diff options
Diffstat (limited to '')
-rw-r--r-- | print-krb.c | 259 |
1 files changed, 259 insertions, 0 deletions
diff --git a/print-krb.c b/print-krb.c new file mode 100644 index 0000000..959b555 --- /dev/null +++ b/print-krb.c @@ -0,0 +1,259 @@ +/* + * Copyright (c) 1995, 1996, 1997 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that: (1) source code distributions + * retain the above copyright notice and this paragraph in its entirety, (2) + * distributions including binary code include the above copyright notice and + * this paragraph in its entirety in the documentation or other materials + * provided with the distribution, and (3) all advertising materials mentioning + * features or use of this software display the following acknowledgement: + * ``This product includes software developed by the University of California, + * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of + * the University nor the names of its contributors may be used to endorse + * or promote products derived from this software without specific prior + * written permission. + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. + * + * Initial contribution from John Hawkinson (jhawk@mit.edu). + */ + +/* \summary: Kerberos printer */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "netdissect-stdinc.h" + +#include "netdissect.h" +#include "extract.h" + +/* + * Kerberos 4: + * + * Athena Technical Plan + * Section E.2.1 + * Kerberos Authentication and Authorization System + * by S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer + * + * https://web.mit.edu/Saltzer/www/publications/athenaplan/e.2.1.pdf + * + * 7. Appendix I Design Specifications + * + * Kerberos 5: + * + * RFC 1510, RFC 2630, etc. + */ + + +static const u_char *c_print(netdissect_options *, const u_char *, const u_char *); +static const u_char *krb4_print_hdr(netdissect_options *, const u_char *); +static void krb4_print(netdissect_options *, const u_char *); + +#define AUTH_MSG_KDC_REQUEST 1<<1 +#define AUTH_MSG_KDC_REPLY 2<<1 +#define AUTH_MSG_APPL_REQUEST 3<<1 +#define AUTH_MSG_APPL_REQUEST_MUTUAL 4<<1 +#define AUTH_MSG_ERR_REPLY 5<<1 +#define AUTH_MSG_PRIVATE 6<<1 +#define AUTH_MSG_SAFE 7<<1 +#define AUTH_MSG_APPL_ERR 8<<1 +#define AUTH_MSG_DIE 63<<1 + +#define KERB_ERR_OK 0 +#define KERB_ERR_NAME_EXP 1 +#define KERB_ERR_SERVICE_EXP 2 +#define KERB_ERR_AUTH_EXP 3 +#define KERB_ERR_PKT_VER 4 +#define KERB_ERR_NAME_MAST_KEY_VER 5 +#define KERB_ERR_SERV_MAST_KEY_VER 6 +#define KERB_ERR_BYTE_ORDER 7 +#define KERB_ERR_PRINCIPAL_UNKNOWN 8 +#define KERB_ERR_PRINCIPAL_NOT_UNIQUE 9 +#define KERB_ERR_NULL_KEY 10 + +struct krb { + nd_uint8_t pvno; /* Protocol Version */ + nd_uint8_t type; /* Type+B */ +}; + +static const struct tok type2str[] = { + { AUTH_MSG_KDC_REQUEST, "KDC_REQUEST" }, + { AUTH_MSG_KDC_REPLY, "KDC_REPLY" }, + { AUTH_MSG_APPL_REQUEST, "APPL_REQUEST" }, + { AUTH_MSG_APPL_REQUEST_MUTUAL, "APPL_REQUEST_MUTUAL" }, + { AUTH_MSG_ERR_REPLY, "ERR_REPLY" }, + { AUTH_MSG_PRIVATE, "PRIVATE" }, + { AUTH_MSG_SAFE, "SAFE" }, + { AUTH_MSG_APPL_ERR, "APPL_ERR" }, + { AUTH_MSG_DIE, "DIE" }, + { 0, NULL } +}; + +static const struct tok kerr2str[] = { + { KERB_ERR_OK, "OK" }, + { KERB_ERR_NAME_EXP, "NAME_EXP" }, + { KERB_ERR_SERVICE_EXP, "SERVICE_EXP" }, + { KERB_ERR_AUTH_EXP, "AUTH_EXP" }, + { KERB_ERR_PKT_VER, "PKT_VER" }, + { KERB_ERR_NAME_MAST_KEY_VER, "NAME_MAST_KEY_VER" }, + { KERB_ERR_SERV_MAST_KEY_VER, "SERV_MAST_KEY_VER" }, + { KERB_ERR_BYTE_ORDER, "BYTE_ORDER" }, + { KERB_ERR_PRINCIPAL_UNKNOWN, "PRINCIPAL_UNKNOWN" }, + { KERB_ERR_PRINCIPAL_NOT_UNIQUE,"PRINCIPAL_NOT_UNIQUE" }, + { KERB_ERR_NULL_KEY, "NULL_KEY"}, + { 0, NULL} +}; + +static const u_char * +c_print(netdissect_options *ndo, + const u_char *s, const u_char *ep) +{ + u_char c; + int flag; + + flag = 1; + while (s < ep) { + c = GET_U_1(s); + s++; + if (c == '\0') { + flag = 0; + break; + } + fn_print_char(ndo, c); + } + if (flag) + return NULL; + return (s); +} + +static const u_char * +krb4_print_hdr(netdissect_options *ndo, + const u_char *cp) +{ + cp += 2; + +#define PRINT if ((cp = c_print(ndo, cp, ndo->ndo_snapend)) == NULL) goto trunc + + PRINT; + ND_PRINT("."); + PRINT; + ND_PRINT("@"); + PRINT; + return (cp); + +trunc: + nd_print_trunc(ndo); + return (NULL); + +#undef PRINT +} + +static void +krb4_print(netdissect_options *ndo, + const u_char *cp) +{ + const struct krb *kp; + u_char type; + u_short len; + +#define PRINT if ((cp = c_print(ndo, cp, ndo->ndo_snapend)) == NULL) goto trunc +/* True if struct krb is little endian */ +#define IS_LENDIAN(kp) ((GET_U_1((kp)->type) & 0x01) != 0) +#define KTOHSP(kp, cp) (IS_LENDIAN(kp) ? GET_LE_U_2(cp) : GET_BE_U_2(cp)) + + kp = (const struct krb *)cp; + + type = GET_U_1(kp->type) & (0xFF << 1); + + ND_PRINT(" %s %s: ", + IS_LENDIAN(kp) ? "le" : "be", tok2str(type2str, NULL, type)); + + switch (type) { + + case AUTH_MSG_KDC_REQUEST: + if ((cp = krb4_print_hdr(ndo, cp)) == NULL) + return; + cp += 4; /* ctime */ + ND_PRINT(" %umin ", GET_U_1(cp) * 5); + cp++; + PRINT; + ND_PRINT("."); + PRINT; + break; + + case AUTH_MSG_APPL_REQUEST: + cp += 2; + ND_PRINT("v%u ", GET_U_1(cp)); + cp++; + PRINT; + ND_PRINT(" (%u)", GET_U_1(cp)); + cp++; + ND_PRINT(" (%u)", GET_U_1(cp)); + break; + + case AUTH_MSG_KDC_REPLY: + if ((cp = krb4_print_hdr(ndo, cp)) == NULL) + return; + cp += 10; /* timestamp + n + exp + kvno */ + len = KTOHSP(kp, cp); + ND_PRINT(" (%u)", len); + break; + + case AUTH_MSG_ERR_REPLY: + if ((cp = krb4_print_hdr(ndo, cp)) == NULL) + return; + cp += 4; /* timestamp */ + ND_PRINT(" %s ", tok2str(kerr2str, NULL, KTOHSP(kp, cp))); + cp += 4; + PRINT; + break; + + default: + ND_PRINT("(unknown)"); + break; + } + + return; +trunc: + nd_print_trunc(ndo); +} + +void +krb_print(netdissect_options *ndo, + const u_char *dat) +{ + const struct krb *kp; + + ndo->ndo_protocol = "krb"; + kp = (const struct krb *)dat; + + if (dat >= ndo->ndo_snapend) { + nd_print_trunc(ndo); + return; + } + + switch (GET_U_1(kp->pvno)) { + + case 1: + case 2: + case 3: + ND_PRINT(" v%u", GET_U_1(kp->pvno)); + break; + + case 4: + ND_PRINT(" v%u", GET_U_1(kp->pvno)); + krb4_print(ndo, (const u_char *)kp); + break; + + case 106: + case 107: + ND_PRINT(" v5"); + /* Decode ASN.1 here "someday" */ + break; + } +} |