Add a -K command line option to provide the name of the Kerberos keytab
file to use for decryption of Krb5 and GSS-KRB. svn path=/trunk/; revision=26343
parent
5c82d9b784
commit
24b76bdc14
@ -422,24 +422,36 @@ printf("added key in %u\n",pinfo->fd->num);
|
|||
|
||||
#ifdef HAVE_MIT_KERBEROS
|
||||
|
||||
static void
|
||||
read_keytab_file(const char *filename, krb5_context *context)
|
||||
static krb5_context krb5_ctx;
|
||||
|
||||
void
|
||||
read_keytab_file(const char *filename)
|
||||
{
|
||||
krb5_keytab keytab;
|
||||
krb5_keytab_entry key;
|
||||
krb5_error_code ret;
|
||||
krb5_keytab_entry key;
|
||||
krb5_kt_cursor cursor;
|
||||
enc_key_t *new_key;
|
||||
static int first_time=1;
|
||||
|
||||
printf("read keytab file %s\n", filename);
|
||||
if(first_time){
|
||||
first_time=0;
|
||||
ret = krb5_init_context(&krb5_ctx);
|
||||
if(ret){
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
/* should use a file in the wireshark users dir */
|
||||
ret = krb5_kt_resolve(*context, filename, &keytab);
|
||||
ret = krb5_kt_resolve(krb5_ctx, filename, &keytab);
|
||||
if(ret){
|
||||
fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
ret = krb5_kt_start_seq_get(*context, keytab, &cursor);
|
||||
ret = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
|
||||
if(ret){
|
||||
fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename);
|
||||
return;
|
||||
|
@ -448,7 +460,7 @@ read_keytab_file(const char *filename, krb5_context *context)
|
|||
do{
|
||||
new_key=g_malloc(sizeof(enc_key_t));
|
||||
new_key->next=enc_key_list;
|
||||
ret = krb5_kt_next_entry(*context, keytab, &key, &cursor);
|
||||
ret = krb5_kt_next_entry(krb5_ctx, keytab, &key, &cursor);
|
||||
if(ret==0){
|
||||
int i;
|
||||
char *pos;
|
||||
|
@ -472,9 +484,9 @@ read_keytab_file(const char *filename, krb5_context *context)
|
|||
}
|
||||
}while(ret==0);
|
||||
|
||||
ret = krb5_kt_end_seq_get(*context, keytab, &cursor);
|
||||
ret = krb5_kt_end_seq_get(krb5_ctx, keytab, &cursor);
|
||||
if(ret){
|
||||
krb5_kt_close(*context, keytab);
|
||||
krb5_kt_close(krb5_ctx, keytab);
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -488,7 +500,6 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
|
|||
int keytype)
|
||||
{
|
||||
static int first_time=1;
|
||||
static krb5_context context;
|
||||
krb5_error_code ret;
|
||||
enc_key_t *ek;
|
||||
static krb5_data data = {0,0,NULL};
|
||||
|
@ -505,11 +516,7 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
|
|||
/* should this have a destroy context ? MIT people would know */
|
||||
if(first_time){
|
||||
first_time=0;
|
||||
ret = krb5_init_context(&context);
|
||||
if(ret){
|
||||
return NULL;
|
||||
}
|
||||
read_keytab_file(keytab_filename, &context);
|
||||
read_keytab_file(keytab_filename);
|
||||
}
|
||||
|
||||
for(ek=enc_key_list;ek;ek=ek->next){
|
||||
|
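Review bot: With the `krb5_init_context` call and its `return NULL` removed from this `first_time` block, `decrypt_krb5_data` no longer fails closed when no Kerberos context exists: `read_keytab_file` returns silently from its own init-failure branch (`ret = krb5_init_context(&krb5_ctx); if(ret){ return; }`), the file-static `krb5_ctx` keeps its zero-initialized value (a null pointer, since `krb5_context` is a pointer type in both MIT and Heimdal), and the `krb5_c_decrypt(krb5_ctx, …)` call in the next hunk then runs against it. Add `if(!krb5_ctx){ return NULL; }` after the `first_time` block, and make the silent path visible in `read_keytab_file` with `fprintf(stderr, "KERBEROS ERROR: Could not initialize krb5 context\n");` before its `return`. The Heimdal variant (the `@ -631,11 +649,7 @@` hunk, whose first use is `krb5_crypto_init(krb5_ctx, …)`) has the same gap. Note also that a keytab read at startup via `-K` and the `keytab_filename` read here both prepend to `enc_key_list`, so keys from both sources are tried; if that is intended, a one-line comment here would save the next reader the question. `decrypt_krb5_data` starts and ends outside this hunk.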
@ -533,7 +540,7 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
|
|||
key.key.enctype=ek->keytype;
|
||||
key.key.length=ek->keylength;
|
||||
key.key.contents=ek->keyvalue;
|
||||
ret = krb5_c_decrypt(context, &(key.key), usage, 0, &input, &data);
|
||||
ret = krb5_c_decrypt(krb5_ctx, &(key.key), usage, 0, &input, &data);
|
||||
if((ret == 0) && (length>0)){
|
||||
char *user_data;
|
||||
|
||||
|
@ -550,24 +557,36 @@ printf("woohoo decrypted keytype:%d in frame:%u\n", keytype, pinfo->fd->num);
|
|||
}
|
||||
|
||||
#elif defined(HAVE_HEIMDAL_KERBEROS)
|
||||
static void
|
||||
read_keytab_file(const char *filename, krb5_context *context)
|
||||
static krb5_context krb5_ctx;
|
||||
|
||||
void
|
||||
read_keytab_file(const char *filename)
|
||||
{
|
||||
krb5_keytab keytab;
|
||||
krb5_error_code ret;
|
||||
krb5_keytab_entry key;
|
||||
krb5_error_code ret;
|
||||
krb5_kt_cursor cursor;
|
||||
enc_key_t *new_key;
|
||||
static int first_time=1;
|
||||
|
||||
if(first_time){
|
||||
first_time=0;
|
||||
ret = krb5_init_context(&krb5_ctx);
|
||||
if(ret){
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
/* should use a file in the wireshark users dir */
|
||||
ret = krb5_kt_resolve(*context, filename, &keytab);
|
||||
ret = krb5_kt_resolve(krb5_ctx, filename, &keytab);
|
||||
if(ret){
|
||||
fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
ret = krb5_kt_start_seq_get(*context, keytab, &cursor);
|
||||
ret = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
|
||||
if(ret){
|
||||
fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename);
|
||||
return;
|
||||
|
@ -576,7 +595,7 @@ read_keytab_file(const char *filename, krb5_context *context)
|
|||
do{
|
||||
new_key=g_malloc(sizeof(enc_key_t));
|
||||
new_key->next=enc_key_list;
|
||||
ret = krb5_kt_next_entry(*context, keytab, &key, &cursor);
|
||||
ret = krb5_kt_next_entry(krb5_ctx, keytab, &key, &cursor);
|
||||
if(ret==0){
|
||||
unsigned int i;
|
||||
char *pos;
|
||||
|
@ -599,9 +618,9 @@ read_keytab_file(const char *filename, krb5_context *context)
|
|||
}
|
||||
}while(ret==0);
|
||||
|
||||
ret = krb5_kt_end_seq_get(*context, keytab, &cursor);
|
||||
ret = krb5_kt_end_seq_get(krb5_ctx, keytab, &cursor);
|
||||
if(ret){
|
||||
krb5_kt_close(*context, keytab);
|
||||
krb5_kt_close(krb5_ctx, keytab);
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -615,7 +634,6 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
|
|||
int keytype)
|
||||
{
|
||||
static int first_time=1;
|
||||
static krb5_context context;
|
||||
krb5_error_code ret;
|
||||
krb5_data data;
|
||||
enc_key_t *ek;
|
||||
|
@ -631,11 +649,7 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
|
|||
/* should this have a destroy context ? Heimdal people would know */
|
||||
if(first_time){
|
||||
first_time=0;
|
||||
ret = krb5_init_context(&context);
|
||||
if(ret){
|
||||
return NULL;
|
||||
}
|
||||
read_keytab_file(keytab_filename, &context);
|
||||
read_keytab_file(keytab_filename);
|
||||
}
|
||||
|
||||
for(ek=enc_key_list;ek;ek=ek->next){
|
||||
|
@ -651,7 +665,7 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
|
|||
key.keyblock.keytype=ek->keytype;
|
||||
key.keyblock.keyvalue.length=ek->keylength;
|
||||
key.keyblock.keyvalue.data=ek->keyvalue;
|
||||
ret = krb5_crypto_init(context, &(key.keyblock), 0, &crypto);
|
||||
ret = krb5_crypto_init(krb5_ctx, &(key.keyblock), 0, &crypto);
|
||||
if(ret){
|
||||
return NULL;
|
||||
}
|
||||
|
@ -664,7 +678,7 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
|
|||
*/
|
||||
cryptocopy=g_malloc(length);
|
||||
memcpy(cryptocopy, cryptotext, length);
|
||||
ret = krb5_decrypt_ivec(context, crypto, usage,
|
||||
ret = krb5_decrypt_ivec(krb5_ctx, crypto, usage,
|
||||
cryptocopy, length,
|
||||
&data,
|
||||
NULL);
|
||||
|
@ -674,13 +688,13 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
|
|||
|
||||
printf("woohoo decrypted keytype:%d in frame:%u\n", keytype, pinfo->fd->num);
|
||||
proto_tree_add_text(tree, NULL, 0, 0, "[Decrypted using: %s]", ek->key_origin);
|
||||
krb5_crypto_destroy(context, crypto);
|
||||
krb5_crypto_destroy(krb5_ctx, crypto);
|
||||
/* return a private g_malloced blob to the caller */
|
||||
user_data=g_malloc(data.length);
|
||||
memcpy(user_data, data.data, data.length);
|
||||
return user_data;
|
||||
}
|
||||
krb5_crypto_destroy(context, crypto);
|
||||
krb5_crypto_destroy(krb5_ctx, crypto);
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
|
4
file.h
4
file.h
|
@ -470,4 +470,8 @@ cf_status_t
|
|||
cf_merge_files(char **out_filename, int in_file_count,
|
||||
char *const *in_filenames, int file_type, gboolean do_append);
|
||||
|
||||
#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
|
||||
void read_keytab_file(const char *);
|
||||
#endif
|
||||
|
||||
#endif /* file.h */
|
||||
|
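Review bot: The new prototype `void read_keytab_file(const char *);` drops the parameter name and carries no comment, so a reader of file.h cannot tell what the string is or what the call does; write it as `void read_keytab_file(const char *filename);` with a one-line comment such as `/* Load the keys from the named Kerberos keytab into the decryption key list; open/read errors are reported on stderr and the call then returns without adding keys. */`. The function appears to be defined in the Kerberos dissector (the first file in this commit), while file.h is the capture-file API header, so exporting it here couples the two layers; a dissector-owned header would be the more natural home, though that is a structural preference rather than a defect. The declaration is compiled only under `HAVE_HEIMDAL_KERBEROS`/`HAVE_MIT_KERBEROS`, which matches the call sites added in the main programs.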
|
|
@ -998,6 +998,7 @@ print_usage(gboolean print_ver) {
|
|||
fprintf(output, " -P <key>:<path> persconf:path - personal configuration files\n");
|
||||
fprintf(output, " persdata:path - personal data files\n");
|
||||
fprintf(output, " -o <name>:<value> ... override preference or recent setting\n");
|
||||
fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
|
||||
#ifndef _WIN32
|
||||
fprintf(output, " --display=DISPLAY X display to use\n");
|
||||
#endif
|
||||
|
@ -1737,7 +1738,7 @@ main(int argc, char *argv[])
|
|||
char *err_str;
|
||||
#endif
|
||||
|
||||
#define OPTSTRING_INIT "a:b:c:C:Df:g:Hhi:klLm:nN:o:P:pQr:R:Ss:t:vw:X:y:z:"
|
||||
#define OPTSTRING_INIT "a:b:c:C:Df:g:Hhi:kK:lLm:nN:o:P:pQr:R:Ss:t:vw:X:y:z:"
|
||||
|
||||
#if defined HAVE_LIBPCAP && defined _WIN32
|
||||
#define OPTSTRING_WIN32 "B:"
|
||||
|
@ -2118,6 +2119,12 @@ main(int argc, char *argv[])
|
|||
#endif
|
||||
break;
|
||||
|
||||
#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
|
||||
case 'K': /* Kerberos keytab file */
|
||||
read_keytab_file(optarg);
|
||||
break;
|
||||
#endif
|
||||
|
||||
/*** all non capture option specific ***/
|
||||
case 'C':
|
||||
/* Configuration profile settings were already processed just ignore them this time*/
|
||||
|
|
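Review bot: `K:` is added to `OPTSTRING_INIT` unconditionally and the `-K <keytab>` usage line is printed unconditionally, but the `case 'K':` is compiled only under `#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)`; in a build without Kerberos, getopt still accepts `-K` and the value falls through to whatever the switch does for unhandled letters (not visible in this hunk), while the help text advertises an option that does nothing. Either place the usage line and the `K:` under the same conditional, or give the `case 'K':` an `#else` branch that reports the option as unsupported in this build and exits, so the behaviour is explicit rather than left to the default path. tshark.c in this commit has the same mismatch in its `print_usage` and `OPTSTRING_INIT` hunks. It is also worth confirming that keys added to `enc_key_list` this early survive the dissector's own initialization when a capture is opened, since that ordering is not visible here. The `main` function containing the switch starts and ends outside this hunk.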
8
tshark.c
8
tshark.c
|
@ -310,6 +310,7 @@ print_usage(gboolean print_ver)
|
|||
fprintf(output, " -h display this help and exit\n");
|
||||
fprintf(output, " -v display version info and exit\n");
|
||||
fprintf(output, " -o <name>:<value> ... override preference setting\n");
|
||||
fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -751,7 +752,7 @@ main(int argc, char *argv[])
|
|||
GLogLevelFlags log_flags;
|
||||
int optind_initial;
|
||||
|
||||
#define OPTSTRING_INIT "a:b:c:C:d:De:E:f:F:G:hi:lLnN:o:pqr:R:s:St:T:vVw:xX:y:z:"
|
||||
#define OPTSTRING_INIT "a:b:c:C:d:De:E:f:F:G:hi:K:lLnN:o:pqr:R:s:St:T:vVw:xX:y:z:"
|
||||
#ifdef HAVE_LIBPCAP
|
||||
#ifdef _WIN32
|
||||
#define OPTSTRING_WIN32 "B:"
|
||||
|
@ -999,6 +1000,11 @@ main(int argc, char *argv[])
|
|||
if (!add_decode_as(optarg))
|
||||
exit(1);
|
||||
break;
|
||||
#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
|
||||
case 'K': /* Kerberos keytab file */
|
||||
read_keytab_file(optarg);
|
||||
break;
|
||||
#endif
|
||||
case 'D': /* Print a list of capture devices and exit */
|
||||
#ifdef HAVE_LIBPCAP
|
||||
status = capture_opts_list_interfaces(FALSE);
|
||||
|
|
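Review bot: The `case 'K':` handler calls `read_keytab_file(optarg)` during option parsing, and the MIT variant of that function (first file in this commit) still starts with `printf("read keytab file %s\n", filename);`; in tshark stdout carries the dissection output, so that line now lands in the data stream whenever `-K` is used, which breaks anyone piping tshark output into another tool. That message should move to stderr (the keytab-open errors in the same function already go there) or be dropped, and the handler itself is then fine. The `main` switch starts and ends outside this hunk.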