diff options
-rw-r--r-- | asn1/kerberos/KerberosV5Spec2.asn | 418 | ||||
-rw-r--r-- | asn1/kerberos/Makefile.am | 26 | ||||
-rw-r--r-- | asn1/kerberos/Makefile.common | 52 | ||||
-rw-r--r-- | asn1/kerberos/Makefile.nmake | 29 | ||||
-rw-r--r-- | asn1/kerberos/kerberos.asn | 417 | ||||
-rw-r--r-- | asn1/kerberos/kerberos.cnf | 12 | ||||
-rw-r--r-- | asn1/kerberos/packet-kerberos-template.c | 1313 | ||||
-rw-r--r-- | asn1/kerberos/packet-kerberos-template.h | 35 |
8 files changed, 2302 insertions, 0 deletions
diff --git a/asn1/kerberos/KerberosV5Spec2.asn b/asn1/kerberos/KerberosV5Spec2.asn new file mode 100644 index 0000000000..0c5e593c84 --- /dev/null +++ b/asn1/kerberos/KerberosV5Spec2.asn @@ -0,0 +1,418 @@ +--http://www.ietf.org/rfc/rfc4120.txt?number=4120 +KerberosV5Spec2 { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) modules(4) krb5spec2(2) +} DEFINITIONS EXPLICIT TAGS ::= BEGIN + +-- OID arc for KerberosV5 +-- +-- This OID may be used to identify Kerberos protocol messages +-- encapsulated in other protocols. +-- +-- This OID also designates the OID arc for KerberosV5-related OIDs. +-- +-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID. +-- My stuff +Applications ::= CHOICE { + ticket Ticket, -- 1 -- + authenticator Authenticator, -- 2 -- + encTicketPart EncTicketPart, -- 3 -- + as-req AS-REQ, -- 10 -- + as-rep AS-REP, -- 11 -- + tgs-req TGS-REQ, -- 12 -- + tgs-rep TGS-REP, -- 13 -- + ap-req AP-REQ, -- 14 -- + ap-rep AP-REP, -- 15 -- + krb-safe KRB-SAFE, -- 20 -- + krb-priv KRB-PRIV, -- 21 -- + krb-cred KRB-CRED, -- 22 -- + encASRepPart EncASRepPart, -- 25 -- + encTGSRepPart EncTGSRepPart, -- 26 -- + encAPRepPart EncAPRepPart, -- 27 -- + encKrbPrivPart EncKrbPrivPart, -- 28 -- + encKrbCredPart EncKrbCredPart, -- 29 -- + krb-error KRB-ERROR -- 30 -- + } +-- end my stuff +id-krb5 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) +} + +Int32 ::= INTEGER (-2147483648..2147483647) + -- signed values representable in 32 bits + +UInt32 ::= INTEGER (0..4294967295) + -- unsigned 32 bit values + +Microseconds ::= INTEGER (0..999999) + -- microseconds + +KerberosString ::= GeneralString (IA5String) + +Realm ::= KerberosString + +PrincipalName ::= SEQUENCE { + name-type [0] Int32, + name-string [1] SEQUENCE OF KerberosString +} + +KerberosTime ::= GeneralizedTime -- with no fractional seconds + +HostAddress ::= SEQUENCE { + addr-type [0] Int32, + address [1] OCTET STRING +} + +-- NOTE: HostAddresses is always used as an OPTIONAL field and +-- should not be empty. +HostAddresses -- NOTE: subtly different from rfc1510, + -- but has a value mapping and encodes the same + ::= SEQUENCE OF HostAddress + +-- NOTE: AuthorizationData is always used as an OPTIONAL field and +-- should not be empty. +AuthorizationData ::= SEQUENCE OF SEQUENCE { + ad-type [0] Int32, + ad-data [1] OCTET STRING +} + +PA-DATA ::= SEQUENCE { + -- NOTE: first tag is [1], not [0] + padata-type [1] Int32, + padata-value [2] OCTET STRING -- might be encoded AP-REQ +} + +KerberosFlags ::= BIT STRING (SIZE (32..MAX)) + -- minimum number of bits shall be sent, + -- but no fewer than 32 + +EncryptedData ::= SEQUENCE { + etype [0] Int32 -- EncryptionType --, + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptionKey ::= SEQUENCE { + keytype [0] Int32 -- actually encryption type --, + keyvalue [1] OCTET STRING +} + +Checksum ::= SEQUENCE { + cksumtype [0] Int32, + checksum [1] OCTET STRING +} + +Ticket ::= [APPLICATION 1] SEQUENCE { + tkt-vno [0] INTEGER (5), + realm [1] Realm, + sname [2] PrincipalName, + enc-part [3] EncryptedData -- EncTicketPart +} + +-- Encrypted part of ticket +EncTicketPart ::= [APPLICATION 3] SEQUENCE { + flags [0] TicketFlags, + key [1] EncryptionKey, + crealm [2] Realm, + cname [3] PrincipalName, + transited [4] TransitedEncoding, + authtime [5] KerberosTime, + starttime [6] KerberosTime OPTIONAL, + endtime [7] KerberosTime, + renew-till [8] KerberosTime OPTIONAL, + caddr [9] HostAddresses OPTIONAL, + authorization-data [10] AuthorizationData OPTIONAL +} + +-- encoded Transited field +TransitedEncoding ::= SEQUENCE { + tr-type [0] Int32 -- must be registered --, + contents [1] OCTET STRING +} + +TicketFlags ::= KerberosFlags + -- reserved(0), + -- forwardable(1), + -- forwarded(2), + -- proxiable(3), + -- proxy(4), + -- may-postdate(5), + -- postdated(6), + -- invalid(7), + -- renewable(8), + -- initial(9), + -- pre-authent(10), + -- hw-authent(11), +-- the following are new since 1510 + -- transited-policy-checked(12), + -- ok-as-delegate(13) + +AS-REQ ::= [APPLICATION 10] KDC-REQ + +TGS-REQ ::= [APPLICATION 12] KDC-REQ + +KDC-REQ ::= SEQUENCE { + -- NOTE: first tag is [1], not [0] + pvno [1] INTEGER (5) , +-- msg-type [2] INTEGER (10 - - AS - - | 12 - - TGS - -), + msg-type [2] INTEGER, + padata [3] SEQUENCE OF PA-DATA OPTIONAL + -- NOTE: not empty --, + req-body [4] KDC-REQ-BODY +} + +KDC-REQ-BODY ::= SEQUENCE { + kdc-options [0] KDCOptions, + cname [1] PrincipalName OPTIONAL + -- Used only in AS-REQ --, + realm [2] Realm + -- Server's realm + -- Also client's in AS-REQ --, + sname [3] PrincipalName OPTIONAL, + from [4] KerberosTime OPTIONAL, + till [5] KerberosTime, + rtime [6] KerberosTime OPTIONAL, + nonce [7] UInt32, + etype [8] SEQUENCE OF Int32 -- EncryptionType + -- in preference order --, + addresses [9] HostAddresses OPTIONAL, + enc-authorization-data [10] EncryptedData OPTIONAL + -- AuthorizationData --, + additional-tickets [11] SEQUENCE OF Ticket OPTIONAL + -- NOTE: not empty +} + +KDCOptions ::= KerberosFlags + -- reserved(0), + -- forwardable(1), + -- forwarded(2), + -- proxiable(3), + -- proxy(4), + -- allow-postdate(5), + -- postdated(6), + -- unused7(7), + -- renewable(8), + -- unused9(9), + -- unused10(10), + -- opt-hardware-auth(11), + -- unused12(12), + -- unused13(13), +-- 15 is reserved for canonicalize + -- unused15(15), +-- 26 was unused in 1510 + -- disable-transited-check(26), +-- + -- renewable-ok(27), + -- enc-tkt-in-skey(28), + -- renew(30), + -- validate(31) + +AS-REP ::= [APPLICATION 11] KDC-REP + +TGS-REP ::= [APPLICATION 13] KDC-REP + + +KDC-REP ::= SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (11 - - AS - - | 13 - - TGS - -), + msg-type [1] INTEGER, + padata [2] SEQUENCE OF PA-DATA OPTIONAL + -- NOTE: not empty --, + crealm [3] Realm, + cname [4] PrincipalName, + ticket [5] Ticket, + enc-part [6] EncryptedData + -- EncASRepPart or EncTGSRepPart, + -- as appropriate +} + +EncASRepPart ::= [APPLICATION 25] EncKDCRepPart + +EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart + +EncKDCRepPart ::= SEQUENCE { + key [0] EncryptionKey, + last-req [1] LastReq, + nonce [2] UInt32, + key-expiration [3] KerberosTime OPTIONAL, + flags [4] TicketFlags, + authtime [5] KerberosTime, + starttime [6] KerberosTime OPTIONAL, + endtime [7] KerberosTime, + renew-till [8] KerberosTime OPTIONAL, + srealm [9] Realm, + sname [10] PrincipalName, + caddr [11] HostAddresses OPTIONAL +} + +LastReq ::= SEQUENCE OF SEQUENCE { + lr-type [0] Int32, + lr-value [1] KerberosTime +} + +AP-REQ ::= [APPLICATION 14] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (14), + ap-options [2] APOptions, + ticket [3] Ticket, + authenticator [4] EncryptedData -- Authenticator +} + +APOptions ::= KerberosFlags + -- reserved(0), + -- use-session-key(1), + -- mutual-required(2) + +-- Unencrypted authenticator +Authenticator ::= [APPLICATION 2] SEQUENCE { + authenticator-vno [0] INTEGER (5), + crealm [1] Realm, + cname [2] PrincipalName, + cksum [3] Checksum OPTIONAL, + cusec [4] Microseconds, + ctime [5] KerberosTime, + subkey [6] EncryptionKey OPTIONAL, + seq-number [7] UInt32 OPTIONAL, + authorization-data [8] AuthorizationData OPTIONAL +} + +AP-REP ::= [APPLICATION 15] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (15), + enc-part [2] EncryptedData -- EncAPRepPart +} + +EncAPRepPart ::= [APPLICATION 27] SEQUENCE { + ctime [0] KerberosTime, + cusec [1] Microseconds, + subkey [2] EncryptionKey OPTIONAL, + seq-number [3] UInt32 OPTIONAL +} + +KRB-SAFE ::= [APPLICATION 20] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (20), + safe-body [2] KRB-SAFE-BODY, + cksum [3] Checksum +} + +KRB-SAFE-BODY ::= SEQUENCE { + user-data [0] OCTET STRING, + timestamp [1] KerberosTime OPTIONAL, + usec [2] Microseconds OPTIONAL, + seq-number [3] UInt32 OPTIONAL, + s-address [4] HostAddress, + r-address [5] HostAddress OPTIONAL +} + +KRB-PRIV ::= [APPLICATION 21] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (21), + -- NOTE: there is no [2] tag + enc-part [3] EncryptedData -- EncKrbPrivPart +} + +EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { + user-data [0] OCTET STRING, + timestamp [1] KerberosTime OPTIONAL, + usec [2] Microseconds OPTIONAL, + seq-number [3] UInt32 OPTIONAL, + s-address [4] HostAddress -- sender's addr --, + r-address [5] HostAddress OPTIONAL -- recip's addr +} + +KRB-CRED ::= [APPLICATION 22] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (22), + tickets [2] SEQUENCE OF Ticket, + enc-part [3] EncryptedData -- EncKrbCredPart +} + +EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { + ticket-info [0] SEQUENCE OF KrbCredInfo, + nonce [1] UInt32 OPTIONAL, + timestamp [2] KerberosTime OPTIONAL, + usec [3] Microseconds OPTIONAL, + s-address [4] HostAddress OPTIONAL, + r-address [5] HostAddress OPTIONAL +} + +KrbCredInfo ::= SEQUENCE { + key [0] EncryptionKey, + prealm [1] Realm OPTIONAL, + pname [2] PrincipalName OPTIONAL, + flags [3] TicketFlags OPTIONAL, + authtime [4] KerberosTime OPTIONAL, + starttime [5] KerberosTime OPTIONAL, + endtime [6] KerberosTime OPTIONAL, + renew-till [7] KerberosTime OPTIONAL, + srealm [8] Realm OPTIONAL, + sname [9] PrincipalName OPTIONAL, + caddr [10] HostAddresses OPTIONAL +} + +KRB-ERROR ::= [APPLICATION 30] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (30), + ctime [2] KerberosTime OPTIONAL, + cusec [3] Microseconds OPTIONAL, + stime [4] KerberosTime, + susec [5] Microseconds, + error-code [6] Int32, + crealm [7] Realm OPTIONAL, + cname [8] PrincipalName OPTIONAL, + realm [9] Realm -- service realm --, + sname [10] PrincipalName -- service name --, + e-text [11] KerberosString OPTIONAL, + e-data [12] OCTET STRING OPTIONAL +} + +METHOD-DATA ::= SEQUENCE OF PA-DATA + +TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + data-type [0] Int32, + data-value [1] OCTET STRING OPTIONAL +} + +-- preauth stuff follows + +PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC + +PA-ENC-TS-ENC ::= SEQUENCE { + patimestamp [0] KerberosTime -- client's time --, + pausec [1] Microseconds OPTIONAL +} + +ETYPE-INFO-ENTRY ::= SEQUENCE { + etype [0] Int32, + salt [1] OCTET STRING OPTIONAL +} + +ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY + +ETYPE-INFO2-ENTRY ::= SEQUENCE { + etype [0] Int32, + salt [1] KerberosString OPTIONAL, + s2kparams [2] OCTET STRING OPTIONAL +} + +ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY + +AD-IF-RELEVANT ::= AuthorizationData + +AD-KDCIssued ::= SEQUENCE { + ad-checksum [0] Checksum, + i-realm [1] Realm OPTIONAL, + i-sname [2] PrincipalName OPTIONAL, + elements [3] AuthorizationData +} + +AD-AND-OR ::= SEQUENCE { + condition-count [0] Int32, + elements [1] AuthorizationData +} + +AD-MANDATORY-FOR-KDC ::= AuthorizationData + +END diff --git a/asn1/kerberos/Makefile.am b/asn1/kerberos/Makefile.am new file mode 100644 index 0000000000..462af31e88 --- /dev/null +++ b/asn1/kerberos/Makefile.am @@ -0,0 +1,26 @@ +# $Id$ +# +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + + +include ../Makefile.preinc +include Makefile.common +include ../Makefile.inc + diff --git a/asn1/kerberos/Makefile.common b/asn1/kerberos/Makefile.common new file mode 100644 index 0000000000..658df0627b --- /dev/null +++ b/asn1/kerberos/Makefile.common @@ -0,0 +1,52 @@ +# $Id$ +# +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + + +PROTOCOL_NAME=kerberos + +DISSECTOR_FILES=packet-$(PROTOCOL_NAME).c \ + packet-$(PROTOCOL_NAME).h + +NEED_PACKET_PROTO_H = 1 + +EXPORT_FILES = \ + $(PROTOCOL_NAME)-exp.cnf + +EXT_ASN_FILE_LIST = + +ASN_FILE_LIST = KerberosV5Spec2.asn + +# The packet-$(PROTOCOL_NAME)-template.h and $(PROTOCOL_NAME).asn +# files do not exist # for all protocols: Please add/remove as required. +EXTRA_DIST = \ + $(ASN_FILE_LIST) \ + packet-$(PROTOCOL_NAME)-template.c \ + packet-$(PROTOCOL_NAME)-template.h \ + $(PROTOCOL_NAME).cnf + +SRC_FILES = \ + $(EXTRA_DIST) \ + $(EXT_ASN_FILE_LIST) + +A2W_FLAGS= -b -X -T -e + +EXTRA_CNF= + diff --git a/asn1/kerberos/Makefile.nmake b/asn1/kerberos/Makefile.nmake new file mode 100644 index 0000000000..5a32997c60 --- /dev/null +++ b/asn1/kerberos/Makefile.nmake @@ -0,0 +1,29 @@ +## Use: $(MAKE) /$(MAKEFLAGS) -f makefile.nmake +# +# $Id$ +# +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + + +include ../../config.nmake +include ../Makefile.preinc.nmake +include Makefile.common +include ../Makefile.inc.nmake + diff --git a/asn1/kerberos/kerberos.asn b/asn1/kerberos/kerberos.asn new file mode 100644 index 0000000000..621f30c2f5 --- /dev/null +++ b/asn1/kerberos/kerberos.asn @@ -0,0 +1,417 @@ + KerberosV5Spec2 { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) modules(4) krb5spec2(2) +} DEFINITIONS EXPLICIT TAGS ::= BEGIN + +-- OID arc for KerberosV5 +-- +-- This OID may be used to identify Kerberos protocol messages +-- encapsulated in other protocols. +-- +-- This OID also designates the OID arc for KerberosV5-related OIDs. +-- +-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID. +id-krb5 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) +} + +-- WS construct +Application ::= CHOICE { + ticket Ticket, + authenticator Authenticator, + encTicketPart EncTicketPart, + as-req AS-REQ, + as-rep AS-REP, + tgs-req TGS-REQ, + tgs-rep TGS-REP, + ap-req AP-REQ, + ap-rep AP-REP, + krb-safe KRB-SAFE, + krb-priv KRB-PRIV, + krb-cred KRB-CRED, + encASRepPart EncASRepPart, + encTGSRepPart EncTGSRepPart, + encAPRepPart EncAPRepPart, + encKrbPrivPart EncKrbPrivPart, + encKrbCredPart EncKrbCredPart, + krb-error KRB-ERROR +} + +Int32 ::= INTEGER (-2147483648..2147483647) + -- signed values representable in 32 bits + +UInt32 ::= INTEGER (0..4294967295) + -- unsigned 32 bit values + +Microseconds ::= INTEGER (0..999999) + -- microseconds + +KerberosString ::= GeneralString (IA5String) + +Realm ::= KerberosString + +PrincipalName ::= SEQUENCE { + name-type [0] Int32, + name-string [1] SEQUENCE OF KerberosString +} + +KerberosTime ::= GeneralizedTime -- with no fractional seconds + +HostAddress ::= SEQUENCE { + addr-type [0] Int32, + address [1] OCTET STRING +} + +-- NOTE: HostAddresses is always used as an OPTIONAL field and +-- should not be empty. +HostAddresses -- NOTE: subtly different from rfc1510, + -- but has a value mapping and encodes the same + ::= SEQUENCE OF HostAddress + +-- NOTE: AuthorizationData is always used as an OPTIONAL field and +-- should not be empty. +AuthorizationData ::= SEQUENCE OF SEQUENCE { + ad-type [0] Int32, + ad-data [1] OCTET STRING +} + +PA-DATA ::= SEQUENCE { + -- NOTE: first tag is [1], not [0] + padata-type [1] Int32, + padata-value [2] OCTET STRING -- might be encoded AP-REQ +} + +KerberosFlags ::= BIT STRING (SIZE (32..MAX)) + -- minimum number of bits shall be sent, + -- but no fewer than 32 + +EncryptedData ::= SEQUENCE { + etype [0] Int32 -- EncryptionType --, + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptionKey ::= SEQUENCE { + keytype [0] Int32 -- actually encryption type --, + keyvalue [1] OCTET STRING +} + +Checksum ::= SEQUENCE { + cksumtype [0] Int32, + checksum [1] OCTET STRING +} + +Ticket ::= [APPLICATION 1] SEQUENCE { + tkt-vno [0] INTEGER (5), + realm [1] Realm, + sname [2] PrincipalName, + enc-part [3] EncryptedData -- EncTicketPart +} + +-- Encrypted part of ticket +EncTicketPart ::= [APPLICATION 3] SEQUENCE { + flags [0] TicketFlags, + key [1] EncryptionKey, + crealm [2] Realm, + cname [3] PrincipalName, + transited [4] TransitedEncoding, + authtime [5] KerberosTime, + starttime [6] KerberosTime OPTIONAL, + endtime [7] KerberosTime, + renew-till [8] KerberosTime OPTIONAL, + caddr [9] HostAddresses OPTIONAL, + authorization-data [10] AuthorizationData OPTIONAL +} + +-- encoded Transited field +TransitedEncoding ::= SEQUENCE { + tr-type [0] Int32 -- must be registered --, + contents [1] OCTET STRING +} + +TicketFlags ::= KerberosFlags + -- reserved(0), + -- forwardable(1), + -- forwarded(2), + -- proxiable(3), + -- proxy(4), + -- may-postdate(5), + -- postdated(6), + -- invalid(7), + -- renewable(8), + -- initial(9), + -- pre-authent(10), + -- hw-authent(11), +-- the following are new since 1510 + -- transited-policy-checked(12), + -- ok-as-delegate(13) + +AS-REQ ::= [APPLICATION 10] KDC-REQ + +TGS-REQ ::= [APPLICATION 12] KDC-REQ + +KDC-REQ ::= SEQUENCE { + -- NOTE: first tag is [1], not [0] + pvno [1] INTEGER (5) , +-- msg-type [2] INTEGER (10 - - AS - - | 12 - - TGS - -), + msg-type [2] INTEGER, + padata [3] SEQUENCE OF PA-DATA OPTIONAL + -- NOTE: not empty --, + req-body [4] KDC-REQ-BODY +} + +KDC-REQ-BODY ::= SEQUENCE { + kdc-options [0] KDCOptions, + cname [1] PrincipalName OPTIONAL + -- Used only in AS-REQ --, + realm [2] Realm + -- Server's realm + -- Also client's in AS-REQ --, + sname [3] PrincipalName OPTIONAL, + from [4] KerberosTime OPTIONAL, + till [5] KerberosTime, + rtime [6] KerberosTime OPTIONAL, + nonce [7] UInt32, + etype [8] SEQUENCE OF Int32 -- EncryptionType + -- in preference order --, + addresses [9] HostAddresses OPTIONAL, + enc-authorization-data [10] EncryptedData OPTIONAL + -- AuthorizationData --, + additional-tickets [11] SEQUENCE OF Ticket OPTIONAL + -- NOTE: not empty +} + +KDCOptions ::= KerberosFlags + -- reserved(0), + -- forwardable(1), + -- forwarded(2), + -- proxiable(3), + -- proxy(4), + -- allow-postdate(5), + -- postdated(6), + -- unused7(7), + -- renewable(8), + -- unused9(9), + -- unused10(10), + -- opt-hardware-auth(11), + -- unused12(12), + -- unused13(13), +-- 15 is reserved for canonicalize + -- unused15(15), +-- 26 was unused in 1510 + -- disable-transited-check(26), +-- + -- renewable-ok(27), + -- enc-tkt-in-skey(28), + -- renew(30), + -- validate(31) + +AS-REP ::= [APPLICATION 11] KDC-REP + +TGS-REP ::= [APPLICATION 13] KDC-REP + + +KDC-REP ::= SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (11 - - AS - - | 13 - - TGS - -), + msg-type [1] INTEGER, + padata [2] SEQUENCE OF PA-DATA OPTIONAL + -- NOTE: not empty --, + crealm [3] Realm, + cname [4] PrincipalName, + ticket [5] Ticket, + enc-part [6] EncryptedData + -- EncASRepPart or EncTGSRepPart, + -- as appropriate +} + +EncASRepPart ::= [APPLICATION 25] EncKDCRepPart + +EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart + +EncKDCRepPart ::= SEQUENCE { + key [0] EncryptionKey, + last-req [1] LastReq, + nonce [2] UInt32, + key-expiration [3] KerberosTime OPTIONAL, + flags [4] TicketFlags, + authtime [5] KerberosTime, + starttime [6] KerberosTime OPTIONAL, + endtime [7] KerberosTime, + renew-till [8] KerberosTime OPTIONAL, + srealm [9] Realm, + sname [10] PrincipalName, + caddr [11] HostAddresses OPTIONAL +} + +LastReq ::= SEQUENCE OF SEQUENCE { + lr-type [0] Int32, + lr-value [1] KerberosTime +} + +AP-REQ ::= [APPLICATION 14] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (14), + ap-options [2] APOptions, + ticket [3] Ticket, + authenticator [4] EncryptedData -- Authenticator +} + +APOptions ::= KerberosFlags + -- reserved(0), + -- use-session-key(1), + -- mutual-required(2) + +-- Unencrypted authenticator +Authenticator ::= [APPLICATION 2] SEQUENCE { + authenticator-vno [0] INTEGER (5), + crealm [1] Realm, + cname [2] PrincipalName, + cksum [3] Checksum OPTIONAL, + cusec [4] Microseconds, + ctime [5] KerberosTime, + subkey [6] EncryptionKey OPTIONAL, + seq-number [7] UInt32 OPTIONAL, + authorization-data [8] AuthorizationData OPTIONAL +} + +AP-REP ::= [APPLICATION 15] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (15), + enc-part [2] EncryptedData -- EncAPRepPart +} + +EncAPRepPart ::= [APPLICATION 27] SEQUENCE { + ctime [0] KerberosTime, + cusec [1] Microseconds, + subkey [2] EncryptionKey OPTIONAL, + seq-number [3] UInt32 OPTIONAL +} + +KRB-SAFE ::= [APPLICATION 20] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (20), + safe-body [2] KRB-SAFE-BODY, + cksum [3] Checksum +} + +KRB-SAFE-BODY ::= SEQUENCE { + user-data [0] OCTET STRING, + timestamp [1] KerberosTime OPTIONAL, + usec [2] Microseconds OPTIONAL, + seq-number [3] UInt32 OPTIONAL, + s-address [4] HostAddress, + r-address [5] HostAddress OPTIONAL +} + +KRB-PRIV ::= [APPLICATION 21] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (21), + -- NOTE: there is no [2] tag + enc-part [3] EncryptedData -- EncKrbPrivPart +} + +EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { + user-data [0] OCTET STRING, + timestamp [1] KerberosTime OPTIONAL, + usec [2] Microseconds OPTIONAL, + seq-number [3] UInt32 OPTIONAL, + s-address [4] HostAddress -- sender's addr --, + r-address [5] HostAddress OPTIONAL -- recip's addr +} + +KRB-CRED ::= [APPLICATION 22] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (22), + tickets [2] SEQUENCE OF Ticket, + enc-part [3] EncryptedData -- EncKrbCredPart +} + +EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { + ticket-info [0] SEQUENCE OF KrbCredInfo, + nonce [1] UInt32 OPTIONAL, + timestamp [2] KerberosTime OPTIONAL, + usec [3] Microseconds OPTIONAL, + s-address [4] HostAddress OPTIONAL, + r-address [5] HostAddress OPTIONAL +} + +KrbCredInfo ::= SEQUENCE { + key [0] EncryptionKey, + prealm [1] Realm OPTIONAL, + pname [2] PrincipalName OPTIONAL, + flags [3] TicketFlags OPTIONAL, + authtime [4] KerberosTime OPTIONAL, + starttime [5] KerberosTime OPTIONAL, + endtime [6] KerberosTime OPTIONAL, + renew-till [7] KerberosTime OPTIONAL, + srealm [8] Realm OPTIONAL, + sname [9] PrincipalName OPTIONAL, + caddr [10] HostAddresses OPTIONAL +} + +KRB-ERROR ::= [APPLICATION 30] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (30), + ctime [2] KerberosTime OPTIONAL, + cusec [3] Microseconds OPTIONAL, + stime [4] KerberosTime, + susec [5] Microseconds, + error-code [6] Int32, + crealm [7] Realm OPTIONAL, + cname [8] PrincipalName OPTIONAL, + realm [9] Realm -- service realm --, + sname [10] PrincipalName -- service name --, + e-text [11] KerberosString OPTIONAL, + e-data [12] OCTET STRING OPTIONAL +} + +METHOD-DATA ::= SEQUENCE OF PA-DATA + +TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + data-type [0] Int32, + data-value [1] OCTET STRING OPTIONAL +} + +-- preauth stuff follows + +PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC + +PA-ENC-TS-ENC ::= SEQUENCE { + patimestamp [0] KerberosTime -- client's time --, + pausec [1] Microseconds OPTIONAL +} + +ETYPE-INFO-ENTRY ::= SEQUENCE { + etype [0] Int32, + salt [1] OCTET STRING OPTIONAL +} + +ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY + +ETYPE-INFO2-ENTRY ::= SEQUENCE { + etype [0] Int32, + salt [1] KerberosString OPTIONAL, + s2kparams [2] OCTET STRING OPTIONAL +} + +ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY + +AD-IF-RELEVANT ::= AuthorizationData + +AD-KDCIssued ::= SEQUENCE { + ad-checksum [0] Checksum, + i-realm [1] Realm OPTIONAL, + i-sname [2] PrincipalName OPTIONAL, + elements [3] AuthorizationData +} + +AD-AND-OR ::= SEQUENCE { + condition-count [0] Int32, + elements [1] AuthorizationData +} + +AD-MANDATORY-FOR-KDC ::= AuthorizationData + +END diff --git a/asn1/kerberos/kerberos.cnf b/asn1/kerberos/kerberos.cnf new file mode 100644 index 0000000000..1b99705bcc --- /dev/null +++ b/asn1/kerberos/kerberos.cnf @@ -0,0 +1,12 @@ +# kerberos.cnf +# kerberos conformation file +# Copyright 2007 Anders Broman +# $Id$ + +#.FIELD_RENAME + +#.FN_PARS +Int32 VAL_PTR = etype + + + diff --git a/asn1/kerberos/packet-kerberos-template.c b/asn1/kerberos/packet-kerberos-template.c new file mode 100644 index 0000000000..bd13cea8e1 --- /dev/null +++ b/asn1/kerberos/packet-kerberos-template.c @@ -0,0 +1,1313 @@ +/* packet-kerberos.c + * Routines for Kerberos + * Wes Hardaker (c) 2000 + * wjhardaker@ucdavis.edu + * Richard Sharpe (C) 2002, rsharpe@samba.org, modularized a bit more and + * added AP-REQ and AP-REP dissection + * + * Ronnie Sahlberg (C) 2004, major rewrite for new ASN.1/BER API. + * decryption of kerberos blobs if keytab is provided + * + * See RFC 1510, and various I-Ds and other documents showing additions, + * e.g. ones listed under + * + * http://www.isi.edu/people/bcn/krb-revisions/ + * + * and + * + * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt + * + * and + * + * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-05.txt + * + * Some structures from RFC2630 + * + * $Id$ + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/* + * Some of the development of the Kerberos protocol decoder was sponsored by + * Cable Television Laboratories, Inc. ("CableLabs") based upon proprietary + * CableLabs' specifications. Your license and use of this protocol decoder + * does not mean that you are licensed to use the CableLabs' + * specifications. If you have questions about this protocol, contact + * jf.mule [AT] cablelabs.com or c.stuart [AT] cablelabs.com for additional + * information. + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#include <stdio.h> +#include <string.h> +#include <glib.h> +#include <ctype.h> + +#ifdef HAVE_LIBNETTLE +#define HAVE_KERBEROS +#ifdef _WIN32 +#include <des.h> +#include <cbc.h> +#else +#include <nettle/des.h> +#include <nettle/cbc.h> +#endif +#include <epan/crypt/crypt-md5.h> +#include <sys/stat.h> /* For keyfile manipulation */ +#endif + +#include <epan/packet.h> + +#include <epan/strutil.h> + +#include <epan/conversation.h> +#include <epan/emem.h> +#include <epan/dissectors/packet-kerberos.h> +#include <epan/dissectors/packet-netbios.h> +#include <epan/dissectors/packet-tcp.h> +#include <epan/prefs.h> +#include <epan/dissectors/packet-ber.h> +#include <epan/dissectors/packet-per.h> +#include <epan/dissectors/packet-pkinit.h> +#include <epan/dissectors/packet-cms.h> +#include <epan/dissectors/packet-windows-common.h> + +#include <epan/dissectors/packet-dcerpc-netlogon.h> +#include <epan/dissectors/packet-dcerpc.h> + +#include <epan/dissectors/packet-gssapi.h> + +#include <wiretap/file_util.h> + +#define PNAME "Kerberos" +#define PSNAME "KRB5" +#define PFNAME "kerberos" + +static kerberos_packet_info kerberos_pi; + +#define UDP_PORT_KERBEROS 88 +#define TCP_PORT_KERBEROS 88 + +static dissector_handle_t kerberos_handle_udp=NULL; + +/* Desegment Kerberos over TCP messages */ +static gboolean krb_desegment = TRUE; + +static gint proto_kerberos = -1; + + +#include "packet-kerberos-hf.c" + +/* Initialize the subtree pointers */ +static gint ett_kerberos = -1; +#include "packet-kerberos-ett.c" + +guint32 krb5_errorcode; + + +static dissector_handle_t krb4_handle=NULL; + +static gboolean do_col_info; + + +static void +call_kerberos_callbacks(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int tag) +{ + kerberos_callbacks *cb=(kerberos_callbacks *)pinfo->private_data; + + if(!cb){ + return; + } + + while(cb->tag){ + if(cb->tag==tag){ + cb->callback(pinfo, tvb, tree); + return; + } + cb++; + } + return; +} + + + +#ifdef HAVE_KERBEROS + +/* Decrypt Kerberos blobs */ +static gboolean krb_decrypt = FALSE; + +/* keytab filename */ +static const char *keytab_filename = "insert filename here"; + +#endif + +#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS) +#ifdef _WIN32 +/* prevent redefinition warnings in kfw-2.5\inc\win_mac.h */ +#undef HAVE_STDARG_H +#undef HAVE_SYS_TYPES_H +#endif +#include <krb5.h> +enc_key_t *enc_key_list=NULL; + +static void +add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin) +{ + enc_key_t *new_key; + + if(pinfo->fd->flags.visited){ + return; + } +printf("added key in %u\n",pinfo->fd->num); + + new_key=g_malloc(sizeof(enc_key_t)); + g_snprintf(new_key->key_origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u",origin,pinfo->fd->num); + new_key->next=enc_key_list; + enc_key_list=new_key; + new_key->keytype=keytype; + new_key->keylength=keylength; + /*XXX this needs to be freed later */ + new_key->keyvalue=g_memdup(keyvalue, keylength); +} +#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */ + + +#ifdef HAVE_MIT_KERBEROS + +static void +read_keytab_file(const char *filename, krb5_context *context) +{ + krb5_keytab keytab; + krb5_keytab_entry key; + krb5_error_code ret; + krb5_kt_cursor cursor; + enc_key_t *new_key; + + /* should use a file in the wireshark users dir */ + ret = krb5_kt_resolve(*context, filename, &keytab); + if(ret){ + fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename); + + return; + } + + ret = krb5_kt_start_seq_get(*context, keytab, &cursor); + if(ret){ + fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename); + return; + } + + do{ + new_key=g_malloc(sizeof(enc_key_t)); + new_key->next=enc_key_list; + ret = krb5_kt_next_entry(*context, keytab, &key, &cursor); + if(ret==0){ + int i; + char *pos; + + /* generate origin string, describing where this key came from */ + pos=new_key->key_origin; + pos+=MIN(KRB_MAX_ORIG_LEN, + g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal ")); + for(i=0;i<key.principal->length;i++){ + pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), + g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),(key.principal->data[i]).data)); + } + pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), + g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm.data)); + *pos=0; +/*printf("added key for principal :%s\n", new_key->key_origin);*/ + new_key->keytype=key.key.enctype; + new_key->keylength=key.key.length; + new_key->keyvalue=g_memdup(key.key.contents, key.key.length); + enc_key_list=new_key; + } + }while(ret==0); + + ret = krb5_kt_end_seq_get(*context, keytab, &cursor); + if(ret){ + krb5_kt_close(*context, keytab); + } + +} + + +guint8 * +decrypt_krb5_data(proto_tree *tree, packet_info *pinfo, + int usage, + int length, + const guint8 *cryptotext, + int keytype) +{ + static int first_time=1; + static krb5_context context; + krb5_error_code ret; + enc_key_t *ek; + static krb5_data data = {0,0,NULL}; + krb5_keytab_entry key; + + /* dont do anything if we are not attempting to decrypt data */ + if(!krb_decrypt){ + return NULL; + } + + /* XXX we should only do this for first time, then store somewhere */ + /* XXX We also need to re-read the keytab when the preference changes */ + + /* should this have a destroy context ? MIT people would know */ + if(first_time){ + first_time=0; + ret = krb5_init_context(&context); + if(ret){ + return NULL; + } + read_keytab_file(keytab_filename, &context); + } + + for(ek=enc_key_list;ek;ek=ek->next){ + krb5_enc_data input; + + /* shortcircuit and bail out if enctypes are not matching */ + if(ek->keytype!=keytype){ + continue; + } + + input.enctype = ek->keytype; + input.ciphertext.length = length; + input.ciphertext.data = (guint8 *)cryptotext; + + data.length = length; + if(data.data){ + g_free(data.data); + } + data.data = g_malloc(length); + + key.key.enctype=ek->keytype; + key.key.length=ek->keylength; + key.key.contents=ek->keyvalue; + ret = krb5_c_decrypt(context, &(key.key), usage, 0, &input, &data); + if((ret == 0) && (length>0)){ + char *user_data; + +printf("woohoo decrypted keytype:%d in frame:%u\n", keytype, pinfo->fd->num); + proto_tree_add_text(tree, NULL, 0, 0, "[Decrypted using: %s]", ek->key_origin); + /* return a private g_malloced blob to the caller */ + user_data=g_malloc(data.length); + memcpy(user_data, data.data, data.length); + return user_data; + } + } + + return NULL; +} + +#elif defined(HAVE_HEIMDAL_KERBEROS) +static void +read_keytab_file(const char *filename, krb5_context *context) +{ + krb5_keytab keytab; + krb5_keytab_entry key; + krb5_error_code ret; + krb5_kt_cursor cursor; + enc_key_t *new_key; + + /* should use a file in the wireshark users dir */ + ret = krb5_kt_resolve(*context, filename, &keytab); + if(ret){ + fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename); + + return; + } + + ret = krb5_kt_start_seq_get(*context, keytab, &cursor); + if(ret){ + fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename); + return; + } + + do{ + new_key=g_malloc(sizeof(enc_key_t)); + new_key->next=enc_key_list; + ret = krb5_kt_next_entry(*context, keytab, &key, &cursor); + if(ret==0){ + unsigned int i; + char *pos; + + /* generate origin string, describing where this key came from */ + pos=new_key->key_origin; + pos+=MIN(KRB_MAX_ORIG_LEN, + g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal ")); + for(i=0;i<key.principal->name.name_string.len;i++){ + pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), + g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),key.principal->name.name_string.val[i])); + } + pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), + g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm)); + *pos=0; + new_key->keytype=key.keyblock.keytype; + new_key->keylength=key.keyblock.keyvalue.length; + new_key->keyvalue=g_memdup(key.keyblock.keyvalue.data, key.keyblock.keyvalue.length); + enc_key_list=new_key; + } + }while(ret==0); + + ret = krb5_kt_end_seq_get(*context, keytab, &cursor); + if(ret){ + krb5_kt_close(*context, keytab); + } + +} + + +guint8 * +decrypt_krb5_data(proto_tree *tree, packet_info *pinfo, + int usage, + int length, + const guint8 *cryptotext, + int keytype) +{ + static int first_time=1; + static krb5_context context; + krb5_error_code ret; + krb5_data data; + enc_key_t *ek; + + /* dont do anything if we are not attempting to decrypt data */ + if(!krb_decrypt){ + return NULL; + } + + /* XXX we should only do this for first time, then store somewhere */ + /* XXX We also need to re-read the keytab when the preference changes */ + + /* should this have a destroy context ? Heimdal people would know */ + if(first_time){ + first_time=0; + ret = krb5_init_context(&context); + if(ret){ + return NULL; + } + read_keytab_file(keytab_filename, &context); + } + + for(ek=enc_key_list;ek;ek=ek->next){ + krb5_keytab_entry key; + krb5_crypto crypto; + guint8 *cryptocopy; /* workaround for pre-0.6.1 heimdal bug */ + + /* shortcircuit and bail out if enctypes are not matching */ + if(ek->keytype!=keytype){ + continue; + } + + key.keyblock.keytype=ek->keytype; + key.keyblock.keyvalue.length=ek->keylength; + key.keyblock.keyvalue.data=ek->keyvalue; + ret = krb5_crypto_init(context, &(key.keyblock), 0, &crypto); + if(ret){ + return NULL; + } + + /* pre-0.6.1 versions of Heimdal would sometimes change + the cryptotext data even when the decryption failed. + This would obviously not work since we iterate over the + keys. So just give it a copy of the crypto data instead. + This has been seen for RC4-HMAC blobs. + */ + cryptocopy=g_malloc(length); + memcpy(cryptocopy, cryptotext, length); + ret = krb5_decrypt_ivec(context, crypto, usage, + cryptocopy, length, + &data, + NULL); + g_free(cryptocopy); + if((ret == 0) && (length>0)){ + char *user_data; + +printf("woohoo decrypted keytype:%d in frame:%u\n", keytype, pinfo->fd->num); + proto_tree_add_text(tree, NULL, 0, 0, "[Decrypted using: %s]", ek->key_origin); + krb5_crypto_destroy(context, crypto); + /* return a private g_malloced blob to the caller */ + user_data=g_malloc(data.length); + memcpy(user_data, data.data, data.length); + return user_data; + } + krb5_crypto_destroy(context, crypto); + } + return NULL; +} + +#elif defined (HAVE_LIBNETTLE) + +#define SERVICE_KEY_SIZE (DES3_KEY_SIZE + 2) +#define KEYTYPE_DES3_CBC_MD5 5 /* Currently the only one supported */ + +typedef struct _service_key_t { + guint16 kvno; + int keytype; + int length; + guint8 *contents; + char origin[KRB_MAX_ORIG_LEN+1]; +} service_key_t; +GSList *service_key_list = NULL; + + +static void +add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin) +{ + service_key_t *new_key; + + if(pinfo->fd->flags.visited){ + return; + } +printf("added key in %u\n",pinfo->fd->num); + + new_key = g_malloc(sizeof(service_key_t)); + new_key->kvno = 0; + new_key->keytype = keytype; + new_key->length = keylength; + new_key->contents = g_malloc(keylength); + memcpy(new_key->contents, keyvalue, keylength); + g_snprintf(new_key->origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u", origin, pinfo->fd->num); + service_key_list = g_slist_append(service_key_list, (gpointer) new_key); +} + +static void +clear_keytab(void) { + GSList *ske; + service_key_t *sk; + + for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){ + sk = (service_key_t *) ske->data; + if (sk && sk->contents) g_free(sk->contents); + if (sk) g_free(sk); + } + g_slist_free(service_key_list); + service_key_list = NULL; +} + +static void +read_keytab_file(const char *service_key_file) +{ + FILE *skf; + struct stat st; + service_key_t *sk; + unsigned char buf[SERVICE_KEY_SIZE]; + int newline_skip = 0, count = 0; + + if (service_key_file != NULL && stat (service_key_file, &st) == 0) { + + /* The service key file contains raw 192-bit (24 byte) 3DES keys. + * There can be zero, one (\n), or two (\r\n) characters between + * keys. Trailing characters are ignored. + */ + + /* XXX We should support the standard keytab format instead */ + if (st.st_size > SERVICE_KEY_SIZE) { + if ( (st.st_size % (SERVICE_KEY_SIZE + 1) == 0) || + (st.st_size % (SERVICE_KEY_SIZE + 1) == SERVICE_KEY_SIZE) ) { + newline_skip = 1; + } else if ( (st.st_size % (SERVICE_KEY_SIZE + 2) == 0) || + (st.st_size % (SERVICE_KEY_SIZE + 2) == SERVICE_KEY_SIZE) ) { + newline_skip = 2; + } + } + + skf = eth_fopen(service_key_file, "rb"); + if (! skf) return; + + while (fread(buf, SERVICE_KEY_SIZE, 1, skf) == 1) { + sk = g_malloc(sizeof(service_key_t)); + sk->kvno = buf[0] << 8 | buf[1]; + sk->keytype = KEYTYPE_DES3_CBC_MD5; + sk->length = DES3_KEY_SIZE; + sk->contents = g_malloc(DES3_KEY_SIZE); + memcpy(sk->contents, buf + 2, DES3_KEY_SIZE); + g_snprintf(sk->origin, KRB_MAX_ORIG_LEN, "3DES service key file, key #%d, offset %ld", count, ftell(skf)); + service_key_list = g_slist_append(service_key_list, (gpointer) sk); + fseek(skf, newline_skip, SEEK_CUR); + count++; +g_warning("added key: %s", sk->origin); + } + fclose(skf); + } +} + +#define CONFOUNDER_PLUS_CHECKSUM 24 + +guint8 * +decrypt_krb5_data(proto_tree *tree, packet_info *pinfo, + int _U_ usage, + int length, + const guint8 *cryptotext, + int keytype) +{ + tvbuff_t *encr_tvb; + guint8 *decrypted_data = NULL, *plaintext = NULL; + int res; + guint8 cls; + gboolean pc; + guint32 tag, item_len, data_len; + int id_offset, offset; + guint8 key[DES3_KEY_SIZE]; + guint8 initial_vector[DES_BLOCK_SIZE]; + md5_state_t md5s; + md5_byte_t digest[16]; + md5_byte_t zero_fill[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; + md5_byte_t confounder[8]; + gboolean ind; + GSList *ske; + service_key_t *sk; + struct des3_ctx ctx; + + + /* dont do anything if we are not attempting to decrypt data */ + if(!krb_decrypt){ + return NULL; + } + + if (keytype != KEYTYPE_DES3_CBC_MD5 || service_key_list == NULL) { + return NULL; + } + + decrypted_data = g_malloc(length); + for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){ + gboolean do_continue = FALSE; + sk = (service_key_t *) ske->data; + + des_fix_parity(DES3_KEY_SIZE, key, sk->contents); + + md5_init(&md5s); + memset(initial_vector, 0, DES_BLOCK_SIZE); + res = des3_set_key(&ctx, key); + cbc_decrypt(&ctx, des3_decrypt, DES_BLOCK_SIZE, initial_vector, + length, decrypted_data, cryptotext); + encr_tvb = tvb_new_real_data(decrypted_data, length, length); + + tvb_memcpy(encr_tvb, confounder, 0, 8); + + /* We have to pull the decrypted data length from the decrypted + * content. If the key doesn't match or we otherwise get garbage, + * an exception may get thrown while decoding the ASN.1 header. + * Catch it, just in case. + */ + TRY { + id_offset = get_ber_identifier(encr_tvb, CONFOUNDER_PLUS_CHECKSUM, &cls, &pc, &tag); + offset = get_ber_length(tree, encr_tvb, id_offset, &item_len, &ind); + } + CATCH (BoundsError) { + tvb_free(encr_tvb); + do_continue = TRUE; + } + ENDTRY; + + if (do_continue) continue; + + data_len = item_len + offset - CONFOUNDER_PLUS_CHECKSUM; + if ((int) item_len + offset > length) { + tvb_free(encr_tvb); + continue; + } + + md5_append(&md5s, confounder, 8); + md5_append(&md5s, zero_fill, 16); + md5_append(&md5s, decrypted_data + CONFOUNDER_PLUS_CHECKSUM, data_len); + md5_finish(&md5s, digest); + + if (tvb_memeql (encr_tvb, 8, digest, 16) == 0) { +g_warning("woohoo decrypted keytype:%d in frame:%u\n", keytype, pinfo->fd->num); + plaintext = g_malloc(data_len); + tvb_memcpy(encr_tvb, plaintext, CONFOUNDER_PLUS_CHECKSUM, data_len); + tvb_free(encr_tvb); + + g_free(decrypted_data); + return(plaintext); + } + } + + g_free(decrypted_data); + return NULL; +} + + +#endif /* HAVE_MIT_KERBEROS / HAVE_HEIMDAL_KERBEROS / HAVE_LIBNETTLE */ + + + +/* TCP Record Mark */ +#define KRB_RM_RESERVED 0x80000000L +#define KRB_RM_RECLEN 0x7fffffffL + +#define KRB5_MSG_TICKET 1 /* Ticket */ +#define KRB5_MSG_AUTHENTICATOR 2 /* Authenticator */ +#define KRB5_MSG_ENC_TICKET_PART 3 /* EncTicketPart */ +#define KRB5_MSG_AS_REQ 10 /* AS-REQ type */ +#define KRB5_MSG_AS_REP 11 /* AS-REP type */ +#define KRB5_MSG_TGS_REQ 12 /* TGS-REQ type */ +#define KRB5_MSG_TGS_REP 13 /* TGS-REP type */ +#define KRB5_MSG_AP_REQ 14 /* AP-REQ type */ +#define KRB5_MSG_AP_REP 15 /* AP-REP type */ + +#define KRB5_MSG_SAFE 20 /* KRB-SAFE type */ +#define KRB5_MSG_PRIV 21 /* KRB-PRIV type */ +#define KRB5_MSG_CRED 22 /* KRB-CRED type */ +#define KRB5_MSG_ENC_AS_REP_PART 25 /* EncASRepPart */ +#define KRB5_MSG_ENC_TGS_REP_PART 26 /* EncTGSRepPart */ +#define KRB5_MSG_ENC_AP_REP_PART 27 /* EncAPRepPart */ +#define KRB5_MSG_ENC_KRB_PRIV_PART 28 /* EncKrbPrivPart */ +#define KRB5_MSG_ENC_KRB_CRED_PART 29 /* EncKrbCredPart */ +#define KRB5_MSG_ERROR 30 /* KRB-ERROR type */ + +/* address type constants */ +#define KRB5_ADDR_IPv4 0x02 +#define KRB5_ADDR_CHAOS 0x05 +#define KRB5_ADDR_XEROX 0x06 +#define KRB5_ADDR_ISO 0x07 +#define KRB5_ADDR_DECNET 0x0c +#define KRB5_ADDR_APPLETALK 0x10 +#define KRB5_ADDR_NETBIOS 0x14 +#define KRB5_ADDR_IPv6 0x18 + +/* encryption type constants */ +#define KRB5_ENCTYPE_NULL 0 +#define KRB5_ENCTYPE_DES_CBC_CRC 1 +#define KRB5_ENCTYPE_DES_CBC_MD4 2 +#define KRB5_ENCTYPE_DES_CBC_MD5 3 +#define KRB5_ENCTYPE_DES_CBC_RAW 4 +#define KRB5_ENCTYPE_DES3_CBC_SHA 5 +#define KRB5_ENCTYPE_DES3_CBC_RAW 6 +#define KRB5_ENCTYPE_DES_HMAC_SHA1 8 +#define KRB5_ENCTYPE_DSA_SHA1_CMS 9 +#define KRB5_ENCTYPE_RSA_MD5_CMS 10 +#define KRB5_ENCTYPE_RSA_SHA1_CMS 11 +#define KRB5_ENCTYPE_RC2_CBC_ENV 12 +#define KRB5_ENCTYPE_RSA_ENV 13 +#define KRB5_ENCTYPE_RSA_ES_OEAP_ENV 14 +#define KRB5_ENCTYPE_DES_EDE3_CBC_ENV 15 +#define KRB5_ENCTYPE_DES3_CBC_SHA1 16 +#define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 17 +#define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 18 +#define KRB5_ENCTYPE_DES_CBC_MD5_NT 20 +#define KERB_ENCTYPE_RC4_HMAC 23 +#define KERB_ENCTYPE_RC4_HMAC_EXP 24 +#define KRB5_ENCTYPE_UNKNOWN 0x1ff +#define KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 0x7007 +#define KRB5_ENCTYPE_RC4_PLAIN_EXP 0xffffff73 +#define KRB5_ENCTYPE_RC4_PLAIN 0xffffff74 +#define KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP 0xffffff78 +#define KRB5_ENCTYPE_RC4_HMAC_OLD_EXP 0xffffff79 +#define KRB5_ENCTYPE_RC4_PLAIN_OLD 0xffffff7a +#define KRB5_ENCTYPE_RC4_HMAC_OLD 0xffffff7b +#define KRB5_ENCTYPE_DES_PLAIN 0xffffff7c +#define KRB5_ENCTYPE_RC4_SHA 0xffffff7d +#define KRB5_ENCTYPE_RC4_LM 0xffffff7e +#define KRB5_ENCTYPE_RC4_PLAIN2 0xffffff7f +#define KRB5_ENCTYPE_RC4_MD4 0xffffff80 + +/* checksum types */ +#define KRB5_CHKSUM_NONE 0 +#define KRB5_CHKSUM_CRC32 1 +#define KRB5_CHKSUM_MD4 2 +#define KRB5_CHKSUM_KRB_DES_MAC 4 +#define KRB5_CHKSUM_KRB_DES_MAC_K 5 +#define KRB5_CHKSUM_MD5 7 +#define KRB5_CHKSUM_MD5_DES 8 +/* the following four comes from packetcable */ +#define KRB5_CHKSUM_MD5_DES3 9 +#define KRB5_CHKSUM_HMAC_SHA1_DES3_KD 12 +#define KRB5_CHKSUM_HMAC_SHA1_DES3 13 +#define KRB5_CHKSUM_SHA1_UNKEYED 14 +#define KRB5_CHKSUM_HMAC_MD5 0xffffff76 +#define KRB5_CHKSUM_MD5_HMAC 0xffffff77 +#define KRB5_CHKSUM_RC4_MD5 0xffffff78 +#define KRB5_CHKSUM_MD25 0xffffff79 +#define KRB5_CHKSUM_DES_MAC_MD5 0xffffff7a +#define KRB5_CHKSUM_DES_MAC 0xffffff7b +#define KRB5_CHKSUM_REAL_CRC32 0xffffff7c +#define KRB5_CHKSUM_SHA1 0xffffff7d +#define KRB5_CHKSUM_LM 0xffffff7e +#define KRB5_CHKSUM_GSSAPI 0x8003 + +/* + * For KERB_ENCTYPE_RC4_HMAC and KERB_ENCTYPE_RC4_HMAC_EXP, see + * + * http://www.ietf.org/internet-drafts/draft-brezak-win2k-krb-rc4-hmac-04.txt + * + * unless it's expired. + */ + +/* pre-authentication type constants */ +#define KRB5_PA_TGS_REQ 1 +#define KRB5_PA_ENC_TIMESTAMP 2 +#define KRB5_PA_PW_SALT 3 +#define KRB5_PA_ENC_ENCKEY 4 +#define KRB5_PA_ENC_UNIX_TIME 5 +#define KRB5_PA_ENC_SANDIA_SECURID 6 +#define KRB5_PA_SESAME 7 +#define KRB5_PA_OSF_DCE 8 +#define KRB5_PA_CYBERSAFE_SECUREID 9 +#define KRB5_PA_AFS3_SALT 10 +#define KRB5_PA_ENCTYPE_INFO 11 +#define KRB5_PA_SAM_CHALLENGE 12 +#define KRB5_PA_SAM_RESPONSE 13 +#define KRB5_PA_PK_AS_REQ 14 +#define KRB5_PA_PK_AS_REP 15 +#define KRB5_PA_DASS 16 +#define KRB5_PA_ENCTYPE_INFO2 19 +#define KRB5_PA_USE_SPECIFIED_KVNO 20 +#define KRB5_PA_SAM_REDIRECT 21 +#define KRB5_PA_GET_FROM_TYPED_DATA 22 +#define KRB5_PA_SAM_ETYPE_INFO 23 +#define KRB5_PA_ALT_PRINC 24 +#define KRB5_PA_SAM_CHALLENGE2 30 +#define KRB5_PA_SAM_RESPONSE2 31 +#define KRB5_TD_PKINIT_CMS_CERTIFICATES 101 +#define KRB5_TD_KRB_PRINCIPAL 102 +#define KRB5_TD_KRB_REALM 103 +#define KRB5_TD_TRUSTED_CERTIFIERS 104 +#define KRB5_TD_CERTIFICATE_INDEX 105 +#define KRB5_TD_APP_DEFINED_ERROR 106 +#define KRB5_TD_REQ_NONCE 107 +#define KRB5_TD_REQ_SEQ 108 +/* preauthentication types >127 (i.e. negative ones) are app specific. + hopefully there will be no collissions here or we will have to + come up with something better +*/ +#define KRB5_PA_PAC_REQUEST 128 /* MS extension */ +#define KRB5_PA_PROV_SRV_LOCATION 255 /* packetcable stuff */ + +/* Principal name-type */ +#define KRB5_NT_UNKNOWN 0 +#define KRB5_NT_PRINCIPAL 1 +#define KRB5_NT_SRV_INST 2 +#define KRB5_NT_SRV_HST 3 +#define KRB5_NT_SRV_XHST 4 +#define KRB5_NT_UID 5 +#define KRB5_NT_X500_PRINCIPAL 6 +#define KRB5_NT_SMTP_NAME 7 +#define KRB5_NT_ENTERPRISE 10 + +/* + * MS specific name types, from + * + * http://msdn.microsoft.com/library/en-us/security/security/kerb_external_name.asp + */ +#define KRB5_NT_MS_PRINCIPAL -128 +#define KRB5_NT_MS_PRINCIPAL_AND_SID -129 +#define KRB5_NT_ENT_PRINCIPAL_AND_SID -130 +#define KRB5_NT_PRINCIPAL_AND_SID -131 +#define KRB5_NT_SRV_INST_AND_SID -132 + +/* error table constants */ +/* I prefixed the krb5_err.et constant names with KRB5_ET_ for these */ +#define KRB5_ET_KRB5KDC_ERR_NONE 0 +#define KRB5_ET_KRB5KDC_ERR_NAME_EXP 1 +#define KRB5_ET_KRB5KDC_ERR_SERVICE_EXP 2 +#define KRB5_ET_KRB5KDC_ERR_BAD_PVNO 3 +#define KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO 4 +#define KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO 5 +#define KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN 6 +#define KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN 7 +#define KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 +#define KRB5_ET_KRB5KDC_ERR_NULL_KEY 9 +#define KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE 10 +#define KRB5_ET_KRB5KDC_ERR_NEVER_VALID 11 +#define KRB5_ET_KRB5KDC_ERR_POLICY 12 +#define KRB5_ET_KRB5KDC_ERR_BADOPTION 13 +#define KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP 14 +#define KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP 15 +#define KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP 16 +#define KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP 17 +#define KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED 18 +#define KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED 19 +#define KRB5_ET_KRB5KDC_ERR_TGT_REVOKED 20 +#define KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET 21 +#define KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET 22 +#define KRB5_ET_KRB5KDC_ERR_KEY_EXP 23 +#define KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED 24 +#define KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED 25 +#define KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH 26 +#define KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER 27 +#define KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED 28 +#define KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE 29 +#define KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY 31 +#define KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED 32 +#define KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV 33 +#define KRB5_ET_KRB5KRB_AP_ERR_REPEAT 34 +#define KRB5_ET_KRB5KRB_AP_ERR_NOT_US 35 +#define KRB5_ET_KRB5KRB_AP_ERR_BADMATCH 36 +#define KRB5_ET_KRB5KRB_AP_ERR_SKEW 37 +#define KRB5_ET_KRB5KRB_AP_ERR_BADADDR 38 +#define KRB5_ET_KRB5KRB_AP_ERR_BADVERSION 39 +#define KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE 40 +#define KRB5_ET_KRB5KRB_AP_ERR_MODIFIED 41 +#define KRB5_ET_KRB5KRB_AP_ERR_BADORDER 42 +#define KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT 43 +#define KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER 44 +#define KRB5_ET_KRB5KRB_AP_ERR_NOKEY 45 +#define KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL 46 +#define KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION 47 +#define KRB5_ET_KRB5KRB_AP_ERR_METHOD 48 +#define KRB5_ET_KRB5KRB_AP_ERR_BADSEQ 49 +#define KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM 50 +#define KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED 51 +#define KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG 52 +#define KRB5_ET_KRB5KRB_ERR_GENERIC 60 +#define KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG 61 +#define KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED 62 +#define KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED 63 +#define KRB5_ET_KDC_ERROR_INVALID_SIG 64 +#define KRB5_ET_KDC_ERR_KEY_TOO_WEAK 65 +#define KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH 66 +#define KRB5_ET_KRB_AP_ERR_NO_TGT 67 +#define KRB5_ET_KDC_ERR_WRONG_REALM 68 +#define KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED 69 +#define KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE 70 +#define KRB5_ET_KDC_ERR_INVALID_CERTIFICATE 71 +#define KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE 72 +#define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 +#define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74 +#define KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH 75 +#define KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH 76 + +static const value_string krb5_error_codes[] = { + { KRB5_ET_KRB5KDC_ERR_NONE, "KRB5KDC_ERR_NONE" }, + { KRB5_ET_KRB5KDC_ERR_NAME_EXP, "KRB5KDC_ERR_NAME_EXP" }, + { KRB5_ET_KRB5KDC_ERR_SERVICE_EXP, "KRB5KDC_ERR_SERVICE_EXP" }, + { KRB5_ET_KRB5KDC_ERR_BAD_PVNO, "KRB5KDC_ERR_BAD_PVNO" }, + { KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO, "KRB5KDC_ERR_C_OLD_MAST_KVNO" }, + { KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO, "KRB5KDC_ERR_S_OLD_MAST_KVNO" }, + { KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" }, + { KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" }, + { KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, "KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE" }, + { KRB5_ET_KRB5KDC_ERR_NULL_KEY, "KRB5KDC_ERR_NULL_KEY" }, + { KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE, "KRB5KDC_ERR_CANNOT_POSTDATE" }, + { KRB5_ET_KRB5KDC_ERR_NEVER_VALID, "KRB5KDC_ERR_NEVER_VALID" }, + { KRB5_ET_KRB5KDC_ERR_POLICY, "KRB5KDC_ERR_POLICY" }, + { KRB5_ET_KRB5KDC_ERR_BADOPTION, "KRB5KDC_ERR_BADOPTION" }, + { KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP, "KRB5KDC_ERR_ETYPE_NOSUPP" }, + { KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP, "KRB5KDC_ERR_SUMTYPE_NOSUPP" }, + { KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP, "KRB5KDC_ERR_PADATA_TYPE_NOSUPP" }, + { KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP, "KRB5KDC_ERR_TRTYPE_NOSUPP" }, + { KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED, "KRB5KDC_ERR_CLIENT_REVOKED" }, + { KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED, "KRB5KDC_ERR_SERVICE_REVOKED" }, + { KRB5_ET_KRB5KDC_ERR_TGT_REVOKED, "KRB5KDC_ERR_TGT_REVOKED" }, + { KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET, "KRB5KDC_ERR_CLIENT_NOTYET" }, + { KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET, "KRB5KDC_ERR_SERVICE_NOTYET" }, + { KRB5_ET_KRB5KDC_ERR_KEY_EXP, "KRB5KDC_ERR_KEY_EXP" }, + { KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED, "KRB5KDC_ERR_PREAUTH_FAILED" }, + { KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED, "KRB5KDC_ERR_PREAUTH_REQUIRED" }, + { KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH, "KRB5KDC_ERR_SERVER_NOMATCH" }, + { KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER, "KRB5KDC_ERR_MUST_USE_USER2USER" }, + { KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED, "KRB5KDC_ERR_PATH_NOT_ACCEPTED" }, + { KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE, "KRB5KDC_ERR_SVC_UNAVAILABLE" }, + { KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY, "KRB5KRB_AP_ERR_BAD_INTEGRITY" }, + { KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED, "KRB5KRB_AP_ERR_TKT_EXPIRED" }, + { KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV, "KRB5KRB_AP_ERR_TKT_NYV" }, + { KRB5_ET_KRB5KRB_AP_ERR_REPEAT, "KRB5KRB_AP_ERR_REPEAT" }, + { KRB5_ET_KRB5KRB_AP_ERR_NOT_US, "KRB5KRB_AP_ERR_NOT_US" }, + { KRB5_ET_KRB5KRB_AP_ERR_BADMATCH, "KRB5KRB_AP_ERR_BADMATCH" }, + { KRB5_ET_KRB5KRB_AP_ERR_SKEW, "KRB5KRB_AP_ERR_SKEW" }, + { KRB5_ET_KRB5KRB_AP_ERR_BADADDR, "KRB5KRB_AP_ERR_BADADDR" }, + { KRB5_ET_KRB5KRB_AP_ERR_BADVERSION, "KRB5KRB_AP_ERR_BADVERSION" }, + { KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE, "KRB5KRB_AP_ERR_MSG_TYPE" }, + { KRB5_ET_KRB5KRB_AP_ERR_MODIFIED, "KRB5KRB_AP_ERR_MODIFIED" }, + { KRB5_ET_KRB5KRB_AP_ERR_BADORDER, "KRB5KRB_AP_ERR_BADORDER" }, + { KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT, "KRB5KRB_AP_ERR_ILL_CR_TKT" }, + { KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER, "KRB5KRB_AP_ERR_BADKEYVER" }, + { KRB5_ET_KRB5KRB_AP_ERR_NOKEY, "KRB5KRB_AP_ERR_NOKEY" }, + { KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL, "KRB5KRB_AP_ERR_MUT_FAIL" }, + { KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION, "KRB5KRB_AP_ERR_BADDIRECTION" }, + { KRB5_ET_KRB5KRB_AP_ERR_METHOD, "KRB5KRB_AP_ERR_METHOD" }, + { KRB5_ET_KRB5KRB_AP_ERR_BADSEQ, "KRB5KRB_AP_ERR_BADSEQ" }, + { KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM, "KRB5KRB_AP_ERR_INAPP_CKSUM" }, + { KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED, "KRB5KDC_AP_PATH_NOT_ACCEPTED" }, + { KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG, "KRB5KRB_ERR_RESPONSE_TOO_BIG"}, + { KRB5_ET_KRB5KRB_ERR_GENERIC, "KRB5KRB_ERR_GENERIC" }, + { KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG, "KRB5KRB_ERR_FIELD_TOOLONG" }, + { KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED, "KDC_ERROR_CLIENT_NOT_TRUSTED" }, + { KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED, "KDC_ERROR_KDC_NOT_TRUSTED" }, + { KRB5_ET_KDC_ERROR_INVALID_SIG, "KDC_ERROR_INVALID_SIG" }, + { KRB5_ET_KDC_ERR_KEY_TOO_WEAK, "KDC_ERR_KEY_TOO_WEAK" }, + { KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH, "KDC_ERR_CERTIFICATE_MISMATCH" }, + { KRB5_ET_KRB_AP_ERR_NO_TGT, "KRB_AP_ERR_NO_TGT" }, + { KRB5_ET_KDC_ERR_WRONG_REALM, "KDC_ERR_WRONG_REALM" }, + { KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED, "KRB_AP_ERR_USER_TO_USER_REQUIRED" }, + { KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE, "KDC_ERR_CANT_VERIFY_CERTIFICATE" }, + { KRB5_ET_KDC_ERR_INVALID_CERTIFICATE, "KDC_ERR_INVALID_CERTIFICATE" }, + { KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE, "KDC_ERR_REVOKED_CERTIFICATE" }, + { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN, "KDC_ERR_REVOCATION_STATUS_UNKNOWN" }, + { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE, "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE" }, + { KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH, "KDC_ERR_CLIENT_NAME_MISMATCH" }, + { KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH, "KDC_ERR_KDC_NAME_MISMATCH" }, + { 0, NULL } +}; + + +#define PAC_LOGON_INFO 1 +#define PAC_CREDENTIAL_TYPE 2 +#define PAC_SERVER_CHECKSUM 6 +#define PAC_PRIVSVR_CHECKSUM 7 +#define PAC_CLIENT_INFO_TYPE 10 +#define PAC_CONSTRAINED_DELEGATION 11 +static const value_string w2k_pac_types[] = { + { PAC_LOGON_INFO , "Logon Info" }, + { PAC_CREDENTIAL_TYPE , "Credential Type" }, + { PAC_SERVER_CHECKSUM , "Server Checksum" }, + { PAC_PRIVSVR_CHECKSUM , "Privsvr Checksum" }, + { PAC_CLIENT_INFO_TYPE , "Client Info Type" }, + { PAC_CONSTRAINED_DELEGATION, "Constrained Delegation" }, + { 0, NULL }, +}; + + + +static const value_string krb5_princ_types[] = { + { KRB5_NT_UNKNOWN , "Unknown" }, + { KRB5_NT_PRINCIPAL , "Principal" }, + { KRB5_NT_SRV_INST , "Service and Instance" }, + { KRB5_NT_SRV_HST , "Service and Host" }, + { KRB5_NT_SRV_XHST , "Service and Host Components" }, + { KRB5_NT_UID , "Unique ID" }, + { KRB5_NT_X500_PRINCIPAL , "Encoded X.509 Distinguished Name" }, + { KRB5_NT_SMTP_NAME , "SMTP Name" }, + { KRB5_NT_ENTERPRISE , "Enterprise Name" }, + { KRB5_NT_MS_PRINCIPAL , "NT 4.0 style name (MS specific)" }, + { KRB5_NT_MS_PRINCIPAL_AND_SID , "NT 4.0 style name with SID (MS specific)"}, + { KRB5_NT_ENT_PRINCIPAL_AND_SID, "UPN and SID (MS specific)"}, + { KRB5_NT_PRINCIPAL_AND_SID , "Principal name and SID (MS specific)"}, + { KRB5_NT_SRV_INST_AND_SID , "SPN and SID (MS specific)"}, + { 0 , NULL }, +}; + +static const value_string krb5_preauthentication_types[] = { + { KRB5_PA_TGS_REQ , "PA-TGS-REQ" }, + { KRB5_PA_ENC_TIMESTAMP , "PA-ENC-TIMESTAMP" }, + { KRB5_PA_PW_SALT , "PA-PW-SALT" }, + { KRB5_PA_ENC_ENCKEY , "PA-ENC-ENCKEY" }, + { KRB5_PA_ENC_UNIX_TIME , "PA-ENC-UNIX-TIME" }, + { KRB5_PA_ENC_SANDIA_SECURID , "PA-PW-SALT" }, + { KRB5_PA_SESAME , "PA-SESAME" }, + { KRB5_PA_OSF_DCE , "PA-OSF-DCE" }, + { KRB5_PA_CYBERSAFE_SECUREID , "PA-CYBERSAFE-SECURID" }, + { KRB5_PA_AFS3_SALT , "PA-AFS3-SALT" }, + { KRB5_PA_ENCTYPE_INFO , "PA-ENCTYPE-INFO" }, + { KRB5_PA_ENCTYPE_INFO2 , "PA-ENCTYPE-INFO2" }, + { KRB5_PA_SAM_CHALLENGE , "PA-SAM-CHALLENGE" }, + { KRB5_PA_SAM_RESPONSE , "PA-SAM-RESPONSE" }, + { KRB5_PA_PK_AS_REQ , "PA-PK-AS-REQ" }, + { KRB5_PA_PK_AS_REP , "PA-PK-AS-REP" }, + { KRB5_PA_DASS , "PA-DASS" }, + { KRB5_PA_USE_SPECIFIED_KVNO , "PA-USE-SPECIFIED-KVNO" }, + { KRB5_PA_SAM_REDIRECT , "PA-SAM-REDIRECT" }, + { KRB5_PA_GET_FROM_TYPED_DATA , "PA-GET-FROM-TYPED-DATA" }, + { KRB5_PA_SAM_ETYPE_INFO , "PA-SAM-ETYPE-INFO" }, + { KRB5_PA_ALT_PRINC , "PA-ALT-PRINC" }, + { KRB5_PA_SAM_CHALLENGE2 , "PA-SAM-CHALLENGE2" }, + { KRB5_PA_SAM_RESPONSE2 , "PA-SAM-RESPONSE2" }, + { KRB5_TD_PKINIT_CMS_CERTIFICATES, "TD-PKINIT-CMS-CERTIFICATES" }, + { KRB5_TD_KRB_PRINCIPAL , "TD-KRB-PRINCIPAL" }, + { KRB5_TD_KRB_REALM , "TD-KRB-REALM" }, + { KRB5_TD_TRUSTED_CERTIFIERS , "TD-TRUSTED-CERTIFIERS" }, + { KRB5_TD_CERTIFICATE_INDEX , "TD-CERTIFICATE-INDEX" }, + { KRB5_TD_APP_DEFINED_ERROR , "TD-APP-DEFINED-ERROR" }, + { KRB5_TD_REQ_NONCE , "TD-REQ-NONCE" }, + { KRB5_TD_REQ_SEQ , "TD-REQ-SEQ" }, + { KRB5_PA_PAC_REQUEST , "PA-PAC-REQUEST" }, + { KRB5_PA_PROV_SRV_LOCATION , "PA-PROV-SRV-LOCATION" }, + { 0 , NULL }, +}; + +static const value_string krb5_encryption_types[] = { + { KRB5_ENCTYPE_NULL , "NULL" }, + { KRB5_ENCTYPE_DES_CBC_CRC , "des-cbc-crc" }, + { KRB5_ENCTYPE_DES_CBC_MD4 , "des-cbc-md4" }, + { KRB5_ENCTYPE_DES_CBC_MD5 , "des-cbc-md5" }, + { KRB5_ENCTYPE_DES_CBC_RAW , "des-cbc-raw" }, + { KRB5_ENCTYPE_DES3_CBC_SHA , "des3-cbc-sha" }, + { KRB5_ENCTYPE_DES3_CBC_RAW , "des3-cbc-raw" }, + { KRB5_ENCTYPE_DES_HMAC_SHA1 , "des-hmac-sha1" }, + { KRB5_ENCTYPE_DSA_SHA1_CMS , "dsa-sha1-cms" }, + { KRB5_ENCTYPE_RSA_MD5_CMS , "rsa-md5-cms" }, + { KRB5_ENCTYPE_RSA_SHA1_CMS , "rsa-sha1-cms" }, + { KRB5_ENCTYPE_RC2_CBC_ENV , "rc2-cbc-env" }, + { KRB5_ENCTYPE_RSA_ENV , "rsa-env" }, + { KRB5_ENCTYPE_RSA_ES_OEAP_ENV, "rsa-es-oeap-env" }, + { KRB5_ENCTYPE_DES_EDE3_CBC_ENV, "des-ede3-cbc-env" }, + { KRB5_ENCTYPE_DES3_CBC_SHA1 , "des3-cbc-sha1" }, + { KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 , "aes128-cts-hmac-sha1-96" }, + { KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 , "aes256-cts-hmac-sha1-96" }, + { KRB5_ENCTYPE_DES_CBC_MD5_NT , "des-cbc-md5-nt" }, + { KERB_ENCTYPE_RC4_HMAC , "rc4-hmac" }, + { KERB_ENCTYPE_RC4_HMAC_EXP , "rc4-hmac-exp" }, + { KRB5_ENCTYPE_UNKNOWN , "unknown" }, + { KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 , "local-des3-hmac-sha1" }, + { KRB5_ENCTYPE_RC4_PLAIN_EXP , "rc4-plain-exp" }, + { KRB5_ENCTYPE_RC4_PLAIN , "rc4-plain" }, + { KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP, "rc4-plain-old-exp" }, + { KRB5_ENCTYPE_RC4_HMAC_OLD_EXP, "rc4-hmac-old-exp" }, + { KRB5_ENCTYPE_RC4_PLAIN_OLD , "rc4-plain-old" }, + { KRB5_ENCTYPE_RC4_HMAC_OLD , "rc4-hmac-old" }, + { KRB5_ENCTYPE_DES_PLAIN , "des-plain" }, + { KRB5_ENCTYPE_RC4_SHA , "rc4-sha" }, + { KRB5_ENCTYPE_RC4_LM , "rc4-lm" }, + { KRB5_ENCTYPE_RC4_PLAIN2 , "rc4-plain2" }, + { KRB5_ENCTYPE_RC4_MD4 , "rc4-md4" }, + { 0 , NULL }, +}; + +static const value_string krb5_checksum_types[] = { + { KRB5_CHKSUM_NONE , "none" }, + { KRB5_CHKSUM_CRC32 , "crc32" }, + { KRB5_CHKSUM_MD4 , "md4" }, + { KRB5_CHKSUM_KRB_DES_MAC , "krb-des-mac" }, + { KRB5_CHKSUM_KRB_DES_MAC_K , "krb-des-mac-k" }, + { KRB5_CHKSUM_MD5 , "md5" }, + { KRB5_CHKSUM_MD5_DES , "md5-des" }, + { KRB5_CHKSUM_MD5_DES3 , "md5-des3" }, + { KRB5_CHKSUM_HMAC_SHA1_DES3_KD, "hmac-sha1-des3-kd" }, + { KRB5_CHKSUM_HMAC_SHA1_DES3 , "hmac-sha1-des3" }, + { KRB5_CHKSUM_SHA1_UNKEYED , "sha1 (unkeyed)" }, + { KRB5_CHKSUM_HMAC_MD5 , "hmac-md5" }, + { KRB5_CHKSUM_MD5_HMAC , "md5-hmac" }, + { KRB5_CHKSUM_RC4_MD5 , "rc5-md5" }, + { KRB5_CHKSUM_MD25 , "md25" }, + { KRB5_CHKSUM_DES_MAC_MD5 , "des-mac-md5" }, + { KRB5_CHKSUM_DES_MAC , "des-mac" }, + { KRB5_CHKSUM_REAL_CRC32 , "real-crc32" }, + { KRB5_CHKSUM_SHA1 , "sha1" }, + { KRB5_CHKSUM_LM , "lm" }, + { KRB5_CHKSUM_GSSAPI , "gssapi-8003" }, + { 0 , NULL }, +}; + +#define KRB5_AD_IF_RELEVANT 1 +#define KRB5_AD_INTENDED_FOR_SERVER 2 +#define KRB5_AD_INTENDED_FOR_APPLICATION_CLASS 3 +#define KRB5_AD_KDC_ISSUED 4 +#define KRB5_AD_OR 5 +#define KRB5_AD_MANDATORY_TICKET_EXTENSIONS 6 +#define KRB5_AD_IN_TICKET_EXTENSIONS 7 +#define KRB5_AD_MANDATORY_FOR_KDC 8 +#define KRB5_AD_OSF_DCE 64 +#define KRB5_AD_SESAME 65 +#define KRB5_AD_OSF_DCE_PKI_CERTID 66 +#define KRB5_AD_WIN2K_PAC 128 +static const value_string krb5_ad_types[] = { + { KRB5_AD_IF_RELEVANT , "AD-IF-RELEVANT" }, + { KRB5_AD_INTENDED_FOR_SERVER , "AD-Intended-For-Server" }, + { KRB5_AD_INTENDED_FOR_APPLICATION_CLASS , "AD-Intended-For-Application-Class" }, + { KRB5_AD_KDC_ISSUED , "AD-KDCIssued" }, + { KRB5_AD_OR , "AD-AND-OR" }, + { KRB5_AD_MANDATORY_TICKET_EXTENSIONS , "AD-Mandatory-Ticket-Extensions" }, + { KRB5_AD_IN_TICKET_EXTENSIONS , "AD-IN-Ticket-Extensions" }, + { KRB5_AD_MANDATORY_FOR_KDC , "AD-MANDATORY-FOR-KDC" }, + { KRB5_AD_OSF_DCE , "AD-OSF-DCE" }, + { KRB5_AD_SESAME , "AD-SESAME" }, + { KRB5_AD_OSF_DCE_PKI_CERTID , "AD-OSF-DCE-PKI-CertID" }, + { KRB5_AD_WIN2K_PAC , "AD-Win2k-PAC" }, + { 0 , NULL }, +}; + +static const value_string krb5_transited_types[] = { + { 1 , "DOMAIN-X500-COMPRESS" }, + { 0 , NULL } +}; + +static const value_string krb5_address_types[] = { + { KRB5_ADDR_IPv4, "IPv4"}, + { KRB5_ADDR_CHAOS, "CHAOS"}, + { KRB5_ADDR_XEROX, "XEROX"}, + { KRB5_ADDR_ISO, "ISO"}, + { KRB5_ADDR_DECNET, "DECNET"}, + { KRB5_ADDR_APPLETALK, "APPLETALK"}, + { KRB5_ADDR_NETBIOS, "NETBIOS"}, + { KRB5_ADDR_IPv6, "IPv6"}, + { 0, NULL }, +}; + +static const value_string krb5_msg_types[] = { + { KRB5_MSG_TICKET, "Ticket" }, + { KRB5_MSG_AUTHENTICATOR, "Authenticator" }, + { KRB5_MSG_ENC_TICKET_PART, "EncTicketPart" }, + { KRB5_MSG_TGS_REQ, "TGS-REQ" }, + { KRB5_MSG_TGS_REP, "TGS-REP" }, + { KRB5_MSG_AS_REQ, "AS-REQ" }, + { KRB5_MSG_AS_REP, "AS-REP" }, + { KRB5_MSG_AP_REQ, "AP-REQ" }, + { KRB5_MSG_AP_REP, "AP-REP" }, + { KRB5_MSG_SAFE, "KRB-SAFE" }, + { KRB5_MSG_PRIV, "KRB-PRIV" }, + { KRB5_MSG_CRED, "KRB-CRED" }, + { KRB5_MSG_ENC_AS_REP_PART, "EncASRepPart" }, + { KRB5_MSG_ENC_TGS_REP_PART, "EncTGSRepPart" }, + { KRB5_MSG_ENC_AP_REP_PART, "EncAPRepPart" }, + { KRB5_MSG_ENC_KRB_PRIV_PART, "EncKrbPrivPart" }, + { KRB5_MSG_ENC_KRB_CRED_PART, "EncKrbCredPart" }, + { KRB5_MSG_ERROR, "KRB-ERROR" }, + { 0, NULL }, +}; + +#ifdef HAVE_KERBEROS +static int +dissect_krb5_decrypt_authenticator_data (proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_) +{ + guint8 *plaintext=NULL; + int length; + + length=tvb_length_remaining(tvb, offset); + + /* draft-ietf-krb-wg-kerberos-clarifications-05.txt : + * 7.5.1 + * Authenticators are encrypted with usage + * == 7 or + * == 11 + */ + if(!plaintext){ + plaintext=decrypt_krb5_data(tree, actx->pinfo, 7, length, tvb_get_ptr(tvb, offset, length), authenticator_etype); + } + if(!plaintext){ + plaintext=decrypt_krb5_data(tree, actx->pinfo, 11, length, tvb_get_ptr(tvb, offset, length), authenticator_etype); + } + + if(plaintext){ + tvbuff_t *next_tvb; + next_tvb = tvb_new_real_data (plaintext, + length, + length); + tvb_set_free_cb(next_tvb, g_free); + tvb_set_child_real_data_tvbuff(tvb, next_tvb); + + /* Add the decrypted data to the data source list. */ + add_new_data_source(actx->pinfo, next_tvb, "Decrypted Krb5"); + + dissect_kerberos_Applications(FALSE, next_tvb, 0, actx, tree, -1) + } + return offset; +} +#endif + +#include "packet-kerberos-fn.c" + + + +} +/*--- proto_register_kerberos -------------------------------------------*/ +void proto_register_kerberos(void) { + + /* List of fields */ + + +#include "packet-kerberos-hfarr.c" + }; + + /* List of subtrees */ + static gint *ett[] = { + &ett_kerberos, +#include "packet-kerberos-ettarr.c" + }; + + + /* Register protocol */ + proto_kerberos = proto_register_protocol(PNAME, PSNAME, PFNAME); + /* Register fields and subtrees */ + proto_register_field_array(proto_kerberos, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + + + register_dissector("kerberos", dissect_kerberos, proto_kerberos); + /* Register preferences */ + krb_module = prefs_register_protocol(proto_kerberos, kerberos_prefs_apply_cb); + prefs_register_bool_preference(krb_module, "desegment", + "Reassemble Kerberos over TCP messages spanning multiple TCP segments", + "Whether the Kerberos dissector should reassemble messages spanning multiple TCP segments." + " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.", + &krb_desegment); +#ifdef HAVE_KERBEROS + prefs_register_bool_preference(krb_module, "decrypt", + "Try to decrypt Kerberos blobs", + "Whether the dissector should try to decrypt " + "encrypted Kerberos blobs. This requires that the proper " + "keytab file is installed as well.", &krb_decrypt); + + prefs_register_string_preference(krb_module, "file", + "Kerberos keytab file", + "The keytab file containing all the secrets", + &keytab_filename); +#endif + +} +static int wrap_dissect_gss_kerb(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree, guint8 *drep _U_) +{ + tvbuff_t *auth_tvb; + + auth_tvb = tvb_new_subset( + tvb, offset, tvb_length_remaining(tvb, offset), + tvb_reported_length_remaining(tvb, offset)); + + dissect_kerberos_main(auth_tvb, pinfo, tree, FALSE, NULL); + + return tvb_length_remaining(tvb, offset); +} + + +static dcerpc_auth_subdissector_fns gss_kerb_auth_fns = { + wrap_dissect_gss_kerb, /* Bind */ + wrap_dissect_gss_kerb, /* Bind ACK */ + NULL, /* AUTH3 */ + wrap_dissect_gssapi_verf, /* Request verifier */ + wrap_dissect_gssapi_verf, /* Response verifier */ + wrap_dissect_gssapi_payload, /* Request data */ + wrap_dissect_gssapi_payload /* Response data */ +}; + + + +/*--- proto_reg_handoff_kerberos ---------------------------------------*/ +void +proto_reg_handoff_kerberos(void) +{ + + dissector_handle_t kerberos_handle_tcp; + + krb4_handle = find_dissector("krb4"); + + kerberos_handle_udp = new_create_dissector_handle(dissect_kerberos_udp, + proto_kerberos); + kerberos_handle_tcp = create_dissector_handle(dissect_kerberos_tcp, + proto_kerberos); + dissector_add("udp.port", UDP_PORT_KERBEROS, kerberos_handle_udp); + dissector_add("tcp.port", TCP_PORT_KERBEROS, kerberos_handle_tcp); + + register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY, + DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS, + &gss_kerb_auth_fns); + + register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY, + DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS, + &gss_kerb_auth_fns); + +} + + diff --git a/asn1/kerberos/packet-kerberos-template.h b/asn1/kerberos/packet-kerberos-template.h new file mode 100644 index 0000000000..d9397696a8 --- /dev/null +++ b/asn1/kerberos/packet-kerberos-template.h @@ -0,0 +1,35 @@ +/* packet-kerberos.h + * Routines for kerberos packet dissection + * Copyright 2007, Anders Broman <anders.broman@ericsson.com> + * + * $Id$ + * + * Ethereal - Network traffic analyzer + * By Gerald Combs <gerald@ethereal.com> + * Copyright 1998 Gerald Combs + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +#ifndef PACKET_KERBEROS_H +#define PACKET_ROS_H + + + +#include "packet-kerberos-exp.h" + +#endif /* PACKET_KERBEROS_H */ + + |