Adding upstream version 4.2.2.upstream/4.2.2

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

5 files changed, 374 insertions, 0 deletions

diff --git a/epan/dissectors/asn1/pkinit/CMakeLists.txt b/epan/dissectors/asn1/pkinit/CMakeLists.txt
new file mode 100644
index 00000000..50209cb2
--- /dev/null
+++ b/epan/dissectors/asn1/pkinit/CMakeLists.txt
@@ -0,0 +1,39 @@
+# CMakeLists.txt
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+
+set( PROTOCOL_NAME pkinit )
+
+set( PROTO_OPT )
+
+set( EXT_ASN_FILE_LIST
+)
+
+set( ASN_FILE_LIST
+	PKINIT.asn
+)
+
+set( EXTRA_DIST
+	${ASN_FILE_LIST}
+	packet-${PROTOCOL_NAME}-template.c
+	packet-${PROTOCOL_NAME}-template.h
+	${PROTOCOL_NAME}.cnf
+)
+
+set( SRC_FILES
+	${EXTRA_DIST}
+	${EXT_ASN_FILE_LIST}
+)
+
+set( A2W_FLAGS -b )
+
+set( EXTRA_CNF
+	"${CMAKE_CURRENT_BINARY_DIR}/../cms/cms-exp.cnf"
+)
+
+ASN2WRS()
diff --git a/epan/dissectors/asn1/pkinit/PKINIT.asn b/epan/dissectors/asn1/pkinit/PKINIT.asn
new file mode 100644
index 00000000..ff25738f
--- /dev/null
+++ b/epan/dissectors/asn1/pkinit/PKINIT.asn
@@ -0,0 +1,174 @@
+--NOTE: we have to accomodate BOTH existing users of early drafts, such as
+--packetcable as well as new users once the protocol is standardized.
+--
+--This asn1 file is based on draft-ietf-cat-kerberos-pk-init-20.txt
+--but has been modified to acocmodate the Wireshark asn2wrs compiler
+--and our environment
+--
+--new structures are uncommented and added on demand as they are required
+--
+--Copyright (C) The Internet Society (2004).  This document is subject
+--to the rights, licenses and restrictions contained in BCP 78, and
+--except as set forth therein, the authors retain all their rights.
+--
+--
+--This document and the information contained herein are provided on an
+--"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+--OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+--ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+--INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+--INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+--WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 
+--
+
+KerberosV5-PK-INIT-SPEC {
+           iso(1) identified-organization(3) dod(6) internet(1)
+           security(5) kerberosV5(2) modules(4) pkinit(5) } 
+DEFINITIONS EXPLICIT TAGS ::= 
+BEGIN
+
+
+    IMPORTS
+        SubjectPublicKeyInfo, AlgorithmIdentifier, Name
+            FROM PKIX1Explicit88 { iso (1) identified-organization (3)
+              dod (6) internet (1) security (5) mechanisms (5)
+              pkix (7) id-mod (0) id-pkix1-explicit (18) }
+
+
+        ContentInfo, IssuerAndSerialNumber
+            FROM CryptographicMessageSyntax { iso(1) member-body(2)
+              us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
+              modules(0) cms(1) }
+
+
+        KerberosTime, TYPED-DATA, PrincipalName, Realm, EncryptionKey
+            FROM KerberosV5Spec2 { iso(1) identified-organization(3)
+              dod(6) internet(1) security(5) kerberosV5(2) modules(4)
+              krb5spec2(2) } ;
+
+
+--    id-pkinit  OBJECT IDENTIFIER ::=
+--      { iso (1) org (3) dod (6) internet (1) security (5)
+--        kerberosv5 (2) pkinit (3) }
+--
+--
+--    id-pkauthdata  OBJECT IDENTIFIER  ::= { id-pkinit 1 }
+--    id-pkdhkeydata  OBJECT IDENTIFIER  ::= { id-pkinit 2 }
+--    id-pkrkeydata  OBJECT IDENTIFIER  ::= { id-pkinit 3 }
+--    id-pkekuoid  OBJECT IDENTIFIER  ::= { id-pkinit 4 }
+--    id-pkkdcekuoid  OBJECT IDENTIFIER  ::= { id-pkinit 5 }
+--
+--
+--    pa-pk-as-req INTEGER ::=                 TBD
+--    pa-pk-as-rep INTEGER ::=                 TBD
+--    pa-pk-ocsp-req INTEGER ::=               TBD
+--    pa-pk-ocsp-rep INTEGER ::=               TBD
+--
+--
+--    ad-initial-verified-cas INTEGER ::=      TBD
+--
+--
+--    td-dh-parameters INTEGER ::=             TBD
+--    td-trusted-certifiers INTEGER ::=        104
+--    td-certificate-index INTEGER ::=         105
+
+
+PaPkAsReq ::= SEQUENCE {
+    signedAuthPack          [0] ContentInfo,
+    trustedCertifiers       [1] SEQUENCE OF TrustedCA OPTIONAL,
+    kdcCert                 [2] IssuerAndSerialNumber OPTIONAL,
+    ...
+}
+
+
+TrustedCA ::= CHOICE {
+    caName                  [0] Name,
+    issuerAndSerial         [2] IssuerAndSerialNumber,
+    ...
+}
+
+DHNonce ::= OCTET STRING
+
+AuthPack ::= SEQUENCE {
+    pkAuthenticator         [0] PKAuthenticator,
+    clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL,
+    supportedCMSTypes       [2] SEQUENCE OF AlgorithmIdentifier
+                                OPTIONAL,
+    clientDHNonce           [3] DHNonce OPTIONAL,
+    ...
+}
+
+
+PKAuthenticator ::= SEQUENCE {
+    cusec                   [0] INTEGER,
+    ctime                   [1] KerberosTime,
+    nonce                   [2] INTEGER (0..4294967295),
+    -- paChecksum              [3] Checksum, # changed during draft-ietf-cat-kerberos-pk-init* from Checksum to OCTET STRING OPTIONAL
+    paChecksum              [3] OCTET STRING OPTIONAL,
+    ...
+}
+
+--
+--    TrustedCertifiers ::= SEQUENCE OF Name
+--
+--
+--    CertificateIndex ::= IssuerAndSerialNumber
+--
+--
+KRB5PrincipalName ::= SEQUENCE {
+    realm                   [0] Realm,
+    principalName           [1] PrincipalName
+}
+--
+--
+--    InitialVerifiedCAs ::= SEQUENCE OF SEQUENCE {
+--        ca                      [0] Name,
+--        validated               [1] BOOLEAN,
+--        ...
+--    }
+--
+
+PaPkAsRep ::= CHOICE {
+      dhSignedData            [0] ContentInfo,
+      encKeyPack              [1] ContentInfo,
+      ...
+}
+
+
+KDCDHKeyInfo ::= SEQUENCE {
+    subjectPublicKey        [0] BIT STRING,
+    nonce                   [1] INTEGER,
+    dhKeyExpiration         [2] KerberosTime OPTIONAL,
+    ...
+}
+
+--
+--    ReplyKeyPack ::= SEQUENCE {
+--        replyKey                [0] EncryptionKey,
+--        nonce                   [1] INTEGER (0..4294967295),
+--        ...
+--    }
+
+-- Windows compat glue --
+
+PKAuthenticator-Win2k ::= SEQUENCE {
+	kdcName			[0] PrincipalName,
+	kdcRealm		[1] Realm,
+	cusec			[2] INTEGER (0..4294967295),
+	ctime			[3] KerberosTime,
+	nonce                   [4] INTEGER (-2147483648..2147483647),
+	...
+}
+
+PA-PK-AS-REQ-Win2k ::= SEQUENCE {
+	signed-auth-pack	[0] ContentInfo,
+	trusted-certifiers	[2] SEQUENCE OF TrustedCA OPTIONAL,
+	kdc-cert		[3] IMPLICIT OCTET STRING OPTIONAL,
+	encryption-cert		[4] IMPLICIT OCTET STRING OPTIONAL,
+	...
+}
+
+PA-PK-AS-REP-Win2k ::= PaPkAsRep
+
+END
+
diff --git a/epan/dissectors/asn1/pkinit/packet-pkinit-template.c b/epan/dissectors/asn1/pkinit/packet-pkinit-template.c
new file mode 100644
index 00000000..ec582729
--- /dev/null
+++ b/epan/dissectors/asn1/pkinit/packet-pkinit-template.c
@@ -0,0 +1,102 @@
+/* packet-pkinit.c
+ * Routines for PKINIT packet dissection
+ *  Ronnie Sahlberg 2004
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "config.h"
+
+#include <epan/packet.h>
+#include <epan/asn1.h>
+
+#include "packet-ber.h"
+#include "packet-pkinit.h"
+#include "packet-cms.h"
+#include "packet-pkix1explicit.h"
+#include "packet-kerberos.h"
+
+#define PNAME  "PKINIT"
+#define PSNAME "PKInit"
+#define PFNAME "pkinit"
+
+void proto_register_pkinit(void);
+void proto_reg_handoff_pkinit(void);
+
+/* Initialize the protocol and registered fields */
+static int proto_pkinit = -1;
+#include "packet-pkinit-hf.c"
+
+/* Initialize the subtree pointers */
+#include "packet-pkinit-ett.c"
+
+static int dissect_KerberosV5Spec2_KerberosTime(bool implicit_tag _U_, tvbuff_t *tvb, int offset,  asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_);
+static int dissect_KerberosV5Spec2_Realm(bool implicit_tag _U_, tvbuff_t *tvb, int offset,  asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_);
+static int dissect_KerberosV5Spec2_PrincipalName(bool implicit_tag _U_, tvbuff_t *tvb, int offset,  asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_);
+static int dissect_pkinit_PKAuthenticator_Win2k(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+
+#include "packet-pkinit-fn.c"
+
+int
+dissect_pkinit_PA_PK_AS_REQ(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_) {
+  offset = dissect_pkinit_PaPkAsReq(FALSE, tvb, offset, actx, tree, -1);
+  return offset;
+}
+
+int
+dissect_pkinit_PA_PK_AS_REP(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_) {
+  offset = dissect_pkinit_PaPkAsRep(FALSE, tvb, offset, actx, tree, -1);
+  return offset;
+}
+
+static int
+dissect_KerberosV5Spec2_KerberosTime(bool implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) {
+  offset = dissect_krb5_ctime(tree, tvb, offset, actx);
+  return offset;
+}
+
+static int
+dissect_KerberosV5Spec2_Realm(bool implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) {
+  offset = dissect_krb5_realm(tree, tvb, offset, actx);
+  return offset;
+}
+
+static int
+dissect_KerberosV5Spec2_PrincipalName(bool implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) {
+  offset = dissect_krb5_cname(tree, tvb, offset, actx);
+  return offset;
+}
+
+
+/*--- proto_register_pkinit ----------------------------------------------*/
+void proto_register_pkinit(void) {
+
+  /* List of fields */
+  static hf_register_info hf[] = {
+#include "packet-pkinit-hfarr.c"
+  };
+
+  /* List of subtrees */
+  static gint *ett[] = {
+#include "packet-pkinit-ettarr.c"
+  };
+
+  /* Register protocol */
+  proto_pkinit = proto_register_protocol(PNAME, PSNAME, PFNAME);
+
+  /* Register fields and subtrees */
+  proto_register_field_array(proto_pkinit, hf, array_length(hf));
+  proto_register_subtree_array(ett, array_length(ett));
+
+}
+
+
+/*--- proto_reg_handoff_pkinit -------------------------------------------*/
+void proto_reg_handoff_pkinit(void) {
+#include "packet-pkinit-dis-tab.c"
+}
+
diff --git a/epan/dissectors/asn1/pkinit/packet-pkinit-template.h b/epan/dissectors/asn1/pkinit/packet-pkinit-template.h
new file mode 100644
index 00000000..5d0bd9a7
--- /dev/null
+++ b/epan/dissectors/asn1/pkinit/packet-pkinit-template.h
@@ -0,0 +1,21 @@
+/* packet-pkinit.h
+ * Routines for PKINIT packet dissection
+ *  Ronnie Sahlberg 2004
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef PACKET_PKINIT_H
+#define PACKET_PKINIT_H
+
+int dissect_pkinit_PA_PK_AS_REQ(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
+int dissect_pkinit_PA_PK_AS_REP(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
+
+#include "packet-pkinit-exp.h"
+
+#endif  /* PACKET_PKINIT_H */
+
diff --git a/epan/dissectors/asn1/pkinit/pkinit.cnf b/epan/dissectors/asn1/pkinit/pkinit.cnf
new file mode 100644
index 00000000..a64c322c
--- /dev/null
+++ b/epan/dissectors/asn1/pkinit/pkinit.cnf
@@ -0,0 +1,38 @@
+# pkinit.cnf
+# pkinit conformation file
+
+#.MODULE_IMPORT
+PKIX1Explicit88              pkix1explicit
+
+#.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf
+#.IMPORT ../cms/cms-exp.cnf
+
+#.EXPORTS
+PaPkAsReq
+PaPkAsRep
+PA-PK-AS-REQ-Win2k
+PA-PK-AS-REP-Win2k
+
+#.FN_BODY PKAuthenticator
+	if (kerberos_is_win2k_pkinit(actx)) {
+		return dissect_pkinit_PKAuthenticator_Win2k(implicit_tag, tvb, offset, actx, tree, hf_index);
+	}
+%(DEFAULT_BODY)s
+
+#.REGISTER
+AuthPack          B "1.3.6.1.5.2.3.1" "id-pkauthdata"
+KDCDHKeyInfo      B "1.3.6.1.5.2.3.2" "id-pkdhkeydata"
+KRB5PrincipalName B "1.3.6.1.5.2.2"   "id-pkinit-san"
+
+#.NO_EMIT
+
+#.TYPE_RENAME
+
+#.FIELD_RENAME
+KDCDHKeyInfo/nonce	dhNonce
+PKAuthenticator-Win2k/cusec cusecWin2k
+PKAuthenticator/nonce	paNonce
+PKAuthenticator-Win2k/nonce	paNonceWin2k
+
+#.END
+