From 2f25e04e00c7ebe895a349b392752e6290952459 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Mon, 31 Dec 2018 19:01:17 +0200 Subject: krb5: fix parsing of PA-S4U-X509-USER in AS-REQ Per [MS-SFU] 2.2.2 PA_S4U_X509_USER in AS-REQ consists of the certificate data instead of the corresponding struct. Also, the subject-certificate field in the struct consists of the certificate data as well, so let's decode it as such. Change-Id: I6f03a66eac74b7d42c0893f63cab772d8ddcb803 Signed-off-by: Isaac Boukris Reviewed-on: https://code.wireshark.org/review/31279 Petri-Dish: Anders Broman Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman --- epan/dissectors/asn1/kerberos/kerberos.cnf | 25 +++-- .../asn1/kerberos/packet-kerberos-template.c | 10 +- epan/dissectors/packet-kerberos.c | 103 ++++++++++++--------- 3 files changed, 83 insertions(+), 55 deletions(-) (limited to 'epan/dissectors') diff --git a/epan/dissectors/asn1/kerberos/kerberos.cnf b/epan/dissectors/asn1/kerberos/kerberos.cnf index b0f2926539..70e749f6d4 100644 --- a/epan/dissectors/asn1/kerberos/kerberos.cnf +++ b/epan/dissectors/asn1/kerberos/kerberos.cnf @@ -157,10 +157,12 @@ guint32 msgtype; offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U2Self); break; case KRB5_PADATA_S4U_X509_USER: - if(!private_data->is_enc_padata) { - offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U_X509_USER); - }else{ + if(private_data->msg_type == KRB5_MSG_AS_REQ){ + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_x509af_Certificate); + }else if(private_data->is_enc_padata){ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL); + }else{ + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U_X509_USER); } break; case KRB5_PA_PROV_SRV_LOCATION: 
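Review bot: In the `KRB5_PADATA_S4U_X509_USER` case of kerberos.cnf the new `msg_type == KRB5_MSG_AS_REQ` test is evaluated before `is_enc_padata`, and nothing in the branch records why AS-REQ takes precedence. A comment above the first `if` would carry the rule from the commit message into the code, e.g. `/* [MS-SFU] 2.2.2: in AS-REQ the padata value is the certificate itself, not the PA-S4U-X509-USER struct */`. Since the callback is now `dissect_x509af_Certificate`, the X.509 dissector runs on bytes taken straight from the padata of an unauthenticated AS-REQ, so a sample capture covering this path (one well-formed and one truncated certificate) would be worth adding to the regression set. The enclosing switch starts and ends outside the hunk.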
@@ -182,7 +184,7 @@ guint32 msgtype; offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_AUTHENTICATION_SET); break; case KRB5_PADATA_FX_FAST: - if(private_data->is_request){ + if(private_data->msg_type == KRB5_MSG_AS_REQ || private_data->msg_type == KRB5_MSG_TGS_REQ){ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REQUEST); }else{ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REPLY); @@ -373,6 +375,9 @@ AuthorizationData/_item/ad-type STRINGS=VALS(krb5_ad_types) offset=dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, NULL); } +#.FN_BODY S4UUserID/subject-certificate + offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset,hf_index, dissect_x509af_Certificate); + #.FN_BODY ADDR-TYPE VAL_PTR=&(private_data->addr_type) kerberos_private_data_t *private_data = kerberos_get_private_data(actx); %(DEFAULT_BODY)s @@ -423,16 +428,20 @@ AuthorizationData/_item/ad-type STRINGS=VALS(krb5_ad_types) #.FN_HDR AS-REQ kerberos_private_data_t* private_data = kerberos_get_private_data(actx); - private_data->is_request = TRUE; + private_data->msg_type = KRB5_MSG_AS_REQ; #.FN_HDR AS-REP kerberos_private_data_t* private_data = kerberos_get_private_data(actx); - private_data->is_request = FALSE; + private_data->msg_type = KRB5_MSG_AS_REP; #.FN_HDR KRB-ERROR kerberos_private_data_t* private_data = kerberos_get_private_data(actx); - private_data->is_request = FALSE; + private_data->msg_type = KRB5_MSG_ERROR; #.FN_HDR TGS-REQ kerberos_private_data_t* private_data = kerberos_get_private_data(actx); - private_data->is_request = TRUE; + private_data->msg_type = KRB5_MSG_TGS_REQ; + +#.FN_HDR TGS-REP + kerberos_private_data_t* private_data = kerberos_get_private_data(actx); + private_data->msg_type = KRB5_MSG_TGS_REP; 
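Review bot: The `KRB5_PADATA_FX_FAST` branch still treats every `msg_type` other than the two request values as a reply, yet the FN_HDR hunk at the end of kerberos.cnf assigns the field only for AS-REQ, AS-REP, KRB-ERROR, TGS-REQ and TGS-REP, and nothing visible resets it. If padata can be reached with `msg_type` unset or left over (not determinable from this diff), decoding it as `PA_FX_FAST_REPLY` is a guess. Consider naming the reply types explicitly, `}else if(private_data->msg_type == KRB5_MSG_AS_REP || private_data->msg_type == KRB5_MSG_TGS_REP || private_data->msg_type == KRB5_MSG_ERROR){`, and falling back to the `NULL` callback (raw bytes) for anything else. The same fall-through applies to the final `else` of the S4U_X509_USER branch in the first hunk.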
diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c index 870c7401f6..9a6e1a0201 100644 --- a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c +++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c @@ -69,7 +69,7 @@ #include "packet-gssapi.h" #include "packet-smb-common.h" - +#include "packet-x509af.h" void proto_register_kerberos(void); void proto_reg_handoff_kerberos(void); @@ -86,7 +86,7 @@ typedef struct kerberos_key { } kerberos_key_t; typedef struct { - gboolean is_request; + guint32 msg_type; guint32 etype; guint32 padata_type; guint32 is_enc_padata; @@ -1986,10 +1986,10 @@ dissect_kerberos_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, default: return 0; } - if (do_col_protocol) { + if (do_col_protocol) { col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5"); - } - if (gbl_do_col_info) { + } + if (gbl_do_col_info) { col_clear(pinfo->cinfo, COL_INFO); } if (tree) { diff --git a/epan/dissectors/packet-kerberos.c b/epan/dissectors/packet-kerberos.c index 546570abcf..279894894a 100644 --- a/epan/dissectors/packet-kerberos.c +++ b/epan/dissectors/packet-kerberos.c @@ -77,7 +77,7 @@ #include "packet-gssapi.h" #include "packet-smb-common.h" - +#include "packet-x509af.h" void proto_register_kerberos(void); void proto_reg_handoff_kerberos(void); @@ -94,7 +94,7 @@ typedef struct kerberos_key { } kerberos_key_t; typedef struct { - gboolean is_request; + guint32 msg_type; guint32 etype; guint32 padata_type; guint32 is_enc_padata; 
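Review bot: The new `guint32 msg_type;` field in `kerberos_private_data_t` (packet-kerberos-template.c, hunk at -86) has no comment, and it differs only by an underscore from the `guint32 msgtype;` identifier that shows up in the kerberos.cnf hunk context, so the two are easy to confuse when reading the padata switch. What `msgtype` holds is not visible here, which is one more reason to document the new field, e.g. `guint32 msg_type; /* KRB5_MSG_* of the enclosing message; set in the AS-REQ/AS-REP/TGS-REQ/TGS-REP/KRB-ERROR FN_HDR */`. The comment should also state the value the field has before any of those headers run, since widening from `gboolean` adds an "unset" state that the readers do not distinguish. The struct continues outside the hunk, and the matching hunk in packet-kerberos.c is presumably regenerated from this template.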
@@ -305,7 +305,7 @@ static int hf_kerberos_auth = -1; /* GeneralString */ static int hf_kerberos_user_id = -1; /* S4UUserID */ static int hf_kerberos_checksum_01 = -1; /* Checksum */ static int hf_kerberos_cname_01 = -1; /* PrincipalName */ -static int hf_kerberos_subject_certificate = -1; /* OCTET_STRING */ +static int hf_kerberos_subject_certificate = -1; /* T_subject_certificate */ static int hf_kerberos_options = -1; /* BIT_STRING */ static int hf_kerberos_include_pac = -1; /* BOOLEAN */ static int hf_kerberos_newpasswd = -1; /* OCTET_STRING */ @@ -2330,7 +2330,7 @@ static const value_string kerberos_ENCTYPE_vals[] = { static int dissect_kerberos_ENCTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 250 "./asn1/kerberos/kerberos.cnf" +#line 252 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t *private_data = kerberos_get_private_data(actx); offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, &(private_data->etype)); @@ -2355,7 +2355,7 @@ dissect_kerberos_UInt32(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset static int dissect_kerberos_T_encryptedTicketData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 254 "./asn1/kerberos/kerberos.cnf" +#line 256 "./asn1/kerberos/kerberos.cnf" #ifdef HAVE_KERBEROS offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_ticket_data); #else 
@@ -2483,7 +2483,7 @@ static const value_string kerberos_CKSUMTYPE_vals[] = { static int dissect_kerberos_CKSUMTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 311 "./asn1/kerberos/kerberos.cnf" +#line 313 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t *private_data = kerberos_get_private_data(actx); offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, &(private_data->checksum_type)); @@ -2498,7 +2498,7 @@ dissect_kerberos_CKSUMTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off static int dissect_kerberos_T_checksum(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 315 "./asn1/kerberos/kerberos.cnf" +#line 317 "./asn1/kerberos/kerberos.cnf" tvbuff_t *next_tvb; kerberos_private_data_t *private_data = kerberos_get_private_data(actx); @@ -2565,7 +2565,7 @@ dissect_kerberos_Int32(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset static int dissect_kerberos_T_keytype(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 329 "./asn1/kerberos/kerberos.cnf" +#line 331 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t *private_data = kerberos_get_private_data(actx); offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, @@ -2581,7 +2581,7 @@ dissect_kerberos_T_keytype(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off static int dissect_kerberos_T_keyvalue(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 336 "./asn1/kerberos/kerberos.cnf" +#line 338 "./asn1/kerberos/kerberos.cnf" tvbuff_t *out_tvb; kerberos_private_data_t *private_data = kerberos_get_private_data(actx); 
@@ -2606,7 +2606,7 @@ static const ber_sequence_t EncryptionKey_sequence[] = { static int dissect_kerberos_EncryptionKey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 345 "./asn1/kerberos/kerberos.cnf" +#line 347 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t *private_data = kerberos_get_private_data(actx); offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset, @@ -2628,7 +2628,7 @@ dissect_kerberos_EncryptionKey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int static int dissect_kerberos_T_ad_type(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 356 "./asn1/kerberos/kerberos.cnf" +#line 358 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t *private_data = kerberos_get_private_data(actx); offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, &(private_data->ad_type)); @@ -2641,7 +2641,7 @@ dissect_kerberos_T_ad_type(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off static int dissect_kerberos_T_ad_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 363 "./asn1/kerberos/kerberos.cnf" +#line 365 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t *private_data = kerberos_get_private_data(actx); switch(private_data->ad_type){ @@ -2792,7 +2792,7 @@ static const value_string kerberos_ADDR_TYPE_vals[] = { static int dissect_kerberos_ADDR_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 377 "./asn1/kerberos/kerberos.cnf" +#line 382 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t *private_data = kerberos_get_private_data(actx); offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, &(private_data->addr_type)); 
@@ -2807,7 +2807,7 @@ dissect_kerberos_ADDR_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off static int dissect_kerberos_T_address(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 199 "./asn1/kerberos/kerberos.cnf" +#line 201 "./asn1/kerberos/kerberos.cnf" gint8 appclass; gboolean pc; gint32 tag; @@ -3077,10 +3077,12 @@ dissect_kerberos_T_padata_value(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, in offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U2Self); break; case KRB5_PADATA_S4U_X509_USER: - if(!private_data->is_enc_padata) { - offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U_X509_USER); - }else{ + if(private_data->msg_type == KRB5_MSG_AS_REQ){ + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_x509af_Certificate); + }else if(private_data->is_enc_padata){ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL); + }else{ + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U_X509_USER); } break; case KRB5_PA_PROV_SRV_LOCATION: @@ -3102,7 +3104,7 @@ dissect_kerberos_T_padata_value(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, in offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_AUTHENTICATION_SET); break; case KRB5_PADATA_FX_FAST: - if(private_data->is_request){ + if(private_data->msg_type == KRB5_MSG_AS_REQ || private_data->msg_type == KRB5_MSG_TGS_REQ){ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REQUEST); }else{ offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REPLY); 
@@ -3211,7 +3213,7 @@ dissect_kerberos_SEQUENCE_OF_ENCTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U static int dissect_kerberos_T_encryptedAuthorizationData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 262 "./asn1/kerberos/kerberos.cnf" +#line 264 "./asn1/kerberos/kerberos.cnf" #ifdef HAVE_KERBEROS offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_authenticator_data); #else @@ -3274,7 +3276,7 @@ static const ber_sequence_t KDC_REQ_BODY_sequence[] = { static int dissect_kerberos_KDC_REQ_BODY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 381 "./asn1/kerberos/kerberos.cnf" +#line 386 "./asn1/kerberos/kerberos.cnf" conversation_t *conversation; /* @@ -3325,9 +3327,9 @@ dissect_kerberos_KDC_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offse static int dissect_kerberos_AS_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 425 "./asn1/kerberos/kerberos.cnf" +#line 430 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t* private_data = kerberos_get_private_data(actx); - private_data->is_request = TRUE; + private_data->msg_type = KRB5_MSG_AS_REQ; offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset, @@ -3340,7 +3342,7 @@ dissect_kerberos_AS_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset static int dissect_kerberos_T_encryptedKDCREPData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 270 "./asn1/kerberos/kerberos.cnf" +#line 272 "./asn1/kerberos/kerberos.cnf" #ifdef HAVE_KERBEROS offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KDC_REP_data); #else 
@@ -3395,9 +3397,9 @@ dissect_kerberos_KDC_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offse static int dissect_kerberos_AS_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 429 "./asn1/kerberos/kerberos.cnf" +#line 434 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t* private_data = kerberos_get_private_data(actx); - private_data->is_request = FALSE; + private_data->msg_type = KRB5_MSG_AS_REP; offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset, @@ -3410,9 +3412,10 @@ dissect_kerberos_AS_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset static int dissect_kerberos_TGS_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 437 "./asn1/kerberos/kerberos.cnf" +#line 442 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t* private_data = kerberos_get_private_data(actx); - private_data->is_request = TRUE; + private_data->msg_type = KRB5_MSG_TGS_REQ; + offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset, hf_index, BER_CLASS_APP, 12, FALSE, dissect_kerberos_KDC_REQ); @@ -3424,6 +3427,10 @@ dissect_kerberos_TGS_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offse static int dissect_kerberos_TGS_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +#line 446 "./asn1/kerberos/kerberos.cnf" + kerberos_private_data_t* private_data = kerberos_get_private_data(actx); + private_data->msg_type = KRB5_MSG_TGS_REP; + offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset, hf_index, BER_CLASS_APP, 13, FALSE, dissect_kerberos_KDC_REP); 
@@ -3479,7 +3486,7 @@ dissect_kerberos_AP_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset static int dissect_kerberos_T_encryptedAPREPData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 286 "./asn1/kerberos/kerberos.cnf" +#line 288 "./asn1/kerberos/kerberos.cnf" #ifdef HAVE_KERBEROS offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_AP_REP_data); #else @@ -3540,7 +3547,7 @@ dissect_kerberos_AP_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset static int dissect_kerberos_T_kRB_SAFE_BODY_user_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 404 "./asn1/kerberos/kerberos.cnf" +#line 409 "./asn1/kerberos/kerberos.cnf" tvbuff_t *new_tvb; offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb); if (new_tvb) { @@ -3602,7 +3609,7 @@ dissect_kerberos_KRB_SAFE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offs static int dissect_kerberos_T_encryptedKrbPrivData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 294 "./asn1/kerberos/kerberos.cnf" +#line 296 "./asn1/kerberos/kerberos.cnf" #ifdef HAVE_KERBEROS offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PRIV_data); #else 
@@ -3663,7 +3670,7 @@ dissect_kerberos_KRB_PRIV(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offs static int dissect_kerberos_T_encryptedKrbCredData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 302 "./asn1/kerberos/kerberos.cnf" +#line 304 "./asn1/kerberos/kerberos.cnf" #ifdef HAVE_KERBEROS offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_CRED_data); #else @@ -3789,14 +3796,14 @@ dissect_kerberos_METHOD_DATA(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int o static int dissect_kerberos_T_encrypted_pa_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 418 "./asn1/kerberos/kerberos.cnf" +#line 423 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t* private_data = kerberos_get_private_data(actx); private_data->is_enc_padata = TRUE; offset = dissect_kerberos_METHOD_DATA(implicit_tag, tvb, offset, actx, tree, hf_index); -#line 422 "./asn1/kerberos/kerberos.cnf" +#line 427 "./asn1/kerberos/kerberos.cnf" private_data->is_enc_padata = FALSE; @@ -3880,7 +3887,7 @@ dissect_kerberos_EncAPRepPart(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int static int dissect_kerberos_T_encKrbPrivPart_user_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 411 "./asn1/kerberos/kerberos.cnf" +#line 416 "./asn1/kerberos/kerberos.cnf" tvbuff_t *new_tvb; offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb); if (new_tvb) { 
@@ -4174,9 +4181,9 @@ dissect_kerberos_KRB_ERROR_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int o static int dissect_kerberos_KRB_ERROR(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 433 "./asn1/kerberos/kerberos.cnf" +#line 438 "./asn1/kerberos/kerberos.cnf" kerberos_private_data_t* private_data = kerberos_get_private_data(actx); - private_data->is_request = FALSE; + private_data->msg_type = KRB5_MSG_ERROR; offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset, @@ -4237,7 +4244,7 @@ dissect_kerberos_EncryptedData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int static int dissect_kerberos_T_pA_ENC_TIMESTAMP_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { -#line 278 "./asn1/kerberos/kerberos.cnf" +#line 280 "./asn1/kerberos/kerberos.cnf" #ifdef HAVE_KERBEROS offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PA_ENC_TIMESTAMP); #else @@ -4364,6 +4371,18 @@ dissect_kerberos_PA_S4U2Self(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int o +static int +dissect_kerberos_T_subject_certificate(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +#line 379 "./asn1/kerberos/kerberos.cnf" + offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset,hf_index, dissect_x509af_Certificate); + + + + return offset; +} + + + static int dissect_kerberos_BIT_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { offset = dissect_ber_bitstring(implicit_tag, actx, tree, tvb, offset, 
@@ -4378,7 +4397,7 @@ static const ber_sequence_t S4UUserID_sequence[] = { { &hf_kerberos_nonce , BER_CLASS_CON, 0, 0, dissect_kerberos_UInt32 }, { &hf_kerberos_cname_01 , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_PrincipalName }, { &hf_kerberos_crealm , BER_CLASS_CON, 2, 0, dissect_kerberos_Realm }, - { &hf_kerberos_subject_certificate, BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_kerberos_OCTET_STRING }, + { &hf_kerberos_subject_certificate, BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_kerberos_T_subject_certificate }, { &hf_kerberos_options , BER_CLASS_CON, 4, BER_FLAGS_OPTIONAL, dissect_kerberos_BIT_STRING }, { NULL, 0, 0, 0, NULL } }; @@ -4663,10 +4682,10 @@ dissect_kerberos_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, default: return 0; } - if (do_col_protocol) { + if (do_col_protocol) { col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5"); - } - if (gbl_do_col_info) { + } + if (gbl_do_col_info) { col_clear(pinfo->cinfo, COL_INFO); } if (tree) { @@ -5463,7 +5482,7 @@ void proto_register_kerberos(void) { { &hf_kerberos_subject_certificate, { "subject-certificate", "kerberos.subject_certificate", FT_BYTES, BASE_NONE, NULL, 0, - "OCTET_STRING", HFILL }}, + "T_subject_certificate", HFILL }}, { &hf_kerberos_options, { "options", "kerberos.options", FT_BYTES, BASE_NONE, NULL, 0, -- cgit v1.2.3