xref: /netbsd-src/external/bsd/tcpdump/dist/print-krb.c (revision 8e33eff89e26cf71871ead62f0d5063e1313c33a) 
1 /*
2  * Copyright (c) 1995, 1996, 1997
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that: (1) source code distributions
7  * retain the above copyright notice and this paragraph in its entirety, (2)
8  * distributions including binary code include the above copyright notice and
9  * this paragraph in its entirety in the documentation or other materials
10  * provided with the distribution, and (3) all advertising materials mentioning
11  * features or use of this software display the following acknowledgement:
12  * ``This product includes software developed by the University of California,
13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14  * the University nor the names of its contributors may be used to endorse
15  * or promote products derived from this software without specific prior
16  * written permission.
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20  *
21  * Initial contribution from John Hawkinson (jhawk@mit.edu).
22  */
23 
24 #include <sys/cdefs.h>
25 #ifndef lint
26 __RCSID("$NetBSD: print-krb.c,v 1.9 2024/09/02 16:15:31 christos Exp $");
27 #endif
28 
29 /* \summary: Kerberos printer */
30 
31 #include <config.h>
32 
33 #include "netdissect-stdinc.h"
34 
35 #include "netdissect.h"
36 #include "extract.h"
37 
38 /*
39  * Kerberos 4:
40  *
41  * Athena Technical Plan
42  * Section E.2.1
43  * Kerberos Authentication and Authorization System
44  * by S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer
45  *
46  * https://web.mit.edu/Saltzer/www/publications/athenaplan/e.2.1.pdf
47  *
48  * 7. Appendix I Design Specifications
49  *
50  * Kerberos 5:
51  *
52  * RFC 1510, RFC 2630, etc.
53  */
54 
55 
56 static const u_char *c_print(netdissect_options *, const u_char *, const u_char *);
57 static const u_char *krb4_print_hdr(netdissect_options *, const u_char *);
58 static void krb4_print(netdissect_options *, const u_char *);
59 
60 #define AUTH_MSG_KDC_REQUEST			1<<1
61 #define AUTH_MSG_KDC_REPLY			2<<1
62 #define AUTH_MSG_APPL_REQUEST			3<<1
63 #define AUTH_MSG_APPL_REQUEST_MUTUAL		4<<1
64 #define AUTH_MSG_ERR_REPLY			5<<1
65 #define AUTH_MSG_PRIVATE			6<<1
66 #define AUTH_MSG_SAFE				7<<1
67 #define AUTH_MSG_APPL_ERR			8<<1
68 #define AUTH_MSG_DIE				63<<1
69 
70 #define KERB_ERR_OK				0
71 #define KERB_ERR_NAME_EXP			1
72 #define KERB_ERR_SERVICE_EXP			2
73 #define KERB_ERR_AUTH_EXP			3
74 #define KERB_ERR_PKT_VER			4
75 #define KERB_ERR_NAME_MAST_KEY_VER		5
76 #define KERB_ERR_SERV_MAST_KEY_VER		6
77 #define KERB_ERR_BYTE_ORDER			7
78 #define KERB_ERR_PRINCIPAL_UNKNOWN		8
79 #define KERB_ERR_PRINCIPAL_NOT_UNIQUE		9
80 #define KERB_ERR_NULL_KEY			10
81 
82 struct krb {
83 	nd_uint8_t pvno;	/* Protocol Version */
84 	nd_uint8_t type;	/* Type+B */
85 };
86 
87 static const struct tok type2str[] = {
88 	{ AUTH_MSG_KDC_REQUEST,		"KDC_REQUEST" },
89 	{ AUTH_MSG_KDC_REPLY,		"KDC_REPLY" },
90 	{ AUTH_MSG_APPL_REQUEST,	"APPL_REQUEST" },
91 	{ AUTH_MSG_APPL_REQUEST_MUTUAL,	"APPL_REQUEST_MUTUAL" },
92 	{ AUTH_MSG_ERR_REPLY,		"ERR_REPLY" },
93 	{ AUTH_MSG_PRIVATE,		"PRIVATE" },
94 	{ AUTH_MSG_SAFE,		"SAFE" },
95 	{ AUTH_MSG_APPL_ERR,		"APPL_ERR" },
96 	{ AUTH_MSG_DIE,			"DIE" },
97 	{ 0,				NULL }
98 };
99 
100 static const struct tok kerr2str[] = {
101 	{ KERB_ERR_OK,			"OK" },
102 	{ KERB_ERR_NAME_EXP,		"NAME_EXP" },
103 	{ KERB_ERR_SERVICE_EXP,		"SERVICE_EXP" },
104 	{ KERB_ERR_AUTH_EXP,		"AUTH_EXP" },
105 	{ KERB_ERR_PKT_VER,		"PKT_VER" },
106 	{ KERB_ERR_NAME_MAST_KEY_VER,	"NAME_MAST_KEY_VER" },
107 	{ KERB_ERR_SERV_MAST_KEY_VER,	"SERV_MAST_KEY_VER" },
108 	{ KERB_ERR_BYTE_ORDER,		"BYTE_ORDER" },
109 	{ KERB_ERR_PRINCIPAL_UNKNOWN,	"PRINCIPAL_UNKNOWN" },
110 	{ KERB_ERR_PRINCIPAL_NOT_UNIQUE,"PRINCIPAL_NOT_UNIQUE" },
111 	{ KERB_ERR_NULL_KEY,		"NULL_KEY"},
112 	{ 0,				NULL}
113 };
114 
115 static const u_char *
116 c_print(netdissect_options *ndo,
117         const u_char *s, const u_char *ep)
118 {
119 	u_char c;
120 	int flag;
121 
122 	flag = 1;
123 	while (s < ep) {
124 		c = GET_U_1(s);
125 		s++;
126 		if (c == '\0') {
127 			flag = 0;
128 			break;
129 		}
130 		fn_print_char(ndo, c);
131 	}
132 	if (flag)
133 		return NULL;
134 	return (s);
135 }
136 
137 static const u_char *
138 krb4_print_hdr(netdissect_options *ndo,
139                const u_char *cp)
140 {
141 	cp += 2;
142 
143 #define PRINT		if ((cp = c_print(ndo, cp, ndo->ndo_snapend)) == NULL) goto trunc
144 
145 	PRINT;
146 	ND_PRINT(".");
147 	PRINT;
148 	ND_PRINT("@");
149 	PRINT;
150 	return (cp);
151 
152 trunc:
153 	nd_print_trunc(ndo);
154 	return (NULL);
155 
156 #undef PRINT
157 }
158 
159 static void
160 krb4_print(netdissect_options *ndo,
161            const u_char *cp)
162 {
163 	const struct krb *kp;
164 	u_char type;
165 	u_short len;
166 
167 #define PRINT		if ((cp = c_print(ndo, cp, ndo->ndo_snapend)) == NULL) goto trunc
168 /*  True if struct krb is little endian */
169 #define IS_LENDIAN(kp)	((GET_U_1((kp)->type) & 0x01) != 0)
170 #define KTOHSP(kp, cp)	(IS_LENDIAN(kp) ? GET_LE_U_2(cp) : GET_BE_U_2(cp))
171 
172 	kp = (const struct krb *)cp;
173 
174 	type = GET_U_1(kp->type) & (0xFF << 1);
175 
176 	ND_PRINT(" %s %s: ",
177 	    IS_LENDIAN(kp) ? "le" : "be", tok2str(type2str, NULL, type));
178 
179 	switch (type) {
180 
181 	case AUTH_MSG_KDC_REQUEST:
182 		if ((cp = krb4_print_hdr(ndo, cp)) == NULL)
183 			return;
184 		cp += 4;	/* ctime */
185 		ND_PRINT(" %umin ", GET_U_1(cp) * 5);
186 		cp++;
187 		PRINT;
188 		ND_PRINT(".");
189 		PRINT;
190 		break;
191 
192 	case AUTH_MSG_APPL_REQUEST:
193 		cp += 2;
194 		ND_PRINT("v%u ", GET_U_1(cp));
195 		cp++;
196 		PRINT;
197 		ND_PRINT(" (%u)", GET_U_1(cp));
198 		cp++;
199 		ND_PRINT(" (%u)", GET_U_1(cp));
200 		break;
201 
202 	case AUTH_MSG_KDC_REPLY:
203 		if ((cp = krb4_print_hdr(ndo, cp)) == NULL)
204 			return;
205 		cp += 10;	/* timestamp + n + exp + kvno */
206 		len = KTOHSP(kp, cp);
207 		ND_PRINT(" (%u)", len);
208 		break;
209 
210 	case AUTH_MSG_ERR_REPLY:
211 		if ((cp = krb4_print_hdr(ndo, cp)) == NULL)
212 			return;
213 		cp += 4;	  /* timestamp */
214 		ND_PRINT(" %s ", tok2str(kerr2str, NULL, KTOHSP(kp, cp)));
215 		cp += 4;
216 		PRINT;
217 		break;
218 
219 	default:
220 		ND_PRINT("(unknown)");
221 		break;
222 	}
223 
224 	return;
225 trunc:
226 	nd_print_trunc(ndo);
227 }
228 
229 void
230 krb_print(netdissect_options *ndo,
231           const u_char *dat)
232 {
233 	const struct krb *kp;
234 
235 	ndo->ndo_protocol = "kerberos";
236 	nd_print_protocol(ndo);
237 
238 	kp = (const struct krb *)dat;
239 
240 	switch (GET_U_1(kp->pvno)) {
241 
242 	case 1:
243 	case 2:
244 	case 3:
245 		ND_PRINT(" v%u", GET_U_1(kp->pvno));
246 		break;
247 
248 	case 4:
249 		ND_PRINT(" v%u", GET_U_1(kp->pvno));
250 		krb4_print(ndo, (const u_char *)kp);
251 		break;
252 
253 	case 106:
254 	case 107:
255 		ND_PRINT(" v5");
256 		/* Decode ASN.1 here "someday" */
257 		break;
258 	}
259 }
260