packet-kerberos: avoid guessing the authorization_data keyusage

Change-Id: I28bdf176818401c1e4e6ef15cf808e502fcf4989
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37300
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

1 files changed, 9 insertions, 3 deletions

diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
index 9566f08088..677605a360 100644
--- a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
+++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
@@ -2745,6 +2745,7 @@ static int
 dissect_krb5_decrypt_authorization_data(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
 					proto_tree *tree, int hf_index _U_)
 {
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 	guint8 *plaintext;
 	int length;
 	tvbuff_t *next_tvb;
@@ -2757,10 +2758,15 @@ dissect_krb5_decrypt_authorization_data(gboolean imp_tag _U_, tvbuff_t *tvb, int
 	 * Authenticators are encrypted with usage
 	 * == 5 or
 	 * == 4
+	 *
+	 * 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with
+	 *    the TGS session key (section 5.4.1)
+	 * 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with
+	 *    the TGS authenticator subkey (section 5.4.1)
 	 */
-	plaintext=decrypt_krb5_data_asn1(tree, actx, 5, next_tvb, NULL);
-
-	if(!plaintext){
+	if (private_data->PA_TGS_REQ_subkey != NULL) {
+		plaintext=decrypt_krb5_data_asn1(tree, actx, 5, next_tvb, NULL);
+	} else {
 		plaintext=decrypt_krb5_data_asn1(tree, actx, 4, next_tvb, NULL);
 	}