tests/krb5: Add more ASN1 definitions for FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
This commit is contained in:
parent
025737deb5
commit
ec70290029
@ -1,3 +1,43 @@
|
||||
-- Portions of these ASN.1 modules are structures are from RFC6113
|
||||
-- authored by S. Hartman (Painless Security) and L. Zhu (Microsoft)
|
||||
--
|
||||
-- Copyright (c) 2011 IETF Trust and the persons identified as authors of the
|
||||
-- code. All rights reserved.
|
||||
--
|
||||
-- Redistribution and use in source and binary forms, with or without
|
||||
-- modification, is permitted pursuant to, and subject to the license terms
|
||||
-- contained in, the Simplified BSD License set forth in Section 4.c of the IETF
|
||||
-- Trust’s Legal Provisions Relating to IETF Documents
|
||||
-- (http://trustee.ietf.org/license-info).
|
||||
--
|
||||
-- BSD License:
|
||||
--
|
||||
-- Copyright (c) 2011 IETF Trust and the persons identified as authors of the code. All rights reserved.
|
||||
-- Redistribution and use in source and binary forms, with or without modification, are permitted provided
|
||||
-- that the following conditions are met:
|
||||
-- • Redistributions of source code must retain the above copyright notice, this list of conditions and
|
||||
-- the following disclaimer.
|
||||
--
|
||||
-- • Redistributions in binary form must reproduce the above copyright notice, this list of conditions
|
||||
-- and the following disclaimer in the documentation and/or other materials provided with the
|
||||
-- distribution.
|
||||
--
|
||||
-- • Neither the name of Internet Society, IETF or IETF Trust, nor the names of specific contributors,
|
||||
-- may be used to endorse or promote products derived from this software without specific prior written
|
||||
-- permission.
|
||||
-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
|
||||
-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
||||
-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
-- POSSIBILITY OF SUCH DAMAGE.
|
||||
--
|
||||
|
||||
KerberosV5Spec2 {
|
||||
iso(1) identified-organization(3) dod(6) internet(1)
|
||||
security(5) kerberosV5(2) modules(4) krb5spec2(2)
|
||||
@ -464,6 +504,69 @@ PA-PAC-OPTIONS ::= SEQUENCE {
|
||||
KERB-KEY-LIST-REQ ::= SEQUENCE OF EncryptionType -- Int32 encryption type --
|
||||
KERB-KEY-LIST-REP ::= SEQUENCE OF EncryptionKey
|
||||
|
||||
FastOptions ::= BIT STRING {
|
||||
reserved(0),
|
||||
hide-client-names(1),
|
||||
kdc-follow-referrals(16)
|
||||
}
|
||||
|
||||
KrbFastReq ::= SEQUENCE {
|
||||
fast-options [0] FastOptions,
|
||||
padata [1] SEQUENCE OF PA-DATA,
|
||||
req-body [2] KDC-REQ-BODY,
|
||||
...
|
||||
}
|
||||
|
||||
KrbFastArmor ::= SEQUENCE {
|
||||
armor-type [0] Int32,
|
||||
armor-value [1] OCTET STRING,
|
||||
...
|
||||
}
|
||||
|
||||
KrbFastArmoredReq ::= SEQUENCE {
|
||||
armor [0] KrbFastArmor OPTIONAL,
|
||||
req-checksum [1] Checksum,
|
||||
enc-fast-req [2] EncryptedData -- KrbFastReq --
|
||||
}
|
||||
|
||||
PA-FX-FAST-REQUEST ::= CHOICE {
|
||||
armored-data [0] KrbFastArmoredReq,
|
||||
...
|
||||
}
|
||||
|
||||
KrbFastFinished ::= SEQUENCE {
|
||||
timestamp [0] KerberosTime,
|
||||
usec [1] Int32,
|
||||
crealm [2] Realm,
|
||||
cname [3] PrincipalName,
|
||||
ticket-checksum [4] Checksum,
|
||||
...
|
||||
}
|
||||
|
||||
KrbFastResponse ::= SEQUENCE {
|
||||
padata [0] SEQUENCE OF PA-DATA,
|
||||
-- padata typed holes.
|
||||
strengthen-key [1] EncryptionKey OPTIONAL,
|
||||
-- This, if present, strengthens the reply key for AS and
|
||||
-- TGS. MUST be present for TGS.
|
||||
-- MUST be absent in KRB-ERROR.
|
||||
finished [2] KrbFastFinished OPTIONAL,
|
||||
-- Present in AS or TGS reply; absent otherwise.
|
||||
nonce [3] UInt32,
|
||||
-- Nonce from the client request.
|
||||
...
|
||||
}
|
||||
|
||||
KrbFastArmoredRep ::= SEQUENCE {
|
||||
enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
|
||||
...
|
||||
}
|
||||
|
||||
PA-FX-FAST-REPLY ::= CHOICE {
|
||||
armored-data [0] KrbFastArmoredRep,
|
||||
...
|
||||
}
|
||||
|
||||
-- MS-KILE End
|
||||
--
|
||||
--
|
||||
@ -631,7 +734,8 @@ PADataTypeValues ::= INTEGER {
|
||||
kRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
|
||||
kRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
|
||||
kRB5-PADATA-REQ-ENC-PA-REP(149), --
|
||||
kRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE
|
||||
kRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE
|
||||
kRB5-PADATA-PAC-OPTIONS(167) -- MS-KILE
|
||||
}
|
||||
PADataTypeSequence ::= SEQUENCE {
|
||||
dummy [0] PADataTypeValues
|
||||
|
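Review bot: `KrbFastArmoredReq` in the hunk at `@ -464,6 +504,69 @@` closes without the `...` extension marker that every sibling FAST type in this hunk carries and that, I believe, RFC 6113 gives for this SEQUENCE too; adding `...` after `enc-fast-req [2] EncryptedData, -- KrbFastReq --` keeps the module consistent with the RFC and with `KrbFastArmor` and `KrbFastReq` beside it. The same type also drops the explanatory comments the RFC attaches to it, while `KrbFastResponse` keeps its own: a short note that `armor` MUST be present in an AS-REQ and that `req-checksum` and `enc-fast-req` are keyed with the armor key under `KU_FAST_REQ_CHKSUM` and `KU_FAST_ENC` respectively would tell a test author which key and usage number the verifier is expected to apply. In the new licence header, `-- Portions of these ASN.1 modules are structures are from RFC6113` has a doubled "are"; `-- Portions of these ASN.1 modules are structures from RFC6113` reads as intended.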
@ -36,29 +36,44 @@ KRB_TGS_REQ = int(krb5_asn1.MessageTypeValues('krb-tgs-req'))
|
||||
# PAData types
|
||||
PADATA_ENC_TIMESTAMP = int(
|
||||
krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP'))
|
||||
PADATA_ENCRYPTED_CHALLENGE = int(
|
||||
krb5_asn1.PADataTypeValues('kRB5-PADATA-ENCRYPTED-CHALLENGE'))
|
||||
PADATA_ETYPE_INFO = int(
|
||||
krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO'))
|
||||
PADATA_ETYPE_INFO2 = int(
|
||||
krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2'))
|
||||
PADATA_FOR_USER = int(
|
||||
krb5_asn1.PADataTypeValues('kRB5-PADATA-FOR-USER'))
|
||||
PADATA_FX_COOKIE = int(
|
||||
krb5_asn1.PADataTypeValues('kRB5-PADATA-FX-COOKIE'))
|
||||
PADATA_FX_ERROR = int(
|
||||
krb5_asn1.PADataTypeValues('kRB5-PADATA-FX-ERROR'))
|
||||
PADATA_FX_FAST = int(
|
||||
krb5_asn1.PADataTypeValues('kRB5-PADATA-FX-FAST'))
|
||||
PADATA_KDC_REQ = int(
|
||||
krb5_asn1.PADataTypeValues('kRB5-PADATA-KDC-REQ'))
|
||||
PADATA_PAC_OPTIONS = int(
|
||||
krb5_asn1.PADataTypeValues('kRB5-PADATA-PAC-OPTIONS'))
|
||||
PADATA_PAC_REQUEST = int(
|
||||
krb5_asn1.PADataTypeValues('kRB5-PADATA-PA-PAC-REQUEST'))
|
||||
PADATA_PK_AS_REQ = int(
|
||||
krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REQ'))
|
||||
PADATA_PK_AS_REP_19 = int(
|
||||
krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REP-19'))
|
||||
PADATA_SUPPORTED_ETYPES = int(
|
||||
krb5_asn1.PADataTypeValues('kRB5-PADATA-SUPPORTED-ETYPES'))
|
||||
|
||||
# Error codes
|
||||
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
|
||||
KDC_ERR_POLICY = 12
|
||||
KDC_ERR_ETYPE_NOSUPP = 14
|
||||
KDC_ERR_PREAUTH_FAILED = 24
|
||||
KDC_ERR_PREAUTH_REQUIRED = 25
|
||||
KDC_ERR_NOT_US = 35
|
||||
KDC_ERR_BADMATCH = 36
|
||||
KDC_ERR_SKEW = 37
|
||||
KDC_ERR_GENERIC = 60
|
||||
KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS = 93
|
||||
|
||||
# Name types
|
||||
NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN'))
|
||||
@ -67,6 +82,7 @@ NT_SRV_HST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-HST'))
|
||||
NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST'))
|
||||
NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues(
|
||||
'kRB5-NT-ENTERPRISE-PRINCIPAL'))
|
||||
NT_WELLKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-WELLKNOWN'))
|
||||
|
||||
# Authorization data ad-type values
|
||||
|
||||
@ -79,6 +95,8 @@ AD_MANDATORY_TICKET_EXTENSIONS = 6
|
||||
AD_IN_TICKET_EXTENSIONS = 7
|
||||
AD_MANDATORY_FOR_KDC = 8
|
||||
AD_INITIAL_VERIFIED_CAS = 9
|
||||
AD_FX_FAST_ARMOR = 71
|
||||
AD_FX_FAST_USED = 72
|
||||
AD_WIN2K_PAC = 128
|
||||
AD_SIGNTICKET = 512
|
||||
|
||||
@ -133,3 +151,18 @@ KU_KRB_SAFE_CKSUM = 15
|
||||
(section 5.6.1) '''
|
||||
KU_NON_KERB_SALT = 16
|
||||
KU_NON_KERB_CKSUM_SALT = 17
|
||||
|
||||
KU_ACCEPTOR_SEAL = 22
|
||||
KU_ACCEPTOR_SIGN = 23
|
||||
KU_INITIATOR_SEAL = 24
|
||||
KU_INITIATOR_SIGN = 25
|
||||
|
||||
KU_FAST_REQ_CHKSUM = 50
|
||||
KU_FAST_ENC = 51
|
||||
KU_FAST_REP = 52
|
||||
KU_FAST_FINISHED = 53
|
||||
KU_ENC_CHALLENGE_CLIENT = 54
|
||||
KU_ENC_CHALLENGE_KDC = 55
|
||||
|
||||
# Armor types
|
||||
FX_FAST_ARMOR_AP_REQUEST = 1
|
||||
|
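Review bot: The new FAST constants — `KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS = 93`, `AD_FX_FAST_ARMOR`/`AD_FX_FAST_USED`, the `KU_FAST_*` and `KU_ENC_CHALLENGE_*` usages and `FX_FAST_ARMOR_AP_REQUEST = 1` — are bare integer literals with no source reference, whereas the key-usage block just above them closes a docstring that cites its RFC section. A one-line comment per group, e.g. `# Key usage numbers defined by RFC 6113 (FAST, encrypted challenge)` before `KU_FAST_REQ_CHKSUM = 50` and `# Authorization-data types defined by RFC 6113` before `AD_FX_FAST_ARMOR = 71`, would let a reader check the values against the spec, which matters here because a wrong usage number shows up only as an opaque checksum or decryption failure in a test run. The `PADATA_*` constants, by contrast, resolve their numbers through `krb5_asn1.PADataTypeValues(...)`, so a mistake there surfaces at import time; the literal groups cannot be cross-checked that way. The module-level statement run extends beyond the hunks shown.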
@ -1,5 +1,5 @@
|
||||
# Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1
|
||||
# (last modified on 2021-06-16 08:54:13.969508)
|
||||
# (last modified on 2021-06-25 12:10:34.484667)
|
||||
|
||||
# KerberosV5Spec2
|
||||
from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful
|
||||
@ -619,6 +619,17 @@ EncryptionTypeSequence.componentType = namedtype.NamedTypes(
|
||||
)
|
||||
|
||||
|
||||
class FastOptions(univ.BitString):
|
||||
pass
|
||||
|
||||
|
||||
FastOptions.namedValues = namedval.NamedValues(
|
||||
('reserved', 0),
|
||||
('hide-client-names', 1),
|
||||
('kdc-follow-referrals', 16)
|
||||
)
|
||||
|
||||
|
||||
class KDCOptionsValues(univ.BitString):
|
||||
pass
|
||||
|
||||
@ -800,6 +811,72 @@ KerbErrorDataTypeSequence.componentType = namedtype.NamedTypes(
|
||||
)
|
||||
|
||||
|
||||
class KrbFastArmor(univ.Sequence):
|
||||
pass
|
||||
|
||||
|
||||
KrbFastArmor.componentType = namedtype.NamedTypes(
|
||||
namedtype.NamedType('armor-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
|
||||
namedtype.NamedType('armor-value', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
|
||||
)
|
||||
|
||||
|
||||
class KrbFastArmoredRep(univ.Sequence):
|
||||
pass
|
||||
|
||||
|
||||
KrbFastArmoredRep.componentType = namedtype.NamedTypes(
|
||||
namedtype.NamedType('enc-fast-rep', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0)))
|
||||
)
|
||||
|
||||
|
||||
class KrbFastArmoredReq(univ.Sequence):
|
||||
pass
|
||||
|
||||
|
||||
KrbFastArmoredReq.componentType = namedtype.NamedTypes(
|
||||
namedtype.OptionalNamedType('armor', KrbFastArmor().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))),
|
||||
namedtype.NamedType('req-checksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))),
|
||||
namedtype.NamedType('enc-fast-req', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2)))
|
||||
)
|
||||
|
||||
|
||||
class KrbFastFinished(univ.Sequence):
|
||||
pass
|
||||
|
||||
|
||||
KrbFastFinished.componentType = namedtype.NamedTypes(
|
||||
namedtype.NamedType('timestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
|
||||
namedtype.NamedType('usec', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
|
||||
namedtype.NamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))),
|
||||
namedtype.NamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))),
|
||||
namedtype.NamedType('ticket-checksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4)))
|
||||
)
|
||||
|
||||
|
||||
class KrbFastReq(univ.Sequence):
|
||||
pass
|
||||
|
||||
|
||||
KrbFastReq.componentType = namedtype.NamedTypes(
|
||||
namedtype.NamedType('fast-options', FastOptions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
|
||||
namedtype.NamedType('padata', univ.SequenceOf(componentType=PA_DATA()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
|
||||
namedtype.NamedType('req-body', KDC_REQ_BODY().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2)))
|
||||
)
|
||||
|
||||
|
||||
class KrbFastResponse(univ.Sequence):
|
||||
pass
|
||||
|
||||
|
||||
KrbFastResponse.componentType = namedtype.NamedTypes(
|
||||
namedtype.NamedType('padata', univ.SequenceOf(componentType=PA_DATA()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
|
||||
namedtype.OptionalNamedType('strengthen-key', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))),
|
||||
namedtype.OptionalNamedType('finished', KrbFastFinished().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))),
|
||||
namedtype.NamedType('nonce', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3)))
|
||||
)
|
||||
|
||||
|
||||
class MessageTypeValues(univ.Integer):
|
||||
pass
|
||||
|
||||
@ -871,6 +948,24 @@ PA_ENC_TS_ENC.componentType = namedtype.NamedTypes(
|
||||
)
|
||||
|
||||
|
||||
class PA_FX_FAST_REPLY(univ.Choice):
|
||||
pass
|
||||
|
||||
|
||||
PA_FX_FAST_REPLY.componentType = namedtype.NamedTypes(
|
||||
namedtype.NamedType('armored-data', KrbFastArmoredRep().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0)))
|
||||
)
|
||||
|
||||
|
||||
class PA_FX_FAST_REQUEST(univ.Choice):
|
||||
pass
|
||||
|
||||
|
||||
PA_FX_FAST_REQUEST.componentType = namedtype.NamedTypes(
|
||||
namedtype.NamedType('armored-data', KrbFastArmoredReq().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0)))
|
||||
)
|
||||
|
||||
|
||||
class PACOptionFlags(KerberosFlags):
|
||||
pass
|
||||
|
||||
@ -980,7 +1075,8 @@ PADataTypeValues.namedValues = namedval.NamedValues(
|
||||
('kRB5-PADATA-PKINIT-KX', 147),
|
||||
('kRB5-PADATA-PKU2U-NAME', 148),
|
||||
('kRB5-PADATA-REQ-ENC-PA-REP', 149),
|
||||
('kRB5-PADATA-SUPPORTED-ETYPES', 165)
|
||||
('kRB5-PADATA-SUPPORTED-ETYPES', 165),
|
||||
('kRB5-PADATA-PAC-OPTIONS', 167)
|
||||
)
|
||||
|
||||
|
||||
|