, "Length of NDR encoded data that follows", HFILL }}, + { &hf_krb_midl_fill_bytes, { + "Fill bytes", "kerberos.midl.fill_bytes", FT_UINT32, BASE_HEX, + NULL, 0, "Just some fill bytes", HFILL }}, + { &hf_krb_midl_version, { + "Version", "kerberos.midl.version", FT_UINT8, BASE_DEC, + NULL, 0, "Version of pickling", HFILL }}, + { &hf_krb_midl_hdr_len, { + "HDR Length", "kerberos.midl.hdr_len", FT_UINT16, BASE_DEC, + NULL, 0, "Length of header", HFILL }}, + { &hf_krb_pac_signature_type, { + "Type", "kerberos.pac.signature.type", FT_INT32, BASE_DEC, + NULL, 0, "PAC Signature Type", HFILL }}, + { &hf_krb_pac_signature_signature, { + "Signature", "kerberos.pac.signature.signature", FT_BYTES, BASE_NONE, + NULL, 0, "A PAC signature blob", HFILL }}, + { &hf_krb_w2k_pac_entries, { + "Num Entries", "kerberos.pac.entries", FT_UINT32, BASE_DEC, + NULL, 0, "Number of W2k PAC entries", HFILL }}, + { &hf_krb_w2k_pac_version, { + "Version", "kerberos.pac.version", FT_UINT32, BASE_DEC, + NULL, 0, "Version of PAC structures", HFILL }}, + { &hf_krb_w2k_pac_type, { + "Type", "kerberos.pac.type", FT_UINT32, BASE_DEC, + VALS(w2k_pac_types), 0, "Type of W2k PAC entry", HFILL }}, + { &hf_krb_w2k_pac_size, { + "Size", "kerberos.pac.size", FT_UINT32, BASE_DEC, + NULL, 0, "Size of W2k PAC entry", HFILL }}, + { &hf_krb_w2k_pac_offset, { + "Offset", "kerberos.pac.offset", FT_UINT32, BASE_DEC, + NULL, 0, "Offset to W2k PAC entry", HFILL }}, + { &hf_krb_pac_clientid, { + "ClientID", "kerberos.pac.clientid", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, + NULL, 0, "ClientID Timestamp", HFILL }}, + { &hf_krb_pac_namelen, { + "Name Length", "kerberos.pac.namelen", FT_UINT16, BASE_DEC, + NULL, 0, "Length of client name", HFILL }}, + { &hf_krb_pac_clientname, { + "Name", "kerberos.pac.name", FT_STRING, BASE_NONE, + NULL, 0, "Name of the Client in the PAC structure", HFILL }}, + { &hf_krb_pac_logon_info, { + "PAC_LOGON_INFO", "kerberos.pac_logon_info", FT_BYTES, BASE_NONE, + NULL, 0, "PAC_LOGON_INFO structure", HFILL }}, + { &hf_krb_pac_credential_type, { + "PAC_CREDENTIAL_TYPE", "kerberos.pac_credential_type", FT_BYTES, BASE_NONE, + NULL, 0, "PAC_CREDENTIAL_TYPE structure", HFILL }}, + { &hf_krb_pac_server_checksum, { + "PAC_SERVER_CHECKSUM", "kerberos.pac_server_checksum", FT_BYTES, BASE_NONE, + NULL, 0, "PAC_SERVER_CHECKSUM structure", HFILL }}, + { &hf_krb_pac_privsvr_checksum, { + "PAC_PRIVSVR_CHECKSUM", "kerberos.pac_privsvr_checksum", FT_BYTES, BASE_NONE, + NULL, 0, "PAC_PRIVSVR_CHECKSUM structure", HFILL }}, + { &hf_krb_pac_client_info_type, { + "PAC_CLIENT_INFO_TYPE", "kerberos.pac_client_info_type", FT_BYTES, BASE_NONE, + NULL, 0, "PAC_CLIENT_INFO_TYPE structure", HFILL }}, + { &hf_krb_pac_s4u_delegation_info, { + "PAC_S4U_DELEGATION_INFO", "kerberos.pac_s4u_delegation_info", FT_BYTES, BASE_NONE, + NULL, 0, "PAC_S4U_DELEGATION_INFO structure", HFILL }}, + { &hf_krb_pac_upn_dns_info, { + "UPN_DNS_INFO", "kerberos.pac_upn_dns_info", FT_BYTES, BASE_NONE, + NULL, 0, "UPN_DNS_INFO structure", HFILL }}, + { &hf_krb_pac_upn_flags, { + "Flags", "kerberos.pac.upn.flags", FT_UINT32, BASE_HEX, + NULL, 0, "UPN flags", HFILL }}, + { &hf_krb_pac_upn_dns_offset, { + "DNS Offset", "kerberos.pac.upn.dns_offset", FT_UINT16, BASE_DEC, + NULL, 0, NULL, HFILL }}, + { &hf_krb_pac_upn_dns_len, { + "DNS Len", "kerberos.pac.upn.dns_len", FT_UINT16, BASE_DEC, + NULL, 0, NULL, HFILL }}, + { &hf_krb_pac_upn_upn_offset, { + "UPN Offset", "kerberos.pac.upn.upn_offset", FT_UINT16, BASE_DEC, + NULL, 0, NULL, HFILL }}, + { &hf_krb_pac_upn_upn_len, { + "UPN Len", "kerberos.pac.upn.upn_len", FT_UINT16, BASE_DEC, + NULL, 0, NULL, HFILL }}, + { &hf_krb_pac_upn_upn_name, { + "UPN Name", "kerberos.pac.upn.upn_name", FT_STRING, BASE_NONE, + NULL, 0, NULL, HFILL }}, + { &hf_krb_pac_upn_dns_name, { + "DNS Name", "kerberos.pac.upn.dns_name", FT_STRING, BASE_NONE, + NULL, 0, NULL, HFILL }}, + +#include "packet-kerberos-hfarr.c" + }; + + /* List of subtrees */ + static gint *ett[] = { + &ett_kerberos, + &ett_krb_recordmark, + &ett_krb_pac, + &ett_krb_pac_drep, + &ett_krb_pac_midl_blob, + &ett_krb_pac_logon_info, + &ett_krb_pac_s4u_delegation_info, + &ett_krb_pac_upn_dns_info, + &ett_krb_pac_server_checksum, + &ett_krb_pac_privsvr_checksum, + &ett_krb_pac_client_info_type, +#include "packet-kerberos-ettarr.c" + }; + + static ei_register_info ei[] = { + { &ei_kerberos_decrypted_keytype, { "kerberos.decrypted_keytype", PI_SECURITY, PI_CHAT, "Decryted keytype", EXPFILL }}, + { &ei_kerberos_address, { "kerberos.address.unknown", PI_UNDECODED, PI_WARN, "KRB Address: I don't know how to parse this type of address yet", EXPFILL }}, + { &ei_krb_gssapi_dlglen, { "kerberos.gssapi.dlglen.error", PI_MALFORMED, PI_ERROR, "DlgLen is not the same as number of bytes remaining", EXPFILL }}, + }; + + expert_module_t* expert_krb; + module_t *krb_module; + + proto_kerberos = proto_register_protocol("Kerberos", "KRB5", "kerberos"); + proto_register_field_array(proto_kerberos, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + expert_krb = expert_register_protocol(proto_kerberos); + expert_register_field_array(expert_krb, ei, array_length(ei)); + + /* Register preferences */ + krb_module = prefs_register_protocol(proto_kerberos, kerberos_prefs_apply_cb); + prefs_register_bool_preference(krb_module, "desegment", + "Reassemble Kerberos over TCP messages spanning multiple TCP segments", + "Whether the Kerberos dissector should reassemble messages spanning multiple TCP segments." + " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.", + &krb_desegment); +#ifdef HAVE_KERBEROS + prefs_register_bool_preference(krb_module, "decrypt", + "Try to decrypt Kerberos blobs", + "Whether the dissector should try to decrypt " + "encrypted Kerberos blobs. This requires that the proper " + "keytab file is installed as well.", &krb_decrypt); + + prefs_register_filename_preference(krb_module, "file", + "Kerberos keytab file", + "The keytab file containing all the secrets", + &keytab_filename); +#endif + +} +static int wrap_dissect_gss_kerb(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di _U_,guint8 *drep _U_) +{ + tvbuff_t *auth_tvb; + + auth_tvb = tvb_new_subset_remaining(tvb, offset); + + dissect_kerberos_main(auth_tvb, pinfo, tree, FALSE, NULL); + + return tvb_captured_length_remaining(tvb, offset); +} + + +static dcerpc_auth_subdissector_fns gss_kerb_auth_connect_fns = { + wrap_dissect_gss_kerb, /* Bind */ + wrap_dissect_gss_kerb, /* Bind ACK */ + wrap_dissect_gss_kerb, /* AUTH3 */ + NULL, /* Request verifier */ + NULL, /* Response verifier */ + NULL, /* Request data */ + NULL /* Response data */ +}; + +static dcerpc_auth_subdissector_fns gss_kerb_auth_sign_fns = { + wrap_dissect_gss_kerb, /* Bind */ + wrap_dissect_gss_kerb, /* Bind ACK */ + wrap_dissect_gss_kerb, /* AUTH3 */ + wrap_dissect_gssapi_verf, /* Request verifier */ + wrap_dissect_gssapi_verf, /* Response verifier */ + NULL, /* Request data */ + NULL /* Response data */ +}; + +static dcerpc_auth_subdissector_fns gss_kerb_auth_seal_fns = { + wrap_dissect_gss_kerb, /* Bind */ + wrap_dissect_gss_kerb, /* Bind ACK */ + wrap_dissect_gss_kerb, /* AUTH3 */ + wrap_dissect_gssapi_verf, /* Request verifier */ + wrap_dissect_gssapi_verf, /* Response verifier */ + wrap_dissect_gssapi_payload, /* Request data */ + wrap_dissect_gssapi_payload /* Response data */ +}; + + + +void +proto_reg_handoff_kerberos(void) +{ + dissector_handle_t kerberos_handle_tcp; + + krb4_handle = find_dissector("krb4"); + + kerberos_handle_udp = create_dissector_handle(dissect_kerberos_udp, + proto_kerberos); + + kerberos_handle_tcp = create_dissector_handle(dissect_kerberos_tcp, + proto_kerberos); + + dissector_add_uint("udp.port", UDP_PORT_KERBEROS, kerberos_handle_udp); + dissector_add_uint("tcp.port", TCP_PORT_KERBEROS, kerberos_handle_tcp); + + register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_CONNECT, + DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS, + &gss_kerb_auth_connect_fns); + + register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY, + DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS, + &gss_kerb_auth_sign_fns); + + register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY, + DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS, + &gss_kerb_auth_seal_fns); +} + +/* + * Editor modelines - http://www.wireshark.org/tools/modelines.html + * + * Local variables: + * c-basic-offset: 8 + * tab-width: 8 + * indent-tabs-mode: t + * End: + * + * vi: set shiftwidth=8 tabstop=8 noexpandtab: + * :indentSize=8:tabSize=8:noTabs=false: + */ diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.h b/epan/dissectors/asn1/kerberos/packet-kerberos-template.h new file mode 100644 index 0000000000..4ed6a6e8cc --- /dev/null +++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.h @@ -0,0 +1,145 @@ +/* packet-kerberos.h + * Routines for kerberos packet dissection + * Copyright 2007, Anders Broman <anders.broman@ericsson.com> + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef __PACKET_KERBEROS_H +#define __PACKET_KERBEROS_H + +#include "ws_symbol_export.h" + +#ifdef __cplusplus +extern "C" { +#endif /* __cplusplus */ + +/* This is a list of callback functions a caller can use to specify that + octet strings in kerberos to be passed back to application specific + dissectors, outside of kerberos. + This is used for dissection of application specific data for PacketCable + KRB_SAFE user data and eventually to pass kerberos session keys + to future DCERPC decryption and other uses. + The list is terminated by {0, NULL } +*/ +#define KRB_CBTAG_SAFE_USER_DATA 1 +#define KRB_CBTAG_PRIV_USER_DATA 2 +typedef struct _kerberos_callbacks { + int tag; + int (*callback)(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree); +} kerberos_callbacks; + +/* Function prototypes */ + +gint +dissect_kerberos_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean do_col_info, kerberos_callbacks *cb); + +int +dissect_krb5_Checksum(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_); + +int +dissect_krb5_ctime(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_); + +int dissect_krb5_cname(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_); +int dissect_krb5_realm(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_); +guint32 kerberos_output_keytype(void); + +guint get_krb_pdu_len(packet_info *, tvbuff_t *tvb, int offset, void *data _U_); + +gint kerberos_rm_to_reclen(guint krb_rm); + +void +show_krb_recordmark(proto_tree *tree, tvbuff_t *tvb, gint start, guint32 krb_rm); + +#ifdef HAVE_KERBEROS +#define KRB_MAX_ORIG_LEN 256 + +#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS) +typedef struct _enc_key_t { + struct _enc_key_t *next; + int keytype; + int keylength; + char *keyvalue; + char key_origin[KRB_MAX_ORIG_LEN+1]; + int fd_num; /* remember where we learned a key */ +} enc_key_t; +extern enc_key_t *enc_key_list; + +guint8 * +decrypt_krb5_data(proto_tree *tree, packet_info *pinfo, + int usage, + tvbuff_t *crypototvb, + int keytype, + int *datalen); + +#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */ + +extern gboolean krb_decrypt; + +WS_DLL_PUBLIC +void read_keytab_file(const char *); + +WS_DLL_PUBLIC +void read_keytab_file_from_preferences(void); + +#endif /* HAVE_KERBEROS */ + +/* encryption type constants */ +#define KRB5_ENCTYPE_NULL 0 +#define KRB5_ENCTYPE_DES_CBC_CRC 1 +#define KRB5_ENCTYPE_DES_CBC_MD4 2 +#define KRB5_ENCTYPE_DES_CBC_MD5 3 +#define KRB5_ENCTYPE_DES_CBC_RAW 4 +#define KRB5_ENCTYPE_DES3_CBC_SHA 5 +#define KRB5_ENCTYPE_DES3_CBC_RAW 6 +#define KRB5_ENCTYPE_DES_HMAC_SHA1 8 +#define KRB5_ENCTYPE_DSA_SHA1_CMS 9 +#define KRB5_ENCTYPE_RSA_MD5_CMS 10 +#define KRB5_ENCTYPE_RSA_SHA1_CMS 11 +#define KRB5_ENCTYPE_RC2_CBC_ENV 12 +#define KRB5_ENCTYPE_RSA_ENV 13 +#define KRB5_ENCTYPE_RSA_ES_OEAP_ENV 14 +#define KRB5_ENCTYPE_DES_EDE3_CBC_ENV 15 +#define KRB5_ENCTYPE_DES3_CBC_SHA1 16 +#define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 17 +#define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 18 +#define KRB5_ENCTYPE_DES_CBC_MD5_NT 20 +#define KERB_ENCTYPE_RC4_HMAC 23 +#define KERB_ENCTYPE_RC4_HMAC_EXP 24 +#define KRB5_ENCTYPE_UNKNOWN 0x1ff +#define KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 0x7007 +#define KRB5_ENCTYPE_RC4_PLAIN_EXP 0xffffff73 +#define KRB5_ENCTYPE_RC4_PLAIN 0xffffff74 +#define KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP 0xffffff78 +#define KRB5_ENCTYPE_RC4_HMAC_OLD_EXP 0xffffff79 +#define KRB5_ENCTYPE_RC4_PLAIN_OLD 0xffffff7a +#define KRB5_ENCTYPE_RC4_HMAC_OLD 0xffffff7b +#define KRB5_ENCTYPE_DES_PLAIN 0xffffff7c +#define KRB5_ENCTYPE_RC4_SHA 0xffffff7d +#define KRB5_ENCTYPE_RC4_LM 0xffffff7e +#define KRB5_ENCTYPE_RC4_PLAIN2 0xffffff7f +#define KRB5_ENCTYPE_RC4_MD4 0xffffff80 + +#include "packet-kerberos-exp.h" + +#ifdef __cplusplus +} +#endif /* __cplusplus */ + +#endif /* __PACKET_KERBEROS_H */ |