authorStefan Metzmacher <metze@samba.org>2020-05-24 16:19:35 +0200
committerAnders Broman <a.broman58@gmail.com>2020-05-26 13:58:45 +0000
commitdaf8b802d862a19ea46d2b4ac683c4c2fe50321e (patch)
tree0adf72830fd3dce425332aceae141ea6dceb1fba /epan/dissectors/packet-kerberos.c
parentfd9ed550c3c7a677d47f2b750017d63ba88c982c (diff)
packet-kerberos: avoid guessing the KDC_REP keyusage were possible
We already know about the top level message type. So we only need an autodetection for the TGS-REP. We could also avoid that, but that would need state to match TGS-REQ with TGS-REP. But if the client used FAST and we got a strengthen_key, we're sure an authenticator subkey was used. Windows doesn't use an authenticator subkey without FAST, but heimdal does. For now try 8 before 9 in order to avoid overhead and false positives for the 'kerberos.missing_keytype' filter in pure windows captures. Change-Id: If974dda735cd2aa5b1920c26309e5e2081723e4f Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-on: https://code.wireshark.org/review/37299 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-kerberos.c')
-rw-r--r--epan/dissectors/packet-kerberos.c55
1 files changed, 43 insertions, 12 deletions
diff --git a/epan/dissectors/packet-kerberos.c b/epan/dissectors/packet-kerberos.c
index 764614b559..c0ff90fbd5 100644
--- a/epan/dissectors/packet-kerberos.c
+++ b/epan/dissectors/packet-kerberos.c
@@ -3227,7 +3227,8 @@ static int
dissect_krb5_decrypt_KDC_REP_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
proto_tree *tree, int hf_index _U_)
{
- guint8 *plaintext;
+ kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+ guint8 *plaintext = NULL;
int length;
tvbuff_t *next_tvb;
@@ -3240,15 +3241,45 @@ dissect_krb5_decrypt_KDC_REP_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offs
* == 3 or
* == 8 or
* == 9
+ *
+ * 3. AS-REP encrypted part (includes TGS session key or
+ * application session key), encrypted with the client key
+ * (section 5.4.2)
+ *
+ * 8. TGS-REP encrypted part (includes application session
+ * key), encrypted with the TGS session key (section
+ * 5.4.2)
+ * 9. TGS-REP encrypted part (includes application session
+ * key), encrypted with the TGS authenticator subkey
+ * (section 5.4.2)
+ *
+ * We currently don't have a way to find the TGS-REQ state
+ * in order to check if an authenticator subkey was used.
+ *
+ * But if we client used FAST and we got a strengthen_key,
+ * we're sure an authenticator subkey was used.
+ *
+ * Windows don't use an authenticator subkey without FAST,
+ * but heimdal does.
+ *
+ * For now try 8 before 9 in order to avoid overhead and false
+ * positives for the 'kerberos.missing_keytype' filter in pure
+ * windows captures.
*/
- plaintext=decrypt_krb5_data_asn1(tree, actx, 3, next_tvb, NULL);
-
- if(!plaintext){
- plaintext=decrypt_krb5_data_asn1(tree, actx, 8, next_tvb, NULL);
- }
-
- if(!plaintext){
- plaintext=decrypt_krb5_data_asn1(tree, actx, 9, next_tvb, NULL);
+ switch (private_data->msg_type) {
+ case KERBEROS_APPLICATIONS_AS_REP:
+ plaintext=decrypt_krb5_data_asn1(tree, actx, 3, next_tvb, NULL);
+ break;
+ case KERBEROS_APPLICATIONS_TGS_REP:
+ if (private_data->fast_strengthen_key != NULL) {
+ plaintext=decrypt_krb5_data_asn1(tree, actx, 9, next_tvb, NULL);
+ } else {
+ plaintext=decrypt_krb5_data_asn1(tree, actx, 8, next_tvb, NULL);
+ if(!plaintext){
+ plaintext=decrypt_krb5_data_asn1(tree, actx, 9, next_tvb, NULL);
+ }
+ }
+ break;
}
if(plaintext){
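Review bot: The new `switch (private_data->msg_type)` has no `default:` arm, so for any message type other than AS-REP or TGS-REP no decryption is attempted and `plaintext` simply stays NULL, whereas the removed code tried key usages 3, 8 and 9 unconditionally. Where msg_type is populated is not visible in this hunk; if it is taken from a field in the capture rather than from the enclosing application tag, a malformed or unusual reply would now be left undecrypted without any indication to the analyst. I would make the intent explicit with `default: /* not an AS-REP/TGS-REP: nothing to decrypt, plaintext stays NULL */ break;`, which also avoids a `-Wswitch` warning if msg_type is declared as an enum. The function body starts before and continues past this hunk, so how a NULL plaintext is reported afterwards cannot be checked from here.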
@@ -7030,7 +7061,7 @@ dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_
/*--- End of included file: packet-kerberos-fn.c ---*/
-#line 3714 "./asn1/kerberos/packet-kerberos-template.c"
+#line 3745 "./asn1/kerberos/packet-kerberos-template.c"
#ifdef HAVE_KERBEROS
static const ber_sequence_t PA_ENC_TS_ENC_sequence[] = {
@@ -8548,7 +8579,7 @@ void proto_register_kerberos(void) {
NULL, HFILL }},
/*--- End of included file: packet-kerberos-hfarr.c ---*/
-#line 4299 "./asn1/kerberos/packet-kerberos-template.c"
+#line 4330 "./asn1/kerberos/packet-kerberos-template.c"
};
/* List of subtrees */
@@ -8652,7 +8683,7 @@ void proto_register_kerberos(void) {
&ett_kerberos_EncryptedChallenge,
/*--- End of included file: packet-kerberos-ettarr.c ---*/
-#line 4322 "./asn1/kerberos/packet-kerberos-template.c"
+#line 4353 "./asn1/kerberos/packet-kerberos-template.c"
};
static ei_register_info ei[] = {