epan/dissectors/asn1/kerberos/kerberos.cnf

   1 # kerberos.cnf
   2 # kerberos conformation file
   3 # Copyright 2008 Anders Broman
   4
   5 #.EXPORTS
   6 ChangePasswdData
   7 Applications ONLY_ENUM
   8
   9 #.FIELD_RENAME
  10 KDC-REQ-BODY/etype kDC-REQ-BODY_etype
  11 KRB-SAFE-BODY/user-data kRB-SAFE-BODY_user_data
  12 EncKrbPrivPart/user-data encKrbPrivPart_user_data
  13 EncryptedTicketData/cipher encryptedTicketData_cipher
  14 EncryptedAuthorizationData/cipher encryptedAuthorizationData_cipher
  15 EncryptedKDCREPData/cipher encryptedKDCREPData_cipher
  16 PA-ENC-TIMESTAMP/cipher pA-ENC-TIMESTAMP_cipher
  17 EncryptedAPREPData/cipher encryptedAPREPData_cipher
  18 EncryptedKrbPrivData/cipher encryptedKrbPrivData_cipher
  19 EncryptedKrbCredData/cipher encryptedKrbCredData_cipher
  20 KRB-CRED/_untag/enc-part kRB_CRED_enc_part
  21 KRB-PRIV/_untag/enc-part kRB_PRIV_enc_part
  22 AP-REP/_untag/enc-part aP_REP_enc_part
  23 KDC-REP/enc-part kDC_REP_enc_part
  24 Ticket/_untag/enc-part ticket_enc_part
  25
  26 #.OMIT_ASSIGNMENT
  27 AD-AND-OR
  28 AD-KDCIssued
  29 AD-LoginAlias
  30 AD-MANDATORY-FOR-KDC
  31 ChangePasswdDataMS
  32 EtypeList
  33 KRB5SignedPath
  34 KRB5SignedPathData
  35 KRB5SignedPathPrincipals
  36 Krb5int32
  37 Krb5uint32
  38 PA-ClientCanonicalized
  39 PA-ClientCanonicalizedNames
  40 PA-ENC-SAM-RESPONSE-ENC
  41 PA-PAC-REQUEST
  42 PA-SAM-CHALLENGE-2
  43 PA-SAM-CHALLENGE-2-BODY
  44 PA-SAM-REDIRECT
  45 PA-SAM-RESPONSE-2
  46 PA-SAM-TYPE
  47 PA-SERVER-REFERRAL-DATA
  48 PA-ServerReferralData
  49 PA-SvrReferralData
  50 Principal
  51 PROV-SRV-LOCATION
  52 SAMFlags
  53 TYPED-DATA
  54 KrbFastReq
  55 KrbFastResponse
  56 KrbFastFinished
  57 FastOptions
  58 KerberosFlags
  59
  60 #.NO_EMIT ONLY_VALS
  61 Applications
  62 PA-FX-FAST-REPLY
  63 PA-FX-FAST-REQUEST
  64
  65 #.MAKE_DEFINES
  66 ADDR-TYPE TYPE_PREFIX
  67 Applications TYPE_PREFIX
  68
  69 #.MAKE_ENUM
  70 PADATA-TYPE PROT_PREFIX UPPER_CASE
  71 AUTHDATA-TYPE PROT_PREFIX UPPER_CASE
  72
  73 #.VALS_ATTR
  74 PADATA-TYPE UPPER_CASE_FIRST
  75 AUTHDATA-TYPE UPPER_CASE_FIRST
  76
  77 #.FN_BODY KDC-REP
  78         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
  79 %(DEFAULT_BODY)s
  80         if (!private_data->kdc_response_initialized) {
  81                 private_data->kdc_response = TRUE;
  82         }
  83
  84 #.FN_BODY Applications
  85         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
  86 %(DEFAULT_BODY)s
  87         private_data->kdc_response_initialized = TRUE;
  88
  89 #.FN_BODY MESSAGE-TYPE VAL_PTR = &msgtype
  90 guint32 msgtype;
  91
  92 %(DEFAULT_BODY)s
  93
  94 #.FN_FTR MESSAGE-TYPE
  95         if (gbl_do_col_info) {
  96                 col_add_str(actx->pinfo->cinfo, COL_INFO,
  97                         val_to_str(msgtype, krb5_msg_types,
  98                         "Unknown msg type %#x"));
  99         }
 100         gbl_do_col_info=FALSE;
 101
 102 ##if 0
 103         /* append the application type to the tree */
 104         proto_item_append_text(tree, " %s", val_to_str(msgtype, krb5_msg_types, "Unknown:0x%x"));
 105 ##endif
 106
 107 #.FN_BODY ERROR-CODE VAL_PTR = &krb5_errorcode
 108 %(DEFAULT_BODY)s
 109
 110 #.FN_FTR ERROR-CODE
 111         if(krb5_errorcode) {
 112                 col_add_fstr(actx->pinfo->cinfo, COL_INFO,
 113                         "KRB Error: %s",
 114                         val_to_str(krb5_errorcode, krb5_error_codes,
 115                         "Unknown error code %#x"));
 116         }
 117
 118         return offset;
 119 #.END
 120 #.FN_BODY KRB-ERROR/_untag/e-data
 121         switch(krb5_errorcode){
 122         case KRB5_ET_KRB5KDC_ERR_BADOPTION:
 123         case KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED:
 124         case KRB5_ET_KRB5KDC_ERR_KEY_EXP:
 125         case KRB5_ET_KRB5KDC_ERR_POLICY:
 126                 /* ms windows kdc sends e-data of this type containing a "salt"
 127                  * that contains the nt_status code for these error codes.
 128                  */
 129                 offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, dissect_kerberos_PA_DATA);
 130                 break;
 131         case KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED:
 132         case KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED:
 133         case KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP:
 134                 offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, dissect_kerberos_SEQUENCE_OF_PA_DATA);
 135
 136                 break;
 137         default:
 138                 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, NULL);
 139         }
 140
 141
 142 #.FN_BODY PADATA-TYPE VAL_PTR=&(private_data->padata_type)
 143         kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
 144 %(DEFAULT_BODY)s
 145 #.FN_FTR PADATA-TYPE
 146         if(tree){
 147                 proto_item_append_text(tree, " %s",
 148                         val_to_str(private_data->padata_type, kerberos_PADATA_TYPE_vals,
 149                         "Unknown:%d"));
 150         }
 151
 152 #.FN_BODY PA-DATA/padata-value
 153         proto_tree *sub_tree=tree;
 154         kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
 155
 156         if(actx->created_item){
 157                 sub_tree=proto_item_add_subtree(actx->created_item, ett_kerberos_PA_DATA);
 158         }
 159
 160         switch(private_data->padata_type){
 161         case KERBEROS_PA_TGS_REQ:
 162                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications);
 163                 break;
 164         case KERBEROS_PA_PK_AS_REQ:
 165                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsReq);
 166                 break;
 167         case KERBEROS_PA_PK_AS_REP:
 168                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsRep);
 169                 break;
 170         case KERBEROS_PA_PAC_REQUEST:
 171                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_KERB_PA_PAC_REQUEST);
 172                 break;
 173         case KERBEROS_PA_FOR_USER: /* S4U2SELF */
 174                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U2Self);
 175                 break;
 176         case KERBEROS_PA_PROV_SRV_LOCATION:
 177                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PA_PROV_SRV_LOCATION);
 178                 break;
 179         case KERBEROS_PA_ENC_TIMESTAMP:
 180                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_ENC_TIMESTAMP);
 181                 break;
 182         case KERBEROS_PA_ENCTYPE_INFO:
 183                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO);
 184                 break;
 185         case KERBEROS_PA_ENCTYPE_INFO2:
 186                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO2);
 187                 break;
 188         case KERBEROS_PA_PW_SALT:
 189                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PW_SALT);
 190                 break;
 191         case KERBEROS_PA_AUTH_SET_SELECTED:
 192                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_AUTHENTICATION_SET_ELEM);
 193                 break;
 194         case KERBEROS_PA_FX_FAST:
 195                 if (private_data->kdc_response) {
 196                         offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REPLY);
 197                 } else {
 198                         offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REQUEST);
 199                 }
 200                 break;
 201         case KERBEROS_PA_FX_ERROR:
 202                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications);
 203                 break;
 204         case KERBEROS_PA_ENCRYPTED_CHALLENGE:
 205                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_EncryptedChallenge);
 206                 break;
 207         case KERBEROS_PA_SUPPORTED_ETYPES:
 208                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_SUPPORTED_ENCTYPES);
 209                 break;
 210         case KERBEROS_PA_PAC_OPTIONS:
 211                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_PAC_OPTIONS);
 212                 break;
 213         default:
 214                 offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL);
 215         }
 216
 217 #.FN_BODY HostAddress/address
 218         gint8 appclass;
 219         gboolean pc;
 220         gint32 tag;
 221         guint32 len;
 222         const char *address_str;
 223         proto_item *it=NULL;
 224         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 225
 226         /* read header and len for the octet string */
 227         offset=dissect_ber_identifier(actx->pinfo, tree, tvb, offset, &appclass, &pc, &tag);
 228         offset=dissect_ber_length(actx->pinfo, tree, tvb, offset, &len, NULL);
 229
 230         switch(private_data->addr_type){
 231         case KERBEROS_ADDR_TYPE_IPV4:
 232                 it=proto_tree_add_item(tree, hf_krb_address_ip, tvb, offset, 4, ENC_BIG_ENDIAN);
 233                 address_str = tvb_ip_to_str(tvb, offset);
 234                 break;
 235         case KERBEROS_ADDR_TYPE_NETBIOS:
 236                 {
 237                 char netbios_name[(NETBIOS_NAME_LEN - 1)*4 + 1];
 238                 int netbios_name_type;
 239                 int netbios_name_len = (NETBIOS_NAME_LEN - 1)*4 + 1;
 240
 241                 netbios_name_type = process_netbios_name(tvb_get_ptr(tvb, offset, 16), netbios_name, netbios_name_len);
 242                 address_str = wmem_strdup_printf(wmem_packet_scope(), "%s<%02x>", netbios_name, netbios_name_type);
 243                 it=proto_tree_add_string_format(tree, hf_krb_address_netbios, tvb, offset, 16, netbios_name, "NetBIOS Name: %s (%s)", address_str, netbios_name_type_descr(netbios_name_type));
 244                 }
 245                 break;
 246         case KERBEROS_ADDR_TYPE_IPV6:
 247                 it=proto_tree_add_item(tree, hf_krb_address_ipv6, tvb, offset, INET6_ADDRLEN, ENC_NA);
 248                 address_str = tvb_ip6_to_str(tvb, offset);
 249                 break;
 250         default:
 251                 proto_tree_add_expert(tree, actx->pinfo, &ei_kerberos_address, tvb, offset, len);
 252                 address_str = NULL;
 253         }
 254
 255         /* push it up two levels in the decode pane */
 256         if(it && address_str){
 257                 proto_item_append_text(proto_item_get_parent(it), " %s",address_str);
 258                 proto_item_append_text(proto_item_get_parent_nth(it, 2), " %s",address_str);
 259         }
 260
 261         offset+=len;
 262         return offset;
 263
 264
 265 #.TYPE_ATTR
 266 #xxx TYPE = FT_UINT16  DISPLAY = BASE_DEC  STRINGS = VALS(xx_vals)
 267
 268 #.FN_BODY ENCTYPE VAL_PTR=&(private_data->etype)
 269         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 270 %(DEFAULT_BODY)s
 271
 272 #.FN_BODY EncryptedTicketData/cipher
 273 ##ifdef HAVE_KERBEROS
 274         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_ticket_data);
 275 ##else
 276 %(DEFAULT_BODY)s
 277 ##endif
 278         return offset;
 279
 280 #.FN_BODY EncryptedAuthorizationData/cipher
 281 ##ifdef HAVE_KERBEROS
 282         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_authenticator_data);
 283 ##else
 284 %(DEFAULT_BODY)s
 285 ##endif
 286         return offset;
 287
 288 #.FN_BODY EncryptedKDCREPData/cipher
 289 ##ifdef HAVE_KERBEROS
 290         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KDC_REP_data);
 291 ##else
 292 %(DEFAULT_BODY)s
 293 ##endif
 294         return offset;
 295
 296 #.FN_BODY PA-ENC-TIMESTAMP/cipher
 297 ##ifdef HAVE_KERBEROS
 298         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PA_ENC_TIMESTAMP);
 299 ##else
 300 %(DEFAULT_BODY)s
 301 ##endif
 302         return offset;
 303
 304 #.FN_BODY EncryptedAPREPData/cipher
 305 ##ifdef HAVE_KERBEROS
 306         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_AP_REP_data);
 307 ##else
 308 %(DEFAULT_BODY)s
 309 ##endif
 310         return offset;
 311
 312 #.FN_BODY EncryptedKrbPrivData/cipher
 313 ##ifdef HAVE_KERBEROS
 314         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PRIV_data);
 315 ##else
 316 %(DEFAULT_BODY)s
 317 ##endif
 318         return offset;
 319
 320 #.FN_BODY EncryptedKrbCredData/cipher
 321 ##ifdef HAVE_KERBEROS
 322         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_CRED_data);
 323 ##else
 324 %(DEFAULT_BODY)s
 325 ##endif
 326         return offset;
 327
 328
 329 #.FN_BODY CKSUMTYPE VAL_PTR=&(private_data->checksum_type)
 330         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 331 %(DEFAULT_BODY)s
 332
 333 #.FN_BODY Checksum/checksum
 334         tvbuff_t *next_tvb;
 335         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 336
 337         switch(private_data->checksum_type){
 338         case KRB5_CHKSUM_GSSAPI:
 339                 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &next_tvb);
 340                 dissect_krb5_rfc1964_checksum(actx, tree, next_tvb);
 341                 break;
 342         default:
 343                 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, NULL);
 344         }
 345         return offset;
 346
 347 #.FN_BODY EncryptionKey/keytype VAL_PTR=&gbl_keytype
 348         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 349
 350         offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
 351                                                                         &gbl_keytype);
 352         private_data->key.keytype = gbl_keytype;
 353
 354 #.FN_BODY EncryptionKey/keyvalue VAL_PTR=&out_tvb
 355         tvbuff_t *out_tvb;
 356         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 357
 358 %(DEFAULT_BODY)s
 359
 360         private_data->key.keylength = tvb_reported_length(out_tvb);
 361         private_data->key.keyvalue = tvb_get_ptr(out_tvb, 0, private_data->key.keylength);
 362
 363 #.FN_BODY EncryptionKey
 364         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 365
 366         %(DEFAULT_BODY)s
 367
 368         if (private_data->key.keytype != 0 && private_data->key.keylength > 0) {
 369 ##ifdef HAVE_KERBEROS
 370                 add_encryption_key(actx->pinfo, private_data->key.keytype, private_data->key.keylength, private_data->key.keyvalue, "key");
 371 ##endif
 372         }
 373
 374 #.FN_BODY AUTHDATA-TYPE VAL_PTR=&(private_data->ad_type)
 375         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 376 %(DEFAULT_BODY)s
 377
 378 #.FN_BODY AuthorizationData/_item/ad-data
 379         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 380
 381         switch(private_data->ad_type){
 382         case KERBEROS_AD_WIN2K_PAC:
 383                 offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_krb5_AD_WIN2K_PAC);
 384                 break;
 385         case KERBEROS_AD_IF_RELEVANT:
 386                 offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_AD_IF_RELEVANT);
 387                 break;
 388         case KERBEROS_AD_TOKEN_RESTRICTIONS:
 389                 offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_KERB_AD_RESTRICTION_ENTRY);
 390                 break;
 391         default:
 392                 offset=dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, NULL);
 393         }
 394
 395 #.FN_BODY ADDR-TYPE VAL_PTR=&(private_data->addr_type)
 396         kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 397 %(DEFAULT_BODY)s
 398
 399 #.FN_BODY KDC-REQ-BODY
 400         conversation_t *conversation;
 401
 402         /*
 403          * UDP replies to KDC_REQs are sent from the server back to the client's
 404          * source port, similar to the way TFTP works.  Set up a conversation
 405          * accordingly.
 406          *
 407          * Ref: Section 7.2.1 of
 408          * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt
 409          */
 410         if (actx->pinfo->destport == UDP_PORT_KERBEROS && actx->pinfo->ptype == PT_UDP) {
 411                 conversation = find_conversation(actx->pinfo->num, &actx->pinfo->src, &actx->pinfo->dst, ENDPOINT_UDP,
 412                                                                                         actx->pinfo->srcport, 0, NO_PORT_B);
 413                 if (conversation == NULL) {
 414                         conversation = conversation_new(actx->pinfo->num, &actx->pinfo->src, &actx->pinfo->dst, ENDPOINT_UDP,
 415                                                                                         actx->pinfo->srcport, 0, NO_PORT2);
 416                         conversation_set_dissector(conversation, kerberos_handle_udp);
 417                 }
 418         }
 419
 420         %(DEFAULT_BODY)s
 421
 422 #.FN_BODY KRB-SAFE-BODY/user-data
 423         tvbuff_t *new_tvb;
 424         offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb);
 425         if (new_tvb) {
 426                 call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_SAFE_USER_DATA, (kerberos_callbacks*)actx->private_data);
 427         }
 428
 429 #.FN_BODY EncKrbPrivPart/user-data
 430         tvbuff_t *new_tvb;
 431         offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb);
 432         if (new_tvb) {
 433                 call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_PRIV_USER_DATA, (kerberos_callbacks*)actx->private_data);
 434         }
 435
 436 #.FN_BODY KrbFastArmoredReq/enc-fast-req
 437 ##ifdef HAVE_KERBEROS
 438         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KrbFastReq);
 439 ##else
 440 %(DEFAULT_BODY)s
 441 ##endif
 442         return offset;
 443
 444 #.FN_BODY KrbFastArmoredRep/enc-fast-rep
 445 ##ifdef HAVE_KERBEROS
 446         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KrbFastResponse);
 447 ##else
 448 %(DEFAULT_BODY)s
 449 ##endif
 450         return offset;
 451
 452 #.FN_BODY EncryptedChallenge
 453 ##ifdef HAVE_KERBEROS
 454         offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_EncryptedChallenge);
 455 ##else
 456 %(DEFAULT_BODY)s
 457 ##endif
 458         return offset;