
379 Commits

Author SHA1 Message Date
Guy Harris 8195bdd340 Rename a bunch of things with "conversation".
A conversation in Wireshark might have two endpoints or might have no
endpoints; few if any have one endpoint.  Distinguish between
conversations and endpoints.
2022-08-25 20:02:20 -07:00
Stefan Metzmacher 782671a99a Kerberos: handle etype == 0 in dissect_krb5_decrypt_CRED_data()
Within the cKSUMTYPE-GSSAPI (0x8003) BLOB we should not try to decrypt
CRED data if etype 0 is used.

This is used by a Heimdal client as the authenticator is already
encrypted. Windows encrypts it again using the same key that was
used to encrypt the authenticator.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-02-07 13:48:50 +00:00
Stefan Metzmacher b3716be761 Kerberos: Cope with FAST ordering in TGS-REQ PA-DATA
Windows clients use pA-TGS-REQ before pA-FX-FAST, which means
we have the subkey from the pA-TGS-REQ
AP-REQ/Authenticator before we try to decrypt the
pA-FX-FAST/enc-fast-req.

But a Heimdal client sends pA-FX-FAST before pA-TGS-REQ.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-02-07 13:48:50 +00:00
Stefan Metzmacher ac71f9418a Kerberos: add support for new PAC buffers
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-02-07 13:48:50 +00:00
Stefan Metzmacher 2235d5fd2c packet-kerberos: kerberos.patimestamp use FT_ABSOLUTE_TIME/ABSOLUTE_TIME_LOCAL
This was done for all generated values in commit:

commit 7e99bbf32b
Author:     John Thacker <johnthacker@gmail.com>
AuthorDate: Tue Nov 23 21:36:02 2021 -0500
Commit:     John Thacker <johnthacker@gmail.com>
CommitDate: Thu Dec 2 20:40:22 2021 -0500

    BER: Make GeneralizedTime a FT_ABSOLUTE_TIME

    ...

But we need to also do it for manual stuff.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-01-25 11:14:01 +00:00
João Valverde b054f9aee6 ASN1: Convert I/O from GLib to stdio.h 2021-12-17 19:34:54 +00:00
John Thacker 7e99bbf32b BER: Make GeneralizedTime a FT_ABSOLUTE_TIME
Since we now support ISO 8601 Basic format, have asn2wrs.py
convert GeneralizedTime fields in BER to FT_ABSOLUTE_TIMEs and use
the new common code to convert them. This means that the fields
can be compared with other time fields in filters, etc.
2021-12-02 20:40:22 -05:00
Evan Huus 0eda51a646 to_str: scope tvb_ip6_to_str 2021-10-07 13:31:23 -04:00
Evan Huus 07f5472aa7 to_str: scope tvb_ip_to_str 2021-10-07 10:25:12 -04:00
Dario Lombardo 8bcd077eb0 kerberos: add missing parameter. 2021-08-21 22:52:35 +02:00
Evan Huus eda26f9e5f wmem: convert more asn1 dissectors to pinfo->pool
We prefer pinfo->pool over the global wmem_packet_scope() now. Convert a
few more asn1 dissectors. After this commit, just three asn1 dissectors
remain.
2021-08-19 15:07:44 +00:00
Evan Huus e69446aa55 asn1: convert most dissectors to pinfo->pool
Part 1/2 as the commits were too big for CI.

Largely find/replace, with a few manual tweaks. Then regenerate the asn1
dissector sources and make sure everything still builds. There are a
handful of cases I skipped as too complex, but this covers most of the
asn1 dissectors.
2021-07-26 15:30:11 +00:00
Stefan Metzmacher 94ac641efa packet-kerberos: implement PAC Ticket checksum verification
We use some private functions from MIT kerberos:
- krb5_free_enc_tkt_part()
- decode_krb5_enc_tkt_part()
- encode_krb5_enc_tkt_part()
but we already do that for krb5int_c_mandatory_cksumtype(),
which is newer than the above functions.

We use all of them only under HAVE_KRB5_PAC_VERIFY,
so we don't seem to need additional configure tests.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2021-07-15 04:52:30 +00:00
Stefan Metzmacher 8cd877fc4d packet-kerberos: always get the true length from decrypt_krb5_data_asn1()
Otherwise the child_tvb blobs may contain too much data.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2021-07-15 04:52:30 +00:00
Isaac Boukris 5f8a932338 kerberos: fix compilation without kerberos
regressed_by: 38810b76

Reported-By: @crondaemon <Dario Lombardo>.
2021-07-02 10:32:18 +00:00
Isaac Boukris 80c57b3d0b Kerberos: add basic dissection of PAC_TICKET_CHECKSUM
per recent MS-PAC update.
2021-07-02 08:18:57 +00:00
Isaac Boukris d833f5c061 krb5: use all_keys to verify PAC server signature to allow U2U
As a U2U ticket can't always be distinguished from a normal ticket,
e.g. in TGS-REP. Revert the old fix which didn't work for that case.
2021-07-01 14:25:02 +00:00
Isaac Boukris 38810b763b credssp: fully dissect TSRemoteGuardCreds struct 2021-07-01 06:46:55 +00:00
Martin Gallo 85df6d0273 Kerberos: Add support for MS-KILE Key List Request messages
This adds the MS-KILE pre-authentication data types KERB-KEY-LIST-REQ [161] and KERB-KEY-LIST-REP [162] as per the latest Microsoft Open Specifications.
Keys obtained from KERB-KEY-LIST-REP are learnt and saved for further use in other packets.

References:
- [MS-KILE] 2.2.11 KERB-KEY-LIST-REQ https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/a8198db9-b537-4256-b903-80a716540398
- [MS-KILE] 2.2.12 KERB-KEY-LIST-REP https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/38a494fc-2885-47eb-b008-3a1b574f3614
- [MS-KILE] 3.3.5.7.8 Key List Request https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/732211ae-4891-40d3-b2b6-85ebd6f5ffff
2021-06-15 14:51:07 +00:00
Pascal Quantin c0f8812c31 Kerberos: fix compilation without HAVE_KERBEROS flag
Closes #17439
2021-06-11 09:38:02 +02:00
yuanjungong e0d420ac48 Fix a resource leak by closing skf before return 2021-06-09 17:26:24 +00:00
Isaac Boukris 07bc6e4399 krb5: fix PAC server signature verification in U2U 2021-06-08 17:36:44 +00:00
Isaac Boukris f94f22b7f8 krb5: add TGT-REQ/TGT-REP dissection per the U2U RFC draft
https://datatracker.ietf.org/doc/html/draft-swift-win2k-krb-user2user-03
2021-06-08 17:36:44 +00:00
Dario Lombardo ea929d6401 wsutils: add local implementation of g_memdup2.
g_memdup() was deprecated and replaced with g_memdup2() in GLib 2.68,
we provide our own copy of g_memdup2() for older GLib versions.
2021-03-25 09:38:10 +00:00
Robert Crowston 2c44097e66 Kerberos: add support for decoding SPAKE exchanges
SPAKE preauthentication has been present in MIT Kerberos since 2014.
SPAKE is now in the final stages of write-up as an RFC (latest draft is
here:
https://tools.ietf.org/id/draft-ietf-kitten-krb-spake-preauth-09.txt.)
2021-01-01 20:17:35 +00:00
Anders Broman 3bf1f18e48 Fix duplicated filters 2020-12-17 17:31:26 +00:00
Martin Mathieson df651aca91 Spelling improvements
Improve script by ignoring common contractions, dealing with
e.g. \n within strings, and finding multiple concatenated words even
when no camelCase is used.

Also includes some actual spelling fixes.
2020-11-22 11:30:24 +00:00
Martin Mathieson 191e1f62d5 Kerberos: make tfs change in template rather than directly.
This fixes the change from https://code.wireshark.org/review/#/c/38087/

Change-Id: I43b3cb64bfd2f7398873804f1d4dd8821b050ef1
Reviewed-on: https://code.wireshark.org/review/38089
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-08-08 09:54:09 +00:00
Martin Mathieson 1dd8bb2811 Find and fix dissectors that should be using a default tfs.
Found using tools/check_tfs.py, included in this commit.
Here are the reports that were fixed here:

Examining:
All dissector modules

epan/dissectors/packet-assa_r3.c tfs_mortisepins_flags - could have used tfs_high_low from tfs.c instead:  {High,Low}
epan/dissectors/packet-btle.c tfs_present_bit - could have used tfs_present_not_present from tfs.c instead:  {Present,Not Present}
epan/dissectors/packet-dhcp.c tfs_fqdn_s - could have used tfs_server_client from tfs.c instead:  {Server,Client}
epan/dissectors/packet-docsis-macmgmt.c mdd_tfs_on_off - could have used tfs_on_off from tfs.c instead:  {On,Off}
epan/dissectors/packet-docsis-macmgmt.c mdd_tfs_en_dis - could have used tfs_enabled_disabled from tfs.c instead:  {Enabled,Disabled}
epan/dissectors/packet-docsis-macmgmt.c req_not_req_tfs - could have used tfs_requested_not_requested from tfs.c instead:  {Requested,Not Requested}
epan/dissectors/packet-docsis-tlv.c on_off_tfs - could have used tfs_on_off from tfs.c instead:  {On,Off}
epan/dissectors/packet-docsis-tlv.c activation_tfs - could have used tfs_active_inactive from tfs.c instead:  {Active,Inactive}
epan/dissectors/packet-docsis.c ena_dis_tfs - could have used tfs_enabled_disabled from tfs.c instead:  {Enabled,Disabled}
epan/dissectors/packet-ecmp.c tfs_not_expected_expected - could have used tfs_odd_even from tfs.c instead:  {Odd,Even}
epan/dissectors/packet-erf.c erf_link_status_tfs - could have used tfs_up_down from tfs.c instead:  {Up,Down}
epan/dissectors/packet-h263.c on_off_flg - could have used tfs_on_off from tfs.c instead:  {On,Off}
epan/dissectors/packet-h263.c cpm_flg - could have used tfs_on_off from tfs.c instead:  {On,Off}
epan/dissectors/packet-interlink.c flags_set_notset - could have used tfs_set_notset from tfs.c instead:  {Set,Not set}
epan/dissectors/packet-ip.c tos_set_low - could have used tfs_low_normal from tfs.c instead:  {Low,Normal}
epan/dissectors/packet-ip.c tos_set_high - could have used tfs_high_normal from tfs.c instead:  {High,Normal}
epan/dissectors/packet-isakmp.c flag_r - could have used tfs_response_request from tfs.c instead:  {Response,Request}
epan/dissectors/packet-isis-lsp.c tfs_metric_supported_not_supported - could have used tfs_no_yes from tfs.c instead:  {No,Yes}
epan/dissectors/packet-kerberos.c supported_tfs - could have used tfs_supported_not_supported from tfs.c instead:  {Supported,Not supported}
epan/dissectors/packet-kerberos.c set_tfs - could have used tfs_set_notset from tfs.c instead:  {Set,Not set}
epan/dissectors/packet-mac-lte.c mac_lte_scell_status_vals - could have used tfs_activated_deactivated from tfs.c instead:  {Activated,Deactivated}
epan/dissectors/packet-p_mul.c no_yes - could have used tfs_no_yes from tfs.c instead:  {No,Yes}
epan/dissectors/packet-pgm.c opts_present - could have used tfs_present_not_present from tfs.c instead:  {Present,Not Present}
epan/dissectors/packet-rsl.c rsl_ms_fpc_epc_mode_vals - could have used tfs_inuse_not_inuse from tfs.c instead:  {In use,Not in use}
epan/dissectors/packet-sita.c tfs_sita_on_off - could have used tfs_on_off from tfs.c instead:  {On,Off}
epan/dissectors/packet-vines.c tfs_vine_rtp_no_yes - could have used tfs_no_yes from tfs.c instead:  {No,Yes}
epan/dissectors/packet-vnc.c button_mask_tfs - could have used tfs_pressed_not_pressed from tfs.c instead:  {Pressed,Not pressed}
27 issues found
Change-Id: I7e53b491f20289955c9e9caa8357197d9010a5aa
Reviewed-on: https://code.wireshark.org/review/38087
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-08-07 21:27:26 +00:00
Guy Harris e1d9a226a2 Fix the type of arrays of pointers to hf_ values for bitfield routines.
The static arrays are supposed to be arrays of const pointers to int,
not arrays of non-const pointers to const int.

Fixing that means some bugs (scribbling on what's *supposed* to be a
const array) will be caught (see packet-ieee80211-radiotap.c for
examples, the first of which inspired this change and the second of
which was discovered while testing compiles with this change), and
removes the need for some annoying casts.

Also make some of those arrays static while we're at it.

Update documentation and dissector-generator tools.

Change-Id: I789da5fc60aadc15797cefecfd9a9fbe9a130ccc
Reviewed-on: https://code.wireshark.org/review/37517
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-06-19 11:32:26 +00:00
Dario Lombardo 4ae362383f kerberos: move krb5.h include upwards.
FreeBSD defines constants such as KRB5_KU_USAGE_ACCEPTOR_SEAL
as part of the krb5_key_usage struct. Having such defines
causes a clash that breaks the compilation. The struct needs to be
included first.

Error:

In file included from ./asn1/kerberos/packet-kerberos-template.c:413:
/usr/include/krb5.h:255:5: error: expected identifier
    KRB5_KU_USAGE_ACCEPTOR_SEAL = 22,
    ^
./asn1/kerberos/packet-kerberos-template.h:22:41: note: expanded from macro 'KRB5_KU_USAGE_ACCEPTOR_SEAL'
 #define KRB5_KU_USAGE_ACCEPTOR_SEAL     22
                                        ^

Change-Id: Ic241f2b6a2c01e7bd6c84d05e509f12e738ab2ac
Reviewed-on: https://code.wireshark.org/review/37358
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
2020-06-04 08:50:11 +00:00
Dario Lombardo 16ef9b6735 kerberos: fix compilation on FreeBSD.
FreeBSD shows a combination of define cases that make the function
missing_encryption_key unused. Put it in the right define scope.

Change-Id: Icf226f134ffa7624a7daf709c302c29acfffe95e
Reviewed-on: https://code.wireshark.org/review/37360
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-06-02 21:57:22 +00:00
Guy Harris f4e977ebac kerberos: add some comments to #else/#endif.
You are in a twisty little maze of #ifdefs, all different.

Change-Id: I4c82efe27e840919c7bf19a035abe90cd84e0fbd
Reviewed-on: https://code.wireshark.org/review/37367
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-06-02 20:57:48 +00:00
Dario Lombardo 21dc133147 kerberos: set some parameters unused.
Change-Id: If813820ff96a73f68244bf195767c7dbc8df496f
Reviewed-on: https://code.wireshark.org/review/37359
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-06-02 19:56:41 +00:00
Dario Lombardo fc35d51089 Fix compilation without kerberos.
Error:
./asn1/kerberos/packet-kerberos-template.c:109:2: error: unknown type name ‘enc_key_t’
./asn1/kerberos/kerberos.cnf: In function ‘dissect_kerberos_EncryptionKey’:
./asn1/kerberos/kerberos.cnf:386:7: error: unused variable ‘start_offset’ [-Werror=unused-variable]
./asn1/kerberos/kerberos.cnf: In function ‘dissect_kerberos_T_authenticator_subkey’:
./asn1/kerberos/kerberos.cnf:406:42: error: ‘save_Authenticator_subkey’ undeclared (first use in this function); did you mean ‘hf_kerberos_authenticator_subkey’?
./asn1/kerberos/kerberos.cnf:406:42: note: each undeclared identifier is reported only once for each function it appears in
./asn1/kerberos/kerberos.cnf: In function ‘dissect_kerberos_T_encTicketPart_key’:
./asn1/kerberos/kerberos.cnf:445:42: error: ‘save_EncTicketPart_key’ undeclared (first use in this function); did you mean ‘hf_kerberos_encTicketPart_key’?
./asn1/kerberos/kerberos.cnf: In function ‘dissect_kerberos_T_encKDCRepPart_key’:
./asn1/kerberos/kerberos.cnf:435:42: error: ‘save_EncKDCRepPart_key’ undeclared (first use in this function); did you mean ‘hf_kerberos_encKDCRepPart_key’?
./asn1/kerberos/kerberos.cnf: In function ‘dissect_kerberos_T_encAPRepPart_subkey’:
./asn1/kerberos/kerberos.cnf:416:42: error: ‘save_EncAPRepPart_subkey’ undeclared (first use in this function); did you mean ‘hf_kerberos_encAPRepPart_subkey’?
./asn1/kerberos/kerberos.cnf: In function ‘dissect_kerberos_T_krbCredInfo_key’:
./asn1/kerberos/kerberos.cnf:455:42: error: ‘save_KrbCredInfo_key’ undeclared (first use in this function); did you mean ‘hf_kerberos_krbCredInfo_key’?
cc1: all warnings being treated as errors

Change-Id: Ib9e38c3d745dd8a12ac8e4691918770a8b876727
Reviewed-on: https://code.wireshark.org/review/37313
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-27 19:12:03 +00:00
Stefan Metzmacher f5858299a9 packet-kerberos: maintain EncAPRepPart_subkey in a kerberos_app_session_keys map
This improves the performance a lot if you have a keytab with a lot of
entries (e.g. for a whole domain).

GSSKRB5 decryption should only try the subkey of the AP-Rep.

We could further optimize this and remember the key
on the conversation after the first success, but
that's for another day.

Change-Id: I405e41e7d90073d569fcbeec4b4188453a251000
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37323
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-27 12:07:51 +00:00
Guy Harris 53a24787b8 kerberos: fix build without krb5_c_fx_cf2_simple().
Have completely separate definitions of krb5_fast_key(); the one used if
we don't have krb5_c_fx_cf2_simple() declares *all* parameters as
unused, as it's a stub routine.

Change-Id: I828c8d8f60634fcf537c2822f1a1c5db33ea2798
Reviewed-on: https://code.wireshark.org/review/37321
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-27 06:56:57 +00:00
Stefan Metzmacher daf8b802d8 packet-kerberos: avoid guessing the KDC_REP keyusage where possible
We already know about the top level message type.

So we only need an autodetection for the TGS-REP.
We could also avoid that, but that would need state to
match TGS-REQ with TGS-REP.

But if the client used FAST and we got a strengthen_key,
we're sure an authenticator subkey was used.

Windows doesn't use an authenticator subkey without FAST,
but Heimdal does.

For now try 8 before 9 in order to avoid overhead and false
positives for the 'kerberos.missing_keytype' filter in pure
windows captures.

Change-Id: If974dda735cd2aa5b1920c26309e5e2081723e4f
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37299
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-26 13:58:45 +00:00
Stefan Metzmacher fd9ed550c3 packet-kerberos: avoid guessing the authorization_data keyusage
Change-Id: I28bdf176818401c1e4e6ef15cf808e502fcf4989
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37300
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-26 12:38:16 +00:00
Stefan Metzmacher d89565e0c0 packet-kerberos: avoid guessing the authenticator key usage
We already know a few details in order to avoid the autodetection.

This avoids overhead and false positives for the
'kerberos.missing_keytype' filter.

Change-Id: I8a15fa41d2a56df3fb26de046a401bf43a876b79
Reviewed-on: https://code.wireshark.org/review/37298
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-26 12:20:10 +00:00
Stefan Metzmacher fa60a8c5f5 packet-kerberos: provide details about missing keys
It's useful to see which decryption keys are missing!
The "kerberos.missing_keytype" filter can be used to find all of them.

It's also useful to see which key_map was in use
and how many decryption attempts were tried.

This should also allow future optimizations in
order to avoid decryption attempts based on the usage
and more detailed key maps.

Change-Id: Ie0302454e29a65aa00ddac79839aac8ec63fa290
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37297
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-26 12:10:30 +00:00
Stefan Metzmacher 738e73a50e packet-kerberos: add support for decrypting KRB5 FAST messages
Currently this is only available for MIT Kerberos, but it
should be possible to implement the same using
krb5_crypto_fx_cf2() from Heimdal.

Change-Id: Ic3327dfde770f9345485bf97e2ac6045b909b64e
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/36472
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-26 11:42:42 +00:00
Stefan Metzmacher d2ad1a42d6 packet-kerberos: show learnt and used decryption keys on the top level tree
This gives a useful overview.

Change-Id: I39aaa8cf5de6fa3788c674355675873f2212b78f
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37292
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-26 09:26:16 +00:00
Stefan Metzmacher 94f0842f8b packet-kerberos: split out kerberos_new_private_data()
This way we can avoid zero_private on the stack.

Change-Id: Iea7ed7e1cd6d0616b0e72aeff489549efd13e4f4
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37291
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-26 09:25:29 +00:00
Stefan Metzmacher 975e8531a7 packet-kerberos: improve displaying used decryption keys
Change-Id: Ia2d8a0aa34ad1503477c0b8f3aa382a666067e24
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37290
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-26 09:24:20 +00:00
Stefan Metzmacher b95a1b652f packet-kerberos: display details of learnt keys
That makes it easier to match them.

Change-Id: I29b9d69415d82a1ea7df275a89a413c2fd460b1f
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37289
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-26 09:23:48 +00:00
Stefan Metzmacher 8edf1cf549 packet-kerberos: let decrypt_krb5_with_cb() use kerberos_all_keys
For now we use kerberos_all_keys, but in future we may select the
map based on passed usage.

Change-Id: I1f29e97aa60a41be3694b75bc4353b3a5dae0eae
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37288
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-26 09:16:45 +00:00
Stefan Metzmacher 3a289703ef packet-kerberos: maintain a kerberos_all_keys map
This will be used temporarily in order to replace
enc_key_list until we maintain/use separate lists.

Note that this will use wmem_file_scope(), but it
will get the longterm keys filled in when needed.

In the long run, we'll use more detailed lists
and use optimizations depending on the key usage.

Change-Id: If654dcfbc9ec8742eadbbb82b97a23fe8403022d
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37287
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-26 08:55:14 +00:00
Stefan Metzmacher 0b7dd5720d packet-kerberos: let verify_krb5_pac() use kerberos_longterm_keys
Here it's enough to try longterm keys from the keytab.

Change-Id: I4d98fd7aa456c5cf2ca175cdcefc0ad1a4a8be2d
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37286
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-26 08:28:46 +00:00
Stefan Metzmacher 4caaba64b2 packet-kerberos: maintain a kerberos_longterm_keys map
This will replace enc_key_list in the long run,
but will hold only keytab entries, as that's what
the consumers outside of packet-kerberos.c are using.

Change-Id: Iba0436a0c1754232f0363cb1e9a905ac7c22986f
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37285
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-05-26 08:28:29 +00:00