2 * Routines for Kerberos
3 * Wes Hardaker (c) 2000
4 * wjhardaker@ucdavis.edu
5 * Richard Sharpe (C) 2002, rsharpe@samba.org, modularized a bit more and
6 * added AP-REQ and AP-REP dissection
8 * Ronnie Sahlberg (C) 2004, major rewrite for new ASN.1/BER API.
9 * decryption of kerberos blobs if keytab is provided
11 * See RFC 1510, and various I-Ds and other documents showing additions,
12 * e.g. ones listed under
14 * http://www.isi.edu/people/bcn/krb-revisions/
18 * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt
22 * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-05.txt
24 * Some structures from RFC2630
28 * Ethereal - Network traffic analyzer
29 * By Gerald Combs <gerald@ethereal.com>
30 * Copyright 1998 Gerald Combs
32 * This program is free software; you can redistribute it and/or
33 * modify it under the terms of the GNU General Public License
34 * as published by the Free Software Foundation; either version 2
35 * of the License, or (at your option) any later version.
37 * This program is distributed in the hope that it will be useful,
38 * but WITHOUT ANY WARRANTY; without even the implied warranty of
39 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
40 * GNU General Public License for more details.
42 * You should have received a copy of the GNU General Public License
43 * along with this program; if not, write to the Free Software
44 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
48 * Some of the development of the Kerberos protocol decoder was sponsored by
49 * Cable Television Laboratories, Inc. ("CableLabs") based upon proprietary
50 * CableLabs' specifications. Your license and use of this protocol decoder
51 * does not mean that you are licensed to use the CableLabs'
52 * specifications. If you have questions about this protocol, contact
53 * jf.mule [AT] cablelabs.com or c.stuart [AT] cablelabs.com for additional
71 #include <nettle/des.h>
72 #include <nettle/cbc.h>
74 #include "crypt-md5.h"
75 #include <sys/stat.h> /* For keyfile manipulation */
80 #include <epan/packet.h>
82 #include <epan/strutil.h>
84 #include <epan/conversation.h>
85 #include <epan/dissectors/packet-kerberos.h>
86 #include <epan/dissectors/packet-netbios.h>
87 #include <epan/dissectors/packet-tcp.h>
88 #include <epan/prefs.h>
89 #include <epan/dissectors/packet-ber.h>
90 #include <epan/dissectors/packet-pkinit.h>
91 #include <epan/dissectors/packet-cms.h>
92 #include <epan/dissectors/packet-windows-common.h>
94 #include <epan/dissectors/packet-dcerpc-netlogon.h>
95 #include <epan/dissectors/packet-dcerpc.h>
97 #include <epan/dissectors/packet-gssapi.h>
98 #include <epan/emem.h>
100 #define UDP_PORT_KERBEROS 88
101 #define TCP_PORT_KERBEROS 88
103 static dissector_handle_t kerberos_handle_udp;
105 /* Desegment Kerberos over TCP messages */
106 static gboolean krb_desegment = TRUE;
108 static gint proto_kerberos = -1;
109 static gint hf_krb_rm_reserved = -1;
110 static gint hf_krb_rm_reclen = -1;
112 static gint hf_krb_pac_signature_type = -1;
113 static gint hf_krb_pac_signature_signature = -1;
114 static gint hf_krb_pac_clientid = -1;
115 static gint hf_krb_pac_namelen = -1;
116 static gint hf_krb_pac_clientname = -1;
117 static gint hf_krb_w2k_pac_entries = -1;
118 static gint hf_krb_w2k_pac_version = -1;
119 static gint hf_krb_w2k_pac_type = -1;
120 static gint hf_krb_w2k_pac_size = -1;
121 static gint hf_krb_w2k_pac_offset = -1;
122 static gint hf_krb_padata = -1;
123 static gint hf_krb_error_code = -1;
124 static gint hf_krb_ticket = -1;
125 static gint hf_krb_AP_REP_enc = -1;
126 static gint hf_krb_KDC_REP_enc = -1;
127 static gint hf_krb_tkt_vno = -1;
128 static gint hf_krb_e_data = -1;
129 static gint hf_krb_TransitedEncoding = -1;
130 static gint hf_krb_PA_PAC_REQUEST_flag = -1;
131 static gint hf_krb_encrypted_authenticator_data = -1;
132 static gint hf_krb_PAC_LOGON_INFO = -1;
133 static gint hf_krb_PAC_CREDENTIAL_TYPE = -1;
134 static gint hf_krb_PAC_SERVER_CHECKSUM = -1;
135 static gint hf_krb_PAC_PRIVSVR_CHECKSUM = -1;
136 static gint hf_krb_PAC_CLIENT_INFO_TYPE = -1;
137 static gint hf_krb_encrypted_PA_ENC_TIMESTAMP = -1;
138 static gint hf_krb_checksum_checksum = -1;
139 static gint hf_krb_encrypted_PRIV = -1;
140 static gint hf_krb_encrypted_Ticket_data = -1;
141 static gint hf_krb_encrypted_AP_REP_data = -1;
142 static gint hf_krb_encrypted_KDC_REP_data = -1;
143 static gint hf_krb_PA_DATA_type = -1;
144 static gint hf_krb_PA_DATA_value = -1;
145 static gint hf_krb_etype_info_salt = -1;
146 static gint hf_krb_etype_info2_salt = -1;
147 static gint hf_krb_etype_info2_s2kparams = -1;
148 static gint hf_krb_SAFE_BODY_user_data = -1;
149 static gint hf_krb_PRIV_BODY_user_data = -1;
150 static gint hf_krb_realm = -1;
151 static gint hf_krb_crealm = -1;
152 static gint hf_krb_sname = -1;
153 static gint hf_krb_cname = -1;
154 static gint hf_krb_name_string = -1;
155 static gint hf_krb_provsrv_location = -1;
156 static gint hf_krb_e_text = -1;
157 static gint hf_krb_name_type = -1;
158 static gint hf_krb_lr_type = -1;
159 static gint hf_krb_from = -1;
160 static gint hf_krb_till = -1;
161 static gint hf_krb_authtime = -1;
162 static gint hf_krb_patimestamp = -1;
163 static gint hf_krb_SAFE_BODY_timestamp = -1;
164 static gint hf_krb_pausec = -1;
165 static gint hf_krb_lr_time = -1;
166 static gint hf_krb_starttime = -1;
167 static gint hf_krb_endtime = -1;
168 static gint hf_krb_key_expire = -1;
169 static gint hf_krb_renew_till = -1;
170 static gint hf_krb_rtime = -1;
171 static gint hf_krb_ctime = -1;
172 static gint hf_krb_cusec = -1;
173 static gint hf_krb_stime = -1;
174 static gint hf_krb_susec = -1;
175 static gint hf_krb_SAFE_BODY_usec = -1;
176 static gint hf_krb_nonce = -1;
177 static gint hf_krb_transitedtype = -1;
178 static gint hf_krb_transitedcontents = -1;
179 static gint hf_krb_keytype = -1;
180 static gint hf_krb_keyvalue = -1;
181 static gint hf_krb_IF_RELEVANT_type = -1;
182 static gint hf_krb_IF_RELEVANT_value = -1;
183 static gint hf_krb_adtype = -1;
184 static gint hf_krb_advalue = -1;
185 static gint hf_krb_etype = -1;
186 static gint hf_krb_etypes = -1;
187 static gint hf_krb_LastReqs = -1;
188 static gint hf_krb_IF_RELEVANT = -1;
189 static gint hf_krb_addr_type = -1;
190 static gint hf_krb_address_ip = -1;
191 static gint hf_krb_address_netbios = -1;
192 static gint hf_krb_msg_type = -1;
193 static gint hf_krb_pvno = -1;
194 static gint hf_krb_kvno = -1;
195 static gint hf_krb_checksum_type = -1;
196 static gint hf_krb_authenticator_vno = -1;
197 static gint hf_krb_AuthorizationData = -1;
198 static gint hf_krb_key = -1;
199 static gint hf_krb_subkey = -1;
200 static gint hf_krb_seq_number = -1;
201 static gint hf_krb_EncTicketPart = -1;
202 static gint hf_krb_EncAPRepPart = -1;
203 static gint hf_krb_EncKrbPrivPart = -1;
204 static gint hf_krb_EncKDCRepPart = -1;
205 static gint hf_krb_LastReq = -1;
206 static gint hf_krb_Authenticator = -1;
207 static gint hf_krb_Checksum = -1;
208 static gint hf_krb_s_address = -1;
209 static gint hf_krb_HostAddress = -1;
210 static gint hf_krb_HostAddresses = -1;
211 static gint hf_krb_APOptions = -1;
212 static gint hf_krb_APOptions_use_session_key = -1;
213 static gint hf_krb_APOptions_mutual_required = -1;
214 static gint hf_krb_TicketFlags = -1;
215 static gint hf_krb_TicketFlags_forwardable = -1;
216 static gint hf_krb_TicketFlags_forwarded = -1;
217 static gint hf_krb_TicketFlags_proxyable = -1;
218 static gint hf_krb_TicketFlags_proxy = -1;
219 static gint hf_krb_TicketFlags_allow_postdate = -1;
220 static gint hf_krb_TicketFlags_postdated = -1;
221 static gint hf_krb_TicketFlags_invalid = -1;
222 static gint hf_krb_TicketFlags_renewable = -1;
223 static gint hf_krb_TicketFlags_initial = -1;
224 static gint hf_krb_TicketFlags_pre_auth = -1;
225 static gint hf_krb_TicketFlags_hw_auth = -1;
226 static gint hf_krb_TicketFlags_transited_policy_checked = -1;
227 static gint hf_krb_TicketFlags_ok_as_delegate = -1;
228 static gint hf_krb_KDCOptions = -1;
229 static gint hf_krb_KDCOptions_forwardable = -1;
230 static gint hf_krb_KDCOptions_forwarded = -1;
231 static gint hf_krb_KDCOptions_proxyable = -1;
232 static gint hf_krb_KDCOptions_proxy = -1;
233 static gint hf_krb_KDCOptions_allow_postdate = -1;
234 static gint hf_krb_KDCOptions_postdated = -1;
235 static gint hf_krb_KDCOptions_renewable = -1;
236 static gint hf_krb_KDCOptions_canonicalize = -1;
237 static gint hf_krb_KDCOptions_opt_hardware_auth = -1;
238 static gint hf_krb_KDCOptions_disable_transited_check = -1;
239 static gint hf_krb_KDCOptions_renewable_ok = -1;
240 static gint hf_krb_KDCOptions_enc_tkt_in_skey = -1;
241 static gint hf_krb_KDCOptions_renew = -1;
242 static gint hf_krb_KDCOptions_validate = -1;
243 static gint hf_krb_KDC_REQ_BODY = -1;
244 static gint hf_krb_PRIV_BODY = -1;
245 static gint hf_krb_ENC_PRIV = -1;
246 static gint hf_krb_authenticator_enc = -1;
247 static gint hf_krb_ticket_enc = -1;
248 static gint hf_krb_e_checksum = -1;
250 static gint ett_krb_kerberos = -1;
251 static gint ett_krb_TransitedEncoding = -1;
252 static gint ett_krb_PAC_LOGON_INFO = -1;
253 static gint ett_krb_PAC_CREDENTIAL_TYPE = -1;
254 static gint ett_krb_PAC_SERVER_CHECKSUM = -1;
255 static gint ett_krb_PAC_PRIVSVR_CHECKSUM = -1;
256 static gint ett_krb_PAC_CLIENT_INFO_TYPE = -1;
257 static gint ett_krb_KDC_REP_enc = -1;
258 static gint ett_krb_EncTicketPart = -1;
259 static gint ett_krb_EncAPRepPart = -1;
260 static gint ett_krb_EncKrbPrivPart = -1;
261 static gint ett_krb_EncKDCRepPart = -1;
262 static gint ett_krb_LastReq = -1;
263 static gint ett_krb_Authenticator = -1;
264 static gint ett_krb_Checksum = -1;
265 static gint ett_krb_key = -1;
266 static gint ett_krb_subkey = -1;
267 static gint ett_krb_AuthorizationData = -1;
268 static gint ett_krb_sname = -1;
269 static gint ett_krb_cname = -1;
270 static gint ett_krb_AP_REP_enc = -1;
271 static gint ett_krb_padata = -1;
272 static gint ett_krb_etypes = -1;
273 static gint ett_krb_LastReqs = -1;
274 static gint ett_krb_IF_RELEVANT = -1;
275 static gint ett_krb_PA_DATA_tree = -1;
276 static gint ett_krb_PAC = -1;
277 static gint ett_krb_s_address = -1;
278 static gint ett_krb_HostAddress = -1;
279 static gint ett_krb_HostAddresses = -1;
280 static gint ett_krb_authenticator_enc = -1;
281 static gint ett_krb_AP_Options = -1;
282 static gint ett_krb_KDC_Options = -1;
283 static gint ett_krb_Ticket_Flags = -1;
284 static gint ett_krb_request = -1;
285 static gint ett_krb_recordmark = -1;
286 static gint ett_krb_ticket = -1;
287 static gint ett_krb_ticket_enc = -1;
288 static gint ett_krb_PRIV = -1;
289 static gint ett_krb_PRIV_enc = -1;
290 static gint ett_krb_e_checksum = -1;
292 guint32 krb5_errorcode;
295 dissector_handle_t krb4_handle=NULL;
297 static gboolean do_col_info;
301 call_kerberos_callbacks(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int tag)
303 kerberos_callbacks *cb=(kerberos_callbacks *)pinfo->private_data;
311 cb->callback(pinfo, tvb, tree);
323 /* Decrypt Kerberos blobs */
324 static gboolean krb_decrypt = FALSE;
326 /* keytab filename */
327 static const char *keytab_filename = "insert filename here";
331 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
333 enc_key_t *enc_key_list=NULL;
336 add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin)
340 if(pinfo->fd->flags.visited){
343 printf("added key in %d\n",pinfo->fd->num);
345 new_key=g_malloc(sizeof(enc_key_t));
346 g_snprintf(new_key->key_origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %d",origin,pinfo->fd->num);
347 new_key->next=enc_key_list;
348 enc_key_list=new_key;
349 new_key->keytype=keytype;
350 new_key->keylength=keylength;
351 /*XXX this needs to be freed later */
352 new_key->keyvalue=g_memdup(keyvalue, keylength);
354 #endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
357 #ifdef HAVE_MIT_KERBEROS
360 read_keytab_file(const char *filename, krb5_context *context)
363 krb5_keytab_entry key;
365 krb5_kt_cursor cursor;
368 /* should use a file in the ethereal users dir */
369 ret = krb5_kt_resolve(*context, filename, &keytab);
371 fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename);
376 ret = krb5_kt_start_seq_get(*context, keytab, &cursor);
378 fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename);
383 new_key=g_malloc(sizeof(enc_key_t));
384 new_key->next=enc_key_list;
385 ret = krb5_kt_next_entry(*context, keytab, &key, &cursor);
390 /* generate origin string, describing where this key came from */
391 pos=new_key->key_origin;
392 pos+=g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal ");
393 for(i=0;i<key.principal->length;i++){
394 pos+=g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),(key.principal->data[i]).data);
396 pos+=g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm.data);
398 /*printf("added key for principal :%s\n", new_key->key_origin);*/
399 new_key->keytype=key.key.enctype;
400 new_key->keylength=key.key.length;
401 new_key->keyvalue=g_memdup(key.key.contents, key.key.length);
402 enc_key_list=new_key;
406 ret = krb5_kt_end_seq_get(*context, keytab, &cursor);
408 krb5_kt_close(*context, keytab);
415 decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
418 const guint8 *cryptotext,
421 static int first_time=1;
422 static krb5_context context;
425 static krb5_data data = {0,0,NULL};
426 krb5_keytab_entry key;
428 /* dont do anything if we are not attempting to decrypt data */
433 /* XXX we should only do this for first time, then store somewhere */
434 /* XXX We also need to re-read the keytab when the preference changes */
436 /* should this have a destroy context ? MIT people would know */
439 ret = krb5_init_context(&context);
443 read_keytab_file(keytab_filename, &context);
446 for(ek=enc_key_list;ek;ek=ek->next){
449 /* shortcircuit and bail out if enctypes are not matching */
450 if(ek->keytype!=keytype){
454 input.enctype = ek->keytype;
455 input.ciphertext.length = length;
456 input.ciphertext.data = (guint8 *)cryptotext;
458 data.length = length;
462 data.data = g_malloc(length);
464 key.key.enctype=ek->keytype;
465 key.key.length=ek->keylength;
466 key.key.contents=ek->keyvalue;
467 ret = krb5_c_decrypt(context, &(key.key), usage, 0, &input, &data);
469 printf("woohoo decrypted keytype:%d in frame:%d\n", keytype, pinfo->fd->num);
470 proto_tree_add_text(tree, NULL, 0, 0, "[Decrypted using: %s]", ek->key_origin);
478 #elif defined(HAVE_HEIMDAL_KERBEROS)
480 read_keytab_file(const char *filename, krb5_context *context)
483 krb5_keytab_entry key;
485 krb5_kt_cursor cursor;
488 /* should use a file in the ethereal users dir */
489 ret = krb5_kt_resolve(*context, filename, &keytab);
491 fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename);
496 ret = krb5_kt_start_seq_get(*context, keytab, &cursor);
498 fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename);
503 new_key=g_malloc(sizeof(enc_key_t));
504 new_key->next=enc_key_list;
505 ret = krb5_kt_next_entry(*context, keytab, &key, &cursor);
510 /* generate origin string, describing where this key came from */
511 pos=new_key->key_origin;
512 pos+=g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal ");
513 for(i=0;i<key.principal->name.name_string.len;i++){
514 pos+=g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),key.principal->name.name_string.val[i]);
516 pos+=g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm);
518 new_key->keytype=key.keyblock.keytype;
519 new_key->keylength=key.keyblock.keyvalue.length;
520 new_key->keyvalue=g_memdup(key.keyblock.keyvalue.data, key.keyblock.keyvalue.length);
521 enc_key_list=new_key;
525 ret = krb5_kt_end_seq_get(*context, keytab, &cursor);
527 krb5_kt_close(*context, keytab);
534 decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
537 const guint8 *cryptotext,
540 static int first_time=1;
541 static krb5_context context;
546 /* dont do anything if we are not attempting to decrypt data */
551 /* XXX we should only do this for first time, then store somewhere */
552 /* XXX We also need to re-read the keytab when the preference changes */
554 /* should this have a destroy context ? Heimdal people would know */
557 ret = krb5_init_context(&context);
561 read_keytab_file(keytab_filename, &context);
564 for(ek=enc_key_list;ek;ek=ek->next){
565 krb5_keytab_entry key;
567 guint8 *cryptocopy; /* workaround for pre-0.6.1 heimdal bug */
569 /* shortcircuit and bail out if enctypes are not matching */
570 if(ek->keytype!=keytype){
574 key.keyblock.keytype=ek->keytype;
575 key.keyblock.keyvalue.length=ek->keylength;
576 key.keyblock.keyvalue.data=ek->keyvalue;
577 ret = krb5_crypto_init(context, &(key.keyblock), 0, &crypto);
582 /* pre-0.6.1 versions of Heimdal would sometimes change
583 the cryptotext data even when the decryption failed.
584 This would obviously not work since we iterate over the
585 keys. So just give it a copy of the crypto data instead.
586 This has been seen for RC4-HMAC blobs.
588 cryptocopy=g_malloc(length);
589 memcpy(cryptocopy, cryptotext, length);
590 ret = krb5_decrypt_ivec(context, crypto, usage,
596 printf("woohoo decrypted keytype:%d in frame:%d\n", keytype, pinfo->fd->num);
597 proto_tree_add_text(tree, NULL, 0, 0, "[Decrypted using: %s]", ek->key_origin);
598 krb5_crypto_destroy(context, crypto);
601 krb5_crypto_destroy(context, crypto);
606 #elif defined (HAVE_LIBNETTLE)
608 #define SERVICE_KEY_SIZE (DES3_KEY_SIZE + 2)
609 #define KEYTYPE_DES3_CBC_MD5 5 /* Currently the only one supported */
611 typedef struct _service_key_t {
616 char origin[KRB_MAX_ORIG_LEN+1];
618 GSList *service_key_list = NULL;
622 add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin)
624 service_key_t *new_key;
626 if(pinfo->fd->flags.visited){
629 printf("added key in %d\n",pinfo->fd->num);
631 new_key = g_malloc(sizeof(service_key_t));
633 new_key->keytype = keytype;
634 new_key->length = keylength;
635 new_key->contents = g_malloc(keylength);
636 memcpy(new_key->contents, keyvalue, keylength);
637 g_snprintf(new_key->origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %d", origin, pinfo->fd->num);
638 service_key_list = g_slist_append(service_key_list, (gpointer) new_key);
646 for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
647 sk = (service_key_t *) ske->data;
648 if (sk && sk->contents) g_free(sk->contents);
651 g_slist_free(service_key_list);
652 service_key_list = NULL;
656 read_keytab_file(const char *service_key_file)
661 unsigned char buf[SERVICE_KEY_SIZE];
662 int newline_skip = 0, count = 0;
664 if (service_key_file != NULL && stat (service_key_file, &st) == 0) {
666 /* The service key file contains raw 192-bit (24 byte) 3DES keys.
667 * There can be zero, one (\n), or two (\r\n) characters between
668 * keys. Trailing characters are ignored.
671 /* XXX We should support the standard keytab format instead */
672 if (st.st_size > SERVICE_KEY_SIZE) {
673 if ( (st.st_size % (SERVICE_KEY_SIZE + 1) == 0) ||
674 (st.st_size % (SERVICE_KEY_SIZE + 1) == SERVICE_KEY_SIZE) ) {
676 } else if ( (st.st_size % (SERVICE_KEY_SIZE + 2) == 0) ||
677 (st.st_size % (SERVICE_KEY_SIZE + 2) == SERVICE_KEY_SIZE) ) {
682 skf = eth_fopen(service_key_file, "rb");
685 while (fread(buf, SERVICE_KEY_SIZE, 1, skf) == 1) {
686 sk = g_malloc(sizeof(service_key_t));
687 sk->kvno = buf[0] << 8 | buf[1];
688 sk->keytype = KEYTYPE_DES3_CBC_MD5;
689 sk->length = DES3_KEY_SIZE;
690 sk->contents = g_malloc(DES3_KEY_SIZE);
691 memcpy(sk->contents, buf + 2, DES3_KEY_SIZE);
692 g_snprintf(sk->origin, KRB_MAX_ORIG_LEN, "3DES service key file, key #%d, offset %ld", count, ftell(skf));
693 service_key_list = g_slist_append(service_key_list, (gpointer) sk);
694 fseek(skf, newline_skip, SEEK_CUR);
696 g_warning("added key: %s", sk->origin);
702 #define CONFOUNDER_PLUS_CHECKSUM 24
705 decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
708 const guint8 *cryptotext,
712 guint8 *decrypted_data = NULL, *plaintext = NULL;
716 guint32 tag, item_len, data_len;
717 int id_offset, offset;
718 guint8 key[DES3_KEY_SIZE];
719 guint8 initial_vector[DES_BLOCK_SIZE];
721 md5_byte_t digest[16];
722 md5_byte_t zero_fill[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
723 md5_byte_t confounder[8];
730 /* dont do anything if we are not attempting to decrypt data */
735 if (keytype != KEYTYPE_DES3_CBC_MD5 || service_key_list == NULL) {
739 decrypted_data = g_malloc(length);
740 for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
741 sk = (service_key_t *) ske->data;
743 des_fix_parity(DES3_KEY_SIZE, key, sk->contents);
746 memset(initial_vector, 0, DES_BLOCK_SIZE);
747 res = des3_set_key(&ctx, key);
748 cbc_decrypt(&ctx, des3_decrypt, DES_BLOCK_SIZE, initial_vector,
749 length, decrypted_data, cryptotext);
750 encr_tvb = tvb_new_real_data(decrypted_data, length, length);
752 tvb_memcpy(encr_tvb, confounder, 0, 8);
754 /* We have to pull the decrypted data length from the decrypted
755 * content. If the key doesn't match or we otherwise get garbage,
756 * an exception may get thrown while decoding the ASN.1 header.
757 * Catch it, just in case.
760 id_offset = get_ber_identifier(encr_tvb, CONFOUNDER_PLUS_CHECKSUM, &cls, &pc, &tag);
761 offset = get_ber_length(tree, encr_tvb, id_offset, &item_len, &ind);
763 CATCH (BoundsError) {
769 data_len = item_len + offset - CONFOUNDER_PLUS_CHECKSUM;
770 if ((int) item_len + offset > length) {
775 md5_append(&md5s, confounder, 8);
776 md5_append(&md5s, zero_fill, 16);
777 md5_append(&md5s, decrypted_data + CONFOUNDER_PLUS_CHECKSUM, data_len);
778 md5_finish(&md5s, digest);
780 if (tvb_memeql (encr_tvb, 8, digest, 16) == 0) {
781 g_warning("woohoo decrypted keytype:%d in frame:%d\n", keytype, pinfo->fd->num);
782 plaintext = g_malloc(data_len);
783 tvb_memcpy(encr_tvb, plaintext, CONFOUNDER_PLUS_CHECKSUM, data_len);
786 g_free(decrypted_data);
791 g_free(decrypted_data);
796 #endif /* HAVE_MIT_KERBEROS / HAVE_HEIMDAL_KERBEROS / HAVE_LIBNETTLE */
800 /* TCP Record Mark */
801 #define KRB_RM_RESERVED 0x80000000L
802 #define KRB_RM_RECLEN 0x7fffffffL
804 #define KRB5_MSG_TICKET 1 /* Ticket */
805 #define KRB5_MSG_AUTHENTICATOR 2 /* Authenticator */
806 #define KRB5_MSG_ENC_TICKET_PART 3 /* EncTicketPart */
807 #define KRB5_MSG_AS_REQ 10 /* AS-REQ type */
808 #define KRB5_MSG_AS_REP 11 /* AS-REP type */
809 #define KRB5_MSG_TGS_REQ 12 /* TGS-REQ type */
810 #define KRB5_MSG_TGS_REP 13 /* TGS-REP type */
811 #define KRB5_MSG_AP_REQ 14 /* AP-REQ type */
812 #define KRB5_MSG_AP_REP 15 /* AP-REP type */
814 #define KRB5_MSG_SAFE 20 /* KRB-SAFE type */
815 #define KRB5_MSG_PRIV 21 /* KRB-PRIV type */
816 #define KRB5_MSG_CRED 22 /* KRB-CRED type */
817 #define KRB5_MSG_ENC_AS_REP_PART 25 /* EncASRepPart */
818 #define KRB5_MSG_ENC_TGS_REP_PART 26 /* EncTGSRepPart */
819 #define KRB5_MSG_ENC_AP_REP_PART 27 /* EncAPRepPart */
820 #define KRB5_MSG_ENC_KRB_PRIV_PART 28 /* EncAPRepPart */
821 #define KRB5_MSG_ERROR 30 /* KRB-ERROR type */
823 /* address type constants */
824 #define KRB5_ADDR_IPv4 0x02
825 #define KRB5_ADDR_CHAOS 0x05
826 #define KRB5_ADDR_XEROX 0x06
827 #define KRB5_ADDR_ISO 0x07
828 #define KRB5_ADDR_DECNET 0x0c
829 #define KRB5_ADDR_APPLETALK 0x10
830 #define KRB5_ADDR_NETBIOS 0x14
831 #define KRB5_ADDR_IPv6 0x18
833 /* encryption type constants */
834 #define KRB5_ENCTYPE_NULL 0
835 #define KRB5_ENCTYPE_DES_CBC_CRC 1
836 #define KRB5_ENCTYPE_DES_CBC_MD4 2
837 #define KRB5_ENCTYPE_DES_CBC_MD5 3
838 #define KRB5_ENCTYPE_DES_CBC_RAW 4
839 #define KRB5_ENCTYPE_DES3_CBC_SHA 5
840 #define KRB5_ENCTYPE_DES3_CBC_RAW 6
841 #define KRB5_ENCTYPE_DES_HMAC_SHA1 8
842 #define KRB5_ENCTYPE_DSA_SHA1_CMS 9
843 #define KRB5_ENCTYPE_RSA_MD5_CMS 10
844 #define KRB5_ENCTYPE_RSA_SHA1_CMS 11
845 #define KRB5_ENCTYPE_RC2_CBC_ENV 12
846 #define KRB5_ENCTYPE_RSA_ENV 13
847 #define KRB5_ENCTYPE_RSA_ES_OEAP_ENV 14
848 #define KRB5_ENCTYPE_DES_EDE3_CBC_ENV 15
849 #define KRB5_ENCTYPE_DES3_CBC_SHA1 16
850 #define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 17
851 #define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 18
852 #define KRB5_ENCTYPE_DES_CBC_MD5_NT 20
853 #define KERB_ENCTYPE_RC4_HMAC 23
854 #define KERB_ENCTYPE_RC4_HMAC_EXP 24
855 #define KRB5_ENCTYPE_UNKNOWN 0x1ff
856 #define KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 0x7007
857 #define KRB5_ENCTYPE_RC4_PLAIN_EXP 0xffffff73
858 #define KRB5_ENCTYPE_RC4_PLAIN 0xffffff74
859 #define KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP 0xffffff78
860 #define KRB5_ENCTYPE_RC4_HMAC_OLD_EXP 0xffffff79
861 #define KRB5_ENCTYPE_RC4_PLAIN_OLD 0xffffff7a
862 #define KRB5_ENCTYPE_RC4_HMAC_OLD 0xffffff7b
863 #define KRB5_ENCTYPE_DES_PLAIN 0xffffff7c
864 #define KRB5_ENCTYPE_RC4_SHA 0xffffff7d
865 #define KRB5_ENCTYPE_RC4_LM 0xffffff7e
866 #define KRB5_ENCTYPE_RC4_PLAIN2 0xffffff7f
867 #define KRB5_ENCTYPE_RC4_MD4 0xffffff80
870 #define KRB5_CHKSUM_NONE 0
871 #define KRB5_CHKSUM_CRC32 1
872 #define KRB5_CHKSUM_MD4 2
873 #define KRB5_CHKSUM_KRB_DES_MAC 4
874 #define KRB5_CHKSUM_KRB_DES_MAC_K 5
875 #define KRB5_CHKSUM_MD5 7
876 #define KRB5_CHKSUM_MD5_DES 8
877 /* the following four comes from packetcable */
878 #define KRB5_CHKSUM_MD5_DES3 9
879 #define KRB5_CHKSUM_HMAC_SHA1_DES3_KD 12
880 #define KRB5_CHKSUM_HMAC_SHA1_DES3 13
881 #define KRB5_CHKSUM_SHA1_UNKEYED 14
882 #define KRB5_CHKSUM_HMAC_MD5 0xffffff76
883 #define KRB5_CHKSUM_MD5_HMAC 0xffffff77
884 #define KRB5_CHKSUM_RC4_MD5 0xffffff78
885 #define KRB5_CHKSUM_MD25 0xffffff79
886 #define KRB5_CHKSUM_DES_MAC_MD5 0xffffff7a
887 #define KRB5_CHKSUM_DES_MAC 0xffffff7b
888 #define KRB5_CHKSUM_REAL_CRC32 0xffffff7c
889 #define KRB5_CHKSUM_SHA1 0xffffff7d
890 #define KRB5_CHKSUM_LM 0xffffff7e
891 #define KRB5_CHKSUM_GSSAPI 0x8003
894 * For KERB_ENCTYPE_RC4_HMAC and KERB_ENCTYPE_RC4_HMAC_EXP, see
896 * http://www.ietf.org/internet-drafts/draft-brezak-win2k-krb-rc4-hmac-04.txt
898 * unless it's expired.
901 /* pre-authentication type constants */
902 #define KRB5_PA_TGS_REQ 1
903 #define KRB5_PA_ENC_TIMESTAMP 2
904 #define KRB5_PA_PW_SALT 3
905 #define KRB5_PA_ENC_ENCKEY 4
906 #define KRB5_PA_ENC_UNIX_TIME 5
907 #define KRB5_PA_ENC_SANDIA_SECURID 6
908 #define KRB5_PA_SESAME 7
909 #define KRB5_PA_OSF_DCE 8
910 #define KRB5_PA_CYBERSAFE_SECUREID 9
911 #define KRB5_PA_AFS3_SALT 10
912 #define KRB5_PA_ENCTYPE_INFO 11
913 #define KRB5_PA_SAM_CHALLENGE 12
914 #define KRB5_PA_SAM_RESPONSE 13
915 #define KRB5_PA_PK_AS_REQ 14
916 #define KRB5_PA_PK_AS_REP 15
917 #define KRB5_PA_DASS 16
918 #define KRB5_PA_ENCTYPE_INFO2 19
919 #define KRB5_PA_USE_SPECIFIED_KVNO 20
920 #define KRB5_PA_SAM_REDIRECT 21
921 #define KRB5_PA_GET_FROM_TYPED_DATA 22
922 #define KRB5_PA_SAM_ETYPE_INFO 23
923 #define KRB5_PA_ALT_PRINC 24
924 #define KRB5_PA_SAM_CHALLENGE2 30
925 #define KRB5_PA_SAM_RESPONSE2 31
926 #define KRB5_TD_PKINIT_CMS_CERTIFICATES 101
927 #define KRB5_TD_KRB_PRINCIPAL 102
928 #define KRB5_TD_KRB_REALM 103
929 #define KRB5_TD_TRUSTED_CERTIFIERS 104
930 #define KRB5_TD_CERTIFICATE_INDEX 105
931 #define KRB5_TD_APP_DEFINED_ERROR 106
932 #define KRB5_TD_REQ_NONCE 107
933 #define KRB5_TD_REQ_SEQ 108
934 /* preauthentication types >127 (i.e. negative ones) are app specific.
935 hopefully there will be no collissions here or we will have to
936 come up with something better
938 #define KRB5_PA_PAC_REQUEST 128 /* MS extension */
939 #define KRB5_PA_PROV_SRV_LOCATION 255 /* packetcable stuff */
941 /* Principal name-type */
942 #define KRB5_NT_UNKNOWN 0
943 #define KRB5_NT_PRINCIPAL 1
944 #define KRB5_NT_SRV_INST 2
945 #define KRB5_NT_SRV_HST 3
946 #define KRB5_NT_SRV_XHST 4
947 #define KRB5_NT_UID 5
948 #define KRB5_NT_X500_PRINCIPAL 6
949 #define KRB5_NT_SMTP_NAME 7
950 #define KRB5_NT_ENTERPRISE 10
953 * MS specific name types, from
955 * http://msdn.microsoft.com/library/en-us/security/security/kerb_external_name.asp
957 #define KRB5_NT_MS_PRINCIPAL -128
958 #define KRB5_NT_MS_PRINCIPAL_AND_SID -129
959 #define KRB5_NT_ENT_PRINCIPAL_AND_SID -130
960 #define KRB5_NT_PRINCIPAL_AND_SID -131
961 #define KRB5_NT_SRV_INST_AND_SID -132
963 /* error table constants */
964 /* I prefixed the krb5_err.et constant names with KRB5_ET_ for these */
965 #define KRB5_ET_KRB5KDC_ERR_NONE 0
966 #define KRB5_ET_KRB5KDC_ERR_NAME_EXP 1
967 #define KRB5_ET_KRB5KDC_ERR_SERVICE_EXP 2
968 #define KRB5_ET_KRB5KDC_ERR_BAD_PVNO 3
969 #define KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO 4
970 #define KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO 5
971 #define KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN 6
972 #define KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN 7
973 #define KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE 8
974 #define KRB5_ET_KRB5KDC_ERR_NULL_KEY 9
975 #define KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE 10
976 #define KRB5_ET_KRB5KDC_ERR_NEVER_VALID 11
977 #define KRB5_ET_KRB5KDC_ERR_POLICY 12
978 #define KRB5_ET_KRB5KDC_ERR_BADOPTION 13
979 #define KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP 14
980 #define KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP 15
981 #define KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP 16
982 #define KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP 17
983 #define KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED 18
984 #define KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED 19
985 #define KRB5_ET_KRB5KDC_ERR_TGT_REVOKED 20
986 #define KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET 21
987 #define KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET 22
988 #define KRB5_ET_KRB5KDC_ERR_KEY_EXP 23
989 #define KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED 24
990 #define KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED 25
991 #define KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH 26
992 #define KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER 27
993 #define KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED 28
994 #define KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE 29
995 #define KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY 31
996 #define KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED 32
997 #define KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV 33
998 #define KRB5_ET_KRB5KRB_AP_ERR_REPEAT 34
999 #define KRB5_ET_KRB5KRB_AP_ERR_NOT_US 35
1000 #define KRB5_ET_KRB5KRB_AP_ERR_BADMATCH 36
1001 #define KRB5_ET_KRB5KRB_AP_ERR_SKEW 37
1002 #define KRB5_ET_KRB5KRB_AP_ERR_BADADDR 38
1003 #define KRB5_ET_KRB5KRB_AP_ERR_BADVERSION 39
1004 #define KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE 40
1005 #define KRB5_ET_KRB5KRB_AP_ERR_MODIFIED 41
1006 #define KRB5_ET_KRB5KRB_AP_ERR_BADORDER 42
1007 #define KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT 43
1008 #define KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER 44
1009 #define KRB5_ET_KRB5KRB_AP_ERR_NOKEY 45
1010 #define KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL 46
1011 #define KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION 47
1012 #define KRB5_ET_KRB5KRB_AP_ERR_METHOD 48
1013 #define KRB5_ET_KRB5KRB_AP_ERR_BADSEQ 49
1014 #define KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM 50
1015 #define KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED 51
1016 #define KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG 52
1017 #define KRB5_ET_KRB5KRB_ERR_GENERIC 60
1018 #define KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG 61
1019 #define KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED 62
1020 #define KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED 63
1021 #define KRB5_ET_KDC_ERROR_INVALID_SIG 64
1022 #define KRB5_ET_KDC_ERR_KEY_TOO_WEAK 65
1023 #define KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH 66
1024 #define KRB5_ET_KRB_AP_ERR_NO_TGT 67
1025 #define KRB5_ET_KDC_ERR_WRONG_REALM 68
1026 #define KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED 69
1027 #define KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE 70
1028 #define KRB5_ET_KDC_ERR_INVALID_CERTIFICATE 71
1029 #define KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE 72
1030 #define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN 73
1031 #define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74
1032 #define KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH 75
1033 #define KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH 76
1035 static const value_string krb5_error_codes[] = {
1036 { KRB5_ET_KRB5KDC_ERR_NONE, "KRB5KDC_ERR_NONE" },
1037 { KRB5_ET_KRB5KDC_ERR_NAME_EXP, "KRB5KDC_ERR_NAME_EXP" },
1038 { KRB5_ET_KRB5KDC_ERR_SERVICE_EXP, "KRB5KDC_ERR_SERVICE_EXP" },
1039 { KRB5_ET_KRB5KDC_ERR_BAD_PVNO, "KRB5KDC_ERR_BAD_PVNO" },
1040 { KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO, "KRB5KDC_ERR_C_OLD_MAST_KVNO" },
1041 { KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO, "KRB5KDC_ERR_S_OLD_MAST_KVNO" },
1042 { KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" },
1043 { KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" },
1044 { KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, "KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE" },
1045 { KRB5_ET_KRB5KDC_ERR_NULL_KEY, "KRB5KDC_ERR_NULL_KEY" },
1046 { KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE, "KRB5KDC_ERR_CANNOT_POSTDATE" },
1047 { KRB5_ET_KRB5KDC_ERR_NEVER_VALID, "KRB5KDC_ERR_NEVER_VALID" },
1048 { KRB5_ET_KRB5KDC_ERR_POLICY, "KRB5KDC_ERR_POLICY" },
1049 { KRB5_ET_KRB5KDC_ERR_BADOPTION, "KRB5KDC_ERR_BADOPTION" },
1050 { KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP, "KRB5KDC_ERR_ETYPE_NOSUPP" },
1051 { KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP, "KRB5KDC_ERR_SUMTYPE_NOSUPP" },
1052 { KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP, "KRB5KDC_ERR_PADATA_TYPE_NOSUPP" },
1053 { KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP, "KRB5KDC_ERR_TRTYPE_NOSUPP" },
1054 { KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED, "KRB5KDC_ERR_CLIENT_REVOKED" },
1055 { KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED, "KRB5KDC_ERR_SERVICE_REVOKED" },
1056 { KRB5_ET_KRB5KDC_ERR_TGT_REVOKED, "KRB5KDC_ERR_TGT_REVOKED" },
1057 { KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET, "KRB5KDC_ERR_CLIENT_NOTYET" },
1058 { KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET, "KRB5KDC_ERR_SERVICE_NOTYET" },
1059 { KRB5_ET_KRB5KDC_ERR_KEY_EXP, "KRB5KDC_ERR_KEY_EXP" },
1060 { KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED, "KRB5KDC_ERR_PREAUTH_FAILED" },
1061 { KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED, "KRB5KDC_ERR_PREAUTH_REQUIRED" },
1062 { KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH, "KRB5KDC_ERR_SERVER_NOMATCH" },
1063 { KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER, "KRB5KDC_ERR_MUST_USE_USER2USER" },
1064 { KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED, "KRB5KDC_ERR_PATH_NOT_ACCEPTED" },
1065 { KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE, "KRB5KDC_ERR_SVC_UNAVAILABLE" },
1066 { KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY, "KRB5KRB_AP_ERR_BAD_INTEGRITY" },
1067 { KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED, "KRB5KRB_AP_ERR_TKT_EXPIRED" },
1068 { KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV, "KRB5KRB_AP_ERR_TKT_NYV" },
1069 { KRB5_ET_KRB5KRB_AP_ERR_REPEAT, "KRB5KRB_AP_ERR_REPEAT" },
1070 { KRB5_ET_KRB5KRB_AP_ERR_NOT_US, "KRB5KRB_AP_ERR_NOT_US" },
1071 { KRB5_ET_KRB5KRB_AP_ERR_BADMATCH, "KRB5KRB_AP_ERR_BADMATCH" },
1072 { KRB5_ET_KRB5KRB_AP_ERR_SKEW, "KRB5KRB_AP_ERR_SKEW" },
1073 { KRB5_ET_KRB5KRB_AP_ERR_BADADDR, "KRB5KRB_AP_ERR_BADADDR" },
1074 { KRB5_ET_KRB5KRB_AP_ERR_BADVERSION, "KRB5KRB_AP_ERR_BADVERSION" },
1075 { KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE, "KRB5KRB_AP_ERR_MSG_TYPE" },
1076 { KRB5_ET_KRB5KRB_AP_ERR_MODIFIED, "KRB5KRB_AP_ERR_MODIFIED" },
1077 { KRB5_ET_KRB5KRB_AP_ERR_BADORDER, "KRB5KRB_AP_ERR_BADORDER" },
1078 { KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT, "KRB5KRB_AP_ERR_ILL_CR_TKT" },
1079 { KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER, "KRB5KRB_AP_ERR_BADKEYVER" },
1080 { KRB5_ET_KRB5KRB_AP_ERR_NOKEY, "KRB5KRB_AP_ERR_NOKEY" },
1081 { KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL, "KRB5KRB_AP_ERR_MUT_FAIL" },
1082 { KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION, "KRB5KRB_AP_ERR_BADDIRECTION" },
1083 { KRB5_ET_KRB5KRB_AP_ERR_METHOD, "KRB5KRB_AP_ERR_METHOD" },
1084 { KRB5_ET_KRB5KRB_AP_ERR_BADSEQ, "KRB5KRB_AP_ERR_BADSEQ" },
1085 { KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM, "KRB5KRB_AP_ERR_INAPP_CKSUM" },
1086 { KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED, "KRB5KDC_AP_PATH_NOT_ACCEPTED" },
1087 { KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG, "KRB5KRB_ERR_RESPONSE_TOO_BIG"},
1088 { KRB5_ET_KRB5KRB_ERR_GENERIC, "KRB5KRB_ERR_GENERIC" },
1089 { KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG, "KRB5KRB_ERR_FIELD_TOOLONG" },
1090 { KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED, "KDC_ERROR_CLIENT_NOT_TRUSTED" },
1091 { KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED, "KDC_ERROR_KDC_NOT_TRUSTED" },
1092 { KRB5_ET_KDC_ERROR_INVALID_SIG, "KDC_ERROR_INVALID_SIG" },
1093 { KRB5_ET_KDC_ERR_KEY_TOO_WEAK, "KDC_ERR_KEY_TOO_WEAK" },
1094 { KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH, "KDC_ERR_CERTIFICATE_MISMATCH" },
1095 { KRB5_ET_KRB_AP_ERR_NO_TGT, "KRB_AP_ERR_NO_TGT" },
1096 { KRB5_ET_KDC_ERR_WRONG_REALM, "KDC_ERR_WRONG_REALM" },
1097 { KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED, "KRB_AP_ERR_USER_TO_USER_REQUIRED" },
1098 { KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE, "KDC_ERR_CANT_VERIFY_CERTIFICATE" },
1099 { KRB5_ET_KDC_ERR_INVALID_CERTIFICATE, "KDC_ERR_INVALID_CERTIFICATE" },
1100 { KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE, "KDC_ERR_REVOKED_CERTIFICATE" },
1101 { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN, "KDC_ERR_REVOCATION_STATUS_UNKNOWN" },
1102 { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE, "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE" },
1103 { KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH, "KDC_ERR_CLIENT_NAME_MISMATCH" },
1104 { KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH, "KDC_ERR_KDC_NAME_MISMATCH" },
1109 #define PAC_LOGON_INFO 1
1110 #define PAC_CREDENTIAL_TYPE 2
1111 #define PAC_SERVER_CHECKSUM 6
1112 #define PAC_PRIVSVR_CHECKSUM 7
1113 #define PAC_CLIENT_INFO_TYPE 10
1114 static const value_string w2k_pac_types[] = {
1115 { PAC_LOGON_INFO , "Logon Info" },
1116 { PAC_CREDENTIAL_TYPE , "Credential Type" },
1117 { PAC_SERVER_CHECKSUM , "Server Checksum" },
1118 { PAC_PRIVSVR_CHECKSUM , "Privsvr Checksum" },
1119 { PAC_CLIENT_INFO_TYPE , "Client Info Type" },
1125 static const value_string krb5_princ_types[] = {
1126 { KRB5_NT_UNKNOWN , "Unknown" },
1127 { KRB5_NT_PRINCIPAL , "Principal" },
1128 { KRB5_NT_SRV_INST , "Service and Instance" },
1129 { KRB5_NT_SRV_HST , "Service and Host" },
1130 { KRB5_NT_SRV_XHST , "Service and Host Components" },
1131 { KRB5_NT_UID , "Unique ID" },
1132 { KRB5_NT_X500_PRINCIPAL , "Encoded X.509 Distinguished Name" },
1133 { KRB5_NT_SMTP_NAME , "SMTP Name" },
1134 { KRB5_NT_ENTERPRISE , "Enterprise Name" },
1135 { KRB5_NT_MS_PRINCIPAL , "NT 4.0 style name (MS specific)" },
1136 { KRB5_NT_MS_PRINCIPAL_AND_SID , "NT 4.0 style name with SID (MS specific)"},
1137 { KRB5_NT_ENT_PRINCIPAL_AND_SID, "UPN and SID (MS specific)"},
1138 { KRB5_NT_PRINCIPAL_AND_SID , "Principal name and SID (MS specific)"},
1139 { KRB5_NT_SRV_INST_AND_SID , "SPN and SID (MS specific)"},
1143 static const value_string krb5_preauthentication_types[] = {
1144 { KRB5_PA_TGS_REQ , "PA-TGS-REQ" },
1145 { KRB5_PA_ENC_TIMESTAMP , "PA-ENC-TIMESTAMP" },
1146 { KRB5_PA_PW_SALT , "PA-PW-SALT" },
1147 { KRB5_PA_ENC_ENCKEY , "PA-ENC-ENCKEY" },
1148 { KRB5_PA_ENC_UNIX_TIME , "PA-ENC-UNIX-TIME" },
1149 { KRB5_PA_ENC_SANDIA_SECURID , "PA-PW-SALT" },
1150 { KRB5_PA_SESAME , "PA-SESAME" },
1151 { KRB5_PA_OSF_DCE , "PA-OSF-DCE" },
1152 { KRB5_PA_CYBERSAFE_SECUREID , "PA-CYBERSAFE-SECURID" },
1153 { KRB5_PA_AFS3_SALT , "PA-AFS3-SALT" },
1154 { KRB5_PA_ENCTYPE_INFO , "PA-ENCTYPE-INFO" },
1155 { KRB5_PA_ENCTYPE_INFO2 , "PA-ENCTYPE-INFO2" },
1156 { KRB5_PA_SAM_CHALLENGE , "PA-SAM-CHALLENGE" },
1157 { KRB5_PA_SAM_RESPONSE , "PA-SAM-RESPONSE" },
1158 { KRB5_PA_PK_AS_REQ , "PA-PK-AS-REQ" },
1159 { KRB5_PA_PK_AS_REP , "PA-PK-AS-REP" },
1160 { KRB5_PA_DASS , "PA-DASS" },
1161 { KRB5_PA_USE_SPECIFIED_KVNO , "PA-USE-SPECIFIED-KVNO" },
1162 { KRB5_PA_SAM_REDIRECT , "PA-SAM-REDIRECT" },
1163 { KRB5_PA_GET_FROM_TYPED_DATA , "PA-GET-FROM-TYPED-DATA" },
1164 { KRB5_PA_SAM_ETYPE_INFO , "PA-SAM-ETYPE-INFO" },
1165 { KRB5_PA_ALT_PRINC , "PA-ALT-PRINC" },
1166 { KRB5_PA_SAM_CHALLENGE2 , "PA-SAM-CHALLENGE2" },
1167 { KRB5_PA_SAM_RESPONSE2 , "PA-SAM-RESPONSE2" },
1168 { KRB5_TD_PKINIT_CMS_CERTIFICATES, "TD-PKINIT-CMS-CERTIFICATES" },
1169 { KRB5_TD_KRB_PRINCIPAL , "TD-KRB-PRINCIPAL" },
1170 { KRB5_TD_KRB_REALM , "TD-KRB-REALM" },
1171 { KRB5_TD_TRUSTED_CERTIFIERS , "TD-TRUSTED-CERTIFIERS" },
1172 { KRB5_TD_CERTIFICATE_INDEX , "TD-CERTIFICATE-INDEX" },
1173 { KRB5_TD_APP_DEFINED_ERROR , "TD-APP-DEFINED-ERROR" },
1174 { KRB5_TD_REQ_NONCE , "TD-REQ-NONCE" },
1175 { KRB5_TD_REQ_SEQ , "TD-REQ-SEQ" },
1176 { KRB5_PA_PAC_REQUEST , "PA-PAC-REQUEST" },
1177 { KRB5_PA_PROV_SRV_LOCATION , "PA-PROV-SRV-LOCATION" },
1181 static const value_string krb5_encryption_types[] = {
1182 { KRB5_ENCTYPE_NULL , "NULL" },
1183 { KRB5_ENCTYPE_DES_CBC_CRC , "des-cbc-crc" },
1184 { KRB5_ENCTYPE_DES_CBC_MD4 , "des-cbc-md4" },
1185 { KRB5_ENCTYPE_DES_CBC_MD5 , "des-cbc-md5" },
1186 { KRB5_ENCTYPE_DES_CBC_RAW , "des-cbc-raw" },
1187 { KRB5_ENCTYPE_DES3_CBC_SHA , "des3-cbc-sha" },
1188 { KRB5_ENCTYPE_DES3_CBC_RAW , "des3-cbc-raw" },
1189 { KRB5_ENCTYPE_DES_HMAC_SHA1 , "des-hmac-sha1" },
1190 { KRB5_ENCTYPE_DSA_SHA1_CMS , "dsa-sha1-cms" },
1191 { KRB5_ENCTYPE_RSA_MD5_CMS , "rsa-md5-cms" },
1192 { KRB5_ENCTYPE_RSA_SHA1_CMS , "rsa-sha1-cms" },
1193 { KRB5_ENCTYPE_RC2_CBC_ENV , "rc2-cbc-env" },
1194 { KRB5_ENCTYPE_RSA_ENV , "rsa-env" },
1195 { KRB5_ENCTYPE_RSA_ES_OEAP_ENV, "rsa-es-oeap-env" },
1196 { KRB5_ENCTYPE_DES_EDE3_CBC_ENV, "des-ede3-cbc-env" },
1197 { KRB5_ENCTYPE_DES3_CBC_SHA1 , "des3-cbc-sha1" },
1198 { KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 , "aes128-cts-hmac-sha1-96" },
1199 { KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 , "aes256-cts-hmac-sha1-96" },
1200 { KRB5_ENCTYPE_DES_CBC_MD5_NT , "des-cbc-md5-nt" },
1201 { KERB_ENCTYPE_RC4_HMAC , "rc4-hmac" },
1202 { KERB_ENCTYPE_RC4_HMAC_EXP , "rc4-hmac-exp" },
1203 { KRB5_ENCTYPE_UNKNOWN , "unknown" },
1204 { KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 , "local-des3-hmac-sha1" },
1205 { KRB5_ENCTYPE_RC4_PLAIN_EXP , "rc4-plain-exp" },
1206 { KRB5_ENCTYPE_RC4_PLAIN , "rc4-plain" },
1207 { KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP, "rc4-plain-old-exp" },
1208 { KRB5_ENCTYPE_RC4_HMAC_OLD_EXP, "rc4-hmac-old-exp" },
1209 { KRB5_ENCTYPE_RC4_PLAIN_OLD , "rc4-plain-old" },
1210 { KRB5_ENCTYPE_RC4_HMAC_OLD , "rc4-hmac-old" },
1211 { KRB5_ENCTYPE_DES_PLAIN , "des-plain" },
1212 { KRB5_ENCTYPE_RC4_SHA , "rc4-sha" },
1213 { KRB5_ENCTYPE_RC4_LM , "rc4-lm" },
1214 { KRB5_ENCTYPE_RC4_PLAIN2 , "rc4-plain2" },
1215 { KRB5_ENCTYPE_RC4_MD4 , "rc4-md4" },
1219 static const value_string krb5_checksum_types[] = {
1220 { KRB5_CHKSUM_NONE , "none" },
1221 { KRB5_CHKSUM_CRC32 , "crc32" },
1222 { KRB5_CHKSUM_MD4 , "md4" },
1223 { KRB5_CHKSUM_KRB_DES_MAC , "krb-des-mac" },
1224 { KRB5_CHKSUM_KRB_DES_MAC_K , "krb-des-mac-k" },
1225 { KRB5_CHKSUM_MD5 , "md5" },
1226 { KRB5_CHKSUM_MD5_DES , "md5-des" },
1227 { KRB5_CHKSUM_MD5_DES3 , "md5-des3" },
1228 { KRB5_CHKSUM_HMAC_SHA1_DES3_KD, "hmac-sha1-des3-kd" },
1229 { KRB5_CHKSUM_HMAC_SHA1_DES3 , "hmac-sha1-des3" },
1230 { KRB5_CHKSUM_SHA1_UNKEYED , "sha1 (unkeyed)" },
1231 { KRB5_CHKSUM_HMAC_MD5 , "hmac-md5" },
1232 { KRB5_CHKSUM_MD5_HMAC , "md5-hmac" },
1233 { KRB5_CHKSUM_RC4_MD5 , "rc5-md5" },
1234 { KRB5_CHKSUM_MD25 , "md25" },
1235 { KRB5_CHKSUM_DES_MAC_MD5 , "des-mac-md5" },
1236 { KRB5_CHKSUM_DES_MAC , "des-mac" },
1237 { KRB5_CHKSUM_REAL_CRC32 , "real-crc32" },
1238 { KRB5_CHKSUM_SHA1 , "sha1" },
1239 { KRB5_CHKSUM_LM , "lm" },
1240 { KRB5_CHKSUM_GSSAPI , "gssapi-8003" },
1244 #define KRB5_AD_IF_RELEVANT 1
1245 #define KRB5_AD_INTENDED_FOR_SERVER 2
1246 #define KRB5_AD_INTENDED_FOR_APPLICATION_CLASS 3
1247 #define KRB5_AD_KDC_ISSUED 4
1248 #define KRB5_AD_OR 5
1249 #define KRB5_AD_MANDATORY_TICKET_EXTENSIONS 6
1250 #define KRB5_AD_IN_TICKET_EXTENSIONS 7
1251 #define KRB5_AD_MANDATORY_FOR_KDC 8
1252 #define KRB5_AD_OSF_DCE 64
1253 #define KRB5_AD_SESAME 65
1254 #define KRB5_AD_OSF_DCE_PKI_CERTID 66
1255 #define KRB5_AD_WIN2K_PAC 128
1256 static const value_string krb5_ad_types[] = {
1257 { KRB5_AD_IF_RELEVANT , "AD-IF-RELEVANT" },
1258 { KRB5_AD_INTENDED_FOR_SERVER , "AD-Intended-For-Server" },
1259 { KRB5_AD_INTENDED_FOR_APPLICATION_CLASS , "AD-Intended-For-Application-Class" },
1260 { KRB5_AD_KDC_ISSUED , "AD-KDCIssued" },
1261 { KRB5_AD_OR , "AD-AND-OR" },
1262 { KRB5_AD_MANDATORY_TICKET_EXTENSIONS , "AD-Mandatory-Ticket-Extensions" },
1263 { KRB5_AD_IN_TICKET_EXTENSIONS , "AD-IN-Ticket-Extensions" },
1264 { KRB5_AD_MANDATORY_FOR_KDC , "AD-MANDATORY-FOR-KDC" },
1265 { KRB5_AD_OSF_DCE , "AD-OSF-DCE" },
1266 { KRB5_AD_SESAME , "AD-SESAME" },
1267 { KRB5_AD_OSF_DCE_PKI_CERTID , "AD-OSF-DCE-PKI-CertID" },
1268 { KRB5_AD_WIN2K_PAC , "AD-Win2k-PAC" },
1272 static const value_string krb5_transited_types[] = {
1273 { 1 , "DOMAIN-X500-COMPRESS" },
1277 static const value_string krb5_address_types[] = {
1278 { KRB5_ADDR_IPv4, "IPv4"},
1279 { KRB5_ADDR_CHAOS, "CHAOS"},
1280 { KRB5_ADDR_XEROX, "XEROX"},
1281 { KRB5_ADDR_ISO, "ISO"},
1282 { KRB5_ADDR_DECNET, "DECNET"},
1283 { KRB5_ADDR_APPLETALK, "APPLETALK"},
1284 { KRB5_ADDR_NETBIOS, "NETBIOS"},
1285 { KRB5_ADDR_IPv6, "IPv6"},
1289 static const value_string krb5_msg_types[] = {
1290 { KRB5_MSG_TICKET, "Ticket" },
1291 { KRB5_MSG_AUTHENTICATOR, "Authenticator" },
1292 { KRB5_MSG_ENC_TICKET_PART, "EncTicketPart" },
1293 { KRB5_MSG_TGS_REQ, "TGS-REQ" },
1294 { KRB5_MSG_TGS_REP, "TGS-REP" },
1295 { KRB5_MSG_AS_REQ, "AS-REQ" },
1296 { KRB5_MSG_AS_REP, "AS-REP" },
1297 { KRB5_MSG_AP_REQ, "AP-REQ" },
1298 { KRB5_MSG_AP_REP, "AP-REP" },
1299 { KRB5_MSG_SAFE, "KRB-SAFE" },
1300 { KRB5_MSG_PRIV, "KRB-PRIV" },
1301 { KRB5_MSG_CRED, "KRB-CRED" },
1302 { KRB5_MSG_ENC_AS_REP_PART, "EncASRepPart" },
1303 { KRB5_MSG_ENC_TGS_REP_PART, "EncTGSRepPart" },
1304 { KRB5_MSG_ENC_AP_REP_PART, "EncAPRepPart" },
1305 { KRB5_MSG_ENC_KRB_PRIV_PART, "EncKrbPrivPart" },
1306 { KRB5_MSG_ERROR, "KRB-ERROR" },
1313 static int dissect_krb5_application_choice(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset);
1314 static int dissect_krb5_Application_1(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset);
1315 static int dissect_krb5_Authenticator(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset);
1316 static int dissect_krb5_EncTicketPart(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset);
1317 static int dissect_krb5_EncAPRepPart(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset);
1318 static int dissect_krb5_EncKrbPrivPart(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset);
1319 static int dissect_krb5_EncKDCRepPart(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset);
1320 static int dissect_krb5_KDC_REQ(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset);
1321 static int dissect_krb5_KDC_REP(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset);
1322 static int dissect_krb5_AP_REQ(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset);
1323 static int dissect_krb5_AP_REP(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset);
1324 static int dissect_krb5_SAFE(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset);
1325 static int dissect_krb5_PRIV(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset);
1326 static int dissect_krb5_ERROR(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset);
1328 static const ber_choice_t kerberos_applications_choice[] = {
1329 { KRB5_MSG_TICKET, BER_CLASS_APP, KRB5_MSG_TICKET, 0, dissect_krb5_Application_1 },
1330 { KRB5_MSG_AUTHENTICATOR, BER_CLASS_APP, KRB5_MSG_AUTHENTICATOR, 0, dissect_krb5_Authenticator },
1331 { KRB5_MSG_ENC_TICKET_PART, BER_CLASS_APP, KRB5_MSG_ENC_TICKET_PART, 0, dissect_krb5_EncTicketPart },
1332 { KRB5_MSG_AS_REQ, BER_CLASS_APP, KRB5_MSG_AS_REQ, 0, dissect_krb5_KDC_REQ },
1333 { KRB5_MSG_AS_REP, BER_CLASS_APP, KRB5_MSG_AS_REP, 0, dissect_krb5_KDC_REP },
1334 { KRB5_MSG_TGS_REQ, BER_CLASS_APP, KRB5_MSG_TGS_REQ, 0, dissect_krb5_KDC_REQ },
1335 { KRB5_MSG_TGS_REP, BER_CLASS_APP, KRB5_MSG_TGS_REP, 0, dissect_krb5_KDC_REP },
1336 { KRB5_MSG_AP_REQ, BER_CLASS_APP, KRB5_MSG_AP_REQ, 0, dissect_krb5_AP_REQ },
1337 { KRB5_MSG_AP_REP, BER_CLASS_APP, KRB5_MSG_AP_REP, 0, dissect_krb5_AP_REP },
1338 { KRB5_MSG_ENC_AS_REP_PART, BER_CLASS_APP, KRB5_MSG_ENC_AS_REP_PART, 0, dissect_krb5_EncKDCRepPart },
1339 { KRB5_MSG_ENC_TGS_REP_PART, BER_CLASS_APP, KRB5_MSG_ENC_TGS_REP_PART, 0, dissect_krb5_EncKDCRepPart },
1340 { KRB5_MSG_ENC_AP_REP_PART, BER_CLASS_APP, KRB5_MSG_ENC_AP_REP_PART, 0, dissect_krb5_EncAPRepPart },
1341 { KRB5_MSG_ENC_KRB_PRIV_PART, BER_CLASS_APP, KRB5_MSG_ENC_KRB_PRIV_PART, 0, dissect_krb5_EncKrbPrivPart },
1342 { KRB5_MSG_SAFE, BER_CLASS_APP, KRB5_MSG_SAFE, 0, dissect_krb5_SAFE },
1343 { KRB5_MSG_PRIV, BER_CLASS_APP, KRB5_MSG_PRIV, 0, dissect_krb5_PRIV },
1344 { KRB5_MSG_ERROR, BER_CLASS_APP, KRB5_MSG_ERROR, 0, dissect_krb5_ERROR },
1345 { 0, 0, 0, 0, NULL }
1350 dissect_krb5_application_choice(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1352 offset=dissect_ber_choice(pinfo, tree, tvb, offset, kerberos_applications_choice, -1, -1, NULL);
1357 static const true_false_string krb5_apoptions_use_session_key = {
1358 "USE SESSION KEY to encrypt the ticket",
1359 "Do NOT use the session key to encrypt the ticket"
1361 static const true_false_string krb5_apoptions_mutual_required = {
1362 "MUTUAL authentication is REQUIRED",
1363 "Mutual authentication is NOT required"
1366 static int *APOptions_bits[] = {
1367 &hf_krb_APOptions_use_session_key,
1368 &hf_krb_APOptions_mutual_required,
1372 dissect_krb5_APOptions(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1374 offset=dissect_ber_bitstring32(FALSE, pinfo, tree, tvb, offset, APOptions_bits, hf_krb_APOptions, ett_krb_AP_Options, NULL);
1380 static const true_false_string krb5_kdcoptions_forwardable = {
1381 "FORWARDABLE tickets are allowed/requested",
1382 "Do NOT use forwardable tickets"
1384 static const true_false_string krb5_kdcoptions_forwarded = {
1385 "This ticket has been FORWARDED",
1386 "This is NOT a forwarded ticket"
1388 static const true_false_string krb5_kdcoptions_proxyable = {
1389 "PROXIABLE tickets are allowed/requested",
1390 "Do NOT use proxiable tickets"
1392 static const true_false_string krb5_kdcoptions_proxy = {
1393 "This is a PROXY ticket",
1394 "This ticket has NOT been proxied"
1396 static const true_false_string krb5_kdcoptions_allow_postdate = {
1397 "We allow the ticket to be POSTDATED",
1398 "We do NOT allow the ticket to be postdated"
1400 static const true_false_string krb5_kdcoptions_postdated = {
1401 "This ticket is POSTDATED",
1402 "This ticket is NOT postdated"
1404 static const true_false_string krb5_kdcoptions_renewable = {
1405 "This ticket is RENEWABLE",
1406 "This ticket is NOT renewable"
1408 static const true_false_string krb5_kdcoptions_canonicalize = {
1409 "This is a request for a CANONICALIZED ticket",
1410 "This is NOT a canonicalized ticket request"
1412 static const true_false_string krb5_kdcoptions_disable_transited_check = {
1413 "Transited checking is DISABLED",
1414 "Transited checking is NOT disabled"
1416 static const true_false_string krb5_kdcoptions_renewable_ok = {
1417 "We accept RENEWED tickets",
1418 "We do NOT accept renewed tickets"
1420 static const true_false_string krb5_kdcoptions_enc_tkt_in_skey = {
1421 "ENCrypt TKT in SKEY",
1422 "Do NOT encrypt the tkt inside the skey"
1424 static const true_false_string krb5_kdcoptions_renew = {
1425 "This is a request to RENEW a ticket",
1426 "This is NOT a request to renew a ticket"
1428 static const true_false_string krb5_kdcoptions_validate = {
1429 "This is a request to VALIDATE a postdated ticket",
1430 "This is NOT a request to validate a postdated ticket"
1433 static int* KDCOptions_bits[] = {
1434 &hf_krb_KDCOptions_forwardable,
1435 &hf_krb_KDCOptions_forwarded,
1436 &hf_krb_KDCOptions_proxyable,
1437 &hf_krb_KDCOptions_proxy,
1438 &hf_krb_KDCOptions_allow_postdate,
1439 &hf_krb_KDCOptions_postdated,
1440 &hf_krb_KDCOptions_renewable,
1441 &hf_krb_KDCOptions_opt_hardware_auth,
1442 &hf_krb_KDCOptions_canonicalize,
1443 &hf_krb_KDCOptions_disable_transited_check,
1444 &hf_krb_KDCOptions_renewable_ok,
1445 &hf_krb_KDCOptions_enc_tkt_in_skey,
1446 &hf_krb_KDCOptions_renew,
1447 &hf_krb_KDCOptions_validate,
1452 dissect_krb5_KDCOptions(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1454 offset=dissect_ber_bitstring32(FALSE, pinfo, tree, tvb, offset, KDCOptions_bits, hf_krb_KDCOptions, ett_krb_KDC_Options, NULL);
1459 dissect_krb5_rtime(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1461 offset=dissect_ber_GeneralizedTime(FALSE, pinfo, tree, tvb, offset, hf_krb_rtime);
1466 dissect_krb5_ctime(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1468 offset=dissect_ber_GeneralizedTime(FALSE, pinfo, tree, tvb, offset, hf_krb_ctime);
1472 dissect_krb5_cusec(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1474 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_cusec, NULL);
1479 dissect_krb5_stime(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1481 offset=dissect_ber_GeneralizedTime(FALSE, pinfo, tree, tvb, offset, hf_krb_stime);
1485 dissect_krb5_susec(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1487 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_susec, NULL);
1493 dissect_krb5_error_code(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1495 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_error_code, &krb5_errorcode);
1496 if(krb5_errorcode && check_col(pinfo->cinfo, COL_INFO)) {
1497 col_add_fstr(pinfo->cinfo, COL_INFO,
1499 val_to_str(krb5_errorcode, krb5_error_codes,
1500 "Unknown error code %#x"));
1508 dissect_krb5_till(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1510 offset=dissect_ber_GeneralizedTime(FALSE, pinfo, tree, tvb, offset, hf_krb_till);
1514 dissect_krb5_from(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1516 offset=dissect_ber_GeneralizedTime(FALSE, pinfo, tree, tvb, offset, hf_krb_from);
1523 dissect_krb5_nonce(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1525 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_nonce, NULL);
1531 * etype[8] SEQUENCE OF INTEGER, -- EncryptionType,
1534 dissect_krb5_etype(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1538 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_etype, &etype);
1540 proto_item_append_text(tree, " %s",
1541 val_to_str(etype, krb5_encryption_types,
1546 static ber_sequence_t etype_sequence_of[1] = {
1547 { BER_CLASS_UNI, BER_UNI_TAG_INTEGER, BER_FLAGS_NOOWNTAG, dissect_krb5_etype },
1550 dissect_krb5_etype_sequence_of(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1552 offset=dissect_ber_sequence_of(FALSE, pinfo, tree, tvb, offset, etype_sequence_of, hf_krb_etypes, ett_krb_etypes);
1556 static guint32 authenticator_etype;
1558 dissect_krb5_authenticator_etype(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1560 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_etype, &authenticator_etype);
1562 proto_item_append_text(tree, " %s",
1563 val_to_str(authenticator_etype, krb5_encryption_types,
1568 static guint32 Ticket_etype;
1570 dissect_krb5_Ticket_etype(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1572 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_etype, &Ticket_etype);
1574 proto_item_append_text(tree, " %s",
1575 val_to_str(Ticket_etype, krb5_encryption_types,
1580 static guint32 AP_REP_etype;
1582 dissect_krb5_AP_REP_etype(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1584 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_etype, &AP_REP_etype);
1586 proto_item_append_text(tree, " %s",
1587 val_to_str(AP_REP_etype, krb5_encryption_types,
1592 static guint32 PA_ENC_TIMESTAMP_etype;
1594 dissect_krb5_PA_ENC_TIMESTAMP_etype(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1596 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_etype, &PA_ENC_TIMESTAMP_etype);
1598 proto_item_append_text(tree, " %s",
1599 val_to_str(PA_ENC_TIMESTAMP_etype, krb5_encryption_types,
1607 * HostAddress ::= SEQUENCE {
1608 * addr-type[0] INTEGER,
1609 * address[1] OCTET STRING
1612 static guint32 addr_type;
1613 static int dissect_krb5_addr_type(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1615 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_addr_type, &addr_type);
1618 static int dissect_krb5_address(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1625 proto_item *it=NULL;
1627 /* read header and len for the octet string */
1628 offset=dissect_ber_identifier(pinfo, tree, tvb, offset, &class, &pc, &tag);
1629 offset=dissect_ber_length(pinfo, tree, tvb, offset, &len, NULL);
1631 address_str=ep_alloc(256);
1635 case KRB5_ADDR_IPv4:
1636 it=proto_tree_add_item(tree, hf_krb_address_ip, tvb, offset, 4, FALSE);
1637 g_snprintf(address_str,256,"%d.%d.%d.%d",tvb_get_guint8(tvb, offset),tvb_get_guint8(tvb, offset+1),tvb_get_guint8(tvb, offset+2),tvb_get_guint8(tvb, offset+3));
1639 case KRB5_ADDR_NETBIOS:
1641 char netbios_name[(NETBIOS_NAME_LEN - 1)*4 + 1];
1642 int netbios_name_type;
1644 netbios_name_type = process_netbios_name(tvb_get_ptr(tvb, offset, 16), netbios_name);
1645 g_snprintf(address_str, 255, "%s<%02x>", netbios_name, netbios_name_type);
1646 it=proto_tree_add_string_format(tree, hf_krb_address_netbios, tvb, offset, 16, netbios_name, "NetBIOS Name: %s (%s)", address_str, netbios_name_type_descr(netbios_name_type));
1650 proto_tree_add_text(tree, tvb, offset, len, "KRB Address: I dont know how to parse this type of address yet");
1654 /* push it up two levels in the decode pane */
1656 proto_item_append_text(proto_item_get_parent(it), " %s",address_str);
1657 proto_item_append_text(proto_item_get_parent_nth(it, 2), " %s",address_str);
1663 static ber_sequence_t HostAddress_sequence[] = {
1664 { BER_CLASS_CON, 0, 0, dissect_krb5_addr_type },
1665 { BER_CLASS_CON, 1, 0, dissect_krb5_address },
1669 dissect_krb5_HostAddress(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1672 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, HostAddress_sequence, hf_krb_HostAddress, ett_krb_HostAddress);
1677 dissect_krb5_s_address(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1680 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, HostAddress_sequence, hf_krb_s_address, ett_krb_s_address);
1686 * HostAddresses ::= SEQUENCE OF SEQUENCE {
1687 * addr-type[0] INTEGER,
1688 * address[1] OCTET STRING
1692 static ber_sequence_t HostAddresses_sequence_of[1] = {
1693 { BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_krb5_HostAddress },
1696 dissect_krb5_HostAddresses(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1698 offset=dissect_ber_sequence_of(FALSE, pinfo, tree, tvb, offset, HostAddresses_sequence_of, hf_krb_HostAddresses, ett_krb_HostAddresses);
1706 dissect_krb5_msg_type(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1710 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_msg_type, &msgtype);
1712 if (do_col_info & check_col(pinfo->cinfo, COL_INFO)) {
1713 col_add_str(pinfo->cinfo, COL_INFO,
1714 val_to_str(msgtype, krb5_msg_types,
1715 "Unknown msg type %#x"));
1719 /* append the application type to the subtree */
1720 proto_item_append_text(tree, " %s", val_to_str(msgtype, krb5_msg_types, "Unknown:0x%x"));
1728 dissect_krb5_pvno(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1730 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_pvno, NULL);
1737 * PrincipalName ::= SEQUENCE {
1738 * name-type[0] INTEGER,
1739 * name-string[1] SEQUENCE OF GeneralString
1744 dissect_krb5_name_type(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1747 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_name_type, &name_type);
1749 proto_item_append_text(tree, " (%s):",
1750 val_to_str(name_type, krb5_princ_types,
1755 static char name_string_separator;
1757 dissect_krb5_name_string(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1759 char name_string[256];
1761 offset=dissect_ber_GeneralString(pinfo, tree, tvb, offset, hf_krb_name_string, name_string, 255);
1763 proto_item_append_text(tree, "%c%s", name_string_separator, name_string);
1764 name_string_separator='/';
1769 static ber_sequence_t name_stringe_sequence_of[1] = {
1770 { BER_CLASS_UNI, BER_UNI_TAG_GeneralString, BER_FLAGS_NOOWNTAG, dissect_krb5_name_string },
1773 dissect_krb5_name_strings(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1775 name_string_separator=' ';
1776 offset=dissect_ber_sequence_of(FALSE, pinfo, tree, tvb, offset, name_stringe_sequence_of, -1, -1);
1780 static ber_sequence_t PrincipalName_sequence[] = {
1781 { BER_CLASS_CON, 0, 0, dissect_krb5_name_type },
1782 { BER_CLASS_CON, 1, 0, dissect_krb5_name_strings },
1786 dissect_krb5_sname(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1789 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, PrincipalName_sequence, hf_krb_sname, ett_krb_sname);
1794 dissect_krb5_cname(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1797 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, PrincipalName_sequence, hf_krb_cname, ett_krb_cname);
1804 dissect_krb5_realm(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1806 offset=dissect_ber_GeneralString(pinfo, tree, tvb, offset, hf_krb_realm, NULL, 0);
1811 dissect_krb5_crealm(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1813 offset=dissect_ber_GeneralString(pinfo, tree, tvb, offset, hf_krb_crealm, NULL, 0);
1820 dissect_krb5_PA_PAC_REQUEST_flag(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1822 offset=dissect_ber_boolean(FALSE, pinfo, tree, tvb, offset, hf_krb_PA_PAC_REQUEST_flag);
1827 static ber_sequence_t PA_PAC_REQUEST_sequence[] = {
1828 { BER_CLASS_CON, 0, 0, dissect_krb5_PA_PAC_REQUEST_flag },
1832 dissect_krb5_PA_PAC_REQUEST(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1835 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, PA_PAC_REQUEST_sequence, -1, -1);
1844 dissect_krb5_PA_PROV_SRV_LOCATION(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1846 offset=dissect_ber_GeneralString(pinfo, tree, tvb, offset, hf_krb_provsrv_location, NULL, 0);
1854 dissect_krb5_kvno(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1856 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_kvno, NULL);
1864 dissect_krb5_seq_number(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1866 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_seq_number, NULL);
1874 dissect_krb5_patimestamp(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1876 offset=dissect_ber_GeneralizedTime(FALSE, pinfo, tree, tvb, offset, hf_krb_patimestamp);
1879 #ifdef HAVE_KERBEROS
1881 dissect_krb5_pausec(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1883 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_pausec, NULL);
1886 static const ber_sequence_t PA_ENC_TS_ENC_sequence[] = {
1887 { BER_CLASS_CON, 0, 0, dissect_krb5_patimestamp },
1888 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_krb5_pausec },
1892 dissect_krb5_decrypt_PA_ENC_TIMESTAMP (packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1894 guint8 *plaintext=NULL;
1897 length=tvb_length_remaining(tvb, offset);
1899 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
1901 * AS-REQ PA_ENC_TIMESTAMP are encrypted with usage
1905 plaintext=decrypt_krb5_data(tree, pinfo, 1, length, tvb_get_ptr(tvb, offset, length), PA_ENC_TIMESTAMP_etype);
1910 next_tvb = tvb_new_real_data (plaintext,
1913 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
1915 /* Add the decrypted data to the data source list. */
1916 add_new_data_source(pinfo, next_tvb, "Decrypted Krb5");
1919 offset=dissect_ber_sequence(FALSE, pinfo, tree, next_tvb, 0, PA_ENC_TS_ENC_sequence, -1, -1);
1928 dissect_krb5_encrypted_PA_ENC_TIMESTAMP(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1930 #ifdef HAVE_KERBEROS
1931 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_encrypted_PA_ENC_TIMESTAMP, dissect_krb5_decrypt_PA_ENC_TIMESTAMP);
1933 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_encrypted_PA_ENC_TIMESTAMP, NULL);
1937 static ber_sequence_t PA_ENC_TIMESTAMP_sequence[] = {
1938 { BER_CLASS_CON, 0, 0,
1939 dissect_krb5_PA_ENC_TIMESTAMP_etype },
1940 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
1941 dissect_krb5_kvno },
1942 { BER_CLASS_CON, 2, 0,
1943 dissect_krb5_encrypted_PA_ENC_TIMESTAMP },
1947 dissect_krb5_PA_ENC_TIMESTAMP(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1949 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, PA_ENC_TIMESTAMP_sequence, -1, -1);
1957 dissect_krb5_etype_info_salt(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1959 offset=dissect_ber_octet_string(FALSE, pinfo, tree, tvb, offset, hf_krb_etype_info_salt, NULL);
1964 dissect_krb5_etype_info2_salt(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1966 offset=dissect_ber_GeneralString(pinfo, tree, tvb, offset, hf_krb_etype_info2_salt, NULL, 0);
1971 dissect_krb5_etype_info2_s2kparams(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1973 offset=dissect_ber_octet_string(FALSE, pinfo, tree, tvb, offset, hf_krb_etype_info2_s2kparams, NULL);
1977 static ber_sequence_t PA_ENCTYPE_INFO_ENTRY_sequence[] = {
1978 { BER_CLASS_CON, 0, 0,
1979 dissect_krb5_etype },
1980 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
1981 dissect_krb5_etype_info_salt },
1985 dissect_krb5_PA_ENCTYPE_INFO_ENTRY(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1987 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, PA_ENCTYPE_INFO_ENTRY_sequence, -1, -1);
1992 static ber_sequence_t PA_ENCTYPE_INFO_sequence_of[1] = {
1993 { BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_krb5_PA_ENCTYPE_INFO_ENTRY },
1996 dissect_krb5_PA_ENCTYPE_INFO(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
1998 offset=dissect_ber_sequence_of(FALSE, pinfo, tree, tvb, offset, PA_ENCTYPE_INFO_sequence_of, -1, -1);
2003 static ber_sequence_t PA_ENCTYPE_INFO2_ENTRY_sequence[] = {
2004 { BER_CLASS_CON, 0, 0,
2005 dissect_krb5_etype },
2006 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
2007 dissect_krb5_etype_info2_salt },
2008 { BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL,
2009 dissect_krb5_etype_info2_s2kparams },
2013 dissect_krb5_PA_ENCTYPE_INFO2_ENTRY(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2015 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, PA_ENCTYPE_INFO2_ENTRY_sequence, -1, -1);
2020 static ber_sequence_t PA_ENCTYPE_INFO2_sequence_of[1] = {
2021 { BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_krb5_PA_ENCTYPE_INFO2_ENTRY },
2024 dissect_krb5_PA_ENCTYPE_INFO2(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2026 offset=dissect_ber_sequence_of(FALSE, pinfo, tree, tvb, offset, PA_ENCTYPE_INFO2_sequence_of, -1, -1);
2032 * PA-DATA ::= SEQUENCE {
2033 * padata-type[1] INTEGER,
2034 * padata-value[2] OCTET STRING,
2035 * -- might be encoded AP-REQ
2038 guint32 krb_PA_DATA_type;
2040 dissect_krb5_PA_DATA_type(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2042 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_PA_DATA_type, &krb_PA_DATA_type);
2043 krb_PA_DATA_type&=0xff; /*this is really just one single byte */
2046 proto_item_append_text(tree, " %s",
2047 val_to_str(krb_PA_DATA_type, krb5_preauthentication_types,
2053 dissect_krb5_PA_DATA_value(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2055 proto_tree *tree=parent_tree;
2057 if(ber_last_created_item){
2058 tree=proto_item_add_subtree(ber_last_created_item, ett_krb_PA_DATA_tree);
2062 switch(krb_PA_DATA_type){
2063 case KRB5_PA_TGS_REQ:
2064 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_application_choice);
2066 case KRB5_PA_PK_AS_REQ:
2067 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_pkinit_PA_PK_AS_REQ);
2069 case KRB5_PA_PK_AS_REP:
2070 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_pkinit_PA_PK_AS_REP);
2072 case KRB5_PA_PAC_REQUEST:
2073 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PA_PAC_REQUEST);
2075 case KRB5_PA_PROV_SRV_LOCATION:
2076 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PA_PROV_SRV_LOCATION);
2078 case KRB5_PA_ENC_TIMESTAMP:
2079 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PA_ENC_TIMESTAMP);
2081 case KRB5_PA_ENCTYPE_INFO:
2082 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PA_ENCTYPE_INFO);
2084 case KRB5_PA_ENCTYPE_INFO2:
2085 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PA_ENCTYPE_INFO2);
2088 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset,hf_krb_PA_DATA_value, NULL);
2094 static ber_sequence_t PA_DATA_sequence[] = {
2095 { BER_CLASS_CON, 1, 0, dissect_krb5_PA_DATA_type },
2096 { BER_CLASS_CON, 2, 0, dissect_krb5_PA_DATA_value },
2100 dissect_krb5_PA_DATA(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2102 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, PA_DATA_sequence, -1, -1);
2111 * padata[3] SEQUENCE OF PA-DATA OPTIONAL,
2114 static ber_sequence_t PA_DATA_sequence_of[1] = {
2115 { BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_krb5_PA_DATA },
2118 dissect_krb5_padata(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2120 offset=dissect_ber_sequence_of(FALSE, pinfo, tree, tvb, offset, PA_DATA_sequence_of, hf_krb_padata, ett_krb_padata);
2128 static const true_false_string krb5_ticketflags_forwardable = {
2129 "FORWARDABLE tickets are allowed/requested",
2130 "Do NOT use forwardable tickets"
2132 static const true_false_string krb5_ticketflags_forwarded = {
2133 "This ticket has been FORWARDED",
2134 "This is NOT a forwarded ticket"
2136 static const true_false_string krb5_ticketflags_proxyable = {
2137 "PROXIABLE tickets are allowed/requested",
2138 "Do NOT use proxiable tickets"
2140 static const true_false_string krb5_ticketflags_proxy = {
2141 "This is a PROXY ticket",
2142 "This ticket has NOT been proxied"
2144 static const true_false_string krb5_ticketflags_allow_postdate = {
2145 "We allow the ticket to be POSTDATED",
2146 "We do NOT allow the ticket to be postdated"
2148 static const true_false_string krb5_ticketflags_postdated = {
2149 "This ticket is POSTDATED",
2150 "This ticket is NOT postdated"
2152 static const true_false_string krb5_ticketflags_invalid = {
2153 "This ticket is INVALID",
2154 "This ticket is NOT invalid"
2156 static const true_false_string krb5_ticketflags_renewable = {
2157 "This ticket is RENEWABLE",
2158 "This ticket is NOT renewable"
2160 static const true_false_string krb5_ticketflags_initial = {
2161 "This ticket was granted by AS and not TGT protocol",
2162 "This ticket was granted by TGT and not as protocol"
2164 static const true_false_string krb5_ticketflags_pre_auth = {
2165 "The client was PRE-AUTHenticated",
2166 "The client was NOT pre-authenticated"
2168 static const true_false_string krb5_ticketflags_hw_auth = {
2169 "The client was authenticated by HardWare",
2170 "The client was NOT authenticated using hardware"
2172 static const true_false_string krb5_ticketflags_transited_policy_checked = {
2173 "Kdc has performed TRANSITED POLICY CHECKING",
2174 "Kdc has NOT performed transited policy checking"
2176 static const true_false_string krb5_ticketflags_ok_as_delegate = {
2177 "This ticket is OK AS a DELEGATED ticket",
2178 "This ticket is NOT ok as a delegated ticket"
2181 static int* TicketFlags_bits[] = {
2182 &hf_krb_TicketFlags_forwardable,
2183 &hf_krb_TicketFlags_forwarded,
2184 &hf_krb_TicketFlags_proxyable,
2185 &hf_krb_TicketFlags_proxy,
2186 &hf_krb_TicketFlags_allow_postdate,
2187 &hf_krb_TicketFlags_postdated,
2188 &hf_krb_TicketFlags_invalid,
2189 &hf_krb_TicketFlags_renewable,
2190 &hf_krb_TicketFlags_initial,
2191 &hf_krb_TicketFlags_pre_auth,
2192 &hf_krb_TicketFlags_hw_auth,
2193 &hf_krb_TicketFlags_transited_policy_checked,
2194 &hf_krb_TicketFlags_ok_as_delegate,
2199 dissect_krb5_TicketFlags(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2201 offset=dissect_ber_bitstring32(FALSE, pinfo, tree, tvb, offset, TicketFlags_bits, hf_krb_TicketFlags, ett_krb_Ticket_Flags, NULL);
2206 static guint32 keytype;
2208 dissect_krb5_keytype(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2210 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_keytype, &keytype);
2212 proto_item_append_text(tree, " %s",
2213 val_to_str(keytype, krb5_encryption_types,
2218 static int keylength;
2219 static const guint8 *keyvalue;
2221 store_keyvalue(packet_info *pinfo _U_, proto_tree *tree _U_, tvbuff_t *tvb, int offset)
2223 keylength=tvb_length_remaining(tvb, offset);
2224 keyvalue=tvb_get_ptr(tvb, offset, keylength);
2228 dissect_krb5_keyvalue(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2230 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_keyvalue, store_keyvalue);
2236 * EncryptionKey ::= SEQUENCE {
2238 * keyvalue [1] octet string
2240 static ber_sequence_t EncryptionKey_sequence[] = {
2241 { BER_CLASS_CON, 0, 0,
2242 dissect_krb5_keytype },
2243 { BER_CLASS_CON, 1, 0,
2244 dissect_krb5_keyvalue },
2248 dissect_krb5_key(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2250 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, EncryptionKey_sequence, hf_krb_key, ett_krb_key);
2252 #ifdef HAVE_KERBEROS
2253 add_encryption_key(pinfo, keytype, keylength, keyvalue, "key");
2258 dissect_krb5_subkey(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2260 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, EncryptionKey_sequence, hf_krb_subkey, ett_krb_subkey);
2261 #ifdef HAVE_KERBEROS
2262 add_encryption_key(pinfo, keytype, keylength, keyvalue, "subkey");
2270 dissect_krb5_PAC_LOGON_INFO(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2272 proto_item *item=NULL;
2273 proto_tree *tree=NULL;
2274 guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
2275 dcerpc_info di; /* fake dcerpc_info struct */
2276 void *old_private_data;
2278 item=proto_tree_add_item(parent_tree, hf_krb_PAC_LOGON_INFO, tvb, offset, tvb_length_remaining(tvb, offset), FALSE);
2280 tree=proto_item_add_subtree(item, ett_krb_PAC_LOGON_INFO);
2283 /* skip the first 20 bytes, they look like a unique ndr pointer
2284 followed by (where did it come from?) a contect_handle ?*/
2285 proto_tree_add_text(tree, tvb, offset, 20, "unknown: is this an undocumented policy handle?");
2289 /* the PAC_LOGON_INFO blob */
2290 /* fake whatever state the dcerpc runtime support needs */
2291 di.conformant_run=0;
2293 old_private_data=pinfo->private_data;
2294 pinfo->private_data=&di;
2295 init_ndr_pointer_list(pinfo);
2296 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2297 netlogon_dissect_PAC_LOGON_INFO, NDR_POINTER_REF,
2298 "PAC_LOGON_INFO:", -1);
2299 pinfo->private_data=old_private_data;
2305 dissect_krb5_PAC_CREDENTIAL_TYPE(packet_info *pinfo _U_, proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2307 proto_item *item=NULL;
2308 proto_tree *tree=NULL;
2310 item=proto_tree_add_item(parent_tree, hf_krb_PAC_CREDENTIAL_TYPE, tvb, offset, tvb_length_remaining(tvb, offset), FALSE);
2312 tree=proto_item_add_subtree(item, ett_krb_PAC_CREDENTIAL_TYPE);
2320 dissect_krb5_PAC_SERVER_CHECKSUM(packet_info *pinfo _U_, proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2322 proto_item *item=NULL;
2323 proto_tree *tree=NULL;
2325 item=proto_tree_add_item(parent_tree, hf_krb_PAC_SERVER_CHECKSUM, tvb, offset, tvb_length_remaining(tvb, offset), FALSE);
2327 tree=proto_item_add_subtree(item, ett_krb_PAC_SERVER_CHECKSUM);
2330 /* signature type */
2331 proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, TRUE);
2334 /* signature data */
2335 proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, tvb_length_remaining(tvb, offset), FALSE);
2341 dissect_krb5_PAC_PRIVSVR_CHECKSUM(packet_info *pinfo _U_, proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2343 proto_item *item=NULL;
2344 proto_tree *tree=NULL;
2346 item=proto_tree_add_item(parent_tree, hf_krb_PAC_PRIVSVR_CHECKSUM, tvb, offset, tvb_length_remaining(tvb, offset), FALSE);
2348 tree=proto_item_add_subtree(item, ett_krb_PAC_PRIVSVR_CHECKSUM);
2351 /* signature type */
2352 proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, TRUE);
2355 /* signature data */
2356 proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, tvb_length_remaining(tvb, offset), FALSE);
2362 dissect_krb5_PAC_CLIENT_INFO_TYPE(packet_info *pinfo _U_, proto_tree *parent_tree, tvbuff_t *tvb, int offset)
2364 proto_item *item=NULL;
2365 proto_tree *tree=NULL;
2369 item=proto_tree_add_item(parent_tree, hf_krb_PAC_CLIENT_INFO_TYPE, tvb, offset, tvb_length_remaining(tvb, offset), FALSE);
2371 tree=proto_item_add_subtree(item, ett_krb_PAC_CLIENT_INFO_TYPE);
2375 offset = dissect_nt_64bit_time(tvb, tree, offset,
2376 hf_krb_pac_clientid);
2379 namelen=tvb_get_letohs(tvb, offset);
2380 proto_tree_add_uint(tree, hf_krb_pac_namelen, tvb, offset, 2, namelen);
2384 name=tvb_get_ephemeral_faked_unicode(tvb, offset, namelen/2, TRUE);
2385 proto_tree_add_string(tree, hf_krb_pac_clientname, tvb, offset, namelen, name);
2392 dissect_krb5_AD_WIN2K_PAC_struct(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2397 proto_item *it=NULL;
2398 proto_tree *tr=NULL;
2401 /* type of pac data */
2402 pac_type=tvb_get_letohl(tvb, offset);
2403 it=proto_tree_add_uint(tree, hf_krb_w2k_pac_type, tvb, offset, 4, pac_type);
2405 tr=proto_item_add_subtree(it, ett_krb_PAC);
2410 /* size of pac data */
2411 pac_size=tvb_get_letohl(tvb, offset);
2412 proto_tree_add_uint(tr, hf_krb_w2k_pac_size, tvb, offset, 4, pac_size);
2415 /* offset to pac data */
2416 pac_offset=tvb_get_letohl(tvb, offset);
2417 proto_tree_add_uint(tr, hf_krb_w2k_pac_offset, tvb, offset, 4, pac_offset);
2421 next_tvb=tvb_new_subset(tvb, pac_offset, pac_size, pac_size);
2423 case PAC_LOGON_INFO:
2424 dissect_krb5_PAC_LOGON_INFO(pinfo, tr, next_tvb, 0);
2426 case PAC_CREDENTIAL_TYPE:
2427 dissect_krb5_PAC_CREDENTIAL_TYPE(pinfo, tr, next_tvb, 0);
2429 case PAC_SERVER_CHECKSUM:
2430 dissect_krb5_PAC_SERVER_CHECKSUM(pinfo, tr, next_tvb, 0);
2432 case PAC_PRIVSVR_CHECKSUM:
2433 dissect_krb5_PAC_PRIVSVR_CHECKSUM(pinfo, tr, next_tvb, 0);
2435 case PAC_CLIENT_INFO_TYPE:
2436 dissect_krb5_PAC_CLIENT_INFO_TYPE(pinfo, tr, next_tvb, 0);
2445 dissect_krb5_AD_WIN2K_PAC(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2451 /* first in the PAC structure comes the number of entries */
2452 entries=tvb_get_letohl(tvb, offset);
2453 proto_tree_add_uint(tree, hf_krb_w2k_pac_entries, tvb, offset, 4, entries);
2456 /* second comes the version */
2457 version=tvb_get_letohl(tvb, offset);
2458 proto_tree_add_uint(tree, hf_krb_w2k_pac_version, tvb, offset, 4, version);
2461 for(i=0;i<entries;i++){
2462 offset=dissect_krb5_AD_WIN2K_PAC_struct(pinfo, tree, tvb, offset);
2468 static guint32 IF_RELEVANT_type;
2470 dissect_krb5_IF_RELEVANT_type(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2472 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_IF_RELEVANT_type, &IF_RELEVANT_type);
2474 proto_item_append_text(tree, " %s",
2475 val_to_str(IF_RELEVANT_type, krb5_ad_types,
2481 dissect_krb5_IF_RELEVANT_value(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2483 switch(IF_RELEVANT_type){
2484 case KRB5_AD_WIN2K_PAC:
2485 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_advalue, dissect_krb5_AD_WIN2K_PAC);
2488 offset=dissect_ber_octet_string(FALSE, pinfo, tree, tvb, offset, hf_krb_IF_RELEVANT_value, NULL);
2492 static ber_sequence_t IF_RELEVANT_item_sequence[] = {
2493 { BER_CLASS_CON, 0, 0,
2494 dissect_krb5_IF_RELEVANT_type },
2495 { BER_CLASS_CON, 1, 0,
2496 dissect_krb5_IF_RELEVANT_value },
2500 dissect_krb5_IF_RELEVANT_item(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2502 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, IF_RELEVANT_item_sequence, hf_krb_IF_RELEVANT, ett_krb_IF_RELEVANT);
2507 static ber_sequence_t IF_RELEVANT_sequence_of[1] = {
2508 { BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_krb5_IF_RELEVANT_item },
2512 dissect_krb5_IF_RELEVANT(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2514 offset=dissect_ber_sequence_of(FALSE, pinfo, tree, tvb, offset, IF_RELEVANT_sequence_of, -1, -1);
2519 static guint32 adtype;
2521 dissect_krb5_adtype(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2523 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_adtype, &adtype);
2525 proto_item_append_text(tree, " %s",
2526 val_to_str(adtype, krb5_ad_types,
2532 dissect_krb5_advalue(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2535 case KRB5_AD_IF_RELEVANT:
2536 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_advalue, dissect_krb5_IF_RELEVANT);
2539 offset=dissect_ber_octet_string(FALSE, pinfo, tree, tvb, offset, hf_krb_advalue, NULL);
2544 * AuthorizationData ::= SEQUENCE {
2546 * ad-data [1] octet string
2548 static ber_sequence_t AuthorizationData_item_sequence[] = {
2549 { BER_CLASS_CON, 0, 0,
2550 dissect_krb5_adtype },
2551 { BER_CLASS_CON, 1, 0,
2552 dissect_krb5_advalue },
2556 dissect_krb5_AuthorizationData_item(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2558 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, AuthorizationData_item_sequence, hf_krb_AuthorizationData, ett_krb_AuthorizationData);
2563 static ber_sequence_t AuthorizationData_sequence_of[1] = {
2564 { BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_krb5_AuthorizationData_item },
2567 dissect_krb5_AuthorizationData(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2569 offset=dissect_ber_sequence_of(FALSE, pinfo, tree, tvb, offset, AuthorizationData_sequence_of, -1, -1);
2576 dissect_krb5_transited_type(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2580 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_transitedtype, &trtype);
2582 proto_item_append_text(tree, " %s",
2583 val_to_str(trtype, krb5_transited_types,
2590 dissect_krb5_transited_contents(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2592 offset=dissect_ber_octet_string(FALSE, pinfo, tree, tvb, offset, hf_krb_transitedcontents, NULL);
2597 * TransitedEncoding ::= SEQUENCE {
2599 * contents [1] octet string
2601 static ber_sequence_t TransitedEncoding_sequence[] = {
2602 { BER_CLASS_CON, 0, 0,
2603 dissect_krb5_transited_type },
2604 { BER_CLASS_CON, 1, 0,
2605 dissect_krb5_transited_contents },
2609 dissect_krb5_transited(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2611 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, TransitedEncoding_sequence, hf_krb_TransitedEncoding, ett_krb_TransitedEncoding);
2618 dissect_krb5_authtime(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2620 offset=dissect_ber_GeneralizedTime(FALSE, pinfo, tree, tvb, offset, hf_krb_authtime);
2624 dissect_krb5_starttime(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2626 offset=dissect_ber_GeneralizedTime(FALSE, pinfo, tree, tvb, offset, hf_krb_starttime);
2630 dissect_krb5_endtime(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2632 offset=dissect_ber_GeneralizedTime(FALSE, pinfo, tree, tvb, offset, hf_krb_endtime);
2636 dissect_krb5_renew_till(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2638 offset=dissect_ber_GeneralizedTime(FALSE, pinfo, tree, tvb, offset, hf_krb_renew_till);
2643 * EncTicketPart ::= SEQUENCE {
2644 * flags [0] TicketFlags,
2645 * key [1] EncryptionKey,
2647 * cname [3] PrincipalName,
2648 * transited [4] TransitedEncoding,
2649 * authtime [5] KerberosTime,
2650 * starttime [6] KerberosTime OPTIONAL,
2651 * endtime [7] KerberosTime,
2652 * renew-till [8] KerberosTime OPTIONAL,
2653 * caddr [9] HostAddresses OPTIONAL,
2654 * authorization-data [10] AuthorizationData OPTIONAL
2657 static ber_sequence_t EncTicketPart_sequence[] = {
2658 { BER_CLASS_CON, 0, 0,
2659 dissect_krb5_TicketFlags },
2660 { BER_CLASS_CON, 1, 0,
2662 { BER_CLASS_CON, 2, 0,
2663 dissect_krb5_crealm },
2664 { BER_CLASS_CON, 3, 0,
2665 dissect_krb5_cname },
2666 { BER_CLASS_CON, 4, 0,
2667 dissect_krb5_transited },
2668 { BER_CLASS_CON, 5, 0,
2669 dissect_krb5_authtime },
2670 { BER_CLASS_CON, 6, BER_FLAGS_OPTIONAL,
2671 dissect_krb5_starttime },
2672 { BER_CLASS_CON, 7, 0,
2673 dissect_krb5_endtime },
2674 { BER_CLASS_CON, 8, BER_FLAGS_OPTIONAL,
2675 dissect_krb5_renew_till },
2676 { BER_CLASS_CON, 9, BER_FLAGS_OPTIONAL,
2677 dissect_krb5_HostAddresses },
2678 { BER_CLASS_CON, 10, BER_FLAGS_OPTIONAL,
2679 dissect_krb5_AuthorizationData },
2683 dissect_krb5_EncTicketPart(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2685 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, EncTicketPart_sequence, hf_krb_EncTicketPart, ett_krb_EncTicketPart);
2696 * EncAPRepPart ::= SEQUENCE {
2697 * ctime [0] KerberosTime
2698 * cusec [1] Microseconds
2699 * subkey [2] encryptionKey OPTIONAL
2700 * seq-number [3] uint32 OPTIONAL
2703 static ber_sequence_t EncAPRepPart_sequence[] = {
2704 { BER_CLASS_CON, 0, 0,
2705 dissect_krb5_ctime },
2706 { BER_CLASS_CON, 1, 0,
2707 dissect_krb5_cusec },
2708 { BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL,
2709 dissect_krb5_subkey },
2710 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
2711 dissect_krb5_seq_number },
2715 dissect_krb5_EncAPRepPart(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2717 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, EncAPRepPart_sequence, hf_krb_EncAPRepPart, ett_krb_EncAPRepPart);
2724 static guint32 lr_type;
2725 static const value_string krb5_lr_types[] = {
2726 { 0 , "No information available" },
2727 { 1 , "Time of last initial TGT request" },
2728 { 2 , "Time of last initial request" },
2729 { 3 , "Time of issue of latest TGT ticket" },
2730 { 4 , "Time of last renewal" },
2731 { 5 , "Time of last request" },
2732 { 6 , "Time when password will expire" },
2733 { 7 , "Time when account will expire" },
2737 dissect_krb5_lr_type(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2739 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_lr_type, &lr_type);
2744 dissect_krb5_lr_value(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2746 offset=dissect_ber_GeneralizedTime(FALSE, pinfo, tree, tvb, offset, hf_krb_lr_time);
2751 static ber_sequence_t LastReq_sequence[] = {
2752 { BER_CLASS_CON, 0, 0,
2753 dissect_krb5_lr_type },
2754 { BER_CLASS_CON, 1, 0,
2755 dissect_krb5_lr_value },
2759 dissect_krb5_LastReq(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2761 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, LastReq_sequence, hf_krb_LastReq, ett_krb_LastReq);
2765 static ber_sequence_t LastReq_sequence_of[1] = {
2766 { BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_krb5_LastReq },
2769 dissect_krb5_LastReq_sequence_of(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2771 offset=dissect_ber_sequence_of(FALSE, pinfo, tree, tvb, offset, LastReq_sequence_of, hf_krb_LastReqs, ett_krb_LastReqs);
2777 dissect_krb5_key_expiration(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2779 offset=dissect_ber_GeneralizedTime(FALSE, pinfo, tree, tvb, offset, hf_krb_key_expire);
2783 static ber_sequence_t EncKDCRepPart_sequence[] = {
2784 { BER_CLASS_CON, 0, 0,
2786 { BER_CLASS_CON, 1, 0,
2787 dissect_krb5_LastReq_sequence_of },
2788 { BER_CLASS_CON, 2, 0,
2789 dissect_krb5_nonce },
2790 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
2791 dissect_krb5_key_expiration },
2792 { BER_CLASS_CON, 4, 0,
2793 dissect_krb5_TicketFlags },
2794 { BER_CLASS_CON, 5, 0,
2795 dissect_krb5_authtime },
2796 { BER_CLASS_CON, 6, BER_FLAGS_OPTIONAL,
2797 dissect_krb5_starttime },
2798 { BER_CLASS_CON, 7, 0,
2799 dissect_krb5_endtime },
2800 { BER_CLASS_CON, 8, BER_FLAGS_OPTIONAL,
2801 dissect_krb5_renew_till },
2802 { BER_CLASS_CON, 9, 0,
2803 dissect_krb5_realm },
2804 { BER_CLASS_CON, 10, 0,
2805 dissect_krb5_sname },
2806 { BER_CLASS_CON, 11, BER_FLAGS_OPTIONAL,
2807 dissect_krb5_HostAddresses },
2811 dissect_krb5_EncKDCRepPart(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2813 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, EncKDCRepPart_sequence, hf_krb_EncKDCRepPart, ett_krb_EncKDCRepPart);
2820 dissect_krb5_authenticator_vno(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2822 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_authenticator_vno, NULL);
2829 dissect_krb5_checksum_type(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2831 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_checksum_type, NULL);
2836 dissect_krb5_checksum_checksum(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2838 offset=dissect_ber_octet_string(FALSE, pinfo, tree, tvb, offset, hf_krb_checksum_checksum, NULL);
2843 * Checksum ::= SEQUENCE {
2846 static ber_sequence_t Checksum_sequence[] = {
2847 { BER_CLASS_CON, 0, 0,
2848 dissect_krb5_checksum_type },
2849 { BER_CLASS_CON, 1, 0,
2850 dissect_krb5_checksum_checksum },
2854 dissect_krb5_Checksum(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2856 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, Checksum_sequence, hf_krb_Checksum, ett_krb_Checksum);
2862 * Authenticator ::= SEQUENCE {
2863 * authenticator-vno [0] integer
2865 * cname [2] PrincipalName
2866 * cksum [3] Checksum OPTIONAL
2867 * cusec [4] Microseconds
2868 * ctime [5] KerberosTime
2869 * subkey [6] encryptionKey OPTIONAL
2870 * seq-number [7] uint32 OPTIONAL
2871 * authorization-data [8] AuthorizationData OPTIONAL
2874 static ber_sequence_t Authenticator_sequence[] = {
2875 { BER_CLASS_CON, 0, 0,
2876 dissect_krb5_authenticator_vno },
2877 { BER_CLASS_CON, 1, 0,
2878 dissect_krb5_crealm },
2879 { BER_CLASS_CON, 2, 0,
2880 dissect_krb5_cname },
2881 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
2882 dissect_krb5_Checksum },
2883 { BER_CLASS_CON, 4, 0,
2884 dissect_krb5_cusec },
2885 { BER_CLASS_CON, 5, 0,
2886 dissect_krb5_ctime },
2887 { BER_CLASS_CON, 6, BER_FLAGS_OPTIONAL,
2888 dissect_krb5_subkey },
2889 { BER_CLASS_CON, 7, BER_FLAGS_OPTIONAL,
2890 dissect_krb5_seq_number },
2891 { BER_CLASS_CON, 8, BER_FLAGS_OPTIONAL,
2892 dissect_krb5_AuthorizationData },
2896 dissect_krb5_Authenticator(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2898 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, Authenticator_sequence, hf_krb_Authenticator, ett_krb_Authenticator);
2905 dissect_krb5_PRIV_BODY_user_data(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2908 offset=dissect_ber_octet_string(FALSE, pinfo, tree, tvb, offset, hf_krb_PRIV_BODY_user_data, &new_tvb);
2911 call_kerberos_callbacks(pinfo, tree, new_tvb, KRB_CBTAG_PRIV_USER_DATA);
2916 static ber_sequence_t EncKrbPrivPart_sequence[] = {
2917 { BER_CLASS_CON, 0, 0,
2918 dissect_krb5_PRIV_BODY_user_data },
2919 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
2920 dissect_krb5_patimestamp },
2921 { BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL,
2922 dissect_krb5_cusec },
2923 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
2924 dissect_krb5_seq_number },
2925 { BER_CLASS_CON, 4, 0,
2926 dissect_krb5_s_address },
2927 { BER_CLASS_CON, 5, BER_FLAGS_OPTIONAL,
2928 dissect_krb5_HostAddresses },
2932 dissect_krb5_EncKrbPrivPart(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2934 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, EncKrbPrivPart_sequence, hf_krb_EncKrbPrivPart, ett_krb_EncKrbPrivPart);
2939 static guint32 PRIV_etype;
2941 dissect_krb5_PRIV_etype(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2943 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_etype, &PRIV_etype);
2945 proto_item_append_text(tree, " %s",
2946 val_to_str(PRIV_etype, krb5_encryption_types,
2952 #ifdef HAVE_KERBEROS
2954 dissect_krb5_decrypt_PRIV (packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2956 guint8 *plaintext=NULL;
2959 length=tvb_length_remaining(tvb, offset);
2962 plaintext=decrypt_krb5_data(tree, pinfo, 13, length, tvb_get_ptr(tvb, offset, length), PRIV_etype);
2967 next_tvb = tvb_new_real_data (plaintext,
2970 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
2972 /* Add the decrypted data to the data source list. */
2973 add_new_data_source(pinfo, next_tvb, "Decrypted Krb5");
2975 offset=dissect_ber_choice(pinfo, tree, next_tvb, 0, kerberos_applications_choice, -1, -1, NULL);
2983 * PRIV-BODY ::= SEQUENCE {
2984 * KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
2986 * msg-type[1] INTEGER,
2987 * enc-part[3] EncryptedData
2991 dissect_krb5_encrypted_PRIV(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
2993 #ifdef HAVE_KERBEROS
2994 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_encrypted_PRIV, dissect_krb5_decrypt_PRIV);
2996 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_encrypted_PRIV, NULL);
3000 static ber_sequence_t ENC_PRIV_sequence[] = {
3001 { BER_CLASS_CON, 0, 0,
3002 dissect_krb5_PRIV_etype },
3003 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
3004 dissect_krb5_kvno },
3005 { BER_CLASS_CON, 2, 0,
3006 dissect_krb5_encrypted_PRIV },
3010 dissect_krb5_ENC_PRIV(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3012 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, ENC_PRIV_sequence, hf_krb_ENC_PRIV, ett_krb_PRIV_enc);
3015 static ber_sequence_t PRIV_BODY_sequence[] = {
3016 { BER_CLASS_CON, 0, 0,
3017 dissect_krb5_pvno },
3018 { BER_CLASS_CON, 1, 0,
3019 dissect_krb5_msg_type },
3020 { BER_CLASS_CON, 3, 0,
3021 dissect_krb5_ENC_PRIV },
3025 dissect_krb5_PRIV(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3028 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, PRIV_BODY_sequence, hf_krb_PRIV_BODY, ett_krb_PRIV);
3035 dissect_krb5_SAFE_BODY_user_data(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3038 offset=dissect_ber_octet_string(FALSE, pinfo, tree, tvb, offset, hf_krb_SAFE_BODY_user_data, &new_tvb);
3040 call_kerberos_callbacks(pinfo, tree, new_tvb, KRB_CBTAG_SAFE_USER_DATA);
3044 dissect_krb5_SAFE_BODY_timestamp(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3046 offset=dissect_ber_GeneralizedTime(FALSE, pinfo, tree, tvb, offset, hf_krb_SAFE_BODY_timestamp);
3051 dissect_krb5_SAFE_BODY_usec(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3053 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_SAFE_BODY_usec, NULL);
3057 static ber_sequence_t SAFE_BODY_sequence[] = {
3058 { BER_CLASS_CON, 0, 0,
3059 dissect_krb5_SAFE_BODY_user_data },
3060 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
3061 dissect_krb5_SAFE_BODY_timestamp },
3062 { BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL,
3063 dissect_krb5_SAFE_BODY_usec },
3064 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
3065 dissect_krb5_seq_number },
3066 /*XXX this one is OPTIONAL in packetcable? but mandatory in kerberos */
3067 { BER_CLASS_CON, 4, BER_FLAGS_OPTIONAL,
3068 dissect_krb5_s_address },
3069 { BER_CLASS_CON, 5, BER_FLAGS_OPTIONAL,
3070 dissect_krb5_HostAddresses },
3074 dissect_krb5_SAFE_BODY(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3077 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, SAFE_BODY_sequence, -1, -1);
3084 static ber_sequence_t SAFE_sequence[] = {
3085 { BER_CLASS_CON, 0, 0,
3086 dissect_krb5_pvno },
3087 { BER_CLASS_CON, 1, 0,
3088 dissect_krb5_msg_type },
3089 { BER_CLASS_CON, 2, 0,
3090 dissect_krb5_SAFE_BODY },
3091 { BER_CLASS_CON, 3, 0,
3092 dissect_krb5_Checksum },
3096 dissect_krb5_SAFE(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3099 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, SAFE_sequence, -1, -1);
3106 * KDC-REQ-BODY ::= SEQUENCE {
3107 * kdc-options[0] KDCOptions,
3108 * cname[1] PrincipalName OPTIONAL,
3109 * -- Used only in AS-REQ
3110 * realm[2] Realm, -- Server's realm
3111 * -- Also client's in AS-REQ
3112 * sname[3] PrincipalName OPTIONAL,
3113 * from[4] KerberosTime OPTIONAL,
3114 * till[5] KerberosTime,
3115 * rtime[6] KerberosTime OPTIONAL,
3117 * etype[8] SEQUENCE OF INTEGER, -- EncryptionType,
3118 * -- in preference order
3119 * addresses[9] HostAddresses OPTIONAL,
3120 * enc-authorization-data[10] EncryptedData OPTIONAL,
3121 * -- Encrypted AuthorizationData encoding
3122 * additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
3126 static ber_sequence_t KDC_REQ_BODY_sequence[] = {
3127 { BER_CLASS_CON, 0, 0,
3128 dissect_krb5_KDCOptions },
3129 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
3130 dissect_krb5_cname },
3131 { BER_CLASS_CON, 2, 0,
3132 dissect_krb5_realm},
3133 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
3134 dissect_krb5_sname },
3135 { BER_CLASS_CON, 4, BER_FLAGS_OPTIONAL,
3136 dissect_krb5_from },
3137 /* this field is not optional in the kerberos spec,
3138 * however, in the packetcable spec it is optional.
3139 * make it optional here since normal kerberos will
3140 * still decode the pdu correctly.
3142 { BER_CLASS_CON, 5, BER_FLAGS_OPTIONAL,
3143 dissect_krb5_till },
3144 { BER_CLASS_CON, 6, BER_FLAGS_OPTIONAL,
3145 dissect_krb5_rtime },
3146 { BER_CLASS_CON, 7, 0,
3147 dissect_krb5_nonce },
3148 { BER_CLASS_CON, 8, 0,
3149 dissect_krb5_etype_sequence_of },
3150 { BER_CLASS_CON, 9, BER_FLAGS_OPTIONAL,
3151 dissect_krb5_HostAddresses },
3152 /* XXX [10] and [11] enc-authorization-data and additional-tickets should be added */
3156 dissect_krb5_KDC_REQ_BODY(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3158 conversation_t *conversation;
3161 * UDP replies to KDC_REQs are sent from the server back to the client's
3162 * source port, similar to the way TFTP works. Set up a conversation
3165 * Ref: Section 7.2.1 of
3166 * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt
3168 if (pinfo->destport == UDP_PORT_KERBEROS && pinfo->ptype == PT_UDP) {
3169 conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, PT_UDP,
3170 pinfo->srcport, 0, NO_PORT_B);
3171 if (conversation == NULL) {
3172 conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, PT_UDP,
3173 pinfo->srcport, 0, NO_PORT2);
3174 conversation_set_dissector(conversation, kerberos_handle_udp);
3178 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, KDC_REQ_BODY_sequence, hf_krb_KDC_REQ_BODY, ett_krb_request);
3186 * KDC-REQ ::= SEQUENCE {
3188 * msg-type[2] INTEGER,
3189 * padata[3] SEQUENCE OF PA-DATA OPTIONAL,
3190 * req-body[4] KDC-REQ-BODY
3193 static ber_sequence_t KDC_REQ_sequence[] = {
3194 { BER_CLASS_CON, 1, 0,
3195 dissect_krb5_pvno },
3196 { BER_CLASS_CON, 2, 0,
3197 dissect_krb5_msg_type },
3198 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
3199 dissect_krb5_padata },
3200 { BER_CLASS_CON, 4, 0,
3201 dissect_krb5_KDC_REQ_BODY },
3205 dissect_krb5_KDC_REQ(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3207 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, KDC_REQ_sequence, -1, -1);
3213 #ifdef HAVE_KERBEROS
3215 dissect_krb5_decrypt_authenticator_data (packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3217 guint8 *plaintext=NULL;
3220 length=tvb_length_remaining(tvb, offset);
3222 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
3224 * Authenticators are encrypted with usage
3229 plaintext=decrypt_krb5_data(tree, pinfo, 7, length, tvb_get_ptr(tvb, offset, length), authenticator_etype);
3232 plaintext=decrypt_krb5_data(tree, pinfo, 11, length, tvb_get_ptr(tvb, offset, length), authenticator_etype);
3237 next_tvb = tvb_new_real_data (plaintext,
3240 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
3242 /* Add the decrypted data to the data source list. */
3243 add_new_data_source(pinfo, next_tvb, "Decrypted Krb5");
3246 offset=dissect_ber_choice(pinfo, tree, next_tvb, 0, kerberos_applications_choice, -1, -1, NULL);
3255 * EncryptedData ::= SEQUENCE {
3256 * etype[0] INTEGER, -- EncryptionType
3257 * kvno[1] INTEGER OPTIONAL,
3258 * cipher[2] OCTET STRING -- ciphertext
3262 dissect_krb5_encrypted_authenticator_data(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3264 #ifdef HAVE_KERBEROS
3265 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_encrypted_authenticator_data, dissect_krb5_decrypt_authenticator_data);
3267 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_encrypted_authenticator_data, NULL);
3271 static ber_sequence_t encrypted_authenticator_sequence[] = {
3272 { BER_CLASS_CON, 0, 0,
3273 dissect_krb5_authenticator_etype },
3274 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
3275 dissect_krb5_kvno },
3276 { BER_CLASS_CON, 2, 0,
3277 dissect_krb5_encrypted_authenticator_data },
3281 dissect_krb5_encrypted_authenticator(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3283 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, encrypted_authenticator_sequence, hf_krb_authenticator_enc, ett_krb_authenticator_enc);
3292 dissect_krb5_tkt_vno(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3294 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_tkt_vno, NULL);
3299 #ifdef HAVE_KERBEROS
3301 dissect_krb5_decrypt_Ticket_data (packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3306 length=tvb_length_remaining(tvb, offset);
3308 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
3310 * All Ticket encrypted parts use usage == 2
3312 if( (plaintext=decrypt_krb5_data(tree, pinfo, 2, length, tvb_get_ptr(tvb, offset, length), Ticket_etype)) ){
3314 next_tvb = tvb_new_real_data (plaintext,
3317 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
3319 /* Add the decrypted data to the data source list. */
3320 add_new_data_source(pinfo, next_tvb, "Decrypted Krb5");
3323 offset=dissect_ber_choice(pinfo, tree, next_tvb, 0, kerberos_applications_choice, -1, -1, NULL);
3331 dissect_krb5_encrypted_Ticket_data(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3333 #ifdef HAVE_KERBEROS
3334 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_encrypted_Ticket_data, dissect_krb5_decrypt_Ticket_data);
3336 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_encrypted_Ticket_data, NULL);
3340 static ber_sequence_t encrypted_Ticket_sequence[] = {
3341 { BER_CLASS_CON, 0, 0,
3342 dissect_krb5_Ticket_etype },
3343 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
3344 dissect_krb5_kvno },
3345 { BER_CLASS_CON, 2, 0,
3346 dissect_krb5_encrypted_Ticket_data },
3350 dissect_krb5_Ticket_encrypted(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3352 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, encrypted_Ticket_sequence, hf_krb_ticket_enc, ett_krb_ticket_enc);
3357 static ber_sequence_t Application_1_sequence[] = {
3358 { BER_CLASS_CON, 0, 0,
3359 dissect_krb5_tkt_vno },
3360 { BER_CLASS_CON, 1, 0,
3361 dissect_krb5_realm },
3362 { BER_CLASS_CON, 2, 0,
3363 dissect_krb5_sname },
3364 { BER_CLASS_CON, 3, 0,
3365 dissect_krb5_Ticket_encrypted },
3369 dissect_krb5_Application_1(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3371 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, Application_1_sequence, hf_krb_ticket, ett_krb_ticket);
3378 static const ber_choice_t Ticket_choice[] = {
3379 { 1, BER_CLASS_APP, 1, 0,
3380 dissect_krb5_Application_1 },
3381 { 0, 0, 0, 0, NULL }
3384 dissect_krb5_Ticket(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3386 offset=dissect_ber_choice(pinfo, tree, tvb, offset, Ticket_choice, -1, -1, NULL);
3395 * AP-REQ ::= [APPLICATION 14] SEQUENCE {
3397 * msg-type[1] INTEGER,
3398 * ap-options[2] APOptions,
3400 * authenticator[4] EncryptedData
3403 static ber_sequence_t AP_REQ_sequence[] = {
3404 { BER_CLASS_CON, 0, 0,
3405 dissect_krb5_pvno },
3406 { BER_CLASS_CON, 1, 0,
3407 dissect_krb5_msg_type },
3408 { BER_CLASS_CON, 2, 0,
3409 dissect_krb5_APOptions },
3410 { BER_CLASS_CON, 3, 0,
3411 dissect_krb5_Ticket },
3412 { BER_CLASS_CON, 4, 0,
3413 dissect_krb5_encrypted_authenticator },
3417 dissect_krb5_AP_REQ(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3419 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, AP_REQ_sequence, -1, -1);
3427 #ifdef HAVE_KERBEROS
3429 dissect_krb5_decrypt_AP_REP_data(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3431 guint8 *plaintext=NULL;
3434 length=tvb_length_remaining(tvb, offset);
3436 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
3438 * Authenticators are encrypted with usage
3443 plaintext=decrypt_krb5_data(tree, pinfo, 12, length, tvb_get_ptr(tvb, offset, length), AP_REP_etype);
3448 next_tvb = tvb_new_real_data (plaintext,
3451 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
3453 /* Add the decrypted data to the data source list. */
3454 add_new_data_source(pinfo, next_tvb, "Decrypted Krb5");
3457 offset=dissect_ber_choice(pinfo, tree, next_tvb, 0, kerberos_applications_choice, -1, -1, NULL);
3466 dissect_krb5_encrypted_AP_REP_data(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3468 #ifdef HAVE_KERBEROS
3469 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_encrypted_AP_REP_data, dissect_krb5_decrypt_AP_REP_data);
3471 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_encrypted_AP_REP_data, NULL);
3475 static ber_sequence_t encrypted_AP_REP_sequence[] = {
3476 { BER_CLASS_CON, 0, 0,
3477 dissect_krb5_AP_REP_etype },
3478 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
3479 dissect_krb5_kvno },
3480 { BER_CLASS_CON, 2, 0,
3481 dissect_krb5_encrypted_AP_REP_data },
3485 dissect_krb5_encrypted_AP_REP(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3487 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, encrypted_AP_REP_sequence, hf_krb_AP_REP_enc, ett_krb_AP_REP_enc);
3493 * AP-REP ::= [APPLICATION 15] SEQUENCE {
3495 * msg-type[1] INTEGER,
3496 * enc-part[2] EncryptedData
3499 static ber_sequence_t AP_REP_sequence[] = {
3500 { BER_CLASS_CON, 0, 0,
3501 dissect_krb5_pvno },
3502 { BER_CLASS_CON, 1, 0,
3503 dissect_krb5_msg_type },
3504 { BER_CLASS_CON, 2, 0,
3505 dissect_krb5_encrypted_AP_REP },
3509 dissect_krb5_AP_REP(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3511 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, AP_REP_sequence, -1, -1);
3520 static guint32 KDC_REP_etype;
3522 dissect_krb5_KDC_REP_etype(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3524 offset=dissect_ber_integer(FALSE, pinfo, tree, tvb, offset, hf_krb_etype, &KDC_REP_etype);
3526 proto_item_append_text(tree, " %s",
3527 val_to_str(KDC_REP_etype, krb5_encryption_types,
3533 #ifdef HAVE_KERBEROS
3535 dissect_krb5_decrypt_KDC_REP_data (packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3537 guint8 *plaintext=NULL;
3540 length=tvb_length_remaining(tvb, offset);
3542 /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
3544 * ASREP/TGSREP encryptedparts are encrypted with usage
3550 plaintext=decrypt_krb5_data(tree, pinfo, 3, length, tvb_get_ptr(tvb, offset, length), KDC_REP_etype);
3553 plaintext=decrypt_krb5_data(tree, pinfo, 8, length, tvb_get_ptr(tvb, offset, length), KDC_REP_etype);
3556 plaintext=decrypt_krb5_data(tree, pinfo, 9, length, tvb_get_ptr(tvb, offset, length), KDC_REP_etype);
3561 next_tvb = tvb_new_real_data (plaintext,
3564 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
3566 /* Add the decrypted data to the data source list. */
3567 add_new_data_source(pinfo, next_tvb, "Decrypted Krb5");
3570 offset=dissect_ber_choice(pinfo, tree, next_tvb, 0, kerberos_applications_choice, -1, -1, NULL);
3579 dissect_krb5_encrypted_KDC_REP_data(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3581 #ifdef HAVE_KERBEROS
3582 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_encrypted_KDC_REP_data, dissect_krb5_decrypt_KDC_REP_data);
3584 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_encrypted_KDC_REP_data, NULL);
3588 static ber_sequence_t encrypted_KDC_REP_sequence[] = {
3589 { BER_CLASS_CON, 0, 0,
3590 dissect_krb5_KDC_REP_etype },
3591 { BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL,
3592 dissect_krb5_kvno },
3593 { BER_CLASS_CON, 2, 0,
3594 dissect_krb5_encrypted_KDC_REP_data },
3598 dissect_krb5_encrypted_KDC_REP(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3600 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, encrypted_KDC_REP_sequence, hf_krb_KDC_REP_enc, ett_krb_KDC_REP_enc);
3606 * KDC-REP ::= SEQUENCE {
3608 * msg-type[1] INTEGER,
3609 * padata[2] SEQUENCE OF PA-DATA OPTIONAL,
3611 * cname[4] PrincipalName,
3613 * enc-part[6] EncryptedData
3616 static ber_sequence_t KDC_REP_sequence[] = {
3617 { BER_CLASS_CON, 0, 0,
3618 dissect_krb5_pvno },
3619 { BER_CLASS_CON, 1, 0,
3620 dissect_krb5_msg_type },
3621 { BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL,
3622 dissect_krb5_padata },
3623 { BER_CLASS_CON, 3, 0,
3624 dissect_krb5_crealm },
3625 { BER_CLASS_CON, 4, 0,
3626 dissect_krb5_cname },
3627 { BER_CLASS_CON, 5, 0,
3628 dissect_krb5_Ticket },
3629 { BER_CLASS_CON, 6, 0,
3630 dissect_krb5_encrypted_KDC_REP },
3634 dissect_krb5_KDC_REP(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3636 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, KDC_REP_sequence, -1, -1);
3645 dissect_krb5_e_text(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3647 offset=dissect_ber_GeneralString(pinfo, tree, tvb, offset, hf_krb_e_text, NULL, 0);
3652 dissect_krb5_e_data(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3654 switch(krb5_errorcode){
3655 case KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED:
3656 offset=dissect_ber_octet_string_wcb(FALSE, pinfo, tree, tvb, offset, hf_krb_e_data, dissect_krb5_padata);
3660 offset=dissect_ber_octet_string(FALSE, pinfo, tree, tvb, offset, hf_krb_e_data, NULL);
3666 /* This optional field in KRB_ERR is used by the early drafts which
3667 * PacketCable still use.
3670 dissect_krb5_e_checksum(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3672 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, Checksum_sequence, hf_krb_e_checksum, ett_krb_e_checksum);
3679 * KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
3681 * msg-type[1] INTEGER,
3682 * ctime[2] KerberosTime OPTIONAL,
3683 * cusec[3] INTEGER OPTIONAL,
3684 * stime[4] KerberosTime,
3686 * error-code[6] INTEGER,
3687 * crealm[7] Realm OPTIONAL,
3688 * cname[8] PrincipalName OPTIONAL,
3689 * realm[9] Realm, -- Correct realm
3690 * sname[10] PrincipalName, -- Correct name
3691 * e-text[11] GeneralString OPTIONAL,
3692 * e-data[12] OCTET STRING OPTIONAL
3695 * e-data This field contains additional data about the error for use
3696 * by the application to help it recover from or handle the
3697 * error. If the errorcode is KDC_ERR_PREAUTH_REQUIRED, then
3698 * the e-data field will contain an encoding of a sequence of
3699 * padata fields, each corresponding to an acceptable pre-
3700 * authentication method and optionally containing data for
3703 static ber_sequence_t ERROR_sequence[] = {
3704 { BER_CLASS_CON, 0, 0,
3705 dissect_krb5_pvno },
3706 { BER_CLASS_CON, 1, 0,
3707 dissect_krb5_msg_type },
3708 { BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL,
3709 dissect_krb5_ctime },
3710 { BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL,
3711 dissect_krb5_cusec },
3712 { BER_CLASS_CON, 4, 0,
3713 dissect_krb5_stime },
3714 { BER_CLASS_CON, 5, 0,
3715 dissect_krb5_susec },
3716 { BER_CLASS_CON, 6, 0,
3717 dissect_krb5_error_code },
3718 { BER_CLASS_CON, 7, BER_FLAGS_OPTIONAL,
3719 dissect_krb5_crealm },
3720 { BER_CLASS_CON, 8, BER_FLAGS_OPTIONAL,
3721 dissect_krb5_cname },
3722 { BER_CLASS_CON, 9, 0,
3723 dissect_krb5_realm },
3724 { BER_CLASS_CON, 10, 0,
3725 dissect_krb5_sname },
3726 { BER_CLASS_CON, 11, BER_FLAGS_OPTIONAL,
3727 dissect_krb5_e_text },
3728 { BER_CLASS_CON, 12, BER_FLAGS_OPTIONAL,
3729 dissect_krb5_e_data },
3730 { BER_CLASS_CON, 13, BER_FLAGS_OPTIONAL,
3731 dissect_krb5_e_checksum }, /* used by PacketCable */
3735 dissect_krb5_ERROR(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset)
3737 offset=dissect_ber_sequence(FALSE, pinfo, tree, tvb, offset, ERROR_sequence, -1, -1);
3744 static struct { const char *set; const char *unset; } bitval = { "Set", "Not set" };
3746 static gint dissect_kerberos_udp(tvbuff_t *tvb, packet_info *pinfo,
3748 static void dissect_kerberos_tcp(tvbuff_t *tvb, packet_info *pinfo,
3750 static gint dissect_kerberos_common(tvbuff_t *tvb, packet_info *pinfo,
3751 proto_tree *tree, gboolean do_col_info,
3752 gboolean do_col_protocol,
3754 kerberos_callbacks *cb);
3755 static void dissect_kerberos_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo,
3760 dissect_kerberos_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int do_col_info, kerberos_callbacks *cb)
3762 return (dissect_kerberos_common(tvb, pinfo, tree, do_col_info, FALSE, FALSE, cb));
3766 kerberos_output_keytype(void)
3772 dissect_kerberos_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
3774 /* Some weird kerberos implementation apparently do krb4 on the krb5 port.
3775 Since all (except weirdo transarc krb4 stuff) use
3776 an opcode <=16 in the first byte, use this to see if it might
3778 All krb5 commands start with an APPL tag and thus is >=0x60
3779 so if first byte is <=16 just blindly assume it is krb4 then
3781 if(tvb_bytes_exist(tvb, 0, 1) && tvb_get_guint8(tvb, 0)<=0x10){
3783 return call_dissector(krb4_handle, tvb, pinfo, tree);
3790 return dissect_kerberos_common(tvb, pinfo, tree, TRUE, TRUE, FALSE, NULL);
3794 kerberos_rm_to_reclen(guint krb_rm)
3796 return (krb_rm & KRB_RM_RECLEN);
3800 get_krb_pdu_len(tvbuff_t *tvb, int offset)
3805 krb_rm = tvb_get_ntohl(tvb, offset);
3806 pdulen = kerberos_rm_to_reclen(krb_rm);
3807 return (pdulen + 4);
3811 dissect_kerberos_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
3813 pinfo->fragmented = TRUE;
3814 if (dissect_kerberos_common(tvb, pinfo, tree, TRUE, TRUE, TRUE, NULL) < 0) {
3816 * The dissector failed to recognize this as a valid
3817 * Kerberos message. Mark it as a continuation packet.
3819 if (check_col(pinfo->cinfo, COL_INFO)) {
3820 col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
3826 dissect_kerberos_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
3828 if (check_col(pinfo->cinfo, COL_PROTOCOL))
3829 col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
3830 if (check_col(pinfo->cinfo, COL_INFO))
3831 col_clear(pinfo->cinfo, COL_INFO);
3833 tcp_dissect_pdus(tvb, pinfo, tree, krb_desegment, 4, get_krb_pdu_len,
3834 dissect_kerberos_tcp_pdu);
3838 * Display the TCP record mark.
3841 show_krb_recordmark(proto_tree *tree, tvbuff_t *tvb, gint start, guint32 krb_rm)
3844 proto_item *rm_item;
3845 proto_tree *rm_tree;
3850 rec_len = kerberos_rm_to_reclen(krb_rm);
3851 rm_item = proto_tree_add_text(tree, tvb, start, 4,
3852 "Record Mark: %u %s", rec_len, plurality(rec_len, "byte", "bytes"));
3853 rm_tree = proto_item_add_subtree(rm_item, ett_krb_recordmark);
3854 proto_tree_add_boolean(rm_tree, hf_krb_rm_reserved, tvb, start, 4, krb_rm);
3855 proto_tree_add_uint(rm_tree, hf_krb_rm_reclen, tvb, start, 4, krb_rm);
3860 dissect_kerberos_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
3861 gboolean dci, gboolean do_col_protocol, gboolean have_rm,
3862 kerberos_callbacks *cb)
3865 proto_tree *kerberos_tree = NULL;
3866 proto_item *item = NULL;
3867 void *saved_private_data;
3869 /* TCP record mark and length */
3871 gint krb_reclen = 0;
3873 saved_private_data=pinfo->private_data;
3874 pinfo->private_data=cb;
3878 krb_rm = tvb_get_ntohl(tvb, offset);
3879 krb_reclen = kerberos_rm_to_reclen(krb_rm);
3881 * What is a reasonable size limit?
3883 if (krb_reclen > 10 * 1024 * 1024) {
3884 pinfo->private_data=saved_private_data;
3887 if (do_col_protocol) {
3888 if (check_col(pinfo->cinfo, COL_PROTOCOL))
3889 col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
3892 item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, FALSE);
3893 kerberos_tree = proto_item_add_subtree(item, ett_krb_kerberos);
3895 show_krb_recordmark(kerberos_tree, tvb, offset, krb_rm);
3898 /* Do some sanity checking here,
3899 * All krb5 packets start with a TAG class that is BER_CLASS_APP
3900 * and a tag value that is either of the values below:
3901 * If it doesnt look like kerberos, return 0 and let someone else have
3908 get_ber_identifier(tvb, offset, &tmp_class, &tmp_pc, &tmp_tag);
3909 if(tmp_class!=BER_CLASS_APP){
3913 case KRB5_MSG_TICKET:
3914 case KRB5_MSG_AUTHENTICATOR:
3915 case KRB5_MSG_ENC_TICKET_PART:
3916 case KRB5_MSG_AS_REQ:
3917 case KRB5_MSG_AS_REP:
3918 case KRB5_MSG_TGS_REQ:
3919 case KRB5_MSG_TGS_REP:
3920 case KRB5_MSG_AP_REQ:
3921 case KRB5_MSG_AP_REP:
3922 case KRB5_MSG_ENC_AS_REP_PART:
3923 case KRB5_MSG_ENC_TGS_REP_PART:
3924 case KRB5_MSG_ENC_AP_REP_PART:
3925 case KRB5_MSG_ENC_KRB_PRIV_PART:
3928 case KRB5_MSG_ERROR:
3933 if (do_col_protocol) {
3934 if (check_col(pinfo->cinfo, COL_PROTOCOL))
3935 col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
3938 if (check_col(pinfo->cinfo, COL_INFO))
3939 col_clear(pinfo->cinfo, COL_INFO);
3942 item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, FALSE);
3943 kerberos_tree = proto_item_add_subtree(item, ett_krb_kerberos);
3948 offset=dissect_ber_choice(pinfo, kerberos_tree, tvb, offset, kerberos_applications_choice, -1, -1, NULL);
3950 pinfo->private_data=saved_private_data;
3954 proto_item_set_len(item, offset);
3955 pinfo->private_data=saved_private_data;
3960 kerberos_prefs_apply_cb(void) {
3961 #ifdef HAVE_LIBNETTLE
3963 read_keytab_file(keytab_filename);
3968 proto_register_kerberos(void)
3970 static hf_register_info hf[] = {
3971 { &hf_krb_rm_reserved, {
3972 "Reserved", "kerberos.rm.reserved", FT_BOOLEAN, 32,
3973 &bitval, KRB_RM_RESERVED, "Record mark reserved bit", HFILL }},
3974 { &hf_krb_rm_reclen, {
3975 "Record Length", "kerberos.rm.length", FT_UINT32, BASE_DEC,
3976 NULL, KRB_RM_RECLEN, "Record length", HFILL }},
3977 { &hf_krb_transitedtype, {
3978 "Type", "kerberos.transited.type", FT_UINT32, BASE_DEC,
3979 VALS(krb5_transited_types), 0, "Transited Type", HFILL }},
3980 { &hf_krb_transitedcontents, {
3981 "Contents", "kerberos.transited.contents", FT_BYTES, BASE_HEX,
3982 NULL, 0, "Transitent Contents string", HFILL }},
3983 { &hf_krb_keytype, {
3984 "Key type", "kerberos.keytype", FT_UINT32, BASE_DEC,
3985 VALS(krb5_encryption_types), 0, "Key Type", HFILL }},
3986 { &hf_krb_keyvalue, {
3987 "Key value", "kerberos.keyvalue", FT_BYTES, BASE_HEX,
3988 NULL, 0, "Key value (encryption key)", HFILL }},
3990 "Type", "kerberos.adtype", FT_UINT32, BASE_DEC,
3991 VALS(krb5_ad_types), 0, "Authorization Data Type", HFILL }},
3992 { &hf_krb_IF_RELEVANT_type, {
3993 "Type", "kerberos.IF_RELEVANT.type", FT_UINT32, BASE_DEC,
3994 VALS(krb5_ad_types), 0, "IF-RELEVANT Data Type", HFILL }},
3995 { &hf_krb_advalue, {
3996 "Data", "kerberos.advalue", FT_BYTES, BASE_HEX,
3997 NULL, 0, "Authentication Data", HFILL }},
3998 { &hf_krb_IF_RELEVANT_value, {
3999 "Data", "kerberos.IF_RELEVANT.value", FT_BYTES, BASE_HEX,
4000 NULL, 0, "IF_RELEVANT Data", HFILL }},
4002 "Encryption type", "kerberos.etype", FT_INT32, BASE_DEC,
4003 VALS(krb5_encryption_types), 0, "Encryption Type", HFILL }},
4004 { &hf_krb_addr_type, {
4005 "Addr-type", "kerberos.addr_type", FT_UINT32, BASE_DEC,
4006 VALS(krb5_address_types), 0, "Address Type", HFILL }},
4007 { &hf_krb_pac_signature_type, {
4008 "Type", "kerberos.pac.signature.type", FT_INT32, BASE_DEC,
4009 NULL, 0, "PAC Signature Type", HFILL }},
4010 { &hf_krb_name_type, {
4011 "Name-type", "kerberos.name_type", FT_INT32, BASE_DEC,
4012 VALS(krb5_princ_types), 0, "Type of principal name", HFILL }},
4013 { &hf_krb_lr_type, {
4014 "Lr-type", "kerberos.lr_type", FT_UINT32, BASE_DEC,
4015 VALS(krb5_lr_types), 0, "Type of lastreq value", HFILL }},
4016 { &hf_krb_address_ip, {
4017 "IP Address", "kerberos.addr_ip", FT_IPv4, BASE_NONE,
4018 NULL, 0, "IP Address", HFILL }},
4019 { &hf_krb_address_netbios, {
4020 "NetBIOS Address", "kerberos.addr_nb", FT_STRING, BASE_NONE,
4021 NULL, 0, "NetBIOS Address and type", HFILL }},
4022 { &hf_krb_authtime, {
4023 "Authtime", "kerberos.authtime", FT_STRING, BASE_NONE,
4024 NULL, 0, "Time of initial authentication", HFILL }},
4025 { &hf_krb_SAFE_BODY_timestamp, {
4026 "Timestamp", "kerberos.SAFE_BODY.timestamp", FT_STRING, BASE_NONE,
4027 NULL, 0, "Timestamp of this SAFE_BODY", HFILL }},
4028 { &hf_krb_patimestamp, {
4029 "patimestamp", "kerberos.patimestamp", FT_STRING, BASE_NONE,
4030 NULL, 0, "Time of client", HFILL }},
4032 "pausec", "kerberos.pausec", FT_UINT32, BASE_DEC,
4033 NULL, 0, "Microsecond component of client time", HFILL }},
4034 { &hf_krb_lr_time, {
4035 "Lr-time", "kerberos.lr_time", FT_STRING, BASE_NONE,
4036 NULL, 0, "Time of LR-entry", HFILL }},
4037 { &hf_krb_starttime, {
4038 "Start time", "kerberos.starttime", FT_STRING, BASE_NONE,
4039 NULL, 0, "The time after which the ticket is valid", HFILL }},
4040 { &hf_krb_endtime, {
4041 "End time", "kerberos.endtime", FT_STRING, BASE_NONE,
4042 NULL, 0, "The time after which the ticket has expired", HFILL }},
4043 { &hf_krb_key_expire, {
4044 "Key Expiration", "kerberos.key_expiration", FT_STRING, BASE_NONE,
4045 NULL, 0, "The time after which the key will expire", HFILL }},
4046 { &hf_krb_renew_till, {
4047 "Renew-till", "kerberos.renenw_till", FT_STRING, BASE_NONE,
4048 NULL, 0, "The maximum time we can renew the ticket until", HFILL }},
4050 "rtime", "kerberos.rtime", FT_STRING, BASE_NONE,
4051 NULL, 0, "Renew Until timestamp", HFILL }},
4053 "ctime", "kerberos.ctime", FT_STRING, BASE_NONE,
4054 NULL, 0, "Current Time on the client host", HFILL }},
4056 "cusec", "kerberos.cusec", FT_UINT32, BASE_DEC,
4057 NULL, 0, "micro second component of client time", HFILL }},
4058 { &hf_krb_SAFE_BODY_usec, {
4059 "usec", "kerberos.SAFE_BODY.usec", FT_UINT32, BASE_DEC,
4060 NULL, 0, "micro second component of SAFE_BODY time", HFILL }},
4062 "stime", "kerberos.stime", FT_STRING, BASE_NONE,
4063 NULL, 0, "Current Time on the server host", HFILL }},
4065 "susec", "kerberos.susec", FT_UINT32, BASE_DEC,
4066 NULL, 0, "micro second component of server time", HFILL }},
4067 { &hf_krb_error_code, {
4068 "error_code", "kerberos.error_code", FT_UINT32, BASE_DEC,
4069 VALS(krb5_error_codes), 0, "Kerberos error code", HFILL }},
4071 "from", "kerberos.from", FT_STRING, BASE_NONE,
4072 NULL, 0, "From when the ticket is to be valid (postdating)", HFILL }},
4074 "till", "kerberos.till", FT_STRING, BASE_NONE,
4075 NULL, 0, "When the ticket will expire", HFILL }},
4076 { &hf_krb_name_string, {
4077 "Name", "kerberos.name_string", FT_STRING, BASE_NONE,
4078 NULL, 0, "String component that is part of a PrincipalName", HFILL }},
4079 { &hf_krb_provsrv_location, {
4080 "PROVSRV Location", "kerberos.provsrv_location", FT_STRING, BASE_NONE,
4081 NULL, 0, "PacketCable PROV SRV Location", HFILL }},
4083 "e-text", "kerberos.e_text", FT_STRING, BASE_NONE,
4084 NULL, 0, "Additional (human readable) error description", HFILL }},
4086 "Realm", "kerberos.realm", FT_STRING, BASE_NONE,
4087 NULL, 0, "Name of the Kerberos Realm", HFILL }},
4089 "Client Realm", "kerberos.crealm", FT_STRING, BASE_NONE,
4090 NULL, 0, "Name of the Clients Kerberos Realm", HFILL }},
4091 { &hf_krb_pac_clientname, {
4092 "Name", "kerberos.pac.name", FT_STRING, BASE_NONE,
4093 NULL, 0, "Name of the Client in the PAC structure", HFILL }},
4094 { &hf_krb_msg_type, {
4095 "MSG Type", "kerberos.msg.type", FT_UINT32, BASE_DEC,
4096 VALS(krb5_msg_types), 0, "Kerberos Message Type", HFILL }},
4097 { &hf_krb_APOptions, {
4098 "APOptions", "kerberos.apoptions", FT_BYTES, BASE_HEX,
4099 NULL, 0, "Kerberos APOptions bitstring", HFILL }},
4100 { &hf_krb_APOptions_use_session_key, {
4101 "Use Session Key", "kerberos.apoptions.use_session_key", FT_BOOLEAN, 32,
4102 TFS(&krb5_apoptions_use_session_key), 0x40000000, "", HFILL }},
4103 { &hf_krb_APOptions_mutual_required, {
4104 "Mutual required", "kerberos.apoptions.mutual_required", FT_BOOLEAN, 32,
4105 TFS(&krb5_apoptions_mutual_required), 0x20000000, "", HFILL }},
4106 { &hf_krb_KDCOptions, {
4107 "KDCOptions", "kerberos.kdcoptions", FT_BYTES, BASE_HEX,
4108 NULL, 0, "Kerberos KDCOptions bitstring", HFILL }},
4109 { &hf_krb_TicketFlags, {
4110 "Ticket Flags", "kerberos.ticketflags", FT_NONE, BASE_NONE,
4111 NULL, 0, "Kerberos Ticket Flags", HFILL }},
4112 { &hf_krb_TicketFlags_forwardable, {
4113 "Forwardable", "kerberos.ticketflags.forwardable", FT_BOOLEAN, 32,
4114 TFS(&krb5_ticketflags_forwardable), 0x40000000, "Flag controlling whether the tickes are forwardable or not", HFILL }},
4115 { &hf_krb_TicketFlags_forwarded, {
4116 "Forwarded", "kerberos.ticketflags.forwarded", FT_BOOLEAN, 32,
4117 TFS(&krb5_ticketflags_forwarded), 0x20000000, "Has this ticket been forwarded?", HFILL }},
4118 { &hf_krb_TicketFlags_proxyable, {
4119 "Proxyable", "kerberos.ticketflags.proxyable", FT_BOOLEAN, 32,
4120 TFS(&krb5_ticketflags_proxyable), 0x10000000, "Flag controlling whether the tickes are proxyable or not", HFILL }},
4121 { &hf_krb_TicketFlags_proxy, {
4122 "Proxy", "kerberos.ticketflags.proxy", FT_BOOLEAN, 32,
4123 TFS(&krb5_ticketflags_proxy), 0x08000000, "Has this ticket been proxied?", HFILL }},
4124 { &hf_krb_TicketFlags_allow_postdate, {
4125 "Allow Postdate", "kerberos.ticketflags.allow_postdate", FT_BOOLEAN, 32,
4126 TFS(&krb5_ticketflags_allow_postdate), 0x04000000, "Flag controlling whether we allow postdated tickets or not", HFILL }},
4127 { &hf_krb_TicketFlags_postdated, {
4128 "Postdated", "kerberos.ticketflags.postdated", FT_BOOLEAN, 32,
4129 TFS(&krb5_ticketflags_postdated), 0x02000000, "Whether this ticket is postdated or not", HFILL }},
4130 { &hf_krb_TicketFlags_invalid, {
4131 "Invalid", "kerberos.ticketflags.invalid", FT_BOOLEAN, 32,
4132 TFS(&krb5_ticketflags_invalid), 0x01000000, "Whether this ticket is invalid or not", HFILL }},
4133 { &hf_krb_TicketFlags_renewable, {
4134 "Renewable", "kerberos.ticketflags.renewable", FT_BOOLEAN, 32,
4135 TFS(&krb5_ticketflags_renewable), 0x00800000, "Whether this ticket is renewable or not", HFILL }},
4136 { &hf_krb_TicketFlags_initial, {
4137 "Initial", "kerberos.ticketflags.initial", FT_BOOLEAN, 32,
4138 TFS(&krb5_ticketflags_initial), 0x00400000, "Whether this ticket is an initial ticket or not", HFILL }},
4139 { &hf_krb_TicketFlags_pre_auth, {
4140 "Pre-Auth", "kerberos.ticketflags.pre_auth", FT_BOOLEAN, 32,
4141 TFS(&krb5_ticketflags_pre_auth), 0x00200000, "Whether this ticket is pre-authenticated or not", HFILL }},
4142 { &hf_krb_TicketFlags_hw_auth, {
4143 "HW-Auth", "kerberos.ticketflags.hw_auth", FT_BOOLEAN, 32,
4144 TFS(&krb5_ticketflags_hw_auth), 0x00100000, "Whether this ticket is hardware-authenticated or not", HFILL }},
4145 { &hf_krb_TicketFlags_transited_policy_checked, {
4146 "Transited Policy Checked", "kerberos.ticketflags.transited_policy_checked", FT_BOOLEAN, 32,
4147 TFS(&krb5_ticketflags_transited_policy_checked), 0x00080000, "Whether this ticket is transited policy checked or not", HFILL }},
4148 { &hf_krb_TicketFlags_ok_as_delegate, {
4149 "Ok As Delegate", "kerberos.ticketflags.ok_as_delegate", FT_BOOLEAN, 32,
4150 TFS(&krb5_ticketflags_ok_as_delegate), 0x00040000, "Whether this ticket is Ok As Delegate or not", HFILL }},
4151 { &hf_krb_KDC_REQ_BODY, {
4152 "KDC_REQ_BODY", "kerberos.kdc_req_body", FT_NONE, BASE_NONE,
4153 NULL, 0, "Kerberos KDC REQuest BODY", HFILL }},
4154 { &hf_krb_PRIV_BODY, {
4155 "PRIV_BODY", "kerberos.priv_body", FT_NONE, BASE_NONE,
4156 NULL, 0, "Kerberos PRIVate BODY", HFILL }},
4157 { &hf_krb_encrypted_PRIV, {
4158 "Encrypted PRIV", "kerberos.enc_priv", FT_NONE, BASE_NONE,
4159 NULL, 0, "Kerberos Encrypted PRIVate blob data", HFILL }},
4160 { &hf_krb_KDCOptions_forwardable, {
4161 "Forwardable", "kerberos.kdcoptions.forwardable", FT_BOOLEAN, 32,
4162 TFS(&krb5_kdcoptions_forwardable), 0x40000000, "Flag controlling whether the tickes are forwardable or not", HFILL }},
4163 { &hf_krb_KDCOptions_forwarded, {
4164 "Forwarded", "kerberos.kdcoptions.forwarded", FT_BOOLEAN, 32,
4165 TFS(&krb5_kdcoptions_forwarded), 0x20000000, "Has this ticket been forwarded?", HFILL }},
4166 { &hf_krb_KDCOptions_proxyable, {
4167 "Proxyable", "kerberos.kdcoptions.proxyable", FT_BOOLEAN, 32,
4168 TFS(&krb5_kdcoptions_proxyable), 0x10000000, "Flag controlling whether the tickes are proxyable or not", HFILL }},
4169 { &hf_krb_KDCOptions_proxy, {
4170 "Proxy", "kerberos.kdcoptions.proxy", FT_BOOLEAN, 32,
4171 TFS(&krb5_kdcoptions_proxy), 0x08000000, "Has this ticket been proxied?", HFILL }},
4172 { &hf_krb_KDCOptions_allow_postdate, {
4173 "Allow Postdate", "kerberos.kdcoptions.allow_postdate", FT_BOOLEAN, 32,
4174 TFS(&krb5_kdcoptions_allow_postdate), 0x04000000, "Flag controlling whether we allow postdated tickets or not", HFILL }},
4175 { &hf_krb_KDCOptions_postdated, {
4176 "Postdated", "kerberos.kdcoptions.postdated", FT_BOOLEAN, 32,
4177 TFS(&krb5_kdcoptions_postdated), 0x02000000, "Whether this ticket is postdated or not", HFILL }},
4178 { &hf_krb_KDCOptions_renewable, {
4179 "Renewable", "kerberos.kdcoptions.renewable", FT_BOOLEAN, 32,
4180 TFS(&krb5_kdcoptions_renewable), 0x00800000, "Whether this ticket is renewable or not", HFILL }},
4181 { &hf_krb_KDCOptions_canonicalize, {
4182 "Canonicalize", "kerberos.kdcoptions.canonicalize", FT_BOOLEAN, 32,
4183 TFS(&krb5_kdcoptions_canonicalize), 0x00010000, "Do we want the KDC to canonicalize the principal or not", HFILL }},
4184 { &hf_krb_KDCOptions_opt_hardware_auth, {
4185 "Opt HW Auth", "kerberos.kdcoptions.opt_hardware_auth", FT_BOOLEAN, 32,
4186 NULL, 0x00100000, "Opt HW Auth flag", HFILL }},
4187 { &hf_krb_KDCOptions_disable_transited_check, {
4188 "Disable Transited Check", "kerberos.kdcoptions.disable_transited_check", FT_BOOLEAN, 32,
4189 TFS(&krb5_kdcoptions_disable_transited_check), 0x00000020, "Whether we should do transited checking or not", HFILL }},
4190 { &hf_krb_KDCOptions_renewable_ok, {
4191 "Renewable OK", "kerberos.kdcoptions.renewable_ok", FT_BOOLEAN, 32,
4192 TFS(&krb5_kdcoptions_renewable_ok), 0x00000010, "Whether we accept renewed tickets or not", HFILL }},
4193 { &hf_krb_KDCOptions_enc_tkt_in_skey, {
4194 "Enc-Tkt-in-Skey", "kerberos.kdcoptions.enc_tkt_in_skey", FT_BOOLEAN, 32,
4195 TFS(&krb5_kdcoptions_enc_tkt_in_skey), 0x00000008, "Whether the ticket is encrypted in the skey or not", HFILL }},
4196 { &hf_krb_KDCOptions_renew, {
4197 "Renew", "kerberos.kdcoptions.renew", FT_BOOLEAN, 32,
4198 TFS(&krb5_kdcoptions_renew), 0x00000002, "Is this a request to renew a ticket?", HFILL }},
4199 { &hf_krb_KDCOptions_validate, {
4200 "Validate", "kerberos.kdcoptions.validate", FT_BOOLEAN, 32,
4201 TFS(&krb5_kdcoptions_validate), 0x00000001, "Is this a request to validate a postdated ticket?", HFILL }},
4203 "Pvno", "kerberos.pvno", FT_UINT32, BASE_DEC,
4204 NULL, 0, "Kerberos Protocol Version Number", HFILL }},
4206 "Kvno", "kerberos.kvno", FT_UINT32, BASE_DEC,
4207 NULL, 0, "Version Number for the encryption Key", HFILL }},
4208 { &hf_krb_checksum_type, {
4209 "Type", "kerberos.checksum.type", FT_UINT32, BASE_DEC,
4210 VALS(krb5_checksum_types), 0, "Type of checksum", HFILL }},
4211 { &hf_krb_authenticator_vno, {
4212 "Authenticator vno", "kerberos.authenticator_vno", FT_UINT32, BASE_DEC,
4213 NULL, 0, "Version Number for the Authenticator", HFILL }},
4214 { &hf_krb_encrypted_authenticator_data, {
4215 "Authenticator data", "kerberos.authenticator.data", FT_BYTES, BASE_HEX,
4216 NULL, 0, "Data content of an encrypted authenticator", HFILL }},
4217 { &hf_krb_encrypted_PA_ENC_TIMESTAMP, {
4218 "enc PA_ENC_TIMESTAMP", "kerberos.PA_ENC_TIMESTAMP.encrypted", FT_BYTES, BASE_HEX,
4219 NULL, 0, "Encrypted PA-ENC-TIMESTAMP blob", HFILL }},
4220 { &hf_krb_PAC_LOGON_INFO, {
4221 "PAC_LOGON_INFO", "kerberos.PAC_LOGON_INFO", FT_BYTES, BASE_HEX,
4222 NULL, 0, "PAC_LOGON_INFO structure", HFILL }},
4223 { &hf_krb_PAC_CREDENTIAL_TYPE, {
4224 "PAC_CREDENTIAL_TYPE", "kerberos.PAC_CREDENTIAL_TYPE", FT_BYTES, BASE_HEX,
4225 NULL, 0, "PAC_CREDENTIAL_TYPE structure", HFILL }},
4226 { &hf_krb_PAC_SERVER_CHECKSUM, {
4227 "PAC_SERVER_CHECKSUM", "kerberos.PAC_SERVER_CHECKSUM", FT_BYTES, BASE_HEX,
4228 NULL, 0, "PAC_SERVER_CHECKSUM structure", HFILL }},
4229 { &hf_krb_PAC_PRIVSVR_CHECKSUM, {
4230 "PAC_PRIVSVR_CHECKSUM", "kerberos.PAC_PRIVSVR_CHECKSUM", FT_BYTES, BASE_HEX,
4231 NULL, 0, "PAC_PRIVSVR_CHECKSUM structure", HFILL }},
4232 { &hf_krb_PAC_CLIENT_INFO_TYPE, {
4233 "PAC_CLIENT_INFO_TYPE", "kerberos.PAC_CLIENT_INFO_TYPE", FT_BYTES, BASE_HEX,
4234 NULL, 0, "PAC_CLIENT_INFO_TYPE structure", HFILL }},
4235 { &hf_krb_checksum_checksum, {
4236 "checksum", "kerberos.checksum.checksum", FT_BYTES, BASE_HEX,
4237 NULL, 0, "Kerberos Checksum", HFILL }},
4238 { &hf_krb_ENC_PRIV, {
4239 "enc PRIV", "kerberos.ENC_PRIV", FT_BYTES, BASE_HEX,
4240 NULL, 0, "Encrypted PRIV blob", HFILL }},
4241 { &hf_krb_encrypted_Ticket_data, {
4242 "enc-part", "kerberos.ticket.data", FT_BYTES, BASE_HEX,
4243 NULL, 0, "The encrypted part of a ticket", HFILL }},
4244 { &hf_krb_encrypted_AP_REP_data, {
4245 "enc-part", "kerberos.aprep.data", FT_BYTES, BASE_HEX,
4246 NULL, 0, "The encrypted part of AP-REP", HFILL }},
4247 { &hf_krb_encrypted_KDC_REP_data, {
4248 "enc-part", "kerberos.kdcrep.data", FT_BYTES, BASE_HEX,
4249 NULL, 0, "The encrypted part of KDC-REP", HFILL }},
4250 { &hf_krb_PA_DATA_value, {
4251 "Value", "kerberos.padata.value", FT_BYTES, BASE_HEX,
4252 NULL, 0, "Content of the PADATA blob", HFILL }},
4253 { &hf_krb_etype_info_salt, {
4254 "Salt", "kerberos.etype_info.salt", FT_BYTES, BASE_HEX,
4255 NULL, 0, "Salt", HFILL }},
4256 { &hf_krb_etype_info2_salt, {
4257 "Salt", "kerberos.etype_info2.salt", FT_BYTES, BASE_HEX,
4258 NULL, 0, "Salt", HFILL }},
4259 { &hf_krb_etype_info2_s2kparams, {
4260 "Salt", "kerberos.etype_info.s2kparams", FT_BYTES, BASE_HEX,
4261 NULL, 0, "S2kparams", HFILL }},
4262 { &hf_krb_SAFE_BODY_user_data, {
4263 "User Data", "kerberos.SAFE_BODY.user_data", FT_BYTES, BASE_HEX,
4264 NULL, 0, "SAFE BODY userdata field", HFILL }},
4265 { &hf_krb_PRIV_BODY_user_data, {
4266 "User Data", "kerberos.PRIV_BODY.user_data", FT_BYTES, BASE_HEX,
4267 NULL, 0, "PRIV BODY userdata field", HFILL }},
4268 { &hf_krb_pac_signature_signature, {
4269 "Signature", "kerberos.pac.signature.signature", FT_BYTES, BASE_HEX,
4270 NULL, 0, "A PAC signature blob", HFILL }},
4271 { &hf_krb_PA_DATA_type, {
4272 "Type", "kerberos.padata.type", FT_UINT32, BASE_DEC,
4273 VALS(krb5_preauthentication_types), 0, "Type of preauthentication data", HFILL }},
4275 "Nonce", "kerberos.nonce", FT_UINT32, BASE_DEC,
4276 NULL, 0, "Kerberos Nonce random number", HFILL }},
4277 { &hf_krb_tkt_vno, {
4278 "Tkt-vno", "kerberos.tkt_vno", FT_UINT32, BASE_DEC,
4279 NULL, 0, "Version number for the Ticket format", HFILL }},
4280 { &hf_krb_HostAddress, {
4281 "HostAddress", "kerberos.hostaddress", FT_NONE, BASE_DEC,
4282 NULL, 0, "This is a Kerberos HostAddress sequence", HFILL }},
4283 { &hf_krb_s_address, {
4284 "S-Address", "kerberos.s_address", FT_NONE, BASE_DEC,
4285 NULL, 0, "This is the Senders address", HFILL }},
4287 "key", "kerberos.key", FT_NONE, BASE_DEC,
4288 NULL, 0, "This is a Kerberos EncryptionKey sequence", HFILL }},
4290 "Subkey", "kerberos.subkey", FT_NONE, BASE_DEC,
4291 NULL, 0, "This is a Kerberos subkey", HFILL }},
4292 { &hf_krb_seq_number, {
4293 "Seq Number", "kerberos.seq_number", FT_UINT32, BASE_DEC,
4294 NULL, 0, "This is a Kerberos sequence number", HFILL }},
4295 { &hf_krb_AuthorizationData, {
4296 "AuthorizationData", "kerberos.AuthorizationData", FT_NONE, BASE_DEC,
4297 NULL, 0, "This is a Kerberos AuthorizationData sequence", HFILL }},
4298 { &hf_krb_EncTicketPart, {
4299 "EncTicketPart", "kerberos.EncTicketPart", FT_NONE, BASE_DEC,
4300 NULL, 0, "This is a decrypted Kerberos EncTicketPart sequence", HFILL }},
4301 { &hf_krb_EncAPRepPart, {
4302 "EncAPRepPart", "kerberos.EncAPRepPart", FT_NONE, BASE_DEC,
4303 NULL, 0, "This is a decrypted Kerberos EncAPRepPart sequence", HFILL }},
4304 { &hf_krb_EncKrbPrivPart, {
4305 "EncKrbPrivPart", "kerberos.EncKrbPrivPart", FT_NONE, BASE_DEC,
4306 NULL, 0, "This is a decrypted Kerberos EncKrbPrivPart sequence", HFILL }},
4307 { &hf_krb_EncKDCRepPart, {
4308 "EncKDCRepPart", "kerberos.EncKDCRepPart", FT_NONE, BASE_DEC,
4309 NULL, 0, "This is a decrypted Kerberos EncKDCRepPart sequence", HFILL }},
4310 { &hf_krb_LastReq, {
4311 "LastReq", "kerberos.LastReq", FT_NONE, BASE_DEC,
4312 NULL, 0, "This is a LastReq sequence", HFILL }},
4313 { &hf_krb_Authenticator, {
4314 "Authenticator", "kerberos.Authenticator", FT_NONE, BASE_DEC,
4315 NULL, 0, "This is a decrypted Kerberos Authenticator sequence", HFILL }},
4316 { &hf_krb_Checksum, {
4317 "Checksum", "kerberos.Checksum", FT_NONE, BASE_DEC,
4318 NULL, 0, "This is a Kerberos Checksum sequence", HFILL }},
4319 { &hf_krb_HostAddresses, {
4320 "HostAddresses", "kerberos.hostaddresses", FT_NONE, BASE_DEC,
4321 NULL, 0, "This is a list of Kerberos HostAddress sequences", HFILL }},
4322 { &hf_krb_IF_RELEVANT, {
4323 "IF_RELEVANT", "kerberos.if_relevant", FT_NONE, BASE_DEC,
4324 NULL, 0, "This is a list of IF-RELEVANT sequences", HFILL }},
4326 "Encryption Types", "kerberos.etypes", FT_NONE, BASE_DEC,
4327 NULL, 0, "This is a list of Kerberos encryption types", HFILL }},
4328 { &hf_krb_LastReqs, {
4329 "LastReqs", "kerberos.LastReqs", FT_NONE, BASE_DEC,
4330 NULL, 0, "This is a list of LastReq structures", HFILL }},
4332 "Server Name", "kerberos.sname", FT_NONE, BASE_DEC,
4333 NULL, 0, "This is the name part server's identity", HFILL }},
4335 "Client Name", "kerberos.cname", FT_NONE, BASE_DEC,
4336 NULL, 0, "The name part of the client principal identifier", HFILL }},
4337 { &hf_krb_authenticator_enc, {
4338 "Authenticator", "kerberos.authenticator", FT_NONE, BASE_DEC,
4339 NULL, 0, "Encrypted authenticator blob", HFILL }},
4340 { &hf_krb_ticket_enc, {
4341 "enc-part", "kerberos.ticket.enc_part", FT_NONE, BASE_DEC,
4342 NULL, 0, "The structure holding the encrypted part of a ticket", HFILL }},
4343 { &hf_krb_AP_REP_enc, {
4344 "enc-part", "kerberos.aprep.enc_part", FT_NONE, BASE_DEC,
4345 NULL, 0, "The structure holding the encrypted part of AP-REP", HFILL }},
4346 { &hf_krb_KDC_REP_enc, {
4347 "enc-part", "kerberos.kdcrep.enc_part", FT_NONE, BASE_DEC,
4348 NULL, 0, "The structure holding the encrypted part of KDC-REP", HFILL }},
4350 "e-data", "kerberos.e_data", FT_NONE, BASE_DEC,
4351 NULL, 0, "The e-data blob", HFILL }},
4353 "padata", "kerberos.padata", FT_NONE, BASE_DEC,
4354 NULL, 0, "Sequence of preauthentication data", HFILL }},
4356 "Ticket", "kerberos.ticket", FT_NONE, BASE_DEC,
4357 NULL, 0, "This is a Kerberos Ticket", HFILL }},
4358 { &hf_krb_TransitedEncoding, {
4359 "TransitedEncoding", "kerberos.TransitedEncoding", FT_NONE, BASE_DEC,
4360 NULL, 0, "This is a Kerberos TransitedEncoding sequence", HFILL }},
4361 { &hf_krb_PA_PAC_REQUEST_flag, {
4362 "PAC Request", "kerberos.pac_request.flag", FT_UINT32, BASE_DEC,
4363 NULL, 0, "This is a MS PAC Request Flag", HFILL }},
4364 { &hf_krb_w2k_pac_entries, {
4365 "Num Entries", "kerberos.pac.entries", FT_UINT32, BASE_DEC,
4366 NULL, 0, "Number of W2k PAC entries", HFILL }},
4367 { &hf_krb_w2k_pac_version, {
4368 "Version", "kerberos.pac.version", FT_UINT32, BASE_DEC,
4369 NULL, 0, "Version of PAC structures", HFILL }},
4370 { &hf_krb_w2k_pac_type, {
4371 "Type", "kerberos.pac.type", FT_UINT32, BASE_DEC,
4372 VALS(w2k_pac_types), 0, "Type of W2k PAC entry", HFILL }},
4373 { &hf_krb_w2k_pac_size, {
4374 "Size", "kerberos.pac.size", FT_UINT32, BASE_DEC,
4375 NULL, 0, "Size of W2k PAC entry", HFILL }},
4376 { &hf_krb_w2k_pac_offset, {
4377 "Offset", "kerberos.pac.offset", FT_UINT32, BASE_DEC,
4378 NULL, 0, "Offset to W2k PAC entry", HFILL }},
4379 { &hf_krb_pac_clientid, {
4380 "ClientID", "kerberos.pac.clientid", FT_ABSOLUTE_TIME, BASE_NONE,
4381 NULL, 0, "ClientID Timestamp", HFILL }},
4382 { &hf_krb_pac_namelen, {
4383 "Name Length", "kerberos.pac.namelen", FT_UINT16, BASE_DEC,
4384 NULL, 0, "Length of client name", HFILL }},
4385 { &hf_krb_e_checksum, {
4386 "e-checksum", "kerberos.e_checksum", FT_NONE, BASE_DEC,
4387 NULL, 0, "This is a Kerberos e-checksum", HFILL }},
4390 static gint *ett[] = {
4392 &ett_krb_KDC_REP_enc,
4395 &ett_krb_AP_REP_enc,
4399 &ett_krb_IF_RELEVANT,
4400 &ett_krb_PA_DATA_tree,
4402 &ett_krb_HostAddress,
4403 &ett_krb_HostAddresses,
4404 &ett_krb_authenticator_enc,
4405 &ett_krb_AP_Options,
4406 &ett_krb_KDC_Options,
4407 &ett_krb_Ticket_Flags,
4409 &ett_krb_recordmark,
4411 &ett_krb_ticket_enc,
4414 &ett_krb_EncTicketPart,
4415 &ett_krb_EncAPRepPart,
4416 &ett_krb_EncKrbPrivPart,
4417 &ett_krb_EncKDCRepPart,
4419 &ett_krb_Authenticator,
4423 &ett_krb_AuthorizationData,
4424 &ett_krb_TransitedEncoding,
4426 &ett_krb_PAC_LOGON_INFO,
4427 &ett_krb_PAC_CREDENTIAL_TYPE,
4428 &ett_krb_PAC_SERVER_CHECKSUM,
4429 &ett_krb_PAC_PRIVSVR_CHECKSUM,
4430 &ett_krb_PAC_CLIENT_INFO_TYPE,
4431 &ett_krb_e_checksum,
4433 module_t *krb_module;
4435 proto_kerberos = proto_register_protocol("Kerberos", "KRB5", "kerberos");
4436 proto_register_field_array(proto_kerberos, hf, array_length(hf));
4437 proto_register_subtree_array(ett, array_length(ett));
4439 /* Register preferences */
4440 krb_module = prefs_register_protocol(proto_kerberos, kerberos_prefs_apply_cb);
4441 prefs_register_bool_preference(krb_module, "desegment",
4442 "Reassemble Kerberos over TCP messages spanning multiple TCP segments",
4443 "Whether the Kerberos dissector should reassemble messages spanning multiple TCP segments."
4444 " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
4446 #ifdef HAVE_KERBEROS
4447 prefs_register_bool_preference(krb_module, "decrypt",
4448 "Try to decrypt Kerberos blobs",
4449 "Whether the dissector should try to decrypt "
4450 "encrypted Kerberos blobs. This requires that the proper "
4451 "keytab file is installed as well.", &krb_decrypt);
4453 prefs_register_string_preference(krb_module, "file",
4454 "Kerberos keytab file",
4455 "The keytab file containing all the secrets",
4461 static int wrap_dissect_gss_kerb(tvbuff_t *tvb, int offset, packet_info *pinfo,
4462 proto_tree *tree, guint8 *drep _U_)
4466 auth_tvb = tvb_new_subset(
4467 tvb, offset, tvb_length_remaining(tvb, offset),
4468 tvb_reported_length_remaining(tvb, offset));
4470 dissect_kerberos_main(auth_tvb, pinfo, tree, FALSE, NULL);
4472 return tvb_length_remaining(tvb, offset);
4476 static dcerpc_auth_subdissector_fns gss_kerb_auth_fns = {
4477 wrap_dissect_gss_kerb, /* Bind */
4478 wrap_dissect_gss_kerb, /* Bind ACK */
4480 wrap_dissect_gssapi_verf, /* Request verifier */
4481 wrap_dissect_gssapi_verf, /* Response verifier */
4482 wrap_dissect_gssapi_payload, /* Request data */
4483 wrap_dissect_gssapi_payload /* Response data */
4488 proto_reg_handoff_kerberos(void)
4490 dissector_handle_t kerberos_handle_tcp;
4492 krb4_handle = find_dissector("krb4");
4494 kerberos_handle_udp = new_create_dissector_handle(dissect_kerberos_udp,
4496 kerberos_handle_tcp = create_dissector_handle(dissect_kerberos_tcp,
4498 dissector_add("udp.port", UDP_PORT_KERBEROS, kerberos_handle_udp);
4499 dissector_add("tcp.port", TCP_PORT_KERBEROS, kerberos_handle_tcp);
4501 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
4502 DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
4503 &gss_kerb_auth_fns);
4505 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
4506 DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
4507 &gss_kerb_auth_fns);
4513 MISC definitions from RFC1510:
4515 Realm ::= GeneralString
4517 KerberosTime ::= GeneralizedTime
4519 AuthorizationData ::= SEQUENCE OF SEQUENCE {
4521 ad-data[1] OCTET STRING
4523 APOptions ::= BIT STRING {
4530 TicketFlags ::= BIT STRING {
4545 KDCOptions ::= BIT STRING {
4559 enc-tkt-in-skey(28),
4565 LastReq ::= SEQUENCE OF SEQUENCE {
4567 lr-value[1] KerberosTime
4570 Ticket ::= [APPLICATION 1] SEQUENCE {
4573 sname[2] PrincipalName,
4574 enc-part[3] EncryptedData
4577 -- Encrypted part of ticket
4578 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
4579 flags[0] TicketFlags,
4580 key[1] EncryptionKey,
4582 cname[3] PrincipalName,
4583 transited[4] TransitedEncoding,
4584 authtime[5] KerberosTime,
4585 starttime[6] KerberosTime OPTIONAL,
4586 endtime[7] KerberosTime,
4587 renew-till[8] KerberosTime OPTIONAL,
4588 caddr[9] HostAddresses OPTIONAL,
4589 authorization-data[10] AuthorizationData OPTIONAL
4592 -- encoded Transited field
4593 TransitedEncoding ::= SEQUENCE {
4594 tr-type[0] INTEGER, -- must be registered
4595 contents[1] OCTET STRING
4598 -- Unencrypted authenticator
4599 Authenticator ::= [APPLICATION 2] SEQUENCE {
4600 authenticator-vno[0] INTEGER,
4602 cname[2] PrincipalName,
4603 cksum[3] Checksum OPTIONAL,
4605 ctime[5] KerberosTime,
4606 subkey[6] EncryptionKey OPTIONAL,
4607 seq-number[7] INTEGER OPTIONAL,
4608 authorization-data[8] AuthorizationData OPTIONAL
4611 PA-DATA ::= SEQUENCE {
4612 padata-type[1] INTEGER,
4613 padata-value[2] OCTET STRING,
4614 -- might be encoded AP-REQ
4617 padata-type ::= PA-ENC-TIMESTAMP
4618 padata-value ::= EncryptedData -- PA-ENC-TS-ENC
4620 PA-ENC-TS-ENC ::= SEQUENCE {
4621 patimestamp[0] KerberosTime, -- client's time
4622 pausec[1] INTEGER OPTIONAL
4625 EncASRepPart ::= [APPLICATION 25[25]] EncKDCRepPart
4626 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
4628 EncKDCRepPart ::= SEQUENCE {
4629 key[0] EncryptionKey,
4630 last-req[1] LastReq,
4632 key-expiration[3] KerberosTime OPTIONAL,
4633 flags[4] TicketFlags,
4634 authtime[5] KerberosTime,
4635 starttime[6] KerberosTime OPTIONAL,
4636 endtime[7] KerberosTime,
4637 renew-till[8] KerberosTime OPTIONAL,
4639 sname[10] PrincipalName,
4640 caddr[11] HostAddresses OPTIONAL
4643 APOptions ::= BIT STRING {
4649 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
4650 ctime[0] KerberosTime,
4652 subkey[2] EncryptionKey OPTIONAL,
4653 seq-number[3] INTEGER OPTIONAL
4656 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
4658 msg-type[1] INTEGER,
4659 safe-body[2] KRB-SAFE-BODY,
4663 KRB-SAFE-BODY ::= SEQUENCE {
4664 user-data[0] OCTET STRING,
4665 timestamp[1] KerberosTime OPTIONAL,
4666 usec[2] INTEGER OPTIONAL,
4667 seq-number[3] INTEGER OPTIONAL,
4668 s-address[4] HostAddress,
4669 r-address[5] HostAddress OPTIONAL
4672 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
4674 msg-type[1] INTEGER,
4675 enc-part[3] EncryptedData
4678 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
4679 user-data[0] OCTET STRING,
4680 timestamp[1] KerberosTime OPTIONAL,
4681 usec[2] INTEGER OPTIONAL,
4682 seq-number[3] INTEGER OPTIONAL,
4683 s-address[4] HostAddress, -- sender's addr
4684 r-address[5] HostAddress OPTIONAL
4688 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
4690 msg-type[1] INTEGER, -- KRB_CRED
4691 tickets[2] SEQUENCE OF Ticket,
4692 enc-part[3] EncryptedData
4695 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
4696 ticket-info[0] SEQUENCE OF KrbCredInfo,
4697 nonce[1] INTEGER OPTIONAL,
4698 timestamp[2] KerberosTime OPTIONAL,
4699 usec[3] INTEGER OPTIONAL,
4700 s-address[4] HostAddress OPTIONAL,
4701 r-address[5] HostAddress OPTIONAL
4704 KrbCredInfo ::= SEQUENCE {
4705 key[0] EncryptionKey,
4706 prealm[1] Realm OPTIONAL,
4707 pname[2] PrincipalName OPTIONAL,
4708 flags[3] TicketFlags OPTIONAL,
4709 authtime[4] KerberosTime OPTIONAL,
4710 starttime[5] KerberosTime OPTIONAL,
4711 endtime[6] KerberosTime OPTIONAL
4712 renew-till[7] KerberosTime OPTIONAL,
4713 srealm[8] Realm OPTIONAL,
4714 sname[9] PrincipalName OPTIONAL,
4715 caddr[10] HostAddresses OPTIONAL
4718 METHOD-DATA ::= SEQUENCE of PA-DATA
4720 If the error-code is KRB_AP_ERR_METHOD, then the e-data field will
4721 contain an encoding of the following sequence:
4723 METHOD-DATA ::= SEQUENCE {
4724 method-type[0] INTEGER,
4725 method-data[1] OCTET STRING OPTIONAL
4728 EncryptionKey ::= SEQUENCE {
4730 keyvalue[1] OCTET STRING
4733 Checksum ::= SEQUENCE {
4734 cksumtype[0] INTEGER,
4735 checksum[1] OCTET STRING