The best would be in the future to get rid of the Heimdal and MIT
support completely and only depend on nettle.
Thus adding native support to read keytab files (trivial, the
file format is real simple and semi-documented in a comment in the MIT
source code (but with a small bug in the comment)),
then doing the mixing of salt and usage and stuff manually and
decrypting it manually using nettle (for the 4-5 common enctypes, the
rest doesn't matter really),
preferably with heuristics to handle the subtle differences between
PacketCable and Kerberos completely automagically.
On Fri, 15 Oct 2004 11:04:32 +0200, Thomas Anders
<thomas.anders@xxxxxxxxxxxxx> wrote:
> Gerald Combs wrote:
> > I suppose it would help if I actually attached the patch in question.
>
> The functionality provided by this patch looks extremely useful. For a
> few minor modifications see attached diff (on top of applied patch).
> (Unfortunately, the nettle patch was a bit hard to read since it includes
> whitespace cleanup.)
>
> Many thanks to CableLabs for finally contributing to Ethereal instead
> of maintaining private copies!!
>
> +Thomas
>
> --
> Thomas Anders (thomas.anders at blue-cable.de)
>
>
> --- epan/dissectors/packet-kerberos.c.rev12296+nettle 2004-10-15 10:46:55.000000000 +0200
> +++ epan/dissectors/packet-kerberos.c 2004-10-15 11:00:21.000000000 +0200
> @@ -45,7 +45,7 @@
> */
>
> /*
> - * Some of the development of the RADIUS protocol decoder was sponsored by
> + * Some of the development of the Kerberos protocol decoder was sponsored by
> * Cable Television Laboratories, Inc. ("CableLabs") based upon proprietary
> * CableLabs' specifications. Your license and use of this protocol decoder
> * does not mean that you are licensed to use the CableLabs'
> @@ -417,7 +417,7 @@
>
> /* XXX we should only do this for first time, then store somewhere */
>
> - /* should this have a destroy context ? heidal people would know */
> + /* should this have a destroy context ? MIT people would know */
> if(first_time){
> first_time=0;
> ret = krb5_init_context(&context);
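Review bot: the `/* XXX we should only do this for first time, then store somewhere */` line directly above this hunk is stale now that the block is guarded by `if(first_time)`, and should be dropped here (and in the heimdal block at 563) the way this patch drops the comment at 728. The corrected comment still leaves the destroy-context question open: `krb5_init_context(&context)` runs once and nothing in the visible lines frees it, so either pair it with `krb5_free_context` at shutdown or state in the comment that the context intentionally lives for the process lifetime.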
> @@ -563,7 +563,7 @@
>
> /* XXX we should only do this for first time, then store somewhere */
>
> - /* should this have a destroy context ? heidal people would know */
> + /* should this have a destroy context ? heimdal people would know */
> if(first_time){
> first_time=0;
> ret = krb5_init_context(&context);
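Review bot: this block is a near-verbatim copy of the MIT one at 417, differing only in the library named in the comment; the one-time `krb5_init_context` setup (including the stale `XXX` line above it) could be factored into a single helper shared by both builds so the two comments cannot drift apart again.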
> @@ -575,7 +575,7 @@
>
> for(ek=enc_key_list;ek;ek=ek->next){
> krb5_crypto crypto;
> - guint8 *cryptocopy; /* workaround for pre-6.1 heimdal bug */
> + guint8 *cryptocopy; /* workaround for pre-0.6.1 heimdal bug */
>
> /* shortcircuit and bail out if enctypes are not matching */
> if(ek->key.keyblock.keytype!=keytype){
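Review bot: with the affected release now correctly named as pre-0.6.1, consider gating the `cryptocopy` allocation on the Heimdal version rather than always copying: the copy is made inside the `for(ek=enc_key_list;...)` loop, i.e. once per keytab key tried against each packet, which is wasted work when building against a fixed Heimdal.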
> @@ -587,7 +587,7 @@
> return NULL;
> }
>
> - /* pre-6.1 versions of heimdal would sometimes change
> + /* pre-0.6.1 versions of heimdal would sometimes change
> the cryptotext data even when the decryption failed.
> This would obviously not work since we iterate over the
> keys. So just give it a copy of the crypto data instead.
> @@ -728,7 +728,6 @@
>
> /* XXX we should only do this for first time, then store somewhere */
>
> - /* should this have a destroy context ? heidal people would know */
> if(first_time){
> first_time = FALSE;
> read_keytab_file(keytab_filename);
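Review bot: removing the comment is right for this path, since the keytab is read by `read_keytab_file` and no krb5 context exists here, but the stale `XXX we should only do this for first time` line above it should go as well. Minor style point: this block writes `first_time = FALSE;` while the two krb5 blocks write `first_time=0;`; pick one form.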
>
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev