From e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 10 Apr 2024 22:34:10 +0200 Subject: Adding upstream version 4.2.2. Signed-off-by: Daniel Baumann --- epan/dissectors/asn1/pkinit/CMakeLists.txt | 39 +++++ epan/dissectors/asn1/pkinit/PKINIT.asn | 174 +++++++++++++++++++++ .../asn1/pkinit/packet-pkinit-template.c | 102 ++++++++++++ .../asn1/pkinit/packet-pkinit-template.h | 21 +++ epan/dissectors/asn1/pkinit/pkinit.cnf | 38 +++++ 5 files changed, 374 insertions(+) create mode 100644 epan/dissectors/asn1/pkinit/CMakeLists.txt create mode 100644 epan/dissectors/asn1/pkinit/PKINIT.asn create mode 100644 epan/dissectors/asn1/pkinit/packet-pkinit-template.c create mode 100644 epan/dissectors/asn1/pkinit/packet-pkinit-template.h create mode 100644 epan/dissectors/asn1/pkinit/pkinit.cnf (limited to 'epan/dissectors/asn1/pkinit')
diff --git a/epan/dissectors/asn1/pkinit/CMakeLists.txt b/epan/dissectors/asn1/pkinit/CMakeLists.txt
new file mode 100644
index 00000000..50209cb2
--- /dev/null
+++ b/epan/dissectors/asn1/pkinit/CMakeLists.txt
@@ -0,0 +1,39 @@
+# CMakeLists.txt
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs
+# Copyright 1998 Gerald Combs
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+
+set( PROTOCOL_NAME pkinit )
+
+set( PROTO_OPT )
+
+set( EXT_ASN_FILE_LIST
+)
+
+set( ASN_FILE_LIST
+ PKINIT.asn
+)
+
+set( EXTRA_DIST
+ ${ASN_FILE_LIST}
+ packet-${PROTOCOL_NAME}-template.c
+ packet-${PROTOCOL_NAME}-template.h
+ ${PROTOCOL_NAME}.cnf
+)
+
+set( SRC_FILES
+ ${EXTRA_DIST}
+ ${EXT_ASN_FILE_LIST}
+)
+
+set( A2W_FLAGS -b )
+
+set( EXTRA_CNF
+ "${CMAKE_CURRENT_BINARY_DIR}/../cms/cms-exp.cnf"
+)
+
+ASN2WRS()
diff --git a/epan/dissectors/asn1/pkinit/PKINIT.asn b/epan/dissectors/asn1/pkinit/PKINIT.asn
new file mode 100644
index 00000000..ff25738f
--- /dev/null
+++ b/epan/dissectors/asn1/pkinit/PKINIT.asn
@@ -0,0 +1,174 @@
+--NOTE: we have to accomodate BOTH existing users of early drafts, such as
+--packetcable as well as new users once the protocol is standardized.
+--
+--This asn1 file is based on draft-ietf-cat-kerberos-pk-init-20.txt
+--but has been modified to acocmodate the Wireshark asn2wrs compiler
+--and our environment
+--
+--new structures are uncommented and added on demand as they are required
+--
+--Copyright (C) The Internet Society (2004). This document is subject
+--to the rights, licenses and restrictions contained in BCP 78, and
+--except as set forth therein, the authors retain all their rights.
+--
+--
+--This document and the information contained herein are provided on an
+--"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+--OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+--ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+--INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+--INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+--WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+--
+
+KerberosV5-PK-INIT-SPEC {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2) modules(4) pkinit(5) }
+DEFINITIONS EXPLICIT TAGS ::=
+BEGIN
+
+
+ IMPORTS
+ SubjectPublicKeyInfo, AlgorithmIdentifier, Name
+ FROM PKIX1Explicit88 { iso (1) identified-organization (3)
+ dod (6) internet (1) security (5) mechanisms (5)
+ pkix (7) id-mod (0) id-pkix1-explicit (18) }
+
+
+ ContentInfo, IssuerAndSerialNumber
+ FROM CryptographicMessageSyntax { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
+ modules(0) cms(1) }
+
+
+ KerberosTime, TYPED-DATA, PrincipalName, Realm, EncryptionKey
+ FROM KerberosV5Spec2 { iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) kerberosV5(2) modules(4)
+ krb5spec2(2) } ;
+
+
+-- id-pkinit OBJECT IDENTIFIER ::=
+-- { iso (1) org (3) dod (6) internet (1) security (5)
+-- kerberosv5 (2) pkinit (3) }
+--
+--
+-- id-pkauthdata OBJECT IDENTIFIER ::= { id-pkinit 1 }
+-- id-pkdhkeydata OBJECT IDENTIFIER ::= { id-pkinit 2 }
+-- id-pkrkeydata OBJECT IDENTIFIER ::= { id-pkinit 3 }
+-- id-pkekuoid OBJECT IDENTIFIER ::= { id-pkinit 4 }
+-- id-pkkdcekuoid OBJECT IDENTIFIER ::= { id-pkinit 5 }
+--
+--
+-- pa-pk-as-req INTEGER ::= TBD
+-- pa-pk-as-rep INTEGER ::= TBD
+-- pa-pk-ocsp-req INTEGER ::= TBD
+-- pa-pk-ocsp-rep INTEGER ::= TBD
+--
+--
+-- ad-initial-verified-cas INTEGER ::= TBD
+--
+--
+-- td-dh-parameters INTEGER ::= TBD
+-- td-trusted-certifiers INTEGER ::= 104
+-- td-certificate-index INTEGER ::= 105
+
+
+PaPkAsReq ::= SEQUENCE {
+ signedAuthPack [0] ContentInfo,
+ trustedCertifiers [1] SEQUENCE OF TrustedCA OPTIONAL,
+ kdcCert [2] IssuerAndSerialNumber OPTIONAL,
+ ...
+}
+
+
+TrustedCA ::= CHOICE {
+ caName [0] Name,
+ issuerAndSerial [2] IssuerAndSerialNumber,
+ ...
+}
+
+DHNonce ::= OCTET STRING
+
+AuthPack ::= SEQUENCE {
+ pkAuthenticator [0] PKAuthenticator,
+ clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
+ supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
+ OPTIONAL,
+ clientDHNonce [3] DHNonce OPTIONAL,
+ ...
+}
+
+
+PKAuthenticator ::= SEQUENCE {
+ cusec [0] INTEGER,
+ ctime [1] KerberosTime,
+ nonce [2] INTEGER (0..4294967295),
+ -- paChecksum [3] Checksum, # changed during draft-ietf-cat-kerberos-pk-init* from Checksum to OCTET STRING OPTIONAL
+ paChecksum [3] OCTET STRING OPTIONAL,
+ ...
+}
+
+--
+-- TrustedCertifiers ::= SEQUENCE OF Name
+--
+--
+-- CertificateIndex ::= IssuerAndSerialNumber
+--
+--
+KRB5PrincipalName ::= SEQUENCE {
+ realm [0] Realm,
+ principalName [1] PrincipalName
+}
+--
+--
+-- InitialVerifiedCAs ::= SEQUENCE OF SEQUENCE {
+-- ca [0] Name,
+-- validated [1] BOOLEAN,
+-- ...
+-- }
+--
+
+PaPkAsRep ::= CHOICE {
+ dhSignedData [0] ContentInfo,
+ encKeyPack [1] ContentInfo,
+ ...
+}
+
+
+KDCDHKeyInfo ::= SEQUENCE {
+ subjectPublicKey [0] BIT STRING,
+ nonce [1] INTEGER,
+ dhKeyExpiration [2] KerberosTime OPTIONAL,
+ ...
+}
+
+--
+-- ReplyKeyPack ::= SEQUENCE {
+-- replyKey [0] EncryptionKey,
+-- nonce [1] INTEGER (0..4294967295),
+-- ...
+-- }
+
+-- Windows compat glue --
+
+PKAuthenticator-Win2k ::= SEQUENCE {
+ kdcName [0] PrincipalName,
+ kdcRealm [1] Realm,
+ cusec [2] INTEGER (0..4294967295),
+ ctime [3] KerberosTime,
+ nonce [4] INTEGER (-2147483648..2147483647),
+ ...
+}
+
+PA-PK-AS-REQ-Win2k ::= SEQUENCE {
+ signed-auth-pack [0] ContentInfo,
+ trusted-certifiers [2] SEQUENCE OF TrustedCA OPTIONAL,
+ kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
+ encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL,
+ ...
+}
+
+PA-PK-AS-REP-Win2k ::= PaPkAsRep
+
+END
+
diff --git a/epan/dissectors/asn1/pkinit/packet-pkinit-template.c b/epan/dissectors/asn1/pkinit/packet-pkinit-template.c
new file mode 100644
index 00000000..ec582729
--- /dev/null
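Review bot: The module header says these definitions follow draft-ietf-cat-kerberos-pk-init-20, and `PaPkAsReq`/`PaPkAsRep` are typed that way (`signedAuthPack [0] ContentInfo`, `dhSignedData [0] ContentInfo`), while the published RFC 4556 layout, if I read it correctly, wraps signedAuthPack as `[0] IMPLICIT OCTET STRING`, uses ExternalPrincipalIdentifier for trustedCertifiers and `[0] DHRepInfo` in the reply; PKINIT exchanges encoded per the RFC may therefore decode with BER tag errors through these types, so the header should state which wire variants are actually modelled. I would add, after the draft-20 line, `--Note: these are the draft-20 and Windows 2000 layouts; the RFC 4556 final structures (ExternalPrincipalIdentifier, DHRepInfo, OCTET STRING-wrapped signedAuthPack) are not modelled here -- confirm how the Kerberos dissector routes RFC 4556 traffic.` Because this parser is what an analyst relies on to see attacker-supplied pre-authentication data, a silent decode gap matters more here than in most dissectors. Separately, `accomodate` and `acocmodate` in the header should read `accommodate`.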
+++ b/epan/dissectors/asn1/pkinit/packet-pkinit-template.c 
@@ -0,0 +1,102 @@
+/* packet-pkinit.c
+ * Routines for PKINIT packet dissection
+ * Ronnie Sahlberg 2004
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "config.h"
+
+#include
+#include
+
+#include "packet-ber.h"
+#include "packet-pkinit.h"
+#include "packet-cms.h"
+#include "packet-pkix1explicit.h"
+#include "packet-kerberos.h"
+
+#define PNAME "PKINIT"
+#define PSNAME "PKInit"
+#define PFNAME "pkinit"
+
+void proto_register_pkinit(void);
+void proto_reg_handoff_pkinit(void);
+
+/* Initialize the protocol and registered fields */
+static int proto_pkinit = -1;
+#include "packet-pkinit-hf.c"
+
+/* Initialize the subtree pointers */
+#include "packet-pkinit-ett.c"
+
+static int dissect_KerberosV5Spec2_KerberosTime(bool implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_);
+static int dissect_KerberosV5Spec2_Realm(bool implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_);
+static int dissect_KerberosV5Spec2_PrincipalName(bool implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_);
+static int dissect_pkinit_PKAuthenticator_Win2k(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+
+#include "packet-pkinit-fn.c"
+
+int
+dissect_pkinit_PA_PK_AS_REQ(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_) {
+ offset = dissect_pkinit_PaPkAsReq(FALSE, tvb, offset, actx, tree, -1);
+ return offset;
+}
+
+int
+dissect_pkinit_PA_PK_AS_REP(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_) {
+ offset = dissect_pkinit_PaPkAsRep(FALSE, tvb, offset, actx, tree, -1);
+ return offset;
+}
+
+static int
+dissect_KerberosV5Spec2_KerberosTime(bool implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index
_U_) {
+ offset = dissect_krb5_ctime(tree, tvb, offset, actx);
+ return offset;
+}
+
+static int
+dissect_KerberosV5Spec2_Realm(bool implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) {
+ offset = dissect_krb5_realm(tree, tvb, offset, actx);
+ return offset;
+}
+
+static int
+dissect_KerberosV5Spec2_PrincipalName(bool implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) {
+ offset = dissect_krb5_cname(tree, tvb, offset, actx);
+ return offset;
+}
+
+
+/*--- proto_register_pkinit ----------------------------------------------*/
+void proto_register_pkinit(void) {
+
+ /* List of fields */
+ static hf_register_info hf[] = {
+#include "packet-pkinit-hfarr.c"
+ };
+
+ /* List of subtrees */
+ static gint *ett[] = {
+#include "packet-pkinit-ettarr.c"
+ };
+
+ /* Register protocol */
+ proto_pkinit = proto_register_protocol(PNAME, PSNAME, PFNAME);
+
+ /* Register fields and subtrees */
+ proto_register_field_array(proto_pkinit, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+
+}
+
+
+/*--- proto_reg_handoff_pkinit -------------------------------------------*/
+void proto_reg_handoff_pkinit(void) {
+#include "packet-pkinit-dis-tab.c"
+}
+
diff --git a/epan/dissectors/asn1/pkinit/packet-pkinit-template.h b/epan/dissectors/asn1/pkinit/packet-pkinit-template.h
new file mode 100644
index 00000000..5d0bd9a7
--- /dev/null
+++ b/epan/dissectors/asn1/pkinit/packet-pkinit-template.h
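Review bot: `actx` is marked `_U_` on both exported wrappers, `dissect_pkinit_PA_PK_AS_REQ` and `dissect_pkinit_PA_PK_AS_REP`, yet each passes it straight into the generated dissector, so the attribute is misleading; drop it there, i.e. `dissect_pkinit_PA_PK_AS_REQ(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx) {` (and likewise in the prototypes in packet-pkinit-template.h, where `_U_` has no effect anyway). The same calls pass `FALSE` into a parameter this file itself declares as `bool implicit_tag`; `false` keeps it consistent with the bool signatures used here. The three `dissect_KerberosV5Spec2_*` helpers silently ignore `implicit_tag` and `hf_index` and let the Kerberos dissector pick its own fields, so a comment such as `/* Delegates to packet-kerberos, which registers its own hf fields; implicit_tag and hf_index are intentionally unused. */` would stop a later reader from "fixing" that. The two bare `#include` lines after `config.h` look like the angle-bracket system headers were lost in extraction rather than in the commit — worth confirming against the repository.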
@@ -0,0 +1,21 @@
+/* packet-pkinit.h
+ * Routines for PKINIT packet dissection
+ * Ronnie Sahlberg 2004
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef PACKET_PKINIT_H
+#define PACKET_PKINIT_H
+
+int dissect_pkinit_PA_PK_AS_REQ(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
+int dissect_pkinit_PA_PK_AS_REP(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
+
+#include "packet-pkinit-exp.h"
+
+#endif /* PACKET_PKINIT_H */
+
diff --git a/epan/dissectors/asn1/pkinit/pkinit.cnf b/epan/dissectors/asn1/pkinit/pkinit.cnf
new file mode 100644
index 00000000..a64c322c
--- /dev/null
+++ b/epan/dissectors/asn1/pkinit/pkinit.cnf
@@ -0,0 +1,38 @@
+# pkinit.cnf
+# pkinit conformation file
+
+#.MODULE_IMPORT
+PKIX1Explicit88 pkix1explicit
+
+#.INCLUDE ../pkix1explicit/pkix1explicit_exp.cnf
+#.IMPORT ../cms/cms-exp.cnf
+
+#.EXPORTS
+PaPkAsReq
+PaPkAsRep
+PA-PK-AS-REQ-Win2k
+PA-PK-AS-REP-Win2k
+
+#.FN_BODY PKAuthenticator
+ if (kerberos_is_win2k_pkinit(actx)) {
+ return dissect_pkinit_PKAuthenticator_Win2k(implicit_tag, tvb, offset, actx, tree, hf_index);
+ }
+%(DEFAULT_BODY)s
+
+#.REGISTER
+AuthPack B "1.3.6.1.5.2.3.1" "id-pkauthdata"
+KDCDHKeyInfo B "1.3.6.1.5.2.3.2" "id-pkdhkeydata"
+KRB5PrincipalName B "1.3.6.1.5.2.2" "id-pkinit-san"
+
+#.NO_EMIT
+
+#.TYPE_RENAME
+
+#.FIELD_RENAME
+KDCDHKeyInfo/nonce dhNonce
+PKAuthenticator-Win2k/cusec cusecWin2k
+PKAuthenticator/nonce paNonce
+PKAuthenticator-Win2k/nonce paNonceWin2k
+
+#.END
+
-- cgit v1.2.3
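Review bot: The `#.FN_BODY PKAuthenticator` override switches between two incompatible tag layouts (`[0]` is the cusec INTEGER in PKAuthenticator but kdcName PrincipalName in PKAuthenticator-Win2k) solely on `kerberos_is_win2k_pkinit(actx)`, i.e. on state handed over by the Kerberos dissector, and nothing in this file says so; a wrong flag surfaces as a BER tag error on the untrusted input rather than a silent misparse, which is acceptable, but the dependency should be documented. I would put `# Layout selection is driven by kerberos_is_win2k_pkinit(actx), state supplied by the Kerberos dissector; the bytes themselves are not sniffed here.` directly above the override. The `#.NO_EMIT` and `#.TYPE_RENAME` sections are empty and could be dropped so the conformance file shows only what it actually configures, unless the project convention is to keep the skeleton.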