X-Git-Url: http://git.samba.org/?p=metze%2Fwireshark%2Fwip.git;a=blobdiff_plain;f=epan%2Fdissectors%2Fasn1%2Fkerberos%2Fpacket-kerberos-template.c;h=bf4b7eec77698ab15babf78e5cb8773ae8dd6e47;hp=dee5174a04c19780bc1b8b780ab225ecff71a8e6;hb=ef16670105c8652d6dbacf87f092525c10c8ae91;hpb=fe36aa77e4a3ba00d5884da0ffe2267a80cf0a58 diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c index dee5174a04..bf4b7eec77 100644 --- a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c +++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c @@ -71,6 +71,13 @@ #include "packet-smb-common.h" #include "packet-x509af.h" +#define KEY_USAGE_FAST_REQ_CHKSUM 50 +#define KEY_USAGE_FAST_ENC 51 +#define KEY_USAGE_FAST_REP 52 +#define KEY_USAGE_FAST_FINISHED 53 +#define KEY_USAGE_ENC_CHALLENGE_CLIENT 54 +#define KEY_USAGE_ENC_CHALLENGE_KDC 55 + void proto_register_kerberos(void); void proto_reg_handoff_kerberos(void); @@ -87,6 +94,8 @@ typedef struct kerberos_key { typedef struct { guint32 msg_type; + gboolean kdc_response_initialized; + gboolean kdc_response; guint32 etype; guint32 padata_type; guint32 is_enc_padata; 
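Review bot: The two flags added to the private-data struct, `kdc_response_initialized` and `kdc_response`, have no comment saying what sets them or that the second is only meaningful once the first is TRUE. This matters because dissect_krb5_decrypt_EncryptedChallenge, added in the last hunk of this diff, reads `private_data->kdc_response` to choose between key usage 54 and 55 without consulting `kdc_response_initialized`. The code that sets either flag is not in the visible hunks, so it cannot be confirmed here that it always runs first; if it does not, a KDC-side challenge would be tried with the client usage and silently fail to decrypt. I would add `/* kdc_response is valid only once kdc_response_initialized is TRUE */` above the fields, and either test the initialized flag at the point of use or document why that is unnecessary. The struct definition starts and ends outside this hunk.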
@@ -102,16 +111,19 @@ static dissector_handle_t kerberos_handle_udp; /* Forward declarations */ static int dissect_kerberos_Applications(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); static int dissect_kerberos_PA_ENC_TIMESTAMP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_PA_ENC_TS_ENC(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); static int dissect_kerberos_KERB_PA_PAC_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); static int dissect_kerberos_PA_S4U2Self(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); static int dissect_kerberos_PA_S4U_X509_USER(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); static int dissect_kerberos_ETYPE_INFO(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); static int dissect_kerberos_ETYPE_INFO2(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); static int dissect_kerberos_AD_IF_RELEVANT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); -static int dissect_kerberos_PA_AUTHENTICATION_SET(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_PA_AUTHENTICATION_SET_ELEM(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); static int 
dissect_kerberos_PA_FX_FAST_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); -static int dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); static int dissect_kerberos_PA_FX_FAST_REPLY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_KrbFastReq(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_KrbFastResponse(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); /* Desegment Kerberos over TCP messages */ static gboolean krb_desegment = TRUE; 
@@ -835,58 +847,6 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo, * unless it's expired. */ -/* pre-authentication type constants */ -#define KRB5_PA_TGS_REQ 1 -#define KRB5_PA_ENC_TIMESTAMP 2 -#define KRB5_PA_PW_SALT 3 -#define KRB5_PA_ENC_ENCKEY 4 -#define KRB5_PA_ENC_UNIX_TIME 5 -#define KRB5_PA_ENC_SANDIA_SECURID 6 -#define KRB5_PA_SESAME 7 -#define KRB5_PA_OSF_DCE 8 -#define KRB5_PA_CYBERSAFE_SECUREID 9 -#define KRB5_PA_AFS3_SALT 10 -#define KRB5_PA_ENCTYPE_INFO 11 -#define KRB5_PA_SAM_CHALLENGE 12 -#define KRB5_PA_SAM_RESPONSE 13 -#define KRB5_PA_PK_AS_REQ 14 -#define KRB5_PA_PK_AS_REP 15 -#define KRB5_PA_DASS 16 -#define KRB5_PA_PK_AS_REP_17 17 -#define KRB5_PA_ENCTYPE_INFO2 19 -#define KRB5_PA_USE_SPECIFIED_KVNO 20 -#define KRB5_PA_SAM_REDIRECT 21 -#define KRB5_PA_GET_FROM_TYPED_DATA 22 -#define KRB5_PA_SAM_ETYPE_INFO 23 -#define KRB5_PA_ALT_PRINC 24 -#define KRB5_PA_SAM_CHALLENGE2 30 -#define KRB5_PA_SAM_RESPONSE2 31 -#define KRB5_TD_PKINIT_CMS_CERTIFICATES 101 -#define KRB5_TD_KRB_PRINCIPAL 102 -#define KRB5_TD_KRB_REALM 103 -#define KRB5_TD_TRUSTED_CERTIFIERS 104 -#define KRB5_TD_CERTIFICATE_INDEX 105 -#define KRB5_TD_APP_DEFINED_ERROR 106 -#define KRB5_TD_REQ_NONCE 107 -#define KRB5_TD_REQ_SEQ 108 -/* preauthentication types >127 (i.e. negative ones) are app specific. - however since Microsoft is the dominant(only?) user of types in this range - we also treat the type as unsigned. -*/ -#define KRB5_PA_PAC_REQUEST 128 /* (Microsoft extension) */ -#define KRB5_PA_FOR_USER 129 /* Impersonation (Microsoft extension) See [MS-SFU]. 
XXX - replaced by KRB5_PA_S4U2SELF */ -#define KRB5_PA_S4U2SELF 129 -#define KRB5_PADATA_S4U_X509_USER 130 /* certificate protocol transition request */ -#define KRB5_PADATA_FX_COOKIE 133 -#define KRB5_PA_AUTHENTICATION_SET 134 -#define KRB5_PADATA_FX_FAST 136 -#define KRB5_PADATA_FX_ERROR 137 -#define KRB5_PADATA_ENCRYPTED_CHALLENGE 138 -#define KRB5_PADATA_PKINIT_KX 147 -#define KRB5_ENCPADATA_REQ_ENC_PA_REP 149 - - -#define KRB5_PA_PROV_SRV_LOCATION 0xffffffff /* (gint32)0xFF) packetcable stuff */ /* Principal name-type */ #define KRB5_NT_UNKNOWN 0 #define KRB5_NT_PRINCIPAL 1 
@@ -1073,112 +1033,6 @@ static const value_string w2k_pac_types[] = { { 0, NULL }, }; -#if 0 -static const value_string krb5_princ_types[] = { - { KRB5_NT_UNKNOWN , "Unknown" }, - { KRB5_NT_PRINCIPAL , "Principal" }, - { KRB5_NT_SRV_INST , "Service and Instance" }, - { KRB5_NT_SRV_HST , "Service and Host" }, - { KRB5_NT_SRV_XHST , "Service and Host Components" }, - { KRB5_NT_UID , "Unique ID" }, - { KRB5_NT_X500_PRINCIPAL , "Encoded X.509 Distinguished Name" }, - { KRB5_NT_SMTP_NAME , "SMTP Name" }, - { KRB5_NT_ENTERPRISE , "Enterprise Name" }, - { KRB5_NT_MS_PRINCIPAL , "NT 4.0 style name (MS specific)" }, - { KRB5_NT_MS_PRINCIPAL_AND_SID , "NT 4.0 style name with SID (MS specific)"}, - { KRB5_NT_ENT_PRINCIPAL_AND_SID, "UPN and SID (MS specific)"}, - { KRB5_NT_PRINCIPAL_AND_SID , "Principal name and SID (MS specific)"}, - { KRB5_NT_SRV_INST_AND_SID , "SPN and SID (MS specific)"}, - { 0 , NULL }, -}; -#endif - -static const value_string krb5_preauthentication_types[] = { - { KRB5_PA_TGS_REQ , "PA-TGS-REQ" }, - { KRB5_PA_ENC_TIMESTAMP , "PA-ENC-TIMESTAMP" }, - { KRB5_PA_PW_SALT , "PA-PW-SALT" }, - { KRB5_PA_ENC_ENCKEY , "PA-ENC-ENCKEY" }, - { KRB5_PA_ENC_UNIX_TIME , "PA-ENC-UNIX-TIME" }, - { KRB5_PA_ENC_SANDIA_SECURID , "PA-PW-SALT" }, - { KRB5_PA_SESAME , "PA-SESAME" }, - { KRB5_PA_OSF_DCE , "PA-OSF-DCE" }, - { KRB5_PA_CYBERSAFE_SECUREID , "PA-CYBERSAFE-SECURID" }, - { KRB5_PA_AFS3_SALT , "PA-AFS3-SALT" }, - { KRB5_PA_ENCTYPE_INFO , "PA-ENCTYPE-INFO" }, - { KRB5_PA_ENCTYPE_INFO2 , "PA-ENCTYPE-INFO2" }, - { KRB5_PA_SAM_CHALLENGE , "PA-SAM-CHALLENGE" }, - { KRB5_PA_SAM_RESPONSE , "PA-SAM-RESPONSE" }, - { KRB5_PA_PK_AS_REQ , "PA-PK-AS-REQ" }, - { KRB5_PA_PK_AS_REP , "PA-PK-AS-REP" }, - { KRB5_PA_DASS , "PA-DASS" }, - { KRB5_PA_PK_AS_REP_17 , "PA-PK-AS-REP-17" }, - { KRB5_PA_USE_SPECIFIED_KVNO , "PA-USE-SPECIFIED-KVNO" }, - { KRB5_PA_SAM_REDIRECT , "PA-SAM-REDIRECT" }, - { KRB5_PA_GET_FROM_TYPED_DATA , "PA-GET-FROM-TYPED-DATA" }, - { KRB5_PA_SAM_ETYPE_INFO , 
"PA-SAM-ETYPE-INFO" }, - { KRB5_PA_ALT_PRINC , "PA-ALT-PRINC" }, - { KRB5_PA_SAM_CHALLENGE2 , "PA-SAM-CHALLENGE2" }, - { KRB5_PA_SAM_RESPONSE2 , "PA-SAM-RESPONSE2" }, - { KRB5_TD_PKINIT_CMS_CERTIFICATES, "TD-PKINIT-CMS-CERTIFICATES" }, - { KRB5_TD_KRB_PRINCIPAL , "TD-KRB-PRINCIPAL" }, - { KRB5_TD_KRB_REALM , "TD-KRB-REALM" }, - { KRB5_TD_TRUSTED_CERTIFIERS , "TD-TRUSTED-CERTIFIERS" }, - { KRB5_TD_CERTIFICATE_INDEX , "TD-CERTIFICATE-INDEX" }, - { KRB5_TD_APP_DEFINED_ERROR , "TD-APP-DEFINED-ERROR" }, - { KRB5_TD_REQ_NONCE , "TD-REQ-NONCE" }, - { KRB5_TD_REQ_SEQ , "TD-REQ-SEQ" }, - { KRB5_PA_PAC_REQUEST , "PA-PAC-REQUEST" }, - { KRB5_PA_FOR_USER , "PA-FOR-USER" }, - { KRB5_PADATA_S4U_X509_USER , "PA-S4U-X509-USER" }, - { KRB5_PADATA_FX_COOKIE , "PA-FX-COOKIE" }, - { KRB5_PA_AUTHENTICATION_SET , "KRB5-PA-AUTHENTICATION-SET" }, - - { KRB5_PADATA_FX_FAST , "PA-FX-FAST" }, - { KRB5_PADATA_FX_ERROR , "PA-FX-ERROR" }, - { KRB5_PADATA_ENCRYPTED_CHALLENGE , "PA-ENCRYPTED-CHALLENGE" }, - { KRB5_PADATA_PKINIT_KX , "PA-PKINIT-KX" }, - { KRB5_ENCPADATA_REQ_ENC_PA_REP , "PA-REQ-ENC-PA-REP" }, - { KRB5_PA_PROV_SRV_LOCATION , "PA-PROV-SRV-LOCATION" }, - { 0 , NULL }, -}; - -#define KRB5_AD_IF_RELEVANT 1 -#define KRB5_AD_INTENDED_FOR_SERVER 2 -#define KRB5_AD_INTENDED_FOR_APPLICATION_CLASS 3 -#define KRB5_AD_KDC_ISSUED 4 -#define KRB5_AD_OR 5 -#define KRB5_AD_MANDATORY_TICKET_EXTENSIONS 6 -#define KRB5_AD_IN_TICKET_EXTENSIONS 7 -#define KRB5_AD_MANDATORY_FOR_KDC 8 -#define KRB5_AD_OSF_DCE 64 -#define KRB5_AD_SESAME 65 -#define KRB5_AD_OSF_DCE_PKI_CERTID 66 -#define KRB5_AD_WIN2K_PAC 128 -#define KRB5_AD_SIGNTICKET 0xffffffef - -static const value_string krb5_ad_types[] = { - { KRB5_AD_IF_RELEVANT , "AD-IF-RELEVANT" }, - { KRB5_AD_INTENDED_FOR_SERVER , "AD-Intended-For-Server" }, - { KRB5_AD_INTENDED_FOR_APPLICATION_CLASS , "AD-Intended-For-Application-Class" }, - { KRB5_AD_KDC_ISSUED , "AD-KDCIssued" }, - { KRB5_AD_OR , "AD-AND-OR" }, - { KRB5_AD_MANDATORY_TICKET_EXTENSIONS , 
"AD-Mandatory-Ticket-Extensions" }, - { KRB5_AD_IN_TICKET_EXTENSIONS , "AD-IN-Ticket-Extensions" }, - { KRB5_AD_MANDATORY_FOR_KDC , "AD-MANDATORY-FOR-KDC" }, - { KRB5_AD_OSF_DCE , "AD-OSF-DCE" }, - { KRB5_AD_SESAME , "AD-SESAME" }, - { KRB5_AD_OSF_DCE_PKI_CERTID , "AD-OSF-DCE-PKI-CertID" }, - { KRB5_AD_WIN2K_PAC , "AD-Win2k-PAC" }, - { KRB5_AD_SIGNTICKET , "AD-SignTicket" }, - { 0 , NULL }, -}; -#if 0 -static const value_string krb5_transited_types[] = { - { 1 , "DOMAIN-X500-COMPRESS" }, - { 0 , NULL } -}; -#endif - static const value_string krb5_msg_types[] = { { KRB5_MSG_TICKET, "Ticket" }, { KRB5_MSG_AUTHENTICATOR, "Authenticator" }, @@ -1373,7 +1227,7 @@ dissect_krb5_decrypt_PA_ENC_TIMESTAMP (gboolean imp_tag _U_, tvbuff_t *tvb, int /* Add the decrypted data to the data source list. */ add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5"); - offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1); + offset=dissect_kerberos_PA_ENC_TS_ENC(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1); } return offset; } 
@@ -1467,6 +1321,108 @@ dissect_krb5_decrypt_CRED_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, } return offset; } + +static int +dissect_krb5_decrypt_KrbFastReq(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, + proto_tree *tree, int hf_index _U_) +{ + guint8 *plaintext; + int length; + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + tvbuff_t *next_tvb; + + next_tvb=tvb_new_subset_remaining(tvb, offset); + length=tvb_captured_length_remaining(tvb, offset); + + /* RFC6113 : + * KrbFastResponse encrypted with usage + * KEY_USAGE_FAST_ENC 51 + */ + plaintext=decrypt_krb5_data(tree, actx->pinfo, KEY_USAGE_FAST_ENC, + next_tvb, private_data->etype, NULL); + + if(plaintext){ + tvbuff_t *child_tvb; + child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length); + tvb_set_free_cb(child_tvb, g_free); + + /* Add the decrypted data to the data source list. */ + add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5"); + + offset=dissect_kerberos_KrbFastReq(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1); + } + return offset; +} + +static int +dissect_krb5_decrypt_KrbFastResponse(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, + proto_tree *tree, int hf_index _U_) +{ + guint8 *plaintext; + int length; + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + tvbuff_t *next_tvb; + + next_tvb=tvb_new_subset_remaining(tvb, offset); + length=tvb_captured_length_remaining(tvb, offset); + + /* + * RFC6113 : + * KrbFastResponse encrypted with usage + * KEY_USAGE_FAST_REP 52 + */ + plaintext=decrypt_krb5_data(tree, actx->pinfo, KEY_USAGE_FAST_REP, + next_tvb, private_data->etype, NULL); + + if(plaintext){ + tvbuff_t *child_tvb; + child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length); + tvb_set_free_cb(child_tvb, g_free); + + /* Add the decrypted data to the data source list. 
*/ + add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5"); + + offset=dissect_kerberos_KrbFastResponse(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1); + } + return offset; +} + +static int +dissect_krb5_decrypt_EncryptedChallenge(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, + proto_tree *tree, int hf_index _U_) +{ + guint8 *plaintext; + int length; + kerberos_private_data_t *private_data = kerberos_get_private_data(actx); + tvbuff_t *next_tvb; + int usage = 0; + + next_tvb=tvb_new_subset_remaining(tvb, offset); + length=tvb_captured_length_remaining(tvb, offset); + + /* RFC6113 : + * KEY_USAGE_ENC_CHALLENGE_CLIENT 54 + * KEY_USAGE_ENC_CHALLENGE_KDC 55 + */ + if (private_data->kdc_response) { + usage = KEY_USAGE_ENC_CHALLENGE_KDC; + } else { + usage = KEY_USAGE_ENC_CHALLENGE_CLIENT; + } + plaintext=decrypt_krb5_data(tree, actx->pinfo, usage, next_tvb, private_data->etype, NULL); + + if(plaintext){ + tvbuff_t *child_tvb; + child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length); + tvb_set_free_cb(child_tvb, g_free); + + /* Add the decrypted data to the data source list. */ + add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5"); + + offset=dissect_kerberos_PA_ENC_TS_ENC(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1); + } + return offset; +} #endif /* Dissect a GSSAPI checksum as per RFC1964. This is NOT ASN.1 encoded.
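Review bot: All three new decrypt helpers size the decrypted tvb from the ciphertext rather than the plaintext: `length` comes from `tvb_captured_length_remaining(tvb, offset)` and is passed to `tvb_new_child_real_data(tvb, plaintext, length, length)`, while the last argument to `decrypt_krb5_data` is `NULL`. If that parameter is the plaintext-length output (the definition is outside this hunk), the child tvb can advertise more bytes than decryption produced, so the ASN.1 dissector run on it may read stale or out-of-buffer heap bytes when the capture is malformed. I would take the length from the decrypt call, e.g. `int datalen = 0; plaintext = decrypt_krb5_data(tree, actx->pinfo, KEY_USAGE_FAST_ENC, next_tvb, private_data->etype, &datalen);` followed by `tvb_new_child_real_data(tvb, plaintext, datalen, datalen);`, in each of the three functions. Separately, the comment in dissect_krb5_decrypt_KrbFastReq reads "KrbFastResponse encrypted with usage" and should name KrbFastReq.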