From 32284c753bbaa5029002cc0a24284e55c9c8337e Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Tue, 21 Apr 2015 12:27:14 -0400
Subject: [PATCH 1/2] Update the KRB tests a bit.
---
 .../scripts.base.protocols.krb.kinit/output | 3 +++
 .../scripts.base.protocols.krb.tgs/krb.log | 10 ++++++++++
 testing/btest/Traces/krb/auth.trace | Bin 0 -> 1447 bytes
 .../btest/scripts/base/protocols/krb/kinit.test | 14 ++++++++++++--
 .../btest/scripts/base/protocols/krb/tgs.test | 7 +++++++
 5 files changed, 32 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.krb.kinit/output
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.krb.tgs/krb.log
 create mode 100644 testing/btest/Traces/krb/auth.trace
 create mode 100644 testing/btest/scripts/base/protocols/krb/tgs.test
diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output b/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output
new file mode 100644
index 0000000000..0bec7ee13c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output
@@ -0,0 +1,3 @@
+KRB_AP_REQUEST
+[pvno=5, realm=VLADG.NET, service_name=krbtgt/VLADG.NET, cipher=18]
+[use_session_key=F, mutual_required=F]
diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.tgs/krb.log b/testing/btest/Baseline/scripts.base.protocols.krb.tgs/krb.log
new file mode 100644
index 0000000000..517cc2f3be
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.krb.tgs/krb.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path krb
+#open 2015-04-21-16-15-33
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p request_type client service success error_msg from till cipher forwardable renewable client_cert_subject client_cert_fuid server_cert_subject server_cert_fuid
+#types time string addr port addr port string string string bool string time time string bool bool string string string string
+1429583645.478441 CXWv6p3arKYeMETxOg 192.168.1.31 64889 192.168.1.32 88 TGS vladg/VLADG.NET krbtgt/VLADG.NET T - - 0.000000 aes256-cts-hmac-sha1-96 T F - - - -
+#close 2015-04-21-16-15-33
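Review bot: The single data row pins `till` to `0.000000` while `from` is unset (`-`), on the `1429583645.478441 …` line, and it is not clear from the baseline which of two things that encodes. A TGS-REQ from an MIT client commonly carries a till of 19700101000000Z, in which case epoch 0 is the genuine wire value; but if the analyzer is converting an absent time into 0 instead of leaving the field unset, committing this baseline locks the wrong value in and a later fix would show up as a regression. Worth checking the `till` field in auth.trace before accepting, and recording the answer in tgs.test as `# till is 0 because the client sends 19700101000000Z in its TGS-REQ` (or the analyzer fix if that is not the case).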
diff --git a/testing/btest/Traces/krb/auth.trace b/testing/btest/Traces/krb/auth.trace new file mode 100644 index 0000000000000000000000000000000000000000..e9f1ba952138a8c99c81d59cc3a80226449326c7 GIT binary patch literal 1447 zcmca|c+)~A1{MYw`2U}Qff2}&-EJEC(ubYlG!p|DGpNY6)K#8%@LFW@eGUd!2By8P zFBupd1lMgpu!2z@h!y@;GDI+~6t&1{Vw!8v#58juGZQ20A|S!DxQR&(D53Lm_{buKeFUGB%#SQBw{1G+P_I0@OD6?q#HqDqn3MM~p85+n5GcCRn z6<21NeehevO`m@`4Du=(oT*J4O5c@q>dkCbu8eJR$_Z5wo4??QT-KbXpdIO9TY?wQ zShxIbp3v@@&NZQTZwEW=KJOaS%JKRAQ4jtfVzb!hylL%-Qi_v$`R{D`8l^Wrtjn}+ zX}0k+8!ozfQg7eUHR~P!u}7U*ufVwUWBn&?rB6RNggW_Z6io75zujUx;kUxAu!m!< z)shlp+sZOa6T=h7a(8#!n7k(`Th`(IlE!TYjhn&VU(~porE$gHuO}_{xqE#*6@2pT zuRCijSX1P7))WU#VcNjdfBwe8?lWDQ6-B<4OdI32ym)=lWvkzr z-M^;R8BE!A%VzJF}L-;rvohR7y-~Sap zF;-f4f%&UO<~y&0FRtDndOfpe+hzN#_lJ{~Wyc9DYy4!;_#PZ0iyEJ^G(K_vYq@&= zl??Z9YV0`+b06^WD?U<)<1uyI&i*gPXnE-@&%fUr?6y1)K6^P`-O>8^!DvPq50|Oj zKkOCv6s}pR>R@^6(yMYi?p5-}4*%wyv728X{qaazOHujr3zzm!e536YeT(sTznfas zd#;AUE$@8za--Z_zdAK?f4f>`?lFhGt3Ziw+VZ!hGDc_BRw&gM*+%bN&$Y+nvDGbZ z#y)wQ6#?lgy04aN&Du9-@$^l{TLhMVQMkOU-K325o}iM>!|CDw?hBoH#vjwt;=e2F f output # @TEST-EXEC: btest-diff krb.log +# @TEST-EXEC: btest-diff output + +@load base/protocols/krb + +event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options) + { + print "KRB_AP_REQUEST"; + print ticket; + print opts; + } + -@load base/protocols/krb \ No newline at end of file diff --git a/testing/btest/scripts/base/protocols/krb/tgs.test b/testing/btest/scripts/base/protocols/krb/tgs.test new file mode 100644 index 0000000000..5b1aa26f1e --- /dev/null +++ b/testing/btest/scripts/base/protocols/krb/tgs.test @@ -0,0 +1,7 @@ +# This test exercises a Kerberos authentication to a Kerberized SSH server + +# @TEST-EXEC: bro -b -r $TRACES/krb/auth.trace %INPUT +# @TEST-EXEC: btest-diff krb.log + +@load base/protocols/krb + From 52ff6a6404240f822506c4b272a4cb2a7e6495be Mon Sep 17 00:00:00 2001 
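Review bot: The header comment `# This test exercises a Kerberos authentication to a Kerberized SSH server` in tgs.test does not describe what the test verifies: the only check is `btest-diff krb.log`, and the committed baseline for this test contains one TGS row whose service is `krbtgt/VLADG.NET`, with no AP-REQ toward a host/ssh principal and no ssh.log compared. If the GSSAPI leg inside the SSH session is not visible to the KRB analyzer, the comment should say so, e.g. `# Only the client's TGS exchange with the KDC is visible to the KRB analyzer; the AP-REQ travels inside the SSH session and is not logged here.` Otherwise the test should exercise the SSH-side exchange it claims to cover, since as written a regression in AP-REQ handling would not be caught by it.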
From: Vlad Grigorescu
Date: Tue, 21 Apr 2015 13:00:31 -0400
Subject: [PATCH 2/2] Fix doc on krb_cred
---
 src/analyzer/protocol/krb/events.bif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/analyzer/protocol/krb/events.bif b/src/analyzer/protocol/krb/events.bif
index e6b438f2b0..950b40ac12 100644
--- a/src/analyzer/protocol/krb/events.bif
+++ b/src/analyzer/protocol/krb/events.bif
@@ -139,7 +139,7 @@ event krb_safe%(c: connection, is_orig: bool, msg: KRB::SAFE_Msg%);
 ##
 ## is_orig: Whether the originator of the connection sent this message.
 ##
-## msg: A Kerberos KDC request message data structure.
+## tickets: Tickets obtained from the KDC that are being forwarded.
 ##
 ## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
 ## krb_ap_request krb_ap_response krb_priv krb_safe krb_error