/src/wireshark/epan/dissectors/packet-dcerpc-krb5rpc.c

Source
/* packet-dcerpc-krb5rpc.c
 *
 * Routines for dcerpc DCE/KRB5 interface
 * Copyright 2002, Jaime Fournier <Jaime.Fournier@hush.com>
 * This information is based off the released idl files from opengroup.
 * ftp://ftp.opengroup.org/pub/dce122/dce/src/security.tar.gz security/idl/krb5rpc.idl
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <gerald@wireshark.org>
 * Copyright 1998 Gerald Combs
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 */

#include "config.h"


#include <epan/packet.h>
#include <epan/asn1.h>
#include "packet-dcerpc.h"
#include "packet-kerberos.h"

void proto_register_krb5rpc (void);
void proto_reg_handoff_krb5rpc (void);

static int proto_krb5rpc;

static int ett_krb5rpc;


static e_guid_t uuid_krb5rpc =
  { 0x8f73de50, 0x768c, 0x11ca, {0xbf, 0xfc, 0x08, 0x00, 0x1e, 0x03, 0x94,
                                 0x31}
};
static uint16_t ver_krb5rpc = 1;
static int hf_krb5rpc_opnum;
static int hf_krb5rpc_sendto_kdc_rqst_keysize;
static int hf_krb5rpc_sendto_kdc_rqst_spare1;
static int hf_krb5rpc_sendto_kdc_resp_len;
static int hf_krb5rpc_sendto_kdc_resp_max;
static int hf_krb5rpc_sendto_kdc_resp_spare1;
static int hf_krb5rpc_sendto_kdc_resp_keysize;
/* static int hf_krb5rpc_sendto_kdc_resp_st; */
static int hf_krb5rpc_krb5;
static int ett_krb5rpc_krb5;

static int
krb5rpc_dissect_sendto_kdc_rqst (tvbuff_t * tvb, int offset,
                                 packet_info * pinfo, proto_tree * tree,
                                 dcerpc_info *di, uint8_t *drep)
{
  uint32_t keysize, spare1, remain;
  proto_item *item;
  tvbuff_t *krb5_tvb;
  proto_tree *subtree;


  /*
   *        [in]        handle_t        h,
   *        [in]        unsigned32      len,
   *        [in, size_is(len)]
   *        byte            message[],
   *        [in]        unsigned32      out_buf_len,
   */

  offset =
    dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                       hf_krb5rpc_sendto_kdc_rqst_keysize, &keysize);
  offset =
    dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                       hf_krb5rpc_sendto_kdc_rqst_spare1, &spare1);
  item = proto_tree_add_item (tree, hf_krb5rpc_krb5, tvb, offset, -1, ENC_NA);
  subtree = proto_item_add_subtree (item, ett_krb5rpc_krb5);

  remain = tvb_captured_length_remaining(tvb, offset);
  krb5_tvb = tvb_new_subset_length(tvb, offset, remain);
  offset = dissect_kerberos_main (krb5_tvb, pinfo, subtree, true, NULL);


  return offset;
}


static int
krb5rpc_dissect_sendto_kdc_resp (tvbuff_t * tvb, int offset,
                                 packet_info * pinfo, proto_tree * tree,
                                 dcerpc_info *di, uint8_t *drep)
{
  uint32_t resp_len, maxsize, spare1, keysize, remain;
  proto_item *item;
  tvbuff_t *krb5_tvb;
  proto_tree *subtree;


  /*
   *
   *        [out]       unsigned32      *resp_len,
   *        [out, length_is(*resp_len), size_is(out_buf_len)]
   *        byte            out_buf[],
   *        [out]       error_status_t  *st unsigned long
   *
   */

  offset =
    dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                       hf_krb5rpc_sendto_kdc_resp_len, &resp_len);
  offset =
    dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                       hf_krb5rpc_sendto_kdc_resp_max, &maxsize);
  offset =
    dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                       hf_krb5rpc_sendto_kdc_resp_spare1, &spare1);
  offset =
    dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                       hf_krb5rpc_sendto_kdc_resp_keysize, &keysize);


  item = proto_tree_add_item (tree, hf_krb5rpc_krb5, tvb, offset, -1, ENC_NA);
  subtree = proto_item_add_subtree (item, ett_krb5rpc_krb5);
  remain = tvb_captured_length_remaining(tvb, offset);
  krb5_tvb = tvb_new_subset_length(tvb, offset, remain);

  offset = dissect_kerberos_main (krb5_tvb, pinfo, subtree, true, NULL);
  offset += 16; /* no idea what this is, probably just extended encrypted text. */

  return offset;
}


static const dcerpc_sub_dissector krb5rpc_dissectors[] = {
  {0, "rsec_krb5rpc_sendto_kdc", krb5rpc_dissect_sendto_kdc_rqst,
   krb5rpc_dissect_sendto_kdc_resp},
  {0, NULL, NULL, NULL},
};


void
proto_register_krb5rpc (void)
{
  static hf_register_info hf[] = {
    {&hf_krb5rpc_opnum,
     {"Opnum", "krb5rpc.opnum", FT_UINT16, BASE_DEC, NULL, 0x0,
      NULL, HFILL }},
    {&hf_krb5rpc_sendto_kdc_rqst_keysize,
     {"Request keysize",
      "krb5rpc.sendto_kdc_rqst_keysize", FT_UINT32, BASE_DEC, NULL, 0x0,
      NULL, HFILL}},
    {&hf_krb5rpc_sendto_kdc_rqst_spare1,
     {"Request spare1",
      "krb5rpc.sendto_kdc_rqst_spare1", FT_UINT32, BASE_DEC, NULL, 0x0, NULL,
      HFILL}},
    {&hf_krb5rpc_sendto_kdc_resp_len,
     {"Response length", "krb5rpc.sendto_kdc_resp_len",
      FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL}},
    {&hf_krb5rpc_sendto_kdc_resp_max,
     {"Response max", "krb5rpc.sendto_kdc_resp_max",
      FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL}},
    {&hf_krb5rpc_sendto_kdc_resp_spare1,
     {"Response spare1",
      "krb5rpc.sendto_kdc_resp_spare1", FT_UINT32, BASE_DEC, NULL, 0x0, NULL,
      HFILL}},
    {&hf_krb5rpc_sendto_kdc_resp_keysize,
     {"Response key size",
      "krb5rpc.sendto_kdc_resp_keysize", FT_UINT32, BASE_DEC, NULL, 0x0,
      NULL, HFILL}},
#if 0
    {&hf_krb5rpc_sendto_kdc_resp_st,
     {"Response st", "krb5rpc.sendto_kdc_resp_st",
      FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL}},
#endif
    {&hf_krb5rpc_krb5,
     {"krb5", "krb5rpc.krb5", FT_BYTES, BASE_NONE, NULL, 0x0,
      "krb5 blob", HFILL}},

  };

  static int *ett[] = {
    &ett_krb5rpc,
    &ett_krb5rpc_krb5,
  };
  proto_krb5rpc =
    proto_register_protocol ("DCE/RPC Kerberos V", "KRB5RPC", "krb5rpc");
  proto_register_field_array (proto_krb5rpc, hf, array_length (hf));
  proto_register_subtree_array (ett, array_length (ett));
}

void
proto_reg_handoff_krb5rpc (void)
{
  /* Register the protocol as dcerpc */
  dcerpc_init_uuid (proto_krb5rpc, ett_krb5rpc, &uuid_krb5rpc, ver_krb5rpc,
                    krb5rpc_dissectors, hf_krb5rpc_opnum);
}

/*
 * Editor modelines  -  https://www.wireshark.org/tools/modelines.html
 *
 * Local Variables:
 * c-basic-offset: 2
 * tab-width: 8
 * indent-tabs-mode: nil
 * End:
 *
 * ex: set shiftwidth=2 tabstop=8 expandtab:
 * :indentSize=2:tabSize=8:noTabs=true:
 */

Coverage Report

Created: 2025-12-27 06:52

Line	Count	Source
1		/* packet-dcerpc-krb5rpc.c
2		*
3		* Routines for dcerpc DCE/KRB5 interface
4		* Copyright 2002, Jaime Fournier <Jaime.Fournier@hush.com>
5		* This information is based off the released idl files from opengroup.
6		* ftp://ftp.opengroup.org/pub/dce122/dce/src/security.tar.gz security/idl/krb5rpc.idl
7		*
8		* Wireshark - Network traffic analyzer
9		* By Gerald Combs <gerald@wireshark.org>
10		* Copyright 1998 Gerald Combs
11		*
12		* SPDX-License-Identifier: GPL-2.0-or-later
13		*/
14
15		#include "config.h"
16
17
18		#include <epan/packet.h>
19		#include <epan/asn1.h>
20		#include "packet-dcerpc.h"
21		#include "packet-kerberos.h"
22
23		void proto_register_krb5rpc (void);
24		void proto_reg_handoff_krb5rpc (void);
25
26		static int proto_krb5rpc;
27
28		static int ett_krb5rpc;
29
30
31		static e_guid_t uuid_krb5rpc =
32		{ 0x8f73de50, 0x768c, 0x11ca, {0xbf, 0xfc, 0x08, 0x00, 0x1e, 0x03, 0x94,
33		0x31}
34		};
35		static uint16_t ver_krb5rpc = 1;
36		static int hf_krb5rpc_opnum;
37		static int hf_krb5rpc_sendto_kdc_rqst_keysize;
38		static int hf_krb5rpc_sendto_kdc_rqst_spare1;
39		static int hf_krb5rpc_sendto_kdc_resp_len;
40		static int hf_krb5rpc_sendto_kdc_resp_max;
41		static int hf_krb5rpc_sendto_kdc_resp_spare1;
42		static int hf_krb5rpc_sendto_kdc_resp_keysize;
43		/* static int hf_krb5rpc_sendto_kdc_resp_st; */
44		static int hf_krb5rpc_krb5;
45		static int ett_krb5rpc_krb5;
46
47		static int
48		krb5rpc_dissect_sendto_kdc_rqst (tvbuff_t * tvb, int offset,
49		packet_info * pinfo, proto_tree * tree,
50		dcerpc_info di, uint8_t drep)
51	0	{
52	0	uint32_t keysize, spare1, remain;
53	0	proto_item *item;
54	0	tvbuff_t *krb5_tvb;
55	0	proto_tree *subtree;
56
57
58		/*
59		* [in] handle_t h,
60		* [in] unsigned32 len,
61		* [in, size_is(len)]
62		* byte message[],
63		* [in] unsigned32 out_buf_len,
64		*/
65
66	0	offset =
67	0	dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
68	0	hf_krb5rpc_sendto_kdc_rqst_keysize, &keysize);
69	0	offset =
70	0	dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
71	0	hf_krb5rpc_sendto_kdc_rqst_spare1, &spare1);
72	0	item = proto_tree_add_item (tree, hf_krb5rpc_krb5, tvb, offset, -1, ENC_NA);
73	0	subtree = proto_item_add_subtree (item, ett_krb5rpc_krb5);
74
75	0	remain = tvb_captured_length_remaining(tvb, offset);
76	0	krb5_tvb = tvb_new_subset_length(tvb, offset, remain);
77	0	offset = dissect_kerberos_main (krb5_tvb, pinfo, subtree, true, NULL);
78
79
80	0	return offset;
81	0	}
82
83
84		static int
85		krb5rpc_dissect_sendto_kdc_resp (tvbuff_t * tvb, int offset,
86		packet_info * pinfo, proto_tree * tree,
87		dcerpc_info di, uint8_t drep)
88	0	{
89	0	uint32_t resp_len, maxsize, spare1, keysize, remain;
90	0	proto_item *item;
91	0	tvbuff_t *krb5_tvb;
92	0	proto_tree *subtree;
93
94
95		/*
96		*
97		* [out] unsigned32 *resp_len,
98		* [out, length_is(*resp_len), size_is(out_buf_len)]
99		* byte out_buf[],
100		* [out] error_status_t *st unsigned long
101		*
102		*/
103
104	0	offset =
105	0	dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
106	0	hf_krb5rpc_sendto_kdc_resp_len, &resp_len);
107	0	offset =
108	0	dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
109	0	hf_krb5rpc_sendto_kdc_resp_max, &maxsize);
110	0	offset =
111	0	dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
112	0	hf_krb5rpc_sendto_kdc_resp_spare1, &spare1);
113	0	offset =
114	0	dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
115	0	hf_krb5rpc_sendto_kdc_resp_keysize, &keysize);
116
117
118	0	item = proto_tree_add_item (tree, hf_krb5rpc_krb5, tvb, offset, -1, ENC_NA);
119	0	subtree = proto_item_add_subtree (item, ett_krb5rpc_krb5);
120	0	remain = tvb_captured_length_remaining(tvb, offset);
121	0	krb5_tvb = tvb_new_subset_length(tvb, offset, remain);
122
123	0	offset = dissect_kerberos_main (krb5_tvb, pinfo, subtree, true, NULL);
124	0	offset += 16; /* no idea what this is, probably just extended encrypted text. */
125
126	0	return offset;
127	0	}
128
129
130		static const dcerpc_sub_dissector krb5rpc_dissectors[] = {
131		{0, "rsec_krb5rpc_sendto_kdc", krb5rpc_dissect_sendto_kdc_rqst,
132		krb5rpc_dissect_sendto_kdc_resp},
133		{0, NULL, NULL, NULL},
134		};
135
136
137		void
138		proto_register_krb5rpc (void)
139	14	{
140	14	static hf_register_info hf[] = {
141	14	{&hf_krb5rpc_opnum,
142	14	{"Opnum", "krb5rpc.opnum", FT_UINT16, BASE_DEC, NULL, 0x0,
143	14	NULL, HFILL }},
144	14	{&hf_krb5rpc_sendto_kdc_rqst_keysize,
145	14	{"Request keysize",
146	14	"krb5rpc.sendto_kdc_rqst_keysize", FT_UINT32, BASE_DEC, NULL, 0x0,
147	14	NULL, HFILL}},
148	14	{&hf_krb5rpc_sendto_kdc_rqst_spare1,
149	14	{"Request spare1",
150	14	"krb5rpc.sendto_kdc_rqst_spare1", FT_UINT32, BASE_DEC, NULL, 0x0, NULL,
151	14	HFILL}},
152	14	{&hf_krb5rpc_sendto_kdc_resp_len,
153	14	{"Response length", "krb5rpc.sendto_kdc_resp_len",
154	14	FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL}},
155	14	{&hf_krb5rpc_sendto_kdc_resp_max,
156	14	{"Response max", "krb5rpc.sendto_kdc_resp_max",
157	14	FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL}},
158	14	{&hf_krb5rpc_sendto_kdc_resp_spare1,
159	14	{"Response spare1",
160	14	"krb5rpc.sendto_kdc_resp_spare1", FT_UINT32, BASE_DEC, NULL, 0x0, NULL,
161	14	HFILL}},
162	14	{&hf_krb5rpc_sendto_kdc_resp_keysize,
163	14	{"Response key size",
164	14	"krb5rpc.sendto_kdc_resp_keysize", FT_UINT32, BASE_DEC, NULL, 0x0,
165	14	NULL, HFILL}},
166		#if 0
167		{&hf_krb5rpc_sendto_kdc_resp_st,
168		{"Response st", "krb5rpc.sendto_kdc_resp_st",
169		FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL}},
170		#endif
171	14	{&hf_krb5rpc_krb5,
172	14	{"krb5", "krb5rpc.krb5", FT_BYTES, BASE_NONE, NULL, 0x0,
173	14	"krb5 blob", HFILL}},
174
175	14	};
176
177	14	static int *ett[] = {
178	14	&ett_krb5rpc,
179	14	&ett_krb5rpc_krb5,
180	14	};
181	14	proto_krb5rpc =
182	14	proto_register_protocol ("DCE/RPC Kerberos V", "KRB5RPC", "krb5rpc");
183	14	proto_register_field_array (proto_krb5rpc, hf, array_length (hf));
184	14	proto_register_subtree_array (ett, array_length (ett));
185	14	}
186
187		void
188		proto_reg_handoff_krb5rpc (void)
189	14	{
190		/* Register the protocol as dcerpc */
191	14	dcerpc_init_uuid (proto_krb5rpc, ett_krb5rpc, &uuid_krb5rpc, ver_krb5rpc,
192	14	krb5rpc_dissectors, hf_krb5rpc_opnum);
193	14	}
194
195		/*
196		* Editor modelines - https://www.wireshark.org/tools/modelines.html
197		*
198		* Local Variables:
199		* c-basic-offset: 2
200		* tab-width: 8
201		* indent-tabs-mode: nil
202		* End:
203		*
204		* ex: set shiftwidth=2 tabstop=8 expandtab:
205		* :indentSize=2:tabSize=8:noTabs=true:
206		*/