/*

 * kerberos.c

 *

 * Copyright (C) 2011-25 - ntop.org

 * Copyright (C) 2009-11 - ipoque GmbH

 *

 * This file is part of nDPI, an open source deep packet inspection

 * library based on the OpenDPI and PACE technology by ipoque GmbH

 *

 * nDPI is free software: you can redistribute it and/or modify

 * it under the terms of the GNU Lesser General Public License as published by

 * the Free Software Foundation, either version 3 of the License, or

 * (at your option) any later version.

 *

 * nDPI is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU Lesser General Public License for more details.

 *

 * You should have received a copy of the GNU Lesser General Public License

 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.

 *

 */

#include "ndpi_protocol_ids.h"

#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_KERBEROS

#include "ndpi_api.h"

#include "ndpi_private.h"

/* #define KERBEROS_DEBUG 1 */

#define KERBEROS_PORT 88

static int ndpi_search_kerberos_extra(struct ndpi_detection_module_struct *ndpi_struct,

              struct ndpi_flow_struct *flow);

/* Reference: https://en.wikipedia.org/wiki/X.690#Length_octets */

static int krb_decode_asn1_length(struct ndpi_detection_module_struct *ndpi_struct,

                                  size_t * const kasn1_offset)

{

  struct ndpi_packet_struct * const packet = &ndpi_struct->packet;

  int64_t length;

  u_int16_t value_len;

  length = asn1_ber_decode_length(&packet->payload[*kasn1_offset],

          packet->payload_packet_len - *kasn1_offset,

          &value_len);

  if (length == -1 ||

      packet->payload_packet_len < *kasn1_offset + value_len + length)

  {

    return -1;

  }

  *kasn1_offset += value_len;

  return (int)length;

}

/* Reference: https://en.wikipedia.org/wiki/X.690#Identifier_octets */

static int krb_decode_asn1_sequence_type(struct ndpi_detection_module_struct *ndpi_struct,

                                         size_t * const kasn1_offset)

{

  struct ndpi_packet_struct * const packet = &ndpi_struct->packet;

  if (packet->payload_packet_len <= *kasn1_offset + 1 /* length octet */ ||

      packet->payload[*kasn1_offset] != 0x30 /* Universal Constructed Tag Type: Sequence */)

  {

    return -1;

  }

  (*kasn1_offset)++;

  return krb_decode_asn1_length(ndpi_struct, kasn1_offset);

}

/* Reference: https://en.wikipedia.org/wiki/X.690#Identifier_octets */

static int krb_decode_asn1_string_type(struct ndpi_detection_module_struct *ndpi_struct,

                                       size_t * const kasn1_offset,

                                       char const ** const out)

{

  struct ndpi_packet_struct * const packet = &ndpi_struct->packet;

  int length;

  if (packet->payload_packet_len <= *kasn1_offset + 1 /* length octet */ ||

      (packet->payload[*kasn1_offset] != 0xA3 /* Context-specific Constructed Tag Type: Bit String */ &&

       packet->payload[*kasn1_offset] != 0xA4 /* Context-specific Constructed Tag Type: Octect String */ &&

       packet->payload[*kasn1_offset] != 0x30 /* Sequence Of */))

  {

    return -1;

  }

  (*kasn1_offset)++;

  length = krb_decode_asn1_length(ndpi_struct, kasn1_offset);

  if (length <= 0)

  {

    return -1;

  }

  if (out != NULL)

  {

    *out = (char *)&packet->payload[*kasn1_offset];

  }

  return length;

}

/* Reference: https://en.wikipedia.org/wiki/X.690#Identifier_octets */

static int krb_decode_asn1_int_type(struct ndpi_detection_module_struct *ndpi_struct,

                                    size_t * const kasn1_offset,

                                    int * const out)

{

  struct ndpi_packet_struct * const packet = &ndpi_struct->packet;

  int length;

  if (packet->payload_packet_len <= *kasn1_offset + 1 /* length octet */ ||

      packet->payload[*kasn1_offset] != 0x02)

  {

    return -1;

  }

  (*kasn1_offset)++;

  length = krb_decode_asn1_length(ndpi_struct, kasn1_offset);

  if (length <= 0 || length > 4)

  {

    return -1;

  }

  if (out != NULL)

  {

    int i = 0;

    *out = 0;

    for (; i < length; ++i)

    {

      *out |= (unsigned int)packet->payload[*kasn1_offset + i] << (length - i - 1) * 8;

    }

    *kasn1_offset += i;

  }

  return length;

}

/* Tags in which we are not interested. */

static int krb_decode_asn1_blocks_skip(struct ndpi_detection_module_struct *ndpi_struct,

                                       size_t * const kasn1_offset)

{

  struct ndpi_packet_struct * const packet = &ndpi_struct->packet;

  int length;

  if (packet->payload_packet_len <= *kasn1_offset + 1 /* length octet */ ||

      (packet->payload[*kasn1_offset] != 0xA0 /* Constructed Context-specific NULL */ &&

       packet->payload[*kasn1_offset] != 0xA1 /* Constructed Context-specific BOOLEAN */ &&

       packet->payload[*kasn1_offset] != 0xA2 /* Constructed Context-specific INTEGER */))

  {

    return -1;

  }

  (*kasn1_offset)++;

  length = krb_decode_asn1_length(ndpi_struct, kasn1_offset);

  if (length < 0)

  {

    return -1;

  }

  return length;

}

static void krb_strncpy_lower(char * const dst, size_t dst_siz,

                              char const * const src, size_t src_siz)

{

  int i, dst_len = (int)ndpi_min(src_siz, dst_siz - 1);

   dst[dst_len] = '\0';

   for(i = 0; i < dst_len; ++i)

   {

     if (ndpi_isprint(src[i]) == 0)

     {

       dst[i] = '?';

     } else {

       dst[i] = tolower(src[i]);

     }

   }

}

/* Reference: https://datatracker.ietf.org/doc/html/rfc4120 */

static int krb_parse(struct ndpi_detection_module_struct * const ndpi_struct,

                     struct ndpi_flow_struct * const flow,

                     size_t payload_offset)

{

  size_t kasn1_offset = payload_offset;

  int length, krb_version, msg_type;

  char const * text;

  length = krb_decode_asn1_sequence_type(ndpi_struct, &kasn1_offset);

  if (length < 0)

  {

    return -1;

  }

  length = krb_decode_asn1_blocks_skip(ndpi_struct, &kasn1_offset);

  if (length < 0)

  {

    return -1;

  }

  length = krb_decode_asn1_int_type(ndpi_struct, &kasn1_offset, &krb_version); /* pvno */

  if (length != 1 || krb_version != 5)

  {

    return -1;

  }

  length = krb_decode_asn1_blocks_skip(ndpi_struct, &kasn1_offset);

  if (length < 0)

  {

    return -1;

  }

  length = krb_decode_asn1_int_type(ndpi_struct, &kasn1_offset, &msg_type); /* msg-type */

  if (length != 1 || msg_type != 0x0d /* TGS-REP */)

  {

    return -1;

  }

  krb_decode_asn1_blocks_skip(ndpi_struct, &kasn1_offset);

  length = krb_decode_asn1_sequence_type(ndpi_struct, &kasn1_offset); /* Optional PADATA */

  if (length > 0)

  {

    kasn1_offset += length;

  }

  length = krb_decode_asn1_string_type(ndpi_struct, &kasn1_offset, &text);

  if (length < 3)

  {

    return -1;

  }

  kasn1_offset += length;

  text += 2;

  length -= 2;

  if (flow->protos.kerberos.domain[0] == '\0')

  {

    krb_strncpy_lower(flow->protos.kerberos.domain, sizeof(flow->protos.kerberos.domain),

                      text, length);

  }

  length = krb_decode_asn1_string_type(ndpi_struct, &kasn1_offset, NULL);

  if (length < 0)

  {

    return -1;

  }

  length = krb_decode_asn1_sequence_type(ndpi_struct, &kasn1_offset);

  if (length < 0)

  {

    return -1;

  }

  length = krb_decode_asn1_blocks_skip(ndpi_struct, &kasn1_offset);

  if (length < 0)

  {

    return -1;

  }

  kasn1_offset += length;

  length = krb_decode_asn1_blocks_skip(ndpi_struct, &kasn1_offset);

  if (length < 0)

  {

    return -1;

  }

  length = krb_decode_asn1_string_type(ndpi_struct, &kasn1_offset, &text);

  if (length < 3)

  {

    return -1;

  }

  kasn1_offset += length;

  text += 2;

  length -= 2;

  if (flow->protos.kerberos.hostname[0] == '\0' && text[length - 1] != '$')

  {

    krb_strncpy_lower(flow->protos.kerberos.hostname, sizeof(flow->protos.kerberos.hostname),

                      text, length);

  } else if (flow->protos.kerberos.username[0] == '\0') {

    krb_strncpy_lower(flow->protos.kerberos.username, sizeof(flow->protos.kerberos.username),

                      text, length - 1);

  }

  return 0;

}

static void ndpi_int_kerberos_add_connection(struct ndpi_detection_module_struct *ndpi_struct,

               struct ndpi_flow_struct *flow) {

  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KERBEROS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);

  NDPI_LOG_DBG(ndpi_struct, "trace KERBEROS\n");

}

/* ************************************************* */

static void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,

         struct ndpi_flow_struct *flow) {

  struct ndpi_packet_struct *packet = &ndpi_struct->packet;

  u_int16_t sport = packet->tcp ? ntohs(packet->tcp->source) : ntohs(packet->udp->source);

  u_int16_t dport = packet->tcp ? ntohs(packet->tcp->dest) : ntohs(packet->udp->dest);

  const u_int8_t *original_packet_payload = NULL;

  u_int16_t original_payload_packet_len = 0;

  if((sport != KERBEROS_PORT) && (dport != KERBEROS_PORT)) {

    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);

    return;

  }

  NDPI_LOG_DBG(ndpi_struct, "search KERBEROS\n");

#ifdef KERBEROS_DEBUG

  printf("\n[Kerberos] Process packet [len: %u]\n", packet->payload_packet_len);

#endif

  if(flow->kerberos_buf.pktbuf != NULL) {

    u_int missing = flow->kerberos_buf.pktbuf_maxlen - flow->kerberos_buf.pktbuf_currlen;

    if(packet->payload_packet_len <= missing) {

      memcpy(&flow->kerberos_buf.pktbuf[flow->kerberos_buf.pktbuf_currlen], packet->payload, packet->payload_packet_len);

      flow->kerberos_buf.pktbuf_currlen += packet->payload_packet_len;

      if(flow->kerberos_buf.pktbuf_currlen == flow->kerberos_buf.pktbuf_maxlen) {

  original_packet_payload = packet->payload;

  original_payload_packet_len = packet->payload_packet_len;

  packet->payload = (u_int8_t *)flow->kerberos_buf.pktbuf;

  packet->payload_packet_len = flow->kerberos_buf.pktbuf_currlen;

#ifdef KERBEROS_DEBUG

  printf("[Kerberos] Packet is now full: processing\n");

#endif

      } else {

#ifdef KERBEROS_DEBUG

  printf("[Kerberos] Missing %u bytes: skipping\n",

         flow->kerberos_buf.pktbuf_maxlen - flow->kerberos_buf.pktbuf_currlen);

#endif

  return;

      }

    }

  }

  /* I have observed 0a,0c,0d,0e at packet->payload[19/21], maybe there are other possibilities */

  if(packet->payload_packet_len >= 4) {

    u_int32_t kerberos_len, expected_len;

    u_int16_t base_offset = 0;

    if(packet->tcp) {

      kerberos_len = ntohl(get_u_int32_t(packet->payload, 0)),

  expected_len = packet->payload_packet_len - 4;

      base_offset = 4;

    } else

      base_offset = 0, kerberos_len = expected_len = packet->payload_packet_len;

#ifdef KERBEROS_DEBUG

    printf("[Kerberos] [Kerberos len: %u][expected_len: %u]\n", kerberos_len, expected_len);

#endif

    if(kerberos_len < 12000) {

      /*

  Kerberos packets might be too long for a TCP packet

  so it could be split across two packets. Instead of

  rebuilding the stream we use a heuristic approach

      */

      if(kerberos_len > expected_len) {

  if(packet->tcp) {

    if(flow->kerberos_buf.pktbuf == NULL) {

      flow->kerberos_buf.pktbuf = (char*)ndpi_malloc(kerberos_len+4);

      if(flow->kerberos_buf.pktbuf != NULL) {

        flow->kerberos_buf.pktbuf_maxlen = kerberos_len+4;        

#ifdef KERBEROS_DEBUG

        printf("[Kerberos] Allocated %u bytes\n", flow->kerberos_buf.pktbuf_maxlen);

#endif        

      }

    }

    if(flow->kerberos_buf.pktbuf != NULL) {

      if(packet->payload_packet_len <= flow->kerberos_buf.pktbuf_maxlen) {

        memcpy(flow->kerberos_buf.pktbuf, packet->payload, packet->payload_packet_len);

        flow->kerberos_buf.pktbuf_currlen = packet->payload_packet_len;

      }

    }

  }

  return;

      } else if(kerberos_len == expected_len) {

  if(packet->payload_packet_len > 64) {

    u_int16_t koffset, i;

    for(i=8; i<16; i++)

      if((packet->payload[base_offset+i] == 0x03)

         && (packet->payload[base_offset+i+1] == 0x02)

         && (packet->payload[base_offset+i+2] == 0x01)

         && (packet->payload[base_offset+i+3] != 0x05)

         )

        break;

    koffset = base_offset + i + 3;

#ifdef KERBEROS_DEBUG

    printf("[Kerberos] [msg-type: 0x%02X/%u][koffset: %u]\n",

     packet->payload[koffset], packet->payload[koffset], koffset);

#endif

    if(((packet->payload[koffset] == 0x0A)

        || (packet->payload[koffset] == 0x0C)

        || (packet->payload[koffset] == 0x1E)

        || (packet->payload[koffset] == 0x0D)

        || (packet->payload[koffset] == 0x0E))) {

      u_int32_t koffsetp, body_offset = 0, pad_len;

      u_int8_t msg_type = packet->payload[koffset];

#ifdef KERBEROS_DEBUG

      printf("[Kerberos] Packet found 0x%02X/%u\n", msg_type, msg_type);

#endif

      ndpi_int_kerberos_add_connection(ndpi_struct, flow);

      if(msg_type != 0x0d) /* TGS-REP */ {

        /* Process only on requests */

        if(packet->payload[koffset+1] == 0xA3) {

    if(packet->payload[koffset+3] == 0x30)

      pad_len = packet->payload[koffset+4];

    else {

      /* Long pad */

      pad_len = packet->payload[koffset+2];

      for(i=3; i<10; i++) if(packet->payload[koffset+i] == pad_len) break;

      pad_len = (packet->payload[koffset+i+1] << 8) + packet->payload[koffset+i+2];

      koffset += i-2;

    }

        } else

    pad_len = 0;

#ifdef KERBEROS_DEBUG

        printf("pad_len=0x%02X/%u\n", pad_len, pad_len);

#endif

        if(pad_len > 0) {

    koffsetp = koffset + 2;

    for(i=0; i<4; i++) if(packet->payload[koffsetp] != 0x30) koffsetp++; /* ASN.1 */

#ifdef KERBEROS_DEBUG

    printf("koffsetp=%u [%02X %02X] [byte 0 must be 0x30]\n", koffsetp, packet->payload[koffsetp], packet->payload[koffsetp+1]);

#endif

        } else

    koffsetp = koffset;

        body_offset = koffsetp + 1 + pad_len;

        for(i=0; i<10; i++) if(body_offset<packet->payload_packet_len && packet->payload[body_offset] != 0x05) body_offset++; /* ASN.1 */

#ifdef KERBEROS_DEBUG

        printf("body_offset=%u [%02X %02X] [byte 0 must be 0x05]\n", body_offset, packet->payload[body_offset], packet->payload[body_offset+1]);

#endif

      }

      if(msg_type == 0x0A) /* AS-REQ */ {

#ifdef KERBEROS_DEBUG

        printf("[Kerberos] Processing AS-REQ\n");

#endif

        if(body_offset < packet->payload_packet_len) {

    u_int16_t name_offset = body_offset + 13;

    for(i=0; (i<20) && (name_offset < packet->payload_packet_len); i++) {

      if(packet->payload[name_offset] != 0x1b)

        name_offset++; /* ASN.1 */

    }

#ifdef KERBEROS_DEBUG

    printf("name_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", name_offset, packet->payload[name_offset], packet->payload[name_offset+1]);

#endif

    if(name_offset < packet->payload_packet_len - 1) {

      u_int cname_len = 0;

      name_offset += 1;

      if(name_offset < packet->payload_packet_len - 1 &&

         ndpi_isprint(packet->payload[name_offset+1]) == 0) /* Isn't printable ? */

      {

        name_offset++;

      }

      if(name_offset < packet->payload_packet_len - 3 &&

         packet->payload[name_offset+1] == 0x1b)

      {

        name_offset += 2;

      }

      cname_len = packet->payload[name_offset];

      if((cname_len+name_offset) < packet->payload_packet_len) {

        u_int realm_len, realm_offset;

        char cname_str[48];

        u_int8_t num_cname = 0;

      cname_str[0] = '\0'; // required, because cname_len

        while(++num_cname <= 2) {

          if (name_offset + cname_len + 1 >= packet->payload_packet_len)

            cname_len = 0;

          krb_strncpy_lower(cname_str, sizeof(cname_str), (char*)&packet->payload[name_offset+1], cname_len);

#ifdef KERBEROS_DEBUG

          printf("[AS-REQ][s/dport: %u/%u][Kerberos Cname][len: %u][%s]\n", sport, dport, cname_len, cname_str);

#endif

          if(((strcmp(cname_str, "host") == 0) || (strcmp(cname_str, "ldap") == 0)) && (packet->payload[name_offset+1+cname_len] == 0x1b) && num_cname == 1) {

            name_offset += cname_len + 2;

            if (name_offset < packet->payload_packet_len)

              cname_len = packet->payload[name_offset];

          } else{

            break;

          }

        }

        realm_offset = cname_len + name_offset + 3;

        /* if cname does not end with a $ then it's a username */

        if(cname_len > 0 && name_offset + cname_len + 1 < packet->payload_packet_len

           && (cname_len < sizeof(cname_str))

           && (cname_str[cname_len-1] == '$')) {

          cname_str[cname_len-1] = '\0';

          ndpi_snprintf(flow->protos.kerberos.hostname, sizeof(flow->protos.kerberos.hostname), "%s", cname_str);

        } else

          ndpi_snprintf(flow->protos.kerberos.username, sizeof(flow->protos.kerberos.username), "%s", cname_str);

        for(i=0; (i < 14) && (realm_offset <  packet->payload_packet_len); i++) {

          if(packet->payload[realm_offset] != 0x1b)

      realm_offset++; /* ASN.1 */

        }

#ifdef KERBEROS_DEBUG

        printf("realm_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", realm_offset,

         packet->payload[realm_offset], packet->payload[realm_offset+1]);

#endif

        realm_offset += 1;

        //if(num_cname == 2) realm_offset++;

        if(realm_offset  < packet->payload_packet_len) {

          realm_len = packet->payload[realm_offset];

          if((realm_offset+realm_len) < packet->payload_packet_len) {

      char realm_str[48];

      realm_offset += 1;

      krb_strncpy_lower(realm_str, sizeof(realm_str), (char*)&packet->payload[realm_offset], realm_len);

#ifdef KERBEROS_DEBUG

      printf("[AS-REQ][Kerberos Realm][len: %u][%s]\n", realm_len, realm_str);

#endif

            ndpi_snprintf(flow->protos.kerberos.domain, sizeof(flow->protos.kerberos.domain), "%s", realm_str);

          }

        }

      }

    }

        } 

#ifdef KERBEROS_DEBUG

        printf("[Kerberos] Setting extra func from AS-REQ\n");

#endif

        flow->max_extra_packets_to_check = 5; /* Reply may be split into multiple segments */

        flow->extra_packets_func = ndpi_search_kerberos_extra;

      } else if(msg_type == 0x0e) /* AS-REQ */ {

#ifdef KERBEROS_DEBUG

        printf("[Kerberos] Processing AS-REQ\n");

#endif

        /* Nothing specific to do; stop dissecting this flow */

        flow->extra_packets_func = NULL;

      } else if(msg_type == 0x0c) /* TGS-REQ */ {

#ifdef KERBEROS_DEBUG

        printf("[Kerberos] Processing TGS-REQ\n");

#endif

        if(body_offset < packet->payload_packet_len) {

    u_int16_t name_offset, padding_offset = body_offset + 4;

    name_offset = padding_offset;

    for(i=0; i<14 && name_offset < packet->payload_packet_len; i++) if(packet->payload[name_offset] != 0x1b) name_offset++; /* ASN.1 */

#ifdef KERBEROS_DEBUG

    printf("name_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", name_offset, packet->payload[name_offset], packet->payload[name_offset+1]);

#endif

    if(name_offset < (packet->payload_packet_len - 1)) {

      u_int realm_len;

      name_offset++;

      realm_len = packet->payload[name_offset];

      if((realm_len+name_offset) < packet->payload_packet_len) {

        char realm_str[48];

        name_offset += 1;

        krb_strncpy_lower(realm_str, sizeof(realm_str), (char*)&packet->payload[name_offset], realm_len);

#ifdef KERBEROS_DEBUG

        printf("[TGS-REQ][s/dport: %u/%u][Kerberos Realm][len: %u][%s]\n", sport, dport, realm_len, realm_str);

#endif

        ndpi_snprintf(flow->protos.kerberos.domain, sizeof(flow->protos.kerberos.domain), "%s", realm_str);

        /* If necessary we can decode sname */

        if(flow->kerberos_buf.pktbuf) {

          ndpi_free(flow->kerberos_buf.pktbuf);

          packet->payload = original_packet_payload;

          packet->payload_packet_len = original_payload_packet_len;

        }

        flow->kerberos_buf.pktbuf = NULL;

      }

    }

        }

#ifdef KERBEROS_DEBUG

        printf("[Kerberos] Setting extra func from TGS-REQ\n");

#endif

        if(!packet->udp) {

          flow->max_extra_packets_to_check = 5; /* Reply may be split into multiple segments */

          flow->extra_packets_func = ndpi_search_kerberos_extra;

        }

        if(flow->kerberos_buf.pktbuf != NULL) {

    ndpi_free(flow->kerberos_buf.pktbuf);

    packet->payload = original_packet_payload;

    packet->payload_packet_len = original_payload_packet_len;

    flow->kerberos_buf.pktbuf = NULL;

        }

        return;

      } else if(msg_type == 0x0d) /* TGS-REP */ {

        NDPI_LOG_DBG(ndpi_struct, "[Kerberos] Processing TGS-REP\n");

        if (krb_parse(ndpi_struct, flow, 8) != 0)

        {

          NDPI_LOG_DBG(ndpi_struct, "[TGS-REP] Invalid packet received\n");

          return;

        }

        NDPI_LOG_DBG(ndpi_struct,

                     "[TGS-REP][s/dport: %u/%u][Kerberos Hostname,Domain,Username][%s,%s,%s]\n",

                     sport, dport, flow->protos.kerberos.hostname, flow->protos.kerberos.domain,

                     flow->protos.kerberos.username);

        flow->extra_packets_func = NULL;

      } else if(msg_type == 0x1e) /* Error */ {

#ifdef KERBEROS_DEBUG

        printf("[Kerberos] Processing KRB-Error\n");

#endif

        /* Nothing specific to do; stop dissecting this flow */

        flow->extra_packets_func = NULL;

      }

      return;

    }

  }

      }

    } else {

#ifdef KERBEROS_DEBUG

      printf("[Kerberos][s/dport: %u/%u] Skipping packet: too long [kerberos_len: %u]\n",

       sport, dport, kerberos_len);

#endif

      if(flow->protos.kerberos.domain[0] != '\0')

  return;

    }

  }

  NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);

}

static int ndpi_search_kerberos_extra(struct ndpi_detection_module_struct *ndpi_struct,

              struct ndpi_flow_struct *flow)

{

  struct ndpi_packet_struct *packet = &ndpi_struct->packet;

#ifdef KERBEROS_DEBUG

  printf("[Kerberos] Extra function\n");

#endif

  /* Unfortunately, generic "extra function" code doesn't honour protocol bitmask */

  /* TODO: handle that in ndpi_main.c for all the protocols */

  if(packet->payload_packet_len == 0 ||

     packet->tcp_retransmission)

    return 1;

  /* Possibly dissect the reply */

  ndpi_search_kerberos(ndpi_struct, flow);

  /* Possibly more processing */

  return flow->extra_packets_func != NULL;

}

void init_kerberos_dissector(struct ndpi_detection_module_struct *ndpi_struct) {

  register_dissector("Kerberos", ndpi_struct,

                     ndpi_search_kerberos,

                     NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,

                      1, NDPI_PROTOCOL_KERBEROS);

}