xref: /dragonfly/contrib/tcpdump/print-krb.c (revision 6f5ec8b5) 
1 /*
2  * Copyright (c) 1995, 1996, 1997
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that: (1) source code distributions
7  * retain the above copyright notice and this paragraph in its entirety, (2)
8  * distributions including binary code include the above copyright notice and
9  * this paragraph in its entirety in the documentation or other materials
10  * provided with the distribution, and (3) all advertising materials mentioning
11  * features or use of this software display the following acknowledgement:
12  * ``This product includes software developed by the University of California,
13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14  * the University nor the names of its contributors may be used to endorse
15  * or promote products derived from this software without specific prior
16  * written permission.
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20  *
21  * Initial contribution from John Hawkinson (jhawk@mit.edu).
22  */
23 
24 /* \summary: Kerberos printer */
25 
26 #ifdef HAVE_CONFIG_H
27 #include <config.h>
28 #endif
29 
30 #include "netdissect-stdinc.h"
31 
32 #include "netdissect.h"
33 #include "extract.h"
34 
35 /*
36  * Kerberos 4:
37  *
38  * Athena Technical Plan
39  * Section E.2.1
40  * Kerberos Authentication and Authorization System
41  * by S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer
42  *
43  * https://web.mit.edu/Saltzer/www/publications/athenaplan/e.2.1.pdf
44  *
45  * 7. Appendix I Design Specifications
46  *
47  * Kerberos 5:
48  *
49  * RFC 1510, RFC 2630, etc.
50  */
51 
52 
53 static const u_char *c_print(netdissect_options *, const u_char *, const u_char *);
54 static const u_char *krb4_print_hdr(netdissect_options *, const u_char *);
55 static void krb4_print(netdissect_options *, const u_char *);
56 
57 #define AUTH_MSG_KDC_REQUEST			1<<1
58 #define AUTH_MSG_KDC_REPLY			2<<1
59 #define AUTH_MSG_APPL_REQUEST			3<<1
60 #define AUTH_MSG_APPL_REQUEST_MUTUAL		4<<1
61 #define AUTH_MSG_ERR_REPLY			5<<1
62 #define AUTH_MSG_PRIVATE			6<<1
63 #define AUTH_MSG_SAFE				7<<1
64 #define AUTH_MSG_APPL_ERR			8<<1
65 #define AUTH_MSG_DIE				63<<1
66 
67 #define KERB_ERR_OK				0
68 #define KERB_ERR_NAME_EXP			1
69 #define KERB_ERR_SERVICE_EXP			2
70 #define KERB_ERR_AUTH_EXP			3
71 #define KERB_ERR_PKT_VER			4
72 #define KERB_ERR_NAME_MAST_KEY_VER		5
73 #define KERB_ERR_SERV_MAST_KEY_VER		6
74 #define KERB_ERR_BYTE_ORDER			7
75 #define KERB_ERR_PRINCIPAL_UNKNOWN		8
76 #define KERB_ERR_PRINCIPAL_NOT_UNIQUE		9
77 #define KERB_ERR_NULL_KEY			10
78 
79 struct krb {
80 	nd_uint8_t pvno;	/* Protocol Version */
81 	nd_uint8_t type;	/* Type+B */
82 };
83 
84 static const struct tok type2str[] = {
85 	{ AUTH_MSG_KDC_REQUEST,		"KDC_REQUEST" },
86 	{ AUTH_MSG_KDC_REPLY,		"KDC_REPLY" },
87 	{ AUTH_MSG_APPL_REQUEST,	"APPL_REQUEST" },
88 	{ AUTH_MSG_APPL_REQUEST_MUTUAL,	"APPL_REQUEST_MUTUAL" },
89 	{ AUTH_MSG_ERR_REPLY,		"ERR_REPLY" },
90 	{ AUTH_MSG_PRIVATE,		"PRIVATE" },
91 	{ AUTH_MSG_SAFE,		"SAFE" },
92 	{ AUTH_MSG_APPL_ERR,		"APPL_ERR" },
93 	{ AUTH_MSG_DIE,			"DIE" },
94 	{ 0,				NULL }
95 };
96 
97 static const struct tok kerr2str[] = {
98 	{ KERB_ERR_OK,			"OK" },
99 	{ KERB_ERR_NAME_EXP,		"NAME_EXP" },
100 	{ KERB_ERR_SERVICE_EXP,		"SERVICE_EXP" },
101 	{ KERB_ERR_AUTH_EXP,		"AUTH_EXP" },
102 	{ KERB_ERR_PKT_VER,		"PKT_VER" },
103 	{ KERB_ERR_NAME_MAST_KEY_VER,	"NAME_MAST_KEY_VER" },
104 	{ KERB_ERR_SERV_MAST_KEY_VER,	"SERV_MAST_KEY_VER" },
105 	{ KERB_ERR_BYTE_ORDER,		"BYTE_ORDER" },
106 	{ KERB_ERR_PRINCIPAL_UNKNOWN,	"PRINCIPAL_UNKNOWN" },
107 	{ KERB_ERR_PRINCIPAL_NOT_UNIQUE,"PRINCIPAL_NOT_UNIQUE" },
108 	{ KERB_ERR_NULL_KEY,		"NULL_KEY"},
109 	{ 0,				NULL}
110 };
111 
112 static const u_char *
113 c_print(netdissect_options *ndo,
114         const u_char *s, const u_char *ep)
115 {
116 	u_char c;
117 	int flag;
118 
119 	flag = 1;
120 	while (s < ep) {
121 		c = GET_U_1(s);
122 		s++;
123 		if (c == '\0') {
124 			flag = 0;
125 			break;
126 		}
127 		fn_print_char(ndo, c);
128 	}
129 	if (flag)
130 		return NULL;
131 	return (s);
132 }
133 
134 static const u_char *
135 krb4_print_hdr(netdissect_options *ndo,
136                const u_char *cp)
137 {
138 	cp += 2;
139 
140 #define PRINT		if ((cp = c_print(ndo, cp, ndo->ndo_snapend)) == NULL) goto trunc
141 
142 	PRINT;
143 	ND_PRINT(".");
144 	PRINT;
145 	ND_PRINT("@");
146 	PRINT;
147 	return (cp);
148 
149 trunc:
150 	nd_print_trunc(ndo);
151 	return (NULL);
152 
153 #undef PRINT
154 }
155 
156 static void
157 krb4_print(netdissect_options *ndo,
158            const u_char *cp)
159 {
160 	const struct krb *kp;
161 	u_char type;
162 	u_short len;
163 
164 #define PRINT		if ((cp = c_print(ndo, cp, ndo->ndo_snapend)) == NULL) goto trunc
165 /*  True if struct krb is little endian */
166 #define IS_LENDIAN(kp)	((GET_U_1((kp)->type) & 0x01) != 0)
167 #define KTOHSP(kp, cp)	(IS_LENDIAN(kp) ? GET_LE_U_2(cp) : GET_BE_U_2(cp))
168 
169 	kp = (const struct krb *)cp;
170 
171 	type = GET_U_1(kp->type) & (0xFF << 1);
172 
173 	ND_PRINT(" %s %s: ",
174 	    IS_LENDIAN(kp) ? "le" : "be", tok2str(type2str, NULL, type));
175 
176 	switch (type) {
177 
178 	case AUTH_MSG_KDC_REQUEST:
179 		if ((cp = krb4_print_hdr(ndo, cp)) == NULL)
180 			return;
181 		cp += 4;	/* ctime */
182 		ND_PRINT(" %umin ", GET_U_1(cp) * 5);
183 		cp++;
184 		PRINT;
185 		ND_PRINT(".");
186 		PRINT;
187 		break;
188 
189 	case AUTH_MSG_APPL_REQUEST:
190 		cp += 2;
191 		ND_PRINT("v%u ", GET_U_1(cp));
192 		cp++;
193 		PRINT;
194 		ND_PRINT(" (%u)", GET_U_1(cp));
195 		cp++;
196 		ND_PRINT(" (%u)", GET_U_1(cp));
197 		break;
198 
199 	case AUTH_MSG_KDC_REPLY:
200 		if ((cp = krb4_print_hdr(ndo, cp)) == NULL)
201 			return;
202 		cp += 10;	/* timestamp + n + exp + kvno */
203 		len = KTOHSP(kp, cp);
204 		ND_PRINT(" (%u)", len);
205 		break;
206 
207 	case AUTH_MSG_ERR_REPLY:
208 		if ((cp = krb4_print_hdr(ndo, cp)) == NULL)
209 			return;
210 		cp += 4; 	  /* timestamp */
211 		ND_PRINT(" %s ", tok2str(kerr2str, NULL, KTOHSP(kp, cp)));
212 		cp += 4;
213 		PRINT;
214 		break;
215 
216 	default:
217 		ND_PRINT("(unknown)");
218 		break;
219 	}
220 
221 	return;
222 trunc:
223 	nd_print_trunc(ndo);
224 }
225 
226 void
227 krb_print(netdissect_options *ndo,
228           const u_char *dat)
229 {
230 	const struct krb *kp;
231 
232 	ndo->ndo_protocol = "krb";
233 	kp = (const struct krb *)dat;
234 
235 	if (dat >= ndo->ndo_snapend) {
236 		nd_print_trunc(ndo);
237 		return;
238 	}
239 
240 	switch (GET_U_1(kp->pvno)) {
241 
242 	case 1:
243 	case 2:
244 	case 3:
245 		ND_PRINT(" v%u", GET_U_1(kp->pvno));
246 		break;
247 
248 	case 4:
249 		ND_PRINT(" v%u", GET_U_1(kp->pvno));
250 		krb4_print(ndo, (const u_char *)kp);
251 		break;
252 
253 	case 106:
254 	case 107:
255 		ND_PRINT(" v5");
256 		/* Decode ASN.1 here "someday" */
257 		break;
258 	}
259 }
260