#include <nettle/des.h>
#include <nettle/cbc.h>
#endif
-#include <epan/crypt/crypt-md5.h>
+#include <epan/crypt/md5.h>
#include <sys/stat.h> /* For keyfile manipulation */
#endif
static gint hf_krb_PAC_SERVER_CHECKSUM = -1;
static gint hf_krb_PAC_PRIVSVR_CHECKSUM = -1;
static gint hf_krb_PAC_CLIENT_INFO_TYPE = -1;
-static gint hf_krb_PAC_CONSTRAINED_DELEGATION = -1;
+static gint hf_krb_PAC_S4U_DELEGATION_INFO = -1;
static gint hf_krb_PAC_UPN_DNS_INFO = -1;
static gint hf_krb_encrypted_PA_ENC_TIMESTAMP = -1;
static gint hf_krb_encrypted_enc_authorization_data = -1;
static gint ett_krb_PAC_SERVER_CHECKSUM = -1;
static gint ett_krb_PAC_PRIVSVR_CHECKSUM = -1;
static gint ett_krb_PAC_CLIENT_INFO_TYPE = -1;
-static gint ett_krb_PAC_CONSTRAINED_DELEGATION = -1;
+static gint ett_krb_PAC_S4U_DELEGATION_INFO = -1;
static gint ett_krb_KDC_REP_enc = -1;
static gint ett_krb_EncTicketPart = -1;
static gint ett_krb_EncAPRepPart = -1;
g_free(decrypted_data);
return(plaintext);
}
+ tvb_free(encr_tvb);
}
g_free(decrypted_data);
#define KRB5_TD_REQ_SEQ 108
/* preauthentication types >127 (i.e. negative ones) are app specific.
- Hopefully there will be no collisions here or we will have to
- come up with something better.
- XXX: Although KRB5_PA_PAC_REQUEST is " >127 " and thus presumably
- would be encoded as a negative number, various captures seen all
- have this pa-data-type encoded as a positive number (0x0080).
- We'll assume that KRB5_PA_S4U2SELF is also encoded as a positive number.
+ however since Microsoft is the dominant(only?) user of types in this range
+ we also treat the type as unsigned.
*/
#define KRB5_PA_PAC_REQUEST 128 /* (Microsoft extension) */
-#define KRB5_PA_S4U2SELF 129 /* Impersonation (Microsoft extension) */
+#define KRB5_PA_FOR_USER 129 /* Impersonation (Microsoft extension) See [MS-SFU] */
#define KRB5_PA_PROV_SRV_LOCATION 0xffffffff /* (gint32)0xFF) packetcable stuff */
#define PAC_SERVER_CHECKSUM 6
#define PAC_PRIVSVR_CHECKSUM 7
#define PAC_CLIENT_INFO_TYPE 10
-#define PAC_CONSTRAINED_DELEGATION 11
+#define PAC_S4U_DELEGATION_INFO 11
#define PAC_UPN_DNS_INFO 12
static const value_string w2k_pac_types[] = {
{ PAC_SERVER_CHECKSUM , "Server Checksum" },
{ PAC_PRIVSVR_CHECKSUM , "Privsvr Checksum" },
{ PAC_CLIENT_INFO_TYPE , "Client Info Type" },
- { PAC_CONSTRAINED_DELEGATION, "Constrained Delegation" },
+ { PAC_S4U_DELEGATION_INFO , "S4U Delegation Info" },
{ PAC_UPN_DNS_INFO , "UPN DNS Info" },
{ 0, NULL },
};
{ KRB5_TD_REQ_NONCE , "TD-REQ-NONCE" },
{ KRB5_TD_REQ_SEQ , "TD-REQ-SEQ" },
{ KRB5_PA_PAC_REQUEST , "PA-PAC-REQUEST" },
- { KRB5_PA_S4U2SELF , "PA-S4U2SELF" },
+ { KRB5_PA_FOR_USER , "PA-FOR-USER" },
{ KRB5_PA_PROV_SRV_LOCATION , "PA-PROV-SRV-LOCATION" },
{ 0 , NULL },
};
return offset;
}
-static ber_old_sequence_t PA_S4U2SELF_sequence[] = {
+static ber_old_sequence_t PA_FOR_USER_sequence[] = {
{ BER_CLASS_CON, 0, 0, dissect_krb5_cname },
{ BER_CLASS_CON, 1, 0, dissect_krb5_realm },
{ BER_CLASS_CON, 2, 0, dissect_krb5_Checksum },
};
static int
-dissect_krb5_PA_S4U2SELF(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+dissect_krb5_PA_FOR_USER(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
{
- offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, PA_S4U2SELF_sequence, -1, -1);
+ offset=dissect_ber_old_sequence(FALSE, actx, tree, tvb, offset, PA_FOR_USER_sequence, -1, -1);
return offset;
}
case KRB5_PA_PAC_REQUEST:
offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PA_PAC_REQUEST);
break;
- case KRB5_PA_S4U2SELF:
- offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PA_S4U2SELF);
+ case KRB5_PA_FOR_USER:
+ offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PA_FOR_USER);
break;
case KRB5_PA_PROV_SRV_LOCATION:
offset=dissect_ber_old_octet_string_wcb(FALSE, actx, tree, tvb, offset,hf_krb_PA_DATA_value, dissect_krb5_PA_PROV_SRV_LOCATION);
}
static int
-dissect_krb5_PAC_CONSTRAINED_DELEGATION(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+dissect_krb5_PAC_S4U_DELEGATION_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
static dcerpc_call_value call_data;
void *old_private_data;
- item=proto_tree_add_item(parent_tree, hf_krb_PAC_CONSTRAINED_DELEGATION, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
+ item=proto_tree_add_item(parent_tree, hf_krb_PAC_S4U_DELEGATION_INFO, tvb, offset, tvb_length_remaining(tvb, offset), ENC_NA);
if(parent_tree){
- tree=proto_item_add_subtree(item, ett_krb_PAC_CONSTRAINED_DELEGATION);
+ tree=proto_item_add_subtree(item, ett_krb_PAC_S4U_DELEGATION_INFO);
}
/* skip the first 16 bytes, they are some magic created by the idl
offset=dissect_krb5_PAC_NDRHEADERBLOB(tree, tvb, offset, &drep[0], actx);
- /* the PAC_CONSTRAINED_DELEGATION blob */
+ /* the S4U_DELEGATION_INFO blob. See [MS-PAC] */
/* fake whatever state the dcerpc runtime support needs */
di.conformant_run=0;
/* we need di->call_data->flags.NDR64 == 0 */
actx->pinfo->private_data=&di;
init_ndr_pointer_list(actx->pinfo);
offset = dissect_ndr_pointer(tvb, offset, actx->pinfo, tree, drep,
- netlogon_dissect_PAC_CONSTRAINED_DELEGATION, NDR_POINTER_UNIQUE,
- "PAC_CONSTRAINED_DELEGATION:", -1);
+ netlogon_dissect_PAC_S4U_DELEGATION_INFO, NDR_POINTER_UNIQUE,
+ "PAC_S4U_DELEGATION_INFO:", -1);
actx->pinfo->private_data=old_private_data;
return offset;
offset+=2;
/* client name */
- name=tvb_get_ephemeral_faked_unicode(tvb, offset, namelen/2, TRUE);
+ name=tvb_get_ephemeral_unicode_string(tvb, offset, namelen/2, ENC_LITTLE_ENDIAN);
proto_tree_add_string(tree, hf_krb_pac_clientname, tvb, offset, namelen, name);
offset+=namelen;
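Review bot: The length argument on the new `tvb_get_ephemeral_unicode_string` call is still `namelen/2`, a character count carried over from `tvb_get_ephemeral_faked_unicode`; as far as I know the replacement helper takes its length in bytes, so only the first half of the PAC client name would be decoded while `proto_tree_add_string` on the next line still covers all `namelen` bytes. If that reading of the API holds, pass the byte length instead: `name=tvb_get_ephemeral_unicode_string(tvb, offset, namelen, ENC_LITTLE_ENDIAN);`. A silently truncated client name is misleading for anyone using the dissection to review which principal a ticket's PAC was issued for. The enclosing function starts and ends outside this hunk, so how `namelen` is read and bounded cannot be checked from here.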
case PAC_CLIENT_INFO_TYPE:
dissect_krb5_PAC_CLIENT_INFO_TYPE(tr, next_tvb, 0, actx);
break;
- case PAC_CONSTRAINED_DELEGATION:
- dissect_krb5_PAC_CONSTRAINED_DELEGATION(tr, next_tvb, 0, actx);
+ case PAC_S4U_DELEGATION_INFO:
+ dissect_krb5_PAC_S4U_DELEGATION_INFO(tr, next_tvb, 0, actx);
break;
case PAC_UPN_DNS_INFO:
dissect_krb5_PAC_UPN_DNS_INFO(tr, next_tvb, 0, actx);
col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
}
if (tree) {
- item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, FALSE);
+ item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, ENC_NA);
kerberos_tree = proto_item_add_subtree(item, ett_krb_kerberos);
}
show_krb_recordmark(kerberos_tree, tvb, offset, krb_rm);
col_clear(pinfo->cinfo, COL_INFO);
}
if (tree) {
- item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, FALSE);
+ item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, ENC_NA);
kerberos_tree = proto_item_add_subtree(item, ett_krb_kerberos);
}
}
{ &hf_krb_PAC_CLIENT_INFO_TYPE, {
"PAC_CLIENT_INFO_TYPE", "kerberos.PAC_CLIENT_INFO_TYPE", FT_BYTES, BASE_NONE,
NULL, 0, "PAC_CLIENT_INFO_TYPE structure", HFILL }},
- { &hf_krb_PAC_CONSTRAINED_DELEGATION, {
- "PAC_CONSTRAINED_DELEGATION", "kerberos.PAC_CONSTRAINED_DELEGATION", FT_BYTES, BASE_NONE,
- NULL, 0, "PAC_CONSTRAINED_DELEGATION structure", HFILL }},
+ { &hf_krb_PAC_S4U_DELEGATION_INFO, {
+ "PAC_S4U_DELEGATION_INFO", "kerberos.PAC_S4U_DELEGATION_INFO", FT_BYTES, BASE_NONE,
+ NULL, 0, "PAC_S4U_DELEGATION_INFO structure", HFILL }},
{ &hf_krb_PAC_UPN_DNS_INFO, {
"UPN_DNS_INFO", "kerberos.PAC_UPN_DNS_INFO", FT_BYTES, BASE_NONE,
NULL, 0, "UPN_DNS_INFO structure", HFILL }},
&ett_krb_PAC_SERVER_CHECKSUM,
&ett_krb_PAC_PRIVSVR_CHECKSUM,
&ett_krb_PAC_CLIENT_INFO_TYPE,
- &ett_krb_PAC_CONSTRAINED_DELEGATION,
+ &ett_krb_PAC_S4U_DELEGATION_INFO,
&ett_krb_e_checksum,
&ett_krb_PAC_MIDL_BLOB,
&ett_krb_PAC_DREP,