Hi Metze,
Can you check those two patches again?
I cannot decrypt any of the captures you sent.
I built wireshark with your patch and also patched MIT 1.6.3 with the
second patch and load it with
LD_PRELOAD=...../lib/libk5crypto.so
But I cannot decrypt any of the packets.
The modified krb5_dk_decrypt_maybe_trunc_hmac() is called from
wireshark but this statement is never true:
if (hdr[0] == 0x05 && hdr[1] == 0x04) {
I agree, we should have our own code here, just as we have for arcfour.
Once I can get the decryption working using these hacks, I can look
into re-implementing this code inside wireshark.
The pidl command line to generate a ws dissector looks like this:
pidl lsa.idl --ws-parser
regards
ronnie sahlberg
On Sat, Jul 25, 2009 at 6:47 PM, Stefan (metze) Metzmacher <metze@xxxxxxxxx> wrote:
> Hi Ronnie,
>
> could you please apply this patch
> http://gitweb.samba.org/?p=metze/wireshark/wip.git;a=commitdiff;h=d4e3184d5faca653ef053b3469ad3f8ec7605b7e
>
> With that patch decryption of AES-encrypted traffic works as long as no
> header signing is used.
>
> I tried some hacks to decrypt it when header signing is on
> and use a hacked MIT krb5 1.6 version loaded with LD_LIBRARY_PATH
>
> See
> http://gitweb.samba.org/?p=metze/wireshark/wip.git;a=shortlog;h=refs/heads/ws-metze-gssapi-20090725
>
> I think we should have AES-specific decryption code in wireshark like we
> have for arcfour in packet-spnego.c.
>
> With these hacks I can decrypt every packet of the attached captures.
>
> BTW: with what commandline do I have to generate pidl dissectors?
> I want to add it for the DFS-R (FrsTransport) Interface.
>
> metze
>
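The `hdr[0] == 0x05 && hdr[1] == 0x04` condition discussed above is the TOK_ID of an RFC 4121 (CFX) Wrap token, which is what AES-protected GSS-API traffic carries. The following is an added example, not code from Wireshark, Samba or MIT krb5: it parses that 16-byte Wrap token header, undoes the RRC right-rotation the sender applied to the bytes after the header, and performs the header-copy comparison a receiver does after decrypting a sealed token. No AES is performed; the token is constructed in `cfx_build_example_token` with a placeholder byte sequence standing in for the encryption output, and the field values (flags, RRC 28, sequence number 7) are arbitrary.

```c
/* Added example (not Wireshark/Samba/MIT krb5 code): RFC 4121 Wrap token
 * header parsing, RRC un-rotation and the plaintext header-copy check.
 * The token is constructed; no AES is performed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CFX_HDR_LEN 16
#define CFX_FLAG_SENT_BY_ACCEPTOR 0x01
#define CFX_FLAG_SEALED           0x02
#define CFX_FLAG_ACCEPTOR_SUBKEY  0x04

struct cfx_wrap_hdr {
    uint8_t  flags;
    uint16_t ec;      /* EC: filler length (sealed) or checksum length (unsealed) */
    uint16_t rrc;     /* RRC: bytes the sender rotated the payload to the right */
    uint64_t snd_seq; /* SND_SEQ: 64-bit sequence number */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint64_t be64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}
static void put64(uint8_t *p, uint64_t v) {
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}

/* Parse the 16-byte header. Returns 0 on success, -1 if tok is not an RFC 4121
 * Wrap token. The TOK_ID test is the hdr[0] == 0x05 && hdr[1] == 0x04 check. */
int cfx_parse_wrap_hdr(const uint8_t *tok, size_t len, struct cfx_wrap_hdr *out)
{
    if (len < CFX_HDR_LEN) return -1;
    if (tok[0] != 0x05 || tok[1] != 0x04) return -1;  /* TOK_ID */
    if (tok[3] != 0xFF) return -1;                     /* Filler */
    out->flags   = tok[2];
    out->ec      = be16(tok + 4);
    out->rrc     = be16(tok + 6);
    out->snd_seq = be64(tok + 8);
    return 0;
}

/* Undo the RRC rotation: the sender rotated everything after the header right by
 * RRC bytes, so rotating left by RRC (mod payload length) restores the layout the
 * encryption routine produced. Returns the payload length, or -1 on error. */
int cfx_unrotate(const uint8_t *tok, size_t len, uint16_t rrc, uint8_t *out, size_t out_len)
{
    if (len < CFX_HDR_LEN) return -1;
    size_t plen = len - CFX_HDR_LEN;
    if (out_len < plen) return -1;
    if (plen == 0) return 0;
    const uint8_t *p = tok + CFX_HDR_LEN;
    size_t r = rrc % plen;
    memcpy(out, p + r, plen - r);   /* bytes the sender moved to the end come first */
    memcpy(out + plen - r, p, r);
    return (int)plen;
}

/* For a sealed token, the last 16 bytes of the decrypted plaintext are a copy of the
 * token header. Compare TOK_ID, Flags, Filler and SND_SEQ; EC/RRC in the copy are
 * not compared, as the outer RRC is set after the copy was encrypted. Returns 1 on match. */
int cfx_plaintext_hdr_matches(const uint8_t *tok_hdr, const uint8_t *plain, size_t plain_len)
{
    if (plain_len < CFX_HDR_LEN) return 0;
    const uint8_t *copy = plain + plain_len - CFX_HDR_LEN;
    return memcmp(copy, tok_hdr, 4) == 0 && memcmp(copy + 8, tok_hdr + 8, 8) == 0;
}

/* Constructed sender side: header followed by a placeholder "ciphertext" whose
 * unrotated byte i has value i, rotated right by rrc. Returns the token length. */
int cfx_build_example_token(uint8_t *buf, size_t buf_len, uint8_t flags, uint16_t ec,
                            uint16_t rrc, uint64_t seq, size_t payload_len)
{
    if (payload_len == 0 || buf_len < CFX_HDR_LEN + payload_len) return -1;
    buf[0] = 0x05; buf[1] = 0x04; buf[2] = flags; buf[3] = 0xFF;
    put16(buf + 4, ec); put16(buf + 6, rrc); put64(buf + 8, seq);
    uint8_t *p = buf + CFX_HDR_LEN;
    size_t r = rrc % payload_len;
    for (size_t i = 0; i < payload_len; i++) p[(i + r) % payload_len] = (uint8_t)i;
    return (int)(CFX_HDR_LEN + payload_len);
}

/* Build, parse and un-rotate a token; returns 1 if the original layout is recovered. */
int cfx_roundtrip_ok(uint16_t rrc, size_t payload_len)
{
    uint8_t tok[256], plain[256];
    struct cfx_wrap_hdr h;
    int n = cfx_build_example_token(tok, sizeof tok, CFX_FLAG_SEALED | CFX_FLAG_ACCEPTOR_SUBKEY,
                                    0, rrc, 7, payload_len);
    if (n < 0 || cfx_parse_wrap_hdr(tok, (size_t)n, &h) != 0 || h.rrc != rrc) return 0;
    if (cfx_unrotate(tok, (size_t)n, h.rrc, plain, sizeof plain) != (int)payload_len) return 0;
    for (size_t i = 0; i < payload_len; i++) if (plain[i] != (uint8_t)i) return 0;
    return 1;
}

int main(void)
{
    printf("rrc=28 payload=64: %s\n", cfx_roundtrip_ok(28, 64) ? "recovered" : "FAILED");
    return 0;
}
```

With RRC 28 and a 64-byte payload the first byte on the wire after the header is byte 36 of the unrotated layout, which is why a decoder that ignores RRC never sees the expected structure; `cfx_unrotate` is the step that has to happen before the ciphertext is handed to the AES decryption routine.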