author | Stefan Metzmacher <metze@samba.org> | 2016-01-04 13:41:20 +0100 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2020-03-18 10:50:59 +0000 |
commit | 62039fd1c424b0dc4a379808f3056d35f97734ca (patch) | |
tree | 755f49c2e3be989154068e682e5b96206bce6986 /epan/dissectors/asn1 | |
parent | bc5a7061a2b8567a29c527521bb17e11141bafdf (diff) |
packet-{kerberos,pkinit}: Add support for Windows based PKINIT
Change-Id: I472884ed84f7d630aede5a2bb65e87c5ad1e76a4
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/36456
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/dissectors/asn1')
-rw-r--r-- | epan/dissectors/asn1/kerberos/kerberos.cnf | 8 | ||||
-rw-r--r-- | epan/dissectors/asn1/kerberos/packet-kerberos-template.c | 21 | ||||
-rw-r--r-- | epan/dissectors/asn1/kerberos/packet-kerberos-template.h | 3 | ||||
-rw-r--r-- | epan/dissectors/asn1/pkinit/PKINIT.asn | 28 | ||||
-rw-r--r-- | epan/dissectors/asn1/pkinit/packet-pkinit-template.c | 8 | ||||
-rw-r--r-- | epan/dissectors/asn1/pkinit/pkinit.cnf | 10 |
6 files changed, 69 insertions, 9 deletions
diff --git a/epan/dissectors/asn1/kerberos/kerberos.cnf b/epan/dissectors/asn1/kerberos/kerberos.cnf
index 180345b96a..53d3f0fad5 100644
--- a/epan/dissectors/asn1/kerberos/kerberos.cnf
+++ b/epan/dissectors/asn1/kerberos/kerberos.cnf
@@ -155,6 +155,14 @@ PADATA-TYPE PROT_PREFIX UPPER_CASE
 case KERBEROS_PA_TGS_REQ:
 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications);
 break;
+ case KERBEROS_PA_PK_AS_REP_19:
+ private_data->is_win2k_pkinit = TRUE;
+ if (kerberos_private_is_kdc_req(private_data)) {
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PA_PK_AS_REQ_Win2k);
+ } else {
+ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PA_PK_AS_REP_Win2k);
+ }
+ break;
 case KERBEROS_PA_PK_AS_REQ:
 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsReq);
 break;
diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
index d008a35114..2af4c158e0 100644
--- a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
+++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
@@ -87,6 +87,7 @@ typedef struct kerberos_key {
 typedef struct {
 guint32 msg_type;
+ gboolean is_win2k_pkinit;
 guint32 errorcode;
 gboolean try_nt_status;
 guint32 etype;
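Review bot: In the new `case KERBEROS_PA_PK_AS_REP_19:` branch of kerberos.cnf, `private_data->is_win2k_pkinit = TRUE;` is set before the sub-dissector runs and is never cleared afterwards. Assuming the same private data is reached for the rest of the message, any PKAuthenticator decoded later (for example under a following `KERBEROS_PA_PK_AS_REQ` padata) is parsed with the Win2k layout too. Padata types and order come straight from the capture, so this is a mis-decode on untrusted input rather than a memory-safety issue, but it is cheap to avoid: save the old value before the `if`/`else` and put it back after, e.g. `private_data->is_win2k_pkinit = saved_win2k;` just before `break;`. The `else` arm also treats every message type other than AS-REQ/TGS-REQ as a reply; a one-line comment saying that this padata type is used in both directions by Windows would explain the dispatch. The enclosing switch starts and ends outside the hunk.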
@@ -225,6 +226,26 @@ kerberos_get_private_data(asn1_ctx_t *actx) return (kerberos_private_data_t *)(actx->private_data); } +static gboolean +kerberos_private_is_kdc_req(kerberos_private_data_t *private_data) +{ + switch (private_data->msg_type) { + case KERBEROS_APPLICATIONS_AS_REQ: + case KERBEROS_APPLICATIONS_TGS_REQ: + return TRUE; + } + + return FALSE; +} + +gboolean +kerberos_is_win2k_pkinit(asn1_ctx_t *actx) +{ + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + + return private_data->is_win2k_pkinit; +} + #ifdef HAVE_KERBEROS /* Decrypt Kerberos blobs */ diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.h b/epan/dissectors/asn1/kerberos/packet-kerberos-template.h index 88800185a6..f2187a8e43 100644 --- a/epan/dissectors/asn1/kerberos/packet-kerberos-template.h +++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.h @@ -35,6 +35,9 @@ typedef struct _kerberos_callbacks { /* Function prototypes */ +gboolean +kerberos_is_win2k_pkinit(asn1_ctx_t *actx); + gint dissect_kerberos_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean do_col_info, kerberos_callbacks *cb); diff --git a/epan/dissectors/asn1/pkinit/PKINIT.asn b/epan/dissectors/asn1/pkinit/PKINIT.asn index 2af0321a84..ff25738fb8 100644 --- a/epan/dissectors/asn1/pkinit/PKINIT.asn +++ b/epan/dissectors/asn1/pkinit/PKINIT.asn @@ -41,7 +41,7 @@ BEGIN modules(0) cms(1) } - KerberosTime, Checksum, TYPED-DATA, PrincipalName, Realm, EncryptionKey + KerberosTime, TYPED-DATA, PrincipalName, Realm, EncryptionKey FROM KerberosV5Spec2 { iso(1) identified-organization(3) dod(6) internet(1) security(5) kerberosV5(2) modules(4) krb5spec2(2) } ; @@ -87,12 +87,14 @@ TrustedCA ::= CHOICE { ... } +DHNonce ::= OCTET STRING AuthPack ::= SEQUENCE { pkAuthenticator [0] PKAuthenticator, clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL, + clientDHNonce [3] DHNonce OPTIONAL, ... } 
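Review bot: The exported `kerberos_is_win2k_pkinit()` in packet-kerberos-template.c trusts that `actx->private_data` is a `kerberos_private_data_t`, because the visible tail of `kerberos_get_private_data()` simply casts it; nothing in the hunk establishes that the caller's `actx` was set up by the Kerberos dissector. The pkinit.cnf hunk of this commit calls it from the PKAuthenticator body, and that same file registers AuthPack by OID, so PKAuthenticator may be reached with an `actx` whose private data is absent or owned by another dissector. The start of `kerberos_get_private_data()` is outside the hunk and may already cover the NULL case, but a foreign non-NULL pointer would still be reinterpreted. I would state the precondition on the prototype in packet-kerberos-template.h, e.g. `/* actx->private_data must be the Kerberos dissector's private data */`, and consider carrying the flag in per-packet data keyed on the Kerberos protocol instead. Minor: the `switch` in `kerberos_private_is_kdc_req()` has no `default:` and the parameter could be `const kerberos_private_data_t *`.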
@@ -101,7 +103,8 @@ PKAuthenticator ::= SEQUENCE { cusec [0] INTEGER, ctime [1] KerberosTime, nonce [2] INTEGER (0..4294967295), - paChecksum [3] Checksum, + -- paChecksum [3] Checksum, # changed during draft-ietf-cat-kerberos-pk-init* from Checksum to OCTET STRING OPTIONAL + paChecksum [3] OCTET STRING OPTIONAL, ... } @@ -146,5 +149,26 @@ KDCDHKeyInfo ::= SEQUENCE { -- ... -- } +-- Windows compat glue -- + +PKAuthenticator-Win2k ::= SEQUENCE { + kdcName [0] PrincipalName, + kdcRealm [1] Realm, + cusec [2] INTEGER (0..4294967295), + ctime [3] KerberosTime, + nonce [4] INTEGER (-2147483648..2147483647), + ... +} + +PA-PK-AS-REQ-Win2k ::= SEQUENCE { + signed-auth-pack [0] ContentInfo, + trusted-certifiers [2] SEQUENCE OF TrustedCA OPTIONAL, + kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL, + encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL, + ... +} + +PA-PK-AS-REP-Win2k ::= PaPkAsRep + END diff --git a/epan/dissectors/asn1/pkinit/packet-pkinit-template.c b/epan/dissectors/asn1/pkinit/packet-pkinit-template.c index 11d9376d43..43f2e40aa0 100644 --- a/epan/dissectors/asn1/pkinit/packet-pkinit-template.c +++ b/epan/dissectors/asn1/pkinit/packet-pkinit-template.c 
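Review bot: `PA-PK-AS-REQ-Win2k` in the "Windows compat glue" block of PKINIT.asn tags its fields `[0]`, `[2]`, `[3]`, `[4]` with no `[1]`, and nothing in the hunk says whether the gap is deliberate. If it mirrors the Windows encoding, a comment above the type such as `-- tag [1] is not used by the Win2k encoding` would keep a later reader from renumbering it, and a reference to the draft revision these types follow would help anyone checking the decode against a capture. `PKAuthenticator-Win2k` also declares `nonce` as signed (`-2147483648..2147483647`) while the standard `PKAuthenticator` uses `0..4294967295`; a short comment giving the reason would be useful.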
@@ -35,9 +35,9 @@ static int proto_pkinit = -1;
 #include "packet-pkinit-ett.c"
 static int dissect_KerberosV5Spec2_KerberosTime(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_);
-static int dissect_KerberosV5Spec2_Checksum(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_);
 static int dissect_KerberosV5Spec2_Realm(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_);
 static int dissect_KerberosV5Spec2_PrincipalName(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_);
+static int dissect_pkinit_PKAuthenticator_Win2k(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
 #include "packet-pkinit-fn.c"
@@ -60,12 +60,6 @@ dissect_KerberosV5Spec2_KerberosTime(gboolean implicit_tag _U_, tvbuff_t *tvb, i
 }
 static int
-dissect_KerberosV5Spec2_Checksum(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) {
- offset = dissect_krb5_Checksum(tree, tvb, offset, actx);
- return offset;
-}
-
-static int
 dissect_KerberosV5Spec2_Realm(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) {
 offset = dissect_krb5_realm(tree, tvb, offset, actx);
 return offset;
diff --git a/epan/dissectors/asn1/pkinit/pkinit.cnf b/epan/dissectors/asn1/pkinit/pkinit.cnf
index a62ff8412f..a64c322c37 100644
--- a/epan/dissectors/asn1/pkinit/pkinit.cnf
+++ b/epan/dissectors/asn1/pkinit/pkinit.cnf
@@ -10,6 +10,14 @@ PKIX1Explicit88 pkix1explicit
 #.EXPORTS
 PaPkAsReq
 PaPkAsRep
+PA-PK-AS-REQ-Win2k
+PA-PK-AS-REP-Win2k
+
+#.FN_BODY PKAuthenticator
+ if (kerberos_is_win2k_pkinit(actx)) {
+ return dissect_pkinit_PKAuthenticator_Win2k(implicit_tag, tvb, offset, actx, tree, hf_index);
+ }
+%(DEFAULT_BODY)s
 #.REGISTER
 AuthPack B "1.3.6.1.5.2.3.1" "id-pkauthdata"
@@ -22,7 +30,9 @@ KRB5PrincipalName B "1.3.6.1.5.2.2" "id-pkinit-san"
 #.FIELD_RENAME
 KDCDHKeyInfo/nonce dhNonce
+PKAuthenticator-Win2k/cusec cusecWin2k
 PKAuthenticator/nonce paNonce
+PKAuthenticator-Win2k/nonce paNonceWin2k
 #.END |