Expose PA_ENC_TIMESTAMP to script land

src/analyzer/protocol/krb/krb-padata.pac

@@ -32,8 +32,13 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnaly
 				// will be generated as separate event
 				break;
 			case PA_ENC_TIMESTAMP:
-				// encrypted timestamp is unreadable
+				{
+				auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value);
+				type_val->Assign(0, data_type);
+				type_val->Assign(1, to_stringval(element->pa_data_element()->pa_enc_ts()->ciphertext()->encoding()->content()));
+				vv->Assign(vv->Size(), std::move(type_val));
 				break;
+				}
 			case PA_PW_SALT:
 				{
 				auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value);
@@ -185,6 +190,7 @@ type KRB_PA_Data(is_orig: bool, pkt_type: uint8) = record {
 # Each pre-auth element
 type KRB_PA_Data_Element(is_orig: bool, type: int64, length: uint64) = case type of {
 	PA_TGS_REQ       -> pa_tgs_req	: KRB_PA_AP_REQ_wrapper(is_orig);
+	PA_ENC_TIMESTAMP -> pa_enc_ts   : KRB_Encrypted_Data &length=length;
 	PA_PW_SALT       -> pa_pw_salt	: ASN1OctetString;
 	PA_PW_AS_REQ	   -> pa_pk_as_req	: KRB_PA_PK_AS_Req &length=length;
 	PA_PW_AS_REP	   -> pa_pk_as_rep	: KRB_PA_PK_AS_Rep &length=length;

testing/btest/Baseline/scripts.base.protocols.krb.pa_data/output

@@ -0,0 +1,22 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+as_request with pa_adata, CjGaD11BLkmCG5cEVf
+[data_type=133, val=MIT]
+[data_type=2, val=\x09\x10/\xe6\xf0\x88Mf|\xa1\xe3`\xbe\x01\xf1\x86;F\xed%6O\x1c\xb4F\xe5}4\x93&\xe2\xb6\xcd\xc5\x0f\x9bW\xbd"\xe4\xde}I\x8c\x14]n\\xc14\x80\xa3r&\xe3.]
+as_request with pa_adata, C1ejhC4SXsZ4pEdOd
+[data_type=133, val=MIT]
+[data_type=2, val=\x0d\x1b\xf0W\x01>\xa3\xbd\xedD\xe8\xe8\xe6&P\xbe\x92\xb2>o\xe6\xe3\xf3\x0d\xeal\xb1\xa2\xf9\xf9\xb4\xf7\xfa\xcb\xf4W\x9d\xf74\x03\xe6\x02~\x80!V\x81`\xdb\xec\xc5[\x86;\x9cZ]
+as_request with pa_adata, CCgIHR2Vna1ZW9BPjd
+[data_type=133, val=MIT]
+[data_type=2, val=\xfcF\xa4\xf4\xaa\x04x\x9a\x12X\xc6.\x00QPT!\x7f\xfa\x1dH&p\x9a@:\xb21b\xef\x86\xa1\xa6f\x82\x0d\x1bY{f\xe8\xc9\xa2t>\x9e=\x00\x80vw\x04\xb4&JU]
+as_request with pa_adata, CBr8Cp4juBTcRQZAA4
+[data_type=133, val=MIT]
+[data_type=2, val=j\x0a\xcc\xec\x94K>d\xe2\xff\xfc\x96\x9a\x14\xdd\xce\xd2-\xb4\xb5\xa9\x17I\xb0W\xd7\xd8<\xb2\xac##\xd8\'\xd1\x0e\xbc\xeeS;o\xb7\xbf\x83\x92\x99\x1c\xf0<\x90i\xbe\xa3\xf12]
+as_request with pa_adata, C9Mb033HGlhETKxUbj
+[data_type=133, val=MIT]
+[data_type=2, val=\xef\xf9\xcb\x83\x80\xe8\x83\xf9\x9a\xf0\xf31\xf0\x10\xe9\xa9\xd9\x9a\x00\xdej\xe0\xba\xa8R\xd7A\xed\x06\x86\x89<\xd2>H[El\x8c\xbb\xbd<v\x9b\xc6\x17\xc3\xb5~\xb8\xc1\xbf\xe8\xcf"\xbc]
+as_request with pa_adata, CoVJDI3K3qTiTnPoV9
+[data_type=133, val=MIT]
+as_request with pa_adata, ChHNpz2Xf9xMo2lnC4
+[data_type=133, val=MIT]
+as_request with pa_adata, C2qZRm2yQg9RoQNkVg
+[data_type=133, val=MIT]

testing/btest/scripts/base/protocols/krb/pa_data.test

@@ -0,0 +1,16 @@
+# This test prints all pa_data in krb_as_request() handlers
+
+# @TEST-EXEC: zeek -b -r $TRACES/krb/kinit.trace %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+@load base/protocols/krb
+
+event krb_as_request(c: connection, msg: KRB::KDC_Request)
+       {
+       if ( |msg$pa_data| > 0 )
+               {
+               print "as_request with pa_adata", c$uid;
+               for ( _, pa in msg$pa_data )
+                       print pa;
+               }
+       }