2 * Routines for Kerberos
3 * Wes Hardaker (c) 2000
4 * wjhardaker@ucdavis.edu
5 * Richard Sharpe (C) 2002, rsharpe@samba.org, modularized a bit more and
6 * added AP-REQ and AP-REP dissection
8 * Ronnie Sahlberg (C) 2004, major rewrite for new ASN.1/BER API.
9 * decryption of kerberos blobs if keytab is provided
11 * See RFC 1510, and various I-Ds and other documents showing additions,
12 * e.g. ones listed under
14 * http://www.isi.edu/people/bcn/krb-revisions/
18 * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt
22 * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-05.txt
24 * Some structures from RFC2630
26 * Ted Percival ted[AT]midg3t.net
27 * Support for PA-S4U2Self Kerberos packet type based on ASN.1 description
29 * http://loka.it.su.se/source/xref/heimdal/heimdal/lib/asn1/k5.asn1
31 * Wireshark - Network traffic analyzer
32 * By Gerald Combs <gerald@wireshark.org>
33 * Copyright 1998 Gerald Combs
35 * This program is free software; you can redistribute it and/or
36 * modify it under the terms of the GNU General Public License
37 * as published by the Free Software Foundation; either version 2
38 * of the License, or (at your option) any later version.
40 * This program is distributed in the hope that it will be useful,
41 * but WITHOUT ANY WARRANTY; without even the implied warranty of
42 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
43 * GNU General Public License for more details.
45 * You should have received a copy of the GNU General Public License
46 * along with this program; if not, write to the Free Software
47 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
51 * Some of the development of the Kerberos protocol decoder was sponsored by
52 * Cable Television Laboratories, Inc. ("CableLabs") based upon proprietary
53 * CableLabs' specifications. Your license and use of this protocol decoder
54 * does not mean that you are licensed to use the CableLabs'
55 * specifications. If you have questions about this protocol, contact
56 * jf.mule [AT] cablelabs.com or c.stuart [AT] cablelabs.com for additional
73 #include <nettle/des.h>
74 #include <nettle/cbc.h>
76 #include <wsutil/md5.h>
77 #include <sys/stat.h> /* For keyfile manipulation */
80 #include <epan/packet.h>
82 #include <epan/strutil.h>
84 #include <epan/conversation.h>
85 #include <epan/exceptions.h>
86 #include <epan/wmem/wmem.h>
87 #include <epan/asn1.h>
88 #include <epan/expert.h>
89 #include <epan/dissectors/packet-kerberos.h>
90 #include <epan/dissectors/packet-netbios.h>
91 #include <epan/dissectors/packet-tcp.h>
92 #include <epan/prefs.h>
93 #include <epan/dissectors/packet-ber.h>
94 #include <epan/dissectors/packet-pkinit.h>
95 #include <epan/dissectors/packet-cms.h>
96 #include <epan/dissectors/packet-windows-common.h>
98 #include <epan/dissectors/packet-dcerpc-netlogon.h>
99 #include <epan/dissectors/packet-dcerpc.h>
101 #include <epan/dissectors/packet-gssapi.h>
102 #include <epan/dissectors/packet-smb-common.h>
104 #include <wsutil/file_util.h>
106 void proto_register_kerberos(void);
107 void proto_reg_handoff_kerberos(void);
109 #define UDP_PORT_KERBEROS 88
110 #define TCP_PORT_KERBEROS 88
112 static dissector_handle_t kerberos_handle_udp;
114 /* Desegment Kerberos over TCP messages */
115 static gboolean krb_desegment = TRUE;
117 static gint proto_kerberos = -1;
118 static gint hf_krb_rm_reserved = -1;
119 static gint hf_krb_rm_reclen = -1;
121 static gint hf_krb_pac_signature_type = -1;
122 static gint hf_krb_pac_signature_signature = -1;
123 static gint hf_krb_pac_clientid = -1;
124 static gint hf_krb_pac_namelen = -1;
125 static gint hf_krb_pac_clientname = -1;
126 static gint hf_krb_pac_upn_flags = -1;
127 static gint hf_krb_pac_upn_upn_name = -1;
128 static gint hf_krb_pac_upn_dns_name = -1;
129 static gint hf_krb_pac_upn_dns_offset = -1;
130 static gint hf_krb_pac_upn_dns_len = -1;
131 static gint hf_krb_pac_upn_upn_offset = -1;
132 static gint hf_krb_pac_upn_upn_len = -1;
133 static gint hf_krb_w2k_pac_entries = -1;
134 static gint hf_krb_w2k_pac_version = -1;
135 static gint hf_krb_w2k_pac_type = -1;
136 static gint hf_krb_w2k_pac_size = -1;
137 static gint hf_krb_w2k_pac_offset = -1;
138 static gint hf_krb_padata = -1;
139 static gint hf_krb_error_code = -1;
140 static gint hf_krb_ticket = -1;
141 static gint hf_krb_AP_REP_enc = -1;
142 static gint hf_krb_KDC_REP_enc = -1;
143 static gint hf_krb_tkt_vno = -1;
144 static gint hf_krb_e_data = -1;
145 static gint hf_krb_TransitedEncoding = -1;
146 static gint hf_krb_PA_PAC_REQUEST_flag = -1;
147 static gint hf_krb_encrypted_authenticator_data = -1;
148 static gint hf_krb_PAC_LOGON_INFO = -1;
149 static gint hf_krb_PAC_CREDENTIAL_TYPE = -1;
150 static gint hf_krb_PAC_SERVER_CHECKSUM = -1;
151 static gint hf_krb_PAC_PRIVSVR_CHECKSUM = -1;
152 static gint hf_krb_PAC_CLIENT_INFO_TYPE = -1;
153 static gint hf_krb_PAC_S4U_DELEGATION_INFO = -1;
154 static gint hf_krb_PAC_UPN_DNS_INFO = -1;
155 static gint hf_krb_encrypted_PA_ENC_TIMESTAMP = -1;
156 static gint hf_krb_encrypted_enc_authorization_data = -1;
157 static gint hf_krb_encrypted_EncKrbCredPart = -1;
158 static gint hf_krb_checksum_checksum = -1;
159 static gint hf_krb_encrypted_PRIV = -1;
160 static gint hf_krb_encrypted_Ticket_data = -1;
161 static gint hf_krb_encrypted_AP_REP_data = -1;
162 static gint hf_krb_encrypted_KDC_REP_data = -1;
163 static gint hf_krb_PA_DATA_type = -1;
164 static gint hf_krb_PA_DATA_value = -1;
165 static gint hf_krb_etype_info_salt = -1;
166 static gint hf_krb_etype_info2_salt = -1;
167 static gint hf_krb_etype_info2_s2kparams = -1;
168 static gint hf_krb_SAFE_BODY_user_data = -1;
169 static gint hf_krb_PRIV_BODY_user_data = -1;
170 static gint hf_krb_realm = -1;
171 static gint hf_krb_srealm = -1;
172 static gint hf_krb_prealm = -1;
173 static gint hf_krb_crealm = -1;
174 static gint hf_krb_sname = -1;
175 static gint hf_krb_pname = -1;
176 static gint hf_krb_cname = -1;
177 static gint hf_krb_name_string = -1;
178 static gint hf_krb_provsrv_location = -1;
179 static gint hf_krb_e_text = -1;
180 static gint hf_krb_s4u2self_auth = -1;
181 static gint hf_krb_name_type = -1;
182 static gint hf_krb_lr_type = -1;
183 static gint hf_krb_from = -1;
184 static gint hf_krb_till = -1;
185 static gint hf_krb_authtime = -1;
186 static gint hf_krb_patimestamp = -1;
187 static gint hf_krb_SAFE_BODY_timestamp = -1;
188 static gint hf_krb_pausec = -1;
189 static gint hf_krb_lr_time = -1;
190 static gint hf_krb_starttime = -1;
191 static gint hf_krb_endtime = -1;
192 static gint hf_krb_key_expire = -1;
193 static gint hf_krb_renew_till = -1;
194 static gint hf_krb_rtime = -1;
195 static gint hf_krb_ctime = -1;
196 static gint hf_krb_cusec = -1;
197 static gint hf_krb_stime = -1;
198 static gint hf_krb_susec = -1;
199 static gint hf_krb_SAFE_BODY_usec = -1;
200 static gint hf_krb_nonce = -1;
201 static gint hf_krb_transitedtype = -1;
202 static gint hf_krb_transitedcontents = -1;
203 static gint hf_krb_keytype = -1;
204 static gint hf_krb_keyvalue = -1;
205 static gint hf_krb_IF_RELEVANT_type = -1;
206 static gint hf_krb_IF_RELEVANT_value = -1;
207 static gint hf_krb_adtype = -1;
208 static gint hf_krb_advalue = -1;
209 static gint hf_krb_etype = -1;
210 static gint hf_krb_etypes = -1;
211 static gint hf_krb_KrbCredInfos = -1;
212 static gint hf_krb_sq_tickets = -1;
213 static gint hf_krb_LastReqs = -1;
214 static gint hf_krb_IF_RELEVANT = -1;
215 static gint hf_krb_addr_type = -1;
216 static gint hf_krb_address_ip = -1;
217 static gint hf_krb_address_ipv6 = -1;
218 static gint hf_krb_address_netbios = -1;
219 static gint hf_krb_msg_type = -1;
220 static gint hf_krb_pvno = -1;
221 static gint hf_krb_kvno = -1;
222 static gint hf_krb_checksum_type = -1;
223 static gint hf_krb_authenticator_vno = -1;
224 static gint hf_krb_AuthorizationData = -1;
225 static gint hf_krb_key = -1;
226 static gint hf_krb_subkey = -1;
227 static gint hf_krb_seq_number = -1;
228 static gint hf_krb_EncTicketPart = -1;
229 static gint hf_krb_EncAPRepPart = -1;
230 static gint hf_krb_EncKrbPrivPart = -1;
231 static gint hf_krb_EncKrbCredPart = -1;
232 static gint hf_krb_EncKDCRepPart = -1;
233 static gint hf_krb_LastReq = -1;
234 static gint hf_krb_Authenticator = -1;
235 static gint hf_krb_Checksum = -1;
236 static gint hf_krb_s_address = -1;
237 static gint hf_krb_r_address = -1;
238 static gint hf_krb_KrbCredInfo = -1;
239 static gint hf_krb_HostAddress = -1;
240 static gint hf_krb_HostAddresses = -1;
241 static gint hf_krb_APOptions = -1;
242 static gint hf_krb_APOptions_reserved = -1;
243 static gint hf_krb_APOptions_use_session_key = -1;
244 static gint hf_krb_APOptions_mutual_required = -1;
245 static gint hf_krb_TicketFlags = -1;
246 static gint hf_krb_TicketFlags_forwardable = -1;
247 static gint hf_krb_TicketFlags_forwarded = -1;
248 static gint hf_krb_TicketFlags_proxiable = -1;
249 static gint hf_krb_TicketFlags_proxy = -1;
250 static gint hf_krb_TicketFlags_allow_postdate = -1;
251 static gint hf_krb_TicketFlags_postdated = -1;
252 static gint hf_krb_TicketFlags_invalid = -1;
253 static gint hf_krb_TicketFlags_renewable = -1;
254 static gint hf_krb_TicketFlags_initial = -1;
255 static gint hf_krb_TicketFlags_pre_auth = -1;
256 static gint hf_krb_TicketFlags_hw_auth = -1;
257 static gint hf_krb_TicketFlags_transited_policy_checked = -1;
258 static gint hf_krb_TicketFlags_ok_as_delegate = -1;
259 static gint hf_krb_KDCOptions = -1;
260 static gint hf_krb_KDCOptions_forwardable = -1;
261 static gint hf_krb_KDCOptions_forwarded = -1;
262 static gint hf_krb_KDCOptions_proxiable = -1;
263 static gint hf_krb_KDCOptions_proxy = -1;
264 static gint hf_krb_KDCOptions_allow_postdate = -1;
265 static gint hf_krb_KDCOptions_postdated = -1;
266 static gint hf_krb_KDCOptions_renewable = -1;
267 static gint hf_krb_KDCOptions_constrained_delegation = -1;
268 static gint hf_krb_KDCOptions_canonicalize = -1;
269 static gint hf_krb_KDCOptions_opt_hardware_auth = -1;
270 static gint hf_krb_KDCOptions_disable_transited_check = -1;
271 static gint hf_krb_KDCOptions_renewable_ok = -1;
272 static gint hf_krb_KDCOptions_enc_tkt_in_skey = -1;
273 static gint hf_krb_KDCOptions_renew = -1;
274 static gint hf_krb_KDCOptions_validate = -1;
275 static gint hf_krb_KDC_REQ_BODY = -1;
276 static gint hf_krb_PRIV_BODY = -1;
277 static gint hf_krb_CRED_BODY = -1;
278 static gint hf_krb_ENC_PRIV = -1;
279 static gint hf_krb_authenticator_enc = -1;
280 static gint hf_krb_CRED_enc = -1;
281 static gint hf_krb_ticket_enc = -1;
282 static gint hf_krb_e_checksum = -1;
283 static gint hf_krb_gssapi_len = -1;
284 static gint hf_krb_gssapi_bnd = -1;
285 static gint hf_krb_gssapi_dlgopt = -1;
286 static gint hf_krb_gssapi_dlglen = -1;
287 static gint hf_krb_gssapi_c_flag_deleg = -1;
288 static gint hf_krb_gssapi_c_flag_mutual = -1;
289 static gint hf_krb_gssapi_c_flag_replay = -1;
290 static gint hf_krb_gssapi_c_flag_sequence = -1;
291 static gint hf_krb_gssapi_c_flag_conf = -1;
292 static gint hf_krb_gssapi_c_flag_integ = -1;
293 static gint hf_krb_gssapi_c_flag_dce_style = -1;
294 static gint hf_krb_smb_nt_status = -1;
295 static gint hf_krb_smb_unknown = -1;
296 static gint hf_krb_midl_blob_len = -1;
297 static gint hf_krb_midl_fill_bytes = -1;
298 static gint hf_krb_midl_version = -1;
299 static gint hf_krb_midl_hdr_len = -1;
301 static gint ett_krb_kerberos = -1;
302 static gint ett_krb_TransitedEncoding = -1;
303 static gint ett_krb_PAC_LOGON_INFO = -1;
304 static gint ett_krb_PAC_SERVER_CHECKSUM = -1;
305 static gint ett_krb_PAC_PRIVSVR_CHECKSUM = -1;
306 static gint ett_krb_PAC_CLIENT_INFO_TYPE = -1;
307 static gint ett_krb_PAC_S4U_DELEGATION_INFO = -1;
308 static gint ett_krb_KDC_REP_enc = -1;
309 static gint ett_krb_EncTicketPart = -1;
310 static gint ett_krb_EncAPRepPart = -1;
311 static gint ett_krb_EncKrbPrivPart = -1;
312 static gint ett_krb_EncKrbCredPart = -1;
313 static gint ett_krb_EncKDCRepPart = -1;
314 static gint ett_krb_LastReq = -1;
315 static gint ett_krb_Authenticator = -1;
316 static gint ett_krb_Checksum = -1;
317 static gint ett_krb_key = -1;
318 static gint ett_krb_subkey = -1;
319 static gint ett_krb_AuthorizationData = -1;
320 static gint ett_krb_sname = -1;
321 static gint ett_krb_pname = -1;
322 static gint ett_krb_cname = -1;
323 static gint ett_krb_AP_REP_enc = -1;
324 static gint ett_krb_padata = -1;
325 static gint ett_krb_etypes = -1;
326 static gint ett_krb_KrbCredInfos = -1;
327 static gint ett_krb_sq_tickets = -1;
328 static gint ett_krb_LastReqs = -1;
329 static gint ett_krb_IF_RELEVANT = -1;
330 static gint ett_krb_PA_DATA_tree = -1;
331 static gint ett_krb_PAC = -1;
332 static gint ett_krb_s_address = -1;
333 static gint ett_krb_r_address = -1;
334 static gint ett_krb_KrbCredInfo = -1;
335 static gint ett_krb_HostAddress = -1;
336 static gint ett_krb_HostAddresses = -1;
337 static gint ett_krb_authenticator_enc = -1;
338 static gint ett_krb_CRED_enc = -1;
339 static gint ett_krb_AP_Options = -1;
340 static gint ett_krb_KDC_Options = -1;
341 static gint ett_krb_Ticket_Flags = -1;
342 static gint ett_krb_request = -1;
343 static gint ett_krb_recordmark = -1;
344 static gint ett_krb_ticket = -1;
345 static gint ett_krb_ticket_enc = -1;
346 static gint ett_krb_CRED = -1;
347 static gint ett_krb_PRIV = -1;
348 static gint ett_krb_PRIV_enc = -1;
349 static gint ett_krb_e_checksum = -1;
350 static gint ett_krb_PAC_MIDL_BLOB = -1;
351 static gint ett_krb_PAC_DREP = -1;
352 static gint ett_krb_PAC_UPN_DNS_INFO = -1;
354 static expert_field ei_krb_decrypted_keytype = EI_INIT;
356 static guint32 krb5_errorcode;
359 static dissector_handle_t krb4_handle=NULL;
361 static gboolean gbl_do_col_info;
365 call_kerberos_callbacks(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int tag, kerberos_callbacks *cb)
373 cb->callback(pinfo, tvb, tree);
385 /* Decrypt Kerberos blobs */
386 gboolean krb_decrypt = FALSE;
388 /* keytab filename */
389 static const char *keytab_filename = "";
392 void read_keytab_file(const char *);
395 read_keytab_file_from_preferences(void)
397 static char *last_keytab = NULL;
403 if (keytab_filename == NULL) {
407 if (last_keytab && !strcmp(last_keytab, keytab_filename)) {
411 if (last_keytab != NULL) {
415 last_keytab = g_strdup(keytab_filename);
417 read_keytab_file(last_keytab);
420 #elif defined(_WIN32)
423 * Dummy version to allow us to export this function -- even
424 * on systems without KERBEROS.
427 read_keytab_file_from_preferences(void)
433 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
435 /* prevent redefinition warnings in kfw-2.5\inc\win_mac.h */
439 #undef HAVE_SYS_TYPES_H
442 enc_key_t *enc_key_list=NULL;
445 add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin)
449 if(pinfo->fd->flags.visited){
452 printf("added key in %u keytype:%d len:%d\n",pinfo->fd->num, keytype, keylength);
454 new_key=(enc_key_t *)g_malloc(sizeof(enc_key_t));
455 g_snprintf(new_key->key_origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u",origin,pinfo->fd->num);
456 new_key->fd_num = pinfo->fd->num;
457 new_key->next=enc_key_list;
458 enc_key_list=new_key;
459 new_key->keytype=keytype;
460 new_key->keylength=keylength;
461 /*XXX this needs to be freed later */
462 new_key->keyvalue=(char *)g_memdup(keyvalue, keylength);
464 #endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
466 #if defined(_WIN32) && !defined(HAVE_HEIMDAL_KERBEROS) && !defined(HAVE_MIT_KERBEROS) && !defined(HAVE_LIBNETTLE)
468 read_keytab_file(const char *filename _U_)
473 #ifdef HAVE_MIT_KERBEROS
475 static krb5_context krb5_ctx;
478 read_keytab_file(const char *filename)
482 krb5_keytab_entry key;
483 krb5_kt_cursor cursor;
485 static gboolean first_time=TRUE;
487 printf("read keytab file %s\n", filename);
490 ret = krb5_init_context(&krb5_ctx);
491 if(ret && ret != KRB5_CONFIG_CANTOPEN){
496 /* should use a file in the wireshark users dir */
497 ret = krb5_kt_resolve(krb5_ctx, filename, &keytab);
499 fprintf(stderr, "KERBEROS ERROR: Badly formatted keytab filename :%s\n",filename);
504 ret = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
506 fprintf(stderr, "KERBEROS ERROR: Could not open or could not read from keytab file :%s\n",filename);
511 new_key=(enc_key_t *)g_malloc(sizeof(enc_key_t));
512 new_key->fd_num = -1;
513 new_key->next=enc_key_list;
514 ret = krb5_kt_next_entry(krb5_ctx, keytab, &key, &cursor);
519 /* generate origin string, describing where this key came from */
520 pos=new_key->key_origin;
521 pos+=MIN(KRB_MAX_ORIG_LEN,
522 g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal "));
523 for(i=0;i<key.principal->length;i++){
524 pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
525 g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),(key.principal->data[i]).data));
527 pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
528 g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm.data));
530 /*printf("added key for principal :%s\n", new_key->key_origin);*/
531 new_key->keytype=key.key.enctype;
532 new_key->keylength=key.key.length;
533 new_key->keyvalue=(char *)g_memdup(key.key.contents, key.key.length);
534 enc_key_list=new_key;
538 ret = krb5_kt_end_seq_get(krb5_ctx, keytab, &cursor);
540 krb5_kt_close(krb5_ctx, keytab);
547 decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
555 krb5_data data = {0,0,NULL};
556 krb5_keytab_entry key;
557 int length = tvb_length(cryptotvb);
558 const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length);
560 /* don't do anything if we are not attempting to decrypt data */
561 if(!krb_decrypt || length < 1){
565 /* make sure we have all the data we need */
566 if (tvb_length(cryptotvb) < tvb_reported_length(cryptotvb)) {
570 read_keytab_file_from_preferences();
571 data.data = (char *)g_malloc(length);
572 data.length = length;
574 for(ek=enc_key_list;ek;ek=ek->next){
577 /* shortcircuit and bail out if enctypes are not matching */
578 if((keytype != -1) && (ek->keytype != keytype)) {
582 input.enctype = ek->keytype;
583 input.ciphertext.length = length;
584 input.ciphertext.data = (guint8 *)cryptotext;
586 key.key.enctype=ek->keytype;
587 key.key.length=ek->keylength;
588 key.key.contents=ek->keyvalue;
589 ret = krb5_c_decrypt(krb5_ctx, &(key.key), usage, 0, &input, &data);
593 expert_add_info_format(pinfo, NULL, &ei_krb_decrypted_keytype,
594 "Decrypted keytype %d in frame %u using %s",
595 ek->keytype, pinfo->fd->num, ek->key_origin);
597 proto_tree_add_text(tree, NULL, 0, 0, "[Decrypted using: %s]", ek->key_origin);
598 /* return a private g_malloced blob to the caller */
601 *datalen = data.length;
611 #elif defined(HAVE_HEIMDAL_KERBEROS)
612 static krb5_context krb5_ctx;
615 read_keytab_file(const char *filename)
619 krb5_keytab_entry key;
620 krb5_kt_cursor cursor;
622 static gboolean first_time=TRUE;
626 ret = krb5_init_context(&krb5_ctx);
632 /* should use a file in the wireshark users dir */
633 ret = krb5_kt_resolve(krb5_ctx, filename, &keytab);
635 fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename);
640 ret = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
642 fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename);
647 new_key=(enc_key_t*)g_malloc(sizeof(enc_key_t));
648 new_key->fd_num = -1;
649 new_key->next=enc_key_list;
650 ret = krb5_kt_next_entry(krb5_ctx, keytab, &key, &cursor);
655 /* generate origin string, describing where this key came from */
656 pos=new_key->key_origin;
657 pos+=MIN(KRB_MAX_ORIG_LEN,
658 g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal "));
659 for(i=0;i<key.principal->name.name_string.len;i++){
660 pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
661 g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),key.principal->name.name_string.val[i]));
663 pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
664 g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm));
666 new_key->keytype=key.keyblock.keytype;
667 new_key->keylength=key.keyblock.keyvalue.length;
668 new_key->keyvalue=(char*)g_memdup(key.keyblock.keyvalue.data, key.keyblock.keyvalue.length);
669 enc_key_list=new_key;
673 ret = krb5_kt_end_seq_get(krb5_ctx, keytab, &cursor);
675 krb5_kt_close(krb5_ctx, keytab);
682 decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
691 int length = tvb_length(cryptotvb);
692 const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length);
694 /* don't do anything if we are not attempting to decrypt data */
699 /* make sure we have all the data we need */
700 if (tvb_length(cryptotvb) < tvb_reported_length(cryptotvb)) {
704 read_keytab_file_from_preferences();
706 for(ek=enc_key_list;ek;ek=ek->next){
707 krb5_keytab_entry key;
709 guint8 *cryptocopy; /* workaround for pre-0.6.1 heimdal bug */
711 /* shortcircuit and bail out if enctypes are not matching */
712 if((keytype != -1) && (ek->keytype != keytype)) {
716 key.keyblock.keytype=ek->keytype;
717 key.keyblock.keyvalue.length=ek->keylength;
718 key.keyblock.keyvalue.data=ek->keyvalue;
719 ret = krb5_crypto_init(krb5_ctx, &(key.keyblock), (krb5_enctype)0, &crypto);
724 /* pre-0.6.1 versions of Heimdal would sometimes change
725 the cryptotext data even when the decryption failed.
726 This would obviously not work since we iterate over the
727 keys. So just give it a copy of the crypto data instead.
728 This has been seen for RC4-HMAC blobs.
730 cryptocopy=(guint8*)g_memdup(cryptotext, length);
731 ret = krb5_decrypt_ivec(krb5_ctx, crypto, usage,
736 if((ret == 0) && (length>0)){
739 printf("woohoo decrypted keytype:%d in frame:%u\n", ek->keytype, pinfo->fd->num);
740 proto_tree_add_text(tree, NULL, 0, 0, "[Decrypted using: %s]", ek->key_origin);
741 krb5_crypto_destroy(krb5_ctx, crypto);
742 /* return a private g_malloced blob to the caller */
743 user_data=(char*)g_memdup(data.data, data.length);
745 *datalen = data.length;
749 krb5_crypto_destroy(krb5_ctx, crypto);
754 #elif defined (HAVE_LIBNETTLE)
756 #define SERVICE_KEY_SIZE (DES3_KEY_SIZE + 2)
757 #define KEYTYPE_DES3_CBC_MD5 5 /* Currently the only one supported */
759 typedef struct _service_key_t {
764 char origin[KRB_MAX_ORIG_LEN+1];
766 GSList *service_key_list = NULL;
770 add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin)
772 service_key_t *new_key;
774 if(pinfo->fd->flags.visited){
777 printf("added key in %u\n",pinfo->fd->num);
779 new_key = g_malloc(sizeof(service_key_t));
781 new_key->keytype = keytype;
782 new_key->length = keylength;
783 new_key->contents = g_memdup(keyvalue, keylength);
784 g_snprintf(new_key->origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u", origin, pinfo->fd->num);
785 service_key_list = g_slist_append(service_key_list, (gpointer) new_key);
793 for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
794 sk = (service_key_t *) ske->data;
796 g_free(sk->contents);
800 g_slist_free(service_key_list);
801 service_key_list = NULL;
805 read_keytab_file(const char *service_key_file)
810 unsigned char buf[SERVICE_KEY_SIZE];
811 int newline_skip = 0, count = 0;
813 if (service_key_file != NULL && ws_stat64 (service_key_file, &st) == 0) {
815 /* The service key file contains raw 192-bit (24 byte) 3DES keys.
816 * There can be zero, one (\n), or two (\r\n) characters between
817 * keys. Trailing characters are ignored.
820 /* XXX We should support the standard keytab format instead */
821 if (st.st_size > SERVICE_KEY_SIZE) {
822 if ( (st.st_size % (SERVICE_KEY_SIZE + 1) == 0) ||
823 (st.st_size % (SERVICE_KEY_SIZE + 1) == SERVICE_KEY_SIZE) ) {
825 } else if ( (st.st_size % (SERVICE_KEY_SIZE + 2) == 0) ||
826 (st.st_size % (SERVICE_KEY_SIZE + 2) == SERVICE_KEY_SIZE) ) {
831 skf = ws_fopen(service_key_file, "rb");
834 while (fread(buf, SERVICE_KEY_SIZE, 1, skf) == 1) {
835 sk = g_malloc(sizeof(service_key_t));
836 sk->kvno = buf[0] << 8 | buf[1];
837 sk->keytype = KEYTYPE_DES3_CBC_MD5;
838 sk->length = DES3_KEY_SIZE;
839 sk->contents = g_memdup(buf + 2, DES3_KEY_SIZE);
840 g_snprintf(sk->origin, KRB_MAX_ORIG_LEN, "3DES service key file, key #%d, offset %ld", count, ftell(skf));
841 service_key_list = g_slist_append(service_key_list, (gpointer) sk);
842 fseek(skf, newline_skip, SEEK_CUR);
844 g_warning("added key: %s", sk->origin);
850 #define CONFOUNDER_PLUS_CHECKSUM 24
853 decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
860 guint8 *decrypted_data = NULL, *plaintext = NULL;
863 guint32 tag, item_len, data_len;
864 int id_offset, offset;
865 guint8 key[DES3_KEY_SIZE];
866 guint8 initial_vector[DES_BLOCK_SIZE];
868 md5_byte_t digest[16];
869 md5_byte_t zero_fill[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
870 md5_byte_t confounder[8];
875 int length = tvb_length(cryptotvb);
876 const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length);
879 /* don't do anything if we are not attempting to decrypt data */
884 /* make sure we have all the data we need */
885 if (tvb_length(cryptotvb) < tvb_reported_length(cryptotvb)) {
889 if (keytype != KEYTYPE_DES3_CBC_MD5 || service_key_list == NULL) {
893 decrypted_data = g_malloc(length);
894 for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
895 gboolean do_continue = FALSE;
896 sk = (service_key_t *) ske->data;
898 des_fix_parity(DES3_KEY_SIZE, key, sk->contents);
901 memset(initial_vector, 0, DES_BLOCK_SIZE);
902 des3_set_key(&ctx, key);
903 cbc_decrypt(&ctx, des3_decrypt, DES_BLOCK_SIZE, initial_vector,
904 length, decrypted_data, cryptotext);
905 encr_tvb = tvb_new_real_data(decrypted_data, length, length);
907 tvb_memcpy(encr_tvb, confounder, 0, 8);
909 /* We have to pull the decrypted data length from the decrypted
910 * content. If the key doesn't match or we otherwise get garbage,
911 * an exception may get thrown while decoding the ASN.1 header.
912 * Catch it, just in case.
915 id_offset = get_ber_identifier(encr_tvb, CONFOUNDER_PLUS_CHECKSUM, &cls, &pc, &tag);
916 offset = get_ber_length(encr_tvb, id_offset, &item_len, &ind);
918 CATCH_BOUNDS_ERRORS {
924 if (do_continue) continue;
926 data_len = item_len + offset - CONFOUNDER_PLUS_CHECKSUM;
927 if ((int) item_len + offset > length) {
932 md5_append(&md5s, confounder, 8);
933 md5_append(&md5s, zero_fill, 16);
934 md5_append(&md5s, decrypted_data + CONFOUNDER_PLUS_CHECKSUM, data_len);
935 md5_finish(&md5s, digest);
937 if (tvb_memeql (encr_tvb, 8, digest, 16) == 0) {
938 g_warning("woohoo decrypted keytype:%d in frame:%u\n", keytype, pinfo->fd->num);
939 plaintext = g_malloc(data_len);
940 tvb_memcpy(encr_tvb, plaintext, CONFOUNDER_PLUS_CHECKSUM, data_len);
946 g_free(decrypted_data);
952 g_free(decrypted_data);
957 #endif /* HAVE_MIT_KERBEROS / HAVE_HEIMDAL_KERBEROS / HAVE_LIBNETTLE */
959 #define INET6_ADDRLEN 16
961 /* TCP Record Mark */
962 #define KRB_RM_RESERVED 0x80000000U
963 #define KRB_RM_RECLEN 0x7fffffffU
965 #define KRB5_MSG_TICKET 1 /* Ticket */
966 #define KRB5_MSG_AUTHENTICATOR 2 /* Authenticator */
967 #define KRB5_MSG_ENC_TICKET_PART 3 /* EncTicketPart */
968 #define KRB5_MSG_AS_REQ 10 /* AS-REQ type */
969 #define KRB5_MSG_AS_REP 11 /* AS-REP type */
970 #define KRB5_MSG_TGS_REQ 12 /* TGS-REQ type */
971 #define KRB5_MSG_TGS_REP 13 /* TGS-REP type */
972 #define KRB5_MSG_AP_REQ 14 /* AP-REQ type */
973 #define KRB5_MSG_AP_REP 15 /* AP-REP type */
975 #define KRB5_MSG_SAFE 20 /* KRB-SAFE type */
976 #define KRB5_MSG_PRIV 21 /* KRB-PRIV type */
977 #define KRB5_MSG_CRED 22 /* KRB-CRED type */
978 #define KRB5_MSG_ENC_AS_REP_PART 25 /* EncASRepPart */
979 #define KRB5_MSG_ENC_TGS_REP_PART 26 /* EncTGSRepPart */
980 #define KRB5_MSG_ENC_AP_REP_PART 27 /* EncAPRepPart */
981 #define KRB5_MSG_ENC_KRB_PRIV_PART 28 /* EncKrbPrivPart */
982 #define KRB5_MSG_ENC_KRB_CRED_PART 29 /* EncKrbCredPart */
983 #define KRB5_MSG_ERROR 30 /* KRB-ERROR type */
985 /* address type constants */
986 #define KRB5_ADDR_IPv4 0x02
987 #define KRB5_ADDR_CHAOS 0x05
988 #define KRB5_ADDR_XEROX 0x06
989 #define KRB5_ADDR_ISO 0x07
990 #define KRB5_ADDR_DECNET 0x0c
991 #define KRB5_ADDR_APPLETALK 0x10
992 #define KRB5_ADDR_NETBIOS 0x14
993 #define KRB5_ADDR_IPv6 0x18
995 /* encryption type constants */
996 #define KRB5_ENCTYPE_NULL 0
997 #define KRB5_ENCTYPE_DES_CBC_CRC 1
998 #define KRB5_ENCTYPE_DES_CBC_MD4 2
999 #define KRB5_ENCTYPE_DES_CBC_MD5 3
1000 #define KRB5_ENCTYPE_DES_CBC_RAW 4
1001 #define KRB5_ENCTYPE_DES3_CBC_SHA 5
1002 #define KRB5_ENCTYPE_DES3_CBC_RAW 6
1003 #define KRB5_ENCTYPE_DES_HMAC_SHA1 8
1004 #define KRB5_ENCTYPE_DSA_SHA1_CMS 9
1005 #define KRB5_ENCTYPE_RSA_MD5_CMS 10
1006 #define KRB5_ENCTYPE_RSA_SHA1_CMS 11
1007 #define KRB5_ENCTYPE_RC2_CBC_ENV 12
1008 #define KRB5_ENCTYPE_RSA_ENV 13
1009 #define KRB5_ENCTYPE_RSA_ES_OEAP_ENV 14
1010 #define KRB5_ENCTYPE_DES_EDE3_CBC_ENV 15
1011 #define KRB5_ENCTYPE_DES3_CBC_SHA1 16
1012 #define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 17
1013 #define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 18
1014 #define KRB5_ENCTYPE_DES_CBC_MD5_NT 20
1015 #define KERB_ENCTYPE_RC4_HMAC 23
1016 #define KERB_ENCTYPE_RC4_HMAC_EXP 24
1017 #define KRB5_ENCTYPE_UNKNOWN 0x1ff
1018 #define KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 0x7007
1019 #define KRB5_ENCTYPE_RC4_PLAIN_EXP 0xffffff73
1020 #define KRB5_ENCTYPE_RC4_PLAIN 0xffffff74
1021 #define KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP 0xffffff78
1022 #define KRB5_ENCTYPE_RC4_HMAC_OLD_EXP 0xffffff79
1023 #define KRB5_ENCTYPE_RC4_PLAIN_OLD 0xffffff7a
1024 #define KRB5_ENCTYPE_RC4_HMAC_OLD 0xffffff7b
1025 #define KRB5_ENCTYPE_DES_PLAIN 0xffffff7c
1026 #define KRB5_ENCTYPE_RC4_SHA 0xffffff7d
1027 #define KRB5_ENCTYPE_RC4_LM 0xffffff7e
1028 #define KRB5_ENCTYPE_RC4_PLAIN2 0xffffff7f
1029 #define KRB5_ENCTYPE_RC4_MD4 0xffffff80
1031 /* checksum types */
1032 #define KRB5_CHKSUM_NONE 0
1033 #define KRB5_CHKSUM_CRC32 1
1034 #define KRB5_CHKSUM_MD4 2
1035 #define KRB5_CHKSUM_KRB_DES_MAC 4
1036 #define KRB5_CHKSUM_KRB_DES_MAC_K 5
1037 #define KRB5_CHKSUM_MD5 7
1038 #define KRB5_CHKSUM_MD5_DES 8
1039 /* the following four come from packetcable */
1040 #define KRB5_CHKSUM_MD5_DES3 9
1041 #define KRB5_CHKSUM_HMAC_SHA1_DES3_KD 12
1042 #define KRB5_CHKSUM_HMAC_SHA1_DES3 13
1043 #define KRB5_CHKSUM_SHA1_UNKEYED 14
1044 #define KRB5_CHKSUM_HMAC_MD5 0xffffff76
1045 #define KRB5_CHKSUM_MD5_HMAC 0xffffff77
1046 #define KRB5_CHKSUM_RC4_MD5 0xffffff78
1047 #define KRB5_CHKSUM_MD25 0xffffff79
1048 #define KRB5_CHKSUM_DES_MAC_MD5 0xffffff7a
1049 #define KRB5_CHKSUM_DES_MAC 0xffffff7b
1050 #define KRB5_CHKSUM_REAL_CRC32 0xffffff7c
1051 #define KRB5_CHKSUM_SHA1 0xffffff7d
1052 #define KRB5_CHKSUM_LM 0xffffff7e
1053 #define KRB5_CHKSUM_GSSAPI 0x8003
1056 * For KERB_ENCTYPE_RC4_HMAC and KERB_ENCTYPE_RC4_HMAC_EXP, see
1058 * http://www.ietf.org/internet-drafts/draft-brezak-win2k-krb-rc4-hmac-04.txt
1060 * unless it's expired.
1063 /* pre-authentication type constants */
1064 #define KRB5_PA_TGS_REQ 1
1065 #define KRB5_PA_ENC_TIMESTAMP 2
1066 #define KRB5_PA_PW_SALT 3
1067 #define KRB5_PA_ENC_ENCKEY 4
1068 #define KRB5_PA_ENC_UNIX_TIME 5
1069 #define KRB5_PA_ENC_SANDIA_SECURID 6
1070 #define KRB5_PA_SESAME 7
1071 #define KRB5_PA_OSF_DCE 8
1072 #define KRB5_PA_CYBERSAFE_SECUREID 9
1073 #define KRB5_PA_AFS3_SALT 10
1074 #define KRB5_PA_ENCTYPE_INFO 11
1075 #define KRB5_PA_SAM_CHALLENGE 12
1076 #define KRB5_PA_SAM_RESPONSE 13
1077 #define KRB5_PA_PK_AS_REQ 14
1078 #define KRB5_PA_PK_AS_REP 15
1079 #define KRB5_PA_DASS 16
1080 #define KRB5_PA_ENCTYPE_INFO2 19
1081 #define KRB5_PA_USE_SPECIFIED_KVNO 20
1082 #define KRB5_PA_SAM_REDIRECT 21
1083 #define KRB5_PA_GET_FROM_TYPED_DATA 22
1084 #define KRB5_PA_SAM_ETYPE_INFO 23
1085 #define KRB5_PA_ALT_PRINC 24
1086 #define KRB5_PA_SAM_CHALLENGE2 30
1087 #define KRB5_PA_SAM_RESPONSE2 31
1088 #define KRB5_TD_PKINIT_CMS_CERTIFICATES 101
1089 #define KRB5_TD_KRB_PRINCIPAL 102
1090 #define KRB5_TD_KRB_REALM 103
1091 #define KRB5_TD_TRUSTED_CERTIFIERS 104
1092 #define KRB5_TD_CERTIFICATE_INDEX 105
1093 #define KRB5_TD_APP_DEFINED_ERROR 106
1094 #define KRB5_TD_REQ_NONCE 107
1095 #define KRB5_TD_REQ_SEQ 108
1097 /* preauthentication types >127 (i.e. negative ones) are app specific.
1098 however since Microsoft is the dominant(only?) user of types in this range
1099 we also treat the type as unsigned.
1101 #define KRB5_PA_PAC_REQUEST 128 /* (Microsoft extension) */
1102 #define KRB5_PA_FOR_USER 129 /* Impersonation (Microsoft extension) See [MS-SFU] */
1104 #define KRB5_PA_PROV_SRV_LOCATION 0xffffffff /* (gint32)0xFF) packetcable stuff */
1106 /* Principal name-type */
1107 #define KRB5_NT_UNKNOWN 0
1108 #define KRB5_NT_PRINCIPAL 1
1109 #define KRB5_NT_SRV_INST 2
1110 #define KRB5_NT_SRV_HST 3
1111 #define KRB5_NT_SRV_XHST 4
1112 #define KRB5_NT_UID 5
1113 #define KRB5_NT_X500_PRINCIPAL 6
1114 #define KRB5_NT_SMTP_NAME 7
1115 #define KRB5_NT_ENTERPRISE 10
1118 * MS specific name types, from
1120 * http://msdn.microsoft.com/library/en-us/security/security/kerb_external_name.asp
1122 #define KRB5_NT_MS_PRINCIPAL -128
1123 #define KRB5_NT_MS_PRINCIPAL_AND_SID -129
1124 #define KRB5_NT_ENT_PRINCIPAL_AND_SID -130
1125 #define KRB5_NT_PRINCIPAL_AND_SID -131
1126 #define KRB5_NT_SRV_INST_AND_SID -132
1128 /* error table constants */
1129 /* I prefixed the krb5_err.et constant names with KRB5_ET_ for these */
1130 #define KRB5_ET_KRB5KDC_ERR_NONE 0
1131 #define KRB5_ET_KRB5KDC_ERR_NAME_EXP 1
1132 #define KRB5_ET_KRB5KDC_ERR_SERVICE_EXP 2
1133 #define KRB5_ET_KRB5KDC_ERR_BAD_PVNO 3
1134 #define KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO 4
1135 #define KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO 5
1136 #define KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN 6
1137 #define KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN 7
1138 #define KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE 8
1139 #define KRB5_ET_KRB5KDC_ERR_NULL_KEY 9
1140 #define KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE 10
1141 #define KRB5_ET_KRB5KDC_ERR_NEVER_VALID 11
1142 #define KRB5_ET_KRB5KDC_ERR_POLICY 12
1143 #define KRB5_ET_KRB5KDC_ERR_BADOPTION 13
1144 #define KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP 14
1145 #define KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP 15
1146 #define KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP 16
1147 #define KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP 17
1148 #define KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED 18
1149 #define KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED 19
1150 #define KRB5_ET_KRB5KDC_ERR_TGT_REVOKED 20
1151 #define KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET 21
1152 #define KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET 22
1153 #define KRB5_ET_KRB5KDC_ERR_KEY_EXP 23
1154 #define KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED 24
1155 #define KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED 25
1156 #define KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH 26
1157 #define KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER 27
1158 #define KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED 28
1159 #define KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE 29
1160 #define KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY 31
1161 #define KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED 32
1162 #define KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV 33
1163 #define KRB5_ET_KRB5KRB_AP_ERR_REPEAT 34
1164 #define KRB5_ET_KRB5KRB_AP_ERR_NOT_US 35
1165 #define KRB5_ET_KRB5KRB_AP_ERR_BADMATCH 36
1166 #define KRB5_ET_KRB5KRB_AP_ERR_SKEW 37
1167 #define KRB5_ET_KRB5KRB_AP_ERR_BADADDR 38
1168 #define KRB5_ET_KRB5KRB_AP_ERR_BADVERSION 39
1169 #define KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE 40
1170 #define KRB5_ET_KRB5KRB_AP_ERR_MODIFIED 41
1171 #define KRB5_ET_KRB5KRB_AP_ERR_BADORDER 42
1172 #define KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT 43
1173 #define KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER 44
1174 #define KRB5_ET_KRB5KRB_AP_ERR_NOKEY 45
1175 #define KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL 46
1176 #define KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION 47
1177 #define KRB5_ET_KRB5KRB_AP_ERR_METHOD 48
1178 #define KRB5_ET_KRB5KRB_AP_ERR_BADSEQ 49
1179 #define KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM 50
1180 #define KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED 51
1181 #define KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG 52
1182 #define KRB5_ET_KRB5KRB_ERR_GENERIC 60
1183 #define KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG 61
1184 #define KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED 62
1185 #define KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED 63
1186 #define KRB5_ET_KDC_ERROR_INVALID_SIG 64
1187 #define KRB5_ET_KDC_ERR_KEY_TOO_WEAK 65
1188 #define KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH 66
1189 #define KRB5_ET_KRB_AP_ERR_NO_TGT 67
1190 #define KRB5_ET_KDC_ERR_WRONG_REALM 68
1191 #define KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED 69
1192 #define KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE 70
1193 #define KRB5_ET_KDC_ERR_INVALID_CERTIFICATE 71
1194 #define KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE 72
1195 #define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN 73
1196 #define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74
1197 #define KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH 75
1198 #define KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH 76
1200 static const value_string krb5_error_codes[] = {
1201 { KRB5_ET_KRB5KDC_ERR_NONE, "KRB5KDC_ERR_NONE" },
1202 { KRB5_ET_KRB5KDC_ERR_NAME_EXP, "KRB5KDC_ERR_NAME_EXP" },
1203 { KRB5_ET_KRB5KDC_ERR_SERVICE_EXP, "KRB5KDC_ERR_SERVICE_EXP" },
1204 { KRB5_ET_KRB5KDC_ERR_BAD_PVNO, "KRB5KDC_ERR_BAD_PVNO" },
1205 { KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO, "KRB5KDC_ERR_C_OLD_MAST_KVNO" },
1206 { KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO, "KRB5KDC_ERR_S_OLD_MAST_KVNO" },
1207 { KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" },
1208 { KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" },
1209 { KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, "KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE" },
1210 { KRB5_ET_KRB5KDC_ERR_NULL_KEY, "KRB5KDC_ERR_NULL_KEY" },
1211 { KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE, "KRB5KDC_ERR_CANNOT_POSTDATE" },
1212 { KRB5_ET_KRB5KDC_ERR_NEVER_VALID, "KRB5KDC_ERR_NEVER_VALID" },
1213 { KRB5_ET_KRB5KDC_ERR_POLICY, "KRB5KDC_ERR_POLICY" },
1214 { KRB5_ET_KRB5KDC_ERR_BADOPTION, "KRB5KDC_ERR_BADOPTION" },
1215 { KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP, "KRB5KDC_ERR_ETYPE_NOSUPP" },
1216 { KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP, "KRB5KDC_ERR_SUMTYPE_NOSUPP" },
1217 { KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP, "KRB5KDC_ERR_PADATA_TYPE_NOSUPP" },
1218 { KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP, "KRB5KDC_ERR_TRTYPE_NOSUPP" },
1219 { KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED, "KRB5KDC_ERR_CLIENT_REVOKED" },
1220 { KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED, "KRB5KDC_ERR_SERVICE_REVOKED" },
1221 { KRB5_ET_KRB5KDC_ERR_TGT_REVOKED, "KRB5KDC_ERR_TGT_REVOKED" },
1222 { KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET, "KRB5KDC_ERR_CLIENT_NOTYET" },
1223 { KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET, "KRB5KDC_ERR_SERVICE_NOTYET" },
1224 { KRB5_ET_KRB5KDC_ERR_KEY_EXP, "KRB5KDC_ERR_KEY_EXP" },
1225 { KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED, "KRB5KDC_ERR_PREAUTH_FAILED" },
1226 { KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED, "KRB5KDC_ERR_PREAUTH_REQUIRED" },
1227 { KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH, "KRB5KDC_ERR_SERVER_NOMATCH" },
1228 { KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER, "KRB5KDC_ERR_MUST_USE_USER2USER" },
1229 { KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED, "KRB5KDC_ERR_PATH_NOT_ACCEPTED" },
1230 { KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE, "KRB5KDC_ERR_SVC_UNAVAILABLE" },
1231 { KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY, "KRB5KRB_AP_ERR_BAD_INTEGRITY" },
1232 { KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED, "KRB5KRB_AP_ERR_TKT_EXPIRED" },
1233 { KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV, "KRB5KRB_AP_ERR_TKT_NYV" },
1234 { KRB5_ET_KRB5KRB_AP_ERR_REPEAT, "KRB5KRB_AP_ERR_REPEAT" },
1235 { KRB5_ET_KRB5KRB_AP_ERR_NOT_US, "KRB5KRB_AP_ERR_NOT_US" },
1236 { KRB5_ET_KRB5KRB_AP_ERR_BADMATCH, "KRB5KRB_AP_ERR_BADMATCH" },
1237 { KRB5_ET_KRB5KRB_AP_ERR_SKEW, "KRB5KRB_AP_ERR_SKEW" },
1238 { KRB5_ET_KRB5KRB_AP_ERR_BADADDR, "KRB5KRB_AP_ERR_BADADDR" },
1239 { KRB5_ET_KRB5KRB_AP_ERR_BADVERSION, "KRB5KRB_AP_ERR_BADVERSION" },
1240 { KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE, "KRB5KRB_AP_ERR_MSG_TYPE" },
1241 { KRB5_ET_KRB5KRB_AP_ERR_MODIFIED, "KRB5KRB_AP_ERR_MODIFIED" },
1242 { KRB5_ET_KRB5KRB_AP_ERR_BADORDER, "KRB5KRB_AP_ERR_BADORDER" },
1243 { KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT, "KRB5KRB_AP_ERR_ILL_CR_TKT" },
1244 { KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER, "KRB5KRB_AP_ERR_BADKEYVER" },
1245 { KRB5_ET_KRB5KRB_AP_ERR_NOKEY, "KRB5KRB_AP_ERR_NOKEY" },
1246 { KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL, "KRB5KRB_AP_ERR_MUT_FAIL" },
1247 { KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION, "KRB5KRB_AP_ERR_BADDIRECTION" },
1248 { KRB5_ET_KRB5KRB_AP_ERR_METHOD, "KRB5KRB_AP_ERR_METHOD" },
1249 { KRB5_ET_KRB5KRB_AP_ERR_BADSEQ, "KRB5KRB_AP_ERR_BADSEQ" },
1250 { KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM, "KRB5KRB_AP_ERR_INAPP_CKSUM" },
1251 { KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED, "KRB5KDC_AP_PATH_NOT_ACCEPTED" },
1252 { KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG, "KRB5KRB_ERR_RESPONSE_TOO_BIG"},
1253 { KRB5_ET_KRB5KRB_ERR_GENERIC, "KRB5KRB_ERR_GENERIC" },
1254 { KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG, "KRB5KRB_ERR_FIELD_TOOLONG" },
1255 { KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED, "KDC_ERROR_CLIENT_NOT_TRUSTED" },
1256 { KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED, "KDC_ERROR_KDC_NOT_TRUSTED" },
1257 { KRB5_ET_KDC_ERROR_INVALID_SIG, "KDC_ERROR_INVALID_SIG" },
1258 { KRB5_ET_KDC_ERR_KEY_TOO_WEAK, "KDC_ERR_KEY_TOO_WEAK" },
1259 { KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH, "KDC_ERR_CERTIFICATE_MISMATCH" },
1260 { KRB5_ET_KRB_AP_ERR_NO_TGT, "KRB_AP_ERR_NO_TGT" },
1261 { KRB5_ET_KDC_ERR_WRONG_REALM, "KDC_ERR_WRONG_REALM" },
1262 { KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED, "KRB_AP_ERR_USER_TO_USER_REQUIRED" },
1263 { KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE, "KDC_ERR_CANT_VERIFY_CERTIFICATE" },
1264 { KRB5_ET_KDC_ERR_INVALID_CERTIFICATE, "KDC_ERR_INVALID_CERTIFICATE" },
1265 { KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE, "KDC_ERR_REVOKED_CERTIFICATE" },
1266 { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN, "KDC_ERR_REVOCATION_STATUS_UNKNOWN" },
1267 { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE, "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE" },
1268 { KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH, "KDC_ERR_CLIENT_NAME_MISMATCH" },
1269 { KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH, "KDC_ERR_KDC_NAME_MISMATCH" },
1274 #define PAC_LOGON_INFO 1
1275 #define PAC_CREDENTIAL_TYPE 2
1276 #define PAC_SERVER_CHECKSUM 6
1277 #define PAC_PRIVSVR_CHECKSUM 7
1278 #define PAC_CLIENT_INFO_TYPE 10
1279 #define PAC_S4U_DELEGATION_INFO 11
1280 #define PAC_UPN_DNS_INFO 12
1282 static const value_string w2k_pac_types[] = {
1283 { PAC_LOGON_INFO , "Logon Info" },
1284 { PAC_CREDENTIAL_TYPE , "Credential Type" },
1285 { PAC_SERVER_CHECKSUM , "Server Checksum" },
1286 { PAC_PRIVSVR_CHECKSUM , "Privsvr Checksum" },
1287 { PAC_CLIENT_INFO_TYPE , "Client Info Type" },
1288 { PAC_S4U_DELEGATION_INFO , "S4U Delegation Info" },
1289 { PAC_UPN_DNS_INFO , "UPN DNS Info" },
1295 static const value_string krb5_princ_types[] = {
1296 { KRB5_NT_UNKNOWN , "Unknown" },
1297 { KRB5_NT_PRINCIPAL , "Principal" },
1298 { KRB5_NT_SRV_INST , "Service and Instance" },
1299 { KRB5_NT_SRV_HST , "Service and Host" },
1300 { KRB5_NT_SRV_XHST , "Service and Host Components" },
1301 { KRB5_NT_UID , "Unique ID" },
1302 { KRB5_NT_X500_PRINCIPAL , "Encoded X.509 Distinguished Name" },
1303 { KRB5_NT_SMTP_NAME , "SMTP Name" },
1304 { KRB5_NT_ENTERPRISE , "Enterprise Name" },
1305 { KRB5_NT_MS_PRINCIPAL , "NT 4.0 style name (MS specific)" },
1306 { KRB5_NT_MS_PRINCIPAL_AND_SID , "NT 4.0 style name with SID (MS specific)"},
1307 { KRB5_NT_ENT_PRINCIPAL_AND_SID, "UPN and SID (MS specific)"},
1308 { KRB5_NT_PRINCIPAL_AND_SID , "Principal name and SID (MS specific)"},
1309 { KRB5_NT_SRV_INST_AND_SID , "SPN and SID (MS specific)"},
1313 static const value_string krb5_preauthentication_types[] = {
1314 { KRB5_PA_TGS_REQ , "PA-TGS-REQ" },
1315 { KRB5_PA_ENC_TIMESTAMP , "PA-ENC-TIMESTAMP" },
1316 { KRB5_PA_PW_SALT , "PA-PW-SALT" },
1317 { KRB5_PA_ENC_ENCKEY , "PA-ENC-ENCKEY" },
1318 { KRB5_PA_ENC_UNIX_TIME , "PA-ENC-UNIX-TIME" },
1319 { KRB5_PA_ENC_SANDIA_SECURID , "PA-PW-SALT" },
1320 { KRB5_PA_SESAME , "PA-SESAME" },
1321 { KRB5_PA_OSF_DCE , "PA-OSF-DCE" },
1322 { KRB5_PA_CYBERSAFE_SECUREID , "PA-CYBERSAFE-SECURID" },
1323 { KRB5_PA_AFS3_SALT , "PA-AFS3-SALT" },
1324 { KRB5_PA_ENCTYPE_INFO , "PA-ENCTYPE-INFO" },
1325 { KRB5_PA_ENCTYPE_INFO2 , "PA-ENCTYPE-INFO2" },
1326 { KRB5_PA_SAM_CHALLENGE , "PA-SAM-CHALLENGE" },
1327 { KRB5_PA_SAM_RESPONSE , "PA-SAM-RESPONSE" },
1328 { KRB5_PA_PK_AS_REQ , "PA-PK-AS-REQ" },
1329 { KRB5_PA_PK_AS_REP , "PA-PK-AS-REP" },
1330 { KRB5_PA_DASS , "PA-DASS" },
1331 { KRB5_PA_USE_SPECIFIED_KVNO , "PA-USE-SPECIFIED-KVNO" },
1332 { KRB5_PA_SAM_REDIRECT , "PA-SAM-REDIRECT" },
1333 { KRB5_PA_GET_FROM_TYPED_DATA , "PA-GET-FROM-TYPED-DATA" },
1334 { KRB5_PA_SAM_ETYPE_INFO , "PA-SAM-ETYPE-INFO" },
1335 { KRB5_PA_ALT_PRINC , "PA-ALT-PRINC" },
1336 { KRB5_PA_SAM_CHALLENGE2 , "PA-SAM-CHALLENGE2" },
1337 { KRB5_PA_SAM_RESPONSE2 , "PA-SAM-RESPONSE2" },
1338 { KRB5_TD_PKINIT_CMS_CERTIFICATES, "TD-PKINIT-CMS-CERTIFICATES" },
1339 { KRB5_TD_KRB_PRINCIPAL , "TD-KRB-PRINCIPAL" },
1340 { KRB5_TD_KRB_REALM , "TD-KRB-REALM" },
1341 { KRB5_TD_TRUSTED_CERTIFIERS , "TD-TRUSTED-CERTIFIERS" },
1342 { KRB5_TD_CERTIFICATE_INDEX , "TD-CERTIFICATE-INDEX" },
1343 { KRB5_TD_APP_DEFINED_ERROR , "TD-APP-DEFINED-ERROR" },
1344 { KRB5_TD_REQ_NONCE , "TD-REQ-NONCE" },
1345 { KRB5_TD_REQ_SEQ , "TD-REQ-SEQ" },
1346 { KRB5_PA_PAC_REQUEST , "PA-PAC-REQUEST" },
1347 { KRB5_PA_FOR_USER , "PA-FOR-USER" },
1348 { KRB5_PA_PROV_SRV_LOCATION , "PA-PROV-SRV-LOCATION" },
1352 static const value_string krb5_encryption_types[] = {
1353 { KRB5_ENCTYPE_NULL , "NULL" },
1354 { KRB5_ENCTYPE_DES_CBC_CRC , "des-cbc-crc" },
1355 { KRB5_ENCTYPE_DES_CBC_MD4 , "des-cbc-md4" },
1356 { KRB5_ENCTYPE_DES_CBC_MD5 , "des-cbc-md5" },
1357 { KRB5_ENCTYPE_DES_CBC_RAW , "des-cbc-raw" },
1358 { KRB5_ENCTYPE_DES3_CBC_SHA , "des3-cbc-sha" },
1359 { KRB5_ENCTYPE_DES3_CBC_RAW , "des3-cbc-raw" },
1360 { KRB5_ENCTYPE_DES_HMAC_SHA1 , "des-hmac-sha1" },
1361 { KRB5_ENCTYPE_DSA_SHA1_CMS , "dsa-sha1-cms" },
1362 { KRB5_ENCTYPE_RSA_MD5_CMS , "rsa-md5-cms" },
1363 { KRB5_ENCTYPE_RSA_SHA1_CMS , "rsa-sha1-cms" },
1364 { KRB5_ENCTYPE_RC2_CBC_ENV , "rc2-cbc-env" },
1365 { KRB5_ENCTYPE_RSA_ENV , "rsa-env" },
1366 { KRB5_ENCTYPE_RSA_ES_OEAP_ENV, "rsa-es-oeap-env" },
1367 { KRB5_ENCTYPE_DES_EDE3_CBC_ENV, "des-ede3-cbc-env" },
1368 { KRB5_ENCTYPE_DES3_CBC_SHA1 , "des3-cbc-sha1" },
1369 { KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 , "aes128-cts-hmac-sha1-96" },
1370 { KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 , "aes256-cts-hmac-sha1-96" },
1371 { KRB5_ENCTYPE_DES_CBC_MD5_NT , "des-cbc-md5-nt" },
1372 { KERB_ENCTYPE_RC4_HMAC , "rc4-hmac" },
1373 { KERB_ENCTYPE_RC4_HMAC_EXP , "rc4-hmac-exp" },
1374 { KRB5_ENCTYPE_UNKNOWN , "unknown" },
1375 { KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 , "local-des3-hmac-sha1" },
1376 { KRB5_ENCTYPE_RC4_PLAIN_EXP , "rc4-plain-exp" },
1377 { KRB5_ENCTYPE_RC4_PLAIN , "rc4-plain" },
1378 { KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP, "rc4-plain-old-exp" },
1379 { KRB5_ENCTYPE_RC4_HMAC_OLD_EXP, "rc4-hmac-old-exp" },
1380 { KRB5_ENCTYPE_RC4_PLAIN_OLD , "rc4-plain-old" },
1381 { KRB5_ENCTYPE_RC4_HMAC_OLD , "rc4-hmac-old" },
1382 { KRB5_ENCTYPE_DES_PLAIN , "des-plain" },
1383 { KRB5_ENCTYPE_RC4_SHA , "rc4-sha" },
1384 { KRB5_ENCTYPE_RC4_LM , "rc4-lm" },
1385 { KRB5_ENCTYPE_RC4_PLAIN2 , "rc4-plain2" },
1386 { KRB5_ENCTYPE_RC4_MD4 , "rc4-md4" },
1390 static const value_string krb5_checksum_types[] = {
1391 { KRB5_CHKSUM_NONE , "none" },
1392 { KRB5_CHKSUM_CRC32 , "crc32" },
1393 { KRB5_CHKSUM_MD4 , "md4" },
1394 { KRB5_CHKSUM_KRB_DES_MAC , "krb-des-mac" },
1395 { KRB5_CHKSUM_KRB_DES_MAC_K , "krb-des-mac-k" },
1396 { KRB5_CHKSUM_MD5 , "md5" },
1397 { KRB5_CHKSUM_MD5_DES , "md5-des" },
1398 { KRB5_CHKSUM_MD5_DES3 , "md5-des3" },
1399 { KRB5_CHKSUM_HMAC_SHA1_DES3_KD, "hmac-sha1-des3-kd" },
1400 { KRB5_CHKSUM_HMAC_SHA1_DES3 , "hmac-sha1-des3" },
1401 { KRB5_CHKSUM_SHA1_UNKEYED , "sha1 (unkeyed)" },
1402 { KRB5_CHKSUM_HMAC_MD5 , "hmac-md5" },
1403 { KRB5_CHKSUM_MD5_HMAC , "md5-hmac" },
1404 { KRB5_CHKSUM_RC4_MD5 , "rc5-md5" },
1405 { KRB5_CHKSUM_MD25 , "md25" },
1406 { KRB5_CHKSUM_DES_MAC_MD5 , "des-mac-md5" },
1407 { KRB5_CHKSUM_DES_MAC , "des-mac" },
1408 { KRB5_CHKSUM_REAL_CRC32 , "real-crc32" },
1409 { KRB5_CHKSUM_SHA1 , "sha1" },
1410 { KRB5_CHKSUM_LM , "lm" },
1411 { KRB5_CHKSUM_GSSAPI , "gssapi-8003" },
1415 #define KRB5_AD_IF_RELEVANT 1
1416 #define KRB5_AD_INTENDED_FOR_SERVER 2
1417 #define KRB5_AD_INTENDED_FOR_APPLICATION_CLASS 3
1418 #define KRB5_AD_KDC_ISSUED 4
1419 #define KRB5_AD_OR 5
1420 #define KRB5_AD_MANDATORY_TICKET_EXTENSIONS 6
1421 #define KRB5_AD_IN_TICKET_EXTENSIONS 7
1422 #define KRB5_AD_MANDATORY_FOR_KDC 8
1423 #define KRB5_AD_OSF_DCE 64
1424 #define KRB5_AD_SESAME 65
1425 #define KRB5_AD_OSF_DCE_PKI_CERTID 66
1426 #define KRB5_AD_WIN2K_PAC 128
1427 #define KRB5_AD_SIGNTICKET 0xffffffef
1429 static const value_string krb5_ad_types[] = {
1430 { KRB5_AD_IF_RELEVANT , "AD-IF-RELEVANT" },
1431 { KRB5_AD_INTENDED_FOR_SERVER , "AD-Intended-For-Server" },
1432 { KRB5_AD_INTENDED_FOR_APPLICATION_CLASS , "AD-Intended-For-Application-Class" },
1433 { KRB5_AD_KDC_ISSUED , "AD-KDCIssued" },
1434 { KRB5_AD_OR , "AD-AND-OR" },
1435 { KRB5_AD_MANDATORY_TICKET_EXTENSIONS , "AD-Mandatory-Ticket-Extensions" },
1436 { KRB5_AD_IN_TICKET_EXTENSIONS , "AD-IN-Ticket-Extensions" },
1437 { KRB5_AD_MANDATORY_FOR_KDC , "AD-MANDATORY-FOR-KDC" },
1438 { KRB5_AD_OSF_DCE , "AD-OSF-DCE" },
1439 { KRB5_AD_SESAME , "AD-SESAME" },
1440 { KRB5_AD_OSF_DCE_PKI_CERTID , "AD-OSF-DCE-PKI-CertID" },
1441 { KRB5_AD_WIN2K_PAC , "AD-Win2k-PAC" },
1442 { KRB5_AD_SIGNTICKET , "AD-SignTicket" },
1446 static const value_string krb5_transited_types[] = {
1447 { 1 , "DOMAIN-X500-COMPRESS" },
1451 static const value_string krb5_address_types[] = {
1452 { KRB5_ADDR_IPv4, "IPv4"},
1453 { KRB5_ADDR_CHAOS, "CHAOS"},
1454 { KRB5_ADDR_XEROX, "XEROX"},
1455 { KRB5_ADDR_ISO, "ISO"},
1456 { KRB5_ADDR_DECNET, "DECNET"},
1457 { KRB5_ADDR_APPLETALK, "APPLETALK"},
1458 { KRB5_ADDR_NETBIOS, "NETBIOS"},
1459 { KRB5_ADDR_IPv6, "IPv6"},
1463 static const value_string krb5_msg_types[] = {
1464 { KRB5_MSG_TICKET, "Ticket" },
1465 { KRB5_MSG_AUTHENTICATOR, "Authenticator" },
1466 { KRB5_MSG_ENC_TICKET_PART, "EncTicketPart" },
1467 { KRB5_MSG_TGS_REQ, "TGS-REQ" },
1468 { KRB5_MSG_TGS_REP, "TGS-REP" },
1469 { KRB5_MSG_AS_REQ, "AS-REQ" },
1470 { KRB5_MSG_AS_REP, "AS-REP" },
1471 { KRB5_MSG_AP_REQ, "AP-REQ" },
1472 { KRB5_MSG_AP_REP, "AP-REP" },
1473 { KRB5_MSG_SAFE, "KRB-SAFE" },
1474 { KRB5_MSG_PRIV, "KRB-PRIV" },
1475 { KRB5_MSG_CRED, "KRB-CRED" },
1476 { KRB5_MSG_ENC_AS_REP_PART, "EncASRepPart" },
1477 { KRB5_MSG_ENC_TGS_REP_PART, "EncTGSRepPart" },
1478 { KRB5_MSG_ENC_AP_REP_PART, "EncAPRepPart" },
1479 { KRB5_MSG_ENC_KRB_PRIV_PART, "EncKrbPrivPart" },
1480 { KRB5_MSG_ENC_KRB_CRED_PART, "EncKrbCredPart" },
1481 { KRB5_MSG_ERROR, "KRB-ERROR" },
1488 static int dissect_krb5_application_choice(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1489 static int dissect_krb5_Application_1(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1490 static int dissect_krb5_Authenticator(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1491 static int dissect_krb5_EncTicketPart(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1492 static int dissect_krb5_EncAPRepPart(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1493 static int dissect_krb5_EncKrbPrivPart(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1494 static int dissect_krb5_EncKrbCredPart(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1495 static int dissect_krb5_EncKDCRepPart(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1496 static int dissect_krb5_KDC_REQ(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1497 static int dissect_krb5_KDC_REP(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1498 static int dissect_krb5_AP_REQ(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1499 static int dissect_krb5_AP_REP(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1500 static int dissect_krb5_SAFE(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1501 static int dissect_krb5_PRIV(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1502 static int dissect_krb5_CRED(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1503 static int dissect_krb5_ERROR(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
1505 static const ber_old_choice_t kerberos_applications_choice[] = {
1506 { KRB5_MSG_TICKET, BER_CLASS_APP, KRB5_MSG_TICKET, 0, dissect_krb5_Application_1 },
1507 { KRB5_MSG_AUTHENTICATOR, BER_CLASS_APP, KRB5_MSG_AUTHENTICATOR, 0, dissect_krb5_Authenticator },
1508 { KRB5_MSG_ENC_TICKET_PART, BER_CLASS_APP, KRB5_MSG_ENC_TICKET_PART, 0, dissect_krb5_EncTicketPart },
1509 { KRB5_MSG_AS_REQ, BER_CLASS_APP, KRB5_MSG_AS_REQ, 0, dissect_krb5_KDC_REQ },
1510 { KRB5_MSG_AS_REP, BER_CLASS_APP, KRB5_MSG_AS_REP, 0, dissect_krb5_KDC_REP },
1511 { KRB5_MSG_TGS_REQ, BER_CLASS_APP, KRB5_MSG_TGS_REQ, 0, dissect_krb5_KDC_REQ },
1512 { KRB5_MSG_TGS_REP, BER_CLASS_APP, KRB5_MSG_TGS_REP, 0, dissect_krb5_KDC_REP },
1513 { KRB5_MSG_AP_REQ, BER_CLASS_APP, KRB5_MSG_AP_REQ, 0, dissect_krb5_AP_REQ },
1514 { KRB5_MSG_AP_REP, BER_CLASS_APP, KRB5_MSG_AP_REP, 0, dissect_krb5_AP_REP },
1515 { KRB5_MSG_ENC_AS_REP_PART, BER_CLASS_APP, KRB5_MSG_ENC_AS_REP_PART, 0, dissect_krb5_EncKDCRepPart },
1516 { KRB5_MSG_ENC_TGS_REP_PART, BER_CLASS_APP, KRB5_MSG_ENC_TGS_REP_PART, 0, dissect_krb5_EncKDCRepPart },
1517 { KRB5_MSG_ENC_AP_REP_PART, BER_CLASS_APP, KRB5_MSG_ENC_AP_REP_PART, 0, dissect_krb5_EncAPRepPart },
1518 { KRB5_MSG_ENC_KRB_PRIV_PART, BER_CLASS_APP, KRB5_MSG_ENC_KRB_PRIV_PART, 0, dissect_krb5_EncKrbPrivPart },
1519 { KRB5_MSG_ENC_KRB_CRED_PART, BER_CLASS_APP, KRB5_MSG_ENC_KRB_CRED_PART, 0, dissect_krb5_EncKrbCredPart },
1520 { KRB5_MSG_SAFE, BER_CLASS_APP, KRB5_MSG_SAFE, 0, dissect_krb5_SAFE },
1521 { KRB5_MSG_PRIV, BER_CLASS_APP, KRB5_MSG_PRIV, 0, dissect_krb5_PRIV },
1522 { KRB5_MSG_CRED, BER_CLASS_APP, KRB5_MSG_CRED, 0, dissect_krb5_CRED },
1523 { KRB5_MSG_ERROR, BER_CLASS_APP, KRB5_MSG_ERROR, 0, dissect_krb5_ERROR },
1524 { 0, 0, 0, 0, NULL }
1529 dissect_krb5_application_choice(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1531 offset=dissect_ber_old_choice(actx, tree, tvb, offset, kerberos_applications_choice, -1, -1, NULL);
1535 static const true_false_string krb5_apoptions_reserved = {
1539 static const true_false_string krb5_apoptions_use_session_key = {
1540 "USE SESSION KEY to encrypt the ticket",
1541 "Do NOT use the session key to encrypt the ticket"
1543 static const true_false_string krb5_apoptions_mutual_required = {
1544 "MUTUAL authentication is REQUIRED",
1545 "Mutual authentication is NOT required"
1548 static int *APOptions_bits[] = {
1549 &hf_krb_APOptions_reserved,
1550 &hf_krb_APOptions_use_session_key,
1551 &hf_krb_APOptions_mutual_required,
1555 dissect_krb5_APOptions(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1557 offset=dissect_ber_bitstring32(FALSE, actx, tree, tvb, offset, APOptions_bits, hf_krb_APOptions, ett_krb_AP_Options, NULL);
1563 static const true_false_string krb5_kdcoptions_forwardable = {
1564 "FORWARDABLE tickets are allowed/requested",
1565 "Do NOT use forwardable tickets"
1567 static const true_false_string krb5_kdcoptions_forwarded = {
1568 "This ticket has been FORWARDED",
1569 "This is NOT a forwarded ticket"
1571 static const true_false_string krb5_kdcoptions_proxiable = {
1572 "PROXIABLE tickets are allowed/requested",
1573 "Do NOT use proxiable tickets"
1575 static const true_false_string krb5_kdcoptions_proxy = {
1576 "This is a PROXY ticket",
1577 "This ticket has NOT been proxied"
1579 static const true_false_string krb5_kdcoptions_allow_postdate = {
1580 "We allow the ticket to be POSTDATED",
1581 "We do NOT allow the ticket to be postdated"
1583 static const true_false_string krb5_kdcoptions_postdated = {
1584 "This ticket is POSTDATED",
1585 "This ticket is NOT postdated"
1587 static const true_false_string krb5_kdcoptions_renewable = {
1588 "This ticket is RENEWABLE",
1589 "This ticket is NOT renewable"
1591 static const true_false_string krb5_kdcoptions_constrained_delegation = {
1592 "This is a request for a CONSTRAINED DELEGATION PAC",
1593 "This is a normal request (no constrained delegation)"
1595 static const true_false_string krb5_kdcoptions_canonicalize = {
1596 "This is a request for a CANONICALIZED ticket",
1597 "This is NOT a canonicalized ticket request"
1599 static const true_false_string krb5_kdcoptions_disable_transited_check = {
1600 "Transited checking is DISABLED",
1601 "Transited checking is NOT disabled"
1603 static const true_false_string krb5_kdcoptions_renewable_ok = {
1604 "We accept RENEWED tickets",
1605 "We do NOT accept renewed tickets"
1607 static const true_false_string krb5_kdcoptions_enc_tkt_in_skey = {
1608 "ENCrypt TKT in SKEY",
1609 "Do NOT encrypt the tkt using the skey"
1611 static const true_false_string krb5_kdcoptions_renew = {
1612 "This is a request to RENEW a ticket",
1613 "This is NOT a request to renew a ticket"
1615 static const true_false_string krb5_kdcoptions_validate = {
1616 "This is a request to VALIDATE a postdated ticket",
1617 "This is NOT a request to validate a postdated ticket"
1620 static int* KDCOptions_bits[] = {
1621 &hf_krb_KDCOptions_forwardable,
1622 &hf_krb_KDCOptions_forwarded,
1623 &hf_krb_KDCOptions_proxiable,
1624 &hf_krb_KDCOptions_proxy,
1625 &hf_krb_KDCOptions_allow_postdate,
1626 &hf_krb_KDCOptions_postdated,
1627 &hf_krb_KDCOptions_renewable,
1628 &hf_krb_KDCOptions_opt_hardware_auth,
1629 &hf_krb_KDCOptions_constrained_delegation,
1630 &hf_krb_KDCOptions_canonicalize,
1631 &hf_krb_KDCOptions_disable_transited_check,
1632 &hf_krb_KDCOptions_renewable_ok,
1633 &hf_krb_KDCOptions_enc_tkt_in_skey,
1634 &hf_krb_KDCOptions_renew,
1635 &hf_krb_KDCOptions_validate,
1640 dissect_krb5_KDCOptions(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1642 offset=dissect_ber_bitstring32(FALSE, actx, tree, tvb, offset, KDCOptions_bits, hf_krb_KDCOptions, ett_krb_KDC_Options, NULL);
1647 dissect_krb5_rtime(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1649 offset=dissect_ber_GeneralizedTime(FALSE, actx, tree, tvb, offset, hf_krb_rtime);
1654 dissect_krb5_ctime(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1656 offset=dissect_ber_GeneralizedTime(FALSE, actx, tree, tvb, offset, hf_krb_ctime);
1660 dissect_krb5_cusec(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1662 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_cusec, NULL);
1667 dissect_krb5_stime(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1669 offset=dissect_ber_GeneralizedTime(FALSE, actx, tree, tvb, offset, hf_krb_stime);
1673 dissect_krb5_susec(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1675 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_susec, NULL);
1681 dissect_krb5_error_code(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1683 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_error_code, &krb5_errorcode);
1684 if(krb5_errorcode) {
1685 col_add_fstr(actx->pinfo->cinfo, COL_INFO,
1687 val_to_str(krb5_errorcode, krb5_error_codes,
1688 "Unknown error code %#x"));
1696 dissect_krb5_till(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1698 offset=dissect_ber_GeneralizedTime(FALSE, actx, tree, tvb, offset, hf_krb_till);
1702 dissect_krb5_from(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1704 offset=dissect_ber_GeneralizedTime(FALSE, actx, tree, tvb, offset, hf_krb_from);
1711 dissect_krb5_nonce(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1713 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_nonce, NULL);
1719 * etype[8] SEQUENCE OF INTEGER, -- EncryptionType,
1722 dissect_krb5_etype(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1726 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_etype, &etype);
1728 proto_item_append_text(tree, " %s",
1729 val_to_str(etype, krb5_encryption_types,
1734 static ber_old_sequence_t etype_sequence_of[1] = {
1735 { BER_CLASS_UNI, BER_UNI_TAG_INTEGER, BER_FLAGS_NOOWNTAG, dissect_krb5_etype },
1738 dissect_krb5_etype_sequence_of(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1740 offset=dissect_ber_old_sequence_of(FALSE, actx, tree, tvb, offset, etype_sequence_of, hf_krb_etypes, ett_krb_etypes);
1744 static guint32 authenticator_etype;
1746 dissect_krb5_authenticator_etype(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1748 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_etype, &authenticator_etype);
1750 proto_item_append_text(tree, " %s",
1751 val_to_str(authenticator_etype, krb5_encryption_types,
1756 static guint32 Ticket_etype;
1758 dissect_krb5_Ticket_etype(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1760 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_etype, &Ticket_etype);
1762 proto_item_append_text(tree, " %s",
1763 val_to_str(Ticket_etype, krb5_encryption_types,
1768 static guint32 AP_REP_etype;
1770 dissect_krb5_AP_REP_etype(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1772 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_etype, &AP_REP_etype);
1774 proto_item_append_text(tree, " %s",
1775 val_to_str(AP_REP_etype, krb5_encryption_types,
1780 static guint32 PA_ENC_TIMESTAMP_etype;
1782 dissect_krb5_PA_ENC_TIMESTAMP_etype(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1784 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_etype, &PA_ENC_TIMESTAMP_etype);
1786 proto_item_append_text(tree, " %s",
1787 val_to_str(PA_ENC_TIMESTAMP_etype, krb5_encryption_types,
1795 * HostAddress ::= SEQUENCE {
1796 * addr-type[0] INTEGER,
1797 * address[1] OCTET STRING
1800 static guint32 addr_type;
1801 static int dissect_krb5_addr_type(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1803 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_addr_type, &addr_type);
1807 #define ADDRESS_STR_BUFSIZ 256
1808 static int dissect_krb5_address(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1815 proto_item *it=NULL;
1817 /* read header and len for the octet string */
1818 offset=dissect_ber_identifier(actx->pinfo, tree, tvb, offset, &appclass, &pc, &tag);
1819 offset=dissect_ber_length(actx->pinfo, tree, tvb, offset, &len, NULL);
1821 address_str=(char *)wmem_alloc(wmem_packet_scope(), ADDRESS_STR_BUFSIZ);
1822 address_str[0]='\0';
1824 case KRB5_ADDR_IPv4:
1825 it=proto_tree_add_item(tree, hf_krb_address_ip, tvb, offset, 4, ENC_BIG_ENDIAN);
1826 g_snprintf(address_str,ADDRESS_STR_BUFSIZ,"%d.%d.%d.%d",tvb_get_guint8(tvb, offset),tvb_get_guint8(tvb, offset+1),tvb_get_guint8(tvb, offset+2),tvb_get_guint8(tvb, offset+3));
1828 case KRB5_ADDR_NETBIOS:
1830 char netbios_name[(NETBIOS_NAME_LEN - 1)*4 + 1];
1831 int netbios_name_type;
1832 int netbios_name_len = (NETBIOS_NAME_LEN - 1)*4 + 1;
1834 netbios_name_type = process_netbios_name(tvb_get_ptr(tvb, offset, 16), netbios_name, netbios_name_len);
1835 g_snprintf(address_str, ADDRESS_STR_BUFSIZ, "%s<%02x>", netbios_name, netbios_name_type);
1836 it=proto_tree_add_string_format(tree, hf_krb_address_netbios, tvb, offset, 16, netbios_name, "NetBIOS Name: %s (%s)", address_str, netbios_name_type_descr(netbios_name_type));
1839 case KRB5_ADDR_IPv6:
1840 it=proto_tree_add_item(tree, hf_krb_address_ipv6, tvb, offset, INET6_ADDRLEN, ENC_NA);
1841 g_snprintf(address_str, ADDRESS_STR_BUFSIZ, "%s", tvb_ip6_to_str(tvb, offset));
1844 proto_tree_add_text(tree, tvb, offset, len, "KRB Address: I don't know how to parse this type of address yet");
1848 /* push it up two levels in the decode pane */
1850 proto_item_append_text(proto_item_get_parent(it), " %s",address_str);
1851 proto_item_append_text(proto_item_get_parent_nth(it, 2), " %s",address_str);
1857 static ber_old_sequence_t HostAddress_sequence[] = {
1858 { BER_CLASS_CON, 0, 0, dissect_krb5_addr_type },
1859 { BER_CLASS_CON, 1, 0, dissect_krb5_address },
1863 dissect_krb5_HostAddress(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1866 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, HostAddress_sequence, hf_krb_HostAddress, ett_krb_HostAddress);
1871 dissect_krb5_s_address(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1874 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, HostAddress_sequence, hf_krb_s_address, ett_krb_s_address);
1880 dissect_krb5_r_address(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1883 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, HostAddress_sequence, hf_krb_r_address, ett_krb_r_address);
1889 * HostAddresses ::= SEQUENCE OF SEQUENCE {
1890 * addr-type[0] INTEGER,
1891 * address[1] OCTET STRING
1895 static ber_old_sequence_t HostAddresses_sequence_of[1] = {
1896 { BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_krb5_HostAddress },
1899 dissect_krb5_HostAddresses(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1901 offset=dissect_ber_old_sequence_of(FALSE, actx, tree, tvb, offset, HostAddresses_sequence_of, hf_krb_HostAddresses, ett_krb_HostAddresses);
1907 /* sequence of tickets */
1908 static ber_old_sequence_t sequence_of_tickets[1] = {
1909 { BER_CLASS_APP, 1, 0, dissect_krb5_Application_1},
1912 dissect_krb5_sq_tickets(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1914 offset=dissect_ber_old_sequence_of(FALSE, actx, tree, tvb, offset, sequence_of_tickets, hf_krb_sq_tickets, ett_krb_sq_tickets);
1920 dissect_krb5_msg_type(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1924 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_msg_type, &msgtype);
1926 if (gbl_do_col_info) {
1927 col_add_str(actx->pinfo->cinfo, COL_INFO,
1928 val_to_str(msgtype, krb5_msg_types,
1929 "Unknown msg type %#x"));
1931 gbl_do_col_info=FALSE;
1933 /* append the application type to the subtree */
1934 proto_item_append_text(tree, " %s", val_to_str(msgtype, krb5_msg_types, "Unknown:0x%x"));
1942 dissect_krb5_pvno(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1944 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_pvno, NULL);
1951 * PrincipalName ::= SEQUENCE {
1952 * name-type[0] INTEGER,
1953 * name-string[1] SEQUENCE OF GeneralString
1956 static guint32 name_type;
1958 dissect_krb5_name_type(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1960 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_name_type, &name_type);
1962 proto_item_append_text(tree, " (%s):",
1963 val_to_str(name_type, krb5_princ_types,
1968 static char name_string_separator;
1970 dissect_krb5_name_string(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1972 char name_string[256];
1974 offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_name_string, name_string, 255);
1976 proto_item_append_text(tree, "%c%s", name_string_separator, name_string);
1977 name_string_separator='/';
1982 static ber_old_sequence_t name_stringe_sequence_of[1] = {
1983 { BER_CLASS_UNI, BER_UNI_TAG_GeneralString, BER_FLAGS_NOOWNTAG, dissect_krb5_name_string },
1986 dissect_krb5_name_strings(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
1988 name_string_separator=' ';
1989 offset=dissect_ber_old_sequence_of(FALSE, actx, tree, tvb, offset, name_stringe_sequence_of, -1, -1);
1993 static ber_old_sequence_t PrincipalName_sequence[] = {
1994 { BER_CLASS_CON, 0, 0, dissect_krb5_name_type },
1995 { BER_CLASS_CON, 1, 0, dissect_krb5_name_strings },
1999 dissect_krb5_sname(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2002 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, PrincipalName_sequence, hf_krb_sname, ett_krb_sname);
2007 dissect_krb5_pname(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2010 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, PrincipalName_sequence, hf_krb_pname, ett_krb_pname);
2015 dissect_krb5_cname(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2018 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, PrincipalName_sequence, hf_krb_cname, ett_krb_cname);
2025 dissect_krb5_prealm(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2027 offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_prealm, NULL, 0);
2032 dissect_krb5_srealm(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2034 offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_srealm, NULL, 0);
2039 dissect_krb5_realm(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2041 offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_realm, NULL, 0);
2046 dissect_krb5_crealm(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2048 offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_crealm, NULL, 0);
2055 dissect_krb5_PA_PAC_REQUEST_flag(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2057 offset=dissect_ber_boolean(FALSE, actx, tree, tvb, offset, hf_krb_PA_PAC_REQUEST_flag, NULL);
2062 static ber_old_sequence_t PA_PAC_REQUEST_sequence[] = {
2063 { BER_CLASS_CON, 0, 0, dissect_krb5_PA_PAC_REQUEST_flag },
2067 dissect_krb5_PA_PAC_REQUEST(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2070 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, PA_PAC_REQUEST_sequence, -1, -1);
2076 dissect_krb5_s4u2self_auth(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2078 offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_s4u2self_auth, NULL, 0);
2082 static ber_old_sequence_t PA_FOR_USER_sequence[] = {
2083 { BER_CLASS_CON, 0, 0, dissect_krb5_cname },
2084 { BER_CLASS_CON, 1, 0, dissect_krb5_realm },
2085 { BER_CLASS_CON, 2, 0, dissect_krb5_Checksum },
2086 { BER_CLASS_CON, 3, 0, dissect_krb5_s4u2self_auth },
2091 dissect_krb5_PA_FOR_USER(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2093 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, PA_FOR_USER_sequence, -1, -1);
2099 dissect_krb5_PA_PROV_SRV_LOCATION(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2101 offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_provsrv_location, NULL, 0);
2109 dissect_krb5_kvno(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2111 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_kvno, NULL);
2119 dissect_krb5_seq_number(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2121 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_seq_number, NULL);
2129 dissect_krb5_patimestamp(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2131 offset=dissect_ber_GeneralizedTime(FALSE, actx, tree, tvb, offset, hf_krb_patimestamp);
2134 #ifdef HAVE_KERBEROS
2136 dissect_krb5_pausec(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2138 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_pausec, NULL);
2141 static const ber_old_sequence_t PA_ENC_TS_ENC_sequence[] = {
2142 { BER_CLASS_CON, 0, 0, dissect_krb5_patimestamp },
2143 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_krb5_pausec },
2147 dissect_krb5_decrypt_PA_ENC_TIMESTAMP (proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2149 guint8 *plaintext=NULL;
2152 length=tvb_length_remaining(tvb, offset);
2154 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
2156 * AS-REQ PA_ENC_TIMESTAMP are encrypted with usage
2162 next_tvb=tvb_new_subset_remaining(tvb, offset);
2163 plaintext=decrypt_krb5_data(tree, actx->pinfo, 1, next_tvb, PA_ENC_TIMESTAMP_etype, NULL);
2168 next_tvb = tvb_new_child_real_data(tvb, plaintext,
2171 tvb_set_free_cb(next_tvb, g_free);
2173 /* Add the decrypted data to the data source list. */
2174 add_new_data_source(actx->pinfo, next_tvb, "Decrypted Krb5");
2177 offset=dissect_ber_old_sequence(FALSE, actx, tree, next_tvb, 0, PA_ENC_TS_ENC_sequence, -1, -1);
2186 dissect_krb5_encrypted_PA_ENC_TIMESTAMP(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2188 #ifdef HAVE_KERBEROS
2189 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_PA_ENC_TIMESTAMP, dissect_krb5_decrypt_PA_ENC_TIMESTAMP);
2191 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_PA_ENC_TIMESTAMP, NULL);
2195 static ber_old_sequence_t PA_ENC_TIMESTAMP_sequence[] = {
2196 { BER_CLASS_CON, 0, 0,
2197 dissect_krb5_PA_ENC_TIMESTAMP_etype },
2198 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
2199 dissect_krb5_kvno },
2200 { BER_CLASS_CON, 2, 0,
2201 dissect_krb5_encrypted_PA_ENC_TIMESTAMP },
2205 dissect_krb5_PA_ENC_TIMESTAMP(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2207 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, PA_ENC_TIMESTAMP_sequence, -1, -1);
2215 dissect_krb5_etype_info_salt(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2217 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_krb_etype_info_salt, NULL);
2222 dissect_krb5_etype_info2_salt(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2224 offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_etype_info2_salt, NULL, 0);
2229 dissect_krb5_etype_info2_s2kparams(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2231 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_krb_etype_info2_s2kparams, NULL);
2235 static ber_old_sequence_t PA_ENCTYPE_INFO_ENTRY_sequence[] = {
2236 { BER_CLASS_CON, 0, 0,
2237 dissect_krb5_etype },
2238 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
2239 dissect_krb5_etype_info_salt },
2243 dissect_krb5_PA_ENCTYPE_INFO_ENTRY(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2245 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, PA_ENCTYPE_INFO_ENTRY_sequence, -1, -1);
2250 static ber_old_sequence_t PA_ENCTYPE_INFO_sequence_of[1] = {
2251 { BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_krb5_PA_ENCTYPE_INFO_ENTRY },
2254 dissect_krb5_PA_ENCTYPE_INFO(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2256 offset=dissect_ber_old_sequence_of(FALSE, actx, tree, tvb, offset, PA_ENCTYPE_INFO_sequence_of, -1, -1);
2261 static ber_old_sequence_t PA_ENCTYPE_INFO2_ENTRY_sequence[] = {
2262 { BER_CLASS_CON, 0, 0,
2263 dissect_krb5_etype },
2264 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
2265 dissect_krb5_etype_info2_salt },
2266 { BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL,
2267 dissect_krb5_etype_info2_s2kparams },
2271 dissect_krb5_PA_ENCTYPE_INFO2_ENTRY(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2273 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, PA_ENCTYPE_INFO2_ENTRY_sequence, -1, -1);
2278 static ber_old_sequence_t PA_ENCTYPE_INFO2_sequence_of[1] = {
2279 { BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_krb5_PA_ENCTYPE_INFO2_ENTRY },
2282 dissect_krb5_PA_ENCTYPE_INFO2(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2284 offset=dissect_ber_old_sequence_of(FALSE, actx, tree, tvb, offset, PA_ENCTYPE_INFO2_sequence_of, -1, -1);
2291 dissect_krb5_PW_SALT(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2295 /* Microsoft stores a special 12 byte blob here
2299 * decode everything as this blob for now until we see if anyone
2300 * else ever uses it or we learn how to tell whether this
2301 * is such an MS blob or not.
2303 proto_tree_add_item(tree, hf_krb_smb_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2304 nt_status=tvb_get_letohl(tvb, offset);
2306 col_append_fstr(actx->pinfo->cinfo, COL_INFO,
2308 val_to_str_ext(nt_status, &NT_errors_ext,
2309 "Unknown error code %#x"));
2313 proto_tree_add_item(tree, hf_krb_smb_unknown, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2316 proto_tree_add_item(tree, hf_krb_smb_unknown, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2323 * PA-DATA ::= SEQUENCE {
2324 * padata-type[1] INTEGER,
2325 * padata-value[2] OCTET STRING,
2326 * -- might be encoded AP-REQ
2329 static guint32 krb_PA_DATA_type;
2331 dissect_krb5_PA_DATA_type(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2333 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_PA_DATA_type, &krb_PA_DATA_type);
2336 proto_item_append_text(tree, " %s",
2337 val_to_str(krb_PA_DATA_type, krb5_preauthentication_types,
2343 dissect_krb5_PA_DATA_value(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2345 proto_tree *tree=parent_tree;
2347 if(actx->created_item){
2348 tree=proto_item_add_subtree(actx->created_item, ett_krb_PA_DATA_tree);
2352 switch(krb_PA_DATA_type){
2353 case KRB5_PA_TGS_REQ:
2354 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_application_choice);
2356 case KRB5_PA_PK_AS_REQ:
2357 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_pkinit_PA_PK_AS_REQ);
2359 case KRB5_PA_PK_AS_REP:
2360 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_pkinit_PA_PK_AS_REP);
2362 case KRB5_PA_PAC_REQUEST:
2363 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PA_PAC_REQUEST);
2365 case KRB5_PA_FOR_USER:
2366 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PA_FOR_USER);
2368 case KRB5_PA_PROV_SRV_LOCATION:
2369 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PA_PROV_SRV_LOCATION);
2371 case KRB5_PA_ENC_TIMESTAMP:
2372 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PA_ENC_TIMESTAMP);
2374 case KRB5_PA_ENCTYPE_INFO:
2375 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PA_ENCTYPE_INFO);
2377 case KRB5_PA_ENCTYPE_INFO2:
2378 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PA_ENCTYPE_INFO2);
2380 case KRB5_PA_PW_SALT:
2381 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PW_SALT);
2384 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset,hf_krb_PA_DATA_value, NULL);
2390 static ber_old_sequence_t PA_DATA_sequence[] = {
2391 { BER_CLASS_CON, 1, 0, dissect_krb5_PA_DATA_type },
2392 { BER_CLASS_CON, 2, 0, dissect_krb5_PA_DATA_value },
2396 dissect_krb5_PA_DATA(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2398 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, PA_DATA_sequence, -1, -1);
2407 * padata[3] SEQUENCE OF PA-DATA OPTIONAL,
2410 static ber_old_sequence_t PA_DATA_sequence_of[1] = {
2411 { BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_krb5_PA_DATA },
2414 dissect_krb5_padata(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2416 offset=dissect_ber_old_sequence_of(FALSE, actx, tree, tvb, offset, PA_DATA_sequence_of, hf_krb_padata, ett_krb_padata);
2423 static const true_false_string krb5_ticketflags_forwardable = {
2424 "FORWARDABLE tickets are allowed/requested",
2425 "Do NOT use forwardable tickets"
2427 static const true_false_string krb5_ticketflags_forwarded = {
2428 "This ticket has been FORWARDED",
2429 "This is NOT a forwarded ticket"
2431 static const true_false_string krb5_ticketflags_proxiable = {
2432 "PROXIABLE tickets are allowed/requested",
2433 "Do NOT use proxiable tickets"
2435 static const true_false_string krb5_ticketflags_proxy = {
2436 "This is a PROXY ticket",
2437 "This ticket has NOT been proxied"
2439 static const true_false_string krb5_ticketflags_allow_postdate = {
2440 "We allow the ticket to be POSTDATED",
2441 "We do NOT allow the ticket to be postdated"
2443 static const true_false_string krb5_ticketflags_postdated = {
2444 "This ticket is POSTDATED",
2445 "This ticket is NOT postdated"
2447 static const true_false_string krb5_ticketflags_invalid = {
2448 "This ticket is INVALID",
2449 "This ticket is NOT invalid"
2451 static const true_false_string krb5_ticketflags_renewable = {
2452 "This ticket is RENEWABLE",
2453 "This ticket is NOT renewable"
2455 static const true_false_string krb5_ticketflags_initial = {
2456 "This ticket was granted by AS and not TGT protocol",
2457 "This ticket was granted by TGT and not as protocol"
2459 static const true_false_string krb5_ticketflags_pre_auth = {
2460 "The client was PRE-AUTHenticated",
2461 "The client was NOT pre-authenticated"
2463 static const true_false_string krb5_ticketflags_hw_auth = {
2464 "The client was authenticated by HardWare",
2465 "The client was NOT authenticated using hardware"
2467 static const true_false_string krb5_ticketflags_transited_policy_checked = {
2468 "Kdc has performed TRANSITED POLICY CHECKING",
2469 "Kdc has NOT performed transited policy checking"
2471 static const true_false_string krb5_ticketflags_ok_as_delegate = {
2472 "This ticket is OK AS a DELEGATED ticket",
2473 "This ticket is NOT ok as a delegated ticket"
2476 static int* TicketFlags_bits[] = {
2477 &hf_krb_TicketFlags_forwardable,
2478 &hf_krb_TicketFlags_forwarded,
2479 &hf_krb_TicketFlags_proxiable,
2480 &hf_krb_TicketFlags_proxy,
2481 &hf_krb_TicketFlags_allow_postdate,
2482 &hf_krb_TicketFlags_postdated,
2483 &hf_krb_TicketFlags_invalid,
2484 &hf_krb_TicketFlags_renewable,
2485 &hf_krb_TicketFlags_initial,
2486 &hf_krb_TicketFlags_pre_auth,
2487 &hf_krb_TicketFlags_hw_auth,
2488 &hf_krb_TicketFlags_transited_policy_checked,
2489 &hf_krb_TicketFlags_ok_as_delegate,
2494 dissect_krb5_TicketFlags(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2496 offset=dissect_ber_bitstring32(FALSE, actx, tree, tvb, offset, TicketFlags_bits, hf_krb_TicketFlags, ett_krb_Ticket_Flags, NULL);
2501 static guint32 keytype;
2503 dissect_krb5_keytype(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2505 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_keytype, &keytype);
2507 proto_item_append_text(tree, " %s",
2508 val_to_str(keytype, krb5_encryption_types,
2513 static int keylength;
2514 static const guint8 *keyvalue;
2516 store_keyvalue(proto_tree *tree _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2518 keylength=tvb_length_remaining(tvb, offset);
2519 keyvalue=tvb_get_ptr(tvb, offset, keylength);
2523 dissect_krb5_keyvalue(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2525 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_keyvalue, store_keyvalue);
2531 * EncryptionKey ::= SEQUENCE {
2533 * keyvalue [1] octet string
2535 static ber_old_sequence_t EncryptionKey_sequence[] = {
2536 { BER_CLASS_CON, 0, 0,
2537 dissect_krb5_keytype },
2538 { BER_CLASS_CON, 1, 0,
2539 dissect_krb5_keyvalue },
2543 dissect_krb5_key(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2545 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, EncryptionKey_sequence, hf_krb_key, ett_krb_key);
2547 #ifdef HAVE_KERBEROS
2548 add_encryption_key(actx->pinfo, keytype, keylength, keyvalue, "key");
2553 dissect_krb5_subkey(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2555 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, EncryptionKey_sequence, hf_krb_subkey, ett_krb_subkey);
2556 #ifdef HAVE_KERBEROS
2557 add_encryption_key(actx->pinfo, keytype, keylength, keyvalue, "subkey");
2563 dissect_krb5_PAC_DREP(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint8 *drep)
2565 proto_item *item=NULL;
2566 proto_tree *tree=NULL;
2570 item=proto_tree_add_text(parent_tree, tvb, offset, 16, "DREP");
2571 tree=proto_item_add_subtree(item, ett_krb_PAC_DREP);
2574 val = tvb_get_guint8(tvb, offset);
2575 proto_tree_add_uint(tree, hf_dcerpc_drep_byteorder, tvb, offset, 1, val>>4);
2586 /* This might be some sort of header that MIDL generates when creating
2587 * marshalling/unmarshalling code for blobs that are not to be transported
2588 * ontop of DCERPC and where the DREP fields specifying things such as
2589 * endianess and similar are not available.
2592 dissect_krb5_PAC_NDRHEADERBLOB(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint8 *drep, asn1_ctx_t *actx _U_)
2594 proto_item *item=NULL;
2595 proto_tree *tree=NULL;
2598 item=proto_tree_add_text(parent_tree, tvb, offset, 16, "MES header");
2599 tree=proto_item_add_subtree(item, ett_krb_PAC_MIDL_BLOB);
2602 /* modified DREP field that is used for stuff that is transporetd ontop
2605 proto_tree_add_item(tree, hf_krb_midl_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2608 offset = dissect_krb5_PAC_DREP(tree, tvb, offset, drep);
2611 proto_tree_add_item(tree, hf_krb_midl_hdr_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2614 proto_tree_add_item(tree, hf_krb_midl_fill_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2617 /* length of blob that follows */
2618 proto_tree_add_item(tree, hf_krb_midl_blob_len, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2625 dissect_krb5_PAC_LOGON_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2627 proto_item *item=NULL;
2628 proto_tree *tree=NULL;
2629 guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
2630 static dcerpc_info di; /* fake dcerpc_info struct */
2631 static dcerpc_call_value call_data;
2633 item=proto_tree_add_item(parent_tree, hf_krb_PAC_LOGON_INFO, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
2635 tree=proto_item_add_subtree(item, ett_krb_PAC_LOGON_INFO);
2638 /* skip the first 16 bytes, they are some magic created by the idl
2639 * compiler the first 4 bytes might be flags?
2641 offset=dissect_krb5_PAC_NDRHEADERBLOB(tree, tvb, offset, &drep[0], actx);
2643 /* the PAC_LOGON_INFO blob */
2644 /* fake whatever state the dcerpc runtime support needs */
2645 di.conformant_run=0;
2646 /* we need di->call_data->flags.NDR64 == 0 */
2647 di.call_data=&call_data;
2648 di.dcerpc_procedure_name = "";
2650 init_ndr_pointer_list(&di);
2651 offset = dissect_ndr_pointer(tvb, offset, actx->pinfo, tree, &di, drep,
2652 netlogon_dissect_PAC_LOGON_INFO, NDR_POINTER_UNIQUE,
2653 "PAC_LOGON_INFO:", -1);
2658 dissect_krb5_PAC_S4U_DELEGATION_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2660 proto_item *item=NULL;
2661 proto_tree *tree=NULL;
2662 guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
2663 static dcerpc_info di; /* fake dcerpc_info struct */
2664 static dcerpc_call_value call_data;
2666 item=proto_tree_add_item(parent_tree, hf_krb_PAC_S4U_DELEGATION_INFO, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
2668 tree=proto_item_add_subtree(item, ett_krb_PAC_S4U_DELEGATION_INFO);
2671 /* skip the first 16 bytes, they are some magic created by the idl
2672 * compiler the first 4 bytes might be flags?
2674 offset=dissect_krb5_PAC_NDRHEADERBLOB(tree, tvb, offset, &drep[0], actx);
2677 /* the S4U_DELEGATION_INFO blob. See [MS-PAC] */
2678 /* fake whatever state the dcerpc runtime support needs */
2679 di.conformant_run=0;
2680 /* we need di->call_data->flags.NDR64 == 0 */
2681 di.call_data=&call_data;
2682 di.dcerpc_procedure_name = "";
2684 init_ndr_pointer_list(&di);
2685 offset = dissect_ndr_pointer(tvb, offset, actx->pinfo, tree, &di, drep,
2686 netlogon_dissect_PAC_S4U_DELEGATION_INFO, NDR_POINTER_UNIQUE,
2687 "PAC_S4U_DELEGATION_INFO:", -1);
2693 dissect_krb5_PAC_UPN_DNS_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2695 proto_item *item=NULL;
2696 proto_tree *tree=NULL;
2697 guint16 dns_offset, dns_len;
2698 guint16 upn_offset, upn_len;
2703 item=proto_tree_add_item(parent_tree, hf_krb_PAC_UPN_DNS_INFO, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
2705 tree=proto_item_add_subtree(item, ett_krb_PAC_UPN_DNS_INFO);
2709 upn_len = tvb_get_letohs(tvb, offset);
2710 proto_tree_add_item(tree, hf_krb_pac_upn_upn_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2712 upn_offset = tvb_get_letohs(tvb, offset);
2713 proto_tree_add_item(tree, hf_krb_pac_upn_upn_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2717 dns_len = tvb_get_letohs(tvb, offset);
2718 proto_tree_add_item(tree, hf_krb_pac_upn_dns_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2720 dns_offset = tvb_get_letohs(tvb, offset);
2721 proto_tree_add_item(tree, hf_krb_pac_upn_dns_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2725 proto_tree_add_item(tree, hf_krb_pac_upn_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2728 offset = upn_offset;
2730 bc = tvb_length_remaining(tvb, offset);
2731 dn = get_unicode_or_ascii_string(tvb, &offset,
2732 TRUE, &dn_len, TRUE, TRUE, &bc);
2733 proto_tree_add_string(tree, hf_krb_pac_upn_upn_name, tvb, upn_offset, upn_len, dn);
2736 offset = dns_offset;
2738 bc = tvb_length_remaining(tvb, offset);
2739 dn = get_unicode_or_ascii_string(tvb, &offset,
2740 TRUE, &dn_len, TRUE, TRUE, &bc);
2741 proto_tree_add_string(tree, hf_krb_pac_upn_dns_name, tvb, dns_offset, dns_len, dn);
2747 dissect_krb5_PAC_CREDENTIAL_TYPE(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2749 proto_tree_add_item(parent_tree, hf_krb_PAC_CREDENTIAL_TYPE, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
2756 dissect_krb5_PAC_SERVER_CHECKSUM(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2758 proto_item *item=NULL;
2759 proto_tree *tree=NULL;
2761 item=proto_tree_add_item(parent_tree, hf_krb_PAC_SERVER_CHECKSUM, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
2763 tree=proto_item_add_subtree(item, ett_krb_PAC_SERVER_CHECKSUM);
2766 /* signature type */
2767 proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2770 /* signature data */
2771 proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
2777 dissect_krb5_PAC_PRIVSVR_CHECKSUM(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2779 proto_item *item=NULL;
2780 proto_tree *tree=NULL;
2782 item=proto_tree_add_item(parent_tree, hf_krb_PAC_PRIVSVR_CHECKSUM, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
2784 tree=proto_item_add_subtree(item, ett_krb_PAC_PRIVSVR_CHECKSUM);
2787 /* signature type */
2788 proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2791 /* signature data */
2792 proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
2799 dissect_krb5_PAC_CLIENT_INFO_TYPE(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2801 proto_item *item=NULL;
2802 proto_tree *tree=NULL;
2805 item=proto_tree_add_item(parent_tree, hf_krb_PAC_CLIENT_INFO_TYPE, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
2807 tree=proto_item_add_subtree(item, ett_krb_PAC_CLIENT_INFO_TYPE);
2811 offset = dissect_nt_64bit_time(tvb, tree, offset,
2812 hf_krb_pac_clientid);
2815 namelen=tvb_get_letohs(tvb, offset);
2816 proto_tree_add_uint(tree, hf_krb_pac_namelen, tvb, offset, 2, namelen);
2820 proto_tree_add_item(tree, hf_krb_pac_clientname, tvb, offset, namelen, ENC_UTF_16|ENC_LITTLE_ENDIAN);
2827 dissect_krb5_AD_WIN2K_PAC_struct(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2832 proto_item *it=NULL;
2833 proto_tree *tr=NULL;
2836 /* type of pac data */
2837 pac_type=tvb_get_letohl(tvb, offset);
2838 it=proto_tree_add_uint(tree, hf_krb_w2k_pac_type, tvb, offset, 4, pac_type);
2840 tr=proto_item_add_subtree(it, ett_krb_PAC);
2845 /* size of pac data */
2846 pac_size=tvb_get_letohl(tvb, offset);
2847 proto_tree_add_uint(tr, hf_krb_w2k_pac_size, tvb, offset, 4, pac_size);
2850 /* offset to pac data */
2851 pac_offset=tvb_get_letohl(tvb, offset);
2852 proto_tree_add_uint(tr, hf_krb_w2k_pac_offset, tvb, offset, 4, pac_offset);
2856 next_tvb=tvb_new_subset(tvb, pac_offset, pac_size, pac_size);
2858 case PAC_LOGON_INFO:
2859 dissect_krb5_PAC_LOGON_INFO(tr, next_tvb, 0, actx);
2861 case PAC_CREDENTIAL_TYPE:
2862 dissect_krb5_PAC_CREDENTIAL_TYPE(tr, next_tvb, 0, actx);
2864 case PAC_SERVER_CHECKSUM:
2865 dissect_krb5_PAC_SERVER_CHECKSUM(tr, next_tvb, 0, actx);
2867 case PAC_PRIVSVR_CHECKSUM:
2868 dissect_krb5_PAC_PRIVSVR_CHECKSUM(tr, next_tvb, 0, actx);
2870 case PAC_CLIENT_INFO_TYPE:
2871 dissect_krb5_PAC_CLIENT_INFO_TYPE(tr, next_tvb, 0, actx);
2873 case PAC_S4U_DELEGATION_INFO:
2874 dissect_krb5_PAC_S4U_DELEGATION_INFO(tr, next_tvb, 0, actx);
2876 case PAC_UPN_DNS_INFO:
2877 dissect_krb5_PAC_UPN_DNS_INFO(tr, next_tvb, 0, actx);
2887 dissect_krb5_AD_WIN2K_PAC(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2893 /* first in the PAC structure comes the number of entries */
2894 entries=tvb_get_letohl(tvb, offset);
2895 proto_tree_add_uint(tree, hf_krb_w2k_pac_entries, tvb, offset, 4, entries);
2898 /* second comes the version */
2899 version=tvb_get_letohl(tvb, offset);
2900 proto_tree_add_uint(tree, hf_krb_w2k_pac_version, tvb, offset, 4, version);
2903 for(i=0;i<entries;i++){
2904 offset=dissect_krb5_AD_WIN2K_PAC_struct(tree, tvb, offset, actx);
2911 static ber_old_sequence_t AD_SIGNTICKET_sequence[] = {
2912 { BER_CLASS_CON, 0, 0,
2913 dissect_krb5_etype },
2914 { BER_CLASS_CON, 1, 0,
2915 dissect_krb5_Checksum },
2919 /* first seen in traces from vista */
2921 dissect_krb5_AD_SIGNTICKET(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
2923 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, AD_SIGNTICKET_sequence, -1, -1);
2928 static guint32 IF_RELEVANT_type;
2930 dissect_krb5_IF_RELEVANT_type(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2932 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_IF_RELEVANT_type, &IF_RELEVANT_type);
2934 proto_item_append_text(tree, " %s",
2935 val_to_str(IF_RELEVANT_type, krb5_ad_types,
2941 dissect_krb5_IF_RELEVANT_value(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2943 switch(IF_RELEVANT_type){
2944 case KRB5_AD_WIN2K_PAC:
2945 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_advalue, dissect_krb5_AD_WIN2K_PAC);
2947 case KRB5_AD_SIGNTICKET:
2948 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_advalue, dissect_krb5_AD_SIGNTICKET);
2951 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_krb_IF_RELEVANT_value, NULL);
2955 static ber_old_sequence_t IF_RELEVANT_item_sequence[] = {
2956 { BER_CLASS_CON, 0, 0,
2957 dissect_krb5_IF_RELEVANT_type },
2958 { BER_CLASS_CON, 1, 0,
2959 dissect_krb5_IF_RELEVANT_value },
2963 dissect_krb5_IF_RELEVANT_item(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2965 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, IF_RELEVANT_item_sequence, hf_krb_IF_RELEVANT, ett_krb_IF_RELEVANT);
2970 static ber_old_sequence_t IF_RELEVANT_sequence_of[1] = {
2971 { BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_krb5_IF_RELEVANT_item },
2975 dissect_krb5_IF_RELEVANT(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2977 offset=dissect_ber_old_sequence_of(FALSE, actx, tree, tvb, offset, IF_RELEVANT_sequence_of, -1, -1);
2982 static guint32 adtype;
2984 dissect_krb5_adtype(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2986 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_adtype, &adtype);
2988 proto_item_append_text(tree, " %s",
2989 val_to_str(adtype, krb5_ad_types,
2995 dissect_krb5_advalue(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
2998 case KRB5_AD_IF_RELEVANT:
2999 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_advalue, dissect_krb5_IF_RELEVANT);
3002 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_krb_advalue, NULL);
3007 * AuthorizationData ::= SEQUENCE {
3009 * ad-data [1] octet string
3011 static ber_old_sequence_t AuthorizationData_item_sequence[] = {
3012 { BER_CLASS_CON, 0, 0,
3013 dissect_krb5_adtype },
3014 { BER_CLASS_CON, 1, 0,
3015 dissect_krb5_advalue },
3019 dissect_krb5_AuthorizationData_item(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3021 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, AuthorizationData_item_sequence, hf_krb_AuthorizationData, ett_krb_AuthorizationData);
3026 static ber_old_sequence_t AuthorizationData_sequence_of[1] = {
3027 { BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_krb5_AuthorizationData_item },
3030 dissect_krb5_AuthorizationData(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3032 offset=dissect_ber_old_sequence_of(FALSE, actx, tree, tvb, offset, AuthorizationData_sequence_of, -1, -1);
3039 dissect_krb5_transited_type(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3043 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_transitedtype, &trtype);
3045 proto_item_append_text(tree, " %s",
3046 val_to_str(trtype, krb5_transited_types,
3053 dissect_krb5_transited_contents(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3055 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_krb_transitedcontents, NULL);
3060 * TransitedEncoding ::= SEQUENCE {
3062 * contents [1] octet string
3064 static ber_old_sequence_t TransitedEncoding_sequence[] = {
3065 { BER_CLASS_CON, 0, 0,
3066 dissect_krb5_transited_type },
3067 { BER_CLASS_CON, 1, 0,
3068 dissect_krb5_transited_contents },
3072 dissect_krb5_transited(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3074 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, TransitedEncoding_sequence, hf_krb_TransitedEncoding, ett_krb_TransitedEncoding);
3081 dissect_krb5_authtime(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3083 offset=dissect_ber_GeneralizedTime(FALSE, actx, tree, tvb, offset, hf_krb_authtime);
3087 dissect_krb5_starttime(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3089 offset=dissect_ber_GeneralizedTime(FALSE, actx, tree, tvb, offset, hf_krb_starttime);
3093 dissect_krb5_endtime(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3095 offset=dissect_ber_GeneralizedTime(FALSE, actx, tree, tvb, offset, hf_krb_endtime);
3099 dissect_krb5_renew_till(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3101 offset=dissect_ber_GeneralizedTime(FALSE, actx, tree, tvb, offset, hf_krb_renew_till);
3106 * EncTicketPart ::= SEQUENCE {
3107 * flags [0] TicketFlags,
3108 * key [1] EncryptionKey,
3110 * cname [3] PrincipalName,
3111 * transited [4] TransitedEncoding,
3112 * authtime [5] KerberosTime,
3113 * starttime [6] KerberosTime OPTIONAL,
3114 * endtime [7] KerberosTime,
3115 * renew-till [8] KerberosTime OPTIONAL,
3116 * caddr [9] HostAddresses OPTIONAL,
3117 * authorization-data [10] AuthorizationData OPTIONAL
3120 static ber_old_sequence_t EncTicketPart_sequence[] = {
3121 { BER_CLASS_CON, 0, 0,
3122 dissect_krb5_TicketFlags },
3123 { BER_CLASS_CON, 1, 0,
3125 { BER_CLASS_CON, 2, 0,
3126 dissect_krb5_crealm },
3127 { BER_CLASS_CON, 3, 0,
3128 dissect_krb5_cname },
3129 { BER_CLASS_CON, 4, 0,
3130 dissect_krb5_transited },
3131 { BER_CLASS_CON, 5, 0,
3132 dissect_krb5_authtime },
3133 { BER_CLASS_CON, 6, BER_FLAGS_OPTIONAL,
3134 dissect_krb5_starttime },
3135 { BER_CLASS_CON, 7, 0,
3136 dissect_krb5_endtime },
3137 { BER_CLASS_CON, 8, BER_FLAGS_OPTIONAL,
3138 dissect_krb5_renew_till },
3139 { BER_CLASS_CON, 9, BER_FLAGS_OPTIONAL,
3140 dissect_krb5_HostAddresses },
3141 { BER_CLASS_CON, 10, BER_FLAGS_OPTIONAL,
3142 dissect_krb5_AuthorizationData },
3146 dissect_krb5_EncTicketPart(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3148 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, EncTicketPart_sequence, hf_krb_EncTicketPart, ett_krb_EncTicketPart);
3159 * EncAPRepPart ::= SEQUENCE {
3160 * ctime [0] KerberosTime
3161 * cusec [1] Microseconds
3162 * subkey [2] encryptionKey OPTIONAL
3163 * seq-number [3] uint32 OPTIONAL
3166 static ber_old_sequence_t EncAPRepPart_sequence[] = {
3167 { BER_CLASS_CON, 0, 0,
3168 dissect_krb5_ctime },
3169 { BER_CLASS_CON, 1, 0,
3170 dissect_krb5_cusec },
3171 { BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL,
3172 dissect_krb5_subkey },
3173 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
3174 dissect_krb5_seq_number },
3178 dissect_krb5_EncAPRepPart(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3180 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, EncAPRepPart_sequence, hf_krb_EncAPRepPart, ett_krb_EncAPRepPart);
3187 static guint32 lr_type;
3188 static const value_string krb5_lr_types[] = {
3189 { 0 , "No information available" },
3190 { 1 , "Time of last initial TGT request" },
3191 { 2 , "Time of last initial request" },
3192 { 3 , "Time of issue of latest TGT ticket" },
3193 { 4 , "Time of last renewal" },
3194 { 5 , "Time of last request" },
3195 { 6 , "Time when password will expire" },
3196 { 7 , "Time when account will expire" },
3200 dissect_krb5_lr_type(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3202 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_lr_type, &lr_type);
3207 dissect_krb5_lr_value(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3209 offset=dissect_ber_GeneralizedTime(FALSE, actx, tree, tvb, offset, hf_krb_lr_time);
3214 static ber_old_sequence_t LastReq_sequence[] = {
3215 { BER_CLASS_CON, 0, 0,
3216 dissect_krb5_lr_type },
3217 { BER_CLASS_CON, 1, 0,
3218 dissect_krb5_lr_value },
3222 dissect_krb5_LastReq(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3224 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, LastReq_sequence, hf_krb_LastReq, ett_krb_LastReq);
3228 static ber_old_sequence_t LastReq_sequence_of[1] = {
3229 { BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_krb5_LastReq },
3232 dissect_krb5_LastReq_sequence_of(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3234 offset=dissect_ber_old_sequence_of(FALSE, actx, tree, tvb, offset, LastReq_sequence_of, hf_krb_LastReqs, ett_krb_LastReqs);
3240 dissect_krb5_key_expiration(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3242 offset=dissect_ber_GeneralizedTime(FALSE, actx, tree, tvb, offset, hf_krb_key_expire);
3246 static ber_old_sequence_t EncKDCRepPart_sequence[] = {
3247 { BER_CLASS_CON, 0, 0,
3249 { BER_CLASS_CON, 1, 0,
3250 dissect_krb5_LastReq_sequence_of },
3251 { BER_CLASS_CON, 2, 0,
3252 dissect_krb5_nonce },
3253 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
3254 dissect_krb5_key_expiration },
3255 { BER_CLASS_CON, 4, 0,
3256 dissect_krb5_TicketFlags },
3257 { BER_CLASS_CON, 5, 0,
3258 dissect_krb5_authtime },
3259 { BER_CLASS_CON, 6, BER_FLAGS_OPTIONAL,
3260 dissect_krb5_starttime },
3261 { BER_CLASS_CON, 7, 0,
3262 dissect_krb5_endtime },
3263 { BER_CLASS_CON, 8, BER_FLAGS_OPTIONAL,
3264 dissect_krb5_renew_till },
3265 { BER_CLASS_CON, 9, 0,
3266 dissect_krb5_realm },
3267 { BER_CLASS_CON, 10, 0,
3268 dissect_krb5_sname },
3269 { BER_CLASS_CON, 11, BER_FLAGS_OPTIONAL,
3270 dissect_krb5_HostAddresses },
3274 dissect_krb5_EncKDCRepPart(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3276 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, EncKDCRepPart_sequence, hf_krb_EncKDCRepPart, ett_krb_EncKDCRepPart);
3283 dissect_krb5_authenticator_vno(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3285 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_authenticator_vno, NULL);
3291 #define KRB5_GSS_C_DELEG_FLAG 0x01
3292 #define KRB5_GSS_C_MUTUAL_FLAG 0x02
3293 #define KRB5_GSS_C_REPLAY_FLAG 0x04
3294 #define KRB5_GSS_C_SEQUENCE_FLAG 0x08
3295 #define KRB5_GSS_C_CONF_FLAG 0x10
3296 #define KRB5_GSS_C_INTEG_FLAG 0x20
3297 #define KRB5_GSS_C_DCE_STYLE 0x1000
3299 static const true_false_string tfs_gss_flags_deleg = {
3300 "Delegate credentials to remote peer",
3303 static const true_false_string tfs_gss_flags_mutual = {
3304 "Request that remote peer authenticates itself",
3305 "Mutual authentication NOT required"
3307 static const true_false_string tfs_gss_flags_replay = {
3308 "Enable replay protection for signed or sealed messages",
3309 "Do NOT enable replay protection"
3311 static const true_false_string tfs_gss_flags_sequence = {
3312 "Enable Out-of-sequence detection for sign or sealed messages",
3313 "Do NOT enable out-of-sequence detection"
3315 static const true_false_string tfs_gss_flags_conf = {
3316 "Confidentiality (sealing) may be invoked",
3317 "Do NOT use Confidentiality (sealing)"
3319 static const true_false_string tfs_gss_flags_integ = {
3320 "Integrity protection (signing) may be invoked",
3321 "Do NOT use integrity protection"
3324 static const true_false_string tfs_gss_flags_dce_style = {
3326 "Not using DCE-STYLE"
3329 /* Dissect a GSSAPI checksum as per RFC1964. This is NOT ASN.1 encoded.
3332 dissect_krb5_rfc1964_checksum(asn1_ctx_t *actx _U_, proto_tree *tree, tvbuff_t *tvb)
3338 /* Length of Bnd field */
3339 len=tvb_get_letohl(tvb, offset);
3340 proto_tree_add_item(tree, hf_krb_gssapi_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3344 proto_tree_add_item(tree, hf_krb_gssapi_bnd, tvb, offset, len, ENC_NA);
3349 proto_tree_add_item(tree, hf_krb_gssapi_c_flag_dce_style, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3350 proto_tree_add_item(tree, hf_krb_gssapi_c_flag_integ, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3351 proto_tree_add_item(tree, hf_krb_gssapi_c_flag_conf, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3352 proto_tree_add_item(tree, hf_krb_gssapi_c_flag_sequence, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3353 proto_tree_add_item(tree, hf_krb_gssapi_c_flag_replay, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3354 proto_tree_add_item(tree, hf_krb_gssapi_c_flag_mutual, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3355 proto_tree_add_item(tree, hf_krb_gssapi_c_flag_deleg, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3358 /* the next fields are optional so we have to check that we have
3359 * more data in our buffers */
3360 if(tvb_length_remaining(tvb, offset)<2){
3363 /* dlgopt identifier */
3364 proto_tree_add_item(tree, hf_krb_gssapi_dlgopt, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3367 if(tvb_length_remaining(tvb, offset)<2){
3370 /* dlglen identifier */
3371 dlglen=tvb_get_letohs(tvb, offset);
3372 proto_tree_add_item(tree, hf_krb_gssapi_dlglen, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3375 if(dlglen!=tvb_length_remaining(tvb, offset)){
3376 proto_tree_add_text(tree, tvb, 0, 0, "Error: DlgLen:%d is not the same as number of bytes remaining:%d", dlglen, tvb_length_remaining(tvb, offset));
3380 /* this should now be a KRB_CRED message */
3381 offset=dissect_ber_old_choice(actx, tree, tvb, offset, kerberos_applications_choice, -1, -1, NULL);
3387 static guint32 checksum_type;
3390 dissect_krb5_checksum_type(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3392 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_checksum_type, &checksum_type);
3398 dissect_krb5_checksum_checksum(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3402 switch(checksum_type){
3403 case KRB5_CHKSUM_GSSAPI:
3404 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_krb_checksum_checksum, &next_tvb);
3405 dissect_krb5_rfc1964_checksum(actx, tree, next_tvb);
3408 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_krb_checksum_checksum, NULL);
3414 * Checksum ::= SEQUENCE {
3417 static ber_old_sequence_t Checksum_sequence[] = {
3418 { BER_CLASS_CON, 0, 0,
3419 dissect_krb5_checksum_type },
3420 { BER_CLASS_CON, 1, 0,
3421 dissect_krb5_checksum_checksum },
3425 dissect_krb5_Checksum(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3427 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, Checksum_sequence, hf_krb_Checksum, ett_krb_Checksum);
3433 * Authenticator ::= SEQUENCE {
3434 * authenticator-vno [0] integer
3436 * cname [2] PrincipalName
3437 * cksum [3] Checksum OPTIONAL
3438 * cusec [4] Microseconds
3439 * ctime [5] KerberosTime
3440 * subkey [6] encryptionKey OPTIONAL
3441 * seq-number [7] uint32 OPTIONAL
3442 * authorization-data [8] AuthorizationData OPTIONAL
3445 static ber_old_sequence_t Authenticator_sequence[] = {
3446 { BER_CLASS_CON, 0, 0,
3447 dissect_krb5_authenticator_vno },
3448 { BER_CLASS_CON, 1, 0,
3449 dissect_krb5_crealm },
3450 { BER_CLASS_CON, 2, 0,
3451 dissect_krb5_cname },
3452 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
3453 dissect_krb5_Checksum },
3454 { BER_CLASS_CON, 4, 0,
3455 dissect_krb5_cusec },
3456 { BER_CLASS_CON, 5, 0,
3457 dissect_krb5_ctime },
3458 { BER_CLASS_CON, 6, BER_FLAGS_OPTIONAL,
3459 dissect_krb5_subkey },
3460 { BER_CLASS_CON, 7, BER_FLAGS_OPTIONAL,
3461 dissect_krb5_seq_number },
3462 { BER_CLASS_CON, 8, BER_FLAGS_OPTIONAL,
3463 dissect_krb5_AuthorizationData },
3467 dissect_krb5_Authenticator(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3469 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, Authenticator_sequence, hf_krb_Authenticator, ett_krb_Authenticator);
3476 dissect_krb5_PRIV_BODY_user_data(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
3479 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_krb_PRIV_BODY_user_data, &new_tvb);
3482 call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_PRIV_USER_DATA, (kerberos_callbacks*)actx->private_data);
3487 static ber_old_sequence_t EncKrbPrivPart_sequence[] = {
3488 { BER_CLASS_CON, 0, 0,
3489 dissect_krb5_PRIV_BODY_user_data },
3490 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
3491 dissect_krb5_patimestamp },
3492 { BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL,
3493 dissect_krb5_cusec },
3494 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
3495 dissect_krb5_seq_number },
3496 { BER_CLASS_CON, 4, 0,
3497 dissect_krb5_s_address },
3498 { BER_CLASS_CON, 5, BER_FLAGS_OPTIONAL,
3499 dissect_krb5_HostAddresses },
3503 dissect_krb5_EncKrbPrivPart(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3505 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, EncKrbPrivPart_sequence, hf_krb_EncKrbPrivPart, ett_krb_EncKrbPrivPart);
3510 static guint32 PRIV_etype;
3512 dissect_krb5_PRIV_etype(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3514 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_etype, &PRIV_etype);
3516 proto_item_append_text(tree, " %s",
3517 val_to_str(PRIV_etype, krb5_encryption_types,
3523 #ifdef HAVE_KERBEROS
3525 dissect_krb5_decrypt_PRIV (proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3527 guint8 *plaintext=NULL;
3530 length=tvb_length_remaining(tvb, offset);
3535 next_tvb=tvb_new_subset_remaining(tvb, offset);
3536 plaintext=decrypt_krb5_data(tree, actx->pinfo, 13, next_tvb, PRIV_etype, NULL);
3541 next_tvb = tvb_new_child_real_data(tvb, plaintext,
3544 tvb_set_free_cb(next_tvb, g_free);
3546 /* Add the decrypted data to the data source list. */
3547 add_new_data_source(actx->pinfo, next_tvb, "Decrypted Krb5");
3549 offset=dissect_ber_old_choice(actx, tree, next_tvb, 0, kerberos_applications_choice, -1, -1, NULL);
3557 * PRIV-BODY ::= SEQUENCE {
3558 * KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
3560 * msg-type[1] INTEGER,
3561 * enc-part[3] EncryptedData
3565 dissect_krb5_encrypted_PRIV(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3567 #ifdef HAVE_KERBEROS
3568 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_PRIV, dissect_krb5_decrypt_PRIV);
3570 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_PRIV, NULL);
3574 static ber_old_sequence_t ENC_PRIV_sequence[] = {
3575 { BER_CLASS_CON, 0, 0,
3576 dissect_krb5_PRIV_etype },
3577 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
3578 dissect_krb5_kvno },
3579 { BER_CLASS_CON, 2, 0,
3580 dissect_krb5_encrypted_PRIV },
3584 dissect_krb5_ENC_PRIV(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3586 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, ENC_PRIV_sequence, hf_krb_ENC_PRIV, ett_krb_PRIV_enc);
3589 static ber_old_sequence_t PRIV_BODY_sequence[] = {
3590 { BER_CLASS_CON, 0, 0,
3591 dissect_krb5_pvno },
3592 { BER_CLASS_CON, 1, 0,
3593 dissect_krb5_msg_type },
3594 { BER_CLASS_CON, 3, 0,
3595 dissect_krb5_ENC_PRIV },
3599 dissect_krb5_PRIV(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3602 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, PRIV_BODY_sequence, hf_krb_PRIV_BODY, ett_krb_PRIV);
3607 static guint32 EncKrbCredPart_etype;
3609 dissect_krb5_EncKrbCredPart_etype(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3611 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_etype, &EncKrbCredPart_etype);
3613 proto_item_append_text(tree, " %s",
3614 val_to_str(EncKrbCredPart_etype, krb5_encryption_types,
3624 static ber_old_sequence_t KrbCredInfo_sequence[] = {
3625 { BER_CLASS_CON, 0, 0, dissect_krb5_key },
3626 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_krb5_prealm },
3627 { BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_krb5_pname },
3628 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_krb5_TicketFlags },
3629 { BER_CLASS_CON, 4, BER_FLAGS_OPTIONAL, dissect_krb5_authtime },
3630 { BER_CLASS_CON, 5, BER_FLAGS_OPTIONAL, dissect_krb5_starttime },
3631 { BER_CLASS_CON, 6, BER_FLAGS_OPTIONAL, dissect_krb5_endtime },
3632 { BER_CLASS_CON, 7, BER_FLAGS_OPTIONAL, dissect_krb5_renew_till },
3633 { BER_CLASS_CON, 8, BER_FLAGS_OPTIONAL, dissect_krb5_srealm },
3634 { BER_CLASS_CON, 9, BER_FLAGS_OPTIONAL, dissect_krb5_sname },
3635 { BER_CLASS_CON, 10, BER_FLAGS_OPTIONAL, dissect_krb5_HostAddresses },
3639 dissect_krb5_KrbCredInfo(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3642 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, KrbCredInfo_sequence, hf_krb_KrbCredInfo, ett_krb_KrbCredInfo);
3647 static ber_old_sequence_t KrbCredInfo_sequence_of[1] = {
3648 { BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_krb5_KrbCredInfo },
3651 dissect_krb5_KrbCredInfo_sequence_of(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3653 offset=dissect_ber_old_sequence_of(FALSE, actx, tree, tvb, offset, KrbCredInfo_sequence_of, hf_krb_KrbCredInfos, ett_krb_KrbCredInfos);
3657 static const ber_old_sequence_t EncKrbCredPart_sequence[] = {
3658 { BER_CLASS_CON, 0, 0, dissect_krb5_KrbCredInfo_sequence_of },
3659 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_krb5_nonce },
3660 { BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_krb5_ctime },
3661 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_krb5_cusec },
3662 { BER_CLASS_CON, 4, BER_FLAGS_OPTIONAL, dissect_krb5_s_address },
3663 { BER_CLASS_CON, 5, BER_FLAGS_OPTIONAL, dissect_krb5_r_address },
3668 dissect_krb5_EncKrbCredPart(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3670 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, EncKrbCredPart_sequence, hf_krb_EncKrbCredPart, ett_krb_EncKrbCredPart);
3675 #ifdef HAVE_KERBEROS
3677 dissect_krb5_decrypt_EncKrbCredPart (proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3679 guint8 *plaintext=NULL;
3683 next_tvb=tvb_new_subset_remaining(tvb, offset);
3685 length=tvb_length_remaining(tvb, offset);
3688 * EncKrbCredPart encrypted with usage
3692 plaintext=decrypt_krb5_data(tree, actx->pinfo, 14, next_tvb, EncKrbCredPart_etype, NULL);
3696 tvbuff_t *child_tvb;
3697 child_tvb = tvb_new_child_real_data(tvb, plaintext,
3700 tvb_set_free_cb(child_tvb, g_free);
3702 /* Add the decrypted data to the data source list. */
3703 add_new_data_source(actx->pinfo, child_tvb, "EncKrbCredPart");
3705 offset=dissect_ber_old_choice(actx, tree, child_tvb, 0, kerberos_applications_choice, -1, -1, NULL);
3712 dissect_krb5_encrypted_CRED_data(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3714 #ifdef HAVE_KERBEROS
3715 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_EncKrbCredPart, dissect_krb5_decrypt_EncKrbCredPart);
3717 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_EncKrbCredPart, NULL);
3722 static ber_old_sequence_t encrypted_CRED_sequence[] = {
3723 { BER_CLASS_CON, 0, 0,
3724 dissect_krb5_EncKrbCredPart_etype },
3725 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
3726 dissect_krb5_kvno },
3727 { BER_CLASS_CON, 2, 0,
3728 dissect_krb5_encrypted_CRED_data },
3732 dissect_krb5_encrypted_CRED(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3734 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, encrypted_CRED_sequence, hf_krb_CRED_enc, ett_krb_CRED_enc);
3739 static ber_old_sequence_t CRED_BODY_sequence[] = {
3740 { BER_CLASS_CON, 0, 0,
3741 dissect_krb5_pvno },
3742 { BER_CLASS_CON, 1, 0,
3743 dissect_krb5_msg_type },
3744 { BER_CLASS_CON, 2, 0,
3745 dissect_krb5_sq_tickets },
3746 { BER_CLASS_CON, 3, 0,
3747 dissect_krb5_encrypted_CRED },
3751 dissect_krb5_CRED(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3754 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, CRED_BODY_sequence, hf_krb_CRED_BODY, ett_krb_CRED);
3761 dissect_krb5_SAFE_BODY_user_data(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
3764 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_krb_SAFE_BODY_user_data, &new_tvb);
3766 call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_SAFE_USER_DATA, (kerberos_callbacks*)actx->private_data);
3770 dissect_krb5_SAFE_BODY_timestamp(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3772 offset=dissect_ber_GeneralizedTime(FALSE, actx, tree, tvb, offset, hf_krb_SAFE_BODY_timestamp);
3777 dissect_krb5_SAFE_BODY_usec(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3779 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_SAFE_BODY_usec, NULL);
3783 static ber_old_sequence_t SAFE_BODY_sequence[] = {
3784 { BER_CLASS_CON, 0, 0,
3785 dissect_krb5_SAFE_BODY_user_data },
3786 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
3787 dissect_krb5_SAFE_BODY_timestamp },
3788 { BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL,
3789 dissect_krb5_SAFE_BODY_usec },
3790 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
3791 dissect_krb5_seq_number },
3792 /*XXX this one is OPTIONAL in packetcable? but mandatory in kerberos */
3793 { BER_CLASS_CON, 4, BER_FLAGS_OPTIONAL,
3794 dissect_krb5_s_address },
3795 { BER_CLASS_CON, 5, BER_FLAGS_OPTIONAL,
3796 dissect_krb5_HostAddresses },
3800 dissect_krb5_SAFE_BODY(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3803 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, SAFE_BODY_sequence, -1, -1);
3810 static ber_old_sequence_t SAFE_sequence[] = {
3811 { BER_CLASS_CON, 0, 0,
3812 dissect_krb5_pvno },
3813 { BER_CLASS_CON, 1, 0,
3814 dissect_krb5_msg_type },
3815 { BER_CLASS_CON, 2, 0,
3816 dissect_krb5_SAFE_BODY },
3817 { BER_CLASS_CON, 3, 0,
3818 dissect_krb5_Checksum },
3822 dissect_krb5_SAFE(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3825 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, SAFE_sequence, -1, -1);
3830 #ifdef HAVE_KERBEROS
3831 static guint32 enc_authorization_data_etype;
3834 dissect_krb5_decrypt_enc_authorization_data(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3836 guint8 *plaintext=NULL;
3840 next_tvb=tvb_new_subset_remaining(tvb, offset);
3842 length=tvb_length_remaining(tvb, offset);
3846 The key usage value used when encrypting is 5
3847 if a sub-session key is used, or 4 if the session key is used.
3850 plaintext=decrypt_krb5_data(tree, actx->pinfo, 4, next_tvb, enc_authorization_data_etype, NULL);
3853 plaintext=decrypt_krb5_data(tree, actx->pinfo, 5, next_tvb, enc_authorization_data_etype, NULL);
3857 tvbuff_t *child_tvb;
3858 child_tvb = tvb_new_child_real_data(tvb, plaintext,
3861 tvb_set_free_cb(child_tvb, g_free);
3863 /* Add the decrypted data to the data source list. */
3864 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
3867 proto_tree_add_text(tree, child_tvb, 0, length, "AtuhorizationData for TGS_REQ not implemented yet");
3875 dissect_krb5_encrypted_enc_authorization_data(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3877 #ifdef HAVE_KERBEROS
3878 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_enc_authorization_data, dissect_krb5_decrypt_enc_authorization_data);
3880 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_enc_authorization_data, NULL);
3886 dissect_krb5_enc_authorization_data_etype(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3888 #ifndef HAVE_KERBEROS
3889 guint32 enc_authorization_data_etype;
3891 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_etype, &enc_authorization_data_etype);
3893 proto_item_append_text(tree, " %s",
3894 val_to_str(enc_authorization_data_etype, krb5_encryption_types,
3899 static ber_old_sequence_t enc_authorization_data_sequence[] = {
3900 { BER_CLASS_CON, 0, 0,
3901 dissect_krb5_enc_authorization_data_etype },
3902 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
3903 dissect_krb5_kvno },
3904 { BER_CLASS_CON, 2, 0,
3905 dissect_krb5_encrypted_enc_authorization_data },
3909 dissect_krb5_enc_authorization_data(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3911 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, enc_authorization_data_sequence, -1, -1);
3917 * KDC-REQ-BODY ::= SEQUENCE {
3918 * kdc-options[0] KDCOptions,
3919 * cname[1] PrincipalName OPTIONAL,
3920 * -- Used only in AS-REQ
3921 * realm[2] Realm, -- Server's realm
3922 * -- Also client's in AS-REQ
3923 * sname[3] PrincipalName OPTIONAL,
3924 * from[4] KerberosTime OPTIONAL,
3925 * till[5] KerberosTime,
3926 * rtime[6] KerberosTime OPTIONAL,
3928 * etype[8] SEQUENCE OF INTEGER, -- EncryptionType,
3929 * -- in preference order
3930 * addresses[9] HostAddresses OPTIONAL,
3931 * enc-authorization-data[10] EncryptedData OPTIONAL,
3932 * -- Encrypted AuthorizationData encoding
3933 * additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
3937 static ber_old_sequence_t KDC_REQ_BODY_sequence[] = {
3938 { BER_CLASS_CON, 0, 0,
3939 dissect_krb5_KDCOptions },
3940 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
3941 dissect_krb5_cname },
3942 { BER_CLASS_CON, 2, 0,
3943 dissect_krb5_realm},
3944 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
3945 dissect_krb5_sname },
3946 { BER_CLASS_CON, 4, BER_FLAGS_OPTIONAL,
3947 dissect_krb5_from },
3948 /* this field is not optional in the kerberos spec,
3949 * however, in the packetcable spec it is optional.
3950 * make it optional here since normal kerberos will
3951 * still decode the pdu correctly.
3953 { BER_CLASS_CON, 5, BER_FLAGS_OPTIONAL,
3954 dissect_krb5_till },
3955 { BER_CLASS_CON, 6, BER_FLAGS_OPTIONAL,
3956 dissect_krb5_rtime },
3957 { BER_CLASS_CON, 7, 0,
3958 dissect_krb5_nonce },
3959 { BER_CLASS_CON, 8, 0,
3960 dissect_krb5_etype_sequence_of },
3961 { BER_CLASS_CON, 9, BER_FLAGS_OPTIONAL,
3962 dissect_krb5_HostAddresses },
3963 { BER_CLASS_CON, 10, BER_FLAGS_OPTIONAL,
3964 dissect_krb5_enc_authorization_data },
3965 { BER_CLASS_CON, 11, BER_FLAGS_OPTIONAL,
3966 dissect_krb5_sq_tickets },
3970 dissect_krb5_KDC_REQ_BODY(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
3972 conversation_t *conversation;
3975 * UDP replies to KDC_REQs are sent from the server back to the client's
3976 * source port, similar to the way TFTP works. Set up a conversation
3979 * Ref: Section 7.2.1 of
3980 * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt
3982 if (actx->pinfo->destport == UDP_PORT_KERBEROS && actx->pinfo->ptype == PT_UDP) {
3983 conversation = find_conversation(actx->pinfo->fd->num, &actx->pinfo->src, &actx->pinfo->dst, PT_UDP,
3984 actx->pinfo->srcport, 0, NO_PORT_B);
3985 if (conversation == NULL) {
3986 conversation = conversation_new(actx->pinfo->fd->num, &actx->pinfo->src, &actx->pinfo->dst, PT_UDP,
3987 actx->pinfo->srcport, 0, NO_PORT2);
3988 conversation_set_dissector(conversation, kerberos_handle_udp);
3992 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, KDC_REQ_BODY_sequence, hf_krb_KDC_REQ_BODY, ett_krb_request);
4000 * KDC-REQ ::= SEQUENCE {
4002 * msg-type[2] INTEGER,
4003 * padata[3] SEQUENCE OF PA-DATA OPTIONAL,
4004 * req-body[4] KDC-REQ-BODY
4007 static ber_old_sequence_t KDC_REQ_sequence[] = {
4008 { BER_CLASS_CON, 1, 0,
4009 dissect_krb5_pvno },
4010 { BER_CLASS_CON, 2, 0,
4011 dissect_krb5_msg_type },
4012 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
4013 dissect_krb5_padata },
4014 { BER_CLASS_CON, 4, 0,
4015 dissect_krb5_KDC_REQ_BODY },
4019 dissect_krb5_KDC_REQ(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4021 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, KDC_REQ_sequence, -1, -1);
4027 #ifdef HAVE_KERBEROS
4029 dissect_krb5_decrypt_authenticator_data (proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4031 guint8 *plaintext=NULL;
4035 next_tvb=tvb_new_subset_remaining(tvb, offset);
4037 length=tvb_length_remaining(tvb, offset);
4039 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
4041 * Authenticators are encrypted with usage
4046 plaintext=decrypt_krb5_data(tree, actx->pinfo, 7, next_tvb, authenticator_etype, NULL);
4049 plaintext=decrypt_krb5_data(tree, actx->pinfo, 11, next_tvb, authenticator_etype, NULL);
4053 tvbuff_t *child_tvb;
4054 child_tvb = tvb_new_child_real_data(tvb, plaintext,
4057 tvb_set_free_cb(child_tvb, g_free);
4059 /* Add the decrypted data to the data source list. */
4060 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
4063 offset=dissect_ber_old_choice(actx, tree, child_tvb, 0, kerberos_applications_choice, -1, -1, NULL);
4072 * EncryptedData ::= SEQUENCE {
4073 * etype[0] INTEGER, -- EncryptionType
4074 * kvno[1] INTEGER OPTIONAL,
4075 * cipher[2] OCTET STRING -- ciphertext
4079 dissect_krb5_encrypted_authenticator_data(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4081 #ifdef HAVE_KERBEROS
4082 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_authenticator_data, dissect_krb5_decrypt_authenticator_data);
4084 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_authenticator_data, NULL);
4088 static ber_old_sequence_t encrypted_authenticator_sequence[] = {
4089 { BER_CLASS_CON, 0, 0,
4090 dissect_krb5_authenticator_etype },
4091 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
4092 dissect_krb5_kvno },
4093 { BER_CLASS_CON, 2, 0,
4094 dissect_krb5_encrypted_authenticator_data },
4098 dissect_krb5_encrypted_authenticator(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4100 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, encrypted_authenticator_sequence, hf_krb_authenticator_enc, ett_krb_authenticator_enc);
4109 dissect_krb5_tkt_vno(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4111 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_tkt_vno, NULL);
4116 #ifdef HAVE_KERBEROS
4118 dissect_krb5_decrypt_Ticket_data (proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4124 next_tvb=tvb_new_subset_remaining(tvb, offset);
4126 length=tvb_length_remaining(tvb, offset);
4128 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
4130 * All Ticket encrypted parts use usage == 2
4132 if( (plaintext=decrypt_krb5_data(tree, actx->pinfo, 2, next_tvb, Ticket_etype, NULL)) ){
4133 tvbuff_t *child_tvb;
4134 child_tvb = tvb_new_child_real_data(tvb, plaintext,
4137 tvb_set_free_cb(child_tvb, g_free);
4139 /* Add the decrypted data to the data source list. */
4140 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
4143 offset=dissect_ber_old_choice(actx, tree, child_tvb, 0, kerberos_applications_choice, -1, -1, NULL);
4151 dissect_krb5_encrypted_Ticket_data(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4153 #ifdef HAVE_KERBEROS
4154 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_Ticket_data, dissect_krb5_decrypt_Ticket_data);
4156 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_Ticket_data, NULL);
4160 static ber_old_sequence_t encrypted_Ticket_sequence[] = {
4161 { BER_CLASS_CON, 0, 0,
4162 dissect_krb5_Ticket_etype },
4163 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
4164 dissect_krb5_kvno },
4165 { BER_CLASS_CON, 2, 0,
4166 dissect_krb5_encrypted_Ticket_data },
4170 dissect_krb5_Ticket_encrypted(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4172 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, encrypted_Ticket_sequence, hf_krb_ticket_enc, ett_krb_ticket_enc);
4177 static ber_old_sequence_t Application_1_sequence[] = {
4178 { BER_CLASS_CON, 0, 0,
4179 dissect_krb5_tkt_vno },
4180 { BER_CLASS_CON, 1, 0,
4181 dissect_krb5_realm },
4182 { BER_CLASS_CON, 2, 0,
4183 dissect_krb5_sname },
4184 { BER_CLASS_CON, 3, 0,
4185 dissect_krb5_Ticket_encrypted },
4189 dissect_krb5_Application_1(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4191 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, Application_1_sequence, hf_krb_ticket, ett_krb_ticket);
4198 static const ber_old_choice_t Ticket_choice[] = {
4199 { 1, BER_CLASS_APP, 1, 0,
4200 dissect_krb5_Application_1 },
4201 { 0, 0, 0, 0, NULL }
4204 dissect_krb5_Ticket(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4206 offset=dissect_ber_old_choice(actx, tree, tvb, offset, Ticket_choice, -1, -1, NULL);
4215 * AP-REQ ::= [APPLICATION 14] SEQUENCE {
4217 * msg-type[1] INTEGER,
4218 * ap-options[2] APOptions,
4220 * authenticator[4] EncryptedData
4223 static ber_old_sequence_t AP_REQ_sequence[] = {
4224 { BER_CLASS_CON, 0, 0,
4225 dissect_krb5_pvno },
4226 { BER_CLASS_CON, 1, 0,
4227 dissect_krb5_msg_type },
4228 { BER_CLASS_CON, 2, 0,
4229 dissect_krb5_APOptions },
4230 { BER_CLASS_CON, 3, 0,
4231 dissect_krb5_Ticket },
4232 { BER_CLASS_CON, 4, 0,
4233 dissect_krb5_encrypted_authenticator },
4237 dissect_krb5_AP_REQ(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4239 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, AP_REQ_sequence, -1, -1);
4247 #ifdef HAVE_KERBEROS
4249 dissect_krb5_decrypt_AP_REP_data(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4251 guint8 *plaintext=NULL;
4254 length=tvb_length_remaining(tvb, offset);
4256 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
4258 * Authenticators are encrypted with usage
4265 next_tvb=tvb_new_subset_remaining(tvb, offset);
4266 plaintext=decrypt_krb5_data(tree, actx->pinfo, 12, next_tvb, AP_REP_etype, NULL);
4271 next_tvb = tvb_new_child_real_data(tvb, plaintext,
4274 tvb_set_free_cb(next_tvb, g_free);
4276 /* Add the decrypted data to the data source list. */
4277 add_new_data_source(actx->pinfo, next_tvb, "Decrypted Krb5");
4280 offset=dissect_ber_old_choice(actx, tree, next_tvb, 0, kerberos_applications_choice, -1, -1, NULL);
4289 dissect_krb5_encrypted_AP_REP_data(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4291 #ifdef HAVE_KERBEROS
4292 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_AP_REP_data, dissect_krb5_decrypt_AP_REP_data);
4294 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_AP_REP_data, NULL);
4298 static ber_old_sequence_t encrypted_AP_REP_sequence[] = {
4299 { BER_CLASS_CON, 0, 0,
4300 dissect_krb5_AP_REP_etype },
4301 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
4302 dissect_krb5_kvno },
4303 { BER_CLASS_CON, 2, 0,
4304 dissect_krb5_encrypted_AP_REP_data },
4308 dissect_krb5_encrypted_AP_REP(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4310 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, encrypted_AP_REP_sequence, hf_krb_AP_REP_enc, ett_krb_AP_REP_enc);
4316 * AP-REP ::= [APPLICATION 15] SEQUENCE {
4318 * msg-type[1] INTEGER,
4319 * enc-part[2] EncryptedData
4322 static ber_old_sequence_t AP_REP_sequence[] = {
4323 { BER_CLASS_CON, 0, 0,
4324 dissect_krb5_pvno },
4325 { BER_CLASS_CON, 1, 0,
4326 dissect_krb5_msg_type },
4327 { BER_CLASS_CON, 2, 0,
4328 dissect_krb5_encrypted_AP_REP },
4332 dissect_krb5_AP_REP(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4334 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, AP_REP_sequence, -1, -1);
4343 static guint32 KDC_REP_etype;
4345 dissect_krb5_KDC_REP_etype(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4347 offset=dissect_ber_integer(FALSE, actx, tree, tvb, offset, hf_krb_etype, &KDC_REP_etype);
4349 proto_item_append_text(tree, " %s",
4350 val_to_str(KDC_REP_etype, krb5_encryption_types,
4356 #ifdef HAVE_KERBEROS
4358 dissect_krb5_decrypt_KDC_REP_data (proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4360 guint8 *plaintext=NULL;
4364 next_tvb=tvb_new_subset_remaining(tvb, offset);
4366 length=tvb_length_remaining(tvb, offset);
4368 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
4370 * ASREP/TGSREP encryptedparts are encrypted with usage
4376 plaintext=decrypt_krb5_data(tree, actx->pinfo, 3, next_tvb, KDC_REP_etype, NULL);
4379 plaintext=decrypt_krb5_data(tree, actx->pinfo, 8, next_tvb, KDC_REP_etype, NULL);
4382 plaintext=decrypt_krb5_data(tree, actx->pinfo, 9, next_tvb, KDC_REP_etype, NULL);
4386 tvbuff_t *child_tvb;
4387 child_tvb = tvb_new_child_real_data(tvb, plaintext,
4390 tvb_set_free_cb(child_tvb, g_free);
4392 /* Add the decrypted data to the data source list. */
4393 add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
4396 offset=dissect_ber_old_choice(actx, tree, child_tvb, 0, kerberos_applications_choice, -1, -1, NULL);
4405 dissect_krb5_encrypted_KDC_REP_data(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4407 #ifdef HAVE_KERBEROS
4408 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_KDC_REP_data, dissect_krb5_decrypt_KDC_REP_data);
4410 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_encrypted_KDC_REP_data, NULL);
4414 static ber_old_sequence_t encrypted_KDC_REP_sequence[] = {
4415 { BER_CLASS_CON, 0, 0,
4416 dissect_krb5_KDC_REP_etype },
4417 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
4418 dissect_krb5_kvno },
4419 { BER_CLASS_CON, 2, 0,
4420 dissect_krb5_encrypted_KDC_REP_data },
4424 dissect_krb5_encrypted_KDC_REP(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4426 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, encrypted_KDC_REP_sequence, hf_krb_KDC_REP_enc, ett_krb_KDC_REP_enc);
4432 * KDC-REP ::= SEQUENCE {
4434 * msg-type[1] INTEGER,
4435 * padata[2] SEQUENCE OF PA-DATA OPTIONAL,
4437 * cname[4] PrincipalName,
4439 * enc-part[6] EncryptedData
4442 static ber_old_sequence_t KDC_REP_sequence[] = {
4443 { BER_CLASS_CON, 0, 0,
4444 dissect_krb5_pvno },
4445 { BER_CLASS_CON, 1, 0,
4446 dissect_krb5_msg_type },
4447 { BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL,
4448 dissect_krb5_padata },
4449 { BER_CLASS_CON, 3, 0,
4450 dissect_krb5_crealm },
4451 { BER_CLASS_CON, 4, 0,
4452 dissect_krb5_cname },
4453 { BER_CLASS_CON, 5, 0,
4454 dissect_krb5_Ticket },
4455 { BER_CLASS_CON, 6, 0,
4456 dissect_krb5_encrypted_KDC_REP },
4460 dissect_krb5_KDC_REP(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4462 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, KDC_REP_sequence, -1, -1);
4471 dissect_krb5_e_text(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4473 offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_e_text, NULL, 0);
4478 dissect_krb5_e_data(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4480 switch(krb5_errorcode){
4481 case KRB5_ET_KRB5KDC_ERR_BADOPTION:
4482 case KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED:
4483 case KRB5_ET_KRB5KDC_ERR_KEY_EXP:
4484 case KRB5_ET_KRB5KDC_ERR_POLICY:
4485 /* ms windows kdc sends e-data of this type containing a "salt"
4486 * that contains the nt_status code for these error codes.
4488 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_e_data, dissect_krb5_PA_DATA);
4490 case KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED:
4491 case KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED:
4492 case KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP:
4493 offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_krb_e_data, dissect_krb5_padata);
4497 offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_krb_e_data, NULL);
4503 /* This optional field in KRB_ERR is used by the early drafts which
4504 * PacketCable still use.
4507 dissect_krb5_e_checksum(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4509 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, Checksum_sequence, hf_krb_e_checksum, ett_krb_e_checksum);
4516 * KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
4518 * msg-type[1] INTEGER,
4519 * ctime[2] KerberosTime OPTIONAL,
4520 * cusec[3] INTEGER OPTIONAL,
4521 * stime[4] KerberosTime,
4523 * error-code[6] INTEGER,
4524 * crealm[7] Realm OPTIONAL,
4525 * cname[8] PrincipalName OPTIONAL,
4526 * realm[9] Realm, -- Correct realm
4527 * sname[10] PrincipalName, -- Correct name
4528 * e-text[11] GeneralString OPTIONAL,
4529 * e-data[12] OCTET STRING OPTIONAL
4532 * e-data This field contains additional data about the error for use
4533 * by the application to help it recover from or handle the
4534 * error. If the errorcode is KDC_ERR_PREAUTH_REQUIRED, then
4535 * the e-data field will contain an encoding of a sequence of
4536 * padata fields, each corresponding to an acceptable pre-
4537 * authentication method and optionally containing data for
4540 static ber_old_sequence_t ERROR_sequence[] = {
4541 { BER_CLASS_CON, 0, 0,
4542 dissect_krb5_pvno },
4543 { BER_CLASS_CON, 1, 0,
4544 dissect_krb5_msg_type },
4545 { BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL,
4546 dissect_krb5_ctime },
4547 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
4548 dissect_krb5_cusec },
4549 { BER_CLASS_CON, 4, 0,
4550 dissect_krb5_stime },
4551 { BER_CLASS_CON, 5, 0,
4552 dissect_krb5_susec },
4553 { BER_CLASS_CON, 6, 0,
4554 dissect_krb5_error_code },
4555 { BER_CLASS_CON, 7, BER_FLAGS_OPTIONAL,
4556 dissect_krb5_crealm },
4557 { BER_CLASS_CON, 8, BER_FLAGS_OPTIONAL,
4558 dissect_krb5_cname },
4559 { BER_CLASS_CON, 9, 0,
4560 dissect_krb5_realm },
4561 { BER_CLASS_CON, 10, 0,
4562 dissect_krb5_sname },
4563 { BER_CLASS_CON, 11, BER_FLAGS_OPTIONAL,
4564 dissect_krb5_e_text },
4565 { BER_CLASS_CON, 12, BER_FLAGS_OPTIONAL,
4566 dissect_krb5_e_data },
4567 { BER_CLASS_CON, 13, BER_FLAGS_OPTIONAL,
4568 dissect_krb5_e_checksum }, /* used by PacketCable */
4572 dissect_krb5_ERROR(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4574 offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, ERROR_sequence, -1, -1);
4581 static gint dissect_kerberos_common(tvbuff_t *tvb, packet_info *pinfo,
4582 proto_tree *tree, gboolean do_col_info,
4583 gboolean do_col_protocol,
4585 kerberos_callbacks *cb);
4586 static int dissect_kerberos_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo,
4587 proto_tree *tree, void* data _U_);
4591 dissect_kerberos_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int do_col_info, kerberos_callbacks *cb)
4593 return (dissect_kerberos_common(tvb, pinfo, tree, do_col_info, FALSE, FALSE, cb));
4597 kerberos_output_keytype(void)
4603 dissect_kerberos_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
4605 /* Some weird kerberos implementation apparently do krb4 on the krb5 port.
4606 Since all (except weirdo transarc krb4 stuff) use
4607 an opcode <=16 in the first byte, use this to see if it might
4609 All krb5 commands start with an APPL tag and thus is >=0x60
4610 so if first byte is <=16 just blindly assume it is krb4 then
4612 if(tvb_length(tvb) >= 1 && tvb_get_guint8(tvb, 0)<=0x10){
4616 res=call_dissector_only(krb4_handle, tvb, pinfo, tree, NULL);
4624 return dissect_kerberos_common(tvb, pinfo, tree, TRUE, TRUE, FALSE, NULL);
4628 kerberos_rm_to_reclen(guint krb_rm)
4630 return (krb_rm & KRB_RM_RECLEN);
4634 get_krb_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset)
4639 krb_rm = tvb_get_ntohl(tvb, offset);
4640 pdulen = kerberos_rm_to_reclen(krb_rm);
4641 return (pdulen + 4);
4645 dissect_kerberos_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
4647 pinfo->fragmented = TRUE;
4648 if (dissect_kerberos_common(tvb, pinfo, tree, TRUE, TRUE, TRUE, NULL) < 0) {
4650 * The dissector failed to recognize this as a valid
4651 * Kerberos message. Mark it as a continuation packet.
4653 col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
4656 return tvb_length(tvb);
4660 dissect_kerberos_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
4662 col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
4663 col_clear(pinfo->cinfo, COL_INFO);
4665 tcp_dissect_pdus(tvb, pinfo, tree, krb_desegment, 4, get_krb_pdu_len,
4666 dissect_kerberos_tcp_pdu, data);
4667 return tvb_length(tvb);
4671 * Display the TCP record mark.
4674 show_krb_recordmark(proto_tree *tree, tvbuff_t *tvb, gint start, guint32 krb_rm)
4677 proto_item *rm_item;
4678 proto_tree *rm_tree;
4683 rec_len = kerberos_rm_to_reclen(krb_rm);
4684 rm_item = proto_tree_add_text(tree, tvb, start, 4,
4685 "Record Mark: %u %s", rec_len, plurality(rec_len, "byte", "bytes"));
4686 rm_tree = proto_item_add_subtree(rm_item, ett_krb_recordmark);
4687 proto_tree_add_boolean(rm_tree, hf_krb_rm_reserved, tvb, start, 4, krb_rm);
4688 proto_tree_add_uint(rm_tree, hf_krb_rm_reclen, tvb, start, 4, krb_rm);
4693 dissect_kerberos_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
4694 gboolean dci, gboolean do_col_protocol, gboolean have_rm,
4695 kerberos_callbacks *cb)
4697 volatile int offset = 0;
4698 proto_tree *volatile kerberos_tree = NULL;
4699 proto_item *volatile item = NULL;
4700 asn1_ctx_t asn1_ctx;
4702 /* TCP record mark and length */
4704 gint krb_reclen = 0;
4706 gbl_do_col_info=dci;
4709 krb_rm = tvb_get_ntohl(tvb, offset);
4710 krb_reclen = kerberos_rm_to_reclen(krb_rm);
4712 * What is a reasonable size limit?
4714 if (krb_reclen > 10 * 1024 * 1024) {
4717 if (do_col_protocol) {
4718 col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
4721 item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, ENC_NA);
4722 kerberos_tree = proto_item_add_subtree(item, ett_krb_kerberos);
4724 show_krb_recordmark(kerberos_tree, tvb, offset, krb_rm);
4727 /* Do some sanity checking here,
4728 * All krb5 packets start with a TAG class that is BER_CLASS_APP
4729 * and a tag value that is either of the values below:
4730 * If it doesnt look like kerberos, return 0 and let someone else have
4737 get_ber_identifier(tvb, offset, &tmp_class, &tmp_pc, &tmp_tag);
4738 if(tmp_class!=BER_CLASS_APP){
4742 case KRB5_MSG_TICKET:
4743 case KRB5_MSG_AUTHENTICATOR:
4744 case KRB5_MSG_ENC_TICKET_PART:
4745 case KRB5_MSG_AS_REQ:
4746 case KRB5_MSG_AS_REP:
4747 case KRB5_MSG_TGS_REQ:
4748 case KRB5_MSG_TGS_REP:
4749 case KRB5_MSG_AP_REQ:
4750 case KRB5_MSG_AP_REP:
4751 case KRB5_MSG_ENC_AS_REP_PART:
4752 case KRB5_MSG_ENC_TGS_REP_PART:
4753 case KRB5_MSG_ENC_AP_REP_PART:
4754 case KRB5_MSG_ENC_KRB_PRIV_PART:
4755 case KRB5_MSG_ENC_KRB_CRED_PART:
4758 case KRB5_MSG_ERROR:
4763 if (do_col_protocol) {
4764 col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
4766 if (gbl_do_col_info) {
4767 col_clear(pinfo->cinfo, COL_INFO);
4770 item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, ENC_NA);
4771 kerberos_tree = proto_item_add_subtree(item, ett_krb_kerberos);
4774 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
4775 asn1_ctx.private_data = cb;
4778 offset=dissect_ber_old_choice(&asn1_ctx, kerberos_tree, tvb, offset, kerberos_applications_choice, -1, -1, NULL);
4779 } CATCH_BOUNDS_ERRORS {
4783 proto_item_set_len(item, offset);
4788 kerberos_prefs_apply_cb(void) {
4789 #ifdef HAVE_LIBNETTLE
4791 read_keytab_file(keytab_filename);
4796 proto_register_kerberos(void)
4798 static hf_register_info hf[] = {
4799 { &hf_krb_rm_reserved, {
4800 "Reserved", "kerberos.rm.reserved", FT_BOOLEAN, 32,
4801 TFS(&tfs_set_notset), KRB_RM_RESERVED, "Record mark reserved bit", HFILL }},
4802 { &hf_krb_rm_reclen, {
4803 "Record Length", "kerberos.rm.length", FT_UINT32, BASE_DEC,
4804 NULL, KRB_RM_RECLEN, NULL, HFILL }},
4805 { &hf_krb_transitedtype, {
4806 "Type", "kerberos.transited.type", FT_UINT32, BASE_DEC,
4807 VALS(krb5_transited_types), 0, "Transited Type", HFILL }},
4808 { &hf_krb_transitedcontents, {
4809 "Contents", "kerberos.transited.contents", FT_BYTES, BASE_NONE,
4810 NULL, 0, "Transited Contents string", HFILL }},
4811 { &hf_krb_keytype, {
4812 "Key type", "kerberos.keytype", FT_UINT32, BASE_DEC,
4813 VALS(krb5_encryption_types), 0, NULL, HFILL }},
4814 { &hf_krb_keyvalue, {
4815 "Key value", "kerberos.keyvalue", FT_BYTES, BASE_NONE,
4816 NULL, 0, "Key value (encryption key)", HFILL }},
4818 "Type", "kerberos.adtype", FT_UINT32, BASE_DEC,
4819 VALS(krb5_ad_types), 0, "Authorization Data Type", HFILL }},
4820 { &hf_krb_IF_RELEVANT_type, {
4821 "Type", "kerberos.IF_RELEVANT.type", FT_UINT32, BASE_DEC,
4822 VALS(krb5_ad_types), 0, "IF-RELEVANT Data Type", HFILL }},
4823 { &hf_krb_advalue, {
4824 "Data", "kerberos.advalue", FT_BYTES, BASE_NONE,
4825 NULL, 0, "Authentication Data", HFILL }},
4826 { &hf_krb_IF_RELEVANT_value, {
4827 "Data", "kerberos.IF_RELEVANT.value", FT_BYTES, BASE_NONE,
4828 NULL, 0, "IF_RELEVANT Data", HFILL }},
4830 "Encryption type", "kerberos.etype", FT_INT32, BASE_DEC,
4831 VALS(krb5_encryption_types), 0, NULL, HFILL }},
4832 { &hf_krb_addr_type, {
4833 "Addr-type", "kerberos.addr_type", FT_UINT32, BASE_DEC,
4834 VALS(krb5_address_types), 0, "Address Type", HFILL }},
4835 { &hf_krb_pac_signature_type, {
4836 "Type", "kerberos.pac.signature.type", FT_INT32, BASE_DEC,
4837 NULL, 0, "PAC Signature Type", HFILL }},
4838 { &hf_krb_name_type, {
4839 "Name-type", "kerberos.name_type", FT_INT32, BASE_DEC,
4840 VALS(krb5_princ_types), 0, "Type of principal name", HFILL }},
4841 { &hf_krb_lr_type, {
4842 "Lr-type", "kerberos.lr_type", FT_UINT32, BASE_DEC,
4843 VALS(krb5_lr_types), 0, "Type of lastreq value", HFILL }},
4844 { &hf_krb_address_ip, {
4845 "IP Address", "kerberos.addr_ip", FT_IPv4, BASE_NONE,
4846 NULL, 0, NULL, HFILL }},
4847 { &hf_krb_address_ipv6, {
4848 "IPv6 Address", "kerberos.addr_ipv6", FT_IPv6, BASE_NONE,
4849 NULL, 0, NULL, HFILL }},
4850 { &hf_krb_address_netbios, {
4851 "NetBIOS Address", "kerberos.addr_nb", FT_STRING, BASE_NONE,
4852 NULL, 0, "NetBIOS Address and type", HFILL }},
4853 { &hf_krb_authtime, {
4854 "Authtime", "kerberos.authtime", FT_STRING, BASE_NONE,
4855 NULL, 0, "Time of initial authentication", HFILL }},
4856 { &hf_krb_SAFE_BODY_timestamp, {
4857 "Timestamp", "kerberos.SAFE_BODY.timestamp", FT_STRING, BASE_NONE,
4858 NULL, 0, "Timestamp of this SAFE_BODY", HFILL }},
4859 { &hf_krb_patimestamp, {
4860 "patimestamp", "kerberos.patimestamp", FT_STRING, BASE_NONE,
4861 NULL, 0, "Time of client", HFILL }},
4863 "pausec", "kerberos.pausec", FT_UINT32, BASE_DEC,
4864 NULL, 0, "Microsecond component of client time", HFILL }},
4865 { &hf_krb_lr_time, {
4866 "Lr-time", "kerberos.lr_time", FT_STRING, BASE_NONE,
4867 NULL, 0, "Time of LR-entry", HFILL }},
4868 { &hf_krb_starttime, {
4869 "Start time", "kerberos.starttime", FT_STRING, BASE_NONE,
4870 NULL, 0, "The time after which the ticket is valid", HFILL }},
4871 { &hf_krb_endtime, {
4872 "End time", "kerberos.endtime", FT_STRING, BASE_NONE,
4873 NULL, 0, "The time after which the ticket has expired", HFILL }},
4874 { &hf_krb_key_expire, {
4875 "Key Expiration", "kerberos.key_expiration", FT_STRING, BASE_NONE,
4876 NULL, 0, "The time after which the key will expire", HFILL }},
4877 { &hf_krb_renew_till, {
4878 "Renew-till", "kerberos.renenw_till", FT_STRING, BASE_NONE,
4879 NULL, 0, "The maximum time we can renew the ticket until", HFILL }},
4881 "rtime", "kerberos.rtime", FT_STRING, BASE_NONE,
4882 NULL, 0, "Renew Until timestamp", HFILL }},
4884 "ctime", "kerberos.ctime", FT_STRING, BASE_NONE,
4885 NULL, 0, "Current Time on the client host", HFILL }},
4887 "cusec", "kerberos.cusec", FT_UINT32, BASE_DEC,
4888 NULL, 0, "micro second component of client time", HFILL }},
4889 { &hf_krb_SAFE_BODY_usec, {
4890 "usec", "kerberos.SAFE_BODY.usec", FT_UINT32, BASE_DEC,
4891 NULL, 0, "micro second component of SAFE_BODY time", HFILL }},
4893 "stime", "kerberos.stime", FT_STRING, BASE_NONE,
4894 NULL, 0, "Current Time on the server host", HFILL }},
4896 "susec", "kerberos.susec", FT_UINT32, BASE_DEC,
4897 NULL, 0, "micro second component of server time", HFILL }},
4898 { &hf_krb_error_code, {
4899 "error_code", "kerberos.error_code", FT_UINT32, BASE_DEC,
4900 VALS(krb5_error_codes), 0, "Kerberos error code", HFILL }},
4902 "from", "kerberos.from", FT_STRING, BASE_NONE,
4903 NULL, 0, "From when the ticket is to be valid (postdating)", HFILL }},
4905 "till", "kerberos.till", FT_STRING, BASE_NONE,
4906 NULL, 0, "When the ticket will expire", HFILL }},
4907 { &hf_krb_name_string, {
4908 "Name", "kerberos.name_string", FT_STRING, BASE_NONE,
4909 NULL, 0, "String component that is part of a PrincipalName", HFILL }},
4910 { &hf_krb_provsrv_location, {
4911 "PROVSRV Location", "kerberos.provsrv_location", FT_STRING, BASE_NONE,
4912 NULL, 0, "PacketCable PROV SRV Location", HFILL }},
4914 "e-text", "kerberos.e_text", FT_STRING, BASE_NONE,
4915 NULL, 0, "Additional (human readable) error description", HFILL }},
4916 { &hf_krb_s4u2self_auth, {
4917 "S4U2Self Auth", "kerberos.s4u2self.auth", FT_STRING, BASE_NONE,
4918 NULL, 0, "S4U2Self authentication string", HFILL }},
4920 "Realm", "kerberos.realm", FT_STRING, BASE_NONE,
4921 NULL, 0, "Name of the Kerberos Realm", HFILL }},
4923 "SRealm", "kerberos.srealm", FT_STRING, BASE_NONE,
4924 NULL, 0, "Name of the Kerberos SRealm", HFILL }},
4926 "Delegated Principal Realm", "kerberos.prealm", FT_STRING, BASE_NONE,
4927 NULL, 0, "Name of the Kerberos PRealm", HFILL }},
4929 "Client Realm", "kerberos.crealm", FT_STRING, BASE_NONE,
4930 NULL, 0, "Name of the Clients Kerberos Realm", HFILL }},
4931 { &hf_krb_pac_clientname, {
4932 "Name", "kerberos.pac.name", FT_STRING, BASE_NONE,
4933 NULL, 0, "Name of the Client in the PAC structure", HFILL }},
4934 { &hf_krb_msg_type, {
4935 "MSG Type", "kerberos.msg.type", FT_UINT32, BASE_DEC,
4936 VALS(krb5_msg_types), 0, "Kerberos Message Type", HFILL }},
4937 { &hf_krb_APOptions, {
4938 "APOptions", "kerberos.apoptions", FT_BYTES, BASE_NONE,
4939 NULL, 0, "Kerberos APOptions bitstring", HFILL }},
4940 { &hf_krb_APOptions_reserved, {
4941 "reserved", "kerberos.apoptions.reserved", FT_BOOLEAN, 32,
4942 TFS(&krb5_apoptions_reserved), 0x80000000, NULL, HFILL }},
4943 { &hf_krb_APOptions_use_session_key, {
4944 "Use Session Key", "kerberos.apoptions.use_session_key", FT_BOOLEAN, 32,
4945 TFS(&krb5_apoptions_use_session_key), 0x40000000, NULL, HFILL }},
4946 { &hf_krb_APOptions_mutual_required, {
4947 "Mutual required", "kerberos.apoptions.mutual_required", FT_BOOLEAN, 32,
4948 TFS(&krb5_apoptions_mutual_required), 0x20000000, NULL, HFILL }},
4949 { &hf_krb_KDCOptions, {
4950 "KDCOptions", "kerberos.kdcoptions", FT_BYTES, BASE_NONE,
4951 NULL, 0, "Kerberos KDCOptions bitstring", HFILL }},
4952 { &hf_krb_TicketFlags, {
4953 "Ticket Flags", "kerberos.ticketflags", FT_NONE, BASE_NONE,
4954 NULL, 0, "Kerberos Ticket Flags", HFILL }},
4955 { &hf_krb_TicketFlags_forwardable, {
4956 "Forwardable", "kerberos.ticketflags.forwardable", FT_BOOLEAN, 32,
4957 TFS(&krb5_ticketflags_forwardable), 0x40000000, "Flag controlling whether the tickets are forwardable or not", HFILL }},
4958 { &hf_krb_TicketFlags_forwarded, {
4959 "Forwarded", "kerberos.ticketflags.forwarded", FT_BOOLEAN, 32,
4960 TFS(&krb5_ticketflags_forwarded), 0x20000000, "Has this ticket been forwarded?", HFILL }},
4961 { &hf_krb_TicketFlags_proxiable, {
4962 "Proxiable", "kerberos.ticketflags.proxiable", FT_BOOLEAN, 32,
4963 TFS(&krb5_ticketflags_proxiable), 0x10000000, "Flag controlling whether the tickets are proxiable or not", HFILL }},
4964 { &hf_krb_TicketFlags_proxy, {
4965 "Proxy", "kerberos.ticketflags.proxy", FT_BOOLEAN, 32,
4966 TFS(&krb5_ticketflags_proxy), 0x08000000, "Has this ticket been proxied?", HFILL }},
4967 { &hf_krb_TicketFlags_allow_postdate, {
4968 "Allow Postdate", "kerberos.ticketflags.allow_postdate", FT_BOOLEAN, 32,
4969 TFS(&krb5_ticketflags_allow_postdate), 0x04000000, "Flag controlling whether we allow postdated tickets or not", HFILL }},
4970 { &hf_krb_TicketFlags_postdated, {
4971 "Postdated", "kerberos.ticketflags.postdated", FT_BOOLEAN, 32,
4972 TFS(&krb5_ticketflags_postdated), 0x02000000, "Whether this ticket is postdated or not", HFILL }},
4973 { &hf_krb_TicketFlags_invalid, {
4974 "Invalid", "kerberos.ticketflags.invalid", FT_BOOLEAN, 32,
4975 TFS(&krb5_ticketflags_invalid), 0x01000000, "Whether this ticket is invalid or not", HFILL }},
4976 { &hf_krb_TicketFlags_renewable, {
4977 "Renewable", "kerberos.ticketflags.renewable", FT_BOOLEAN, 32,
4978 TFS(&krb5_ticketflags_renewable), 0x00800000, "Whether this ticket is renewable or not", HFILL }},
4979 { &hf_krb_TicketFlags_initial, {
4980 "Initial", "kerberos.ticketflags.initial", FT_BOOLEAN, 32,
4981 TFS(&krb5_ticketflags_initial), 0x00400000, "Whether this ticket is an initial ticket or not", HFILL }},
4982 { &hf_krb_TicketFlags_pre_auth, {
4983 "Pre-Auth", "kerberos.ticketflags.pre_auth", FT_BOOLEAN, 32,
4984 TFS(&krb5_ticketflags_pre_auth), 0x00200000, "Whether this ticket is pre-authenticated or not", HFILL }},
4985 { &hf_krb_TicketFlags_hw_auth, {
4986 "HW-Auth", "kerberos.ticketflags.hw_auth", FT_BOOLEAN, 32,
4987 TFS(&krb5_ticketflags_hw_auth), 0x00100000, "Whether this ticket is hardware-authenticated or not", HFILL }},
4988 { &hf_krb_TicketFlags_transited_policy_checked, {
4989 "Transited Policy Checked", "kerberos.ticketflags.transited_policy_checked", FT_BOOLEAN, 32,
4990 TFS(&krb5_ticketflags_transited_policy_checked), 0x00080000, "Whether this ticket is transited policy checked or not", HFILL }},
4991 { &hf_krb_TicketFlags_ok_as_delegate, {
4992 "Ok As Delegate", "kerberos.ticketflags.ok_as_delegate", FT_BOOLEAN, 32,
4993 TFS(&krb5_ticketflags_ok_as_delegate), 0x00040000, "Whether this ticket is Ok As Delegate or not", HFILL }},
4994 { &hf_krb_KDC_REQ_BODY, {
4995 "KDC_REQ_BODY", "kerberos.kdc_req_body", FT_NONE, BASE_NONE,
4996 NULL, 0, "Kerberos KDC REQuest BODY", HFILL }},
4997 { &hf_krb_PRIV_BODY, {
4998 "PRIV_BODY", "kerberos.priv_body", FT_NONE, BASE_NONE,
4999 NULL, 0, "Kerberos PRIVate BODY", HFILL }},
5000 { &hf_krb_CRED_BODY, {
5001 "CRED_BODY", "kerberos.cred_body", FT_NONE, BASE_NONE,
5002 NULL, 0, "Kerberos CREDential BODY", HFILL }},
5003 { &hf_krb_encrypted_PRIV, {
5004 "Encrypted PRIV", "kerberos.enc_priv", FT_NONE, BASE_NONE,
5005 NULL, 0, "Kerberos Encrypted PRIVate blob data", HFILL }},
5006 { &hf_krb_KDCOptions_forwardable, {
5007 "Forwardable", "kerberos.kdcoptions.forwardable", FT_BOOLEAN, 32,
5008 TFS(&krb5_kdcoptions_forwardable), 0x40000000, "Flag controlling whether the tickets are forwardable or not", HFILL }},
5009 { &hf_krb_KDCOptions_forwarded, {
5010 "Forwarded", "kerberos.kdcoptions.forwarded", FT_BOOLEAN, 32,
5011 TFS(&krb5_kdcoptions_forwarded), 0x20000000, "Has this ticket been forwarded?", HFILL }},
5012 { &hf_krb_KDCOptions_proxiable, {
5013 "Proxiable", "kerberos.kdcoptions.proxiable", FT_BOOLEAN, 32,
5014 TFS(&krb5_kdcoptions_proxiable), 0x10000000, "Flag controlling whether the tickets are proxiable or not", HFILL }},
5015 { &hf_krb_KDCOptions_proxy, {
5016 "Proxy", "kerberos.kdcoptions.proxy", FT_BOOLEAN, 32,
5017 TFS(&krb5_kdcoptions_proxy), 0x08000000, "Has this ticket been proxied?", HFILL }},
5018 { &hf_krb_KDCOptions_allow_postdate, {
5019 "Allow Postdate", "kerberos.kdcoptions.allow_postdate", FT_BOOLEAN, 32,
5020 TFS(&krb5_kdcoptions_allow_postdate), 0x04000000, "Flag controlling whether we allow postdated tickets or not", HFILL }},
5021 { &hf_krb_KDCOptions_postdated, {
5022 "Postdated", "kerberos.kdcoptions.postdated", FT_BOOLEAN, 32,
5023 TFS(&krb5_kdcoptions_postdated), 0x02000000, "Whether this ticket is postdated or not", HFILL }},
5024 { &hf_krb_KDCOptions_renewable, {
5025 "Renewable", "kerberos.kdcoptions.renewable", FT_BOOLEAN, 32,
5026 TFS(&krb5_kdcoptions_renewable), 0x00800000, "Whether this ticket is renewable or not", HFILL }},
5027 { &hf_krb_KDCOptions_constrained_delegation, {
5028 "Constrained Delegation", "kerberos.kdcoptions.constrained_delegation", FT_BOOLEAN, 32,
5029 TFS(&krb5_kdcoptions_constrained_delegation), 0x00020000, "Do we want a PAC containing constrained delegation info or not", HFILL }},
5030 { &hf_krb_KDCOptions_canonicalize, {
5031 "Canonicalize", "kerberos.kdcoptions.canonicalize", FT_BOOLEAN, 32,
5032 TFS(&krb5_kdcoptions_canonicalize), 0x00010000, "Do we want the KDC to canonicalize the principal or not", HFILL }},
5033 { &hf_krb_KDCOptions_opt_hardware_auth, {
5034 "Opt HW Auth", "kerberos.kdcoptions.opt_hardware_auth", FT_BOOLEAN, 32,
5035 NULL, 0x00100000, "Opt HW Auth flag", HFILL }},
5036 { &hf_krb_KDCOptions_disable_transited_check, {
5037 "Disable Transited Check", "kerberos.kdcoptions.disable_transited_check", FT_BOOLEAN, 32,
5038 TFS(&krb5_kdcoptions_disable_transited_check), 0x00000020, "Whether we should do transited checking or not", HFILL }},
5039 { &hf_krb_KDCOptions_renewable_ok, {
5040 "Renewable OK", "kerberos.kdcoptions.renewable_ok", FT_BOOLEAN, 32,
5041 TFS(&krb5_kdcoptions_renewable_ok), 0x00000010, "Whether we accept renewed tickets or not", HFILL }},
5042 { &hf_krb_KDCOptions_enc_tkt_in_skey, {
5043 "Enc-Tkt-in-Skey", "kerberos.kdcoptions.enc_tkt_in_skey", FT_BOOLEAN, 32,
5044 TFS(&krb5_kdcoptions_enc_tkt_in_skey), 0x00000008, "Whether the ticket is encrypted in the skey or not", HFILL }},
5045 { &hf_krb_KDCOptions_renew, {
5046 "Renew", "kerberos.kdcoptions.renew", FT_BOOLEAN, 32,
5047 TFS(&krb5_kdcoptions_renew), 0x00000002, "Is this a request to renew a ticket?", HFILL }},
5048 { &hf_krb_KDCOptions_validate, {
5049 "Validate", "kerberos.kdcoptions.validate", FT_BOOLEAN, 32,
5050 TFS(&krb5_kdcoptions_validate), 0x00000001, "Is this a request to validate a postdated ticket?", HFILL }},
5052 "Pvno", "kerberos.pvno", FT_UINT32, BASE_DEC,
5053 NULL, 0, "Kerberos Protocol Version Number", HFILL }},
5055 "Kvno", "kerberos.kvno", FT_UINT32, BASE_DEC,
5056 NULL, 0, "Version Number for the encryption Key", HFILL }},
5057 { &hf_krb_checksum_type, {
5058 "Type", "kerberos.checksum.type", FT_UINT32, BASE_DEC,
5059 VALS(krb5_checksum_types), 0, "Type of checksum", HFILL }},
5060 { &hf_krb_authenticator_vno, {
5061 "Authenticator vno", "kerberos.authenticator_vno", FT_UINT32, BASE_DEC,
5062 NULL, 0, "Version Number for the Authenticator", HFILL }},
5063 { &hf_krb_encrypted_authenticator_data, {
5064 "Authenticator data", "kerberos.authenticator.data", FT_BYTES, BASE_NONE,
5065 NULL, 0, "Data content of an encrypted authenticator", HFILL }},
5066 { &hf_krb_encrypted_EncKrbCredPart, {
5067 "enc EncKrbCredPart", "kerberos.EncKrbCredPart.encrypted", FT_BYTES, BASE_NONE,
5068 NULL, 0, "Encrypted EncKrbCredPart blob", HFILL }},
5069 { &hf_krb_encrypted_PA_ENC_TIMESTAMP, {
5070 "enc PA_ENC_TIMESTAMP", "kerberos.PA_ENC_TIMESTAMP.encrypted", FT_BYTES, BASE_NONE,
5071 NULL, 0, "Encrypted PA-ENC-TIMESTAMP blob", HFILL }},
5072 { &hf_krb_encrypted_enc_authorization_data, {
5073 "enc-authorization-data", "kerberos.enc_authorization_data.encrypted", FT_BYTES, BASE_NONE,
5074 NULL, 0, NULL, HFILL }},
5075 { &hf_krb_PAC_LOGON_INFO, {
5076 "PAC_LOGON_INFO", "kerberos.PAC_LOGON_INFO", FT_BYTES, BASE_NONE,
5077 NULL, 0, "PAC_LOGON_INFO structure", HFILL }},
5078 { &hf_krb_PAC_CREDENTIAL_TYPE, {
5079 "PAC_CREDENTIAL_TYPE", "kerberos.PAC_CREDENTIAL_TYPE", FT_BYTES, BASE_NONE,
5080 NULL, 0, "PAC_CREDENTIAL_TYPE structure", HFILL }},
5081 { &hf_krb_PAC_SERVER_CHECKSUM, {
5082 "PAC_SERVER_CHECKSUM", "kerberos.PAC_SERVER_CHECKSUM", FT_BYTES, BASE_NONE,
5083 NULL, 0, "PAC_SERVER_CHECKSUM structure", HFILL }},
5084 { &hf_krb_PAC_PRIVSVR_CHECKSUM, {
5085 "PAC_PRIVSVR_CHECKSUM", "kerberos.PAC_PRIVSVR_CHECKSUM", FT_BYTES, BASE_NONE,
5086 NULL, 0, "PAC_PRIVSVR_CHECKSUM structure", HFILL }},
5087 { &hf_krb_PAC_CLIENT_INFO_TYPE, {
5088 "PAC_CLIENT_INFO_TYPE", "kerberos.PAC_CLIENT_INFO_TYPE", FT_BYTES, BASE_NONE,
5089 NULL, 0, "PAC_CLIENT_INFO_TYPE structure", HFILL }},
5090 { &hf_krb_PAC_S4U_DELEGATION_INFO, {
5091 "PAC_S4U_DELEGATION_INFO", "kerberos.PAC_S4U_DELEGATION_INFO", FT_BYTES, BASE_NONE,
5092 NULL, 0, "PAC_S4U_DELEGATION_INFO structure", HFILL }},
5093 { &hf_krb_PAC_UPN_DNS_INFO, {
5094 "UPN_DNS_INFO", "kerberos.PAC_UPN_DNS_INFO", FT_BYTES, BASE_NONE,
5095 NULL, 0, "UPN_DNS_INFO structure", HFILL }},
5096 { &hf_krb_checksum_checksum, {
5097 "checksum", "kerberos.checksum.checksum", FT_BYTES, BASE_NONE,
5098 NULL, 0, "Kerberos Checksum", HFILL }},
5099 { &hf_krb_ENC_PRIV, {
5100 "enc PRIV", "kerberos.ENC_PRIV", FT_BYTES, BASE_NONE,
5101 NULL, 0, "Encrypted PRIV blob", HFILL }},
5102 { &hf_krb_encrypted_Ticket_data, {
5103 "enc-part", "kerberos.ticket.data", FT_BYTES, BASE_NONE,
5104 NULL, 0, "The encrypted part of a ticket", HFILL }},
5105 { &hf_krb_encrypted_AP_REP_data, {
5106 "enc-part", "kerberos.aprep.data", FT_BYTES, BASE_NONE,
5107 NULL, 0, "The encrypted part of AP-REP", HFILL }},
5108 { &hf_krb_encrypted_KDC_REP_data, {
5109 "enc-part", "kerberos.kdcrep.data", FT_BYTES, BASE_NONE,
5110 NULL, 0, "The encrypted part of KDC-REP", HFILL }},
5111 { &hf_krb_PA_DATA_value, {
5112 "Value", "kerberos.padata.value", FT_BYTES, BASE_NONE,
5113 NULL, 0, "Content of the PADATA blob", HFILL }},
5114 { &hf_krb_etype_info_salt, {
5115 "Salt", "kerberos.etype_info.salt", FT_BYTES, BASE_NONE,
5116 NULL, 0, NULL, HFILL }},
5117 { &hf_krb_etype_info2_salt, {
5118 "Salt", "kerberos.etype_info2.salt", FT_BYTES, BASE_NONE,
5119 NULL, 0, NULL, HFILL }},
5120 { &hf_krb_etype_info2_s2kparams, {
5121 "Salt", "kerberos.etype_info.s2kparams", FT_BYTES, BASE_NONE,
5122 NULL, 0, "S2kparams", HFILL }},
5123 { &hf_krb_SAFE_BODY_user_data, {
5124 "User Data", "kerberos.SAFE_BODY.user_data", FT_BYTES, BASE_NONE,
5125 NULL, 0, "SAFE BODY userdata field", HFILL }},
5126 { &hf_krb_PRIV_BODY_user_data, {
5127 "User Data", "kerberos.PRIV_BODY.user_data", FT_BYTES, BASE_NONE,
5128 NULL, 0, "PRIV BODY userdata field", HFILL }},
5129 { &hf_krb_pac_signature_signature, {
5130 "Signature", "kerberos.pac.signature.signature", FT_BYTES, BASE_NONE,
5131 NULL, 0, "A PAC signature blob", HFILL }},
5132 { &hf_krb_PA_DATA_type, {
5133 "Type", "kerberos.padata.type", FT_INT32, BASE_DEC,
5134 VALS(krb5_preauthentication_types), 0, "Type of preauthentication data", HFILL }},
5136 "Nonce", "kerberos.nonce", FT_UINT32, BASE_DEC,
5137 NULL, 0, "Kerberos Nonce random number", HFILL }},
5138 { &hf_krb_tkt_vno, {
5139 "Tkt-vno", "kerberos.tkt_vno", FT_UINT32, BASE_DEC,
5140 NULL, 0, "Version number for the Ticket format", HFILL }},
5141 { &hf_krb_KrbCredInfo, {
5142 "KrbCredInfo", "kerberos.KrbCredInfo", FT_NONE, BASE_NONE,
5143 NULL, 0, "This is a Kerberos KrbCredInfo", HFILL }},
5144 { &hf_krb_HostAddress, {
5145 "HostAddress", "kerberos.hostaddress", FT_NONE, BASE_NONE,
5146 NULL, 0, "This is a Kerberos HostAddress sequence", HFILL }},
5147 { &hf_krb_s_address, {
5148 "S-Address", "kerberos.s_address", FT_NONE, BASE_NONE,
5149 NULL, 0, "This is the Senders address", HFILL }},
5150 { &hf_krb_r_address, {
5151 "R-Address", "kerberos.r_address", FT_NONE, BASE_NONE,
5152 NULL, 0, "This is the Recipient address", HFILL }},
5154 "key", "kerberos.key", FT_NONE, BASE_NONE,
5155 NULL, 0, "This is a Kerberos EncryptionKey sequence", HFILL }},
5157 "Subkey", "kerberos.subkey", FT_NONE, BASE_NONE,
5158 NULL, 0, "This is a Kerberos subkey", HFILL }},
5159 { &hf_krb_seq_number, {
5160 "Seq Number", "kerberos.seq_number", FT_UINT32, BASE_DEC,
5161 NULL, 0, "This is a Kerberos sequence number", HFILL }},
5162 { &hf_krb_AuthorizationData, {
5163 "AuthorizationData", "kerberos.AuthorizationData", FT_NONE, BASE_NONE,
5164 NULL, 0, "This is a Kerberos AuthorizationData sequence", HFILL }},
5165 { &hf_krb_EncTicketPart, {
5166 "EncTicketPart", "kerberos.EncTicketPart", FT_NONE, BASE_NONE,
5167 NULL, 0, "This is a decrypted Kerberos EncTicketPart sequence", HFILL }},
5168 { &hf_krb_EncAPRepPart, {
5169 "EncAPRepPart", "kerberos.EncAPRepPart", FT_NONE, BASE_NONE,
5170 NULL, 0, "This is a decrypted Kerberos EncAPRepPart sequence", HFILL }},
5171 { &hf_krb_EncKrbPrivPart, {
5172 "EncKrbPrivPart", "kerberos.EncKrbPrivPart", FT_NONE, BASE_NONE,
5173 NULL, 0, "This is a decrypted Kerberos EncKrbPrivPart sequence", HFILL }},
5174 { &hf_krb_EncKrbCredPart, {
5175 "EncKrbCredPart", "kerberos.EncKrbCredPart", FT_NONE, BASE_NONE,
5176 NULL, 0, "This is a decrypted Kerberos EncKrbCredPart sequence", HFILL }},
5177 { &hf_krb_EncKDCRepPart, {
5178 "EncKDCRepPart", "kerberos.EncKDCRepPart", FT_NONE, BASE_NONE,
5179 NULL, 0, "This is a decrypted Kerberos EncKDCRepPart sequence", HFILL }},
5180 { &hf_krb_LastReq, {
5181 "LastReq", "kerberos.LastReq", FT_NONE, BASE_NONE,
5182 NULL, 0, "This is a LastReq sequence", HFILL }},
5183 { &hf_krb_Authenticator, {
5184 "Authenticator", "kerberos.Authenticator", FT_NONE, BASE_NONE,
5185 NULL, 0, "This is a decrypted Kerberos Authenticator sequence", HFILL }},
5186 { &hf_krb_Checksum, {
5187 "Checksum", "kerberos.Checksum", FT_NONE, BASE_NONE,
5188 NULL, 0, "This is a Kerberos Checksum sequence", HFILL }},
5189 { &hf_krb_HostAddresses, {
5190 "HostAddresses", "kerberos.hostaddresses", FT_NONE, BASE_NONE,
5191 NULL, 0, "This is a list of Kerberos HostAddress sequences", HFILL }},
5192 { &hf_krb_IF_RELEVANT, {
5193 "IF_RELEVANT", "kerberos.if_relevant", FT_NONE, BASE_NONE,
5194 NULL, 0, "This is a list of IF-RELEVANT sequences", HFILL }},
5196 "Encryption Types", "kerberos.etypes", FT_NONE, BASE_NONE,
5197 NULL, 0, "This is a list of Kerberos encryption types", HFILL }},
5198 { &hf_krb_KrbCredInfos, {
5199 "Sequence of KrbCredInfo", "kerberos.KrbCredInfos", FT_NONE, BASE_NONE,
5200 NULL, 0, "This is a list of KrbCredInfo", HFILL }},
5201 { &hf_krb_sq_tickets, {
5202 "Tickets", "kerberos.sq.tickets", FT_NONE, BASE_NONE,
5203 NULL, 0, "This is a list of Kerberos Tickets", HFILL }},
5204 { &hf_krb_LastReqs, {
5205 "LastReqs", "kerberos.LastReqs", FT_NONE, BASE_NONE,
5206 NULL, 0, "This is a list of LastReq structures", HFILL }},
5208 "Server Name", "kerberos.sname", FT_NONE, BASE_NONE,
5209 NULL, 0, "This is the name part server's identity", HFILL }},
5211 "Delegated Principal Name", "kerberos.pname", FT_NONE, BASE_NONE,
5212 NULL, 0, "Identity of the delegated principal", HFILL }},
5214 "Client Name", "kerberos.cname", FT_NONE, BASE_NONE,
5215 NULL, 0, "The name part of the client principal identifier", HFILL }},
5216 { &hf_krb_authenticator_enc, {
5217 "Authenticator", "kerberos.authenticator", FT_NONE, BASE_NONE,
5218 NULL, 0, "Encrypted authenticator blob", HFILL }},
5219 { &hf_krb_CRED_enc, {
5220 "EncKrbCredPart", "kerberos.encrypted_cred", FT_NONE, BASE_NONE,
5221 NULL, 0, "Encrypted Cred blob", HFILL }},
5222 { &hf_krb_ticket_enc, {
5223 "enc-part", "kerberos.ticket.enc_part", FT_NONE, BASE_NONE,
5224 NULL, 0, "The structure holding the encrypted part of a ticket", HFILL }},
5225 { &hf_krb_AP_REP_enc, {
5226 "enc-part", "kerberos.aprep.enc_part", FT_NONE, BASE_NONE,
5227 NULL, 0, "The structure holding the encrypted part of AP-REP", HFILL }},
5228 { &hf_krb_KDC_REP_enc, {
5229 "enc-part", "kerberos.kdcrep.enc_part", FT_NONE, BASE_NONE,
5230 NULL, 0, "The structure holding the encrypted part of KDC-REP", HFILL }},
5232 "e-data", "kerberos.e_data", FT_NONE, BASE_NONE,
5233 NULL, 0, "The e-data blob", HFILL }},
5235 "padata", "kerberos.padata", FT_NONE, BASE_NONE,
5236 NULL, 0, "Sequence of preauthentication data", HFILL }},
5238 "Ticket", "kerberos.ticket", FT_NONE, BASE_NONE,
5239 NULL, 0, "This is a Kerberos Ticket", HFILL }},
5240 { &hf_krb_TransitedEncoding, {
5241 "TransitedEncoding", "kerberos.TransitedEncoding", FT_NONE, BASE_NONE,
5242 NULL, 0, "This is a Kerberos TransitedEncoding sequence", HFILL }},
5243 { &hf_krb_PA_PAC_REQUEST_flag, {
5244 "PAC Request", "kerberos.pac_request.flag", FT_BOOLEAN, BASE_NONE,
5245 NULL, 0, "This is a MS PAC Request Flag", HFILL }},
5246 { &hf_krb_w2k_pac_entries, {
5247 "Num Entries", "kerberos.pac.entries", FT_UINT32, BASE_DEC,
5248 NULL, 0, "Number of W2k PAC entries", HFILL }},
5249 { &hf_krb_w2k_pac_version, {
5250 "Version", "kerberos.pac.version", FT_UINT32, BASE_DEC,
5251 NULL, 0, "Version of PAC structures", HFILL }},
5252 { &hf_krb_w2k_pac_type, {
5253 "Type", "kerberos.pac.type", FT_UINT32, BASE_DEC,
5254 VALS(w2k_pac_types), 0, "Type of W2k PAC entry", HFILL }},
5255 { &hf_krb_w2k_pac_size, {
5256 "Size", "kerberos.pac.size", FT_UINT32, BASE_DEC,
5257 NULL, 0, "Size of W2k PAC entry", HFILL }},
5258 { &hf_krb_w2k_pac_offset, {
5259 "Offset", "kerberos.pac.offset", FT_UINT32, BASE_DEC,
5260 NULL, 0, "Offset to W2k PAC entry", HFILL }},
5261 { &hf_krb_pac_clientid, {
5262 "ClientID", "kerberos.pac.clientid", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
5263 NULL, 0, "ClientID Timestamp", HFILL }},
5264 { &hf_krb_pac_namelen, {
5265 "Name Length", "kerberos.pac.namelen", FT_UINT16, BASE_DEC,
5266 NULL, 0, "Length of client name", HFILL }},
5267 { &hf_krb_pac_upn_flags, {
5268 "Flags", "kerberos.pac.upn.flags", FT_UINT32, BASE_HEX,
5269 NULL, 0, "UPN flags", HFILL }},
5270 { &hf_krb_pac_upn_dns_offset, {
5271 "DNS Offset", "kerberos.pac.upn.dns_offset", FT_UINT16, BASE_DEC,
5272 NULL, 0, NULL, HFILL }},
5273 { &hf_krb_pac_upn_dns_len, {
5274 "DNS Len", "kerberos.pac.upn.dns_len", FT_UINT16, BASE_DEC,
5275 NULL, 0, NULL, HFILL }},
5276 { &hf_krb_pac_upn_upn_offset, {
5277 "UPN Offset", "kerberos.pac.upn.upn_offset", FT_UINT16, BASE_DEC,
5278 NULL, 0, NULL, HFILL }},
5279 { &hf_krb_pac_upn_upn_len, {
5280 "UPN Len", "kerberos.pac.upn.upn_len", FT_UINT16, BASE_DEC,
5281 NULL, 0, NULL, HFILL }},
5282 { &hf_krb_pac_upn_upn_name, {
5283 "UPN Name", "kerberos.pac.upn.upn_name", FT_STRING, BASE_NONE,
5284 NULL, 0, NULL, HFILL }},
5285 { &hf_krb_pac_upn_dns_name, {
5286 "DNS Name", "kerberos.pac.upn.dns_name", FT_STRING, BASE_NONE,
5287 NULL, 0, NULL, HFILL }},
5288 { &hf_krb_e_checksum, {
5289 "e-checksum", "kerberos.e_checksum", FT_NONE, BASE_NONE,
5290 NULL, 0, "This is a Kerberos e-checksum", HFILL }},
5291 { &hf_krb_gssapi_len, {
5292 "Length", "kerberos.gssapi.len", FT_UINT32, BASE_DEC,
5293 NULL, 0, "Length of GSSAPI Bnd field", HFILL }},
5294 { &hf_krb_gssapi_bnd, {
5295 "Bnd", "kerberos.gssapi.bdn", FT_BYTES, BASE_NONE,
5296 NULL, 0, "GSSAPI Bnd field", HFILL }},
5297 { &hf_krb_gssapi_c_flag_deleg, {
5298 "Deleg", "kerberos.gssapi.checksum.flags.deleg", FT_BOOLEAN, 32,
5299 TFS(&tfs_gss_flags_deleg), KRB5_GSS_C_DELEG_FLAG, NULL, HFILL }},
5300 { &hf_krb_gssapi_c_flag_mutual, {
5301 "Mutual", "kerberos.gssapi.checksum.flags.mutual", FT_BOOLEAN, 32,
5302 TFS(&tfs_gss_flags_mutual), KRB5_GSS_C_MUTUAL_FLAG, NULL, HFILL }},
5303 { &hf_krb_gssapi_c_flag_replay, {
5304 "Replay", "kerberos.gssapi.checksum.flags.replay", FT_BOOLEAN, 32,
5305 TFS(&tfs_gss_flags_replay), KRB5_GSS_C_REPLAY_FLAG, NULL, HFILL }},
5306 { &hf_krb_gssapi_c_flag_sequence, {
5307 "Sequence", "kerberos.gssapi.checksum.flags.sequence", FT_BOOLEAN, 32,
5308 TFS(&tfs_gss_flags_sequence), KRB5_GSS_C_SEQUENCE_FLAG, NULL, HFILL }},
5309 { &hf_krb_gssapi_c_flag_conf, {
5310 "Conf", "kerberos.gssapi.checksum.flags.conf", FT_BOOLEAN, 32,
5311 TFS(&tfs_gss_flags_conf), KRB5_GSS_C_CONF_FLAG, NULL, HFILL }},
5312 { &hf_krb_gssapi_c_flag_integ, {
5313 "Integ", "kerberos.gssapi.checksum.flags.integ", FT_BOOLEAN, 32,
5314 TFS(&tfs_gss_flags_integ), KRB5_GSS_C_INTEG_FLAG, NULL, HFILL }},
5315 { &hf_krb_gssapi_c_flag_dce_style, {
5316 "DCE-style", "kerberos.gssapi.checksum.flags.dce-style", FT_BOOLEAN, 32,
5317 TFS(&tfs_gss_flags_dce_style), KRB5_GSS_C_DCE_STYLE, NULL, HFILL }},
5318 { &hf_krb_gssapi_dlgopt, {
5319 "DlgOpt", "kerberos.gssapi.dlgopt", FT_UINT16, BASE_DEC,
5320 NULL, 0, "GSSAPI DlgOpt", HFILL }},
5321 { &hf_krb_gssapi_dlglen, {
5322 "DlgLen", "kerberos.gssapi.dlglen", FT_UINT16, BASE_DEC,
5323 NULL, 0, "GSSAPI DlgLen", HFILL }},
5324 { &hf_krb_smb_nt_status, {
5325 "NT Status", "kerberos.smb.nt_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
5326 &NT_errors_ext, 0, "NT Status code", HFILL }},
5327 { &hf_krb_smb_unknown, {
5328 "Unknown", "kerberos.smb.unknown", FT_UINT32, BASE_HEX,
5329 NULL, 0, NULL, HFILL }},
5330 { &hf_krb_midl_blob_len, {
5331 "Blob Length", "kerberos.midl_blob_len", FT_UINT64, BASE_DEC,
5332 NULL, 0, "Length of NDR encoded data that follows", HFILL }},
5333 { &hf_krb_midl_fill_bytes, {
5334 "Fill bytes", "kerberos.midl.fill_bytes", FT_UINT32, BASE_HEX,
5335 NULL, 0, "Just some fill bytes", HFILL }},
5336 { &hf_krb_midl_version, {
5337 "Version", "kerberos.midl.version", FT_UINT8, BASE_DEC,
5338 NULL, 0, "Version of pickling", HFILL }},
5339 { &hf_krb_midl_hdr_len, {
5340 "HDR Length", "kerberos.midl.hdr_len", FT_UINT16, BASE_DEC,
5341 NULL, 0, "Length of header", HFILL }},
5345 static gint *ett[] = {
5347 &ett_krb_KDC_REP_enc,
5351 &ett_krb_AP_REP_enc,
5354 &ett_krb_KrbCredInfos,
5355 &ett_krb_sq_tickets,
5357 &ett_krb_IF_RELEVANT,
5358 &ett_krb_PA_DATA_tree,
5361 &ett_krb_KrbCredInfo,
5362 &ett_krb_HostAddress,
5363 &ett_krb_HostAddresses,
5364 &ett_krb_authenticator_enc,
5366 &ett_krb_AP_Options,
5367 &ett_krb_KDC_Options,
5368 &ett_krb_Ticket_Flags,
5370 &ett_krb_recordmark,
5372 &ett_krb_ticket_enc,
5376 &ett_krb_EncTicketPart,
5377 &ett_krb_EncAPRepPart,
5378 &ett_krb_EncKrbPrivPart,
5379 &ett_krb_EncKrbCredPart,
5380 &ett_krb_EncKDCRepPart,
5382 &ett_krb_Authenticator,
5386 &ett_krb_AuthorizationData,
5387 &ett_krb_TransitedEncoding,
5389 &ett_krb_PAC_LOGON_INFO,
5390 &ett_krb_PAC_SERVER_CHECKSUM,
5391 &ett_krb_PAC_PRIVSVR_CHECKSUM,
5392 &ett_krb_PAC_CLIENT_INFO_TYPE,
5393 &ett_krb_PAC_S4U_DELEGATION_INFO,
5394 &ett_krb_e_checksum,
5395 &ett_krb_PAC_MIDL_BLOB,
5397 &ett_krb_PAC_UPN_DNS_INFO
5399 static ei_register_info ei[] = {
5400 { &ei_krb_decrypted_keytype, { "kerberos.decrypted_keytype", PI_SECURITY, PI_CHAT, "Decrypted keytype", EXPFILL }},
5402 module_t *krb_module;
5403 expert_module_t *expert_krb;
5405 proto_kerberos = proto_register_protocol("Kerberos", "KRB5", "kerberos");
5406 proto_register_field_array(proto_kerberos, hf, array_length(hf));
5407 proto_register_subtree_array(ett, array_length(ett));
5408 expert_krb = expert_register_protocol(proto_kerberos);
5409 expert_register_field_array(expert_krb, ei, array_length(ei));
5411 /* Register preferences */
5412 krb_module = prefs_register_protocol(proto_kerberos, kerberos_prefs_apply_cb);
5413 prefs_register_bool_preference(krb_module, "desegment",
5414 "Reassemble Kerberos over TCP messages spanning multiple TCP segments",
5415 "Whether the Kerberos dissector should reassemble messages spanning multiple TCP segments."
5416 " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
5418 #ifdef HAVE_KERBEROS
5419 prefs_register_bool_preference(krb_module, "decrypt",
5420 "Try to decrypt Kerberos blobs",
5421 "Whether the dissector should try to decrypt "
5422 "encrypted Kerberos blobs. This requires that the proper "
5423 "keytab file is installed as well.",
5426 prefs_register_filename_preference(krb_module, "file",
5427 "Kerberos keytab file",
5428 "The keytab file containing all the secrets",
5434 static int wrap_dissect_gss_kerb(tvbuff_t *tvb, int offset, packet_info *pinfo,
5435 proto_tree *tree, dcerpc_info *di _U_, guint8 *drep _U_)
5439 auth_tvb = tvb_new_subset_remaining(tvb, offset);
5441 dissect_kerberos_main(auth_tvb, pinfo, tree, FALSE, NULL);
5443 return tvb_length_remaining(tvb, offset);
5447 static dcerpc_auth_subdissector_fns gss_kerb_auth_connect_fns = {
5448 wrap_dissect_gss_kerb, /* Bind */
5449 wrap_dissect_gss_kerb, /* Bind ACK */
5450 wrap_dissect_gss_kerb, /* AUTH3 */
5451 NULL, /* Request verifier */
5452 NULL, /* Response verifier */
5453 NULL, /* Request data */
5454 NULL /* Response data */
5457 static dcerpc_auth_subdissector_fns gss_kerb_auth_sign_fns = {
5458 wrap_dissect_gss_kerb, /* Bind */
5459 wrap_dissect_gss_kerb, /* Bind ACK */
5460 wrap_dissect_gss_kerb, /* AUTH3 */
5461 wrap_dissect_gssapi_verf, /* Request verifier */
5462 wrap_dissect_gssapi_verf, /* Response verifier */
5463 NULL, /* Request data */
5464 NULL /* Response data */
5467 static dcerpc_auth_subdissector_fns gss_kerb_auth_seal_fns = {
5468 wrap_dissect_gss_kerb, /* Bind */
5469 wrap_dissect_gss_kerb, /* Bind ACK */
5470 wrap_dissect_gss_kerb, /* AUTH3 */
5471 wrap_dissect_gssapi_verf, /* Request verifier */
5472 wrap_dissect_gssapi_verf, /* Response verifier */
5473 wrap_dissect_gssapi_payload, /* Request data */
5474 wrap_dissect_gssapi_payload /* Response data */
5479 proto_reg_handoff_kerberos(void)
5481 dissector_handle_t kerberos_handle_tcp;
5483 krb4_handle = find_dissector("krb4");
5485 kerberos_handle_udp = new_create_dissector_handle(dissect_kerberos_udp,
5487 kerberos_handle_tcp = new_create_dissector_handle(dissect_kerberos_tcp,
5489 dissector_add_uint("udp.port", UDP_PORT_KERBEROS, kerberos_handle_udp);
5490 dissector_add_uint("tcp.port", TCP_PORT_KERBEROS, kerberos_handle_tcp);
5492 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_CONNECT,
5493 DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
5494 &gss_kerb_auth_connect_fns);
5496 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
5497 DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
5498 &gss_kerb_auth_sign_fns);
5500 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
5501 DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
5502 &gss_kerb_auth_seal_fns);
5508 MISC definitions from RFC1510:
5510 Realm ::= GeneralString
5512 KerberosTime ::= GeneralizedTime
5514 AuthorizationData ::= SEQUENCE OF SEQUENCE {
5516 ad-data[1] OCTET STRING
5518 APOptions ::= BIT STRING {
5525 TicketFlags ::= BIT STRING {
5540 KDCOptions ::= BIT STRING {
5554 enc-tkt-in-skey(28),
5560 LastReq ::= SEQUENCE OF SEQUENCE {
5562 lr-value[1] KerberosTime
5565 Ticket ::= [APPLICATION 1] SEQUENCE {
5568 sname[2] PrincipalName,
5569 enc-part[3] EncryptedData
5572 -- Encrypted part of ticket
5573 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
5574 flags[0] TicketFlags,
5575 key[1] EncryptionKey,
5577 cname[3] PrincipalName,
5578 transited[4] TransitedEncoding,
5579 authtime[5] KerberosTime,
5580 starttime[6] KerberosTime OPTIONAL,
5581 endtime[7] KerberosTime,
5582 renew-till[8] KerberosTime OPTIONAL,
5583 caddr[9] HostAddresses OPTIONAL,
5584 authorization-data[10] AuthorizationData OPTIONAL
5587 -- encoded Transited field
5588 TransitedEncoding ::= SEQUENCE {
5589 tr-type[0] INTEGER, -- must be registered
5590 contents[1] OCTET STRING
5593 -- Unencrypted authenticator
5594 Authenticator ::= [APPLICATION 2] SEQUENCE {
5595 authenticator-vno[0] INTEGER,
5597 cname[2] PrincipalName,
5598 cksum[3] Checksum OPTIONAL,
5600 ctime[5] KerberosTime,
5601 subkey[6] EncryptionKey OPTIONAL,
5602 seq-number[7] INTEGER OPTIONAL,
5603 authorization-data[8] AuthorizationData OPTIONAL
5606 PA-DATA ::= SEQUENCE {
5607 padata-type[1] INTEGER,
5608 padata-value[2] OCTET STRING,
5609 -- might be encoded AP-REQ
5612 padata-type ::= PA-ENC-TIMESTAMP
5613 padata-value ::= EncryptedData -- PA-ENC-TS-ENC
5615 PA-ENC-TS-ENC ::= SEQUENCE {
5616 patimestamp[0] KerberosTime, -- client's time
5617 pausec[1] INTEGER OPTIONAL
5620 EncASRepPart ::= [APPLICATION 25[25]] EncKDCRepPart
5621 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
5623 EncKDCRepPart ::= SEQUENCE {
5624 key[0] EncryptionKey,
5625 last-req[1] LastReq,
5627 key-expiration[3] KerberosTime OPTIONAL,
5628 flags[4] TicketFlags,
5629 authtime[5] KerberosTime,
5630 starttime[6] KerberosTime OPTIONAL,
5631 endtime[7] KerberosTime,
5632 renew-till[8] KerberosTime OPTIONAL,
5634 sname[10] PrincipalName,
5635 caddr[11] HostAddresses OPTIONAL
5638 APOptions ::= BIT STRING {
5644 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
5645 ctime[0] KerberosTime,
5647 subkey[2] EncryptionKey OPTIONAL,
5648 seq-number[3] INTEGER OPTIONAL
5651 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
5653 msg-type[1] INTEGER,
5654 safe-body[2] KRB-SAFE-BODY,
5658 KRB-SAFE-BODY ::= SEQUENCE {
5659 user-data[0] OCTET STRING,
5660 timestamp[1] KerberosTime OPTIONAL,
5661 usec[2] INTEGER OPTIONAL,
5662 seq-number[3] INTEGER OPTIONAL,
5663 s-address[4] HostAddress,
5664 r-address[5] HostAddress OPTIONAL
5667 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
5669 msg-type[1] INTEGER,
5670 enc-part[3] EncryptedData
5673 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
5674 user-data[0] OCTET STRING,
5675 timestamp[1] KerberosTime OPTIONAL,
5676 usec[2] INTEGER OPTIONAL,
5677 seq-number[3] INTEGER OPTIONAL,
5678 s-address[4] HostAddress, -- sender's addr
5679 r-address[5] HostAddress OPTIONAL
5683 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
5685 msg-type[1] INTEGER, -- KRB_CRED
5686 tickets[2] SEQUENCE OF Ticket,
5687 enc-part[3] EncryptedData
5690 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
5691 ticket-info[0] SEQUENCE OF KrbCredInfo,
5692 nonce[1] INTEGER OPTIONAL,
5693 timestamp[2] KerberosTime OPTIONAL,
5694 usec[3] INTEGER OPTIONAL,
5695 s-address[4] HostAddress OPTIONAL,
5696 r-address[5] HostAddress OPTIONAL
5699 KrbCredInfo ::= SEQUENCE {
5700 key[0] EncryptionKey,
5701 prealm[1] Realm OPTIONAL,
5702 pname[2] PrincipalName OPTIONAL,
5703 flags[3] TicketFlags OPTIONAL,
5704 authtime[4] KerberosTime OPTIONAL,
5705 starttime[5] KerberosTime OPTIONAL,
5706 endtime[6] KerberosTime OPTIONAL
5707 renew-till[7] KerberosTime OPTIONAL,
5708 srealm[8] Realm OPTIONAL,
5709 sname[9] PrincipalName OPTIONAL,
5710 caddr[10] HostAddresses OPTIONAL
5713 METHOD-DATA ::= SEQUENCE of PA-DATA
5715 If the error-code is KRB_AP_ERR_METHOD, then the e-data field will
5716 contain an encoding of the following sequence:
5718 METHOD-DATA ::= SEQUENCE {
5719 method-type[0] INTEGER,
5720 method-data[1] OCTET STRING OPTIONAL
5723 EncryptionKey ::= SEQUENCE {
5725 keyvalue[1] OCTET STRING
5728 Checksum ::= SEQUENCE {
5729 cksumtype[0] INTEGER,
5730 checksum[1] OCTET STRING