2 * Routines for Kerberos
3 * Wes Hardaker (c) 2000
4 * wjhardaker@ucdavis.edu
5 * Richard Sharpe (C) 2002, rsharpe@samba.org, modularized a bit more and
6 * added AP-REQ and AP-REP dissection
8 * Ronnie Sahlberg (C) 2004, major rewrite for new ASN.1/BER API.
9 * decryption of kerberos blobs if keytab is provided
11 * See RFC 1510, and various I-Ds and other documents showing additions,
12 * e.g. ones listed under
14 * http://www.isi.edu/people/bcn/krb-revisions/
18 * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt
22 * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-05.txt
24 * Some structures from RFC2630
26 * Wireshark - Network traffic analyzer
27 * By Gerald Combs <gerald@wireshark.org>
28 * Copyright 1998 Gerald Combs
30 * SPDX-License-Identifier: GPL-2.0-or-later
34 * Some of the development of the Kerberos protocol decoder was sponsored by
35 * Cable Television Laboratories, Inc. ("CableLabs") based upon proprietary
36 * CableLabs' specifications. Your license and use of this protocol decoder
37 * does not mean that you are licensed to use the CableLabs'
38 * specifications. If you have questions about this protocol, contact
39 * jf.mule [AT] cablelabs.com or c.stuart [AT] cablelabs.com for additional
46 #define HAVE_KRB5_CRYPTO_FX_CF2 1
47 #define HAVE_KRB5_C_FX_CF2_SIMPLE 1
51 #include <epan/packet.h>
52 #include <epan/exceptions.h>
53 #include <epan/strutil.h>
54 #include <epan/conversation.h>
55 #include <epan/asn1.h>
56 #include <epan/expert.h>
57 #include <epan/prefs.h>
58 #include <epan/proto_data.h>
59 #include <wsutil/wsgcrypt.h>
60 #include <wsutil/file_util.h>
61 #include <wsutil/str_util.h>
62 #include "packet-kerberos.h"
63 #include "packet-netbios.h"
64 #include "packet-tcp.h"
65 #include "packet-ber.h"
66 #include "packet-pkinit.h"
67 #include "packet-cms.h"
68 #include "packet-windows-common.h"
70 #include "read_keytab_file.h"
72 #include "packet-dcerpc-netlogon.h"
73 #include "packet-dcerpc.h"
75 #include "packet-gssapi.h"
76 #include "packet-smb-common.h"
77 #include "packet-x509af.h"
79 #define KEY_USAGE_FAST_REQ_CHKSUM 50
80 #define KEY_USAGE_FAST_ENC 51
81 #define KEY_USAGE_FAST_REP 52
82 #define KEY_USAGE_FAST_FINISHED 53
83 #define KEY_USAGE_ENC_CHALLENGE_CLIENT 54
84 #define KEY_USAGE_ENC_CHALLENGE_KDC 55
86 void proto_register_kerberos(void);
87 void proto_reg_handoff_kerberos(void);
89 #define UDP_PORT_KERBEROS 88
90 #define TCP_PORT_KERBEROS 88
92 #define ADDRESS_STR_BUFSIZ 256
94 typedef struct kerberos_key {
97 const guint8 *keyvalue;
102 gboolean kdc_response_initialized;
103 gboolean kdc_response;
105 gboolean try_nt_status;
108 guint32 is_enc_padata;
113 guint32 checksum_type;
114 const enc_key_t *last_decryption_key;
116 gboolean fast_armor_request;
117 gboolean fast_armor_within_enc_ticket_part;
118 const enc_key_t *fast_armor_ticket_sessionkey;
119 gboolean fast_armor_within_authenticator;
120 const enc_key_t *fast_armor_remote_subkey;
121 const enc_key_t *fast_armor_key;
122 gboolean fast_strengthen_key_needed;
123 const enc_key_t *fast_strengthen_key;
124 } kerberos_private_data_t;
126 static dissector_handle_t kerberos_handle_udp;
128 /* Forward declarations */
129 static int dissect_kerberos_Applications(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
130 static int dissect_kerberos_AuthorizationData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
131 static int dissect_kerberos_PA_ENC_TIMESTAMP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
132 static int dissect_kerberos_PA_ENC_TS_ENC(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
133 static int dissect_kerberos_PA_PAC_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
134 static int dissect_kerberos_PA_S4U2Self(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
135 static int dissect_kerberos_PA_S4U_X509_USER(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
136 static int dissect_kerberos_ETYPE_INFO(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
137 static int dissect_kerberos_ETYPE_INFO2(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
138 static int dissect_kerberos_AD_IF_RELEVANT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
139 static int dissect_kerberos_PA_AUTHENTICATION_SET_ELEM(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
140 static int dissect_kerberos_PA_FX_FAST_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
141 static int dissect_kerberos_PA_FX_FAST_REPLY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
142 static int dissect_kerberos_KrbFastReq(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
143 static int dissect_kerberos_KrbFastResponse(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
144 static int dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
145 static int dissect_kerberos_PA_SUPPORTED_ENCTYPES(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
146 static int dissect_kerberos_PA_PAC_OPTIONS(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
147 static int dissect_kerberos_KERB_AD_RESTRICTION_ENTRY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
148 static int dissect_kerberos_AD_AP_OPTIONS(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
149 static int dissect_kerberos_Checksum(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
151 /* Desegment Kerberos over TCP messages */
152 static gboolean krb_desegment = TRUE;
154 static gint proto_kerberos = -1;
156 static gint hf_krb_rm_reserved = -1;
157 static gint hf_krb_rm_reclen = -1;
158 static gint hf_krb_provsrv_location = -1;
159 static gint hf_krb_smb_nt_status = -1;
160 static gint hf_krb_smb_unknown = -1;
161 static gint hf_krb_address_ip = -1;
162 static gint hf_krb_address_netbios = -1;
163 static gint hf_krb_address_ipv6 = -1;
164 static gint hf_krb_gssapi_len = -1;
165 static gint hf_krb_gssapi_bnd = -1;
166 static gint hf_krb_gssapi_dlgopt = -1;
167 static gint hf_krb_gssapi_dlglen = -1;
168 static gint hf_krb_gssapi_c_flag_deleg = -1;
169 static gint hf_krb_gssapi_c_flag_mutual = -1;
170 static gint hf_krb_gssapi_c_flag_replay = -1;
171 static gint hf_krb_gssapi_c_flag_sequence = -1;
172 static gint hf_krb_gssapi_c_flag_conf = -1;
173 static gint hf_krb_gssapi_c_flag_integ = -1;
174 static gint hf_krb_gssapi_c_flag_dce_style = -1;
175 static gint hf_krb_midl_version = -1;
176 static gint hf_krb_midl_hdr_len = -1;
177 static gint hf_krb_midl_fill_bytes = -1;
178 static gint hf_krb_midl_blob_len = -1;
179 static gint hf_krb_pac_signature_type = -1;
180 static gint hf_krb_pac_signature_signature = -1;
181 static gint hf_krb_w2k_pac_entries = -1;
182 static gint hf_krb_w2k_pac_version = -1;
183 static gint hf_krb_w2k_pac_type = -1;
184 static gint hf_krb_w2k_pac_size = -1;
185 static gint hf_krb_w2k_pac_offset = -1;
186 static gint hf_krb_pac_clientid = -1;
187 static gint hf_krb_pac_namelen = -1;
188 static gint hf_krb_pac_clientname = -1;
189 static gint hf_krb_pac_logon_info = -1;
190 static gint hf_krb_pac_credential_data = -1;
191 static gint hf_krb_pac_credential_info = -1;
192 static gint hf_krb_pac_credential_info_version = -1;
193 static gint hf_krb_pac_credential_info_etype = -1;
194 static gint hf_krb_pac_s4u_delegation_info = -1;
195 static gint hf_krb_pac_upn_dns_info = -1;
196 static gint hf_krb_pac_upn_flags = -1;
197 static gint hf_krb_pac_upn_dns_offset = -1;
198 static gint hf_krb_pac_upn_dns_len = -1;
199 static gint hf_krb_pac_upn_upn_offset = -1;
200 static gint hf_krb_pac_upn_upn_len = -1;
201 static gint hf_krb_pac_upn_upn_name = -1;
202 static gint hf_krb_pac_upn_dns_name = -1;
203 static gint hf_krb_pac_server_checksum = -1;
204 static gint hf_krb_pac_privsvr_checksum = -1;
205 static gint hf_krb_pac_client_info_type = -1;
206 static gint hf_krb_pa_supported_enctypes = -1;
207 static gint hf_krb_pa_supported_enctypes_des_cbc_crc = -1;
208 static gint hf_krb_pa_supported_enctypes_des_cbc_md5 = -1;
209 static gint hf_krb_pa_supported_enctypes_rc4_hmac = -1;
210 static gint hf_krb_pa_supported_enctypes_aes128_cts_hmac_sha1_96 = -1;
211 static gint hf_krb_pa_supported_enctypes_aes256_cts_hmac_sha1_96 = -1;
212 static gint hf_krb_pa_supported_enctypes_fast_supported = -1;
213 static gint hf_krb_pa_supported_enctypes_compound_identity_supported = -1;
214 static gint hf_krb_pa_supported_enctypes_claims_supported = -1;
215 static gint hf_krb_pa_supported_enctypes_resource_sid_compression_disabled = -1;
216 static gint hf_krb_ad_ap_options = -1;
217 static gint hf_krb_ad_ap_options_cbt = -1;
218 #include "packet-kerberos-hf.c"
220 /* Initialize the subtree pointers */
221 static gint ett_kerberos = -1;
222 static gint ett_krb_recordmark = -1;
223 static gint ett_krb_pac = -1;
224 static gint ett_krb_pac_drep = -1;
225 static gint ett_krb_pac_midl_blob = -1;
226 static gint ett_krb_pac_logon_info = -1;
227 static gint ett_krb_pac_credential_info = -1;
228 static gint ett_krb_pac_s4u_delegation_info = -1;
229 static gint ett_krb_pac_upn_dns_info = -1;
230 static gint ett_krb_pac_server_checksum = -1;
231 static gint ett_krb_pac_privsvr_checksum = -1;
232 static gint ett_krb_pac_client_info_type = -1;
233 static gint ett_krb_pa_supported_enctypes = -1;
234 static gint ett_krb_ad_ap_options = -1;
235 #include "packet-kerberos-ett.c"
237 static expert_field ei_kerberos_decrypted_keytype = EI_INIT;
238 static expert_field ei_kerberos_address = EI_INIT;
239 static expert_field ei_krb_gssapi_dlglen = EI_INIT;
241 static dissector_handle_t krb4_handle=NULL;
243 /* Global variables */
244 static guint32 gbl_keytype;
245 static gboolean gbl_do_col_info;
247 #include "packet-kerberos-val.h"
250 call_kerberos_callbacks(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int tag, kerberos_callbacks *cb)
258 cb->callback(pinfo, tvb, tree);
266 static kerberos_private_data_t*
267 kerberos_get_private_data_p(packet_info *pinfo)
269 void *p = p_get_proto_data(pinfo->pool, pinfo, proto_kerberos, 0);
271 p = wmem_new0(pinfo->pool, kerberos_private_data_t);
272 p_add_proto_data(pinfo->pool, pinfo, proto_kerberos, 0, p);
274 return (kerberos_private_data_t *)(p);
277 static kerberos_private_data_t*
278 kerberos_get_private_data(asn1_ctx_t *actx)
280 if (actx->private_data == NULL) {
281 actx->private_data = kerberos_get_private_data_p(actx->pinfo);
283 return (kerberos_private_data_t *)(actx->private_data);
288 /* Decrypt Kerberos blobs */
289 gboolean krb_decrypt = FALSE;
291 /* keytab filename */
292 static const char *keytab_filename = "";
295 read_keytab_file_from_preferences(void)
297 static char *last_keytab = NULL;
303 if (keytab_filename == NULL) {
307 if (last_keytab && !strcmp(last_keytab, keytab_filename)) {
312 last_keytab = g_strdup(keytab_filename);
314 read_keytab_file(last_keytab);
316 #endif /* HAVE_KERBEROS */
318 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
320 /* prevent redefinition warnings in kfw-2.5\inc\win_mac.h */
321 #undef HAVE_GETADDRINFO
322 #undef HAVE_SYS_TYPES_H
325 enc_key_t *enc_key_list=NULL;
328 add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin)
332 if(pinfo->fd->visited){
336 new_key=(enc_key_t *)g_malloc(sizeof(enc_key_t));
337 g_snprintf(new_key->key_origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u",origin,pinfo->num);
338 new_key->fd_num = pinfo->num;
339 new_key->next=enc_key_list;
340 enc_key_list=new_key;
341 new_key->keytype=keytype;
342 new_key->keylength=keylength;
343 /*XXX this needs to be freed later */
344 new_key->keyvalue=(char *)g_memdup(keyvalue, keylength);
348 krb5_fast_key(packet_info *pinfo,
349 const enc_key_t *ek1, const char *p1,
350 const enc_key_t *ek2, const char *p2,
354 krb5_fast_armor_key(packet_info *pinfo,
355 const enc_key_t *remote_subkey,
356 const enc_key_t *ticket_sessionkey)
358 kerberos_private_data_t *private_data = kerberos_get_private_data_p(pinfo);
367 private_data->fast_armor_key = enc_key_list;
370 #endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
372 #if defined(HAVE_MIT_KERBEROS)
374 static krb5_context krb5_ctx;
377 krb5_fast_key(packet_info *pinfo,
378 const enc_key_t *ek1, const char *p1,
379 const enc_key_t *ek2, const char *p2,
382 #ifdef HAVE_KRB5_C_FX_CF2_SIMPLE
386 krb5_keyblock *k = NULL;
400 k1.magic = KV5M_KEYBLOCK;
401 k1.enctype = ek1->keytype;
402 k1.length = ek1->keylength;
403 k1.contents = (guint8 *)ek1->keyvalue;
405 k2.magic = KV5M_KEYBLOCK;
406 k2.enctype = ek2->keytype;
407 k2.length = ek2->keylength;
408 k2.contents = (guint8 *)ek2->keyvalue;
410 ret = krb5_c_fx_cf2_simple(krb5_ctx, &k1, p1, &k2, p2, &k);
415 add_encryption_key(pinfo, k->enctype, k->length,
416 (const char *)k->contents, origin);
418 krb5_free_keyblock(krb5_ctx, k);
422 USES_APPLE_DEPRECATED_API
424 read_keytab_file(const char *filename)
428 krb5_keytab_entry key;
429 krb5_kt_cursor cursor;
430 static gboolean first_time=TRUE;
432 if (filename == NULL || filename[0] == 0) {
438 ret = krb5_init_context(&krb5_ctx);
439 if(ret && ret != KRB5_CONFIG_CANTOPEN){
444 /* should use a file in the wireshark users dir */
445 ret = krb5_kt_resolve(krb5_ctx, filename, &keytab);
447 fprintf(stderr, "KERBEROS ERROR: Badly formatted keytab filename :%s\n",filename);
452 ret = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
454 fprintf(stderr, "KERBEROS ERROR: Could not open or could not read from keytab file :%s\n",filename);
459 ret = krb5_kt_next_entry(krb5_ctx, keytab, &key, &cursor);
465 new_key = g_new(enc_key_t, 1);
466 new_key->fd_num = -1;
467 new_key->next = enc_key_list;
469 /* generate origin string, describing where this key came from */
470 pos=new_key->key_origin;
471 pos+=MIN(KRB_MAX_ORIG_LEN,
472 g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal "));
473 for(i=0;i<key.principal->length;i++){
474 pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
475 g_snprintf(pos, (gulong)(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin)), "%s%s",(i?"/":""),(key.principal->data[i]).data));
477 pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
478 g_snprintf(pos, (gulong)(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin)), "@%s",key.principal->realm.data));
480 new_key->keytype=key.key.enctype;
481 new_key->keylength=key.key.length;
482 new_key->keyvalue=(char *)g_memdup(key.key.contents, key.key.length);
483 enc_key_list=new_key;
484 ret = krb5_free_keytab_entry_contents(krb5_ctx, &key);
486 fprintf(stderr, "KERBEROS ERROR: Could not release the entry: %d", ret);
487 ret = 0; /* try to continue with the next entry */
492 ret = krb5_kt_end_seq_get(krb5_ctx, keytab, &cursor);
494 fprintf(stderr, "KERBEROS ERROR: Could not release the keytab cursor: %d", ret);
496 ret = krb5_kt_close(krb5_ctx, keytab);
498 fprintf(stderr, "KERBEROS ERROR: Could not close the key table handle: %d", ret);
504 decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
510 kerberos_private_data_t *private_data = kerberos_get_private_data_p(pinfo);
511 #ifdef HAVE_KRB5_C_FX_CF2_SIMPLE
512 const enc_key_t *ak = private_data->fast_armor_key;
513 const enc_key_t *sk = private_data->fast_strengthen_key;
517 krb5_data data = {0,0,NULL};
518 krb5_keytab_entry key;
519 int length = tvb_captured_length(cryptotvb);
520 const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length);
522 /* don't do anything if we are not attempting to decrypt data */
523 if(!krb_decrypt || length < 1){
527 /* make sure we have all the data we need */
528 if (tvb_captured_length(cryptotvb) < tvb_reported_length(cryptotvb)) {
532 read_keytab_file_from_preferences();
533 data.data = (char *)wmem_alloc(pinfo->pool, length);
534 data.length = length;
536 for(ek=enc_key_list;ek;ek=ek->next){
539 /* shortcircuit and bail out if enctypes are not matching */
540 if((keytype != -1) && (ek->keytype != keytype)) {
544 input.enctype = ek->keytype;
545 input.ciphertext.length = length;
546 input.ciphertext.data = (guint8 *)cryptotext;
548 #ifdef HAVE_KRB5_C_FX_CF2_SIMPLE
553 if (ak != NULL && ak != ek && ak->keytype == ek->keytype) {
556 krb5_keyblock *k = NULL;
557 const char *p1 = NULL;
559 k1.magic = KV5M_KEYBLOCK;
560 k1.enctype = ak->keytype;
561 k1.length = ak->keylength;
562 k1.contents = (guint8 *)ak->keyvalue;
564 k2.magic = KV5M_KEYBLOCK;
565 k2.enctype = ek->keytype;
566 k2.length = ek->keylength;
567 k2.contents = (guint8 *)ek->keyvalue;
569 if (private_data->kdc_response) {
570 p1 = "kdcchallengearmor";
572 p1 = "clientchallengearmor";
575 ret = krb5_c_fx_cf2_simple(krb5_ctx,
577 &k2, "challengelongterm",
583 ret = krb5_c_decrypt(krb5_ctx, k, usage, 0, &input, &data);
587 add_encryption_key(pinfo, k->enctype, k->length,
588 (const char *)k->contents,
590 krb5_free_keyblock(krb5_ctx, k);
592 proto_tree_add_expert_format(tree, pinfo, &ei_kerberos_decrypted_keytype,
594 "Decrypted keytype %d in frame %u using %s",
595 ek->keytype, pinfo->fd->num, ek->key_origin);
596 private_data->last_decryption_key = ek;
598 /* return a private g_malloced blob to the caller */
601 *datalen = data.length;
606 krb5_free_keyblock(krb5_ctx, k);
609 if (sk != NULL && sk != ek && sk->keytype == ek->keytype) {
612 krb5_keyblock *k = NULL;
614 k1.magic = KV5M_KEYBLOCK;
615 k1.enctype = sk->keytype;
616 k1.length = sk->keylength;
617 k1.contents = (guint8 *)sk->keyvalue;
619 k2.magic = KV5M_KEYBLOCK;
620 k2.enctype = ek->keytype;
621 k2.length = ek->keylength;
622 k2.contents = (guint8 *)ek->keyvalue;
624 ret = krb5_c_fx_cf2_simple(krb5_ctx,
625 &k1, "strengthenkey",
632 ret = krb5_c_decrypt(krb5_ctx, k, usage, 0, &input, &data);
636 add_encryption_key(pinfo, k->enctype, k->length,
637 (const char *)k->contents,
639 krb5_free_keyblock(krb5_ctx, k);
641 proto_tree_add_expert_format(tree, pinfo, &ei_kerberos_decrypted_keytype,
643 "Decrypted keytype %d in frame %u using %s",
644 ek->keytype, pinfo->fd->num, ek->key_origin);
645 private_data->last_decryption_key = ek;
647 /* return a private g_malloced blob to the caller */
650 *datalen = data.length;
655 krb5_free_keyblock(krb5_ctx, k);
659 key.key.enctype=ek->keytype;
660 key.key.length=ek->keylength;
661 key.key.contents=ek->keyvalue;
662 ret = krb5_c_decrypt(krb5_ctx, &(key.key), usage, 0, &input, &data);
666 proto_tree_add_expert_format(tree, pinfo, &ei_kerberos_decrypted_keytype,
668 "Decrypted keytype %d in frame %u using %s",
669 ek->keytype, pinfo->num, ek->key_origin);
670 private_data->last_decryption_key = ek;
674 *datalen = data.length;
684 #elif defined(HAVE_HEIMDAL_KERBEROS)
685 static krb5_context krb5_ctx;
687 USES_APPLE_DEPRECATED_API
690 krb5_fast_key(packet_info *pinfo,
691 const enc_key_t *ek1, const char *p1,
692 const enc_key_t *ek2, const char *p2,
695 #ifdef HAVE_KRB5_CRYPTO_FX_CF2
700 read_keytab_file(const char *filename)
704 krb5_keytab_entry key;
705 krb5_kt_cursor cursor;
707 static gboolean first_time=TRUE;
709 if (filename == NULL || filename[0] == 0) {
715 ret = krb5_init_context(&krb5_ctx);
721 /* should use a file in the wireshark users dir */
722 ret = krb5_kt_resolve(krb5_ctx, filename, &keytab);
724 fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename);
729 ret = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
731 fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename);
736 ret = krb5_kt_next_entry(krb5_ctx, keytab, &key, &cursor);
741 new_key = g_new0(enc_key_t, 1);
742 new_key->fd_num = -1;
743 new_key->next = enc_key_list;
745 /* generate origin string, describing where this key came from */
746 pos=new_key->key_origin;
747 pos+=MIN(KRB_MAX_ORIG_LEN,
748 g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal "));
749 for(i=0;i<key.principal->name.name_string.len;i++){
750 pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
751 g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),key.principal->name.name_string.val[i]));
753 pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
754 g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm));
756 new_key->keytype=key.keyblock.keytype;
757 new_key->keylength=(int)key.keyblock.keyvalue.length;
758 new_key->keyvalue = (guint8 *)g_memdup(key.keyblock.keyvalue.data, (guint)key.keyblock.keyvalue.length);
759 enc_key_list=new_key;
760 ret = krb5_kt_free_entry(krb5_ctx, &key);
762 fprintf(stderr, "KERBEROS ERROR: Could not release the entry: %d", ret);
763 ret = 0; /* try to continue with the next entry */
768 ret = krb5_kt_end_seq_get(krb5_ctx, keytab, &cursor);
770 fprintf(stderr, "KERBEROS ERROR: Could not release the keytab cursor: %d", ret);
772 ret = krb5_kt_close(krb5_ctx, keytab);
774 fprintf(stderr, "KERBEROS ERROR: Could not close the key table handle: %d", ret);
782 decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
791 int length = tvb_captured_length(cryptotvb);
792 const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length);
794 /* don't do anything if we are not attempting to decrypt data */
799 /* make sure we have all the data we need */
800 if (tvb_captured_length(cryptotvb) < tvb_reported_length(cryptotvb)) {
804 read_keytab_file_from_preferences();
806 for(ek=enc_key_list;ek;ek=ek->next){
807 krb5_keytab_entry key;
809 guint8 *cryptocopy; /* workaround for pre-0.6.1 heimdal bug */
811 /* shortcircuit and bail out if enctypes are not matching */
812 if((keytype != -1) && (ek->keytype != keytype)) {
816 key.keyblock.keytype=ek->keytype;
817 key.keyblock.keyvalue.length=ek->keylength;
818 key.keyblock.keyvalue.data=ek->keyvalue;
819 ret = krb5_crypto_init(krb5_ctx, &(key.keyblock), (krb5_enctype)ENCTYPE_NULL, &crypto);
824 /* pre-0.6.1 versions of Heimdal would sometimes change
825 the cryptotext data even when the decryption failed.
826 This would obviously not work since we iterate over the
827 keys. So just give it a copy of the crypto data instead.
828 This has been seen for RC4-HMAC blobs.
830 cryptocopy = (guint8 *)wmem_memdup(wmem_packet_scope(), cryptotext, length);
831 ret = krb5_decrypt_ivec(krb5_ctx, crypto, usage,
835 if((ret == 0) && (length>0)){
838 proto_tree_add_expert_format(tree, pinfo, &ei_kerberos_decrypted_keytype,
840 "Decrypted keytype %d in frame %u using %s",
841 ek->keytype, pinfo->num, ek->key_origin);
843 krb5_crypto_destroy(krb5_ctx, crypto);
844 /* return a private wmem_alloced blob to the caller */
845 user_data = (char *)wmem_memdup(pinfo->pool, data.data, (guint)data.length);
847 *datalen = (int)data.length;
851 krb5_crypto_destroy(krb5_ctx, crypto);
856 #elif defined (HAVE_LIBNETTLE)
858 #define SERVICE_KEY_SIZE (DES3_KEY_SIZE + 2)
859 #define KEYTYPE_DES3_CBC_MD5 5 /* Currently the only one supported */
861 typedef struct _service_key_t {
866 char origin[KRB_MAX_ORIG_LEN+1];
868 GSList *service_key_list = NULL;
872 add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin)
874 service_key_t *new_key;
876 if(pinfo->fd->visited){
880 new_key = g_malloc(sizeof(service_key_t));
882 new_key->keytype = keytype;
883 new_key->length = keylength;
884 new_key->contents = g_memdup(keyvalue, keylength);
885 g_snprintf(new_key->origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u", origin, pinfo->num);
886 service_key_list = g_slist_append(service_key_list, (gpointer) new_key);
894 for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
895 sk = (service_key_t *) ske->data;
897 g_free(sk->contents);
901 g_slist_free(service_key_list);
902 service_key_list = NULL;
906 read_keytab_file(const char *service_key_file)
911 unsigned char buf[SERVICE_KEY_SIZE];
912 int newline_skip = 0, count = 0;
914 if (service_key_file != NULL && ws_stat64 (service_key_file, &st) == 0) {
916 /* The service key file contains raw 192-bit (24 byte) 3DES keys.
917 * There can be zero, one (\n), or two (\r\n) characters between
918 * keys. Trailing characters are ignored.
921 /* XXX We should support the standard keytab format instead */
922 if (st.st_size > SERVICE_KEY_SIZE) {
923 if ( (st.st_size % (SERVICE_KEY_SIZE + 1) == 0) ||
924 (st.st_size % (SERVICE_KEY_SIZE + 1) == SERVICE_KEY_SIZE) ) {
926 } else if ( (st.st_size % (SERVICE_KEY_SIZE + 2) == 0) ||
927 (st.st_size % (SERVICE_KEY_SIZE + 2) == SERVICE_KEY_SIZE) ) {
932 skf = ws_fopen(service_key_file, "rb");
935 while (fread(buf, SERVICE_KEY_SIZE, 1, skf) == 1) {
936 sk = g_malloc(sizeof(service_key_t));
937 sk->kvno = buf[0] << 8 | buf[1];
938 sk->keytype = KEYTYPE_DES3_CBC_MD5;
939 sk->length = DES3_KEY_SIZE;
940 sk->contents = g_memdup(buf + 2, DES3_KEY_SIZE);
941 g_snprintf(sk->origin, KRB_MAX_ORIG_LEN, "3DES service key file, key #%d, offset %ld", count, ftell(skf));
942 service_key_list = g_slist_append(service_key_list, (gpointer) sk);
943 if (fseek(skf, newline_skip, SEEK_CUR) < 0) {
944 fprintf(stderr, "unable to seek...\n");
953 #define CONFOUNDER_PLUS_CHECKSUM 24
956 decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
963 guint8 *decrypted_data = NULL, *plaintext = NULL;
966 guint32 tag, item_len, data_len;
967 int id_offset, offset;
968 guint8 key[DES3_KEY_SIZE];
969 guint8 initial_vector[DES_BLOCK_SIZE];
970 gcry_md_hd_t md5_handle;
972 guint8 zero_fill[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
973 guint8 confounder[8];
978 int length = tvb_captured_length(cryptotvb);
979 const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length);
982 /* don't do anything if we are not attempting to decrypt data */
987 /* make sure we have all the data we need */
988 if (tvb_captured_length(cryptotvb) < tvb_reported_length(cryptotvb)) {
992 if (keytype != KEYTYPE_DES3_CBC_MD5 || service_key_list == NULL) {
996 decrypted_data = wmem_alloc(wmem_packet_scope(), length);
997 for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
998 gboolean do_continue = FALSE;
1000 sk = (service_key_t *) ske->data;
1002 des_fix_parity(DES3_KEY_SIZE, key, sk->contents);
1004 memset(initial_vector, 0, DES_BLOCK_SIZE);
1005 des3_set_key(&ctx, key);
1006 cbc_decrypt(&ctx, des3_decrypt, DES_BLOCK_SIZE, initial_vector,
1007 length, decrypted_data, cryptotext);
1008 encr_tvb = tvb_new_real_data(decrypted_data, length, length);
1010 tvb_memcpy(encr_tvb, confounder, 0, 8);
1012 /* We have to pull the decrypted data length from the decrypted
1013 * content. If the key doesn't match or we otherwise get garbage,
1014 * an exception may get thrown while decoding the ASN.1 header.
1015 * Catch it, just in case.
1018 id_offset = get_ber_identifier(encr_tvb, CONFOUNDER_PLUS_CHECKSUM, &cls, &pc, &tag);
1019 offset = get_ber_length(encr_tvb, id_offset, &item_len, &ind);
1021 CATCH_BOUNDS_ERRORS {
1027 if (do_continue) continue;
1029 data_len = item_len + offset - CONFOUNDER_PLUS_CHECKSUM;
1030 if ((int) item_len + offset > length) {
1035 if (gcry_md_open(&md5_handle, GCRY_MD_MD5, 0)) {
1038 gcry_md_write(md5_handle, confounder, 8);
1039 gcry_md_write(md5_handle, zero_fill, 16);
1040 gcry_md_write(md5_handle, decrypted_data + CONFOUNDER_PLUS_CHECKSUM, data_len);
1041 digest = gcry_md_read(md5_handle, 0);
1043 digest_ok = (tvb_memeql (encr_tvb, 8, digest, HASH_MD5_LENGTH) == 0);
1044 gcry_md_close(md5_handle);
1046 plaintext = (guint8* )tvb_memdup(pinfo->pool, encr_tvb, CONFOUNDER_PLUS_CHECKSUM, data_len);
1050 *datalen = data_len;
1060 #endif /* HAVE_MIT_KERBEROS / HAVE_HEIMDAL_KERBEROS / HAVE_LIBNETTLE */
1062 #define INET6_ADDRLEN 16
1064 /* TCP Record Mark */
1065 #define KRB_RM_RESERVED 0x80000000U
1066 #define KRB_RM_RECLEN 0x7fffffffU
1068 #define KRB5_MSG_TICKET 1 /* Ticket */
1069 #define KRB5_MSG_AUTHENTICATOR 2 /* Authenticator */
1070 #define KRB5_MSG_ENC_TICKET_PART 3 /* EncTicketPart */
1071 #define KRB5_MSG_AS_REQ 10 /* AS-REQ type */
1072 #define KRB5_MSG_AS_REP 11 /* AS-REP type */
1073 #define KRB5_MSG_TGS_REQ 12 /* TGS-REQ type */
1074 #define KRB5_MSG_TGS_REP 13 /* TGS-REP type */
1075 #define KRB5_MSG_AP_REQ 14 /* AP-REQ type */
1076 #define KRB5_MSG_AP_REP 15 /* AP-REP type */
1078 #define KRB5_MSG_SAFE 20 /* KRB-SAFE type */
1079 #define KRB5_MSG_PRIV 21 /* KRB-PRIV type */
1080 #define KRB5_MSG_CRED 22 /* KRB-CRED type */
1081 #define KRB5_MSG_ENC_AS_REP_PART 25 /* EncASRepPart */
1082 #define KRB5_MSG_ENC_TGS_REP_PART 26 /* EncTGSRepPart */
1083 #define KRB5_MSG_ENC_AP_REP_PART 27 /* EncAPRepPart */
1084 #define KRB5_MSG_ENC_KRB_PRIV_PART 28 /* EncKrbPrivPart */
1085 #define KRB5_MSG_ENC_KRB_CRED_PART 29 /* EncKrbCredPart */
1086 #define KRB5_MSG_ERROR 30 /* KRB-ERROR type */
1088 #define KRB5_CHKSUM_GSSAPI 0x8003
1090 * For KERB_ENCTYPE_RC4_HMAC and KERB_ENCTYPE_RC4_HMAC_EXP, see
1092 * http://www.ietf.org/internet-drafts/draft-brezak-win2k-krb-rc4-hmac-04.txt
1094 * unless it's expired.
1097 /* Principal name-type */
1098 #define KRB5_NT_UNKNOWN 0
1099 #define KRB5_NT_PRINCIPAL 1
1100 #define KRB5_NT_SRV_INST 2
1101 #define KRB5_NT_SRV_HST 3
1102 #define KRB5_NT_SRV_XHST 4
1103 #define KRB5_NT_UID 5
1104 #define KRB5_NT_X500_PRINCIPAL 6
1105 #define KRB5_NT_SMTP_NAME 7
1106 #define KRB5_NT_ENTERPRISE 10
1109 * MS specific name types, from
1111 * http://msdn.microsoft.com/library/en-us/security/security/kerb_external_name.asp
1113 #define KRB5_NT_MS_PRINCIPAL -128
1114 #define KRB5_NT_MS_PRINCIPAL_AND_SID -129
1115 #define KRB5_NT_ENT_PRINCIPAL_AND_SID -130
1116 #define KRB5_NT_PRINCIPAL_AND_SID -131
1117 #define KRB5_NT_SRV_INST_AND_SID -132
1119 /* error table constants */
1120 /* I prefixed the krb5_err.et constant names with KRB5_ET_ for these */
1121 #define KRB5_ET_KRB5KDC_ERR_NONE 0
1122 #define KRB5_ET_KRB5KDC_ERR_NAME_EXP 1
1123 #define KRB5_ET_KRB5KDC_ERR_SERVICE_EXP 2
1124 #define KRB5_ET_KRB5KDC_ERR_BAD_PVNO 3
1125 #define KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO 4
1126 #define KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO 5
1127 #define KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN 6
1128 #define KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN 7
1129 #define KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE 8
1130 #define KRB5_ET_KRB5KDC_ERR_NULL_KEY 9
1131 #define KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE 10
1132 #define KRB5_ET_KRB5KDC_ERR_NEVER_VALID 11
1133 #define KRB5_ET_KRB5KDC_ERR_POLICY 12
1134 #define KRB5_ET_KRB5KDC_ERR_BADOPTION 13
1135 #define KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP 14
1136 #define KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP 15
1137 #define KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP 16
1138 #define KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP 17
1139 #define KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED 18
1140 #define KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED 19
1141 #define KRB5_ET_KRB5KDC_ERR_TGT_REVOKED 20
1142 #define KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET 21
1143 #define KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET 22
1144 #define KRB5_ET_KRB5KDC_ERR_KEY_EXP 23
1145 #define KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED 24
1146 #define KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED 25
1147 #define KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH 26
1148 #define KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER 27
1149 #define KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED 28
1150 #define KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE 29
1151 #define KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY 31
1152 #define KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED 32
1153 #define KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV 33
1154 #define KRB5_ET_KRB5KRB_AP_ERR_REPEAT 34
1155 #define KRB5_ET_KRB5KRB_AP_ERR_NOT_US 35
1156 #define KRB5_ET_KRB5KRB_AP_ERR_BADMATCH 36
1157 #define KRB5_ET_KRB5KRB_AP_ERR_SKEW 37
1158 #define KRB5_ET_KRB5KRB_AP_ERR_BADADDR 38
1159 #define KRB5_ET_KRB5KRB_AP_ERR_BADVERSION 39
1160 #define KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE 40
1161 #define KRB5_ET_KRB5KRB_AP_ERR_MODIFIED 41
1162 #define KRB5_ET_KRB5KRB_AP_ERR_BADORDER 42
1163 #define KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT 43
1164 #define KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER 44
1165 #define KRB5_ET_KRB5KRB_AP_ERR_NOKEY 45
1166 #define KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL 46
1167 #define KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION 47
1168 #define KRB5_ET_KRB5KRB_AP_ERR_METHOD 48
1169 #define KRB5_ET_KRB5KRB_AP_ERR_BADSEQ 49
1170 #define KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM 50
1171 #define KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED 51
1172 #define KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG 52
1173 #define KRB5_ET_KRB5KRB_ERR_GENERIC 60
1174 #define KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG 61
1175 #define KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED 62
1176 #define KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED 63
1177 #define KRB5_ET_KDC_ERROR_INVALID_SIG 64
1178 #define KRB5_ET_KDC_ERR_KEY_TOO_WEAK 65
1179 #define KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH 66
1180 #define KRB5_ET_KRB_AP_ERR_NO_TGT 67
1181 #define KRB5_ET_KDC_ERR_WRONG_REALM 68
1182 #define KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED 69
1183 #define KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE 70
1184 #define KRB5_ET_KDC_ERR_INVALID_CERTIFICATE 71
1185 #define KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE 72
1186 #define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN 73
1187 #define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74
1188 #define KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH 75
1189 #define KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH 76
1190 #define KRB5_ET_KDC_ERR_PREAUTH_EXPIRED 90
1191 #define KRB5_ET_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91
1192 #define KRB5_ET_KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET 92
1193 #define KRB5_ET_KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS 93
1195 static const value_string krb5_error_codes[] = {
1196 { KRB5_ET_KRB5KDC_ERR_NONE, "KRB5KDC_ERR_NONE" },
1197 { KRB5_ET_KRB5KDC_ERR_NAME_EXP, "KRB5KDC_ERR_NAME_EXP" },
1198 { KRB5_ET_KRB5KDC_ERR_SERVICE_EXP, "KRB5KDC_ERR_SERVICE_EXP" },
1199 { KRB5_ET_KRB5KDC_ERR_BAD_PVNO, "KRB5KDC_ERR_BAD_PVNO" },
1200 { KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO, "KRB5KDC_ERR_C_OLD_MAST_KVNO" },
1201 { KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO, "KRB5KDC_ERR_S_OLD_MAST_KVNO" },
1202 { KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" },
1203 { KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" },
1204 { KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, "KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE" },
1205 { KRB5_ET_KRB5KDC_ERR_NULL_KEY, "KRB5KDC_ERR_NULL_KEY" },
1206 { KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE, "KRB5KDC_ERR_CANNOT_POSTDATE" },
1207 { KRB5_ET_KRB5KDC_ERR_NEVER_VALID, "KRB5KDC_ERR_NEVER_VALID" },
1208 { KRB5_ET_KRB5KDC_ERR_POLICY, "KRB5KDC_ERR_POLICY" },
1209 { KRB5_ET_KRB5KDC_ERR_BADOPTION, "KRB5KDC_ERR_BADOPTION" },
1210 { KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP, "KRB5KDC_ERR_ETYPE_NOSUPP" },
1211 { KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP, "KRB5KDC_ERR_SUMTYPE_NOSUPP" },
1212 { KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP, "KRB5KDC_ERR_PADATA_TYPE_NOSUPP" },
1213 { KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP, "KRB5KDC_ERR_TRTYPE_NOSUPP" },
1214 { KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED, "KRB5KDC_ERR_CLIENT_REVOKED" },
1215 { KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED, "KRB5KDC_ERR_SERVICE_REVOKED" },
1216 { KRB5_ET_KRB5KDC_ERR_TGT_REVOKED, "KRB5KDC_ERR_TGT_REVOKED" },
1217 { KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET, "KRB5KDC_ERR_CLIENT_NOTYET" },
1218 { KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET, "KRB5KDC_ERR_SERVICE_NOTYET" },
1219 { KRB5_ET_KRB5KDC_ERR_KEY_EXP, "KRB5KDC_ERR_KEY_EXP" },
1220 { KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED, "KRB5KDC_ERR_PREAUTH_FAILED" },
1221 { KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED, "KRB5KDC_ERR_PREAUTH_REQUIRED" },
1222 { KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH, "KRB5KDC_ERR_SERVER_NOMATCH" },
1223 { KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER, "KRB5KDC_ERR_MUST_USE_USER2USER" },
1224 { KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED, "KRB5KDC_ERR_PATH_NOT_ACCEPTED" },
1225 { KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE, "KRB5KDC_ERR_SVC_UNAVAILABLE" },
1226 { KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY, "KRB5KRB_AP_ERR_BAD_INTEGRITY" },
1227 { KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED, "KRB5KRB_AP_ERR_TKT_EXPIRED" },
1228 { KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV, "KRB5KRB_AP_ERR_TKT_NYV" },
1229 { KRB5_ET_KRB5KRB_AP_ERR_REPEAT, "KRB5KRB_AP_ERR_REPEAT" },
1230 { KRB5_ET_KRB5KRB_AP_ERR_NOT_US, "KRB5KRB_AP_ERR_NOT_US" },
1231 { KRB5_ET_KRB5KRB_AP_ERR_BADMATCH, "KRB5KRB_AP_ERR_BADMATCH" },
1232 { KRB5_ET_KRB5KRB_AP_ERR_SKEW, "KRB5KRB_AP_ERR_SKEW" },
1233 { KRB5_ET_KRB5KRB_AP_ERR_BADADDR, "KRB5KRB_AP_ERR_BADADDR" },
1234 { KRB5_ET_KRB5KRB_AP_ERR_BADVERSION, "KRB5KRB_AP_ERR_BADVERSION" },
1235 { KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE, "KRB5KRB_AP_ERR_MSG_TYPE" },
1236 { KRB5_ET_KRB5KRB_AP_ERR_MODIFIED, "KRB5KRB_AP_ERR_MODIFIED" },
1237 { KRB5_ET_KRB5KRB_AP_ERR_BADORDER, "KRB5KRB_AP_ERR_BADORDER" },
1238 { KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT, "KRB5KRB_AP_ERR_ILL_CR_TKT" },
1239 { KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER, "KRB5KRB_AP_ERR_BADKEYVER" },
1240 { KRB5_ET_KRB5KRB_AP_ERR_NOKEY, "KRB5KRB_AP_ERR_NOKEY" },
1241 { KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL, "KRB5KRB_AP_ERR_MUT_FAIL" },
1242 { KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION, "KRB5KRB_AP_ERR_BADDIRECTION" },
1243 { KRB5_ET_KRB5KRB_AP_ERR_METHOD, "KRB5KRB_AP_ERR_METHOD" },
1244 { KRB5_ET_KRB5KRB_AP_ERR_BADSEQ, "KRB5KRB_AP_ERR_BADSEQ" },
1245 { KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM, "KRB5KRB_AP_ERR_INAPP_CKSUM" },
1246 { KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED, "KRB5KDC_AP_PATH_NOT_ACCEPTED" },
1247 { KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG, "KRB5KRB_ERR_RESPONSE_TOO_BIG"},
1248 { KRB5_ET_KRB5KRB_ERR_GENERIC, "KRB5KRB_ERR_GENERIC" },
1249 { KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG, "KRB5KRB_ERR_FIELD_TOOLONG" },
1250 { KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED, "KDC_ERROR_CLIENT_NOT_TRUSTED" },
1251 { KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED, "KDC_ERROR_KDC_NOT_TRUSTED" },
1252 { KRB5_ET_KDC_ERROR_INVALID_SIG, "KDC_ERROR_INVALID_SIG" },
1253 { KRB5_ET_KDC_ERR_KEY_TOO_WEAK, "KDC_ERR_KEY_TOO_WEAK" },
1254 { KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH, "KDC_ERR_CERTIFICATE_MISMATCH" },
1255 { KRB5_ET_KRB_AP_ERR_NO_TGT, "KRB_AP_ERR_NO_TGT" },
1256 { KRB5_ET_KDC_ERR_WRONG_REALM, "KDC_ERR_WRONG_REALM" },
1257 { KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED, "KRB_AP_ERR_USER_TO_USER_REQUIRED" },
1258 { KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE, "KDC_ERR_CANT_VERIFY_CERTIFICATE" },
1259 { KRB5_ET_KDC_ERR_INVALID_CERTIFICATE, "KDC_ERR_INVALID_CERTIFICATE" },
1260 { KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE, "KDC_ERR_REVOKED_CERTIFICATE" },
1261 { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN, "KDC_ERR_REVOCATION_STATUS_UNKNOWN" },
1262 { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE, "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE" },
1263 { KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH, "KDC_ERR_CLIENT_NAME_MISMATCH" },
1264 { KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH, "KDC_ERR_KDC_NAME_MISMATCH" },
1265 { KRB5_ET_KDC_ERR_PREAUTH_EXPIRED, "KDC_ERR_PREAUTH_EXPIRED" },
1266 { KRB5_ET_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, "KDC_ERR_MORE_PREAUTH_DATA_REQUIRED" },
1267 { KRB5_ET_KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET, "KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET" },
1268 { KRB5_ET_KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, "KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS" },
1273 #define PAC_LOGON_INFO 1
1274 #define PAC_CREDENTIAL_TYPE 2
1275 #define PAC_SERVER_CHECKSUM 6
1276 #define PAC_PRIVSVR_CHECKSUM 7
1277 #define PAC_CLIENT_INFO_TYPE 10
1278 #define PAC_S4U_DELEGATION_INFO 11
1279 #define PAC_UPN_DNS_INFO 12
1280 static const value_string w2k_pac_types[] = {
1281 { PAC_LOGON_INFO , "Logon Info" },
1282 { PAC_CREDENTIAL_TYPE , "Credential Type" },
1283 { PAC_SERVER_CHECKSUM , "Server Checksum" },
1284 { PAC_PRIVSVR_CHECKSUM , "Privsvr Checksum" },
1285 { PAC_CLIENT_INFO_TYPE , "Client Info Type" },
1286 { PAC_S4U_DELEGATION_INFO, "S4U Delegation Info" },
1287 { PAC_UPN_DNS_INFO , "UPN DNS Info" },
1291 static const value_string krb5_msg_types[] = {
1292 { KRB5_MSG_TICKET, "Ticket" },
1293 { KRB5_MSG_AUTHENTICATOR, "Authenticator" },
1294 { KRB5_MSG_ENC_TICKET_PART, "EncTicketPart" },
1295 { KRB5_MSG_TGS_REQ, "TGS-REQ" },
1296 { KRB5_MSG_TGS_REP, "TGS-REP" },
1297 { KRB5_MSG_AS_REQ, "AS-REQ" },
1298 { KRB5_MSG_AS_REP, "AS-REP" },
1299 { KRB5_MSG_AP_REQ, "AP-REQ" },
1300 { KRB5_MSG_AP_REP, "AP-REP" },
1301 { KRB5_MSG_SAFE, "KRB-SAFE" },
1302 { KRB5_MSG_PRIV, "KRB-PRIV" },
1303 { KRB5_MSG_CRED, "KRB-CRED" },
1304 { KRB5_MSG_ENC_AS_REP_PART, "EncASRepPart" },
1305 { KRB5_MSG_ENC_TGS_REP_PART, "EncTGSRepPart" },
1306 { KRB5_MSG_ENC_AP_REP_PART, "EncAPRepPart" },
1307 { KRB5_MSG_ENC_KRB_PRIV_PART, "EncKrbPrivPart" },
1308 { KRB5_MSG_ENC_KRB_CRED_PART, "EncKrbCredPart" },
1309 { KRB5_MSG_ERROR, "KRB-ERROR" },
1313 #define KRB5_GSS_C_DELEG_FLAG 0x01
1314 #define KRB5_GSS_C_MUTUAL_FLAG 0x02
1315 #define KRB5_GSS_C_REPLAY_FLAG 0x04
1316 #define KRB5_GSS_C_SEQUENCE_FLAG 0x08
1317 #define KRB5_GSS_C_CONF_FLAG 0x10
1318 #define KRB5_GSS_C_INTEG_FLAG 0x20
1319 #define KRB5_GSS_C_DCE_STYLE 0x1000
1321 static const true_false_string tfs_gss_flags_deleg = {
1322 "Delegate credentials to remote peer",
1325 static const true_false_string tfs_gss_flags_mutual = {
1326 "Request that remote peer authenticates itself",
1327 "Mutual authentication NOT required"
1329 static const true_false_string tfs_gss_flags_replay = {
1330 "Enable replay protection for signed or sealed messages",
1331 "Do NOT enable replay protection"
1333 static const true_false_string tfs_gss_flags_sequence = {
1334 "Enable Out-of-sequence detection for sign or sealed messages",
1335 "Do NOT enable out-of-sequence detection"
1337 static const true_false_string tfs_gss_flags_conf = {
1338 "Confidentiality (sealing) may be invoked",
1339 "Do NOT use Confidentiality (sealing)"
1341 static const true_false_string tfs_gss_flags_integ = {
1342 "Integrity protection (signing) may be invoked",
1343 "Do NOT use integrity protection"
1346 static const true_false_string tfs_gss_flags_dce_style = {
1348 "Not using DCE-STYLE"
1351 #ifdef HAVE_KERBEROS
1353 dissect_krb5_decrypt_ticket_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
1354 proto_tree *tree, int hf_index _U_)
1358 kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1361 next_tvb=tvb_new_subset_remaining(tvb, offset);
1362 length=tvb_captured_length_remaining(tvb, offset);
1364 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
1366 * All Ticket encrypted parts use usage == 2
1368 plaintext=decrypt_krb5_data(tree, actx->pinfo, 2, next_tvb, private_data->etype, NULL);
1371 tvbuff_t *child_tvb;
1372 child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
1374 /* Add the decrypted data to the data source list. */
1375 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
1377 offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
1383 dissect_krb5_decrypt_authenticator_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
1384 proto_tree *tree, int hf_index _U_)
1388 kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1391 next_tvb=tvb_new_subset_remaining(tvb, offset);
1392 length=tvb_captured_length_remaining(tvb, offset);
1394 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
1396 * Authenticators are encrypted with usage
1400 plaintext=decrypt_krb5_data(tree, actx->pinfo, 7, next_tvb, private_data->etype, NULL);
1403 plaintext=decrypt_krb5_data(tree, actx->pinfo, 11, next_tvb, private_data->etype, NULL);
1407 tvbuff_t *child_tvb;
1408 child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
1410 /* Add the decrypted data to the data source list. */
1411 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
1413 offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
1419 dissect_krb5_decrypt_authorization_data(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
1420 proto_tree *tree, int hf_index _U_)
1424 kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1427 next_tvb=tvb_new_subset_remaining(tvb, offset);
1428 length=tvb_captured_length_remaining(tvb, offset);
1430 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
1432 * Authenticators are encrypted with usage
1436 plaintext=decrypt_krb5_data(tree, actx->pinfo, 5, next_tvb, private_data->etype, NULL);
1439 plaintext=decrypt_krb5_data(tree, actx->pinfo, 4, next_tvb, private_data->etype, NULL);
1443 tvbuff_t *child_tvb;
1444 child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
1445 tvb_set_free_cb(child_tvb, g_free);
1447 /* Add the decrypted data to the data source list. */
1448 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
1450 offset=dissect_kerberos_AuthorizationData(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
1456 dissect_krb5_decrypt_KDC_REP_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
1457 proto_tree *tree, int hf_index _U_)
1461 kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1464 next_tvb=tvb_new_subset_remaining(tvb, offset);
1465 length=tvb_captured_length_remaining(tvb, offset);
1467 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
1469 * ASREP/TGSREP encryptedparts are encrypted with usage
1474 plaintext=decrypt_krb5_data(tree, actx->pinfo, 3, next_tvb, private_data->etype, NULL);
1477 plaintext=decrypt_krb5_data(tree, actx->pinfo, 8, next_tvb, private_data->etype, NULL);
1481 plaintext=decrypt_krb5_data(tree, actx->pinfo, 9, next_tvb, private_data->etype, NULL);
1485 tvbuff_t *child_tvb;
1486 child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
1488 /* Add the decrypted data to the data source list. */
1489 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
1491 offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
1497 dissect_krb5_decrypt_PA_ENC_TIMESTAMP (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
1498 proto_tree *tree, int hf_index _U_)
1502 kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1505 next_tvb=tvb_new_subset_remaining(tvb, offset);
1506 length=tvb_captured_length_remaining(tvb, offset);
1508 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
1510 * AS-REQ PA_ENC_TIMESTAMP are encrypted with usage
1513 plaintext=decrypt_krb5_data(tree, actx->pinfo, 1, next_tvb, private_data->etype, NULL);
1516 tvbuff_t *child_tvb;
1517 child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
1519 /* Add the decrypted data to the data source list. */
1520 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
1522 offset=dissect_kerberos_PA_ENC_TS_ENC(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
1528 dissect_krb5_decrypt_AP_REP_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
1529 proto_tree *tree, int hf_index _U_)
1533 kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1536 next_tvb=tvb_new_subset_remaining(tvb, offset);
1537 length=tvb_captured_length_remaining(tvb, offset);
1539 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
1541 * AP-REP are encrypted with usage == 12
1543 plaintext=decrypt_krb5_data(tree, actx->pinfo, 12, next_tvb, private_data->etype, NULL);
1546 tvbuff_t *child_tvb;
1547 child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
1549 /* Add the decrypted data to the data source list. */
1550 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
1552 offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
1558 dissect_krb5_decrypt_PRIV_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
1559 proto_tree *tree, int hf_index _U_)
1563 kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1566 next_tvb=tvb_new_subset_remaining(tvb, offset);
1567 length=tvb_captured_length_remaining(tvb, offset);
1570 * EncKrbPrivPart encrypted with usage
1573 plaintext=decrypt_krb5_data(tree, actx->pinfo, 13, next_tvb, private_data->etype, NULL);
1576 tvbuff_t *child_tvb;
1577 child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
1579 /* Add the decrypted data to the data source list. */
1580 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
1582 offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
1588 dissect_krb5_decrypt_CRED_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
1589 proto_tree *tree, int hf_index _U_)
1593 kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1596 next_tvb=tvb_new_subset_remaining(tvb, offset);
1597 length=tvb_captured_length_remaining(tvb, offset);
1600 * EncKrbCredPart encrypted with usage
1603 plaintext=decrypt_krb5_data(tree, actx->pinfo, 14, next_tvb, private_data->etype, NULL);
1606 tvbuff_t *child_tvb;
1607 child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
1609 /* Add the decrypted data to the data source list. */
1610 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
1612 offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
1618 dissect_krb5_decrypt_KrbFastReq(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
1619 proto_tree *tree, int hf_index _U_)
1623 kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1626 next_tvb=tvb_new_subset_remaining(tvb, offset);
1627 length=tvb_captured_length_remaining(tvb, offset);
1630 * KrbFastResponse encrypted with usage
1631 * KEY_USAGE_FAST_ENC 51
1633 plaintext=decrypt_krb5_data(tree, actx->pinfo, KEY_USAGE_FAST_ENC,
1634 next_tvb, private_data->etype, NULL);
1637 tvbuff_t *child_tvb;
1638 child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
1639 tvb_set_free_cb(child_tvb, g_free);
1641 /* Add the decrypted data to the data source list. */
1642 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
1644 offset=dissect_kerberos_KrbFastReq(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
1650 dissect_krb5_decrypt_KrbFastResponse(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
1651 proto_tree *tree, int hf_index _U_)
1655 kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1658 next_tvb=tvb_new_subset_remaining(tvb, offset);
1659 length=tvb_captured_length_remaining(tvb, offset);
1663 * KrbFastResponse encrypted with usage
1664 * KEY_USAGE_FAST_REP 52
1666 plaintext=decrypt_krb5_data(tree, actx->pinfo, KEY_USAGE_FAST_REP,
1667 next_tvb, private_data->etype, NULL);
1670 tvbuff_t *child_tvb;
1671 child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
1672 tvb_set_free_cb(child_tvb, g_free);
1674 /* Add the decrypted data to the data source list. */
1675 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
1677 private_data->fast_armor_key = private_data->last_decryption_key;
1678 offset=dissect_kerberos_KrbFastResponse(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
1684 dissect_krb5_decrypt_EncryptedChallenge(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
1685 proto_tree *tree, int hf_index _U_)
1689 kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1693 next_tvb=tvb_new_subset_remaining(tvb, offset);
1694 length=tvb_captured_length_remaining(tvb, offset);
1697 * KEY_USAGE_ENC_CHALLENGE_CLIENT 54
1698 * KEY_USAGE_ENC_CHALLENGE_KDC 55
1700 if (private_data->kdc_response) {
1701 usage = KEY_USAGE_ENC_CHALLENGE_KDC;
1703 usage = KEY_USAGE_ENC_CHALLENGE_CLIENT;
1705 plaintext=decrypt_krb5_data(tree, actx->pinfo, usage, next_tvb, private_data->etype, NULL);
1708 tvbuff_t *child_tvb;
1709 child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
1710 tvb_set_free_cb(child_tvb, g_free);
1712 /* Add the decrypted data to the data source list. */
1713 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
1715 offset=dissect_kerberos_PA_ENC_TS_ENC(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
1721 static const int *hf_krb_pa_supported_enctypes_fields[] = {
1722 &hf_krb_pa_supported_enctypes_des_cbc_crc,
1723 &hf_krb_pa_supported_enctypes_des_cbc_md5,
1724 &hf_krb_pa_supported_enctypes_rc4_hmac,
1725 &hf_krb_pa_supported_enctypes_aes128_cts_hmac_sha1_96,
1726 &hf_krb_pa_supported_enctypes_aes256_cts_hmac_sha1_96,
1727 &hf_krb_pa_supported_enctypes_fast_supported,
1728 &hf_krb_pa_supported_enctypes_compound_identity_supported,
1729 &hf_krb_pa_supported_enctypes_claims_supported,
1730 &hf_krb_pa_supported_enctypes_resource_sid_compression_disabled,
1734 static const true_false_string supported_tfs = {
1735 "Supported", "Not supported"
1739 dissect_kerberos_PA_SUPPORTED_ENCTYPES(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
1740 int offset _U_, asn1_ctx_t *actx _U_,
1741 proto_tree *tree _U_, int hf_index _U_)
1743 actx->created_item = proto_tree_add_bitmask(tree, tvb, offset,
1744 hf_krb_pa_supported_enctypes,
1745 ett_krb_pa_supported_enctypes,
1746 hf_krb_pa_supported_enctypes_fields,
1753 static const int *hf_krb_ad_ap_options_fields[] = {
1754 &hf_krb_ad_ap_options_cbt,
1758 static const true_false_string set_tfs = {
1763 dissect_kerberos_AD_AP_OPTIONS(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
1764 int offset _U_, asn1_ctx_t *actx _U_,
1765 proto_tree *tree _U_, int hf_index _U_)
1767 actx->created_item = proto_tree_add_bitmask(tree, tvb, offset,
1768 hf_krb_ad_ap_options,
1769 ett_krb_ad_ap_options,
1770 hf_krb_ad_ap_options_fields,
1776 /* Dissect a GSSAPI checksum as per RFC1964. This is NOT ASN.1 encoded.
1779 dissect_krb5_rfc1964_checksum(asn1_ctx_t *actx _U_, proto_tree *tree, tvbuff_t *tvb)
1785 /* Length of Bnd field */
1786 len=tvb_get_letohl(tvb, offset);
1787 proto_tree_add_item(tree, hf_krb_gssapi_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1791 proto_tree_add_item(tree, hf_krb_gssapi_bnd, tvb, offset, len, ENC_NA);
1796 proto_tree_add_item(tree, hf_krb_gssapi_c_flag_dce_style, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1797 proto_tree_add_item(tree, hf_krb_gssapi_c_flag_integ, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1798 proto_tree_add_item(tree, hf_krb_gssapi_c_flag_conf, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1799 proto_tree_add_item(tree, hf_krb_gssapi_c_flag_sequence, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1800 proto_tree_add_item(tree, hf_krb_gssapi_c_flag_replay, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1801 proto_tree_add_item(tree, hf_krb_gssapi_c_flag_mutual, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1802 proto_tree_add_item(tree, hf_krb_gssapi_c_flag_deleg, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1805 /* the next fields are optional so we have to check that we have
1806 * more data in our buffers */
1807 if(tvb_reported_length_remaining(tvb, offset)<2){
1810 /* dlgopt identifier */
1811 proto_tree_add_item(tree, hf_krb_gssapi_dlgopt, tvb, offset, 2, ENC_LITTLE_ENDIAN);
1814 if(tvb_reported_length_remaining(tvb, offset)<2){
1817 /* dlglen identifier */
1818 dlglen=tvb_get_letohs(tvb, offset);
1819 proto_tree_add_item(tree, hf_krb_gssapi_dlglen, tvb, offset, 2, ENC_LITTLE_ENDIAN);
1822 if(dlglen!=tvb_reported_length_remaining(tvb, offset)){
1823 proto_tree_add_expert_format(tree, actx->pinfo, &ei_krb_gssapi_dlglen, tvb, 0, 0,
1824 "Error: DlgLen:%d is not the same as number of bytes remaining:%d", dlglen, tvb_captured_length_remaining(tvb, offset));
1828 /* this should now be a KRB_CRED message */
1829 offset=dissect_kerberos_Applications(FALSE, tvb, offset, actx, tree, /* hf_index */ -1);
1835 dissect_krb5_PA_PROV_SRV_LOCATION(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
1837 offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_provsrv_location, NULL, 0);
1843 dissect_krb5_PW_SALT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
1845 kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1846 gint remaining = tvb_reported_length_remaining(tvb, offset);
1847 guint32 nt_status = 0;
1851 if (private_data->errorcode == 0) {
1855 if (!private_data->try_nt_status) {
1859 if (remaining != 12) {
1863 nt_status=tvb_get_letohl(tvb, offset);
1864 val_0=tvb_get_letohl(tvb, offset + 4);
1865 val_1=tvb_get_letohl(tvb, offset + 8);
1867 if (val_0 != 0 || val_1 != 1) {
1871 /* Microsoft stores a special 12 byte blob here
1873 * guint32 unknown (== 0)
1874 * guint32 unknown (== 1)
1876 proto_tree_add_item(tree, hf_krb_smb_nt_status, tvb, offset, 4,
1878 nt_status=tvb_get_letohl(tvb, offset);
1880 col_append_fstr(actx->pinfo->cinfo, COL_INFO,
1882 val_to_str(nt_status, NT_errors,
1883 "Unknown error code %#x"));
1887 proto_tree_add_item(tree, hf_krb_smb_unknown, tvb, offset, 4,
1891 proto_tree_add_item(tree, hf_krb_smb_unknown, tvb, offset, 4,
1898 return offset + remaining;
1902 dissect_krb5_PAC_DREP(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint8 *drep)
1907 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16, ett_krb_pac_drep, NULL, "DREP");
1909 val = tvb_get_guint8(tvb, offset);
1910 proto_tree_add_uint(tree, hf_dcerpc_drep_byteorder, tvb, offset, 1, val>>4);
1921 /* This might be some sort of header that MIDL generates when creating
1922 * marshalling/unmarshalling code for blobs that are not to be transported
1923 * ontop of DCERPC and where the DREP fields specifying things such as
1924 * endianess and similar are not available.
1927 dissect_krb5_PAC_NDRHEADERBLOB(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint8 *drep, asn1_ctx_t *actx _U_)
1931 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16, ett_krb_pac_midl_blob, NULL, "MES header");
1933 /* modified DREP field that is used for stuff that is transporetd ontop
1936 proto_tree_add_item(tree, hf_krb_midl_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1939 offset = dissect_krb5_PAC_DREP(tree, tvb, offset, drep);
1942 proto_tree_add_item(tree, hf_krb_midl_hdr_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
1945 proto_tree_add_item(tree, hf_krb_midl_fill_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1948 /* length of blob that follows */
1949 proto_tree_add_item(tree, hf_krb_midl_blob_len, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1956 dissect_krb5_PAC_LOGON_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1960 guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
1961 static dcerpc_info di; /* fake dcerpc_info struct */
1962 static dcerpc_call_value call_data;
1964 item = proto_tree_add_item(parent_tree, hf_krb_pac_logon_info, tvb, offset, -1, ENC_NA);
1965 tree = proto_item_add_subtree(item, ett_krb_pac_logon_info);
1967 /* skip the first 16 bytes, they are some magic created by the idl
1968 * compiler the first 4 bytes might be flags?
1970 offset = dissect_krb5_PAC_NDRHEADERBLOB(tree, tvb, offset, &drep[0], actx);
1972 /* the PAC_LOGON_INFO blob */
1973 /* fake whatever state the dcerpc runtime support needs */
1974 di.conformant_run=0;
1975 /* we need di->call_data->flags.NDR64 == 0 */
1976 di.call_data=&call_data;
1977 init_ndr_pointer_list(&di);
1978 offset = dissect_ndr_pointer(tvb, offset, actx->pinfo, tree, &di, drep,
1979 netlogon_dissect_PAC_LOGON_INFO, NDR_POINTER_UNIQUE,
1980 "PAC_LOGON_INFO:", -1);
1987 dissect_krb5_PAC_CREDENTIAL_DATA(proto_tree *parent_tree, tvbuff_t *tvb, int offset, packet_info *pinfo _U_)
1989 proto_tree_add_item(parent_tree, hf_krb_pac_credential_data, tvb, offset, -1, ENC_NA);
1995 dissect_krb5_PAC_CREDENTIAL_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
2000 guint8 *plaintext = NULL;
2004 #define KRB5_KU_OTHER_ENCRYPTED 16
2005 int usage = KRB5_KU_OTHER_ENCRYPTED;
2007 item = proto_tree_add_item(parent_tree, hf_krb_pac_credential_info, tvb, offset, -1, ENC_NA);
2008 tree = proto_item_add_subtree(item, ett_krb_pac_credential_info);
2011 proto_tree_add_item(tree, hf_krb_pac_credential_info_version, tvb,
2012 offset, 4, ENC_LITTLE_ENDIAN);
2016 etype = tvb_get_letohl(tvb, offset);
2017 proto_tree_add_item(tree, hf_krb_pac_credential_info_etype, tvb,
2018 offset, 4, ENC_LITTLE_ENDIAN);
2022 next_tvb=tvb_new_subset_remaining(tvb, offset);
2023 length=tvb_captured_length_remaining(tvb, offset);
2025 plaintext=decrypt_krb5_data(tree, actx->pinfo, usage, next_tvb, (int)etype, &plainlen);
2027 if (plaintext != NULL) {
2028 tvbuff_t *child_tvb;
2029 child_tvb = tvb_new_child_real_data(tvb, plaintext, plainlen, plainlen);
2030 tvb_set_free_cb(child_tvb, g_free);
2032 /* Add the decrypted data to the data source list. */
2033 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
2035 dissect_krb5_PAC_CREDENTIAL_DATA(tree, child_tvb, 0, actx->pinfo);
2038 return offset + length;
2042 dissect_krb5_PAC_S4U_DELEGATION_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
2046 guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
2047 static dcerpc_info di; /* fake dcerpc_info struct */
2048 static dcerpc_call_value call_data;
2050 item = proto_tree_add_item(parent_tree, hf_krb_pac_s4u_delegation_info, tvb, offset, -1, ENC_NA);
2051 tree = proto_item_add_subtree(item, ett_krb_pac_s4u_delegation_info);
2053 /* skip the first 16 bytes, they are some magic created by the idl
2054 * compiler the first 4 bytes might be flags?
2056 offset = dissect_krb5_PAC_NDRHEADERBLOB(tree, tvb, offset, &drep[0], actx);
2059 /* the S4U_DELEGATION_INFO blob. See [MS-PAC] */
2060 /* fake whatever state the dcerpc runtime support needs */
2061 di.conformant_run=0;
2062 /* we need di->call_data->flags.NDR64 == 0 */
2063 di.call_data=&call_data;
2064 init_ndr_pointer_list(&di);
2065 offset = dissect_ndr_pointer(tvb, offset, actx->pinfo, tree, &di, drep,
2066 netlogon_dissect_PAC_S4U_DELEGATION_INFO, NDR_POINTER_UNIQUE,
2067 "PAC_S4U_DELEGATION_INFO:", -1);
2073 dissect_krb5_PAC_UPN_DNS_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2077 guint16 dns_offset, dns_len;
2078 guint16 upn_offset, upn_len;
2083 item = proto_tree_add_item(parent_tree, hf_krb_pac_upn_dns_info, tvb, offset, -1, ENC_NA);
2084 tree = proto_item_add_subtree(item, ett_krb_pac_upn_dns_info);
2087 upn_len = tvb_get_letohs(tvb, offset);
2088 proto_tree_add_item(tree, hf_krb_pac_upn_upn_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2090 upn_offset = tvb_get_letohs(tvb, offset);
2091 proto_tree_add_item(tree, hf_krb_pac_upn_upn_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2095 dns_len = tvb_get_letohs(tvb, offset);
2096 proto_tree_add_item(tree, hf_krb_pac_upn_dns_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2098 dns_offset = tvb_get_letohs(tvb, offset);
2099 proto_tree_add_item(tree, hf_krb_pac_upn_dns_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2103 proto_tree_add_item(tree, hf_krb_pac_upn_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2106 offset = upn_offset;
2108 bc = tvb_reported_length_remaining(tvb, offset);
2109 dn = get_unicode_or_ascii_string(tvb, &offset, TRUE, &dn_len, TRUE, TRUE, &bc);
2110 proto_tree_add_string(tree, hf_krb_pac_upn_upn_name, tvb, upn_offset, upn_len, dn);
2113 offset = dns_offset;
2115 bc = tvb_reported_length_remaining(tvb, offset);
2116 dn = get_unicode_or_ascii_string(tvb, &offset, TRUE, &dn_len, TRUE, TRUE, &bc);
2117 proto_tree_add_string(tree, hf_krb_pac_upn_dns_name, tvb, dns_offset, dns_len, dn);
2123 dissect_krb5_PAC_SERVER_CHECKSUM(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2128 item = proto_tree_add_item(parent_tree, hf_krb_pac_server_checksum, tvb, offset, -1, ENC_NA);
2129 tree = proto_item_add_subtree(item, ett_krb_pac_server_checksum);
2131 /* signature type */
2132 proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2135 /* signature data */
2136 proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, -1, ENC_NA);
2142 dissect_krb5_PAC_PRIVSVR_CHECKSUM(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2147 item = proto_tree_add_item(parent_tree, hf_krb_pac_privsvr_checksum, tvb, offset, -1, ENC_NA);
2148 tree = proto_item_add_subtree(item, ett_krb_pac_privsvr_checksum);
2150 /* signature type */
2151 proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2154 /* signature data */
2155 proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, -1, ENC_NA);
2161 dissect_krb5_PAC_CLIENT_INFO_TYPE(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2167 item = proto_tree_add_item(parent_tree, hf_krb_pac_client_info_type, tvb, offset, -1, ENC_NA);
2168 tree = proto_item_add_subtree(item, ett_krb_pac_client_info_type);
2171 offset = dissect_nt_64bit_time(tvb, tree, offset, hf_krb_pac_clientid);
2174 namelen=tvb_get_letohs(tvb, offset);
2175 proto_tree_add_uint(tree, hf_krb_pac_namelen, tvb, offset, 2, namelen);
2179 proto_tree_add_item(tree, hf_krb_pac_clientname, tvb, offset, namelen, ENC_UTF_16|ENC_LITTLE_ENDIAN);
2186 dissect_krb5_AD_WIN2K_PAC_struct(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
2191 proto_item *it=NULL;
2192 proto_tree *tr=NULL;
2195 /* type of pac data */
2196 pac_type=tvb_get_letohl(tvb, offset);
2197 it=proto_tree_add_uint(tree, hf_krb_w2k_pac_type, tvb, offset, 4, pac_type);
2198 tr=proto_item_add_subtree(it, ett_krb_pac);
2202 /* size of pac data */
2203 pac_size=tvb_get_letohl(tvb, offset);
2204 proto_tree_add_uint(tr, hf_krb_w2k_pac_size, tvb, offset, 4, pac_size);
2207 /* offset to pac data */
2208 pac_offset=tvb_get_letohl(tvb, offset);
2209 proto_tree_add_uint(tr, hf_krb_w2k_pac_offset, tvb, offset, 4, pac_offset);
2212 next_tvb=tvb_new_subset_length_caplen(tvb, pac_offset, pac_size, pac_size);
2214 case PAC_LOGON_INFO:
2215 dissect_krb5_PAC_LOGON_INFO(tr, next_tvb, 0, actx);
2217 case PAC_CREDENTIAL_TYPE:
2218 dissect_krb5_PAC_CREDENTIAL_INFO(tr, next_tvb, 0, actx);
2220 case PAC_SERVER_CHECKSUM:
2221 dissect_krb5_PAC_SERVER_CHECKSUM(tr, next_tvb, 0, actx);
2223 case PAC_PRIVSVR_CHECKSUM:
2224 dissect_krb5_PAC_PRIVSVR_CHECKSUM(tr, next_tvb, 0, actx);
2226 case PAC_CLIENT_INFO_TYPE:
2227 dissect_krb5_PAC_CLIENT_INFO_TYPE(tr, next_tvb, 0, actx);
2229 case PAC_S4U_DELEGATION_INFO:
2230 dissect_krb5_PAC_S4U_DELEGATION_INFO(tr, next_tvb, 0, actx);
2232 case PAC_UPN_DNS_INFO:
2233 dissect_krb5_PAC_UPN_DNS_INFO(tr, next_tvb, 0, actx);
2243 dissect_krb5_AD_WIN2K_PAC(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_)
2249 /* first in the PAC structure comes the number of entries */
2250 entries=tvb_get_letohl(tvb, offset);
2251 proto_tree_add_uint(tree, hf_krb_w2k_pac_entries, tvb, offset, 4, entries);
2254 /* second comes the version */
2255 version=tvb_get_letohl(tvb, offset);
2256 proto_tree_add_uint(tree, hf_krb_w2k_pac_version, tvb, offset, 4, version);
2259 for(i=0;i<entries;i++){
2260 offset=dissect_krb5_AD_WIN2K_PAC_struct(tree, tvb, offset, actx);
2266 #include "packet-kerberos-fn.c"
2268 /* Make wrappers around exported functions for now */
2270 dissect_krb5_Checksum(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2272 return dissect_kerberos_Checksum(FALSE, tvb, offset, actx, tree, hf_kerberos_cksum);
2277 dissect_krb5_ctime(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2279 return dissect_kerberos_KerberosTime(FALSE, tvb, offset, actx, tree, hf_kerberos_ctime);
2284 dissect_krb5_cname(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2286 return dissect_kerberos_PrincipalName(FALSE, tvb, offset, actx, tree, hf_kerberos_cname);
2289 dissect_krb5_realm(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2291 return dissect_kerberos_Realm(FALSE, tvb, offset, actx, tree, hf_kerberos_realm);
2296 dissect_kerberos_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
2297 gboolean dci, gboolean do_col_protocol, gboolean have_rm,
2298 kerberos_callbacks *cb)
2300 volatile int offset = 0;
2301 proto_tree *volatile kerberos_tree = NULL;
2302 proto_item *volatile item = NULL;
2303 asn1_ctx_t asn1_ctx;
2305 /* TCP record mark and length */
2307 gint krb_reclen = 0;
2309 gbl_do_col_info=dci;
2312 krb_rm = tvb_get_ntohl(tvb, offset);
2313 krb_reclen = kerberos_rm_to_reclen(krb_rm);
2315 * What is a reasonable size limit?
2317 if (krb_reclen > 10 * 1024 * 1024) {
2321 if (do_col_protocol) {
2322 col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
2326 item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, ENC_NA);
2327 kerberos_tree = proto_item_add_subtree(item, ett_kerberos);
2330 show_krb_recordmark(kerberos_tree, tvb, offset, krb_rm);
2333 /* Do some sanity checking here,
2334 * All krb5 packets start with a TAG class that is BER_CLASS_APP
2335 * and a tag value that is either of the values below:
2336 * If it doesn't look like kerberos, return 0 and let someone else have
2343 get_ber_identifier(tvb, offset, &tmp_class, &tmp_pc, &tmp_tag);
2344 if(tmp_class!=BER_CLASS_APP){
2348 case KRB5_MSG_TICKET:
2349 case KRB5_MSG_AUTHENTICATOR:
2350 case KRB5_MSG_ENC_TICKET_PART:
2351 case KRB5_MSG_AS_REQ:
2352 case KRB5_MSG_AS_REP:
2353 case KRB5_MSG_TGS_REQ:
2354 case KRB5_MSG_TGS_REP:
2355 case KRB5_MSG_AP_REQ:
2356 case KRB5_MSG_AP_REP:
2357 case KRB5_MSG_ENC_AS_REP_PART:
2358 case KRB5_MSG_ENC_TGS_REP_PART:
2359 case KRB5_MSG_ENC_AP_REP_PART:
2360 case KRB5_MSG_ENC_KRB_PRIV_PART:
2361 case KRB5_MSG_ENC_KRB_CRED_PART:
2364 case KRB5_MSG_ERROR:
2369 if (do_col_protocol) {
2370 col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
2372 if (gbl_do_col_info) {
2373 col_clear(pinfo->cinfo, COL_INFO);
2376 item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, ENC_NA);
2377 kerberos_tree = proto_item_add_subtree(item, ett_kerberos);
2380 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
2381 asn1_ctx.private_data = cb;
2384 offset=dissect_kerberos_Applications(FALSE, tvb, offset, &asn1_ctx , kerberos_tree, /* hf_index */ -1);
2385 } CATCH_BOUNDS_ERRORS {
2389 proto_item_set_len(item, offset);
2394 * Display the TCP record mark.
2397 show_krb_recordmark(proto_tree *tree, tvbuff_t *tvb, gint start, guint32 krb_rm)
2400 proto_tree *rm_tree;
2405 rec_len = kerberos_rm_to_reclen(krb_rm);
2406 rm_tree = proto_tree_add_subtree_format(tree, tvb, start, 4, ett_krb_recordmark, NULL,
2407 "Record Mark: %u %s", rec_len, plurality(rec_len, "byte", "bytes"));
2408 proto_tree_add_boolean(rm_tree, hf_krb_rm_reserved, tvb, start, 4, krb_rm);
2409 proto_tree_add_uint(rm_tree, hf_krb_rm_reclen, tvb, start, 4, krb_rm);
2413 dissect_kerberos_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int do_col_info, kerberos_callbacks *cb)
2415 return (dissect_kerberos_common(tvb, pinfo, tree, do_col_info, FALSE, FALSE, cb));
2419 kerberos_output_keytype(void)
2425 dissect_kerberos_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
2427 /* Some weird kerberos implementation apparently do krb4 on the krb5 port.
2428 Since all (except weirdo transarc krb4 stuff) use
2429 an opcode <=16 in the first byte, use this to see if it might
2431 All krb5 commands start with an APPL tag and thus is >=0x60
2432 so if first byte is <=16 just blindly assume it is krb4 then
2434 if(tvb_captured_length(tvb) >= 1 && tvb_get_guint8(tvb, 0)<=0x10){
2438 res=call_dissector_only(krb4_handle, tvb, pinfo, tree, NULL);
2446 return dissect_kerberos_common(tvb, pinfo, tree, TRUE, TRUE, FALSE, NULL);
2450 kerberos_rm_to_reclen(guint krb_rm)
2452 return (krb_rm & KRB_RM_RECLEN);
2456 get_krb_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data _U_)
2461 krb_rm = tvb_get_ntohl(tvb, offset);
2462 pdulen = kerberos_rm_to_reclen(krb_rm);
2463 return (pdulen + 4);
2466 kerberos_prefs_apply_cb(void) {
2467 #ifdef HAVE_LIBNETTLE
2469 read_keytab_file(keytab_filename);
2474 dissect_kerberos_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
2476 pinfo->fragmented = TRUE;
2477 if (dissect_kerberos_common(tvb, pinfo, tree, TRUE, TRUE, TRUE, NULL) < 0) {
2479 * The dissector failed to recognize this as a valid
2480 * Kerberos message. Mark it as a continuation packet.
2482 col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
2485 return tvb_captured_length(tvb);
2489 dissect_kerberos_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
2491 col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
2492 col_clear(pinfo->cinfo, COL_INFO);
2494 tcp_dissect_pdus(tvb, pinfo, tree, krb_desegment, 4, get_krb_pdu_len,
2495 dissect_kerberos_tcp_pdu, data);
2496 return tvb_captured_length(tvb);
2499 /*--- proto_register_kerberos -------------------------------------------*/
2500 void proto_register_kerberos(void) {
2502 /* List of fields */
2504 static hf_register_info hf[] = {
2505 { &hf_krb_rm_reserved, {
2506 "Reserved", "kerberos.rm.reserved", FT_BOOLEAN, 32,
2507 TFS(&tfs_set_notset), KRB_RM_RESERVED, "Record mark reserved bit", HFILL }},
2508 { &hf_krb_rm_reclen, {
2509 "Record Length", "kerberos.rm.length", FT_UINT32, BASE_DEC,
2510 NULL, KRB_RM_RECLEN, NULL, HFILL }},
2511 { &hf_krb_provsrv_location, {
2512 "PROVSRV Location", "kerberos.provsrv_location", FT_STRING, BASE_NONE,
2513 NULL, 0, "PacketCable PROV SRV Location", HFILL }},
2514 { &hf_krb_smb_nt_status,
2515 { "NT Status", "kerberos.smb.nt_status", FT_UINT32, BASE_HEX,
2516 VALS(NT_errors), 0, "NT Status code", HFILL }},
2517 { &hf_krb_smb_unknown,
2518 { "Unknown", "kerberos.smb.unknown", FT_UINT32, BASE_HEX,
2519 NULL, 0, NULL, HFILL }},
2520 { &hf_krb_address_ip, {
2521 "IP Address", "kerberos.addr_ip", FT_IPv4, BASE_NONE,
2522 NULL, 0, NULL, HFILL }},
2523 { &hf_krb_address_ipv6, {
2524 "IPv6 Address", "kerberos.addr_ipv6", FT_IPv6, BASE_NONE,
2525 NULL, 0, NULL, HFILL }},
2526 { &hf_krb_address_netbios, {
2527 "NetBIOS Address", "kerberos.addr_nb", FT_STRING, BASE_NONE,
2528 NULL, 0, "NetBIOS Address and type", HFILL }},
2529 { &hf_krb_gssapi_len, {
2530 "Length", "kerberos.gssapi.len", FT_UINT32, BASE_DEC,
2531 NULL, 0, "Length of GSSAPI Bnd field", HFILL }},
2532 { &hf_krb_gssapi_bnd, {
2533 "Bnd", "kerberos.gssapi.bdn", FT_BYTES, BASE_NONE,
2534 NULL, 0, "GSSAPI Bnd field", HFILL }},
2535 { &hf_krb_gssapi_c_flag_deleg, {
2536 "Deleg", "kerberos.gssapi.checksum.flags.deleg", FT_BOOLEAN, 32,
2537 TFS(&tfs_gss_flags_deleg), KRB5_GSS_C_DELEG_FLAG, NULL, HFILL }},
2538 { &hf_krb_gssapi_c_flag_mutual, {
2539 "Mutual", "kerberos.gssapi.checksum.flags.mutual", FT_BOOLEAN, 32,
2540 TFS(&tfs_gss_flags_mutual), KRB5_GSS_C_MUTUAL_FLAG, NULL, HFILL }},
2541 { &hf_krb_gssapi_c_flag_replay, {
2542 "Replay", "kerberos.gssapi.checksum.flags.replay", FT_BOOLEAN, 32,
2543 TFS(&tfs_gss_flags_replay), KRB5_GSS_C_REPLAY_FLAG, NULL, HFILL }},
2544 { &hf_krb_gssapi_c_flag_sequence, {
2545 "Sequence", "kerberos.gssapi.checksum.flags.sequence", FT_BOOLEAN, 32,
2546 TFS(&tfs_gss_flags_sequence), KRB5_GSS_C_SEQUENCE_FLAG, NULL, HFILL }},
2547 { &hf_krb_gssapi_c_flag_conf, {
2548 "Conf", "kerberos.gssapi.checksum.flags.conf", FT_BOOLEAN, 32,
2549 TFS(&tfs_gss_flags_conf), KRB5_GSS_C_CONF_FLAG, NULL, HFILL }},
2550 { &hf_krb_gssapi_c_flag_integ, {
2551 "Integ", "kerberos.gssapi.checksum.flags.integ", FT_BOOLEAN, 32,
2552 TFS(&tfs_gss_flags_integ), KRB5_GSS_C_INTEG_FLAG, NULL, HFILL }},
2553 { &hf_krb_gssapi_c_flag_dce_style, {
2554 "DCE-style", "kerberos.gssapi.checksum.flags.dce-style", FT_BOOLEAN, 32,
2555 TFS(&tfs_gss_flags_dce_style), KRB5_GSS_C_DCE_STYLE, NULL, HFILL }},
2556 { &hf_krb_gssapi_dlgopt, {
2557 "DlgOpt", "kerberos.gssapi.dlgopt", FT_UINT16, BASE_DEC,
2558 NULL, 0, "GSSAPI DlgOpt", HFILL }},
2559 { &hf_krb_gssapi_dlglen, {
2560 "DlgLen", "kerberos.gssapi.dlglen", FT_UINT16, BASE_DEC,
2561 NULL, 0, "GSSAPI DlgLen", HFILL }},
2562 { &hf_krb_midl_blob_len, {
2563 "Blob Length", "kerberos.midl_blob_len", FT_UINT64, BASE_DEC,
2564 NULL, 0, "Length of NDR encoded data that follows", HFILL }},
2565 { &hf_krb_midl_fill_bytes, {
2566 "Fill bytes", "kerberos.midl.fill_bytes", FT_UINT32, BASE_HEX,
2567 NULL, 0, "Just some fill bytes", HFILL }},
2568 { &hf_krb_midl_version, {
2569 "Version", "kerberos.midl.version", FT_UINT8, BASE_DEC,
2570 NULL, 0, "Version of pickling", HFILL }},
2571 { &hf_krb_midl_hdr_len, {
2572 "HDR Length", "kerberos.midl.hdr_len", FT_UINT16, BASE_DEC,
2573 NULL, 0, "Length of header", HFILL }},
2574 { &hf_krb_pac_signature_type, {
2575 "Type", "kerberos.pac.signature.type", FT_INT32, BASE_DEC,
2576 NULL, 0, "PAC Signature Type", HFILL }},
2577 { &hf_krb_pac_signature_signature, {
2578 "Signature", "kerberos.pac.signature.signature", FT_BYTES, BASE_NONE,
2579 NULL, 0, "A PAC signature blob", HFILL }},
2580 { &hf_krb_w2k_pac_entries, {
2581 "Num Entries", "kerberos.pac.entries", FT_UINT32, BASE_DEC,
2582 NULL, 0, "Number of W2k PAC entries", HFILL }},
2583 { &hf_krb_w2k_pac_version, {
2584 "Version", "kerberos.pac.version", FT_UINT32, BASE_DEC,
2585 NULL, 0, "Version of PAC structures", HFILL }},
2586 { &hf_krb_w2k_pac_type, {
2587 "Type", "kerberos.pac.type", FT_UINT32, BASE_DEC,
2588 VALS(w2k_pac_types), 0, "Type of W2k PAC entry", HFILL }},
2589 { &hf_krb_w2k_pac_size, {
2590 "Size", "kerberos.pac.size", FT_UINT32, BASE_DEC,
2591 NULL, 0, "Size of W2k PAC entry", HFILL }},
2592 { &hf_krb_w2k_pac_offset, {
2593 "Offset", "kerberos.pac.offset", FT_UINT32, BASE_DEC,
2594 NULL, 0, "Offset to W2k PAC entry", HFILL }},
2595 { &hf_krb_pac_clientid, {
2596 "ClientID", "kerberos.pac.clientid", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
2597 NULL, 0, "ClientID Timestamp", HFILL }},
2598 { &hf_krb_pac_namelen, {
2599 "Name Length", "kerberos.pac.namelen", FT_UINT16, BASE_DEC,
2600 NULL, 0, "Length of client name", HFILL }},
2601 { &hf_krb_pac_clientname, {
2602 "Name", "kerberos.pac.name", FT_STRING, BASE_NONE,
2603 NULL, 0, "Name of the Client in the PAC structure", HFILL }},
2604 { &hf_krb_pac_logon_info, {
2605 "PAC_LOGON_INFO", "kerberos.pac_logon_info", FT_BYTES, BASE_NONE,
2606 NULL, 0, "PAC_LOGON_INFO structure", HFILL }},
2607 { &hf_krb_pac_credential_data, {
2608 "PAC_CREDENTIAL_DATA", "kerberos.pac_credential_data", FT_BYTES, BASE_NONE,
2609 NULL, 0, "PAC_CREDENTIAL_DATA structure", HFILL }},
2610 { &hf_krb_pac_credential_info, {
2611 "PAC_CREDENTIAL_INFO", "kerberos.pac_credential_info", FT_BYTES, BASE_NONE,
2612 NULL, 0, "PAC_CREDENTIAL_INFO structure", HFILL }},
2613 { &hf_krb_pac_credential_info_version, {
2614 "Version", "kerberos.pac_credential_info.version", FT_UINT32, BASE_DEC,
2615 NULL, 0, NULL, HFILL }},
2616 { &hf_krb_pac_credential_info_etype, {
2617 "Etype", "kerberos.pac_credential_info.etype", FT_UINT32, BASE_DEC,
2618 NULL, 0, NULL, HFILL }},
2619 { &hf_krb_pac_server_checksum, {
2620 "PAC_SERVER_CHECKSUM", "kerberos.pac_server_checksum", FT_BYTES, BASE_NONE,
2621 NULL, 0, "PAC_SERVER_CHECKSUM structure", HFILL }},
2622 { &hf_krb_pac_privsvr_checksum, {
2623 "PAC_PRIVSVR_CHECKSUM", "kerberos.pac_privsvr_checksum", FT_BYTES, BASE_NONE,
2624 NULL, 0, "PAC_PRIVSVR_CHECKSUM structure", HFILL }},
2625 { &hf_krb_pac_client_info_type, {
2626 "PAC_CLIENT_INFO_TYPE", "kerberos.pac_client_info_type", FT_BYTES, BASE_NONE,
2627 NULL, 0, "PAC_CLIENT_INFO_TYPE structure", HFILL }},
2628 { &hf_krb_pac_s4u_delegation_info, {
2629 "PAC_S4U_DELEGATION_INFO", "kerberos.pac_s4u_delegation_info", FT_BYTES, BASE_NONE,
2630 NULL, 0, "PAC_S4U_DELEGATION_INFO structure", HFILL }},
2631 { &hf_krb_pac_upn_dns_info, {
2632 "UPN_DNS_INFO", "kerberos.pac_upn_dns_info", FT_BYTES, BASE_NONE,
2633 NULL, 0, "UPN_DNS_INFO structure", HFILL }},
2634 { &hf_krb_pac_upn_flags, {
2635 "Flags", "kerberos.pac.upn.flags", FT_UINT32, BASE_HEX,
2636 NULL, 0, "UPN flags", HFILL }},
2637 { &hf_krb_pac_upn_dns_offset, {
2638 "DNS Offset", "kerberos.pac.upn.dns_offset", FT_UINT16, BASE_DEC,
2639 NULL, 0, NULL, HFILL }},
2640 { &hf_krb_pac_upn_dns_len, {
2641 "DNS Len", "kerberos.pac.upn.dns_len", FT_UINT16, BASE_DEC,
2642 NULL, 0, NULL, HFILL }},
2643 { &hf_krb_pac_upn_upn_offset, {
2644 "UPN Offset", "kerberos.pac.upn.upn_offset", FT_UINT16, BASE_DEC,
2645 NULL, 0, NULL, HFILL }},
2646 { &hf_krb_pac_upn_upn_len, {
2647 "UPN Len", "kerberos.pac.upn.upn_len", FT_UINT16, BASE_DEC,
2648 NULL, 0, NULL, HFILL }},
2649 { &hf_krb_pac_upn_upn_name, {
2650 "UPN Name", "kerberos.pac.upn.upn_name", FT_STRING, BASE_NONE,
2651 NULL, 0, NULL, HFILL }},
2652 { &hf_krb_pac_upn_dns_name, {
2653 "DNS Name", "kerberos.pac.upn.dns_name", FT_STRING, BASE_NONE,
2654 NULL, 0, NULL, HFILL }},
2655 { &hf_krb_pa_supported_enctypes,
2656 { "SupportedEnctypes", "kerberos.supported_entypes",
2657 FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }},
2658 { &hf_krb_pa_supported_enctypes_des_cbc_crc,
2659 { "des-cbc-crc", "kerberos.supported_entypes.des-cbc-crc",
2660 FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00000001, NULL, HFILL }},
2661 { &hf_krb_pa_supported_enctypes_des_cbc_md5,
2662 { "des-cbc-md5", "kerberos.supported_entypes.des-cbc-md5",
2663 FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00000002, NULL, HFILL }},
2664 { &hf_krb_pa_supported_enctypes_rc4_hmac,
2665 { "rc4-hmac", "kerberos.supported_entypes.rc4-hmac",
2666 FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00000004, NULL, HFILL }},
2667 { &hf_krb_pa_supported_enctypes_aes128_cts_hmac_sha1_96,
2668 { "aes128-cts-hmac-sha1-96", "kerberos.supported_entypes.aes128-cts-hmac-sha1-96",
2669 FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00000008, NULL, HFILL }},
2670 { &hf_krb_pa_supported_enctypes_aes256_cts_hmac_sha1_96,
2671 { "aes256-cts-hmac-sha1-96", "kerberos.supported_entypes.aes256-cts-hmac-sha1-96",
2672 FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00000010, NULL, HFILL }},
2673 { &hf_krb_pa_supported_enctypes_fast_supported,
2674 { "fast-supported", "kerberos.supported_entypes.fast-supported",
2675 FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00010000, NULL, HFILL }},
2676 { &hf_krb_pa_supported_enctypes_compound_identity_supported,
2677 { "compound-identity-supported", "kerberos.supported_entypes.compound-identity-supported",
2678 FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00020000, NULL, HFILL }},
2679 { &hf_krb_pa_supported_enctypes_claims_supported,
2680 { "claims-supported", "kerberos.supported_entypes.claims-supported",
2681 FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00040000, NULL, HFILL }},
2682 { &hf_krb_pa_supported_enctypes_resource_sid_compression_disabled,
2683 { "resource-sid-compression-disabled", "kerberos.supported_entypes.resource-sid-compression-disabled",
2684 FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00040000, NULL, HFILL }},
2685 { &hf_krb_ad_ap_options,
2686 { "AD-AP-Options", "kerberos.ad_ap_options",
2687 FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }},
2688 { &hf_krb_ad_ap_options_cbt,
2689 { "ChannelBindings", "kerberos.ad_ap_options.cbt",
2690 FT_BOOLEAN, 32, TFS(&set_tfs), 0x00004000, NULL, HFILL }},
2692 #include "packet-kerberos-hfarr.c"
2695 /* List of subtrees */
2696 static gint *ett[] = {
2698 &ett_krb_recordmark,
2701 &ett_krb_pac_midl_blob,
2702 &ett_krb_pac_logon_info,
2703 &ett_krb_pac_credential_info,
2704 &ett_krb_pac_s4u_delegation_info,
2705 &ett_krb_pac_upn_dns_info,
2706 &ett_krb_pac_server_checksum,
2707 &ett_krb_pac_privsvr_checksum,
2708 &ett_krb_pac_client_info_type,
2709 &ett_krb_pa_supported_enctypes,
2710 &ett_krb_ad_ap_options,
2711 #include "packet-kerberos-ettarr.c"
2714 static ei_register_info ei[] = {
2715 { &ei_kerberos_decrypted_keytype, { "kerberos.decrypted_keytype", PI_SECURITY, PI_CHAT, "Decryted keytype", EXPFILL }},
2716 { &ei_kerberos_address, { "kerberos.address.unknown", PI_UNDECODED, PI_WARN, "KRB Address: I don't know how to parse this type of address yet", EXPFILL }},
2717 { &ei_krb_gssapi_dlglen, { "kerberos.gssapi.dlglen.error", PI_MALFORMED, PI_ERROR, "DlgLen is not the same as number of bytes remaining", EXPFILL }},
2720 expert_module_t* expert_krb;
2721 module_t *krb_module;
2723 proto_kerberos = proto_register_protocol("Kerberos", "KRB5", "kerberos");
2724 proto_register_field_array(proto_kerberos, hf, array_length(hf));
2725 proto_register_subtree_array(ett, array_length(ett));
2726 expert_krb = expert_register_protocol(proto_kerberos);
2727 expert_register_field_array(expert_krb, ei, array_length(ei));
2729 /* Register preferences */
2730 krb_module = prefs_register_protocol(proto_kerberos, kerberos_prefs_apply_cb);
2731 prefs_register_bool_preference(krb_module, "desegment",
2732 "Reassemble Kerberos over TCP messages spanning multiple TCP segments",
2733 "Whether the Kerberos dissector should reassemble messages spanning multiple TCP segments."
2734 " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
2736 #ifdef HAVE_KERBEROS
2737 prefs_register_bool_preference(krb_module, "decrypt",
2738 "Try to decrypt Kerberos blobs",
2739 "Whether the dissector should try to decrypt "
2740 "encrypted Kerberos blobs. This requires that the proper "
2741 "keytab file is installed as well.", &krb_decrypt);
2743 prefs_register_filename_preference(krb_module, "file",
2744 "Kerberos keytab file",
2745 "The keytab file containing all the secrets",
2746 &keytab_filename, FALSE);
2750 static int wrap_dissect_gss_kerb(tvbuff_t *tvb, int offset, packet_info *pinfo,
2751 proto_tree *tree, dcerpc_info *di _U_,guint8 *drep _U_)
2755 auth_tvb = tvb_new_subset_remaining(tvb, offset);
2757 dissect_kerberos_main(auth_tvb, pinfo, tree, FALSE, NULL);
2759 return tvb_captured_length_remaining(tvb, offset);
2763 static dcerpc_auth_subdissector_fns gss_kerb_auth_connect_fns = {
2764 wrap_dissect_gss_kerb, /* Bind */
2765 wrap_dissect_gss_kerb, /* Bind ACK */
2766 wrap_dissect_gss_kerb, /* AUTH3 */
2767 NULL, /* Request verifier */
2768 NULL, /* Response verifier */
2769 NULL, /* Request data */
2770 NULL /* Response data */
2773 static dcerpc_auth_subdissector_fns gss_kerb_auth_sign_fns = {
2774 wrap_dissect_gss_kerb, /* Bind */
2775 wrap_dissect_gss_kerb, /* Bind ACK */
2776 wrap_dissect_gss_kerb, /* AUTH3 */
2777 wrap_dissect_gssapi_verf, /* Request verifier */
2778 wrap_dissect_gssapi_verf, /* Response verifier */
2779 NULL, /* Request data */
2780 NULL /* Response data */
2783 static dcerpc_auth_subdissector_fns gss_kerb_auth_seal_fns = {
2784 wrap_dissect_gss_kerb, /* Bind */
2785 wrap_dissect_gss_kerb, /* Bind ACK */
2786 wrap_dissect_gss_kerb, /* AUTH3 */
2787 wrap_dissect_gssapi_verf, /* Request verifier */
2788 wrap_dissect_gssapi_verf, /* Response verifier */
2789 wrap_dissect_gssapi_payload, /* Request data */
2790 wrap_dissect_gssapi_payload /* Response data */
2796 proto_reg_handoff_kerberos(void)
2798 dissector_handle_t kerberos_handle_tcp;
2800 krb4_handle = find_dissector_add_dependency("krb4", proto_kerberos);
2802 kerberos_handle_udp = create_dissector_handle(dissect_kerberos_udp,
2805 kerberos_handle_tcp = create_dissector_handle(dissect_kerberos_tcp,
2808 dissector_add_uint_with_preference("udp.port", UDP_PORT_KERBEROS, kerberos_handle_udp);
2809 dissector_add_uint_with_preference("tcp.port", TCP_PORT_KERBEROS, kerberos_handle_tcp);
2811 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_CONNECT,
2812 DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
2813 &gss_kerb_auth_connect_fns);
2815 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
2816 DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
2817 &gss_kerb_auth_sign_fns);
2819 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
2820 DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
2821 &gss_kerb_auth_seal_fns);
2825 * Editor modelines - http://www.wireshark.org/tools/modelines.html
2830 * indent-tabs-mode: t
2833 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2834 * :indentSize=8:tabSize=8:noTabs=false: