xref: /netbsd-src/external/bsd/tcpdump/dist/print-krb.c (revision ccd9df534e375a4366c5b55f23782053c7a98d82) 
1 /*
2  * Copyright (c) 1995, 1996, 1997
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that: (1) source code distributions
7  * retain the above copyright notice and this paragraph in its entirety, (2)
8  * distributions including binary code include the above copyright notice and
9  * this paragraph in its entirety in the documentation or other materials
10  * provided with the distribution, and (3) all advertising materials mentioning
11  * features or use of this software display the following acknowledgement:
12  * ``This product includes software developed by the University of California,
13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14  * the University nor the names of its contributors may be used to endorse
15  * or promote products derived from this software without specific prior
16  * written permission.
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20  *
21  * Initial contribution from John Hawkinson (jhawk@mit.edu).
22  */
23 
24 #include <sys/cdefs.h>
25 #ifndef lint
26 __RCSID("$NetBSD: print-krb.c,v 1.8 2023/08/17 20:19:40 christos Exp $");
27 #endif
28 
29 /* \summary: Kerberos printer */
30 
31 #ifdef HAVE_CONFIG_H
32 #include <config.h>
33 #endif
34 
35 #include "netdissect-stdinc.h"
36 
37 #include "netdissect.h"
38 #include "extract.h"
39 
40 /*
41  * Kerberos 4:
42  *
43  * Athena Technical Plan
44  * Section E.2.1
45  * Kerberos Authentication and Authorization System
46  * by S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer
47  *
48  * https://web.mit.edu/Saltzer/www/publications/athenaplan/e.2.1.pdf
49  *
50  * 7. Appendix I Design Specifications
51  *
52  * Kerberos 5:
53  *
54  * RFC 1510, RFC 2630, etc.
55  */
56 
57 
58 static const u_char *c_print(netdissect_options *, const u_char *, const u_char *);
59 static const u_char *krb4_print_hdr(netdissect_options *, const u_char *);
60 static void krb4_print(netdissect_options *, const u_char *);
61 
62 #define AUTH_MSG_KDC_REQUEST			1<<1
63 #define AUTH_MSG_KDC_REPLY			2<<1
64 #define AUTH_MSG_APPL_REQUEST			3<<1
65 #define AUTH_MSG_APPL_REQUEST_MUTUAL		4<<1
66 #define AUTH_MSG_ERR_REPLY			5<<1
67 #define AUTH_MSG_PRIVATE			6<<1
68 #define AUTH_MSG_SAFE				7<<1
69 #define AUTH_MSG_APPL_ERR			8<<1
70 #define AUTH_MSG_DIE				63<<1
71 
72 #define KERB_ERR_OK				0
73 #define KERB_ERR_NAME_EXP			1
74 #define KERB_ERR_SERVICE_EXP			2
75 #define KERB_ERR_AUTH_EXP			3
76 #define KERB_ERR_PKT_VER			4
77 #define KERB_ERR_NAME_MAST_KEY_VER		5
78 #define KERB_ERR_SERV_MAST_KEY_VER		6
79 #define KERB_ERR_BYTE_ORDER			7
80 #define KERB_ERR_PRINCIPAL_UNKNOWN		8
81 #define KERB_ERR_PRINCIPAL_NOT_UNIQUE		9
82 #define KERB_ERR_NULL_KEY			10
83 
84 struct krb {
85 	nd_uint8_t pvno;	/* Protocol Version */
86 	nd_uint8_t type;	/* Type+B */
87 };
88 
89 static const struct tok type2str[] = {
90 	{ AUTH_MSG_KDC_REQUEST,		"KDC_REQUEST" },
91 	{ AUTH_MSG_KDC_REPLY,		"KDC_REPLY" },
92 	{ AUTH_MSG_APPL_REQUEST,	"APPL_REQUEST" },
93 	{ AUTH_MSG_APPL_REQUEST_MUTUAL,	"APPL_REQUEST_MUTUAL" },
94 	{ AUTH_MSG_ERR_REPLY,		"ERR_REPLY" },
95 	{ AUTH_MSG_PRIVATE,		"PRIVATE" },
96 	{ AUTH_MSG_SAFE,		"SAFE" },
97 	{ AUTH_MSG_APPL_ERR,		"APPL_ERR" },
98 	{ AUTH_MSG_DIE,			"DIE" },
99 	{ 0,				NULL }
100 };
101 
102 static const struct tok kerr2str[] = {
103 	{ KERB_ERR_OK,			"OK" },
104 	{ KERB_ERR_NAME_EXP,		"NAME_EXP" },
105 	{ KERB_ERR_SERVICE_EXP,		"SERVICE_EXP" },
106 	{ KERB_ERR_AUTH_EXP,		"AUTH_EXP" },
107 	{ KERB_ERR_PKT_VER,		"PKT_VER" },
108 	{ KERB_ERR_NAME_MAST_KEY_VER,	"NAME_MAST_KEY_VER" },
109 	{ KERB_ERR_SERV_MAST_KEY_VER,	"SERV_MAST_KEY_VER" },
110 	{ KERB_ERR_BYTE_ORDER,		"BYTE_ORDER" },
111 	{ KERB_ERR_PRINCIPAL_UNKNOWN,	"PRINCIPAL_UNKNOWN" },
112 	{ KERB_ERR_PRINCIPAL_NOT_UNIQUE,"PRINCIPAL_NOT_UNIQUE" },
113 	{ KERB_ERR_NULL_KEY,		"NULL_KEY"},
114 	{ 0,				NULL}
115 };
116 
117 static const u_char *
118 c_print(netdissect_options *ndo,
119         const u_char *s, const u_char *ep)
120 {
121 	u_char c;
122 	int flag;
123 
124 	flag = 1;
125 	while (s < ep) {
126 		c = GET_U_1(s);
127 		s++;
128 		if (c == '\0') {
129 			flag = 0;
130 			break;
131 		}
132 		fn_print_char(ndo, c);
133 	}
134 	if (flag)
135 		return NULL;
136 	return (s);
137 }
138 
139 static const u_char *
140 krb4_print_hdr(netdissect_options *ndo,
141                const u_char *cp)
142 {
143 	cp += 2;
144 
145 #define PRINT		if ((cp = c_print(ndo, cp, ndo->ndo_snapend)) == NULL) goto trunc
146 
147 	PRINT;
148 	ND_PRINT(".");
149 	PRINT;
150 	ND_PRINT("@");
151 	PRINT;
152 	return (cp);
153 
154 trunc:
155 	nd_print_trunc(ndo);
156 	return (NULL);
157 
158 #undef PRINT
159 }
160 
161 static void
162 krb4_print(netdissect_options *ndo,
163            const u_char *cp)
164 {
165 	const struct krb *kp;
166 	u_char type;
167 	u_short len;
168 
169 #define PRINT		if ((cp = c_print(ndo, cp, ndo->ndo_snapend)) == NULL) goto trunc
170 /*  True if struct krb is little endian */
171 #define IS_LENDIAN(kp)	((GET_U_1((kp)->type) & 0x01) != 0)
172 #define KTOHSP(kp, cp)	(IS_LENDIAN(kp) ? GET_LE_U_2(cp) : GET_BE_U_2(cp))
173 
174 	kp = (const struct krb *)cp;
175 
176 	type = GET_U_1(kp->type) & (0xFF << 1);
177 
178 	ND_PRINT(" %s %s: ",
179 	    IS_LENDIAN(kp) ? "le" : "be", tok2str(type2str, NULL, type));
180 
181 	switch (type) {
182 
183 	case AUTH_MSG_KDC_REQUEST:
184 		if ((cp = krb4_print_hdr(ndo, cp)) == NULL)
185 			return;
186 		cp += 4;	/* ctime */
187 		ND_PRINT(" %umin ", GET_U_1(cp) * 5);
188 		cp++;
189 		PRINT;
190 		ND_PRINT(".");
191 		PRINT;
192 		break;
193 
194 	case AUTH_MSG_APPL_REQUEST:
195 		cp += 2;
196 		ND_PRINT("v%u ", GET_U_1(cp));
197 		cp++;
198 		PRINT;
199 		ND_PRINT(" (%u)", GET_U_1(cp));
200 		cp++;
201 		ND_PRINT(" (%u)", GET_U_1(cp));
202 		break;
203 
204 	case AUTH_MSG_KDC_REPLY:
205 		if ((cp = krb4_print_hdr(ndo, cp)) == NULL)
206 			return;
207 		cp += 10;	/* timestamp + n + exp + kvno */
208 		len = KTOHSP(kp, cp);
209 		ND_PRINT(" (%u)", len);
210 		break;
211 
212 	case AUTH_MSG_ERR_REPLY:
213 		if ((cp = krb4_print_hdr(ndo, cp)) == NULL)
214 			return;
215 		cp += 4;	  /* timestamp */
216 		ND_PRINT(" %s ", tok2str(kerr2str, NULL, KTOHSP(kp, cp)));
217 		cp += 4;
218 		PRINT;
219 		break;
220 
221 	default:
222 		ND_PRINT("(unknown)");
223 		break;
224 	}
225 
226 	return;
227 trunc:
228 	nd_print_trunc(ndo);
229 }
230 
231 void
232 krb_print(netdissect_options *ndo,
233           const u_char *dat)
234 {
235 	const struct krb *kp;
236 
237 	ndo->ndo_protocol = "krb";
238 	kp = (const struct krb *)dat;
239 
240 	if (dat >= ndo->ndo_snapend) {
241 		nd_print_trunc(ndo);
242 		return;
243 	}
244 
245 	switch (GET_U_1(kp->pvno)) {
246 
247 	case 1:
248 	case 2:
249 	case 3:
250 		ND_PRINT(" v%u", GET_U_1(kp->pvno));
251 		break;
252 
253 	case 4:
254 		ND_PRINT(" v%u", GET_U_1(kp->pvno));
255 		krb4_print(ndo, (const u_char *)kp);
256 		break;
257 
258 	case 106:
259 	case 107:
260 		ND_PRINT(" v5");
261 		/* Decode ASN.1 here "someday" */
262 		break;
263 	}
264 }
265