Add a HACK patch for building a patched kerberos library

Signed-off-by: Matthieu Patou <mat@matws.net>

diff --git a/epan/dissectors/kerberos_1-10.patch b/epan/dissectors/kerberos_1-10.patch
new file mode 100644 (file)
index 0000000..a1adcdb
--- /dev/null
+++ b/epan/dissectors/kerberos_1-10.patch
@@ -0,0 +1,65 @@
+This is a patch to apply to MIT Kerberos 1.10 in order to relax the checks
+for checksum verification.
+
+This is needed for wireshark when dealing with DCERPC encrypted with modern
+encryption when headers are part of the signing.
+
+Because we relax the checks you don't want to have this as your default library
+
+The way to get it working is to do
+* get the library from http://web.mit.edu/kerberos/dist/historic.html#krb5-1.10-src
+  (ie. http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.5-signed.tar)
+* do configure --prefix=<PATH_FOR_PATCHED_KERBEROS>
+  ie. ./configure --prefix=/usr/local/krb5
+* Apply the patch, from the top of the source directory of MIT:
+  patch -p 0 <<PATH_TO_PATCH>
+* make
+* sudo make install
+
+Then you can use this library with wireshark, either by forcing wireshark at
+build time to link with this particular libary, or at runtime with the command
+LD_LIBRARY_PATH=<PATH_FOR_PATCHED_KERBEROS>/lib wireshark
+
+--- src/lib/crypto/krb/decrypt.c.org   2013-09-21 14:03:58.598430994 -0700
++++ src/lib/crypto/krb/decrypt.c       2013-09-21 14:29:07.146400036 -0700
+@@ -77,9 +77,38 @@
+
+     ret = ktp->decrypt(ktp, key, usage, cipher_state, iov, 4);
+     if (ret != 0)
+-        zap(output->data, plain_len);
+-    else
++    {
++        unsigned int len = plain_len;
++        /*
++         * HACK:
++         * This is a HACK to allow Wireshark to decrypt DCERPC
++         * payload when header signing is used.
++         *
++         * We know the checksum was wrong, this happens
++         * when DCERPC uses header signing as we don't give all the data for
++         * the signature to be correct.
++         * Still we will assume the decrypt was ok if we find something that looks
++         * like a valid gss_cfx_wrap_token header
++         * It is 16 bytes long
++         * and starts with 0x05 0x04 and sits at the end of the
++         * encrypted data.
++         */
++        if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY && len > 16) {
++            char *dec_hdr = output->data + (len - 16);
++            char GSS_CFX_TOKEN_MAGIC[2] = { 0x05, 0x04 };
++            if (memcmp(GSS_CFX_TOKEN_MAGIC, dec_hdr, 2) != 0) {
++                zap(output->data, plain_len);
++            } else {
++                output->length = plain_len;
++                ret = 0;
++            }
++        } else {
++           zap(output->data, plain_len);
++        }
++    }
++    else {
+         output->length = plain_len;
++    }
+     zapfree(scratch, header_len + trailer_len);
+     return ret;
+ }