1 /*
2 * Copyright (c) 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * Initial contribution from John Hawkinson (jhawk@mit.edu).
22 */
23
24 /* \summary: Kerberos printer */
25
26 #include <config.h>
27
28 #include "netdissect-stdinc.h"
29
30 #include "netdissect.h"
31 #include "extract.h"
32
33 /*
34 * Kerberos 4:
35 *
36 * Athena Technical Plan
37 * Section E.2.1
38 * Kerberos Authentication and Authorization System
39 * by S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer
40 *
41 * https://web.mit.edu/Saltzer/www/publications/athenaplan/e.2.1.pdf
42 *
43 * 7. Appendix I Design Specifications
44 *
45 * Kerberos 5:
46 *
47 * RFC 1510, RFC 2630, etc.
48 */
49
50
51 static const u_char *c_print(netdissect_options *, const u_char *, const u_char *);
52 static const u_char *krb4_print_hdr(netdissect_options *, const u_char *);
53 static void krb4_print(netdissect_options *, const u_char *);
54
55 #define AUTH_MSG_KDC_REQUEST 1<<1
56 #define AUTH_MSG_KDC_REPLY 2<<1
57 #define AUTH_MSG_APPL_REQUEST 3<<1
58 #define AUTH_MSG_APPL_REQUEST_MUTUAL 4<<1
59 #define AUTH_MSG_ERR_REPLY 5<<1
60 #define AUTH_MSG_PRIVATE 6<<1
61 #define AUTH_MSG_SAFE 7<<1
62 #define AUTH_MSG_APPL_ERR 8<<1
63 #define AUTH_MSG_DIE 63<<1
64
65 #define KERB_ERR_OK 0
66 #define KERB_ERR_NAME_EXP 1
67 #define KERB_ERR_SERVICE_EXP 2
68 #define KERB_ERR_AUTH_EXP 3
69 #define KERB_ERR_PKT_VER 4
70 #define KERB_ERR_NAME_MAST_KEY_VER 5
71 #define KERB_ERR_SERV_MAST_KEY_VER 6
72 #define KERB_ERR_BYTE_ORDER 7
73 #define KERB_ERR_PRINCIPAL_UNKNOWN 8
74 #define KERB_ERR_PRINCIPAL_NOT_UNIQUE 9
75 #define KERB_ERR_NULL_KEY 10
76
77 struct krb {
78 nd_uint8_t pvno; /* Protocol Version */
79 nd_uint8_t type; /* Type+B */
80 };
81
82 static const struct tok type2str[] = {
83 { AUTH_MSG_KDC_REQUEST, "KDC_REQUEST" },
84 { AUTH_MSG_KDC_REPLY, "KDC_REPLY" },
85 { AUTH_MSG_APPL_REQUEST, "APPL_REQUEST" },
86 { AUTH_MSG_APPL_REQUEST_MUTUAL, "APPL_REQUEST_MUTUAL" },
87 { AUTH_MSG_ERR_REPLY, "ERR_REPLY" },
88 { AUTH_MSG_PRIVATE, "PRIVATE" },
89 { AUTH_MSG_SAFE, "SAFE" },
90 { AUTH_MSG_APPL_ERR, "APPL_ERR" },
91 { AUTH_MSG_DIE, "DIE" },
92 { 0, NULL }
93 };
94
95 static const struct tok kerr2str[] = {
96 { KERB_ERR_OK, "OK" },
97 { KERB_ERR_NAME_EXP, "NAME_EXP" },
98 { KERB_ERR_SERVICE_EXP, "SERVICE_EXP" },
99 { KERB_ERR_AUTH_EXP, "AUTH_EXP" },
100 { KERB_ERR_PKT_VER, "PKT_VER" },
101 { KERB_ERR_NAME_MAST_KEY_VER, "NAME_MAST_KEY_VER" },
102 { KERB_ERR_SERV_MAST_KEY_VER, "SERV_MAST_KEY_VER" },
103 { KERB_ERR_BYTE_ORDER, "BYTE_ORDER" },
104 { KERB_ERR_PRINCIPAL_UNKNOWN, "PRINCIPAL_UNKNOWN" },
105 { KERB_ERR_PRINCIPAL_NOT_UNIQUE,"PRINCIPAL_NOT_UNIQUE" },
106 { KERB_ERR_NULL_KEY, "NULL_KEY"},
107 { 0, NULL}
108 };
109
110 static const u_char *
c_print(netdissect_options * ndo,const u_char * s,const u_char * ep)111 c_print(netdissect_options *ndo,
112 const u_char *s, const u_char *ep)
113 {
114 u_char c;
115 int flag;
116
117 flag = 1;
118 while (s < ep) {
119 c = GET_U_1(s);
120 s++;
121 if (c == '\0') {
122 flag = 0;
123 break;
124 }
125 fn_print_char(ndo, c);
126 }
127 if (flag)
128 return NULL;
129 return (s);
130 }
131
132 static const u_char *
krb4_print_hdr(netdissect_options * ndo,const u_char * cp)133 krb4_print_hdr(netdissect_options *ndo,
134 const u_char *cp)
135 {
136 cp += 2;
137
138 #define PRINT if ((cp = c_print(ndo, cp, ndo->ndo_snapend)) == NULL) goto trunc
139
140 PRINT;
141 ND_PRINT(".");
142 PRINT;
143 ND_PRINT("@");
144 PRINT;
145 return (cp);
146
147 trunc:
148 nd_print_trunc(ndo);
149 return (NULL);
150
151 #undef PRINT
152 }
153
154 static void
krb4_print(netdissect_options * ndo,const u_char * cp)155 krb4_print(netdissect_options *ndo,
156 const u_char *cp)
157 {
158 const struct krb *kp;
159 u_char type;
160 u_short len;
161
162 #define PRINT if ((cp = c_print(ndo, cp, ndo->ndo_snapend)) == NULL) goto trunc
163 /* True if struct krb is little endian */
164 #define IS_LENDIAN(kp) ((GET_U_1((kp)->type) & 0x01) != 0)
165 #define KTOHSP(kp, cp) (IS_LENDIAN(kp) ? GET_LE_U_2(cp) : GET_BE_U_2(cp))
166
167 kp = (const struct krb *)cp;
168
169 type = GET_U_1(kp->type) & (0xFF << 1);
170
171 ND_PRINT(" %s %s: ",
172 IS_LENDIAN(kp) ? "le" : "be", tok2str(type2str, NULL, type));
173
174 switch (type) {
175
176 case AUTH_MSG_KDC_REQUEST:
177 if ((cp = krb4_print_hdr(ndo, cp)) == NULL)
178 return;
179 cp += 4; /* ctime */
180 ND_PRINT(" %umin ", GET_U_1(cp) * 5);
181 cp++;
182 PRINT;
183 ND_PRINT(".");
184 PRINT;
185 break;
186
187 case AUTH_MSG_APPL_REQUEST:
188 cp += 2;
189 ND_PRINT("v%u ", GET_U_1(cp));
190 cp++;
191 PRINT;
192 ND_PRINT(" (%u)", GET_U_1(cp));
193 cp++;
194 ND_PRINT(" (%u)", GET_U_1(cp));
195 break;
196
197 case AUTH_MSG_KDC_REPLY:
198 if ((cp = krb4_print_hdr(ndo, cp)) == NULL)
199 return;
200 cp += 10; /* timestamp + n + exp + kvno */
201 len = KTOHSP(kp, cp);
202 ND_PRINT(" (%u)", len);
203 break;
204
205 case AUTH_MSG_ERR_REPLY:
206 if ((cp = krb4_print_hdr(ndo, cp)) == NULL)
207 return;
208 cp += 4; /* timestamp */
209 ND_PRINT(" %s ", tok2str(kerr2str, NULL, KTOHSP(kp, cp)));
210 cp += 4;
211 PRINT;
212 break;
213
214 default:
215 ND_PRINT("(unknown)");
216 break;
217 }
218
219 return;
220 trunc:
221 nd_print_trunc(ndo);
222 }
223
224 void
krb_print(netdissect_options * ndo,const u_char * dat)225 krb_print(netdissect_options *ndo,
226 const u_char *dat)
227 {
228 const struct krb *kp;
229
230 ndo->ndo_protocol = "kerberos";
231 nd_print_protocol(ndo);
232
233 kp = (const struct krb *)dat;
234
235 switch (GET_U_1(kp->pvno)) {
236
237 case 1:
238 case 2:
239 case 3:
240 ND_PRINT(" v%u", GET_U_1(kp->pvno));
241 break;
242
243 case 4:
244 ND_PRINT(" v%u", GET_U_1(kp->pvno));
245 krb4_print(ndo, (const u_char *)kp);
246 break;
247
248 case 106:
249 case 107:
250 ND_PRINT(" v5");
251 /* Decode ASN.1 here "someday" */
252 break;
253 }
254 }
255