summaryrefslogtreecommitdiff
path: root/asn1/kerberos
diff options
context:
space:
mode:
authorAnders Broman <anders.broman@ericsson.com>2008-10-15 06:14:24 +0000
committerAnders Broman <anders.broman@ericsson.com>2008-10-15 06:14:24 +0000
commit18a701918b4ff383114d2d8282ccb4ce4f69d79d (patch)
tree9bdec51f589e72a4ffbb8b87dfd99d16720b32f5 /asn1/kerberos
parentc99312dae0587939b3aae92bbb7bd4fc7a009800 (diff)
downloadwireshark-18a701918b4ff383114d2d8282ccb4ce4f69d79d.tar.gz
Start of an asn2wrs generated kerberos dissector. Most of the hand crafted stuff is in the template file but it's not yet accessed from the asn2wrs generated code.
- Work in progress. svn path=/trunk/; revision=26460
Diffstat (limited to 'asn1/kerberos')
-rw-r--r--asn1/kerberos/KerberosV5Spec2.asn418
-rw-r--r--asn1/kerberos/Makefile.am26
-rw-r--r--asn1/kerberos/Makefile.common52
-rw-r--r--asn1/kerberos/Makefile.nmake29
-rw-r--r--asn1/kerberos/kerberos.asn417
-rw-r--r--asn1/kerberos/kerberos.cnf12
-rw-r--r--asn1/kerberos/packet-kerberos-template.c1313
-rw-r--r--asn1/kerberos/packet-kerberos-template.h35
8 files changed, 2302 insertions, 0 deletions
diff --git a/asn1/kerberos/KerberosV5Spec2.asn b/asn1/kerberos/KerberosV5Spec2.asn
new file mode 100644
index 0000000000..0c5e593c84
--- /dev/null
+++ b/asn1/kerberos/KerberosV5Spec2.asn
@@ -0,0 +1,418 @@
+--http://www.ietf.org/rfc/rfc4120.txt?number=4120
+KerberosV5Spec2 {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2) modules(4) krb5spec2(2)
+} DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+-- OID arc for KerberosV5
+--
+-- This OID may be used to identify Kerberos protocol messages
+-- encapsulated in other protocols.
+--
+-- This OID also designates the OID arc for KerberosV5-related OIDs.
+--
+-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
+-- My stuff
+Applications ::= CHOICE {
+ ticket Ticket, -- 1 --
+ authenticator Authenticator, -- 2 --
+ encTicketPart EncTicketPart, -- 3 --
+ as-req AS-REQ, -- 10 --
+ as-rep AS-REP, -- 11 --
+ tgs-req TGS-REQ, -- 12 --
+ tgs-rep TGS-REP, -- 13 --
+ ap-req AP-REQ, -- 14 --
+ ap-rep AP-REP, -- 15 --
+ krb-safe KRB-SAFE, -- 20 --
+ krb-priv KRB-PRIV, -- 21 --
+ krb-cred KRB-CRED, -- 22 --
+ encASRepPart EncASRepPart, -- 25 --
+ encTGSRepPart EncTGSRepPart, -- 26 --
+ encAPRepPart EncAPRepPart, -- 27 --
+ encKrbPrivPart EncKrbPrivPart, -- 28 --
+ encKrbCredPart EncKrbCredPart, -- 29 --
+ krb-error KRB-ERROR -- 30 --
+ }
+-- end my stuff
+id-krb5 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2)
+}
+
+Int32 ::= INTEGER (-2147483648..2147483647)
+ -- signed values representable in 32 bits
+
+UInt32 ::= INTEGER (0..4294967295)
+ -- unsigned 32 bit values
+
+Microseconds ::= INTEGER (0..999999)
+ -- microseconds
+
+KerberosString ::= GeneralString (IA5String)
+
+Realm ::= KerberosString
+
+PrincipalName ::= SEQUENCE {
+ name-type [0] Int32,
+ name-string [1] SEQUENCE OF KerberosString
+}
+
+KerberosTime ::= GeneralizedTime -- with no fractional seconds
+
+HostAddress ::= SEQUENCE {
+ addr-type [0] Int32,
+ address [1] OCTET STRING
+}
+
+-- NOTE: HostAddresses is always used as an OPTIONAL field and
+-- should not be empty.
+HostAddresses -- NOTE: subtly different from rfc1510,
+ -- but has a value mapping and encodes the same
+ ::= SEQUENCE OF HostAddress
+
+-- NOTE: AuthorizationData is always used as an OPTIONAL field and
+-- should not be empty.
+AuthorizationData ::= SEQUENCE OF SEQUENCE {
+ ad-type [0] Int32,
+ ad-data [1] OCTET STRING
+}
+
+PA-DATA ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+ padata-type [1] Int32,
+ padata-value [2] OCTET STRING -- might be encoded AP-REQ
+}
+
+KerberosFlags ::= BIT STRING (SIZE (32..MAX))
+ -- minimum number of bits shall be sent,
+ -- but no fewer than 32
+
+EncryptedData ::= SEQUENCE {
+ etype [0] Int32 -- EncryptionType --,
+ kvno [1] UInt32 OPTIONAL,
+ cipher [2] OCTET STRING -- ciphertext
+}
+
+EncryptionKey ::= SEQUENCE {
+ keytype [0] Int32 -- actually encryption type --,
+ keyvalue [1] OCTET STRING
+}
+
+Checksum ::= SEQUENCE {
+ cksumtype [0] Int32,
+ checksum [1] OCTET STRING
+}
+
+Ticket ::= [APPLICATION 1] SEQUENCE {
+ tkt-vno [0] INTEGER (5),
+ realm [1] Realm,
+ sname [2] PrincipalName,
+ enc-part [3] EncryptedData -- EncTicketPart
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+ flags [0] TicketFlags,
+ key [1] EncryptionKey,
+ crealm [2] Realm,
+ cname [3] PrincipalName,
+ transited [4] TransitedEncoding,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ caddr [9] HostAddresses OPTIONAL,
+ authorization-data [10] AuthorizationData OPTIONAL
+}
+
+-- encoded Transited field
+TransitedEncoding ::= SEQUENCE {
+ tr-type [0] Int32 -- must be registered --,
+ contents [1] OCTET STRING
+}
+
+TicketFlags ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+ -- may-postdate(5),
+ -- postdated(6),
+ -- invalid(7),
+ -- renewable(8),
+ -- initial(9),
+ -- pre-authent(10),
+ -- hw-authent(11),
+-- the following are new since 1510
+ -- transited-policy-checked(12),
+ -- ok-as-delegate(13)
+
+AS-REQ ::= [APPLICATION 10] KDC-REQ
+
+TGS-REQ ::= [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+ pvno [1] INTEGER (5) ,
+-- msg-type [2] INTEGER (10 - - AS - - | 12 - - TGS - -),
+ msg-type [2] INTEGER,
+ padata [3] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ req-body [4] KDC-REQ-BODY
+}
+
+KDC-REQ-BODY ::= SEQUENCE {
+ kdc-options [0] KDCOptions,
+ cname [1] PrincipalName OPTIONAL
+ -- Used only in AS-REQ --,
+ realm [2] Realm
+ -- Server's realm
+ -- Also client's in AS-REQ --,
+ sname [3] PrincipalName OPTIONAL,
+ from [4] KerberosTime OPTIONAL,
+ till [5] KerberosTime,
+ rtime [6] KerberosTime OPTIONAL,
+ nonce [7] UInt32,
+ etype [8] SEQUENCE OF Int32 -- EncryptionType
+ -- in preference order --,
+ addresses [9] HostAddresses OPTIONAL,
+ enc-authorization-data [10] EncryptedData OPTIONAL
+ -- AuthorizationData --,
+ additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
+ -- NOTE: not empty
+}
+
+KDCOptions ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+ -- allow-postdate(5),
+ -- postdated(6),
+ -- unused7(7),
+ -- renewable(8),
+ -- unused9(9),
+ -- unused10(10),
+ -- opt-hardware-auth(11),
+ -- unused12(12),
+ -- unused13(13),
+-- 15 is reserved for canonicalize
+ -- unused15(15),
+-- 26 was unused in 1510
+ -- disable-transited-check(26),
+--
+ -- renewable-ok(27),
+ -- enc-tkt-in-skey(28),
+ -- renew(30),
+ -- validate(31)
+
+AS-REP ::= [APPLICATION 11] KDC-REP
+
+TGS-REP ::= [APPLICATION 13] KDC-REP
+
+
+KDC-REP ::= SEQUENCE {
+ pvno [0] INTEGER (5),
+-- msg-type [1] INTEGER (11 - - AS - - | 13 - - TGS - -),
+ msg-type [1] INTEGER,
+ padata [2] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ crealm [3] Realm,
+ cname [4] PrincipalName,
+ ticket [5] Ticket,
+ enc-part [6] EncryptedData
+ -- EncASRepPart or EncTGSRepPart,
+ -- as appropriate
+}
+
+EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
+
+EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::= SEQUENCE {
+ key [0] EncryptionKey,
+ last-req [1] LastReq,
+ nonce [2] UInt32,
+ key-expiration [3] KerberosTime OPTIONAL,
+ flags [4] TicketFlags,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ srealm [9] Realm,
+ sname [10] PrincipalName,
+ caddr [11] HostAddresses OPTIONAL
+}
+
+LastReq ::= SEQUENCE OF SEQUENCE {
+ lr-type [0] Int32,
+ lr-value [1] KerberosTime
+}
+
+AP-REQ ::= [APPLICATION 14] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (14),
+ ap-options [2] APOptions,
+ ticket [3] Ticket,
+ authenticator [4] EncryptedData -- Authenticator
+}
+
+APOptions ::= KerberosFlags
+ -- reserved(0),
+ -- use-session-key(1),
+ -- mutual-required(2)
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE {
+ authenticator-vno [0] INTEGER (5),
+ crealm [1] Realm,
+ cname [2] PrincipalName,
+ cksum [3] Checksum OPTIONAL,
+ cusec [4] Microseconds,
+ ctime [5] KerberosTime,
+ subkey [6] EncryptionKey OPTIONAL,
+ seq-number [7] UInt32 OPTIONAL,
+ authorization-data [8] AuthorizationData OPTIONAL
+}
+
+AP-REP ::= [APPLICATION 15] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (15),
+ enc-part [2] EncryptedData -- EncAPRepPart
+}
+
+EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
+ ctime [0] KerberosTime,
+ cusec [1] Microseconds,
+ subkey [2] EncryptionKey OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL
+}
+
+KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (20),
+ safe-body [2] KRB-SAFE-BODY,
+ cksum [3] Checksum
+}
+
+KRB-SAFE-BODY ::= SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress,
+ r-address [5] HostAddress OPTIONAL
+}
+
+KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (21),
+ -- NOTE: there is no [2] tag
+ enc-part [3] EncryptedData -- EncKrbPrivPart
+}
+
+EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress -- sender's addr --,
+ r-address [5] HostAddress OPTIONAL -- recip's addr
+}
+
+KRB-CRED ::= [APPLICATION 22] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (22),
+ tickets [2] SEQUENCE OF Ticket,
+ enc-part [3] EncryptedData -- EncKrbCredPart
+}
+
+EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
+ ticket-info [0] SEQUENCE OF KrbCredInfo,
+ nonce [1] UInt32 OPTIONAL,
+ timestamp [2] KerberosTime OPTIONAL,
+ usec [3] Microseconds OPTIONAL,
+ s-address [4] HostAddress OPTIONAL,
+ r-address [5] HostAddress OPTIONAL
+}
+
+KrbCredInfo ::= SEQUENCE {
+ key [0] EncryptionKey,
+ prealm [1] Realm OPTIONAL,
+ pname [2] PrincipalName OPTIONAL,
+ flags [3] TicketFlags OPTIONAL,
+ authtime [4] KerberosTime OPTIONAL,
+ starttime [5] KerberosTime OPTIONAL,
+ endtime [6] KerberosTime OPTIONAL,
+ renew-till [7] KerberosTime OPTIONAL,
+ srealm [8] Realm OPTIONAL,
+ sname [9] PrincipalName OPTIONAL,
+ caddr [10] HostAddresses OPTIONAL
+}
+
+KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (30),
+ ctime [2] KerberosTime OPTIONAL,
+ cusec [3] Microseconds OPTIONAL,
+ stime [4] KerberosTime,
+ susec [5] Microseconds,
+ error-code [6] Int32,
+ crealm [7] Realm OPTIONAL,
+ cname [8] PrincipalName OPTIONAL,
+ realm [9] Realm -- service realm --,
+ sname [10] PrincipalName -- service name --,
+ e-text [11] KerberosString OPTIONAL,
+ e-data [12] OCTET STRING OPTIONAL
+}
+
+METHOD-DATA ::= SEQUENCE OF PA-DATA
+
+TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ data-type [0] Int32,
+ data-value [1] OCTET STRING OPTIONAL
+}
+
+-- preauth stuff follows
+
+PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
+
+PA-ENC-TS-ENC ::= SEQUENCE {
+ patimestamp [0] KerberosTime -- client's time --,
+ pausec [1] Microseconds OPTIONAL
+}
+
+ETYPE-INFO-ENTRY ::= SEQUENCE {
+ etype [0] Int32,
+ salt [1] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+ETYPE-INFO2-ENTRY ::= SEQUENCE {
+ etype [0] Int32,
+ salt [1] KerberosString OPTIONAL,
+ s2kparams [2] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
+AD-IF-RELEVANT ::= AuthorizationData
+
+AD-KDCIssued ::= SEQUENCE {
+ ad-checksum [0] Checksum,
+ i-realm [1] Realm OPTIONAL,
+ i-sname [2] PrincipalName OPTIONAL,
+ elements [3] AuthorizationData
+}
+
+AD-AND-OR ::= SEQUENCE {
+ condition-count [0] Int32,
+ elements [1] AuthorizationData
+}
+
+AD-MANDATORY-FOR-KDC ::= AuthorizationData
+
+END
diff --git a/asn1/kerberos/Makefile.am b/asn1/kerberos/Makefile.am
new file mode 100644
index 0000000000..462af31e88
--- /dev/null
+++ b/asn1/kerberos/Makefile.am
@@ -0,0 +1,26 @@
+# $Id$
+#
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+
+include ../Makefile.preinc
+include Makefile.common
+include ../Makefile.inc
+
diff --git a/asn1/kerberos/Makefile.common b/asn1/kerberos/Makefile.common
new file mode 100644
index 0000000000..658df0627b
--- /dev/null
+++ b/asn1/kerberos/Makefile.common
@@ -0,0 +1,52 @@
+# $Id$
+#
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+
+PROTOCOL_NAME=kerberos
+
+DISSECTOR_FILES=packet-$(PROTOCOL_NAME).c \
+ packet-$(PROTOCOL_NAME).h
+
+NEED_PACKET_PROTO_H = 1
+
+EXPORT_FILES = \
+ $(PROTOCOL_NAME)-exp.cnf
+
+EXT_ASN_FILE_LIST =
+
+ASN_FILE_LIST = KerberosV5Spec2.asn
+
+# The packet-$(PROTOCOL_NAME)-template.h and $(PROTOCOL_NAME).asn
+# files do not exist # for all protocols: Please add/remove as required.
+EXTRA_DIST = \
+ $(ASN_FILE_LIST) \
+ packet-$(PROTOCOL_NAME)-template.c \
+ packet-$(PROTOCOL_NAME)-template.h \
+ $(PROTOCOL_NAME).cnf
+
+SRC_FILES = \
+ $(EXTRA_DIST) \
+ $(EXT_ASN_FILE_LIST)
+
+A2W_FLAGS= -b -X -T -e
+
+EXTRA_CNF=
+
diff --git a/asn1/kerberos/Makefile.nmake b/asn1/kerberos/Makefile.nmake
new file mode 100644
index 0000000000..5a32997c60
--- /dev/null
+++ b/asn1/kerberos/Makefile.nmake
@@ -0,0 +1,29 @@
+## Use: $(MAKE) /$(MAKEFLAGS) -f makefile.nmake
+#
+# $Id$
+#
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+
+include ../../config.nmake
+include ../Makefile.preinc.nmake
+include Makefile.common
+include ../Makefile.inc.nmake
+
diff --git a/asn1/kerberos/kerberos.asn b/asn1/kerberos/kerberos.asn
new file mode 100644
index 0000000000..621f30c2f5
--- /dev/null
+++ b/asn1/kerberos/kerberos.asn
@@ -0,0 +1,417 @@
+ KerberosV5Spec2 {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2) modules(4) krb5spec2(2)
+} DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+-- OID arc for KerberosV5
+--
+-- This OID may be used to identify Kerberos protocol messages
+-- encapsulated in other protocols.
+--
+-- This OID also designates the OID arc for KerberosV5-related OIDs.
+--
+-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
+id-krb5 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2)
+}
+
+-- WS construct
+Application ::= CHOICE {
+ ticket Ticket,
+ authenticator Authenticator,
+ encTicketPart EncTicketPart,
+ as-req AS-REQ,
+ as-rep AS-REP,
+ tgs-req TGS-REQ,
+ tgs-rep TGS-REP,
+ ap-req AP-REQ,
+ ap-rep AP-REP,
+ krb-safe KRB-SAFE,
+ krb-priv KRB-PRIV,
+ krb-cred KRB-CRED,
+ encASRepPart EncASRepPart,
+ encTGSRepPart EncTGSRepPart,
+ encAPRepPart EncAPRepPart,
+ encKrbPrivPart EncKrbPrivPart,
+ encKrbCredPart EncKrbCredPart,
+ krb-error KRB-ERROR
+}
+
+Int32 ::= INTEGER (-2147483648..2147483647)
+ -- signed values representable in 32 bits
+
+UInt32 ::= INTEGER (0..4294967295)
+ -- unsigned 32 bit values
+
+Microseconds ::= INTEGER (0..999999)
+ -- microseconds
+
+KerberosString ::= GeneralString (IA5String)
+
+Realm ::= KerberosString
+
+PrincipalName ::= SEQUENCE {
+ name-type [0] Int32,
+ name-string [1] SEQUENCE OF KerberosString
+}
+
+KerberosTime ::= GeneralizedTime -- with no fractional seconds
+
+HostAddress ::= SEQUENCE {
+ addr-type [0] Int32,
+ address [1] OCTET STRING
+}
+
+-- NOTE: HostAddresses is always used as an OPTIONAL field and
+-- should not be empty.
+HostAddresses -- NOTE: subtly different from rfc1510,
+ -- but has a value mapping and encodes the same
+ ::= SEQUENCE OF HostAddress
+
+-- NOTE: AuthorizationData is always used as an OPTIONAL field and
+-- should not be empty.
+AuthorizationData ::= SEQUENCE OF SEQUENCE {
+ ad-type [0] Int32,
+ ad-data [1] OCTET STRING
+}
+
+PA-DATA ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+ padata-type [1] Int32,
+ padata-value [2] OCTET STRING -- might be encoded AP-REQ
+}
+
+KerberosFlags ::= BIT STRING (SIZE (32..MAX))
+ -- minimum number of bits shall be sent,
+ -- but no fewer than 32
+
+EncryptedData ::= SEQUENCE {
+ etype [0] Int32 -- EncryptionType --,
+ kvno [1] UInt32 OPTIONAL,
+ cipher [2] OCTET STRING -- ciphertext
+}
+
+EncryptionKey ::= SEQUENCE {
+ keytype [0] Int32 -- actually encryption type --,
+ keyvalue [1] OCTET STRING
+}
+
+Checksum ::= SEQUENCE {
+ cksumtype [0] Int32,
+ checksum [1] OCTET STRING
+}
+
+Ticket ::= [APPLICATION 1] SEQUENCE {
+ tkt-vno [0] INTEGER (5),
+ realm [1] Realm,
+ sname [2] PrincipalName,
+ enc-part [3] EncryptedData -- EncTicketPart
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+ flags [0] TicketFlags,
+ key [1] EncryptionKey,
+ crealm [2] Realm,
+ cname [3] PrincipalName,
+ transited [4] TransitedEncoding,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ caddr [9] HostAddresses OPTIONAL,
+ authorization-data [10] AuthorizationData OPTIONAL
+}
+
+-- encoded Transited field
+TransitedEncoding ::= SEQUENCE {
+ tr-type [0] Int32 -- must be registered --,
+ contents [1] OCTET STRING
+}
+
+TicketFlags ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+ -- may-postdate(5),
+ -- postdated(6),
+ -- invalid(7),
+ -- renewable(8),
+ -- initial(9),
+ -- pre-authent(10),
+ -- hw-authent(11),
+-- the following are new since 1510
+ -- transited-policy-checked(12),
+ -- ok-as-delegate(13)
+
+AS-REQ ::= [APPLICATION 10] KDC-REQ
+
+TGS-REQ ::= [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+ pvno [1] INTEGER (5) ,
+-- msg-type [2] INTEGER (10 - - AS - - | 12 - - TGS - -),
+ msg-type [2] INTEGER,
+ padata [3] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ req-body [4] KDC-REQ-BODY
+}
+
+KDC-REQ-BODY ::= SEQUENCE {
+ kdc-options [0] KDCOptions,
+ cname [1] PrincipalName OPTIONAL
+ -- Used only in AS-REQ --,
+ realm [2] Realm
+ -- Server's realm
+ -- Also client's in AS-REQ --,
+ sname [3] PrincipalName OPTIONAL,
+ from [4] KerberosTime OPTIONAL,
+ till [5] KerberosTime,
+ rtime [6] KerberosTime OPTIONAL,
+ nonce [7] UInt32,
+ etype [8] SEQUENCE OF Int32 -- EncryptionType
+ -- in preference order --,
+ addresses [9] HostAddresses OPTIONAL,
+ enc-authorization-data [10] EncryptedData OPTIONAL
+ -- AuthorizationData --,
+ additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
+ -- NOTE: not empty
+}
+
+KDCOptions ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+ -- allow-postdate(5),
+ -- postdated(6),
+ -- unused7(7),
+ -- renewable(8),
+ -- unused9(9),
+ -- unused10(10),
+ -- opt-hardware-auth(11),
+ -- unused12(12),
+ -- unused13(13),
+-- 15 is reserved for canonicalize
+ -- unused15(15),
+-- 26 was unused in 1510
+ -- disable-transited-check(26),
+--
+ -- renewable-ok(27),
+ -- enc-tkt-in-skey(28),
+ -- renew(30),
+ -- validate(31)
+
+AS-REP ::= [APPLICATION 11] KDC-REP
+
+TGS-REP ::= [APPLICATION 13] KDC-REP
+
+
+KDC-REP ::= SEQUENCE {
+ pvno [0] INTEGER (5),
+-- msg-type [1] INTEGER (11 - - AS - - | 13 - - TGS - -),
+ msg-type [1] INTEGER,
+ padata [2] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ crealm [3] Realm,
+ cname [4] PrincipalName,
+ ticket [5] Ticket,
+ enc-part [6] EncryptedData
+ -- EncASRepPart or EncTGSRepPart,
+ -- as appropriate
+}
+
+EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
+
+EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::= SEQUENCE {
+ key [0] EncryptionKey,
+ last-req [1] LastReq,
+ nonce [2] UInt32,
+ key-expiration [3] KerberosTime OPTIONAL,
+ flags [4] TicketFlags,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ srealm [9] Realm,
+ sname [10] PrincipalName,
+ caddr [11] HostAddresses OPTIONAL
+}
+
+LastReq ::= SEQUENCE OF SEQUENCE {
+ lr-type [0] Int32,
+ lr-value [1] KerberosTime
+}
+
+AP-REQ ::= [APPLICATION 14] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (14),
+ ap-options [2] APOptions,
+ ticket [3] Ticket,
+ authenticator [4] EncryptedData -- Authenticator
+}
+
+APOptions ::= KerberosFlags
+ -- reserved(0),
+ -- use-session-key(1),
+ -- mutual-required(2)
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE {
+ authenticator-vno [0] INTEGER (5),
+ crealm [1] Realm,
+ cname [2] PrincipalName,
+ cksum [3] Checksum OPTIONAL,
+ cusec [4] Microseconds,
+ ctime [5] KerberosTime,
+ subkey [6] EncryptionKey OPTIONAL,
+ seq-number [7] UInt32 OPTIONAL,
+ authorization-data [8] AuthorizationData OPTIONAL
+}
+
+AP-REP ::= [APPLICATION 15] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (15),
+ enc-part [2] EncryptedData -- EncAPRepPart
+}
+
+EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
+ ctime [0] KerberosTime,
+ cusec [1] Microseconds,
+ subkey [2] EncryptionKey OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL
+}
+
+KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (20),
+ safe-body [2] KRB-SAFE-BODY,
+ cksum [3] Checksum
+}
+
+KRB-SAFE-BODY ::= SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress,
+ r-address [5] HostAddress OPTIONAL
+}
+
+KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (21),
+ -- NOTE: there is no [2] tag
+ enc-part [3] EncryptedData -- EncKrbPrivPart
+}
+
+EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress -- sender's addr --,
+ r-address [5] HostAddress OPTIONAL -- recip's addr
+}
+
+KRB-CRED ::= [APPLICATION 22] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (22),
+ tickets [2] SEQUENCE OF Ticket,
+ enc-part [3] EncryptedData -- EncKrbCredPart
+}
+
+EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
+ ticket-info [0] SEQUENCE OF KrbCredInfo,
+ nonce [1] UInt32 OPTIONAL,
+ timestamp [2] KerberosTime OPTIONAL,
+ usec [3] Microseconds OPTIONAL,
+ s-address [4] HostAddress OPTIONAL,
+ r-address [5] HostAddress OPTIONAL
+}
+
+KrbCredInfo ::= SEQUENCE {
+ key [0] EncryptionKey,
+ prealm [1] Realm OPTIONAL,
+ pname [2] PrincipalName OPTIONAL,
+ flags [3] TicketFlags OPTIONAL,
+ authtime [4] KerberosTime OPTIONAL,
+ starttime [5] KerberosTime OPTIONAL,
+ endtime [6] KerberosTime OPTIONAL,
+ renew-till [7] KerberosTime OPTIONAL,
+ srealm [8] Realm OPTIONAL,
+ sname [9] PrincipalName OPTIONAL,
+ caddr [10] HostAddresses OPTIONAL
+}
+
+KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (30),
+ ctime [2] KerberosTime OPTIONAL,
+ cusec [3] Microseconds OPTIONAL,
+ stime [4] KerberosTime,
+ susec [5] Microseconds,
+ error-code [6] Int32,
+ crealm [7] Realm OPTIONAL,
+ cname [8] PrincipalName OPTIONAL,
+ realm [9] Realm -- service realm --,
+ sname [10] PrincipalName -- service name --,
+ e-text [11] KerberosString OPTIONAL,
+ e-data [12] OCTET STRING OPTIONAL
+}
+
+METHOD-DATA ::= SEQUENCE OF PA-DATA
+
+TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ data-type [0] Int32,
+ data-value [1] OCTET STRING OPTIONAL
+}
+
+-- preauth stuff follows
+
+PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
+
+PA-ENC-TS-ENC ::= SEQUENCE {
+ patimestamp [0] KerberosTime -- client's time --,
+ pausec [1] Microseconds OPTIONAL
+}
+
+ETYPE-INFO-ENTRY ::= SEQUENCE {
+ etype [0] Int32,
+ salt [1] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+ETYPE-INFO2-ENTRY ::= SEQUENCE {
+ etype [0] Int32,
+ salt [1] KerberosString OPTIONAL,
+ s2kparams [2] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
+AD-IF-RELEVANT ::= AuthorizationData
+
+AD-KDCIssued ::= SEQUENCE {
+ ad-checksum [0] Checksum,
+ i-realm [1] Realm OPTIONAL,
+ i-sname [2] PrincipalName OPTIONAL,
+ elements [3] AuthorizationData
+}
+
+AD-AND-OR ::= SEQUENCE {
+ condition-count [0] Int32,
+ elements [1] AuthorizationData
+}
+
+AD-MANDATORY-FOR-KDC ::= AuthorizationData
+
+END
diff --git a/asn1/kerberos/kerberos.cnf b/asn1/kerberos/kerberos.cnf
new file mode 100644
index 0000000000..1b99705bcc
--- /dev/null
+++ b/asn1/kerberos/kerberos.cnf
@@ -0,0 +1,12 @@
+# kerberos.cnf
+# kerberos conformation file
+# Copyright 2007 Anders Broman
+# $Id$
+
+#.FIELD_RENAME
+
+#.FN_PARS
+Int32 VAL_PTR = etype
+
+
+
diff --git a/asn1/kerberos/packet-kerberos-template.c b/asn1/kerberos/packet-kerberos-template.c
new file mode 100644
index 0000000000..bd13cea8e1
--- /dev/null
+++ b/asn1/kerberos/packet-kerberos-template.c
@@ -0,0 +1,1313 @@
+/* packet-kerberos.c
+ * Routines for Kerberos
+ * Wes Hardaker (c) 2000
+ * wjhardaker@ucdavis.edu
+ * Richard Sharpe (C) 2002, rsharpe@samba.org, modularized a bit more and
+ * added AP-REQ and AP-REP dissection
+ *
+ * Ronnie Sahlberg (C) 2004, major rewrite for new ASN.1/BER API.
+ * decryption of kerberos blobs if keytab is provided
+ *
+ * See RFC 1510, and various I-Ds and other documents showing additions,
+ * e.g. ones listed under
+ *
+ * http://www.isi.edu/people/bcn/krb-revisions/
+ *
+ * and
+ *
+ * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt
+ *
+ * and
+ *
+ * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-05.txt
+ *
+ * Some structures from RFC2630
+ *
+ * $Id$
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+/*
+ * Some of the development of the Kerberos protocol decoder was sponsored by
+ * Cable Television Laboratories, Inc. ("CableLabs") based upon proprietary
+ * CableLabs' specifications. Your license and use of this protocol decoder
+ * does not mean that you are licensed to use the CableLabs'
+ * specifications. If you have questions about this protocol, contact
+ * jf.mule [AT] cablelabs.com or c.stuart [AT] cablelabs.com for additional
+ * information.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <glib.h>
+#include <ctype.h>
+
+#ifdef HAVE_LIBNETTLE
+#define HAVE_KERBEROS
+#ifdef _WIN32
+#include <des.h>
+#include <cbc.h>
+#else
+#include <nettle/des.h>
+#include <nettle/cbc.h>
+#endif
+#include <epan/crypt/crypt-md5.h>
+#include <sys/stat.h> /* For keyfile manipulation */
+#endif
+
+#include <epan/packet.h>
+
+#include <epan/strutil.h>
+
+#include <epan/conversation.h>
+#include <epan/emem.h>
+#include <epan/dissectors/packet-kerberos.h>
+#include <epan/dissectors/packet-netbios.h>
+#include <epan/dissectors/packet-tcp.h>
+#include <epan/prefs.h>
+#include <epan/dissectors/packet-ber.h>
+#include <epan/dissectors/packet-per.h>
+#include <epan/dissectors/packet-pkinit.h>
+#include <epan/dissectors/packet-cms.h>
+#include <epan/dissectors/packet-windows-common.h>
+
+#include <epan/dissectors/packet-dcerpc-netlogon.h>
+#include <epan/dissectors/packet-dcerpc.h>
+
+#include <epan/dissectors/packet-gssapi.h>
+
+#include <wiretap/file_util.h>
+
+#define PNAME "Kerberos"
+#define PSNAME "KRB5"
+#define PFNAME "kerberos"
+
+static kerberos_packet_info kerberos_pi;
+
+#define UDP_PORT_KERBEROS 88
+#define TCP_PORT_KERBEROS 88
+
+static dissector_handle_t kerberos_handle_udp=NULL;
+
+/* Desegment Kerberos over TCP messages */
+static gboolean krb_desegment = TRUE;
+
+static gint proto_kerberos = -1;
+
+
+#include "packet-kerberos-hf.c"
+
+/* Initialize the subtree pointers */
+static gint ett_kerberos = -1;
+#include "packet-kerberos-ett.c"
+
+guint32 krb5_errorcode;
+
+
+static dissector_handle_t krb4_handle=NULL;
+
+static gboolean do_col_info;
+
+
+static void
+call_kerberos_callbacks(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int tag)
+{
+ kerberos_callbacks *cb=(kerberos_callbacks *)pinfo->private_data;
+
+ if(!cb){
+ return;
+ }
+
+ while(cb->tag){
+ if(cb->tag==tag){
+ cb->callback(pinfo, tvb, tree);
+ return;
+ }
+ cb++;
+ }
+ return;
+}
+
+
+
+#ifdef HAVE_KERBEROS
+
+/* Decrypt Kerberos blobs */
+static gboolean krb_decrypt = FALSE;
+
+/* keytab filename */
+static const char *keytab_filename = "insert filename here";
+
+#endif
+
+#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
+#ifdef _WIN32
+/* prevent redefinition warnings in kfw-2.5\inc\win_mac.h */
+#undef HAVE_STDARG_H
+#undef HAVE_SYS_TYPES_H
+#endif
+#include <krb5.h>
+enc_key_t *enc_key_list=NULL;
+
+static void
+add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin)
+{
+ enc_key_t *new_key;
+
+ if(pinfo->fd->flags.visited){
+ return;
+ }
+printf("added key in %u\n",pinfo->fd->num);
+
+ new_key=g_malloc(sizeof(enc_key_t));
+ g_snprintf(new_key->key_origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u",origin,pinfo->fd->num);
+ new_key->next=enc_key_list;
+ enc_key_list=new_key;
+ new_key->keytype=keytype;
+ new_key->keylength=keylength;
+ /*XXX this needs to be freed later */
+ new_key->keyvalue=g_memdup(keyvalue, keylength);
+}
+#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
+
+
+#ifdef HAVE_MIT_KERBEROS
+
+static void
+read_keytab_file(const char *filename, krb5_context *context)
+{
+ krb5_keytab keytab;
+ krb5_keytab_entry key;
+ krb5_error_code ret;
+ krb5_kt_cursor cursor;
+ enc_key_t *new_key;
+
+ /* should use a file in the wireshark users dir */
+ ret = krb5_kt_resolve(*context, filename, &keytab);
+ if(ret){
+ fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename);
+
+ return;
+ }
+
+ ret = krb5_kt_start_seq_get(*context, keytab, &cursor);
+ if(ret){
+ fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename);
+ return;
+ }
+
+ do{
+ new_key=g_malloc(sizeof(enc_key_t));
+ new_key->next=enc_key_list;
+ ret = krb5_kt_next_entry(*context, keytab, &key, &cursor);
+ if(ret==0){
+ int i;
+ char *pos;
+
+ /* generate origin string, describing where this key came from */
+ pos=new_key->key_origin;
+ pos+=MIN(KRB_MAX_ORIG_LEN,
+ g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal "));
+ for(i=0;i<key.principal->length;i++){
+ pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+ g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),(key.principal->data[i]).data));
+ }
+ pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+ g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm.data));
+ *pos=0;
+/*printf("added key for principal :%s\n", new_key->key_origin);*/
+ new_key->keytype=key.key.enctype;
+ new_key->keylength=key.key.length;
+ new_key->keyvalue=g_memdup(key.key.contents, key.key.length);
+ enc_key_list=new_key;
+ }
+ }while(ret==0);
+
+ ret = krb5_kt_end_seq_get(*context, keytab, &cursor);
+ if(ret){
+ krb5_kt_close(*context, keytab);
+ }
+
+}
+
+
+guint8 *
+decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
+ int usage,
+ int length,
+ const guint8 *cryptotext,
+ int keytype)
+{
+ static int first_time=1;
+ static krb5_context context;
+ krb5_error_code ret;
+ enc_key_t *ek;
+ static krb5_data data = {0,0,NULL};
+ krb5_keytab_entry key;
+
+ /* dont do anything if we are not attempting to decrypt data */
+ if(!krb_decrypt){
+ return NULL;
+ }
+
+ /* XXX we should only do this for first time, then store somewhere */
+ /* XXX We also need to re-read the keytab when the preference changes */
+
+ /* should this have a destroy context ? MIT people would know */
+ if(first_time){
+ first_time=0;
+ ret = krb5_init_context(&context);
+ if(ret){
+ return NULL;
+ }
+ read_keytab_file(keytab_filename, &context);
+ }
+
+ for(ek=enc_key_list;ek;ek=ek->next){
+ krb5_enc_data input;
+
+ /* shortcircuit and bail out if enctypes are not matching */
+ if(ek->keytype!=keytype){
+ continue;
+ }
+
+ input.enctype = ek->keytype;
+ input.ciphertext.length = length;
+ input.ciphertext.data = (guint8 *)cryptotext;
+
+ data.length = length;
+ if(data.data){
+ g_free(data.data);
+ }
+ data.data = g_malloc(length);
+
+ key.key.enctype=ek->keytype;
+ key.key.length=ek->keylength;
+ key.key.contents=ek->keyvalue;
+ ret = krb5_c_decrypt(context, &(key.key), usage, 0, &input, &data);
+ if((ret == 0) && (length>0)){
+ char *user_data;
+
+printf("woohoo decrypted keytype:%d in frame:%u\n", keytype, pinfo->fd->num);
+ proto_tree_add_text(tree, NULL, 0, 0, "[Decrypted using: %s]", ek->key_origin);
+ /* return a private g_malloced blob to the caller */
+ user_data=g_malloc(data.length);
+ memcpy(user_data, data.data, data.length);
+ return user_data;
+ }
+ }
+
+ return NULL;
+}
+
+#elif defined(HAVE_HEIMDAL_KERBEROS)
+static void
+read_keytab_file(const char *filename, krb5_context *context)
+{
+ krb5_keytab keytab;
+ krb5_keytab_entry key;
+ krb5_error_code ret;
+ krb5_kt_cursor cursor;
+ enc_key_t *new_key;
+
+ /* should use a file in the wireshark users dir */
+ ret = krb5_kt_resolve(*context, filename, &keytab);
+ if(ret){
+ fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename);
+
+ return;
+ }
+
+ ret = krb5_kt_start_seq_get(*context, keytab, &cursor);
+ if(ret){
+ fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename);
+ return;
+ }
+
+ do{
+ new_key=g_malloc(sizeof(enc_key_t));
+ new_key->next=enc_key_list;
+ ret = krb5_kt_next_entry(*context, keytab, &key, &cursor);
+ if(ret==0){
+ unsigned int i;
+ char *pos;
+
+ /* generate origin string, describing where this key came from */
+ pos=new_key->key_origin;
+ pos+=MIN(KRB_MAX_ORIG_LEN,
+ g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal "));
+ for(i=0;i<key.principal->name.name_string.len;i++){
+ pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+ g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),key.principal->name.name_string.val[i]));
+ }
+ pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+ g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm));
+ *pos=0;
+ new_key->keytype=key.keyblock.keytype;
+ new_key->keylength=key.keyblock.keyvalue.length;
+ new_key->keyvalue=g_memdup(key.keyblock.keyvalue.data, key.keyblock.keyvalue.length);
+ enc_key_list=new_key;
+ }
+ }while(ret==0);
+
+ ret = krb5_kt_end_seq_get(*context, keytab, &cursor);
+ if(ret){
+ krb5_kt_close(*context, keytab);
+ }
+
+}
+
+
+guint8 *
+decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
+ int usage,
+ int length,
+ const guint8 *cryptotext,
+ int keytype)
+{
+ static int first_time=1;
+ static krb5_context context;
+ krb5_error_code ret;
+ krb5_data data;
+ enc_key_t *ek;
+
+ /* dont do anything if we are not attempting to decrypt data */
+ if(!krb_decrypt){
+ return NULL;
+ }
+
+ /* XXX we should only do this for first time, then store somewhere */
+ /* XXX We also need to re-read the keytab when the preference changes */
+
+ /* should this have a destroy context ? Heimdal people would know */
+ if(first_time){
+ first_time=0;
+ ret = krb5_init_context(&context);
+ if(ret){
+ return NULL;
+ }
+ read_keytab_file(keytab_filename, &context);
+ }
+
+ for(ek=enc_key_list;ek;ek=ek->next){
+ krb5_keytab_entry key;
+ krb5_crypto crypto;
+ guint8 *cryptocopy; /* workaround for pre-0.6.1 heimdal bug */
+
+ /* shortcircuit and bail out if enctypes are not matching */
+ if(ek->keytype!=keytype){
+ continue;
+ }
+
+ key.keyblock.keytype=ek->keytype;
+ key.keyblock.keyvalue.length=ek->keylength;
+ key.keyblock.keyvalue.data=ek->keyvalue;
+ ret = krb5_crypto_init(context, &(key.keyblock), 0, &crypto);
+ if(ret){
+ return NULL;
+ }
+
+ /* pre-0.6.1 versions of Heimdal would sometimes change
+ the cryptotext data even when the decryption failed.
+ This would obviously not work since we iterate over the
+ keys. So just give it a copy of the crypto data instead.
+ This has been seen for RC4-HMAC blobs.
+ */
+ cryptocopy=g_malloc(length);
+ memcpy(cryptocopy, cryptotext, length);
+ ret = krb5_decrypt_ivec(context, crypto, usage,
+ cryptocopy, length,
+ &data,
+ NULL);
+ g_free(cryptocopy);
+ if((ret == 0) && (length>0)){
+ char *user_data;
+
+printf("woohoo decrypted keytype:%d in frame:%u\n", keytype, pinfo->fd->num);
+ proto_tree_add_text(tree, NULL, 0, 0, "[Decrypted using: %s]", ek->key_origin);
+ krb5_crypto_destroy(context, crypto);
+ /* return a private g_malloced blob to the caller */
+ user_data=g_malloc(data.length);
+ memcpy(user_data, data.data, data.length);
+ return user_data;
+ }
+ krb5_crypto_destroy(context, crypto);
+ }
+ return NULL;
+}
+
+#elif defined (HAVE_LIBNETTLE)
+
+#define SERVICE_KEY_SIZE (DES3_KEY_SIZE + 2)
+#define KEYTYPE_DES3_CBC_MD5 5 /* Currently the only one supported */
+
+typedef struct _service_key_t {
+ guint16 kvno;
+ int keytype;
+ int length;
+ guint8 *contents;
+ char origin[KRB_MAX_ORIG_LEN+1];
+} service_key_t;
+GSList *service_key_list = NULL;
+
+
+static void
+add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin)
+{
+ service_key_t *new_key;
+
+ if(pinfo->fd->flags.visited){
+ return;
+ }
+printf("added key in %u\n",pinfo->fd->num);
+
+ new_key = g_malloc(sizeof(service_key_t));
+ new_key->kvno = 0;
+ new_key->keytype = keytype;
+ new_key->length = keylength;
+ new_key->contents = g_malloc(keylength);
+ memcpy(new_key->contents, keyvalue, keylength);
+ g_snprintf(new_key->origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u", origin, pinfo->fd->num);
+ service_key_list = g_slist_append(service_key_list, (gpointer) new_key);
+}
+
+static void
+clear_keytab(void) {
+ GSList *ske;
+ service_key_t *sk;
+
+ for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
+ sk = (service_key_t *) ske->data;
+ if (sk && sk->contents) g_free(sk->contents);
+ if (sk) g_free(sk);
+ }
+ g_slist_free(service_key_list);
+ service_key_list = NULL;
+}
+
+static void
+read_keytab_file(const char *service_key_file)
+{
+ FILE *skf;
+ struct stat st;
+ service_key_t *sk;
+ unsigned char buf[SERVICE_KEY_SIZE];
+ int newline_skip = 0, count = 0;
+
+ if (service_key_file != NULL && stat (service_key_file, &st) == 0) {
+
+ /* The service key file contains raw 192-bit (24 byte) 3DES keys.
+ * There can be zero, one (\n), or two (\r\n) characters between
+ * keys. Trailing characters are ignored.
+ */
+
+ /* XXX We should support the standard keytab format instead */
+ if (st.st_size > SERVICE_KEY_SIZE) {
+ if ( (st.st_size % (SERVICE_KEY_SIZE + 1) == 0) ||
+ (st.st_size % (SERVICE_KEY_SIZE + 1) == SERVICE_KEY_SIZE) ) {
+ newline_skip = 1;
+ } else if ( (st.st_size % (SERVICE_KEY_SIZE + 2) == 0) ||
+ (st.st_size % (SERVICE_KEY_SIZE + 2) == SERVICE_KEY_SIZE) ) {
+ newline_skip = 2;
+ }
+ }
+
+ skf = eth_fopen(service_key_file, "rb");
+ if (! skf) return;
+
+ while (fread(buf, SERVICE_KEY_SIZE, 1, skf) == 1) {
+ sk = g_malloc(sizeof(service_key_t));
+ sk->kvno = buf[0] << 8 | buf[1];
+ sk->keytype = KEYTYPE_DES3_CBC_MD5;
+ sk->length = DES3_KEY_SIZE;
+ sk->contents = g_malloc(DES3_KEY_SIZE);
+ memcpy(sk->contents, buf + 2, DES3_KEY_SIZE);
+ g_snprintf(sk->origin, KRB_MAX_ORIG_LEN, "3DES service key file, key #%d, offset %ld", count, ftell(skf));
+ service_key_list = g_slist_append(service_key_list, (gpointer) sk);
+ fseek(skf, newline_skip, SEEK_CUR);
+ count++;
+g_warning("added key: %s", sk->origin);
+ }
+ fclose(skf);
+ }
+}
+
+#define CONFOUNDER_PLUS_CHECKSUM 24
+
+guint8 *
+decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
+ int _U_ usage,
+ int length,
+ const guint8 *cryptotext,
+ int keytype)
+{
+ tvbuff_t *encr_tvb;
+ guint8 *decrypted_data = NULL, *plaintext = NULL;
+ int res;
+ guint8 cls;
+ gboolean pc;
+ guint32 tag, item_len, data_len;
+ int id_offset, offset;
+ guint8 key[DES3_KEY_SIZE];
+ guint8 initial_vector[DES_BLOCK_SIZE];
+ md5_state_t md5s;
+ md5_byte_t digest[16];
+ md5_byte_t zero_fill[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+ md5_byte_t confounder[8];
+ gboolean ind;
+ GSList *ske;
+ service_key_t *sk;
+ struct des3_ctx ctx;
+
+
+ /* dont do anything if we are not attempting to decrypt data */
+ if(!krb_decrypt){
+ return NULL;
+ }
+
+ if (keytype != KEYTYPE_DES3_CBC_MD5 || service_key_list == NULL) {
+ return NULL;
+ }
+
+ decrypted_data = g_malloc(length);
+ for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
+ gboolean do_continue = FALSE;
+ sk = (service_key_t *) ske->data;
+
+ des_fix_parity(DES3_KEY_SIZE, key, sk->contents);
+
+ md5_init(&md5s);
+ memset(initial_vector, 0, DES_BLOCK_SIZE);
+ res = des3_set_key(&ctx, key);
+ cbc_decrypt(&ctx, des3_decrypt, DES_BLOCK_SIZE, initial_vector,
+ length, decrypted_data, cryptotext);
+ encr_tvb = tvb_new_real_data(decrypted_data, length, length);
+
+ tvb_memcpy(encr_tvb, confounder, 0, 8);
+
+ /* We have to pull the decrypted data length from the decrypted
+ * content. If the key doesn't match or we otherwise get garbage,
+ * an exception may get thrown while decoding the ASN.1 header.
+ * Catch it, just in case.
+ */
+ TRY {
+ id_offset = get_ber_identifier(encr_tvb, CONFOUNDER_PLUS_CHECKSUM, &cls, &pc, &tag);
+ offset = get_ber_length(tree, encr_tvb, id_offset, &item_len, &ind);
+ }
+ CATCH (BoundsError) {
+ tvb_free(encr_tvb);
+ do_continue = TRUE;
+ }
+ ENDTRY;
+
+ if (do_continue) continue;
+
+ data_len = item_len + offset - CONFOUNDER_PLUS_CHECKSUM;
+ if ((int) item_len + offset > length) {
+ tvb_free(encr_tvb);
+ continue;
+ }
+
+ md5_append(&md5s, confounder, 8);
+ md5_append(&md5s, zero_fill, 16);
+ md5_append(&md5s, decrypted_data + CONFOUNDER_PLUS_CHECKSUM, data_len);
+ md5_finish(&md5s, digest);
+
+ if (tvb_memeql (encr_tvb, 8, digest, 16) == 0) {
+g_warning("woohoo decrypted keytype:%d in frame:%u\n", keytype, pinfo->fd->num);
+ plaintext = g_malloc(data_len);
+ tvb_memcpy(encr_tvb, plaintext, CONFOUNDER_PLUS_CHECKSUM, data_len);
+ tvb_free(encr_tvb);
+
+ g_free(decrypted_data);
+ return(plaintext);
+ }
+ }
+
+ g_free(decrypted_data);
+ return NULL;
+}
+
+
+#endif /* HAVE_MIT_KERBEROS / HAVE_HEIMDAL_KERBEROS / HAVE_LIBNETTLE */
+
+
+
+/* TCP Record Mark */
+#define KRB_RM_RESERVED 0x80000000L
+#define KRB_RM_RECLEN 0x7fffffffL
+
+#define KRB5_MSG_TICKET 1 /* Ticket */
+#define KRB5_MSG_AUTHENTICATOR 2 /* Authenticator */
+#define KRB5_MSG_ENC_TICKET_PART 3 /* EncTicketPart */
+#define KRB5_MSG_AS_REQ 10 /* AS-REQ type */
+#define KRB5_MSG_AS_REP 11 /* AS-REP type */
+#define KRB5_MSG_TGS_REQ 12 /* TGS-REQ type */
+#define KRB5_MSG_TGS_REP 13 /* TGS-REP type */
+#define KRB5_MSG_AP_REQ 14 /* AP-REQ type */
+#define KRB5_MSG_AP_REP 15 /* AP-REP type */
+
+#define KRB5_MSG_SAFE 20 /* KRB-SAFE type */
+#define KRB5_MSG_PRIV 21 /* KRB-PRIV type */
+#define KRB5_MSG_CRED 22 /* KRB-CRED type */
+#define KRB5_MSG_ENC_AS_REP_PART 25 /* EncASRepPart */
+#define KRB5_MSG_ENC_TGS_REP_PART 26 /* EncTGSRepPart */
+#define KRB5_MSG_ENC_AP_REP_PART 27 /* EncAPRepPart */
+#define KRB5_MSG_ENC_KRB_PRIV_PART 28 /* EncKrbPrivPart */
+#define KRB5_MSG_ENC_KRB_CRED_PART 29 /* EncKrbCredPart */
+#define KRB5_MSG_ERROR 30 /* KRB-ERROR type */
+
+/* address type constants */
+#define KRB5_ADDR_IPv4 0x02
+#define KRB5_ADDR_CHAOS 0x05
+#define KRB5_ADDR_XEROX 0x06
+#define KRB5_ADDR_ISO 0x07
+#define KRB5_ADDR_DECNET 0x0c
+#define KRB5_ADDR_APPLETALK 0x10
+#define KRB5_ADDR_NETBIOS 0x14
+#define KRB5_ADDR_IPv6 0x18
+
+/* encryption type constants */
+#define KRB5_ENCTYPE_NULL 0
+#define KRB5_ENCTYPE_DES_CBC_CRC 1
+#define KRB5_ENCTYPE_DES_CBC_MD4 2
+#define KRB5_ENCTYPE_DES_CBC_MD5 3
+#define KRB5_ENCTYPE_DES_CBC_RAW 4
+#define KRB5_ENCTYPE_DES3_CBC_SHA 5
+#define KRB5_ENCTYPE_DES3_CBC_RAW 6
+#define KRB5_ENCTYPE_DES_HMAC_SHA1 8
+#define KRB5_ENCTYPE_DSA_SHA1_CMS 9
+#define KRB5_ENCTYPE_RSA_MD5_CMS 10
+#define KRB5_ENCTYPE_RSA_SHA1_CMS 11
+#define KRB5_ENCTYPE_RC2_CBC_ENV 12
+#define KRB5_ENCTYPE_RSA_ENV 13
+#define KRB5_ENCTYPE_RSA_ES_OEAP_ENV 14
+#define KRB5_ENCTYPE_DES_EDE3_CBC_ENV 15
+#define KRB5_ENCTYPE_DES3_CBC_SHA1 16
+#define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 17
+#define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 18
+#define KRB5_ENCTYPE_DES_CBC_MD5_NT 20
+#define KERB_ENCTYPE_RC4_HMAC 23
+#define KERB_ENCTYPE_RC4_HMAC_EXP 24
+#define KRB5_ENCTYPE_UNKNOWN 0x1ff
+#define KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 0x7007
+#define KRB5_ENCTYPE_RC4_PLAIN_EXP 0xffffff73
+#define KRB5_ENCTYPE_RC4_PLAIN 0xffffff74
+#define KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP 0xffffff78
+#define KRB5_ENCTYPE_RC4_HMAC_OLD_EXP 0xffffff79
+#define KRB5_ENCTYPE_RC4_PLAIN_OLD 0xffffff7a
+#define KRB5_ENCTYPE_RC4_HMAC_OLD 0xffffff7b
+#define KRB5_ENCTYPE_DES_PLAIN 0xffffff7c
+#define KRB5_ENCTYPE_RC4_SHA 0xffffff7d
+#define KRB5_ENCTYPE_RC4_LM 0xffffff7e
+#define KRB5_ENCTYPE_RC4_PLAIN2 0xffffff7f
+#define KRB5_ENCTYPE_RC4_MD4 0xffffff80
+
+/* checksum types */
+#define KRB5_CHKSUM_NONE 0
+#define KRB5_CHKSUM_CRC32 1
+#define KRB5_CHKSUM_MD4 2
+#define KRB5_CHKSUM_KRB_DES_MAC 4
+#define KRB5_CHKSUM_KRB_DES_MAC_K 5
+#define KRB5_CHKSUM_MD5 7
+#define KRB5_CHKSUM_MD5_DES 8
+/* the following four comes from packetcable */
+#define KRB5_CHKSUM_MD5_DES3 9
+#define KRB5_CHKSUM_HMAC_SHA1_DES3_KD 12
+#define KRB5_CHKSUM_HMAC_SHA1_DES3 13
+#define KRB5_CHKSUM_SHA1_UNKEYED 14
+#define KRB5_CHKSUM_HMAC_MD5 0xffffff76
+#define KRB5_CHKSUM_MD5_HMAC 0xffffff77
+#define KRB5_CHKSUM_RC4_MD5 0xffffff78
+#define KRB5_CHKSUM_MD25 0xffffff79
+#define KRB5_CHKSUM_DES_MAC_MD5 0xffffff7a
+#define KRB5_CHKSUM_DES_MAC 0xffffff7b
+#define KRB5_CHKSUM_REAL_CRC32 0xffffff7c
+#define KRB5_CHKSUM_SHA1 0xffffff7d
+#define KRB5_CHKSUM_LM 0xffffff7e
+#define KRB5_CHKSUM_GSSAPI 0x8003
+
+/*
+ * For KERB_ENCTYPE_RC4_HMAC and KERB_ENCTYPE_RC4_HMAC_EXP, see
+ *
+ * http://www.ietf.org/internet-drafts/draft-brezak-win2k-krb-rc4-hmac-04.txt
+ *
+ * unless it's expired.
+ */
+
+/* pre-authentication type constants */
+#define KRB5_PA_TGS_REQ 1
+#define KRB5_PA_ENC_TIMESTAMP 2
+#define KRB5_PA_PW_SALT 3
+#define KRB5_PA_ENC_ENCKEY 4
+#define KRB5_PA_ENC_UNIX_TIME 5
+#define KRB5_PA_ENC_SANDIA_SECURID 6
+#define KRB5_PA_SESAME 7
+#define KRB5_PA_OSF_DCE 8
+#define KRB5_PA_CYBERSAFE_SECUREID 9
+#define KRB5_PA_AFS3_SALT 10
+#define KRB5_PA_ENCTYPE_INFO 11
+#define KRB5_PA_SAM_CHALLENGE 12
+#define KRB5_PA_SAM_RESPONSE 13
+#define KRB5_PA_PK_AS_REQ 14
+#define KRB5_PA_PK_AS_REP 15
+#define KRB5_PA_DASS 16
+#define KRB5_PA_ENCTYPE_INFO2 19
+#define KRB5_PA_USE_SPECIFIED_KVNO 20
+#define KRB5_PA_SAM_REDIRECT 21
+#define KRB5_PA_GET_FROM_TYPED_DATA 22
+#define KRB5_PA_SAM_ETYPE_INFO 23
+#define KRB5_PA_ALT_PRINC 24
+#define KRB5_PA_SAM_CHALLENGE2 30
+#define KRB5_PA_SAM_RESPONSE2 31
+#define KRB5_TD_PKINIT_CMS_CERTIFICATES 101
+#define KRB5_TD_KRB_PRINCIPAL 102
+#define KRB5_TD_KRB_REALM 103
+#define KRB5_TD_TRUSTED_CERTIFIERS 104
+#define KRB5_TD_CERTIFICATE_INDEX 105
+#define KRB5_TD_APP_DEFINED_ERROR 106
+#define KRB5_TD_REQ_NONCE 107
+#define KRB5_TD_REQ_SEQ 108
+/* preauthentication types >127 (i.e. negative ones) are app specific.
+ hopefully there will be no collissions here or we will have to
+ come up with something better
+*/
+#define KRB5_PA_PAC_REQUEST 128 /* MS extension */
+#define KRB5_PA_PROV_SRV_LOCATION 255 /* packetcable stuff */
+
+/* Principal name-type */
+#define KRB5_NT_UNKNOWN 0
+#define KRB5_NT_PRINCIPAL 1
+#define KRB5_NT_SRV_INST 2
+#define KRB5_NT_SRV_HST 3
+#define KRB5_NT_SRV_XHST 4
+#define KRB5_NT_UID 5
+#define KRB5_NT_X500_PRINCIPAL 6
+#define KRB5_NT_SMTP_NAME 7
+#define KRB5_NT_ENTERPRISE 10
+
+/*
+ * MS specific name types, from
+ *
+ * http://msdn.microsoft.com/library/en-us/security/security/kerb_external_name.asp
+ */
+#define KRB5_NT_MS_PRINCIPAL -128
+#define KRB5_NT_MS_PRINCIPAL_AND_SID -129
+#define KRB5_NT_ENT_PRINCIPAL_AND_SID -130
+#define KRB5_NT_PRINCIPAL_AND_SID -131
+#define KRB5_NT_SRV_INST_AND_SID -132
+
+/* error table constants */
+/* I prefixed the krb5_err.et constant names with KRB5_ET_ for these */
+#define KRB5_ET_KRB5KDC_ERR_NONE 0
+#define KRB5_ET_KRB5KDC_ERR_NAME_EXP 1
+#define KRB5_ET_KRB5KDC_ERR_SERVICE_EXP 2
+#define KRB5_ET_KRB5KDC_ERR_BAD_PVNO 3
+#define KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO 4
+#define KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO 5
+#define KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN 6
+#define KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN 7
+#define KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE 8
+#define KRB5_ET_KRB5KDC_ERR_NULL_KEY 9
+#define KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE 10
+#define KRB5_ET_KRB5KDC_ERR_NEVER_VALID 11
+#define KRB5_ET_KRB5KDC_ERR_POLICY 12
+#define KRB5_ET_KRB5KDC_ERR_BADOPTION 13
+#define KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP 14
+#define KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP 15
+#define KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP 16
+#define KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP 17
+#define KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED 18
+#define KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED 19
+#define KRB5_ET_KRB5KDC_ERR_TGT_REVOKED 20
+#define KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET 21
+#define KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET 22
+#define KRB5_ET_KRB5KDC_ERR_KEY_EXP 23
+#define KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED 24
+#define KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED 25
+#define KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH 26
+#define KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER 27
+#define KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED 28
+#define KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE 29
+#define KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY 31
+#define KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED 32
+#define KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV 33
+#define KRB5_ET_KRB5KRB_AP_ERR_REPEAT 34
+#define KRB5_ET_KRB5KRB_AP_ERR_NOT_US 35
+#define KRB5_ET_KRB5KRB_AP_ERR_BADMATCH 36
+#define KRB5_ET_KRB5KRB_AP_ERR_SKEW 37
+#define KRB5_ET_KRB5KRB_AP_ERR_BADADDR 38
+#define KRB5_ET_KRB5KRB_AP_ERR_BADVERSION 39
+#define KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE 40
+#define KRB5_ET_KRB5KRB_AP_ERR_MODIFIED 41
+#define KRB5_ET_KRB5KRB_AP_ERR_BADORDER 42
+#define KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT 43
+#define KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER 44
+#define KRB5_ET_KRB5KRB_AP_ERR_NOKEY 45
+#define KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL 46
+#define KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION 47
+#define KRB5_ET_KRB5KRB_AP_ERR_METHOD 48
+#define KRB5_ET_KRB5KRB_AP_ERR_BADSEQ 49
+#define KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM 50
+#define KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED 51
+#define KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG 52
+#define KRB5_ET_KRB5KRB_ERR_GENERIC 60
+#define KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG 61
+#define KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED 62
+#define KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED 63
+#define KRB5_ET_KDC_ERROR_INVALID_SIG 64
+#define KRB5_ET_KDC_ERR_KEY_TOO_WEAK 65
+#define KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH 66
+#define KRB5_ET_KRB_AP_ERR_NO_TGT 67
+#define KRB5_ET_KDC_ERR_WRONG_REALM 68
+#define KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED 69
+#define KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE 70
+#define KRB5_ET_KDC_ERR_INVALID_CERTIFICATE 71
+#define KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE 72
+#define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN 73
+#define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74
+#define KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH 75
+#define KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH 76
+
+static const value_string krb5_error_codes[] = {
+ { KRB5_ET_KRB5KDC_ERR_NONE, "KRB5KDC_ERR_NONE" },
+ { KRB5_ET_KRB5KDC_ERR_NAME_EXP, "KRB5KDC_ERR_NAME_EXP" },
+ { KRB5_ET_KRB5KDC_ERR_SERVICE_EXP, "KRB5KDC_ERR_SERVICE_EXP" },
+ { KRB5_ET_KRB5KDC_ERR_BAD_PVNO, "KRB5KDC_ERR_BAD_PVNO" },
+ { KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO, "KRB5KDC_ERR_C_OLD_MAST_KVNO" },
+ { KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO, "KRB5KDC_ERR_S_OLD_MAST_KVNO" },
+ { KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" },
+ { KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" },
+ { KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, "KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE" },
+ { KRB5_ET_KRB5KDC_ERR_NULL_KEY, "KRB5KDC_ERR_NULL_KEY" },
+ { KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE, "KRB5KDC_ERR_CANNOT_POSTDATE" },
+ { KRB5_ET_KRB5KDC_ERR_NEVER_VALID, "KRB5KDC_ERR_NEVER_VALID" },
+ { KRB5_ET_KRB5KDC_ERR_POLICY, "KRB5KDC_ERR_POLICY" },
+ { KRB5_ET_KRB5KDC_ERR_BADOPTION, "KRB5KDC_ERR_BADOPTION" },
+ { KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP, "KRB5KDC_ERR_ETYPE_NOSUPP" },
+ { KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP, "KRB5KDC_ERR_SUMTYPE_NOSUPP" },
+ { KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP, "KRB5KDC_ERR_PADATA_TYPE_NOSUPP" },
+ { KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP, "KRB5KDC_ERR_TRTYPE_NOSUPP" },
+ { KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED, "KRB5KDC_ERR_CLIENT_REVOKED" },
+ { KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED, "KRB5KDC_ERR_SERVICE_REVOKED" },
+ { KRB5_ET_KRB5KDC_ERR_TGT_REVOKED, "KRB5KDC_ERR_TGT_REVOKED" },
+ { KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET, "KRB5KDC_ERR_CLIENT_NOTYET" },
+ { KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET, "KRB5KDC_ERR_SERVICE_NOTYET" },
+ { KRB5_ET_KRB5KDC_ERR_KEY_EXP, "KRB5KDC_ERR_KEY_EXP" },
+ { KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED, "KRB5KDC_ERR_PREAUTH_FAILED" },
+ { KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED, "KRB5KDC_ERR_PREAUTH_REQUIRED" },
+ { KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH, "KRB5KDC_ERR_SERVER_NOMATCH" },
+ { KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER, "KRB5KDC_ERR_MUST_USE_USER2USER" },
+ { KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED, "KRB5KDC_ERR_PATH_NOT_ACCEPTED" },
+ { KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE, "KRB5KDC_ERR_SVC_UNAVAILABLE" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY, "KRB5KRB_AP_ERR_BAD_INTEGRITY" },
+ { KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED, "KRB5KRB_AP_ERR_TKT_EXPIRED" },
+ { KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV, "KRB5KRB_AP_ERR_TKT_NYV" },
+ { KRB5_ET_KRB5KRB_AP_ERR_REPEAT, "KRB5KRB_AP_ERR_REPEAT" },
+ { KRB5_ET_KRB5KRB_AP_ERR_NOT_US, "KRB5KRB_AP_ERR_NOT_US" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADMATCH, "KRB5KRB_AP_ERR_BADMATCH" },
+ { KRB5_ET_KRB5KRB_AP_ERR_SKEW, "KRB5KRB_AP_ERR_SKEW" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADADDR, "KRB5KRB_AP_ERR_BADADDR" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADVERSION, "KRB5KRB_AP_ERR_BADVERSION" },
+ { KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE, "KRB5KRB_AP_ERR_MSG_TYPE" },
+ { KRB5_ET_KRB5KRB_AP_ERR_MODIFIED, "KRB5KRB_AP_ERR_MODIFIED" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADORDER, "KRB5KRB_AP_ERR_BADORDER" },
+ { KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT, "KRB5KRB_AP_ERR_ILL_CR_TKT" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER, "KRB5KRB_AP_ERR_BADKEYVER" },
+ { KRB5_ET_KRB5KRB_AP_ERR_NOKEY, "KRB5KRB_AP_ERR_NOKEY" },
+ { KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL, "KRB5KRB_AP_ERR_MUT_FAIL" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION, "KRB5KRB_AP_ERR_BADDIRECTION" },
+ { KRB5_ET_KRB5KRB_AP_ERR_METHOD, "KRB5KRB_AP_ERR_METHOD" },
+ { KRB5_ET_KRB5KRB_AP_ERR_BADSEQ, "KRB5KRB_AP_ERR_BADSEQ" },
+ { KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM, "KRB5KRB_AP_ERR_INAPP_CKSUM" },
+ { KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED, "KRB5KDC_AP_PATH_NOT_ACCEPTED" },
+ { KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG, "KRB5KRB_ERR_RESPONSE_TOO_BIG"},
+ { KRB5_ET_KRB5KRB_ERR_GENERIC, "KRB5KRB_ERR_GENERIC" },
+ { KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG, "KRB5KRB_ERR_FIELD_TOOLONG" },
+ { KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED, "KDC_ERROR_CLIENT_NOT_TRUSTED" },
+ { KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED, "KDC_ERROR_KDC_NOT_TRUSTED" },
+ { KRB5_ET_KDC_ERROR_INVALID_SIG, "KDC_ERROR_INVALID_SIG" },
+ { KRB5_ET_KDC_ERR_KEY_TOO_WEAK, "KDC_ERR_KEY_TOO_WEAK" },
+ { KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH, "KDC_ERR_CERTIFICATE_MISMATCH" },
+ { KRB5_ET_KRB_AP_ERR_NO_TGT, "KRB_AP_ERR_NO_TGT" },
+ { KRB5_ET_KDC_ERR_WRONG_REALM, "KDC_ERR_WRONG_REALM" },
+ { KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED, "KRB_AP_ERR_USER_TO_USER_REQUIRED" },
+ { KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE, "KDC_ERR_CANT_VERIFY_CERTIFICATE" },
+ { KRB5_ET_KDC_ERR_INVALID_CERTIFICATE, "KDC_ERR_INVALID_CERTIFICATE" },
+ { KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE, "KDC_ERR_REVOKED_CERTIFICATE" },
+ { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN, "KDC_ERR_REVOCATION_STATUS_UNKNOWN" },
+ { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE, "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE" },
+ { KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH, "KDC_ERR_CLIENT_NAME_MISMATCH" },
+ { KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH, "KDC_ERR_KDC_NAME_MISMATCH" },
+ { 0, NULL }
+};
+
+
+#define PAC_LOGON_INFO 1
+#define PAC_CREDENTIAL_TYPE 2
+#define PAC_SERVER_CHECKSUM 6
+#define PAC_PRIVSVR_CHECKSUM 7
+#define PAC_CLIENT_INFO_TYPE 10
+#define PAC_CONSTRAINED_DELEGATION 11
+static const value_string w2k_pac_types[] = {
+ { PAC_LOGON_INFO , "Logon Info" },
+ { PAC_CREDENTIAL_TYPE , "Credential Type" },
+ { PAC_SERVER_CHECKSUM , "Server Checksum" },
+ { PAC_PRIVSVR_CHECKSUM , "Privsvr Checksum" },
+ { PAC_CLIENT_INFO_TYPE , "Client Info Type" },
+ { PAC_CONSTRAINED_DELEGATION, "Constrained Delegation" },
+ { 0, NULL },
+};
+
+
+
+static const value_string krb5_princ_types[] = {
+ { KRB5_NT_UNKNOWN , "Unknown" },
+ { KRB5_NT_PRINCIPAL , "Principal" },
+ { KRB5_NT_SRV_INST , "Service and Instance" },
+ { KRB5_NT_SRV_HST , "Service and Host" },
+ { KRB5_NT_SRV_XHST , "Service and Host Components" },
+ { KRB5_NT_UID , "Unique ID" },
+ { KRB5_NT_X500_PRINCIPAL , "Encoded X.509 Distinguished Name" },
+ { KRB5_NT_SMTP_NAME , "SMTP Name" },
+ { KRB5_NT_ENTERPRISE , "Enterprise Name" },
+ { KRB5_NT_MS_PRINCIPAL , "NT 4.0 style name (MS specific)" },
+ { KRB5_NT_MS_PRINCIPAL_AND_SID , "NT 4.0 style name with SID (MS specific)"},
+ { KRB5_NT_ENT_PRINCIPAL_AND_SID, "UPN and SID (MS specific)"},
+ { KRB5_NT_PRINCIPAL_AND_SID , "Principal name and SID (MS specific)"},
+ { KRB5_NT_SRV_INST_AND_SID , "SPN and SID (MS specific)"},
+ { 0 , NULL },
+};
+
+static const value_string krb5_preauthentication_types[] = {
+ { KRB5_PA_TGS_REQ , "PA-TGS-REQ" },
+ { KRB5_PA_ENC_TIMESTAMP , "PA-ENC-TIMESTAMP" },
+ { KRB5_PA_PW_SALT , "PA-PW-SALT" },
+ { KRB5_PA_ENC_ENCKEY , "PA-ENC-ENCKEY" },
+ { KRB5_PA_ENC_UNIX_TIME , "PA-ENC-UNIX-TIME" },
+ { KRB5_PA_ENC_SANDIA_SECURID , "PA-PW-SALT" },
+ { KRB5_PA_SESAME , "PA-SESAME" },
+ { KRB5_PA_OSF_DCE , "PA-OSF-DCE" },
+ { KRB5_PA_CYBERSAFE_SECUREID , "PA-CYBERSAFE-SECURID" },
+ { KRB5_PA_AFS3_SALT , "PA-AFS3-SALT" },
+ { KRB5_PA_ENCTYPE_INFO , "PA-ENCTYPE-INFO" },
+ { KRB5_PA_ENCTYPE_INFO2 , "PA-ENCTYPE-INFO2" },
+ { KRB5_PA_SAM_CHALLENGE , "PA-SAM-CHALLENGE" },
+ { KRB5_PA_SAM_RESPONSE , "PA-SAM-RESPONSE" },
+ { KRB5_PA_PK_AS_REQ , "PA-PK-AS-REQ" },
+ { KRB5_PA_PK_AS_REP , "PA-PK-AS-REP" },
+ { KRB5_PA_DASS , "PA-DASS" },
+ { KRB5_PA_USE_SPECIFIED_KVNO , "PA-USE-SPECIFIED-KVNO" },
+ { KRB5_PA_SAM_REDIRECT , "PA-SAM-REDIRECT" },
+ { KRB5_PA_GET_FROM_TYPED_DATA , "PA-GET-FROM-TYPED-DATA" },
+ { KRB5_PA_SAM_ETYPE_INFO , "PA-SAM-ETYPE-INFO" },
+ { KRB5_PA_ALT_PRINC , "PA-ALT-PRINC" },
+ { KRB5_PA_SAM_CHALLENGE2 , "PA-SAM-CHALLENGE2" },
+ { KRB5_PA_SAM_RESPONSE2 , "PA-SAM-RESPONSE2" },
+ { KRB5_TD_PKINIT_CMS_CERTIFICATES, "TD-PKINIT-CMS-CERTIFICATES" },
+ { KRB5_TD_KRB_PRINCIPAL , "TD-KRB-PRINCIPAL" },
+ { KRB5_TD_KRB_REALM , "TD-KRB-REALM" },
+ { KRB5_TD_TRUSTED_CERTIFIERS , "TD-TRUSTED-CERTIFIERS" },
+ { KRB5_TD_CERTIFICATE_INDEX , "TD-CERTIFICATE-INDEX" },
+ { KRB5_TD_APP_DEFINED_ERROR , "TD-APP-DEFINED-ERROR" },
+ { KRB5_TD_REQ_NONCE , "TD-REQ-NONCE" },
+ { KRB5_TD_REQ_SEQ , "TD-REQ-SEQ" },
+ { KRB5_PA_PAC_REQUEST , "PA-PAC-REQUEST" },
+ { KRB5_PA_PROV_SRV_LOCATION , "PA-PROV-SRV-LOCATION" },
+ { 0 , NULL },
+};
+
+static const value_string krb5_encryption_types[] = {
+ { KRB5_ENCTYPE_NULL , "NULL" },
+ { KRB5_ENCTYPE_DES_CBC_CRC , "des-cbc-crc" },
+ { KRB5_ENCTYPE_DES_CBC_MD4 , "des-cbc-md4" },
+ { KRB5_ENCTYPE_DES_CBC_MD5 , "des-cbc-md5" },
+ { KRB5_ENCTYPE_DES_CBC_RAW , "des-cbc-raw" },
+ { KRB5_ENCTYPE_DES3_CBC_SHA , "des3-cbc-sha" },
+ { KRB5_ENCTYPE_DES3_CBC_RAW , "des3-cbc-raw" },
+ { KRB5_ENCTYPE_DES_HMAC_SHA1 , "des-hmac-sha1" },
+ { KRB5_ENCTYPE_DSA_SHA1_CMS , "dsa-sha1-cms" },
+ { KRB5_ENCTYPE_RSA_MD5_CMS , "rsa-md5-cms" },
+ { KRB5_ENCTYPE_RSA_SHA1_CMS , "rsa-sha1-cms" },
+ { KRB5_ENCTYPE_RC2_CBC_ENV , "rc2-cbc-env" },
+ { KRB5_ENCTYPE_RSA_ENV , "rsa-env" },
+ { KRB5_ENCTYPE_RSA_ES_OEAP_ENV, "rsa-es-oeap-env" },
+ { KRB5_ENCTYPE_DES_EDE3_CBC_ENV, "des-ede3-cbc-env" },
+ { KRB5_ENCTYPE_DES3_CBC_SHA1 , "des3-cbc-sha1" },
+ { KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 , "aes128-cts-hmac-sha1-96" },
+ { KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 , "aes256-cts-hmac-sha1-96" },
+ { KRB5_ENCTYPE_DES_CBC_MD5_NT , "des-cbc-md5-nt" },
+ { KERB_ENCTYPE_RC4_HMAC , "rc4-hmac" },
+ { KERB_ENCTYPE_RC4_HMAC_EXP , "rc4-hmac-exp" },
+ { KRB5_ENCTYPE_UNKNOWN , "unknown" },
+ { KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1 , "local-des3-hmac-sha1" },
+ { KRB5_ENCTYPE_RC4_PLAIN_EXP , "rc4-plain-exp" },
+ { KRB5_ENCTYPE_RC4_PLAIN , "rc4-plain" },
+ { KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP, "rc4-plain-old-exp" },
+ { KRB5_ENCTYPE_RC4_HMAC_OLD_EXP, "rc4-hmac-old-exp" },
+ { KRB5_ENCTYPE_RC4_PLAIN_OLD , "rc4-plain-old" },
+ { KRB5_ENCTYPE_RC4_HMAC_OLD , "rc4-hmac-old" },
+ { KRB5_ENCTYPE_DES_PLAIN , "des-plain" },
+ { KRB5_ENCTYPE_RC4_SHA , "rc4-sha" },
+ { KRB5_ENCTYPE_RC4_LM , "rc4-lm" },
+ { KRB5_ENCTYPE_RC4_PLAIN2 , "rc4-plain2" },
+ { KRB5_ENCTYPE_RC4_MD4 , "rc4-md4" },
+ { 0 , NULL },
+};
+
+static const value_string krb5_checksum_types[] = {
+ { KRB5_CHKSUM_NONE , "none" },
+ { KRB5_CHKSUM_CRC32 , "crc32" },
+ { KRB5_CHKSUM_MD4 , "md4" },
+ { KRB5_CHKSUM_KRB_DES_MAC , "krb-des-mac" },
+ { KRB5_CHKSUM_KRB_DES_MAC_K , "krb-des-mac-k" },
+ { KRB5_CHKSUM_MD5 , "md5" },
+ { KRB5_CHKSUM_MD5_DES , "md5-des" },
+ { KRB5_CHKSUM_MD5_DES3 , "md5-des3" },
+ { KRB5_CHKSUM_HMAC_SHA1_DES3_KD, "hmac-sha1-des3-kd" },
+ { KRB5_CHKSUM_HMAC_SHA1_DES3 , "hmac-sha1-des3" },
+ { KRB5_CHKSUM_SHA1_UNKEYED , "sha1 (unkeyed)" },
+ { KRB5_CHKSUM_HMAC_MD5 , "hmac-md5" },
+ { KRB5_CHKSUM_MD5_HMAC , "md5-hmac" },
+ { KRB5_CHKSUM_RC4_MD5 , "rc5-md5" },
+ { KRB5_CHKSUM_MD25 , "md25" },
+ { KRB5_CHKSUM_DES_MAC_MD5 , "des-mac-md5" },
+ { KRB5_CHKSUM_DES_MAC , "des-mac" },
+ { KRB5_CHKSUM_REAL_CRC32 , "real-crc32" },
+ { KRB5_CHKSUM_SHA1 , "sha1" },
+ { KRB5_CHKSUM_LM , "lm" },
+ { KRB5_CHKSUM_GSSAPI , "gssapi-8003" },
+ { 0 , NULL },
+};
+
+#define KRB5_AD_IF_RELEVANT 1
+#define KRB5_AD_INTENDED_FOR_SERVER 2
+#define KRB5_AD_INTENDED_FOR_APPLICATION_CLASS 3
+#define KRB5_AD_KDC_ISSUED 4
+#define KRB5_AD_OR 5
+#define KRB5_AD_MANDATORY_TICKET_EXTENSIONS 6
+#define KRB5_AD_IN_TICKET_EXTENSIONS 7
+#define KRB5_AD_MANDATORY_FOR_KDC 8
+#define KRB5_AD_OSF_DCE 64
+#define KRB5_AD_SESAME 65
+#define KRB5_AD_OSF_DCE_PKI_CERTID 66
+#define KRB5_AD_WIN2K_PAC 128
+static const value_string krb5_ad_types[] = {
+ { KRB5_AD_IF_RELEVANT , "AD-IF-RELEVANT" },
+ { KRB5_AD_INTENDED_FOR_SERVER , "AD-Intended-For-Server" },
+ { KRB5_AD_INTENDED_FOR_APPLICATION_CLASS , "AD-Intended-For-Application-Class" },
+ { KRB5_AD_KDC_ISSUED , "AD-KDCIssued" },
+ { KRB5_AD_OR , "AD-AND-OR" },
+ { KRB5_AD_MANDATORY_TICKET_EXTENSIONS , "AD-Mandatory-Ticket-Extensions" },
+ { KRB5_AD_IN_TICKET_EXTENSIONS , "AD-IN-Ticket-Extensions" },
+ { KRB5_AD_MANDATORY_FOR_KDC , "AD-MANDATORY-FOR-KDC" },
+ { KRB5_AD_OSF_DCE , "AD-OSF-DCE" },
+ { KRB5_AD_SESAME , "AD-SESAME" },
+ { KRB5_AD_OSF_DCE_PKI_CERTID , "AD-OSF-DCE-PKI-CertID" },
+ { KRB5_AD_WIN2K_PAC , "AD-Win2k-PAC" },
+ { 0 , NULL },
+};
+
+static const value_string krb5_transited_types[] = {
+ { 1 , "DOMAIN-X500-COMPRESS" },
+ { 0 , NULL }
+};
+
+static const value_string krb5_address_types[] = {
+ { KRB5_ADDR_IPv4, "IPv4"},
+ { KRB5_ADDR_CHAOS, "CHAOS"},
+ { KRB5_ADDR_XEROX, "XEROX"},
+ { KRB5_ADDR_ISO, "ISO"},
+ { KRB5_ADDR_DECNET, "DECNET"},
+ { KRB5_ADDR_APPLETALK, "APPLETALK"},
+ { KRB5_ADDR_NETBIOS, "NETBIOS"},
+ { KRB5_ADDR_IPv6, "IPv6"},
+ { 0, NULL },
+};
+
+static const value_string krb5_msg_types[] = {
+ { KRB5_MSG_TICKET, "Ticket" },
+ { KRB5_MSG_AUTHENTICATOR, "Authenticator" },
+ { KRB5_MSG_ENC_TICKET_PART, "EncTicketPart" },
+ { KRB5_MSG_TGS_REQ, "TGS-REQ" },
+ { KRB5_MSG_TGS_REP, "TGS-REP" },
+ { KRB5_MSG_AS_REQ, "AS-REQ" },
+ { KRB5_MSG_AS_REP, "AS-REP" },
+ { KRB5_MSG_AP_REQ, "AP-REQ" },
+ { KRB5_MSG_AP_REP, "AP-REP" },
+ { KRB5_MSG_SAFE, "KRB-SAFE" },
+ { KRB5_MSG_PRIV, "KRB-PRIV" },
+ { KRB5_MSG_CRED, "KRB-CRED" },
+ { KRB5_MSG_ENC_AS_REP_PART, "EncASRepPart" },
+ { KRB5_MSG_ENC_TGS_REP_PART, "EncTGSRepPart" },
+ { KRB5_MSG_ENC_AP_REP_PART, "EncAPRepPart" },
+ { KRB5_MSG_ENC_KRB_PRIV_PART, "EncKrbPrivPart" },
+ { KRB5_MSG_ENC_KRB_CRED_PART, "EncKrbCredPart" },
+ { KRB5_MSG_ERROR, "KRB-ERROR" },
+ { 0, NULL },
+};
+
+#ifdef HAVE_KERBEROS
+static int
+dissect_krb5_decrypt_authenticator_data (proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+ guint8 *plaintext=NULL;
+ int length;
+
+ length=tvb_length_remaining(tvb, offset);
+
+ /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
+ * 7.5.1
+ * Authenticators are encrypted with usage
+ * == 7 or
+ * == 11
+ */
+ if(!plaintext){
+ plaintext=decrypt_krb5_data(tree, actx->pinfo, 7, length, tvb_get_ptr(tvb, offset, length), authenticator_etype);
+ }
+ if(!plaintext){
+ plaintext=decrypt_krb5_data(tree, actx->pinfo, 11, length, tvb_get_ptr(tvb, offset, length), authenticator_etype);
+ }
+
+ if(plaintext){
+ tvbuff_t *next_tvb;
+ next_tvb = tvb_new_real_data (plaintext,
+ length,
+ length);
+ tvb_set_free_cb(next_tvb, g_free);
+ tvb_set_child_real_data_tvbuff(tvb, next_tvb);
+
+ /* Add the decrypted data to the data source list. */
+ add_new_data_source(actx->pinfo, next_tvb, "Decrypted Krb5");
+
+ dissect_kerberos_Applications(FALSE, next_tvb, 0, actx, tree, -1)
+ }
+ return offset;
+}
+#endif
+
+#include "packet-kerberos-fn.c"
+
+
+
+}
+/*--- proto_register_kerberos -------------------------------------------*/
+void proto_register_kerberos(void) {
+
+ /* List of fields */
+
+
+#include "packet-kerberos-hfarr.c"
+ };
+
+ /* List of subtrees */
+ static gint *ett[] = {
+ &ett_kerberos,
+#include "packet-kerberos-ettarr.c"
+ };
+
+
+ /* Register protocol */
+ proto_kerberos = proto_register_protocol(PNAME, PSNAME, PFNAME);
+ /* Register fields and subtrees */
+ proto_register_field_array(proto_kerberos, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+
+
+ register_dissector("kerberos", dissect_kerberos, proto_kerberos);
+ /* Register preferences */
+ krb_module = prefs_register_protocol(proto_kerberos, kerberos_prefs_apply_cb);
+ prefs_register_bool_preference(krb_module, "desegment",
+ "Reassemble Kerberos over TCP messages spanning multiple TCP segments",
+ "Whether the Kerberos dissector should reassemble messages spanning multiple TCP segments."
+ " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
+ &krb_desegment);
+#ifdef HAVE_KERBEROS
+ prefs_register_bool_preference(krb_module, "decrypt",
+ "Try to decrypt Kerberos blobs",
+ "Whether the dissector should try to decrypt "
+ "encrypted Kerberos blobs. This requires that the proper "
+ "keytab file is installed as well.", &krb_decrypt);
+
+ prefs_register_string_preference(krb_module, "file",
+ "Kerberos keytab file",
+ "The keytab file containing all the secrets",
+ &keytab_filename);
+#endif
+
+}
+static int wrap_dissect_gss_kerb(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep _U_)
+{
+ tvbuff_t *auth_tvb;
+
+ auth_tvb = tvb_new_subset(
+ tvb, offset, tvb_length_remaining(tvb, offset),
+ tvb_reported_length_remaining(tvb, offset));
+
+ dissect_kerberos_main(auth_tvb, pinfo, tree, FALSE, NULL);
+
+ return tvb_length_remaining(tvb, offset);
+}
+
+
+static dcerpc_auth_subdissector_fns gss_kerb_auth_fns = {
+ wrap_dissect_gss_kerb, /* Bind */
+ wrap_dissect_gss_kerb, /* Bind ACK */
+ NULL, /* AUTH3 */
+ wrap_dissect_gssapi_verf, /* Request verifier */
+ wrap_dissect_gssapi_verf, /* Response verifier */
+ wrap_dissect_gssapi_payload, /* Request data */
+ wrap_dissect_gssapi_payload /* Response data */
+};
+
+
+
+/*--- proto_reg_handoff_kerberos ---------------------------------------*/
+void
+proto_reg_handoff_kerberos(void)
+{
+
+ dissector_handle_t kerberos_handle_tcp;
+
+ krb4_handle = find_dissector("krb4");
+
+ kerberos_handle_udp = new_create_dissector_handle(dissect_kerberos_udp,
+ proto_kerberos);
+ kerberos_handle_tcp = create_dissector_handle(dissect_kerberos_tcp,
+ proto_kerberos);
+ dissector_add("udp.port", UDP_PORT_KERBEROS, kerberos_handle_udp);
+ dissector_add("tcp.port", TCP_PORT_KERBEROS, kerberos_handle_tcp);
+
+ register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
+ DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
+ &gss_kerb_auth_fns);
+
+ register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
+ DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
+ &gss_kerb_auth_fns);
+
+}
+
+
diff --git a/asn1/kerberos/packet-kerberos-template.h b/asn1/kerberos/packet-kerberos-template.h
new file mode 100644
index 0000000000..d9397696a8
--- /dev/null
+++ b/asn1/kerberos/packet-kerberos-template.h
@@ -0,0 +1,35 @@
+/* packet-kerberos.h
+ * Routines for kerberos packet dissection
+ * Copyright 2007, Anders Broman <anders.broman@ericsson.com>
+ *
+ * $Id$
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs <gerald@ethereal.com>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifndef PACKET_KERBEROS_H
+#define PACKET_ROS_H
+
+
+
+#include "packet-kerberos-exp.h"
+
+#endif /* PACKET_KERBEROS_H */
+
+