aboutsummaryrefslogtreecommitdiffstats
path: root/epan/dissectors/asn1/kerberos
diff options
context:
space:
mode:
authorJoão Valverde <joao.valverde@tecnico.ulisboa.pt>2016-03-09 03:17:51 +0000
committerJoão Valverde <j@v6e.pt>2016-03-13 21:30:24 +0000
commit54a520d4a1151c68d0b4e5f09a8d82466fa499f3 (patch)
tree7aacae160382098ce651ac862a5dfd5de4beff94 /epan/dissectors/asn1/kerberos
parentc1f3c935bdd33090c87f0d2f84842ce9729b747a (diff)
Move /asn1 to /epan/dissectors
Change-Id: I1208fe3c2ba428995526f561e8f792b8d871e9a9 Reviewed-on: https://code.wireshark.org/review/14388 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Reviewed-by: João Valverde <j@v6e.pt>
Diffstat (limited to 'epan/dissectors/asn1/kerberos')
-rw-r--r--epan/dissectors/asn1/kerberos/CMakeLists.txt54
-rw-r--r--epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn497
-rw-r--r--epan/dissectors/asn1/kerberos/Makefile.am23
-rw-r--r--epan/dissectors/asn1/kerberos/Makefile.common46
-rw-r--r--epan/dissectors/asn1/kerberos/Makefile.nmake26
-rw-r--r--epan/dissectors/asn1/kerberos/RFC3244.asn12
-rw-r--r--epan/dissectors/asn1/kerberos/k5.asn775
-rw-r--r--epan/dissectors/asn1/kerberos/kerberos.cnf388
-rw-r--r--epan/dissectors/asn1/kerberos/packet-kerberos-template.c2506
-rw-r--r--epan/dissectors/asn1/kerberos/packet-kerberos-template.h145
10 files changed, 4472 insertions, 0 deletions
diff --git a/epan/dissectors/asn1/kerberos/CMakeLists.txt b/epan/dissectors/asn1/kerberos/CMakeLists.txt
new file mode 100644
index 0000000000..0de5b69e0e
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/CMakeLists.txt
@@ -0,0 +1,54 @@
+# CMakeLists.txt
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+set( PROTOCOL_NAME kerberos )
+
+set( PROTO_OPT )
+
+set( EXPORT_FILES
+ ${PROTOCOL_NAME}-exp.cnf
+)
+
+set( EXT_ASN_FILE_LIST
+)
+
+set( ASN_FILE_LIST
+ KerberosV5Spec2.asn
+ k5.asn
+ RFC3244.asn
+)
+
+set( EXTRA_DIST
+ ${ASN_FILE_LIST}
+ packet-${PROTOCOL_NAME}-template.c
+ packet-${PROTOCOL_NAME}-template.h
+ ${PROTOCOL_NAME}.cnf
+)
+
+set( SRC_FILES
+ ${EXTRA_DIST}
+ ${EXT_ASN_FILE_LIST}
+)
+
+set( A2W_FLAGS -b )
+
+ASN2WRS()
+
diff --git a/epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn b/epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn
new file mode 100644
index 0000000000..fb3f4e8b56
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn
@@ -0,0 +1,497 @@
+--http://www.ietf.org/rfc/rfc4120.txt?number=4120
+KerberosV5Spec2 {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2) modules(4) krb5spec2(2)
+} DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+-- OID arc for KerberosV5
+--
+-- This OID may be used to identify Kerberos protocol messages
+-- encapsulated in other protocols.
+--
+-- This OID also designates the OID arc for KerberosV5-related OIDs.
+--
+-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
+-- WS construct
+Applications ::= CHOICE {
+ ticket Ticket, -- 1 --
+ authenticator Authenticator, -- 2 --
+ encTicketPart EncTicketPart, -- 3 --
+ as-req AS-REQ, -- 10 --
+ as-rep AS-REP, -- 11 --
+ tgs-req TGS-REQ, -- 12 --
+ tgs-rep TGS-REP, -- 13 --
+ ap-req AP-REQ, -- 14 --
+ ap-rep AP-REP, -- 15 --
+ krb-safe KRB-SAFE, -- 20 --
+ krb-priv KRB-PRIV, -- 21 --
+ krb-cred KRB-CRED, -- 22 --
+ encASRepPart EncASRepPart, -- 25 --
+ encTGSRepPart EncTGSRepPart, -- 26 --
+ encAPRepPart EncAPRepPart, -- 27 --
+ encKrbPrivPart ENC-KRB-PRIV-PART, -- 28 --
+ encKrbCredPart EncKrbCredPart, -- 29 --
+ krb-error KRB-ERROR -- 30 --
+ }
+-- end WS construct
+id-krb5 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2)
+}
+
+Int32 ::= INTEGER (-2147483648..2147483647)
+ -- signed values representable in 32 bits
+
+UInt32 ::= INTEGER (0..4294967295)
+ -- unsigned 32 bit values
+
+Microseconds ::= INTEGER (0..999999)
+ -- microseconds
+
+KerberosString ::= GeneralString (IA5String)
+CNameString ::= GeneralString (IA5String)
+SNameString ::= GeneralString (IA5String)
+
+Realm ::= KerberosString
+
+PrincipalName ::= SEQUENCE {
+-- name-type [0] Int32, Use the translationj from krb5.asn (Heimdahl)
+ name-type [0] NAME-TYPE,
+ name-string [1] SEQUENCE OF KerberosString
+}
+
+CName ::= SEQUENCE {
+ name-type [0] NAME-TYPE,
+ cname-string [1] SEQUENCE OF CNameString
+}
+
+SName ::= SEQUENCE {
+ name-type [0] NAME-TYPE,
+ sname-string [1] SEQUENCE OF SNameString
+}
+
+KerberosTime ::= GeneralizedTime -- with no fractional seconds
+
+HostAddress ::= SEQUENCE {
+-- addr-type [0] Int32,
+ addr-type [0] ADDR-TYPE, --use k5.asn
+ address [1] OCTET STRING
+}
+
+-- NOTE: HostAddresses is always used as an OPTIONAL field and
+-- should not be empty.
+HostAddresses -- NOTE: subtly different from rfc1510,
+ -- but has a value mapping and encodes the same
+ ::= SEQUENCE OF HostAddress
+
+-- NOTE: AuthorizationData is always used as an OPTIONAL field and
+-- should not be empty.
+AuthorizationData ::= SEQUENCE OF SEQUENCE {
+ ad-type [0] Int32,
+ ad-data [1] OCTET STRING
+}
+
+PA-DATA ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+-- padata-type [1] Int32, use k5.asn
+ padata-type [1] PADATA-TYPE,
+ padata-value [2] OCTET STRING -- might be encoded AP-REQ
+}
+
+KerberosFlags ::= BIT STRING (SIZE (32..MAX))
+ -- minimum number of bits shall be sent,
+ -- but no fewer than 32
+
+EncryptedData ::= SEQUENCE {
+-- etype [0] Int32 - - EncryptionType - -, Use k5.asn
+ etype [0] ENCTYPE -- EncryptionType --,
+ kvno [1] UInt32 OPTIONAL,
+ cipher [2] OCTET STRING -- ciphertext
+}
+
+EncryptionKey ::= SEQUENCE {
+ keytype [0] Int32 -- actually encryption type --,
+ keyvalue [1] OCTET STRING
+}
+
+Checksum ::= SEQUENCE {
+-- cksumtype [0] Int32, Use k5.asn
+ cksumtype [0] CKSUMTYPE,
+ checksum [1] OCTET STRING
+}
+
+EncryptedTicketData ::= SEQUENCE {
+ etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn
+ kvno [1] UInt32 OPTIONAL,
+ cipher [2] OCTET STRING -- ciphertext
+}
+
+EncryptedAuthorizationData ::= SEQUENCE {
+ etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn
+ kvno [1] UInt32 OPTIONAL,
+ cipher [2] OCTET STRING -- ciphertext
+}
+
+EncryptedKDCREPData ::= SEQUENCE {
+ etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn
+ kvno [1] UInt32 OPTIONAL,
+ cipher [2] OCTET STRING -- ciphertext
+}
+
+EncryptedAPREPData ::= SEQUENCE {
+ etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn
+ kvno [1] UInt32 OPTIONAL,
+ cipher [2] OCTET STRING -- ciphertext
+}
+
+EncryptedKrbPrivData ::= SEQUENCE {
+ etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn
+ kvno [1] UInt32 OPTIONAL,
+ cipher [2] OCTET STRING -- ciphertext
+}
+
+EncryptedKrbCredData ::= SEQUENCE {
+ etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn
+ kvno [1] UInt32 OPTIONAL,
+ cipher [2] OCTET STRING -- ciphertext
+}
+
+Ticket ::= [APPLICATION 1] SEQUENCE {
+ tkt-vno [0] INTEGER (5),
+ realm [1] Realm,
+ sname [2] SName,
+ enc-part [3] EncryptedTicketData
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+ flags [0] TicketFlags,
+ key [1] EncryptionKey,
+ crealm [2] Realm,
+ cname [3] CName,
+ transited [4] TransitedEncoding,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ caddr [9] HostAddresses OPTIONAL,
+ authorization-data [10] AuthorizationData OPTIONAL
+}
+
+-- encoded Transited field
+TransitedEncoding ::= SEQUENCE {
+ tr-type [0] Int32 -- must be registered --,
+ contents [1] OCTET STRING
+}
+-- Use the k5.asn def
+-- TicketFlags ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+ -- may-postdate(5),
+ -- postdated(6),
+ -- invalid(7),
+ -- renewable(8),
+ -- initial(9),
+ -- pre-authent(10),
+ -- hw-authent(11),
+-- the following are new since 1510
+ -- transited-policy-checked(12),
+ -- ok-as-delegate(13)
+
+AS-REQ ::= [APPLICATION 10] KDC-REQ
+
+TGS-REQ ::= [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+ pvno [1] INTEGER (5) ,
+-- msg-type [2] INTEGER (10 - - AS - - | 12 - - TGS - -),
+-- msg-type [2] INTEGER, use k5.asn
+ msg-type [2] MESSAGE-TYPE,
+ padata [3] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ req-body [4] KDC-REQ-BODY
+}
+
+KDC-REQ-BODY ::= SEQUENCE {
+ kdc-options [0] KDCOptions,
+ cname [1] CName OPTIONAL
+ -- Used only in AS-REQ --,
+ realm [2] Realm
+ -- Server's realm
+ -- Also client's in AS-REQ --,
+ sname [3] SName OPTIONAL,
+ from [4] KerberosTime OPTIONAL,
+
+-- this field is not optional in the kerberos spec, however, in the packetcable spec it is optional
+-- make it optional here since normal kerberos will still decode the pdu correctly.
+ till [5] KerberosTime OPTIONAL,
+
+ rtime [6] KerberosTime OPTIONAL,
+ nonce [7] UInt32,
+-- etype [8] SEQUENCE OF Int32 - - EncryptionType Use k5.asn
+ etype [8] SEQUENCE OF ENCTYPE -- EncryptionType
+ -- in preference order --,
+ addresses [9] HostAddresses OPTIONAL,
+ enc-authorization-data [10] EncryptedAuthorizationData OPTIONAL
+ -- AuthorizationData --,
+ additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
+ -- NOTE: not empty
+}
+
+-- Use th k5.asn def
+--KDCOptions ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+ -- allow-postdate(5),
+ -- postdated(6),
+ -- unused7(7),
+ -- renewable(8),
+ -- unused9(9),
+ -- unused10(10),
+ -- opt-hardware-auth(11),
+ -- unused12(12),
+ -- unused13(13),
+-- 15 is reserved for canonicalize
+ -- unused15(15),
+-- 26 was unused in 1510
+ -- disable-transited-check(26),
+--
+ -- renewable-ok(27),
+ -- enc-tkt-in-skey(28),
+ -- renew(30),
+ -- validate(31)
+
+AS-REP ::= [APPLICATION 11] KDC-REP
+
+TGS-REP ::= [APPLICATION 13] KDC-REP
+
+
+KDC-REP ::= SEQUENCE {
+ pvno [0] INTEGER (5),
+-- msg-type [1] INTEGER (11 - - AS - - | 13 - - TGS - -),
+-- msg-type [1] INTEGER, use k5.asn
+ msg-type [1] MESSAGE-TYPE,
+ padata [2] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ crealm [3] Realm,
+ cname [4] CName,
+ ticket [5] Ticket,
+ enc-part [6] EncryptedKDCREPData
+ -- EncASRepPart or EncTGSRepPart,
+ -- as appropriate
+}
+
+EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
+
+EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::= SEQUENCE {
+ key [0] EncryptionKey,
+ last-req [1] LastReq,
+ nonce [2] UInt32,
+ key-expiration [3] KerberosTime OPTIONAL,
+ flags [4] TicketFlags,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ srealm [9] Realm,
+ sname [10] SName,
+ caddr [11] HostAddresses OPTIONAL,
+ encrypted-pa-data[12] METHOD-DATA OPTIONAL -- from k5.asn
+}
+
+LastReq ::= SEQUENCE OF SEQUENCE {
+-- lr-type [0] Int32, Use k5.asn
+ lr-type [0] LR-TYPE,
+ lr-value [1] KerberosTime
+}
+
+AP-REQ ::= [APPLICATION 14] SEQUENCE {
+ pvno [0] INTEGER (5),
+-- msg-type [1] INTEGER (14), use k5.asn
+ msg-type [1] MESSAGE-TYPE,
+ ap-options [2] APOptions,
+ ticket [3] Ticket,
+ authenticator [4] EncryptedAuthorizationData -- Authenticator
+}
+-- Use the krb5.asn def.
+--APOptions ::= KerberosFlags
+ -- reserved(0),
+ -- use-session-key(1),
+ -- mutual-required(2)
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE {
+ authenticator-vno [0] INTEGER (5),
+ crealm [1] Realm,
+ cname [2] CName,
+ cksum [3] Checksum OPTIONAL,
+ cusec [4] Microseconds,
+ ctime [5] KerberosTime,
+ subkey [6] EncryptionKey OPTIONAL,
+ seq-number [7] UInt32 OPTIONAL,
+ authorization-data [8] AuthorizationData OPTIONAL
+}
+
+AP-REP ::= [APPLICATION 15] SEQUENCE {
+ pvno [0] INTEGER (5),
+-- msg-type [1] INTEGER (15), Use k5.asn
+ msg-type [1] MESSAGE-TYPE,
+ enc-part [2] EncryptedAPREPData -- EncAPRepPart
+}
+
+EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
+ ctime [0] KerberosTime,
+ cusec [1] Microseconds,
+ subkey [2] EncryptionKey OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL
+}
+
+KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
+ pvno [0] INTEGER (5),
+-- msg-type [1] INTEGER (20), use k5.asn
+ msg-type [1] MESSAGE-TYPE,
+ safe-body [2] KRB-SAFE-BODY,
+ cksum [3] Checksum
+}
+
+KRB-SAFE-BODY ::= SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress OPTIONAL, -- XXX this one is OPTIONAL in packetcable? but mandatory in kerberos
+ r-address [5] HostAddress OPTIONAL
+}
+
+KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+ pvno [0] INTEGER (5),
+-- msg-type [1] INTEGER (21), Use k5.asn
+ msg-type [1] MESSAGE-TYPE,
+ -- NOTE: there is no [2] tag
+ enc-part [3] EncryptedKrbPrivData -- EncKrbPrivPart
+}
+
+ENC-KRB-PRIV-PART ::= [APPLICATION 28] EncKrbPrivPart
+
+EncKrbPrivPart ::= SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress -- sender's addr --,
+ r-address [5] HostAddress OPTIONAL -- recip's addr
+}
+
+KRB-CRED ::= [APPLICATION 22] SEQUENCE {
+ pvno [0] INTEGER (5),
+-- msg-type [1] INTEGER (22), use k5.asn
+ msg-type [1] MESSAGE-TYPE,
+ tickets [2] SEQUENCE OF Ticket,
+ enc-part [3] EncryptedKrbCredData -- EncKrbCredPart
+}
+
+EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
+ ticket-info [0] SEQUENCE OF KrbCredInfo,
+ nonce [1] UInt32 OPTIONAL,
+ timestamp [2] KerberosTime OPTIONAL,
+ usec [3] Microseconds OPTIONAL,
+ s-address [4] HostAddress OPTIONAL,
+ r-address [5] HostAddress OPTIONAL
+}
+
+KrbCredInfo ::= SEQUENCE {
+ key [0] EncryptionKey,
+ prealm [1] Realm OPTIONAL,
+ pname [2] PrincipalName OPTIONAL,
+ flags [3] TicketFlags OPTIONAL,
+ authtime [4] KerberosTime OPTIONAL,
+ starttime [5] KerberosTime OPTIONAL,
+ endtime [6] KerberosTime OPTIONAL,
+ renew-till [7] KerberosTime OPTIONAL,
+ srealm [8] Realm OPTIONAL,
+ sname [9] SName OPTIONAL,
+ caddr [10] HostAddresses OPTIONAL
+}
+
+KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+ pvno [0] INTEGER (5),
+-- msg-type [1] INTEGER (30), use k5.asn
+ msg-type [1] MESSAGE-TYPE,
+ ctime [2] KerberosTime OPTIONAL,
+ cusec [3] Microseconds OPTIONAL,
+ stime [4] KerberosTime,
+ susec [5] Microseconds,
+-- error-code [6] Int32,
+ error-code [6] ERROR-CODE, -- Use k5.asn
+ crealm [7] Realm OPTIONAL,
+ cname [8] CName OPTIONAL,
+ realm [9] Realm -- service realm --,
+ sname [10] SName -- service name --,
+ e-text [11] KerberosString OPTIONAL,
+ e-data [12] OCTET STRING OPTIONAL,
+ e-checksum [13] Checksum OPTIONAL -- used by PacketCable
+}
+
+METHOD-DATA ::= SEQUENCE OF PA-DATA
+
+TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ data-type [0] Int32,
+ data-value [1] OCTET STRING OPTIONAL
+}
+
+-- preauth stuff follows
+
+PA-ENC-TIMESTAMP ::= SEQUENCE {
+ etype [0] ENCTYPE -- EncryptionType --,
+ kvno [1] UInt32 OPTIONAL,
+ cipher [2] OCTET STRING -- ciphertext
+}
+
+PA-ENC-TS-ENC ::= SEQUENCE {
+ patimestamp [0] KerberosTime -- client's time --,
+ pausec [1] Microseconds OPTIONAL
+}
+
+ETYPE-INFO-ENTRY ::= SEQUENCE {
+-- etype [0] Int32, use k5.asn
+ etype [0] ENCTYPE,
+ salt [1] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+ETYPE-INFO2-ENTRY ::= SEQUENCE {
+-- etype [0] Int32, use k5.asn
+ etype [0] ENCTYPE,
+ salt [1] KerberosString OPTIONAL,
+ s2kparams [2] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
+AD-IF-RELEVANT ::= AuthorizationData
+
+AD-KDCIssued ::= SEQUENCE {
+ ad-checksum [0] Checksum,
+ i-realm [1] Realm OPTIONAL,
+ i-sname [2] SName OPTIONAL,
+ elements [3] AuthorizationData
+}
+
+AD-AND-OR ::= SEQUENCE {
+ condition-count [0] Int32,
+ elements [1] AuthorizationData
+}
+
+AD-MANDATORY-FOR-KDC ::= AuthorizationData
+
+END
diff --git a/epan/dissectors/asn1/kerberos/Makefile.am b/epan/dissectors/asn1/kerberos/Makefile.am
new file mode 100644
index 0000000000..72d28e600b
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/Makefile.am
@@ -0,0 +1,23 @@
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+
+include ../Makefile.preinc
+include Makefile.common
+include ../Makefile.inc
+
diff --git a/epan/dissectors/asn1/kerberos/Makefile.common b/epan/dissectors/asn1/kerberos/Makefile.common
new file mode 100644
index 0000000000..1871c27ca4
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/Makefile.common
@@ -0,0 +1,46 @@
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+
+PROTOCOL_NAME=kerberos
+
+EXPORT_FILES = \
+ $(PROTOCOL_NAME)-exp.cnf
+
+EXT_ASN_FILE_LIST =
+
+ASN_FILE_LIST = \
+ KerberosV5Spec2.asn \
+ k5.asn \
+ RFC3244.asn
+
+EXTRA_DIST = \
+ $(EXTRA_DIST_COMMON) \
+ $(ASN_FILE_LIST) \
+ packet-$(PROTOCOL_NAME)-template.c \
+ packet-$(PROTOCOL_NAME)-template.h \
+ $(PROTOCOL_NAME).cnf
+
+SRC_FILES = \
+ $(EXTRA_DIST) \
+ $(EXT_ASN_FILE_LIST)
+
+A2W_FLAGS= -b
+
+EXTRA_CNF=
+
diff --git a/epan/dissectors/asn1/kerberos/Makefile.nmake b/epan/dissectors/asn1/kerberos/Makefile.nmake
new file mode 100644
index 0000000000..d296638ddd
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/Makefile.nmake
@@ -0,0 +1,26 @@
+## Use: $(MAKE) /$(MAKEFLAGS) -f makefile.nmake
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+
+include ../../../../config.nmake
+include ../Makefile.preinc.nmake
+include Makefile.common
+include ../Makefile.inc.nmake
+
diff --git a/epan/dissectors/asn1/kerberos/RFC3244.asn b/epan/dissectors/asn1/kerberos/RFC3244.asn
new file mode 100644
index 0000000000..4dcd06e1ec
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/RFC3244.asn
@@ -0,0 +1,12 @@
+-- Extracted from RFC 3244
+
+RFC3244 DEFINITIONS ::=
+BEGIN
+
+ChangePasswdData ::= SEQUENCE {
+ newpasswd[0] OCTET STRING,
+ targname[1] PrincipalName OPTIONAL,
+ targrealm[2] Realm OPTIONAL
+}
+
+END
diff --git a/epan/dissectors/asn1/kerberos/k5.asn b/epan/dissectors/asn1/kerberos/k5.asn
new file mode 100644
index 0000000000..dde61ec87f
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/k5.asn
@@ -0,0 +1,775 @@
+-- Extracted from http://www.h5l.org/dist/src/heimdal-1.2.tar.gz
+-- Id: k5.asn1 22745 2008-03-24 12:07:54Z lha $
+-- Commented out stuff already in KerberosV5Spec2.asn
+KERBEROS5 DEFINITIONS ::=
+BEGIN
+
+NAME-TYPE ::= INTEGER {
+ kRB5-NT-UNKNOWN(0), -- Name type not known
+ kRB5-NT-PRINCIPAL(1), -- Just the name of the principal as in
+ kRB5-NT-SRV-INST(2), -- Service and other unique instance (krbtgt)
+ kRB5-NT-SRV-HST(3), -- Service with host name as instance
+ kRB5-NT-SRV-XHST(4), -- Service with host as remaining components
+ kRB5-NT-UID(5), -- Unique ID
+ kRB5-NT-X500-PRINCIPAL(6), -- PKINIT
+ kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name
+ kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN
+ kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID
+ kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name
+ kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID
+}
+
+-- message types
+
+MESSAGE-TYPE ::= INTEGER {
+ krb-as-req(10), -- Request for initial authentication
+ krb-as-rep(11), -- Response to KRB_AS_REQ request
+ krb-tgs-req(12), -- Request for authentication based on TGT
+ krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
+ krb-ap-req(14), -- application request to server
+ krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
+ krb-safe(20), -- Safe (checksummed) application message
+ krb-priv(21), -- Private (encrypted) application message
+ krb-cred(22), -- Private (encrypted) message to forward credentials
+ krb-error(30) -- Error response
+}
+
+
+-- pa-data types
+
+PADATA-TYPE ::= INTEGER {
+ kRB5-PADATA-NONE(0),
+ kRB5-PADATA-TGS-REQ(1),
+ kRB5-PADATA-AP-REQ(1),
+ kRB5-PADATA-ENC-TIMESTAMP(2),
+ kRB5-PADATA-PW-SALT(3),
+ kRB5-PADATA-ENC-UNIX-TIME(5),
+ kRB5-PADATA-SANDIA-SECUREID(6),
+ kRB5-PADATA-SESAME(7),
+ kRB5-PADATA-OSF-DCE(8),
+ kRB5-PADATA-CYBERSAFE-SECUREID(9),
+ kRB5-PADATA-AFS3-SALT(10),
+ kRB5-PADATA-ETYPE-INFO(11),
+ kRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
+ kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
+ kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
+ kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
+ kRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
+ kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
+ kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
+ kRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
+ kRB5-PADATA-ETYPE-INFO2(19),
+ kRB5-PADATA-USE-SPECIFIED-KVNO(20),
+ kRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
+ kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
+ kRB5-PADATA-GET-FROM-TYPED-DATA(22),
+ kRB5-PADATA-SAM-ETYPE-INFO(23),
+ kRB5-PADATA-SERVER-REFERRAL(25),
+ kRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
+ kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
+ kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
+ kRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
+ kRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
+ kRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
+ kRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
+ kRB5-PADATA-S4U2SELF(129),
+ kRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
+ -- tell KDC that is supports
+ -- the asCheckSum in the
+ -- PK-AS-REP
+ kRB5-PADATA-CLIENT-CANONICALIZED(133) --
+}
+
+AUTHDATA-TYPE ::= INTEGER {
+ kRB5-AUTHDATA-IF-RELEVANT(1),
+ kRB5-AUTHDATA-INTENDED-FOR-SERVER(2),
+ kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
+ kRB5-AUTHDATA-KDC-ISSUED(4),
+ kRB5-AUTHDATA-AND-OR(5),
+ kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
+ kRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
+ kRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
+ kRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
+ kRB5-AUTHDATA-OSF-DCE(64),
+ kRB5-AUTHDATA-SESAME(65),
+ kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
+ kRB5-AUTHDATA-WIN2K-PAC(128),
+ kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
+ kRB5-AUTHDATA-SIGNTICKET(-17)
+}
+
+-- checksumtypes
+
+CKSUMTYPE ::= INTEGER {
+ cKSUMTYPE-NONE(0),
+ cKSUMTYPE-CRC32(1),
+ cKSUMTYPE-RSA-MD4(2),
+ cKSUMTYPE-RSA-MD4-DES(3),
+ cKSUMTYPE-DES-MAC(4),
+ cKSUMTYPE-DES-MAC-K(5),
+ cKSUMTYPE-RSA-MD4-DES-K(6),
+ cKSUMTYPE-RSA-MD5(7),
+ cKSUMTYPE-RSA-MD5-DES(8),
+ cKSUMTYPE-RSA-MD5-DES3(9),
+ cKSUMTYPE-SHA1-OTHER(10),
+ cKSUMTYPE-HMAC-SHA1-DES3-KD(12),
+ cKSUMTYPE-HMAC-SHA1-DES3(13),
+ cKSUMTYPE-SHA1(14),
+ cKSUMTYPE-HMAC-SHA1-96-AES-128(15),
+ cKSUMTYPE-HMAC-SHA1-96-AES-256(16),
+ cKSUMTYPE-CMAC-CAMELLIA128(17),
+ cKSUMTYPE-CMAC-CAMELLIA256(18),
+ cKSUMTYPE-GSSAPI(--0x8003--32771),
+ cKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number
+ cKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial
+}
+
+--enctypes
+ENCTYPE ::= INTEGER {
+ eTYPE-NULL(0),
+ eTYPE-DES-CBC-CRC(1),
+ eTYPE-DES-CBC-MD4(2),
+ eTYPE-DES-CBC-MD5(3),
+ eTYPE-DES3-CBC-MD5(5),
+ eTYPE-OLD-DES3-CBC-SHA1(7),
+ eTYPE-SIGN-DSA-GENERATE(8),
+ eTYPE-DSA-SHA1(9),
+ eTYPE-RSA-MD5(10),
+ eTYPE-RSA-SHA1(11),
+ eTYPE-RC2-CBC(12),
+ eTYPE-RSA(13),
+ eTYPE-RSAES-OAEP(14),
+ eTYPE-DES-EDE3-CBC(15),
+ eTYPE-DES3-CBC-SHA1(16), -- with key derivation
+ eTYPE-AES128-CTS-HMAC-SHA1-96(17),
+ eTYPE-AES256-CTS-HMAC-SHA1-96(18),
+ eTYPE-ARCFOUR-HMAC-MD5(23),
+ eTYPE-ARCFOUR-HMAC-MD5-56(24),
+ eTYPE-CAMELLIA128-CTS-CMAC(25),
+ eTYPE-CAMELLIA256-CTS-CMAC(26),
+ eTYPE-ENCTYPE-PK-CROSS(48),
+-- some "old" windows types
+ eTYPE-ARCFOUR-MD4(-128),
+ eTYPE-ARCFOUR-HMAC-OLD(-133),
+ eTYPE-ARCFOUR-HMAC-OLD-EXP(-135),
+-- these are for Heimdal internal use
+-- eTYPE-DES-CBC-NONE(-0x1000),
+ eTYPE-DES-CBC-NONE( -4096),
+-- eTYPE-DES3-CBC-NONE(-0x1001),
+ eTYPE-DES3-CBC-NONE(-4097),
+-- eTYPE-DES-CFB64-NONE(-0x1002),
+ eTYPE-DES-CFB64-NONE(-4098),
+-- eTYPE-DES-PCBC-NONE(-0x1003),
+ eTYPE-DES-PCBC-NONE(-4099),
+-- eTYPE-DIGEST-MD5-NONE(-0x1004), - - private use, lukeh@padl.com
+ eTYPE-DIGEST-MD5-NONE(-4100), -- private use, lukeh@padl.com
+-- eTYPE-CRAM-MD5-NONE(-0x1005) - - private use, lukeh@padl.com
+ eTYPE-CRAM-MD5-NONE(-4101) -- private use, lukeh@padl.com
+}
+
+-- addr-types (WS extension )
+ADDR-TYPE ::= INTEGER {
+ iPv4(2),
+ cHAOS(5),
+ xEROX(6),
+ iSO(7),
+ dECNET(12),
+ aPPLETALK(16),
+ nETBIOS(20),
+ iPv6(24)
+}
+
+-- error-codes (WS extension)
+ERROR-CODE ::= INTEGER {
+--error table constants
+ eRR-NONE(0),
+ eRR-NAME-EXP(1),
+ eRR-SERVICE-EXP(2),
+ eRR-BAD-PVNO(3),
+ eRR-C-OLD-MAST-KVNO(4),
+ eRR-S-OLD-MAST-KVNO(5),
+ eRR-C-PRINCIPAL-UNKNOWN(6),
+ eRR-S-PRINCIPAL-UNKNOWN(7),
+ eRR-PRINCIPAL-NOT-UNIQUE(8),
+ eRR-NULL-KEY(9),
+ eRR-CANNOT-POSTDATE(10),
+ eRR-NEVER-VALID(11),
+ eRR-POLICY(12),
+ eRR-BADOPTION(13),
+ eRR-ETYPE-NOSUPP(14),
+ eRR-SUMTYPE-NOSUPP(15),
+ eRR-PADATA-TYPE-NOSUPP(16),
+ eRR-TRTYPE-NOSUPP(17),
+ eRR-CLIENT-REVOKED(18),
+ eRR-SERVICE-REVOKED(19),
+ eRR-TGT-REVOKED(20),
+ eRR-CLIENT-NOTYET(21),
+ eRR-SERVICE-NOTYET(22),
+ eRR-KEY-EXP(23),
+ eRR-PREAUTH-FAILED(24),
+ eRR-PREAUTH-REQUIRED(25),
+ eRR-SERVER-NOMATCH(26),
+ eRR-MUST-USE-USER2USER(27),
+ eRR-PATH-NOT-ACCEPTED(28),
+ eRR-SVC-UNAVAILABLE(29),
+ eRR-BAD-INTEGRITY(31),
+ eRR-TKT-EXPIRED(32),
+ eRR-TKT-NYV(33),
+ eRR-REPEAT(34),
+ eRR-NOT-US(35),
+ eRR-BADMATCH(36),
+ eRR-SKEW(37),
+ eRR-BADADDR(38),
+ eRR-BADVERSION(39),
+ eRR-MSG-TYPE(40),
+ eRR-MODIFIED(41),
+ eRR-BADORDER(42),
+ eRR-ILL-CR-TKT(43),
+ eRR-BADKEYVER(44),
+ eRR-NOKEY(45),
+ eRR-MUT-FAIL(46),
+ eRR-BADDIRECTION(47),
+ eRR-METHOD(48),
+ eRR-BADSEQ(49),
+ eRR-INAPP-CKSUM(50),
+ pATH-NOT-ACCEPTED(51),
+ eRR-RESPONSE-TOO-BIG(52),
+ eRR-GENERIC(60),
+ eRR-FIELD-TOOLONG(61),
+ eRROR-CLIENT-NOT-TRUSTED(62),
+ eRROR-KDC-NOT-TRUSTED(63),
+ eRROR-INVALID-SIG(64),
+ eRR-KEY-TOO-WEAK(65),
+ eRR-CERTIFICATE-MISMATCH(66),
+ eRR-NO-TGT(67),
+ eRR-WRONG-REALM(68),
+ eRR-USER-TO-USER-REQUIRED(69),
+ eRR-CANT-VERIFY-CERTIFICATE(70),
+ eRR-INVALID-CERTIFICATE(71),
+ eRR-REVOKED-CERTIFICATE(72),
+ eRR-REVOCATION-STATUS-UNKNOWN(73),
+ eRR-REVOCATION-STATUS-UNAVAILABLE(74),
+ eRR-CLIENT-NAME-MISMATCH(75),
+ eRR-KDC-NAME-MISMATCH(76)
+}
+
+-- this is sugar to make something ASN1 does not have: unsigned
+
+Krb5uint32 ::= INTEGER (0..4294967295)
+Krb5int32 ::= INTEGER (-2147483648..2147483647)
+
+--KerberosString ::= GeneralString
+
+--Realm ::= GeneralString
+--PrincipalName ::= SEQUENCE {
+-- name-type[0] NAME-TYPE,
+-- name-string[1] SEQUENCE OF GeneralString
+--}
+
+-- this is not part of RFC1510
+Principal ::= SEQUENCE {
+ name[0] PrincipalName,
+ realm[1] Realm
+}
+
+--HostAddress ::= SEQUENCE {
+-- addr-type [0] Krb5int32,
+-- address [1] OCTET STRING
+--}
+
+-- This is from RFC1510.
+--
+-- HostAddresses ::= SEQUENCE OF SEQUENCE {
+-- addr-type[0] Krb5int32,
+-- address[1] OCTET STRING
+-- }
+
+-- This seems much better.
+--HostAddresses ::= SEQUENCE OF HostAddress
+
+
+--KerberosTime ::= GeneralizedTime - - Specifying UTC time zone (Z)
+
+--AuthorizationDataElement ::= SEQUENCE {
+-- ad-type[0] Krb5int32,
+-- ad-data[1] OCTET STRING
+--}
+
+--AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
+
+APOptions ::= BIT STRING {
+ reserved(0),
+ use-session-key(1),
+ mutual-required(2)
+}
+
+TicketFlags ::= BIT STRING {
+ reserved(0),
+ forwardable(1),
+ forwarded(2),
+ proxiable(3),
+ proxy(4),
+ may-postdate(5),
+ postdated(6),
+ invalid(7),
+ renewable(8),
+ initial(9),
+ pre-authent(10),
+ hw-authent(11),
+ transited-policy-checked(12),
+ ok-as-delegate(13),
+ anonymous(14)
+}
+
+KDCOptions ::= BIT STRING {
+ reserved(0),
+ forwardable(1),
+ forwarded(2),
+ proxiable(3),
+ proxy(4),
+ allow-postdate(5),
+ postdated(6),
+ unused7(7),
+ renewable(8),
+ unused9(9),
+ unused10(10),
+ opt-hardware-auth(11), -- taken from KerberosV5Spec2.asn
+ request-anonymous(14),
+ canonicalize(15),
+ constrained-delegation(16), -- ms extension
+ disable-transited-check(26),
+ renewable-ok(27),
+ enc-tkt-in-skey(28),
+ renew(30),
+ validate(31)
+}
+
+LR-TYPE ::= INTEGER {
+ lR-NONE(0), -- no information
+ lR-INITIAL-TGT(1), -- last initial TGT request
+ lR-INITIAL(2), -- last initial request
+ lR-ISSUE-USE-TGT(3), -- time of newest TGT used
+ lR-RENEWAL(4), -- time of last renewal
+ lR-REQUEST(5), -- time of last request (of any type)
+ lR-PW-EXPTIME(6), -- expiration time of password
+ lR-ACCT-EXPTIME(7) -- expiration time of account
+}
+
+--LastReq ::= SEQUENCE OF SEQUENCE {
+-- lr-type[0] LR-TYPE,
+-- lr-value[1] KerberosTime
+--}
+
+
+--EncryptedData ::= SEQUENCE {
+-- etype[0] ENCTYPE, - - EncryptionType
+-- kvno[1] Krb5int32 OPTIONAL,
+-- cipher[2] OCTET STRING - - ciphertext
+--}
+
+--EncryptionKey ::= SEQUENCE {
+-- keytype[0] Krb5int32,
+-- keyvalue[1] OCTET STRING
+--}
+
+-- encoded Transited field
+--TransitedEncoding ::= SEQUENCE {
+-- tr-type[0] Krb5int32, - - must be registered
+-- contents[1] OCTET STRING
+--}
+
+--Ticket ::= [APPLICATION 1] SEQUENCE {
+-- tkt-vno[0] Krb5int32,
+-- realm[1] Realm,
+-- sname[2] PrincipalName,
+-- enc-part[3] EncryptedData
+--}
+-- Encrypted part of ticket
+--EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+-- flags[0] TicketFlags,
+-- key[1] EncryptionKey,
+-- crealm[2] Realm,
+-- cname[3] PrincipalName,
+-- transited[4] TransitedEncoding,
+-- authtime[5] KerberosTime,
+-- starttime[6] KerberosTime OPTIONAL,
+-- endtime[7] KerberosTime,
+-- renew-till[8] KerberosTime OPTIONAL,
+-- caddr[9] HostAddresses OPTIONAL,
+-- authorization-data[10] AuthorizationData OPTIONAL
+--}
+
+--Checksum ::= SEQUENCE {
+-- cksumtype[0] CKSUMTYPE,
+-- checksum[1] OCTET STRING
+--}
+
+--Authenticator ::= [APPLICATION 2] SEQUENCE {
+-- authenticator-vno[0] Krb5int32,
+-- crealm[1] Realm,
+-- cname[2] PrincipalName,
+-- cksum[3] Checksum OPTIONAL,
+-- cusec[4] Krb5int32,
+-- ctime[5] KerberosTime,
+-- subkey[6] EncryptionKey OPTIONAL,
+-- seq-number[7] Krb5uint32 OPTIONAL,
+-- authorization-data[8] AuthorizationData OPTIONAL
+--}
+
+--PA-DATA ::= SEQUENCE {
+ -- might be encoded AP-REQ
+-- padata-type[1] PADATA-TYPE,
+-- padata-value[2] OCTET STRING
+--}
+
+--ETYPE-INFO-ENTRY ::= SEQUENCE {
+-- etype[0] ENCTYPE,
+-- salt[1] OCTET STRING OPTIONAL,
+-- salttype[2] Krb5int32 OPTIONAL
+--}
+
+--ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+--ETYPE-INFO2-ENTRY ::= SEQUENCE {
+-- etype[0] ENCTYPE,
+-- salt[1] KerberosString OPTIONAL,
+-- s2kparams[2] OCTET STRING OPTIONAL
+--}
+
+--ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
+-- METHOD-DATA ::= SEQUENCE OF PA-DATA
+
+--TypedData ::= SEQUENCE {
+-- data-type[0] Krb5int32,
+-- data-value[1] OCTET STRING OPTIONAL
+--}
+
+--TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
+
+--KDC-REQ-BODY ::= SEQUENCE {
+-- kdc-options[0] KDCOptions,
+-- cname[1] PrincipalName OPTIONAL, - - Used only in AS-REQ
+-- realm[2] Realm, - - Server's realm
+ -- Also client's in AS-REQ
+-- sname[3] PrincipalName OPTIONAL,
+-- from[4] KerberosTime OPTIONAL,
+-- till[5] KerberosTime OPTIONAL,
+-- rtime[6] KerberosTime OPTIONAL,
+-- nonce[7] Krb5int32,
+-- etype[8] SEQUENCE OF ENCTYPE, - - EncryptionType,
+ -- in preference order
+-- addresses[9] HostAddresses OPTIONAL,
+-- enc-authorization-data[10] EncryptedData OPTIONAL,
+ -- Encrypted AuthorizationData encoding
+-- additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
+--}
+
+--KDC-REQ ::= SEQUENCE {
+-- pvno[1] Krb5int32,
+-- msg-type[2] MESSAGE-TYPE,
+-- padata[3] METHOD-DATA OPTIONAL,
+-- req-body[4] KDC-REQ-BODY
+--}
+
+--AS-REQ ::= [APPLICATION 10] KDC-REQ
+--TGS-REQ ::= [APPLICATION 12] KDC-REQ
+
+-- padata-type ::= PA-ENC-TIMESTAMP
+-- padata-value ::= EncryptedData - PA-ENC-TS-ENC
+
+--PA-ENC-TS-ENC ::= SEQUENCE {
+-- patimestamp[0] KerberosTime, - - client's time
+-- pausec[1] Krb5int32 OPTIONAL
+--}
+
+-- draft-brezak-win2k-krb-authz-01
+PA-PAC-REQUEST ::= SEQUENCE {
+ include-pac[0] BOOLEAN -- Indicates whether a PAC
+ -- should be included or not
+}
+
+-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
+PROV-SRV-LOCATION ::= GeneralString
+
+--KDC-REP ::= SEQUENCE {
+-- pvno[0] Krb5int32,
+-- msg-type[1] MESSAGE-TYPE,
+-- padata[2] METHOD-DATA OPTIONAL,
+-- crealm[3] Realm,
+-- cname[4] PrincipalName,
+-- ticket[5] Ticket,
+-- enc-part[6] EncryptedData
+--}
+
+--AS-REP ::= [APPLICATION 11] KDC-REP
+--TGS-REP ::= [APPLICATION 13] KDC-REP
+
+--EncKDCRepPart ::= SEQUENCE {
+-- key[0] EncryptionKey,
+-- last-req[1] LastReq,
+-- nonce[2] Krb5int32,
+-- key-expiration[3] KerberosTime OPTIONAL,
+-- flags[4] TicketFlags,
+-- authtime[5] KerberosTime,
+-- starttime[6] KerberosTime OPTIONAL,
+-- endtime[7] KerberosTime,
+-- renew-till[8] KerberosTime OPTIONAL,
+-- srealm[9] Realm,
+-- sname[10] PrincipalName,
+-- caddr[11] HostAddresses OPTIONAL,
+-- encrypted-pa-data[12] METHOD-DATA OPTIONAL
+--}
+
+--EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
+--EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
+
+--AP-REQ ::= [APPLICATION 14] SEQUENCE {
+-- pvno[0] Krb5int32,
+-- msg-type[1] MESSAGE-TYPE,
+-- ap-options[2] APOptions,
+-- ticket[3] Ticket,
+-- authenticator[4] EncryptedData
+--}
+
+--AP-REP ::= [APPLICATION 15] SEQUENCE {
+-- pvno[0] Krb5int32,
+-- msg-type[1] MESSAGE-TYPE,
+-- enc-part[2] EncryptedData
+--}
+
+--EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
+-- ctime[0] KerberosTime,
+-- cusec[1] Krb5int32,
+-- subkey[2] EncryptionKey OPTIONAL,
+-- seq-number[3] Krb5uint32 OPTIONAL
+--}
+
+--KRB-SAFE-BODY ::= SEQUENCE {
+-- user-data[0] OCTET STRING,
+-- timestamp[1] KerberosTime OPTIONAL,
+-- usec[2] Krb5int32 OPTIONAL,
+-- seq-number[3] Krb5uint32 OPTIONAL,
+-- s-address[4] HostAddress OPTIONAL,
+-- r-address[5] HostAddress OPTIONAL
+--}
+
+--KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
+-- pvno[0] Krb5int32,
+-- msg-type[1] MESSAGE-TYPE,
+-- safe-body[2] KRB-SAFE-BODY,
+-- cksum[3] Checksum
+--}
+
+--KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+-- pvno[0] Krb5int32,
+-- msg-type[1] MESSAGE-TYPE,
+-- enc-part[3] EncryptedData
+--}
+--EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
+-- user-data[0] OCTET STRING,
+-- timestamp[1] KerberosTime OPTIONAL,
+-- usec[2] Krb5int32 OPTIONAL,
+-- seq-number[3] Krb5uint32 OPTIONAL,
+-- s-address[4] HostAddress OPTIONAL, - - sender's addr
+-- r-address[5] HostAddress OPTIONAL - - recip's addr
+--}
+
+--KRB-CRED ::= [APPLICATION 22] SEQUENCE {
+-- pvno[0] Krb5int32,
+-- msg-type[1] MESSAGE-TYPE, - - KRB_CRED
+-- tickets[2] SEQUENCE OF Ticket,
+-- enc-part[3] EncryptedData
+--}
+
+--KrbCredInfo ::= SEQUENCE {
+-- key[0] EncryptionKey,
+-- prealm[1] Realm OPTIONAL,
+-- pname[2] PrincipalName OPTIONAL,
+-- flags[3] TicketFlags OPTIONAL,
+-- authtime[4] KerberosTime OPTIONAL,
+-- starttime[5] KerberosTime OPTIONAL,
+-- endtime[6] KerberosTime OPTIONAL,
+-- renew-till[7] KerberosTime OPTIONAL,
+-- srealm[8] Realm OPTIONAL,
+-- sname[9] PrincipalName OPTIONAL,
+-- caddr[10] HostAddresses OPTIONAL
+--}
+
+--EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
+-- ticket-info[0] SEQUENCE OF KrbCredInfo,
+-- nonce[1] Krb5int32 OPTIONAL,
+-- timestamp[2] KerberosTime OPTIONAL,
+-- usec[3] Krb5int32 OPTIONAL,
+-- s-address[4] HostAddress OPTIONAL,
+-- r-address[5] HostAddress OPTIONAL
+--}
+
+--KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+-- pvno[0] Krb5int32,
+-- msg-type[1] MESSAGE-TYPE,
+-- ctime[2] KerberosTime OPTIONAL,
+-- cusec[3] Krb5int32 OPTIONAL,
+-- stime[4] KerberosTime,
+-- susec[5] Krb5int32,
+-- error-code[6] Krb5int32,
+-- crealm[7] Realm OPTIONAL,
+-- cname[8] PrincipalName OPTIONAL,
+-- realm[9] Realm, - - Correct realm
+-- sname[10] PrincipalName, - - Correct name
+-- e-text[11] GeneralString OPTIONAL,
+-- e-data[12] OCTET STRING OPTIONAL
+--}
+
+ChangePasswdDataMS ::= SEQUENCE {
+ newpasswd[0] OCTET STRING,
+ targname[1] PrincipalName OPTIONAL,
+ targrealm[2] Realm OPTIONAL
+}
+
+EtypeList ::= SEQUENCE OF Krb5int32
+ -- the client's proposed enctype list in
+ -- decreasing preference order, favorite choice first
+
+--krb5-pvno Krb5int32 ::= 5 - - current Kerberos protocol version number
+
+-- transited encodings
+
+--DOMAIN-X500-COMPRESS Krb5int32 ::= 1
+
+-- authorization data primitives
+
+--AD-IF-RELEVANT ::= AuthorizationData
+
+--AD-KDCIssued ::= SEQUENCE {
+-- ad-checksum[0] Checksum,
+-- i-realm[1] Realm OPTIONAL,
+-- i-sname[2] PrincipalName OPTIONAL,
+-- elements[3] AuthorizationData
+--}
+
+--AD-AND-OR ::= SEQUENCE {
+-- condition-count[0] INTEGER,
+-- elements[1] AuthorizationData
+--}
+
+--AD-MANDATORY-FOR-KDC ::= AuthorizationData
+
+-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
+
+PA-SAM-TYPE ::= INTEGER {
+ pA-SAM-TYPE-ENIGMA(1), -- Enigma Logic
+ pA-SAM-TYPE-DIGI-PATH(2), -- Digital Pathways
+ pA-SAM-TYPE-SKEY-K0(3), -- S/key where KDC has key 0
+ pA-SAM-TYPE-SKEY(4), -- Traditional S/Key
+ pA-SAM-TYPE-SECURID(5), -- Security Dynamics
+ pA-SAM-TYPE-CRYPTOCARD(6) -- CRYPTOCard
+}
+
+PA-SAM-REDIRECT ::= HostAddresses
+
+SAMFlags ::= BIT STRING {
+ use-sad-as-key(0),
+ send-encrypted-sad(1),
+ must-pk-encrypt-sad(2)
+}
+
+PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
+ sam-type[0] Krb5int32,
+ sam-flags[1] SAMFlags,
+ sam-type-name[2] GeneralString OPTIONAL,
+ sam-track-id[3] GeneralString OPTIONAL,
+ sam-challenge-label[4] GeneralString OPTIONAL,
+ sam-challenge[5] GeneralString OPTIONAL,
+ sam-response-prompt[6] GeneralString OPTIONAL,
+ sam-pk-for-sad[7] EncryptionKey OPTIONAL,
+ sam-nonce[8] Krb5int32,
+ sam-etype[9] Krb5int32,
+ ...
+}
+
+PA-SAM-CHALLENGE-2 ::= SEQUENCE {
+ sam-body[0] PA-SAM-CHALLENGE-2-BODY,
+ sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
+ ...
+}
+
+PA-SAM-RESPONSE-2 ::= SEQUENCE {
+ sam-type[0] Krb5int32,
+ sam-flags[1] SAMFlags,
+ sam-track-id[2] GeneralString OPTIONAL,
+ sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
+ sam-nonce[4] Krb5int32,
+ ...
+}
+
+PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
+ sam-nonce[0] Krb5int32,
+ sam-sad[1] GeneralString OPTIONAL,
+ ...
+}
+
+PA-S4U2Self ::= SEQUENCE {
+ name[0] PrincipalName,
+ realm[1] Realm,
+ cksum[2] Checksum,
+ auth[3] GeneralString
+}
+
+KRB5SignedPathPrincipals ::= SEQUENCE OF Principal
+
+-- never encoded on the wire, just used to checksum over
+KRB5SignedPathData ::= SEQUENCE {
+ encticket[0] EncTicketPart,
+ delegated[1] KRB5SignedPathPrincipals OPTIONAL
+}
+
+KRB5SignedPath ::= SEQUENCE {
+ -- DERcoded KRB5SignedPathData
+ -- krbtgt key (etype), KeyUsage = XXX
+ etype[0] ENCTYPE,
+ cksum[1] Checksum,
+ -- srvs delegated though
+ delegated[2] KRB5SignedPathPrincipals OPTIONAL
+}
+
+PA-ClientCanonicalizedNames ::= SEQUENCE{
+ requested-name [0] PrincipalName,
+ mapped-name [1] PrincipalName
+}
+
+PA-ClientCanonicalized ::= SEQUENCE {
+ names [0] PA-ClientCanonicalizedNames,
+ canon-checksum [1] Checksum
+}
+
+AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
+ login-alias [0] PrincipalName,
+ checksum [1] Checksum
+}
+
+-- old ms referral
+PA-SvrReferralData ::= SEQUENCE {
+ referred-name [1] PrincipalName OPTIONAL,
+ referred-realm [0] Realm
+}
+
+PA-SERVER-REFERRAL-DATA ::= EncryptedData
+
+PA-ServerReferralData ::= SEQUENCE {
+ referred-realm [0] Realm OPTIONAL,
+ true-principal-name [1] PrincipalName OPTIONAL,
+ requested-principal-name [2] PrincipalName OPTIONAL,
+ referral-valid-until [3] KerberosTime OPTIONAL,
+ ...
+}
+-- WS put extensions found elsewere here
+-- http://msdn.microsoft.com/en-us/library/cc206948.aspx
+--
+KERB-PA-PAC-REQUEST ::= SEQUENCE {
+include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC.
+ --If FALSE, and PAC present, remove PAC
+}
+END
+
+-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
diff --git a/epan/dissectors/asn1/kerberos/kerberos.cnf b/epan/dissectors/asn1/kerberos/kerberos.cnf
new file mode 100644
index 0000000000..ff73d2b44b
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/kerberos.cnf
@@ -0,0 +1,388 @@
+# kerberos.cnf
+# kerberos conformation file
+# Copyright 2008 Anders Broman
+
+#.EXPORTS
+ChangePasswdData
+
+#.FIELD_RENAME
+#EncryptedData/etype encryptedData_etype
+KDC-REQ-BODY/etype kDC-REQ-BODY_etype
+KRB-SAFE-BODY/user-data kRB-SAFE-BODY_user_data
+EncKrbPrivPart/user-data encKrbPrivPart_user_data
+EncryptedTicketData/cipher encryptedTicketData_cipher
+EncryptedAuthorizationData/cipher encryptedAuthorizationData_cipher
+EncryptedKDCREPData/cipher encryptedKDCREPData_cipher
+PA-ENC-TIMESTAMP/cipher pA-ENC-TIMESTAMP_cipher
+EncryptedAPREPData/cipher encryptedAPREPData_cipher
+EncryptedKrbPrivData/cipher encryptedKrbPrivData_cipher
+EncryptedKrbCredData/cipher encryptedKrbCredData_cipher
+KRB-CRED/_untag/enc-part kRB_CRED_enc_part
+KRB-PRIV/_untag/enc-part kRB_PRIV_enc_part
+AP-REP/_untag/enc-part aP_REP_enc_part
+KDC-REP/enc-part kDC_REP_enc_part
+Ticket/_untag/enc-part ticket_enc_part
+
+#.OMIT_ASSIGNMENT
+AD-AND-OR
+AD-KDCIssued
+AD-LoginAlias
+AD-MANDATORY-FOR-KDC
+AUTHDATA-TYPE
+ChangePasswdDataMS
+EncryptedData
+EtypeList
+KerberosFlags
+KRB5SignedPath
+KRB5SignedPathData
+KRB5SignedPathPrincipals
+Krb5int32
+Krb5uint32
+PA-ClientCanonicalized
+PA-ClientCanonicalizedNames
+PA-ENC-TS-ENC
+PA-ENC-SAM-RESPONSE-ENC
+PA-PAC-REQUEST
+PA-SAM-CHALLENGE-2
+PA-SAM-CHALLENGE-2-BODY
+PA-SAM-REDIRECT
+PA-SAM-RESPONSE-2
+PA-SAM-TYPE
+PA-SERVER-REFERRAL-DATA
+PA-ServerReferralData
+PA-SvrReferralData
+Principal
+PROV-SRV-LOCATION
+SAMFlags
+TYPED-DATA
+
+#.NO_EMIT ONLY_VALS
+Applications
+
+#.MAKE_DEFINES
+ADDR-TYPE TYPE_PREFIX
+
+#.FN_BODY MESSAGE-TYPE VAL_PTR = &msgtype
+guint32 msgtype;
+
+%(DEFAULT_BODY)s
+
+#.FN_FTR MESSAGE-TYPE
+ if (gbl_do_col_info) {
+ col_add_str(actx->pinfo->cinfo, COL_INFO,
+ val_to_str(msgtype, krb5_msg_types,
+ "Unknown msg type %#x"));
+ }
+ gbl_do_col_info=FALSE;
+
+##if 0
+ /* append the application type to the tree */
+ proto_item_append_text(tree, " %s", val_to_str(msgtype, krb5_msg_types, "Unknown:0x%x"));
+##endif
+
+#.FN_BODY ERROR-CODE VAL_PTR = &krb5_errorcode
+%(DEFAULT_BODY)s
+
+#.FN_FTR ERROR-CODE
+ if(krb5_errorcode) {
+ col_add_fstr(actx->pinfo->cinfo, COL_INFO,
+ "KRB Error: %s",
+ val_to_str(krb5_errorcode, krb5_error_codes,
+ "Unknown error code %#x"));
+ }
+
+ return offset;
+#.END
+#.FN_BODY KRB-ERROR/_untag/e-data
+ switch(krb5_errorcode){
+ case KRB5_ET_KRB5KDC_ERR_BADOPTION:
+ case KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED:
+ case KRB5_ET_KRB5KDC_ERR_KEY_EXP:
+ case KRB5_ET_KRB5KDC_ERR_POLICY:
+ /* ms windows kdc sends e-data of this type containing a "salt"
+ * that contains the nt_status code for these error codes.
+ */
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, dissect_kerberos_PA_DATA);
+ break;
+ case KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED:
+ case KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED:
+ case KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP:
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, dissect_kerberos_SEQUENCE_OF_PA_DATA);
+
+ break;
+ default:
+ offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, NULL);
+ }
+
+
+#.FN_BODY PADATA-TYPE VAL_PTR=&(private_data->padata_type)
+ kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
+%(DEFAULT_BODY)s
+#.FN_FTR PADATA-TYPE
+ if(tree){
+ proto_item_append_text(tree, " %s",
+ val_to_str(private_data->padata_type, krb5_preauthentication_types,
+ "Unknown:%d"));
+ }
+
+#.FN_BODY PA-DATA/padata-value
+ proto_tree *sub_tree=tree;
+ kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
+
+ if(actx->created_item){
+ sub_tree=proto_item_add_subtree(actx->created_item, ett_kerberos_PA_DATA);
+ }
+
+ switch(private_data->padata_type){
+ case KRB5_PA_TGS_REQ:
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications);
+ break;
+ case KRB5_PA_PK_AS_REQ:
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsReq);
+ break;
+ case KRB5_PA_PK_AS_REP:
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsRep);
+ break;
+ case KRB5_PA_PAC_REQUEST:
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_KERB_PA_PAC_REQUEST);
+ break;
+ case KRB5_PA_S4U2SELF:
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U2Self);
+ break;
+ case KRB5_PA_PROV_SRV_LOCATION:
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PA_PROV_SRV_LOCATION);
+ break;
+ case KRB5_PA_ENC_TIMESTAMP:
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_ENC_TIMESTAMP);
+ break;
+ case KRB5_PA_ENCTYPE_INFO:
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO);
+ break;
+ case KRB5_PA_ENCTYPE_INFO2:
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO2);
+ break;
+ case KRB5_PA_PW_SALT:
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PW_SALT);
+ break;
+ default:
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL);
+ }
+
+#.FN_BODY HostAddress/address
+ gint8 appclass;
+ gboolean pc;
+ gint32 tag;
+ guint32 len;
+ const char *address_str;
+ proto_item *it=NULL;
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+ /* read header and len for the octet string */
+ offset=dissect_ber_identifier(actx->pinfo, tree, tvb, offset, &appclass, &pc, &tag);
+ offset=dissect_ber_length(actx->pinfo, tree, tvb, offset, &len, NULL);
+
+ switch(private_data->addr_type){
+ case KERBEROS_ADDR_TYPE_IPV4:
+ it=proto_tree_add_item(tree, hf_krb_address_ip, tvb, offset, 4, ENC_BIG_ENDIAN);
+ address_str = tvb_ip_to_str(tvb, offset);
+ break;
+ case KERBEROS_ADDR_TYPE_NETBIOS:
+ {
+ char netbios_name[(NETBIOS_NAME_LEN - 1)*4 + 1];
+ int netbios_name_type;
+ int netbios_name_len = (NETBIOS_NAME_LEN - 1)*4 + 1;
+
+ netbios_name_type = process_netbios_name(tvb_get_ptr(tvb, offset, 16), netbios_name, netbios_name_len);
+ address_str = wmem_strdup_printf(wmem_packet_scope(), "%s<%02x>", netbios_name, netbios_name_type);
+ it=proto_tree_add_string_format(tree, hf_krb_address_netbios, tvb, offset, 16, netbios_name, "NetBIOS Name: %s (%s)", address_str, netbios_name_type_descr(netbios_name_type));
+ }
+ break;
+ case KERBEROS_ADDR_TYPE_IPV6:
+ it=proto_tree_add_item(tree, hf_krb_address_ipv6, tvb, offset, INET6_ADDRLEN, ENC_NA);
+ address_str = tvb_ip6_to_str(tvb, offset);
+ break;
+ default:
+ proto_tree_add_expert(tree, actx->pinfo, &ei_kerberos_address, tvb, offset, len);
+ address_str = NULL;
+ }
+
+ /* push it up two levels in the decode pane */
+ if(it && address_str){
+ proto_item_append_text(proto_item_get_parent(it), " %s",address_str);
+ proto_item_append_text(proto_item_get_parent_nth(it, 2), " %s",address_str);
+ }
+
+ offset+=len;
+ return offset;
+
+
+#.TYPE_ATTR
+#xxx TYPE = FT_UINT16 DISPLAY = BASE_DEC STRINGS = VALS(xx_vals)
+
+#.FN_BODY ENCTYPE VAL_PTR=&(private_data->etype)
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+%(DEFAULT_BODY)s
+
+#.FN_BODY EncryptedTicketData/cipher
+##ifdef HAVE_KERBEROS
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_ticket_data);
+##else
+%(DEFAULT_BODY)s
+##endif
+ return offset;
+
+#.FN_BODY EncryptedAuthorizationData/cipher
+##ifdef HAVE_KERBEROS
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_authenticator_data);
+##else
+%(DEFAULT_BODY)s
+##endif
+ return offset;
+
+#.FN_BODY EncryptedKDCREPData/cipher
+##ifdef HAVE_KERBEROS
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KDC_REP_data);
+##else
+%(DEFAULT_BODY)s
+##endif
+ return offset;
+
+#.FN_BODY PA-ENC-TIMESTAMP/cipher
+##ifdef HAVE_KERBEROS
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PA_ENC_TIMESTAMP);
+##else
+%(DEFAULT_BODY)s
+##endif
+ return offset;
+
+#.FN_BODY EncryptedAPREPData/cipher
+##ifdef HAVE_KERBEROS
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_AP_REP_data);
+##else
+%(DEFAULT_BODY)s
+##endif
+ return offset;
+
+#.FN_BODY EncryptedKrbPrivData/cipher
+##ifdef HAVE_KERBEROS
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PRIV_data);
+##else
+%(DEFAULT_BODY)s
+##endif
+ return offset;
+
+#.FN_BODY EncryptedKrbCredData/cipher
+##ifdef HAVE_KERBEROS
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_CRED_data);
+##else
+%(DEFAULT_BODY)s
+##endif
+ return offset;
+
+
+#.FN_BODY CKSUMTYPE VAL_PTR=&(private_data->checksum_type)
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+%(DEFAULT_BODY)s
+
+#.FN_BODY Checksum/checksum
+ tvbuff_t *next_tvb;
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+ switch(private_data->checksum_type){
+ case KRB5_CHKSUM_GSSAPI:
+ offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &next_tvb);
+ dissect_krb5_rfc1964_checksum(actx, tree, next_tvb);
+ break;
+ default:
+ offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, NULL);
+ }
+ return offset;
+
+#.FN_BODY EncryptionKey/keytype VAL_PTR=&gbl_keytype
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+ offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
+ &gbl_keytype);
+ private_data->key.keytype = gbl_keytype;
+
+#.FN_BODY EncryptionKey/keyvalue VAL_PTR=&out_tvb
+ tvbuff_t *out_tvb;
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+%(DEFAULT_BODY)s
+
+ private_data->key.keylength = tvb_reported_length(out_tvb);
+ private_data->key.keyvalue = tvb_get_ptr(out_tvb, 0, private_data->key.keylength);
+
+#.FN_BODY EncryptionKey
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+ %(DEFAULT_BODY)s
+
+ if (private_data->key.keytype != 0) {
+##ifdef HAVE_KERBEROS
+ add_encryption_key(actx->pinfo, private_data->key.keytype, private_data->key.keylength, private_data->key.keyvalue, "key");
+##endif
+ }
+
+#.FN_BODY AuthorizationData/_item/ad-type
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+ offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
+ &(private_data->ad_type));
+#.TYPE_ATTR
+AuthorizationData/_item/ad-type STRINGS=VALS(krb5_ad_types)
+
+#.FN_BODY AuthorizationData/_item/ad-data
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+ switch(private_data->ad_type){
+ case KRB5_AD_WIN2K_PAC:
+ offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_krb5_AD_WIN2K_PAC);
+ break;
+ case KRB5_AD_IF_RELEVANT:
+ offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_AD_IF_RELEVANT);
+ break;
+ default:
+ offset=dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, NULL);
+ }
+
+#.FN_BODY ADDR-TYPE VAL_PTR=&(private_data->addr_type)
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+%(DEFAULT_BODY)s
+
+#.FN_BODY KDC-REQ-BODY
+ conversation_t *conversation;
+
+ /*
+ * UDP replies to KDC_REQs are sent from the server back to the client's
+ * source port, similar to the way TFTP works. Set up a conversation
+ * accordingly.
+ *
+ * Ref: Section 7.2.1 of
+ * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt
+ */
+ if (actx->pinfo->destport == UDP_PORT_KERBEROS && actx->pinfo->ptype == PT_UDP) {
+ conversation = find_conversation(actx->pinfo->num, &actx->pinfo->src, &actx->pinfo->dst, PT_UDP,
+ actx->pinfo->srcport, 0, NO_PORT_B);
+ if (conversation == NULL) {
+ conversation = conversation_new(actx->pinfo->num, &actx->pinfo->src, &actx->pinfo->dst, PT_UDP,
+ actx->pinfo->srcport, 0, NO_PORT2);
+ conversation_set_dissector(conversation, kerberos_handle_udp);
+ }
+ }
+
+ %(DEFAULT_BODY)s
+
+#.FN_BODY KRB-SAFE-BODY/user-data
+ tvbuff_t *new_tvb;
+ offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb);
+ if (new_tvb) {
+ call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_SAFE_USER_DATA, (kerberos_callbacks*)actx->private_data);
+ }
+
+#.FN_BODY EncKrbPrivPart/user-data
+ tvbuff_t *new_tvb;
+ offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb);
+ if (new_tvb) {
+ call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_PRIV_USER_DATA, (kerberos_callbacks*)actx->private_data);
+ }
diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
new file mode 100644
index 0000000000..631e403098
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
@@ -0,0 +1,2506 @@
+/* packet-kerberos.c
+ * Routines for Kerberos
+ * Wes Hardaker (c) 2000
+ * wjhardaker@ucdavis.edu
+ * Richard Sharpe (C) 2002, rsharpe@samba.org, modularized a bit more and
+ * added AP-REQ and AP-REP dissection
+ *
+ * Ronnie Sahlberg (C) 2004, major rewrite for new ASN.1/BER API.
+ * decryption of kerberos blobs if keytab is provided
+ *
+ * See RFC 1510, and various I-Ds and other documents showing additions,
+ * e.g. ones listed under
+ *
+ * http://www.isi.edu/people/bcn/krb-revisions/
+ *
+ * and
+ *
+ * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt
+ *
+ * and
+ *
+ * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-05.txt
+ *
+ * Some structures from RFC2630
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/*
+ * Some of the development of the Kerberos protocol decoder was sponsored by
+ * Cable Television Laboratories, Inc. ("CableLabs") based upon proprietary
+ * CableLabs' specifications. Your license and use of this protocol decoder
+ * does not mean that you are licensed to use the CableLabs'
+ * specifications. If you have questions about this protocol, contact
+ * jf.mule [AT] cablelabs.com or c.stuart [AT] cablelabs.com for additional
+ * information.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+
+#include <epan/packet.h>
+#include <epan/exceptions.h>
+#include <epan/strutil.h>
+#include <epan/conversation.h>
+#include <epan/asn1.h>
+#include <epan/expert.h>
+#include <epan/prefs.h>
+#include <wsutil/file_util.h>
+#include <wsutil/ws_diag_control.h>
+#include <wsutil/str_util.h>
+#include "packet-kerberos.h"
+#include "packet-netbios.h"
+#include "packet-tcp.h"
+#include "packet-ber.h"
+#include "packet-pkinit.h"
+#include "packet-cms.h"
+#include "packet-windows-common.h"
+
+#include "packet-dcerpc-netlogon.h"
+#include "packet-dcerpc.h"
+
+#include "packet-gssapi.h"
+#include "packet-smb-common.h"
+
+
+void proto_register_kerberos(void);
+void proto_reg_handoff_kerberos(void);
+
+#define UDP_PORT_KERBEROS 88
+#define TCP_PORT_KERBEROS 88
+
+#define ADDRESS_STR_BUFSIZ 256
+
+typedef struct kerberos_key {
+ guint32 keytype;
+ int keylength;
+ const guint8 *keyvalue;
+} kerberos_key_t;
+
+typedef struct {
+ guint32 etype;
+ guint32 padata_type;
+ guint32 enctype;
+ kerberos_key_t key;
+ guint32 ad_type;
+ guint32 addr_type;
+ guint32 checksum_type;
+} kerberos_private_data_t;
+
+static dissector_handle_t kerberos_handle_udp;
+
+/* Forward declarations */
+static int dissect_kerberos_Applications(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_ENC_TIMESTAMP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_KERB_PA_PAC_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_S4U2Self(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_ETYPE_INFO(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_ETYPE_INFO2(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_AD_IF_RELEVANT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+
+
+/* Desegment Kerberos over TCP messages */
+static gboolean krb_desegment = TRUE;
+
+static gint proto_kerberos = -1;
+
+static gint hf_krb_rm_reserved = -1;
+static gint hf_krb_rm_reclen = -1;
+static gint hf_krb_provsrv_location = -1;
+static gint hf_krb_smb_nt_status = -1;
+static gint hf_krb_smb_unknown = -1;
+static gint hf_krb_address_ip = -1;
+static gint hf_krb_address_netbios = -1;
+static gint hf_krb_address_ipv6 = -1;
+static gint hf_krb_gssapi_len = -1;
+static gint hf_krb_gssapi_bnd = -1;
+static gint hf_krb_gssapi_dlgopt = -1;
+static gint hf_krb_gssapi_dlglen = -1;
+static gint hf_krb_gssapi_c_flag_deleg = -1;
+static gint hf_krb_gssapi_c_flag_mutual = -1;
+static gint hf_krb_gssapi_c_flag_replay = -1;
+static gint hf_krb_gssapi_c_flag_sequence = -1;
+static gint hf_krb_gssapi_c_flag_conf = -1;
+static gint hf_krb_gssapi_c_flag_integ = -1;
+static gint hf_krb_gssapi_c_flag_dce_style = -1;
+static gint hf_krb_midl_version = -1;
+static gint hf_krb_midl_hdr_len = -1;
+static gint hf_krb_midl_fill_bytes = -1;
+static gint hf_krb_midl_blob_len = -1;
+static gint hf_krb_pac_signature_type = -1;
+static gint hf_krb_pac_signature_signature = -1;
+static gint hf_krb_w2k_pac_entries = -1;
+static gint hf_krb_w2k_pac_version = -1;
+static gint hf_krb_w2k_pac_type = -1;
+static gint hf_krb_w2k_pac_size = -1;
+static gint hf_krb_w2k_pac_offset = -1;
+static gint hf_krb_pac_clientid = -1;
+static gint hf_krb_pac_namelen = -1;
+static gint hf_krb_pac_clientname = -1;
+static gint hf_krb_pac_logon_info = -1;
+static gint hf_krb_pac_credential_type = -1;
+static gint hf_krb_pac_s4u_delegation_info = -1;
+static gint hf_krb_pac_upn_dns_info = -1;
+static gint hf_krb_pac_upn_flags = -1;
+static gint hf_krb_pac_upn_dns_offset = -1;
+static gint hf_krb_pac_upn_dns_len = -1;
+static gint hf_krb_pac_upn_upn_offset = -1;
+static gint hf_krb_pac_upn_upn_len = -1;
+static gint hf_krb_pac_upn_upn_name = -1;
+static gint hf_krb_pac_upn_dns_name = -1;
+static gint hf_krb_pac_server_checksum = -1;
+static gint hf_krb_pac_privsvr_checksum = -1;
+static gint hf_krb_pac_client_info_type = -1;
+#include "packet-kerberos-hf.c"
+
+/* Initialize the subtree pointers */
+static gint ett_kerberos = -1;
+static gint ett_krb_recordmark = -1;
+static gint ett_krb_pac = -1;
+static gint ett_krb_pac_drep = -1;
+static gint ett_krb_pac_midl_blob = -1;
+static gint ett_krb_pac_logon_info = -1;
+static gint ett_krb_pac_s4u_delegation_info = -1;
+static gint ett_krb_pac_upn_dns_info = -1;
+static gint ett_krb_pac_server_checksum = -1;
+static gint ett_krb_pac_privsvr_checksum = -1;
+static gint ett_krb_pac_client_info_type = -1;
+#include "packet-kerberos-ett.c"
+
+static expert_field ei_kerberos_decrypted_keytype = EI_INIT;
+static expert_field ei_kerberos_address = EI_INIT;
+static expert_field ei_krb_gssapi_dlglen = EI_INIT;
+
+static dissector_handle_t krb4_handle=NULL;
+
+/* Global variables */
+static guint32 krb5_errorcode;
+static guint32 gbl_keytype;
+static gboolean gbl_do_col_info;
+
+#include "packet-kerberos-val.h"
+
+static void
+call_kerberos_callbacks(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int tag, kerberos_callbacks *cb)
+{
+ if(!cb){
+ return;
+ }
+
+ while(cb->tag){
+ if(cb->tag==tag){
+ cb->callback(pinfo, tvb, tree);
+ return;
+ }
+ cb++;
+ }
+ return;
+}
+
+static kerberos_private_data_t*
+kerberos_get_private_data(asn1_ctx_t *actx)
+{
+ if (!actx->private_data) {
+ actx->private_data = wmem_new0(wmem_packet_scope(), kerberos_private_data_t);
+ }
+ return (kerberos_private_data_t *)(actx->private_data);
+}
+
+#ifdef HAVE_KERBEROS
+
+/* Decrypt Kerberos blobs */
+gboolean krb_decrypt = FALSE;
+
+/* keytab filename */
+static const char *keytab_filename = "";
+
+void
+read_keytab_file_from_preferences(void)
+{
+ static char *last_keytab = NULL;
+
+ if (!krb_decrypt) {
+ return;
+ }
+
+ if (keytab_filename == NULL) {
+ return;
+ }
+
+ if (last_keytab && !strcmp(last_keytab, keytab_filename)) {
+ return;
+ }
+
+ if (last_keytab != NULL) {
+ g_free(last_keytab);
+ last_keytab = NULL;
+ }
+ last_keytab = g_strdup(keytab_filename);
+
+ read_keytab_file(last_keytab);
+}
+#endif /* HAVE_KERBEROS */
+
+#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
+#ifdef _WIN32
+/* prevent redefinition warnings in kfw-2.5\inc\win_mac.h */
+#undef HAVE_GETADDRINFO
+#undef HAVE_SYS_TYPES_H
+#endif /* _WIN32 */
+#include <krb5.h>
+enc_key_t *enc_key_list=NULL;
+
+static void
+add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin)
+{
+ enc_key_t *new_key;
+
+ if(pinfo->fd->flags.visited){
+ return;
+ }
+
+ new_key=(enc_key_t *)g_malloc(sizeof(enc_key_t));
+ g_snprintf(new_key->key_origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u",origin,pinfo->num);
+ new_key->fd_num = pinfo->num;
+ new_key->next=enc_key_list;
+ enc_key_list=new_key;
+ new_key->keytype=keytype;
+ new_key->keylength=keylength;
+ /*XXX this needs to be freed later */
+ new_key->keyvalue=(char *)g_memdup(keyvalue, keylength);
+}
+#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
+
+#if defined(HAVE_MIT_KERBEROS)
+
+static krb5_context krb5_ctx;
+
+USES_APPLE_DEPRECATED_API
+void
+read_keytab_file(const char *filename)
+{
+ krb5_keytab keytab;
+ krb5_error_code ret;
+ krb5_keytab_entry key;
+ krb5_kt_cursor cursor;
+ enc_key_t *new_key;
+ static gboolean first_time=TRUE;
+
+ if (filename == NULL || filename[0] == 0) {
+ return;
+ }
+
+ if(first_time){
+ first_time=FALSE;
+ ret = krb5_init_context(&krb5_ctx);
+ if(ret && ret != KRB5_CONFIG_CANTOPEN){
+ return;
+ }
+ }
+
+ /* should use a file in the wireshark users dir */
+ ret = krb5_kt_resolve(krb5_ctx, filename, &keytab);
+ if(ret){
+ fprintf(stderr, "KERBEROS ERROR: Badly formatted keytab filename :%s\n",filename);
+
+ return;
+ }
+
+ ret = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
+ if(ret){
+ fprintf(stderr, "KERBEROS ERROR: Could not open or could not read from keytab file :%s\n",filename);
+ return;
+ }
+
+ do{
+ new_key=(enc_key_t *)g_malloc(sizeof(enc_key_t));
+ new_key->fd_num = -1;
+ new_key->next=enc_key_list;
+ ret = krb5_kt_next_entry(krb5_ctx, keytab, &key, &cursor);
+ if(ret==0){
+ int i;
+ char *pos;
+
+ /* generate origin string, describing where this key came from */
+ pos=new_key->key_origin;
+ pos+=MIN(KRB_MAX_ORIG_LEN,
+ g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal "));
+ for(i=0;i<key.principal->length;i++){
+ pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+ g_snprintf(pos, (gulong)(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin)), "%s%s",(i?"/":""),(key.principal->data[i]).data));
+ }
+ pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+ g_snprintf(pos, (gulong)(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin)), "@%s",key.principal->realm.data));
+ *pos=0;
+ new_key->keytype=key.key.enctype;
+ new_key->keylength=key.key.length;
+ new_key->keyvalue=(char *)g_memdup(key.key.contents, key.key.length);
+ enc_key_list=new_key;
+ }
+ }while(ret==0);
+
+ ret = krb5_kt_end_seq_get(krb5_ctx, keytab, &cursor);
+ if(ret){
+ krb5_kt_close(krb5_ctx, keytab);
+ }
+}
+
+
+guint8 *
+decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
+ int usage,
+ tvbuff_t *cryptotvb,
+ int keytype,
+ int *datalen)
+{
+ krb5_error_code ret;
+ enc_key_t *ek;
+ krb5_data data = {0,0,NULL};
+ krb5_keytab_entry key;
+ int length = tvb_captured_length(cryptotvb);
+ const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length);
+
+ /* don't do anything if we are not attempting to decrypt data */
+ if(!krb_decrypt || length < 1){
+ return NULL;
+ }
+
+ /* make sure we have all the data we need */
+ if (tvb_captured_length(cryptotvb) < tvb_reported_length(cryptotvb)) {
+ return NULL;
+ }
+
+ read_keytab_file_from_preferences();
+ data.data = (char *)g_malloc(length);
+ data.length = length;
+
+ for(ek=enc_key_list;ek;ek=ek->next){
+ krb5_enc_data input;
+
+ /* shortcircuit and bail out if enctypes are not matching */
+ if((keytype != -1) && (ek->keytype != keytype)) {
+ continue;
+ }
+
+ input.enctype = ek->keytype;
+ input.ciphertext.length = length;
+ input.ciphertext.data = (guint8 *)cryptotext;
+
+ key.key.enctype=ek->keytype;
+ key.key.length=ek->keylength;
+ key.key.contents=ek->keyvalue;
+ ret = krb5_c_decrypt(krb5_ctx, &(key.key), usage, 0, &input, &data);
+ if(ret == 0){
+ char *user_data;
+
+ expert_add_info_format(pinfo, NULL, &ei_kerberos_decrypted_keytype,
+ "Decrypted keytype %d in frame %u using %s",
+ ek->keytype, pinfo->num, ek->key_origin);
+
+ /* return a private g_malloced blob to the caller */
+ user_data=data.data;
+ if (datalen) {
+ *datalen = data.length;
+ }
+ return user_data;
+ }
+ }
+ g_free(data.data);
+
+ return NULL;
+}
+USES_APPLE_RST
+
+#elif defined(HAVE_HEIMDAL_KERBEROS)
+static krb5_context krb5_ctx;
+
+USES_APPLE_DEPRECATED_API
+void
+read_keytab_file(const char *filename)
+{
+ krb5_keytab keytab;
+ krb5_error_code ret;
+ krb5_keytab_entry key;
+ krb5_kt_cursor cursor;
+ enc_key_t *new_key;
+ static gboolean first_time=TRUE;
+
+ if (filename == NULL || filename[0] == 0) {
+ return;
+ }
+
+ if(first_time){
+ first_time=FALSE;
+ ret = krb5_init_context(&krb5_ctx);
+ if(ret){
+ return;
+ }
+ }
+
+ /* should use a file in the wireshark users dir */
+ ret = krb5_kt_resolve(krb5_ctx, filename, &keytab);
+ if(ret){
+ fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename);
+
+ return;
+ }
+
+ ret = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
+ if(ret){
+ fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename);
+ return;
+ }
+
+ do{
+ new_key = (enc_key_t *)g_malloc(sizeof(enc_key_t));
+ new_key->fd_num = -1;
+ new_key->next=enc_key_list;
+ ret = krb5_kt_next_entry(krb5_ctx, keytab, &key, &cursor);
+ if(ret==0){
+ unsigned int i;
+ char *pos;
+
+ /* generate origin string, describing where this key came from */
+ pos=new_key->key_origin;
+ pos+=MIN(KRB_MAX_ORIG_LEN,
+ g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal "));
+ for(i=0;i<key.principal->name.name_string.len;i++){
+ pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+ g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),key.principal->name.name_string.val[i]));
+ }
+ pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+ g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm));
+ *pos=0;
+ new_key->keytype=key.keyblock.keytype;
+ new_key->keylength=(int)key.keyblock.keyvalue.length;
+ new_key->keyvalue = (guint8 *)g_memdup(key.keyblock.keyvalue.data, (guint)key.keyblock.keyvalue.length);
+ enc_key_list=new_key;
+ }
+ }while(ret==0);
+
+ ret = krb5_kt_end_seq_get(krb5_ctx, keytab, &cursor);
+ if(ret){
+ krb5_kt_close(krb5_ctx, keytab);
+ }
+
+}
+USES_APPLE_RST
+
+
+guint8 *
+decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
+ int usage,
+ tvbuff_t *cryptotvb,
+ int keytype,
+ int *datalen)
+{
+ krb5_error_code ret;
+ krb5_data data;
+ enc_key_t *ek;
+ int length = tvb_captured_length(cryptotvb);
+ const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length);
+
+ /* don't do anything if we are not attempting to decrypt data */
+ if(!krb_decrypt){
+ return NULL;
+ }
+
+ /* make sure we have all the data we need */
+ if (tvb_captured_length(cryptotvb) < tvb_reported_length(cryptotvb)) {
+ return NULL;
+ }
+
+ read_keytab_file_from_preferences();
+
+ for(ek=enc_key_list;ek;ek=ek->next){
+ krb5_keytab_entry key;
+ krb5_crypto crypto;
+ guint8 *cryptocopy; /* workaround for pre-0.6.1 heimdal bug */
+
+ /* shortcircuit and bail out if enctypes are not matching */
+ if((keytype != -1) && (ek->keytype != keytype)) {
+ continue;
+ }
+
+ key.keyblock.keytype=ek->keytype;
+ key.keyblock.keyvalue.length=ek->keylength;
+ key.keyblock.keyvalue.data=ek->keyvalue;
+ ret = krb5_crypto_init(krb5_ctx, &(key.keyblock), (krb5_enctype)ENCTYPE_NULL, &crypto);
+ if(ret){
+ return NULL;
+ }
+
+ /* pre-0.6.1 versions of Heimdal would sometimes change
+ the cryptotext data even when the decryption failed.
+ This would obviously not work since we iterate over the
+ keys. So just give it a copy of the crypto data instead.
+ This has been seen for RC4-HMAC blobs.
+ */
+ cryptocopy = (guint8 *)g_memdup(cryptotext, length);
+ ret = krb5_decrypt_ivec(krb5_ctx, crypto, usage,
+ cryptocopy, length,
+ &data,
+ NULL);
+ g_free(cryptocopy);
+ if((ret == 0) && (length>0)){
+ char *user_data;
+
+ expert_add_info_format(pinfo, NULL, &ei_kerberos_decrypted_keytype,
+ "Decrypted keytype %d in frame %u using %s",
+ ek->keytype, pinfo->num, ek->key_origin);
+
+ krb5_crypto_destroy(krb5_ctx, crypto);
+ /* return a private g_malloced blob to the caller */
+ user_data = (char *)g_memdup(data.data, (guint)data.length);
+ if (datalen) {
+ *datalen = (int)data.length;
+ }
+ return user_data;
+ }
+ krb5_crypto_destroy(krb5_ctx, crypto);
+ }
+ return NULL;
+}
+
+#elif defined (HAVE_LIBNETTLE)
+
+#define SERVICE_KEY_SIZE (DES3_KEY_SIZE + 2)
+#define KEYTYPE_DES3_CBC_MD5 5 /* Currently the only one supported */
+
+typedef struct _service_key_t {
+ guint16 kvno;
+ int keytype;
+ int length;
+ guint8 *contents;
+ char origin[KRB_MAX_ORIG_LEN+1];
+} service_key_t;
+GSList *service_key_list = NULL;
+
+
+static void
+add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin)
+{
+ service_key_t *new_key;
+
+ if(pinfo->fd->flags.visited){
+ return;
+ }
+
+ new_key = g_malloc(sizeof(service_key_t));
+ new_key->kvno = 0;
+ new_key->keytype = keytype;
+ new_key->length = keylength;
+ new_key->contents = g_memdup(keyvalue, keylength);
+ g_snprintf(new_key->origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u", origin, pinfo->num);
+ service_key_list = g_slist_append(service_key_list, (gpointer) new_key);
+}
+
+static void
+clear_keytab(void) {
+ GSList *ske;
+ service_key_t *sk;
+
+ for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
+ sk = (service_key_t *) ske->data;
+ if (sk) {
+ g_free(sk->contents);
+ g_free(sk);
+ }
+ }
+ g_slist_free(service_key_list);
+ service_key_list = NULL;
+}
+
+static void
+read_keytab_file(const char *service_key_file)
+{
+ FILE *skf;
+ ws_statb64 st;
+ service_key_t *sk;
+ unsigned char buf[SERVICE_KEY_SIZE];
+ int newline_skip = 0, count = 0;
+
+ if (service_key_file != NULL && ws_stat64 (service_key_file, &st) == 0) {
+
+ /* The service key file contains raw 192-bit (24 byte) 3DES keys.
+ * There can be zero, one (\n), or two (\r\n) characters between
+ * keys. Trailing characters are ignored.
+ */
+
+ /* XXX We should support the standard keytab format instead */
+ if (st.st_size > SERVICE_KEY_SIZE) {
+ if ( (st.st_size % (SERVICE_KEY_SIZE + 1) == 0) ||
+ (st.st_size % (SERVICE_KEY_SIZE + 1) == SERVICE_KEY_SIZE) ) {
+ newline_skip = 1;
+ } else if ( (st.st_size % (SERVICE_KEY_SIZE + 2) == 0) ||
+ (st.st_size % (SERVICE_KEY_SIZE + 2) == SERVICE_KEY_SIZE) ) {
+ newline_skip = 2;
+ }
+ }
+
+ skf = ws_fopen(service_key_file, "rb");
+ if (! skf) return;
+
+ while (fread(buf, SERVICE_KEY_SIZE, 1, skf) == 1) {
+ sk = g_malloc(sizeof(service_key_t));
+ sk->kvno = buf[0] << 8 | buf[1];
+ sk->keytype = KEYTYPE_DES3_CBC_MD5;
+ sk->length = DES3_KEY_SIZE;
+ sk->contents = g_memdup(buf + 2, DES3_KEY_SIZE);
+ g_snprintf(sk->origin, KRB_MAX_ORIG_LEN, "3DES service key file, key #%d, offset %ld", count, ftell(skf));
+ service_key_list = g_slist_append(service_key_list, (gpointer) sk);
+ if (fseek(skf, newline_skip, SEEK_CUR) < 0) {
+ fprintf(stderr, "unable to seek...\n");
+ return;
+ }
+ count++;
+ }
+ fclose(skf);
+ }
+}
+
+#define CONFOUNDER_PLUS_CHECKSUM 24
+
+guint8 *
+decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
+ int _U_ usage,
+ tvbuff_t *cryptotvb,
+ int keytype,
+ int *datalen)
+{
+ tvbuff_t *encr_tvb;
+ guint8 *decrypted_data = NULL, *plaintext = NULL;
+ guint8 cls;
+ gboolean pc;
+ guint32 tag, item_len, data_len;
+ int id_offset, offset;
+ guint8 key[DES3_KEY_SIZE];
+ guint8 initial_vector[DES_BLOCK_SIZE];
+ md5_state_t md5s;
+ md5_byte_t digest[16];
+ md5_byte_t zero_fill[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+ md5_byte_t confounder[8];
+ gboolean ind;
+ GSList *ske;
+ service_key_t *sk;
+ struct des3_ctx ctx;
+ int length = tvb_captured_length(cryptotvb);
+ const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length);
+
+
+ /* don't do anything if we are not attempting to decrypt data */
+ if(!krb_decrypt){
+ return NULL;
+ }
+
+ /* make sure we have all the data we need */
+ if (tvb_captured_length(cryptotvb) < tvb_reported_length(cryptotvb)) {
+ return NULL;
+ }
+
+ if (keytype != KEYTYPE_DES3_CBC_MD5 || service_key_list == NULL) {
+ return NULL;
+ }
+
+ decrypted_data = g_malloc(length);
+ for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
+ gboolean do_continue = FALSE;
+ sk = (service_key_t *) ske->data;
+
+ des_fix_parity(DES3_KEY_SIZE, key, sk->contents);
+
+ md5_init(&md5s);
+ memset(initial_vector, 0, DES_BLOCK_SIZE);
+ des3_set_key(&ctx, key);
+ cbc_decrypt(&ctx, des3_decrypt, DES_BLOCK_SIZE, initial_vector,
+ length, decrypted_data, cryptotext);
+ encr_tvb = tvb_new_real_data(decrypted_data, length, length);
+
+ tvb_memcpy(encr_tvb, confounder, 0, 8);
+
+ /* We have to pull the decrypted data length from the decrypted
+ * content. If the key doesn't match or we otherwise get garbage,
+ * an exception may get thrown while decoding the ASN.1 header.
+ * Catch it, just in case.
+ */
+ TRY {
+ id_offset = get_ber_identifier(encr_tvb, CONFOUNDER_PLUS_CHECKSUM, &cls, &pc, &tag);
+ offset = get_ber_length(encr_tvb, id_offset, &item_len, &ind);
+ }
+ CATCH_BOUNDS_ERRORS {
+ tvb_free(encr_tvb);
+ do_continue = TRUE;
+ }
+ ENDTRY;
+
+ if (do_continue) continue;
+
+ data_len = item_len + offset - CONFOUNDER_PLUS_CHECKSUM;
+ if ((int) item_len + offset > length) {
+ tvb_free(encr_tvb);
+ continue;
+ }
+
+ md5_append(&md5s, confounder, 8);
+ md5_append(&md5s, zero_fill, 16);
+ md5_append(&md5s, decrypted_data + CONFOUNDER_PLUS_CHECKSUM, data_len);
+ md5_finish(&md5s, digest);
+
+ if (tvb_memeql (encr_tvb, 8, digest, 16) == 0) {
+ plaintext = g_malloc(data_len);
+ tvb_memcpy(encr_tvb, plaintext, CONFOUNDER_PLUS_CHECKSUM, data_len);
+ tvb_free(encr_tvb);
+
+ if (datalen) {
+ *datalen = data_len;
+ }
+ g_free(decrypted_data);
+ return(plaintext);
+ }
+ tvb_free(encr_tvb);
+ }
+
+ g_free(decrypted_data);
+ return NULL;
+}
+
+#endif /* HAVE_MIT_KERBEROS / HAVE_HEIMDAL_KERBEROS / HAVE_LIBNETTLE */
+
+#define INET6_ADDRLEN 16
+
+/* TCP Record Mark */
+#define KRB_RM_RESERVED 0x80000000U
+#define KRB_RM_RECLEN 0x7fffffffU
+
+#define KRB5_MSG_TICKET 1 /* Ticket */
+#define KRB5_MSG_AUTHENTICATOR 2 /* Authenticator */
+#define KRB5_MSG_ENC_TICKET_PART 3 /* EncTicketPart */
+#define KRB5_MSG_AS_REQ 10 /* AS-REQ type */
+#define KRB5_MSG_AS_REP 11 /* AS-REP type */
+#define KRB5_MSG_TGS_REQ 12 /* TGS-REQ type */
+#define KRB5_MSG_TGS_REP 13 /* TGS-REP type */
+#define KRB5_MSG_AP_REQ 14 /* AP-REQ type */
+#define KRB5_MSG_AP_REP 15 /* AP-REP type */
+
+#define KRB5_MSG_SAFE 20 /* KRB-SAFE type */
+#define KRB5_MSG_PRIV 21 /* KRB-PRIV type */
+#define KRB5_MSG_CRED 22 /* KRB-CRED type */
+#define KRB5_MSG_ENC_AS_REP_PART 25 /* EncASRepPart */
+#define KRB5_MSG_ENC_TGS_REP_PART 26 /* EncTGSRepPart */
+#define KRB5_MSG_ENC_AP_REP_PART 27 /* EncAPRepPart */
+#define KRB5_MSG_ENC_KRB_PRIV_PART 28 /* EncKrbPrivPart */
+#define KRB5_MSG_ENC_KRB_CRED_PART 29 /* EncKrbCredPart */
+#define KRB5_MSG_ERROR 30 /* KRB-ERROR type */
+
+/* encryption type constants */
+#define KRB5_ENCTYPE_NULL 0
+#define KRB5_ENCTYPE_DES_CBC_CRC 1
+#define KRB5_ENCTYPE_DES_CBC_MD4 2
+#define KRB5_ENCTYPE_DES_CBC_MD5 3
+#define KRB5_ENCTYPE_DES_CBC_RAW 4
+#define KRB5_ENCTYPE_DES3_CBC_SHA 5
+#define KRB5_ENCTYPE_DES3_CBC_RAW 6
+#define KRB5_ENCTYPE_DES_HMAC_SHA1 8
+#define KRB5_ENCTYPE_DSA_SHA1_CMS 9
+#define KRB5_ENCTYPE_RSA_MD5_CMS 10
+#define KRB5_ENCTYPE_RSA_SHA1_CMS 11
+#define KRB5_ENCTYPE_RC2_CBC_ENV 12
+#define KRB5_ENCTYPE_RSA_ENV 13
+#define KRB5_ENCTYPE_RSA_ES_OEAP_ENV 14
+#define KRB5_ENCTYPE_DES_EDE3_CBC_ENV 15
+#define KRB5_ENCTYPE_DES3_CBC_SHA1 16
+#define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 17
+#define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 18
+#define KRB5_ENCTYPE_DES_CBC_MD5_NT 20
+#define KERB_ENCTYPE_RC4_HMAC 23
+#define KERB_ENCTYPE_RC4_HMAC_EXP 24
+#define KRB5_ENCTYPE_UNKNOWN 0x1ff
+#define KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 0x7007
+#define KRB5_ENCTYPE_RC4_PLAIN_EXP 0xffffff73
+#define KRB5_ENCTYPE_RC4_PLAIN 0xffffff74
+#define KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP 0xffffff78
+#define KRB5_ENCTYPE_RC4_HMAC_OLD_EXP 0xffffff79
+#define KRB5_ENCTYPE_RC4_PLAIN_OLD 0xffffff7a
+#define KRB5_ENCTYPE_RC4_HMAC_OLD 0xffffff7b
+#define KRB5_ENCTYPE_DES_PLAIN 0xffffff7c
+#define KRB5_ENCTYPE_RC4_SHA 0xffffff7d
+#define KRB5_ENCTYPE_RC4_LM 0xffffff7e
+#define KRB5_ENCTYPE_RC4_PLAIN2 0xffffff7f
+#define KRB5_ENCTYPE_RC4_MD4 0xffffff80
+
+/* checksum types */
+#define KRB5_CHKSUM_NONE 0
+#define KRB5_CHKSUM_CRC32 1
+#define KRB5_CHKSUM_MD4 2
+#define KRB5_CHKSUM_KRB_DES_MAC 4
+#define KRB5_CHKSUM_KRB_DES_MAC_K 5
+#define KRB5_CHKSUM_MD5 7
+#define KRB5_CHKSUM_MD5_DES 8
+/* the following four come from packetcable */
+#define KRB5_CHKSUM_MD5_DES3 9
+#define KRB5_CHKSUM_HMAC_SHA1_DES3_KD 12
+#define KRB5_CHKSUM_HMAC_SHA1_DES3 13
+#define KRB5_CHKSUM_SHA1_UNKEYED 14
+#define KRB5_CHKSUM_HMAC_MD5 0xffffff76
+#define KRB5_CHKSUM_MD5_HMAC 0xffffff77
+#define KRB5_CHKSUM_RC4_MD5 0xffffff78
+#define KRB5_CHKSUM_MD25 0xffffff79
+#define KRB5_CHKSUM_DES_MAC_MD5 0xffffff7a
+#define KRB5_CHKSUM_DES_MAC 0xffffff7b
+#define KRB5_CHKSUM_REAL_CRC32 0xffffff7c
+#define KRB5_CHKSUM_SHA1 0xffffff7d
+#define KRB5_CHKSUM_LM 0xffffff7e
+#define KRB5_CHKSUM_GSSAPI 0x8003
+
+/*
+ * For KERB_ENCTYPE_RC4_HMAC and KERB_ENCTYPE_RC4_HMAC_EXP, see
+ *
+ * http://www.ietf.org/internet-drafts/draft-brezak-win2k-krb-rc4-hmac-04.txt
+ *
+ * unless it's expired.
+ */
+
+/* pre-authentication type constants */
+#define KRB5_PA_TGS_REQ 1
+#define KRB5_PA_ENC_TIMESTAMP 2
+#define KRB5_PA_PW_SALT 3
+#define KRB5_PA_ENC_ENCKEY 4
+#define KRB5_PA_ENC_UNIX_TIME 5
+#define KRB5_PA_ENC_SANDIA_SECURID 6
+#define KRB5_PA_SESAME 7
+#define KRB5_PA_OSF_DCE 8
+#define KRB5_PA_CYBERSAFE_SECUREID 9
+#define KRB5_PA_AFS3_SALT 10
+#define KRB5_PA_ENCTYPE_INFO 11
+#define KRB5_PA_SAM_CHALLENGE 12
+#define KRB5_PA_SAM_RESPONSE 13
+#define KRB5_PA_PK_AS_REQ 14
+#define KRB5_PA_PK_AS_REP 15
+#define KRB5_PA_DASS 16
+#define KRB5_PA_ENCTYPE_INFO2 19
+#define KRB5_PA_USE_SPECIFIED_KVNO 20
+#define KRB5_PA_SAM_REDIRECT 21
+#define KRB5_PA_GET_FROM_TYPED_DATA 22
+#define KRB5_PA_SAM_ETYPE_INFO 23
+#define KRB5_PA_ALT_PRINC 24
+#define KRB5_PA_SAM_CHALLENGE2 30
+#define KRB5_PA_SAM_RESPONSE2 31
+#define KRB5_TD_PKINIT_CMS_CERTIFICATES 101
+#define KRB5_TD_KRB_PRINCIPAL 102
+#define KRB5_TD_KRB_REALM 103
+#define KRB5_TD_TRUSTED_CERTIFIERS 104
+#define KRB5_TD_CERTIFICATE_INDEX 105
+#define KRB5_TD_APP_DEFINED_ERROR 106
+#define KRB5_TD_REQ_NONCE 107
+#define KRB5_TD_REQ_SEQ 108
+/* preauthentication types >127 (i.e. negative ones) are app specific.
+ however since Microsoft is the dominant(only?) user of types in this range
+ we also treat the type as unsigned.
+*/
+#define KRB5_PA_PAC_REQUEST 128 /* (Microsoft extension) */
+#define KRB5_PA_FOR_USER 129 /* Impersonation (Microsoft extension) See [MS-SFU]. XXX - replaced by KRB5_PA_S4U2SELF */
+#define KRB5_PA_S4U2SELF 129
+
+#define KRB5_PA_PROV_SRV_LOCATION 0xffffffff /* (gint32)0xFF) packetcable stuff */
+/* Principal name-type */
+#define KRB5_NT_UNKNOWN 0
+#define KRB5_NT_PRINCIPAL 1
+#define KRB5_NT_SRV_INST 2
+#define KRB5_NT_SRV_HST 3
+#define KRB5_NT_SRV_XHST 4
+#define KRB5_NT_UID 5
+#define KRB5_NT_X500_PRINCIPAL 6
+#define KRB5_NT_SMTP_NAME 7
+#define KRB5_NT_ENTERPRISE 10
+
+/*
+ * MS specific name types, from
+ *
+ * http://msdn.microsoft.com/library/en-us/security/security/kerb_external_name.asp
+ */
+#define KRB5_NT_MS_PRINCIPAL -128
+#define KRB5_NT_MS_PRINCIPAL_AND_SID -129
+#define KRB5_NT_ENT_PRINCIPAL_AND_SID -130
+#define KRB5_NT_PRINCIPAL_AND_SID -131
+#define KRB5_NT_SRV_INST_AND_SID -132
+
+/* error table constants */
+/* I prefixed the krb5_err.et constant names with KRB5_ET_ for these */
+#define KRB5_ET_KRB5KDC_ERR_NONE 0
+#define KRB5_ET_KRB5KDC_ERR_NAME_EXP 1
+#define KRB5_ET_KRB5KDC_ERR_SERVICE_EXP 2
+#define KRB5_ET_KRB5KDC_ERR_BAD_PVNO 3
+#define KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO 4
+#define KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO 5
+#define KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN 6
+#define KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN 7
+#define KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE 8
+#define KRB5_ET_KRB5KDC_ERR_NULL_KEY 9
+#define KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE 10
+#define KRB5_ET_KRB5KDC_ERR_NEVER_VALID 11
+#define KRB5_ET_KRB5KDC_ERR_POLICY 12
+#define KRB5_ET_KRB5KDC_ERR_BADOPTION 13
+#define KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP 14
+#define KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP 15
+#define KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP 16
+#define KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP 17
+#define KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED 18
+#define KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED 19
+#define KRB5_ET_KRB5KDC_ERR_TGT_REVOKED 20
+#define KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET 21
+#define KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET 22
+#define KRB5_ET_KRB5KDC_ERR_KEY_EXP 23
+#define KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED 24
+#define KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED 25
+#define KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH 26
+#define KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER 27
+#define KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED 28
+#define KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE 29
+#define KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY 31
+#define KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED 32
+#define KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV 33
+#define KRB5_ET_KRB5KRB_AP_ERR_REPEAT 34
+#define KRB5_ET_KRB5KRB_AP_ERR_NOT_US 35
+#define KRB5_ET_KRB5KRB_AP_ERR_BADMATCH 36
+#define KRB5_ET_KRB5KRB_AP_ERR_SKEW 37
+#define KRB5_ET_KRB5KRB_AP_ERR_BADADDR 38
+#define KRB5_ET_KRB5KRB_AP_ERR_BADVERSION 39
+#define KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE 40
+#define KRB5_ET_KRB5KRB_AP_ERR_MODIFIED 41
+#define KRB5_ET_KRB5KRB_AP_ERR_BADORDER 42
+#define KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT 43
+#define KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER 44
+#define KRB5_ET_KRB5KRB_AP_ERR_NOKEY 45
+#define KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL 46
+#define KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION 47
+#define KRB5_ET_KRB5KRB_AP_ERR_METHOD 48
+#define KRB5_ET_KRB5KRB_AP_ERR_BADSEQ 49
+#define KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM 50
+#define KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED 51
+#define KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG 52
+#define KRB5_ET_KRB5KRB_ERR_GENERIC 60
+#define KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG 61
+#define KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED 62
+#define KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED 63
+#define KRB5_ET_KDC_ERROR_INVALID_SIG 64
+#define KRB5_ET_KDC_ERR_KEY_TOO_WEAK 65
+#define KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH 66
+#define KRB5_ET_KRB_AP_ERR_NO_TGT 67
+#define KRB5_ET_KDC_ERR_WRONG_REALM 68
+#define KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED 69
+#define KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE 70
+#define KRB5_ET_KDC_ERR_INVALID_CERTIFICATE 71
+#define KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE 72
+#define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN 73
+#define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74
+#define KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH 75
+#define KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH 76
+
+static const value_string krb5_error_codes[] = {
+ { KRB5_ET_KRB5KDC_ERR_NONE, "KRB5KDC_ERR_NONE" },
+ { KRB5_ET_KRB5KDC_ERR_NAME_EXP, "KRB5KDC_ERR_NAME_EXP" },
+ { KRB5_ET_KRB5KDC_ERR_SERVICE_EXP, "KRB5KDC_ERR_SERVICE_EXP" },
+ { KRB5_ET_KRB5KDC_ERR_BAD_PVNO, "KRB5KDC_ERR_BAD_PVNO" },
+ { KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO, "KRB5KDC_ERR_C_OLD_MAST_KVNO" },
+ { KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO, "KRB5KDC_ERR_S_OLD_MAST_KVNO" },
+ { KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" },
+ { KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" },
+ { KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, "KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE" },
+ { KRB5_ET_KRB5KDC_ERR_NULL_KEY, "KRB5KDC_ERR_NULL_KEY" },
+ { KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE, "KRB5KDC_ERR_CANNOT_POSTDATE" },
+ { KRB5_ET_KRB5KDC_ERR_NEVER_VALID, "KRB5KDC_ERR_NEVER_VALID" },
+ { KRB5_ET_KRB5KDC_ERR_POLICY, "KRB5KDC_ERR_POLICY" },
+ { KRB5_ET_KRB5KDC_ERR_BADOPTION, "KRB5KDC_ERR_BADOPTION" },
+ { KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP, "KRB5KDC_ERR_ETYPE_NOSUPP" },
+ { KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP, "KRB5KDC_ERR_SUMTYPE_NOSUPP" },
+ { KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP, "KRB5KDC_ERR_PADATA_TYPE_NOSUPP" },
+ { KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP, "KRB5KDC_ERR_TRTYPE_NOSUPP" },
+ { KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED, "KRB5KDC_ERR_CLIENT_REVOKED" },
+ { KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED, "KRB5KDC_ERR_SERVICE_REVOKED" },
+ { KRB5_ET_KRB5KDC_ERR_TGT_REVOKED, "KRB5KDC_ERR_TGT_REVOKED" },
+ { KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET, "KRB5KDC_ERR_CLIENT_NOTYET" },
+ { KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET, "KRB5KDC_ERR_SERVICE_NOTYET" },
+ { KRB5_ET_KRB5KDC_ERR_KEY_EXP, "KRB5KDC_ERR_KEY_EXP" },
+ { KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED, "KRB5KDC_ERR_PREAUTH_FAILED" },
+ { KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED, "KRB5KDC_ERR_PREAUTH_REQUIRED" },
+ { KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH, "KRB5KDC_ERR_SERVER_NOMATCH" },
+ { KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER, "KRB5KDC_ERR_MUST_USE_USER2USER" },
+ { KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED, "KRB5KDC_ERR_PATH_NOT_ACCEPTED" },
+ { KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE, "KRB5KDC_ERR_SVC_UNAVAILABLE" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY, "KRB5KRB_AP_ERR_BAD_INTEGRITY" },
+ { KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED, "KRB5KRB_AP_ERR_TKT_EXPIRED" },
+ { KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV, "KRB5KRB_AP_ERR_TKT_NYV" },
+ { KRB5_ET_KRB5KRB_AP_ERR_REPEAT, "KRB5KRB_AP_ERR_REPEAT" },
+ { KRB5_ET_KRB5KRB_AP_ERR_NOT_US, "KRB5KRB_AP_ERR_NOT_US" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADMATCH, "KRB5KRB_AP_ERR_BADMATCH" },
+ { KRB5_ET_KRB5KRB_AP_ERR_SKEW, "KRB5KRB_AP_ERR_SKEW" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADADDR, "KRB5KRB_AP_ERR_BADADDR" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADVERSION, "KRB5KRB_AP_ERR_BADVERSION" },
+ { KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE, "KRB5KRB_AP_ERR_MSG_TYPE" },
+ { KRB5_ET_KRB5KRB_AP_ERR_MODIFIED, "KRB5KRB_AP_ERR_MODIFIED" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADORDER, "KRB5KRB_AP_ERR_BADORDER" },
+ { KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT, "KRB5KRB_AP_ERR_ILL_CR_TKT" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER, "KRB5KRB_AP_ERR_BADKEYVER" },
+ { KRB5_ET_KRB5KRB_AP_ERR_NOKEY, "KRB5KRB_AP_ERR_NOKEY" },
+ { KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL, "KRB5KRB_AP_ERR_MUT_FAIL" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION, "KRB5KRB_AP_ERR_BADDIRECTION" },
+ { KRB5_ET_KRB5KRB_AP_ERR_METHOD, "KRB5KRB_AP_ERR_METHOD" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADSEQ, "KRB5KRB_AP_ERR_BADSEQ" },
+ { KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM, "KRB5KRB_AP_ERR_INAPP_CKSUM" },
+ { KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED, "KRB5KDC_AP_PATH_NOT_ACCEPTED" },
+ { KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG, "KRB5KRB_ERR_RESPONSE_TOO_BIG"},
+ { KRB5_ET_KRB5KRB_ERR_GENERIC, "KRB5KRB_ERR_GENERIC" },
+ { KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG, "KRB5KRB_ERR_FIELD_TOOLONG" },
+ { KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED, "KDC_ERROR_CLIENT_NOT_TRUSTED" },
+ { KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED, "KDC_ERROR_KDC_NOT_TRUSTED" },
+ { KRB5_ET_KDC_ERROR_INVALID_SIG, "KDC_ERROR_INVALID_SIG" },
+ { KRB5_ET_KDC_ERR_KEY_TOO_WEAK, "KDC_ERR_KEY_TOO_WEAK" },
+ { KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH, "KDC_ERR_CERTIFICATE_MISMATCH" },
+ { KRB5_ET_KRB_AP_ERR_NO_TGT, "KRB_AP_ERR_NO_TGT" },
+ { KRB5_ET_KDC_ERR_WRONG_REALM, "KDC_ERR_WRONG_REALM" },
+ { KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED, "KRB_AP_ERR_USER_TO_USER_REQUIRED" },
+ { KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE, "KDC_ERR_CANT_VERIFY_CERTIFICATE" },
+ { KRB5_ET_KDC_ERR_INVALID_CERTIFICATE, "KDC_ERR_INVALID_CERTIFICATE" },
+ { KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE, "KDC_ERR_REVOKED_CERTIFICATE" },
+ { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN, "KDC_ERR_REVOCATION_STATUS_UNKNOWN" },
+ { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE, "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE" },
+ { KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH, "KDC_ERR_CLIENT_NAME_MISMATCH" },
+ { KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH, "KDC_ERR_KDC_NAME_MISMATCH" },
+ { 0, NULL }
+};
+
+
+#define PAC_LOGON_INFO 1
+#define PAC_CREDENTIAL_TYPE 2
+#define PAC_SERVER_CHECKSUM 6
+#define PAC_PRIVSVR_CHECKSUM 7
+#define PAC_CLIENT_INFO_TYPE 10
+#define PAC_S4U_DELEGATION_INFO 11
+#define PAC_UPN_DNS_INFO 12
+static const value_string w2k_pac_types[] = {
+ { PAC_LOGON_INFO , "Logon Info" },
+ { PAC_CREDENTIAL_TYPE , "Credential Type" },
+ { PAC_SERVER_CHECKSUM , "Server Checksum" },
+ { PAC_PRIVSVR_CHECKSUM , "Privsvr Checksum" },
+ { PAC_CLIENT_INFO_TYPE , "Client Info Type" },
+ { PAC_S4U_DELEGATION_INFO, "S4U Delegation Info" },
+ { PAC_UPN_DNS_INFO , "UPN DNS Info" },
+ { 0, NULL },
+};
+
+#if 0
+static const value_string krb5_princ_types[] = {
+ { KRB5_NT_UNKNOWN , "Unknown" },
+ { KRB5_NT_PRINCIPAL , "Principal" },
+ { KRB5_NT_SRV_INST , "Service and Instance" },
+ { KRB5_NT_SRV_HST , "Service and Host" },
+ { KRB5_NT_SRV_XHST , "Service and Host Components" },
+ { KRB5_NT_UID , "Unique ID" },
+ { KRB5_NT_X500_PRINCIPAL , "Encoded X.509 Distinguished Name" },
+ { KRB5_NT_SMTP_NAME , "SMTP Name" },
+ { KRB5_NT_ENTERPRISE , "Enterprise Name" },
+ { KRB5_NT_MS_PRINCIPAL , "NT 4.0 style name (MS specific)" },
+ { KRB5_NT_MS_PRINCIPAL_AND_SID , "NT 4.0 style name with SID (MS specific)"},
+ { KRB5_NT_ENT_PRINCIPAL_AND_SID, "UPN and SID (MS specific)"},
+ { KRB5_NT_PRINCIPAL_AND_SID , "Principal name and SID (MS specific)"},
+ { KRB5_NT_SRV_INST_AND_SID , "SPN and SID (MS specific)"},
+ { 0 , NULL },
+};
+#endif
+
+static const value_string krb5_preauthentication_types[] = {
+ { KRB5_PA_TGS_REQ , "PA-TGS-REQ" },
+ { KRB5_PA_ENC_TIMESTAMP , "PA-ENC-TIMESTAMP" },
+ { KRB5_PA_PW_SALT , "PA-PW-SALT" },
+ { KRB5_PA_ENC_ENCKEY , "PA-ENC-ENCKEY" },
+ { KRB5_PA_ENC_UNIX_TIME , "PA-ENC-UNIX-TIME" },
+ { KRB5_PA_ENC_SANDIA_SECURID , "PA-PW-SALT" },
+ { KRB5_PA_SESAME , "PA-SESAME" },
+ { KRB5_PA_OSF_DCE , "PA-OSF-DCE" },
+ { KRB5_PA_CYBERSAFE_SECUREID , "PA-CYBERSAFE-SECURID" },
+ { KRB5_PA_AFS3_SALT , "PA-AFS3-SALT" },
+ { KRB5_PA_ENCTYPE_INFO , "PA-ENCTYPE-INFO" },
+ { KRB5_PA_ENCTYPE_INFO2 , "PA-ENCTYPE-INFO2" },
+ { KRB5_PA_SAM_CHALLENGE , "PA-SAM-CHALLENGE" },
+ { KRB5_PA_SAM_RESPONSE , "PA-SAM-RESPONSE" },
+ { KRB5_PA_PK_AS_REQ , "PA-PK-AS-REQ" },
+ { KRB5_PA_PK_AS_REP , "PA-PK-AS-REP" },
+ { KRB5_PA_DASS , "PA-DASS" },
+ { KRB5_PA_USE_SPECIFIED_KVNO , "PA-USE-SPECIFIED-KVNO" },
+ { KRB5_PA_SAM_REDIRECT , "PA-SAM-REDIRECT" },
+ { KRB5_PA_GET_FROM_TYPED_DATA , "PA-GET-FROM-TYPED-DATA" },
+ { KRB5_PA_SAM_ETYPE_INFO , "PA-SAM-ETYPE-INFO" },
+ { KRB5_PA_ALT_PRINC , "PA-ALT-PRINC" },
+ { KRB5_PA_SAM_CHALLENGE2 , "PA-SAM-CHALLENGE2" },
+ { KRB5_PA_SAM_RESPONSE2 , "PA-SAM-RESPONSE2" },
+ { KRB5_TD_PKINIT_CMS_CERTIFICATES, "TD-PKINIT-CMS-CERTIFICATES" },
+ { KRB5_TD_KRB_PRINCIPAL , "TD-KRB-PRINCIPAL" },
+ { KRB5_TD_KRB_REALM , "TD-KRB-REALM" },
+ { KRB5_TD_TRUSTED_CERTIFIERS , "TD-TRUSTED-CERTIFIERS" },
+ { KRB5_TD_CERTIFICATE_INDEX , "TD-CERTIFICATE-INDEX" },
+ { KRB5_TD_APP_DEFINED_ERROR , "TD-APP-DEFINED-ERROR" },
+ { KRB5_TD_REQ_NONCE , "TD-REQ-NONCE" },
+ { KRB5_TD_REQ_SEQ , "TD-REQ-SEQ" },
+ { KRB5_PA_PAC_REQUEST , "PA-PAC-REQUEST" },
+ { KRB5_PA_FOR_USER , "PA-FOR-USER" },
+ { KRB5_PA_PROV_SRV_LOCATION , "PA-PROV-SRV-LOCATION" },
+ { 0 , NULL },
+};
+
+#if 0
+static const value_string krb5_encryption_types[] = {
+ { KRB5_ENCTYPE_NULL , "NULL" },
+ { KRB5_ENCTYPE_DES_CBC_CRC , "des-cbc-crc" },
+ { KRB5_ENCTYPE_DES_CBC_MD4 , "des-cbc-md4" },
+ { KRB5_ENCTYPE_DES_CBC_MD5 , "des-cbc-md5" },
+ { KRB5_ENCTYPE_DES_CBC_RAW , "des-cbc-raw" },
+ { KRB5_ENCTYPE_DES3_CBC_SHA , "des3-cbc-sha" },
+ { KRB5_ENCTYPE_DES3_CBC_RAW , "des3-cbc-raw" },
+ { KRB5_ENCTYPE_DES_HMAC_SHA1 , "des-hmac-sha1" },
+ { KRB5_ENCTYPE_DSA_SHA1_CMS , "dsa-sha1-cms" },
+ { KRB5_ENCTYPE_RSA_MD5_CMS , "rsa-md5-cms" },
+ { KRB5_ENCTYPE_RSA_SHA1_CMS , "rsa-sha1-cms" },
+ { KRB5_ENCTYPE_RC2_CBC_ENV , "rc2-cbc-env" },
+ { KRB5_ENCTYPE_RSA_ENV , "rsa-env" },
+ { KRB5_ENCTYPE_RSA_ES_OEAP_ENV, "rsa-es-oeap-env" },
+ { KRB5_ENCTYPE_DES_EDE3_CBC_ENV, "des-ede3-cbc-env" },
+ { KRB5_ENCTYPE_DES3_CBC_SHA1 , "des3-cbc-sha1" },
+ { KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 , "aes128-cts-hmac-sha1-96" },
+ { KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 , "aes256-cts-hmac-sha1-96" },
+ { KRB5_ENCTYPE_DES_CBC_MD5_NT , "des-cbc-md5-nt" },
+ { KERB_ENCTYPE_RC4_HMAC , "rc4-hmac" },
+ { KERB_ENCTYPE_RC4_HMAC_EXP , "rc4-hmac-exp" },
+ { KRB5_ENCTYPE_UNKNOWN , "unknown" },
+ { KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 , "local-des3-hmac-sha1" },
+ { KRB5_ENCTYPE_RC4_PLAIN_EXP , "rc4-plain-exp" },
+ { KRB5_ENCTYPE_RC4_PLAIN , "rc4-plain" },
+ { KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP, "rc4-plain-old-exp" },
+ { KRB5_ENCTYPE_RC4_HMAC_OLD_EXP, "rc4-hmac-old-exp" },
+ { KRB5_ENCTYPE_RC4_PLAIN_OLD , "rc4-plain-old" },
+ { KRB5_ENCTYPE_RC4_HMAC_OLD , "rc4-hmac-old" },
+ { KRB5_ENCTYPE_DES_PLAIN , "des-plain" },
+ { KRB5_ENCTYPE_RC4_SHA , "rc4-sha" },
+ { KRB5_ENCTYPE_RC4_LM , "rc4-lm" },
+ { KRB5_ENCTYPE_RC4_PLAIN2 , "rc4-plain2" },
+ { KRB5_ENCTYPE_RC4_MD4 , "rc4-md4" },
+ { 0 , NULL },
+};
+
+static const value_string krb5_checksum_types[] = {
+ { KRB5_CHKSUM_NONE , "none" },
+ { KRB5_CHKSUM_CRC32 , "crc32" },
+ { KRB5_CHKSUM_MD4 , "md4" },
+ { KRB5_CHKSUM_KRB_DES_MAC , "krb-des-mac" },
+ { KRB5_CHKSUM_KRB_DES_MAC_K , "krb-des-mac-k" },
+ { KRB5_CHKSUM_MD5 , "md5" },
+ { KRB5_CHKSUM_MD5_DES , "md5-des" },
+ { KRB5_CHKSUM_MD5_DES3 , "md5-des3" },
+ { KRB5_CHKSUM_HMAC_SHA1_DES3_KD, "hmac-sha1-des3-kd" },
+ { KRB5_CHKSUM_HMAC_SHA1_DES3 , "hmac-sha1-des3" },
+ { KRB5_CHKSUM_SHA1_UNKEYED , "sha1 (unkeyed)" },
+ { KRB5_CHKSUM_HMAC_MD5 , "hmac-md5" },
+ { KRB5_CHKSUM_MD5_HMAC , "md5-hmac" },
+ { KRB5_CHKSUM_RC4_MD5 , "rc5-md5" },
+ { KRB5_CHKSUM_MD25 , "md25" },
+ { KRB5_CHKSUM_DES_MAC_MD5 , "des-mac-md5" },
+ { KRB5_CHKSUM_DES_MAC , "des-mac" },
+ { KRB5_CHKSUM_REAL_CRC32 , "real-crc32" },
+ { KRB5_CHKSUM_SHA1 , "sha1" },
+ { KRB5_CHKSUM_LM , "lm" },
+ { KRB5_CHKSUM_GSSAPI , "gssapi-8003" },
+ { 0 , NULL },
+};
+#endif
+
+#define KRB5_AD_IF_RELEVANT 1
+#define KRB5_AD_INTENDED_FOR_SERVER 2
+#define KRB5_AD_INTENDED_FOR_APPLICATION_CLASS 3
+#define KRB5_AD_KDC_ISSUED 4
+#define KRB5_AD_OR 5
+#define KRB5_AD_MANDATORY_TICKET_EXTENSIONS 6
+#define KRB5_AD_IN_TICKET_EXTENSIONS 7
+#define KRB5_AD_MANDATORY_FOR_KDC 8
+#define KRB5_AD_OSF_DCE 64
+#define KRB5_AD_SESAME 65
+#define KRB5_AD_OSF_DCE_PKI_CERTID 66
+#define KRB5_AD_WIN2K_PAC 128
+#define KRB5_AD_SIGNTICKET 0xffffffef
+
+static const value_string krb5_ad_types[] = {
+ { KRB5_AD_IF_RELEVANT , "AD-IF-RELEVANT" },
+ { KRB5_AD_INTENDED_FOR_SERVER , "AD-Intended-For-Server" },
+ { KRB5_AD_INTENDED_FOR_APPLICATION_CLASS , "AD-Intended-For-Application-Class" },
+ { KRB5_AD_KDC_ISSUED , "AD-KDCIssued" },
+ { KRB5_AD_OR , "AD-AND-OR" },
+ { KRB5_AD_MANDATORY_TICKET_EXTENSIONS , "AD-Mandatory-Ticket-Extensions" },
+ { KRB5_AD_IN_TICKET_EXTENSIONS , "AD-IN-Ticket-Extensions" },
+ { KRB5_AD_MANDATORY_FOR_KDC , "AD-MANDATORY-FOR-KDC" },
+ { KRB5_AD_OSF_DCE , "AD-OSF-DCE" },
+ { KRB5_AD_SESAME , "AD-SESAME" },
+ { KRB5_AD_OSF_DCE_PKI_CERTID , "AD-OSF-DCE-PKI-CertID" },
+ { KRB5_AD_WIN2K_PAC , "AD-Win2k-PAC" },
+ { KRB5_AD_SIGNTICKET , "AD-SignTicket" },
+ { 0 , NULL },
+};
+#if 0
+static const value_string krb5_transited_types[] = {
+ { 1 , "DOMAIN-X500-COMPRESS" },
+ { 0 , NULL }
+};
+#endif
+
+static const value_string krb5_msg_types[] = {
+ { KRB5_MSG_TICKET, "Ticket" },
+ { KRB5_MSG_AUTHENTICATOR, "Authenticator" },
+ { KRB5_MSG_ENC_TICKET_PART, "EncTicketPart" },
+ { KRB5_MSG_TGS_REQ, "TGS-REQ" },
+ { KRB5_MSG_TGS_REP, "TGS-REP" },
+ { KRB5_MSG_AS_REQ, "AS-REQ" },
+ { KRB5_MSG_AS_REP, "AS-REP" },
+ { KRB5_MSG_AP_REQ, "AP-REQ" },
+ { KRB5_MSG_AP_REP, "AP-REP" },
+ { KRB5_MSG_SAFE, "KRB-SAFE" },
+ { KRB5_MSG_PRIV, "KRB-PRIV" },
+ { KRB5_MSG_CRED, "KRB-CRED" },
+ { KRB5_MSG_ENC_AS_REP_PART, "EncASRepPart" },
+ { KRB5_MSG_ENC_TGS_REP_PART, "EncTGSRepPart" },
+ { KRB5_MSG_ENC_AP_REP_PART, "EncAPRepPart" },
+ { KRB5_MSG_ENC_KRB_PRIV_PART, "EncKrbPrivPart" },
+ { KRB5_MSG_ENC_KRB_CRED_PART, "EncKrbCredPart" },
+ { KRB5_MSG_ERROR, "KRB-ERROR" },
+ { 0, NULL },
+};
+
+#define KRB5_GSS_C_DELEG_FLAG 0x01
+#define KRB5_GSS_C_MUTUAL_FLAG 0x02
+#define KRB5_GSS_C_REPLAY_FLAG 0x04
+#define KRB5_GSS_C_SEQUENCE_FLAG 0x08
+#define KRB5_GSS_C_CONF_FLAG 0x10
+#define KRB5_GSS_C_INTEG_FLAG 0x20
+#define KRB5_GSS_C_DCE_STYLE 0x1000
+
+static const true_false_string tfs_gss_flags_deleg = {
+ "Delegate credentials to remote peer",
+ "Do NOT delegate"
+};
+static const true_false_string tfs_gss_flags_mutual = {
+ "Request that remote peer authenticates itself",
+ "Mutual authentication NOT required"
+};
+static const true_false_string tfs_gss_flags_replay = {
+ "Enable replay protection for signed or sealed messages",
+ "Do NOT enable replay protection"
+};
+static const true_false_string tfs_gss_flags_sequence = {
+ "Enable Out-of-sequence detection for sign or sealed messages",
+ "Do NOT enable out-of-sequence detection"
+};
+static const true_false_string tfs_gss_flags_conf = {
+ "Confidentiality (sealing) may be invoked",
+ "Do NOT use Confidentiality (sealing)"
+};
+static const true_false_string tfs_gss_flags_integ = {
+ "Integrity protection (signing) may be invoked",
+ "Do NOT use integrity protection"
+};
+
+static const true_false_string tfs_gss_flags_dce_style = {
+ "DCE-STYLE",
+ "Not using DCE-STYLE"
+};
+
+#ifdef HAVE_KERBEROS
+static int
+dissect_krb5_decrypt_ticket_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+ proto_tree *tree, int hf_index _U_)
+{
+ guint8 *plaintext;
+ int length;
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+ tvbuff_t *next_tvb;
+
+ next_tvb=tvb_new_subset_remaining(tvb, offset);
+ length=tvb_captured_length_remaining(tvb, offset);
+
+ /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
+ * 7.5.1
+ * All Ticket encrypted parts use usage == 2
+ */
+ plaintext=decrypt_krb5_data(tree, actx->pinfo, 2, next_tvb, private_data->etype, NULL);
+
+ if(plaintext){
+ tvbuff_t *child_tvb;
+ child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+ tvb_set_free_cb(child_tvb, g_free);
+
+ /* Add the decrypted data to the data source list. */
+ add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
+
+ offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+ }
+ return offset;
+}
+
+static int
+dissect_krb5_decrypt_authenticator_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+ proto_tree *tree, int hf_index _U_)
+{
+ guint8 *plaintext;
+ int length;
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+ tvbuff_t *next_tvb;
+
+ next_tvb=tvb_new_subset_remaining(tvb, offset);
+ length=tvb_captured_length_remaining(tvb, offset);
+
+ /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
+ * 7.5.1
+ * Authenticators are encrypted with usage
+ * == 7 or
+ * == 11
+ */
+ plaintext=decrypt_krb5_data(tree, actx->pinfo, 7, next_tvb, private_data->etype, NULL);
+
+ if(!plaintext){
+ plaintext=decrypt_krb5_data(tree, actx->pinfo, 11, next_tvb, private_data->etype, NULL);
+ }
+
+ if(plaintext){
+ tvbuff_t *child_tvb;
+ child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+ tvb_set_free_cb(child_tvb, g_free);
+
+ /* Add the decrypted data to the data source list. */
+ add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
+
+ offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+ }
+ return offset;
+}
+
+static int
+dissect_krb5_decrypt_KDC_REP_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+ proto_tree *tree, int hf_index _U_)
+{
+ guint8 *plaintext;
+ int length;
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+ tvbuff_t *next_tvb;
+
+ next_tvb=tvb_new_subset_remaining(tvb, offset);
+ length=tvb_captured_length_remaining(tvb, offset);
+
+ /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
+ * 7.5.1
+ * ASREP/TGSREP encryptedparts are encrypted with usage
+ * == 3 or
+ * == 8 or
+ * == 9
+ */
+ plaintext=decrypt_krb5_data(tree, actx->pinfo, 3, next_tvb, private_data->etype, NULL);
+
+ if(!plaintext){
+ plaintext=decrypt_krb5_data(tree, actx->pinfo, 8, next_tvb, private_data->etype, NULL);
+ }
+
+ if(!plaintext){
+ plaintext=decrypt_krb5_data(tree, actx->pinfo, 9, next_tvb, private_data->etype, NULL);
+ }
+
+ if(plaintext){
+ tvbuff_t *child_tvb;
+ child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+ tvb_set_free_cb(child_tvb, g_free);
+
+ /* Add the decrypted data to the data source list. */
+ add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
+
+ offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+ }
+ return offset;
+}
+
+static int
+dissect_krb5_decrypt_PA_ENC_TIMESTAMP (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+ proto_tree *tree, int hf_index _U_)
+{
+ guint8 *plaintext;
+ int length;
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+ tvbuff_t *next_tvb;
+
+ next_tvb=tvb_new_subset_remaining(tvb, offset);
+ length=tvb_captured_length_remaining(tvb, offset);
+
+ /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
+ * 7.5.1
+ * AS-REQ PA_ENC_TIMESTAMP are encrypted with usage
+ * == 1
+ */
+ plaintext=decrypt_krb5_data(tree, actx->pinfo, 1, next_tvb, private_data->etype, NULL);
+
+ if(plaintext){
+ tvbuff_t *child_tvb;
+ child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+ tvb_set_free_cb(child_tvb, g_free);
+
+ /* Add the decrypted data to the data source list. */
+ add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
+
+ offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+ }
+ return offset;
+}
+
+static int
+dissect_krb5_decrypt_AP_REP_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+ proto_tree *tree, int hf_index _U_)
+{
+ guint8 *plaintext;
+ int length;
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+ tvbuff_t *next_tvb;
+
+ next_tvb=tvb_new_subset_remaining(tvb, offset);
+ length=tvb_captured_length_remaining(tvb, offset);
+
+ /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
+ * 7.5.1
+ * AP-REP are encrypted with usage == 12
+ */
+ plaintext=decrypt_krb5_data(tree, actx->pinfo, 12, next_tvb, private_data->etype, NULL);
+
+ if(plaintext){
+ tvbuff_t *child_tvb;
+ child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+ tvb_set_free_cb(child_tvb, g_free);
+
+ /* Add the decrypted data to the data source list. */
+ add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
+
+ offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+ }
+ return offset;
+}
+
+static int
+dissect_krb5_decrypt_PRIV_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+ proto_tree *tree, int hf_index _U_)
+{
+ guint8 *plaintext;
+ int length;
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+ tvbuff_t *next_tvb;
+
+ next_tvb=tvb_new_subset_remaining(tvb, offset);
+ length=tvb_captured_length_remaining(tvb, offset);
+
+ /* RFC4120 :
+ * EncKrbPrivPart encrypted with usage
+ * == 13
+ */
+ plaintext=decrypt_krb5_data(tree, actx->pinfo, 13, next_tvb, private_data->etype, NULL);
+
+ if(plaintext){
+ tvbuff_t *child_tvb;
+ child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+ tvb_set_free_cb(child_tvb, g_free);
+
+ /* Add the decrypted data to the data source list. */
+ add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
+
+ offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+ }
+ return offset;
+}
+
+static int
+dissect_krb5_decrypt_CRED_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+ proto_tree *tree, int hf_index _U_)
+{
+ guint8 *plaintext;
+ int length;
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+ tvbuff_t *next_tvb;
+
+ next_tvb=tvb_new_subset_remaining(tvb, offset);
+ length=tvb_captured_length_remaining(tvb, offset);
+
+ /* RFC4120 :
+ * EncKrbCredPart encrypted with usage
+ * == 14
+ */
+ plaintext=decrypt_krb5_data(tree, actx->pinfo, 14, next_tvb, private_data->etype, NULL);
+
+ if(plaintext){
+ tvbuff_t *child_tvb;
+ child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+ tvb_set_free_cb(child_tvb, g_free);
+
+ /* Add the decrypted data to the data source list. */
+ add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
+
+ offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+ }
+ return offset;
+}
+#endif
+
+/* Dissect a GSSAPI checksum as per RFC1964. This is NOT ASN.1 encoded.
+ */
+static int
+dissect_krb5_rfc1964_checksum(asn1_ctx_t *actx _U_, proto_tree *tree, tvbuff_t *tvb)
+{
+ int offset=0;
+ guint32 len;
+ guint16 dlglen;
+
+ /* Length of Bnd field */
+ len=tvb_get_letohl(tvb, offset);
+ proto_tree_add_item(tree, hf_krb_gssapi_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ offset += 4;
+
+ /* Bnd field */
+ proto_tree_add_item(tree, hf_krb_gssapi_bnd, tvb, offset, len, ENC_NA);
+ offset += len;
+
+
+ /* flags */
+ proto_tree_add_item(tree, hf_krb_gssapi_c_flag_dce_style, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ proto_tree_add_item(tree, hf_krb_gssapi_c_flag_integ, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ proto_tree_add_item(tree, hf_krb_gssapi_c_flag_conf, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ proto_tree_add_item(tree, hf_krb_gssapi_c_flag_sequence, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ proto_tree_add_item(tree, hf_krb_gssapi_c_flag_replay, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ proto_tree_add_item(tree, hf_krb_gssapi_c_flag_mutual, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ proto_tree_add_item(tree, hf_krb_gssapi_c_flag_deleg, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ offset += 4;
+
+ /* the next fields are optional so we have to check that we have
+ * more data in our buffers */
+ if(tvb_reported_length_remaining(tvb, offset)<2){
+ return offset;
+ }
+ /* dlgopt identifier */
+ proto_tree_add_item(tree, hf_krb_gssapi_dlgopt, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+ offset += 2;
+
+ if(tvb_reported_length_remaining(tvb, offset)<2){
+ return offset;
+ }
+ /* dlglen identifier */
+ dlglen=tvb_get_letohs(tvb, offset);
+ proto_tree_add_item(tree, hf_krb_gssapi_dlglen, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+ offset += 2;
+
+ if(dlglen!=tvb_reported_length_remaining(tvb, offset)){
+ proto_tree_add_expert_format(tree, actx->pinfo, &ei_krb_gssapi_dlglen, tvb, 0, 0,
+ "Error: DlgLen:%d is not the same as number of bytes remaining:%d", dlglen, tvb_captured_length_remaining(tvb, offset));
+ return offset;
+ }
+
+ /* this should now be a KRB_CRED message */
+ offset=dissect_kerberos_Applications(FALSE, tvb, offset, actx, tree, /* hf_index */ -1);
+
+ return offset;
+}
+
+static int
+dissect_krb5_PA_PROV_SRV_LOCATION(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
+{
+ offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_provsrv_location, NULL, 0);
+
+ return offset;
+}
+
+static int
+dissect_krb5_PW_SALT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
+{
+ guint32 nt_status;
+
+ /* Microsoft stores a special 12 byte blob here
+ * guint32 NT_status
+ * guint32 unknown
+ * guint32 unknown
+ * decode everything as this blob for now until we see if anyone
+ * else ever uses it or we learn how to tell whether this
+ * is such an MS blob or not.
+ */
+ proto_tree_add_item(tree, hf_krb_smb_nt_status, tvb, offset, 4,
+ ENC_LITTLE_ENDIAN);
+ nt_status=tvb_get_letohl(tvb, offset);
+ if(nt_status) {
+ col_append_fstr(actx->pinfo->cinfo, COL_INFO,
+ " NT Status: %s",
+ val_to_str(nt_status, NT_errors,
+ "Unknown error code %#x"));
+ }
+ offset += 4;
+
+ proto_tree_add_item(tree, hf_krb_smb_unknown, tvb, offset, 4,
+ ENC_LITTLE_ENDIAN);
+ offset += 4;
+
+ proto_tree_add_item(tree, hf_krb_smb_unknown, tvb, offset, 4,
+ ENC_LITTLE_ENDIAN);
+ offset += 4;
+
+ return offset;
+}
+
+static int
+dissect_krb5_PAC_DREP(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint8 *drep)
+{
+ proto_tree *tree;
+ guint8 val;
+
+ tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16, ett_krb_pac_drep, NULL, "DREP");
+
+ val = tvb_get_guint8(tvb, offset);
+ proto_tree_add_uint(tree, hf_dcerpc_drep_byteorder, tvb, offset, 1, val>>4);
+
+ offset++;
+
+ if (drep) {
+ *drep = val;
+ }
+
+ return offset;
+}
+
+/* This might be some sort of header that MIDL generates when creating
+ * marshalling/unmarshalling code for blobs that are not to be transported
+ * ontop of DCERPC and where the DREP fields specifying things such as
+ * endianess and similar are not available.
+ */
+static int
+dissect_krb5_PAC_NDRHEADERBLOB(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint8 *drep, asn1_ctx_t *actx _U_)
+{
+ proto_tree *tree;
+
+ tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16, ett_krb_pac_midl_blob, NULL, "MES header");
+
+ /* modified DREP field that is used for stuff that is transporetd ontop
+ of non dcerpc
+ */
+ proto_tree_add_item(tree, hf_krb_midl_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
+ offset++;
+
+ offset = dissect_krb5_PAC_DREP(tree, tvb, offset, drep);
+
+
+ proto_tree_add_item(tree, hf_krb_midl_hdr_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+ offset+=2;
+
+ proto_tree_add_item(tree, hf_krb_midl_fill_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ offset += 4;
+
+ /* length of blob that follows */
+ proto_tree_add_item(tree, hf_krb_midl_blob_len, tvb, offset, 8, ENC_LITTLE_ENDIAN);
+ offset += 8;
+
+ return offset;
+}
+
+static int
+dissect_krb5_PAC_LOGON_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+ proto_item *item;
+ proto_tree *tree;
+ guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
+ static dcerpc_info di; /* fake dcerpc_info struct */
+ static dcerpc_call_value call_data;
+
+ item = proto_tree_add_item(parent_tree, hf_krb_pac_logon_info, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_krb_pac_logon_info);
+
+ /* skip the first 16 bytes, they are some magic created by the idl
+ * compiler the first 4 bytes might be flags?
+ */
+ offset = dissect_krb5_PAC_NDRHEADERBLOB(tree, tvb, offset, &drep[0], actx);
+
+ /* the PAC_LOGON_INFO blob */
+ /* fake whatever state the dcerpc runtime support needs */
+ di.conformant_run=0;
+ /* we need di->call_data->flags.NDR64 == 0 */
+ di.call_data=&call_data;
+ init_ndr_pointer_list(&di);
+ offset = dissect_ndr_pointer(tvb, offset, actx->pinfo, tree, &di, drep,
+ netlogon_dissect_PAC_LOGON_INFO, NDR_POINTER_UNIQUE,
+ "PAC_LOGON_INFO:", -1);
+
+ return offset;
+}
+
+static int
+dissect_krb5_PAC_S4U_DELEGATION_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
+{
+ proto_item *item;
+ proto_tree *tree;
+ guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
+ static dcerpc_info di; /* fake dcerpc_info struct */
+ static dcerpc_call_value call_data;
+
+ item = proto_tree_add_item(parent_tree, hf_krb_pac_s4u_delegation_info, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_krb_pac_s4u_delegation_info);
+
+ /* skip the first 16 bytes, they are some magic created by the idl
+ * compiler the first 4 bytes might be flags?
+ */
+ offset = dissect_krb5_PAC_NDRHEADERBLOB(tree, tvb, offset, &drep[0], actx);
+
+
+ /* the S4U_DELEGATION_INFO blob. See [MS-PAC] */
+ /* fake whatever state the dcerpc runtime support needs */
+ di.conformant_run=0;
+ /* we need di->call_data->flags.NDR64 == 0 */
+ di.call_data=&call_data;
+ init_ndr_pointer_list(&di);
+ offset = dissect_ndr_pointer(tvb, offset, actx->pinfo, tree, &di, drep,
+ netlogon_dissect_PAC_S4U_DELEGATION_INFO, NDR_POINTER_UNIQUE,
+ "PAC_S4U_DELEGATION_INFO:", -1);
+
+ return offset;
+}
+
+static int
+dissect_krb5_PAC_UPN_DNS_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+ proto_item *item;
+ proto_tree *tree;
+ guint16 dns_offset, dns_len;
+ guint16 upn_offset, upn_len;
+ const char *dn;
+ int dn_len;
+ guint16 bc;
+
+ item = proto_tree_add_item(parent_tree, hf_krb_pac_upn_dns_info, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_krb_pac_upn_dns_info);
+
+ /* upn */
+ upn_len = tvb_get_letohs(tvb, offset);
+ proto_tree_add_item(tree, hf_krb_pac_upn_upn_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+ offset+=2;
+ upn_offset = tvb_get_letohs(tvb, offset);
+ proto_tree_add_item(tree, hf_krb_pac_upn_upn_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+ offset+=2;
+
+ /* dns */
+ dns_len = tvb_get_letohs(tvb, offset);
+ proto_tree_add_item(tree, hf_krb_pac_upn_dns_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+ offset+=2;
+ dns_offset = tvb_get_letohs(tvb, offset);
+ proto_tree_add_item(tree, hf_krb_pac_upn_dns_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+ offset+=2;
+
+ /* flags */
+ proto_tree_add_item(tree, hf_krb_pac_upn_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+
+ /* upn */
+ offset = upn_offset;
+ dn_len = upn_len;
+ bc = tvb_reported_length_remaining(tvb, offset);
+ dn = get_unicode_or_ascii_string(tvb, &offset, TRUE, &dn_len, TRUE, TRUE, &bc);
+ proto_tree_add_string(tree, hf_krb_pac_upn_upn_name, tvb, upn_offset, upn_len, dn);
+
+ /* dns */
+ offset = dns_offset;
+ dn_len = dns_len;
+ bc = tvb_reported_length_remaining(tvb, offset);
+ dn = get_unicode_or_ascii_string(tvb, &offset, TRUE, &dn_len, TRUE, TRUE, &bc);
+ proto_tree_add_string(tree, hf_krb_pac_upn_dns_name, tvb, dns_offset, dns_len, dn);
+
+ return offset;
+}
+
+static int
+dissect_krb5_PAC_CREDENTIAL_TYPE(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+ proto_tree_add_item(parent_tree, hf_krb_pac_credential_type, tvb, offset, -1, ENC_NA);
+
+ return offset;
+}
+
+static int
+dissect_krb5_PAC_SERVER_CHECKSUM(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+ proto_item *item;
+ proto_tree *tree;
+
+ item = proto_tree_add_item(parent_tree, hf_krb_pac_server_checksum, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_krb_pac_server_checksum);
+
+ /* signature type */
+ proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ offset+=4;
+
+ /* signature data */
+ proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, -1, ENC_NA);
+
+ return offset;
+}
+
+static int
+dissect_krb5_PAC_PRIVSVR_CHECKSUM(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+ proto_item *item;
+ proto_tree *tree;
+
+ item = proto_tree_add_item(parent_tree, hf_krb_pac_privsvr_checksum, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_krb_pac_privsvr_checksum);
+
+ /* signature type */
+ proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ offset+=4;
+
+ /* signature data */
+ proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, -1, ENC_NA);
+
+ return offset;
+}
+
+static int
+dissect_krb5_PAC_CLIENT_INFO_TYPE(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+ proto_item *item;
+ proto_tree *tree;
+ guint16 namelen;
+
+ item = proto_tree_add_item(parent_tree, hf_krb_pac_client_info_type, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_krb_pac_client_info_type);
+
+ /* clientid */
+ offset = dissect_nt_64bit_time(tvb, tree, offset, hf_krb_pac_clientid);
+
+ /* name length */
+ namelen=tvb_get_letohs(tvb, offset);
+ proto_tree_add_uint(tree, hf_krb_pac_namelen, tvb, offset, 2, namelen);
+ offset+=2;
+
+ /* client name */
+ proto_tree_add_item(tree, hf_krb_pac_clientname, tvb, offset, namelen, ENC_UTF_16|ENC_LITTLE_ENDIAN);
+ offset+=namelen;
+
+ return offset;
+}
+
+static int
+dissect_krb5_AD_WIN2K_PAC_struct(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
+{
+ guint32 pac_type;
+ guint32 pac_size;
+ guint32 pac_offset;
+ proto_item *it=NULL;
+ proto_tree *tr=NULL;
+ tvbuff_t *next_tvb;
+
+ /* type of pac data */
+ pac_type=tvb_get_letohl(tvb, offset);
+ it=proto_tree_add_uint(tree, hf_krb_w2k_pac_type, tvb, offset, 4, pac_type);
+ tr=proto_item_add_subtree(it, ett_krb_pac);
+
+ offset += 4;
+
+ /* size of pac data */
+ pac_size=tvb_get_letohl(tvb, offset);
+ proto_tree_add_uint(tr, hf_krb_w2k_pac_size, tvb, offset, 4, pac_size);
+ offset += 4;
+
+ /* offset to pac data */
+ pac_offset=tvb_get_letohl(tvb, offset);
+ proto_tree_add_uint(tr, hf_krb_w2k_pac_offset, tvb, offset, 4, pac_offset);
+ offset += 8;
+
+ next_tvb=tvb_new_subset(tvb, pac_offset, pac_size, pac_size);
+ switch(pac_type){
+ case PAC_LOGON_INFO:
+ dissect_krb5_PAC_LOGON_INFO(tr, next_tvb, 0, actx);
+ break;
+ case PAC_CREDENTIAL_TYPE:
+ dissect_krb5_PAC_CREDENTIAL_TYPE(tr, next_tvb, 0, actx);
+ break;
+ case PAC_SERVER_CHECKSUM:
+ dissect_krb5_PAC_SERVER_CHECKSUM(tr, next_tvb, 0, actx);
+ break;
+ case PAC_PRIVSVR_CHECKSUM:
+ dissect_krb5_PAC_PRIVSVR_CHECKSUM(tr, next_tvb, 0, actx);
+ break;
+ case PAC_CLIENT_INFO_TYPE:
+ dissect_krb5_PAC_CLIENT_INFO_TYPE(tr, next_tvb, 0, actx);
+ break;
+ case PAC_S4U_DELEGATION_INFO:
+ dissect_krb5_PAC_S4U_DELEGATION_INFO(tr, next_tvb, 0, actx);
+ break;
+ case PAC_UPN_DNS_INFO:
+ dissect_krb5_PAC_UPN_DNS_INFO(tr, next_tvb, 0, actx);
+ break;
+
+ default:
+ break;
+ }
+ return offset;
+}
+
+static int
+dissect_krb5_AD_WIN2K_PAC(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_)
+{
+ guint32 entries;
+ guint32 version;
+ guint32 i;
+
+ /* first in the PAC structure comes the number of entries */
+ entries=tvb_get_letohl(tvb, offset);
+ proto_tree_add_uint(tree, hf_krb_w2k_pac_entries, tvb, offset, 4, entries);
+ offset += 4;
+
+ /* second comes the version */
+ version=tvb_get_letohl(tvb, offset);
+ proto_tree_add_uint(tree, hf_krb_w2k_pac_version, tvb, offset, 4, version);
+ offset += 4;
+
+ for(i=0;i<entries;i++){
+ offset=dissect_krb5_AD_WIN2K_PAC_struct(tree, tvb, offset, actx);
+ }
+
+ return offset;
+}
+
+#include "packet-kerberos-fn.c"
+
+/* Make wrappers around exported functions for now */
+int
+dissect_krb5_Checksum(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+ return dissect_kerberos_Checksum(FALSE, tvb, offset, actx, tree, hf_kerberos_cksum);
+
+}
+
+int
+dissect_krb5_ctime(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+ return dissect_kerberos_KerberosTime(FALSE, tvb, offset, actx, tree, hf_kerberos_ctime);
+}
+
+
+int
+dissect_krb5_cname(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+ return dissect_kerberos_PrincipalName(FALSE, tvb, offset, actx, tree, hf_kerberos_cname);
+}
+int
+dissect_krb5_realm(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+ return dissect_kerberos_Realm(FALSE, tvb, offset, actx, tree, hf_kerberos_realm);
+}
+
+
+static gint
+dissect_kerberos_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
+ gboolean dci, gboolean do_col_protocol, gboolean have_rm,
+ kerberos_callbacks *cb)
+{
+ volatile int offset = 0;
+ proto_tree *volatile kerberos_tree = NULL;
+ proto_item *volatile item = NULL;
+ asn1_ctx_t asn1_ctx;
+
+ /* TCP record mark and length */
+ guint32 krb_rm = 0;
+ gint krb_reclen = 0;
+
+ gbl_do_col_info=dci;
+
+ if (have_rm) {
+ krb_rm = tvb_get_ntohl(tvb, offset);
+ krb_reclen = kerberos_rm_to_reclen(krb_rm);
+ /*
+ * What is a reasonable size limit?
+ */
+ if (krb_reclen > 10 * 1024 * 1024) {
+ return (-1);
+ }
+
+ if (do_col_protocol) {
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
+ }
+
+ if (tree) {
+ item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, ENC_NA);
+ kerberos_tree = proto_item_add_subtree(item, ett_kerberos);
+ }
+
+ show_krb_recordmark(kerberos_tree, tvb, offset, krb_rm);
+ offset += 4;
+ } else {
+ /* Do some sanity checking here,
+ * All krb5 packets start with a TAG class that is BER_CLASS_APP
+ * and a tag value that is either of the values below:
+ * If it doesn't look like kerberos, return 0 and let someone else have
+ * a go at it.
+ */
+ gint8 tmp_class;
+ gboolean tmp_pc;
+ gint32 tmp_tag;
+
+ get_ber_identifier(tvb, offset, &tmp_class, &tmp_pc, &tmp_tag);
+ if(tmp_class!=BER_CLASS_APP){
+ return 0;
+ }
+ switch(tmp_tag){
+ case KRB5_MSG_TICKET:
+ case KRB5_MSG_AUTHENTICATOR:
+ case KRB5_MSG_ENC_TICKET_PART:
+ case KRB5_MSG_AS_REQ:
+ case KRB5_MSG_AS_REP:
+ case KRB5_MSG_TGS_REQ:
+ case KRB5_MSG_TGS_REP:
+ case KRB5_MSG_AP_REQ:
+ case KRB5_MSG_AP_REP:
+ case KRB5_MSG_ENC_AS_REP_PART:
+ case KRB5_MSG_ENC_TGS_REP_PART:
+ case KRB5_MSG_ENC_AP_REP_PART:
+ case KRB5_MSG_ENC_KRB_PRIV_PART:
+ case KRB5_MSG_ENC_KRB_CRED_PART:
+ case KRB5_MSG_SAFE:
+ case KRB5_MSG_PRIV:
+ case KRB5_MSG_ERROR:
+ break;
+ default:
+ return 0;
+ }
+ if (do_col_protocol) {
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
+ }
+ if (gbl_do_col_info) {
+ col_clear(pinfo->cinfo, COL_INFO);
+ }
+ if (tree) {
+ item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, ENC_NA);
+ kerberos_tree = proto_item_add_subtree(item, ett_kerberos);
+ }
+ }
+ asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+ asn1_ctx.private_data = cb;
+
+ TRY {
+ offset=dissect_kerberos_Applications(FALSE, tvb, offset, &asn1_ctx , kerberos_tree, /* hf_index */ -1);
+ } CATCH_BOUNDS_ERRORS {
+ RETHROW;
+ } ENDTRY;
+
+ proto_item_set_len(item, offset);
+ return offset;
+}
+
+/*
+ * Display the TCP record mark.
+ */
+void
+show_krb_recordmark(proto_tree *tree, tvbuff_t *tvb, gint start, guint32 krb_rm)
+{
+ gint rec_len;
+ proto_tree *rm_tree;
+
+ if (tree == NULL)
+ return;
+
+ rec_len = kerberos_rm_to_reclen(krb_rm);
+ rm_tree = proto_tree_add_subtree_format(tree, tvb, start, 4, ett_krb_recordmark, NULL,
+ "Record Mark: %u %s", rec_len, plurality(rec_len, "byte", "bytes"));
+ proto_tree_add_boolean(rm_tree, hf_krb_rm_reserved, tvb, start, 4, krb_rm);
+ proto_tree_add_uint(rm_tree, hf_krb_rm_reclen, tvb, start, 4, krb_rm);
+}
+
+gint
+dissect_kerberos_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int do_col_info, kerberos_callbacks *cb)
+{
+ return (dissect_kerberos_common(tvb, pinfo, tree, do_col_info, FALSE, FALSE, cb));
+}
+
+guint32
+kerberos_output_keytype(void)
+{
+ return gbl_keytype;
+}
+
+static gint
+dissect_kerberos_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
+{
+ /* Some weird kerberos implementation apparently do krb4 on the krb5 port.
+ Since all (except weirdo transarc krb4 stuff) use
+ an opcode <=16 in the first byte, use this to see if it might
+ be krb4.
+ All krb5 commands start with an APPL tag and thus is >=0x60
+ so if first byte is <=16 just blindly assume it is krb4 then
+ */
+ if(tvb_captured_length(tvb) >= 1 && tvb_get_guint8(tvb, 0)<=0x10){
+ if(krb4_handle){
+ gboolean res;
+
+ res=call_dissector_only(krb4_handle, tvb, pinfo, tree, NULL);
+ return res;
+ }else{
+ return 0;
+ }
+ }
+
+
+ return dissect_kerberos_common(tvb, pinfo, tree, TRUE, TRUE, FALSE, NULL);
+}
+
+gint
+kerberos_rm_to_reclen(guint krb_rm)
+{
+ return (krb_rm & KRB_RM_RECLEN);
+}
+
+guint
+get_krb_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data _U_)
+{
+ guint krb_rm;
+ gint pdulen;
+
+ krb_rm = tvb_get_ntohl(tvb, offset);
+ pdulen = kerberos_rm_to_reclen(krb_rm);
+ return (pdulen + 4);
+}
+static void
+kerberos_prefs_apply_cb(void) {
+#ifdef HAVE_LIBNETTLE
+ clear_keytab();
+ read_keytab_file(keytab_filename);
+#endif
+}
+
+static int
+dissect_kerberos_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
+{
+ pinfo->fragmented = TRUE;
+ if (dissect_kerberos_common(tvb, pinfo, tree, TRUE, TRUE, TRUE, NULL) < 0) {
+ /*
+ * The dissector failed to recognize this as a valid
+ * Kerberos message. Mark it as a continuation packet.
+ */
+ col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
+ }
+
+ return tvb_captured_length(tvb);
+}
+
+static int
+dissect_kerberos_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
+{
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
+ col_clear(pinfo->cinfo, COL_INFO);
+
+ tcp_dissect_pdus(tvb, pinfo, tree, krb_desegment, 4, get_krb_pdu_len,
+ dissect_kerberos_tcp_pdu, data);
+ return tvb_captured_length(tvb);
+}
+
+/*--- proto_register_kerberos -------------------------------------------*/
+void proto_register_kerberos(void) {
+
+ /* List of fields */
+
+ static hf_register_info hf[] = {
+ { &hf_krb_rm_reserved, {
+ "Reserved", "kerberos.rm.reserved", FT_BOOLEAN, 32,
+ TFS(&tfs_set_notset), KRB_RM_RESERVED, "Record mark reserved bit", HFILL }},
+ { &hf_krb_rm_reclen, {
+ "Record Length", "kerberos.rm.length", FT_UINT32, BASE_DEC,
+ NULL, KRB_RM_RECLEN, NULL, HFILL }},
+ { &hf_krb_provsrv_location, {
+ "PROVSRV Location", "kerberos.provsrv_location", FT_STRING, BASE_NONE,
+ NULL, 0, "PacketCable PROV SRV Location", HFILL }},
+ { &hf_krb_smb_nt_status,
+ { "NT Status", "kerberos.smb.nt_status", FT_UINT32, BASE_HEX,
+ VALS(NT_errors), 0, "NT Status code", HFILL }},
+ { &hf_krb_smb_unknown,
+ { "Unknown", "kerberos.smb.unknown", FT_UINT32, BASE_HEX,
+ NULL, 0, NULL, HFILL }},
+ { &hf_krb_address_ip, {
+ "IP Address", "kerberos.addr_ip", FT_IPv4, BASE_NONE,
+ NULL, 0, NULL, HFILL }},
+ { &hf_krb_address_ipv6, {
+ "IPv6 Address", "kerberos.addr_ipv6", FT_IPv6, BASE_NONE,
+ NULL, 0, NULL, HFILL }},
+ { &hf_krb_address_netbios, {
+ "NetBIOS Address", "kerberos.addr_nb", FT_STRING, BASE_NONE,
+ NULL, 0, "NetBIOS Address and type", HFILL }},
+ { &hf_krb_gssapi_len, {
+ "Length", "kerberos.gssapi.len", FT_UINT32, BASE_DEC,
+ NULL, 0, "Length of GSSAPI Bnd field", HFILL }},
+ { &hf_krb_gssapi_bnd, {
+ "Bnd", "kerberos.gssapi.bdn", FT_BYTES, BASE_NONE,
+ NULL, 0, "GSSAPI Bnd field", HFILL }},
+ { &hf_krb_gssapi_c_flag_deleg, {
+ "Deleg", "kerberos.gssapi.checksum.flags.deleg", FT_BOOLEAN, 32,
+ TFS(&tfs_gss_flags_deleg), KRB5_GSS_C_DELEG_FLAG, NULL, HFILL }},
+ { &hf_krb_gssapi_c_flag_mutual, {
+ "Mutual", "kerberos.gssapi.checksum.flags.mutual", FT_BOOLEAN, 32,
+ TFS(&tfs_gss_flags_mutual), KRB5_GSS_C_MUTUAL_FLAG, NULL, HFILL }},
+ { &hf_krb_gssapi_c_flag_replay, {
+ "Replay", "kerberos.gssapi.checksum.flags.replay", FT_BOOLEAN, 32,
+ TFS(&tfs_gss_flags_replay), KRB5_GSS_C_REPLAY_FLAG, NULL, HFILL }},
+ { &hf_krb_gssapi_c_flag_sequence, {
+ "Sequence", "kerberos.gssapi.checksum.flags.sequence", FT_BOOLEAN, 32,
+ TFS(&tfs_gss_flags_sequence), KRB5_GSS_C_SEQUENCE_FLAG, NULL, HFILL }},
+ { &hf_krb_gssapi_c_flag_conf, {
+ "Conf", "kerberos.gssapi.checksum.flags.conf", FT_BOOLEAN, 32,
+ TFS(&tfs_gss_flags_conf), KRB5_GSS_C_CONF_FLAG, NULL, HFILL }},
+ { &hf_krb_gssapi_c_flag_integ, {
+ "Integ", "kerberos.gssapi.checksum.flags.integ", FT_BOOLEAN, 32,
+ TFS(&tfs_gss_flags_integ), KRB5_GSS_C_INTEG_FLAG, NULL, HFILL }},
+ { &hf_krb_gssapi_c_flag_dce_style, {
+ "DCE-style", "kerberos.gssapi.checksum.flags.dce-style", FT_BOOLEAN, 32,
+ TFS(&tfs_gss_flags_dce_style), KRB5_GSS_C_DCE_STYLE, NULL, HFILL }},
+ { &hf_krb_gssapi_dlgopt, {
+ "DlgOpt", "kerberos.gssapi.dlgopt", FT_UINT16, BASE_DEC,
+ NULL, 0, "GSSAPI DlgOpt", HFILL }},
+ { &hf_krb_gssapi_dlglen, {
+ "DlgLen", "kerberos.gssapi.dlglen", FT_UINT16, BASE_DEC,
+ NULL, 0, "GSSAPI DlgLen", HFILL }},
+ { &hf_krb_midl_blob_len, {
+ "Blob Length", "kerberos.midl_blob_len", FT_UINT64, BASE_DEC,
+ NULL, 0, "Length of NDR encoded data that follows", HFILL }},
+ { &hf_krb_midl_fill_bytes, {
+ "Fill bytes", "kerberos.midl.fill_bytes", FT_UINT32, BASE_HEX,
+ NULL, 0, "Just some fill bytes", HFILL }},
+ { &hf_krb_midl_version, {
+ "Version", "kerberos.midl.version", FT_UINT8, BASE_DEC,
+ NULL, 0, "Version of pickling", HFILL }},
+ { &hf_krb_midl_hdr_len, {
+ "HDR Length", "kerberos.midl.hdr_len", FT_UINT16, BASE_DEC,
+ NULL, 0, "Length of header", HFILL }},
+ { &hf_krb_pac_signature_type, {
+ "Type", "kerberos.pac.signature.type", FT_INT32, BASE_DEC,
+ NULL, 0, "PAC Signature Type", HFILL }},
+ { &hf_krb_pac_signature_signature, {
+ "Signature", "kerberos.pac.signature.signature", FT_BYTES, BASE_NONE,
+ NULL, 0, "A PAC signature blob", HFILL }},
+ { &hf_krb_w2k_pac_entries, {
+ "Num Entries", "kerberos.pac.entries", FT_UINT32, BASE_DEC,
+ NULL, 0, "Number of W2k PAC entries", HFILL }},
+ { &hf_krb_w2k_pac_version, {
+ "Version", "kerberos.pac.version", FT_UINT32, BASE_DEC,
+ NULL, 0, "Version of PAC structures", HFILL }},
+ { &hf_krb_w2k_pac_type, {
+ "Type", "kerberos.pac.type", FT_UINT32, BASE_DEC,
+ VALS(w2k_pac_types), 0, "Type of W2k PAC entry", HFILL }},
+ { &hf_krb_w2k_pac_size, {
+ "Size", "kerberos.pac.size", FT_UINT32, BASE_DEC,
+ NULL, 0, "Size of W2k PAC entry", HFILL }},
+ { &hf_krb_w2k_pac_offset, {
+ "Offset", "kerberos.pac.offset", FT_UINT32, BASE_DEC,
+ NULL, 0, "Offset to W2k PAC entry", HFILL }},
+ { &hf_krb_pac_clientid, {
+ "ClientID", "kerberos.pac.clientid", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
+ NULL, 0, "ClientID Timestamp", HFILL }},
+ { &hf_krb_pac_namelen, {
+ "Name Length", "kerberos.pac.namelen", FT_UINT16, BASE_DEC,
+ NULL, 0, "Length of client name", HFILL }},
+ { &hf_krb_pac_clientname, {
+ "Name", "kerberos.pac.name", FT_STRING, BASE_NONE,
+ NULL, 0, "Name of the Client in the PAC structure", HFILL }},
+ { &hf_krb_pac_logon_info, {
+ "PAC_LOGON_INFO", "kerberos.pac_logon_info", FT_BYTES, BASE_NONE,
+ NULL, 0, "PAC_LOGON_INFO structure", HFILL }},
+ { &hf_krb_pac_credential_type, {
+ "PAC_CREDENTIAL_TYPE", "kerberos.pac_credential_type", FT_BYTES, BASE_NONE,
+ NULL, 0, "PAC_CREDENTIAL_TYPE structure", HFILL }},
+ { &hf_krb_pac_server_checksum, {
+ "PAC_SERVER_CHECKSUM", "kerberos.pac_server_checksum", FT_BYTES, BASE_NONE,
+ NULL, 0, "PAC_SERVER_CHECKSUM structure", HFILL }},
+ { &hf_krb_pac_privsvr_checksum, {
+ "PAC_PRIVSVR_CHECKSUM", "kerberos.pac_privsvr_checksum", FT_BYTES, BASE_NONE,
+ NULL, 0, "PAC_PRIVSVR_CHECKSUM structure", HFILL }},
+ { &hf_krb_pac_client_info_type, {
+ "PAC_CLIENT_INFO_TYPE", "kerberos.pac_client_info_type", FT_BYTES, BASE_NONE,
+ NULL, 0, "PAC_CLIENT_INFO_TYPE structure", HFILL }},
+ { &hf_krb_pac_s4u_delegation_info, {
+ "PAC_S4U_DELEGATION_INFO", "kerberos.pac_s4u_delegation_info", FT_BYTES, BASE_NONE,
+ NULL, 0, "PAC_S4U_DELEGATION_INFO structure", HFILL }},
+ { &hf_krb_pac_upn_dns_info, {
+ "UPN_DNS_INFO", "kerberos.pac_upn_dns_info", FT_BYTES, BASE_NONE,
+ NULL, 0, "UPN_DNS_INFO structure", HFILL }},
+ { &hf_krb_pac_upn_flags, {
+ "Flags", "kerberos.pac.upn.flags", FT_UINT32, BASE_HEX,
+ NULL, 0, "UPN flags", HFILL }},
+ { &hf_krb_pac_upn_dns_offset, {
+ "DNS Offset", "kerberos.pac.upn.dns_offset", FT_UINT16, BASE_DEC,
+ NULL, 0, NULL, HFILL }},
+ { &hf_krb_pac_upn_dns_len, {
+ "DNS Len", "kerberos.pac.upn.dns_len", FT_UINT16, BASE_DEC,
+ NULL, 0, NULL, HFILL }},
+ { &hf_krb_pac_upn_upn_offset, {
+ "UPN Offset", "kerberos.pac.upn.upn_offset", FT_UINT16, BASE_DEC,
+ NULL, 0, NULL, HFILL }},
+ { &hf_krb_pac_upn_upn_len, {
+ "UPN Len", "kerberos.pac.upn.upn_len", FT_UINT16, BASE_DEC,
+ NULL, 0, NULL, HFILL }},
+ { &hf_krb_pac_upn_upn_name, {
+ "UPN Name", "kerberos.pac.upn.upn_name", FT_STRING, BASE_NONE,
+ NULL, 0, NULL, HFILL }},
+ { &hf_krb_pac_upn_dns_name, {
+ "DNS Name", "kerberos.pac.upn.dns_name", FT_STRING, BASE_NONE,
+ NULL, 0, NULL, HFILL }},
+
+#include "packet-kerberos-hfarr.c"
+ };
+
+ /* List of subtrees */
+ static gint *ett[] = {
+ &ett_kerberos,
+ &ett_krb_recordmark,
+ &ett_krb_pac,
+ &ett_krb_pac_drep,
+ &ett_krb_pac_midl_blob,
+ &ett_krb_pac_logon_info,
+ &ett_krb_pac_s4u_delegation_info,
+ &ett_krb_pac_upn_dns_info,
+ &ett_krb_pac_server_checksum,
+ &ett_krb_pac_privsvr_checksum,
+ &ett_krb_pac_client_info_type,
+#include "packet-kerberos-ettarr.c"
+ };
+
+ static ei_register_info ei[] = {
+ { &ei_kerberos_decrypted_keytype, { "kerberos.decrypted_keytype", PI_SECURITY, PI_CHAT, "Decryted keytype", EXPFILL }},
+ { &ei_kerberos_address, { "kerberos.address.unknown", PI_UNDECODED, PI_WARN, "KRB Address: I don't know how to parse this type of address yet", EXPFILL }},
+ { &ei_krb_gssapi_dlglen, { "kerberos.gssapi.dlglen.error", PI_MALFORMED, PI_ERROR, "DlgLen is not the same as number of bytes remaining", EXPFILL }},
+ };
+
+ expert_module_t* expert_krb;
+ module_t *krb_module;
+
+ proto_kerberos = proto_register_protocol("Kerberos", "KRB5", "kerberos");
+ proto_register_field_array(proto_kerberos, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+ expert_krb = expert_register_protocol(proto_kerberos);
+ expert_register_field_array(expert_krb, ei, array_length(ei));
+
+ /* Register preferences */
+ krb_module = prefs_register_protocol(proto_kerberos, kerberos_prefs_apply_cb);
+ prefs_register_bool_preference(krb_module, "desegment",
+ "Reassemble Kerberos over TCP messages spanning multiple TCP segments",
+ "Whether the Kerberos dissector should reassemble messages spanning multiple TCP segments."
+ " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
+ &krb_desegment);
+#ifdef HAVE_KERBEROS
+ prefs_register_bool_preference(krb_module, "decrypt",
+ "Try to decrypt Kerberos blobs",
+ "Whether the dissector should try to decrypt "
+ "encrypted Kerberos blobs. This requires that the proper "
+ "keytab file is installed as well.", &krb_decrypt);
+
+ prefs_register_filename_preference(krb_module, "file",
+ "Kerberos keytab file",
+ "The keytab file containing all the secrets",
+ &keytab_filename);
+#endif
+
+}
+static int wrap_dissect_gss_kerb(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, dcerpc_info *di _U_,guint8 *drep _U_)
+{
+ tvbuff_t *auth_tvb;
+
+ auth_tvb = tvb_new_subset_remaining(tvb, offset);
+
+ dissect_kerberos_main(auth_tvb, pinfo, tree, FALSE, NULL);
+
+ return tvb_captured_length_remaining(tvb, offset);
+}
+
+
+static dcerpc_auth_subdissector_fns gss_kerb_auth_connect_fns = {
+ wrap_dissect_gss_kerb, /* Bind */
+ wrap_dissect_gss_kerb, /* Bind ACK */
+ wrap_dissect_gss_kerb, /* AUTH3 */
+ NULL, /* Request verifier */
+ NULL, /* Response verifier */
+ NULL, /* Request data */
+ NULL /* Response data */
+};
+
+static dcerpc_auth_subdissector_fns gss_kerb_auth_sign_fns = {
+ wrap_dissect_gss_kerb, /* Bind */
+ wrap_dissect_gss_kerb, /* Bind ACK */
+ wrap_dissect_gss_kerb, /* AUTH3 */
+ wrap_dissect_gssapi_verf, /* Request verifier */
+ wrap_dissect_gssapi_verf, /* Response verifier */
+ NULL, /* Request data */
+ NULL /* Response data */
+};
+
+static dcerpc_auth_subdissector_fns gss_kerb_auth_seal_fns = {
+ wrap_dissect_gss_kerb, /* Bind */
+ wrap_dissect_gss_kerb, /* Bind ACK */
+ wrap_dissect_gss_kerb, /* AUTH3 */
+ wrap_dissect_gssapi_verf, /* Request verifier */
+ wrap_dissect_gssapi_verf, /* Response verifier */
+ wrap_dissect_gssapi_payload, /* Request data */
+ wrap_dissect_gssapi_payload /* Response data */
+};
+
+
+
+void
+proto_reg_handoff_kerberos(void)
+{
+ dissector_handle_t kerberos_handle_tcp;
+
+ krb4_handle = find_dissector("krb4");
+
+ kerberos_handle_udp = create_dissector_handle(dissect_kerberos_udp,
+ proto_kerberos);
+
+ kerberos_handle_tcp = create_dissector_handle(dissect_kerberos_tcp,
+ proto_kerberos);
+
+ dissector_add_uint("udp.port", UDP_PORT_KERBEROS, kerberos_handle_udp);
+ dissector_add_uint("tcp.port", TCP_PORT_KERBEROS, kerberos_handle_tcp);
+
+ register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_CONNECT,
+ DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
+ &gss_kerb_auth_connect_fns);
+
+ register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
+ DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
+ &gss_kerb_auth_sign_fns);
+
+ register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
+ DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
+ &gss_kerb_auth_seal_fns);
+}
+
+/*
+ * Editor modelines - http://www.wireshark.org/tools/modelines.html
+ *
+ * Local variables:
+ * c-basic-offset: 8
+ * tab-width: 8
+ * indent-tabs-mode: t
+ * End:
+ *
+ * vi: set shiftwidth=8 tabstop=8 noexpandtab:
+ * :indentSize=8:tabSize=8:noTabs=false:
+ */
diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.h b/epan/dissectors/asn1/kerberos/packet-kerberos-template.h
new file mode 100644
index 0000000000..4ed6a6e8cc
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.h
@@ -0,0 +1,145 @@
+/* packet-kerberos.h
+ * Routines for kerberos packet dissection
+ * Copyright 2007, Anders Broman <anders.broman@ericsson.com>
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef __PACKET_KERBEROS_H
+#define __PACKET_KERBEROS_H
+
+#include "ws_symbol_export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+/* This is a list of callback functions a caller can use to specify that
+ octet strings in kerberos to be passed back to application specific
+ dissectors, outside of kerberos.
+ This is used for dissection of application specific data for PacketCable
+ KRB_SAFE user data and eventually to pass kerberos session keys
+ to future DCERPC decryption and other uses.
+ The list is terminated by {0, NULL }
+*/
+#define KRB_CBTAG_SAFE_USER_DATA 1
+#define KRB_CBTAG_PRIV_USER_DATA 2
+typedef struct _kerberos_callbacks {
+ int tag;
+ int (*callback)(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree);
+} kerberos_callbacks;
+
+/* Function prototypes */
+
+gint
+dissect_kerberos_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean do_col_info, kerberos_callbacks *cb);
+
+int
+dissect_krb5_Checksum(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
+
+int
+dissect_krb5_ctime(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
+
+int dissect_krb5_cname(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
+int dissect_krb5_realm(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
+guint32 kerberos_output_keytype(void);
+
+guint get_krb_pdu_len(packet_info *, tvbuff_t *tvb, int offset, void *data _U_);
+
+gint kerberos_rm_to_reclen(guint krb_rm);
+
+void
+show_krb_recordmark(proto_tree *tree, tvbuff_t *tvb, gint start, guint32 krb_rm);
+
+#ifdef HAVE_KERBEROS
+#define KRB_MAX_ORIG_LEN 256
+
+#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
+typedef struct _enc_key_t {
+ struct _enc_key_t *next;
+ int keytype;
+ int keylength;
+ char *keyvalue;
+ char key_origin[KRB_MAX_ORIG_LEN+1];
+ int fd_num; /* remember where we learned a key */
+} enc_key_t;
+extern enc_key_t *enc_key_list;
+
+guint8 *
+decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
+ int usage,
+ tvbuff_t *crypototvb,
+ int keytype,
+ int *datalen);
+
+#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
+
+extern gboolean krb_decrypt;
+
+WS_DLL_PUBLIC
+void read_keytab_file(const char *);
+
+WS_DLL_PUBLIC
+void read_keytab_file_from_preferences(void);
+
+#endif /* HAVE_KERBEROS */
+
+/* encryption type constants */
+#define KRB5_ENCTYPE_NULL 0
+#define KRB5_ENCTYPE_DES_CBC_CRC 1
+#define KRB5_ENCTYPE_DES_CBC_MD4 2
+#define KRB5_ENCTYPE_DES_CBC_MD5 3
+#define KRB5_ENCTYPE_DES_CBC_RAW 4
+#define KRB5_ENCTYPE_DES3_CBC_SHA 5
+#define KRB5_ENCTYPE_DES3_CBC_RAW 6
+#define KRB5_ENCTYPE_DES_HMAC_SHA1 8
+#define KRB5_ENCTYPE_DSA_SHA1_CMS 9
+#define KRB5_ENCTYPE_RSA_MD5_CMS 10
+#define KRB5_ENCTYPE_RSA_SHA1_CMS 11
+#define KRB5_ENCTYPE_RC2_CBC_ENV 12
+#define KRB5_ENCTYPE_RSA_ENV 13
+#define KRB5_ENCTYPE_RSA_ES_OEAP_ENV 14
+#define KRB5_ENCTYPE_DES_EDE3_CBC_ENV 15
+#define KRB5_ENCTYPE_DES3_CBC_SHA1 16
+#define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 17
+#define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 18
+#define KRB5_ENCTYPE_DES_CBC_MD5_NT 20
+#define KERB_ENCTYPE_RC4_HMAC 23
+#define KERB_ENCTYPE_RC4_HMAC_EXP 24
+#define KRB5_ENCTYPE_UNKNOWN 0x1ff
+#define KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 0x7007
+#define KRB5_ENCTYPE_RC4_PLAIN_EXP 0xffffff73
+#define KRB5_ENCTYPE_RC4_PLAIN 0xffffff74
+#define KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP 0xffffff78
+#define KRB5_ENCTYPE_RC4_HMAC_OLD_EXP 0xffffff79
+#define KRB5_ENCTYPE_RC4_PLAIN_OLD 0xffffff7a
+#define KRB5_ENCTYPE_RC4_HMAC_OLD 0xffffff7b
+#define KRB5_ENCTYPE_DES_PLAIN 0xffffff7c
+#define KRB5_ENCTYPE_RC4_SHA 0xffffff7d
+#define KRB5_ENCTYPE_RC4_LM 0xffffff7e
+#define KRB5_ENCTYPE_RC4_PLAIN2 0xffffff7f
+#define KRB5_ENCTYPE_RC4_MD4 0xffffff80
+
+#include "packet-kerberos-exp.h"
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __PACKET_KERBEROS_H */
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-13 19:50:07 +0000