80b0e62a09da988e418444c58055c00494740b6c
[metze/wireshark/wip.git] / epan / dissectors / asn1 / kerberos / kerberos.cnf
1 # kerberos.cnf
2 # kerberos conformation file
3 # Copyright 2008 Anders Broman
4
5 #.EXPORTS
6 ChangePasswdData
7 Applications ONLY_ENUM
8
9 #.FIELD_RENAME
10 #EncryptedData/etype encryptedData_etype
11 KDC-REQ-BODY/etype kDC-REQ-BODY_etype
12 KRB-SAFE-BODY/user-data kRB-SAFE-BODY_user_data
13 EncKrbPrivPart/user-data encKrbPrivPart_user_data
14 EncryptedTicketData/cipher encryptedTicketData_cipher
15 EncryptedAuthorizationData/cipher encryptedAuthorizationData_cipher
16 EncryptedKDCREPData/cipher encryptedKDCREPData_cipher
17 PA-ENC-TIMESTAMP/cipher pA-ENC-TIMESTAMP_cipher
18 EncryptedAPREPData/cipher encryptedAPREPData_cipher
19 EncryptedKrbPrivData/cipher encryptedKrbPrivData_cipher
20 EncryptedKrbCredData/cipher encryptedKrbCredData_cipher
21 KRB-CRED/_untag/enc-part kRB_CRED_enc_part
22 KRB-PRIV/_untag/enc-part kRB_PRIV_enc_part
23 AP-REP/_untag/enc-part aP_REP_enc_part
24 KDC-REP/enc-part kDC_REP_enc_part
25 Ticket/_untag/enc-part ticket_enc_part
26
27 #.OMIT_ASSIGNMENT
28 AD-AND-OR
29 AD-KDCIssued
30 AD-LoginAlias
31 AD-MANDATORY-FOR-KDC
32 ChangePasswdDataMS
33 EtypeList
34 KRB5SignedPath
35 KRB5SignedPathData
36 KRB5SignedPathPrincipals
37 Krb5int32
38 Krb5uint32
39 PA-ClientCanonicalized
40 PA-ClientCanonicalizedNames
41 PA-ENC-TS-ENC
42 PA-ENC-SAM-RESPONSE-ENC
43 PA-PAC-REQUEST
44 PA-SAM-CHALLENGE-2
45 PA-SAM-CHALLENGE-2-BODY
46 PA-SAM-REDIRECT
47 PA-SAM-RESPONSE-2
48 PA-SAM-TYPE
49 PA-SERVER-REFERRAL-DATA
50 PA-ServerReferralData
51 PA-SvrReferralData
52 Principal
53 PROV-SRV-LOCATION
54 SAMFlags
55 TYPED-DATA
56 KrbFastReq
57 KrbFastResponse
58 KrbFastFinished
59 FastOptions
60 KerberosFlags
61
62 #.NO_EMIT ONLY_VALS
63 Applications
64 PA-FX-FAST-REPLY
65 PA-FX-FAST-REQUEST
66
67 #.MAKE_DEFINES
68 ADDR-TYPE TYPE_PREFIX
69 Applications TYPE_PREFIX
70
71 #.MAKE_ENUM
72 PADATA-TYPE PROT_PREFIX UPPER_CASE
73 AUTHDATA-TYPE PROT_PREFIX UPPER_CASE
74
75 #.VALS_ATTR
76 PADATA-TYPE UPPER_CASE_FIRST
77 AUTHDATA-TYPE UPPER_CASE_FIRST
78
79 #.FN_BODY MESSAGE-TYPE VAL_PTR = &msgtype
80 guint32 msgtype;
81
82 %(DEFAULT_BODY)s
83
84 #.FN_FTR MESSAGE-TYPE
85         if (gbl_do_col_info) {
86                 col_add_str(actx->pinfo->cinfo, COL_INFO,
87                         val_to_str(msgtype, krb5_msg_types,
88                         "Unknown msg type %#x"));
89         }
90         gbl_do_col_info=FALSE;
91
92 ##if 0
93         /* append the application type to the tree */
94         proto_item_append_text(tree, " %s", val_to_str(msgtype, krb5_msg_types, "Unknown:0x%x"));
95 ##endif
96
97 #.FN_BODY ERROR-CODE VAL_PTR = &krb5_errorcode
98 %(DEFAULT_BODY)s
99
100 #.FN_FTR ERROR-CODE
101         if(krb5_errorcode) {
102                 col_add_fstr(actx->pinfo->cinfo, COL_INFO,
103                         "KRB Error: %s",
104                         val_to_str(krb5_errorcode, krb5_error_codes,
105                         "Unknown error code %#x"));
106         }
107
108         return offset;
109 #.END
110 #.FN_BODY KRB-ERROR/_untag/e-data
111         switch(krb5_errorcode){
112         case KRB5_ET_KRB5KDC_ERR_BADOPTION:
113         case KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED:
114         case KRB5_ET_KRB5KDC_ERR_KEY_EXP:
115         case KRB5_ET_KRB5KDC_ERR_POLICY:
116                 /* ms windows kdc sends e-data of this type containing a "salt"
117                  * that contains the nt_status code for these error codes.
118                  */
119                 offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, dissect_kerberos_PA_DATA);
120                 break;
121         case KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED:
122         case KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED:
123         case KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP:
124                 offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, dissect_kerberos_SEQUENCE_OF_PA_DATA);
125
126                 break;
127         default:
128                 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, NULL);
129         }
130
131
132 #.FN_BODY PADATA-TYPE VAL_PTR=&(private_data->padata_type)
133         kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
134 %(DEFAULT_BODY)s
135 #.FN_FTR PADATA-TYPE
136         if(tree){
137                 proto_item_append_text(tree, " %s",
138                         val_to_str(private_data->padata_type, kerberos_PADATA_TYPE_vals,
139                         "Unknown:%d"));
140         }
141
142 #.FN_BODY PA-DATA/padata-value
143         proto_tree *sub_tree=tree;
144         kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
145
146         if(actx->created_item){
147                 sub_tree=proto_item_add_subtree(actx->created_item, ett_kerberos_PA_DATA);
148         }
149
150         switch(private_data->padata_type){
151         case KERBEROS_PA_TGS_REQ:
152                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications);
153                 break;
154         case KERBEROS_PA_PK_AS_REQ:
155                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsReq);
156                 break;
157         case KERBEROS_PA_PK_AS_REP:
158                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsRep);
159                 break;
160         case KERBEROS_PA_PAC_REQUEST:
161                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_KERB_PA_PAC_REQUEST);
162                 break;
163         case KERBEROS_PA_FOR_USER: /* S4U2SELF */
164                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U2Self);
165                 break;
166         case KERBEROS_PA_FOR_X509_USER:
167                 if(private_data->msg_type == KRB5_MSG_AS_REQ){
168                         offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_x509af_Certificate);
169                 }else if(private_data->is_enc_padata){
170                         offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL);
171                 }else{
172                         offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U_X509_USER);
173                 }
174                 break;
175         case KERBEROS_PA_PROV_SRV_LOCATION:
176                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PA_PROV_SRV_LOCATION);
177                 break;
178         case KERBEROS_PA_ENC_TIMESTAMP:
179                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_ENC_TIMESTAMP);
180                 break;
181         case KERBEROS_PA_ENCTYPE_INFO:
182                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO);
183                 break;
184         case KERBEROS_PA_ENCTYPE_INFO2:
185                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO2);
186                 break;
187         case KERBEROS_PA_PW_SALT:
188                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PW_SALT);
189                 break;
190         case KERBEROS_PA_AUTHENTICATION_SET:
191                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_AUTHENTICATION_SET);
192                 break;
193         case KERBEROS_PADATA_FX_FAST:
194                 if(private_data->msg_type == KRB5_MSG_AS_REQ || private_data->msg_type == KRB5_MSG_TGS_REQ){
195                         offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REQUEST);
196                 }else{
197                         offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REPLY);
198                 }
199                 break;
200         case KERBEROS_PADATA_ENCRYPTED_CHALLENGE:
201                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_EncryptedChallenge);
202                 break;
203         default:
204                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL);
205         }
206
207 #.FN_BODY HostAddress/address
208         gint8 appclass;
209         gboolean pc;
210         gint32 tag;
211         guint32 len;
212         const char *address_str;
213         proto_item *it=NULL;
214         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
215
216         /* read header and len for the octet string */
217         offset=dissect_ber_identifier(actx->pinfo, tree, tvb, offset, &appclass, &pc, &tag);
218         offset=dissect_ber_length(actx->pinfo, tree, tvb, offset, &len, NULL);
219
220         switch(private_data->addr_type){
221         case KERBEROS_ADDR_TYPE_IPV4:
222                 it=proto_tree_add_item(tree, hf_krb_address_ip, tvb, offset, 4, ENC_BIG_ENDIAN);
223                 address_str = tvb_ip_to_str(tvb, offset);
224                 break;
225         case KERBEROS_ADDR_TYPE_NETBIOS:
226                 {
227                 char netbios_name[(NETBIOS_NAME_LEN - 1)*4 + 1];
228                 int netbios_name_type;
229                 int netbios_name_len = (NETBIOS_NAME_LEN - 1)*4 + 1;
230
231                 netbios_name_type = process_netbios_name(tvb_get_ptr(tvb, offset, 16), netbios_name, netbios_name_len);
232                 address_str = wmem_strdup_printf(wmem_packet_scope(), "%s<%02x>", netbios_name, netbios_name_type);
233                 it=proto_tree_add_string_format(tree, hf_krb_address_netbios, tvb, offset, 16, netbios_name, "NetBIOS Name: %s (%s)", address_str, netbios_name_type_descr(netbios_name_type));
234                 }
235                 break;
236         case KERBEROS_ADDR_TYPE_IPV6:
237                 it=proto_tree_add_item(tree, hf_krb_address_ipv6, tvb, offset, INET6_ADDRLEN, ENC_NA);
238                 address_str = tvb_ip6_to_str(tvb, offset);
239                 break;
240         default:
241                 proto_tree_add_expert(tree, actx->pinfo, &ei_kerberos_address, tvb, offset, len);
242                 address_str = NULL;
243         }
244
245         /* push it up two levels in the decode pane */
246         if(it && address_str){
247                 proto_item_append_text(proto_item_get_parent(it), " %s",address_str);
248                 proto_item_append_text(proto_item_get_parent_nth(it, 2), " %s",address_str);
249         }
250
251         offset+=len;
252         return offset;
253
254
255 #.TYPE_ATTR
256 #xxx TYPE = FT_UINT16  DISPLAY = BASE_DEC  STRINGS = VALS(xx_vals)
257
258 #.FN_BODY ENCTYPE VAL_PTR=&(private_data->etype)
259         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
260 %(DEFAULT_BODY)s
261
262 #.FN_BODY EncryptedTicketData/cipher
263 ##ifdef HAVE_KERBEROS
264         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_ticket_data);
265 ##else
266 %(DEFAULT_BODY)s
267 ##endif
268         return offset;
269
270 #.FN_BODY EncryptedAuthorizationData/cipher
271 ##ifdef HAVE_KERBEROS
272         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_authenticator_data);
273 ##else
274 %(DEFAULT_BODY)s
275 ##endif
276         return offset;
277
278 #.FN_BODY EncryptedKDCREPData/cipher
279 ##ifdef HAVE_KERBEROS
280         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KDC_REP_data);
281 ##else
282 %(DEFAULT_BODY)s
283 ##endif
284         return offset;
285
286 #.FN_BODY PA-ENC-TIMESTAMP/cipher
287 ##ifdef HAVE_KERBEROS
288         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PA_ENC_TIMESTAMP);
289 ##else
290 %(DEFAULT_BODY)s
291 ##endif
292         return offset;
293
294 #.FN_BODY EncryptedAPREPData/cipher
295 ##ifdef HAVE_KERBEROS
296         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_AP_REP_data);
297 ##else
298 %(DEFAULT_BODY)s
299 ##endif
300         return offset;
301
302 #.FN_BODY EncryptedKrbPrivData/cipher
303 ##ifdef HAVE_KERBEROS
304         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PRIV_data);
305 ##else
306 %(DEFAULT_BODY)s
307 ##endif
308         return offset;
309
310 #.FN_BODY EncryptedKrbCredData/cipher
311 ##ifdef HAVE_KERBEROS
312         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_CRED_data);
313 ##else
314 %(DEFAULT_BODY)s
315 ##endif
316         return offset;
317
318
319 #.FN_BODY CKSUMTYPE VAL_PTR=&(private_data->checksum_type)
320         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
321 %(DEFAULT_BODY)s
322
323 #.FN_BODY Checksum/checksum
324         tvbuff_t *next_tvb;
325         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
326
327         switch(private_data->checksum_type){
328         case KRB5_CHKSUM_GSSAPI:
329                 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &next_tvb);
330                 dissect_krb5_rfc1964_checksum(actx, tree, next_tvb);
331                 break;
332         default:
333                 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, NULL);
334         }
335         return offset;
336
337 #.FN_BODY EncryptionKey/keytype VAL_PTR=&gbl_keytype
338         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
339
340         offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
341                                                                         &gbl_keytype);
342         private_data->key.keytype = gbl_keytype;
343
344 #.FN_BODY EncryptionKey/keyvalue VAL_PTR=&out_tvb
345         tvbuff_t *out_tvb;
346         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
347
348 %(DEFAULT_BODY)s
349
350         private_data->key.keylength = tvb_reported_length(out_tvb);
351         private_data->key.keyvalue = tvb_get_ptr(out_tvb, 0, private_data->key.keylength);
352
353 #.FN_BODY EncryptionKey
354         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
355
356         %(DEFAULT_BODY)s
357
358         if (private_data->key.keytype != 0 && private_data->key.keylength > 0) {
359 ##ifdef HAVE_KERBEROS
360                 add_encryption_key(actx->pinfo, private_data->key.keytype, private_data->key.keylength, private_data->key.keyvalue, "key");
361 ##endif
362         }
363
364 #.FN_BODY AUTHDATA-TYPE VAL_PTR=&(private_data->ad_type)
365         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
366 %(DEFAULT_BODY)s
367
368 #.FN_BODY AuthorizationData/_item/ad-data
369         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
370
371         switch(private_data->ad_type){
372         case KERBEROS_AD_WIN2K_PAC:
373                 offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_krb5_AD_WIN2K_PAC);
374                 break;
375         case KERBEROS_AD_IF_RELEVANT:
376                 offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_AD_IF_RELEVANT);
377                 break;
378         default:
379                 offset=dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, NULL);
380         }
381
382 #.FN_BODY S4UUserID/subject-certificate
383         offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset,hf_index, dissect_x509af_Certificate);
384
385 #.FN_BODY ADDR-TYPE VAL_PTR=&(private_data->addr_type)
386         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
387 %(DEFAULT_BODY)s
388
389 #.FN_BODY KDC-REQ-BODY
390         conversation_t *conversation;
391
392         /*
393          * UDP replies to KDC_REQs are sent from the server back to the client's
394          * source port, similar to the way TFTP works.  Set up a conversation
395          * accordingly.
396          *
397          * Ref: Section 7.2.1 of
398          * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt
399          */
400         if (actx->pinfo->destport == UDP_PORT_KERBEROS && actx->pinfo->ptype == PT_UDP) {
401                 conversation = find_conversation(actx->pinfo->num, &actx->pinfo->src, &actx->pinfo->dst, ENDPOINT_UDP,
402                                                                                         actx->pinfo->srcport, 0, NO_PORT_B);
403                 if (conversation == NULL) {
404                         conversation = conversation_new(actx->pinfo->num, &actx->pinfo->src, &actx->pinfo->dst, ENDPOINT_UDP,
405                                                                                         actx->pinfo->srcport, 0, NO_PORT2);
406                         conversation_set_dissector(conversation, kerberos_handle_udp);
407                 }
408         }
409
410         %(DEFAULT_BODY)s
411
412 #.FN_BODY KRB-SAFE-BODY/user-data
413         tvbuff_t *new_tvb;
414         offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb);
415         if (new_tvb) {
416                 call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_SAFE_USER_DATA, (kerberos_callbacks*)actx->private_data);
417         }
418
419 #.FN_BODY EncKrbPrivPart/user-data
420         tvbuff_t *new_tvb;
421         offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb);
422         if (new_tvb) {
423                 call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_PRIV_USER_DATA, (kerberos_callbacks*)actx->private_data);
424         }
425
426 #.FN_HDR EncKDCRepPart/encrypted-pa-data
427         kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
428         private_data->is_enc_padata = TRUE;
429
430 #.FN_FTR EncKDCRepPart/encrypted-pa-data
431         private_data->is_enc_padata = FALSE;
432
433 #.FN_HDR AS-REQ
434         kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
435         private_data->msg_type = KRB5_MSG_AS_REQ;
436
437 #.FN_HDR AS-REP
438         kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
439         private_data->msg_type = KRB5_MSG_AS_REP;
440
441 #.FN_HDR KRB-ERROR
442         kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
443         private_data->msg_type = KRB5_MSG_ERROR;
444
445 #.FN_HDR TGS-REQ
446         kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
447         private_data->msg_type = KRB5_MSG_TGS_REQ;
448
449 #.FN_HDR TGS-REP
450         kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
451         private_data->msg_type = KRB5_MSG_TGS_REP;