+extern krb5_error_code
+krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
+
+static void
+verify_krb5_pac(proto_tree *tree _U_, asn1_ctx_t *actx, tvbuff_t *pactvb)
+{
+ krb5_error_code ret;
+ enc_key_t *ek = NULL;;
+ krb5_data checksum_data = {0,0,NULL};
+ krb5_cksumtype server_checksum = 0;
+ krb5_cksumtype kdc_checksum = 0;
+ int length = tvb_captured_length(pactvb);
+ const guint8 *pacbuffer = NULL;
+ krb5_pac pac;
+
+ /* don't do anything if we are not attempting to decrypt data */
+ if(!krb_decrypt || length < 1){
+ return;
+ }
+
+ /* make sure we have all the data we need */
+ if (tvb_captured_length(pactvb) < tvb_reported_length(pactvb)) {
+ return;
+ }
+
+ pacbuffer = tvb_get_ptr(pactvb, 0, length);
+
+ ret = krb5_pac_parse(krb5_ctx, pacbuffer, length, &pac);
+ if (ret != 0) {
+ proto_tree_add_expert_format(tree, actx->pinfo, &ei_kerberos_decrypted_keytype,
+ pactvb, 0, 0,
+ "Failed to parse PAC buffer %d in frame %u",
+ ret, actx->pinfo->fd->num);
+ return;
+ }
+
+ ret = krb5_pac_get_buffer(krb5_ctx, pac, KRB5_PAC_SERVER_CHECKSUM,
+ &checksum_data);
+ if (ret == 0) {
+ server_checksum = pletoh32(checksum_data.data);
+ krb5_free_data_contents(krb5_ctx, &checksum_data);
+ };
+ ret = krb5_pac_get_buffer(krb5_ctx, pac, KRB5_PAC_PRIVSVR_CHECKSUM,
+ &checksum_data);
+ if (ret == 0) {
+ kdc_checksum = pletoh32(checksum_data.data);
+ krb5_free_data_contents(krb5_ctx, &checksum_data);
+ };
+
+ read_keytab_file_from_preferences();
+
+ for(ek=enc_key_list;ek;ek=ek->next){
+ krb5_keyblock keyblock;
+ krb5_cksumtype checksumtype = 0;
+
+ if (server_checksum == 0 && kdc_checksum == 0) {
+ break;
+ }
+
+ ret = krb5int_c_mandatory_cksumtype(krb5_ctx, ek->keytype,
+ &checksumtype);
+ if (ret != 0) {
+ continue;
+ }
+
+ keyblock.magic = KV5M_KEYBLOCK;
+ keyblock.enctype = ek->keytype;
+ keyblock.length = ek->keylength;
+ keyblock.contents = (guint8 *)ek->keyvalue;
+
+ if (checksumtype == server_checksum) {
+ ret = krb5_pac_verify(krb5_ctx, pac, 0, NULL,
+ &keyblock, NULL);
+ if (ret == 0) {
+ used_signing_key(tree, actx->pinfo, ek, pactvb,
+ server_checksum, "Verified Server");
+ server_checksum = 0;
+ }
+ }
+
+ if (checksumtype == kdc_checksum) {
+ ret = krb5_pac_verify(krb5_ctx, pac, 0, NULL,
+ NULL, &keyblock);
+ if (ret == 0) {
+ used_signing_key(tree, actx->pinfo, ek, pactvb,
+ kdc_checksum, "Verified KDC");
+ kdc_checksum = 0;
+ }
+ }
+
+ }
+
+ krb5_pac_free(krb5_ctx, pac);
+}
+