--- /dev/null
+This is a patch to apply to MIT Kerberos 1.10 in order to relax the checks
+for checksum verification.
+
+This is needed for wireshark when dealing with DCERPC encrypted with modern
+encryption when headers are part of the signing.
+
+Because we relax the checks you don't want to have this as your default library
+
+The way to get it working is to do
+* get the library from http://web.mit.edu/kerberos/dist/historic.html#krb5-1.10-src
+ (ie. http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.5-signed.tar)
+* do configure --prefix=<PATH_FOR_PATCHED_KERBEROS>
+ ie. ./configure --prefix=/usr/local/krb5
+* Apply the patch, from the top of the source directory of MIT:
+ patch -p 0 <<PATH_TO_PATCH>
+* make
+* sudo make install
+
+Then you can use this library with wireshark, either by forcing wireshark at
+build time to link with this particular libary, or at runtime with the command
+LD_LIBRARY_PATH=<PATH_FOR_PATCHED_KERBEROS>/lib wireshark
+
+--- src/lib/crypto/krb/decrypt.c.org 2013-09-21 14:03:58.598430994 -0700
++++ src/lib/crypto/krb/decrypt.c 2013-09-21 14:29:07.146400036 -0700
+@@ -77,9 +77,38 @@
+
+ ret = ktp->decrypt(ktp, key, usage, cipher_state, iov, 4);
+ if (ret != 0)
+- zap(output->data, plain_len);
+- else
++ {
++ unsigned int len = plain_len;
++ /*
++ * HACK:
++ * This is a HACK to allow Wireshark to decrypt DCERPC
++ * payload when header signing is used.
++ *
++ * We know the checksum was wrong, this happens
++ * when DCERPC uses header signing as we don't give all the data for
++ * the signature to be correct.
++ * Still we will assume the decrypt was ok if we find something that looks
++ * like a valid gss_cfx_wrap_token header
++ * It is 16 bytes long
++ * and starts with 0x05 0x04 and sits at the end of the
++ * encrypted data.
++ */
++ if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY && len > 16) {
++ char *dec_hdr = output->data + (len - 16);
++ char GSS_CFX_TOKEN_MAGIC[2] = { 0x05, 0x04 };
++ if (memcmp(GSS_CFX_TOKEN_MAGIC, dec_hdr, 2) != 0) {
++ zap(output->data, plain_len);
++ } else {
++ output->length = plain_len;
++ ret = 0;
++ }
++ } else {
++ zap(output->data, plain_len);
++ }
++ }
++ else {
+ output->length = plain_len;
++ }
+ zapfree(scratch, header_len + trailer_len);
+ return ret;
+ }