packet-kerberos: avoid guessing the authorization_data keyusage

Change-Id: I28bdf176818401c1e4e6ef15cf808e502fcf4989 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-on: https://code.wireshark.org/review/37300 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-24 16:36:29 +02:00 · 2020-05-24 16:36:29 +02:00 · fd9ed550c3
parent d89565e0c0
commit fd9ed550c3
2 changed files with 21 additions and 9 deletions
--- a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
+++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
@ -2745,6 +2745,7 @@ static int
 dissect_krb5_decrypt_authorization_data(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
 					proto_tree *tree, int hf_index _U_)
 {
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 	guint8 *plaintext;
 	int length;
 	tvbuff_t *next_tvb;
@ -2757,10 +2758,15 @@ dissect_krb5_decrypt_authorization_data(gboolean imp_tag _U_, tvbuff_t *tvb, int
 	 * Authenticators are encrypted with usage
 	 * == 5 or
 	 * == 4
+	 *
+	 * 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with
+	 *    the TGS session key (section 5.4.1)
+	 * 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with
+	 *    the TGS authenticator subkey (section 5.4.1)
 	 */
-	plaintext=decrypt_krb5_data_asn1(tree, actx, 5, next_tvb, NULL);
-
-	if(!plaintext){
+	if (private_data->PA_TGS_REQ_subkey != NULL) {
+		plaintext=decrypt_krb5_data_asn1(tree, actx, 5, next_tvb, NULL);
+	} else {
 		plaintext=decrypt_krb5_data_asn1(tree, actx, 4, next_tvb, NULL);
 	}

--- a/epan/dissectors/packet-kerberos.c
+++ b/epan/dissectors/packet-kerberos.c
@ -3186,6 +3186,7 @@ static int
 dissect_krb5_decrypt_authorization_data(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
 					proto_tree *tree, int hf_index _U_)
 {
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 	guint8 *plaintext;
 	int length;
 	tvbuff_t *next_tvb;
@ -3198,10 +3199,15 @@ dissect_krb5_decrypt_authorization_data(gboolean imp_tag _U_, tvbuff_t *tvb, int
 	 * Authenticators are encrypted with usage
 	 * == 5 or
 	 * == 4
+	 *
+	 * 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with
+	 *    the TGS session key (section 5.4.1)
+	 * 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with
+	 *    the TGS authenticator subkey (section 5.4.1)
 	 */
-	plaintext=decrypt_krb5_data_asn1(tree, actx, 5, next_tvb, NULL);
-
-	if(!plaintext){
+	if (private_data->PA_TGS_REQ_subkey != NULL) {
+		plaintext=decrypt_krb5_data_asn1(tree, actx, 5, next_tvb, NULL);
+	} else {
 		plaintext=decrypt_krb5_data_asn1(tree, actx, 4, next_tvb, NULL);
 	}

@ -7024,7 +7030,7 @@ dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_


 /*--- End of included file: packet-kerberos-fn.c ---*/
-#line 3708 "./asn1/kerberos/packet-kerberos-template.c"
+#line 3714 "./asn1/kerberos/packet-kerberos-template.c"

 #ifdef HAVE_KERBEROS
 static const ber_sequence_t PA_ENC_TS_ENC_sequence[] = {
@ -8542,7 +8548,7 @@ void proto_register_kerberos(void) {
        NULL, HFILL }},

 /*--- End of included file: packet-kerberos-hfarr.c ---*/
-#line 4293 "./asn1/kerberos/packet-kerberos-template.c"
+#line 4299 "./asn1/kerberos/packet-kerberos-template.c"
 	};

 	/* List of subtrees */
@ -8646,7 +8652,7 @@ void proto_register_kerberos(void) {
    &ett_kerberos_EncryptedChallenge,

 /*--- End of included file: packet-kerberos-ettarr.c ---*/
-#line 4316 "./asn1/kerberos/packet-kerberos-template.c"
+#line 4322 "./asn1/kerberos/packet-kerberos-template.c"
 	};

 	static ei_register_info ei[] = {