1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-14 19:24:43 +03:00
Joseph Sutton 45d81d56ab tests/krb5: Allow additional unexpected padata types
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-07 07:40:33 +00:00

845 lines
28 KiB
Groff
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

-- Portions of these ASN.1 modules are structures are from RFC6113
-- authored by S. Hartman (Painless Security) and L. Zhu (Microsoft)
--
-- Copyright (c) 2011 IETF Trust and the persons identified as authors of the
-- code. All rights reserved.
--
-- Redistribution and use in source and binary forms, with or without
-- modification, is permitted pursuant to, and subject to the license terms
-- contained in, the Simplified BSD License set forth in Section 4.c of the IETF
-- Trusts Legal Provisions Relating to IETF Documents
-- (http://trustee.ietf.org/license-info).
--
-- BSD License:
--
-- Copyright (c) 2011 IETF Trust and the persons identified as authors of the code. All rights reserved.
-- Redistribution and use in source and binary forms, with or without modification, are permitted provided
-- that the following conditions are met:
-- • Redistributions of source code must retain the above copyright notice, this list of conditions and
-- the following disclaimer.
--
-- • Redistributions in binary form must reproduce the above copyright notice, this list of conditions
-- and the following disclaimer in the documentation and/or other materials provided with the
-- distribution.
--
-- • Neither the name of Internet Society, IETF or IETF Trust, nor the names of specific contributors,
-- may be used to endorse or promote products derived from this software without specific prior written
-- permission.
-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-- POSSIBILITY OF SUCH DAMAGE.
--
KerberosV5Spec2 {
iso(1) identified-organization(3) dod(6) internet(1)
security(5) kerberosV5(2) modules(4) krb5spec2(2)
} DEFINITIONS EXPLICIT TAGS ::= BEGIN
-- OID arc for KerberosV5
--
-- This OID may be used to identify Kerberos protocol messages
-- encapsulated in other protocols.
--
-- This OID also designates the OID arc for KerberosV5-related OIDs.
--
-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
id-krb5 OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1)
security(5) kerberosV5(2)
}
Int32 ::= INTEGER (-2147483648..2147483647)
-- signed values representable in 32 bits
UInt32 ::= INTEGER (0..4294967295)
-- unsigned 32 bit values
Microseconds ::= INTEGER (0..999999)
-- microseconds
--
-- asn1ate doesn't support 'GeneralString (IA5String)'
-- only 'GeneralString' or 'IA5String', on the wire
-- GeneralString is used.
--
-- KerberosString ::= GeneralString (IA5String)
KerberosString ::= GeneralString
Realm ::= KerberosString
PrincipalName ::= SEQUENCE {
name-type [0] NameType, -- Int32,
name-string [1] SEQUENCE OF KerberosString
}
NameType ::= Int32
KerberosTime ::= GeneralizedTime -- with no fractional seconds
HostAddress ::= SEQUENCE {
addr-type [0] Int32,
address [1] OCTET STRING
}
-- NOTE: HostAddresses is always used as an OPTIONAL field and
-- should not be empty.
HostAddresses -- NOTE: subtly different from rfc1510,
-- but has a value mapping and encodes the same
::= SEQUENCE OF HostAddress
-- NOTE: AuthorizationData is always used as an OPTIONAL field and
-- should not be empty.
AuthorizationData ::= SEQUENCE OF SEQUENCE {
ad-type [0] AuthDataType, -- Int32,
ad-data [1] OCTET STRING
}
AuthDataType ::= Int32
PA-DATA ::= SEQUENCE {
-- NOTE: first tag is [1], not [0]
padata-type [1] PADataType, -- Int32
padata-value [2] OCTET STRING -- might be encoded AP-REQ
}
PADataType ::= Int32
--
-- asn1ate doesn't support 'MAX' nor a lower range != 1.
-- We'll use a custom enodeValue() hooks for BitString
-- in order to encode them with at least 32-Bit.
--
-- KerberosFlags ::= BIT STRING (SIZE (32..MAX))
KerberosFlags ::= BIT STRING (SIZE (1..32))
-- minimum number of bits shall be sent,
-- but no fewer than 32
EncryptedData ::= SEQUENCE {
etype [0] EncryptionType, --Int32 EncryptionType --
kvno [1] Int32 OPTIONAL,
cipher [2] OCTET STRING -- ciphertext
}
EncryptionKey ::= SEQUENCE {
keytype [0] EncryptionType, -- Int32 actually encryption type --
keyvalue [1] OCTET STRING
}
Checksum ::= SEQUENCE {
cksumtype [0] ChecksumType, -- Int32,
checksum [1] OCTET STRING
}
ChecksumType ::= Int32
Ticket ::= [APPLICATION 1] SEQUENCE {
tkt-vno [0] INTEGER (5),
realm [1] Realm,
sname [2] PrincipalName,
enc-part [3] EncryptedData -- EncTicketPart
}
-- Encrypted part of ticket
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
flags [0] TicketFlags,
key [1] EncryptionKey,
crealm [2] Realm,
cname [3] PrincipalName,
transited [4] TransitedEncoding,
authtime [5] KerberosTime,
starttime [6] KerberosTime OPTIONAL,
endtime [7] KerberosTime,
renew-till [8] KerberosTime OPTIONAL,
caddr [9] HostAddresses OPTIONAL,
authorization-data [10] AuthorizationData OPTIONAL
}
-- encoded Transited field
TransitedEncoding ::= SEQUENCE {
tr-type [0] Int32 -- must be registered --,
contents [1] OCTET STRING
}
TicketFlags ::= KerberosFlags
-- reserved(0),
-- forwardable(1),
-- forwarded(2),
-- proxiable(3),
-- proxy(4),
-- may-postdate(5),
-- postdated(6),
-- invalid(7),
-- renewable(8),
-- initial(9),
-- pre-authent(10),
-- hw-authent(11),
-- the following are new since 1510
-- transited-policy-checked(12),
-- ok-as-delegate(13)
AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ
KDC-REQ ::= SEQUENCE {
-- NOTE: first tag is [1], not [0]
pvno [1] INTEGER (5) ,
msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --),
padata [3] SEQUENCE OF PA-DATA OPTIONAL
-- NOTE: not empty --,
req-body [4] KDC-REQ-BODY
}
KDC-REQ-BODY ::= SEQUENCE {
kdc-options [0] KDCOptions,
cname [1] PrincipalName OPTIONAL
-- Used only in AS-REQ --,
realm [2] Realm
-- Server's realm
-- Also client's in AS-REQ --,
sname [3] PrincipalName OPTIONAL,
from [4] KerberosTime OPTIONAL,
till [5] KerberosTime,
rtime [6] KerberosTime OPTIONAL,
nonce [7] UInt32,
etype [8] SEQUENCE OF EncryptionType -- Int32 - EncryptionType
-- in preference order --,
addresses [9] HostAddresses OPTIONAL,
enc-authorization-data [10] EncryptedData OPTIONAL
-- AuthorizationData --,
additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
-- NOTE: not empty
}
EncryptionType ::= Int32
KDCOptions ::= KerberosFlags
-- reserved(0),
-- forwardable(1),
-- forwarded(2),
-- proxiable(3),
-- proxy(4),
-- allow-postdate(5),
-- postdated(6),
-- unused7(7),
-- renewable(8),
-- unused9(9),
-- unused10(10),
-- opt-hardware-auth(11),
-- unused12(12),
-- unused13(13),
-- Canonicalize is used in RFC 6806
-- canonicalize(15),
-- 26 was unused in 1510
-- disable-transited-check(26),
--
-- renewable-ok(27),
-- enc-tkt-in-skey(28),
-- renew(30),
-- validate(31)
AS-REP ::= [APPLICATION 11] KDC-REP
TGS-REP ::= [APPLICATION 13] KDC-REP
KDC-REP ::= SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --),
padata [2] SEQUENCE OF PA-DATA OPTIONAL
-- NOTE: not empty --,
crealm [3] Realm,
cname [4] PrincipalName,
ticket [5] Ticket,
enc-part [6] EncryptedData
-- EncASRepPart or EncTGSRepPart,
-- as appropriate
}
EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
EncKDCRepPart ::= SEQUENCE {
key [0] EncryptionKey,
last-req [1] LastReq,
nonce [2] UInt32,
key-expiration [3] KerberosTime OPTIONAL,
flags [4] TicketFlags,
authtime [5] KerberosTime,
starttime [6] KerberosTime OPTIONAL,
endtime [7] KerberosTime,
renew-till [8] KerberosTime OPTIONAL,
srealm [9] Realm,
sname [10] PrincipalName,
caddr [11] HostAddresses OPTIONAL,
encrypted-pa-data[12] METHOD-DATA OPTIONAL
}
LastReq ::= SEQUENCE OF SEQUENCE {
lr-type [0] Int32,
lr-value [1] KerberosTime
}
AP-REQ ::= [APPLICATION 14] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (14),
ap-options [2] APOptions,
ticket [3] Ticket,
authenticator [4] EncryptedData -- Authenticator
}
APOptions ::= KerberosFlags
-- reserved(0),
-- use-session-key(1),
-- mutual-required(2)
-- Unencrypted authenticator
Authenticator ::= [APPLICATION 2] SEQUENCE {
authenticator-vno [0] INTEGER (5),
crealm [1] Realm,
cname [2] PrincipalName,
cksum [3] Checksum OPTIONAL,
cusec [4] Microseconds,
ctime [5] KerberosTime,
subkey [6] EncryptionKey OPTIONAL,
seq-number [7] UInt32 OPTIONAL,
authorization-data [8] AuthorizationData OPTIONAL
}
AP-REP ::= [APPLICATION 15] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (15),
enc-part [2] EncryptedData -- EncAPRepPart
}
EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
ctime [0] KerberosTime,
cusec [1] Microseconds,
subkey [2] EncryptionKey OPTIONAL,
seq-number [3] UInt32 OPTIONAL
}
KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (20),
safe-body [2] KRB-SAFE-BODY,
cksum [3] Checksum
}
KRB-SAFE-BODY ::= SEQUENCE {
user-data [0] OCTET STRING,
timestamp [1] KerberosTime OPTIONAL,
usec [2] Microseconds OPTIONAL,
seq-number [3] UInt32 OPTIONAL,
s-address [4] HostAddress,
r-address [5] HostAddress OPTIONAL
}
KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (21),
-- NOTE: there is no [2] tag
enc-part [3] EncryptedData -- EncKrbPrivPart
}
EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
user-data [0] OCTET STRING,
timestamp [1] KerberosTime OPTIONAL,
usec [2] Microseconds OPTIONAL,
seq-number [3] UInt32 OPTIONAL,
s-address [4] HostAddress -- sender's addr --,
r-address [5] HostAddress OPTIONAL -- recip's addr
}
KRB-CRED ::= [APPLICATION 22] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (22),
tickets [2] SEQUENCE OF Ticket,
enc-part [3] EncryptedData -- EncKrbCredPart
}
EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
ticket-info [0] SEQUENCE OF KrbCredInfo,
nonce [1] UInt32 OPTIONAL,
timestamp [2] KerberosTime OPTIONAL,
usec [3] Microseconds OPTIONAL,
s-address [4] HostAddress OPTIONAL,
r-address [5] HostAddress OPTIONAL
}
KrbCredInfo ::= SEQUENCE {
key [0] EncryptionKey,
prealm [1] Realm OPTIONAL,
pname [2] PrincipalName OPTIONAL,
flags [3] TicketFlags OPTIONAL,
authtime [4] KerberosTime OPTIONAL,
starttime [5] KerberosTime OPTIONAL,
endtime [6] KerberosTime OPTIONAL,
renew-till [7] KerberosTime OPTIONAL,
srealm [8] Realm OPTIONAL,
sname [9] PrincipalName OPTIONAL,
caddr [10] HostAddresses OPTIONAL
}
KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (30),
ctime [2] KerberosTime OPTIONAL,
cusec [3] Microseconds OPTIONAL,
stime [4] KerberosTime,
susec [5] Microseconds,
error-code [6] Int32,
crealm [7] Realm OPTIONAL,
cname [8] PrincipalName OPTIONAL,
realm [9] Realm -- service realm --,
sname [10] PrincipalName -- service name --,
e-text [11] KerberosString OPTIONAL,
e-data [12] OCTET STRING OPTIONAL
}
METHOD-DATA ::= SEQUENCE OF PA-DATA
--
-- asn1ate doesn't support 'MAX'
--
-- TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
TYPED-DATA ::= SEQUENCE SIZE (1..256) OF SEQUENCE {
data-type [0] Int32,
data-value [1] OCTET STRING OPTIONAL
}
-- preauth stuff follows
PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
PA-ENC-TS-ENC ::= SEQUENCE {
patimestamp [0] KerberosTime -- client's time --,
pausec [1] Microseconds OPTIONAL
}
ETYPE-INFO-ENTRY ::= SEQUENCE {
etype [0] EncryptionType, --Int32 EncryptionType --
salt [1] OCTET STRING OPTIONAL
}
ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
ETYPE-INFO2-ENTRY ::= SEQUENCE {
etype [0] EncryptionType, --Int32 EncryptionType --
salt [1] KerberosString OPTIONAL,
s2kparams [2] OCTET STRING OPTIONAL
}
ETYPE-INFO2 ::= SEQUENCE SIZE (1..256) OF ETYPE-INFO2-ENTRY
AD-IF-RELEVANT ::= AuthorizationData
AD-KDCIssued ::= SEQUENCE {
ad-checksum [0] Checksum,
i-realm [1] Realm OPTIONAL,
i-sname [2] PrincipalName OPTIONAL,
elements [3] AuthorizationData
}
AD-AND-OR ::= SEQUENCE {
condition-count [0] Int32,
elements [1] AuthorizationData
}
AD-MANDATORY-FOR-KDC ::= AuthorizationData
-- S4U
PA-S4U2Self ::= SEQUENCE {
name [0] PrincipalName,
realm [1] Realm,
cksum [2] Checksum,
auth [3] KerberosString
}
--
--
-- MS-KILE Start
KERB-ERROR-DATA ::= SEQUENCE {
data-type [1] KerbErrorDataType,
data-value [2] OCTET STRING OPTIONAL
}
KerbErrorDataType ::= INTEGER
KERB-PA-PAC-REQUEST ::= SEQUENCE {
include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC.
--If FALSE, and PAC present, remove PAC
}
KERB-LOCAL ::= OCTET STRING -- Implementation-specific data which MUST be
-- ignored if Kerberos client is not local.
KERB-AD-RESTRICTION-ENTRY ::= SEQUENCE {
restriction-type [0] Int32,
restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
}
PA-SUPPORTED-ENCTYPES ::= Int32 -- Supported Encryption Types Bit Field --
PACOptionFlags ::= KerberosFlags -- Claims (0)
-- Branch Aware (1)
-- Forward to Full DC (2)
-- Resource Based Constrained Delegation (3)
PA-PAC-OPTIONS ::= SEQUENCE {
options [0] PACOptionFlags
}
-- Note: KerberosFlags ::= BIT STRING (SIZE (32..MAX))
-- minimum number of bits shall be sent, but no fewer than 32
KERB-KEY-LIST-REQ ::= SEQUENCE OF EncryptionType -- Int32 encryption type --
KERB-KEY-LIST-REP ::= SEQUENCE OF EncryptionKey
FastOptions ::= BIT STRING {
reserved(0),
hide-client-names(1),
kdc-follow-referrals(16)
}
KrbFastReq ::= SEQUENCE {
fast-options [0] FastOptions,
padata [1] SEQUENCE OF PA-DATA,
req-body [2] KDC-REQ-BODY,
...
}
KrbFastArmor ::= SEQUENCE {
armor-type [0] Int32,
armor-value [1] OCTET STRING,
...
}
KrbFastArmoredReq ::= SEQUENCE {
armor [0] KrbFastArmor OPTIONAL,
req-checksum [1] Checksum,
enc-fast-req [2] EncryptedData -- KrbFastReq --
}
PA-FX-FAST-REQUEST ::= CHOICE {
armored-data [0] KrbFastArmoredReq,
...
}
KrbFastFinished ::= SEQUENCE {
timestamp [0] KerberosTime,
usec [1] Int32,
crealm [2] Realm,
cname [3] PrincipalName,
ticket-checksum [4] Checksum,
...
}
KrbFastResponse ::= SEQUENCE {
padata [0] SEQUENCE OF PA-DATA,
-- padata typed holes.
strengthen-key [1] EncryptionKey OPTIONAL,
-- This, if present, strengthens the reply key for AS and
-- TGS. MUST be present for TGS.
-- MUST be absent in KRB-ERROR.
finished [2] KrbFastFinished OPTIONAL,
-- Present in AS or TGS reply; absent otherwise.
nonce [3] UInt32,
-- Nonce from the client request.
...
}
KrbFastArmoredRep ::= SEQUENCE {
enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
...
}
PA-FX-FAST-REPLY ::= CHOICE {
armored-data [0] KrbFastArmoredRep,
...
}
-- MS-KILE End
--
--
--
--
-- prettyPrint values
--
--
NameTypeValues ::= INTEGER { -- Int32
kRB5-NT-UNKNOWN(0), -- Name type not known
kRB5-NT-PRINCIPAL(1), -- Just the name of the principal as in
kRB5-NT-SRV-INST(2), -- Service and other unique instance (krbtgt)
kRB5-NT-SRV-HST(3), -- Service with host name as instance
kRB5-NT-SRV-XHST(4), -- Service with host as remaining components
kRB5-NT-UID(5), -- Unique ID
kRB5-NT-X500-PRINCIPAL(6), -- PKINIT
kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name
kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN
kRB5-NT-WELLKNOWN(11), -- Wellknown
kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID
kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name
kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID
}
NameTypeSequence ::= SEQUENCE {
dummy [0] NameTypeValues
}
TicketFlagsValues ::= BIT STRING { -- KerberosFlags
reserved(0),
forwardable(1),
forwarded(2),
proxiable(3),
proxy(4),
may-postdate(5),
postdated(6),
invalid(7),
renewable(8),
initial(9),
pre-authent(10),
hw-authent(11),
-- the following are new since 1510
transited-policy-checked(12),
ok-as-delegate(13)
}
TicketFlagsSequence ::= SEQUENCE {
dummy [0] TicketFlagsValues
}
KDCOptionsValues ::= BIT STRING { -- KerberosFlags
reserved(0),
forwardable(1),
forwarded(2),
proxiable(3),
proxy(4),
allow-postdate(5),
postdated(6),
unused7(7),
renewable(8),
unused9(9),
unused10(10),
opt-hardware-auth(11),
unused12(12),
unused13(13),
cname-in-addl-tkt(14),
-- Canonicalize is used by RFC 6806
canonicalize(15),
-- 26 was unused in 1510
disable-transited-check(26),
--
renewable-ok(27),
enc-tkt-in-skey(28),
renew(30),
validate(31)
}
KDCOptionsSequence ::= SEQUENCE {
dummy [0] KDCOptionsValues
}
APOptionsValues ::= BIT STRING { -- KerberosFlags
reserved(0),
use-session-key(1),
mutual-required(2)
}
APOptionsSequence ::= SEQUENCE {
dummy [0] APOptionsValues
}
MessageTypeValues ::= INTEGER {
krb-as-req(10), -- Request for initial authentication
krb-as-rep(11), -- Response to KRB_AS_REQ request
krb-tgs-req(12), -- Request for authentication based on TGT
krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
krb-ap-req(14), -- application request to server
krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
krb-safe(20), -- Safe (checksummed) application message
krb-priv(21), -- Private (encrypted) application message
krb-cred(22), -- Private (encrypted) message to forward credentials
krb-error(30) -- Error response
}
MessageTypeSequence ::= SEQUENCE {
dummy [0] MessageTypeValues
}
PADataTypeValues ::= INTEGER {
kRB5-PADATA-NONE(0),
-- kRB5-PADATA-TGS-REQ(1),
-- kRB5-PADATA-AP-REQ(1),
kRB5-PADATA-KDC-REQ(1),
kRB5-PADATA-ENC-TIMESTAMP(2),
kRB5-PADATA-PW-SALT(3),
kRB5-PADATA-ENC-UNIX-TIME(5),
kRB5-PADATA-SANDIA-SECUREID(6),
kRB5-PADATA-SESAME(7),
kRB5-PADATA-OSF-DCE(8),
kRB5-PADATA-CYBERSAFE-SECUREID(9),
kRB5-PADATA-AFS3-SALT(10),
kRB5-PADATA-ETYPE-INFO(11),
kRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
-- kRB5-PADATA-PK-AS-REQ-WIN(15), - (PKINIT - old number)
kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
kRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
kRB5-PADATA-ETYPE-INFO2(19),
-- kRB5-PADATA-USE-SPECIFIED-KVNO(20),
kRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
kRB5-PADATA-GET-FROM-TYPED-DATA(22),
kRB5-PADATA-SAM-ETYPE-INFO(23),
kRB5-PADATA-SERVER-REFERRAL(25),
kRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
kRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
kRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
kRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
kRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
kRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
kRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
kRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
kRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
kRB5-PADATA-FOR-USER(129), -- MS-KILE
kRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
kRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
kRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
-- kRB5-PADATA-PK-AS-09-BINDING(132), - client send this to
-- tell KDC that is supports
-- the asCheckSum in the
-- PK-AS-REP
kRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
kRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
kRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
kRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
kRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
kRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
kRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
kRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
kBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
kRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
kRB5-PADATA-EPAK-AS-REQ(145),
kRB5-PADATA-EPAK-AS-REP(146),
kRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
kRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
kRB5-PADATA-REQ-ENC-PA-REP(149), --
kRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE
kRB5-PADATA-PAC-OPTIONS(167), -- MS-KILE
kRB5-PADATA-GSS(655) -- gss-preauth
}
PADataTypeSequence ::= SEQUENCE {
dummy [0] PADataTypeValues
}
AuthDataTypeValues ::= INTEGER {
kRB5-AUTHDATA-IF-RELEVANT(1),
kRB5-AUTHDATA-INTENDED-FOR-SERVER(2),
kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
kRB5-AUTHDATA-KDC-ISSUED(4),
kRB5-AUTHDATA-AND-OR(5),
kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
kRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
kRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
kRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
kRB5-AUTHDATA-OSF-DCE(64),
kRB5-AUTHDATA-SESAME(65),
kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
kRB5-AUTHDATA-WIN2K-PAC(128),
kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
kRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
kRB5-AUTHDATA-SIGNTICKET-OLD(142),
kRB5-AUTHDATA-SIGNTICKET(512)
}
AuthDataTypeSequence ::= SEQUENCE {
dummy [0] AuthDataTypeValues
}
ChecksumTypeValues ::= INTEGER {
kRB5-CKSUMTYPE-NONE(0),
kRB5-CKSUMTYPE-CRC32(1),
kRB5-CKSUMTYPE-RSA-MD4(2),
kRB5-CKSUMTYPE-RSA-MD4-DES(3),
kRB5-CKSUMTYPE-DES-MAC(4),
kRB5-CKSUMTYPE-DES-MAC-K(5),
kRB5-CKSUMTYPE-RSA-MD4-DES-K(6),
kRB5-CKSUMTYPE-RSA-MD5(7),
kRB5-CKSUMTYPE-RSA-MD5-DES(8),
kRB5-CKSUMTYPE-RSA-MD5-DES3(9),
kRB5-CKSUMTYPE-SHA1-OTHER(10),
kRB5-CKSUMTYPE-HMAC-SHA1-DES3(12),
kRB5-CKSUMTYPE-SHA1(14),
kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-128(15),
kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-256(16),
kRB5-CKSUMTYPE-GSSAPI(32771), -- 0x8003
kRB5-CKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number
kRB5-CKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial
}
ChecksumTypeSequence ::= SEQUENCE {
dummy [0] ChecksumTypeValues
}
EncryptionTypeValues ::= INTEGER {
kRB5-ENCTYPE-NULL(0),
kRB5-ENCTYPE-DES-CBC-CRC(1),
kRB5-ENCTYPE-DES-CBC-MD4(2),
kRB5-ENCTYPE-DES-CBC-MD5(3),
kRB5-ENCTYPE-DES3-CBC-MD5(5),
kRB5-ENCTYPE-OLD-DES3-CBC-SHA1(7),
kRB5-ENCTYPE-SIGN-DSA-GENERATE(8),
kRB5-ENCTYPE-ENCRYPT-RSA-PRIV(9),
kRB5-ENCTYPE-ENCRYPT-RSA-PUB(10),
kRB5-ENCTYPE-DES3-CBC-SHA1(16), -- with key derivation
kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96(17),
kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96(18),
kRB5-ENCTYPE-ARCFOUR-HMAC-MD5(23),
kRB5-ENCTYPE-ARCFOUR-HMAC-MD5-56(24),
kRB5-ENCTYPE-ENCTYPE-PK-CROSS(48),
-- some "old" windows types
kRB5-ENCTYPE-ARCFOUR-MD4(-128),
kRB5-ENCTYPE-ARCFOUR-HMAC-OLD(-133),
kRB5-ENCTYPE-ARCFOUR-HMAC-OLD-EXP(-135),
-- these are for Heimdal internal use
-- kRB5-ENCTYPE-DES-CBC-NONE(-0x1000),
-- kRB5-ENCTYPE-DES3-CBC-NONE(-0x1001),
-- kRB5-ENCTYPE-DES-CFB64-NONE(-0x1002),
-- kRB5-ENCTYPE-DES-PCBC-NONE(-0x1003),
-- kRB5-ENCTYPE-DIGEST-MD5-NONE(-0x1004), - private use, lukeh@padl.com
-- kRB5-ENCTYPE-CRAM-MD5-NONE(-0x1005) - private use, lukeh@padl.com
kRB5-ENCTYPE-DUMMY(-1111)
}
EncryptionTypeSequence ::= SEQUENCE {
dummy [0] EncryptionTypeValues
}
KerbErrorDataTypeValues ::= INTEGER {
kERB-AP-ERR-TYPE-SKEW-RECOVERY(2),
kERB-ERR-TYPE-EXTENDED(3)
}
KerbErrorDataTypeSequence ::= SEQUENCE {
dummy [0] KerbErrorDataTypeValues
}
PACOptionFlagsValues ::= BIT STRING { -- KerberosFlags
claims(0),
branch-aware(1),
forward-to-full-dc(2),
resource-based-constrained-delegation(3)
}
PACOptionFlagsSequence ::= SEQUENCE {
dummy [0] PACOptionFlagsValues
}
END