Hi list
I am the guy that implemented Kerberos support in Ethereal to allow
users (given the keytab file is available) to decrypt the content of
tickets.
I would like to add support for MIT kerberos as well so that users can
select at compile time which particular version of kerberos they use
and get ethereal to compile for it.
I am not really a kerberos hacker and i am lazy.
Would anyone out there want to give me a hand in implementing a
MITized version of the small test program I have attached? If i get
this small proggie MITized I should be able to figure out how to merge
it into ethereal myself (modulo questions like how would I find out
the proper -l -L and -I directives to the gcc commandline)
The attached file is a program for Heimdal.
The idea is that the program reads a binary file containing an
encrypted blob (no asn1 encapsulation) then it opens the keytab file
and iterates over every single secret key in it and tries to decrypt
the blob.
If the decryption was successful, it writes it out again to a file.
any takers?
best regards
ronnie sahlberg
#include <sys/types.h>
#include <sys/stat.h>
#include <err.h>
#include <fcntl.h>
#include <krb5.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
static void
readfile(const char *fn, krb5_data *data)
{
struct stat sb;
ssize_t ret;
int fd;
fd = open(fn, O_RDONLY);
if (fd < 0)
err(1, "open");
ret = fstat(fd, &sb);
if (ret < 0)
err(1, "fstat");
data->length = sb.st_size;
data->data = malloc(sb.st_size);
if (data->data == NULL)
err(1, "malloc");
ret = read(fd, data->data, data->length);
if (ret < 0)
err(1, "read");
else if (ret != data->length)
errx(1, "read complete early");
close(fd);
}
static void
writefile(const char *fn, krb5_data *data)
{
ssize_t ret;
int fd;
fd = open(fn, O_WRONLY|O_CREAT|O_TRUNC, 0666);
if (fd < 0)
err(1, "open");
ret = write(fd, data->data, data->length);
if (ret < 0)
err(1, "write");
else if (ret != data->length)
errx(1, "write complete early");
close(fd);
}
static void
decrypt_krb5_data(krb5_context context,
const char *name,
krb5_keyusage usage,
const krb5_data *encdata,
krb5_data *data)
{
krb5_error_code ret;
krb5_keytab keytab;
krb5_keytab_entry entry;
krb5_kt_cursor cursor;
int ok = 0;
ret = krb5_kt_resolve(context, name, &keytab);
if (ret)
krb5_err(context, 1, ret, "resolving keytab %s", name);
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
if(ret)
krb5_err(context, 1, ret, "krb5_kt_start_seq_get %s", name);
while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
krb5_crypto crypto;
ret = krb5_crypto_init(context, &entry.keyblock, 0, &crypto);
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_init");
ret = krb5_decrypt_ivec(context, crypto, usage,
encdata->data, encdata->length,
data,
NULL);
if (ret == 0) {
char *principal;
krb5_unparse_name(context, entry.principal, &principal);
printf("%s\n", principal);
ok = 1;
}
krb5_kt_free_entry(context, &entry);
krb5_crypto_destroy(context, crypto);
if (ok)
break;
}
ret = krb5_kt_end_seq_get(context, keytab, &cursor);
if(ret)
krb5_err(context, 1, ret, "krb5_kt_end_seq_get %s", name);
krb5_kt_close(context, keytab);
if (!ok)
krb5_errx(context, 1, "didn't decrypt ok");
}
int
main(int argc, char **argv)
{
krb5_context context;
krb5_error_code ret;
krb5_data encdata, data;
ret = krb5_init_context(&context);
if (ret)
errx(1, "krb5_init_context: %d\n", ret);
if (argc != 4)
errx(1, "argc != 4");
readfile(argv[2], &encdata);
decrypt_krb5_data(context, argv[1], 2, &encdata, &data);
writefile(argv[3], &data);
return 0;
}
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
