packet-{kerberos,pkinit}: Add support for Windows based PKINIT

Change-Id: I472884ed84f7d630aede5a2bb65e87c5ad1e76a4
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/36456
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

6 files changed, 69 insertions, 9 deletions

diff --git a/epan/dissectors/asn1/kerberos/kerberos.cnf b/epan/dissectors/asn1/kerberos/kerberos.cnf
index 180345b96a..53d3f0fad5 100644
--- a/epan/dissectors/asn1/kerberos/kerberos.cnf
+++ b/epan/dissectors/asn1/kerberos/kerberos.cnf
@@ -155,6 +155,14 @@ PADATA-TYPE PROT_PREFIX UPPER_CASE
 	case KERBEROS_PA_TGS_REQ:
 		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications);
 		break;
+	case KERBEROS_PA_PK_AS_REP_19:
+		private_data->is_win2k_pkinit = TRUE;
+		if (kerberos_private_is_kdc_req(private_data)) {
+			offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PA_PK_AS_REQ_Win2k);
+		} else {
+			offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PA_PK_AS_REP_Win2k);
+		}
+		break;
 	case KERBEROS_PA_PK_AS_REQ:
 		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsReq);
 		break;
diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
index d008a35114..2af4c158e0 100644
--- a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
+++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
@@ -87,6 +87,7 @@ typedef struct kerberos_key {
 
 typedef struct {
 	guint32 msg_type;
+	gboolean is_win2k_pkinit;
 	guint32 errorcode;
 	gboolean try_nt_status;
 	guint32 etype;
@@ -225,6 +226,26 @@ kerberos_get_private_data(asn1_ctx_t *actx)
 	return (kerberos_private_data_t *)(actx->private_data);
 }
 
+static gboolean
+kerberos_private_is_kdc_req(kerberos_private_data_t *private_data)
+{
+	switch (private_data->msg_type) {
+	case KERBEROS_APPLICATIONS_AS_REQ:
+	case KERBEROS_APPLICATIONS_TGS_REQ:
+		return TRUE;
+	}
+
+	return FALSE;
+}
+
+gboolean
+kerberos_is_win2k_pkinit(asn1_ctx_t *actx)
+{
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+	return private_data->is_win2k_pkinit;
+}
+
 #ifdef HAVE_KERBEROS
 
 /* Decrypt Kerberos blobs */
diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.h b/epan/dissectors/asn1/kerberos/packet-kerberos-template.h
index 88800185a6..f2187a8e43 100644
--- a/epan/dissectors/asn1/kerberos/packet-kerberos-template.h
+++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.h
@@ -35,6 +35,9 @@ typedef struct _kerberos_callbacks {
 
 /* Function prototypes */
 
+gboolean
+kerberos_is_win2k_pkinit(asn1_ctx_t *actx);
+
 gint
 dissect_kerberos_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean do_col_info, kerberos_callbacks *cb);
 
diff --git a/epan/dissectors/asn1/pkinit/PKINIT.asn b/epan/dissectors/asn1/pkinit/PKINIT.asn
index 2af0321a84..ff25738fb8 100644
--- a/epan/dissectors/asn1/pkinit/PKINIT.asn
+++ b/epan/dissectors/asn1/pkinit/PKINIT.asn
@@ -41,7 +41,7 @@ BEGIN
               modules(0) cms(1) }
 
 
-        KerberosTime, Checksum, TYPED-DATA, PrincipalName, Realm, EncryptionKey
+        KerberosTime, TYPED-DATA, PrincipalName, Realm, EncryptionKey
             FROM KerberosV5Spec2 { iso(1) identified-organization(3)
               dod(6) internet(1) security(5) kerberosV5(2) modules(4)
               krb5spec2(2) } ;
@@ -87,12 +87,14 @@ TrustedCA ::= CHOICE {
     ...
 }
 
+DHNonce ::= OCTET STRING
 
 AuthPack ::= SEQUENCE {
     pkAuthenticator         [0] PKAuthenticator,
     clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL,
     supportedCMSTypes       [2] SEQUENCE OF AlgorithmIdentifier
                                 OPTIONAL,
+    clientDHNonce           [3] DHNonce OPTIONAL,
     ...
 }
 
@@ -101,7 +103,8 @@ PKAuthenticator ::= SEQUENCE {
     cusec                   [0] INTEGER,
     ctime                   [1] KerberosTime,
     nonce                   [2] INTEGER (0..4294967295),
-    paChecksum              [3] Checksum,
+    -- paChecksum              [3] Checksum, # changed during draft-ietf-cat-kerberos-pk-init* from Checksum to OCTET STRING OPTIONAL
+    paChecksum              [3] OCTET STRING OPTIONAL,
     ...
 }
 
@@ -146,5 +149,26 @@ KDCDHKeyInfo ::= SEQUENCE {
 --        ...
 --    }
 
+-- Windows compat glue --
+
+PKAuthenticator-Win2k ::= SEQUENCE {
+	kdcName			[0] PrincipalName,
+	kdcRealm		[1] Realm,
+	cusec			[2] INTEGER (0..4294967295),
+	ctime			[3] KerberosTime,
+	nonce                   [4] INTEGER (-2147483648..2147483647),
+	...
+}
+
+PA-PK-AS-REQ-Win2k ::= SEQUENCE {
+	signed-auth-pack	[0] ContentInfo,
+	trusted-certifiers	[2] SEQUENCE OF TrustedCA OPTIONAL,
+	kdc-cert		[3] IMPLICIT OCTET STRING OPTIONAL,
+	encryption-cert		[4] IMPLICIT OCTET STRING OPTIONAL,
+	...
+}
+
+PA-PK-AS-REP-Win2k ::= PaPkAsRep
+
 END
 
diff --git a/epan/dissectors/asn1/pkinit/packet-pkinit-template.c b/epan/dissectors/asn1/pkinit/packet-pkinit-template.c
index 11d9376d43..43f2e40aa0 100644
--- a/epan/dissectors/asn1/pkinit/packet-pkinit-template.c
+++ b/epan/dissectors/asn1/pkinit/packet-pkinit-template.c
@@ -35,9 +35,9 @@ static int proto_pkinit = -1;
 #include "packet-pkinit-ett.c"
 
 static int dissect_KerberosV5Spec2_KerberosTime(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset,  asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_);
-static int dissect_KerberosV5Spec2_Checksum(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset,  asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_);
 static int dissect_KerberosV5Spec2_Realm(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset,  asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_);
 static int dissect_KerberosV5Spec2_PrincipalName(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset,  asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_);
+static int dissect_pkinit_PKAuthenticator_Win2k(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
 
 #include "packet-pkinit-fn.c"
 
@@ -60,12 +60,6 @@ dissect_KerberosV5Spec2_KerberosTime(gboolean implicit_tag _U_, tvbuff_t *tvb, i
 }
 
 static int
-dissect_KerberosV5Spec2_Checksum(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) {
-  offset = dissect_krb5_Checksum(tree, tvb, offset, actx);
-  return offset;
-}
-
-static int
 dissect_KerberosV5Spec2_Realm(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) {
   offset = dissect_krb5_realm(tree, tvb, offset, actx);
   return offset;
diff --git a/epan/dissectors/asn1/pkinit/pkinit.cnf b/epan/dissectors/asn1/pkinit/pkinit.cnf
index a62ff8412f..a64c322c37 100644
--- a/epan/dissectors/asn1/pkinit/pkinit.cnf
+++ b/epan/dissectors/asn1/pkinit/pkinit.cnf
@@ -10,6 +10,14 @@ PKIX1Explicit88              pkix1explicit
 #.EXPORTS
 PaPkAsReq
 PaPkAsRep
+PA-PK-AS-REQ-Win2k
+PA-PK-AS-REP-Win2k
+
+#.FN_BODY PKAuthenticator
+	if (kerberos_is_win2k_pkinit(actx)) {
+		return dissect_pkinit_PKAuthenticator_Win2k(implicit_tag, tvb, offset, actx, tree, hf_index);
+	}
+%(DEFAULT_BODY)s
 
 #.REGISTER
 AuthPack          B "1.3.6.1.5.2.3.1" "id-pkauthdata"
@@ -22,7 +30,9 @@ KRB5PrincipalName B "1.3.6.1.5.2.2"   "id-pkinit-san"
 
 #.FIELD_RENAME
 KDCDHKeyInfo/nonce	dhNonce
+PKAuthenticator-Win2k/cusec cusecWin2k
 PKAuthenticator/nonce	paNonce
+PKAuthenticator-Win2k/nonce	paNonceWin2k
 
 #.END